package com.ibm.ws.security.appbnd.internal.authorization;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.InjectedTrace;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.container.service.app.deploy.ApplicationInfo;
import com.ibm.ws.container.service.app.deploy.ModuleInfo;
import com.ibm.ws.container.service.metadata.ApplicationMetaDataListener;
import com.ibm.ws.container.service.metadata.MetaDataEvent;
import com.ibm.ws.container.service.metadata.ModuleMetaDataListener;
import com.ibm.ws.container.service.security.SecurityRoles;
import com.ibm.ws.container.service.state.ApplicationStateListener;
import com.ibm.ws.container.service.state.ModuleStateListener;
import com.ibm.ws.container.service.state.StateChangeException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.javaee.dd.appbnd.Group;
import com.ibm.ws.javaee.dd.appbnd.SecurityRole;
import com.ibm.ws.javaee.dd.appbnd.SpecialSubject;
import com.ibm.ws.javaee.dd.appbnd.Subject;
import com.ibm.ws.javaee.dd.appbnd.User;
import com.ibm.ws.runtime.metadata.ApplicationMetaData;
import com.ibm.ws.runtime.metadata.ModuleMetaData;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.appbnd.internal.TraceConstants;
import com.ibm.ws.security.appbnd.internal.delegation.DefaultDelegationProvider;
import com.ibm.ws.security.authorization.AuthorizationTableService;
import com.ibm.ws.security.authorization.RoleSet;
import com.ibm.ws.security.credentials.AccessIdUtil;
import com.ibm.ws.security.delegation.DelegationProvider;
import com.ibm.ws.security.registry.EntryNotFoundException;
import com.ibm.ws.security.registry.RegistryException;
import com.ibm.ws.security.registry.UserRegistry;
import com.ibm.ws.security.registry.UserRegistryChangeListener;
import com.ibm.ws.security.registry.UserRegistryConfiguration;
import com.ibm.wsspi.adaptable.module.UnableToAdaptException;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import java.util.Collection;
import java.util.Dictionary;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.osgi.service.component.ComponentContext;

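/**
 * Authorization table for one or more applications, built from the application's
 * security-role bindings (the {@link SecurityRoles} adapted from the application
 * container when the application starts).
 *
 * <p>For every started application this service keeps the declared
 * {@link SecurityRole}s plus a lazily filled {@link AuthzTableContainer} that caches
 * the answers to {@link #getRolesForSpecialSubject} and {@link #getRolesForAccessId}.
 * Lookups work on access IDs: a binding whose configured {@code accessId} already
 * carries the {@code user}/{@code group} prefix is used verbatim, any other binding is
 * resolved through the active {@link UserRegistry} (realm plus unique ID). Subjects the
 * registry cannot resolve are remembered as {@link #INVALID_ACCESS_ID} so they never
 * match again until {@link #notifyOfUserRegistryChange()} drops every cache.
 *
 * <p>Observed comparison rules: user access IDs are compared case-sensitively, group
 * access IDs case-insensitively when the registry is configured to ignore case.
 *
 * <p>Thread-safety: the per-application maps are {@link ConcurrentMap}s and every
 * computed entry is idempotent, so concurrent first-time lookups may compute the same
 * value twice but never observe a torn one. A lookup that races with the application
 * being stopped returns {@code null} (unknown resource) instead of failing.
 *
 * <p>The {@code @InjectedTrace} annotations and the synthetic {@code $$$tc$$$} field
 * come from the bytecode trace instrumentation of the shipped jar and are kept as-is.
 */
@TraceOptions(traceGroups = {"security"}, traceGroup = "", messageBundle = TraceConstants.MESSAGE_BUNDLE, traceExceptionThrow = false, traceExceptionHandling = false)
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class AppBndAuthorizationTableService implements ApplicationMetaDataListener, ModuleMetaDataListener, ApplicationStateListener, ModuleStateListener, AuthorizationTableService, UserRegistryChangeListener {
    private static final TraceComponent tc = Tr.register(AppBndAuthorizationTableService.class);
    static final String KEY_SECURITY_SERVICE = "securityService";
    static final String KEY_CONFIG_ADMIN = "configurationAdmin";
    static final String KEY_USER_REGISTRY_CONFIGURATION = "userRegistryConfiguration";
    static final long serialVersionUID = 7147270180104566987L;

    /** Cached for a bound user/group the registry could not resolve; matches no real access ID. */
    private static final String INVALID_ACCESS_ID = "";
    /** Access-ID type prefix for users, also the type passed to {@link AccessIdUtil#createAccessId}. */
    private static final String ACCESS_ID_TYPE_USER = "user";
    /** Access-ID type prefix for groups, also the type passed to {@link AccessIdUtil#createAccessId}. */
    private static final String ACCESS_ID_TYPE_GROUP = "group";
    /** FFDC source id used in the probe calls below. */
    private static final String FFDC_SOURCE = "com.ibm.ws.security.appbnd.internal.authorization.AppBndAuthorizationTableService";

    private final AtomicServiceReference<SecurityService> securityServiceRef = new AtomicServiceReference<SecurityService>(KEY_SECURITY_SERVICE);
    private final AtomicServiceReference<ConfigurationAdmin> configAdminRef = new AtomicServiceReference<ConfigurationAdmin>(KEY_CONFIG_ADMIN);
    private final AtomicServiceReference<UserRegistryConfiguration> userRegistryConfiguration = new AtomicServiceReference<UserRegistryConfiguration>(KEY_USER_REGISTRY_CONFIGURATION);

    // Created in activate(); published as an OSGi DelegationProvider with type=defaultProvider.
    private volatile DefaultDelegationProvider defaultDelegationProvider = null;
    private ServiceRegistration<DelegationProvider> defaultDelegationProviderReg;

    // Application (resource) name -> declared security roles from the bindings.
    private final ConcurrentMap<String, Collection<SecurityRole>> resourceToSecurityRolesMap = new ConcurrentHashMap<String, Collection<SecurityRole>>(16, 0.7f, 1);
    // Application (resource) name -> lazily filled lookup caches.
    private final ConcurrentMap<String, AuthzTableContainer> authzTableMap = new ConcurrentHashMap<String, AuthzTableContainer>(16, 0.7f, 1);
    // null until first use; a single volatile reference so "computed" and "value" are published together.
    private volatile Boolean ignoreCaseCache = null;

    /**
     * Per-application lookup caches. Every map is filled on demand by the enclosing
     * service and is discarded wholesale (a fresh container) when the user registry
     * changes, so nothing resolved against an old registry can linger.
     */
    @TraceOptions(traceGroups = {"security"}, traceGroup = "", messageBundle = TraceConstants.MESSAGE_BUNDLE, traceExceptionThrow = false, traceExceptionHandling = false)
    @TraceObjectField(fieldName = "$$$tc$$$", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
    public static final class AuthzTableContainer {
        /** Application (resource) name this container belongs to. */
        final String resourceName;
        /** Special-subject type string -> roles bound to it. */
        final ConcurrentMap<String, RoleSet> specialSubjectMap = new ConcurrentHashMap<String, RoleSet>(16, 0.7f, 1);
        /** Access ID -> roles bound to it (EMPTY_ROLESET when nothing matched). */
        final ConcurrentMap<String, RoleSet> accessIdToRolesMap = new ConcurrentHashMap<String, RoleSet>(16, 0.7f, 1);
        /** Bound user name -> resolved access ID, or INVALID_ACCESS_ID when unresolvable. */
        final ConcurrentMap<String, String> userToAccessIdMap = new ConcurrentHashMap<String, String>(16, 0.7f, 1);
        /** Bound group name -> resolved access ID, or INVALID_ACCESS_ID when unresolvable. */
        final ConcurrentMap<String, String> groupToAccessIdMap = new ConcurrentHashMap<String, String>(16, 0.7f, 1);
        static final long serialVersionUID = 2510182940130094083L;
        private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register(AuthzTableContainer.class);

        /**
         * @param resourceName application (resource) name the caches belong to
         */
        @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
        AuthzTableContainer(String resourceName) {
            this.resourceName = resourceName;
        }
    }

    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public AppBndAuthorizationTableService() {
    }

    /** DS bind method for the {@code securityService} reference. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void setSecurityService(ServiceReference<SecurityService> serviceReference) {
        this.securityServiceRef.setReference(serviceReference);
    }

    /** DS unbind method for the {@code securityService} reference. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void unsetSecurityService(ServiceReference<SecurityService> serviceReference) {
        this.securityServiceRef.unsetReference(serviceReference);
    }

    /** DS bind method for the {@code configurationAdmin} reference. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void setConfigurationAdmin(ServiceReference<ConfigurationAdmin> serviceReference) {
        this.configAdminRef.setReference(serviceReference);
    }

    /** DS unbind method for the {@code configurationAdmin} reference. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void unsetConfigurationAdmin(ServiceReference<ConfigurationAdmin> serviceReference) {
        this.configAdminRef.unsetReference(serviceReference);
    }

    /** DS bind method for the {@code userRegistryConfiguration} reference. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void setUserRegistryConfiguration(ServiceReference<UserRegistryConfiguration> serviceReference) {
        this.userRegistryConfiguration.setReference(serviceReference);
    }

    /** DS unbind method for the {@code userRegistryConfiguration} reference. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void unsetUserRegistryConfiguration(ServiceReference<UserRegistryConfiguration> serviceReference) {
        this.userRegistryConfiguration.unsetReference(serviceReference);
    }

    /**
     * Creates the default delegation (run-as) provider, wires it to the security service
     * and registers it in the OSGi service registry with {@code type=defaultProvider}.
     *
     * @param componentContext the DS component context supplying the bundle context
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void registerDefaultDelegationProvider(ComponentContext componentContext) {
        DefaultDelegationProvider provider = new DefaultDelegationProvider();
        provider.setSecurityService(this.securityServiceRef.getService());
        // Publish the fully wired instance only after setSecurityService, since the field is volatile.
        this.defaultDelegationProvider = provider;
        Hashtable<String, Object> properties = new Hashtable<String, Object>();
        properties.put("type", "defaultProvider");
        BundleContext bundleContext = componentContext.getBundleContext();
        this.defaultDelegationProviderReg = bundleContext.registerService(DelegationProvider.class, provider, properties);
    }

    /**
     * DS activate: activates the service references and registers the default
     * delegation provider.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void activate(ComponentContext componentContext) {
        this.securityServiceRef.activate(componentContext);
        this.configAdminRef.activate(componentContext);
        this.userRegistryConfiguration.activate(componentContext);
        registerDefaultDelegationProvider(componentContext);
    }

    /**
     * DS deactivate: deactivates the service references and withdraws the default
     * delegation provider registration made in {@link #activate}.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void deactivate(ComponentContext componentContext) {
        this.securityServiceRef.deactivate(componentContext);
        this.configAdminRef.deactivate(componentContext);
        this.userRegistryConfiguration.deactivate(componentContext);
        ServiceRegistration<DelegationProvider> registration = this.defaultDelegationProviderReg;
        if (registration != null) {
            registration.unregister();
            this.defaultDelegationProviderReg = null;
        }
    }

    /**
     * Registers the declared security roles and an empty lookup container for an
     * application, unless a table for that name already exists.
     *
     * @param resourceName  application (resource) name
     * @param securityRoles roles declared in the application's bindings
     * @return {@code true} if the table was created, {@code false} if one already exists
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private boolean establishInitialTable(String resourceName, Collection<SecurityRole> securityRoles) {
        AuthzTableContainer container = new AuthzTableContainer(resourceName);
        // putIfAbsent makes the duplicate-name check atomic; a separate get()-then-put()
        // would let two applications with the same name both pass the check.
        if (this.authzTableMap.putIfAbsent(resourceName, container) != null) {
            return false;
        }
        // Roles are installed after the container; lookups that find the container but no
        // roles yet treat the application as unknown (see computeRoles* below).
        this.resourceToSecurityRolesMap.put(resourceName, securityRoles);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Created initial authorization tables for " + container.resourceName, new Object[0]);
        }
        return true;
    }

    @Override // com.ibm.ws.container.service.metadata.ApplicationMetaDataListener
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void applicationMetaDataCreated(MetaDataEvent<ApplicationMetaData> metaDataEvent) {
        // Nothing to do: the table is built from the application container in applicationStarting.
    }

    @Override // com.ibm.ws.container.service.metadata.ApplicationMetaDataListener
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void applicationMetaDataDestroyed(MetaDataEvent<ApplicationMetaData> metaDataEvent) {
        // Nothing to do: the table is removed in applicationStopped.
    }

    /**
     * @return the application name used as the resource key of all tables
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private String getApplicationManagerName(ApplicationInfo applicationInfo) {
        return applicationInfo.getMetaData().getJ2EEName().getApplication();
    }

    /**
     * Builds the authorization table for a starting application from its
     * {@link SecurityRoles} bindings and hands the roles to the default delegation
     * provider.
     *
     * @throws StateChangeException if another started application already uses the same
     *                              name; role bindings are keyed by name, so a duplicate
     *                              could silently inherit the other application's policy
     */
    @Override // com.ibm.ws.container.service.state.ApplicationStateListener
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void applicationStarting(ApplicationInfo applicationInfo) throws StateChangeException {
        String applicationName = getApplicationManagerName(applicationInfo);
        try {
            SecurityRoles bindings = (SecurityRoles) applicationInfo.getContainer().adapt(SecurityRoles.class);
            List<SecurityRole> securityRoles = bindings.getSecurityRoles();
            if (!establishInitialTable(applicationName, securityRoles)) {
                Tr.error(tc, "AUTHZ_TABLE_DUPLICATE_APP_NAME", applicationName);
                // The decompiled form named another bundle's TraceConstants here; javac inlines the
                // constant, so this bundle's own message bundle (the one tc is registered with) is meant.
                throw new StateChangeException(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "AUTHZ_TABLE_DUPLICATE_APP_NAME", new Object[]{applicationName}, "CWWKS9110E: Multiple applications have the name {0}. Security authorization policies requires that names be unique."));
            }
            this.defaultDelegationProvider.createAppToSecurityRolesMapping(applicationName, securityRoles);
        } catch (UnableToAdaptException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "265", this, new Object[]{applicationInfo});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "There was a problem setting the security meta data for application " + applicationName + ".", applicationName);
            }
            // Deliberately not rethrown: the application starts without an authorization table,
            // which means every lookup for it returns null (unknown resource).
            Tr.error(tc, "AUTHZ_TABLE_NOT_CREATED", applicationName);
        }
    }

    @Override // com.ibm.ws.container.service.state.ApplicationStateListener
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void applicationStarted(ApplicationInfo applicationInfo) {
        // Nothing to do.
    }

    @Override // com.ibm.ws.container.service.state.ApplicationStateListener
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void applicationStopping(ApplicationInfo applicationInfo) {
        // Nothing to do.
    }

    /** Removes the application's tables and its run-as mapping from the delegation provider. */
    @Override // com.ibm.ws.container.service.state.ApplicationStateListener
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void applicationStopped(ApplicationInfo applicationInfo) {
        String applicationName = getApplicationManagerName(applicationInfo);
        removeTable(applicationName);
        this.defaultDelegationProvider.removeRoleToRunAsMapping(applicationName);
    }

    @Override // com.ibm.ws.container.service.metadata.ModuleMetaDataListener
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void moduleMetaDataCreated(MetaDataEvent<ModuleMetaData> metaDataEvent) {
        // Nothing to do: tables are per application, not per module.
    }

    @Override // com.ibm.ws.container.service.metadata.ModuleMetaDataListener
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void moduleMetaDataDestroyed(MetaDataEvent<ModuleMetaData> metaDataEvent) {
        // Nothing to do.
    }

    @Override // com.ibm.ws.container.service.state.ModuleStateListener
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void moduleStarting(ModuleInfo moduleInfo) {
        // Nothing to do.
    }

    @Override // com.ibm.ws.container.service.state.ModuleStateListener
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void moduleStarted(ModuleInfo moduleInfo) {
        // Nothing to do.
    }

    @Override // com.ibm.ws.container.service.state.ModuleStateListener
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void moduleStopping(ModuleInfo moduleInfo) {
        // Nothing to do.
    }

    @Override // com.ibm.ws.container.service.state.ModuleStateListener
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void moduleStopped(ModuleInfo moduleInfo) {
        // Nothing to do.
    }

    /**
     * Drops both tables of an application. The container goes first so that a
     * concurrent lookup either misses the container (unknown resource) or finds it
     * with the roles already gone, which is handled the same way.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void removeTable(String resourceName) {
        this.authzTableMap.remove(resourceName);
        this.resourceToSecurityRolesMap.remove(resourceName);
    }

    /**
     * Computes, caches and returns the roles bound to a special subject type
     * (the string form of {@link SpecialSubject#getType()}).
     *
     * @param container      the application's lookup caches
     * @param specialSubject special-subject type name to match
     * @return the matching roles, {@link RoleSet#EMPTY_ROLESET} when none is bound, or
     *         {@code null} when the application's roles are gone (it is being stopped)
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private RoleSet computeRolesForSpecialSubject(AuthzTableContainer container, String specialSubject) {
        Collection<SecurityRole> securityRoles = this.resourceToSecurityRolesMap.get(container.resourceName);
        if (securityRoles == null) {
            return null;
        }
        HashSet<String> matchedRoles = new HashSet<String>();
        for (SecurityRole securityRole : securityRoles) {
            for (SpecialSubject subject : securityRole.getSpecialSubjects()) {
                if (specialSubject.equals(subject.getType().toString())) {
                    matchedRoles.add(securityRole.getName());
                }
            }
        }
        RoleSet roleSet = matchedRoles.isEmpty() ? RoleSet.EMPTY_ROLESET : new RoleSet(matchedRoles);
        // Negative results are cached too: an unbound special subject stays unbound until
        // the container is replaced.
        container.specialSubjectMap.put(specialSubject, roleSet);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Added the following subject to role mapping for application: " + container.resourceName + ".", specialSubject, roleSet);
        }
        return roleSet;
    }

    /**
     * @param resourceName   application (resource) name
     * @param specialSubject special-subject type name
     * @return the roles bound to the special subject, or {@code null} if no table exists
     *         for {@code resourceName}
     */
    @Override // com.ibm.ws.security.authorization.AuthorizationTableService
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public RoleSet getRolesForSpecialSubject(String resourceName, String specialSubject) {
        AuthzTableContainer container = this.authzTableMap.get(resourceName);
        if (container == null) {
            return null;
        }
        RoleSet cached = container.specialSubjectMap.get(specialSubject);
        if (cached != null) {
            return cached;
        }
        // The container found above is reused rather than re-fetched, so a concurrent
        // removeTable() cannot turn this into a NullPointerException.
        return computeRolesForSpecialSubject(container, specialSubject);
    }

    /**
     * Resolves the access ID of a bound user or group through the active user registry
     * (realm plus unique registry ID).
     *
     * @param subject the bound {@link User} or {@link Group}
     * @return the access ID, or {@code null} if the subject is neither a user nor a
     *         group, is not present in the registry, or the registry lookup failed
     */
    @FFDCIgnore({EntryNotFoundException.class})
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private String getMissingAccessId(Subject subject) {
        // Decided up front so the trace messages can name the subject type; the decompiled
        // form traced a literal null in both catch blocks.
        String subjectType = null;
        if (subject instanceof Group) {
            subjectType = ACCESS_ID_TYPE_GROUP;
        } else if (subject instanceof User) {
            subjectType = ACCESS_ID_TYPE_USER;
        }
        try {
            UserRegistry userRegistry = this.securityServiceRef.getService().getUserRegistryService().getUserRegistry();
            String realm = userRegistry.getRealm();
            if (subject instanceof Group) {
                return AccessIdUtil.createAccessId(ACCESS_ID_TYPE_GROUP, realm, userRegistry.getUniqueGroupId(subject.getName()));
            }
            if (subject instanceof User) {
                return AccessIdUtil.createAccessId(ACCESS_ID_TYPE_USER, realm, userRegistry.getUniqueUserId(subject.getName()));
            }
            return null;
        } catch (EntryNotFoundException e) {
            // Expected for a binding that names a subject the registry does not know (hence @FFDCIgnore).
            if (TraceComponent.isAnyTracingEnabled()) {
                if (tc.isEventEnabled()) {
                    Tr.event(tc, "No entry found for " + subjectType + " " + subject.getName() + " found in user registry. Unable to create access ID.", new Object[0]);
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "EntryNotFoundException details:", e);
                }
            }
            return null;
        } catch (RegistryException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "443", this, new Object[]{subject});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Unexpected exception getting the accessId for " + subject.getName() + ": " + e, new Object[0]);
            }
            return null;
        }
    }

    /**
     * Resolves and caches the access ID of a bound user that has no usable configured
     * {@code accessId}.
     *
     * @return the resolved access ID, or {@code null} if unresolvable (the cache then
     *         holds {@link #INVALID_ACCESS_ID} so the registry is not asked again)
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private String updateMissingUserAccessId(AuthzTableContainer container, User user, String userName) {
        String accessId = getMissingAccessId(user);
        container.userToAccessIdMap.put(userName, accessId != null ? accessId : INVALID_ACCESS_ID);
        return accessId;
    }

    /**
     * Resolves and caches the access ID of a bound group that has no usable configured
     * {@code accessId}.
     *
     * @return the resolved access ID, or {@code null} if unresolvable (the cache then
     *         holds {@link #INVALID_ACCESS_ID} so the registry is not asked again)
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private String updateMissingGroupAccessId(AuthzTableContainer container, Group group, String groupName) {
        String accessId = getMissingAccessId(group);
        container.groupToAccessIdMap.put(groupName, accessId != null ? accessId : INVALID_ACCESS_ID);
        return accessId;
    }

    /**
     * Access ID to compare a bound user against: the configured {@code accessId} when it
     * carries the {@code user} prefix, otherwise the cached or freshly resolved registry
     * value.
     *
     * @return the access ID, {@link #INVALID_ACCESS_ID} or {@code null} when unresolvable
     */
    private String resolveUserAccessId(AuthzTableContainer container, User user) {
        String accessId = user.getAccessId();
        if (accessId != null && !accessId.isEmpty() && accessId.startsWith(ACCESS_ID_TYPE_USER)) {
            return accessId;
        }
        String userName = user.getName();
        String cached = container.userToAccessIdMap.get(userName);
        if (cached != null) {
            return cached;
        }
        return updateMissingUserAccessId(container, user, userName);
    }

    /**
     * Access ID to compare a bound group against: the configured {@code accessId} when it
     * carries the {@code group} prefix, otherwise the cached or freshly resolved registry
     * value.
     *
     * @return the access ID, {@link #INVALID_ACCESS_ID} or {@code null} when unresolvable
     */
    private String resolveGroupAccessId(AuthzTableContainer container, Group group) {
        String accessId = group.getAccessId();
        if (accessId != null && !accessId.isEmpty() && accessId.startsWith(ACCESS_ID_TYPE_GROUP)) {
            return accessId;
        }
        String groupName = group.getName();
        String cached = container.groupToAccessIdMap.get(groupName);
        if (cached != null) {
            return cached;
        }
        return updateMissingGroupAccessId(container, group, groupName);
    }

    /**
     * Computes, caches and returns the roles bound to an access ID. Only bindings of the
     * same kind are examined: user bindings for a {@code user}-prefixed ID, group
     * bindings for a {@code group}-prefixed ID, none for anything else. User IDs are
     * compared exactly; group IDs ignore case when the registry is configured to.
     *
     * @param container the application's lookup caches
     * @param accessId  access ID of the caller
     * @return the matching roles, {@link RoleSet#EMPTY_ROLESET} when none is bound, or
     *         {@code null} when the application's roles are gone (it is being stopped)
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private RoleSet computeRolesForAccessId(AuthzTableContainer container, String accessId) {
        Collection<SecurityRole> securityRoles = this.resourceToSecurityRolesMap.get(container.resourceName);
        if (securityRoles == null) {
            return null;
        }
        // Read before the loop (as the original did) so the registry configuration is
        // consulted once per computation.
        boolean ignoreCase = isIgnoreCase();
        boolean isUser = accessId.startsWith(ACCESS_ID_TYPE_USER);
        boolean isGroup = !isUser && accessId.startsWith(ACCESS_ID_TYPE_GROUP);
        HashSet<String> matchedRoles = new HashSet<String>();
        for (SecurityRole securityRole : securityRoles) {
            String roleName = securityRole.getName();
            if (isUser) {
                for (User user : securityRole.getUsers()) {
                    if (accessId.equals(resolveUserAccessId(container, user))) {
                        matchedRoles.add(roleName);
                    }
                }
            } else if (isGroup) {
                for (Group group : securityRole.getGroups()) {
                    String groupAccessId = resolveGroupAccessId(container, group);
                    boolean matches = ignoreCase ? accessId.equalsIgnoreCase(groupAccessId) : accessId.equals(groupAccessId);
                    if (matches) {
                        matchedRoles.add(roleName);
                    }
                }
            }
        }
        RoleSet roleSet = matchedRoles.isEmpty() ? RoleSet.EMPTY_ROLESET : new RoleSet(matchedRoles);
        // Negative results are cached too; the container is replaced on registry change.
        container.accessIdToRolesMap.put(accessId, roleSet);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Added the following subject to role mapping for application: " + container.resourceName + ".", accessId, roleSet);
        }
        return roleSet;
    }

    /**
     * Whether the user registry is configured to ignore case, read once from the
     * registry configuration and cached until {@link #notifyOfUserRegistryChange()}.
     * Concurrent first calls may both compute the value; both write the same result.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private boolean isIgnoreCase() {
        Boolean cached = this.ignoreCaseCache;
        if (cached == null) {
            cached = Boolean.valueOf(new UserRegistryConfigHelper(this.securityServiceRef, this.userRegistryConfiguration, this.configAdminRef).isIgnoreCase());
            this.ignoreCaseCache = cached;
        }
        return cached.booleanValue();
    }

    /**
     * @param resourceName application (resource) name
     * @param accessId     access ID of the caller
     * @return the roles bound to the access ID, or {@code null} if no table exists for
     *         {@code resourceName}
     */
    @Override // com.ibm.ws.security.authorization.AuthorizationTableService
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public RoleSet getRolesForAccessId(String resourceName, String accessId) {
        AuthzTableContainer container = this.authzTableMap.get(resourceName);
        if (container == null) {
            return null;
        }
        RoleSet cached = container.accessIdToRolesMap.get(accessId);
        if (cached != null) {
            return cached;
        }
        // The container found above is reused rather than re-fetched, so a concurrent
        // removeTable() cannot turn this into a NullPointerException.
        return computeRolesForAccessId(container, accessId);
    }

    /**
     * Discards every cached access-ID and role lookup of every application, and the
     * cached ignore-case setting. Resolved IDs embed the realm and unique registry IDs,
     * so anything computed against the previous registry must not survive its change.
     */
    @Override // com.ibm.ws.security.registry.UserRegistryChangeListener
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public void notifyOfUserRegistryChange() {
        for (String resourceName : this.authzTableMap.keySet()) {
            // replace() rather than put(): an application stopped meanwhile must not be resurrected.
            this.authzTableMap.replace(resourceName, new AuthzTableContainer(resourceName));
        }
        this.ignoreCaseCache = null;
    }
}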
