package com.ibm.ws.management.security.internal;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.kernel.boot.jmx.service.MBeanServerForwarderDelegate;
import com.ibm.ws.kernel.boot.jmx.service.MBeanServerPipeline;
import com.ibm.ws.management.security.ManagementSecurityConstants;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.context.SubjectManager;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.management.Attribute;
import javax.management.AttributeList;
import javax.management.AttributeNotFoundException;
import javax.management.InstanceNotFoundException;
import javax.management.InvalidAttributeValueException;
import javax.management.MBeanException;
import javax.management.ObjectName;
import javax.management.ReflectionException;
import javax.security.auth.Subject;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;

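/**
 * MBeanServer pipeline filter that requires the caller to hold the administrator role
 * before an MBean attribute is read or written or an MBean operation is invoked.
 *
 * <p>The filter inserts itself into the {@link MBeanServerPipeline} on activation and removes
 * itself on deactivation. Every guarded call asks the {@link SecurityService}'s authorization
 * service whether the caller is authorized for
 * {@link ManagementSecurityConstants#ADMIN_RESOURCE_NAME}; a denial is audited and surfaces to
 * the caller as a {@link SecurityException}.
 *
 * <p>NOTE(review): this class overrides only {@code getAttribute}, {@code getAttributes},
 * {@code setAttribute}, {@code setAttributes} and {@code invoke}. Any other operation the
 * delegate base class forwards is not checked here; confirm whether those are guarded
 * elsewhere before treating this filter as complete access control for the MBean server.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.management.security_1.0.2.jar:com/ibm/ws/management/security/internal/JMXSecurityMBeanServer.class */
public class JMXSecurityMBeanServer extends MBeanServerForwarderDelegate {
    private static final TraceComponent tc = Tr.register(JMXSecurityMBeanServer.class);
    static final String KEY_MBEAN_SERVER_PIPLINE = "mBeanServerPipeline";
    static final String KEY_SECURITY_SERVICE = "securityService";
    private final AtomicServiceReference<MBeanServerPipeline> pipelineRef = new AtomicServiceReference<>(KEY_MBEAN_SERVER_PIPLINE);
    private final AtomicServiceReference<SecurityService> securityServiceRef = new AtomicServiceReference<>(KEY_SECURITY_SERVICE);
    // Roles that grant access; populated once in the constructor with the administrator role.
    final List<String> requiredRoles = new ArrayList<>();
    static final long serialVersionUID = -1305311308773171573L;

    /** Creates the filter with the administrator role as the only accepted role. */
    public JMXSecurityMBeanServer() {
        this.requiredRoles.add(ManagementSecurityConstants.ADMINISTRATOR_ROLE_NAME);
    }

    /** Binds the MBean server pipeline service reference. */
    protected synchronized void setMBeanServerPipeline(ServiceReference<MBeanServerPipeline> serviceReference) {
        this.pipelineRef.setReference(serviceReference);
    }

    /** Unbinds the MBean server pipeline service reference. */
    protected synchronized void unsetMBeanServerPipeline(ServiceReference<MBeanServerPipeline> serviceReference) {
        this.pipelineRef.unsetReference(serviceReference);
    }

    /** Binds the security service reference. */
    protected synchronized void setSecurityService(ServiceReference<SecurityService> serviceReference) {
        this.securityServiceRef.setReference(serviceReference);
    }

    /** Unbinds the security service reference. */
    protected synchronized void unsetSecurityService(ServiceReference<SecurityService> serviceReference) {
        this.securityServiceRef.unsetReference(serviceReference);
    }

    /**
     * Inserts this filter into the MBean server pipeline unless it is already present.
     *
     * <p>NOTE(review): a failed insert is reported only through debug trace. If the filter is
     * not in the pipeline, calls would not pass through the authorization checks in this
     * class, so consider surfacing the failure at a level operators will see.
     */
    private void insertJMXSecurityFilter() {
        MBeanServerPipeline pipeline = this.pipelineRef.getService();
        boolean debug = TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
        if (pipeline.contains(this)) {
            if (debug) {
                Tr.debug(tc, getClass().getCanonicalName() + " already exists in MBeanServerPipeline", new Object[0]);
            }
            return;
        }
        if (!pipeline.insert(this) && debug) {
            Tr.debug(tc, "Insertion of " + getClass().getCanonicalName() + " into MBeanServerPipeline failed", new Object[0]);
        }
    }

    /** Activates both service references, then installs the filter in the pipeline. */
    protected synchronized void activate(ComponentContext componentContext) {
        this.pipelineRef.activate(componentContext);
        this.securityServiceRef.activate(componentContext);
        insertJMXSecurityFilter();
    }

    /** Removes this filter from the MBean server pipeline if it is still present. */
    private void removeJMXSecurityFilter() {
        MBeanServerPipeline pipeline = this.pipelineRef.getService();
        boolean debug = TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
        if (!pipeline.contains(this)) {
            if (debug) {
                Tr.debug(tc, getClass().getCanonicalName() + " already removed from MBeanServerPipeline", new Object[0]);
            }
            return;
        }
        if (!pipeline.remove(this) && debug) {
            // The original trace text said "into"; a removal is "from" the pipeline.
            Tr.debug(tc, "Removal of " + getClass().getCanonicalName() + " from MBeanServerPipeline failed", new Object[0]);
        }
    }

    /** Removes the filter from the pipeline, then deactivates both service references. */
    protected synchronized void deactivate(ComponentContext componentContext) {
        removeJMXSecurityFilter();
        this.pipelineRef.deactivate(componentContext);
        this.securityServiceRef.deactivate(componentContext);
    }

    /**
     * Returns the priority of this filter within the pipeline.
     *
     * @return {@link Integer#MAX_VALUE}; presumably this places the security filter ahead of
     *         every other delegate (confirm against the pipeline's ordering rules)
     */
    @Override // com.ibm.ws.kernel.boot.jmx.service.MBeanServerForwarderDelegate
    public int getPriority() {
        return Integer.MAX_VALUE;
    }

    /**
     * Asks the authorization service whether the caller holds one of {@link #requiredRoles}
     * for the admin resource.
     *
     * <p>The subject argument is passed as {@code null}; presumably the authorization service
     * then evaluates the current invocation subject (confirm). If the security service is not
     * bound, the chained call fails with a runtime exception, so the guarded operation is
     * still not executed.
     *
     * @return {@code true} when the authorization service grants access
     */
    private boolean isAuthorized() {
        return this.securityServiceRef.getService().getAuthorizationService().isAuthorized(ManagementSecurityConstants.ADMIN_RESOURCE_NAME, this.requiredRoles, null);
    }

    /**
     * Audits the authorization failure and rejects the call.
     *
     * <p>The user name comes from the first principal of the invocation subject. A missing
     * subject, or a subject without principals, is reported as {@code UNAUTHENTICATED} so that
     * the audit record and the {@link SecurityException} are always produced instead of the
     * lookup failing before the denial is recorded.
     *
     * @throws SecurityException always
     */
    private void throwAuthzException() throws SecurityException {
        String name = "UNAUTHENTICATED";
        // Read the subject once so the null check and the principal lookup see the same object.
        Subject subject = new SubjectManager().getInvocationSubject();
        if (subject != null) {
            Iterator<? extends Principal> principals = subject.getPrincipals().iterator();
            if (principals.hasNext()) {
                name = principals.next().getName();
            }
        }
        Tr.audit(tc, "MANAGEMENT_SECURITY_AUTHZ_FAILED", name, "MBeanAccess", this.requiredRoles);
        throw new SecurityException(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "MANAGEMENT_SECURITY_AUTHZ_FAILED", new Object[]{name, "MBeanAccess", this.requiredRoles}, "CWWKX0100A: Authorization failed for user {0} while invoking management operation {1}. The user is not granted access to any of the required roles: {2}."));
    }

    /**
     * Reads one MBean attribute after the authorization check.
     *
     * @throws SecurityException if the caller is not authorized
     */
    @Override // com.ibm.ws.kernel.boot.jmx.service.MBeanServerForwarderDelegate
    public Object getAttribute(ObjectName objectName, String str) throws MBeanException, AttributeNotFoundException, InstanceNotFoundException, ReflectionException {
        if (!isAuthorized()) {
            throwAuthzException();
        }
        return super.getAttribute(objectName, str);
    }

    /**
     * Reads several MBean attributes after the authorization check.
     *
     * @throws SecurityException if the caller is not authorized
     */
    @Override // com.ibm.ws.kernel.boot.jmx.service.MBeanServerForwarderDelegate
    public AttributeList getAttributes(ObjectName objectName, String[] strArr) throws InstanceNotFoundException, ReflectionException {
        if (!isAuthorized()) {
            throwAuthzException();
        }
        return super.getAttributes(objectName, strArr);
    }

    /**
     * Writes one MBean attribute after the authorization check.
     *
     * @throws SecurityException if the caller is not authorized
     */
    @Override // com.ibm.ws.kernel.boot.jmx.service.MBeanServerForwarderDelegate
    public void setAttribute(ObjectName objectName, Attribute attribute) throws InstanceNotFoundException, AttributeNotFoundException, InvalidAttributeValueException, MBeanException, ReflectionException {
        if (!isAuthorized()) {
            throwAuthzException();
        }
        super.setAttribute(objectName, attribute);
    }

    /**
     * Writes several MBean attributes after the authorization check.
     *
     * @throws SecurityException if the caller is not authorized
     */
    @Override // com.ibm.ws.kernel.boot.jmx.service.MBeanServerForwarderDelegate
    public AttributeList setAttributes(ObjectName objectName, AttributeList attributeList) throws InstanceNotFoundException, ReflectionException {
        if (!isAuthorized()) {
            throwAuthzException();
        }
        return super.setAttributes(objectName, attributeList);
    }

    /**
     * Invokes an MBean operation after the authorization check.
     *
     * @throws SecurityException if the caller is not authorized
     */
    @Override // com.ibm.ws.kernel.boot.jmx.service.MBeanServerForwarderDelegate
    public Object invoke(ObjectName objectName, String str, Object[] objArr, String[] strArr) throws InstanceNotFoundException, MBeanException, ReflectionException {
        if (!isAuthorized()) {
            throwAuthzException();
        }
        return super.invoke(objectName, str, objArr, strArr);
    }
}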
