package com.ibm.ws.collective.member.security.internal;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.collective.member.security.SingletonAuthorizer;
import com.ibm.ws.collective.security.CollectiveServerCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.context.SubjectManager;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.management.DynamicMBean;
import javax.security.auth.Subject;
import org.apache.openjpa.persistence.query.AbstractVisitable;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicyOption;

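/**
 * Authorizes invocations of SingletonServiceMessenger MBean operations based on
 * the caller {@link Subject} supplied by the {@link SubjectManager}.
 *
 * <p>Decision order, as implemented in {@link #isAuthorized(String)}:
 * <ul>
 * <li>no caller subject: granted (treated as the server itself);</li>
 * <li>subject without a {@link CollectiveServerCredential}: granted (treated as an
 * administrative user);</li>
 * <li>credential of a collective controller: granted;</li>
 * <li>credential of a collective member: granted when this server is itself a
 * collective controller, otherwise granted only if the caller's host resolves to
 * the same address as this server's host; unresolvable hosts are denied.</li>
 * </ul>
 *
 * <p>NOTE(review): the first two branches grant access without any check of their
 * own; they rely on the authentication layer in front of this class to control who
 * can reach it with no subject or with no collective credential. The same-host
 * check compares a host name taken from the caller-presented credential, so it is
 * only as trustworthy as the issuance of that credential.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(service = {SingletonAuthorizer.class}, configurationPolicy = ConfigurationPolicy.IGNORE, immediate = true, property = {"service.vendor=IBM"})
/* loaded from: input_file:wlp/lib/com.ibm.ws.collective.member.security_1.0.1.jar:com/ibm/ws/collective/member/security/internal/SingletonAuthorizerImpl.class */
public class SingletonAuthorizerImpl implements SingletonAuthorizer {
    private static final TraceComponent tc = Tr.register(SingletonAuthorizerImpl.class);
    static final long serialVersionUID = -7780201707747618689L;

    /** Source of the caller subject; assigned once by the constructors. */
    private final SubjectManager subjectManager;

    /**
     * True while the CollectiveRepository MBean is bound, i.e. while this server acts
     * as a collective controller. Written by the DS bind/unbind callbacks and read on
     * MBean caller threads, hence volatile so updates are visible across threads.
     */
    private volatile boolean isCollectiveController = false;

    /** Resolves host names to addresses; replaceable through {@link #setHostNameResolver}. */
    private HostNameResolver resolver = new HostNameResolver();

    /**
     * DS bind callback: the presence of the CollectiveRepository MBean marks this
     * server as a collective controller.
     *
     * @param serviceReference the bound MBean reference (unused beyond its presence)
     */
    @Reference(service = DynamicMBean.class, target = "(jmx.objectname=WebSphere:feature=collectiveController,type=CollectiveRepository,name=CollectiveRepository)", cardinality = ReferenceCardinality.OPTIONAL, policyOption = ReferencePolicyOption.GREEDY)
    protected void setCollectiveRepositoryMBean(ServiceReference<DynamicMBean> serviceReference) {
        this.isCollectiveController = true;
    }

    /**
     * DS unbind callback: without the CollectiveRepository MBean this server is a
     * plain collective member.
     *
     * @param serviceReference the unbound MBean reference (unused)
     */
    protected void unsetCollectiveRepositoryMBean(ServiceReference<DynamicMBean> serviceReference) {
        this.isCollectiveController = false;
    }

    /** Creates an authorizer backed by a newly created {@link SubjectManager}. */
    public SingletonAuthorizerImpl() {
        this(new SubjectManager());
    }

    /**
     * Creates an authorizer backed by the supplied subject manager.
     *
     * @param subjectManager provider of the caller subject; expected to be non-null
     */
    public SingletonAuthorizerImpl(SubjectManager subjectManager) {
        this.subjectManager = subjectManager;
    }

    /** DS activation hook; no state to initialize. */
    @Activate
    protected void activate() {
    }

    /** DS deactivation hook; no state to release. */
    @Deactivate
    protected void deactivate() {
    }

    /**
     * Replaces the host name resolver used by the same-host check.
     *
     * @param hostNameResolver the resolver to use from now on
     */
    protected void setHostNameResolver(HostNameResolver hostNameResolver) {
        this.resolver = hostNameResolver;
    }

    /**
     * Checks whether the current caller may invoke the named MBean operation.
     *
     * @param str the MBean operation being invoked; only used in the denial message
     * @throws AccessControlException when the caller is a collective member on a
     *         different (or unresolvable) host than this server
     */
    @Override // com.ibm.ws.collective.member.security.SingletonAuthorizer
    public void isAuthorized(String str) throws AccessControlException {
        Subject callerSubject = this.subjectManager.getCallerSubject();
        if (callerSubject == null) {
            // No subject at all is treated as the server itself and granted access.
            traceEvent("Access granted.  Caller Subject is null: unauthenticated user, the server itself");
            return;
        }
        Set<CollectiveServerCredential> credentials = callerSubject.getPrivateCredentials(CollectiveServerCredential.class);
        // Only the first collective credential is consulted, as before.
        CollectiveServerCredential credential = credentials.isEmpty() ? null : credentials.iterator().next();
        if (credential == null) {
            traceEvent("Access granted.  Caller Subject is not null, but has no collective server credential: an admin user.");
            return;
        }
        boolean callerIsController = credential.isCollectiveController();
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Collective member credential: isCollectiveController = " + callerIsController, new Object[0]);
        }
        if (callerIsController) {
            traceEvent("Access granted. Caller Subject is not null and has a private credential of a collective controller.");
            return;
        }
        if (this.isCollectiveController) {
            traceEvent("Access granted. Caller Subject is a member calling into a collective controller.");
            return;
        }
        // Member calling another member: permitted only from the same host.
        requireSameHost(credential, str);
    }

    /**
     * Grants access only when the calling member's host resolves to the same address
     * as this server's host; every other outcome, including a resolution failure,
     * is a denial (the check fails closed).
     *
     * @param credential the caller's collective credential, source of the host name
     * @param operation the MBean operation, used in the NLS denial message
     * @throws AccessControlException when the hosts differ, the host name is absent,
     *         or either host cannot be resolved
     */
    private void requireSameHost(CollectiveServerCredential credential, String operation) throws AccessControlException {
        String hostName = credential.getHostName();
        if (hostName == null) {
            // Fail closed instead of NPE: a credential without a host cannot be matched to this host.
            String denied = "Access is denied. The caller's collective server credential carries no host name.";
            traceEvent(denied);
            throw new AccessControlException(denied);
        }
        String trimmedHostName = hostName.trim();
        // NOTE(review): only the IPv4 loopback literal and "localhost" are short-circuited here;
        // other loopback forms (e.g. the IPv6 loopback) go through name resolution below.
        if (trimmedHostName.equalsIgnoreCase("localhost") || trimmedHostName.equals("127.0.0.1")) {
            traceEvent("Access granted. Caller is a member on localhost");
            return;
        }
        try {
            String localHost = localHostAddress();
            // assumes the resolver returns a non-null address or throws — TODO confirm
            String localAddress = this.resolver.getHostAddressByName(localHost);
            String callerAddress = this.resolver.getHostAddressByName(hostName);
            if (localAddress.equals(callerAddress)) {
                traceEvent("Access granted. Caller is a member on the same host as this member:  " + localHost);
                return;
            }
            traceEvent("Access is denied. The caller is a member from a different host [" + hostName + "(" + callerAddress
                       + ")] than this member's host [" + localHost + "(" + localAddress + ")]");
            throw new AccessControlException(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "SINGLETON_ACCESS_DENIED", new Object[]{operation, hostName, localHost}, "CWWKX9399E: The SingletonServiceMessenger MBean {0} operation cannot be completed. Permission is denied for the calling member on host {1} to complete the operation on the target member on different host {2}."));
        } catch (UnknownHostException e) {
            FFDCFilter.processException(e, "com.ibm.ws.collective.member.security.internal.SingletonAuthorizerImpl", "236", this, new Object[]{credential, operation});
            // An unresolvable host means same-host membership cannot be confirmed: deny.
            String denied = "Access is denied. Unable to confirm the members are on the same host due to unresolvable host: " + e.getMessage();
            traceEvent(denied);
            AccessControlException accessControlException = new AccessControlException(denied);
            accessControlException.initCause(e);
            accessControlException.setStackTrace(e.getStackTrace());
            throw accessControlException;
        }
    }

    /**
     * Resolves this server's local host address under this class's own protection
     * domain rather than the caller's.
     *
     * @return the local host address as a string
     * @throws UnknownHostException when the local host cannot be resolved
     */
    private static String localHostAddress() throws UnknownHostException {
        Object result = AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override // java.security.PrivilegedAction
            @FFDCIgnore({UnknownHostException.class})
            public Object run() {
                try {
                    return InetAddress.getLocalHost().getHostAddress();
                } catch (UnknownHostException e) {
                    // Returned rather than thrown: PrivilegedAction.run() cannot throw checked exceptions.
                    return e;
                }
            }
        });
        if (result instanceof UnknownHostException) {
            throw (UnknownHostException) result;
        }
        return (String) result;
    }

    /**
     * Emits an event-level trace entry, guarded the same way the rest of the
     * component guards its tracing.
     *
     * @param message the trace text
     */
    private static void traceEvent(String message) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEventEnabled()) {
            Tr.event(tc, message, new Object[0]);
        }
    }
}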
