package com.ibm.ws.security.authorization.builtin.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authorization.AccessDecisionService;
import com.ibm.ws.security.authorization.AuthorizationService;
import com.ibm.ws.security.authorization.AuthorizationTableService;
import com.ibm.ws.security.authorization.FeatureAuthorizationTableService;
import com.ibm.ws.security.authorization.RoleSet;
import com.ibm.ws.security.context.SubjectManager;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceSet;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.CredentialExpiredException;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;

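/**
 * Built-in role-based implementation of {@link AuthorizationService}.
 *
 * <p>An access check runs through a fixed sequence of short-circuits, in this
 * order: no required roles (grant); EVERYONE mapped to a required role
 * (grant, evaluated before the subject is examined); subject without a usable
 * authenticated {@link WSCredential} (deny); ALL_AUTHENTICATED_USERS mapped to
 * a required role (grant); the subject's own access id and then each of its
 * group ids looked up in the role tables. The grant/deny verdict for a given
 * role set is always delegated to the bound {@link AccessDecisionService}.
 *
 * <p>Role mappings come from one of two places: when a
 * {@link FeatureAuthorizationTableService} is bound and reports a role header
 * other than {@code "com.ibm.ws.management"}, that feature table alone is
 * consulted; otherwise every registered {@link AuthorizationTableService} is
 * asked and exactly one of them must claim the resource.
 *
 * <p>Security notes. Conditions that cannot be resolved unambiguously resolve
 * to a denial rather than a grant: no decision service bound, a resource name
 * claimed by more than one table, an access id that cannot be read from the
 * credential. Event-level trace passes the {@link Subject} itself to the
 * trace facility, so enabling it writes principal details into the trace log.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.authorization.builtin_1.0.9.jar:com/ibm/ws/security/authorization/builtin/internal/BuiltinAuthorizationService.class */
public class BuiltinAuthorizationService implements AuthorizationService {
    private static final TraceComponent tc = Tr.register(BuiltinAuthorizationService.class);
    protected static final String KEY_ACCESS_DECISION_SERVICE = "accessDecisionService";
    protected static final String KEY_AUTHORIZATION_TABLE_SERVICE = "authorizationTableService";
    static final String KEY_FEATURE_SECURITY_AUTHZ_SERVICE = "featureAuthzTableService";
    /** Feature role header value that means "use the built-in tables, not the feature table". */
    private static final String MGMT_AUTHZ_ROLES = "com.ibm.ws.management";
    static final long serialVersionUID = -1775444214011634357L;
    private final AtomicServiceReference<AccessDecisionService> accessDecisionServiceRef = new AtomicServiceReference<>(KEY_ACCESS_DECISION_SERVICE);
    private final ConcurrentServiceReferenceSet<AuthorizationTableService> authorizationTables = new ConcurrentServiceReferenceSet<>(KEY_AUTHORIZATION_TABLE_SERVICE);
    private final SubjectManager subjManager = new SubjectManager();
    private final AtomicServiceReference<FeatureAuthorizationTableService> featureAuthzTableServiceRef = new AtomicServiceReference<>(KEY_FEATURE_SECURITY_AUTHZ_SERVICE);

    // --- Declarative Services bind/unbind/lifecycle hooks -------------------

    protected void setAccessDecisionService(ServiceReference<AccessDecisionService> serviceReference) {
        this.accessDecisionServiceRef.setReference(serviceReference);
    }

    protected void unsetAccessDecisionService(ServiceReference<AccessDecisionService> serviceReference) {
        this.accessDecisionServiceRef.unsetReference(serviceReference);
    }

    protected void setAuthorizationTableService(ServiceReference<AuthorizationTableService> serviceReference) {
        this.authorizationTables.addReference(serviceReference);
    }

    protected void unsetAuthorizationTableService(ServiceReference<AuthorizationTableService> serviceReference) {
        this.authorizationTables.removeReference(serviceReference);
    }

    protected void setFeatureAuthzTableService(ServiceReference<FeatureAuthorizationTableService> serviceReference) {
        this.featureAuthzTableServiceRef.setReference(serviceReference);
    }

    protected void unsetFeatureAuthzTableService(ServiceReference<FeatureAuthorizationTableService> serviceReference) {
        this.featureAuthzTableServiceRef.unsetReference(serviceReference);
    }

    protected void activate(ComponentContext componentContext) {
        this.accessDecisionServiceRef.activate(componentContext);
        this.authorizationTables.activate(componentContext);
        this.featureAuthzTableServiceRef.activate(componentContext);
    }

    protected void deactivate(ComponentContext componentContext) {
        this.accessDecisionServiceRef.deactivate(componentContext);
        this.authorizationTables.deactivate(componentContext);
        this.featureAuthzTableServiceRef.deactivate(componentContext);
    }

    // --- Public authorization API ------------------------------------------

    /**
     * Decides whether {@code subject} may access {@code resourceName} given the
     * roles the resource requires.
     *
     * @param resourceName  resource being accessed; must not be null
     * @param requiredRoles roles of which the subject must hold at least one;
     *                      must not be null, an empty collection grants access
     * @param subject       subject to check, or null for the caller subject of
     *                      the current thread
     * @return true if access is granted
     * @throws NullPointerException if {@code resourceName} or {@code requiredRoles} is null
     */
    @Override // com.ibm.ws.security.authorization.AuthorizationService
    public boolean isAuthorized(String resourceName, Collection<String> requiredRoles, Subject subject) {
        validateInput(resourceName, requiredRoles);
        // A null subject means "whoever is the caller on this thread".
        Subject effectiveSubject = (subject != null) ? subject : this.subjManager.getCallerSubject();
        boolean trace = isEventTraceEnabled();
        if (trace) {
            Tr.event(tc, "Determining if Subject is authorized to access resource " + resourceName + ". Specified required roles are " + requiredRoles + ".", effectiveSubject);
        }
        // Nothing required, so nothing can be missing.
        if (requiredRoles.isEmpty()) {
            if (trace) {
                Tr.event(tc, "Subject is authorized to access resource " + resourceName + " as there are no required roles.", effectiveSubject);
            }
            return true;
        }
        // EVERYONE is evaluated before the subject, so an unauthenticated caller can be granted here.
        if (isEveryoneGranted(resourceName, requiredRoles)) {
            if (trace) {
                Tr.event(tc, "Subject is authorized to access resource " + resourceName + " as everyone is authorized.", effectiveSubject);
            }
            return true;
        }
        // Everything below requires a real, authenticated credential.
        if (!isSubjectValid(effectiveSubject)) {
            if (trace) {
                Tr.event(tc, "Subject is NOT authorized to access resource " + resourceName + " as the subject is not valid.", effectiveSubject);
            }
            return false;
        }
        if (isAllAuthenticatedGranted(resourceName, requiredRoles, effectiveSubject)) {
            if (trace) {
                Tr.event(tc, "Subject is authorized to access resource " + resourceName + " as all authenticated users are authorized.", effectiveSubject);
            }
            return true;
        }
        boolean granted = isSubjectAuthorized(resourceName, requiredRoles, effectiveSubject);
        if (trace) {
            if (granted) {
                Tr.event(tc, "Subject is authorized to access resource " + resourceName + " as the Subject possesses one of the required roles.", effectiveSubject);
            } else {
                Tr.event(tc, "Subject is NOT authorized to access resource " + resourceName + " as the Subject does not possess one of the required roles: " + new ArrayList<String>(requiredRoles), effectiveSubject);
            }
        }
        return granted;
    }

    /**
     * Decides whether the EVERYONE special subject is mapped to one of the
     * required roles for {@code resourceName}. No subject is consulted.
     *
     * @param resourceName  resource being accessed; must not be null
     * @param requiredRoles required roles; must not be null, empty grants access
     * @return true if everyone is granted access
     * @throws NullPointerException if {@code resourceName} or {@code requiredRoles} is null
     */
    @Override // com.ibm.ws.security.authorization.AuthorizationService
    public boolean isEveryoneGranted(String resourceName, Collection<String> requiredRoles) {
        validateInput(resourceName, requiredRoles);
        boolean trace = isEventTraceEnabled();
        if (trace) {
            Tr.event(tc, "Determining if Everyone is authorized to access resource " + resourceName + ". Specified required roles are " + requiredRoles + ".", new Object[0]);
        }
        if (requiredRoles.isEmpty()) {
            if (trace) {
                Tr.event(tc, "Everyone is granted access to resource " + resourceName + " as there are no required roles.", new Object[0]);
            }
            return true;
        }
        AccessDecisionService decider = this.accessDecisionServiceRef.getService();
        if (decider == null) {
            // Fail closed: with no decision service bound nobody can say "yes".
            if (trace) {
                Tr.event(tc, "Everyone is NOT granted access to resource " + resourceName + " as no access decision service is available.", new Object[0]);
            }
            return false;
        }
        Collection<String> everyoneRoles = getRolesForSpecialSubject(resourceName, AuthorizationTableService.EVERYONE);
        boolean granted = decider.isGranted(resourceName, requiredRoles, everyoneRoles, null);
        if (trace) {
            if (granted) {
                Tr.event(tc, "Everyone is granted access to resource " + resourceName + ".", new Object[0]);
            } else {
                Tr.event(tc, "Everyone is NOT granted access to resource " + resourceName + ".", new Object[0]);
            }
        }
        return granted;
    }

    /**
     * Decides whether the ALL_AUTHENTICATED_USERS special subject is mapped to
     * one of the required roles. Callers are expected to have already
     * established that {@code subject} is an authenticated subject.
     *
     * @return true if all authenticated users are granted access; false when
     *         no {@link AccessDecisionService} is bound (fail closed)
     */
    protected boolean isAllAuthenticatedGranted(String resourceName, Collection<String> requiredRoles, Subject subject) {
        AccessDecisionService decider = this.accessDecisionServiceRef.getService();
        if (decider == null) {
            return false;
        }
        Collection<String> allAuthRoles = getRolesForSpecialSubject(resourceName, AuthorizationTableService.ALL_AUTHENTICATED_USERS);
        return decider.isGranted(resourceName, requiredRoles, allAuthRoles, subject);
    }

    // --- Role table lookup --------------------------------------------------

    /** Roles mapped to a special subject (EVERYONE, ALL_AUTHENTICATED_USERS) for a resource, or null. */
    private Collection<String> getRolesForSpecialSubject(String resourceName, String specialSubject) {
        return lookupRoles(resourceName, specialSubject, true);
    }

    /** Roles mapped to a user or group access id for a resource, or null. */
    private Collection<String> getRolesForAccessId(String resourceName, String accessId) {
        return lookupRoles(resourceName, accessId, false);
    }

    /**
     * Shared lookup behind {@link #getRolesForSpecialSubject} and
     * {@link #getRolesForAccessId}.
     *
     * <p>If a feature authorization table is bound and its role header is
     * anything other than {@code com.ibm.ws.management}, that table is
     * authoritative. Otherwise every built-in table is consulted; if more
     * than one of them answers for the same resource name the mapping is
     * ambiguous, an error is logged and {@code null} (no roles) is returned
     * so that the ambiguity cannot turn into a grant.
     *
     * @param resourceName   resource whose mapping is wanted
     * @param key            special-subject name or access id
     * @param specialSubject true to query the special-subject mapping, false for access ids
     * @return the mapped roles, or null if none / ambiguous
     */
    private Collection<String> lookupRoles(String resourceName, String key, boolean specialSubject) {
        FeatureAuthorizationTableService featureTable = this.featureAuthzTableServiceRef.getService();
        String roleHeader = (featureTable == null) ? null : featureTable.getFeatureAuthzRoleHeaderValue();
        if (roleHeader != null && !roleHeader.equals(MGMT_AUTHZ_ROLES)) {
            return specialSubject
                    ? featureTable.getRolesForSpecialSubject(resourceName, key)
                    : featureTable.getRolesForAccessId(resourceName, key);
        }
        RoleSet found = null;
        int claimants = 0;
        Iterator<AuthorizationTableService> tables = this.authorizationTables.getServices();
        while (tables.hasNext()) {
            AuthorizationTableService table = tables.next();
            RoleSet candidate = specialSubject
                    ? table.getRolesForSpecialSubject(resourceName, key)
                    : table.getRolesForAccessId(resourceName, key);
            if (candidate != null) {
                found = candidate;
                claimants++;
            }
        }
        if (claimants > 1) {
            Tr.error(tc, "AUTHZ_MULTIPLE_RESOURCES_WITH_SAME_NAME", resourceName);
            return null;
        }
        return found;
    }

    // --- Subject / credential handling --------------------------------------

    /**
     * Checks the subject's own access id and then each of its group ids
     * against the role tables, stopping at the first grant.
     *
     * @return true if the decision service grants access for the user's or
     *         one of the groups' mapped roles
     */
    private boolean isSubjectAuthorized(String resourceName, Collection<String> requiredRoles, Subject subject) {
        AccessDecisionService decider = this.accessDecisionServiceRef.getService();
        if (decider == null) {
            return false;
        }
        WSCredential credential = getWSCredentialFromSubject(subject);
        String accessId = getAccessId(credential);
        // A credential whose access id cannot be read (expired/destroyed) earns no roles of its own.
        if (accessId != null
                && decider.isGranted(resourceName, requiredRoles, getRolesForAccessId(resourceName, accessId), subject)) {
            return true;
        }
        String[] groupIds = getGroupIds(credential);
        if (groupIds == null) {
            return false;
        }
        for (String groupId : groupIds) {
            Collection<String> groupRoles = getRolesForAccessId(resourceName, groupId);
            // Groups with no mapping for this resource are skipped rather than asked to decide.
            if (groupRoles != null && decider.isGranted(resourceName, requiredRoles, groupRoles, subject)) {
                return true;
            }
        }
        return false;
    }

    /** First {@link WSCredential} among the subject's public credentials, or null. */
    private WSCredential getWSCredentialFromSubject(Subject subject) {
        if (subject == null) {
            return null;
        }
        Set<Object> publicCredentials = subject.getPublicCredentials();
        if (publicCredentials == null || publicCredentials.isEmpty()) {
            return null;
        }
        for (Object credential : publicCredentials) {
            if (credential instanceof WSCredential) {
                return (WSCredential) credential;
            }
        }
        return null;
    }

    /**
     * Access id of the credential, or null if the credential is absent,
     * expired or destroyed. Exceptions are recorded via FFDC and debug trace
     * only; the null return makes the caller treat the user as role-less.
     */
    private String getAccessId(WSCredential credential) {
        if (credential == null) {
            return null;
        }
        try {
            return credential.getAccessId();
        } catch (CredentialDestroyedException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.authorization.builtin.internal.BuiltinAuthorizationService", "351", this, new Object[]{credential});
            if (isDebugTraceEnabled()) {
                Tr.debug(tc, "Caught exception getting the access id: " + e, new Object[0]);
            }
        } catch (CredentialExpiredException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.authorization.builtin.internal.BuiltinAuthorizationService", "347", this, new Object[]{credential});
            if (isDebugTraceEnabled()) {
                Tr.debug(tc, "Caught exception getting the access id: " + e, new Object[0]);
            }
        }
        return null;
    }

    /**
     * Group access ids of the credential as an array, or null if the
     * credential is absent, expired, destroyed or reports no groups.
     */
    private String[] getGroupIds(WSCredential credential) {
        if (credential == null) {
            return null;
        }
        ArrayList<?> groupIds = null;
        try {
            groupIds = credential.getGroupIds();
        } catch (CredentialExpiredException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.authorization.builtin.internal.BuiltinAuthorizationService", "374", this, new Object[]{credential});
            if (isDebugTraceEnabled()) {
                Tr.debug(tc, "Caught exception getting the group access ids: " + e, new Object[0]);
            }
        } catch (CredentialDestroyedException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.authorization.builtin.internal.BuiltinAuthorizationService", "378", this, new Object[]{credential});
            if (isDebugTraceEnabled()) {
                Tr.debug(tc, "Caught exception getting the group access ids: " + e, new Object[0]);
            }
        }
        if (groupIds == null) {
            return null;
        }
        return groupIds.toArray(new String[groupIds.size()]);
    }

    /**
     * Rejects null arguments up front so a missing resource name or role set
     * can never be mistaken for "no roles required".
     *
     * @throws NullPointerException if either argument is null
     */
    private void validateInput(String resourceName, Collection<String> requiredRoles) {
        if (requiredRoles == null) {
            throw new NullPointerException("requiredRoles cannot be null.");
        }
        if (resourceName == null) {
            throw new NullPointerException("resourceName cannot be null.");
        }
    }

    /**
     * A subject is usable for role checks only if it carries a
     * {@link WSCredential} that is neither the unauthenticated credential nor
     * a basic-auth credential; both of those are rejected, so they can only
     * ever be granted via the EVERYONE mapping checked earlier.
     */
    private boolean isSubjectValid(Subject subject) {
        WSCredential credential = getWSCredentialFromSubject(subject);
        if (credential == null) {
            return false;
        }
        return !credential.isUnauthenticated() && !credential.isBasicAuth();
    }

    // --- Trace helpers -----------------------------------------------------

    private static boolean isEventTraceEnabled() {
        return TraceComponent.isAnyTracingEnabled() && tc.isEventEnabled();
    }

    private static boolean isDebugTraceEnabled() {
        return TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
    }
}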
