package com.ibm.ws.management.security.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.management.security.ManagementRole;
import com.ibm.ws.management.security.ManagementSecurityConstants;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.AccessIdUtil;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.authorization.AuthorizationTableService;
import com.ibm.ws.security.authorization.RoleSet;
import com.ibm.ws.security.registry.EntryNotFoundException;
import com.ibm.ws.security.registry.RegistryException;
import com.ibm.ws.security.registry.UserRegistry;
import com.ibm.ws.security.registry.UserRegistryChangeListener;
import com.ibm.ws.security.registry.UserRegistryService;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceSet;
import java.util.Dictionary;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.osgi.framework.ServiceReference;
import org.osgi.service.cm.Configuration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.osgi.service.component.ComponentContext;

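/**
 * Authorization table backing the management ("admin") resource.
 *
 * <p>Role membership is collected from the bound {@link ManagementRole} services
 * (each contributes a role name plus user names and group names) by
 * {@link #populateInitialAuthorizationTable()}. Configured names are resolved
 * lazily into access IDs via the configured {@link UserRegistry}
 * ({@link #getUserAccessId}/{@link #getGroupAccessId}) and cached until
 * {@link #notifyOfUserRegistryChange()} drops the caches.
 *
 * <p>Security-relevant behaviour established by this class:
 * <ul>
 *   <li>Any access ID for which {@link AccessIdUtil#isServerAccessId} is true is
 *       granted the Administrator role unconditionally, without consulting the
 *       configured roles (see {@link #rolesForAccessId}).</li>
 *   <li>The special subject {@link AuthorizationTableService#ALL_AUTHENTICATED_USERS}
 *       maps to the all-authenticated-users role, for the admin resource only.</li>
 *   <li>Access-ID comparison is case-insensitive when the registry type is LDAP or
 *       WIM unless the LDAP registry configuration sets {@code ignoreCase=false};
 *       for any other registry type it is an exact match (see {@link #getIgnoreCase}).
 *       When the LDAP configuration cannot be read the comparison stays
 *       case-insensitive.</li>
 *   <li>For any resource other than the admin resource this table answers
 *       {@code null}, i.e. it has no opinion.</li>
 * </ul>
 *
 * <p>NOTE(review): the lookup maps are plain {@link HashMap}s. They are rebuilt in
 * the {@code synchronized} DS lifecycle methods, but are also written from
 * {@link #findRolesForAccessId} and {@link #notifyOfUserRegistryChange} and read from
 * {@link #getRolesForAccessId} without synchronization. Concurrent authorization
 * checks racing with a role or registry change are therefore not guarded here —
 * confirm the caller's threading contract before relying on that.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.management.security_1.0.12.jar:com/ibm/ws/management/security/internal/ManagementSecurityAuthorizationTable.class */
public class ManagementSecurityAuthorizationTable implements AuthorizationTableService, UserRegistryChangeListener {
    static final String KEY_SECURITY_SERVICE = "securityService";
    static final String KEY_MANAGEMENT_ROLE = "managementRole";
    /** ConfigurationAdmin filter selecting every LDAP registry configuration. */
    static final String KEY_LDAP_REGISTRY = "(service.factoryPid=com.ibm.ws.security.registry.ldap.config)";
    static final String KEY_IGNORE_CASE = "ignoreCase";
    /** Role set handed to server identities: Administrator only. */
    private final RoleSet ADMIN_ROLE_SET;
    static final String KEY_CONFIG_ADMIN = "configurationAdmin";
    private static final RoleSet ALL_AUTHENTICATED_USERS_ROLESET;
    static final long serialVersionUID = -138313022265335081L;
    private static final TraceComponent tc = Tr.register(ManagementSecurityAuthorizationTable.class);
    private static HashSet<String> ALL_AUTHENTICATED_USERS_SET = new HashSet<>();
    private final AtomicServiceReference<SecurityService> securityServiceRef = new AtomicServiceReference<>("securityService");
    private final ConcurrentServiceReferenceSet<ManagementRole> managementRoles = new ConcurrentServiceReferenceSet<>(KEY_MANAGEMENT_ROLE);
    protected final AtomicServiceReference<ConfigurationAdmin> configAdminRef = new AtomicServiceReference<>("configurationAdmin");
    /** Resolved access ID -> roles; populated lazily, first writer for a given ID wins. */
    private final Map<String, RoleSet> accessIdToRoles = new HashMap<>();
    /** Configured user name -> access ID resolved through the registry. */
    private final Map<String, String> userToAccessId = new HashMap<>();
    /** Configured group name -> access ID resolved through the registry. */
    private final Map<String, String> groupToAccessId = new HashMap<>();
    /** Configured user name -> roles, as declared by the ManagementRole services. */
    private final Map<String, RoleSet> userToRoles = new HashMap<>();
    /** Configured group name -> roles, as declared by the ManagementRole services. */
    private final Map<String, RoleSet> groupToRoles = new HashMap<>();
    /** True once {@link #isIgnoreCase} has cached a value; reset on registry change. */
    private boolean isIgnoreCaseSet = false;
    private boolean isIgnoreCase = false;

    public ManagementSecurityAuthorizationTable() {
        Set<String> adminOnly = new HashSet<>();
        adminOnly.add(ManagementSecurityConstants.ADMINISTRATOR_ROLE_NAME);
        this.ADMIN_ROLE_SET = new RoleSet(adminOnly);
    }

    protected void setSecurityService(ServiceReference<SecurityService> serviceReference) {
        this.securityServiceRef.setReference(serviceReference);
    }

    protected void unsetSecurityService(ServiceReference<SecurityService> serviceReference) {
        this.securityServiceRef.unsetReference(serviceReference);
    }

    /** Binds a ManagementRole and rebuilds the whole table from the current role set. */
    protected synchronized void setManagementRole(ServiceReference<ManagementRole> serviceReference) {
        this.managementRoles.addReference(serviceReference);
        populateInitialAuthorizationTable();
    }

    /** A ManagementRole's properties changed; rebuild the table from scratch. */
    protected synchronized void updatedManagementRole(ServiceReference<ManagementRole> serviceReference) {
        populateInitialAuthorizationTable();
    }

    /** Unbinds a ManagementRole and rebuilds the table without it. */
    protected synchronized void unsetManagementRole(ServiceReference<ManagementRole> serviceReference) {
        this.managementRoles.removeReference(serviceReference);
        populateInitialAuthorizationTable();
    }

    protected void setConfigurationAdmin(ServiceReference<ConfigurationAdmin> serviceReference) {
        this.configAdminRef.setReference(serviceReference);
    }

    protected void unsetConfigurationAdmin(ServiceReference<ConfigurationAdmin> serviceReference) {
        this.configAdminRef.unsetReference(serviceReference);
    }

    protected synchronized void activate(ComponentContext componentContext) {
        this.securityServiceRef.activate(componentContext);
        this.managementRoles.activate(componentContext);
        this.configAdminRef.activate(componentContext);
        populateInitialAuthorizationTable();
    }

    protected synchronized void deactivate(ComponentContext componentContext) {
        clearAuthorizationTable();
        this.configAdminRef.deactivate(componentContext);
        this.securityServiceRef.deactivate(componentContext);
        this.managementRoles.deactivate(componentContext);
    }

    /**
     * Roles for a special subject on a resource.
     *
     * @param str  resource name; only the admin resource is handled here
     * @param str2 special subject name
     * @return the all-authenticated-users role set when {@code str2} is
     *         {@code ALL_AUTHENTICATED_USERS}, an empty role set for any other
     *         (including {@code null}) special subject on the admin resource, and
     *         {@code null} for any other resource
     */
    @Override
    public RoleSet getRolesForSpecialSubject(String str, String str2) {
        if (!ManagementSecurityConstants.ADMIN_RESOURCE_NAME.equals(str)) {
            return null;
        }
        // Constant-first equals: a null special subject yields the empty role set
        // instead of a NullPointerException from inside an authorization check.
        if (AuthorizationTableService.ALL_AUTHENTICATED_USERS.equals(str2)) {
            return ALL_AUTHENTICATED_USERS_ROLESET;
        }
        return RoleSet.EMPTY_ROLESET;
    }

    /**
     * Roles for an access ID on a resource.
     *
     * @param str  resource name; only the admin resource is handled here
     * @param str2 access ID of the subject being authorized
     * @return the mapped roles (possibly empty) for the admin resource, or
     *         {@code null} for any other resource
     * @throws IllegalArgumentException if {@code str2} is not an access ID
     *         (propagated from {@link #findRolesForAccessId})
     */
    @Override
    public RoleSet getRolesForAccessId(String str, String str2) {
        if (!ManagementSecurityConstants.ADMIN_RESOURCE_NAME.equals(str)) {
            return null;
        }
        return rolesForAccessId(str2);
    }

    private void clearAuthorizationTable() {
        this.accessIdToRoles.clear();
        this.userToAccessId.clear();
        this.groupToAccessId.clear();
        this.userToRoles.clear();
        this.groupToRoles.clear();
    }

    /**
     * Rebuilds {@link #userToRoles} and {@link #groupToRoles} from every bound
     * {@link ManagementRole}, discarding all cached access-ID resolutions.
     * A name listed under several roles ends up with the union of those roles.
     */
    private void populateInitialAuthorizationTable() {
        clearAuthorizationTable();
        Map<String, Set<String>> rolesByUser = new HashMap<>();
        Map<String, Set<String>> rolesByGroup = new HashMap<>();
        Iterator<ManagementRole> roles = this.managementRoles.getServices();
        while (roles.hasNext()) {
            ManagementRole role = roles.next();
            String roleName = role.getRoleName();
            for (String userName : role.getUsers()) {
                Set<String> names = rolesByUser.get(userName);
                if (names == null) {
                    names = new HashSet<>();
                    rolesByUser.put(userName, names);
                }
                names.add(roleName);
            }
            for (String groupName : role.getGroups()) {
                Set<String> names = rolesByGroup.get(groupName);
                if (names == null) {
                    names = new HashSet<>();
                    rolesByGroup.put(groupName, names);
                }
                names.add(roleName);
            }
        }
        for (Map.Entry<String, Set<String>> entry : rolesByUser.entrySet()) {
            this.userToRoles.put(entry.getKey(), new RoleSet(entry.getValue()));
        }
        for (Map.Entry<String, Set<String>> entry : rolesByGroup.entrySet()) {
            this.groupToRoles.put(entry.getKey(), new RoleSet(entry.getValue()));
        }
    }

    /**
     * Resolves the roles for an access ID: server identities are always
     * Administrator, otherwise the exact-key cache is tried before the
     * (possibly case-insensitive) scan in {@link #findRolesForAccessId}.
     */
    private RoleSet rolesForAccessId(String accessId) {
        if (AccessIdUtil.isServerAccessId(accessId)) {
            // Trust boundary: anything the AccessIdUtil classifies as a server
            // identity gets full administrative rights without a table lookup.
            return this.ADMIN_ROLE_SET;
        }
        RoleSet cached = this.accessIdToRoles.get(accessId);
        return cached == null ? findRolesForAccessId(accessId) : cached;
    }

    /**
     * Scans the configured users (or groups) for one whose registry-resolved
     * access ID matches {@code accessId} per {@link #isMatch}. Every entry that
     * resolves is cached in {@link #accessIdToRoles} on the way, so the scan
     * only repeats for IDs that are not in the table at all, or for configured
     * names the registry cannot resolve.
     *
     * <p>Fix: a configured name the registry cannot resolve is now skipped. The
     * previous code cached its roles under a {@code null} key, which let a
     * {@code null} access ID in {@link #rolesForAccessId} hit a real role set.
     *
     * <p>Note: when two configured names resolve to the same access ID, the roles
     * cached first are the ones returned (put-if-absent below); the second name's
     * roles are not merged in.
     *
     * @throws IllegalArgumentException if {@code accessId} is not an access ID
     */
    private RoleSet findRolesForAccessId(String accessId) {
        if (!AccessIdUtil.isAccessId(accessId)) {
            throw new IllegalArgumentException("Invalid accessId");
        }
        if (AccessIdUtil.isUserAccessId(accessId)) {
            for (String userName : this.userToRoles.keySet()) {
                String userAccessId = this.userToAccessId.get(userName);
                if (userAccessId == null) {
                    userAccessId = getUserAccessId(userName);
                    if (userAccessId == null) {
                        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                            Tr.debug(tc, "Unable to determine accessId of user " + userName, new Object[0]);
                        }
                        // Never cache under a null key; the entry stays unresolved
                        // and is retried on the next scan.
                        continue;
                    }
                    this.userToAccessId.put(userName, userAccessId);
                }
                if (this.accessIdToRoles.get(userAccessId) == null) {
                    this.accessIdToRoles.put(userAccessId, this.userToRoles.get(userName));
                }
                if (isMatch(accessId, userAccessId)) {
                    return this.accessIdToRoles.get(userAccessId);
                }
            }
        } else if (AccessIdUtil.isGroupAccessId(accessId)) {
            for (String groupName : this.groupToRoles.keySet()) {
                String groupAccessId = this.groupToAccessId.get(groupName);
                if (groupAccessId == null) {
                    groupAccessId = getGroupAccessId(groupName);
                    if (groupAccessId == null) {
                        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                            Tr.debug(tc, "Unable to determine accessId of group " + groupName, new Object[0]);
                        }
                        continue;
                    }
                    this.groupToAccessId.put(groupName, groupAccessId);
                }
                if (this.accessIdToRoles.get(groupAccessId) == null) {
                    this.accessIdToRoles.put(groupAccessId, this.groupToRoles.get(groupName));
                }
                if (isMatch(accessId, groupAccessId)) {
                    return this.accessIdToRoles.get(groupAccessId);
                }
            }
        } else {
            // Well-formed access ID that is neither user nor group: nothing to grant.
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Unknown accessId", new Object[0]);
            }
            return RoleSet.EMPTY_ROLESET;
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "No roles mapped to accessId", accessId);
        }
        return RoleSet.EMPTY_ROLESET;
    }

    /**
     * The currently configured user registry, or {@code null} when the security
     * service or its registry service is not bound. Previously an unbound service
     * surfaced as a NullPointerException from the middle of an authorization
     * check; now the lookup simply fails to resolve (and is not cached).
     */
    private UserRegistry currentUserRegistry() throws RegistryException {
        SecurityService securityService = this.securityServiceRef.getService();
        if (securityService == null) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "SecurityService is not available; cannot resolve accessId", new Object[0]);
            }
            return null;
        }
        UserRegistryService registryService = securityService.getUserRegistryService();
        if (registryService == null) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "UserRegistryService is not available; cannot resolve accessId", new Object[0]);
            }
            return null;
        }
        return registryService.getUserRegistry();
    }

    /**
     * Builds the "user" access ID for a configured user name from the registry's
     * realm and unique user ID.
     *
     * @return the access ID, or {@code null} if the registry is unavailable, the
     *         user does not exist, or the registry fails
     */
    private String getUserAccessId(String userName) {
        try {
            UserRegistry userRegistry = currentUserRegistry();
            if (userRegistry == null) {
                return null;
            }
            return AccessIdUtil.createAccessId("user", userRegistry.getRealm(), userRegistry.getUniqueUserId(userName));
        } catch (EntryNotFoundException e) {
            FFDCFilter.processException(e, "com.ibm.ws.management.security.internal.ManagementSecurityAuthorizationTable", "333", this, new Object[]{userName});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Caught exception getting the access id for " + userName + ": " + e, new Object[0]);
            }
            return null;
        } catch (RegistryException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.management.security.internal.ManagementSecurityAuthorizationTable", "338", this, new Object[]{userName});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Caught exception getting the access id for " + userName + ": " + e2, new Object[0]);
            }
            return null;
        }
    }

    /**
     * Builds the "group" access ID for a configured group name from the registry's
     * realm and unique group ID.
     *
     * @return the access ID, or {@code null} if the registry is unavailable, the
     *         group does not exist, or the registry fails
     */
    private String getGroupAccessId(String groupName) {
        try {
            UserRegistry userRegistry = currentUserRegistry();
            if (userRegistry == null) {
                return null;
            }
            return AccessIdUtil.createAccessId("group", userRegistry.getRealm(), userRegistry.getUniqueGroupId(groupName));
        } catch (EntryNotFoundException e) {
            FFDCFilter.processException(e, "com.ibm.ws.management.security.internal.ManagementSecurityAuthorizationTable", "362", this, new Object[]{groupName});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Caught exception getting the access id for " + groupName + ": " + e, new Object[0]);
            }
            return null;
        } catch (RegistryException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.management.security.internal.ManagementSecurityAuthorizationTable", "367", this, new Object[]{groupName});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Caught exception getting the access id for " + groupName + ": " + e2, new Object[0]);
            }
            return null;
        }
    }

    /**
     * Drops every registry-derived cache (access-ID resolutions and the
     * ignoreCase decision). The configured name-to-role maps are kept: they come
     * from the ManagementRole services, not from the registry.
     */
    @Override
    public void notifyOfUserRegistryChange() {
        this.isIgnoreCaseSet = false;
        this.accessIdToRoles.clear();
        this.userToAccessId.clear();
        this.groupToAccessId.clear();
    }

    /** Cached wrapper around {@link #getIgnoreCase()}; recomputed after a registry change. */
    protected boolean isIgnoreCase() {
        if (!this.isIgnoreCaseSet) {
            this.isIgnoreCase = getIgnoreCase();
            this.isIgnoreCaseSet = true;
        }
        return this.isIgnoreCase;
    }

    /**
     * Compares two access IDs, case-insensitively when {@link #isIgnoreCase()} is
     * true. {@code str2} may be {@code null}, in which case the result is false.
     */
    protected boolean isMatch(String str, String str2) {
        return isIgnoreCase() ? str.equalsIgnoreCase(str2) : str.equals(str2);
    }

    /**
     * Decides whether access-ID comparison ignores case.
     *
     * <p>Result is {@code true} only for an LDAP or WIM registry, and then only
     * unless some LDAP registry configuration carries {@code ignoreCase=false}
     * (Boolean false, or the string "false"); the scan stops at the first such
     * configuration. If ConfigurationAdmin or the LDAP configurations are
     * unavailable the LDAP/WIM default of {@code true} stands. For any other
     * registry type, or when no registry is configured, the result is
     * {@code false} (exact match).
     *
     * <p>On an exception the value computed up to that point is returned; for an
     * LDAP/WIM registry that is typically {@code true}, which the trace now reports
     * accurately (it used to claim {@code false}).
     */
    protected boolean getIgnoreCase() {
        boolean ignoreCase = false;
        try {
            SecurityService securityService = this.securityServiceRef.getService();
            UserRegistryService registryService = securityService == null ? null : securityService.getUserRegistryService();
            if (registryService != null && registryService.isUserRegistryConfigured()) {
                String registryType = registryService.getUserRegistryType();
                if ("LDAP".equalsIgnoreCase(registryType) || "WIM".equalsIgnoreCase(registryType)) {
                    ignoreCase = true;
                    ConfigurationAdmin configAdmin = this.configAdminRef.getService();
                    if (configAdmin == null) {
                        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                            Tr.debug(tc, "The ConfigurationAdmin object is null, use the default value which is true.", new Object[0]);
                        }
                    } else {
                        Configuration[] ldapConfigs = configAdmin.listConfigurations(KEY_LDAP_REGISTRY);
                        if (ldapConfigs == null) {
                            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                                Tr.debug(tc, "The Ldap Configuration object is null, use the default value which is true.", new Object[0]);
                            }
                        } else {
                            for (Configuration ldapConfig : ldapConfigs) {
                                Dictionary<String, Object> properties = ldapConfig.getProperties();
                                Object value = properties == null ? null : properties.get(KEY_IGNORE_CASE);
                                if (value instanceof Boolean) {
                                    ignoreCase = ((Boolean) value).booleanValue();
                                } else if ((value instanceof String) && "false".equalsIgnoreCase((String) value)) {
                                    ignoreCase = false;
                                }
                                if (!ignoreCase) {
                                    // One registry configured for exact matching wins.
                                    break;
                                }
                            }
                        }
                    }
                }
            }
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.management.security.internal.ManagementSecurityAuthorizationTable", "457", this, new Object[0]);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception is caught while accessing the user registry configuration information. The value " + ignoreCase + " is used.", e);
            }
        }
        return ignoreCase;
    }

    static {
        ALL_AUTHENTICATED_USERS_SET.add(ManagementSecurityConstants.ALL_AUTHENTICATED_USERS_ROLE_NAME);
        ALL_AUTHENTICATED_USERS_ROLESET = new RoleSet(ALL_AUTHENTICATED_USERS_SET);
    }
}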
