package com.ibm.ws.websvcs.utils;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.webservices.utils.JavaUtils;
import com.ibm.ws.websvcs.Constants;
import com.ibm.wsspi.security.context.Context;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import javax.security.auth.Subject;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.jaxws.BindingProvider;
import org.apache.axis2.util.ThreadContextMigrator;

/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/websvcs/utils/SecurityContextMigrator.class */
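/**
 * Axis2 {@link ThreadContextMigrator} that moves the WebSphere security {@link Context} between
 * the current thread (thread local storage) and the Axis2 {@link MessageContext}.
 *
 * <p>Outbound exchanges (out-only / out-in) copy the thread's context onto the message context in
 * {@link #migrateThreadToContext(MessageContext)}. Inbound exchanges (in-only / in-out) install the
 * context found on the message context as the thread's context in
 * {@link #migrateContextToThread(MessageContext)}. Both directions do nothing when cell security is
 * disabled.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>With {@link #SERIALIZE_SECURITY_CONTEXT} set to false the message context receives a
 *       reference to the live context object instead of a deep copy.</li>
 *   <li>Debug trace prints {@code Subject.toString()} for the caller and RunAs subjects, so trace
 *       files written with debug enabled may contain identity and credential details and should
 *       be access-controlled accordingly.</li>
 * </ul>
 */
public class SecurityContextMigrator implements ThreadContextMigrator {
    /**
     * Request-context property name. An explicit false value turns off the serialize/deserialize
     * deep copy of the security context for outbound exchanges.
     */
    public static final String SERIALIZE_SECURITY_CONTEXT = "com.ibm.websvcs.client.serializeSecurityContext";
    private static final TraceComponent tc = Tr.register(SecurityContextMigrator.class, Constants.TR_GROUP, Constants.TR_RESOURCE_BUNDLE);

    /** MessageContext property under which the security context is stored. */
    private static final String SECURITY_CONTEXT_PROPERTY = "com.ibm.wsspi.websphere.security.SecurityContext";

    /** Returns true when the message exchange pattern URI is one of the in-only / in-out forms. */
    private static boolean isInboundMep(String mep) {
        return "http://www.w3.org/2006/01/wsdl/in-only".equals(mep)
                || "http://www.w3.org/2004/08/wsdl/in-only".equals(mep)
                || "http://www.w3.org/2006/01/wsdl/in-out".equals(mep)
                || "http://www.w3.org/2004/08/wsdl/in-out".equals(mep)
                || "http://www.w3.org/ns/wsdl/in-only".equals(mep)
                || "http://www.w3.org/ns/wsdl/in-out".equals(mep);
    }

    /** Returns true when the message exchange pattern URI is one of the out-only / out-in forms. */
    private static boolean isOutboundMep(String mep) {
        return "http://www.w3.org/2006/01/wsdl/out-only".equals(mep)
                || "http://www.w3.org/2004/08/wsdl/out-only".equals(mep)
                || "http://www.w3.org/2006/01/wsdl/out-in".equals(mep)
                || "http://www.w3.org/2004/08/wsdl/out-in".equals(mep)
                || "http://www.w3.org/ns/wsdl/out-only".equals(mep)
                || "http://www.w3.org/ns/wsdl/out-in".equals(mep);
    }

    /**
     * Clears the security context property on an inbound message context so the context object
     * is no longer reachable through it.
     *
     * @param messageContext the Axis2 message context; nothing happens when it has no operation
     */
    public void cleanupContext(MessageContext messageContext) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "cleanupContext");
        }
        if (messageContext.getAxisOperation() != null) {
            String messageExchangePattern = messageContext.getAxisOperation().getMessageExchangePattern();
            if (isInboundMep(messageExchangePattern)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Resetting security context on Axis2 MessageContext");
                }
                messageContext.setProperty(SECURITY_CONTEXT_PROPERTY, (Object) null);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "cleanupContext");
        }
    }

    /**
     * Intentionally empty: this migrator performs no thread-side cleanup.
     *
     * @param messageContext unused
     */
    public void cleanupThread(MessageContext messageContext) {
    }

    /**
     * Installs the security context carried by the message context on the current thread, running
     * the copy through {@link #runWithDomain(PrivilegedExceptionAction, MessageContext)}.
     *
     * <p>When the message context carries no security context, {@code runWithDomain} returns
     * without invoking the action, so nothing is migrated.
     *
     * @param messageContext the Axis2 message context to read the security context from
     * @throws AxisFault wrapping any failure raised while migrating
     */
    public void migrateContextToThread(final MessageContext messageContext) throws AxisFault {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "migrateContextToThread");
        }
        try {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "runWith MessageContext = " + messageContext);
            }
            runWithDomain(new PrivilegedExceptionAction<Object>() {
                @Override
                public Object run() throws AxisFault {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "invokeAction, MessageContext");
                    }
                    return Boolean.valueOf(SecurityContextMigrator.this._migrateContextToThread(messageContext));
                }
            }, messageContext);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "migrateContextToThread");
            }
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.websvcs.utils.SecurityContextMigrator.migrateContextToThread", "144", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception caught " + e.getMessage());
            }
            throw AxisFault.makeFault(e);
        }
    }

    /**
     * Runs an action through {@code Context.runWithDomain} of the security context stored on the
     * message context, inside a {@code doPrivileged} block.
     *
     * @param privilegedExceptionAction the action to run
     * @param messageContext the message context holding the security context
     * @return the action's result, or {@code null} when either argument is {@code null} or the
     *         message context holds no {@link Context} (the action is not run in those cases)
     * @throws Exception an {@link AxisFault} wrapping whatever the privileged call raised
     */
    public Object runWithDomain(final PrivilegedExceptionAction privilegedExceptionAction, MessageContext messageContext) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "runWithDomain MessageContext = " + messageContext);
        }
        if (messageContext == null || privilegedExceptionAction == null) {
            return null;
        }
        Object property = messageContext.getProperty(SECURITY_CONTEXT_PROPERTY);
        // instanceof is false for null, so this also covers a missing property.
        if (!(property instanceof Context)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Security context object missing in Message Context");
            }
            return null;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Retriving security context on MessageContext");
        }
        try {
            final Context context = (Context) property;
            return AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                @Override
                public Object run() throws Exception {
                    return context.runWithDomain(privilegedExceptionAction);
                }
            });
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.websvcs.utils.SecurityContextMigrator.runWithDomain", "175", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception caught - runWithDomain");
            }
            throw new AxisFault(e.toString(), e);
        }
    }

    /**
     * Copies the caller subject, RunAs subject and propagation tokens from the message context's
     * security context onto the context obtained from the {@link ContextManager}, then activates
     * it with {@code setContext()}. Only done for inbound exchanges with cell security enabled.
     *
     * @param messageContext the Axis2 message context to read the security context from
     * @return always {@code true} when no exception is raised
     * @throws AxisFault on any failure; an {@code AxisFault} raised inside is rethrown unchanged
     */
    public boolean _migrateContextToThread(MessageContext messageContext) throws AxisFault {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "_migrateContextToThread");
        }
        try {
            final ContextManager contextManager = ContextManagerFactory.getInstance();
            if (contextManager.isCellSecurityEnabled()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "WebSphere cell security enabled, copying security context from MessageContext to TLS");
                }
                if (messageContext.getAxisOperation() != null) {
                    String messageExchangePattern = messageContext.getAxisOperation().getMessageExchangePattern();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "MEP: " + messageExchangePattern);
                    }
                    if (isInboundMep(messageExchangePattern)) {
                        Object property = messageContext.getProperty(SECURITY_CONTEXT_PROPERTY);
                        if (property instanceof Context) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Copying security context on MessageContext onto security context in thread local storage.");
                            }
                            final Context context = (Context) property;
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Dumping the original MessageContext subjects:");
                                dumpSubjects(context);
                            }
                            try {
                                AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                                    @Override
                                    public Object run() throws WSSecurityException {
                                        Context tlsContext = contextManager.getSerializableContext();
                                        tlsContext.setCallerSubject(context.getCallerSubject());
                                        tlsContext.setRunAsSubject(context.getRunAsSubject());
                                        tlsContext.setPropagationTokens(context.getPropagationTokens());
                                        tlsContext.setContext();
                                        if (tc.isDebugEnabled()) {
                                            Tr.debug(tc, "Dumping the new tlsContext subjects:");
                                            // Dump the context that was just populated; dumping the
                                            // source context again would not show what was installed.
                                            dumpSubjects(tlsContext);
                                        }
                                        return null;
                                    }
                                });
                            } catch (PrivilegedActionException e) {
                                FFDCFilter.processException(e, "com.ibm.ws.websvcs.utils.SecurityContextMigrator._migrateContextToThread", "255");
                                // Surface the underlying failure rather than the privileged wrapper.
                                Throwable cause = e.getCause();
                                throw (cause != null ? new AxisFault(cause.toString(), cause) : AxisFault.makeFault(e));
                            }
                        } else if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Security context was not found on MessageContext and does not need to be copied to thread local storage");
                        }
                    }
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WebSphere cell security disabled, will not copy security context from MessageContext to TLS");
            }
            return true;
        } catch (AxisFault e2) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception caught " + e2.getMessage());
            }
            FFDCFilter.processException(e2, "com.ibm.ws.websvcs.utils.SecurityContextMigrator._migrateContextToThread", "289", this);
            throw e2;
        } catch (Throwable th) {
            FFDCFilter.processException(th, "com.ibm.ws.websvcs.utils.SecurityContextMigrator._migrateContextToThread", "293", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception caught " + th.getMessage());
            }
            throw new AxisFault(th.toString(), th);
        } finally {
            // Exit trace is emitted on both the normal and the exceptional path.
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "_migrateContextToThread");
            }
        }
    }

    /**
     * Stores the current thread's security context on the message context.
     *
     * <p>For outbound exchanges where {@link #shouldSerializeSecurityContext(MessageContext)} is
     * true, the context is deep-copied by serializing it to an in-memory buffer and reading it
     * back. Otherwise the live context object itself is stored, so the message context then
     * shares that object with the thread.
     *
     * @param messageContext the Axis2 message context to populate
     * @throws AxisFault on any failure while obtaining, copying or storing the context
     */
    public void migrateThreadToContext(MessageContext messageContext) throws AxisFault {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "migrateThreadToContext");
        }
        try {
            // NOTE(review): the handlers below are nested rather than flat. Axis2's AxisFault is an
            // IOException subtype, so an AxisFault rethrown by the innermost handler also passes
            // through the outer two (logged again and re-wrapped). Confirm this is intended before
            // flattening.
            try {
                try {
                    try {
                        final ContextManager contextManager = ContextManagerFactory.getInstance();
                        if (contextManager.isCellSecurityEnabled()) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "WebSphere cell security enabled, copying security context from TLS to MessageContext");
                            }
                            try {
                                final Context context = (Context) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                                    @Override
                                    public Object run() throws WSSecurityException {
                                        return contextManager.getSerializableContext();
                                    }
                                });
                                boolean shouldSerializeSecurityContext = shouldSerializeSecurityContext(messageContext);
                                String messageExchangePattern = messageContext.getAxisOperation() != null ? messageContext.getAxisOperation().getMessageExchangePattern() : null;
                                if (shouldSerializeSecurityContext && isOutboundMep(messageExchangePattern)) {
                                    if (tc.isDebugEnabled() && context != null) {
                                        Tr.debug(tc, "Dumping the original context subjects:");
                                        dumpSubjects(context);
                                    }
                                    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                                    final ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Serializing security context object for deep copy");
                                    }
                                    try {
                                        AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                                            @Override
                                            public Object run() throws IOException {
                                                objectOutputStream.writeObject(context);
                                                // Push any buffered bytes into the byte array before it is read back.
                                                objectOutputStream.flush();
                                                return null;
                                            }
                                        });
                                        // The bytes read here were produced a few lines above in this same call
                                        // and never leave the process, so this is a deep copy, not
                                        // deserialization of external data. If the buffer is ever sourced from
                                        // a message or the network, a class filter must be applied first.
                                        final ObjectInputStream objectInputStream = new ObjectInputStream(new ByteArrayInputStream(byteArrayOutputStream.toByteArray()));
                                        try {
                                            Context context2 = (Context) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                                                @Override
                                                public Object run() throws IOException, ClassNotFoundException {
                                                    return objectInputStream.readObject();
                                                }
                                            });
                                            if (tc.isDebugEnabled()) {
                                                Tr.debug(tc, "Setting deserialized context object on MessageContext");
                                            }
                                            messageContext.setProperty(SECURITY_CONTEXT_PROPERTY, context2);
                                            if (tc.isDebugEnabled() && context2 != null) {
                                                Tr.debug(tc, "Dumping the de-serialized context subjects on the MessageContext:");
                                                dumpSubjects(context2);
                                            }
                                        } catch (PrivilegedActionException e) {
                                            FFDCFilter.processException(e, "com.ibm.ws.websvcs.utils.SecurityContextMigrator.migrateThreadToContext", "407");
                                            Throwable cause = e.getCause();
                                            throw (cause != null ? new AxisFault(cause.toString(), cause) : AxisFault.makeFault(e));
                                        }
                                    } catch (PrivilegedActionException e2) {
                                        FFDCFilter.processException(e2, "com.ibm.ws.websvcs.utils.SecurityContextMigrator.migrateThreadToContext", "382");
                                        Throwable cause2 = e2.getCause();
                                        throw (cause2 != null ? new AxisFault(cause2.toString(), cause2) : AxisFault.makeFault(e2));
                                    }
                                } else {
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Did not serialize/deserialize security context");
                                    }
                                    // No deep copy: the message context now references the live context object.
                                    messageContext.setProperty(SECURITY_CONTEXT_PROPERTY, context);
                                }
                            } catch (PrivilegedActionException e3) {
                                FFDCFilter.processException(e3, "com.ibm.ws.websvcs.utils.SecurityContextMigrator.migrateThreadToContext", "333");
                                Throwable cause3 = e3.getCause();
                                throw (cause3 != null ? new AxisFault(cause3.toString(), cause3) : AxisFault.makeFault(e3));
                            }
                        } else if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "WebSphere cell security disabled, will not copy security context from TLS to MessageContext");
                        }
                    } catch (AxisFault e4) {
                        FFDCFilter.processException(e4, "com.ibm.ws.websvcs.utils.SecurityContextMigrator.migrateThreadToContext", "444", this);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Exception caught: " + e4.getMessage());
                        }
                        throw e4;
                    }
                } catch (IOException e5) {
                    FFDCFilter.processException(e5, "com.ibm.ws.websvcs.utils.SecurityContextMigrator.migrateThreadToContext", "451", this);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Exception caught: " + e5.getMessage());
                    }
                    throw AxisFault.makeFault(e5);
                }
            } catch (Throwable th) {
                FFDCFilter.processException(th, "com.ibm.ws.websvcs.utils.SecurityContextMigrator.migrateThreadToContext", "459", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception caught: " + th.getMessage());
                }
                throw new AxisFault(th.toString(), th);
            }
        } finally {
            // Exit trace is emitted on both the normal and the exceptional path.
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "migrateThreadToContext");
            }
        }
    }

    /**
     * Writes the caller and RunAs subjects of a security context to debug trace. Does nothing
     * unless debug trace is enabled; failures while reading the subjects are traced, not thrown.
     *
     * <p>The trace line contains {@code Subject.toString()}, which may include credential entries
     * as well as principals, so debug trace output from this method is sensitive.
     *
     * @param context the security context whose subjects are dumped
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static void dumpSubjects(final Context context) {
        if (tc.isDebugEnabled()) {
            if (tc.isEntryEnabled()) {
                Tr.entry(tc, "dumpSubjects");
            }
            try {
                AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                    @Override
                    public Object run() throws WSSecurityException {
                        Subject callerSubject = context.getCallerSubject();
                        if (callerSubject == null) {
                            Tr.debug(tc, "Caller subject is null");
                        } else {
                            Tr.debug(tc, "Caller subject exists: " + callerSubject.toString());
                        }
                        Subject runAsSubject = context.getRunAsSubject();
                        if (runAsSubject == null) {
                            // Previously this branch reported the caller subject, which made a
                            // missing RunAs subject indistinguishable in trace.
                            Tr.debug(tc, "RunAs subject is null");
                        } else {
                            Tr.debug(tc, "RunAs subject exists: " + runAsSubject.toString());
                        }
                        return null;
                    }
                });
            } catch (Throwable th) {
                Tr.debug(tc, "Exception caught obtaining subjects: " + th.getMessage());
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "dumpSubjects");
            }
        }
    }

    /**
     * Reports whether the deep copy of the security context has been switched off for this
     * message context.
     *
     * @param messageContext the Axis2 message context; may be {@code null}
     * @return {@code true} only when cell security is enabled, the exchange is outbound and
     *         {@link #shouldSerializeSecurityContext(MessageContext)} returns {@code false}
     */
    public static boolean isSerializationTurnedOff(MessageContext messageContext) {
        boolean serialize = true;
        if (messageContext != null && ContextManagerFactory.getInstance().isCellSecurityEnabled()) {
            String messageExchangePattern = messageContext.getAxisOperation() != null ? messageContext.getAxisOperation().getMessageExchangePattern() : null;
            if (isOutboundMep(messageExchangePattern)) {
                serialize = shouldSerializeSecurityContext(messageContext);
            }
        }
        boolean turnedOff = !serialize;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "isSerializationTurnedOff returns [" + turnedOff + "]");
        }
        return turnedOff;
    }

    /**
     * Reads {@link #SERIALIZE_SECURITY_CONTEXT} from the request context of the binding provider
     * stored on the message context.
     *
     * @param messageContext the Axis2 message context; may be {@code null}
     * @return {@code false} only when the property is explicitly set to a false value;
     *         {@code true} otherwise, including when no binding provider is present
     */
    public static boolean shouldSerializeSecurityContext(MessageContext messageContext) {
        BindingProvider bindingProvider;
        boolean z = true;
        if (messageContext != null && (bindingProvider = (BindingProvider) messageContext.getProperty("org.apache.axis2.jaxws.BindingProvider")) != null) {
            z = getIsFalseProperty(bindingProvider.getRequestContext(), SERIALIZE_SECURITY_CONTEXT);
            if (tc.isDebugEnabled() && !z) {
                Tr.debug(tc, "com.ibm.websvcs.client.serializeSecurityContext is set to false. The Security context will not be serialized onto the MessageContext.  A reference to the active context will be used instead.  This will cause problems if you are making an asynch service call or using a Reliable Messaging policy.");
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "shouldSerializeSecurityContext returns [" + z + "]");
        }
        return z;
    }

    /**
     * Looks up a property and reports whether it is anything other than an explicit false value.
     * Despite the name, the result is {@code false} when the property IS false.
     *
     * @param map the property map; a {@code null} map is treated as having no entry
     * @param str the property name
     * @return {@code false} when the entry has a value that {@code JavaUtils.isFalse} accepts;
     *         {@code true} when the entry is missing, empty or any other value
     */
    public static boolean getIsFalseProperty(Map<?, ?> map, String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getIsFalseProperty(_map, " + str + ")");
        }
        // The map holds arbitrary objects, so a caller may have stored a Boolean rather than a
        // String; read the value through toString() instead of casting, which would throw.
        Object raw = map != null ? map.get(str) : null;
        String value = raw != null ? raw.toString() : null;
        boolean z = true;
        if (JavaUtils.hasValue(value) && JavaUtils.isFalse(value)) {
            z = false;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getIsFalseProperty returns [" + z + "]");
        }
        return z;
    }
}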
