package com.ibm.ws.security.delegation;

import com.ibm.ISecurityLocalObjectBaseL13Impl.DomainInfo;
import com.ibm.ejs.models.base.bindings.applicationbnd.RunAsMap;
import com.ibm.ejs.models.base.bindings.commonbnd.BasicAuthData;
import com.ibm.ejs.models.base.extensions.ejbext.SecurityIdentity;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.csi.CSIException;
import com.ibm.websphere.csi.EJBKey;
import com.ibm.websphere.csi.EJBMethodInfo;
import com.ibm.websphere.security.ProviderFailureException;
import com.ibm.websphere.security.WSSecurityHelper;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.audit.AuditServiceImpl;
import com.ibm.ws.security.audit.utils.DataHelper;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.common.util.AuditConstants;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.core.SecurityCollaborator;
import com.ibm.ws.security.core.WSAccessManager;
import com.ibm.ws.security.ejb.BeanPermissionRoleMap;
import com.ibm.ws.security.ejb.RunAsMapTable;
import com.ibm.ws.security.ejb.SecurityBeanCookie;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.policy.RunAsPolicyExtension;
import com.ibm.ws.security.token.WSCredentialTokenMapper;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.security.util.WCCMHelper;
import com.ibm.ws.security.web.WebAccessContext;
import com.ibm.ws.webservices.wssecurity.KRBConstants;
import com.ibm.wsspi.security.audit.AuditOutcome;
import com.ibm.wsspi.security.audit.AuditService;
import com.ibm.wsspi.security.audit.ContextHandler;
import com.ibm.wsspi.security.policy.EJBSecurityPolicy;
import com.ibm.wsspi.security.policy.WSPolicy;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import com.ibm.wsspi.security.token.PropagationToken;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.servlet.ServletRegistration;
import org.eclipse.emf.common.util.EList;
import org.eclipse.jst.j2ee.common.Identity;
import org.eclipse.jst.j2ee.common.RunAsSpecifiedIdentity;
import org.eclipse.jst.j2ee.common.SecurityRole;
import org.eclipse.jst.j2ee.webapplication.Servlet;
import org.eclipse.jst.j2ee.webapplication.WebApp;

/* compiled from: DelegationImpl.java */
/* loaded from: input_file:wasJars/securityimpl.jar:com/ibm/ws/security/delegation/MethodDelegation.class */
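/**
 * Resolves the run-as (invocation) {@link Subject} for an EJB method or a web
 * request from the security policy / deployment descriptor, and emits a
 * {@code SECURITY_AUTHN_DELEGATION} audit event describing the decision.
 *
 * <p>Run-as outcomes are labelled with the {@code AuditConstants} identity kinds
 * ({@code CLIENT_ID}, {@code SYSTEM_ID}, {@code SPECIFIED_ID:role}) so the audit
 * record states which identity the request was delegated to.
 *
 * <p>Thread-safety: per-call data (run-as label, active registry type) is kept in
 * locals rather than instance fields so concurrent delegations cannot mix their
 * audit records. The static audit service reference and outcome map are shared
 * across instances; the outcome map is only retained for compatibility and each
 * call sends the outcome it built itself.
 */
class MethodDelegation implements Delegation {
    private static final String DELEGATION_EVENT = "SECURITY_AUTHN_DELEGATION";
    private static final String SUCCESS_OUTCOME = "SUCCESS";
    private static final String CONTEXT_ERROR_KEY = "security.audit.service.context.error";
    private static final String SEND_EVENT_ERROR_KEY = "security.audit.service.sendevent.error";
    private static final int MAX_EJBNAME_ENTRIES = 200;

    // Looked up lazily; a null result (service not yet available) is retried on the next call.
    private static AuditService auditService = null;
    // Last outcome map built by any thread. Kept only so a call that could not build
    // its own outcome (no context handler) sends the same map the original code did.
    private static ConcurrentHashMap auditOutcome = new ConcurrentHashMap();
    // Only cleared from this class; presumably populated by a collaborator elsewhere — TODO confirm.
    private static final HashMap ejbNameCache = new HashMap(MAX_EJBNAME_ENTRIES);
    private static final TraceComponent tc = Tr.register((Class<?>) MethodDelegation.class, KRBConstants.ELM_SECURITY, AdminConstants.MSG_BUNDLE_NAME);

    private final ContextManager contextManager = ContextManagerFactory.getInstance();

    /**
     * Returns whether {@code securityIdentity} lists a method element matching the
     * given method (as decided by {@code BeanPermissionRoleMap.findMatchingMethod}).
     *
     * @param securityIdentity the bean's security identity extension
     * @param str first method descriptor passed through to {@code findMatchingMethod}
     *            (presumably the method name — verify against callers)
     * @param str2 second method descriptor passed through to {@code findMatchingMethod}
     * @return {@code false} when there are no method elements, otherwise the matcher result
     */
    protected boolean checkRunAsMethod(SecurityIdentity securityIdentity, String str, String str2) {
        EList methodElements = securityIdentity.getMethodElements();
        if (methodElements == null || methodElements.isEmpty()) {
            return false;
        }
        return BeanPermissionRoleMap.findMatchingMethod(str, str2, methodElements);
    }

    /**
     * Determines the invocation Subject for an EJB method from its security policy.
     *
     * <p>Precedence: caller identity (extension or policy) → system identity →
     * specified identity from the extension → specified identity from the policy →
     * caller. When a specified identity cannot be logged in, the caller Subject is
     * used and the audit label is reset to {@code CLIENT_ID} so the record matches
     * the Subject actually returned.
     *
     * @param eJBKey the bean key; {@code null} marks an SCA (non-EJB) resource in the audit record
     * @param eJBMethodInfo method metadata carrying the {@link EJBSecurityPolicy}; may be {@code null}
     * @param subject the server (system) Subject, used for run-as-system
     * @param subject2 the received caller Subject, used for run-as-caller and as fallback
     * @param securityBeanCookie supplies application and bean names for the audit record; tolerated as {@code null}
     * @param str method descriptor consulted by the run-as policy extension and appended to the audit resource name
     * @return the Subject to invoke the method under; {@code null} only when no run-as extension is present
     * @throws CSIException when the method carries no security policy
     */
    @Override // com.ibm.ws.security.delegation.Delegation
    public Subject delegate(EJBKey eJBKey, EJBMethodInfo eJBMethodInfo, Subject subject, Subject subject2, SecurityBeanCookie securityBeanCookie, String str) throws CSIException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, AuditConstants.DELEGATE, new Object[]{eJBKey, eJBMethodInfo, subject, subject2, securityBeanCookie, str});
        }
        EJBSecurityPolicy policy = eJBMethodInfo == null ? null : eJBMethodInfo.getEJBSecurityPolicy();
        if (policy == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "delegate EJBSecurityPolicy is null, using delegation policy in deployment descriptor");
            }
            throw new CSIException("Policy is null");
        }
        RunAsPolicyExtension extension = (RunAsPolicyExtension) ((WSPolicy) policy).getExtensionAdapter(RunAsPolicyExtension.class);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "delegate policy and extentsion", new Object[]{policy, extension});
        }
        String appName = securityBeanCookie == null ? null : securityBeanCookie.getAppName();

        // Without an extension no run-as decision is made: the result stays null and
        // the audit label is empty (the field's original initial value).
        Subject invocationSubject = null;
        String runAsValue = "";
        if (extension != null) {
            if (extension.isRunAsCallerIdentity(str) || policy.isRunAsCallerIdentity()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "delegate runAsCallerIdentity true");
                }
                runAsValue = AuditConstants.CLIENT_ID;
                invocationSubject = subject2;
            } else if (extension.isRunAsSystemIdentity(str)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "delegate runAsSystemIdentity true");
                }
                runAsValue = AuditConstants.SYSTEM_ID;
                invocationSubject = subject;
            } else {
                String role;
                if (extension.isRunAsSpecifiedIdentity(str)) {
                    role = extension.getRunAsSpecifiedIdentity(str);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "delegate got runAsSpecifiedIdentity from extension, role=" + role);
                    }
                } else {
                    role = policy.getRunAsSpecifiedIdentity();
                    if (role != null && tc.isDebugEnabled()) {
                        Tr.debug(tc, "delegate got runAsSpecifiedIdentity from policy, role=" + role);
                    }
                }
                if (role != null) {
                    runAsValue = AuditConstants.SPECIFIED_ID.concat(":").concat(role);
                    invocationSubject = getRunAsSpecifiedUserSubject(role, appName);
                    if (invocationSubject == null) {
                        // No configured/loggable run-as user: fall back to the caller and
                        // label the audit record accordingly (same as the web path).
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "delegate getRunAsSpecifiedUserSubject is null, use received (caller) Subject");
                        }
                        runAsValue = AuditConstants.CLIENT_ID;
                        invocationSubject = subject2;
                    }
                } else {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "delegate no runAs identity found, will runAs caller");
                    }
                    runAsValue = AuditConstants.CLIENT_ID;
                    invocationSubject = subject2;
                }
            }
        }

        String resourceName = securityBeanCookie == null ? null
                : securityBeanCookie.getAppName().concat(":").concat(securityBeanCookie.getBeanName()).concat(":").concat(str);
        String methodName = eJBMethodInfo != null ? eJBMethodInfo.getMethodName() : null;
        String resourceType = eJBKey != null ? "ejb" : AuditConstants.SCA;
        auditDelegation(methodName, resourceName, resourceType, invocationSubject, runAsValue);

        if (tc.isEntryEnabled()) {
            Tr.exit(tc, AuditConstants.DELEGATE, invocationSubject);
        }
        return invocationSubject;
    }

    /**
     * Determines the invocation Subject for a web request: the servlet's run-as
     * role (static descriptor or {@link ServletRegistration}) if one is configured
     * and its user can be logged in, otherwise the caller's Subject.
     *
     * @param subject the caller Subject; returned when no run-as role applies
     * @param str only traced; not used for the decision
     * @param webAccessContext web application context; {@code null} yields the caller Subject
     * @param str2 servlet name used to look up the run-as role
     * @return the Subject to run the request under (never the configured user when login failed)
     * @throws CSIException declared by the interface; not thrown by this implementation
     */
    @Override // com.ibm.ws.security.delegation.Delegation
    public Subject delegate(Subject subject, String str, WebAccessContext webAccessContext, String str2) throws CSIException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, AuditConstants.DELEGATE, new Object[]{subject, str, webAccessContext, str2});
        }
        Subject invocationSubject = subject;
        String runAsValue = AuditConstants.CLIENT_ID;
        String role = getRunAsRoleName(webAccessContext, str2);
        // getRunAsRoleName returns null for a null context, so webAccessContext is non-null here.
        if (role != null && role.length() > 0) {
            invocationSubject = getRunAsSpecifiedUserSubject(role, webAccessContext.getEnterpriseAppName());
            if (invocationSubject != null) {
                runAsValue = AuditConstants.SPECIFIED_ID.concat(":").concat(role);
            } else {
                invocationSubject = subject;
            }
        }
        String webAppName = webAccessContext != null ? webAccessContext.getWebAppName() : null;
        auditDelegation(webAppName, null, "web", invocationSubject, runAsValue);

        if (tc.isEntryEnabled()) {
            Tr.exit(tc, AuditConstants.DELEGATE, invocationSubject);
        }
        return invocationSubject;
    }

    /**
     * Builds the audit contexts for a delegation decision and sends the
     * {@code SECURITY_AUTHN_DELEGATION} event when the audit service requires it.
     * Does nothing when no audit service is available.
     *
     * @param accessTarget method or web application name for the access context
     * @param resourceName {@code app:bean:method} for EJBs, {@code null} for web
     * @param resourceType {@code "ejb"}, {@code AuditConstants.SCA} or {@code "web"}
     * @param invocationSubject the Subject chosen by delegation; its first principal name is recorded
     * @param runAsValue the run-as label ({@code CLIENT_ID}, {@code SYSTEM_ID}, {@code SPECIFIED_ID:role})
     */
    private void auditDelegation(String accessTarget, String resourceName, String resourceType, Subject invocationSubject, String runAsValue) {
        AuditService service = lookupAuditService();
        if (service == null) {
            return;
        }
        ContextHandler contextHandler = ((AuditServiceImpl) service).getContextHandler();
        if (contextHandler == null) {
            Tr.error(tc, CONTEXT_ERROR_KEY);
            service.processAuditFailure(CONTEXT_ERROR_KEY, null);
        }
        if (!service.isEventRequired(DELEGATION_EVENT, SUCCESS_OUTCOME)) {
            return;
        }
        // Send the outcome this call built; only fall back to the shared map when
        // no context handler was available to build one.
        ConcurrentHashMap outcome = auditOutcome;
        if (contextHandler != null) {
            String activeUserRegistry = SecurityObjectLocator.getSecurityConfig().getActiveUserRegistry().getType();
            String principalName = firstPrincipalName(invocationSubject);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, principalName != null ? "invocationSubject not null, rSubj: " + principalName : "invocationSubject null, rSubj null");
            }
            contextHandler.buildContextObject("SESSION_CONTEXT", DataHelper.buildSessionData(null, null, null, null));
            contextHandler.buildContextObject("ACCESS_CONTEXT", DataHelper.buildAccessData(accessTarget, AuditConstants.DELEGATION, principalName, principalName, null, resourceName, resourceType, Long.valueOf(0L), null, null, null, null));
            contextHandler.buildContextObject("EVENT_CONTEXT", DataHelper.buildEventData(service.getLastTrailId(), service.getEventTrailIds(), new Date(), 0L));
            contextHandler.buildContextObject("PROPAGATION_CONTEXT", DataHelper.buildPropagationData(service.getFirstCaller(), service.getCallerList()));
            contextHandler.buildContextObject("PROCESS_CONTEXT", DataHelper.buildProcessData(service.getDomain(), ContextManagerFactory.getInstance().getDefaultRealm()));
            contextHandler.buildContextObject("REGISTRY_CONTEXT", DataHelper.buildRegistryData(DataHelper.convertRegistryInfoType(activeUserRegistry)));
            HashMap delegationData = DataHelper.buildDelegationData(AuditConstants.RUN_AS_DELEGATION, runAsValue, principalName);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "data: " + delegationData.toString());
            }
            contextHandler.buildContextObject("APPLICATION_DELEGATION", delegationData);
            outcome = DataHelper.buildOutcomeData(AuditOutcome.SUCCESSFUL, Integer.valueOf(0), Integer.valueOf(0), SUCCESS_OUTCOME, 86L);
            auditOutcome = outcome;
        }
        try {
            service.sendEvent(DELEGATION_EVENT, outcome);
        } catch (ProviderFailureException e) {
            Tr.error(tc, SEND_EVENT_ERROR_KEY, new Object[]{e});
            service.processAuditFailure(SEND_EVENT_ERROR_KEY, e);
        }
    }

    /** Returns the cached audit service, looking it up while it is still {@code null}. */
    private static AuditService lookupAuditService() {
        if (auditService == null) {
            auditService = ContextManagerFactory.getInstance().getAuditService();
        }
        return auditService;
    }

    /**
     * Name of the first principal in {@code subject}, or {@code null} when the
     * Subject is {@code null} or carries no principals (the original indexed
     * element 0 unconditionally and failed on an empty principal set).
     */
    private static String firstPrincipalName(Subject subject) {
        if (subject == null) {
            return null;
        }
        Object[] principals = subject.getPrincipals().toArray();
        return principals.length == 0 ? null : ((Principal) principals[0]).getName();
    }

    /** Empties the EJB name cache; traces the size being discarded. */
    /* JADX INFO: Access modifiers changed from: protected */
    public static void clearDelegationCache() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "clearDelegationCache");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Clearing ejbNameCache. Size:" + ejbNameCache.size());
        }
        ejbNameCache.clear();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "clearDelegationCache");
        }
    }

    /**
     * Logs in the user bound to the run-as role {@code str} of application
     * {@code str2} and returns the resulting Subject.
     *
     * <p>The realm is the application realm only when one is defined, the
     * application name is known and it is not an admin application; otherwise the
     * admin realm. The run-as map is read under {@code doPrivileged}.
     *
     * @param str run-as role name
     * @param str2 application name; may be {@code null}
     * @return the logged-in Subject, or {@code null} when no user is bound to the
     *         role or the login fails (failure is audited, not thrown)
     */
    protected Subject getRunAsSpecifiedUserSubject(String str, final String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRunAsSpecifiedUserSubject");
        }
        boolean useAppRealm = DomainInfo.isAppRealmDefined() && str2 != null && !WSAccessManager.checkIfAdminApp(str2);
        String realm = useAppRealm ? DomainInfo.getAppRealm() : DomainInfo.getAdminRealm();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getRunAsSpecifiedUserSubject: using realm: " + realm);
        }
        SecurityRole securityRole = WCCMHelper.createSecurityRole(null, str);
        RunAsMap runAsMap = (RunAsMap) AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.ws.security.delegation.MethodDelegation.1
            @Override // java.security.PrivilegedAction
            public Object run() {
                SecurityCollaborator.getRunAsMapTable();
                return RunAsMapTable.getRunAsMap(str2);
            }
        });
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "RunAs set to Specified Identity : RunAs Role = " + str);
        }
        Subject result = null;
        if (runAsMap != null) {
            BasicAuthData authData = (BasicAuthData) runAsMap.getAuthData(securityRole);
            if (authData != null && authData.getUserId() != null) {
                result = loginRunAsUser(realm, authData);
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Application Identity Not Configured");
                Tr.debug(tc, "Invocation (SPECIFIED) identity is set to ClientIdentity");
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRunAsSpecifiedUserSubject");
        }
        return result;
    }

    /**
     * Performs the run-as login and clears a stale propagation token afterwards.
     * Only the user id (never the password) is traced. A failed login is recorded
     * via FFDC and an audit message; {@code null} is returned so the caller falls
     * back to the client identity.
     *
     * @param realm realm to authenticate against
     * @param authData credentials bound to the run-as role; {@code getUserId()} must be non-null
     * @return the authenticated Subject, or {@code null} on any failure
     */
    private Subject loginRunAsUser(String realm, BasicAuthData authData) {
        String userId = authData.getUserId();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "authData.getUserId(): " + userId + " length: " + userId.length());
        }
        try {
            Subject subject = this.contextManager.login(realm, userId, authData.getPassword());
            clearPropagationTokenIfCallerSubjectNullOrUnauthenticated();
            return subject;
        } catch (Exception e) {
            if (userId.length() > 0) {
                FFDCFilter.processException(e, "com.ibm.ws.security.core.SecurityCollaborator.getRunAsSpecifiedUserSubject", "919", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception during user authentication:", e);
                }
                Tr.audit(tc, "security.authn.failed.foruser", new Object[]{userId});
            }
            return null;
        }
    }

    /**
     * Drops the thread's V1 propagation token when the caller Subject is absent or
     * unauthenticated and the token records exactly one caller, then re-adds the
     * token's custom attributes through {@code WSSecurityHelper}. The
     * {@code WSPROP_CALLERS}/{@code WSPROP_HOSTS} entries and attributes that
     * {@code WSSecurityHelper} already knows are not copied — presumably so the new
     * token reflects the run-as identity rather than the cleared caller chain (confirm).
     *
     * <p>No-op when propagation is disabled, when no token is on the thread, or when
     * the caller is authenticated.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void clearPropagationTokenIfCallerSubjectNullOrUnauthenticated() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "clearPropagationTokenIfCallerSubjectNullOrUnauthenticated");
        }
        if (!WSCredentialTokenMapper.isAnyPropagationEnabled()) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "clearPropagationTokenIfCallerSubjectNullOrUnauthenticated (prop disabled)");
            }
            return;
        }
        // Initialised explicitly: the catch branch below leaves it unassigned otherwise.
        PropagationToken propagationToken = null;
        try {
            propagationToken = this.contextManager.getPropagationToken(AttributeNameConstants.WSPROPTOKEN_KEY_V1);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.core.SecurityCollaborator.clearPropagationTokenIfCallerSubjectNullOrUnauthenticated", "1015", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception determining if propagation token needs to be cleared.", new Object[]{e});
            }
        }
        if (propagationToken == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "clearPropagationTokenIfCallerSubjectNullOrUnauthenticated (no token on the thread)");
            }
            return;
        }
        WSCredential callerCredential = SubjectHelper.getWSCredentialFromSubject(this.contextManager.getCallerSubject());
        if (callerCredential != null && !callerCredential.isUnauthenticated()) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "clearPropagationTokenIfCallerSubjectNullOrUnauthenticated (caller not null, prop token already set correctly)");
            }
            return;
        }
        // Caller is null or unauthenticated from here on.
        String[] callers = propagationToken.getAttributes(AttributeNameConstants.WSPROP_CALLERS);
        if (callers != null && callers.length == 1) {
            this.contextManager.setPropagationToken(AttributeNameConstants.WSPROPTOKEN_KEY_V1, null);
            Enumeration attributeNames = propagationToken.getAttributeNames();
            while (attributeNames.hasMoreElements()) {
                String name = (String) attributeNames.nextElement();
                if (name == null
                        || name.equals(AttributeNameConstants.WSPROP_CALLERS)
                        || name.equals(AttributeNameConstants.WSPROP_HOSTS)
                        || WSSecurityHelper.getPropagationAttributes(name) != null) {
                    continue;
                }
                String[] values = propagationToken.getAttributes(name);
                if (values == null || values.length == 0) {
                    continue;
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Adding attributes for " + name + " to existing prop token");
                }
                for (String value : values) {
                    WSSecurityHelper.addPropagationAttribute(name, value);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "clearPropagationTokenIfCallerSubjectNullOrUnauthenticated");
        }
    }

    /**
     * Looks up the run-as role configured for servlet {@code str}: first the static
     * {@code <run-as>} identity of the {@link WebApp} descriptor, then the
     * {@link ServletRegistration} from the context's servlet map.
     *
     * @param webAccessContext web application context; {@code null} yields {@code null}
     * @param str servlet name; {@code null} yields {@code null}
     * @return the role name, or {@code null} when none is configured
     */
    protected String getRunAsRoleName(WebAccessContext webAccessContext, String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRunAsRoleName", new Object[]{webAccessContext, str});
        }
        if (webAccessContext == null || str == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getRunAsRoleName: return null");
            }
            return null;
        }
        String roleName = null;
        WebApp webApp = webAccessContext.getWebApp();
        Servlet servlet = webApp == null ? null : webApp.getServletNamed(str);
        RunAsSpecifiedIdentity runAs = servlet == null ? null : servlet.getRunAs();
        if (runAs != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "RunAs Specified for servlet" + str);
            }
            Identity identity = runAs.getIdentity();
            if (identity != null) {
                roleName = identity.getRoleName();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "static runAsRole->" + roleName);
                }
            }
        }
        if (roleName == null) {
            Map<String, ? extends ServletRegistration> servletMap = webAccessContext.getServletMap();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "servletMap :" + servletMap);
            }
            ServletRegistration registration = servletMap == null ? null : servletMap.get(str);
            if (registration != null) {
                roleName = registration.getRunAsRole();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "servlet runAsRole->" + roleName);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRunAsRoleName", new Object[]{roleName});
        }
        return roleName;
    }
}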
