package com.ibm.ws.security.zOS.threadid;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.csi.EJBComponentMetaData;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.security.auth.PlatformCredential;
import com.ibm.ws.security.auth.j2c.WSLoginLocalOSExtension;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.core.SecurityConfig;
import com.ibm.ws.security.zOS.NativeConfiguration;
import com.ibm.ws.security.zOS.PlatformCredentialManager;
import com.ibm.ws.security.zOS.SAFServiceResult;
import com.ibm.ws.threadContext.ComponentMetaDataAccessorImpl;
import com.ibm.ws.util.WSThreadLocal;
import com.ibm.ws.webcontainer.metadata.WebComponentMetaData;
import com.ibm.wsspi.security.auth.callback.Constants;
import java.util.Iterator;
import javax.security.auth.Subject;

/* loaded from: input_file:com.ibm.ws.admin.client_6.1.0.jar:com/ibm/ws/security/zOS/threadid/ThreadIdentityManager.class */
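/**
 * Switches the security identity attached to the current thread to the one carried by a
 * {@link Subject} and restores it afterwards, using the native
 * {@code ntv_setThreadSecurityEnvironment} call.
 *
 * <p>The credential last applied to each thread is cached in a thread-local so that a
 * switch to the identity already in effect does not reach native code. The cached value
 * can be {@code null}: it is cleared when the native call reports return code
 * {@link #RC_SYNC_NOT_ALLOWED}. Every reader of the cache must therefore tolerate
 * {@code null}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>A missing subject or missing platform credential never raises an error here; it
 *       resolves to the server credential or the default credential produced by
 *       {@link PlatformCredentialManager}. What those identities are allowed to do is
 *       decided outside this class.</li>
 *   <li>The success flag of a switch or restore is not propagated to callers of the
 *       public set/restore methods; see {@link #setThreadSecurityEnvironment}.</li>
 *   <li>Entry/exit trace passes {@code Subject} and credential objects to {@code Tr}. What
 *       ends up in the trace depends on their {@code toString()} implementations, so trace
 *       output should be handled as potentially sensitive.</li>
 * </ul>
 */
public final class ThreadIdentityManager implements WSLoginLocalOSExtension {
    /**
     * Native return code for which the "sync not allowed" informational message is logged.
     * The meaning is inferred from that message key; the native contract is not visible here.
     */
    private static final int RC_SYNC_NOT_ALLOWED = 44;

    private static final TraceComponent tc;
    /** Credential last applied to the current thread; may hold {@code null} after a refused sync. */
    private static final ThreadLocal _threadIdentity;
    /** Per-thread application-sync flag; starts as {@code Boolean.FALSE}. */
    private static final ThreadLocal _appSyncData;
    private static ThreadIdentityManager _instance;
    private ContextManager _contextManager;
    private boolean _isSyncEnabled;
    private boolean _isAppSyncEnabled;
    private boolean _serverSecurityEnabled;
    private ComponentMetaDataAccessorImpl _cmda = null;
    private PlatformCredentialManager _platformCredManager;
    // Compiler-generated caches for class literals (pre-Java 5 bytecode); kept so the
    // package-visible members of the class stay as they were.
    static Class class$com$ibm$ws$security$zOS$threadid$ThreadIdentityManager;
    static Class class$com$ibm$ws$security$auth$PlatformCredential;
    static Class class$com$ibm$websphere$security$cred$WSCredential;

    /**
     * Returns the shared manager, creating it on first use.
     *
     * <p>Creation is not synchronized, so concurrent first calls may each construct an
     * instance. All per-thread state lives in static thread-locals and the instance fields
     * are read from configuration, so the instances behave alike.
     *
     * @return the manager instance
     */
    public static ThreadIdentityManager getThreadIdentityManager() {
        if (_instance == null) {
            _instance = new ThreadIdentityManager();
        }
        return _instance;
    }

    /**
     * Reads the configuration that drives identity synchronization: the
     * {@code server.security.enabled} setting and the two sync flags exposed by
     * {@link NativeConfiguration}.
     */
    private ThreadIdentityManager() {
        this._contextManager = null;
        this._isSyncEnabled = false;
        this._isAppSyncEnabled = false;
        this._serverSecurityEnabled = false;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "<init>");
        }
        this._contextManager = ContextManagerFactory.getInstance();
        Boolean securityEnabled = (Boolean) SecurityConfig.getConfig().getValue("server.security.enabled");
        // An absent setting leaves server security treated as disabled.
        if (securityEnabled != null) {
            this._serverSecurityEnabled = securityEnabled.booleanValue();
        }
        NativeConfiguration config = NativeConfiguration.getConfig();
        this._isSyncEnabled = config.isConnectionManagementThreadIdentityEnabled();
        this._isAppSyncEnabled = config.isApplicationSyncToThreadEnabled();
        this._platformCredManager = PlatformCredentialManager.instance();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "<init>", this);
        }
    }

    /** @return the connection-management thread identity flag read at construction */
    @Override // com.ibm.ws.security.auth.j2c.WSLoginLocalOSExtension
    public boolean isSyncToThreadEnabled() {
        return this._isSyncEnabled;
    }

    /** @return the application sync-to-thread flag read at construction */
    @Override // com.ibm.ws.security.auth.j2c.WSLoginLocalOSExtension
    public boolean isApplicationSyncToOSThreadEnabled() {
        return this._isAppSyncEnabled;
    }

    /** @return the application-sync flag stored for the current thread ({@code false} until set) */
    @Override // com.ibm.ws.security.auth.j2c.WSLoginLocalOSExtension
    public boolean isThreadLocalApplicationSyncEnabled() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isThreadLocalApplicationSyncEnabled");
        }
        Boolean enabled = (Boolean) _appSyncData.get();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isThreadLocalApplicationSyncEnabled", enabled);
        }
        return enabled.booleanValue();
    }

    /**
     * Stores the application-sync flag for the current thread.
     *
     * @param z the value to store
     */
    @Override // com.ibm.ws.security.auth.j2c.WSLoginLocalOSExtension
    public void setThreadLocalApplicationSyncEnabled(boolean z) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setThreadLocalApplicationSyncEnabled", Boolean.valueOf(z));
        }
        _appSyncData.set(Boolean.valueOf(z));
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setThreadLocalApplicationSyncEnabled");
        }
    }

    /**
     * Returns the J2C subject for the current invocation.
     *
     * <p>Falls back to the server subject when no invocation or caller subject is available,
     * and to the server credential's J2C subject when the server subject cannot be obtained
     * either. Callers therefore always receive an identity; they cannot tell from the return
     * value that a fallback happened.
     *
     * @return the J2C subject derived from the invocation subject or from a fallback
     */
    @Override // com.ibm.ws.security.auth.j2c.WSLoginLocalOSExtension
    public Subject getLocalOSInvocationSubject() throws IllegalStateException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getLocalOSInvocationSubject");
        }
        Subject invocationSubject = getInvocationSubject();
        if (invocationSubject == null) {
            try {
                invocationSubject = this._contextManager.getServerSubject();
            } catch (WSSecurityException e) {
                // Deliberate best effort: a null subject is resolved by extractJ2CSubject.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Unable to get server subject", e);
                }
            }
        }
        Subject j2cSubject = extractJ2CSubject(invocationSubject);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getLocalOSInvocationSubject", j2cSubject);
        }
        return j2cSubject;
    }

    /**
     * Returns the J2C subject of the invocation subject when sync-to-thread is enabled, and of
     * the server subject otherwise.
     *
     * @return the J2C subject, or {@code null} when obtaining it threw an exception (the
     *         exception is only written to debug trace)
     */
    @Override // com.ibm.ws.security.auth.j2c.WSLoginLocalOSExtension
    public Subject getLocalOSOwnSubject() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getLocalOSOwnSubject");
        }
        Subject subject = null;
        try {
            subject = isSyncToThreadEnabled()
                    ? extractJ2CSubject(this._contextManager.getInvocationSubject())
                    : extractJ2CSubject(this._contextManager.getServerSubject());
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getLocalOSOwnSubject", e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getLocalOSOwnSubject", subject);
        }
        return subject;
    }

    /**
     * Maps a subject to the J2C subject of its platform credential.
     *
     * @param subject the source subject; {@code null} selects the server credential
     * @return the J2C subject of the resolved credential
     */
    private Subject extractJ2CSubject(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "extractJ2CSubject", subject);
        }
        Subject j2cSubject;
        if (subject == null) {
            j2cSubject = this._platformCredManager.createServerCredential().getJ2CSubject();
        } else {
            PlatformCredential credential = getPlatformCredentialFromSubject(subject);
            if (credential == null) {
                credential = this._platformCredManager.createDefaultCredential();
            }
            j2cSubject = credential.getJ2CSubject();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "extractJ2CSubject", j2cSubject);
        }
        return j2cSubject;
    }

    /**
     * Applies the subject's identity to the current thread when either sync flag is enabled.
     *
     * @param subject the identity to apply; {@code null} selects the server credential
     * @return the credential that was cached for the thread before the call, to be handed
     *         back to {@link #restoreLocalOSThreadID(Object)}; may be {@code null}
     */
    @Override // com.ibm.ws.security.auth.j2c.WSLoginLocalOSExtension
    public Object setLocalOSThreadID(Subject subject) throws IllegalStateException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setLocalOSThreadID", subject);
        }
        Object previous = setLocalOSThreadID(subject, this._isSyncEnabled || this._isAppSyncEnabled);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setLocalOSThreadID", previous);
        }
        return previous;
    }

    /**
     * Applies the subject's identity to the current thread when application sync is enabled.
     *
     * @param subject the identity to apply; {@code null} selects the server credential
     * @return the credential that was cached for the thread before the call; may be {@code null}
     */
    @Override // com.ibm.ws.security.auth.j2c.WSLoginLocalOSExtension
    public Object setAppLocalOSThreadID(Subject subject) throws IllegalStateException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setAppLocalOSThreadID", subject);
        }
        Object previous = setLocalOSThreadID(subject, this._isAppSyncEnabled);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setAppLocalOSThreadID", previous);
        }
        return previous;
    }

    /**
     * Re-applies a credential previously returned by {@link #setLocalOSThreadID(Subject)}
     * when either sync flag is enabled.
     *
     * @param obj the saved credential; {@code null} selects the server credential
     */
    @Override // com.ibm.ws.security.auth.j2c.WSLoginLocalOSExtension
    public void restoreLocalOSThreadID(Object obj) throws IllegalStateException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "restoreLocalOSThreadID", obj);
        }
        restoreLocalOSThreadID(obj, this._isSyncEnabled || this._isAppSyncEnabled);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "restoreLocalOSThreadID");
        }
    }

    /**
     * Re-applies a credential previously returned by {@link #setAppLocalOSThreadID(Subject)}
     * when application sync is enabled.
     *
     * @param obj the saved credential; {@code null} selects the server credential
     */
    @Override // com.ibm.ws.security.auth.j2c.WSLoginLocalOSExtension
    public void restoreAppLocalOSThreadID(Object obj) throws IllegalStateException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "restoreAppLocalOSThreadID", obj);
        }
        restoreLocalOSThreadID(obj, this._isAppSyncEnabled);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "restoreAppLocalOSThreadID");
        }
    }

    /**
     * Shared implementation of the two public set methods.
     *
     * @param subject the identity to apply; {@code null} selects the server credential
     * @param syncEnabled whether the switch is actually performed
     * @return the credential cached for the thread before the call
     */
    private Object setLocalOSThreadID(Subject subject, boolean syncEnabled) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setLocalOSThreadID", new Object[]{subject, Boolean.valueOf(syncEnabled)});
        }
        // Captured before the switch so the caller can restore it later.
        PlatformCredential previous = (PlatformCredential) _threadIdentity.get();
        if (syncEnabled) {
            PlatformCredential requested = null;
            if (subject != null) {
                requested = getPlatformCredentialFromSubject(subject);
            }
            // NOTE(review): the success flag is discarded, so a caller cannot tell that the
            // switch was refused and may go on to do work under the identity that was already
            // in effect. Consider surfacing the failure to callers that depend on the switch.
            setThreadSecurityEnvironment(requested);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setLocalOSThreadID", previous);
        }
        return previous;
    }

    /**
     * Shared implementation of the two public restore methods.
     *
     * @param obj the saved credential, cast to {@link PlatformCredential}
     * @param syncEnabled whether the restore is actually performed
     */
    private void restoreLocalOSThreadID(Object obj, boolean syncEnabled) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "restoreLocalOSThreadID", new Object[]{obj, Boolean.valueOf(syncEnabled)});
        }
        if (syncEnabled) {
            // NOTE(review): the success flag is discarded here as well. If a restore fails, the
            // thread presumably keeps the identity assumed earlier; only the log message
            // written by setThreadSecurityEnvironment records it.
            setThreadSecurityEnvironment((PlatformCredential) obj);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "restoreLocalOSThreadID");
        }
    }

    /**
     * Makes the given credential the thread's identity and updates the per-thread cache.
     *
     * <p>The native call is skipped when the cached credential equals the requested one. A
     * server-type credential is passed to native code as {@code null}.
     *
     * <p>Outcome handling: on return code 0 the cache is updated; on
     * {@link #RC_SYNC_NOT_ALLOWED} the cache is cleared and an informational message is
     * logged; on any other code an error is logged and the cache is left as it was, so it may
     * no longer describe the thread's real identity.
     *
     * @param platformCredential the credential to apply; {@code null} selects the server
     *        credential
     * @return {@code true} when the thread now runs under the requested credential
     */
    private boolean setThreadSecurityEnvironment(PlatformCredential platformCredential) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setThreadSecurityEnvironment", platformCredential);
        }
        PlatformCredential current = (PlatformCredential) _threadIdentity.get();
        if (platformCredential == null) {
            platformCredential = this._platformCredManager.createServerCredential();
        }
        int rc;
        // The cache holds null after a refused sync. In that state the thread's identity is
        // unknown, so the native call must be made rather than dereferencing the null entry
        // (which previously threw NullPointerException on the next switch or restore).
        if (current != null && current.equals(platformCredential)) {
            rc = 0;
        } else if (platformCredential.getCredentialType() == PlatformCredential.SERVER) {
            rc = ntv_setThreadSecurityEnvironment(null);
        } else {
            rc = ntv_setThreadSecurityEnvironment(platformCredential);
        }
        boolean switched = rc == 0;
        if (switched) {
            _threadIdentity.set(platformCredential);
        } else if (rc == RC_SYNC_NOT_ALLOWED) {
            _threadIdentity.set(null);
            Tr.info(tc, "security.zos.saf.threadid.sync.not.allowed.info", new Object[]{platformCredential.getUserId()});
        } else {
            Tr.error(tc, "security.zos.saf.threadid.sync.error", new Object[]{platformCredential.getUserId(), SAFServiceResult.getSafServiceResult()});
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setThreadSecurityEnvironment", Boolean.valueOf(switched));
        }
        return switched;
    }

    /**
     * Finds the platform credential carried by a subject.
     *
     * <p>Lookup order: the first {@link PlatformCredential} among the private credentials,
     * then the {@code com.ibm.ws.security.zos.PlatformCredential} attribute of the first
     * public {@link WSCredential}, then the default credential from
     * {@link PlatformCredentialManager}. An exception while reading the attribute is written
     * to debug trace only and also ends in the default credential, so a lookup failure is
     * indistinguishable from a subject that carries no platform credential.
     *
     * @param subject the subject to inspect; must not be {@code null}
     * @return the credential found, or the default credential
     */
    private PlatformCredential getPlatformCredentialFromSubject(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getPlatformCredentialFromSubject", subject);
        }
        PlatformCredential platformCredential = null;
        Class platformCredentialClass = class$com$ibm$ws$security$auth$PlatformCredential;
        if (platformCredentialClass == null) {
            platformCredentialClass = class$("com.ibm.ws.security.auth.PlatformCredential");
            class$com$ibm$ws$security$auth$PlatformCredential = platformCredentialClass;
        }
        Iterator privateCredentials = subject.getPrivateCredentials(platformCredentialClass).iterator();
        if (privateCredentials.hasNext()) {
            platformCredential = (PlatformCredential) privateCredentials.next();
        }
        if (platformCredential == null) {
            WSCredential wsCredential = null;
            Class wsCredentialClass = class$com$ibm$websphere$security$cred$WSCredential;
            if (wsCredentialClass == null) {
                wsCredentialClass = class$("com.ibm.websphere.security.cred.WSCredential");
                class$com$ibm$websphere$security$cred$WSCredential = wsCredentialClass;
            }
            Iterator publicCredentials = subject.getPublicCredentials(wsCredentialClass).iterator();
            if (publicCredentials.hasNext()) {
                wsCredential = (WSCredential) publicCredentials.next();
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, Constants.WSCREDENTIAL_KEY, wsCredential);
            }
            if (wsCredential != null) {
                try {
                    platformCredential = (PlatformCredential) wsCredential.get("com.ibm.ws.security.zos.PlatformCredential");
                } catch (Exception e) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Unexpected exception acquiring platform cred", e);
                    }
                }
            }
        }
        if (platformCredential == null) {
            platformCredential = this._platformCredManager.createDefaultCredential();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getPlatformCredentialFromSubject", platformCredential);
        }
        return platformCredential;
    }

    /**
     * Returns the invocation subject, or the caller subject when there is none.
     *
     * @return the subject, or {@code null} when server security is disabled, neither subject
     *         exists, or the context manager threw {@link WSSecurityException}
     */
    private Subject getInvocationSubject() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getInvocationSubject");
        }
        Subject subject = null;
        try {
            if (this._serverSecurityEnabled) {
                subject = this._contextManager.getInvocationSubject();
                if (subject == null) {
                    subject = this._contextManager.getCallerSubject();
                }
            }
        } catch (WSSecurityException e) {
            if (tc.isEventEnabled()) {
                Tr.event(tc, "Exception acquring invocation subject", e);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getInvocationSubject", subject);
        }
        return subject;
    }

    /**
     * Reports whether the component currently on the thread asks for application sync.
     *
     * <p>Always {@code false} when application sync is disabled in the native configuration
     * or when no component metadata is present. Metadata of an unrecognized type is traced
     * and also yields {@code false}.
     *
     * @return the component's sync setting
     */
    @Override // com.ibm.ws.security.auth.j2c.WSLoginLocalOSExtension
    public boolean getAppSyncEnabledFromComponentMetaData() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getAppSyncEnabledFromComponentMetaData");
        }
        boolean enabled = false;
        if (this._isAppSyncEnabled) {
            // Held as Object: the value is either EJB or web metadata, so declaring it as
            // EJBComponentMetaData made the web branch below impossible to type-check.
            Object componentMetaData = getMetaDataAccessor().getComponentMetaData();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "current meta data", componentMetaData);
            }
            if (componentMetaData instanceof EJBComponentMetaData) {
                enabled = ((EJBComponentMetaData) componentMetaData).isApplicationSyncToOSThreadEnabled();
            } else if (componentMetaData instanceof WebComponentMetaData) {
                enabled = ((WebComponentMetaData) componentMetaData).getModuleMetaData().getWebAppConfig().isSyncToThreadEnabled();
            } else if (componentMetaData != null && tc.isDebugEnabled()) {
                Tr.debug(tc, "Unknown component metadata", componentMetaData);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getAppSyncEnabledFromComponentMetaData", Boolean.valueOf(enabled));
        }
        return enabled;
    }

    /** Returns the metadata accessor, looking it up on first use. */
    private ComponentMetaDataAccessorImpl getMetaDataAccessor() {
        if (this._cmda == null) {
            this._cmda = ComponentMetaDataAccessorImpl.getComponentMetaDataAccessor();
        }
        return this._cmda;
    }

    /**
     * Describes the two sync flags and the credential cached for the calling thread.
     */
    @Override
    public String toString() {
        return super.toString()
                + ";_syncEnabled=" + this._isSyncEnabled
                + ",_appSyncEnabled=" + this._isAppSyncEnabled
                + ",_threadIdentity=" + _threadIdentity;
    }

    /**
     * Native entry point that changes the thread's security environment.
     *
     * @param platformCredential the credential to apply; this class passes {@code null} for a
     *        server-type credential
     * @return 0 on success; other values are treated as failure by the caller
     */
    private static native int ntv_setThreadSecurityEnvironment(PlatformCredential platformCredential);

    /**
     * Compiler-generated helper behind class literals: loads a class by name and converts
     * {@link ClassNotFoundException} into {@link NoClassDefFoundError}.
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            // initCause returns Throwable, which cannot be thrown from here directly.
            NoClassDefFoundError error = new NoClassDefFoundError();
            error.initCause(e);
            throw error;
        }
    }

    static {
        Class self = class$com$ibm$ws$security$zOS$threadid$ThreadIdentityManager;
        if (self == null) {
            self = class$("com.ibm.ws.security.zOS.threadid.ThreadIdentityManager");
            class$com$ibm$ws$security$zOS$threadid$ThreadIdentityManager = self;
        }
        tc = Tr.register(self, "Security", "com.ibm.ejs.resources.security");
        _threadIdentity = new WSThreadLocal() { // from class: com.ibm.ws.security.zOS.threadid.ThreadIdentityManager.1
            /** A thread that has never been switched is recorded as running under the server credential. */
            @Override // java.lang.ThreadLocal
            protected Object initialValue() {
                if (ThreadIdentityManager.tc.isEntryEnabled()) {
                    Tr.entry(ThreadIdentityManager.tc, "_threadIdentity.initialValue");
                }
                PlatformCredential serverCredential = PlatformCredentialManager.instance().createServerCredential();
                if (ThreadIdentityManager.tc.isEntryEnabled()) {
                    Tr.exit(ThreadIdentityManager.tc, "_threadIdentity.initialValue", serverCredential);
                }
                return serverCredential;
            }

            @Override
            public String toString() {
                // The stored value is null after a refused sync; valueOf avoids an NPE there.
                return String.valueOf(get());
            }
        };
        _appSyncData = new WSThreadLocal() { // from class: com.ibm.ws.security.zOS.threadid.ThreadIdentityManager.2
            @Override // java.lang.ThreadLocal
            protected Object initialValue() {
                return Boolean.valueOf(false);
            }
        };
    }
}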
