package com.ibm.ws.security.zOS.authz;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.AuthorizationTable;
import com.ibm.websphere.security.SAFRoleMapper;
import com.ibm.websphere.security.SecurityProviderException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.PlatformCredential;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.core.SecurityConfig;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.security.util.Constants;
import com.ibm.ws.security.zOS.PlatformCredentialManager;
import com.ibm.ws.security.zOS.SAFServiceResult;
import com.ibm.ws.security.zOS.authz.SAFAuthorizationOptions;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Properties;
import javax.security.auth.Subject;

/* loaded from: input_file:com.ibm.ws.admin.client_6.1.0.jar:com/ibm/ws/security/zOS/authz/SAFAuthorizationTableImpl.class */
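/**
 * {@link AuthorizationTable} that delegates role authorization to the z/OS System
 * Authorization Facility (SAF).
 *
 * <p>The requested roles are mapped to SAF profile names by a {@link SAFRoleMapper} and a
 * native profile check ({@link #checkProfiles}) is run for the {@link PlatformCredential}
 * carried by the {@link Subject} that the caller places in the context map under the
 * {@code AUTHZ_SUBJECT} key. When the subject carries no platform credential, the default
 * platform credential from {@link PlatformCredentialManager} is used instead.
 *
 * <p>Fail-open caveat: when the native check reports that the SAF role class is inactive
 * (return code 14) the request is granted and a process-wide flag is set that makes
 * {@link #isEveryoneGranted} return {@code true} from then on. Installations that rely on
 * SAF-enforced authorization must therefore keep the role class active.
 *
 * <p>The SAF logging option and the message-suppression flags handed to the native check
 * are read from the top-level security properties when an instance is constructed.
 *
 * <p>Thread-safety: per-instance state is fixed after construction; the role-class flag is
 * a volatile static written under the class lock.
 */
public class SAFAuthorizationTableImpl implements AuthorizationTable {
    private static final TraceComponent tc;
    /** Context-map key under which the caller supplies the {@link Subject} to authorize. */
    private static final String SUBJECT_KEY = "AUTHZ_SUBJECT";
    /** Key of the {@link PlatformCredential} entry inside a {@link WSCredential}. */
    private static final String PLATFORM_CREDENTIAL_KEY = "com.ibm.ws.security.zos.PlatformCredential";
    /** Native return code treated as "permitted to at least one of the profiles". */
    private static final int RC_PERMITTED = 0;
    /** Native return code meaning the SAF role class is not active. */
    private static final int RC_ROLE_CLASS_INACTIVE = 14;
    /**
     * Set once SAF has reported the role class inactive; never reset. Volatile so the
     * unsynchronized reader ({@link #isRoleClassInactive}) observes the synchronized write.
     */
    private static volatile boolean _roleClassInactive;
    /** Maps (application, role) pairs to SAF profile names. */
    private SAFRoleMapper _roleMapper;
    /** Message-suppression flag passed to the native check for application requests. */
    private boolean _suppressMessages;
    /** Message-suppression flag passed to the native check for admin-application requests. */
    private boolean _suppressAdminMessages;
    /** Configured SAF logging option, or {@code null} when none was configured. */
    private SAFAuthorizationOptions.LogOption _logOption;
    static Class class$com$ibm$ws$security$zOS$authz$SAFAuthorizationTableImpl;

    /**
     * Reads the SAF authorization settings from the top-level security properties, obtains
     * the role mapper and audits that SAF authorization is enabled.
     *
     * <p>Admin-message suppression defaults to {@code true}; it is switched off when the
     * admin property is explicitly {@code "false"}, or when it is absent but a log option
     * was configured.
     */
    public SAFAuthorizationTableImpl() {
        this._roleMapper = null;
        this._suppressMessages = false;
        this._suppressAdminMessages = true;
        this._logOption = null;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "<init>");
        }
        Properties properties = (Properties) SecurityConfig.getConfig().getValue(CommonConstants.TOPLEVEL_PROPS);
        this._logOption = parseLogOption(properties.getProperty(CommonConstants.SAF_AUTHZN_LOG_OPTION));
        this._suppressMessages = "true".equalsIgnoreCase(properties.getProperty(CommonConstants.SAF_AUTHZN_MESSAGE_SUPPRESION));
        String adminSuppression = properties.getProperty(CommonConstants.SAF_AUTHZN_MESSAGE_SUPPRESSION_ADMIN);
        if (adminSuppression == null) {
            // Not configured: admin messages stay suppressed unless a log option was set explicitly.
            this._suppressAdminMessages = (this._logOption == null);
        } else {
            this._suppressAdminMessages = !"false".equalsIgnoreCase(adminSuppression);
        }
        this._roleMapper = SAFRoleMapperFactory.getSAFRoleMapper();
        Tr.audit(tc, "security.zos.saf.authz.enabled");
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "<init>", this);
        }
    }

    /**
     * Maps the configured log-option property to a {@link SAFAuthorizationOptions.LogOption}.
     *
     * @param value the property value; may be {@code null} or empty
     * @return the matching option, or {@code null} when the value is absent or unrecognized
     */
    private static SAFAuthorizationOptions.LogOption parseLogOption(String value) {
        if (value == null || value.length() == 0) {
            return null;
        }
        if (value.equals(SAFAuthorizationOptions.NONE.toString())) {
            return SAFAuthorizationOptions.NONE;
        }
        if (value.equals(SAFAuthorizationOptions.ASIS.toString())) {
            return SAFAuthorizationOptions.ASIS;
        }
        if (value.equals(SAFAuthorizationOptions.NOFAIL.toString())) {
            return SAFAuthorizationOptions.NOFAIL;
        }
        return null;
    }

    /**
     * Reports whether every caller is granted the given roles. With SAF this is only the case
     * after the native check has reported the role class inactive (see the class comment);
     * the arguments are not consulted.
     *
     * @param hashMap the authorization context map (unused here)
     * @param strArr the roles (unused here)
     * @return {@code true} once the SAF role class has been found inactive
     */
    @Override // com.ibm.websphere.security.AuthorizationTable
    public boolean isEveryoneGranted(HashMap hashMap, String[] strArr) throws SecurityProviderException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isEveryoneGranted", new Object[]{hashMap, strArr});
        }
        boolean everyoneGranted = isRoleClassInactive();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isEveryoneGranted", Boolean.valueOf(everyoneGranted));
        }
        return everyoneGranted;
    }

    /**
     * Single-role convenience form of {@link #isGrantedAnyRole}.
     *
     * @param hashMap the authorization context map
     * @param str the role to check
     * @param principal the principal being authorized
     * @return {@code true} when the subject in the context map is permitted to the role
     * @throws SecurityProviderException if the platform credential cannot be obtained
     */
    @Override // com.ibm.websphere.security.AuthorizationTable
    public boolean isGrantedRole(HashMap hashMap, String str, Principal principal) throws SecurityProviderException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isGrantedRole", new Object[]{hashMap, str, principal});
        }
        boolean granted = isGrantedAnyRole(hashMap, new String[]{str}, principal);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isGrantedRole", Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Checks whether the subject supplied in the context map is permitted to at least one of
     * the given roles.
     *
     * <p>The platform credential is resolved inside a privileged action from the
     * {@link WSCredential} of the subject stored under {@code AUTHZ_SUBJECT}, falling back to
     * the default platform credential when the subject has none. The roles are mapped to SAF
     * profiles for the application named under {@link AuthorizationTable#APP_NAME}; requests
     * for the admin application use the admin message-suppression setting.
     *
     * @param hashMap the authorization context map
     * @param strArr the roles to check; at least one is required
     * @param principal the principal being authorized (only traced)
     * @return {@code true} when SAF permits the credential to any of the mapped profiles
     * @throws IllegalArgumentException if {@code strArr} is {@code null} or empty
     * @throws SecurityProviderException if the platform credential cannot be obtained
     */
    @Override // com.ibm.websphere.security.AuthorizationTable
    public boolean isGrantedAnyRole(HashMap hashMap, String[] strArr, Principal principal) throws SecurityProviderException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isGrantedAnyRole", new Object[]{hashMap, strArr, principal});
        }
        // Validate the request before doing any privileged credential work.
        if (strArr == null || strArr.length == 0) {
            throw new IllegalArgumentException("Target role is required");
        }
        final Subject subject = (Subject) hashMap.get(SUBJECT_KEY);
        PlatformCredential platformCredential;
        try {
            platformCredential = (PlatformCredential) AccessController.doPrivileged(new PrivilegedExceptionAction() {
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws Exception {
                    WSCredential wsCredential = SubjectHelper.getWSCredentialFromSubject(subject);
                    Object credential = null;
                    if (wsCredential != null) {
                        credential = wsCredential.get(PLATFORM_CREDENTIAL_KEY);
                    }
                    if (credential == null) {
                        // No platform credential on the subject: authorize as the default identity.
                        credential = PlatformCredentialManager.instance().createDefaultCredential();
                    }
                    return credential;
                }
            });
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e.getException(), CommonConstants.SAF_AUTHZN_IMPL, "255", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to acquire credential for authorization", e.getException());
            }
            throw new SecurityProviderException("Unable to acquire credential for authorization", e.getException());
        }
        String appName = (String) hashMap.get(AuthorizationTable.APP_NAME);
        boolean suppressMessages = Constants.ADMIN_APP.equals(appName) ? this._suppressAdminMessages : this._suppressMessages;
        boolean granted = isCredentialInAnyRole(platformCredential, getProfilesFromRoles(hashMap, strArr), getLogOption(), suppressMessages);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isGrantedAnyRole", Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Runs the native SAF profile check and maps its return code to a grant/deny decision.
     *
     * @param credential the platform credential to check
     * @param profiles the SAF profile names to check; the array length is passed to the native layer
     * @param logOption the SAF logging option value (see {@link #getLogOption})
     * @param suppressMessages the message-suppression flag for this request
     * @return {@code true} for return code 0 and for an inactive role class; {@code false} otherwise
     */
    private boolean isCredentialInAnyRole(PlatformCredential credential, String[] profiles, int logOption, boolean suppressMessages) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isCredentialInAnyRole", new Object[]{credential, profiles, Integer.valueOf(logOption), Boolean.valueOf(suppressMessages)});
        }
        int rc = checkProfiles(credential, profiles, profiles.length, logOption, suppressMessages);
        boolean granted;
        switch (rc) {
            case RC_PERMITTED:
                granted = true;
                break;
            case RC_ROLE_CLASS_INACTIVE:
                // The role class is not active, so SAF cannot enforce anything: the check is
                // treated as satisfied from now on (fail-open, remembered process-wide).
                setRoleClassInactive();
                granted = true;
                break;
            case 8:
            case 9:
                // Denied without the diagnostic trace given to other codes; presumably the
                // regular "not authorized" outcomes of the native layer (not verifiable here).
                granted = false;
                break;
            default:
                // Any other code is not an authorization answer: trace it (with rc) and deny.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "SAF authorization unexpected rc", new Object[]{Integer.valueOf(rc), SAFServiceResult.getSafServiceResult()});
                }
                granted = false;
                break;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isCredentialInAnyRole", Boolean.valueOf(granted));
        }
        return granted;
    }

    /**
     * Returns the numeric value of the configured log option, or {@code 0} when none is set.
     *
     * @return the log option value handed to the native check
     */
    protected int getLogOption() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getLogOption");
        }
        int value = this._logOption == null ? 0 : this._logOption.getValue();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getLogOption", Integer.valueOf(value));
        }
        return value;
    }

    /**
     * Maps each role to its SAF profile name for the application named in the context map.
     *
     * @param hashMap the authorization context map; {@link AuthorizationTable#APP_NAME} is read
     * @param strArr the roles to map
     * @return the profile names, positionally matching {@code strArr}
     */
    protected String[] getProfilesFromRoles(HashMap hashMap, String[] strArr) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getProfilesFromRoles", new Object[]{hashMap, strArr});
        }
        String appName = (String) hashMap.get(AuthorizationTable.APP_NAME);
        String[] profiles = new String[strArr.length];
        for (int i = 0; i < strArr.length; i++) {
            profiles[i] = this._roleMapper.getProfileFromRole(appName, strArr[i]);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getProfilesFromRoles", profiles);
        }
        return profiles;
    }

    /**
     * Native SAF profile check. Return-code semantics belong to the native layer; this class
     * only interprets 0 (permitted), 14 (role class inactive) and 8/9 (denied quietly).
     *
     * @param platformCredential the credential to check
     * @param strArr the profile names
     * @param i the number of entries in {@code strArr}
     * @param i2 the SAF logging option value
     * @param z the message-suppression flag
     * @return the native return code
     */
    private native int checkProfiles(PlatformCredential platformCredential, String[] strArr, int i, int i2, boolean z);

    /** Records, process-wide, that SAF reported the role class inactive. Never reset. */
    private static synchronized void setRoleClassInactive() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setRoleClassInactive");
        }
        _roleClassInactive = true;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setRoleClassInactive");
        }
    }

    /** @return whether a previous check found the SAF role class inactive */
    private static boolean isRoleClassInactive() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isRoleClassInactive");
        }
        boolean inactive = _roleClassInactive;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isRoleClassInactive", Boolean.valueOf(inactive));
        }
        return inactive;
    }

    /** Trace-oriented description of the configured state (no credential data). */
    public String toString() {
        StringBuilder sb = new StringBuilder(super.toString());
        sb.append(";_logOption=").append(this._logOption);
        sb.append(";_suppressMessages=").append(this._suppressMessages);
        sb.append(";_suppressAdminMessages=").append(this._suppressAdminMessages);
        sb.append(";_roleMapper=").append(this._roleMapper);
        sb.append(";_roleClassInactive=").append(_roleClassInactive);
        return sb.toString();
    }

    /**
     * Loads a class by name, converting a missing class into a {@link NoClassDefFoundError}
     * that keeps the original exception as its cause.
     *
     * @param str the fully qualified class name
     * @return the loaded class
     * @throws NoClassDefFoundError if the class cannot be found
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            // initCause() returns Throwable, which cannot be thrown undeclared from here;
            // attach the cause and throw the error itself.
            NoClassDefFoundError error = new NoClassDefFoundError(str);
            error.initCause(e);
            throw error;
        }
    }

    static {
        // Register the trace component for this class by the name held in SAF_AUTHZN_IMPL.
        Class cls;
        if (class$com$ibm$ws$security$zOS$authz$SAFAuthorizationTableImpl == null) {
            cls = class$(CommonConstants.SAF_AUTHZN_IMPL);
            class$com$ibm$ws$security$zOS$authz$SAFAuthorizationTableImpl = cls;
        } else {
            cls = class$com$ibm$ws$security$zOS$authz$SAFAuthorizationTableImpl;
        }
        tc = Tr.register(cls, "Security", "com.ibm.ejs.resources.security");
        _roleClassInactive = false;
    }
}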
