package com.ibm.ws.security.provider;

import com.ibm.ejs.models.base.bindings.applicationbnd.AuthorizationTable;
import com.ibm.ejs.models.base.bindings.applicationbnd.Group;
import com.ibm.ejs.models.base.bindings.applicationbnd.User;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.core.SecurityConfig;
import com.ibm.ws.security.core.WSAccessManager;
import com.ibm.ws.security.util.Constants;
import com.ibm.ws.security.util.WCCMHelper;
import java.security.GeneralSecurityException;
import java.security.Permission;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.jacc.EJBRoleRefPermission;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebRoleRefPermission;
import org.eclipse.jst.j2ee.common.SecurityRole;

/* loaded from: input_file:ws_runtime.jar:com/ibm/ws/security/provider/JaccProvider.class */
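/**
 * WebSphere-specific decision helper used by the JACC {@code Policy} implementation.
 *
 * <p>The public {@code check*} methods each answer one question about a single
 * {@link Permission} against a {@link WSPolicyConfigurationImpl}:
 * <ul>
 *   <li>{@link #checkExcludedPerm} – is the permission covered by an excluded policy statement;</li>
 *   <li>{@link #checkUncheckedPerm} – is it covered by an unchecked policy statement;</li>
 *   <li>{@link #isEveryoneGranted} – does one of the roles that imply it contain the
 *       {@code Everyone} special subject of the application's authorization table;</li>
 *   <li>{@link #checkRolePerm} – is it granted to the caller found in the policy context
 *       (via {@code Everyone}, {@code AllAuthenticatedUsers}, the caller's access id or
 *       one of the caller's group ids).</li>
 * </ul>
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>{@link #checkRolePerm} is deliberately <b>fail-open</b> in two places (no role-to-permission
 *       map at all, or no role implies a non role-ref permission). That mirrors the original
 *       implementation and presumably relies on unconstrained resources never reaching this
 *       method; it is preserved here but should be confirmed against the policy configuration
 *       that feeds this class.</li>
 *   <li>Every failure to identify the caller (no subject, no credential, unauthenticated
 *       credential, failed basic-auth login, no authorization table) denies.</li>
 *   <li>Case folding of access/group ids ({@code ignoreCase}) uses the default-locale
 *       {@code toLowerCase()}; it is left that way because the matching side (the authorization
 *       table built by {@link WSAccessManager}) is not visible here and must fold identically.</li>
 * </ul>
 */
public class JaccProvider {
    private static TraceComponent tc;
    private static JaccProvider jaccProvider;
    private static boolean initialized;
    /** When set, access ids and group ids are lower-cased before the authorization-table lookup. */
    private static boolean ignoreCase;
    // Decompiler artifact (pre-Java 5 class-literal idiom); kept for binary compatibility of the static init.
    static Class class$com$ibm$ws$security$provider$JaccProvider;

    /**
     * Returns the process-wide provider, creating it and reading the
     * {@code CommonConstants.IGNORE_CASE} security setting on first use.
     *
     * <p>Synchronized so that two concurrent first callers cannot observe
     * {@code initialized == true} before {@code ignoreCase} has been read; an
     * authorization decision taken with the wrong case-folding setting would
     * otherwise silently produce a different answer than later ones.
     *
     * @return the singleton provider (never {@code null})
     */
    public static synchronized JaccProvider getInstance() {
        if (!initialized) {
            jaccProvider = new JaccProvider();
            initialized = true;
            Boolean flag = (Boolean) SecurityConfig.getConfig().getValue(CommonConstants.IGNORE_CASE);
            if (flag != null && flag.booleanValue()) {
                ignoreCase = true;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "ignoreCase is set");
                }
            }
        }
        return jaccProvider;
    }

    private JaccProvider() {
    }

    /**
     * Reports whether {@code permission} is implied by any permission in the
     * configuration's unchecked list.
     *
     * @param policyConfig the policy configuration for the current context id
     * @param permission   the permission being decided
     * @return {@code true} if an unchecked policy statement implies the permission
     */
    public boolean checkUncheckedPerm(WSPolicyConfigurationImpl policyConfig, Permission permission) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkUncheckedPerm: " + permission);
        }
        if (impliedByAny(policyConfig.getUncheckedList(), permission)) {
            return traceExit(true, "The permission: " + permission + " is in the uncheckedList. exit value:true");
        }
        return traceExit(false, "The permission: " + permission + " is not in the uncheckedList. exit value:false");
    }

    /**
     * Reports whether {@code permission} is implied by any permission in the
     * configuration's excluded list. A {@code true} result means the caller must be
     * denied regardless of roles.
     *
     * <p>The original trace text reported the opposite exit value on both paths;
     * the messages now state the value actually returned, which matters when the
     * trace is used to reconstruct an authorization decision.
     *
     * @param policyConfig the policy configuration for the current context id
     * @param permission   the permission being decided
     * @return {@code true} if an excluded policy statement implies the permission
     */
    public boolean checkExcludedPerm(WSPolicyConfigurationImpl policyConfig, Permission permission) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkExcludedPerm: " + permission);
        }
        if (impliedByAny(policyConfig.getExcludedList(), permission)) {
            return traceExit(true, "The permission: " + permission + " is in the excludedList. exit value:true");
        }
        return traceExit(false, "The permission: " + permission + " is not in the excludedList. exit value:false");
    }

    /**
     * Reports whether the {@code Everyone} special subject of the application's
     * authorization table is mapped to at least one role whose permissions imply
     * {@code permission}.
     *
     * @param policyConfig the policy configuration for {@code contextId}
     * @param permission   the permission being decided
     * @param contextId    the JACC policy context id; the application name is taken from it
     *                     (see {@link #applicationNameFromContextId})
     * @return {@code true} if Everyone holds a role that implies the permission;
     *         {@code false} when no role implies it or no authorization table exists
     */
    public boolean isEveryoneGranted(WSPolicyConfigurationImpl policyConfig, Permission permission, String contextId) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isEveryoneGranted: " + permission);
        }
        ArrayList requiredRoles = rolesRequiredFor(policyConfig.getRoleToPermMap(), permission);
        if (!requiredRoles.isEmpty()) {
            String appName = applicationNameFromContextId(contextId);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "application name is: " + appName);
            }
            AuthorizationTable table = WSAccessManager.getAuthorizationTable(appName);
            if (table != null && anyRoleMatches(table.getRolesForSubject(Constants.EVERYONE), requiredRoles)) {
                return traceExit(true, "Everyone is granted access: . exit value:true");
            }
        }
        return traceExit(false, "Everyone is not granted access:");
    }

    /**
     * Decides whether the caller in the JACC policy context is granted
     * {@code permission} through role membership.
     *
     * <p>Decision order (first match wins):
     * <ol>
     *   <li>no role-to-permission map at all → <b>granted</b> (fail-open, preserved from the original);</li>
     *   <li>no role implies the permission and it is not a {@link WebRoleRefPermission} /
     *       {@link EJBRoleRefPermission} → <b>granted</b> (fail-open, preserved);</li>
     *   <li>no authorization table for the application → denied;</li>
     *   <li>{@code Everyone} holds a required role (skipped for {@link WebResourcePermission},
     *       presumably because {@link #isEveryoneGranted} covers that case) → granted;</li>
     *   <li>no subject / not a {@link Subject} / no {@link WSCredential} / unauthenticated → denied;</li>
     *   <li>basic-auth credentials are logged in through the {@link ContextManager}; a failed
     *       login → denied;</li>
     *   <li>{@code AllAuthenticatedUsers} holds a required role → granted;</li>
     *   <li>the caller's access id is mapped to a required role → granted;</li>
     *   <li>one of the caller's group ids is mapped to a required role → granted;</li>
     *   <li>otherwise denied.</li>
     * </ol>
     *
     * <p>Compared with the original: a credential that cannot be obtained from the subject
     * now denies instead of throwing; when the access id cannot be read the user lookup is
     * skipped (the original looked up the literal {@code "???"}, which could match a user
     * of that name) and only the group lookup continues.
     *
     * @param policyConfig the policy configuration for {@code contextId}
     * @param permission   the permission being decided
     * @param contextId    the JACC policy context id
     * @return {@code true} if access is granted
     */
    public boolean checkRolePerm(WSPolicyConfigurationImpl policyConfig, Permission permission, String contextId) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkRolePerm: " + permission);
        }
        HashMap roleToPermMap = policyConfig.getRoleToPermMap();
        if (roleToPermMap.isEmpty()) {
            // Fail-open: no roles configured at all for this context. Preserved from the original;
            // confirm this is intended for the configurations that reach here.
            return traceExit(true, "No required roles list in the PolicyConfiguration for ContextID: " + contextId + " . exit value:true");
        }
        ArrayList requiredRoles = rolesRequiredFor(roleToPermMap, permission);
        boolean isRoleRef = permission instanceof WebRoleRefPermission || permission instanceof EJBRoleRefPermission;
        if (!isRoleRef && requiredRoles.isEmpty()) {
            // Fail-open: nothing protects this permission. Preserved from the original (see class doc).
            return traceExit(true, "No required roles. exit value:true");
        }

        String appName = applicationNameFromContextId(contextId);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "application name is: " + appName);
        }
        AuthorizationTable table = WSAccessManager.getAuthorizationTable(appName);
        if (table == null) {
            return traceExit(false, "cannot get the authorization table for application : " + appName + ". exit value:false");
        }
        if (!(permission instanceof WebResourcePermission)
                && anyRoleMatches(table.getRolesForSubject(Constants.EVERYONE), requiredRoles)) {
            return traceExit(true, "Everyone is granted access: . exit value:true");
        }

        Object contextValue;
        try {
            contextValue = PolicyContext.getContext(CommonConstants.JACC_SUBJECT_KEY);
        } catch (PolicyContextException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.authorize.JaccProvider.implies", "246", this);
            Tr.error(tc, "security.jacc.provider.pcontextkey.error", new Object[]{CommonConstants.JACC_SUBJECT_KEY, e});
            contextValue = null;
        }
        if (contextValue == null) {
            return traceExit(false, "Cannot get the subject from the policy context. exit value:false");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Object returned from the policy context is: " + contextValue);
        }
        if (!(contextValue instanceof Subject)) {
            return traceExit(false, "Subject is null or Unauthenticated, exit value:false");
        }
        Subject subject = (Subject) contextValue;
        WSCredential credential = SubjectHelper.getWSCredentialFromSubject(subject);
        // A subject without a WSCredential cannot be identified: deny rather than dereference null.
        if (credential == null || credential.isUnauthenticated()) {
            return traceExit(false, "Subject is null or Unauthenticated, exit value:false");
        }

        ContextManager contextManager = ContextManagerFactory.getInstance();
        try {
            // Basic-auth credentials are only a username/password carrier; the login produces
            // the subject whose credential carries the real access id and group ids.
            if (credential.isBasicAuth()) {
                subject = contextManager.login(credential);
            }
        } catch (Exception e) {
            subject = null;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "authentication failed:" + e);
            }
        }
        if (subject == null) {
            return traceExit(false, "isGrantedAnyRole, getActualCredential() thru an exception, exit value:false");
        }

        if (anyRoleMatches(table.getRolesForSubject(Constants.ALL_AUTHENTICATED_USERS), requiredRoles)) {
            return traceExit(true, "granted access to authenticated user, exit value:true");
        }

        WSCredential actualCredential = SubjectHelper.getWSCredentialFromSubject(subject);
        if (actualCredential == null) {
            return traceExit(false, "No WSCredential in the authenticated subject, exit value:false");
        }
        String accessId;
        try {
            accessId = getAccessId(actualCredential);
        } catch (GeneralSecurityException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getAccessId throw an exception:" + e);
            }
            accessId = null;
        }
        if (accessId != null) {
            List userRoles;
            User user = WCCMHelper.createUser("user", "user");
            // The helper may hand back a shared model object (the original synchronized on it too),
            // so the mutate-then-query sequence is kept under its monitor.
            synchronized (user) {
                user.setAccessId(accessId);
                user.setName(accessId);
                userRoles = table.getRolesForSubject(user);
            }
            if (anyRoleMatches(userRoles, requiredRoles)) {
                return traceExit(true, "granted access, exit value:true");
            }
        }

        String[] groupIds;
        try {
            groupIds = getGroupIds(actualCredential);
        } catch (GeneralSecurityException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getGroupId throw an exception:" + e);
            }
            groupIds = new String[0];
        }
        Group group = WCCMHelper.createGroup("group", "group");
        for (int i = 0; i < groupIds.length; i++) {
            String groupId = groupIds[i];
            if (groupId == null) {
                continue;
            }
            List groupRoles;
            synchronized (group) {
                group.setAccessId(groupId);
                group.setName(groupId);
                groupRoles = table.getRolesForSubject(group);
            }
            if (anyRoleMatches(groupRoles, requiredRoles)) {
                return traceExit(true, "Group subjects.contains() accessId[" + accessId + "], exit value:true");
            }
        }
        return traceExit(false, "No role or group role found for accessId[" + accessId + "], exit value:false");
    }

    /**
     * Returns the credential's access id, lower-cased when {@code ignoreCase} is set.
     *
     * @throws GeneralSecurityException propagated from {@link WSCredential#getAccessId()}
     */
    private String getAccessId(WSCredential credential) throws GeneralSecurityException {
        String accessId = credential.getAccessId();
        if (accessId != null && accessId.length() > 0 && ignoreCase) {
            // NOTE(review): default-locale toLowerCase(); must match the folding used when the
            // authorization table was built, which is not visible from here.
            accessId = accessId.toLowerCase();
        }
        return accessId;
    }

    /**
     * Returns the credential's group ids as an array (never {@code null}), lower-cased
     * when {@code ignoreCase} is set. A {@code null} group list yields an empty array
     * instead of the NullPointerException the original raised.
     *
     * @throws GeneralSecurityException propagated from {@link WSCredential#getGroupIds()}
     */
    private String[] getGroupIds(WSCredential credential) throws GeneralSecurityException {
        ArrayList groupIds = credential.getGroupIds();
        if (groupIds == null) {
            return new String[0];
        }
        String[] ids = (String[]) groupIds.toArray(new String[groupIds.size()]);
        if (ignoreCase) {
            for (int i = 0; i < ids.length; i++) {
                if (ids[i] != null) {
                    ids[i] = ids[i].toLowerCase();
                }
            }
        }
        return ids;
    }

    /** Returns true if any permission in {@code grants} implies {@code permission}; a null list grants nothing. */
    private static boolean impliedByAny(ArrayList grants, Permission permission) {
        if (grants == null) {
            return false;
        }
        for (int i = 0; i < grants.size(); i++) {
            if (((Permission) grants.get(i)).implies(permission)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Collects the names of every role whose permission list contains a permission
     * implying {@code permission}. Empty when the map is empty or nothing matches.
     */
    private static ArrayList rolesRequiredFor(HashMap roleToPermMap, Permission permission) {
        ArrayList required = new ArrayList();
        if (roleToPermMap == null || roleToPermMap.isEmpty()) {
            return required;
        }
        for (String roleName : (java.util.Set<String>) roleToPermMap.keySet()) {
            ArrayList rolePerms = (ArrayList) roleToPermMap.get(roleName);
            if (impliedByAny(rolePerms, permission)) {
                required.add(roleName);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Added role: " + roleName + " to the requiredRoleList for Permission: " + permission);
                }
            }
        }
        return required;
    }

    /**
     * Returns true if any {@link SecurityRole} in {@code grantedRoles} has a name contained
     * in {@code requiredRoles}. A null granted list matches nothing.
     */
    private static boolean anyRoleMatches(List grantedRoles, List requiredRoles) {
        if (grantedRoles == null) {
            return false;
        }
        for (int i = 0; i < grantedRoles.size(); i++) {
            if (requiredRoles.contains(((SecurityRole) grantedRoles.get(i)).getRoleName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Extracts the application name from a policy context id: the segment before the
     * last {@code '/'} (the whole prefix when there is only one {@code '/'}).
     * Presumably context ids have the shape {@code <...>/<application>/<module>}.
     * Returns {@code null} for a {@code null} id or one without a {@code '/'}.
     */
    private static String applicationNameFromContextId(String contextId) {
        if (contextId == null) {
            return null;
        }
        int lastSlash = contextId.lastIndexOf("/");
        if (lastSlash == -1) {
            return null;
        }
        String prefix = contextId.substring(0, lastSlash);
        int prevSlash = prefix.lastIndexOf("/");
        return prevSlash != -1 ? prefix.substring(prevSlash + 1) : prefix;
    }

    /** Writes the exit trace when entry tracing is on and returns {@code result} unchanged. */
    private static boolean traceExit(boolean result, String message) {
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, message);
        }
        return result;
    }

    // Decompiler artifact; kept unchanged (see class$ field above).
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError().initCause(e);
        }
    }

    static {
        Class cls;
        if (class$com$ibm$ws$security$provider$JaccProvider == null) {
            cls = class$("com.ibm.ws.security.provider.JaccProvider");
            class$com$ibm$ws$security$provider$JaccProvider = cls;
        } else {
            cls = class$com$ibm$ws$security$provider$JaccProvider;
        }
        tc = Tr.register(cls, (String) null, "com.ibm.ejs.resources.security");
        initialized = false;
        ignoreCase = false;
    }
}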
