package com.ibm.ws.security.registry.saf.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.InjectedTrace;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.security.credentials.saf.SAFCredentialsService;
import com.ibm.ws.security.registry.CertificateMapFailedException;
import com.ibm.ws.security.registry.CertificateMapNotSupportedException;
import com.ibm.ws.security.registry.EntryNotFoundException;
import com.ibm.ws.security.registry.RegistryException;
import com.ibm.ws.security.registry.internal.TraceConstants;
import com.ibm.ws.security.saf.SAFException;
import com.ibm.ws.security.saf.SAFSecurityName;
import com.ibm.ws.zos.jni.NativeMethodManager;
import com.ibm.ws.zos.jni.NativeMethodUtils;
import com.ibm.wsspi.security.credentials.saf.SAFCredential;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import org.apache.bcel.Constants;

@TraceOptions(traceGroups = {TraceConstants.TRACE_GROUP}, traceGroup = "", messageBundle = "com.ibm.ws.security.registry.saf.internal.resources.SAFRegistryMessages", traceExceptionThrow = false, traceExceptionHandling = false)
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:resources/server_runtime/lib/com.ibm.ws.security.registry.saf_1.0.jar:com/ibm/ws/security/registry/saf/internal/SAFAuthorizedRegistry.class */
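/**
 * SAF user registry that performs its checks through the {@link SAFCredentialsService}
 * (the "authorized" path) instead of the plain lookups done by {@link SAFRegistry}.
 *
 * <p>Every authorized operation has the same fallback shape: when the service reports a
 * penalty-box error ({@link SAFException#isPenaltyBoxError()} — presumably the server is
 * not authorized to use the authorized path; confirm against the service), the failure is
 * reported once via {@code PENALTY_BOX_FALLBACK} and the call is delegated to the
 * superclass. The next successful authorized call reports {@code PENALTY_BOX_RECOVERY}.
 *
 * <p>Security names produced by this registry are {@link SAFSecurityName} values that
 * carry a credential token key; callers that need the bare user ID go through
 * {@link SAFSecurityName#parseUserId(String)}.
 *
 * <p>Not thread-safe with respect to the fallback flag: concurrent callers may emit the
 * fallback warning more than once. Nothing else in this class holds mutable state beyond
 * the lazily resolved realm.
 */
public class SAFAuthorizedRegistry extends SAFRegistry {
    private static final TraceComponent tc = Tr.register(SAFAuthorizedRegistry.class);
    // Service used for password, asserted and certificate credentials; assigned once in the constructor.
    private SAFCredentialsService _safCredentialsService;
    // Cached realm name; null until getRealm() has run once.
    private String _realm;
    // True once a penalty-box fallback has been reported; reset by the next successful authorized call.
    private boolean _fallbackOccurred;
    static final long serialVersionUID = -950745776725219628L;

    /**
     * Creates the registry.
     *
     * @param map configuration properties, handed to {@link SAFRegistry}
     * @param nativeMethodManager JNI manager, handed to {@link SAFRegistry}
     * @param sAFCredentialsService service used for all authorized SAF calls; every public
     *        method dereferences it, so a {@code null} here fails on first use
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public SAFAuthorizedRegistry(Map<String, Object> map, NativeMethodManager nativeMethodManager, SAFCredentialsService sAFCredentialsService) {
        super(map, nativeMethodManager);
        // _realm and _fallbackOccurred rely on their field defaults (null / false).
        this._safCredentialsService = sAFCredentialsService;
    }

    /**
     * Authenticates {@code str} with {@code str2} by creating a password credential.
     *
     * @param str user security name; must not be empty
     * @param str2 password; must not be empty, never traced
     * @return the {@link SAFSecurityName} carrying the credential token key, or {@code null}
     *         when no credential could be created
     * @throws RegistryException on a severe SAF failure (cause preserved) or when the
     *         superclass fallback fails
     */
    @Override // com.ibm.ws.security.registry.saf.internal.SAFRegistry, com.ibm.ws.security.registry.UserRegistry
    @FFDCIgnore({SAFException.class})
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public String checkPassword(String str, @Sensitive String str2) throws RegistryException {
        assertNotEmpty(str, "userSecurityName is null");
        assertNotEmpty(str2, "password given for user " + str + " is null");
        SAFCredential credential = null;
        try {
            credential = this._safCredentialsService.createPasswordCredential(str, str2, null);
            generateAuthorizedActivatedMessage();
        } catch (SAFException e) {
            if (e.isPenaltyBoxError()) {
                // Authorized path unavailable: report once, then use the unauthorized registry.
                generateUnauthorizedFallbackMessage();
                return super.checkPassword(str, str2);
            }
            if (e.isSevere()) {
                throw new RegistryException(e.getMessage(), e);
            }
            // Non-severe failure: log only if unexpected and report "not authenticated" below.
            e.logIfUnexpected();
        }
        if (credential == null) {
            return null;
        }
        return SAFSecurityName.create(str, this._safCredentialsService.getSAFCredentialTokenKey(credential));
    }

    /**
     * Reports whether {@code str} names a user known to SAF.
     *
     * <p>A name that embeds a credential token key is valid iff the service still holds that
     * credential. A bare user ID is probed by creating an asserted credential, which is
     * deleted again immediately.
     *
     * @param str user security name; must not be empty
     * @return {@code true} when the user is valid
     * @throws RegistryException on a severe SAF failure (cause preserved) or when the
     *         superclass fallback fails
     */
    @Override // com.ibm.ws.security.registry.saf.internal.SAFRegistry, com.ibm.ws.security.registry.UserRegistry
    @FFDCIgnore({SAFException.class})
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public boolean isValidUser(String str) throws RegistryException {
        assertNotEmpty(str, "userSecurityName is null");
        boolean valid = false;
        try {
            String tokenKey = SAFSecurityName.parseKey(str);
            if (tokenKey != null) {
                valid = null != this._safCredentialsService.getCredentialFromKey(tokenKey);
            } else {
                SAFCredential probe = this._safCredentialsService.createAssertedCredential(str, null);
                generateAuthorizedActivatedMessage();
                // Fail closed: a null credential is not evidence that the user exists
                // (mapCertificate treats a null credential as a failure too).
                valid = probe != null;
                if (probe != null) {
                    this._safCredentialsService.deleteCredential(probe);
                }
            }
        } catch (SAFException e) {
            if (e.isPenaltyBoxError()) {
                // Authorized path unavailable: report once, then use the unauthorized registry on the bare user ID.
                generateUnauthorizedFallbackMessage();
                return super.isValidUser(SAFSecurityName.parseUserId(str));
            }
            if (e.isSevere()) {
                throw new RegistryException(e.getMessage(), e);
            }
            // Non-severe failure: log only if unexpected and report "not valid".
            e.logIfUnexpected();
        }
        return valid;
    }

    /**
     * Maps a client certificate to a SAF user via a certificate credential.
     *
     * @param x509Certificate certificate to map; must not be {@code null}
     * @return the {@link SAFSecurityName} for the mapped user, carrying the credential token key
     * @throws CertificateMapFailedException when no credential is produced or any non-penalty-box
     *         SAF error occurs (cause preserved)
     * @throws RegistryException from the superclass fallback
     * @throws CertificateMapNotSupportedException from the superclass fallback
     */
    @Override // com.ibm.ws.security.registry.saf.internal.SAFRegistry, com.ibm.ws.security.registry.UserRegistry
    @FFDCIgnore({SAFException.class})
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public String mapCertificate(X509Certificate x509Certificate) throws CertificateMapFailedException, RegistryException, CertificateMapNotSupportedException {
        assertNotNull(x509Certificate, "certificate is null");
        try {
            SAFCredential credential = this._safCredentialsService.createCertificateCredential(x509Certificate, null);
            generateAuthorizedActivatedMessage();
            if (credential == null) {
                throw new CertificateMapFailedException("Certificate could not be mapped to a valid SAF user ID");
            }
            return SAFSecurityName.create(credential.getUserId(), this._safCredentialsService.getSAFCredentialTokenKey(credential));
        } catch (SAFException e) {
            if (!e.isPenaltyBoxError()) {
                // Severity is not consulted here: any other SAF error is a mapping failure.
                throw new CertificateMapFailedException(e.getMessage(), e);
            }
            generateUnauthorizedFallbackMessage();
            return super.mapCertificate(x509Certificate);
        }
    }

    /**
     * Returns the realm name, resolving it once and caching the result.
     *
     * <p>If the superclass reports only the default realm, the native SAF realm is queried
     * and used when non-empty; otherwise the default realm stands.
     *
     * @return the realm name, never empty
     */
    @Override // com.ibm.ws.security.registry.saf.internal.SAFRegistry, com.ibm.ws.security.registry.UserRegistry
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public String getRealm() {
        if (this._realm == null) {
            // NOTE(review): assumes super.getRealm() never returns null — confirm in SAFRegistry.
            this._realm = super.getRealm();
            if (this._realm.equals(getDefaultRealm())) {
                this._realm = NativeMethodUtils.convertToASCII(ntv_getRealm());
                if (this._realm == null || this._realm.isEmpty()) {
                    this._realm = getDefaultRealm();
                }
            }
        }
        return this._realm;
    }

    /**
     * Returns the groups of the user named by {@code str}, after stripping any credential
     * token key from the name.
     *
     * @param str user security name; must not be empty
     * @return the user's groups, as returned by {@link SAFRegistry}
     * @throws EntryNotFoundException from the superclass
     * @throws RegistryException from the superclass
     */
    @Override // com.ibm.ws.security.registry.saf.internal.SAFRegistry, com.ibm.ws.security.registry.UserRegistry
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public List<String> getGroupsForUser(String str) throws EntryNotFoundException, RegistryException {
        assertNotEmpty(str, "userSecurityName is null");
        return super.getGroupsForUser(SAFSecurityName.parseUserId(str));
    }

    /**
     * Returns the bare SAF user ID for a valid user security name.
     *
     * @param str user security name
     * @return the user ID with any credential token key removed
     * @throws EntryNotFoundException when {@link #isValidUser(String)} rejects {@code str}
     * @throws RegistryException from {@link #isValidUser(String)}
     */
    @Override // com.ibm.ws.security.registry.saf.internal.SAFRegistry, com.ibm.ws.security.registry.UserRegistry
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public String getUniqueUserId(String str) throws EntryNotFoundException, RegistryException {
        return requireValidUserId(str);
    }

    /**
     * Returns the bare SAF user ID for a valid user security name; identical to
     * {@link #getUniqueUserId(String)} because the unique ID and the security name coincide here.
     *
     * @param str user security name
     * @return the user ID with any credential token key removed
     * @throws EntryNotFoundException when {@link #isValidUser(String)} rejects {@code str}
     * @throws RegistryException from {@link #isValidUser(String)}
     */
    @Override // com.ibm.ws.security.registry.saf.internal.SAFRegistry, com.ibm.ws.security.registry.UserRegistry
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public String getUserSecurityName(String str) throws EntryNotFoundException, RegistryException {
        return requireValidUserId(str);
    }

    // Shared body of getUniqueUserId / getUserSecurityName: validate, then strip the token key.
    private String requireValidUserId(String str) throws EntryNotFoundException, RegistryException {
        if (!isValidUser(str)) {
            throw new EntryNotFoundException(str + " is not a valid user");
        }
        return SAFSecurityName.parseUserId(str);
    }

    // Warns once that the authorized path is unavailable and the unauthorized registry is in use.
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void generateUnauthorizedFallbackMessage() {
        if (this._fallbackOccurred) {
            return;
        }
        this._fallbackOccurred = true;
        Tr.warning(tc, "PENALTY_BOX_FALLBACK", this._safCredentialsService.getProfilePrefix());
    }

    // Reports recovery of the authorized path, but only if a fallback was previously reported.
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void generateAuthorizedActivatedMessage() {
        if (this._fallbackOccurred) {
            this._fallbackOccurred = false;
            Tr.info(tc, "PENALTY_BOX_RECOVERY", this._safCredentialsService.getProfilePrefix());
        }
    }

    // Injected entry/exit tracing of the static initializer; no other class-level setup happens here.
    static {
        if (TraceComponent.isAnyTracingEnabled() && tc != null && tc.isEntryEnabled()) {
            Tr.entry(tc, Constants.STATIC_INITIALIZER_NAME, new Object[0]);
        }
        if (TraceComponent.isAnyTracingEnabled() && tc != null && tc.isEntryEnabled()) {
            Tr.exit(tc, Constants.STATIC_INITIALIZER_NAME);
        }
    }
}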
