package com.ibm.ws.security.delegation;

import com.ibm.ISecurityLocalObjectBaseL13Impl.DomainInfo;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.SAFRoleMapper;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.PlatformCredential;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.core.WSAccessManager;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.security.zOS.PlatformCredentialManager;
import com.ibm.ws.security.zOS.SAFServiceResult;
import com.ibm.ws.security.zOS.authz.SAFRoleMapperFactory;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import java.util.Map;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:wasJars/securityimpl.jar:com/ibm/ws/security/delegation/SAFMethodDelegation.class */
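/**
 * {@link MethodDelegation} that resolves a run-as role through SAF on z/OS.
 * <p>
 * The role is mapped to a SAF profile by the configured {@link SAFRoleMapper}, a
 * {@link PlatformCredential} is created for that profile, the mapped user id is logged in
 * through the {@link ContextManager}, and the platform credential is attached to the
 * resulting {@link WSCredential} under {@link CommonConstants#PLATFORM_CREDENTIAL}.
 * <p>
 * The {@code initialized} flag is an unsynchronized static, so two instances constructed
 * concurrently for the first time may each write the "delegation enabled" audit record;
 * that only duplicates a log line.
 */
class SAFMethodDelegation extends MethodDelegation {
    /**
     * System property controlling custom auth-cache key support; see the constructor for
     * how its value is interpreted.
     */
    public static final String AUTH_CACHE_SUPPORT_CUSTOM_KEY = "com.ibm.websphere.security.util.authCacheCustomKeySupport";
    /** Resolved once from {@link #AUTH_CACHE_SUPPORT_CUSTOM_KEY}; fixed for the lifetime of the instance. */
    private final boolean customCacheKeySupport;
    private static final TraceComponent tc = Tr.register((Class<?>) SAFMethodDelegation.class, "Security", AdminConstants.MSG_BUNDLE_NAME);
    private static final SAFRoleMapper _roleMapper = SAFRoleMapperFactory.getSAFRoleMapper();
    /** Guards the one-time "delegation enabled" audit record (see class comment about synchronization). */
    private static boolean initialized = false;

    /**
     * Creates the delegation and resolves the custom-cache-key switch from the system property.
     * <p>
     * The parse is lenient: support is disabled only when the property is absent or equals
     * {@code "false"} / {@code "no"} (case-insensitive). Any other value, including
     * {@code "0"} or {@code "off"}, enables it, so operators should set the property
     * explicitly to {@code false} to turn it off.
     */
    public SAFMethodDelegation() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "<init>");
        }
        // Same key as the public constant; the literal used to be duplicated here.
        String property = System.getProperty(AUTH_CACHE_SUPPORT_CUSTOM_KEY);
        boolean disabled = property == null || property.equalsIgnoreCase("false") || property.equalsIgnoreCase("no");
        this.customCacheKeySupport = !disabled;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, this.customCacheKeySupport ? "Custom Cache Key support is enabled." : "Custom Cache Key support is disabled.");
        }
        // Audit once per JVM that SAF delegation is active.
        if (!initialized) {
            Tr.audit(tc, "security.zos.saf.delegation.enabled");
        }
        initialized = true;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "<init>", this);
        }
    }

    /**
     * Builds the subject for a run-as role by mapping the role to a SAF user and logging
     * that user in.
     *
     * @param str  presumably the run-as role name (it is handed to the role mapper and to
     *             {@code createRoleCredential} alongside the application name) — TODO confirm
     *             against {@link MethodDelegation}
     * @param str2 the application name; it is passed to {@link WSAccessManager#checkIfAdminApp}
     *             to select the realm
     * @return the logged-in subject carrying the platform credential, or {@code null} when SAF
     *         returned no credential or the login / credential update failed. In the
     *         {@code null} case a warning is written whose message key indicates that the
     *         caller's identity is used instead; the fallback itself happens outside this method.
     */
    @Override // com.ibm.ws.security.delegation.MethodDelegation
    protected Subject getRunAsSpecifiedUserSubject(String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRunAsSpecifiedUserSubject", new Object[]{str, str2});
        }
        ContextManager contextManager = ContextManagerFactory.getInstance();
        Subject subject = null;
        String profileFromRole = _roleMapper.getProfileFromRole(str2, str);
        final PlatformCredential roleCredential = PlatformCredentialManager.instance().createRoleCredential(str2, str, profileFromRole);
        if (roleCredential != null) {
            String userId = roleCredential.getUserId();
            try {
                // Without custom cache key support, the auth-cache key for this login is pinned
                // to the platform credential's cache key string by seeding the login with a
                // subject that already carries that key.
                Subject loginSubject = null;
                if (!this.customCacheKeySupport) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Custom Cache Key support is disabled, setting the auditString as the cacheKey.");
                    }
                    loginSubject = new Subject();
                    Hashtable<String, Object> cacheKeyEntry = new Hashtable<String, Object>();
                    cacheKeyEntry.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, roleCredential.getCacheKeyString());
                    loginSubject.getPublicCredentials().add(cacheKeyEntry);
                }
                // Admin applications, calls without an application name, and configurations with
                // no application realm all log in to the admin realm; otherwise the app realm.
                String realm = (!DomainInfo.isAppRealmDefined() || str2 == null || WSAccessManager.checkIfAdminApp(str2)) ? DomainInfo.getAdminRealm() : DomainInfo.getAppRealm();
                if (tc.isEntryEnabled()) {
                    // NOTE(review): an entry trace used for a status line, with no matching exit;
                    // kept as-is so existing trace output does not change.
                    Tr.entry(tc, "getRunAsSpecifiedUserSubject: using realm: " + realm);
                }
                subject = contextManager.login(realm, userId, SecurityObjectLocator.getSecurityConfig().getProperty("com.ibm.ws.security.defaultLoginConfig"), (HttpServletRequest) null, (HttpServletResponse) null, (Map) null, loginSubject);
                final WSCredential wsCredential = SubjectHelper.getWSCredentialFromSubject(subject);
                // Updating the credential requires privilege; the platform credential is what
                // later z/OS authorization checks use for this run-as identity.
                AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                    @Override // java.security.PrivilegedExceptionAction
                    public Object run() throws Exception {
                        wsCredential.set(CommonConstants.PLATFORM_CREDENTIAL, roleCredential);
                        return null;
                    }
                });
                clearPropagationTokenIfCallerSubjectNullOrUnauthenticated();
            } catch (PrivilegedActionException e) {
                // Login succeeded but the credential update failed: discard the subject rather
                // than return one without its platform credential.
                FFDCFilter.processException(e.getException(), "com.ibm.ws.security.delegation.SAFMethodDelegation.getRoleCredential", "193", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception setting PlatformCredential", e.getException());
                }
                subject = null;
            } catch (Exception e2) {
                // Boundary catch: any failure in the mapping / login path is audited as an
                // authentication failure for the mapped user and results in no subject.
                FFDCFilter.processException(e2, "com.ibm.ws.security.delegation.SAFMethodDelegation.getRoleCredential", "199", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception during SAF role to user mapping", e2);
                }
                Tr.audit(tc, "security.authn.failed.foruser", new Object[]{userId});
                subject = null;
            }
        }
        if (roleCredential == null) {
            // Include the SAF service result so the failing SAF call can be diagnosed.
            Tr.error(tc, "security.zos.saf.delegation.service.error", new Object[]{profileFromRole, str2, SAFServiceResult.getSafServiceResult()});
        }
        if (subject == null) {
            Tr.warning(tc, "security.zos.saf.delegation.using.caller.warning", new Object[]{str, str2});
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRunAsSpecifiedUserSubject", subject);
        }
        return subject;
    }
}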
