package com.ibm.websphere.security.auth;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ffdc.Manager;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.core.SecurityContext;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.security.util.SyncToOSThreadHelper;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.security.AccessControlContext;
import java.security.GeneralSecurityException;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.AuthPermission;
import javax.security.auth.Subject;

/* loaded from: input_file:wasJars/wssec.jar:com/ibm/websphere/security/auth/WSSubject.class */
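/**
 * Runs work under a WebSphere security {@link Subject} and exposes the caller and
 * run-as (invocation) subjects bound to the current thread.
 *
 * <p>Each public operation first asks the installed {@link SecurityManager}, when there is
 * one, for the matching {@link AuthPermission}; with no SecurityManager installed no
 * permission check takes place. Thread bookkeeping is delegated to the
 * {@link ContextManager} returned by {@link ContextManagerFactory#getInstance()}.
 * Subjects returned by {@link #getCallerSubject()} and {@link #getRunAsSubject()} are
 * marked read-only before they are handed out, so callers cannot mutate the shared copy.
 *
 * <p>Not instantiable; all state is static and effectively immutable.
 */
public final class WSSubject {
    private static final TraceComponent tc = Tr.register(WSSubject.class, (String) null, AdminConstants.MSG_BUNDLE_NAME);
    private static final SyncToOSThreadHelper syncHelper = new SyncToOSThreadHelper();
    // Source class recorded in FFDC entries.
    private static final Class<?> thisClass = WSSubject.class;
    // Permissions demanded from the SecurityManager, one per public operation.
    private static final AuthPermission DOAS_PERM = new AuthPermission("doAs");
    private static final AuthPermission DOASPRIVILEGED_PERM = new AuthPermission("doAsPrivileged");
    private static final AuthPermission GETCALLERSUBJECT_PERM = new AuthPermission("wssecurity.getCallerSubject");
    private static final AuthPermission GETRUNASSUBJECT_PERM = new AuthPermission("wssecurity.getRunAsSubject");
    private static final AuthPermission SETRUNASSUBJECT_PERM = new AuthPermission("wssecurity.setRunAsSubject");

    /**
     * Privileged action behind {@link #getCallerSubject()}: reads the caller subject from the
     * ContextManager and marks it read-only before returning it. Returns {@code null} when no
     * caller subject is bound; throws {@link WSSecurityException} when no ContextManager is
     * available.
     */
    private static final PrivilegedExceptionAction<Subject> getCallerSubjectAction = new PrivilegedExceptionAction<Subject>() {
        @Override
        public Subject run() throws WSSecurityException {
            if (WSSubject.tc.isEntryEnabled()) {
                Tr.entry(WSSubject.tc, "WSSubject.getCallerSubjectAction.run");
            }
            ContextManager contextManager = ContextManagerFactory.getInstance();
            if (contextManager == null) {
                if (WSSubject.tc.isDebugEnabled()) {
                    Tr.debug(WSSubject.tc, "Failed to get ContextManager");
                }
                throw new WSSecurityException("Failed to get ContextManager");
            }
            Subject callerSubject = contextManager.getCallerSubject();
            if (callerSubject != null) {
                // The returned object is the ContextManager's own instance; freeze it.
                callerSubject.setReadOnly();
            } else if (WSSubject.tc.isDebugEnabled()) {
                Tr.debug(WSSubject.tc, "No caller subject");
            }
            if (WSSubject.tc.isEntryEnabled()) {
                Tr.exit(WSSubject.tc, "WSSubject.getCallerSubjectAction.run");
            }
            return callerSubject;
        }
    };

    /**
     * Privileged action behind {@link #getRunAsSubject()}: reads the invocation subject from
     * the ContextManager and marks it read-only before returning it. Returns {@code null}
     * when no invocation subject is bound; throws {@link WSSecurityException} when no
     * ContextManager is available.
     */
    private static final PrivilegedExceptionAction<Subject> getRunAsSubjectAction = new PrivilegedExceptionAction<Subject>() {
        @Override
        public Subject run() throws WSSecurityException {
            if (WSSubject.tc.isEntryEnabled()) {
                Tr.entry(WSSubject.tc, "WSSubject.getRunAsSubjectAction.run");
            }
            ContextManager contextManager = ContextManagerFactory.getInstance();
            if (contextManager == null) {
                if (WSSubject.tc.isDebugEnabled()) {
                    Tr.debug(WSSubject.tc, "Failed to get ContextManager");
                }
                throw new WSSecurityException("Failed to get ContextManager");
            }
            Subject invocationSubject = contextManager.getInvocationSubject();
            if (invocationSubject != null) {
                // The returned object is the ContextManager's own instance; freeze it.
                invocationSubject.setReadOnly();
            } else if (WSSubject.tc.isDebugEnabled()) {
                Tr.debug(WSSubject.tc, "No invocation credential");
            }
            if (WSSubject.tc.isEntryEnabled()) {
                // Was Tr.entry in the decompiled source, producing a second entry record instead of an exit.
                Tr.exit(WSSubject.tc, "WSSubject.getRunAsSubjectAction.run");
            }
            return invocationSubject;
        }
    };

    /**
     * Snapshot of the per-thread state displaced by {@link #setInvocationSubject(Subject)} or
     * {@link #setCallerSubject(Subject)}; handed to the matching restore method to undo the
     * change. The decompiler reports the original access modifier as {@code private}; it is
     * kept {@code public} here so the emitted signature is unchanged.
     */
    public static final class SubjectCookie {
        // Thread-local application-sync flag in effect before the push.
        boolean syncEnabled = false;
        // Value returned by the ContextManager push; later passed to the corresponding pop.
        Subject subject = null;
        // Token returned by SyncToOSThreadHelper.setAppSyncToThread, or null when sync was not applied.
        Object credToken = null;

        SubjectCookie() {
        }

        @Override
        public String toString() {
            return super.toString() + ";syncEnabled=" + this.syncEnabled + ",credToken=" + this.credToken + ",subject=" + this.subject;
        }
    }

    /**
     * Runs {@code privilegedAction} with {@code subject} as the invocation (run-as) subject.
     * Equivalent to {@code doAs(subject, privilegedAction, false)}.
     *
     * @param subject the subject to run as; {@code null} means the unauthenticated subject
     * @param privilegedAction the work to run
     * @return the action's result
     * @throws IllegalArgumentException if {@code privilegedAction} is {@code null}
     * @throws SecurityException if the SecurityManager denies {@code AuthPermission("doAs")}
     */
    public static Object doAs(Subject subject, PrivilegedAction privilegedAction) {
        return doAs(subject, privilegedAction, false);
    }

    /**
     * Runs {@code privilegedAction} with {@code subject} as the invocation subject and,
     * when {@code z} is {@code true}, also as the caller (received) subject. Both subjects are
     * restored to their previous values before this method returns or throws.
     *
     * @param subject the subject to run as; {@code null} means the unauthenticated subject
     * @param privilegedAction the work to run
     * @param z whether to set the caller subject as well as the invocation subject
     * @return the action's result
     * @throws IllegalArgumentException if {@code privilegedAction} is {@code null}
     * @throws SecurityException if the SecurityManager denies {@code AuthPermission("doAs")}
     * @throws RuntimeException if a thread-context restore fails
     */
    public static Object doAs(Subject subject, PrivilegedAction privilegedAction, boolean z) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "doAs", new Object[]{subject, privilegedAction});
        }
        checkPermission(DOAS_PERM);
        if (privilegedAction == null) {
            throw new IllegalArgumentException("null PrivilegedAction provided");
        }
        SubjectCookie callerCookie = null;
        SubjectCookie invocationCookie = setInvocationSubject(subject);
        try {
            // Inside the try so a failure here still unwinds the invocation subject pushed above.
            if (z) {
                callerCookie = setCallerSubject(subject);
            }
            return Subject.doAs(subject, (PrivilegedAction<Object>) privilegedAction);
        } finally {
            // Restore in the original order: invocation first, then caller.
            restoreInvocationSubject(invocationCookie);
            if (callerCookie != null) {
                restoreCallerSubject(callerCookie);
            }
        }
    }

    /**
     * Runs {@code privilegedExceptionAction} with {@code subject} as the invocation subject.
     * Equivalent to {@code doAs(subject, privilegedExceptionAction, false)}.
     *
     * @param subject the subject to run as; {@code null} means the unauthenticated subject
     * @param privilegedExceptionAction the work to run
     * @return the action's result
     * @throws PrivilegedActionException if the action throws a checked exception
     * @throws IllegalArgumentException if {@code privilegedExceptionAction} is {@code null}
     * @throws SecurityException if the SecurityManager denies {@code AuthPermission("doAs")}
     */
    public static Object doAs(Subject subject, PrivilegedExceptionAction privilegedExceptionAction) throws PrivilegedActionException {
        return doAs(subject, privilegedExceptionAction, false);
    }

    /**
     * Runs {@code privilegedExceptionAction} with {@code subject} as the invocation subject
     * and, when {@code z} is {@code true}, also as the caller subject. Both subjects are
     * restored before this method returns or throws.
     *
     * @param subject the subject to run as; {@code null} means the unauthenticated subject
     * @param privilegedExceptionAction the work to run
     * @param z whether to set the caller subject as well as the invocation subject
     * @return the action's result
     * @throws PrivilegedActionException if the action throws a checked exception
     * @throws IllegalArgumentException if {@code privilegedExceptionAction} is {@code null}
     * @throws SecurityException if the SecurityManager denies {@code AuthPermission("doAs")}
     * @throws RuntimeException wrapping any other Throwable raised by the action, or if a
     *         thread-context restore fails
     */
    public static Object doAs(Subject subject, PrivilegedExceptionAction privilegedExceptionAction, boolean z) throws PrivilegedActionException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "doAs", new Object[]{subject, privilegedExceptionAction});
        }
        checkPermission(DOAS_PERM);
        if (privilegedExceptionAction == null) {
            throw new IllegalArgumentException("null PrivilegedExceptionAction provided");
        }
        SubjectCookie callerCookie = null;
        SubjectCookie invocationCookie = setInvocationSubject(subject);
        try {
            // Inside the try so a failure here still unwinds the invocation subject pushed above.
            if (z) {
                callerCookie = setCallerSubject(subject);
            }
            try {
                return Subject.doAs(subject, (PrivilegedExceptionAction<Object>) privilegedExceptionAction);
            } catch (PrivilegedActionException e) {
                throw e;
            } catch (Throwable th) {
                // Anything not already a PrivilegedActionException (including Errors) is logged and wrapped.
                Tr.event(tc, "WSSubject.doAs(Subject, PrivilegedExceptionAction) Exception caught " + dump(th));
                Manager.Ffdc.log(th, thisClass, "com.ibm.websphere.security.auth.WSSubject.doAs", "198");
                throw new RuntimeException(th);
            }
        } finally {
            // Restore in the original order: invocation first, then caller.
            restoreInvocationSubject(invocationCookie);
            if (callerCookie != null) {
                restoreCallerSubject(callerCookie);
            }
        }
    }

    /**
     * Runs {@code privilegedAction} under {@code accessControlContext} with {@code subject} as
     * the invocation subject. Equivalent to
     * {@code doAsPrivileged(subject, privilegedAction, accessControlContext, false)}.
     *
     * @param subject the subject to run as; {@code null} means the unauthenticated subject
     * @param privilegedAction the work to run
     * @param accessControlContext the context handed to {@link Subject#doAsPrivileged}
     * @return the action's result
     * @throws IllegalArgumentException if {@code privilegedAction} is {@code null}
     * @throws SecurityException if the SecurityManager denies {@code AuthPermission("doAsPrivileged")}
     */
    public static Object doAsPrivileged(Subject subject, PrivilegedAction privilegedAction, AccessControlContext accessControlContext) {
        return doAsPrivileged(subject, privilegedAction, accessControlContext, false);
    }

    /**
     * Runs {@code privilegedAction} under {@code accessControlContext} with {@code subject} as
     * the invocation subject and, when {@code z} is {@code true}, also as the caller subject.
     * Both subjects are restored before this method returns or throws.
     *
     * @param subject the subject to run as; {@code null} means the unauthenticated subject
     * @param privilegedAction the work to run
     * @param accessControlContext the context handed to {@link Subject#doAsPrivileged}
     * @param z whether to set the caller subject as well as the invocation subject
     * @return the action's result
     * @throws IllegalArgumentException if {@code privilegedAction} is {@code null}
     * @throws SecurityException if the SecurityManager denies {@code AuthPermission("doAsPrivileged")}
     * @throws RuntimeException if a thread-context restore fails
     */
    public static Object doAsPrivileged(Subject subject, PrivilegedAction privilegedAction, AccessControlContext accessControlContext, boolean z) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "doAsPrivileged", new Object[]{subject, privilegedAction, accessControlContext});
        }
        checkPermission(DOASPRIVILEGED_PERM);
        if (privilegedAction == null) {
            throw new IllegalArgumentException("null PrivilegedAction provided");
        }
        SubjectCookie callerCookie = null;
        SubjectCookie invocationCookie = setInvocationSubject(subject);
        try {
            // Inside the try so a failure here still unwinds the invocation subject pushed above.
            if (z) {
                callerCookie = setCallerSubject(subject);
            }
            return Subject.doAsPrivileged(subject, (PrivilegedAction<Object>) privilegedAction, accessControlContext);
        } finally {
            // Restore in the original order: invocation first, then caller.
            restoreInvocationSubject(invocationCookie);
            if (callerCookie != null) {
                restoreCallerSubject(callerCookie);
            }
        }
    }

    /**
     * Runs {@code privilegedExceptionAction} under {@code accessControlContext} with
     * {@code subject} as the invocation subject. Equivalent to
     * {@code doAsPrivileged(subject, privilegedExceptionAction, accessControlContext, false)}.
     *
     * @param subject the subject to run as; {@code null} means the unauthenticated subject
     * @param privilegedExceptionAction the work to run
     * @param accessControlContext the context handed to {@link Subject#doAsPrivileged}
     * @return the action's result
     * @throws PrivilegedActionException if the action throws a checked exception
     * @throws IllegalArgumentException if {@code privilegedExceptionAction} is {@code null}
     * @throws SecurityException if the SecurityManager denies {@code AuthPermission("doAsPrivileged")}
     */
    public static Object doAsPrivileged(Subject subject, PrivilegedExceptionAction privilegedExceptionAction, AccessControlContext accessControlContext) throws PrivilegedActionException {
        return doAsPrivileged(subject, privilegedExceptionAction, accessControlContext, false);
    }

    /**
     * Runs {@code privilegedExceptionAction} under {@code accessControlContext} with
     * {@code subject} as the invocation subject and, when {@code z} is {@code true}, also as
     * the caller subject. Both subjects are restored before this method returns or throws.
     *
     * @param subject the subject to run as; {@code null} means the unauthenticated subject
     * @param privilegedExceptionAction the work to run
     * @param accessControlContext the context handed to {@link Subject#doAsPrivileged}
     * @param z whether to set the caller subject as well as the invocation subject
     * @return the action's result
     * @throws PrivilegedActionException if the action throws a checked exception
     * @throws IllegalArgumentException if {@code privilegedExceptionAction} is {@code null}
     * @throws SecurityException if the SecurityManager denies {@code AuthPermission("doAsPrivileged")}
     * @throws RuntimeException wrapping any other Throwable raised by the action, or if a
     *         thread-context restore fails
     */
    public static Object doAsPrivileged(Subject subject, PrivilegedExceptionAction privilegedExceptionAction, AccessControlContext accessControlContext, boolean z) throws PrivilegedActionException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "doAsPrivileged", new Object[]{subject, privilegedExceptionAction, accessControlContext});
        }
        checkPermission(DOASPRIVILEGED_PERM);
        if (privilegedExceptionAction == null) {
            throw new IllegalArgumentException("null PrivilegedExceptionAction provided");
        }
        SubjectCookie callerCookie = null;
        SubjectCookie invocationCookie = setInvocationSubject(subject);
        try {
            // Inside the try so a failure here still unwinds the invocation subject pushed above.
            if (z) {
                callerCookie = setCallerSubject(subject);
            }
            try {
                return Subject.doAsPrivileged(subject, (PrivilegedExceptionAction<Object>) privilegedExceptionAction, accessControlContext);
            } catch (PrivilegedActionException e) {
                throw e;
            } catch (Throwable th) {
                // Anything not already a PrivilegedActionException (including Errors) is logged and wrapped.
                Tr.event(tc, "WSSubject.doAsPrivileged(Subject, PrivilegedExceptionAction, AccessControlContext) Exception caught " + dump(th));
                Manager.Ffdc.log(th, thisClass, "com.ibm.websphere.security.auth.WSSubject.doAsPrivileged", "338");
                throw new RuntimeException(th);
            }
        } finally {
            // Restore in the original order: invocation first, then caller.
            restoreInvocationSubject(invocationCookie);
            if (callerCookie != null) {
                restoreCallerSubject(callerCookie);
            }
        }
    }

    /**
     * Returns the read-only caller subject bound to the current thread, or {@code null}
     * when none is bound or this is not a server process.
     *
     * @return the caller subject, or {@code null}
     * @throws WSSecurityException if the ContextManager cannot be obtained
     * @throws SecurityException if the SecurityManager denies
     *         {@code AuthPermission("wssecurity.getCallerSubject")}
     */
    public static Subject getCallerSubject() throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCallerSubject");
        }
        checkPermission(GETCALLERSUBJECT_PERM);
        Subject subject = null;
        // Only a server process has a caller subject to report; clients get null.
        if (SecurityContext.isServerProcess()) {
            try {
                subject = (Subject) AccessController.doPrivileged(getCallerSubjectAction);
            } catch (PrivilegedActionException e) {
                // The action declares only WSSecurityException, so this cast holds.
                WSSecurityException wSSecurityException = (WSSecurityException) e.getException();
                Tr.event(tc, "Failed in getting the caller identity: " + dump(wSSecurityException));
                Manager.Ffdc.log(wSSecurityException, thisClass, "com.ibm.websphere.security.auth.WSSubject.getCallerSubject", "406");
                throw wSSecurityException;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getCallerSubject", subject);
        }
        return subject;
    }

    /**
     * Returns the read-only invocation (run-as) subject bound to the current thread, or
     * {@code null} when none is bound.
     *
     * @return the invocation subject, or {@code null}
     * @throws WSSecurityException if the ContextManager cannot be obtained
     * @throws SecurityException if the SecurityManager denies
     *         {@code AuthPermission("wssecurity.getRunAsSubject")}
     */
    public static Subject getRunAsSubject() throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRunAsSubject");
        }
        checkPermission(GETRUNASSUBJECT_PERM);
        try {
            Subject subject = (Subject) AccessController.doPrivileged(getRunAsSubjectAction);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getRunAsSubject", subject);
            }
            return subject;
        } catch (PrivilegedActionException e) {
            // The action declares only WSSecurityException, so this cast holds.
            WSSecurityException wSSecurityException = (WSSecurityException) e.getException();
            Tr.event(tc, "Failed in getting the run as identity: " + dump(wSSecurityException));
            Manager.Ffdc.log(wSSecurityException, thisClass, "com.ibm.websphere.security.auth.WSSubject.getRunAsSubject", "464");
            throw wSSecurityException;
        }
    }

    /**
     * Replaces the invocation (run-as) subject of the current thread with {@code subject} and
     * adds it to the ContextManager's subject cache. Unlike {@link #doAs}, the previous
     * subject is not restored afterwards.
     *
     * @param subject the new invocation subject
     * @throws WSSecurityException if the ContextManager cannot be obtained
     * @throws SecurityException if the SecurityManager denies
     *         {@code AuthPermission("wssecurity.setRunAsSubject")}
     */
    public static void setRunAsSubject(final Subject subject) throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setRunAsSubject", subject);
        }
        checkPermission(SETRUNASSUBJECT_PERM);
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                @Override
                public Object run() throws WSSecurityException {
                    ContextManager contextManager = ContextManagerFactory.getInstance();
                    // Same guard as the get*SubjectAction instances; previously an NPE escaped here.
                    if (contextManager == null) {
                        throw new WSSecurityException("Failed to get ContextManager");
                    }
                    contextManager.setInvocationSubject(subject);
                    contextManager.addWSSubjectToCache(subject);
                    return null;
                }
            });
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "setRunAsSubject");
            }
        } catch (PrivilegedActionException e) {
            // The action declares only WSSecurityException, so this cast holds.
            WSSecurityException wSSecurityException = (WSSecurityException) e.getException();
            Tr.event(tc, "Failed in setting the run as identity: " + dump(wSSecurityException));
            Manager.Ffdc.log(wSSecurityException, thisClass, "com.ibm.websphere.security.auth.WSSubject.setRunAsSubject", "515");
            throw wSSecurityException;
        }
    }

    /**
     * Returns the security name of the authenticated caller, or {@code null} when there is no
     * caller subject, it carries no WSCredential, the credential is unauthenticated, or
     * reading it raised a {@link GeneralSecurityException} (logged to FFDC).
     *
     * <p>No permission check is performed here, unlike {@link #getCallerSubject()}.
     *
     * @return the caller's security name, or {@code null}
     */
    public static String getCallerPrincipal() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCallerPrincipal");
        }
        String securityName = null;
        try {
            // NOTE(review): getInstance() is not null-checked here, unlike the privileged actions above.
            Subject callerSubject = ContextManagerFactory.getInstance().getCallerSubject();
            if (callerSubject != null) {
                WSCredential credential = SubjectHelper.getWSCredentialFromSubject(callerSubject);
                if (credential != null && !credential.isUnauthenticated()) {
                    securityName = credential.getSecurityName();
                }
            }
        } catch (GeneralSecurityException e) {
            // Deliberately best-effort: the failure is recorded and null is returned.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception of getting the caller principal", dump(e));
            }
            Manager.Ffdc.log(e, thisClass, "com.ibm.websphere.security.auth.WSSubject.getCallerPrincipal", "567");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getCallerPrincipal", securityName);
        }
        return securityName;
    }

    /**
     * Returns the SAF user name the ContextManager associates with {@code subject}, or
     * {@code null} when {@code subject} is {@code null}.
     *
     * @param subject the subject to look up
     * @return the SAF user name, or {@code null}
     */
    public static String getSAFUserFromSubject(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSAFUserFromSubject", subject);
        }
        String safUser = null;
        if (subject != null) {
            safUser = ContextManagerFactory.getInstance().getSAFUserFromSubject(subject);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSAFUserFromSubject", safUser);
        }
        return safUser;
    }

    /**
     * Returns the root exception the ContextManager recorded for the last login failure.
     *
     * @return the ContextManager's root exception; may be {@code null}
     */
    public static Throwable getRootLoginException() {
        return ContextManagerFactory.getInstance().getRootException();
    }

    /**
     * Asks the installed SecurityManager for {@code permission}. A no-op when no
     * SecurityManager is installed.
     *
     * @param permission the permission to demand
     * @throws SecurityException if the check fails
     */
    private static void checkPermission(AuthPermission permission) {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(permission);
        }
    }

    /**
     * Pushes {@code subject} as the thread's invocation subject and, when the current
     * component has application sync enabled, syncs it to the OS thread as well.
     * A {@code null} subject is replaced by a freshly created unauthenticated subject.
     *
     * @param subject the subject to push, or {@code null} for unauthenticated
     * @return the cookie that {@link #restoreInvocationSubject} needs to undo this call
     * @throws RuntimeException wrapping any failure to create the unauthenticated subject
     */
    private static SubjectCookie setInvocationSubject(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setInvocationSubject", subject);
        }
        SubjectCookie subjectCookie = new SubjectCookie();
        if (subject == null) {
            try {
                subject = SubjectHelper.createUnauthenticatedSubject();
            } catch (Throwable th) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "WSSubject.setInvocationSubject(Subject), Exception caught " + dump(th));
                }
                Manager.Ffdc.log(th, thisClass, "com.ibm.websphere.security.auth.WSSubject.setInvocationSubject", "649");
                // NOTE(review): nothing has been pushed yet, so this pops with a null subject;
                // whether that is a no-op depends on ContextManager.popInvocationSubject — confirm.
                restoreInvocationSubject(subjectCookie);
                throw new RuntimeException(th);
            }
        }
        subjectCookie.subject = ContextManagerFactory.getInstance().pushInvocationSubject(subject);
        // Remember the previous thread-local sync flag so restore can put it back.
        subjectCookie.syncEnabled = syncHelper.isThreadLocalApplicationSyncEnabled();
        if (syncHelper.isCurrentComponentAppSyncEnabled()) {
            subjectCookie.credToken = syncHelper.setAppSyncToThread(subject);
            syncHelper.setThreadLocalApplicationSyncEnabled(true);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setInvocationSubject", subjectCookie);
        }
        return subjectCookie;
    }

    /**
     * Pushes {@code subject} as the thread's caller (received) subject. A {@code null}
     * subject is replaced by a freshly created unauthenticated subject.
     *
     * @param subject the subject to push, or {@code null} for unauthenticated
     * @return the cookie that {@link #restoreCallerSubject} needs to undo this call
     * @throws RuntimeException wrapping any failure to create the unauthenticated subject
     */
    private static SubjectCookie setCallerSubject(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setCallerSubject", subject);
        }
        SubjectCookie subjectCookie = new SubjectCookie();
        if (subject == null) {
            try {
                subject = SubjectHelper.createUnauthenticatedSubject();
            } catch (Throwable th) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "WSSubject.setCallerSubject(Subject), Exception caught " + dump(th));
                }
                Manager.Ffdc.log(th, thisClass, "com.ibm.websphere.security.auth.WSSubject.setCallerSubject", "675");
                // NOTE(review): nothing has been pushed yet, so this pops with a null subject;
                // whether that is a no-op depends on ContextManager.popReceivedSubject — confirm.
                restoreCallerSubject(subjectCookie);
                throw new RuntimeException(th);
            }
        }
        subjectCookie.subject = ContextManagerFactory.getInstance().pushReceivedSubject(subject);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setCallerSubject", subjectCookie);
        }
        return subjectCookie;
    }

    /**
     * Undoes {@link #setInvocationSubject}: restores the thread-local sync state when the
     * current component has application sync enabled, then pops the invocation subject.
     * The pop runs even if the sync restore fails.
     *
     * @param subjectCookie the cookie returned by {@link #setInvocationSubject}
     * @throws RuntimeException wrapping any failure during the restore
     */
    private static void restoreInvocationSubject(SubjectCookie subjectCookie) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "restoreInvocationSubject", subjectCookie);
        }
        try {
            try {
                if (syncHelper.isCurrentComponentAppSyncEnabled()) {
                    syncHelper.setThreadLocalApplicationSyncEnabled(subjectCookie.syncEnabled);
                    syncHelper.restoreAppSyncToThread(subjectCookie.credToken);
                }
            } finally {
                // Single pop on every path; the decompiled form popped twice when the first pop threw.
                ContextManagerFactory.getInstance().popInvocationSubject(subjectCookie.subject);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "restoreInvocationSubject");
            }
        } catch (Throwable th) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WSSubject.restoreInvocationSubject(Subject) Exception caught " + dump(th));
            }
            Manager.Ffdc.log(th, thisClass, "com.ibm.websphere.security.auth.WSSubject.restoreInvocationSubject", "710");
            throw new RuntimeException(th);
        }
    }

    /**
     * Undoes {@link #setCallerSubject} by popping the caller (received) subject.
     *
     * @param subjectCookie the cookie returned by {@link #setCallerSubject}
     * @throws RuntimeException wrapping any failure during the pop
     */
    private static void restoreCallerSubject(SubjectCookie subjectCookie) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "restoreCallerSubject", subjectCookie);
        }
        try {
            ContextManagerFactory.getInstance().popReceivedSubject(subjectCookie.subject);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "restoreCallerSubject");
            }
        } catch (Throwable th) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WSSubject.restoreCallerSubject(Subject) Exception caught " + dump(th));
            }
            Manager.Ffdc.log(th, thisClass, "com.ibm.websphere.security.auth.WSSubject.restoreCallerSubject", "727");
            throw new RuntimeException(th);
        }
    }

    /**
     * Renders {@code th}'s stack trace as a string for trace and FFDC messages.
     *
     * @param th the throwable to render
     * @return the stack trace text
     */
    private static String dump(Throwable th) {
        StringWriter stringWriter = new StringWriter();
        PrintWriter printWriter = new PrintWriter(stringWriter);
        th.printStackTrace(printWriter);
        printWriter.flush();
        return stringWriter.toString();
    }

    // Static utility class; never instantiated.
    private WSSubject() {
    }
}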
