package com.ibm.ws.security.zOS;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.PlatformCredential;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.config.AdminData;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.security.zOS.authz.AccessLevel;
import com.ibm.ws.security.zOS.authz.SAFAuthorizationManager;
import com.ibm.wsspi.security.csiv2.TrustedIDEvaluator;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import javax.security.auth.Subject;
import org.aspectj.apache.bcel.Constants;

/* loaded from: input_file:wasJars/securityimpl.jar:com/ibm/ws/security/zOS/TrustedIDEvaluatorImpl.class */
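/**
 * z/OS implementation of the CSIv2 {@link TrustedIDEvaluator} SPI.
 * <p>
 * Every overload of {@link #isTrusted} answers the same question: does the
 * identity presented (a user ID, a user ID plus password, or a client
 * certificate chain) hold {@code CONTROL} access to the SAF {@code CBIND}
 * profile {@code CB.BIND.[<safProfilePrefix>.]<serverShortName>}? The
 * identity is first mapped to a platform credential by logging it in against
 * the active user-registry realm, then that credential is checked by the
 * {@link SAFAuthorizationManager}.
 * <p>
 * All paths fail closed: a wildcard or absent identity, a failed login, a
 * missing platform credential, or an exception from the authorization check
 * all yield {@code false}. The only way to obtain {@code true} without the
 * SAF check is {@link #mutualAuthCBINDCheck}, which is gated by native
 * configuration.
 */
public class TrustedIDEvaluatorImpl implements TrustedIDEvaluator {
    private final SAFAuthorizationManager authzMgr;
    private final PlatformCredentialManager platformCredManager;
    /** SAF class of the profile consulted by every trust decision made here. */
    private static final String className = "CBIND";
    /** Leading component of every CBIND profile name this class builds. */
    private static final String CBIND_PROFILE_ROOT = "CB.BIND.";
    /**
     * Name traced on constructor entry/exit. The decompiled original referenced
     * an AspectJ BCEL constant that merely holds this same literal.
     */
    private static final String CONSTRUCTOR_TRACE_NAME = "<init>";
    /** Realm the asserted identities are logged in against; read once at construction. */
    private final String realm;
    private static final TraceComponent tc = Tr.register(TrustedIDEvaluatorImpl.class, "Security", AdminConstants.MSG_BUNDLE_NAME);

    /**
     * Resolves the platform-credential and SAF-authorization singletons and
     * captures the active user-registry realm.
     */
    public TrustedIDEvaluatorImpl() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, CONSTRUCTOR_TRACE_NAME);
        }
        this.platformCredManager = PlatformCredentialManager.instance();
        this.authzMgr = SAFAuthorizationManager.instance();
        // May be null if the property is unset; the login calls below receive it as-is.
        this.realm = getContextManager().getProperty(CommonConstants.ACTIVE_USER_REGISTRY_REALM);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, CONSTRUCTOR_TRACE_NAME, this);
        }
    }

    /**
     * Decides whether an asserting identity given only by user ID is trusted.
     *
     * @param str the asserting user ID; the wildcard {@code "*"} and
     *            {@code null} are never trusted
     * @return {@code true} only if the identity's platform credential has
     *         CONTROL access to this server's CBIND profile
     */
    @Override // com.ibm.wsspi.security.csiv2.TrustedIDEvaluator
    public boolean isTrusted(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isTrusted", str);
        }
        boolean trusted = false;
        if (str == null || str.equals("*")) {
            // Accepting "*" would trust every asserting identity; a null ID cannot
            // be mapped to a SAF user at all. Both fail closed (the original threw
            // NullPointerException on null).
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Identity is null or the wildcard; not trusted");
            }
        } else if (getContextManager().isInternalServerId(str)) {
            // The server's own generated ID is evaluated with the server credential
            // rather than a registry login.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Using internally generated server ID", str);
            }
            trusted = checkProfileAccess(this.platformCredManager.createServerCredential());
        } else {
            try {
                Subject loggedIn = getContextManager().login(this.realm, str);
                if (loggedIn == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Could not get subject");
                    }
                } else {
                    trusted = checkProfileAccess(getPlatformCredentialFromSubject(loggedIn));
                }
            } catch (WSLoginFailedException e) {
                // A failed login leaves trusted == false; record the failure for FFDC.
                FFDCFilter.processException(e, "com.ibm.ws.security.zOS.TrustedIDEvaluatorImpl.isTrusted", "154", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Login failed", e);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isTrusted", Boolean.valueOf(trusted));
        }
        return trusted;
    }

    /**
     * Decides whether an asserting identity given by user ID and password is
     * trusted. An empty or absent password degrades to {@link #isTrusted(String)}.
     *
     * @param str  the asserting user ID; {@code "*"} and {@code null} are never trusted
     * @param str2 the password, or {@code null}/empty for ID-only evaluation
     * @return {@code true} only if the authenticated identity's platform
     *         credential has CONTROL access to this server's CBIND profile
     */
    @Override // com.ibm.wsspi.security.csiv2.TrustedIDEvaluator
    public boolean isTrusted(String str, String str2) {
        if (tc.isEntryEnabled()) {
            // Never trace the password itself; only whether one was supplied.
            Object[] traceArgs = new Object[2];
            traceArgs[0] = str;
            traceArgs[1] = (str2 == null) ? null : "****";
            Tr.entry(tc, "isTrusted", traceArgs);
        }
        boolean trusted = false;
        if (str == null || str.equals("*")) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Identity is null or the wildcard; not trusted");
            }
        } else if (str2 == null || str2.length() == 0) {
            trusted = isTrusted(str);
        } else {
            try {
                Subject loggedIn = getContextManager().login(this.realm, str, str2);
                if (loggedIn == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Could not get subject");
                    }
                } else {
                    trusted = checkProfileAccess(getPlatformCredentialFromSubject(loggedIn));
                }
            } catch (WSLoginFailedException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.zOS.TrustedIDEvaluatorImpl.isTrusted", "215", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Login failed", e);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isTrusted", Boolean.valueOf(trusted));
        }
        return trusted;
    }

    /**
     * Decides whether an asserting identity presented as a client certificate
     * chain is trusted.
     *
     * @param x509CertificateArr the client certificate chain; {@code null} or
     *                           empty is never trusted
     * @return {@code true} only if the certificate-mapped identity's platform
     *         credential has CONTROL access to this server's CBIND profile
     */
    @Override // com.ibm.wsspi.security.csiv2.TrustedIDEvaluator
    public boolean isTrusted(X509Certificate[] x509CertificateArr) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isTrusted", x509CertificateArr);
        }
        boolean trusted = false;
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            // No certificate was presented, so there is nothing to map to an identity.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No certificate chain supplied; not trusted");
            }
        } else {
            try {
                Subject loggedIn = getContextManager().login(this.realm, x509CertificateArr);
                if (loggedIn == null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Could not get subject");
                    }
                } else {
                    trusted = checkProfileAccess(getPlatformCredentialFromSubject(loggedIn));
                }
            } catch (WSLoginFailedException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.zOS.TrustedIDEvaluatorImpl.isTrusted", "265", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Login failed", e);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isTrusted", Boolean.valueOf(trusted));
        }
        return trusted;
    }

    /**
     * CBIND check applied to a mutually-authenticated client chain.
     * <p>
     * SECURITY: when the native configuration reports the mutual-auth CBIND
     * check as disabled this returns {@code true} unconditionally, i.e. the SAF
     * profile is not consulted. Operators relying on CBIND to restrict which
     * clients may assert identities must keep that switch enabled.
     *
     * @param x509CertificateArr the client certificate chain
     * @return {@code true} when the check is disabled, otherwise the result of
     *         {@link #isTrusted(X509Certificate[])}
     */
    public Boolean mutualAuthCBINDCheck(X509Certificate[] x509CertificateArr) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "mutualAuthCBINDCheck", x509CertificateArr);
        }
        boolean trusted;
        if (NativeConfiguration.getConfig().isMutualAuthCBINDCheckEnabled()) {
            trusted = isTrusted(x509CertificateArr);
        } else {
            trusted = true;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "mutualAuthCBINDCheck", Boolean.valueOf(trusted));
        }
        return Boolean.valueOf(trusted);
    }

    /**
     * Checks whether {@code platformCredential} holds CONTROL access to this
     * server's CBIND profile.
     * <p>
     * The original pushed the admin context and then popped it both on the
     * normal path and in a catch-all {@code Throwable} handler that also covered
     * the authorization call, so an {@code Error} thrown there popped the
     * context twice. The push/pop is now confined to {@link #readSafProfilePrefix}
     * in a {@code try}/{@code finally} so it happens exactly once.
     *
     * @param platformCredential credential to test; {@code null} is not authorized
     * @return {@code true} only if the SAF authorization manager grants
     *         CONTROL; any exception from the check yields {@code false}
     */
    private boolean checkProfileAccess(PlatformCredential platformCredential) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkProfileAccess", platformCredential);
        }
        boolean authorized = false;
        String serverShortName = SecurityObjectLocator.getAdminData().getString(AdminData.GENERIC_SERVER_SHORT_NAME);
        String profile = buildCbindProfileName(serverShortName);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Resource being checked is", profile);
        }
        if (platformCredential == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Platform Credential for user is null");
            }
        } else {
            try {
                authorized = this.authzMgr.isAuthorized(platformCredential, className, profile, AccessLevel.CONTROL);
            } catch (Exception e) {
                // Fail closed: an authorization error is reported, never treated as a grant.
                FFDCFilter.processException(e, "com.ibm.ws.security.zOS.TrustedIDEvaluatorImpl.checkProfileAccess", "356", this);
                Tr.error(tc, "security.zos.saf.authz.failed", new Object[]{e.getLocalizedMessage()});
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Unable to perform authorization check", e);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkProfileAccess", Boolean.valueOf(authorized));
        }
        return authorized;
    }

    /**
     * Builds {@code CB.BIND.<prefix>.<serverShortName>}, or
     * {@code CB.BIND.<serverShortName>} when no SAF profile prefix is configured.
     *
     * @param serverShortName the generic server short name from admin data
     * @return the CBIND profile name to check
     */
    private String buildCbindProfileName(String serverShortName) {
        String prefix = readSafProfilePrefix();
        if (prefix == null || prefix.length() == 0) {
            return CBIND_PROFILE_ROOT + serverShortName;
        }
        return CBIND_PROFILE_ROOT + prefix + "." + serverShortName;
    }

    /**
     * Reads the configured SAF profile prefix under the admin context, popping
     * that context exactly once whether or not the read throws.
     *
     * @return the configured prefix, possibly {@code null} or empty
     */
    private String readSafProfilePrefix() {
        boolean pushed = SecurityObjectLocator.pushAdminContext();
        try {
            return SecurityObjectLocator.getSecurityConfig().getSAFProfilePrefix();
        } finally {
            if (pushed) {
                SecurityObjectLocator.popContext();
            }
        }
    }

    private ContextManager getContextManager() {
        return ContextManagerFactory.getInstance();
    }

    /**
     * Extracts the platform credential from a logged-in subject.
     * <p>
     * Lookup order: the first {@link PlatformCredential} among the subject's
     * private credentials; failing that, the {@code PLATFORM_CREDENTIAL} entry
     * of the first public {@link WSCredential}; failing that, the credential
     * manager's default credential.
     * <p>
     * NOTE(review): the final fallback means a subject that carries no platform
     * credential is evaluated against the CBIND profile as the default
     * credential rather than rejected. Whether that default can ever hold
     * CONTROL on {@code CB.BIND.*} is a SAF configuration question — confirm
     * before relying on this path; it is preserved here unchanged.
     *
     * @param subject a non-null subject returned by a successful login
     * @return the credential to authorize; never {@code null} unless the
     *         credential manager's default is itself {@code null}
     */
    private PlatformCredential getPlatformCredentialFromSubject(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getPlatformCredentialFromSubject", subject);
        }
        PlatformCredential platformCredential = null;
        for (PlatformCredential candidate : subject.getPrivateCredentials(PlatformCredential.class)) {
            platformCredential = candidate;
            break;
        }
        if (platformCredential == null) {
            WSCredential wsCredential = null;
            for (WSCredential candidate : subject.getPublicCredentials(WSCredential.class)) {
                wsCredential = candidate;
                break;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, com.ibm.wsspi.security.auth.callback.Constants.WSCREDENTIAL_KEY, wsCredential);
            }
            if (wsCredential != null) {
                final WSCredential source = wsCredential;
                try {
                    // The credential read is privileged so that a caller lacking
                    // the permission to read credentials does not break trust evaluation.
                    platformCredential = (PlatformCredential) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: com.ibm.ws.security.zOS.TrustedIDEvaluatorImpl.1
                        @Override // java.security.PrivilegedExceptionAction
                        public Object run() throws Exception {
                            return source.get(CommonConstants.PLATFORM_CREDENTIAL);
                        }
                    });
                } catch (PrivilegedActionException e) {
                    Exception cause = e.getException();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Unable to get PlatformCredential", cause);
                    }
                }
            }
        }
        if (platformCredential == null) {
            platformCredential = this.platformCredManager.createDefaultCredential();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getPlatformCredentialFromSubject", platformCredential);
        }
        return platformCredential;
    }
}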
