package com.ibm.ws.security.core;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.AuthorizationTable;
import com.ibm.websphere.security.SAFRoleMapper;
import com.ibm.websphere.security.SecurityProviderException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.PlatformCredential;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.util.AccessController;
import com.ibm.xslt4j.bcel.Constants;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Properties;
import javax.security.auth.Subject;

/* loaded from: input_file:lib/securityimpl.jar:com/ibm/ws/security/core/SAFAuthorizationTableImpl.class */
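/**
 * {@link AuthorizationTable} implementation that answers role checks by mapping
 * application roles to profile names through a {@link SAFRoleMapper} and handing
 * them, together with the caller's {@link PlatformCredential}, to the native
 * {@code checkProfiles} routine.
 *
 * <p><b>Security-relevant behaviour visible in this class:</b>
 * <ul>
 *   <li><b>Fail-open when the role class is inactive.</b> If the native check
 *       returns {@link #EJBROLE_INACTIVE}, the request is granted and a
 *       process-wide flag is latched. From then on {@link #isEveryoneGranted}
 *       returns {@code true} for every call. Nothing in this class resets the
 *       flag, so it stays set until the class is reloaded.</li>
 *   <li>The first transition emits audit message {@code BBOJ0015} exactly once.
 *       Monitoring should alert on that message id, because later grants made
 *       through {@link #isEveryoneGranted} are not audited here.</li>
 *   <li>A subject without a platform credential is denied (fail-closed).</li>
 *   <li>At debug trace level the {@code PlatformCredential} object and the
 *       authorization context map are written to trace; treat trace output as
 *       sensitive.</li>
 * </ul>
 *
 * <p>This source is decompiler output. The synthetic {@code class$} members are
 * kept so that the class shape is unchanged.
 */
public class SAFAuthorizationTableImpl implements AuthorizationTable {
    private static final TraceComponent tc;

    /** Key under which the caller's {@link Subject} is expected in the context map. */
    public static final String SUBJECT_KEY = "AUTHZ_SUBJECT";

    /** Native result: the credential is permitted to at least one profile. */
    public static final int EJBROLE_TRUE = 1;
    /** Native result: the credential is not permitted to any profile. */
    public static final int EJBROLE_FALSE = 0;
    /** Native result: the role class is inactive; this class then grants access. */
    public static final int EJBROLE_INACTIVE = -1;

    // Values of _logOption, selected by the SAF authorization log-option property.
    private static final int LOG_OPTION_DEFAULT = 0;
    private static final int LOG_OPTION_NONE = 1;
    private static final int LOG_OPTION_ASIS = 2;
    private static final int LOG_OPTION_NOFAIL = 3;

    // Written under the class lock in setRoleClassInactive() but read without it in
    // isRoleClassInactive(); volatile makes the latch visible to those readers.
    private static volatile boolean _roleClassInactive;

    private SAFRoleMapper _roleMapper;
    private boolean _suppressMessages;
    private int _logOption;

    // Compiler-generated cache for the class literal (pre-Java-5 idiom).
    static Class class$com$ibm$ws$security$core$SAFAuthorizationTableImpl;

    /**
     * Obtains the role mapper from {@link SAFRoleMapperFactory} and reads the
     * log option and audit-message suppression settings from {@link SecurityConfig}.
     *
     * <p>An unrecognised log-option value is not rejected: it leaves the default
     * option in force and is reported at debug trace level only.
     */
    public SAFAuthorizationTableImpl() {
        this._roleMapper = null;
        this._suppressMessages = false;
        this._logOption = LOG_OPTION_DEFAULT;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, Constants.CONSTRUCTOR_NAME);
        }
        this._roleMapper = SAFRoleMapperFactory.getSAFRoleMapper();
        // NOTE(review): the TOPLEVEL_PROPS value is dereferenced without a null check;
        // a missing property set would surface here as a NullPointerException.
        String property = ((Properties) SecurityConfig.getConfig().getValue(CommonConstants.TOPLEVEL_PROPS)).getProperty(CommonConstants.COM_IBM_SECURITY_SAF_AUTHZ_LOG_OPTION);
        // Boolean.valueOf(String) yields the same result as new Boolean(String),
        // including false for null, without allocating a new wrapper.
        this._suppressMessages = Boolean.valueOf((String) SecurityConfig.getConfig().getValue(CommonConstants.COM_IBM_SECURITY_SAF_EJBROLE_AUDIT_MESSAGES_SUPPRESS)).booleanValue();
        if (property != null && property.length() > 0) {
            if (property.equalsIgnoreCase("NONE")) {
                this._logOption = LOG_OPTION_NONE;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Log Option is NONE.");
                }
            } else if (property.equalsIgnoreCase("ASIS")) {
                this._logOption = LOG_OPTION_ASIS;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Log Option is ASIS.");
                }
            } else if (property.equalsIgnoreCase("NOFAIL")) {
                this._logOption = LOG_OPTION_NOFAIL;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Log Option is NOFAIL.");
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Following DEFAULT log option path.");
            }
        }
        // The original recorded a second *entry* event here, leaving the trace unbalanced.
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, Constants.CONSTRUCTOR_NAME);
        }
    }

    /**
     * Reports whether every caller is to be treated as granted.
     *
     * <p>Both arguments are used for tracing only. The result is the latched
     * "role class inactive" flag, so this returns {@code true} only after some
     * earlier role check has received {@link #EJBROLE_INACTIVE} from the native
     * routine.
     *
     * @param hashMap authorization context (traced, otherwise unused)
     * @param strArr  required roles (traced, otherwise unused)
     * @return {@code true} once the role class has been observed inactive
     */
    @Override // com.ibm.websphere.security.AuthorizationTable
    public boolean isEveryoneGranted(HashMap hashMap, String[] strArr) throws SecurityProviderException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isEveryoneGranted", new Object[]{hashMap, strArr});
        }
        boolean isRoleClassInactive = isRoleClassInactive();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isEveryoneGranted", Boolean.valueOf(isRoleClassInactive));
        }
        return isRoleClassInactive;
    }

    /**
     * Checks a single role by delegating to
     * {@link #isGrantedAnyRole(HashMap, String[], Principal)} with a one-element array.
     *
     * @param hashMap   authorization context; must contain the subject under {@link #SUBJECT_KEY}
     * @param str       the role to check
     * @param principal the caller's principal (traced only along this path)
     * @return {@code true} if the role is granted
     * @throws SecurityProviderException if the platform credential cannot be obtained
     */
    @Override // com.ibm.websphere.security.AuthorizationTable
    public boolean isGrantedRole(HashMap hashMap, String str, Principal principal) throws SecurityProviderException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isGrantedRole", new Object[]{hashMap, str, principal});
        }
        boolean isGrantedAnyRole = isGrantedAnyRole(hashMap, new String[]{str}, principal);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isGrantedRole", Boolean.valueOf(isGrantedAnyRole));
        }
        return isGrantedAnyRole;
    }

    /**
     * Checks whether the subject stored in the context map holds any of the given roles.
     *
     * <p>The decision is made on the {@link PlatformCredential} extracted from the
     * subject's {@link WSCredential}. The {@code principal} argument is traced but
     * does not take part in the decision. If no platform credential is available
     * the result is {@code false}.
     *
     * @param hashMap   authorization context; the subject is read from {@link #SUBJECT_KEY}
     * @param strArr    candidate roles; must be non-empty when a credential is present
     * @param principal the caller's principal (traced only)
     * @return {@code true} if access is granted, including the case where the
     *         native check reports the role class as inactive
     * @throws SecurityProviderException if extracting the platform credential fails
     * @throws IllegalArgumentException  if a credential is present and {@code strArr}
     *                                   is {@code null} or empty
     */
    @Override // com.ibm.websphere.security.AuthorizationTable
    public boolean isGrantedAnyRole(HashMap hashMap, String[] strArr, Principal principal) throws SecurityProviderException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isGrantedAnyRole", new Object[]{hashMap, strArr, principal});
        }
        boolean z = false;
        try {
            // Captured as a final local. The decompiler had rendered the capture as
            // synthetic constructor arguments, which is not valid source.
            final Subject subject = (Subject) hashMap.get(SUBJECT_KEY);
            PlatformCredential platformCredential = (PlatformCredential) AccessController.doPrivileged(new PrivilegedExceptionAction() {
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws Exception {
                    WSCredential wSCredentialFromSubject = SubjectHelper.getWSCredentialFromSubject(subject);
                    if (wSCredentialFromSubject != null) {
                        return wSCredentialFromSubject.get(SecurityConfig.PLATFORM_CREDENTIAL);
                    }
                    return null;
                }
            });
            // NOTE(review): the credential object is written to trace at debug level;
            // what it reveals depends on PlatformCredential.toString(). Confirm.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "PlatformCredential", platformCredential);
            }
            // No platform credential means no decision can be made: deny.
            if (platformCredential != null) {
                z = isSAFPrincipalInAnyRole(hashMap, strArr, platformCredential);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "isGrantedAnyRole", Boolean.valueOf(z));
            }
            return z;
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e.getException(), "com.ibm.ws.security.SAFAuthorizationTableImpl", "249", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting PlatformCredential", e.getException());
            }
            throw new SecurityProviderException("Unable to acquire PlatformCredential", e.getException());
        }
    }

    /**
     * Maps the roles to profiles and asks the native routine whether the
     * credential is permitted to any of them.
     *
     * <p>The boolean passed to the native call is {@code true} when messages are
     * suppressed by configuration, or when the application is the admin
     * application and the log option is the default. Its exact effect is decided
     * in native code; the name {@code _suppressMessages} suggests that it
     * silences audit messages. Confirm against the native side.
     *
     * @throws IllegalArgumentException if {@code strArr} is {@code null} or empty
     */
    private boolean isSAFPrincipalInAnyRole(HashMap hashMap, String[] strArr, PlatformCredential platformCredential) {
        boolean z;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isSAFPrincipalInAnyRole", new Object[]{hashMap, strArr, platformCredential});
        }
        if (strArr == null || strArr.length == 0) {
            throw new IllegalArgumentException("Target role is required");
        }
        boolean equals = com.ibm.ws.security.util.Constants.ADMIN_APP.equals((String) hashMap.get(AuthorizationTable.APP_NAME));
        String[] profilesFromRoles = getProfilesFromRoles(hashMap, strArr);
        boolean suppress = (equals && this._logOption == LOG_OPTION_DEFAULT) || this._suppressMessages;
        switch (checkProfiles(profilesFromRoles, profilesFromRoles.length, platformCredential, suppress, this._logOption)) {
            case EJBROLE_INACTIVE:
                // Fail-open: an inactive role class grants access and latches the
                // process-wide flag that isEveryoneGranted() reports.
                setRoleClassInactive();
                z = true;
                break;
            case EJBROLE_TRUE:
                z = true;
                break;
            case EJBROLE_FALSE:
            default:
                // Any unrecognised native return code is treated as a denial.
                z = false;
                break;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isSAFPrincipalInAnyRole", Boolean.valueOf(z));
        }
        return z;
    }

    /**
     * Translates each role into a profile name using the configured role mapper
     * and the application name stored under {@link AuthorizationTable#APP_NAME}.
     *
     * @param hashMap authorization context supplying the application name
     * @param strArr  roles to translate; must not be {@code null}
     * @return an array of the same length holding the mapped profile for each role
     */
    protected String[] getProfilesFromRoles(HashMap hashMap, String[] strArr) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getProfilesFromRoles", new Object[]{hashMap, strArr});
        }
        String[] strArr2 = new String[strArr.length];
        String str = (String) hashMap.get(AuthorizationTable.APP_NAME);
        for (int i = 0; i < strArr.length; i++) {
            strArr2[i] = this._roleMapper.getProfileFromRole(str, strArr[i]);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getProfilesFromRoles", strArr2);
        }
        return strArr2;
    }

    /**
     * Native authorization check. The caller passes the profile array, its
     * length, the credential, the message-suppression flag and the log option,
     * and interprets the result with the {@code EJBROLE_*} constants.
     */
    private native int checkProfiles(String[] strArr, int i, PlatformCredential platformCredential, boolean z, int i2);

    /**
     * Latches the "role class inactive" flag. The first call emits audit message
     * {@code BBOJ0015}; later calls are silent. The flag is never cleared.
     */
    private static synchronized void setRoleClassInactive() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "markServiceDisabled");
        }
        if (!_roleClassInactive) {
            Tr.audit(tc, "BBOJ0015");
            _roleClassInactive = true;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "markServiceDisabled");
        }
    }

    /** Returns the latched "role class inactive" flag. */
    private static boolean isRoleClassInactive() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isRoleClassInactive");
        }
        boolean inactive = _roleClassInactive;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isRoleClassInactive", Boolean.valueOf(inactive));
        }
        return inactive;
    }

    /**
     * Compiler-generated helper that resolves a class literal by name and
     * converts a lookup failure into {@link NoClassDefFoundError}.
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            // initCause() is typed as Throwable, so the cast keeps the throw unchecked.
            throw (NoClassDefFoundError) new NoClassDefFoundError().initCause(e);
        }
    }

    static {
        Class cls;
        if (class$com$ibm$ws$security$core$SAFAuthorizationTableImpl == null) {
            cls = class$(CommonConstants.SAF_AUTHZN_IMPL);
            class$com$ibm$ws$security$core$SAFAuthorizationTableImpl = cls;
        } else {
            cls = class$com$ibm$ws$security$core$SAFAuthorizationTableImpl;
        }
        tc = Tr.register(cls, "Security", "com.ibm.ejs.resources.security");
        _roleClassInactive = false;
    }
}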
