package com.ibm.ws.security.core;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.csi.CSIAccessException;
import com.ibm.websphere.csi.CSIException;
import com.ibm.websphere.csi.CollaboratorCookie;
import com.ibm.websphere.csi.EJBConfigData;
import com.ibm.websphere.csi.EJBKey;
import com.ibm.websphere.csi.EJBMethodInfo;
import com.ibm.websphere.csi.SecurityCookie;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.WSSecurityHelper;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.delegation.Delegation;
import com.ibm.ws.security.delegation.DelegationFactory;
import com.ibm.ws.security.ejb.SecurityBeanCookie;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.security.util.ServerIdentityHelper;
import com.ibm.ws.security.zOS.threadid.ThreadIdentityManager;
import com.ibm.ws.util.PlatformHelperFactory;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.ejb.EnterpriseBean;
import javax.security.auth.Subject;

/* loaded from: input_file:eclipse/plugins/com.ibm.websphere.v61_6.1.1/ws_runtime.jar:com/ibm/ws/security/core/EJSSecurityCollaborator.class */
/**
 * Security collaborator invoked around EJB method calls.
 *
 * <p>{@code preInvoke} obtains the caller, invocation and server subjects, calls
 * {@code performAuthorization}, applies the delegation policy to pick the subject the
 * bean method runs as, and (on z/OS only) may switch the OS thread identity.
 * {@code postInvoke} uses the cookie returned by {@code preInvoke} to undo those changes.
 *
 * <p>This listing is decompiler output: the {@code this$0}/{@code val$...} fields, the
 * {@code class$} helper and a few declarations are compiler/decompiler artifacts, not
 * hand-written source, and some of them would not compile as shown.
 */
public class EJSSecurityCollaborator extends SecurityCollaborator {
    // Trace component, registered in the static initializer under the "Security" group.
    private static final TraceComponent tc;
    // Bean names for which preInvoke skips the delegation step (see isUnprotected).
    private static final String[] UNPROTECTED;
    // Delegation policy obtained from DelegationFactory in the constructor.
    protected Delegation delegationPolicy;
    // Null unless isZOS is true; every use below is guarded by isZOS (directly or via z).
    private final ThreadIdentityManager threadIdManager;
    private final boolean isZOS;
    // Most recently constructed instance. Plain static field, written in the constructor
    // without synchronization; a later construction silently replaces the earlier one.
    private static EJSSecurityCollaborator securityCollaboratorInstance;
    // Synthetic cache for the class literal (older-compiler idiom, see class$ below).
    static Class class$com$ibm$ws$security$core$EJSSecurityCollaborator;

    /**
     * Returns the instance recorded by the most recent constructor call.
     *
     * @return the last constructed collaborator, or {@code null} if none has been constructed
     */
    public static EJSSecurityCollaborator getInstance() {
        return securityCollaboratorInstance;
    }

    /**
     * Resolves the delegation policy and platform, creates the thread identity manager on
     * z/OS only, and records this object as the instance returned by {@link #getInstance()}.
     */
    public EJSSecurityCollaborator() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "<init>");
        }
        this.delegationPolicy = DelegationFactory.getDelegation();
        this.isZOS = PlatformHelperFactory.getPlatformHelper().isZOS();
        this.threadIdManager = this.isZOS ? ThreadIdentityManager.getThreadIdentityManager() : null;
        // Published after the final fields are assigned, but before the constructor returns.
        securityCollaboratorInstance = this;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "<init>", this);
        }
    }

    /**
     * Legacy three-argument entry point; always rejected so that callers cannot bypass the
     * five-argument variant below.
     *
     * @throws CSIException always, with the message "old preInvoke called"
     */
    @Override // com.ibm.ws.security.core.SecurityCollaborator
    public CollaboratorCookie preInvoke(EJBKey eJBKey, EJBMethodInfo eJBMethodInfo, CollaboratorCookie collaboratorCookie) throws CSIException {
        throw new CSIException("old preInvoke called");
    }

    /**
     * Runs the security checks for an EJB method call and establishes the subjects (and, on
     * z/OS, possibly the OS thread identity) the method will run under.
     *
     * @param eJBKey key of the target bean, passed through to authorization and delegation
     * @param eJBMethodInfo method being invoked; also supplies the z/OS sync-to-thread setting
     * @param collaboratorCookie per-bean cookie; cast to {@code SecurityBeanCookie} without a
     *        type check, so any other type fails with {@code ClassCastException}
     * @param enterpriseBean bean instance, passed through to {@code performAuthorization}
     * @param objArr method arguments, passed through to {@code performAuthorization}
     * @return a cookie for {@code postInvoke}, or {@code null} when security is disabled or
     *         authorization is skipped for this application
     * @throws CSIException on authorization, delegation, subject lookup or thread identity
     *         failures (most are raised as {@code CSIAccessException})
     */
    @Override // com.ibm.ws.security.core.SecurityCollaborator
    public CollaboratorCookie preInvoke(EJBKey eJBKey, EJBMethodInfo eJBMethodInfo, CollaboratorCookie collaboratorCookie, EnterpriseBean enterpriseBean, Object[] objArr) throws CSIException {
        // securityEnabled is not declared in this class (presumably inherited); when it is
        // false nothing below runs and no cookie is produced.
        if (!securityEnabled) {
            return null;
        }
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "preInvoke", new Object[]{eJBKey, eJBMethodInfo, collaboratorCookie, enterpriseBean, objArr});
        }
        String appName = ((SecurityBeanCookie) collaboratorCookie).getAppName();
        boolean isServerSecurityEnabled = WSSecurityHelper.isServerSecurityEnabled();
        boolean checkIfAdminApp = WSAccessManager.checkIfAdminApp(appName);
        if (tc.isDebugEnabled()) {
            // The trace labels this flag "isAppSecurityOn" although it comes from
            // isServerSecurityEnabled().
            Tr.debug(tc, "preInvoke", new StringBuffer().append("app_name=").append(appName).append(" isAdminApp=").append(checkIfAdminApp).append(" isAppSecurityOn=").append(isServerSecurityEnabled).toString());
        }
        // Security-relevant bypass: with the flag off and a non-admin application, neither
        // authorization nor delegation runs. Only the debug trace records that it was skipped,
        // so the decision is invisible unless debug tracing is on.
        if (!isServerSecurityEnabled && !checkIfAdminApp) {
            if (!tc.isDebugEnabled()) {
                return null;
            }
            Tr.debug(tc, "preInvoke", "Skip authorization for non-system apps when app security is disabled.");
            return null;
        }
        try {
            Subject callerSubject = contextManager.getCallerSubject();
            Subject invocationSubject = contextManager.getInvocationSubject();
            // The server subject is fetched inside doPrivileged.
            Subject subject = (Subject) AccessController.doPrivileged(new PrivilegedExceptionAction(this) { // from class: com.ibm.ws.security.core.EJSSecurityCollaborator.1
                private final EJSSecurityCollaborator this$0;

                {
                    this.this$0 = this;
                }

                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws WSSecurityException {
                    return SecurityCollaborator.contextManager.getServerSubject();
                }
            });
            // Snapshot of the subjects as they were on entry: [0] caller, [1] invocation.
            // Slot [2] is never assigned in this method and stays null. The snapshot goes
            // into the returned cookie (presumably so postInvoke can restore them).
            Subject[] subjectArr = new Subject[3];
            // Both branches store the same value; equivalent to subjectArr[0] = callerSubject.
            if (callerSubject != null) {
                subjectArr[0] = callerSubject;
            } else {
                subjectArr[0] = null;
            }
            subjectArr[1] = invocationSubject;
            SetUnauthenticatedSubjectIfNeeded(invocationSubject, callerSubject);
            Subject[] performAuthorization = performAuthorization(eJBKey, eJBMethodInfo, subject, callerSubject, (SecurityBeanCookie) collaboratorCookie, enterpriseBean, objArr);
            if (performAuthorization != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "performAuthorization returned non null retSubjects");
                }
                // A non-null result replaces the caller subject: element [1] is preferred,
                // element [0] is the fallback. subjectArr above keeps the original values.
                callerSubject = performAuthorization[1] != null ? performAuthorization[1] : performAuthorization[0];
            }
            Subject subject2 = callerSubject;
            // Return value discarded; looks like a leftover of the original source.
            eJBMethodInfo.getHomeName();
            Subject subject3 = callerSubject;
            // Beans named in UNPROTECTED skip delegation only; performAuthorization has
            // already been called for them above. For these beans the invocation subject
            // remains the (possibly replaced) caller subject.
            if (!isUnprotected(((SecurityBeanCookie) collaboratorCookie).getBeanName())) {
                try {
                    // The delegation policy decides which subject the method is invoked as.
                    subject2 = (Subject) AccessController.doPrivileged(new PrivilegedExceptionAction(this, eJBKey, eJBMethodInfo, subject, subject3, collaboratorCookie) { // from class: com.ibm.ws.security.core.EJSSecurityCollaborator.2
                        private final EJBKey val$ejb_key;
                        private final EJBMethodInfo val$method_info;
                        private final Subject val$own_subject;
                        private final Subject val$received_subject;
                        private final CollaboratorCookie val$bean_cookie;
                        private final EJSSecurityCollaborator this$0;

                        {
                            this.this$0 = this;
                            this.val$ejb_key = eJBKey;
                            this.val$method_info = eJBMethodInfo;
                            this.val$own_subject = subject;
                            this.val$received_subject = subject3;
                            this.val$bean_cookie = collaboratorCookie;
                        }

                        @Override // java.security.PrivilegedExceptionAction
                        public Object run() throws CSIException {
                            return this.this$0.delegationPolicy.delegate(this.val$ejb_key, this.val$method_info, this.val$own_subject, this.val$received_subject, (SecurityBeanCookie) this.val$bean_cookie);
                        }
                    });
                } catch (PrivilegedActionException e) {
                    // Decompiler artifact: the declared type is narrower than the cast.
                    // run() declares only CSIException, so the cast is expected to hold.
                    CSIAccessException cSIAccessException = (CSIException) e.getException();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Error getting delegatedSubject");
                    }
                    if (cSIAccessException instanceof CSIAccessException) {
                        throw cSIAccessException;
                    }
                    // Any other CSIException is turned into an access exception that carries
                    // only the message; the original exception is not chained as the cause,
                    // so its stack trace is lost to whoever diagnoses the denial.
                    throw new CSIAccessException(cSIAccessException.getMessage());
                }
            }
            // From here on the caller/invocation subjects are changed.
            // NOTE(review): if a later statement throws, no cookie is returned for
            // postInvoke; confirm the caller restores the subjects on a failed preInvoke.
            setSubjects(callerSubject, subject2);
            // z:  this bean's metadata asks for application sync-to-OS-thread.
            // z2: the thread-local sync flag as it was before this call.
            // Both stay false off z/OS, so threadIdManager (null there) is never touched.
            boolean z = false;
            boolean z2 = false;
            if (this.isZOS) {
                z = eJBMethodInfo.getEJBComponentMetaData().isApplicationSyncToOSThreadEnabled();
                z2 = this.threadIdManager.isThreadLocalApplicationSyncEnabled();
            }
            // Token returned by whichever identity switch happens below; null if none does.
            Object obj = null;
            if (z) {
                try {
                    // Set the OS thread identity from the invocation subject.
                    obj = AccessController.doPrivileged(new PrivilegedExceptionAction(this, subject2) { // from class: com.ibm.ws.security.core.EJSSecurityCollaborator.3
                        private final Subject val$privInvokeSubject;
                        private final EJSSecurityCollaborator this$0;

                        {
                            this.this$0 = this;
                            this.val$privInvokeSubject = subject2;
                        }

                        @Override // java.security.PrivilegedExceptionAction
                        public Object run() throws Exception {
                            return this.this$0.threadIdManager.setLocalOSThreadID(this.val$privInvokeSubject);
                        }
                    });
                } catch (PrivilegedActionException e2) {
                    if (tc.isEventEnabled()) {
                        Tr.event(tc, "Thread identity synchronization error", e2);
                    }
                    throw new CSIException(e2.getMessage(), e2);
                }
            } else if (z2) {
                // This bean does not request sync but the thread-local flag was on:
                // push() is called on the server identity helper and its token is kept.
                try {
                    obj = ServerIdentityHelper.getServerIdentityHelper().push();
                } catch (Exception e3) {
                    if (tc.isEventEnabled()) {
                        Tr.event(tc, "Thread identity synchronization error", e3);
                    }
                    throw new CSIException(e3.getMessage(), e3);
                }
            }
            if (this.isZOS) {
                this.threadIdManager.setThreadLocalApplicationSyncEnabled(z);
            }
            // The cookie receives the entry-time subjects, the identity token and the previous
            // sync flag. NOTE(review): getCookie is not shown here; presumably it fills the
            // syncToThreadToken and appSyncToOSThread fields that postInvoke reads.
            CollaboratorCookie cookie = getCookie(subjectArr, obj, z2);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "preInvoke", cookie);
            }
            return cookie;
        } catch (WSSecurityException e4) {
            // Subject lookup failures are recorded through FFDC and surface as access
            // exceptions with the cause chained.
            FFDCFilter.processException(e4, "com.ibm.ws.security.core.EJSSecurityCollaborator.preInvoke", "192", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error getting subjects", e4);
            }
            throw new CSIAccessException(e4.getMessage(), e4);
        } catch (PrivilegedActionException e5) {
            // Only the server-subject doPrivileged can reach this handler; the other two
            // privileged calls catch PrivilegedActionException themselves.
            Exception exception = e5.getException();
            FFDCFilter.processException(exception, "com.ibm.ws.security.core.EJSSecurityCollaborator.preInvoke", "186", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Error getting subjects", exception);
            }
            throw new CSIAccessException(exception.getMessage(), exception);
        }
    }

    /**
     * Tells whether a bean name is on the hard-coded {@code UNPROTECTED} list.
     *
     * <p>The comparison is an exact, case-sensitive string match on the bean name alone;
     * a {@code null} name is never a match.
     *
     * @param str bean name to look up
     * @return {@code true} if the name equals one of the listed entries
     */
    @Override // com.ibm.ws.security.core.SecurityCollaborator
    protected boolean isUnprotected(String str) {
        for (int i = 0; i < UNPROTECTED.length; i++) {
            if (UNPROTECTED[i].equals(str)) {
                return true;
            }
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Maps a home-interface method name to another method name: names starting with
     * "find" become "ejbFind..." (for example "findByKey" gives "ejbFindByKey"); every other
     * name is resolved by the superclass.
     *
     * @param str home method name; {@code null} fails with {@code NullPointerException}
     * @return the resolved method name
     */
    @Override // com.ibm.ws.security.core.SecurityCollaborator
    public String resolveHomeMethod(String str) {
        String resolveHomeMethod;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "resolveHomeMethod", str);
        }
        if (str.startsWith("find")) {
            StringBuffer stringBuffer = new StringBuffer(3 + str.length());
            stringBuffer.append("ejb").append(str);
            // Index 3 is the 'f' of "find", directly after the "ejb" prefix.
            stringBuffer.setCharAt(3, 'F');
            resolveHomeMethod = stringBuffer.toString();
        } else {
            resolveHomeMethod = super.resolveHomeMethod(str);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "resolveHomeMethod", resolveHomeMethod);
        }
        return resolveHomeMethod;
    }

    /**
     * Undoes what {@code preInvoke} set up, using the cookie it returned.
     *
     * <p>A {@code null} first cookie (security disabled or authorization skipped in
     * {@code preInvoke}) means there is nothing to undo.
     *
     * @param eJBKey key of the invoked bean, passed to {@code postInvokeCommon}
     * @param eJBMethodInfo invoked method, passed to {@code postInvokeCommon}
     * @param collaboratorCookie cookie from {@code preInvoke}; cast to {@code SecurityCookie}
     *        and, on z/OS, to {@code SecurityCookieImpl} without a type check
     * @param collaboratorCookie2 second cookie, passed to {@code postInvokeCommon}
     * @throws CSIException if the OS thread identity cannot be restored
     */
    public void postInvoke(EJBKey eJBKey, EJBMethodInfo eJBMethodInfo, CollaboratorCookie collaboratorCookie, CollaboratorCookie collaboratorCookie2) throws CSIException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "postInvoke", new Object[]{eJBKey, eJBMethodInfo, collaboratorCookie, collaboratorCookie2});
        }
        if (collaboratorCookie != null) {
            super.postInvokeCommon(eJBKey, eJBMethodInfo, (SecurityCookie) collaboratorCookie, collaboratorCookie2);
            if (this.isZOS) {
                SecurityCookieImpl securityCookieImpl = (SecurityCookieImpl) collaboratorCookie;
                Object obj = ((SecurityCookieImpl) collaboratorCookie).syncToThreadToken;
                // A token is present only if preInvoke switched the thread identity.
                if (obj != null) {
                    try {
                        AccessController.doPrivileged(new PrivilegedExceptionAction(this, obj) { // from class: com.ibm.ws.security.core.EJSSecurityCollaborator.4
                            private final Object val$privsyncToThreadToken;
                            private final EJSSecurityCollaborator this$0;

                            {
                                this.this$0 = this;
                                this.val$privsyncToThreadToken = obj;
                            }

                            @Override // java.security.PrivilegedExceptionAction
                            public Object run() throws Exception {
                                this.this$0.threadIdManager.restoreLocalOSThreadID(this.val$privsyncToThreadToken);
                                return null;
                            }
                        });
                    } catch (PrivilegedActionException e) {
                        if (tc.isEventEnabled()) {
                            Tr.event(tc, "Unable to restore thread identity", e);
                        }
                        // This throw skips the flag reset below, so after a failed restore the
                        // thread keeps both the switched identity and the flag preInvoke set.
                        // NOTE(review): confirm the container cleans up or retires the thread.
                        throw new CSIException(e.getMessage(), e);
                    }
                }
                // Put the thread-local sync flag back to the value stored in the cookie.
                this.threadIdManager.setThreadLocalApplicationSyncEnabled(securityCookieImpl.appSyncToOSThread);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "postInvoke");
        }
    }

    /**
     * Called when a bean is installed; delegates to {@code installBean} and traces the result.
     *
     * @param eJBConfigData configuration of the installed bean
     * @return the cookie returned by {@code installBean}
     */
    public CollaboratorCookie beanInstalled(EJBConfigData eJBConfigData) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "beanInstalled", eJBConfigData);
        }
        CollaboratorCookie installBean = installBean(eJBConfigData);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "beanInstalled", installBean);
        }
        return installBean;
    }

    /**
     * Called when a bean is uninstalled; only writes entry/exit trace, no state is released.
     *
     * @param collaboratorCookie cookie of the uninstalled bean (traced only)
     */
    public void beanUninstalled(CollaboratorCookie collaboratorCookie) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "beanUninstalled", collaboratorCookie);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "beanUninstalled");
        }
    }

    /**
     * Synthetic helper emitted by older compilers for class literals: loads a class by name
     * and reports a missing class as {@code NoClassDefFoundError}.
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            // Decompiler artifact: initCause returns Throwable, so this line does not
            // compile as written.
            throw new NoClassDefFoundError().initCause(e);
        }
    }

    // Static initializer: resolves this class (the expanded form of a class literal),
    // registers the trace component and fills the UNPROTECTED list.
    static {
        Class cls;
        if (class$com$ibm$ws$security$core$EJSSecurityCollaborator == null) {
            cls = class$("com.ibm.ws.security.core.EJSSecurityCollaborator");
            class$com$ibm$ws$security$core$EJSSecurityCollaborator = cls;
        } else {
            cls = class$com$ibm$ws$security$core$EJSSecurityCollaborator;
        }
        tc = Tr.register(cls, "Security", "com.ibm.ejs.resources.security");
        // Hard-coded exemption list consulted by isUnprotected; changing it changes which
        // beans bypass the delegation policy in preInvoke.
        UNPROTECTED = new String[]{"RemoteSRP", "RemoteSRPHome", "SrdSrvltCtxHome", "SessionBMP", "UPManager", "UP_ReadOnly", "UP_ReadWrite"};
    }
}
