package com.ibm.wps.services.authorization;

import com.ibm.logging.Formatter;
import com.ibm.logging.IConstants;
import com.ibm.logging.ILogger;
import com.ibm.logging.mgr.LogManager;
import com.ibm.pvctools.wpsdebug.v4.configurator.WpsXmlAccessConstants;
import com.ibm.wps.command.xml.DecodeEngine;
import com.ibm.wps.puma.Group;
import com.ibm.wps.puma.GroupManager;
import com.ibm.wps.puma.Principal;
import com.ibm.wps.puma.User;
import com.ibm.wps.puma.UserManager;
import com.ibm.wps.sso.FavoritesHelper;
import com.ibm.wps.util.DataBackendException;
import com.ibm.wps.util.ObjectID;
import com.ibm.wps.util.Properties;
import com.ibm.wps.ws.rpi.RPIConstants;
import com.netegrity.sdk.apiutil.SmApiConnection;
import com.netegrity.sdk.apiutil.SmApiException;
import com.netegrity.sdk.apiutil.SmApiResult;
import com.netegrity.sdk.apiutil.SmApiSession;
import com.netegrity.sdk.policyapi.SmAgent;
import com.netegrity.sdk.policyapi.SmAgentType;
import com.netegrity.sdk.policyapi.SmDomain;
import com.netegrity.sdk.policyapi.SmPolicy;
import com.netegrity.sdk.policyapi.SmPolicyApi;
import com.netegrity.sdk.policyapi.SmPolicyApiImpl;
import com.netegrity.sdk.policyapi.SmPolicyLink;
import com.netegrity.sdk.policyapi.SmRealm;
import com.netegrity.sdk.policyapi.SmResponse;
import com.netegrity.sdk.policyapi.SmResponseAttr;
import com.netegrity.sdk.policyapi.SmRule;
import com.netegrity.sdk.policyapi.SmScheme;
import com.netegrity.sdk.policyapi.SmUserDirectory;
import com.netegrity.sdk.policyapi.SmUserPolicy;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Collection;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.MissingResourceException;
import java.util.StringTokenizer;
import java.util.Vector;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletResponse;
import netegrity.siteminder.javaagent.AgentAPI;
import netegrity.siteminder.javaagent.Attribute;
import netegrity.siteminder.javaagent.AttributeList;
import netegrity.siteminder.javaagent.InitDef;
import netegrity.siteminder.javaagent.RealmDef;
import netegrity.siteminder.javaagent.ResourceContextDef;
import netegrity.siteminder.javaagent.ServerDef;
import netegrity.siteminder.javaagent.SessionDef;

/* loaded from: input_file:plugins/com.ibm.wps_4.2.0/wps.jar:com/ibm/wps/services/authorization/SiteminderExternalAccessControlImpl.class */
public class SiteminderExternalAccessControlImpl extends ExternalAccessControlService {
    private static final String COPYRIGHT = "Licensed Materials - Property of IBM, 5724-B88, (C) Copyright IBM Corp. 2001, 2002 - All Rights reserved.";
    // Candidate values of the "accesscontrol.public_access_mode" property (read in initSiteminder()).
    // With mode 1, getPermissions(Principal, ...) grants VIEW to everyone on a resource that SiteMinder
    // does not report as protected. NOT_PROTECTED_MODE is not referenced by the methods visible here.
    private static final int ANONYMOUS_ACCESS_MODE = 1;
    private static final int NOT_PROTECTED_MODE = 0;
    // Value of "accesscontrol.action" (default "Action"): the action of the realm rule and of every
    // ResourceContextDef handed to the agent in getPermissions(Principal, ...).
    private String actionString;
    // Per-policy-server defaults applied by createServerDefinition() unless a "<host>.<key>" property
    // overrides them.
    private static final int DEFAULT_ACCOUNTING_PORT = 44441;
    private static final int DEFAULT_AUTHENTICATION_PORT = 44442;
    private static final int DEFAULT_AUTHORIZATION_PORT = 44443;
    private static final int DEFAULT_CONNECTION_MAX = 10;
    private static final int DEFAULT_CONNECTION_MIN = 1;
    private static final int DEFAULT_CONNECTION_STEP = 1;
    private static final int DEFAULT_TIMEOUT = 20;
    // Property-key suffixes looked up by createServerDefinition() as "<host>.<suffix>".
    private static final String ACCOUNTING_PORT = "accountingPort";
    private static final String AUTHENTICATION_PORT = "authenticationPort";
    private static final String AUTHORIZATION_PORT = "authorizationPort";
    private static final String CONNECTION_MAX = "connectionMax";
    private static final String CONNECTION_MIN = "connectionMin";
    private static final String CONNECTION_STEP = "connectionStep";
    private static final String TIMEOUT = "timeout";
    // javac 1.4 class-literal caches (decompiler artifact); filled lazily by extractSessionId() /
    // extractSessionSpec() via the synthetic class$() helper.
    static Class class$com$ibm$wps$sso$SiteMinderSessionIdPrincipal;
    static Class class$com$ibm$wps$sso$SiteMinderSessionSpecPrincipal;
    // Trace logging: trcLog is obtained in init(); `logging` caches trcLog.isLogging() and guards most
    // (not all) trace calls in this class.
    private LogManager logMgr = null;
    private ILogger trcLog = null;
    // Not referenced by the methods visible in this file.
    private final int reservedObjectID = ObjectID.ANY.intValue();
    // Policy-store objects every realm/rule/policy/response created here is attached to; presumably
    // resolved in initSiteminder() (its body is cut off in this view).
    private SmDomain domain = null;
    private SmPolicyApi policyApi = null;
    private SmUserDirectory dir = null;
    private SmScheme scheme = null;
    // One SmResponse per portal permission; each realm gets one policy per response
    // (see createPoliciesForRule()) and responseToPermission() maps them back.
    private SmResponse[] responses = null;
    private SmAgent agent = null;
    // Realm session timeouts passed to SmRealm.setMaxTimeout()/setIdleTimeout() in createRealm();
    // units are not visible here (seconds presumably — TODO confirm). IDLE_TIMEOUT's initializer is a
    // decompiler constant substitution for the value 400.
    private int MAX_TIMEOUT = 58400;
    private int IDLE_TIMEOUT = HttpServletResponse.SC_BAD_REQUEST;
    private boolean SYNC_AUDIT = false;
    // Agent-side API used at request time for isProtected()/authorize().
    private AgentAPI agentApi = null;
    // Id of the pseudo-principal standing for anonymous access; replaced from
    // "accesscontrol.anonymousid" in initSiteminder().
    private String ANONYMOUS_USER = "anonymous";
    // See ANONYMOUS_ACCESS_MODE / NOT_PROTECTED_MODE above; replaced from the properties in initSiteminder().
    private int public_access_mode = 1;
    // Not referenced by the methods visible in this file.
    private InitDef init = null;
    // Id of the pseudo-principal standing for "any authenticated user"; replaced from
    // "accesscontrol.anyauthuser" in initSiteminder().
    private String ANYAUTH_USER = "anyauth";
    private boolean logging = false;
    // Connection-pool settings; CONNECTIONMAX's initializer is a decompiler constant substitution for
    // the value 20. None of the four is referenced by the methods visible in this file.
    private int CONNECTIONS = 17;
    private int CONNECTIONSTEP = 1;
    private int CONNECTIONMAX = DEFAULT_TIMEOUT;
    private String SERVERS = "servers";

    @Override // com.ibm.wps.services.authorization.ExternalAccessControlService
    public void addObject(ObjectType objectType, ObjectID objectID, String str) throws DataBackendException {
        // This hook does not touch the policy store; it only leaves a trace entry. The SiteMinder
        // realm/rule/policies for an object are built elsewhere (see createNameSpaceEntry()).
        if (!this.logging) {
            return;
        }
        String message = "add object " + objectType + ":" + objectID + " alias " + str;
        this.trcLog.text(1L, this, "addObject", message);
    }

    private Permission attributeToPermission(String str) {
        // Maps a SiteMinder response-attribute value to a portal Permission. Checks run in this fixed
        // order and the first hit wins; an unrecognised value maps to NONE.
        // NOTE(review): each test is a case-sensitive substring search, so any value that merely
        // contains one of these words is classified as that permission.
        if (str.indexOf("edit") != -1) {
            return Permission.EDIT;
        }
        if (str.indexOf("copy") != -1) {
            return Permission.COPY;
        }
        if (str.indexOf("create") != -1) {
            return Permission.CREATE;
        }
        if (str.indexOf(WpsXmlAccessConstants.MANAGE) != -1) {
            return Permission.MANAGE;
        }
        if (str.indexOf("view") != -1) {
            return Permission.VIEW;
        }
        if (str.indexOf(WpsXmlAccessConstants.DELEGATE) != -1) {
            return Permission.DELEGATE;
        }
        return Permission.NONE;
    }

    private SmRealm createNameSpaceEntry(ObjectType objectType, ObjectID objectID, String str) throws DataBackendException {
        // Ensures the realm for this object exists, then the "any access" rule on it, then one policy
        // per configured response linked to that rule. Each step is idempotent (looks up before creating).
        String friendlyName = getFriendlyName(objectType, objectID, str);
        SmRealm realm = createRealm(objectType, objectID, friendlyName);
        SmRule rule = createRuleForRealm(realm);
        createPoliciesForRule(realm, rule);
        if (this.logging) {
            this.trcLog.exit(512L, this, "createNameSpaceEntry()");
        }
        return realm;
    }

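    /**
     * Creates, for each configured response, the policy "&lt;realm&gt; &lt;response&gt; policy" in the
     * domain and links it to {@code smRule} with that response attached. Existing policies are left
     * untouched.
     *
     * @param smRealm realm whose name prefixes the policy names
     * @param smRule  rule every new policy is linked to
     * @return always {@code true}
     * @throws DataBackendException on any policy-API exception or on an unsuccessful add/link result
     *         (these results were previously ignored, which could leave a policy with no rule or no response)
     */
    private boolean createPoliciesForRule(SmRealm smRealm, SmRule smRule) throws DataBackendException {
        if (this.logging) {
            this.trcLog.entry(128L, this, "createPoliciesForRule()");
        }
        String domainName = this.domain.getName();
        for (int i = 0; i < this.responses.length; i++) {
            SmResponse response = this.responses[i];
            // Naming must match the lookup in getEntitledSubjects(): "<realm> <response name> policy".
            String policyName = smRealm.getName() + Formatter.DEFAULT_SEPARATOR + response.getName() + " policy";
            // Fresh object per response: the original reused a single SmPolicy across iterations, so a
            // failed lookup could leave fields (including the oid) from the previous iteration in it.
            SmPolicy policy = new SmPolicy();
            try {
                // getPolicy() fills `policy` in place when it exists; nothing more to do then.
                if (this.policyApi.getPolicy(policyName, domainName, policy).isSuccess()) {
                    continue;
                }
                policy.setName(policyName);
                policy.setDescription(response.getName() + " access for this WPS object");
                policy.setEnabled(true);
                policy.setDomain(domainName);
                requirePolicyApiSuccess(this.policyApi.addPolicy(policy), "addPolicy " + policyName);
                SmPolicyLink link = new SmPolicyLink();
                link.setPolicy(policy.getOid());
                link.setRule(smRule.getOid());
                link.setDomain(domainName);
                requirePolicyApiSuccess(this.policyApi.addPolicyLink(link), "addPolicyLink " + policyName);
                link.setResponse(response.getOid());
                requirePolicyApiSuccess(this.policyApi.setResponseInPolicyLink(link), "setResponseInPolicyLink " + policyName);
            } catch (SmApiException e) {
                throw new DataBackendException("in createPoliciesForRule(): ", e);
            }
        }
        if (this.logging) {
            this.trcLog.exit(128L, this, "createPoliciesForRule()");
        }
        return true;
    }

    /**
     * Turns an unsuccessful policy-API result into a {@link DataBackendException}.
     *
     * @param result    result of a policy-API call (a null result is treated as failure)
     * @param operation short description of the call, for the exception message
     * @throws DataBackendException when {@code result} is null or not successful
     */
    private static void requirePolicyApiSuccess(SmApiResult result, String operation) throws DataBackendException {
        if (result == null || !result.isSuccess()) {
            throw new DataBackendException("in createPoliciesForRule(): " + operation + " failed. Result: " + result);
        }
    }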

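    /**
     * Looks up the SiteMinder realm for an object and creates it when the lookup reports "not found".
     * {@code ObjectID.ANY} denotes the per-type parent realm ("Protecting WPS &lt;type&gt;s"); any other id
     * creates a per-object realm nested under that parent, which is itself created on demand through
     * {@link #createNameSpaceEntry}.
     *
     * @param objectType type of the protected object
     * @param objectID   id of the protected object, or {@code ObjectID.ANY} for the per-type realm
     * @param str        friendly name used in the realm name (see getFriendlyName())
     * @return the found or newly created realm
     * @throws DataBackendException when getRealm() fails for any reason other than "not found",
     *         when addRealm() is unsuccessful, or when the policy API throws
     */
    private SmRealm createRealm(ObjectType objectType, ObjectID objectID, String str) throws DataBackendException {
        if (this.logging) {
            this.trcLog.entry(128L, this, "createRealm()");
        }
        boolean isTypeRealm = objectID.equals(ObjectID.ANY);
        String domainName = this.domain.getName();
        SmRealm realm = new SmRealm();
        try {
            // NOTE(review): the per-type lookup passes "" as the friendly name while creation below passes
            // str; kept as in the original since oidToRealmName() is defined outside this view.
            String lookupName = isTypeRealm
                    ? oidToRealmName(objectType, ObjectID.ANY, "")
                    : oidToRealmName(objectType, objectID, str);
            SmApiResult lookup = this.policyApi.getRealm(lookupName, domainName, realm);
            String outcome;
            if (lookup.isSuccess()) {
                outcome = "Found";
            } else {
                // Only this exact facility/severity/status/reason combination with a "not found" message is
                // treated as "create it"; everything else (including a missing message) is an error.
                String message = lookup.getMessage();
                boolean notFound = lookup.getFacility() == 4 && lookup.getSeverity() == 3
                        && lookup.getStatus() == 36 && lookup.getReason() == -28
                        && message != null && message.indexOf("not found") != -1;
                if (!notFound) {
                    if (this.logging) {
                        this.trcLog.text(4L, this, "createRealm()", "unexpected error from getRealm()");
                    }
                    throw new DataBackendException("unexpected error from getRealm(). Results: " + message);
                }
                if (isTypeRealm) {
                    String realmName = oidToRealmName(objectType, ObjectID.ANY, str);
                    realm = new SmRealm(realmName);
                    realm.setResourceFilter("/" + realmName);
                    realm.setParentRealmOid(this.domain.getOid());
                    realm.setDescription("Protecting WPS " + objectType + "s");
                } else {
                    String realmName = oidToRealmName(objectType, objectID, str);
                    realm = new SmRealm(realmName);
                    realm.setResourceFilter("/" + realmName);
                    // Recursion terminates: the ObjectID.ANY call takes the branch above.
                    realm.setParentRealmOid(createNameSpaceEntry(objectType, ObjectID.ANY, str).getOid());
                    realm.setDescription("Protecting WPS " + objectType + objectID);
                }
                realm.setAgent(this.agent.getOid());
                realm.setAgentType(this.agent.getAgentType());
                realm.setDomain(domainName);
                realm.setScheme(this.scheme.getOid());
                realm.setProcessAuthEvents(true);
                realm.setProcessAzEvents(true);
                // Every resource under the realm is protected; the rule/policies decide who gets in.
                realm.setProtectAll(true);
                realm.setMaxTimeout(this.MAX_TIMEOUT);
                realm.setIdleTimeout(this.IDLE_TIMEOUT);
                realm.setSyncAudit(this.SYNC_AUDIT);
                realm.setAzUserDirOid(this.dir.getOid());
                SmApiResult added = this.policyApi.addRealm(realm);
                if (!added.isSuccess()) {
                    throw new DataBackendException("Unexpected results from addRealm(). Result is:" + added);
                }
                outcome = "Created";
            }
            if (this.logging) {
                this.trcLog.text(1L, this, "createRealm()", outcome + " Realm \"" + realm.getName() + "\" : " + realm.getOid());
                this.trcLog.exit(256L, this, "createRealm()");
            }
            return realm;
        } catch (SmApiException e) {
            throw new DataBackendException((Throwable) e);
        }
    }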

    private void createResponsesForDomain(SmDomain smDomain) throws DataBackendException {
        // For every configured response that does not yet exist in the domain, creates it together with
        // one response attribute named "wps_<response>_permission". Existing responses are left alone.
        if (this.logging) {
            this.trcLog.entry(128L, this, "createResponseForDomain()");
        }
        try {
            String domainName = smDomain.getName();
            for (int idx = 0; idx < this.responses.length; idx++) {
                SmResponse response = this.responses[idx];
                // getResponse() fills `response` in place when it already exists.
                boolean exists = this.policyApi.getResponse(response.getName(), domainName, response).isSuccess();
                if (exists) {
                    continue;
                }
                response.setDescription(response.getName() + " response");
                response.setAgentType(this.agent.getAgentType());
                response.setDomain(domainName);
                this.policyApi.addResponse(response);
                // setType(1) and the value constant are decompiler substitutions; their literal meaning is
                // not visible here. The attribute value is presumably what authorize() hands back and
                // attributeToPermission() inspects — confirm against the SiteMinder configuration.
                SmResponseAttr attribute = new SmResponseAttr();
                attribute.setResponse(response.getOid());
                attribute.setType(1);
                attribute.setDomain(domainName);
                attribute.setVarName("wps_" + response.getName() + "_permission");
                attribute.setValue(FavoritesHelper.TYPE_PHONE_NUMBER);
                this.policyApi.addResponseAttr(attribute);
            }
            if (this.logging) {
                this.trcLog.exit(256L, this, "createResponseForDomain()");
            }
        } catch (SmApiException e) {
            throw new DataBackendException((Throwable) e);
        }
    }

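    /**
     * Returns the realm's "anyAccessRule", creating it when absent: an enabled allow rule for the
     * configured action on every resource of the realm. The rule itself grants nobody anything; the
     * policies linked to it by {@link #createPoliciesForRule} decide who matches.
     *
     * @param smRealm realm the rule belongs to
     * @return the existing or newly created rule
     * @throws DataBackendException when the policy API throws, or when addRule() is unsuccessful
     *         (previously ignored: a rule without an oid would then be linked into policies silently)
     */
    private SmRule createRuleForRealm(SmRealm smRealm) throws DataBackendException {
        if (this.logging) {
            this.trcLog.entry(128L, this, "createRuleForRealm()");
        }
        SmRule rule = new SmRule();
        try {
            // getRule() fills `rule` in place on success; only create when it is missing.
            if (!this.policyApi.getRule("anyAccessRule", smRealm.getName(), smRealm.getDomainName(), rule).isSuccess()) {
                rule.setName("anyAccessRule");
                rule.setDescription("Rule to fire on ANY access to this realm");
                rule.setEnabled(true);
                rule.setRegularExpression(false);
                rule.setDomain(this.domain.getName());
                rule.setAgentType(this.agent.getAgentType());
                rule.setAllowAccess(true);
                rule.setAction(this.actionString);
                // WILDCARD_NAME is a decompiler constant substitution; the literal is not visible here.
                rule.setResource(DecodeEngine.WILDCARD_NAME);
                rule.setRealm(smRealm.getOid());
                SmApiResult added = this.policyApi.addRule(rule);
                if (!added.isSuccess()) {
                    throw new DataBackendException("in createRuleForRealm(): addRule failed. Result: " + added);
                }
                if (this.logging) {
                    this.trcLog.text(1L, this, "createRuleForRealm()", "created rule for realm: " + smRealm.getName());
                }
            }
            if (this.logging) {
                // The exit trace used to carry another method's label ("createResponseForDomain()").
                this.trcLog.exit(128L, this, "createRuleForRealm()");
            }
            return rule;
        } catch (SmApiException e) {
            throw new DataBackendException("in createRuleForRealm(): ", e);
        }
    }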

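    /**
     * Builds the agent-side definition of one policy server from its host string plus optional
     * "&lt;host&gt;.&lt;key&gt;" overrides in {@code properties}; keys are the *_PORT / CONNECTION_* / TIMEOUT
     * constants of this class.
     *
     * @param str        policy-server address (IP or resolvable host name); it is stored verbatim
     * @param properties configuration holding the optional per-server overrides
     * @return the definition, or {@code null} when {@code str} is null/empty or does not resolve
     */
    private ServerDef createServerDefinition(String str, Properties properties) {
        // Reject null/empty before resolving: per the JDK contract InetAddress.getByName(null) and ("")
        // return the loopback address instead of failing, so the original's resolve-first order never
        // caught these through the exception path anyway.
        if (null == str || 0 == str.length()) {
            this.trcLog.text(1L, this, "createServerDef()", "Null or empty IP Addresses are not permitted");
            return null;
        }
        try {
            // Resolvability check only; the result is discarded and the configured string is kept.
            InetAddress.getByName(str);
        } catch (UnknownHostException e) {
            this.trcLog.text(1L, this, "createServerDef()", "The IP Address \"" + str + "\" is not valid, ignoring");
            return null;
        }
        ServerDef serverDef = new ServerDef();
        serverDef.serverIpAddress = str;
        // Same order as the original so the trace output is unchanged.
        serverDef.accountingPort = resolveServerSetting(str, ACCOUNTING_PORT, "Accounting Port", DEFAULT_ACCOUNTING_PORT, properties);
        serverDef.authenticationPort = resolveServerSetting(str, AUTHENTICATION_PORT, "Authentication Port", DEFAULT_AUTHENTICATION_PORT, properties);
        serverDef.authorizationPort = resolveServerSetting(str, AUTHORIZATION_PORT, "Authorization Port", DEFAULT_AUTHORIZATION_PORT, properties);
        serverDef.connectionMax = resolveServerSetting(str, CONNECTION_MAX, "Connection Max", DEFAULT_CONNECTION_MAX, properties);
        serverDef.connectionMin = resolveServerSetting(str, CONNECTION_MIN, "Connection Min", DEFAULT_CONNECTION_MIN, properties);
        serverDef.connectionStep = resolveServerSetting(str, CONNECTION_STEP, "Connection Step", DEFAULT_CONNECTION_STEP, properties);
        serverDef.timeout = resolveServerSetting(str, TIMEOUT, "Timeout", DEFAULT_TIMEOUT, properties);
        return serverDef;
    }

    /**
     * Reads the positive-integer override "&lt;host&gt;.&lt;key&gt;" and traces it, or falls back to the default.
     *
     * @param host         policy-server address the setting belongs to
     * @param key          property-key suffix
     * @param label        human-readable setting name for the trace message
     * @param defaultValue value used when no positive override is configured
     * @param properties   configuration to read from
     * @return the override when greater than zero, otherwise {@code defaultValue}
     */
    private int resolveServerSetting(String host, String key, String label, int defaultValue, Properties properties) {
        int configured = parsePositiveInteger(host + "." + key, properties);
        if (0 < configured) {
            this.trcLog.text(1L, this, "createServerDef()", label + " for server " + host + " has been changed to " + configured);
            return configured;
        }
        return defaultValue;
    }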

    private String extractSessionId(User user) {
        // Returns the SiteMinder session id carried by the user's Subject as a SiteMinderSessionIdPrincipal
        // (its toString()), or null when the user has no Subject or no such principal. When several
        // match, the last one iterated wins, as in the original.
        if (this.logging) {
            this.trcLog.entry(1L, this, "extractSessionId()");
        }
        Subject subject = user.getSubject();
        if (subject == null) {
            return null;
        }
        String sessionId = null;
        for (Iterator it = subject.getPrincipals(sessionIdPrincipalClass()).iterator(); it.hasNext(); ) {
            sessionId = it.next().toString();
        }
        return sessionId;
    }

    // Lazily resolved class literal (javac 1.4 idiom preserved from the decompiled source).
    private static Class sessionIdPrincipalClass() {
        if (class$com$ibm$wps$sso$SiteMinderSessionIdPrincipal == null) {
            class$com$ibm$wps$sso$SiteMinderSessionIdPrincipal = class$("com.ibm.wps.sso.SiteMinderSessionIdPrincipal");
        }
        return class$com$ibm$wps$sso$SiteMinderSessionIdPrincipal;
    }

    private String extractSessionSpec(User user) {
        // Returns the SiteMinder session spec carried by the user's Subject as a
        // SiteMinderSessionSpecPrincipal (its toString()), or null when the user has no Subject or no such
        // principal. When several match, the last one iterated wins, as in the original.
        if (this.logging) {
            this.trcLog.entry(1L, this, "extractSessionSpec()");
        }
        Subject subject = user.getSubject();
        if (subject == null) {
            return null;
        }
        String sessionSpec = null;
        for (Iterator it = subject.getPrincipals(sessionSpecPrincipalClass()).iterator(); it.hasNext(); ) {
            sessionSpec = it.next().toString();
        }
        return sessionSpec;
    }

    // Lazily resolved class literal (javac 1.4 idiom preserved from the decompiled source).
    private static Class sessionSpecPrincipalClass() {
        if (class$com$ibm$wps$sso$SiteMinderSessionSpecPrincipal == null) {
            class$com$ibm$wps$sso$SiteMinderSessionSpecPrincipal = class$("com.ibm.wps.sso.SiteMinderSessionSpecPrincipal");
        }
        return class$com$ibm$wps$sso$SiteMinderSessionSpecPrincipal;
    }

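    /**
     * Lists the subjects of kind {@code objectType} that hold each response's permission on the object
     * {@code objectType2}:{@code objectID}, by reading the user policies attached to the per-response
     * policies that {@link #createPoliciesForRule} created.
     *
     * @param objectType  kind of subject to report (USER or USER_GROUP; anything else matches all)
     * @param objectType2 type of the protected object
     * @param objectID    id of the protected object
     * @param str         friendly name of the object (see getFriendlyName())
     * @return the collected permissions per subject
     * @throws DataBackendException when the policy API throws; the original swallowed this and returned a
     *         partial or empty collection, which misreports who is entitled
     */
    @Override // com.ibm.wps.services.authorization.ExternalAccessControlService
    public PermissionCollection getEntitledSubjects(ObjectType objectType, ObjectType objectType2, ObjectID objectID, String str) throws DataBackendException {
        PermissionCollection permissionCollection = new PermissionCollection(objectType2, objectID, objectType);
        if (this.logging) {
            this.trcLog.text(1L, this, "getEntitledSubjects", "get entitled subjects for " + objectType2 + ":" + objectID);
        }
        // Subject filter: a user policy's filter class (lower-cased) must contain this token. "person"
        // presumably selects users and IConstants.KEY_GROUP groups; "" matches every policy.
        String filterClassToken = "";
        if (objectType.equals(ObjectType.USER)) {
            filterClassToken = "person";
        } else if (objectType.equals(ObjectType.USER_GROUP)) {
            filterClassToken = IConstants.KEY_GROUP;
        }
        String realmName = oidToRealmName(objectType2, objectID, getFriendlyName(objectType2, objectID, str));
        String domainName = this.domain.getName();
        Vector userPolicies = new Vector();
        try {
            for (int i = 0; i < this.responses.length; i++) {
                SmResponse response = this.responses[i];
                // Must equal the name built in createPoliciesForRule(): "<realm> <response name> policy".
                // The original appended the SmResponse object (its toString()) here instead of its name.
                String policyName = realmName + Formatter.DEFAULT_SEPARATOR + response.getName() + " policy";
                this.policyApi.getUserPolicies(policyName, domainName, userPolicies);
                for (int j = 0; j < userPolicies.size(); j++) {
                    SmUserPolicy userPolicy = (SmUserPolicy) userPolicies.elementAt(j);
                    if (this.logging) {
                        this.trcLog.text(1L, this, "getEntitledSubjects()", "policy found: filterpath->" + userPolicy.getFilterPath() + " filterclass-> " + userPolicy.getFilterClass());
                    }
                    if (userPolicy.getFilterClass().toLowerCase().indexOf(filterClassToken) == -1) {
                        continue;
                    }
                    if (this.logging) {
                        this.trcLog.text(1L, this, "getEntitledSubjects()", "setting " + response.getName() + " permission for " + userPolicy.getFilterPath());
                    }
                    PermissionSet permissionSet = new PermissionSet();
                    permissionSet.setPermission(responseToPermission(response), true);
                    // NOTE(review): the subject is always resolved as a user, even when objectType is
                    // USER_GROUP; confirm whether getGroup(String) should be used for group filter paths.
                    permissionCollection.setPermissions(permissionSet, getUser(userPolicy.getFilterPath()).getObjectId(), true);
                    if (this.logging) {
                        this.trcLog.text(1L, this, "getEntitledSubjects()", "User:" + userPolicy.getFilterPath() + " has " + response.getName() + " access to: " + realmName);
                    }
                }
                userPolicies.clear();
            }
        } catch (SmApiException e) {
            if (this.logging) {
                this.trcLog.exception(512L, this, "getEntitledSubjects()", e);
            }
            // Surface the failure like the other policy-API calls in this class do, rather than answering
            // "nobody is entitled".
            throw new DataBackendException("in getEntitledSubjects(): ", e);
        }
        return permissionCollection;
    }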

    private String getFilterName(ObjectType objectType, ObjectID objectID) {
        // Pseudo-principals map to the configured placeholder ids; real users and groups are resolved
        // through PUMA and their id is returned.
        if (objectType.equals(ObjectType.ANONYMOUS_USER)) {
            return this.ANONYMOUS_USER;
        }
        if (objectID.equals(ObjectID.ANY)) {
            return this.ANYAUTH_USER;
        }
        if (objectType.equals(ObjectType.USER)) {
            return getUser(objectID).getId();
        }
        return getGroup(objectID).getId();
    }

    private String getFriendlyName(ObjectType objectType, ObjectID objectID, String str) {
        // The ObjectID.ANY placeholder is named after its type; everything else is "<alias>(<id>)".
        if (objectID.equals(ObjectID.ANY)) {
            return objectType.toString();
        }
        return str + "(" + objectID.toString() + ")";
    }

    private Group getGroup(ObjectID objectID) {
        // A null id yields null instead of a lookup with a null key.
        return objectID == null ? null : GroupManager.instance().findById(objectID);
    }

    private Group getGroup(String str) {
        // Looks a group up by its string id (a DN, going by the trace message); null in, null out.
        if (this.logging) {
            this.trcLog.text(1L, this, "getGroup(String)", "getting group for: " + str);
        }
        if (str == null) {
            if (this.logging) {
                this.trcLog.text(4L, this, "getGroup(String)", "null DN for Group lookup");
            }
            return null;
        }
        return GroupManager.instance().findById(str);
    }

    private final ObjectID getObjectID(Principal principal) {
        if (principal == null) {
            return ObjectID.ANY;
        }
        String id = principal.getId();
        // Placeholder principals are recognised by substring: an id containing "ANY" or "ANONYMOUS" maps
        // to ObjectID.ANY. NOTE(review): this is a case-sensitive contains() test, so a real principal
        // whose id happens to contain either token is treated as the placeholder too (getPermissions
        // then skips session-based authorization for it).
        boolean placeholder = id.indexOf("ANY") != -1 || id.indexOf("ANONYMOUS") != -1;
        return placeholder ? ObjectID.ANY : principal.getObjectId();
    }

    private final ObjectType getObjectType(Principal principal) {
        // null and the ANY_ANONYMOUS_USER sentinel are anonymous; the ANY_USER sentinel and any User
        // instance are users; everything else is treated as a group.
        if (principal == null || principal == AccessControl.ANY_ANONYMOUS_USER) {
            return ObjectType.ANONYMOUS_USER;
        }
        if (principal == AccessControl.ANY_USER || principal instanceof User) {
            return ObjectType.USER;
        }
        return ObjectType.USER_GROUP;
    }

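    /**
     * Asks the SiteMinder agent which permissions {@code principal} holds on the object
     * {@code objectType}:{@code objectID}.
     * <p>
     * Protected resource: only an authenticated user carrying a SiteMinder session principal is sent to
     * authorize(); its response attributes are mapped through {@link #attributeToPermission}. Anonymous,
     * group and placeholder subjects get an empty set. Unprotected resource: VIEW for everyone when
     * public_access_mode is 1. Any agent/policy-server failure is an exception, never an implicit grant.
     * The parameters {@code collection}, {@code objectType2} and {@code collection2} are not used here.
     *
     * @param principal  subject to evaluate (may be null, which counts as anonymous)
     * @param objectType type of the protected object
     * @param objectID   id of the protected object
     * @param str        friendly name of the object (see getFriendlyName())
     * @return the permissions granted by SiteMinder; empty when nothing was granted
     * @throws DataBackendException when isProtected() or authorize() reports a failure code. The original
     *         treated every isProtected() result other than 1 as "not protected" and, with
     *         public_access_mode 1, granted VIEW during an agent or policy-server outage.
     */
    @Override // com.ibm.wps.services.authorization.ExternalAccessControlService
    public PermissionSet getPermissions(Principal principal, Collection collection, ObjectType objectType, ObjectID objectID, String str, ObjectType objectType2, Collection collection2) throws DataBackendException {
        ObjectType subjectType = getObjectType(principal);
        ObjectID subjectId = getObjectID(principal);
        if (this.logging) {
            this.trcLog.text(1L, this, "getPermissions(prin)", "get permissions for " + subjectType + ":" + subjectId + " on " + objectType + ":" + objectID);
        }
        PermissionSet permissionSet = new PermissionSet();
        String resourceName = oidToResourceName(objectType, objectID, getFriendlyName(objectType, objectID, str));
        ResourceContextDef resourceContext = new ResourceContextDef("", "", resourceName, this.actionString);
        RealmDef realmDef = new RealmDef();
        if (this.logging) {
            this.trcLog.text(1L, this, "getPermissions(prin)", "resource to check is: " + resourceName);
        }
        int isProtected = this.agentApi.isProtected("", resourceContext, realmDef);
        this.trcLog.text(1L, this, "getPermissions(prin)", "SiteMinder isProtected=" + isProtected);
        if (isProtected == 1) {
            // Agent API: 1 = protected.
            boolean sessionBacked = subjectType.equals(ObjectType.USER) && !subjectId.equals(ObjectID.ANY);
            String sessionId = sessionBacked ? extractSessionId((User) principal) : null;
            if (sessionId != null) {
                SessionDef sessionDef = new SessionDef();
                sessionDef.id = sessionId;
                sessionDef.spec = extractSessionSpec((User) principal);
                AttributeList attributeList = new AttributeList();
                int rc = this.agentApi.authorize("", "WebSphere Portal Server", resourceContext, realmDef, sessionDef, attributeList);
                if (rc == 1) {
                    // Authorized: every returned attribute value names a permission.
                    if (this.logging) {
                        this.trcLog.text(1L, this, "getPermissions(prin)", "SiteMinder authorized() was successful. Evaluating responses for WP permissions");
                    }
                    Enumeration attributes = attributeList.attributes();
                    while (attributes.hasMoreElements()) {
                        // Decoded with the platform charset as in the original; the values are expected to be
                        // the ASCII permission words attributeToPermission() looks for.
                        byte[] value = ((Attribute) attributes.nextElement()).value;
                        permissionSet.addPermission(attributeToPermission(new String(value)));
                    }
                } else if (rc == 2) {
                    // Not authorized: nothing granted.
                    if (this.logging) {
                        this.trcLog.text(1L, this, "getPermissions(prin)", "Resource not authorized, SiteMinder isAuthorized() returned: " + rc);
                    }
                } else {
                    // -1/-2/-3 (and anything else) are agent failures.
                    if (this.logging) {
                        this.trcLog.text(4L, this, "getPermissions(prin)", "SiteMinder isAuthorized() failure, rc: " + rc);
                    }
                    throw new DataBackendException("SiteMinder isAuthorized() failure, rc: " + rc);
                }
            }
        } else if (isProtected == 2) {
            // Agent API: 2 = not protected. Public access is a configuration choice (ANONYMOUS_ACCESS_MODE).
            if (this.public_access_mode == 1) {
                permissionSet.setPermission(Permission.VIEW, true);
                this.trcLog.text(1L, this, "getPermissions(prin)", "Granting VIEW  permission to everyone b/c resource is not protected");
            }
        } else {
            // Failure code from isProtected(): fail closed, consistent with the authorize() handling above.
            if (this.logging) {
                this.trcLog.text(4L, this, "getPermissions(prin)", "SiteMinder isProtected() failure, rc: " + isProtected);
            }
            throw new DataBackendException("SiteMinder isProtected() failure, rc: " + isProtected);
        }
        if (this.logging) {
            this.trcLog.text(1L, this, "getPermissions(prin)", "Set returned from SiteMinder for " + subjectType + ":" + subjectId + " on " + resourceName + " is  {" + permissionSet + "}");
        }
        return permissionSet;
    }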

    @Override // com.ibm.wps.services.authorization.ExternalAccessControlService
    public PermissionSet getPermissions(ObjectType objectType, ObjectID objectID, ObjectType objectType2, Collection collection, ObjectType objectType3, ObjectID objectID2, String str, ObjectType objectType4, Collection collection2) throws DataBackendException {
        // This overload never consults SiteMinder: it always answers with a NONE permission set. Only the
        // Principal-based overload performs an authorize() call.
        PermissionSet none = new PermissionSet(Permission.NONE);
        if (!this.logging) {
            return none;
        }
        String subject = objectType + ":" + objectID;
        String target = objectType3 + ":" + objectID2;
        this.trcLog.text(128L, this, "getPermissions", "get permissions for " + subject + " on " + target);
        this.trcLog.text(1L, this, "getPermission()", "set returned from SiteMinder for: " + subject + " on " + target + "is " + none);
        return none;
    }

    private User getUser(ObjectID objectID) {
        // A null id yields null instead of a lookup with a null key.
        return objectID == null ? null : (User) UserManager.instance().findById(objectID);
    }

    private User getUser(String str) {
        // Looks a user up by its string id; null in, null out.
        return str == null ? null : (User) UserManager.instance().findById(str);
    }

    @Override // com.ibm.wps.services.Service
    public void init(Properties properties) throws Exception {
        // Trace logging first, so the rest of initialization can be followed.
        this.logMgr = LogManager.getManager();
        this.trcLog = this.logMgr.getTraceLogger("AccessControlTraceLogger");
        this.logging = this.trcLog.isLogging();
        if (this.logging) {
            this.trcLog.text(1L, this, "entry", "initialized logging");
        }
        // "accesscontrol.ready" gates the whole SiteMinder setup. When it is false nothing else is
        // initialized (agentApi/policyApi stay null) and the only sign is a trace-level warning.
        boolean ready = properties.getBoolean("accesscontrol.ready").booleanValue();
        if (ready) {
            initSiteminder(properties);
            return;
        }
        if (this.logging) {
            this.trcLog.text(2L, this, "init()", "WARNING: Siteminder configuration is not ready. Check ExternalAccessControlService.properties. Siteminder authorization DISABLED");
        }
    }

    /**
     * Connects to the SiteMinder policy server and loads (or creates) the portal domain.
     * <p>
     * Reads the {@code accesscontrol.*} settings from {@code properties}, builds the agent
     * configuration from the comma-separated server list, logs in as the configured
     * administrator, resolves scheme, agent and user directory, and finally either reuses the
     * configured domain or creates it together with its responses and the EXTERNAL_ACL namespace.
     *
     * @param properties service configuration (ExternalAccessControlService.properties)
     * @throws DataBackendException when the server list is empty, the administrative login
     *         fails, a required policy object cannot be resolved, or the SiteMinder API raises
     *         an error
     */
    private void initSiteminder(Properties properties) throws DataBackendException {
        StringBuffer stringBuffer = new StringBuffer();
        // Domain name has no default; the other keys fall back to the literal defaults given here.
        String string = properties.getString("accesscontrol.domainname");
        this.actionString = properties.getString("accesscontrol.action", "Action");
        String string2 = properties.getString("accesscontrol.scheme", "Basic");
        String string3 = properties.getString("accesscontrol.agentname", "agent");
        String string4 = properties.getString("accesscontrol.agentsecret", "password");
        String string5 = properties.getString("accesscontrol.userdir", "userDir");
        String string6 = properties.getString("accesscontrol.admin", "siteminder");
        String string7 = properties.getString("accesscontrol.password", "userDir");
        // NOTE(review): this key carries no "accesscontrol." prefix, unlike every other setting
        // read here -- confirm the properties file spells it this way.
        boolean z = properties.getBoolean("failover", false);
        this.public_access_mode = properties.getInteger("accesscontrol.public_access_mode", 1);
        this.ANONYMOUS_USER = properties.getString("accesscontrol.anonymousid");
        this.ANYAUTH_USER = properties.getString("accesscontrol.anyauthuser");
        // Configuration dump for tracing; the entries are concatenated without any separator.
        // NOTE(review): the agent secret and the administrative password are copied in verbatim,
        // so an enabled trace logger writes both credentials to its destination.
        stringBuffer.append(new StringBuffer().append("accesscontrol.domainname: ").append(string).toString());
        stringBuffer.append(new StringBuffer().append("accesscontrol.scheme: ").append(string2).toString());
        stringBuffer.append(new StringBuffer().append("accesscontrol.agentname: ").append(string3).toString());
        stringBuffer.append(new StringBuffer().append("accesscontrol.agentsecret: ").append(string4).toString());
        stringBuffer.append(new StringBuffer().append("accesscontrol.userDir: ").append(string5).toString());
        stringBuffer.append(new StringBuffer().append("accesscontrol.user: ").append(string6).toString());
        stringBuffer.append(new StringBuffer().append("accesscontrol.password: ").append(string7).toString());
        stringBuffer.append(new StringBuffer().append("accesscontrol.anonymousid: ").append(this.ANONYMOUS_USER).toString());
        stringBuffer.append(new StringBuffer().append("accesscontrol.action: ").append(this.actionString).toString());
        if (this.logging) {
            this.trcLog.text(1L, this, "initSiteminder()", stringBuffer.toString());
        }
        // The six response names; the same names are matched by responseToPermission().
        this.responses = new SmResponse[6];
        this.responses[0] = new SmResponse("edit");
        this.responses[1] = new SmResponse("view");
        this.responses[2] = new SmResponse(WpsXmlAccessConstants.MANAGE);
        this.responses[3] = new SmResponse("create");
        this.responses[4] = new SmResponse("copy");
        this.responses[5] = new SmResponse(WpsXmlAccessConstants.DELEGATE);
        try {
            // SERVERS is the property key for the server list; the field is declared outside this excerpt.
            String string8 = properties.getString(this.SERVERS);
            // NOTE(review): parsePositiveInteger() catches MissingResourceException from the same
            // getString call, so an absent key presumably throws it here too -- the handler below
            // only covers SmApiException.
            if (0 == string8.length()) {
                this.trcLog.text(1L, this, "initSiteminder()", "Please specify a value for the servers Property in the properties file");
                throw new DataBackendException("Please specify a value for the servers Property in the properties file");
            }
            StringTokenizer stringTokenizer = new StringTokenizer(string8, ",");
            if (0 >= stringTokenizer.countTokens()) {
                this.trcLog.text(1L, this, "initSiteminder()", "Please specify a value for the servers Property in the ExternalAccessControlService.properties file");
                throw new DataBackendException("Please specify a value for the servers Property in the ExternalAccessControlService.properties file");
            }
            // The first valid server definition creates the InitDef; later ones are added to it.
            boolean z2 = false;
            InitDef initDef = null;
            while (stringTokenizer.hasMoreTokens()) {
                String trim = stringTokenizer.nextToken().trim();
                this.trcLog.text(1L, this, "initSiteminder()", new StringBuffer().append("Loading configuration for server ").append(trim).toString());
                ServerDef createServerDefinition = createServerDefinition(trim, properties);
                if (null == createServerDefinition) {
                    // Misconfigured servers are skipped, not fatal, unless none survive (checked below).
                    this.trcLog.text(1L, this, "initSiteminder()", new StringBuffer().append("Cannot add Server ").append(trim).append(" due to errors in the configuration").toString());
                } else if (z2) {
                    initDef.addServerDef(createServerDefinition);
                } else {
                    initDef = new InitDef(string3, string4, z, createServerDefinition);
                    z2 = true;
                }
            }
            if (null == initDef) {
                this.trcLog.text(1L, this, "initSiteminder()", "Please specify a value for the servers Property in the ExternalAccessControlService.properties file");
                throw new DataBackendException("Please specify a value for the servers Property in the ExternalAccessControlService.properties file");
            }
            this.agentApi = new AgentAPI();
            this.agentApi.getConfig(initDef, "", "");
            this.agentApi.init(initDef);
            SmApiConnection smApiConnection = new SmApiConnection(false, false);
            smApiConnection.setAgentApiConnection(this.agentApi);
            SmApiSession smApiSession = new SmApiSession(smApiConnection);
            // Created and discarded; has no effect.
            new SmApiResult();
            try {
                SmApiResult login = smApiSession.login(string6, string7, InetAddress.getLocalHost(), 0);
                // NOTE(review): "login successful" is traced before isSuccess() is checked, so this
                // entry also appears for failed logins.
                if (this.logging) {
                    this.trcLog.text(4L, this, "initSiteminder()", new StringBuffer().append("Siteminder administrative login successful. username: ").append(string6).toString());
                }
                if (!login.isSuccess()) {
                    if (this.logging) {
                        this.trcLog.text(4L, this, "initSiteminder()", "Siteminder administrative login unsucessful. check accesscontrolservice.properties");
                    }
                    throw new DataBackendException(new StringBuffer().append("User; ").append(string6).append(" login unsucessful").toString());
                }
                this.policyApi = new SmPolicyApiImpl(smApiSession);
                // Scheme, agent and user directory must already exist on the policy server.
                this.scheme = new SmScheme();
                SmApiResult scheme = this.policyApi.getScheme(string2, this.scheme);
                if (!scheme.isSuccess()) {
                    throw new DataBackendException(new StringBuffer().append("Unsuccessful return from getScheme()").append(scheme).toString());
                }
                this.agent = new SmAgent();
                SmApiResult agent = this.policyApi.getAgent(string3, this.agent);
                if (!agent.isSuccess()) {
                    throw new DataBackendException(new StringBuffer().append("Unsuccessful return from getAgent()").append(agent).toString());
                }
                if (this.logging) {
                    // Agent type lookup is purely informational; its result is not checked.
                    SmAgentType smAgentType = new SmAgentType();
                    this.policyApi.getObject(this.agent.getAgentType().toString(), smAgentType);
                    this.trcLog.text(1L, this, "initSiteminder()", new StringBuffer().append("Agent: ").append(this.agent.getName()).append(" of type ").append(smAgentType.getName()).append(" found ").toString());
                }
                this.dir = new SmUserDirectory();
                SmApiResult userDirectory = this.policyApi.getUserDirectory(string5, this.dir);
                if (!userDirectory.isSuccess()) {
                    throw new DataBackendException(new StringBuffer().append("Unsuccessful return from getUserDirectory()").append(userDirectory).toString());
                }
                // The domain is reused when present and created otherwise.
                this.domain = new SmDomain();
                if (this.policyApi.getDomain(string, this.domain).isSuccess()) {
                    createResponsesForDomain(this.domain);
                    if (this.logging) {
                        this.trcLog.text(1L, this, "initSiteminder()", "Domain found.  responses initialized ");
                    }
                } else {
                    // NOTE(review): traces this.domain.getName() before setName(string) below, so the
                    // logged name is that of the fresh object, not the configured one.
                    if (this.logging) {
                        this.trcLog.text(1L, this, "initSiteminder()", new StringBuffer().append("Domain not found. creating domain named ").append(this.domain.getName()).toString());
                    }
                    this.domain.setName(string);
                    this.domain.setDescription("WebSphere Portal Server Domain");
                    // Result not checked, unlike getScheme/getAgent/getUserDirectory above.
                    this.policyApi.addDomain(this.domain);
                    createResponsesForDomain(this.domain);
                    if (this.logging) {
                        this.trcLog.text(1L, this, "initSiteminder()", "created responses ");
                    }
                    // Failure to attach the user directory is only traced, not treated as fatal.
                    SmApiResult addUserDirToDomain = this.policyApi.addUserDirToDomain(this.dir.getName(), this.domain.getName());
                    if (this.logging) {
                        this.trcLog.text(1L, this, "initSiteminder()", new StringBuffer().append("Tried to add User Directory: ").append(this.dir.getName()).append(" to domain: ").append(this.domain.getName()).append(". Result was ").append(addUserDirToDomain.isSuccess() ? "successful" : new StringBuffer().append("not successful: ").append(addUserDirToDomain.getMessage()).toString()).toString());
                    }
                    // Root realm that setObjectControl() later checks MANAGE/DELEGATE against.
                    createNameSpaceEntry(ObjectType.EXTERNAL_ACL, ObjectID.ANY, "External ACL Control");
                    if (this.logging) {
                        this.trcLog.text(1L, this, "initSiteminder()", "created initial namespace for EXTERNAL_ACL");
                    }
                }
            } catch (UnknownHostException e) {
                // A failed local-host lookup is reported as a login failure; the real cause is
                // only visible in the trace.
                if (this.logging) {
                    this.trcLog.exception(4L, this, "initSiteminder()", e);
                }
                throw new DataBackendException(new StringBuffer().append("User; ").append(string6).append(" login unsucessful").toString());
            }
        } catch (SmApiException e2) {
            // Message-only rethrow: the SmApiException is not attached as cause (removeObject() does attach it).
            if (this.logging) {
                this.trcLog.exception(512L, this, "initSiteminder()", e2);
            }
            throw new DataBackendException(new StringBuffer().append("Error initializing Siteminder. ").append(e2.getMessage()).toString());
        }
    }

    /**
     * Derives the SiteMinder realm name for a portal object.
     *
     * @param objectType type of the object
     * @param objectID   identifier; {@code ObjectID.ANY} denotes the type-level realm
     * @param str        per-object name used when the identifier is not {@code ANY}
     * @return the type name for {@code ANY}, otherwise {@code str} unchanged
     */
    private String oidToRealmName(ObjectType objectType, ObjectID objectID, String str) {
        if (objectID.equals(ObjectID.ANY)) {
            return objectType.toString();
        }
        return str;
    }

    /**
     * Builds the slash-separated SiteMinder resource path for a portal object.
     *
     * @param objectType type of the object; always the first path segment
     * @param objectID   identifier; {@code ObjectID.ANY} yields the type-only path
     * @param str        per-object segment appended when the identifier is not {@code ANY}
     * @return {@code "/<type>"} for {@code ANY}, otherwise {@code "/<type>/<str>"}
     */
    private String oidToResourceName(ObjectType objectType, ObjectID objectID, String str) {
        StringBuffer path = new StringBuffer("/").append(objectType.toString());
        if (!objectID.equals(ObjectID.ANY)) {
            path.append("/").append(str);
        }
        return path.toString();
    }

    /**
     * Reads a non-negative integer setting, defaulting to zero.
     *
     * @param str        property key
     * @param properties configuration to read from
     * @return the parsed value, or {@code 0} when the key is absent, not numeric, or not positive
     */
    private int parsePositiveInteger(String str, Properties properties) {
        int value;
        try {
            value = Integer.parseInt(properties.getString(str));
        } catch (NumberFormatException e) {
            // Traced unconditionally (no this.logging check, unlike most other methods).
            // The location string names the caller, not this helper.
            this.trcLog.text(1L, this, "createServerDef()", new StringBuffer().append("The Property specified by key ").append(str).append(" is not numeric. Using Default value").toString());
            return 0;
        } catch (MissingResourceException ignored) {
            // Absent key: silently fall back to the default.
            return 0;
        }
        // Zero and negative values collapse to the default.
        return Math.max(0, value);
    }

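    /**
     * Removes the SiteMinder realm and the per-permission policies that represent a portal object.
     * <p>
     * Lookup and deletion failures are traced rather than thrown, so removal is best-effort;
     * only an {@code SmApiException} from the policy API aborts the operation.
     *
     * @param objectType type of the object being removed
     * @param objectID   identifier of the object
     * @param str        alias passed to {@code getFriendlyName}
     * @throws DataBackendException wrapping an {@code SmApiException} from the policy server
     */
    @Override // com.ibm.wps.services.authorization.ExternalAccessControlService
    public void removeObject(ObjectType objectType, ObjectID objectID, String str) throws DataBackendException {
        if (this.logging) {
            this.trcLog.text(1L, this, "removeObject", "remove object " + objectType + ":" + objectID);
        }
        String friendlyName = getFriendlyName(objectType, objectID, str);
        // oidToRealmName() is a pure function of its arguments: compute it once for the realm and every policy.
        String realmName = oidToRealmName(objectType, objectID, friendlyName);
        String domainName = this.domain.getName();
        try {
            SmRealm smRealm = new SmRealm();
            SmApiResult realmLookup = this.policyApi.getRealm(realmName, domainName, smRealm);
            if (realmLookup.isSuccess()) {
                // Check the deletion result too; previously only the policy deletions were checked.
                SmApiResult realmDelete = this.policyApi.deleteRealm(smRealm);
                if (!realmDelete.isSuccess() && this.logging) {
                    this.trcLog.text(4L, this, "removeObject", "error removing realm " + objectType + ":" + objectID + ". " + realmDelete.getMessage());
                }
            } else if (this.logging) {
                this.trcLog.text(4L, this, "removeObject", "error removing realm " + objectType + ":" + objectID + ". " + realmLookup.getMessage());
            }
            // One policy per response. The policy name embeds the SmResponse via its toString();
            // NOTE(review): this presumes toString() yields the response name used at creation time --
            // confirm against createResponsesForDomain().
            SmPolicy smPolicy = new SmPolicy();
            for (int i = 0; i < this.responses.length; i++) {
                String policyName = realmName + Formatter.DEFAULT_SEPARATOR + this.responses[i] + " policy";
                // The same SmPolicy instance is reused; the failure branch is skipped, so stale
                // contents from a previous iteration are never deleted by mistake.
                if (this.policyApi.getPolicy(policyName, domainName, smPolicy).isSuccess()) {
                    SmApiResult deletePolicy = this.policyApi.deletePolicy(smPolicy);
                    if (!deletePolicy.isSuccess() && this.logging) {
                        this.trcLog.text(4L, this, "removeObject", "error removing policy: " + smPolicy.getName() + ". " + deletePolicy.getMessage());
                    }
                }
            }
        } catch (SmApiException e) {
            if (this.logging) {
                this.trcLog.exception(512L, this, "removeObject", e);
            }
            throw new DataBackendException("removeObject(" + objectType + "," + objectID + ")", e);
        }
    }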

    /**
     * Maps a SiteMinder response to the portal permission it stands for, by substring match on
     * the response name.
     * <p>
     * Matching is loose (a name containing "preview" also counts as "view"). When several
     * keywords occur in one name the precedence is copy, create, delegate, manage, edit, view.
     *
     * @param smResponse response whose name is inspected
     * @return the matching permission, or {@code Permission.NONE} when no keyword is present
     */
    private Permission responseToPermission(SmResponse smResponse) {
        String name = smResponse.getName();
        if (name.contains("copy")) {
            return Permission.COPY;
        }
        if (name.contains("create")) {
            return Permission.CREATE;
        }
        if (name.contains(WpsXmlAccessConstants.DELEGATE)) {
            return Permission.DELEGATE;
        }
        if (name.contains(WpsXmlAccessConstants.MANAGE)) {
            return Permission.MANAGE;
        }
        if (name.contains("edit")) {
            return Permission.EDIT;
        }
        if (name.contains("view")) {
            return Permission.VIEW;
        }
        return Permission.NONE;
    }

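    /**
     * Grants {@code permission} on {@code smRealm} to {@code principal} by attaching a SiteMinder
     * user policy to the realm's "{@code <realm> <permission> policy}".
     * <p>
     * The policy lookup and the user-policy creation are both checked: a grant bound to a
     * missing policy would otherwise be silently ineffective.
     *
     * @param smRealm    realm the permission applies to
     * @param permission permission to grant; its lower-cased name selects the policy
     * @param principal  user or group receiving the grant; its id becomes the filter path
     * @throws DataBackendException when the policy cannot be found, the user policy cannot be
     *         added, or the policy API fails
     */
    private void setExternalPermission(SmRealm smRealm, Permission permission, Principal principal) throws DataBackendException {
        try {
            if (this.logging) {
                this.trcLog.entry(128L, this, "setExternalPermission(" + smRealm.getName() + "," + permission + "," + principal.getId() + ")");
            }
            // Default-locale lower-casing kept as-is (no Locale import available in this excerpt).
            String policyName = smRealm.getName() + Formatter.DEFAULT_SEPARATOR + permission.toString().toLowerCase() + " policy";
            SmPolicy smPolicy = new SmPolicy();
            SmApiResult policyLookup = this.policyApi.getPolicy(policyName, this.domain.getName(), smPolicy);
            if (!policyLookup.isSuccess()) {
                if (this.logging) {
                    this.trcLog.text(4L, this, "setExternalPermission()", "policy not found: " + policyName + ". " + policyLookup.getMessage());
                }
                throw new DataBackendException("Unsuccessful return from getPolicy()" + policyLookup);
            }
            SmUserPolicy smUserPolicy = new SmUserPolicy();
            smUserPolicy.setFilterPath(principal.getId());
            if (getObjectType(principal).equals(ObjectType.USER)) {
                // NOTE(review): this literal looks corrupted (possibly "organizationalPerson" plus
                // stray characters) -- confirm against the user directory's object class before
                // changing it; left byte-for-byte as found.
                smUserPolicy.setFilterClass("organizationalPersonman\t");
            } else {
                smUserPolicy.setFilterClass("groupOfUniqueNames");
            }
            smUserPolicy.setPolicyResolution(0);
            smUserPolicy.setPolicyFlags(0);
            smUserPolicy.setPolicy(smPolicy.getOid());
            smUserPolicy.setDomain(this.domain.getName());
            smUserPolicy.setUserDirectory(this.dir.getOid());
            SmApiResult added = this.policyApi.addUserPolicy(smUserPolicy);
            if (!added.isSuccess()) {
                if (this.logging) {
                    this.trcLog.text(4L, this, "setExternalPermission()", "error adding user policy for " + principal.getId() + " to " + policyName + ". " + added.getMessage());
                }
                throw new DataBackendException("Unsuccessful return from addUserPolicy()" + added);
            }
        } catch (SmApiException e) {
            if (this.logging) {
                this.trcLog.exception(512L, this, "setExternalPermission()", e);
            }
            throw new DataBackendException(e);
        }
    }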

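    /**
     * Creates or removes the SiteMinder representation of a portal object and, when creating,
     * makes {@code principal} its owner (MANAGE and DELEGATE).
     * <p>
     * The caller must hold both MANAGE and DELEGATE on {@code EXTERNAL_ACL}; a missing
     * principal is denied outright (fail closed) instead of failing with a
     * {@code NullPointerException} part-way through, after the realm has already been created.
     *
     * @param principal  owner-to-be and the subject whose EXTERNAL_ACL rights are checked
     * @param objectType type of the object
     * @param objectID   identifier of the object
     * @param str        alias / friendly name of the object
     * @param z          {@code true} to create and assign ownership, {@code false} to remove
     * @throws DataBackendException on policy-server errors
     * @throws NotAllowedException  when {@code principal} is {@code null} or lacks MANAGE or
     *         DELEGATE on EXTERNAL_ACL
     */
    @Override // com.ibm.wps.services.authorization.ExternalAccessControlService
    public void setObjectControl(Principal principal, ObjectType objectType, ObjectID objectID, String str, boolean z) throws DataBackendException, NotAllowedException {
        // Declared as Object so the conditional is well-typed regardless of what getId() returns.
        Object principalId = principal != null ? principal.getId() : "no one";
        if (this.logging) {
            this.trcLog.text(1L, this, "setObjectControl", "set object control for " + objectType + ":" + objectID + " alias " + str + ". Owner: " + principalId);
        }
        PermissionSet permissions = getPermissions(principal, null, ObjectType.EXTERNAL_ACL, ObjectID.ANY, str, null, null);
        boolean authorized = principal != null
                && permissions.hasPermission(Permission.MANAGE)
                && permissions.hasPermission(Permission.DELEGATE);
        if (!authorized) {
            if (this.logging) {
                this.trcLog.text(4L, this, "setObjectControl()", "Principal: " + principalId + " does not have MANAGE and DELEGATE permissions on: " + ObjectType.EXTERNAL_ACL + " in Siteminder ");
            }
            throw new NotAllowedException(principalId + " does not have MANAGE, DELEGATE permissions on EXTERNAL_ACL in Siteminder");
        }
        if (!z) {
            removeObject(objectType, objectID, str);
            return;
        }
        SmRealm realm = createNameSpaceEntry(objectType, objectID, str);
        setExternalPermission(realm, Permission.MANAGE, principal);
        setExternalPermission(realm, Permission.DELEGATE, principal);
        if (this.logging) {
            this.trcLog.text(4L, this, "setObjectControl()", "set MANAGE and DELEGATE for " + principalId + " on " + getFriendlyName(objectType, objectID, str) + " in Siteminder ");
        }
    }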

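    /**
     * Compiler-generated style helper that resolves a class by its binary name.
     *
     * @param str binary class name, as accepted by {@link Class#forName(String)}
     * @return the loaded class
     * @throws NoClassDefFoundError when the class cannot be found; the underlying
     *         {@code ClassNotFoundException} is attached as the cause so it is not lost
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            NoClassDefFoundError error = new NoClassDefFoundError(e.getMessage());
            // NoClassDefFoundError has no cause constructor; attach it explicitly.
            error.initCause(e);
            throw error;
        }
    }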
}
