package com.ibm.wps.sso.vaultservice;

import com.ibm.wps.puma.User;
import com.ibm.wps.puma.UserManager;
import com.ibm.wps.services.authorization.NotAllowedException;
import com.ibm.wps.services.log.Log;
import com.ibm.wps.sso.credentialvault.CredentialSlot;
import com.ibm.wps.sso.credentialvault.secrets.CredentialSecret;
import com.ibm.wps.sso.vaultservice.exceptions.SecretTypeNotSupportedException;
import com.ibm.wps.sso.vaultservice.exceptions.VaultServiceException;
import com.ibm.wps.util.ConcurrentModificationException;
import com.ibm.wps.util.DataBackendException;
import com.ibm.wps.util.ObjectID;
import com.ibm.wps.util.Properties;
import java.util.Arrays;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.Map;
import javax.security.auth.Subject;

/* loaded from: input_file:plugins/com.ibm.wps_4.2.0/wps.jar:com/ibm/wps/sso/vaultservice/VaultServiceImpl.class */
public class VaultServiceImpl extends VaultService {
    // Legal notice embedded in the class file; not referenced by any code in this class.
    private static final String COPYRIGHT = "Licensed Materials - Property of IBM, 5724-B88, (C) Copyright IBM Corp. 2001, 2002 - All Rights reserved.";
    // Logger name used by every Log.debug/Log.error/Log.warn call in this class.
    private static final String LOGGER = "com.ibm.wps.sso.vaultservice";
    // Property key read in init(): the DN of the user under which shared "system" credentials are stored.
    private static final String SYSTEMCRED_DN = "systemcred.dn";
    // Separator between resource name, user ObjectID and portlet instance id in a generated slot key.
    // generateVaultSlotKey() checks for this character (as the literal 124) so a resource name or slot
    // key cannot be crafted to collide with another user's generated key.
    private static final char DELIMITER = '|';
    // Maps vault adapter types to VaultAdapter instances; created in the constructor, configured in init().
    private VaultAdapterManager adapterManager;
    // Owns the vault segments; configured in init() from the adapter manager.
    private VaultSegmentManager segmentManager;
    // True once init() has completed; init() is then a no-op and destroy() only tears down when set.
    // Not volatile/synchronised: concurrent init()/destroy() calls are not coordinated here.
    private boolean initialized = false;
    // Resolved lazily from systemCredUserDN by checkSystemDNInitialized(); null until then.
    private User systemCredUser = null;
    // Raw value of the systemcred.dn property as read in init(); null if init() has not run.
    private String systemCredUserDN;

    /**
     * Creates the service with fresh, not yet configured, adapter and segment managers.
     * Configuration happens later in {@link #init(Properties)}.
     */
    public VaultServiceImpl() {
        boolean debug = Log.isDebugEnabled(LOGGER);
        if (debug) {
            Log.debug(LOGGER, "new VaultServiceImpl -- entry");
        }
        // Both managers are only constructed here; init() wires them to the properties.
        this.adapterManager = new VaultAdapterManager();
        this.segmentManager = new VaultSegmentManager();
        if (debug) {
            Log.debug(LOGGER, "new VaultServiceImpl -- exit");
        }
    }

    /**
     * Initialises the service from the vault service properties.
     * <p>
     * Reads {@code systemcred.dn}, initialises the adapter manager from the same properties and the
     * segment manager from the adapter manager. Idempotent: once initialised, further calls return
     * immediately without re-reading the properties.
     *
     * @param properties the vault service properties
     * @throws Exception propagated from the managers' init methods
     */
    @Override // com.ibm.wps.services.Service
    public void init(Properties properties) throws Exception {
        if (this.initialized) {
            return;
        }
        boolean debug = Log.isDebugEnabled(LOGGER);
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.init -- entry");
        }
        // Only the DN is stored here; it is resolved to a User on first use by checkSystemDNInitialized().
        this.systemCredUserDN = properties.getString(SYSTEMCRED_DN);
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.init: systemCredUserDN set to '" + this.systemCredUserDN + "'");
        }
        this.adapterManager.init(properties);
        this.segmentManager.init(this.adapterManager);
        this.initialized = true;
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.init -- exit");
        }
    }

    /**
     * Lazily resolves the user named by {@code systemcred.dn} into {@link #systemCredUser}.
     * <p>
     * The lookup runs once; after the user is cached the method returns immediately. Although declared
     * to throw {@link VaultServiceException}, a missing or unresolvable DN is reported as an
     * {@link IllegalStateException} (after an error log entry), so callers should expect both.
     * The lazy assignment is not synchronised; concurrent first calls may each perform the lookup.
     *
     * @throws VaultServiceException declared for compatibility; not thrown by this body
     * @throws IllegalStateException if systemcred.dn is unset (init not run) or names no user
     */
    public void checkSystemDNInitialized() throws VaultServiceException {
        boolean debug = Log.isDebugEnabled(LOGGER);
        if (null != this.systemCredUser) {
            if (debug) {
                Log.debug(LOGGER, "VaultServiceImpl.checkInitialized:  User for system credentials is already retrieved");
            }
            return;
        }
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.checkInitialized:  Trying to retrieve user '" + this.systemCredUserDN + "'");
        }
        // A null DN skips the lookup and falls through to the error path below.
        if (null != this.systemCredUserDN) {
            this.systemCredUser = (User) UserManager.instance().findById(this.systemCredUserDN);
        }
        if (null != this.systemCredUser) {
            if (debug) {
                Log.debug(LOGGER, "VaultServiceImpl.checkInitialized:  Will use the following user for system credentials:" + this.systemCredUser);
            }
            return;
        }
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.checkInitialized:  Couldn't retrieve user '" + this.systemCredUserDN + "' for storing system credentials");
        }
        Log.error(LOGGER, "VaultServiceImpl.checkInitialized:  The systemcred.dn property value is invalid.  Please make sure the value of systemcred.dn is a valid user in the Vault Service Properties File");
        throw new IllegalStateException("The systemcred.dn property is invalid.  Please make sure the value of systemcred.dn is a valid user in the Vault Service Properties File");
    }

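    /**
     * Shuts the service down by destroying the adapter manager, provided the service was initialised.
     * <p>
     * {@link #initialized} is left unchanged, so a subsequent {@link #init(Properties)} remains a no-op.
     *
     * @throws Exception propagated from the adapter manager's destroy
     */
    @Override // com.ibm.wps.services.Service
    public void destroy() throws Exception {
        boolean isDebugEnabled = Log.isDebugEnabled(LOGGER);
        if (isDebugEnabled) {
            // Was logged as "init()", attributing the trace to the wrong lifecycle method.
            Log.debug(LOGGER, "VaultServiceImpl.destroy() -- entry");
        }
        if (this.initialized) {
            this.adapterManager.destroy();
        }
        if (isDebugEnabled) {
            Log.debug(LOGGER, "VaultServiceImpl.destroy() -- exit");
        }
    }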

    /**
     * Reports whether {@link #init(Properties)} has completed.
     *
     * @return {@code true} once init() has run to completion
     */
    public boolean isInitialized() {
        boolean done = this.initialized;
        return done;
    }

    /**
     * Lists the configured vault adapters.
     *
     * @return the adapter configuration map as held by the adapter manager; it is not copied here
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public Map listVaultAdapters() {
        Map adapterConfigs = this.adapterManager.getAdapterConfigs();
        return adapterConfigs;
    }

    /**
     * Lists the resources held by the vault adapter of the given type.
     *
     * @param str the vault adapter type
     * @return an iterator over the adapter's resources
     * @throws VaultServiceException if no adapter of that type is configured
     * @throws DataBackendException from the adapter
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public Iterator listResourcesInVault(String str) throws DataBackendException, VaultServiceException {
        boolean debug = Log.isDebugEnabled(LOGGER);
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.listResourcesInVault() -- entry:  " + str);
        }
        VaultAdapter vaultAdapter = this.adapterManager.getAdapter(str);
        if (vaultAdapter == null) {
            String reason = "Vault Adapter of type '" + str + "' does not exist";
            if (debug) {
                Log.debug(LOGGER, "VaultServiceImpl.listResourcesInVault():  " + reason);
            }
            throw new VaultServiceException(reason);
        }
        Iterator resources = vaultAdapter.listResources();
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.listResourcesInVault() -- exit" + resources);
        }
        return resources;
    }

    /**
     * Tells whether a resource exists in the vault adapter of the given type.
     *
     * @param str  the vault adapter type
     * @param str2 the resource name
     * @return {@code true} if the adapter reports the resource as present
     * @throws VaultServiceException if no adapter of that type is configured
     * @throws DataBackendException from the adapter
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public boolean isResourceInVault(String str, String str2) throws DataBackendException, VaultServiceException {
        boolean debug = Log.isDebugEnabled(LOGGER);
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.isResourceInVault() -- entry:  " + str + ", " + str2);
        }
        VaultAdapter vaultAdapter = this.adapterManager.getAdapter(str);
        if (vaultAdapter == null) {
            throw new VaultServiceException("Vault Adapter of type \"" + str + "\" does not exist");
        }
        boolean present = vaultAdapter.containsResource(str2);
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.isResourceInVault() -- exit:  " + present);
        }
        return present;
    }

    /**
     * Creates a vault segment backed by the adapter of the given type.
     *
     * @param str  the segment name
     * @param str2 the segment description
     * @param str3 the vault adapter type the segment is backed by
     * @param z    whether the segment is user mapped
     * @return the stored segment configuration
     * @throws VaultServiceException if no adapter of type {@code str3} is configured
     * @throws DataBackendException from the segment manager
     * @throws ConcurrentModificationException from the segment manager
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public VaultSegmentConfig createSegment(String str, String str2, String str3, boolean z) throws DataBackendException, VaultServiceException, ConcurrentModificationException {
        boolean debug = Log.isDebugEnabled(LOGGER);
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.createSegment() -- entry:  " + str + ", " + str2 + ", " + str3 + ", " + z);
        }
        VaultAdapter vaultAdapter = this.adapterManager.getAdapter(str3);
        if (vaultAdapter == null) {
            throw new VaultServiceException("Vault Adapter of type \"" + str3 + "\" does not exist");
        }
        VaultSegmentConfig segmentConfig = this.segmentManager.createSegment(str, str2, vaultAdapter, z);
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.createSegment() -- exit:  " + segmentConfig);
        }
        return segmentConfig;
    }

    /**
     * Deletes the segment with the given id via the segment manager.
     *
     * @param objectID the segment id
     * @throws DataBackendException from the segment manager
     * @throws ConcurrentModificationException from the segment manager
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public void deleteSegment(ObjectID objectID) throws DataBackendException, ConcurrentModificationException {
        boolean debug = Log.isDebugEnabled(LOGGER);
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.deleteSegment() -- entry:  " + objectID);
        }
        this.segmentManager.deleteSegment(objectID);
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.deleteSegment() -- exit");
        }
    }

    /**
     * Looks up a segment configuration by id.
     *
     * @param objectID the segment id
     * @return the configuration as returned by the segment manager
     * @throws DataBackendException from the segment manager
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public VaultSegmentConfig getSegment(ObjectID objectID) throws DataBackendException {
        VaultSegmentConfig config = this.segmentManager.getSegmentConfig(objectID);
        return config;
    }

    /**
     * Lists all segment configurations.
     *
     * @return the map as held by the segment manager; it is not copied here
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public Map listSegments() {
        Map segmentConfigs = this.segmentManager.listSegmentConfigs();
        return segmentConfigs;
    }

    /**
     * Not implemented: always returns {@code null}, never an empty map.
     * Callers must null-check the result.
     *
     * @return {@code null}
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public Map listSegmentsWithoutVaultSlots() {
        return null;
    }

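    /**
     * Returns the secret type codes a segment can store.
     *
     * @param objectID the segment id
     * @return the supported secret types as reported by the segment; the array is not copied here
     * @throws VaultServiceException if the segment does not exist
     * @throws DataBackendException from the segment manager
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public int[] getSupportedSecretTypes(ObjectID objectID) throws VaultServiceException, DataBackendException {
        boolean isDebugEnabled = Log.isDebugEnabled(LOGGER);
        if (isDebugEnabled) {
            Log.debug(LOGGER, "VaultServiceImpl.getSupportedSecretTypes() -- entry:  " + objectID);
        }
        VaultSegment segment = this.segmentManager.getSegment(objectID);
        if (null == segment) {
            throw new VaultServiceException("The specified segment \"" + objectID + "\" does not exist");
        }
        int[] supportedSecretTypes = segment.getSupportedSecretTypes();
        if (isDebugEnabled) {
            // Arrays.toString renders the values; appending the array itself only logged its identity hash.
            Log.debug(LOGGER, "VaultServiceImpl.getSupportedSecretTypes() -- exit:  " + Arrays.toString(supportedSecretTypes));
        }
        return supportedSecretTypes;
    }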

    /**
     * Tells whether a segment can store secrets of the given type.
     *
     * @param objectID the segment id
     * @param i        the secret type code
     * @return the segment's answer
     * @throws VaultServiceException if the segment does not exist
     * @throws DataBackendException from the segment manager
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public boolean isSecretTypeSupported(ObjectID objectID, int i) throws VaultServiceException, DataBackendException {
        boolean debug = Log.isDebugEnabled(LOGGER);
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.isSecretTypeSupported() -- entry:  " + objectID + ", " + i);
        }
        VaultSegment segment = this.segmentManager.getSegment(objectID);
        if (segment == null) {
            throw new VaultServiceException("The specified segment \"" + objectID + "\" does not exist");
        }
        boolean supported = segment.isSecretTypeSupported(i);
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.isSecretTypeSupported() -- exit:  " + supported);
        }
        return supported;
    }

    /**
     * Validates a slot configuration before it is stored.
     * <p>
     * The only rule enforced: a user-managed slot must carry the owning user's ObjectID, otherwise the
     * ownership check in isAccessValid() could never pass and the slot would be unusable.
     *
     * @param vaultSlotConfig the slot to validate
     * @throws VaultServiceException if the slot is user managed but has no user ObjectID
     */
    private void isValidVaultSlot(VaultSlotConfig vaultSlotConfig) throws VaultServiceException {
        boolean debug = Log.isDebugEnabled(LOGGER);
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.isValidVaultSlot() -- entry:  " + vaultSlotConfig);
        }
        boolean ownerMissing = vaultSlotConfig.isUserManaged() && vaultSlotConfig.getUserObjectID() == null;
        if (ownerMissing) {
            if (debug) {
                Log.debug(LOGGER, "VaultServiceImpl.isValidVaultSlot():  Hmm, a vault slot that is userManaged must have a user associated with it. . .  No good.");
            }
            throw new VaultServiceException("Vault Slot " + vaultSlotConfig.getVaultSlotKey() + " is not valid, it is user managed and does not have a user assciated with it.");
        }
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.isValidVaultSlot() -- exit");
        }
    }

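    /**
     * Builds the resource key under which a slot's credentials are stored in the vault adapter.
     * <p>
     * Admin-defined (not user managed) slots use the resource name unchanged. User-managed slots get
     * {@code resourceName|userObjectID}, plus {@code |cpiid} when the slot is bound to a portlet
     * instance. The {@code '|'} separator ({@link #DELIMITER}) is rejected in the resource name and in
     * the slot key: a name containing it could otherwise be crafted to collide with another user's
     * generated key.
     *
     * @param vaultSlotConfig the slot; must have a resource name, and a user ObjectID when user managed
     * @return the generated key
     * @throws VaultServiceException if the resource name is null, or the resource name or slot key contains {@code '|'}
     */
    private String generateVaultSlotKey(VaultSlotConfig vaultSlotConfig) throws VaultServiceException {
        String resourceName = vaultSlotConfig.getResourceName();
        if (null == resourceName) {
            // Previously surfaced as a NullPointerException from indexOf().
            throw new VaultServiceException("The Resource Name must not be null");
        }
        if (-1 != resourceName.indexOf('|')) {
            throw new VaultServiceException("The Resource Name may not contain the \"|\" character");
        }
        String slotKey = vaultSlotConfig.getVaultSlotKey();
        if (null != slotKey && -1 != slotKey.indexOf('|')) {
            throw new VaultServiceException("The Vault Slot Key may not contain the \"|\" character");
        }
        String key;
        if (vaultSlotConfig.isUserManaged()) {
            StringBuffer sb = new StringBuffer(resourceName);
            sb.append('|');
            sb.append(vaultSlotConfig.getUserObjectID().toString());
            // Portlet-bound slots are additionally scoped by the portlet instance id.
            if (null != vaultSlotConfig.getCPIID()) {
                sb.append('|');
                sb.append(vaultSlotConfig.getCPIID().toString());
            }
            key = sb.toString();
        } else {
            key = resourceName;
        }
        if (Log.isDebugEnabled(LOGGER)) {
            Log.debug(LOGGER, "VaultServiceImpl.generateVaultSlotKey():  Resource is now \"" + key + "\"");
        }
        return key;
    }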

    /**
     * Creates a vault slot: persists its configuration and ensures the backing resource exists in the
     * segment's vault adapter.
     * <p>
     * The slot's {@code userManaged} flag is overwritten with the segment's user-mapped setting, so the
     * caller cannot obtain a user-managed slot in an admin segment or vice versa. The resource name is
     * replaced by the key from {@link #generateVaultSlotKey(VaultSlotConfig)} (which scopes user-managed
     * slots to their owner) and also becomes the slot key when none was supplied.
     * <p>
     * Ordering: the configuration is stored before the resource is checked. When the resource turns out
     * to be absent the slot is deleted again, but an exception raised between store() and that final
     * check (missing adapter, or a failure in the adapter calls) leaves the stored slot behind.
     * NOTE(review): confirm whether anything else cleans up such an orphaned slot.
     *
     * @param vaultSlotConfig the slot to create; mutated in place (userManaged, resourceName, vaultSlotKey)
     * @return the same, now stored, configuration
     * @throws VaultServiceException if the segment or its adapter does not exist, the slot is invalid,
     *         or the resource is absent from the vault and was not created
     * @throws DataBackendException from the persistence and adapter layers
     * @throws ConcurrentModificationException from the persistence layer
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public VaultSlotConfig createVaultSlot(VaultSlotConfig vaultSlotConfig) throws DataBackendException, VaultServiceException, ConcurrentModificationException {
        boolean isDebugEnabled = Log.isDebugEnabled(LOGGER);
        if (isDebugEnabled) {
            Log.debug(LOGGER, new StringBuffer().append("VaultServiceImpl.createVaultSlot -- entry:  ").append(vaultSlotConfig).toString());
        }
        VaultSegment segment = this.segmentManager.getSegment(vaultSlotConfig.getSegmentObjectID());
        if (null == segment) {
            Log.error(LOGGER, new StringBuffer().append("VaultServiceImpl.createVaultSlot():  Segment \"").append(vaultSlotConfig.getSegmentObjectID()).append("\" does not exist, the vault slot cannot be created").toString());
            if (isDebugEnabled) {
                Log.debug(LOGGER, new StringBuffer().append("VaultServiceImpl.createVaultSlot():  Segment \"").append(vaultSlotConfig.getSegmentObjectID()).append("\" does not exist, the vault slot cannot be created").toString());
            }
            throw new VaultServiceException(new StringBuffer().append("Segment ").append(vaultSlotConfig.getSegmentObjectID()).append(" does not exist").toString());
        }
        // The segment decides whether slots in it are user managed; the caller's value is discarded.
        vaultSlotConfig.userManaged = segment.isUserMapped();
        isValidVaultSlot(vaultSlotConfig);
        // Rewrites the resource name into the (user-scoped) vault key; rejects '|' in the inputs.
        vaultSlotConfig.resourceName = generateVaultSlotKey(vaultSlotConfig);
        if (null == vaultSlotConfig.vaultSlotKey || 0 == vaultSlotConfig.vaultSlotKey.length()) {
            vaultSlotConfig.vaultSlotKey = vaultSlotConfig.resourceName;
        }
        // Persisted before the resource check; see the class-level note on orphaned slots.
        vaultSlotConfig.store();
        if (isDebugEnabled) {
            Log.debug(LOGGER, new StringBuffer().append("VaultServiceImpl.createVaultSlot():  Stored vault slot \"").append(vaultSlotConfig.getVaultSlotKey()).append("\"").toString());
        }
        String resourceName = vaultSlotConfig.getResourceName();
        VaultAdapter vaultAdapter = segment.getVaultAdapter();
        if (null == vaultAdapter) {
            // Thrown after store(): the slot configuration is not deleted on this path.
            throw new VaultServiceException(new StringBuffer().append("The VaultAdapter of type ").append(segment.getVaultAdapterType()).append(" does not exist").toString());
        }
        // Only writable adapters that manage their own resources get the resource created for them.
        if (!vaultAdapter.isReadOnly() && vaultAdapter.isManagingResources() && !vaultAdapter.containsResource(resourceName)) {
            vaultAdapter.createResource(resourceName);
            if (isDebugEnabled) {
                Log.debug(LOGGER, new StringBuffer().append("VaultServiceImpl.createVaultSlot():  Created resource ").append(resourceName).toString());
            }
        } else if (isDebugEnabled) {
            Log.debug(LOGGER, new StringBuffer().append("VaultServiceImpl.createVaultSlot():  The adapter ").append(vaultAdapter.getType()).append(" is read only or is not managing resources.  The Vault Service will not create the resource").toString());
        }
        if (vaultAdapter.containsResource(resourceName)) {
            if (isDebugEnabled) {
                Log.debug(LOGGER, new StringBuffer().append("VaultServiceImpl.createVaultSlot() -- exit:  ").append(vaultSlotConfig).toString());
            }
            return vaultSlotConfig;
        }
        Log.error(LOGGER, new StringBuffer().append("VaultServiceImpl.createVaultSlot():  Resource \"").append(resourceName).append("\" does not exist in segment \"").append(segment.getName()).append("\".  The resource must exist before a Vault Slot can be created for it.").toString());
        if (isDebugEnabled) {
            Log.debug(LOGGER, new StringBuffer().append("VaultServiceImpl.createVaultSlot():  Resource ").append(resourceName).append(" doesn't exist. . .").toString());
        }
        // Compensating delete: undo the store() above because the slot would point at nothing.
        vaultSlotConfig.delete();
        throw new VaultServiceException(new StringBuffer().append("The resource ").append(resourceName).append(" does not exist in the vault.  The Vault Slot could not be created").toString());
    }

    /**
     * Validates and re-stores an existing slot configuration.
     * <p>
     * Unlike createVaultSlot(), the userManaged flag, resource name and slot key are stored exactly as
     * supplied, and no access check is performed here.
     *
     * @param vaultSlotConfig the slot to store
     * @return the same configuration after store()
     * @throws VaultServiceException if the slot is user managed without a user ObjectID
     * @throws DataBackendException from the persistence layer
     * @throws ConcurrentModificationException from the persistence layer
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public VaultSlotConfig modifyVaultSlot(VaultSlotConfig vaultSlotConfig) throws DataBackendException, VaultServiceException, ConcurrentModificationException {
        boolean debug = Log.isDebugEnabled(LOGGER);
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.modifyVaultSlot() -- entry:  " + vaultSlotConfig);
        }
        isValidVaultSlot(vaultSlotConfig);
        vaultSlotConfig.store();
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.modifyVaultSlot() -- exit:  " + vaultSlotConfig);
        }
        return vaultSlotConfig;
    }

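    /**
     * Deletes a vault slot and, where this service manages the adapter's resources, the backing
     * resource once no slot refers to it any more.
     * <p>
     * The slot configuration is deleted first. If its segment no longer exists the deletion still
     * succeeds with a warning and the resource is left alone. Resources in read-only adapters, or in
     * adapters that do not manage resources, are never deleted here.
     *
     * @param vaultSlotConfig the slot to delete
     * @throws VaultServiceException if the segment exists but its adapter does not
     * @throws DataBackendException from the persistence and adapter layers
     * @throws ConcurrentModificationException from the persistence layer
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public void deleteVaultSlot(VaultSlotConfig vaultSlotConfig) throws DataBackendException, VaultServiceException, ConcurrentModificationException {
        boolean isDebugEnabled = Log.isDebugEnabled(LOGGER);
        if (isDebugEnabled) {
            Log.debug(LOGGER, "VaultServiceImpl.deleteVaultSlot() -- entry:  " + vaultSlotConfig);
        }
        vaultSlotConfig.delete();
        VaultSegment segment = this.segmentManager.getSegment(vaultSlotConfig.getSegmentObjectID());
        if (null == segment) {
            Log.warn(LOGGER, "VaultServiceImpl.deleteVaultSlot():  The Vault Slot " + vaultSlotConfig.getVaultSlotKey() + " was deleted, but its segment " + vaultSlotConfig.getSegmentObjectID() + " does not exist");
            if (isDebugEnabled) {
                // Was attributed to createVaultSlot(), which misdirects anyone reading the trace.
                Log.debug(LOGGER, "VaultServiceImpl.deleteVaultSlot():  Segment \"" + vaultSlotConfig.getSegmentObjectID() + "\" does not exist!!");
            }
        } else {
            String resourceName = vaultSlotConfig.getResourceName();
            VaultAdapter vaultAdapter = segment.getVaultAdapter();
            if (null == vaultAdapter) {
                throw new VaultServiceException("The VaultAdapter of type " + segment.getVaultAdapterType() + " does not exist");
            }
            if (!vaultAdapter.isReadOnly() && vaultAdapter.isManagingResources() && vaultAdapter.containsResource(resourceName)) {
                // Other slots may still reference the same resource; remove it only when none remain.
                CredentialSlot[] listForResource = CredentialSlot.listForResource(resourceName);
                if (null == listForResource || 0 == listForResource.length) {
                    vaultAdapter.deleteResource(resourceName);
                }
            } else if (isDebugEnabled) {
                // Was attributed to createVaultSlot() as well.
                Log.debug(LOGGER, "VaultServiceImpl.deleteVaultSlot():  The adapter " + vaultAdapter.getType() + " is read only or is not managing resources.  The Vault Service will not delete the resource");
            }
        }
        if (isDebugEnabled) {
            Log.debug(LOGGER, "VaultServiceImpl.deleteVaultSlot() -- exit");
        }
    }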

    /**
     * Lists the admin-defined (shared) vault slots.
     *
     * @return an iterator over the slots reported by CredentialSlot.listAdminDefined()
     * @throws DataBackendException from the persistence layer
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public Iterator listAdminDefinedVaultSlots() throws DataBackendException {
        CredentialSlot[] adminSlots = CredentialSlot.listAdminDefined();
        return Arrays.asList(adminSlots).iterator();
    }

    /**
     * Lists every user-mapped vault slot, regardless of owner.
     *
     * @return an iterator over the slots reported by CredentialSlot.listUserMapped()
     * @throws DataBackendException from the persistence layer
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public Iterator listUserMappedVaultSlots() throws DataBackendException {
        CredentialSlot[] userSlots = CredentialSlot.listUserMapped();
        return Arrays.asList(userSlots).iterator();
    }

    /**
     * Lists the user-mapped vault slots owned by a user.
     *
     * @param user the owner; must not be null
     * @return an iterator over the slots mapped to {@code user.getObjectId()}
     * @throws DataBackendException from the persistence layer
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public Iterator listUserMappedVaultSlots(User user) throws DataBackendException {
        CredentialSlot[] ownedSlots = CredentialSlot.listUserMapped(user.getObjectId());
        return Arrays.asList(ownedSlots).iterator();
    }

    /**
     * Lists the user-mapped vault slots owned by a user and bound to a portlet instance.
     *
     * @param user     the owner; must not be null
     * @param objectID the portlet instance id the slots are bound to
     * @return an iterator over the matching slots
     * @throws DataBackendException from the persistence layer
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public Iterator listUserMappedVaultSlots(User user, ObjectID objectID) throws DataBackendException {
        CredentialSlot[] boundSlots = CredentialSlot.listUserMapped(user.getObjectId(), objectID);
        return Arrays.asList(boundSlots).iterator();
    }

    /**
     * Lists every slot a user may access from a portlet instance: the admin-defined slots, the user's
     * own slots, and the user's slots bound to that portlet instance, in that order.
     *
     * @param user     the requesting user; must not be null
     * @param objectID the portlet instance id
     * @return an iterator over the concatenated slot lists
     * @throws DataBackendException from the persistence layer
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public Iterator listUserAccessibleVaultSlots(User user, ObjectID objectID) throws DataBackendException {
        LinkedList accessible = new LinkedList(Arrays.asList(CredentialSlot.listAdminDefined()));
        accessible.addAll(Arrays.asList(CredentialSlot.listUserMapped(user.getObjectId())));
        accessible.addAll(Arrays.asList(CredentialSlot.listUserMapped(user.getObjectId(), objectID)));
        return accessible.iterator();
    }

    /**
     * Authorisation check for accessing a slot on behalf of a user and, optionally, a portlet instance.
     * <p>
     * Only user-managed slots are checked: a user must be identified, that user must own the slot,
     * and when the slot is bound to a portlet instance (CPIID) the supplied {@code objectID} must match
     * it as well. Admin-defined slots pass unconditionally here. Every denial is logged at error level
     * before the exception is thrown.
     *
     * @param vaultSlotConfig the slot being accessed
     * @param user            the requesting user; null is rejected for user-managed slots
     * @param objectID        the requesting portlet instance id; compared with the slot's CPIID when one is set
     * @throws NotAllowedException if the user/portlet pair does not own a user-managed slot
     */
    private final void isAccessValid(VaultSlotConfig vaultSlotConfig, User user, ObjectID objectID) throws NotAllowedException {
        boolean debug = Log.isDebugEnabled(LOGGER);
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.isAccessValid() -- entry:  " + vaultSlotConfig + ", " + user + ", " + objectID);
        }
        if (vaultSlotConfig.isUserManaged()) {
            if (null == user) {
                throw accessDenied("Someone is trying to access Vault Slot " + vaultSlotConfig.getVaultSlotKey() + " without identifying themself!", debug);
            }
            boolean ownsSlot = user.getObjectId().equals(vaultSlotConfig.getUserObjectID());
            if (null != vaultSlotConfig.getCPIID()) {
                // Portlet-bound slot: both the owner and the portlet instance must match.
                if (!(ownsSlot && vaultSlotConfig.getCPIID().equals(objectID))) {
                    throw accessDenied("Access is not granted to Vault Slot " + vaultSlotConfig.getVaultSlotKey() + " since user " + user.getId() + " along with portlet " + objectID + " does not own it", debug);
                }
            } else if (!ownsSlot) {
                throw accessDenied("Access is not granted to Vault Slot " + vaultSlotConfig.getVaultSlotKey() + " since user " + user.getId() + " does not own it", debug);
            }
        }
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.isAccessValid() -- exit");
        }
    }

    /**
     * Logs a denied slot access at error level (and at debug level when enabled) and returns the
     * exception for the caller to throw.
     *
     * @param reason the denial message; also becomes the exception message
     * @param debug  whether debug logging is enabled
     * @return the exception to throw
     */
    private NotAllowedException accessDenied(String reason, boolean debug) {
        Log.error(LOGGER, "VaultServiceImpl.isAccessValid():  " + reason);
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.isAccessValid():  " + reason);
        }
        return new NotAllowedException(reason);
    }

    /**
     * Authorisation check for accessing a slot on behalf of a user when no portlet instance is involved.
     * <p>
     * Only user-managed slots are checked: a user must be identified and must own the slot. Admin-defined
     * slots pass unconditionally. Unlike the three-argument form, the slot's CPIID is not consulted.
     * Denials are logged at error level before throwing.
     *
     * @param vaultSlotConfig the slot being accessed
     * @param user            the requesting user; null is rejected for user-managed slots
     * @throws NotAllowedException if the user does not own a user-managed slot
     */
    private final void isAccessValid(VaultSlotConfig vaultSlotConfig, User user) throws NotAllowedException {
        boolean debug = Log.isDebugEnabled(LOGGER);
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.isAccessValid() -- entry:  " + vaultSlotConfig + ", " + user);
        }
        if (vaultSlotConfig.isUserManaged()) {
            String reason = null;
            if (null == user) {
                reason = "Someone is trying to access Vault Slot " + vaultSlotConfig.getVaultSlotKey() + " without identifying themself!";
            } else if (!user.getObjectId().equals(vaultSlotConfig.getUserObjectID())) {
                reason = "Access is not granted to Vault Slot " + vaultSlotConfig.getVaultSlotKey() + " since user " + user.getId() + " does not own it";
            }
            if (null != reason) {
                Log.error(LOGGER, "VaultServiceImpl.isAccessValid():  " + reason);
                if (debug) {
                    Log.debug(LOGGER, "VaultServiceImpl.isAccessValid():  " + reason);
                }
                throw new NotAllowedException(reason);
            }
        }
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.isAccessValid() -- exit");
        }
    }

    /**
     * Stores a credential in a slot with no portlet instance bound to the request.
     * <p>
     * Delegates to the four-argument form with a null portlet instance id; for a slot bound to a
     * portlet instance that form's access check will therefore reject the request.
     *
     * @param vaultSlotConfig  the slot to store into
     * @param credentialSecret the secret to store
     * @param user             the requesting user
     * @throws SecretTypeNotSupportedException from the four-argument form
     * @throws NotAllowedException from the four-argument form
     * @throws VaultServiceException from the four-argument form
     * @throws DataBackendException from the four-argument form
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public void addCredential(VaultSlotConfig vaultSlotConfig, CredentialSecret credentialSecret, User user) throws SecretTypeNotSupportedException, NotAllowedException, VaultServiceException, DataBackendException {
        ObjectID noPortletInstance = null;
        addCredential(vaultSlotConfig, credentialSecret, user, noPortletInstance);
    }

    /**
     * Stores a credential in a slot's backing resource through the segment's vault adapter.
     * <p>
     * Order of checks: the system-credential user is resolved, then the segment and adapter are looked
     * up and the adapter must be writable, and only then is the caller authorised via
     * {@link #isAccessValid(VaultSlotConfig, User, ObjectID)}. An unauthorised caller can thus still
     * learn, from the exception type, whether the segment exists and whether the adapter is read only.
     * NOTE(review): moving the access check ahead of the lookups would close that, at the cost of
     * changing which exception such callers see.
     * <p>
     * When the slot references a system credential the secret is stored under {@link #systemCredUser}
     * rather than the caller; the access check has already confirmed the caller may use the slot.
     *
     * @param vaultSlotConfig  the slot to store into
     * @param credentialSecret the secret to store
     * @param user             the requesting user; null is rejected for user-managed slots
     * @param objectID         the requesting portlet instance id, or null
     * @throws SecretTypeNotSupportedException from the adapter
     * @throws NotAllowedException if the user/portlet pair may not access the slot (logged at error level)
     * @throws VaultServiceException if the segment or adapter does not exist, or the adapter is read only
     * @throws DataBackendException from the segment manager and adapter
     * @throws IllegalStateException from checkSystemDNInitialized() when systemcred.dn is misconfigured
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public void addCredential(VaultSlotConfig vaultSlotConfig, CredentialSecret credentialSecret, User user, ObjectID objectID) throws SecretTypeNotSupportedException, NotAllowedException, VaultServiceException, DataBackendException {
        // Resolves systemCredUser up front so the system-credential branch below never sees null.
        checkSystemDNInitialized();
        boolean isDebugEnabled = Log.isDebugEnabled(LOGGER);
        if (isDebugEnabled) {
            // NOTE(review): this line appends credentialSecret's toString(); whether that exposes secret
            // material depends on CredentialSecret — confirm before enabling debug logging in production.
            Log.debug(LOGGER, new StringBuffer().append("VaultServiceImpl.addCredential() -- entry:  ").append(vaultSlotConfig).append(", ").append(credentialSecret).append(", ").append(user).append(", ").append(objectID).toString());
        }
        VaultSegment segment = this.segmentManager.getSegment(vaultSlotConfig.getSegmentObjectID());
        if (null == segment) {
            if (isDebugEnabled) {
                Log.debug(LOGGER, new StringBuffer().append("VaultServiceImpl.addCredential():  Segment \"").append(vaultSlotConfig.getSegmentObjectID()).append("\" does not exist!!").toString());
            }
            throw new VaultServiceException(new StringBuffer().append("Segment \"").append(vaultSlotConfig.getSegmentObjectID()).append("\" does not exist, credential could not be added for VaultSlot ").append(vaultSlotConfig.getVaultSlotKey()).toString());
        }
        VaultAdapter vaultAdapter = segment.getVaultAdapter();
        if (null == vaultAdapter) {
            throw new VaultServiceException(new StringBuffer().append("The adapter of type ").append(segment.getVaultAdapterType()).append(" does not exist").toString());
        }
        if (vaultAdapter.isReadOnly()) {
            if (isDebugEnabled) {
                Log.debug(LOGGER, new StringBuffer().append("VaultServiceImpl.addCredential():  The credential could not be added, the vault type ").append(vaultAdapter.getType()).append(" is read only.").toString());
            }
            throw new VaultServiceException(new StringBuffer().append("The credential could not be added, the vault type ").append(vaultAdapter.getType()).append(" is read only.").toString());
        }
        try {
            // Authorisation: owner (and portlet instance, when the slot is bound to one) must match.
            isAccessValid(vaultSlotConfig, user, objectID);
            User user2 = user;
            if (vaultSlotConfig.referencesSystemCredential()) {
                // The shared system user becomes the storing identity instead of the caller.
                user2 = this.systemCredUser;
                if (isDebugEnabled) {
                    // Logs the slot's own user ObjectID, not systemCredUser's; the message is approximate.
                    Log.debug(LOGGER, new StringBuffer().append("VaultServiceImpl.addCredential():  Going to use user with ObjectID ").append(vaultSlotConfig.getUserObjectID()).toString());
                }
            }
            if (isDebugEnabled) {
                Log.debug(LOGGER, new StringBuffer().append("VaultServiceImpl.addCredential():  Using user ").append(user2).toString());
            }
            vaultAdapter.addCredential(credentialSecret, user2, vaultSlotConfig.getResourceName());
            if (isDebugEnabled) {
                Log.debug(LOGGER, "VaultServiceImpl.addCredential() -- exit");
            }
        } catch (NotAllowedException e) {
            // Denials are recorded at error level and re-thrown unchanged.
            Log.error(LOGGER, "VaultServiceImpl.addCredential():  Failed to add the credential, the user and/or portlet instance do not have access to the vault slot");
            if (isDebugEnabled) {
                Log.debug(LOGGER, "VaultServiceImpl.addCredential()");
            }
            throw e;
        }
    }

    /**
     * Retrieves the credential stored in a slot and returns it wrapped in a {@link Subject}.
     * <p>
     * The access check runs before any segment or adapter lookup, so unauthorised callers learn nothing
     * about the segment. When the slot references a system credential the secret is read as
     * {@link #systemCredUser} rather than the caller. The returned Subject carries the
     * {@link CredentialSecret} as a private credential.
     *
     * @param vaultSlotConfig the slot to read
     * @param user            the requesting user; null is rejected for user-managed slots
     * @param objectID        the requesting portlet instance id, or null
     * @return a Subject whose private credentials hold the secret, or {@code null} if the adapter
     *         returned no credential
     * @throws SecretTypeNotSupportedException from the adapter
     * @throws VaultServiceException if the segment or its adapter does not exist
     * @throws NotAllowedException if the user/portlet pair may not access the slot (logged at error level)
     * @throws DataBackendException from the segment manager and adapter
     * @throws IllegalStateException from checkSystemDNInitialized() when systemcred.dn is misconfigured
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public Subject getCredential(VaultSlotConfig vaultSlotConfig, User user, ObjectID objectID) throws SecretTypeNotSupportedException, VaultServiceException, NotAllowedException, DataBackendException {
        checkSystemDNInitialized();
        boolean isDebugEnabled = Log.isDebugEnabled(LOGGER);
        if (isDebugEnabled) {
            Object[] objArr = {vaultSlotConfig, user, objectID}; // unused; decompiler artifact
            Log.debug(LOGGER, new StringBuffer().append("VaultServiceImpl.getCredential() -- entry:  ").append(vaultSlotConfig).append(", ").append(user).append(", ").append(objectID).toString());
        }
        try {
            // Authorise first; everything below only runs for a permitted user/portlet pair.
            isAccessValid(vaultSlotConfig, user, objectID);
            VaultSegment segment = this.segmentManager.getSegment(vaultSlotConfig.getSegmentObjectID());
            if (null == segment) {
                if (isDebugEnabled) {
                    Log.debug(LOGGER, new StringBuffer().append("VaultServiceImpl.getCredential():  Segment \"").append(vaultSlotConfig.getSegmentObjectID()).append("\" does not exist!!").toString());
                }
                throw new VaultServiceException(new StringBuffer().append("Segment \"").append(vaultSlotConfig.getSegmentObjectID()).append("\" does not exist, credential could not be retrieved for VaultSlot ").append(vaultSlotConfig.getVaultSlotKey()).toString());
            }
            User user2 = user;
            if (vaultSlotConfig.referencesSystemCredential()) {
                // System credentials are read under the shared system user, not the caller.
                user2 = this.systemCredUser;
            }
            VaultAdapter vaultAdapter = segment.getVaultAdapter();
            if (null == vaultAdapter) {
                throw new VaultServiceException(new StringBuffer().append("The adapter of type ").append(segment.getVaultAdapterType()).append(" could not be found").toString());
            }
            CredentialSecret credential = vaultAdapter.getCredential(vaultSlotConfig.getSecretType(), user2, vaultSlotConfig.getResourceName());
            Subject subject = null;
            if (null != credential) {
                subject = new Subject();
                subject.getPrivateCredentials().add(credential);
            }
            if (isDebugEnabled) {
                // NOTE(review): Subject.toString() renders private credentials when permitted, so this can
                // place the CredentialSecret's string form in the debug log — confirm what that exposes.
                Log.debug(LOGGER, new StringBuffer().append("VaultServiceImpl.getCredential() -- exit:  ").append(subject).toString());
            }
            return subject;
        } catch (NotAllowedException e) {
            // Denials are recorded at error level and re-thrown unchanged.
            Log.error(LOGGER, "VaultServiceImpl.getCredential():  Failed to retrieve the credential, the user and/or portlet instance do not have access to the vault slot");
            if (isDebugEnabled) {
                Log.debug(LOGGER, "VaultServiceImpl.getCredential()");
            }
            throw e;
        }
    }

    /**
     * Removes the credential held in the given vault slot.
     *
     * <p>The segment and adapter are resolved and the adapter's read-only flag is checked before
     * the access check runs; for system-credential slots the deletion is issued for the configured
     * system-credential user rather than {@code user}.
     *
     * @param vaultSlotConfig the slot whose credential is deleted
     * @param user the calling user
     * @throws VaultServiceException if the segment or adapter does not exist, or the adapter is read only
     * @throws NotAllowedException if the access check rejects the caller (re-thrown after logging)
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public void deleteCredential(VaultSlotConfig vaultSlotConfig, User user) throws SecretTypeNotSupportedException, NotAllowedException, VaultServiceException, DataBackendException {
        checkSystemDNInitialized();
        final boolean debug = Log.isDebugEnabled(LOGGER);
        if (debug) {
            Log.debug(LOGGER, "VaultServiceImpl.deleteCredential() -- entry:  " + vaultSlotConfig + ", " + user);
        }
        final VaultSegment segment = this.segmentManager.getSegment(vaultSlotConfig.getSegmentObjectID());
        if (segment == null) {
            if (debug) {
                Log.debug(LOGGER, "VaultServiceImpl.deleteCredential():  Segment \"" + vaultSlotConfig.getSegmentObjectID() + "\" does not exist!!");
            }
            throw new VaultServiceException("Segment \"" + vaultSlotConfig.getSegmentObjectID() + "\" does not exist, credential could not be deleted for VaultSlot " + vaultSlotConfig.getVaultSlotKey());
        }
        final VaultAdapter adapter = segment.getVaultAdapter();
        if (adapter == null) {
            throw new VaultServiceException("The adapter of type " + segment.getVaultAdapterType() + " does not exist");
        }
        if (adapter.isReadOnly()) {
            final String readOnlyMessage = "The credential could not be deleted, the vault type " + adapter.getType() + " is read only.";
            if (debug) {
                Log.debug(LOGGER, "VaultServiceImpl.deleteCredential():  " + readOnlyMessage);
            }
            throw new VaultServiceException(readOnlyMessage);
        }
        try {
            // isAccessValid is expected to signal rejection by throwing NotAllowedException.
            isAccessValid(vaultSlotConfig, user);
            final User owner = vaultSlotConfig.referencesSystemCredential() ? this.systemCredUser : user;
            adapter.deleteCredential(vaultSlotConfig.getSecretType(), owner, vaultSlotConfig.getResourceName());
            if (debug) {
                Log.debug(LOGGER, "VaultServiceImpl.deleteCredential() -- exit");
            }
        } catch (NotAllowedException e) {
            Log.error(LOGGER, "VaultServiceImpl.deleteCredential():  Failed to delete the credential, the user does not have access to the vault slot");
            if (debug) {
                Log.debug(LOGGER, "VaultServiceImpl.deleteCredential()");
            }
            throw e;
        }
    }

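    /**
     * Replaces the credential held in the given vault slot with {@code credentialSecret}.
     *
     * <p>The segment and adapter are resolved and the adapter's read-only flag is checked before
     * the access check runs; for system-credential slots the update is issued for the configured
     * system-credential user rather than {@code user}.
     *
     * @param vaultSlotConfig the slot whose credential is modified
     * @param credentialSecret the new secret (not logged beyond its {@code toString()} at debug level)
     * @param user the calling user
     * @param objectID additional principal checked by {@code isAccessValid} (presumably the portlet
     *     instance, judging by the access-failure message); may be {@code null}
     * @throws VaultServiceException if the segment or adapter does not exist, or the adapter is read only
     * @throws NotAllowedException if the access check rejects the caller (re-thrown after logging)
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public void modifyCredential(VaultSlotConfig vaultSlotConfig, CredentialSecret credentialSecret, User user, ObjectID objectID) throws SecretTypeNotSupportedException, NotAllowedException, VaultServiceException, DataBackendException {
        checkSystemDNInitialized();
        boolean isDebugEnabled = Log.isDebugEnabled(LOGGER);
        if (isDebugEnabled) {
            // NOTE(review): credentialSecret is rendered via toString() here; whether that masks
            // the secret depends on CredentialSecret, which is not visible in this file -- verify.
            Log.debug(LOGGER, "VaultServiceImpl.modifyCredential() -- entry:  " + vaultSlotConfig + ", " + credentialSecret + ", " + user + ", " + objectID);
        }
        VaultSegment segment = this.segmentManager.getSegment(vaultSlotConfig.getSegmentObjectID());
        if (null == segment) {
            if (isDebugEnabled) {
                Log.debug(LOGGER, "VaultServiceImpl.modifyCredential():  Segment \"" + vaultSlotConfig.getSegmentObjectID() + "\" does not exist!!");
            }
            // Fixed: the message previously said "added" (copied from addCredential); this is the modify path.
            throw new VaultServiceException("Segment \"" + vaultSlotConfig.getSegmentObjectID() + "\" does not exist, credential could not be modified for VaultSlot " + vaultSlotConfig.getVaultSlotKey());
        }
        VaultAdapter vaultAdapter = segment.getVaultAdapter();
        if (null == vaultAdapter) {
            throw new VaultServiceException("The adapter of type " + segment.getVaultAdapterType() + " does not exist");
        }
        if (vaultAdapter.isReadOnly()) {
            if (isDebugEnabled) {
                Log.debug(LOGGER, "VaultServiceImpl.modifyCredential():  The credential could not be modified, the vault type " + vaultAdapter.getType() + " is read only.");
            }
            throw new VaultServiceException("The credential could not be modified, the vault type " + vaultAdapter.getType() + " is read only.");
        }
        try {
            // isAccessValid is expected to signal rejection by throwing NotAllowedException.
            isAccessValid(vaultSlotConfig, user, objectID);
            // System-credential slots are stored under the shared system user, not the caller.
            User user2 = user;
            if (vaultSlotConfig.referencesSystemCredential()) {
                user2 = this.systemCredUser;
            }
            vaultAdapter.modifyCredential(credentialSecret, user2, vaultSlotConfig.getResourceName());
            if (isDebugEnabled) {
                Log.debug(LOGGER, "VaultServiceImpl.modifyCredential() -- exit");
            }
        } catch (NotAllowedException e) {
            Log.error(LOGGER, "VaultServiceImpl.modifyCredential():  Failed to modify the credential, the user and/or portlet instance do not have access to the vault slot");
            if (isDebugEnabled) {
                Log.debug(LOGGER, "VaultServiceImpl.modifyCredential()");
            }
            throw e;
        }
    }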

    /**
     * Convenience overload of {@link #modifyCredential(VaultSlotConfig, CredentialSecret, User, ObjectID)}
     * that performs the access check without an additional ObjectID (presumably the portlet
     * instance; it is passed as {@code null}).
     *
     * @param vaultSlotConfig the slot whose credential is modified
     * @param credentialSecret the new secret
     * @param user the calling user
     */
    @Override // com.ibm.wps.sso.vaultservice.VaultService
    public void modifyCredential(VaultSlotConfig vaultSlotConfig, CredentialSecret credentialSecret, User user) throws SecretTypeNotSupportedException, NotAllowedException, VaultServiceException, DataBackendException {
        final ObjectID noObjectID = null;
        this.modifyCredential(vaultSlotConfig, credentialSecret, user, noObjectID);
    }
}
