package com.ibm.ws.security.admintask.securityDomain;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.management.Session;
import com.ibm.websphere.management.cmdframework.CommandLoadException;
import com.ibm.websphere.management.cmdframework.CommandNotFoundException;
import com.ibm.websphere.management.cmdframework.CommandValidationException;
import com.ibm.websphere.management.cmdframework.commanddata.CommandData;
import com.ibm.websphere.management.cmdframework.commandmetadata.TaskCommandMetadata;
import com.ibm.websphere.management.cmdframework.provider.AbstractTaskCommand;
import com.ibm.websphere.management.cmdframework.provider.TaskCommandResultImpl;
import com.ibm.websphere.management.configservice.ConfigService;
import com.ibm.websphere.management.configservice.ConfigServiceFactory;
import com.ibm.websphere.management.configservice.ConfigServiceHelper;
import com.ibm.websphere.management.exception.InvalidAttributeNameException;
import com.ibm.websphere.models.config.ipc.ssl.KeyStore;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.management.configservice.MOFUtil;
import com.ibm.ws.security.common.util.AuditConstants;
import com.ibm.ws.security.config.AuthMechanismConfig;
import com.ibm.ws.security.profiletask.MessageFormatHelper;
import com.ibm.ws.ssl.commands.personalCertificates.PersonalCertificateHelper;
import com.ibm.ws.ssl.commands.utils.CommandConstants;
import com.ibm.ws.ssl.commands.utils.CommandHelper;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.ResourceBundle;
import javax.management.Attribute;
import javax.management.AttributeList;
import javax.management.ObjectName;
import javax.management.QueryExp;

/* loaded from: input_file:com/ibm/ws/security/admintask/securityDomain/ConfigureRSATokenAuthorization.class */
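/**
 * Admin task that configures the {@code RSAToken} authentication mechanism under the
 * cell-level {@code Security} configuration object: the token expiration, the nonce cache
 * timeout, the trust store used to validate peer admin certificates, and the personal
 * certificate (key store + alias) this mechanism presents.
 *
 * <p>Work is split in two phases. {@link #validate()} reads the caller's parameters and
 * resolves the named key/trust stores to configuration object names.
 * {@link #afterStepsExecuted()} fills unspecified values from the existing {@code RSAToken}
 * entry (or built-in defaults), enforces the cross-field rules (token lifetime strictly
 * below the nonce cache lifetime, both stores marked for RSA-token usage, alias present in
 * the key store) and only then writes the configuration.
 *
 * <p>Not thread-safe: an instance carries the parsed parameters in fields between phases.
 */
public class ConfigureRSATokenAuthorization extends AbstractTaskCommand {
    private static final String BUNDLE_NAME = "com.ibm.ejs.resources.security";
    private static final ResourceBundle resBundle = ResourceBundle.getBundle(BUNDLE_NAME, Locale.getDefault());
    private static final TraceComponent tc = Tr.register(ConfigureRSATokenAuthorization.class, "ConfigureRSATokenAuthorization", "com.ibm.ws.security.admintask.securityDomain");

    /** Containment path resolved to the cell-level Security object. */
    private static final String SECURITY_PATH = "Cell=:Security=";
    /** Config data type name of the RSA token auth mechanism entry under {@code authMechanisms}. */
    private static final String RSA_TOKEN_TYPE = "RSAToken";
    /** Trace point name shared by entry/exit of {@link #afterStepsExecuted()}. */
    private static final String AFTER_STEPS = "afterStepsExecuted";
    /** OID recorded on a newly created RSAToken auth mechanism entry. */
    private static final String RSA_TOKEN_OID = "oid:1.3.18.0.2.30.6";
    /** Auth context implementation class recorded on a newly created RSAToken entry. */
    private static final String RSA_TOKEN_AUTH_CONTEXT_IMPL = "com.ibm.ISecurityLocalObjectTokenBaseImpl.WSSecurityContextAdminRolePropImpl";
    /** Login configuration alias recorded on a newly created RSAToken entry. */
    private static final String DEFAULT_AUTH_CONFIG = "system.DEFAULT";
    /** Token lifetime applied when neither the caller nor the existing config supplies one (stored units). */
    private static final long DEFAULT_TOKEN_EXPIRATION = 600L;
    /** Nonce cache lifetime applied when neither the caller nor the existing config supplies one (stored units). */
    private static final long DEFAULT_NONCE_CACHE_TIMEOUT = 1200L;
    /** Factor applied to the caller-supplied timeouts before they are stored (caller unit is presumably minutes — TODO confirm). */
    private static final long TIMEOUT_SCALE = 60L;

    // Not read anywhere in this class; kept package-visible for compatibility with callers in the package.
    Boolean globalSecEnabled = Boolean.FALSE;
    // Caller parameter scaled by TIMEOUT_SCALE in validate(); null means "not supplied".
    Long tokenExpiration;
    // Caller parameter scaled by TIMEOUT_SCALE in validate(); null means "not supplied".
    Long nonceCacheTimeout;
    // Name/scope of the trust store that validates peer admin certificates (null if not supplied).
    String adminCertTrustStore;
    String adminCertTrustStoreScope;
    // Name/scope of the key store holding this mechanism's personal certificate (null if not supplied).
    String adminCertKeyStore;
    String adminCertKeyStoreScope;
    // Alias of the personal certificate inside adminCertKeyStore (null if not supplied).
    String adminCertAlias;
    // Resolved configuration objects; set by validate() from the caller's parameters and
    // completed from the existing configuration in afterStepsExecuted().
    ObjectName trustStoreObj;
    ObjectName keyStoreObj;
    ObjectName certObj;

    /**
     * Creates the task from its metadata.
     *
     * @param taskCommandMetadata metadata describing the task command
     * @throws CommandNotFoundException propagated from {@link AbstractTaskCommand}
     */
    public ConfigureRSATokenAuthorization(TaskCommandMetadata taskCommandMetadata) throws CommandNotFoundException {
        super(taskCommandMetadata);
    }

    /**
     * Creates the task from serialized command data.
     *
     * @param commandData the command data to load
     * @throws CommandNotFoundException propagated from {@link AbstractTaskCommand}
     * @throws CommandLoadException propagated from {@link AbstractTaskCommand}
     */
    public ConfigureRSATokenAuthorization(CommandData commandData) throws CommandNotFoundException, CommandLoadException {
        super(commandData);
    }

    /**
     * Formats a message from a resource bundle.
     *
     * @param resourceBundle bundle to look the key up in
     * @param str message key
     * @param objArr message arguments, may be {@code null}
     * @return the formatted message
     */
    private static String getMsg(ResourceBundle resourceBundle, String str, Object[] objArr) {
        return MessageFormatHelper.getFormattedMessage(resourceBundle, str, objArr);
    }

    /**
     * Reads the task parameters and resolves the named trust store and key store to
     * configuration object names under the cell-level Security object.
     *
     * <p>A key store given without a certificate alias is rejected here; the remaining
     * cross-field checks run in {@link #afterStepsExecuted()} once the existing
     * configuration has been merged in.
     *
     * @throws CommandValidationException if the key store is supplied without an alias, or
     *         if any error occurs while resolving the configuration (the cause is preserved)
     */
    @Override
    public void validate() throws CommandValidationException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, AuditConstants.VALIDATE);
        }
        super.validate();
        try {
            ConfigService configService = ConfigServiceFactory.getConfigService();
            Session configSession = getConfigSession();
            ObjectName securityObj = configService.resolve(configSession, SECURITY_PATH)[0];
            this.tokenExpiration = (Long) getParameter("tokenExpiration");
            this.nonceCacheTimeout = (Long) getParameter("nonceCacheTimeout");
            this.adminCertTrustStore = (String) getParameter("adminCertTrustStore");
            this.adminCertTrustStoreScope = (String) getParameter("adminCertTrustStoreScope");
            this.adminCertKeyStore = (String) getParameter("adminCertKeyStore");
            this.adminCertKeyStoreScope = (String) getParameter("adminCertKeyStoreScope");
            this.adminCertAlias = (String) getParameter("adminCertAlias");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "tokenExpiration=" + this.tokenExpiration + " nonceCacheTimeout=" + this.nonceCacheTimeout + " adminCertTrustStore=" + this.adminCertTrustStore + " adminCertTrustStoreScope=" + this.adminCertTrustStoreScope + " adminCertKeyStore=" + this.adminCertKeyStore + " adminCertKeyStoreScope=" + this.adminCertKeyStoreScope + " adminCertAlias=" + this.adminCertAlias);
            }
            CommandHelper commandHelper = new CommandHelper();
            if (this.adminCertTrustStore != null) {
                if (this.adminCertTrustStoreScope == null) {
                    this.adminCertTrustStoreScope = commandHelper.defaultScope();
                }
                this.trustStoreObj = resolveKeyStore(commandHelper, configService, configSession, securityObj, this.adminCertTrustStore, this.adminCertTrustStoreScope);
            }
            if (this.adminCertKeyStore != null) {
                if (this.adminCertKeyStoreScope == null) {
                    this.adminCertKeyStoreScope = commandHelper.defaultScope();
                }
                this.keyStoreObj = resolveKeyStore(commandHelper, configService, configSession, securityObj, this.adminCertKeyStore, this.adminCertKeyStoreScope);
                // A key store is only meaningful together with the alias of the certificate to present.
                if (this.adminCertAlias == null || this.adminCertAlias.isEmpty()) {
                    throw new CommandValidationException(getMsg(resBundle, "security.admintask.noCertAlias.SECJ7745E", null));
                }
            }
            // Timeouts are stored scaled by TIMEOUT_SCALE; the existing-config values read later are already in stored units.
            if (this.tokenExpiration != null) {
                this.tokenExpiration = Long.valueOf(this.tokenExpiration.longValue() * TIMEOUT_SCALE);
            }
            if (this.nonceCacheTimeout != null) {
                this.nonceCacheTimeout = Long.valueOf(this.nonceCacheTimeout.longValue() * TIMEOUT_SCALE);
            }
        } catch (CommandValidationException e) {
            // Already a user-facing validation failure; do not re-wrap or FFDC it.
            throw e;
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.admintask.securityDomain.ConfigureRolePropAuthorization.validate", "151", this);
            throw new CommandValidationException(e, e.getMessage());
        } finally {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, AuditConstants.VALIDATE);
            }
        }
    }

    /**
     * Resolves a key store by name within a management scope.
     *
     * @param commandHelper helper performing the lookup
     * @param configService config service
     * @param configSession config session
     * @param securityObj the cell-level Security object whose {@code keyStores} are searched
     * @param storeName key store name
     * @param scopeName management scope name
     * @return the key store's object name, or whatever {@code CommandHelper.getObjectName}
     *         returns when nothing matches (presumably {@code null} — confirm against the helper)
     * @throws Exception propagated from the config service / helper
     */
    private static ObjectName resolveKeyStore(CommandHelper commandHelper, ConfigService configService, Session configSession,
            ObjectName securityObj, String storeName, String scopeName) throws Exception {
        AttributeList query = new AttributeList();
        ConfigServiceHelper.setAttributeValue(query, "name", storeName);
        return commandHelper.getObjectName(configService, configSession, securityObj, "keyStores", query, scopeName);
    }

    /**
     * Merges the task parameters with the existing {@code RSAToken} configuration, enforces
     * the cross-field rules and writes the result. Any failure is recorded on the task result
     * as a {@link CommandValidationException} (cause preserved) rather than thrown.
     *
     * <p>Nothing is written if an earlier step already marked the result unsuccessful.
     */
    @Override
    protected void afterStepsExecuted() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, AFTER_STEPS);
        }
        super.afterStepsExecuted();
        TaskCommandResultImpl taskCommandResult = getTaskCommandResult();
        if (!taskCommandResult.isSuccessful()) {
            if (tc.isDebugEnabled()) {
                Tr.exit(tc, AFTER_STEPS);
            }
            return;
        }
        try {
            ConfigService configService = getConfigService();
            Session configSession = getConfigSession();
            ObjectName securityObj = configService.resolve(configSession, SECURITY_PATH)[0];
            ObjectName rolePropObj = getRolePropObj(configSession, configService, securityObj);
            if (rolePropObj != null) {
                mergeExistingSettings(configService, configSession, rolePropObj);
            }
            applyDefaults();
            checkConsistency(configService, configSession);
            if (rolePropObj == null) {
                rolePropObj = createRsaTokenMechanism(configService, configSession, securityObj);
            }
            writeMechanismAttributes(configService, configSession, rolePropObj);
            writeCertificateAttributes(configService, configSession, securityObj, rolePropObj);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.commands.securityDomain.ConfigureRolePropAuthorization", "317");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "exception caught", e);
            }
            taskCommandResult.setException(new CommandValidationException(e, e.getMessage()));
        } finally {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, AFTER_STEPS);
            }
        }
    }

    /**
     * Fills every field the caller left unset from the existing {@code RSAToken} entry.
     *
     * <p>The existing certificate is only reused when the caller did not name a new key
     * store; naming a new key store therefore always results in a new certificate entry
     * (see {@link #writeCertificateAttributes}).
     *
     * @throws Exception propagated from the config service
     */
    private void mergeExistingSettings(ConfigService configService, Session configSession, ObjectName rolePropObj) throws Exception {
        if (this.tokenExpiration == null) {
            this.tokenExpiration = (Long) configService.getAttribute(configSession, rolePropObj, "tokenExpiration");
        }
        if (this.nonceCacheTimeout == null) {
            this.nonceCacheTimeout = (Long) configService.getAttribute(configSession, rolePropObj, "nonceCacheTimeout");
        }
        if (this.trustStoreObj == null) {
            this.trustStoreObj = (ObjectName) configService.getAttribute(configSession, rolePropObj, "adminCertificateTrustStore");
        }
        if (this.keyStoreObj == null) {
            this.certObj = (ObjectName) configService.getAttribute(configSession, rolePropObj, "adminCertificate");
            if (this.certObj != null) {
                this.keyStoreObj = (ObjectName) configService.getAttribute(configSession, this.certObj, "keyStore");
                if (this.adminCertAlias == null) {
                    this.adminCertAlias = (String) configService.getAttribute(configSession, this.certObj, "alias");
                }
            }
        }
    }

    /** Applies the built-in timeouts where neither the caller nor the existing config set one. */
    private void applyDefaults() {
        if (this.tokenExpiration == null) {
            this.tokenExpiration = Long.valueOf(DEFAULT_TOKEN_EXPIRATION);
        }
        if (this.nonceCacheTimeout == null) {
            this.nonceCacheTimeout = Long.valueOf(DEFAULT_NONCE_CACHE_TIMEOUT);
        }
    }

    /**
     * Enforces the cross-field rules before anything is written. Must run after
     * {@link #applyDefaults()} so both timeouts are non-null.
     *
     * <ul>
     *   <li>token expiration must be strictly below the nonce cache timeout (presumably so a
     *       nonce stays cached for the whole lifetime of the token it protects — confirm);</li>
     *   <li>both the key store and the trust store must carry the RSA-token usage marker;</li>
     *   <li>an alias requires a key store, and must actually exist in that key store.</li>
     * </ul>
     *
     * @throws CommandValidationException if a rule is violated
     * @throws Exception propagated from the config service / certificate helpers
     */
    private void checkConsistency(ConfigService configService, Session configSession) throws Exception {
        if (this.tokenExpiration.longValue() >= this.nonceCacheTimeout.longValue()) {
            throw new CommandValidationException(getMsg(resBundle, "security.admintask.nonceValue.SECJ7746E", null));
        }
        if (this.keyStoreObj != null && !isAdminKeyStore(configSession, configService, this.keyStoreObj)) {
            throw new CommandValidationException(getMsg(resBundle, "security.admintask.RSAKeyStore.SECJ7747E", new Object[]{this.adminCertKeyStore}));
        }
        if (this.trustStoreObj != null && !isAdminKeyStore(configSession, configService, this.trustStoreObj)) {
            throw new CommandValidationException(getMsg(resBundle, "security.admintask.RSATrustStore.SECJ7748E", new Object[]{this.adminCertTrustStore}));
        }
        if (this.adminCertAlias != null) {
            if (this.keyStoreObj == null) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.noKeyStore.SECJ7749E", null));
            }
            KeyStore keyStore = MOFUtil.convertToEObject(configSession, this.keyStoreObj);
            boolean aliasPresent = PersonalCertificateHelper.isAliasInKeyStore(this.adminCertAlias,
                    PersonalCertificateHelper.getKsInfo(configSession, configService, keyStore.getName(), keyStore.getManagementScope().getScopeName()));
            if (!aliasPresent) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.certNotInKS.SECJ7750E", new Object[]{this.adminCertAlias, this.adminCertKeyStore}));
            }
        }
    }

    /**
     * Creates a fresh {@code RSAToken} entry under {@code authMechanisms} with the fixed
     * OID, auth context implementation and login configuration aliases.
     *
     * @return the object name of the created entry
     * @throws Exception propagated from the config service
     */
    private static ObjectName createRsaTokenMechanism(ConfigService configService, Session configSession, ObjectName securityObj) throws Exception {
        AttributeList attrs = new AttributeList();
        attrs.add(new Attribute(AuthMechanismConfig.OID, RSA_TOKEN_OID));
        attrs.add(new Attribute(AuthMechanismConfig.AUTH_CONTEXT_IMPL_CLASS, RSA_TOKEN_AUTH_CONTEXT_IMPL));
        attrs.add(new Attribute(AuthMechanismConfig.AUTH_CONFIG, DEFAULT_AUTH_CONFIG));
        attrs.add(new Attribute(AuthMechanismConfig.SIMPLE_AUTH_CONFIG, DEFAULT_AUTH_CONFIG));
        attrs.add(new Attribute(AuthMechanismConfig.AUTH_VALIDATION_CONFIG, DEFAULT_AUTH_CONFIG));
        return configService.createConfigData(configSession, securityObj, "authMechanisms", RSA_TOKEN_TYPE, attrs);
    }

    /**
     * Writes the timeouts and (if set) the trust store reference onto the mechanism entry.
     *
     * @throws Exception propagated from the config service
     */
    private void writeMechanismAttributes(ConfigService configService, Session configSession, ObjectName rolePropObj) throws Exception {
        AttributeList attrs = new AttributeList();
        if (this.tokenExpiration != null) {
            attrs.add(new Attribute("tokenExpiration", this.tokenExpiration));
        }
        if (this.nonceCacheTimeout != null) {
            attrs.add(new Attribute("nonceCacheTimeout", this.nonceCacheTimeout));
        }
        if (this.trustStoreObj != null) {
            attrs.add(new Attribute("adminCertificateTrustStore", this.trustStoreObj));
        }
        configService.setAttributes(configSession, rolePropObj, attrs);
    }

    /**
     * Writes the key store / alias onto the existing certificate entry, or — when none was
     * reused — creates a new {@code certificates} entry and links it as the mechanism's
     * {@code adminCertificate}. Nothing is created when there is nothing to write.
     *
     * @throws Exception propagated from the config service
     */
    private void writeCertificateAttributes(ConfigService configService, Session configSession, ObjectName securityObj, ObjectName rolePropObj) throws Exception {
        AttributeList attrs = new AttributeList();
        if (this.keyStoreObj != null) {
            attrs.add(new Attribute("keyStore", this.keyStoreObj));
        }
        if (this.adminCertAlias != null) {
            attrs.add(new Attribute("alias", this.adminCertAlias));
        }
        if (this.certObj != null) {
            configService.setAttributes(configSession, this.certObj, attrs);
            return;
        }
        if (attrs.isEmpty()) {
            return;
        }
        ObjectName newCert = configService.createConfigData(configSession, securityObj, "certificates", (String) null, attrs);
        if (newCert != null) {
            AttributeList link = new AttributeList();
            link.add(new Attribute("adminCertificate", newCert));
            configService.setAttributes(configSession, rolePropObj, link);
        }
    }

    /**
     * Finds the {@code RSAToken} entry among the Security object's {@code authMechanisms}.
     *
     * <p>If several entries carry that type, the last one that resolves to a config object
     * wins. A missing {@code authMechanisms} attribute is treated as "not configured".
     *
     * @param session config session
     * @param configService config service
     * @param objectName the cell-level Security object
     * @return the mechanism's object name, or {@code null} if none is configured
     * @throws Exception propagated from the config service (other than a missing attribute)
     */
    public static ObjectName getRolePropObj(Session session, ConfigService configService, ObjectName objectName) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRolePropObj");
        }
        ObjectName found = null;
        try {
            List<?> mechanisms = (List<?>) configService.getAttribute(session, objectName, "authMechanisms");
            if (mechanisms != null) {
                for (Object mechanism : mechanisms) {
                    AttributeList attrs = (AttributeList) mechanism;
                    Object dataType = ConfigServiceHelper.getAttributeValue(attrs, "_Websphere_Config_Data_Type");
                    if (dataType == null || !RSA_TOKEN_TYPE.equals(dataType.toString())) {
                        continue;
                    }
                    ObjectName[] matches = configService.queryConfigObjects(session, (ObjectName) null, ConfigServiceHelper.createObjectName(attrs), (QueryExp) null);
                    // Guard the empty-result case; the query may legitimately match nothing.
                    if (matches != null && matches.length > 0 && matches[0] != null) {
                        found = matches[0];
                    }
                }
            }
        } catch (InvalidAttributeNameException ignored) {
            // No authMechanisms attribute on this object: report whatever was found so far (normally null).
        } finally {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getRolePropObj");
            }
        }
        return found;
    }

    /**
     * Tells whether a key store is designated for RSA-token use, i.e. its {@code usage}
     * attribute equals {@code CommandConstants.KS_USAGE_RSA} (case-insensitively).
     *
     * @param session config session
     * @param configService config service
     * @param objectName the key store config object
     * @return {@code true} only if the usage marker is present and matches
     * @throws Exception propagated from the config service
     */
    private boolean isAdminKeyStore(Session session, ConfigService configService, ObjectName objectName) throws Exception {
        String usage = (String) configService.getAttribute(session, objectName, "usage");
        return usage != null && usage.equalsIgnoreCase(CommandConstants.KS_USAGE_RSA);
    }
}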
