package com.ibm.ws.objectgrid.security;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.objectgrid.security.plugins.ObjectGridAuthorization;
import com.ibm.ws.objectgrid.Constants;
import com.ibm.ws.objectgrid.ServerSecurityConfigService;
import com.ibm.ws.objectgrid.runtime.RuntimeInfo;
import com.ibm.ws.objectgrid.security.config.IAdministratorAuthorizer;
import com.ibm.ws.xs.NLSConstants;
import com.ibm.ws.xs.util.Messages;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.management.MBeanPermission;
import javax.security.auth.Subject;

/* loaded from: input_file:com/ibm/ws/objectgrid/security/AdministratorAuthorizer.class */
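/**
 * Decides whether a caller, represented by a JAAS {@link Subject}, may perform
 * administrative (MBean) operations.
 *
 * <p>One of three back ends is used, chosen from state captured in the constructor:
 * <ul>
 *   <li>the XC10 {@code ObjectGridAuthorization} plug-in class, when it could be loaded;</li>
 *   <li>{@code WASAuthorizationChecker}, in a WAS server process with no
 *       {@link SecurityManager} installed;</li>
 *   <li>otherwise a policy check run through {@link Subject#doAsPrivileged}.</li>
 * </ul>
 *
 * <p>Every failure to complete a check is treated as a denial (fail closed).
 */
public class AdministratorAuthorizer implements IAdministratorAuthorizer {
    /** Message carried by every {@link AccessControlException} raised by this class. */
    private static final String ACCESS_DENIED_MESSAGE = "The caller does not have permission to do administration operations.";
    /** MBean name pattern of the administrator permission: all MBeans. */
    private static final String ADMIN_MBEAN_NAME = "*";
    /** MBean actions a subject must hold to count as an administrator. */
    private static final String ADMIN_MBEAN_ACTIONS = "getAttribute,setAttribute,invoke,queryNames";

    // XC10 authorization plug-in class; null when not on XC10 or when it could not be loaded.
    private Class<?> ogXSAAuthorizationClass;
    // Security manager captured at construction time; only read off the XC10 path.
    private SecurityManager securityManager;
    private static final TraceComponent tc = Tr.register(AdministratorAuthorizer.class, Constants.TR_SECURITY_GROUP_NAME, "com.ibm.ws.objectgrid.resources.ObjectGridMessages");
    private static AdministratorAuthorizer psa = null;
    private static ServiceAuthorization serviceAuthorization = new ServiceAuthorization();
    private static ServerSecurityConfigService serverSecurityService = ServerSecurityConfigService.instance();

    /**
     * Captures the authorization back end available in this process.
     *
     * <p>On XC10 the plug-in class is looked up through this class's own class loader.
     * If that lookup fails both fields stay {@code null}, and enforcement then depends
     * only on the configured administrative-control flag (see
     * {@link #isAuthorizationEnforced()}).
     */
    private AdministratorAuthorizer() {
        this.ogXSAAuthorizationClass = null;
        this.securityManager = null;
        Tr.entry(tc, "AdministratorAuthorizer constructor");
        if (RuntimeInfo.instance().isXC10()) {
            final Class<?> self = getClass();
            try {
                // Only the class-loader lookup runs privileged; loadClass runs with the caller's rights.
                ClassLoader loader = AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
                    @Override
                    public ClassLoader run() {
                        return self.getClassLoader();
                    }
                });
                this.ogXSAAuthorizationClass = loader.loadClass("com.ibm.ws.xsa.security.og.ObjectGridAuthorization");
                Tr.debug(tc, "AdministratorAuthenticator constructor. The ObjectGridAuthorization class resolved, so we are running in the XC10.");
            } catch (ClassNotFoundException e) {
                Tr.debug(tc, "AdministratorAuthenticator constructor. The ObjectGridAuthorization class was not resolved, so we are not running in the XC10.");
            }
        } else {
            this.securityManager = System.getSecurityManager();
        }
        Tr.exit(tc, "AdministratorAuthorizer constructor");
    }

    /**
     * Returns the process-wide instance, creating it on first use.
     *
     * @return the shared authorizer
     */
    public static synchronized AdministratorAuthorizer getSingleton() {
        if (psa == null) {
            psa = new AdministratorAuthorizer();
        }
        return psa;
    }

    /**
     * Reports whether administrator checks are enforced in this process.
     *
     * <p>Enforcement is off only when no XC10 plug-in class was loaded, no security
     * manager was captured, and the server security configuration has administrative
     * control disabled. When this returns {@code false},
     * {@link #administratorAccessPermitted(Subject)} performs no check at all.
     *
     * @return {@code true} if callers must pass the administrator check
     */
    @Override // com.ibm.ws.objectgrid.security.config.IAdministratorAuthorizer
    public boolean isAuthorizationEnforced() {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "AdministrativeControl is ", Boolean.valueOf(serverSecurityService.getServerSecurityProperties().getServerSecurityConfiguration().getAdministrativeControl()));
        }
        // The configuration is consulted last, and only when neither back end is present.
        if (this.ogXSAAuthorizationClass == null && this.securityManager == null && !serverSecurityService.getServerSecurityProperties().getServerSecurityConfiguration().getAdministrativeControl()) {
            Tr.debug(tc, "Administrator Authorizer isAuthorizationEnforced returns false.");
            return false;
        }
        Tr.debug(tc, "Administrator Authorizer isAuthorizationEnforced returns true.");
        return true;
    }

    /**
     * Verifies that {@code subject} holds the administrator MBean permission.
     *
     * <p>Returns normally when enforcement is off or the check succeeds. A
     * {@code null} subject, a failed check, and any error while running the check
     * all end in an exception.
     *
     * @param subject the authenticated caller; {@code null} is rejected when enforcement is on
     * @throws SecurityException if the subject is not an administrator or the check
     *         could not be completed ({@link AccessControlException} is a subclass)
     */
    @Override // com.ibm.ws.objectgrid.security.config.IAdministratorAuthorizer
    public void administratorAccessPermitted(final Subject subject) throws SecurityException {
        Tr.entry(tc, "administratorAccessPermitted");
        try {
            if (!isAuthorizationEnforced()) {
                return;
            }
            if (subject == null) {
                throw new AccessControlException(ACCESS_DENIED_MESSAGE);
            }
            if (this.ogXSAAuthorizationClass != null) {
                checkWithXsaPlugin(subject);
            } else {
                checkWithPolicy(subject);
            }
            Tr.debug(tc, "The subject has administrator (MBean) permissions.");
        } finally {
            // Keep the entry/exit trace balanced on the early-return and exception paths too.
            Tr.exit(tc, "administratorAccessPermitted");
        }
    }

    /**
     * Runs the check through a fresh instance of the XC10 plug-in class.
     *
     * @throws SecurityException if the plug-in denies the subject or cannot be instantiated
     */
    private void checkWithXsaPlugin(Subject subject) {
        final ObjectGridAuthorization authorization;
        try {
            authorization = (ObjectGridAuthorization) this.ogXSAAuthorizationClass.newInstance();
        } catch (IllegalAccessException e) {
            // Fail closed: without the plug-in no check has run, so access must not be granted.
            Tr.event(tc, "IllegalAccessException instantiating the ObjectGridAuthorization class.");
            throw accessDenied(e);
        } catch (InstantiationException e) {
            // Fail closed for the same reason as above.
            Tr.event(tc, "Could not instantiate the ObjectGridAuthorization class.");
            throw accessDenied(e);
        }
        if (!authorization.checkPermission(subject, new MBeanPermission(ADMIN_MBEAN_NAME, ADMIN_MBEAN_ACTIONS))) {
            String msg = Messages.getMsg(NLSConstants.SECURITY_NO_ADMINISTRATOR_PERMISSIONS_CWOBJ1324E);
            Tr.error(tc, msg);
            throw new SecurityException(msg);
        }
        Tr.event(tc, "The user has XS10 administrative permissions");
    }

    /**
     * Runs the check through WAS authorization or a policy check under the subject.
     *
     * @throws AccessControlException if the subject is denied or the check fails
     */
    private void checkWithPolicy(final Subject subject) {
        final MBeanPermission mBeanPermission = new MBeanPermission(ADMIN_MBEAN_NAME, ADMIN_MBEAN_ACTIONS);
        final PrivilegedExceptionAction<?> policyCheck = AdministratorPermissionCheckAction.getInstance(mBeanPermission);
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                @Override
                public Object run() throws AccessControlException {
                    try {
                        if (RuntimeInfo.instance().isWASServerProcess() && AdministratorAuthorizer.this.securityManager == null) {
                            // NOTE(review): any return value of checkPermission is not inspected here;
                            // presumably a denial is signalled by an exception. Confirm against
                            // WASAuthorizationChecker.
                            WASAuthorizationChecker.getInstance().checkPermission(subject, mBeanPermission);
                        } else {
                            // A null context makes the check depend on the subject's principals,
                            // not on the code already on the call stack.
                            Subject.doAsPrivileged(subject, policyCheck, (AccessControlContext) null);
                        }
                        return null;
                    } catch (PrivilegedActionException e) {
                        Throwable cause = e.getCause();
                        if (cause instanceof AccessControlException) {
                            throw (AccessControlException) cause;
                        }
                        Tr.event(AdministratorAuthorizer.tc, "Unexpected exception in isAdministratorAccessPermitted " + cause);
                        throw accessDenied(cause);
                    }
                }
            });
        } catch (PrivilegedActionException e) {
            // run() declares only the unchecked AccessControlException, which passes through
            // doPrivileged unwrapped; this branch is a fail-closed backstop.
            Tr.event(tc, "the subject was denied administrator access.");
            Throwable cause = e.getCause();
            if (!(cause instanceof AccessControlException)) {
                Tr.event(tc, "Unexpected exception in administratorAccessPermitted " + cause);
            }
            throw accessDenied(cause);
        }
    }

    /** Builds the denial exception, recording {@code cause} when there is one. */
    private static AccessControlException accessDenied(Throwable cause) {
        AccessControlException denial = new AccessControlException(ACCESS_DENIED_MESSAGE);
        if (cause != null) {
            denial.initCause(cause);
        }
        return denial;
    }

    /**
     * Delegates to the shared {@code ServiceAuthorization} to decide whether a call
     * needs the administrator check.
     *
     * @param str first lookup argument, passed through unchanged
     * @param str2 second lookup argument, passed through unchanged
     * @return the delegate's answer
     */
    @Override // com.ibm.ws.objectgrid.security.config.IAdministratorAuthorizer
    public boolean isAuthorizationCheckRequired(String str, String str2) {
        return serviceAuthorization.isAuthorizationCheckRequired(str, str2);
    }

    /** Asks the shared {@code ServiceAuthorization} to build its lookup sets. */
    @Override // com.ibm.ws.objectgrid.security.config.IAdministratorAuthorizer
    public void setupServiceAuthorization() {
        serviceAuthorization.setupSets();
    }
}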
