package com.ibm.ws.security.javaeesec.identitystore;

import com.ibm.websphere.ras.ProtectedString;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.javaeesec.CDIHelper;
import com.ibm.ws.security.javaeesec.JavaEESecConstants;
import java.lang.annotation.Annotation;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Default;
import javax.enterprise.inject.Instance;
import javax.enterprise.inject.spi.CDI;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.enterprise.credential.CallerOnlyCredential;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.DatabaseIdentityStoreDefinition;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.IdentityStorePermission;
import javax.security.enterprise.identitystore.PasswordHash;
import javax.sql.DataSource;

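/**
 * Jakarta EE Security {@link IdentityStore} backed by a JDBC {@link DataSource}.
 * <p>
 * Configuration is taken from a {@link DatabaseIdentityStoreDefinition} (wrapped in
 * {@code DatabaseIdentityStoreDefinitionWrapper}): a JNDI data-source lookup, a caller
 * query whose first column is the stored password hash for a caller name, a groups query
 * whose first column is one group name per row, and the {@link PasswordHash} bean used to
 * verify passwords. Both queries run through a {@link PreparedStatement} with the caller
 * name bound as the single {@code ?} parameter, so caller-controlled input never becomes
 * part of the SQL text; the query strings themselves come from configuration.
 * <p>
 * The bean is {@code @ApplicationScoped}. The lazily created {@link InitialContext} and the
 * cached {@link DataSource} are written without synchronization; a concurrent first use may
 * perform the JNDI lookup more than once, which is idempotent.
 */
@Default
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@ApplicationScoped
@TraceOptions
public class DatabaseIdentityStore implements IdentityStore {
    private static final TraceComponent tc = Tr.register(DatabaseIdentityStore.class, "security", "com.ibm.ws.security.javaeesec.internal.resources.JavaEESecMessages");

    /** Fully qualified class name used as the FFDC source identifier. */
    private static final String FFDC_SOURCE = "com.ibm.ws.security.javaeesec.identitystore.DatabaseIdentityStore";

    /** Placeholder reported in error messages when a query string could not be resolved. */
    private static final String QUERY_NOT_RESOLVED = "not_resolved";

    private final DatabaseIdentityStoreDefinitionWrapper idStoreDefinition;
    private final PasswordHash passwordHash;
    private InitialContext initialContext = null;
    /** Cached data source; only populated when {@link #evaluateAlways} is false. */
    private DataSource dataSource = null;
    /** When true the data-source lookup is re-resolved on every connection request. */
    private boolean evaluateAlways = false;
    // Present in the original class even though it does not declare Serializable; kept for compatibility.
    static final long serialVersionUID = 6014569462181766753L;

    /**
     * Builds the store from its definition: resolves the {@link PasswordHash} CDI bean,
     * applies any configured hash parameters, and tries to create the JNDI context.
     *
     * @param databaseIdentityStoreDefinition the annotation carrying the store configuration
     * @throws IdentityStoreRuntimeException if the hash bean cannot be resolved unambiguously
     *         or a hash parameter is not of the form {@code name=value}
     */
    public DatabaseIdentityStore(DatabaseIdentityStoreDefinition databaseIdentityStoreDefinition) {
        this.idStoreDefinition = new DatabaseIdentityStoreDefinitionWrapper(databaseIdentityStoreDefinition);
        Class<? extends PasswordHash> hashAlgorithm = this.idStoreDefinition.getHashAlgorithm();
        this.passwordHash = resolvePasswordHash(hashAlgorithm);

        List<String> rawParameters = this.idStoreDefinition.getHashAlgorithmParameters();
        if (rawParameters != null && !rawParameters.isEmpty()) {
            if (tc.isEventEnabled()) {
                Tr.event(tc, "Processing HashAlgorithmParameters.");
            }
            Map<String, String> parameters = parseHashParameters(hashAlgorithm, rawParameters);
            if (tc.isEventEnabled()) {
                // Parameter values are logged; they are expected to be tuning values such as
                // iteration counts and algorithm names, not secrets -- confirm for custom hashes.
                Tr.event(tc, "Processed HashAlgorithmParameters: " + parameters);
            }
            this.passwordHash.initialize(parameters);
        }

        try {
            this.initialContext = new InitialContext();
        } catch (NamingException e) {
            // Probe IDs are the instrumentation-assigned values from the original build.
            FFDCFilter.processException(e, FFDC_SOURCE, "144", this, new Object[]{databaseIdentityStoreDefinition});
            if (tc.isEventEnabled()) {
                // Not fatal: getConnection() retries the context creation on first use.
                Tr.event(tc, "Setting up InitializeContext failed, will try later.", e);
            }
        }

        this.evaluateAlways = !this.idStoreDefinition.isDataSourceEvaluated();
        if (tc.isEventEnabled()) {
            Tr.event(tc, "Always evaluate Datasource: " + this.evaluateAlways);
        }
    }

    /**
     * Looks up the {@link PasswordHash} bean for {@code hashAlgorithm}: first through the
     * current {@link CDI} instance, then -- if that lookup is unsatisfied or ambiguous --
     * through the beans of the current module. Exactly one bean must match.
     *
     * @throws IdentityStoreRuntimeException if no bean or more than one bean is found
     */
    private static PasswordHash resolvePasswordHash(Class<? extends PasswordHash> hashAlgorithm) {
        // Raw types mirror the untyped CDIHelper API this class is written against.
        CDI cdi = CDIHelper.getCDI();
        Instance<?> instance = cdi == null ? null : cdi.select(hashAlgorithm, new Annotation[0]);
        if (instance == null) {
            Tr.error(tc, "JAVAEESEC_ERROR_HASH_NOTFOUND", hashAlgorithm);
            throw new IdentityStoreRuntimeException(Tr.formatMessage(tc, "JAVAEESEC_ERROR_HASH_NOTFOUND", hashAlgorithm));
        }
        if (!instance.isUnsatisfied() && !instance.isAmbiguous()) {
            return (PasswordHash) instance.get();
        }

        if (tc.isEventEnabled()) {
            Tr.event(tc, "Try alternate bean lookup. isUnsatisfied() is " + instance.isUnsatisfied() + ", isAmbiguous() is " + instance.isAmbiguous());
        }
        Set<?> moduleBeans = CDIHelper.getBeansFromCurrentModule(hashAlgorithm);
        if (moduleBeans.size() == 1) {
            return (PasswordHash) moduleBeans.iterator().next();
        }
        Tr.error(tc, "JAVAEESEC_ERROR_HASH_NOTFOUND", hashAlgorithm);
        if (tc.isEventEnabled()) {
            if (moduleBeans.isEmpty()) {
                Tr.event(tc, "the CDI bean was not found for: " + hashAlgorithm);
            } else {
                Tr.event(tc, "Too many CDI beans were found for " + hashAlgorithm + ". Found " + moduleBeans.size());
            }
        }
        throw new IdentityStoreRuntimeException(Tr.formatMessage(tc, "JAVAEESEC_ERROR_HASH_NOTFOUND", hashAlgorithm));
    }

    /**
     * Converts {@code name=value} strings into a map for {@link PasswordHash#initialize}.
     * An entry must contain exactly one {@code =}; anything else is rejected (a value that
     * itself contains {@code =} is therefore an error, as in the original behaviour).
     *
     * @throws IdentityStoreRuntimeException on a malformed entry
     */
    private static Map<String, String> parseHashParameters(Class<? extends PasswordHash> hashAlgorithm, List<String> rawParameters) {
        Map<String, String> parameters = new HashMap<>(rawParameters.size());
        for (String entry : rawParameters) {
            String[] pair = entry.split("=");
            if (pair.length != 2) {
                Tr.error(tc, "JAVAEESEC_ERROR_BAD_HASH_PARAM", hashAlgorithm, entry);
                throw new IdentityStoreRuntimeException(Tr.formatMessage(tc, "JAVAEESEC_ERROR_BAD_HASH_PARAM", hashAlgorithm, entry));
            }
            parameters.put(pair[0], pair[1]);
        }
        return parameters;
    }

    /**
     * Returns the groups of the caller named in {@code credentialValidationResult} by running
     * the configured groups query with the caller name bound as parameter 1 and collecting
     * column 1 of every row (null values are skipped).
     * <p>
     * Returns an empty set when this store is not configured for
     * {@link IdentityStore.ValidationType#PROVIDE_GROUPS} or the caller name is null.
     * When a {@link SecurityManager} is installed, {@link IdentityStorePermission} with
     * {@link JavaEESecConstants#GET_GROUPS_PERMISSION} is checked first.
     *
     * @throws IdentityStoreRuntimeException wrapping any JNDI, SQL or configuration failure
     */
    public Set<String> getCallerGroups(CredentialValidationResult credentialValidationResult) {
        Set<String> groups = new HashSet<>();
        if (!validationTypes().contains(IdentityStore.ValidationType.PROVIDE_GROUPS)) {
            return groups;
        }
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new IdentityStorePermission(JavaEESecConstants.GET_GROUPS_PERMISSION));
        }

        // Guard the principal as well as its name so a result without a principal cannot NPE here.
        String name = credentialValidationResult.getCallerPrincipal() == null
                ? null
                : credentialValidationResult.getCallerPrincipal().getName();
        if (name == null) {
            if (tc.isEventEnabled()) {
                Tr.event(tc, "A null caller was passed into getCallerGroups. No groups returned. " + credentialValidationResult);
            }
            return groups;
        }

        String groupsQuery = QUERY_NOT_RESOLVED;
        try {
            groupsQuery = this.idStoreDefinition.getGroupsQuery();
            // try-with-resources closes ResultSet, statement and connection in that order on
            // every path; the original only closed the connection when an exception occurred.
            try (Connection connection = getConnection();
                 PreparedStatement statement = connection.prepareStatement(groupsQuery)) {
                statement.setString(1, name);
                try (ResultSet rows = runQuery(statement, name)) {
                    if (rows == null) {
                        if (tc.isEventEnabled()) {
                            Tr.event(tc, "The result query was null looking for groups for caller " + name + " with query " + groupsQuery);
                        }
                    } else {
                        while (rows.next()) {
                            String group = rows.getString(1);
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "For caller " + name + " found " + group);
                            }
                            if (group != null) {
                                groups.add(group);
                            }
                        }
                    }
                }
            }
            return groups;
        } catch (NamingException | IllegalArgumentException | SQLException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "216", this, new Object[]{credentialValidationResult});
            Tr.warning(tc, "JAVAEESEC_WARNING_EXCEPTION_ON_GROUPS", name, groupsQuery, groups, e);
            throw new IdentityStoreRuntimeException(Tr.formatMessage(tc, "JAVAEESEC_WARNING_EXCEPTION_ON_GROUPS", name, groupsQuery, groups, e.toString()), e);
        }
    }

    /** @return the priority configured on the store definition. */
    public int priority() {
        return this.idStoreDefinition.getPriority();
    }

    /**
     * Validates a {@link UsernamePasswordCredential} or {@link CallerOnlyCredential}.
     * <p>
     * The caller query is run with the caller name bound as parameter 1 and at most two rows
     * fetched. Exactly one row must come back; zero rows or two rows (an ambiguous caller)
     * yield {@link CredentialValidationResult#INVALID_RESULT}. For a username/password
     * credential the supplied password is verified against column 1 of that row through the
     * configured {@link PasswordHash}; a caller-only credential is accepted as soon as the
     * single row exists (no password is checked). On success the result carries the
     * data-source lookup as store id, the caller name as both name and unique id, and the
     * groups from {@link #getCallerGroups}.
     * <p>
     * NOTE(review): an unknown caller returns before any hash verification runs, so response
     * time can distinguish unknown from known caller names; confirm that is acceptable for
     * the deployment.
     *
     * @return {@code NOT_VALIDATED_RESULT} when the store is not configured for
     *         {@link IdentityStore.ValidationType#VALIDATE} or the credential type is
     *         unsupported; {@code INVALID_RESULT} for a missing caller/password, a missing or
     *         ambiguous row, a null stored hash, or a failed verification
     * @throws IdentityStoreRuntimeException wrapping any JNDI, SQL or configuration failure
     */
    @Sensitive
    public CredentialValidationResult validate(Credential credential) {
        if (!validationTypes().contains(IdentityStore.ValidationType.VALIDATE)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }

        final String caller;
        final boolean callerOnly;
        ProtectedString suppliedPassword = null;
        if (credential instanceof UsernamePasswordCredential) {
            UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
            callerOnly = false;
            caller = upc.getCaller();
            char[] value = upc.getPassword() == null ? null : upc.getPassword().getValue();
            if (value != null) {
                suppliedPassword = new ProtectedString(value);
            }
        } else if (credential instanceof CallerOnlyCredential) {
            callerOnly = true;
            caller = ((CallerOnlyCredential) credential).getCaller();
        } else {
            Tr.error(tc, "JAVAEESEC_ERROR_WRONG_CRED");
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }

        if (caller == null) {
            if (tc.isEventEnabled()) {
                Tr.event(tc, "A null caller was passed in");
            }
            return CredentialValidationResult.INVALID_RESULT;
        }
        if (!callerOnly && suppliedPassword == null) {
            // A password credential without a password can never verify; fail closed here
            // instead of reaching PasswordHash.verify() with a null char[].
            if (tc.isEventEnabled()) {
                Tr.event(tc, "A null password was passed in for caller " + caller);
            }
            return CredentialValidationResult.INVALID_RESULT;
        }

        String callerQuery = QUERY_NOT_RESOLVED;
        ProtectedString storedHash = null;
        try {
            callerQuery = this.idStoreDefinition.getCallerQuery();
            if (callerQuery == null || callerQuery.isEmpty()) {
                if (tc.isEventEnabled()) {
                    Tr.event(tc, "The 'callerQuery' parameter can not be " + (callerQuery == null ? "null." : "empty."));
                }
                return CredentialValidationResult.INVALID_RESULT;
            }

            try (Connection connection = getConnection();
                 PreparedStatement statement = connection.prepareStatement(callerQuery)) {
                statement.setString(1, caller);
                // Two rows are enough to detect an ambiguous caller without fetching more.
                statement.setMaxRows(2);
                try (ResultSet rows = runQuery(statement, caller)) {
                    if (rows == null) {
                        if (tc.isEventEnabled()) {
                            Tr.event(tc, "The result query was null looking for caller " + caller + " with query " + callerQuery);
                        }
                        return CredentialValidationResult.INVALID_RESULT;
                    }
                    if (!rows.next()) {
                        if (tc.isEventEnabled()) {
                            Tr.event(tc, "The result query was empty looking for caller " + caller + " with query " + callerQuery);
                        }
                        return CredentialValidationResult.INVALID_RESULT;
                    }
                    if (!callerOnly) {
                        String stored = rows.getString(1);
                        if (stored == null) {
                            Tr.warning(tc, "JAVAEESEC_WARNING_NO_PWD", caller, callerQuery);
                            return CredentialValidationResult.INVALID_RESULT;
                        }
                        storedHash = new ProtectedString(stored.toCharArray());
                    }
                    if (rows.next()) {
                        Tr.warning(tc, "JAVAEESEC_WARNING_MULTI_CALLER", caller, callerQuery);
                        return CredentialValidationResult.INVALID_RESULT;
                    }
                }
            }

            // Verification happens after the JDBC resources are released, as in the original.
            if (!callerOnly && !this.passwordHash.verify(suppliedPassword.getChars(), String.valueOf(storedHash.getChars()))) {
                if (tc.isEventEnabled()) {
                    Tr.event(tc, "PasswordHash verify check returned false for caller: " + caller);
                }
                return CredentialValidationResult.INVALID_RESULT;
            }
            return new CredentialValidationResult(this.idStoreDefinition.getDataSourceLookup(), caller, (String) null, caller,
                    getCallerGroups(new CredentialValidationResult((String) null, caller, (String) null, caller, (Set<String>) null)));
        } catch (NamingException | IllegalArgumentException | SQLException e) {
            // Only the caller name is handed to FFDC: the credential object carries the password
            // and FFDC introspection may record object state in incident logs.
            FFDCFilter.processException(e, FFDC_SOURCE, "327", this, new Object[]{caller});
            Tr.error(tc, "JAVAEESEC_ERROR_GEN_DB", caller, callerQuery, e);
            throw new IdentityStoreRuntimeException(Tr.formatMessage(tc, "JAVAEESEC_ERROR_GEN_DB", caller, callerQuery, e.toString()), e);
        }
    }

    /** @return the validation types ({@code useFor}) configured on the store definition. */
    public Set<IdentityStore.ValidationType> validationTypes() {
        return this.idStoreDefinition.getUseFor();
    }

    /**
     * Executes {@code statement} and returns its {@link ResultSet}, recording the elapsed
     * time at debug level on both success and failure and reporting failures to FFDC.
     *
     * @param statement prepared statement with all parameters already bound
     * @param caller    caller name, used only for trace output
     * @throws SQLException if the query fails
     */
    private ResultSet runQuery(PreparedStatement statement, String caller) throws SQLException {
        long start = tc.isDebugEnabled() ? System.currentTimeMillis() : -1;
        try {
            return statement.executeQuery();
        } catch (Exception e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "358", this, new Object[]{statement, caller});
            throw e;
        } finally {
            if (tc.isDebugEnabled()) {
                long end = System.currentTimeMillis();
                Tr.debug(tc, "Time to run query on caller " + caller + ". Start time: " + start + ". End time: " + end + ". Total time in ms: " + (end - start));
            }
        }
    }

    /**
     * Obtains a JDBC connection from the configured data source, creating the JNDI context
     * on first use if the constructor could not. The data source is resolved on every call
     * when {@link #evaluateAlways} is set, otherwise it is looked up once and cached.
     *
     * @throws IllegalArgumentException if {@code dataSourceLookup} is null or empty
     * @throws NamingException          if the JNDI lookup fails
     * @throws SQLException             if the data source cannot provide a connection
     */
    private Connection getConnection() throws NamingException, SQLException {
        if (this.initialContext == null) {
            this.initialContext = new InitialContext();
        }
        DataSource resolved = this.dataSource;
        if (this.evaluateAlways || resolved == null) {
            String lookup = this.idStoreDefinition.getDataSourceLookup();
            if (lookup == null || lookup.isEmpty()) {
                throw new IllegalArgumentException("The 'dataSourceLookup' configuration cannot be " + (lookup == null ? "null." : "empty."));
            }
            resolved = (DataSource) this.initialContext.lookup(lookup);
            if (!this.evaluateAlways) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "DataSource is stored for " + lookup);
                }
                this.dataSource = resolved;
            }
        }
        return resolved.getConnection();
    }
}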
