package com.ibm.ws.security.embeddable.ejb;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.csi.CSIException;
import com.ibm.websphere.csi.EJBKey;
import com.ibm.websphere.csi.EJBMethodInfo;
import com.ibm.ws.security.auth.Identity;
import com.ibm.ws.security.common.util.AuditConstants;
import com.ibm.ws.security.ejb.SecurityBeanCookie;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.wsspi.security.policy.EJBSecurityPolicy;
import javax.security.auth.Subject;

/* loaded from: input_file:WEB-INF/lib/admin-8.5.0.jar:com/ibm/ws/security/embeddable/ejb/EmbeddableEJBDelegation.class */
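/**
 * Chooses the {@link Subject} an EJB method invocation runs under, based on the
 * run-as settings of the method's {@link EJBSecurityPolicy}.
 *
 * <p>The class is a stateless singleton; obtain it through {@link #getInstance()}.
 */
public class EmbeddableEJBDelegation {
    private static final TraceComponent tc = Tr.register((Class<?>) EmbeddableEJBDelegation.class, "Security", AdminConstants.MSG_BUNDLE_NAME);

    // Created once during class initialization. The previous lazy check-then-assign in
    // getInstance() was unsynchronized, so concurrent first callers could each build an instance.
    private static final EmbeddableEJBDelegation _instance = new EmbeddableEJBDelegation();

    /**
     * Returns the shared delegation helper.
     *
     * @return the single instance of this class
     */
    public static EmbeddableEJBDelegation getInstance() {
        return _instance;
    }

    private EmbeddableEJBDelegation() {
    }

    /**
     * Resolves the subject to run the EJB method as.
     *
     * <ul>
     *   <li>Policy says run-as-caller: {@code subject2} is returned.</li>
     *   <li>Policy names a run-as role: the role is mapped to a user for the application named by
     *       {@code securityBeanCookie}, and a subject for that user is returned.</li>
     *   <li>Policy names a run-as role that has no user mapping, or names no role at all:
     *       {@code subject2} is returned.</li>
     * </ul>
     *
     * <p>NOTE(review): the "role has no user mapping" case degrades to the caller's subject and is
     * reported only at debug trace level, so a broken run-as mapping is invisible in normal logs
     * and the bean executes with the caller's identity instead of the configured one. Confirm
     * this fallback is intended before relying on run-as for privilege separation.
     *
     * <p>When entry trace is enabled, both subjects are written to the trace; trace output should
     * therefore be handled as identity data.
     *
     * @param eJBKey             only written to the entry trace
     * @param eJBMethodInfo      source of the {@link EJBSecurityPolicy}; {@code null} is treated as "no policy"
     * @param subject            only written to the entry trace
     * @param subject2           the received (caller) subject, per the trace messages below; used as the
     *                           result whenever no run-as user subject is produced
     * @param securityBeanCookie supplies the application name used to look up the run-as mapping;
     *                           must be non-null when the policy names a run-as role
     * @param str                not used by this method
     * @return the subject to run as; this is {@code subject2} itself in the caller and fallback cases
     * @throws CSIException if no security policy is available, or if a run-as role is configured but
     *                      {@code securityBeanCookie} is {@code null}
     */
    public Subject delegate(EJBKey eJBKey, EJBMethodInfo eJBMethodInfo, Subject subject, Subject subject2, SecurityBeanCookie securityBeanCookie, String str) throws CSIException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, AuditConstants.DELEGATE, new Object[]{eJBKey, eJBMethodInfo, subject, subject2, securityBeanCookie});
        }
        EJBSecurityPolicy policy = eJBMethodInfo == null ? null : eJBMethodInfo.getEJBSecurityPolicy();
        if (policy == null) {
            if (tc.isDebugEnabled()) {
                // The old text claimed a deployment-descriptor fallback, but this path always fails.
                Tr.debug(tc, "delegate EJBSecurityPolicy is null, cannot determine delegation policy");
            }
            throw new CSIException("Policy is null");
        }

        // Default to the caller; replaced only when a run-as role maps to a user.
        Subject runAsSubject = subject2;
        if (policy.isRunAsCallerIdentity()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "delegate runAsCallerIdentity true");
            }
        } else {
            String runAsRole = policy.getRunAsSpecifiedIdentity();
            if (runAsRole == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "delegate no runAs identity found, will runAs caller");
                }
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "delegate got runAsSpecifiedIdentity from policy, role=" + runAsRole);
                }
                if (securityBeanCookie == null) {
                    // Fail with the declared exception type instead of a NullPointerException.
                    throw new CSIException("SecurityBeanCookie is null");
                }
                Subject mappedSubject = getRunAsSpecifiedUserSubject(runAsRole, securityBeanCookie.getAppName());
                if (mappedSubject != null) {
                    runAsSubject = mappedSubject;
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "delegate getRunAsSpecifiedUserSubject is null, use received (caller) Subject");
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, AuditConstants.DELEGATE, runAsSubject);
        }
        return runAsSubject;
    }

    /**
     * Builds a subject for the user that a run-as role is mapped to in the given application.
     *
     * <p>The returned subject holds a single {@link Identity} principal created from the mapped
     * user name; this method adds no credentials to it.
     *
     * @param str  the run-as role name, used as the key into the application's run-as map
     * @param str2 the application name passed to
     *             {@code EmbeddableEJBSecurityCollaborator.getRunAsMap}
     * @return a new subject for the mapped user, or {@code null} when the role has no mapping
     */
    protected Subject getRunAsSpecifiedUserSubject(String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRunAsSpecifiedUserSubject", new Object[]{str, str2});
        }
        Subject runAsUserSubject = null;
        // NOTE(review): getRunAsMap's result is dereferenced unchecked; confirm it never returns
        // null for an application that has no run-as mappings.
        String mappedUser = (String) EmbeddableEJBSecurityCollaborator.getInstance().getRunAsMap(str2).get(str);
        if (mappedUser != null) {
            runAsUserSubject = new Subject();
            runAsUserSubject.getPrincipals().add(new Identity(mappedUser));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRunAsSpecifiedUserSubject", runAsUserSubject);
        }
        return runAsUserSubject;
    }
}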
