package com.ibm.ws.security.auth.kerberos;

import com.ibm.ISecurityLocalObjectTokenBaseImpl.Krb5NLS;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.security.auth.module.Krb5LoginModule;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.auth.callback.WSAuthMechOidCallbackImpl;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;
import com.ibm.websphere.security.auth.callback.WSCredTokenCallbackImpl;
import com.ibm.websphere.security.auth.callback.WSRealmNameCallbackImpl;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.common.auth.util.CredentialsHelper;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.config.AuthMechanismConfig;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.webservices.wssecurity.util.KRB5Util;
import com.ibm.wsspi.management.agent.AdminSubsystemExtensionHandler;
import com.ibm.wsspi.security.auth.callback.Constants;
import com.ibm.wsspi.security.auth.callback.WSAppContextCallback;
import com.ibm.wsspi.security.auth.callback.WSServletRequestCallback;
import com.ibm.wsspi.security.auth.callback.WSServletResponseCallback;
import com.ibm.wsspi.security.auth.callback.WSTokenHolderCallback;
import com.ibm.wsspi.security.auth.callback.WSX509CertificateChainCallback;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import java.io.IOException;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSCredential;

/* loaded from: input_file:wasJars/securityimpl.jar:com/ibm/ws/security/auth/kerberos/Krb5LoginModuleWrapper.class */
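/**
 * WebSphere wrapper around the JDK/IBM {@code Krb5LoginModule}.
 *
 * The wrapper reads the WebSphere callback array (shared with sibling login modules under
 * {@code Constants.CALLBACK_KEY}), decides whether the request is a Kerberos login at all,
 * validates the realm against the server configuration and then either:
 * <ul>
 *   <li>performs a nested JAAS login with user id / password found in a custom-properties
 *       {@code Hashtable} on the Subject (the "JAASClient" path) and attaches the resulting
 *       {@code GSSCredential} to the wrapped Subject, or</li>
 *   <li>delegates to {@code super.login()} (ticket-cache / keytab, or uid + password), or</li>
 *   <li>returns {@code true} without doing anything so that another module handles the login
 *       (credential token, or user id without a password).</li>
 * </ul>
 * {@code commit}/{@code abort}/{@code logout} only reach the superclass when {@code super.login()}
 * was actually invoked ({@link #login_called}).
 *
 * Review notes versus the shipped class:
 * <ul>
 *   <li>Trace/debug output no longer dumps the Subject, the shared-state map, the option map,
 *       credential objects or the custom-properties table; those carried passwords / private
 *       credentials in the clear. Only principals, key sets and class names are traced.</li>
 *   <li>{@code initialize()} no longer NPEs on the {@code debug} option when
 *       {@code super.initialize()} failed (the field it read was still {@code null}).</li>
 *   <li>The password clone taken from the {@code PasswordCallback} is wiped instead of being kept
 *       alive in a second copy that was only ever null-checked.</li>
 *   <li>A shared callback array of the wrong size fails with a {@code WSLoginFailedException}
 *       instead of an {@code ArrayIndexOutOfBoundsException}.</li>
 *   <li>Dead code ({@code if (0 == 0)}, a discarded {@code toCharArray()}) removed; the two
 *       realm checks share one helper.</li>
 * </ul>
 */
public class Krb5LoginModuleWrapper extends Krb5LoginModule {
    /** JAAS option key that switches this wrapper's verbose tracing on ("true", case-insensitive). */
    private static final String DEBUG_OPTION = "debug";
    /** Number of entries the shared WebSphere callback array must have; indexes up to 9 are read below. */
    private static final int EXPECTED_CALLBACK_COUNT = 10;
    /** Fully qualified class name used as the FFDC probe prefix. */
    private static final String CLASS_NAME = "com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper";

    private static final TraceComponent tc = Tr.register(Krb5LoginModuleWrapper.class, "Security", Krb5NLS.MSG_FILE);

    private Subject _subject;
    private CallbackHandler _callbackHandler;
    private Map _sharedState;
    private Map _options;
    /** Verbose tracing; stays on until initialize() reads the "debug" option. */
    protected boolean _debug = true;
    /** False when Krb5Utils says this is not a Kerberos login; the wrapper then stays passive. */
    private boolean _krb5Login = true;
    /** Set once super.login() has been invoked; commit/abort/logout delegate to the superclass only then. */
    boolean login_called = false;

    public Krb5LoginModuleWrapper() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "Krb5LoginModuleWrapper()");
            Tr.exit(tc, "Krb5LoginModuleWrapper()");
        }
    }

    /**
     * Initializes the superclass and remembers the JAAS arguments.
     *
     * A failure of {@code super.initialize()} is recorded via FFDC and logged but not propagated
     * (as in the shipped class); in that case the instance fields stay {@code null} and a later
     * {@code login()} fails. The {@code debug} option is read from the {@code map2} parameter so this
     * method does not itself throw in that situation.
     *
     * @param subject         the Subject being authenticated
     * @param callbackHandler handler used to collect the WebSphere callbacks
     * @param map             JAAS shared state (may contain credentials from a preceding module)
     * @param map2            JAAS options for this module
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        if (tc.isEntryEnabled()) {
            // Trace the shape of the inputs only: the shared state may carry a password left by an
            // earlier module and Subject.toString() prints private credentials.
            Tr.entry(tc, "initialize(subject principals = \"" + (subject != null ? subject.getPrincipals() : null)
                    + "\", callbackHandler = \"" + (callbackHandler != null ? callbackHandler.getClass().getName() : null)
                    + "\", sharedState keys = \"" + (map != null ? map.keySet() : null)
                    + "\", option keys = \"" + (map2 != null ? map2.keySet() : null) + "\")");
        }
        try {
            super.initialize(subject, callbackHandler, map, map2);
            this._subject = subject;
            this._callbackHandler = callbackHandler;
            this._sharedState = map;
            this._options = map2;
        } catch (Exception e) {
            FFDCFilter.processException(e, CLASS_NAME + ".initialize", "167", this);
            if (this._debug || tc.isDebugEnabled()) {
                Tr.error(tc, AdminSubsystemExtensionHandler.INITIALIZE, new Object[]{e});
            }
        }
        // Read from the parameter, not from this._options: the field is still null when
        // super.initialize() threw above, which made the shipped class NPE here.
        Object debugOption = map2 != null ? map2.get(DEBUG_OPTION) : null;
        this._debug = debugOption != null && "true".equalsIgnoreCase(String.valueOf(debugOption));
        if (this._debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Krb5LoginModuleWrapper");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize(subject, callbackHandler, sharedState, options)");
        }
    }

    /**
     * Authenticates according to the callbacks collected from the WebSphere callback handler.
     *
     * @return {@code true} when this module succeeded or deliberately stepped aside; {@code false}
     *         when the nested JAASClient login failed
     * @throws LoginException when no callback handler / usable callback array is available, when
     *         the realm does not match the server configuration, or when {@code super.login()} fails
     */
    public boolean login() throws CredentialExpiredException, FailedLoginException, LoginException {
        if (this._debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        ContextManager contextManager = ContextManagerFactory.getInstance();
        Callback[] callbacks = obtainCallbacks(contextManager);

        String authMechOid = ((WSAuthMechOidCallbackImpl) callbacks[9]).getAuthMechOid();
        String name = ((NameCallback) callbacks[0]).getName();
        this._krb5Login = Krb5Utils.isKrb5Login(authMechOid, name);
        if (!this._krb5Login) {
            // Not a Kerberos login: succeed without touching the superclass so that
            // commit/abort/logout remain no-ops (login_called stays false).
            return true;
        }

        // Only the presence of a password matters to the branching below; the superclass collects the
        // password itself via the callback handler. getPassword() hands out a clone, so wipe it instead
        // of keeping a second unwiped copy alive.
        boolean hasPassword = false;
        char[] password = ((PasswordCallback) callbacks[1]).getPassword();
        if (password != null) {
            hasPassword = true;
            Arrays.fill(password, '\0');
        }
        String realmName = ((WSRealmNameCallbackImpl) callbacks[7]).getRealmName();
        byte[] credToken = ((WSCredTokenCallbackImpl) callbacks[2]).getCredToken();
        // copyCredToken is kept on the path so a null result is treated exactly as before.
        boolean hasCredToken = credToken != null && CredentialsHelper.copyCredToken(credToken) != null;
        List tokenHolderList = ((WSTokenHolderCallback) callbacks[6]).getTokenHolderList();

        Hashtable customProps = findCustomProperties(contextManager);
        if (customProps != null) {
            // Downstream modules read the custom properties (including the password) from shared state.
            this._sharedState.put(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY, customProps);
        }

        if (this._debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "uid = " + name);
            Tr.debug(tc, "realm = " + realmName);
            Tr.debug(tc, "password = " + (hasPassword ? "<not null>" : "<null>"));
            Tr.debug(tc, "cred token = " + (hasCredToken ? "<not null>" : "<null>"));
            Tr.debug(tc, "authz token list = " + tokenHolderList);
            // Key set only: the table holds WSCREDENTIAL_PASSWORD in the clear.
            Tr.debug(tc, "custom properties = " + (customProps != null ? "<present, keys = " + customProps.keySet() + ">" : "<null>"));
            Tr.debug(tc, "authMechOid = " + authMechOid);
        }

        if (customProps != null) {
            String userId = (String) customProps.get(AttributeNameConstants.WSCREDENTIAL_USERID);
            String userPassword = (String) customProps.get(AttributeNameConstants.WSCREDENTIAL_PASSWORD);
            if (this._debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Logging in using JAASClient login configuration with user: " + userId);
            }
            if (userId != null && !userId.equals("") && userPassword != null && !userPassword.equals("")) {
                String configuredRealm = SecurityObjectLocator.getSecurityConfig().getAuthMechanism(AuthMechanismConfig.TYPE_KERBEROS).getString("krb5Realm");
                String defaultRealm = contextManager.getDefaultRealm();
                if (!realmAccepted(realmName, configuredRealm, defaultRealm)) {
                    String msg = "The login will be failed because the Kerberos realm name specified in the callback handler, " + realmName + ", does not match the Kerberos realm name specified in the server's security configuration: " + configuredRealm + " or the default realm name: " + defaultRealm;
                    if (this._debug || tc.isEntryEnabled()) {
                        Tr.exit(tc, "login()", msg);
                    }
                    throw new WSLoginFailedException(msg);
                }
                return loginWithCustomProperties(userId, userPassword);
            }
            // Empty user id / password in the table: fall through to the callback-based paths.
        }

        if (name == null || !hasPassword) {
            if (hasCredToken || name != null) {
                if (this._debug || tc.isDebugEnabled()) {
                    Tr.debug(tc, "Credential token or uid with no password has been received. Handling login outside this login module.");
                }
                return true;
            }
            // Nothing supplied at all: let the superclass use its own configuration (e.g. ticket cache / keytab).
            this.login_called = true;
            if (this._debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Calling super.login() from wrapper.");
            }
            return delegateLogin(contextManager, "451");
        }

        // uid + password supplied. login_called is set before the realm check, as in the shipped
        // class, so abort() reaches super.abort() when the realm check throws.
        this.login_called = true;
        String configuredRealm = SecurityObjectLocator.getSecurityConfig("security").getAuthMechanism(AuthMechanismConfig.TYPE_KERBEROS).getString("krb5Realm");
        String defaultRealm = contextManager.getDefaultRealm();
        if (!realmAccepted(realmName, configuredRealm, defaultRealm)) {
            String msg = "The login failed because the Kerberos realm name specified in the callback handler, " + realmName + ", does not match the Kerberos realm name specified in the server's security configuration: " + configuredRealm + " or the default realm name: " + defaultRealm;
            if (this._debug || tc.isEntryEnabled()) {
                Tr.exit(tc, "login()", msg);
            }
            throw new WSLoginFailedException(msg);
        }
        if (this._debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Calling super.login() from wrapper with uid/password.");
        }
        boolean result = delegateLogin(contextManager, "423");
        if (this._debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Result from login: " + result);
        }
        return result;
    }

    /**
     * Returns the WebSphere callback array, reusing the one a sibling module stored in shared state
     * or collecting a fresh one through the callback handler (and publishing it to shared state).
     *
     * @throws LoginException when there is no callback handler, the handler fails, or the array is
     *         shorter than the {@link #EXPECTED_CALLBACK_COUNT} entries this module indexes into
     */
    private Callback[] obtainCallbacks(ContextManager contextManager) throws LoginException {
        Callback[] callbacks;
        if (this._sharedState.containsKey(Constants.CALLBACK_KEY)) {
            callbacks = (Callback[]) this._sharedState.get(Constants.CALLBACK_KEY);
        } else {
            if (this._callbackHandler == null) {
                WSLoginFailedException noHandler = new WSLoginFailedException("No CallbackHandler available to gather authentication information from the user.");
                contextManager.setRootException(noHandler);
                throw noHandler;
            }
            callbacks = new Callback[]{
                new NameCallback("Username: "),
                new PasswordCallback("Password: ", false),
                new WSCredTokenCallbackImpl("Credential Token: "),
                new WSServletRequestCallback("HttpServletRequest: "),
                new WSServletResponseCallback("HttpServletResponse: "),
                new WSAppContextCallback("ApplicationContextCallback: "),
                new WSTokenHolderCallback("Authz Token List: "),
                new WSRealmNameCallbackImpl("Realm Name", contextManager.getDefaultRealm()),
                new WSX509CertificateChainCallback("X509Certificate[]: "),
                new WSAuthMechOidCallbackImpl("AuthMechOid: ")
            };
            try {
                this._callbackHandler.handle(callbacks);
                this._sharedState.put(Constants.CALLBACK_KEY, callbacks);
            } catch (IOException e) {
                FFDCFilter.processException(e, CLASS_NAME + ".login", "238", this);
                Tr.error(tc, "security.jaas.callBackHandlerIOException", new Object[]{getClass().getName(), e});
                contextManager.setRootException(e);
                throw new WSLoginFailedException("IOException: " + e.getMessage(), e);
            } catch (UnsupportedCallbackException e2) {
                FFDCFilter.processException(e2, CLASS_NAME + ".login", "243", this);
                Tr.error(tc, "security.jaas.callBackHandlerException", new Object[]{getClass().getName(), e2.getCallback().toString(), e2});
                contextManager.setRootException(e2);
                throw new WSLoginFailedException(e2.getCallback().toString() + " not supported by CallbackHandler to gather authentication information from the user" + e2.getMessage(), e2);
            }
        }
        if (callbacks == null || callbacks.length < EXPECTED_CALLBACK_COUNT) {
            // A foreign array under CALLBACK_KEY would otherwise surface as ArrayIndexOutOfBoundsException.
            WSLoginFailedException badLayout = new WSLoginFailedException("Shared callback array does not contain the " + EXPECTED_CALLBACK_COUNT + " callbacks expected by " + getClass().getName());
            contextManager.setRootException(badLayout);
            throw badLayout;
        }
        return callbacks;
    }

    /**
     * Looks for a custom-properties {@code Hashtable} carrying both WSCREDENTIAL_USERID and
     * WSCREDENTIAL_PASSWORD, first in the Subject's public and then in its private credentials.
     *
     * @return the first matching table, or {@code null}
     * @throws LoginException wrapping whatever the privileged scan threw
     */
    private Hashtable findCustomProperties(ContextManager contextManager) throws LoginException {
        final Subject subject = this._subject;
        if (subject == null) {
            return null;
        }
        try {
            return (Hashtable) AccessController.doPrivileged(new PrivilegedExceptionAction() {
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws CredentialDestroyedException, CredentialExpiredException {
                    Hashtable found = scanForCustomProperties(subject.getPublicCredentials().toArray(), "public");
                    if (found == null) {
                        found = scanForCustomProperties(subject.getPrivateCredentials().toArray(), "private");
                    }
                    return found;
                }
            });
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            FFDCFilter.processException(cause, CLASS_NAME + ".login", "317", this);
            contextManager.setRootException(cause);
            throw new WSLoginFailedException(cause.getMessage(), cause);
        }
    }

    /**
     * Scans one credential list for a {@code Hashtable} with both user id and password keys.
     * Credential objects are traced by class name only; their contents are secrets.
     */
    private Hashtable scanForCustomProperties(Object[] credentials, String listName) {
        if (this._debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Looking for custom properties in " + listName + " cred list.");
        }
        for (int i = 0; i < credentials.length; i++) {
            Object cred = credentials[i];
            if (this._debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Object[" + i + "] in " + listName + " list: " + (cred != null ? cred.getClass().getName() : "null"));
            }
            if (cred instanceof Hashtable) {
                Hashtable table = (Hashtable) cred;
                if (table.get(AttributeNameConstants.WSCREDENTIAL_USERID) != null
                        && table.get(AttributeNameConstants.WSCREDENTIAL_PASSWORD) != null) {
                    return table;
                }
            }
        }
        return null;
    }

    /**
     * Runs the nested JAASClient login with the given user id / password and attaches the resulting
     * {@code GSSCredential} to the wrapped Subject's private credentials (once).
     *
     * @return {@code true} on success; {@code false} when the nested login threw a LoginException
     *         (the failure is recorded via FFDC and the module is treated as having failed quietly)
     */
    private boolean loginWithCustomProperties(String userId, String userPassword) {
        try {
            LoginContext loginContext = new LoginContext(KRB5Util.DEFAULT_JAAS_LOGIN_CONFIG, new WSCallbackHandlerImpl(userId, userPassword));
            loginContext.login();
            if (this._debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Getting subject from login context.");
            }
            Subject clientSubject = loginContext.getSubject();
            if (clientSubject != null) {
                final GSSCredential gssCredential = Krb5Utils.createGSSCredential(clientSubject);
                if (gssCredential != null) {
                    AccessController.doPrivileged(new PrivilegedAction() {
                        @Override // java.security.PrivilegedAction
                        public Object run() {
                            if (Krb5LoginModuleWrapper.this._subject.getPrivateCredentials().contains(gssCredential)) {
                                return null;
                            }
                            if (Krb5LoginModuleWrapper.this._debug || Krb5LoginModuleWrapper.tc.isDebugEnabled()) {
                                Tr.debug(Krb5LoginModuleWrapper.tc, "Adding GSSCredential to Subject.");
                            }
                            Krb5LoginModuleWrapper.this._subject.getPrivateCredentials().add(gssCredential);
                            return null;
                        }
                    });
                }
            }
            return true;
        } catch (LoginException e) {
            FFDCFilter.processException(e, CLASS_NAME + ".login", "392", this);
            if (this._debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception calling JAASClient login context: " + e.toString());
            }
            return false;
        }
    }

    /**
     * Calls {@code super.login()}, converting any failure into a {@code WSLoginFailedException}
     * after recording it via FFDC and as the context root exception.
     *
     * @param ffdcProbe probe id distinguishing the two call sites
     */
    private boolean delegateLogin(ContextManager contextManager, String ffdcProbe) throws LoginException {
        try {
            return super.login();
        } catch (Exception e) {
            FFDCFilter.processException(e, CLASS_NAME + ".login", ffdcProbe, this);
            if (this._debug || tc.isEntryEnabled()) {
                Tr.exit(tc, "login()", new Object[]{e});
            }
            contextManager.setRootException(e);
            throw new WSLoginFailedException(e.getMessage(), e);
        }
    }

    /**
     * True when the callback realm equals the configured Kerberos realm, the server default realm
     * or the generic default-realm marker. A {@code null} realm is rejected (it used to NPE).
     */
    private static boolean realmAccepted(String realmName, String configuredRealm, String defaultRealm) {
        if (realmName == null) {
            return false;
        }
        return realmName.equals(defaultRealm)
                || realmName.equals(configuredRealm)
                || realmName.equals(CommonConstants.DEFAULT_REALM);
    }

    /** Delegates to the superclass only when this wrapper actually invoked {@code super.login()}. */
    public boolean commit() throws LoginException {
        if (!this.login_called) {
            return true;
        }
        if (this._debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Calling super.commit() from wrapper.");
        }
        return super.commit();
    }

    /** Delegates to the superclass only when this wrapper actually invoked {@code super.login()}. */
    public boolean abort() throws LoginException {
        if (!this.login_called) {
            return true;
        }
        if (this._debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Calling super.abort() from wrapper.");
        }
        return super.abort();
    }

    /** Delegates to the superclass only when this wrapper actually invoked {@code super.login()}. */
    public boolean logout() throws LoginException {
        if (!this.login_called) {
            return true;
        }
        if (this._debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Calling super.logout() from wrapper.");
        }
        return super.logout();
    }
}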
