package com.ibm.ws.security.auth.j2c;

import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.GSSEncodeDecodeException;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.management.application.AppConstants;
import com.ibm.websphere.security.WebSphereRuntimePermission;
import com.ibm.websphere.security.audit.AuditHandler;
import com.ibm.websphere.security.auth.MappingAuthData;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.common.auth.WSPrincipalImpl;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.cred.AuthDataCredential;
import com.ibm.ws.security.util.AuthData;
import com.ibm.wsspi.security.audit.AuditOutcome;
import com.ibm.wsspi.security.audit.AuditService;
import com.ibm.wsspi.security.audit.J2EEAuditEventFactory;
import com.ibm.wsspi.security.auth.callback.WSMappingCallbackHandler;
import com.ibm.wsspi.security.auth.callback.WSMappingCallbackHandlerFactory;
import java.io.IOException;
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Map;
import javax.resource.spi.ManagedConnectionFactory;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/* loaded from: input_file:lib/security.jar:com/ibm/ws/security/auth/j2c/WSDefaultPrincipalMapping.class */
/**
 * Default J2C (JCA) principal mapping for WebSphere resource adapters.
 *
 * <p>Maps the current invocation identity plus an optional auth-data alias to a
 * {@link Subject} carrying a {@link PasswordCredential}, or, when a login entry name
 * other than {@link #DEFAULT_PRINCIPAL_MAPPING} is supplied, delegates to a JAAS
 * {@link LoginContext} for that entry. Auth data is held in a static alias-to-{@link AuthData}
 * map installed by {@link #refreshAuthData(HashMap)}.
 *
 * <p>Thread-safety: {@code refreshAuthData} and {@code getAuthDataInt} are
 * {@code synchronized}; the lazily initialized audit fields (see {@code getMappedSubject})
 * and the cached unauthenticated Subject are written without synchronization.
 *
 * <p>This listing appears to be decompiler output (note the {@code class$} helpers and the
 * synthetic anonymous-class constructor in {@link #getSubject}), so a few constructs are
 * not valid source exactly as printed.
 */
public class WSDefaultPrincipalMapping {
    // Trace component; registered in the static initializer.
    private static final TraceComponent tc;
    // Coarse-grained permission "getPasswordCredential"; checked by refreshAuthData, and by
    // getAuthDataInt when fine-grained JCA security is off.
    private static final WebSphereRuntimePermission perm;
    // Alias -> AuthData lookup table. Replaced wholesale (not copied) by refreshAuthData; may be null.
    private static HashMap authDataMap;
    // Login entry name that selects the built-in mapping; set from AppConstants.APPDEPL_DEFAULT_PMAP
    // in the static initializer. Non-final public static, so other code can reassign it.
    public static String DEFAULT_PRINCIPAL_MAPPING;
    // Not referenced anywhere in this class.
    private static final String CALLBACK_HANDLER = "CallbackHandler";
    // When true, getAuthDataInt checks a per-alias permission instead of perm.
    private static boolean isFineGrained;
    // Callback-handler factory resolved by class name in the static initializer; null if that failed.
    private static WSMappingCallbackHandlerFactory cbkFactory;
    // Cached shared Subject returned by getUnauthenticatedSubjectWithoutCredentials.
    private static Subject unauthSubject;
    // Audit plumbing, lazily obtained on the first call to getMappedSubject.
    private static AuditHandler auditHandler;
    private static J2EEAuditEventFactory auditFactory;
    // Not referenced anywhere in this class.
    private static final String providerName = "WebSphere";
    private static AuditService auditService;
    // Not referenced anywhere in this class.
    private static final boolean providerSuccess = true;
    private static final boolean providerFailure = false;
    // Class-literal caches as emitted by the decompiler (see class$ below).
    static Class class$com$ibm$ws$security$auth$j2c$WSDefaultPrincipalMapping;
    static Class class$java$lang$String;
    static Class class$com$ibm$ws$security$common$auth$WSPrincipalImpl;

    /** Not meant to be instantiated; every entry point is static. Logs a warning if reached. */
    private WSDefaultPrincipalMapping() {
        Tr.warning(tc, "security.j2c.invalidWSDefaultPrincipalMapping");
    }

    /**
     * Builds the Subject a resource adapter should use for an outbound connection.
     *
     * <p>Two paths:
     * <ul>
     *   <li>{@code str} names a login entry other than {@link #DEFAULT_PRINCIPAL_MAPPING}:
     *       a JAAS {@link LoginContext} for that entry is run with a mapping callback handler
     *       built from {@code map} and the MCF, and its Subject is returned.</li>
     *   <li>Otherwise the built-in mapping: the alias is read from {@code map} under the key
     *       {@code "com.ibm.mapping.authDataAlias"}, a Subject holding a {@link WSPrincipalImpl}
     *       for the invocation credential's security name is created, and a
     *       {@link PasswordCredential} for the alias's {@link AuthData} is added to it.</li>
     * </ul>
     *
     * @param managedConnectionFactory the MCF the created PasswordCredential is bound to
     * @param str login entry name; {@code null} selects the default mapping, otherwise it is trimmed
     * @param map mapping properties; may be {@code null}
     * @return the mapped Subject; the shared unauthenticated Subject when cell security is off and
     *         no alias was given, or when no alias was given and the caller is unauthenticated
     * @throws LoginException when a non-empty alias has no AuthData entry, or from the JAAS login
     * @throws Exception any failure on the JAAS login path is rethrown after FFDC logging
     */
    public static Subject getMappedSubject(ManagedConnectionFactory managedConnectionFactory, String str, Map map) throws IOException, LoginException, SecurityException, Exception {
        LoginContext loginContext;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, new StringBuffer().append("getMappedSubject(ManagedConnectionFactory, ").append(str).append(", Map properties)").toString());
        }
        // A null entry name means the built-in default mapping.
        String trim = str == null ? DEFAULT_PRINCIPAL_MAPPING : str.trim();
        // One-time, unsynchronized lookup of the audit service/handler/factory.
        if (auditService == null) {
            auditService = ContextManagerFactory.getInstance().getAuditService();
            if (auditService != null) {
                auditHandler = auditService.newAuditHandler("WAS.security", "WAS.security");
                auditFactory = (J2EEAuditEventFactory) auditHandler.getAuditEventFactory(CommonConstants.AUDIT_J2EE_FACTORY_NAME);
                // Re-checks the type just cast to on the line above (decompiled form); kept as-is.
                if (auditFactory != null && !Class.forName("com.ibm.wsspi.security.audit.J2EEAuditEventFactory").isInstance(auditFactory)) {
                    auditFactory = null;
                }
            }
        }
        String str2 = null;
        if (!trim.equals(DEFAULT_PRINCIPAL_MAPPING)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, new StringBuffer().append("Logging into mapping module: ").append(trim).toString());
            }
            try {
                if (cbkFactory != null) {
                    // The local below is never used; the no-arg getInstance() is called rather than
                    // the cached cbkFactory, so cbkFactory only acts as an "init succeeded" flag here.
                    WSMappingCallbackHandlerFactory wSMappingCallbackHandlerFactory = cbkFactory;
                    loginContext = new LoginContext(trim, WSMappingCallbackHandlerFactory.getInstance().getCallbackHandler(map, managedConnectionFactory));
                } else {
                    // Static initialization of the factory failed; fall back to the plain handler.
                    Tr.warning(tc, "security.j2c.initFailureRecovery");
                    loginContext = new LoginContext(trim, new WSMappingCallbackHandler(map, managedConnectionFactory));
                }
                loginContext.login();
                // An exit trace is written here and again just before the return below.
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "getMappedSubject(ManagedConnectionFactory, loginEntry, authDataAlias)");
                }
                // Audit: one mapping event per PasswordCredential in the login subject.
                // The meaning of isActive(2, 0) is not visible here — TODO confirm against J2EEAuditEventFactory.
                if (auditFactory != null && auditFactory.isActive(2, 0)) {
                    WSCredential invocationCredential = ContextManagerFactory.getInstance().getInvocationCredential();
                    String str3 = null;
                    String defaultRealm = ContextManagerFactory.getInstance().getDefaultRealm();
                    if (invocationCredential != null && !invocationCredential.isUnauthenticated()) {
                        str3 = invocationCredential.getSecurityName();
                    }
                    Subject subject = loginContext.getSubject();
                    if (subject != null) {
                        for (PasswordCredential passwordCredential : subject.getPrivateCredentials(Class.forName("javax.resource.spi.security.PasswordCredential"))) {
                            // Message key is spelled "syccess" in the original; it is a runtime string and is left unchanged.
                            auditFactory.sendMappingAuditEvent(auditHandler, AuditOutcome.SUCCESS, "SUCCESS", null, str, true, defaultRealm, str3, "", passwordCredential != null ? passwordCredential.getUserName() : null, "security.audit.mapping.syccess.audit", null);
                        }
                    }
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Returning login subject.");
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "getMappedSubject");
                }
                return loginContext.getSubject();
            } catch (Exception e) {
                // Login failures are recorded via FFDC and propagated unchanged to the caller.
                FFDCFilter.processException(e, "com.ibm.ws.security.auth.j2c.WSDefaultPrincipalMapping.getSubject", "351");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, new StringBuffer().append(GSSEncodeDecodeException.exceptionCaughtStr).append(e).toString());
                }
                throw e;
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Mapping module is default.");
        }
        // Default mapping: the alias comes from the mapping properties, trimmed.
        if (map != null) {
            if (tc.isDebugEnabled()) {
                Tr.entry(tc, "Getting authDataAlias.");
            }
            str2 = (String) map.get("com.ibm.mapping.authDataAlias");
            if (str2 != null) {
                str2 = str2.trim();
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "security.j2c.missingParameter", new Object[]{"alias"});
            }
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "security.j2c.missingParameter", new Object[]{"properties"});
        }
        // Cell security off and no alias: hand out the shared unauthenticated Subject.
        if (!ContextManagerFactory.getInstance().isCellSecurityEnabled() && (str2 == null || str2.equals(""))) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Security disabled and no authdata alias, returning Unauthenticated Subject.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getMappedSubject");
            }
            return getUnauthenticatedSubjectWithoutCredentials();
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Creating Subject.");
        }
        WSCredential invocationCredential2 = ContextManagerFactory.getInstance().getInvocationCredential();
        // No alias and an absent/unauthenticated caller: nothing to map, shared unauthenticated Subject.
        if ((str2 == null || str2.equals("")) && (invocationCredential2 == null || invocationCredential2.isUnauthenticated())) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No authdata alias and current Subject is null or unauthenticated.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getMappedSubject");
            }
            return getUnauthenticatedSubjectWithoutCredentials();
        }
        // str4 stays null when an alias was supplied but the invocation credential is absent or
        // unauthenticated; the principal below is then created with a null name.
        String str4 = null;
        if (invocationCredential2 != null && !invocationCredential2.isUnauthenticated()) {
            str4 = invocationCredential2.getSecurityName();
        }
        Subject subject2 = new Subject();
        subject2.getPrincipals().add(new WSPrincipalImpl(str4));
        // Authenticated caller but no alias: a Subject with the principal only, no PasswordCredential.
        if (str2 == null || str2.equals("")) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No authdatalias, returning subject.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getMappedSubject");
            }
            return subject2;
        }
        try {
            // getAuthDataInt performs the Java 2 permission check for this alias.
            AuthData authDataInt = getAuthDataInt(str2);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Got authdata info.");
            }
            if (authDataInt == null) {
                Tr.warning(tc, "security.j2c.mappingUnsuccessful");
                throw new LoginException(new StringBuffer().append("Incorrect authDataEntry and alias is: ").append(str2).toString());
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Creating password credential.");
            }
            // psw.toCharArray() throws NullPointerException for a null password; that is the
            // case handled by the catch block below.
            PasswordCredential passwordCredential2 = new PasswordCredential(authDataInt.uid, authDataInt.psw.toCharArray());
            passwordCredential2.setManagedConnectionFactory(managedConnectionFactory);
            subject2.getPrivateCredentials().add(passwordCredential2);
            if (auditFactory != null && auditFactory.isActive(2, 0)) {
                // Same "syccess" message key as on the JAAS path above; left unchanged.
                auditFactory.sendMappingAuditEvent(auditHandler, AuditOutcome.SUCCESS, "SUCCESS", null, str, true, ContextManagerFactory.getInstance().getDefaultRealm(), str4, "", authDataInt.uid, "security.audit.mapping.syccess.audit", null);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getMappedSubject");
            }
            return subject2;
        } catch (NullPointerException e2) {
            // NOTE(review): on a NullPointerException the Subject is returned WITHOUT a
            // PasswordCredential after only a warning, so the caller sees a successful mapping
            // for an alias whose auth data was incomplete. No audit event is sent on this path.
            Tr.warning(tc, "security.j2c.mappingFailed", new Object[]{e2});
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getMappedSubject");
            }
            return subject2;
        }
    }

    /**
     * Older entry point taking the auth-data alias directly instead of a properties map.
     *
     * <p>For a non-default login entry a {@link LoginContext} is run with a
     * {@code WSPrincipalMappingCallbackHandler}; otherwise a Subject is built from the first
     * {@link WSPrincipalImpl} of the current invocation Subject plus a {@link PasswordCredential}
     * for {@code str2}. Unlike {@link #getMappedSubject}, this path performs no auditing and does
     * not consult {@code isCellSecurityEnabled()}.
     *
     * @param managedConnectionFactory the MCF the created PasswordCredential is bound to
     * @param str login entry name; {@code null} selects the default mapping, otherwise it is trimmed
     * @param str2 auth-data alias; {@code null} or empty means "principal only, no credential"
     * @return the mapped Subject
     * @throws LoginException when a non-empty alias has no AuthData entry, or from the JAAS login
     * @throws Exception any failure on the JAAS login path is rethrown after FFDC logging
     */
    public static Subject getSubject(ManagedConnectionFactory managedConnectionFactory, String str, String str2) throws IOException, LoginException, SecurityException, Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, new StringBuffer().append("getSubject(ManagedConnectionFactory, ").append(str).append(", ").append(str2).append(")").toString());
        }
        String str3 = null;
        if (str2 != null) {
            str3 = str2.trim();
        }
        String trim = str == null ? DEFAULT_PRINCIPAL_MAPPING : str.trim();
        if (!trim.equals(DEFAULT_PRINCIPAL_MAPPING)) {
            try {
                LoginContext loginContext = new LoginContext(trim, new WSPrincipalMappingCallbackHandler(str3, managedConnectionFactory));
                loginContext.login();
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "getSubject(ManagedConnectionFactory, loginEntry, authDataAlias)");
                }
                return loginContext.getSubject();
            } catch (Exception e) {
                // Recorded via FFDC and propagated unchanged.
                FFDCFilter.processException(e, "com.ibm.ws.security.auth.j2c.WSDefaultPrincipalMapping.getSubject", "351");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, new StringBuffer().append(GSSEncodeDecodeException.exceptionCaughtStr).append(e).toString());
                }
                throw e;
            }
        }
        Subject subject = new Subject();
        WSPrincipalImpl wSPrincipalImpl = null;
        try {
            // Pull the first WSPrincipalImpl out of the invocation Subject under doPrivileged.
            wSPrincipalImpl = (WSPrincipalImpl) AccessController.doPrivileged(new PrivilegedAction(ContextManagerFactory.getInstance().getInvocationSubject()) { // from class: com.ibm.ws.security.auth.j2c.WSDefaultPrincipalMapping.1
                private final Subject val$subj0;

                // Synthetic captured-argument constructor as printed by the decompiler; "r4" is the
                // captured invocation Subject and is not a valid identifier in source form.
                {
                    this.val$subj0 = r4;
                }

                @Override // java.security.PrivilegedAction
                public Object run() {
                    Class cls;
                    Subject subject2 = this.val$subj0;
                    if (WSDefaultPrincipalMapping.class$com$ibm$ws$security$common$auth$WSPrincipalImpl == null) {
                        cls = WSDefaultPrincipalMapping.class$("com.ibm.ws.security.common.auth.WSPrincipalImpl");
                        WSDefaultPrincipalMapping.class$com$ibm$ws$security$common$auth$WSPrincipalImpl = cls;
                    } else {
                        cls = WSDefaultPrincipalMapping.class$com$ibm$ws$security$common$auth$WSPrincipalImpl;
                    }
                    // iterator().next() throws NoSuchElementException when there is no such principal,
                    // and subject2 may be null; both are caught (and dropped) by the catch below.
                    return subject2.getPrincipals(cls).iterator().next();
                }
            });
        } catch (Exception e2) {
            // Deliberately ignored: any failure leaves wSPrincipalImpl null, so the returned
            // Subject simply carries no principal. Nothing is logged on this path.
        }
        if (wSPrincipalImpl != null) {
            subject.getPrincipals().add(wSPrincipalImpl);
        }
        if (str3 == null || str3.equals("")) {
            return subject;
        }
        try {
            // getAuthDataInt performs the Java 2 permission check for this alias.
            AuthData authDataInt = getAuthDataInt(str3);
            if (authDataInt == null) {
                Tr.warning(tc, "auth data not found - null");
                throw new LoginException(new StringBuffer().append("Incorrect authDataEntry and alias is: ").append(str3).toString());
            }
            // psw.toCharArray() throws NullPointerException for a null password (handled below).
            PasswordCredential passwordCredential = new PasswordCredential(authDataInt.uid, authDataInt.psw.toCharArray());
            passwordCredential.setManagedConnectionFactory(managedConnectionFactory);
            subject.getPrivateCredentials().add(passwordCredential);
            return subject;
        } catch (NullPointerException e3) {
            // NOTE(review): as in getMappedSubject, the Subject is returned without a
            // PasswordCredential after only a warning; the caller cannot tell mapping failed.
            Tr.warning(tc, "Exception caught - auth data does not exist", new Object[]{e3});
            return subject;
        }
    }

    /**
     * Looks up an alias and wraps the result as an {@link AuthDataCredential}.
     *
     * <p>The third constructor argument appears to be a status code: {@code 0} when the alias
     * resolved, {@code 1} when it is not defined, {@code 3} when the lookup threw a
     * NullPointerException — the meaning of the codes is not visible here; confirm against
     * {@code AuthDataCredential}.
     *
     * @param str auth-data alias
     * @return {@code null} for a null/empty alias, otherwise a credential carrying the user id and
     *         password (or nulls plus a non-zero status)
     * @throws SecurityException from the permission check in {@link #getAuthDataInt(String)}
     */
    public static AuthDataCredential getAuthData(String str) throws LoginException, SecurityException {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, new StringBuffer().append("getAuthData(uidpswEntry = ").append(str).append(")").toString());
        }
        if (str == null || str.length() == 0) {
            return null;
        }
        try {
            AuthData authDataInt = getAuthDataInt(str);
            if (authDataInt != null) {
                return new AuthDataCredential(authDataInt.uid, authDataInt.psw, 0);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Alias not defined on server; local search not enabled or auth.data.props not loaded.");
            }
            return new AuthDataCredential(null, null, 1);
        } catch (NullPointerException e) {
            return new AuthDataCredential(null, null, 3);
        }
    }

    /**
     * Installs a new alias-to-auth-data table.
     *
     * <p>When a SecurityManager is present the caller must hold the coarse
     * {@code getPasswordCredential} permission. Values that are {@link MappingAuthData} are
     * converted in place to {@link AuthData}; values of any other type (other than
     * {@code AuthData}) are replaced with {@code null}. The map passed in is mutated and then
     * stored by reference — no defensive copy — so a caller that keeps the reference can change
     * the table afterwards. A {@code null} argument clears the table.
     *
     * <p>Put-on-existing-key is not a structural modification of {@link HashMap}, so the
     * in-loop {@code put} calls do not trigger ConcurrentModificationException. Any exception in
     * the normalization loop is FFDC-logged and the (possibly partially normalized) map is still
     * installed.
     *
     * @param hashMap alias -> {@code AuthData} or {@code MappingAuthData}; may be {@code null}
     * @throws SecurityException if the permission check fails
     */
    public static synchronized void refreshAuthData(HashMap hashMap) throws SecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "refreshAuthData");
        }
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Performing Java 2 Security Permission Check ...");
                Tr.debug(tc, new StringBuffer().append("Expecting : ").append(perm.toString()).toString());
            }
            securityManager.checkPermission(perm);
        }
        if (hashMap != null) {
            try {
                if (!hashMap.isEmpty()) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, new StringBuffer().append("Mapping auth data has ").append(hashMap.size()).append(" entries").toString());
                    }
                    Class<?> cls = Class.forName("com.ibm.ws.security.util.AuthData");
                    Class<?> cls2 = Class.forName("com.ibm.websphere.security.auth.MappingAuthData");
                    for (Object obj : hashMap.keySet()) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, new StringBuffer().append("Mapping auth data alias = ").append(obj).toString());
                        }
                        Object obj2 = hashMap.get(obj);
                        if (obj2 != null) {
                            if (cls2.isInstance(obj2)) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Mapping auth data Class is MappingAuthData");
                                }
                                hashMap.put(obj, new AuthData(((MappingAuthData) obj2).getUserName(), ((MappingAuthData) obj2).getPassword()));
                            } else if (!cls.isInstance(obj2)) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Mapping auth data Class is neither AuthData nor MappingAuthData; set to null");
                                }
                                hashMap.put(obj, null);
                            }
                        }
                    }
                }
            } catch (Exception e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.auth.j2c.WSDefaultPrincipalMapping.refreshAuthData", "569");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, new StringBuffer().append(GSSEncodeDecodeException.exceptionCaughtStr).append(e).toString());
                }
            }
        }
        // Reference, not a copy, is retained.
        authDataMap = hashMap;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "refreshAuthData");
        }
    }

    /**
     * Resolves an alias to its {@link AuthData} after the Java 2 permission check.
     *
     * <p>With a SecurityManager present: if fine-grained JCA security is on, the permission
     * checked is {@code getPasswordCredential.<alias>} (for a {@code null} alias this becomes
     * the literal {@code getPasswordCredential.null}); otherwise the coarse {@code perm}. The
     * check runs whether or not the alias exists in the table.
     *
     * @param str auth-data alias used as the map key
     * @return the matching {@code AuthData}, or {@code null} when the table is not loaded or has no entry
     * @throws SecurityException if the permission check fails
     */
    public static synchronized AuthData getAuthDataInt(String str) throws SecurityException {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, new StringBuffer().append("getOneAuthDataEntry(uidpswEntry = ").append(str).append(")").toString());
        }
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            if (isFineGrained) {
                // Per-alias permission name; note it embeds the alias unmodified.
                WebSphereRuntimePermission webSphereRuntimePermission = new WebSphereRuntimePermission(new StringBuffer().append("getPasswordCredential.").append(str).toString());
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Performing Java 2 Security Permission Check (Fine Grained) ...");
                    Tr.debug(tc, new StringBuffer().append("Expecting : ").append(webSphereRuntimePermission.toString()).toString());
                }
                securityManager.checkPermission(webSphereRuntimePermission);
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Performing Java 2 Security Permission Check ...");
                    Tr.debug(tc, new StringBuffer().append("Expecting : ").append(perm.toString()).toString());
                }
                securityManager.checkPermission(perm);
            }
        }
        if (authDataMap != null) {
            return (AuthData) authDataMap.get(str);
        }
        return null;
    }

    /**
     * Returns the shared, lazily created Subject holding a single
     * {@code WSPrincipalImpl("UNAUTHENTICATED")} and no credentials.
     *
     * <p>The same instance is handed to every caller and is created without synchronization;
     * a caller that mutates it affects all later callers.
     */
    private static Subject getUnauthenticatedSubjectWithoutCredentials() {
        if (unauthSubject == null) {
            unauthSubject = new Subject();
            unauthSubject.getPrincipals().add(new WSPrincipalImpl("UNAUTHENTICATED"));
        }
        return unauthSubject;
    }

    /**
     * Decompiler-generated replacement for class literals: loads {@code str} by name and turns a
     * {@link ClassNotFoundException} into a {@link NoClassDefFoundError}. As printed, the throw
     * statement's type is {@code Throwable} (initCause's return type); the original bytecode
     * presumably narrows it.
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError().initCause(e);
        }
    }

    // Static initialization: trace registration, field defaults, then a reflective read of
    // SecurityConfig.getConfig().getValue(...) for the fine-grained flag and the callback-handler
    // factory class name. Any failure is FFDC-logged and leaves cbkFactory null, which
    // getMappedSubject tolerates with the "initFailureRecovery" fallback.
    static {
        Class cls;
        Class<?> cls2;
        String str;
        if (class$com$ibm$ws$security$auth$j2c$WSDefaultPrincipalMapping == null) {
            cls = class$("com.ibm.ws.security.auth.j2c.WSDefaultPrincipalMapping");
            class$com$ibm$ws$security$auth$j2c$WSDefaultPrincipalMapping = cls;
        } else {
            cls = class$com$ibm$ws$security$auth$j2c$WSDefaultPrincipalMapping;
        }
        tc = Tr.register(cls, (String) null, "com.ibm.ejs.resources.security");
        perm = new WebSphereRuntimePermission("getPasswordCredential");
        authDataMap = null;
        DEFAULT_PRINCIPAL_MAPPING = AppConstants.APPDEPL_DEFAULT_PMAP;
        isFineGrained = false;
        cbkFactory = null;
        unauthSubject = null;
        auditHandler = null;
        auditFactory = null;
        auditService = null;
        try {
            Boolean bool = Boolean.TRUE;
            Class<?> cls3 = Class.forName("com.ibm.ws.security.core.SecurityConfig");
            Method method = cls3.getMethod("getConfig", null);
            Class<?>[] clsArr = new Class[1];
            if (class$java$lang$String == null) {
                cls2 = class$("java.lang.String");
                class$java$lang$String = cls2;
            } else {
                cls2 = class$java$lang$String;
            }
            clsArr[0] = cls2;
            Method method2 = cls3.getMethod("getValue", clsArr);
            Object invoke = method.invoke(null, new Object[0]);
            // Fine-grained flag: defaults to TRUE if the config read throws; a null value leaves
            // isFineGrained at its field default (false).
            try {
                bool = (Boolean) method2.invoke(invoke, CommonConstants.ENFORCE_FINE_GRAINED_JCA_SECURITY);
            } catch (Throwable th) {
                // Ignored: keep the Boolean.TRUE default set above.
            }
            if (bool != null) {
                isFineGrained = bool.booleanValue();
            }
            // Callback-handler factory class: configured value, or the built-in default when the
            // property is unset or the read throws.
            try {
                str = (String) method2.invoke(invoke, CommonConstants.MAPPING_CALLBACK_HANDLER_FACTORY_CLASS);
                if (str == null) {
                    Tr.info(tc, "security.j2c.calbackHandlerFactoryUndefined", new Object[]{CommonConstants.MAPPING_CALLBACK_HANDLER_FACTORY_CLASS});
                    str = "com.ibm.ws.security.auth.callback.WSMappingCallbackHandlerFactoryImpl";
                }
            } catch (Throwable th2) {
                str = "com.ibm.ws.security.auth.callback.WSMappingCallbackHandlerFactoryImpl";
            }
            if (str != null && str.length() > 0) {
                str = str.trim();
            }
            cbkFactory = WSMappingCallbackHandlerFactory.getInstance(str);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.j2c.WSDefaultPrincipalMapping.static", "133");
            Tr.error(tc, "security.j2c.initFailure", new Object[]{e});
        }
    }
}
