package com.ibm.ws.wssecurity.platform.websphere.auth;

import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.websphere.wssecurity.wssapi.token.LTPAPropagationToken;
import com.ibm.websphere.wssecurity.wssapi.token.LTPAToken;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.UsernameToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;
import com.ibm.ws.security.auth.CacheException;
import com.ibm.ws.security.auth.SecurityCache;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.token.WSCredentialTokenMapperInterface;
import com.ibm.ws.wssecurity.platform.auth.SubjectCache;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManagerFactory;
import com.ibm.ws.wssecurity.token.CacheableSubjectHelperFactory;
import com.ibm.ws.wssecurity.token.WSSUserRegistryProcessor;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.Subject;

/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/platform/websphere/auth/WasSubjectCacheImpl.class */
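/**
 * WebSphere-platform implementation of {@link SubjectCache}.
 *
 * <p>Stores and retrieves authenticated {@link Subject}s in the runtime's {@link SecurityCache}
 * (obtained from {@code ContextManagerFactory.getInstance().getSecurityCache()}), keyed by a
 * mapper-generated unique ID, a caller-supplied cache key, or identity attributes taken from an
 * inbound {@link SecurityToken}. Token-based lookups are always passed through
 * {@link #validateSubject(Subject)} so a destroyed or expired credential is never returned from
 * the cache.
 *
 * <p>The {@code SecurityCache} may be absent ({@code null}); every method that can tolerate that
 * treats it as a cache miss / no-op rather than failing. This file is a decompilation of the
 * shipped binary; decompiler provenance comments are kept for cross-referencing.
 */
public class WasSubjectCacheImpl implements SubjectCache {
    private static final TraceComponent tc = Tr.register(WasSubjectCacheImpl.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    private static final String clsName = WasSubjectCacheImpl.class.getName();
    // Cached copy of _wsCredToken._wsCredTokenMapper; stays null when the mapper could not be loaded.
    private static WSCredentialTokenMapperInterface wsCredTokenMapper = null;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/platform/websphere/auth/WasSubjectCacheImpl$_wsCredToken.class */
    /**
     * Holder that instantiates the platform {@code WSCredentialTokenMapper} once, the first time
     * the holder class is initialised. Loading is best-effort: on any failure the field is left
     * {@code null} and the exception is reported through {@link Tr#processException}, so every
     * consumer must null-check {@link #_wsCredTokenMapper}.
     */
    public static class _wsCredToken {
        // null when the mapper class is absent or fails to instantiate.
        static WSCredentialTokenMapperInterface _wsCredTokenMapper;

        private _wsCredToken() {
        }

        static {
            _wsCredTokenMapper = null;
            try {
                // Reflective load keeps this bundle free of a hard dependency on the mapper class.
                Object mapper = Class.forName("com.ibm.ws.security.token.WSCredentialTokenMapper").getDeclaredConstructor().newInstance();
                if (WasSubjectCacheImpl.tc.isDebugEnabled()) {
                    Tr.debug(WasSubjectCacheImpl.tc, "Got instance of WSCredTokenMapper.");
                }
                _wsCredTokenMapper = (WSCredentialTokenMapperInterface) mapper;
            } catch (Exception e) {
                // Deliberately non-fatal: the failure is recorded and the mapper stays null.
                Tr.processException(e, WasSubjectCacheImpl.clsName + "init", "981");
            }
        }
    }

    /**
     * Derives the unique cache key for {@code subject} via the {@code CacheableSubjectHelper}.
     *
     * @param subject the subject to identify; handed to the helper as-is
     * @return the helper's identifier, or {@code null} when the helper throws (the exception is
     *         only debug-traced)
     */
    @Override // com.ibm.ws.wssecurity.platform.auth.SubjectCache
    public String createUniqueCachekey(Subject subject) {
        if (tc.isEntryEnabled()) {
            // The shipped binary traced Tr.exit here, mis-pairing the entry/exit records.
            Tr.entry(tc, "createUniqueIDForAuthCache");
        }
        String identifier = null;
        try {
            identifier = CacheableSubjectHelperFactory.getInstance().getIdentifier(subject);
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Caught exception while getting unique ID from subject.", new Object[]{e});
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createUniqueIDForAuthCache: " + identifier);
        }
        return identifier;
    }

    /**
     * Looks up a cached subject by its unique ID.
     *
     * @param str the unique ID; {@code null} or empty IDs are never looked up
     * @return the cached subject, or {@code null} when the cache is absent, the ID is empty, the
     *         entry is missing, or the cache throws {@link CacheException} (reported and
     *         debug-traced)
     */
    @Override // com.ibm.ws.wssecurity.platform.auth.SubjectCache
    public Subject getSubjectFromAuthCacheByUniqueID(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSubjectFromAuthCacheByUniqueID with " + str);
        }
        Subject cached = null;
        SecurityCache securityCache = ContextManagerFactory.getInstance().getSecurityCache();
        boolean hasId = str != null && str.length() > 0;
        if (securityCache == null || !hasId) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Not looking Subject in cache because SecurityCache instance is null.");
            }
        } else {
            try {
                cached = securityCache.getSubject(str);
            } catch (CacheException e) {
                Tr.processException(e, clsName + ".getSubjectFromAuthCacheByUniqueID", "53");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Caught exception while looking up subject from AuthCache.", new Object[]{e});
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSubjectFromAuthCacheByUniqueID with " + str);
        }
        return cached;
    }

    /**
     * Looks up a cached subject using the identity carried by an inbound token and validates it.
     *
     * <p>Lookup strategy by token type ({@code instanceof} order matters: the propagation token is
     * tested before the plain LTPA token):
     * <ul>
     *   <li>{@link UsernameToken}: default realm + user name, plus the password when one is
     *       present; an empty user name is never looked up.</li>
     *   <li>{@link LTPAPropagationToken}: never looked up; yields {@code null}.</li>
     *   <li>{@link LTPAToken}: by the token's binary form, when non-null.</li>
     *   <li>{@link X509Token}: default realm + the registry-mapped certificate identity, falling
     *       back to the token principal when the mapping is empty.</li>
     *   <li>any other token: default realm + principal, when the principal is non-null.</li>
     * </ul>
     * Any exception raised during the lookup is debug-traced and treated as a miss.
     *
     * @param securityToken the inbound token; {@code null} yields {@code null}
     * @return the validated cached subject, or {@code null} on a miss or when validation rejects it
     */
    @Override // com.ibm.ws.wssecurity.platform.auth.SubjectCache
    public Subject getSubjectFromAuthCacheByToken(SecurityToken securityToken) {
        Subject cached = null;
        SecurityCache securityCache = ContextManagerFactory.getInstance().getSecurityCache();
        if (securityCache != null && securityToken != null) {
            try {
                if (securityToken instanceof UsernameToken) {
                    final UsernameToken usernameToken = (UsernameToken) securityToken;
                    String username = usernameToken.getUsername();
                    if (username != null && username.length() > 0) {
                        // Password access is privileged; the array belongs to the token and is not cleared here.
                        char[] passwordChars = (char[]) AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.wssecurity.platform.websphere.auth.WasSubjectCacheImpl.1
                            @Override // java.security.PrivilegedAction
                            public Object run() {
                                return usernameToken.getPassword();
                            }
                        });
                        // NOTE: the cache API takes the password as a String, so the secret is
                        // materialized in an immutable object that cannot be zeroed afterwards.
                        String password = (passwordChars == null) ? null : new String(passwordChars);
                        String realm = WSSContextManagerFactory.getInstance().getDefaultRealm();
                        if (password == null || password.length() == 0) {
                            cached = securityCache.getSubject(realm, username);
                        } else {
                            cached = securityCache.getSubject(realm, username, password);
                        }
                    }
                } else if (securityToken instanceof LTPAPropagationToken) {
                    // Propagation tokens are intentionally never served from the cache.
                    cached = null;
                } else if (securityToken instanceof LTPAToken) {
                    final LTPAToken ltpaToken = (LTPAToken) securityToken;
                    byte[] tokenBytes = (byte[]) AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.wssecurity.platform.websphere.auth.WasSubjectCacheImpl.2
                        @Override // java.security.PrivilegedAction
                        public Object run() {
                            return ltpaToken.getBinary();
                        }
                    });
                    if (tokenBytes != null) {
                        cached = securityCache.getSubject(tokenBytes);
                    }
                } else if (securityToken instanceof X509Token) {
                    X509Token x509Token = (X509Token) securityToken;
                    String mappedIdentity = WSSUserRegistryProcessor.mapCertificate(x509Token.getCertificate());
                    if (mappedIdentity == null || mappedIdentity.length() == 0) {
                        mappedIdentity = x509Token.getPrincipal();
                    }
                    cached = securityCache.getSubject(WSSContextManagerFactory.getInstance().getDefaultRealm(), mappedIdentity);
                } else {
                    String principal = securityToken.getPrincipal();
                    if (principal != null) {
                        cached = securityCache.getSubject(WSSContextManagerFactory.getInstance().getDefaultRealm(), principal);
                    }
                }
            } catch (Exception e) {
                // Any lookup failure is a cache miss; the caller falls back to a full login.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Caught exception looking up Subject from AuthgetSecurityCache(): " + e);
                }
            }
        }
        Subject validated = validateSubject(cached);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getCachedSubjectUsingToken: returning Subject = " + validated);
        }
        return validated;
    }

    /**
     * Inserts {@code subject} into the {@link SecurityCache}, keyed by the mapper's unique ID and
     * the caller-supplied cache key when either is available.
     *
     * @param subject the subject to cache; {@code null} is a no-op
     * @param str optional additional cache key; {@code null}/empty is ignored
     */
    @Override // com.ibm.ws.wssecurity.platform.auth.SubjectCache
    public void addSubjectToAuthCache(Subject subject, String str) {
        SecurityCache securityCache = ContextManagerFactory.getInstance().getSecurityCache();
        if (subject == null || securityCache == null) {
            return;
        }
        // The mapper may be absent (see _wsCredToken); the shipped binary dereferenced it blindly.
        WSCredentialTokenMapperInterface mapper = getWSCredentialTokenMapperInterface();
        String uniqueId = null;
        if (mapper != null) {
            uniqueId = mapper.createSubjectUniqueID(subject);
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "WSCredentialTokenMapper is not available; no unique ID for Subject.");
        }
        Object[] cacheKeys = createCachekeys(uniqueId, str);
        if (cacheKeys == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unique ID is null. Adding Subject to AuthCache");
            }
            securityCache.insert(subject);
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Adding Subject with ID " + uniqueId + " to AuthCache");
            }
            securityCache.insert(subject, cacheKeys);
        }
    }

    /**
     * Builds the extra key array for {@link SecurityCache#insert(Subject, Object[])}.
     *
     * @param str the mapper unique ID, may be {@code null}/empty
     * @param str2 the caller cache key, may be {@code null}/empty
     * @return {@code {cachekey, uniqueId}} when both are present, a single-element array when only
     *         one is, or {@code null} when neither is
     */
    private Object[] createCachekeys(String str, String str2) {
        boolean hasUniqueId = str != null && !str.isEmpty();
        boolean hasCacheKey = str2 != null && !str2.isEmpty();
        Object[] keys = null;
        if (hasUniqueId && hasCacheKey) {
            // Order is significant for the cache: caller key first, then the unique ID.
            keys = new Object[]{str2, str};
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Adding Subject with ID " + str + " to AuthCache");
                Tr.debug(tc, "Adding Subject with cachekey " + str2 + " to AuthCache");
            }
        } else if (hasUniqueId) {
            keys = new Object[]{str};
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Adding Subject with ID " + str + " to AuthCache");
            }
        } else if (hasCacheKey) {
            keys = new Object[]{str2};
            if (tc.isDebugEnabled()) {
                // The shipped binary traced the (empty) unique ID here instead of the cache key.
                Tr.debug(tc, "Adding Subject with cachekey " + str2 + " to AuthCache");
            }
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "No Additional Key . Adding Subject to AuthCache");
        }
        return keys;
    }

    /**
     * Validates a cached subject without applying the cache cushion and without renewal.
     *
     * @param subject the subject to validate; {@code null} yields {@code null}
     * @return {@code subject} when still valid, otherwise {@code null}
     */
    @Override // com.ibm.ws.wssecurity.platform.auth.SubjectCache
    public Subject validateSubject(Subject subject) {
        return validateSubject(subject, false);
    }

    /**
     * Validates a cached subject without renewal.
     *
     * @param subject the subject to validate; {@code null} yields {@code null}
     * @param z whether the cache cushion is applied when checking token validity
     * @return {@code subject} when still valid, otherwise {@code null}
     */
    @Override // com.ibm.ws.wssecurity.platform.auth.SubjectCache
    public Subject validateSubject(Subject subject, boolean z) {
        return validateSubject(subject, z, false);
    }

    /**
     * Validates a cached subject, asking the token mapper to renew its tokens.
     *
     * @param subject the subject to validate; {@code null} yields {@code null}
     * @param z whether the cache cushion is applied when checking token validity
     * @return {@code subject} when still valid, otherwise {@code null}
     */
    @Override // com.ibm.ws.wssecurity.platform.auth.SubjectCache
    public Subject validateAndRenewSubject(Subject subject, boolean z) {
        return validateSubject(subject, z, true);
    }

    /**
     * Core validation: rejects a subject whose {@link WSCredential} is missing or destroyed, or
     * whose credential is forwardable but whose tokens fail the mapper's cushion validity check.
     *
     * <p>A non-forwardable credential is only rejected when destroyed; the token validity result
     * is traced but not enforced for it. When the validity check cannot be performed (the mapper
     * is unavailable or throws {@link WSLoginFailedException}) the tokens are treated as invalid,
     * which rejects forwardable subjects (fail closed).
     *
     * @param subject the subject to validate; {@code null} yields {@code null}
     * @param z whether the cache cushion is applied when checking token validity
     * @param z2 whether the mapper should also renew the tokens
     * @return {@code subject} when still valid, otherwise {@code null}
     */
    public Subject validateSubject(Subject subject, boolean z, boolean z2) {
        if (subject == null) {
            return null;
        }
        // The shipped binary called iterator().next() unguarded, which threw on a subject without
        // a WSCredential instead of rejecting it.
        Set<WSCredential> credentials = subject.getPublicCredentials(WSCredential.class);
        if (credentials.isEmpty()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No WSCredential in Subject, logging in again.");
            }
            return null;
        }
        WSCredential credential = credentials.iterator().next();
        boolean destroyed = credential.isDestroyed();
        boolean forwardable = false;
        try {
            forwardable = credential.isForwardable();
        } catch (Exception e) {
            // A credential that cannot even report forwardability is treated as destroyed.
            destroyed = true;
        }
        long cushion = 0;
        if (z) {
            SecurityCache securityCache = ContextManagerFactory.getInstance().getSecurityCache();
            if (securityCache != null) {
                cushion = securityCache.getCushion();
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Cache cushion=" + cushion);
        }
        boolean tokensValid = false;
        WSCredentialTokenMapperInterface mapper = getWSCredentialTokenMapperInterface();
        if (mapper == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WSCredentialTokenMapper is not available; treating tokens as invalid.");
            }
        } else {
            try {
                tokensValid = z2
                        ? mapper.checkCushionValidityOfAllTokens(subject, cushion, true)
                        : mapper.checkCushionValidityOfAllTokens(subject, cushion);
            } catch (WSLoginFailedException e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception when running checkCushionValidityOfAllTokens");
                }
            }
        }
        if (tc.isDebugEnabled()) {
            if (forwardable) {
                Tr.debug(tc, "credential is forwardable, subject valid = " + tokensValid);
            } else {
                Tr.debug(tc, "non-forwardable Subject");
            }
        }
        if (destroyed || (forwardable && !tokensValid)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Credential has expired or is destroyed, logging in again.");
            }
            return null;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Cached subject is valid.");
        }
        return subject;
    }

    /**
     * Returns the runtime {@link SecurityCache}'s cushion.
     *
     * @return the cache cushion value
     */
    @Override // com.ibm.ws.wssecurity.platform.auth.SubjectCache
    public long getCushion() {
        return ContextManagerFactory.getInstance().getSecurityCache().getCushion();
    }

    /**
     * Inserts a subject into the runtime {@link SecurityCache} under the given keys.
     *
     * @param subject the subject to cache
     * @param objArr the cache keys, passed through unchanged
     */
    @Override // com.ibm.ws.wssecurity.platform.auth.SubjectCache
    public void insert(Subject subject, Object[] objArr) {
        ContextManagerFactory.getInstance().getSecurityCache().insert(subject, objArr);
    }

    /**
     * Looks up a subject in the runtime {@link SecurityCache} by an arbitrary key.
     *
     * @param obj the cache key, passed through unchanged
     * @return the cached subject as returned by the cache
     * @throws SoapSecurityException wrapping the message of any {@link CacheException}
     */
    @Override // com.ibm.ws.wssecurity.platform.auth.SubjectCache
    public Subject getSubject(Object obj) throws SoapSecurityException {
        try {
            return ContextManagerFactory.getInstance().getSecurityCache().getSubject(obj);
        } catch (CacheException e) {
            // NOTE(review): only the message is carried over, so the CacheException cause is lost;
            // if SoapSecurityException offers a (String, Throwable) constructor, prefer it.
            throw new SoapSecurityException(e.getMessage());
        }
    }

    /**
     * Returns the platform token mapper loaded by {@link _wsCredToken}, caching it in this class.
     *
     * @return the mapper, or {@code null} when it could not be loaded (callers must check)
     */
    private WSCredentialTokenMapperInterface getWSCredentialTokenMapperInterface() {
        if (wsCredTokenMapper == null) {
            // Benign race: every thread copies the same holder value.
            wsCredTokenMapper = _wsCredToken._wsCredTokenMapper;
        }
        return wsCredTokenMapper;
    }
}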
