package com.ibm.ws.wssecurity.wssapi.token.impl;

import com.ibm.ISecurityUtilityImpl.StringBytesConversion;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.auth.WSPrincipal;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.websphere.wssecurity.callbackhandler.PropertyCallback;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.token.WSCredentialTokenMapperInterface;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGenerator;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGeneratorFactory;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditService;
import com.ibm.ws.wssecurity.platform.auth.SubjectCache;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManager;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManagerFactory;
import com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.TokenPropagationCallbackHandler;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.DOMUtils;
import com.ibm.ws.wssecurity.util.IdUtils;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.wssapi.OMStructure;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.util.Base64;
import com.ibm.wsspi.security.token.SingleSignonToken;
import com.ibm.wsspi.security.token.TokenHolder;
import com.ibm.wsspi.security.token.WSOpaqueTokenHelper;
import com.ibm.wsspi.wssecurity.core.Constants;
import com.ibm.wsspi.wssecurity.core.config.TokenConsumerConfig;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;

/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/wssapi/token/impl/LTPAPropagationConsumeLoginModule.class */
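/**
 * JAAS {@link LoginModule} that consumes an LTPA propagation token carried in an inbound
 * WS-Security header.
 *
 * <p>Flow, as implemented in {@link #login()}:
 * <ol>
 *   <li>Obtain the token-consumer context through a {@link PropertyCallback} and verify the
 *       configured token type is {@code LTPA_TOKEN_PROPAGATION}.</li>
 *   <li>Base64-decode the text content of the processing element into an opaque token and
 *       expand it into a list of {@link TokenHolder}s.</li>
 *   <li>If the holder list carries a {@code com.ibm.wsspi.security.cred.cacheKey} entry, try to
 *       reuse the {@link Subject} cached under that key (see
 *       {@link #getSubjectFromTokenHolderCacheKey}); a cached Subject is only reused when its
 *       credential is not destroyed and, if forwardable, still within the cache cushion.</li>
 *   <li>Otherwise run the {@code system.RMI_INBOUND} JAAS login with the holder list and the
 *       bytes of the {@code AuthorizationTokenImpl} holder, caching the new Subject under the
 *       cache key when one was present.</li>
 *   <li>Populate an {@link LTPAPropagationTokenImpl} with the Subject's credential/principal and
 *       register extended audit data when authentication auditing is enabled.</li>
 * </ol>
 *
 * <p>Trust boundary: everything decoded from the processing element is attacker-controlled
 * input. Validation of the embedded LTPA token is delegated to the {@code system.RMI_INBOUND}
 * login when no cached Subject is used. NOTE(review): on the cached path the LTPA-token byte
 * comparison inside {@link #getSubjectFromTokenHolderCacheKey} is skipped because
 * {@link #login()} passes {@code null} for the token bytes, so the cached Subject is selected by
 * cache key alone (subject to the cushion/destroyed checks) -- confirm this is intended.
 *
 * <p>Changes relative to the previous revision: exceptions re-thrown as
 * {@link LoginException} now keep their cause via {@code initCause}; a Subject that lacks a
 * {@link WSCredential} or {@link WSPrincipal} after login fails with an explicit message instead
 * of a {@code NullPointerException}; token-holder name comparisons are null-safe; the deprecated
 * {@code new Long(..)} boxing is gone. Observable outcomes (exception types, trace strings) are
 * otherwise unchanged.
 */
public class LTPAPropagationConsumeLoginModule implements LoginModule {
    private static final String comp = "security.wssecurity";
    private CallbackHandler _handler;
    private SecurityToken _token;
    private SecurityTokenManagerImpl _securityTokenManager;
    private Map<Object, Object> _context;
    private static final TraceComponent tc = Tr.register(LTPAPropagationConsumeLoginModule.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    private static final String clsName = LTPAPropagationConsumeLoginModule.class.getName();

    /** JAAS configuration entry used to authenticate the propagated token from scratch. */
    private static final String RMI_INBOUND_JAAS_CONFIG = "system.RMI_INBOUND";
    /** Name of the TokenHolder whose bytes are handed to the RMI_INBOUND login as the credential token. */
    private static final String AUTHZ_TOKEN_HOLDER_NAME = "com.ibm.ws.security.token.AuthorizationTokenImpl";
    /** Name of the TokenHolder that carries the Subject cache key. */
    private static final String CACHE_KEY_HOLDER_NAME = "com.ibm.wsspi.security.cred.cacheKey";
    /** Context key under which the WS-Security runtime supplies the element being processed. */
    private static final String PROCESSING_ELEMENT_KEY = "com.ibm.ws.wssecurity.constants.processingElement";

    /**
     * Lazily-initialized holder for the credential/token mapper, loaded by reflection so that
     * this class still loads when the mapper implementation is absent. On any failure the mapper
     * stays {@code null} and the cushion-validity check in {@link #login()} is skipped.
     */
    private static class _wsCredToken {
        static WSCredentialTokenMapperInterface _wsCredTokenMapper;

        private _wsCredToken() {
        }

        static {
            _wsCredTokenMapper = null;
            try {
                Object mapperInstance = Class.forName("com.ibm.ws.security.token.WSCredentialTokenMapper").newInstance();
                if (LTPAPropagationConsumeLoginModule.tc.isDebugEnabled()) {
                    Tr.debug(LTPAPropagationConsumeLoginModule.tc, "Got instance of WSCredTokenMapper.");
                }
                _wsCredTokenMapper = (WSCredentialTokenMapperInterface) mapperInstance;
            } catch (Exception e) {
                // Best-effort: record the failure and run without the mapper.
                Tr.processException(e, LTPAPropagationConsumeLoginModule.clsName + "init", "657");
            }
        }
    }

    /**
     * Stores the callback handler. The JAAS {@code subject}, {@code sharedState} and
     * {@code options} are not used by this module; the Subject is built by {@link #login()}.
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options)");
        }
        this._handler = callbackHandler;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize(Subject, CallbackHandler, Map, Map)");
        }
    }

    /**
     * Consumes the propagation token (see class comment for the full flow).
     *
     * @return {@code true} when a Subject was obtained and the token populated
     * @throws LoginException on any failure; every exception raised inside the consume flow,
     *         including nested {@code LoginException}s, is wrapped in a {@code LoginException}
     *         carrying message {@code security.wssecurity.BSTokenLoginModule.s01} with the
     *         original exception as its cause
     */
    @Override
    public boolean login() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        PropertyCallback propertyCallback = new PropertyCallback(null);
        try {
            this._handler.handle(new Callback[]{propertyCallback});
            this._context = propertyCallback.getProperties();
            TokenConsumerConfig consumerConfig = (TokenConsumerConfig) this._context.get(TokenConsumerConfig.CONFIG_KEY);
            LTPAPropagationTokenImpl token = new LTPAPropagationTokenImpl();
            // Registered early so error-handling code can report against this token.
            this._context.put(Constants.WSSECURITY_TOKEN_FOR_ERROR_HANDLING, token);
            QName configuredType = consumerConfig.getType();
            if (!com.ibm.ws.wssecurity.common.Constants.LTPA_TOKEN_PROPAGATION.equals(configuredType)) {
                throw new LoginException(ConfigUtil.getMessage("security.wssecurity.PrivateConsumerConfig.s30", new String[]{configuredType.toString(), com.ibm.ws.wssecurity.common.Constants.LTPA_TOKEN_PROPAGATION.toString()}));
            }

            OMElement element = (OMElement) this._context.get(PROCESSING_ELEMENT_KEY);
            token.setXML(new OMStructure(element));
            QName idAttributeName = IdUtils.getInstance().getIdAttributeName(element);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The identifier attribute of the target element is [" + idAttributeName + "].");
            }
            String tokenId = idAttributeName != null ? element.getAttributeValue(idAttributeName) : null;
            token.setId(tokenId);
            // Untrusted: the element text comes straight from the inbound message.
            byte[] opaqueToken = Base64.decode(DOMUtils.getStringValue(element));

            WSCredentialTokenMapperInterface mapper = _wsCredToken._wsCredTokenMapper;
            WSSContextManager contextManager = WSSContextManagerFactory.getInstance();
            SubjectCache subjectCache = null;
            if (contextManager != null) {
                subjectCache = contextManager.getSubjectCache();
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WSSContextManager object missing");
            }

            // Expand the opaque token and look for a cached Subject. Any failure here is logged
            // and falls through to a fresh RMI_INBOUND login (with a null holder list if the
            // expansion itself failed).
            ArrayList tokenHolders = null;
            Subject subject = null;
            String cacheKey = null;
            try {
                tokenHolders = WSOpaqueTokenHelper.getInstance().createTokenHolderListFromOpaqueToken(opaqueToken);
                // NOTE(review): null token bytes => the LTPA byte match in the helper is skipped.
                Object[] cached = getSubjectFromTokenHolderCacheKey(null, tokenHolders, subjectCache);
                if (cached != null) {
                    subject = (Subject) cached[0];
                    cacheKey = (String) cached[1];
                }
            } catch (WSSecurityException e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Caught WSSecurityException trying to get cached Subject: " + e);
                }
            } catch (Exception e2) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Caught Exception trying to get cached Subject: " + e2);
                }
            }

            WSCredential credential = null;
            WSPrincipal principal = null;
            if (subject != null) {
                credential = SubjectHelper.getWSCredentialFromSubject(subject);
                principal = SubjectHelper.getPrincipalFromSubject(subject);
                if (!isCachedSubjectUsable(subject, credential, subjectCache, mapper)) {
                    subject = null;
                }
            }

            if (subject == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Using JAAS config: system.RMI_INBOUND");
                }
                byte[] authzTokenBytes = findAuthorizationTokenBytes(tokenHolders);
                try {
                    LoginContext loginContext = new LoginContext(RMI_INBOUND_JAAS_CONFIG, new TokenPropagationCallbackHandler(this._context, tokenHolders, authzTokenBytes));
                    loginContext.login();
                    subject = loginContext.getSubject();
                    if (cacheKey == null || cacheKey.isEmpty()) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "No cache key string found in token list; will not cache new subject.");
                        }
                    } else if (subjectCache != null) {
                        // NOTE(review): the cache key is written to the debug trace here;
                        // existing behaviour retained, confirm it is not considered sensitive.
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Caching new subject with cache key string: " + cacheKey);
                        }
                        subjectCache.insert(subject, new Object[]{cacheKey});
                    } else if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Not caching new subject because Securitycache instance is null.");
                    }
                    credential = SubjectHelper.getWSCredentialFromSubject(subject);
                    principal = SubjectHelper.getPrincipalFromSubject(subject);
                } catch (LoginException e5) {
                    Tr.processException(e5, clsName + ".login()", "323", this);
                    LoginException wrapped = new LoginException("Error logging in: " + e5.getClass().getName() + ": " + e5.getMessage());
                    wrapped.initCause(e5);
                    throw wrapped;
                }
            }

            this._securityTokenManager = (SecurityTokenManagerImpl) this._context.get(Constants.WSSECURITY_SECURITY_TOKEN_MANAGER);
            if (subject != null) {
                this._securityTokenManager.addToSubject(subject);
            }
            token.setWSCredential(credential);
            token.setWSPrincipal(principal);
            if (credential == null || principal == null) {
                // Previously surfaced as a NullPointerException; make the failure explicit.
                throw new LoginException("Authenticated Subject has no WSCredential or WSPrincipal");
            }
            try {
                token.setBinary(credential.getCredentialToken());
                token.setPrincipal(principal.getName());
                recordAuditData(token, tokenId);
                this._token = token;
                if (!tc.isEntryEnabled()) {
                    return true;
                }
                Tr.exit(tc, "login()");
                return true;
            } catch (CredentialDestroyedException e6) {
                LoginException wrapped = new LoginException(e6.getMessage());
                wrapped.initCause(e6);
                throw wrapped;
            }
        } catch (Exception e7) {
            Tr.processException(e7, clsName + ".login", "137", this);
            LoginException wrapped = new LoginException(ConfigUtil.getMessage("security.wssecurity.BSTokenLoginModule.s01", new String[]{e7.toString()}));
            wrapped.initCause(e7);
            throw wrapped;
        }
    }

    /**
     * Decides whether a Subject found in the cache may be reused.
     *
     * <p>Reuse is refused when the Subject has no {@link WSCredential}, when the credential is
     * destroyed (or {@code isForwardable()} throws, which is treated as destroyed), or when the
     * credential is forwardable but {@code checkCushionValidityOfAllTokens} did not confirm it
     * is still within the cache cushion. Non-forwardable credentials are reused regardless of
     * the cushion check. Without a cache or mapper the cushion check is skipped and reports
     * {@code false}, so a forwardable credential is then always re-authenticated.
     */
    private static boolean isCachedSubjectUsable(Subject subject, WSCredential credential, SubjectCache subjectCache, WSCredentialTokenMapperInterface mapper) {
        if (credential == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No WSCredential in Subject, logging in again.");
            }
            return false;
        }
        boolean destroyed = credential.isDestroyed();
        boolean forwardable = false;
        try {
            forwardable = credential.isForwardable();
        } catch (Exception e3) {
            // Cannot inspect the credential: treat it as unusable.
            destroyed = true;
        }
        boolean withinCushion = false;
        if (subjectCache != null && mapper != null) {
            try {
                withinCushion = mapper.checkCushionValidityOfAllTokens(subject, subjectCache.getCushion());
            } catch (WSLoginFailedException e4) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception when running checkCushionValidityOfAllTokens");
                }
            }
        }
        if (tc.isDebugEnabled()) {
            if (forwardable) {
                Tr.debug(tc, "credential is forwardable, subject valid = " + withinCushion);
            } else {
                Tr.debug(tc, "non-forwardable Subject");
            }
        }
        if (destroyed || (forwardable && !withinCushion)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Credential has expired or is destroyed, logging in again.");
            }
            return false;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Cached subject is valid.");
        }
        return true;
    }

    /**
     * Returns the bytes of the last {@code AuthorizationTokenImpl} holder in the list, or
     * {@code null} when the list is {@code null} or has no such holder. Non-{@link TokenHolder}
     * entries are traced and skipped.
     */
    private static byte[] findAuthorizationTokenBytes(List tokenHolders) {
        int size = tokenHolders != null ? tokenHolders.size() : 0;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "tokenList size = " + size);
        }
        byte[] credBytes = null;
        for (int i = 0; i < size; i++) {
            Object entry = tokenHolders.get(i);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "tokenList object [" + i + "] = " + entry.getClass().getName());
            }
            if (!(entry instanceof TokenHolder)) {
                continue;
            }
            TokenHolder holder = (TokenHolder) entry;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "th[" + i + "].name = " + holder.getName());
                Tr.debug(tc, "th[" + i + "].version = " + holder.getVersion());
            }
            if (AUTHZ_TOKEN_HOLDER_NAME.equals(holder.getName())) {
                credBytes = holder.getBytes();
                if (tc.isDebugEnabled()) {
                    if (credBytes == null || credBytes.length <= 0) {
                        Tr.debug(tc, "Cred bytes from authz TokenHolder was null or zero-length");
                    } else {
                        Tr.debug(tc, "Got cred bytes from authz TokenHolder");
                    }
                }
            }
        }
        return credBytes;
    }

    /**
     * Adds token id, user name and expiration to the extended audit data when a SUCCESS or
     * DENIED SECURITY_AUTHN event is required for this context.
     */
    private void recordAuditData(LTPAPropagationTokenImpl token, String tokenId) {
        WSSAuditService auditService = WSSContextManagerFactory.getInstance().getAuditService();
        WSSAuditEventGenerator generator = WSSAuditEventGeneratorFactory.getInstance();
        boolean required = auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.SUCCESS, this._context)
                || auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.DENIED, this._context);
        if (!required) {
            return;
        }
        Map<String, Object> extendedAuditData = generator.setExtendedAuditData(this._context, WSSAuditEventGenerator.TOKEN_ID, tokenId);
        generator.addExtendedAuditData(extendedAuditData, "Username", token.getPrincipal());
        generator.addExtendedAuditData(extendedAuditData, WSSAuditEventGenerator.EXPIRATION, Long.toString(token.getExpiration()));
    }

    /**
     * Registers the consumed token with the token manager and publishes it in the context as
     * the processed token. Must be preceded by a successful {@link #login()}.
     */
    @Override
    public boolean commit() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "commit()");
        }
        this._securityTokenManager.addToken(this._token);
        this._context.put(Constants.WSSECURITY_TOKEN_PROCESSED, this._token);
        if (!tc.isEntryEnabled()) {
            return true;
        }
        Tr.exit(tc, "commit()");
        return true;
    }

    /** No state is rolled back; always returns {@code false}. */
    @Override
    public boolean abort() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "abort()");
        }
        if (!tc.isEntryEnabled()) {
            return false;
        }
        Tr.exit(tc, "abort()");
        return false;
    }

    /** No state is cleared; always returns {@code false}. */
    @Override
    public boolean logout() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "logout()");
        }
        if (!tc.isEntryEnabled()) {
            return false;
        }
        Tr.exit(tc, "logout()");
        return false;
    }

    /**
     * Looks up a cached Subject using the cache key carried in the token holder list.
     *
     * <p>For every holder named {@code com.ibm.wsspi.security.cred.cacheKey} the bytes are
     * converted to a string and used to query {@code subjectCache}; a later cache-key holder
     * overrides an earlier one. When {@code bArr} (the caller's LTPA token bytes) is non-null,
     * the cached Subject is only accepted if its WSCredential token or default SSO token equals
     * those bytes; with {@code bArr == null} that comparison is skipped.
     *
     * @param bArr LTPA token bytes to match against the cached Subject, or {@code null} to skip
     *        the match
     * @param list raw list expected to contain {@link TokenHolder}s (a non-holder element
     *        raises a {@code ClassCastException} to the caller, as before)
     * @param subjectCache cache to query; when {@code null} no lookup is performed but the
     *        cache key is still returned
     * @return {@code null} when neither a Subject nor a cache key was found; otherwise a
     *         two-element array {@code {subject, cacheKey}} where either entry may be null
     * @throws Exception propagated from the cache or holder accessors
     */
    private Object[] getSubjectFromTokenHolderCacheKey(byte[] bArr, List list, SubjectCache subjectCache) throws Exception {
        if (tc.isEntryEnabled()) {
            StringBuffer entryTrace = new StringBuffer("getSubjectFromTokenHolderCacheKey(");
            entryTrace.append("byte[] token[");
            entryTrace.append(bArr == null ? "null" : "not null").append("], ");
            entryTrace.append("List tokenHolderList)");
            Tr.entry(tc, entryTrace.toString());
        }
        Subject subject = null;
        String cacheKey = null;
        if (list != null) {
            for (int i = 0; i < list.size(); i++) {
                TokenHolder holder = (TokenHolder) list.get(i);
                if (!CACHE_KEY_HOLDER_NAME.equals(holder.getName())) {
                    continue;
                }
                byte[] keyBytes = holder.getBytes();
                if (keyBytes != null) {
                    cacheKey = StringBytesConversion.getConvertedString(keyBytes);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Found cache key from token holder list: " + cacheKey);
                    }
                    subject = subjectCache != null ? subjectCache.getSubject(cacheKey) : null;
                }
                if (subject != null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Found Subject using cacheKey from prop token.");
                    }
                    if (bArr != null) {
                        WSCredential cachedCredential = SubjectHelper.getWSCredentialFromSubject(subject);
                        SingleSignonToken cachedSsoToken = SubjectHelper.getDefaultSSOTokenFromSubject(subject);
                        boolean credentialMatches = cachedCredential != null && Arrays.equals(bArr, cachedCredential.getCredentialToken());
                        boolean ssoMatches = cachedSsoToken != null && Arrays.equals(bArr, cachedSsoToken.getBytes());
                        if (!credentialMatches && !ssoMatches) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Subject found from cacheKey does not have matching LTPA token.");
                            }
                            subject = null;
                        }
                    }
                }
            }
        }
        Object[] result = (subject == null && cacheKey == null) ? null : new Object[]{subject, cacheKey};
        if (tc.isEntryEnabled()) {
            StringBuffer exitTrace = new StringBuffer("getSubjectFromTokenHolderCacheKey(");
            exitTrace.append("byte[], List) returns Object[][");
            exitTrace.append(result == null ? "null" : "not null").append("]");
            Tr.exit(tc, exitTrace.toString());
        }
        return result;
    }
}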
