package com.ibm.ws.security.auth.kerberos;

import com.ibm.CSIv2Security.LTPAMechOID;
import com.ibm.ISecurityL13SupportImpl.SecurityMessages;
import com.ibm.ISecurityLocalObjectTokenBaseImpl.Krb5NLS;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.management.AdminContext;
import com.ibm.websphere.security.EntryNotFoundException;
import com.ibm.websphere.security.Result;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.CredentialMapFailedException;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.auth.WSCredentialImpl;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.config.AuthMechanismConfig;
import com.ibm.ws.security.config.SecurityConfig;
import com.ibm.ws.security.config.SecurityConfigManager;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.config.UserRegistryConfig;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.ltpa.LTPAServerObject;
import com.ibm.ws.security.util.StringUtil;
import com.ibm.ws.util.PlatformHelperFactory;
import com.ibm.wsspi.wssecurity.platform.token.KRBAuthnToken;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.omg.CSI.KRB5MechOID;

/* loaded from: input_file:wasJars/securityimpl.jar:com/ibm/ws/security/auth/kerberos/Krb5WSCredentialUtils.class */
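/**
 * Helpers that turn an accepted Kerberos (GSS-API) identity into WebSphere credentials.
 * <p>
 * Three stages are covered: validating an incoming GSS token against the server's SPN credential
 * ({@link #validateToken(byte[])}), mapping the Kerberos principal name onto a user in the active
 * user registry ({@link #Krb5ToRegistryWSCredential(String)}, {@link #Krb5ToRegistryDN(String)},
 * {@link #getUserDN(UserRegistry, String)}), and wrapping the registry credential in an
 * authentication-mechanism credential, optionally carrying an LTPA token
 * ({@link #Krb5ToAuthMechWSCredential(Subject, GSSCredential, WSCredential)}).
 * <p>
 * Security notes for maintainers: tokens (the AP-REQ bytes and the generated LTPA token) are
 * bearer credentials and are never written to trace here; the caller identity is only taken from
 * an <em>established</em> GSS context; and an ambiguous registry mapping is rejected rather than
 * resolved to the first match.
 */
public class Krb5WSCredentialUtils {
    private static final GSSManager _manager = GSSManager.getInstance();
    private static LTPAServerObject _ltpaServer = null;
    private static SecurityConfigManager _scm = null;
    private static final TraceComponent tc = Tr.register((Class<?>) Krb5WSCredentialUtils.class, "Security", Krb5NLS.MSG_FILE);

    /** FFDC/trace origin shared by every probe in this class. */
    private static final String CLASS_NAME = "com.ibm.ws.security.auth.kerberos.Krb5WSCredentialUtils";

    /**
     * Kerberos error code KRB_AP_ERR_SKEW ("clock skew too great", RFC 4120) as surfaced in
     * {@link GSSException#getMinor()} alongside a {@link GSSException#DEFECTIVE_TOKEN} major code.
     * The client is expected to retry with corrected time, so this case is traced, not logged as an error.
     */
    private static final int KRB_AP_ERR_SKEW = 37;

    /**
     * Builds a user-registry {@link WSCredential} for a Kerberos principal name.
     * <p>
     * The name is normalised by {@link #adjustUserName(String)}, resolved to a registry DN or
     * uniqueId by {@link #getUserDN(UserRegistry, String)}, and the resulting credential is tagged
     * with the normalised name under {@code CommonConstants.LOGIN_UID}.
     *
     * @param str Kerberos principal name, with or without a realm suffix
     * @return the registry credential, or {@code null} when no user registry implementation is active
     * @throws NoCredentialFoundException   if the registry has no matching user, or credential creation fails
     * @throws CredentialMapFailedException if the name maps to more than one registry user, or the lookup itself fails
     */
    public static WSCredential Krb5ToRegistryWSCredential(String str) throws NoCredentialFoundException, CredentialMapFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "Krb5ToRegistryWSCredential", new Object[]{str});
        }
        String userName = adjustUserName(str);
        UserRegistry registry = (UserRegistry) SecurityObjectLocator.getSecurityConfig().getActiveUserRegistry().getUserRegistryImpl();
        WSCredential credential = null;
        if (registry != null) {
            try {
                credential = registry.createCredential(getUserDN(registry, userName));
                credential.set(CommonConstants.LOGIN_UID, userName);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "returning from createCredential");
                }
            } catch (NoCredentialFoundException e) {
                // Registry-mapping outcomes keep their own type (as Krb5ToRegistryDN does) so that an
                // ambiguous mapping is not downgraded to a plain "not found".
                throw e;
            } catch (CredentialMapFailedException e) {
                throw e;
            } catch (Exception e) {
                // Anything else (registry/remote failure, null credential) is reported below as "no credential".
                FFDCFilter.processException(e, CLASS_NAME + ".Krb5ToRegistryWSCredential", "166");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception in Krb5ToRegistryWSCredential: ", new Object[]{e});
                }
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, credential == null ? "*** newly created WSCredential is NULL!" : credential.toString());
        }
        if (credential == null && registry != null) {
            Tr.error(tc, "security.auth.kerberos.NoCredFound");
            throw new NoCredentialFoundException();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "Krb5ToRegistryWSCredential()");
        }
        return credential;
    }

    /**
     * Resolves a Kerberos principal name to the registry DN / uniqueId of the matching user.
     *
     * @param str Kerberos principal name, with or without a realm suffix
     * @return the registry identifier, or {@code null} when no user registry implementation is active
     * @throws NoCredentialFoundException   if no registry user matches (or an unexpected runtime failure occurs)
     * @throws CredentialMapFailedException if the name maps to more than one registry user, or the lookup fails
     */
    public static String Krb5ToRegistryDN(String str) throws NoCredentialFoundException, CredentialMapFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "Krb5ToRegistryDN", new Object[]{str});
        }
        String userName = adjustUserName(str);
        UserRegistry registry = (UserRegistry) SecurityObjectLocator.getSecurityConfig().getActiveUserRegistry().getUserRegistryImpl();
        if (registry == null) {
            return null;
        }
        try {
            return getUserDN(registry, userName);
        } catch (CredentialMapFailedException e) {
            traceRegistryDNFailure(e);
            throw e;
        } catch (NoCredentialFoundException e) {
            traceRegistryDNFailure(e);
            throw e;
        } catch (RuntimeException e) {
            // getUserDN declares only the two checked exceptions above; anything else is unexpected
            traceRegistryDNFailure(e);
            throw new NoCredentialFoundException(e.getMessage());
        }
    }

    /** FFDC + debug trace for a failed lookup in {@link #Krb5ToRegistryDN(String)}. */
    private static void traceRegistryDNFailure(Exception e) {
        FFDCFilter.processException(e, CLASS_NAME + ".Krb5ToRegistryDN", "221");
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Exception in Krb5ToRegistryDN: ", new Object[]{e});
        }
    }

    /**
     * Wraps a registry credential in an authentication-mechanism {@link WSCredentialImpl}.
     * <p>
     * When a GSS credential is supplied the mechanism OID is Kerberos and the expiry is bounded by
     * the credential's remaining lifetime; otherwise the LTPA OID and the configured mechanism
     * timeout are used. If {@code AuthMechanismConfig.ALLOW_LTPA_AUTH} is on, an LTPA token is
     * minted for the credential's accessId (for backwards compatibility) and the expiry is the
     * earlier of the Kerberos and mechanism expiries.
     *
     * @param subject        login subject; only traced here
     * @param gSSCredential  the accepted/delegated GSS credential, or {@code null} when none is available
     * @param wSCredential   the registry credential to wrap; must not be {@code null} when LTPA is enabled
     * @return the mechanism credential
     * @throws CredentialMapFailedException if the LTPA token cannot be created or any unexpected failure occurs
     * @throws NoCredentialFoundException   declared for interface compatibility; not raised by this implementation
     */
    public static WSCredential Krb5ToAuthMechWSCredential(Subject subject, GSSCredential gSSCredential, WSCredential wSCredential) throws NoCredentialFoundException, CredentialMapFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "Krb5ToAuthMechWSCredential");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Entry parameters:");
            Tr.debug(tc, (subject == null || subject.toString().length() == 0) ? "subject: NULL" : subject.toString());
            Tr.debug(tc, gSSCredential != null ? gSSCredential.toString() : "gssCredential: NULL");
            Tr.debug(tc, wSCredential != null ? wSCredential.toString() : "urCred: NULL");
        }
        String mechOid = KRB5MechOID.value;
        try {
            SecurityConfig securityConfig = SecurityObjectLocator.getSecurityConfig();
            long now = System.currentTimeMillis();
            // the mechanism "timeout" is configured in minutes
            long mechExpiration = securityConfig.getActiveAuthMechanism().getLong("timeout") * 60L * 1000L + now;
            long krb5Expiration;
            if (gSSCredential != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Krb5ToAuthMechWSCredential for " + gSSCredential.getName().toString());
                }
                // getRemainingLifetime() is an int number of seconds; multiply as long so that
                // INDEFINITE_LIFETIME (Integer.MAX_VALUE) or any lifetime beyond ~24 days cannot overflow.
                krb5Expiration = gSSCredential.getRemainingLifetime() * 1000L + now;
            } else {
                mechOid = LTPAMechOID.value;
                krb5Expiration = mechExpiration;
            }
            boolean ltpaSupported = securityConfig.getActiveAuthMechanism().getBoolean(AuthMechanismConfig.ALLOW_LTPA_AUTH);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Krb5ToAuthMechWSCredential - authMechOid: " + mechOid + ", krb5expiration: " + krb5Expiration + ", ltpaSupported: " + ltpaSupported);
            }
            WSCredentialImpl result;
            if (ltpaSupported) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Creating WSCredential with LTPA token for backwards compatiblity.");
                }
                if (wSCredential == null) {
                    throw new CredentialMapFailedException("Krb5ToAuthMechWSCredential: registry credential is null; cannot create an LTPA token");
                }
                LTPAServerObject ltpaServer = getLTPAServerObject();
                if (ltpaServer == null) {
                    throw new CredentialMapFailedException("Krb5ToAuthMechWSCredential: LTPAServerObject is unavailable; cannot create an LTPA token");
                }
                byte[] ltpaToken = ltpaServer.createLTPAToken(wSCredential.getAccessId(), securityConfig.getProperty("com.ibm.wsspi.security.token.authenticationTokenFactory")).getBytes();
                if (tc.isDebugEnabled()) {
                    // The LTPA token is a bearer credential: trace its size only, never its contents.
                    Tr.debug(tc, "Krb5ToAuthMechWSCredential - ltpaToken length: " + ltpaToken.length);
                }
                long expiration = Math.min(krb5Expiration, mechExpiration);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Krb5ToAuthMechWSCredential - expiration: " + expiration);
                }
                result = new WSCredentialImpl(wSCredential, mechOid, ltpaToken, true, expiration);
            } else {
                result = new WSCredentialImpl(wSCredential, mechOid, new byte[0], true, krb5Expiration);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "Krb5ToAuthMechWSCredential()");
            }
            return result;
        } catch (CredentialMapFailedException e) {
            // already carries a precise message; do not re-wrap
            throw e;
        } catch (Exception e) {
            FFDCFilter.processException(e, CLASS_NAME + ".Krb5ToAuthMechWSCredential", "334");
            Tr.error(tc, "security.auth.kerberos.unexpectedexception", new Object[]{"createCredential()", e});
            throw new CredentialMapFailedException(e.getMessage(), e);
        }
    }

    /**
     * Validates an incoming GSS (Kerberos AP-REQ) token against the server SPN credential and
     * builds a {@link KRBAuthnToken} for the authenticated client.
     * <p>
     * The token is accepted inside {@code Subject.doAsPrivileged} on a fresh {@link Subject}.
     * The client principal and the context lifetime are taken only from an established context;
     * if the context is not established after this one call, no principal is known and the
     * result may be {@code null}. When {@code enabledGssCredDelegate} is on, the delegated
     * credential (if any) and any Kerberos ticket left in the subject are included as well.
     * The GSS context is disposed on every exit path.
     *
     * @param bArr the raw token bytes received from the client
     * @return the authentication token, or {@code null} when no principal/ticket/credential was obtained
     * @throws GSSException          if the server context cannot be created
     * @throws WSLoginFailedException (an {@code Exception}) if the token is rejected or any failure occurs
     *                               while accepting it; a clock-skew rejection is traced rather than logged
     * @throws Exception             if the server SPN credential cannot be obtained
     */
    public static KRBAuthnToken validateToken(final byte[] bArr) throws Exception, GSSException {
        if (tc.isEntryEnabled()) {
            // Only the size is traced: the AP-REQ is a replayable credential within the skew window.
            Tr.entry(tc, "validateToken() tokenLength=" + (bArr == null ? 0 : bArr.length));
        }
        GSSCredential serverCred;
        try {
            serverCred = ContextManagerFactory.getInstance().getServerSpnGSSCred();
        } catch (Exception e) {
            FFDCFilter.processException(e, CLASS_NAME + ".validateToken", "374");
            Tr.error(tc, "security.auth.kerberos.unexpectedexception", new Object[]{"createCredential()", e});
            throw e;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "validateToken: serverCred is :" + serverCred);
        }
        final GSSContext serverContext;
        try {
            serverContext = _manager.createContext(serverCred);
        } catch (GSSException e) {
            FFDCFilter.processException(e, CLASS_NAME + ".validateToken", "384");
            Tr.error(tc, "security.auth.kerberos.unexpectedexception", new Object[]{"createContext()", e});
            throw e;
        }
        // NOTE(review): presumably toggles javax.security.auth.useSubjectCredsOnly so the GSS
        // provider works against the subject below rather than a process-wide cache — confirm in Krb5Utils.
        Krb5Utils.setUseSubjectCredsOnly(true);
        Subject acceptorSubject = new Subject();
        try {
            byte[] outToken = acceptSecContext(serverContext, acceptorSubject, bArr);
            if (outToken == null && tc.isDebugEnabled()) {
                Tr.debug(tc, "validateToken: outToken is null");
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "validateToken: " + acceptorSubject.toString());
            }
            KerberosTicket ticket = SubjectHelper.getKerberosTicketFromSubject(acceptorSubject);
            KerberosPrincipal clientPrincipal = null;
            long lifetime = 0;
            if (serverContext.isEstablished()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "validateToken: serverContext established successfully.");
                }
                lifetime = serverContext.getLifetime();
                GSSName srcName = serverContext.getSrcName();
                if (srcName != null) {
                    clientPrincipal = new KerberosPrincipal(srcName.toString());
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "validateToken: serverContext is not established");
            }
            KRBAuthnToken authnToken = null;
            boolean delegationEnabled = SecurityObjectLocator.getSecurityConfig().getActiveAuthMechanism().getBoolean("enabledGssCredDelegate");
            if (delegationEnabled) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "validateToken: Delegated GSSCredential is enabled");
                }
                GSSCredential delegated = null;
                if (serverContext.isEstablished()) {
                    try {
                        delegated = serverContext.getDelegCred();
                    } catch (GSSException e) {
                        FFDCFilter.processException(e, CLASS_NAME + ".validateToken", "485");
                        Tr.error(tc, "security.auth.kerberos.unexpectedexception", new Object[]{"getDelegCred()", e});
                        throw e;
                    }
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, delegated == null ? "validateToken: Delegated GSSCredential is null." : "validateToken: Delegated GSSCredential is not null.");
                }
                if (ticket != null || delegated != null || clientPrincipal != null) {
                    authnToken = Krb5Utils.createKRBAuthnToken(ticket, delegated, clientPrincipal, null, lifetime);
                }
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "validateToken: Delegated GSSCredential is disabled");
                }
                if (clientPrincipal != null) {
                    authnToken = Krb5Utils.createKRBAuthnToken(null, null, clientPrincipal, null, lifetime);
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "validateToken()");
            }
            return authnToken;
        } catch (GSSException e) {
            if (GSSException.DEFECTIVE_TOKEN == e.getMajor() && KRB_AP_ERR_SKEW == e.getMinor()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Suppressing SECJ9314E error message for retriable clock skew error.");
                }
                if (!SecurityMessages.suppressFFDCforKrbSkewError(e)) {
                    FFDCFilter.processException(e, CLASS_NAME + ".validateToken", "421");
                }
            } else {
                Tr.error(tc, "security.auth.kerberos.unexpectedexception", new Object[]{"validateToken()", e});
                FFDCFilter.processException(e, CLASS_NAME + ".validateToken", "426");
            }
            throw new WSLoginFailedException(e.getMessage(), e);
        } catch (Exception e) {
            Tr.error(tc, "security.auth.kerberos.exception", new Object[]{serverContext, "validateToken()", e});
            FFDCFilter.processException(e, CLASS_NAME + ".validateToken", "433");
            throw new WSLoginFailedException(e.getMessage(), e);
        } finally {
            // Dispose on every path (including failures) so a rejected token does not leak the context.
            try {
                serverContext.dispose();
            } catch (GSSException e) {
                FFDCFilter.processException(e, CLASS_NAME + ".validateToken", "518");
                Tr.error(tc, "security.auth.kerberos.unexpectedexception", new Object[]{"dispose()", e});
            }
        }
    }

    /**
     * Runs {@code acceptSecContext} as the given subject and unwraps the {@link PrivilegedActionException}.
     *
     * @return the output token produced by the acceptor, possibly {@code null}
     * @throws Exception the exception raised inside the privileged action (typically a {@link GSSException})
     */
    private static byte[] acceptSecContext(final GSSContext context, Subject subject, final byte[] token) throws Exception {
        try {
            return Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<byte[]>() {
                @Override
                public byte[] run() throws GSSException {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "validateToken: calling acceptSecContext.");
                    }
                    return context.acceptSecContext(token, 0, token.length);
                }
            }, AccessController.getContext());
        } catch (PrivilegedActionException e) {
            if (!SecurityMessages.suppressFFDCforKrbSkewError(e)) {
                FFDCFilter.processException(e, CLASS_NAME + ".validateToken", "412");
            }
            throw e.getException();
        }
    }

    /**
     * Normalises a Kerberos principal name according to the active authentication mechanism:
     * with {@code trimUserName} on, the name is trimmed by {@code Krb5Utils.trimUserName};
     * otherwise a name without {@code @} gets the configured {@code krb5Realm} appended (if any).
     *
     * @param str principal name as received
     * @return the adjusted name (unchanged when neither rule applies)
     */
    public static String adjustUserName(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "adjustUserName() " + str);
        }
        SecurityConfig securityConfig = SecurityObjectLocator.getSecurityConfig();
        boolean trim = securityConfig.getActiveAuthMechanism().getBoolean("trimUserName");
        String realm = securityConfig.getActiveAuthMechanism().getString("krb5Realm");
        String adjusted = str;
        if (trim) {
            adjusted = Krb5Utils.trimUserName(str);
        } else {
            boolean hasRealm = str.indexOf("@") >= 0;
            boolean realmConfigured = realm != null && !realm.equals("");
            if (!hasRealm && realmConfigured) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "kerberos_realm: " + realm);
                }
                adjusted = str + "@" + realm;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "adjustUserName() " + adjusted);
        }
        return adjusted;
    }

    /**
     * Looks up the registry identifier for a (normalised) principal name.
     * <p>
     * For {@code WIMUserRegistry}, and for {@code LOCALOS} on z/OS, the uniqueUserId is used and
     * the {@code <realm>/} prefix (everything up to the first {@code /}) is stripped. For every
     * other registry a pattern search is made and exactly one match is required.
     *
     * @param userRegistry the active registry implementation
     * @param str          normalised principal name
     * @return the DN / uniqueId, never empty
     * @throws NoCredentialFoundException   if no registry user matches
     * @throws CredentialMapFailedException if more than one user matches, or the registry call fails
     */
    public static String getUserDN(UserRegistry userRegistry, String str) throws NoCredentialFoundException, CredentialMapFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getUserDN() " + str);
        }
        String dn = null;
        try {
            UserRegistryConfig registryConfig = SecurityObjectLocator.getSecurityConfig().getActiveUserRegistry();
            String registryType = registryConfig.getType();
            boolean lookupByUniqueId = (PlatformHelperFactory.getPlatformHelper().isZOS() && "LOCALOS".equals(registryType))
                    || "WIMUserRegistry".equals(registryType);
            if (lookupByUniqueId) {
                String uniqueId = userRegistry.getUniqueUserId(str);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "accessID found is " + uniqueId);
                }
                if (uniqueId != null && uniqueId.length() > 0) {
                    int slash = uniqueId.indexOf('/');
                    dn = slash == -1 ? uniqueId : uniqueId.substring(slash + 1);
                }
            } else {
                // Ask for two entries so an ambiguous mapping is observable: with a limit of 1 the
                // "multiple users" guard below could never fire and the first match would be used silently.
                Result users = userRegistry.getUsers(str, 2);
                int matches = users.getList().size();
                if (matches > 1) {
                    throw new CredentialMapFailedException("Returned multiple users from the registry getUsers: " + str);
                }
                if (matches == 1) {
                    dn = (String) users.getList().get(0);
                }
            }
            if (dn == null || dn.length() == 0) {
                throw new NoCredentialFoundException("Did not find user in userRegistry for userName: " + str);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getuserDN() " + dn);
            }
            return dn;
        } catch (NoCredentialFoundException e) {
            // keep the declared "not found" type instead of folding it into the generic failure below
            throw e;
        } catch (CredentialMapFailedException e) {
            throw e;
        } catch (EntryNotFoundException e) {
            throw new NoCredentialFoundException(e.getMessage());
        } catch (Exception e) {
            FFDCFilter.processException(e, CLASS_NAME + ".getUserDN", "602");
            Tr.error(tc, "security.auth.kerberos.unexpectedexception", new Object[]{"getUserDN()", e});
            throw new CredentialMapFailedException(e.getMessage(), e);
        }
    }

    /**
     * Returns the {@link LTPAServerObject} used to mint LTPA tokens.
     * <p>
     * Outside an admin-agent process the object is fetched once and cached in {@link #_ltpaServer};
     * inside an admin agent it is fetched on every call (it is thread-scoped there).
     *
     * @return the LTPA server object, or {@code null} if it could not be obtained
     */
    private static LTPAServerObject getLTPAServerObject() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getLTPAServerObject");
        }
        LTPAServerObject ltpaServer = null;
        try {
            if (_scm == null) {
                _scm = SecurityObjectLocator.getSecurityConfigManager();
            }
            boolean adminAgent = _scm != null && _scm.isAdminAgent();
            if (adminAgent) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "in AdminAgent process, get LTPAServerObject from thread each time");
                    Tr.debug(tc, "AdminContext.peek() = " + AdminContext.peek());
                }
                ltpaServer = loadLTPAServer();
            } else {
                if (_ltpaServer == null) {
                    _ltpaServer = loadLTPAServer();
                }
                ltpaServer = _ltpaServer;
            }
        } catch (PrivilegedActionException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "PrivilegedActionException getting LTPAServerObject", new Object[]{e});
            }
            FFDCFilter.processException(e, CLASS_NAME + ".LTPAServerObject", "659");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getLTPAServerObject", ltpaServer);
        }
        return ltpaServer;
    }

    /** Fetches {@code LTPAServerObject.getLTPAServer()} under the security-util privileged block. */
    private static LTPAServerObject loadLTPAServer() throws PrivilegedActionException {
        return (LTPAServerObject) com.ibm.ws.security.util.AccessController.doPrivileged(new PrivilegedExceptionAction() {
            @Override
            public Object run() throws Exception {
                return LTPAServerObject.getLTPAServer();
            }
        });
    }
}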
