package com.ibm.wsspi.wssecurity.token;

import com.ibm.security.krb5.wss.util.ElementLocalNames;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.webservices.wssecurity.KRBConstants;
import com.ibm.ws.webservices.wssecurity.audit.WSSAuditEventGenerator;
import com.ibm.ws.webservices.wssecurity.audit.WSSAuditEventGeneratorImpl;
import com.ibm.ws.webservices.wssecurity.audit.WSSAuditService;
import com.ibm.ws.webservices.wssecurity.audit.WSSAuditServiceImpl;
import com.ibm.ws.webservices.wssecurity.config.WSSConsumerConfig;
import com.ibm.ws.webservices.wssecurity.token.TokenManager;
import com.ibm.ws.webservices.wssecurity.util.DOMUtil;
import com.ibm.ws.webservices.wssecurity.util.IdUtil;
import com.ibm.ws.webservices.wssecurity.util.NamespaceUtil;
import com.ibm.ws.webservices.wssecurity.util.NonceUtil;
import com.ibm.wsspi.webservices.rpc.handler.soap.SOAPMessageContext;
import com.ibm.wsspi.wssecurity.Constants;
import com.ibm.wsspi.wssecurity.SoapSecurityException;
import com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory;
import com.ibm.wsspi.wssecurity.auth.callback.WSCallbackHandlerFactoryImpl;
import com.ibm.wsspi.wssecurity.auth.token.UsernameToken;
import com.ibm.wsspi.wssecurity.config.TokenConsumerConfig;
import com.ibm.xml.soapsec.token.NonceManager;
import com.ibm.xml.soapsec.util.ConfigUtil;
import com.ibm.xml.soapsec.util.Tr;
import com.ibm.xml.soapsec.util.TraceComponent;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.xml.namespace.QName;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:lib/com.ibm.ws.runtime.jar:com/ibm/wsspi/wssecurity/token/UsernameTokenConsumer.class */
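/**
 * Consumes a WS-Security {@code wsse:UsernameToken} element.
 * <p>
 * The consumer extracts the username and password text, optionally verifies the
 * {@code wsu:Created} timestamp and the {@code wsse:Nonce} (both opt-in through the
 * token consumer properties, see {@link #checkNonce}), runs the configured JAAS login
 * and records the resulting {@link UsernameToken} through {@code TokenManager.setToken}.
 * A password element typed as {@code PasswordDigest} is rejected; every other password
 * type (or an untyped password) is passed on as-is to the login module.
 * <p>
 * Login outcomes are reported to the WS-Security audit service when the corresponding
 * SECURITY_AUTHN event is enabled.
 */
public class UsernameTokenConsumer implements TokenConsumerComponent {
    private static final String comp = "security.wssecurity";
    private boolean _initialized = false;
    /**
     * Property handed to the JAAS login module when the login is "delayed": it asks the
     * username login module to skip its user-registry check (see {@link #invokeLoginModule}).
     */
    public static final String _DISABLE_REGISTRY_CHECK = "com.ibm.wsspi.wssecurity.auth.module.UsernameLoginModule.disableUserRegistryCheck";
    private static final TraceComponent tc = Tr.register(UsernameTokenConsumer.class, "Web Services Security", "com.ibm.ws.webservices.wssecurity.resources.was-wssecurity");
    private static final String clsName = UsernameTokenConsumer.class.getName();

    /** Context-map key under which the enclosing {@link WSSConsumerConfig} is stored. */
    private static final String WSS_CONSUMER_CONFIG_KEY = "com.ibm.wsspi.wssecurity.config.wssConsumer.configKey";
    /** Legacy property names consulted only when the {@code Constants.WSSECURITY_VERIFY_*} keys are absent. */
    private static final String LEGACY_VERIFY_TIMESTAMP = "com.ibm.wsspi.wssecurity.token.Username.verifyTimestamp";
    private static final String LEGACY_VERIFY_NONCE = "com.ibm.wsspi.wssecurity.token.Username.verifyNonce";

    /**
     * Marks the component as initialized. The configuration map is not consulted.
     *
     * @param map component configuration (unused)
     * @throws SoapSecurityException never thrown by this implementation; declared by the interface
     */
    @Override // com.ibm.ws.webservices.wssecurity.WSSComponent, com.ibm.wsspi.wssecurity.Initializable
    public void init(Map map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "init(Map map)");
        }
        // Idempotent: a second init() call is a no-op.
        if (!this._initialized) {
            this._initialized = true;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "init(Map map)");
        }
    }

    /**
     * Consumes the target node as a UsernameToken.
     * <p>
     * Removes {@code TokenConsumerConfig.CONFIG_KEY} and the {@code NonceManager} entry
     * from {@code map} as a side effect. Nodes that are not elements are ignored (a debug
     * trace is written) rather than rejected.
     *
     * @param node the {@code wsse:UsernameToken} element to consume
     * @param map  the WS-Security invocation context
     * @throws SoapSecurityException if the configured token type is not a UsernameToken,
     *                               the password is a digest, nonce/timestamp verification fails,
     *                               or the JAAS login fails
     */
    @Override // com.ibm.ws.webservices.wssecurity.WSSConsumerComponent
    public void invoke(Node node, Map map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "invoke(Node target[" + DOMUtil.getDisplayName(node) + "], Map context)");
        }
        final TokenConsumerConfig config = (TokenConsumerConfig) map.remove(TokenConsumerConfig.CONFIG_KEY);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "TokenConsumerConfig [" + config + "].");
        }
        SOAPMessageContext messageContext = (SOAPMessageContext) map.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
        // The WS-Security version selects the wsse/wsu namespace pair; default to index 0.
        int wssVersion = 0;
        Object versionValue = map.get(com.ibm.ws.webservices.wssecurity.Constants.WSS_VERSION);
        if (versionValue instanceof Integer) {
            wssVersion = ((Integer) versionValue).intValue();
        }
        String nsWsse = com.ibm.ws.webservices.wssecurity.Constants.NAMESPACES[0][wssVersion];
        String nsWsu = com.ibm.ws.webservices.wssecurity.Constants.NAMESPACES[1][wssVersion];
        NonceManager nonceManager = (NonceManager) map.remove(NonceManager.class);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The NonceManager is " + (nonceManager == null ? "null." : "not null,"));
        }
        if (node.getNodeType() == Node.ELEMENT_NODE) {
            consumeUsernameToken((Element) node, config, map, messageContext, nsWsse, nsWsu, wssVersion, nonceManager);
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "WARNING: Unsupported node type: " + node.getNodeName());
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "invoke(Node target, Map context)");
        }
    }

    /**
     * Performs the element-level work of {@link #invoke}: builds the token, extracts the
     * credentials, verifies nonce/timestamp as configured, evaluates the trusted-ID
     * evaluator, runs the JAAS login and populates the token with the resulting identity.
     *
     * @param element        the {@code wsse:UsernameToken} element
     * @param config         the token consumer configuration (already removed from {@code map})
     * @param map            the WS-Security invocation context
     * @param messageContext the SOAP message context, may be {@code null}
     * @param nsWsse         wsse namespace for the selected WS-Security version
     * @param nsWsu          wsu namespace for the selected WS-Security version
     * @param wssVersion     index into {@code Constants.NAMESPACES}
     * @param nonceManager   nonce store used for replay detection, may be {@code null}
     * @throws SoapSecurityException see {@link #invoke}
     */
    private static void consumeUsernameToken(Element element, final TokenConsumerConfig config, Map map,
            SOAPMessageContext messageContext, String nsWsse, String nsWsu, int wssVersion,
            NonceManager nonceManager) throws SoapSecurityException {
        String tokenId = null;
        String idAttributeName = IdUtil.getInstance().getIdAttributeName(element);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The identifier attribute of the target element is [" + idAttributeName + "].");
        }
        if (idAttributeName != null) {
            tokenId = element.getAttribute(idAttributeName);
        }
        // Decoupling (the default) stores a clone of the element so later changes to the
        // message DOM do not affect the token.
        Boolean decoupleProperty = (Boolean) config.getProperties().get(Constants.WSSECURITY_DECOUPLE_TOKEN);
        boolean decouple = decoupleProperty == null || decoupleProperty.booleanValue();
        final UsernameToken usernameToken = new UsernameToken(tokenId, null, null, decouple ? DOMUtil.clone(element) : element);
        AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.wsspi.wssecurity.token.UsernameTokenConsumer.1
            @Override // java.security.PrivilegedAction
            public Object run() {
                usernameToken.setUsedTokenConsumer(config);
                return null;
            }
        });
        setTokenToSubject(map, usernameToken);
        QName type = config.getType();
        if (!com.ibm.ws.webservices.wssecurity.Constants.UNTOKEN.equals(type)) {
            throw new SoapSecurityException("Unsupported value type: " + type);
        }

        String username = extractUsername(element, nsWsse);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Username [" + username + "].");
        }
        String passwordText = extractPassword(element, nsWsse, wssVersion);
        char[] password = passwordText == null ? null : passwordText.toCharArray();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, password == null ? "Password is null." : "Password is not null.");
        }

        // Timestamp/nonce verification runs before the login so a replayed token never
        // reaches the login module.
        usernameToken.setDate(checkNonce(element, config, nsWsse, nsWsu, nonceManager));

        boolean trusted = false;
        if (config.getTrustedIDEvaluator() != null) {
            trusted = config.getTrustedIDEvaluator().evaluate(username);
            if (!trusted) {
                Tr.warning(tc, "security.wssecurity.UsernameTokenConsumer.s02", new Object[]{username});
            }
            final boolean trustedResult = trusted;
            AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.wsspi.wssecurity.token.UsernameTokenConsumer.2
                @Override // java.security.PrivilegedAction
                public Object run() {
                    usernameToken.setTrusted(trustedResult);
                    return null;
                }
            });
        }
        // The registry check is deferred only for an untrusted identity that carries a
        // password and whose caller configuration names a UsernameToken without a trust method.
        boolean delayLogin = false;
        if (!trusted && ConfigUtil.hasValue(passwordText)) {
            delayLogin = hasUntokenCallerWithoutTrustMethod(map);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "delayLogin=" + delayLogin);
        }

        final UsernameToken loginToken = invokeLoginModule(config, username, password, messageContext, map, delayLogin);
        if (loginToken != null) {
            // The login module may have mapped the identity; prefer its view of the credentials.
            username = loginToken.getUsername();
            password = (char[]) AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.wsspi.wssecurity.token.UsernameTokenConsumer.3
                @Override // java.security.PrivilegedAction
                public Object run() {
                    return loginToken.getPassword();
                }
            });
        }
        final String finalUsername = username;
        final char[] finalPassword = password;
        AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.wsspi.wssecurity.token.UsernameTokenConsumer.4
            @Override // java.security.PrivilegedAction
            public Object run() {
                usernameToken.setUsername(finalUsername);
                usernameToken.setPassword(finalPassword);
                return null;
            }
        });
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Acquired token is [" + usernameToken + "].");
        }
    }

    /**
     * Returns the text of the {@code wsse:Username} child, or {@code null} if absent.
     *
     * @param element the {@code wsse:UsernameToken} element
     * @param nsWsse  wsse namespace
     * @return username text or {@code null}
     */
    private static String extractUsername(Element element, String nsWsse) {
        Element usernameElement = DOMUtil.getOneElement(element, nsWsse, "Username");
        return usernameElement == null ? null : DOMUtil.getStringValue(usernameElement);
    }

    /**
     * Returns the text of the {@code wsse:Password} child, or {@code null} if absent.
     *
     * @param element    the {@code wsse:UsernameToken} element
     * @param nsWsse     wsse namespace
     * @param wssVersion index used to resolve the password {@code Type} QName
     * @return password text or {@code null}
     * @throws SoapSecurityException (UNSUPPORTED_SECURITY_TOKEN) if the password {@code Type}
     *                               resolves to {@code PASSWORD_DIGEST}; digest passwords are not supported
     */
    private static String extractPassword(Element element, String nsWsse, int wssVersion) throws SoapSecurityException {
        Element passwordElement = DOMUtil.getOneElement(element, nsWsse, "Password");
        if (passwordElement == null) {
            return null;
        }
        String passwordType = passwordElement.getAttribute("Type");
        if (passwordType != null && passwordType.length() > 0
                && NamespaceUtil.equals(DOMUtil.getQName(passwordElement, passwordType, wssVersion), com.ibm.ws.webservices.wssecurity.Constants.PASSWORD_DIGEST)) {
            throw SoapSecurityException.format(com.ibm.ws.webservices.wssecurity.Constants.UNSUPPORTED_SECURITY_TOKEN, "security.wssecurity.UsernameTokenConsumer.s01");
        }
        return DOMUtil.getStringValue(passwordElement);
    }

    /**
     * Reports whether the enclosing consumer configuration declares a caller whose token
     * type is UsernameToken and which has no trust method configured.
     *
     * @param map the WS-Security invocation context holding the {@link WSSConsumerConfig}
     * @return {@code true} if such a caller exists
     */
    private static boolean hasUntokenCallerWithoutTrustMethod(Map map) {
        WSSConsumerConfig consumerConfig = (WSSConsumerConfig) map.get(WSS_CONSUMER_CONFIG_KEY);
        Set callers = consumerConfig.getCallers();
        if (callers == null) {
            return false;
        }
        QName untoken = com.ibm.ws.webservices.wssecurity.Constants.UNTOKEN;
        for (Iterator it = callers.iterator(); it.hasNext();) {
            WSSConsumerConfig.CallerConfig caller = (WSSConsumerConfig.CallerConfig) it.next();
            if (untoken.equals(caller.getTokenType()) && caller.getTrustMethod() == null) {
                return true;
            }
        }
        return false;
    }

    /**
     * Runs the configured JAAS login for the supplied credentials and returns the
     * {@link UsernameToken} the login module placed under
     * {@code Constants.WSSECURITY_TOKEN_LOGININFO} in the shared properties map
     * (may be {@code null} if the module did not provide one).
     * <p>
     * When {@code delayLogin} is {@code true}, {@link #_DISABLE_REGISTRY_CHECK} is set to
     * {@code "true"} in the login-module properties. A SECURITY_AUTHN audit event is sent
     * for success, denial and error outcomes when auditing is enabled for that outcome.
     *
     * @param tokenConsumerConfig token consumer configuration supplying the JAAS config name and properties
     * @param str                 username from the token, may be {@code null}
     * @param cArr                password from the token, may be {@code null}
     * @param sOAPMessageContext  SOAP message context, may be {@code null}
     * @param map                 WS-Security invocation context; the Subject is read from {@code Constants.WSSECURITY_SUBJECT}
     * @param z                   whether to ask the login module to skip the user-registry check
     * @return the token produced by the login module, or {@code null}
     * @throws SoapSecurityException (FAILED_AUTHENTICATION) if the LoginContext cannot be created or the login fails
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public static UsernameToken invokeLoginModule(TokenConsumerConfig tokenConsumerConfig, final String str, final char[] cArr, SOAPMessageContext sOAPMessageContext, final Map map, boolean z) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "invokeLoginModule(TokenConsumerConfig config,String username[" + str + "],char[] password[" + (cArr == null ? "null" : "not null") + "],SOAPMessageContext messageContext,Map context,boolean delayLogin[" + z + "])");
        }
        // Raw HashMap kept: it is handed to WSCallbackHandlerFactoryImpl.setProperties and
        // shared with the login module, which writes the resulting token back into it.
        HashMap loginProperties = new HashMap();
        if (sOAPMessageContext != null) {
            loginProperties.put(Constants.WSSECURITY_MESSAGE_CONTEXT, sOAPMessageContext);
        }
        if (z) {
            loginProperties.put(_DISABLE_REGISTRY_CHECK, "true");
        }
        if (tokenConsumerConfig.getJAASConfigProperties() != null) {
            loginProperties.putAll(tokenConsumerConfig.getJAASConfigProperties());
        }
        final String jaasConfig = tokenConsumerConfig.getJAASConfig();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "JAAS config name is " + jaasConfig + ".");
            ConfigUtil.dumpJAASConfigEntry(jaasConfig);
        }
        if (jaasConfig == null) {
            // Logged here; the LoginContext constructor below rejects the null name and the
            // failure surfaces as FAILED_AUTHENTICATION.
            Tr.error(tc, "security.wssecurityJAAS Config entry is missing. Check your configuration.");
        }
        final WSCallbackHandlerFactoryImpl callbackHandlerFactory = new WSCallbackHandlerFactoryImpl();
        AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.wsspi.wssecurity.token.UsernameTokenConsumer.5
            @Override // java.security.PrivilegedAction
            public Object run() {
                callbackHandlerFactory.setUsername(str);
                return null;
            }
        });
        if (cArr != null) {
            AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.wsspi.wssecurity.token.UsernameTokenConsumer.6
                @Override // java.security.PrivilegedAction
                public Object run() {
                    callbackHandlerFactory.setPassword(cArr);
                    return null;
                }
            });
        }
        callbackHandlerFactory.setProperties(loginProperties);
        final CallbackHandler callbackHandler = callbackHandlerFactory.newCallbackHandler();
        if (tc.isDebugEnabled()) {
            if (callbackHandler != null) {
                Tr.debug(tc, "Callback handler (" + callbackHandler.getClass().getName() + ") is [" + callbackHandler + "].");
            } else {
                Tr.debug(tc, "Callback handler is null");
            }
        }
        try {
            LoginContext loginContext = (LoginContext) AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.wsspi.wssecurity.token.UsernameTokenConsumer.7
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws LoginException {
                    return new LoginContext(jaasConfig, (Subject) map.get(Constants.WSSECURITY_SUBJECT), callbackHandler);
                }
            });
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Succeed to construct the login context.");
            }
            loginContext.login();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Succeed to login.");
            }
            UsernameToken usernameToken = (UsernameToken) loginProperties.get(Constants.WSSECURITY_TOKEN_LOGININFO);
            if (WSSAuditServiceImpl.getInstance().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.SUCCESS)) {
                Map<String, Object> auditEventContext = WSSAuditEventGeneratorImpl.getInstance().setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.SUCCESS, WSSAuditService.WSSAuditReason.AUTHN_SUCCESS, null);
                WSSAuditEventGeneratorImpl.getInstance().addExtendedAuditData(auditEventContext, "AuthnType", tokenConsumerConfig.getType().toString());
                // The login module is not required to publish a token; do not let auditing NPE on a successful login.
                WSSAuditEventGeneratorImpl.getInstance().addExtendedAuditData(auditEventContext, WSSAuditEventGenerator.TOKEN_ID, usernameToken == null ? null : usernameToken.getId());
                WSSAuditEventGeneratorImpl.getInstance().addExtendedAuditData(auditEventContext, "Username", str);
                WSSAuditEventGeneratorImpl.getInstance().addProviderData(auditEventContext, jaasConfig, "SUCCESS");
                WSSAuditEventGeneratorImpl.getInstance().sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, sOAPMessageContext, map);
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Auditing SECURITY_AUTHN event not enabled.");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "invokeLoginModule(TokenConsumerConfig config,UsernameToken token,SOAPMessageContext messageContext,Map context,boolean delayLogin) returns UsernameToken [" + usernameToken + "]");
            }
            return usernameToken;
        } catch (PrivilegedActionException e) {
            if (WSSAuditServiceImpl.getInstance().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.ERROR)) {
                Map<String, Object> auditEventContext2 = WSSAuditEventGeneratorImpl.getInstance().setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.ERROR, WSSAuditService.WSSAuditReason.AUTHN_PRIVILEDGE_ACTION_EXCEPTION, e.toString());
                WSSAuditEventGeneratorImpl.getInstance().addExtendedAuditData(auditEventContext2, "AuthnType", tokenConsumerConfig.getType().toString());
                WSSAuditEventGeneratorImpl.getInstance().addProviderData(auditEventContext2, jaasConfig, "FAILURE");
                WSSAuditEventGeneratorImpl.getInstance().sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, sOAPMessageContext, map);
            }
            // run() above declares only LoginException, so the wrapped cause is always one.
            throw SoapSecurityException.format(com.ibm.ws.webservices.wssecurity.Constants.FAILED_AUTHENTICATION, "security.wssecurity.X509TokenConsumer.s01", (LoginException) e.getCause());
        } catch (LoginException e2) {
            if (WSSAuditServiceImpl.getInstance().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.DENIED)) {
                Map<String, Object> auditEventContext3 = WSSAuditEventGeneratorImpl.getInstance().setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.DENIED, WSSAuditService.WSSAuditReason.AUTHN_LOGIN_EXCEPTION, e2.toString());
                WSSAuditEventGeneratorImpl.getInstance().addExtendedAuditData(auditEventContext3, "AuthnType", tokenConsumerConfig.getType().toString());
                // A denied login is a provider failure; recording "SUCCESS" here misreported
                // failed authentications to the audit trail.
                WSSAuditEventGeneratorImpl.getInstance().addProviderData(auditEventContext3, jaasConfig, "FAILURE");
                WSSAuditEventGeneratorImpl.getInstance().sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, sOAPMessageContext, map);
            }
            throw SoapSecurityException.format(com.ibm.ws.webservices.wssecurity.Constants.FAILED_AUTHENTICATION, "security.wssecurity.X509TokenConsumer.s02", e2);
        }
    }

    /**
     * Registers the token with the {@link TokenManager} for the current invocation context.
     *
     * @param map           WS-Security invocation context
     * @param usernameToken token to register
     */
    private static void setTokenToSubject(Map map, UsernameToken usernameToken) {
        TokenManager.setToken(map, usernameToken);
    }

    /**
     * Verifies the token's {@code wsu:Created} timestamp and {@code wsse:Nonce} when the
     * token consumer properties ask for it.
     * <p>
     * Timestamp verification is enabled by {@code Constants.WSSECURITY_VERIFY_TIMESTAMP}
     * (falling back to the legacy {@code com.ibm.wsspi.wssecurity.token.Username.verifyTimestamp}),
     * nonce verification by {@code Constants.WSSECURITY_VERIFY_NONCE} (falling back to
     * {@code com.ibm.wsspi.wssecurity.token.Username.verifyNonce}). Maximum nonce age and
     * clock skew default to {@code -1} when not configured as {@code Integer} values. Both
     * checks are off by default, so replay protection depends on this configuration.
     *
     * @param element             the {@code wsse:UsernameToken} element
     * @param tokenConsumerConfig configuration whose properties are consulted
     * @param str                 wsse namespace
     * @param str2                wsu namespace
     * @param nonceManager        nonce store handed to {@code NonceUtil.checkNonce}, may be {@code null}
     * @return the parsed {@code wsu:Created} date when timestamp verification ran, else {@code null}
     * @throws SoapSecurityException if the timestamp or nonce check fails
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public static Date checkNonce(Element element, TokenConsumerConfig tokenConsumerConfig, String str, String str2, NonceManager nonceManager) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkNonce(Element target[" + DOMUtil.getDisplayName(element) + "], TokenConsumerConfig config,String nsWsse,String nsWsu,NonceManager nmanager)");
        }
        Map properties = tokenConsumerConfig.getProperties();
        boolean timestampRequired = readFlag(properties, Constants.WSSECURITY_VERIFY_TIMESTAMP, LEGACY_VERIFY_TIMESTAMP);
        boolean nonceRequired = readFlag(properties, Constants.WSSECURITY_VERIFY_NONCE, LEGACY_VERIFY_NONCE);
        int nonceMaxAge = readInt(properties, Constants.WSSECURITY_NONCE_MAX_AGE, -1);
        int nonceClockSkew = readInt(properties, Constants.WSSECURITY_NONCE_CLOCK_SKEW, -1);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "isTimestampRequired is [" + timestampRequired + "].");
            Tr.debug(tc, "isNonceRequired is [" + nonceRequired + "].");
            Tr.debug(tc, "nonceMaxAge is [" + nonceMaxAge + "].");
            Tr.debug(tc, "nonceClockSkew is [" + nonceClockSkew + "].");
        }
        Date created = null;
        if (timestampRequired) {
            created = NonceUtil.checkNonceTimestamp(DOMUtil.getChildElement(element, str2, ElementLocalNames.WSU_CREATED), str2, nonceMaxAge, nonceClockSkew);
        }
        if (nonceRequired) {
            NonceUtil.checkNonce(DOMUtil.getChildElement(element, str, KRBConstants.ELM_NONCE), str, nonceManager);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "checkNonce(Element target, TokenConsumerConfig config,String nsWsse,String nsWsu,NonceManager nmanager) returns Date[" + created + "]");
        }
        return created;
    }

    /**
     * Reads a boolean property, preferring {@code primaryKey} and falling back to
     * {@code legacyKey}; absent values yield {@code false}.
     *
     * @param properties token consumer properties
     * @param primaryKey preferred property name
     * @param legacyKey  legacy property name consulted only when the primary is absent
     * @return the parsed flag
     */
    private static boolean readFlag(Map properties, String primaryKey, String legacyKey) {
        Object primary = properties.get(primaryKey);
        if (primary != null) {
            return ConfigUtil.isTrue(primary.toString());
        }
        Object legacy = properties.get(legacyKey);
        if (legacy == null) {
            return false;
        }
        boolean value = ConfigUtil.isTrue(legacy.toString());
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Found " + legacyKey + " is [" + value + "].");
        }
        return value;
    }

    /**
     * Reads an {@code Integer} property, returning {@code defaultValue} when the entry is
     * absent or not an {@code Integer}.
     *
     * @param properties   token consumer properties
     * @param key          property name
     * @param defaultValue value returned when no usable entry exists
     * @return the property value or {@code defaultValue}
     */
    private static int readInt(Map properties, String key, int defaultValue) {
        Object value = properties.get(key);
        return value instanceof Integer ? ((Integer) value).intValue() : defaultValue;
    }
}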
