package com.ibm.ws.security.web;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.TrustAssociationInterceptor;
import com.ibm.websphere.security.WebSphereBaseTrustAssociationInterceptor;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.websphere.security.WebTrustAssociationUserException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.BasicAuthData;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.util.Base64Coder;
import com.ibm.ws.webcontainer.srt.IPrivateRequestAttributes;
import java.util.Enumeration;
import java.util.Properties;
import java.util.StringTokenizer;
import java.util.Vector;
import javax.servlet.http.HttpServletRequest;

/* loaded from: input_file:lib/com.ibm.ws.runtime.jar:com/ibm/ws/security/web/WebSealTrustAssociationInterceptor.class */
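/**
 * Trust Association Interceptor for requests that are expected to arrive through a WebSEAL
 * reverse proxy.
 *
 * <p>Configuration is read in {@link #init(Properties)} from these keys:
 * {@code com.ibm.websphere.security.webseal.id} (header names that must all be present),
 * {@code ...webseal.hostnames} and {@code ...webseal.ports} (trusted {@code Via} sources),
 * {@code ...webseal.viaDepth}, {@code ...webseal.loginId}, {@code ...webseal.mutualSSL} and
 * {@code ...webseal.ignoreProxy}.
 *
 * <p>Security notes for maintainers and deployers:
 * <ul>
 *   <li>{@link #isTargetInterceptor} only inspects request headers (the configured ID headers and
 *       {@code Via}). Request headers are supplied by whoever sends the request, so this method
 *       selects the interceptor; it does not by itself prove the request came from the proxy.</li>
 *   <li>The credential check is in {@link #validateEstablishedTrust}. When {@code mutualSSL} is
 *       {@code true}/{@code yes} that check is skipped entirely, so the deployment then relies on
 *       controls outside this class (not visible here) to ensure only the proxy can reach the
 *       server.</li>
 *   <li>When no hostnames are configured, {@code checkVia} accepts every host, and a request with
 *       no {@code Via} header is still accepted.</li>
 * </ul>
 */
public class WebSealTrustAssociationInterceptor extends WebSphereBaseTrustAssociationInterceptor implements TrustAssociationInterceptor {
    // User name to authenticate with in validateEstablishedTrust; when null, the name from the Basic header is used.
    protected String WebSealLoginID;
    private static TraceComponent tc = Tr.register((Class<?>) WebSealTrustAssociationInterceptor.class, (String) null, AdminConstants.MSG_BUNDLE_NAME);
    // Next free slot in ServerSources. Kept per instance and reset whenever init() allocates a new
    // array: a shared static counter made a second instance (or a re-init) start writing past the
    // end of its freshly sized array, leaving every trusted source unset.
    private int sourceCnt = 0;
    private final String WebSealTrustAssociationInterceptor_java_sourceCodeID = "$Id: @(#)82  1.11 src/pdwas/com/ibm/ws5/security/web/WebSealTrustAssociationInterceptor.java, amemb.jacc.was, amemb510, 040824a 04/08/06 00:44:40 @(#) $";
    protected WebAuthenticator webAuth = null;
    // Trusted "host:port" entries built by addASource; slots stay null for rejected host/port pairs.
    protected String[] ServerSources = null;
    // Header names that must all be present for a request to be considered as coming via WebSEAL.
    protected String[] ID = null;
    // When true, Via entries containing the text "roxy" are skipped instead of being checked.
    protected boolean ignoreProxy = false;
    public String realm = "default";
    // Set from the mutualSSL property; when true validateEstablishedTrust performs no check.
    public boolean PDAlreadyAuthenticated = false;
    protected String WebSealUserID = null;
    protected boolean UsingLocallySpecifiedWebSealUser = false;
    // Number of Via entries, counted from the last one in the header, that are checked.
    protected int _viaDepth = 1;

    /**
     * Decides whether this interceptor should handle the request.
     *
     * <p>Returns {@code true} only when every configured ID header name is present in the request
     * (exact, case-sensitive match via {@code Vector.remove}) and the {@code Via} check passes.
     * The {@code Via} value is split on commas and the last {@code _viaDepth} entries are examined,
     * last entry first; each examined entry must have the form {@code "<token> <host>[:<port>] ..."}
     * and its host/port must be accepted by {@code checkVia}.
     *
     * <p>NOTE(review): the flag is set to {@code true} as soon as a {@code Via} header name is
     * seen, so a {@code Via} header with an empty value, or one whose examined entries are all
     * skipped by {@code ignoreProxy}, passes without any host comparison even when hostnames are
     * configured. Confirm this is intended; the headers involved are client-controllable unless
     * the front proxy overwrites them.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} if the request is treated as coming via WebSEAL
     * @throws WebTrustAssociationException if an examined {@code Via} entry contains no space
     */
    @Override // com.ibm.websphere.security.TrustAssociationInterceptor
    public boolean isTargetInterceptor(HttpServletRequest httpServletRequest) throws WebTrustAssociationException {
        String viaValue = null;
        boolean viaAccepted = false;
        Vector requiredHeaders = getCheckID();
        if (requiredHeaders.size() <= 0) {
            // Without configured ID headers the interceptor never claims a request.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "There is no WebSeal ID. Hence, it is not via WebSeal.");
            }
            return false;
        }
        Enumeration headerNames = httpServletRequest.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String headerName = (String) headerNames.nextElement();
            // Tick off each required header that the request carries.
            requiredHeaders.remove(headerName);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "isTargetInteceptor: header name=" + headerName);
            }
            if (headerName.equalsIgnoreCase("via")) {
                viaAccepted = true;
                viaValue = WebAuthenticator.getHeader(httpServletRequest, headerName);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "isTargetInterceptor: VIA=" + viaValue);
                }
                if (viaValue != null && viaValue.trim().length() > 0) {
                    StringTokenizer tokenizer = new StringTokenizer(viaValue, ",");
                    int hopCount = tokenizer.countTokens();
                    // Store the entries in reverse so index 0 is the last entry of the header.
                    String[] hops = new String[hopCount];
                    int slot = hopCount - 1;
                    while (tokenizer.hasMoreTokens()) {
                        hops[slot] = tokenizer.nextToken();
                        slot--;
                    }
                    for (int i = 0; i < this._viaDepth && i < hopCount; i++) {
                        String hop = hops[i].trim();
                        if (hop.length() > 0) {
                            if (!this.ignoreProxy || hop.indexOf("roxy") == -1) {
                                int firstSpace = hop.indexOf(32);
                                if (firstSpace <= -1) {
                                    // An entry without a space has no host part to compare.
                                    Tr.error(tc, "security.web.ta.srcpatherr");
                                    throw new WebTrustAssociationException();
                                }
                                // Second space-separated field is "host" or "host:port".
                                String hostField = hop.substring(firstSpace + 1);
                                int nextSpace = hostField.indexOf(32);
                                if (nextSpace > -1) {
                                    hostField = hostField.substring(0, nextSpace);
                                }
                                String hostAndPort = hostField.trim();
                                String host;
                                String port;
                                int colon = hostAndPort.indexOf(58);
                                if (colon > -1) {
                                    host = hostAndPort.substring(0, colon);
                                    port = hostAndPort.substring(colon + 1);
                                } else {
                                    host = hostAndPort;
                                    port = "0";
                                }
                                if (checkVia(host, port) == -1) {
                                    if (tc.isDebugEnabled()) {
                                        Tr.debug(tc, "Host and port: " + hostAndPort + " is not trusted.");
                                    }
                                    return false;
                                }
                                viaAccepted = true;
                            }
                        }
                    }
                }
            }
        }
        // No Via value at all is acceptable only when no trusted sources are configured.
        if (viaValue == null && (this.ServerSources == null || this.ServerSources.length == 0)) {
            viaAccepted = true;
        }
        if (requiredHeaders.size() > 0 || !viaAccepted) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No, it is not via WebSeal.");
            }
            return false;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Yes, it is via WebSeal.");
        }
        return true;
    }

    /**
     * Authenticates the proxy itself using the HTTP Basic credentials on the request.
     *
     * <p>When {@code PDAlreadyAuthenticated} is set (property {@code mutualSSL}) the method returns
     * immediately and no credential is checked. Otherwise the {@code Authorization} header must be
     * a Basic header; the password from it is verified through
     * {@code WebAuthenticator.basicAuthenticate} for {@code WebSealLoginID}, or for the user name
     * in the header when no login id is configured.
     *
     * @param httpServletRequest the incoming request
     * @throws WebTrustAssociationFailedException if the header is missing or malformed, no
     *         authenticator is available, or authentication reports status 2 or 3
     */
    @Override // com.ibm.websphere.security.TrustAssociationInterceptor
    public void validateEstablishedTrust(HttpServletRequest httpServletRequest) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "Entering validateEstablishedTrust...");
        }
        if (this.PDAlreadyAuthenticated) {
            // Trust is assumed to have been established outside this class; nothing is verified here.
            return;
        }
        String header = WebAuthenticator.getHeader(httpServletRequest, "Authorization");
        if (header == null || !header.startsWith("Basic ")) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "Exiting validateEstablishedTrust..Basic Auth not found in HTTP request.");
            }
            throw new WebTrustAssociationFailedException("Basic Auth is expected in Trust Association mode.");
        }
        String decoded = Base64Coder.base64Decode(header.substring(6));
        // Defensive: the decoder's behaviour on malformed input is not visible here, so a null
        // result is treated like a missing separator and rejected with the declared exception
        // rather than surfacing as a NullPointerException.
        int colon = decoded == null ? -1 : decoded.indexOf(58);
        if (colon < 0) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "Exiting validateEstablishedTrust -- No basic auth username/password found.");
            }
            throw new WebTrustAssociationFailedException("Basic Auth username/password field is missing.");
        }
        // A configured login id takes precedence over the user name sent in the header.
        String user = this.WebSealLoginID;
        if (user == null) {
            user = decoded.substring(0, colon);
        }
        String password = decoded.substring(colon + 1);
        if (this.webAuth == null) {
            this.webAuth = WebAuthenticator.getInstance();
            if (this.webAuth == null) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "Exiting validateEstablishedTrust -- No WebAuthenticator found.");
                }
                throw new WebTrustAssociationFailedException("There is currently no web authenticator.");
            }
        }
        if (tc.isDebugEnabled()) {
            // Only the user name is traced; the password must never be added to this message.
            Tr.debug(tc, "Going to authenticate " + user + ".");
        }
        // NOTE(review): 2 and 3 are treated as failure; their symbolic names are not visible here.
        int status = this.webAuth.basicAuthenticate(this.realm, user, password).getStatus();
        if (status == 3 || status == 2) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "validateEstablishedTrust authenticationf failure.");
            }
            throw new WebTrustAssociationFailedException("Basic Authentication failed.");
        }
        // NOTE(review): result is discarded; kept in case the constructor has side effects — confirm and remove.
        new BasicAuthData(user, password);
        ((IPrivateRequestAttributes) httpServletRequest).setPrivateAttribute("AUTH_TYPE", "Basic");
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Successful authentication for validateEstablishedTrust.");
        }
    }

    /**
     * Returns the end-user name carried in the {@code iv-user} request header.
     *
     * <p>The header name is matched exactly ({@code equals}), so a differently cased name returned
     * by {@code getHeaderNames()} is not recognised. NOTE(review): the value is taken from the
     * request as-is; it is only meaningful if the proxy is the sole party able to set it.
     *
     * @param httpServletRequest the incoming request
     * @return the header value, or {@code null} when the value is blank
     * @throws WebTrustAssociationUserException if the header is absent or its value is null
     */
    @Override // com.ibm.websphere.security.TrustAssociationInterceptor
    public String getAuthenticatedUsername(HttpServletRequest httpServletRequest) throws WebTrustAssociationUserException {
        String userName = null;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getAuthenticatedUsername");
        }
        Enumeration headerNames = httpServletRequest.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String headerName = (String) headerNames.nextElement();
            if (headerName.equals("iv-user")) {
                userName = WebAuthenticator.getHeader(httpServletRequest, headerName);
                if (userName == null) {
                    throw new WebTrustAssociationUserException("Null value provided as username.");
                }
            }
        }
        if (userName == null) {
            throw new WebTrustAssociationUserException("No iv-user was found in request header.");
        }
        if (userName.trim().length() == 0) {
            userName = null;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "Exiting getAuthenticatedUsername: " + (userName != null ? userName : "no username found"));
        }
        return userName;
    }

    /**
     * Initialisation from a property file name is not supported.
     *
     * @param str ignored
     * @return always {@code -1}
     */
    @Override // com.ibm.websphere.security.WebSphereBaseTrustAssociationInterceptor
    public int init(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "init : init from property file not supported");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "init");
        }
        return -1;
    }

    /**
     * Configures the interceptor from the given properties.
     *
     * <p>Each property is read independently; a failure while reading one is recorded and the
     * remaining ones are still processed. {@code viaDepth} falls back to 1 when missing or not a
     * number. The trusted source list is the cross product of hostnames and ports, or each
     * hostname with port {@code "0"} when no ports are configured.
     *
     * @param properties interceptor configuration; may be {@code null}
     * @return {@code 0} on success, {@code -1} when {@code properties} is null or an unexpected
     *         exception occurs
     */
    @Override // com.ibm.websphere.security.WebSphereBaseTrustAssociationInterceptor
    public int init(Properties properties) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "Initializing WebSealTrustAssociationInterceptor...");
        }
        if (properties == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Null properties passed to TA init()");
            }
            return -1;
        }
        try {
            String[] hosts = null;
            String[] ports = null;
            setVersion("WebSeal Interceptor Version 1.1");
            try {
                this.ID = getElements((String) properties.get("com.ibm.websphere.security.webseal.id"));
            } catch (Exception e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.web.WebSealTrustAssociationInterceptor.init", "322", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception encountered when retrieving webseal.id: " + e.getMessage());
                }
            }
            try {
                hosts = getElements((String) properties.get("com.ibm.websphere.security.webseal.hostnames"));
            } catch (Exception e2) {
                FFDCFilter.processException(e2, "com.ibm.ws.security.web.WebSealTrustAssociationInterceptor.init", "330", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception encountered when retrieving webseal.hostname: " + e2.getMessage());
                }
            }
            try {
                ports = getElements((String) properties.get("com.ibm.websphere.security.webseal.ports"));
            } catch (Exception e3) {
                FFDCFilter.processException(e3, "com.ibm.ws.security.web.WebSealTrustAssociationInterceptor.init", "339", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception encountered when retrieving webseal.ports: " + e3.getMessage());
                }
            }
            try {
                // A missing property yields null here; parseInt then throws and the default applies.
                this._viaDepth = Integer.parseInt((String) properties.get("com.ibm.websphere.security.webseal.viaDepth"));
            } catch (Exception e4) {
                this._viaDepth = 1;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception encountered when retrieving webseal.viaDepth: " + e4.getMessage());
                }
            }
            try {
                this.WebSealLoginID = (String) properties.get("com.ibm.websphere.security.webseal.loginId");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "WebSeal Login ID = " + this.WebSealLoginID);
                }
            } catch (Exception e5) {
                FFDCFilter.processException(e5, "com.ibm.ws.security.web.WebSealTrustAssociationInterceptor.init", "349", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "No webseal login id specified.");
                }
                this.WebSealLoginID = null;
            }
            this.PDAlreadyAuthenticated = setPDAlreadyAuthenticated(properties);
            boolean haveHosts = hosts != null && hosts.length > 0;
            boolean havePorts = ports != null && ports.length > 0;
            if (haveHosts) {
                this.ServerSources = new String[havePorts ? ports.length * hosts.length : hosts.length];
                // Start filling the new array from its first slot.
                this.sourceCnt = 0;
            }
            if (hosts != null) {
                for (String host : hosts) {
                    if (ports != null) {
                        for (String port : ports) {
                            addASource(host, port);
                        }
                    } else {
                        addASource(host, "0");
                    }
                }
            }
            this.ignoreProxy = setIgnoreProxy(properties);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "Exiting initialization: SUCCESS");
            }
            return 0;
        } catch (Exception e6) {
            FFDCFilter.processException(e6, "com.ibm.ws.security.web.WebSealTrustAssociationInterceptor.init", "389", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception encountered during initialization: " + e6.getMessage());
            }
            return -1;
        }
    }

    /**
     * Reads the {@code ignoreProxy} property.
     *
     * @param properties interceptor configuration
     * @return {@code true} when the value is {@code "true"} or {@code "yes"} (any case), else {@code false}
     */
    protected boolean setIgnoreProxy(Properties properties) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setIgnoreProxy");
        }
        String value = (String) properties.get("com.ibm.websphere.security.webseal.ignoreProxy");
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "ignoreProxyString=" + value);
        }
        boolean enabled = value != null && (value.equalsIgnoreCase("true") || value.equalsIgnoreCase("yes"));
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setIgnoreProxy");
        }
        return enabled;
    }

    /**
     * Reads the {@code mutualSSL} property. A {@code true} result disables the Basic credential
     * check in {@link #validateEstablishedTrust}.
     *
     * @param properties interceptor configuration
     * @return {@code true} when the value is {@code "true"} or {@code "yes"} (any case), else {@code false}
     */
    protected boolean setPDAlreadyAuthenticated(Properties properties) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setPDAlreadyAuthenticated");
        }
        String value = (String) properties.get("com.ibm.websphere.security.webseal.mutualSSL");
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "mutualSSL=" + value);
        }
        boolean enabled = value != null && (value.equalsIgnoreCase("true") || value.equalsIgnoreCase("yes"));
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setPDAlreadyAuthenticated");
        }
        return enabled;
    }

    /**
     * Appends {@code "host:port"} to {@code ServerSources}.
     *
     * <p>An empty host is skipped, and a port that {@code Integer.decode} rejects is recorded and
     * skipped; in both cases the slot reserved for the pair stays {@code null}. Any exception
     * raised while storing (for example when {@code ServerSources} is null or full) is handled the
     * same way as an invalid port.
     *
     * @param str  host name
     * @param str2 port, as text; {@code "0"} matches any port in {@code checkVia}
     */
    protected void addASource(String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addASource");
        }
        if (str != null && str.length() == 0) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WebTAInterceptor: Adding an invalid hostname. ");
            }
            return;
        }
        try {
            // Only validates that the port is numeric; the text form is what gets stored.
            Integer.decode(str2);
            this.ServerSources[this.sourceCnt++] = str + ":" + str2;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WebTAInterceptor: Added source = " + str + ":" + str2);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "Exiting addASource");
            }
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.web.WebSealTrustAssociationInterceptor.addASource", "413", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "WebTAInterceptor: Adding an invalid port. ");
            }
        }
    }

    /**
     * Returns a fresh, mutable copy of the configured ID header names.
     *
     * @return a new {@code Vector} holding the entries of {@code ID}; empty when {@code ID} is null
     */
    protected Vector getCheckID() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCheckID");
        }
        Vector names = new Vector();
        if (this.ID != null) {
            for (int i = 0; i < this.ID.length; i++) {
                names.addElement(this.ID[i]);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getCheckID");
        }
        return names;
    }

    /** No resources to release. */
    @Override // com.ibm.websphere.security.WebSphereBaseTrustAssociationInterceptor
    public void cleanup() {
    }

    /**
     * Splits a comma-separated list into trimmed elements.
     *
     * <p>Elements before a comma are kept even when empty after trimming; a trailing element is
     * kept only when it is not blank.
     *
     * @param str the list text; may be {@code null}
     * @return the elements, or {@code null} when {@code str} is null or blank
     */
    private String[] getElements(String str) {
        Vector parts = new Vector();
        int count = 0;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getElements");
        }
        if (str == null || str.trim().length() <= 0) {
            if (tc.isEntryEnabled()) {
                Tr.entry(tc, "getElements: returning NULL");
            }
            return null;
        }
        String rest = str;
        int comma = rest.indexOf(44);
        while (comma != -1) {
            parts.addElement(rest.substring(0, comma).trim());
            count++;
            rest = rest.substring(comma + 1);
            comma = rest.indexOf(44);
        }
        if (rest.trim().length() > 0) {
            count++;
            parts.addElement(rest.trim());
        }
        String[] result = new String[count];
        Enumeration elements = parts.elements();
        for (int i = 0; i < count; i++) {
            result[i] = (String) elements.nextElement();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getElements");
        }
        return result;
    }

    /**
     * Checks a {@code Via} host/port against the trusted source list.
     *
     * <p>A configured entry matches, ignoring case, when it equals {@code host:port} or
     * {@code host:0}. With no configured sources every host is accepted. Unset ({@code null})
     * slots, left behind by rejected host/port pairs, are skipped so they can never match and no
     * longer cause a {@code NullPointerException}.
     *
     * @param str  host taken from the {@code Via} entry
     * @param str2 port taken from the {@code Via} entry, or {@code "0"} when none was given
     * @return {@code 0} when accepted, {@code -1} when not trusted
     */
    private int checkVia(String str, String str2) {
        String anyPort = str + ":0";
        String exact = str + ":" + str2;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "checkVia for " + str + ":" + str2);
        }
        if (this.ServerSources == null || this.ServerSources.length == 0) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getCheckID:  0");
            }
            return 0;
        }
        for (int i = 0; i < this.ServerSources.length; i++) {
            String source = this.ServerSources[i];
            if (source != null && (source.equalsIgnoreCase(anyPort) || source.equalsIgnoreCase(exact))) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "getCheckID:  0");
                }
                return 0;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getCheckID:  -1");
        }
        return -1;
    }
}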
