package com.ibm.ejs.j2c.work.security;

import com.ibm.ejs.j2c.J2CConstants;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ejs.sm.client.ui.NLS;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.WSSecurityHelper;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.j2c.work.WorkContextHandler;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.common.util.AuditConstants;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.util.AccessController;
import com.ibm.wsspi.security.registry.RegistryHelper;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import java.util.Map;
import java.util.Set;
import javax.resource.spi.work.SecurityContext;
import javax.resource.spi.work.WorkCompletedException;
import javax.resource.spi.work.WorkContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:lib/com.ibm.ws.runtime.jar:com/ibm/ejs/j2c/work/security/SecWorkContextHandler.class */
/**
 * Work-context handler for JCA inbound security contexts.
 *
 * <p>{@link #associate} takes the {@code SecurityContext} inflown by a resource
 * adapter, lets it populate an execution {@link Subject} through a
 * {@code J2CSecurityCallbackHandler}, validates what was inflown (callback mix,
 * realm trust, principal count), and installs the resulting subject as the
 * run-as subject via {@code J2CSecurityHelper.setRunAsSubject}.
 * {@link #dissociate} removes that run-as subject again. Both methods are
 * no-ops when server security is disabled.
 *
 * <p>The class is a lazily created singleton; see {@link #getInstance()}.
 * Source is decompiler output (JADX), so some structure below (in particular
 * the duplicated {@code popContext()} call, see the note in {@code associate})
 * may be an artifact of decompilation rather than the original source.
 */
public class SecWorkContextHandler implements WorkContextHandler {
    // Trace component shared by both entry points; guarded by isAnyTracingEnabled() on every use.
    static final TraceComponent tc = Tr.register((Class<?>) SecWorkContextHandler.class, J2CConstants.traceSpec, J2CConstants.messageFile);
    // Singleton instance; written only by getInstance(). No other mutable state lives on this class.
    private static SecWorkContextHandler _instance;

    /** Private constructor; instances are obtained through {@link #getInstance()}. */
    private SecWorkContextHandler() {
    }

    /**
     * Returns the singleton handler, creating it on first use.
     *
     * <p>NOTE(review): the lazy initialization is unsynchronized, so two threads
     * racing here can each construct an instance. Because the class carries no
     * per-instance state, the consequence appears limited to an extra allocation
     * rather than a correctness problem — confirm if instance identity ever matters.
     *
     * @return the shared {@code SecWorkContextHandler}
     */
    public static SecWorkContextHandler getInstance() {
        if (_instance == null) {
            _instance = new SecWorkContextHandler();
        }
        return _instance;
    }

    /**
     * Establishes the run-as subject for a Work instance from the inflown
     * {@code SecurityContext}.
     *
     * <p>Outline of what the method does:
     * <ol>
     *   <li>Returns immediately if server security is not enabled (nothing is pushed or popped).</li>
     *   <li>Pushes the {@code "J2CApplicationContext"} application context, creates an empty
     *       execution {@link Subject} and a {@code J2CSecurityCallbackHandler}, and hands both to
     *       {@code SecurityContext.setupSecurityContext} so the resource adapter can populate them.</li>
     *   <li>If the populated subject is already an authenticated WebSphere subject, it is rejected
     *       when any JASPIC callback was also invoked (J2CA0677), and accepted only when its realm
     *       equals the application realm or is inbound-trusted for it (otherwise J2CA0685).</li>
     *   <li>Otherwise the subject must yield custom credentials carrying a security name, either via
     *       a {@code CallerPrincipalCallback} supplied by the adapter (J2CA0668 if missing) or via one
     *       synthesized here from an empty subject or a subject with exactly one principal
     *       (J2CA0669 for any other principal count).</li>
     *   <li>The security name is then turned into a subject: the unauthenticated subject when the
     *       name equals the unauthenticated string, else a {@code "system.DEFAULT"} login performed
     *       under {@code AccessController.doPrivileged}.</li>
     * </ol>
     * Any {@link Exception} raised along the way (including the {@code WSSecurityException}s thrown
     * above, and unchecked failures such as the {@code (SecurityContext)} cast or a null credential)
     * is logged as J2CA0671 and rethrown as a {@link WorkCompletedException} with error code
     * {@code "-1"} and the original exception as its cause.
     *
     * @param workContext the inflown context; cast to {@code SecurityContext} without an
     *                    {@code instanceof} check
     * @param str         identifier passed through to the trace entry record only
     * @throws WorkCompletedException if the security context could not be associated
     */
    @Override // com.ibm.ws.j2c.work.WorkContextHandler
    public void associate(WorkContext workContext, String str) throws WorkCompletedException {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, AuditConstants.ASSOCIATE, new Object[]{J2CSecurityHelper.objectId(workContext), str});
        }
        if (!WSSecurityHelper.isServerSecurityEnabled()) {
            // Security off: no run-as subject is installed and no app context is pushed.
            if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
                Tr.exit(tc, "associate Application security is not enabled for the application server.");
                return;
            }
            return;
        }
        NLS nls = J2CSecurityHelper.getNLS();
        try {
            try {
                // Pushed here and popped in the outer finally below.
                SecurityObjectLocator.pushAppContext("J2CApplicationContext");
                final ContextManager contextManagerFactory = ContextManagerFactory.getInstance();
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "The usage of ContextManager.getAppRealm() is required here and is correct for V8.x");
                }
                final String appRealm = contextManagerFactory.getAppRealm();
                // Fresh execution subject; the adapter populates it through the callback handler.
                final Subject subject = new Subject();
                J2CSecurityCallbackHandler j2CSecurityCallbackHandler = new J2CSecurityCallbackHandler(subject, appRealm, contextManagerFactory.getUnauthenticatedString());
                ((SecurityContext) workContext).setupSecurityContext(j2CSecurityCallbackHandler, subject, (Subject) null);
                // NOTE(review): may be null if the adapter did not inflow a WSCredential; a resulting
                // NPE below is caught by the catch (Exception) block and surfaces as J2CA0671.
                WSCredential wSCredentialFromSubject = SubjectHelper.getWSCredentialFromSubject(subject);
                if (contextManagerFactory.isWSSubject(subject)) {
                    // An already-authenticated subject must not be combined with JASPIC callbacks.
                    // getInvocations() slots 0/1/2 appear to track caller-principal, group-principal and
                    // password-validation callbacks respectively (inferred from the comparisons).
                    if (j2CSecurityCallbackHandler.getInvocations()[0] == Invocation.CALLERPRINCIPALCALLBACK || j2CSecurityCallbackHandler.getInvocations()[1] == Invocation.GROUPPRINCIPALCALLBACK || j2CSecurityCallbackHandler.getInvocations()[2] == Invocation.PASSWORDVALIDATIONCALLBACK) {
                        String string = nls.getString("AUTHENTICATED_SUBJECT_AND_CALLBACK_NOT_SUPPORTED_J2CA0677", "J2CA0677E: An authenticated JAAS Subject and one or more JASPIC callbacks were passed to the application server by the resource adapter.");
                        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
                            Tr.exit(tc, AuditConstants.ASSOCIATE);
                        }
                        throw new WSSecurityException(string);
                    }
                    // Realm trust gate: only subjects from the app realm, or from a realm explicitly
                    // trusted for inbound flows, become the run-as subject.
                    if (appRealm.equals(wSCredentialFromSubject.getRealmName()) || RegistryHelper.isRealmInboundTrusted(wSCredentialFromSubject.getRealmName(), appRealm)) {
                        J2CSecurityHelper.setRunAsSubject(subject);
                        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
                            Tr.exit(tc, AuditConstants.ASSOCIATE);
                        }
                        return;
                    }
                    String formattedMessage = nls.getFormattedMessage("REALM_IS_NOT_TRUSTED_J2CA0685", new Object[]{wSCredentialFromSubject.getRealmName()}, "REALM_IS_NOT_TRUSTED_J2CA0685");
                    if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
                        Tr.exit(tc, AuditConstants.ASSOCIATE);
                    }
                    throw new WSSecurityException(formattedMessage);
                }
                Hashtable<String, Object> customCredentials = J2CSecurityHelper.getCustomCredentials(subject, j2CSecurityCallbackHandler.getCacheKey());
                Set<Principal> principals = subject.getPrincipals();
                if (j2CSecurityCallbackHandler.getInvocations()[0] == Invocation.CALLERPRINCIPALCALLBACK) {
                    // Adapter supplied the caller principal itself; it must have produced a security name.
                    if (customCredentials == null || !customCredentials.containsKey(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME)) {
                        throw new WSSecurityException(nls.getString("CUSTOM_CREDENTIALS_MISSING_J2CA0668", "J2CA0668E: The WorkManager was unable to populate the execution subject with the caller principal or credentials necessary to establish the security context for this Work instance."));
                    }
                } else {
                    // No CallerPrincipalCallback from the adapter: derive one from the subject, which must
                    // then be either empty or hold exactly one principal.
                    if ((j2CSecurityCallbackHandler.getInvocations()[1] == Invocation.GROUPPRINCIPALCALLBACK || j2CSecurityCallbackHandler.getInvocations()[2] == Invocation.PASSWORDVALIDATIONCALLBACK) && principals.size() != 1) {
                        throw new WSSecurityException(nls.getString("CALLERPRINCIPAL_NOT_PROVIDED_J2CA0669", "J2CA0669E: The resource adapter did not provide a CallerPrincipalCallback, an execution subject containing a single principal, or an empty execution subject."));
                    }
                    if (principals.isEmpty()) {
                        // Empty subject: callback carries a null principal name.
                        j2CSecurityCallbackHandler.handle(new Callback[]{new CallerPrincipalCallback(subject, (String) null)});
                    } else {
                        if (principals.size() != 1) {
                            throw new WSSecurityException(nls.getString("CALLERPRINCIPAL_NOT_PROVIDED_J2CA0669", "J2CA0669E: The resource adapter did not provide a CallerPrincipalCallback, an execution subject containing a single principal, or an empty execution subject."));
                        }
                        CallerPrincipalCallback callerPrincipalCallback = new CallerPrincipalCallback(subject, principals.iterator().next());
                        // The single inflown principal is removed before the handler repopulates the subject.
                        subject.getPrincipals().clear();
                        j2CSecurityCallbackHandler.handle(new Callback[]{callerPrincipalCallback});
                    }
                    // Re-read: the handler invocation above is what produces the credentials.
                    // NOTE(review): a null result here leads to an NPE on the next line (caught as J2CA0671).
                    customCredentials = J2CSecurityHelper.getCustomCredentials(subject, j2CSecurityCallbackHandler.getCacheKey());
                }
                final String str2 = (String) customCredentials.get(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME);
                // Unauthenticated name -> canned unauthenticated subject; otherwise a privileged login
                // against the app realm using the "system.DEFAULT" login configuration.
                Subject createUnauthenticatedSubject = str2.equals(contextManagerFactory.getUnauthenticatedString()) ? contextManagerFactory.createUnauthenticatedSubject() : (Subject) AccessController.doPrivileged(new PrivilegedExceptionAction<Subject>() { // from class: com.ibm.ejs.j2c.work.security.SecWorkContextHandler.1
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public Subject run() throws Exception {
                        return contextManagerFactory.login(appRealm, str2, "system.DEFAULT", (HttpServletRequest) null, (HttpServletResponse) null, (Map) null, subject);
                    }
                });
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "The RunAs subject is created after a successful login.");
                }
                J2CSecurityHelper.setRunAsSubject(createUnauthenticatedSubject);
                // NOTE(review): popContext() is also called by the finally block below, so this success
                // path pops twice for a single pushAppContext(). The early-return and exception paths
                // pop once. Possibly a decompiler artifact (inlined finally) — confirm against the
                // original source and SecurityObjectLocator's stack semantics.
                SecurityObjectLocator.popContext();
                if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
                    Tr.exit(tc, AuditConstants.ASSOCIATE);
                }
            } catch (Exception e) {
                // Boundary translation: every failure (security rejection or unexpected runtime error)
                // becomes J2CA0671 with the cause preserved.
                Tr.error(tc, "SECURITY_CONTEXT_NOT_ASSOCIATED_J2CA0671", e);
                WorkCompletedException workCompletedException = new WorkCompletedException(nls.getString("SECURITY_CONTEXT_NOT_ASSOCIATED_J2CA0671", "J2CA0671E: The WorkManager was unable to associate the inflown SecurityContext to the Work instance."), "-1");
                workCompletedException.initCause(e);
                if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
                    Tr.exit(tc, AuditConstants.ASSOCIATE);
                }
                throw workCompletedException;
            }
        } finally {
            // Balances the pushAppContext() at the top of the try.
            SecurityObjectLocator.popContext();
        }
    }

    /**
     * Removes the run-as subject installed by {@link #associate}.
     *
     * <p>Does nothing (beyond trace entry/exit) when server security is not enabled.
     */
    @Override // com.ibm.ws.j2c.work.ContextHandler
    public void dissociate() {
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.entry(tc, "dissociate");
        }
        if (WSSecurityHelper.isServerSecurityEnabled()) {
            J2CSecurityHelper.removeRunAsSubject();
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
            Tr.exit(tc, "dissociate");
        }
    }
}
