package com.ibm.ws.webcontainer.security.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.InjectedTrace;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.websphere.security.WebTrustAssociationUserException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.security.authentication.AuthenticationData;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.AuthenticationService;
import com.ibm.ws.security.authentication.WSAuthenticationData;
import com.ibm.ws.security.authentication.tai.TAIService;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.webcontainer.security.SSOCookieHelper;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

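/**
 * Runs the Trust Association Interceptors (TAIs) supplied by the {@link TAIService} against an
 * inbound web request and converts the interceptor's verdict into an {@link AuthenticationResult}.
 *
 * <p>Processing order in {@link #handleTrustAssociation}:
 * <ol>
 *   <li>skip entirely when no TAI is enabled for the requested phase, or when the URI is
 *       unprotected and the service is not configured to invoke TAIs for unprotected URIs;</li>
 *   <li>hand the request to the first interceptor whose {@code isTargetInterceptor} accepts it;
 *       any exception it throws is mapped to a {@code FAILURE} result (fail closed);</li>
 *   <li>on HTTP 200 from the interceptor, authenticate the subject it returned, falling back to a
 *       user-ID-only login with the principal name it returned; on any other status either fall
 *       back to the application's own authentication type or answer with a TAI challenge,
 *       depending on {@code TAIService.isFailOverToAppAuthType()}.</li>
 * </ol>
 *
 * <p>Instance state is written only by the constructor.
 */
@TraceOptions(traceGroups = {TraceConstants.TRACE_GROUP}, traceGroup = "", messageBundle = TraceConstants.MESSAGE_BUNDLE, traceExceptionThrow = false, traceExceptionHandling = false)
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class TrustAssociationManager {
    private static final TraceComponent tc = Tr.register(TrustAssociationManager.class);

    /** Fully qualified class name used as the FFDC probe source. */
    private static final String CLASS_NAME = "com.ibm.ws.webcontainer.security.internal.TrustAssociationManager";

    /** Name of the login configuration passed to {@code AuthenticationService.authenticate}. */
    private static final String WEB_INBOUND_LOGIN_CONFIG = "system.WEB_INBOUND";

    /**
     * Hashtable key set when the authentication service is not configured to accept a bare user ID.
     * Presumably marks the login as an identity assertion (no password check) — confirm against
     * AuthenticationService.
     */
    private static final String ASSERTION_KEY = "com.ibm.ws.authentication.internal.assertion";

    /** Hashtable key carrying the user ID to log in. */
    private static final String USER_ID_KEY = "com.ibm.wsspi.security.cred.userId";

    static final long serialVersionUID = 1053935151847878743L;

    private final TAIService taiService;
    private final SSOCookieHelper ssoCookieHelper;
    private final AuthenticationService authenticationService;

    /**
     * Result returned whenever TAI processing neither succeeds nor fails, i.e. the caller should
     * continue with the next authentication mechanism. One instance is shared by every call on this
     * manager, so it is assumed that callers do not mutate it — TODO confirm AuthenticationResult
     * is treated as read-only downstream.
     */
    private final AuthenticationResult AUTHN_CONTINUE_RESULT = new AuthenticationResult(AuthResult.CONTINUE, "Authentication continue");

    /**
     * Creates a manager over the given collaborators.
     *
     * @param tAIService            source of the enabled interceptors and of the TAI configuration flags
     * @param authenticationService service used to authenticate the subject a TAI produces;
     *                              {@link #createUserIdHashtableSubject} tolerates {@code null} but
     *                              {@link #authenticateWithSubject} does not — presumably it is always
     *                              injected, confirm with the caller
     * @param sSOCookieHelper       adds SSO cookies to the response after a successful login
     */
    public TrustAssociationManager(TAIService tAIService, AuthenticationService authenticationService, SSOCookieHelper sSOCookieHelper) {
        this.taiService = tAIService;
        this.authenticationService = authenticationService;
        this.ssoCookieHelper = sSOCookieHelper;
    }

    /**
     * Runs TAI processing for one request.
     *
     * @param webRequest      the request/response pair under authentication
     * @param invokeBeforeSSO {@code true} selects the interceptors configured to run before SSO
     *                        processing, {@code false} those configured to run after it
     * @return {@code AUTHN_CONTINUE_RESULT} when no interceptor is enabled or none claims the
     *         request, a {@code FAILURE} result when the selected interceptor throws, otherwise the
     *         result of {@link #handleTaiResult}
     */
    public AuthenticationResult handleTrustAssociation(WebRequest webRequest, boolean invokeBeforeSSO) {
        Map<String, TrustAssociationInterceptor> tais = taiService.getTais(invokeBeforeSSO);
        if (skipTai(webRequest, tais, invokeBeforeSSO)) {
            return AUTHN_CONTINUE_RESULT;
        }
        HttpServletRequest req = webRequest.getHttpServletRequest();
        HttpServletResponse res = webRequest.getHttpServletResponse();
        Object[] ffdcContext = new Object[] { webRequest, Boolean.valueOf(invokeBeforeSSO) };

        TAIResult taiResult = null;
        String taiType = null;
        AuthenticationResult failure = null;
        try {
            // The first interceptor that claims the request wins; the remaining ones are not consulted.
            TrustAssociationInterceptor target = null;
            for (TrustAssociationInterceptor tai : tais.values()) {
                if (tai.isTargetInterceptor(req)) {
                    target = tai;
                    break;
                }
            }
            if (target == null) {
                if (isDebugEnabled()) {
                    Tr.debug(tc, "TAI does not intercept this request", new Object[0]);
                }
                return AUTHN_CONTINUE_RESULT;
            }
            taiType = target.getType();
            taiResult = target.negotiateValidateandEstablishTrust(req, res);
        } catch (WebTrustAssociationFailedException e) {
            FFDCFilter.processException(e, CLASS_NAME, "92", this, ffdcContext);
            Tr.error(tc, "SEC_TAI_VALIDATE_FAILED", new Object[] { e });
            failure = new AuthenticationResult(AuthResult.FAILURE, e.getMessage());
        } catch (WebTrustAssociationUserException e) {
            FFDCFilter.processException(e, CLASS_NAME, "95", this, ffdcContext);
            Tr.error(tc, "SEC_TAI_USER_EXCEPTION", new Object[] { e });
            failure = new AuthenticationResult(AuthResult.FAILURE, e.getMessage());
        } catch (Exception e) {
            // Any other interceptor failure is an authentication failure, never a pass-through.
            FFDCFilter.processException(e, CLASS_NAME, "98", this, ffdcContext);
            Tr.error(tc, "SEC_TAI_GENERAL_EXCEPTION", new Object[] { e });
            failure = new AuthenticationResult(AuthResult.FAILURE, e.getMessage());
        }

        if (failure == null) {
            return handleTaiResult(taiResult, taiType, req, res);
        }
        if (isDebugEnabled()) {
            Tr.debug(tc, "TAI throws an un-expected exception: " + failure.getReason(), new Object[0]);
        }
        return failure;
    }

    /**
     * Decides whether TAI processing is skipped for this request.
     *
     * @param webRequest      the request under authentication
     * @param tais            the interceptors enabled for the phase, possibly {@code null} or empty
     * @param invokeBeforeSSO phase indicator, used only for the trace message
     * @return {@code true} when there is no enabled interceptor, or when the URI is unprotected and
     *         the service is not configured to invoke interceptors for unprotected URIs
     */
    private boolean skipTai(WebRequest webRequest, Map<String, TrustAssociationInterceptor> tais, boolean invokeBeforeSSO) {
        if (tais == null || tais.isEmpty()) {
            if (isDebugEnabled()) {
                Tr.debug(tc, "There is no TAI enabled for " + (invokeBeforeSSO ? "invoking before SSO" : "invoking after SSO"), new Object[0]);
            }
            return true;
        }
        if (webRequest.isUnprotectedURI() && !taiService.isInvokeForUnprotectedURI()) {
            if (isDebugEnabled()) {
                Tr.debug(tc, "Skipping TAI for unprotected URI...", new Object[0]);
            }
            return true;
        }
        return false;
    }

    /**
     * Turns the interceptor's result into an authentication result.
     *
     * @param taiResult result of the interceptor, or {@code null}
     * @param taiType   type of the interceptor that handled the request (used for FFDC context only)
     * @param req       the request
     * @param res       the response
     * @return the outcome of authenticating the interceptor's subject when it reported HTTP 200,
     *         otherwise the fallback/challenge result; a {@code SEND_401} result if authentication
     *         itself fails with an {@link AuthenticationException}
     */
    private AuthenticationResult handleTaiResult(TAIResult taiResult, String taiType, HttpServletRequest req, HttpServletResponse res) {
        try {
            if (taiResult != null && taiResult.getStatus() == HttpServletResponse.SC_OK) {
                return authenticateWithTAIResult(req, res, taiResult);
            }
            return handleFallBackToAppAuthType(taiType, taiResult);
        } catch (AuthenticationException e) {
            FFDCFilter.processException(e, CLASS_NAME, "150", this, new Object[] { taiResult, taiType, req, res });
            return new AuthenticationResult(AuthResult.SEND_401, e.getMessage());
        }
    }

    /**
     * Builds the result used when the interceptor did not establish trust.
     *
     * @param taiType   type of the interceptor; not used by this method
     * @param taiResult the interceptor's result, or {@code null}
     * @return when fail-over to the application authentication type is enabled, a {@code CONTINUE}
     *         result (carrying the interceptor's subject when there is one — presumably the caller
     *         treats {@code CONTINUE} as "not yet authenticated", confirm); otherwise a
     *         {@code FAILURE} for a missing result or a {@code TAI_CHALLENGE} carrying the
     *         interceptor's status code
     * @throws AuthenticationException declared for callers; this implementation does not throw it
     */
    private AuthenticationResult handleFallBackToAppAuthType(String taiType, TAIResult taiResult) throws AuthenticationException {
        if (taiService.isFailOverToAppAuthType()) {
            if (taiResult == null) {
                return new AuthenticationResult(AuthResult.CONTINUE, "TAI allows fall back to application authentication type");
            }
            return new AuthenticationResult(AuthResult.CONTINUE, taiResult.getSubject());
        }
        if (taiResult == null) {
            return new AuthenticationResult(AuthResult.FAILURE, "taiResult is null");
        }
        return new AuthenticationResult(AuthResult.TAI_CHALLENGE, "TrustAssociation Interception returns error", taiResult.getStatus());
    }

    /**
     * Authenticates the identity an interceptor established (HTTP 200 case).
     *
     * <p>Order of attempts: the interceptor's subject, if present and not flagged unauthenticated;
     * then a user-ID-only login with the interceptor's principal name; if neither succeeds the
     * request is allowed to {@code CONTINUE} to the next mechanism.
     *
     * @param req       the request
     * @param res       the response
     * @param taiResult interceptor result with status 200
     * @return {@code FAILURE} when the interceptor supplied no principal name or an unauthenticated
     *         credential, {@code SUCCESS} when a login succeeds, otherwise {@code CONTINUE}
     * @throws AuthenticationException declared for callers; this implementation does not throw it
     */
    private AuthenticationResult authenticateWithTAIResult(HttpServletRequest req, HttpServletResponse res, TAIResult taiResult) throws AuthenticationException {
        String principal = taiResult.getAuthenticatedPrincipal();
        if (isDebugEnabled()) {
            Tr.debug(tc, "TAI user name: " + principal, new Object[0]);
        }
        if (principal == null) {
            return new AuthenticationResult(AuthResult.FAILURE, "TAI user name is null");
        }

        Subject subject = taiResult.getSubject();
        AuthenticationResult result = null;
        if (subject != null) {
            WSCredential credential = new SubjectHelper().getWSCredential(subject);
            if (credential != null && credential.isUnauthenticated()) {
                // An unauthenticated credential cannot establish trust: reject it instead of
                // falling through to the user-ID-only login with the same subject.
                return new AuthenticationResult(AuthResult.FAILURE, "Subject from TAI is invalid for user: " + principal);
            }
            result = authenticateWithSubject(req, res, subject);
        }
        if (!isSuccess(result)) {
            result = loginWithTAIUserName(req, res, subject, principal);
            if (!isSuccess(result)) {
                result = new AuthenticationResult(AuthResult.CONTINUE, "authenticate failed.... allow to continue");
            }
        }
        return result;
    }

    /**
     * Logs in using only the principal name the interceptor returned, attached to the given subject
     * (or a fresh one) as a hashtable credential.
     *
     * @param req       the request
     * @param res       the response
     * @param subject   subject to decorate, or {@code null}
     * @param userId    principal name reported by the interceptor
     * @return the result of {@link #authenticateWithSubject}
     */
    private AuthenticationResult loginWithTAIUserName(HttpServletRequest req, HttpServletResponse res, Subject subject, String userId) {
        return authenticateWithSubject(req, res, createUserIdHashtableSubject(subject, userId));
    }

    /**
     * Authenticates the subject through the authentication service and, on success, adds the SSO
     * cookies to the response.
     *
     * @param req     the request
     * @param res     the response
     * @param subject subject to authenticate
     * @return {@code SUCCESS} carrying the authenticated subject, or {@code FAILURE} carrying the
     *         exception message
     */
    @FFDCIgnore({AuthenticationException.class})
    private AuthenticationResult authenticateWithSubject(HttpServletRequest req, HttpServletResponse res, Subject subject) {
        try {
            Subject authenticated = authenticationService.authenticate(WEB_INBOUND_LOGIN_CONFIG, createAuthenticationData(req, res), subject);
            AuthenticationResult success = new AuthenticationResult(AuthResult.SUCCESS, authenticated);
            // Cookies are issued only for a subject the authentication service accepted.
            ssoCookieHelper.addSSOCookiesToResponse(authenticated, req, res);
            return success;
        } catch (AuthenticationException e) {
            return new AuthenticationResult(AuthResult.FAILURE, e.getMessage());
        }
    }

    /**
     * Adds a hashtable credential holding the user ID (and, unless the service allows ID-only
     * hashtable logins, the assertion marker) to the subject's public credentials.
     *
     * @param subject subject to decorate; a new one is created when {@code null}. Note that a
     *                non-null subject is modified in place.
     * @param userId  user ID to place in the hashtable
     * @return the decorated subject
     */
    private Subject createUserIdHashtableSubject(Subject subject, String userId) {
        Subject target = (subject != null) ? subject : new Subject();
        Hashtable<String, Object> credentials = new Hashtable<String, Object>();
        if (authenticationService == null || !authenticationService.isAllowHashTableLoginWithIdOnly().booleanValue()) {
            credentials.put(ASSERTION_KEY, Boolean.TRUE);
        }
        credentials.put(USER_ID_KEY, userId);
        target.getPublicCredentials().add(credentials);
        return target;
    }

    /**
     * Packages the request and response for the authentication service.
     *
     * @param req the request
     * @param res the response
     * @return authentication data holding both objects
     */
    @Trivial
    protected AuthenticationData createAuthenticationData(HttpServletRequest req, HttpServletResponse res) {
        WSAuthenticationData data = new WSAuthenticationData();
        data.set(AuthenticationData.HTTP_SERVLET_REQUEST, req);
        data.set(AuthenticationData.HTTP_SERVLET_RESPONSE, res);
        return data;
    }

    /** @return {@code true} when the result is non-null and reports {@code SUCCESS}. */
    private static boolean isSuccess(AuthenticationResult result) {
        return result != null && result.getStatus() == AuthResult.SUCCESS;
    }

    /** @return {@code true} when debug trace is switched on for this component. */
    private static boolean isDebugEnabled() {
        return TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
    }

    static {
        // Entry/exit trace around class initialisation. The tc null guard is kept from the original;
        // whether Tr.register can return null is not visible here.
        if (TraceComponent.isAnyTracingEnabled() && tc != null && tc.isEntryEnabled()) {
            Tr.entry(tc, "<clinit>", new Object[0]);
        }
        if (TraceComponent.isAnyTracingEnabled() && tc != null && tc.isEntryEnabled()) {
            Tr.exit(tc, "<clinit>");
        }
    }
}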
