package com.ibm.ws.webcontainer.security;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.InjectedTrace;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.AuthenticationService;
import com.ibm.ws.security.authentication.tai.TAIService;
import com.ibm.ws.security.oauth20.OAuth20Service;
import com.ibm.ws.security.oauth20.OAuthAuthenticationResult;
import com.ibm.ws.security.registry.RegistryException;
import com.ibm.ws.webcontainer.security.internal.AuthResult;
import com.ibm.ws.webcontainer.security.internal.AuthenticationResult;
import com.ibm.ws.webcontainer.security.internal.BasicAuthAuthenticator;
import com.ibm.ws.webcontainer.security.internal.CertificateLoginAuthenticator;
import com.ibm.ws.webcontainer.security.internal.FormLoginAuthenticator;
import com.ibm.ws.webcontainer.security.internal.SRTServletRequestUtils;
import com.ibm.ws.webcontainer.security.internal.SSOAuthenticator;
import com.ibm.ws.webcontainer.security.internal.TraceConstants;
import com.ibm.ws.webcontainer.security.internal.TrustAssociationManager;
import com.ibm.ws.webcontainer.security.internal.WebAuthenticator;
import com.ibm.ws.webcontainer.security.internal.WebRequest;
import com.ibm.ws.webcontainer.security.metadata.LoginConfiguration;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import java.util.Hashtable;
import javax.security.auth.Subject;

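/**
 * Front door for web-request authentication: tries the pluggable mechanisms in a fixed
 * order and falls back to the authenticator chosen by the application's login
 * configuration.
 *
 * <p>Order of evaluation, as implemented by {@link #authenticate(WebRequest)}:
 * <ol>
 *   <li>trust association (TAI), when a {@code TAIService} is available;</li>
 *   <li>OAuth, when an {@code OAuth20Service} is available;</li>
 *   <li>SSO, followed by a second TAI pass if SSO did not succeed;</li>
 *   <li>FORM / CLIENT_CERT / BASIC, selected from the login configuration, with an
 *       optional CLIENT_CERT to BASIC fail-over.</li>
 * </ol>
 *
 * <p>This listing is decompiler output; the decompiler's type-inference artifacts in
 * {@code getBasicAuthAuthenticator} and {@code loginWithUserName} have been repaired
 * so that the exception actually caught is the one that is traced and reported.
 */
@TraceOptions(traceGroups = {TraceConstants.TRACE_GROUP}, traceGroup = "", messageBundle = TraceConstants.MESSAGE_BUNDLE, traceExceptionThrow = false, traceExceptionHandling = false)
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:lib/com.ibm.ws.webcontainer.security_1.0.1.20150314-1754.jar:com/ibm/ws/webcontainer/security/WebAuthenticatorProxy.class */
public class WebAuthenticatorProxy implements WebAuthenticator {
    private static final TraceComponent tc = Tr.register(WebAuthenticatorProxy.class);
    /** Name of the private request attribute that records which mechanism authenticated the request. */
    private static final String AUTH_TYPE = "AUTH_TYPE";
    /** Reason attached to every fail-closed result produced when a collaborator cannot be obtained. */
    private static final String INTERNAL_ERROR_REASON = "An internal error occured. Unable to authenticate request.";
    private final AtomicServiceReference<SecurityService> securityServiceRef;
    private final AtomicServiceReference<TAIService> taiServiceRef;
    // May be null: handleTAIAndOAuthAndSSO checks the reference itself before dereferencing it.
    private final AtomicServiceReference<OAuth20Service> oauthServiceRef;
    private volatile WebAppSecurityConfig webAppSecurityConfig;
    private volatile PostParameterHelper postParameterHelper;
    static final long serialVersionUID = -7018910840146693408L;

    /**
     * Stores the collaborators; nothing is resolved or validated at construction time.
     *
     * @param webAppSecurityConfig    web application security settings (fail-over flag, SSO cookie settings)
     * @param postParameterHelper     restores saved POST parameters after a successful FORM login
     * @param atomicServiceReference  reference to the security service
     * @param atomicServiceReference2 reference to the TAI service
     * @param atomicServiceReference3 reference to the OAuth service; may be {@code null}
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public WebAuthenticatorProxy(WebAppSecurityConfig webAppSecurityConfig, PostParameterHelper postParameterHelper, AtomicServiceReference<SecurityService> atomicServiceReference, AtomicServiceReference<TAIService> atomicServiceReference2, AtomicServiceReference<OAuth20Service> atomicServiceReference3) {
        this.webAppSecurityConfig = webAppSecurityConfig;
        this.postParameterHelper = postParameterHelper;
        this.securityServiceRef = atomicServiceReference;
        this.taiServiceRef = atomicServiceReference2;
        this.oauthServiceRef = atomicServiceReference3;
    }

    /**
     * Authenticates the request, trying TAI/OAuth/SSO first and the configured login
     * method only when those return {@code CONTINUE}.
     *
     * <p>On success the mechanism name is stored in the {@code AUTH_TYPE} private request
     * attribute, and saved POST parameters are restored for FORM login. When no
     * authenticator can be obtained the request is denied with a {@code FAILURE} result.
     *
     * @param webRequest the request being authenticated
     * @return the result of the first mechanism that produced a definitive answer
     */
    @Override // com.ibm.ws.webcontainer.security.internal.WebAuthenticator
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public AuthenticationResult authenticate(WebRequest webRequest) {
        AuthenticationResult result = handleTAIAndOAuthAndSSO(webRequest);
        // NOTE(review): getLoginConfig() is dereferenced without a null check here, while
        // getWebAuthenticator() tolerates a missing login configuration - confirm that
        // WebRequest.getLoginConfig() cannot return null.
        String authenticationMethod = webRequest.getLoginConfig().getAuthenticationMethod();
        if (result.getStatus() == AuthResult.CONTINUE) {
            WebAuthenticator webAuthenticator = getWebAuthenticator(webRequest);
            if (webAuthenticator == null) {
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Unable to get the appropriate WebAuthenticator, denying request");
                }
                // Fail closed: no authenticator means no access.
                return new AuthenticationResult(AuthResult.FAILURE, INTERNAL_ERROR_REASON);
            }
            result = webAuthenticator.authenticate(webRequest);
            boolean certLoginDidNotSucceed = (webAuthenticator instanceof CertificateLoginAuthenticator)
                    && result != null
                    && result.getStatus() != AuthResult.SUCCESS;
            if (certLoginDidNotSucceed && this.webAppSecurityConfig.getAllowFailOverToBasicAuth()) {
                // Configuration-driven downgrade from client-certificate to password
                // authentication; the recorded AUTH_TYPE becomes BASIC so that downstream
                // code can tell the request was not certificate-authenticated.
                authenticationMethod = LoginConfiguration.BASIC;
                BasicAuthAuthenticator basicAuthAuthenticator = getBasicAuthAuthenticator();
                if (basicAuthAuthenticator == null) {
                    if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                        Tr.debug(tc, "Unable to get the BasicAuthAuthenticator, denying request");
                    }
                    return new AuthenticationResult(AuthResult.FAILURE, INTERNAL_ERROR_REASON);
                }
                result = basicAuthAuthenticator.authenticate(webRequest);
            }
        }
        if (result != null && result.getStatus() == AuthResult.SUCCESS) {
            // NOTE(review): when TAI, OAuth or SSO produced the success, the value recorded
            // here is still the login-config method, not the mechanism that authenticated.
            SRTServletRequestUtils.setPrivateAttribute(webRequest.getHttpServletRequest(), AUTH_TYPE, authenticationMethod);
            if (LoginConfiguration.FORM.equalsIgnoreCase(authenticationMethod)) {
                this.postParameterHelper.restore(webRequest.getHttpServletRequest(), webRequest.getHttpServletResponse());
            }
        }
        return result;
    }

    /**
     * Runs the mechanisms that take precedence over the configured login method:
     * TAI, then OAuth, then SSO, then a second TAI pass if SSO returned {@code CONTINUE}.
     *
     * <p>Any status other than {@code CONTINUE} from TAI or OAuth ends the chain.
     *
     * @param webRequest the request being authenticated
     * @return the first definitive result, or the outcome of the SSO / second TAI step
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private AuthenticationResult handleTAIAndOAuthAndSSO(WebRequest webRequest) {
        TAIService taiService = this.taiServiceRef.getService();
        TrustAssociationManager trustAssociationManager = null;
        if (taiService != null) {
            // NOTE(review): the security service is dereferenced without a null check,
            // unlike the TAI and OAuth services - confirm it is always bound here.
            trustAssociationManager = new TrustAssociationManager(taiService, this.securityServiceRef.getService().getAuthenticationService(), new SSOCookieHelperImpl(this.webAppSecurityConfig));
            // The boolean selects the first (true) versus second (false) TAI pass; its
            // exact meaning is defined by TrustAssociationManager, not visible here.
            AuthenticationResult taiResult = trustAssociationManager.handleTrustAssociation(webRequest, true);
            if (taiResult.getStatus() != AuthResult.CONTINUE) {
                return taiResult;
            }
        } else if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "TAI service is not available, skipping TAI...");
        }

        OAuth20Service oauthService = this.oauthServiceRef != null ? this.oauthServiceRef.getService() : null;
        if (oauthService != null) {
            AuthenticationResult oauthResult = handleOAuth(webRequest, oauthService);
            if (oauthResult.getStatus() != AuthResult.CONTINUE) {
                return oauthResult;
            }
        } else if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Oauth service is not available, skipping Oauth...");
        }

        AuthenticationResult ssoResult = handleSSO(webRequest);
        if (ssoResult.getStatus() == AuthResult.CONTINUE && trustAssociationManager != null) {
            ssoResult = trustAssociationManager.handleTrustAssociation(webRequest, false);
        }
        return ssoResult;
    }

    /**
     * Attempts SSO authentication.
     *
     * @param webRequest the request being authenticated
     * @return the authenticator's result when it is {@code SUCCESS}; {@code CONTINUE}
     *         for any other (or {@code null}) outcome so later mechanisms can run;
     *         {@code FAILURE} when no SSO authenticator could be obtained
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private AuthenticationResult handleSSO(WebRequest webRequest) {
        WebAuthenticator ssoAuthenticator = getSSOAuthenticator(webRequest);
        if (ssoAuthenticator == null) {
            // Reachable only if a subclass overrides getSSOAuthenticator to return null.
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to get the SSO authenticator, denying request");
            }
            return new AuthenticationResult(AuthResult.FAILURE, INTERNAL_ERROR_REASON);
        }
        AuthenticationResult ssoResult = ssoAuthenticator.authenticate(webRequest);
        if (ssoResult != null && ssoResult.getStatus() == AuthResult.SUCCESS) {
            return ssoResult;
        }
        // A missing or invalid SSO token is not a denial; it only means "try the next mechanism".
        return new AuthenticationResult(AuthResult.CONTINUE, "SSO is not succeed, continue ...");
    }

    /**
     * Builds a fresh SSO authenticator for this request.
     *
     * @param webRequest supplies the security metadata passed to the authenticator
     * @return a new {@code SSOAuthenticator}
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected WebAuthenticator getSSOAuthenticator(WebRequest webRequest) {
        return new SSOAuthenticator(this.securityServiceRef.getService().getAuthenticationService(), webRequest.getSecurityMetadata(), this.webAppSecurityConfig, new SSOCookieHelperImpl(this.webAppSecurityConfig));
    }

    /**
     * Selects the authenticator that matches the application's login configuration.
     *
     * @param webRequest supplies the security metadata holding the login configuration
     * @return a FORM or CLIENT_CERT authenticator when configured; otherwise the BASIC
     *         authenticator, which may be {@code null} if it cannot be created
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected WebAuthenticator getWebAuthenticator(WebRequest webRequest) {
        LoginConfiguration loginConfiguration = webRequest.getSecurityMetadata().getLoginConfiguration();
        if (loginConfiguration != null) {
            String authenticationMethod = loginConfiguration.getAuthenticationMethod();
            if (LoginConfiguration.FORM.equalsIgnoreCase(authenticationMethod)) {
                return createFormLoginAuthenticator(webRequest);
            }
            if (LoginConfiguration.CLIENT_CERT.equalsIgnoreCase(authenticationMethod)) {
                return new CertificateLoginAuthenticator(this.securityServiceRef.getService().getAuthenticationService(), new SSOCookieHelperImpl(this.webAppSecurityConfig));
            }
        }
        // No login configuration, or an unrecognised method: BASIC is the default.
        return getBasicAuthAuthenticator();
    }

    /**
     * Creates the BASIC authenticator, converting a registry failure into {@code null}.
     *
     * <p>The {@code RegistryException} is handed to FFDC and, when debug tracing is on,
     * traced together with the exception itself (the decompiled listing traced an
     * unassigned local instead).
     *
     * @return a new {@code BasicAuthAuthenticator}, or {@code null} when the user
     *         registry could not be obtained; callers treat {@code null} as a denial
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public BasicAuthAuthenticator getBasicAuthAuthenticator() {
        try {
            return createBasicAuthenticator();
        } catch (RegistryException e) {
            FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.WebAuthenticatorProxy", "231", this, new Object[0]);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "RegistryException while trying to create BasicAuthAuthenticator", e);
            }
            return null;
        }
    }

    /**
     * Builds a BASIC authenticator bound to the current user registry.
     *
     * @return a new {@code BasicAuthAuthenticator}
     * @throws RegistryException propagated from the user-registry lookup
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected BasicAuthAuthenticator createBasicAuthenticator() throws RegistryException {
        SecurityService securityService = this.securityServiceRef.getService();
        return new BasicAuthAuthenticator(securityService.getAuthenticationService(), securityService.getUserRegistryService().getUserRegistry(), new SSOCookieHelperImpl(this.webAppSecurityConfig), this.webAppSecurityConfig);
    }

    /**
     * Builds a FORM-login authenticator that delegates SSO handling to a fresh SSO authenticator.
     *
     * @param webRequest passed through to {@link #getSSOAuthenticator(WebRequest)}
     * @return a new {@code FormLoginAuthenticator}
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected FormLoginAuthenticator createFormLoginAuthenticator(WebRequest webRequest) {
        return new FormLoginAuthenticator(getSSOAuthenticator(webRequest), this.webAppSecurityConfig);
    }

    /**
     * Delegates to the OAuth service and maps its numeric status onto an
     * {@code AuthenticationResult}.
     *
     * <p>Never returns {@code null}: the caller dereferences the result immediately, so
     * a success status that carries no user name is reported as {@code FAILURE} instead
     * of surfacing as a {@code NullPointerException}.
     *
     * @param webRequest     the request being authenticated
     * @param oAuth20Service the OAuth service to consult
     * @return {@code CONTINUE}, {@code FAILURE}, or the outcome of the identity login
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private AuthenticationResult handleOAuth(WebRequest webRequest, OAuth20Service oAuth20Service) {
        OAuthAuthenticationResult oauthResult = oAuth20Service.authenticate(webRequest.getHttpServletRequest(), webRequest.getHttpServletResponse());
        // The literals 2 / 1 / 0 are presumably compile-time constants of
        // OAuthAuthenticationResult inlined by the compiler - TODO confirm the names.
        int status = oauthResult.getStatus();
        if (status == 2) {
            return new AuthenticationResult(AuthResult.CONTINUE, "Oauth service said continue...");
        }
        if (status == 1) {
            return new AuthenticationResult(AuthResult.FAILURE, "Oauth service failed the request...");
        }
        if (status != 0) {
            // Unknown status values are denied rather than ignored.
            return new AuthenticationResult(AuthResult.FAILURE, "Oauth service returned invalid status: " + status);
        }
        String userName = oauthResult.getUserName();
        if (userName == null) {
            // Fail closed: a "success" without an identity cannot be turned into a login.
            return new AuthenticationResult(AuthResult.FAILURE, "Oauth service returned success without a user name");
        }
        return loginWithUserName(webRequest, oauthResult.getSubject(), userName);
    }

    /**
     * Logs in the user named by the OAuth service without a password, by placing a
     * hashtable credential on the subject and running the {@code system.WEB_INBOUND}
     * login.
     *
     * <p>Security note: no secret is checked here. The user name is accepted as an
     * asserted identity, so this method is only as trustworthy as the OAuth service
     * result it is fed.
     *
     * @param webRequest the request being authenticated (used for FFDC context only)
     * @param subject    subject supplied by the OAuth service; a new one is created when {@code null}
     * @param str        the user name to log in
     * @return {@code SUCCESS} wrapping the authenticated subject, or {@code SEND_401}
     *         carrying the authentication exception's message
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private AuthenticationResult loginWithUserName(WebRequest webRequest, Subject subject, String str) {
        Subject loginSubject = (subject != null) ? subject : new Subject();
        Hashtable<String, Object> credential = new Hashtable<String, Object>();
        AuthenticationService authenticationService = this.securityServiceRef.getService().getAuthenticationService();
        if (!authenticationService.isAllowHashTableLoginWithIdOnly().booleanValue()) {
            // When id-only hashtable login is not allowed, the credential is explicitly
            // flagged as an internal assertion (semantics defined by the authentication
            // service, not visible here).
            credential.put("com.ibm.ws.authentication.internal.assertion", Boolean.TRUE);
        }
        credential.put("com.ibm.wsspi.security.cred.userId", str);
        loginSubject.getPublicCredentials().add(credential);
        try {
            return new AuthenticationResult(AuthResult.SUCCESS, authenticationService.authenticate("system.WEB_INBOUND", loginSubject));
        } catch (AuthenticationException e) {
            FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.WebAuthenticatorProxy", "303", this, new Object[]{webRequest, subject, str});
            // NOTE(review): the exception text becomes the result's reason - confirm it is
            // logged only and never echoed to the client in the 401 response.
            return new AuthenticationResult(AuthResult.SEND_401, e.getMessage());
        }
    }

    // Entry/exit trace for class initialisation, emitted by the trace instrumentation.
    static {
        if (TraceComponent.isAnyTracingEnabled() && tc != null && tc.isEntryEnabled()) {
            Tr.entry(tc, "<clinit>", new Object[0]);
        }
        if (TraceComponent.isAnyTracingEnabled() && tc != null && tc.isEntryEnabled()) {
            Tr.exit(tc, "<clinit>");
        }
    }
}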
