package com.ibm.ws.jca.security.internal;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.WSSecurityHelper;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.security.authentication.AuthenticationService;
import com.ibm.ws.security.authentication.UnauthenticatedSubjectService;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.security.credentials.CredentialsService;
import com.ibm.ws.security.intfc.WSSecurityService;
import com.ibm.wsspi.security.registry.RegistryHelper;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import java.util.Set;
import javax.resource.spi.work.SecurityContext;
import javax.resource.spi.work.WorkCompletedException;
import javax.resource.spi.work.WorkContext;
import javax.resource.spi.work.WorkException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import org.openid4java.message.AssociationRequest;

/* loaded from: input_file:wlp/lib/com.ibm.ws.jca.inbound.security_1.0.13.jar:com/ibm/ws/jca/security/internal/SecWorkContextHandler.class */
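/**
 * Associates and dissociates the JCA inbound {@link SecurityContext} of an inflown
 * Work instance with the thread that will run it.
 *
 * <p>The resource adapter populates an empty execution {@link Subject} through
 * {@link SecurityContext#setupSecurityContext}; this class then validates what it
 * received and only afterwards installs a subject as RunAs via
 * {@link J2CSecurityHelper#setRunAsSubject}. Two inflow shapes are handled:
 * <ul>
 *   <li>an already authenticated subject (one carrying a {@link WSCredential}):
 *       accepted as-is, without re-authentication, provided it was not also
 *       populated through JASPIC callbacks and its realm is the server realm or an
 *       inbound-trusted realm;</li>
 *   <li>an unauthenticated subject / caller identified through callbacks: the
 *       caller security name is resolved from the custom credentials and either the
 *       server's unauthenticated subject is used or a login is performed.</li>
 * </ul>
 *
 * <p>Validation is fail-closed: any exception in {@link #associate} is reported as
 * {@code J2CA0671E} and rethrown as a {@link WorkCompletedException} with reason
 * {@link WorkException#INTERNAL}, and no RunAs subject is installed.
 */
public class SecWorkContextHandler {
    static final TraceComponent tc = Tr.register((Class<?>) SecWorkContextHandler.class, "WAS.j2c.security", "com.ibm.ws.jca.security.resources.J2CAMessages");

    /**
     * Trace method names. The decompiled listing had the "associate" literal folded
     * into an unrelated OpenID constant (AssociationRequest.MODE_ASSOC, whose value
     * is "associate"); a local constant removes that spurious coupling.
     */
    private static final String ASSOCIATE = "associate";
    private static final String DISSOCIATE = "dissociate";

    /** JAAS login configuration name used for the inflown caller login; presumably the server default. */
    private static final String DEFAULT_LOGIN_CONFIG = "system.DEFAULT";

    /** Eagerly created singleton: the class has no state, so lazy (and racy) creation buys nothing. */
    private static final SecWorkContextHandler INSTANCE = new SecWorkContextHandler();

    private SecWorkContextHandler() {
    }

    /** Returns the shared handler instance. */
    public static SecWorkContextHandler getInstance() {
        return INSTANCE;
    }

    /** Entry/exit trace gate, re-evaluated on each use like the original inline checks. */
    private static boolean isEntryTraceEnabled() {
        return TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled();
    }

    /**
     * Builds and installs the RunAs subject for the inflown security context.
     *
     * @param credentialsService          supplies the unauthenticated user id
     * @param wSSecurityService           supplies the configured user registry (may be absent)
     * @param unauthenticatedSubjectService supplies the server's unauthenticated subject
     * @param authenticationService       performs the login when the caller is authenticated
     * @param workContext                 the inflown context; must be a {@link SecurityContext}
     * @param str                         only traced; passed through by the caller
     * @throws WorkCompletedException with reason {@link WorkException#INTERNAL} when the
     *         context cannot be validated or associated (fail-closed; the original
     *         exception is attached as cause)
     */
    public void associate(CredentialsService credentialsService, WSSecurityService wSSecurityService, UnauthenticatedSubjectService unauthenticatedSubjectService, final AuthenticationService authenticationService, WorkContext workContext, String str) throws WorkCompletedException {
        if (isEntryTraceEnabled()) {
            Tr.entry(tc, ASSOCIATE, J2CSecurityHelper.objectId(workContext), str);
        }
        if (!WSSecurityHelper.isServerSecurityEnabled()) {
            // Nothing to associate when application security is off.
            if (isEntryTraceEnabled()) {
                Tr.exit(tc, ASSOCIATE, "Application security is not enabled for the application server.");
            }
            return;
        }
        TraceNLS nls = J2CSecurityHelper.getNLS();
        try {
            UserRegistry userRegistry = wSSecurityService.getUserRegistry(null);
            String realm = userRegistry != null ? userRegistry.getRealm() : null;
            final Subject subject = new Subject();
            J2CSecurityCallbackHandler handler = new J2CSecurityCallbackHandler(subject, realm, credentialsService.getUnauthenticatedUserid());
            // The resource adapter fills 'subject' here, directly and/or via JASPIC callbacks
            // routed through 'handler'. No service subject is supplied (third argument null).
            ((SecurityContext) workContext).setupSecurityContext(handler, subject, null);

            WSCredential wsCredential = new SubjectHelper().getWSCredential(subject);
            Subject runAs;
            if (wsCredential != null) {
                runAs = validateAuthenticatedSubject(subject, wsCredential, realm, handler, nls);
            } else {
                runAs = loginCallerSubject(subject, handler, credentialsService, unauthenticatedSubjectService, authenticationService, nls);
            }
            J2CSecurityHelper.setRunAsSubject(runAs);
            if (isEntryTraceEnabled()) {
                Tr.exit(tc, ASSOCIATE);
            }
        } catch (Exception e) {
            // One handler for checked and unchecked failures alike: the original had two
            // byte-identical catch blocks (RuntimeException is an Exception). Every failure,
            // including the WSSecurityExceptions thrown below, ends up here.
            Tr.error(tc, "SECURITY_CONTEXT_NOT_ASSOCIATED_J2CA0671", e);
            WorkCompletedException workCompletedException = new WorkCompletedException(nls.getString("SECURITY_CONTEXT_NOT_ASSOCIATED_J2CA0671", "J2CA0671E: The WorkManager was unable to associate the inflown SecurityContext to the Work instance."), WorkException.INTERNAL);
            workCompletedException.initCause(e);
            if (isEntryTraceEnabled()) {
                Tr.exit(tc, ASSOCIATE);
            }
            throw workCompletedException;
        }
    }

    /**
     * Handles an inflown subject that already carries a {@link WSCredential}.
     *
     * <p>Rejects it when the resource adapter also went through any JASPIC callback
     * (J2CA0677), and when its realm is neither the server realm nor trusted for
     * inbound flow (J2CA0685). A missing server realm (no user registry) is treated
     * as untrusted rather than surfacing as a NullPointerException as before; the
     * outcome for the caller is unchanged (fail-closed), the message is just accurate.
     * The subject is returned for use as RunAs without re-authentication.
     *
     * @throws Exception any validation failure or credential access error; the caller
     *         wraps everything into a WorkCompletedException
     */
    private static Subject validateAuthenticatedSubject(Subject subject, WSCredential wsCredential, String realm, J2CSecurityCallbackHandler handler, TraceNLS nls) throws Exception {
        Invocation[] invocations = handler.getInvocations();
        if (invocations[0] == Invocation.CALLERPRINCIPALCALLBACK
                || invocations[1] == Invocation.GROUPPRINCIPALCALLBACK
                || invocations[2] == Invocation.PASSWORDVALIDATIONCALLBACK) {
            throw new WSSecurityException(nls.getString("AUTHENTICATED_SUBJECT_AND_CALLBACK_NOT_SUPPORTED_J2CA0677", "J2CA0677E: An authenticated JAAS Subject and one or more JASPIC callbacks were passed to the application server by the resource adapter."));
        }
        String inboundRealm = wsCredential.getRealmName();
        // The message placeholder now receives the offending realm (the original passed null).
        if (realm == null || (!realm.equals(inboundRealm) && !RegistryHelper.isRealmInboundTrusted(inboundRealm, realm))) {
            throw new WSSecurityException(nls.getFormattedMessage("REALM_IS_NOT_TRUSTED_J2CA0685", new Object[]{inboundRealm}, "REALM_IS_NOT_TRUSTED_J2CA0685"));
        }
        return subject;
    }

    /**
     * Handles an inflown subject without a {@link WSCredential}: determines the caller
     * security name and produces the RunAs subject.
     *
     * <p>If the adapter did not use a CallerPrincipalCallback, the caller is derived
     * from the execution subject, which must then be empty (anonymous caller) or hold
     * exactly one principal. That principal is removed from the subject before being
     * re-submitted through the callback handler, so the subject only ends up with what
     * the handler itself adds. The custom credentials must then carry a security name
     * (J2CA0668); the check now applies to both paths, where the original would have
     * thrown a NullPointerException on the callback-derived path. A security name equal
     * to the unauthenticated user id yields the server's unauthenticated subject;
     * anything else is logged in via {@link AuthenticationService#authenticate}.
     *
     * @throws Exception any validation, callback or login failure; the caller wraps
     *         everything into a WorkCompletedException
     */
    private static Subject loginCallerSubject(final Subject subject, J2CSecurityCallbackHandler handler, CredentialsService credentialsService, UnauthenticatedSubjectService unauthenticatedSubjectService, final AuthenticationService authenticationService, TraceNLS nls) throws Exception {
        Hashtable<String, Object> customCredentials = J2CSecurityHelper.getCustomCredentials(subject, handler.getCacheKey());
        Set<Principal> principals = subject.getPrincipals();
        Invocation[] invocations = handler.getInvocations();
        String noCallerPrincipalMessage = nls.getString("CALLERPRINCIPAL_NOT_PROVIDED_J2CA0669", "J2CA0669E: The resource adapter did not provide a CallerPrincipalCallback, an execution subject containing a single principal, or an empty execution subject.");

        if (invocations[0] != Invocation.CALLERPRINCIPALCALLBACK) {
            // Group or password callbacks without a caller principal callback only make
            // sense against a single-principal execution subject.
            if ((invocations[1] == Invocation.GROUPPRINCIPALCALLBACK || invocations[2] == Invocation.PASSWORDVALIDATIONCALLBACK) && principals.size() != 1) {
                throw new WSSecurityException(noCallerPrincipalMessage);
            }
            if (principals.isEmpty()) {
                // Anonymous caller: a null name lets the handler establish the unauthenticated identity.
                handler.handle(new Callback[]{new CallerPrincipalCallback(subject, (String) null)});
            } else if (principals.size() == 1) {
                CallerPrincipalCallback callerPrincipalCallback = new CallerPrincipalCallback(subject, principals.iterator().next());
                subject.getPrincipals().clear();
                handler.handle(new Callback[]{callerPrincipalCallback});
            } else {
                throw new WSSecurityException(noCallerPrincipalMessage);
            }
            customCredentials = J2CSecurityHelper.getCustomCredentials(subject, handler.getCacheKey());
        }

        Object securityName = customCredentials == null ? null : customCredentials.get(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME);
        if (!(securityName instanceof String)) {
            throw new WSSecurityException(nls.getString("CUSTOM_CREDENTIALS_MISSING_J2CA0668", "J2CA0668E: The WorkManager was unable to populate the execution subject with the caller principal or credentials necessary to establish the security context for this Work instance."));
        }

        Subject runAs;
        if (securityName.equals(credentialsService.getUnauthenticatedUserid())) {
            runAs = unauthenticatedSubjectService.getUnauthenticatedSubject();
        } else {
            runAs = AccessController.doPrivileged(new PrivilegedExceptionAction<Subject>() {
                @Override
                public Subject run() throws Exception {
                    return authenticationService.authenticate(DEFAULT_LOGIN_CONFIG, subject);
                }
            });
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "The RunAs subject is created after a successful login.", new Object[0]);
        }
        return runAs;
    }

    /** Removes the RunAs subject installed by {@link #associate}; a no-op when security is disabled. */
    public void dissociate() {
        if (isEntryTraceEnabled()) {
            Tr.entry(tc, DISSOCIATE, new Object[0]);
        }
        if (WSSecurityHelper.isServerSecurityEnabled()) {
            J2CSecurityHelper.removeRunAsSubject();
        }
        if (isEntryTraceEnabled()) {
            Tr.exit(tc, DISSOCIATE);
        }
    }
}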
