package com.ibm.ws.security.csiv2.server.config.tss;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.rsadapter.FFDCLogger;
import com.ibm.ws.security.AccessIdUtil;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.csiv2.Authenticator;
import com.ibm.ws.security.token.TokenManager;
import com.ibm.ws.transport.iiop.security.SASException;
import com.ibm.ws.transport.iiop.security.SASInvalidEvidenceException;
import com.ibm.ws.transport.iiop.security.config.tss.TSSASMechConfig;
import com.ibm.ws.transport.iiop.security.util.Util;
import com.ibm.wsspi.security.csiv2.TrustedIDEvaluator;
import javax.security.auth.Subject;
import org.omg.CSI.EstablishContext;
import org.omg.CSIIOP.AS_ContextSec;
import org.omg.IOP.Codec;

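/**
 * Server-side CSIv2 authentication-layer (AS) mechanism configuration for LTPA tokens.
 *
 * <p>One instance describes how this server advertises LTPA in its IOR ({@link #encodeIOR}),
 * what it supports/requires ({@link #getSupports}, {@link #getRequires}), and how an incoming
 * {@code EstablishContext} message is validated ({@link #check}) or evaluated for identity
 * assertion trust ({@link #isTrusted}).
 *
 * <p>Two construction paths exist: the server path supplies an {@link Authenticator} and a
 * {@link TokenManager}; the decode path reconstructs the configuration from a received
 * {@link AS_ContextSec} and leaves both collaborators {@code null}. Only server-constructed
 * instances may be used for {@link #check} or {@link #isTrusted}; on a decoded instance those
 * methods would dereference a {@code null} collaborator.
 *
 * <p>Thread-safety: all instance fields are final and the class holds no mutable state of its own;
 * safety then depends on the injected {@code authenticator}/{@code tokenManager}, which are not
 * documented here.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "$$$tc$$$", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.csiv2_1.0.13.jar:com/ibm/ws/security/csiv2/server/config/tss/ServerLTPAMechConfig.class */
public class ServerLTPAMechConfig extends TSSASMechConfig {
    /** GSS mechanism OID for LTPA; used for the IOR's client_authentication_mech and the exported target name. */
    public static final String LTPA_OID = "oid:1.3.18.0.2.30.2";
    /** Mechanism name reported by {@link #getMechanism()}. */
    public static final String LTPA = "LTPA";
    // Flag bit placed in target_supports/target_requires. The value 64 is the CSIIOP
    // EstablishTrustInClient association option; kept as a local constant rather than an
    // org.omg.CSIIOP import so the class's imports are unchanged.
    private static final short ESTABLISH_TRUST_IN_CLIENT = 64;
    // Minor code attached to every SASInvalidEvidenceException raised by this class.
    // Value carried over unchanged from the original; its symbolic name is not visible here.
    private static final int INVALID_EVIDENCE_MINOR_CODE = 1229079296;
    // Token attribute key read by isTrusted(); its first value is handed to AccessIdUtil.getUniqueId.
    private static final String USER_ATTRIBUTE_KEY = "u";
    // Message raised when the mechanism is required but the client sent no authentication token.
    private static final String MISSING_TOKEN_MESSAGE =
            "Client authentication is required at the server, but there was no client authentication token sent by the client.";
    // Both collaborators are transient: they are runtime services, never part of the serialized form,
    // and are null on instances produced by the AS_ContextSec decoding constructor.
    private final transient Authenticator authenticator;
    private final transient TokenManager tokenManager;
    // Name exported in the IOR's target_name (GSS exported-name form).
    private final String targetName;
    // True when clients MUST present an LTPA token; false makes the mechanism optional.
    private final boolean required;
    static final long serialVersionUID = -3144653036731130893L;
    private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register(ServerLTPAMechConfig.class);

    /**
     * Creates the server-side configuration.
     *
     * @param authenticator service used by {@link #check} to authenticate a decoded LTPA token
     * @param tokenManager  service used by {@link #isTrusted} to recreate a token from its bytes
     * @param str           target name exported in the IOR
     * @param z             whether client authentication via LTPA is required
     */
    public ServerLTPAMechConfig(Authenticator authenticator, TokenManager tokenManager, String str, boolean z) {
        this.authenticator = authenticator;
        this.tokenManager = tokenManager;
        this.targetName = str;
        this.required = z;
    }

    /**
     * Reconstructs the configuration from a received {@link AS_ContextSec}.
     *
     * <p>The resulting instance carries no {@code authenticator} or {@code tokenManager} and is
     * therefore only suitable for inspection and re-encoding, not for {@link #check}/{@link #isTrusted}.
     *
     * @param aS_ContextSec the AS context component to decode
     */
    public ServerLTPAMechConfig(AS_ContextSec aS_ContextSec) {
        this.targetName = Util.decodeGSSExportedName(aS_ContextSec.target_name).getName();
        // Exact comparison, not a bit test: a target_requires value with any additional
        // option bit set is treated as "not required". Preserved from the original.
        this.required = aS_ContextSec.target_requires == ESTABLISH_TRUST_IN_CLIENT;
        this.authenticator = null;
        this.tokenManager = null;
    }

    /**
     * Returns the association options this server supports: always EstablishTrustInClient.
     *
     * @return the supports mask
     */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSASMechConfig
    public short getSupports() {
        return ESTABLISH_TRUST_IN_CLIENT;
    }

    /**
     * Returns the association options this server requires: EstablishTrustInClient when
     * {@code required} is set, otherwise none.
     *
     * @return the requires mask
     */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSASMechConfig
    public short getRequires() {
        return requiresMask();
    }

    /**
     * Builds the AS_ContextSec component advertised in this server's IOR.
     *
     * @param codec the CDR codec (not used by this mechanism; accepted for interface conformance)
     * @return the populated component
     * @throws Exception if the OID or the GSS exported name cannot be encoded
     */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSASMechConfig
    public AS_ContextSec encodeIOR(Codec codec) throws Exception {
        AS_ContextSec contextSec = new AS_ContextSec();
        contextSec.target_supports = ESTABLISH_TRUST_IN_CLIENT;
        contextSec.target_requires = requiresMask();
        contextSec.client_authentication_mech = Util.encodeOID(LTPA_OID);
        contextSec.target_name = Util.encodeGSSExportName(LTPA_OID, this.targetName);
        return contextSec;
    }

    /**
     * Validates the client authentication token carried by an EstablishContext message.
     *
     * <p>Outcomes:
     * <ul>
     *   <li>token present: it is decoded and authenticated; the resulting {@link Subject} is returned;</li>
     *   <li>token absent and mechanism required: a {@link SASInvalidEvidenceException} is thrown;</li>
     *   <li>token absent and mechanism optional: {@code null} is returned (no authenticated subject).</li>
     * </ul>
     * Authentication failures are not recorded as FFDC ({@code @FFDCIgnore}); they are an expected
     * outcome of bad credentials, not a server fault.
     *
     * @param establishContext the received message, may be {@code null}
     * @param codec            codec used to decode the LTPA token
     * @return the authenticated subject, or {@code null} when no token was sent and none is required
     * @throws SASException when the token is missing but required, or fails authentication
     */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSASMechConfig
    @FFDCIgnore({AuthenticationException.class})
    public Subject check(EstablishContext establishContext, Codec codec) throws SASException {
        if (!hasClientAuthenticationToken(establishContext)) {
            if (this.required) {
                throw new SASInvalidEvidenceException(MISSING_TOKEN_MESSAGE, INVALID_EVIDENCE_MINOR_CODE);
            }
            // Mechanism is optional and the client sent nothing: proceed without a subject.
            return null;
        }
        try {
            return this.authenticator.authenticate(Util.decodeLTPAToken(codec, establishContext.client_authentication_token));
        } catch (AuthenticationException e) {
            // Only the (message, minorCode) constructor is visible here, so the cause is not chained.
            // The authentication failure message is propagated verbatim; whether it reaches the
            // client depends on the caller's SASException handling, which is outside this class.
            throw new SASInvalidEvidenceException(e.getMessage(), INVALID_EVIDENCE_MINOR_CODE);
        }
    }

    /**
     * Decides whether the client presenting this EstablishContext is trusted to assert identities.
     *
     * <p>The LTPA token is recreated from its bytes, its {@code "u"} attribute is resolved to a
     * unique id, and that id is passed to the {@link TrustedIDEvaluator}. The method fails closed:
     * a missing token, an undecodable token, a missing attribute, or any exception raised on the
     * way (including a {@code null} evaluator or token manager) yields {@code false}.
     *
     * @param trustedIDEvaluator evaluator consulted with the token's unique id
     * @param establishContext   the received message, may be {@code null}
     * @param codec              codec used to decode the LTPA token
     * @return {@code true} only when the evaluator accepts the id derived from the token
     */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSASMechConfig
    @FFDCIgnore({Exception.class})
    public boolean isTrusted(TrustedIDEvaluator trustedIDEvaluator, EstablishContext establishContext, Codec codec) {
        if (!hasClientAuthenticationToken(establishContext)) {
            return false;
        }
        try {
            byte[] tokenBytes = Util.decodeLTPAToken(codec, establishContext.client_authentication_token);
            String[] userAttributes = this.tokenManager.recreateTokenFromBytes(tokenBytes).getAttributes(USER_ATTRIBUTE_KEY);
            if (userAttributes == null || userAttributes.length == 0) {
                return false;
            }
            return trustedIDEvaluator.isTrusted(AccessIdUtil.getUniqueId(userAttributes[0]));
        } catch (Exception ignored) {
            // Deliberate best-effort: any failure means "not trusted". FFDC is suppressed for this
            // catch via @FFDCIgnore, matching the original behavior.
            return false;
        }
    }

    /**
     * Convenience form of {@link #toString(String, StringBuilder)} with no indentation.
     *
     * @return the multi-line description of this configuration
     */
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder();
        toString("", sb);
        return sb.toString();
    }

    /**
     * Appends an indented, multi-line description of this configuration.
     *
     * @param str indentation prefix for the outer lines
     * @param sb  builder to append to
     */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSASMechConfig
    @Trivial
    public void toString(String str, StringBuilder sb) {
        String innerIndent = str + FFDCLogger.TAB;
        sb.append(str).append("ServerLTPAMechConfig: [\n");
        sb.append(innerIndent).append("targetName:   ").append(this.targetName).append("\n");
        sb.append(innerIndent).append("required  :   ").append(this.required).append("\n");
        sb.append(str).append("]\n");
    }

    /**
     * Returns the mechanism name, {@value #LTPA}.
     *
     * @return {@link #LTPA}
     */
    @Override // com.ibm.ws.transport.iiop.security.config.tss.TSSASMechConfig
    public String getMechanism() {
        return LTPA;
    }

    // Requires mask shared by getRequires() and encodeIOR() so the two cannot drift apart.
    private short requiresMask() {
        return this.required ? ESTABLISH_TRUST_IN_CLIENT : (short) 0;
    }

    // True when the message carries a non-empty client_authentication_token; null-safe on the message.
    private static boolean hasClientAuthenticationToken(EstablishContext establishContext) {
        return establishContext != null
                && establishContext.client_authentication_token != null
                && establishContext.client_authentication_token.length > 0;
    }
}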
