package com.ibm.ws.security.csiv2.server.config.tss;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ssl.SSLException;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.UnauthenticatedSubjectService;
import com.ibm.ws.security.csiv2.Authenticator;
import com.ibm.ws.security.csiv2.CommonCfg;
import com.ibm.ws.security.csiv2.server.TraceConstants;
import com.ibm.ws.security.csiv2.trust.TrustedIDEvaluatorImpl;
import com.ibm.ws.security.csiv2.util.SecurityServices;
import com.ibm.ws.security.token.TokenManager;
import com.ibm.ws.transport.iiop.security.config.tss.OptionsKey;
import com.ibm.ws.transport.iiop.security.config.tss.TSSASMechConfig;
import com.ibm.ws.transport.iiop.security.config.tss.TSSCompoundSecMechConfig;
import com.ibm.ws.transport.iiop.security.config.tss.TSSCompoundSecMechListConfig;
import com.ibm.ws.transport.iiop.security.config.tss.TSSConfig;
import com.ibm.ws.transport.iiop.security.config.tss.TSSGSSUPMechConfig;
import com.ibm.ws.transport.iiop.security.config.tss.TSSITTAbsent;
import com.ibm.ws.transport.iiop.security.config.tss.TSSITTAnonymous;
import com.ibm.ws.transport.iiop.security.config.tss.TSSITTDistinguishedName;
import com.ibm.ws.transport.iiop.security.config.tss.TSSITTPrincipalNameGSSUP;
import com.ibm.ws.transport.iiop.security.config.tss.TSSITTX509CertChain;
import com.ibm.ws.transport.iiop.security.config.tss.TSSNULLASMechConfig;
import com.ibm.ws.transport.iiop.security.config.tss.TSSNULLTransportConfig;
import com.ibm.ws.transport.iiop.security.config.tss.TSSSASMechConfig;
import com.ibm.ws.transport.iiop.security.config.tss.TSSSSLTransportConfig;
import com.ibm.ws.transport.iiop.security.config.tss.TSSTransportMechConfig;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import org.omg.CSIIOP.TransportAddress;

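@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.csiv2_1.0.13.jar:com/ibm/ws/security/csiv2/server/config/tss/ServerConfigHelper.class */
/**
 * Builds the server-side (target security service, TSS) CSIv2 configuration from the
 * parsed {@code serverPolicy} element.
 * <p>
 * For every configured layer set the helper produces one or more compound security
 * mechanisms: the authentication layer decides how many mechanisms there are (one per
 * accepted AS mechanism, or a single NULL mechanism), and the transport and attribute
 * layers are then applied uniformly to all of them.
 * <p>
 * Security-relevant downgrade paths, all of which end in an unprotected layer, are
 * called out inline: a missing transport layer or an empty {@code sslRef} yields a
 * NULL (plaintext) transport; {@code establishTrustInClient=Never}, an empty mechanism
 * list, or a list containing only unknown names yields the NULL authentication
 * mechanism. Most of these are reported via {@link Tr#warning}; the empty-{@code sslRef}
 * case is not.
 */
public class ServerConfigHelper extends CommonCfg {
    private static TraceComponent tc = Tr.register((Class<?>) ServerConfigHelper.class, "CSIv2", TraceConstants.MESSAGE_BUNDLE);
    public static final String KEY_POLICY = "serverPolicy";
    private static final String TYPE = "com.ibm.ws.security.csiv2.serverPolicyCSIV2";
    public static final String KEY_TRUSTED_IDENTITIES = "trustedIdentities";
    /** Map key under which the GSSUP mechanism is registered; also reused for the NULL mechanism. */
    private static final String GSSUP_MECH_KEY = "oid:2.23.130.1.1.1";
    /** Map key under which the LTPA mechanism is registered. */
    private static final String LTPA_MECH_KEY = "oid:1.3.18.0.2.30.2";
    /** Transport-layer attribute names read from the parsed config. */
    private static final String KEY_SSL_ENABLED = "sslEnabled";
    private static final String KEY_SSL_REF = "sslRef";
    private final Authenticator authenticator;
    private final TokenManager tokenManager;
    private final UnauthenticatedSubjectService unauthenticatedSubjectService;
    private final String targetName;
    static final long serialVersionUID = -1795192382059217169L;

    /**
     * @param authenticator                 authenticator handed to every mechanism that validates credentials
     * @param tokenManager                  token manager handed to the LTPA mechanism
     * @param unauthenticatedSubjectService service used by the anonymous identity-assertion token
     * @param str                           target name passed to the GSSUP/LTPA mechanisms and the principal-name token
     * @param str2                          passed through to {@link CommonCfg}; presumably the default SSL alias (see {@code defaultAlias}) — verify against CommonCfg
     */
    public ServerConfigHelper(Authenticator authenticator, TokenManager tokenManager, UnauthenticatedSubjectService unauthenticatedSubjectService, String str, String str2) {
        super(str2);
        this.authenticator = authenticator;
        this.targetName = str;
        this.tokenManager = tokenManager;
        this.unauthenticatedSubjectService = unauthenticatedSubjectService;
    }

    /**
     * Builds the complete TSS configuration for the server.
     *
     * @param map  the parsed configuration; the {@code serverPolicy} policy data is extracted from it
     * @param map2 transport addresses keyed by SSL alias, consumed when an SSL transport is configured
     * @return a {@link TSSConfig}; its mechanism list is empty when no policy data is present
     * @throws Exception propagated from policy extraction or layer construction
     */
    public TSSConfig getTSSConfig(Map<String, Object> map, Map<String, List<TransportAddress>> map2) throws Exception {
        TSSConfig config = new TSSConfig();
        printTrace("IIOP Server Policy", null, 0);
        CommonCfg.PolicyData policy = extractPolicyData(map, KEY_POLICY, TYPE);
        if (policy == null) {
            // No serverPolicy element: return a config with an empty mechanism list.
            return config;
        }
        printTrace("CSIV2", null, 1);
        TSSCompoundSecMechListConfig mechList = config.getMechListConfig();
        mechList.setStateful(policy.stateful);
        printTrace("Stateful", Boolean.valueOf(mechList.isStateful()), 2);
        populateSecMechList(mechList, policy.layersData, map2);
        return config;
    }

    /**
     * Appends the compound mechanisms derived from every layer set to the mechanism list,
     * preserving configuration order.
     */
    private void populateSecMechList(TSSCompoundSecMechListConfig tSSCompoundSecMechListConfig, List<CommonCfg.LayersData> list, Map<String, List<TransportAddress>> map) throws Exception {
        for (CommonCfg.LayersData layers : list) {
            Map<String, TSSCompoundSecMechConfig> mechs = extractCompoundSecMech(layers, map);
            for (Map.Entry<String, TSSCompoundSecMechConfig> entry : mechs.entrySet()) {
                tSSCompoundSecMechListConfig.add(entry.getValue(), entry.getKey());
            }
        }
    }

    /**
     * Builds the compound mechanisms for one layer set.
     * <p>
     * The authentication layer is processed first because it determines how many compound
     * mechanisms exist; the transport and attribute layers are then applied to all of them.
     *
     * @return mechanisms keyed by mechanism OID string, in insertion order
     */
    protected Map<String, TSSCompoundSecMechConfig> extractCompoundSecMech(CommonCfg.LayersData layersData, Map<String, List<TransportAddress>> map) throws Exception {
        printTrace("Layers", null, 1);
        Map<String, TSSCompoundSecMechConfig> mechs = new LinkedHashMap<String, TSSCompoundSecMechConfig>();
        setAuthenticationLayerConfig(mechs, layersData);
        setTransportLayerConfig(mechs, layersData, map);
        setAttributeLayerConfig(mechs, layersData);
        return mechs;
    }

    /**
     * Resolves the transport mechanism for the layer set and installs it on every compound mechanism.
     * <p>
     * A NULL (unprotected) transport results when the transport layer is absent, when
     * {@code sslEnabled} is false, or when {@code sslRef} is the empty string. A
     * {@code null} {@code sslRef} is <em>not</em> treated as empty: it falls back to the
     * default alias in {@link #extractSSLTransport}.
     *
     * @throws IllegalStateException if the transport layer is present but has no {@code sslEnabled} value
     * @throws SSLException          propagated from SSL configuration lookup
     */
    private void setTransportLayerConfig(Map<String, TSSCompoundSecMechConfig> map, CommonCfg.LayersData layersData, Map<String, List<TransportAddress>> map2) throws SSLException {
        Map<String, Object> transportLayer = layersData.transportLayer;
        TSSTransportMechConfig transport;
        if (transportLayer == null) {
            transport = new TSSNULLTransportConfig();
        } else {
            printTrace("Transport Layer", null, 2);
            Boolean sslEnabled = (Boolean) transportLayer.get(KEY_SSL_ENABLED);
            if (sslEnabled == null) {
                // Fail closed with a readable error rather than an accidental NullPointerException.
                throw new IllegalStateException("transportLayer is missing the required attribute " + KEY_SSL_ENABLED);
            }
            String sslRef = (String) transportLayer.get(KEY_SSL_REF);
            if (!sslEnabled.booleanValue() || "".equals(sslRef)) {
                // NOTE(security): sslEnabled=true with an empty sslRef silently degrades to a
                // plaintext transport; no warning is emitted on this path.
                transport = new TSSNULLTransportConfig();
            } else {
                transport = extractSSLTransport(transportLayer, map2);
            }
        }
        for (TSSCompoundSecMechConfig mech : map.values()) {
            mech.setTransport_mech(transport);
        }
    }

    /**
     * Builds the SSL transport mechanism for the alias named by {@code sslRef} (or the
     * default alias when {@code sslRef} is absent).
     *
     * @throws IllegalStateException if no transport addresses are registered for the alias
     * @throws SSLException          propagated from the SSL configuration lookup
     */
    private TSSTransportMechConfig extractSSLTransport(Map<String, Object> map, Map<String, List<TransportAddress>> map2) throws SSLException {
        String configured = (String) map.get(KEY_SSL_REF);
        String alias = configured != null ? configured : this.defaultAlias;
        OptionsKey associationOptions = SecurityServices.getSSLConfig().getAssociationOptions(alias);
        TSSSSLTransportConfig sslTransport = new TSSSSLTransportConfig(this.authenticator);
        // Association options (what the transport supports / requires) come from the SSL config
        // for the alias, not from the CSIv2 policy itself.
        sslTransport.setSupports(associationOptions.supports);
        sslTransport.setRequires(associationOptions.requires);
        List<TransportAddress> addresses = map2.get(alias);
        if (addresses == null) {
            throw new IllegalStateException("No transport addresses configured for sslAlias: " + alias + " with supports: " + ((int) associationOptions.supports) + " and requires: " + ((int) associationOptions.requires));
        }
        sslTransport.setTransportAddresses(addresses);
        return sslTransport;
    }

    /**
     * Creates one compound mechanism per authentication-layer mechanism and stores it in {@code map}.
     * An absent authentication layer yields a single compound mechanism with the NULL AS mechanism.
     */
    private void setAuthenticationLayerConfig(Map<String, TSSCompoundSecMechConfig> map, CommonCfg.LayersData layersData) {
        Map<String, Object> authLayer = layersData.authenticationLayer;
        if (authLayer == null) {
            TSSCompoundSecMechConfig nullMech = new TSSCompoundSecMechConfig();
            nullMech.setAs_mech(new TSSNULLASMechConfig());
            map.put(GSSUP_MECH_KEY, nullMech);
            return;
        }
        printTrace("Authentication Layer", null, 2);
        for (Map.Entry<String, TSSASMechConfig> entry : extractASMech(authLayer).entrySet()) {
            TSSCompoundSecMechConfig compound = new TSSCompoundSecMechConfig();
            compound.setAs_mech(entry.getValue());
            map.put(entry.getKey(), compound);
        }
    }

    /**
     * Translates the authentication layer into AS mechanism configs keyed by mechanism OID.
     * <p>
     * {@code establishTrustInClient=Required} makes every mechanism mandatory; {@code Never}
     * disables the layer entirely (NULL mechanism, with a warning). Any other value leaves
     * the mechanisms optional. Mechanism names are matched case-insensitively and
     * de-duplicated; unknown names are warned about and skipped. If nothing valid remains,
     * the NULL mechanism is installed even when {@code Required} was configured — the
     * per-name warnings are the only signal of that downgrade.
     */
    private Map<String, TSSASMechConfig> extractASMech(Map<String, Object> map) {
        Map<String, TSSASMechConfig> mechs = new LinkedHashMap<String, TSSASMechConfig>();
        String establishTrust = (String) map.get(CommonCfg.KEY_ESTABLISH_TRUST_IN_CLIENT);
        if (CommonCfg.OPTION_NEVER.equals(establishTrust)) {
            Tr.warning(tc, "CSIv2_COMMON_AUTH_LAYER_DISABLED", establishTrust);
            mechs.put(GSSUP_MECH_KEY, new TSSNULLASMechConfig());
            return mechs;
        }
        boolean required = "Required".equals(establishTrust);
        List<String> asMechanisms = getAsMechanisms(map);
        if (asMechanisms.isEmpty()) {
            Tr.warning(tc, "CSIv2_SERVER_AUTH_MECHANISMS_NULL", new Object[0]);
            mechs.put(GSSUP_MECH_KEY, new TSSNULLASMechConfig());
            return mechs;
        }
        List<String> seen = new ArrayList<String>();
        for (String mechanism : asMechanisms) {
            // Locale-independent key so de-duplication does not depend on the server's default locale.
            String key = mechanism.toUpperCase(Locale.ROOT);
            if (seen.contains(key)) {
                continue;
            }
            seen.add(key);
            if ("LTPA".equalsIgnoreCase(mechanism)) {
                mechs.put(LTPA_MECH_KEY, new ServerLTPAMechConfig(this.authenticator, this.tokenManager, this.targetName, required));
            } else if ("GSSUP".equalsIgnoreCase(mechanism)) {
                mechs.put(GSSUP_MECH_KEY, new TSSGSSUPMechConfig(this.authenticator, this.targetName, required));
            } else {
                Tr.warning(tc, "CSIv2_SERVER_AUTH_MECHANISM_INVALID", mechanism);
            }
        }
        if (mechs.isEmpty()) {
            // Only unknown mechanism names were configured: fall back to the NULL mechanism.
            mechs.put(GSSUP_MECH_KEY, new TSSNULLASMechConfig());
        }
        return mechs;
    }

    /**
     * Resolves the SAS (attribute layer) mechanism and installs it on every compound mechanism.
     * Without an attribute layer, only the absent identity token is accepted and the trusted-ID
     * evaluator is created with no configured trusted identities.
     */
    private void setAttributeLayerConfig(Map<String, TSSCompoundSecMechConfig> map, CommonCfg.LayersData layersData) {
        Map<String, Object> attributeLayer = layersData.attributeLayer;
        TSSSASMechConfig sas;
        if (attributeLayer == null) {
            sas = new TSSSASMechConfig(new TrustedIDEvaluatorImpl());
            sas.addIdentityToken(new TSSITTAbsent());
        } else {
            printTrace("Attribute Layer", null, 2);
            sas = extractSASMech(attributeLayer);
        }
        for (TSSCompoundSecMechConfig mech : map.values()) {
            mech.setSas_mech(sas);
        }
    }

    /**
     * Builds the SAS mechanism from the attribute layer.
     * <p>
     * The absent identity token is always accepted. Identity-assertion tokens are added only
     * when {@code identityAssertionEnabled} is {@code true} and a types array is present; a
     * missing flag or missing types array is treated as "no assertion accepted" (fail closed)
     * rather than failing with a NullPointerException. Unrecognized type names are ignored
     * silently, so a misspelled type simply is not accepted.
     */
    private TSSSASMechConfig extractSASMech(Map<String, Object> map) {
        boolean assertionEnabled = Boolean.TRUE.equals(map.get(CommonCfg.KEY_IDENTITY_ASSERTION_ENABLED));
        String[] assertionTypes = (String[]) map.get(CommonCfg.KEY_IDENTITY_ASSERTION_TYPES);
        // trustedIdentities may be null here; the evaluator is built with whatever was configured.
        TSSSASMechConfig sas = new TSSSASMechConfig(new TrustedIDEvaluatorImpl((String) map.get(KEY_TRUSTED_IDENTITIES)));
        sas.addIdentityToken(new TSSITTAbsent());
        if (!assertionEnabled || assertionTypes == null) {
            return sas;
        }
        for (String type : assertionTypes) {
            if ("ITTAnonymous".equals(type)) {
                sas.addIdentityToken(new TSSITTAnonymous(this.unauthenticatedSubjectService));
            } else if ("ITTPrincipalName".equals(type)) {
                sas.addIdentityToken(new TSSITTPrincipalNameGSSUP(this.authenticator, this.targetName));
            } else if ("ITTX509CertChain".equals(type)) {
                sas.addIdentityToken(new TSSITTX509CertChain(this.authenticator));
            } else if ("ITTDistinguishedName".equals(type)) {
                sas.addIdentityToken(new TSSITTDistinguishedName(this.authenticator));
            }
            // Any other name is not a supported identity token type and is skipped.
        }
        return sas;
    }

    /**
     * Returns the SSL alias references used by the server policy in {@code map}.
     */
    public Set<String> extractSslRefs(Map<String, Object> map) {
        return extractSslRefs(map, KEY_POLICY, TYPE);
    }
}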
