package com.ibm.ws.security.context.internal;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.ManualTrace;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.UnauthenticatedSubjectService;
import com.ibm.ws.security.authentication.helper.AuthenticateUserHelper;
import com.ibm.ws.security.authentication.principals.WSPrincipal;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.security.context.SubjectManager;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.threadcontext.ThreadContext;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamField;
import java.util.Hashtable;
import java.util.Set;
import javax.security.auth.Subject;

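/**
 * Thread context that carries the caller and invocation {@link Subject} from one thread to
 * another, and that can be serialized and later restored.
 *
 * <p>In memory the context holds the two Subjects directly. {@link #taskStarting()} installs
 * them on the current thread through {@link SubjectManager} and {@link #taskStopping()} puts
 * back whatever was there before.
 *
 * <p>The Subject fields are {@code transient}. The serialized form (see
 * {@code serialPersistentFields}) contains only the {@link WSPrincipal} of each Subject, a flag
 * saying whether both Subjects are the same instance, the JAAS login context entry name, and the
 * Subject cache keys. After deserialization the Subjects stay {@code null} until
 * {@link #recreateFullSubjects} is called.
 *
 * <p>Security note: {@link #recreateFullSubjects} rebuilds each Subject from the principal
 * <em>name</em>, the JAAS login context entry and the cache key read from the stream, and nothing
 * in this class validates those values. The serialized bytes therefore work as an identity
 * assertion and should only be read from storage whose integrity and origin are trusted.
 * NOTE(review): this presumes {@code AuthenticateUserHelper.authenticateUser} asserts the named
 * identity without a password; confirm against that helper.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.context_1.0.13.jar:com/ibm/ws/security/context/internal/SecurityContextImpl.class */
public class SecurityContextImpl implements ThreadContext {
    private static final long serialVersionUID = 2674866355469888259L;

    /** JAAS login context entry used when the serialized context did not carry one. */
    protected static final String DESERIALIZE_LOGINCONTEXT_DEFAULT = "system.DESERIALIZE_CONTEXT";

    // Names of the fields in the serialized form; they are part of the wire format.
    private static final String CALLER_PRINCIPAL = "C";
    private static final String INVOCATION_PRINCIPAL = "I";
    private static final String JAAS_LOGIN_CONTEXT = "J";
    private static final String SUBJECTS_ARE_EQUAL = "E";
    private static final String CALLER_SUBJECT_CACHE_KEY = "CK";
    private static final String INVOCATION_SUBJECT_CACHE_KEY = "IK";

    // Message key. NOTE(review): the constant name says "serialize" but the key names a
    // deserialization/authentication error; it is used on both paths below.
    private static final String SEC_CONTEXT_UNABLE_TO_SERIALIZE = "SEC_CONTEXT_DESERIALIZE_AUTHN_ERROR";

    // Subject attribute under which the cache key is looked up.
    private static final String CACHE_KEY_ATTRIBUTE = "com.ibm.wsspi.security.cred.cacheKey";

    private static final TraceComponent tc = Tr.register(SecurityContextImpl.class);

    private static final ObjectStreamField[] serialPersistentFields = {
        new ObjectStreamField(CALLER_PRINCIPAL, WSPrincipal.class),
        new ObjectStreamField(INVOCATION_PRINCIPAL, WSPrincipal.class),
        new ObjectStreamField(SUBJECTS_ARE_EQUAL, Boolean.TYPE),
        new ObjectStreamField(JAAS_LOGIN_CONTEXT, String.class),
        new ObjectStreamField(CALLER_SUBJECT_CACHE_KEY, String.class),
        new ObjectStreamField(INVOCATION_SUBJECT_CACHE_KEY, String.class)
    };

    private String jaasLoginContextEntry;
    protected transient Subject invocationSubject;
    protected transient Subject callerSubject;
    private transient SubjectManager subjectManager;
    protected transient SubjectHelper subjectHelper;
    protected WSPrincipal invocationPrincipal = null;
    protected WSPrincipal callerPrincipal = null;
    private boolean subjectsAreEqual = false;
    // Subjects that were on the thread before taskStarting(); restored by taskStopping().
    private transient Subject prevInvocationSubject = null;
    private transient Subject prevCallerSubject = null;
    private String callerSubjectCacheKey = null;
    private String invocationSubjectCacheKey = null;

    /**
     * Creates a context, optionally capturing the Subjects of the current thread.
     *
     * @param captureCurrentSubjects when {@code true}, the invocation and caller Subjects are
     *        read from a new {@link SubjectManager}; when {@code false}, both stay {@code null}
     * @param jaasLoginContextEntry JAAS login context entry name stored for later use by
     *        {@link #recreateFullSubject}; may be {@code null}
     */
    @ManualTrace
    public SecurityContextImpl(boolean captureCurrentSubjects, String jaasLoginContextEntry) {
        boolean isAnyTracingEnabled = TraceComponent.isAnyTracingEnabled();
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.entry(this, tc, "<init>", Boolean.valueOf(captureCurrentSubjects), jaasLoginContextEntry);
        }
        this.jaasLoginContextEntry = jaasLoginContextEntry;
        this.subjectManager = new SubjectManager();
        this.subjectHelper = new SubjectHelper();
        if (captureCurrentSubjects) {
            this.invocationSubject = this.subjectManager.getInvocationSubject();
            this.callerSubject = this.subjectManager.getCallerSubject();
        }
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            // NOTE(review): whole Subject objects are handed to trace here and in the other
            // entry/exit calls, while toString() below limits itself to principals. Confirm
            // that the trace formatter does not render private credentials.
            Tr.exit(this, tc, "<init>", new Object[]{"caller/invocation subjects", this.callerSubject, this.invocationSubject});
        }
    }

    /**
     * Returns a shallow copy whose "previous" Subjects are cleared, so the copy does not restore
     * Subjects that were saved by a {@link #taskStarting()} call on the original.
     *
     * @return the copy
     * @throws RuntimeException wrapping {@link CloneNotSupportedException} if cloning fails
     */
    @Override // com.ibm.wsspi.threadcontext.ThreadContext
    /* renamed from: clone, reason: merged with bridge method [inline-methods] */
    public ThreadContext m9296clone() {
        try {
            SecurityContextImpl copy = (SecurityContextImpl) super.clone();
            copy.prevCallerSubject = null;
            copy.prevInvocationSubject = null;
            return copy;
        } catch (CloneNotSupportedException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.context.internal.SecurityContextImpl", "205", this, new Object[0]);
            throw new RuntimeException(e);
        }
    }

    /**
     * Saves the Subjects currently on the thread and replaces them with the ones held by this
     * context.
     */
    @Override // com.ibm.wsspi.threadcontext.ThreadContext
    @ManualTrace
    public void taskStarting() {
        boolean isAnyTracingEnabled = TraceComponent.isAnyTracingEnabled();
        this.prevInvocationSubject = this.subjectManager.getInvocationSubject();
        this.prevCallerSubject = this.subjectManager.getCallerSubject();
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.entry(this, tc, "taskStarting", "previous caller/invocation subjects", this.prevCallerSubject, this.prevInvocationSubject);
        }
        this.subjectManager.setInvocationSubject(this.invocationSubject);
        this.subjectManager.setCallerSubject(this.callerSubject);
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.exit(this, tc, "taskStarting", new Object[]{"new caller/invocation subjects", this.callerSubject, this.invocationSubject});
        }
    }

    /**
     * Restores the Subjects saved by {@link #taskStarting()}. If {@code taskStarting()} was not
     * called on this instance, the saved values are {@code null} and that is what gets set.
     */
    @Override // com.ibm.wsspi.threadcontext.ThreadContext
    @ManualTrace
    public void taskStopping() {
        boolean isAnyTracingEnabled = TraceComponent.isAnyTracingEnabled();
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.entry(this, tc, "taskStopping", "restore caller/invocation subjects", this.prevCallerSubject, this.prevInvocationSubject);
        }
        this.subjectManager.setCallerSubject(this.prevCallerSubject);
        this.subjectManager.setInvocationSubject(this.prevInvocationSubject);
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.exit(this, tc, "taskStopping");
        }
    }

    /** Compares by reference: two Subjects count as equal only when they are the same instance. */
    private boolean areSubjectsEqual(Subject first, Subject second) {
        return first == second;
    }

    /**
     * Writes the serialized form: the WSPrincipal of each authenticated Subject, the
     * subjects-are-equal flag, the JAAS login context entry and, best effort, the cache keys.
     * Unauthenticated or {@code null} Subjects contribute no principal.
     *
     * <p>The cache keys are written as plain strings. NOTE(review): if a cache key is enough to
     * obtain an authenticated Subject from the authentication cache, the serialized bytes need
     * the same protection as a credential; confirm and protect the storage accordingly.
     *
     * @throws IOException if a Subject holds more than one WSPrincipal or the stream fails
     */
    @ManualTrace
    private void writeObject(ObjectOutputStream objectOutputStream) throws IOException {
        boolean isAnyTracingEnabled = TraceComponent.isAnyTracingEnabled();
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.entry(this, tc, "writeObject", "caller/invocation subjects:", this.callerSubject, this.invocationSubject, "jaasLoginContextEntry:", this.jaasLoginContextEntry);
        }
        ObjectOutputStream.PutField putFields = objectOutputStream.putFields();
        if (this.callerSubject != null && !this.subjectHelper.isUnauthenticated(this.callerSubject)) {
            putFields.put(CALLER_PRINCIPAL, getWSPrincipal(this.callerSubject));
        }
        this.subjectsAreEqual = areSubjectsEqual(this.callerSubject, this.invocationSubject);
        putFields.put(SUBJECTS_ARE_EQUAL, this.subjectsAreEqual);
        // When both Subjects are the same instance the invocation principal is not written;
        // readState() copies the caller principal instead.
        if (!this.subjectsAreEqual && this.invocationSubject != null && !this.subjectHelper.isUnauthenticated(this.invocationSubject)) {
            putFields.put(INVOCATION_PRINCIPAL, getWSPrincipal(this.invocationSubject));
        }
        if (this.jaasLoginContextEntry != null) {
            putFields.put(JAAS_LOGIN_CONTEXT, this.jaasLoginContextEntry);
        }
        try {
            serializeSubjectCacheKey(putFields);
        } catch (Exception e) {
            // Deliberately best effort: a missing cache key does not abort serialization.
            FFDCFilter.processException(e, "com.ibm.ws.security.context.internal.SecurityContextImpl", "290", this, new Object[]{objectOutputStream});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to serialize Subject Cache Key: " + e.getMessage(), new Object[0]);
            }
            if (tc.isWarningEnabled()) {
                Tr.warning(tc, SEC_CONTEXT_UNABLE_TO_SERIALIZE, new Object[0]);
            }
        }
        objectOutputStream.writeFields();
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.exit(this, tc, "writeObject", new Object[]{"subjects are equal: ", Boolean.valueOf(this.subjectsAreEqual)});
        }
    }

    /**
     * Reads the serialized form and re-creates the transient helpers. The Subjects themselves
     * are not rebuilt here; call {@link #recreateFullSubjects} for that.
     */
    @ManualTrace
    private void readObject(ObjectInputStream objectInputStream) throws ClassNotFoundException, IOException {
        boolean isAnyTracingEnabled = TraceComponent.isAnyTracingEnabled();
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.entry(this, tc, "readObject", new Object[0]);
        }
        readState(objectInputStream.readFields());
        this.subjectManager = new SubjectManager();
        // subjectHelper is transient and the constructor does not run during deserialization.
        // Without this, writeObject() and serializeSubjectCacheKey() would dereference null when
        // a restored context (after recreateFullSubjects) is serialized again.
        this.subjectHelper = new SubjectHelper();
        if (isAnyTracingEnabled && tc.isEntryEnabled()) {
            Tr.exit(this, tc, "readObject", new Object[]{"deserialized caller/invocation principals: ", this.callerPrincipal, this.invocationPrincipal, "subjects are equal? ", Boolean.valueOf(this.subjectsAreEqual), "jaasLoginContextEntry: ", this.jaasLoginContextEntry});
        }
    }

    /**
     * Copies the stream fields into this instance. Absent fields default to {@code null} (or
     * {@code false} for the flag). The values are taken as they come from the stream; no
     * validation is done here.
     */
    private void readState(ObjectInputStream.GetField fields) throws IOException {
        this.callerPrincipal = (WSPrincipal) fields.get(CALLER_PRINCIPAL, (Object) null);
        this.subjectsAreEqual = fields.get(SUBJECTS_ARE_EQUAL, false);
        if (this.subjectsAreEqual) {
            this.invocationPrincipal = this.callerPrincipal;
        } else {
            this.invocationPrincipal = (WSPrincipal) fields.get(INVOCATION_PRINCIPAL, (Object) null);
        }
        this.jaasLoginContextEntry = (String) fields.get(JAAS_LOGIN_CONTEXT, (Object) null);
        this.callerSubjectCacheKey = (String) fields.get(CALLER_SUBJECT_CACHE_KEY, (Object) null);
        this.invocationSubjectCacheKey = (String) fields.get(INVOCATION_SUBJECT_CACHE_KEY, (Object) null);
    }

    /**
     * Rebuilds a Subject for the given principal by authenticating its name through
     * {@link AuthenticateUserHelper}. Falls back to the unauthenticated Subject when the
     * principal is {@code null}, when authentication throws, or when it yields {@code null}.
     *
     * <p>Side effect: if no JAAS login context entry is set on this instance, it is set to
     * {@link #DESERIALIZE_LOGINCONTEXT_DEFAULT}.
     *
     * @param wSPrincipal principal to rebuild, usually read from the serialized form
     * @param securityService source of the authentication service
     * @param atomicServiceReference source of the unauthenticated Subject
     * @param subjectCacheKey cache key passed on to the authentication helper; may be {@code null}
     * @return the authenticated Subject, or the unauthenticated Subject as fallback
     */
    @FFDCIgnore({AuthenticationException.class})
    protected Subject recreateFullSubject(WSPrincipal wSPrincipal, SecurityService securityService, AtomicServiceReference<UnauthenticatedSubjectService> atomicServiceReference, String subjectCacheKey) {
        Subject subject = null;
        if (wSPrincipal != null) {
            String name = wSPrincipal.getName();
            AuthenticateUserHelper authenticateUserHelper = new AuthenticateUserHelper();
            if (this.jaasLoginContextEntry == null) {
                this.jaasLoginContextEntry = DESERIALIZE_LOGINCONTEXT_DEFAULT;
            }
            try {
                // Name, login context entry and cache key may all originate from the serialized
                // stream; see the class-level security note.
                subject = authenticateUserHelper.authenticateUser(securityService.getAuthenticationService(), name, this.jaasLoginContextEntry, subjectCacheKey);
            } catch (AuthenticationException e) {
                // Logged, not rethrown: the caller gets the unauthenticated Subject below.
                Tr.error(tc, SEC_CONTEXT_UNABLE_TO_SERIALIZE, e.getLocalizedMessage());
            }
        }
        if (subject == null) {
            subject = atomicServiceReference.getService().getUnauthenticatedSubject();
        }
        return subject;
    }

    /**
     * Returns the single {@link WSPrincipal} of a Subject.
     *
     * @param subject Subject to inspect; may be {@code null}
     * @return the principal, or {@code null} if the Subject is {@code null} or has none
     * @throws IOException if the Subject holds more than one WSPrincipal
     */
    protected WSPrincipal getWSPrincipal(Subject subject) throws IOException {
        Set<WSPrincipal> principals = subject != null ? subject.getPrincipals(WSPrincipal.class) : null;
        if (principals == null || principals.isEmpty()) {
            return null;
        }
        if (principals.size() > 1) {
            // Ambiguous identity: refuse to pick one and list all names in the error.
            String names = null;
            for (WSPrincipal principal : principals) {
                names = names == null ? principal.getName() : names + ", " + principal.getName();
            }
            throw new IOException(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "SEC_CONTEXT_DESERIALIZE_TOO_MANY_PRINCIPALS", new Object[]{names}, "CWWKS0801E: While getting the subject principal, the subject was found to have more than one principal of type WSPrincipal. Only one WSPrincipal can exist in the subject. The names of the WSPrincipals are: " + names + ". As a result, the security context will not be restored on the thread."));
        }
        return principals.iterator().next();
    }

    /**
     * Rebuilds the caller and invocation Subjects from the deserialized principals. When the
     * serialized flag says both were the same instance, the invocation Subject reuses the caller
     * Subject instead of authenticating a second time.
     *
     * @param securityService source of the authentication service
     * @param atomicServiceReference source of the unauthenticated Subject
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void recreateFullSubjects(SecurityService securityService, AtomicServiceReference<UnauthenticatedSubjectService> atomicServiceReference) {
        this.callerSubject = recreateFullSubject(this.callerPrincipal, securityService, atomicServiceReference, this.callerSubjectCacheKey);
        if (this.subjectsAreEqual) {
            this.invocationSubject = this.callerSubject;
        } else {
            this.invocationSubject = recreateFullSubject(this.invocationPrincipal, securityService, atomicServiceReference, this.invocationSubjectCacheKey);
        }
    }

    /**
     * Looks up the cache key of each Subject and adds it to the serialized fields. A key field
     * that is already set is still written when the Subject lookup finds nothing. The invocation
     * Subject is only looked up when it is a different instance from the caller Subject.
     *
     * @throws Exception whatever the Subject lookup throws; the caller treats it as non-fatal
     */
    private void serializeSubjectCacheKey(ObjectOutputStream.PutField putField) throws Exception {
        if (this.callerSubject != null) {
            Hashtable<String, ?> callerAttributes = this.subjectHelper.getHashtableFromSubject(this.callerSubject, new String[]{CACHE_KEY_ATTRIBUTE});
            if (callerAttributes != null) {
                this.callerSubjectCacheKey = (String) callerAttributes.get(CACHE_KEY_ATTRIBUTE);
            }
        }
        if (this.callerSubjectCacheKey != null) {
            putField.put(CALLER_SUBJECT_CACHE_KEY, this.callerSubjectCacheKey);
        }
        if (!this.subjectsAreEqual && this.invocationSubject != null) {
            Hashtable<String, ?> invocationAttributes = this.subjectHelper.getHashtableFromSubject(this.invocationSubject, new String[]{CACHE_KEY_ATTRIBUTE});
            if (invocationAttributes != null) {
                this.invocationSubjectCacheKey = (String) invocationAttributes.get(CACHE_KEY_ATTRIBUTE);
            }
        }
        if (this.invocationSubjectCacheKey != null) {
            putField.put(INVOCATION_SUBJECT_CACHE_KEY, this.invocationSubjectCacheKey);
        }
    }

    /**
     * Returns the class name, identity hash and the principals of both Subjects. Only the
     * principals are printed, not the credentials held by the Subjects.
     */
    @Override
    @Trivial
    public String toString() {
        Object callerPrincipals = this.callerSubject == null ? null : this.callerSubject.getPrincipals();
        Object invocationPrincipals = this.invocationSubject == null ? null : this.invocationSubject.getPrincipals();
        return new StringBuilder(100)
            .append(getClass().getSimpleName())
            .append('@')
            .append(Integer.toHexString(hashCode()))
            .append(' ')
            .append(callerPrincipals)
            .append(' ')
            .append(invocationPrincipals)
            .toString();
    }
}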
