package com.ibm.ws.collective.security.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.collective.security.CollectiveDNUtil;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.AccessIdUtil;
import com.ibm.ws.security.authentication.principals.WSPrincipal;
import com.ibm.ws.security.credentials.CredentialProvider;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.security.auth.Subject;
import javax.security.auth.login.CredentialException;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;

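/**
 * {@link CredentialProvider} that attaches a {@link CollectiveServerCredentialImpl} to a
 * {@link Subject} which represents a server in the collective.
 * <p>
 * The credential is established only when all of the following hold; on any failure the
 * provider abstains (the Subject is left untouched) and records the reason as a trace event:
 * <ul>
 *   <li>the Subject is writable,</li>
 *   <li>it carries exactly one {@link WSPrincipal} (more than one is a {@link CredentialException}),</li>
 *   <li>that principal's access id is a server access id and its authentication method is
 *       {@value #CERTIFICATE_AUTH_METHOD},</li>
 *   <li>the access id's realm is {@link CollectiveDNUtil#COLLECTIVE_REALM}, and</li>
 *   <li>the access id's unique id passes {@link CollectiveDNUtil#validateCollectiveDNSyntax(String)}.</li>
 * </ul>
 * Each gate fails closed: a Subject that does not satisfy every one of them never receives the
 * credential. The provider holds no per-instance state.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(service = {CredentialProvider.class}, configurationPolicy = ConfigurationPolicy.IGNORE, property = {"service.vendor=IBM", "type=CollectiveServerCredential"})
/* loaded from: input_file:wlp/lib/com.ibm.ws.collective.security_1.0.14.jar:com/ibm/ws/collective/security/internal/CollectiveServerCredentialProvider.class */
public class CollectiveServerCredentialProvider implements CredentialProvider {
    private static final TraceComponent tc = Tr.register(CollectiveServerCredentialProvider.class);
    static final long serialVersionUID = -1617346219080716833L;

    /** Authentication method a WSPrincipal must report for a credential to be established. */
    private static final String CERTIFICATE_AUTH_METHOD = "certificate";

    /** DS lifecycle hook; nothing to initialise. */
    @Activate
    protected void activate() {
    }

    /** DS lifecycle hook; nothing to release. */
    @Deactivate
    protected void deactivate() {
    }

    /**
     * Adds a {@link CollectiveServerCredentialImpl} to {@code subject}'s private credentials
     * when the Subject passes every gate described on the class, otherwise abstains.
     *
     * @param subject the Subject being built during authentication; must not be {@code null}
     * @throws CredentialException if the Subject holds more than one {@link WSPrincipal}
     */
    @Override // com.ibm.ws.security.credentials.CredentialProvider
    @FFDCIgnore({InvalidNameException.class})
    public void setCredential(Subject subject) throws CredentialException {
        if (subject.isReadOnly()) {
            traceAbstain("Received a read-only Subject, this is highly unexpected, abstaining");
            return;
        }
        WSPrincipal principal = findSoleWSPrincipal(subject);
        if (principal == null) {
            return;
        }
        String accessId = principal.getAccessId();
        if (!AccessIdUtil.isServerAccessId(accessId)) {
            traceAbstain("Received a Subject that was not a server Subject, abstaining.");
            return;
        }
        // equals() rather than reference comparison: the previous code compared the String with
        // !=, which only works for interned literals and would NPE-free but wrongly reject any
        // equal-but-distinct String instance.
        String authMethod = principal.getAuthenticationMethod();
        if (!CERTIFICATE_AUTH_METHOD.equals(authMethod)) {
            traceAbstain("Received a Subject that was not authenticated with certificate, method: " + authMethod);
            return;
        }
        String realm = AccessIdUtil.getRealm(accessId);
        if (!CollectiveDNUtil.COLLECTIVE_REALM.equals(realm)) {
            traceAbstain("Received a Subject that was not from the collective realm. Received realm: " + realm);
            return;
        }
        try {
            String uniqueId = AccessIdUtil.getUniqueId(accessId);
            // Last gate: a unique id that is not a syntactically valid collective DN yields no credential.
            CollectiveDNUtil.validateCollectiveDNSyntax(uniqueId);
            if (tc.isEventEnabled()) {
                Tr.event(tc, "Establishing CollectiveServerCredential for DN: " + uniqueId);
            }
            subject.getPrivateCredentials().add(createCredential(uniqueId));
        } catch (InvalidNameException e) {
            // Expected for certificates that are not collective DNs; FFDC is suppressed by @FFDCIgnore.
            traceAbstain("Received a Subject was a non-collective certificate, abstaining...");
        }
    }

    /**
     * Returns the single {@link WSPrincipal} held by {@code subject}, or {@code null} (after
     * tracing the reason) when the Subject has none.
     *
     * @throws CredentialException if the Subject holds more than one WSPrincipal
     */
    private static WSPrincipal findSoleWSPrincipal(Subject subject) throws CredentialException {
        Set<WSPrincipal> principals = subject.getPrincipals(WSPrincipal.class);
        if (principals.isEmpty()) {
            traceAbstain("No WSPrincipal in the Subject, not an internal credential, abstaining.");
            return null;
        }
        if (principals.size() != 1) {
            throw new CredentialException("Too many WSPrincipals in the subject");
        }
        return principals.iterator().next();
    }

    /**
     * Builds the credential for an already-validated collective DN.
     *
     * @param uniqueId the DN extracted from the server access id
     * @throws InvalidNameException if a {@link CollectiveDNUtil} accessor rejects the DN
     */
    private static CollectiveServerCredentialImpl createCredential(String uniqueId) throws InvalidNameException {
        boolean isController = CollectiveDNUtil.COLLECTIVE_ROLE_CONTROLLER.equals(CollectiveDNUtil.getCollectiveRole(uniqueId));
        return new CollectiveServerCredentialImpl(uniqueId,
                                                  isController,
                                                  CollectiveDNUtil.getServerName(uniqueId),
                                                  CollectiveDNUtil.getHostName(uniqueId),
                                                  CollectiveDNUtil.getURLEncodedUserDir(uniqueId));
    }

    /** Records, as a trace event, why this provider is not establishing a credential. */
    private static void traceAbstain(String reason) {
        if (tc.isEventEnabled()) {
            Tr.event(tc, reason);
        }
    }

    /**
     * Always reports the Subject as valid; this provider never invalidates a Subject it has
     * decorated.
     *
     * @param subject the Subject to check (unused)
     * @return {@code true}
     */
    @Override // com.ibm.ws.security.credentials.CredentialProvider
    public boolean isSubjectValid(Subject subject) {
        return true;
    }
}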
