package com.ibm.ws.security.jaspi;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.CustomRegistryException;
import com.ibm.websphere.security.EntryNotFoundException;
import com.ibm.websphere.security.PasswordCheckFailedException;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.AuthenticationConstants;
import com.ibm.ws.webcontainer.security.JaspiService;
import com.ibm.wsspi.security.registry.RegistryHelper;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import java.io.IOException;
import java.rmi.RemoteException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.callback.PasswordValidationCallback;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.jaspic.1.1_1.0.16.jar:com/ibm/ws/security/jaspi/JaspiCallbackHandler.class */
/**
 * {@link CallbackHandler} handed to JASPIC (JSR 196) server authentication modules.
 *
 * <p>It resolves the three standard callbacks — {@link CallerPrincipalCallback},
 * {@link GroupPrincipalCallback} and {@link PasswordValidationCallback} — against the
 * configured {@link UserRegistry} and records the outcome in the {@link Subject}'s
 * custom-credential {@link Hashtable} (see {@link #getSubjectCustomData(Subject)}).
 *
 * <p>This listing is decompiler output (note the JADX marker and the synthetic
 * {@code $$$tc$$$} field in the anonymous class below); the doubled
 * {@code FFDCFilter.processException} calls in the catch blocks look like injected
 * FFDC instrumentation ({@code @InjectedFFDC}) rather than hand-written code.
 *
 * <p>Thread-safety: the only instance state is {@link #jaspiService}, which is written
 * once by the public constructor and only read afterwards.
 */
public class JaspiCallbackHandler implements CallbackHandler {
    // Trace component for debug output; every Tr.debug call below is guarded by isDebugEnabled().
    private static final TraceComponent tc = Tr.register((Class<?>) JaspiCallbackHandler.class, "Security", (String) null);
    // Source of the Subject's existing custom credentials; null when the package-private
    // constructor is used (getSubjectCustomData would then throw NullPointerException).
    private JaspiService jaspiService;
    // NOTE(review): the class does not implement Serializable in this listing; the field
    // may be a decompiler artifact — confirm against the original source.
    static final long serialVersionUID = -5194404487149163479L;

    /** Package-private constructor leaving {@link #jaspiService} unset (presumably for tests). */
    JaspiCallbackHandler() {
    }

    /**
     * Creates a handler backed by the given service.
     *
     * @param jaspiService source of the Subject's custom credentials; not null-checked here
     */
    public JaspiCallbackHandler(JaspiService jaspiService) {
        this();
        this.jaspiService = jaspiService;
    }

    /**
     * Dispatches each callback to its handler.
     *
     * <p>A null or empty array is a no-op. Processing stops at the first callback that is
     * not one of the three supported types.
     *
     * @param callbackArr callbacks supplied by the authentication module; may be null
     * @throws UnsupportedCallbackException for a callback type this handler does not support
     * @throws IOException wrapping any other exception raised by a per-callback handler
     */
    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        if (callbackArr == null || callbackArr.length == 0) {
            // Both branches return; the nested return is a decompiler artifact.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "handle", "No Callbacks received, do nothing.");
                return;
            }
            return;
        }
        try {
            for (Callback callback : callbackArr) {
                if (callback instanceof CallerPrincipalCallback) {
                    handleCallerPrincipalCallback((CallerPrincipalCallback) callback);
                } else if (callback instanceof GroupPrincipalCallback) {
                    handleGroupPrincipalCallback((GroupPrincipalCallback) callback);
                } else {
                    if (!(callback instanceof PasswordValidationCallback)) {
                        throw new UnsupportedCallbackException(callback);
                    }
                    handlePasswordValidationCallback((PasswordValidationCallback) callback);
                }
            }
        } catch (UnsupportedCallbackException e) {
            // Recorded to FFDC and rethrown unchanged, as the CallbackHandler contract requires.
            FFDCFilter.processException(e, "com.ibm.ws.security.jaspi.JaspiCallbackHandler", "100", this, new Object[]{callbackArr});
            FFDCFilter.processException(e, getClass().getName() + ".handle", "97");
            throw e;
        } catch (Exception e2) {
            // Registry/security exceptions from the handlers surface to the module as IOException
            // with the original exception kept as the cause.
            FFDCFilter.processException(e2, "com.ibm.ws.security.jaspi.JaspiCallbackHandler", "103", this, new Object[]{callbackArr});
            FFDCFilter.processException(e2, getClass().getName() + ".handle", "100");
            throw new IOException(e2);
        }
    }

    /**
     * Validates the callback's username/password against the user registry and sets the
     * callback result accordingly.
     *
     * <p>The result is only set when the callback carries a Subject and a registry is
     * available; otherwise the callback is left untouched. On success
     * {@link #checkUserPassword} also populates the Subject's custom credentials.
     *
     * @param passwordValidationCallback callback holding subject, username and password
     * @throws RemoteException from {@link UserRegistry#getRealm()}
     * @throws EntryNotFoundException declared by the callees
     * @throws CustomRegistryException declared by the callees
     */
    protected void handlePasswordValidationCallback(PasswordValidationCallback passwordValidationCallback) throws RemoteException, EntryNotFoundException, CustomRegistryException {
        UserRegistry userRegistry;
        Subject subject = passwordValidationCallback.getSubject();
        String username = passwordValidationCallback.getUsername();
        // The char[] password is copied into an immutable String because
        // UserRegistry.checkPassword(String, String) takes a String; unlike the char[]
        // it cannot be cleared after use and lives until garbage-collected.
        String str = new String(passwordValidationCallback.getPassword());
        if (tc.isDebugEnabled()) {
            // NOTE(review): traces the callback object itself; whether its toString()
            // exposes the password is not visible here — confirm before enabling debug trace.
            Tr.debug(tc, "handlePasswordValidationCallback", passwordValidationCallback, username);
        }
        if (subject != null && (userRegistry = getUserRegistry()) != null) {
            if (checkUserPassword(username, str, userRegistry, userRegistry.getRealm(), subject)) {
                passwordValidationCallback.setResult(true);
            } else {
                passwordValidationCallback.setResult(false);
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "handlePasswordValidationCallback", "valid password? " + passwordValidationCallback.getResult());
        }
    }

    /**
     * Records the caller identity asserted by the module in the Subject's custom credentials.
     *
     * <p>Resolution order: no name and no principal → the unauthenticated id is stored as
     * security name; a Principal is present → its name is used and the Principal itself is
     * stored under {@code com.ibm.wsspi.security.cred.jaspi.principal}; otherwise the
     * plain name is used. The Principal wins when both are supplied. Nothing is stored
     * when the callback has no Subject.
     *
     * @param callerPrincipalCallback callback holding subject and the asserted name/principal
     * @throws WSSecurityException declared; not thrown by the visible code
     */
    protected void handleCallerPrincipalCallback(CallerPrincipalCallback callerPrincipalCallback) throws WSSecurityException {
        String str;
        Subject subject = callerPrincipalCallback.getSubject();
        String name = callerPrincipalCallback.getName();
        Principal principal = callerPrincipalCallback.getPrincipal();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "handleCallerPrincipalCallback", "user=" + name, "principal=" + principal);
        }
        Hashtable<String, Object> hashtable = null;
        if (subject != null) {
            hashtable = getSubjectCustomData(subject);
            if (name == null && principal == null) {
                // Module asserted no identity: mark the Subject as unauthenticated.
                str = JaspiServiceImpl.UNAUTHENTICATED_ID;
                hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, str);
            } else if (principal != null) {
                str = principal.getName();
                addUseridAndGroupsKeys(str, hashtable);
                hashtable.put("com.ibm.wsspi.security.cred.jaspi.principal", principal);
            } else {
                str = name;
                addUseridAndGroupsKeys(str, hashtable);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Added securityName: " + str, new Object[0]);
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "handleCallerPrincipalCallback", hashtable);
        }
    }

    /**
     * Merges the callback's group names into the Subject's {@code WSCREDENTIAL_GROUPS} list.
     *
     * <p>A group known to the registry is stored by its unique group id; a group the
     * registry does not recognise (or any group when no registry is available) is stored
     * verbatim as supplied by the module. Null/empty names and duplicates already in the
     * list are skipped. Nothing is stored when there is no Subject or no groups.
     *
     * @param groupPrincipalCallback callback holding subject and group names
     * @throws CustomRegistryException from the registry lookups
     * @throws EntryNotFoundException from the registry lookups
     * @throws RemoteException from the registry lookups
     */
    protected void handleGroupPrincipalCallback(GroupPrincipalCallback groupPrincipalCallback) throws CustomRegistryException, EntryNotFoundException, RemoteException {
        Subject subject = groupPrincipalCallback.getSubject();
        Hashtable<String, Object> hashtable = null;
        if (subject != null) {
            String[] groups = groupPrincipalCallback.getGroups();
            if (groups != null && groups.length > 0) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Group names in Callback: ", Arrays.asList(groups));
                }
                hashtable = getSubjectCustomData(subject);
                // Raw List (decompiled). If a list is already present it is mutated in place;
                // whether such a list (e.g. the one stored by addUseridAndGroupsKeys) is
                // modifiable is not visible here.
                List list = (List) hashtable.get(AttributeNameConstants.WSCREDENTIAL_GROUPS);
                if (list == null) {
                    list = new ArrayList();
                    hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, list);
                }
                UserRegistry userRegistry = getUserRegistry();
                for (String str : groups) {
                    if (str != null && !str.isEmpty()) {
                        // Unknown groups are not rejected — they are added under their raw name.
                        String uniqueGroupId = (userRegistry == null || !userRegistry.isValidGroup(str)) ? str : userRegistry.getUniqueGroupId(str);
                        if (!list.contains(uniqueGroupId)) {
                            list.add(uniqueGroupId);
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Added groupId: " + uniqueGroupId, new Object[0]);
                            }
                        } else if (tc.isDebugEnabled()) {
                            Tr.debug(tc, uniqueGroupId + " already exists in custom credential data, avoid duplicates.", new Object[0]);
                        }
                    } else if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Group is null or an empty string, it has been ignored.", new Object[0]);
                    }
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Callback has no groups.", new Object[0]);
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "handleGroupPrincipalCallback", hashtable);
        }
    }

    /**
     * Stores the identity keys for an asserted user name in the custom-credential table.
     *
     * <p>When the registry knows the user, the user id, the internal-assertion flag and the
     * registry's unique group ids are stored. When it does not (or no registry is available),
     * only a unique id and security name are stored: {@code user:defaultRealm/<name>} without
     * a registry, {@code <realm>/<name>} with one — note the two forms differ in prefix.
     *
     * <p>Any exception from the registry is recorded to FFDC and otherwise swallowed, so the
     * caller cannot tell that the table may have been left partially populated.
     *
     * @param str       asserted user name
     * @param hashtable the Subject's custom-credential table, mutated in place
     */
    protected void addUseridAndGroupsKeys(String str, Hashtable<String, Object> hashtable) {
        try {
            UserRegistry userRegistry = getUserRegistry();
            if (userRegistry == null || !userRegistry.isValidUser(str)) {
                if (userRegistry == null) {
                    hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, "user:defaultRealm/" + str);
                } else {
                    hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, userRegistry.getRealm() + "/" + str);
                }
                hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, str);
            } else {
                hashtable.put(AttributeNameConstants.WSCREDENTIAL_USERID, str);
                // Flags the identity as asserted internally (no password check performed here);
                // how downstream login treats this flag is not visible in this listing.
                hashtable.put(AuthenticationConstants.INTERNAL_ASSERTION_KEY, Boolean.TRUE);
                List<String> uniqueGroupIds = userRegistry.getUniqueGroupIds(str);
                hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, uniqueGroupIds);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Added userid: " + str + "  and groups: " + uniqueGroupIds, new Object[0]);
                }
            }
        } catch (Exception e) {
            // Swallowed: only FFDC is written, no trace and no rethrow.
            FFDCFilter.processException(e, "com.ibm.ws.security.jaspi.JaspiCallbackHandler", "267", this, new Object[]{str, hashtable});
            FFDCFilter.processException(e, getClass().getName() + ".handleCallerPrincipalCallback", "245");
        }
    }

    /**
     * Checks the password with the registry and, on success, writes realm, user id and the
     * user's unique group ids into the Subject's custom credentials.
     *
     * <p>Fails closed: a wrong password ({@link PasswordCheckFailedException}, excluded from
     * FFDC) and any other registry exception (recorded to FFDC) both return {@code false}.
     * The declared checked exceptions therefore never escape the visible code. The password
     * is marked {@code @Sensitive} and replaced by a placeholder in the FFDC arguments.
     *
     * @param str          user name to check
     * @param str2         clear-text password
     * @param userRegistry registry to validate against; must not be null
     * @param str3         realm name recorded in the credential on success
     * @param subject      Subject whose custom credentials are populated on success
     * @return {@code true} if the registry accepted the password, {@code false} otherwise
     */
    @FFDCIgnore({PasswordCheckFailedException.class})
    protected boolean checkUserPassword(String str, @Sensitive String str2, UserRegistry userRegistry, String str3, Subject subject) throws EntryNotFoundException, CustomRegistryException, RemoteException {
        try {
            // checkPassword returns the registry's security name for the user; that name,
            // not the supplied one, is used for the group lookup and stored as the user id.
            String checkPassword = userRegistry.checkPassword(str, str2);
            List<String> groupsForUser = userRegistry.getGroupsForUser(checkPassword);
            ArrayList arrayList = new ArrayList();
            if (groupsForUser != null) {
                Iterator<String> it = groupsForUser.iterator();
                while (it.hasNext()) {
                    arrayList.add(userRegistry.getUniqueGroupId(it.next()));
                }
            }
            newCustomCredential(subject, str3, checkPassword, arrayList);
            return true;
        } catch (PasswordCheckFailedException e) {
            if (!tc.isDebugEnabled()) {
                return false;
            }
            Tr.debug(tc, "checkUserPassword - password is not valid.", new Object[0]);
            return false;
        } catch (Exception e2) {
            // Registry failure is treated like a failed check; the password argument is
            // redacted in the FFDC record.
            FFDCFilter.processException(e2, "com.ibm.ws.security.jaspi.JaspiCallbackHandler", "289", this, new Object[]{str, "<sensitive java.lang.String>", userRegistry, str3, subject});
            if (!tc.isDebugEnabled()) {
                return false;
            }
            Tr.debug(tc, "checkUserPassword - registry exception: " + e2, new Object[0]);
            return false;
        }
    }

    /**
     * Writes realm, user id, the internal-assertion flag and the group list into the
     * Subject's custom-credential table.
     *
     * <p>The supplied list is stored by reference (not copied); a null or empty list is
     * replaced by a new empty {@link ArrayList}.
     *
     * @param subject Subject whose custom credentials are updated
     * @param str     realm name
     * @param str2    user id
     * @param list    unique group ids; may be null
     * @return the Subject's custom-credential table after the update
     */
    protected Hashtable<String, Object> newCustomCredential(Subject subject, String str, String str2, List<?> list) {
        Hashtable<String, Object> subjectCustomData = getSubjectCustomData(subject);
        subjectCustomData.put(AttributeNameConstants.WSCREDENTIAL_REALM, str);
        subjectCustomData.put(AttributeNameConstants.WSCREDENTIAL_USERID, str2);
        subjectCustomData.put(AuthenticationConstants.INTERNAL_ASSERTION_KEY, Boolean.TRUE);
        if (list == null || list.isEmpty()) {
            subjectCustomData.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, new ArrayList());
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Adding groups found in registry", list);
            }
            subjectCustomData.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, list);
        }
        return subjectCustomData;
    }

    /**
     * Returns the Subject's custom-credential table, creating and attaching one if absent.
     *
     * <p>The existing table is looked up through {@link #jaspiService}. If none exists, a new
     * {@link Hashtable} is added to the Subject's private credentials inside
     * {@code doPrivileged}, presumably because modifying private credentials requires an
     * {@code AuthPermission} the caller's stack may not hold — not verifiable here.
     *
     * @param subject Subject to read from / attach to; must not be null
     * @return the (possibly newly created) custom-credential table
     */
    protected Hashtable<String, Object> getSubjectCustomData(final Subject subject) {
        Hashtable<String, Object> customCredentials = this.jaspiService.getCustomCredentials(subject);
        if (customCredentials == null) {
            customCredentials = (Hashtable) AccessController.doPrivileged(new PrivilegedAction<Hashtable<String, Object>>() { // from class: com.ibm.ws.security.jaspi.JaspiCallbackHandler.1
                // Synthetic members emitted by the decompiler; AnonymousClass1 is not a name
                // that exists in the original source.
                static final long serialVersionUID = 7983645503625486425L;
                private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register(AnonymousClass1.class);

                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedAction
                public Hashtable<String, Object> run() {
                    Hashtable<String, Object> hashtable = new Hashtable<>();
                    subject.getPrivateCredentials().add(hashtable);
                    return hashtable;
                }
            });
        }
        return customCredentials;
    }

    /**
     * Looks up the user registry; returns {@code null} if it cannot be obtained.
     *
     * <p>A {@link WSSecurityException} is recorded to FFDC and traced, then swallowed. Every
     * caller in this class checks for the null result.
     *
     * @return the registry for the default realm (the {@code null} argument presumably selects
     *         the default), or {@code null} on failure
     */
    UserRegistry getUserRegistry() {
        UserRegistry userRegistry = null;
        try {
            userRegistry = RegistryHelper.getUserRegistry(null);
        } catch (WSSecurityException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.jaspi.JaspiCallbackHandler", "336", this, new Object[0]);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Internal error getting the user registry", e);
            }
        }
        return userRegistry;
    }
}
