package com.ibm.websphere.security.s4u2proxy;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.utility.JaasLoginConfigConstants;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.security.kerberos.internal.BoundedHashMap;
import com.ibm.ws.security.s4u2proxy.KerberosExtService;
import com.ibm.ws.security.token.krb5.Krb5Helper;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;

/* JADX WARN: Classes with same name are omitted:
  input_file:wlp/dev/api/ibm/com.ibm.websphere.appserver.api.constrainedDelegation_1.0.16.jar:com/ibm/websphere/security/s4u2proxy/SpnegoHelper.class
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(service = {SpnegoHelper.class}, name = "SpnegoHelper", configurationPid = {"com.ibm.websphere.security.s4u2proxy.SpnegoHelper"}, immediate = true, configurationPolicy = ConfigurationPolicy.REQUIRE, property = {"service.vendor=IBM"})
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.kerberos.java8_1.0.16.jar:com/ibm/websphere/security/s4u2proxy/SpnegoHelper.class */
/**
 * Public API helper for building SPNEGO authorization values with Kerberos
 * constrained delegation (S4U2self and S4U2proxy).
 *
 * <p>The class is an OSGi declarative-services component, but its API surface is
 * the two static {@code build...} methods. Both delegate the Kerberos work to a
 * {@link KerberosExtService} tracked through {@link #kerberosExtServiceRef}; the
 * tracker is only activated on an IBM JDK (see {@link #activate}), and
 * {@link #getKerberosExtService()} re-checks the JDK vendor on every call.
 *
 * <p>Decompiled listing: parameter names ({@code str}, {@code str2}, ...) are
 * decompiler-generated, and the source line numbers quoted in FFDC calls refer to
 * the original source, not to this listing.
 *
 * <p>Thread-safety: static state ({@link #delegateSubjectCache}, {@link #ibmJDK})
 * is accessed without synchronization, and
 * {@link #getDelegateServiceSubject} temporarily mutates JVM-wide properties
 * around each login; see the notes on those members.
 */
public class SpnegoHelper {
    /** Intended upper bound of the delegate-subject cache; note that the literal {@code 10} is what {@link #getKerberosExtService()} actually passes (the decompiler may have inlined this constant). */
    private static final int MAX_CACHE = 10;
    /** Name shared by the {@code @Reference} below and the {@link AtomicServiceReference} it feeds. */
    static final String KEY_KERBEROS_EXT_SERVICE = "KerberosExtService";
    /** Preserved from the decompiled class; the visible declaration does not implement {@code Serializable}. */
    static final long serialVersionUID = -8028544169101711307L;
    /** Trace component registered under the "security" group with the LoggingMessages resource bundle. */
    private static final TraceComponent tc = Tr.register((Class<?>) SpnegoHelper.class, "security", "com.ibm.ws.security.internal.resources.LoggingMessages");
    /**
     * Cache of delegate service {@link Subject}s keyed by the delegate service principal name
     * (the value that {@link #getDelegateServiceSubject} also sets as the krb5 principal property).
     * Lazily created in {@link #getKerberosExtService()}, so that method must run before any
     * cache access; the creation and the get/put/remove calls are not synchronized.
     * Declared as {@code Map<String, Object>} although only {@link Subject} values are stored.
     */
    private static Map<String, Object> delegateSubjectCache = null;
    /** Set from {@code Krb5Helper.isIBMJDK()} in {@link #activate}, cleared in {@link #deactivate}; read on every service lookup. Not volatile. */
    static boolean ibmJDK = false;
    /** Tracker for the optional {@link KerberosExtService}; activated only when {@link #ibmJDK} is true. */
    protected static final AtomicServiceReference<KerberosExtService> kerberosExtServiceRef = new AtomicServiceReference<>("KerberosExtService");

    /**
     * Builds an S4U2proxy SPNEGO authorization value for a user, first obtaining the user's
     * credential via S4U2self under the delegate service's identity.
     *
     * @param str  user principal name (UPN) to impersonate; validated by {@code Krb5Helper.checkUpn}
     * @param str2 target service principal name (SPN); validated by {@code Krb5Helper.checkSpn}
     * @param i    passed through unchanged to {@code Krb5Helper.buildSpnegoAuthorization}
     * @param z    passed through unchanged to {@code Krb5Helper.buildSpnegoAuthorization}
     * @param str3 delegate service principal name; used as the cache key and krb5 principal for the delegate login
     * @param str4 JAAS login context entry for the delegate login ({@code null} selects the default, see {@link #doKerberosLogin})
     * @param str5 value set as the {@code KRB5_KTNAME} property during the delegate login (presumably the keytab location)
     * @return the SPNEGO authorization value produced by {@code Krb5Helper.buildSpnegoAuthorization}
     * @throws GSSException with major/minor code 16 ({@code GSSException.UNAVAILABLE}) when S4U2self is not enabled,
     *                      or when the Kerberos extension service is unavailable / the JDK vendor is unsupported
     * @throws PrivilegedActionException propagated from the underlying GSS work
     * @throws LoginException when the delegate service login fails
     */
    public static String buildS4U2ProxyAuthorizationUsingS4U2Self(String str, String str2, int i, boolean z, String str3, String str4, String str5) throws GSSException, PrivilegedActionException, LoginException {
        Krb5Helper.checkUpn(str);
        Krb5Helper.checkSpn(str2);
        // Must run before getDelegateServiceSubject: it also lazily creates delegateSubjectCache.
        KerberosExtService kerberosExtService = getKerberosExtService();
        if (kerberosExtService.isS4U2selfEnable()) {
            return Krb5Helper.buildSpnegoAuthorization(kerberosExtService.getDelegateGSSCredUsingS4U2self(str, str2, GSSName.NT_USER_NAME, 1, str3, getDelegateServiceSubject(str3, str4, str5)), str2, i, z);
        }
        // NOTE(review): the {0} argument names buildS4U2proxyAuthorization(), not this method; the
        // message text is runtime behavior and is left as decompiled.
        String formattedMessage = TraceNLS.getFormattedMessage((Class<?>) SpnegoHelper.class, "com.ibm.ws.security.internal.resources.LoggingMessages", "KRB_S4U2SELF_IS_NOT_ENABLED", new Object[]{"buildS4U2proxyAuthorization()"}, "CWWKS4342E: Can not process method {0} because the constrained delegation S4U2self is not enabled.");
        Tr.error(tc, formattedMessage, new Object[0]);
        throw new GSSException(16, 16, formattedMessage);
    }

    /**
     * Builds an S4U2proxy SPNEGO authorization value from an already-authenticated subject.
     *
     * @param str     target service principal name (SPN); validated by {@code Krb5Helper.checkSpn}
     * @param subject subject whose Kerberos credential is delegated
     * @param i       passed through unchanged to {@code Krb5Helper.buildSpnegoAuthorizationFromSubjectCommon}
     * @param z       passed through unchanged to {@code Krb5Helper.buildSpnegoAuthorizationFromSubjectCommon}
     * @return the SPNEGO authorization value
     * @throws GSSException with major/minor code 16 ({@code GSSException.UNAVAILABLE}) when S4U2proxy is not enabled,
     *                      or when the Kerberos extension service is unavailable / the JDK vendor is unsupported
     * @throws PrivilegedActionException propagated from the underlying GSS work
     */
    public static String buildS4U2proxyAuthorization(String str, Subject subject, int i, boolean z) throws GSSException, PrivilegedActionException {
        Krb5Helper.checkSpn(str);
        if (getKerberosExtService().isS4U2proxyEnable()) {
            return Krb5Helper.buildSpnegoAuthorizationFromSubjectCommon(str, subject, i, z);
        }
        String formattedMessage = TraceNLS.getFormattedMessage((Class<?>) SpnegoHelper.class, "com.ibm.ws.security.internal.resources.LoggingMessages", "KRB_S4U2PROXY_IS_NOT_ENABLED", new Object[]{"buildS4U2proxyAuthorization()"}, "CWWKS4343E: Can not process method {0} because the constrained delegation S4U2proxy is not enabled.");
        Tr.error(tc, formattedMessage, new Object[0]);
        throw new GSSException(16, 16, formattedMessage);
    }

    /**
     * Returns the delegate service's {@link Subject}, from the cache when its TGT is still valid,
     * otherwise by performing a fresh Kerberos login.
     *
     * <p>The login is bracketed by three JVM-wide property changes ({@code USE_SUBJECT_CREDS_ONLY},
     * {@code KRB5_KTNAME}, {@code com.ibm.security.krb5.principal}) that are restored on both the
     * success and the failure path, before the result is cached. Because these properties are
     * process-global, concurrent logins for different principals or keytabs may observe each
     * other's values; callers that need isolation should serialize these calls (review note,
     * not enforced here).
     *
     * <p>Precondition: {@link #delegateSubjectCache} has been created by
     * {@link #getKerberosExtService()}; otherwise the first line throws {@link NullPointerException}.
     *
     * @param str  delegate service principal name; cache key and krb5 principal property value
     * @param str2 JAAS login context entry, may be {@code null}
     * @param str3 value for the {@code KRB5_KTNAME} property during the login
     * @return the subject, or {@code null} when {@link #doKerberosLogin} returns {@code null}
     *         (nothing is cached in that case)
     * @throws LoginException when the login fails with a {@link LoginException} cause
     */
    private static Subject getDelegateServiceSubject(String str, String str2, String str3) throws LoginException {
        Subject subject = (Subject) delegateSubjectCache.get(str);
        if (subject != null) {
            if (SubjectHelper.isTGTInSubjectValid(subject, str)) {
                return subject;
            }
            // Stale TGT: evict and fall through to a fresh login.
            delegateSubjectCache.remove(str);
        }
        // Each call returns the previous value so it can be restored below (by name; not verified here).
        String propertyAsNeeded = Krb5Helper.setPropertyAsNeeded(Krb5Helper.USE_SUBJECT_CREDS_ONLY, "false");
        String propertyAsNeeded2 = Krb5Helper.setPropertyAsNeeded("KRB5_KTNAME", str3);
        String propertyAsNeeded3 = Krb5Helper.setPropertyAsNeeded("com.ibm.security.krb5.principal", str);
        try {
            // No password is supplied: the login relies on the keytab/principal properties set above.
            Subject doKerberosLogin = doKerberosLogin(str2, str, null);
            Krb5Helper.restorePropertyAsNeeded(Krb5Helper.USE_SUBJECT_CREDS_ONLY, propertyAsNeeded, "false");
            Krb5Helper.restorePropertyAsNeeded("KRB5_KTNAME", propertyAsNeeded2, str3);
            Krb5Helper.restorePropertyAsNeeded("com.ibm.security.krb5.principal", propertyAsNeeded3, str);
            if (doKerberosLogin != null) {
                delegateSubjectCache.put(str, doKerberosLogin);
            }
            return doKerberosLogin;
        } catch (Throwable th) {
            // Same restore sequence as the success path, then rethrow unchanged.
            Krb5Helper.restorePropertyAsNeeded(Krb5Helper.USE_SUBJECT_CREDS_ONLY, propertyAsNeeded, "false");
            Krb5Helper.restorePropertyAsNeeded("KRB5_KTNAME", propertyAsNeeded2, str3);
            Krb5Helper.restorePropertyAsNeeded("com.ibm.security.krb5.principal", propertyAsNeeded3, str);
            throw th;
        }
    }

    /**
     * Performs a JAAS Kerberos login inside a privileged block.
     *
     * @param str  JAAS login context entry; {@code null} selects {@code JaasLoginConfigConstants.JAASClient}
     * @param str2 principal/user name handed to {@link WSCallbackHandlerImpl}
     * @param str3 secret handed to {@link WSCallbackHandlerImpl} (annotated {@code @Sensitive};
     *             the caller in this class passes {@code null}); masked in the FFDC record
     * @return the subject of the successful login, or {@code null} when the login failed with a
     *         cause that is not a {@link LoginException} (the failure is then only recorded via FFDC)
     * @throws LoginException when the privileged action failed and its general cause is a {@link LoginException}
     */
    private static Subject doKerberosLogin(String str, final String str2, @Sensitive final String str3) throws LoginException {
        Subject subject = null;
        if (str == null) {
            str = JaasLoginConfigConstants.JAASClient;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "jaasLoginContextEntry: " + str, new Object[0]);
            }
        }
        // Effectively-final copy for the anonymous class below.
        final String str4 = str;
        try {
            subject = (Subject) AccessController.doPrivileged(new PrivilegedExceptionAction<Subject>() { // from class: com.ibm.websphere.security.s4u2proxy.SpnegoHelper.1
                static final long serialVersionUID = 7098196343374431873L;
                private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register(AnonymousClass1.class);

                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public Subject run() throws LoginException {
                    LoginContext loginContext = new LoginContext(str4, new WSCallbackHandlerImpl(str2, str3));
                    loginContext.login();
                    return loginContext.getSubject();
                }
            });
        } catch (PrivilegedActionException e) {
            // The sensitive third argument is replaced by a placeholder in the FFDC record.
            FFDCFilter.processException(e, "com.ibm.websphere.security.s4u2proxy.SpnegoHelper", "216", null, new Object[]{str, str2, "<sensitive java.lang.String>"});
            Throwable generalCause = Krb5Helper.getGeneralCause(e);
            if (generalCause instanceof LoginException) {
                throw ((LoginException) generalCause);
            }
            // Any other cause is swallowed here: subject remains null and is returned as such.
        }
        return subject;
    }

    /**
     * Resolves the tracked {@link KerberosExtService}, lazily creating the delegate-subject cache.
     *
     * @return the service (the {@code null} case is expected to be turned into an exception by
     *         {@code Krb5Helper.serviceNotAvailableException()}; if that helper returned normally,
     *         {@code null} would be returned here)
     * @throws GSSException when the service is unavailable or the JDK vendor is not supported
     */
    private static KerberosExtService getKerberosExtService() throws GSSException {
        if (delegateSubjectCache == null) {
            // Unsynchronized lazy init; racing callers may each create a map (raw type, bound of 10).
            delegateSubjectCache = new BoundedHashMap(10);
        }
        KerberosExtService service = kerberosExtServiceRef.getService();
        if (service == null) {
            Krb5Helper.serviceNotAvailableException();
        }
        Krb5Helper.checkSupportJDKVendor(ibmJDK);
        return service;
    }

    /** DS bind method for the optional, statically bound {@link KerberosExtService}. */
    @Reference(service = KerberosExtService.class, name = "KerberosExtService", cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.STATIC)
    protected void setKerberosExtService(ServiceReference<KerberosExtService> serviceReference) {
        kerberosExtServiceRef.setReference(serviceReference);
    }

    /** DS unbind method matching {@link #setKerberosExtService}. */
    protected void unsetKerberosExtService(ServiceReference<KerberosExtService> serviceReference) {
        kerberosExtServiceRef.unsetReference(serviceReference);
    }

    /**
     * DS activation: records the JDK vendor and activates the service tracker only on an IBM JDK.
     * On other JDKs the tracker stays inactive and every API call fails the vendor check.
     */
    @Activate
    protected void activate(ComponentContext componentContext) {
        ibmJDK = Krb5Helper.isIBMJDK();
        if (ibmJDK) {
            kerberosExtServiceRef.activate(componentContext);
        }
    }

    /** DS modified callback; configuration changes are ignored. */
    @Modified
    protected void modified(Map<String, Object> map) {
    }

    /**
     * DS deactivation: deactivates the tracker (unconditionally, even when {@link #activate}
     * skipped activation on a non-IBM JDK) and clears the vendor flag.
     */
    @Deactivate
    protected void deactivate(ComponentContext componentContext) {
        kerberosExtServiceRef.deactivate(componentContext);
        ibmJDK = false;
    }
}
