package com.ibm.ws.security.spnego;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.filter.AuthenticationFilter;
import com.ibm.ws.security.spnego.internal.SpnegoConfigImpl;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.AuthenticationResult;
import com.ibm.ws.webcontainer.security.WebAuthenticator;
import com.ibm.ws.webcontainer.security.WebRequest;
import com.ibm.wsspi.kernel.service.location.WsLocationAdmin;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;

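/**
 * SPNEGO web authenticator, published as a {@link WebAuthenticator} OSGi component with
 * {@code com.ibm.ws.security.webAuthenticator.type=SPNEGO}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A request is handled by SPNEGO only when {@link #shouldSpnegoAuthenticateThisRequest}
 *       accepts it; otherwise the shared {@code CONTINUE} result is returned.</li>
 *   <li>When no {@link AuthenticationFilter} service is bound, every request is accepted for
 *       SPNEGO (see {@link #isAuthFilterAccept}).</li>
 *   <li>Unless {@code getDisableFailOverToAppAuthType()} is true, a failed SPNEGO attempt is
 *       reported as {@code CONTINUE} rather than as a failure (see
 *       {@link #authenticate(WebRequest)}).</li>
 * </ul>
 *
 * <p>Thread-safety: the lifecycle callbacks are {@code synchronized}, but the request path is
 * not. The configuration and authenticator fields are therefore {@code volatile}, and
 * {@link #authenticate(WebRequest)} works on a per-request snapshot of both.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(service = {WebAuthenticator.class}, name = "com.ibm.ws.security.spnego", configurationPolicy = ConfigurationPolicy.REQUIRE, property = {"service.vendor=IBM", "com.ibm.ws.security.webAuthenticator.type=SPNEGO"})
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.spnego_1.0.16.jar:com/ibm/ws/security/spnego/SpnegoService.class */
public class SpnegoService implements WebAuthenticator {
    public static final TraceComponent tc = Tr.register(SpnegoService.class);
    static final String CONFIGURATION_ADMIN = "configurationAdmin";
    public static final String KEY_FILTER = "authenticationFilter";
    private final String KEY_LOCATION_ADMIN = "locationAdmin";
    private final AtomicServiceReference<WsLocationAdmin> locationAdminRef = new AtomicServiceReference<>("locationAdmin");
    protected final AtomicServiceReference<AuthenticationFilter> authFilterServiceRef = new AtomicServiceReference<>("authenticationFilter");
    // Shared result returned whenever this authenticator declines or defers a request.
    private final AuthenticationResult CONTINUE = new AuthenticationResult(AuthResult.CONTINUE, "SPNEGO service said continue...");
    // Both fields are written by the synchronized lifecycle callbacks (and the plain setters)
    // and read without a lock on the request path; volatile gives request threads a
    // guaranteed view of the latest value.
    private volatile SpnegoAuthenticator spnegoAuthenticator = null;
    private volatile SpnegoConfig spnegoConfig = null;
    static final long serialVersionUID = 4319753680960683869L;

    /** Returns true when debug-level trace is enabled for this class. */
    private static boolean debugTraceEnabled() {
        return TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
    }

    /**
     * Binds the optional, dynamically-bound authentication filter service.
     *
     * @param serviceReference reference to the filter service being bound
     */
    @Reference(name = "authenticationFilter", service = AuthenticationFilter.class, cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    protected void setAuthenticationFilter(ServiceReference<AuthenticationFilter> serviceReference) {
        if (debugTraceEnabled()) {
            Tr.debug(tc, "authFilter id: " + serviceReference.getProperty("id") + " authFilterRef: " + serviceReference, new Object[0]);
        }
        this.authFilterServiceRef.setReference(serviceReference);
    }

    /**
     * Re-points the filter reference when the bound service is updated.
     *
     * @param serviceReference reference to the updated filter service
     */
    protected void updatedAuthenticationFilter(ServiceReference<AuthenticationFilter> serviceReference) {
        this.authFilterServiceRef.setReference(serviceReference);
    }

    /**
     * Unbinds the authentication filter service. Once no filter is bound,
     * {@link #isAuthFilterAccept} accepts every request.
     *
     * @param serviceReference reference to the filter service being removed
     */
    protected void unsetAuthenticationFilter(ServiceReference<AuthenticationFilter> serviceReference) {
        if (debugTraceEnabled()) {
            Tr.debug(tc, "authFilter id: " + serviceReference.getProperty("id") + " authFilterRef: " + serviceReference, new Object[0]);
        }
        this.authFilterServiceRef.unsetReference(serviceReference);
    }

    /**
     * Binds the location admin service used when building the SPNEGO configuration.
     *
     * @param serviceReference reference to the location admin service
     */
    @Reference(service = WsLocationAdmin.class, name = "locationAdmin", policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    protected void setLocationAdmin(ServiceReference<WsLocationAdmin> serviceReference) {
        this.locationAdminRef.setReference(serviceReference);
    }

    /**
     * Unbinds the location admin service.
     *
     * @param serviceReference reference to the location admin service being removed
     */
    protected void unsetLocationAdmin(ServiceReference<WsLocationAdmin> serviceReference) {
        this.locationAdminRef.unsetReference(serviceReference);
    }

    /**
     * Activates both service references, builds the configuration from the supplied
     * properties and creates the authenticator.
     *
     * @param componentContext the OSGi component context
     * @param map the component's configuration properties
     */
    @Activate
    protected synchronized void activate(ComponentContext componentContext, Map<String, Object> map) {
        this.locationAdminRef.activate(componentContext);
        this.authFilterServiceRef.activate(componentContext);
        // presumably getServiceWithException() throws when no location admin is bound — confirm
        this.spnegoConfig = new SpnegoConfigImpl(this.locationAdminRef.getServiceWithException(), map);
        this.spnegoAuthenticator = new SpnegoAuthenticator();
        Tr.info(tc, "SPNEGO_CONFIG_PROCESSED", this.spnegoConfig.getId());
    }

    /**
     * Replaces the configuration with one built from the new properties. The authenticator
     * instance is kept.
     *
     * @param map the updated configuration properties
     */
    @Modified
    protected synchronized void modified(Map<String, Object> map) {
        this.spnegoConfig = new SpnegoConfigImpl(this.locationAdminRef.getServiceWithException(), map);
        Tr.info(tc, "SPNEGO_CONFIG_MODIFIED", this.spnegoConfig.getId());
    }

    /**
     * Deactivates both service references and clears the configuration and authenticator.
     *
     * @param componentContext the OSGi component context
     */
    @Deactivate
    protected synchronized void deactivate(ComponentContext componentContext) {
        this.locationAdminRef.deactivate(componentContext);
        this.authFilterServiceRef.deactivate(componentContext);
        this.spnegoConfig = null;
        this.spnegoAuthenticator = null;
    }

    /**
     * Replaces the active configuration without going through the lifecycle callbacks.
     *
     * @param spnegoConfig the configuration to use
     */
    public void setSpnegoConfig(SpnegoConfig spnegoConfig) {
        this.spnegoConfig = spnegoConfig;
    }

    /**
     * Replaces the active authenticator without going through the lifecycle callbacks.
     *
     * @param spnegoAuthenticator the authenticator to use
     */
    public void setSpnegoAuthenticator(SpnegoAuthenticator spnegoAuthenticator) {
        this.spnegoAuthenticator = spnegoAuthenticator;
    }

    /**
     * Runs SPNEGO authentication for a web request.
     *
     * <p>Flow: if the request is not one SPNEGO should handle, return {@code CONTINUE}. If it
     * has no {@code Authorization} header, delegate to
     * {@code SpnegoAuthenticator.createNegotiateHeader}. Otherwise hand the header to
     * {@code SpnegoAuthenticator.authenticate}, unless the configuration reports that no
     * GSSCredential is available, which yields a {@code FAILURE} result.
     *
     * <p>Fail-over: a {@code CONTINUE} or {@code SUCCESS} result from the authenticator is
     * returned as is. Any other outcome, including the missing-credential failure, is replaced
     * by {@code CONTINUE} unless {@code getDisableFailOverToAppAuthType()} is true. With
     * fail-over enabled, a rejected SPNEGO token therefore does not reject the request here.
     * Going by the trace message, the caller presumably continues with the application's own
     * authentication type — confirm against the caller.
     *
     * <p>The header is checked only for presence; any scheme validation is left to
     * {@code SpnegoAuthenticator}. The header value is not traced by this method.
     *
     * @param webRequest the request being authenticated
     * @return the authentication outcome; see the note in the body about a possible
     *         {@code null}
     */
    @Override // com.ibm.ws.webcontainer.security.WebAuthenticator
    public AuthenticationResult authenticate(WebRequest webRequest) {
        HttpServletRequest httpServletRequest = webRequest.getHttpServletRequest();
        HttpServletResponse httpServletResponse = webRequest.getHttpServletResponse();
        String header = httpServletRequest.getHeader("Authorization");
        boolean noAuthorizationHeader = header == null;
        if (!shouldSpnegoAuthenticateThisRequest(webRequest, httpServletRequest, noAuthorizationHeader)) {
            return this.CONTINUE;
        }
        // Snapshot both fields once so the credential check, the token validation and the
        // fail-over decision below all use the same configuration, even if modified() or
        // deactivate() runs on another thread while this request is in flight.
        // shouldSpnegoAuthenticateThisRequest() above still reads the field itself.
        SpnegoConfig config = this.spnegoConfig;
        SpnegoAuthenticator authenticator = this.spnegoAuthenticator;
        if (noAuthorizationHeader) {
            return authenticator.createNegotiateHeader(httpServletResponse, config);
        }
        AuthenticationResult result;
        if (config.isSpnGssCredentialEmpty()) {
            if (debugTraceEnabled()) {
                Tr.debug(tc, "No GSSCredential for any of the service principal names.", new Object[0]);
            }
            result = new AuthenticationResult(AuthResult.FAILURE, "No GSSCredential for any of the service principal names.");
        } else {
            result = authenticator.authenticate(httpServletRequest, httpServletResponse, header, config);
            if (result != null && (result.getStatus() == AuthResult.CONTINUE || result.getStatus() == AuthResult.SUCCESS)) {
                return result;
            }
        }
        if (!config.getDisableFailOverToAppAuthType()) {
            if (debugTraceEnabled()) {
                Tr.debug(tc, "failOverToAppAuthType is allowed, so continue...", new Object[0]);
            }
            return this.CONTINUE;
        }
        // NOTE(review): result is null here if SpnegoAuthenticator.authenticate returned null
        // while fail-over is disabled — confirm that callers treat null as a failure.
        return result;
    }

    /**
     * Decides whether SPNEGO should handle this request.
     *
     * <p>Returns false for an unprotected URI that carries no {@code Authorization} header,
     * and whenever the request's call-after-SSO flag differs from the configured
     * invoke-after-SSO flag. Otherwise the decision is delegated to
     * {@link #isAuthFilterAccept}. An unprotected URI that does carry an
     * {@code Authorization} header is not skipped by the first check.
     *
     * @param webRequest the request being authenticated
     * @param httpServletRequest the underlying servlet request
     * @param z true when the request has no {@code Authorization} header
     * @return true when SPNEGO should process the request
     */
    protected boolean shouldSpnegoAuthenticateThisRequest(WebRequest webRequest, HttpServletRequest httpServletRequest, boolean z) {
        if (z && webRequest.isUnprotectedURI()) {
            if (debugTraceEnabled()) {
                Tr.debug(tc, "un-protectedURI request and no SPNEGO token so do not authenticate with SPNEGO web", new Object[0]);
            }
            return false;
        }
        // SPNEGO runs only in the phase it is configured for: both flags set, or neither.
        if (webRequest.isCallAfterSSO() != this.spnegoConfig.isInvokeAfterSSO()) {
            return false;
        }
        return isAuthFilterAccept(httpServletRequest);
    }

    /**
     * Asks the bound authentication filter whether it accepts the request.
     *
     * <p>When no filter service is bound the request is accepted, so SPNEGO is attempted for
     * every request that reaches this check.
     *
     * @param httpServletRequest the request to test
     * @return the filter's decision, or true when no filter service is available
     */
    protected boolean isAuthFilterAccept(HttpServletRequest httpServletRequest) {
        AuthenticationFilter filter = this.authFilterServiceRef.getService();
        if (debugTraceEnabled()) {
            Tr.debug(tc, "authFilter:" + filter, new Object[0]);
        }
        if (filter != null) {
            return filter.isAccepted(httpServletRequest);
        }
        if (debugTraceEnabled()) {
            Tr.debug(tc, "Authentication filter service is not avaliale, all HTTP requests will use SPNEGO authentication", new Object[0]);
        }
        return true;
    }

    /**
     * Servlet-level overload required by {@link WebAuthenticator}. It performs no
     * authentication and always returns {@code null}.
     *
     * @param httpServletRequest ignored
     * @param httpServletResponse ignored
     * @param hashMap ignored
     * @return always {@code null}
     */
    @Override // com.ibm.ws.webcontainer.security.WebAuthenticator
    public AuthenticationResult authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HashMap hashMap) throws Exception {
        return null;
    }
}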
