package com.ibm.wsspi.security.common.auth.module;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.AuthenticationService;
import com.ibm.ws.security.authentication.helper.AuthenticateUserHelper;
import com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl;
import com.ibm.ws.security.registry.RegistryException;
import com.ibm.ws.security.registry.UserRegistry;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

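/**
 * JAAS {@link LoginModule} that completes an <em>identity assertion</em> login.
 *
 * <p>This module never receives a password. It reads a trust-state map that an
 * earlier module in the same login context stored in the shared state under
 * {@code KEY_TRUST_STATE}. That map must carry {@code Boolean.TRUE} under
 * {@code KEY_TRUSTED} and either a {@link Principal} ({@code KEY_PRINCIPAL}) or an
 * {@link X509Certificate} chain ({@code KEY_CERTIFICATES}). The user name is taken
 * from the principal or, failing that, by mapping the first certificate through the
 * {@link UserRegistry}; a temporary {@link Subject} is then authenticated for that
 * name through the {@code system.DEFAULT} configuration without any further
 * credential check, so the trust flag validated in {@link #login()} is the only
 * gate on this login. {@link #commit()} merges the temporary subject into the
 * login context's subject; {@link #abort()} and {@link #logout()} remove it again.
 *
 * <p>Not thread-safe: a JAAS login context drives one instance sequentially.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class IdentityAssertionLoginModule implements LoginModule {
    private static final TraceComponent tc = Tr.register(IdentityAssertionLoginModule.class, "Authentication", "com.ibm.ws.security.authentication.internal.resources.AuthenticationMessages");

    /** Shared-state key under which the trust validator stores the trust-state map. */
    private static final String KEY_TRUST_STATE = "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state";
    /** Trust-state key for the asserted {@link Principal} (may be absent if a certificate chain is given). */
    private static final String KEY_PRINCIPAL = "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal";
    /** Trust-state key for the asserted {@link X509Certificate}[] chain (may be absent if a principal is given). */
    private static final String KEY_CERTIFICATES = "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates";
    /** Trust-state key for the {@link Boolean} trust decision; must be {@code TRUE} for the login to proceed. */
    private static final String KEY_TRUSTED = "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted";

    /** Subject of the login context; populated in {@link #commit()}. */
    private Subject subject;
    /** Shared state handed over by {@link #initialize}; read for {@code KEY_TRUST_STATE}. */
    private Map<String, ?> sharedState;
    /** Subject produced for the asserted user in {@link #login()}; {@code null} until then. */
    protected Subject temporarySubject;
    /** Principal taken from the trust state, or {@code null}. */
    private Principal trustedPrincipal;
    /** Certificate chain taken from the trust state, or {@code null}. */
    private X509Certificate[] certificateChain;
    /** User name resolved from the principal or certificate; cleared on abort/logout. */
    private String username;
    /** Registry used to map a certificate to a user name. */
    private UserRegistry userRegistry;
    static final long serialVersionUID = 640671690103067063L;

    /**
     * Stores the subject and shared state for later phases.
     *
     * <p>{@code callbackHandler} and {@code options} are not used: this module
     * collects no credentials and reads all of its input from the shared state.
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.sharedState = sharedState;
    }

    /**
     * Validates the trust state, resolves the asserted user name and authenticates
     * a temporary subject for it.
     *
     * @return {@code true} when the temporary subject was created
     * @throws WSLoginFailedException if trust was not established, no usable
     *         identity data was supplied, or any step of the login fails; other
     *         exceptions are recorded via FFDC and rethrown as this type so the
     *         caller only ever sees a login failure
     */
    @FFDCIgnore({ WSLoginFailedException.class })
    @Override
    public boolean login() throws WSLoginFailedException {
        try {
            this.userRegistry = getUserRegistry();
            // Map<?, ?> avoids an unchecked cast; the keys are looked up by constant String.
            setUserNameFromDataInTrustState((Map<?, ?>) this.sharedState.get(KEY_TRUST_STATE));
            setUpTemporarySubject();
            return true;
        } catch (WSLoginFailedException e) {
            throw e;
        } catch (Exception e) {
            // The original exception is captured by FFDC; only its message is surfaced.
            FFDCFilter.processException(e, "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule", "135", this, new Object[0]);
            throw new WSLoginFailedException(e.getLocalizedMessage());
        }
    }

    /** Checks trust, pulls principal/certificates out of the trust state and derives the user name. */
    private void setUserNameFromDataInTrustState(Map<?, ?> trustState) throws WSLoginFailedException {
        validateTrust(trustState);
        this.trustedPrincipal = (Principal) trustState.get(KEY_PRINCIPAL);
        this.certificateChain = (X509Certificate[]) trustState.get(KEY_CERTIFICATES);
        validateSufficientData();
        setUserName();
    }

    /**
     * Fails unless the trust validator recorded {@code Boolean.TRUE} under {@code KEY_TRUSTED}.
     *
     * <p>The three failure cases (no trust state, no trust key, trust explicitly
     * false) are reported with distinct messages so a misconfigured stack can be
     * told apart from a rejected assertion. A missing key is checked before the
     * flag is read so that it is reported as a failed login rather than a
     * {@link NullPointerException}.
     */
    private void validateTrust(Map<?, ?> trustState) throws WSLoginFailedException {
        if (trustState == null) {
            throw new WSLoginFailedException("No Trust information for trust validation.");
        }
        Boolean trusted = (Boolean) trustState.get(KEY_TRUSTED);
        if (trusted == null) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Missing a trust key", new Object[0]);
            }
            throw new WSLoginFailedException("No Trust Validator configured for trust validation, identity assertion is disabled.");
        }
        if (!trusted.booleanValue()) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "trust is false", new Object[0]);
            }
            throw new WSLoginFailedException("No Trust established for trust validation, identity assertion is disabled.");
        }
    }

    /** Fails when neither a principal nor a non-empty certificate chain was asserted. */
    private void validateSufficientData() throws WSLoginFailedException {
        if (this.trustedPrincipal == null && !hasCertificate()) {
            throw new WSLoginFailedException("No principal or X509Certificate provided to login new user with.");
        }
    }

    /** Whether a certificate chain with at least one entry is available. */
    private boolean hasCertificate() {
        return this.certificateChain != null && this.certificateChain.length > 0;
    }

    /** Prefers the principal's name; falls back to the certificate mapping when that yields {@code null}. */
    private void setUserName() throws WSLoginFailedException {
        this.username = getUserNameFromPrincipal();
        if (this.username == null) {
            this.username = getUserNameFromCertificate();
        }
    }

    /**
     * Returns the principal name with everything up to and including the last
     * {@code '/'} removed (presumably a realm qualifier; confirm against the
     * principal format the trust validator produces), or {@code null} when there
     * is no principal or it has no name.
     */
    private String getUserNameFromPrincipal() {
        if (this.trustedPrincipal == null) {
            return null;
        }
        String name = this.trustedPrincipal.getName();
        if (name == null) {
            return null;
        }
        int slash = name.lastIndexOf("/");
        return slash >= 0 ? name.substring(slash + 1) : name;
    }

    /**
     * Maps the first certificate of the chain to a user name through the registry.
     *
     * @throws WSLoginFailedException if no certificate is available (reachable when a
     *         principal is present but has no name) or the registry mapping fails
     */
    private String getUserNameFromCertificate() throws WSLoginFailedException {
        if (!hasCertificate()) {
            throw new WSLoginFailedException("No principal or X509Certificate provided to login new user with.");
        }
        try {
            return this.userRegistry.mapCertificate(this.certificateChain[0]);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule", "201", this, new Object[0]);
            throw new WSLoginFailedException(e.getLocalizedMessage());
        }
    }

    /**
     * Authenticates the asserted user by name only through the {@code system.DEFAULT}
     * configuration; no password is supplied, which is why {@link #validateTrust}
     * must have passed first.
     */
    private void setUpTemporarySubject() throws Exception {
        this.temporarySubject = new AuthenticateUserHelper().authenticateUser(getAuthenticationService(), this.username, "system.DEFAULT");
    }

    /**
     * Copies the temporary subject into the login context's subject.
     *
     * @return {@code true} when the subject was populated, {@code false} (abstain)
     *         when {@link #login()} did not produce a temporary subject
     */
    @Override
    public boolean commit() throws WSLoginFailedException {
        if (this.temporarySubject == null) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isEventEnabled()) {
                Tr.event(tc, "Authentication did not occur for this login module, abstaining.", new Object[0]);
            }
            return false;
        }
        setUpSubject();
        return true;
    }

    /**
     * Merges the temporary subject into {@code subject} inside a privileged block
     * (modifying a subject's sets is permission-checked under a security manager).
     *
     * @throws WSLoginFailedException if the privileged action fails
     */
    protected void setUpSubject() throws WSLoginFailedException {
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws Exception {
                    IdentityAssertionLoginModule.this.updateSubjectWithTemporarySubjectContents();
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e, "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule", "253", this, new Object[0]);
            throw new WSLoginFailedException("Unable to setup the Subject: " + e.getLocalizedMessage());
        }
    }

    /** Adds the temporary subject's principals and public/private credentials to {@code subject}. */
    protected void updateSubjectWithTemporarySubjectContents() {
        this.subject.getPrincipals().addAll(this.temporarySubject.getPrincipals());
        this.subject.getPublicCredentials().addAll(this.temporarySubject.getPublicCredentials());
        this.subject.getPrivateCredentials().addAll(this.temporarySubject.getPrivateCredentials());
    }

    /** Undoes {@link #commit()} and forgets the asserted identity. Always returns {@code true}. */
    @Override
    public boolean abort() throws LoginException {
        discardLoginState();
        return true;
    }

    /** Removes what {@link #commit()} added and forgets the asserted identity. Always returns {@code true}. */
    @Override
    public boolean logout() throws LoginException {
        discardLoginState();
        return true;
    }

    /** Shared tail of abort/logout: strip the temporary subject and drop the asserted identity data. */
    private void discardLoginState() {
        cleanUpSubject();
        this.username = null;
        this.trustedPrincipal = null;
        this.certificateChain = null;
    }

    private UserRegistry getUserRegistry() throws RegistryException {
        return JAASServiceImpl.getUserRegistry();
    }

    private AuthenticationService getAuthenticationService() {
        return JAASServiceImpl.getAuthenticationService();
    }

    /**
     * Removes everything the temporary subject contributed from {@code subject}
     * (privileged, see {@link #setUpSubject()}) and clears the temporary subject.
     * No-op on the subject when there is no temporary subject.
     */
    private void cleanUpSubject() {
        if (this.temporarySubject != null) {
            AccessController.doPrivileged(new PrivilegedAction<Void>() {
                @Override
                public Void run() {
                    Subject target = IdentityAssertionLoginModule.this.subject;
                    Subject temp = IdentityAssertionLoginModule.this.temporarySubject;
                    target.getPrincipals().removeAll(temp.getPrincipals());
                    target.getPublicCredentials().removeAll(temp.getPublicCredentials());
                    target.getPrivateCredentials().removeAll(temp.getPrivateCredentials());
                    return null;
                }
            });
        }
        this.temporarySubject = null;
    }
}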
