package com.ibm.websphere.security;

import com.ibm.ISecurityUtilityImpl.RealmSecurityName;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ffdc.Manager;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.ws.portletcontainer.portlet.PortletUtils;
import com.ibm.ws.security.config.AuthMechanismConfig;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.config.SingleSignonConfig;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.security.util.Base64Coder;
import com.ibm.ws.security.util.StringUtil;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import com.ibm.wsspi.security.token.PropagationToken;
import com.ibm.wsspi.security.token.SingleSignonToken;
import com.ibm.wsspi.security.token.WSSecurityPropagationHelper;
import java.lang.reflect.Method;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.PortletSession;
import javax.security.auth.AuthPermission;
import javax.security.auth.Subject;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:wasJars/wssec.jar:com/ibm/websphere/security/WSSecurityHelper.class */
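/**
 * Static helpers that expose security-propagation and single-sign-on state to
 * application code: the propagated caller and server lists, arbitrary
 * propagation attributes, the LTPA SSO cookie of the current subject, and
 * revocation of SSO cookies on logout.
 *
 * <p>Every accessor reads the thread's current {@link PropagationToken} through
 * {@link ContextManagerFactory} and returns {@code null} (rather than throwing)
 * when propagation is disabled, no token is present, or the attribute is absent.
 * Only the cookie-revocation path throws, and then always as a
 * {@link RuntimeException} carrying the original cause.
 *
 * <p>The class is a static utility; it keeps no per-call state. The only mutable
 * statics are the lazily resolved logout-cookie reflection handles, which are
 * initialised under a lock and published only after the whole lookup succeeded.
 */
public final class WSSecurityHelper {
    private static final TraceComponent tc = Tr.register(WSSecurityHelper.class, (String) null, AdminConstants.MSG_BUNDLE_NAME);
    /** Java 2 permission required to read propagation attributes when a SecurityManager is installed. */
    private static final AuthPermission GETPROPATTRIBUTE_PERM = new AuthPermission("wssecurity.getPropagationAttributes");
    /** Java 2 permission required to add propagation attributes when a SecurityManager is installed. */
    private static final AuthPermission SETPROPATTRIBUTE_PERM = new AuthPermission("wssecurity.addPropagationAttribute");
    /** Name of the LTPA single-sign-on token whose bytes become the cookie value. */
    private static final String LTPA_TOKEN_NAME = "LtpaToken";
    // Lazily resolved by initLogoutCookieSupport(); all three are written together
    // under the class lock, and webAttributesClass != null marks a completed init.
    private static Class<?> webAttributesClass = null;
    private static Method createLogoutCookiesMethod = null;
    private static boolean isSSOEnabled = false;

    /**
     * Reports whether security is enabled for this server process.
     *
     * @return the server-level security flag from the {@link ContextManager}
     */
    public static boolean isServerSecurityEnabled() {
        return ContextManagerFactory.getInstance().isServerSecurityEnabled();
    }

    /**
     * Reports whether global (cell-level) security is enabled.
     *
     * @return the cell-level security flag from the {@link ContextManager}
     */
    public static boolean isGlobalSecurityEnabled() {
        return ContextManagerFactory.getInstance().isCellSecurityEnabled();
    }

    /**
     * Reports whether any form of security-attribute propagation (RMI inbound,
     * RMI outbound or web inbound) is switched on. Every public accessor below
     * short-circuits to {@code null} when it is not.
     *
     * @param caller name of the public method performing the check; used in the
     *        trace-exit message so the disabled path is attributable
     * @return {@code true} when at least one propagation direction is enabled
     */
    private static boolean isPropagationEnabled(String caller) {
        WSSecurityPropagationHelper helper = WSSecurityPropagationHelper.getInstance();
        boolean enabled = helper.isRMIInboundPropagationEnabled()
                || helper.isRMIOutboundPropagationEnabled()
                || helper.isWebInboundPropagationEnabled();
        if (!enabled && tc.isEntryEnabled()) {
            Tr.exit(tc, caller + ": propagation is disabled.");
        }
        return enabled;
    }

    /**
     * Returns the security name of the first (originating) caller recorded in the
     * propagation token, or {@code null} when propagation is disabled, no token or
     * caller list is present, or the first entry is {@code null}.
     *
     * @return the originating caller's security name as resolved by
     *         {@link RealmSecurityName#getSecurityName(String)}, or {@code null}
     */
    public static String getFirstCaller() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getFirstCaller");
        }
        if (!isPropagationEnabled("getFirstCaller")) {
            return null;
        }
        String[] callers = getCallerList();
        String first = (callers == null || callers.length == 0) ? null : callers[0];
        if (first == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getFirstCaller() returns null.");
            }
            return null;
        }
        String realmQualifiedName = stripCallerPrefix(first);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getFirstCaller() returns " + realmQualifiedName);
        }
        return RealmSecurityName.getSecurityName(realmQualifiedName);
    }

    /**
     * Drops the first three colon-delimited fields of a caller-list entry and
     * returns the remainder. The entry format is not visible here; the three-field
     * prefix is inferred from the original index arithmetic — TODO confirm against
     * the writer of {@code WSPROP_CALLERS}. An entry with fewer than three colons is
     * returned from the position the last successful search left, exactly as the
     * original nested {@code indexOf} arithmetic did.
     *
     * @param entry a non-null caller-list entry
     * @return the text after the third {@code ':'}
     */
    private static String stripCallerPrefix(String entry) {
        int pos = 0;
        for (int field = 0; field < 3; field++) {
            // indexOf returns -1 when absent, so pos falls back to 0 — same as the original
            pos = entry.indexOf(':', pos) + 1;
        }
        return entry.substring(pos);
    }

    /**
     * Returns the first (originating) server host recorded in the propagation
     * token, or {@code null} when propagation is disabled or no host list is present.
     *
     * @return the first element of {@link #getServerList()}, or {@code null}
     */
    public static String getFirstServer() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getFirstServer");
        }
        if (!isPropagationEnabled("getFirstServer")) {
            return null;
        }
        String[] servers = getServerList();
        if (servers == null || servers.length == 0) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getFirstServer() returns null.");
            }
            return null;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getFirstServer() returns " + servers[0]);
        }
        return servers[0];
    }

    /**
     * Returns the propagated caller list ({@code WSPROP_CALLERS}) from the thread's
     * propagation token.
     *
     * @return the caller entries, or {@code null} when propagation is disabled, no
     *         token is on the thread, the attribute is absent or empty, or the
     *         lookup threw (the failure is recorded via FFDC)
     */
    public static String[] getCallerList() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCallerList");
        }
        if (!isPropagationEnabled("getCallerList")) {
            return null;
        }
        try {
            PropagationToken token = ContextManagerFactory.getInstance().getPropagationToken(AttributeNameConstants.WSPROPTOKEN_KEY_V1);
            if (token == null) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "getCallerList() returns null, token not present.");
                }
                return null;
            }
            String[] callers = token.getAttributes(AttributeNameConstants.WSPROP_CALLERS);
            if (callers == null || callers.length == 0) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "getCallerList() returns null, attribute not present.");
                }
                return null;
            }
            if (tc.isEntryEnabled()) {
                // Arrays.toString: the original concatenated the array reference, which only traced its identity
                Tr.exit(tc, "getCallerList() returns " + Arrays.toString(callers));
            }
            return callers;
        } catch (Exception e) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "The following exception occurred calling getCallerList().", new Object[]{e});
            }
            Manager.Ffdc.log(e, WSSecurityHelper.class, "com.ibm.websphere.security.WSSecurityHelper.getCallerList", "254");
            return null;
        }
    }

    /**
     * Returns the propagated host list ({@code WSPROP_HOSTS}) from the thread's
     * propagation token. Unlike {@link #getCallerList()}, an empty attribute array
     * is returned as-is rather than mapped to {@code null}.
     *
     * @return the host entries as stored on the token (possibly {@code null} or
     *         empty), or {@code null} when propagation is disabled, no token is on
     *         the thread, or the lookup threw (recorded via FFDC and error trace)
     */
    public static String[] getServerList() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getServerList");
        }
        if (!isPropagationEnabled("getServerList")) {
            return null;
        }
        try {
            PropagationToken token = ContextManagerFactory.getInstance().getPropagationToken(AttributeNameConstants.WSPROPTOKEN_KEY_V1);
            if (token == null) {
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "getServerList() returns null, token not present.");
                }
                return null;
            }
            String[] hosts = token.getAttributes(AttributeNameConstants.WSPROP_HOSTS);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getServerList() returns " + Arrays.toString(hosts));
            }
            return hosts;
        } catch (Exception e) {
            Tr.error(tc, "The following exception occurred calling getServerList().", new Object[]{e});
            Manager.Ffdc.log(e, WSSecurityHelper.class, "com.ibm.websphere.security.WSSecurityHelper.getServerList", "308");
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "The following exception occurred calling getServerList().", new Object[]{e});
            }
            return null;
        }
    }

    /**
     * Reads a named attribute from the thread's propagation token.
     *
     * <p>When a {@link SecurityManager} is installed the caller must hold
     * {@code wssecurity.getPropagationAttributes}; without one (Java 2 security off)
     * the check is skipped and any code on the thread may read the attribute.
     *
     * @param str attribute name
     * @return the attribute values, or {@code null} when propagation is disabled or
     *         no token is on the thread
     * @throws WSSecurityException declared for API compatibility
     * @throws SecurityException when Java 2 security is on and the permission is missing
     */
    public static String[] getPropagationAttributes(String str) throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getPropagationAttributes: " + str);
        }
        if (!isPropagationEnabled("getPropagationAttributes")) {
            return null;
        }
        checkPermission(GETPROPATTRIBUTE_PERM);
        PropagationToken token = ContextManagerFactory.getInstance().getPropagationToken(AttributeNameConstants.WSPROPTOKEN_KEY_V1);
        if (token == null) {
            if (tc.isEntryEnabled()) {
                // The original traced this as an entry; it is the method's exit
                Tr.exit(tc, "getPropagationAttributes: no PropagationToken found on thread");
            }
            return null;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getPropagationAttributes: success");
        }
        return token.getAttributes(str);
    }

    /**
     * Adds a value to a named attribute on the thread's propagation token, creating
     * and installing a token on the thread when none exists yet.
     *
     * <p>When a {@link SecurityManager} is installed the caller must hold
     * {@code wssecurity.addPropagationAttribute}; without one the check is skipped.
     * Note that the attribute travels with the subject to downstream servers, so
     * callers are responsible for not storing secrets in it.
     *
     * @param str attribute name
     * @param str2 value to add
     * @return the result of {@link PropagationToken#addAttribute(String, String)},
     *         or {@code null} when propagation is disabled or no token could be
     *         obtained or created
     * @throws WSSecurityException declared for API compatibility
     * @throws SecurityException when Java 2 security is on and the permission is missing
     */
    public static String[] addPropagationAttribute(String str, String str2) throws WSSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addPropagationAttribute");
        }
        if (!isPropagationEnabled("addPropagationAttribute")) {
            return null;
        }
        checkPermission(SETPROPATTRIBUTE_PERM);
        ContextManager contextManager = ContextManagerFactory.getInstance();
        PropagationToken token = contextManager.getPropagationToken(AttributeNameConstants.WSPROPTOKEN_KEY_V1);
        if (token == null) {
            token = contextManager.createPropagationToken(null);
            if (token != null) {
                contextManager.setPropagationToken(AttributeNameConstants.WSPROPTOKEN_KEY_V1, token);
            }
        }
        if (token == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "addPropagationAttribute: attribute not set");
            }
            return null;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "addPropagationAttribute: success");
        }
        return token.addAttribute(str, str2);
    }

    /**
     * Enforces {@code perm} against the installed {@link SecurityManager}, if any.
     * With no SecurityManager installed this is a no-op.
     *
     * @param perm the permission the calling code must hold
     * @throws SecurityException when the check fails
     */
    private static void checkPermission(AuthPermission perm) {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(perm);
        }
    }

    /**
     * Base64-decodes a cookie value (as received from the client, i.e. untrusted)
     * into token bytes.
     *
     * @param str the cookie value
     * @return the decoded bytes, or {@code null} when decoding fails (recorded via
     *         FFDC; malformed client input never propagates as an exception)
     */
    public static byte[] convertCookieStringToBytes(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "convertCookieStringToBytes");
        }
        try {
            return StringUtil.getBytes(Base64Coder.base64Decode(str));
        } catch (Exception e) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "convertCookieStringToBytes: failed", new Object[]{e});
            }
            Manager.Ffdc.log(e, WSSecurityHelper.class, "com.ibm.websphere.security.WSSecurityHelper.convertCookieStringToBytes", "475");
            return null;
        }
    }

    /**
     * Adds logout (clearing) SSO cookies to the response so the browser discards
     * the LTPA token. Does nothing when global security is off or LTPA single
     * sign-on is disabled in the security configuration.
     *
     * <p>The actual work is delegated reflectively to
     * {@code com.ibm.ws.security.web.WebAttributes.createLogoutCookiesStatic}.
     * A failed lookup or invocation is surfaced as a {@link RuntimeException} (with
     * cause) rather than silently skipping the logout; a failed lookup is retried
     * on the next call instead of leaving the helper permanently disabled.
     *
     * @param httpServletRequest the request being logged out
     * @param httpServletResponse the response that receives the clearing cookies
     * @throws RuntimeException when the reflective lookup or invocation fails
     */
    public static void revokeSSOCookies(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "revokeSSOCookies");
        }
        if (!isGlobalSecurityEnabled()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No action because global security was not enabled");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "revokeSSOCookies");
            }
            return;
        }
        boolean ssoEnabled = initLogoutCookieSupport();
        if (!ssoEnabled) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No action because single sign-on is not enabled for LTPA");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "revokeSSOCookies");
            }
            return;
        }
        // Safe to read without the lock: initLogoutCookieSupport() published it under the class monitor
        Method logoutCookies = createLogoutCookiesMethod;
        if (logoutCookies == null) {
            // Unreachable after a successful init; fail loudly rather than skip the logout
            Tr.error(tc, "revokeSSOCookies init condition incorrect.");
            throw new IllegalStateException("revokeSSOCookies init condition incorrect.");
        }
        try {
            logoutCookies.invoke(null, httpServletRequest, httpServletResponse);
        } catch (Exception e2) {
            Tr.error(tc, "Invoke createLogoutCookie failed with Exception:", new Object[]{e2});
            throw new RuntimeException(e2.getMessage(), e2);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "revokeSSOCookies");
        }
    }

    /**
     * Resolves the reflective logout-cookie handle and the LTPA SSO "enabled" flag
     * once, under the class lock. The statics are assigned only after every step
     * succeeded, so a partially failed attempt (which previously left
     * {@code webAttributesClass} set and every later call a silent no-op) is
     * retried by the next caller.
     *
     * @return whether LTPA single sign-on is enabled in the security configuration
     * @throws RuntimeException (with cause) when the class, method or configuration
     *         cannot be resolved
     */
    private static synchronized boolean initLogoutCookieSupport() {
        if (webAttributesClass != null) {
            return isSSOEnabled;
        }
        try {
            Class<?> webAttributes = Class.forName("com.ibm.ws.security.web.WebAttributes");
            Method method = webAttributes.getMethod("createLogoutCookiesStatic", HttpServletRequest.class, HttpServletResponse.class);
            AuthMechanismConfig ltpa = SecurityObjectLocator.getSecurityConfig().getAuthMechanism("LTPA");
            if (ltpa == null) {
                Tr.warning(tc, "ltpa is null");
                // The original fell through to a NullPointerException here; make the cause explicit
                throw new IllegalStateException("LTPA authentication mechanism configuration not found");
            }
            SingleSignonConfig sso = ltpa.getSingleSignon();
            if (sso == null) {
                Tr.warning(tc, "ltpa's sso is null");
                throw new IllegalStateException("Single sign-on configuration not found for LTPA");
            }
            boolean enabled = sso.getBoolean("enabled");
            createLogoutCookiesMethod = method;
            isSSOEnabled = enabled;
            webAttributesClass = webAttributes; // marks init complete; assigned last
            return enabled;
        } catch (Exception e) {
            Tr.error(tc, "Initialization revokeSSOCookies failed with Exception:", new Object[]{e});
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    /**
     * Portlet variant of {@link #revokeSSOCookies}: revokes the SSO cookies on the
     * underlying servlet request/response and then invalidates the existing portlet
     * session, if there is one (it is never created here).
     *
     * @param actionRequest the portlet action request
     * @param actionResponse the portlet action response
     * @throws RuntimeException propagated from {@link #revokeSSOCookies}
     */
    public static void revokeSSOCookiesForPortlets(ActionRequest actionRequest, ActionResponse actionResponse) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "revokeSSOCookiesForPortlets");
        }
        HttpServletRequest servletRequest = PortletUtils.getHttpServletRequest(actionRequest);
        HttpServletResponse servletResponse = PortletUtils.getHttpServletResponse(actionResponse);
        revokeSSOCookies(servletRequest, servletResponse);
        PortletSession portletSession = actionRequest.getPortletSession(false);
        if (portletSession == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Existing portlet Session does not exist, nothing to invalidate");
            }
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "invalidating existing portlet Session");
            }
            portletSession.invalidate();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "revokeSSOCookiesForPortlets");
        }
    }

    /**
     * Builds an LTPA cookie from the SSO token of the current thread, consulting
     * the RunAs subject first, then the invocation subject, then the caller subject,
     * and stopping at the first that yields a cookie.
     *
     * @return the cookie, or {@code null} when none of the subjects is present or
     *         carries an {@code LtpaToken} SSO token
     * @throws Exception anything thrown while obtaining the subjects; it is traced
     *         at debug level and rethrown unchanged
     */
    public static Cookie getLTPACookieFromSSOToken() throws Exception {
        ContextManager contextManager = ContextManagerFactory.getInstance();
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getLTPACookie");
        }
        try {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getLTPACookieFromSSOToken trying runAsSubject");
            }
            Subject runAsSubject = WSSubject.getRunAsSubject();
            Subject invocationSubject = null;
            Subject callerSubject = null;
            Cookie cookie = runAsSubject == null ? null : getLTPACookie(runAsSubject);
            if (cookie == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "getLTPACookieFromSSOToken trying invocationSubject");
                }
                invocationSubject = contextManager.getInvocationSubject();
                if (invocationSubject != null) {
                    cookie = getLTPACookie(invocationSubject);
                }
            }
            if (cookie == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "getLTPACookieFromSSOToken trying callerSubject");
                }
                callerSubject = contextManager.getCallerSubject();
                if (callerSubject != null) {
                    cookie = getLTPACookie(callerSubject);
                }
            }
            if (runAsSubject == null && invocationSubject == null && callerSubject == null && tc.isDebugEnabled()) {
                Tr.debug(tc, "runAsSubject, invocationSubject and callerSubject on the thread are all null");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getLTPACookieFromSSOToken: " + (cookie == null ? "null" : cookie.toString()));
            }
            return cookie;
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getLTPACookieFromSSOToken caught exception: " + e.getMessage());
            }
            throw e;
        }
    }

    /**
     * Finds the {@code LtpaToken} SSO token among the subject's private and public
     * credentials and turns it into a cookie.
     *
     * @param subject the subject to inspect; {@code null} yields {@code null}
     * @return the cookie for the first {@code LtpaToken} found, or {@code null} when
     *         the subject has no such token or credential access failed (recorded
     *         via FFDC)
     * @throws Exception declared for compatibility; failures are caught and mapped
     *         to {@code null}
     */
    private static Cookie getLTPACookie(final Subject subject) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getLTPACookie");
        }
        if (subject == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getLTPACookie");
            }
            return null;
        }
        try {
            Set<SingleSignonToken> ssoTokens = collectSSOTokens(subject);
            Cookie cookie = null;
            if (ssoTokens.isEmpty()) {
                // The original tested the set for null (never true) and so never traced this
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "getLTPACookie: no ssotoken found for this subject");
                }
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "getLTPACookie got a  not null ssoTokensFromSubject");
                }
                for (SingleSignonToken ssoToken : ssoTokens) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "getLTPACookie getting next ssoToken");
                    }
                    String name = ssoToken.getName();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "getLTPACookie this ssoToken name is: " + name);
                    }
                    // constant-first equals: a token with a null name is skipped instead of throwing
                    if (LTPA_TOKEN_NAME.equals(name)) {
                        cookie = constructLTPACookieObj(ssoToken);
                        break;
                    }
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getLTPACookie");
            }
            return cookie;
        } catch (Exception e) {
            Manager.Ffdc.log(e, WSSecurityHelper.class, "com.ibm.ws.security.auth.LTPACookieBuilder.getLTPACookie", "250");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getLTPACookie caught exception", new Object[]{e});
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getLTPACookie: returning (null)");
            }
            return null;
        }
    }

    /**
     * Collects the subject's {@link SingleSignonToken} credentials, private and
     * public, into one set. Private credentials are read inside a privileged block
     * because reading them is permission-checked under Java 2 security.
     *
     * @param subject a non-null subject
     * @return a new, possibly empty, set of SSO tokens
     */
    private static Set<SingleSignonToken> collectSSOTokens(final Subject subject) {
        Set<SingleSignonToken> tokens = new HashSet<SingleSignonToken>();
        @SuppressWarnings("unchecked")
        Set<SingleSignonToken> privateTokens = (Set<SingleSignonToken>) AccessController.doPrivileged(new PrivilegedAction<Set<SingleSignonToken>>() {
            @Override
            public Set<SingleSignonToken> run() {
                return subject.getPrivateCredentials(SingleSignonToken.class);
            }
        });
        if (privateTokens != null) {
            tokens.addAll(privateTokens);
        }
        Set<SingleSignonToken> publicTokens = subject.getPublicCredentials(SingleSignonToken.class);
        if (publicTokens != null) {
            tokens.addAll(publicTokens);
        }
        return tokens;
    }

    /**
     * Builds a servlet cookie whose name is the token name plus its version and
     * whose value is the Base64-encoded token bytes.
     *
     * <p>Only name and value are set here: the cookie carries no {@code Secure},
     * {@code HttpOnly}, path or domain attributes, so a caller that sends it to a
     * client must set those itself.
     *
     * @param singleSignonToken the SSO token to encode
     * @return the new cookie
     */
    private static Cookie constructLTPACookieObj(SingleSignonToken singleSignonToken) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "constructLTPACookieObj");
        }
        // Short.valueOf accepts either a short or a numeric String, matching the original boxing constructor
        String cookieName = singleSignonToken.getName() + Short.valueOf(singleSignonToken.getVersion()).toString();
        String cookieValue = Base64Coder.base64Encode(StringUtil.toString(singleSignonToken.getBytes()));
        Cookie cookie = new Cookie(cookieName, cookieValue);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, cookie.toString());
        }
        return cookie;
    }
}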
