package com.ibm.xml.soapsec.token;

import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.util.AccessController;
import com.ibm.wsspi.wssecurity.SoapSecurityException;
import com.ibm.wsspi.wssecurity.auth.callback.CallbackHandlerFactory;
import com.ibm.wsspi.wssecurity.id.TrustedIDEvaluatorException;
import com.ibm.xml.soapsec.Constants;
import com.ibm.xml.soapsec.Result;
import com.ibm.xml.soapsec.ResultPool;
import com.ibm.xml.soapsec.dsig.SignatureReceiverConfig;
import com.ibm.xml.soapsec.dsig.SignatureResult;
import com.ibm.xml.soapsec.token.TokenResult;
import com.ibm.xml.soapsec.util.Tr;
import com.ibm.xml.soapsec.util.TraceComponent;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.faces.validator.BeanValidator;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/* loaded from: input_file:lib/ecc_v2r3m0f010/com.ibm.ws.webservices.thinclient_8.5.0.jar:com/ibm/xml/soapsec/token/ReceiverLogin.class */
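/**
 * Receiver-side WS-Security login component.
 *
 * <p>Walks the configured authentication methods in order
 * ({@code conf.getAuthMethods()}) and, for the first one that yields a
 * {@link Subject}, publishes a {@link LoginResult} into the {@link ResultPool}.
 * The supported methods visible here are:
 * <ul>
 *   <li>{@code Constants.STR_ID} (identity assertion): the asserted identity is
 *       taken from an ID-assertion Username token, or (when {@code idType} is
 *       {@code "X509Certificate"}) from an unused X509 token; the sender is then
 *       checked against the trusted-ID evaluator according to {@code trustMode}.</li>
 *   <li>{@code Constants.STR_BASIC}: the subject of the first non-asserting
 *       Username token.</li>
 *   <li>{@code "Signature"}: a JAAS login keyed on the security name mapped from the
 *       first compliant signature's certificate.</li>
 *   <li>anything else: the subject of the first generic token result.</li>
 * </ul>
 *
 * <p>Decompiled listing; line-number strings passed to {@code Tr.processException}
 * refer to the original source and are kept verbatim.
 */
public class ReceiverLogin implements ReceiverLoginComponent {
    private static final TraceComponent tc = Tr.register(ReceiverLogin.class, Constants.TR_GROUP, "com.ibm.ws.webservices.wssecurity.resources.was-wssecurity");
    private static final String clsName = ReceiverLogin.class.getName();
    private static final String comp = "security.wssecurity";
    /** Separator between rendered arguments in entry-trace strings (was sourced from an unrelated JSF constant). */
    private static final String TRACE_ARG_SEP = ",";
    /** Token-consumer configuration; {@code null} until {@link #init(Map)} runs. */
    protected TokenReceiverConfig conf = null;
    /** Signature-consumer configuration; may be {@code null} if absent from the init map. */
    protected SignatureReceiverConfig sconf = null;
    /** Realm of the active user registry, captured at init and used for context-manager logins. */
    protected String currentRealm = null;

    /**
     * Pulls the token and signature receiver configurations out of the component map
     * and records the current registry realm.
     *
     * @param map component configuration keyed by config class
     * @throws Exception propagated from registry access
     */
    @Override // com.ibm.xml.soapsec.SoapSecurityComponent
    public void init(Map map) throws Exception {
        this.conf = (TokenReceiverConfig) map.get(TokenReceiverConfig.class);
        this.sconf = (SignatureReceiverConfig) map.get(SignatureReceiverConfig.class);
        this.currentRealm = UserRegistry.getInstance().getRealm();
    }

    /**
     * Authenticates the caller of an inbound message from the token and signature
     * results already placed in the context, and adds a {@link LoginResult}.
     *
     * @param document the inbound SOAP document (unused except for tracing)
     * @param element  the target security header element (unused except for tracing)
     * @param map      the per-message context holding the {@link ResultPool}
     * @throws SoapSecurityException with an InvalidSecurity fault if the component is
     *         not configured; a FailedAuthentication fault if no method produced a
     *         subject; a FailedCheck fault if the security token had to be signed and
     *         was not; plain faults for trust-evaluation failures
     */
    /* JADX WARN: Multi-variable type inference failed */
    @Override // com.ibm.xml.soapsec.SoapSecurityComponent
    public void invoke(Document document, Element element, Map map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            // NOTE(review): the whole message context is rendered into the trace entry; if it
            // can carry token material this ends up in trace logs -- confirm before enabling.
            Tr.entry(tc, "invoke(" + document + TRACE_ARG_SEP + element + TRACE_ARG_SEP + map + ")");
        }
        if (this.conf == null) {
            throw SoapSecurityException.format(Constants.getQName(Constants.getWSSENS(map), Constants.INVALID_SECURITY_QNAME), "security.wssecurity.ReceiverLogin.token01");
        }
        String idType = this.conf.getIdType();
        String trustMode = this.conf.getTrustMode();
        List<String> authMethods = this.conf.getAuthMethods();
        if (authMethods == null) {
            authMethods = new LinkedList();
        }
        Subject subject = null;
        // id name of the token that produced the subject; used for the "token must be signed" check
        String tokenIdName = null;
        // set when the Signature method performed the login (the signing cert is the token, so no extra signing check)
        boolean signatureLogin = false;
        // comma-separated list of the methods tried, for the failure message
        String attemptedMethods = null;
        for (String authMethod : authMethods) {
            attemptedMethods = attemptedMethods == null ? authMethod : attemptedMethods + ", " + authMethod;
            if (authMethod.equals(Constants.STR_ID)) {
                // --- identity assertion: pick the asserted identity ---
                TokenResult.Username assertingToken = null;
                if (!idType.equals("X509Certificate")) {
                    Result[] usernameResults = ResultPool.get(map, TokenResult.Username.class);
                    for (int i = 0; i < usernameResults.length; i++) {
                        TokenResult.Username candidate = (TokenResult.Username) usernameResults[i];
                        if (candidate.isIdAssertion()) {
                            subject = candidate.getSubject();
                            tokenIdName = candidate.getIdName();
                            assertingToken = candidate;
                            break;
                        }
                    }
                } else {
                    Result[] x509Results = ResultPool.get(map, TokenResult.X509.class);
                    for (int i = 0; i < x509Results.length; i++) {
                        TokenResult.X509 x509 = (TokenResult.X509) x509Results[i];
                        if (!x509.getUsed()) {
                            // Asserted identity is the registry name mapped from the certificate;
                            // logged in with no password (the trust check below vouches for it).
                            subject = login(this.conf.getLoginMapping(Constants.STR_ID), getSecurityName(x509.getCertificate()), null, null, map);
                            tokenIdName = x509.getIdName();
                            assertingToken = x509;
                            x509.setAuthenticatedId();
                            break;
                        }
                    }
                }
                // --- trust check on the intermediary that asserted the identity ---
                if (Constants.STR_BASIC.equals(trustMode)) {
                    // The sender must present a (non-asserting) Username token whose username the
                    // trusted-ID evaluator accepts.
                    Result[] usernameResults = ResultPool.get(map, TokenResult.Username.class);
                    boolean trustedSender = false;
                    for (int i = 0; i < usernameResults.length; i++) {
                        TokenResult.Username candidate = (TokenResult.Username) usernameResults[i];
                        if (!candidate.isIdAssertion() && validateId(candidate.getUsername())) {
                            trustedSender = true;
                            break;
                        }
                    }
                    if (!trustedSender) {
                        throw SoapSecurityException.format("security.wssecurity.ReceiverLogin.token35");
                    }
                } else if ("Signature".equals(trustMode)) {
                    // The asserting token must be covered by a signature whose certificate maps
                    // to a name the trusted-ID evaluator accepts.
                    Result[] signatureResults = ResultPool.get(map, SignatureResult.class);
                    if (signatureResults.length <= 0) {
                        throw SoapSecurityException.format("security.wssecurity.ReceiverLogin.token03");
                    }
                    // assertingToken is null when no ID-assertion token was found above; report the
                    // "no id name" fault rather than failing with a NullPointerException.
                    String assertedIdName = assertingToken == null ? null : assertingToken.getIdName();
                    if (assertedIdName == null) {
                        throw SoapSecurityException.format("security.wssecurity.ReceiverLogin.token05");
                    }
                    boolean trustedSigner = false;
                    for (int i = 0; i < signatureResults.length; i++) {
                        SignatureResult signatureResult = (SignatureResult) signatureResults[i];
                        String signerName = getSecurityName(signatureResult.getCertificate());
                        if (signatureResult.isSigned(assertedIdName) && validateId(signerName)) {
                            trustedSigner = true;
                            break;
                        }
                    }
                    if (!trustedSigner) {
                        throw SoapSecurityException.format("security.wssecurity.ReceiverLogin.token06");
                    }
                }
                // NOTE(review): any other trustMode value (including null) performs no trust check on
                // the asserted identity here -- confirm that upstream configuration rejects such values.
                if (subject != null) {
                    ContextManager contextManager = ContextManagerFactory.getInstance();
                    // Optional "LoginUsername" property of the ID login mapping; null if absent.
                    String loginUsername = null;
                    Map properties = this.conf.getLoginMapping(Constants.STR_ID).getProperties();
                    if (properties != null) {
                        Set<String> keySet = properties.keySet();
                        if (keySet != null && !keySet.isEmpty()) {
                            for (String key : keySet) {
                                if ("LoginUsername".equals(key)) {
                                    loginUsername = (String) properties.get(key);
                                }
                            }
                        } else if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "CallerConfig's properties has no entry.");
                        }
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Extracted Username", loginUsername);
                        }
                    } else if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "properties is null.");
                    }
                    if (contextManager == null) {
                        Tr.error(tc, "security.wssecurity.ctxmgr.isnull");
                    } else {
                        try {
                            // NOTE(review): the context-manager login uses the configured LoginUsername
                            // (possibly null), not the asserted id -- confirm this is intended.
                            addToSubject(contextManager.login(this.currentRealm, loginUsername), subject);
                        } catch (WSLoginFailedException e) {
                            Tr.processException((Throwable) e, clsName + ".login", "236", (Object) this);
                            throw SoapSecurityException.format("security.wssecurity.ReceiverLogin.token11", e);
                        }
                    }
                }
            } else if (authMethod.equals(Constants.STR_BASIC)) {
                // --- basic auth: first non-asserting Username token ---
                Result[] usernameResults = ResultPool.get(map, TokenResult.Username.class);
                for (int i = 0; i < usernameResults.length; i++) {
                    TokenResult.Username candidate = (TokenResult.Username) usernameResults[i];
                    if (!candidate.isIdAssertion()) {
                        subject = candidate.getSubject();
                        tokenIdName = candidate.getIdName();
                        break;
                    }
                }
            } else if (authMethod.equals("Signature")) {
                // --- signature auth: log in as the owner of the first compliant signing certificate ---
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "authMethod is Signature.");
                }
                Result[] signatureResults = ResultPool.get(map, SignatureResult.class);
                String signerName = null;
                for (int i = 0; i < signatureResults.length; i++) {
                    SignatureResult signatureResult = (SignatureResult) signatureResults[i];
                    if (!signatureResult.getCompliance()) {
                        continue;
                    }
                    signerName = getSecurityName(signatureResult.getCertificate());
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Calling Signature login module, uname is " + signerName);
                    }
                    subject = login(this.conf.getLoginMapping("Signature"), signerName, null, null, map);
                    if (tc.isDebugEnabled()) {
                        if (subject == null) {
                            Tr.debug(tc, "Subject returned from Signature login module is null.");
                        } else {
                            Tr.debug(tc, "Subject returned from Signature login module is not null.");
                        }
                    }
                    signatureLogin = true;
                    signatureResult.setAuthenticatedId();
                    // First compliant signature wins. The decompiled listing had no exit here and
                    // never advanced the index past a compliant signature, i.e. it looped forever.
                    break;
                }
                if (subject != null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "authMethod is Signature, subject is not null, uname is " + signerName);
                    }
                    ContextManager contextManager = ContextManagerFactory.getInstance();
                    if (contextManager == null) {
                        Tr.error(tc, "security.wssecurity.ctxmgr.isnull");
                    } else {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "about to do context manager login. realm is " + this.currentRealm + ", uname is " + signerName);
                        }
                        try {
                            Subject login = contextManager.login(this.currentRealm, signerName);
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Context manager login successful. About to add credentials and principal to subject.");
                            }
                            addToSubject(login, subject);
                        } catch (WSLoginFailedException e2) {
                            Tr.processException((Throwable) e2, clsName + ".login", "307", (Object) this);
                            throw SoapSecurityException.format("security.wssecurity.ReceiverLogin.token11", e2);
                        }
                    }
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "authMethod is Signature, subject is null");
                }
            } else {
                // --- any other method: first generic token result ---
                Result[] genericResults = ResultPool.get(map, TokenResult.Generic.class);
                if (0 < genericResults.length) {
                    TokenResult.Generic generic = (TokenResult.Generic) genericResults[0];
                    subject = generic.getSubject();
                    tokenIdName = generic.getIdName();
                }
            }
            // First method that yields a subject wins.
            if (subject != null) {
                break;
            }
        }
        if (authMethods.size() != 0) {
            if (subject == null) {
                Tr.error(tc, "security.wssecurity.WSEC5207E", new Object[]{attemptedMethods});
                throw SoapSecurityException.format(Constants.getQName(Constants.getWSSENS(map), Constants.FAILED_AUTHENTICATION_QNAME), "security.wssecurity.ReceiverLogin.token07");
            }
            // When "securitytoken" is a required integral part, the token that produced the subject
            // must be covered by some signature (skipped for Signature logins, where the token is the
            // signing certificate itself). sconf is dereferenced unguarded here; it is null if the
            // signature config was absent from the init map.
            if (!signatureLogin && this.sconf.getRequiredIntegralParts().contains("securitytoken")) {
                boolean tokenSigned = false;
                Result[] signatureResults = ResultPool.get(map, SignatureResult.class);
                for (int i = 0; i < signatureResults.length; i++) {
                    if (((SignatureResult) signatureResults[i]).isSigned(tokenIdName)) {
                        tokenSigned = true;
                        break;
                    }
                }
                if (!tokenSigned) {
                    throw SoapSecurityException.format(Constants.getQName(Constants.getWSSENS(map), Constants.FAILED_CHECK_QNAME), "security.wssecurity.ReceiverLogin.unsigned");
                }
            }
            ResultPool.add(map, new LoginResult(subject));
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "invoke(Document doc, Element target,Map context)");
        }
    }

    /**
     * Copies every non-null public credential, private credential and principal from
     * {@code subject} into {@code subject2}, skipping (and logging at error level)
     * entries {@code subject2} already contains. Runs under a privileged action so the
     * Subject mutation does not depend on the caller's protection domain.
     *
     * @param subject  the source subject (e.g. from the context-manager login)
     * @param subject2 the destination subject that will be published as the caller
     */
    private void addToSubject(final Subject subject, final Subject subject2) {
        AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.xml.soapsec.token.ReceiverLogin.1
            @Override // java.security.PrivilegedAction
            public Object run() {
                for (Object obj : subject.getPublicCredentials()) {
                    if (obj != null) {
                        if (subject2.getPublicCredentials().contains(obj)) {
                            Tr.error(ReceiverLogin.tc, "Public credential already exists within subject");
                        } else {
                            if (ReceiverLogin.tc.isDebugEnabled()) {
                                Tr.debug(ReceiverLogin.tc, "Adding public object to Subject: " + obj);
                            }
                            subject2.getPublicCredentials().add(obj);
                        }
                    }
                }
                for (Object obj2 : subject.getPrivateCredentials()) {
                    if (obj2 != null) {
                        if (subject2.getPrivateCredentials().contains(obj2)) {
                            Tr.error(ReceiverLogin.tc, "Private credential already exists within subject");
                        } else {
                            if (ReceiverLogin.tc.isDebugEnabled()) {
                                // NOTE(review): renders a private credential via toString() into debug trace.
                                Tr.debug(ReceiverLogin.tc, "Adding private object to Subject: " + obj2);
                            }
                            subject2.getPrivateCredentials().add(obj2);
                        }
                    }
                }
                for (Principal principal : subject.getPrincipals()) {
                    if (principal != null) {
                        if (subject2.getPrincipals().contains(principal)) {
                            Tr.error(ReceiverLogin.tc, "Principal already exists within subject");
                        } else {
                            if (ReceiverLogin.tc.isDebugEnabled()) {
                                Tr.debug(ReceiverLogin.tc, "Adding principal object to Subject: " + principal);
                            }
                            subject2.getPrincipals().add(principal);
                        }
                    }
                }
                return null;
            }
        });
    }

    /**
     * Asks the configured trusted-ID evaluator whether {@code str} is a trusted
     * intermediary. Evaluator failures are logged and treated as "not trusted"
     * (fail closed).
     *
     * @param str the security name of the sender to evaluate
     * @return {@code true} only if the evaluator accepted the name
     */
    protected boolean validateId(String str) {
        try {
            return this.conf.getTrustedIDEvaluator().evaluate(str);
        } catch (TrustedIDEvaluatorException e) {
            Tr.processException(e, clsName + ".validateId", "265");
            Tr.error(tc, "security.wssecurity.ReceiverLogin.trust", e);
            return false;
        }
    }

    /**
     * Runs the JAAS login configured by {@code loginMapping} for a token.
     *
     * <p>The token is handed to the callback-handler factory according to its type:
     * {@code byte[]} as token bytes, {@link Element} as an XML token (with the SOAP
     * document), anything else as a username (cast to {@link String}) plus
     * {@code cArr} as the password. The password is never traced.
     *
     * @param loginMapping JAAS config name, callback-handler factory and properties
     * @param obj          the token: {@code byte[]}, {@link Element} or a username string
     * @param document     the SOAP document, only used for XML tokens
     * @param cArr         the password for username tokens; may be {@code null}
     * @param map          the message context, used to build fault codes
     * @return the authenticated subject from the login context
     * @throws SoapSecurityException InvalidSecurity if the login context cannot be
     *         created, FailedAuthentication if {@code login()} fails
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static Subject login(LoginMapping loginMapping, Object obj, Document document, char[] cArr, Map map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login(" + loginMapping + TRACE_ARG_SEP + obj + TRACE_ARG_SEP + "XXXXXX" + TRACE_ARG_SEP + map + ")");
        }
        CallbackHandlerFactory callbackHandlerFactory = loginMapping.getCallbackHandlerFactory();
        if (obj instanceof byte[]) {
            callbackHandlerFactory.setTokenBytes((byte[]) obj);
        } else if (obj instanceof Element) {
            callbackHandlerFactory.setXMLToken((Element) obj);
            callbackHandlerFactory.setSOAPMessage(document);
        } else {
            callbackHandlerFactory.setUsername((String) obj);
            callbackHandlerFactory.setPassword(cArr);
        }
        callbackHandlerFactory.setProperties(loginMapping.getProperties());
        try {
            LoginContext loginContext = new LoginContext(loginMapping.getConfigName(), callbackHandlerFactory.newCallbackHandler());
            try {
                loginContext.login();
                Subject subject = loginContext.getSubject();
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "login(LoginMapping mapping, Object token, char[] password) returns " + subject);
                }
                return subject;
            } catch (LoginException e) {
                Tr.processException(e, clsName + ".login", "315");
                Tr.error(tc, "security.wssecurity.WSEC5201E", e);
                throw SoapSecurityException.format(Constants.getQName(Constants.getWSSENS(map), Constants.FAILED_AUTHENTICATION_QNAME), "security.wssecurity.ReceiverLogin.token11", e.toString());
            }
        } catch (LoginException e2) {
            Tr.processException(e2, clsName + ".login", "300");
            Tr.error(tc, "security.wssecurity.ReceiverLogin.token10", e2);
            throw SoapSecurityException.format(Constants.getQName(Constants.getWSSENS(map), Constants.INVALID_SECURITY_QNAME), "security.wssecurity.ReceiverLogin.token10", e2.toString());
        }
    }

    /**
     * Maps a certificate to a registry security name via
     * {@code UserRegistry.mapCertificate}, falling back to the certificate's subject
     * DN when the registry returns null or an empty string.
     *
     * <p>Security note: the fallback means a certificate with no registry mapping is
     * still turned into a login name (its DN). Whether that name can then log in is
     * decided by the JAAS modules and the trusted-ID evaluator, not here.
     *
     * @param x509Certificate the certificate to map
     * @return the mapped registry name, or the subject DN string
     */
    private String getSecurityName(final X509Certificate x509Certificate) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSecurityName", x509Certificate);
        }
        String str = (String) AccessController.doPrivileged(new PrivilegedAction() { // from class: com.ibm.xml.soapsec.token.ReceiverLogin.2
            @Override // java.security.PrivilegedAction
            public Object run() {
                return UserRegistry.getInstance().mapCertificate(x509Certificate);
            }
        });
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "mappedName: " + str);
        }
        if (str == null || str.length() == 0) {
            // getSubjectDN() is deprecated, but its string form is kept because the
            // registry / evaluator may be configured against this exact format.
            str = x509Certificate.getSubjectDN().getName();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "mappedName is null, so used the DN in the certificate: " + str);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSecurityName returns " + str);
        }
        return str;
    }
}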
