package com.ibm.ws.jca.security.internal;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.security.EntryNotFoundException;
import com.ibm.websphere.security.PasswordCheckFailedException;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.wsspi.security.registry.RegistryHelper;
import java.rmi.RemoteException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.callback.PasswordValidationCallback;

/* loaded from: input_file:com/ibm/ws/jca/security/internal/J2CSecurityHelper.class */
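/**
 * Establishes the security context of an inbound JCA Work instance from the JASPIC
 * callbacks handed over by a resource adapter (caller principal, group principal and
 * password validation).
 *
 * <p>Identity information supplied by the callbacks is checked against the
 * {@link UserRegistry} of the application realm and recorded in a custom-credential
 * {@link Hashtable}, which {@link #addSubjectCustomData} later attaches to the execution
 * {@link Subject} as a private credential. {@link #getCustomCredentials} finds that
 * Hashtable again by its cache key.
 *
 * <p>The "run-as" subject is kept in a {@link ThreadLocal}; code that calls
 * {@link #setRunAsSubject} must pair it with {@link #removeRunAsSubject} so that the
 * subject does not leak to unrelated work executed later on the same (pooled) thread.
 *
 * <p>All methods are static; the class holds no mutable state apart from the
 * thread-confined run-as subject.
 */
public class J2CSecurityHelper {
    /** Prefix of every cache key produced by {@link #getCacheKey}. */
    private static final String CACHE_KEY_PREFIX = "j2c:inboundSecurity:";
    /** Separates the unique id from the realm inside a cache key. */
    private static final String CACHE_KEY_SEPARATOR = ":";
    /** Separates a realm prefix from the remainder of a unique user id (see {@link #stripRealm}). */
    private static final String REALM_SEPARATOR = "/";

    /** Property keys written into / read from the custom-credential Hashtable. */
    private static final String KEY_CACHE_KEY = "com.ibm.wsspi.security.cred.cacheKey";
    private static final String KEY_REALM = "com.ibm.wsspi.security.cred.realm";
    private static final String KEY_SECURITY_NAME = "com.ibm.wsspi.security.cred.securityName";
    private static final String KEY_UNIQUE_ID = "com.ibm.wsspi.security.cred.uniqueId";
    private static final String KEY_GROUPS = "com.ibm.wsspi.security.cred.groups";

    static final TraceComponent tc = Tr.register(J2CSecurityHelper.class, "WAS.j2c.security", "com.ibm.ws.jca.security.resources.J2CAMessages");
    /** Run-as subject of the work currently executing on this thread; see {@link #removeRunAsSubject}. */
    private static final ThreadLocal<Subject> subjectStorage = new ThreadLocal<>();
    private static final TraceNLS nls = TraceNLS.getTraceNLS(J2CSecurityHelper.class, "com.ibm.ws.jca.security.resources.J2CAMessages");

    /**
     * Privileged action that adds one custom-credential Hashtable to the private
     * credentials of the execution subject.
     */
    public static class AddPrivateCredentials implements PrivilegedAction<Object> {
        private final Subject execSubject;
        private final Hashtable<String, Object> newCred;

        /**
         * @param subject   subject whose private credential set receives the Hashtable
         * @param hashtable custom-credential data to add
         */
        public AddPrivateCredentials(Subject subject, Hashtable<String, Object> hashtable) {
            this.execSubject = subject;
            this.newCred = hashtable;
        }

        /** Adds the Hashtable; always returns {@code null}. */
        @Override // java.security.PrivilegedAction
        public Object run() {
            execSubject.getPrivateCredentials().add(newCred);
            return null;
        }
    }

    /**
     * Privileged action that looks up, among the Hashtable private credentials of a
     * subject, the one whose cache-key property equals a given cache key.
     */
    static class GetCustomCredentials implements PrivilegedAction<Object> {
        private final Subject execSubject;
        private final String cacheKey;

        /**
         * @param subject subject to search
         * @param str     cache key the wanted Hashtable must carry under {@code KEY_CACHE_KEY}
         */
        public GetCustomCredentials(Subject subject, String str) {
            this.execSubject = subject;
            this.cacheKey = str;
        }

        /**
         * @return the first matching Hashtable, or {@code null} when the subject has no
         *         Hashtable credential or none matches the cache key
         */
        @Override // java.security.PrivilegedAction
        public Object run() {
            boolean debug = TraceComponent.isAnyTracingEnabled() && J2CSecurityHelper.tc.isDebugEnabled();
            Set<Hashtable> candidates = execSubject.getPrivateCredentials(Hashtable.class);
            if (candidates == null || candidates.isEmpty()) {
                if (debug) {
                    Tr.debug(J2CSecurityHelper.tc, "Subject has no Hashtable with custom credentials, return null.", new Object[0]);
                }
                return null;
            }
            for (Hashtable candidate : candidates) {
                String candidateKey = (String) candidate.get(J2CSecurityHelper.KEY_CACHE_KEY);
                if (debug) {
                    Tr.debug(J2CSecurityHelper.tc, "Hashtable custom key", new Object[]{candidateKey});
                }
                if (cacheKey.equals(candidateKey)) {
                    return candidate;
                }
            }
            if (debug) {
                Tr.debug(J2CSecurityHelper.tc, "Subject has no Hashtable that matches cacheKey, return null.", new Object[0]);
            }
            return null;
        }
    }

    /**
     * Privileged action that resolves the {@link UserRegistry} of an application realm
     * through {@link RegistryHelper}.
     */
    public static class GetRegistry implements PrivilegedExceptionAction<UserRegistry> {
        private final String appRealm;

        /** @param str realm whose registry is wanted */
        public GetRegistry(String str) {
            this.appRealm = str;
        }

        /**
         * @return the registry for {@code appRealm}
         * @throws Exception whatever {@link RegistryHelper#getUserRegistry} throws
         */
        @Override // java.security.PrivilegedExceptionAction
        public UserRegistry run() throws Exception {
            return RegistryHelper.getUserRegistry(appRealm);
        }
    }

    /** @return the run-as subject stored for the current thread, or {@code null} if none was set */
    public static Subject getRunAsSubject() {
        return subjectStorage.get();
    }

    /**
     * Stores the run-as subject for the current thread. Pair with
     * {@link #removeRunAsSubject} when the work completes.
     *
     * @param subject subject to store; may be {@code null}
     */
    public static void setRunAsSubject(Subject subject) {
        subjectStorage.set(subject);
    }

    /** Clears the run-as subject of the current thread. */
    public static void removeRunAsSubject() {
        subjectStorage.remove();
    }

    /**
     * Writes the resolved identity into the custom-credential Hashtable.
     *
     * @param hashtable    target Hashtable
     * @param realm        application realm, stored under {@code KEY_REALM} and used in the cache key
     * @param uniqueId     registry unique id; stored under {@code KEY_UNIQUE_ID} only when non-null
     * @param securityName caller security name
     * @param groups       unique group ids; {@code null} or empty yields an empty list under {@code KEY_GROUPS}
     */
    private static void updateCustomHashtable(Hashtable<String, Object> hashtable, String realm, String uniqueId, String securityName, List<?> groups) {
        boolean entry = TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled();
        if (entry) {
            Tr.entry(tc, "updateCustomHashtable", new Object[]{hashtable, realm, uniqueId, securityName, groups});
        }
        // getCacheKey falls back to the bare prefix when uniqueId is null.
        hashtable.put(KEY_CACHE_KEY, getCacheKey(uniqueId, realm));
        hashtable.put(KEY_REALM, realm);
        hashtable.put(KEY_SECURITY_NAME, securityName);
        if (uniqueId != null) {
            hashtable.put(KEY_UNIQUE_ID, uniqueId);
        }
        if (groups == null || groups.isEmpty()) {
            hashtable.put(KEY_GROUPS, new ArrayList<String>());
        } else {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Adding groups found in registry", new Object[]{groups});
            }
            hashtable.put(KEY_GROUPS, groups);
        }
        if (entry) {
            Tr.exit(tc, "updateCustomHashtable");
        }
    }

    /**
     * Attaches the custom-credential Hashtable to the subject as a private credential,
     * under a privileged block.
     *
     * @param subject   execution subject
     * @param hashtable custom-credential data
     */
    public static void addSubjectCustomData(Subject subject, Hashtable<String, Object> hashtable) {
        boolean entry = TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled();
        if (entry) {
            Tr.entry(tc, "addSubjectCustomData", new Object[]{hashtable});
        }
        AccessController.doPrivileged(new AddPrivateCredentials(subject, hashtable));
        if (entry) {
            Tr.exit(tc, "addSubjectCustomData");
        }
    }

    /**
     * Finds the custom-credential Hashtable of a subject by cache key.
     *
     * @param subject subject to search; {@code null} yields {@code null}
     * @param str     cache key (see {@link #getCacheKey}); {@code null} yields {@code null}
     * @return the matching Hashtable, or {@code null} if none
     */
    public static Hashtable<String, Object> getCustomCredentials(Subject subject, String str) {
        boolean entry = TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled();
        if (entry) {
            Tr.entry(tc, "getCustomCredentials", new Object[]{str});
        }
        if (subject == null || str == null) {
            if (entry) {
                Tr.exit(tc, "getCustomCredentials", " null");
            }
            return null;
        }
        @SuppressWarnings("unchecked") // GetCustomCredentials only ever returns a Hashtable taken from the subject
        Hashtable<String, Object> found = (Hashtable<String, Object>) AccessController.doPrivileged(new GetCustomCredentials(subject, str));
        if (entry) {
            Tr.exit(tc, "getCustomCredentials", objectId(found));
        }
        return found;
    }

    /**
     * Handles a {@link PasswordValidationCallback}: checks the supplied user name and
     * password against the realm's registry and, on success, records the identity in
     * {@code hashtable}. On failure the callback result is set to {@code false} and the
     * Hashtable is cleared so no partial identity survives.
     *
     * @param passwordValidationCallback callback carrying user name, password and subject
     * @param subject                    expected execution subject; a mismatch with the
     *                                   callback's subject is logged and the expected one is used
     * @param hashtable                  custom-credential Hashtable being built
     * @param str                        application realm
     * @param invocationArr              per-callback-type bookkeeping; slot 2 is marked here,
     *                                   slot 0 tells whether a CallerPrincipalCallback ran
     * @throws WSSecurityException when the registry cannot be resolved
     * @throws RemoteException     declared for callers; not thrown by this method body
     */
    public static void handlePasswordValidationCallback(PasswordValidationCallback passwordValidationCallback, Subject subject, Hashtable<String, Object> hashtable, String str, Invocation[] invocationArr) throws RemoteException, WSSecurityException {
        invocationArr[2] = Invocation.PASSWORDVALIDATIONCALLBACK;
        boolean entry = TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled();
        if (entry) {
            Tr.entry(tc, "handlePasswordValidationCallback", new Object[]{objectId(passwordValidationCallback), passwordValidationCallback.getUsername()});
        }
        Subject callbackSubject = passwordValidationCallback.getSubject();
        if (!subject.equals(callbackSubject)) {
            Tr.warning(tc, "EXECUTION_CALLBACK_SUBJECT_MISMATCH_J2CA0673", new Object[]{"PasswordValidationCallback"});
            callbackSubject = subject;
        }
        try {
            String username = passwordValidationCallback.getUsername();
            // The callback exposes the password as char[]; UserRegistry.checkPassword takes a
            // String, so an immutable copy that cannot be zeroed afterwards is unavoidable here.
            // It must never be traced or logged.
            String password = null;
            if (passwordValidationCallback.getPassword() != null) {
                password = new String(passwordValidationCallback.getPassword());
            }
            if (callbackSubject != null) {
                UserRegistry registry = AccessController.doPrivileged(new GetRegistry(str));
                if (checkUserPassword(username, password, registry, str, hashtable, invocationArr[0])) {
                    passwordValidationCallback.setResult(true);
                } else {
                    passwordValidationCallback.setResult(false);
                    hashtable.clear();
                }
            }
            if (entry) {
                Tr.exit(tc, "handlePasswordValidationCallback", Boolean.valueOf(passwordValidationCallback.getResult()));
            }
        } catch (PrivilegedActionException e) {
            passwordValidationCallback.setResult(false);
            hashtable.clear();
            // getException() is typed Exception; rethrow WSSecurityException as-is, wrap anything else.
            Exception cause = e.getException();
            if (entry) {
                Tr.exit(tc, "handlePasswordValidationCallback", Boolean.valueOf(passwordValidationCallback.getResult()));
            }
            if (cause instanceof WSSecurityException) {
                throw (WSSecurityException) cause;
            }
            throw new WSSecurityException(cause);
        }
    }

    /**
     * Handles a {@link CallerPrincipalCallback}: determines the caller security name
     * (principal name, else callback name, else {@code str2}) and records it. A name equal
     * to {@code str2} is stored as-is with a prefix-only cache key; any other name is
     * validated against the registry and enriched with unique id and groups.
     *
     * @param callerPrincipalCallback callback carrying name and/or principal
     * @param subject                 expected execution subject; a mismatch is logged only
     * @param hashtable               custom-credential Hashtable being built
     * @param str                     application realm
     * @param str2                    fallback security name used when the callback supplies
     *                                neither a name nor a principal (assumed non-null)
     * @param invocationArr           per-callback-type bookkeeping; slot 0 is marked here
     * @throws WSSecurityException if a CallerPrincipalCallback was already handled for this
     *                             work, or the caller identity is not valid in the realm
     * @throws RemoteException     propagated from registry access
     */
    public static void handleCallerPrincipalCallback(CallerPrincipalCallback callerPrincipalCallback, Subject subject, Hashtable<String, Object> hashtable, String str, String str2, Invocation[] invocationArr) throws WSSecurityException, RemoteException {
        boolean entry = TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled();
        boolean debug = TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
        if (entry) {
            Tr.entry(tc, "handleCallerPrincipalCallback", new Object[0]);
        }
        // Only one CallerPrincipalCallback may establish the identity of a Work instance.
        if (invocationArr[0] == Invocation.CALLERPRINCIPALCALLBACK) {
            String message = getNLS().getString("MULTIPLE_CALLERPRINCIPALCALLBACKS_NOT_SUPPORTED_J2CA0676", "J2CA0676E: The inflown security context supplied multiple instances of a JASPIC CallerPrincipalCallback in order to establish the security context of the Work instance.");
            if (entry) {
                Tr.exit(tc, "handleCallerPrincipalCallback");
            }
            throw new WSSecurityException(message);
        }
        invocationArr[0] = Invocation.CALLERPRINCIPALCALLBACK;
        String name = callerPrincipalCallback.getName();
        if (debug) {
            Tr.debug(tc, "The userName got from the callback is : ", new Object[]{name});
        }
        Principal principal = callerPrincipalCallback.getPrincipal();
        if (debug) {
            Tr.debug(tc, "handleCallerPrincipalCallback", new Object[]{"user=" + name, "principal=" + principal});
        }
        if (!subject.equals(callerPrincipalCallback.getSubject())) {
            Tr.warning(tc, "EXECUTION_CALLBACK_SUBJECT_MISMATCH_J2CA0673", new Object[]{"CallerPrincipalCallback"});
        }
        // Principal wins over the plain name; anything still null falls back to str2.
        String securityName;
        if (principal != null) {
            securityName = principal.getName();
        } else if (name != null) {
            securityName = name;
        } else {
            securityName = str2;
        }
        if (securityName == null) {
            securityName = str2;
        }
        if (debug) {
            Tr.debug(tc, "The securityName is : ", new Object[]{securityName});
        }
        if (securityName.equals(str2)) {
            hashtable.put(KEY_SECURITY_NAME, securityName);
            hashtable.put(KEY_CACHE_KEY, getCacheKey(null, null));
        } else {
            addUniqueIdAndGroupsForUser(securityName, hashtable, str);
        }
        if (debug) {
            Tr.debug(tc, "Added Credentials: ", new Object[]{hashtable});
        }
        if (entry) {
            Tr.exit(tc, "handleCallerPrincipalCallback");
        }
    }

    /**
     * Handles a {@link GroupPrincipalCallback}: every non-empty group name that the realm's
     * registry accepts is mapped to its unique group id and appended (without duplicates)
     * to the {@code KEY_GROUPS} list of {@code hashtable}. Invalid group names are logged
     * and skipped rather than failing the callback.
     *
     * @param groupPrincipalCallback callback carrying the group names
     * @param subject                expected execution subject; a mismatch is logged only
     * @param hashtable              custom-credential Hashtable being built
     * @param str                    application realm
     * @param invocationArr          per-callback-type bookkeeping; slot 1 is marked here
     * @throws WSSecurityException when the registry cannot be resolved
     * @throws RemoteException     propagated from registry access
     */
    public static void handleGroupPrincipalCallback(GroupPrincipalCallback groupPrincipalCallback, Subject subject, Hashtable<String, Object> hashtable, String str, Invocation[] invocationArr) throws RemoteException, WSSecurityException {
        boolean entry = TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled();
        boolean debug = TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
        if (entry) {
            Tr.entry(tc, "handleGroupPrincipalCallback", new Object[]{objectId(groupPrincipalCallback)});
        }
        invocationArr[1] = Invocation.GROUPPRINCIPALCALLBACK;
        if (!subject.equals(groupPrincipalCallback.getSubject())) {
            Tr.warning(tc, "EXECUTION_CALLBACK_SUBJECT_MISMATCH_J2CA0673", new Object[]{"GroupPrincipalCallback"});
        }
        String[] groups = groupPrincipalCallback.getGroups();
        if (groups == null || groups.length == 0) {
            if (debug) {
                Tr.debug(tc, "Callback has no groups.", new Object[0]);
            }
        } else {
            if (debug) {
                Tr.debug(tc, "Group names in Callback: ", new Object[]{Arrays.asList(groups)});
            }
            // Reuse the list a CallerPrincipalCallback may already have stored, so groups accumulate.
            List groupIds = (List) hashtable.get(KEY_GROUPS);
            if (groupIds == null) {
                groupIds = new ArrayList();
                hashtable.put(KEY_GROUPS, groupIds);
            }
            try {
                UserRegistry registry = AccessController.doPrivileged(new GetRegistry(str));
                for (String groupName : groups) {
                    if (groupName == null || groupName.isEmpty()) {
                        if (debug) {
                            Tr.debug(tc, "Group is null or an empty string, it has been ignored.", new Object[0]);
                        }
                        continue;
                    }
                    if (!registry.isValidGroup(groupName)) {
                        Tr.warning(tc, "INVALID_GROUP_ENCOUNTERED_J2CA0678", new Object[]{groupName});
                        continue;
                    }
                    String uniqueGroupId = registry.getUniqueGroupId(groupName);
                    if (groupIds.contains(uniqueGroupId)) {
                        if (debug) {
                            Tr.debug(tc, uniqueGroupId + " already exists in custom credential data, avoid duplicates.", new Object[0]);
                        }
                    } else {
                        groupIds.add(uniqueGroupId);
                        if (debug) {
                            Tr.debug(tc, "Added groupId: " + uniqueGroupId, new Object[0]);
                        }
                    }
                }
            } catch (PrivilegedActionException e) {
                // getException() is typed Exception; rethrow WSSecurityException as-is, wrap anything else.
                Exception cause = e.getException();
                if (entry) {
                    Tr.exit(tc, "handleGroupPrincipalCallback");
                }
                if (cause instanceof WSSecurityException) {
                    throw (WSSecurityException) cause;
                }
                throw new WSSecurityException(cause);
            }
        }
        if (debug) {
            Tr.debug(tc, "Added Credentials", new Object[]{hashtable});
        }
        if (entry) {
            Tr.exit(tc, "handleGroupPrincipalCallback");
        }
    }

    /**
     * Validates {@code userName} against the realm's registry and records its unique id and
     * unique group ids in {@code hashtable} via {@link #updateCustomHashtable}.
     *
     * @param userName  caller security name from the CallerPrincipalCallback
     * @param hashtable custom-credential Hashtable being built
     * @param realm     application realm
     * @throws WSSecurityException if the user is not valid in the realm or the registry
     *                             cannot be resolved
     * @throws RemoteException     propagated from registry access
     */
    private static void addUniqueIdAndGroupsForUser(String userName, Hashtable<String, Object> hashtable, String realm) throws WSSecurityException, RemoteException {
        boolean entry = TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled();
        boolean debug = TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
        if (entry) {
            Tr.entry(tc, "addUniqueIdAndGroupsForUser", new Object[]{userName});
        }
        try {
            UserRegistry registry = AccessController.doPrivileged(new GetRegistry(realm));
            if (!registry.isValidUser(userName)) {
                String message = getNLS().getFormattedMessage("INVALID_USER_NAME_IN_PRINCIPAL_J2CA0670", new Object[]{userName}, "J2CA0670E: The WorkManager was unable to establish the security context for the Work instance, because the resource adapter provided a caller identity " + userName + ", which does not belong to the security domain associated with the application.");
                if (entry) {
                    Tr.exit(tc, "addUniqueIdAndGroupsForUser");
                }
                throw new WSSecurityException(message);
            }
            String uniqueUserId = registry.getUniqueUserId(userName);
            // Groups are looked up by the id without its realm prefix; the Hashtable keeps the full id.
            String realmlessId = stripRealm(uniqueUserId, realm);
            List groupIds = null;
            try {
                groupIds = registry.getUniqueGroupIds(realmlessId);
            } catch (EntryNotFoundException e) {
                // A user without groups is acceptable: warn and continue with an empty group list.
                if (debug) {
                    Tr.debug(tc, "Exception is ", new Object[]{e});
                }
                Tr.warning(tc, "NO_GROUPS_FOR_UNIQUEID_J2CA0679", new Object[]{realmlessId});
            }
            updateCustomHashtable(hashtable, realm, uniqueUserId, userName, groupIds);
            if (debug) {
                Tr.debug(tc, "Added uniqueId: " + uniqueUserId + " and uniqueGroups: " + groupIds, new Object[0]);
            }
            if (entry) {
                Tr.exit(tc, "addUniqueIdAndGroupsForUser");
            }
        } catch (PrivilegedActionException e2) {
            // getException() is typed Exception; rethrow WSSecurityException as-is, wrap anything else.
            Exception cause = e2.getException();
            if (entry) {
                Tr.exit(tc, "addUniqueIdAndGroupsForUser");
            }
            if (cause instanceof WSSecurityException) {
                throw (WSSecurityException) cause;
            }
            throw new WSSecurityException(cause);
        }
    }

    /**
     * Checks a user name / password pair against the registry and, when valid, records the
     * identity and its unique group ids in {@code hashtable}.
     *
     * <p>The password is never written to trace or log output; only the user name is.
     *
     * @param userName   user name from the PasswordValidationCallback; {@code null} fails the check
     * @param password   clear-text password; {@code null} fails the check
     * @param registry   registry of {@code realm}
     * @param realm      application realm
     * @param hashtable  custom-credential Hashtable being built
     * @param invocation slot 0 of the invocation bookkeeping, i.e. whether a
     *                   CallerPrincipalCallback already set a security name to agree with
     * @return {@code true} if the password is valid and the Hashtable was updated, else {@code false}
     */
    private static boolean checkUserPassword(String userName, String password, UserRegistry registry, String realm, Hashtable<String, Object> hashtable, Invocation invocation) {
        boolean entry = TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled();
        if (entry) {
            Tr.entry(tc, "checkUserPassword user: " + userName + ", realm: " + realm, new Object[0]);
        }
        if (userName == null || password == null) {
            Tr.error(tc, "INVALID_USERNAME_PASSWORD_INBOUND_J2CA0674", new Object[]{userName});
            if (entry) {
                // Only the user name is traced here; the password argument must stay out of trace.
                Tr.exit(tc, "checkUserPassword", " - null user name or password, user: " + userName);
            }
            return false;
        }
        if (!validateCallbackInformation(hashtable, userName, invocation)) {
            if (entry) {
                Tr.exit(tc, "checkUserPassword", " - invalid username and password.");
            }
            return false;
        }
        try {
            registry.checkPassword(userName, password);
            // NOTE(review): unlike addUniqueIdAndGroupsForUser, the realm-stripped id is what gets
            // stored as uniqueId here; kept as in the original.
            String realmlessId = stripRealm(registry.getUniqueUserId(userName), realm);
            ArrayList groupIds = new ArrayList();
            List groupNames = registry.getGroupsForUser(userName);
            if (groupNames != null) {
                for (Object groupName : groupNames) {
                    groupIds.add(registry.getUniqueGroupId((String) groupName));
                }
            }
            updateCustomHashtable(hashtable, realm, realmlessId, userName, groupIds);
            if (entry) {
                Tr.exit(tc, "checkUserPassword", " - password is valid.");
            }
            return true;
        } catch (PasswordCheckFailedException e) {
            Tr.error(tc, "INVALID_USERNAME_PASSWORD_INBOUND_J2CA0674", new Object[]{userName});
            if (entry) {
                Tr.exit(tc, "checkUserPassword", " - invalid username and password");
            }
            return false;
        } catch (Exception e2) {
            // Any other registry failure is recorded via FFDC and reported as a validation failure.
            FFDCFilter.processException(e2, "com.ibm.ejs.j2c.work.security.J2CSecurityHelper.checkUserPassword", "%C");
            Tr.error(tc, "VALIDATION_FAILED_INBOUND_J2CA0684", new Object[]{userName});
            if (entry) {
                Tr.exit(tc, "checkUserPassword", " - unable to validate password.");
            }
            return false;
        }
    }

    /**
     * Builds the cache key under which a custom-credential Hashtable is found again.
     *
     * @param str  unique user id
     * @param str2 realm
     * @return {@code CACHE_KEY_PREFIX + str + ":" + str2}, or just the prefix when either
     *         argument is {@code null}
     */
    public static String getCacheKey(String str, String str2) {
        if (str == null || str2 == null) {
            return CACHE_KEY_PREFIX;
        }
        return CACHE_KEY_PREFIX + str + CACHE_KEY_SEPARATOR + str2;
    }

    /**
     * Ensures the user name being password-checked agrees with the security name a
     * preceding CallerPrincipalCallback stored in {@code hashtable}.
     *
     * @param hashtable  custom-credential Hashtable being built
     * @param userName   user name from the PasswordValidationCallback
     * @param invocation whether a CallerPrincipalCallback ran; any other value passes
     * @return {@code false} (after logging J2CA0675) only when a stored security name
     *         exists and differs from {@code userName}
     */
    private static boolean validateCallbackInformation(Hashtable<String, Object> hashtable, String userName, Invocation invocation) {
        if (invocation != Invocation.CALLERPRINCIPALCALLBACK) {
            return true;
        }
        String storedName = (String) hashtable.get(KEY_SECURITY_NAME);
        if (storedName != null && !storedName.equals(userName)) {
            Tr.error(tc, "CALLBACK_SECURITY_NAME_MISMATCH_J2CA0675", new Object[]{userName, storedName});
            return false;
        }
        return true;
    }

    /**
     * Removes a leading {@code realm + "/"} prefix from a unique user id.
     *
     * @param uniqueId unique user id, possibly prefixed with the realm
     * @param realm    realm to strip
     * @return the part of {@code uniqueId} after the first {@code realm + "/"} occurrence,
     *         or {@code uniqueId} unchanged when either argument is {@code null} or the
     *         prefix is absent
     */
    private static String stripRealm(String uniqueId, String realm) {
        if (uniqueId == null || realm == null) {
            return uniqueId;
        }
        String prefix = realm + REALM_SEPARATOR;
        int at = uniqueId.indexOf(prefix);
        if (at > -1) {
            return uniqueId.substring(at + prefix.length());
        }
        return uniqueId;
    }

    /**
     * Identity string for trace output.
     *
     * @param obj any object, or {@code null}
     * @return {@code "0x0"} for {@code null}, else {@code className@hexHashCode}
     */
    public static String objectId(Object obj) {
        if (obj == null) {
            return "0x0";
        }
        return obj.getClass().getName() + "@" + Integer.toHexString(obj.hashCode());
    }

    /** @return the message bundle used for user-facing messages of this component */
    public static TraceNLS getNLS() {
        return nls;
    }
}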
