package com.ibm.ws.security.authentication.jaas.modules;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.security.auth.InvalidTokenException;
import com.ibm.websphere.security.auth.TokenExpiredException;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.auth.callback.WSAuthMechOidCallbackImpl;
import com.ibm.websphere.security.auth.callback.WSCredTokenCallbackImpl;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.AccessIdUtil;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.internal.jaas.modules.ServerCommonLoginModule;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.security.jaas.common.callback.AuthenticationHelper;
import com.ibm.ws.security.jaas.common.callback.JwtTokenCallback;
import com.ibm.ws.security.jwtsso.token.proxy.JwtSSOTokenHelper;
import com.ibm.ws.security.registry.UserRegistry;
import com.ibm.wsspi.security.ltpa.Token;
import com.ibm.wsspi.security.token.SingleSignonToken;
import java.io.IOException;
import java.security.Principal;
import java.util.Hashtable;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

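/**
 * JAAS login module that authenticates from a token supplied through callbacks rather
 * than from a user id / password pair.
 *
 * <p>Two token shapes are accepted. A binary credential token (callback 0) is recreated
 * through the token manager and its {@code "u"} attribute becomes the access id, which is
 * then classified as a server or a user identity. A JSON Web Token string (callback 2) is
 * resolved through {@link JwtSSOTokenHelper}; the identity is either looked up in the user
 * registry (when the token carries a user id and id-only login is allowed) or taken
 * directly from the token-derived properties (unique id, security name, realm, auth provider).
 *
 * <p>Every failure of the login step is surfaced as an {@link AuthenticationException} so
 * callers only need to handle one exception type. Any custom realm / non-form auth provider
 * found in a JWT is propagated onto the SSO token at commit time.
 *
 * <p>Not thread-safe: a single instance is meant to serve one login sequence
 * (login, commit / abort, logout) at a time, like any JAAS {@link LoginModule}.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:com/ibm/ws/security/authentication/jaas/modules/TokenLoginModule.class */
public class TokenLoginModule extends ServerCommonLoginModule implements LoginModule {
    private static final TraceComponent tc = Tr.register(TokenLoginModule.class, "Authentication", "com.ibm.ws.security.authentication.internal.resources.AuthenticationMessages");

    /** Auth-mechanism OIDs; declared for reference, not consulted by this class. */
    private static final String LTPA_OID = "oid:1.3.18.0.2.30.2";
    private static final String JWT_OID = "oid:1.3.18.0.2.30.3";

    static final long serialVersionUID = -8443847235269521669L;

    /** Authentication-type labels passed to the principal / credential setup helpers. */
    private static final String AUTH_TYPE_TOKEN = "token";
    private static final String AUTH_TYPE_JWT_SSO = "jwtSSOToken";

    /** Token attribute that carries the access id of the token's subject. */
    private static final String TOKEN_USER_ATTRIBUTE = "u";

    /** Keys of the properties that are copied from a JWT-derived subject. */
    private static final String CRED_UNIQUE_ID = "com.ibm.wsspi.security.cred.uniqueId";
    private static final String CRED_USER_ID = "com.ibm.wsspi.security.cred.userId";
    private static final String CRED_SECURITY_NAME = "com.ibm.wsspi.security.cred.securityName";
    private static final String CRED_REALM = "com.ibm.wsspi.security.cred.realm";
    private static final String CRED_CACHE_KEY = "com.ibm.wsspi.security.cred.cacheKey";
    private static final String INTERNAL_ASSERTION = "com.ibm.ws.authentication.internal.assertion";
    private static final String INTERNAL_JSON_WEB_TOKEN = "com.ibm.ws.authentication.internal.json.web.token";
    private static final String INTERNAL_AUTH_PROVIDER = "com.ibm.ws.authentication.internal.auth.provider";

    /**
     * Properties extracted from the subject built out of a JWT; the resulting hashtable is
     * attached to the temporary subject as a private credential.
     */
    private static final String[] HASHTABLE_LOGIN_PROPERTIES = {
        CRED_UNIQUE_ID, CRED_USER_ID, CRED_SECURITY_NAME, CRED_REALM, CRED_CACHE_KEY,
        INTERNAL_ASSERTION, INTERNAL_JSON_WEB_TOKEN, INTERNAL_AUTH_PROVIDER
    };

    /** Token recreated from the binary credential token; only set on the non-JWT path. */
    private Token recreatedToken;
    /** Access id of the authenticated identity; {@code null} until login succeeds. */
    private String accessId = null;
    /** Realm taken from a JWT-derived subject, if any; pushed onto the SSO token at commit. */
    private String customRealm = null;
    /** Auth provider taken from a JWT-derived subject, if any; pushed onto the SSO token at commit. */
    private String authProvider = null;

    /**
     * Performs the authentication step.
     *
     * <p>Abstains (returns {@code false}) when another module already processed the login or
     * when neither a credential token nor a JWT was supplied by the callback handler. Otherwise
     * builds the temporary subject for the token's identity and updates the shared state.
     *
     * @return {@code true} when a token was consumed and a temporary subject was built,
     *         {@code false} when this module abstains
     * @throws LoginException every failure is rethrown as an {@link AuthenticationException}
     *         carrying the original exception as its cause
     */
    @Override
    @FFDCIgnore({ InvalidTokenException.class, TokenExpiredException.class, WSLoginFailedException.class })
    public boolean login() throws LoginException {
        if (isAlreadyProcessed()) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Already processed by other login module, abstaining.", new Object[0]);
            }
            return false;
        }
        try {
            Callback[] callbacks = getRequiredCallbacks(this.callbackHandler);
            byte[] credToken = ((WSCredTokenCallbackImpl) callbacks[0]).getCredToken();
            String jwtToken = ((JwtTokenCallback) callbacks[2]).getToken();
            if (credToken == null && jwtToken == null) {
                return false;
            }
            setAlreadyProcessed();
            if (jwtToken != null) {
                // A JWT takes precedence over a binary credential token when both are present.
                setUpTemporaryUserSubjectForJsonWebToken(jwtToken);
            } else {
                // The token bytes are copied before recreation so the callback's buffer is never shared.
                this.recreatedToken = getTokenManager().recreateTokenFromBytes(AuthenticationHelper.copyCredToken(credToken), new String[0]);
                this.accessId = extractAccessId(this.recreatedToken);
                if (AccessIdUtil.isServerAccessId(this.accessId)) {
                    setUpTemporaryServerSubject();
                } else {
                    setUpTemporaryUserSubject();
                }
            }
            updateSharedState();
            return true;
        } catch (WSLoginFailedException e) {
            // These three are expected outcomes (bad / expired token) and are excluded from FFDC.
            throw new AuthenticationException(e.getLocalizedMessage(), e);
        } catch (TokenExpiredException e) {
            throw new AuthenticationException(e.getLocalizedMessage(), e);
        } catch (InvalidTokenException e) {
            throw new AuthenticationException(e.getLocalizedMessage(), e);
        } catch (Exception e) {
            // Catch-all must come last; anything unexpected is recorded to FFDC before being wrapped.
            FFDCFilter.processException(e, "com.ibm.ws.security.authentication.jaas.modules.TokenLoginModule", "116", this, new Object[0]);
            throw new AuthenticationException(e.getLocalizedMessage(), e);
        }
    }

    /**
     * Reads the access id from a recreated token's {@code "u"} attribute.
     *
     * @param token the recreated credential token
     * @return the first value of the {@code "u"} attribute
     * @throws AuthenticationException when the attribute is missing or empty, so a malformed
     *         token yields a descriptive failure instead of a bare {@code NullPointerException}
     */
    private static String extractAccessId(Token token) throws AuthenticationException {
        String[] userAttribute = token.getAttributes(TOKEN_USER_ATTRIBUTE);
        if (userAttribute == null || userAttribute.length == 0 || userAttribute[0] == null) {
            throw new AuthenticationException("The credential token does not carry a user attribute.");
        }
        return userAttribute[0];
    }

    /**
     * Builds the callbacks this module needs and lets the handler populate them.
     *
     * <p>Index 0 holds the binary credential token, index 1 the auth-mechanism OID and index 2
     * the JWT; {@link #login()} relies on this order.
     *
     * @param callbackHandler handler that fills in the callbacks
     * @return the populated callbacks, in the order described above
     * @throws IOException if the handler fails
     * @throws UnsupportedCallbackException if the handler does not support one of the callbacks
     */
    @Override
    public Callback[] getRequiredCallbacks(CallbackHandler callbackHandler) throws IOException, UnsupportedCallbackException {
        Callback[] callbacks = {
            new WSCredTokenCallbackImpl("Credential Token"),
            new WSAuthMechOidCallbackImpl("AuthMechOid"),
            new JwtTokenCallback()
        };
        callbackHandler.handle(callbacks);
        return callbacks;
    }

    /**
     * Creates the temporary subject and attaches the recreated token as a private credential.
     * Shared by the server and user token paths.
     */
    private void newTemporarySubjectWithRecreatedToken() {
        this.temporarySubject = new Subject();
        this.temporarySubject.getPrivateCredentials().add(this.recreatedToken);
    }

    /**
     * Populates the temporary subject for a server identity; the unique id derived from the
     * access id is used as the security name, with no password-style credential.
     *
     * @throws Exception propagated from the principal / credential setup helpers
     */
    private void setUpTemporaryServerSubject() throws Exception {
        newTemporarySubjectWithRecreatedToken();
        String uniqueId = AccessIdUtil.getUniqueId(this.accessId);
        setWSPrincipal(this.temporarySubject, uniqueId, this.accessId, AUTH_TYPE_TOKEN);
        setCredentials(this.temporarySubject, uniqueId, null);
        setOtherPrincipals(this.temporarySubject, uniqueId, this.accessId, AUTH_TYPE_TOKEN, null);
    }

    /**
     * Populates the temporary subject for a user identity; the security name is resolved
     * through the user registry from the unique id held in the access id.
     *
     * @throws Exception propagated from the registry lookup or the setup helpers
     */
    private void setUpTemporaryUserSubject() throws Exception {
        newTemporarySubjectWithRecreatedToken();
        String registrySecurityName = getUserRegistry().getUserSecurityName(AccessIdUtil.getUniqueId(this.accessId));
        String securityName = getSecurityName(registrySecurityName, registrySecurityName);
        setWSPrincipal(this.temporarySubject, securityName, this.accessId, AUTH_TYPE_TOKEN);
        setCredentials(this.temporarySubject, securityName, null);
        setOtherPrincipals(this.temporarySubject, securityName, this.accessId, AUTH_TYPE_TOKEN, null);
    }

    /**
     * Populates the temporary subject from a JSON Web Token.
     *
     * <p>The JWT is first turned into a subject by {@link JwtSSOTokenHelper}; its principals
     * and a hashtable of selected properties are copied into the temporary subject. The identity
     * then comes from one of two places:
     * <ul>
     *   <li>if the properties hold a user id and {@link #allowLoginWithIdOnly} permits it, the
     *       access id is built from the registry's realm and the registry's unique id for that user;</li>
     *   <li>otherwise the unique id, security name, realm and auth provider are taken verbatim from
     *       the token-derived properties — no registry lookup validates them on this path.</li>
     * </ul>
     *
     * @param jwtToken the raw JWT string from the callback
     * @throws Exception propagated from JWT handling, the registry or the setup helpers
     */
    private void setUpTemporaryUserSubjectForJsonWebToken(String jwtToken) throws Exception {
        Subject jwtSubject = JwtSSOTokenHelper.handleJwtSSOToken(jwtToken);
        this.temporarySubject = new Subject();
        this.temporarySubject.getPrincipals().addAll(jwtSubject.getPrincipals());
        Hashtable<String, ?> customProperties = new SubjectHelper().getHashtableFromSubject(jwtSubject, HASHTABLE_LOGIN_PROPERTIES);
        this.customPropertiesFromSubject = true;
        this.temporarySubject.getPrivateCredentials().add(customProperties);

        String securityName;
        String userId = (String) customProperties.get(CRED_USER_ID);
        if (userId != null && allowLoginWithIdOnly(customProperties)) {
            securityName = userId;
            UserRegistry registry = getUserRegistry();
            this.accessId = AccessIdUtil.createAccessId("user", registry.getRealm(), registry.getUniqueUserId(securityName));
        } else {
            this.accessId = (String) customProperties.get(CRED_UNIQUE_ID);
            securityName = (String) customProperties.get(CRED_SECURITY_NAME);
            this.customRealm = (String) customProperties.get(CRED_REALM);
            this.authProvider = (String) customProperties.get(INTERNAL_AUTH_PROVIDER);
        }
        setWSPrincipal(this.temporarySubject, securityName, this.accessId, AUTH_TYPE_JWT_SSO);
        // Unlike the binary-token paths, the security name doubles as the credential value here.
        setCredentials(this.temporarySubject, securityName, securityName);
        setOtherPrincipals(this.temporarySubject, securityName, this.accessId, AUTH_TYPE_JWT_SSO, customProperties);
    }

    /**
     * Commits the authentication: moves the temporary subject into the final subject and, when
     * the JWT carried a custom realm or a non-form auth provider, records them on the SSO token.
     *
     * @return {@code true} when the subject was set up, {@code false} when login never
     *         authenticated anything in this module
     * @throws LoginException propagated from {@link #setUpSubject()}
     */
    @Override
    public boolean commit() throws LoginException {
        if (this.accessId == null) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isEventEnabled()) {
                Tr.event(tc, "Authentication did not occur for this login module, abstaining.", new Object[0]);
            }
            return false;
        }
        setUpSubject();
        if (this.customRealm != null || hasNonFormAuthProvider()) {
            addCustomAttributesToSSOToken();
        }
        return true;
    }

    /**
     * @return {@code true} when an auth provider was captured from the JWT and it is not a
     *         form-based one; form providers are deliberately not recorded on the SSO token
     */
    private boolean hasNonFormAuthProvider() {
        return this.authProvider != null && !this.authProvider.endsWith("Form");
    }

    /**
     * Copies the custom realm and the non-form auth provider onto the subject's SSO token.
     * Does nothing when the subject has no SSO token.
     */
    private void addCustomAttributesToSSOToken() {
        SingleSignonToken ssoToken = getSSOToken(this.subject);
        if (ssoToken == null) {
            return;
        }
        if (this.customRealm != null) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Add custom realm into SSOToken", new Object[0]);
            }
            ssoToken.addAttribute(CRED_REALM, this.customRealm);
        }
        if (hasNonFormAuthProvider()) {
            ssoToken.addAttribute(INTERNAL_AUTH_PROVIDER, this.authProvider);
        }
    }

    /**
     * Clears the subject and every per-login field so a reused module instance cannot carry a
     * previous login's identity, realm or auth provider into the next sequence.
     */
    private void resetLoginState() {
        cleanUpSubject();
        this.accessId = null;
        this.customRealm = null;
        this.authProvider = null;
        this.recreatedToken = null;
    }

    /**
     * Aborts the login sequence, discarding any state gathered by {@link #login()}.
     *
     * @return always {@code true}
     */
    @Override
    public boolean abort() {
        resetLoginState();
        return true;
    }

    /**
     * Logs the subject out, discarding any state gathered by {@link #login()}.
     *
     * @return always {@code true}
     */
    @Override
    public boolean logout() {
        resetLoginState();
        return true;
    }
}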
