package com.ibm.ws.security.saml.sso20.internal;

import com.ibm.websphere.crypto.PasswordUtil;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.filter.AuthenticationFilter;
import com.ibm.ws.security.common.config.CommonConfigUtils;
import com.ibm.ws.security.filemonitor.FileBasedActionable;
import com.ibm.ws.security.saml.Constants;
import com.ibm.ws.security.saml.SsoConfig;
import com.ibm.ws.security.saml.SsoSamlService;
import com.ibm.ws.security.saml.error.SamlException;
import com.ibm.ws.security.saml.sso20.internal.utils.FileInfo;
import com.ibm.ws.security.saml.sso20.internal.utils.MsgCtxUtil;
import com.ibm.ws.security.saml.sso20.internal.utils.SamlUtil;
import com.ibm.ws.security.saml.sso20.metadata.AcsDOMMetadataProvider;
import com.ibm.wsspi.kernel.service.location.WsLocationAdmin;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import com.ibm.wsspi.kernel.service.utils.SerializableProtectedString;
import java.io.File;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Dictionary;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.osgi.framework.BundleContext;
import org.osgi.service.cm.Configuration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.osgi.service.component.ComponentContext;

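/**
 * SAML 2.0 service-provider configuration for one provider id.
 *
 * <p>An instance is populated from an OSGi configuration property map (see
 * {@link #setConfig(Map, ConfigurationAdmin, HashMap)}) and then answers the
 * {@link SsoConfig} getters used by the SAML runtime. Defaults are declared on
 * the fields so that an instance created with the no-arg constructor is a
 * complete, secure-by-default configuration ({@code httpsRequired},
 * {@code wantAssertionsSigned} and {@code authnRequestsSigned} all default to
 * {@code true}).
 *
 * <p>Trust-engine (PKIX) handling is inherited from {@link PkixTrustEngineConfig};
 * the fields {@code trustedIssuers}, {@code pkixX509List}, {@code pkixCrlList},
 * {@code trustAnchorName} and {@code isPkixTrustEngineEnabled} referenced below
 * are declared there.
 *
 * <p>Thread-safety: not documented by the original; only {@code configAdmin} is
 * volatile. The lazily-built IdP metadata provider is not synchronized.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class SsoConfigImpl extends PkixTrustEngineConfig implements SsoConfig, FileBasedActionable {
    static final long serialVersionUID = 3704880481202686879L;

    public static final TraceComponent tc = Tr.register(SsoConfigImpl.class, "SAML20", "com.ibm.ws.security.saml.sso20.internal.resources.SamlSso20Messages");

    // ---- configuration property keys --------------------------------------
    public static final String KEY_ID = "id";
    public static final String KEY_SERVICE_PID = "service.pid";
    public static final String CFG_KEY_AUTH_FILTER_REF = "authFilterRef";
    public static final String KEY_clockSkew = "clockSkew";
    public static final String KEY_authnRequestTime = "authnRequestTime";
    // Typed Object in the original public API; value is the same as KEY_ID.
    public static final Object KEY_PROVIDER_ID = "id";
    public static final String KEY_postLogoutRedirectUrl = "postLogoutRedirectUrl";
    static final String KEY_wantAssertionsSigned = "wantAssertionsSigned";
    static final String KEY_includeX509InSPMetadata = "includeX509InSPMetadata";
    static final String KEY_signatureMethodAlgorithm = "signatureMethodAlgorithm";
    static final String KEY_authnRequestsSigned = "authnRequestsSigned";
    static final String KEY_forceAuthn = "forceAuthn";
    static final String KEY_isPassive = "isPassive";
    static final String KEY_allowCreate = "allowCreate";
    static final String KEY_authnContextClassRef = "authnContextClassRef";
    static final String KEY_authnContextComparisonType = "authnContextComparisonType";
    static final String KEY_nameIDFormat = "nameIDFormat";
    static final String KEY_customizeNameIDFormat = "customizeNameIDFormat";
    static final String KEY_idpMetadata = "idpMetadata";
    static final String KEY_keyStoreRef = "keyStoreRef";
    static final String KEY_keyAlias = "keyAlias";
    static final String KEY_keyPassword = "keyPassword";
    static final String KEY_loginPageURL = "loginPageURL";
    static final String KEY_errorPageURL = "errorPageURL";
    static final String KEY_tokenReplayTimeout = "tokenReplayTimeout";
    static final String KEY_sessionNotOnOrAfter = "sessionNotOnOrAfter";
    static final String KEY_userIdentifier = "userIdentifier";
    static final String KEY_groupIdentifier = "groupIdentifier";
    static final String KEY_userUniqueIdentifier = "userUniqueIdentifier";
    static final String KEY_realmIdentifier = "realmIdentifier";
    static final String KEY_includeTokenInSubject = "includeTokenInSubject";
    static final String KEY_mapToUserRegistry = "mapToUserRegistry";
    static final String KEY_disableInitialRequestCookie = "disableInitialRequestCookie";
    static final String KEY_disableLtpaCookie = "disableLtpaCookie";
    static final String KEY_spCookieName = "spCookieName";
    static final String KEY_realmName = "realmName";
    static final String KEY_spHostAndPort = "spHostAndPort";
    static final String KEY_targetPageUrl = "targetPageUrl";
    static final String KEY_reAuthnOnAssertionExpire = "reAuthnOnAssertionExpire";
    static final String KEY_reAuthnCushion = "reAuthnCushion";
    static final String KEY_servletRequestLogoutPerformsSamlLogout = "spLogout";
    static final String KEY_enabled = "enabled";
    static final String KEY_httpsRequired = "httpsRequired";
    static final String KEY_allowCustomCacheKey = "allowCustomCacheKey";
    static final String KEY_createSession = "createSession";
    static final String KEY_useRelayStateForTarget = "useRelayStateForTarget";
    static final String KEY_headerName = "headerName";
    static final String KEY_audiences = "audiences";

    // Attributes that are accepted in the configuration but deliberately ignored
    // by this implementation; reported once per provider in processProps().
    // Declared after the array it reads (static initializers run in textual order).
    static final String[] notInUseAttributes = {KEY_headerName, KEY_audiences};
    static final String ignoreAttributes = String.join(", ", notInUseAttributes);

    // Used when nameIDFormat is absent or empty.
    private static final String DEFAULT_NAME_ID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";

    // Short configuration value -> full SAML NameID format URN.
    static HashMap<String, String> nameIDFormatMap = buildNameIdFormatMap();

    // ---- instance state (defaults apply until setConfig() runs) ----------
    private String providerId = null;
    private Map<String, Object> props = null;
    private volatile ConfigurationAdmin configAdmin = null;
    // authFilterRef -> authentication filter id cache, supplied by the owning service.
    private HashMap<String, String> filterIdMap = null;
    private String bundleLocation;
    private boolean servletRequestLogoutPerformsSamlLogout = false;
    boolean bInit = false;
    boolean enabled = true;
    ComponentContext cc = null;
    SsoSamlService parentSsoService = null;
    long clockSkewMilliSeconds = 300000L;
    String keyStoreRef = null;
    String keyAlias = null;
    String keyPassword = null;
    String signatureMethodAlgorithm = "SHA256";
    String userIdentifier = Constants.LOCAL_NAME_NameID;
    String groupIdentifier = null;
    String userUniqueIdentifier = Constants.LOCAL_NAME_NameID;
    String realmIdentifier = "issuer";
    boolean includeTokenInSubject = true;
    boolean httpsRequired = true;
    boolean mapUserIdentifierToUserRegistry = false;
    boolean setLtpaCookie = false;
    boolean wantAssertionsSigned = true;
    String realmName = null;
    String headerName = null;
    ArrayList<String> headerNames = null;
    String[] audiences = new String[]{Constants.ANY_AUDIENCE};
    long authnRequestTimeMilliSeconds = 600000L;
    boolean authnRequestsSigned = true;
    boolean includeX509InSPMetadata = true;
    boolean forceAuthn = false;
    boolean isPassive = false;
    Boolean allowCreate = null;
    String[] authnContextClassRefs = null;
    String authnContextComparisonType = null;
    String nameIDFormat = null;
    String idpMetadata = null;
    AcsDOMMetadataProvider idpMetadataProvider = null;
    String loginPageURL = null;
    String errorPageURL = null;
    long tokenReplayTimeout = 1800000L;
    long sessionNotOnOrAfter = 7200000L;
    boolean allowCustomCacheKey = true;
    Constants.MapToUserRegistry mapToUserRegistry = Constants.MapToUserRegistry.No;
    boolean disableInitialRequestCookie = false;
    boolean disableLtpaCookie = true;
    String spCookieName = null;
    String spHostAndPort = null;
    String targetPageUrl = null;
    // True once getIdpMetadataProvider() has attempted a parse (success or failure).
    boolean bIdpMetadataProviderHandled = false;
    boolean createSession = true;
    boolean reAuthnOnAssertionExpire = false;
    long reAuthnCushion = 0L;
    boolean useRelayStateForTarget = true;
    String postLogoutRedirectUrl = null;
    CommonConfigUtils configUtils = new CommonConfigUtils();

    /** Creates a configuration holding only the field defaults; {@link #setConfig} must follow. */
    public SsoConfigImpl() {
    }

    /**
     * Creates a configuration and immediately applies {@code map}.
     *
     * <p>A {@link SamlException} raised while applying the map is recorded via
     * FFDC and otherwise swallowed, leaving the instance partially populated;
     * this matches the original behaviour.
     *
     * @param componentContext   the declarative-services context of the owning component
     * @param map                configuration properties
     * @param configurationAdmin used to resolve {@code authFilterRef} pids
     * @param hashMap            cache of authFilterRef -> filter id (may be null)
     * @param ssoSamlService     owning service, used for trust-anchor lookup
     */
    public SsoConfigImpl(ComponentContext componentContext, Map<String, Object> map, ConfigurationAdmin configurationAdmin, HashMap<String, String> hashMap, SsoSamlService ssoSamlService) {
        this.parentSsoService = ssoSamlService;
        this.cc = componentContext;
        this.bundleLocation = componentContext.getBundleContext().getBundle().getLocation();
        try {
            setConfig(map, configurationAdmin, hashMap);
        } catch (SamlException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.internal.SsoConfigImpl", "218", this, new Object[]{componentContext, map, configurationAdmin, hashMap, ssoSamlService});
        }
    }

    @Override
    public Constants.SamlSsoVersion getSamlVersion() {
        return Constants.SamlSsoVersion.SAMLSSO20;
    }

    /**
     * Applies a configuration property map to this instance.
     *
     * @param map                configuration properties; every key read by
     *                           {@link #processProps(Map)} except {@code createSession}
     *                           must be present (absent keys throw NullPointerException
     *                           on unboxing, as in the original)
     * @param configurationAdmin used to resolve {@code authFilterRef} pids
     * @param hashMap            cache of authFilterRef -> filter id (may be null)
     * @throws SamlException if the PKIX trust-engine configuration cannot be processed
     */
    public void setConfig(Map<String, Object> map, ConfigurationAdmin configurationAdmin, HashMap<String, String> hashMap) throws SamlException {
        this.bInit = true;
        this.providerId = (String) map.get(KEY_PROVIDER_ID);
        this.props = map;
        this.filterIdMap = hashMap;
        setConfigAdmin(configurationAdmin);
        processProps(map);
        if (this.providerId == null || this.providerId.isEmpty()) {
            Tr.error(tc, "SAML20_SP_ID_ATTRIBUTE_EMPTY", new Object[0]);
        }
    }

    /** Unboxes a required Boolean property (NullPointerException when absent). */
    private boolean boolProp(Map<String, Object> map, String key) {
        return ((Boolean) map.get(key)).booleanValue();
    }

    /** Unboxes a required Long property (NullPointerException when absent). */
    private long longProp(Map<String, Object> map, String key) {
        return ((Long) map.get(key)).longValue();
    }

    /** Reads an optional String property and trims it via the inherited {@code trim}. */
    private String stringProp(Map<String, Object> map, String key) {
        return trim((String) map.get(key));
    }

    /**
     * Copies every supported attribute from {@code map} into the fields.
     *
     * @throws SamlException propagated from {@link #processPkixTrustEngine(Map)}
     */
    private void processProps(Map<String, Object> map) throws SamlException {
        Tr.warning(tc, "SAML_CONFIG_IGNORE_ATTRIBUTES", new Object[]{"false", ignoreAttributes, this.providerId});
        this.clockSkewMilliSeconds = longProp(map, KEY_clockSkew);
        this.authnRequestTimeMilliSeconds = longProp(map, KEY_authnRequestTime);
        this.httpsRequired = boolProp(map, KEY_httpsRequired);
        this.allowCustomCacheKey = boolProp(map, KEY_allowCustomCacheKey);
        this.wantAssertionsSigned = boolProp(map, KEY_wantAssertionsSigned);
        this.signatureMethodAlgorithm = stringProp(map, KEY_signatureMethodAlgorithm);
        this.authnRequestsSigned = boolProp(map, KEY_authnRequestsSigned);
        this.includeX509InSPMetadata = boolProp(map, KEY_includeX509InSPMetadata);
        this.forceAuthn = boolProp(map, KEY_forceAuthn);
        this.isPassive = boolProp(map, KEY_isPassive);
        this.allowCreate = (Boolean) map.get(KEY_allowCreate);
        this.authnContextClassRefs = trim((String[]) map.get(KEY_authnContextClassRef));
        this.authnContextComparisonType = stringProp(map, KEY_authnContextComparisonType);
        this.nameIDFormat = processNameIDFormat(map, (String) map.get(KEY_nameIDFormat));
        this.idpMetadata = stringProp(map, KEY_idpMetadata);
        // A new metadata location invalidates any provider parsed earlier.
        this.idpMetadataProvider = null;
        this.keyStoreRef = stringProp(map, KEY_keyStoreRef);
        this.keyAlias = stringProp(map, KEY_keyAlias);
        this.keyPassword = getPassword((SerializableProtectedString) map.get(KEY_keyPassword));
        this.loginPageURL = stringProp(map, KEY_loginPageURL);
        this.errorPageURL = stringProp(map, KEY_errorPageURL);
        this.tokenReplayTimeout = longProp(map, KEY_tokenReplayTimeout);
        this.sessionNotOnOrAfter = longProp(map, KEY_sessionNotOnOrAfter);
        this.userIdentifier = stringProp(map, KEY_userIdentifier);
        this.groupIdentifier = stringProp(map, KEY_groupIdentifier);
        this.userUniqueIdentifier = stringProp(map, KEY_userUniqueIdentifier);
        // The unique identifier falls back to the (non-unique) user identifier.
        if (this.userUniqueIdentifier == null || this.userUniqueIdentifier.isEmpty()) {
            this.userUniqueIdentifier = this.userIdentifier;
        }
        this.realmIdentifier = stringProp(map, KEY_realmIdentifier);
        this.includeTokenInSubject = boolProp(map, KEY_includeTokenInSubject);
        this.mapToUserRegistry = Constants.MapToUserRegistry.valueOf((String) map.get(KEY_mapToUserRegistry));
        this.disableInitialRequestCookie = boolProp(map, KEY_disableInitialRequestCookie);
        this.disableLtpaCookie = boolProp(map, KEY_disableLtpaCookie);
        this.spCookieName = stringProp(map, KEY_spCookieName);
        this.realmName = stringProp(map, KEY_realmName);
        this.spHostAndPort = stringProp(map, KEY_spHostAndPort);
        this.targetPageUrl = stringProp(map, KEY_targetPageUrl);
        this.enabled = boolProp(map, KEY_enabled);
        // createSession is the one attribute that may be absent; the default (true) is kept.
        if (map.get(KEY_createSession) != null) {
            this.createSession = boolProp(map, KEY_createSession);
        }
        this.reAuthnOnAssertionExpire = boolProp(map, KEY_reAuthnOnAssertionExpire);
        this.reAuthnCushion = longProp(map, KEY_reAuthnCushion);
        this.useRelayStateForTarget = boolProp(map, KEY_useRelayStateForTarget);
        this.postLogoutRedirectUrl = this.configUtils.getConfigAttribute(map, KEY_postLogoutRedirectUrl);
        this.servletRequestLogoutPerformsSamlLogout = boolProp(map, KEY_servletRequestLogoutPerformsSamlLogout);
        processPkixTrustEngine(map);
    }

    /**
     * Delegates PKIX trust-engine setup to the superclass, converting any failure
     * into a {@link SamlException} after recording it via FFDC.
     */
    private void processPkixTrustEngine(Map<String, Object> map) throws SamlException {
        try {
            super.processPkixTrustEngine(map, this.configAdmin, this.bundleLocation);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.internal.SsoConfigImpl", "304", this, new Object[]{map});
            throw new SamlException(e);
        }
    }

    /**
     * Resolves the configured short NameID format to its URN.
     *
     * @param map configuration properties (read for {@code customizeNameIDFormat})
     * @param str the configured short value, may be null
     * @return the URN; the e-mail format when {@code str} is absent, the
     *         {@code customizeNameIDFormat} value for the customize key, or
     *         {@code null} when the short value is not in {@link #nameIDFormatMap}
     */
    String processNameIDFormat(Map<String, Object> map, String str) {
        if (str == null || str.isEmpty()) {
            return DEFAULT_NAME_ID_FORMAT;
        }
        String resolved;
        if (str.equals(Constants.NAME_ID_SHORT_CUSTOMIZE)) {
            resolved = (String) map.get(KEY_customizeNameIDFormat);
        } else {
            resolved = nameIDFormatMap.get(str);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, this.providerId + "> NameIDFormat:" + resolved + " id:" + str, new Object[0]);
        }
        return resolved;
    }

    /** Stores the ConfigurationAdmin and, once props are known, traces the resolved auth filter id. */
    @Override
    public void setConfigAdmin(ConfigurationAdmin configurationAdmin) {
        this.configAdmin = configurationAdmin;
        if (this.props == null || !tc.isDebugEnabled()) {
            return;
        }
        String ref = (String) this.props.get(CFG_KEY_AUTH_FILTER_REF);
        Tr.debug(tc, this.providerId + "> saml AuthenticationFilter Ref:" + ref + " id:" + getAuthFilterId(ref), new Object[0]);
    }

    @Override
    public String getProviderId() {
        return this.providerId;
    }

    /**
     * Looks up the configured authentication filter.
     *
     * @return the filter, or {@code null} when no {@code authFilterRef} is configured
     *         or the reference resolves to no registered filter (the latter is
     *         logged as SAML20_AUTH_FILTER_NOT_EXISTING; how a null filter is
     *         treated is decided by the caller, so a dangling reference deserves
     *         operator attention)
     */
    @Override
    public AuthenticationFilter getAuthFilter(ConcurrentServiceReferenceMap<String, AuthenticationFilter> concurrentServiceReferenceMap) {
        if (this.props == null) {
            return null;
        }
        String ref = (String) this.props.get(CFG_KEY_AUTH_FILTER_REF);
        if (ref == null || ref.isEmpty()) {
            return null;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, this.providerId + "> Ref:" + ref + " id:" + getAuthFilterId(ref), new Object[0]);
        }
        AuthenticationFilter filter = (AuthenticationFilter) concurrentServiceReferenceMap.getService(ref);
        if (filter == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "AuthnFilter Ref:" + ref + " points to no AuthnFilter, we accept all the requests", new Object[0]);
            }
            Tr.error(tc, "SAML20_AUTH_FILTER_NOT_EXISTING", new Object[]{getAuthFilterId(ref), this.providerId});
        }
        return filter;
    }

    @Override
    public String getAuthFilterId() {
        if (this.props == null) {
            return null;
        }
        return getAuthFilterId((String) this.props.get(CFG_KEY_AUTH_FILTER_REF));
    }

    /**
     * Maps an {@code authFilterRef} pid to the filter's configured {@code id}.
     *
     * <p>The cache handed over at {@link #setConfig} is consulted first; on a miss
     * the pid is looked up through ConfigurationAdmin. Note that
     * {@code ConfigurationAdmin.getConfiguration} creates an empty configuration
     * when none exists, which is why a null property set is treated as "unknown".
     *
     * @param str the pid referenced by {@code authFilterRef}
     * @return the filter id, or {@code null} when unknown, unresolvable or on I/O failure
     */
    public String getAuthFilterId(String str) {
        if (str == null || str.isEmpty()) {
            return null;
        }
        // Null-safe: the cache is optional (original dereferenced it unconditionally).
        if (this.filterIdMap != null) {
            String cached = this.filterIdMap.get(str);
            if (cached != null) {
                return cached;
            }
        }
        Configuration configuration = null;
        try {
            ConfigurationAdmin admin = this.configAdmin;
            if (admin != null) {
                configuration = admin.getConfiguration(str, (String) null);
            }
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "authFilterRef configuration", new Object[]{configuration});
            }
            if (configuration == null) {
                return null;
            }
            Dictionary properties = configuration.getProperties();
            if (properties == null) {
                return null;
            }
            return (String) properties.get(KEY_ID);
        } catch (IOException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.internal.SsoConfigImpl", "397", this, new Object[]{str});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Invalid authFilterRef configuration", new Object[]{e.getMessage()});
            }
            return null;
        }
    }

    @Override
    public long getClockSkew() {
        return this.clockSkewMilliSeconds;
    }

    @Override
    public boolean isWantAssertionsSigned() {
        return this.wantAssertionsSigned;
    }

    @Override
    public boolean isAuthnRequestsSigned() {
        return this.authnRequestsSigned;
    }

    @Override
    public boolean isForceAuthn() {
        return this.forceAuthn;
    }

    @Override
    public boolean isPassive() {
        return this.isPassive;
    }

    /** @return a copy of the configured AuthnContextClassRef values, or null */
    @Override
    public String[] getAuthnContextClassRef() {
        return this.authnContextClassRefs == null ? null : this.authnContextClassRefs.clone();
    }

    @Override
    public String getNameIDFormat() {
        return this.nameIDFormat;
    }

    @Override
    public String getIdpMetadata() {
        return this.idpMetadata;
    }

    @Override
    public String getKeyStoreRef() {
        return this.keyStoreRef;
    }

    @Override
    public String getKeyAlias() {
        return this.keyAlias;
    }

    /** @return the decoded key password; {@code @Sensitive} keeps it out of trace output */
    @Override
    @Sensitive
    public String getKeyPassword() {
        return this.keyPassword;
    }

    @Override
    public String getLoginPageURL() {
        return this.loginPageURL;
    }

    @Override
    public String getErrorPageURL() {
        return this.errorPageURL;
    }

    @Override
    public long getTokenReplayTimeout() {
        return this.tokenReplayTimeout;
    }

    @Override
    public long getSessionNotOnOrAfter() {
        return this.sessionNotOnOrAfter;
    }

    @Override
    public String getUserIdentifier() {
        return this.userIdentifier;
    }

    @Override
    public String getGroupIdentifier() {
        return this.groupIdentifier;
    }

    @Override
    public String getUserUniqueIdentifier() {
        return this.userUniqueIdentifier;
    }

    @Override
    public String getRealmIdentifier() {
        return this.realmIdentifier;
    }

    @Override
    public boolean isIncludeTokenInSubject() {
        return this.includeTokenInSubject;
    }

    @Override
    public Constants.MapToUserRegistry getMapToUserRegistry() {
        return this.mapToUserRegistry;
    }

    /**
     * Multi-line dump of the effective configuration for diagnostics. The key
     * password is masked; every other value is printed as configured.
     */
    @Override
    public String toString() {
        if (!this.bInit) {
            return "notInitialized yet";
        }
        return "\nproviderId:" + this.providerId
                + "\nwantAssertionsSigned:" + this.wantAssertionsSigned
                + "\nsignatureMethodAlgorithm:" + this.signatureMethodAlgorithm
                + "\nauthnRequestsSigned:" + this.authnRequestsSigned
                + "\nforceAuthn:" + this.forceAuthn
                + "\ncreateSession:" + this.createSession
                + "\nisPassive:" + this.isPassive
                + "\nallowCreate:" + this.allowCreate
                + "\nauthnContextComparisonType:" + this.authnContextComparisonType
                + "\nnameIDFormat:" + this.nameIDFormat
                + "\nidpMetadata:" + this.idpMetadata
                + "\nkeyStoreRef:" + this.keyStoreRef
                + "\nkeyAlias:" + this.keyAlias
                + "\nkeyPassword:" + (this.keyPassword == null ? "null" : "*****")
                + "\nloginPageURL:" + this.loginPageURL
                + "\nerrorPageURL:" + this.errorPageURL
                + "\ntokenReplayTimeout:" + this.tokenReplayTimeout
                + "\nuserIdentifier:" + this.userIdentifier
                + "\ngroupIdentifier:" + this.groupIdentifier
                + "\nuserUniqueIdentifier:" + this.userUniqueIdentifier
                + "\nrealmIdentifier:" + this.realmIdentifier
                + "\nincludeTokenInSubject:" + this.includeTokenInSubject
                + "\nmapToUserRegistry:" + this.mapToUserRegistry
                + "\ndisableInitialRequestCookie:" + this.disableInitialRequestCookie
                + "\ndisableLtpaCookie:" + this.disableLtpaCookie
                + "\nspCookieName:" + this.spCookieName
                + "\nrealmName:" + this.realmName
                + "\nspHostAndPort:" + this.spHostAndPort
                + "\ntargetPageUrl:" + this.targetPageUrl
                + "\nuseRelayStateForTarget:" + this.useRelayStateForTarget
                + "\ntrustedIssuers:" + (this.trustedIssuers == null ? "null" : Integer.valueOf(this.trustedIssuers.length))
                + "\nenabled:" + this.enabled
                + "\nincludeX509InSPMetadata:" + this.includeX509InSPMetadata
                + (!this.isPkixTrustEngineEnabled ? ";" : "\npkixTrustEngine enabled\nx509 cert list:" + this.pkixX509List.toString() + "\ncrl list:" + this.pkixCrlList.toString())
                + "\npostLogoutRedirectUrl:" + this.postLogoutRedirectUrl
                + "\nservletRequestLogoutPerformsSamlLogout: " + this.servletRequestLogoutPerformsSamlLogout;
    }

    /**
     * @return the XML-DSig signature method URI. Only the literal value
     *         {@code SHA1} (case-insensitive) selects RSA-SHA1, which is kept for
     *         legacy IdPs; everything else, including the default, maps to RSA-SHA256
     */
    @Override
    public String getSignatureMethodAlgorithm() {
        if ("SHA1".equalsIgnoreCase(this.signatureMethodAlgorithm)) {
            return "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
        }
        return "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    }

    /**
     * Lazily parses the IdP metadata. A parse failure is recorded via FFDC and
     * remembered (the flag is set only on success, so the parse is retried on
     * the next call). Not synchronized; concurrent first calls may both parse.
     *
     * @return the provider, or {@code null} when parsing failed
     */
    @Override
    public AcsDOMMetadataProvider getIdpMetadataProvider() {
        try {
            if (!this.bIdpMetadataProviderHandled) {
                this.idpMetadataProvider = MsgCtxUtil.parseIdpMetadataProvider(this);
                this.bIdpMetadataProviderHandled = true;
            }
        } catch (SamlException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.internal.SsoConfigImpl", "601", this, new Object[0]);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Can not parse MetadataFile:" + this.idpMetadata, new Object[0]);
            }
        }
        return this.idpMetadataProvider;
    }

    /**
     * {@link FileBasedActionable} callback: the monitored metadata file changed,
     * so the cached provider is dropped and re-parsed on next use.
     *
     * @param collection the changed files (not inspected)
     */
    @Override
    public void performFileBasedAction(Collection<File> collection) {
        this.idpMetadataProvider = null;
        this.bIdpMetadataProviderHandled = false;
        Tr.info(tc, "SAML20_IDP_METADATA_FILE_CHANGED", new Object[]{this.idpMetadata, this.providerId});
    }

    /** @return the owning bundle context, or null before the component context is known */
    public BundleContext getBundleContext() {
        return this.cc == null ? null : this.cc.getBundleContext();
    }

    @Override
    public Boolean getAllowCreate() {
        return this.allowCreate;
    }

    @Override
    public String getAuthnContextComparisonType() {
        return this.authnContextComparisonType;
    }

    @Override
    public boolean isDisableLtpaCookie() {
        return this.disableLtpaCookie;
    }

    /**
     * Returns the SP session cookie name, deriving and caching one when none is
     * configured: a hash (via {@code SamlUtil.hash}) of host name, user directory,
     * server name and provider id, so the name is stable for a given server
     * without exposing those values in the cookie.
     *
     * @param wsLocationAdmin location service; when null an OSGI_SERVICE_ERROR is
     *                        logged and only the provider id is hashed
     */
    @Override
    public String getSpCookieName(WsLocationAdmin wsLocationAdmin) {
        if (this.spCookieName == null || this.spCookieName.isEmpty()) {
            String longName;
            if (wsLocationAdmin != null) {
                String userDir = wsLocationAdmin.resolveString(Constants.WLP_USER_DIR).replace('\\', '/');
                String separator = userDir.endsWith("/") ? "" : "/";
                longName = FileInfo.getHostName() + "_" + userDir + separator + "servers/" + wsLocationAdmin.getServerName() + "/" + this.providerId;
            } else {
                Tr.error(tc, "OSGI_SERVICE_ERROR", new Object[]{"WsLocationAdmin"});
                longName = this.providerId;
            }
            this.spCookieName = Constants.COOKIE_NAME_SP_PREFIX + SamlUtil.hash(longName);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "cookieHashName: " + this.spCookieName + " cookieLongName: " + longName, new Object[0]);
            }
        }
        return this.spCookieName;
    }

    /** @return the live list from the superclass (not a copy) */
    @Override
    public List<String> getPkixX509CertificateList() {
        return this.pkixX509List;
    }

    /** @return the live list from the superclass (not a copy) */
    @Override
    public List<String> getPkixCrlList() {
        return this.pkixCrlList;
    }

    /**
     * Collects trust anchors from the owning service's keystore and the inline
     * certificate list. A lookup failure is recorded via FFDC and yields
     * whatever was gathered so far (possibly empty).
     */
    @Override
    public Collection<X509Certificate> getPkixTrustAnchors() {
        ArrayList<X509Certificate> anchors = new ArrayList<X509Certificate>();
        try {
            this.parentSsoService.searchTrustAnchors(anchors, this.trustAnchorName);
            addX509Certs(anchors);
        } catch (SamlException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.internal.SsoConfigImpl", "724", this, new Object[0]);
        }
        return anchors;
    }

    @Override
    public boolean isPkixTrustEngineEnabled() {
        return this.isPkixTrustEngineEnabled;
    }

    /**
     * Decodes a protected configuration password.
     *
     * @return the decoded value, or null when no password is configured. The
     *         decoded value is held as a String for the lifetime of this config.
     */
    @Sensitive
    String getPassword(SerializableProtectedString serializableProtectedString) {
        if (serializableProtectedString == null || serializableProtectedString.isEmpty()) {
            return null;
        }
        return PasswordUtil.passwordDecode(new String(serializableProtectedString.getChars()));
    }

    @Override
    public long getAuthnRequestTime() {
        return this.authnRequestTimeMilliSeconds;
    }

    /** @return a copy of the trusted-issuer list from the superclass, or null */
    @Override
    public String[] getPkixTrustedIssuers() {
        return this.trustedIssuers == null ? null : this.trustedIssuers.clone();
    }

    @Override
    public boolean isEnabled() {
        return this.enabled;
    }

    @Override
    public String getRealmName() {
        return this.realmName;
    }

    @Override
    public String getSpHostAndPort() {
        return this.spHostAndPort;
    }

    @Override
    public boolean isHttpsRequired() {
        return this.httpsRequired;
    }

    /** Custom cache keys are always in use when the LTPA cookie is disabled. */
    @Override
    public boolean isAllowCustomCacheKey() {
        return this.disableLtpaCookie || this.allowCustomCacheKey;
    }

    @Override
    public boolean createSession() {
        return this.createSession;
    }

    /** Not supported for SAML 2.0; routed through the inherited {@code unexpectedCall}. */
    @Override
    public String getHeaderName() {
        return (String) unexpectedCall("Saml,saml,SAML");
    }

    /** Not supported for SAML 2.0; routed through the inherited {@code unexpectedCall}. */
    @Override
    @SuppressWarnings("unchecked")
    public ArrayList<String> getHeaderNames() {
        ArrayList<String> names = new ArrayList<String>();
        names.add("Saml");
        names.add("saml");
        names.add("SAML");
        return (ArrayList<String>) unexpectedCall(names);
    }

    /** Not supported for SAML 2.0; routed through the inherited {@code unexpectedCall}. */
    @Override
    public String[] getAudiences() {
        return (String[]) unexpectedCall(new String[]{Constants.ANY_AUDIENCE});
    }

    @Override
    public boolean isReAuthnOnAssertionExpire() {
        return this.reAuthnOnAssertionExpire;
    }

    @Override
    public long getReAuthnCushion() {
        return this.reAuthnCushion;
    }

    @Override
    public String getTargetPageUrl() {
        return this.targetPageUrl;
    }

    @Override
    public boolean isIncludeX509InSPMetadata() {
        return this.includeX509InSPMetadata;
    }

    @Override
    public boolean getUseRelayStateForTarget() {
        return this.useRelayStateForTarget;
    }

    @Override
    public String getPostLogoutRedirectUrl() {
        return this.postLogoutRedirectUrl;
    }

    @Override
    public boolean isServletRequestLogoutPerformsSamlLogout() {
        return this.servletRequestLogoutPerformsSamlLogout;
    }

    @Override
    public boolean isDisableInitialRequestCookie() {
        return this.disableInitialRequestCookie;
    }

    /** Builds the short-name -> NameID format URN table used by processNameIDFormat(). */
    private static HashMap<String, String> buildNameIdFormatMap() {
        HashMap<String, String> formats = new HashMap<String, String>();
        formats.put(Constants.NAME_ID_SHORT_UNSPECIFIED, Constants.NAME_ID_FORMAT_UNSPECIFIED);
        formats.put("email", DEFAULT_NAME_ID_FORMAT);
        formats.put(Constants.NAME_ID_SHORT_X509_SUBJECT, Constants.NAME_ID_FORMAT_X509_SUBJECT);
        formats.put(Constants.NAME_ID_SHORT_WIN_DOMAIN_QUALIFIED, Constants.NAME_ID_FORMAT_WIN_DOMAIN_QUALIFIED);
        formats.put(Constants.NAME_ID_SHORT_KERBEROS, Constants.NAME_ID_FORMAT_KERBEROS);
        formats.put(Constants.NAME_ID_SHORT_ENTITY, Constants.NAME_ID_FORMAT_ENTITY);
        formats.put(Constants.NAME_ID_SHORT_PERSISTENT, Constants.NAME_ID_FORMAT_PERSISTENT);
        formats.put(Constants.NAME_ID_SHORT_TRANSIENT, Constants.NAME_ID_FORMAT_TRANSIENT);
        formats.put(Constants.NAME_ID_SHORT_ENCRYPTED, Constants.NAME_ID_FORMAT_ENCRYPTED);
        return formats;
    }
}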
