package com.ibm.ws.security.saml.sso20.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ssl.JSSEHelper;
import com.ibm.websphere.ssl.SSLConfigChangeListener;
import com.ibm.websphere.ssl.SSLException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.common.structures.Cache;
import com.ibm.ws.security.filemonitor.FileBasedActionable;
import com.ibm.ws.security.filemonitor.SecurityFileMonitor;
import com.ibm.ws.security.saml.Constants;
import com.ibm.ws.security.saml.SsoConfig;
import com.ibm.ws.security.saml.SsoSamlService;
import com.ibm.ws.security.saml.error.SamlException;
import com.ibm.ws.security.saml.sso20.internal.utils.UnsolicitedResponseCache;
import com.ibm.ws.security.saml.sso20.rs.RsSamlConfigImpl;
import com.ibm.ws.ssl.KeyStoreService;
import com.ibm.ws.webcontainer.security.WebProviderAuthenticatorHelper;
import com.ibm.wsspi.kernel.filemonitor.FileMonitor;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.ssl.SSLSupport;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import org.osgi.framework.ServiceReference;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Modified;

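/**
 * Declarative-services component backing one SAML 2.0 SSO provider (type {@value #TYPE}).
 * <p>
 * The instance holds the provider's parsed {@link SsoConfig}, the OSGi service references
 * it depends on (security, keystore and SSL support), the file monitor for the IdP metadata
 * file, and gives access to the per-provider ACS-cookie and unsolicited-response (replay)
 * caches, which live in static maps keyed by provider id because they are shared across
 * component instances. It also resolves the service provider's signing key and certificate
 * from the configured keystore (or, when no {@code keyStoreRef} is set, the keystore of the
 * default SSL configuration) and loads trust anchors from a truststore.
 * <p>
 * Thread-safety: the static cache maps are plain {@link HashMap}s; every read-or-create and
 * every removal is done inside a {@code synchronized} block on the map being touched, so the
 * check-then-put is atomic and each map is guarded by one lock only.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/security/saml/sso20/internal/SsoServiceImpl.class */
public class SsoServiceImpl implements SsoSamlService {
    public static final String TYPE = "SAMLSso20";
    public static final String VERSION = "v1.0";
    static final String CONFIGURATION_ADMIN = "configurationAdmin";
    static final String KEY_SECURITY_SERVICE = "securityService";
    static final String KEY_SERVICE_PID = "service.pid";
    static final String KEY_PROVIDER_ID = "id";
    static final String KEY_ID = "id";
    static final String KEY_inboundPropagation = "inboundPropagation";
    public static final String KEY_KEYSTORE_SERVICE = "keyStoreService";
    public static final String KEY_SSL_SUPPORT = "sslSupport";
    /** Keystore alias tried first when the configuration does not name a {@code keyAlias}. */
    private static final String DEFAULT_KEY_ALIAS = "samlsp";
    /** Property of the default SSL configuration that names its keystore. */
    private static final String DEFAULT_SSL_KEYSTORE_NAME = "com.ibm.ssl.keyStoreName";
    /** Property of the default SSL configuration that names its truststore. */
    private static final String DEFAULT_SSL_TRUSTSTORE_NAME = "com.ibm.ssl.trustStoreName";
    /** Property of the default SSL configuration that holds its keystore password. */
    private static final String DEFAULT_SSL_KEYSTORE_PASSWORD = "com.ibm.ssl.keyStorePassword";
    private WebProviderAuthenticatorHelper authHelper;
    private SecurityFileMonitor idpMetadataFileMonitor;
    private ServiceRegistration<FileMonitor> idpMetadataFileMonitorRegistration;
    static final long serialVersionUID = -7516611989692527778L;
    public static final TraceComponent tc = Tr.register(SsoServiceImpl.class, "SAML20", "com.ibm.ws.security.saml.sso20.internal.resources.SamlSso20Messages");
    // Shared across all provider instances; guarded by synchronized (acsCookieCacheMap).
    static final HashMap<String, Cache> acsCookieCacheMap = new HashMap<>();
    // Shared across all provider instances; guarded by synchronized (replayCacheMap).
    static final HashMap<String, UnsolicitedResponseCache> replayCacheMap = new HashMap<>();
    static HashMap<String, SsoSamlService> samlServiceMap = new HashMap<>();
    // True when inboundPropagation is "required" or "true" (see initProps).
    boolean isSamlInbound = false;
    private String providerId = null;
    private volatile ConfigurationAdmin configAdmin = null;
    protected AtomicServiceReference<SecurityService> securityServiceRef = new AtomicServiceReference<>(KEY_SECURITY_SERVICE);
    protected AtomicServiceReference<KeyStoreService> keyStoreServiceRef = new AtomicServiceReference<>(KEY_KEYSTORE_SERVICE);
    protected AtomicServiceReference<SSLSupport> sslSupportRef = new AtomicServiceReference<>(KEY_SSL_SUPPORT);
    // Placeholder until activate()/initProps() installs the real configuration.
    protected SsoConfig samlConfig = new SsoConfigImpl();

    /** DS bind: stores the ConfigurationAdmin and hands it to the current config. */
    protected void setConfigurationAdmin(ConfigurationAdmin configurationAdmin) {
        this.configAdmin = configurationAdmin;
        getSamlConfig().setConfigAdmin(configurationAdmin);
    }

    /** DS update: same as {@link #setConfigurationAdmin(ConfigurationAdmin)}. */
    protected void updateConfigurationAdmin(ConfigurationAdmin configurationAdmin) {
        this.configAdmin = configurationAdmin;
        getSamlConfig().setConfigAdmin(configurationAdmin);
    }

    /** DS unbind: clears the ConfigurationAdmin here and on the current config. */
    protected void unsetConfigurationAdmin(ServiceReference<ConfigurationAdmin> serviceReference) {
        this.configAdmin = null;
        getSamlConfig().setConfigAdmin(null);
    }

    protected void setSecurityService(ServiceReference<SecurityService> serviceReference) {
        this.securityServiceRef.setReference(serviceReference);
    }

    protected void unsetSecurityService(ServiceReference<SecurityService> serviceReference) {
        this.securityServiceRef.unsetReference(serviceReference);
    }

    protected void setKeyStoreService(ServiceReference<KeyStoreService> serviceReference) {
        this.keyStoreServiceRef.setReference(serviceReference);
    }

    protected void unsetKeyStoreService(ServiceReference<KeyStoreService> serviceReference) {
        this.keyStoreServiceRef.unsetReference(serviceReference);
    }

    protected void setSslSupport(ServiceReference<SSLSupport> serviceReference) {
        this.sslSupportRef.setReference(serviceReference);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "setSslSupport service.pid:" + serviceReference.getProperty(KEY_SERVICE_PID));
        }
    }

    protected void updatedSslSupport(ServiceReference<SSLSupport> serviceReference) {
        this.sslSupportRef.setReference(serviceReference);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "updatedtSslSupport service.pid:" + serviceReference.getProperty(KEY_SERVICE_PID));
        }
    }

    protected void unsetSslSupport(ServiceReference<SSLSupport> serviceReference) {
        this.sslSupportRef.unsetReference(serviceReference);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "unsetSslSupport service.pid:" + serviceReference.getProperty(KEY_SERVICE_PID));
        }
    }

    /**
     * DS activation: records the provider id, activates the service references and
     * builds the configuration, file monitor, auth helper and caches from {@code map}.
     *
     * @param componentContext the DS component context
     * @param map              the component's configuration properties
     */
    @Activate
    protected void activate(ComponentContext componentContext, Map<String, Object> map) {
        this.providerId = (String) map.get(KEY_PROVIDER_ID);
        this.securityServiceRef.activate(componentContext);
        this.keyStoreServiceRef.activate(componentContext);
        this.sslSupportRef.activate(componentContext);
        initProps(componentContext, map);
        Tr.info(tc, "SAML20_CONFIG_PROCESSED", new Object[]{this.providerId});
    }

    /**
     * (Re)builds the per-provider state from the configuration properties: selects the
     * inbound-propagation (RS) or web-SSO config implementation, starts the IdP metadata
     * file monitor, creates the authenticator helper and makes sure both caches exist
     * for this provider id.
     *
     * @param componentContext the DS component context
     * @param map              the component's configuration properties
     */
    void initProps(ComponentContext componentContext, Map<String, Object> map) {
        Object rawInbound = map.get(KEY_inboundPropagation);
        // A missing attribute is treated like an empty value (not inbound) rather than
        // failing activation with a NullPointerException.
        String inbound = rawInbound == null ? "" : rawInbound.toString().trim();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, this.providerId + " inboundPropagation:'" + inbound + "'");
        }
        this.isSamlInbound = Constants.REQUIRED.equals(inbound) || Constants.TRUE.equals(inbound);
        SsoConfig config = this.isSamlInbound
                ? new RsSamlConfigImpl(componentContext, map, this.configAdmin, SAMLRequestTAI.getFilterIdMap(), this)
                : new SsoConfigImpl(componentContext, map, this.configAdmin, SAMLRequestTAI.getFilterIdMap(), this);
        setSamlConfig(config);
        createFileMonitor(config);
        this.authHelper = new WebProviderAuthenticatorHelper(this.securityServiceRef);
        // Ensure both caches exist for this provider; creation is atomic per map.
        acsCookieCacheFor(this.providerId);
        replayCacheFor(this.providerId);
    }

    /**
     * DS modification: re-reads the provider id, drops the old file monitor registration
     * and rebuilds the state from the new properties.
     */
    @Modified
    protected void modified(ComponentContext componentContext, Map<String, Object> map) {
        this.providerId = (String) map.get(KEY_PROVIDER_ID);
        unsetFileMonitorRegistration();
        initProps(componentContext, map);
        Tr.info(tc, "SAML20_CONFIG_MODIFIED", new Object[]{this.providerId});
    }

    /**
     * DS deactivation: unregisters the file monitor, deactivates the service references,
     * resets the config to an empty placeholder and evicts this provider's caches.
     */
    @Deactivate
    protected void deactivate(ComponentContext componentContext) {
        unsetFileMonitorRegistration();
        this.securityServiceRef.deactivate(componentContext);
        this.keyStoreServiceRef.deactivate(componentContext);
        setSamlConfig(new SsoConfigImpl());
        this.sslSupportRef.deactivate(componentContext);
        // Each map is guarded by its own monitor; never hold both at once.
        synchronized (acsCookieCacheMap) {
            acsCookieCacheMap.remove(this.providerId);
        }
        synchronized (replayCacheMap) {
            replayCacheMap.remove(this.providerId);
        }
        Tr.info(tc, "SAML20_CONFIG_DEACTIVATED", new Object[]{this.providerId});
    }

    public void setSamlConfig(SsoConfig ssoConfig) {
        this.samlConfig = ssoConfig;
    }

    @Override // com.ibm.ws.security.saml.SsoSamlService
    public SsoConfig getConfig() {
        return this.samlConfig;
    }

    public SsoConfig getSamlConfig() {
        return this.samlConfig;
    }

    @Override // com.ibm.ws.security.saml.SsoSamlService
    public String getProviderId() {
        return this.providerId;
    }

    @Override // com.ibm.ws.security.saml.SsoSamlService
    public Constants.SamlSsoVersion getSamlVersion() {
        return Constants.SamlSsoVersion.SAMLSSO20;
    }

    /**
     * Returns the ACS-cookie cache for {@code str} (a provider id), creating it on first use.
     */
    @Override // com.ibm.ws.security.saml.SsoSamlService
    public Cache getAcsCookieCache(String str) {
        Cache cache = acsCookieCacheFor(str);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "acsCockieCache providerId:" + str + " cache:" + cache);
        }
        return cache;
    }

    /**
     * Returns the unsolicited-response (replay) cache for {@code str} (a provider id),
     * creating it on first use with the current config's clock skew.
     */
    @Override // com.ibm.ws.security.saml.SsoSamlService
    public UnsolicitedResponseCache getUnsolicitedResponseCache(String str) {
        UnsolicitedResponseCache cache = replayCacheFor(str);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "replayCacheMap providerId:" + str + " cache:" + cache);
        }
        return cache;
    }

    /** Atomic get-or-create on {@link #acsCookieCacheMap}. */
    private static Cache acsCookieCacheFor(String providerId) {
        synchronized (acsCookieCacheMap) {
            Cache cache = acsCookieCacheMap.get(providerId);
            if (cache == null) {
                cache = new Cache(0, 0L);
                acsCookieCacheMap.put(providerId, cache);
            }
            return cache;
        }
    }

    /** Atomic get-or-create on {@link #replayCacheMap}; the clock skew comes from the current config. */
    private UnsolicitedResponseCache replayCacheFor(String providerId) {
        synchronized (replayCacheMap) {
            UnsolicitedResponseCache cache = replayCacheMap.get(providerId);
            if (cache == null) {
                cache = new UnsolicitedResponseCache(0, 0L, getSamlConfig().getClockSkew());
                replayCacheMap.put(providerId, cache);
            }
            return cache;
        }
    }

    @Override // com.ibm.ws.security.saml.SsoSamlService
    public WebProviderAuthenticatorHelper getAuthHelper() {
        return this.authHelper;
    }

    @Override // com.ibm.ws.security.saml.SsoSamlService
    public String getAuthFilterId() {
        return getSamlConfig().getAuthFilterId();
    }

    /**
     * Reads one property of the server's default (inbound) SSL configuration.
     * <p>
     * The value may be a secret (e.g. the keystore password), hence {@code @Sensitive};
     * callers must not trace or log the returned value.
     *
     * @param str the SSL property name to read
     * @return the property value, or {@code null} when no SSL support / JSSE helper is
     *         available, the properties cannot be obtained, or the property is not set
     */
    @Sensitive
    public String getDefaultKeyStoreProperty(String str) {
        SSLSupport sslSupport = getSslSupportRef().getService();
        JSSEHelper jsseHelper = sslSupport == null ? null : sslSupport.getJSSEHelper();
        if (jsseHelper == null) {
            return null;
        }
        Properties properties;
        try {
            Map<String, Object> connectionInfo = new HashMap<>();
            connectionInfo.put("com.ibm.ssl.direction", "inbound");
            // Empty alias + tryDefault=true: resolve the default SSL configuration.
            properties = jsseHelper.getProperties("", connectionInfo, (SSLConfigChangeListener) null, true);
        } catch (SSLException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.internal.SsoServiceImpl", "323", this, new Object[]{str});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting jssehelper!!!");
            }
            return null;
        }
        if (properties == null) {
            return null;
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            // Only the property name is traced, never its value.
            Tr.debug(tc, "KeyStore property ( " + str + " ) from default ssl config  ");
        }
        return properties.getProperty(str);
    }

    /**
     * Returns the configured {@code keyStoreRef}, falling back to the keystore name of
     * the default SSL configuration when none is configured (may still be {@code null}).
     */
    private String resolveKeyStoreRef() {
        String keyStoreRef = getSamlConfig().getKeyStoreRef();
        if (keyStoreRef == null) {
            keyStoreRef = getDefaultKeyStoreProperty(DEFAULT_SSL_KEYSTORE_NAME);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "KeyStore name from default ssl config  = ", new Object[]{keyStoreRef});
            }
        }
        return keyStoreRef;
    }

    /** Debug trace emitted when the default alias lookup failed and the single-key lookup is retried. */
    private static void traceDefaultAliasFallback(Exception e) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Exception getting key using default alias.", new Object[]{e.toString()});
            Tr.debug(tc, "Try getting key one more time to see if there is only one key!!");
        }
    }

    /**
     * Loads the service provider's signing key.
     * <p>
     * With a configured {@code keyAlias} the key under that alias is returned. Without one,
     * the alias {@value #DEFAULT_KEY_ALIAS} is tried first and, if that lookup throws, the
     * keystore is asked for its single private key instead.
     *
     * @return the private key, or {@code null} when no KeyStoreService is available
     * @throws KeyStoreException    if the keystore or key cannot be read
     * @throws CertificateException if the key's certificate cannot be loaded
     */
    @Override // com.ibm.ws.security.saml.SsoSamlService
    @FFDCIgnore({CertificateException.class, KeyStoreException.class})
    @Sensitive
    public PrivateKey getPrivateKey() throws KeyStoreException, CertificateException {
        String keyStoreRef = resolveKeyStoreRef();
        String keyAlias = getSamlConfig().getKeyAlias();
        KeyStoreService keyStoreService = getKeyStoreServiceRef().getService();
        if (keyStoreService == null) {
            return null;
        }
        if (keyAlias != null) {
            return keyStoreService.getPrivateKeyFromKeyStore(keyStoreRef, keyAlias, getSamlConfig().getKeyPassword());
        }
        try {
            return keyStoreService.getPrivateKeyFromKeyStore(keyStoreRef, DEFAULT_KEY_ALIAS, getSamlConfig().getKeyPassword());
        } catch (KeyStoreException | CertificateException e) {
            traceDefaultAliasFallback(e);
            // Fallback: succeeds only when the keystore holds exactly one usable key.
            return keyStoreService.getPrivateKeyFromKeyStore(keyStoreRef);
        }
    }

    /**
     * Loads the service provider's signing certificate, using the same alias resolution
     * as {@link #getPrivateKey()}.
     *
     * @return the certificate, or {@code null} when no KeyStoreService is available
     *         (mirrors {@link #getPrivateKey()} instead of failing with a NullPointerException)
     * @throws KeyStoreException    if the keystore or entry cannot be read
     * @throws CertificateException if the certificate cannot be loaded
     */
    @Override // com.ibm.ws.security.saml.SsoSamlService
    @FFDCIgnore({CertificateException.class, KeyStoreException.class})
    @Sensitive
    public Certificate getSignatureCertificate() throws KeyStoreException, CertificateException {
        String keyStoreRef = resolveKeyStoreRef();
        String keyAlias = getSamlConfig().getKeyAlias();
        KeyStoreService keyStoreService = getKeyStoreServiceRef().getService();
        if (keyStoreService == null) {
            return null;
        }
        if (keyAlias != null) {
            return keyStoreService.getCertificateFromKeyStore(keyStoreRef, keyAlias);
        }
        try {
            return keyStoreService.getCertificateFromKeyStore(keyStoreRef, DEFAULT_KEY_ALIAS);
        } catch (KeyStoreException | CertificateException e) {
            traceDefaultAliasFallback(e);
            return keyStoreService.getX509CertificateFromKeyStore(keyStoreRef);
        }
    }

    /**
     * Starts monitoring the IdP metadata file named by {@code ssoConfig}, when the config
     * supports file-based reload and names a file. Failures are recorded via FFDC and
     * traced but never propagated: the provider stays usable without a monitor.
     *
     * @param ssoConfig the configuration whose IdP metadata file should be watched
     */
    void createFileMonitor(SsoConfig ssoConfig) {
        try {
            if (ssoConfig instanceof FileBasedActionable) {
                this.idpMetadataFileMonitor = new SecurityFileMonitor((FileBasedActionable) ssoConfig);
                String idpMetadata = ssoConfig.getIdpMetadata();
                if (idpMetadata != null && !idpMetadata.isEmpty()) {
                    setFileMonitorRegistration(this.idpMetadataFileMonitor.monitorFiles(Arrays.asList(idpMetadata), 2000L));
                }
            } else if (ssoConfig instanceof RsSamlConfigImpl) {
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "The rsSamlConfig does not need to monitor idp metadata xml file.");
                }
            } else if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "ERROR: The samlConfig is not an FileBasedActionable instance.");
            }
        } catch (Exception e) {
            // Best effort: a monitor failure must not break activation.
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.internal.SsoServiceImpl", "459", this, new Object[]{ssoConfig});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception creating the idpMetadata file monitor.", new Object[]{e});
            }
        }
    }

    protected void setFileMonitorRegistration(ServiceRegistration<FileMonitor> serviceRegistration) {
        this.idpMetadataFileMonitorRegistration = serviceRegistration;
    }

    /** Unregisters the IdP metadata file monitor, if one is registered. */
    protected void unsetFileMonitorRegistration() {
        ServiceRegistration<FileMonitor> registration = this.idpMetadataFileMonitorRegistration;
        if (registration != null) {
            registration.unregister();
            this.idpMetadataFileMonitorRegistration = null;
        }
    }

    ConfigurationAdmin getConfigurationAdmin() {
        return this.configAdmin;
    }

    /**
     * Adds every trusted-certificate entry of the named truststore to {@code collection}.
     *
     * @param collection receives the X.509 trust anchors; must be mutable
     * @param str        the truststore reference; when {@code null} or empty the truststore
     *                   of the default SSL configuration is used
     * @return {@code true} when the truststore was read, {@code false} when no
     *         KeyStoreService is available (nothing is added in that case)
     * @throws SamlException wrapping any KeyStoreException or CertificateException
     */
    @Override // com.ibm.ws.security.saml.SsoSamlService
    public boolean searchTrustAnchors(Collection<X509Certificate> collection, String str) throws SamlException {
        String trustStoreRef = str;
        if (trustStoreRef == null || trustStoreRef.isEmpty()) {
            trustStoreRef = getDefaultKeyStoreProperty(DEFAULT_SSL_TRUSTSTORE_NAME);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "TrustStore name from default ssl config  = ", new Object[]{trustStoreRef});
            }
        }
        KeyStoreService keyStoreService = getKeyStoreServiceRef().getService();
        if (keyStoreService == null) {
            return false;
        }
        try {
            for (String alias : keyStoreService.getTrustedCertEntriesInKeyStore(trustStoreRef)) {
                X509Certificate cert = keyStoreService.getX509CertificateFromKeyStore(trustStoreRef, alias);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "getCert trustAnchorName:" + trustStoreRef + " certId:" + alias + " cert:" + cert);
                }
                collection.add(cert);
            }
            return true;
        } catch (KeyStoreException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.saml.sso20.internal.SsoServiceImpl", "510", this, new Object[]{collection, trustStoreRef});
            throw new SamlException(e);
        } catch (CertificateException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.saml.sso20.internal.SsoServiceImpl", "512", this, new Object[]{collection, trustStoreRef});
            throw new SamlException(e2);
        }
    }

    @Override // com.ibm.ws.security.saml.SsoSamlService
    public boolean isEnabled() {
        return getSamlConfig().isEnabled();
    }

    public AtomicServiceReference<KeyStoreService> getKeyStoreServiceRef() {
        return this.keyStoreServiceRef;
    }

    public AtomicServiceReference<SSLSupport> getSslSupportRef() {
        return this.sslSupportRef;
    }

    @Override // com.ibm.ws.security.saml.SsoSamlService
    public boolean isInboundPropagation() {
        return this.isSamlInbound;
    }

    /**
     * Returns the keystore password of the default SSL configuration, or {@code null}
     * when it cannot be read. The value is a secret: never trace or log it.
     */
    @Override // com.ibm.ws.security.saml.SsoSamlService
    @Sensitive
    public String getDefaultKeyStorePassword() {
        return getDefaultKeyStoreProperty(DEFAULT_SSL_KEYSTORE_PASSWORD);
    }
}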
