package com.ibm.wsspi.security.token;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.kerberos.auth.Krb5LoginModuleWrapper;
import com.ibm.ws.security.krb5.Krb5Common;
import com.ibm.ws.security.token.krb5.Krb5Helper;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

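/**
 * Static helpers that build a SPNEGO authorization string for a target service principal name
 * (SPN) from different credential sources: the caller/run-as {@link Subject}, the native
 * (ambient) Kerberos credentials, a user principal name (UPN), or a userid/password pair.
 *
 * <p>Every variant validates the SPN with {@code Krb5Helper.checkSpn} and delegates the actual
 * token construction to {@code Krb5Helper}; the format of the returned string is defined there
 * and is not visible in this file.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The native-creds, UPN and userid/password variants run inside
 *       {@link AccessController#doPrivileged}, so the Kerberos work is performed with this
 *       class's own permissions rather than the caller's. Access to these public methods must
 *       therefore be controlled by whatever sits in front of them.</li>
 *   <li>{@code javax.security.auth.useSubjectCredsOnly} and {@code Krb5Common.KRB5_PRINCIPAL}
 *       are changed temporarily. NOTE(review): these look like JVM-wide system properties, so
 *       other threads would observe the temporary value during the window; confirm against
 *       {@code Krb5Common.setPropertyAsNeeded}.</li>
 *   <li>FFDC records carry the SPN, UPN and login-context name, while the password is replaced
 *       by the literal {@code "<sensitive java.lang.String>"}.</li>
 * </ul>
 *
 * <p>This listing is decompiler output: {@code serialVersionUID}, the {@code $$$tc$$$} fields
 * marked {@code synthetic} and the {@code AnonymousClassN} references are kept as rendered.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/wsspi/security/token/SpnegoTokenHelper.class */
public class SpnegoTokenHelper {
    private static final TraceComponent tc = Tr.register(SpnegoTokenHelper.class, "Token", "com.ibm.ws.security.token.internal.resources.TokenMessages");
    static final long serialVersionUID = 249773837765582850L;

    /**
     * Builds the SPNEGO authorization string from the current caller subject, falling back to
     * the run-as subject when there is no caller subject.
     *
     * @param str target SPN (validated downstream by {@code Krb5Helper.checkSpn})
     * @param i   passed through to {@code Krb5Helper}; presumably the requested lifetime - confirm
     * @param z   passed through to {@code Krb5Helper}; presumably the delegation flag - confirm
     * @return the string produced by {@code Krb5Helper.buildSpnegoAuthorizationFromSubjectCommon}
     */
    public static String buildSpnegoAuthorizationFromCallerSubject(String str, int i, boolean z) throws WSSecurityException, GSSException, PrivilegedActionException {
        Subject callerSubject = WSSubject.getCallerSubject();
        if (callerSubject == null) {
            // No caller identity on the thread: use the run-as identity instead. This may still
            // be null; the null case is left to Krb5Helper.
            callerSubject = WSSubject.getRunAsSubject();
        }
        return buildSpnegoAuthorizationFromSubject(str, callerSubject, i, z);
    }

    /**
     * Builds the SPNEGO authorization string from the credentials held by the given subject.
     *
     * @param str     target SPN; rejected by {@code Krb5Helper.checkSpn} if invalid
     * @param subject subject whose credentials are used; not checked for null here
     * @param i       passed through to {@code Krb5Helper}; presumably the lifetime - confirm
     * @param z       passed through to {@code Krb5Helper}; presumably the delegation flag - confirm
     */
    public static String buildSpnegoAuthorizationFromSubject(String str, Subject subject, int i, boolean z) throws GSSException, PrivilegedActionException {
        Krb5Helper.checkSpn(str);
        return Krb5Helper.buildSpnegoAuthorizationFromSubjectCommon(str, subject, i, z);
    }

    /**
     * Builds the SPNEGO authorization string from the native (ambient) Kerberos credentials,
     * i.e. without a subject or principal name being supplied to {@code Krb5Helper.getGSSCred}.
     *
     * <p>{@code javax.security.auth.useSubjectCredsOnly} is set to {@code "false"} for the
     * duration of the call and restored afterwards, on both the success and the failure path.
     *
     * @param str target SPN
     * @param i   passed through to {@code Krb5Helper.buildSpnegoAuthorization}
     * @param z   passed through to {@code Krb5Helper.buildSpnegoAuthorization}
     * @throws GSSException               when the unwrapped cause of the privileged failure is one
     * @throws PrivilegedActionException  for any other failure inside the privileged block
     */
    public static String buildSpnegoAuthorizationFromNativeCreds(final String str, final int i, final boolean z) throws GSSException, PrivilegedActionException {
        Krb5Helper.checkSpn(str);
        try {
            return (String) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: com.ibm.wsspi.security.token.SpnegoTokenHelper.1
                static final long serialVersionUID = -6063323207179772536L;
                private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register("com.ibm.wsspi.security.token.SpnegoTokenHelper$1", AnonymousClass1.class, "Token", "com.ibm.ws.security.token.internal.resources.TokenMessages");

                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws PrivilegedActionException, GSSException {
                    String propertyAsNeeded = Krb5Helper.setPropertyAsNeeded("javax.security.auth.useSubjectCredsOnly", "false");
                    try {
                        return Krb5Helper.buildSpnegoAuthorization(Krb5Helper.getGSSCred(null, null, Krb5Common.SPNEGO_MECH_OID, 1, Integer.MAX_VALUE, Integer.MAX_VALUE), str, i, z);
                    } finally {
                        // Always put the property back, whether or not token creation succeeded.
                        Krb5Common.restorePropertyAsNeeded("javax.security.auth.useSubjectCredsOnly", propertyAsNeeded, "false");
                    }
                }
            });
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e, "com.ibm.wsspi.security.token.SpnegoTokenHelper", "130", (Object) null, new Object[]{str, Integer.valueOf(i), Boolean.valueOf(z)});
            // Surface the underlying GSS failure directly; anything else stays wrapped.
            Throwable generalCause = Krb5Helper.getGeneralCause(e);
            if (generalCause instanceof GSSException) {
                throw (GSSException) generalCause;
            }
            throw e;
        }
    }

    /**
     * Builds the SPNEGO authorization string for the given UPN. A Kerberos login is performed
     * without a password (see {@link #doOtherKerberosLogin}, which then enables the ticket
     * cache) and the GSS credential is obtained while running as the resulting subject.
     *
     * <p>{@code javax.security.auth.useSubjectCredsOnly} is set to {@code "false"} around the
     * whole operation and restored afterwards.
     *
     * <p>NOTE(review): {@code doKerberosLogin} can return {@code null}, in which case
     * {@code Subject.doAs} runs with no subject while subject-only credentials are disabled.
     * Confirm that {@code Krb5Helper.getGSSCred} then fails rather than using other ambient
     * credentials for {@code str2}.
     *
     * @param str  target SPN
     * @param str2 user principal name; validated by {@code Krb5Helper.checkUpn}
     * @param str3 JAAS login context entry name handed to the Kerberos login; may be null
     * @param i    passed through to {@code Krb5Helper.buildSpnegoAuthorization}
     * @param z    passed through to {@code Krb5Helper.buildSpnegoAuthorization}
     * @throws LoginException            when the unwrapped cause is a login failure
     * @throws GSSException              when the unwrapped cause is a GSS failure
     * @throws PrivilegedActionException for any other failure inside the privileged block
     */
    public static String buildSpnegoAuthorizationFromUpn(final String str, final String str2, final String str3, final int i, final boolean z) throws GSSException, LoginException, PrivilegedActionException {
        Krb5Helper.checkSpn(str);
        Krb5Helper.checkUpn(str2);
        try {
            return (String) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: com.ibm.wsspi.security.token.SpnegoTokenHelper.2
                static final long serialVersionUID = -8771378281528230433L;
                private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register("com.ibm.wsspi.security.token.SpnegoTokenHelper$2", AnonymousClass2.class, "Token", "com.ibm.ws.security.token.internal.resources.TokenMessages");

                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws LoginException, PrivilegedActionException, GSSException {
                    String propertyAsNeeded = Krb5Helper.setPropertyAsNeeded("javax.security.auth.useSubjectCredsOnly", "false");
                    try {
                        return Krb5Helper.buildSpnegoAuthorization((GSSCredential) Subject.doAs(SpnegoTokenHelper.doKerberosLogin(str3, str2, null), new PrivilegedExceptionAction<Object>() { // from class: com.ibm.wsspi.security.token.SpnegoTokenHelper.2.1
                            static final long serialVersionUID = -3876628782473623535L;
                            private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register("com.ibm.wsspi.security.token.SpnegoTokenHelper$2$1", AnonymousClass1.class, "Token", "com.ibm.ws.security.token.internal.resources.TokenMessages");

                            @Override // java.security.PrivilegedExceptionAction
                            public Object run() throws GSSException, Exception {
                                return Krb5Helper.getGSSCred(null, str2, Krb5Common.SPNEGO_MECH_OID, 1, Integer.MAX_VALUE, Integer.MAX_VALUE);
                            }
                        }), str, i, z);
                    } finally {
                        // Always put the property back, whether or not token creation succeeded.
                        Krb5Common.restorePropertyAsNeeded("javax.security.auth.useSubjectCredsOnly", propertyAsNeeded, "false");
                    }
                }
            });
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e, "com.ibm.wsspi.security.token.SpnegoTokenHelper", "195", (Object) null, new Object[]{str, str2, str3, Integer.valueOf(i), Boolean.valueOf(z)});
            Throwable generalCause = Krb5Helper.getGeneralCause(e);
            if (generalCause instanceof LoginException) {
                throw (LoginException) generalCause;
            }
            if (generalCause instanceof GSSException) {
                throw (GSSException) generalCause;
            }
            throw e;
        }
    }

    /**
     * Same as the six-argument overload, using the JAAS login context entry {@code "JAASClient"}.
     *
     * @param str  target SPN
     * @param str2 user principal name
     * @param str3 password; marked {@code @Sensitive} so that it is kept out of trace output
     */
    public static String buildSpnegoAuthorizationFromUseridPassword(String str, String str2, @Sensitive String str3, int i, boolean z) throws GSSException, LoginException, PrivilegedActionException {
        return buildSpnegoAuthorizationFromUseridPassword(str, str2, str3, "JAASClient", i, z);
    }

    /**
     * Builds the SPNEGO authorization string by logging in to Kerberos with the given UPN and
     * password and obtaining the GSS credential while running as the resulting subject.
     *
     * <p>Unlike the native-creds and UPN variants, this method does not touch
     * {@code javax.security.auth.useSubjectCredsOnly}.
     *
     * @param str  target SPN; validated by {@code Krb5Helper.checkSpn}
     * @param str2 user principal name; validated by {@code Krb5Helper.checkUpn}
     * @param str3 password; validated by {@code Krb5Helper.checkPassword} and replaced by a
     *             placeholder in the FFDC record
     * @param str4 JAAS login context entry name handed to the Kerberos login
     * @param i    passed through to {@code Krb5Helper.buildSpnegoAuthorization}
     * @param z    passed through to {@code Krb5Helper.buildSpnegoAuthorization}
     * @throws LoginException            when the unwrapped cause is a login failure
     * @throws GSSException              when the unwrapped cause is a GSS failure
     * @throws PrivilegedActionException for any other failure inside the privileged block
     */
    public static String buildSpnegoAuthorizationFromUseridPassword(final String str, final String str2, @Sensitive final String str3, final String str4, final int i, final boolean z) throws GSSException, LoginException, PrivilegedActionException {
        Krb5Helper.checkSpn(str);
        Krb5Helper.checkUpn(str2);
        Krb5Helper.checkPassword(str3);
        try {
            return (String) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: com.ibm.wsspi.security.token.SpnegoTokenHelper.3
                static final long serialVersionUID = 5246391761545194704L;
                private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register("com.ibm.wsspi.security.token.SpnegoTokenHelper$3", AnonymousClass3.class, "Token", "com.ibm.ws.security.token.internal.resources.TokenMessages");

                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws LoginException, GSSException, PrivilegedActionException {
                    return Krb5Helper.buildSpnegoAuthorization((GSSCredential) Subject.doAs(SpnegoTokenHelper.doKerberosLogin(str4, str2, str3), new PrivilegedExceptionAction<Object>() { // from class: com.ibm.wsspi.security.token.SpnegoTokenHelper.3.1
                        static final long serialVersionUID = 2903546241992746685L;
                        private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register("com.ibm.wsspi.security.token.SpnegoTokenHelper$3$1", AnonymousClass1.class, "Token", "com.ibm.ws.security.token.internal.resources.TokenMessages");

                        @Override // java.security.PrivilegedExceptionAction
                        public Object run() throws GSSException, Exception {
                            return Krb5Helper.getGSSCred(null, str2, Krb5Common.SPNEGO_MECH_OID, 1, Integer.MAX_VALUE, Integer.MAX_VALUE);
                        }
                    }), str, i, z);
                }
            });
        } catch (PrivilegedActionException e) {
            // The password slot is a fixed placeholder so the secret never reaches the FFDC log.
            FFDCFilter.processException(e, "com.ibm.wsspi.security.token.SpnegoTokenHelper", "277", (Object) null, new Object[]{str, str2, "<sensitive java.lang.String>", str4, Integer.valueOf(i), Boolean.valueOf(z)});
            Throwable generalCause = Krb5Helper.getGeneralCause(e);
            if (generalCause instanceof LoginException) {
                throw (LoginException) generalCause;
            }
            if (generalCause instanceof GSSException) {
                throw (GSSException) generalCause;
            }
            throw e;
        }
    }

    /**
     * Performs the Kerberos login with whichever login module {@code Krb5Common} reports as
     * available.
     *
     * <p>Declared {@code private} again: the decompiler had widened it to {@code public} only so
     * that its rendering of the anonymous classes could reach it. A method that accepts a
     * password and performs a login should not be part of the public surface.
     *
     * @param str  JAAS login context entry name; may be null
     * @param str2 user principal name
     * @param str3 password, or null for a password-less login
     * @return the authenticated subject, or {@code null} when neither login module is available
     */
    private static Subject doKerberosLogin(String str, String str2, @Sensitive String str3) throws LoginException {
        if (Krb5Common.IBM_KRB5_LOGIN_MODULE_AVAILABLE) {
            return doIBMKerberosLogin(str, str2, str3);
        }
        if (Krb5Common.OTHER_KRB5_LOGIN_MODULE_AVAILABLE) {
            return doOtherKerberosLogin(str, str2, str3);
        }
        // NOTE(review): callers pass this null straight to Subject.doAs; no login has happened.
        return null;
    }

    /**
     * Logs in through a JAAS {@link LoginContext} using the named configuration entry.
     *
     * @param str  JAAS login context entry name; {@code "JAASClient"} is used when null
     * @param str2 user name handed to the callback handler
     * @param str3 password handed to the callback handler
     * @return the subject populated by the login, or {@code null} when the privileged action
     *         failed with a cause that is not a {@link LoginException}
     * @throws LoginException when the login fails with a login error
     */
    private static Subject doIBMKerberosLogin(String str, final String str2, @Sensitive final String str3) throws LoginException {
        Subject subject = null;
        if (str == null) {
            str = "JAASClient";
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "jaasLoginContextEntry: " + str, new Object[0]);
            }
        }
        final String str4 = str;
        try {
            subject = (Subject) AccessController.doPrivileged(new PrivilegedExceptionAction<Subject>() { // from class: com.ibm.wsspi.security.token.SpnegoTokenHelper.4
                static final long serialVersionUID = 5228473330192668780L;
                private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register("com.ibm.wsspi.security.token.SpnegoTokenHelper$4", AnonymousClass4.class, "Token", "com.ibm.ws.security.token.internal.resources.TokenMessages");

                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public Subject run() throws LoginException {
                    LoginContext loginContext = new LoginContext(str4, new WSCallbackHandlerImpl(str2, str3));
                    loginContext.login();
                    return loginContext.getSubject();
                }
            });
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e, "com.ibm.wsspi.security.token.SpnegoTokenHelper", "327", (Object) null, new Object[]{str, str2, "<sensitive java.lang.String>"});
            Throwable generalCause = Krb5Helper.getGeneralCause(e);
            if (generalCause instanceof LoginException) {
                throw (LoginException) generalCause;
            }
            // NOTE(review): any other cause is recorded in FFDC only and the method falls through
            // to return null, so a failed login is indistinguishable from "no login module".
            // Confirm this is intended rather than failing closed.
        }
        return subject;
    }

    /**
     * Logs in by driving {@code Krb5LoginModuleWrapper} directly (initialize, login, commit)
     * instead of going through a JAAS configuration entry.
     *
     * <p>{@code Krb5Common.KRB5_PRINCIPAL} is set to the UPN for the duration of the login. The
     * previous value is now reinstated in a {@code finally} block; before, a failing
     * {@code login()} or {@code commit()} left the UPN of the failed attempt in place for later
     * logins.
     *
     * @param str  JAAS login context entry name; not used by this implementation
     * @param str2 user principal name
     * @param str3 password; when null the ticket cache is enabled instead
     * @return the subject populated by the login module
     * @throws LoginException when the login module rejects the login
     */
    static Subject doOtherKerberosLogin(String str, String str2, @Sensitive String str3) throws LoginException {
        Subject subject = new Subject();
        Krb5LoginModuleWrapper krb5LoginModuleWrapper = new Krb5LoginModuleWrapper();
        HashMap hashMap = new HashMap(); // login module options
        HashMap hashMap2 = new HashMap(); // login module shared state
        hashMap.put("isInitiator", "true");
        hashMap.put("refreshKrb5Config", "true");
        hashMap.put("doNotPrompt", "false");
        hashMap.put("clearPass", "true");
        hashMap.put("storeKey", "true");
        if (str3 != null) {
            hashMap.put("useFirstPass", "true");
            // NOTE(review): this char[] copy is never wiped here; removal from the shared state
            // is left to the module's clearPass handling. Confirm it also runs on a failed login.
            hashMap2.put("javax.security.auth.login.password", str3.toCharArray());
        } else {
            hashMap.put("tryFirstPass", "true");
            hashMap.put("useTicketCache", "true");
        }
        if (tc.isDebugEnabled()) {
            // Trace-level debug also switches on the login module's own debug output.
            hashMap.put("debug", "true");
        }
        hashMap.put("principal", str2);
        hashMap2.put("javax.security.auth.login.name", str2);
        WSCallbackHandlerImpl wSCallbackHandlerImpl = new WSCallbackHandlerImpl(str2, str3);
        String propertyAsNeeded = Krb5Common.setPropertyAsNeeded(Krb5Common.KRB5_PRINCIPAL, str2);
        try {
            krb5LoginModuleWrapper.initialize(subject, wSCallbackHandlerImpl, hashMap2, hashMap);
            // NOTE(review): the shared state passed here holds the password entry; confirm that
            // debugKrb5LoginModule does not write it to trace.
            Krb5Common.debugKrb5LoginModule(subject, wSCallbackHandlerImpl, hashMap2, hashMap);
            krb5LoginModuleWrapper.login();
            krb5LoginModuleWrapper.commit();
        } finally {
            // Reinstate the previous principal on every exit path, including login failures.
            Krb5Common.setPropertyAsNeeded(Krb5Common.KRB5_PRINCIPAL, propertyAsNeeded);
        }
        return subject;
    }
}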
