package com.ibm.ws.webcontainer.security;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.common.internal.encoder.Base64Coder;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.authentication.tai.TAIService;
import com.ibm.ws.webcontainer.security.internal.BasicAuthAuthenticator;
import com.ibm.ws.webcontainer.security.internal.SSOAuthenticator;
import com.ibm.ws.webcontainer.security.internal.TAIAuthenticator;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import com.ibm.wsspi.security.token.SingleSignonToken;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

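/**
 * Dispatches web-container authentication to the pluggable "provider" mechanisms:
 * Trust Association Interceptors (TAI), LTPA single sign-on (SSO) and the JASPIC
 * {@link WebAuthenticator} registered under the service id {@code com.ibm.ws.security.jaspi}.
 *
 * <p>{@link #authenticate(WebRequest)} runs TAIs configured to run before SSO, then SSO,
 * then TAIs configured to run after SSO, stopping at the first result whose status is not
 * {@link AuthResult#CONTINUE}. {@link #handleJaspi} drives the JASPIC provider and, on
 * success, decides whether the resulting subject is registered as an SSO session (LTPA
 * cookie added) or kept request-scoped (LTPA cookie removed / expired).
 *
 * <p>The user name parsed from an HTTP Basic {@code Authorization} header in the JASPIC
 * paths is recorded for auditing only; it is never used to make an authentication decision.
 *
 * <p>All collaborators are OSGi service references and may be unavailable at call time.
 * The TAI and JASPIC paths tolerate a missing service; {@link #getSSOAuthenticator} and
 * {@link #getTaiAuthenticator} dereference the security service without a null check.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class WebProviderAuthenticatorProxy implements WebAuthenticator {
    private static final TraceComponent tc = Tr.register(WebProviderAuthenticatorProxy.class);

    /** Service id under which the JASPIC {@link WebAuthenticator} is registered. */
    private static final String JASPI_SERVICE_ID = "com.ibm.ws.security.jaspi";
    /** JASPIC MessageInfo property asking the container to register the authenticated session. */
    private static final String REGISTER_SESSION = "javax.servlet.http.registerSession";
    /** Request property carrying the SSO subject handed to the JASPIC provider. */
    private static final String REGISTER_SESSION_SUBJECT = "javax.servlet.http.registerSession.subject";
    /** SSO token attribute listing which authentication provider(s) produced the token. */
    private static final String AUTH_PROVIDER_ATTR = "com.ibm.ws.authentication.internal.auth.provider";
    /** Scheme prefix of an HTTP Basic credential, including the separating space. */
    private static final String BASIC_PREFIX = "Basic ";
    /** Source id used for FFDC incident records emitted by this class. */
    private static final String FFDC_SOURCE = "com.ibm.ws.webcontainer.security.WebProviderAuthenticatorProxy";

    /**
     * Shared "nothing decided" result returned when no JASPIC provider is available.
     * It is one instance for all requests, so it must never be mutated by callers.
     */
    AuthenticationResult JASPI_CONT = new AuthenticationResult(AuthResult.CONTINUE, "JASPI said continue...");

    protected final AtomicServiceReference<SecurityService> securityServiceRef;
    protected final AtomicServiceReference<TAIService> taiServiceRef;
    protected final ConcurrentServiceReferenceMap<String, TrustAssociationInterceptor> interceptorServiceRef;
    protected volatile WebAppSecurityConfig webAppSecurityConfig;
    protected final ConcurrentServiceReferenceMap<String, WebAuthenticator> webAuthenticatorRef;
    static final long serialVersionUID = -5119862836190499692L;

    /**
     * @param atomicServiceReference      security service (supplies the AuthenticationService)
     * @param atomicServiceReference2     TAI service, may resolve to null at call time
     * @param concurrentServiceReferenceMap individually registered TAIs, keyed by id
     * @param webAppSecurityConfig        web-app security configuration (SSO cookie helper factory)
     * @param concurrentServiceReferenceMap2 other WebAuthenticators, keyed by service id
     */
    public WebProviderAuthenticatorProxy(AtomicServiceReference<SecurityService> atomicServiceReference, AtomicServiceReference<TAIService> atomicServiceReference2, ConcurrentServiceReferenceMap<String, TrustAssociationInterceptor> concurrentServiceReferenceMap, WebAppSecurityConfig webAppSecurityConfig, ConcurrentServiceReferenceMap<String, WebAuthenticator> concurrentServiceReferenceMap2) {
        this.securityServiceRef = atomicServiceReference;
        this.taiServiceRef = atomicServiceReference2;
        this.interceptorServiceRef = concurrentServiceReferenceMap;
        this.webAppSecurityConfig = webAppSecurityConfig;
        this.webAuthenticatorRef = concurrentServiceReferenceMap2;
    }

    /**
     * Runs the TAI / SSO / TAI chain for a protected request.
     *
     * @return the first result whose status is not {@link AuthResult#CONTINUE}, otherwise the
     *         CONTINUE result of the final (after-SSO) TAI pass
     */
    @Override // com.ibm.ws.webcontainer.security.WebAuthenticator
    public AuthenticationResult authenticate(WebRequest webRequest) {
        // Order matters: TAIs flagged invoke-before-SSO get the first look, then the LTPA
        // cookie, then TAIs flagged invoke-after-SSO. The first decision wins.
        AuthenticationResult result = handleTAI(webRequest, true);
        if (result.getStatus() != AuthResult.CONTINUE) {
            return result;
        }
        result = handleSSO(webRequest, null);
        if (result.getStatus() != AuthResult.CONTINUE) {
            return result;
        }
        webRequest.setCallAfterSSO(true);
        return handleTAI(webRequest, false);
    }

    /**
     * Delegates to the JASPIC provider, if one is registered, and performs SSO bookkeeping
     * on success.
     *
     * @param webRequest the request being authenticated
     * @param hashMap    form-login properties (contains {@code authType}); {@code null} for
     *                   every other mechanism, which selects the generic JASPIC path
     * @return {@link #JASPI_CONT} when no JASPIC provider is available, otherwise the
     *         provider's result
     */
    public AuthenticationResult handleJaspi(final WebRequest webRequest, final HashMap<String, Object> hashMap) {
        if (this.webAuthenticatorRef == null) {
            return this.JASPI_CONT;
        }
        final WebAuthenticator jaspiAuthenticator = this.webAuthenticatorRef.getService(JASPI_SERVICE_ID);
        if (jaspiAuthenticator == null) {
            return this.JASPI_CONT;
        }
        final AuthenticationResult result = (hashMap == null)
                ? authenticateForOtherMechanisms(webRequest, jaspiAuthenticator)
                : authenticateForFormMechanism(webRequest, hashMap, jaspiAuthenticator);
        if (result.getStatus() == AuthResult.SUCCESS) {
            // Cookie handling touches the response; under a SecurityManager the provider's
            // protection domain may not be allowed to, so run it with this class's privileges.
            if (System.getSecurityManager() == null) {
                processAuthenticationSuccess(webRequest, hashMap, result);
            } else {
                AccessController.doPrivileged(new PrivilegedAction<Object>() {
                    @Override
                    public Object run() {
                        WebProviderAuthenticatorProxy.this.processAuthenticationSuccess(webRequest, hashMap, result);
                        return null;
                    }
                });
            }
        }
        return result;
    }

    /**
     * JASPIC path for non-form mechanisms. An existing SSO token is consulted first so that
     * a session already established through JASPIC/JSR-375 can be offered back to the
     * provider; a token created by a JASPIC form login short-circuits the provider entirely.
     */
    private AuthenticationResult authenticateForOtherMechanisms(WebRequest webRequest, WebAuthenticator jaspiAuthenticator) {
        AuthenticationResult result = handleSSO(webRequest, null);
        Subject ssoSubject = result.getSubject();
        List<String> tokenUsage = (ssoSubject == null)
                ? null
                : getTokenUsageFromSSOToken(ssoSubject, this.webAppSecurityConfig.createSSOCookieHelper());
        boolean newAuthentication = ((JaspiService) jaspiAuthenticator).isProcessingNewAuthentication(webRequest.getHttpServletRequest());

        if (!isJaspicForm(tokenUsage)) {
            if (!newAuthentication && isJaspicSessionOrJsr375Form(tokenUsage)) {
                // Hand the already-authenticated subject to the provider (presumably so it can
                // resume the registered session rather than re-authenticate — see JaspiService).
                HashMap<String, Object> props = new HashMap<String, Object>();
                props.put(REGISTER_SESSION_SUBJECT, ssoSubject);
                webRequest.setProperties(props);
            }
            result = jaspiAuthenticator.authenticate(webRequest);
        }
        if (result.getStatus() != AuthResult.CONTINUE && !newAuthentication) {
            recordJaspiAuditCredentials(webRequest, result);
        }
        return result;
    }

    /**
     * JASPIC path for FORM login. Any exception from the provider is converted into a
     * {@link AuthResult#FAILURE} result rather than propagated.
     */
    private AuthenticationResult authenticateForFormMechanism(WebRequest webRequest, HashMap<String, Object> hashMap, WebAuthenticator jaspiAuthenticator) {
        try {
            AuthenticationResult result = jaspiAuthenticator.authenticate(webRequest.getHttpServletRequest(), webRequest.getHttpServletResponse(), hashMap);
            if (result.getStatus() != AuthResult.CONTINUE) {
                recordJaspiAuditCredentials(webRequest, result);
            }
            return result;
        } catch (Exception e) {
            // NOTE(review): hashMap is written into the FFDC incident record; confirm it never
            // carries the submitted form credentials.
            FFDCFilter.processException(e, FFDC_SOURCE, "173", this, new Object[]{webRequest, hashMap, jaspiAuthenticator});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Internal error handling JASPI request", new Object[]{e});
            }
            // NOTE(review): the exception text becomes the failure reason; confirm the reason
            // is not reflected to the client.
            return new AuthenticationResult(AuthResult.FAILURE, e.getMessage());
        }
    }

    /**
     * Sets the audit credential type, and the user name when the request carried a
     * well-formed HTTP Basic credential. A missing or malformed header leaves the audit
     * value unset instead of failing the request.
     */
    private void recordJaspiAuditCredentials(WebRequest webRequest, AuthenticationResult result) {
        String header = webRequest.getHttpServletRequest().getHeader(BasicAuthAuthenticator.BASIC_AUTH_HEADER_NAME);
        String user = basicAuthUserForAudit(header);
        if (user != null) {
            result.setAuditCredValue(user);
        }
        result.setAuditCredType("JASPIC");
    }

    /**
     * Extracts the user-id from an HTTP Basic {@code Authorization} header for auditing.
     *
     * @return the text before the first ':' of the decoded credential, or {@code null} when
     *         the header is absent, is not a Basic credential, cannot be base64-decoded, or
     *         carries no ':' separator
     */
    @Sensitive
    private String basicAuthUserForAudit(@Sensitive String header) {
        // NOTE(review): the scheme comparison is case-sensitive; RFC 7617 treats "basic" and
        // "Basic" alike, so such headers are simply not audited here.
        if (header == null || !header.startsWith(BASIC_PREFIX)) {
            return null;
        }
        String decoded = decodeCookieString(header.substring(BASIC_PREFIX.length()));
        if (decoded == null) {
            return null;
        }
        int separator = decoded.indexOf(':');
        // A credential without "user:password" shape is malformed (RFC 7617); previously
        // substring(0, -1) threw StringIndexOutOfBoundsException from a client-controlled header.
        return (separator < 0) ? null : decoded.substring(0, separator);
    }

    /**
     * Post-success SSO bookkeeping for a JASPIC authentication.
     *
     * <ul>
     *   <li>{@code javax.servlet.http.registerSession} set to "true" → add SSO cookies.</li>
     *   <li>Subject not produced via JASPIC/JSR-375 → remove the LTPA cookie (non-form only).</li>
     *   <li>JASPIC subject from a FORM login → add SSO cookies.</li>
     *   <li>JASPIC form/JSR-375 subject that is not a registered "jaspic" session → expire cookies.</li>
     * </ul>
     */
    public void processAuthenticationSuccess(WebRequest webRequest, HashMap<String, Object> hashMap, AuthenticationResult authenticationResult) {
        Subject subject = authenticationResult.getSubject();
        attemptToRestorePostParams(webRequest);
        SSOCookieHelper cookieHelper = this.webAppSecurityConfig.createSSOCookieHelper();

        if (registerSessionRequested(webRequest)) {
            registerSession(webRequest, subject, cookieHelper);
            return;
        }
        List<String> tokenUsage = getTokenUsageFromSSOToken(subject, cookieHelper);
        if (!isJaspicAttribute(tokenUsage)) {
            attemptToRemoveLtpaToken(webRequest, hashMap);
        } else if (isFormLogin(hashMap)) {
            registerSession(webRequest, subject, cookieHelper);
        } else if (!isJaspicSession(tokenUsage)) {
            cookieHelper.createLogoutCookies(webRequest.getHttpServletRequest(), webRequest.getHttpServletResponse());
        }
    }

    /**
     * Reads the {@code javax.servlet.http.registerSession} request property. JASPIC carries it
     * as the String "true"; a Boolean is tolerated too (the previous unchecked String cast
     * threw ClassCastException for it).
     */
    private boolean registerSessionRequested(WebRequest webRequest) {
        Map<String, Object> properties = webRequest.getProperties();
        if (properties == null) {
            return false;
        }
        Object flag = properties.get(REGISTER_SESSION);
        return flag != null && Boolean.parseBoolean(flag.toString());
    }

    /** Adds the SSO (LTPA) cookies for {@code subject} to the response, with privileges if needed. */
    private void registerSession(final WebRequest webRequest, final Subject subject, final SSOCookieHelper sSOCookieHelper) {
        if (System.getSecurityManager() == null) {
            sSOCookieHelper.addSSOCookiesToResponse(subject, webRequest.getHttpServletRequest(), webRequest.getHttpServletResponse());
            return;
        }
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                sSOCookieHelper.addSSOCookiesToResponse(subject, webRequest.getHttpServletRequest(), webRequest.getHttpServletResponse());
                return null;
            }
        });
    }

    /** Restores POST parameters saved before a login redirect, unless the response is already committed. */
    private HttpServletResponse attemptToRestorePostParams(WebRequest webRequest) {
        HttpServletResponse response = webRequest.getHttpServletResponse();
        if (!response.isCommitted()) {
            new PostParameterHelper(this.webAppSecurityConfig).restore(webRequest.getHttpServletRequest(), response);
        }
        return response;
    }

    /** Removes the LTPA cookie from the response for non-form logins when the response is still open. */
    private void attemptToRemoveLtpaToken(WebRequest webRequest, HashMap<String, Object> hashMap) {
        if (isFormLogin(hashMap)) {
            return;
        }
        HttpServletResponse response = webRequest.getHttpServletResponse();
        if (response.isCommitted()) {
            return;
        }
        this.webAppSecurityConfig.createSSOCookieHelper().removeSSOCookieFromResponse(response);
    }

    /**
     * Servlet-level entry point used for FORM login; wraps the request/response in a
     * {@link WebRequestImpl} without security metadata and runs {@link #handleJaspi}.
     */
    @Override // com.ibm.ws.webcontainer.security.WebAuthenticator
    public AuthenticationResult authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HashMap<String, Object> hashMap) throws Exception {
        return handleJaspi(new WebRequestImpl(httpServletRequest, httpServletResponse, null, null, null, null, null), hashMap);
    }

    /**
     * Runs the TAI pass.
     *
     * @param z {@code true} for the before-SSO pass, {@code false} for the after-SSO pass
     * @return CONTINUE when no TAI is configured, otherwise the TAI authenticator's result
     */
    protected AuthenticationResult handleTAI(WebRequest webRequest, boolean z) {
        TAIAuthenticator taiAuthenticator = getTaiAuthenticator();
        if (taiAuthenticator == null) {
            String phase = z ? "before" : "after";
            return new AuthenticationResult(AuthResult.CONTINUE, "TAI invoke " + phase + " SSO is not available, skipping TAI...");
        }
        AuthenticationResult result = taiAuthenticator.authenticate(webRequest, z);
        if (result.getStatus() != AuthResult.CONTINUE) {
            result.setAuditCredType("TrustAssociationInterceptor");
        }
        return result;
    }

    /**
     * Runs the SSO (LTPA cookie) pass.
     *
     * @param str SSO cookie name override, or {@code null} for the configured default
     * @return the SSO result only when it is SUCCESS; anything else (including a null
     *         result) is mapped to CONTINUE
     */
    protected AuthenticationResult handleSSO(WebRequest webRequest, String str) {
        AuthenticationResult result = getSSOAuthenticator(webRequest, str).authenticate(webRequest);
        boolean succeeded = result != null && result.getStatus() == AuthResult.SUCCESS;
        return succeeded ? result : new AuthenticationResult(AuthResult.CONTINUE, "SSO did not succeed, so continue ...");
    }

    /** @return {@code true} only if request attribute {@code str} is a non-null Boolean TRUE. */
    protected boolean isNotNullAndTrue(HttpServletRequest httpServletRequest, String str) {
        Boolean value = (Boolean) httpServletRequest.getAttribute(str);
        return value != null && value.booleanValue();
    }

    /**
     * @return a TAI authenticator when either the TAI service or at least one individually
     *         registered interceptor is available, otherwise {@code null}
     */
    protected TAIAuthenticator getTaiAuthenticator() {
        TAIService taiService = this.taiServiceRef.getService();
        Iterator<TrustAssociationInterceptor> interceptors = this.interceptorServiceRef.getServices();
        boolean anyInterceptor = interceptors != null && interceptors.hasNext();
        if (taiService == null && !anyInterceptor) {
            return null;
        }
        return new TAIAuthenticator(taiService, this.interceptorServiceRef,
                this.securityServiceRef.getService().getAuthenticationService(),
                this.webAppSecurityConfig.createSSOCookieHelper());
    }

    /**
     * Builds an SSO authenticator for this request.
     *
     * @param str SSO cookie name override; when non-null a dedicated cookie helper is used
     */
    public WebAuthenticator getSSOAuthenticator(WebRequest webRequest, String str) {
        SSOCookieHelper cookieHelper = (str != null)
                ? new SSOCookieHelperImpl(this.webAppSecurityConfig, str)
                : this.webAppSecurityConfig.createSSOCookieHelper();
        return new SSOAuthenticator(this.securityServiceRef.getService().getAuthenticationService(),
                webRequest.getSecurityMetadata(), this.webAppSecurityConfig, cookieHelper);
    }

    public ConcurrentServiceReferenceMap<String, WebAuthenticator> getWebAuthenticatorRefs() {
        return this.webAuthenticatorRef;
    }

    /**
     * Base64-decodes {@code str} (despite the name, it is used on the Basic credential, not a
     * cookie). Decoding failures are recorded via FFDC and yield {@code null}; callers must
     * handle that.
     */
    @Sensitive
    private String decodeCookieString(@Sensitive String str) {
        try {
            return Base64Coder.base64Decode(str);
        } catch (Exception e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "345", this, new Object[]{"<sensitive java.lang.String>"});
            return null;
        }
    }

    /**
     * @return the values of the SSO token's auth-provider attribute, or {@code null} when the
     *         subject has no default SSO token or the token lacks the attribute
     */
    private List<String> getTokenUsageFromSSOToken(Subject subject, SSOCookieHelper sSOCookieHelper) {
        SingleSignonToken token = sSOCookieHelper.getDefaultSSOTokenFromSubject(subject);
        if (token == null) {
            return null;
        }
        String[] providers = token.getAttributes(AUTH_PROVIDER_ATTR);
        return (providers == null) ? null : Arrays.asList(providers);
    }

    private boolean isJaspicSessionOrJsr375Form(List<String> list) {
        return isJaspicSession(list) || (list != null && list.contains("jsr375Form"));
    }

    private boolean isJaspicSession(List<String> list) {
        return list != null && list.contains("jaspic");
    }

    private boolean isJaspicForm(List<String> list) {
        return list != null && list.contains("jaspicForm");
    }

    /** @return {@code true} if the token was produced by any JASPIC/JSR-375 flavour. */
    private boolean isJaspicAttribute(List<String> list) {
        return isJaspicSessionOrJsr375Form(list) || isJaspicForm(list);
    }

    private boolean isFormLogin(Map<String, Object> map) {
        return map != null && "FORM_LOGIN".equals(map.get("authType"));
    }
}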
