package com.ibm.ws.webcontainer.security.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.InvalidTokenException;
import com.ibm.websphere.security.auth.TokenExpiredException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.ws.common.internal.encoder.Base64Coder;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.jaas.common.callback.AuthenticationHelper;
import com.ibm.ws.security.jwtsso.token.proxy.JwtSSOTokenHelper;
import com.ibm.ws.security.token.TokenManager;
import com.ibm.ws.webcontainer.security.TraceConstants;
import com.ibm.ws.webcontainer.security.WebAppSecurityConfig;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.security.ltpa.Token;
import com.ibm.wsspi.security.token.SingleSignonToken;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.servlet.http.Cookie;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;

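/**
 * Static helpers that turn the single sign-on token held in a {@link Subject} into a servlet
 * {@link Cookie}.
 *
 * <p>The cookie name comes from {@link WebAppSecurityConfig#getSSOCookieName()} and the value is
 * the Base64 encoding of the token bytes. Because the value is the encoded SSO token itself, the
 * returned cookie should be handled as a credential: keep it out of logs and set the transport
 * attributes (Secure, HttpOnly, path, domain) before it is written to a response, since this
 * class sets none of them.
 *
 * <p>NOTE(review): {@code webAppSecConfig} is a plain static field that is written by
 * {@link #setWebAppSecurityConfig} and read by the cookie helpers without synchronization;
 * confirm the component lifecycle guarantees it is set before request threads call in.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:com/ibm/ws/webcontainer/security/internal/WebSecurityHelperImpl.class */
public class WebSecurityHelperImpl {
    private static final TraceComponent tc = Tr.register(WebSecurityHelperImpl.class, TraceConstants.TRACE_GROUP, TraceConstants.MESSAGE_BUNDLE);
    // Shared configuration; null until setWebAppSecurityConfig is called.
    private static WebAppSecurityConfig webAppSecConfig = null;
    private static final AtomicServiceReference<TokenManager> tokenManagerRef = new AtomicServiceReference<>("tokenManager");
    static final long serialVersionUID = 533242549032213653L;

    /**
     * Stores the web application security configuration used by the cookie helpers.
     *
     * @param webAppSecurityConfig the configuration to use; {@code null} makes
     *        {@link #getSSOCookieFromSSOToken} return {@code null}
     */
    public static void setWebAppSecurityConfig(WebAppSecurityConfig webAppSecurityConfig) {
        webAppSecConfig = webAppSecurityConfig;
    }

    /**
     * Builds the SSO cookie for the subject on the current thread.
     *
     * <p>The run-as subject is preferred; the caller subject is used only when no run-as subject
     * is present. Any exception is recorded through FFDC, traced at debug level and rethrown.
     *
     * @param strArr passed through to {@link #getLTPACookie}; presumably the names of token
     *        attributes to leave out of the regenerated token (confirm against
     *        {@code TokenManager.recreateTokenFromBytes}). An explicit {@code null} array selects
     *        the original token unchanged; an empty argument list still goes through token
     *        recreation.
     * @return the cookie, or {@code null} when no configuration is set, no subject is on the
     *         thread, the subject holds no SSO token, or the token is expired or invalid
     * @throws Exception if the subject holds more than one SSO token or a lookup fails
     */
    public static Cookie getSSOCookieFromSSOToken(String... strArr) throws Exception {
        if (webAppSecConfig == null) {
            return null;
        }
        try {
            Subject subject = WSSubject.getRunAsSubject();
            if (subject == null) {
                subject = WSSubject.getCallerSubject();
            }
            if (subject == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "No subjects on the thread");
                }
                return null;
            }
            return getLTPACookie(subject, strArr);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.internal.WebSecurityHelperImpl", "76", (Object) null, new Object[]{strArr});
            if (tc.isDebugEnabled()) {
                // The trace names this method so that the entry can be matched to the code.
                Tr.debug(tc, "getSSOCookieFromSSOToken caught exception: " + e.getMessage());
            }
            throw e;
        }
    }

    /**
     * Returns the configuration last passed to {@link #setWebAppSecurityConfig}.
     *
     * @return the stored configuration, or {@code null} if none has been set
     */
    public static WebAppSecurityConfig getWebAppSecurityConfig() {
        return webAppSecConfig;
    }

    /**
     * Returns the JWT SSO cookie name as reported by {@link JwtSSOTokenHelper}.
     *
     * @return the value of {@code JwtSSOTokenHelper.getJwtCookieName()}
     */
    public static String getJwtCookieName() {
        return JwtSSOTokenHelper.getJwtCookieName();
    }

    /** Builds the cookie from the token's own bytes, with no token recreation. */
    private static Cookie constructLTPACookieObj(SingleSignonToken singleSignonToken) {
        return createCookie(singleSignonToken.getBytes());
    }

    /**
     * Builds the cookie from a token recreated through the {@link TokenManager}.
     *
     * @return the cookie, or {@code null} when the token is reported as expired or invalid
     */
    private static Cookie constructLTPACookieObj(SingleSignonToken singleSignonToken, String... strArr) {
        byte[] tokenBytes = singleSignonToken.getBytes();
        try {
            Token rebuilt = recreateTokenFromBytes(tokenBytes, strArr);
            if (rebuilt != null) {
                tokenBytes = rebuilt.getBytes();
            }
            // NOTE(review): when no TokenManager is bound, recreateTokenFromBytes returns null and
            // the cookie is built from the ORIGINAL token bytes. If strArr is meant to strip
            // attributes, the caller then gets an unfiltered token without any signal; confirm
            // whether this fallback is intended or whether the method should return null instead.
            return createCookie(tokenBytes);
        } catch (TokenExpiredException e) {
            // NOTE(review): the token object is handed to FFDC here and below; confirm that FFDC
            // introspection does not write token bytes into the incident file.
            FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.internal.WebSecurityHelperImpl", "157", (Object) null, new Object[]{singleSignonToken, strArr});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Token is expired: " + e.getMessage());
            }
            return null;
        } catch (InvalidTokenException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.webcontainer.security.internal.WebSecurityHelperImpl", "152", (Object) null, new Object[]{singleSignonToken, strArr});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Token is not valid: " + e2.getMessage());
            }
            return null;
        }
    }

    /**
     * Asks the bound {@link TokenManager} to recreate a token from a copy of the given bytes.
     *
     * @param bArr the token bytes; a copy made by {@code AuthenticationHelper.copyCredToken} is
     *        what is passed on
     * @param strArr forwarded to the token manager; {@code null} is replaced by an empty array
     * @return the recreated token, or {@code null} when no token manager service is available
     */
    private static Token recreateTokenFromBytes(byte[] bArr, String... strArr) throws InvalidTokenException, TokenExpiredException {
        TokenManager tokenManager = tokenManagerRef.getService();
        if (tokenManager == null) {
            return null;
        }
        byte[] tokenCopy = AuthenticationHelper.copyCredToken(bArr);
        String[] attributes = strArr != null ? strArr : new String[0];
        return tokenManager.recreateTokenFromBytes(tokenCopy, attributes);
    }

    /**
     * Wraps Base64-encoded token bytes in a cookie named after the configured SSO cookie name.
     *
     * <p>Only the name and value are set. Secure, HttpOnly, path, domain and max-age keep the
     * servlet API defaults, so a caller that adds this cookie to a response has to apply the
     * deployment's cookie policy itself. Throws {@link NullPointerException} if no configuration
     * has been set; only {@link #getSSOCookieFromSSOToken} checks for that beforehand.
     */
    private static Cookie createCookie(byte[] bArr) {
        return new Cookie(webAppSecConfig.getSSOCookieName(), Base64Coder.base64EncodeToString(bArr));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds the SSO cookie from the single {@link SingleSignonToken} in the subject's private
     * credentials.
     *
     * @param subject the subject to read; must not be {@code null}
     * @param strArr {@code null} to use the token as stored, otherwise forwarded to token
     *        recreation (see {@link #getSSOCookieFromSSOToken})
     * @return the cookie, or {@code null} when the subject has no SSO token or the recreated
     *         token is expired or invalid
     * @throws WSSecurityException if the subject holds more than one SSO token
     * @throws Exception declared for callers; other failures propagate unchanged
     */
    public static Cookie getLTPACookie(Subject subject, String... strArr) throws Exception {
        Iterator<SingleSignonToken> tokens = subject.getPrivateCredentials(SingleSignonToken.class).iterator();
        if (!tokens.hasNext()) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "No ssotoken found for this subject");
            }
            return null;
        }
        SingleSignonToken ssoToken = tokens.next();
        if (tokens.hasNext()) {
            // Refuse to pick one of several tokens rather than guess which identity applies.
            throw new WSSecurityException("More than one ssotoken found in subject");
        }
        return strArr == null ? constructLTPACookieObj(ssoToken) : constructLTPACookieObj(ssoToken, strArr);
    }

    /** Binds the {@link TokenManager} service reference. */
    protected void setTokenManager(ServiceReference<TokenManager> serviceReference) {
        tokenManagerRef.setReference(serviceReference);
    }

    /** Unbinds the {@link TokenManager} service reference. */
    protected void unsetTokenManager(ServiceReference<TokenManager> serviceReference) {
        tokenManagerRef.unsetReference(serviceReference);
    }

    /** Activates the token manager reference with the component context; {@code map} is unused. */
    protected void activate(ComponentContext componentContext, Map<String, Object> map) {
        tokenManagerRef.activate(componentContext);
    }

    /** Deactivates the token manager reference. */
    protected void deactivate(ComponentContext componentContext) {
        tokenManagerRef.deactivate(componentContext);
    }
}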
