package com.ibm.ws.security.common.token.propagation;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.AuthenticationService;
import com.ibm.ws.security.common.TraceConstants;
import com.ibm.ws.security.common.jwk.utils.JsonUtils;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferencePolicy;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(configurationPid = {"com.ibm.ws.security.common.token.propagation.tokenpropagationhelper"}, configurationPolicy = ConfigurationPolicy.OPTIONAL, name = "TokenPropagationHelper", service = {TokenPropagationHelper.class}, immediate = true, property = {"service.vendor=IBM"})
/* loaded from: input_file:com/ibm/ws/security/common/token/propagation/TokenPropagationHelper.class */
/**
 * Helper for token propagation on the current thread's run-as {@link Subject}.
 *
 * <p>Two groups of operations live here:
 * <ul>
 *   <li>Readers ({@link #getAccessToken()}, {@link #getJwtToken()}, {@link #getScopes()}, ...) that look up a
 *       named attribute in the {@code Map}-typed credentials of the current run-as subject.</li>
 *   <li>Writers ({@link #pushSubject(String)}, {@link #setRunAsSubject(Subject)}) that authenticate a user id and
 *       install the resulting subject as the thread's run-as subject.</li>
 * </ul>
 *
 * <p>This listing is decompiled: the {@code $$$tc$$$} and {@code serialVersionUID} members on the anonymous
 * {@code PrivilegedExceptionAction} classes, and the numeric FFDC probe ids ("125", "144", ...), look like
 * build-time instrumentation output rather than hand-written source — treat them as artifacts, not as API.
 *
 * <p>All entry points are static; the only shared state is the DS-injected {@link #securityService}.
 */
public class TokenPropagationHelper {
    // Bound/unbound dynamically by DS (see setSecurityService/unsetSecurityService); may be null at any time,
    // which pushSubject checks before use.
    private static volatile SecurityService securityService;
    public static final TraceComponent tc = Tr.register(TokenPropagationHelper.class, TraceConstants.TRACE_GROUP, TraceConstants.MESSAGE_BUNDLE);
    // DS reference name for the SecurityService dependency.
    private static final String KEY_SECURITY_SERVICE = "securityService";
    // Credential attribute keys. JWT_TOKEN is not read anywhere in this class; ISSUED_JWT_TOKEN is used by
    // getIssuedJwtToken().
    public static final String JWT_TOKEN = "jwt";
    public static final String ISSUED_JWT_TOKEN = "issuedJwt";
    // NOTE(review): the class does not declare Serializable in this listing, so this field has no effect
    // on serialization — presumably an instrumentation artifact.
    static final long serialVersionUID = 4762419818274598655L;

    /** DS lifecycle hook; intentionally empty — no configuration is consumed. */
    @Activate
    protected void activate(ComponentContext componentContext, Map<String, Object> map) {
    }

    /** DS lifecycle hook; intentionally empty. */
    @Deactivate
    protected void deactivate(ComponentContext componentContext, Map<String, Object> map) {
    }

    /** DS lifecycle hook; intentionally empty — configuration changes are ignored. */
    @Modified
    protected void modified(ComponentContext componentContext, Map<String, Object> map) {
    }

    /** DS bind method for the dynamic {@link SecurityService} reference. */
    @Reference(name = KEY_SECURITY_SERVICE, policy = ReferencePolicy.DYNAMIC)
    protected void setSecurityService(SecurityService securityService2) {
        securityService = securityService2;
    }

    /** DS unbind method; clears the reference so {@link #pushSubject(String)} refuses to run until rebound. */
    protected void unsetSecurityService(SecurityService securityService2) {
        securityService = null;
    }

    /**
     * Returns the {@code token_type} attribute of the current run-as subject's credentials.
     *
     * @return the value as a string, or {@code null} when there is no run-as subject or no such attribute
     * @throws Exception if the subject or its credentials cannot be read (wrapped privileged-action failure)
     */
    public static String getAccessTokenType() throws Exception {
        return getSubjectAttributeString("token_type", true);
    }

    /**
     * Returns the {@code access_token} attribute of the current run-as subject's credentials.
     *
     * @return the access token string, or {@code null} when absent
     * @throws Exception if the subject or its credentials cannot be read
     */
    public static String getAccessToken() throws Exception {
        return getSubjectAttributeString("access_token", true);
    }

    /**
     * Returns a JWT for the current run-as subject.
     *
     * <p>Prefers the {@code issuedJwt} attribute; when that is absent, falls back to the access token but only
     * if {@link #isJwt(String)} accepts it, otherwise {@code null}.
     *
     * @return the JWT string, or {@code null} when neither source yields one
     * @throws Exception if the subject or its credentials cannot be read
     */
    public static String getJwtToken() throws Exception {
        String issuedJwtToken = getIssuedJwtToken();
        if (issuedJwtToken == null) {
            issuedJwtToken = getAccessToken();
            if (!isJwt(issuedJwtToken)) {
                issuedJwtToken = null;
            }
        }
        return issuedJwtToken;
    }

    /**
     * Heuristic test for "looks like a JWT": non-null and contains {@code JsonUtils.DELIMITER}.
     *
     * <p>This is a presence check for the delimiter only — it does not validate the segment count, encoding
     * or signature. Callers must not treat a {@code true} result as proof that the value is a verified token.
     */
    private static boolean isJwt(String str) {
        return str != null && str.indexOf(JsonUtils.DELIMITER) >= 0;
    }

    /**
     * Returns the {@code issuedJwt} attribute of the current run-as subject's credentials.
     *
     * @return the issued JWT string, or {@code null} when absent
     * @throws Exception if the subject or its credentials cannot be read
     */
    public static String getIssuedJwtToken() throws Exception {
        return getSubjectAttributeString(ISSUED_JWT_TOKEN, true);
    }

    /**
     * Returns the {@code scope} attribute of the current run-as subject's credentials.
     *
     * @return the scope string, or {@code null} when absent
     * @throws Exception if the subject or its credentials cannot be read
     */
    public static String getScopes() throws Exception {
        return getSubjectAttributeString("scope", true);
    }

    /**
     * Non-throwing variant of {@link #getRunAsSubjectInternal()}.
     *
     * @return the current run-as subject, or {@code null} if none is set or retrieval failed (the failure is
     *         recorded via FFDC and, when debug trace is on, logged)
     */
    public static Subject getRunAsSubject() {
        try {
            return getRunAsSubjectInternal();
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.common.token.propagation.TokenPropagationHelper", "125", (Object) null, new Object[0]);
            if (!TraceComponent.isAnyTracingEnabled() || !tc.isDebugEnabled()) {
                return null;
            }
            Tr.debug(tc, "Received Exception retrieving subject: " + e, new Object[0]);
            return null;
        }
    }

    /**
     * Reads the thread's run-as subject via {@link WSSubject#getRunAsSubject()} inside a privileged block.
     *
     * @return the run-as subject (may be {@code null} if WSSubject has none)
     * @throws Exception wrapping the cause of any {@link PrivilegedActionException}; the original exception
     *                   type is only available through {@link Exception#getCause()}
     */
    static Subject getRunAsSubjectInternal() throws Exception {
        try {
            return (Subject) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: com.ibm.ws.security.common.token.propagation.TokenPropagationHelper.1
                static final long serialVersionUID = 5468788588715823967L;
                private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register("com.ibm.ws.security.common.token.propagation.TokenPropagationHelper$1", AnonymousClass1.class, (String) null, (String) null);

                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws Exception {
                    return WSSubject.getRunAsSubject();
                }
            });
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.common.token.propagation.TokenPropagationHelper", "144", (Object) null, new Object[0]);
            throw new Exception(e.getCause());
        }
    }

    /**
     * Returns the name of the first principal of the current run-as subject.
     *
     * <p>{@code Subject.getPrincipals()} is a {@code Set}, so when a subject carries more than one principal
     * the one returned depends on iteration order — callers that need a specific principal type should not
     * rely on this method.
     *
     * @return the principal name, or {@code null} when there is no run-as subject or it has no principals
     * @throws Exception if the subject cannot be read
     */
    public static String getUserName() throws Exception {
        Subject runAsSubjectInternal = getRunAsSubjectInternal();
        if (runAsSubjectInternal == null) {
            return null;
        }
        Iterator<Principal> it = runAsSubjectInternal.getPrincipals().iterator();
        if (it.hasNext()) {
            return it.next().getName();
        }
        return null;
    }

    /**
     * Looks up attribute {@code str} in the current run-as subject's credentials.
     *
     * @param str attribute key to look up in each {@code Map}-typed credential
     * @param z   when {@code true}, only credential maps that also contain {@code access_token} are consulted
     * @return the attribute value as a string, or {@code null} when there is no run-as subject or no match
     * @throws Exception if the subject or its credentials cannot be read
     */
    static String getSubjectAttributeString(String str, boolean z) throws Exception {
        Subject runAsSubjectInternal = getRunAsSubjectInternal();
        if (runAsSubjectInternal != null) {
            return getSubjectAttributeObject(runAsSubjectInternal, str, z);
        }
        return null;
    }

    /**
     * Searches the subject's public credentials first and, when that yields {@code null} or an empty string,
     * its private credentials.
     *
     * @param subject subject whose credentials are searched (must not be {@code null}; not checked here)
     * @param str     attribute key
     * @param z       see {@link #getSubjectAttributeString(String, boolean)}
     * @return the attribute value, or {@code null} if found in neither credential set
     * @throws Exception wrapping the cause of a {@link PrivilegedActionException}; the wrapped exception is
     *                   excluded from automatic FFDC here (see {@code @FFDCIgnore})
     */
    @FFDCIgnore({PrivilegedActionException.class})
    static String getSubjectAttributeObject(Subject subject, String str, boolean z) throws Exception {
        try {
            String credentialAttribute = getCredentialAttribute(subject.getPublicCredentials(), str, z, "publicCredentials");
            if (credentialAttribute == null || credentialAttribute.isEmpty()) {
                credentialAttribute = getCredentialAttribute(subject.getPrivateCredentials(), str, z, "privateCredentials");
            }
            return credentialAttribute;
        } catch (PrivilegedActionException e) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Did not find a value for the attribute (" + str + ")", new Object[0]);
            }
            throw new Exception(e.getCause());
        }
    }

    /**
     * Scans a credential set for the first {@code Map} entry that holds a non-null value for {@code str}.
     *
     * <p>Run inside a privileged block because private credentials may be guarded by a security manager.
     * Each element's class name (not its contents) is written to debug trace when enabled; a {@code null}
     * element would throw {@code NullPointerException} on that trace line.
     *
     * @param set  the subject's public or private credential set
     * @param str  attribute key
     * @param z    when {@code true}, a map is only consulted if it also contains a non-null {@code access_token}
     * @param str2 label used in the trace output ("publicCredentials"/"privateCredentials")
     * @return {@code toString()} of the first matching value, or {@code null} when none matches
     * @throws PrivilegedActionException if the privileged scan throws
     */
    static String getCredentialAttribute(final Set<Object> set, final String str, final boolean z, final String str2) throws PrivilegedActionException {
        Object doPrivileged = AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: com.ibm.ws.security.common.token.propagation.TokenPropagationHelper.2
            static final long serialVersionUID = 4609726558464948832L;
            private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register("com.ibm.ws.security.common.token.propagation.TokenPropagationHelper$2", AnonymousClass2.class, (String) null, (String) null);

            @Override // java.security.PrivilegedExceptionAction
            public Object run() throws Exception {
                int i = 0;
                for (Object obj : set) {
                    i++;
                    if (TraceComponent.isAnyTracingEnabled() && TokenPropagationHelper.tc.isDebugEnabled()) {
                        Tr.debug(TokenPropagationHelper.tc, str2 + "(" + i + ") class:" + obj.getClass().getName(), new Object[0]);
                    }
                    // Only Map-typed credentials are inspected; with z == true the map must look like an
                    // OAuth credential (carry an access_token) before any other key is read from it.
                    if ((obj instanceof Map) && (!z || ((Map) obj).get("access_token") != null)) {
                        Object obj2 = ((Map) obj).get(str);
                        if (obj2 != null) {
                            return obj2;
                        }
                    }
                }
                return null;
            }
        });
        if (doPrivileged != null) {
            return doPrivileged.toString();
        }
        return null;
    }

    /**
     * Authenticates {@code str} as a user id and installs the resulting subject as the thread's run-as subject.
     *
     * <p>Only a user id is presented — no password or token. The hashtable login is marked as an internal
     * assertion unless the authentication service allows id-only hashtable logins, and authentication runs
     * against the {@code system.WEB_INBOUND} JAAS configuration. Because this is identity assertion, the
     * caller is responsible for having already established that the id is trustworthy (e.g. from a token it
     * validated) before calling.
     *
     * <p>The debug trace on the early-return path includes the user id.
     *
     * @param str user id to assert; {@code null} yields {@code false}
     * @return {@code true} if authentication succeeded and the run-as subject was set; {@code false} when the
     *         security service is unbound, {@code str} is {@code null}, authentication fails
     *         ({@code ERROR_AUTHENTICATE} is logged), or setting the subject fails
     */
    public static synchronized boolean pushSubject(String str) {
        if (securityService == null || str == null) {
            if (!tc.isDebugEnabled()) {
                return false;
            }
            Tr.debug(tc, "returning false because user or securityService is null, user= " + str + " secsvc= " + securityService, new Object[0]);
            return false;
        }
        AuthenticationService authenticationService = securityService.getAuthenticationService();
        Subject subject = new Subject();
        Hashtable hashtable = new Hashtable();
        // NOTE(review): isAllowHashTableLoginWithIdOnly() returns a boxed Boolean; a null return would NPE here.
        if (!authenticationService.isAllowHashTableLoginWithIdOnly().booleanValue()) {
            hashtable.put("com.ibm.ws.authentication.internal.assertion", Boolean.TRUE);
        }
        hashtable.put("com.ibm.wsspi.security.cred.userId", str);
        subject.getPublicCredentials().add(hashtable);
        try {
            return setRunAsSubject(authenticationService.authenticate("system.WEB_INBOUND", subject));
        } catch (AuthenticationException e) {
            // Recorded twice: once with the numeric probe id, once with the method name (instrumentation artifact).
            FFDCFilter.processException(e, "com.ibm.ws.security.common.token.propagation.TokenPropagationHelper", "274", (Object) null, new Object[]{str});
            FFDCFilter.processException(e, TokenPropagationHelper.class.getName(), "pushSubject", new Object[]{str});
            Tr.error(tc, "ERROR_AUTHENTICATE", new Object[]{e.getMessage()});
            return false;
        } catch (Exception e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.common.token.propagation.TokenPropagationHelper", "280", (Object) null, new Object[]{str});
            FFDCFilter.processException(e2, TokenPropagationHelper.class.getName(), "pushSubject", new Object[]{str});
            return false;
        }
    }

    /**
     * Installs {@code subject} as the thread's run-as subject via {@link WSSubject#setRunAsSubject(Subject)}
     * inside a privileged block.
     *
     * <p>The previous run-as subject is read only so it can be written to debug trace. Both the old and the
     * new {@code Subject} objects are passed to the trace as arguments; depending on how they are rendered,
     * that trace may include credential contents, so enable it with care.
     *
     * @param subject the subject to install (passed straight through; may be whatever authenticate returned)
     * @return {@code true} on success, {@code false} if the privileged action threw (recorded via FFDC)
     */
    public static synchronized boolean setRunAsSubject(final Subject subject) {
        try {
            Subject runAsSubject = getRunAsSubject();
            AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: com.ibm.ws.security.common.token.propagation.TokenPropagationHelper.3
                static final long serialVersionUID = -9185960601214760639L;
                private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register("com.ibm.ws.security.common.token.propagation.TokenPropagationHelper$3", AnonymousClass3.class, (String) null, (String) null);

                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws Exception {
                    WSSubject.setRunAsSubject(subject);
                    return null;
                }
            });
            if (!tc.isDebugEnabled()) {
                return true;
            }
            Tr.debug(tc, "setRunAsSubject, runAsSubject before = ", new Object[]{runAsSubject});
            Tr.debug(tc, "setRunAsSubject, runAsSubject after = ", new Object[]{subject});
            return true;
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.common.token.propagation.TokenPropagationHelper", "309", (Object) null, new Object[]{subject});
            FFDCFilter.processException(e, TokenPropagationHelper.class.getName(), "setRunAsSubject", new Object[0]);
            return false;
        }
    }
}
