package com.ibm.ws.transport.iiop.security.config.css;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.security.context.SubjectManager;
import com.ibm.ws.security.csiv2.SecurityMinorCodes;
import com.ibm.ws.security.csiv2.TraceConstants;
import com.ibm.ws.transport.iiop.security.config.ConfigUtil;
import com.ibm.ws.transport.iiop.security.config.tss.TSSSASMechConfig;
import com.ibm.wsspi.kernel.service.utils.SerializableProtectedString;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import org.omg.CORBA.CompletionStatus;
import org.omg.CORBA.NO_PERMISSION;
import org.omg.CSI.AuthorizationElement;
import org.omg.CSI.IdentityToken;
import org.omg.IOP.Codec;

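/**
 * Client security service (CSS) configuration for the CSIv2 SAS attribute layer.
 *
 * <p>It records the association options this client supports and requires, the
 * identity-assertion token types it is able to emit (kept in {@link #idTokens},
 * keyed by the CSI identity token type bit), and the optional trusted identity /
 * password this client presents when it asserts an identity to a downstream server.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 * <li>{@link #canHandle} is the client-side policy compatibility check: everything the
 *     server <em>requires</em> must be in what this client <em>supports</em>, everything
 *     this client <em>requires</em> must be in what the server <em>supports</em>, and if
 *     both sides configure identity assertion they must share at least one token type.
 *     A mismatch is fail-closed: {@code false} plus a diagnostic in {@link #getCantHandleMsg()}.</li>
 * <li>{@link #encodeIdentityToken} never downgrades an authenticated subject to
 *     ITTAnonymous; if no mutually supported non-anonymous type exists it throws
 *     {@code NO_PERMISSION} rather than sending a weaker assertion.</li>
 * <li>{@link #toString} deliberately omits {@code trustedIdentity} and
 *     {@code trustedPassword}; the password is a credential and must not reach trace.</li>
 * </ul>
 *
 * <p>Instances are mutable and not synchronized. {@link #canHandle} writes
 * {@code cantHandleMsg}, so an instance shared by threads negotiating concurrently may
 * report another thread's failure reason.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:com/ibm/ws/transport/iiop/security/config/css/CSSSASMechConfig.class */
public class CSSSASMechConfig implements Serializable {
    private static final TraceComponent tc = Tr.register(CSSSASMechConfig.class, TraceConstants.TRACE_GROUP, TraceConstants.MESSAGE_BUNDLE);

    /** Identity-assertion type names as they appear in configuration. */
    public static final String TYPE_ITTAnonymous = "ITTAnonymous";
    public static final String TYPE_ITTPrincipalName = "ITTPrincipalName";
    public static final String TYPE_ITTX509CertChain = "ITTX509CertChain";
    public static final String TYPE_ITTDistinguishedName = "ITTDistinguishedName";

    /** CSI identity token type bits; 0 is the "absent" token, the rest are single-bit flags. */
    private static final int ITT_ABSENT = 0;
    private static final int ITT_ANONYMOUS = 1;
    private static final int ITT_PRINCIPAL_NAME = 2;
    private static final int ITT_X509_CERT_CHAIN = 4;
    private static final int ITT_DISTINGUISHED_NAME = 8;
    /** Every type that carries an actual identity (everything but absent/anonymous). */
    private static final int NON_ANONYMOUS_TYPES = ITT_PRINCIPAL_NAME | ITT_X509_CERT_CHAIN | ITT_DISTINGUISHED_NAME;
    /** Association-option bit set in {@code supports} once any real identity token type is configured. */
    private static final int IDENTITY_ASSERTION_FLAG = 1024;

    /** Mechanism name accepted case-insensitively as "no authentication layer". */
    private static final String AUTH_MECHANISM_DISABLED = "DISABLED";

    protected short supports;
    private short requires;
    private boolean required;
    private CSSSASIdentityToken identityToken;
    private String trustedIdentity;
    /** Credential for the trusted identity; never include it in toString/trace. */
    private SerializableProtectedString trustedPassword;
    /** Bitwise OR of the identity token types registered via {@link #addIdentityToken}. */
    private int supportedIdentityTypes;
    static final long serialVersionUID = -5727345326876120621L;
    /** Registered token configurations keyed by identity token type (including type 0, absent). */
    protected final Map<Integer, CSSSASIdentityToken> idTokens = new HashMap();
    /** Reason the last {@link #canHandle} call returned false, or null. */
    private String cantHandleMsg = null;
    /** Configured non-anonymous type names, in registration order; this is the assertion preference order. */
    private final List<String> configuredTypes = new ArrayList();

    /** @return association options this client supports (bit flags). */
    public short getSupports() {
        return this.supports;
    }

    /** @return association options this client requires (bit flags). */
    public short getRequires() {
        return this.requires;
    }

    /** @return whether the attribute layer is marked as required in configuration. */
    public boolean isRequired() {
        return this.required;
    }

    public void setRequired(boolean required) {
        this.required = required;
    }

    /** @return the single identity token configuration, if one was set; may be null. */
    public CSSSASIdentityToken getIdentityToken() {
        return this.identityToken;
    }

    public void setIdentityToken(CSSSASIdentityToken identityToken) {
        this.identityToken = identityToken;
    }

    /**
     * Registers an identity token configuration for its type.
     *
     * <p>Any type other than absent turns on the IdentityAssertion association option;
     * any type other than absent or anonymous is also recorded in
     * {@code configuredTypes}, which fixes the order in which
     * {@link #encodeIdentityToken} tries types for an authenticated subject.
     *
     * @param tokenConfig token configuration; its type must be one of the ITT_* values
     */
    public void addIdentityToken(CSSSASIdentityToken tokenConfig) {
        int type = tokenConfig.getType();
        // Cast kept from the original: the type is folded into the mask as a short.
        this.supportedIdentityTypes |= (short) type;
        this.idTokens.put(Integer.valueOf(type), tokenConfig);
        if (type > ITT_ABSENT) {
            this.supports = (short) (this.supports | IDENTITY_ASSERTION_FLAG);
            if (type != ITT_ANONYMOUS) {
                this.configuredTypes.add(typesToString(type));
            }
        }
    }

    /**
     * Checks whether this client policy is compatible with a server's SAS policy.
     *
     * <p>On failure the reason is recorded for {@link #getCantHandleMsg()}. The identity
     * assertion check is skipped when either side configures no identity types at all.
     *
     * @param serverConfig  the server's (TSS) SAS mechanism configuration
     * @param authMechanism name of the authentication-layer mechanism in play, or
     *                      {@code "DISABLED"}; only used to pick the diagnostic text
     * @return true when every "requires" on either side is satisfied by the other side's "supports"
     */
    public boolean canHandle(TSSSASMechConfig serverConfig, String authMechanism) {
        // Everything the server demands must be something this client offers.
        if ((this.supports & serverConfig.getRequires()) != serverConfig.getRequires()) {
            buildSupportsFailedMsg(serverConfig, authMechanism);
            return false;
        }
        // Everything this client demands must be something the server offers.
        if ((this.requires & serverConfig.getSupports()) != this.requires) {
            buildRequiresFailedMsg(serverConfig, authMechanism);
            return false;
        }
        int serverIdentityTypes = serverConfig.getSupportedIdentityTypes();
        boolean bothAssert = this.supportedIdentityTypes != 0 && serverIdentityTypes != 0;
        if (bothAssert && (this.supportedIdentityTypes & serverIdentityTypes) == 0) {
            buildIdentityAssertionFailedMsg(serverConfig, authMechanism);
            return false;
        }
        return true;
    }

    /** @return the diagnostic recorded by the last failing {@link #canHandle}, or null. */
    public String getCantHandleMsg() {
        return this.cantHandleMsg;
    }

    /** The SAS attribute layer sends no authorization elements from this client. */
    public AuthorizationElement[] encodeAuthorizationElement() {
        return new AuthorizationElement[0];
    }

    /**
     * Builds the identity token to send in the SAS context for the current invocation.
     *
     * <p>With no association options configured the ITTAbsent token is sent. Otherwise an
     * unauthenticated subject yields ITTAnonymous (only if both sides support it) and an
     * authenticated subject yields the first configured non-anonymous type the server
     * also supports; if none qualifies a {@code NO_PERMISSION} is thrown instead of
     * silently falling back to anonymous.
     *
     * @param serverConfig the server's SAS configuration (for its supported identity types)
     * @param codec        CDR codec used to encode the token
     * @return the encoded identity token
     * @throws NO_PERMISSION when no mutually acceptable token type exists
     */
    public IdentityToken encodeIdentityToken(TSSSASMechConfig serverConfig, Codec codec) {
        CSSSASIdentityToken token;
        if (this.supports == 0) {
            // NOTE(review): assumes the type-0 (absent) token was registered through
            // addIdentityToken; if not, the encode call below fails with an NPE — confirm with the config loader.
            token = this.idTokens.get(Integer.valueOf(ITT_ABSENT));
        } else {
            Subject clientSubject = getClientSubject();
            int serverIdentityTypes = serverConfig.getSupportedIdentityTypes();
            if (new SubjectHelper().isUnauthenticated(clientSubject)) {
                token = getAnonymousIdentityToken(serverIdentityTypes);
            } else {
                token = getIdentityTokenBasedOnConfiguredTypes(serverIdentityTypes);
            }
        }
        return token.encodeIdentityToken(codec);
    }

    /**
     * @return the invocation subject when one is set on the thread, otherwise the caller
     *         subject; may be null if neither is set
     */
    protected Subject getClientSubject() {
        SubjectManager subjectManager = new SubjectManager();
        Subject subject = subjectManager.getInvocationSubject();
        if (subject == null) {
            subject = subjectManager.getCallerSubject();
        }
        return subject;
    }

    /**
     * Selects the ITTAnonymous token for an unauthenticated subject.
     *
     * @param serverIdentityTypes identity types the server supports
     * @return the anonymous token configuration
     * @throws NO_PERMISSION if this client or the server does not support ITTAnonymous
     */
    private CSSSASIdentityToken getAnonymousIdentityToken(int serverIdentityTypes) {
        CSSSASIdentityToken anonymousToken = this.idTokens.get(Integer.valueOf(ITT_ANONYMOUS));
        if (anonymousToken == null) {
            debugAndThrowNoPermissionException("The client cannot create the ITTAnonymous identity assertion token because it is not supported by the configuration of this client.", "CSIv2_CLIENT_ANONYMOUS_ASSERTION_NOT_SUPPORTED_BY_CLIENT", "CWWKS9546E: The client cannot create the ITTAnonymous identity assertion token because it is not supported by the configuration of this client.");
        }
        if ((serverIdentityTypes & ITT_ANONYMOUS) == 0) {
            debugAndThrowNoPermissionException("The client cannot create the ITTAnonymous identity assertion token because it is not supported by the configuration of the remote server.", "CSIv2_CLIENT_ANONYMOUS_ASSERTION_NOT_SUPPORTED_BY_SERVER", "CWWKS9545E: The client cannot create the ITTAnonymous identity assertion token because it is not supported by the configuration of the remote server.");
        }
        return anonymousToken;
    }

    /**
     * Traces {@code debugMsg} (debug level only) and throws {@code NO_PERMISSION} with the
     * translated message for {@code msgKey}, falling back to {@code defaultMsg}.
     */
    private void debugAndThrowNoPermissionException(String debugMsg, String msgKey, String defaultMsg) throws NO_PERMISSION {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, debugMsg, new Object[0]);
        }
        throw new NO_PERMISSION(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, msgKey, new Object[0], defaultMsg), SecurityMinorCodes.SECURITY_MECHANISM_NOT_SUPPORTED, CompletionStatus.COMPLETED_NO);
    }

    /**
     * Picks the first configured non-anonymous type that both sides support.
     *
     * @param serverIdentityTypes identity types the server supports
     * @return the matching token configuration (never null)
     * @throws NO_PERMISSION when no configured type is acceptable to the server
     */
    private CSSSASIdentityToken getIdentityTokenBasedOnConfiguredTypes(int serverIdentityTypes) {
        CSSSASIdentityToken selected = null;
        for (String typeName : this.configuredTypes) {
            int type = stringToType(typeName);
            if (canPerformAssertionWith(type, serverIdentityTypes)) {
                selected = this.idTokens.get(Integer.valueOf(type));
                break;
            }
        }
        ensureThereIsAnIdentityToken(selected);
        return selected;
    }

    /** Maps a configured type name back to its CSI type bit; unknown names map to 0. */
    private int stringToType(String typeName) {
        if (TYPE_ITTAnonymous.equals(typeName)) {
            return ITT_ANONYMOUS;
        }
        if (TYPE_ITTPrincipalName.equals(typeName)) {
            return ITT_PRINCIPAL_NAME;
        }
        if (TYPE_ITTX509CertChain.equals(typeName)) {
            return ITT_X509_CERT_CHAIN;
        }
        if (TYPE_ITTDistinguishedName.equals(typeName)) {
            return ITT_DISTINGUISHED_NAME;
        }
        return ITT_ABSENT;
    }

    /** @return true when {@code type} is supported both by this client and by the server mask. */
    private boolean canPerformAssertionWith(int type, int serverIdentityTypes) {
        return (this.supportedIdentityTypes & type) != 0 && (serverIdentityTypes & type) != 0;
    }

    /**
     * Throws {@code NO_PERMISSION} when no token could be selected for an authenticated
     * subject, with a message that distinguishes "client only does anonymous" from
     * "server rejects all of the client's configured types".
     */
    private void ensureThereIsAnIdentityToken(CSSSASIdentityToken token) {
        if (token != null) {
            return;
        }
        String formattedMessage;
        if (this.supportedIdentityTypes == ITT_ANONYMOUS) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "The client cannot assert an authenticated subject because it supports identity assertions with ITTAnonymous only.", new Object[0]);
            }
            formattedMessage = TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "CSIv2_CLIENT_ANONYMOUS_ASSERTION_ONLY", new Object[0], "CWWKS9547E: The client cannot assert an authenticated subject because it supports identity assertions with ITTAnonymous only.");
        } else {
            String clientTypes = typesToString(this.supportedIdentityTypes & NON_ANONYMOUS_TYPES);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "The client cannot assert an authenticated subject because the configuration of the remote server does not support identity assertions with types:", new Object[]{clientTypes});
            }
            formattedMessage = TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "CSIv2_CLIENT_ASSERTION_TYPE_NOT_SUPPORTED", new Object[]{clientTypes}, "CWWKS9548E: The client cannot assert an authenticated subject because the configuration of the remote server does not support identity assertions with types <{0}>.");
        }
        throw new NO_PERMISSION(formattedMessage, SecurityMinorCodes.SECURITY_MECHANISM_NOT_SUPPORTED, CompletionStatus.COMPLETED_NO);
    }

    /**
     * Renders a type bitmask as space-separated type names, or {@code "None"} for 0.
     * A single-bit mask therefore round-trips through {@link #stringToType}.
     */
    @Trivial
    private String typesToString(int typeMask) {
        StringBuilder names = new StringBuilder();
        if ((typeMask & ITT_ANONYMOUS) != 0) {
            names.append("ITTAnonymous ");
        }
        if ((typeMask & ITT_PRINCIPAL_NAME) != 0) {
            names.append("ITTPrincipalName ");
        }
        if ((typeMask & ITT_X509_CERT_CHAIN) != 0) {
            names.append("ITTX509CertChain ");
        }
        if ((typeMask & ITT_DISTINGUISHED_NAME) != 0) {
            names.append("ITTDistinguishedName");
        }
        return names.length() == 0 ? "None" : names.toString().trim();
    }

    public String toString() {
        StringBuilder sb = new StringBuilder();
        toString("", sb);
        return sb.toString();
    }

    /**
     * Appends a trace-friendly dump. Intentionally excludes the trusted identity and its
     * password so that trace output never carries the assertion credential.
     *
     * @param indent prefix for each line
     * @param sb     destination
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Trivial
    public void toString(String indent, StringBuilder sb) {
        String inner = indent + "  ";
        sb.append(indent).append("CSSSASMechConfig: [\n");
        sb.append(inner).append("SUPPORTS: ").append(ConfigUtil.flags(this.supports)).append("\n");
        sb.append(inner).append("REQUIRES: ").append(ConfigUtil.flags(this.requires)).append("\n");
        if (this.identityToken != null) {
            this.identityToken.toString(inner, sb);
        }
        sb.append("\n");
        for (CSSSASIdentityToken token : this.idTokens.values()) {
            token.toString(inner, sb);
        }
        sb.append(indent).append("]\n");
    }

    /** @return true when a trusted identity is configured, i.e. this client asserts identities. */
    public boolean isAsserting() {
        return this.trustedIdentity != null;
    }

    public void setTrustedIdentity(String trustedIdentity) {
        this.trustedIdentity = trustedIdentity;
    }

    public String getTrustedIdentity() {
        return this.trustedIdentity;
    }

    public void setTrustedPassword(SerializableProtectedString trustedPassword) {
        this.trustedPassword = trustedPassword;
    }

    /** @return the trusted identity's credential; callers must not log or trace it. */
    public SerializableProtectedString getTrustedPassword() {
        return this.trustedPassword;
    }

    /** @return bitmask of identity token types registered on this client. */
    public int getSupportedIdentityTypes() {
        return this.supportedIdentityTypes;
    }

    /** @return true when this client and the server share no identity token type at all. */
    public boolean isAssertingITTAbsent(TSSSASMechConfig serverConfig) {
        return (this.supportedIdentityTypes & serverConfig.getSupportedIdentityTypes()) == 0;
    }

    /** @return true for the "no authentication layer" mechanism name; null-safe. */
    private static boolean isAuthDisabled(String authMechanism) {
        // Constant-first comparison so a null mechanism name cannot NPE inside a diagnostic path.
        return AUTH_MECHANISM_DISABLED.equalsIgnoreCase(authMechanism);
    }

    /** Records why the server's "requires" are not covered by this client's "supports". */
    private void buildSupportsFailedMsg(TSSSASMechConfig serverConfig, String authMechanism) {
        if (isAuthDisabled(authMechanism)) {
            this.cantHandleMsg = TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "CSIv2_CLIENT_COMPATIBLE_ATTRIBUTE_SUPPORTS_NO_AUTH_FAILED", new Object[]{ConfigUtil.flags(this.supports), ConfigUtil.flags(serverConfig.getRequires())}, "CWWKS9560E: The client security policy has the attribute layer configured with <{0}> as Supported in the server.xml file and the server security policy is configured with <{1}> as Required.");
        } else {
            this.cantHandleMsg = TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "CSIv2_CLIENT_COMPATIBLE_ATTRIBUTE_SUPPORTS_FAILED", new Object[]{authMechanism, ConfigUtil.flags(this.supports), ConfigUtil.flags(serverConfig.getRequires())}, "CWWKS9559E: The client security policy has the attribute layer configured for {0} with <{1}> as Supported in the server.xml file and the server security policy is configured with <{2}> as Required.");
        }
    }

    /** Records why this client's "requires" are not covered by the server's "supports". */
    private void buildRequiresFailedMsg(TSSSASMechConfig serverConfig, String authMechanism) {
        if (isAuthDisabled(authMechanism)) {
            this.cantHandleMsg = TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "CSIv2_CLIENT_COMPATIBLE_ATTRIBUTE_REQUIRES_NO_AUTH_FAILED", new Object[]{ConfigUtil.flags(this.requires), ConfigUtil.flags(serverConfig.getSupports())}, "CWWKS9562E: The client security policy has the attribute layer configured with <{0}> as Required in the server.xml file and the server security policy is configured with <{1}> as Supported.");
        } else {
            this.cantHandleMsg = TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "CSIv2_CLIENT_COMPATIBLE_ATTRIBUTE_REQUIRES_FAILED", new Object[]{authMechanism, ConfigUtil.flags(this.requires), ConfigUtil.flags(serverConfig.getSupports())}, "CWWKS9561E: The client security policy has the attribute layer configured for {0} with <{1}> as Required in the server.xml file and the server security policy is configured with <{2}> as Supported.");
        }
    }

    /**
     * Records that the two sides share no identity assertion type. The placeholders in
     * these messages are identity assertion <em>types</em>, so the identity type masks
     * are rendered here (the earlier code passed the association-option flags, which is
     * what the supports/requires messages above show and not what this check compared).
     */
    private void buildIdentityAssertionFailedMsg(TSSSASMechConfig serverConfig, String authMechanism) {
        String clientTypes = typesToString(this.supportedIdentityTypes);
        String serverTypes = typesToString(serverConfig.getSupportedIdentityTypes());
        if (isAuthDisabled(authMechanism)) {
            this.cantHandleMsg = TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "CSIv2_CLIENT_COMPATIBLE_ATTRIBUTE_IDENTITY_ASSERTION_NO_AUTH_FAILED", new Object[]{clientTypes, serverTypes}, "CWWKS9564E: The client security policy has the attribute layer configured with identity assertion type <{0}> in the server.xml file and the server security policy is configured with identity assertion type <{1}>.");
        } else {
            this.cantHandleMsg = TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "CSIv2_CLIENT_COMPATIBLE_ATTRIBUTE_IDENTITY_ASSERTION_FAILED", new Object[]{authMechanism, clientTypes, serverTypes}, "CWWKS9563E: The client security policy has the attribute layer configured for <{0}> with identity assertion type <{1}> in the server.xml file and the server security policy is configured with identity assertion type <{2}>.");
        }
    }
}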
