package com.ibm.ws.security.jaspi;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.CustomRegistryException;
import com.ibm.websphere.security.EntryNotFoundException;
import com.ibm.websphere.security.PasswordCheckFailedException;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.webcontainer.security.JaspiService;
import com.ibm.wsspi.security.registry.RegistryHelper;
import java.io.IOException;
import java.rmi.RemoteException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.callback.PasswordValidationCallback;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/security/jaspi/JaspiCallbackHandler.class */
public class JaspiCallbackHandler implements CallbackHandler {
    private static final TraceComponent tc = Tr.register(JaspiCallbackHandler.class, "Security", (String) null);
    private static final String DEFAULT_REALM = "defaultRealm";
    private JaspiService jaspiService;
    static final long serialVersionUID = 2172923547513246042L;

    JaspiCallbackHandler() {
    }

    public JaspiCallbackHandler(JaspiService jaspiService) {
        this();
        this.jaspiService = jaspiService;
    }

    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        if (callbackArr == null || callbackArr.length == 0) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "handle", new Object[]{"No Callbacks received, do nothing."});
                return;
            }
            return;
        }
        try {
            String str = DEFAULT_REALM;
            for (Callback callback : callbackArr) {
                if (callback instanceof CallerPrincipalCallback) {
                    handleCallerPrincipalCallback((CallerPrincipalCallback) callback, str);
                } else if (callback instanceof GroupPrincipalCallback) {
                    handleGroupPrincipalCallback((GroupPrincipalCallback) callback);
                } else if (callback instanceof PasswordValidationCallback) {
                    handlePasswordValidationCallback((PasswordValidationCallback) callback);
                } else {
                    if (!(callback instanceof NameCallback)) {
                        throw new UnsupportedCallbackException(callback);
                    }
                    str = handleNameCallback((NameCallback) callback);
                }
            }
        } catch (UnsupportedCallbackException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.jaspi.JaspiCallbackHandler", "94", this, new Object[]{callbackArr});
            throw e;
        } catch (Exception e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.jaspi.JaspiCallbackHandler", "96", this, new Object[]{callbackArr});
            throw new IOException(e2);
        }
    }

    private String handleNameCallback(NameCallback nameCallback) throws UnsupportedCallbackException {
        if ("com.ibm.wsspi.security.cred.realm".equals(nameCallback.getPrompt())) {
            return getRealm(nameCallback.getName());
        }
        throw new UnsupportedCallbackException(nameCallback);
    }

    private String getRealm(String str) {
        return (str == null || str.trim().isEmpty()) ? DEFAULT_REALM : str;
    }

    protected void handleCallerPrincipalCallback(CallerPrincipalCallback callerPrincipalCallback, String str) throws WSSecurityException {
        String str2;
        Subject subject = callerPrincipalCallback.getSubject();
        String name = callerPrincipalCallback.getName();
        Principal principal = callerPrincipalCallback.getPrincipal();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "handleCallerPrincipalCallback", new Object[]{"user=" + name, "principal=" + principal});
        }
        Hashtable<String, Object> hashtable = null;
        if (subject != null) {
            hashtable = getSubjectCustomData(subject);
            if (name == null && principal == null) {
                str2 = JaspiServiceImpl.UNAUTHENTICATED_ID;
                hashtable.put("com.ibm.wsspi.security.cred.securityName", str2);
            } else if (principal != null) {
                str2 = principal.getName();
                addCommonAttributes(str, str2, hashtable);
                hashtable.put("com.ibm.wsspi.security.cred.jaspi.principal", principal);
            } else {
                str2 = name;
                addCommonAttributes(str, str2, hashtable);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Added securityName: " + str2, new Object[0]);
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "handleCallerPrincipalCallback", new Object[]{hashtable});
        }
    }

    protected void addCommonAttributes(String str, String str2, Hashtable<String, Object> hashtable) {
        try {
            UserRegistry userRegistry = getUserRegistry();
            if (userRegistry == null || !userRegistry.isValidUser(str2)) {
                if (userRegistry == null) {
                    hashtable.put("com.ibm.wsspi.security.cred.uniqueId", "user:" + str + "/" + str2);
                } else {
                    hashtable.put("com.ibm.wsspi.security.cred.uniqueId", userRegistry.getRealm() + "/" + str2);
                }
                hashtable.put("com.ibm.wsspi.security.cred.securityName", str2);
            } else {
                hashtable.put("com.ibm.wsspi.security.cred.userId", str2);
                hashtable.put("com.ibm.ws.authentication.internal.assertion", Boolean.TRUE);
                List uniqueGroupIds = userRegistry.getUniqueGroupIds(str2);
                hashtable.put("com.ibm.wsspi.security.cred.groups", uniqueGroupIds);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Added userid: " + str2 + "  and groups: " + uniqueGroupIds, new Object[0]);
                }
            }
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.jaspi.JaspiCallbackHandler", "189", this, new Object[]{str, str2, hashtable});
        }
    }

    protected void handleGroupPrincipalCallback(GroupPrincipalCallback groupPrincipalCallback) throws CustomRegistryException, EntryNotFoundException, RemoteException {
        Subject subject = groupPrincipalCallback.getSubject();
        Hashtable<String, Object> hashtable = null;
        if (subject != null) {
            String[] groups = groupPrincipalCallback.getGroups();
            if (groups != null && groups.length > 0) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Group names in Callback: ", new Object[]{Arrays.asList(groups)});
                }
                hashtable = getSubjectCustomData(subject);
                List list = (List) hashtable.get("com.ibm.wsspi.security.cred.groups");
                if (list == null) {
                    list = new ArrayList();
                    hashtable.put("com.ibm.wsspi.security.cred.groups", list);
                }
                for (String str : groups) {
                    if (str != null && !str.isEmpty()) {
                        String mapGroup = mapGroup(str);
                        if (!list.contains(mapGroup)) {
                            list.add(mapGroup);
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Added groupId: " + mapGroup, new Object[0]);
                            }
                        } else if (tc.isDebugEnabled()) {
                            Tr.debug(tc, mapGroup + " already exists in custom credential data, avoid duplicates.", new Object[0]);
                        }
                    } else if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Group is null or an empty string, it has been ignored.", new Object[0]);
                    }
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Callback has no groups.", new Object[0]);
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "handleGroupPrincipalCallback", new Object[]{hashtable});
        }
    }

    protected String mapGroup(String str) throws CustomRegistryException, EntryNotFoundException, RemoteException {
        UserRegistry userRegistry = getUserRegistry();
        return (userRegistry == null || !userRegistry.isValidGroup(str)) ? str : userRegistry.getUniqueGroupId(str);
    }

    protected void handlePasswordValidationCallback(PasswordValidationCallback passwordValidationCallback) throws RemoteException, EntryNotFoundException, CustomRegistryException {
        UserRegistry userRegistry;
        Subject subject = passwordValidationCallback.getSubject();
        String username = passwordValidationCallback.getUsername();
        String str = new String(passwordValidationCallback.getPassword());
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "handlePasswordValidationCallback", new Object[]{passwordValidationCallback, username});
        }
        if (subject != null && (userRegistry = getUserRegistry()) != null) {
            if (checkUserPassword(username, str, userRegistry, userRegistry.getRealm(), subject)) {
                passwordValidationCallback.setResult(true);
            } else {
                passwordValidationCallback.setResult(false);
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "handlePasswordValidationCallback", new Object[]{"valid password? " + passwordValidationCallback.getResult()});
        }
    }

    @FFDCIgnore({PasswordCheckFailedException.class})
    protected boolean checkUserPassword(String str, @Sensitive String str2, UserRegistry userRegistry, String str3, Subject subject) throws EntryNotFoundException, CustomRegistryException, RemoteException {
        try {
            String checkPassword = userRegistry.checkPassword(str, str2);
            List groupsForUser = userRegistry.getGroupsForUser(checkPassword);
            ArrayList arrayList = new ArrayList();
            if (groupsForUser != null) {
                Iterator it = groupsForUser.iterator();
                while (it.hasNext()) {
                    arrayList.add(userRegistry.getUniqueGroupId((String) it.next()));
                }
            }
            newCustomCredential(subject, str3, checkPassword, arrayList);
            return true;
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.jaspi.JaspiCallbackHandler", "312", this, new Object[]{str, "<sensitive java.lang.String>", userRegistry, str3, subject});
            if (!tc.isDebugEnabled()) {
                return false;
            }
            Tr.debug(tc, "checkUserPassword - registry exception: " + e, new Object[0]);
            return false;
        } catch (PasswordCheckFailedException e2) {
            if (!tc.isDebugEnabled()) {
                return false;
            }
            Tr.debug(tc, "checkUserPassword - password is not valid.", new Object[0]);
            return false;
        }
    }

    protected Hashtable<String, Object> newCustomCredential(Subject subject, String str, String str2, List<?> list) {
        Hashtable<String, Object> subjectCustomData = getSubjectCustomData(subject);
        subjectCustomData.put("com.ibm.wsspi.security.cred.realm", str);
        subjectCustomData.put("com.ibm.wsspi.security.cred.userId", str2);
        subjectCustomData.put("com.ibm.ws.authentication.internal.assertion", Boolean.TRUE);
        if (list == null || list.isEmpty()) {
            subjectCustomData.put("com.ibm.wsspi.security.cred.groups", new ArrayList());
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Adding groups found in registry", new Object[]{list});
            }
            subjectCustomData.put("com.ibm.wsspi.security.cred.groups", list);
        }
        return subjectCustomData;
    }

    protected Hashtable<String, Object> getSubjectCustomData(@Sensitive Subject subject) {
        Hashtable<String, Object> customCredentials = this.jaspiService.getCustomCredentials(subject);
        if (customCredentials == null) {
            customCredentials = new SubjectHelper().createNewHashtableInSubject(subject);
        }
        return customCredentials;
    }

    UserRegistry getUserRegistry() {
        UserRegistry userRegistry = null;
        try {
            userRegistry = RegistryHelper.getUserRegistry((String) null);
        } catch (WSSecurityException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.jaspi.JaspiCallbackHandler", "350", this, new Object[0]);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Internal error getting the user registry", new Object[]{e});
            }
        }
        return userRegistry;
    }
}
