package com.ibm.ws.security.javaeesec.cdi.beans;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.javaeesec.CDIHelper;
import com.ibm.wsspi.security.registry.RegistryHelper;
import java.lang.annotation.Annotation;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Set;
import javax.enterprise.inject.Instance;
import javax.enterprise.inject.spi.CDI;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.callback.PasswordValidationCallback;
import javax.security.enterprise.AuthenticationException;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.security.enterprise.credential.BasicAuthenticationCredential;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.IdentityStoreHandler;

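/**
 * Helpers shared by the Java EE Security (JSR 375) CDI authentication mechanisms.
 *
 * <p>A credential is validated through the application's {@link IdentityStoreHandler}
 * when an {@link IdentityStore} bean is available; otherwise it is validated against the
 * server user registry through the JASPI {@link PasswordValidationCallback}. On a
 * successful identity-store validation the caller's identity (realm, name, unique id,
 * groups) is recorded in a {@link Hashtable} held in the {@link Subject}'s private
 * credentials so that downstream authentication code can pick it up.
 *
 * <p>Credential parameters are annotated {@code @Sensitive} so that trace and FFDC
 * output never contains the password; keep it that way when adding trace points.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
public class Utils {
    private static final TraceComponent tc = Tr.register(Utils.class, "security", "com.ibm.ws.security.javaeesec.cdi.internal.resources.JavaEESecMessages");

    /** Realm recorded when neither the identity store nor the caller supplies one. */
    private static final String DEFAULT_REALM = "defaultRealm";
    /** Value recorded under {@code javax.servlet.http.authType} after a successful login. */
    private static final String JASPI_AUTH_TYPE = "JASPI_AUTH";
    /** Placeholder used in FFDC output instead of the real (sensitive) credential. */
    private static final String SENSITIVE_CREDENTIAL_PLACEHOLDER = "<sensitive javax.security.enterprise.credential.Credential>";

    // Keys written into the subject hashtable.
    private static final String KEY_ASSERTION = "com.ibm.ws.authentication.internal.assertion";
    private static final String KEY_REALM = "com.ibm.wsspi.security.cred.realm";
    private static final String KEY_USER_ID = "com.ibm.wsspi.security.cred.userId";
    private static final String KEY_SECURITY_NAME = "com.ibm.wsspi.security.cred.securityName";
    private static final String KEY_UNIQUE_ID = "com.ibm.wsspi.security.cred.uniqueId";
    private static final String KEY_GROUPS = "com.ibm.wsspi.security.cred.groups";
    private static final String KEY_CACHE_KEY = "com.ibm.wsspi.security.cred.cacheKey";

    /**
     * Set once the "no identity store" informational message has been logged so it is
     * emitted only once per instance. Plain field: concurrent first calls may log it twice.
     */
    private boolean logNoIDInfo = false;
    static final long serialVersionUID = 7719278886142842682L;

    /**
     * Validates a username/password credential; thin wrapper over
     * {@link #validateCredential(CDI, String, Subject, Credential, HttpMessageContext)}.
     *
     * @param cdi the CDI container of the calling module
     * @param str realm name to use when the identity store does not report one
     * @param subject subject that receives the caller's identity on success
     * @param usernamePasswordCredential credential to validate
     * @param httpMessageContext JASPI message context supplying the callback handler
     * @return the resulting {@link AuthenticationStatus}
     * @throws AuthenticationException if validation could not be carried out
     */
    public AuthenticationStatus validateUserAndPassword(CDI cdi, String str, Subject subject, @Sensitive UsernamePasswordCredential usernamePasswordCredential, HttpMessageContext httpMessageContext) throws AuthenticationException {
        return validateCredential(cdi, str, subject, usernamePasswordCredential, httpMessageContext);
    }

    /**
     * Validates a credential against the identity store when one is available, otherwise
     * against the user registry.
     *
     * @param cdi the CDI container of the calling module
     * @param str realm name to use when the identity store does not report one
     * @param subject subject that receives the caller's identity on success
     * @param credential credential to validate
     * @param httpMessageContext JASPI message context; its handler is used for registry validation
     * @return {@code SUCCESS}, {@code SEND_FAILURE}, or {@code NOT_DONE} when no validation
     *         mechanism (identity store or registry) was able to decide
     * @throws AuthenticationException if an identity store exists but no handler bean can be
     *         resolved, or if registry validation fails unexpectedly
     */
    protected AuthenticationStatus validateCredential(CDI cdi, String str, Subject subject, @Sensitive Credential credential, HttpMessageContext httpMessageContext) throws AuthenticationException {
        if (isIdentityStoreAvailable(cdi)) {
            IdentityStoreHandler handler = getIdentityStoreHandler(cdi);
            if (handler == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "IdentityStoreHandler bean is not found. ", new Object[0]);
                }
                throw new AuthenticationException("No IdentityStoreHandler found");
            }
            return validateWithIdentityStore(str, subject, credential, handler);
        }
        if (!this.logNoIDInfo) {
            Tr.info(tc, "JAVAEESEC_CDI_INFO_NO_IDENTITY_STORE", new Object[0]);
            this.logNoIDInfo = true;
        }
        if (!isRegistryAvailable()) {
            return AuthenticationStatus.NOT_DONE;
        }
        return validateWithUserRegistry(subject, credential, httpMessageContext.getHandler());
    }

    /**
     * Validates the credential and, on success, marks the request as authenticated by JASPI.
     *
     * @param cdi the CDI container of the calling module
     * @param str realm name to use when the identity store does not report one
     * @param credential credential to validate
     * @param subject subject that receives the caller's identity on success
     * @param httpMessageContext JASPI message context whose message-info map is updated
     * @return the status returned by {@link #validateCredential}
     * @throws AuthenticationException propagated from {@link #validateCredential}
     */
    public AuthenticationStatus handleAuthenticate(CDI cdi, String str, @Sensitive Credential credential, Subject subject, HttpMessageContext httpMessageContext) throws AuthenticationException {
        AuthenticationStatus status = validateCredential(cdi, str, subject, credential, httpMessageContext);
        if (status == AuthenticationStatus.SUCCESS) {
            httpMessageContext.getMessageInfo().getMap().put("javax.servlet.http.authType", JASPI_AUTH_TYPE);
        }
        return status;
    }

    /**
     * Validates the credential through the identity store handler and records the caller's
     * identity in the subject when the result is {@code VALID}.
     *
     * @param str realm name to use when the identity store does not report one
     * @param subject subject that receives the caller's identity on success
     * @param credential credential to validate
     * @param identityStoreHandler handler performing the validation
     * @return {@code SUCCESS} for {@code VALID}, {@code NOT_DONE} for {@code NOT_VALIDATED},
     *         {@code SEND_FAILURE} otherwise
     */
    public AuthenticationStatus validateWithIdentityStore(String str, Subject subject, @Sensitive Credential credential, IdentityStoreHandler identityStoreHandler) {
        CredentialValidationResult result = identityStoreHandler.validate(credential);
        CredentialValidationResult.Status status = result.getStatus();
        if (status == CredentialValidationResult.Status.VALID) {
            setLoginHashtable(str, subject, result);
            return AuthenticationStatus.SUCCESS;
        }
        if (status == CredentialValidationResult.Status.NOT_VALIDATED) {
            return AuthenticationStatus.NOT_DONE;
        }
        return AuthenticationStatus.SEND_FAILURE;
    }

    /**
     * Validates a username/password credential against the user registry via the JASPI
     * {@link PasswordValidationCallback}.
     *
     * @param subject subject passed to the callback
     * @param credential must be a {@link UsernamePasswordCredential} (or subclass)
     * @param callbackHandler JASPI callback handler; {@code null} yields {@code SEND_FAILURE}
     * @return {@code SUCCESS} if the callback reports a valid password, else {@code SEND_FAILURE}
     * @throws AuthenticationException if the credential type is unsupported or the callback
     *         handler fails
     */
    private AuthenticationStatus validateWithUserRegistry(Subject subject, @Sensitive Credential credential, CallbackHandler callbackHandler) throws AuthenticationException {
        if (callbackHandler == null) {
            // Nothing can validate the password, so the caller is rejected rather than let through.
            return AuthenticationStatus.SEND_FAILURE;
        }
        if (!isSupportedCredential(credential)) {
            // Guard against a null credential here: reporting the type must not itself NPE.
            String credentialType = credential == null ? "null" : credential.getClass().getName();
            Tr.error(tc, "JAVAEESEC_CDI_ERROR_UNSUPPORTED_CRED", new Object[] { credentialType });
            throw new AuthenticationException(Tr.formatMessage(tc, "JAVAEESEC_CDI_ERROR_UNSUPPORTED_CRED", new Object[] { credentialType }));
        }
        // BasicAuthenticationCredential extends UsernamePasswordCredential, so the cast covers both supported types.
        UsernamePasswordCredential userPassword = (UsernamePasswordCredential) credential;
        PasswordValidationCallback passwordCallback = new PasswordValidationCallback(subject, userPassword.getCaller(), userPassword.getPassword().getValue());
        try {
            callbackHandler.handle(new Callback[] { passwordCallback });
        } catch (Exception e) {
            // The credential is deliberately replaced by a placeholder so FFDC never captures the password.
            FFDCFilter.processException(e, "com.ibm.ws.security.javaeesec.cdi.beans.Utils", "123", this, new Object[] { subject, SENSITIVE_CREDENTIAL_PLACEHOLDER, callbackHandler });
            // Same message as before, but keep the original exception as the cause.
            throw new AuthenticationException(e.toString(), e);
        }
        return passwordCallback.getResult() ? AuthenticationStatus.SUCCESS : AuthenticationStatus.SEND_FAILURE;
    }

    /**
     * Populates the subject's credential hashtable from a {@code VALID} validation result.
     *
     * <p>The realm is taken from the identity store id, then from {@code realmName}, then
     * {@value #DEFAULT_REALM}. The unique id falls back to the caller principal name when
     * the store does not report one.
     *
     * @param realmName realm to use when the result carries no identity store id
     * @param subject subject whose hashtable is populated (created if absent)
     * @param credentialValidationResult a {@code VALID} result
     */
    private void setLoginHashtable(String realmName, Subject subject, CredentialValidationResult credentialValidationResult) {
        Hashtable<String, Object> subjectHashtable = getSubjectHashtable(subject);
        String callerName = credentialValidationResult.getCallerPrincipal().getName();
        String callerUniqueId = credentialValidationResult.getCallerUniqueId();
        String identityStoreId = credentialValidationResult.getIdentityStoreId();

        String realm = identityStoreId != null ? identityStoreId : realmName;
        if (realm == null || realm.isEmpty()) {
            realm = DEFAULT_REALM;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The realm name is not defined, \"defaultRealm\" is used.", new Object[0]);
            }
        }
        String uniqueId = callerUniqueId != null ? callerUniqueId : callerName;

        setCommonAttributes(subjectHashtable, realm, callerName);
        setUniqueId(subjectHashtable, realm, uniqueId);
        setGroups(subjectHashtable, credentialValidationResult.getCallerGroups());
        // Cache key derived from the hashtable contents populated above (computed before the key itself is added).
        subjectHashtable.put(KEY_CACHE_KEY, String.valueOf(subjectHashtable.hashCode()));
    }

    /**
     * Records the assertion flag, realm, user id and security name.
     *
     * @param hashtable subject hashtable to update
     * @param realm realm name
     * @param callerName caller principal name, used for both user id and security name
     */
    private void setCommonAttributes(Hashtable<String, Object> hashtable, String realm, String callerName) {
        hashtable.put(KEY_ASSERTION, Boolean.TRUE);
        hashtable.put(KEY_REALM, realm);
        hashtable.put(KEY_USER_ID, callerName);
        hashtable.put(KEY_SECURITY_NAME, callerName);
    }

    /**
     * Records the unique id in the {@code user:<realm>/<id>} form.
     *
     * @param hashtable subject hashtable to update
     * @param realm realm name
     * @param uniqueId caller unique id (or caller name when the store supplied none)
     */
    private void setUniqueId(Hashtable<String, Object> hashtable, String realm, String uniqueId) {
        hashtable.put(KEY_UNIQUE_ID, "user:" + realm + "/" + uniqueId);
    }

    /**
     * Records the caller's groups; a {@code null} or empty set is stored as an empty list.
     *
     * @param hashtable subject hashtable to update
     * @param groups groups reported by the identity store, may be {@code null}
     */
    private void setGroups(Hashtable<String, Object> hashtable, Set<String> groups) {
        if (groups == null || groups.isEmpty()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No group  found in an identitystore", new Object[0]);
            }
            hashtable.put(KEY_GROUPS, new ArrayList<String>());
            return;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Adding groups found in an identitystore", new Object[] { groups });
        }
        hashtable.put(KEY_GROUPS, new ArrayList<String>(groups));
    }

    /**
     * Returns the subject's credential hashtable, creating and attaching one if none exists.
     *
     * @param subject subject to inspect
     * @return the existing or newly created hashtable
     */
    private Hashtable<String, Object> getSubjectHashtable(Subject subject) {
        Hashtable<String, Object> existing = getSubjectExistingHashtable(subject);
        return existing != null ? existing : createNewSubjectHashtable(subject);
    }

    /**
     * Returns the first {@link Hashtable} among the subject's private credentials, or
     * {@code null} if the subject is {@code null} or holds none.
     *
     * @param subject subject to inspect, may be {@code null}
     * @return the hashtable, or {@code null}
     */
    public Hashtable<String, Object> getSubjectExistingHashtable(final Subject subject) {
        if (subject == null) {
            return null;
        }
        // Private credentials are read under doPrivileged because reading them is a guarded operation.
        return AccessController.doPrivileged(new PrivilegedAction<Hashtable<String, Object>>() {
            @Override
            @SuppressWarnings("unchecked")
            public Hashtable<String, Object> run() {
                Set<Hashtable> privateCredentials = subject.getPrivateCredentials(Hashtable.class);
                if (privateCredentials != null && !privateCredentials.isEmpty()) {
                    // Stored by createNewSubjectHashtable as Hashtable<String, Object>.
                    return (Hashtable<String, Object>) privateCredentials.iterator().next();
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Subject has no Hashtable with custom credentials, return null.", new Object[0]);
                }
                return null;
            }
        });
    }

    /**
     * Creates an empty hashtable and adds it to the subject's private credentials.
     *
     * @param subject subject to attach the hashtable to
     * @return the new hashtable
     */
    public Hashtable<String, Object> createNewSubjectHashtable(final Subject subject) {
        return AccessController.doPrivileged(new PrivilegedAction<Hashtable<String, Object>>() {
            @Override
            public Hashtable<String, Object> run() {
                Hashtable<String, Object> hashtable = new Hashtable<>();
                subject.getPrivateCredentials().add(hashtable);
                return hashtable;
            }
        });
    }

    /**
     * Resolves the {@link IdentityStoreHandler} bean: first from the given container, then
     * (if that container is not the current module's) from the current module.
     *
     * @param cdi the CDI container to query
     * @return the handler, or {@code null} if none is resolvable unambiguously
     */
    public IdentityStoreHandler getIdentityStoreHandler(CDI cdi) {
        IdentityStoreHandler identityStoreHandler = null;
        Instance select = cdi.select(IdentityStoreHandler.class, new Annotation[0]);
        // Null-check kept consistent with isIdentityStoreAvailable.
        if (select != null && !select.isUnsatisfied() && !select.isAmbiguous()) {
            identityStoreHandler = (IdentityStoreHandler) select.get();
        }
        if (identityStoreHandler == null && !cdi.getBeanManager().equals(CDIHelper.getBeanManager())) {
            identityStoreHandler = (IdentityStoreHandler) CDIHelper.getBeanFromCurrentModule(IdentityStoreHandler.class);
        }
        return identityStoreHandler;
    }

    /**
     * Reports whether an {@link IdentityStore} bean is resolvable, either unambiguously from
     * the given container or (when that container is not the current module's) from the
     * current module.
     *
     * @param cdi the CDI container to query
     * @return {@code true} if an identity store bean is available
     */
    public boolean isIdentityStoreAvailable(CDI cdi) {
        Instance select = cdi.select(IdentityStore.class, new Annotation[0]);
        if (select != null && !select.isUnsatisfied() && !select.isAmbiguous()) {
            return true;
        }
        if (cdi.getBeanManager().equals(CDIHelper.getBeanManager())) {
            return false;
        }
        return !CDIHelper.getBeansFromCurrentModule(IdentityStore.class).isEmpty();
    }

    /**
     * Registry validation only handles username/password style credentials.
     *
     * @param credential credential to check, may be {@code null}
     * @return {@code true} for {@link UsernamePasswordCredential} or
     *         {@link BasicAuthenticationCredential}
     */
    private boolean isSupportedCredential(@Sensitive Credential credential) {
        // instanceof is false for null, so no explicit null check is needed.
        return credential instanceof UsernamePasswordCredential || credential instanceof BasicAuthenticationCredential;
    }

    /**
     * Reports whether a user registry is configured.
     *
     * <p>NOTE(review): a {@link WSSecurityException} during lookup is reported through FFDC
     * and then treated as "available" ({@code true}), so validation is still attempted
     * rather than returning {@code NOT_DONE} — confirm this is the intended behaviour.
     *
     * @return {@code true} if a registry was found or the lookup failed with
     *         {@link WSSecurityException}; {@code false} only when the lookup returns {@code null}
     */
    protected boolean isRegistryAvailable() {
        try {
            return RegistryHelper.getUserRegistry((String) null) != null;
        } catch (WSSecurityException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.javaeesec.cdi.beans.Utils", "273", this, new Object[0]);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Internal error getting the user registry", new Object[] { e });
            }
            return true;
        }
    }
}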
