package com.ibm.ws.webcontainer.security;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.common.internal.encoder.Base64Coder;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.authentication.tai.TAIService;
import com.ibm.ws.webcontainer.security.internal.BasicAuthAuthenticator;
import com.ibm.ws.webcontainer.security.internal.SSOAuthenticator;
import com.ibm.ws.webcontainer.security.internal.TAIAuthenticator;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

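/**
 * {@link WebAuthenticator} that chains the provider-based authentication mechanisms
 * visible in this class: trust association interceptors (TAI), SSO cookies and the
 * JASPI provider registered under the key {@code com.ibm.ws.security.jaspi}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The {@code Authorization} request header is attacker-controlled. It is parsed here
 *       only to derive an audit user name, and that parsing must never throw or change
 *       the authentication outcome.</li>
 *   <li>The decoded Basic credentials contain the password, so every parameter that
 *       carries them is marked {@link Sensitive} to keep it out of trace output.</li>
 * </ul>
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/webcontainer/security/WebProviderAuthenticatorProxy.class */
public class WebProviderAuthenticatorProxy implements WebAuthenticator {
    private static final TraceComponent tc = Tr.register(WebProviderAuthenticatorProxy.class);
    // Result returned by handleJaspi when no JASPI provider is registered.
    AuthenticationResult JASPI_CONT = new AuthenticationResult(AuthResult.CONTINUE, "JASPI said continue...");
    protected final AtomicServiceReference<SecurityService> securityServiceRef;
    protected final AtomicServiceReference<TAIService> taiServiceRef;
    protected final ConcurrentServiceReferenceMap<String, TrustAssociationInterceptor> interceptorServiceRef;
    protected volatile WebAppSecurityConfig webAppSecurityConfig;
    protected final ConcurrentServiceReferenceMap<String, WebAuthenticator> webAuthenticatorRef;
    static final long serialVersionUID = -187182665254904997L;

    /**
     * Stores the service references and configuration used by the handlers below.
     *
     * @param atomicServiceReference reference to the {@link SecurityService}
     * @param atomicServiceReference2 reference to the {@link TAIService}
     * @param concurrentServiceReferenceMap registered trust association interceptors
     * @param webAppSecurityConfig web application security configuration
     * @param concurrentServiceReferenceMap2 registered web authenticators, looked up by key
     */
    public WebProviderAuthenticatorProxy(AtomicServiceReference<SecurityService> atomicServiceReference, AtomicServiceReference<TAIService> atomicServiceReference2, ConcurrentServiceReferenceMap<String, TrustAssociationInterceptor> concurrentServiceReferenceMap, WebAppSecurityConfig webAppSecurityConfig, ConcurrentServiceReferenceMap<String, WebAuthenticator> concurrentServiceReferenceMap2) {
        this.securityServiceRef = atomicServiceReference;
        this.taiServiceRef = atomicServiceReference2;
        this.interceptorServiceRef = concurrentServiceReferenceMap;
        this.webAppSecurityConfig = webAppSecurityConfig;
        this.webAuthenticatorRef = concurrentServiceReferenceMap2;
    }

    /**
     * Runs TAI (before-SSO pass), then SSO, then TAI (after-SSO pass), stopping at the
     * first step whose status is not {@code CONTINUE}.
     *
     * @param webRequest the request being authenticated
     * @return the result of the first step that did not ask to continue, or the result
     *         of the after-SSO TAI pass
     */
    @Override // com.ibm.ws.webcontainer.security.WebAuthenticator
    public AuthenticationResult authenticate(WebRequest webRequest) {
        AuthenticationResult result = handleTAI(webRequest, true);
        if (result.getStatus() != AuthResult.CONTINUE) {
            return result;
        }
        result = handleSSO(webRequest, null);
        if (result.getStatus() != AuthResult.CONTINUE) {
            return result;
        }
        webRequest.setCallAfterSSO(true);
        return handleTAI(webRequest, false);
    }

    /**
     * Delegates to the JASPI provider registered under {@code com.ibm.ws.security.jaspi}.
     *
     * <p>With {@code hashMap == null} the default SSO cookie is tried first; if that does
     * not succeed, the {@code jaspicSession} cookie is checked and its subject, when valid,
     * is handed to the provider through the request properties. With a non-null map the
     * provider is called directly and any exception is turned into a {@code FAILURE}.
     *
     * @param webRequest the request being authenticated
     * @param hashMap properties passed to the provider, or {@code null}
     * @return {@link #JASPI_CONT} when no provider is registered, otherwise the SSO or
     *         provider result
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public AuthenticationResult handleJaspi(WebRequest webRequest, HashMap<String, Object> hashMap) {
        AuthenticationResult authenticationResult = this.JASPI_CONT;
        if (this.webAuthenticatorRef == null) {
            return authenticationResult;
        }
        WebAuthenticator webAuthenticator = this.webAuthenticatorRef.getService("com.ibm.ws.security.jaspi");
        if (webAuthenticator == null) {
            return authenticationResult;
        }

        if (hashMap == null) {
            authenticationResult = handleSSO(webRequest, null);
            if (authenticationResult.getStatus() == AuthResult.CONTINUE) {
                AuthenticationResult sessionResult = handleSSO(webRequest, "jaspicSession");
                if (sessionResult.getStatus() == AuthResult.SUCCESS) {
                    HashMap<String, Object> sessionProps = new HashMap<String, Object>();
                    sessionProps.put("javax.servlet.http.registerSession.subject", sessionResult.getSubject());
                    webRequest.setProperties(sessionProps);
                }
                authenticationResult = webAuthenticator.authenticate(webRequest);
                recordJaspicAuditInfo(webRequest, authenticationResult);
            }
        } else {
            try {
                authenticationResult = webAuthenticator.authenticate(webRequest.getHttpServletRequest(), webRequest.getHttpServletResponse(), hashMap);
                recordJaspicAuditInfo(webRequest, authenticationResult);
            } catch (Exception e) {
                FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.WebProviderAuthenticatorProxy", "129", this, new Object[]{webRequest, hashMap});
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Internal error handling JASPI request", new Object[]{e});
                }
                // Fail closed on any provider error.
                // NOTE(review): the exception message becomes the failure reason; confirm that
                // callers do not echo this reason back to the HTTP client.
                authenticationResult = new AuthenticationResult(AuthResult.FAILURE, e.getMessage());
            }
        }

        if (authenticationResult.getStatus() == AuthResult.SUCCESS) {
            // The provider asks for a session cookie through the registerSession property.
            // Only a String value is honoured; any other type is treated as "not requested"
            // rather than failing an already successful authentication with a ClassCastException.
            boolean registerSession = false;
            Map<String, Object> properties = webRequest.getProperties();
            if (properties != null) {
                Object flag = properties.get("javax.servlet.http.registerSession");
                registerSession = (flag instanceof String) && Boolean.parseBoolean((String) flag);
            }
            if (registerSession) {
                new SSOCookieHelperImpl(this.webAppSecurityConfig, "jaspicSession").addSSOCookiesToResponse(authenticationResult.getSubject(), webRequest.getHttpServletRequest(), webRequest.getHttpServletResponse());
            }
            SSOCookieHelper ssoCookieHelper = this.webAppSecurityConfig.createSSOCookieHelper();
            HttpServletResponse httpServletResponse = webRequest.getHttpServletResponse();
            if (!httpServletResponse.isCommitted()) {
                new PostParameterHelper(this.webAppSecurityConfig).restore(webRequest.getHttpServletRequest(), httpServletResponse);
            }
            // The default SSO cookie is removed from the response unless the provider
            // reported a form login.
            boolean formLogin = hashMap != null && "FORM_LOGIN".equals(hashMap.get("authType"));
            if (!formLogin && !httpServletResponse.isCommitted()) {
                ssoCookieHelper.removeSSOCookieFromResponse(httpServletResponse);
            }
        }
        return authenticationResult;
    }

    /**
     * Wraps the servlet request/response in a {@link WebRequestImpl} and calls
     * {@link #handleJaspi(WebRequest, HashMap)}.
     *
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response being built
     * @param hashMap properties passed to the JASPI provider, or {@code null}
     * @return the result of {@code handleJaspi}
     * @throws Exception declared by the {@link WebAuthenticator} interface
     */
    @Override // com.ibm.ws.webcontainer.security.WebAuthenticator
    public AuthenticationResult authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HashMap<String, Object> hashMap) throws Exception {
        return handleJaspi(new WebRequestImpl(httpServletRequest, httpServletResponse, null, null, null, null, null), hashMap);
    }

    /**
     * Invokes the TAI authenticator, if one can be built.
     *
     * @param webRequest the request being authenticated
     * @param z {@code true} for the pass before SSO, {@code false} for the pass after SSO
     * @return a {@code CONTINUE} result when no TAI is available, otherwise the TAI result
     *         (tagged with the TAI audit credential type unless it is {@code CONTINUE})
     */
    protected AuthenticationResult handleTAI(WebRequest webRequest, boolean z) {
        TAIAuthenticator taiAuthenticator = getTaiAuthenticator();
        if (taiAuthenticator == null) {
            return new AuthenticationResult(AuthResult.CONTINUE, "TAI invoke " + (z ? "before" : "after") + " SSO is not available, skipping TAI...");
        }
        AuthenticationResult result = taiAuthenticator.authenticate(webRequest, z);
        if (result.getStatus() != AuthResult.CONTINUE) {
            result.setAuditCredType("TrustAssociationInterceptor");
        }
        return result;
    }

    /**
     * Attempts SSO authentication with the default cookie or the named one.
     *
     * @param webRequest the request being authenticated
     * @param str SSO cookie name to use, or {@code null} for the configured default
     * @return the SSO result when it is {@code SUCCESS}; any other outcome (including
     *         {@code null}) is mapped to {@code CONTINUE}
     */
    protected AuthenticationResult handleSSO(WebRequest webRequest, String str) {
        AuthenticationResult result = getSSOAuthenticator(webRequest, str).authenticate(webRequest);
        if (result != null && result.getStatus() == AuthResult.SUCCESS) {
            return result;
        }
        return new AuthenticationResult(AuthResult.CONTINUE, "SSO did not succeed, so continue ...");
    }

    /**
     * Tells whether the named request attribute is {@link Boolean#TRUE}.
     *
     * @param httpServletRequest request whose attribute is read
     * @param str attribute name
     * @return {@code true} only for a {@code Boolean} attribute that is true; a missing
     *         attribute or one of another type yields {@code false}
     */
    protected boolean isNotNullAndTrue(HttpServletRequest httpServletRequest, String str) {
        // equals() avoids the ClassCastException a blind (Boolean) cast would raise when
        // some other component stored a non-Boolean value under this name.
        return Boolean.TRUE.equals(httpServletRequest.getAttribute(str));
    }

    /**
     * Builds a {@link TAIAuthenticator} when a TAI service or at least one interceptor
     * is registered.
     *
     * @return a new authenticator, or {@code null} when neither is available
     */
    protected TAIAuthenticator getTaiAuthenticator() {
        TAIService taiService = this.taiServiceRef.getService();
        Iterator<?> interceptors = this.interceptorServiceRef.getServices();
        boolean hasInterceptor = interceptors != null && interceptors.hasNext();
        if (taiService == null && !hasInterceptor) {
            return null;
        }
        // NOTE(review): securityServiceRef.getService() is dereferenced without a null
        // check here; confirm the reference is always bound when requests arrive.
        return new TAIAuthenticator(taiService, this.interceptorServiceRef, this.securityServiceRef.getService().getAuthenticationService(), this.webAppSecurityConfig.createSSOCookieHelper());
    }

    /**
     * Creates an {@link SSOAuthenticator} for this request.
     *
     * @param webRequest the request being authenticated
     * @param str SSO cookie name, or {@code null} to use the helper created by the
     *            security configuration
     * @return a new SSO authenticator
     */
    public WebAuthenticator getSSOAuthenticator(WebRequest webRequest, String str) {
        SSOCookieHelper cookieHelper = str != null ? new SSOCookieHelperImpl(this.webAppSecurityConfig, str) : this.webAppSecurityConfig.createSSOCookieHelper();
        return new SSOAuthenticator(this.securityServiceRef.getService().getAuthenticationService(), webRequest.getSecurityMetadata(), this.webAppSecurityConfig, cookieHelper);
    }

    /**
     * @return the map of registered web authenticators passed to the constructor
     */
    public ConcurrentServiceReferenceMap<String, WebAuthenticator> getWebAuthenticatorRefs() {
        return this.webAuthenticatorRef;
    }

    /**
     * Tags a JASPI result for auditing: sets the credential type to {@code JASPIC} and,
     * when the request carries a parsable Basic {@code Authorization} header, the user
     * name from it. Does nothing for {@code CONTINUE} results.
     */
    private void recordJaspicAuditInfo(WebRequest webRequest, AuthenticationResult authenticationResult) {
        if (authenticationResult.getStatus() == AuthResult.CONTINUE) {
            return;
        }
        String user = extractBasicAuthUser(webRequest.getHttpServletRequest().getHeader(BasicAuthAuthenticator.BASIC_AUTH_HEADER_NAME));
        if (user != null) {
            authenticationResult.setAuditCredValue(user);
        }
        authenticationResult.setAuditCredType("JASPIC");
    }

    /**
     * Extracts the user name from a Basic {@code Authorization} header value.
     *
     * <p>The header comes straight from the client, so a value that is not valid Base64
     * or lacks the {@code user:password} separator yields {@code null} instead of a
     * {@code NullPointerException} or {@code StringIndexOutOfBoundsException}. The result
     * is used for audit records only; the provider's decision stays authoritative.
     *
     * @param header raw header value, may be {@code null}
     * @return the text before the first {@code ':'}, or {@code null} if it cannot be determined
     */
    private String extractBasicAuthUser(@Sensitive String header) {
        if (header == null || !header.startsWith("Basic ")) {
            return null;
        }
        String decoded = decodeCookieString(header.substring(6));
        if (decoded == null) {
            return null;
        }
        int separator = decoded.indexOf(':');
        return separator < 0 ? null : decoded.substring(0, separator);
    }

    /**
     * Base64-decodes the given string. Despite the name, this class uses it for the
     * Basic {@code Authorization} payload, which contains the password; both the
     * argument and the return value are therefore marked {@link Sensitive}.
     *
     * @param str Base64 text
     * @return the decoded text, or {@code null} when decoding throws
     */
    @Sensitive
    private String decodeCookieString(@Sensitive String str) {
        try {
            return Base64Coder.base64Decode(str);
        } catch (Exception e) {
            // The FFDC record gets a placeholder instead of the sensitive input.
            FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.WebProviderAuthenticatorProxy", "281", this, new Object[]{"<sensitive java.lang.String>"});
            return null;
        }
    }
}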
