package com.ibm.ws.wssecurity.caller;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.saml2.Saml20Token;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.AuthenticationResult;
import com.ibm.ws.webcontainer.security.WebProviderAuthenticatorHelper;
import com.ibm.ws.wssecurity.token.TokenUtils;
import java.rmi.RemoteException;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

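/**
 * Logs in a caller whose identity comes from a SAML 2.0 assertion that the
 * WS-Security runtime has already accepted.
 *
 * <p>The {@code callerConfig} map decides how the assertion is turned into
 * login properties: {@code CallerConstants.MAP_TO_UR} ("No", "User" or "Group")
 * selects which identity attributes are supplied, {@code CallerConstants.INCLUDE_TOKEN}
 * controls whether the SAML token is attached to the resulting {@link Subject}
 * as a private credential, and {@code CallerConstants.ALLOW_CACHE_KEY} controls
 * whether a custom authentication-cache key is supplied. The login itself is
 * delegated to {@link WebProviderAuthenticatorHelper#loginWithUserName}.
 *
 * <p>An instance carries the configuration and token for one authentication.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.wssecurity_1.0.15.jar:com/ibm/ws/wssecurity/caller/SAMLAuthenticator.class */
public class SAMLAuthenticator {
    public static final TraceComponent tc = Tr.register(SAMLAuthenticator.class, "WSSecurity", "com.ibm.ws.wssecurity.resources.WSSecurityMessages");

    // Login-property keys consumed by the authentication helper (spelling is part of the contract).
    private static final String CRED_UNIQUE_ID = "com.ibm.wsspi.security.cred.uniqueId";
    private static final String CRED_SECURITY_NAME = "com.ibm.wsspi.security.cred.securityName";
    private static final String CRED_REALM = "com.ibm.wsspi.security.cred.realm";
    private static final String CRED_GROUPS = "com.ibm.wsspi.security.cred.groups";
    private static final String CRED_USER_ID = "com.ibm.wsspi.security.cred.userId";
    private static final String CRED_CACHE_KEY = "com.ibm.wsspi.security.cred.cacheKey";
    private static final String INTERNAL_ASSERTION = "com.ibm.ws.authentication.internal.assertion";

    // Package-private and non-final, as in the original binary; resolved once per instance.
    WebProviderAuthenticatorHelper authHelper = TokenUtils.getAuthHelper();
    private final Map<String, Object> callerConfig;
    private final Saml20Token samltoken;
    // Retained for compatibility with the original class; the class does not implement Serializable.
    static final long serialVersionUID = 154840321663826637L;

    /**
     * @param map          caller configuration (see class comment for the keys read)
     * @param saml20Token  the already-validated SAML token to authenticate with
     */
    public SAMLAuthenticator(Map<String, Object> map, Saml20Token saml20Token) {
        this.callerConfig = map;
        this.samltoken = saml20Token;
    }

    /**
     * Derives the user and login properties from the assertion and performs the login.
     *
     * @return the helper's result; when the status is not {@link AuthResult#SUCCESS}
     *         an error message has already been logged
     * @throws SamlCallerTokenException if subject information cannot be derived from
     *         the assertion (logged as {@code failed_to_obtain_subject_info}, then rethrown)
     * @throws Exception any other failure (logged as {@code failed_to_authenticate}, then rethrown)
     */
    public AuthenticationResult authenticate() throws Exception {
        try {
            AssertionToSubject assertionToSubject = new AssertionToSubject(this.callerConfig, this.samltoken);
            String user = assertionToSubject.getUser();
            Hashtable<String, Object> loginProperties = createHashtable(assertionToSubject, this.samltoken, user);
            AuthenticationResult result = authenticateLogin(loginProperties, user);
            if (result.getStatus() != AuthResult.SUCCESS) {
                // When mapping to the registry by user name, the failure is reported with that
                // user name; otherwise the helper's own reason is reported.
                if ("User".equalsIgnoreCase(mapToUserRegistry())) {
                    Tr.error(tc, "error_authenticate_maptouser", new Object[]{user});
                } else {
                    Tr.error(tc, "error_authenticate", new Object[]{result.getReason()});
                }
            }
            return result;
        } catch (SamlCallerTokenException e) {
            // Probe ids ("85", "95") are those recorded by the FFDC instrumentation; kept unchanged.
            FFDCFilter.processException(e, "com.ibm.ws.wssecurity.caller.SAMLAuthenticator", "85", this, new Object[0]);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Unexpected exception: " + e.getCause(), new Object[0]);
            }
            Tr.error(tc, "failed_to_obtain_subject_info", new Object[]{e.getLocalizedMessage()});
            throw e;
        } catch (Exception e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.wssecurity.caller.SAMLAuthenticator", "95", this, new Object[0]);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Unexpected exception: " + e2.getCause(), new Object[0]);
            }
            Tr.error(tc, "failed_to_authenticate", new Object[]{e2.getLocalizedMessage()});
            throw e2;
        }
    }

    /**
     * Performs the login through the shared authenticator helper.
     *
     * <p>No servlet request or response exists for a WS-Security caller, so both are
     * passed as {@code null}. The trailing flag is {@code true} only when
     * {@code MAP_TO_UR} is "User"; its exact meaning on the helper side is not visible
     * here — TODO confirm against {@link WebProviderAuthenticatorHelper#loginWithUserName}.
     *
     * @param hashtable login properties built by {@link #createHashtable}
     * @param str       user name derived from the assertion
     * @return the helper's result
     */
    private AuthenticationResult authenticateLogin(Hashtable<String, Object> hashtable, String str) {
        Subject subject = new Subject();
        if (configFlag(CallerConstants.INCLUDE_TOKEN)) {
            // Makes the SAML token retrievable from the authenticated Subject's private credentials.
            subject.getPrivateCredentials().add(this.samltoken);
        }
        boolean mapToUser = "User".equalsIgnoreCase(mapToUserRegistry());
        return this.authHelper.loginWithUserName((HttpServletRequest) null, (HttpServletResponse) null, str, subject, hashtable, mapToUser);
    }

    /**
     * Builds the login properties for the helper from the assertion.
     *
     * <ul>
     *   <li>"No": unique id, security name, realm and (if any) groups all come from the assertion.</li>
     *   <li>"User": only the user id is supplied.</li>
     *   <li>"Group": as "No", but groups are obtained via
     *       {@code getGroupUniqueIdentityFromRegistry} (presumably a registry lookup — verify).</li>
     *   <li>Any other value: no identity attributes at all; only the flags below are set.</li>
     * </ul>
     * In every case the internal-assertion flag is set to {@link Boolean#TRUE}, and a custom cache
     * key is added when {@code ALLOW_CACHE_KEY} is enabled.
     *
     * @param assertionToSubject accessor for the identity values in the assertion
     * @param saml20Token        unused; kept for interface compatibility
     * @param str                user name derived from the assertion
     * @return the login properties; null values are never stored
     * @throws SamlCallerTokenException, WSSecurityException, RemoteException as thrown by the
     *         {@code AssertionToSubject} lookups
     */
    Hashtable<String, Object> createHashtable(AssertionToSubject assertionToSubject, Saml20Token saml20Token, String str) throws SamlCallerTokenException, WSSecurityException, RemoteException {
        Hashtable<String, Object> hashtable = new Hashtable<>();
        String mapToUR = mapToUserRegistry();
        if ("No".equalsIgnoreCase(mapToUR)) {
            putUniqueIdentity(hashtable, assertionToSubject, str, false);
        } else if ("User".equalsIgnoreCase(mapToUR)) {
            putValue(hashtable, CRED_USER_ID, str);
        } else if ("Group".equalsIgnoreCase(mapToUR)) {
            putUniqueIdentity(hashtable, assertionToSubject, str, true);
        }
        putValue(hashtable, INTERNAL_ASSERTION, Boolean.TRUE);
        if (configFlag(CallerConstants.ALLOW_CACHE_KEY)) {
            putValue(hashtable, CRED_CACHE_KEY, assertionToSubject.getCustomCacheKeyValue());
        }
        return hashtable;
    }

    /**
     * Adds unique id, security name, realm and groups for the "No" and "Group" mappings.
     * Lookup order (realm, user unique id, groups) is preserved from the original code.
     *
     * @param groupsFromRegistry {@code true} to use {@code getGroupUniqueIdentityFromRegistry},
     *                           {@code false} to use {@code getGroupUniqueIdentity}
     */
    private void putUniqueIdentity(Hashtable<String, Object> hashtable, AssertionToSubject assertionToSubject, String user, boolean groupsFromRegistry) throws SamlCallerTokenException, WSSecurityException, RemoteException {
        String realm = assertionToSubject.getRealm();
        String uniqueId = assertionToSubject.getUserUniqueIdentity(user, realm);
        List<String> groups = groupsFromRegistry
                ? assertionToSubject.getGroupUniqueIdentityFromRegistry(realm)
                : assertionToSubject.getGroupUniqueIdentity(realm);
        putValue(hashtable, CRED_UNIQUE_ID, uniqueId);
        putValue(hashtable, CRED_SECURITY_NAME, user);
        putValue(hashtable, CRED_REALM, realm);
        // An empty group list is left out entirely rather than stored as an empty value.
        if (!groups.isEmpty()) {
            putValue(hashtable, CRED_GROUPS, groups);
        }
    }

    /** Returns the configured {@code MAP_TO_UR} value; may be {@code null} if unset. */
    private String mapToUserRegistry() {
        return (String) this.callerConfig.get(CallerConstants.MAP_TO_UR);
    }

    /**
     * Reads a Boolean configuration flag. A missing or non-Boolean value throws
     * (NullPointerException / ClassCastException), which {@link #authenticate()} reports as a
     * failed login instead of silently assuming a default.
     */
    private boolean configFlag(Object key) {
        return ((Boolean) this.callerConfig.get(key)).booleanValue();
    }

    /** Stores {@code obj} under {@code str}, skipping nulls because {@link Hashtable} rejects null values. */
    void putValue(Hashtable<String, Object> hashtable, String str, Object obj) {
        if (obj != null) {
            hashtable.put(str, obj);
        }
    }
}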
