package com.ibm.ws.wssecurity.caller;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.websphere.security.EntryNotFoundException;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.saml2.Saml20Attribute;
import com.ibm.websphere.security.saml2.Saml20Token;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.sib.mfp.MfpConstants;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import com.ibm.wsspi.security.registry.RegistryHelper;
import com.ibm.wsspi.security.saml2.UserCredentialResolver;
import com.ibm.wsspi.security.saml2.UserIdentityException;
import java.rmi.RemoteException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.Map;
import org.apache.cxf.ws.security.policy.SPConstants;
import org.opensaml.saml2.core.NameID;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.wssecurity_1.0.18.jar:com/ibm/ws/wssecurity/caller/AssertionToSubject.class */
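/**
 * Derives the caller subject (user name, realm, unique user id and group ids) from a
 * SAML 2.0 assertion.
 *
 * <p>Every lookup follows the same precedence:
 * <ol>
 *   <li>a registered {@link UserCredentialResolver}, if one is activated and returns a
 *       non-empty value;</li>
 *   <li>the SAML attribute named by the caller configuration ({@code CallerConstants.*});</li>
 *   <li>the assertion itself ({@code NameID} / {@code Issuer}).</li>
 * </ol>
 *
 * <p>NOTE(review): nothing here validates the assertion; it is assumed the signature and
 * conditions were already checked before this class is consulted — confirm against the
 * caller. Values produced by a {@code UserCredentialResolver} are trusted as-is.
 */
public class AssertionToSubject {
    Saml20Token token;
    private final Map<String, Object> callerConfig;
    static final String fixedStr = "_ibm";
    static final long serialVersionUID = 7499811885418360259L;
    private static final TraceComponent tc = Tr.register(AssertionToSubject.class, "WSSecurity", "com.ibm.ws.wssecurity.resources.WSSecurityMessages");
    public static final String KEY_USER_RESOLVER = "userResolver";
    static ConcurrentServiceReferenceMap<String, UserCredentialResolver> activatedUserResolverRef = new ConcurrentServiceReferenceMap<>(KEY_USER_RESOLVER);

    /**
     * @param map          caller configuration; read with the {@code CallerConstants} keys
     * @param saml20Token  the assertion to map (assumed already validated, see class doc)
     */
    public AssertionToSubject(Map<String, Object> map, Saml20Token saml20Token) {
        this.callerConfig = map;
        this.token = saml20Token;
    }

    /** Installs the service map holding the activated {@link UserCredentialResolver}s. */
    public static void setActivatedUserResolverRef(ConcurrentServiceReferenceMap<String, UserCredentialResolver> concurrentServiceReferenceMap) {
        activatedUserResolverRef = concurrentServiceReferenceMap;
        debug("activatedUserResolverRef size():", activatedUserResolverRef.size());
    }

    /**
     * Resolves the user name: resolver, then the attribute named by
     * {@code CallerConstants.USER_ID}, then the assertion {@code NameID}.
     *
     * @return a non-empty user name
     * @throws SamlCallerTokenException when the configured attribute is absent (or not
     *         single-valued), when the resolver fails, or when no user can be determined
     */
    public String getUser() throws SamlCallerTokenException {
        if (activatedUserResolverRef.size() > 0) {
            String resolved = getUserFromUserResolver(null);
            if (resolved != null && !resolved.isEmpty()) {
                return resolved;
            }
        }
        String user = this.token.getSAMLNameID();
        String userAttribute = (String) this.callerConfig.get(CallerConstants.USER_ID);
        if (userAttribute != null && !userAttribute.isEmpty()) {
            // A configured attribute replaces NameID entirely; it must be present.
            user = singleValuedAttribute(userAttribute);
            if (user == null) {
                throw new SamlCallerTokenException("SAML20_ATTRIBUTE_ERR", null, false, new Object[]{userAttribute, CallerConstants.USER_ID});
            }
            debug("user from Token Attributes:", user);
        }
        if (user == null || user.isEmpty()) {
            throw new SamlCallerTokenException("SAML20_ELEMENT_ERR", null, false, new Object[]{NameID.DEFAULT_ELEMENT_LOCAL_NAME});
        }
        return user;
    }

    /**
     * Asks the first activated resolver for the user name.
     *
     * @param str unused; kept for signature compatibility
     * @return the resolver's answer, or {@code null} when no resolver is registered
     * @throws SamlCallerTokenException wrapping a {@link UserIdentityException} from the resolver
     */
    @FFDCIgnore({UserIdentityException.class})
    String getUserFromUserResolver(String str) throws SamlCallerTokenException {
        UserCredentialResolver resolver = firstUserResolver();
        if (resolver == null) {
            return null;
        }
        try {
            return resolver.mapSAMLAssertionToUser(this.token);
        } catch (UserIdentityException e) {
            throw new SamlCallerTokenException("SAML20_CANNOT_RESOLVE_ASSERTION", e, false, new Object[]{e.getMessage()});
        }
    }

    /**
     * Resolves the realm: resolver, then the fixed {@code CallerConstants.REALM_NAME},
     * then the attribute named by {@code CallerConstants.REALM_ID}, then the assertion
     * {@code Issuer}.
     *
     * @return the realm name (may be empty if the issuer name is empty; only null is rejected)
     * @throws SamlCallerTokenException when the configured attribute is absent, the resolver
     *         fails, or no realm can be determined
     */
    public String getRealm() throws SamlCallerTokenException {
        if (activatedUserResolverRef.size() > 0) {
            String resolved = getRealmFromUserResolver();
            if (resolved != null && !resolved.isEmpty()) {
                return resolved;
            }
        }
        String configuredRealm = (String) this.callerConfig.get(CallerConstants.REALM_NAME);
        if (configuredRealm != null && !configuredRealm.isEmpty()) {
            return configuredRealm;
        }
        String realm = this.token.getSAMLIssuerName();
        String realmAttribute = (String) this.callerConfig.get(CallerConstants.REALM_ID);
        if (realmAttribute != null && !realmAttribute.isEmpty()) {
            realm = singleValuedAttribute(realmAttribute);
            if (realm == null) {
                throw new SamlCallerTokenException("SAML20_ATTRIBUTE_ERR", null, false, new Object[]{realmAttribute, CallerConstants.REALM_ID});
            }
            debug("realm from Token Attributes:", realm);
        }
        if (realm == null) {
            throw new SamlCallerTokenException("SAML20_ELEMENT_ERR", null, false, new Object[]{SPConstants.ISSUER_NAME});
        }
        return realm;
    }

    /**
     * Asks the first activated resolver for the realm.
     *
     * @return the resolver's answer, or {@code null} when no resolver is registered
     * @throws SamlCallerTokenException wrapping a {@link UserIdentityException} from the resolver
     */
    @FFDCIgnore({UserIdentityException.class})
    String getRealmFromUserResolver() throws SamlCallerTokenException {
        UserCredentialResolver resolver = firstUserResolver();
        if (resolver == null) {
            return null;
        }
        try {
            return resolver.mapSAMLAssertionToRealm(this.token);
        } catch (UserIdentityException e) {
            throw new SamlCallerTokenException("SAML20_CANNOT_RESOLVE_ASSERTION", e, new Object[]{e.getMessage()});
        }
    }

    /**
     * Resolves the unique user id in the form {@code user:<realm>/<id>}.
     *
     * <p>A value from the resolver is returned verbatim (no prefix normalisation). Otherwise
     * the id is the attribute named by {@code CallerConstants.USER_UNIQUE_ID} or, if none is
     * configured, {@code user}; an id already carrying a {@code user:<other>/} prefix is
     * re-bound to {@code realm}.
     *
     * @param user  the user name (see {@link #getUser()}), used when no attribute is configured
     * @param realm the realm to qualify the id with
     * @throws SamlCallerTokenException when the configured attribute is absent, the resolver
     *         fails, or no id can be determined
     */
    public String getUserUniqueIdentity(String user, String realm) throws SamlCallerTokenException {
        if (activatedUserResolverRef.size() > 0) {
            String resolved = getUserUniqueIDFromUserResolver(user);
            if (resolved != null && !resolved.isEmpty()) {
                return resolved;
            }
        }
        String uniqueId = user;
        String uniqueIdAttribute = (String) this.callerConfig.get(CallerConstants.USER_UNIQUE_ID);
        if (uniqueIdAttribute != null && !uniqueIdAttribute.isEmpty()) {
            uniqueId = singleValuedAttribute(uniqueIdAttribute);
            if (uniqueId == null) {
                throw new SamlCallerTokenException("SAML20_ATTRIBUTE_ERR", null, false, new Object[]{uniqueIdAttribute, CallerConstants.USER_UNIQUE_ID});
            }
            debug("uniqueUserId from Token Attributes:", uniqueId);
        }
        if (uniqueId == null) {
            throw new SamlCallerTokenException("SAML20_ELEMENT_ERR", null, false, new Object[]{NameID.DEFAULT_ELEMENT_LOCAL_NAME});
        }
        return qualifyWithRealm("user:" + realm + "/", "user:", uniqueId);
    }

    /**
     * Asks the first activated resolver for the unique user id.
     *
     * @param str unused; kept for signature compatibility
     * @return the resolver's answer, or {@code null} when no resolver is registered
     * @throws SamlCallerTokenException wrapping a {@link UserIdentityException} from the resolver
     */
    @FFDCIgnore({UserIdentityException.class})
    String getUserUniqueIDFromUserResolver(String str) throws SamlCallerTokenException {
        UserCredentialResolver resolver = firstUserResolver();
        if (resolver == null) {
            return null;
        }
        try {
            return resolver.mapSAMLAssertionToUserUniqueID(this.token);
        } catch (UserIdentityException e) {
            throw new SamlCallerTokenException("SAML20_CANNOT_RESOLVE_ASSERTION", e, new Object[]{e.getMessage()});
        }
    }

    /**
     * Resolves group ids by looking each asserted group up in the user registry.
     *
     * <p>Groups come from the resolver when it returns any, otherwise from every value of
     * the attribute named by {@code CallerConstants.GROUP_ID}. Each is mapped through
     * {@link #mapGroupToUserRegistry}; groups unknown to the registry are dropped.
     *
     * @param realm the realm used to build the {@code group:<realm>/} prefix
     * @return the registry-qualified group ids (possibly empty, never {@code null})
     */
    public List<String> getGroupUniqueIdentityFromRegistry(String realm) throws WSSecurityException, RemoteException, SamlCallerTokenException {
        if (activatedUserResolverRef.size() > 0) {
            List<String> resolved = getGroupsFromUserResolver();
            if (resolved != null && resolved.size() > 0) {
                return mapGroupsToUserRegistry(resolved, realm);
            }
        }
        List<String> groups = new ArrayList<String>();
        String groupAttribute = (String) this.callerConfig.get(CallerConstants.GROUP_ID);
        // Unlike getGroupUniqueIdentity, an empty attribute name is not rejected here
        // (pre-existing behaviour, retained).
        if (groupAttribute != null) {
            String prefix = "group:" + realm + "/";
            for (Saml20Attribute attribute : this.token.getSAMLAttributes()) {
                if (groupAttribute.equals(attribute.getName())) {
                    for (String group : attribute.getValuesAsString()) {
                        mapGroupToUserRegistry(groups, group, prefix);
                    }
                }
            }
        }
        return groups;
    }

    /**
     * Looks one asserted group up in the default user registry and appends its unique id
     * and the ids of all groups it belongs to, each prefixed with {@code prefix}.
     *
     * <p>Any {@code group:<realm>/} prefix on {@code group} is stripped before the lookup,
     * so the registry is always queried by bare group name. A group the registry does not
     * know is skipped silently (the {@link EntryNotFoundException} is ignored by design and
     * excluded from FFDC).
     *
     * @param groups accumulator that receives the qualified ids
     * @param group  asserted group value, possibly prefixed; may be {@code null}
     * @param prefix {@code group:<realm>/}
     * @return {@code groups}, for chaining
     */
    @FFDCIgnore({EntryNotFoundException.class})
    List<String> mapGroupToUserRegistry(List<String> groups, String group, String prefix) throws RemoteException, WSSecurityException {
        UserRegistry userRegistry = RegistryHelper.getUserRegistry((String) null);
        debug("UserRegistry:", userRegistry);
        String groupName = stripGroupPrefix(group, prefix);
        debug("original Group:", groupName);
        try {
            String uniqueGroupId = userRegistry.getUniqueGroupId(groupName);
            debug("groupDN from registry:", uniqueGroupId);
            groups.add(prefix + uniqueGroupId);
            for (Object parent : userRegistry.getUniqueGroupIds(uniqueGroupId)) {
                String parentId = (String) parent;
                debug("groupDN from GroupIds:", parentId);
                groups.add(prefix + parentId);
            }
        } catch (EntryNotFoundException ignored) {
            // Not in the registry: the asserted group yields no local group identity.
            debug("group not found in registry, skipped:", groupName);
        }
        return groups;
    }

    /**
     * Maps every group in {@code groups} through {@link #mapGroupToUserRegistry}.
     *
     * @param groups asserted group values
     * @param realm  the realm used to build the {@code group:<realm>/} prefix
     * @return a new list of registry-qualified ids
     */
    List<String> mapGroupsToUserRegistry(List<String> groups, String realm) throws RemoteException, WSSecurityException {
        String prefix = "group:" + realm + "/";
        List<String> mapped = new ArrayList<String>();
        for (String group : groups) {
            mapGroupToUserRegistry(mapped, group, prefix);
        }
        return mapped;
    }

    /**
     * Asks the first activated resolver for the group list.
     *
     * @return the resolver's answer, or {@code null} when no resolver is registered
     * @throws SamlCallerTokenException wrapping a {@link UserIdentityException} from the resolver
     */
    @FFDCIgnore({UserIdentityException.class})
    List<String> getGroupsFromUserResolver() throws SamlCallerTokenException {
        UserCredentialResolver resolver = firstUserResolver();
        if (resolver == null) {
            return null;
        }
        try {
            return resolver.mapSAMLAssertionToGroups(this.token);
        } catch (UserIdentityException e) {
            throw new SamlCallerTokenException("SAML20_CANNOT_RESOLVE_ASSERTION", e, new Object[]{e.getMessage()});
        }
    }

    /**
     * Resolves group ids in the form {@code group:<realm>/<name>} without consulting the
     * registry.
     *
     * <p>Resolver output is trusted as-is: a value that already starts with {@code group:}
     * keeps whatever realm it names, anything else gets the {@code realm} prefix. Attribute
     * values (from the attribute named by {@code CallerConstants.GROUP_ID}) are instead
     * re-bound to {@code realm} when they carry a {@code group:<other>/} prefix.
     *
     * @param realm the realm used to build the {@code group:<realm>/} prefix
     * @return the qualified group ids (possibly empty, never {@code null})
     * @throws SamlCallerTokenException when the resolver fails
     */
    public List<String> getGroupUniqueIdentity(String realm) throws SamlCallerTokenException {
        List<String> groups = new ArrayList<String>();
        String prefix = "group:" + realm + "/";
        if (activatedUserResolverRef.size() > 0) {
            List<String> resolved = getGroupsFromUserResolver();
            if (resolved != null && resolved.size() > 0) {
                for (String group : resolved) {
                    groups.add(group.startsWith("group:") ? group : prefix + group);
                }
                return groups;
            }
        }
        String groupAttribute = (String) this.callerConfig.get(CallerConstants.GROUP_ID);
        if (groupAttribute != null && !groupAttribute.isEmpty()) {
            for (Saml20Attribute attribute : this.token.getSAMLAttributes()) {
                if (groupAttribute.equals(attribute.getName())) {
                    for (String group : attribute.getValuesAsString()) {
                        debug("groupDN from Token Attributes:", group);
                        groups.add(qualifyWithRealm(prefix, "group:", group));
                    }
                }
            }
        }
        return groups;
    }

    /**
     * Builds the caller-token cache key: issuer name, then the MFP handle separator, then
     * the assertion id.
     */
    @Trivial
    public String getCustomCacheKeyValue() {
        String key = this.token.getSAMLIssuerName() + MfpConstants.MESSAGE_HANDLE_SEPARATOR + this.token.getSamlID();
        debug("cxf-saml caller token cache key :", key);
        return key;
    }

    /**
     * Returns the value of the last SAML attribute named {@code attributeName} that carries
     * exactly one value, or {@code null} when none does. Attributes of that name with zero
     * or several values are ignored; when several single-valued attributes share the name,
     * the last one wins.
     */
    private String singleValuedAttribute(String attributeName) {
        String value = null;
        for (Saml20Attribute attribute : this.token.getSAMLAttributes()) {
            List<String> values = attribute.getValuesAsString();
            if (attributeName.equals(attribute.getName()) && values.size() == 1) {
                value = values.get(0);
            }
        }
        return value;
    }

    /**
     * Qualifies {@code value} with {@code prefix} ({@code kind + realm + "/"}).
     *
     * <ul>
     *   <li>already carries {@code prefix}: returned unchanged;</li>
     *   <li>starts with {@code kind} and has a {@code /} after it: the part after the first
     *       {@code /} is re-bound to {@code prefix} (e.g. {@code user:other/alice} becomes
     *       {@code user:<realm>/alice});</li>
     *   <li>otherwise {@code prefix + value}.</li>
     * </ul>
     */
    private static String qualifyWithRealm(String prefix, String kind, String value) {
        if (value.startsWith(prefix)) {
            return value;
        }
        int slash = value.indexOf("/");
        if (value.startsWith(kind) && slash > 0) {
            return prefix + value.substring(slash + 1);
        }
        return prefix + value;
    }

    /**
     * Removes a {@code group:<realm>/} prefix from {@code group}: {@code prefix} itself, or
     * any other {@code group:...}/ prefix up to the first {@code /}. {@code null} passes
     * through unchanged.
     */
    private static String stripGroupPrefix(String group, String prefix) {
        if (group == null) {
            return null;
        }
        if (group.startsWith(prefix)) {
            return group.substring(prefix.length());
        }
        int slash = group.indexOf("/");
        if (group.startsWith("group:") && slash > 0) {
            return group.substring(slash + 1);
        }
        return group;
    }

    /** The first activated resolver, or {@code null} when none is registered. */
    private static UserCredentialResolver firstUserResolver() {
        Iterator<UserCredentialResolver> services = activatedUserResolverRef.getServices();
        return services.hasNext() ? services.next() : null;
    }

    /** Debug trace; the message is only concatenated when debug tracing is enabled. */
    private static void debug(String label, Object value) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, label + value, new Object[0]);
        }
    }
}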
