package com.ibm.ws.webcontainer.security;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.audit.AuditEvent;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.audit.Audit;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.AuthenticationService;
import com.ibm.ws.security.authentication.cache.AuthCacheService;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.security.collaborator.CollaboratorUtils;
import com.ibm.ws.security.context.SubjectManager;
import com.ibm.ws.webcontainer.security.internal.BasicAuthAuthenticator;
import com.ibm.ws.webcontainer.security.internal.ChallengeReply;
import com.ibm.ws.webcontainer.security.internal.DenyReply;
import com.ibm.ws.webcontainer.security.internal.RedirectReply;
import com.ibm.ws.webcontainer.security.internal.SRTServletRequestUtils;
import com.ibm.ws.webcontainer.security.internal.SSOAuthenticator;
import com.ibm.ws.webcontainer.security.internal.TAIChallengeReply;
import com.ibm.ws.webcontainer.security.internal.WebReply;
import com.ibm.ws.webcontainer.session.IHttpSessionContext;
import com.ibm.ws.webcontainer.srt.SRTServletRequest;
import com.ibm.ws.webcontainer.webapp.WebApp;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import java.security.Principal;
import java.util.Enumeration;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

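@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.webcontainer.security_1.0.20.jar:com/ibm/ws/webcontainer/security/AuthenticateApi.class */
/**
 * Programmatic login/logout support for the web container security collaborator.
 *
 * <p>{@link #login} authenticates a user name/password pair through the supplied
 * {@code BasicAuthAuthenticator}, audits the outcome and binds the resulting subject
 * to the thread and SSO cookies. {@link #logout} (and its Servlet 3.0 / simple variants)
 * reverses that: it audits the termination, evicts the user and any presented SSO
 * token from the authentication cache, invalidates the HTTP session, clears the SSO
 * and referrer cookies and resets the thread subjects.
 *
 * <p>Instances keep per-call mutable state ({@code logoutSubject}, lazily resolved
 * services); they are not documented as thread-safe and should not be shared across
 * concurrent requests without external care.
 */
public class AuthenticateApi {
    static final String KEY_SECURITY_SERVICE = "securityService";
    // Present in the original class although it does not implement Serializable; kept for compatibility.
    static final long serialVersionUID = 4961033084277237683L;
    private static final TraceComponent tc = Tr.register(AuthenticateApi.class);
    protected static final WebReply DENY_AUTHN_FAILED = new DenyReply("AuthenticationFailed");

    /** Servlet-context attribute whose value "true" means JASPI authentication is active; login() is refused then. */
    private static final String JASPI_AUTHENTICATED_ATTR = "com.ibm.ws.security.jaspi.authenticated";
    /** Fallback SSO cookie name consulted when the configured cookie name yields no values. */
    private static final String LTPA_TOKEN2_COOKIE = "LtpaToken2";
    /** Key under which the JASPI service is registered in the web authenticator reference map. */
    private static final String JASPI_SERVICE_KEY = "com.ibm.ws.security.jaspi";
    private static final String FFDC_SOURCE = "com.ibm.ws.webcontainer.security.AuthenticateApi";

    protected AtomicServiceReference<SecurityService> securityServiceRef;
    private final SubjectManager subjectManager = new SubjectManager();
    private final SubjectHelper subjectHelper = new SubjectHelper();
    private final SSOCookieHelper ssoCookieHelper;
    // Resolved lazily by getAuthCacheService() when not available at construction time.
    private AuthCacheService authCacheService;
    private final CollaboratorUtils collabUtils;
    // Resolved lazily by createSubjectAndPushItOnThreadAsNeeded() when not available at construction time.
    private AuthenticationService authService;
    private final ConcurrentServiceReferenceMap<String, WebAuthenticator> webAuthenticatorRefs;
    private final ConcurrentServiceReferenceMap<String, UnprotectedResourceService> unprotectedResourceServiceRef;
    // Subject recovered from an SSO token during logout, exposed via returnSubjectOnLogout().
    private Subject logoutSubject;

    /**
     * Full constructor used by the collaborator.
     *
     * <p>If the security service is already resolvable from {@code atomicServiceReference},
     * the authentication service and its cache are captured now; otherwise they are
     * resolved lazily on first use.
     *
     * @param sSOCookieHelper                 helper that reads/writes SSO cookies
     * @param atomicServiceReference          reference to the security service (may be null)
     * @param collaboratorUtils               used to look up the user registry realm (may be null)
     * @param concurrentServiceReferenceMap   registered web authenticators, keyed by id
     * @param concurrentServiceReferenceMap2  registered unprotected-resource services, keyed by id
     */
    public AuthenticateApi(SSOCookieHelper sSOCookieHelper, AtomicServiceReference<SecurityService> atomicServiceReference, CollaboratorUtils collaboratorUtils, ConcurrentServiceReferenceMap<String, WebAuthenticator> concurrentServiceReferenceMap, ConcurrentServiceReferenceMap<String, UnprotectedResourceService> concurrentServiceReferenceMap2) {
        this.ssoCookieHelper = sSOCookieHelper;
        this.securityServiceRef = atomicServiceReference;
        this.collabUtils = collaboratorUtils;
        this.webAuthenticatorRefs = concurrentServiceReferenceMap;
        this.unprotectedResourceServiceRef = concurrentServiceReferenceMap2;
        SecurityService service = atomicServiceReference == null ? null : atomicServiceReference.getService();
        if (service != null) {
            this.authService = service.getAuthenticationService();
            if (this.authService != null) {
                this.authCacheService = this.authService.getAuthCacheService();
            }
        }
    }

    /**
     * Reduced constructor with an explicit authentication service and no security
     * service reference, collaborator utils or authenticator maps. Methods that
     * need those dependencies (realm lookup, JASPI, unprotected-resource logout)
     * degrade to their null-safe path.
     *
     * @param sSOCookieHelper         helper that reads/writes SSO cookies
     * @param authenticationService   authentication service to use (may be null)
     */
    public AuthenticateApi(SSOCookieHelper sSOCookieHelper, AuthenticationService authenticationService) {
        this.ssoCookieHelper = sSOCookieHelper;
        this.authService = authenticationService;
        this.securityServiceRef = null;
        this.collabUtils = null;
        this.webAuthenticatorRefs = null;
        this.unprotectedResourceServiceRef = null;
    }

    /**
     * Programmatic login (HttpServletRequest#login semantics).
     *
     * <p>Refuses to run while JASPI authentication is active, optionally replaces a
     * stale requested session, rejects (or, with {@code webAlwaysLogin}, logs out) an
     * already-authenticated caller, then performs basic authentication. Success is
     * audited with status 200 and the subject is bound to the thread and SSO cookies;
     * failure is audited with the status of the reply that would have been sent and
     * surfaces as a {@link ServletException} carrying the authenticator's reason.
     *
     * @param httpServletRequest       current request
     * @param httpServletResponse      current response
     * @param str                      user name
     * @param str2                     password (sensitive; never traced)
     * @param webAppSecurityConfig     web application security configuration
     * @param basicAuthAuthenticator   authenticator performing the credential check
     * @throws ServletException if JASPI is active, the caller is already authenticated
     *                          and {@code webAlwaysLogin} is off, or authentication fails
     */
    public void login(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, @Sensitive String str2, WebAppSecurityConfig webAppSecurityConfig, BasicAuthAuthenticator basicAuthAuthenticator) throws ServletException {
        String jaspiFlag = (String) httpServletRequest.getServletContext().getAttribute(JASPI_AUTHENTICATED_ATTR);
        if ("true".equals(jaspiFlag)) {
            throw new ServletException("The login method may not be invoked while JASPI authentication is active.");
        }
        // A stale session id presented by the client is replaced by a fresh session when
        // the configuration asks for logout on session expiry.
        if (httpServletRequest.getRequestedSessionId() != null
                && !httpServletRequest.isRequestedSessionIdValid()
                && webAppSecurityConfig.getLogoutOnHttpSessionExpire()) {
            httpServletRequest.getSession(true);
        }
        throwExceptionIfAlreadyAuthenticate(httpServletRequest, httpServletResponse, webAppSecurityConfig, str);

        AuthenticationResult result = basicAuthAuthenticator.basicAuthenticate(null, str, str2, httpServletRequest, httpServletResponse);
        if (result == null) {
            // The original code dereferenced a null result on the failure path (NPE);
            // treat a missing result as an authentication failure instead.
            throw new ServletException("Authentication failed: no result from basic authenticator");
        }
        if (result.getStatus() == AuthResult.SUCCESS) {
            Audit.audit(Audit.EventID.SECURITY_API_AUTHN_01, httpServletRequest, result, 200);
            postProgrammaticAuthenticate(httpServletRequest, httpServletResponse, result);
            return;
        }

        // Failure: audit with the status code the equivalent challenge/deny reply carries.
        String realm = result.realm;
        if (realm == null && this.collabUtils != null) {
            realm = this.collabUtils.getUserRegistryRealm(this.securityServiceRef);
        }
        WebReply failureReply = createReplyForAuthnFailure(result, realm);
        // createReplyForAuthnFailure() returns null for unmapped statuses; audit those as 401
        // rather than failing the audit call itself.
        int statusCode = failureReply == null ? HttpServletResponse.SC_UNAUTHORIZED : failureReply.getStatusCode();
        Audit.audit(Audit.EventID.SECURITY_API_AUTHN_01, httpServletRequest, result, Integer.valueOf(statusCode));
        throw new ServletException(result.getReason());
    }

    /**
     * Full programmatic logout.
     *
     * <p>Order matters: the unprotected-resource services are notified and any SSO
     * subject is pushed on the thread first so the audit record names the right
     * caller; the cache, session and cookies are only cleared afterwards, and the
     * thread subjects last. When a JASPI service is registered the audit is left to
     * it (see {@link #logoutServlet30}).
     *
     * @param httpServletRequest     current request
     * @param httpServletResponse    current response
     * @param webAppSecurityConfig   web application security configuration
     * @throws ServletException declared for API compatibility
     */
    public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, WebAppSecurityConfig webAppSecurityConfig) throws ServletException {
        logoutUnprotectedResourceServiceRef(httpServletRequest, httpServletResponse);
        createSubjectAndPushItOnThreadAsNeeded(httpServletRequest, httpServletResponse);
        AuthenticationResult terminateResult = new AuthenticationResult(AuthResult.SUCCESS, this.subjectManager.getCallerSubject());
        if (getJaspiService() == null) {
            terminateResult.setAuditCredType(httpServletRequest.getAuthType());
            terminateResult.setAuditOutcome("success");
            Audit.audit(Audit.EventID.SECURITY_API_AUTHN_TERMINATE_01, httpServletRequest, terminateResult, Integer.valueOf(httpServletResponse.getStatus()));
        }
        removeEntryFromAuthCache(httpServletRequest, httpServletResponse, webAppSecurityConfig);
        invalidateSession(httpServletRequest);
        this.ssoCookieHelper.removeSSOCookieFromResponse(httpServletResponse);
        this.ssoCookieHelper.createLogoutCookies(httpServletRequest, httpServletResponse);
        webAppSecurityConfig.createReferrerURLCookieHandler().clearReferrerURLCookie(httpServletRequest, httpServletResponse, "WASReqURL");
        SRTServletRequestUtils.removePrivateAttribute(httpServletRequest, "AUTH_TYPE");
        this.subjectManager.clearSubjects();
    }

    /**
     * Notifies every registered {@code UnprotectedResourceService} of the logout.
     *
     * <p>The session user name is looked up at most once, and only if at least one
     * service is registered. A null reference map (reduced constructor) or a service
     * that has since gone away is skipped rather than dereferenced.
     *
     * @param httpServletRequest    current request
     * @param httpServletResponse   current response
     */
    void logoutUnprotectedResourceServiceRef(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (this.unprotectedResourceServiceRef == null) {
            return;
        }
        boolean userNameResolved = false;
        String sessionUserName = null;
        for (String serviceKey : this.unprotectedResourceServiceRef.keySet()) {
            if (!userNameResolved) {
                userNameResolved = true;
                sessionUserName = getSessionUserName(httpServletRequest, httpServletResponse);
            }
            UnprotectedResourceService service = this.unprotectedResourceServiceRef.getService(serviceKey);
            if (service == null) {
                if (isDebugEnabled()) {
                    Tr.debug(tc, "no UnprotectedResourceService for key " + serviceKey, new Object[0]);
                }
                continue;
            }
            boolean loggedOut = service.logout(httpServletRequest, httpServletResponse, sessionUserName);
            if (isDebugEnabled()) {
                Tr.debug(tc, "logout return " + loggedOut + " on service " + service, new Object[0]);
            }
        }
    }

    /**
     * Returns the user name recorded on the HTTP session, if the request is an
     * {@code SRTServletRequest} with a web app and session context; otherwise null.
     *
     * @param httpServletRequest    current request
     * @param httpServletResponse   current response
     * @return the session user name or null when unavailable
     */
    String getSessionUserName(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!(httpServletRequest instanceof SRTServletRequest)) {
            if (isDebugEnabled()) {
                Tr.debug(tc, "Not a SRTServletRequest" + httpServletRequest, new Object[0]);
            }
            return null;
        }
        WebApp webApp = ((SRTServletRequest) httpServletRequest).getWebAppDispatcherContext().getWebApp();
        if (webApp == null) {
            if (isDebugEnabled()) {
                Tr.debug(tc, "no WebApp in SRTServletRequest", new Object[0]);
            }
            return null;
        }
        IHttpSessionContext sessionContext = webApp.getSessionContext();
        if (sessionContext == null) {
            if (isDebugEnabled()) {
                Tr.debug(tc, "no httpSessionContext in WebApp", new Object[0]);
            }
            return null;
        }
        String sessionUserName = sessionContext.getSessionUserName(httpServletRequest, httpServletResponse);
        if (isDebugEnabled()) {
            Tr.debug(tc, "getSessionUserName:" + sessionUserName, new Object[0]);
        }
        return sessionUserName;
    }

    /**
     * Reduced logout: audits the termination, invalidates the session, clears SSO
     * cookies and thread subjects. Unlike {@link #logout} it does not evict
     * authentication cache entries, clear the referrer cookie, or notify
     * unprotected-resource services.
     *
     * @param httpServletRequest    current request
     * @param httpServletResponse   current response
     */
    public void simpleLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        createSubjectAndPushItOnThreadAsNeeded(httpServletRequest, httpServletResponse);
        AuthenticationResult terminateResult = new AuthenticationResult(AuthResult.SUCCESS, this.subjectManager.getCallerSubject());
        terminateResult.setAuditCredType(httpServletRequest.getAuthType());
        terminateResult.setAuditOutcome("success");
        Audit.audit(Audit.EventID.SECURITY_API_AUTHN_TERMINATE_01, httpServletRequest, terminateResult, Integer.valueOf(httpServletResponse.getStatus()));
        invalidateSession(httpServletRequest);
        this.ssoCookieHelper.removeSSOCookieFromResponse(httpServletResponse);
        this.ssoCookieHelper.createLogoutCookies(httpServletRequest, httpServletResponse);
        this.subjectManager.clearSubjects();
    }

    /**
     * Records a logged-out SSO token in the distributed logged-out-token cache so a
     * replayed cookie is rejected after logout (the second argument is the literal
     * "userName" in the original code; its meaning is not visible here).
     *
     * @param str the SSO token value
     */
    private void addToLoggedOutTokenCache(String str) {
        LoggedOutTokenCacheImpl.getInstance().addTokenToDistributedMap(str, "userName");
    }

    /** Evicts both the user-keyed and the token-keyed authentication cache entries. */
    private void removeEntryFromAuthCache(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, WebAppSecurityConfig webAppSecurityConfig) {
        removeEntryFromAuthCacheForUser(httpServletRequest, httpServletResponse);
        removeEntryFromAuthCacheForToken(httpServletRequest, httpServletResponse, webAppSecurityConfig);
    }

    /**
     * Evicts every SSO token presented in the request cookies from the authentication
     * cache and, if tracking is enabled, records it as logged out.
     *
     * <p>Values are read from the configured SSO cookie; if none are present and the
     * configured name is not already "LtpaToken2", that cookie is tried as a fallback.
     * A failure on one token is FFDC-logged and warned about, and the loop continues
     * with the remaining tokens.
     */
    private void removeEntryFromAuthCacheForToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, WebAppSecurityConfig webAppSecurityConfig) {
        getAuthCacheService();
        if (this.authCacheService == null) {
            return;
        }
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return;
        }
        String ssoCookieName = this.ssoCookieHelper.getSSOCookiename();
        String[] tokens = CookieHelper.getCookieValues(cookies, ssoCookieName);
        if ((tokens == null || tokens.length == 0) && !LTPA_TOKEN2_COOKIE.equalsIgnoreCase(ssoCookieName)) {
            tokens = CookieHelper.getCookieValues(cookies, LTPA_TOKEN2_COOKIE);
        }
        if (isDebugEnabled()) {
            // Only the count is traced, never the token values themselves.
            Object tokenCount = tokens == null ? "<null>" : Integer.valueOf(tokens.length);
            Tr.debug(tc, "Cookie size: ", tokenCount);
        }
        if (tokens == null || tokens.length == 0) {
            return;
        }
        for (String token : tokens) {
            if (token == null || token.isEmpty()) {
                continue;
            }
            try {
                this.authCacheService.remove(token);
                if (webAppSecurityConfig.isTrackLoggedOutSSOCookiesEnabled()) {
                    addToLoggedOutTokenCache(token);
                }
            } catch (Exception e) {
                FFDCFilter.processException(e, FFDC_SOURCE, "324", this, new Object[]{httpServletRequest, httpServletResponse, webAppSecurityConfig});
                Tr.warning(tc, "AUTHENTICATE_CACHE_REMOVAL_EXCEPTION", resolveRemoteUser(httpServletRequest), e.toString());
            }
        }
    }

    /**
     * Lazily resolves {@code authCacheService} from the security service reference.
     * Leaves it null when the reference, the security service or the authentication
     * service is unavailable (the original chain dereferenced each unchecked).
     */
    private void getAuthCacheService() {
        if (this.authCacheService != null || this.securityServiceRef == null) {
            return;
        }
        SecurityService service = this.securityServiceRef.getService();
        AuthenticationService authenticationService = service == null ? null : service.getAuthenticationService();
        if (authenticationService != null) {
            this.authCacheService = authenticationService.getAuthCacheService();
        }
    }

    /**
     * Evicts the current user's entry from the authentication cache. The cache key is
     * "{@code realm:user}"; the realm prefix is added only when collaborator utils are
     * available and the user name does not already contain it.
     *
     * @param httpServletRequest    current request
     * @param httpServletResponse   unused; kept for signature compatibility
     */
    private void removeEntryFromAuthCacheForUser(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        getAuthCacheService();
        if (this.authCacheService == null) {
            return;
        }
        String remoteUser = resolveRemoteUser(httpServletRequest);
        if (remoteUser == null) {
            return;
        }
        if (this.collabUtils != null) {
            String realmPrefix = this.collabUtils.getUserRegistryRealm(this.securityServiceRef) + ":";
            if (!remoteUser.contains(realmPrefix)) {
                remoteUser = realmPrefix + remoteUser;
            }
        }
        this.authCacheService.remove(remoteUser);
    }

    /**
     * Returns the request's remote user name, falling back to the user principal's
     * name; null when neither is set.
     */
    private static String resolveRemoteUser(HttpServletRequest httpServletRequest) {
        String remoteUser = httpServletRequest.getRemoteUser();
        if (remoteUser != null) {
            return remoteUser;
        }
        Principal userPrincipal = httpServletRequest.getUserPrincipal();
        return userPrincipal == null ? null : userPrincipal.getName();
    }

    /**
     * Guards programmatic login against an already-authenticated caller.
     *
     * <p>Does nothing for an unauthenticated caller. With {@code webAlwaysLogin} the
     * existing identity is logged out so the new login can proceed; otherwise the
     * attempt is audited as a failure (401) and rejected.
     *
     * @param httpServletRequest     current request
     * @param httpServletResponse    current response
     * @param webAppSecurityConfig   web application security configuration
     * @param str                    user name being logged in (recorded as the audit credential)
     * @throws ServletException if a caller is already authenticated and {@code webAlwaysLogin} is off
     */
    public void throwExceptionIfAlreadyAuthenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, WebAppSecurityConfig webAppSecurityConfig, String str) throws ServletException {
        if (this.subjectHelper.isUnauthenticated(this.subjectManager.getCallerSubject())) {
            return;
        }
        if (webAppSecurityConfig.getWebAlwaysLogin()) {
            logout(httpServletRequest, httpServletResponse, webAppSecurityConfig);
            return;
        }
        AuthenticationResult failure = new AuthenticationResult(AuthResult.FAILURE, str);
        failure.setAuditCredType(httpServletRequest.getAuthType());
        failure.setAuditCredValue(str);
        failure.setAuditOutcome("failure");
        Audit.audit(Audit.EventID.SECURITY_API_AUTHN_01, httpServletRequest, failure, 401);
        throw new ServletException("Authentication had been already established");
    }

    /** Invalidates the existing HTTP session, if any; never creates one. */
    private void invalidateSession(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        if (session == null) {
            if (isDebugEnabled()) {
                Tr.debug(tc, "Existing HTTP Session does not exist, nothing to invalidate", new Object[0]);
            }
            return;
        }
        if (isDebugEnabled()) {
            Tr.debug(tc, "invalidating existing HTTP Session", new Object[0]);
        }
        session.invalidate();
    }

    /**
     * Binds a successful authentication result to the thread and the response.
     *
     * <p>The caller subject is replaced only if the current one is unauthenticated;
     * the invocation subject is always replaced. SSO cookies for the subject are
     * added to the response.
     *
     * @param httpServletRequest     current request
     * @param httpServletResponse    current response
     * @param authenticationResult   successful result whose subject is to be bound
     */
    public void postProgrammaticAuthenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationResult authenticationResult) {
        Subject subject = authenticationResult.getSubject();
        if (this.subjectHelper.isUnauthenticated(this.subjectManager.getCallerSubject())) {
            this.subjectManager.setCallerSubject(subject);
        }
        this.subjectManager.setInvocationSubject(subject);
        this.ssoCookieHelper.addSSOCookiesToResponse(subject, httpServletRequest, httpServletResponse);
    }

    /**
     * During logout, if no authenticated caller subject is on the thread, attempts
     * SSO from the request so the logout (and its audit) applies to the identity the
     * SSO token represents. Records that subject in {@code logoutSubject}.
     */
    private void createSubjectAndPushItOnThreadAsNeeded(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        this.logoutSubject = null;
        Subject callerSubject = this.subjectManager.getCallerSubject();
        if (callerSubject != null && !this.subjectHelper.isUnauthenticated(callerSubject)) {
            return;
        }
        if (this.authService == null && this.securityServiceRef != null) {
            SecurityService service = this.securityServiceRef.getService();
            if (service != null) {
                this.authService = service.getAuthenticationService();
            }
        }
        AuthenticationResult ssoResult = new SSOAuthenticator(this.authService, null, null, this.ssoCookieHelper).handleSSO(httpServletRequest, httpServletResponse);
        if (ssoResult != null && ssoResult.getStatus() == AuthResult.SUCCESS) {
            Subject ssoSubject = ssoResult.getSubject();
            this.subjectManager.setCallerSubject(ssoSubject);
            this.logoutSubject = ssoSubject;
        }
    }

    /**
     * Renders every request header as "name=[value]" lines, for debug tracing only.
     *
     * <p>The output includes credential-bearing headers (Authorization, Cookie, ...)
     * verbatim, so it must only ever be emitted to debug trace, never to warning,
     * audit or user-facing output.
     *
     * @param httpServletRequest current request (null yields null)
     * @return the rendered headers, or null when the request is null
     */
    String debugGetAllHttpHdrs(HttpServletRequest httpServletRequest) {
        if (httpServletRequest == null) {
            return null;
        }
        StringBuilder rendered = new StringBuilder(512);
        Enumeration<String> headerNames = httpServletRequest.getHeaderNames();
        while (headerNames != null && headerNames.hasMoreElements()) {
            String headerName = headerNames.nextElement();
            rendered.append(headerName).append("=");
            rendered.append("[").append(SRTServletRequestUtils.getHeader(httpServletRequest, headerName)).append("]\n");
        }
        return rendered.toString();
    }

    /** Returns the registered JASPI service, or null if none (or no authenticator map). */
    private JaspiService getJaspiService() {
        if (this.webAuthenticatorRefs == null) {
            return null;
        }
        return (JaspiService) this.webAuthenticatorRefs.getService(JASPI_SERVICE_KEY);
    }

    /**
     * Servlet 3.0 logout: lets the JASPI service (if any) clean up first, then runs
     * the full {@link #logout}. A JASPI {@code AuthenticationException} is FFDC-logged
     * and traced but does not prevent the container-side logout.
     *
     * @param httpServletRequest     current request
     * @param httpServletResponse    current response
     * @param webAppSecurityConfig   web application security configuration
     * @throws ServletException propagated from {@link #logout}
     */
    public void logoutServlet30(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, WebAppSecurityConfig webAppSecurityConfig) throws ServletException {
        JaspiService jaspiService = getJaspiService();
        if (jaspiService != null) {
            try {
                jaspiService.logout(httpServletRequest, httpServletResponse, webAppSecurityConfig);
            } catch (AuthenticationException e) {
                FFDCFilter.processException(e, FFDC_SOURCE, "512", this, new Object[]{httpServletRequest, httpServletResponse, webAppSecurityConfig});
                if (isDebugEnabled()) {
                    Tr.debug(tc, "AuthenticationException invoking JASPI service logout", e);
                }
            }
        }
        logout(httpServletRequest, httpServletResponse, webAppSecurityConfig);
    }

    /**
     * Maps a failed authentication result to the reply that would be sent.
     *
     * @param authenticationResult the failed result
     * @param str                  realm used for a 401 challenge
     * @return a deny, challenge, TAI challenge or redirect reply; {@code null} for a
     *         status not handled here (callers must null-check)
     */
    public WebReply createReplyForAuthnFailure(AuthenticationResult authenticationResult, String str) {
        switch (authenticationResult.getStatus()) {
            case FAILURE: {
                // A JASPIC-originated reason is surfaced verbatim; anything else gets the generic deny.
                String reason = authenticationResult.getReason();
                if (reason != null && reason.contains(AuditEvent.CRED_TYPE_JASPIC)) {
                    return new DenyReply(reason);
                }
                return DENY_AUTHN_FAILED;
            }
            case SEND_401:
                return new ChallengeReply(str);
            case TAI_CHALLENGE:
                return new TAIChallengeReply(authenticationResult.getTAIChallengeCode());
            case REDIRECT:
                return new RedirectReply(authenticationResult.getRedirectURL(), authenticationResult.getCookies());
            case UNKNOWN:
            case CONTINUE:
                if (isDebugEnabled()) {
                    Tr.debug(tc, "Authentication failed with status [" + authenticationResult.getStatus() + "] and reason [" + authenticationResult.getReason() + "]", new Object[0]);
                }
                return DENY_AUTHN_FAILED;
            default:
                return null;
        }
    }

    /**
     * Returns the subject recovered from an SSO token by the most recent logout call,
     * or null if none was needed or found.
     */
    public Subject returnSubjectOnLogout() {
        return this.logoutSubject;
    }

    /** True when debug tracing is on for this component. */
    private static boolean isDebugEnabled() {
        return TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
    }
}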
