package com.ibm.ws.wssecurity.cxf.validator;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.InjectedTrace;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.registry.RegistryException;
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.text.ParseException;
import java.text.ParsePosition;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.Validator;
import org.opensaml.ws.wssecurity.AttributedDateTime;

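/**
 * Validates a WS-Security {@code UsernameToken} against the Liberty user registry.
 *
 * <p>{@link #validate} dispatches on the token's password type:
 * <ul>
 *   <li>digest tokens: the configured callback handler supplies the expected
 *       password, the digest is recomputed over the token's nonce and Created
 *       value and compared in constant time, then the clear password is also
 *       checked against the registry;</li>
 *   <li>plaintext tokens: user and password are checked against the registry;</li>
 *   <li>tokens without a password: accepted only when policy permits a
 *       password-less token or the token is a derived-key token, and then only
 *       if the user exists in the registry;</li>
 *   <li>any other (custom) password type: rejected unless
 *       {@code WSSConfig.getHandleCustomPasswordTypes()} is set, and even then
 *       routed through the plaintext check, which only accepts PasswordText.</li>
 * </ul>
 * A {@code Created} timestamp, when present, is checked against the WSSConfig
 * TTL windows before any password work. A token without {@code Created} gets
 * no freshness check at all. This class keeps no nonce cache, so replay
 * protection for digest tokens must come from elsewhere in the pipeline, if
 * at all.
 *
 * <p>Trace and FFDC hooks are injected by the build's bytecode
 * instrumentation (the decompiled class carried {@code @InjectedTrace}
 * markers), so none are written by hand here. Passwords are never traced;
 * parameters that carry them are annotated {@code @Sensitive} so the RAS
 * layer redacts them.
 */
public class UsernameTokenValidator implements Validator {
    protected static final TraceComponent tc = Tr.register(UsernameTokenValidator.class, "wssecurity", "");
    private static SecurityService securityService = null;
    static final long serialVersionUID = 3464733876192653445L;

    // Fault codes handed to the WSSecurityException(int, ...) constructors.
    // Values are the ones the original class used; the names follow the
    // corresponding WSSecurityException constants (FAILURE,
    // FAILED_AUTHENTICATION, MESSAGE_EXPIRED).
    private static final int ERR_FAILURE = 0;
    private static final int ERR_FAILED_AUTHENTICATION = 5;
    private static final int ERR_MESSAGE_EXPIRED = 8;

    // Usage code given to the callback handler when asking for the password
    // that backs a UsernameToken (the original passed the literal 2).
    private static final int USAGE_USERNAME_TOKEN = 2;

    // Charset used to turn password/digest strings into bytes for the
    // constant-time comparison. Charset.forName keeps the class Java 6 clean.
    private static final Charset UTF8 = Charset.forName("UTF-8");

    public UsernameTokenValidator() {
    }

    /** Sets the SecurityService whose user registry backs every password and user check. */
    public static void setSecurityService(SecurityService securityService2) {
        securityService = securityService2;
    }

    /** Returns the SecurityService set via {@link #setSecurityService}, or null if none. */
    public static SecurityService getSecurityService() {
        return securityService;
    }

    /** True when debug trace is on; guards string building for trace lines. */
    private static boolean isDebug() {
        return TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
    }

    private static boolean isEmpty(String s) {
        return s == null || s.length() == 0;
    }

    /** Null, empty or whitespace-only password type counts as "unspecified". */
    private static boolean isBlankType(String passwordType) {
        return passwordType == null || "".equals(passwordType.trim());
    }

    /**
     * Compares two password/digest strings without short-circuiting on the
     * first differing byte, so a wrong guess costs the same time regardless
     * of how many leading characters were right. A null on either side is a
     * mismatch. {@code MessageDigest.isEqual} is constant-time for inputs of
     * equal length (JDK 6u17+ / 7+); the length itself is not hidden, which
     * is fine for fixed-length Base64 digests.
     */
    private static boolean constantTimeEquals(String expected, String received) {
        if (expected == null || received == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(UTF8), received.getBytes(UTF8));
    }

    /**
     * Validates the UsernameToken carried by {@code credential}.
     *
     * @param credential  the credential holding the token; must carry a UsernameToken
     * @param requestData CXF/WSS4J request context (WSSConfig, callback handler, message)
     * @return the same credential, once every applicable check has passed
     * @throws WSSecurityException FAILURE when no token is present;
     *         FAILED_AUTHENTICATION when the password type is not the required
     *         one, the password does not verify, or the type is unsupported;
     *         MESSAGE_EXPIRED when the Created timestamp is outside the TTL window
     */
    @Override
    public Credential validate(Credential credential, RequestData requestData) throws WSSecurityException {
        if (credential == null || credential.getUsernametoken() == null) {
            throw new WSSecurityException(ERR_FAILURE, "noCredential");
        }
        if (isDebug()) {
            Tr.debug(tc, "RequestData ClassName:" + requestData.getClass().getName(), new Object[0]);
            Object msgContext = requestData.getMsgContext();
            if (msgContext != null) {
                Tr.debug(tc, "MsgContext ClassName:" + msgContext.getClass().getName(), new Object[0]);
            } else {
                Tr.debug(tc, "MsgContext**** ClassName**** is null", new Object[0]);
            }
        }

        boolean handleCustomTypes = false;
        boolean passwordsAreEncoded = false;
        String requiredType = null;
        WSSConfig wssConfig = requestData.getWssConfig();
        if (wssConfig != null) {
            handleCustomTypes = wssConfig.getHandleCustomPasswordTypes();
            passwordsAreEncoded = wssConfig.getPasswordsAreEncoded();
            requiredType = wssConfig.getRequiredPasswordType();
        }

        UsernameToken token = credential.getUsernametoken();
        // Freshness first: a stale or far-future Created fails before any
        // callback or registry traffic happens.
        validateCreated(token, requestData);
        token.setPasswordsAreEncoded(passwordsAreEncoded);

        String passwordType = token.getPasswordType();
        if (isDebug()) {
            Tr.debug(tc, "UsernameToken user " + token.getName(), new Object[0]);
            Tr.debug(tc, "UsernameToken password type " + passwordType, new Object[0]);
        }
        if (requiredType != null && !requiredType.equals(passwordType)) {
            if (isDebug()) {
                Tr.debug(tc, "Authentication failed as the received password type does not match the required password type of: " + requiredType, new Object[0]);
            }
            throw new WSSecurityException(ERR_FAILED_AUTHENTICATION);
        }

        String password = token.getPassword();
        if (token.isHashed()) {
            verifyDigestPassword(token, requestData);
        } else if (WSConstants.PASSWORD_TEXT.equals(passwordType) || (password != null && isBlankType(passwordType))) {
            verifyPlaintextPassword(token, requestData);
        } else if (password == null) {
            verifyUnknownPassword(token, requestData);
        } else if (handleCustomTypes) {
            verifyCustomPassword(token, requestData);
        } else {
            if (isDebug()) {
                Tr.debug(tc, "Authentication failed as handleCustomUsernameTokenTypes is false", new Object[0]);
            }
            throw new WSSecurityException(ERR_FAILED_AUTHENTICATION);
        }
        return credential;
    }

    /**
     * Handles a custom password type when WSSConfig allows them. This
     * implementation simply delegates to the plaintext check, which rejects
     * anything but PasswordText, so custom types are effectively refused
     * unless a subclass overrides this method.
     */
    protected void verifyCustomPassword(@Sensitive UsernameToken usernameToken, RequestData requestData) throws WSSecurityException {
        verifyPlaintextPassword(usernameToken, requestData);
    }

    /**
     * Verifies a PasswordText token against the user registry.
     *
     * @throws WSSecurityException FAILED_AUTHENTICATION if the token is hashed,
     *         its type is not PasswordText, the user name or password is empty,
     *         or the registry rejects the pair
     */
    protected void verifyPlaintextPassword(@Sensitive UsernameToken usernameToken, RequestData requestData) throws WSSecurityException {
        String name = usernameToken.getName();
        String passwordType = usernameToken.getPasswordType();
        if (isDebug()) {
            Tr.debug(tc, "UsernameToken user " + name, new Object[0]);
            Tr.debug(tc, "UsernameToken password type " + passwordType, new Object[0]);
        }
        if (usernameToken.isHashed() || !WSConstants.PASSWORD_TEXT.equals(passwordType)) {
            throw new WSSecurityException(ERR_FAILED_AUTHENTICATION);
        }
        String password = usernameToken.getPassword();
        // An empty user or password is never a valid registry login.
        if (isEmpty(name) || isEmpty(password)) {
            throw new WSSecurityException(ERR_FAILED_AUTHENTICATION);
        }
        checkUserAndPassword(name, password);
    }

    /**
     * Checks a user/password pair against the registry.
     *
     * @param user     user name from the token
     * @param password clear-text password (never traced)
     * @return the authenticated principal name returned by the registry
     * @throws WSSecurityException FAILED_AUTHENTICATION when no SecurityService
     *         is configured or the registry returns no principal; a wrapped
     *         exception (cause preserved) when the registry itself fails
     */
    protected String checkUserAndPassword(String user, @Sensitive String password) throws WSSecurityException {
        if (securityService == null) {
            // Without a registry nobody can be authenticated: fail closed
            // rather than NPE out of the validator.
            if (isDebug()) {
                Tr.debug(tc, "No SecurityService is available to validate user " + user, new Object[0]);
            }
            throw new WSSecurityException(ERR_FAILED_AUTHENTICATION);
        }
        String principal;
        try {
            principal = securityService.getUserRegistryService().getUserRegistry().checkPassword(user, password);
        } catch (RegistryException e) {
            if (isDebug()) {
                Tr.debug(tc, "Caught exception getting the access id for " + user + ": " + e, new Object[0]);
            }
            // Keep the registry failure as the cause so the root error is diagnosable.
            throw new WSSecurityException(e.getMessage(), e);
        }
        if (isDebug()) {
            Tr.debug(tc, "Authenticated principal for " + user + " is  " + principal, new Object[0]);
        }
        if (principal == null) {
            if (isDebug()) {
                Tr.debug(tc, "User " + user + " could not be validated.", new Object[0]);
            }
            throw new WSSecurityException(ERR_FAILED_AUTHENTICATION);
        }
        if (isDebug()) {
            Tr.debug(tc, "UsernameToken for " + user + " has been validated.", new Object[0]);
        }
        return principal;
    }

    /**
     * Checks that {@code user} exists in the registry (no password involved).
     *
     * @return true when the registry reports the user as valid
     * @throws WSSecurityException FAILED_AUTHENTICATION when no SecurityService
     *         is configured or the user is unknown; a wrapped exception (cause
     *         preserved) when the registry itself fails
     */
    protected boolean checkUser(String user) throws WSSecurityException {
        if (securityService == null) {
            if (isDebug()) {
                Tr.debug(tc, "No SecurityService is available to validate user " + user, new Object[0]);
            }
            throw new WSSecurityException(ERR_FAILED_AUTHENTICATION);
        }
        boolean valid;
        try {
            valid = securityService.getUserRegistryService().getUserRegistry().isValidUser(user);
        } catch (RegistryException e) {
            if (isDebug()) {
                Tr.debug(tc, "Caught exception getting the access id for " + user + ": " + e, new Object[0]);
            }
            throw new WSSecurityException(e.getMessage(), e);
        }
        if (isDebug()) {
            Tr.debug(tc, "User " + user + " is valid " + valid, new Object[0]);
        }
        if (!valid) {
            throw new WSSecurityException(ERR_FAILED_AUTHENTICATION);
        }
        return true;
    }

    /**
     * Verifies a PasswordDigest token.
     *
     * <p>The callback handler is asked for the user's password; the expected
     * digest is recomputed over the token's nonce and Created value (the
     * callback password is Base64-decoded first when WSSConfig says passwords
     * are encoded) and compared in constant time with the received digest.
     * The clear password from the callback is then also checked against the
     * registry, so a callback that hands back a password the registry does
     * not accept still fails.
     *
     * @throws WSSecurityException FAILURE when no callback handler is
     *         configured; FAILED_AUTHENTICATION when the callback supplies no
     *         password, fails, or the digest does not match
     */
    protected void verifyDigestPassword(@Sensitive UsernameToken usernameToken, RequestData requestData) throws WSSecurityException {
        CallbackHandler handler = requestData.getCallbackHandler();
        if (handler == null) {
            throw new WSSecurityException(ERR_FAILURE, "noCallback");
        }
        String name = usernameToken.getName();
        String receivedPassword = usernameToken.getPassword();
        String nonce = usernameToken.getNonce();
        String created = usernameToken.getCreated();
        String passwordType = usernameToken.getPasswordType();
        boolean passwordsAreEncoded = usernameToken.getPasswordsAreEncoded();

        WSPasswordCallback callback = new WSPasswordCallback(name, null, passwordType, USAGE_USERNAME_TOKEN, requestData);
        String expectedPassword;
        try {
            handler.handle(new Callback[] { callback });
            expectedPassword = callback.getPassword();
            if (expectedPassword == null) {
                if (isDebug()) {
                    Tr.debug(tc, "Callback supplied no password for: " + name, new Object[0]);
                }
                throw new WSSecurityException(ERR_FAILED_AUTHENTICATION);
            }
            String expected;
            if (usernameToken.isHashed()) {
                // Digest computation stays inside the try so a malformed
                // Base64 callback password is handled the same way the
                // original did (IOException path).
                expected = passwordsAreEncoded
                        ? UsernameToken.doPasswordDigest(nonce, created, Base64.decode(expectedPassword))
                        : UsernameToken.doPasswordDigest(nonce, created, expectedPassword);
            } else {
                expected = expectedPassword;
            }
            if (!constantTimeEquals(expected, receivedPassword)) {
                throw new WSSecurityException(ERR_FAILED_AUTHENTICATION);
            }
        } catch (IOException e) {
            if (isDebug()) {
                Tr.debug(tc, e.getMessage(), new Object[0]);
            }
            throw new WSSecurityException(ERR_FAILED_AUTHENTICATION, null, null, e);
        } catch (UnsupportedCallbackException e) {
            if (isDebug()) {
                Tr.debug(tc, e.getMessage(), new Object[0]);
            }
            throw new WSSecurityException(ERR_FAILED_AUTHENTICATION, null, null, e);
        }
        checkUserAndPassword(name, expectedPassword);
    }

    /**
     * Handles a token that carries no password value.
     *
     * <p>A token with no Password element (null type) is accepted only when
     * the message's policy permits a password-less UsernameToken or the token
     * is a derived-key token, and then only if the user exists in the
     * registry. A token whose Password element has a Type but no value used
     * to fall straight through here and be returned as validated; that is
     * now refused, since no check of any kind was performed on it.
     *
     * @throws WSSecurityException FAILED_AUTHENTICATION when the token is not
     *         allowed without a password or the user is unknown
     */
    protected void verifyUnknownPassword(@Sensitive UsernameToken usernameToken, RequestData requestData) throws WSSecurityException {
        if (usernameToken.getPasswordType() != null) {
            // Typed password element with no value: nothing verifies it, so
            // fail closed instead of silently accepting the token.
            if (isDebug()) {
                Tr.debug(tc, "Authentication failed as the UsernameToken has password type " + usernameToken.getPasswordType() + " but no password value", new Object[0]);
            }
            throw new WSSecurityException(ERR_FAILED_AUTHENTICATION);
        }
        boolean policyAllowsNoPassword = false;
        Object msgContext = requestData.getMsgContext();
        if (msgContext == null) {
            if (isDebug()) {
                Tr.debug(tc, "MsgContext**** is null", new Object[0]);
            }
        } else {
            if (isDebug()) {
                Tr.debug(tc, "MsgContext ClassName:" + msgContext.getClass().getName(), new Object[0]);
            }
            if (msgContext instanceof SoapMessage) {
                policyAllowsNoPassword = Utils.checkPolicyNoPassword((SoapMessage) msgContext);
            }
            if (isDebug()) {
                Tr.debug(tc, "Policy NoPassword is " + policyAllowsNoPassword, new Object[0]);
            }
        }
        if (!policyAllowsNoPassword && !usernameToken.isDerivedKey()) {
            throw new WSSecurityException(ERR_FAILED_AUTHENTICATION);
        }
        if (!checkUser(usernameToken.getName())) {
            throw new WSSecurityException(ERR_FAILED_AUTHENTICATION);
        }
    }

    /**
     * Checks the token's Created timestamp against the WSSConfig TTL windows.
     * A missing or empty Created is accepted without any freshness check.
     *
     * @throws WSSecurityException if WSSConfig is absent, the timestamp cannot
     *         be parsed, or it is outside the window (MESSAGE_EXPIRED)
     */
    protected void validateCreated(@Sensitive UsernameToken usernameToken, RequestData requestData) throws WSSecurityException {
        String created = usernameToken.getCreated();
        if (created == null || created.isEmpty()) {
            return;
        }
        WSSConfig wssConfig = requestData.getWssConfig();
        if (wssConfig == null) {
            throw new WSSecurityException("WSSConfig cannot be null");
        }
        if (!verifyCreated(created, wssConfig.getTimeStampTTL(), wssConfig.getTimeStampFutureTTL())) {
            throw new WSSecurityException(ERR_MESSAGE_EXPIRED);
        }
    }

    /**
     * Returns true when {@code created} lies within
     * {@code [now - ttlSeconds, now + futureTtlSeconds]}. A future TTL of zero
     * or less allows no clock skew into the future (the upper bound is now).
     * Arithmetic is done in long so a large TTL cannot overflow the int
     * millisecond product and turn the window inside out.
     *
     * @throws WSSecurityException if {@code created} cannot be parsed
     */
    protected boolean verifyCreated(String created, int ttlSeconds, int futureTtlSeconds) throws WSSecurityException {
        long now = System.currentTimeMillis();
        long latest = futureTtlSeconds > 0 ? now + futureTtlSeconds * 1000L : now;
        Date createdDate = convertDate(created);
        if (createdDate == null) {
            return true;
        }
        long createdMillis = createdDate.getTime();
        if (createdMillis > latest) {
            return false;
        }
        long earliest = now - ttlSeconds * 1000L;
        return createdMillis >= earliest;
    }

    /**
     * Parses a Created value in the WS-Security dateTime format
     * ({@code AttributedDateTime.DEFAULT_DATETIME_FORMAT}) as UTC.
     * Parsing is strict: lenient field roll-over is off and the whole string
     * must be consumed, so out-of-range fields or trailing text are rejected
     * rather than quietly normalised.
     *
     * @throws WSSecurityException when the value does not match the format
     */
    public static Date convertDate(String created) throws WSSecurityException {
        SimpleDateFormat format = new SimpleDateFormat(AttributedDateTime.DEFAULT_DATETIME_FORMAT, Locale.US);
        format.setTimeZone(TimeZone.getTimeZone("UTC"));
        format.setLenient(false);
        ParsePosition position = new ParsePosition(0);
        Date parsed = created == null ? null : format.parse(created, position);
        if (parsed == null || position.getIndex() != created.length()) {
            if (isDebug()) {
                Tr.debug(tc, "Caught exception while parse a timestamp as '" + created + "'", new Object[0]);
            }
            throw new WSSecurityException("Can not parse TimeStamp :" + created);
        }
        return parsed;
    }
}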
