package com.ibm.ws.security.authentication.internal;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.InjectedTrace;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.common.internal.encoder.Base64Coder;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.security.authentication.AuthenticationData;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.AuthenticationService;
import com.ibm.ws.security.authentication.WSAuthenticationData;
import com.ibm.ws.security.authentication.cache.AuthCacheService;
import com.ibm.ws.security.authentication.callback.CallbackHandlerAuthenticationData;
import com.ibm.ws.security.authentication.internal.cache.keyproviders.BasicAuthCacheKeyProvider;
import com.ibm.ws.security.authentication.internal.cache.keyproviders.CustomCacheKeyProvider;
import com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.security.delegation.DelegationProvider;
import com.ibm.ws.security.registry.RegistryException;
import com.ibm.ws.security.registry.UserRegistryService;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.library.Library;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.locks.ReentrantLock;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;

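/**
 * Declarative-services implementation of {@link AuthenticationService}.
 * <p>
 * Every authentication request is first looked up in the bound {@link AuthCacheService}
 * (when one is available); on a miss the request is handed to the bound {@link JAASService}
 * and the resulting {@link Subject} is inserted into the cache. While a cache service is
 * available, requests are serialised through {@link AuthenticationGuard}, which hands out a
 * {@link ReentrantLock} per authentication data (presumably so that concurrent logins with the
 * same credentials do not all fall through to JAAS — confirm against AuthenticationGuard).
 * <p>
 * Cache lookups are keyed, in order of preference, by a base64 token, a raw token, a
 * userid/password pair, or attributes carried in the caller-supplied Subject hashtable.
 * <p>
 * NOTE(review): {@code cacheEnabled} and {@code allowHashtableLoginWithIdOnly} are plain
 * fields written by the DS lifecycle methods and read by request threads; nothing here
 * guarantees cross-thread visibility — confirm whether DS ordering is relied upon.
 */
@TraceOptions(traceGroups = {}, traceGroup = "", messageBundle = "com.ibm.ws.security.authentication.internal.resources.AuthenticationMessages", traceExceptionThrow = false, traceExceptionHandling = false)
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.authentication.builtin_1.0.6.jar:com/ibm/ws/security/authentication/internal/AuthenticationServiceImpl.class */
public class AuthenticationServiceImpl implements AuthenticationService {
    /** NLS bundle used for both trace registration and the formatted exception messages. */
    private static final String MESSAGE_BUNDLE = "com.ibm.ws.security.authentication.internal.resources.AuthenticationMessages";
    private static final TraceComponent tc = Tr.register((Class<?>) AuthenticationServiceImpl.class, "Authentication", MESSAGE_BUNDLE);
    /** Config key backing {@link #isAllowHashTableLoginWithIdOnly()}. */
    static final String CFG_ALLOW_HASHTABLE_LOGIN_WITH_ID_ONLY = "allowHashtableLoginWithIdOnly";
    /** Config key: when false the auth cache service reference is deactivated, so lookups and inserts are skipped. */
    static final String CFG_CACHE_ENABLED = "cacheEnabled";
    static final String KEY_AUTH_CACHE_SERVICE = "authCacheService";
    static final String KEY_USER_REGISTRY_SERVICE = "userRegistryService";
    static final String KEY_DELEGATION_PROVIDER = "delegationProvider";
    static final String KEY_DEFAULT_DELEGATION_PROVIDER = "defaultDelegationProvider";
    /**
     * Subject hashtable marker that must be {@code Boolean.TRUE} for a caller-supplied cache key
     * to be honoured; it is removed from the hashtable as soon as it has been read.
     */
    static final String WSCREDENTIAL_CACHE_KEY_INTERNAL_ASSERTION = "com.ibm.ws.authentication.internal.key.assertion";
    /**
     * Realm used for cache lookup keys when no registry is configured or the registry cannot be
     * queried. The literal looks like a truncated "defaultRealm" but is kept byte-for-byte because
     * it participates in the cache key format — verify against the realm used on insert before
     * changing it.
     */
    private static final String FALLBACK_REALM = "defaultReal";
    private JAASService jaasService;
    private ComponentContext cc;
    static final long serialVersionUID = -2769020573315772735L;
    private final AtomicServiceReference<AuthCacheService> authCacheServiceRef = new AtomicServiceReference<>(KEY_AUTH_CACHE_SERVICE);
    private final AtomicServiceReference<UserRegistryService> userRegistryServiceRef = new AtomicServiceReference<>(KEY_USER_REGISTRY_SERVICE);
    private final AtomicServiceReference<DelegationProvider> delegationProviderRef = new AtomicServiceReference<>(KEY_DELEGATION_PROVIDER);
    private final AtomicServiceReference<DelegationProvider> defaultDelegationProviderRef = new AtomicServiceReference<>(KEY_DEFAULT_DELEGATION_PROVIDER);
    private boolean cacheEnabled = true;
    private boolean allowHashtableLoginWithIdOnly = false;
    private final AuthenticationGuard authenticationGuard = new AuthenticationGuard();

    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public AuthenticationServiceImpl() {
    }

    /**
     * DS bind method for the JAAS service. A {@link JAASServiceImpl} is additionally told about
     * this service so it can call back into it.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void setJaasService(JAASService jAASService) {
        this.jaasService = jAASService;
        if (jAASService instanceof JAASServiceImpl) {
            JAASServiceImpl.setAuthenticationService(this);
        }
    }

    /** DS unbind method; only clears the field if the departing service is the one currently bound. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void unsetJaasService(JAASService jAASService) {
        if (this.jaasService == jAASService) {
            this.jaasService = null;
            JAASServiceImpl.unsetAuthenticationService(this);
        }
    }

    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void setAuthCacheService(ServiceReference<AuthCacheService> serviceReference) {
        this.authCacheServiceRef.setReference(serviceReference);
    }

    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void unsetAuthCacheService(ServiceReference<AuthCacheService> serviceReference) {
        this.authCacheServiceRef.unsetReference(serviceReference);
    }

    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void setUserRegistryService(ServiceReference<UserRegistryService> serviceReference) {
        this.userRegistryServiceRef.setReference(serviceReference);
    }

    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void unsetUserRegistryService(ServiceReference<UserRegistryService> serviceReference) {
        this.userRegistryServiceRef.unsetReference(serviceReference);
    }

    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void setDelegationProvider(ServiceReference<DelegationProvider> serviceReference) {
        this.delegationProviderRef.setReference(serviceReference);
    }

    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void unsetDelegationProvider(ServiceReference<DelegationProvider> serviceReference) {
        this.delegationProviderRef.unsetReference(serviceReference);
    }

    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void setDefaultDelegationProvider(ServiceReference<DelegationProvider> serviceReference) {
        this.defaultDelegationProviderRef.setReference(serviceReference);
    }

    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void unsetDefaultDelegationProvider(ServiceReference<DelegationProvider> serviceReference) {
        this.defaultDelegationProviderRef.unsetReference(serviceReference);
    }

    /**
     * Re-reads the configuration and activates or deactivates the auth cache reference to match
     * {@code cacheEnabled}. A deactivated reference makes {@link #getAuthCacheService()} return
     * null, which is how "cache disabled" is expressed to the lookup/insert paths.
     *
     * @param map DS configuration properties
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void updateCacheState(Map<String, Object> map) {
        getAuthenticationConfig(map);
        if (this.cacheEnabled) {
            this.authCacheServiceRef.activate(this.cc);
        } else {
            this.authCacheServiceRef.deactivate(this.cc);
        }
    }

    /**
     * Copies the two boolean settings out of the DS configuration. A missing key leaves the
     * current value untouched, so defaults (cache on, id-only hashtable login off) survive
     * a configuration that omits them.
     *
     * @param map DS configuration properties
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void getAuthenticationConfig(Map<String, Object> map) {
        Boolean allowIdOnly = (Boolean) map.get(CFG_ALLOW_HASHTABLE_LOGIN_WITH_ID_ONLY);
        if (allowIdOnly != null) {
            this.allowHashtableLoginWithIdOnly = allowIdOnly.booleanValue();
        }
        Boolean cacheOn = (Boolean) map.get(CFG_CACHE_ENABLED);
        if (cacheOn != null) {
            this.cacheEnabled = cacheOn.booleanValue();
        }
    }

    /** DS activate: stores the component context, activates every service reference, applies config. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void activate(ComponentContext componentContext, Map<String, Object> map) {
        this.cc = componentContext;
        this.authCacheServiceRef.activate(componentContext);
        this.userRegistryServiceRef.activate(componentContext);
        this.delegationProviderRef.activate(componentContext);
        this.defaultDelegationProviderRef.activate(componentContext);
        updateCacheState(map);
    }

    /** DS modified: re-applies configuration without restarting the component. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void modified(Map<String, Object> map) {
        updateCacheState(map);
    }

    /** DS deactivate: releases every service reference and detaches from the JAAS service. */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    protected void deactivate() {
        this.authCacheServiceRef.deactivate(this.cc);
        this.userRegistryServiceRef.deactivate(this.cc);
        this.delegationProviderRef.deactivate(this.cc);
        this.defaultDelegationProviderRef.deactivate(this.cc);
        JAASServiceImpl.unsetAuthenticationService(this);
        this.cc = null;
    }

    /**
     * Authenticates with an empty {@link WSAuthenticationData}, i.e. relying entirely on the
     * supplied Subject (hashtable lookup) and the JAAS configuration.
     *
     * @param str     JAAS entry name
     * @param subject partial Subject, may be null
     * @return the authenticated Subject
     * @throws AuthenticationException if the cache lookup or the JAAS login fails
     */
    @Override
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public Subject authenticate(String str, Subject subject) throws AuthenticationException {
        return authenticate(str, new WSAuthenticationData(), subject);
    }

    /**
     * Cache-first authentication: returns the cached Subject for {@code authenticationData} if
     * there is one, otherwise performs a JAAS login and caches the result. The whole sequence
     * runs under the guard lock when a cache service is available.
     *
     * @param str                JAAS entry name
     * @param authenticationData credentials / token to authenticate
     * @param subject            partial Subject, may be null
     * @return the authenticated Subject
     * @throws AuthenticationException if the cache lookup or the JAAS login fails
     */
    @Override
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public Subject authenticate(String str, AuthenticationData authenticationData, Subject subject) throws AuthenticationException {
        ReentrantLock lock = optionallyObtainLockedLock(authenticationData);
        try {
            Subject cached = findSubjectInAuthCache(authenticationData, subject);
            if (cached != null) {
                return cached;
            }
            Subject authenticated = performJAASLogin(str, authenticationData, subject);
            insertSubjectInAuthCache(authenticationData, authenticated);
            return authenticated;
        } finally {
            releaseLock(authenticationData, lock);
        }
    }

    /**
     * Same cache-first flow as {@link #authenticate(String, AuthenticationData, Subject)}, but
     * the authentication data is first extracted from the callback handler and the JAAS login
     * itself is driven by the handler. Any failure is recorded via FFDC and surfaced as an
     * {@link AuthenticationException} carrying the original message.
     *
     * @param str             JAAS entry name
     * @param callbackHandler source of the credentials
     * @param subject         partial Subject, may be null
     * @return the authenticated Subject
     * @throws AuthenticationException on any failure, including failure to extract the data
     */
    @Override
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public Subject authenticate(String str, CallbackHandler callbackHandler, Subject subject) throws AuthenticationException {
        try {
            AuthenticationData authenticationData = new CallbackHandlerAuthenticationData(callbackHandler).createAuthenticationData();
            ReentrantLock lock = optionallyObtainLockedLock(authenticationData);
            try {
                Subject cached = findSubjectInAuthCache(authenticationData, subject);
                if (cached != null) {
                    return cached;
                }
                Subject authenticated = performJAASLogin(str, callbackHandler, subject);
                insertSubjectInAuthCache(authenticationData, authenticated);
                return authenticated;
            } finally {
                releaseLock(authenticationData, lock);
            }
        } catch (Exception e) {
            // Probe id "201" is the original source line of this catch; kept so existing FFDC
            // incidents remain correlatable.
            // NOTE(review): the context array includes the CallbackHandler and Subject — confirm
            // the FFDC formatter does not dump credential material held by them.
            FFDCFilter.processException(e, "com.ibm.ws.security.authentication.internal.AuthenticationServiceImpl", "201", this, new Object[]{str, callbackHandler, subject});
            // The message belongs to the failure itself. The decompiled form read it from the
            // authentication-data local, which is still null when createAuthenticationData()
            // is what threw — an NPE that masked the real cause.
            throw new AuthenticationException(e.getLocalizedMessage());
        }
    }

    /**
     * Obtains and locks the guard lock for this authentication data, but only when a cache
     * service is available; without a cache there is nothing to serialise.
     *
     * @return the locked lock, or null when no cache service is bound
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private ReentrantLock optionallyObtainLockedLock(AuthenticationData authenticationData) {
        if (!isAuthCacheServiceAvailable()) {
            return null;
        }
        ReentrantLock lock = this.authenticationGuard.requestAccess(authenticationData);
        lock.lock();
        return lock;
    }

    /** True when the auth cache reference currently resolves to a service (bound and activated). */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private boolean isAuthCacheServiceAvailable() {
        return getAuthCacheService() != null;
    }

    /**
     * Hands the lock back to the guard. {@code lock} is null whenever
     * {@link #optionallyObtainLockedLock} found no cache service; relinquishAccess is assumed to
     * accept that — confirm in AuthenticationGuard.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void releaseLock(AuthenticationData authenticationData, ReentrantLock lock) {
        this.authenticationGuard.relinquishAccess(authenticationData, lock);
    }

    /**
     * Looks the request up in the auth cache by the first available key, in this order:
     * base64 token, raw token, userid+password, then attributes in the caller's Subject.
     *
     * @return the cached Subject, or null if there is no cache service or no hit
     * @throws AuthenticationException if a token is present but cannot be resolved (see
     *         {@link #findSubjectByTokenContents})
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private Subject findSubjectInAuthCache(AuthenticationData authenticationData, Subject subject) throws AuthenticationException {
        AuthCacheService cache = getAuthCacheService();
        if (cache == null) {
            return null;
        }
        String token64 = (String) authenticationData.get(AuthenticationData.TOKEN64);
        if (token64 != null) {
            return findSubjectByTokenContents(cache, token64, null);
        }
        byte[] token = (byte[]) authenticationData.get(AuthenticationData.TOKEN);
        if (token != null) {
            return findSubjectByTokenContents(cache, token, token);
        }
        String userName = (String) authenticationData.get(AuthenticationData.USERNAME);
        String password = getPassword((char[]) authenticationData.get(AuthenticationData.PASSWORD));
        if (userName != null && password != null) {
            return findSubjectByUseridAndPassword(cache, userName, password);
        }
        if (subject != null) {
            return findSubjectBySubjectHashtable(cache, subject);
        }
        return null;
    }

    /**
     * Resolves a token to a cached Subject. The token itself is tried as the key first; on a
     * miss the token bytes are passed to {@link CustomCacheKeyProvider} and, if that yields a
     * custom key, that key must hit the cache.
     *
     * @param cache      the auth cache service (non-null)
     * @param tokenKey   the token as supplied (base64 String or raw byte[]), used as the primary key
     * @param tokenBytes the raw token bytes when already known, else null (decoded from tokenKey)
     * @return the cached Subject, or null when the token misses and no custom key is derived
     * @throws AuthenticationException when the token cannot be decoded, or a derived custom key
     *         misses the cache (the caller is expected to re-challenge)
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private Subject findSubjectByTokenContents(AuthCacheService cache, Object tokenKey, byte[] tokenBytes) throws AuthenticationException {
        Subject byToken = cache.getSubject(tokenKey);
        if (byToken != null) {
            return byToken;
        }
        byte[] rawToken = tokenBytes;
        if (rawToken == null && tokenKey != null) {
            // Base64 text is ASCII by definition; pin the charset instead of the platform default.
            rawToken = Base64Coder.base64Decode(tokenKey.toString().getBytes(StandardCharsets.US_ASCII));
        }
        if (rawToken == null) {
            throw new AuthenticationException("Invalid LTPA Token");
        }
        String[] customCacheKey = CustomCacheKeyProvider.getCustomCacheKey(cache, rawToken);
        if (customCacheKey == null || customCacheKey.length == 0) {
            return null;
        }
        Subject byCustomKey = cache.getSubject(customCacheKey);
        if (byCustomKey == null) {
            throw new AuthenticationException("Custom cache key missed authentication cache. Need to re-challenge the user to login again.");
        }
        return byCustomKey;
    }

    /**
     * Cache lookup keyed by realm, userid and password.
     *
     * @param password the clear-text password; part of the lookup key, hence {@code @Sensitive}
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private Subject findSubjectByUseridAndPassword(AuthCacheService cache, String userName, @Sensitive String password) {
        return cache.getSubject(BasicAuthCacheKeyProvider.createLookupKey(getRealm(), userName, password));
    }

    /**
     * Cache lookup driven by the caller-supplied Subject's hashtable. A
     * {@code com.ibm.wsspi.security.cred.cacheKey} entry is only used when it is accompanied by
     * {@link #WSCREDENTIAL_CACHE_KEY_INTERNAL_ASSERTION} = TRUE; otherwise the WSCREDENTIAL
     * userid (and password, when present) form a basic-auth lookup key.
     *
     * @return the cached Subject, or null when neither hashtable yields a hit
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private Subject findSubjectBySubjectHashtable(AuthCacheService cache, Subject subject) {
        SubjectHelper subjectHelper = new SubjectHelper();
        Hashtable<String, ?> cacheKeyProps = subjectHelper.getHashtableFromSubject(subject, new String[]{"com.ibm.wsspi.security.cred.cacheKey"});
        if (cacheKeyProps != null) {
            String cacheKey = (String) cacheKeyProps.get("com.ibm.wsspi.security.cred.cacheKey");
            Boolean internallyAsserted = (Boolean) cacheKeyProps.get(WSCREDENTIAL_CACHE_KEY_INTERNAL_ASSERTION);
            if (internallyAsserted != null) {
                // The marker is consumed on first read; presumably so an assertion is honoured for
                // this lookup only — confirm against the code that sets it.
                cacheKeyProps.remove(WSCREDENTIAL_CACHE_KEY_INTERNAL_ASSERTION);
            }
            if (cacheKey != null && Boolean.TRUE.equals(internallyAsserted)) {
                return cache.getSubject(cacheKey);
            }
        }
        Hashtable<String, ?> credProps = subjectHelper.getHashtableFromSubject(subject, new String[]{AttributeNameConstants.WSCREDENTIAL_USERID, AttributeNameConstants.WSCREDENTIAL_PASSWORD});
        if (credProps == null) {
            return null;
        }
        String userId = (String) credProps.get(AttributeNameConstants.WSCREDENTIAL_USERID);
        String password = (String) credProps.get(AttributeNameConstants.WSCREDENTIAL_PASSWORD);
        // Ternary kept inline so overload resolution on getSubject is unchanged from the original.
        return cache.getSubject(password != null
                ? BasicAuthCacheKeyProvider.createLookupKey(getRealm(), userId, password)
                : BasicAuthCacheKeyProvider.createLookupKey(getRealm(), userId));
    }

    /**
     * Converts the password array to a String because the cache key/insert APIs take a String.
     * This defeats the usual reason for carrying passwords as {@code char[]} (zeroing after use):
     * the resulting String lives at least as long as the cache key built from it.
     *
     * @return the password as a String, or null when the array is null
     */
    @Sensitive
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private String getPassword(@Sensitive char[] password) {
        return password == null ? null : String.valueOf(password);
    }

    /** @return the bound auth cache service, or null when unbound or deactivated by {@code cacheEnabled=false} */
    @Override
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public AuthCacheService getAuthCacheService() {
        return this.authCacheServiceRef.getService();
    }

    /**
     * Realm used in basic-auth cache keys: the configured registry's realm, else
     * {@link #FALLBACK_REALM}. A registry failure is traced and silently falls back, so a lookup
     * under the fallback realm simply misses rather than failing the request.
     */
    @FFDCIgnore({RegistryException.class})
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private String getRealm() {
        String realm = FALLBACK_REALM;
        try {
            UserRegistryService service = this.userRegistryServiceRef.getService();
            // getService() yields null while no registry service is bound; the original
            // dereferenced it unconditionally, turning "no registry" into an NPE.
            if (service != null && service.isUserRegistryConfigured()) {
                realm = service.getUserRegistry().getRealm();
            }
        } catch (RegistryException e) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "There was a problem getting the realm.", e);
            }
        }
        return realm;
    }

    /**
     * Returns the bound JAAS service or fails the authentication with the NLS
     * AUTHENTICATION_SERVICE_JAAS_UNAVAILABLE message. The field is read once into a local so
     * a concurrent {@link #unsetJaasService} cannot null it between the check and the use.
     *
     * @throws AuthenticationException when no JAAS service is bound
     */
    private JAASService requireJaasService() throws AuthenticationException {
        JAASService service = this.jaasService;
        if (service == null) {
            Tr.error(tc, "AUTHENTICATION_SERVICE_JAAS_UNAVAILABLE", new Object[0]);
            throw new AuthenticationException(TraceNLS.getFormattedMessage(getClass(), MESSAGE_BUNDLE, "AUTHENTICATION_SERVICE_JAAS_UNAVAILABLE", new Object[0], "CWWKS1000E: The JAAS Service is unavailable."));
        }
        return service;
    }

    /**
     * JAAS login driven by a callback handler.
     *
     * @throws AuthenticationException when no JAAS service is bound or the login fails; the
     *         LoginException message is carried over, the exception itself is not chained
     */
    @FFDCIgnore({LoginException.class})
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private Subject performJAASLogin(String str, CallbackHandler callbackHandler, Subject subject) throws AuthenticationException {
        JAASService service = requireJaasService();
        try {
            return service.performLogin(str, callbackHandler, subject);
        } catch (LoginException e) {
            throw new AuthenticationException(e.getLocalizedMessage());
        }
    }

    /**
     * JAAS login driven by authentication data.
     *
     * @throws AuthenticationException when no JAAS service is bound or the login fails; the
     *         LoginException message is carried over, the exception itself is not chained
     */
    @FFDCIgnore({LoginException.class})
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private Subject performJAASLogin(String str, AuthenticationData authenticationData, Subject subject) throws AuthenticationException {
        JAASService service = requireJaasService();
        try {
            return service.performLogin(str, authenticationData, subject);
        } catch (LoginException e) {
            throw new AuthenticationException(e.getLocalizedMessage());
        }
    }

    /**
     * Inserts a freshly authenticated Subject into the cache. With a userid and password the
     * cache is asked to key by them as well; otherwise the Subject is inserted on its own.
     * No-op when no cache service is available.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void insertSubjectInAuthCache(AuthenticationData authenticationData, Subject subject) {
        AuthCacheService cache = getAuthCacheService();
        if (cache == null) {
            return;
        }
        String userName = (String) authenticationData.get(AuthenticationData.USERNAME);
        String password = getPassword((char[]) authenticationData.get(AuthenticationData.PASSWORD));
        if (userName != null && password != null) {
            cache.insert(subject, userName, password);
        } else {
            cache.insert(subject);
        }
    }

    /** Delegates to the run-as provider; see {@link #getRunAsSubjectFromProvider}. */
    @Override
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public Subject delegate(String str, String str2) {
        return getRunAsSubjectFromProvider(str, str2);
    }

    /**
     * Asks the bound delegation provider (falling back to the default provider) for a run-as
     * Subject. An {@link AuthenticationException} from the provider is traced and mapped to
     * null, which the caller treats as "keep the invocation subject".
     *
     * @return the run-as Subject, or null when no provider is bound or the provider rejects the request
     */
    @FFDCIgnore({AuthenticationException.class})
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private Subject getRunAsSubjectFromProvider(String str, String str2) {
        try {
            DelegationProvider provider = this.delegationProviderRef.getService();
            if (provider == null) {
                provider = this.defaultDelegationProviderRef.getService();
            }
            return provider == null ? null : provider.getRunAsSubject(str, str2);
        } catch (AuthenticationException e) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Caught an authentication exception, so will run as the invocation subject.", new Object[0]);
            }
            return null;
        }
    }

    /** @return the current {@code allowHashtableLoginWithIdOnly} setting, boxed as the interface requires */
    @Override
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public Boolean isAllowHashTableLoginWithIdOnly() {
        return Boolean.valueOf(this.allowHashtableLoginWithIdOnly);
    }

    /**
     * Pass-through to the JAAS service. Still a {@link NullPointerException} when no JAAS
     * service is bound (the same failure as before), but with a message that names the
     * missing dependency.
     */
    @Override
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public ClassLoader getSharedLibraryClassLoader(Library library) {
        return Objects.requireNonNull(this.jaasService, "jaasService is not bound").getSharedLibraryClassLoader(library);
    }
}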
