package com.ibm.ws.webcontainer.security.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.websphere.security.WebTrustAssociationUserException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.AuthenticationConstants;
import com.ibm.ws.security.authentication.AuthenticationData;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.AuthenticationService;
import com.ibm.ws.security.authentication.WSAuthenticationData;
import com.ibm.ws.security.authentication.tai.TAIService;
import com.ibm.ws.security.authentication.tai.TAIUtil;
import com.ibm.ws.security.authentication.utility.JaasLoginConfigConstants;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.AuthenticationResult;
import com.ibm.ws.webcontainer.security.SSOCookieHelper;
import com.ibm.ws.webcontainer.security.WebAuthenticator;
import com.ibm.ws.webcontainer.security.WebRequest;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

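/* loaded from: input_file:wlp/lib/com.ibm.ws.webcontainer.security_1.0.10.jar:com/ibm/ws/webcontainer/security/internal/TAIAuthenticator.class */
/**
 * {@link WebAuthenticator} that hands the request to the configured Trust Association
 * Interceptors (TAIs) and turns the first matching interceptor's {@link TAIResult} into an
 * {@link AuthenticationResult}.
 *
 * <p>Per request: pick the TAI map for the requested phase (before or after SSO), skip when
 * there is nothing to run or when the URI is unprotected and the TAI service is not configured
 * to intercept unprotected URIs, ask each TAI in map order whether it targets the request, let
 * the first one negotiate trust, then either log the returned subject / user name in through
 * the {@code JaasLoginConfigConstants.SYSTEM_WEB_INBOUND} JAAS configuration or fall back to the
 * application's own authentication type.
 *
 * <p>Thread-safety: when {@code taiService} is null the two package-private TAI maps are
 * re-populated on every request by {@link #processInterceptorServices()} without any locking,
 * exactly as in the original. NOTE(review): confirm that legacy path is not reached concurrently.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class TAIAuthenticator implements WebAuthenticator {
    private static final TraceComponent tc = Tr.register(TAIAuthenticator.class);

    /**
     * Key looked up in the authenticated subject's hashtable: when present, no LTPA SSO cookie is
     * added to the response. Presumably a SAML SP session cookie governs the session in that
     * case (inferred from the key name) — confirm against the SAML component.
     */
    private static final String DISABLE_LTPA_AND_SESSION_NOT_ON_OR_AFTER = "com.ibm.ws.saml.spcookie.session.not.on.or.after";

    static final long serialVersionUID = 5416276392955680341L;

    /** Shared "no decision here, let the next authenticator run" result. */
    private final AuthenticationResult AUTHN_CONTINUE_RESULT = new AuthenticationResult(AuthResult.CONTINUE, "Authentication continue");

    /** Optional TAI configuration service; null selects the legacy per-request map rebuild. */
    private final TAIService taiService;
    /** Registered interceptor services keyed by service id; only read when {@code taiService} is null. */
    private final ConcurrentServiceReferenceMap<String, TrustAssociationInterceptor> interceptorServiceRef;
    /** Adds the SSO cookie(s) after a successful login. */
    private final SSOCookieHelper ssoCookieHelper;
    /** JAAS login front door; a null value is tolerated only in {@link #createUserIdHashtableSubject}. */
    private final AuthenticationService authenticationService;

    /** TAIs to run before SSO, in registration order (legacy path only); package-private as in the original. */
    Map<String, TrustAssociationInterceptor> invokeBeforeSSOTais = new LinkedHashMap<>();
    /** TAIs to run after SSO, in registration order (legacy path only); package-private as in the original. */
    Map<String, TrustAssociationInterceptor> invokeAfterSSOTais = new LinkedHashMap<>();

    /**
     * Creates the authenticator.
     *
     * @param taiService            TAI configuration service, may be null (legacy path)
     * @param interceptorServiceRef registered interceptor services, used only when {@code taiService} is null
     * @param authenticationService JAAS authentication service
     * @param ssoCookieHelper       helper that writes the SSO cookie on success
     */
    public TAIAuthenticator(TAIService taiService, ConcurrentServiceReferenceMap<String, TrustAssociationInterceptor> interceptorServiceRef, AuthenticationService authenticationService, SSOCookieHelper ssoCookieHelper) {
        this.taiService = taiService;
        this.interceptorServiceRef = interceptorServiceRef;
        this.authenticationService = authenticationService;
        this.ssoCookieHelper = ssoCookieHelper;
    }

    /** True when debug tracing is switched on; keeps message concatenation lazy at call sites. */
    private static boolean debugOn() {
        return TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
    }

    /**
     * Runs the after-SSO interceptors for the request.
     *
     * @param webRequest the request under authentication
     * @return the TAI decision, or the shared CONTINUE result when no TAI applies
     */
    @Override
    public AuthenticationResult authenticate(WebRequest webRequest) {
        return authenticate(webRequest, false);
    }

    /**
     * Runs the interceptors registered for one phase against the request.
     *
     * <p>The first TAI whose {@code isTargetInterceptor} returns true is the only one consulted;
     * its result is converted by {@link #handleTaiResult}. Exceptions thrown by the interceptor are
     * logged and mapped to {@link AuthResult#FAILURE}; the generic catch is deliberate because a TAI
     * is third-party code running inside the request path.
     *
     * @param webRequest the request under authentication
     * @param beforeSSO  true for the before-SSO phase, false for the after-SSO phase
     * @return the authentication decision; never null
     */
    public AuthenticationResult authenticate(WebRequest webRequest, boolean beforeSSO) {
        Map<String, TrustAssociationInterceptor> interceptors = getInterceptorServices(beforeSSO);
        if (skipTai(webRequest, interceptors, beforeSSO)) {
            return AUTHN_CONTINUE_RESULT;
        }
        HttpServletRequest req = webRequest.getHttpServletRequest();
        HttpServletResponse res = webRequest.getHttpServletResponse();

        AuthenticationResult failure = null;
        TAIResult taiResult = null;
        String taiType = null;
        boolean intercepted = false;
        try {
            for (TrustAssociationInterceptor tai : interceptors.values()) {
                if (tai.isTargetInterceptor(req)) {
                    intercepted = true;
                    taiType = tai.getType();
                    taiResult = tai.negotiateValidateandEstablishTrust(req, res);
                    break;
                }
            }
            if (!intercepted) {
                if (debugOn()) {
                    Tr.debug(tc, "TAI authenticator" + (beforeSSO ? " before SSO " : " after SSO ") + "does not intercept this request");
                }
                return AUTHN_CONTINUE_RESULT;
            }
        } catch (WebTrustAssociationFailedException e) {
            FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.internal.TAIAuthenticator", "120", this, new Object[]{webRequest, Boolean.valueOf(beforeSSO)});
            Tr.error(tc, "SEC_TAI_VALIDATE_FAILED", e);
            failure = new AuthenticationResult(AuthResult.FAILURE, e.getMessage());
        } catch (WebTrustAssociationUserException e) {
            FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.internal.TAIAuthenticator", "123", this, new Object[]{webRequest, Boolean.valueOf(beforeSSO)});
            Tr.error(tc, "SEC_TAI_USER_EXCEPTION", e);
            failure = new AuthenticationResult(AuthResult.FAILURE, e.getMessage());
        } catch (Exception e) {
            // Boundary to plugin code: any other failure of the TAI is a failed authentication, not a server error.
            FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.internal.TAIAuthenticator", "126", this, new Object[]{webRequest, Boolean.valueOf(beforeSSO)});
            Tr.error(tc, "SEC_TAI_GENERAL_EXCEPTION", e);
            failure = new AuthenticationResult(AuthResult.FAILURE, e.getMessage());
        }

        if (failure != null) {
            if (debugOn()) {
                Tr.debug(tc, "TAI throws an un-expected exception: " + failure.getReason());
            }
            return failure;
        }
        return handleTaiResult(taiResult, taiType, req, res);
    }

    /**
     * Legacy path (no {@code taiService}): sorts every registered interceptor into the before-SSO
     * and/or after-SSO map according to its feature properties.
     *
     * <p>The maps are never cleared, so an interceptor that has since been unregistered would stay
     * in them; that matches the original and is left as is. NOTE(review): confirm whether stale
     * entries are a concern on this path.
     */
    private void processInterceptorServices() {
        TAIUtil taiUtil = new TAIUtil();
        for (String serviceId : this.interceptorServiceRef.keySet()) {
            TrustAssociationInterceptor tai = this.interceptorServiceRef.getService(serviceId);
            taiUtil.processTAIUserFeatureProps(this.interceptorServiceRef, serviceId);
            if (taiUtil.isInvokeBeforeSSO()) {
                this.invokeBeforeSSOTais.put(serviceId, tai);
            }
            if (taiUtil.isInvokeAfterSSO()) {
                this.invokeAfterSSOTais.put(serviceId, tai);
            }
        }
        if (debugOn()) {
            Tr.debug(tc, "invokeBeforeSSOTais " + this.invokeBeforeSSOTais.toString());
            Tr.debug(tc, "invokeAfterSSOTais " + this.invokeAfterSSOTais.toString());
        }
    }

    /**
     * Returns the interceptors for one phase: from the TAI service when present, otherwise from
     * the maps rebuilt by {@link #processInterceptorServices()}.
     *
     * @param beforeSSO true for the before-SSO phase
     * @return the phase's interceptor map; may be null or empty (the service's choice)
     */
    private Map<String, TrustAssociationInterceptor> getInterceptorServices(boolean beforeSSO) {
        if (this.taiService != null) {
            return this.taiService.getTais(beforeSSO);
        }
        processInterceptorServices();
        return beforeSSO ? this.invokeBeforeSSOTais : this.invokeAfterSSOTais;
    }

    /**
     * Decides whether TAI processing can be skipped for this request.
     *
     * @return true when there are no interceptors, or when the URI is unprotected (and not a
     *         provider-special one) and a configured TAI service does not intercept unprotected URIs
     */
    private boolean skipTai(WebRequest webRequest, Map<String, TrustAssociationInterceptor> interceptors, boolean beforeSSO) {
        if (interceptors == null || interceptors.isEmpty()) {
            if (debugOn()) {
                Tr.debug(tc, "There is no interceptor config to invoke" + (beforeSSO ? " before SSO " : " after SSO ") + ", skipping TAI...");
            }
            return true;
        }
        // A null taiService (legacy path) always runs the interceptors, protected URI or not.
        boolean unprotected = webRequest.isUnprotectedURI() && !webRequest.isProviderSpecialUnprotectedURI();
        boolean serviceSkipsUnprotected = this.taiService != null && !this.taiService.isInvokeForUnprotectedURI();
        if (unprotected && serviceSkipsUnprotected) {
            if (debugOn()) {
                Tr.debug(tc, "Skipping interceptor for unprotected URI...");
            }
            return true;
        }
        return false;
    }

    /**
     * Turns the interceptor's result into an authentication result.
     *
     * <p>A result with HTTP status 200 means the TAI established trust, so its subject or user
     * name is logged in; anything else, including a null result, goes through
     * {@link #handleFallBackToAppAuthType}. A JAAS {@link AuthenticationException} from either
     * path becomes {@link AuthResult#SEND_401}. The decompiled original had an empty try body
     * here; the structure recovered is that the catch covers both branches.
     *
     * @param taiResult result from the interceptor, may be null
     * @param taiType   type reported by the interceptor, may be null
     */
    private AuthenticationResult handleTaiResult(TAIResult taiResult, String taiType, HttpServletRequest req, HttpServletResponse res) {
        try {
            if (taiResult != null && taiResult.getStatus() == HttpServletResponse.SC_OK) {
                return authenticateWithTAIResult(req, res, taiResult);
            }
            return handleFallBackToAppAuthType(taiType, taiResult);
        } catch (AuthenticationException e) {
            FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.internal.TAIAuthenticator", "220", this, new Object[]{taiResult, taiType, req, res});
            return new AuthenticationResult(AuthResult.SEND_401, e.getMessage());
        }
    }

    /**
     * Handles a non-200 (or missing) TAI result.
     *
     * <p>Falling back to the application's authentication type (CONTINUE) is allowed when the TAI
     * service is configured for it or when the TAI itself answered HTTP 100. Otherwise a missing
     * result is a FAILURE and any other status is surfaced as a TAI_CHALLENGE carrying that status.
     *
     * @param taiType   interceptor type; not used by this decision, kept for the call signature
     * @param taiResult interceptor result, may be null
     */
    private AuthenticationResult handleFallBackToAppAuthType(String taiType, TAIResult taiResult) throws AuthenticationException {
        boolean serviceAllowsFallback = this.taiService != null && this.taiService.isFailOverToAppAuthType();
        boolean taiAsksToContinue = taiResult != null && taiResult.getStatus() == HttpServletResponse.SC_CONTINUE;
        if (serviceAllowsFallback || taiAsksToContinue) {
            if (taiResult == null) {
                return new AuthenticationResult(AuthResult.CONTINUE, "TAI allows fall back to application authentication type");
            }
            return new AuthenticationResult(AuthResult.CONTINUE, taiResult.getSubject());
        }
        if (taiResult == null) {
            return new AuthenticationResult(AuthResult.FAILURE, "taiResult is null");
        }
        return new AuthenticationResult(AuthResult.TAI_CHALLENGE, "TrustAssociation Interception returns error", taiResult.getStatus());
    }

    /** True when {@code result} is non-null and reports SUCCESS. */
    private static boolean isSuccess(AuthenticationResult result) {
        return result != null && result.getStatus() == AuthResult.SUCCESS;
    }

    /**
     * Logs in the principal established by a TAI that returned HTTP 200.
     *
     * <p>Order of attempts: the TAI's subject as-is (unless it carries an unauthenticated
     * {@link WSCredential}), then a hashtable login asserting only the TAI's user name, then
     * CONTINUE. A null user name is a FAILURE.
     *
     * <p>Fix over the original: the "Subject from TAI is invalid" FAILURE result was constructed and
     * discarded, so a subject already known to hold an unauthenticated credential was still passed
     * to the JAAS login. It is now recorded as the failure of that attempt, and the same user-name
     * fallback the original used for any failed subject login applies.
     *
     * @param taiResult a TAI result with status 200
     * @throws AuthenticationException propagated from the JAAS login path
     */
    private AuthenticationResult authenticateWithTAIResult(HttpServletRequest req, HttpServletResponse res, TAIResult taiResult) throws AuthenticationException {
        String username = taiResult.getAuthenticatedPrincipal();
        if (debugOn()) {
            Tr.debug(tc, "TAI user name: " + username);
        }
        if (username == null) {
            return new AuthenticationResult(AuthResult.FAILURE, "TAI user name is null");
        }

        AuthenticationResult result = null;
        Subject subject = taiResult.getSubject();
        if (subject != null) {
            WSCredential credential = new SubjectHelper().getWSCredential(subject);
            if (credential != null && credential.isUnauthenticated()) {
                result = new AuthenticationResult(AuthResult.FAILURE, "Subject from TAI is invalid for user: " + username);
            } else {
                result = authenticateWithSubject(req, res, subject);
            }
        }
        if (!isSuccess(result)) {
            result = loginWithTAIUserName(req, res, subject, username);
            if (!isSuccess(result)) {
                result = new AuthenticationResult(AuthResult.CONTINUE, "authenticate failed.... allow to continue");
            }
        }
        return result;
    }

    /**
     * Logs in using only the user name asserted by the TAI (see {@link #createUserIdHashtableSubject}).
     *
     * @param subject  the TAI's subject, may be null
     * @param username the TAI's authenticated principal name
     */
    private AuthenticationResult loginWithTAIUserName(HttpServletRequest req, HttpServletResponse res, Subject subject, String username) {
        return authenticateWithSubject(req, res, createUserIdHashtableSubject(subject, username));
    }

    /**
     * Performs the JAAS login for the subject and, unless the subject carries the LTPA-disable
     * marker, writes the SSO cookie(s) to the response.
     *
     * @return SUCCESS with the authenticated subject, or FAILURE with the exception message
     */
    @FFDCIgnore({AuthenticationException.class})
    private AuthenticationResult authenticateWithSubject(HttpServletRequest req, HttpServletResponse res, Subject subject) {
        try {
            Subject authenticated = this.authenticationService.authenticate(JaasLoginConfigConstants.SYSTEM_WEB_INBOUND, createAuthenticationData(req, res, subject), subject);
            if (!isDisableLtpaCookie(authenticated)) {
                this.ssoCookieHelper.addSSOCookiesToResponse(authenticated, req, res);
            }
            return new AuthenticationResult(AuthResult.SUCCESS, authenticated);
        } catch (AuthenticationException e) {
            return new AuthenticationResult(AuthResult.FAILURE, e.getMessage());
        }
    }

    /** True when the subject's hashtable contains {@link #DISABLE_LTPA_AND_SESSION_NOT_ON_OR_AFTER}. */
    private boolean isDisableLtpaCookie(Subject subject) {
        return new SubjectHelper().getHashtableFromSubject(subject, new String[]{DISABLE_LTPA_AND_SESSION_NOT_ON_OR_AFTER}) != null;
    }

    /**
     * Builds the subject for a user-name-only hashtable login.
     *
     * <p>No password is supplied: trust in the user name rests entirely on the TAI having returned
     * HTTP 200 for this request (the only path that reaches here). The login is marked as an
     * internal assertion unless the authentication service is configured to accept id-only
     * hashtable logins on its own; a null service, or a null answer from it, counts as "not
     * configured" instead of throwing.
     *
     * @param subject  subject to add the hashtable to; a new one is created when null
     * @param username user name asserted by the TAI
     */
    private Subject createUserIdHashtableSubject(Subject subject, String username) {
        Subject target = subject != null ? subject : new Subject();
        Hashtable<String, Object> props = new Hashtable<>();
        boolean idOnlyAllowed = this.authenticationService != null
                                && Boolean.TRUE.equals(this.authenticationService.isAllowHashTableLoginWithIdOnly());
        if (!idOnlyAllowed) {
            props.put(AuthenticationConstants.INTERNAL_ASSERTION_KEY, Boolean.TRUE);
        }
        props.put(AttributeNameConstants.WSCREDENTIAL_USERID, username);
        target.getPublicCredentials().add(props);
        return target;
    }

    /**
     * Creates the JAAS authentication data: request, response and, when the subject carries an
     * LTPA cookie, that cookie's value as {@code TOKEN64}. Failure to read the cookie is recorded
     * via FFDC and otherwise ignored (best effort, as in the original).
     */
    @Trivial
    protected AuthenticationData createAuthenticationData(HttpServletRequest req, HttpServletResponse res, Subject subject) {
        WSAuthenticationData data = new WSAuthenticationData();
        data.set(AuthenticationData.HTTP_SERVLET_REQUEST, req);
        data.set(AuthenticationData.HTTP_SERVLET_RESPONSE, res);
        if (subject != null) {
            try {
                Cookie ltpaCookie = WebSecurityHelperImpl.getLTPACookie(subject);
                if (ltpaCookie != null) {
                    data.set(AuthenticationData.TOKEN64, ltpaCookie.getValue());
                }
            } catch (Exception e) {
                FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.internal.TAIAuthenticator", "366", this, new Object[]{req, res, subject});
            }
        }
        return data;
    }

    /**
     * Not supported by this authenticator: always returns null. The TAI flow is driven through
     * {@link #authenticate(WebRequest)} / {@link #authenticate(WebRequest, boolean)}.
     */
    @Override
    public AuthenticationResult authenticate(HttpServletRequest req, HttpServletResponse res, HashMap props) throws Exception {
        return null;
    }
}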
