package com.ibm.wsspi.security.common.auth.module;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.management.application.AppConstants;
import com.ibm.websphere.security.CertificateMapFailedException;
import com.ibm.websphere.security.CertificateMapNotSupportedException;
import com.ibm.websphere.security.CustomRegistryException;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.WebSphereRuntimePermission;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import java.rmi.RemoteException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/* loaded from: input_file:wlp/com.ibm.ws.ejb.embeddableContainer_nls_8.5.0.jar:com/ibm/wsspi/security/common/auth/module/IdentityAssertionLoginModule.class */
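/**
 * JAAS login module that completes an <em>identity assertion</em>: it performs no
 * authentication of its own, but logs in the identity that an upstream trust validator
 * (running earlier in the same {@code LoginContext}) has placed into the shared state.
 *
 * <p>Flow, as implemented below:
 * <ol>
 *   <li>{@link #login()} reads the state map stored under {@link #STATE_KEY}. It fails unless
 *       that map holds {@code Boolean.TRUE} under {@link #TRUSTED_KEY}; the trust decision is
 *       taken entirely on faith from whoever wrote the map, so only the trust validator may be
 *       allowed to populate it.</li>
 *   <li>The asserted identity is a {@link Principal} (its realm prefix up to the last {@code '/'}
 *       is stripped) or, failing that, an {@code X509Certificate[]} chain mapped to a user name by
 *       the default realm's {@link UserRegistry}. The name is logged in through
 *       {@link ContextManager#login(String, String)} against the default realm.</li>
 *   <li>The live principal / credential sets of the resulting Subject are published to the shared
 *       state; {@link #commit()} copies their members into this module's Subject, and
 *       {@link #abort()} / a repeated {@link #login()} undo that through {@link #cleanup()}.</li>
 * </ol>
 *
 * <p>Trace output deliberately never dumps the Subject or the shared state, because both may carry
 * private credentials.
 *
 * <p>Not thread-safe; a {@code LoginContext} drives one instance at a time.
 */
public class IdentityAssertionLoginModule implements LoginModule {
    /** Shared-state key whose value is the per-login state {@code Map} written by the trust validator. */
    private static final String STATE_KEY = "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state";
    /** Key inside the state map: a {@code Boolean}, whether the asserting party was trusted. */
    private static final String TRUSTED_KEY = "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted";
    /** Key inside the state map: the asserted {@link Principal}, if any. */
    private static final String PRINCIPAL_KEY = "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal";
    /** Key inside the state map: the asserted {@code X509Certificate[]} chain, if any. */
    private static final String CERTIFICATES_KEY = "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates";
    /**
     * Shared-state keys under which {@link #login()} publishes the asserted Subject's principal,
     * private-credential and public-credential sets for {@link #commit()} and {@link #cleanup()}.
     * The same three literals must be used by all three methods; spelling them once here is the
     * fix for the earlier mismatch that left {@code cleanup()} unable to find anything to remove.
     */
    private static final String PRINCIPALS_KEY = "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.Principals";
    private static final String PRIVATE_CREDENTIALS_KEY = "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.PrivateCredentials";
    private static final String PUBLIC_CREDENTIALS_KEY = "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.PublicCredentials";

    private Subject subject;
    private CallbackHandler callbackHandler;
    private Map sharedState;
    private Map options;
    private static final WebSphereRuntimePermission IDENTITY_ASSERTION_INITIALIZE = new WebSphereRuntimePermission("com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.initialize");
    private static final WebSphereRuntimePermission IDENTITY_ASSERTION_LOGIN = new WebSphereRuntimePermission("com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.login");
    private static final TraceComponent tc = Tr.register(IdentityAssertionLoginModule.class, (String) null, "com.ibm.ejs.resources.security");
    /** Module-level verbose flag; set from the {@code "debug"} option in {@link #initialize}. */
    protected boolean debug = true;
    private boolean succeeded = false;
    private boolean commitSucceeded = false;
    private ContextManager contextManager = ContextManagerFactory.getInstance();

    public IdentityAssertionLoginModule() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "IdentityAssertionLoginModule()");
            Tr.exit(tc, "IdentityAssertionLoginModule()");
        }
    }

    /**
     * Stores the JAAS collaborators and reads the {@code "debug"} option.
     *
     * <p>Under a Java 2 SecurityManager the caller must hold
     * {@code WebSphereRuntimePermission "...IdentityAssertionLoginModule.initialize"}.
     *
     * @param subject the Subject that {@link #commit()} will populate
     * @param callbackHandler unused by this module beyond being retained
     * @param sharedState the {@code LoginContext} shared state (must not be null; it is read in {@link #login()})
     * @param options module options; {@code "debug"} (any value whose string form is "true") enables verbose tracing
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
        if (tc.isEntryEnabled()) {
            // Trace only what identifies the collaborators. Subject.toString() and the maps can
            // include credentials, so their contents are kept out of the trace.
            Tr.entry(tc, "initialize(subject " + (subject == null ? "absent" : "present")
                    + ", callbackHandler = " + (callbackHandler == null ? AppConstants.NULL_STRING : callbackHandler.toString())
                    + ", sharedState keys = " + (sharedState == null ? AppConstants.NULL_STRING : String.valueOf(sharedState.keySet()))
                    + ", options keys = " + (options == null ? AppConstants.NULL_STRING : String.valueOf(options.keySet())) + ")");
        }
        checkJava2Permission(IDENTITY_ASSERTION_INITIALIZE);
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this.sharedState = sharedState;
        this.options = options;
        // toString() rather than a String cast: a Boolean.TRUE option is accepted and a non-String
        // value no longer throws ClassCastException.
        Object debugOption = this.options.get("debug");
        this.debug = debugOption != null && "true".equalsIgnoreCase(debugOption.toString());
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "IdentityAssertionLoginModule");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize(subject, callbackHandler, sharedState, options)");
        }
    }

    /**
     * Logs in the identity asserted by the trust validator.
     *
     * <p>Requires {@code WebSphereRuntimePermission "...IdentityAssertionLoginModule.login"} under a
     * SecurityManager. Succeeds only when the shared state holds the state map, the map says
     * trust was established, and at least one of a principal or a certificate chain is present
     * and can be logged in against the default realm. On success the asserted Subject's sets are
     * published to the shared state for {@link #commit()}.
     *
     * @return {@code true} when an asserted Subject was obtained and published
     * @throws WSLoginFailedException when trust information is missing or false, no identity is
     *         supplied, or the underlying login / certificate mapping fails
     */
    public boolean login() throws WSLoginFailedException {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        checkJava2Permission(IDENTITY_ASSERTION_LOGIN);
        ContextManager manager = ContextManagerFactory.getInstance();
        String defaultRealm = manager.getDefaultRealm();
        this.succeeded = false;
        if (this.commitSucceeded) {
            // A second login() on an already committed module: undo the first commit before
            // asserting a possibly different identity.
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "This login module is in a funny state, cleanup before starting a new login process.");
            }
            cleanup();
        }
        Map state = (Map) this.sharedState.get(STATE_KEY);
        if (state == null) {
            Tr.error(tc, "security.jaas.IdentityAssertion.state");
            throw new WSLoginFailedException("No Trust information for trust validation.");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "We do have state information");
        }
        requireTrust((Boolean) state.get(TRUSTED_KEY));
        Principal principal = (Principal) state.get(PRINCIPAL_KEY);
        X509Certificate[] certificates = (X509Certificate[]) state.get(CERTIFICATES_KEY);
        if (principal == null && certificates == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No principal or certificate recieved from shared state.");
            }
            Tr.error(tc, "security.jaas.IdentityAssertion.stat");
            throw new WSLoginFailedException("No principal or X509Certificate provided to login new user with.");
        }
        Subject asserted = null;
        if (principal != null) {
            asserted = loginByName(manager, defaultRealm, principal);
        }
        if (certificates != null) {
            if (principal != null) {
                // Both supplied: the principal wins, the chain is ignored.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "There is a principal and a certificate, the principal will be used.");
                }
                Tr.warning(tc, "security.jaas.IdentityAssertion.context");
            } else {
                asserted = loginByCertificate(manager, defaultRealm, certificates);
            }
        }
        if (asserted != null) {
            publishToSharedState(asserted);
            if (tc.isDebugEnabled()) {
                // Keys only: the values include the private-credential set.
                Tr.debug(tc, "Context login succeeded and information stored in shared state.  Shared state keys: " + this.sharedState.keySet());
            }
            this.succeeded = true;
        }
        return this.succeeded;
    }

    /**
     * Copies the principals and credentials published by {@link #login()} into this module's
     * Subject. Members already present are not added twice. A runtime failure during the copy
     * is logged under {@code security.jaas.LoginModuleCommitError}, the partial copy is undone
     * via {@link #cleanup()}, and {@code false} is returned.
     *
     * @return {@code true} if the Subject was (or had already been) populated, {@code false} if
     *         {@link #login()} did not succeed or the copy failed
     * @throws WSLoginFailedException declared for the {@link LoginModule} contract; not raised by the current copy logic
     */
    public boolean commit() throws WSLoginFailedException {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "commit()");
        }
        if (!this.succeeded) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Do not commit because of authentication failed.");
            }
            return false;
        }
        if (this.commitSucceeded) {
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "It has been committed prior this call, nothing is done.");
            }
            return true;
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Start committing the changes to the Subject ...");
        }
        try {
            // Subject set access may need AuthPermission under a SecurityManager; run privileged
            // so the caller's protection domain does not have to hold it.
            AccessController.doPrivileged(new PrivilegedAction() {
                @Override
                public Object run() {
                    try {
                        addMissing(subject.getPrincipals(), (Set) sharedState.get(PRINCIPALS_KEY));
                    } catch (Exception e) {
                        Tr.error(tc, "security.jaas.removePrinException", new Object[]{IdentityAssertionLoginModule.this.getClass().getName(), e});
                    }
                    try {
                        addMissing(subject.getPrivateCredentials(), (Set) sharedState.get(PRIVATE_CREDENTIALS_KEY));
                    } catch (Exception e) {
                        Tr.error(tc, "security.jaas.removeCredException", new Object[]{IdentityAssertionLoginModule.this.getClass().getName(), e});
                    }
                    try {
                        addMissing(subject.getPublicCredentials(), (Set) sharedState.get(PUBLIC_CREDENTIALS_KEY));
                    } catch (Exception e) {
                        // Message key spelled as it exists in the resource bundle.
                        Tr.error(tc, "security.jaas.removeCredExecption", new Object[]{IdentityAssertionLoginModule.this.getClass().getName(), e});
                    }
                    return null;
                }
            });
            if (this.debug || tc.isDebugEnabled()) {
                Tr.debug(tc, "Change committed!");
            }
            this.commitSucceeded = true;
        } catch (RuntimeException e) {
            Tr.error(tc, "security.jaas.LoginModuleCommitError", new Object[]{getClass().getName(), e});
            cleanup();
            this.commitSucceeded = false;
        }
        return this.commitSucceeded;
    }

    /**
     * Undoes any committed changes to the Subject and clears this module's shared-state entries.
     *
     * @return always {@code true}
     */
    public boolean abort() throws LoginException {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "abort()");
        }
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Cleanup the Subject, removes principals, private credentials, and public credentials from the Subject, reset all internal variables.");
            Tr.debug(tc, "Start cleanup ...");
        }
        cleanup();
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Cleanup done.");
        }
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "abort()");
        }
        return true;
    }

    /**
     * Clears this module's shared-state entries.
     *
     * <p>NOTE(review): unlike {@link #abort()}, this does not remove the principals and credentials
     * that {@link #commit()} added to the Subject; confirm the container discards or clears the
     * Subject on logout, otherwise {@link #cleanup()} belongs here too.
     *
     * @return always {@code true}
     */
    public boolean logout() throws LoginException {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "logout()");
        }
        cleanupSharedState();
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "logout()");
        }
        return true;
    }

    /** Performs the Java 2 permission check when a SecurityManager is installed; no-op otherwise. */
    private static void checkJava2Permission(WebSphereRuntimePermission permission) {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager == null) {
            return;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Performing Java 2 Security Permission Check");
            Tr.debug(tc, "Expecting : " + permission.toString());
        }
        securityManager.checkPermission(permission);
    }

    /**
     * Rejects the login unless the trust validator recorded an explicit {@code TRUE}.
     * A missing flag is treated as "no validator configured", a {@code FALSE} as "not trusted";
     * both fail the login.
     */
    private static void requireTrust(Boolean trusted) throws WSLoginFailedException {
        if (trusted == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Missing a trust key");
            }
            throw new WSLoginFailedException("No Trust Validator configured for trust validation, identity assertion is disabled.");
        }
        if (!trusted.booleanValue()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "trust is false");
            }
            throw new WSLoginFailedException("No Trust established for trust validation, identity assertion is disabled.");
        }
    }

    /**
     * Logs in the asserted principal's name against {@code realm}. A realm-qualified name
     * ({@code "realm/user"}) is reduced to the part after the last {@code '/'} first.
     *
     * @return the Subject returned by the context manager (may be null if it returns null)
     * @throws WSLoginFailedException wrapping whatever the context manager throws
     */
    private Subject loginByName(ContextManager manager, String realm, Principal principal) throws WSLoginFailedException {
        String name = principal.getName();
        if (name != null) {
            int slash = name.lastIndexOf('/');
            if (slash >= 0) {
                name = name.substring(slash + 1);
            }
        }
        try {
            return manager.login(realm, name);
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception when calling contextManager.login");
            }
            throw new WSLoginFailedException(e.getMessage(), e);
        }
    }

    /**
     * Maps the asserted certificate chain to a user name through the realm's registry and logs
     * that name in. Mapping failures ({@code CertificateMapFailedException},
     * {@code CertificateMapNotSupportedException}, {@code CustomRegistryException},
     * {@code RemoteException}) and login failures are all surfaced as {@link WSLoginFailedException}.
     */
    private Subject loginByCertificate(ContextManager manager, String realm, X509Certificate[] chain) throws WSLoginFailedException {
        UserRegistry registry = manager.getRegistry(realm);
        if (registry == null) {
            throw new WSLoginFailedException("No user registry available for realm " + realm + " to map the asserted certificate.");
        }
        try {
            return manager.login(realm, registry.mapCertificate(chain));
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception when calling contextManager.login");
            }
            throw new WSLoginFailedException(e.getMessage(), e);
        }
    }

    /**
     * Publishes the asserted Subject's principal and credential sets to the shared state.
     * The live set views are stored, not copies. Each non-empty set always overwrites any
     * existing entry so that a stale set left behind by an earlier login can never be committed.
     */
    private void publishToSharedState(final Subject asserted) {
        AccessController.doPrivileged(new PrivilegedAction() {
            @Override
            public Object run() {
                Set publicCredentials = asserted.getPublicCredentials();
                if (!publicCredentials.isEmpty()) {
                    sharedState.put(PUBLIC_CREDENTIALS_KEY, publicCredentials);
                }
                Set privateCredentials = asserted.getPrivateCredentials();
                if (!privateCredentials.isEmpty()) {
                    sharedState.put(PRIVATE_CREDENTIALS_KEY, privateCredentials);
                }
                Set principals = asserted.getPrincipals();
                if (!principals.isEmpty()) {
                    sharedState.put(PRINCIPALS_KEY, principals);
                }
                return null;
            }
        });
    }

    /** Adds every non-null member of {@code source} that {@code target} does not already contain. */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private static void addMissing(Set target, Set source) {
        if (source == null) {
            return;
        }
        for (Object member : source) {
            if (member != null && !target.contains(member)) {
                target.add(member);
            }
        }
    }

    /** Removes every non-null member of {@code source} that {@code target} contains. */
    @SuppressWarnings("rawtypes")
    private static void removePresent(Set target, Set source) {
        if (source == null) {
            return;
        }
        for (Object member : source) {
            if (member != null && target.contains(member)) {
                target.remove(member);
            }
        }
    }

    /**
     * Resets the state flags, removes from the Subject whatever {@link #commit()} added (looked up
     * under the same keys {@link #login()} published), then drops the shared-state entries.
     */
    private void cleanup() {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "cleanup()");
        }
        this.succeeded = false;
        this.commitSucceeded = false;
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Start removing the principal set, private credential set, and public credential set from the Subject.");
            Tr.debug(tc, "Start removing ...");
        }
        AccessController.doPrivileged(new PrivilegedAction() {
            @Override
            public Object run() {
                try {
                    removePresent(subject.getPrincipals(), (Set) sharedState.get(PRINCIPALS_KEY));
                } catch (Exception e) {
                    Tr.error(tc, "security.jaas.removeCredException", new Object[]{IdentityAssertionLoginModule.this.getClass().getName(), e});
                }
                try {
                    removePresent(subject.getPrivateCredentials(), (Set) sharedState.get(PRIVATE_CREDENTIALS_KEY));
                } catch (Exception e) {
                    Tr.error(tc, "security.jaas.removeCredException", new Object[]{IdentityAssertionLoginModule.this.getClass().getName(), e});
                }
                try {
                    removePresent(subject.getPublicCredentials(), (Set) sharedState.get(PUBLIC_CREDENTIALS_KEY));
                } catch (Exception e) {
                    // Message key spelled as it exists in the resource bundle.
                    Tr.error(tc, "security.jaas.removeCredExecption", new Object[]{IdentityAssertionLoginModule.this.getClass().getName(), e});
                }
                return null;
            }
        });
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Removed principals and creds.");
        }
        cleanupSharedState();
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "cleanup()");
        }
    }

    /** Resets the state flags and removes this module's three published entries from the shared state. */
    private void cleanupSharedState() {
        if (this.debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "cleanupSharedState()");
        }
        this.succeeded = false;
        this.commitSucceeded = false;
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Start removing principalSet, privateSet and publicSet from the shared state.");
        }
        this.sharedState.remove(PRINCIPALS_KEY);
        this.sharedState.remove(PRIVATE_CREDENTIALS_KEY);
        this.sharedState.remove(PUBLIC_CREDENTIALS_KEY);
        if (this.debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Removed.");
        }
        if (this.debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "cleanupSharedState()");
        }
    }
}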
