package com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl;

import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.ws.wssecurity.platform.websphere.token.KRB5TokenImpl;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.wssapi.token.impl.LTPATokenImpl;
import com.ibm.ws.wssecurity.wssapi.token.impl.LTPAv2TokenImpl;
import com.ibm.wsspi.security.auth.callback.WSTokenHolderCallback;
import com.ibm.wsspi.security.token.AuthenticationToken;
import com.ibm.wsspi.security.token.TokenHolder;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Vector;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.xml.namespace.QName;

/* loaded from: input_file:lib/com.ibm.wsfp.main.jar:com/ibm/ws/wssecurity/platform/websphere/wssapi/token/impl/wssTokenPropagationInboundLoginModule.class */
/**
 * JAAS {@link LoginModule} that restores WS-Security tokens propagated inbound
 * (as serialized {@link TokenHolder} entries) and places them into the
 * authenticated {@link Subject}'s private credentials.
 *
 * <p>Lifecycle as implemented here:
 * <ul>
 *   <li>{@link #login()} pulls the token-holder list through a
 *       {@link WSTokenHolderCallback}, deserializes every holder whose name and
 *       version it recognises, and fails the login on any deserialization error.</li>
 *   <li>{@link #commit()} adds each restored token to the Subject's private
 *       credentials unless an equivalent token is already present.</li>
 *   <li>{@link #abort()} drops the restored tokens; {@link #logout()} is a no-op.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output (see the {@code loaded from}
 * comment above and the JADX markers below). The {@code static final} name
 * constants declared here are inlined as string literals in {@code login()}, and
 * a few local declarations in {@code getOneAuthnTokenFromSubjectByUniqueIDAndType}
 * do not type-check as written; treat those as artifacts, not as intent.
 *
 * <p>NOTE(review): the token bytes are fed straight into each implementation's
 * {@code initialize(byte[])}. Whether the propagated holder list is
 * integrity-protected before it reaches this module is not visible here —
 * confirm against the caller / token-propagation configuration.
 */
public class wssTokenPropagationInboundLoginModule implements LoginModule {
    private static final String comp = "security.wssecurity";
    // Token-holder names this module knows how to restore. The comparisons in
    // login() use the same strings inlined, so keep these in sync if edited.
    private static final String UNT = "security.wssecurity_http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken";
    private static final String X509T = "security.wssecurity_http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    private static final String LTPAT = "security.wssecurity_http://www.ibm.com/websphere/appserver/tokentype/5.0.2#LTPA";
    private static final String LTPAv2T = "security.wssecurity_http://www.ibm.com/websphere/appserver/tokentype#LTPAv2";
    private static final String KRBV5 = "security.wssecurity_http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ";
    private static final String EXCHANGED = "security.wssecurity_ExchangeToken";
    private static final String SAML11 = "security.wssecurity_http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    private static final String SAML20 = "security.wssecurity_http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
    // Tokens restored by login(), consumed (and emptied) by commit(); null until login() runs.
    private Vector allTokens = null;
    private Subject subject;
    private CallbackHandler callbackHandler;
    private Map _sharedState;
    private Map options;
    private static final TraceComponent tc = Tr.register(wssTokenPropagationInboundLoginModule.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    private static final String clsName = wssTokenPropagationInboundLoginModule.class.getName();
    // Holder name for the WAS authentication token; taken from the token impl rather than hard-coded.
    private static final String AUTHN = WasAuthenticationTokenImpl.authenticationTokenName;

    /**
     * Standard JAAS initialization: stores the Subject, callback handler,
     * shared state and options for use by the other lifecycle methods.
     * Nothing is validated here; a null callbackHandler surfaces as a
     * LoginException from {@link #login()}.
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this._sharedState = map;
        this.options = map2;
    }

    /**
     * Restores every recognised token from the propagated token-holder list.
     *
     * <p>Each holder is matched on both its name and {@code version == 1}; a
     * matching holder's bytes are handed to the corresponding token
     * implementation's {@code initialize(byte[])}. Holders with an unknown
     * name are skipped (debug trace only), so unsupported token types are
     * silently ignored rather than rejected.
     *
     * @return {@code true} always, once every recognised holder was restored
     * @throws LoginException if the callback handler fails, or if any holder
     *         fails to deserialize (fail-closed: one bad holder fails the whole login)
     */
    public boolean login() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login");
        }
        WSTokenHolderCallback[] wSTokenHolderCallbackArr = {new WSTokenHolderCallback("Authentication Token List: ")};
        try {
            this.callbackHandler.handle(wSTokenHolderCallbackArr);
            this.allTokens = new Vector();
            List tokenHolderList = wSTokenHolderCallbackArr[0].getTokenHolderList();
            if (tokenHolderList != null) {
                for (int i = 0; i < tokenHolderList.size(); i++) {
                    try {
                        TokenHolder tokenHolder = (TokenHolder) tokenHolderList.get(i);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Restore authentication token: " + tokenHolder.getName());
                        }
                        // Dispatch on holder name + version; each branch deserializes the raw bytes
                        // into the matching token implementation.
                        if ("security.wssecurity_http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken".equals(tokenHolder.getName()) && tokenHolder.getVersion() == 1) {
                            WasUsernameTokenImpl wasUsernameTokenImpl = new WasUsernameTokenImpl();
                            wasUsernameTokenImpl.initialize(tokenHolder.getBytes());
                            this.allTokens.addElement(wasUsernameTokenImpl);
                        } else if ("security.wssecurity_http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3".equals(tokenHolder.getName()) && tokenHolder.getVersion() == 1) {
                            WasX509TokenImpl wasX509TokenImpl = new WasX509TokenImpl();
                            wasX509TokenImpl.initialize(tokenHolder.getBytes());
                            this.allTokens.addElement(wasX509TokenImpl);
                        } else if ("security.wssecurity_http://www.ibm.com/websphere/appserver/tokentype/5.0.2#LTPA".equals(tokenHolder.getName()) && tokenHolder.getVersion() == 1) {
                            LTPATokenImpl lTPATokenImpl = new LTPATokenImpl();
                            lTPATokenImpl.initialize(tokenHolder.getBytes());
                            this.allTokens.addElement(lTPATokenImpl);
                        } else if ("security.wssecurity_http://www.ibm.com/websphere/appserver/tokentype#LTPAv2".equals(tokenHolder.getName()) && tokenHolder.getVersion() == 1) {
                            LTPAv2TokenImpl lTPAv2TokenImpl = new LTPAv2TokenImpl();
                            lTPAv2TokenImpl.initialize(tokenHolder.getBytes());
                            this.allTokens.addElement(lTPAv2TokenImpl);
                        } else if ("security.wssecurity_http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ".equals(tokenHolder.getName()) && tokenHolder.getVersion() == 1) {
                            // Kerberos token takes its bytes via the constructor rather than initialize().
                            this.allTokens.addElement(new KRB5TokenImpl(tokenHolder.getBytes()));
                        } else if ("security.wssecurity_ExchangeToken".equals(tokenHolder.getName()) && tokenHolder.getVersion() == 1) {
                            WasExchangeTokenImpl wasExchangeTokenImpl = new WasExchangeTokenImpl();
                            wasExchangeTokenImpl.initialize(tokenHolder.getBytes());
                            this.allTokens.addElement(wasExchangeTokenImpl);
                        } else if (AUTHN.equals(tokenHolder.getName()) && tokenHolder.getVersion() == 1) {
                            WasAuthenticationTokenImpl wasAuthenticationTokenImpl = new WasAuthenticationTokenImpl();
                            wasAuthenticationTokenImpl.initialize(tokenHolder.getBytes());
                            this.allTokens.addElement(wasAuthenticationTokenImpl);
                        } else if ("security.wssecurity_http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1".equals(tokenHolder.getName()) && tokenHolder.getVersion() == 1) {
                            WasSAML11TokenImpl wasSAML11TokenImpl = new WasSAML11TokenImpl();
                            wasSAML11TokenImpl.initialize(tokenHolder.getBytes());
                            this.allTokens.addElement(wasSAML11TokenImpl);
                        } else if ("security.wssecurity_http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0".equals(tokenHolder.getName()) && tokenHolder.getVersion() == 1) {
                            WasSAML20TokenImpl wasSAML20TokenImpl = new WasSAML20TokenImpl();
                            wasSAML20TokenImpl.initialize(tokenHolder.getBytes());
                            this.allTokens.addElement(wasSAML20TokenImpl);
                        } else if (tc.isDebugEnabled()) {
                            // Unknown name or unexpected version: not an error, the holder is simply not restored.
                            Tr.debug(tc, tokenHolder.getName() + " is not processed by WS-Security login module.");
                        }
                    } catch (Exception e) {
                        // Any deserialization failure aborts the login; the cause is preserved via initCause.
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Exception from de-serialization:" + e.getMessage());
                        }
                        Tr.processException(e, clsName + ".login", "C%", this);
                        LoginException loginException = new LoginException(e.getMessage());
                        loginException.initCause(e);
                        throw loginException;
                    }
                }
            }
            if (!tc.isEntryEnabled()) {
                return true;
            }
            Tr.exit(tc, "login");
            return true;
        } catch (Exception e2) {
            // Covers callback-handler failure (and the LoginException rethrown above); the
            // original exception is folded into the message text rather than attached as cause.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Fail to handle callbackhandler.", e2.getStackTrace());
            }
            Tr.processException(e2, clsName + ".login", "%C", this);
            throw new LoginException(ConfigUtil.getMessage("security.wssecurity.BSTokenLoginModule.s01", new String[]{e2.toString()}));
        }
    }

    /**
     * Moves the tokens restored by {@link #login()} into the Subject's private
     * credentials, draining {@code allTokens} from the end as it goes.
     *
     * <p>A token is skipped when it is already present (by {@code equals}) in
     * the private or public credentials, or when {@link #tokenExist} finds a
     * token with the same unique ID and value type. Credential access runs
     * under {@link AccessController#doPrivileged}.
     *
     * @return {@code true} always (also when login() never ran and there is nothing to add)
     * @throws LoginException if adding a token fails; note that only the message
     *         is kept, the original exception is not attached as cause
     */
    public boolean commit() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "commit()");
        }
        while (this.allTokens != null && !this.allTokens.isEmpty()) {
            Object lastElement = this.allTokens.lastElement();
            // remove(Object): drops the first element equal to lastElement; the loop still
            // makes progress because one element is removed per iteration.
            this.allTokens.remove(lastElement);
            if (lastElement != null && (lastElement instanceof SecurityToken)) {
                final SecurityToken securityToken = (SecurityToken) lastElement;
                try {
                    AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssTokenPropagationInboundLoginModule.1
                        @Override // java.security.PrivilegedExceptionAction
                        public Object run() throws LoginException {
                            try {
                                // Three duplicate checks: identity/equals in private creds, in public creds,
                                // then uniqueID + valueType via tokenExist().
                                if (!wssTokenPropagationInboundLoginModule.this.subject.getPrivateCredentials().contains(securityToken) && !wssTokenPropagationInboundLoginModule.this.subject.getPublicCredentials().contains(securityToken) && !wssTokenPropagationInboundLoginModule.tokenExist(wssTokenPropagationInboundLoginModule.this.subject, securityToken)) {
                                    wssTokenPropagationInboundLoginModule.this.subject.getPrivateCredentials().add(securityToken);
                                }
                                return null;
                            } catch (Exception e) {
                                // NOTE(review): cause is dropped here; consider initCause(e) so the
                                // underlying failure (e.g. a ClassCastException from tokenExist) is traceable.
                                throw new LoginException(e.getMessage());
                            }
                        }
                    });
                } catch (Exception e) {
                    // PrivilegedActionException wrapper; again only the message survives.
                    throw new LoginException(e.getMessage());
                }
            }
        }
        if (!tc.isEntryEnabled()) {
            return true;
        }
        Tr.exit(tc, "commit()");
        return true;
    }

    /**
     * Discards any tokens restored by {@link #login()} that were not yet committed.
     * Nothing is removed from the Subject.
     *
     * @return {@code false} always
     */
    public boolean abort() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "abort()");
        }
        this.allTokens = null;
        if (!tc.isEntryEnabled()) {
            return false;
        }
        Tr.exit(tc, "abort()");
        return false;
    }

    /**
     * No-op: tokens added to the Subject by {@link #commit()} are not removed
     * on logout by this module.
     *
     * @return {@code false} always
     */
    public boolean logout() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "logout()");
        }
        if (!tc.isEntryEnabled()) {
            return false;
        }
        Tr.exit(tc, "logout()");
        return false;
    }

    /**
     * Reports whether the Subject already holds a token with the same unique ID
     * and value type as {@code securityToken}.
     *
     * <p>NOTE(review): {@code securityToken} is cast to {@link AuthenticationToken}
     * unconditionally. Every token type restored by {@code login()} is assumed
     * to implement it — a token that does not would surface as a
     * ClassCastException, which {@code commit()} turns into a LoginException.
     *
     * @param subject Subject whose credentials are searched
     * @param securityToken restored token to look for
     * @return {@code true} if a matching token was found
     * @throws SoapSecurityException if the credential lookup fails
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static final boolean tokenExist(Subject subject, SecurityToken securityToken) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "tokenExist() entry... " + securityToken.getId());
        }
        boolean z = getOneAuthnTokenFromSubjectByUniqueIDAndType(subject, ((AuthenticationToken) securityToken).getUniqueID(), securityToken.getValueType()) != null;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "tokenExist() exit... " + z);
        }
        return z;
    }

    /**
     * Looks up an {@link AuthenticationToken}-implementing {@link SecurityToken}
     * in the Subject by unique ID and value type.
     *
     * <p>NOTE(review): as written, only the <em>first</em> SecurityToken in the
     * private credentials and the <em>first</em> in the public credentials are
     * examined ({@code if (it.hasNext())}, not a loop). If the Subject holds
     * several SecurityTokens, a matching one that is not first is missed and
     * {@code commit()} will add a duplicate. This may be decompiler loss of a
     * loop — confirm against the original source before relying on it.
     *
     * @param subject Subject to search; {@code null} yields {@code null}
     * @param str unique ID to match; {@code null}/blank yields {@code null}
     * @param qName value type to match; {@code null} yields {@code null}
     * @return the matching token, or {@code null} if none was found
     * @throws SoapSecurityException wrapping any exception raised during the privileged lookup
     */
    private static final SecurityToken getOneAuthnTokenFromSubjectByUniqueIDAndType(final Subject subject, final String str, final QName qName) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getOneAuthnTokenFromSubjectByUniqueID() entry... " + str);
        }
        if (subject == null || str == null || str.trim().isEmpty() || qName == null) {
            return null;
        }
        try {
            SecurityToken securityToken = (SecurityToken) AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.ws.wssecurity.platform.websphere.wssapi.token.impl.wssTokenPropagationInboundLoginModule.2
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws Exception {
                    // Private credentials: only the first SecurityToken is inspected.
                    Iterator it = subject.getPrivateCredentials(SecurityToken.class).iterator();
                    if (it.hasNext()) {
                        // Decompiler artifact: declared as AuthenticationToken but cast to SecurityToken.
                        AuthenticationToken authenticationToken = (SecurityToken) it.next();
                        if (authenticationToken != null && (authenticationToken instanceof AuthenticationToken) && qName.equals(authenticationToken.getValueType())) {
                            AuthenticationToken authenticationToken2 = authenticationToken;
                            if (wssTokenPropagationInboundLoginModule.tc.isDebugEnabled()) {
                                Tr.debug(wssTokenPropagationInboundLoginModule.tc, "Found SecurityToken in PrivateCredential: " + authenticationToken2.getUniqueID());
                            }
                            if (str.equals(authenticationToken2.getUniqueID())) {
                                return authenticationToken;
                            }
                        } else if (wssTokenPropagationInboundLoginModule.tc.isDebugEnabled()) {
                            Tr.debug(wssTokenPropagationInboundLoginModule.tc, "NO SecurityToken is found to be processed...");
                        }
                    }
                    // Public credentials: likewise only the first SecurityToken is inspected.
                    Iterator it2 = subject.getPublicCredentials(SecurityToken.class).iterator();
                    if (!it2.hasNext()) {
                        return null;
                    }
                    // Decompiler artifact: same declared-vs-cast mismatch as above.
                    AuthenticationToken authenticationToken3 = (SecurityToken) it2.next();
                    if (authenticationToken3 == null || !(authenticationToken3 instanceof AuthenticationToken) || !qName.equals(authenticationToken3.getValueType())) {
                        if (!wssTokenPropagationInboundLoginModule.tc.isDebugEnabled()) {
                            return null;
                        }
                        Tr.debug(wssTokenPropagationInboundLoginModule.tc, "NO SecurityToken is found to be processed...");
                        return null;
                    }
                    AuthenticationToken authenticationToken4 = authenticationToken3;
                    if (wssTokenPropagationInboundLoginModule.tc.isDebugEnabled()) {
                        Tr.debug(wssTokenPropagationInboundLoginModule.tc, "Found SecurityToken in publicCredential: " + authenticationToken4.getUniqueID());
                    }
                    if (str.equals(authenticationToken4.getUniqueID())) {
                        return authenticationToken3;
                    }
                    return null;
                }
            });
            if (securityToken == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Could not find SecurityToken for uniqueID:" + str);
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Found SecurityToken from runAsSubject: " + securityToken);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getOneAuthnTokenFromSubjectByUniqueID() exits... ");
            }
            return securityToken;
        } catch (Exception e) {
            // Typically a PrivilegedActionException; its cause (not the wrapper) is attached.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting SecurityToken from Subject.", new Object[]{e});
            }
            throw new SoapSecurityException(e.getMessage(), e.getCause());
        }
    }
}
