package com.ibm.ws.wssecurity.impl.auth.module;

import com.ibm.websphere.wssecurity.callbackhandler.PropertyCallback;
import com.ibm.websphere.wssecurity.callbackhandler.SAMLIdAssertionCallback;
import com.ibm.websphere.wssecurity.wssapi.XMLStructure;
import com.ibm.websphere.wssecurity.wssapi.token.LTPAToken;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.ws.wssecurity.common.Result;
import com.ibm.ws.wssecurity.common.ResultPool;
import com.ibm.ws.wssecurity.impl.auth.callback.TrustedIdentityCallback;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGenerator;
import com.ibm.ws.wssecurity.token.AuthResult;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.ConstantsRetrieverFactory;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.wssapi.OMStructure;
import com.ibm.wsspi.wssecurity.core.Constants;
import com.ibm.wsspi.wssecurity.core.config.CallerConfig;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/* loaded from: input_file:lib/com.ibm.jaxws.thinclient_9.0.jar:com/ibm/ws/wssecurity/impl/auth/module/PreCallerLoginModule.class */
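/**
 * First stage of the WS-Security caller login chain.
 *
 * <p>{@link #login()} drives the configured {@link CallbackHandler} with a
 * {@link TrustedIdentityCallback}, a {@link PropertyCallback} and a
 * {@link SAMLIdAssertionCallback}, reads the {@link CallerConfig} and the
 * {@link AuthResult}s out of the callback properties, splits the results into
 * caller-identity and trusted-identity candidate token sets, and publishes the
 * callbacks, the caller configuration, both candidate sets, the properties and
 * (when present) the trusted identity list into the JAAS shared state for the
 * modules that follow. It does not populate the {@link Subject} itself.
 *
 * <p>Behaviour worth knowing when reviewing a caller configuration:
 * <ul>
 *   <li>With identity assertion enabled and {@code trustAnyTrustedIdentity()}
 *       true, no trusted-identity candidates are collected or required; the
 *       trusted candidate set stored in the shared state is empty.</li>
 *   <li>With identity assertion enabled and {@code trustAnyTrustedIdentity()}
 *       false, both a caller candidate and a trusted-identity candidate must be
 *       present or the login fails.</li>
 *   <li>Without identity assertion only a caller candidate is required.</li>
 *   <li>The debug traces write the callback properties and the trusted identity
 *       list to the trace log.</li>
 * </ul>
 *
 * <p>{@link #commit()} always returns {@code true}; {@link #abort()} and
 * {@link #logout()} always return {@code false}. Instances are not thread-safe;
 * JAAS creates one per {@code LoginContext}.
 */
public class PreCallerLoginModule implements LoginModule {
    private static final TraceComponent tc = Tr.register(PreCallerLoginModule.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");

    /** Prefix of every message key this module resolves through {@link ConfigUtil#getMessage}. */
    private static final String COMP = "security.wssecurity";

    /** System property that switches {@link #shouldCloseNode} to the legacy criterion. */
    private static final String OLD_CLONE_CRITERIA_PROPERTY = "com.ibm.ws.wssecurity.useOldCloneCriteria";

    // Read once at class load; an unreadable property leaves the default (false).
    private static final boolean useOldCloneCriteria = readOldCloneCriteria();

    private CallbackHandler _handler;
    // Raw type kept on purpose: the JAAS contract hands over Map<String, ?>, which
    // does not permit put(), and the keys stored below are project constants.
    private Map _sharedState;

    /**
     * Stores the callback handler and the shared state; the subject and the
     * options are not used by this module.
     */
    @Override
    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options)");
        }
        this._handler = handler;
        this._sharedState = sharedState;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize(Subject, CallbackHandler, Map, Map)");
        }
    }

    /**
     * Collects the caller (and, when required by the caller configuration, the
     * trusted) identity candidates and publishes them into the shared state.
     *
     * @return {@code true} when at least the required candidates were found
     * @throws LoginException with the {@code LoginProcessor.s01} key when no
     *         caller identity candidate exists, {@code LoginProcessor.s02} when a
     *         trusted identity is required but none was found,
     *         {@code LoginProcessor.s03} when a candidate carries no security
     *         token, and {@code BSTokenLoginModule.s01} (cause attached) for any
     *         other failure, e.g. the callback handler rejecting a callback or a
     *         missing {@link CallerConfig}
     */
    @Override
    public boolean login() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        TrustedIdentityCallback trustedIdentityCallback = new TrustedIdentityCallback();
        PropertyCallback propertyCallback = new PropertyCallback(null);
        Callback[] callbacks = {trustedIdentityCallback, propertyCallback, new SAMLIdAssertionCallback()};
        try {
            this._handler.handle(callbacks);
            Set<String> identityList = trustedIdentityCallback.getIdentityList();
            Map<Object, Object> properties = propertyCallback.getProperties();
            CallerConfig callerConfig = (CallerConfig) properties.get(CallerConfig.CONFIG_KEY);
            // Fail with a readable reason instead of a bare NPE; the outer catch wraps it.
            Objects.requireNonNull(callerConfig, "no CallerConfig found in the callback properties");
            Result[] authResults = ResultPool.get(properties, AuthResult.class);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The length of auth results = " + authResults.length);
            }
            if (authResults.length == 0) {
                throw new LoginException(ConfigUtil.getMessage(COMP + ".LoginProcessor.s01"));
            }

            boolean identityAssertion = callerConfig.useIdentityAssertion();
            // trustAnyTrustedIdentity() is only consulted when identity assertion is on.
            boolean validateTrustedIdentity = identityAssertion && !callerConfig.trustAnyTrustedIdentity();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, identityAssertion ? "Identity Assertion IS used." : "Identity Assertion IS NOT used.");
                if (validateTrustedIdentity) {
                    Tr.debug(tc, "Trusted identity should be also validated.");
                } else {
                    if (identityAssertion) {
                        Tr.debug(tc, "Any trusted identity is trusted in an unconditional way.");
                    }
                    Tr.debug(tc, "Checking caller identity only...");
                }
            }

            // Collect first, then check emptiness: a candidate without a token (s03)
            // is reported before a missing candidate set (s01/s02).
            Set<SecurityToken> callerCandidates = collectCandidateTokens(authResults, false);
            Set<SecurityToken> trustedCandidates = new HashSet<>();
            if (validateTrustedIdentity) {
                trustedCandidates = collectCandidateTokens(authResults, true);
            }
            if (callerCandidates.isEmpty()) {
                throw new LoginException(ConfigUtil.getMessage(COMP + ".LoginProcessor.s01"));
            }
            if (validateTrustedIdentity && trustedCandidates.isEmpty()) {
                throw new LoginException(ConfigUtil.getMessage(COMP + ".LoginProcessor.s02"));
            }

            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Stored the callbacks [" + callbacks + "].");
            }
            this._sharedState.put(ConstantsRetrieverFactory.getInstance().getSecurityAuthCallBackKey(), callbacks);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Stored the caller configuration [" + callerConfig + "].");
            }
            this._sharedState.put(CallerConfig.CONFIG_KEY, callerConfig);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Stored the caller identity candidates [" + callerCandidates + "].");
            }
            // Close the OMStructure behind each caller candidate before it is handed on.
            for (SecurityToken token : callerCandidates) {
                if (shouldCloseNode(token)) {
                    XMLStructure xml = token.getXML();
                    if (xml instanceof OMStructure) {
                        ((OMStructure) xml).close();
                    }
                }
            }
            this._sharedState.put(Constants.WSSECURITY_CALLER_IDENTITY_CANDIDATES, callerCandidates);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Stored the trusted identity candidates [" + trustedCandidates + "].");
            }
            this._sharedState.put(Constants.WSSECURITY_TRUSTED_IDENTITY_CANDIDATES, trustedCandidates);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Stored the context in the shared state [" + properties + "].");
            }
            this._sharedState.put(WSSAuditEventGenerator.LOCAL_CONTEXT, properties);
            if (identityList != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Stored the trusted identity list [" + identityList + "].");
                }
                this._sharedState.put(Constants.WSSECURITY_TRUSTED_IDENTITY_LIST, identityList);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "login()");
            }
            return true;
        } catch (LoginException e) {
            // Deliberate failures above already carry their specific message key;
            // re-wrapping them would hide that key from the caller and the logs.
            throw e;
        } catch (Exception e) {
            LoginException wrapped = new LoginException(ConfigUtil.getMessage(COMP + ".BSTokenLoginModule.s01", new String[]{e.toString()}));
            wrapped.initCause(e);
            throw wrapped;
        }
    }

    /**
     * Returns the security tokens of every caller token in {@code results} that
     * is a caller-identity candidate ({@code trusted == false}) or a
     * trusted-identity candidate ({@code trusted == true}).
     *
     * @throws LoginException with the {@code LoginProcessor.s03} key when a
     *         matching result carries no security token
     */
    private Set<SecurityToken> collectCandidateTokens(Result[] results, boolean trusted) throws LoginException {
        Set<SecurityToken> tokens = new HashSet<>();
        for (Result result : results) {
            AuthResult authResult = (AuthResult) result;
            boolean candidate = trusted ? authResult.isTrustedIdentityCandidate() : authResult.isCallerIdentityCandidate();
            if (candidate && authResult.isCallerToken()) {
                SecurityToken token = authResult.getTokenWrapper().getSecurityToken();
                if (token == null) {
                    throw new LoginException(ConfigUtil.getMessage(COMP + ".LoginProcessor.s03"));
                }
                tokens.add(token);
            }
        }
        return tokens;
    }

    /** No work is done here; the candidates were already published by {@link #login()}. */
    @Override
    public boolean commit() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "commit()");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "commit()");
        }
        return true;
    }

    /** Nothing to undo; always reports {@code false}. */
    @Override
    public boolean abort() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "abort()");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "abort()");
        }
        return false;
    }

    /** Nothing to clean up; always reports {@code false}. */
    @Override
    public boolean logout() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "logout()");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "logout()");
        }
        return false;
    }

    /**
     * Decides whether the {@link OMStructure} behind a caller candidate is closed
     * by {@link #login()}: every token by default, only {@link LTPAToken}s when
     * the legacy criterion is enabled through {@value #OLD_CLONE_CRITERIA_PROPERTY}.
     */
    private boolean shouldCloseNode(SecurityToken securityToken) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "shouldCloseNode(" + ConfigUtil.getObjType(securityToken) + ")");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "useOldCloneCriteria[" + useOldCloneCriteria + "]");
        }
        boolean close = !useOldCloneCriteria || securityToken instanceof LTPAToken;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "shouldCloseNode returns[" + close + "]");
        }
        return close;
    }

    /**
     * Reads {@value #OLD_CLONE_CRITERIA_PROPERTY} once; best effort, so a failure
     * (for instance a SecurityException from {@code System.getProperty}) keeps
     * the default of {@code false}.
     */
    private static boolean readOldCloneCriteria() {
        try {
            return ConfigUtil.isTrue(System.getProperty(OLD_CLONE_CRITERIA_PROPERTY));
        } catch (Exception ignored) {
            // Same outcome as the original static initializer: fall back to the default.
            return false;
        }
    }
}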
