package com.ibm.ws.security.web.inbound.saml;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.EntryNotFoundException;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.ws.security.web.inbound.saml.util.ConfigUtil;
import com.ibm.ws.security.web.inbound.saml.util.MessageHelper;
import com.ibm.wsspi.security.registry.RegistryHelper;
import com.ibm.wsspi.wssecurity.saml.data.SAMLAttribute;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.Locale;
import java.util.ResourceBundle;

/* loaded from: input_file:lib/com.ibm.jaxws.thinclient_9.0.jar:com/ibm/ws/security/web/inbound/saml/AssertionToSubject.class */
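/**
 * Maps the identity carried by a SAML token (principal, issuer and attribute values) onto the
 * pieces the inbound SAML trust association needs: user name, realm, unique user id and group ids.
 * Which token field or attribute is used for each piece is driven by the {@link Configuration}
 * passed to the constructor ({@code getUserIdentifier()}, {@code getRealmIdentifier()}, ...).
 *
 * <p>Instances are cheap and bound to one token; create one per request.
 */
public class AssertionToSubject {
    private static final TraceComponent tc = Tr.register(AssertionToSubject.class, MessageHelper._TR_GROUP, MessageHelper._MSG_FILE);
    private static final ResourceBundle samlBundle = ResourceBundle.getBundle("com.ibm.ws.wssecurity.resources.samlmessages", Locale.getDefault());

    // Unique ids handed to the security runtime have the shape "user:<realm>/<id>" and "group:<realm>/<id>".
    private static final String USER_ID_PREFIX = "user:";
    private static final String GROUP_ID_PREFIX = "group:";

    // The token being mapped. Deliberately an instance field: the decompiled original kept it in a
    // static field written by the constructor, so two requests mapping different tokens at the same
    // time could read each other's principal, issuer and attributes (identity confusion).
    private final SAMLToken token;
    Configuration config;

    /**
     * @param configuration inbound SAML configuration that says which token fields/attributes to use
     * @param sAMLToken     the validated token whose identity information is mapped
     */
    public AssertionToSubject(Configuration configuration, SAMLToken sAMLToken) {
        this.config = configuration;
        this.token = sAMLToken;
    }

    /**
     * Resolves the user name: the value of the configured user-identifier attribute when one is
     * configured, otherwise the token's principal (NameID).
     *
     * @return the user name, never {@code null} or empty
     * @throws WebTrustAssociationFailedException when the configured attribute cannot be resolved
     *         to exactly one value, or no attribute is configured and the token has no principal
     */
    public String getUser() throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getUser");
        }
        String detail = null;
        Throwable cause = null;
        String principal = token.getPrincipal();
        String userIdentifier = this.config.getUserIdentifier();
        if (userIdentifier != null && !userIdentifier.isEmpty()) {
            try {
                principal = findAttValue(userIdentifier, Constants.USER_IDENTIFIER);
            } catch (Exception e) {
                // Broad catch kept on purpose: any failure while reading the token becomes a TAI failure.
                detail = e.getMessage();
                cause = e;
            }
        } else if (principal == null || principal.isEmpty()) {
            detail = MessageHelper.getMessage(samlBundle, "security.wssecurity.CWSML7010E", new String[]{"NameID", "Subject"});
        }
        if (detail != null) {
            throw newFailure("security.webinbound.saml.noUserName", detail, cause);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getUser returns [" + principal + "]");
        }
        return principal;
    }

    /**
     * Resolves the realm: the configured realm name if set; otherwise the value of the configured
     * realm-identifier attribute; otherwise the token's issuer name.
     *
     * @return the realm name, never {@code null} or empty
     * @throws WebTrustAssociationFailedException when the configured attribute cannot be resolved
     *         to exactly one value, or nothing is configured and the token has no issuer
     */
    public String getRealm() throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRealm");
        }
        String realmName = this.config.getRealmName();
        if (realmName != null && !realmName.isEmpty()) {
            // A statically configured realm wins; the token is not consulted at all.
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getRealm returns [" + realmName + "]");
            }
            return realmName;
        }
        String detail = null;
        Throwable cause = null;
        String realm = token.getSAMLIssuerName();
        String realmIdentifier = this.config.getRealmIdentifier();
        if (realmIdentifier != null && !realmIdentifier.isEmpty()) {
            try {
                realm = findAttValue(realmIdentifier, Constants.REALM_IDENTIFIER);
            } catch (Exception e) {
                detail = e.getMessage();
                cause = e;
            }
        } else if (realm == null || realm.isEmpty()) {
            detail = MessageHelper.getMessage(samlBundle, "security.wssecurity.CWSML7004E", new String[]{"Issuer"});
        }
        if (detail != null) {
            throw newFailure("security.webinbound.saml.noRealmName", detail, cause);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRealm returns [" + realm + "]");
        }
        return realm;
    }

    /**
     * Builds the unique user id {@code user:<realm>/<id>}, where {@code <id>} is the value of the
     * configured unique-user-identifier attribute, or {@code str} when none is configured. A value
     * that already carries the {@code user:<realm>/} prefix is returned unchanged.
     *
     * @param str  the user name (used as the id when no attribute is configured)
     * @param str2 the realm name
     * @return the prefixed unique id
     * @throws WebTrustAssociationFailedException when the configured attribute cannot be resolved,
     *         or none is configured and {@code str} is {@code null} or empty
     */
    public String getUserUniqueIdentity(String str, String str2) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getUserUniqueIdentity(user[" + str + "], realm[" + str2 + "]");
        }
        String detail = null;
        Throwable cause = null;
        String uniqueId = str;
        String uniqueUserIdentifier = this.config.getUniqueUserIdentifier();
        if (uniqueUserIdentifier != null && !uniqueUserIdentifier.isEmpty()) {
            try {
                uniqueId = findAttValue(uniqueUserIdentifier, Constants.UID_IDENTIFIER);
            } catch (Exception e) {
                detail = e.getMessage();
                cause = e;
            }
        } else if (uniqueId == null || uniqueId.isEmpty()) {
            detail = MessageHelper.getMessage(samlBundle, "security.wssecurity.CWSML7010E", new String[]{"NameID", "Subject"});
        }
        if (detail != null) {
            throw newFailure("security.webinbound.saml.noUniqueId", detail, cause);
        }
        uniqueId = withPrefix(uniqueId, USER_ID_PREFIX + str2 + "/");
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getUserUniqueIdentity returns [" + uniqueId + "]");
        }
        return uniqueId;
    }

    /**
     * Resolves the group ids of the configured group attribute through the user registry: every
     * value of the attribute is looked up with {@link #mapGroupToUserRegistry(List, String, String)}.
     *
     * @param str the realm name used for the {@code group:<realm>/} prefix
     * @return the prefixed registry group ids; empty when no group identifier is configured or the
     *         token carries no such attribute (never {@code null})
     * @throws WebTrustAssociationFailedException when a registry lookup fails for a reason other
     *         than the group not existing
     */
    public List<String> getGroupUniqueIdentityFromRegistry(String str) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getGroupUniqueIdentityFromRegistry(realm[" + str + "]");
        }
        List<String> groups = new ArrayList<String>();
        String groupIdentifier = this.config.getGroupIdentifier();
        // Empty identifier treated like null, consistent with getGroupUniqueIdentity().
        if (groupIdentifier != null && !groupIdentifier.isEmpty()) {
            String realmPrefix = GROUP_ID_PREFIX + str + "/";
            for (String groupName : groupAttributeValues(groupIdentifier)) {
                mapGroupToUserRegistry(groups, groupName, realmPrefix);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getGroupUniqueIdentityFromRegistry returns [" + ConfigUtil.getObjState(groups) + "]");
        }
        return groups;
    }

    /**
     * Looks one group name up in the default user registry and appends its unique group id, plus
     * every id the registry returns from {@code getUniqueGroupIds}, to {@code list}, each prefixed
     * with {@code str2}. A group the registry does not know is skipped (best effort).
     *
     * @param list the list to append to (also returned)
     * @param str  the group name from the token; a leading {@code str2} is stripped before lookup
     * @param str2 the {@code group:<realm>/} prefix
     * @return {@code list}
     * @throws WebTrustAssociationFailedException for any registry failure other than
     *         {@link EntryNotFoundException}
     */
    List<String> mapGroupToUserRegistry(List<String> list, String str, String str2) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "mapGroupToUserRegistry(groups[" + ConfigUtil.getObjState(list) + "], origGroup[" + str + "], origRealmPrefix[" + str2 + "])");
        }
        // The registry is queried by bare group name, so drop a prefix the token may already carry.
        String groupName = str;
        if (groupName != null && groupName.startsWith(str2)) {
            groupName = groupName.substring(str2.length());
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "original Group:" + groupName);
        }
        try {
            // null realm argument: presumably selects the default registry — TODO confirm against RegistryHelper.
            UserRegistry userRegistry = RegistryHelper.getUserRegistry((String) null);
            String uniqueGroupId = userRegistry.getUniqueGroupId(groupName);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "groupDN from registry:" + uniqueGroupId);
            }
            list.add(str2 + uniqueGroupId);
            List<String> relatedGroupIds = userRegistry.getUniqueGroupIds(uniqueGroupId);
            for (String relatedGroupId : relatedGroupIds) {
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "groupDN from GroupIds:" + relatedGroupId);
                }
                list.add(str2 + relatedGroupId);
            }
        } catch (EntryNotFoundException ignored) {
            // Deliberate best effort: an unknown group contributes nothing; the original swallowed
            // this silently, the trace line makes the skip visible when debugging group mapping.
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "group not found in registry, skipped:" + groupName);
            }
        } catch (Exception e) {
            WebTrustAssociationFailedException failure = new WebTrustAssociationFailedException(e.getMessage());
            failure.initCause(e);
            throw failure;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "mapGroupToUserRegistry returns [" + ConfigUtil.getObjState(list) + "]");
        }
        return list;
    }

    /**
     * Maps every group name in {@code list} through the user registry (see
     * {@link #mapGroupToUserRegistry(List, String, String)}) into a new list.
     *
     * @param list group names
     * @param str  the realm name used for the {@code group:<realm>/} prefix
     * @return a new list of prefixed registry group ids
     * @throws WebTrustAssociationFailedException when a registry lookup fails
     */
    List<String> mapGroupsToUserRegistry(List<String> list, String str) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "mapGroupsToUserRegistry(oldGroups[" + ConfigUtil.getObjState(list) + "], realm[" + str + "])");
        }
        String realmPrefix = GROUP_ID_PREFIX + str + "/";
        List<String> groups = new ArrayList<String>();
        for (String groupName : list) {
            mapGroupToUserRegistry(groups, groupName, realmPrefix);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "mapGroupsToUserRegistry returns [" + ConfigUtil.getObjState(groups) + "]");
        }
        return groups;
    }

    /**
     * Returns the values of the configured group attribute as unique group ids, taken from the
     * token as-is (no registry lookup) and prefixed with {@code group:<realm>/} unless already so.
     *
     * @param str the realm name
     * @return the prefixed group ids; empty when no group identifier is configured (never {@code null})
     * @throws WebTrustAssociationFailedException declared for API compatibility; not thrown here
     */
    public List<String> getGroupUniqueIdentity(String str) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getGroupUniqueIdentity(realm[" + str + "])");
        }
        List<String> groups = new ArrayList<String>();
        String groupIdentifier = this.config.getGroupIdentifier();
        if (groupIdentifier != null && !groupIdentifier.isEmpty()) {
            String realmPrefix = GROUP_ID_PREFIX + str + "/";
            for (String groupName : groupAttributeValues(groupIdentifier)) {
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "groupDN from Token Attributes:" + groupName);
                }
                groups.add(withPrefix(groupName, realmPrefix));
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getGroupUniqueIdentity returns [" + ConfigUtil.getObjState(groups) + "]");
        }
        return groups;
    }

    /**
     * Builds the key under which the mapped subject is cached:
     * {@code <providerId><issuerName.hashCode()>_<samlID>} (the provider id is omitted when not configured).
     *
     * @return the cache key
     */
    public String getCustomCacheKeyValue() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getCustomCacheKeyValue");
        }
        StringBuilder key = new StringBuilder();
        if (this.config.getProviderId() != null) {
            key.append(this.config.getProviderId());
        }
        // A token without an issuer previously raised a NullPointerException here; it now hashes as 0.
        String issuerName = token.getSAMLIssuerName();
        int issuerHash = issuerName == null ? 0 : issuerName.hashCode();
        key.append(issuerHash).append("_").append(token.getSamlID());
        String cacheKey = key.toString();
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "token cache key :" + cacheKey);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getCustomCacheKeyValue returns [" + cacheKey + "]");
        }
        return cacheKey;
    }

    /**
     * Returns the single value of the token attribute named {@code str}.
     *
     * <p>Every attribute with that name is examined in token order: a match with exactly one value
     * becomes the result, a match with zero or several values records an error. The result of a
     * one-valued match wins over an error recorded for another same-named attribute.
     * NOTE(review): with duplicate attribute names the last one-valued match is returned, so the
     * mapping does not fail closed on an ambiguous token — confirm this is intended.
     *
     * @param str  the attribute name to look for
     * @param str2 the configuration property that named the attribute (used in the error message)
     * @return the attribute's only value
     * @throws WebTrustAssociationFailedException when the token has no attribute statement, no
     *         attribute named {@code str}, or that attribute does not have exactly one value
     */
    private String findAttValue(String str, String str2) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "findAttValue(findAttribute[" + str + "], propertyName[" + str2 + "])");
        }
        String value = null;
        String detail = null;
        List<SAMLAttribute> attributes = token.getSAMLAttributes();
        if (attributes.isEmpty()) {
            detail = MessageHelper.getMessage(samlBundle, "security.wssecurity.CWSML7004E", new String[]{"AttributeStatement"});
        } else {
            for (SAMLAttribute attribute : attributes) {
                if (!str.equals(attribute.getName())) {
                    continue;
                }
                String[] values = attribute.getStringAttributeValue();
                int count = values == null ? 0 : values.length;
                if (count == 1) {
                    value = values[0];
                } else if (count > 1) {
                    detail = MessageHelper.getMessage("security.webinbound.saml.multAttValue", new String[]{str});
                } else {
                    detail = MessageHelper.getMessage("security.webinbound.saml.noAttValue", new String[]{str, "Attribute", "AttributeValue"});
                }
            }
        }
        if (value == null) {
            if (detail == null) {
                detail = MessageHelper.getMessage("security.webinbound.saml.noAtt", new String[]{"Attribute", "Name", str});
            }
            throw new WebTrustAssociationFailedException(MessageHelper.getMessage("security.webinbound.saml.configEntry", new String[]{str2, str}) + " " + detail);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "findAttValue returns [" + value + "]");
        }
        return value;
    }

    /**
     * Collects every value of every token attribute named {@code groupIdentifier}, in token order.
     * {@code null} values are skipped (they could not be prefixed or looked up anyway).
     */
    private List<String> groupAttributeValues(String groupIdentifier) {
        List<String> values = new ArrayList<String>();
        for (SAMLAttribute attribute : token.getSAMLAttributes()) {
            if (!groupIdentifier.equals(attribute.getName())) {
                continue;
            }
            String[] attributeValues = attribute.getStringAttributeValue();
            if (attributeValues == null) {
                continue;
            }
            for (String attributeValue : attributeValues) {
                if (attributeValue != null) {
                    values.add(attributeValue);
                }
            }
        }
        return values;
    }

    /** Returns {@code value} unchanged when it already starts with {@code prefix}, else {@code prefix + value}. */
    private static String withPrefix(String value, String prefix) {
        return value.startsWith(prefix) ? value : prefix + value;
    }

    /**
     * Builds the exception thrown by the public getters: the translated message for
     * {@code messageKey}, a space, and {@code detail}; {@code cause} (may be {@code null}) is
     * attached so the original failure is not lost.
     */
    private static WebTrustAssociationFailedException newFailure(String messageKey, String detail, Throwable cause) {
        WebTrustAssociationFailedException failure = new WebTrustAssociationFailedException(MessageHelper.getMessage(messageKey) + " " + detail);
        if (cause != null) {
            failure.initCause(cause);
        }
        return failure;
    }
}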
