package com.ibm.ws.wssecurity.platform.websphere.auth;

import com.ibm.ISecurityUtilityImpl.RealmSecurityName;
import com.ibm.websphere.management.application.AppConstants;
import com.ibm.websphere.security.auth.WSPrincipal;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.security.util.AccessController;
import com.ibm.ws.wssecurity.platform.auth.WSSContextFactory;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManager;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManagerFactory;
import com.ibm.ws.wssecurity.platform.auth.WSSRealm;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.wsspi.security.registry.RegistryHelper;
import com.ibm.wsspi.security.token.WSSecurityPropagationHelper;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import org.apache.axis2.context.MessageContext;

/* loaded from: input_file:lib/com.ibm.jaxws.thinclient_9.0.jar:com/ibm/ws/wssecurity/platform/websphere/auth/WSSRealmImpl.class */
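public class WSSRealmImpl implements WSSRealm {
    private static final TraceComponent tc = Tr.register(WSSRealmImpl.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    private static final String comp = "security.wssecurity";

    /**
     * Decides whether a realm-qualified identity ({@code name<delimiter>uniqueId}) belongs to a
     * realm that the user registry trusts for inbound identity assertion.
     *
     * @param str the asserted identity; may be {@code null}
     * @return {@code true} only when exactly one delimiter is present, both halves are non-empty
     *         and {@link RegistryHelper#isRealmInboundTrusted} accepts the realm carried by the
     *         unique id; {@code false} for null, unqualified or malformed input (fail closed)
     * @throws SoapSecurityException declared by the interface
     */
    @Override
    public boolean isUserFromTrustedRealm(String str) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isUserFromTrustedRealm: " + str);
        }
        boolean trusted = false;
        if (str != null) {
            final String delim = WSSRealm.IDENTITY_DELIMITER;
            final int first = str.indexOf(delim);
            if (first != str.lastIndexOf(delim)) {
                // More than one delimiter: the identity is ambiguous and is never trusted.
                Tr.error(tc, "security.wssecurity.WSSRealmImpl.s02", new Object[]{str, delim});
            } else if (first > 0 && first < str.length() - delim.length()) {
                // Name before and unique id after the delimiter are both non-empty.
                String uniqueId = str.substring(first + delim.length());
                String realm = WSSecurityPropagationHelper.getRealmFromUniqueID(uniqueId);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "asserted uniqueId = " + uniqueId + " realm = " + realm);
                }
                // NOTE(review): getRealmFromUniqueID may hand back null for a malformed unique id;
                // what isRealmInboundTrusted(null, null) answers is not visible here -- confirm it
                // fails closed rather than treating null as the local realm.
                trusted = RegistryHelper.isRealmInboundTrusted(realm, (String) null);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "trusted = " + trusted);
        }
        return trusted;
    }

    /**
     * Builds the realm-qualified identity string for an already authenticated subject.
     *
     * @param subject the authenticated subject; {@code null} yields no identity
     * @param z when {@code true} the WSPrincipal name is used verbatim instead of being reduced to
     *          its security name via {@link RealmSecurityName#getSecurityName}
     * @param z2 when {@code true} the WSCredential realm-unique security name is appended after
     *           {@link WSSRealm#IDENTITY_DELIMITER} and the result must be realm-qualified
     * @return the identity string; never {@code null}
     * @throws SoapSecurityException if no identity could be derived, the result is not
     *         realm-qualified although {@code z2} asked for it, or the privileged lookup failed
     */
    @Override
    public String getRealmQualifiedIdentity(final Subject subject, final boolean z, final boolean z2) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRealmQualifiedIdentity");
        }
        String identity = null;
        if (subject != null) {
            try {
                identity = (String) AccessController.doPrivileged(new PrivilegedAction<String>() {
                    @Override
                    public String run() {
                        try {
                            return getRealmQualifiedIdentityHelper(subject, z, z2);
                        } catch (Exception e) {
                            // PrivilegedAction.run cannot throw checked exceptions; the outer
                            // catch re-wraps this as SoapSecurityException with the cause kept.
                            throw new SecurityException(e);
                        }
                    }
                });
            } catch (Exception e) {
                throw new SoapSecurityException(e);
            }
        }
        return finishQualifiedIdentity("getRealmQualifiedIdentity", identity, z2);
    }

    /**
     * Logs a user in against the default realm and builds the realm-qualified identity of the
     * resulting subject.
     *
     * @param str the user name (possibly realm-prefixed; reduced via
     *            {@link RealmSecurityName#getSecurityName}); {@code null} yields no identity
     * @param str2 the password, or {@code null} to use the password-less login
     * @param z see {@link #getRealmQualifiedIdentity(Subject, boolean, boolean)}
     * @param z2 see {@link #getRealmQualifiedIdentity(Subject, boolean, boolean)}
     * @return the identity string; never {@code null}
     * @throws SoapSecurityException if the login or identity derivation fails, or the result is
     *         not realm-qualified although {@code z2} asked for it
     */
    @Override
    public String getRealmQualifiedIdentity(String str, final String str2, final boolean z, final boolean z2) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRealmQualifiedIdentity " + str);
        }
        String identity = null;
        if (str != null) {
            try {
                final String securityName = RealmSecurityName.getSecurityName(str);
                identity = (String) AccessController.doPrivileged(new PrivilegedAction<String>() {
                    @Override
                    public String run() {
                        try {
                            WSSContextManager contextManager = WSSContextManagerFactory.getInstance();
                            String defaultRealm = contextManager.getDefaultRealm();
                            Subject login = (str2 == null)
                                    ? contextManager.login(defaultRealm, securityName)
                                    : contextManager.login(defaultRealm, securityName, str2);
                            if (tc.isDebugEnabled()) {
                                // Subject.toString() also renders private credentials the caller
                                // may read (tokens, possibly the password); trace the principals
                                // only so a debug trace cannot leak secrets.
                                Tr.debug(tc, "subject principals = " + login.getPrincipals());
                            }
                            return getRealmQualifiedIdentityHelper(login, z, z2);
                        } catch (Exception e) {
                            // Re-wrapped as SoapSecurityException by the outer catch.
                            throw new SecurityException(e);
                        }
                    }
                });
            } catch (Exception e) {
                throw new SoapSecurityException(e);
            }
        }
        return finishQualifiedIdentity("getRealmQualifiedIdentity", identity, z2);
    }

    /**
     * Builds the realm-qualified identity of the run-as subject attached to a message context.
     *
     * @param messageContext the Axis2 message context to read the run-as subject from
     * @param z see {@link #getRealmQualifiedIdentity(Subject, boolean, boolean)}
     * @param z2 see {@link #getRealmQualifiedIdentity(Subject, boolean, boolean)}
     * @return the identity string; never {@code null}
     * @throws SoapSecurityException if there is no run-as subject, no identity could be derived,
     *         the result is not realm-qualified although {@code z2} asked for it, or the
     *         privileged lookup failed
     */
    @Override
    public String getRealmQualifiedRunAsIdentity(final MessageContext messageContext, final boolean z, final boolean z2) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRealmQualifiedRunAsIdentity");
        }
        String identity;
        try {
            identity = (String) AccessController.doPrivileged(new PrivilegedAction<String>() {
                @Override
                public String run() {
                    try {
                        Subject runAsSubject = WSSContextFactory.getInstance().getRunAsSubject(messageContext);
                        if (runAsSubject == null) {
                            return null;
                        }
                        return getRealmQualifiedIdentityHelper(runAsSubject, z, z2);
                    } catch (SoapSecurityException e) {
                        // Re-wrapped as SoapSecurityException by the outer catch.
                        throw new SecurityException(e);
                    }
                }
            });
        } catch (Exception e) {
            throw new SoapSecurityException(e);
        }
        // Done outside the try so the formatted s01 exception reaches the caller unwrapped instead
        // of being swallowed into a generic SoapSecurityException(e).
        return finishQualifiedIdentity("getRealmQualifiedRunAsIdentity", identity, z2);
    }

    /**
     * Shared tail of the {@code getRealmQualified*} methods: enforces realm qualification when
     * requested, writes the exit trace and converts "no identity" into the s01 exception.
     *
     * @param traceName label used in the exit trace
     * @param identity the derived identity, or {@code null}
     * @param requireQualified when {@code true} an identity that is not realm-qualified is logged
     *                         as s02 and rejected
     * @return the identity; never {@code null}
     * @throws SoapSecurityException (s01) if no acceptable identity is available
     */
    private String finishQualifiedIdentity(String traceName, String identity, boolean requireQualified) throws SoapSecurityException {
        String result = identity;
        if (result != null && requireQualified && !isIdentityRealmQualified(result)) {
            Tr.error(tc, "security.wssecurity.WSSRealmImpl.s02", new Object[]{result, WSSRealm.IDENTITY_DELIMITER});
            result = null;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, traceName + ": " + result);
        }
        if (result == null) {
            throw SoapSecurityException.format("security.wssecurity.WSSRealmImpl.s01");
        }
        return result;
    }

    /**
     * Strips the realm qualification from an identity.
     *
     * @param str the identity; may be {@code null}
     * @return the part before the delimiter when the identity is realm-qualified; the input
     *         unchanged when it holds no delimiter or the delimiter sits too close to the end
     *         (less than {@code MINIMUM_QUALIFIED_IDENTITY_LENGTH} characters remain);
     *         {@code null} for {@code null} input or when more than one delimiter is present
     */
    @Override
    public String getIdentity(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getIdentity: " + str);
        }
        String identity = null;
        if (str != null) {
            final String delim = WSSRealm.IDENTITY_DELIMITER;
            final int first = str.indexOf(delim);
            if (first != str.lastIndexOf(delim)) {
                Tr.error(tc, "security.wssecurity.WSSRealmImpl.s02", new Object[]{str, delim});
            } else if (first >= 0 && first < str.length() - MINIMUM_QUALIFIED_IDENTITY_LENGTH) {
                identity = str.substring(0, first);
            } else {
                identity = str;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getIdentity: " + identity);
        }
        return identity;
    }

    /**
     * Counts the occurrences of {@link WSSRealm#IDENTITY_DELIMITER} in an identity, ignoring an
     * occurrence at position 0.
     *
     * <p>The previous implementation re-searched from the index of the match it had just found, so
     * any input containing the delimiter never terminated; the search now resumes after the match.
     *
     * @param str the identity; {@code null} counts as zero
     * @return the number of delimiters found at an index greater than zero
     */
    @Override
    public int getNumberOfDelimiters(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getNumberOfDelimiters: " + str);
        }
        int count = 0;
        if (str != null) {
            final String delim = WSSRealm.IDENTITY_DELIMITER;
            // Advance by at least one character so the loop terminates even for an empty delimiter.
            final int step = Math.max(1, delim.length());
            int pos = str.indexOf(delim);
            while (pos >= 0) {
                if (pos > 0) {
                    count++;
                }
                pos = str.indexOf(delim, pos + step);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getNumberOfDelimiters: " + count);
        }
        return count;
    }

    /**
     * Tests whether an identity carries exactly one realm delimiter with enough characters after
     * it to hold a unique id.
     *
     * @param str the identity; may be {@code null}
     * @return {@code true} if {@code str} is at least {@code MINIMUM_QUALIFIED_IDENTITY_LENGTH}
     *         long, contains exactly one delimiter and at least
     *         {@code MINIMUM_QUALIFIED_IDENTITY_LENGTH} characters follow it
     */
    @Override
    public boolean isIdentityRealmQualified(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isIdentityRealmQualified: " + str);
        }
        boolean qualified = false;
        if (str != null && str.length() >= MINIMUM_QUALIFIED_IDENTITY_LENGTH) {
            final String delim = WSSRealm.IDENTITY_DELIMITER;
            final int first = str.indexOf(delim);
            final boolean single = first >= 0 && first == str.lastIndexOf(delim);
            qualified = single && first < str.length() - MINIMUM_QUALIFIED_IDENTITY_LENGTH;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isIdentityRealmQualified: " + qualified);
        }
        return qualified;
    }

    /**
     * Tests whether an identity refers to the default (local) realm.
     *
     * @param str the identity; may be {@code null}
     * @return {@code true} if the identity is not realm-qualified at all, or if the realm carried
     *         by its unique id equals the default realm (compared case-insensitively)
     */
    @Override
    public boolean isIdentityLocal(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isIdentityLocal: " + str);
        }
        boolean local;
        if (!isIdentityRealmQualified(str)) {
            // An unqualified identity is local by definition.
            local = true;
        } else {
            local = false;
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "isIdentityRealmQualified, inspect realm ...");
            }
            // isIdentityRealmQualified already guarantees a non-null string with exactly one
            // delimiter and enough trailing characters, so the unique id can be cut directly.
            final String delim = WSSRealm.IDENTITY_DELIMITER;
            String uniqueId = str.substring(str.indexOf(delim) + delim.length());
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "uniqueId = " + uniqueId);
            }
            String realm = RealmSecurityName.getRealm(uniqueId);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "realm = " + realm);
            }
            // NOTE(review): realm names are compared case-insensitively here; confirm the registry
            // treats realm names that differ only in case as the same realm.
            if (realm != null && realm.equalsIgnoreCase(WSSContextManagerFactory.getInstance().getDefaultRealm())) {
                local = true;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isIdentityLocal: " + local);
        }
        return local;
    }

    /**
     * Splits a realm-qualified identity into security name and unique id and stores them under
     * {@code com.ibm.wsspi.security.cred.securityName} / {@code com.ibm.wsspi.security.cred.uniqueId}
     * in the supplied property map.
     *
     * <p>Nothing is added when the map is {@code null}, the identity is {@code null}, too short,
     * has no delimiter, has the delimiter too close to the end, or -- consistently with the other
     * methods of this class -- carries more than one delimiter (logged as s02).
     *
     * @param str the identity to split
     * @param map the custom properties to populate; may be {@code null}
     */
    @Override
    public void addIdentityAssertionProperties(String str, Map map) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addIdentityAssertionProperties: " + str);
        }
        if (map == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "customProperties cannot be null");
            }
            return;
        }
        if (str != null && str.length() >= MINIMUM_QUALIFIED_IDENTITY_LENGTH) {
            final String delim = WSSRealm.IDENTITY_DELIMITER;
            final int first = str.indexOf(delim);
            if (first >= 0 && first != str.lastIndexOf(delim)) {
                // A doubled delimiter would push part of a second delimiter into the unique id.
                Tr.error(tc, "security.wssecurity.WSSRealmImpl.s02", new Object[]{str, delim});
            } else if (first >= 0 && first < str.length() - MINIMUM_QUALIFIED_IDENTITY_LENGTH) {
                String userName = str.substring(0, first);
                String uniqueId = str.substring(first + delim.length());
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "username = " + userName + "  uniqueId = " + uniqueId);
                }
                map.put("com.ibm.wsspi.security.cred.uniqueId", uniqueId);
                map.put("com.ibm.wsspi.security.cred.securityName", userName);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "addIdentityAssertionProperties: " + map.toString());
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Derives the identity string from a subject's WSPrincipal and, optionally, its WSCredential.
     *
     * <p>When several WSPrincipals / WSCredentials are present the last one iterated wins, as in
     * the original implementation.
     *
     * @param subject the subject to inspect; {@code null} yields {@code null}
     * @param z when {@code true} (or when {@code z2} is) the WSPrincipal name is kept verbatim,
     *          otherwise it is reduced with {@link RealmSecurityName#getSecurityName}
     * @param z2 when {@code true} the WSCredential realm-unique security name is read and, if
     *           non-empty, appended after {@link WSSRealm#IDENTITY_DELIMITER}
     * @return the identity, or {@code null} if the subject holds no WSPrincipal (previously a
     *         missing principal produced the literal text {@code "null"} followed by the delimiter
     *         and unique id, i.e. a fabricated identity)
     * @throws SoapSecurityException if reading the credential fails
     */
    public String getRealmQualifiedIdentityHelper(Subject subject, boolean z, boolean z2) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRealmQualifiedIdentityHelper: subject " + (subject == null ? AppConstants.NULL_STRING : "not null"));
        }
        String identity = null;
        if (subject != null) {
            String uniqueId = z2 ? lastRealmUniqueSecurityName(subject) : null;
            Set<Principal> principals = subject.getPrincipals();
            if (principals != null) {
                for (Principal principal : principals) {
                    if (principal instanceof WSPrincipal) {
                        String name = ((WSPrincipal) principal).getName();
                        identity = (z || z2) ? name : RealmSecurityName.getSecurityName(name);
                    }
                }
            }
            // Only qualify an identity that actually exists; never build "null<delim>uniqueId".
            if (identity != null && z2 && uniqueId != null && uniqueId.length() > 0) {
                identity = identity + WSSRealm.IDENTITY_DELIMITER + uniqueId;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRealmQualifiedIdentityHelper: " + identity);
        }
        return identity;
    }

    /**
     * Returns the realm-unique security name of the last WSCredential among the subject's public
     * credentials, or {@code null} if there is none.
     *
     * @throws SoapSecurityException wrapping any failure of the credential accessor
     */
    private static String lastRealmUniqueSecurityName(Subject subject) throws SoapSecurityException {
        String uniqueId = null;
        try {
            Set<Object> publicCredentials = subject.getPublicCredentials();
            if (publicCredentials != null) {
                for (Object credential : publicCredentials) {
                    if (credential instanceof WSCredential) {
                        uniqueId = ((WSCredential) credential).getRealmUniqueSecurityName();
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "uniqueId = " + uniqueId);
                        }
                    }
                }
            }
        } catch (Exception e) {
            throw new SoapSecurityException(e);
        }
        return uniqueId;
    }
}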
