package com.ibm.ws.webcontainer.security.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.InjectedTrace;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.websphere.security.WebTrustAssociationUserException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.AuthenticationService;
import com.ibm.ws.security.authentication.tai.TAIService;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.bcel.Constants;

/* JADX WARN: Classes with same name are omitted:
  input_file:resources/server_runtime/lib/com.ibm.ws.webcontainer.security.admin_1.0.jar:com/ibm/ws/webcontainer/security/internal/TrustAssociationManager.class
 */
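/**
 * Runs the configured trust association interceptors (TAIs) against a web request and
 * turns an accepted {@link TAIResult} into an {@link AuthenticationResult}.
 *
 * <p>This listing is JADX decompiler output. {@link #handleTrustAssociation} did not
 * decompile cleanly (see the JADX warnings above it), so its code is left as emitted
 * and only annotated; it must not be used as a reference for the real control flow
 * without checking the bytecode.
 *
 * <p>NOTE(review): the interceptor map is captured once in the constructor, while
 * {@code handleTrustAssociation} asks {@code taiService.getTaiObjects()} again for its
 * emptiness check. Whether the service returns the same live map on every call is not
 * visible here; confirm the cached reference cannot go stale when TAI configuration
 * changes.
 */
@TraceOptions(traceGroups = {TraceConstants.TRACE_GROUP}, traceGroup = "", messageBundle = TraceConstants.MESSAGE_BUNDLE, traceExceptionThrow = false, traceExceptionHandling = false)
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:resources/server_runtime/lib/com.ibm.ws.webcontainer.security.app_1.0.jar:com/ibm/ws/webcontainer/security/internal/TrustAssociationManager.class */
public class TrustAssociationManager {
    private static final TraceComponent tc = Tr.register(TrustAssociationManager.class);
    private TAIService taiService;
    private SSOCookieHelper ssoCookieHelper;
    private AuthenticationService authenticationService;
    // Shared "nothing decided here" result, returned whenever no TAI handles the request.
    private final AuthenticationResult AUTHN_CONTINUE_RESULT = new AuthenticationResult(AuthResult.CONTINUE, "Authentication continue");
    // Interceptors keyed by the ids that taiService.getTAIIds(...) returns.
    private Map<String, TrustAssociationInterceptor> taiObjects;
    static final long serialVersionUID = 2651153298060082674L;

    /**
     * Stores the collaborators and captures the interceptor map from the TAI service.
     *
     * @param tAIService            source of the interceptor map, interceptor ids and class loader
     * @param authenticationService service used to log in with the subject produced by a TAI
     * @param sSOCookieHelper       helper that adds SSO cookies to the response after a successful login
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public TrustAssociationManager(TAIService tAIService, AuthenticationService authenticationService, SSOCookieHelper sSOCookieHelper) {
        // The decompiler had inlined the field initialisers (null / empty HashMap) ahead of
        // these assignments; they were overwritten immediately, so only the real values remain.
        this.taiService = tAIService;
        this.authenticationService = authenticationService;
        this.taiObjects = tAIService.getTaiObjects();
        this.ssoCookieHelper = sSOCookieHelper;
    }

    /**
     * Offers the request to each interceptor configured for the given phase and maps the
     * outcome to an {@link AuthenticationResult}.
     *
     * <p>As far as the decompiled code shows: returns the shared CONTINUE result when no
     * interceptor is configured, none is configured for this phase, or none targets the
     * request; calls {@code authenticateWithTAIResult} when a {@link TAIResult} with status
     * 200 was produced; otherwise calls {@code handleFallBackToAppAuthType}.
     *
     * <p>NOTE(review): the loop and the catch blocks below are decompiler residue and are
     * not valid Java ({@code ??} locals, exception variables replaced by the loop counter).
     * The code is kept exactly as emitted; every comment about intent is an assumption to
     * confirm against the bytecode.
     *
     * @param webRequest wrapper that supplies the servlet request and response
     * @param z          {@code true} selects the interceptors invoked before SSO, {@code false}
     *                   those invoked after SSO (taken from the trace message below)
     * @return the authentication outcome for this request
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v72 */
    /* JADX WARN: Type inference failed for: r0v73 */
    /* JADX WARN: Type inference failed for: r0v75, types: [boolean] */
    /* JADX WARN: Type inference failed for: r0v80, types: [com.ibm.wsspi.security.tai.TAIResult] */
    /* JADX WARN: Type inference failed for: r22v2, types: [com.ibm.websphere.security.WebTrustAssociationUserException] */
    /* JADX WARN: Type inference failed for: r22v3, types: [com.ibm.websphere.security.WebTrustAssociationFailedException] */
    /* JADX WARN: Type inference failed for: r22v4, types: [java.lang.Exception] */
    /* JADX WARN: Type inference failed for: r2v10, types: [java.lang.Object[]] */
    /* JADX WARN: Type inference failed for: r2v14, types: [java.lang.Object[]] */
    /* JADX WARN: Type inference failed for: r2v18, types: [java.lang.Object[]] */
    @FFDCIgnore({AuthenticationException.class})
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public AuthenticationResult handleTrustAssociation(WebRequest webRequest, boolean z) {
        AuthenticationResult authenticateWithTAIResult;
        TAIResult tAIResult = null;
        String str = null;
        // Set once any interceptor reports that it targets this request.
        boolean z2 = false;
        // Never read again in this listing; presumably the target of the results that the
        // catch blocks build and discard — confirm.
        AuthenticationResult authenticationResult = this.AUTHN_CONTINUE_RESULT;
        if (this.taiService.getTaiObjects().isEmpty()) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "There is no TAI enabled", new Object[0]);
            }
            return this.AUTHN_CONTINUE_RESULT;
        }
        List<String> tAIIds = this.taiService.getTAIIds(z);
        if (tAIIds == null || tAIIds.isEmpty()) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "There is no TAI enabled for " + (z ? "invoking before SSO" : "invoking after SSO"), new Object[0]);
            }
            return this.AUTHN_CONTINUE_RESULT;
        }
        HttpServletRequest httpServletRequest = webRequest.getHttpServletRequest();
        HttpServletResponse httpServletResponse = webRequest.getHttpServletResponse();
        // Interceptor code runs under the TAI service's class loader; the previous loader is
        // restored by every popUnifiedClassLoader call below (presumably one inlined finally).
        ClassLoader pushUnifiedClassLoader = this.taiService.pushUnifiedClassLoader(this.taiService.getUnifiedClassloader());
        try {
            int i = 0;
            int i2 = 0;
            while (true) {
                try {
                    try {
                        i = i2;
                        if (i >= tAIIds.size()) {
                            break;
                        }
                        TrustAssociationInterceptor trustAssociationInterceptor = this.taiObjects.get(tAIIds.get(i2));
                        ?? r0 = trustAssociationInterceptor;
                        // NOTE(review): no break follows a match as decompiled, so a later
                        // matching interceptor would overwrite tAIResult and str — confirm.
                        if (r0 != 0 && (r0 = trustAssociationInterceptor.isTargetInterceptor(httpServletRequest)) != 0) {
                            z2 = true;
                            str = trustAssociationInterceptor.getType();
                            r0 = trustAssociationInterceptor.negotiateValidateandEstablishTrust(httpServletRequest, httpServletResponse);
                            tAIResult = r0;
                        }
                        i2++;
                        i = r0;
                    } catch (Exception e) {
                        FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.internal.TrustAssociationManager", "100", this, new Object[]{webRequest, Boolean.valueOf(z)});
                        // Decompiler artifact: r22 is taken from the loop counter, not from e;
                        // presumably the original logged e and used e.getMessage() — confirm.
                        ?? r22 = i;
                        Tr.error(tc, "SEC_TAI_GENERAL_EXCEPTION", new Object[]{r22});
                        // As decompiled this FAILURE result is built and dropped, so an
                        // interceptor exception does not by itself end the request here.
                        new AuthenticationResult(AuthResult.FAILURE, r22.getMessage());
                        this.taiService.popUnifiedClassLoader(pushUnifiedClassLoader);
                    }
                } catch (WebTrustAssociationFailedException e2) {
                    FFDCFilter.processException(e2, "com.ibm.ws.webcontainer.security.internal.TrustAssociationManager", "94", this, new Object[]{webRequest, Boolean.valueOf(z)});
                    // Same artifact as above: r222 should presumably be e2 — confirm.
                    ?? r222 = i;
                    Tr.error(tc, "SEC_TAI_VALIDATE_FAILED", new Object[]{r222});
                    new AuthenticationResult(AuthResult.FAILURE, r222.getMessage());
                    this.taiService.popUnifiedClassLoader(pushUnifiedClassLoader);
                } catch (WebTrustAssociationUserException e3) {
                    FFDCFilter.processException(e3, "com.ibm.ws.webcontainer.security.internal.TrustAssociationManager", "97", this, new Object[]{webRequest, Boolean.valueOf(z)});
                    // Same artifact as above: r223 should presumably be e3 — confirm.
                    ?? r223 = i;
                    Tr.error(tc, "SEC_TAI_USER_EXCEPTION", new Object[]{r223});
                    new AuthenticationResult(AuthResult.FAILURE, r223.getMessage());
                    this.taiService.popUnifiedClassLoader(pushUnifiedClassLoader);
                }
            }
            this.taiService.popUnifiedClassLoader(pushUnifiedClassLoader);
            if (!z2) {
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "TAI does not intercept this request", new Object[0]);
                }
                return this.AUTHN_CONTINUE_RESULT;
            }
            if (tAIResult != null) {
                // Decompiler artifact: the try body came out empty. Presumably the original try
                // enclosed the status check and both calls below, so that an
                // AuthenticationException from either becomes a SEND_401 result — confirm.
                try {
                } catch (AuthenticationException e4) {
                    authenticateWithTAIResult = new AuthenticationResult(AuthResult.SEND_401, e4.getMessage());
                }
                // Only a TAI result with status 200 is treated as an accepted identity.
                if (tAIResult.getStatus() == 200) {
                    authenticateWithTAIResult = authenticateWithTAIResult(httpServletRequest, httpServletResponse, tAIResult);
                    return authenticateWithTAIResult;
                }
            }
            // Reached when an interceptor claimed the request but produced no result or a
            // non-200 status.
            authenticateWithTAIResult = handleFallBackToAppAuthType(str, tAIResult);
            return authenticateWithTAIResult;
        } catch (Throwable th) {
            this.taiService.popUnifiedClassLoader(pushUnifiedClassLoader);
            throw th;
        }
    }

    /**
     * Decides what happens when an interceptor claimed the request but did not return a
     * status-200 result.
     *
     * @param str       type string of the interceptor that claimed the request; used only in the
     *                  challenge message
     * @param tAIResult the interceptor's result, or {@code null} if none was produced
     * @return CONTINUE when the service allows fail-over to the application's own
     *         authentication type (carrying the TAI subject when a result exists), otherwise
     *         TAI_CHALLENGE
     * @throws AuthenticationException declared by the original signature
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private AuthenticationResult handleFallBackToAppAuthType(String str, TAIResult tAIResult) throws AuthenticationException {
        if (!this.taiService.isFailOverToAppAuthType()) {
            return new AuthenticationResult(AuthResult.TAI_CHALLENGE, "Challenge from TrustAssociation Interception: " + str);
        }
        if (tAIResult == null) {
            return new AuthenticationResult(AuthResult.CONTINUE, "TAI allows fall back to application authentication type");
        }
        // NOTE(review): the subject of a non-200 TAI result travels on inside a CONTINUE
        // result; how the caller uses it is not visible in this file.
        return new AuthenticationResult(AuthResult.CONTINUE, tAIResult.getSubject());
    }

    /**
     * Logs in with the identity carried by an accepted TAI result.
     *
     * <p>The TAI's subject is tried first; if that login does not succeed, or the result
     * carries no subject, the principal name alone is used through
     * {@code loginWithTAIUserName}.
     *
     * <p>Fix: the decompiled code built a FAILURE result for an unauthenticated TAI subject
     * and then discarded it, so the check had no effect and the login proceeded. The result
     * is now returned, which is the only way its "Subject from TAI is invalid" message can
     * reach the caller.
     *
     * @param httpServletRequest  request that receives nothing here but is passed to the cookie helper
     * @param httpServletResponse response that receives the SSO cookies on success
     * @param tAIResult           accepted interceptor result
     * @return SUCCESS with the authenticated subject, or FAILURE
     * @throws AuthenticationException declared by the original signature
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private AuthenticationResult authenticateWithTAIResult(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, TAIResult tAIResult) throws AuthenticationException {
        String authenticatedPrincipal = tAIResult.getAuthenticatedPrincipal();
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "TAI user name: " + authenticatedPrincipal, new Object[0]);
        }
        if (authenticatedPrincipal == null) {
            return new AuthenticationResult(AuthResult.FAILURE, "TAI user name is null");
        }
        AuthenticationResult authenticationResult = null;
        Subject subject = tAIResult.getSubject();
        if (subject != null) {
            WSCredential wSCredential = new SubjectHelper().getWSCredential(subject);
            if (wSCredential != null && wSCredential.isUnauthenticated()) {
                // Fail closed: an unauthenticated credential must not fall through to the
                // subject login or to the user-name assertion below.
                return new AuthenticationResult(AuthResult.FAILURE, "Subject from TAI is invalid for user: " + authenticatedPrincipal);
            }
            authenticationResult = authenticateWithSubject(httpServletRequest, httpServletResponse, subject);
        }
        if (authenticationResult == null || authenticationResult.getStatus() != AuthResult.SUCCESS) {
            // Second attempt relies on the principal name only; the trust decision then rests
            // entirely on the interceptor having vouched for that name.
            authenticationResult = loginWithTAIUserName(httpServletRequest, httpServletResponse, subject, authenticatedPrincipal);
        }
        return authenticationResult;
    }

    /**
     * Logs in with the TAI-supplied user name by attaching an assertion hashtable to the
     * subject and authenticating with it.
     *
     * @param subject TAI subject to extend, or {@code null} to start from an empty one
     * @param str     user name reported by the interceptor
     * @return the result of {@code authenticateWithSubject}
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private AuthenticationResult loginWithTAIUserName(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Subject subject, String str) {
        Subject assertedSubject = createUserIdHashtableSubject(subject, str);
        return authenticateWithSubject(httpServletRequest, httpServletResponse, assertedSubject);
    }

    /**
     * Authenticates the subject against the {@code system.WEB_INBOUND} entry and, on
     * success, adds the SSO cookies to the response.
     *
     * @return SUCCESS carrying the authenticated subject, or FAILURE carrying the
     *         exception message when the authentication service rejects the subject
     */
    @FFDCIgnore({AuthenticationException.class})
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private AuthenticationResult authenticateWithSubject(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Subject subject) {
        try {
            Subject authenticated = this.authenticationService.authenticate("system.WEB_INBOUND", subject);
            AuthenticationResult success = new AuthenticationResult(AuthResult.SUCCESS, authenticated);
            // Cookies are written only after the login succeeded and the result exists.
            this.ssoCookieHelper.addSSOCookiesToResponse(authenticated, httpServletRequest, httpServletResponse);
            return success;
        } catch (AuthenticationException e) {
            return new AuthenticationResult(AuthResult.FAILURE, e.getMessage());
        }
    }

    /**
     * Adds a public-credential hashtable naming the user id to the subject.
     *
     * <p>The given subject is modified in place; a new one is created only when
     * {@code subject} is {@code null}.
     *
     * @param subject subject to extend, or {@code null}
     * @param str     user id to record; must not be {@code null} because {@link Hashtable}
     *                rejects null values (the only caller checks this first)
     * @return the subject that now holds the hashtable
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private Subject createUserIdHashtableSubject(Subject subject, String str) {
        Subject target = subject != null ? subject : new Subject();
        Hashtable<String, Object> assertion = new Hashtable<String, Object>();
        // NOTE(review): presumably this flag asks the login modules to accept the user id
        // without a password (identity assertion) — confirm. If so, nothing outside trusted
        // server code should be able to place such a hashtable in a subject.
        assertion.put("com.ibm.ws.authentication.internal.assertion", Boolean.TRUE);
        assertion.put(AttributeNameConstants.WSCREDENTIAL_USERID, str);
        target.getPublicCredentials().add(assertion);
        return target;
    }

    // Entry/exit trace for the static initialiser; presumably emitted by the trace
    // instrumentation named in the @InjectedTrace annotations.
    static {
        if (TraceComponent.isAnyTracingEnabled() && tc != null && tc.isEntryEnabled()) {
            Tr.entry(tc, Constants.STATIC_INITIALIZER_NAME, new Object[0]);
        }
        if (TraceComponent.isAnyTracingEnabled() && tc != null && tc.isEntryEnabled()) {
            Tr.exit(tc, Constants.STATIC_INITIALIZER_NAME);
        }
    }
}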
