package com.ibm.ISecurityLocalObjectBaseL13Impl;

import com.ibm.CSIv2Security.NotForwardableMechOID;
import com.ibm.IExtendedSecurity._LoginHelper;
import com.ibm.ISecurityL13SupportImpl.SecurityLogger;
import com.ibm.ISecurityL13SupportImpl.SecurityMessages;
import com.ibm.ISecurityUtilityImpl.CSIUtil;
import com.ibm.ISecurityUtilityImpl.KeyFileEntry;
import com.ibm.ISecurityUtilityImpl.SecurityConfiguration;
import com.ibm.ISecurityUtilityImpl.SecurityMinorCodes;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.auth.WSCredentialImpl;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.util.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import org.omg.CORBA.CompletionStatus;
import org.omg.CORBA.IntHolder;
import org.omg.CORBA.NO_PERMISSION;

/* loaded from: input_file:lib/sas.jar:com/ibm/ISecurityLocalObjectBaseL13Impl/CSICredentialsManager.class */
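/**
 * Resolves the {@link Subject} to use for an invocation from the current
 * {@link ContextManager} state.
 *
 * <p>Both public methods are {@code synchronized} on the manager instance, so credential
 * resolution (including the interactive login performed by {@link #getClientSubject}) is
 * serialized per instance.
 *
 * <p>Security posture visible in this class: almost every failure path degrades to
 * {@code SubjectHelper.createUnauthenticatedSubject()} rather than reusing a partially
 * resolved credential. The exceptions are documented on {@link #getClientSubject}.
 *
 * <p>NOTE(review): this source is decompiler output. The FFDC probe identifiers still say
 * {@code getInvocationCredentials}/{@code getClientCredentials}; they are runtime strings and
 * are left untouched.
 */
public class CSICredentialsManager {
    /**
     * Returns the subject attached to the current invocation, re-authenticating BasicAuth
     * credentials through the context manager.
     *
     * <p>Fails closed: if the invocation subject cannot be read, carries no
     * {@code WSCredential}, or the login of a BasicAuth credential throws, an unauthenticated
     * subject is returned instead of an exception.
     *
     * @return the invocation subject, the subject produced by {@code ContextManager.login}
     *         for a BasicAuth credential, or an unauthenticated subject; never {@code null}
     */
    public synchronized Subject getInvocationSubject() {
        Subject subject;
        if (SecurityLogger.debugEntryEnabled) {
            SecurityLogger.debugEntry("CSICredentialsManager.getInvocationSubject");
        }
        WSCredential wSCredential = null;
        // The instance is discarded in the decompiled source; the call is kept because the
        // CSIUtil constructor is not visible here and may have side effects.
        new CSIUtil();
        ContextManager contextManagerFactory = ContextManagerFactory.getInstance();
        try {
            subject = contextManagerFactory.getInvocationSubject();
            wSCredential = SubjectHelper.getWSCredentialFromSubject(subject);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getInvocationCredentials", "96", this);
            SecurityLogger.debugMessage("CSICredentialsManager.getInvocationSubject", "Java runtime exception while trying to get Invocation credentials from current.");
            SecurityLogger.logException("CSICredentialsManager.getInvocationSubject", e, 0, 0);
            subject = null;
        }
        if (wSCredential == null) {
            // No credential could be extracted (lookup failed or subject carries none):
            // fail closed with an unauthenticated subject.
            if (SecurityLogger.debugTraceEnabled) {
                SecurityLogger.debugMessage("CSICredentialsManager.getInvocationSubject", "No invocation subject during Identity Assertion processing.  Return Unauthenticated subject");
            }
            if (SecurityLogger.debugEntryEnabled) {
                SecurityLogger.debugExit("CSICredentialsManager.getInvocationSubject");
            }
            return SubjectHelper.createUnauthenticatedSubject();
        }
        if (wSCredential.isBasicAuth() && !wSCredential.isUnauthenticated()) {
            // A BasicAuth credential is exchanged for the subject returned by login().
            try {
                if (SecurityLogger.debugTraceEnabled) {
                    SecurityLogger.debugMessage("CSICredentialsManager.getInvocationSubject", "The invocation credential is either BasicAuth or GSSUP.  Getting authentiated subject.");
                }
                subject = contextManagerFactory.login(wSCredential);
            } catch (Exception e2) {
                FFDCFilter.processException(e2, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getInvocationCredentials", "132", this);
                if (SecurityLogger.traceEnabled) {
                    SecurityLogger.debugMessage("CSICredentialsManager.getInvocationSubject", "Java runtime exception while trying ContextManager.login. Returning unauthenticated subject");
                    SecurityLogger.logException("CSICredentialsManager.getInvocationSubject", e2, 0, 0);
                }
                // A failed login must not leave the original BasicAuth subject in place.
                subject = SubjectHelper.createUnauthenticatedSubject();
            }
        }
        if (subject == null) {
            subject = SubjectHelper.createUnauthenticatedSubject();
        }
        if (SecurityLogger.debugEntryEnabled) {
            SecurityLogger.debugExit("CSICredentialsManager.getInvocationSubject");
        }
        return subject;
    }

    /**
     * Resolves the subject to send on an outbound request to the realm named by {@code str}.
     *
     * <p>Resolution order, as implemented below:
     * <ol>
     *   <li>The invocation subject; if its credential is unauthenticated it is returned as is.</li>
     *   <li>If there is no invocation credential, the context manager's own subject.</li>
     *   <li>On a non-server process, when there is still no credential or it is not forwardable
     *       to {@code str}, a login through the current login helper, retried while the
     *       configured retry count allows; a successful login is stored as the invocation
     *       subject.</li>
     *   <li>A current but non-forwardable credential is mapped: a LocalOS credential to the
     *       vault's BasicAuth subject for its security name, a server credential to a
     *       BasicAuth subject built from the key-file entry for {@code str}.</li>
     *   <li>An expired or missing credential yields an unauthenticated subject.</li>
     * </ol>
     *
     * <p>Security notes for maintainers:
     * <ul>
     *   <li>The key-file branch passes a stored password to
     *       {@code SubjectHelper.createBasicAuthSubject}; keep that value out of any trace
     *       message added to this method.</li>
     *   <li>When authentication retry is disabled, a {@link PrivilegedActionException} from the
     *       login is not propagated; processing continues with whatever credential was resolved
     *       before the login attempt.</li>
     *   <li>The login runs while the instance monitor is held.</li>
     * </ul>
     *
     * @param str  target realm; passed to the forwardability check, the login helper, the
     *             key-file lookup and the BasicAuth subject factory
     * @param str2 not read by this method
     * @return the resolved subject, an unauthenticated subject on most failures, or
     *         {@code null} when a login is required but no login helper is available
     * @throws Exception a {@code WSLoginFailedException} when the login fails (other login-time
     *                   exceptions are wrapped in one); exceptions from calls outside the
     *                   guarded sections propagate unchanged
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public synchronized Subject getClientSubject(String str, String str2) throws Exception {
        String str3 = null;
        if (SecurityLogger.debugEntryEnabled) {
            SecurityLogger.debugEntry("CSICredentialsManager.getClientSubject");
        }
        Subject subject = null;
        WSCredential wSCredential = null;
        CSIUtil cSIUtil = new CSIUtil();
        // Return value unused in the decompiled source; kept in case it initializes the vault.
        VaultImpl.getInstance();
        SecurityConfiguration securityConfiguration = VaultImpl.getSecurityConfiguration();
        _LoginHelper _loginhelper = null;
        ContextManager contextManagerFactory = ContextManagerFactory.getInstance();
        try {
            subject = contextManagerFactory.getInvocationSubject();
            wSCredential = SubjectHelper.getWSCredentialFromSubject(subject);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getClientCredentials", "184", this);
            str3 = "Java runtime exception while trying to get_credentials from current.";
            SecurityLogger.debugMessage("CSICredentialsManager.getClientSubject", str3);
            SecurityLogger.logException("CSICredentialsManager.getClientSubject", e, 0, 0);
        }
        if (wSCredential != null && wSCredential.isUnauthenticated()) {
            // An explicitly unauthenticated invocation is passed through unchanged; no login
            // or mapping is attempted on its behalf.
            if (SecurityLogger.debugEntryEnabled) {
                SecurityLogger.debugExit("CSICredentialsManager.getClientSubject");
            }
            return subject;
        }
        if (wSCredential == null) {
            // No invocation credential: fall back to the process's own subject.
            try {
                subject = contextManagerFactory.getOwnSubject();
                wSCredential = SubjectHelper.getWSCredentialFromSubject(subject);
            } catch (Exception e2) {
                FFDCFilter.processException(e2, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getClientCredentials", "217", this);
                str3 = "Java runtime exception while trying to get_credentials from current.";
                SecurityLogger.debugMessage("CSICredentialsManager.getClientSubject", str3);
                SecurityLogger.logException("CSICredentialsManager.getClientSubject", e2, 0, 0);
            }
        }
        if (!securityConfiguration.processIsServer() && (wSCredential == null || !((WSCredentialImpl) wSCredential).isForwardable(str))) {
            if (SecurityLogger.debugTraceEnabled) {
                str3 = new StringBuffer().append("There is no invocation subject on the current thread; Login will be performed for ").append(str).append("/null").toString();
                SecurityLogger.debugMessage("CSICredentialsManager.getClientSubject", str3);
            }
            _loginhelper = cSIUtil.getCurrent().login_helper();
            if (_loginhelper == null) {
                SecurityLogger.logError("security.JSAS0020E", new Object[]{"CSICredentialsManager.getClientSubject"});
                if (SecurityLogger.debugEntryEnabled) {
                    SecurityLogger.debugExit("CSICredentialsManager.getClientSubject");
                }
                // NOTE(review): this is the only path that returns null instead of an
                // unauthenticated subject; callers must treat null as "no credential".
                return null;
            }
            // Final copies for capture by the privileged action (the decompiler had emitted a
            // synthetic constructor here, which is not valid Java source).
            final _LoginHelper helper = _loginhelper;
            final String realm = str;
            boolean z;
            do {
                // Reset on every pass so the loop can only continue when this iteration
                // explicitly asks for a retry.
                z = false;
                try {
                    try {
                        subject = (Subject) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                            @Override // java.security.PrivilegedExceptionAction
                            public Object run() throws WSLoginFailedException {
                                return ((LoginHelperImpl) helper).request_login_controlled(null, realm, null, null, false);
                            }
                        });
                        wSCredential = SubjectHelper.getWSCredentialFromSubject(subject);
                    } catch (PrivilegedActionException e3) {
                        if (securityConfiguration.authenticationRetryEnabled()) {
                            int i = cSIUtil.getCurrent().get_retry_count();
                            if (SecurityLogger.debugTraceEnabled) {
                                str3 = new StringBuffer().append("Retry count is ").append(i).toString();
                                SecurityLogger.debugMessage("CSICredentialsManager.getClientSubject", str3);
                            }
                            if (i >= securityConfiguration.getauthenticationRetryCount()) {
                                FFDCFilter.processException(e3, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getClientCredentials", "276", this);
                                // Result is discarded in the decompiled source; the call is kept as found.
                                SecurityMessages.getMsgOrUseDefault("JSAS0240E", "JSAS0240E: Login failed.  Verify the userid/password is correct.  Check the properties file to ensure the login source is valid.  If this error occurs on the server, check the server properties to ensure the principalName has a valid realm and userid.");
                                // Retry budget exhausted: surface the underlying login failure
                                // (handled by the outer catch clauses below).
                                throw e3.getException();
                            }
                            if (SecurityLogger.debugTraceEnabled) {
                                str3 = "LOGGING IN AGAIN!!!  Previous login failed but retry count is not above the maximum retries.";
                                SecurityLogger.debugMessage("CSICredentialsManager.getClientSubject", str3);
                            }
                            cSIUtil.getCurrent().increment_retry_count();
                            z = true;
                        } else if (SecurityLogger.debugTraceEnabled) {
                            // Previously swallowed without a trace; subject and credential keep
                            // the values they had before the login attempt.
                            str3 = "Login failed and authentication retry is disabled; continuing with the previously resolved credential.";
                            SecurityLogger.debugMessage("CSICredentialsManager.getClientSubject", str3);
                        }
                    }
                } catch (WSLoginFailedException e4) {
                    FFDCFilter.processException(e4, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getClientCredentials", "262", this);
                    SecurityLogger.logError("security.JSAS0240E", new Object[]{"CSICredentialsManager.getClientSubject", e4});
                    if (SecurityLogger.debugTraceEnabled) {
                        SecurityLogger.debugMessage("CSICredentialsManager.getClientSubject", new StringBuffer().append("Login Failed reason: ").append(e4.getMessage()).toString());
                    }
                    throw e4;
                } catch (Exception e5) {
                    FFDCFilter.processException(e5, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getClientCredentials", "269", this);
                    SecurityLogger.logError("security.JSAS0240E", new Object[]{"CSICredentialsManager.getClientSubject", e5});
                    throw new WSLoginFailedException(e5.getMessage(), e5);
                }
            } while (z);
            if (subject != null) {
                contextManagerFactory.setInvocationSubject(subject);
            }
        }
        if (wSCredential != null && wSCredential.isCurrent() && !wSCredential.isForwardable()) {
            if (SecurityLogger.debugTraceEnabled) {
                str3 = "Resolved credentials is NOT forwardable. The credentials will be mapped.";
                SecurityLogger.debugMessage("CSICredentialsManager.getClientSubject", str3);
            }
            if (wSCredential.getOID().equalsIgnoreCase(NotForwardableMechOID.value)) {
                if (SecurityLogger.debugTraceEnabled) {
                    str3 = "LocalOS credentials is not forwardable.";
                    SecurityLogger.debugMessage("CSICredentialsManager.getClientSubject", str3);
                }
                try {
                    String realmSecurityName = wSCredential.getRealmSecurityName();
                    if (realmSecurityName == null || realmSecurityName.length() <= 0) {
                        if (SecurityLogger.debugTraceEnabled) {
                            SecurityLogger.debugMessage("CSICredentialsManager.getClientSubject", "No security name found.  Return unauthenticated subject.");
                        }
                        if (SecurityLogger.debugEntryEnabled) {
                            SecurityLogger.debugExit("CSICredentialsManager.getClientSubject");
                        }
                        return SubjectHelper.createUnauthenticatedSubject();
                    }
                    subject = VaultImpl.getInstance().getBasicAuthSubject(realmSecurityName);
                    if (subject != null) {
                        if (SecurityLogger.debugTraceEnabled) {
                            SecurityLogger.debugMessage("CSICredentialsManager.getClientSubject", new StringBuffer().append("Returned BasicAuth subject.  Security_name: ").append(realmSecurityName).toString());
                        }
                        if (SecurityLogger.debugEntryEnabled) {
                            SecurityLogger.debugExit("CSICredentialsManager.getClientSubject");
                        }
                        return subject;
                    }
                    // No vault entry for this LocalOS identity: fail closed.
                    if (SecurityLogger.debugTraceEnabled) {
                        SecurityLogger.debugMessage("CSICredentialsManager.getClientSubject", "No matched BasicAuth subject for this LocalOS subject.  Return Unauthenticated subject.");
                    }
                    if (SecurityLogger.debugEntryEnabled) {
                        SecurityLogger.debugExit("CSICredentialsManager.getClientSubject");
                    }
                    return SubjectHelper.createUnauthenticatedSubject();
                } catch (Exception e6) {
                    // Falls through to the server-credential check below with subject and
                    // credential as they were before the lookup.
                    FFDCFilter.processException(e6, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getClientSubject", "440", this);
                    if (SecurityLogger.traceEnabled) {
                        str3 = SecurityMessages.getMsgOrUseDefault("TrcMsg405", "Unable to get client security name from credentials.");
                        SecurityLogger.traceMessage("CSICredentialsManager.getClientSubject", str3);
                    }
                    SecurityLogger.logException("CSICredentialsManager.getClientSubject", e6, 0, 0);
                }
            }
            try {
                if (contextManagerFactory.isServerCred(wSCredential)) {
                    if (SecurityLogger.debugTraceEnabled) {
                        str3 = new StringBuffer().append("Server invokes downstream request to different target realm: ").append(str).toString();
                        SecurityLogger.debugMessage("CSICredentialsManager.getClientSubject", str3);
                    }
                    if (SecurityLogger.debugTraceEnabled) {
                        str3 = "Using key file to map server credential for new target realm.";
                        SecurityLogger.debugMessage("CSICredentialsManager.getClientSubject", str3);
                    }
                    try {
                        // The login helper is only fetched in the non-server login branch above,
                        // so it can still be null here. The original dereferenced it and relied on
                        // the catch-all below to turn the NullPointerException into an
                        // unauthenticated subject; the guard keeps that fail-closed result
                        // without the exception.
                        // NOTE(review): as written, key-file mapping cannot succeed when the
                        // helper was never fetched - confirm whether that is intended before
                        // changing it, since enabling it would authenticate with stored
                        // key-file passwords.
                        if (_loginhelper == null || securityConfiguration.getkeyFileName() == null || securityConfiguration.getkeyFileName().length() <= 0) {
                            str3 = "security.JSAS0480E";
                            SecurityLogger.logError(str3, new Object[]{"CSICredentialsManager.getClientSubject"});
                            subject = SubjectHelper.createUnauthenticatedSubject();
                            wSCredential = SubjectHelper.getWSCredentialFromSubject(subject);
                        } else {
                            KeyFileEntry find = ((LoginHelperImpl) _loginhelper).getKeyFileObject().find(str, wSCredential.getRealmSecurityName());
                            if (find != null) {
                                // Stored userid/password for the target realm; never log these.
                                subject = SubjectHelper.createBasicAuthSubject(str, find.getUserid(), find.getPassword());
                                wSCredential = SubjectHelper.getWSCredentialFromSubject(subject);
                            } else {
                                str3 = "security.JSAS0480E";
                                SecurityLogger.logError(str3, new Object[]{"CSICredentialsManager.getClientSubject"});
                                subject = SubjectHelper.createUnauthenticatedSubject();
                                wSCredential = SubjectHelper.getWSCredentialFromSubject(subject);
                            }
                        }
                    } catch (Exception e7) {
                        FFDCFilter.processException(e7, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getClientCredentials", "514", this);
                        str3 = "security.JSAS0480E";
                        SecurityLogger.logError(str3, new Object[]{"CSICredentialsManager.getClientSubject", e7});
                        subject = SubjectHelper.createUnauthenticatedSubject();
                        wSCredential = SubjectHelper.getWSCredentialFromSubject(subject);
                    }
                }
            } catch (Exception e8) {
                FFDCFilter.processException(e8, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getClientCredentials", "429", this);
                if (SecurityLogger.traceEnabled) {
                    str3 = "Java runtime exception while trying to get_mapped_credentials.";
                    SecurityLogger.debugMessage("CSICredentialsManager.getClientSubject", str3);
                    SecurityLogger.logException("CSICredentialsManager.getClientSubject", e8, 0, 0);
                }
                subject = SubjectHelper.createUnauthenticatedSubject();
                wSCredential = SubjectHelper.getWSCredentialFromSubject(subject);
            }
        }
        if (wSCredential != null) {
            try {
                if (!wSCredential.isCurrent()) {
                    // The message is fixed here: the original reused str3, so the exception
                    // text was null or a stale trace message whenever debug tracing was off.
                    final String expiredMessage = "Credentials are expired or destroyed.";
                    if (SecurityLogger.debugTraceEnabled) {
                        SecurityLogger.debugMessage("CSICredentialsManager.getClientSubject", expiredMessage);
                    }
                    // Caught by the handler just below, which logs it and fails closed.
                    throw new NO_PERMISSION(expiredMessage, SecurityMinorCodes.CREDENTIAL_TOKEN_EXPIRED, CompletionStatus.COMPLETED_NO);
                }
                if (SecurityLogger.debugTraceEnabled) {
                    SecurityLogger.debugMessage("CSICredentialsManager.getClientSubject", "Credentials are valid.");
                }
            } catch (Exception e9) {
                FFDCFilter.processException(e9, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getClientCredentials", "473", this);
                SecurityLogger.logError("security.JSAS0202E", new Object[]{"CSICredentialsManager.getClientSubject", e9});
                // An expired or unverifiable credential is never forwarded.
                subject = SubjectHelper.createUnauthenticatedSubject();
            }
        } else {
            if (SecurityLogger.debugTraceEnabled) {
                SecurityLogger.debugMessage("CSICredentialsManager.getClientSubject", "Credentials are null or invalidated by rejection.");
            }
            subject = SubjectHelper.createUnauthenticatedSubject();
        }
        if (SecurityLogger.debugEntryEnabled) {
            SecurityLogger.debugExit("CSICredentialsManager.getClientSubject");
        }
        return subject;
    }
}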
