package com.ibm.ws.management.util;

import com.ibm.IExtendedSecurity._LoginHelper;
import com.ibm.ISecurityLocalObjectBaseL13Impl.CredentialsImpl;
import com.ibm.ISecurityLocalObjectBaseL13Impl.CurrentImpl;
import com.ibm.ISecurityLocalObjectBaseL13Impl.LoginHelperImpl;
import com.ibm.ISecurityLocalObjectBaseL13Impl.VaultImpl;
import com.ibm.ISecurityUtilityImpl.CredentialsHelper;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.WebSphereRuntimePermission;
import com.ibm.websphere.security.auth.AuthenticationFailedException;
import com.ibm.websphere.security.auth.WSSecurityContext;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.orb.GlobalORBFactory;
import com.ibm.ws.security.auth.WSLoginHelperImpl;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.core.SecurityContext;
import com.ibm.ws.security.role.RoleBasedAppException;
import com.ibm.ws.security.role.RoleBasedConfigurator;
import com.ibm.ws.security.service.SecurityService;
import com.ibm.ws.security.service.SecurityServiceEvent;
import com.ibm.ws.security.service.SecurityServiceListener;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Properties;
import org.omg.CORBA.IntHolder;
import org.omg.Security.CredentialType;
import org.omg.Security.InvalidCredentialType;
import org.omg.Security.OpaqueHolder;
import org.omg.SecurityLevel2.Credentials;
import org.omg.SecurityLevel2.CredentialsHolder;
import org.omg.SecurityLevel2.InvalidCredential;
import org.omg.SecurityLevel2.LoginFailed;

/* loaded from: input_file:lib/wasjmx.jar:com/ibm/ws/management/util/SecurityHelper.class */
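/**
 * Credential utilities for the WebSphere management (wasjmx) component.
 *
 * <p>The single instance, obtained via {@link #getHelper()}, listens for
 * {@link SecurityServiceEvent}s and, once the security service reports
 * state {@code 1}, caches the realm, the {@link WSSecurityContext} and the
 * {@link RoleBasedConfigurator}. The static methods operate on the CORBA
 * SecurityLevel2 {@link Credentials} held by the process-wide
 * {@link CurrentImpl}: pushing/popping invocation credentials, reading and
 * refreshing received/invocation credentials, and logging in as the server.
 *
 * <p>Points a security reviewer should be aware of:
 * <ul>
 *   <li>Only {@link #getServerCredential()} (and {@link #getOwnedCredentials()},
 *       which delegates to it) checks {@code WebSphereRuntimePermission("SecOwnCredentials")}
 *       when a SecurityManager is installed. {@link #getInvocationCredential()} and
 *       {@link #getReceivedCredential()} also log in as the server, inside
 *       {@code AccessController.doPrivileged}, when they find an expired server
 *       credential on the thread, without that check -- confirm this is intended.</li>
 *   <li>An expired non-server, non-BasicAuth credential is replaced by the vault's
 *       default credentials for the same user name, mapped to the cached realm
 *       (see {@code applyVaultCredentialsToInvocation} / {@code ...ToReceived}).</li>
 *   <li>{@link #authenticate} reports failures as a bare
 *       {@link AuthenticationFailedException}; the underlying cause is only traced
 *       at debug level.</li>
 * </ul>
 *
 * <p>Most {@code FFDCFilter} probe source strings name
 * {@code com.ibm.ws.management.connector.util.SecurityHelper} rather than this
 * class (possibly a leftover from an earlier package); they are kept unchanged so
 * existing FFDC records stay correlatable.
 *
 * <p>Instance state is not synchronized; {@code getCurrent()} is the only
 * synchronized accessor. Presumably the setters and {@link #stateChanged} run
 * during server start-up -- confirm against the callers.
 */
public final class SecurityHelper implements SecurityServiceListener {
    private static final TraceComponent tc;
    // Property / element names shared with the connector code (kept verbatim).
    public static final String isInternal = "isInternal";
    public static final String loginMethod = "LoginMethod";
    public static final String tokenBasedAuth = "TokenBased";
    public static final String basicAuth = "BasicAuth";
    public static final String tokeElement = "token";
    // JSSE system property names used for the SOAP connector's SSL setup.
    public static final String trustStoreProp = "javax.net.ssl.trustStore";
    public static final String keyStoreProp = "javax.net.ssl.keyStore";
    public static final String trustStorePasswordProp = "javax.net.ssl.trustStorePassword";
    public static final String keyStorePasswordProp = "javax.net.ssl.keyStorePassword";
    public static final String sslHandlerProp = "java.protocol.handler.pkgs";
    public static final String defaultSslHandler = "com.ibm.net.ssl.internal.www.protocol";
    // Realm reported by the security service; used as the target realm for every login below.
    private static String realm;
    // Lazily resolved credential vault (see getVault()).
    private static VaultImpl vault;
    // Permission enforced by getServerCredential() when a SecurityManager is present.
    private static final WebSphereRuntimePermission perm;
    // The singleton instance.
    private static SecurityHelper myself;
    // Lazily resolved SecurityCurrent of the global ORB (see getCurrent()).
    private static CurrentImpl currentImpl;
    // Retained for compatibility with older callers; no longer used by this class.
    static Class class$com$ibm$ws$management$util$SecurityHelper;
    private boolean securityEnabled = false;
    private boolean securityServiceEnabled = false;
    private RoleBasedConfigurator configurator = null;
    private WSSecurityContext securityContext = null;
    private WSCredential sysCredentials = null;
    private Properties SOAPSslSetting = null;
    // Held only until the service reports started; cleared in stateChanged().
    private SecurityService securityService = null;

    /** Singleton; use {@link #getHelper()}. */
    private SecurityHelper() {
    }

    /** @return the process-wide helper instance created at class initialization */
    public static SecurityHelper getHelper() {
        return myself;
    }

    /**
     * Returns the credential vault, resolving it on first use.
     * Not synchronized: two racing callers may each call {@code VaultImpl.getInstance()};
     * presumably that returns the same instance -- confirm against VaultImpl.
     */
    public static VaultImpl getVault() {
        if (vault == null) {
            vault = VaultImpl.getInstance();
        }
        return vault;
    }

    /**
     * Reacts to security-service state changes. State {@code 1} is treated as
     * "security service started": the realm, security context and role-based
     * configurator are captured and the service reference is dropped.
     * Any other state is only traced. Requires {@link #setSecurityService} to
     * have been called first, otherwise state {@code 1} fails with a
     * {@link NullPointerException}.
     *
     * @param securityServiceEvent the event carrying the new state
     */
    @Override // com.ibm.ws.security.service.SecurityServiceListener
    public void stateChanged(SecurityServiceEvent securityServiceEvent) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "stateChanged");
        }
        int state = securityServiceEvent.getState();
        if (state == 1) {
            this.securityServiceEnabled = true;
            realm = this.securityService.getRealm();
            this.securityContext = this.securityService.getWSSecurityContext();
            try {
                this.configurator = this.securityService.getConfigurator();
            } catch (RoleBasedAppException e) {
                // Best effort: a missing configurator is tolerated and left null.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "RoleBasedConfigurator not initialized");
                }
            } finally {
                // The service reference is only needed until start-up completes.
                this.securityService = null;
            }
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Security service state change to: " + state);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "stateChanged");
        }
    }

    /**
     * Registers the security service and snapshots its enabled flag.
     *
     * @param securityService the service; must not be null
     */
    public void setSecurityService(SecurityService securityService) {
        this.securityService = securityService;
        this.securityEnabled = this.securityService.isSecurityEnabled();
    }

    /** @param properties SSL settings for the SOAP connector (stored by reference, not copied) */
    public void setSOAPSslSetting(Properties properties) {
        this.SOAPSslSetting = properties;
    }

    /** @return the enabled flag snapshotted in {@link #setSecurityService} */
    public boolean isSecurityEnabled() {
        return this.securityEnabled;
    }

    /** @return true once {@link #stateChanged} has seen state {@code 1} */
    public boolean isSecurityServiceStarted() {
        return this.securityServiceEnabled;
    }

    /** @return the configurator captured at service start, or null */
    public RoleBasedConfigurator getConfigurator() {
        return this.configurator;
    }

    /** @return the realm captured at service start, or null */
    public String getRealm() {
        return realm;
    }

    /** @return the security context captured at service start, or null */
    public WSSecurityContext getWSSecurityContext() {
        return this.securityContext;
    }

    /** @return the SOAP SSL settings as passed to {@link #setSOAPSslSetting}, or null */
    public Properties getSOAPSslSetting() {
        return this.SOAPSslSetting;
    }

    /**
     * Authenticates through {@link WSLoginHelperImpl#authenticate} and returns the
     * mapped ("actual") CORBA credential.
     *
     * @param str  first argument forwarded to WSLoginHelperImpl.authenticate
     *             (presumably the realm -- confirm against that API)
     * @param str2 second argument forwarded (presumably the user id)
     * @param str3 third argument forwarded (presumably the password)
     * @return the credential after {@link #getActualCredential}
     * @throws AuthenticationFailedException on any failure. As in the original, it
     *         carries neither message nor cause, so a (possibly remote) caller learns
     *         only that authentication failed; the cause is traced at debug level.
     */
    public static Credentials authenticate(String str, String str2, String str3) throws AuthenticationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "authenticate");
        }
        try {
            Credentials actualCredential = getActualCredential(CredentialsHelper.mapWSToCorba(WSLoginHelperImpl.authenticate(str, str2, str3)));
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "authenticate");
            }
            return actualCredential;
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "fail to authenticate", e);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "authenticate - failed");
            }
            throw new AuthenticationFailedException();
        }
    }

    /**
     * Removes {@code credentials} from the SecurityCurrent's thread table.
     *
     * @throws NullPointerException if {@link #getCurrent()} yields null (not a server
     *         process, or cell security disabled)
     */
    public static void removeCredFromThreadTable(Credentials credentials) {
        getCurrent().removeCredFromThreadTable(credentials);
    }

    /**
     * Resolves the ORB's SecurityCurrent once. Returns null when this is not a
     * server process or cell security is not enabled; callers must handle that.
     *
     * @throws ExceptionInInitializerError if the initial reference cannot be resolved
     */
    private static synchronized CurrentImpl getCurrent() {
        if (currentImpl == null && SecurityContext.isServerProcess() && ContextManagerFactory.getInstance().isCellSecurityEnabled()) {
            try {
                currentImpl = (CurrentImpl) GlobalORBFactory.globalORB().resolve_initial_references(CommonConstants.SECURITY_CURRENT);
            } catch (Throwable th) {
                FFDCFilter.processException(th, SecurityHelper.class.getName(), "268");
                throw new ExceptionInInitializerError(th);
            }
        }
        return currentImpl;
    }

    /**
     * Replaces the thread's invocation credential and returns the previous one so
     * it can be restored with {@link #popInvocationCredential}.
     *
     * @return the previous invocation credential, or null if it could not be read
     *         (including when {@link #getCurrent()} is null; the failure is recorded via FFDC)
     */
    public static Credentials pushInvocationCredential(Credentials credentials) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "pushInvocationCredential");
        }
        Credentials previous = null;
        try {
            CurrentImpl current = getCurrent();
            previous = current.get_credentials(CredentialType.SecInvocationCredentials);
            current.set_credentials(CredentialType.SecInvocationCredentials, credentials);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.management.connector.util.SecurityHelper.pushInvocationCredential", "226");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "pushInvocationCredential");
        }
        return previous;
    }

    /**
     * Restores a previously pushed invocation credential. Failures (including a
     * null {@link #getCurrent()}) are recorded via FFDC and otherwise ignored.
     */
    public static void popInvocationCredential(Credentials credentials) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "popInvocationCredential");
        }
        try {
            getCurrent().set_credentials(CredentialType.SecInvocationCredentials, credentials);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.management.connector.util.SecurityHelper.popInvocationCredential", "239");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "popInvocationCredential");
        }
    }

    /** Alias for {@link #getServerCredential()}, including its permission check. */
    public static Credentials getOwnedCredentials() {
        return getServerCredential();
    }

    /**
     * Returns the caller's effective credential: the received credential if present,
     * otherwise the invocation credential. May return null.
     */
    public static Credentials retrieveCredential() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "retrieveCredential");
        }
        Credentials credential = getReceivedCredential();
        if (credential == null) {
            credential = getInvocationCredential();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "retrieveCredential");
        }
        return credential;
    }

    /** True while the credential's expiration time lies in the future; expects a {@link CredentialsImpl}. */
    private static boolean isUnexpired(Credentials credentials) {
        return ((CredentialsImpl) credentials).getExpiration() - System.currentTimeMillis() > 0;
    }

    /** True when the array is non-null, non-empty and its first element is set. */
    private static boolean hasFirst(Credentials[] credentialsArr) {
        return credentialsArr != null && credentialsArr.length > 0 && credentialsArr[0] != null;
    }

    /**
     * Logs in as the server through {@code loginHelper} inside a privileged block
     * and returns the new credential (cast to {@link CredentialsImpl}, as before).
     * Note: no Java 2 permission check is made here; see the class comment.
     */
    private static Credentials serverLogin(final _LoginHelper loginHelper) throws PrivilegedActionException {
        return (CredentialsImpl) AccessController.doPrivileged(new PrivilegedExceptionAction() {
            public Object run() throws LoginFailed {
                return ((LoginHelperImpl) loginHelper).request_login_controlled((String) null, realm, (String) null, (CredentialsHolder) null, (OpaqueHolder) null, true, false);
            }
        });
    }

    /**
     * Returns the thread's invocation credential, refreshing it when expired.
     *
     * <p>If the credential is an expired server credential, a new server login is
     * performed and returned. If it is an expired non-server, non-BasicAuth
     * credential, the thread's invocation credential is replaced from the vault
     * (see {@link #applyVaultCredentialsToInvocation}) but -- as in the original --
     * the <em>old</em> credential object is still returned; confirm whether callers
     * rely on this, since {@link #getReceivedCredential()} returns the replacement.
     *
     * @return the invocation credential, or null when none is set, when
     *         {@link #getCurrent()} is null, or when a server re-login failed
     */
    public static Credentials getInvocationCredential() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getInvocationCredential");
        }
        Credentials credentials = null;
        CurrentImpl current = getCurrent();
        if (current != null) {
            boolean valid = false;
            try {
                credentials = current.get_credentials(CredentialType.SecInvocationCredentials);
                if (credentials != null) {
                    valid = isUnexpired(credentials);
                }
            } catch (Exception e) {
                FFDCFilter.processException(e, "com.ibm.ws.management.connector.util.SecurityHelper.getInvocationCredential", "394");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Unable to obtain invocation credential from current.", e);
                }
                valid = false;
            }
            if (!valid && credentials != null && current.isServerCred(credentials)) {
                try {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Server credential is expired, logging in to get a new one.");
                    }
                    _LoginHelper loginHelper = current.login_helper();
                    if (loginHelper != null) {
                        credentials = serverLogin(loginHelper);
                    }
                } catch (Exception e2) {
                    FFDCFilter.processException(e2, "com.ibm.ws.management.connector.util.SecurityHelper.getInvocationCredential", "450");
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "unable to obtain received credential or credential expired", e2);
                    }
                    credentials = null;
                }
            } else if (!valid && credentials != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Non-server invocation credentials are invalid or expired.");
                }
                if (!(credentials instanceof com.ibm.ISecurityLocalObjectBasicAuthImpl.CredentialsImpl)) {
                    applyVaultCredentialsToInvocation(current, credentials);
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Invalid creds are BasicAuth.");
                }
            } else if (credentials == null && tc.isDebugEnabled()) {
                Tr.debug(tc, "Invocation credentials are null.");
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getInvocationCredential");
        }
        return credentials;
    }

    /**
     * Replaces the thread's expired invocation credential with the vault's default
     * credentials for the same user name: the mapped credential when it is
     * forwardable, otherwise the raw vault (basic-auth) credential. All failures
     * are traced and recorded via FFDC; nothing is thrown.
     *
     * @param current the SecurityCurrent (non-null)
     * @param expired the expired credential; cast to {@link CredentialsImpl} inside
     *                the first try so a foreign type is reported rather than thrown
     */
    private static void applyVaultCredentialsToInvocation(CurrentImpl current, Credentials expired) {
        CredentialsImpl baCreds = null;
        CredentialsImpl mappedCreds = null;
        try {
            baCreds = (CredentialsImpl) getVault().get_default_credentials(CredentialsHelper.getUserName((CredentialsImpl) expired));
        } catch (Exception e3) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Could not find baCreds in default_creds_list.", e3);
            }
            FFDCFilter.processException(e3, "com.ibm.ws.management.connector.util.SecurityHelper.getInvocationCredential", "345");
        }
        if (baCreds == null) {
            return;
        }
        try {
            mappedCreds = (CredentialsImpl) baCreds.get_mapped_creds(null, realm, null, true, true, false);
        } catch (LoginFailed e5) {
            // LoginFailed is an Exception subtype, so it must be caught before the general handler.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Login failed with baCreds.", e5);
            }
            FFDCFilter.processException(e5, "com.ibm.ws.management.connector.util.SecurityHelper.getInvocationCredential", "369");
        } catch (Exception e4) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception occurred while logging in.", e4);
            }
            FFDCFilter.processException(e4, "com.ibm.ws.management.connector.util.SecurityHelper.getInvocationCredential", "377");
        }
        if (mappedCreds == null || !mappedCreds.isForwardable()) {
            try {
                current.set_credentials(CredentialType.SecInvocationCredentials, baCreds);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Using baCreds to set invocation credentails");
                }
            } catch (InvalidCredentialType e6) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "InvalidCredentialType (2) occurred when setting invocation credentials.", e6);
                }
                FFDCFilter.processException(e6, "com.ibm.ws.management.connector.util.SecurityHelper.getInvocationCredential", "428");
            } catch (InvalidCredential e7) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "InvalidCredential (2) occurred when setting invocation credentials.", e7);
                }
                FFDCFilter.processException(e7, "com.ibm.ws.management.connector.util.SecurityHelper.getInvocationCredential", "420");
            }
        } else {
            try {
                current.set_credentials(CredentialType.SecInvocationCredentials, mappedCreds);
            } catch (InvalidCredentialType e8) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "InvalidCredentialType (1) occurred when setting invocation credentials.", e8);
                }
                FFDCFilter.processException(e8, "com.ibm.ws.management.connector.util.SecurityHelper.getInvocationCredential", "345");
            } catch (InvalidCredential e9) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "InvalidCredential (1) occurred when setting invocation credentials.", e9);
                }
                FFDCFilter.processException(e9, "com.ibm.ws.management.connector.util.SecurityHelper.getInvocationCredential", "345");
            }
        }
    }

    /**
     * Resets the requestor context of the SecurityCurrent.
     *
     * @throws NullPointerException if {@link #getCurrent()} yields null
     */
    public static void resetContext() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "resetContext");
        }
        getCurrent().initialize_requestor_context(null);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "resetContext");
        }
    }

    /**
     * Sets {@code credentials} as the thread's (single) received credential.
     *
     * @throws NullPointerException if {@link #getCurrent()} yields null; the call
     *         fails loudly rather than silently leaving the identity unchanged
     */
    public static void setReceivedCredential(Credentials credentials) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setReceivedCredential");
        }
        getCurrent().set_received_credentials(new Credentials[]{credentials});
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setReceivedCredential");
        }
    }

    /**
     * Returns the thread's first received credential, refreshing it when expired.
     *
     * <p>An expired server credential is replaced by a fresh server login; an
     * expired non-server, non-BasicAuth credential is replaced from the vault
     * (see {@link #applyVaultCredentialsToReceived}). An empty array from
     * {@code received_credentials()} is treated like "no credential" instead of
     * failing with an index error.
     *
     * @return the (possibly refreshed) received credential, or null
     */
    public static Credentials getReceivedCredential() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getReceivedCredential");
        }
        Credentials[] credentialsArr = new Credentials[1];
        CurrentImpl current = getCurrent();
        if (current != null) {
            boolean valid = false;
            try {
                credentialsArr = current.received_credentials();
                if (hasFirst(credentialsArr)) {
                    valid = isUnexpired(credentialsArr[0]);
                }
            } catch (Exception e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Unable to obtain received credential from current.", e);
                }
                FFDCFilter.processException(e, "com.ibm.ws.management.connector.util.SecurityHelper.getReceivedCredential", "504");
                valid = false;
            }
            boolean present = hasFirst(credentialsArr);
            if (!valid && present && current.isServerCred(credentialsArr[0])) {
                try {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Server credential is expired, logging in to get a new one.");
                    }
                    _LoginHelper loginHelper = current.login_helper();
                    if (loginHelper != null) {
                        credentialsArr[0] = serverLogin(loginHelper);
                    }
                } catch (Exception e2) {
                    FFDCFilter.processException(e2, "com.ibm.ws.management.connector.util.SecurityHelper.getReceivedCredential", "557");
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "unable to obtain received credential or credential expired", e2);
                    }
                    credentialsArr[0] = null;
                }
            } else if (!valid && present) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Non-server received credentials are invalid or expired.");
                }
                if (!(credentialsArr[0] instanceof com.ibm.ISecurityLocalObjectBasicAuthImpl.CredentialsImpl)) {
                    applyVaultCredentialsToReceived(current, credentialsArr);
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Invalid creds are BasicAuth.");
                }
            } else if (!present && tc.isDebugEnabled()) {
                Tr.debug(tc, "Received credentials are null.");
            }
        }
        Credentials result = hasFirst(credentialsArr) ? credentialsArr[0] : null;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getReceivedCredential");
        }
        return result;
    }

    /**
     * Replaces the expired received credential in {@code credentialsArr[0]} with
     * the vault's default credentials for the same user name (mapped credential if
     * forwardable, else the raw vault credential) and installs the array on
     * {@code current}. Lookup and mapping failures are traced and recorded via
     * FFDC, leaving the array untouched.
     *
     * @param current        the SecurityCurrent (non-null)
     * @param credentialsArr non-empty array whose first element is the expired credential
     */
    private static void applyVaultCredentialsToReceived(CurrentImpl current, Credentials[] credentialsArr) {
        CredentialsImpl baCreds = null;
        CredentialsImpl mappedCreds = null;
        try {
            baCreds = (CredentialsImpl) getVault().get_default_credentials(CredentialsHelper.getUserName((CredentialsImpl) credentialsArr[0]));
        } catch (Exception e3) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Could not find baCreds in default_creds_list.", e3);
            }
            FFDCFilter.processException(e3, "com.ibm.ws.management.connector.util.SecurityHelper.getReceivedCredential", "825");
        }
        if (baCreds == null) {
            return;
        }
        try {
            mappedCreds = (CredentialsImpl) baCreds.get_mapped_creds(null, realm, null, true, true, false);
        } catch (LoginFailed e5) {
            // LoginFailed is an Exception subtype, so it must be caught before the general handler.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Login failed with baCreds.", e5);
            }
            FFDCFilter.processException(e5, "com.ibm.ws.management.connector.util.SecurityHelper.getReceivedCredential", "849");
        } catch (Exception e4) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception occurred while logging in.", e4);
            }
            FFDCFilter.processException(e4, "com.ibm.ws.management.util.SecurityHelper.getReceivedCredential", "857");
        }
        if (mappedCreds == null || !mappedCreds.isForwardable()) {
            credentialsArr[0] = baCreds;
            current.set_received_credentials(credentialsArr);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Using baCreds to set recieved credentails");
            }
        } else {
            credentialsArr[0] = mappedCreds;
            current.set_received_credentials(credentialsArr);
        }
    }

    /**
     * Maps a BasicAuth credential to its "actual" credential via
     * {@code get_mapped_credentials(null, "", null)}. Any other credential type is
     * returned as-is. If mapping throws, the failure is only traced and the
     * <em>unmapped</em> BasicAuth credential is returned -- callers such as
     * {@link #authenticate} therefore cannot tell a failed mapping from a
     * non-BasicAuth input.
     */
    public static Credentials getActualCredential(Credentials credentials) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getActualCredential");
        }
        Credentials result = credentials;
        if (credentials instanceof com.ibm.ISecurityLocalObjectBasicAuthImpl.CredentialsImpl) {
            try {
                result = ((com.ibm.ISecurityLocalObjectBasicAuthImpl.CredentialsImpl) credentials).get_mapped_credentials(null, "", null);
            } catch (Exception e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "getActualCredential", e);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getActualCredential");
        }
        return result;
    }

    /**
     * Logs in as the server and returns the resulting credential.
     *
     * <p>When a SecurityManager is installed, {@code WebSphereRuntimePermission("SecOwnCredentials")}
     * is checked first and a failure propagates as a SecurityException. Unlike the
     * refresh paths in {@link #getInvocationCredential()} and
     * {@link #getReceivedCredential()}, the login here is not wrapped in
     * {@code doPrivileged}. Login failures are traced, recorded via FFDC and
     * reported as a null return.
     *
     * @return the server credential, or null on any failure or when
     *         {@link #getCurrent()} / its login helper is null
     */
    public static Credentials getServerCredential() {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Performing Java 2 Security Permission Check ...Expecting : " + perm.toString());
            }
            securityManager.checkPermission(perm);
        }
        Credentials credentials = null;
        try {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Getting server basic auth credentials.");
            }
            CurrentImpl current = getCurrent();
            _LoginHelper loginHelper = null;
            if (current != null) {
                loginHelper = current.login_helper();
            }
            if (loginHelper != null) {
                try {
                    credentials = ((LoginHelperImpl) loginHelper).request_login_controlled((String) null, realm, (String) null, (CredentialsHolder) null, (OpaqueHolder) null, true, false);
                } catch (LoginFailed e2) {
                    // LoginFailed is an Exception subtype, so it must be caught before the general handler.
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "LoginFailed exception getting server cred.", e2);
                    }
                    FFDCFilter.processException(e2, "com.ibm.ws.management.connector.util.SecurityHelper.getServerCredential", "979");
                    credentials = null;
                } catch (Exception e) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Exception logging in to get server cred.", e);
                    }
                    FFDCFilter.processException(e, "com.ibm.ws.management.connector.util.SecurityHelper.getServerCredential", "988");
                    credentials = null;
                }
            }
        } catch (Exception e3) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "unable to obtain own credential or credential expired", e3);
            }
            FFDCFilter.processException(e3, "com.ibm.ws.management.connector.util.SecurityHelper.getServerCredential", "1001");
            credentials = null;
        }
        return credentials;
    }

    /**
     * Returns the user name of {@link #retrieveCredential()}, or null when there
     * is no credential. The credential is expected to be a {@link CredentialsImpl}.
     */
    public static String getUserName() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getUserName");
        }
        Credentials credential = retrieveCredential();
        String userName = null;
        if (credential != null) {
            userName = CredentialsHelper.getUserName((CredentialsImpl) credential);
        }
        if (tc.isEntryEnabled()) {
            // Was a second Tr.entry(); the method traced two entries and no exit.
            Tr.exit(tc, "getUserName");
        }
        return userName;
    }

    /**
     * Loads a class by name, converting a missing class into a
     * {@link NoClassDefFoundError}. Retained for compatibility; this class now
     * uses {@code SecurityHelper.class} directly.
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError(e.getMessage());
        }
    }

    static {
        tc = Tr.register(SecurityHelper.class);
        perm = new WebSphereRuntimePermission("SecOwnCredentials");
        myself = new SecurityHelper();
    }
}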
