package com.ibm.ws.wssecurity.impl.auth.module;

import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGenerator;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGeneratorFactory;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditService;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManagerFactory;
import com.ibm.ws.wssecurity.saml.common.SAMLCommonConstants;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.NamespaceUtil;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.wsspi.wssecurity.core.Constants;
import com.ibm.wsspi.wssecurity.core.config.CallerConfig;
import java.util.Collection;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.xml.namespace.QName;
import org.apache.axis2.context.MessageContext;

/* loaded from: input_file:com/ibm/ws/wssecurity/impl/auth/module/SAMLCallerLoginModule.class */
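/**
 * JAAS login module that selects the SAML caller identity (and, when identity
 * assertion is configured, the SAML trusted identity) from the token candidates
 * an earlier WS-Security step placed in the JAAS shared state.
 *
 * <p>The module only reads and writes the shared-state map. On success it stores
 * the chosen tokens under {@code Constants.WSSECURITY_CALLER_IDENTITY} /
 * {@code Constants.WSSECURITY_TRUSTED_IDENTITY} and marks
 * {@code Constants.WSSECURITY_CALLER_PROCESS_DONE}. It never touches the
 * {@link Subject}, so {@link #commit()}, {@link #abort()} and {@link #logout()}
 * have nothing to do beyond tracing.
 *
 * <p>Every denial that carries an audit event is emitted through
 * {@link #auditCallerDenied} or {@link #auditDelegationDenied} before the
 * {@link LoginException} is thrown, so the audit record always precedes the
 * failure seen by the JAAS framework.
 */
public class SAMLCallerLoginModule implements LoginModule {
    private static final TraceComponent tc = Tr.register(SAMLCallerLoginModule.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    // Prefix for message keys looked up through ConfigUtil.getMessage().
    private String comp = "security.wssecurity";
    // JAAS shared state handed in by initialize(); all input and output of this module goes through it.
    private Map _sharedState = null;

    /**
     * Keeps a reference to the JAAS shared state. The subject, callback handler
     * and options are not used by this module.
     *
     * @param subject         ignored
     * @param callbackHandler ignored
     * @param map             JAAS shared state (read and written by {@link #login()})
     * @param map2            module options, ignored
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options)");
        }
        this._sharedState = map;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize(Subject, CallbackHandler, Map, Map)");
        }
    }

    /**
     * Picks the SAML caller identity (and trusted identity, when identity assertion
     * is used) from the candidate collections in the shared state.
     *
     * <p>Runs only while {@code WSSECURITY_CALLER_PROCESS_DONE} is unset or false;
     * once an earlier module has finished caller identification this module is a
     * no-op. Exactly one SAML token may match each role: a second matching caller
     * token or trusted token is a failure.
     *
     * @return always {@code true}; this module never vetoes the login by return value
     * @throws LoginException when more than one SAML caller/trusted token is present,
     *                        when a required trusted identity is missing, when the
     *                        trusted-identity list is absent although required, or
     *                        when the asserted trusted principal is not in that list
     */
    public boolean login() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        Boolean done = (Boolean) this._sharedState.get(Constants.WSSECURITY_CALLER_PROCESS_DONE);
        if (done == null || !done.booleanValue()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Caller identification process is not done yet. So the process of this login module is continued.");
            }
            CallerConfig callerConfig = (CallerConfig) this._sharedState.get(CallerConfig.CONFIG_KEY);
            // NOTE(review): callerConfig and the candidate collections are dereferenced without a
            // null check; this presumes an earlier module always populates them — confirm against
            // the caller-processing chain.
            Collection<SecurityToken> callerCandidates = (Collection) this._sharedState.get(Constants.WSSECURITY_CALLER_IDENTITY_CANDIDATES);
            Collection<SecurityToken> trustedCandidates = (Collection) this._sharedState.get(Constants.WSSECURITY_TRUSTED_IDENTITY_CANDIDATES);
            Collection<?> trustedIdList = (Collection) this._sharedState.get(Constants.WSSECURITY_TRUSTED_IDENTITY_LIST);
            SecurityToken callerToken = null;
            SecurityToken trustedToken = null;
            if (callerConfig.useIdentityAssertion()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Identity Assertion IS used.");
                }
                if (callerConfig.trustAnyTrustedIdentity()) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Any trusted identity is trusted in an unconditional way.");
                        Tr.debug(tc, "Checking caller identity only...");
                    }
                    if (isSamlTokenType(NamespaceUtil.getExpectedTargetNamespaceForTokenType(callerConfig.getCallerIdentity()))) {
                        for (SecurityToken candidate : callerCandidates) {
                            if (candidate instanceof SAMLToken) {
                                if (callerToken != null) {
                                    // More than one SAML caller token: ambiguous caller, deny.
                                    String message = ConfigUtil.getMessage(this.comp + ".LoginProcessor.s05");
                                    auditCallerDenied(callerConfig, message);
                                    throw new LoginException(message);
                                }
                                callerToken = candidate;
                                done = Boolean.TRUE;
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "Found caller identity.");
                                }
                            }
                        }
                        // Identity assertion needs some trusted identity even when any one is accepted.
                        if (trustedCandidates.size() == 0 && callerToken != null) {
                            String message = ConfigUtil.getMessage(this.comp + ".LoginProcessor.s02");
                            auditDelegationDenied(callerConfig, message);
                            throw new LoginException(message);
                        }
                    }
                } else {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Trusted identity should be also validated.");
                    }
                    boolean callerIsSaml = isSamlTokenType(NamespaceUtil.getExpectedTargetNamespaceForTokenType(callerConfig.getCallerIdentity()));
                    if (callerIsSaml) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Checking both caller identity and trusted identity...");
                        }
                        if (trustedIdList == null) {
                            // Without a trusted-identity list the asserted trusted principal cannot be validated.
                            String message = ConfigUtil.getMessage(this.comp + ".WSEC6842E");
                            auditDelegationDenied(callerConfig, message);
                            throw new LoginException(message);
                        }
                        for (SecurityToken candidate : callerCandidates) {
                            if (candidate instanceof SAMLToken) {
                                if (callerToken != null) {
                                    // NOTE(review): this "multiple caller tokens" denial is not audited, unlike
                                    // the equivalent paths in the other two branches — confirm this is intended.
                                    throw new LoginException(ConfigUtil.getMessage(this.comp + ".LoginProcessor.s05"));
                                }
                                callerToken = candidate;
                            }
                        }
                    }
                    boolean trustedIsSaml = isSamlTokenType(NamespaceUtil.getExpectedTargetNamespaceForTokenType(callerConfig.getTrustedIdentity()));
                    if (trustedIsSaml) {
                        for (SecurityToken candidate : trustedCandidates) {
                            if (candidate instanceof SAMLToken) {
                                String principal = ((SAMLToken) candidate).getPrincipal();
                                // A SAML token without a principal is silently skipped as a trusted-identity candidate.
                                if (trustedIdList != null && principal != null) {
                                    if (!trustedIdList.contains(principal)) {
                                        // Message text kept byte-identical (it lacks a space before "is").
                                        String message = principal + "is not a trusted id";
                                        auditDelegationDenied(callerConfig, message);
                                        throw new LoginException(message);
                                    }
                                    if (trustedToken != null) {
                                        // NOTE(review): second trusted token is denied without an audit event — confirm.
                                        throw new LoginException(ConfigUtil.getMessage(this.comp + ".LoginProcessor.s04"));
                                    }
                                    trustedToken = candidate;
                                }
                            }
                        }
                        if (trustedToken == null && callerToken != null) {
                            String message = ConfigUtil.getMessage(this.comp + ".LoginProcessor.s02");
                            auditDelegationDenied(callerConfig, message);
                            throw new LoginException(message);
                        }
                    }
                    if (callerIsSaml && trustedIsSaml && trustedToken != null && callerToken != null) {
                        done = Boolean.TRUE;
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Found both caller identity and trusted identity.");
                        }
                    } else if (callerIsSaml && callerToken != null) {
                        // Only the caller side is SAML; the process is complete if another module already stored the trusted identity.
                        if (((SecurityToken) this._sharedState.get(Constants.WSSECURITY_TRUSTED_IDENTITY)) != null) {
                            done = Boolean.TRUE;
                        }
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Found caller identity here.");
                        }
                    } else if (trustedIsSaml && trustedToken != null) {
                        // Only the trusted side is SAML; the process is complete if another module already stored the caller identity.
                        if (((SecurityToken) this._sharedState.get(Constants.WSSECURITY_CALLER_IDENTITY)) != null) {
                            done = Boolean.TRUE;
                        }
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Found trusted identity here.");
                        }
                    }
                }
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Identity Assertion IS NOT used.");
                }
                if (isSamlTokenType(NamespaceUtil.getExpectedTargetNamespaceForTokenType(callerConfig.getCallerIdentity()))) {
                    for (SecurityToken candidate : callerCandidates) {
                        if (candidate instanceof SAMLToken) {
                            if (callerToken != null) {
                                String message = ConfigUtil.getMessage(this.comp + ".LoginProcessor.s05");
                                auditCallerDenied(callerConfig, message);
                                throw new LoginException(message);
                            }
                            callerToken = candidate;
                            done = Boolean.TRUE;
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Found caller identity.");
                            }
                        }
                    }
                }
            }
            if (done != null && done.booleanValue()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Logged that caller identification process is successfully done.");
                }
                this._sharedState.put(Constants.WSSECURITY_CALLER_PROCESS_DONE, done);
            }
            // Guarded like every other debug line here so the token's toString() is only rendered into the trace when debug is on.
            if (callerToken != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Stored the caller identity [" + callerToken + "].");
                }
                this._sharedState.put(Constants.WSSECURITY_CALLER_IDENTITY, callerToken);
            }
            if (trustedToken != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Stored the trusted identity [" + trustedToken + "].");
                }
                this._sharedState.put(Constants.WSSECURITY_TRUSTED_IDENTITY, trustedToken);
            }
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Since caller identification process is successfully done, the process of this login module is skipped.");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "login()");
        }
        return true;
    }

    /**
     * Whether the expected token namespace resolved for a configured identity is SAML 1.1 or SAML 2.0.
     *
     * @param expectedTokenType QName returned by {@code NamespaceUtil.getExpectedTargetNamespaceForTokenType}
     * @return {@code true} for {@code SAMLCommonConstants._SAML11_QNAME} or {@code _SAML20_QNAME}
     */
    private static boolean isSamlTokenType(QName expectedTokenType) {
        return SAMLCommonConstants._SAML11_QNAME.equals(expectedTokenType)
                || SAMLCommonConstants._SAML20_QNAME.equals(expectedTokenType);
    }

    /**
     * Emits a DENIED {@code SECURITY_AUTHN} audit event for a failed caller-identity check,
     * if the audit service requires one for the current local context. The caller is
     * expected to throw the matching {@link LoginException} afterwards.
     *
     * @param callerConfig caller configuration; its caller identity is recorded as IDENTITY_NAME
     * @param message      denial message, also used as the audit reason text
     */
    private void auditCallerDenied(CallerConfig callerConfig, String message) {
        WSSAuditService auditService = WSSContextManagerFactory.getInstance().getAuditService();
        WSSAuditEventGenerator generator = WSSAuditEventGeneratorFactory.getInstance();
        Map<Object, Object> localContext = (Map) this._sharedState.get(WSSAuditEventGenerator.LOCAL_CONTEXT);
        if (auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.DENIED, localContext)) {
            MessageContext messageContext = (MessageContext) localContext.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
            Map<String, Object> eventContext = generator.setAuditEventContext(localContext, WSSAuditService.WSSAuditOutcome.DENIED, WSSAuditService.WSSAuditReason.AUTHN_DENIED, message);
            generator.addExtendedAuditData(eventContext, WSSAuditEventGenerator.IDENTITY_NAME, callerConfig.getCallerIdentity().toString());
            // NOTE(review): provider data carries "SUCCESS" on a DENIED event; kept byte-identical,
            // but the value looks inconsistent with the outcome — confirm the expected provider status.
            generator.addProviderData(eventContext, SAMLCallerLoginModule.class.getName(), "SUCCESS");
            generator.sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, messageContext, localContext);
        }
    }

    /**
     * Emits a DENIED {@code SECURITY_AUTHN_DELEGATION} audit event for a failed identity-assertion
     * (trusted identity) check, if the audit service requires one for the current local context.
     * The caller is expected to throw the matching {@link LoginException} afterwards.
     *
     * @param callerConfig caller configuration; trusted identity is recorded as ROLE_NAME and
     *                     caller identity as IDENTITY_NAME
     * @param message      denial message, also used as the audit reason text
     */
    private void auditDelegationDenied(CallerConfig callerConfig, String message) {
        WSSAuditService auditService = WSSContextManagerFactory.getInstance().getAuditService();
        WSSAuditEventGenerator generator = WSSAuditEventGeneratorFactory.getInstance();
        Map<Object, Object> localContext = (Map) this._sharedState.get(WSSAuditEventGenerator.LOCAL_CONTEXT);
        if (auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN_DELEGATION, WSSAuditService.WSSAuditOutcome.DENIED, localContext)) {
            MessageContext messageContext = (MessageContext) localContext.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
            Map<String, Object> eventContext = generator.setAuditEventContext(localContext, WSSAuditService.WSSAuditOutcome.DENIED, WSSAuditService.WSSAuditReason.AUTHN_DENIED, message);
            generator.addAuthnDelegationData(eventContext, WSSAuditEventGenerator.DELEGATION_TYPE, WSSAuditEventGenerator.IDENTITY_ASSERTION);
            generator.addAuthnDelegationData(eventContext, WSSAuditEventGenerator.ROLE_NAME, callerConfig.getTrustedIdentity().toString());
            generator.addAuthnDelegationData(eventContext, WSSAuditEventGenerator.IDENTITY_NAME, callerConfig.getCallerIdentity().toString());
            generator.sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN_DELEGATION, messageContext, localContext);
        }
    }

    /**
     * Nothing to commit: this module never modifies the {@link Subject}.
     *
     * @return always {@code true}
     */
    public boolean commit() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "commit()");
            Tr.exit(tc, "commit()");
        }
        return true;
    }

    /**
     * Nothing to roll back: this module never modifies the {@link Subject}.
     *
     * @return always {@code false}
     */
    public boolean abort() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "abort()");
            Tr.exit(tc, "abort()");
        }
        return false;
    }

    /**
     * Nothing to log out: this module holds no Subject state.
     *
     * @return always {@code false}
     */
    public boolean logout() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "logout()");
            Tr.exit(tc, "logout()");
        }
        return false;
    }
}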
