package com.ibm.ISecurityLocalObjectBaseL13Impl;

import com.ibm.ISecurityL13SupportImpl.SecurityMessages;
import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.CSIv2EffectivePerformPolicy;
import com.ibm.ISecurityUtilityImpl.CSIUtil;
import com.ibm.ISecurityUtilityImpl.KeyFileEntry;
import com.ibm.ISecurityUtilityImpl.StringBytesConversion;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ffdc.Manager;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.auth.WSCredentialImpl;
import com.ibm.ws.security.config.AdminData;
import com.ibm.ws.security.config.CSIv2Config;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.util.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;

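/* loaded from: input_file:com/ibm/ISecurityLocalObjectBaseL13Impl/CSICredentialsManager.class */
/**
 * Resolves the {@link Subject} used for CSIv2 processing: the current invocation
 * subject on the receiving side ({@link #getInvocationSubject()}) and the subject
 * to send on an outbound request to a target realm ({@link #getClientSubject}).
 *
 * <p>Both lookups fall back to an unauthenticated subject rather than returning a
 * subject whose tokens failed validation. The two public lookups are synchronized
 * on the instance; {@link #getInstance()} is synchronized on the class so that all
 * callers share that one instance (and therefore one monitor).
 */
public class CSICredentialsManager {
    private static final TraceComponent tc = Tr.register(CSICredentialsManager.class, "SASRas", "com.ibm.ISecurityL13SupportImpl.sec");
    // Lazily created singleton; only written under the class monitor in getInstance().
    static CSICredentialsManager credsMgr = null;

    /**
     * Returns the process-wide manager, creating it on first use.
     *
     * <p>Synchronized so that two concurrent first callers cannot each construct an
     * instance: the instance methods lock on {@code this}, so distinct instances
     * would not exclude each other.
     *
     * @return the shared manager, never null
     */
    public static synchronized CSICredentialsManager getInstance() {
        if (credsMgr == null) {
            credsMgr = new CSICredentialsManager();
        }
        return credsMgr;
    }

    /**
     * Returns the subject of the current invocation, or an unauthenticated subject
     * when there is none, when its tokens fail validation (server process only), or
     * when a BasicAuth invocation credential cannot be re-logged in.
     *
     * @return a subject; never the invocation subject if its tokens were rejected
     */
    public synchronized Subject getInvocationSubject() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getInvocationSubject", this);
        }
        // Kept from the original: the instance is discarded, so this only matters
        // if the CSIUtil constructor has side effects — TODO confirm before removing.
        new CSIUtil();
        ContextManager contextManager = ContextManagerFactory.getInstance();
        // Both start null so the catch path below leaves a consistent state
        // (the original left the credential unassigned on that path).
        Subject subject = null;
        WSCredential invocationCred = null;
        try {
            subject = contextManager.getInvocationSubject();
            invocationCred = SubjectHelper.getWSCredentialFromSubject(subject);
        } catch (Exception e) {
            Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getInvocationCredentials", "181", this);
            Tr.debug(tc, "Java runtime exception while trying to get Invocation credentials from current.", new Object[]{e});
            subject = null;
            invocationCred = null;
        }
        final boolean isServerProcess = SecurityObjectLocator.getAdminData().getBoolean(AdminData.IS_SERVER_PROCESS);
        // Server side only: refresh/validate every token in the subject; a subject
        // that fails validation is never returned.
        if (subject != null && isServerProcess && !contextManager.getWSCredTokenMapper().checkValidityOfAllTokensAndRefresh(subject)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "JSAS0030W: Credentials are invalid. Trying unauthenticated login.");
            }
            Tr.error(tc, "security.JSAS0030W");
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getInvocationSubject");
            }
            return SubjectHelper.createUnauthenticatedSubject();
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Subject is valid.");
        }
        if (invocationCred == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No invocation subject during Identity Assertion processing.  Return Unauthenticated subject");
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getInvocationSubject");
            }
            return SubjectHelper.createUnauthenticatedSubject();
        }
        // A BasicAuth credential on the server side is exchanged for an authenticated
        // subject via the ContextManager; any failure degrades to unauthenticated.
        if (invocationCred.isBasicAuth() && !invocationCred.isUnauthenticated() && isServerProcess) {
            try {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The invocation credential is either BasicAuth or GSSUP.  Getting authentiated subject.");
                }
                subject = contextManager.login(invocationCred);
            } catch (Exception e2) {
                Manager.Ffdc.log(e2, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getInvocationCredentials", "169", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Java runtime exception while trying ContextManager.login. Returning unauthenticated subject", new Object[]{e2});
                }
                subject = SubjectHelper.createUnauthenticatedSubject();
            }
        }
        if (subject == null) {
            subject = SubjectHelper.createUnauthenticatedSubject();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getInvocationSubject", subject);
        }
        return subject;
    }

    /**
     * Resolves the subject to use for an outbound request to the target realm
     * {@code str}.
     *
     * <p>Resolution order, as implemented below: client-side realm/host and realm
     * subject caches; the current invocation subject (returned as-is if it is
     * unauthenticated); the client default subject; a (retried) login when there is
     * no forwardable credential on the client; key-file mapping of a non-forwardable
     * server credential; token validation on the server side; and finally caching of
     * the result on the client side.
     *
     * @param str the target realm name
     * @param cSIv2EffectivePerformPolicy the effective CSIv2 policy for the target;
     *        provides the target host name and is consulted for forwardability
     * @return the resolved subject (unauthenticated when nothing better is
     *         available); null only if resolution produced no subject at all
     * @throws Exception when the login fails after the configured retries, or when
     *         the login helper raises a {@link WSLoginFailedException}; other login
     *         failures are wrapped in a {@link WSLoginFailedException}
     */
    public synchronized Subject getClientSubject(final String str, CSIv2EffectivePerformPolicy cSIv2EffectivePerformPolicy) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getClientSubject", new Object[]{str, cSIv2EffectivePerformPolicy, this});
        }
        Subject subject = null;
        WSCredential cred = null;
        String targetHostName = cSIv2EffectivePerformPolicy.getTargetHostName();
        CSIUtil csiUtil = new CSIUtil();
        // Only assigned on the client-login path below; see the NOTE at the key-file
        // mapping step about the server-side path.
        LoginHelperImpl loginHelper = null;
        ContextManager contextManager = ContextManagerFactory.getInstance();
        CSIv2Config csiv2Config = SecurityObjectLocator.getCSIv2Config();
        final boolean isServerProcess = SecurityObjectLocator.getAdminData().getBoolean(AdminData.IS_SERVER_PROCESS);
        final boolean realmHostLookupEnabled = csiv2Config.getBoolean(CSIv2Config.IS_REALM_HOST_SUBJECT_LOOKUP_ENABLED);
        final boolean realmLookupEnabled = csiv2Config.getBoolean(CSIv2Config.IS_REALM_SUBJECT_LOOKUP_ENABLED);

        // Client-side caches, keyed by realm:host and by realm respectively.
        if (!isServerProcess && realmHostLookupEnabled) {
            subject = VaultImpl.getInstance().getRealmHostSubject(str + ":" + targetHostName);
            if (subject != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Returning credential from realm/server Subject cache.");
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "getClientSubject", subject);
                }
                return subject;
            }
        }
        if (!isServerProcess && realmLookupEnabled) {
            subject = VaultImpl.getInstance().getRealmSubject(str);
            if (subject != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Returning subject from the realm/subject cache.");
                }
                if (tc.isEntryEnabled()) {
                    Tr.exit(tc, "getClientSubject", subject);
                }
                return subject;
            }
        }

        // Current invocation subject; a failure here is logged and resolution continues.
        try {
            subject = contextManager.getInvocationSubject();
            cred = SubjectHelper.getWSCredentialFromSubject(subject);
        } catch (Exception e) {
            Manager.Ffdc.log(e, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getClientCredentials", "231", this);
            Tr.debug(tc, "Java runtime exception while trying to get_credentials from current.", new Object[]{e});
        }
        if (cred != null && cred.isUnauthenticated()) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getClientSubject", subject);
            }
            return subject;
        }
        if (!isServerProcess && subject == null) {
            subject = VaultImpl.getInstance().get_default_subject();
            cred = SubjectHelper.getWSCredentialFromSubject(subject);
            if (tc.isDebugEnabled() && cred != null) {
                Tr.debug(tc, "Found a default Subject on the client side: " + cred.getSecurityName());
            }
        }

        // authenticationTarget value 6: its symbolic meaning is not visible here;
        // presumably a BasicAuth/GSSUP target given the branch it selects — verify.
        final boolean authTargetMatches = csiv2Config.getInteger("com.ibm.CORBA.authenticationTarget") == 6;

        if (!isServerProcess && (cred == null || !((WSCredentialImpl) cred).isForwardable(str, cSIv2EffectivePerformPolicy, subject))) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "There is no invocation subject on the current thread; Login will be performed for " + str + "/null");
            }
            loginHelper = new LoginHelperImpl(VaultImpl.getInstance().getORB());
            // The anonymous action below needs a final capture of the helper.
            final LoginHelperImpl helper = loginHelper;
            boolean retry = false;
            do {
                try {
                    try {
                        final WSCredential currentCred = cred;
                        subject = (Subject) AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.1
                            @Override // java.security.PrivilegedExceptionAction
                            public Object run() throws Exception {
                                // Without a usable BasicAuth credential (or when the auth
                                // target does not match) the login is performed with no
                                // user id / password, leaving it to the helper to prompt.
                                if (currentCred == null || !currentCred.isBasicAuth() || currentCred.isUnauthenticated() || !authTargetMatches) {
                                    return helper.request_login_controlled(null, str, null, null, false);
                                }
                                return helper.request_login_controlled(currentCred.getSecurityName(), str, StringBytesConversion.getConvertedString(currentCred.getCredentialToken()), null, false);
                            }
                        });
                        retry = false;
                        cred = SubjectHelper.getWSCredentialFromSubject(subject);
                    } catch (PrivilegedActionException e2) {
                        if (csiv2Config.getBoolean("com.ibm.CORBA.authenticationRetryEnabled")) {
                            int retryCount = csiUtil.getCurrent().get_retry_count();
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Retry count is " + retryCount);
                            }
                            if (retryCount >= csiv2Config.getInteger("com.ibm.CORBA.authenticationRetryCount")) {
                                Manager.Ffdc.log(e2, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getClientCredentials", "340", this);
                                Tr.debug(tc, SecurityMessages.getMsgOrUseDefault("JSAS0240E", "JSAS0240E: Login failed.  Verify the userid/password is correct.  Check the properties file to ensure the login source is valid.  If this error occurs on the server, check the server properties to ensure the principalName has a valid realm and userid."));
                                throw e2.getException();
                            }
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "LOGGING IN AGAIN!!!  Previous login failed but retry count is not above the maximum retries.");
                            }
                            csiUtil.getCurrent().increment_retry_count();
                            retry = true;
                        } else if (tc.isDebugEnabled()) {
                            // Retries are disabled: the failure is not rethrown and the
                            // subject/credential resolved so far are kept. Trace it so the
                            // failed login is at least visible.
                            Tr.debug(tc, "Login failed and authentication retry is disabled; keeping the current subject.", new Object[]{e2});
                        }
                    }
                } catch (WSLoginFailedException e3) {
                    Manager.Ffdc.log(e3, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getClientCredentials", "354", this);
                    Tr.error(tc, "security.JSAS0240E", new Object[]{e3});
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Login Failed reason: " + e3.getMessage());
                    }
                    throw e3;
                } catch (Exception e4) {
                    Manager.Ffdc.log(e4, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getClientCredentials", "366", this);
                    Tr.error(tc, "security.JSAS0240E", new Object[]{e4});
                    throw new WSLoginFailedException(e4.getMessage(), e4);
                }
            } while (retry);
            if (subject != null) {
                contextManager.setInvocationSubject(subject);
            }
        } else if (cred != null && !((WSCredentialImpl) cred).isForwardable(str, cSIv2EffectivePerformPolicy, subject)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Credential is not forwardable to the target realm. Force to create Unauthenticated subject. target realm:" + str);
            }
            // Nulling the credential makes the final step below substitute an
            // unauthenticated subject.
            cred = null;
        }

        // A current but non-forwardable credential is mapped rather than sent.
        if (cred != null && cred.isCurrent() && !cred.isForwardable()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Resolved credentials is NOT forwardable. The credentials will be mapped.");
            }
            // Literal-first comparison: getOID() returning null no longer throws here.
            if ("No OID for this mechanism".equalsIgnoreCase(cred.getOID())) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "LocalOS credentials is not forwardable.");
                }
                try {
                    String realmSecurityName = cred.getRealmSecurityName();
                    if (realmSecurityName == null || realmSecurityName.length() <= 0) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "No security name found.  Return unauthenticated subject.");
                        }
                        if (tc.isEntryEnabled()) {
                            Tr.exit(tc, "getClientSubject");
                        }
                        return SubjectHelper.createUnauthenticatedSubject();
                    }
                    subject = VaultImpl.getInstance().getBasicAuthSubject(realmSecurityName);
                    if (subject != null) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Returned BasicAuth subject.  Security_name: " + realmSecurityName);
                        }
                        if (tc.isEntryEnabled()) {
                            Tr.exit(tc, "getClientSubject", subject);
                        }
                        return subject;
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "No matched BasicAuth subject for this LocalOS subject.  Return Unauthenticated subject.");
                    }
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "getClientSubject");
                    }
                    return SubjectHelper.createUnauthenticatedSubject();
                } catch (Exception e5) {
                    Manager.Ffdc.log(e5, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getClientSubject", "438", this);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, SecurityMessages.getMsgOrUseDefault("TrcMsg405", "Unable to get client security name from credentials."));
                    }
                    Tr.debug(tc, e5.getMessage(), e5);
                }
            }
            try {
                if (contextManager.isServerCred(cred)) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Server invokes downstream request to different target realm: " + str);
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Using key file to map server credential for new target realm.");
                    }
                    try {
                        if (csiv2Config.getString("com.ibm.CORBA.keyFileName") == null || csiv2Config.getString("com.ibm.CORBA.keyFileName").length() <= 0) {
                            Tr.error(tc, "security.JSAS0480E");
                            subject = SubjectHelper.createUnauthenticatedSubject();
                            cred = SubjectHelper.getWSCredentialFromSubject(subject);
                        } else {
                            // NOTE(review): loginHelper is only assigned on the client-login
                            // path above, so on a server process it is still null here and the
                            // lookup falls into the catch below (JSAS0480E, unauthenticated
                            // subject). Whether that is the intended server-side behaviour or a
                            // decompilation artifact cannot be determined from this file.
                            KeyFileEntry entry = loginHelper.getKeyFileObject().find(str, cred.getRealmSecurityName());
                            if (entry != null) {
                                subject = SubjectHelper.createBasicAuthSubject(str, entry.getUserid(), entry.getPassword());
                                cred = SubjectHelper.getWSCredentialFromSubject(subject);
                            } else {
                                Tr.error(tc, "security.JSAS0480E");
                                subject = SubjectHelper.createUnauthenticatedSubject();
                                cred = SubjectHelper.getWSCredentialFromSubject(subject);
                            }
                        }
                    } catch (Exception e6) {
                        Manager.Ffdc.log(e6, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getClientCredentials", "505", this);
                        Tr.error(tc, "security.JSAS0480E", new Object[]{e6});
                        subject = SubjectHelper.createUnauthenticatedSubject();
                        cred = SubjectHelper.getWSCredentialFromSubject(subject);
                    }
                }
            } catch (Exception e7) {
                Manager.Ffdc.log(e7, this, "com.ibm.ISecurityLocalObjectBaseL13Impl.CSICredentialsManager.getClientCredentials", "515", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Java runtime exception while trying to get_mapped_credentials.", new Object[]{e7});
                }
                subject = SubjectHelper.createUnauthenticatedSubject();
                cred = SubjectHelper.getWSCredentialFromSubject(subject);
            }
        }

        // Server side only: validate/refresh tokens; a rejected subject is replaced.
        if (subject != null && isServerProcess && !contextManager.getWSCredTokenMapper().checkValidityOfAllTokensAndRefresh(subject)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "JSAS0030W: Credentials are invalid. Trying unauthenticated login.");
            }
            Tr.error(tc, "security.JSAS0030W");
            subject = SubjectHelper.createUnauthenticatedSubject();
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Subject is valid.");
        }
        if (cred == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Credentials are null or invalidated by rejection.");
            }
            subject = SubjectHelper.createUnauthenticatedSubject();
        }

        // Client-side caches are populated with whatever was resolved, including an
        // unauthenticated subject.
        if (!isServerProcess && realmHostLookupEnabled && subject != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Adding credential to realm/server Subject cache.");
            }
            VaultImpl.getInstance().addRealmHostSubject(str + ":" + targetHostName, subject);
        }
        if (!isServerProcess && realmLookupEnabled && subject != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "caching realm and the basic auth subject");
            }
            VaultImpl.getInstance().addRealmSubject(str, subject);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getClientSubject", subject);
        }
        return subject;
    }
}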
