package com.ibm.ws.hamanager.runtime;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.hamanager.coordinator.SecurityProvider;
import com.ibm.ws.hamanager.coordinator.dcs.ConnectionTokenProvider;
import com.ibm.ws.hamanager.nls.HAMMessages;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.wsspi.security.token.SingleSignonToken;
import java.net.InetAddress;
import java.security.MessageDigest;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

/* loaded from: input_file:com/ibm/ws/hamanager/runtime/DefaultTokenProvider.class */
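/**
 * Produces and checks the connection tokens that members exchange when they connect.
 *
 * <p>Two modes are selected by the {@code useSecureTokens} constructor flag:
 * <ul>
 *   <li>disabled: the token is the raw bytes of the configured shared secret;</li>
 *   <li>enabled: the token is an SSO token created from the server credential, carrying the
 *       shared secret as the {@code cgSharedSecret} attribute.</li>
 * </ul>
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The shared secret is never written to trace by this class; a fixed marker is traced in
 *       its place.</li>
 *   <li>In disabled mode the token is a static value, so anyone who can read it off the
 *       connection can present it again. Whatever protects the transport is not visible in this
 *       class.</li>
 *   <li>The HMGR0149 rejection message includes a prefix of the rejected token (or, in enabled
 *       mode, the secret attribute the sender presented). Treat logs that hold HMGR0149 as
 *       sensitive.</li>
 * </ul>
 *
 * <p>NOTE(review): the cached credential, the cached SSO token and the rejected-member set are
 * accessed without synchronization; confirm that callers serialize access.
 */
class DefaultTokenProvider implements ConnectionTokenProvider {
    private static final TraceComponent TC = Tr.register((Class<?>) DefaultTokenProvider.class, "HAManager", HAMMessages.BUNDLE);
    private static final String svClassName = DefaultTokenProvider.class.getName();
    private static final String svSSKey = "cgSharedSecret";
    private static final String svDis = "Disabled";
    private static final String svEn = "Enabled";
    // Traced wherever the shared secret used to be traced, so argument positions stay stable.
    private static final String svRedacted = "<redacted>";
    // Tokens shorter than this are reported as coming from a sender with security disabled.
    // This is a diagnostic guess used only in log messages, never in the accept/reject decision.
    private static final int svSecureStateThreshold = 250;
    // Maximum number of leading token bytes copied into a rejection message.
    private static final int svTokenPrefixLength = 25;
    private final String ivSecret;
    private final boolean ivUseSecureTokens;
    private final SecurityProvider ivSecurity;
    // Safety margin before SSO token expiry; set to 20% of the token lifetime when one is created.
    private long ivCushion;
    private WSCredential ivWsServerCred = null;
    private SingleSignonToken ivSSOToken = null;
    // Members whose last token was rejected, used to log each rejection only once.
    // NOTE(review): entries are keyed by the member name passed to authenticateMember and are only
    // removed on a later success, so the set is unbounded if names come from untrusted peers.
    private final Set<String> ivRejected = new HashSet<String>();
    private final ContextManager ivContextMgr = ContextManagerFactory.getInstance();

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a provider.
     *
     * @param str the shared secret; sent as the token when secure tokens are disabled and embedded
     *            in the SSO token otherwise
     * @param z whether SSO-token based connection tokens are used
     * @param securityProvider source of the security enabled/started state
     */
    public DefaultTokenProvider(String str, boolean z, SecurityProvider securityProvider) {
        this.ivSecret = str;
        this.ivUseSecureTokens = z;
        this.ivSecurity = securityProvider;
        if (TC.isDebugEnabled()) {
            // The secret itself must not reach trace files; trace a marker instead.
            Tr.debug(TC, "create DefaultTokenProvider", new Object[]{Boolean.valueOf(this.ivUseSecureTokens), Boolean.valueOf(this.ivSecurity.isSecurityEnabled()), svRedacted});
        }
    }

    /**
     * Returns the token this member presents when it opens a connection.
     *
     * @param str first identifier passed by the caller; only traced here
     * @param str2 second identifier passed by the caller; only traced here
     * @return the shared secret bytes (platform default charset) when secure tokens are disabled,
     *         the SSO token bytes when they are enabled, or {@code null} when security has not
     *         started or the token could not be built
     */
    @Override // com.ibm.ws.hamanager.coordinator.dcs.ConnectionTokenProvider
    public byte[] getToken(String str, String str2) {
        if (TC.isDebugEnabled()) {
            Tr.debug(TC, "getToken", new Object[]{Boolean.valueOf(this.ivUseSecureTokens), str, str2, svRedacted});
        }
        if (!this.ivUseSecureTokens) {
            return this.ivSecret.getBytes();
        }
        if (!this.ivSecurity.isSecurityStarted()) {
            if (TC.isDebugEnabled()) {
                Tr.debug(TC, "getToken - security not initialized");
            }
            return null;
        }
        try {
            if (this.ivWsServerCred == null || !this.ivWsServerCred.isCurrent()) {
                // A new credential invalidates any SSO token derived from the old one.
                this.ivSSOToken = null;
                Subject serverSubject = this.ivContextMgr.getServerSubject();
                this.ivWsServerCred = SubjectHelper.getWSCredentialFromSubject(serverSubject);
                if (TC.isDebugEnabled()) {
                    // Subject.toString() can include private credentials, so trace principals only.
                    // NOTE(review): confirm WSCredential.toString() does not expose credential material.
                    Tr.debug(TC, "initializing connection credential", new Object[]{serverSubject == null ? null : serverSubject.getPrincipals(), this.ivWsServerCred});
                }
            }
            if (this.ivWsServerCred == null) {
                if (TC.isDebugEnabled()) {
                    Tr.debug(TC, "returning connection credential", "unitialized");
                }
                // Routed through the catch below so the failure gets an FFDC record and HMGR0150.
                throw new Exception("WS Credential is null");
            }
            // Drop the cached token once its remaining lifetime falls below the cushion.
            if (this.ivSSOToken != null && (this.ivSSOToken.getExpiration() - System.currentTimeMillis()) - this.ivCushion < 0) {
                this.ivSSOToken = null;
            }
            if (this.ivSSOToken == null) {
                this.ivSSOToken = this.ivContextMgr.getWSCredTokenMapper().createSSOTokenFromWSCredential(this.ivWsServerCred);
                this.ivSSOToken.addAttribute(svSSKey, this.ivSecret);
                this.ivCushion = (long) ((this.ivSSOToken.getExpiration() - System.currentTimeMillis()) * 0.2d);
            }
            byte[] bytes = this.ivSSOToken.getBytes();
            if (TC.isDebugEnabled()) {
                Tr.debug(TC, "returning secure Token", Integer.valueOf(bytes.length));
            }
            return bytes;
        } catch (Throwable th) {
            FFDCFilter.processException(th, svClassName, "159", this);
            Tr.error(TC, "HMGR0150", th);
            return null;
        }
    }

    /**
     * Decides whether a connecting member presented an acceptable token.
     *
     * <p>A failure is logged as HMGR0149 once per member name; the name is cleared from the
     * rejected set on the next success. A {@code null} token is rejected.
     *
     * @param str first identifier passed by the caller; only logged here
     * @param str2 member name used as the key of the rejected set
     * @param bArr token bytes received from the member
     * @param inetAddress address of the member; only logged here
     * @return {@code true} only if the token carries the configured shared secret
     */
    @Override // com.ibm.ws.hamanager.coordinator.dcs.ConnectionTokenProvider
    public boolean authenticateMember(String str, String str2, byte[] bArr, InetAddress inetAddress) {
        if (TC.isDebugEnabled()) {
            Tr.debug(TC, "authenticateConnection", new Object[]{Boolean.valueOf(this.ivUseSecureTokens), Integer.valueOf(bArr == null ? 0 : bArr.length), str, str2, inetAddress});
        }
        boolean accepted = false;
        try {
            accepted = this.ivUseSecureTokens
                    ? verifySecureToken(str, str2, bArr, inetAddress)
                    : verifySharedSecret(str, str2, bArr, inetAddress);
        } catch (Throwable th) {
            // Any failure while checking the token is a rejection, never an acceptance.
            FFDCFilter.processException(th, svClassName, "238", this);
            if (this.ivRejected.add(str2)) {
                Tr.error(TC, "HMGR0149", new Object[]{str, str2, inetAddress, this.ivUseSecureTokens ? svEn : svDis, getSenderSecurityState(bArr), getTokenFirstBytes(bArr), th});
            }
        } finally {
            if (TC.isDebugEnabled()) {
                Tr.debug(TC, "authenticateConnection", Boolean.valueOf(accepted));
            }
        }
        return accepted;
    }

    /** Checks a token in disabled mode, where the token must equal the shared secret bytes. */
    private boolean verifySharedSecret(String str, String str2, byte[] bArr, InetAddress inetAddress) {
        // Compare bytes with MessageDigest.isEqual rather than String.equals so the check does not
        // return at the first differing character. The encoding matches what getToken() sends.
        boolean match = bArr != null && MessageDigest.isEqual(this.ivSecret.getBytes(), bArr);
        if (match) {
            this.ivRejected.remove(str2);
        } else if (this.ivRejected.add(str2)) {
            // In this mode the logged prefix is part of whatever secret the sender presented.
            Tr.info(TC, "HMGR0149", new Object[]{str, str2, inetAddress, svDis, getSenderSecurityState(bArr), getTokenFirstBytes(bArr), null});
        }
        return match;
    }

    /**
     * Checks a token in enabled mode: the token is validated first and then its
     * {@code cgSharedSecret} attribute must equal the configured secret.
     */
    private boolean verifySecureToken(String str, String str2, byte[] bArr, InetAddress inetAddress) throws Exception {
        if (!this.ivSecurity.isSecurityStarted()) {
            // Tokens cannot be validated yet; reject without recording the member as rejected.
            return false;
        }
        String[] attributes = this.ivContextMgr.getWSCredTokenMapper().validateLTPAToken(bArr).getAttributes(svSSKey);
        String presented = "null";
        // The length check keeps an empty attribute array on the normal rejection path.
        if (attributes != null && attributes.length > 0 && attributes[0] != null) {
            presented = attributes[0];
            // The comparison is reached only after validateLTPAToken returned without throwing.
            if (this.ivSecret.equals(presented)) {
                this.ivRejected.remove(str2);
                return true;
            }
        }
        if (this.ivRejected.add(str2)) {
            // The presented secret attribute is written to the log in clear text here.
            Tr.info(TC, "HMGR0149", new Object[]{str, str2, inetAddress, svEn, svEn, presented, null});
        }
        return false;
    }

    /** Guesses the sender's security state from the token length, for log messages only. */
    private String getSenderSecurityState(byte[] bArr) {
        return bArr == null || bArr.length < svSecureStateThreshold ? svDis : svEn;
    }

    /** Returns at most the first 25 token bytes as a string for log messages, or "null". */
    private String getTokenFirstBytes(byte[] bArr) {
        if (bArr == null) {
            return "null";
        }
        byte[] prefix = bArr;
        if (bArr.length > svTokenPrefixLength) {
            prefix = new byte[svTokenPrefixLength];
            System.arraycopy(bArr, 0, prefix, 0, svTokenPrefixLength);
        }
        return new String(prefix);
    }
}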
