package com.ibm.ws.security.auth.kerberos;

import com.ibm.ISecurityLocalObjectTokenBaseImpl.Krb5NLS;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.security.auth.callback.CcacheFileTextInputCallback;
import com.ibm.security.auth.callback.DefaultCcacheTextInputCallback;
import com.ibm.security.auth.module.Krb5LoginModule;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.auth.callback.WSRealmNameCallbackImpl;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.auth.WSCredentialImpl;
import com.ibm.ws.security.common.util.CommonConstants;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.util.AccessController;
import com.ibm.wsspi.security.auth.callback.Constants;
import com.ibm.wsspi.wssecurity.platform.token.KRBAuthnToken;
import java.io.IOException;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

/* loaded from: input_file:com/ibm/ws/security/auth/kerberos/Krb5LoginModuleWrapperClient.class */
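/**
 * Client-side JAAS wrapper around the IBM {@link Krb5LoginModule}.
 *
 * <p>{@link #login()} gathers user id, password, realm and credential-cache
 * hints either from the callbacks an earlier module left in the shared state
 * under {@link Constants#CALLBACK_KEY} or by sending a fresh set to the
 * configured {@link CallbackHandler}, then delegates the Kerberos login to the
 * superclass. {@link #commit()} turns the resulting {@link KerberosTicket} into
 * a {@link WSCredential} (also stored in the shared state under
 * {@link Constants#WSCREDENTIAL_KEY}), a GSS credential and a
 * {@link KRBAuthnToken} on the {@link Subject}; {@link #logout()} removes them
 * again.
 *
 * <p>The superclass is only driven through commit/abort/logout once
 * {@link #login()} has actually run ({@code login_called}); a module that was
 * initialized but never asked to log in is a no-op for those phases.
 *
 * <p>Not thread-safe: a login module instance belongs to a single login
 * context.
 */
public class Krb5LoginModuleWrapperClient extends Krb5LoginModule {
    private Subject _subject;
    private CallbackHandler _callbackHandler;
    private Map _sharedState;
    private Map _options;
    private WSCredential _credential;
    private static final Oid krb5MechOid = Krb5Utils.getKrb5MechOid();
    private static final TraceComponent tc = Tr.register((Class<?>) Krb5LoginModuleWrapperClient.class, "Security", Krb5NLS.MSG_FILE);
    // Text used in trace output wherever a value is absent.
    private static final String NULL_TEXT = "<null>";
    // Mirrors the "debug" login option; stays true until initialize() has read it.
    protected boolean _debug = true;
    private GSSCredential _gssCred = null;
    private String _realmName = null;
    // Both realms below are populated only on the uid+password login path.
    private String clientRealm = null;
    private String defaultRealm = null;
    // Set once login() ran; gates delegation of commit/abort/logout to the superclass.
    boolean login_called = false;

    public Krb5LoginModuleWrapperClient() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "Krb5LoginModuleWrapperClient()");
            Tr.exit(tc, "Krb5LoginModuleWrapperClient()");
        }
    }

    /**
     * Records the login context's subject, handler and maps and initializes the
     * wrapped {@link Krb5LoginModule}.
     *
     * <p>A failure in the superclass is reported (FFDC plus error trace) but not
     * propagated; {@code login()} then surfaces whatever state the superclass was
     * left in. The {@code debug} option is read afterwards and is treated as
     * {@code false} when absent or not a String.
     *
     * @param subject         subject to populate
     * @param callbackHandler handler used to gather login data; may be null
     * @param map             JAAS shared state
     * @param map2            login options
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        if (tc.isEntryEnabled()) {
            // Only the map keys are traced: shared state and options may carry
            // names, passwords or credentials left behind by other modules.
            Tr.entry(tc, "initialize(subject = \"" + subject + "\", callbackHandler = \"" + callbackHandler
                    + "\", sharedState keys = \"" + (map == null ? NULL_TEXT : map.keySet())
                    + "\", options keys = \"" + (map2 == null ? NULL_TEXT : map2.keySet()) + "\")");
        }
        // Capture the arguments before delegating so that a superclass failure
        // cannot leave these fields null for the option lookup below.
        this._subject = subject;
        this._callbackHandler = callbackHandler;
        this._sharedState = map;
        this._options = map2;
        try {
            super.initialize(subject, callbackHandler, map, map2);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapperClient.initialize", "175", this);
            if (this._debug || tc.isEntryEnabled()) {
                Tr.error(tc, "initialize", new Object[]{e});
            }
        }
        Object debugOption = this._options == null ? null : this._options.get("debug");
        this._debug = debugOption instanceof String && "true".equalsIgnoreCase((String) debugOption);
        traceDebug("Krb5LoginModuleWrapperClient");
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize(subject, callbackHandler, sharedState, options)");
        }
    }

    /**
     * Gathers the login data and delegates the Kerberos login to the superclass.
     *
     * <p>When both a user id and a password were supplied, the client and
     * default realms are resolved first and a warning is logged if the realm
     * given by the caller matches none of them. Any exception from the
     * delegated login is recorded as the context's root exception and rethrown
     * as a {@link WSLoginFailedException}.
     *
     * @return the superclass's login result
     * @throws WSLoginFailedException if no callback handler is available, the
     *                                handler fails, or the delegated login fails
     */
    @Override
    public boolean login() throws CredentialExpiredException, FailedLoginException, LoginException {
        if (this._debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        ContextManager contextManager = ContextManagerFactory.getInstance();

        NameCallback nameCallback = null;
        PasswordCallback passwordCallback = null;
        WSRealmNameCallbackImpl realmCallback = null;
        CcacheFileTextInputCallback ccacheFileCallback = null;
        DefaultCcacheTextInputCallback defaultCcacheCallback = null;
        for (Callback callback : obtainCallbacks(contextManager)) {
            if (callback instanceof NameCallback) {
                nameCallback = (NameCallback) callback;
            } else if (callback instanceof PasswordCallback) {
                passwordCallback = (PasswordCallback) callback;
            } else if (callback instanceof WSRealmNameCallbackImpl) {
                realmCallback = (WSRealmNameCallbackImpl) callback;
            } else if (callback instanceof CcacheFileTextInputCallback) {
                ccacheFileCallback = (CcacheFileTextInputCallback) callback;
            } else if (callback instanceof DefaultCcacheTextInputCallback) {
                defaultCcacheCallback = (DefaultCcacheTextInputCallback) callback;
            } else if (callback != null && (this._debug || tc.isDebugEnabled())) {
                Tr.debug(tc, "The following callback was ignored: " + callback.getClass().getName());
            }
        }

        String uid = nameCallback == null ? null : nameCallback.getName();
        // Only the presence of a password matters here; the secret itself stays
        // in the PasswordCallback instead of being copied into a second buffer.
        boolean passwordSupplied = hasPassword(passwordCallback);
        if (realmCallback != null) {
            this._realmName = realmCallback.getRealmName();
        }
        String ccacheFile = ccacheFileCallback == null ? null : ccacheFileCallback.getText();
        String useDefaultCcache = defaultCcacheCallback == null ? null : defaultCcacheCallback.getText();
        if (this._debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "uid = " + (uid == null ? NULL_TEXT : uid));
            Tr.debug(tc, "password = " + (passwordSupplied ? "<not null>" : NULL_TEXT));
            Tr.debug(tc, "realm = " + this._realmName);
            Tr.debug(tc, "ccache File Name = " + (ccacheFile == null ? NULL_TEXT : ccacheFile));
            Tr.debug(tc, "use DefaultCcache File = " + (useDefaultCcache == null ? NULL_TEXT : useDefaultCcache));
        }

        try {
            this.login_called = true;
            if (uid != null && passwordSupplied) {
                this.clientRealm = Krb5Utils.getDefaultRealm("");
                this.defaultRealm = contextManager.getDefaultRealm();
                warnOnRealmMismatch();
                traceDebug("Calling super.login() from wrapper with uid and password.");
            } else if (uid != null) {
                traceDebug("Calling super.login() from wrapper with uid.");
            } else {
                traceDebug("Calling super.login() from wrapper client.");
            }
            return super.login();
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapperClient.login", "346", this);
            if (this._debug || tc.isEntryEnabled()) {
                Tr.exit(tc, "login()", new Object[]{e});
            }
            contextManager.setRootException(e);
            throw new WSLoginFailedException(e.getMessage(), e);
        }
    }

    /**
     * Returns the callbacks holding the login data.
     *
     * <p>A {@code Callback[]} already stored in the shared state under
     * {@link Constants#CALLBACK_KEY} is reused as-is. Otherwise a fresh set is
     * sent to the configured handler and stored in the shared state for the
     * modules that follow.
     *
     * @throws WSLoginFailedException if no handler is configured, or the handler
     *                                fails or rejects a callback
     */
    private Callback[] obtainCallbacks(ContextManager contextManager) throws WSLoginFailedException {
        Object stored = this._sharedState.get(Constants.CALLBACK_KEY);
        if (stored instanceof Callback[]) {
            return (Callback[]) stored;
        }
        if (this._callbackHandler == null) {
            WSLoginFailedException noHandler = new WSLoginFailedException("No CallbackHandler available to gather authentication information from the user.");
            contextManager.setRootException(noHandler);
            throw noHandler;
        }
        Callback[] callbacks = {
            new NameCallback("Username: "),
            new PasswordCallback("Password: ", false),
            new WSRealmNameCallbackImpl("Realm Name", contextManager.getDefaultRealm()),
            new CcacheFileTextInputCallback("CcacheFile: "),
            new DefaultCcacheTextInputCallback("DefaultCcache: ")
        };
        try {
            this._callbackHandler.handle(callbacks);
            this._sharedState.put(Constants.CALLBACK_KEY, callbacks);
        } catch (IOException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapperClient.login", "249", this);
            Tr.error(tc, "security.jaas.callBackHandlerIOException", new Object[]{getClass().getName(), e});
            contextManager.setRootException(e);
            throw new WSLoginFailedException("IOException: " + e.getMessage(), e);
        } catch (UnsupportedCallbackException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapperClient.login", "254", this);
            Tr.error(tc, "security.jaas.callBackHandlerException", new Object[]{getClass().getName(), e.getCallback().toString(), e});
            contextManager.setRootException(e);
            throw new WSLoginFailedException(e.getCallback().toString() + " not supported by CallbackHandler to gather authentication information from the user" + e.getMessage(), e);
        }
        return callbacks;
    }

    /**
     * Tells whether a non-empty password was supplied through the callback.
     *
     * <p>{@link PasswordCallback#getPassword()} hands back a copy of the secret;
     * it is scrubbed as soon as its length has been checked so no extra copy
     * lingers on the heap.
     */
    private static boolean hasPassword(PasswordCallback passwordCallback) {
        if (passwordCallback == null) {
            return false;
        }
        char[] password = passwordCallback.getPassword();
        if (password == null) {
            return false;
        }
        boolean supplied = password.length != 0;
        Arrays.fill(password, '\0');
        return supplied;
    }

    /**
     * Logs a warning when the caller-supplied realm matches neither the
     * client realm, the default realm nor {@link CommonConstants#DEFAULT_REALM}.
     * Nothing is compared when no realm callback was supplied.
     */
    private void warnOnRealmMismatch() {
        if (this._realmName == null) {
            return;
        }
        boolean known = this._realmName.equals(this.defaultRealm)
                || this._realmName.equals(this.clientRealm)
                || this._realmName.equals(CommonConstants.DEFAULT_REALM);
        if (!known) {
            Tr.warning(tc, "security.auth.kerberos.RealmMismatch", new Object[]{this._realmName, this.clientRealm, this.defaultRealm});
        }
    }

    /**
     * Commits the delegated login and publishes the WebSphere-side credentials
     * derived from the subject's {@link KerberosTicket}.
     *
     * @return true; also when {@link #login()} was never called
     * @throws WSLoginFailedException wrapping any failure while building or
     *                                publishing the credentials
     */
    @Override
    public boolean commit() throws LoginException {
        if (this._debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "commit()");
        }
        if (!this.login_called) {
            return true;
        }
        traceDebug("Calling super.commit() from wrapper.");
        super.commit();
        try {
            KerberosTicket ticket = selectKerberosTicket();
            if (ticket == null) {
                traceDebug("Kerberos Ticket is null ");
            } else {
                publishCredentials(ticket);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "commit()");
            }
            return true;
        } catch (Exception e) {
            if (this._debug || tc.isEntryEnabled()) {
                Tr.debug(tc, "Exception during commit.", new Object[]{e});
            }
            if (e instanceof WSLoginFailedException) {
                throw (WSLoginFailedException) e;
            }
            throw new WSLoginFailedException(e.getMessage(), e);
        }
    }

    /**
     * Picks the {@link KerberosTicket} to build credentials from.
     *
     * <p>A warning is logged when the subject holds more than one ticket; the
     * last one in the set's iteration order is used.
     *
     * @return the selected ticket, or null when the subject holds none
     */
    private KerberosTicket selectKerberosTicket() {
        Set<KerberosTicket> tickets = this._subject.getPrivateCredentials(KerberosTicket.class);
        if (tickets.size() > 1) {
            Tr.warning(tc, "security.auth.kerberos.MultipleCredsFound");
        }
        KerberosTicket chosen = null;
        for (KerberosTicket ticket : tickets) {
            chosen = ticket;
        }
        return chosen;
    }

    /**
     * Creates the GSS credential, the {@link WSCredential} and the
     * {@link KRBAuthnToken} for the given ticket and attaches them to the
     * subject (the WSCredential also goes into the shared state).
     *
     * <p>The credential-building steps run under {@code Subject.doAs} so the
     * GSS layer sees the subject's Kerberos ticket.
     *
     * @throws Exception whatever the privileged action failed with
     */
    private void publishCredentials(final KerberosTicket ticket) throws Exception {
        final long expiration = ticket.getEndTime().getTime();
        final KerberosPrincipal client = ticket.getClient();
        final String clientName = client.getName();
        if (this._debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Name for cred: " + clientName);
            Tr.debug(tc, "_subject: " + this._subject);
        }
        try {
            Subject.doAs(this._subject, new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws Exception {
                    if (_gssCred == null) {
                        _gssCred = Krb5Utils.createGSSCredential(_subject);
                        if (_gssCred != null) {
                            SubjectHelper.putGSSCredentialInSubject(_gssCred, _subject);
                        }
                    }
                    String realm = resolveCredentialRealm();
                    _credential = new WSCredentialImpl(realm, clientName, clientName, (String) null, realm + "/" + clientName, (ArrayList) null, (ArrayList) null, krb5MechOid.toString(), null, true, expiration);
                    _sharedState.put(Constants.WSCREDENTIAL_KEY, _credential);
                    Set<Object> publicCredentials = _subject.getPublicCredentials();
                    if (!publicCredentials.contains(_credential)) {
                        publicCredentials.add(_credential);
                    }
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            Tr.debug(tc, "Exception in Subject.doAS.", new Object[]{e});
            throw e.getException();
        }
        KRBAuthnToken authnToken = Krb5Utils.createKRBAuthnToken(ticket, this._gssCred, client, null, 0L);
        if (authnToken != null) {
            this._subject.getPrivateCredentials().add(authnToken);
        }
        if (this._debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "_credential.", this._credential);
        }
    }

    /**
     * Realm recorded in the {@link WSCredential}: the client realm when set,
     * else the caller-supplied realm, else the default realm.
     *
     * <p>NOTE(review): clientRealm and defaultRealm are only populated on the
     * uid+password login path, so a login through a credential cache can end
     * up with a null realm here — confirm this is intended.
     */
    private String resolveCredentialRealm() {
        if (this.clientRealm != null && this.clientRealm.length() > 0) {
            return this.clientRealm;
        }
        if (this._realmName != null && this._realmName.length() > 0) {
            return this._realmName;
        }
        return this.defaultRealm;
    }

    /**
     * Aborts the delegated login; a no-op returning true if {@link #login()}
     * never ran.
     */
    @Override
    public boolean abort() throws LoginException {
        if (!this.login_called) {
            return true;
        }
        traceDebug("Calling super.abort() from wrapper.");
        return super.abort();
    }

    /**
     * Removes the credentials this wrapper published and logs out the
     * delegated module; a no-op returning true if {@link #login()} never ran.
     */
    @Override
    public boolean logout() throws LoginException {
        if (!this.login_called) {
            return true;
        }
        cleanup();
        traceDebug("Calling super.logout() from wrapper.");
        return super.logout();
    }

    /**
     * Removes the GSS credential and the {@link WSCredential} from the subject,
     * destroys the WSCredential and clears the wrapper's references to both.
     *
     * <p>Each removal step is best effort: a failure is reported through
     * {@code Tr.error} (when debug tracing is on) and the remaining steps still
     * run, so the wrapper never ends up holding a credential it could not drop.
     */
    private void cleanup() {
        if (this._debug || tc.isEntryEnabled()) {
            Tr.entry(tc, "cleanup()");
        }
        if (this._debug || tc.isDebugEnabled()) {
            Tr.debug(tc, "Start credentials from the Subject.");
            Tr.debug(tc, "Start removing ...");
        }
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                try {
                    Set<Object> privateCredentials = _subject.getPrivateCredentials();
                    if (_gssCred != null && privateCredentials.contains(_gssCred)) {
                        privateCredentials.remove(_gssCred);
                    }
                } catch (Exception e) {
                    reportCleanupFailure("security.auth.kerberos.RemGSSCredException", e);
                }
                try {
                    Set<Object> publicCredentials = _subject.getPublicCredentials();
                    if (_credential != null && publicCredentials.contains(_credential)) {
                        publicCredentials.remove(_credential);
                    }
                } catch (Exception e) {
                    reportCleanupFailure("security.auth.kerberos.RemCredException", e);
                }
                if (_credential != null) {
                    try {
                        _credential.destroy();
                    } catch (Exception e) {
                        reportCleanupFailure("security.auth.kerberos.DestroyCredException", e);
                    }
                }
                return null;
            }
        });
        traceDebug("Removed.");
        this._credential = null;
        this._gssCred = null;
        if (this._debug || tc.isEntryEnabled()) {
            Tr.exit(tc, "cleanup()");
        }
    }

    /** Reports a failed cleanup step under the given message key when debug tracing is on. */
    private void reportCleanupFailure(String messageKey, Exception e) {
        if (this._debug || tc.isDebugEnabled()) {
            Tr.error(tc, messageKey, new Object[]{e});
        }
    }

    /** Emits a debug trace line when either the debug option or debug tracing is enabled. */
    private void traceDebug(String message) {
        if (this._debug || tc.isDebugEnabled()) {
            Tr.debug(tc, message);
        }
    }
}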
