package com.ibm.wsspi.wssecurity.token;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ws.webservices.engine.MessageContext;
import com.ibm.ws.webservices.wssecurity.KRBConstants;
import com.ibm.ws.webservices.wssecurity.audit.WSSAuditEventGenerator;
import com.ibm.ws.webservices.wssecurity.audit.WSSAuditEventGeneratorImpl;
import com.ibm.ws.webservices.wssecurity.audit.WSSAuditService;
import com.ibm.ws.webservices.wssecurity.audit.WSSAuditServiceImpl;
import com.ibm.ws.webservices.wssecurity.config.KRBSPN;
import com.ibm.ws.webservices.wssecurity.util.KRB5Util;
import com.ibm.wsspi.wssecurity.Constants;
import com.ibm.wsspi.wssecurity.SoapSecurityException;
import com.ibm.wsspi.wssecurity.auth.callback.KRBTokenCallbackHandler;
import com.ibm.wsspi.wssecurity.config.TokenConsumerConfig;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.xml.namespace.QName;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:com/ibm/wsspi/wssecurity/token/KRBTokenConsumer.class */
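public class KRBTokenConsumer implements TokenConsumerComponent {
    private static final String comp = "security.wssecurity";
    private static final TraceComponent tc =
            Tr.register((Class<?>) KRBTokenConsumer.class, "Web Services Security", "com.ibm.ws.webservices.wssecurity.resources.was-wssecurity");

    /** Message-catalog key used for every fault raised by this consumer. */
    private static final String MSG_KEY = "security.wssecurity.KRBTokenConsumer.s01";

    /** Provider-outcome values recorded in SECURITY_AUTHN audit events. */
    private static final String PROVIDER_OUTCOME_SUCCESS = "SUCCESS";
    private static final String PROVIDER_OUTCOME_FAILURE = "FAILURE";

    /**
     * Nothing is cached per instance: the SPN list and the audit services are
     * looked up on every {@link #invoke(Node, Map)}.
     *
     * @param map component configuration (unused)
     * @throws SoapSecurityException never thrown here; declared by the interface
     */
    @Override // com.ibm.ws.webservices.wssecurity.WSSComponent, com.ibm.wsspi.wssecurity.Initializable
    public void init(Map map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "init()");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "init()");
        }
    }

    /**
     * Consumes one Kerberos-related token element from the WS-Security header.
     *
     * <p>Two element kinds are handled: a WS-SecureConversation DerivedKeyToken,
     * which is turned into a {@link KRBDerivedKeyToken} and attached to the message
     * context and the subject, and any other element, which is treated as a
     * Kerberos BinarySecurityToken and authenticated through the JAAS login
     * configuration named by the consumer config. Any other node type is rejected.
     *
     * @param node the token element taken from the inbound message
     * @param map  per-message context; must hold the consumer config under
     *             {@code TokenConsumerConfig.CONFIG_KEY}, the subject under
     *             {@code Constants.WSSECURITY_SUBJECT} and the message context under
     *             {@code Constants.WSSECURITY_MESSAGE_CONTEXT}
     * @throws SoapSecurityException if the node is not an element, the token cannot
     *                               be consumed, or the Kerberos login fails
     */
    @Override // com.ibm.ws.webservices.wssecurity.WSSConsumerComponent
    public void invoke(Node node, Map map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "invoke()");
        }
        // The config is removed from the shared map rather than read; kept as-is
        // because downstream components may rely on it no longer being present.
        TokenConsumerConfig tokenConsumerConfig = (TokenConsumerConfig) map.remove(TokenConsumerConfig.CONFIG_KEY);
        Subject subject = (Subject) map.get(Constants.WSSECURITY_SUBJECT);
        MessageContext messageContext = (MessageContext) map.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Consuming the token " + node.getNodeName());
        }
        if (node.getNodeName().equals(KRBConstants.STR_WSSC_DERIVED_KEY_TOKEN)) {
            handleDerivedKeyToken(node, subject, messageContext);
        } else {
            // Only element nodes can carry a BinarySecurityToken; reject anything else
            // before casting. (The derived-key branch relies on its catch-all instead.)
            if (node.getNodeType() != Node.ELEMENT_NODE) {
                throw SoapSecurityException.format("WARNING: Unsupported node type: " + node.getNodeName());
            }
            handleBinarySecurityToken((Element) node, map, tokenConsumerConfig, subject, messageContext);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "invoke()");
        }
    }

    /**
     * Builds a {@link KRBDerivedKeyToken} from a DerivedKeyToken element and
     * attaches it to the message context and the subject.
     *
     * @throws SoapSecurityException wrapping any failure, including a cast failure
     *                               when {@code node} is not an {@link Element}
     */
    private static void handleDerivedKeyToken(Node node, Subject subject, MessageContext messageContext)
            throws SoapSecurityException {
        try {
            HashMap derivedKeyProps = KRB5Util.consumeDerivedKeyToken((Element) node);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Creating the derived key token ");
            }
            KRBDerivedKeyToken derivedKeyToken = new KRBDerivedKeyToken(derivedKeyProps);
            KRB5Util.addDerivedkeyTokenToContext(messageContext, derivedKeyToken);
            boolean subjectUpdated = KRB5Util.addCredentialToSubject(subject, derivedKeyToken);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, subjectUpdated
                        ? "Subject is updated with dervied key token."
                        : "Subject is not updated with dervied key token.");
            }
        } catch (Throwable th) {
            // Throwable (not Exception) is retained so that the existing mapping of
            // every failure to a single SOAP fault is preserved.
            throw SoapSecurityException.format(new QName(KRBConstants.STR_WSSE_NS, "Failed to consume Kerberos token."), MSG_KEY, th.toString());
        }
    }

    /**
     * Authenticates a Kerberos BinarySecurityToken via the configured JAAS login
     * and records a SECURITY_AUTHN audit event for the outcome.
     *
     * <p>A {@link LoginException} is audited as DENIED, any other failure as ERROR;
     * both are reported to the caller as a FailedAuthentication fault.
     */
    private static void handleBinarySecurityToken(Element element, Map map, TokenConsumerConfig tokenConsumerConfig,
            Subject subject, MessageContext messageContext) throws SoapSecurityException {
        try {
            // The second argument selects which SPN entry is used; its meaning is
            // defined by KRB5Util.getSPNList() and is not visible here.
            KRBSPN spn = KRB5Util.getSPNList().getSPN(tokenConsumerConfig.getProperties(), 1);
            HashMap tokenProps = KRB5Util.consumeBinarySecurityToken(element);
            tokenProps.put(KRBConstants.STR_SPN_OBJ_PROP, spn);
            tokenProps.put(Constants.WSSECURITY_MESSAGE_CONTEXT, messageContext);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Creating KerberosToken callback handler");
            }
            KRBTokenCallbackHandler callbackHandler = new KRBTokenCallbackHandler(tokenProps);
            String jAASConfig = tokenConsumerConfig.getJAASConfig();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Creating the loginContext for " + jAASConfig);
            }
            LoginContext loginContext = new LoginContext(jAASConfig, subject, callbackHandler);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Starting the Kerberos login  ");
            }
            // Token validation happens inside the JAAS login modules.
            loginContext.login();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "After Kerberos login  ");
            }
            // The login modules may publish token info on the message context;
            // it is optional, so every use below is null-guarded.
            KRBTokenInfo tokenInfo = (KRBTokenInfo) messageContext.getProperty(KRBConstants.STR_WSSECURITY_KRB_TOKEN_INFO);
            if (tokenInfo != null) {
                addKerberosTokenToSubject(subject, tokenInfo);
            }
            if (WSSAuditServiceImpl.getInstance().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.SUCCESS)) {
                Map<String, Object> auditEventContext = WSSAuditEventGeneratorImpl.getInstance().setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.SUCCESS, WSSAuditService.WSSAuditReason.AUTHN_SUCCESS, null);
                WSSAuditEventGeneratorImpl.getInstance().addExtendedAuditData(auditEventContext, "AuthnType", tokenConsumerConfig.getType().toString());
                // Previously dereferenced tokenInfo unconditionally, so a successful
                // login without token info failed only when auditing was enabled.
                if (tokenInfo != null) {
                    WSSAuditEventGeneratorImpl.getInstance().addExtendedAuditData(auditEventContext, WSSAuditEventGenerator.TOKEN_ID, tokenInfo.getId());
                    WSSAuditEventGeneratorImpl.getInstance().addExtendedAuditData(auditEventContext, "Username", tokenInfo.getPrincipal());
                }
                WSSAuditEventGeneratorImpl.getInstance().addProviderData(auditEventContext, jAASConfig, PROVIDER_OUTCOME_SUCCESS);
                WSSAuditEventGeneratorImpl.getInstance().sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, messageContext, map);
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Auditing SECURITY_AUTHN event not enabled.");
            }
        } catch (LoginException e) {
            auditAuthnFailure(map, messageContext, tokenConsumerConfig, WSSAuditService.WSSAuditOutcome.DENIED, e);
            throw SoapSecurityException.format(new QName(KRBConstants.STR_WSSE_NS, com.ibm.xml.soapsec.Constants.FAILED_AUTHENTICATION_QNAME), MSG_KEY, e.toString());
        } catch (Throwable th) {
            // Throwable is retained to preserve the existing fault mapping for all failures.
            auditAuthnFailure(map, messageContext, tokenConsumerConfig, WSSAuditService.WSSAuditOutcome.ERROR, th);
            throw SoapSecurityException.format(new QName(KRBConstants.STR_WSSE_NS, com.ibm.xml.soapsec.Constants.FAILED_AUTHENTICATION_QNAME), MSG_KEY, th.toString());
        }
    }

    /**
     * Emits a SECURITY_AUTHN audit event for a failed login when auditing of the
     * given outcome is enabled. The provider outcome is always recorded as
     * FAILURE; the original code recorded "SUCCESS" for the DENIED case, which
     * mislabelled rejected logins in the audit trail.
     *
     * @param outcome DENIED for a {@link LoginException}, ERROR for anything else
     * @param cause   the failure, whose {@code toString()} becomes the audit reason detail
     */
    private static void auditAuthnFailure(Map map, MessageContext messageContext, TokenConsumerConfig tokenConsumerConfig,
            WSSAuditService.WSSAuditOutcome outcome, Throwable cause) {
        if (!WSSAuditServiceImpl.getInstance().isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, outcome)) {
            return;
        }
        Map<String, Object> auditEventContext = WSSAuditEventGeneratorImpl.getInstance().setAuditEventContext(map, outcome, WSSAuditService.WSSAuditReason.AUTHN_LOGIN_EXCEPTION, cause.toString());
        WSSAuditEventGeneratorImpl.getInstance().addExtendedAuditData(auditEventContext, "AuthnType", tokenConsumerConfig.getType().toString());
        WSSAuditEventGeneratorImpl.getInstance().addProviderData(auditEventContext, tokenConsumerConfig.getJAASConfig(), PROVIDER_OUTCOME_FAILURE);
        WSSAuditEventGeneratorImpl.getInstance().sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, messageContext, map);
    }

    /**
     * Wraps the token info produced by the login in a {@link KRBToken} and adds it
     * to the subject as a credential.
     *
     * <p>If the subject already holds a {@link KRBMappedIdentityToken}, the new
     * token is marked processed before being added.
     *
     * @param subject      the authenticated subject to update
     * @param kRBTokenInfo token info published by the login modules
     * @throws SoapSecurityException propagated from the credential helpers
     */
    public static void addKerberosTokenToSubject(Subject subject, KRBTokenInfo kRBTokenInfo) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addKerberosTokenToSubject()");
        }
        // Kept raw: KRBToken's constructor parameter type is not visible here.
        HashMap tokenProps = new HashMap();
        tokenProps.put(KRBConstants.STR_TOKENID, kRBTokenInfo.getId());
        tokenProps.put(KRBConstants.STR_WAS_PRINCIPAL, kRBTokenInfo.getPrincipal());
        tokenProps.put(KRBConstants.STR_UNIQUEID, kRBTokenInfo.getUniqueID());
        tokenProps.put(KRBConstants.STR_EXPIRY_TIME, Long.toString(kRBTokenInfo.getExpiration()));
        tokenProps.put("ValueType", kRBTokenInfo.getType().toString());
        KRBToken kRBToken = new KRBToken(tokenProps);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "KRBToken created.");
        }
        if (KRB5Util.isTokenInSubject(subject, KRBMappedIdentityToken.class)) {
            kRBToken.setProcessed();
        }
        boolean subjectUpdated = KRB5Util.addCredentialToSubject(subject, kRBToken);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, subjectUpdated
                    ? "Subject is updated with kerberos token."
                    : "Subject is not updated with kerberos token.");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "addKerberosTokenToSubject()");
        }
    }
}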
