package com.ibm.ws.security.openid20.client;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.ws.security.openid20.util.MessageHelper;
import com.ibm.ws.security.openid20.util.OidUtil;
import com.ibm.ws.util.Base64;
import com.ibm.wsspi.security.tai.TAIResult;
import java.math.BigInteger;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.SecureRandom;
import java.util.Hashtable;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.HttpStatus;
import org.apache.http.client.params.AuthPolicy;

/* loaded from: input_file:com/ibm/ws/security/openid20/client/BasicAuthAuthenticator.class */
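/**
 * Authenticates a request from its HTTP Basic {@code Authorization} header on behalf of the
 * OpenID 2.0 relying-party client.
 *
 * <p>The credentials are decoded from the header and passed to
 * {@link HttpServletRequest#login(String, String)}. On success a {@link TAIResult} carrying the
 * principal name and a fresh {@link Subject} is returned. On failure the method either returns
 * {@code null} (when the configuration asks for OpenID to be tried next) or answers with
 * {@code 401} and a {@code WWW-Authenticate} challenge.
 *
 * <p>Everything read from the {@code Authorization} header is unauthenticated input until
 * {@code login} succeeds; the password must never reach trace output.
 */
public class BasicAuthAuthenticator {
    private static final TraceComponent tc = Tr.register(BasicAuthAuthenticator.class, MessageHelper._TR_GROUP, MessageHelper._MSG_FILE);

    // Shared generator for the random suffix of the credential cache key; never reassigned.
    private static final SecureRandom srandom = new SecureRandom();

    /**
     * Attempts Basic authentication for the given request.
     *
     * @param httpServletRequest request whose {@code Authorization} header is inspected
     * @param httpServletResponse response that receives the {@code WWW-Authenticate} challenge on a 401
     * @param openIDClientConfig supplies the realm name and the "try OpenID if Basic fails" switch
     * @return a 200 result with principal name and subject on success; a 401 result when Basic
     *         authentication is absent or fails and no OpenID fallback is configured; {@code null}
     *         when the fallback is configured and Basic authentication is absent or fails
     * @throws WebTrustAssociationFailedException if the Basic token is present but cannot be
     *         decoded into a user/password pair
     */
    public static TAIResult authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OpenIDClientConfig openIDClientConfig) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "authenticate(req[" + OidUtil.getObjState(httpServletRequest) + "], res[" + OidUtil.getObjState(httpServletResponse) + "], config[" + OidUtil.getObjState(openIDClientConfig) + "])");
        }
        try {
            String[] credentials = extractBasicAuthHeader(httpServletRequest);
            String realmName = openIDClientConfig.getRealmName();
            if (credentials == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Request does not have basic Auth header.. ignoring basic auth");
                }
                if (openIDClientConfig.isTryOpenIDIfBasicAuthFails()) {
                    return null;
                }
                // NOTE(review): the challenge names the Bearer scheme although Basic credentials were
                // expected, the error value is unquoted text with spaces, and realmName is inserted
                // without escaping. The header is kept byte-for-byte because clients may match on it;
                // confirm before changing.
                httpServletResponse.addHeader("WWW-Authenticate", "Bearer realm=\"" + realmName + "\", error=Request does not have basic Auth header");
                return TAIResult.create(HttpStatus.SC_UNAUTHORIZED);
            }
            try {
                httpServletRequest.login(credentials[0], credentials[1]);
                // getUserPrincipal() may return null; route that through the same failure path as a
                // null name instead of letting a NullPointerException escape the TAI.
                java.security.Principal principal = httpServletRequest.getUserPrincipal();
                String name = principal == null ? null : principal.getName();
                if (name == null) {
                    throw new ServletException("userSecurityName is null");
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Authentication using Basic Auth for user " + credentials[0] + " successful");
                }
                return TAIResult.create(HttpStatus.SC_OK, name, getSubject(name));
            } catch (ServletException e) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Failed to authenticate using basic auth token " + e.getMessage());
                }
                if (openIDClientConfig.isTryOpenIDIfBasicAuthFails()) {
                    // The "attempting OpenID" trace belongs on the fallback path; it was previously
                    // written only on the path that answers 401 and never tries OpenID.
                    // The user name here is caller-supplied and unauthenticated.
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "user authentication for " + credentials[0] + " failed... attempting OpenID");
                    }
                    if (tc.isEntryEnabled()) {
                        Tr.exit(tc, "authenticate returns [null]");
                    }
                    return null;
                }
                httpServletResponse.addHeader("WWW-Authenticate", "Bearer realm=\"" + realmName + "\", error=Failed to authenticate using basic auth token");
                return TAIResult.create(HttpStatus.SC_UNAUTHORIZED);
            }
        } catch (OpenIDRelyingPartyException e2) {
            String message = MessageHelper.getMessage("security.openid20.client.invalidbasicauthheader");
            Tr.error(tc, message);
            throw new WebTrustAssociationFailedException(message);
        }
    }

    /**
     * Decodes the Basic {@code Authorization} header into a user/password pair.
     *
     * @param httpServletRequest request to read the header from
     * @return a two-element array {@code {user, password}}, or {@code null} when the header is
     *         missing, does not start with the Basic scheme name, or carries no token
     * @throws OpenIDRelyingPartyException if the token cannot be decoded or does not split into
     *         two parts
     */
    private static String[] extractBasicAuthHeader(HttpServletRequest httpServletRequest) throws OpenIDRelyingPartyException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "extractBasicAuthHeader(req[" + OidUtil.getObjState(httpServletRequest) + "])");
        }
        String[] strArr = null;
        String header = httpServletRequest.getHeader("Authorization");
        // NOTE(review): the scheme comparison is case-sensitive and the token keeps the separator
        // that follows the scheme name; presumably Base64.decode tolerates it — confirm.
        if (header != null && header.startsWith(AuthPolicy.BASIC)) {
            String substring = header.substring(AuthPolicy.BASIC.length());
            if (substring.length() > 0) {
                try {
                    // NOTE(review): new String(byte[]) uses the platform default charset, so non-ASCII
                    // credentials decode differently per host; left unchanged to keep existing logins
                    // working — confirm the intended charset.
                    strArr = OidUtil.split(new String(Base64.decode(substring)), ":", 2);
                } catch (Exception e) {
                    String str = "Failed to decode the basic auth token, exception: " + e.getMessage();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, str);
                    }
                    throw new OpenIDRelyingPartyException(str);
                }
                // OidUtil.split is not visible here; if a token without ':' yields fewer than two
                // parts, reject it now rather than fail on credentials[1] in the caller. The decoded
                // content is deliberately left out of the message.
                if (strArr != null && strArr.length < 2) {
                    String str = "Basic auth token does not contain a user and password pair";
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, str);
                    }
                    throw new OpenIDRelyingPartyException(str);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            // NOTE(review): strArr holds the clear-text password; confirm OidUtil.getObjState does
            // not render array contents into the trace.
            Tr.exit(tc, "extractBasicAuthHeader returns [" + OidUtil.getObjState(strArr) + "]");
        }
        return strArr;
    }

    /**
     * Builds a new {@link Subject} whose public credentials hold one {@link Hashtable} with a
     * per-login cache key.
     *
     * @param str the authenticated user's security name
     * @return the populated subject
     */
    private static Subject getSubject(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSubject(usn[" + str + "])");
        }
        Subject subject = new Subject();
        Hashtable<String, String> hashtable = new Hashtable<String, String>();
        // The key is the user name followed by 130 random bits in base 32, so each login gets its
        // own value that cannot be predicted from the user name.
        hashtable.put("com.ibm.wsspi.security.cred.cacheKey", str + new BigInteger(130, srandom).toString(32));
        addToSubjectAsPublicCredentials(subject, hashtable);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSubject returns [" + OidUtil.getObjState(subject) + "]");
        }
        return subject;
    }

    /**
     * Adds {@code obj} to the subject's public credential set inside a privileged block.
     *
     * @param subject subject to modify; when {@code null} nothing is added
     * @param obj credential object to add
     */
    private static void addToSubjectAsPublicCredentials(final Subject subject, final Object obj) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addToSubjectAsPublicCredentials");
        }
        if (subject != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Adding public cred");
            }
            // Runs with this class's own permissions; the privileged scope covers only the single
            // add() call below.
            AccessController.doPrivileged(new PrivilegedAction<Object>() {
                @Override
                public Object run() {
                    subject.getPublicCredentials().add(obj);
                    return null;
                }
            });
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Subject is null");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "addToSubjectAsPublicCredentials");
        }
    }
}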
