package com.ibm.ws.security.web.inbound.saml;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.ws.runtime.metadata.ComponentMetaData;
import com.ibm.ws.security.core.WSAccessManager;
import com.ibm.ws.security.web.inbound.saml.util.ConfigUtil;
import com.ibm.ws.security.web.inbound.saml.util.Decoder;
import com.ibm.ws.security.web.inbound.saml.util.MessageHelper;
import com.ibm.ws.threadContext.ComponentMetaDataAccessorImpl;
import com.ibm.ws.websvcs.transport.common.TransportConstants;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import java.util.StringTokenizer;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;

/* loaded from: input_file:com/ibm/ws/security/web/inbound/saml/WebInboundSamlTAI.class */
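/**
 * Trust association interceptor (TAI) that authenticates inbound web requests
 * carrying a SAML assertion.
 * <p>
 * The encoded assertion is read from one of the HTTP headers named in the
 * relying-party {@link Configuration} (or from the {@code Authorization} header
 * prefixed with one of those names), decoded through {@link Decoder}, checked
 * against the configured signature-algorithm and audience policy, and finally
 * mapped to a {@link Subject} whose private credentials hold the token and the
 * {@code com.ibm.wsspi.security.cred.*} hashtable consumed by the security
 * runtime.
 * <p>
 * Every failure on the request path yields a 401 {@link TAIResult}; the reason
 * is only written to the trace log, never to the caller.
 */
public class WebInboundSamlTAI implements TrustAssociationInterceptor {
    static final TraceComponent tc = Tr.register(WebInboundSamlTAI.class, MessageHelper._TR_GROUP, MessageHelper._MSG_FILE);
    // Retained for subclasses; nothing in this class reads or writes them.
    protected static boolean taiEnabled = false;
    protected static boolean isInitialized = false;
    // Set by initialize(); null until the container has called it.
    protected WebInboundTAIConfig taiConfig = null;
    public static final String Authorization_Header = "Authorization";

    // Keys of the credential hashtable consumed by the WebSphere security runtime.
    private static final String CRED_USER_ID = "com.ibm.wsspi.security.cred.userId";
    private static final String CRED_UNIQUE_ID = "com.ibm.wsspi.security.cred.uniqueId";
    private static final String CRED_SECURITY_NAME = "com.ibm.wsspi.security.cred.securityName";
    private static final String CRED_REALM = "com.ibm.wsspi.security.cred.realm";
    private static final String CRED_GROUPS = "com.ibm.wsspi.security.cred.groups";
    private static final String CRED_CACHE_KEY = "com.ibm.wsspi.security.cred.cacheKey";

    // Separators accepted between header names in the TAI "header name" property.
    private static final String HEADER_NAME_SEPARATORS = ",|";

    // XML Signature vocabulary used to read the algorithm actually applied to the assertion.
    private static final String XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
    private static final QName SIGNATURE_METHOD = new QName(XMLDSIG_NS, "SignatureMethod");
    private static final QName ALGORITHM_ATTR = new QName("Algorithm");
    private static final String RSA_SHA256_URI = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /**
     * Decides whether this TAI handles the request: it does unless the target is an
     * administrative application, the TAI has not been initialized, or no
     * relying-party configuration matches the request.
     *
     * @param httpServletRequest the inbound request
     * @return {@code true} if {@link #negotiateValidateandEstablishTrust} should run
     * @throws WebTrustAssociationException declared by the SPI; not raised here
     */
    @Override
    public boolean isTargetInterceptor(HttpServletRequest httpServletRequest) throws WebTrustAssociationException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isTargetInterceptor(req[" + ConfigUtil.getObjState(httpServletRequest) + "]");
        }
        // A missing configuration (initialize() not called) means nothing can be intercepted.
        final boolean target = this.taiConfig != null
                && !isAdminApp(httpServletRequest)
                && this.taiConfig.getRelyingPartyConfig(httpServletRequest) != null;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isTargetInterceptor returns [" + target + "]");
        }
        return target;
    }

    /**
     * Authenticates the request against the relying-party configuration selected
     * for it.
     *
     * @param httpServletRequest  the inbound request
     * @param httpServletResponse the response (passed through, not written here)
     * @return a 200 result carrying the authenticated subject, or a 401 result
     * @throws WebTrustAssociationFailedException propagated from subject construction
     */
    @Override
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "negotiateValidateandEstablishTrust(req[" + ConfigUtil.getObjState(httpServletRequest) + "],res[" + ConfigUtil.getObjState(httpServletResponse) + "])");
        }
        final Configuration rpConfig = this.taiConfig == null
                ? null
                : this.taiConfig.getRelyingPartyConfig(httpServletRequest);
        final TAIResult result = resourceAccessAuthn(httpServletRequest, httpServletResponse, rpConfig);
        if (tc.isEntryEnabled()) {
            if (result != null) {
                Tr.exit(tc, "negotiateValidateandEstablishTrust returns [" + result.getAuthenticatedPrincipal() + "]");
            } else {
                Tr.exit(tc, "negotiateValidateandEstablishTrust fails");
            }
        }
        return result;
    }

    /**
     * Locates the encoded assertion in the request, validates it and builds the
     * resulting {@link TAIResult}.
     * <p>
     * Any exception raised during token validation is mapped to a 401 result and
     * only traced: the response must not reveal why a token was rejected.
     *
     * @param httpServletRequest  the inbound request
     * @param httpServletResponse the response (passed through)
     * @param configuration       relying-party configuration; {@code null} yields 401
     * @return a 200 result with the authenticated subject, or a 401 result
     * @throws WebTrustAssociationFailedException from {@link #createResult}
     */
    protected TAIResult resourceAccessAuthn(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Configuration configuration) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "resourceAccessAuthn(req[" + ConfigUtil.getObjState(httpServletRequest) + "],res[" + ConfigUtil.getObjState(httpServletResponse) + "],config[" + configuration + "])");
        }
        TAIResult result;
        if (configuration == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No relying party configuration matches the request.");
            }
            result = TAIResult.create(401);
        } else {
            final String encodedToken = getRequestHeader(httpServletRequest, configuration.getHeaderName());
            if (encodedToken == null || encodedToken.trim().length() == 0) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "There is no SAML token in the request.");
                }
                result = TAIResult.create(401);
            } else {
                SAMLToken samlToken = null;
                try {
                    samlToken = validateSamlToken(httpServletRequest, httpServletResponse, configuration, encodedToken);
                } catch (Exception e) {
                    // Deliberate best-effort: a rejected token is a 401, the cause goes to trace only.
                    if (tc.isDebugEnabled()) {
                        if (e.getCause() != null) {
                            Tr.debug(tc, "SAML Token validation fails: " + e.getCause().getMessage());
                        } else {
                            Tr.debug(tc, "SAML Token validation fails: " + e.getMessage());
                        }
                    }
                }
                result = samlToken == null
                        ? TAIResult.create(401)
                        : createResult(httpServletRequest, httpServletResponse, samlToken, configuration);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "resourceAccessAuthn returns [" + result.getAuthenticatedPrincipal() + "]");
        }
        return result;
    }

    /**
     * Builds the successful result: a {@link Subject} holding the token and the
     * credential hashtable as private credentials, with the principal name taken
     * from the {@code userId} entry or, when the identity is not mapped to the
     * registry, the {@code securityName} entry.
     *
     * @param httpServletRequest  the inbound request (traced only)
     * @param httpServletResponse the response (traced only)
     * @param sAMLToken           the validated token
     * @param configuration       relying-party configuration
     * @return a 200 {@link TAIResult} for the subject
     * @throws WebTrustAssociationFailedException from {@link #createHashtable}
     */
    protected TAIResult createResult(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SAMLToken sAMLToken, Configuration configuration) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createResult(req[" + ConfigUtil.getObjState(httpServletRequest) + "],res[" + ConfigUtil.getObjState(httpServletResponse) + ",[" + ConfigUtil.getObjState(sAMLToken) + "],config[" + configuration + "])");
        }
        final Subject subject = new Subject();
        addToSubjectAsPrivateCredentials(subject, sAMLToken);
        final Hashtable<String, Object> credentials = createHashtable(sAMLToken, configuration);
        addToSubjectAsPrivateCredentials(subject, credentials);
        // userId is present only when the identity is mapped to the registry.
        String principal = (String) credentials.get(CRED_USER_ID);
        if (principal == null) {
            principal = (String) credentials.get(CRED_SECURITY_NAME);
        }
        final TAIResult result = TAIResult.create(200, principal, subject);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createResult returns [" + ConfigUtil.getObjState(result) + "]");
        }
        return result;
    }

    /**
     * Reports whether the application owning the current thread's component
     * metadata is an administrative application. Missing metadata (no component,
     * module or application on the thread) is treated as "not an admin app".
     *
     * @param httpServletRequest the inbound request (traced only)
     * @return {@code true} if {@link WSAccessManager#checkIfAdminApp} says so
     */
    protected boolean isAdminApp(HttpServletRequest httpServletRequest) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isAdminApp(req[" + ConfigUtil.getObjState(httpServletRequest) + "])");
        }
        final ComponentMetaData cmd = ComponentMetaDataAccessorImpl.getComponentMetaDataAccessor().getComponentMetaData();
        String appName = null;
        if (cmd != null && cmd.getModuleMetaData() != null && cmd.getModuleMetaData().getApplicationMetaData() != null) {
            appName = cmd.getModuleMetaData().getApplicationMetaData().getName();
        }
        final boolean adminApp = appName != null && WSAccessManager.checkIfAdminApp(appName);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isAdminApp returns [" + adminApp + "]");
        }
        return adminApp;
    }

    /**
     * Derives the credential hashtable for the token. With
     * {@code mapIdentityToRegistry} only {@code userId} is set and the registry
     * supplies the rest; otherwise unique id, security name, realm and (if any)
     * groups are asserted directly from the token. Null values are never stored.
     *
     * @param sAMLToken     the validated token
     * @param configuration relying-party configuration
     * @return the credential hashtable
     * @throws WebTrustAssociationFailedException from {@link AssertionToSubject}
     */
    Hashtable<String, Object> createHashtable(SAMLToken sAMLToken, Configuration configuration) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createHashtable(saml20Token[" + ConfigUtil.getObjState(sAMLToken) + "], config[" + configuration + "])");
        }
        final AssertionToSubject mapper = new AssertionToSubject(configuration, sAMLToken);
        final Hashtable<String, Object> credentials = new Hashtable<String, Object>();
        final String user = mapper.getUser();
        if (configuration.getMapIdentityToRegistry()) {
            putValue(credentials, CRED_USER_ID, user);
        } else {
            final String realm = mapper.getRealm();
            final Object uniqueId = mapper.getUserUniqueIdentity(user, realm);
            final List<String> groups = mapper.getGroupUniqueIdentity(realm);
            putValue(credentials, CRED_UNIQUE_ID, uniqueId);
            putValue(credentials, CRED_SECURITY_NAME, user);
            putValue(credentials, CRED_REALM, realm);
            if (groups != null && !groups.isEmpty()) {
                putValue(credentials, CRED_GROUPS, groups);
            }
        }
        putValue(credentials, CRED_CACHE_KEY, mapper.getCustomCacheKeyValue());
        putValue(credentials, Constants.LTPA_COOKIE, configuration.getSetLtpaCookie());
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createHashtable returns [" + ConfigUtil.getObjState(credentials) + "]");
        }
        return credentials;
    }

    /**
     * Stores {@code obj} under {@code str} unless it is {@code null}
     * ({@link Hashtable} rejects null values).
     *
     * @param hashtable target table
     * @param str       key
     * @param obj       value, ignored when {@code null}
     */
    void putValue(Hashtable<String, Object> hashtable, String str, Object obj) {
        if (obj != null) {
            hashtable.put(str, obj);
        }
    }

    /**
     * Decodes the encoded assertion, builds the {@link SAMLToken} through the
     * consumer configuration, then enforces the signature-algorithm and audience
     * policy of the relying party.
     * <p>
     * The entry trace includes the raw encoded assertion; entry tracing should
     * stay off outside diagnostics.
     *
     * @param httpServletRequest  the inbound request (traced only)
     * @param httpServletResponse the response (traced only)
     * @param configuration       relying-party configuration
     * @param str                 the encoded assertion as found in the header
     * @return the validated token
     * @throws WebTrustAssociationFailedException wrapping any decode or policy failure
     */
    protected SAMLToken validateSamlToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Configuration configuration, String str) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateSamlToken(req[" + ConfigUtil.getObjState(httpServletRequest) + ", res[" + ConfigUtil.getObjState(httpServletResponse) + ", config[" + configuration + "], encodedXml[" + str + "])");
        }
        try {
            final ConsumerConfig consumerConfig = configuration.getConsumerConfig();
            final OMElement assertion = Decoder.decode(str);
            final SAMLToken token = Decoder.createSAMLToken(assertion, consumerConfig);
            verifySignatureAlgorithm(assertion, configuration.getSignatureAlgorithm());
            verifyAudienceRestriction(token, configuration.getAudiences());
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "validateSAMLToken returns [" + ConfigUtil.getObjState(token) + "]");
            }
            return token;
        } catch (Exception e) {
            // Decoder may raise anything; callers only need the SPI exception type, with the cause kept.
            final WebTrustAssociationFailedException failure = new WebTrustAssociationFailedException(e.getMessage());
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * Builds the TAI configuration from the interceptor properties.
     *
     * @param properties TAI custom properties supplied by the container
     * @return 0 (success per the TAI SPI)
     * @throws WebTrustAssociationFailedException from {@link WebInboundTAIConfig}
     */
    @Override
    public int initialize(Properties properties) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initialize(props[" + ConfigUtil.getObjState(properties) + "])");
        }
        this.taiConfig = new WebInboundTAIConfig(properties);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize returns [0]");
        }
        return 0;
    }

    /**
     * @return the interceptor version string (the decompiled constant below
     *         presumably resolves to "1.0" — confirm against the original source)
     */
    @Override
    public String getVersion() {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getVersion returns [" + com.ibm.ws.websvcs.rm.policyset.Constants._WSRM_1_0 + "]");
        }
        return com.ibm.ws.websvcs.rm.policyset.Constants._WSRM_1_0;
    }

    /** @return the fully-qualified class name, used by the container as the TAI type */
    @Override
    public String getType() {
        final String name = getClass().getName();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getType returns [" + name + "]");
        }
        return name;
    }

    /** Nothing to release: this TAI holds no external resources. */
    @Override
    public void cleanup() {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "cleanup: do Nothing");
        }
    }

    /**
     * Adds {@code obj} to the subject's private credentials under a privileged
     * action, so the call succeeds even when the calling code lacks the
     * {@code AuthPermission} itself. A {@code null} object is ignored.
     *
     * @param subject the subject being built
     * @param obj     the credential to add
     */
    private static void addToSubjectAsPrivateCredentials(final Subject subject, final Object obj) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addToSubjectAsPrivateCredentials(subj[" + ConfigUtil.getObjState(subject) + "],token[" + ConfigUtil.getObjState(obj) + "])");
        }
        if (obj != null) {
            AccessController.doPrivileged(new PrivilegedAction<Void>() {
                @Override
                public Void run() {
                    subject.getPrivateCredentials().add(obj);
                    return null;
                }
            });
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "addToSubjectAsPrivateCredentials");
        }
    }

    /**
     * Enforces the relying party's signature-algorithm policy. When the TAI is
     * configured for SHA-256, every {@code ds:SignatureMethod} found under the
     * assertion must use {@code rsa-sha256}; any other configured value imposes
     * no requirement. The algorithm is read from the signature element itself —
     * a substring search over the serialized assertion would be satisfied by
     * that text appearing anywhere, e.g. inside an attribute value.
     *
     * @param oMElement the decoded assertion
     * @param str       configured algorithm name ({@link Constants#SIGNATURE_ALG_SHA256}
     *                  or {@link Constants#SIGNATURE_ALG_SHA128}); {@code null} imposes nothing
     * @throws WebTrustAssociationFailedException when SHA-256 is required but not used
     */
    private static void verifySignatureAlgorithm(OMElement oMElement, String str) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "verifySignatureAlgorithm(samlAssertion[" + ConfigUtil.getObjState(oMElement) + "], taiSigAlg[" + str + "])");
        }
        final String tokenSigAlg = isSignedWithRsaSha256(oMElement)
                ? Constants.SIGNATURE_ALG_SHA256
                : Constants.SIGNATURE_ALG_SHA128;
        if (Constants.SIGNATURE_ALG_SHA256.equals(str) && !Constants.SIGNATURE_ALG_SHA256.equals(tokenSigAlg)) {
            final String message = MessageHelper.getMessage("security.webinbound.saml.sigalgmismatch");
            Tr.error(tc, message);
            throw new WebTrustAssociationFailedException(message);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "verifySignatureAlgorithm: match found for " + str);
        }
    }

    /**
     * Reports whether the assertion carries at least one XML signature and every
     * signature's {@code SignatureMethod/@Algorithm} is the rsa-sha256 URI.
     *
     * @param samlAssertion the decoded assertion; {@code null} yields {@code false}
     * @return {@code true} only if all signatures present use rsa-sha256
     */
    private static boolean isSignedWithRsaSha256(OMElement samlAssertion) {
        final List<String> algorithms = new ArrayList<String>();
        collectSignatureAlgorithms(samlAssertion, algorithms);
        if (algorithms.isEmpty()) {
            return false;
        }
        for (String algorithm : algorithms) {
            if (!RSA_SHA256_URI.equals(algorithm)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Depth-first collection of the {@code Algorithm} attribute of every
     * {@code ds:SignatureMethod} element at or below {@code element}.
     *
     * @param element subtree root; {@code null} is ignored
     * @param out     receives the (trimmed) algorithm URIs, "" when the attribute is absent
     */
    private static void collectSignatureAlgorithms(OMElement element, List<String> out) {
        if (element == null) {
            return;
        }
        if (SIGNATURE_METHOD.equals(element.getQName())) {
            final String algorithm = element.getAttributeValue(ALGORITHM_ATTR);
            out.add(algorithm == null ? "" : algorithm.trim());
            return;
        }
        for (Iterator<?> children = element.getChildElements(); children.hasNext();) {
            final Object child = children.next();
            if (child instanceof OMElement) {
                collectSignatureAlgorithms((OMElement) child, out);
            }
        }
    }

    /**
     * Enforces the audience policy: when the TAI lists audiences, at least one
     * {@code AudienceRestriction} value of the token must equal one of them.
     * A {@code null} TAI value disables the check; a token without audiences
     * never matches.
     *
     * @param sAMLToken the token under validation
     * @param str       the TAI audience list, or {@code null} for no restriction
     * @throws WebTrustAssociationFailedException when no audience matches
     */
    private static void verifyAudienceRestriction(SAMLToken sAMLToken, String str) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "verifyAudienceRestriction(SAMLToken[" + ConfigUtil.getObjState(sAMLToken) + "], taiAud[" + str + "])");
        }
        if (str != null) {
            List<String> tokenAudiences = sAMLToken.getAudienceRestriction();
            if (tokenAudiences == null) {
                tokenAudiences = Collections.emptyList();
            }
            final List<String> allowedAudiences = parseAudiences(str);
            boolean matched = false;
            for (String audience : tokenAudiences) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "AudienceRestriction in SAML token: " + audience);
                }
                if (allowedAudiences.contains(audience)) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Audience match is found for: " + audience);
                    }
                    matched = true;
                    break;
                }
            }
            if (!matched) {
                final String message = MessageHelper.getMessage("security.webinbound.saml.audiencenotfound");
                Tr.error(tc, message);
                throw new WebTrustAssociationFailedException(message);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "verifyAudienceRestriction ");
        }
    }

    /**
     * Splits the TAI audience property on the STS key separator, dropping all
     * whitespace from each entry and skipping entries that end up empty (an
     * empty audience could otherwise match an empty token audience).
     *
     * @param str the raw property value, or {@code null}
     * @return the configured audiences, possibly empty
     */
    private static List<String> parseAudiences(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "parseAudiences(taiAuds[" + str + "])");
        }
        final List<String> audiences = new ArrayList<String>();
        if (str != null) {
            final StringTokenizer tokenizer = new StringTokenizer(str, com.ibm.ws.wssecurity.trust.server.sts.Util.Constants.SEPARATOR_CHAR_KEY_NAME_KEY_TYPE);
            while (tokenizer.hasMoreTokens()) {
                final String audience = tokenizer.nextToken().replaceAll("\\s", "");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Audience read from TAI property: " + audience);
                }
                if (audience.length() > 0) {
                    audiences.add(audience);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "parseAudiences returns [" + ConfigUtil.getObjState(audiences) + "]");
        }
        return audiences;
    }

    /**
     * Finds the encoded assertion in the request. The configured header names
     * (separated by {@code ,} or {@code |}) are tried in order and the first one
     * present wins. Failing that, the {@code Authorization} header is consulted
     * and its value accepted when it starts with one of the configured names
     * (see {@link #extractAuthorizationToken}).
     *
     * @param httpServletRequest the inbound request
     * @param str                the configured header-name property, or {@code null}
     * @return the header value, or {@code null} if none is present
     */
    private static String getRequestHeader(HttpServletRequest httpServletRequest, String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getRequestHeader(req[" + ConfigUtil.getObjState(httpServletRequest) + "], hdrName[" + str + "])");
        }
        String token = null;
        if (str != null) {
            final List<String> headerNames = new ArrayList<String>();
            final StringTokenizer tokenizer = new StringTokenizer(str, HEADER_NAME_SEPARATORS);
            while (tokenizer.hasMoreTokens()) {
                final String headerName = tokenizer.nextToken().trim();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Header name read from TAI property: " + headerName);
                }
                headerNames.add(headerName);
                // Configured order is precedence; a later absent header must not discard an earlier hit.
                if (token == null) {
                    final String value = httpServletRequest.getHeader(headerName);
                    if (value != null) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Header name found in request: " + headerName);
                        }
                        token = value;
                    }
                }
            }
            if (token == null) {
                final String authorization = httpServletRequest.getHeader(Authorization_Header);
                if (authorization != null) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Authorization_Header is :  " + authorization);
                    }
                    token = extractAuthorizationToken(authorization, headerNames);
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getRequestHeader returning:  " + token);
        }
        return token;
    }

    /**
     * Extracts the token from an {@code Authorization} value of the form
     * {@code <scheme><sep><token>} or {@code <scheme><delim>"<token>"}, where
     * {@code scheme} is one of the configured header names, {@code delim} is
     * {@link TransportConstants#queryStrDelimiter} and {@code sep} is any single
     * character. The first scheme that matches wins. All index arithmetic is
     * bounds-checked so a malformed header cannot raise an exception out of the
     * request path.
     * <p>
     * NOTE(review): matching is by prefix only, as in the original; a stricter
     * scheme match would additionally require a delimiter at index
     * {@code scheme.length()} — confirm against deployed clients before tightening.
     *
     * @param authorization the raw header value (non-null)
     * @param schemes       configured header names, tried in order
     * @return the trimmed token, or {@code null} if no scheme matches
     */
    private static String extractAuthorizationToken(String authorization, List<String> schemes) {
        for (String scheme : schemes) {
            final int schemeLength = scheme.length();
            if (schemeLength == 0 || authorization.length() <= schemeLength || !authorization.startsWith(scheme)) {
                continue;
            }
            final boolean quoted = authorization.indexOf(TransportConstants.queryStrDelimiter) == schemeLength
                    && authorization.indexOf("\"") == schemeLength + 1
                    && authorization.length() > schemeLength + 2
                    && authorization.endsWith("\"");
            final String token = quoted
                    ? authorization.substring(schemeLength + 2, authorization.length() - 1).trim()
                    : authorization.substring(schemeLength + 1).trim();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Found Authorization Token:  " + token);
            }
            return token;
        }
        return null;
    }
}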
