package com.ibm.ws.wssecurity.wssapi.token.impl;

import com.ibm.websphere.wssecurity.admin.PolicyAttributesConstants;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.ws.wssecurity.core.token.TokenConsumerComponent;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGenerator;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGeneratorFactory;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditService;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManagerFactory;
import com.ibm.ws.wssecurity.util.Axis2Util;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.DOMUtils;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.wssapi.CommonCallbackHandler;
import com.ibm.wsspi.wssecurity.core.Constants;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import com.ibm.wsspi.wssecurity.core.config.CallbackHandlerConfig;
import com.ibm.wsspi.wssecurity.core.config.TokenConsumerConfig;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMNode;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.util.XMLUtils;

/* loaded from: input_file:com/ibm/ws/wssecurity/wssapi/token/impl/CommonTokenConsumer.class */
/**
 * Token consumer that authenticates an inbound security token by running a JAAS login
 * (or one of three built-in login modules selected via {@code OUR_LOGIN_CONFIG}), emits
 * SECURITY_AUTHN audit events for the outcome, and registers the resulting
 * {@link SecurityToken} with the {@code SecurityTokenManagerImpl} found in the context map.
 *
 * <p>All configuration and state is passed through the {@code Map<Object, Object>} context
 * argument of {@link #invoke(OMNode, Map)}; this class itself holds no per-request state.
 * The listing appears to be decompiled output, so some trace calls and probe ids sit in
 * unusual places (see the inline notes).
 */
public class CommonTokenConsumer implements TokenConsumerComponent {
    // Not referenced anywhere in this class.
    private static final String comp = "security.wssecurity";
    // Set once by init(); never read by any other method in this class.
    private boolean initialized = false;
    private static final TraceComponent tc = Tr.register(CommonTokenConsumer.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    // Used as the "class" argument when reporting exceptions to the trace facility.
    private static final String clsName = CommonTokenConsumer.class.getName();

    /**
     * Marks the component as initialized. The map argument is not consulted; the only
     * observable effect is the {@link #initialized} flag and the entry/exit trace.
     *
     * @param map component configuration (unused here)
     * @throws SoapSecurityException never thrown by this implementation; declared by the interface
     */
    @Override // com.ibm.ws.wssecurity.core.WSSComponent, com.ibm.ws.wssecurity.core.Initializable
    public void init(Map<Object, Object> map) throws SoapSecurityException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "init(Map map)");
        }
        if (!this.initialized) {
            this.initialized = true;
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "init(Map map)");
        }
    }

    /**
     * Consumes the token element {@code oMNode} under the configuration stored in {@code map}.
     *
     * <p>Sequence, as implemented below:
     * <ol>
     *   <li>Resolve the configured {@link CallbackHandlerConfig}; instantiate its class by name
     *       if no instance is cached, verifying it implements {@link CallbackHandler} first.</li>
     *   <li>Optionally map the OM element to a DOM element when
     *       {@code Constants.DOM_ELEMENT_ENABLED} is set in the consumer properties.</li>
     *   <li>Require a JAAS configuration name; reuse or create the {@link Subject} in the map.</li>
     *   <li>Either drive a built-in login module directly (SCT/X509/UNT shortcut) or run a
     *       full {@link LoginContext} login, sending audit events as required.</li>
     *   <li>Take the processed {@link SecurityToken} out of the map, wrap and register it.</li>
     * </ol>
     *
     * @param oMNode the token element being consumed; may be {@code null}
     * @param map    request-scoped context; read for configuration and mutated with
     *               callback-handler properties, JAAS properties, the subject, the processing
     *               element and the login-info token
     * @throws SoapSecurityException if the callback handler cannot be instantiated or is of the
     *                               wrong type, if the DOM mapping fails, if no JAAS config is
     *                               set, if login fails, or if no token was produced by login
     */
    @Override // com.ibm.ws.wssecurity.core.WSSConsumerComponent
    public void invoke(OMNode oMNode, Map<Object, Object> map) throws SoapSecurityException {
        Subject subject;
        Class<?> cls;
        if (tc.isEntryEnabled()) {
            StringBuffer stringBuffer = new StringBuffer("invoke(");
            stringBuffer.append("OMNode target[").append(DOMUtils.getDisplayName(oMNode)).append("], ");
            stringBuffer.append("Map context)");
            Tr.entry(tc, stringBuffer.toString());
        }
        // NOTE: no null check on the config; a missing CONFIG_KEY entry surfaces as an NPE here.
        final TokenConsumerConfig tokenConsumerConfig = (TokenConsumerConfig) map.get(TokenConsumerConfig.CONFIG_KEY);
        CallbackHandlerConfig callbackHandler = tokenConsumerConfig.getCallbackHandler();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "CallbackHandlerConfig [" + callbackHandler + "].");
        }
        CallbackHandler callbackHandler2 = null;
        if (callbackHandler != null) {
            callbackHandler2 = callbackHandler.getInstance();
            if (callbackHandler2 == null) {
                // Lazily instantiate the configured handler class and cache it on the config.
                final String className = callbackHandler.getClassName();
                try {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Instantiating the callback handler [" + className + "]...");
                    }
                    final ClassLoader classLoader = (ClassLoader) AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.1
                        @Override // java.security.PrivilegedAction
                        public Object run() {
                            // NOTE(review): this Tr.exit for "invoke" is emitted while still inside
                            // invoke(); looks like a misplaced trace call from decompilation — confirm.
                            if (CommonTokenConsumer.tc.isEntryEnabled()) {
                                Tr.exit(CommonTokenConsumer.tc, "invoke(OMElement, Map)");
                            }
                            return Thread.currentThread().getContextClassLoader();
                        }
                    });
                    if (classLoader != null) {
                        try {
                            cls = (Class) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.2
                                @Override // java.security.PrivilegedExceptionAction
                                public Object run() throws ClassNotFoundException {
                                    return classLoader.loadClass(className);
                                }
                            });
                        } catch (PrivilegedActionException e) {
                            // Context-loader failure is discarded; fall back to the caller's loader.
                            // If this also fails, the ClassNotFoundException is wrapped by the
                            // catch (Exception) below.
                            cls = Class.forName(className);
                        }
                    } else {
                        cls = Class.forName(className);
                    }
                    // Type check before reflective construction: only a CallbackHandler
                    // implementation may be instantiated from the configured class name.
                    if (!CallbackHandler.class.isAssignableFrom(cls)) {
                        throw SoapSecurityException.format(Axis2Util.setFailedAuthFaultCode(map), "security.wssecurity.ConfigUtil.s17", className, CallbackHandler.class.getName());
                    }
                    // Handlers are expected to expose a public Map constructor; the config is
                    // handed to them under CallbackHandlerConfig.CONFIG_KEY.
                    HashMap hashMap = new HashMap();
                    hashMap.put(CallbackHandlerConfig.CONFIG_KEY, callbackHandler);
                    callbackHandler2 = (CallbackHandler) cls.getConstructor(Map.class).newInstance(hashMap);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Succeeded to Instantiate the callback handler [" + className + "].");
                    }
                    callbackHandler.setInstance(callbackHandler2);
                } catch (SoapSecurityException e2) {
                    // fillInStackTrace() overwrites the original stack with this rethrow point,
                    // so the thrown exception no longer shows where it was created.
                    e2.fillInStackTrace();
                    throw e2;
                } catch (Exception e3) {
                    // The numeric string appears to be a trace probe id (likely the original
                    // source line); it is not a status code.
                    Tr.processException(e3, clsName + ".invoke", "182", this);
                    throw SoapSecurityException.format(Axis2Util.setFailedAuthFaultCode(map), "security.wssecurity.X509TokenGenerator.s01", className, e3);
                }
            }
            // Merge handler properties into the request context and expose the config itself.
            map.putAll(callbackHandler.getProperties());
            map.put(CallbackHandlerConfig.CONFIG_KEY, callbackHandler);
        }
        Map<Object, Object> properties = tokenConsumerConfig.getProperties();
        if (properties != null && oMNode != null) {
            // Optional DOM view of the token element for consumers that need org.w3c.dom.
            String str = (String) properties.get(Constants.DOM_ELEMENT_ENABLED);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "com.ibm.wsspi.wssecurity.domElementEnabled : " + str);
            }
            if (ConfigUtil.isTrue(str)) {
                try {
                    OMElement oMElement = (OMElement) oMNode;
                    Object obj = null;
                    // oMNode was already checked non-null above; this guard is redundant.
                    if (oMElement != null) {
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Mapping DOM Element to OMElement for the message...");
                        }
                        obj = XMLUtils.toDOM(oMElement);
                    }
                    map.put(Constants.DOM_PROCESSING_ELEMENT, obj);
                    // Cast to HashMap is narrower than needed; a non-HashMap Map under this key
                    // would throw ClassCastException and be reported as a conversion failure.
                    Object obj2 = (HashMap) map.get(com.ibm.ws.wssecurity.common.Constants.DOMELEMENT_OMELEMENT_MAP);
                    if (obj2 == null) {
                        obj2 = new HashMap();
                        map.put(com.ibm.ws.wssecurity.common.Constants.DOMELEMENT_OMELEMENT_MAP, obj2);
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "com.ibm.ws.wssecurity.domElementOmElementMap: " + obj2);
                    }
                } catch (Throwable th) {
                    // Catches Throwable (including Errors) and converts to an auth fault.
                    Tr.processException(th, clsName + ".invoke", "223", this);
                    throw SoapSecurityException.format(Axis2Util.setFailedAuthFaultCode(map), "security.wssecurity.X509TokenGenerator.s01", th);
                }
            }
        }
        // String key rather than a Constants field; consumers downstream read the raw element here.
        map.put("com.ibm.ws.wssecurity.constants.processingElement", oMNode);
        final String jAASConfig = tokenConsumerConfig.getJAASConfig();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "JAAS config name is " + jAASConfig + PolicyAttributesConstants.DELIMITER);
        }
        // A JAAS login configuration is mandatory: no implicit default is substituted.
        if (jAASConfig == null) {
            throw SoapSecurityException.format(Axis2Util.setFailedAuthFaultCode(map), "security.wssecurity.WSEC6834E", tokenConsumerConfig.toString());
        }
        map.putAll(tokenConsumerConfig.getJAASConfigProperties());
        final CommonCallbackHandler commonCallbackHandler = new CommonCallbackHandler(callbackHandler2, map);
        // Reuse a Subject already in the context (e.g. from an earlier token) or create one.
        // The null test is redundant: instanceof is false for null.
        Object obj3 = map.get(Constants.WSSECURITY_SUBJECT);
        if (obj3 == null || !(obj3 instanceof Subject)) {
            subject = new Subject();
            map.put(Constants.WSSECURITY_SUBJECT, subject);
        } else {
            subject = (Subject) obj3;
        }
        final Subject subject2 = subject;
        // z == true selects the "direct login module" shortcut that bypasses LoginContext.
        boolean z = false;
        LoginModule loginModule = null;
        DKTConsumeLoginModule dKTConsumeLoginModule = null;
        // Note: reads getProperties() again without the null check applied to 'properties' above.
        String str2 = (String) tokenConsumerConfig.getProperties().get(com.ibm.ws.wssecurity.common.Constants.OUR_LOGIN_CONFIG);
        if (ConfigUtil.hasValue(str2)) {
            if ("system.wss.consume.sct".equals(str2)) {
                loginModule = new SCTConsumeLoginModule();
                dKTConsumeLoginModule = new DKTConsumeLoginModule();
                z = true;
            } else if ("system.wss.consume.x509".equals(str2)) {
                loginModule = new X509ConsumeLoginModule();
                z = true;
            } else if ("system.wss.consume.unt".equals(str2)) {
                loginModule = new UNTConsumeLoginModule();
                z = true;
            }
        }
        // Audit plumbing: decide up front which outcomes need an event so the branches below
        // can send exactly one event per outcome.
        WSSAuditService auditService = WSSContextManagerFactory.getInstance().getAuditService();
        WSSAuditEventGenerator wSSAuditEventGeneratorFactory = WSSAuditEventGeneratorFactory.getInstance();
        MessageContext messageContext = (MessageContext) map.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
        boolean isEventRequired = auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.SUCCESS, map);
        boolean isEventRequired2 = auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.DENIED, map);
        boolean isEventRequired3 = auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.ERROR, map);
        if (isEventRequired || isEventRequired2 || isEventRequired3) {
            wSSAuditEventGeneratorFactory.setAuthnTypeData(map, tokenConsumerConfig.getType().toString());
        }
        if (z) {
            // Shortcut path: drive the built-in module's login()/commit() directly.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Avoiding JAAS login for " + jAASConfig);
            }
            HashMap hashMap2 = new HashMap();
            loginModule.initialize(subject2, commonCallbackHandler, hashMap2, new HashMap());
            // NOTE(review): the DKT module is created when OUR_LOGIN_CONFIG (str2) is
            // "system.wss.consume.sct" but initialized only when the JAAS config name
            // (jAASConfig) equals that string. If the two differ, login() is invoked below on
            // an uninitialized module — confirm whether they are guaranteed equal.
            if ("system.wss.consume.sct".equals(jAASConfig)) {
                dKTConsumeLoginModule.initialize(subject2, new CommonCallbackHandler(null, map), hashMap2, new HashMap());
            }
            try {
                if (!loginModule.login()) {
                    // Audit DENIED. WSSAuditEventGenerator.SUCCESS here presumably describes the
                    // provider-data call, not the authentication outcome — confirm.
                    if (isEventRequired2) {
                        wSSAuditEventGeneratorFactory.addProviderData(wSSAuditEventGeneratorFactory.setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.DENIED, WSSAuditService.WSSAuditReason.AUTHN_DENIED, null), jAASConfig, WSSAuditEventGenerator.SUCCESS);
                        wSSAuditEventGeneratorFactory.sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, messageContext, map);
                    }
                    wSSAuditEventGeneratorFactory.clearAuditData(map);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Failed to login");
                    }
                    // Thrown inside the try so the catch below converts it to a SoapSecurityException.
                    throw new LoginException("Login module " + loginModule.getClass().getName() + " login() method returned false");
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Succeeded to login");
                }
                if (dKTConsumeLoginModule != null) {
                    if (!dKTConsumeLoginModule.login()) {
                        if (isEventRequired2) {
                            wSSAuditEventGeneratorFactory.addProviderData(wSSAuditEventGeneratorFactory.setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.DENIED, WSSAuditService.WSSAuditReason.AUTHN_DENIED, null), jAASConfig, WSSAuditEventGenerator.SUCCESS);
                            wSSAuditEventGeneratorFactory.sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, messageContext, map);
                        }
                        wSSAuditEventGeneratorFactory.clearAuditData(map);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Failed to login");
                        }
                        throw new LoginException("Login module " + dKTConsumeLoginModule.getClass().getName() + " login() method returned false");
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Succeeded to login");
                    }
                }
                // Two-phase: commit only after every module's login() succeeded.
                if (!loginModule.commit()) {
                    if (isEventRequired2) {
                        wSSAuditEventGeneratorFactory.addProviderData(wSSAuditEventGeneratorFactory.setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.DENIED, WSSAuditService.WSSAuditReason.AUTHN_DENIED, null), jAASConfig, WSSAuditEventGenerator.SUCCESS);
                        wSSAuditEventGeneratorFactory.sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, messageContext, map);
                    }
                    wSSAuditEventGeneratorFactory.clearAuditData(map);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Failed to commit");
                    }
                    throw new LoginException("Login module " + loginModule.getClass().getName() + " commit() method returned false");
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Succeeded to commit");
                }
                if (isEventRequired) {
                    wSSAuditEventGeneratorFactory.addProviderData(wSSAuditEventGeneratorFactory.setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.SUCCESS, WSSAuditService.WSSAuditReason.AUTHN_SUCCESS, null), jAASConfig, WSSAuditEventGenerator.SUCCESS);
                    wSSAuditEventGeneratorFactory.sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, messageContext, map);
                }
                if (dKTConsumeLoginModule != null) {
                    // A second SUCCESS event may be sent here after the one above when the
                    // DKT module also commits.
                    if (!dKTConsumeLoginModule.commit()) {
                        if (isEventRequired2) {
                            wSSAuditEventGeneratorFactory.addProviderData(wSSAuditEventGeneratorFactory.setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.DENIED, WSSAuditService.WSSAuditReason.AUTHN_DENIED, null), jAASConfig, WSSAuditEventGenerator.SUCCESS);
                            wSSAuditEventGeneratorFactory.sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, messageContext, map);
                        }
                        wSSAuditEventGeneratorFactory.clearAuditData(map);
                        if (tc.isDebugEnabled()) {
                            Tr.debug(tc, "Failed to commit");
                        }
                        throw new LoginException("Login module " + dKTConsumeLoginModule.getClass().getName() + " commit() method returned false");
                    }
                    if (isEventRequired) {
                        wSSAuditEventGeneratorFactory.addProviderData(wSSAuditEventGeneratorFactory.setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.SUCCESS, WSSAuditService.WSSAuditReason.AUTHN_SUCCESS, null), jAASConfig, WSSAuditEventGenerator.SUCCESS);
                        wSSAuditEventGeneratorFactory.sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, messageContext, map);
                    }
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Succeeded to commit");
                    }
                }
            } catch (Exception e4) {
                // Any exception on the shortcut path (including the LoginExceptions thrown above)
                // is audited as ERROR, not DENIED, and the exception text goes into the event.
                Tr.processException(e4, clsName + ".invoke", "420", this);
                if (isEventRequired3) {
                    wSSAuditEventGeneratorFactory.addProviderData(wSSAuditEventGeneratorFactory.setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.ERROR, WSSAuditService.WSSAuditReason.AUTHN_LOGIN_EXCEPTION, e4.toString()), jAASConfig, WSSAuditEventGenerator.FAILURE);
                    wSSAuditEventGeneratorFactory.sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, messageContext, map);
                }
                wSSAuditEventGeneratorFactory.clearAuditData(map);
                throw getSoapSecurityException(map, e4);
            }
        } else {
            // Full JAAS path: construct the LoginContext under doPrivileged so the caller's
            // protection domain does not need AuthPermission.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Performing JAAS login for " + jAASConfig);
            }
            try {
                LoginContext loginContext = (LoginContext) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.3
                    @Override // java.security.PrivilegedExceptionAction
                    public Object run() throws LoginException {
                        LoginContext loginContext2 = new LoginContext(jAASConfig, subject2, commonCallbackHandler);
                        // NOTE(review): same misplaced "invoke" Tr.exit as in the class-loader
                        // action above — confirm.
                        if (CommonTokenConsumer.tc.isEntryEnabled()) {
                            Tr.exit(CommonTokenConsumer.tc, "invoke(OMElement, Map)");
                        }
                        return loginContext2;
                    }
                });
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Succeed to construct the login context.");
                }
                loginContext.login();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Succeed to login.");
                }
                if (isEventRequired) {
                    wSSAuditEventGeneratorFactory.addProviderData(wSSAuditEventGeneratorFactory.setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.SUCCESS, WSSAuditService.WSSAuditReason.AUTHN_SUCCESS, null), jAASConfig, WSSAuditEventGenerator.SUCCESS);
                    wSSAuditEventGeneratorFactory.sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, messageContext, map);
                }
            } catch (Exception e5) {
                // Unlike the shortcut path, a failure here (construction or login) is audited as
                // DENIED; getSoapSecurityException unwraps the PrivilegedActionException.
                Tr.processException(e5, clsName + ".invoke", "475", this);
                if (isEventRequired2) {
                    wSSAuditEventGeneratorFactory.addProviderData(wSSAuditEventGeneratorFactory.setAuditEventContext(map, WSSAuditService.WSSAuditOutcome.DENIED, WSSAuditService.WSSAuditReason.AUTHN_DENIED, null), jAASConfig, WSSAuditEventGenerator.SUCCESS);
                    wSSAuditEventGeneratorFactory.sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, messageContext, map);
                }
                wSSAuditEventGeneratorFactory.clearAuditData(map);
                throw getSoapSecurityException(map, e5);
            }
        }
        // The login modules are expected to leave the consumed token under
        // WSSECURITY_TOKEN_PROCESSED; a successful login without a token is still rejected.
        map.remove(Constants.WSSECURITY_TOKEN_FOR_ERROR_HANDLING);
        SecurityToken securityToken = (SecurityToken) map.remove(Constants.WSSECURITY_TOKEN_PROCESSED);
        if (securityToken == null) {
            throw SoapSecurityException.format(Axis2Util.setFailedAuthFaultCode(map), "security.wssecurity.X509TokenGenerator.s03", jAASConfig);
        }
        SecurityTokenManagerImpl securityTokenManagerImpl = (SecurityTokenManagerImpl) map.get(Constants.WSSECURITY_SECURITY_TOKEN_MANAGER);
        final String str3 = (String) map.get(Constants.WSSECURITY_KEYINFO_TYPE);
        SecurityTokenWrapper tokenWrapper = securityTokenManagerImpl.getTokenWrapper(securityToken);
        final String str4 = (String) map.get(Constants.WSSECURITY_KEYINFO_UNIQUE_NAME);
        if (tokenWrapper == null) {
            // First time this token is seen: record which consumer config handled it (by the
            // config's hashCode and its class-name hash) plus the KeyInfo type/unique id.
            final SecurityTokenWrapper securityTokenWrapper = new SecurityTokenWrapper(securityToken);
            AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.4
                @Override // java.security.PrivilegedAction
                public Object run() {
                    securityTokenWrapper.setUsedTokenConsumer(tokenConsumerConfig.hashCode(), tokenConsumerConfig.getClass().getName().hashCode());
                    securityTokenWrapper.setKeyInfoType(str3);
                    securityTokenWrapper.setKeyInfoUniqueID(str4);
                    return null;
                }
            });
            securityTokenManagerImpl.addTokenWrapper(securityTokenWrapper);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SecurityTokenWrapper added: " + securityTokenWrapper);
            }
        }
        map.put(Constants.WSSECURITY_TOKEN_LOGININFO, securityToken);
        // Audit data is left in the map only when a SUCCESS event was required (and sent).
        if (!isEventRequired && (isEventRequired2 || isEventRequired3)) {
            wSSAuditEventGeneratorFactory.clearAuditData(map);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "invoke(OMElement, Map)");
        }
    }

    /**
     * Normalizes a login failure into a {@link SoapSecurityException} carrying a
     * {@link LoginException} as its cause.
     *
     * <p>A {@code LoginException} is used as-is. A {@link PrivilegedActionException} whose cause
     * is a {@code LoginException} is unwrapped; any other {@code PrivilegedActionException} is
     * wrapped in a new {@code LoginException} with message
     * {@code security.wssecurity.X509TokenConsumer.s01} and the inner cause attached. Every other
     * exception type is wrapped in a message-less {@code LoginException}.
     *
     * @param map request context; used to set the FailedAuthentication fault code if none is set
     * @param exc the exception raised during login; must not be {@code null}
     * @return the formatted {@code security.wssecurity.X509TokenConsumer.s02} exception
     */
    static SoapSecurityException getSoapSecurityException(Map<Object, Object> map, Exception exc) {
        LoginException loginException;
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getSoapSecurityException(ex=" + exc.getClass() + ")");
        }
        Exception exc2 = exc;
        // Only sets the fault code when the map has none; an earlier fault code is preserved.
        QName failedAuthFaultCodeIfNone = Axis2Util.setFailedAuthFaultCodeIfNone(map);
        if (!(exc instanceof LoginException)) {
            if (!(exc instanceof PrivilegedActionException)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Creating new LoginException");
                }
                loginException = new LoginException();
                loginException.initCause(exc);
            } else if (exc.getCause() instanceof LoginException) {
                loginException = (LoginException) exc.getCause();
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Creating new LoginException");
                }
                loginException = new LoginException(ConfigUtil.getMessage("security.wssecurity.X509TokenConsumer.s01"));
                loginException.initCause(exc.getCause());
            }
            exc2 = loginException;
        }
        SoapSecurityException format = SoapSecurityException.format(failedAuthFaultCodeIfNone, "security.wssecurity.X509TokenConsumer.s02", exc2);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getSoapSecurityException");
        }
        return format;
    }
}
