package com.ibm.ws.wssecurity.impl.auth.module;

import com.ibm.websphere.security.auth.WSPrincipal;
import com.ibm.websphere.security.auth.callback.WSCredTokenCallbackImpl;
import com.ibm.websphere.security.auth.callback.WSRealmNameCallbackImpl;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.websphere.wssecurity.callbackhandler.PropertyCallback;
import com.ibm.websphere.wssecurity.callbackhandler.SAMLIdAssertionCallback;
import com.ibm.websphere.wssecurity.wssapi.token.ExchangeToken;
import com.ibm.websphere.wssecurity.wssapi.token.KRBToken;
import com.ibm.websphere.wssecurity.wssapi.token.LTPAPropagationToken;
import com.ibm.websphere.wssecurity.wssapi.token.LTPAToken;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.UsernameToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;
import com.ibm.ws.wssecurity.config.CallerConfig;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGenerator;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditEventGeneratorFactory;
import com.ibm.ws.wssecurity.platform.audit.WSSAuditService;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManager;
import com.ibm.ws.wssecurity.platform.auth.WSSContextManagerFactory;
import com.ibm.ws.wssecurity.platform.auth.WSSRealmFactory;
import com.ibm.ws.wssecurity.token.LoginProcessor;
import com.ibm.ws.wssecurity.token.WSSUserRegistryProcessor;
import com.ibm.ws.wssecurity.util.ConfigUtil;
import com.ibm.ws.wssecurity.util.DOMUtils;
import com.ibm.ws.wssecurity.util.Tr;
import com.ibm.ws.wssecurity.util.TraceComponent;
import com.ibm.ws.wssecurity.wssapi.OMStructure;
import com.ibm.ws.wssecurity.wssapi.token.impl.KRB5TokenImpl;
import com.ibm.ws.wssecurity.wssapi.token.impl.SecurityTokenManagerImpl;
import com.ibm.ws.wssecurity.wssapi.token.impl.SecurityTokenWrapper;
import com.ibm.ws.wssecurity.xml.xss4j.dsig.util.Base64;
import com.ibm.wsspi.security.auth.callback.WSAppContextCallback;
import com.ibm.wsspi.security.auth.callback.WSServletRequestCallback;
import com.ibm.wsspi.security.auth.callback.WSServletResponseCallback;
import com.ibm.wsspi.security.auth.callback.WSTokenHolderCallback;
import com.ibm.wsspi.security.auth.callback.WSX509CertificateChainCallback;
import com.ibm.wsspi.security.token.WSOpaqueTokenHelper;
import com.ibm.wsspi.wssecurity.core.Constants;
import com.ibm.wsspi.wssecurity.core.SoapSecurityException;
import com.ibm.wsspi.wssecurity.saml.data.SAMLAttribute;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.xml.namespace.QName;
import org.apache.axis2.context.MessageContext;
import org.ietf.jgss.GSSCredential;

/* loaded from: input_file:com/ibm/ws/wssecurity/impl/auth/module/WSWSSLoginModule.class */
public class WSWSSLoginModule implements LoginModule {
    // Trace component for this class, bound to the wssmessages resource bundle.
    private static final TraceComponent tc = Tr.register(WSWSSLoginModule.class, "Web Services Security", "com.ibm.ws.wssecurity.resources.wssmessages");
    // Message-key prefix prepended to the keys passed to ConfigUtil.getMessage(...).
    private static String comp = "security.wssecurity";
    // JAAS callback handler received in initialize(); used by login() to obtain a PropertyCallback when the shared state carries none.
    private CallbackHandler _handler;
    // JAAS shared state received in initialize(); login() reads the caller-process flag, the identity tokens and the "Callback" array from it.
    private Map _sharedState;
    // WS-Security property context, taken from the PropertyCallback in login().
    private Map<Object, Object> _context = null;
    // Token chosen as the caller identity (read from the shared state in login(), published to the context in commit()).
    private SecurityToken _callerIdentityToken = null;
    // Subject received in initialize(); the source for copySubject().
    private Subject _subject = null;

    /**
     * Stores the JAAS collaborators for the later phases.
     * <p>
     * Only the subject, the callback handler and the shared state are retained; the
     * {@code options} map is not used by this module.
     *
     * @param subject         the subject being authenticated
     * @param callbackHandler handler used to obtain the WS-Security property context
     * @param map             the JAAS shared state populated by the caller-identification step
     * @param map2            the module options (ignored)
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options)");
        }
        this._subject = subject;
        this._handler = callbackHandler;
        this._sharedState = map;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize(Subject, CallbackHandler, Map, Map)");
        }
    }

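    /**
     * JAAS login phase for a WS-Security caller.
     * <p>
     * Preconditions come from the JAAS shared state: the caller-identification step must have
     * completed ({@code Constants.WSSECURITY_CALLER_PROCESS_DONE}) and the caller identity token
     * must be present; a trusted identity token is optional. Both token value types are checked
     * against the {@link CallerConfig} (LTPA v1/v2 are interchangeable unless version enforcement
     * is configured, and exchanged tokens are accepted via {@code matchExchangedToken}). The token
     * is then mapped to a user name and/or credential, which is placed into the callback array
     * stored under {@code "Callback"} in the shared state for the downstream login modules.
     * Authentication audit events are sent when the audit service requires them.
     *
     * @return {@code true} when the caller token was accepted; failures are reported by exception
     * @throws LoginException if caller identification has not completed, the token value type does
     *         not match the configured caller/trusted identity, or the token yields no usable user
     *         name or credential
     */
    public boolean login() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        Boolean callerProcessDone = (Boolean) this._sharedState.get(Constants.WSSECURITY_CALLER_PROCESS_DONE);
        if (callerProcessDone == null || !callerProcessDone.booleanValue()) {
            throw new LoginException(ConfigUtil.getMessage(comp + ".LoginProcessor.s01"));
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "It seems that caller identification process is successfully done.");
        }
        CallerConfig callerConfig = (CallerConfig) this._sharedState.get(com.ibm.wsspi.wssecurity.core.config.CallerConfig.CONFIG_KEY);
        this._callerIdentityToken = (SecurityToken) this._sharedState.get(Constants.WSSECURITY_CALLER_IDENTITY);
        SecurityToken trustedIdentityToken = (SecurityToken) this._sharedState.get(Constants.WSSECURITY_TRUSTED_IDENTITY);
        String userName = null;
        String tokenId = null;
        // Prefer the property context carried by a PropertyCallback already in the shared state.
        Callback[] existingCallbacks = (Callback[]) this._sharedState.get("Callback");
        if (existingCallbacks != null) {
            for (Callback callback : existingCallbacks) {
                if (callback instanceof PropertyCallback) {
                    this._context = ((PropertyCallback) callback).getProperties();
                    break;
                }
            }
        }
        // Otherwise ask the callback handler for it.
        if (this._context == null) {
            PropertyCallback propertyCallback = new PropertyCallback(null);
            try {
                this._handler.handle(new Callback[]{propertyCallback});
                this._context = propertyCallback.getProperties();
            } catch (Exception e) {
                // LoginException has no (message, cause) constructor; chain the cause explicitly.
                LoginException loginException = new LoginException(ConfigUtil.getMessage(comp + ".BSTokenLoginModule.s01", new String[]{e.toString()}));
                loginException.initCause(e);
                throw loginException;
            }
        }
        String enforceTokenVersionValue = (String) this._context.get(com.ibm.ws.wssecurity.common.Constants.LTPA_ENFORCE_TOKEN_VERSION);
        boolean enforceTokenVersion = ConfigUtil.isTrue(enforceTokenVersionValue);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "enforceTokenVersion=" + enforceTokenVersionValue);
        }
        QName callerIdentity = callerConfig.getCallerIdentity();
        // The null check must precede the dereference; otherwise a missing caller token surfaces
        // as a NullPointerException instead of the intended LoginException.
        if (this._callerIdentityToken == null) {
            throw new LoginException(ConfigUtil.getMessage(comp + ".LoginProcessor.s01"));
        }
        QName valueType = this._callerIdentityToken.getValueType();
        if (!valueType.equals(callerIdentity)) {
            if (isTolerableLtpaVersionMismatch(callerIdentity, valueType, enforceTokenVersion)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Found matching callerIdentityToken for ltpa caller with different version.");
                }
            } else if (!matchExchangedToken(callerIdentity, valueType)) {
                throw new LoginException(ConfigUtil.getMessage(comp + ".PrivateConsumerConfig.s30", new String[]{valueType.toString(), callerIdentity.toString()}));
            }
        }
        if (trustedIdentityToken != null) {
            QName trustedIdentity = callerConfig.getTrustedIdentity();
            QName trustedValueType = trustedIdentityToken.getValueType();
            if (!trustedValueType.equals(trustedIdentity)) {
                if (isTolerableLtpaVersionMismatch(trustedIdentity, trustedValueType, enforceTokenVersion)) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Found matching trustedIdentityToken for ltpa caller with different version.");
                    }
                } else if (!matchExchangedToken(trustedIdentity, trustedValueType)) {
                    throw new LoginException(ConfigUtil.getMessage(comp + ".PrivateConsumerConfig.s30", new String[]{trustedValueType.toString(), trustedIdentity.toString()}));
                }
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Caller identity token [" + this._callerIdentityToken.getValueType() + "].");
            Tr.debug(tc, "Trusted identity token [" + (trustedIdentityToken == null ? null : trustedIdentityToken.getValueType()) + "].");
        }
        WSSContextManager contextManager = WSSContextManagerFactory.getInstance();
        String defaultRealm = null;
        if (contextManager == null) {
            Tr.error(tc, "security.wssecurity.ctxmgr.isnull");
        } else {
            defaultRealm = contextManager.getDefaultRealm();
        }
        // Callbacks handed to the downstream login modules through the shared state. The array is
        // typed as Callback[] because that is how it is read back (see the lookup of "Callback" above).
        NameCallback nameCallback = new NameCallback("Username: ");
        PasswordCallback passwordCallback = new PasswordCallback("Password: ", false);
        WSCredTokenCallbackImpl credTokenCallback = new WSCredTokenCallbackImpl("Credential Token: ");
        WSTokenHolderCallback tokenHolderCallback = new WSTokenHolderCallback("Authz Token List: ");
        Callback[] callbacks = {nameCallback, passwordCallback, credTokenCallback, new WSServletRequestCallback("HttpServletRequest: "), new WSServletResponseCallback("HttpServletResponse: "), new WSAppContextCallback("ApplicationContextCallback: "), tokenHolderCallback, new WSRealmNameCallbackImpl("Realm Name", defaultRealm), new WSX509CertificateChainCallback("X509Certificate[]: ")};
        if (this._callerIdentityToken instanceof UsernameToken) {
            final UsernameToken usernameToken = (UsernameToken) this._callerIdentityToken;
            String username = usernameToken.getUsername();
            if (username == null || username.length() == 0) {
                Tr.error(tc, comp + ".WSEC6735E", new Object[]{usernameToken.getValueType().toString(), "Login cancelled: username string is null or empty."});
                throw new LoginException(ConfigUtil.getMessage(comp + ".LoginProcessor.s11", new String[]{"Login cancelled: username string is null or empty."}));
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Realm is = " + defaultRealm);
            }
            try {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Examine if UsernameToken is realm qualified: " + username);
                }
                // A realm-qualified identity is accepted only if it is local or comes from a trusted realm.
                if (WSSRealmFactory.getInstance().isIdentityRealmQualified(username)) {
                    if (WSSRealmFactory.getInstance().isIdentityLocal(username)) {
                        username = WSSRealmFactory.getInstance().getIdentity(username);
                    } else {
                        if (!WSSRealmFactory.getInstance().isUserFromTrustedRealm(username)) {
                            throw new LoginException(ConfigUtil.getMessage(comp + ".WSWSSLoginModule.s02", new String[]{username}));
                        }
                        Hashtable hashtable = (Hashtable) this._sharedState.get("com.ibm.wsspi.security.cred.propertiesObject");
                        if (hashtable == null) {
                            hashtable = new Hashtable();
                            this._sharedState.put("com.ibm.wsspi.security.cred.propertiesObject", hashtable);
                        }
                        WSSRealmFactory.getInstance().addIdentityAssertionProperties(username, hashtable);
                    }
                }
                String unqualifiedName = WSSUserRegistryProcessor.removeRealm(defaultRealm, username);
                nameCallback.setName(unqualifiedName);
                userName = unqualifiedName;
                tokenId = usernameToken.getId();
                char[] password = (char[]) AccessController.doPrivileged(new PrivilegedAction<Object>() {
                    @Override
                    public Object run() {
                        return usernameToken.getPassword();
                    }
                });
                passwordCallback.setPassword(password);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "UsernameToken found.");
                    // Only the presence of a password is traced, never its value.
                    Tr.debug(tc, "Username [" + unqualifiedName + "], Password [" + (password == null ? "null" : "not null") + "].");
                }
            } catch (SoapSecurityException e2) {
                LoginException loginException = new LoginException(e2.getMessage());
                loginException.initCause(e2);
                throw loginException;
            }
        } else if (this._callerIdentityToken instanceof X509Token) {
            X509Token x509Token = (X509Token) this._callerIdentityToken;
            // Registry mapping wins; the certificate's own principal is only a fallback.
            String mappedUser = WSSUserRegistryProcessor.mapCertificate(x509Token.getCertificate());
            if (mappedUser == null || mappedUser.length() == 0) {
                mappedUser = x509Token.getPrincipal();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "User security from X509BSToken.getPrincipal() [" + mappedUser + "]");
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "User security from UserRegistryProcessor.mapCertificate() [" + mappedUser + "]");
            }
            nameCallback.setName(mappedUser);
            userName = mappedUser;
            tokenId = x509Token.getId();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "X509BSToken found.");
                Tr.debug(tc, "Username [" + mappedUser + "].");
            }
        } else if (this._callerIdentityToken instanceof KRBToken) {
            final KRB5TokenImpl krb5Token = (KRB5TokenImpl) this._callerIdentityToken;
            String tokenPrincipal = krb5Token.getTokenPrincipal();
            if (tokenPrincipal != null && tokenPrincipal.length() != 0) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Found an effective kerberos principal from KRBAuthnToken: " + tokenPrincipal);
                }
                nameCallback.setName(tokenPrincipal);
                userName = tokenPrincipal;
                tokenId = krb5Token.getId();
                try {
                    final GSSCredential gssCredential = (GSSCredential) AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                        @Override
                        public Object run() throws SoapSecurityException {
                            return krb5Token.getGSSCredential();
                        }
                    });
                    final Subject subject = (Subject) this._context.get(Constants.WSSECURITY_SUBJECT);
                    // The GSS credential is a private credential of the subject; add it once.
                    if (gssCredential != null) {
                        AccessController.doPrivileged(new PrivilegedAction<Object>() {
                            @Override
                            public Object run() {
                                if (subject.getPrivateCredentials().contains(gssCredential)) {
                                    if (WSWSSLoginModule.tc.isDebugEnabled()) {
                                        Tr.debug(WSWSSLoginModule.tc, "GSSCredential already in Subject: " + gssCredential.toString());
                                    }
                                    return null;
                                }
                                if (WSWSSLoginModule.tc.isDebugEnabled()) {
                                    Tr.debug(WSWSSLoginModule.tc, "Adding GSSCredential to Subject: " + gssCredential.toString());
                                }
                                subject.getPrivateCredentials().add(gssCredential);
                                return null;
                            }
                        });
                    }
                    addToSubject(this._context, krb5Token);
                } catch (PrivilegedActionException e3) {
                    Tr.error(tc, comp + ".WSSConsumer.s34", new Object[]{e3});
                    LoginException loginException = new LoginException(e3.getException().getMessage());
                    loginException.initCause(e3.getException());
                    throw loginException;
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No effective kerberos principal is found from Subject.");
            }
        } else if (this._callerIdentityToken instanceof LTPAPropagationToken) {
            final LTPAPropagationToken propagationToken = (LTPAPropagationToken) this._callerIdentityToken;
            WSCredential wsCredential = (WSCredential) AccessController.doPrivileged(new PrivilegedAction<Object>() {
                @Override
                public Object run() {
                    return propagationToken.getWSCredential();
                }
            });
            credTokenCallback.setCredToken((byte[]) AccessController.doPrivileged(new PrivilegedAction<Object>() {
                @Override
                public Object run() {
                    return propagationToken.getBinary();
                }
            }));
            WSPrincipal wsPrincipal = propagationToken.getWSPrincipal();
            userName = wsPrincipal.toString();
            tokenId = propagationToken.getId();
            if (wsCredential == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "No WSCredential found in LTPA Propagation Token.");
                }
                throw new LoginException(ConfigUtil.getMessage(comp + ".WSEC0168E"));
            }
            try {
                // The propagated authorization tokens are carried as an opaque token in the XML element.
                tokenHolderCallback.setTokenHolderList(WSOpaqueTokenHelper.getInstance().createTokenHolderListFromOpaqueToken(Base64.decode(DOMUtils.getStringValue(((OMStructure) propagationToken.getXML()).getNode()))));
                this._sharedState.put("WSCredential", wsCredential);
                this._context.put(LoginProcessor.isLTPAPropagationTokenCallerToken, "true");
                this._context.put(LoginProcessor.savedSubject, copySubject());
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "LTPA Propagation Token found.");
                    Tr.debug(tc, "WSCredential [" + wsCredential + "].");
                    Tr.debug(tc, "WSPrincipal [" + wsPrincipal + "].");
                }
            } catch (Exception e4) {
                this._context.put(LoginProcessor.isLTPAPropagationTokenCallerToken, "true");
                // Chain the exception itself, not its (possibly null) cause, so the failure is not lost.
                LoginException loginException = new LoginException(e4.getMessage());
                loginException.initCause(e4);
                throw loginException;
            }
        } else if (this._callerIdentityToken instanceof LTPAToken) {
            final LTPAToken ltpaToken = (LTPAToken) this._callerIdentityToken;
            byte[] credentialBytes = (byte[]) AccessController.doPrivileged(new PrivilegedAction<Object>() {
                @Override
                public Object run() {
                    return ltpaToken.getBinary();
                }
            });
            if (credentialBytes == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Null credential value found for the LTPA token to login.");
                }
                throw new LoginException(ConfigUtil.getMessage(comp + ".LoginProcessor.s11", new String[]{"Null credentials for the LTPA token."}));
            }
            userName = ltpaToken.getPrincipal();
            tokenId = ltpaToken.getId();
            credTokenCallback.setCredToken(credentialBytes);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "LTPA Token found.");
                // Traces the array reference only, not the credential bytes.
                Tr.debug(tc, "Credential [" + credentialBytes + "].");
            }
        } else {
            // Any other (custom) token type contributes its principal as the user name.
            SecurityToken customToken = this._callerIdentityToken;
            String principal = customToken.getPrincipal();
            if (principal == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Null principal value found for the custom token to login.");
                }
                throw new LoginException(ConfigUtil.getMessage(comp + ".LoginProcessor.s11", new String[]{"Null principal for the custom token."}));
            }
            String unqualifiedPrincipal = WSSUserRegistryProcessor.removeRealm(defaultRealm, principal);
            nameCallback.setName(unqualifiedPrincipal);
            userName = unqualifiedPrincipal;
            tokenId = customToken.getId();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Token [" + customToken.getValueType() + "] found.");
                Tr.debug(tc, "Principal [" + unqualifiedPrincipal + "].");
            }
        }
        String samlCrossDomainIdAssertion = this._callerIdentityToken instanceof SAMLToken ? doSAMLCrossDomainIDAssertion((SAMLToken) this._callerIdentityToken) : "false";
        // NOTE(review): getInstance() was null-checked above but is dereferenced unconditionally here — confirm it cannot be null at this point.
        WSSAuditService auditService = WSSContextManagerFactory.getInstance().getAuditService();
        WSSAuditEventGenerator auditEventGenerator = WSSAuditEventGeneratorFactory.getInstance();
        boolean delegationEventRequired = auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN_DELEGATION, WSSAuditService.WSSAuditOutcome.SUCCESS, this._context);
        boolean authnEventRequired = auditService.isEventRequired(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, WSSAuditService.WSSAuditOutcome.SUCCESS, this._context);
        // Identity assertion is audited as a delegation event; a direct authentication as an authn event.
        if (delegationEventRequired && callerConfig.useIdentityAssertion()) {
            MessageContext messageContext = (MessageContext) this._context.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
            Map<String, Object> authnDelegationData = auditEventGenerator.setAuthnDelegationData(this._context, WSSAuditEventGenerator.DELEGATION_TYPE, WSSAuditEventGenerator.IDENTITY_ASSERTION);
            auditEventGenerator.addAuthnDelegationData(authnDelegationData, WSSAuditEventGenerator.ROLE_NAME, "");
            auditEventGenerator.addAuthnDelegationData(authnDelegationData, WSSAuditEventGenerator.IDENTITY_NAME, userName);
            if (this._callerIdentityToken instanceof SAMLToken) {
                auditEventGenerator.addExtendedAuditData(authnDelegationData, "CrossDomainIDAssertion", samlCrossDomainIdAssertion);
            }
            auditEventGenerator.addExtendedAuditData(authnDelegationData, "CallerIdentityType", valueType.toString());
            if (trustedIdentityToken != null) {
                auditEventGenerator.addExtendedAuditData(authnDelegationData, "TrustedIdentity", trustedIdentityToken.getId());
                auditEventGenerator.addExtendedAuditData(authnDelegationData, "TrustedIdentityType", trustedIdentityToken.getValueType().toString());
            }
            auditEventGenerator.setAuditEventContext(this._context, WSSAuditService.WSSAuditOutcome.SUCCESS, WSSAuditService.WSSAuditReason.AUTHN_SUCCESS, null);
            auditEventGenerator.sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN_DELEGATION, messageContext, this._context);
        }
        if (authnEventRequired && !callerConfig.useIdentityAssertion()) {
            MessageContext messageContext2 = (MessageContext) this._context.get(Constants.WSSECURITY_MESSAGE_CONTEXT);
            Map<String, Object> extendedAuditData = auditEventGenerator.setExtendedAuditData(this._context, "Username", userName);
            auditEventGenerator.addProviderData(extendedAuditData, callerConfig.getJAASConfig(), WSSAuditEventGenerator.SUCCESS);
            auditEventGenerator.addAuthnTypeData(extendedAuditData, this._callerIdentityToken.getValueType().toString());
            auditEventGenerator.addExtendedAuditData(extendedAuditData, WSSAuditEventGenerator.TOKEN_ID, tokenId);
            auditEventGenerator.setAuditEventContext(this._context, WSSAuditService.WSSAuditOutcome.SUCCESS, WSSAuditService.WSSAuditReason.AUTHN_SUCCESS, null);
            auditEventGenerator.sendEvent(WSSAuditService.WSSAuditEventType.SECURITY_AUTHN, messageContext2, this._context);
        }
        // Mark the token as consumed by a login so it is not reused for another login.
        SecurityTokenWrapper tokenWrapper = ((SecurityTokenManagerImpl) this._context.get(Constants.WSSECURITY_SECURITY_TOKEN_MANAGER)).getTokenWrapper(this._callerIdentityToken);
        if (tokenWrapper != null) {
            tokenWrapper.setUsedToLogin(true);
        }
        this._sharedState.put("Callback", callbacks);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "login()");
        }
        return true;
    }

    /**
     * Tells whether a value-type mismatch is a tolerable LTPA version difference.
     *
     * @param expected           the value type configured for the caller or trusted identity
     * @param actual             the value type of the received token
     * @param enforceTokenVersion whether the configuration requires the exact LTPA version
     * @return {@code true} when both value types are LTPA (v1 or v2) and version enforcement is off
     */
    private static boolean isTolerableLtpaVersionMismatch(QName expected, QName actual, boolean enforceTokenVersion) {
        boolean expectedIsLtpa = com.ibm.ws.wssecurity.common.Constants.LTPA_TOKEN.equals(expected) || com.ibm.ws.wssecurity.common.Constants.LTPAv2_TOKEN.equals(expected);
        boolean actualIsLtpa = com.ibm.ws.wssecurity.common.Constants.LTPA_TOKEN.equals(actual) || com.ibm.ws.wssecurity.common.Constants.LTPAv2_TOKEN.equals(actual);
        return expectedIsLtpa && actualIsLtpa && !enforceTokenVersion;
    }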

    /**
     * JAAS commit phase: publishes the caller identity token chosen in {@link #login()} to the
     * property context under {@code Constants.WSSECURITY_TOKEN_LOGININFO}.
     *
     * @return {@code true} always
     * @throws LoginException declared for the {@link LoginModule} contract; not raised here
     */
    public boolean commit() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "commit()");
        }
        this._context.put(Constants.WSSECURITY_TOKEN_LOGININFO, this._callerIdentityToken);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "commit()");
        }
        return true;
    }

    /**
     * JAAS abort phase. No state is cleared; the module only traces the call.
     *
     * @return {@code false} always, which under the {@link LoginModule} contract asks the
     *         LoginContext to ignore this module for the abort
     * @throws LoginException declared for the {@link LoginModule} contract; not raised here
     */
    public boolean abort() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "abort()");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "abort()");
        }
        return false;
    }

    /**
     * JAAS logout phase. Nothing is removed from the subject or the context; the module only
     * traces the call.
     *
     * @return {@code false} always, which under the {@link LoginModule} contract asks the
     *         LoginContext to ignore this module for the logout
     * @throws LoginException declared for the {@link LoginModule} contract; not raised here
     */
    public boolean logout() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "logout()");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "logout()");
        }
        return false;
    }

    /**
     * Adds a {@link WSCredential} to the public credentials of the subject held in the property
     * context under {@code Constants.WSSECURITY_SUBJECT}, unless it is already present.
     *
     * @param map         the WS-Security property context
     * @param wSCredential the credential to add
     */
    private static final void addToSubject(Map<Object, Object> map, final WSCredential wSCredential) {
        final Subject target = (Subject) map.get(Constants.WSSECURITY_SUBJECT);
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                Set<Object> publicCredentials = target.getPublicCredentials();
                boolean alreadyPresent = publicCredentials.contains(wSCredential);
                if (WSWSSLoginModule.tc.isDebugEnabled()) {
                    Tr.debug(WSWSSLoginModule.tc, alreadyPresent
                            ? "WSCredential already in Subject: " + wSCredential
                            : "Adding WSCredential to Subject: " + wSCredential);
                }
                if (!alreadyPresent) {
                    publicCredentials.add(wSCredential);
                }
                return null;
            }
        });
    }

    /**
     * Adds a {@link SecurityToken} to the private credentials of the subject held in the property
     * context under {@code Constants.WSSECURITY_SUBJECT}, unless it is already present.
     *
     * @param map           the WS-Security property context
     * @param securityToken the token to add
     */
    private static final void addToSubject(Map<Object, Object> map, final SecurityToken securityToken) {
        final Subject target = (Subject) map.get(Constants.WSSECURITY_SUBJECT);
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                Set<Object> privateCredentials = target.getPrivateCredentials();
                boolean alreadyPresent = privateCredentials.contains(securityToken);
                if (WSWSSLoginModule.tc.isDebugEnabled()) {
                    Tr.debug(WSWSSLoginModule.tc, alreadyPresent
                            ? "Token already in Subject: " + securityToken
                            : "Adding Token to Subject: " + securityToken);
                }
                if (!alreadyPresent) {
                    privateCredentials.add(securityToken);
                }
                return null;
            }
        });
    }

    /**
     * Adds a {@link WSPrincipal} to the principals of the subject held in the property context
     * under {@code Constants.WSSECURITY_SUBJECT}, unless it is already present.
     *
     * @param map         the WS-Security property context
     * @param wSPrincipal the principal to add
     */
    private static final void addToSubject(Map<Object, Object> map, final WSPrincipal wSPrincipal) {
        final Subject target = (Subject) map.get(Constants.WSSECURITY_SUBJECT);
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                Set<Principal> principals = target.getPrincipals();
                boolean alreadyPresent = principals.contains(wSPrincipal);
                if (WSWSSLoginModule.tc.isDebugEnabled()) {
                    Tr.debug(WSWSSLoginModule.tc, alreadyPresent
                            ? "WSPrincipal already in Subject: " + wSPrincipal
                            : "Adding WSPrincipal to Subject: " + wSPrincipal);
                }
                if (!alreadyPresent) {
                    principals.add(wSPrincipal);
                }
                return null;
            }
        });
    }

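    /**
     * Returns a new {@link Subject} holding the public credentials, private credentials and
     * principals of the subject passed to {@link #initialize}. Null entries are skipped.
     * <p>
     * The copy is shallow: the credential and principal objects themselves are shared with the
     * source subject, so the returned subject is exactly as sensitive as the original (it carries
     * the same private credentials, including any WS-Security tokens).
     *
     * @return a fresh subject populated from this module's subject
     */
    public final Subject copySubject() {
        if (tc.isEntryEnabled()) {
            // Trace name matches the method (the exit trace below already did).
            Tr.entry(tc, "copySubject(Subject)");
        }
        final Subject subject = this._subject;
        final Subject subject2 = new Subject();
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                for (Object obj : subject.getPublicCredentials()) {
                    if (obj != null) {
                        if (!subject2.getPublicCredentials().contains(obj)) {
                            if (WSWSSLoginModule.tc.isDebugEnabled()) {
                                Tr.debug(WSWSSLoginModule.tc, "Adding public object to Subject: " + obj);
                            }
                            subject2.getPublicCredentials().add(obj);
                        } else if (WSWSSLoginModule.tc.isDebugEnabled()) {
                            Tr.debug(WSWSSLoginModule.tc, "Public object already in Subject: " + obj);
                        }
                    }
                }
                for (Object obj2 : subject.getPrivateCredentials()) {
                    if (obj2 != null) {
                        if (!subject2.getPrivateCredentials().contains(obj2)) {
                            if (WSWSSLoginModule.tc.isDebugEnabled()) {
                                Tr.debug(WSWSSLoginModule.tc, "Adding private object to Subject: " + obj2);
                            }
                            subject2.getPrivateCredentials().add(obj2);
                        } else if (obj2 instanceof SecurityToken) {
                            // WS-Security tokens get a distinct trace so duplicates are easy to spot.
                            if (WSWSSLoginModule.tc.isDebugEnabled()) {
                                Tr.debug(WSWSSLoginModule.tc, "ws-sec Token private object already in Subject: " + obj2);
                            }
                        } else if (WSWSSLoginModule.tc.isDebugEnabled()) {
                            Tr.debug(WSWSSLoginModule.tc, "Private object already in Subject: " + obj2);
                        }
                    }
                }
                for (Principal principal : subject.getPrincipals()) {
                    if (principal != null) {
                        if (!subject2.getPrincipals().contains(principal)) {
                            if (WSWSSLoginModule.tc.isDebugEnabled()) {
                                Tr.debug(WSWSSLoginModule.tc, "Adding principal object to Subject: " + principal);
                            }
                            subject2.getPrincipals().add(principal);
                        } else if (WSWSSLoginModule.tc.isDebugEnabled()) {
                            Tr.debug(WSWSSLoginModule.tc, "Principal object already in Subject: " + principal);
                        }
                    }
                }
                return null;
            }
        });
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "copySubject(Subject)");
        }
        return subject2;
    }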

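    /**
     * Resolves the principal name to use for a Kerberos login.
     *
     * <p>For a {@link KRBToken}, a Kerberos token already held in the private
     * credentials of the subject stored under {@code Constants.WSSECURITY_SUBJECT}
     * takes precedence; when the subject has private credentials but none of them
     * is a Kerberos token, the principal of the passed-in token is used instead.
     * For any other token type, and when there is no subject or no private
     * credentials to inspect, the result is {@code null}.
     *
     * @param map           the login context map; the subject is read from
     *                      {@code Constants.WSSECURITY_SUBJECT} and may be absent
     * @param securityToken the token being processed by this login
     * @return the principal name, or {@code null} when the token is not a
     *         {@link KRBToken} or no subject/private credentials are available
     */
    private static final String getPrincipalFromSubject(Map<Object, Object> map, final SecurityToken securityToken) {
        final Subject subject = (Subject) map.get(Constants.WSSECURITY_SUBJECT);
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            @Override
            public String run() {
                // Only Kerberos logins consult the subject; everything else resolves to null.
                if (!(securityToken instanceof KRBToken)) {
                    return null;
                }
                // A context without a subject is treated like a subject without private
                // credentials: nothing to look at, so no principal (instead of an NPE).
                if (subject == null) {
                    if (WSWSSLoginModule.tc.isDebugEnabled()) {
                        Tr.debug(WSWSSLoginModule.tc, "No Subject found in the context; no request Kerberos principal available.");
                    }
                    return null;
                }
                Set<Object> privateCredentials = subject.getPrivateCredentials();
                if (privateCredentials == null || privateCredentials.isEmpty()) {
                    return null;
                }
                // The first Kerberos token in the subject wins.
                for (Object credential : privateCredentials) {
                    if (credential instanceof KRBToken) {
                        String principal = ((SecurityToken) credential).getPrincipal();
                        if (WSWSSLoginModule.tc.isDebugEnabled()) {
                            Tr.debug(WSWSSLoginModule.tc, "Found request Kerberos principal: " + principal);
                        }
                        return principal;
                    }
                }
                if (WSWSSLoginModule.tc.isDebugEnabled()) {
                    Tr.debug(WSWSSLoginModule.tc, "No request Kerberos principal found in the Subject.");
                    Tr.debug(WSWSSLoginModule.tc, "Use passed-in token principal instead - " + securityToken.getPrincipal());
                }
                return securityToken.getPrincipal();
            }
        });
    }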

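    /**
     * Performs SAML cross-domain identity assertion: derives the realm, principal,
     * unique ID and group names of the asserted identity from the SAML token and
     * the credential mapping configured on the {@link SAMLIdAssertionCallback},
     * and stores them as WSCredential properties in the shared state.
     *
     * <p>Nothing is done unless a {@link SAMLIdAssertionCallback} with cross-domain
     * ID assertion enabled is present among the callbacks held in the shared state.
     * The stored values are only as trustworthy as the validation the token has
     * already been through; this method does not validate the token itself.
     *
     * @param sAMLToken the SAML token being asserted
     * @return {@code "true"} if cross-domain ID assertion was performed and the
     *         credential properties were stored, otherwise {@code "false"}
     * @throws LoginException if the credential mapping is ambiguous (an attribute
     *         with more than one usable value, or different attributes supplying
     *         conflicting values), if a realm attribute is configured without a
     *         realm range, or if a field configured to come from an attribute has
     *         no usable value
     */
    private String doSAMLCrossDomainIDAssertion(SAMLToken sAMLToken) throws LoginException {
        Callback[] callbacks = (Callback[]) this._sharedState.get("Callback");
        SAMLIdAssertionCallback idAssertion = findSAMLIdAssertionCallback(callbacks);
        if (idAssertion == null || !idAssertion.isCrossDomainIdAssertion()) {
            return "false";
        }
        boolean realmFromAttribute = false;
        boolean principalFromAttribute = false;
        boolean uniqueIdFromAttribute = false;
        boolean useNameQualifierForRealm = idAssertion.isUseNameQualifierForRealm();
        boolean useIssuerNameForRealm = idAssertion.isUseIssuerNameForRealm();
        ArrayList<String[]> credentialList = idAssertion.getCredentialList();
        String issuerName = sAMLToken.getSAMLIssuerName();
        String realm = null;
        String principal = null;
        String uniqueId = null;
        // A token without attributes is handled like one with an empty attribute list,
        // so the per-credential-entry loop below never dereferences null.
        List<SAMLAttribute> attributes = sAMLToken.getSAMLAttributes();
        if (attributes == null) {
            attributes = new ArrayList<SAMLAttribute>();
        }
        List<String> groupNames = new ArrayList<String>();
        String defaultRealm = null;
        String mappedUniqueId = null;
        boolean fromWSCredentialMapping = false;
        // A UniqueSecurityName attribute produced by WSCredential mapping supplies the
        // unique ID directly and selects the NameID qualifier as the default realm.
        for (SAMLAttribute attribute : attributes) {
            if (isFromWSCredentialMapping(attribute)) {
                mappedUniqueId = attribute.getStringAttributeValue()[0];
                defaultRealm = sAMLToken.getSAMLNameID().getNameQualifier();
                fromWSCredentialMapping = true;
                break;
            }
        }
        if (useNameQualifierForRealm && !fromWSCredentialMapping) {
            defaultRealm = sAMLToken.getSAMLNameID().getNameQualifier();
        }
        if (useIssuerNameForRealm && fromWSCredentialMapping) {
            defaultRealm = issuerName;
        }
        if (credentialList != null && !credentialList.isEmpty()) {
            for (String[] entry : credentialList) {
                // Entry layout as consumed here: [0] issuer, [1]/[2] principal attribute
                // name/namespace, [3]/[4] realm attribute name/namespace, [5]/[6] group
                // attribute name/namespace, [7] realm range, [8]/[9] unique ID attribute
                // name/namespace. Shorter entries are assumed to be a configuration
                // error — TODO confirm against SAMLIdAssertionCallback.
                for (SAMLAttribute attribute : attributes) {
                    // An entry applies either to every issuer (no issuer configured) or only
                    // to the token's issuer; a token without an issuer name matches nothing.
                    if (entry[0] != null && !entry[0].equalsIgnoreCase(issuerName)) {
                        continue;
                    }
                    if (entry[1] != null && !entry[1].isEmpty()) {
                        principalFromAttribute = true;
                        String[] candidates = getOnlyOneDefinedAttribute(attribute, entry[1], entry[2], null);
                        if (candidates[1] != null) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Can not use more than one attribute values as principal.");
                            }
                            throw new LoginException(ConfigUtil.getMessage(comp + ".CWWSS7557E"));
                        }
                        if (candidates[0] != null) {
                            // Two different attributes must not both claim the principal.
                            if (principal != null && !principal.equals(candidates[0])) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "The principal exists already.");
                                }
                                throw new LoginException(ConfigUtil.getMessage(comp + ".CWWSS7558E"));
                            }
                            principal = candidates[0];
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Found principal name:" + principal);
                            }
                        }
                    }
                    if (entry[3] != null && !entry[3].isEmpty()) {
                        // A realm taken from an attribute is only accepted within a configured range.
                        if (entry[7] == null || entry[7].trim().isEmpty()) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "realm rangle is required if using Attribute value for realm.");
                            }
                            throw new LoginException(ConfigUtil.getMessage(comp + ".CWWSS7563E"));
                        }
                        realmFromAttribute = true;
                        String[] candidates = getOnlyOneDefinedAttribute(attribute, entry[3], entry[4], entry[7]);
                        if (candidates[1] != null) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Can not use more than one attribute values as realm.");
                            }
                            throw new LoginException(ConfigUtil.getMessage(comp + ".CWWSS7559E"));
                        }
                        if (candidates[0] != null) {
                            if (realm != null && !realm.equals(candidates[0])) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "The realm exists already.");
                                }
                                throw new LoginException(ConfigUtil.getMessage(comp + ".CWWSS7560E"));
                            }
                            realm = candidates[0];
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Found Realm name:" + realm);
                            }
                        }
                    }
                    if (entry[8] != null && !entry[8].isEmpty()) {
                        uniqueIdFromAttribute = true;
                        String[] candidates = getOnlyOneDefinedAttribute(attribute, entry[8], entry[9], null);
                        if (candidates[1] != null) {
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Can not use more than one attribute values as unique ID.");
                            }
                            throw new LoginException(ConfigUtil.getMessage(comp + ".CWWSS7561E"));
                        }
                        if (candidates[0] != null) {
                            if (uniqueId != null && !uniqueId.equals(candidates[0])) {
                                if (tc.isDebugEnabled()) {
                                    Tr.debug(tc, "The uniqueId exists already.");
                                }
                                throw new LoginException(ConfigUtil.getMessage(comp + ".CWWSS7562E"));
                            }
                            uniqueId = candidates[0];
                            if (tc.isDebugEnabled()) {
                                Tr.debug(tc, "Found uniqueId name:" + uniqueId);
                            }
                        }
                    }
                    if (entry[5] != null && !entry[5].isEmpty()) {
                        // Group attributes are matched by name and, when configured, by
                        // namespace; the name format stands in for a missing namespace.
                        String attributeNamespace = attribute.getAttributeNamespace();
                        if (attributeNamespace == null) {
                            attributeNamespace = attribute.getNameFormat();
                        }
                        boolean nameMatches = entry[5].equalsIgnoreCase(attribute.getName());
                        boolean namespaceMatches = entry[6] == null || entry[6].equalsIgnoreCase(attributeNamespace);
                        if (nameMatches && namespaceMatches) {
                            addValues(groupNames, attribute.getStringAttributeValue());
                        }
                    }
                }
            }
        } else if (!attributes.isEmpty()) {
            // No credential mapping configured: fall back to the well-known group attribute names.
            ArrayList<String> defaultGroupNames = SAMLIdAssertionCallback.defaultGroupNameList;
            for (SAMLAttribute attribute : attributes) {
                if (defaultGroupNames.contains(attribute.getName().toLowerCase())) {
                    addValues(groupNames, attribute.getStringAttributeValue());
                }
            }
        }
        // A field configured to come from an attribute must have been found; otherwise
        // fall back to the token's own values.
        if (realm == null) {
            if (realmFromAttribute) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "There is no attribute could be used as realm.");
                }
                throw new LoginException(ConfigUtil.getMessage(comp + ".CWWSS7563E"));
            }
            realm = defaultRealm != null ? defaultRealm : issuerName;
        }
        if (principal == null) {
            if (principalFromAttribute) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "There is no attribute could be used as principal.");
                }
                throw new LoginException(ConfigUtil.getMessage(comp + ".CWWSS7564E"));
            }
            principal = sAMLToken.getPrincipal();
        }
        if (uniqueId == null) {
            if (uniqueIdFromAttribute) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "There is no attribute could be used as UniqueId.");
                }
                throw new LoginException(ConfigUtil.getMessage(comp + ".CWWSS7565E"));
            }
            uniqueId = mappedUniqueId != null ? mappedUniqueId : sAMLToken.getPrincipal();
        }
        String qualifiedUniqueId = realm + "/" + uniqueId;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "username = " + principal + "  uniqueId = " + qualifiedUniqueId);
        }
        ArrayList<String> groups = new ArrayList<String>();
        for (String groupName : groupNames) {
            groups.add("group:" + qualifyGroupName(realm, groupName));
        }
        Hashtable<String, Object> properties = credentialProperties();
        properties.put("com.ibm.wsspi.security.cred.uniqueId", qualifiedUniqueId);
        properties.put("com.ibm.wsspi.security.cred.securityName", principal);
        properties.put("com.ibm.wsspi.security.cred.groups", groups);
        properties.put("com.ibm.wsspi.security.cred.realm", realm);
        return "true";
    }

    /**
     * Returns the first {@link SAMLIdAssertionCallback} among the callbacks, or
     * {@code null} when the array is {@code null} or holds none.
     */
    private static SAMLIdAssertionCallback findSAMLIdAssertionCallback(Callback[] callbacks) {
        if (callbacks == null) {
            return null;
        }
        for (Callback callback : callbacks) {
            if (callback instanceof SAMLIdAssertionCallback) {
                return (SAMLIdAssertionCallback) callback;
            }
        }
        return null;
    }

    /**
     * Appends the non-null elements of {@code values} to {@code target}.
     * A {@code null} array contributes nothing; null elements are skipped because a
     * null group name cannot be realm-qualified later.
     */
    private static void addValues(List<String> target, String[] values) {
        if (values == null) {
            return;
        }
        for (String value : values) {
            if (value != null) {
                target.add(value);
            }
        }
    }

    /**
     * Qualifies a group name with the asserted realm unless it already carries the
     * {@code realm + "/"} prefix. The whole prefix including the separator is
     * compared, so a group whose name merely begins with the realm string (realm
     * {@code "r1"}, group {@code "r1admins"}) is still confined to the realm.
     */
    private static String qualifyGroupName(String realm, String groupName) {
        String prefix = realm + "/";
        return groupName.startsWith(prefix) ? groupName : prefix + groupName;
    }

    /**
     * Returns the WSCredential property table from the shared state, creating and
     * registering a new one when none is present yet.
     */
    @SuppressWarnings("unchecked")
    private Hashtable<String, Object> credentialProperties() {
        Hashtable<String, Object> properties = (Hashtable<String, Object>) this._sharedState.get("com.ibm.wsspi.security.cred.propertiesObject");
        if (properties == null) {
            properties = new Hashtable<String, Object>();
            this._sharedState.put("com.ibm.wsspi.security.cred.propertiesObject", properties);
        }
        return properties;
    }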

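    /**
     * Picks the values of one SAML attribute that may be used for a single-valued
     * credential field (principal, realm or unique ID).
     *
     * <p>The attribute is considered only when its name matches {@code str}
     * (case-insensitively) and, if {@code str2} is given, its attribute namespace
     * matches {@code str2} as well. Blank values are ignored. When a realm range
     * {@code str3} is given, only values contained in that range (or every value
     * for a range of {@code "*"}) are kept.
     *
     * @param sAMLAttribute the attribute to inspect
     * @param str  the configured attribute name; {@code null} matches nothing
     * @param str2 the configured attribute namespace, or {@code null} to match by name only
     * @param str3 the configured realm range, or {@code null}/blank for no range filtering
     * @return a two-element array: index 0 holds the first usable value (or
     *         {@code null} if none), index 1 the second usable value (non-null means
     *         the attribute is ambiguous for a single-valued field)
     */
    private String[] getOnlyOneDefinedAttribute(SAMLAttribute sAMLAttribute, String str, String str2, String str3) {
        String[] selected = new String[2];
        if (!configuredAttributeMatches(sAMLAttribute, str, str2)) {
            return selected;
        }
        // Collect the non-blank values into a fresh list so the attribute's own value
        // array is never compacted in place (it may be shared with other callers).
        List<String> values = new ArrayList<String>();
        String[] rawValues = sAMLAttribute.getStringAttributeValue();
        if (rawValues != null) {
            for (String value : rawValues) {
                if (value != null && !value.trim().isEmpty()) {
                    values.add(value);
                }
            }
        }
        for (int i = 0; i < values.size() && i < 2; i++) {
            selected[i] = values.get(i);
        }
        boolean rangeConfigured = str3 != null && !str3.trim().isEmpty();
        if (!values.isEmpty() && rangeConfigured) {
            // The range narrows the candidates to the values it contains.
            // NOTE(review): containment is a plain substring search, so a short value
            // matches any range that happens to contain it; the range syntax is not
            // defined here, so the comparison is left as is.
            selected = new String[2];
            int kept = 0;
            for (String value : values) {
                if (kept >= 2) {
                    break;
                }
                if (str3.equals("*") || str3.indexOf(value) > -1) {
                    selected[kept] = value;
                    kept++;
                }
            }
        }
        return selected;
    }

    /**
     * Tells whether the attribute's name (and, when configured, its attribute
     * namespace) match the configured name and namespace, case-insensitively.
     * A {@code null} configured name never matches.
     */
    private static boolean configuredAttributeMatches(SAMLAttribute sAMLAttribute, String configuredName, String configuredNamespace) {
        if (configuredName == null || !configuredName.equalsIgnoreCase(sAMLAttribute.getName())) {
            return false;
        }
        return configuredNamespace == null || configuredNamespace.equalsIgnoreCase(sAMLAttribute.getAttributeNamespace());
    }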

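    /**
     * Tells whether a SAML attribute is the {@code UniqueSecurityName} attribute
     * produced by WSCredential mapping: it carries the WSCredential namespace (as
     * attribute namespace or as name format) and exactly one non-null value.
     *
     * @param sAMLAttribute the attribute to inspect
     * @return {@code true} if the attribute is a single-valued WSCredential
     *         {@code UniqueSecurityName}
     */
    private static boolean isFromWSCredentialMapping(SAMLAttribute sAMLAttribute) {
        if (!"UniqueSecurityName".equalsIgnoreCase(sAMLAttribute.getName())) {
            return false;
        }
        String wsCredentialNamespace = SAMLIdAssertionCallback.WSCREDENTIAL_NAMESPACE;
        boolean namespaceMatches = wsCredentialNamespace.equalsIgnoreCase(sAMLAttribute.getAttributeNamespace())
                || wsCredentialNamespace.equalsIgnoreCase(sAMLAttribute.getNameFormat());
        if (!namespaceMatches) {
            return false;
        }
        // Read the value array once so the length and element checks see the same array.
        String[] values = sAMLAttribute.getStringAttributeValue();
        return values != null && values.length == 1 && values[0] != null;
    }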

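    /**
     * Checks whether the request carries an exchanged token of the configured value
     * type whose embedded authorization token has the expected value type.
     *
     * @param qName  the configured value type the {@link ExchangeToken} itself must have
     * @param qName2 the value type the exchanged token's authorization token must have
     * @return {@code true} if such an {@link ExchangeToken} is among the tokens of
     *         the security token manager in the current context; {@code false}
     *         otherwise, including when no token manager or no tokens are present
     */
    private boolean matchExchangedToken(QName qName, QName qName2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "matchExchangedToken(QName config_qn, QName token_qn )");
        }
        boolean matched = false;
        SecurityTokenManagerImpl tokenManager = (SecurityTokenManagerImpl) this._context.get(Constants.WSSECURITY_SECURITY_TOKEN_MANAGER);
        // A context without a token manager has no tokens to match: report no match
        // instead of failing with a NullPointerException.
        Collection<SecurityToken> tokens = tokenManager != null ? tokenManager.getTokens() : null;
        if (tokens != null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, tokens.size() + " tokens found.");
            }
            for (SecurityToken token : tokens) {
                if (!(token instanceof ExchangeToken) || !qName.equals(token.getValueType())) {
                    continue;
                }
                ExchangeToken exchangeToken = (ExchangeToken) token;
                if (exchangeToken.getAuthorizationToken() != null && qName2.equals(exchangeToken.getAuthorizationToken().getValueType())) {
                    matched = true;
                    break;
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "matchExchangedToken(QName config_qn, QName token_qn )" + matched);
        }
        return matched;
    }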
}
