package com.ibm.ws.security.auth.kerberos;

import com.ibm.ISecurityLocalObjectCSIv2UtilityImpl.OID;
import com.ibm.ISecurityLocalObjectTokenBaseImpl.Krb5NLS;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.security.krb5.internal.Config;
import com.ibm.security.krb5.internal.ktab.KeyTab;
import com.ibm.websphere.management.Session;
import com.ibm.websphere.management.application.AppConstants;
import com.ibm.websphere.management.configservice.ConfigService;
import com.ibm.websphere.management.configservice.ConfigServiceHelper;
import com.ibm.websphere.management.configservice.SystemAttributes;
import com.ibm.websphere.management.exception.InvalidAttributeNameException;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.SubjectHelper;
import com.ibm.ws.security.config.AuthMechanismConfig;
import com.ibm.ws.security.config.SecurityConfig;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.config.ServerStatusHelper;
import com.ibm.ws.security.config.UserRegistryConfig;
import com.ibm.ws.security.core.ContextManager;
import com.ibm.ws.security.core.ContextManagerFactory;
import com.ibm.ws.security.spnego.Constants;
import com.ibm.ws.security.token.WSKRBAuthnTokenFactoryFactory;
import com.ibm.ws.security.zOS.PlatformCredentialManager;
import com.ibm.ws.util.PlatformHelperFactory;
import com.ibm.ws.wssecurity.platform.websphere.token.KRBTicket;
import com.ibm.wsspi.wssecurity.platform.token.KRBAuthnToken;
import com.ibm.wsspi.wssecurity.platform.token.KRBAuthnTokenFactory;
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import javax.management.AttributeList;
import javax.management.ObjectName;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.omg.CSI.KRB5MechOID;

/* loaded from: input_file:com/ibm/ws/security/auth/kerberos/Krb5Utils.class */
public class Krb5Utils {
    // Dotted-decimal OID string of the Kerberos V5 GSS-API mechanism.
    // NOTE(review): the methods in this listing use the literal string rather than this constant.
    private static final String KRB5_OID = "1.2.840.113554.1.2.2";
    // Dotted-decimal OID string of the SPNEGO negotiation mechanism (same note as above).
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";
    // Shared GSSManager; the createGSSCredential overloads use it to build names and credentials.
    private static final GSSManager _mgr = GSSManager.getInstance();
    // Caches filled lazily by getKrb5MechOid() / getSpnegoMechOid(); they stay null until an Oid
    // has been created successfully. The fields are neither volatile nor guarded by a lock.
    private static Oid krb5MechOid = null;
    private static Oid spnegoMechOid = null;
    // Trace component for this class, registered with the "Security" group and the Krb5NLS message file.
    private static TraceComponent tc = Tr.register(Krb5Utils.class, "Security", Krb5NLS.MSG_FILE);

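    /**
     * Builds an initiate-only Kerberos {@link GSSCredential} for the client principal of the
     * Kerberos ticket carried by {@code subject}.
     *
     * <p>The credential is acquired inside {@code Subject.doAs(subject, ...)}. Every failure is
     * reported through FFDC/trace and turned into a {@code null} return, so callers must treat
     * {@code null} as "no credential" and must not continue as if delegation succeeded.
     *
     * <p>The decompiled listing placed {@code catch (Exception)} before {@code catch (GSSException)},
     * which makes the second handler unreachable (and is rejected by javac); the handlers are
     * ordered most-specific first here so the GSS-specific probe and message are actually used.
     *
     * @param subject subject expected to hold a Kerberos ticket
     * @return the credential, or {@code null} when the subject has no ticket or acquisition fails
     */
    public static GSSCredential createGSSCredential(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createGSSCredential(temp_subject)");
        }
        GSSCredential gSSCredential = null;
        try {
            KerberosTicket kerberosTicketFromSubject = SubjectHelper.getKerberosTicketFromSubject(subject);
            if (kerberosTicketFromSubject != null) {
                final String name = kerberosTicketFromSubject.getClient().getName();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Name for cred: " + name);
                }
                gSSCredential = Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() {
                    @Override
                    public GSSCredential run() {
                        try {
                            if (name == null) {
                                // The original reached the generic handler below through a null
                                // dereference; keep that outcome but make the cause explicit.
                                throw new NullPointerException("Kerberos client principal name is null");
                            }
                            Oid mech = Krb5Utils.getKrb5MechOid();
                            GSSName clientName = Krb5Utils._mgr.createName(name, GSSName.NT_USER_NAME, mech).canonicalize(mech);
                            // INDEFINITE_LIFETIME == Integer.MAX_VALUE and INITIATE_ONLY == 1, the values used originally.
                            return Krb5Utils._mgr.createCredential(clientName, GSSCredential.INDEFINITE_LIFETIME, mech, GSSCredential.INITIATE_ONLY);
                        } catch (GSSException e2) {
                            FFDCFilter.processException((Throwable) e2, "com.ibm.security.auth.kerberos.krb5utils.createGSSCredential", "155", (Object) this);
                            // As in the original, the error message is only emitted when entry tracing is on.
                            if (Krb5Utils.tc.isEntryEnabled()) {
                                Tr.error(Krb5Utils.tc, "security.auth.kerberos.GSSException", new Object[]{"createName() or createCredential()", e2});
                            }
                            return null;
                        } catch (Exception e) {
                            FFDCFilter.processException(e, "com.ibm.security.auth.kerberos.krb5utils.createGSSCredential", "160", this);
                            if (Krb5Utils.tc.isEntryEnabled()) {
                                Tr.error(Krb5Utils.tc, "security.auth.kerberos.Exception", new Object[]{"createName() or createCredential()", e});
                            }
                            return null;
                        }
                    }
                });
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "createGSSCredential(temp_subject) " + gSSCredential);
            }
            return gSSCredential;
        } catch (PrivilegedActionException e) {
            Tr.debug(tc, "Exception in Subject.doAS.", new Object[]{e.getException().toString()});
            return null;
        }
    }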

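    /**
     * Builds an initiate-only Kerberos {@link GSSCredential} from a bare {@link KerberosTicket}.
     *
     * <p>The ticket is placed in the private credentials of a temporary {@link Subject} and the
     * credential is acquired inside {@code Subject.doAs} on that subject. Every failure is
     * reported through FFDC/trace and turned into a {@code null} return; callers must treat
     * {@code null} as "no credential".
     *
     * <p>Two changes from the decompiled listing: the {@code GSSException} handler now precedes the
     * generic one (the original order left it unreachable), and the debug trace no longer prints
     * the temporary Subject. {@code Subject.toString()} can render private credentials, so tracing
     * it could copy ticket material into trace logs; only the client name is traced.
     *
     * @param kerberosTicket ticket to wrap; {@code null} yields a {@code null} result
     * @return the credential, or {@code null} when no ticket was given or acquisition fails
     */
    public static GSSCredential createGSSCredential(KerberosTicket kerberosTicket) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createGSSCredential(kTicket)");
        }
        GSSCredential gSSCredential = null;
        if (kerberosTicket != null) {
            try {
                final String name = kerberosTicket.getClient().getName();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "kTicket client name: " + name);
                }
                Subject subject = new Subject();
                subject.getPrivateCredentials().add(kerberosTicket);
                if (tc.isDebugEnabled()) {
                    // Deliberately not tracing the Subject itself: it now holds the ticket.
                    Tr.debug(tc, "Added Kerberos ticket to temp_subject for client: " + name);
                }
                gSSCredential = Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() {
                    @Override
                    public GSSCredential run() {
                        try {
                            if (name == null) {
                                // The original reached the generic handler below through a null
                                // dereference; keep that outcome but make the cause explicit.
                                throw new NullPointerException("Kerberos client principal name is null");
                            }
                            Oid mech = Krb5Utils.getKrb5MechOid();
                            GSSName clientName = Krb5Utils._mgr.createName(name, GSSName.NT_USER_NAME, mech).canonicalize(mech);
                            // INDEFINITE_LIFETIME == Integer.MAX_VALUE and INITIATE_ONLY == 1, the values used originally.
                            return Krb5Utils._mgr.createCredential(clientName, GSSCredential.INDEFINITE_LIFETIME, mech, GSSCredential.INITIATE_ONLY);
                        } catch (GSSException e2) {
                            FFDCFilter.processException((Throwable) e2, "com.ibm.security.auth.kerberos.krb5utils.createGSSCredential", "226", (Object) this);
                            // As in the original, the error message is only emitted when entry tracing is on.
                            if (Krb5Utils.tc.isEntryEnabled()) {
                                Tr.error(Krb5Utils.tc, "security.auth.kerberos.GSSException", new Object[]{"createName() or createCredential()", e2});
                            }
                            return null;
                        } catch (Exception e) {
                            FFDCFilter.processException(e, "com.ibm.security.auth.kerberos.krb5utils.createGSSCredential", "231", this);
                            if (Krb5Utils.tc.isEntryEnabled()) {
                                Tr.error(Krb5Utils.tc, "security.auth.kerberos.Exception", new Object[]{"createName() or createCredential()", e});
                            }
                            return null;
                        }
                    }
                });
            } catch (PrivilegedActionException e) {
                Tr.debug(tc, "Exception in Subject.doAS.", new Object[]{e.getException().toString()});
                return null;
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createGSSCredential(kTicket) " + gSSCredential);
        }
        return gSSCredential;
    }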

    /**
     * Returns the {@link Oid} of the Kerberos V5 mechanism, creating and caching it on first use.
     *
     * <p>If the Oid cannot be constructed the failure is recorded through FFDC and trace, the cache
     * stays {@code null}, and {@code null} is returned; the next call tries again.
     *
     * @return the cached Kerberos V5 mechanism Oid, or {@code null} if it could not be created
     */
    public static Oid getKrb5MechOid() {
        if (krb5MechOid == null) {
            try {
                krb5MechOid = new Oid("1.2.840.113554.1.2.2");
            } catch (GSSException oidFailure) {
                FFDCFilter.processException(oidFailure, "com.ibm.security.auth.kerberos.krb5utils.getKrb5MechOid", "263");
                Tr.debug(tc, "krb5MechOid is null", new Object[]{Oid.class, "Oid(\"1.2.840.113554.1.2.2\")", oidFailure});
                krb5MechOid = null;
            }
        }
        return krb5MechOid;
    }

    /**
     * Returns the {@link Oid} of the SPNEGO mechanism, creating and caching it on first use.
     *
     * <p>If the Oid cannot be constructed the failure is recorded through FFDC and trace, the cache
     * stays {@code null}, and {@code null} is returned; the next call tries again.
     *
     * @return the cached SPNEGO mechanism Oid, or {@code null} if it could not be created
     */
    public static Oid getSpnegoMechOid() {
        if (spnegoMechOid == null) {
            try {
                spnegoMechOid = new Oid("1.3.6.1.5.5.2");
            } catch (GSSException oidFailure) {
                FFDCFilter.processException(oidFailure, "com.ibm.security.auth.kerberos.krb5utils.getSpnegoMechOid", "283");
                Tr.debug(tc, "spnegoMechOid is null", new Object[]{Oid.class, "Oid(\"1.3.6.1.5.5.2\")", oidFailure});
                spnegoMechOid = null;
            }
        }
        return spnegoMechOid;
    }

    /**
     * Sets the system property named by {@code Constants.KEY_JGSS_USE_SUBJ_CREDS} to
     * {@code "true"} or {@code "false"} and traces the previous and new values.
     *
     * <p>The write happens in a privileged block and changes a JVM-wide system property, so it
     * affects every component in the process that reads it, not only the caller. The previous
     * value is traced but not restored.
     * NOTE(review): presumably this is the JGSS "use subject credentials only" switch; confirm
     * against the Constants class and review which callers are allowed to flip it.
     *
     * @param z the value to store
     */
    public static void setUseSubjectCredsOnly(boolean z) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setUseSubjectCredsOnly");
        }
        final String requested = String.valueOf(z);
        String previous = AccessController.doPrivileged(new PrivilegedAction<String>() {
            @Override
            public String run() {
                // setProperty hands back the value that was in place before the write.
                return System.setProperty(Constants.KEY_JGSS_USE_SUBJ_CREDS, requested);
            }
        });
        if (tc.isDebugEnabled()) {
            String shownPrevious = previous == null ? "<null>" : previous;
            Tr.debug(tc, "useSubjectCredsOnly property previous: " + shownPrevious + " and now: " + requested);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setUseSubjectCredsOnly");
        }
    }

    /**
     * Points the JVM at a Kerberos configuration file and asks the Kerberos {@code Config} to reload.
     *
     * <p>For a non-empty path this sets the {@code java.security.krb5.conf} system property in a
     * privileged block, then refreshes {@code Config}. A reload failure is recorded (FFDC and debug
     * trace) and otherwise ignored; the property stays at the new value. A {@code null} or empty
     * path is a no-op apart from entry/exit tracing.
     *
     * <p>The property is process-wide and the file it names determines which realms and KDCs the
     * JVM trusts, so the path should only ever come from administrator-controlled configuration.
     *
     * @param str path of the Kerberos configuration file
     */
    public static void setKrbConfigProp(final String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setKrbConfigProp");
        }
        boolean pathGiven = str != null && str.length() != 0;
        if (pathGiven) {
            String previous = AccessController.doPrivileged(new PrivilegedAction<String>() {
                @Override
                public String run() {
                    // setProperty hands back the value that was in place before the write.
                    return System.setProperty("java.security.krb5.conf", str);
                }
            });
            try {
                // Same call sequence as the original: instance, refresh, instance.
                Config.getInstance();
                Config.refresh();
                Config.getInstance();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Reloaded the kerberos config file.");
                }
            } catch (Exception reloadFailure) {
                FFDCFilter.processException(reloadFailure, "com.ibm.security.auth.kerberos.krb5utils.setKrbConfigProp", "351");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, reloadFailure.getMessage(), new Object[]{reloadFailure});
                }
            }
            if (tc.isDebugEnabled()) {
                String shownPrevious = previous == null ? "<null>" : previous;
                Tr.debug(tc, "java.security.krb5.conf property previous: " + shownPrevious + " and now: " + str);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setKrbConfigProp");
        }
    }

    /**
     * Records the keytab location in the {@code KRB5_KTNAME} system property and reloads the keytab.
     *
     * <p>For a non-empty path the property is overwritten in a privileged block. If a different,
     * non-empty value was already present a warning ({@code security.auth.kerberos.cannot.resetkeytab})
     * is issued; the property has already been replaced by then. The keytab is then loaded and
     * refreshed; an {@link IOException} is recorded (FFDC and debug trace) and otherwise ignored.
     *
     * <p>A keytab holds long-term service keys and the property is process-wide, so the path should
     * come only from administrator-controlled configuration and the file should be readable only by
     * the server identity.
     *
     * @param str path of the keytab file; {@code null} or empty is a no-op apart from tracing
     */
    public static void setKrbKeytabProp(final String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "setKrbKeytabProp");
        }
        boolean pathGiven = str != null && str.length() != 0;
        if (pathGiven) {
            String previous = AccessController.doPrivileged(new PrivilegedAction<String>() {
                @Override
                public String run() {
                    // setProperty hands back the value that was in place before the write.
                    return System.setProperty("KRB5_KTNAME", str);
                }
            });
            boolean replacedDifferentKeytab = previous != null && previous.length() > 0 && !previous.equals(str);
            if (replacedDifferentKeytab) {
                Tr.warning(tc, "security.auth.kerberos.cannot.resetkeytab", new Object[]{str, previous, previous});
            }
            try {
                KeyTab.getInstance(str);
                KeyTab.refresh();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Reloaded the keytab file");
                }
            } catch (IOException reloadFailure) {
                FFDCFilter.processException(reloadFailure, "com.ibm.security.auth.kerberos.krb5utils.setKrbKeytabProp", "396");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, reloadFailure.getMessage(), new Object[]{reloadFailure});
                }
            }
            if (tc.isDebugEnabled()) {
                String shownPrevious = previous == null ? "<null>" : previous;
                Tr.debug(tc, "KRB5_KTNAME property previous: " + shownPrevious + " and now: " + str);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "setKrbKeytabProp");
        }
    }

    /**
     * Decides whether a login should be handled by the Kerberos login path.
     *
     * <p>Returns {@code false} (login handled elsewhere) when, in this order:
     * <ol>
     *   <li>the active authentication mechanism's OID is not the Kerberos V5 OID;</li>
     *   <li>an internal server id is configured and {@code str2} is that internal server id;</li>
     *   <li>no uid was given and the supplied mechanism OID is not Kerberos;</li>
     *   <li>on z/OS with a LOCALOS registry, {@code str2} equals the non-empty region id.</li>
     * </ol>
     * Otherwise the configured {@code krb5Config} path, if any, is applied through
     * {@link #setKrbConfigProp(String)} and {@code true} is returned.
     *
     * <p>The uid is written to the entry trace as given. Checks 2 and 4 route specific identities
     * away from this path purely on the supplied uid string, so the alternative path is the one
     * that has to authenticate them.
     *
     * @param str  mechanism OID of the request, may be {@code null}
     * @param str2 user id of the request, may be {@code null}
     * @return {@code true} if the Kerberos login path should process this login
     */
    public static boolean isKrb5Login(String str, String str2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isKrb5Login: Oid:" + str + " uid: " + (str2 != null ? str2 : "<null>"));
        }
        SecurityConfig config = SecurityObjectLocator.getSecurityConfig();

        String activeMechOid = config.getActiveAuthMechanism().getString(AuthMechanismConfig.OID);
        if (!OID.compareOIDs(activeMechOid, KRB5MechOID.value)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "activeAuthMechanism is not KRB5. Handling login outside this login module");
            }
            return false;
        }

        ContextManager contextManager = ContextManagerFactory.getInstance();
        if (SecurityObjectLocator.getAdminData().getString("com.ibm.ws.security.internalServerId") != null
                && contextManager.isInternalServerId(str2)) {
            // Unlike the other branches, the original traces here without checking isDebugEnabled().
            Tr.debug(tc, "internal server ID. Handling login outside this login module");
            return false;
        }

        boolean onlyMechanismSupplied = str2 == null && str != null;
        if (onlyMechanismSupplied && !OID.compareOIDs(str, KRB5MechOID.value)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Authentication mechanism is NOT Kerberos. Handling login outside this login module.");
            }
            return false;
        }

        if (PlatformHelperFactory.getPlatformHelper().isZOS()
                && config.getActiveUserRegistry().getType().equals("LOCALOS")) {
            String regionId = ContextManagerFactory.getInstance().getRegionId();
            if (regionId != null && regionId.length() != 0 && regionId.equals(str2)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "region ID for zOS. Handling login outside this login module");
                }
                return false;
            }
        }

        String krb5ConfigPath = config.getAuthMechanism(AuthMechanismConfig.TYPE_KERBEROS).getString("krb5Config");
        if (krb5ConfigPath != null) {
            setKrbConfigProp(krb5ConfigPath);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isKrb5Login true");
        }
        return true;
    }

    /**
     * Returns the Kerberos realm for this server.
     *
     * <p>The {@code krb5Realm} setting of the Kerberos auth mechanism wins when it is non-empty.
     * Otherwise, if a {@code krb5Config} path is configured, the default realm is read from that
     * file via {@link #getDefaultRealm(String)}. With neither available the (null or empty)
     * {@code krb5Realm} value is returned unchanged.
     *
     * @return the realm, possibly {@code null} or empty
     * @throws Exception if reading the default realm from the configuration file fails
     */
    public static String getKrb5Realm() throws Exception {
        String configuredRealm = SecurityObjectLocator.getSecurityConfig().getAuthMechanism(AuthMechanismConfig.TYPE_KERBEROS).getString("krb5Realm");
        if (configuredRealm != null && configuredRealm.length() != 0) {
            return configuredRealm;
        }
        String krb5ConfigPath = SecurityObjectLocator.getSecurityConfig().getAuthMechanism(AuthMechanismConfig.TYPE_KERBEROS).getString("krb5Config");
        if (krb5ConfigPath != null && krb5ConfigPath.length() > 0) {
            return getDefaultRealm(krb5ConfigPath);
        }
        return configuredRealm;
    }

    /**
     * Reads the default realm from the Kerberos configuration.
     *
     * <p>Outside a server process the current {@code Config} is refreshed and queried directly and
     * {@code str} is not used. Inside a server process a non-empty {@code str} is first applied
     * with {@link #setKrbConfigProp(String)} (a JVM-wide property change) before the refresh; with
     * a {@code null} or empty {@code str} nothing is read and {@code null} is returned.
     *
     * @param str path of the Kerberos configuration file
     * @return the default realm, or {@code null} in the server case without a path
     * @throws Exception any failure from the refresh or lookup, after it was recorded via FFDC
     */
    public static String getDefaultRealm(String str) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getDefaultRealm");
        }
        try {
            String realm = null;
            if (ServerStatusHelper.isServer()) {
                if (str != null && str.length() > 0) {
                    setKrbConfigProp(str);
                    Config.getInstance();
                    Config.refresh();
                    realm = Config.getInstance().getDefaultRealm();
                }
            } else {
                Config.getInstance();
                Config.refresh();
                realm = Config.getInstance().getDefaultRealm();
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "getDefaultRealm " + realm);
            }
            return realm;
        } catch (Exception lookupFailure) {
            FFDCFilter.processException(lookupFailure, "com.ibm.security.auth.kerberos.krb5utils.getDefaultRealm", "521");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, lookupFailure.getMessage(), new Object[]{lookupFailure});
            }
            throw lookupFailure;
        }
    }

    /**
     * Returns the keytab location for this server and reloads that keytab.
     *
     * <p>The {@code krb5Keytab} setting of the Kerberos auth mechanism wins when it is non-empty;
     * otherwise, if a {@code krb5Config} path is configured, the location comes from
     * {@link #getDefaultKeytab(String)}. When a non-empty location results, the keytab is loaded
     * and refreshed; an {@link IOException} during that reload is recorded (FFDC and debug trace)
     * and the location is still returned, so a returned path does not prove the file was readable.
     *
     * @return the keytab location, possibly {@code null} or empty
     * @throws Exception if determining the default keytab fails
     */
    public static String getKrb5Keytab() throws Exception {
        String keytabPath = SecurityObjectLocator.getSecurityConfig().getAuthMechanism(AuthMechanismConfig.TYPE_KERBEROS).getString("krb5Keytab");
        if (keytabPath == null || keytabPath.length() == 0) {
            String krb5ConfigPath = SecurityObjectLocator.getSecurityConfig().getAuthMechanism(AuthMechanismConfig.TYPE_KERBEROS).getString("krb5Config");
            if (krb5ConfigPath != null && krb5ConfigPath.length() > 0) {
                keytabPath = getDefaultKeytab(krb5ConfigPath);
            }
        }
        if (keytabPath == null || keytabPath.length() == 0) {
            return keytabPath;
        }
        try {
            KeyTab.getInstance(keytabPath);
            KeyTab.refresh();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Reloaded the keytab file");
            }
        } catch (IOException reloadFailure) {
            FFDCFilter.processException(reloadFailure, "com.ibm.security.auth.kerberos.krb5utils.getKrb5Keytab", "549");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, reloadFailure.getMessage(), new Object[]{reloadFailure});
            }
        }
        return keytabPath;
    }

    /* JADX WARN: Code restructure failed: missing block: B:54:0x001d, code lost:
    
        if (r7.length() == 0) goto L10;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /*
        NOTE(review): this body is a decompiler placeholder, not the real implementation. The
        decompiler could not reconstruct the method, so as listed it always throws
        UnsupportedOperationException. getKrb5Keytab() in this class calls it when no krb5Keytab is
        configured; the actual behaviour has to be taken from the original class file or from
        vendor documentation, not from this listing.
    */
    public static java.lang.String getDefaultKeytab(java.lang.String r7) throws java.lang.Exception {
        /*
            Method dump skipped, instructions count: 307
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.ibm.ws.security.auth.kerberos.Krb5Utils.getDefaultKeytab(java.lang.String):java.lang.String");
    }

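    /**
     * Looks up the configuration object of one authentication mechanism under a security object.
     *
     * <p>Reads the {@code authMechanisms} attribute of {@code objectName}, and for every entry whose
     * config data type equals {@code str} queries the matching config object. If several entries
     * match, the last one with a non-null result wins, as in the original.
     *
     * <p>Compared with the decompiled listing, an empty or {@code null} query result and a
     * {@code null} data-type attribute are now skipped instead of raising
     * {@code ArrayIndexOutOfBoundsException} / {@code NullPointerException}.
     *
     * @param session       configuration session
     * @param configService configuration service used for the lookups
     * @param objectName    object whose {@code authMechanisms} attribute is read
     * @param str           config data type of the wanted mechanism
     * @return the mechanism's config object, or {@code null} if none was found or the attribute
     *         name was rejected
     * @throws Exception any other failure raised by the configuration service
     */
    public static ObjectName getAuthMechObj(Session session, ConfigService configService, ObjectName objectName, String str) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getAuthMechObj");
        }
        ObjectName objectName2 = null;
        try {
            ArrayList arrayList = (ArrayList) configService.getAttribute(session, objectName, "authMechanisms");
            if (arrayList != null) {
                for (Object entry : arrayList) {
                    AttributeList attributeList = (AttributeList) entry;
                    Object dataType = ConfigServiceHelper.getAttributeValue(attributeList, SystemAttributes._WEBSPHERE_CONFIG_DATA_TYPE);
                    if (dataType == null || !dataType.toString().equals(str)) {
                        continue;
                    }
                    ObjectName[] queryConfigObjects = configService.queryConfigObjects(session, null, ConfigServiceHelper.createObjectName(attributeList), null);
                    // A query that matches nothing must not abort the whole lookup.
                    if (queryConfigObjects != null && queryConfigObjects.length > 0 && queryConfigObjects[0] != null) {
                        objectName2 = queryConfigObjects[0];
                    }
                }
            }
        } catch (InvalidAttributeNameException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "getAuthMechObj caught an unexpected exception.", new Object[]{e});
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getAuthMechObj " + objectName2);
        }
        return objectName2;
    }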

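    /**
     * Creates a {@link KRBAuthnToken} from whichever of a GSS credential, a Kerberos ticket and a
     * Kerberos principal is available.
     *
     * <p>The principal name is taken from {@code kerberosPrincipal}, else the ticket's client, else
     * the credential's name; the part before {@code '@'} becomes the token principal. The realm is
     * {@code str} when non-empty, otherwise the part after {@code '@'}. When only a principal is
     * supplied (no ticket, no credential) the token gets an expiration of "now + LTPA timeout".
     *
     * <p>This method does not authenticate anything: in the principal-only case the token is built
     * from a name alone, so callers are responsible for having verified that identity first.
     * Creation failures are recorded (FFDC and error message) and yield {@code null}.
     *
     * <p>Fix over the decompiled listing: the closing debug trace dereferenced the token even when
     * it was {@code null} (all inputs null, or creation failed), which raised a
     * {@code NullPointerException} whenever debug tracing was enabled.
     *
     * @param kerberosTicket    Kerberos ticket, may be {@code null}
     * @param gSSCredential     GSS credential, may be {@code null}
     * @param kerberosPrincipal Kerberos principal, may be {@code null}
     * @param str               realm to use; {@code null} or empty to derive it from the name
     * @param j                 lifetime; only traced by this method, not applied to the token
     * @return the token, or {@code null} if all three inputs are {@code null} or creation fails
     */
    public static KRBAuthnToken createKRBAuthnToken(KerberosTicket kerberosTicket, GSSCredential gSSCredential, KerberosPrincipal kerberosPrincipal, String str, long j) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createKRBAuthnToken");
        }
        KRBAuthnToken kRBAuthnToken = null;
        if (tc.isDebugEnabled()) {
            // Ticket and credential are traced only as present/absent, never by value.
            Tr.debug(tc, "kTicket: " + (kerberosTicket != null ? "<not null>" : AppConstants.NULL_STRING));
            Tr.debug(tc, "gssCred: " + (gSSCredential != null ? "<not null>" : AppConstants.NULL_STRING));
            Tr.debug(tc, "krbPrincipal: " + (kerberosPrincipal != null ? kerberosPrincipal : AppConstants.NULL_STRING));
            Tr.debug(tc, "krbRealm: " + (str != null ? str : AppConstants.NULL_STRING));
            Tr.debug(tc, "lifetime: " + j);
        }
        if (gSSCredential != null || kerberosTicket != null || kerberosPrincipal != null) {
            try {
                HashMap hashMap = new HashMap();
                if (gSSCredential != null) {
                    hashMap.put(KRBAuthnTokenFactory.GSS_CREDENTIAL, gSSCredential);
                }
                if (kerberosTicket != null) {
                    hashMap.put(KRBAuthnTokenFactory.KERBEROS_TICKET, kerberosTicket);
                }
                if (gSSCredential == null && kerberosTicket == null && kerberosPrincipal != null) {
                    // Principal-only token: no ticket lifetime exists, so fall back to the LTPA
                    // timeout (minutes in the config, converted to milliseconds here).
                    long j2 = SecurityObjectLocator.getSecurityConfig().getAuthMechanism("LTPA").getLong(AuthMechanismConfig.TIMEOUT) * 60 * 1000;
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "defaultLifetime: " + j2);
                        Tr.debug(tc, "Use default lifetime: " + new Date(j2 + System.currentTimeMillis()));
                    }
                    hashMap.put(KRBAuthnTokenFactory.EXPIRATION_TIME, Long.valueOf(j2 + System.currentTimeMillis()));
                }
                String str2 = null;
                if (kerberosPrincipal != null) {
                    str2 = kerberosPrincipal.getName();
                } else if (kerberosTicket != null) {
                    str2 = kerberosTicket.getClient().getName();
                } else if (gSSCredential != null) {
                    str2 = gSSCredential.getName().toString();
                }
                String str3 = str;
                if (str2 != null && str2.length() > 0) {
                    String str4 = str2;
                    int indexOf = str2.indexOf("@");
                    if (indexOf > 0) {
                        str4 = str2.substring(0, indexOf);
                        // An explicitly supplied realm takes precedence over the one in the name.
                        if (str3 == null || str3.length() == 0) {
                            str3 = str2.substring(indexOf + 1);
                        }
                    }
                    hashMap.put(KRBAuthnTokenFactory.PRINCIPAL_NAME, str4);
                }
                if (str3 != null && str3.length() > 0) {
                    hashMap.put(KRBAuthnTokenFactory.REALM_NAME, str3);
                }
                kRBAuthnToken = WSKRBAuthnTokenFactoryFactory.getFactory().createToken(hashMap);
            } catch (Exception e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.auth.kerberos.createKRBAuthnToken", "719");
                Tr.error(tc, "security.auth.kerberos.unexpectedexception", new Object[]{"KRBAuthnToken()", e});
            }
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Kerberos ticket, gssCred and Kerberos principal name are null - not good!");
        }
        // The token is null when no input was supplied or creation failed; do not dereference it.
        if (tc.isDebugEnabled() && kRBAuthnToken != null) {
            Tr.debug(tc, "getTokenExpiration: " + kRBAuthnToken.getTokenExpiration());
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createKRBAuthnToken " + (kRBAuthnToken != null ? "<not null>" : "<null>"));
        }
        return kRBAuthnToken;
    }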

    /**
     * Maps a Kerberos principal to a SAF (RACF) user id on z/OS.
     *
     * <p>Mapping is attempted only on z/OS, with a LOCALOS active user registry, and when Kerberos is
     * the active auth mechanism or SPNEGO is enabled. Two strategies exist, chosen by security
     * properties: the built-in mapping ({@code mapKerbPrincipal}, traced as "KERB segment") and the
     * RACMAP-profile mapping ({@code createMappedCredential} with the name split at {@code '@'}).
     * If the conditions are not met, or neither strategy is enabled, {@code null} is returned.
     *
     * <p>The returned id becomes the local identity of the caller, so a {@code null} result must be
     * treated as "no mapping" and never as a default identity.
     *
     * @param str           Kerberos principal name; if {@code null} the name is taken from
     *                      {@code gSSCredential}
     * @param gSSCredential credential used as fallback source of the principal name, may be {@code null}
     * @return the mapped RACF id, or {@code null} when no mapping was attempted
     * @throws LoginException if an enabled mapping yields no id (a {@code WSLoginFailedException} is
     *         thrown when the name cannot be read from the credential or the split fails)
     */
    public static String mapKerbPrincToRACF(String str, GSSCredential gSSCredential) throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "mapKerbPrincToRACF()");
        }
        String str2 = null;
        SecurityConfig securityConfig = SecurityObjectLocator.getSecurityConfig();
        // Four switches: built-in vs RACMAP mapping, each separately for Kerberos and for SPNEGO.
        String property = securityConfig.getProperty(SecurityConfig.KRB_USE_BUILTIN_SAF_MAPPING);
        String property2 = securityConfig.getProperty(SecurityConfig.KRB_USE_RACMAP_SAF_MAPPING);
        String property3 = securityConfig.getProperty(SecurityConfig.SPNEGO_USE_RACMAP_SAF_MAPPING);
        String property4 = securityConfig.getProperty(SecurityConfig.SPNEGO_USE_BUILTIN_SAF_MAPPING);
        UserRegistryConfig activeUserRegistry = securityConfig.getActiveUserRegistry();
        // equals: Kerberos is the active auth mechanism; z: SPNEGO is configured and enabled.
        boolean equals = AuthMechanismConfig.TYPE_KERBEROS.equals(securityConfig.getActiveAuthMechanism().getType());
        boolean z = false;
        AuthMechanismConfig authMechanism = securityConfig.getAuthMechanism(AuthMechanismConfig.TYPE_SPNEGO);
        if (authMechanism != null) {
            z = authMechanism.getBoolean(AuthMechanismConfig.SPNEGO_ENABLED);
        }
        if (PlatformHelperFactory.getPlatformHelper().isZOS() && ((equals || z) && activeUserRegistry.getType().equals("LOCALOS"))) {
            // Resolve the principal name: explicit parameter first, credential as fallback.
            // NOTE(review): if both str and gSSCredential are null, str stays null and is passed
            // to the mapping calls below; confirm the platform calls reject a null principal.
            if (str != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Got Kerberos principal name from input parameter: " + str);
                }
            } else if (gSSCredential != null) {
                try {
                    str = gSSCredential.getName().toString();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Got Kerberos principal name from GSSCred: " + str);
                    }
                } catch (GSSException e) {
                    // The exit trace on the failure paths is guarded by isDebugEnabled(), not isEntryEnabled().
                    if (tc.isDebugEnabled()) {
                        Tr.exit(tc, "mapKerbPrincToRACF() Error getting name from GSSCredential. Caught exception: " + e);
                    }
                    throw new WSLoginFailedException(e.getMessage(), e);
                }
            }
            PlatformCredentialManager instance = PlatformCredentialManager.instance();
            // z2 / z3: built-in mapping switched on for Kerberos / for SPNEGO.
            boolean z2 = property != null && property.equalsIgnoreCase("true");
            boolean z3 = property4 != null && property4.equalsIgnoreCase("true");
            if ((equals && z2) || (z && z3)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Map Kerberos principal name to RACF ID using KERB segment:" + str);
                }
                String mapKerbPrincipal = instance.mapKerbPrincipal(str);
                // An empty mapping is a login failure, not a fall-through to another identity.
                if (mapKerbPrincipal == null || mapKerbPrincipal.length() == 0) {
                    if (tc.isDebugEnabled()) {
                        Tr.exit(tc, "mapKerbPrincToRACF() Can not map Kerberos principal " + str + " to RACF ID");
                    }
                    throw new LoginException("Can not map Kerberos principal " + str + " to RACF ID");
                }
                str2 = mapKerbPrincipal;
            // NOTE(review): as grouped here, isSAFVersionValidForIdentityPropagation() gates only the
            // Kerberos alternative; the SPNEGO alternative (property3 && z) is taken without that
            // check. Confirm against the original class whether this is intended or a decompiler
            // regrouping.
            } else if ((instance.isSAFVersionValidForIdentityPropagation() && property2 != null && property2.equalsIgnoreCase("true") && equals) || (property3 != null && property3.equalsIgnoreCase("true") && z)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Map Kerberos principal name to RACF ID using RACMAP profiles");
                }
                // str3: name part before '@'; str4: realm part after '@' (empty when there is no '@').
                String str3 = str;
                String str4 = "";
                if (str != null) {
                    try {
                        int indexOf = str.indexOf(64);
                        if (indexOf > 0) {
                            str3 = str.substring(0, indexOf);
                            str4 = str.substring(indexOf + 1);
                        }
                    } catch (Exception e2) {
                        if (tc.isDebugEnabled()) {
                            Tr.exit(tc, "mapKerbPrincToRACF() Error mapping Kerberos principal " + str + " to RACF ID. Caught the following exception: " + e2);
                        }
                        throw new WSLoginFailedException(e2.getMessage(), e2);
                    }
                }
                String createNameFromPlatformCredential = instance.createNameFromPlatformCredential(instance.createMappedCredential(str3, str4));
                // Same rule as the built-in path: no mapped id means the login fails.
                if (createNameFromPlatformCredential == null || createNameFromPlatformCredential.length() == 0) {
                    if (tc.isDebugEnabled()) {
                        Tr.exit(tc, "mapKerbPrincToRACF() Can not map Kerberos principal " + str + " to RACF ID");
                    }
                    throw new LoginException("Can not map Kerberos principal " + str + " to RACF ID");
                }
                str2 = createNameFromPlatformCredential;
            }
            // Neither strategy enabled: str2 stays null and is returned as "no mapping".
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "All conditions were not met for mapping to SAF user id, returning null");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "mapKerbPrincToRACF()", str2);
        }
        return str2;
    }

    /**
     * Returns the unique id of the Kerberos authentication token held by a subject.
     *
     * <p>By default this is the token's own unique id. When the security property
     * {@code SecurityConfig.USE_KRB_AUTHN_TOKEN_ALT_UNIQUE_ID} is {@code "true"} (case-insensitive)
     * the id is instead {@code principal@realm} followed by {@code :krbCredential=yes} if the token
     * is a {@code KRBTicket} carrying a Kerberos ticket, else {@code :krbCredential=no}.
     *
     * <p>The alternative id is built by string concatenation, so a token without principal or realm
     * produces the text {@code null} in that position.
     * NOTE(review): if this id is used as a cache or lookup key, confirm such tokens cannot reach
     * this method, since they would share one id.
     *
     * <p>As in the original, the two early {@code null} returns emit no exit trace.
     *
     * @param subject subject to inspect, may be {@code null}
     * @return the unique id, or {@code null} if the subject is {@code null} or holds no Kerberos token
     */
    public static String getAltKRBAuthnTokenUniqueId(Subject subject) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getAltKRBAuthnTokenUniqueId()");
        }
        if (subject == null) {
            return null;
        }
        KRBAuthnToken token = SubjectHelper.getKerberosAuthnTokenFromSubject(subject);
        if (token == null) {
            return null;
        }
        String altIdFlag = SecurityObjectLocator.getSecurityConfig().getProperty(SecurityConfig.USE_KRB_AUTHN_TOKEN_ALT_UNIQUE_ID);
        boolean useAlternativeId = altIdFlag != null && altIdFlag.equalsIgnoreCase("true");
        String uniqueId;
        if (useAlternativeId) {
            String principalAtRealm = token.getTokenPrincipal() + "@" + token.getTokenRealm();
            boolean carriesTicket = (token instanceof KRBTicket) && ((KRBTicket) token).getKerberosTicket() != null;
            uniqueId = principalAtRealm + (carriesTicket ? ":krbCredential=yes" : ":krbCredential=no");
        } else {
            uniqueId = token.getTokenUniqueID();
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getAltKRBAuthnTokenUniqueId() " + uniqueId);
        }
        return uniqueId;
    }

    /**
     * Strips the realm from a Kerberos-style user name, returning the part before the first {@code '@'}.
     *
     * <p>A {@code null} name, a name without {@code '@'}, and a name that starts with {@code '@'}
     * are returned unchanged.
     *
     * <p>Dropping the realm makes {@code user@REALM.A} and {@code user@REALM.B} indistinguishable,
     * so the result should only feed authorization decisions where the realm has already been
     * validated.
     *
     * @param str user name, possibly of the form {@code name@REALM}
     * @return the name without its realm part
     */
    public static String trimUserName(String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "trimUserName " + str);
        }
        String shortName = str;
        if (str != null) {
            int atPosition = str.indexOf('@');
            if (atPosition > 0) {
                shortName = str.substring(0, atPosition);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "trimUserName " + shortName);
        }
        return shortName;
    }

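    /**
     * Finds the first {@link GSSException} in a throwable's cause chain.
     *
     * <p>The search starts at {@code obj} itself and follows {@code getCause()} until a
     * {@code GSSException} is found or the chain ends.
     *
     * <p>The decompiled listing walked the chain through a variable typed {@code Exception}, which
     * does not type-check against {@code Throwable.getCause()}; the walk is done on
     * {@code Throwable} here, so chains containing non-{@code Exception} throwables are handled.
     *
     * @param obj candidate throwable; anything that is not a {@link Throwable} yields {@code null}
     * @return the first {@code GSSException} in the chain, or {@code null} if there is none
     */
    public static Exception getGSSException(Object obj) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getGSSException", obj);
        }
        if (tc.isDebugEnabled() && obj != null) {
            Tr.debug(tc, "getGSSException class name: " + obj.getClass().getName());
        }
        Exception exc = null;
        if (obj instanceof Throwable) {
            for (Throwable current = (Throwable) obj; current != null; current = current.getCause()) {
                if (current instanceof GSSException) {
                    exc = (GSSException) current;
                    break;
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getGSSException: " + exc);
        }
        return exc;
    }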
}
