package com.ibm.wsspi.wssecurity.auth.module;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.webservices.engine.MessageContext;
import com.ibm.ws.webservices.wssecurity.KRBConstants;
import com.ibm.ws.webservices.wssecurity.config.KRBConfig;
import com.ibm.ws.webservices.wssecurity.config.KRBSPN;
import com.ibm.ws.webservices.wssecurity.util.KRB5Util;
import com.ibm.wsspi.wssecurity.auth.callback.KRBTokenCallback;
import com.ibm.wsspi.wssecurity.token.KRBTokenInfo;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/* loaded from: input_file:wasJars/was-wssecurity.jar:com/ibm/wsspi/wssecurity/auth/module/KRBLoginModule.class */
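/**
 * JAAS {@link LoginModule} that obtains a Kerberos token through a
 * {@link KRBTokenCallback}, consumes it via {@link KRB5Util} and records the
 * mapped principal name and Kerberos realm in the JAAS shared state.
 * <p>
 * Holds per-login mutable state without synchronization; not intended for
 * concurrent use.
 */
public class KRBLoginModule implements LoginModule {
    private static final String comp = "auth.KRBLoginModule";
    private static final TraceComponent tc = Tr.register(KRBLoginModule.class, "Web Services Security", "com.ibm.ws.webservices.wssecurity.resources.was-wssecurity");

    // Subject handed to KRB5Util.consumeKerberosToken(); what it attaches there is not visible here.
    private Subject subject = null;
    private CallbackHandler callbackHandler = null;
    // Receives the mapped DN and Kerberos realm on a successful validation.
    private Map sharedState = null;
    // Passed to getSPNConfig() to select the SPN configuration.
    private Map options = null;
    private boolean loginSucceeded = false;
    // SPN configuration resolved in login(); its service name goes into the audit record.
    private KRBConfig config = null;

    /**
     * Stores the JAAS collaborators and resets the login outcome.
     *
     * @param subject         subject for this login
     * @param callbackHandler handler that will supply the {@link KRBTokenCallback}
     * @param map             JAAS shared state
     * @param map2            login-module options
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initialize()");
        }
        this.loginSucceeded = false;
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this.sharedState = map;
        this.options = map2;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize()");
        }
    }

    /**
     * Phase one of the JAAS login: fetches the Kerberos token from the callback
     * handler and validates it.
     *
     * @return {@code true} when the token was consumed and a principal mapped
     * @throws LoginException if no callback handler was supplied, the token is
     *         missing or empty, or the callback/validation path fails
     */
    public boolean login() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "login()");
        }
        this.loginSucceeded = false;
        if (this.callbackHandler == null) {
            throw new LoginException(KRB5Util.getNLS().getString("security.wssecurity.kerberos.login.nocallbackhandler"));
        }
        KRBTokenCallback tokenCallback = new KRBTokenCallback();
        Callback[] callbacks = {tokenCallback};
        try {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Invoking the callbacks");
            }
            this.callbackHandler.handle(callbacks);
            byte[] kerberosToken = tokenCallback.getKerberosToken();
            String valueType = tokenCallback.getKerberosTokenValueType();
            String tokenID = tokenCallback.getKerberosTokenID();
            KRBSPN spn = tokenCallback.getSPN();
            MessageContext messageContext = tokenCallback.getMessageContext();
            this.config = KRB5Util.getSPNList().getSPNConfig(spn, this.options);
            // Reject a missing/empty token before anything dereferences it; the
            // previous version logged kerberosToken.length ahead of this check.
            if (kerberosToken == null || kerberosToken.length == 0) {
                throw new LoginException(KRB5Util.getNLS().getString("security.wssecurity.kerberos.token.unavailable"));
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "token length= " + kerberosToken.length);
                Tr.debug(tc, "token valueType= " + valueType);
                Tr.debug(tc, "tokenID= " + tokenID);
            }
            this.loginSucceeded = validate(kerberosToken, tokenID, valueType, spn, messageContext);
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "login()");
            }
            return this.loginSucceeded;
        } catch (LoginException le) {
            // Carries the NLS "token unavailable" message already; the generic
            // Throwable handler below used to rewrap it and hide that message.
            throw le;
        } catch (UnsupportedCallbackException e) {
            Tr.error(tc, "security.wssecurity.kerberos.unexpected.exception", e.getMessage());
            // String.valueOf avoids an NPE if the exception carries no callback.
            throw loginFailure(comp + String.valueOf(e.getCallback()), e);
        } catch (Throwable th) {
            Tr.error(tc, "security.wssecurity.kerberos.unexpected.exception", KRB5Util.stackToString(th));
            throw loginFailure(comp + th.toString(), th);
        }
    }

    /**
     * Builds a {@link LoginException} that keeps {@code cause} attached;
     * LoginException has no (message, cause) constructor.
     *
     * @param message exception message
     * @param cause   underlying failure
     * @return the exception to throw
     */
    private static LoginException loginFailure(String message, Throwable cause) {
        LoginException le = new LoginException(message);
        le.initCause(cause);
        return le;
    }

    /**
     * Phase two of the JAAS login. Nothing extra is committed here: a failed
     * login is turned into {@link #abort()}, a successful one only traced.
     *
     * @return the outcome recorded by {@link #login()}
     * @throws LoginException propagated from {@link #abort()}
     */
    public boolean commit() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "commit()");
        }
        if (!this.loginSucceeded) {
            abort();
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Login successful");
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "commit()");
        }
        return this.loginSucceeded;
    }

    /**
     * Consumes the token via {@link KRB5Util#consumeKerberosToken}, publishes the
     * resulting {@link KRBTokenInfo} on the message context and records the mapped
     * principal name and realm in the shared state. Any failure is FFDC-logged and
     * reported as {@code false} (fail closed); it is never propagated.
     *
     * @param bArr           raw Kerberos token, already checked non-empty by login()
     * @param str            token identifier, stored under KRBConstants.STR_TOKENID
     * @param str2           token ValueType
     * @param krbspn         SPN used to consume the token
     * @param messageContext context that receives the KRBTokenInfo property
     * @return {@code true} only if a "WASPrincipal" entry came back and a principal
     *         name could be stripped from it
     */
    private boolean validate(byte[] bArr, String str, String str2, KRBSPN krbspn, MessageContext messageContext) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validate()");
        }
        boolean authenticated = false;
        String principalName = "";
        try {
            HashMap tokenInfo = KRB5Util.consumeKerberosToken(this.subject, bArr, str2, krbspn);
            tokenInfo.put(KRBConstants.STR_TOKENID, str);
            messageContext.setProperty(KRBConstants.STR_WSSECURITY_KRB_TOKEN_INFO, new KRBTokenInfo(tokenInfo));
            String wasPrincipal = (String) tokenInfo.get("WASPrincipal");
            if (wasPrincipal != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "getAuthenticatedUsername: WebSphere Security principal = " + wasPrincipal);
                }
                principalName = KRB5Util.stripOutPrincipalName(wasPrincipal);
                String realmName = KRB5Util.stripOutRealmName(wasPrincipal);
                if (principalName != null) {
                    this.sharedState.put("com.ibm.wsspi.wssecurity.Constants.DN", principalName);
                    authenticated = true;
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Kerberos client principal: " + principalName);
                    }
                } else if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "WAS principal is not available after the mapping.");
                }
                if (realmName != null) {
                    this.sharedState.put("com.ibm.wsspi.wssecurity.Constants.KerberosRealm", realmName);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Kerberos realm: " + realmName);
                    }
                }
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "User principal is not available.");
            }
        } catch (Throwable th) {
            // Fail closed: any error in token consumption or mapping denies the login.
            FFDCFilter.processException(th, KRBLoginModule.class.getName(), "1");
            authenticated = false;
        }
        if (tc.isAuditEnabled()) {
            // NOTE(review): config is set in login(); whether getSPNConfig() can
            // return null is not visible here - confirm before relying on it.
            if (authenticated) {
                Tr.audit(tc, "security.wssecurity.kerberos.authorization.success", new Object[]{principalName, this.config.getServiceName()});
            } else {
                Tr.audit(tc, "security.wssecurity.kerberos.authorization.failed", new Object[]{principalName, this.config.getServiceName()});
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validate()");
        }
        return authenticated;
    }

    /**
     * Discards the login outcome after a failed overall login.
     *
     * @return always {@code true}
     * @throws LoginException never thrown here; declared by the interface
     */
    public boolean abort() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "abort()");
        }
        cleanup();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "abort()");
        }
        return true;
    }

    /**
     * Discards the login outcome on logout.
     *
     * @return always {@code true}
     * @throws LoginException never thrown here; declared by the interface
     */
    public boolean logout() throws LoginException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "logout()");
        }
        cleanup();
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "logout()");
        }
        return true;
    }

    /** Resets the login outcome; the stored subject, handler and maps are kept. */
    private void cleanup() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "cleanup()");
        }
        this.loginSucceeded = false;
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "cleanup()");
        }
    }
}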
