package com.ibm.ws.webcontainer.security;

import com.ibm.etools.wdt.server.core.WDTConstants;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.authentication.AuthenticationService;
import com.ibm.ws.security.authentication.cache.AuthCacheService;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.security.collaborator.CollaboratorUtils;
import com.ibm.ws.security.context.SubjectManager;
import com.ibm.ws.webcontainer.security.internal.BasicAuthAuthenticator;
import com.ibm.ws.webcontainer.security.internal.SRTServletRequestUtils;
import com.ibm.ws.webcontainer.security.internal.SSOAuthenticator;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import java.security.Principal;
import java.util.Enumeration;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

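/**
 * Programmatic login and logout support for web container security.
 *
 * <p>{@link #login} runs basic authentication and binds the resulting subject to the
 * current thread and to the SSO cookie; {@link #logout}/{@link #simpleLogout} undo that
 * binding, invalidate the HTTP session and clear the SSO cookie, with {@code logout}
 * additionally purging the authentication cache entries for the user and the presented
 * SSO tokens so a logged-out token cannot be replayed against the cache.
 *
 * <p>This listing is decompiler output: the {@code /* loaded from ... *&#47;} provenance
 * comment and the FFDC probe id are kept as they were emitted.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:resources/server_runtime/lib/com.ibm.ws.webcontainer.security_1.0.2.jar:com/ibm/ws/webcontainer/security/AuthenticateApi.class */
public class AuthenticateApi {
    private static final TraceComponent tc = Tr.register(AuthenticateApi.class);
    static final String KEY_SECURITY_SERVICE = "securityService";
    /** Reference to the security service; null when built with the two-argument constructor. */
    protected AtomicServiceReference<SecurityService> securityServiceRef;
    private final SubjectManager subjectManager;
    private final SubjectHelper subjectHelper;
    private final SSOCookieHelper ssoCookieHelper;
    /** May be null (two-argument constructor); every cache operation checks for that first. */
    private final AuthCacheService authCacheService;
    /** May be null (two-argument constructor); used only to realm-qualify the user cache key. */
    private final CollaboratorUtils collabUtils;
    private final AuthenticationService authService;
    static final long serialVersionUID = 1249945886020318704L;

    /**
     * Builds an instance that can purge the authentication cache on logout.
     *
     * @param sSOCookieHelper        helper that reads and writes the SSO cookie
     * @param atomicServiceReference reference whose current service supplies the
     *                               authentication service and its auth cache
     * @param collaboratorUtils      used to look up the user registry realm on logout
     */
    public AuthenticateApi(SSOCookieHelper sSOCookieHelper, AtomicServiceReference<SecurityService> atomicServiceReference, CollaboratorUtils collaboratorUtils) {
        this.subjectManager = new SubjectManager();
        this.subjectHelper = new SubjectHelper();
        this.ssoCookieHelper = sSOCookieHelper;
        this.securityServiceRef = atomicServiceReference;
        this.collabUtils = collaboratorUtils;
        // Resolve the service once instead of twice; an unavailable service (null) still
        // fails here with a NullPointerException, exactly as the original did.
        SecurityService securityService = atomicServiceReference.getService();
        this.authService = securityService.getAuthenticationService();
        this.authCacheService = this.authService.getAuthCacheService();
    }

    /**
     * Builds an instance without auth-cache support: logout still clears the thread
     * subjects, the session and the SSO cookies, but no cache entries are removed.
     *
     * @param sSOCookieHelper       helper that reads and writes the SSO cookie
     * @param authenticationService service used to validate a presented SSO token
     */
    public AuthenticateApi(SSOCookieHelper sSOCookieHelper, AuthenticationService authenticationService) {
        this.subjectManager = new SubjectManager();
        this.subjectHelper = new SubjectHelper();
        this.securityServiceRef = null;
        this.collabUtils = null;
        this.authCacheService = null;
        this.authService = authenticationService;
        this.ssoCookieHelper = sSOCookieHelper;
    }

    /**
     * Performs programmatic basic authentication for the given credentials and, on
     * success, binds the authenticated subject to the thread and the response.
     *
     * @param httpServletRequest    current request
     * @param httpServletResponse   current response (receives the SSO cookie on success)
     * @param username              user name passed to the basic authenticator
     * @param password              password; annotated {@code @Sensitive} so tracing never records it
     * @param webAppSecurityConfig  security configuration consulted for session and re-login policy
     * @param basicAuthAuthenticator authenticator that validates the credentials
     * @throws ServletException if a subject is already authenticated and re-login is not
     *                          allowed, or if authentication fails or yields no result
     */
    public void login(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String username, @Sensitive String password, WebAppSecurityConfig webAppSecurityConfig, BasicAuthAuthenticator basicAuthAuthenticator) throws ServletException {
        // When the client presented a session id that is no longer valid and the
        // logout-on-session-expire policy is on, start a fresh session so the new login is
        // not associated with the expired one.
        boolean logoutOnHttpSessionExpire = webAppSecurityConfig.getLogoutOnHttpSessionExpire();
        if (httpServletRequest.getRequestedSessionId() != null
                && !httpServletRequest.isRequestedSessionIdValid()
                && logoutOnHttpSessionExpire) {
            httpServletRequest.getSession(true);
        }
        throwExceptionIfAlreadyAuthenticate(httpServletRequest, httpServletResponse, webAppSecurityConfig);
        AuthenticationResult result = basicAuthAuthenticator.basicAuthenticate(null, username, password, httpServletRequest, httpServletResponse);
        if (result == null) {
            // The original dereferenced the null result for its reason and threw a
            // NullPointerException; report the failure as a ServletException instead.
            throw new ServletException("Authentication failed: no result returned by the basic authenticator");
        }
        if (result.getStatus() != AuthResult.SUCCESS) {
            throw new ServletException(result.getReason());
        }
        postProgrammaticAuthenticate(httpServletRequest, httpServletResponse, result);
    }

    /**
     * Full logout: purges auth cache entries for the user and the presented SSO tokens,
     * invalidates the session, clears the SSO and referrer-URL cookies, drops the private
     * AUTH_TYPE request attribute and clears the thread subjects.
     *
     * @param httpServletRequest   current request
     * @param httpServletResponse  current response (receives the cookie removals)
     * @param webAppSecurityConfig security configuration (logged-out token tracking, cookie settings)
     * @throws ServletException declared for callers; nothing in this body throws it directly
     */
    public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, WebAppSecurityConfig webAppSecurityConfig) throws ServletException {
        // Make sure the subject of the token being logged out is on the thread so the
        // cache lookups below see the right user, even for SSO-only requests.
        createSubjectAndPushItOnThreadAsNeeded(httpServletRequest, httpServletResponse);
        removeEntryFromAuthCache(httpServletRequest, httpServletResponse, webAppSecurityConfig);
        invalidateSession(httpServletRequest);
        this.ssoCookieHelper.removeSSOCookieFromResponse(httpServletResponse);
        this.ssoCookieHelper.createLogoutCookies(httpServletRequest, httpServletResponse);
        new ReferrerURLCookieHandler(webAppSecurityConfig).clearReferrerURLCookie(httpServletRequest, httpServletResponse, ReferrerURLCookieHandler.REFERRER_URL_COOKIENAME);
        SRTServletRequestUtils.removePrivateAttribute(httpServletRequest, "AUTH_TYPE");
        this.subjectManager.clearSubjects();
    }

    /**
     * Reduced logout that does not touch the auth cache or the referrer cookie: invalidates
     * the session, clears the SSO cookies and clears the thread subjects.
     *
     * @param httpServletRequest  current request
     * @param httpServletResponse current response
     */
    public void simpleLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        createSubjectAndPushItOnThreadAsNeeded(httpServletRequest, httpServletResponse);
        invalidateSession(httpServletRequest);
        this.ssoCookieHelper.removeSSOCookieFromResponse(httpServletResponse);
        this.ssoCookieHelper.createLogoutCookies(httpServletRequest, httpServletResponse);
        this.subjectManager.clearSubjects();
    }

    /**
     * Records a logged-out SSO token in the distributed logged-out-token cache.
     *
     * @param token the SSO token value that was just removed from the auth cache
     */
    private void addToLoggedOutTokenCache(String token) {
        LoggedOutTokenCacheImpl.getInstance().addTokenToDistributedMap(token, "userName");
    }

    /**
     * Removes both the user-keyed and the token-keyed auth cache entries for this request.
     */
    private void removeEntryFromAuthCache(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, WebAppSecurityConfig webAppSecurityConfig) {
        removeEntryFromAuthCacheForUser(httpServletRequest, httpServletResponse);
        removeEntryFromAuthCacheForToken(httpServletRequest, httpServletResponse, webAppSecurityConfig);
    }

    /**
     * Removes the auth cache entry for every SSO token cookie on the request and, when
     * logged-out token tracking is enabled, records each token as logged out.
     *
     * <p>Reconstructed from decompiler output in which one local was reused as an int, a
     * boolean and the caught exception; the control flow below is the straightforward
     * reading of that code. A failure on one token is reported (FFDC plus a warning) and
     * the remaining tokens are still processed.
     */
    private void removeEntryFromAuthCacheForToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, WebAppSecurityConfig webAppSecurityConfig) {
        if (this.authCacheService == null) {
            return;
        }
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return;
        }
        String ssoCookieName = this.ssoCookieHelper.getSSOCookiename();
        String[] tokens = CookieHelper.getCookieValues(cookies, ssoCookieName);
        // Fall back to the default LTPA cookie name when the configured name yields nothing.
        if ((tokens == null || tokens.length == 0) && !"LtpaToken2".equalsIgnoreCase(ssoCookieName)) {
            tokens = CookieHelper.getCookieValues(cookies, "LtpaToken2");
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Object count = tokens == null ? "<null>" : Integer.valueOf(tokens.length);
            Tr.debug(tc, "Cookie size: ", new Object[] { count });
        }
        if (tokens == null || tokens.length == 0) {
            return;
        }
        for (String token : tokens) {
            if (token == null || token.isEmpty()) {
                continue;
            }
            try {
                this.authCacheService.remove(token);
                if (webAppSecurityConfig.isTrackLoggedOutSSOCookiesEnabled()) {
                    addToLoggedOutTokenCache(token);
                }
            } catch (Exception e) {
                FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.AuthenticateApi", "199", this, new Object[] { httpServletRequest, httpServletResponse, webAppSecurityConfig });
                // The warning names the user, not the token value, so the log never carries the SSO token.
                Tr.warning(tc, "AUTHENTICATE_CACHE_REMOVAL_EXCEPTION", remoteUserOf(httpServletRequest), e.toString());
            }
        }
    }

    /**
     * Removes the user-keyed auth cache entry. When collaborator utilities are available the
     * key is qualified with the user registry realm ({@code realm:user}) unless the name
     * already contains that prefix.
     */
    private void removeEntryFromAuthCacheForUser(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (this.authCacheService == null) {
            return;
        }
        String cacheKey = remoteUserOf(httpServletRequest);
        if (cacheKey == null) {
            return;
        }
        if (this.collabUtils != null) {
            String realmPrefix = this.collabUtils.getUserRegistryRealm(this.securityServiceRef) + ":";
            if (!cacheKey.contains(realmPrefix)) {
                cacheKey = realmPrefix + cacheKey;
            }
        }
        this.authCacheService.remove(cacheKey);
    }

    /**
     * Returns the request's remote user name, falling back to the user principal's name.
     *
     * @return the user name, or null when neither a remote user nor a principal is present
     */
    private static String remoteUserOf(HttpServletRequest httpServletRequest) {
        String remoteUser = httpServletRequest.getRemoteUser();
        if (remoteUser == null) {
            Principal userPrincipal = httpServletRequest.getUserPrincipal();
            if (userPrincipal != null) {
                remoteUser = userPrincipal.getName();
            }
        }
        return remoteUser;
    }

    /**
     * Enforces the "one login per request" rule before a programmatic login.
     *
     * <p>Does nothing when the caller subject is unauthenticated. Otherwise either logs the
     * current subject out first (when {@code webAlwaysLogin} is configured) or rejects the
     * new login.
     *
     * @throws ServletException if a subject is already authenticated and re-login is not allowed
     */
    public void throwExceptionIfAlreadyAuthenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, WebAppSecurityConfig webAppSecurityConfig) throws ServletException {
        if (this.subjectHelper.isUnauthenticated(this.subjectManager.getCallerSubject())) {
            return;
        }
        if (!webAppSecurityConfig.getWebAlwaysLogin()) {
            throw new ServletException("Authentication had been already established");
        }
        logout(httpServletRequest, httpServletResponse, webAppSecurityConfig);
    }

    /**
     * Invalidates the existing HTTP session, if any. Never creates a session.
     */
    private void invalidateSession(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        boolean debug = TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
        if (session == null) {
            if (debug) {
                Tr.debug(tc, "Existing HTTP Session does not exist, nothing to invalidate", new Object[0]);
            }
            return;
        }
        if (debug) {
            Tr.debug(tc, "invalidating existing HTTP Session", new Object[0]);
        }
        session.invalidate();
    }

    /**
     * Binds a successful authentication result to the thread and the response.
     *
     * <p>The caller subject is set only when none is present yet; the invocation subject
     * is always replaced. The SSO cookie for the subject is added to the response.
     *
     * @param authenticationResult a result whose subject is to be bound
     */
    public void postProgrammaticAuthenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationResult authenticationResult) {
        Subject subject = authenticationResult.getSubject();
        if (this.subjectManager.getCallerSubject() == null) {
            this.subjectManager.setCallerSubject(subject);
        }
        this.subjectManager.setInvocationSubject(subject);
        this.ssoCookieHelper.addSSOCookiesToResponse(subject, httpServletRequest, httpServletResponse);
    }

    /**
     * If no authenticated caller subject is on the thread, validates the request's SSO
     * token and, on success, pushes the resulting subject as the caller subject.
     */
    private void createSubjectAndPushItOnThreadAsNeeded(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Subject callerSubject = this.subjectManager.getCallerSubject();
        boolean needsSubject = callerSubject == null || this.subjectHelper.isUnauthenticated(callerSubject);
        if (!needsSubject) {
            return;
        }
        AuthenticationResult ssoResult = new SSOAuthenticator(this.authService, null, null, this.ssoCookieHelper).handleSSO(httpServletRequest, httpServletResponse);
        if (ssoResult != null && ssoResult.getStatus() == AuthResult.SUCCESS) {
            this.subjectManager.setCallerSubject(ssoResult.getSubject());
        }
    }

    /**
     * Renders every request header as {@code name=[value]} lines for debug tracing.
     *
     * <p>Values are emitted verbatim, so the output contains whatever credential-bearing
     * headers the request carried (for example Authorization or Cookie); keep its use
     * confined to debug-level trace.
     *
     * @return the rendered headers, or null when the request is null
     */
    String debugGetAllHttpHdrs(HttpServletRequest httpServletRequest) {
        if (httpServletRequest == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(512);
        Enumeration<String> headerNames = httpServletRequest.getHeaderNames();
        while (headerNames != null && headerNames.hasMoreElements()) {
            String name = headerNames.nextElement();
            out.append(name).append(WDTConstants.EQUAL_TAG);
            out.append("[").append(SRTServletRequestUtils.getHeader(httpServletRequest, name)).append("]\n");
        }
        return out.toString();
    }
}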
