package com.ibm.ws.security.saml.sso20.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.websphere.security.EntryNotFoundException;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.saml2.Saml20Attribute;
import com.ibm.websphere.security.saml2.Saml20Token;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.saml.Constants;
import com.ibm.ws.security.saml.SsoConfig;
import com.ibm.ws.security.saml.SsoRequest;
import com.ibm.ws.security.saml.error.SamlException;
import com.ibm.ws.security.saml.sso20.internal.utils.HashUtils;
import com.ibm.ws.security.saml.sso20.internal.utils.SamlUtil;
import com.ibm.ws.security.saml.sso20.token.Saml20TokenImpl;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import com.ibm.wsspi.security.registry.RegistryHelper;
import com.ibm.wsspi.security.saml2.UserCredentialResolver;
import com.ibm.wsspi.security.saml2.UserIdentityException;
import java.rmi.RemoteException;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import org.joda.time.DateTime;

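/**
 * Derives the subject attributes (user name, realm, unique user id, group ids) and the
 * SP-cookie / cache-key values from an already-parsed {@link Saml20Token}.
 *
 * <p>Every identity attribute is resolved in the same order:
 * <ol>
 *   <li>if at least one {@link UserCredentialResolver} service is registered and the first
 *       one returns a non-empty value, that value wins;</li>
 *   <li>otherwise, if {@link SsoConfig} names an assertion attribute for it, that attribute is
 *       read from the token (it must carry exactly one value, or a {@code SamlException} is
 *       thrown);</li>
 *   <li>otherwise the token's own NameID / Issuer, or the caller-supplied default, is used.</li>
 * </ol>
 *
 * <p>Everything read from {@code token} is taken at face value here: signature, audience and
 * validity-window checks are expected to have happened before the token was built, and this
 * class does not re-check them.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.saml.sso20_1.0.14.jar:com/ibm/ws/security/saml/sso20/internal/AssertionToSubject.class */
public class AssertionToSubject {
    SsoConfig ssoConfig;
    Saml20Token token;
    SsoRequest samlRequest;
    public static final String KEY_USER_RESOLVER = "userResolver";
    // Constant suffix mixed into the SP-cookie digest in getAfterDigestValue().
    static final String fixedStr = "_ibm";
    static final long serialVersionUID = -1475273301771710071L;
    public static final TraceComponent tc = Tr.register((Class<?>) AssertionToSubject.class, "SAML20", "com.ibm.ws.security.saml.sso20.internal.resources.SamlSso20Messages");
    // Registered UserCredentialResolver services. Only the first service is ever consulted.
    static ConcurrentServiceReferenceMap<String, UserCredentialResolver> activatedUserResolverRef = new ConcurrentServiceReferenceMap<>("userResolver");

    // Scope markers for realm-qualified ids, e.g. "user:<realm>/<id>" and "group:<realm>/<id>".
    private static final String USER_PREFIX = "user:";
    private static final String GROUP_PREFIX = "group:";

    /**
     * Creates a mapper for one authentication request.
     *
     * @param ssoRequest  the in-flight SSO request; receives the SP cookie value
     * @param ssoConfig   the SAML SSO configuration (attribute names, realm, timeouts)
     * @param saml20Token the parsed assertion to map
     */
    public AssertionToSubject(SsoRequest ssoRequest, SsoConfig ssoConfig, Saml20Token saml20Token) {
        this.ssoConfig = ssoConfig;
        this.token = saml20Token;
        this.samlRequest = ssoRequest;
    }

    /**
     * Replaces the shared map of {@link UserCredentialResolver} services.
     *
     * @param concurrentServiceReferenceMap the service references to consult from now on
     */
    public static void setActivatedUserResolverRef(ConcurrentServiceReferenceMap<String, UserCredentialResolver> concurrentServiceReferenceMap) {
        activatedUserResolverRef = concurrentServiceReferenceMap;
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "activatedUserResolverRef size():" + activatedUserResolverRef.size(), new Object[0]);
        }
    }

    /** True when at least one user resolver service is registered. */
    private static boolean hasUserResolver() {
        return activatedUserResolverRef.size() > 0;
    }

    /**
     * Returns the sole value of the assertion attribute named {@code attributeName}, or
     * {@code null} when no attribute of that name carries exactly one value.
     *
     * <p>If several attributes share the name, the <em>last</em> single-valued one wins; the
     * loop deliberately does not stop at the first match, to preserve the original behaviour.
     * Multi-valued attributes of that name are skipped rather than rejected.
     */
    private String singleValuedAttribute(String attributeName) {
        String value = null;
        for (Saml20Attribute attribute : this.token.getSAMLAttributes()) {
            List<String> values = attribute.getValuesAsString();
            if (attributeName.equals(attribute.getName()) && values.size() == 1) {
                value = values.get(0);
            }
        }
        return value;
    }

    /**
     * Normalises an id to the form {@code <realmPrefix><id>}.
     *
     * <p>A value already carrying {@code realmPrefix} is returned unchanged. A value scoped to
     * another realm ({@code <kind><other>/<rest>}) is re-homed: everything after the first
     * {@code /} is kept and prefixed with {@code realmPrefix}. Anything else is simply prefixed.
     *
     * @param value       the raw id from the assertion or resolver (non-null)
     * @param kind        {@link #USER_PREFIX} or {@link #GROUP_PREFIX}
     * @param realmPrefix {@code kind + realm + "/"}
     */
    private static String ensurePrefixed(String value, String kind, String realmPrefix) {
        if (value.startsWith(realmPrefix)) {
            return value;
        }
        int slash = value.indexOf("/");
        if (value.startsWith(kind) && slash > 0) {
            return realmPrefix + value.substring(slash + 1);
        }
        return realmPrefix + value;
    }

    /**
     * Resolves the user name for the subject.
     *
     * <p>Order: user resolver service → attribute named by {@code ssoConfig.getUserIdentifier()}
     * → the assertion's NameID. When an identifier is configured it fully replaces NameID;
     * there is no fallback to NameID if the attribute is missing.
     *
     * @return a non-empty user name
     * @throws SamlException {@code SAML20_ATTRIBUTE_ERR} when the configured attribute is
     *                       absent or multi-valued, or the resulting name is null/empty;
     *                       {@code SAML20_CANNOT_RESOLVE_ASSERTION} when the resolver fails
     */
    public String getUser() throws SamlException {
        if (hasUserResolver()) {
            String fromResolver = getUserFromUserResolver(null);
            if (fromResolver != null && !fromResolver.isEmpty()) {
                return fromResolver;
            }
        }
        String user = this.token.getSAMLNameID();
        String userIdentifier = this.ssoConfig.getUserIdentifier();
        if (userIdentifier != null && !userIdentifier.isEmpty()) {
            user = singleValuedAttribute(userIdentifier);
            if (user == null) {
                throw new SamlException("SAML20_ATTRIBUTE_ERR", null, false, new Object[]{"user name"});
            }
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "user from Token Attributes:" + user, new Object[0]);
            }
        }
        if (user == null || user.isEmpty()) {
            throw new SamlException("SAML20_ATTRIBUTE_ERR", null, false, new Object[]{"user name"});
        }
        return user;
    }

    /**
     * Asks the first registered resolver for the user name.
     *
     * @param str accepted for signature compatibility; not used
     * @return the resolver's answer, or {@code null} when no resolver is registered
     * @throws SamlException {@code SAML20_CANNOT_RESOLVE_ASSERTION} wrapping the resolver's
     *                       {@link UserIdentityException}
     */
    @FFDCIgnore({UserIdentityException.class})
    String getUserFromUserResolver(String str) throws SamlException {
        String user = null;
        Iterator<UserCredentialResolver> services = activatedUserResolverRef.getServices();
        if (services.hasNext()) {
            try {
                user = services.next().mapSAMLAssertionToUser(this.token);
            } catch (UserIdentityException e) {
                // NOTE(review): this is the only resolver wrapper passing the explicit 'false'
                // flag; the other three use the 3-arg constructor. Presumably equivalent
                // defaults, but not verifiable from this file.
                throw new SamlException("SAML20_CANNOT_RESOLVE_ASSERTION", e, false, new Object[]{e.getMessage()});
            }
        }
        return user;
    }

    /**
     * Resolves the realm for the subject.
     *
     * <p>Order: user resolver service → {@code ssoConfig.getRealmName()} → attribute named by
     * {@code ssoConfig.getRealmIdentifier()} → the assertion's Issuer.
     *
     * @return the realm; unlike {@link #getUser()}, an empty (non-null) issuer is accepted
     * @throws SamlException {@code SAML20_ATTRIBUTE_ERR} when the configured attribute is
     *                       absent or multi-valued, or no realm could be determined
     */
    public String getRealm() throws SamlException {
        if (hasUserResolver()) {
            String fromResolver = getRealmFromUserResolver();
            if (fromResolver != null && !fromResolver.isEmpty()) {
                return fromResolver;
            }
        }
        String realmName = this.ssoConfig.getRealmName();
        if (realmName != null && !realmName.isEmpty()) {
            return realmName;
        }
        String realm = this.token.getSAMLIssuerName();
        String realmIdentifier = this.ssoConfig.getRealmIdentifier();
        if (realmIdentifier != null && !realmIdentifier.isEmpty()) {
            realm = singleValuedAttribute(realmIdentifier);
            if (realm == null) {
                throw new SamlException("SAML20_ATTRIBUTE_ERR", null, false, new Object[]{"realm"});
            }
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "realm from Token Attributes:" + realm, new Object[0]);
            }
        }
        if (realm == null) {
            throw new SamlException("SAML20_ATTRIBUTE_ERR", null, false, new Object[]{"realm"});
        }
        return realm;
    }

    /**
     * Asks the first registered resolver for the realm.
     *
     * @return the resolver's answer, or {@code null} when no resolver is registered
     * @throws SamlException {@code SAML20_CANNOT_RESOLVE_ASSERTION} wrapping the resolver's
     *                       {@link UserIdentityException}
     */
    @FFDCIgnore({UserIdentityException.class})
    String getRealmFromUserResolver() throws SamlException {
        String realm = null;
        Iterator<UserCredentialResolver> services = activatedUserResolverRef.getServices();
        if (services.hasNext()) {
            try {
                realm = services.next().mapSAMLAssertionToRealm(this.token);
            } catch (UserIdentityException e) {
                throw new SamlException("SAML20_CANNOT_RESOLVE_ASSERTION", e, new Object[]{e.getMessage()});
            }
        }
        return realm;
    }

    /**
     * Resolves the realm-qualified unique user id, {@code user:<realm>/<id>}.
     *
     * <p>Order: user resolver service (returned verbatim, without prefixing) → attribute named
     * by {@code ssoConfig.getUserUniqueIdentifier()} → {@code str}. The non-resolver result is
     * then normalised with {@link #ensurePrefixed}.
     *
     * @param str  default id when no unique-id attribute is configured (presumably the user
     *             name from {@link #getUser()}; confirm against the caller)
     * @param str2 the realm used to build the {@code user:<realm>/} prefix
     * @throws SamlException {@code SAML20_ATTRIBUTE_ERR} when the configured attribute is
     *                       absent or multi-valued, or both it and {@code str} are null
     */
    public String getUserUniqueIdentity(String str, String str2) throws SamlException {
        if (hasUserResolver()) {
            String fromResolver = getUserUniqueIDFromUserResolver(str);
            if (fromResolver != null && !fromResolver.isEmpty()) {
                return fromResolver;
            }
        }
        String uniqueId = str;
        String userUniqueIdentifier = this.ssoConfig.getUserUniqueIdentifier();
        if (userUniqueIdentifier != null && !userUniqueIdentifier.isEmpty()) {
            uniqueId = singleValuedAttribute(userUniqueIdentifier);
            if (uniqueId == null) {
                throw new SamlException("SAML20_ATTRIBUTE_ERR", null, false, new Object[]{"unique user name"});
            }
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "uniaueUserId from Token Attributes:" + uniqueId, new Object[0]);
            }
        }
        if (uniqueId == null) {
            throw new SamlException("SAML20_ATTRIBUTE_ERR", null, false, new Object[]{"unique user name"});
        }
        return ensurePrefixed(uniqueId, USER_PREFIX, USER_PREFIX + str2 + "/");
    }

    /**
     * Asks the first registered resolver for the unique user id.
     *
     * @param str accepted for signature compatibility; not used
     * @return the resolver's answer, or {@code null} when no resolver is registered
     * @throws SamlException {@code SAML20_CANNOT_RESOLVE_ASSERTION} wrapping the resolver's
     *                       {@link UserIdentityException}
     */
    @FFDCIgnore({UserIdentityException.class})
    String getUserUniqueIDFromUserResolver(String str) throws SamlException {
        String uniqueId = null;
        Iterator<UserCredentialResolver> services = activatedUserResolverRef.getServices();
        if (services.hasNext()) {
            try {
                uniqueId = services.next().mapSAMLAssertionToUserUniqueID(this.token);
            } catch (UserIdentityException e) {
                throw new SamlException("SAML20_CANNOT_RESOLVE_ASSERTION", e, new Object[]{e.getMessage()});
            }
        }
        return uniqueId;
    }

    /**
     * Resolves group ids by looking each asserted group up in the configured user registry.
     *
     * <p>Order: user resolver service → every value of every attribute named by
     * {@code ssoConfig.getGroupIdentifier()}. Each group name is passed through
     * {@link #mapGroupToUserRegistry}; names unknown to the registry are dropped.
     *
     * @param str the realm used to build the {@code group:<realm>/} prefix
     * @return the prefixed unique group ids, possibly empty, never {@code null}
     */
    public List<String> getGroupUniqueIdentityFromRegistry(String str) throws WSSecurityException, RemoteException, SamlException {
        if (hasUserResolver()) {
            List<String> fromResolver = getGroupsFromUserResolver();
            if (fromResolver != null && fromResolver.size() > 0) {
                return mapGroupsToUserRegistry(fromResolver, str);
            }
        }
        List<String> groups = new ArrayList<>();
        String groupIdentifier = this.ssoConfig.getGroupIdentifier();
        // NOTE(review): only a null check here, whereas getGroupUniqueIdentity() also rejects
        // an empty identifier. Kept as-is; an empty name simply matches no attribute.
        if (groupIdentifier != null) {
            String realmPrefix = GROUP_PREFIX + str + "/";
            for (Saml20Attribute attribute : this.token.getSAMLAttributes()) {
                if (groupIdentifier.equals(attribute.getName())) {
                    for (String group : attribute.getValuesAsString()) {
                        mapGroupToUserRegistry(groups, group, realmPrefix);
                    }
                }
            }
        }
        return groups;
    }

    /**
     * Strips the realm scope from a group value so it can be looked up by plain name:
     * {@code <realmPrefix><name>} or {@code group:<other>/<name>} both become {@code <name>}.
     * A {@code null} or unscoped value is returned unchanged.
     */
    private static String stripGroupPrefix(String group, String realmPrefix) {
        if (group == null) {
            return null;
        }
        if (group.startsWith(realmPrefix)) {
            return group.substring(realmPrefix.length());
        }
        if (group.startsWith(GROUP_PREFIX)) {
            int slash = group.indexOf("/");
            if (slash > 0) {
                return group.substring(slash + 1);
            }
        }
        return group;
    }

    /**
     * Looks one asserted group up in the user registry and appends the resulting unique ids to
     * {@code list}, each prefixed with {@code str2}.
     *
     * <p>Appended are the group's own unique id plus every id returned by
     * {@code getUniqueGroupIds(uniqueGroupId)} — presumably the groups the resolved group is
     * itself a member of (nested membership); confirm against the registry implementation.
     * A group the registry does not know ({@link EntryNotFoundException}) is skipped without
     * failing the whole mapping.
     *
     * @param list the accumulator to append to (mutated and returned)
     * @param str  the asserted group value, possibly already realm-scoped
     * @param str2 the {@code group:<realm>/} prefix to strip from input and add to output
     * @return {@code list}
     */
    @FFDCIgnore({EntryNotFoundException.class})
    List<String> mapGroupToUserRegistry(List<String> list, String str, String str2) throws RemoteException, WSSecurityException {
        UserRegistry userRegistry = RegistryHelper.getUserRegistry(null);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "UserRegistry:" + userRegistry, new Object[0]);
        }
        String groupName = stripGroupPrefix(str, str2);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "original Group:" + groupName, new Object[0]);
        }
        try {
            String uniqueGroupId = userRegistry.getUniqueGroupId(groupName);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "groupDN from registry:" + uniqueGroupId, new Object[0]);
            }
            list.add(str2 + uniqueGroupId);
            ListIterator<String> memberOf = userRegistry.getUniqueGroupIds(uniqueGroupId).listIterator();
            while (memberOf.hasNext()) {
                String parentId = memberOf.next();
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "groupDN from GroupIds:" + parentId, new Object[0]);
                }
                list.add(str2 + parentId);
            }
        } catch (EntryNotFoundException e) {
            // Best effort by design (see @FFDCIgnore): an asserted group that the registry
            // cannot find contributes nothing. Trace it so a silently missing group is
            // diagnosable instead of vanishing without a record.
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "group not found in registry, skipped:" + groupName, new Object[0]);
            }
        }
        return list;
    }

    /**
     * Maps every group in {@code list} through {@link #mapGroupToUserRegistry} into a new list.
     *
     * @param list the group values to look up
     * @param str  the realm used to build the {@code group:<realm>/} prefix
     * @return a new list of prefixed unique group ids
     */
    List<String> mapGroupsToUserRegistry(List<String> list, String str) throws RemoteException, WSSecurityException {
        String realmPrefix = GROUP_PREFIX + str + "/";
        List<String> groups = new ArrayList<>();
        for (String group : list) {
            mapGroupToUserRegistry(groups, group, realmPrefix);
        }
        return groups;
    }

    /**
     * Asks the first registered resolver for the group list.
     *
     * @return the resolver's answer, or {@code null} when no resolver is registered
     * @throws SamlException {@code SAML20_CANNOT_RESOLVE_ASSERTION} wrapping the resolver's
     *                       {@link UserIdentityException}
     */
    @FFDCIgnore({UserIdentityException.class})
    List<String> getGroupsFromUserResolver() throws SamlException {
        List<String> groups = null;
        Iterator<UserCredentialResolver> services = activatedUserResolverRef.getServices();
        if (services.hasNext()) {
            try {
                groups = services.next().mapSAMLAssertionToGroups(this.token);
            } catch (UserIdentityException e) {
                throw new SamlException("SAML20_CANNOT_RESOLVE_ASSERTION", e, new Object[]{e.getMessage()});
            }
        }
        return groups;
    }

    /**
     * Resolves realm-qualified group ids, {@code group:<realm>/<id>}, without consulting the
     * user registry.
     *
     * <p>Order: user resolver service → every value of every attribute named by
     * {@code ssoConfig.getGroupIdentifier()}. Note the two paths normalise differently:
     * resolver-supplied ids are prefixed only when they carry no {@code group:} scope at all
     * (an id scoped to another realm is kept verbatim), while attribute values go through
     * {@link #ensurePrefixed} and are re-homed under {@code str}.
     *
     * @param str the realm used to build the {@code group:<realm>/} prefix
     * @return the prefixed group ids, possibly empty, never {@code null}
     */
    public List<String> getGroupUniqueIdentity(String str) throws SamlException {
        List<String> groups = new ArrayList<>();
        String realmPrefix = GROUP_PREFIX + str + "/";
        if (hasUserResolver()) {
            List<String> fromResolver = getGroupsFromUserResolver();
            if (fromResolver != null && fromResolver.size() > 0) {
                for (String group : fromResolver) {
                    groups.add(group.startsWith(GROUP_PREFIX) ? group : realmPrefix + group);
                }
                return groups;
            }
        }
        String groupIdentifier = this.ssoConfig.getGroupIdentifier();
        if (groupIdentifier != null && !groupIdentifier.isEmpty()) {
            for (Saml20Attribute attribute : this.token.getSAMLAttributes()) {
                if (!groupIdentifier.equals(attribute.getName())) {
                    continue;
                }
                for (String group : attribute.getValuesAsString()) {
                    if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                        Tr.debug(tc, "groupDN from Token Attributes:" + group, new Object[0]);
                    }
                    groups.add(ensurePrefixed(group, GROUP_PREFIX, realmPrefix));
                }
            }
        }
        return groups;
    }

    /**
     * Computes the custom cache key and records the matching SP cookie value on the request.
     *
     * <p>With the LTPA cookie disabled, the cookie value is a fresh random from
     * {@code SamlUtil.generateRandom()} and the returned key is its digest (see
     * {@link #getAfterDigestValue}), so the cache key cannot be derived from the cookie
     * without {@code fixedStr}. Otherwise the cookie value and the key are the same string,
     * {@code <str>_<hash of the assertion XML>}.
     *
     * @param str the key prefix supplied by the caller
     * @return the cache key
     */
    @Trivial
    public String getCustomCacheKeyValue(String str) {
        if (this.samlRequest.isDisableLtpaCookie()) {
            String random = SamlUtil.generateRandom();
            this.samlRequest.setSpCookieValue(random);
            return getAfterDigestValue(str, random);
        }
        String key = str + "_" + SamlUtil.hash(this.token.getSAMLAsString());
        this.samlRequest.setSpCookieValue(key);
        return key;
    }

    /**
     * Digests {@code <str>_<str2>_ibm} with {@code HashUtils.digest}. Used to turn the SP cookie
     * value into the cache key; marked {@link Sensitive} because {@code str2} is the cookie
     * value itself.
     */
    @Sensitive
    public static String getAfterDigestValue(String str, String str2) {
        return HashUtils.digest(str + "_" + str2 + fixedStr);
    }

    /**
     * Stores the SP-cookie expiry under {@code Constants.SP_COOKIE_AND_SESSION_NOT_ON_OR_AFTER}
     * when the LTPA cookie is disabled; does nothing otherwise.
     *
     * <p>The value is the assertion's SessionNotOnOrAfter (only available when the token is a
     * {@link Saml20TokenImpl} and reports a non-zero value); failing that, now plus
     * {@code ssoConfig.getSessionNotOnOrAfter()} — presumably a lifetime in milliseconds,
     * since it is added to epoch millis. Confirm against the config schema.
     *
     * @param hashtable   the subject hashtable to populate
     * @param saml20Token the token whose session bound is read
     */
    @Trivial
    public void handleSessionNotOnOrAfter(Hashtable<String, Object> hashtable, Saml20Token saml20Token) {
        if (this.samlRequest.isDisableLtpaCookie()) {
            long notOnOrAfter = 0;
            if (saml20Token instanceof Saml20TokenImpl) {
                notOnOrAfter = ((Saml20TokenImpl) saml20Token).getSessionNotOnOrAfter();
            }
            if (notOnOrAfter == 0) {
                notOnOrAfter = new DateTime().getMillis() + this.ssoConfig.getSessionNotOnOrAfter();
            }
            hashtable.put(Constants.SP_COOKIE_AND_SESSION_NOT_ON_OR_AFTER, Long.valueOf(notOnOrAfter));
        }
    }
}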
