package com.ibm.ws.security.authentication.internal;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.common.internal.encoder.Base64Coder;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.AuthenticationConstants;
import com.ibm.ws.security.authentication.AuthenticationData;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.AuthenticationService;
import com.ibm.ws.security.authentication.WSAuthenticationData;
import com.ibm.ws.security.authentication.cache.AuthCacheService;
import com.ibm.ws.security.authentication.internal.cache.keyproviders.BasicAuthCacheKeyProvider;
import com.ibm.ws.security.authentication.internal.cache.keyproviders.CustomCacheKeyProvider;
import com.ibm.ws.security.authentication.internal.jaas.JAASServiceImpl;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.security.credentials.CredentialsService;
import com.ibm.ws.security.delegation.DelegationProvider;
import com.ibm.ws.security.jaas.common.callback.CallbackHandlerAuthenticationData;
import com.ibm.ws.security.registry.RegistryException;
import com.ibm.ws.security.registry.UserRegistryService;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import java.util.Hashtable;
import java.util.Map;
import java.util.concurrent.locks.ReentrantLock;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.CredentialException;
import javax.security.auth.login.LoginException;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;

@InjectedFFDC
@TraceOptions(messageBundle = "com.ibm.ws.security.authentication.internal.resources.AuthenticationMessages")
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.authentication.builtin_1.0.16.jar:com/ibm/ws/security/authentication/internal/AuthenticationServiceImpl.class */
public class AuthenticationServiceImpl implements AuthenticationService {
    private static final TraceComponent tc = Tr.register((Class<?>) AuthenticationServiceImpl.class, "Authentication", "com.ibm.ws.security.authentication.internal.resources.AuthenticationMessages");
    static final String CFG_ALLOW_HASHTABLE_LOGIN_WITH_ID_ONLY = "allowHashtableLoginWithIdOnly";
    static final String CFG_CACHE_ENABLED = "cacheEnabled";
    static final String KEY_AUTH_CACHE_SERVICE = "authCacheService";
    static final String KEY_USER_REGISTRY_SERVICE = "userRegistryService";
    static final String KEY_DELEGATION_PROVIDER = "delegationProvider";
    static final String KEY_DEFAULT_DELEGATION_PROVIDER = "defaultDelegationProvider";
    static final String KEY_CREDENTIALS_SERVICE = "credentialsService";
    private JAASService jaasService;
    private ComponentContext cc;
    static final long serialVersionUID = 8644919184246925537L;
    private final AtomicServiceReference<AuthCacheService> authCacheServiceRef = new AtomicServiceReference<>(KEY_AUTH_CACHE_SERVICE);
    private final AtomicServiceReference<UserRegistryService> userRegistryServiceRef = new AtomicServiceReference<>("userRegistryService");
    private final AtomicServiceReference<DelegationProvider> delegationProviderRef = new AtomicServiceReference<>(KEY_DELEGATION_PROVIDER);
    private final AtomicServiceReference<DelegationProvider> defaultDelegationProviderRef = new AtomicServiceReference<>(KEY_DEFAULT_DELEGATION_PROVIDER);
    private final AtomicServiceReference<CredentialsService> credentialsServiceRef = new AtomicServiceReference<>("credentialsService");
    private boolean cacheEnabled = true;
    private boolean allowHashtableLoginWithIdOnly = false;
    private String invalidDelegationUser = "";
    private final AuthenticationGuard authenticationGuard = new AuthenticationGuard();

    protected void setJaasService(JAASService jAASService) {
        this.jaasService = jAASService;
        if (jAASService instanceof JAASServiceImpl) {
            JAASServiceImpl.setAuthenticationService(this);
        }
    }

    protected void unsetJaasService(JAASService jAASService) {
        if (this.jaasService == jAASService) {
            this.jaasService = null;
            JAASServiceImpl.unsetAuthenticationService(this);
        }
    }

    protected void setAuthCacheService(ServiceReference<AuthCacheService> serviceReference) {
        this.authCacheServiceRef.setReference(serviceReference);
    }

    protected void unsetAuthCacheService(ServiceReference<AuthCacheService> serviceReference) {
        this.authCacheServiceRef.unsetReference(serviceReference);
    }

    protected void setUserRegistryService(ServiceReference<UserRegistryService> serviceReference) {
        this.userRegistryServiceRef.setReference(serviceReference);
    }

    protected void unsetUserRegistryService(ServiceReference<UserRegistryService> serviceReference) {
        this.userRegistryServiceRef.unsetReference(serviceReference);
    }

    protected void setDelegationProvider(ServiceReference<DelegationProvider> serviceReference) {
        this.delegationProviderRef.setReference(serviceReference);
    }

    protected void unsetDelegationProvider(ServiceReference<DelegationProvider> serviceReference) {
        this.delegationProviderRef.unsetReference(serviceReference);
    }

    protected void setDefaultDelegationProvider(ServiceReference<DelegationProvider> serviceReference) {
        this.defaultDelegationProviderRef.setReference(serviceReference);
    }

    protected void unsetDefaultDelegationProvider(ServiceReference<DelegationProvider> serviceReference) {
        this.defaultDelegationProviderRef.unsetReference(serviceReference);
    }

    protected void setCredentialsService(ServiceReference<CredentialsService> serviceReference) {
        this.credentialsServiceRef.setReference(serviceReference);
    }

    protected void unsetCredentialsService(ServiceReference<CredentialsService> serviceReference) {
        this.credentialsServiceRef.unsetReference(serviceReference);
    }

    private void updateCacheState(Map<String, Object> map) {
        getAuthenticationConfig(map);
        if (this.cacheEnabled) {
            this.authCacheServiceRef.activate(this.cc);
        } else {
            this.authCacheServiceRef.deactivate(this.cc);
        }
    }

    private void getAuthenticationConfig(Map<String, Object> map) {
        Boolean bool = (Boolean) map.get(CFG_ALLOW_HASHTABLE_LOGIN_WITH_ID_ONLY);
        if (bool != null) {
            this.allowHashtableLoginWithIdOnly = bool.booleanValue();
        }
        Boolean bool2 = (Boolean) map.get(CFG_CACHE_ENABLED);
        if (bool2 != null) {
            this.cacheEnabled = bool2.booleanValue();
        }
    }

    protected void activate(ComponentContext componentContext, Map<String, Object> map) {
        this.cc = componentContext;
        this.authCacheServiceRef.activate(componentContext);
        this.userRegistryServiceRef.activate(componentContext);
        this.delegationProviderRef.activate(componentContext);
        this.defaultDelegationProviderRef.activate(componentContext);
        this.credentialsServiceRef.activate(componentContext);
        updateCacheState(map);
    }

    protected void modified(Map<String, Object> map) {
        updateCacheState(map);
    }

    protected void deactivate() {
        this.authCacheServiceRef.deactivate(this.cc);
        this.userRegistryServiceRef.deactivate(this.cc);
        this.delegationProviderRef.deactivate(this.cc);
        this.defaultDelegationProviderRef.deactivate(this.cc);
        this.credentialsServiceRef.deactivate(this.cc);
        JAASServiceImpl.unsetAuthenticationService(this);
        this.cc = null;
    }

    @Override // com.ibm.ws.security.authentication.AuthenticationService
    public Subject authenticate(String str, Subject subject) throws AuthenticationException {
        return authenticate(str, new WSAuthenticationData(), subject);
    }

    @Override // com.ibm.ws.security.authentication.AuthenticationService
    public Subject authenticate(String str, AuthenticationData authenticationData, Subject subject) throws AuthenticationException {
        ReentrantLock optionallyObtainLockedLock = optionallyObtainLockedLock(authenticationData);
        try {
            if (isBasicAuthLogin(authenticationData)) {
                Subject createBasicAuthSubject = createBasicAuthSubject(authenticationData, subject);
                releaseLock(authenticationData, optionallyObtainLockedLock);
                return createBasicAuthSubject;
            }
            Subject findSubjectInAuthCache = findSubjectInAuthCache(authenticationData, subject);
            if (findSubjectInAuthCache == null) {
                findSubjectInAuthCache = performJAASLogin(str, authenticationData, subject);
                insertSubjectInAuthCache(authenticationData, findSubjectInAuthCache);
            }
            return findSubjectInAuthCache;
        } finally {
            releaseLock(authenticationData, optionallyObtainLockedLock);
        }
    }

    private boolean isBasicAuthLogin(AuthenticationData authenticationData) {
        boolean z = false;
        if (authenticationData != null) {
            String realm = getRealm();
            String str = (String) authenticationData.get(AuthenticationData.REALM);
            z = (str == null || str.equals(realm) || str.equals("defaultRealm")) ? false : true;
        }
        return z;
    }

    private Subject createBasicAuthSubject(AuthenticationData authenticationData, Subject subject) throws AuthenticationException {
        Subject subject2 = subject != null ? subject : new Subject();
        String str = (String) authenticationData.get(AuthenticationData.REALM);
        String str2 = (String) authenticationData.get(AuthenticationData.USERNAME);
        String password = getPassword((char[]) authenticationData.get(AuthenticationData.PASSWORD));
        CredentialsService service = this.credentialsServiceRef.getService();
        if (service != null) {
            try {
                service.setBasicAuthCredential(subject2, str, str2, password);
            } catch (CredentialException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.authentication.internal.AuthenticationServiceImpl", "237", this, new Object[]{authenticationData, subject});
                throw new AuthenticationException(e.getMessage());
            }
        }
        return subject2;
    }

    @Override // com.ibm.ws.security.authentication.AuthenticationService
    public Subject authenticate(String str, CallbackHandler callbackHandler, Subject subject) throws AuthenticationException {
        try {
            AuthenticationData createAuthenticationData = new CallbackHandlerAuthenticationData(callbackHandler).createAuthenticationData();
            ReentrantLock optionallyObtainLockedLock = optionallyObtainLockedLock(createAuthenticationData);
            try {
                if (isBasicAuthLogin(createAuthenticationData)) {
                    Subject createBasicAuthSubject = createBasicAuthSubject(createAuthenticationData, subject);
                    releaseLock(createAuthenticationData, optionallyObtainLockedLock);
                    return createBasicAuthSubject;
                }
                Subject findSubjectInAuthCache = findSubjectInAuthCache(createAuthenticationData, subject);
                if (findSubjectInAuthCache == null) {
                    findSubjectInAuthCache = performJAASLogin(str, callbackHandler, subject);
                    insertSubjectInAuthCache(createAuthenticationData, findSubjectInAuthCache);
                }
                return findSubjectInAuthCache;
            } finally {
                releaseLock(createAuthenticationData, optionallyObtainLockedLock);
            }
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.authentication.internal.AuthenticationServiceImpl", "252", this, new Object[]{str, callbackHandler, subject});
            throw new AuthenticationException(e.getMessage());
        }
    }

    private ReentrantLock optionallyObtainLockedLock(AuthenticationData authenticationData) {
        ReentrantLock reentrantLock = null;
        if (isAuthCacheServiceAvailable()) {
            reentrantLock = this.authenticationGuard.requestAccess(authenticationData);
            reentrantLock.lock();
        }
        return reentrantLock;
    }

    private boolean isAuthCacheServiceAvailable() {
        return getAuthCacheService() != null;
    }

    private void releaseLock(AuthenticationData authenticationData, ReentrantLock reentrantLock) {
        this.authenticationGuard.relinquishAccess(authenticationData, reentrantLock);
    }

    private Subject findSubjectInAuthCache(AuthenticationData authenticationData, Subject subject) throws AuthenticationException {
        Subject subject2 = null;
        AuthCacheService authCacheService = getAuthCacheService();
        if (authCacheService != null && authenticationData != null) {
            String str = (String) authenticationData.get(AuthenticationData.TOKEN64);
            if (str != null) {
                subject2 = findSubjectByTokenContents(authCacheService, str, null);
            } else {
                byte[] bArr = (byte[]) authenticationData.get(AuthenticationData.TOKEN);
                if (bArr != null) {
                    subject2 = findSubjectByTokenContents(authCacheService, null, bArr);
                } else {
                    String str2 = (String) authenticationData.get(AuthenticationData.USERNAME);
                    String password = getPassword((char[]) authenticationData.get(AuthenticationData.PASSWORD));
                    if (str2 != null && password != null) {
                        subject2 = findSubjectByUseridAndPassword(authCacheService, str2, password);
                    } else if (subject != null) {
                        subject2 = findSubjectBySubjectHashtable(authCacheService, subject);
                    }
                }
            }
        }
        return subject2;
    }

    private Subject findSubjectByTokenContents(AuthCacheService authCacheService, String str, byte[] bArr) throws AuthenticationException {
        Subject subject = null;
        if (str != null) {
            subject = authCacheService.getSubject(str);
        }
        if (subject == null && bArr != null) {
            subject = authCacheService.getSubject(bArr);
        }
        if (subject == null) {
            if (bArr == null && str != null) {
                bArr = Base64Coder.base64DecodeString(str);
            }
            if (bArr == null) {
                throw new AuthenticationException("Invalid LTPA Token");
            }
            String customCacheKey = CustomCacheKeyProvider.getCustomCacheKey(authCacheService, bArr);
            if (customCacheKey != null) {
                subject = authCacheService.getSubject(customCacheKey);
                if (subject == null) {
                    throw new AuthenticationException("Custom cache key missed authentication cache. Need to re-challenge the user to login again.");
                }
            }
        }
        return subject;
    }

    private Subject findSubjectByUseridAndPassword(AuthCacheService authCacheService, String str, @Sensitive String str2) {
        return authCacheService.getSubject(BasicAuthCacheKeyProvider.createLookupKey(getRealm(), str, str2));
    }

    private Subject findSubjectBySubjectHashtable(AuthCacheService authCacheService, Subject subject) {
        Subject subject2 = null;
        SubjectHelper subjectHelper = new SubjectHelper();
        Hashtable<String, ?> hashtableFromSubject = subjectHelper.getHashtableFromSubject(subject, new String[]{"com.ibm.wsspi.security.cred.cacheKey"});
        if (hashtableFromSubject != null) {
            String str = (String) hashtableFromSubject.get("com.ibm.wsspi.security.cred.cacheKey");
            Boolean bool = (Boolean) hashtableFromSubject.get(AuthenticationConstants.INTERNAL_ASSERTION_KEY);
            if (str != null && bool != null && bool.equals(Boolean.TRUE)) {
                return authCacheService.getSubject(str);
            }
        }
        Hashtable<String, ?> hashtableFromSubject2 = subjectHelper.getHashtableFromSubject(subject, new String[]{AttributeNameConstants.WSCREDENTIAL_USERID, AttributeNameConstants.WSCREDENTIAL_PASSWORD});
        if (hashtableFromSubject2 != null) {
            String str2 = (String) hashtableFromSubject2.get(AttributeNameConstants.WSCREDENTIAL_USERID);
            String str3 = (String) hashtableFromSubject2.get(AttributeNameConstants.WSCREDENTIAL_PASSWORD);
            subject2 = authCacheService.getSubject(str3 != null ? BasicAuthCacheKeyProvider.createLookupKey(getRealm(), str2, str3) : BasicAuthCacheKeyProvider.createLookupKey(getRealm(), str2));
        }
        return subject2;
    }

    @Sensitive
    private String getPassword(@Sensitive char[] cArr) {
        String str = null;
        if (cArr != null) {
            str = String.valueOf(cArr);
        }
        return str;
    }

    @Override // com.ibm.ws.security.authentication.AuthenticationService
    public AuthCacheService getAuthCacheService() {
        return this.authCacheServiceRef.getService();
    }

    @FFDCIgnore({RegistryException.class})
    private String getRealm() {
        String str = "defaultRealm";
        try {
            UserRegistryService service = this.userRegistryServiceRef.getService();
            if (service.isUserRegistryConfigured()) {
                str = service.getUserRegistry().getRealm();
            }
        } catch (RegistryException e) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "There was a problem getting the realm.", e);
            }
        }
        return str;
    }

    @FFDCIgnore({LoginException.class})
    private Subject performJAASLogin(String str, CallbackHandler callbackHandler, Subject subject) throws AuthenticationException {
        if (this.jaasService == null) {
            Tr.error(tc, "AUTHENTICATION_SERVICE_JAAS_UNAVAILABLE", new Object[0]);
            throw new AuthenticationException(TraceNLS.getFormattedMessage(getClass(), "com.ibm.ws.security.authentication.internal.resources.AuthenticationMessages", "AUTHENTICATION_SERVICE_JAAS_UNAVAILABLE", new Object[0], "CWWKS1000E: The JAAS Service is unavailable."));
        }
        try {
            return this.jaasService.performLogin(str, callbackHandler, subject);
        } catch (LoginException e) {
            throw new AuthenticationException(e.getLocalizedMessage());
        }
    }

    @FFDCIgnore({LoginException.class})
    private Subject performJAASLogin(String str, AuthenticationData authenticationData, Subject subject) throws AuthenticationException {
        if (this.jaasService == null) {
            Tr.error(tc, "AUTHENTICATION_SERVICE_JAAS_UNAVAILABLE", new Object[0]);
            throw new AuthenticationException(TraceNLS.getFormattedMessage(getClass(), "com.ibm.ws.security.authentication.internal.resources.AuthenticationMessages", "AUTHENTICATION_SERVICE_JAAS_UNAVAILABLE", new Object[0], "CWWKS1000E: The JAAS Service is unavailable."));
        }
        try {
            return this.jaasService.performLogin(str, authenticationData, subject);
        } catch (LoginException e) {
            throw new AuthenticationException(e.getLocalizedMessage());
        }
    }

    private void insertSubjectInAuthCache(AuthenticationData authenticationData, Subject subject) {
        AuthCacheService authCacheService = getAuthCacheService();
        if (authCacheService != null) {
            String str = (String) authenticationData.get(AuthenticationData.USERNAME);
            String password = getPassword((char[]) authenticationData.get(AuthenticationData.PASSWORD));
            if (str == null || password == null) {
                authCacheService.insert(subject);
            } else {
                authCacheService.insert(subject, str, password);
            }
        }
    }

    public void setInvalidDelegationUser(String str) {
        this.invalidDelegationUser = str;
    }

    @Override // com.ibm.ws.security.authentication.AuthenticationService
    public String getInvalidDelegationUser() {
        return this.invalidDelegationUser;
    }

    @Override // com.ibm.ws.security.authentication.AuthenticationService
    public Subject delegate(String str, String str2) {
        return getRunAsSubjectFromProvider(str, str2);
    }

    @FFDCIgnore({AuthenticationException.class})
    private Subject getRunAsSubjectFromProvider(String str, String str2) {
        Subject subject = null;
        DelegationProvider service = this.delegationProviderRef.getService();
        if (service == null) {
            try {
                service = this.defaultDelegationProviderRef.getService();
            } catch (AuthenticationException e) {
                setInvalidDelegationUser(service.getDelegationUser());
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Caught an authentication exception, so will run as the invocation subject.", new Object[0]);
                }
            }
        }
        if (service != null) {
            subject = service.getRunAsSubject(str, str2);
        }
        return subject;
    }

    @Override // com.ibm.ws.security.authentication.AuthenticationService
    public Boolean isAllowHashTableLoginWithIdOnly() {
        return Boolean.valueOf(this.allowHashtableLoginWithIdOnly);
    }
}
