package com.ibm.ws.security.jca.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.websphere.security.auth.data.AuthData;
import com.ibm.websphere.security.auth.data.AuthDataProvider;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.authentication.principals.WSPrincipal;
import com.ibm.ws.security.intfc.SubjectManagerService;
import com.ibm.ws.security.jca.AuthDataService;
import com.ibm.ws.security.kerberos.auth.KerberosService;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.kernel.service.utils.SerializableProtectedString;
import com.ibm.wsspi.security.auth.callback.WSMappingCallbackHandler;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Map;
import java.util.Set;
import javax.resource.spi.ManagedConnectionFactory;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;

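/**
 * Declarative Services component that produces the JAAS {@link Subject} a JCA
 * resource adapter authenticates with.
 *
 * <p>Two paths exist: when a JAAS login configuration name is supplied the
 * Subject comes from a {@link LoginContext} driven by {@link WSMappingCallbackHandler};
 * otherwise the auth-data alias in the mapping properties is resolved through
 * {@link AuthDataProvider} and either a Kerberos Subject ({@link KerberosService})
 * or a {@link PasswordCredential}-bearing Subject is built. In both cases a copy of
 * the current invocation subject's {@link WSPrincipal}, when one is available, is
 * added to the result.
 *
 * <p>Thread-safety: the component holds no mutable state beyond the service
 * references, each call builds a fresh Subject.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(name = "com.ibm.ws.security.jca.authdata.service", configurationPolicy = ConfigurationPolicy.IGNORE, property = {"service.vendor=IBM"})
@TraceOptions
public class AuthDataServiceImpl implements AuthDataService {
    private static final TraceComponent tc = Tr.register(AuthDataServiceImpl.class, "AuthData", (String) null);
    protected static final String CFG_KEY_ID = "id";
    protected static final String CFG_KEY_DISPLAY_ID = "config.displayId";
    protected static final String CFG_KEY_USER = "user";
    protected static final String CFG_KEY_PASSWORD = "password";
    protected static final String KEY_SECURITY_SERVICE = "securityService";
    // Mapping-property key under which the resource reference carries its authData alias.
    private static final String KEY_AUTH_DATA_ALIAS = "com.ibm.mapping.authDataAlias";
    private static final String KEY_SUBJECT_MANAGER_SERVICE = "subjectManagerService";
    private final AtomicServiceReference<SecurityService> securityServiceRef = new AtomicServiceReference<>(KEY_SECURITY_SERVICE);
    private final AtomicServiceReference<SubjectManagerService> smServiceRef = new AtomicServiceReference<>(KEY_SUBJECT_MANAGER_SERVICE);

    @Reference
    protected KerberosService krb5Service;

    // Injected so the component is only active once an AuthDataProvider exists;
    // lookups themselves go through the provider's static getAuthData(String).
    @Reference
    protected AuthDataProvider authDataProvider;
    static final long serialVersionUID = 2224049223579382905L;

    /**
     * Privileged action that extracts the {@link WSPrincipal} from a Subject and
     * returns a fresh copy (name, access id, authentication method) rather than the
     * caller's own instance. Returns {@code null} when the Subject has no
     * WSPrincipal instead of failing with {@code NoSuchElementException}.
     */
    @Trivial
    private static final class GetInvocationSubjectAction implements PrivilegedAction<WSPrincipal> {
        private final Subject subj;

        GetInvocationSubjectAction(Subject subject) {
            this.subj = subject;
        }

        @Override
        public WSPrincipal run() {
            Set<WSPrincipal> principals = this.subj.getPrincipals(WSPrincipal.class);
            if (principals.isEmpty()) {
                return null;
            }
            WSPrincipal source = principals.iterator().next();
            return new WSPrincipal(source.getName(), source.getAccessId(), source.getAuthenticationMethod());
        }
    }

    @Reference(name = KEY_SECURITY_SERVICE, policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.OPTIONAL)
    protected void setSecurityService(ServiceReference<SecurityService> serviceReference) {
        this.securityServiceRef.setReference(serviceReference);
    }

    protected void unsetSecurityService(ServiceReference<SecurityService> serviceReference) {
        this.securityServiceRef.unsetReference(serviceReference);
    }

    @Reference(name = KEY_SUBJECT_MANAGER_SERVICE, policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.OPTIONAL)
    protected void setSubjectManagerService(ServiceReference<SubjectManagerService> serviceReference) {
        this.smServiceRef.setReference(serviceReference);
    }

    protected void unsetSubjectManagerService(ServiceReference<SubjectManagerService> serviceReference) {
        this.smServiceRef.unsetReference(serviceReference);
    }

    @Activate
    protected void activate(ComponentContext componentContext, Map<String, Object> map) {
        this.securityServiceRef.activate(componentContext);
        this.smServiceRef.activate(componentContext);
    }

    @Deactivate
    protected void deactivate(ComponentContext componentContext) {
        this.securityServiceRef.deactivate(componentContext);
        this.smServiceRef.deactivate(componentContext);
    }

    /**
     * Builds the Subject for a connection request.
     *
     * @param managedConnectionFactory the factory the credential is bound to
     * @param str                      JAAS login configuration name, or {@code null} to
     *                                 use the auth-data alias from {@code map}
     * @param map                      mapping properties (may be {@code null})
     * @return a Subject carrying either a Kerberos credential or a
     *         {@link PasswordCredential} for {@code managedConnectionFactory}
     * @throws LoginException if the JAAS login fails or the auth data cannot be resolved
     */
    @Override
    public Subject getSubject(ManagedConnectionFactory managedConnectionFactory, String str, Map<String, Object> map) throws LoginException {
        if (str != null) {
            return createSubjectUsingJAAS(str, managedConnectionFactory, map);
        }
        return createSubjectUsingAuthData(managedConnectionFactory, map);
    }

    /** Runs the named JAAS login and tags the resulting Subject with the invocation principal. */
    private Subject createSubjectUsingJAAS(String str, ManagedConnectionFactory managedConnectionFactory, Map<String, Object> map) throws LoginException {
        LoginContext loginContext = new LoginContext(str, new WSMappingCallbackHandler(map, managedConnectionFactory));
        loginContext.login();
        Subject subject = loginContext.getSubject();
        addInvocationSubjectPrincipal(subject);
        return subject;
    }

    /** Resolves the auth-data alias from the mapping properties and builds the Subject from it. */
    private Subject createSubjectUsingAuthData(ManagedConnectionFactory managedConnectionFactory, Map<String, Object> map) throws LoginException {
        AuthData authData = getAuthData(getAuthDataAlias(map));
        return obtainSubject(managedConnectionFactory, authData);
    }

    /** @return the alias under {@link #KEY_AUTH_DATA_ALIAS}, or {@code null} when absent or {@code map} is null */
    private String getAuthDataAlias(Map<String, Object> map) {
        if (map == null) {
            return null;
        }
        return (String) map.get(KEY_AUTH_DATA_ALIAS);
    }

    /**
     * Looks the alias up through the provider. A {@code null} alias is passed
     * through unchanged; the provider decides how to report it.
     */
    private AuthData getAuthData(String str) throws LoginException {
        return AuthDataProvider.getAuthData(str);
    }

    /**
     * Turns resolved auth data into a Subject. Auth data with a Kerberos principal is
     * delegated to {@link KerberosService}; otherwise a password-credential Subject is
     * built, tagged with the invocation principal and made read-only.
     */
    private Subject obtainSubject(ManagedConnectionFactory managedConnectionFactory, AuthData authData) throws LoginException {
        String krb5Principal = authData.getKrb5Principal();
        if (krb5Principal != null) {
            // Test the char[] directly: String.valueOf(char[]) would leave an immutable copy
            // of the password on the heap and throws NPE when no password is configured.
            char[] password = authData.getPassword();
            SerializableProtectedString protectedPassword = (password == null || password.length == 0)
                    ? null
                    : new SerializableProtectedString(password);
            return this.krb5Service.getOrCreateSubject(krb5Principal, protectedPassword, authData.getKrb5TicketCache());
        }
        Subject subject = createSubject(managedConnectionFactory, authData);
        addInvocationSubjectPrincipal(subject);
        optimize(subject);
        return subject;
    }

    /** Creates a Subject whose private credentials hold a {@link PasswordCredential} bound to the factory. */
    private Subject createSubject(ManagedConnectionFactory managedConnectionFactory, AuthData authData) {
        final Subject subject = new Subject();
        final PasswordCredential passwordCredential = new PasswordCredential(authData.getUserName(), authData.getPassword());
        passwordCredential.setManagedConnectionFactory(managedConnectionFactory);
        final Set<Object> privateCredentials = subject.getPrivateCredentials();
        // Subject.getPrivateCredentials().add requires AuthPermission under a security manager.
        runPrivileged(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                privateCredentials.add(passwordCredential);
                return null;
            }
        });
        return subject;
    }

    /** Adds a copy of the current invocation subject's WSPrincipal, if one can be obtained. */
    private void addInvocationSubjectPrincipal(final Subject subject) {
        final WSPrincipal invocationSubjectPrincipal = getInvocationSubjectPrincipal();
        if (invocationSubjectPrincipal == null) {
            return;
        }
        runPrivileged(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                subject.getPrincipals().add(invocationSubjectPrincipal);
                return null;
            }
        });
    }

    /**
     * @return a copy of the invocation subject's WSPrincipal, or {@code null} when no
     *         SubjectManagerService or invocation subject is available, the subject has
     *         no WSPrincipal, or reading it fails
     */
    @FFDCIgnore({Exception.class})
    private WSPrincipal getInvocationSubjectPrincipal() {
        SubjectManagerService subjectManagerService = this.smServiceRef.getService();
        if (subjectManagerService == null) {
            return null;
        }
        Subject invocationSubject = subjectManagerService.getInvocationSubject();
        if (invocationSubject == null) {
            return null;
        }
        try {
            return AccessController.doPrivileged(new GetInvocationSubjectAction(invocationSubject));
        } catch (Exception e) {
            // Best effort: an unreadable invocation principal must not fail the connection
            // request, so it is recorded only in the debug trace.
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Unable to obtain the invocation subject principal", e);
            }
            return null;
        }
    }

    /** Makes the Subject read-only so the credential set cannot be altered after it is handed out. */
    private void optimize(final Subject subject) {
        runPrivileged(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                subject.setReadOnly();
                return null;
            }
        });
    }

    /**
     * Runs {@code action} directly when no security manager is installed, otherwise
     * inside {@link AccessController#doPrivileged(PrivilegedAction)} so the Subject
     * mutation is not denied on behalf of a less-privileged caller on the stack.
     */
    private static void runPrivileged(PrivilegedAction<Void> action) {
        if (System.getSecurityManager() == null) {
            action.run();
        } else {
            AccessController.doPrivileged(action);
        }
    }
}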
