package org.picketlink.identity.federation.core.wstrust.auth;

import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.xml.datatype.XMLGregorianCalendar;
import org.jboss.security.SecurityConstants;
import org.jboss.security.SecurityContext;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.identity.Role;
import org.jboss.security.identity.RoleGroup;
import org.jboss.security.mapping.MappingContext;
import org.jboss.security.mapping.MappingManager;
import org.jboss.security.mapping.MappingType;
import org.picketlink.common.PicketLinkLogger;
import org.picketlink.common.PicketLinkLoggerFactory;
import org.picketlink.common.exceptions.fed.WSTrustException;
import org.picketlink.common.util.StringUtil;
import org.picketlink.identity.federation.core.constants.AttributeConstants;
import org.picketlink.identity.federation.core.constants.PicketLinkFederationConstants;
import org.picketlink.identity.federation.core.factories.JBossAuthCacheInvalidationFactory;
import org.picketlink.identity.federation.core.saml.v2.util.AssertionUtil;
import org.picketlink.identity.federation.core.wstrust.STSClient;
import org.picketlink.identity.federation.core.wstrust.STSClientConfig;
import org.picketlink.identity.federation.core.wstrust.STSClientFactory;
import org.picketlink.identity.federation.core.wstrust.STSClientPool;
import org.picketlink.identity.federation.core.wstrust.SamlCredential;
import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.w3c.dom.Element;

/* loaded from: input_file:WEB-INF/lib/picketlink-federation-2.7.0.Final.jar:org/picketlink/identity/federation/core/wstrust/auth/AbstractSTSLoginModule.class */
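/**
 * Base JAAS login module that authenticates a caller by asking a WS-Trust Security Token
 * Service (STS) for a SAML assertion.
 *
 * <p>Flow, as implemented here:
 * <ol>
 *   <li>{@link #login()} builds an {@link STSClientConfig} from the module options (or a
 *       config file), picks the caller credentials from the options, from the JAAS
 *       {@code sharedState} ({@code useFirstPass}) or from the {@link CallbackHandler}, and
 *       calls the subclass hook {@link #invokeSTS(STSClient)}. The returned assertion element is
 *       kept on this instance and published in {@code sharedState} under {@link #SHARED_TOKEN}.</li>
 *   <li>{@link #commit()} wraps the assertion in a {@link SamlCredential} on the subject's
 *       public credentials and derives principals / role groups from it, either through the
 *       security domain's PicketBox {@link MappingManager} or directly from assertion attributes.</li>
 *   <li>{@link #abort()} and {@link #logout()} drop the {@link SamlCredential}s again.</li>
 * </ol>
 *
 * <p>Note that validation of the assertion (signature, conditions) is not performed in this
 * class; the token is trusted as returned by {@link #invokeSTS(STSClient)}.
 */
public abstract class AbstractSTSLoginModule implements LoginModule {
    protected static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();

    /** {@code sharedState} key under which the issued SAML assertion element is published. */
    public static final String SHARED_TOKEN = "org.picketlink.identity.federation.core.wstrust.lm.stsToken";
    /** Option: "true" authenticates to the STS with the username/password configured in the options. */
    public static final String OPTIONS_CREDENTIALS = "useOptionsCredentials";
    /**
     * Option: any value enables publishing the credentials into {@code sharedState}; the value
     * "useFirstPass" additionally reads the credentials from {@code sharedState}.
     */
    public static final String OPTIONS_PW_STACKING = "password-stacking";
    /** Option: path of an STS client configuration file; when present, other endpoint options are ignored. */
    public static final String STS_CONFIG_FILE = "configFile";
    /** Option: comma-separated attribute names from which roles are read when no role mapping context exists. */
    public static final String ROLE_KEY = "roleKey";
    public static final String ENDPOINT_ADDRESS = "endpointAddress";
    public static final String PORT_NAME = "portName";
    public static final String SERVICE_NAME = "serviceName";
    public static final String USERNAME_KEY = "username";
    /** Option: STS password, either plain or masked ("MASK-" prefix, see {@link #createBuilder()}). */
    public static final String PASSWORD_KEY = "password";
    public static final String IS_BATCH = "isBatch";
    public static final String INITIAL_CLIENTS_IN_POOL = "initialClientsInPool";

    /** Option: "true" registers the mapped principal for auth-cache invalidation at assertion expiry. */
    private static final String CACHE_INVALIDATION_OPTION = "cache.invalidation";
    /** Option: "true" adds a CALLER_PRINCIPAL_GROUP holding every role found in the assertion. */
    private static final String INJECT_CALLER_PRINCIPAL_OPTION = "inject.callerprincipal";
    /** Standard JAAS {@code sharedState} keys used for password stacking. */
    private static final String SHARED_USERNAME_KEY = "javax.security.auth.login.name";
    private static final String SHARED_PASSWORD_KEY = "javax.security.auth.login.password";
    /** Prefix marking a masked (PBE-encoded) password option. */
    private static final String MASKED_PASSWORD_PREFIX = "MASK-";

    protected Subject subject;
    protected CallbackHandler callbackHandler;
    /** The assertion returned by the STS; set by {@link #login()}, cleared by abort/logout. */
    protected Element samlToken;
    protected boolean success;
    protected Map<String, ?> options;
    /** Raw on purpose: the JAAS contract hands us {@code Map<String, ?>} but we must write to it. */
    protected Map sharedState;
    protected boolean passwordStacking;
    protected boolean useFirstPass;
    protected boolean useOptionsCredentials;
    protected String roleKey = AttributeConstants.ROLE_IDENTIFIER_ASSERTION;
    protected boolean enableCacheInvalidation = false;
    protected boolean injectCallerPrincipalGroup = false;
    protected String securityDomain = null;
    protected boolean isBatch = false;
    protected int initialClientsInPool = 0;

    /**
     * Reads the module options. See the {@code OPTIONS_*} / {@code *_KEY} constants for the
     * recognised keys.
     *
     * @throws RuntimeException (from the logger) when {@code cache.invalidation} is configured
     *         without a security domain option
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this.options = options;
        this.sharedState = sharedState;

        String stacking = (String) options.get(OPTIONS_PW_STACKING);
        this.passwordStacking = stacking != null;
        if (this.passwordStacking) {
            this.useFirstPass = "useFirstPass".equals(stacking);
        }
        // parseBoolean(null) is false, so an absent option simply disables it.
        this.useOptionsCredentials = Boolean.parseBoolean((String) options.get(OPTIONS_CREDENTIALS));

        String configuredRoleKey = (String) options.get(ROLE_KEY);
        if (configuredRoleKey != null && configuredRoleKey.length() > 0) {
            this.roleKey = configuredRoleKey;
        }

        String cacheInvalidation = (String) options.get(CACHE_INVALIDATION_OPTION);
        if (cacheInvalidation != null && !cacheInvalidation.isEmpty()) {
            this.enableCacheInvalidation = Boolean.parseBoolean(cacheInvalidation);
            // The security domain is required whenever the option is present, even when it is "false".
            this.securityDomain = (String) options.get(SecurityConstants.SECURITY_DOMAIN_OPTION);
            if (this.securityDomain == null || this.securityDomain.isEmpty()) {
                throw logger.optionNotSet(SecurityConstants.SECURITY_DOMAIN_OPTION);
            }
        }

        String injectCallerPrincipal = (String) options.get(INJECT_CALLER_PRINCIPAL_OPTION);
        if (injectCallerPrincipal != null && !injectCallerPrincipal.isEmpty()) {
            this.injectCallerPrincipalGroup = Boolean.parseBoolean(injectCallerPrincipal);
        }

        String batch = (String) options.get(IS_BATCH);
        if (StringUtil.isNotNull(batch)) {
            this.isBatch = Boolean.parseBoolean(batch);
        }

        String poolSize = (String) options.get(INITIAL_CLIENTS_IN_POOL);
        if (StringUtil.isNotNull(poolSize)) {
            try {
                this.initialClientsInPool = Integer.parseInt(poolSize);
            } catch (NumberFormatException e) {
                // Logged and ignored: the pool size stays at its default of 0 (no pre-created clients).
                logger.cannotParseParameterValue(poolSize, e);
            }
        }
    }

    /**
     * Obtains a SAML assertion from the STS.
     *
     * <p>The pooled {@link STSClient} is handed back to the {@link STSClientPool} on every exit
     * path, including when the STS call fails or returns no token.
     *
     * @return {@code true} when a token was issued
     * @throws LoginException when credentials cannot be collected, the STS call fails, or no
     *         token is returned
     */
    public boolean login() throws LoginException {
        STSClient client = null;
        try {
            STSClientConfig.Builder builder = createBuilder();
            if (this.useOptionsCredentials) {
                useCredentialsFromOptions(builder, this.options);
            } else if (isUseFirstPass()) {
                useCredentialsFromSharedState(builder);
            } else {
                useCredentialsFromCallback(builder);
            }
            if (this.passwordStacking) {
                setPasswordStackingCredentials(builder);
            }
            client = createWSTrustClient(builder.build());
            Element token = invokeSTS(client);
            if (token == null) {
                throw logger.authCouldNotIssueSAMLToken();
            }
            setSuccess(true);
            setSamlToken(token);
            setSharedToken(token);
            return true;
        } catch (WSTrustException e) {
            throw logger.authLoginError(e);
        } finally {
            if (client != null) {
                STSClientPool pool = STSClientFactory.getInstance();
                if (pool != null) {
                    pool.returnClient(client);
                }
            }
        }
    }

    /**
     * Subclass hook performing the actual WS-Trust exchange.
     *
     * @return the issued assertion element, or {@code null} when none was issued
     */
    public abstract Element invokeSTS(STSClient sTSClient) throws WSTrustException, LoginException;

    /**
     * Adds the assertion as a {@link SamlCredential} to the subject's public credentials and
     * populates principals and roles from it.
     *
     * @return {@code false} when {@link #login()} did not succeed, {@code true} otherwise
     * @throws RuntimeException if the assertion cannot be parsed or mapped (see {@link #populateSubject()})
     */
    public boolean commit() throws LoginException {
        if (!this.success) {
            return false;
        }
        SamlCredential credential = new SamlCredential(this.samlToken);
        boolean added = this.subject.getPublicCredentials().add(credential);
        populateSubject();
        if (added) {
            logger.trace("Added Credential " + credential);
        }
        return true;
    }

    public boolean abort() throws LoginException {
        this.success = false;
        clearState();
        return true;
    }

    public boolean logout() throws LoginException {
        clearState();
        return true;
    }

    /**
     * Builds the STS client configuration from the module options.
     *
     * <p>When {@link #STS_CONFIG_FILE} is present the configuration is read from that file and
     * all other endpoint options are ignored. Otherwise endpoint, port, service, username and
     * password come from the options; a password starting with {@code MASK-} is decoded with the
     * configured salt and iteration count.
     *
     * @throws RuntimeException (from the logger) when the config file option is present but
     *         empty, when salt or iteration count are missing for a masked password, or when
     *         decoding fails
     */
    protected STSClientConfig.Builder createBuilder() {
        if (this.options.containsKey(STS_CONFIG_FILE)) {
            return new STSClientConfig.Builder(getRequiredOption(getOptions(), STS_CONFIG_FILE));
        }
        STSClientConfig.Builder builder = new STSClientConfig.Builder();
        builder.endpointAddress((String) this.options.get(ENDPOINT_ADDRESS));
        builder.portName((String) this.options.get(PORT_NAME)).serviceName((String) this.options.get(SERVICE_NAME));
        String password = (String) this.options.get(PASSWORD_KEY);
        builder.username((String) this.options.get(USERNAME_KEY)).password(password);
        builder.setBatch(this.isBatch);

        if (password != null && password.startsWith(MASKED_PASSWORD_PREFIX)) {
            String salt = (String) this.options.get(PicketLinkFederationConstants.SALT);
            if (StringUtil.isNullOrEmpty(salt)) {
                throw logger.optionNotSet("Salt");
            }
            String iterationCount = (String) this.options.get(PicketLinkFederationConstants.ITERATION_COUNT);
            if (StringUtil.isNullOrEmpty(iterationCount)) {
                throw logger.optionNotSet("Iteration Count");
            }
            try {
                builder.password(StringUtil.decode(password, salt, Integer.parseInt(iterationCount)));
            } catch (Exception e) {
                // Deliberately do not echo the masked value: together with the salt and
                // iteration count from the same configuration it is reversible, and this
                // message normally ends up in server logs.
                throw logger.unableToDecodePasswordError("Unable to decode masked password option '" + PASSWORD_KEY + "'");
            }
        }
        return builder;
    }

    /**
     * Collects username and password through the {@link CallbackHandler}. A {@code null} name or
     * password is only traced, leaving whatever {@link #createBuilder()} already set.
     *
     * <p>The password {@code char[]} is wiped after it has been copied into the builder. Because
     * the builder API takes a {@link String}, this is best effort only.
     *
     * @throws LoginException when the handler fails or does not support the callbacks
     */
    protected void useCredentialsFromCallback(STSClientConfig.Builder builder) throws LoginException {
        NameCallback nameCallback = new NameCallback("user:");
        PasswordCallback passwordCallback = new PasswordCallback("password:", true);
        try {
            getCallbackHandler().handle(new Callback[]{nameCallback, passwordCallback});
            String name = nameCallback.getName();
            if (StringUtil.isNotNull(name)) {
                builder.username(name);
            } else {
                logger.trace("UserName from callback is null");
            }
            char[] password = passwordCallback.getPassword();
            if (password != null) {
                try {
                    builder.password(new String(password));
                } finally {
                    Arrays.fill(password, '\0');
                }
            } else {
                logger.trace("Password from callback is null");
            }
        } catch (IOException e) {
            throw logger.authLoginError(e);
        } catch (UnsupportedCallbackException e2) {
            throw logger.authLoginError(e2);
        } finally {
            passwordCallback.clearPassword();
        }
    }

    /** Publishes the credentials used against the STS for subsequent modules in the stack. */
    @SuppressWarnings("unchecked")
    private void setPasswordStackingCredentials(STSClientConfig.Builder builder) {
        Map stacked = this.sharedState;
        stacked.put(SHARED_USERNAME_KEY, builder.getUsername());
        stacked.put(SHARED_PASSWORD_KEY, builder.getPassword());
    }

    /**
     * Uses the credentials stored in {@code sharedState} by an earlier login module.
     *
     * @throws RuntimeException when no password is present in {@code sharedState}; this used to
     *         surface as a bare {@link NullPointerException}
     */
    protected void useCredentialsFromSharedState(STSClientConfig.Builder builder) {
        char[] sharedPassword = getSharedPassword();
        if (sharedPassword == null) {
            throw new RuntimeException("sharedState " + SHARED_PASSWORD_KEY
                    + " is not set; useFirstPass requires a previous login module to store the password");
        }
        builder.username(getSharedUsername()).password(new String(sharedPassword));
    }

    /**
     * Hook for {@link #OPTIONS_CREDENTIALS}. Intentionally empty: {@link #createBuilder()} has
     * already applied {@link #USERNAME_KEY} / {@link #PASSWORD_KEY} from the options. Subclasses
     * may override.
     */
    protected void useCredentialsFromOptions(STSClientConfig.Builder builder, Map<String, ?> map) {
    }

    /** Builds a configuration purely from the {@link #STS_CONFIG_FILE} option of {@code map}. */
    protected STSClientConfig getConfiguration(Map<String, ?> map) {
        return new STSClientConfig.Builder(getRequiredOption(map, STS_CONFIG_FILE)).build();
    }

    /**
     * Borrows an {@link STSClient} from the pool, optionally pre-creating
     * {@link #initialClientsInPool} clients first.
     *
     * @throws RuntimeException (from the logger) wrapping any failure
     */
    protected STSClient createWSTrustClient(STSClientConfig sTSClientConfig) {
        try {
            STSClientPool pool = STSClientFactory.getInstance();
            if (this.initialClientsInPool > 0) {
                // Called on every login; presumably idempotent in STSClientPool — confirm.
                pool.createPool(this.initialClientsInPool, sTSClientConfig);
            }
            return pool.getClient(sTSClientConfig);
        } catch (Exception e) {
            throw logger.authCouldNotCreateWSTrustClient(e);
        }
    }

    /**
     * @return the option value for {@code key}
     * @throws RuntimeException (from the logger) when the option is absent
     */
    protected String getRequiredOption(Map<String, ?> map, String key) {
        String value = (String) map.get(key);
        if (value == null) {
            throw logger.optionNotSet(key);
        }
        return value;
    }

    protected boolean isSuccess() {
        return this.success;
    }

    protected void setSuccess(boolean z) {
        this.success = z;
    }

    protected Subject getSubject() {
        return this.subject;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public CallbackHandler getCallbackHandler() {
        return this.callbackHandler;
    }

    protected void setSamlToken(Element element) {
        this.samlToken = element;
    }

    /** Publishes the token under {@link #SHARED_TOKEN}; a no-op without {@code sharedState}. */
    @SuppressWarnings("unchecked")
    protected void setSharedToken(Object obj) {
        if (this.sharedState != null) {
            this.sharedState.put(SHARED_TOKEN, obj);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Object getSharedToken() {
        return this.sharedState == null ? null : this.sharedState.get(SHARED_TOKEN);
    }

    protected Map<String, ?> getOptions() {
        return this.options;
    }

    /**
     * @return the stacked username, or {@code null} when none is present
     * @throws RuntimeException when the entry is neither a {@link String} nor a {@link Principal}
     */
    protected String getSharedUsername() {
        if (this.sharedState == null) {
            return null;
        }
        Object stored = this.sharedState.get(SHARED_USERNAME_KEY);
        if (stored == null) {
            return null;
        }
        if (stored instanceof String) {
            return (String) stored;
        }
        if (stored instanceof Principal) {
            return ((Principal) stored).getName();
        }
        throw new RuntimeException("sharedState " + SHARED_USERNAME_KEY
                + " is supposed to contain String or Principal, but contains " + stored.getClass().getName());
    }

    /**
     * @return the stacked password (the stored array itself when it is a {@code char[]}), or
     *         {@code null} when absent or of an unsupported type
     */
    protected char[] getSharedPassword() {
        if (this.sharedState == null) {
            return null;
        }
        Object stored = this.sharedState.get(SHARED_PASSWORD_KEY);
        if (stored instanceof char[]) {
            return (char[]) stored;
        }
        if (stored instanceof String) {
            return ((String) stored).toCharArray();
        }
        return null;
    }

    protected boolean isUseFirstPass() {
        return this.useFirstPass;
    }

    protected boolean isUsePasswordStacking() {
        return this.passwordStacking;
    }

    protected boolean isUseOptionsConfig() {
        return this.useOptionsCredentials;
    }

    /**
     * Drops the {@link SamlCredential}s and the held token.
     *
     * <p>NOTE(review): the principals and groups added by {@link #populateSubject()} are not
     * removed here, so they remain on the subject after {@link #logout()}.
     */
    private void clearState() {
        removeAllSamlCredentials(this.subject);
        this.samlToken = null;
    }

    /** Removes every {@link SamlCredential} from the subject's public credentials. */
    public static void removeAllSamlCredentials(Subject subject) {
        Set<SamlCredential> samlCredentials = subject.getPublicCredentials(SamlCredential.class);
        if (!samlCredentials.isEmpty()) {
            subject.getPublicCredentials().removeAll(samlCredentials);
        }
    }

    /**
     * Derives principals and roles from the held assertion and adds them to the subject.
     *
     * <p>Does nothing without a {@link MappingManager} on the current security context. With a
     * principal mapping context the mapped principal is added (and registered for cache expiry
     * when enabled); with a role mapping context the mapped {@link RoleGroup} is added as a
     * {@link SimpleGroup}, otherwise roles are read from the attributes named by
     * {@link #roleKey} into a group named {@link SecurityConstants#ROLES_IDENTIFIER}. With
     * {@code inject.callerprincipal} every role in the assertion is additionally added under
     * {@link SecurityConstants#CALLER_PRINCIPAL_GROUP}.
     *
     * @throws RuntimeException wrapping any parsing or mapping failure
     */
    protected void populateSubject() {
        MappingManager mappingManager = getMappingManager();
        if (mappingManager == null) {
            return;
        }
        MappingContext principalMapping = lookupMappingContext(mappingManager, MappingType.PRINCIPAL, Principal.class);
        MappingContext roleMapping = lookupMappingContext(mappingManager, MappingType.ROLE, RoleGroup.class);

        Map<String, Object> mappingInput = new HashMap<String, Object>();
        mappingInput.put(SHARED_TOKEN, this.samlToken);
        try {
            AssertionType assertion = SAMLUtil.fromElement(this.samlToken);

            if (principalMapping != null) {
                principalMapping.performMapping(mappingInput, null);
                Principal principal = (Principal) principalMapping.getMappingResult().getMappedObject();
                this.subject.getPrincipals().add(principal);
                if (this.enableCacheInvalidation) {
                    JBossAuthCacheInvalidationFactory.TimeCacheExpiry cacheExpiry = JBossAuthCacheInvalidationFactory.getCacheExpiry();
                    XMLGregorianCalendar expiration = AssertionUtil.getExpiration(assertion);
                    if (expiration != null) {
                        cacheExpiry.register(this.securityDomain, expiration.toGregorianCalendar().getTime(), principal);
                    } else {
                        // Nothing is registered in this case, so no expiry is scheduled for the cached principal.
                        logger.samlAssertionWithoutExpiration(assertion.getID());
                    }
                }
            }

            if (roleMapping != null) {
                roleMapping.performMapping(mappingInput, null);
                RoleGroup roleGroup = (RoleGroup) roleMapping.getMappingResult().getMappedObject();
                SimpleGroup mappedRoles = new SimpleGroup(roleGroup.getRoleName());
                for (Role role : roleGroup.getRoles()) {
                    mappedRoles.addMember(new SimplePrincipal(role.getRoleName()));
                }
                this.subject.getPrincipals().add(mappedRoles);
            } else {
                List<String> roleAttributeNames = new ArrayList<String>(StringUtil.tokenize(this.roleKey));
                List<String> roles = AssertionUtil.getRoles(assertion, roleAttributeNames);
                if (!roles.isEmpty()) {
                    SimpleGroup assertionRoles = new SimpleGroup(SecurityConstants.ROLES_IDENTIFIER);
                    for (String role : roles) {
                        assertionRoles.addMember(new SimplePrincipal(role));
                    }
                    this.subject.getPrincipals().add(assertionRoles);
                }
            }

            if (this.injectCallerPrincipalGroup) {
                SimpleGroup callerGroup = new SimpleGroup(SecurityConstants.CALLER_PRINCIPAL_GROUP);
                for (String role : AssertionUtil.getRoles(assertion, (List<String>) null)) {
                    callerGroup.addMember(new SimplePrincipal(role));
                }
                this.subject.getPrincipals().add(callerGroup);
            }
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Looks up a mapping context by {@link MappingType} name, falling back to the class-keyed
     * lookup when the runtime PicketBox lacks the String-keyed method (the
     * {@link NoSuchMethodError} path appears to cover older PicketBox versions — confirm).
     *
     * @return the context, or {@code null} when none is configured
     */
    private static MappingContext lookupMappingContext(MappingManager manager, MappingType type, Class<?> legacyKey) {
        try {
            return manager.getMappingContext(type.toString());
        } catch (NoSuchMethodError e) {
            return manager.getMappingContext(legacyKey);
        }
    }

    /** @return the mapping manager of the current security context, or {@code null} without one */
    protected MappingManager getMappingManager() {
        SecurityContext securityContext = SecurityActions.getSecurityContext();
        if (securityContext == null) {
            return null;
        }
        return securityContext.getMappingManager();
    }
}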
