package com.ibm.ws.security.mp.jwt.tai;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.ManualTrace;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.websphere.security.jwt.JwtToken;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.authentication.filter.AuthenticationFilter;
import com.ibm.ws.security.common.jwk.utils.JsonUtils;
import com.ibm.ws.security.mp.jwt.MicroProfileJwtConfig;
import com.ibm.ws.security.mp.jwt.MpConfigProxyService;
import com.ibm.ws.security.mp.jwt.config.MpConfigUtil;
import com.ibm.ws.security.mp.jwt.error.ErrorHandlerImpl;
import com.ibm.ws.security.mp.jwt.error.MpJwtProcessingException;
import com.ibm.ws.security.mp.jwt.impl.utils.MicroProfileJwtTaiRequest;
import com.ibm.ws.webcontainer.security.ReferrerURLCookieHandler;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import java.util.Iterator;
import java.util.Map;
import java.util.Properties;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;

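@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(service = {TrustAssociationInterceptor.class}, immediate = true, configurationPolicy = ConfigurationPolicy.IGNORE, name = "microProfileJwtTAI", property = {"service.vendor=IBM", "type=microProfileJwtTAI", "id=MPJwtTAI", "TAIName=MPJwtTAI", "invokeBeforeSSO:Boolean=true", "addLTPACookieToResponse:Boolean=false"})
/* loaded from: input_file:com/ibm/ws/security/mp/jwt/tai/MicroProfileJwtTAI.class */
/**
 * Trust Association Interceptor (TAI) that authenticates inbound HTTP requests carrying a
 * MicroProfile JWT bearer token.
 *
 * <p>The class is an OSGi declarative-services component. The {@code set*}/{@code unset*}
 * methods are reference binders that populate the static service-reference holders; the
 * request-time path is {@link #isTargetInterceptor} (decide whether this TAI applies) followed
 * by {@link #negotiateValidateandEstablishTrust} (resolve the matching {@link MicroProfileJwtConfig},
 * extract and validate the bearer token, and build a {@link TAIResult}).
 *
 * <p>Failure handling: every error path is funnelled through {@link #sendToErrorPage}; a
 * missing or unparseable token yields a 401, while a request for which no unique
 * {@code mpJwt} configuration can be resolved yields the caller-supplied default (403 from
 * {@link #negotiateValidateandEstablishTrust}). The raw token and the decoded claims are
 * credentials and are deliberately kept out of the manual entry/exit traces.
 */
public class MicroProfileJwtTAI implements TrustAssociationInterceptor {
    /** OSGi property carrying the service PID; used to key {@link #authFilterServiceRef}. */
    public static final String KEY_SERVICE_PID = "service.pid";
    /** OSGi property carrying a config's id. Same value as {@link #KEY_ID}; both kept for API compatibility. */
    public static final String KEY_PROVIDER_ID = "id";
    /** OSGi property carrying a config's id; used to key {@link #mpJwtConfigRef}. */
    public static final String KEY_ID = "id";
    /** Reference name of the mpJwt config service. Same value as {@link #KEY_MP_JWT_CONFIG}. */
    private static final String KEY_MPJWT_CONFIG = "microProfileJwtConfig";
    public static final String KEY_LOCATION_ADMIN = "locationAdmin";
    public static final String KEY_AUTH_CACHE_SERVICE = "authCacheService";
    /** Reference name of the mpJwt config service (public twin of {@link #KEY_MPJWT_CONFIG}). */
    public static final String KEY_MP_JWT_CONFIG = "microProfileJwtConfig";
    /**
     * Request attribute under which {@link TAIRequestHelper} stores the per-request
     * {@link MicroProfileJwtTaiRequest} during {@link #isTargetInterceptor}, and from which
     * {@link #negotiateValidateandEstablishTrust} reads it back.
     */
    public static final String ATTRIBUTE_TAI_REQUEST = "MPJwtTaiRequest";
    /** Name of the JWT ID claim. */
    public static final String JTI_CLAIM = "jti";
    TAIJwtUtils taiJwtUtils = new TAIJwtUtils();
    ReferrerURLCookieHandler referrerURLCookieHandler = null;
    TAIRequestHelper taiRequestHelper = new TAIRequestHelper();
    MpConfigUtil mpConfigUtil;
    // Retained from the original class; the class does not visibly implement Serializable here.
    static final long serialVersionUID = -5282451228455552443L;
    private static TraceComponent tc = Tr.register(MicroProfileJwtTAI.class, "MPJWT", "com.ibm.ws.security.mp.jwt.resources.MicroProfileJwtMessages");
    public static final String KEY_SECURITY_SERVICE = "securityService";
    static final AtomicServiceReference<SecurityService> securityServiceRef = new AtomicServiceReference<>(KEY_SECURITY_SERVICE);
    public static final String KEY_FILTER = "authFilter";
    /** Authentication filters keyed by service PID; guarded by {@code synchronized (authFilterServiceRef)} in the binders. */
    protected static final ConcurrentServiceReferenceMap<String, AuthenticationFilter> authFilterServiceRef = new ConcurrentServiceReferenceMap<>(KEY_FILTER);
    /** mpJwt configurations keyed by their {@code id} property; guarded by {@code synchronized (mpJwtConfigRef)} in the binders. */
    static final ConcurrentServiceReferenceMap<String, MicroProfileJwtConfig> mpJwtConfigRef = new ConcurrentServiceReferenceMap<>(KEY_MP_JWT_CONFIG);
    public static final String KEY_MP_JWT_EXTENSION_SERVICE = "mpJwtExtensionService";
    static final AtomicServiceReference<MpConfigProxyService> mpConfigProxyServiceRef = new AtomicServiceReference<>(KEY_MP_JWT_EXTENSION_SERVICE);

    /**
     * Creates the interceptor. The {@link MpConfigUtil} is bound to the static
     * {@link #mpConfigProxyServiceRef} so that it sees the proxy service whenever it is bound.
     */
    public MicroProfileJwtTAI() {
        this.mpConfigUtil = new MpConfigUtil(mpConfigProxyServiceRef);
    }

    /**
     * DS binder for the {@link SecurityService} reference.
     *
     * @param serviceReference the bound service reference
     */
    @Reference(service = SecurityService.class, name = KEY_SECURITY_SERVICE, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    public void setSecurityService(ServiceReference<SecurityService> serviceReference) {
        securityServiceRef.setReference(serviceReference);
    }

    /**
     * DS unbinder for the {@link SecurityService} reference.
     *
     * @param serviceReference the reference being unbound
     */
    public void unsetSecurityService(ServiceReference<SecurityService> serviceReference) {
        securityServiceRef.unsetReference(serviceReference);
    }

    /**
     * DS binder for an {@link AuthenticationFilter}; the filter is keyed by its service PID.
     *
     * @param serviceReference the bound filter reference
     */
    @Reference(service = AuthenticationFilter.class, name = KEY_FILTER, policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.MULTIPLE, policyOption = ReferencePolicyOption.RELUCTANT)
    protected void setAuthFilter(ServiceReference<AuthenticationFilter> serviceReference) {
        String pid = (String) serviceReference.getProperty(KEY_SERVICE_PID);
        synchronized (authFilterServiceRef) {
            authFilterServiceRef.putReference(pid, serviceReference);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " setAuthFilter pid:" + pid, new Object[0]);
            Tr.debug(tc, "@AV999 setAuthFilter service ref:" + getAuthFilter(pid), new Object[0]);
        }
    }

    /**
     * DS updated-callback for an {@link AuthenticationFilter}; re-puts the reference under its PID.
     *
     * @param serviceReference the updated filter reference
     */
    protected void updatedAuthFilter(ServiceReference<AuthenticationFilter> serviceReference) {
        String pid = (String) serviceReference.getProperty(KEY_SERVICE_PID);
        synchronized (authFilterServiceRef) {
            authFilterServiceRef.putReference(pid, serviceReference);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " setAuthFilter pid:" + pid, new Object[0]);
        }
    }

    /**
     * DS unbinder for an {@link AuthenticationFilter}.
     *
     * @param serviceReference the filter reference being unbound
     */
    protected void unsetAuthFilter(ServiceReference<AuthenticationFilter> serviceReference) {
        String pid = (String) serviceReference.getProperty(KEY_SERVICE_PID);
        synchronized (authFilterServiceRef) {
            authFilterServiceRef.removeReference(pid, serviceReference);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " unsetAuthFilter pid:" + pid, new Object[0]);
        }
    }

    /**
     * Looks up a bound {@link AuthenticationFilter} by service PID.
     *
     * @param str the filter's service PID
     * @return the filter service, or whatever the reference map yields when the PID is unknown
     */
    public static AuthenticationFilter getAuthFilter(String str) {
        return (AuthenticationFilter) authFilterServiceRef.getService(str);
    }

    /**
     * DS binder for a {@link MicroProfileJwtConfig}; the config is keyed by its {@code id} property.
     *
     * @param serviceReference the bound config reference
     */
    @Reference(service = MicroProfileJwtConfig.class, name = KEY_MP_JWT_CONFIG, policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.MULTIPLE, policyOption = ReferencePolicyOption.RELUCTANT)
    protected void setMicroProfileJwtConfig(ServiceReference<MicroProfileJwtConfig> serviceReference) {
        String id = (String) serviceReference.getProperty(KEY_ID);
        synchronized (mpJwtConfigRef) {
            mpJwtConfigRef.putReference(id, serviceReference);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " setMicroProfileJwtConfig id:" + id + " Number of references is now: " + mpJwtConfigRef.size() + "service = " + mpJwtConfigRef.getService(id), new Object[0]);
        }
    }

    /**
     * DS updated-callback for a {@link MicroProfileJwtConfig}; re-puts the reference under its id.
     *
     * @param serviceReference the updated config reference
     */
    protected void updatedMicroProfileJwtConfig(ServiceReference<MicroProfileJwtConfig> serviceReference) {
        String id = (String) serviceReference.getProperty(KEY_ID);
        synchronized (mpJwtConfigRef) {
            mpJwtConfigRef.putReference(id, serviceReference);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " updateMicroProfileJwtConfig id:" + id, new Object[0]);
        }
    }

    /**
     * DS unbinder for a {@link MicroProfileJwtConfig}.
     *
     * @param serviceReference the config reference being unbound
     */
    protected void unsetMicroProfileJwtConfig(ServiceReference<MicroProfileJwtConfig> serviceReference) {
        String id = (String) serviceReference.getProperty(KEY_ID);
        synchronized (mpJwtConfigRef) {
            mpJwtConfigRef.removeReference(id, serviceReference);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " unsetMicroProfileJwtConfig id:" + id, new Object[0]);
        }
    }

    /**
     * Looks up a bound {@link MicroProfileJwtConfig} by its id.
     *
     * @param str the config id
     * @return the config service, or whatever the reference map yields when the id is unknown
     */
    public static MicroProfileJwtConfig getMicroProfileJwtConfig(String str) {
        return (MicroProfileJwtConfig) mpJwtConfigRef.getService(str);
    }

    /**
     * Returns an iterator over every bound {@link MicroProfileJwtConfig} service.
     *
     * @return iterator over the bound config services
     */
    public static Iterator<MicroProfileJwtConfig> getServices() {
        return mpJwtConfigRef.getServices();
    }

    /**
     * DS binder for the optional {@link MpConfigProxyService}.
     *
     * @param serviceReference the bound proxy service reference
     */
    @Reference(service = MpConfigProxyService.class, name = KEY_MP_JWT_EXTENSION_SERVICE, cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    protected void setMpConfigProxyService(ServiceReference<MpConfigProxyService> serviceReference) {
        mpConfigProxyServiceRef.setReference(serviceReference);
    }

    /**
     * DS unbinder for the optional {@link MpConfigProxyService}.
     *
     * @param serviceReference the reference being unbound
     */
    protected void unsetMpConfigProxyService(ServiceReference<MpConfigProxyService> serviceReference) {
        mpConfigProxyServiceRef.unsetReference(serviceReference);
    }

    /**
     * DS activation: activates every service-reference holder against the component context.
     *
     * @param componentContext the DS component context
     * @param map component properties (unused)
     */
    @Activate
    protected void activate(ComponentContext componentContext, Map<String, Object> map) {
        synchronized (authFilterServiceRef) {
            authFilterServiceRef.activate(componentContext);
        }
        synchronized (mpJwtConfigRef) {
            mpJwtConfigRef.activate(componentContext);
        }
        securityServiceRef.activate(componentContext);
        mpConfigProxyServiceRef.activate(componentContext);
    }

    /**
     * DS modified-callback. Configuration policy is IGNORE, so there is nothing to apply.
     *
     * @param componentContext the DS component context
     * @param map component properties (unused)
     */
    @Modified
    protected void modified(ComponentContext componentContext, Map<String, Object> map) {
    }

    /**
     * DS deactivation: drops every bound mpJwt config reference and deactivates all holders.
     *
     * @param componentContext the DS component context
     */
    @Deactivate
    protected void deactivate(ComponentContext componentContext) {
        synchronized (authFilterServiceRef) {
            authFilterServiceRef.deactivate(componentContext);
        }
        synchronized (mpJwtConfigRef) {
            // Removes while iterating keySet(); assumes the reference map's key view tolerates
            // concurrent removal — TODO confirm against ConcurrentServiceReferenceMap.
            for (String id : mpJwtConfigRef.keySet()) {
                mpJwtConfigRef.removeReference(id, mpJwtConfigRef.getReference(id));
            }
            mpJwtConfigRef.deactivate(componentContext);
        }
        securityServiceRef.deactivate(componentContext);
        mpConfigProxyServiceRef.deactivate(componentContext);
    }

    /**
     * Decides whether this TAI should handle the request.
     *
     * <p>As a side effect the helper creates a {@link MicroProfileJwtTaiRequest} and stores it
     * under {@link #ATTRIBUTE_TAI_REQUEST}; {@link #negotiateValidateandEstablishTrust} relies on
     * that attribute being present.
     *
     * @param httpServletRequest the inbound request
     * @return {@code true} when the request carries something this TAI should process
     * @throws WebTrustAssociationException declared by the TAI contract
     */
    @ManualTrace
    public boolean isTargetInterceptor(HttpServletRequest httpServletRequest) throws WebTrustAssociationException {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "isTargetInterceptor", new Object[]{httpServletRequest});
        }
        MicroProfileJwtTaiRequest taiRequest = this.taiRequestHelper.createMicroProfileJwtTaiRequestAndSetRequestAttribute(httpServletRequest);
        boolean handledByTai = this.taiRequestHelper.requestShouldBeHandledByTAI(httpServletRequest, taiRequest, isNewMpJwtAndMpConfig(httpServletRequest));
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, "isTargetInterceptor", Boolean.valueOf(handledByTai));
        }
        return handledByTai;
    }

    /**
     * Reports whether MicroProfile Config supplies any mpJwt settings for this request.
     *
     * @param httpServletRequest the inbound request
     * @return {@code true} when the MP Config map for the request is non-empty
     */
    private boolean isNewMpJwtAndMpConfig(HttpServletRequest httpServletRequest) {
        return !this.mpConfigUtil.getMpConfig(httpServletRequest).isEmpty();
    }

    /**
     * TAI entry point: validates the request's JWT and establishes the authenticated subject.
     *
     * <p>The default result handed down is a 403; it is what the caller receives when no unique
     * mpJwt configuration can be resolved for the request.
     *
     * @param httpServletRequest the inbound request
     * @param httpServletResponse the response (may be used to render an error)
     * @return a 200 result with the subject on success, otherwise an error result
     * @throws WebTrustAssociationFailedException declared by the TAI contract
     */
    @ManualTrace
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws WebTrustAssociationFailedException {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "negotiateValidateandEstablishTrust", new Object[]{httpServletRequest, httpServletResponse});
        }
        MicroProfileJwtTaiRequest taiRequest = (MicroProfileJwtTaiRequest) httpServletRequest.getAttribute(ATTRIBUTE_TAI_REQUEST);
        TAIResult result = getAssociatedConfigAndHandleRequest(httpServletRequest, httpServletResponse, taiRequest, TAIResult.create(403));
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, "negotiateValidateandEstablishTrust", result);
        }
        return result;
    }

    /**
     * Resolves the single mpJwt configuration matching the request and delegates to it.
     *
     * @param httpServletRequest the inbound request
     * @param httpServletResponse the response
     * @param microProfileJwtTaiRequest per-request state created by {@link #isTargetInterceptor}
     * @param tAIResult default result used when no unique config can be resolved
     * @return the validation result, or {@code tAIResult} routed through the error page
     * @throws WebTrustAssociationFailedException propagated from the delegate
     */
    @FFDCIgnore({MpJwtProcessingException.class})
    @ManualTrace
    TAIResult getAssociatedConfigAndHandleRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, MicroProfileJwtTaiRequest microProfileJwtTaiRequest, TAIResult tAIResult) throws WebTrustAssociationFailedException {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "getAssociatedConfigAndHandleRequest", new Object[]{httpServletRequest, httpServletResponse, microProfileJwtTaiRequest, tAIResult});
        }
        try {
            // getOnlyMatchingConfig() throws when zero or several configs match; ambiguity is a hard failure.
            TAIResult result = handleRequestBasedOnJwtConfig(httpServletRequest, httpServletResponse, microProfileJwtTaiRequest.getOnlyMatchingConfig(), tAIResult);
            if (tc.isDebugEnabled()) {
                Tr.exit(tc, "getAssociatedConfigAndHandleRequest", result);
            }
            return result;
        } catch (MpJwtProcessingException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "A unique mpJwt config wasn't found for this request. Exception was " + e.getMessage(), new Object[0]);
            }
            TAIResult errorResult = sendToErrorPage(httpServletResponse, tAIResult);
            if (tc.isDebugEnabled()) {
                Tr.exit(tc, "getAssociatedConfigAndHandleRequest", errorResult);
            }
            return errorResult;
        }
    }

    /**
     * Runs token extraction and validation against a resolved configuration.
     *
     * @param httpServletRequest the inbound request
     * @param httpServletResponse the response
     * @param microProfileJwtConfig the resolved config; {@code null} means request initialization failed
     * @param tAIResult default result returned (via the error page) when the config is {@code null}
     * @return the validation result or the routed default
     * @throws WebTrustAssociationFailedException propagated from validation
     */
    @ManualTrace
    TAIResult handleRequestBasedOnJwtConfig(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, MicroProfileJwtConfig microProfileJwtConfig, TAIResult tAIResult) throws WebTrustAssociationFailedException {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "handleRequestBasedOnJwtConfig", new Object[]{httpServletRequest, httpServletResponse, microProfileJwtConfig, tAIResult});
        }
        if (microProfileJwtConfig == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Client config for request could not be found. An error must have occurred initializing this request.", new Object[0]);
            }
            TAIResult errorResult = sendToErrorPage(httpServletResponse, tAIResult);
            if (tc.isDebugEnabled()) {
                Tr.exit(tc, "handleRequestBasedOnJwtConfig", errorResult);
            }
            return errorResult;
        }
        TAIResult result = getAndValidateMicroProfileJwt(httpServletRequest, httpServletResponse, microProfileJwtConfig);
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, "handleRequestBasedOnJwtConfig", result);
        }
        return result;
    }

    /**
     * TAI contract hook; no properties are consumed (configuration arrives via DS references).
     *
     * @param properties TAI properties (unused)
     * @return 0, signalling success
     * @throws WebTrustAssociationFailedException declared by the TAI contract
     */
    public int initialize(Properties properties) throws WebTrustAssociationFailedException {
        return 0;
    }

    /** TAI contract hook; no version string is published. */
    public String getVersion() {
        return null;
    }

    /** TAI contract hook; no type string is published. */
    public String getType() {
        return null;
    }

    /** TAI contract hook; nothing to release. */
    public void cleanup() {
    }

    /**
     * Extracts the bearer token from the request and validates it.
     *
     * @param httpServletRequest the inbound request
     * @param httpServletResponse the response
     * @param microProfileJwtConfig the resolved config
     * @return the validation result; a 401 (via the error page) when no token is present
     * @throws WebTrustAssociationFailedException propagated from validation
     */
    @ManualTrace
    TAIResult getAndValidateMicroProfileJwt(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, MicroProfileJwtConfig microProfileJwtConfig) throws WebTrustAssociationFailedException {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "getAndValidateMicroProfileJwt", new Object[]{httpServletRequest, httpServletResponse, microProfileJwtConfig});
        }
        String bearerToken = this.taiRequestHelper.getBearerToken(httpServletRequest, microProfileJwtConfig);
        if (bearerToken == null) {
            Tr.error(tc, "JWT_NOT_FOUND_IN_REQUEST", new Object[0]);
            TAIResult errorResult = sendToErrorPage(httpServletResponse, TAIResult.create(401));
            if (tc.isDebugEnabled()) {
                Tr.exit(tc, "getAndValidateMicroProfileJwt", errorResult);
            }
            return errorResult;
        }
        TAIResult result = handleMicroProfileJwtValidation(httpServletRequest, httpServletResponse, microProfileJwtConfig, bearerToken, false);
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, "getAndValidateMicroProfileJwt", result);
        }
        return result;
    }

    /**
     * Parses and validates a bearer token, then builds the TAI result.
     *
     * <p>When MP Config supplies mpJwt settings the token is parsed through the config's
     * consumer utils with those settings; otherwise through {@link TAIJwtUtils}. The payload is
     * decoded only after that step has succeeded. Any failure in parsing, decoding or result
     * creation is reported as a 401 routed through the error page.
     *
     * @param httpServletRequest the inbound request
     * @param httpServletResponse the response
     * @param microProfileJwtConfig the resolved config
     * @param str the raw bearer token; treated as a credential and never traced
     * @param z whether to add an LTPA cookie / populate the subject accordingly (passed through to the mapping helper)
     * @return a 200 result carrying the subject, or a 401 error result
     * @throws WebTrustAssociationFailedException propagated from result creation
     */
    @FFDCIgnore({Exception.class})
    @ManualTrace
    public TAIResult handleMicroProfileJwtValidation(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, MicroProfileJwtConfig microProfileJwtConfig, @Sensitive String str, boolean z) throws WebTrustAssociationFailedException {
        if (tc.isDebugEnabled()) {
            // The raw bearer token is a credential: it is kept out of the manual entry trace.
            Tr.entry(tc, "handleMicroProfileJwtValidation", new Object[]{httpServletRequest, httpServletResponse, microProfileJwtConfig});
        }
        JwtToken jwtToken = null;
        String decodedPayload = null;
        // With a null token both stay null and createResult decides the outcome; callers in this
        // class only reach here with a non-null token.
        if (str != null) {
            try {
                Map<String, String> mpConfig = this.mpConfigUtil.getMpConfig(httpServletRequest);
                if (mpConfig.isEmpty()) {
                    jwtToken = this.taiJwtUtils.createJwt(str, microProfileJwtConfig.getUniqueId());
                } else {
                    jwtToken = microProfileJwtConfig.getConsumerUtils().parseJwt(str, microProfileJwtConfig, mpConfig);
                }
                // Reached only if parsing above did not throw.
                decodedPayload = JsonUtils.decodeFromBase64String(JsonUtils.getPayload(str));
            } catch (Exception e) {
                Tr.error(tc, "ERROR_CREATING_JWT_USING_TOKEN_IN_REQ", new Object[]{e.getLocalizedMessage()});
                return sendToErrorPage(httpServletResponse, TAIResult.create(401));
            }
        }
        try {
            TAIResult result = createResult(httpServletResponse, microProfileJwtConfig, jwtToken, decodedPayload, z);
            if (tc.isDebugEnabled()) {
                Tr.exit(tc, "handleMicroProfileJwtValidation", result);
            }
            return result;
        } catch (Exception e2) {
            // @FFDCIgnore(Exception) suppresses automatic FFDC; processing exceptions are recorded explicitly.
            if (e2 instanceof MpJwtProcessingException) {
                FFDCFilter.processException(e2, MicroProfileJwtTAI.class.getName(), "387");
            }
            Tr.error(tc, "ERROR_CREATING_RESULT", new Object[]{microProfileJwtConfig.getUniqueId(), e2.getLocalizedMessage()});
            return sendToErrorPage(httpServletResponse, TAIResult.create(401));
        }
    }

    /**
     * Builds the successful TAI result: maps the token to a principal and subject.
     *
     * @param httpServletResponse the response (traced only)
     * @param microProfileJwtConfig the resolved config
     * @param jwtToken the validated token; sensitive, not traced
     * @param str the decoded JWT payload; sensitive, not traced
     * @param z passed through to the mapping helper when populating custom properties and the subject
     * @return a 200 result carrying the mapped username and subject
     * @throws WebTrustAssociationFailedException propagated from the mapping helper
     * @throws MpJwtProcessingException propagated from the mapping helper
     */
    @ManualTrace
    TAIResult createResult(HttpServletResponse httpServletResponse, MicroProfileJwtConfig microProfileJwtConfig, @Sensitive JwtToken jwtToken, @Sensitive String str, boolean z) throws WebTrustAssociationFailedException, MpJwtProcessingException {
        if (tc.isDebugEnabled()) {
            // jwtToken and the decoded payload are @Sensitive; the manual entry trace must not print them.
            Tr.entry(tc, "createResult", new Object[]{httpServletResponse, microProfileJwtConfig});
        }
        TAIMappingHelper mappingHelper = new TAIMappingHelper(str, microProfileJwtConfig);
        mappingHelper.createJwtPrincipalAndPopulateCustomProperties(jwtToken, z);
        TAIResult result = TAIResult.create(200, mappingHelper.getUsername(), mappingHelper.createSubjectFromCustomProperties(z));
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, "createResult", result);
        }
        return result;
    }

    /**
     * Routes an error result through the configured error handler.
     *
     * @param httpServletResponse the response to write the error to; may be {@code null}
     * @param tAIResult the error result
     * @return the handler's result, or {@code tAIResult} unchanged when there is no response
     */
    TAIResult sendToErrorPage(HttpServletResponse httpServletResponse, TAIResult tAIResult) {
        if (httpServletResponse == null) {
            return tAIResult;
        }
        return ErrorHandlerImpl.getInstance().handleErrorResponse(httpServletResponse, tAIResult);
    }
}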
