package com.ibm.ws.security.mp.jwt.tai;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.ManualTrace;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.jwt.JwtToken;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.crypto.HashUtils;
import com.ibm.ws.security.mp.jwt.MicroProfileJwtConfig;
import com.ibm.ws.security.mp.jwt.error.MpJwtProcessingException;
import com.ibm.ws.security.mp.jwt.impl.utils.JwtPrincipalMapping;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.Subject;
import org.eclipse.microprofile.jwt.JsonWebToken;

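/**
 * Bridges a decoded MicroProfile JWT payload to Liberty's authentication model.
 *
 * <p>On construction the payload is handed to a {@link JwtPrincipalMapping} that resolves the
 * user name, groups and realm from the configured claims; construction fails with
 * {@link MpJwtProcessingException} when no user name can be mapped (see {@link #setUsername()}).
 * {@link #createJwtPrincipalAndPopulateCustomProperties(JwtToken, boolean)} then builds the
 * {@link JsonWebToken} principal and the custom-properties hashtable that
 * {@link #createSubjectFromCustomProperties(boolean)} packs into a {@link Subject}.
 *
 * <p>NOTE(review): this helper performs no signature, issuer or expiry validation of its own; it
 * maps whatever payload it is given. The {@code sid} and {@code apr} claims are copied from the
 * token into the authentication cache key and auth-provider properties, so those properties are
 * only as trustworthy as the validation the caller (presumably the TAI) did before constructing
 * this helper — confirm against the caller.
 *
 * <p>Not thread-safe: the mapping steps mutate instance fields without synchronization.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class TAIMappingHelper {
    private static TraceComponent tc = Tr.register(TAIMappingHelper.class, "MPJWT", "com.ibm.ws.security.mp.jwt.resources.MicroProfileJwtMessages");

    /** Decoded JWT payload as given to the constructor; flagged {@code @Sensitive} for the trace framework. */
    @Sensitive
    String decodedTokenPayload;
    /** Resolves user, groups and realm from the payload; {@code null} when no payload was supplied. */
    JwtPrincipalMapping claimToPrincipalMapping;
    /** Feature configuration, or {@code null} when constructed with the single-argument constructor. */
    MicroProfileJwtConfig config;
    /** Claim that carries a caller-supplied custom cache key. */
    protected static final String CCK_CLAIM = "sid";
    /** Claim that names the custom authentication provider. */
    protected static final String APR_CLAIM = "apr";
    // Retained from the original class even though it is not Serializable.
    static final long serialVersionUID = -1498846004862557922L;
    /** Custom-property key written by {@link #addDisableSsoLtpaCacheProp()}. */
    String INTERNAL_DISABLE_SSO_LTPA_CACHE = "com.ibm.ws.authentication.internal.sso.disable.ltpa.cache";
    String username = null;
    String realm = null;
    JsonWebToken jwtPrincipal = null;
    Hashtable<String, Object> customProperties = new Hashtable<>();
    TAIJwtUtils taiJwtUtils = new TAIJwtUtils();

    /**
     * Maps the payload using the built-in defaults: the {@code upn} claim names the user, the
     * {@code groups} claim lists the groups, and the user is not mapped to the user registry.
     *
     * @param str decoded JWT payload; when {@code null} no mapping is built and the user name stays unset
     * @throws MpJwtProcessingException if a payload was supplied but no user name could be mapped from it
     */
    public TAIMappingHelper(@Sensitive String str) throws MpJwtProcessingException {
        this.decodedTokenPayload = str;
        this.config = null;
        if (this.decodedTokenPayload != null) {
            mapClaims("upn", "groups", false);
        }
    }

    /**
     * Maps the payload using the claim names and registry-mapping flag from the supplied configuration.
     *
     * @param str decoded JWT payload; when {@code null} no mapping is built and the user name stays unset
     * @param microProfileJwtConfig feature configuration; must be non-null whenever {@code str} is
     *        non-null, because its attribute getters are called without a null check
     * @throws MpJwtProcessingException if a payload was supplied but no user name could be mapped from it
     */
    @ManualTrace
    public TAIMappingHelper(@Sensitive String str, MicroProfileJwtConfig microProfileJwtConfig) throws MpJwtProcessingException {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "<init>", new Object[]{str, microProfileJwtConfig});
        }
        this.decodedTokenPayload = str;
        this.config = microProfileJwtConfig;
        if (this.decodedTokenPayload != null) {
            mapClaims(this.config.getUserNameAttribute(), this.config.getGroupNameAttribute(), this.config.getMapToUserRegistry());
        }
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, "<init>");
        }
    }

    /**
     * Builds the claim mapping for the current payload and resolves the user name and realm from it.
     *
     * @param userNameAttribute claim that names the user
     * @param groupNameAttribute claim that lists the groups
     * @param mapToUserRegistry whether the mapped user is to be looked up in the user registry
     * @throws MpJwtProcessingException if no user name can be mapped
     */
    private void mapClaims(String userNameAttribute, String groupNameAttribute, boolean mapToUserRegistry) throws MpJwtProcessingException {
        this.claimToPrincipalMapping = new JwtPrincipalMapping(this.decodedTokenPayload, userNameAttribute, groupNameAttribute, mapToUserRegistry);
        setUsername();
        setRealm();
    }

    /** Copies the realm resolved by the claim mapping into {@link #realm}. Requires the mapping to exist. */
    private void setRealm() {
        this.realm = this.claimToPrincipalMapping.getMappedRealm();
    }

    /**
     * Creates the {@link JsonWebToken} principal for the token and (re)builds {@link #customProperties}.
     *
     * @param jwtToken validated token the principal wraps
     * @param z decompiled parameter name retained; when {@code true} the cache key and auth provider
     *        are taken from the token's claims, otherwise the cache key is a digest of the raw token
     * @throws MpJwtProcessingException propagated from {@link #getIssuer(JsonWebToken)}
     */
    @ManualTrace
    public void createJwtPrincipalAndPopulateCustomProperties(@Sensitive JwtToken jwtToken, boolean z) throws MpJwtProcessingException {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "createJwtPrincipalAndPopulateCustomProperties", new Object[]{jwtToken});
        }
        this.jwtPrincipal = createJwtPrincipal(jwtToken);
        this.customProperties = populateCustomProperties(getIssuer(this.jwtPrincipal), getmaptoURconfig(), z);
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, "createJwtPrincipalAndPopulateCustomProperties");
        }
    }

    /** @return the configured map-to-user-registry flag, or {@code false} when there is no configuration */
    private boolean getmaptoURconfig() {
        return this.config != null && this.config.getMapToUserRegistry();
    }

    /**
     * Wraps the principal and custom properties in a new {@link Subject}.
     *
     * <p>The custom-properties hashtable is added to the subject's private credentials by reference,
     * and the principal is stored in it under the internal JSON-web-token key. {@link Hashtable} rejects
     * {@code null} values, so this throws {@link NullPointerException} if no principal was created.
     *
     * @param z decompiled parameter name retained; when {@code true} the principal is also added to the
     *        subject's principals and the internal assertion flag is set
     * @return the populated subject
     */
    @ManualTrace
    public Subject createSubjectFromCustomProperties(boolean z) {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "createSubjectFromCustomProperties", new Object[]{Boolean.valueOf(z)});
        }
        Subject subject = new Subject();
        if (z) {
            subject.getPrincipals().add(this.jwtPrincipal);
            this.customProperties.put("com.ibm.ws.authentication.internal.assertion", Boolean.TRUE);
        }
        this.customProperties.put("com.ibm.ws.authentication.internal.json.web.token", this.jwtPrincipal);
        subject.getPrivateCredentials().add(this.customProperties);
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, "createSubjectFromCustomProperties", subject);
        }
        return subject;
    }

    /** @return the mapped user name, or {@code null} if no payload was mapped */
    public String getUsername() {
        return this.username;
    }

    /** @return the live custom-properties hashtable (not a copy); mutations are visible to this helper */
    public Hashtable<String, Object> getCustomProperties() {
        return this.customProperties;
    }

    /** @return the principal built by the last call to {@link #createJwtPrincipalAndPopulateCustomProperties} */
    public JsonWebToken getJwtPrincipal() {
        return this.jwtPrincipal;
    }

    /**
     * Resolves the user name from the claim mapping.
     *
     * @throws MpJwtProcessingException if the mapping yields no user name; the USERNAME_NOT_FOUND
     *         message is also written to the error log
     */
    void setUsername() throws MpJwtProcessingException {
        if (this.claimToPrincipalMapping != null) {
            this.username = this.claimToPrincipalMapping.getMappedUser();
        }
        if (this.username == null) {
            String message = Tr.formatMessage(tc, "USERNAME_NOT_FOUND", new Object[0]);
            Tr.error(tc, message, new Object[0]);
            throw new MpJwtProcessingException(message);
        }
    }

    /**
     * Builds the principal from the mapped user name and groups.
     *
     * @param jwtToken token the principal wraps
     * @return the principal, or {@code null} when no claim mapping was built
     */
    @ManualTrace
    JsonWebToken createJwtPrincipal(@Sensitive JwtToken jwtToken) {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "createJwtPrincipal", new Object[]{jwtToken});
        }
        JsonWebToken principal = null;
        if (this.claimToPrincipalMapping != null) {
            principal = this.taiJwtUtils.createJwtPrincipal(this.username, this.claimToPrincipalMapping.getMappedGroups(), jwtToken);
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Claim to principal mapping object not initialized", new Object[0]);
        }
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, "createJwtPrincipal", principal);
        }
        return principal;
    }

    /**
     * @param jsonWebToken principal to read the issuer from
     * @return the principal's issuer, or {@code null} when the principal is {@code null}
     */
    @ManualTrace
    String getIssuer(@Sensitive JsonWebToken jsonWebToken) throws MpJwtProcessingException {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "getIssuer", new Object[]{jsonWebToken});
        }
        if (jsonWebToken == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "jwtPrincipal is null", new Object[0]);
                Tr.exit(tc, "getIssuer", (Object) null);
            }
            return null;
        }
        return jsonWebToken.getIssuer();
    }

    /**
     * Builds the custom-properties hashtable consumed by the authentication service.
     *
     * <p>With registry mapping the hashtable only asserts the user id and leaves the lookup to the
     * registry. Without it the realm (derived from the issuer when the mapping provided none), the
     * unique id, the realm-qualified groups and the security name are asserted directly, so the
     * identity is taken entirely from the token.
     *
     * @param str issuer of the token, used as the realm when the mapping did not provide one
     * @param mapToUserRegistry whether the user is to be resolved through the user registry
     * @param cacheKeyFromClaims when {@code true} the cache key (and auth provider) come from the
     *        token's {@code sid}/{@code apr} claims; otherwise the cache key is a digest of the raw token
     * @return a new hashtable; never {@code null}
     */
    @ManualTrace
    Hashtable<String, Object> populateCustomProperties(String str, boolean mapToUserRegistry, boolean cacheKeyFromClaims) {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "populateCustomProperties", new Object[]{str});
        }
        Hashtable<String, Object> props = new Hashtable<>();
        if (mapToUserRegistry) {
            props.put("com.ibm.ws.authentication.internal.assertion", Boolean.TRUE);
            props.put("com.ibm.wsspi.security.cred.userId", this.username);
        } else {
            if (this.realm == null && str != null) {
                this.realm = getRealm(str);
            }
            String uniqueId = getUniqueId(this.realm);
            List<String> groupsWithRealm = getGroupsWithRealm(this.realm);
            props.put("com.ibm.wsspi.security.cred.uniqueId", uniqueId);
            if (this.realm != null && !this.realm.isEmpty()) {
                props.put("com.ibm.wsspi.security.cred.realm", this.realm);
            }
            if (!groupsWithRealm.isEmpty()) {
                props.put("com.ibm.wsspi.security.cred.groups", groupsWithRealm);
            }
            props.put("com.ibm.wsspi.security.cred.securityName", this.username);
        }
        if (cacheKeyFromClaims) {
            addCustomClaimsFromToken(props);
        } else {
            addCustomCacheKey(props);
        }
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, "populateCustomProperties", props);
        }
        return props;
    }

    /** Marks the custom properties so that the SSO LTPA cache is bypassed for this authentication. */
    public void addDisableSsoLtpaCacheProp() {
        this.customProperties.put(this.INTERNAL_DISABLE_SSO_LTPA_CACHE, Boolean.TRUE);
    }

    /**
     * Copies the token-supplied cache key ({@code sid}) and auth provider ({@code apr}) into the
     * properties when present; absent or non-string claims are skipped.
     */
    private void addCustomClaimsFromToken(Hashtable<String, Object> props) {
        String customCacheKey = getCustomCacheKey();
        if (customCacheKey != null) {
            props.put("com.ibm.wsspi.security.cred.cacheKey", customCacheKey);
        }
        String customAuthProvider = getCustomAuthProvider();
        if (customAuthProvider != null) {
            props.put("com.ibm.ws.authentication.internal.auth.provider", customAuthProvider);
        }
    }

    /** @return the {@code apr} claim when the principal exists and the claim is a string, else {@code null} */
    private String getCustomAuthProvider() {
        if (this.jwtPrincipal == null) {
            return null;
        }
        Object claim = this.jwtPrincipal.getClaim(APR_CLAIM);
        if (!(claim instanceof String)) {
            return null;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "apr claim is set in the token : ", new Object[]{(String) claim});
        }
        return (String) claim;
    }

    /**
     * Sets the cache key to a digest of the raw token (via {@link HashUtils}) rather than the token
     * string itself. No key is set when there is no principal.
     */
    private void addCustomCacheKey(Hashtable<String, Object> props) {
        if (this.jwtPrincipal != null) {
            props.put("com.ibm.wsspi.security.cred.cacheKey", HashUtils.digest(this.jwtPrincipal.getRawToken()));
        }
    }

    /**
     * @return the {@code sid} claim when the principal exists and the claim is a string, else {@code null}.
     *         A non-string claim is treated like an absent one (previously it caused a
     *         {@link ClassCastException}), matching {@link #getCustomAuthProvider()}.
     */
    private String getCustomCacheKey() {
        if (this.jwtPrincipal == null) {
            return null;
        }
        Object claim = this.jwtPrincipal.getClaim(CCK_CLAIM);
        if (claim == null) {
            return null;
        }
        if (!(claim instanceof String)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "sid claim is not a string; ignoring it as custom cache key", new Object[0]);
            }
            return null;
        }
        return (String) claim;
    }

    /**
     * Derives the realm from the issuer by dropping a single trailing slash.
     *
     * @param str issuer value
     * @return the realm; {@code null} when the issuer is {@code null}
     */
    @ManualTrace
    String getRealm(String str) {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "getRealm", new Object[]{str});
        }
        String mapped = isRealmEndsWithSlash(str) ? updateRealm(str) : str;
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, "getRealm", mapped);
        }
        return mapped;
    }

    /** @return whether the value is longer than one character and ends with {@code /} */
    private boolean isRealmEndsWithSlash(String str) {
        return str != null && str.length() > 1 && str.endsWith("/");
    }

    /** Strips the last character (the trailing slash) from the realm. */
    private String updateRealm(String str) {
        return str.substring(0, str.length() - 1);
    }

    /**
     * Builds the unique id {@code user:<realm>/<mapped user>}. Either part renders as the text
     * {@code null} when absent, since the parts are appended without null checks.
     *
     * @param str realm to qualify the user with
     * @return the unique id
     */
    @ManualTrace
    String getUniqueId(String str) {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "getUniqueId", new Object[]{str});
        }
        String mappedUser = null;
        if (this.claimToPrincipalMapping != null) {
            mappedUser = this.claimToPrincipalMapping.getMappedUser();
        }
        String uniqueId = new StringBuilder("user:").append(str).append("/").append(mappedUser).toString();
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, "getUniqueId", uniqueId);
        }
        return uniqueId;
    }

    /**
     * Qualifies every mapped group as {@code group:<realm>/<group>}.
     *
     * @param str realm to qualify the groups with
     * @return a new list; empty when there is no mapping or no mapped groups
     */
    @ManualTrace
    List<String> getGroupsWithRealm(String str) {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "getGroupsWithRealm", new Object[]{str});
        }
        ArrayList<String> mappedGroups = null;
        if (this.claimToPrincipalMapping != null) {
            mappedGroups = this.claimToPrincipalMapping.getMappedGroups();
        }
        List<String> qualified = new ArrayList<>();
        if (mappedGroups != null) {
            for (String group : mappedGroups) {
                qualified.add(new StringBuilder("group:").append(str).append("/").append(group).toString());
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, "getGroupsWithRealm", qualified);
        }
        return qualified;
    }
}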
