package com.ibm.ws.webcontainer.security;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.ws.common.encoder.Base64Coder;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.security.jwtsso.token.proxy.JwtSSOTokenHelper;
import com.ibm.ws.security.util.ByteArray;
import com.ibm.ws.webcontainer.security.internal.LoggedOutJwtSsoCookieCache;
import com.ibm.ws.webcontainer.security.internal.StringUtil;
import com.ibm.ws.webcontainer.security.openidconnect.OidcServer;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.security.token.SingleSignonToken;
import com.ibm.wsspi.webcontainer.WebContainerRequestState;
import com.ibm.wsspi.webcontainer.servlet.IExtendedResponse;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.UnknownHostException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

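/**
 * Builds, reads and clears the single-sign-on (SSO) cookies that the web container
 * issues after authentication: the LTPA cookie (base64 of the {@link SingleSignonToken}
 * bytes found in the Subject) and, when enabled, the JWT SSO cookie, which is split
 * across up to 99 cookies ({@code name}, {@code name02} .. {@code name99}) because a
 * JWT can exceed a single cookie's practical size.
 *
 * <p>Security-relevant properties set here: {@code Path=/}, {@code Secure} (from
 * configuration, or forced when {@code SameSite=None}), {@code HttpOnly} (from
 * configuration) and an optional {@code Domain} derived from the configured domain list
 * or the request host. All cookie-name comparisons against the request are
 * case-insensitive.
 *
 * <p>This listing appears to be decompiled: the {@code @InjectedFFDC}/trace annotations
 * and the FFDC probe ids ("132", "374", "424") are build-time instrumentation.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:com/ibm/ws/webcontainer/security/SSOCookieHelperImpl.class */
public class SSOCookieHelperImpl implements SSOCookieHelper {
    /** OIDC session-management browser-state cookie; cleared here, never created here. */
    private static final String OIDC_BROWSER_STATE_COOKIE = "oidc_bsc";
    /** Always {@code null} in this class (both constructors); subclasses may wire it. */
    private final AtomicServiceReference<OidcServer> oidcServerRef;
    /** Explicit cookie name override; when {@code null} the configured SSO cookie name is used. */
    private String cookieName;
    protected final WebAppSecurityConfig config;
    static final long serialVersionUID = 6579450566000043629L;
    private static final TraceComponent tc = Tr.register(SSOCookieHelperImpl.class, TraceConstants.TRACE_GROUP, TraceConstants.MESSAGE_BUNDLE);
    /** Subject hashtable key whose {@code Boolean} value suppresses the LTPA cookie. */
    private static final String[] disableSsoLtpaCookie = {"com.ibm.ws.authentication.internal.sso.disable.ltpa.cookie"};
    /**
     * Cache of token bytes -> base64 cookie value, shared by every instance. Bounded by
     * {@link #MAX_COOKIE_STRING_ENTRIES} via a full clear in {@link #updateCookieCache}.
     */
    protected static final ConcurrentMap<ByteArray, String> cookieByteStringCache = new ConcurrentHashMap<>(20);
    private static int MAX_COOKIE_STRING_ENTRIES = 100;
    /** Dotted-quad matcher; compiled once rather than per call. */
    private static final Pattern IPV4_PATTERN = Pattern.compile("^(?:[0-9]{1,3}\\.){3}[0-9]{1,3}$");

    public SSOCookieHelperImpl(WebAppSecurityConfig webAppSecurityConfig) {
        this(webAppSecurityConfig, (String) null);
    }

    /**
     * @param webAppSecurityConfig source of cookie name, domain, Secure/HttpOnly/SameSite settings
     * @param str                  explicit SSO cookie name, or {@code null} to use the configured one
     */
    public SSOCookieHelperImpl(WebAppSecurityConfig webAppSecurityConfig, String str) {
        this.oidcServerRef = null;
        this.cookieName = null;
        this.config = webAppSecurityConfig;
        this.cookieName = str;
    }

    /**
     * Adds the JWT SSO cookie(s) for the subject unless JWT cookies are disabled or the
     * request already carries exactly this token (then nothing is re-sent).
     *
     * @return {@code true} when cookies were written to the response
     */
    @Override // com.ibm.ws.webcontainer.security.SSOCookieHelper
    public boolean addJwtSsoCookiesToResponse(Subject subject, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (JwtSSOTokenHelper.isDisableJwtCookie()) {
            return false;
        }
        String jwtSSOToken = JwtSSOTokenHelper.getJwtSSOToken(subject);
        if (jwtSSOToken == null) {
            return false;
        }
        // Skip the write when the browser already holds this exact token.
        String existing = getJwtSsoTokenFromCookies(httpServletRequest, getJwtCookieName());
        if (existing != null && existing.equals(jwtSSOToken)) {
            return false;
        }
        return addJwtCookies(jwtSSOToken, httpServletRequest, httpServletResponse);
    }

    /**
     * Splits the JWT into 3900-character chunks and writes each as its own cookie:
     * {@code name}, then {@code name02}..{@code name99}.
     *
     * <p>NOTE: when the request is plain HTTP but the JWT cookie is configured Secure,
     * this only logs a warning and still sets the cookie; callers are expected to have
     * passed {@link #allowToAddCookieToResponse} first (as {@link #addSSOCookiesToResponse}
     * does), since browsers will not store a Secure cookie set over an insecure origin.
     *
     * @return {@code false} only when no JWT cookie name is configured
     */
    protected boolean addJwtCookies(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String jwtCookieName = getJwtCookieName();
        if (jwtCookieName == null) {
            return false;
        }
        if (!httpServletRequest.isSecure() && getJwtCookieSecure()) {
            Tr.warning(tc, "JWT_COOKIE_SECURITY_MISMATCH", new Object[0]);
        }
        String[] chunks = splitString(str, 3900);
        String chunkCookieName = jwtCookieName;
        for (int i = 0; i < chunks.length; i++) {
            // Hard cap of 99 cookies (~386 KB of token); beyond that the token is truncated and an FFDC is recorded.
            if (i > 98) {
                FFDCFilter.processException(new Exception("Too many jwt cookies created"), getClass().getName(), "132");
                return true;
            }
            httpServletResponse.addCookie(createCookie(httpServletRequest, chunkCookieName, chunks[i], getJwtCookieSecure()));
            // Next suffix is two digits, zero-padded: 02, 03, ... 99.
            chunkCookieName = jwtCookieName + (i + 2 < 10 ? "0" : "") + (i + 2);
        }
        return true;
    }

    protected String getJwtCookieName() {
        return JwtSSOTokenHelper.getJwtCookieName();
    }

    protected boolean getJwtCookieSecure() {
        return JwtSSOTokenHelper.isCookieSecured();
    }

    /** Creates the LTPA SSO cookie with the configured name and Secure setting. */
    public Cookie createCookie(HttpServletRequest httpServletRequest, String str) {
        return createCookie(httpServletRequest, getSSOCookiename(), str, this.config.getSSORequiresSSL());
    }

    /**
     * Creates a session cookie ({@code Max-Age} unset, {@code Path=/}) with the given
     * Secure flag, configured HttpOnly flag, optional Domain and SameSite attribute.
     *
     * @param str  cookie name
     * @param str2 cookie value
     * @param z    whether to set the Secure attribute
     */
    public Cookie createCookie(HttpServletRequest httpServletRequest, String str, String str2, boolean z) {
        Cookie cookie = new Cookie(str, str2);
        cookie.setMaxAge(-1); // session cookie: discarded when the browser exits
        cookie.setPath("/");
        cookie.setSecure(z);
        cookie.setHttpOnly(this.config.getHttpOnlyCookies());
        String domain = getSSODomainName(httpServletRequest, this.config.getSSODomainList(), this.config.getSSOUseDomainFromURL());
        if (domain != null) {
            cookie.setDomain(domain);
        }
        String sameSite = this.config.getSameSiteCookie();
        if (sameSite != null && !sameSite.equals("Disabled")) {
            // Servlet Cookie has no SameSite API; the container appends it from request state keyed by cookie name.
            WebContainerRequestState.getInstance(true).setCookieAttributes(str, "SameSite=" + sameSite);
            // SameSite=None is only honored by browsers together with Secure, so force it.
            if (sameSite.equals(WebAppSecurityConfig.POST_PARAM_SAVE_TO_NONE)) {
                cookie.setSecure(true);
            }
        }
        return cookie;
    }

    /**
     * Gate for writing SSO cookies: SSO must be enabled, and if SSO requires SSL the
     * request must be secure. Debug-traces the reason when refusing.
     */
    @Override // com.ibm.ws.webcontainer.security.SSOCookieHelper
    public boolean allowToAddCookieToResponse(HttpServletRequest httpServletRequest) {
        boolean tracing = TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
        if (!this.config.isSingleSignonEnabled()) {
            if (tracing) {
                Tr.debug(tc, "SSO is not enabled. Not setting the SSO Cookie", new Object[0]);
            }
            return false;
        }
        if (!this.config.getSSORequiresSSL() || httpServletRequest.isSecure()) {
            return true;
        }
        if (tracing) {
            Tr.debug(tc, "SSO requires SSL. The cookie will not be sent back because the request is not over https.", new Object[0]);
        }
        return false;
    }

    /** Drops any pending LTPA and JWT cookies from the response; no-op for non-extended responses. */
    @Override // com.ibm.ws.webcontainer.security.SSOCookieHelper
    public void removeSSOCookieFromResponse(HttpServletResponse httpServletResponse) {
        if (httpServletResponse instanceof IExtendedResponse) {
            IExtendedResponse extended = (IExtendedResponse) httpServletResponse;
            extended.removeCookie(getSSOCookiename());
            removeJwtSSOCookies(extended);
        }
    }

    /** Removes the base JWT cookie and every possible chunk suffix 02..99 from the response. */
    protected void removeJwtSSOCookies(IExtendedResponse iExtendedResponse) {
        String jwtCookieName = getJwtCookieName();
        if (jwtCookieName == null) {
            return;
        }
        iExtendedResponse.removeCookie(jwtCookieName);
        for (int suffix = 2; suffix <= 99; suffix++) {
            iExtendedResponse.removeCookie(jwtCookieName + (suffix < 10 ? "0" : "") + suffix);
        }
    }

    /**
     * Records a token-bytes -> base64 mapping, wiping the whole cache once it exceeds
     * {@link #MAX_COOKIE_STRING_ENTRIES}. The lock is per instance while the map is
     * static, so the size check/clear is not atomic across instances; the map itself is a
     * ConcurrentHashMap, so the worst case is an extra clear, not corruption.
     */
    protected synchronized void updateCookieCache(ByteArray byteArray, String str) {
        if (cookieByteStringCache.size() > MAX_COOKIE_STRING_ENTRIES) {
            cookieByteStringCache.clear();
        }
        if (str != null) {
            cookieByteStringCache.put(byteArray, str);
        }
    }

    /**
     * Adds expiring ({@code Max-Age=0}) cookies for every LTPA cookie on the request and,
     * when {@code z} is set, for the JWT cookies too (recording the JWT as logged out).
     *
     * @param z whether JWT cookies are also cleared
     */
    @Override // com.ibm.ws.webcontainer.security.SSOCookieHelper
    public void createLogoutCookies(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return;
        }
        ArrayList<Cookie> logoutCookies = new ArrayList<>();
        String ltpaCookieName = resolveCookieName(cookies);
        for (Cookie cookie : cookies) {
            if (cookie.getName().equalsIgnoreCase(ltpaCookieName)) {
                cookie.setValue((String) null);
                addLogoutCookieToList(httpServletRequest, ltpaCookieName, logoutCookies);
            }
        }
        if (z) {
            logoutJwtCookies(httpServletRequest, cookies, logoutCookies);
        }
        for (Cookie cookie : logoutCookies) {
            httpServletResponse.addCookie(cookie);
        }
    }

    /**
     * Adds logout cookies for every JWT cookie (base name or two-digit chunk) on the
     * request. The reassembled JWT is first put in {@link LoggedOutJwtSsoCookieCache} so a
     * replayed copy of the still-valid token can be rejected after logout.
     */
    protected void logoutJwtCookies(HttpServletRequest httpServletRequest, Cookie[] cookieArr, ArrayList<Cookie> arrayList) {
        String jwtCookieName = getJwtCookieName();
        if (jwtCookieName == null) {
            return;
        }
        String jwt = getJwtSsoTokenFromCookies(httpServletRequest, jwtCookieName);
        if (jwt != null) {
            LoggedOutJwtSsoCookieCache.put(jwt);
        }
        for (Cookie cookie : cookieArr) {
            if (isJwtCookie(jwtCookieName, cookie.getName())) {
                cookie.setValue((String) null);
                addLogoutCookieToList(httpServletRequest, cookie.getName(), arrayList);
            }
        }
    }

    /**
     * @return {@code true} if {@code str2} equals the JWT cookie name (case-insensitive)
     *         or is that name followed by exactly two digits (a chunk cookie)
     */
    protected boolean isJwtCookie(String str, String str2) {
        if (str.equalsIgnoreCase(str2)) {
            return true;
        }
        if (str2.startsWith(str) && str2.length() == str.length() + 2) {
            return str2.substring(str.length()).matches("\\d\\d");
        }
        return false;
    }

    /**
     * Name of the LTPA cookie to clear on logout: the configured name if the request
     * carries it or only the custom name is allowed, otherwise the default "LtpaToken2".
     */
    protected String resolveCookieName(Cookie[] cookieArr) {
        String configured = getSSOCookiename();
        boolean present = false;
        if (cookieArr != null) {
            for (Cookie cookie : cookieArr) {
                if (cookie.getName().equalsIgnoreCase(configured)) {
                    present = true;
                    break;
                }
            }
        }
        return (present || this.config.isUseOnlyCustomCookieName()) ? configured : "LtpaToken2";
    }

    /**
     * Builds an expiring cookie ({@code Max-Age=0}, empty value, {@code Path=/}) mirroring
     * the original's HttpOnly and Domain so the browser matches and removes it.
     *
     * <p>NOTE(review): the Secure flag here follows the current request rather than the
     * configuration. If the SSO cookie was issued Secure and logout happens over plain
     * HTTP, modern browsers refuse to let a non-secure Set-Cookie overwrite a Secure
     * cookie, so it may survive logout — confirm logout is only served over HTTPS.
     */
    protected void addLogoutCookieToList(HttpServletRequest httpServletRequest, String str, ArrayList<Cookie> arrayList) {
        Cookie cookie = new Cookie(str, "");
        cookie.setMaxAge(0);
        cookie.setPath("/");
        cookie.setSecure(httpServletRequest.isSecure());
        if (this.config.getHttpOnlyCookies()) {
            cookie.setHttpOnly(true);
        }
        String domain = getSSODomainName(httpServletRequest, this.config.getSSODomainList(), this.config.getSSOUseDomainFromURL());
        if (domain != null) {
            cookie.setDomain(domain);
        }
        arrayList.add(cookie);
    }

    /**
     * Finds the subject's {@link SingleSignonToken} private credential whose name equals the
     * SSO cookie name.
     *
     * <p>Behavior preserved from the original: if no credential matches, the last token
     * examined is returned (not {@code null}); {@code null} only when the subject is
     * {@code null}, has no such credentials, or the lookup throws. NOTE(review): confirm
     * callers tolerate a name-mismatched token in the no-match case.
     */
    @Override // com.ibm.ws.webcontainer.security.SSOCookieHelper
    public SingleSignonToken getDefaultSSOTokenFromSubject(final Subject subject) {
        if (subject == null) {
            return null;
        }
        SingleSignonToken ssoToken = null;
        try {
            Set<SingleSignonToken> tokens = AccessController.doPrivileged(new PrivilegedAction<Set<SingleSignonToken>>() {
                @Override // java.security.PrivilegedAction
                public Set<SingleSignonToken> run() {
                    return subject.getPrivateCredentials(SingleSignonToken.class);
                }
            });
            Iterator<SingleSignonToken> it = tokens.iterator();
            while (it.hasNext()) {
                ssoToken = it.next();
                if (ssoToken.getName().equals(getSSOCookiename())) {
                    break;
                }
            }
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.SSOCookieHelperImpl", "374", this, new Object[]{subject});
        }
        return ssoToken;
    }

    @Override // com.ibm.ws.webcontainer.security.SSOCookieHelper
    public String getSSOCookiename() {
        return this.cookieName != null ? this.cookieName : this.config.getSSOCookieName();
    }

    /**
     * Chooses the cookie Domain for this request, or {@code null} to set none.
     *
     * <p>The request host (from the request URL, i.e. ultimately the Host header) is
     * reduced to its parent domain: for two labels ("example.com") the whole host; for
     * more, everything from the first dot (".www.example.com" -> ".example.com" style
     * suffix). IPv4 literals and dot-less hosts (e.g. "localhost") get no domain.
     * The first configured domain that the suffix {@code endsWith} wins; otherwise the
     * suffix itself is used only when {@code z} (ssoUseDomainFromURL) is set.
     *
     * <p>NOTE(review): the match is a plain {@code endsWith}, not a label-boundary check.
     * A configured entry without a leading dot ("example.com") also matches
     * ".notexample.com"; the browser would reject the resulting mismatched Domain
     * (dropping SSO for that host), so prefer leading-dot entries in the domain list.
     *
     * @param list configured SSO domain list, may be {@code null} or empty
     * @param z    whether to fall back to the domain derived from the request URL
     */
    @Override // com.ibm.ws.webcontainer.security.SSOCookieHelper
    public String getSSODomainName(HttpServletRequest httpServletRequest, List<String> list, boolean z) {
        try {
            String host = getHostNameFromRequestURL(httpServletRequest);
            int firstDot = host.indexOf(".");
            if (isIpV4Format(host) || firstDot == -1) {
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "URL host is an IP or locahost, no SSO domain will be set.", new Object[0]);
                }
                return null;
            }
            String domainSuffix = firstDot < host.lastIndexOf(".") ? host.substring(firstDot) : "" + host;
            if (list != null && !list.isEmpty()) {
                for (String candidate : list) {
                    if (domainSuffix.endsWith(candidate)) {
                        return candidate;
                    }
                }
            }
            return z ? domainSuffix : null;
        } catch (MalformedURLException e) {
            FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.SSOCookieHelperImpl", "424", this, new Object[]{httpServletRequest, list, Boolean.valueOf(z)});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Unexpected exception getting request SSO domain", new Object[]{e});
            }
            return null;
        }
    }

    /** Dotted-quad check (four 1–3 digit groups); octet ranges are not validated. IPv6 literals are not recognized here. */
    static boolean isIpV4Format(String str) {
        return IPV4_PATTERN.matcher(str).find();
    }

    /**
     * Resolves a host name to its address string, or "" if resolution fails.
     * Not referenced within this class; kept for subclasses/compatibility.
     */
    @FFDCIgnore({UnknownHostException.class})
    private String getHostIPAddr(String str) {
        String address = "";
        try {
            address = InetAddress.getByName(str).getHostAddress().trim();
        } catch (UnknownHostException e) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception in getting IP address for URL host, assuming URL host is not an IP", new Object[]{e});
            }
        }
        return address;
    }

    /** Host part of the request URL (trimmed); the full URL is debug-traced. */
    private String getHostNameFromRequestURL(HttpServletRequest httpServletRequest) throws MalformedURLException {
        String url = httpServletRequest.getRequestURL().toString();
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "URL: " + url, new Object[0]);
        }
        return new URL(url).getHost().trim();
    }

    /**
     * Splits {@code str} into consecutive pieces of at most {@code i} characters.
     *
     * @return the pieces in order; empty for {@code null}/empty input or a non-positive size
     */
    @Trivial
    protected String[] splitString(String str, int i) {
        ArrayList<String> parts = new ArrayList<>();
        if (i <= 0 || str == null || str.length() == 0) {
            return parts.toArray(new String[0]);
        }
        int length = str.length();
        for (int start = 0; start < length; start += i) {
            parts.add(str.substring(start, Math.min(start + i, length)));
        }
        return parts.toArray(new String[0]);
    }

    /**
     * Reassembles the JWT from the base cookie and chunk cookies 02..99, stopping at the
     * first missing cookie (a gap truncates the token; validation happens elsewhere).
     *
     * @return the concatenated value, or {@code null} if nothing was found
     */
    @Override // com.ibm.ws.webcontainer.security.SSOCookieHelper
    public String getJwtSsoTokenFromCookies(HttpServletRequest httpServletRequest, String str) {
        StringBuilder token = new StringBuilder();
        for (int index = 1; index <= 99; index++) {
            String name = index > 1 ? str + (index < 10 ? "0" : "") + index : str;
            String value = getCookieValue(httpServletRequest, name);
            if (value == null) {
                break;
            }
            if (value.length() > 0) {
                token.append(value);
            }
        }
        return token.length() > 0 ? token.toString() : null;
    }

    /** First non-empty value among the request cookies with the given name, else {@code null}. */
    protected String getCookieValue(HttpServletRequest httpServletRequest, String str) {
        String[] values = CookieHelper.getCookieValues(getCookies(httpServletRequest), str);
        if (values == null) {
            return null;
        }
        for (String value : values) {
            if (value != null && value.length() > 0) {
                return value;
            }
        }
        return null;
    }

    private Cookie[] getCookies(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getCookies();
    }

    /**
     * Entry point after authentication: if allowed, writes the JWT cookie(s) and, when the
     * LTPA cookie is also to be included and not suppressed for this subject, the LTPA
     * cookie; then clears the OIDC browser-state cookie if an OIDC server is wired in.
     */
    @Override // com.ibm.ws.webcontainer.security.SSOCookieHelper
    public void addSSOCookiesToResponse(Subject subject, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!allowToAddCookieToResponse(httpServletRequest)) {
            return;
        }
        addJwtSsoCookiesToResponse(subject, httpServletRequest, httpServletResponse);
        if (!JwtSSOTokenHelper.shouldAlsoIncludeLtpaCookie()) {
            return;
        }
        if (!isDisableLtpaCookie(subject)) {
            addLtpaSsoCookiesToResponse(subject, httpServletRequest, httpServletResponse);
        }
        if (this.oidcServerRef != null && this.oidcServerRef.getService() != null && isBrowserStateEnabled(httpServletRequest)) {
            removeBrowserStateCookie(httpServletRequest, httpServletResponse);
        }
    }

    /**
     * {@code true} when the subject carries the disable-LTPA-cookie flag set to TRUE.
     * Null-safe: a hashtable without the key (or a non-Boolean value) counts as not disabled
     * instead of throwing.
     */
    private boolean isDisableLtpaCookie(Subject subject) {
        Hashtable hashtableFromSubject = new SubjectHelper().getHashtableFromSubject(subject, disableSsoLtpaCookie);
        return hashtableFromSubject != null && Boolean.TRUE.equals(hashtableFromSubject.get("com.ibm.ws.authentication.internal.sso.disable.ltpa.cookie"));
    }

    /** Writes the LTPA cookie: base64 of the token bytes, memoized in {@link #cookieByteStringCache}. */
    private void addLtpaSsoCookiesToResponse(Subject subject, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        SingleSignonToken ssoToken = getDefaultSSOTokenFromSubject(subject);
        if (ssoToken == null) {
            return;
        }
        byte[] bytes = ssoToken.getBytes();
        if (bytes == null) {
            return;
        }
        ByteArray key = new ByteArray(bytes);
        String encoded = cookieByteStringCache.get(key);
        if (encoded == null) {
            encoded = StringUtil.toString(Base64Coder.base64Encode(bytes));
            updateCookieCache(key, encoded);
        }
        httpServletResponse.addCookie(createCookie(httpServletRequest, encoded));
    }

    /**
     * Logout variant that always clears JWT cookies and additionally clears the OIDC
     * browser-state cookie (only when an OIDC server is wired in) if the request has it.
     */
    @Override // com.ibm.ws.webcontainer.security.SSOCookieHelper
    public void createLogoutCookies(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return;
        }
        ArrayList<Cookie> logoutCookies = new ArrayList<>();
        String ltpaCookieName = resolveCookieName(cookies);
        for (Cookie cookie : cookies) {
            if (cookie.getName().equalsIgnoreCase(ltpaCookieName)) {
                cookie.setValue((String) null);
                addLogoutCookieToList(httpServletRequest, ltpaCookieName, logoutCookies);
            } else if (cookie.getName().equalsIgnoreCase(OIDC_BROWSER_STATE_COOKIE) && this.oidcServerRef != null && this.oidcServerRef.getService() != null) {
                removeBrowserStateCookie(httpServletRequest, httpServletResponse);
            }
        }
        logoutJwtCookies(httpServletRequest, cookies, logoutCookies);
        for (Cookie cookie : logoutCookies) {
            httpServletResponse.addCookie(cookie);
        }
    }

    /** Whether the request carries the OIDC browser-state cookie (case-insensitive name match). */
    protected boolean isBrowserStateEnabled(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return false;
        }
        for (Cookie cookie : cookies) {
            if (cookie.getName().equalsIgnoreCase(OIDC_BROWSER_STATE_COOKIE)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Expires the OIDC browser-state cookie. Unlike the SSO logout cookies it sets no
     * Domain and no HttpOnly; presumably intentional since the browser-state cookie is
     * meant to be script-readable by the OP session iframe — confirm against the OIDC
     * server's cookie attributes, or the browser may not match and remove it.
     */
    protected void removeBrowserStateCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Cookie cookie = new Cookie(OIDC_BROWSER_STATE_COOKIE, "");
        cookie.setMaxAge(0);
        cookie.setPath("/");
        cookie.setSecure(httpServletRequest.isSecure());
        httpServletResponse.addCookie(cookie);
    }
}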
