package com.ibm.ws.webcontainer.security;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.common.encoder.Base64Coder;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.authentication.cache.AuthCacheService;
import com.ibm.ws.security.authentication.tai.TAIService;
import com.ibm.ws.webcontainer.security.internal.SSOAuthenticator;
import com.ibm.ws.webcontainer.security.internal.TAIAuthenticator;
import com.ibm.ws.webcontainer.security.metadata.LoginConfiguration;
import com.ibm.ws.webcontainer.security.oauth20.OAuth20Service;
import com.ibm.ws.webcontainer.security.openid20.OpenidClientService;
import com.ibm.ws.webcontainer.security.openidconnect.OidcClient;
import com.ibm.ws.webcontainer.security.openidconnect.OidcServer;
import com.ibm.ws.webcontainer.security.util.SSOAuthFilter;
import com.ibm.ws.webcontainer.srt.ISRTServletRequest;
import com.ibm.wsspi.http.channel.values.HttpHeaderKeys;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import com.ibm.wsspi.security.token.SingleSignonToken;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:com/ibm/ws/webcontainer/security/WebProviderAuthenticatorProxy.class */
public class WebProviderAuthenticatorProxy implements WebAuthenticator {
    protected final AtomicServiceReference<SecurityService> securityServiceRef;
    protected final AtomicServiceReference<TAIService> taiServiceRef;
    protected final ConcurrentServiceReferenceMap<String, TrustAssociationInterceptor> interceptorServiceRef;
    protected final AtomicServiceReference<OAuth20Service> oauthServiceRef;
    private final AtomicServiceReference<OpenidClientService> openIdClientServiceRef;
    private final AtomicServiceReference<OidcServer> oidcServerRef;
    private final AtomicServiceReference<OidcClient> oidcClientRef;
    private final AtomicServiceReference<SSOAuthFilter> ssoAuthFilterRef;
    private WebProviderAuthenticatorHelper authHelper;
    private ReferrerURLCookieHandler referrerURLCookieHandler;
    private WebAppSecurityConfig webAppSecurityConfig;
    protected final ConcurrentServiceReferenceMap<String, WebAuthenticator> webAuthenticatorRef;
    static final long serialVersionUID = 7286148024038209452L;
    private static final TraceComponent tc = Tr.register(WebProviderAuthenticatorProxy.class, TraceConstants.TRACE_GROUP, TraceConstants.MESSAGE_BUNDLE);
    static final List<String> authenticatorOdering = Collections.unmodifiableList(Arrays.asList("com.ibm.ws.security.spnego", "com.ibm.ws.security.openid"));
    AuthenticationResult JASPI_CONT = new AuthenticationResult(AuthResult.CONTINUE, "JASPI said continue...");
    AuthenticationResult OAUTH_CONT = new AuthenticationResult(AuthResult.CONTINUE, "OAuth service said continue...");
    AuthenticationResult OPENID_CLIENT_CONT = new AuthenticationResult(AuthResult.CONTINUE, "OpenID client service said continue...");
    AuthenticationResult OIDC_SERVER_CONT = new AuthenticationResult(AuthResult.CONTINUE, "OpenID Connect server said continue...");
    AuthenticationResult OIDC_CLIENT_CONT = new AuthenticationResult(AuthResult.CONTINUE, "OpenID Connect client said continue...");
    AuthenticationResult SPNEGO_CONT = new AuthenticationResult(AuthResult.CONTINUE, "SPNEGO said continue...");

    /**
     * Builds the proxy around the OSGi service references it dispatches to.
     *
     * <p>Two collaborators are derived here: the {@link WebProviderAuthenticatorHelper}
     * (from the security-service reference; replaceable later through
     * {@link #setWebProviderAuthenticatorHelper}) and the {@link ReferrerURLCookieHandler}
     * (from the web-app security config).
     *
     * @param atomicServiceReference security service reference; also backs the authenticator helper
     * @param atomicServiceReference2 TAI service reference
     * @param concurrentServiceReferenceMap trust association interceptors keyed by name
     * @param webAppSecurityConfig web application security configuration
     * @param atomicServiceReference3 OAuth 2.0 service reference
     * @param atomicServiceReference4 OpenID 2.0 client service reference
     * @param atomicServiceReference5 OpenID Connect server reference
     * @param atomicServiceReference6 OpenID Connect client reference
     * @param concurrentServiceReferenceMap2 pluggable web authenticators keyed by name (JASPI, SPNEGO, ...)
     * @param atomicServiceReference7 SSO authentication filter reference
     */
    public WebProviderAuthenticatorProxy(AtomicServiceReference<SecurityService> atomicServiceReference, AtomicServiceReference<TAIService> atomicServiceReference2, ConcurrentServiceReferenceMap<String, TrustAssociationInterceptor> concurrentServiceReferenceMap, WebAppSecurityConfig webAppSecurityConfig, AtomicServiceReference<OAuth20Service> atomicServiceReference3, AtomicServiceReference<OpenidClientService> atomicServiceReference4, AtomicServiceReference<OidcServer> atomicServiceReference5, AtomicServiceReference<OidcClient> atomicServiceReference6, ConcurrentServiceReferenceMap<String, WebAuthenticator> concurrentServiceReferenceMap2, AtomicServiceReference<SSOAuthFilter> atomicServiceReference7) {
        // Plain reference hand-over; nothing is resolved until a service is needed.
        this.securityServiceRef = atomicServiceReference;
        this.taiServiceRef = atomicServiceReference2;
        this.interceptorServiceRef = concurrentServiceReferenceMap;
        this.oauthServiceRef = atomicServiceReference3;
        this.openIdClientServiceRef = atomicServiceReference4;
        this.oidcServerRef = atomicServiceReference5;
        this.oidcClientRef = atomicServiceReference6;
        this.webAuthenticatorRef = concurrentServiceReferenceMap2;
        this.ssoAuthFilterRef = atomicServiceReference7;
        this.webAppSecurityConfig = webAppSecurityConfig;
        // Collaborators derived from the injected references.
        this.authHelper = new WebProviderAuthenticatorHelper(atomicServiceReference);
        this.referrerURLCookieHandler = new ReferrerURLCookieHandler(webAppSecurityConfig);
    }

    /**
     * Replaces the helper used for the SPNEGO / OpenID / OIDC login steps.
     *
     * <p>Not null-checked; a {@code null} helper will fail later at the first login call.
     *
     * @param webProviderAuthenticatorHelper the helper to use from now on
     */
    public void setWebProviderAuthenticatorHelper(WebProviderAuthenticatorHelper webProviderAuthenticatorHelper) {
        this.authHelper = webProviderAuthenticatorHelper;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Dispatches to the JASPI provider registered under {@code com.ibm.ws.security.jaspi}.
     *
     * <p>Returns {@link #JASPI_CONT} when no authenticator map or no JASPI service is
     * available. With a service, a {@code null} property map selects the non-form path
     * ({@link #authenticateForOtherMechanisms}); otherwise the form path
     * ({@link #authenticateForFormMechanism}). A SUCCESS result is post-processed by
     * {@link #processAuthenticationSuccess}, inside a privileged action when a
     * {@link SecurityManager} is installed.
     *
     * @param webRequest the request being authenticated
     * @param hashMap form-login properties, or {@code null} for other mechanisms
     * @return the provider's result, or {@link #JASPI_CONT} when JASPI is not in play
     */
    public AuthenticationResult handleJaspi(final WebRequest webRequest, final HashMap<String, Object> hashMap) {
        JaspiService jaspiService;
        AuthenticationResult authenticationResult = this.JASPI_CONT;
        // No authenticator map or no JASPI service registered: CONTINUE so the next mechanism runs.
        if (this.webAuthenticatorRef != null && (jaspiService = (JaspiService) this.webAuthenticatorRef.getService("com.ibm.ws.security.jaspi")) != null) {
            // Return value is discarded (decompiled output); presumably a leftover, kept as-is.
            webRequest.getHttpServletRequest();
            // A null property map means "not form login": the SSO/provider path is used instead.
            authenticationResult = hashMap == null ? authenticateForOtherMechanisms(webRequest, authenticationResult, jaspiService) : authenticateForFormMechanism(webRequest, hashMap, jaspiService);
            if (authenticationResult.getStatus() == AuthResult.SUCCESS) {
                if (System.getSecurityManager() == null) {
                    processAuthenticationSuccess(webRequest, hashMap, authenticationResult);
                } else {
                    // Success handling writes SSO/logout cookies to the response; run it with this
                    // class's own permissions when a SecurityManager is installed.
                    final AuthenticationResult authenticationResult2 = authenticationResult;
                    AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.webcontainer.security.WebProviderAuthenticatorProxy.1
                        static final long serialVersionUID = 3397013613883367688L;
                        // NOTE(review): synthetic trace field visible in the decompiled class; looks like
                        // build-time trace instrumentation rather than hand-written source — confirm.
                        private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register("com.ibm.ws.webcontainer.security.WebProviderAuthenticatorProxy$1", AnonymousClass1.class, TraceConstants.TRACE_GROUP, TraceConstants.MESSAGE_BUNDLE);

                        @Override // java.security.PrivilegedAction
                        public Object run() {
                            WebProviderAuthenticatorProxy.this.processAuthenticationSuccess(webRequest, hashMap, authenticationResult2);
                            return null;
                        }
                    });
                }
            }
        }
        return authenticationResult;
    }

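    /**
     * Runs the JASPI provider for non-form mechanisms, after first consulting LTPA SSO.
     *
     * <p>An SSO success is returned as-is when {@code isUseLtpaSSOForJaspic} is on. Otherwise
     * the SSO token's {@code com.ibm.ws.authentication.internal.auth.provider} attributes decide
     * whether the subject's auth-cache entry is dropped, whether the subject is handed to the
     * provider via {@code javax.servlet.http.registerSession.subject}, and whether the provider
     * is invoked at all ({@code jaspicForm} tokens skip it). Audit fields are filled in for
     * non-CONTINUE results that are not part of a new authentication.
     *
     * <p>Fix: the Basic-auth audit value is derived only when the header decodes and contains
     * {@code ':'}; previously an undecodable or colon-less header threw out of this method.
     *
     * @param webRequest the request being authenticated
     * @param authenticationResult the caller's default result; unused (kept for signature compatibility)
     * @param jaspiService the JASPI provider service
     * @return the provider's (or SSO's) result
     */
    private AuthenticationResult authenticateForOtherMechanisms(WebRequest webRequest, AuthenticationResult authenticationResult, JaspiService jaspiService) {
        AuthenticationResult result = handleSSO(webRequest, null);
        if (AuthResult.SUCCESS.equals(result.getStatus()) && this.webAppSecurityConfig.isUseLtpaSSOForJaspic()) {
            return result;
        }
        Subject subject = result.getSubject();
        List<String> tokenUsage = null;
        if (subject != null) {
            tokenUsage = getTokenUsageFromSSOToken(subject, this.webAppSecurityConfig.createSSOCookieHelper());
            // An LTPA subject that did not originate from JASPIC/JSR-375 must not be served from the auth cache.
            if (!isJaspicSessionOrJsr375Form(tokenUsage)) {
                clearCacheData(subject);
            }
        }
        boolean isProcessingNewAuthentication = jaspiService.isProcessingNewAuthentication(webRequest.getHttpServletRequest());
        if (!isJaspicForm(tokenUsage)) {
            if (!isProcessingNewAuthentication && isJaspicSessionOrJsr375Form(tokenUsage)) {
                // Let the provider re-register the existing session subject instead of authenticating anew.
                HashMap<String, Object> props = new HashMap<String, Object>();
                props.put("javax.servlet.http.registerSession.subject", subject);
                webRequest.setProperties(props);
            }
            result = jaspiService.authenticate(webRequest);
        }
        AuthResult status = result.getStatus();
        if (status != AuthResult.CONTINUE && !isProcessingNewAuthentication) {
            if (LoginConfiguration.BASIC.equals(result.getAuditAuthConfigProviderAuthType())) {
                String header = ISRTServletRequest.getHeader(webRequest.getHttpServletRequest(), HttpHeaderKeys.HDR_AUTHORIZATION);
                if (header != null && header.startsWith("Basic ")) {
                    // Only the user name (text before the first ':') is audited; the password never is.
                    // decodeCookieString() returns null on bad base64 and a decoded value may lack ':'.
                    String decoded = decodeCookieString(header.substring(6));
                    int separator = decoded == null ? -1 : decoded.indexOf(':');
                    if (separator >= 0) {
                        result.setAuditCredValue(decoded.substring(0, separator));
                    }
                }
                if (status == AuthResult.SEND_401) {
                    result.setAuditOutcome("challenge");
                }
            }
            if (status == AuthResult.RETURN) {
                result.setAuditOutcome("denied");
            }
            result.setAuditCredType("JASPIC");
        }
        return result;
    }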

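    /**
     * Runs the JASPI provider for the FORM mechanism with the given login properties and fills
     * in the audit fields for any non-CONTINUE outcome.
     *
     * <p>The audited credential value is the Basic-auth user name when an
     * {@code Authorization: Basic} header is present, otherwise the {@code j_username} request
     * parameter. Any exception from the provider is recorded via FFDC and turned into a FAILURE
     * result.
     *
     * <p>Fix: an undecodable or colon-less Basic header no longer throws inside the try block,
     * which previously turned an already finished authentication into FAILURE.
     *
     * @param webRequest the request being authenticated
     * @param hashMap form-login properties passed through to the provider
     * @param jaspiService the JASPI provider service
     * @return the provider's result, or FAILURE on an internal error
     */
    private AuthenticationResult authenticateForFormMechanism(WebRequest webRequest, HashMap<String, Object> hashMap, JaspiService jaspiService) {
        AuthenticationResult authenticationResult;
        try {
            HttpServletRequest httpServletRequest = webRequest.getHttpServletRequest();
            authenticationResult = jaspiService.authenticate(httpServletRequest, webRequest.getHttpServletResponse(), hashMap);
            if (authenticationResult.getStatus() != AuthResult.CONTINUE) {
                String header = ISRTServletRequest.getHeader(webRequest.getHttpServletRequest(), HttpHeaderKeys.HDR_AUTHORIZATION);
                if (header != null && header.startsWith("Basic ")) {
                    // Only the user name (before the first ':') is audited, never the password.
                    // decodeCookieString() returns null for undecodable input; guard both that and a missing ':'.
                    String decoded = decodeCookieString(header.substring(6));
                    int separator = decoded == null ? -1 : decoded.indexOf(':');
                    if (separator >= 0) {
                        authenticationResult.setAuditCredValue(decoded.substring(0, separator));
                    }
                } else {
                    String userName = httpServletRequest.getParameter("j_username");
                    if (userName != null) {
                        authenticationResult.setAuditCredValue(userName);
                    }
                }
                authenticationResult.setAuditCredType("JASPIC");
                authenticationResult.setAuditOutcome("denied");
            }
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.WebProviderAuthenticatorProxy", "236", this, new Object[]{webRequest, hashMap, jaspiService});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Internal error handling JASPI request", new Object[]{e});
            }
            // NOTE(review): the exception message becomes the result's reason text; confirm it is not echoed to the client.
            authenticationResult = new AuthenticationResult(AuthResult.FAILURE, e.getMessage());
        }
        return authenticationResult;
    }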

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Post-processes a successful JASPI authentication: restores saved POST parameters and
     * decides what happens to the LTPA SSO cookie.
     *
     * <p>Decision order:
     * <ol>
     * <li>request property {@code javax.servlet.http.registerSession} equal to "true" → SSO cookies are added;</li>
     * <li>SSO token not tagged jaspic / jsr375Form / jaspicForm → the LTPA cookie is removed
     *     from the response unless {@code isUseLtpaSSOForJaspic} is on;</li>
     * <li>tagged and this is a FORM_LOGIN → SSO cookies are added;</li>
     * <li>tagged otherwise → logout cookies are created unless the token is a {@code jaspic}
     *     session or {@code isUseLtpaSSOForJaspic} is on.</li>
     * </ol>
     *
     * @param webRequest the request; its properties map is consulted for registerSession
     * @param hashMap form-login properties (may be {@code null}); used for the FORM_LOGIN check
     * @param authenticationResult the successful result whose subject is used
     */
    public void processAuthenticationSuccess(WebRequest webRequest, HashMap<String, Object> hashMap, AuthenticationResult authenticationResult) {
        Subject subject = authenticationResult.getSubject();
        attemptToRestorePostParams(webRequest);
        Map<String, Object> properties = webRequest.getProperties();
        // Boolean.parseBoolean(null) is false, same as Boolean.valueOf(String).booleanValue().
        boolean registerSessionRequested = properties != null
                && Boolean.parseBoolean((String) properties.get("javax.servlet.http.registerSession"));
        SSOCookieHelper cookieHelper = this.webAppSecurityConfig.createSSOCookieHelper();
        if (registerSessionRequested) {
            registerSession(webRequest, subject, cookieHelper);
            return;
        }
        List<String> tokenUsage = getTokenUsageFromSSOToken(subject, cookieHelper);
        if (!isJaspicAttribute(tokenUsage)) {
            // Subject did not come from JASPIC: drop the LTPA cookie unless LTPA SSO is allowed for JASPIC.
            if (!this.webAppSecurityConfig.isUseLtpaSSOForJaspic()) {
                attemptToRemoveLtpaToken(webRequest, hashMap);
            }
            return;
        }
        if (isFormLogin(hashMap)) {
            registerSession(webRequest, subject, cookieHelper);
            return;
        }
        boolean keepSession = isJaspicSession(tokenUsage) || this.webAppSecurityConfig.isUseLtpaSSOForJaspic();
        if (!keepSession) {
            cookieHelper.createLogoutCookies(webRequest.getHttpServletRequest(), webRequest.getHttpServletResponse());
        }
    }

    /**
     * Adds the LTPA SSO cookies for {@code subject} to the response, inside a privileged
     * action when a {@link SecurityManager} is installed.
     *
     * @param webRequest supplies the servlet request and response
     * @param subject the authenticated subject whose SSO token is written
     * @param sSOCookieHelper helper that creates the cookies
     */
    private void registerSession(final WebRequest webRequest, final Subject subject, final SSOCookieHelper sSOCookieHelper) {
        PrivilegedAction<Object> addCookies = new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                sSOCookieHelper.addSSOCookiesToResponse(subject, webRequest.getHttpServletRequest(), webRequest.getHttpServletResponse());
                return null;
            }
        };
        if (System.getSecurityManager() == null) {
            addCookies.run();
        } else {
            AccessController.doPrivileged(addCookies);
        }
    }

    /**
     * Restores saved POST parameters unless the response has already been committed.
     *
     * @param webRequest supplies the request and response
     * @return the response that was checked
     */
    private HttpServletResponse attemptToRestorePostParams(WebRequest webRequest) {
        HttpServletResponse response = webRequest.getHttpServletResponse();
        boolean alreadyCommitted = response.isCommitted();
        if (!alreadyCommitted) {
            restorePostParams(webRequest);
        }
        return response;
    }

    /**
     * Restores POST parameters saved for this request via a fresh {@link PostParameterHelper}.
     *
     * @param webRequest supplies the request and response handed to the helper
     */
    protected void restorePostParams(WebRequest webRequest) {
        PostParameterHelper helper = new PostParameterHelper(this.webAppSecurityConfig);
        helper.restore(webRequest.getHttpServletRequest(), webRequest.getHttpServletResponse());
    }

    /**
     * Removes the LTPA SSO cookie from the response, except for FORM_LOGIN requests or when
     * the response is already committed.
     *
     * @param webRequest supplies the response
     * @param hashMap form-login properties (may be {@code null}) checked for FORM_LOGIN
     */
    private void attemptToRemoveLtpaToken(WebRequest webRequest, HashMap<String, Object> hashMap) {
        // Helper is created before the checks, as in the original.
        SSOCookieHelper cookieHelper = this.webAppSecurityConfig.createSSOCookieHelper();
        if (isFormLogin(hashMap)) {
            return;
        }
        HttpServletResponse response = webRequest.getHttpServletResponse();
        if (!response.isCommitted()) {
            cookieHelper.removeSSOCookieFromResponse(response);
        }
    }

    /**
     * JASPI-only entry point: wraps the servlet request/response and calls {@link #handleJaspi}.
     *
     * <p>NOTE(review): unlike {@link #authenticate(HttpServletRequest, HttpServletResponse, HashMap)},
     * the wrapper is built without this proxy's {@code webAppSecurityConfig}; confirm that is intended.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @param hashMap form-login properties, or {@code null}
     * @return the JASPI result
     * @throws Exception declared for compatibility; {@link #handleJaspi} itself does not declare one
     */
    public AuthenticationResult authenticate1(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HashMap<String, Object> hashMap) throws Exception {
        WebRequest request = new WebRequestImpl(httpServletRequest, httpServletResponse, null, null, null, null, null);
        return handleJaspi(request, hashMap);
    }

    /**
     * Runs the trust association interceptors for the given phase.
     *
     * @param webRequest the request being authenticated
     * @param z {@code true} for the invocation before SSO, {@code false} for the one after
     * @return CONTINUE when no TAI authenticator is available; otherwise the TAI result with
     *         audit credential type {@code TrustAssociationInterceptor} set on non-CONTINUE outcomes
     */
    protected AuthenticationResult handleTAI(WebRequest webRequest, boolean z) {
        TAIAuthenticator taiAuthenticator = getTaiAuthenticator();
        if (taiAuthenticator == null) {
            String phase = z ? "before" : "after";
            return new AuthenticationResult(AuthResult.CONTINUE, "TAI invoke " + phase + " SSO is not available, skipping TAI...");
        }
        AuthenticationResult result = taiAuthenticator.authenticate(webRequest, z);
        if (result.getStatus() != AuthResult.CONTINUE) {
            result.setAuditCredType("TrustAssociationInterceptor");
        }
        return result;
    }

    /**
     * Attempts LTPA single sign-on for the request.
     *
     * @param webRequest the request being authenticated
     * @param str passed through to {@code getSSOAuthenticator}
     * @return the SSO result when its status is SUCCESS; otherwise a fresh CONTINUE result
     */
    protected AuthenticationResult handleSSO(WebRequest webRequest, String str) {
        AuthenticationResult result = getSSOAuthenticator(webRequest, str).authenticate(webRequest);
        boolean succeeded = result != null && result.getStatus() == AuthResult.SUCCESS;
        return succeeded ? result : new AuthenticationResult(AuthResult.CONTINUE, "SSO did not succeed, so continue ...");
    }

    /**
     * Reads a {@link Boolean} request attribute, treating an absent attribute as {@code false}.
     *
     * @param httpServletRequest the request to read
     * @param str the attribute name
     * @return the attribute value, or {@code false} when it is not set
     */
    protected boolean isNotNullAndTrue(HttpServletRequest httpServletRequest, String str) {
        Object attribute = httpServletRequest.getAttribute(str);
        Boolean flag = (Boolean) attribute;
        return flag != null && flag.booleanValue();
    }

    /**
     * Exposes the map of pluggable web authenticators (e.g. {@code com.ibm.ws.security.jaspi},
     * {@code com.ibm.ws.security.spnego}).
     *
     * @return the live reference map; may be {@code null} if none was injected
     */
    public ConcurrentServiceReferenceMap<String, WebAuthenticator> getWebAuthenticatorRefs() {
        return this.webAuthenticatorRef;
    }

    /**
     * Base64-decodes a credential string.
     *
     * <p>Callers must handle the {@code null} return: decoding failures are recorded via FFDC
     * and swallowed. Both the argument and the result are marked {@link Sensitive} so they are
     * not written to trace.
     *
     * @param str base64 text, e.g. the payload of an {@code Authorization: Basic} header
     * @return the decoded text, or {@code null} if decoding fails
     */
    @Sensitive
    private String decodeCookieString(@Sensitive String str) {
        String decoded;
        try {
            decoded = Base64Coder.base64Decode(str);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.WebProviderAuthenticatorProxy", "382", this, new Object[]{"<sensitive java.lang.String>"});
            decoded = null;
        }
        return decoded;
    }

    /**
     * Reads the {@code com.ibm.ws.authentication.internal.auth.provider} attributes from the
     * subject's default SSO token.
     *
     * @param subject the subject to inspect
     * @param sSOCookieHelper helper used to locate the default SSO token
     * @return the attribute values, or {@code null} if there is no token or no such attribute
     */
    private List<String> getTokenUsageFromSSOToken(Subject subject, SSOCookieHelper sSOCookieHelper) {
        SingleSignonToken ssoToken = sSOCookieHelper.getDefaultSSOTokenFromSubject(subject);
        if (ssoToken == null) {
            return null;
        }
        String[] providers = ssoToken.getAttributes("com.ibm.ws.authentication.internal.auth.provider");
        return providers == null ? null : Arrays.asList(providers);
    }

    /**
     * Whether the SSO token's provider tags mark a JASPIC session or a JSR-375 form login.
     *
     * @param list provider tags from the SSO token; may be {@code null}
     * @return {@code true} if the list contains {@code jaspic} or {@code jsr375Form}
     */
    private boolean isJaspicSessionOrJsr375Form(List<String> list) {
        return list != null && (list.contains("jaspic") || list.contains("jsr375Form"));
    }

    /**
     * Whether the SSO token's provider tags mark a JASPIC session.
     *
     * @param list provider tags from the SSO token; may be {@code null}
     * @return {@code true} if the list contains {@code jaspic}
     */
    private boolean isJaspicSession(List<String> list) {
        if (list == null) {
            return false;
        }
        return list.contains("jaspic");
    }

    /**
     * Whether the SSO token's provider tags mark a JASPIC form login.
     *
     * @param list provider tags from the SSO token; may be {@code null}
     * @return {@code true} if the list contains {@code jaspicForm}
     */
    private boolean isJaspicForm(List<String> list) {
        if (list == null) {
            return false;
        }
        return list.contains("jaspicForm");
    }

    /**
     * Whether the SSO token carries any JASPIC-related provider tag.
     *
     * @param list provider tags from the SSO token; may be {@code null}
     * @return {@code true} if the list contains {@code jaspic}, {@code jsr375Form} or {@code jaspicForm}
     */
    private boolean isJaspicAttribute(List<String> list) {
        if (list == null) {
            return false;
        }
        for (String tag : new String[] {"jaspic", "jsr375Form", "jaspicForm"}) {
            if (list.contains(tag)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Whether the login properties describe a FORM login.
     *
     * @param map login properties; may be {@code null}
     * @return {@code true} if {@code map.get("authType")} equals {@code "FORM_LOGIN"}
     */
    private boolean isFormLogin(Map<String, Object> map) {
        if (map == null) {
            return false;
        }
        Object authType = map.get("authType");
        return "FORM_LOGIN".equals(authType);
    }

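    /**
     * Removes the subject's entry from the authentication cache, keyed by
     * {@code realmName:securityName} of its first {@link WSCredential}.
     *
     * <p>Best effort: any exception is recorded via FFDC and traced, never propagated.
     * Fix: a subject without a {@link WSCredential} (or an unavailable security service) no
     * longer throws out of this method; the lookup now happens inside the guarded block and an
     * empty credential set is skipped.
     *
     * @param subject the subject whose cache entry is removed
     */
    private void clearCacheData(Subject subject) {
        try {
            AuthCacheService authCacheService = ((SecurityService) this.securityServiceRef.getService()).getAuthenticationService().getAuthCacheService();
            Iterator<WSCredential> credentials = subject.getPublicCredentials(WSCredential.class).iterator();
            if (!credentials.hasNext()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "No WSCredential in the subject, nothing to remove from the cache", new Object[0]);
                }
                return;
            }
            WSCredential wSCredential = credentials.next();
            String cacheKey = wSCredential.getRealmName() + ":" + wSCredential.getSecurityName();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Deleting cache entry of user : " + cacheKey, new Object[0]);
            }
            authCacheService.remove(cacheKey);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.webcontainer.security.WebProviderAuthenticatorProxy", "444", this, new Object[]{subject});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "A cache entry cannot be deleted. An exception is caught : " + e, new Object[0]);
            }
        }
    }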

    /**
     * Runs the provider chain for a request; the first mechanism that returns anything other
     * than CONTINUE decides the outcome.
     *
     * <p>Order: TAI (before SSO) → OAuth access token → SPNEGO (callAfterSSO=false) →
     * OIDC client (before SSO) → LTPA SSO → SPNEGO (callAfterSSO=true) → TAI (after SSO) →
     * OIDC client (after SSO).
     *
     * @param webRequest the request being authenticated
     * @return the first non-CONTINUE result, or the last mechanism's CONTINUE result
     */
    @Override // com.ibm.ws.webcontainer.security.WebAuthenticator
    public AuthenticationResult authenticate(WebRequest webRequest) {
        HttpServletRequest request = webRequest.getHttpServletRequest();
        HttpServletResponse response = webRequest.getHttpServletResponse();
        AuthenticationResult result = handleTAI(webRequest, true);
        if (result.getStatus() != AuthResult.CONTINUE) {
            return result;
        }
        result = handleAccessToken(webRequest);
        if (result.getStatus() != AuthResult.CONTINUE) {
            return result;
        }
        webRequest.setCallAfterSSO(false);
        result = handleSpnego(webRequest);
        if (result.getStatus() != AuthResult.CONTINUE) {
            return result;
        }
        result = handleOidcClient(request, response, true);
        if (result.getStatus() != AuthResult.CONTINUE) {
            return result;
        }
        result = handleSSO(webRequest, null);
        if (result.getStatus() != AuthResult.CONTINUE) {
            return result;
        }
        webRequest.setCallAfterSSO(true);
        result = handleSpnego(webRequest);
        if (result.getStatus() != AuthResult.CONTINUE) {
            return result;
        }
        result = handleTAI(webRequest, false);
        if (result.getStatus() != AuthResult.CONTINUE) {
            return result;
        }
        return handleOidcClient(request, response, false);
    }

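    /**
     * Mechanism-specific entry point: SPNEGO when the login properties say so, otherwise JASPI
     * followed (on CONTINUE) by the OpenID 2.0 client.
     *
     * <p>Fix: the {@code authType} lookup is now null-safe; a non-null property map without
     * that key previously threw {@link NullPointerException} before any mechanism ran.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @param hashMap login properties; {@code null} or any {@code authType} other than
     *                {@code com.ibm.ws.security.spnego} selects the JASPI/OpenID path
     * @return the selected mechanism's result
     * @throws Exception propagated from the OpenID client
     */
    @Override // com.ibm.ws.webcontainer.security.WebAuthenticator
    public AuthenticationResult authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HashMap<String, Object> hashMap) throws Exception {
        WebRequestImpl webRequest = new WebRequestImpl(httpServletRequest, httpServletResponse, null, null, null, null, this.webAppSecurityConfig);
        boolean spnegoRequested = hashMap != null && "com.ibm.ws.security.spnego".equals(hashMap.get("authType"));
        if (spnegoRequested) {
            return handleSpnego(webRequest);
        }
        AuthenticationResult result = handleJaspi(webRequest, hashMap);
        if (result.getStatus() == AuthResult.CONTINUE) {
            result = handleOpenidClient(httpServletRequest, httpServletResponse);
        }
        return result;
    }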

    /**
     * Authenticates with an OAuth access token via {@code handleOAuth}, tagging non-CONTINUE
     * results with audit credential type {@code OAuth token}.
     *
     * @param webRequest supplies the request and response
     * @return the OAuth result
     */
    private AuthenticationResult handleAccessToken(WebRequest webRequest) {
        HttpServletRequest request = webRequest.getHttpServletRequest();
        HttpServletResponse response = webRequest.getHttpServletResponse();
        AuthenticationResult result = handleOAuth(request, response);
        boolean decided = result.getStatus() != AuthResult.CONTINUE;
        if (decided) {
            result.setAuditCredType("OAuth token");
        }
        return result;
    }

    /**
     * Runs the SPNEGO authenticator and, on success, logs the returned subject in through the
     * helper and writes the LTPA SSO cookies to the response.
     *
     * @param webRequest the request being authenticated
     * @return {@link #SPNEGO_CONT} when no authenticator map or SPNEGO authenticator exists;
     *         otherwise the (login) result, with audit credential type {@code SPNEGO} on
     *         non-CONTINUE outcomes
     */
    public AuthenticationResult handleSpnego(WebRequest webRequest) {
        AuthenticationResult result = this.SPNEGO_CONT;
        WebAuthenticator spnego = this.webAuthenticatorRef == null ? null : getSpnegoAuthenticator();
        if (spnego != null) {
            result = spnego.authenticate(webRequest);
            if (result.getStatus() == AuthResult.SUCCESS) {
                HttpServletRequest request = webRequest.getHttpServletRequest();
                HttpServletResponse response = webRequest.getHttpServletResponse();
                // The SPNEGO subject is exchanged for a full login before any SSO cookie is issued.
                result = this.authHelper.loginWithHashtable(request, response, result.getSubject());
                if (AuthResult.SUCCESS == result.getStatus()) {
                    this.webAppSecurityConfig.createSSOCookieHelper().addSSOCookiesToResponse(result.getSubject(), request, response);
                }
            }
        }
        if (result.getStatus() != AuthResult.CONTINUE) {
            result.setAuditCredType("SPNEGO");
        }
        return result;
    }

    /**
     * Looks up the SPNEGO authenticator registered under {@code com.ibm.ws.security.spnego}.
     *
     * <p>Dereferences {@code webAuthenticatorRef} unconditionally; callers such as
     * {@link #handleSpnego} check it for {@code null} first.
     *
     * @return the SPNEGO authenticator, or {@code null} if none is registered
     */
    public WebAuthenticator getSpnegoAuthenticator() {
        return (WebAuthenticator) this.webAuthenticatorRef.getService("com.ibm.ws.security.spnego");
    }

    /**
     * Handles the OpenID 2.0 relying-party flow.
     *
     * <p>With an OpenID identifier on the request, an authentication request to the provider is
     * created and REDIRECT_TO_PROVIDER is returned. With an RP request identifier, the
     * provider's response is verified and the user is logged in through the helper; a failed
     * verification returns FAILURE directly (without the audit credential type). Otherwise
     * {@link #OPENID_CLIENT_CONT} is returned.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @return the mapped result, with audit credential type {@code IDToken} on non-CONTINUE outcomes
     * @throws Exception propagated from the OpenID client service
     */
    private AuthenticationResult handleOpenidClient(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        AuthenticationResult result = this.OPENID_CLIENT_CONT;
        OpenidClientService client = (OpenidClientService) this.openIdClientServiceRef.getService();
        if (client != null) {
            String identifier = client.getOpenIdIdentifier(httpServletRequest);
            boolean startsAuthRequest = identifier != null && !identifier.isEmpty();
            if (startsAuthRequest) {
                client.createAuthRequest(httpServletRequest, httpServletResponse);
                result = new AuthenticationResult(AuthResult.REDIRECT_TO_PROVIDER, "OpenID client creates auth request...");
            } else if (client.getRpRequestIdentifier(httpServletRequest, httpServletResponse) != null) {
                ProviderAuthenticationResult opResponse = client.verifyOpResponse(httpServletRequest, httpServletResponse);
                if (opResponse.getStatus() != AuthResult.SUCCESS) {
                    return new AuthenticationResult(AuthResult.FAILURE, "OpenID client failed with status code " + opResponse.getStatus());
                }
                result = this.authHelper.loginWithUserName(httpServletRequest, httpServletResponse, opResponse.getUserName(), opResponse.getSubject(), opResponse.getCustomProperties(), client.isMapIdentityToRegistryUser());
            }
        }
        if (result.getStatus() != AuthResult.CONTINUE) {
            result.setAuditCredType("IDToken");
        }
        return result;
    }

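    /**
     * Delegates to the OpenID Connect client (relying party) and maps its result to an
     * {@link AuthenticationResult}.
     *
     * <p>Called twice per request from {@link #authenticate(WebRequest)}: once before SSO
     * ({@code z == true}) and once after. On the first call an invalidated session is logged
     * out and the client is only consulted further when some client is configured to run
     * before SSO. Requests that do not belong to an OIDC provider yield CONTINUE.
     *
     * <p>On a successful provider authentication the user is logged in through the helper and,
     * depending on the {@code INBOUND_PROPAGATION_VALUE} request attribute, the LTPA SSO cookies
     * are added to the response (optionally carrying the access token).
     *
     * <p>Fix: the Boolean request attributes {@code AUTHN_SESSION_DISABLED} and
     * {@code ACCESS_TOKEN_IN_LTPA_TOKEN} were cast and unboxed unchecked, throwing
     * {@link NullPointerException} when the client had not set them. They are now read
     * null-safely; a missing "session disabled" flag is treated as disabled (no SSO cookie),
     * and a missing "access token in LTPA" flag as false.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @param z {@code true} on the pre-SSO invocation, {@code false} on the post-SSO one
     * @return the mapped result; never {@code null}
     */
    private AuthenticationResult handleOidcClient(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) {
        OidcClient oidcClient = (OidcClient) this.oidcClientRef.getService();
        if (oidcClient == null) {
            return new AuthenticationResult(AuthResult.CONTINUE, "OpenID Connect client is not available, skipping OpenID Connect client...");
        }
        if (z) {
            oidcClient.logoutIfSessionInvalidated(httpServletRequest);
            if (!oidcClient.anyClientIsBeforeSso()) {
                return this.OIDC_CLIENT_CONT;
            }
        }
        String oidcProvider = oidcClient.getOidcProvider(httpServletRequest);
        if (oidcProvider == null) {
            return new AuthenticationResult(AuthResult.CONTINUE, "not an OpenID Connect client request, skipping OpenID Connect client...");
        }
        ProviderAuthenticationResult providerResult = oidcClient.authenticate(httpServletRequest, httpServletResponse, oidcProvider, this.referrerURLCookieHandler, z);
        if (providerResult.getStatus() == AuthResult.CONTINUE) {
            return this.OIDC_CLIENT_CONT;
        }
        if (providerResult.getStatus() == AuthResult.REDIRECT_TO_PROVIDER) {
            return new AuthenticationResult(AuthResult.REDIRECT, providerResult.getRedirectUrl());
        }
        if (providerResult.getStatus() != AuthResult.SUCCESS) {
            // A 401 from the client becomes an OAuth challenge; any other HTTP status is a plain failure.
            String reason = providerResult.getStatus() == AuthResult.FAILURE
                    ? "OpenID Connect client failed the request..."
                    : "OpenID Connect client returned with status: " + providerResult.getStatus();
            AuthResult mapped = 401 == providerResult.getHttpStatusCode() ? AuthResult.OAUTH_CHALLENGE : AuthResult.FAILURE;
            return new AuthenticationResult(mapped, reason);
        }
        if (providerResult.getUserName() == null) {
            // SUCCESS without a user name: nothing to log in, fall through as CONTINUE.
            return this.OIDC_CLIENT_CONT;
        }
        AuthenticationResult authenticationResult = this.authHelper.loginWithUserName(httpServletRequest, httpServletResponse, providerResult.getUserName(), providerResult.getSubject(), providerResult.getCustomProperties(), oidcClient.isMapIdentityToRegistryUser(oidcProvider));
        if (AuthResult.SUCCESS != authenticationResult.getStatus()) {
            return authenticationResult;
        }
        // Flags set on the request by the OIDC client; all read null-safely.
        boolean tokenAuthenticated = isNotNullAndTrue(httpServletRequest, OidcClient.PROPAGATION_TOKEN_AUTHENTICATED);
        // Fail closed: without an explicit "sessions enabled" signal, do not mint an SSO cookie.
        Boolean sessionDisabledAttr = (Boolean) httpServletRequest.getAttribute(OidcClient.AUTHN_SESSION_DISABLED);
        boolean sessionDisabled = sessionDisabledAttr == null || sessionDisabledAttr.booleanValue();
        String inboundValue = (String) httpServletRequest.getAttribute(OidcClient.INBOUND_PROPAGATION_VALUE);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Booleans: fisrtCall:" + z + " tokenAuthenticated:" + tokenAuthenticated + " SessionDisabled:" + sessionDisabled + " inboundValue:" + inboundValue, new Object[0]);
        }
        boolean accessTokenInLtpa = isNotNullAndTrue(httpServletRequest, OidcClient.ACCESS_TOKEN_IN_LTPA_TOKEN);
        // SSO cookies are written when inbound propagation is: none (post-SSO call only),
        // required (sessions enabled), supported (not token-authenticated, post-SSO call only),
        // or supported with the access token to be embedded in the LTPA token.
        boolean createSsoCookies =
                (OidcClient.inboundNone.equals(inboundValue) && !z)
                || (OidcClient.inboundRequired.equals(inboundValue) && !sessionDisabled)
                || (OidcClient.inboundSupported.equals(inboundValue) && !tokenAuthenticated && !z)
                || (accessTokenInLtpa && OidcClient.inboundSupported.equals(inboundValue));
        if (createSsoCookies) {
            SSOCookieHelper cookieHelper = this.webAppSecurityConfig.createSSOCookieHelper();
            if (accessTokenInLtpa) {
                addAccessTokenToTheCookie(authenticationResult, cookieHelper);
            }
            cookieHelper.addSSOCookiesToResponse(authenticationResult.getSubject(), httpServletRequest, httpServletResponse);
        }
        return authenticationResult;
    }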

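    /**
     * Copies the OAuth access token held in the subject's credentials into the LTPA single
     * sign-on token as the {@link OidcClient#OIDC_ACCESS_TOKEN} attribute, unless that
     * attribute is already present.
     *
     * <p>Nothing is done when the result has no subject, no {@code access_token} credential,
     * or no default SSO token.
     *
     * <p>Fix: the access token is a bearer credential and is no longer written to the debug
     * trace; only whether one was found is traced.
     *
     * @param authenticationResult result whose subject is inspected and updated
     * @param sSOCookieHelper helper used to locate the default SSO token in the subject
     */
    private void addAccessTokenToTheCookie(AuthenticationResult authenticationResult, SSOCookieHelper sSOCookieHelper) {
        Subject subject = authenticationResult.getSubject();
        if (subject == null) {
            return;
        }
        String accessToken = getAccessTokenFromTheSubject(subject, "access_token");
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "access token found in the subject = " + (accessToken != null), new Object[0]);
        }
        SingleSignonToken ssoToken = sSOCookieHelper.getDefaultSSOTokenFromSubject(subject);
        if (accessToken == null || ssoToken == null) {
            return;
        }
        // Do not overwrite an access token that is already carried by the SSO token.
        String[] existing = ssoToken.getAttributes(OidcClient.OIDC_ACCESS_TOKEN);
        if (existing == null || existing.length < 1) {
            ssoToken.addAttribute(OidcClient.OIDC_ACCESS_TOKEN, accessToken);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Successfully added the access token to the single sign on token", new Object[0]);
        }
    }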

    /**
     * Looks up a credential attribute in the subject's public credentials, falling back to
     * the private credentials when the public lookup yields nothing.
     *
     * <p>A {@link PrivilegedActionException} from either lookup is traced and swallowed;
     * whatever was found before the failure (possibly {@code null}) is returned.
     *
     * @param subject the subject to search
     * @param str the attribute name (e.g. {@code access_token})
     * @return the attribute value, or {@code null} if not found
     */
    @FFDCIgnore({PrivilegedActionException.class})
    static String getAccessTokenFromTheSubject(Subject subject, String str) {
        String value = null;
        try {
            value = getCredentialAttribute(subject.getPublicCredentials(), str, "publicCredentials");
            boolean missing = value == null || value.isEmpty();
            if (missing) {
                value = getCredentialAttribute(subject.getPrivateCredentials(), str, "privateCredentials");
            }
        } catch (PrivilegedActionException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Did not find a value for the attribute (" + str + ")", new Object[0]);
            }
        }
        return value;
    }

    /**
     * Scans a credential set for a {@link Map} credential that carries a non-null
     * {@code access_token} entry and returns that map's value for {@code str}.
     *
     * Only map-typed credentials that contain an {@code access_token} key are consulted, so an
     * unrelated credential map holding the same attribute name is ignored. The scan runs inside
     * {@link AccessController#doPrivileged}; the debug trace names the set being searched and the
     * class of each credential, but never a credential value.
     *
     * @param set  the credential set to search (public or private credentials of a subject)
     * @param str  the attribute name to return
     * @param str2 a label for the set, used only in trace output
     * @return the string form of the first matching value, or null if none is found
     * @throws PrivilegedActionException if the privileged scan fails
     */
    static String getCredentialAttribute(final Set<Object> set, final String str, final String str2) throws PrivilegedActionException {
        Object found = AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
            @Override
            public Object run() throws Exception {
                int position = 0;
                for (Object credential : set) {
                    position++;
                    if (WebProviderAuthenticatorProxy.tc.isDebugEnabled()) {
                        Tr.debug(WebProviderAuthenticatorProxy.tc, str2 + "(" + position + ") class:" + credential.getClass().getName(), new Object[0]);
                    }
                    if (!(credential instanceof Map)) {
                        continue;
                    }
                    Map<?, ?> attributes = (Map<?, ?>) credential;
                    // Only the credential map that holds an access token is eligible.
                    if (attributes.get("access_token") == null) {
                        continue;
                    }
                    Object value = attributes.get(str);
                    if (value != null) {
                        return value;
                    }
                }
                return null;
            }
        });
        return found == null ? null : found.toString();
    }

    /**
     * Delegates the request to the registered OAuth 2.0 service and maps its outcome onto an
     * {@link AuthenticationResult}.
     *
     * Outcomes: no service reference or a CONTINUE from the provider yields {@code OAUTH_CONT};
     * an unresolvable service yields CONTINUE with an explanatory message; FAILURE and any other
     * non-SUCCESS status become OAUTH_CHALLENGE when the provider reported HTTP 401 and FAILURE
     * otherwise; SUCCESS with a user name performs a login through {@code authHelper}, while
     * SUCCESS without a user name falls through to {@code OAUTH_CONT}.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response
     * @return the mapped authentication result
     */
    private AuthenticationResult handleOAuth(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (this.oauthServiceRef == null) {
            return this.OAUTH_CONT;
        }
        OAuth20Service service = (OAuth20Service) this.oauthServiceRef.getService();
        if (service == null) {
            return new AuthenticationResult(AuthResult.CONTINUE, "OAuth service is not available, skipping OAuth...");
        }
        ProviderAuthenticationResult providerResult = service.authenticate(httpServletRequest, httpServletResponse);
        if (providerResult.getStatus() == AuthResult.CONTINUE) {
            return this.OAUTH_CONT;
        }
        if (providerResult.getStatus() == AuthResult.FAILURE) {
            // A 401 from the provider is turned into a challenge rather than a hard failure.
            if (401 == providerResult.getHttpStatusCode()) {
                return new AuthenticationResult(AuthResult.OAUTH_CHALLENGE, "OAuth service failed the request");
            }
            return new AuthenticationResult(AuthResult.FAILURE, "OAuth service failed the request...");
        }
        if (providerResult.getStatus() != AuthResult.SUCCESS) {
            if (401 == providerResult.getHttpStatusCode()) {
                return new AuthenticationResult(AuthResult.OAUTH_CHALLENGE, "OAuth service failed the request due to unsuccessful request");
            }
            return new AuthenticationResult(AuthResult.FAILURE, "OAuth service returned with status: " + providerResult.getStatus());
        }
        String userName = providerResult.getUserName();
        if (userName == null) {
            // SUCCESS without a principal name: nothing to log in, let the chain continue.
            return this.OAUTH_CONT;
        }
        return this.authHelper.loginWithUserName(httpServletRequest, httpServletResponse, userName, providerResult.getSubject(), providerResult.getCustomProperties(), true);
    }

    /**
     * Builds a {@link TAIAuthenticator} when trust-association support is configured.
     *
     * An authenticator is created if either the TAI service is resolvable or at least one
     * {@code TrustAssociationInterceptor} service is registered; otherwise null is returned so
     * the caller can skip TAI processing.
     *
     * @return a new TAI authenticator, or null when neither a TAI service nor an interceptor exists
     */
    protected TAIAuthenticator getTaiAuthenticator() {
        TAIService taiService = (TAIService) this.taiServiceRef.getService();
        Iterator<?> interceptors = this.interceptorServiceRef.getServices();
        // Same short-circuit as before: hasNext() is only consulted when no TAI service exists.
        if (taiService == null && (interceptors == null || !interceptors.hasNext())) {
            return null;
        }
        SecurityService securityService = (SecurityService) this.securityServiceRef.getService();
        SSOCookieHelperImpl cookieHelper = new SSOCookieHelperImpl(this.webAppSecurityConfig);
        return new TAIAuthenticator(taiService, this.interceptorServiceRef, securityService.getAuthenticationService(), cookieHelper);
    }

    /**
     * Creates an {@link SSOAuthenticator} for the given web request.
     *
     * When {@code str} is non-null it is passed to the cookie helper as the SSO cookie name to
     * use; otherwise the helper falls back to the web-app security configuration alone.
     *
     * @param webRequest the request whose security metadata the authenticator will use
     * @param str        an explicit SSO cookie name, or null for the configured default
     * @return a new SSO authenticator
     */
    public WebAuthenticator getSSOAuthenticator(WebRequest webRequest, String str) {
        SecurityService securityService = (SecurityService) this.securityServiceRef.getService();
        SSOCookieHelperImpl cookieHelper;
        if (str == null) {
            cookieHelper = new SSOCookieHelperImpl(this.webAppSecurityConfig);
        } else {
            cookieHelper = new SSOCookieHelperImpl(this.webAppSecurityConfig, str);
        }
        return new SSOAuthenticator(securityService.getAuthenticationService(), webRequest.getSecurityMetadata(), this.webAppSecurityConfig, cookieHelper, this.ssoAuthFilterRef);
    }
}
