package io.openliberty.security.jakartasec.identitystore;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import io.openliberty.cdi40.internal.utils.CDI40Utils;
import io.openliberty.security.jakartasec.JakartaSec30Constants;
import io.openliberty.security.jakartasec.TraceConstants;
import io.openliberty.security.jakartasec.credential.OidcTokensCredential;
import io.openliberty.security.jakartasec.tokens.AccessTokenImpl;
import io.openliberty.security.jakartasec.tokens.IdentityTokenImpl;
import io.openliberty.security.jakartasec.tokens.OpenIdClaimsImpl;
import io.openliberty.security.jakartasec.tokens.RefreshTokenImpl;
import io.openliberty.security.oidcclientcore.client.ClaimsMappingConfig;
import io.openliberty.security.oidcclientcore.client.Client;
import io.openliberty.security.oidcclientcore.client.OidcClientConfig;
import io.openliberty.security.oidcclientcore.config.MetadataUtils;
import io.openliberty.security.oidcclientcore.exceptions.OidcClientConfigurationException;
import io.openliberty.security.oidcclientcore.exceptions.OidcDiscoveryException;
import io.openliberty.security.oidcclientcore.token.TokenResponse;
import io.openliberty.security.oidcclientcore.userinfo.UserInfoHandler;
import jakarta.json.JsonObject;
import jakarta.security.enterprise.credential.Credential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStore;
import jakarta.security.enterprise.identitystore.openid.AccessToken;
import jakarta.security.enterprise.identitystore.openid.IdentityToken;
import jakarta.security.enterprise.identitystore.openid.OpenIdClaims;
import jakarta.security.enterprise.identitystore.openid.OpenIdContext;
import jakarta.servlet.http.HttpServletRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;

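/**
 * Jakarta Security {@link IdentityStore} that validates an {@link OidcTokensCredential} produced by
 * the OpenID Connect authentication mechanism.
 * <p>
 * {@link #validate(Credential)} delegates token validation to {@link Client#validate}, builds the
 * access-token, identity-token and UserInfo views, derives the caller name and groups from the
 * configured claims mapping, and populates the request's {@link OpenIdContext}. Any exception
 * raised during that sequence is logged and mapped to
 * {@link CredentialValidationResult#INVALID_RESULT}, so the store fails closed.
 * <p>
 * Claim lookup order is: access token (only when it is a JWT), then ID token, then UserInfo
 * response; the first non-empty value wins (see {@link #getClaimValueFromTokens}).
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:io/openliberty/security/jakartasec/identitystore/OidcIdentityStore.class */
public class OidcIdentityStore implements IdentityStore {
    public static final TraceComponent tc = Tr.register(OidcIdentityStore.class, TraceConstants.TRACE_GROUP, TraceConstants.MESSAGE_BUNDLE);
    static final long serialVersionUID = -3598182764074126354L;

    /** Token-response key for the access token lifetime; the provider's value is passed through as-is. */
    private static final String EXPIRES_IN = "expires_in";
    /** Token-response key for the token type (for example {@code Bearer}). */
    private static final String TOKEN_TYPE = "token_type";
    /** Request parameter carrying the OAuth {@code state} value on the authentication response. */
    private static final String STATE_PARAMETER = "state";
    /** Standard issuer claim name. */
    private static final String ISSUER_CLAIM = "iss";

    /**
     * Validates an OIDC credential and produces the caller identity.
     *
     * @param credential the credential to validate; anything other than an
     *        {@link OidcTokensCredential} yields {@code NOT_VALIDATED_RESULT} so other stores can
     *        handle it
     * @return {@code NOT_VALIDATED_RESULT} for foreign credential types; {@code INVALID_RESULT}
     *         when the credential is not valid, lacks a token response / client / access token, or
     *         any step of validation throws; otherwise the result built by
     *         {@link #createCredentialValidationResult}
     */
    @FFDCIgnore({Exception.class})
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof OidcTokensCredential)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
        if (!credential.isValid()) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        OidcTokensCredential oidcCredential = (OidcTokensCredential) credential;
        TokenResponse tokenResponse = oidcCredential.getTokenResponse();
        Client client = oidcCredential.getClient();
        if (tokenResponse == null || client == null || tokenResponse.getAccessTokenString() == null) {
            return CredentialValidationResult.INVALID_RESULT;
        }
        try {
            HttpServletRequest request = oidcCredential.getRequest();
            // Token validation (signature, issuer, audience, ...) lives in the client; the claims it
            // returns are used below as the ID-token claims.
            JwtClaims idTokenClaims = client.validate(tokenResponse, request, oidcCredential.getResponse());
            OidcClientConfig clientConfig = client.getOidcClientConfig();
            long tokenMinValidity = clientConfig.getTokenMinValidity();

            AccessToken accessToken = createAccessTokenFromTokenResponse(tokenMinValidity, tokenResponse);
            IdentityToken identityToken = createIdentityTokenFromTokenResponse(tokenMinValidity, tokenResponse, idTokenClaims);
            OpenIdClaims userInfoClaims = createOpenIdClaimsFromUserInfoResponse(clientConfig, accessToken);
            CredentialValidationResult result = createCredentialValidationResult(clientConfig, accessToken, idTokenClaims, userInfoClaims);

            // NOTE(review): the OpenIdContext is populated even when createCredentialValidationResult
            // returned INVALID_RESULT (caller name missing); callerUniqueId is then null. Confirm
            // this is intended. The request is assumed non-null here, as in the original code.
            setOpenIdContext(oidcCredential.getOpenIdContext(),
                             result.getCallerUniqueId(),
                             tokenResponse,
                             accessToken,
                             identityToken,
                             userInfoClaims,
                             getProviderMetadataAsJsonObject(clientConfig),
                             request.getParameter(STATE_PARAMETER),
                             clientConfig.isUseSession(),
                             clientConfig.getClientId());
            return result;
        } catch (Exception e) {
            // Fail closed: any failure (validation, claim parsing, expires_in format, ...) rejects the credential.
            String clientId = client.getOidcClientConfig().getClientId();
            if (isDebugEnabled()) {
                Tr.debug(tc, "validate", "Exception occurred for client " + clientId, e);
            }
            Tr.error(tc, "CREDENTIAL_VALIDATION_ERROR", clientId, e.toString());
            return CredentialValidationResult.INVALID_RESULT;
        }
    }

    /** True when debug tracing is active for this component. */
    private static boolean isDebugEnabled() {
        return TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
    }

    /**
     * Copies the validated tokens and metadata into the contextual {@link OpenIdContextImpl} behind
     * the injected {@link OpenIdContext} proxy.
     *
     * @param openIdContext the (proxied) context to populate
     * @param subject value stored as the context subject (the caller unique id, possibly null)
     * @param tokenResponse provider token response; supplies {@code token_type}, {@code expires_in}
     *        and the optional refresh token
     * @param providerMetadata discovery document as JSON, or null when it could not be obtained
     * @param state the {@code state} request parameter value, or null
     * @param useSession whether the client is configured to keep the context in the HTTP session
     * @param clientId the client identifier
     * @throws NumberFormatException if {@code expires_in} is present but not a valid long
     */
    private void setOpenIdContext(OpenIdContext openIdContext, String subject, TokenResponse tokenResponse, AccessToken accessToken,
                                  IdentityToken identityToken, OpenIdClaims userInfoClaims, JsonObject providerMetadata, String state,
                                  boolean useSession, String clientId) {
        OpenIdContextImpl contextImpl = (OpenIdContextImpl) CDI40Utils.getContextualInstanceFromProxy(openIdContext);
        Map<?, ?> responseMap = tokenResponse.asMap();

        contextImpl.setSubject(subject);
        contextImpl.setTokenType((String) responseMap.get(TOKEN_TYPE));
        contextImpl.setAccessToken(accessToken);
        contextImpl.setIdentityToken(identityToken);
        contextImpl.setExpiresIn(Long.valueOf(expiresInFromTokenResponse(tokenResponse)));
        contextImpl.setClaims(userInfoClaims);
        contextImpl.setProviderMetadata(providerMetadata);
        contextImpl.setState(state);
        contextImpl.setUseSession(useSession);
        contextImpl.setClientId(clientId);

        String refreshTokenString = tokenResponse.getRefreshTokenString();
        // Explicitly clear a stale refresh token when the provider did not return one.
        contextImpl.setRefreshToken(refreshTokenString == null ? null : new RefreshTokenImpl(refreshTokenString));
    }

    /**
     * Reads {@code expires_in} from the token response.
     *
     * @return the parsed value, or 0 when the response map is null or lacks the key
     * @throws NumberFormatException if the value is present but not a valid long; inside
     *         {@link #validate} this becomes {@code INVALID_RESULT}
     */
    private static long expiresInFromTokenResponse(TokenResponse tokenResponse) {
        Map<?, ?> responseMap = tokenResponse.asMap();
        if (responseMap == null || !responseMap.containsKey(EXPIRES_IN)) {
            return 0L;
        }
        return Long.parseLong((String) responseMap.get(EXPIRES_IN));
    }

    /**
     * Builds the {@link AccessToken} view of the token response.
     * <p>
     * The access token string is split on {@link JakartaSec30Constants#DELIMITER}. If it has more
     * than one segment and either the first (header) or second (payload) segment decodes as a
     * base64-encoded JSON object, the token is treated as a JWT and its payload becomes the claims
     * map; otherwise an opaque access token is created.
     * <p>
     * NOTE(review): the claims map is decoded from the token payload here without any signature
     * check in this method; whether {@link Client#validate} verifies the access token is not
     * visible in this file. Confirm before relying on these claims for authorization decisions.
     *
     * @param tokenMinValidity configured minimum validity passed through to the token
     * @param tokenResponse provider token response; its access token string must be non-null
     * @return a JWT-backed or opaque {@link AccessTokenImpl}
     * @throws NumberFormatException if {@code expires_in} is present but malformed
     */
    @FFDCIgnore({Exception.class})
    protected AccessToken createAccessTokenFromTokenResponse(long tokenMinValidity, TokenResponse tokenResponse) {
        long expiresIn = expiresInFromTokenResponse(tokenResponse);
        String accessTokenString = tokenResponse.getAccessTokenString();

        String[] segments = accessTokenString.split(Pattern.quote(JakartaSec30Constants.DELIMITER));
        boolean looksLikeJwt = false;
        Map<String, Object> claimsMap = null;
        if (segments.length > 1) {
            // A decodable header or a decodable payload is taken as evidence of a JWT.
            boolean headerDecodes = decodeJsonSegment(segments[0]) != null;
            claimsMap = decodeJsonSegment(segments[1]);
            looksLikeJwt = headerDecodes || claimsMap != null;
            if (looksLikeJwt && claimsMap == null && isDebugEnabled()) {
                Tr.debug(tc, "createAccessTokenFromTokenResponse",
                         "The tokenResponse accessTokenString was parsable for the first part, but couldn't parse out a claimsMap.");
            }
        }

        if (!looksLikeJwt) {
            return new AccessTokenImpl(accessTokenString, tokenResponse.getResponseGenerationTime(), Long.valueOf(expiresIn), Long.valueOf(tokenMinValidity));
        }
        if (isDebugEnabled()) {
            Tr.debug(tc, "createAccessTokenFromTokenResponse", "Creating a jwt access token based on the tokenResponse accessTokenString");
        }
        return new AccessTokenImpl(accessTokenString, claimsMap, tokenResponse.getResponseGenerationTime(), Long.valueOf(expiresIn), Long.valueOf(tokenMinValidity));
    }

    /**
     * Decodes one compact-serialization segment as a JSON object.
     *
     * @param segment base64url (RFC 7515) segment; standard base64 is accepted as a fallback
     * @return the parsed JSON object as a claims map, or null when the segment does not decode or
     *         does not parse (the failure is only traced, and the segment itself is never logged)
     */
    @FFDCIgnore({Exception.class})
    private static Map<String, Object> decodeJsonSegment(String segment) {
        try {
            byte[] decoded = decodeBase64Segment(segment);
            return JwtClaims.parse(new String(decoded, StandardCharsets.UTF_8)).getClaimsMap();
        } catch (Exception e) {
            if (isDebugEnabled()) {
                Tr.debug(tc, "decodeJsonSegment", "Token segment could not be decoded as a JSON object.", e);
            }
            return null;
        }
    }

    /**
     * Base64-decodes a JWT segment. JWS uses the URL-safe alphabet, so that decoder is tried first;
     * the standard alphabet is kept as a fallback for the previous behaviour.
     *
     * @throws IllegalArgumentException if the segment is valid in neither alphabet
     */
    private static byte[] decodeBase64Segment(String segment) {
        try {
            return Base64.getUrlDecoder().decode(segment);
        } catch (IllegalArgumentException notUrlSafe) {
            return Base64.getDecoder().decode(segment);
        }
    }

    /**
     * Builds the {@link IdentityToken} view from the token response.
     *
     * @param tokenMinValidity configured minimum validity passed through to the token
     * @param idTokenClaims the claims returned by {@link Client#validate}
     * @return the identity token, or null when the response carries no ID token
     */
    private IdentityToken createIdentityTokenFromTokenResponse(long tokenMinValidity, TokenResponse tokenResponse, JwtClaims idTokenClaims) {
        String idTokenString = tokenResponse.getIdTokenString();
        if (idTokenString == null) {
            return null;
        }
        return new IdentityTokenImpl(idTokenString, idTokenClaims.getClaimsMap(), Long.valueOf(tokenMinValidity));
    }

    /**
     * Fetches UserInfo claims for the access token. Failures are best-effort: they are traced and
     * result in null rather than failing validation.
     *
     * @return the UserInfo claims, or null when none could be obtained
     */
    @FFDCIgnore({Exception.class})
    private OpenIdClaims createOpenIdClaimsFromUserInfoResponse(OidcClientConfig oidcClientConfig, AccessToken accessToken) {
        @SuppressWarnings("rawtypes") // UserInfoHandler's map element types are not declared in this file
        Map userInfoClaims;
        try {
            userInfoClaims = getUserInfoHandler().getUserInfoClaims(oidcClientConfig, accessToken.getToken());
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The {0} OpenID Connect client cannot create claims from the UserInfo data that was returned from the OpenID Connect provider. {1}",
                         oidcClientConfig.getClientId(), e.toString());
            }
            return null;
        }
        if (userInfoClaims == null) {
            return null;
        }
        return new OpenIdClaimsImpl(userInfoClaims);
    }

    /** Factory for the UserInfo handler; package-private so tests can substitute one. */
    UserInfoHandler getUserInfoHandler() {
        return new UserInfoHandler();
    }

    /**
     * Builds the validation result from the mapped claims.
     * <p>
     * The issuer is used as the store id, the caller name doubles as the caller unique id and no
     * DN is set. A missing caller name is logged as {@code CREDENTIAL_VALIDATION_CALLER_MISSING}
     * and rejects the credential.
     *
     * @return a valid result, or {@code INVALID_RESULT} when the caller name claim is absent or empty
     * @throws MalformedClaimException if a claim does not have the expected type
     */
    CredentialValidationResult createCredentialValidationResult(OidcClientConfig oidcClientConfig, AccessToken accessToken, JwtClaims jwtClaims, OpenIdClaims openIdClaims) throws MalformedClaimException {
        String issuer = getIssuer(oidcClientConfig, accessToken, jwtClaims, openIdClaims);
        String callerName = getCallerName(oidcClientConfig, accessToken, jwtClaims, openIdClaims);
        if (callerName == null) {
            Tr.error(tc, "CREDENTIAL_VALIDATION_CALLER_MISSING", getCallerNameClaim(oidcClientConfig));
            return CredentialValidationResult.INVALID_RESULT;
        }
        Set<String> groups = getCallerGroups(oidcClientConfig, accessToken, jwtClaims, openIdClaims);
        return new CredentialValidationResult(issuer, callerName, (String) null, callerName, groups);
    }

    /**
     * Fetches the provider discovery document as a {@link JsonObject}.
     *
     * @return the metadata, or null when discovery fails or the configuration is invalid (traced only)
     */
    @FFDCIgnore({OidcDiscoveryException.class})
    private JsonObject getProviderMetadataAsJsonObject(OidcClientConfig oidcClientConfig) {
        try {
            return OpenIdContextUtils.convertJsonObject(MetadataUtils.getProviderDiscoveryMetaData(oidcClientConfig));
        } catch (OidcClientConfigurationException | OidcDiscoveryException e) {
            if (isDebugEnabled()) {
                Tr.debug(tc, "getProviderMetadataAsJsonObject",
                         "getProviderDiscoveryMetaData threw an exception, the providerMetadata JsonObject will be null.", e);
            }
            return null;
        }
    }

    /**
     * Resolves the issuer: the {@code iss} claim from the tokens, falling back to the configured
     * provider metadata when the claim is absent or empty.
     *
     * @throws MalformedClaimException if the {@code iss} claim is not a string
     */
    String getIssuer(OidcClientConfig oidcClientConfig, AccessToken accessToken, JwtClaims jwtClaims, OpenIdClaims openIdClaims) throws MalformedClaimException {
        String issuer = getClaimValueFromTokens(ISSUER_CLAIM, accessToken, jwtClaims, openIdClaims, String.class);
        if (issuer == null || issuer.isEmpty()) {
            return issuerFromProviderMetadata(oidcClientConfig);
        }
        return issuer;
    }

    /** Issuer from the configured provider metadata. */
    private String issuerFromProviderMetadata(OidcClientConfig oidcClientConfig) {
        return oidcClientConfig.getProviderMetadata().getIssuer();
    }

    /**
     * Resolves the caller name via the configured caller-name claim.
     *
     * @return the claim value, or null when no claim is configured or none of the tokens carries it
     * @throws MalformedClaimException if the claim is not a string
     */
    String getCallerName(OidcClientConfig oidcClientConfig, AccessToken accessToken, JwtClaims jwtClaims, OpenIdClaims openIdClaims) throws MalformedClaimException {
        String callerNameClaim = getCallerNameClaim(oidcClientConfig);
        if (callerNameClaim == null || callerNameClaim.isEmpty()) {
            return null;
        }
        return getClaimValueFromTokens(callerNameClaim, accessToken, jwtClaims, openIdClaims, String.class);
    }

    /**
     * Resolves the caller groups via the configured caller-groups claim.
     *
     * @return an immutable set of group names, or null when no claim is configured or none of the
     *         tokens carries it
     * @throws MalformedClaimException if the claim is not a list
     * @throws NullPointerException if the claim list contains a null element ({@link Set#copyOf})
     */
    Set<String> getCallerGroups(OidcClientConfig oidcClientConfig, AccessToken accessToken, JwtClaims jwtClaims, OpenIdClaims openIdClaims) throws MalformedClaimException {
        String callerGroupsClaim = getCallerGroupsClaim(oidcClientConfig);
        if (callerGroupsClaim == null || callerGroupsClaim.isEmpty()) {
            return null;
        }
        @SuppressWarnings("unchecked") // List.class is necessarily raw; the mapped groups claim holds string group names
        List<String> groups = getClaimValueFromTokens(callerGroupsClaim, accessToken, jwtClaims, openIdClaims, List.class);
        if (groups == null) {
            return null;
        }
        return Set.copyOf(groups);
    }

    /** Configured caller-name claim, or null when no claims mapping is configured. */
    String getCallerNameClaim(OidcClientConfig oidcClientConfig) {
        ClaimsMappingConfig claimsMapping = oidcClientConfig.getClaimsMappingConfig();
        return claimsMapping == null ? null : claimsMapping.getCallerNameClaim();
    }

    /** Configured caller-groups claim, or null when no claims mapping is configured. */
    String getCallerGroupsClaim(OidcClientConfig oidcClientConfig) {
        ClaimsMappingConfig claimsMapping = oidcClientConfig.getClaimsMappingConfig();
        return claimsMapping == null ? null : claimsMapping.getCallerGroupsClaim();
    }

    /**
     * Looks a claim up in the access token, then the ID token, then the UserInfo claims, returning
     * the first value that exists and is non-empty (see {@link #valueExistsAndIsNotEmpty}).
     *
     * @param claimName claim to look up
     * @param type expected claim type ({@code String.class} or {@code List.class} are the ones
     *        the UserInfo lookup supports)
     * @return the first non-empty value, or null
     * @throws MalformedClaimException if the ID-token claim does not have the requested type
     */
    <T> T getClaimValueFromTokens(String claimName, AccessToken accessToken, JwtClaims jwtClaims, OpenIdClaims openIdClaims, Class<T> type) throws MalformedClaimException {
        T fromAccessToken = getClaimFromAccessToken(accessToken, claimName);
        if (valueExistsAndIsNotEmpty(fromAccessToken, type)) {
            return fromAccessToken;
        }
        T fromIdToken = getClaimFromIdToken(jwtClaims, claimName, type);
        if (valueExistsAndIsNotEmpty(fromIdToken, type)) {
            return fromIdToken;
        }
        T fromUserInfo = getClaimFromUserInfo(openIdClaims, claimName, type);
        if (valueExistsAndIsNotEmpty(fromUserInfo, type)) {
            return fromUserInfo;
        }
        return null;
    }

    /**
     * Claim from the access token, only when it is a JWT (opaque tokens carry no claims).
     *
     * @return the claim value cast to the caller's expected type, or null
     */
    @SuppressWarnings("unchecked") // AccessToken.getClaim is untyped; the caller's type check follows in valueExistsAndIsNotEmpty
    <T> T getClaimFromAccessToken(AccessToken accessToken, String claimName) {
        if (!accessToken.isJWT()) {
            return null;
        }
        return (T) accessToken.getClaim(claimName);
    }

    /**
     * Claim from the ID-token claims.
     *
     * @throws MalformedClaimException if the claim cannot be converted to {@code type}
     */
    <T> T getClaimFromIdToken(JwtClaims jwtClaims, String claimName, Class<T> type) throws MalformedClaimException {
        return jwtClaims.getClaimValue(claimName, type);
    }

    /**
     * Claim from the UserInfo claims. Only {@code String} and {@code List} lookups are supported;
     * any other type yields null.
     *
     * @return the claim value, or null when absent, unsupported, or no UserInfo claims exist
     */
    <T> T getClaimFromUserInfo(OpenIdClaims openIdClaims, String claimName, Class<T> type) {
        if (openIdClaims == null) {
            return null;
        }
        if (type.equals(String.class)) {
            Optional<String> stringClaim = openIdClaims.getStringClaim(claimName);
            return stringClaim.map(type::cast).orElse(null);
        }
        if (type.equals(List.class)) {
            return type.cast(openIdClaims.getArrayStringClaim(claimName));
        }
        return null;
    }

    /**
     * True when {@code value} is non-null and, for {@code String}, {@code Set} and {@code List}
     * lookups, non-empty. Other types only need to be non-null.
     */
    <T> boolean valueExistsAndIsNotEmpty(T value, Class<T> type) {
        if (value == null) {
            return false;
        }
        if (type.equals(String.class)) {
            return !((String) value).isEmpty();
        }
        if (type.equals(Set.class)) {
            return !((Set<?>) value).isEmpty();
        }
        if (type.equals(List.class)) {
            return !((List<?>) value).isEmpty();
        }
        return true;
    }
}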
