package com.ibm.ws.security.jwt.web;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.crypto.KeyAlgorithmChecker;
import com.ibm.ws.security.jwt.config.JwtConfig;
import com.ibm.ws.security.jwt.utils.TokenBuilder;
import com.ibm.ws.security.jwt.web.JwtRequest;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import jakarta.servlet.ServletContext;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(service = {JwtEndpointServices.class}, name = "com.ibm.ws.security.jwt.web.JwtEndpointServices", immediate = true, configurationPolicy = ConfigurationPolicy.IGNORE, property = {"service.vendor=IBM"})
/* loaded from: input_file:com/ibm/ws/security/jwt/web/JwtEndpointServices.class */
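public class JwtEndpointServices {
    private static TraceComponent tc = Tr.register(JwtEndpointServices.class, "JWTBUILDER", "com.ibm.ws.security.jwt.internal.resources.JWTMessages");
    public static final String KEY_ID = "id";
    public static final String KEY_JWT_CONFIG = "jwtConfig";
    // Registered JwtConfig services, keyed by the value of their "id" service property.
    private final ConcurrentServiceReferenceMap<String, JwtConfig> jwtConfigRef = new ConcurrentServiceReferenceMap<>(KEY_JWT_CONFIG);
    static final long serialVersionUID = 1246208993612745366L;

    // Source id passed to every FFDC probe in this class.
    private static final String FFDC_SOURCE = "com.ibm.ws.security.jwt.web.JwtEndpointServices";
    // Content type of every successful endpoint response body.
    private static final String JSON_CONTENT_TYPE = "application/json;charset=UTF-8";

    /**
     * Registers a {@link JwtConfig} service under the value of its {@code id} property.
     *
     * @param serviceReference the OSGi reference to the configuration service being bound
     */
    @Reference(service = JwtConfig.class, name = KEY_JWT_CONFIG, policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.MULTIPLE, policyOption = ReferencePolicyOption.GREEDY)
    protected void setJwtConfig(ServiceReference<JwtConfig> serviceReference) {
        String configId = (String) serviceReference.getProperty(KEY_ID);
        synchronized (this.jwtConfigRef) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Setting reference for " + configId, new Object[0]);
            }
            this.jwtConfigRef.putReference(configId, serviceReference);
        }
    }

    /**
     * Removes a previously bound {@link JwtConfig} service.
     *
     * @param serviceReference the OSGi reference to the configuration service being unbound
     */
    protected void unsetJwtConfig(ServiceReference<JwtConfig> serviceReference) {
        String configId = (String) serviceReference.getProperty(KEY_ID);
        synchronized (this.jwtConfigRef) {
            this.jwtConfigRef.removeReference(configId, serviceReference);
        }
    }

    /**
     * Activates the service reference map and logs that the endpoint service is available.
     *
     * @param componentContext the DS component context
     */
    @Activate
    protected void activate(ComponentContext componentContext) {
        this.jwtConfigRef.activate(componentContext);
        Tr.info(tc, "JWT_ENDPOINT_SERVICE_ACTIVATED", new Object[0]);
    }

    /**
     * Deactivates the service reference map.
     *
     * @param componentContext the DS component context
     */
    @Deactivate
    protected void deactivate(ComponentContext componentContext) {
        this.jwtConfigRef.deactivate(componentContext);
    }

    /**
     * Entry point for a JWT endpoint request. Resolves the {@link JwtRequest} the
     * front-end servlet stored on the request and the {@link JwtConfig} it names,
     * then dispatches on the endpoint type. A 404 has already been sent when either
     * lookup fails, so this method simply returns in that case.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response to write to
     * @param servletContext      the servlet context (passed through for FFDC)
     * @throws IOException if sending the response fails
     */
    public void handleEndpointRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ServletContext servletContext) throws IOException {
        JwtRequest jwtRequest = getJwtRequest(httpServletRequest, httpServletResponse);
        if (jwtRequest == null) {
            return;
        }
        JwtConfig jwtConfig = getJwtConfig(httpServletResponse, jwtRequest.getJwtConfigId());
        if (jwtConfig == null) {
            return;
        }
        handleJwtRequest(httpServletRequest, httpServletResponse, servletContext, jwtConfig, jwtRequest.getType());
    }

    /**
     * Reads the {@link JwtRequest} attribute from the request.
     *
     * @return the attribute, or {@code null} after sending a 404 when it is absent
     * @throws IOException if sending the error response fails
     */
    private JwtRequest getJwtRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        JwtRequest jwtRequest = (JwtRequest) httpServletRequest.getAttribute(WebConstants.JWT_REQUEST_ATTR);
        if (jwtRequest == null) {
            String message = Tr.formatMessage(tc, "JWT_REQUEST_ATTRIBUTE_MISSING", new Object[]{httpServletRequest.getRequestURI(), WebConstants.JWT_REQUEST_ATTR});
            Tr.error(tc, message, new Object[0]);
            httpServletResponse.sendError(HttpServletResponse.SC_NOT_FOUND, message);
        }
        return jwtRequest;
    }

    /**
     * Looks up the {@link JwtConfig} service registered under the given id.
     *
     * @param jwtConfigId the configuration id taken from the request
     * @return the service, or {@code null} after sending a 404 when none is registered
     * @throws IOException if sending the error response fails
     */
    private JwtConfig getJwtConfig(HttpServletResponse httpServletResponse, String jwtConfigId) throws IOException {
        JwtConfig jwtConfig = (JwtConfig) this.jwtConfigRef.getService(jwtConfigId);
        if (jwtConfig == null) {
            String message = Tr.formatMessage(tc, "JWT_CONFIG_SERVICE_NOT_AVAILABLE", new Object[]{jwtConfigId});
            Tr.error(tc, message, new Object[0]);
            httpServletResponse.sendError(HttpServletResponse.SC_NOT_FOUND, message);
        }
        return jwtConfig;
    }

    /**
     * Dispatches a request to the JWK or token endpoint handler.
     *
     * @param jwtConfig    the resolved configuration; a {@code null} value is logged and ignored
     * @param endpointType which endpoint was addressed; unknown types are ignored
     * @throws IOException if writing the response fails
     */
    protected void handleJwtRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ServletContext servletContext, JwtConfig jwtConfig, JwtRequest.EndpointType endpointType) throws IOException {
        if (jwtConfig == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No JwtConfig object provided", new Object[0]);
            }
            return;
        }
        switch (endpointType) {
            case jwk:
                processJWKRequest(httpServletResponse, jwtConfig);
                break;
            case token:
                handleTokenEndpoint(httpServletRequest, httpServletResponse, servletContext, jwtConfig, endpointType);
                break;
            default:
                break;
        }
    }

    /**
     * Handles the token endpoint: rejects non-TLS transport, then requires container
     * authentication before a token is issued.
     *
     * @throws IOException if writing the response fails
     */
    private void handleTokenEndpoint(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ServletContext servletContext, JwtConfig jwtConfig, JwtRequest.EndpointType endpointType) throws IOException {
        if (!isTransportSecure(httpServletRequest)) {
            // Tokens are bearer credentials; never issue one over cleartext.
            String requestUrl = httpServletRequest.getRequestURL().toString();
            Tr.error(tc, "SECURITY.JWT.ERROR.WRONG.HTTP.SCHEME", new Object[]{requestUrl});
            httpServletResponse.sendError(HttpServletResponse.SC_NOT_FOUND, Tr.formatMessage(tc, "SECURITY.JWT.ERROR.WRONG.HTTP.SCHEME", new Object[]{requestUrl}));
            return;
        }
        try {
            boolean authenticated = httpServletRequest.authenticate(httpServletResponse);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "request.authenticate result: " + authenticated, new Object[0]);
            }
            // When authenticate() returns false the container has already written its
            // challenge/error to the response, so nothing more is sent here.
            if (authenticated) {
                processTokenRequest(httpServletResponse, jwtConfig);
            }
        } catch (ServletException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "185", this, new Object[]{httpServletRequest, httpServletResponse, servletContext, jwtConfig, endpointType});
        }
    }

    /**
     * Returns whether the request arrived over TLS, either directly or as reported
     * by a TLS-terminating proxy via {@code X-Forwarded-Proto}.
     *
     * The forwarded header is client-controllable unless the edge proxy overwrites it,
     * so this check is only as strong as the deployment's proxy configuration.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} when the scheme or forwarded scheme is https
     */
    private boolean isTransportSecure(HttpServletRequest httpServletRequest) {
        if ("https".equals(httpServletRequest.getScheme())) {
            return true;
        }
        String forwardedProto = httpServletRequest.getHeader("X-Forwarded-Proto");
        // equalsIgnoreCase is locale-independent, unlike toLowerCase().equals(...).
        return "https".equalsIgnoreCase(forwardedProto);
    }

    /**
     * Builds a token for the configuration and writes it as {@code {"token": "..."}}.
     *
     * @throws IOException if writing the response fails
     */
    private void processTokenRequest(HttpServletResponse httpServletResponse, JwtConfig jwtConfig) throws IOException {
        String tokenString = new TokenBuilder().createTokenString(jwtConfig);
        addNoCacheHeaders(httpServletResponse);
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
        if (tokenString == null) {
            // NOTE(review): a null token leaves a 200 with an empty body. Kept as-is
            // because TokenBuilder's own error reporting is not visible here — confirm.
            return;
        }
        // Assumes the token is a JWT compact serialization (base64url segments joined
        // by '.'), which contains no characters that need JSON escaping — TODO confirm.
        writeJsonBody(httpServletResponse, "{\"token\": \"" + tokenString + "\"}", "242", jwtConfig);
    }

    /**
     * Writes the configuration's JWK set, after checking the signature algorithm is
     * one for which a public key can be published.
     *
     * @throws IOException if writing the response fails
     */
    private void processJWKRequest(HttpServletResponse httpServletResponse, JwtConfig jwtConfig) throws IOException {
        String signatureAlgorithm = jwtConfig.getSignatureAlgorithm();
        if (!isPossibleJwkAlgorithm(signatureAlgorithm)) {
            // Symmetric (HS*) configurations have no public key to expose.
            String message = Tr.formatMessage(tc, "JWK_ENDPOINT_WRONG_ALGORITHM", new Object[]{jwtConfig.getId(), signatureAlgorithm, getAcceptableJwkSignatureAlgorithms()});
            Tr.error(tc, message, new Object[0]);
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, message);
            return;
        }
        String jwkJsonString = jwtConfig.getJwkJsonString();
        addNoCacheHeaders(httpServletResponse);
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
        if (jwkJsonString == null) {
            return;
        }
        writeJsonBody(httpServletResponse, jwkJsonString, "291", jwtConfig);
    }

    /**
     * Writes a JSON body to the response, reporting a failure to obtain the writer
     * through FFDC instead of propagating it.
     *
     * @param json        the body to write, verbatim
     * @param ffdcProbeId the probe id recorded with the FFDC entry
     * @param jwtConfig   the configuration, recorded with the FFDC entry
     */
    private void writeJsonBody(HttpServletResponse httpServletResponse, String json, String ffdcProbeId, JwtConfig jwtConfig) {
        try {
            // The charset must be fixed before getWriter(): the servlet container ignores a
            // character encoding set after the writer has been obtained.
            httpServletResponse.setHeader("Content-Type", JSON_CONTENT_TYPE);
            try (PrintWriter writer = httpServletResponse.getWriter()) {
                writer.write(json);
                writer.flush();
            }
        } catch (IOException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, ffdcProbeId, this, new Object[]{httpServletResponse, jwtConfig});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Caught an exception attempting to get the response writer: " + e.getLocalizedMessage(), new Object[0]);
            }
        }
    }

    /**
     * Returns whether the algorithm is an asymmetric (RS* or ES*) one whose verification
     * key can be published as a JWK.
     *
     * @param signatureAlgorithm the configured signature algorithm name
     */
    boolean isPossibleJwkAlgorithm(String signatureAlgorithm) {
        return KeyAlgorithmChecker.isRSAlgorithm(signatureAlgorithm) || KeyAlgorithmChecker.isESAlgorithm(signatureAlgorithm);
    }

    /**
     * Returns the human-readable list of algorithms accepted by the JWK endpoint,
     * used in the error message.
     */
    String getAcceptableJwkSignatureAlgorithms() {
        return "RS256, RS384, RS512, ES256, ES384, ES512";
    }

    /**
     * Marks the response as non-cacheable, appending {@code no-store} to any
     * {@code Cache-Control} value already present.
     *
     * @param httpServletResponse the response to mark
     */
    protected void addNoCacheHeaders(HttpServletResponse httpServletResponse) {
        String existing = httpServletResponse.getHeader("Cache-Control");
        boolean absent = existing == null || existing.isEmpty();
        httpServletResponse.setHeader("Cache-Control", absent ? "no-store" : existing + ", no-store");
        httpServletResponse.setHeader("Pragma", "no-cache");
    }
}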
