package com.ibm.ws.security.common.config;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.json.java.JSONArray;
import com.ibm.json.java.JSONObject;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.TraceConstants;
import com.ibm.ws.security.common.crypto.HashUtils;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Map;

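/**
 * Reconciles a relying party's (RP) locally configured OpenID Connect client settings with
 * the metadata an OpenID provider (OP) publishes in its discovery document.
 *
 * <p>The instance is populated through the fluent setters ({@link #initialConfig},
 * {@link #discoveredConfig}, {@link #discoveryDocumentHash}, {@link #discoveryDocumentResult})
 * and then asked to adjust individual settings or to report whether the document changed.
 *
 * <p>The discovery document is remote-supplied input. Values taken from it are only ever
 * adopted when they are an <em>exact</em> match for an entry in one of the fixed allow-lists
 * below, so the provider can choose among values this RP already supports but cannot
 * introduce new ones. A key that is absent from the document leaves the configured value
 * untouched.
 *
 * <p>The class keeps mutable state and does no synchronization of its own.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/security/common/config/DiscoveryConfigUtils.class */
public class DiscoveryConfigUtils {
    public static final TraceComponent tc = Tr.register(DiscoveryConfigUtils.class, TraceConstants.TRACE_GROUP, TraceConstants.MESSAGE_BUNDLE);
    private JSONObject discoveryjson;
    private String tokenEndpointAuthMethod;
    private String scope;
    private String signatureAlgorithm;
    private String id;
    private String discoveryURL;
    private CommonConfigUtils configUtils = new CommonConfigUtils();
    private String discoveryDocumentHash;
    private long discoveryPollingRate;
    public static final String OPDISCOVERY_AUTHZ_EP_URL = "authorization_endpoint";
    public static final String OPDISCOVERY_TOKEN_EP_URL = "token_endpoint";
    public static final String OPDISCOVERY_INTROSPECTION_EP_URL = "introspection_endpoint";
    public static final String OPDISCOVERY_JWKS_EP_URL = "jwks_uri";
    public static final String OPDISCOVERY_USERINFO_EP_URL = "userinfo_endpoint";
    public static final String OPDISCOVERY_ISSUER = "issuer";
    public static final String OPDISCOVERY_TOKEN_EP_AUTH = "token_endpoint_auth_methods_supported";
    public static final String OPDISCOVERY_SCOPES = "scopes_supported";
    public static final String OPDISCOVERY_IDTOKEN_SIGN_ALG = "id_token_signing_alg_values_supported";
    public static final String CFG_KEY_SCOPE = "scope";
    public static final String CFG_KEY_TOKEN_ENDPOINT_AUTH_METHOD = "tokenEndpointAuthMethod";
    public static final String CFG_KEY_SIGNATURE_ALGORITHM = "signatureAlgorithm";
    public static final String KEY_authorizationEndpoint = "authorizationEndpoint";
    public static final String KEY_tokenEndpoint = "tokenEndpoint";
    public static final String KEY_USERINFO_ENDPOINT = "userInfoEndpoint";
    public static final String KEY_jwksUri = "jwksUri";
    public static final String KEY_ISSUER = "issuer";
    public static final String KEY_DISCOVERY_ENDPOINT = "discoveryEndpoint";
    static final long serialVersionUID = 140011431640492629L;

    // Allow-lists of the values this RP is prepared to adopt from a discovery document.
    // They are matched token-for-token; see isOneOf().
    private static final String[] SOCIAL_RP_SUPPORTED_ALGS = {"RS256"};
    private static final String[] SOCIAL_RP_SUPPORTED_AUTH_METHODS = {"client_secret_post", "client_secret_basic"};
    private static final String[] SOCIAL_RP_SUPPORTED_SCOPES = {"openid", "profile", "email"};

    // Endpoint keys whose presence in the local configuration is reported by logDiscoveryWarning().
    private static final String[] OVERRIDDEN_ENDPOINT_KEYS = {KEY_authorizationEndpoint, KEY_tokenEndpoint, KEY_USERINFO_ENDPOINT, KEY_jwksUri};

    /**
     * Records the identity of the client configuration and where its discovery document lives.
     *
     * @param str  the client configuration id, used in log messages
     * @param str2 the discovery endpoint URL, used in log messages
     * @param j    the discovery polling rate; only stored by this class
     * @return this instance, for chaining
     */
    public DiscoveryConfigUtils initialConfig(String str, String str2, long j) {
        this.id = str;
        this.discoveryURL = str2;
        this.discoveryPollingRate = j;
        return this;
    }

    /**
     * Records the currently configured values that discovery is allowed to adjust.
     *
     * @param str  the configured signature algorithm
     * @param str2 the configured token endpoint authentication method
     * @param str3 the configured scope string (space separated)
     * @return this instance, for chaining
     */
    public DiscoveryConfigUtils discoveredConfig(String str, String str2, String str3) {
        this.signatureAlgorithm = str;
        this.tokenEndpointAuthMethod = str2;
        this.scope = str3;
        return this;
    }

    /**
     * Seeds the digest of the previously processed discovery document.
     *
     * @param str the stored digest, or {@code null} when no document has been processed yet
     * @return this instance, for chaining
     */
    public DiscoveryConfigUtils discoveryDocumentHash(String str) {
        this.discoveryDocumentHash = str;
        return this;
    }

    /**
     * Supplies the parsed discovery document the {@code adjust*} methods read from.
     *
     * @param jSONObject the parsed discovery document
     * @return this instance, for chaining
     */
    public DiscoveryConfigUtils discoveryDocumentResult(JSONObject jSONObject) {
        this.discoveryjson = jSONObject;
        return this;
    }

    /**
     * Replaces the token endpoint authentication method with one the provider advertises, but
     * only when the configured value is the default ({@code client_secret_post}) and the
     * provider does not advertise that default.
     *
     * <p>The replacement is the first advertised value that exactly equals a supported method.
     * When the document is missing, lacks the key, or advertises nothing supported, the
     * configured value is kept.
     *
     * @return the (possibly adjusted) token endpoint authentication method
     */
    public String adjustTokenEndpointAuthMethod() {
        ArrayList<String> advertised = advertisedValues(OPDISCOVERY_TOKEN_EP_AUTH);
        if (isSocialRPUsingDefault("authMethod") && !opHasSocialRPDefault("authMethod", advertised)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "See if we need to adjusted the token endpoint authmethod. The original is : " + this.tokenEndpointAuthMethod, new Object[0]);
            }
            String replacement = socialRPSupportsOPConfig("authMethod", advertised);
            if (replacement != null) {
                Tr.info(tc, "OIDC_CLIENT_DISCOVERY_OVERRIDE_DEFAULT", new Object[]{this.tokenEndpointAuthMethod, CFG_KEY_TOKEN_ENDPOINT_AUTH_METHOD, replacement, getId()});
                this.tokenEndpointAuthMethod = replacement;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The adjusted value is : " + this.tokenEndpointAuthMethod, new Object[0]);
                }
            }
        }
        return this.tokenEndpointAuthMethod;
    }

    private String getId() {
        return this.id;
    }

    /**
     * Replaces the scope string with the supported scopes the provider advertises, but only
     * when the configured value is the default set ({@code openid profile email}, any order)
     * and the provider does not advertise all three.
     *
     * <p>When the document is missing, lacks the key, or advertises no supported scope, the
     * configured value is kept.
     *
     * @return the (possibly adjusted) space-separated scope string
     */
    public String adjustScopes() {
        ArrayList<String> advertised = advertisedValues(OPDISCOVERY_SCOPES);
        if (isSocialRPUsingDefault("scope") && !opHasSocialRPDefault("scope", advertised)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "See if we need to adjusted the scopes. The original is : " + this.scope, new Object[0]);
            }
            String replacement = socialRPSupportsOPConfig("scope", advertised);
            if (replacement != null) {
                Tr.info(tc, "OIDC_CLIENT_DISCOVERY_OVERRIDE_DEFAULT", new Object[]{this.scope, CFG_KEY_SCOPE, replacement, getId()});
                this.scope = replacement;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The adjusted value is : " + this.scope, new Object[0]);
                }
            }
        }
        return this.scope;
    }

    /**
     * Looks up a key in the discovery document and normalizes it to a list of strings.
     *
     * @return the advertised values, or {@code null} when no document has been supplied, the
     *         key is absent, or the value is neither a string nor a JSON array
     */
    private ArrayList<String> advertisedValues(String discoveryKey) {
        if (this.discoveryjson == null) {
            // No document supplied yet: behave as if the provider advertised nothing.
            return null;
        }
        return discoverOPConfig(this.discoveryjson.get(discoveryKey));
    }

    /** Reports whether the configured value for {@code key} is still the social-login default. */
    private boolean isSocialRPUsingDefault(String key) {
        if ("authMethod".equals(key)) {
            return matches("client_secret_post", this.tokenEndpointAuthMethod);
        }
        if ("alg".equals(key)) {
            return matches("RS256", this.signatureAlgorithm);
        }
        if ("scope".equals(key)) {
            return matchesMultipleValues("openid profile email", this.scope);
        }
        return false;
    }

    /**
     * Picks, from the provider-advertised values, what this RP is willing to adopt.
     *
     * <p>Advertised values come from the remote discovery document, so each one must equal an
     * allow-listed value exactly. A substring test here would accept an empty string or a
     * fragment such as {@code "secret"} and write it into the client configuration.
     *
     * @return for {@code alg} and {@code authMethod} the first supported advertised value; for
     *         {@code scope} the supported advertised scopes joined by single spaces, in
     *         advertised order; {@code null} when nothing qualifies
     */
    private String socialRPSupportsOPConfig(String key, ArrayList<String> advertised) {
        if (advertised == null) {
            return null;
        }
        if ("alg".equals(key)) {
            return firstSupported(advertised, SOCIAL_RP_SUPPORTED_ALGS);
        }
        if ("authMethod".equals(key)) {
            return firstSupported(advertised, SOCIAL_RP_SUPPORTED_AUTH_METHODS);
        }
        if (!"scope".equals(key)) {
            return null;
        }
        String joined = null;
        for (String candidate : advertised) {
            if (isOneOf(candidate, SOCIAL_RP_SUPPORTED_SCOPES)) {
                joined = joined == null ? candidate : joined + " " + candidate;
            }
        }
        return joined;
    }

    /** Returns the first element of {@code advertised} that is allow-listed, else {@code null}. */
    private static String firstSupported(ArrayList<String> advertised, String[] allowed) {
        for (String candidate : advertised) {
            if (isOneOf(candidate, allowed)) {
                return candidate;
            }
        }
        return null;
    }

    /** Exact, case-sensitive membership test; {@code null} is never a member. */
    private static boolean isOneOf(String value, String[] allowed) {
        for (String permitted : allowed) {
            if (permitted.equals(value)) {
                return true;
            }
        }
        return false;
    }

    /** Maps the discovery spelling of an auth method to the short form; other values pass through. */
    private String matchingRPValue(String value) {
        if ("client_secret_post".equals(value)) {
            return "post";
        }
        if ("client_secret_basic".equals(value)) {
            return "basic";
        }
        return value;
    }

    private ArrayList<String> discoverOPConfig(Object obj) {
        return jsonValue(obj);
    }

    /**
     * Normalizes a discovery value to a list of strings.
     *
     * @return a one-element list for a string, the string members for a JSON array, and
     *         {@code null} for {@code null} or any other type
     */
    private ArrayList<String> jsonValue(Object obj) {
        if (obj instanceof String) {
            ArrayList<String> single = new ArrayList<>();
            single.add((String) obj);
            return single;
        }
        if (obj instanceof JSONArray) {
            return parseJsonArray((JSONArray) obj);
        }
        return null;
    }

    /** Collects the string members of a JSON array in order; non-string members are skipped. */
    private ArrayList<String> parseJsonArray(JSONArray jSONArray) {
        ArrayList<String> strings = new ArrayList<>();
        if (jSONArray != null) {
            Iterator<?> members = jSONArray.iterator();
            while (members.hasNext()) {
                Object member = members.next();
                if (member instanceof String) {
                    strings.add((String) member);
                }
            }
        }
        return strings;
    }

    /** Reports whether the provider advertises the (non-social) RP default for {@code key}. */
    private boolean opHasRPDefault(String key, ArrayList<String> advertised) {
        if ("authMethod".equals(key)) {
            return matches("client_secret_post", advertised);
        }
        if ("alg".equals(key)) {
            return matches("HS256", advertised);
        }
        return "scope".equals(key) && matches("openid", advertised) && matches("profile", advertised);
    }

    /** Reports whether the provider advertises the social-login default for {@code key}. */
    private boolean opHasSocialRPDefault(String key, ArrayList<String> advertised) {
        if ("authMethod".equals(key)) {
            return matches("client_secret_post", advertised);
        }
        if ("alg".equals(key)) {
            return matches("RS256", advertised);
        }
        return "scope".equals(key) && matches("openid", advertised) && matches("profile", advertised) && matches("email", advertised);
    }

    /**
     * Exact membership test. A {@code null} list (key absent from the discovery document)
     * contains nothing, rather than raising a {@link NullPointerException}.
     */
    private boolean matches(String expected, ArrayList<String> values) {
        return values != null && values.contains(expected);
    }

    /** Null-safe equality: an unset configured value simply does not match. */
    private boolean matches(String expected, String configured) {
        return expected != null && expected.equals(configured);
    }

    /**
     * Reports whether {@code configured} consists of exactly three space-separated tokens, each
     * of which is one of the tokens in {@code expected}. Tokens are compared whole, so a
     * configured value such as {@code "open prof mail"} is not mistaken for the default.
     */
    private boolean matchesMultipleValues(String expected, String configured) {
        if (configured == null) {
            return false;
        }
        String[] configuredTokens = configured.split(" ");
        if (configuredTokens.length != 3) {
            return false;
        }
        String[] expectedTokens = expected.split(" ");
        for (String token : configuredTokens) {
            if (!isOneOf(token, expectedTokens)) {
                return false;
            }
        }
        return true;
    }

    /** Reports whether the configured value for {@code key} is still the (non-social) RP default. */
    private boolean isRPUsingDefault(String key) {
        if ("authMethod".equals(key)) {
            return matches("post", this.tokenEndpointAuthMethod);
        }
        if ("alg".equals(key)) {
            return matches("HS256", this.signatureAlgorithm);
        }
        if ("scope".equals(key)) {
            return matches("openid profile", this.scope);
        }
        return false;
    }

    /**
     * Extracts a single string from a discovery value.
     *
     * @param obj a value read from the discovery document
     * @return the string itself, the first string member of a JSON array, or {@code null} when
     *         the value is {@code null}, of another type, or an array without string members
     */
    public String discoverOPConfigSingleValue(Object obj) {
        ArrayList<String> values = jsonValue(obj);
        if (values == null || values.isEmpty()) {
            return null;
        }
        return values.get(0);
    }

    /**
     * Warns about locally configured endpoints and issuer that are also present alongside
     * discovery. One warning lists every configured endpoint key; a second is issued for the
     * issuer.
     *
     * @param map the client configuration properties; the inspected entries are cast to
     *            {@code String}
     */
    public void logDiscoveryWarning(Map<String, Object> map) {
        String configuredEndpoints = "";
        for (String endpointKey : OVERRIDDEN_ENDPOINT_KEYS) {
            if (CommonConfigUtils.trim((String) map.get(endpointKey)) != null) {
                configuredEndpoints = buildDiscoveryWarning(configuredEndpoints, endpointKey);
            }
        }
        if (!configuredEndpoints.isEmpty()) {
            logWarning("OIDC_CLIENT_DISCOVERY_OVERRIDE_EP", configuredEndpoints);
        }
        if (CommonConfigUtils.trim((String) map.get(KEY_ISSUER)) != null) {
            logWarning("OIDC_CLIENT_DISCOVERY_OVERRIDE_ISSUER", KEY_ISSUER);
        }
    }

    private void logWarning(String messageKey, String detail) {
        Tr.warning(tc, messageKey, new Object[]{this.discoveryURL, detail, getId()});
    }

    /** Appends {@code key} and a {@code ", "} separator to the list built so far. */
    private String buildDiscoveryWarning(String soFar, String key) {
        return soFar.concat(key).concat(", ");
    }

    /**
     * Logs an informational discovery message.
     *
     * @param str  the message key to resolve when {@code str2} is {@code null}
     * @param str2 a message to log as given, or {@code null} to resolve {@code str}
     * @param str3 the fallback text handed to the message lookup
     */
    public void logDiscoveryMessage(String str, String str2, String str3) {
        if (str2 != null) {
            Tr.info(tc, str2, new Object[0]);
        } else {
            Tr.info(tc, getNlsMessage(str, str3), new Object[0]);
        }
    }

    private String getNlsMessage(String messageKey, String fallback) {
        return TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, messageKey, new Object[]{getId(), this.discoveryURL}, fallback);
    }

    /**
     * Compares the digest of a freshly fetched discovery document with the stored one and
     * stores the new digest when they differ.
     *
     * <p>NOTE(review): the digest only shows that the document text changed between polls. It
     * says nothing about who served the document; that assurance has to come from how the
     * discovery URL is fetched, which is not visible in this class.
     *
     * @param jSONObject the freshly fetched discovery document; must not be {@code null}
     * @return {@code true} when there was no stored digest or the digest changed, {@code false}
     *         when the document is unchanged
     * @throws NullPointerException if {@code jSONObject} is {@code null}
     */
    public boolean calculateDiscoveryDocumentHash(JSONObject jSONObject) {
        String digest = HashUtils.digest(jSONObject.toString());
        boolean hadPrevious = this.discoveryDocumentHash != null;
        if (hadPrevious && this.discoveryDocumentHash.equals(digest)) {
            logDiscoveryMessage("OIDC_CLIENT_DISCOVERY_NOT_UPDATED_CONFIG", null, "CWWKS6112I: The client [{" + getId() + "}] configuration is consistent with the information from the discovery endpoint URL [{" + this.discoveryURL + "}], so no configuration updates are needed.");
            return false;
        }
        if (hadPrevious) {
            // The first document ever seen is not an "update", so only a changed digest is logged.
            // NOTE(review): the fallback text wraps the id and URL in literal braces; confirm
            // TraceNLS does not treat the fallback as a format pattern.
            logDiscoveryMessage("OIDC_CLIENT_DISCOVERY_UPDATED_CONFIG", null, "CWWKS6111I: The client [{" + getId() + "}] configuration has been updated with the new information received from the discovery endpoint URL [{" + this.discoveryURL + "}].");
        }
        this.discoveryDocumentHash = digest;
        return true;
    }

    /** @return the digest of the last discovery document processed, or {@code null} if none */
    public String getDiscoveryDocumentHash() {
        return this.discoveryDocumentHash;
    }
}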
