package com.ibm.ws.security.jwt.internal;

import com.ibm.websphere.kernel.server.ServerInfoMBean;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.jwk.impl.JWKProvider;
import com.ibm.ws.security.jwt.config.JwtConfig;
import com.ibm.ws.security.jwt.utils.Constants;
import com.ibm.ws.security.jwt.utils.JwtUtils;
import com.ibm.ws.security.jwt.web.JwtEndpointServices;
import com.ibm.ws.webcontainer.security.jwk.JSONWebKey;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.AccessController;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.util.List;
import java.util.Map;
import javax.management.DynamicMBean;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;

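/**
 * OSGi Declarative Services component that exposes one JWT builder configuration
 * (configuration PID {@code com.ibm.ws.security.jwt.builder}) through {@link JwtConfig}.
 *
 * <p>The component reads its settings from the configuration map on activation and on
 * every modification, optionally owns a {@link JWKProvider} for RS256 signing, and can
 * derive a base URL for the server from the HTTP/HTTPS endpoint MBeans.
 *
 * <p>Security-relevant state held here: the shared signing secret ({@link #getSharedKey()},
 * marked {@code @Sensitive} so it stays out of trace), and the key pair / JWK provider that
 * back {@link #getJwkJsonString()}. All of that cached key material is dropped whenever the
 * configuration is re-processed, so a changed key alias, keystore or signature algorithm
 * is not masked by keys loaded under the previous configuration.
 *
 * <p>NOTE(review): fields are written by DS callback threads and read by request threads
 * without synchronization or {@code volatile}; confirm the visibility guarantees the
 * callers rely on.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(service = {JwtConfig.class}, immediate = true, configurationPolicy = ConfigurationPolicy.REQUIRE, configurationPid = {"com.ibm.ws.security.jwt.builder"}, name = JwtEndpointServices.KEY_JWT_CONFIG, property = {"service.vendor=IBM"})
@TraceOptions
public class JwtComponent implements JwtConfig {
    private static final TraceComponent tc = Tr.register(JwtComponent.class, "JWTBUILDER", "com.ibm.ws.security.jwt.internal.resources.JWTMessages");

    /** Class name passed to FFDC as the source id of every recorded exception. */
    private static final String FFDC_SOURCE_ID = "com.ibm.ws.security.jwt.internal.JwtComponent";

    // Token lifetime as returned by getValidTime(); see process() for how it is derived.
    private long valid;
    private long expiresInSeconds;
    private boolean isJwkEnabled;
    private boolean jti;
    private List<String> audiences;
    private String sigAlg;
    private List<String> claims;
    private String scope;
    // Shared signing secret; only ever handed out through the @Sensitive getter.
    private String sharedKey;
    private String keyStoreRef;
    private String trustStoreRef;
    private String keyAlias;
    private String trustedAlias;
    private long jwkRotationTime;
    private int jwkSigningKeySize;
    private DynamicMBean httpsendpointInfoMBean;
    private DynamicMBean httpendpointInfoMBean;
    private ServerInfoMBean serverInfoMBean;
    // Kept as found; this class does not declare Serializable in the visible source.
    static final long serialVersionUID = 808297298611896000L;
    private String issuer = null;
    private String issuerUrl = null;
    // Key pair lazily loaded from the keystore by getJwkJsonString(); reset on reconfiguration.
    private PublicKey publicKey = null;
    private PrivateKey privateKey = null;
    // Source of the published JWK set; reset on reconfiguration.
    private JWKProvider jwkProvider = null;

    /**
     * Binds the MBean of the default (non-SSL) HTTP endpoint.
     *
     * @param dynamicMBean endpoint MBean supplied by the service registry
     */
    @Reference(target = "(jmx.objectname=WebSphere:feature=channelfw,type=endpoint,name=defaultHttpEndpoint)", cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    protected void setEndPointInfoMBean(DynamicMBean dynamicMBean) {
        this.httpendpointInfoMBean = dynamicMBean;
    }

    /**
     * Unbinds the HTTP endpoint MBean, but only if it is the instance currently held.
     *
     * @param dynamicMBean endpoint MBean being withdrawn
     */
    protected void unsetEndPointInfoMBean(DynamicMBean dynamicMBean) {
        if (this.httpendpointInfoMBean == dynamicMBean) {
            this.httpendpointInfoMBean = null;
        }
    }

    /**
     * Binds the MBean of the default SSL HTTP endpoint.
     *
     * @param dynamicMBean endpoint MBean supplied by the service registry
     */
    @Reference(target = "(jmx.objectname=WebSphere:feature=channelfw,type=endpoint,name=defaultHttpEndpoint-ssl)", cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    protected void setHttpsEndPointInfoMBean(DynamicMBean dynamicMBean) {
        this.httpsendpointInfoMBean = dynamicMBean;
    }

    /**
     * Unbinds the HTTPS endpoint MBean, but only if it is the instance currently held.
     *
     * @param dynamicMBean endpoint MBean being withdrawn
     */
    protected void unsetHttpsEndPointInfoMBean(DynamicMBean dynamicMBean) {
        if (this.httpsendpointInfoMBean == dynamicMBean) {
            this.httpsendpointInfoMBean = null;
        }
    }

    /**
     * Binds the server-info MBean used to look up the default host name.
     *
     * @param serverInfoMBean MBean supplied by the service registry
     */
    @Reference(target = "(jmx.objectname=WebSphere:feature=kernel,name=ServerInfo)", policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.MULTIPLE, policyOption = ReferencePolicyOption.GREEDY)
    protected void setServerInfoMBean(ServerInfoMBean serverInfoMBean) {
        this.serverInfoMBean = serverInfoMBean;
    }

    /**
     * Unbinds the server-info MBean, but only if it is the instance currently held.
     *
     * @param serverInfoMBean MBean being withdrawn
     */
    protected void unsetServerInfoMBean(ServerInfoMBean serverInfoMBean) {
        if (this.serverInfoMBean == serverInfoMBean) {
            this.serverInfoMBean = null;
        }
    }

    /**
     * Reads the initial configuration when the component is activated.
     *
     * @param map              configuration properties
     * @param componentContext DS component context (unused)
     */
    @Activate
    protected void activate(Map<String, Object> map, ComponentContext componentContext) {
        process(map);
    }

    /**
     * Re-reads the configuration after it has been modified.
     *
     * @param map updated configuration properties
     */
    @Modified
    protected void modify(Map<String, Object> map) {
        process(map);
    }

    /**
     * Deactivation hook; there is nothing to release.
     *
     * @param i                deactivation reason code (unused)
     * @param componentContext DS component context (unused)
     */
    @Deactivate
    protected void deactivate(int i, ComponentContext componentContext) {
    }

    /**
     * Copies the configuration properties into this component's fields.
     *
     * <p>A {@code null} or empty map is ignored and leaves the current state untouched.
     * Otherwise any cached key pair and JWK provider are discarded first, so that keys
     * loaded for a previous key alias, keystore or signature algorithm cannot keep being
     * served after the configuration changed.
     *
     * @param map configuration properties; the boolean and numeric entries read below are
     *            unboxed directly and must therefore be present
     */
    private void process(Map<String, Object> map) {
        if (map == null || map.isEmpty()) {
            return;
        }
        // Drop key material derived from the previous configuration before reading the
        // new one; getJwkJsonString() only reloads keys while jwkProvider is null.
        this.jwkProvider = null;
        this.publicKey = null;
        this.privateKey = null;

        this.issuer = JwtUtils.trimIt((String) map.get("id"));
        this.issuerUrl = JwtUtils.trimIt((String) map.get(JwtUtils.CFG_KEY_ISSUER));
        this.isJwkEnabled = ((Boolean) map.get(JwtUtils.CFG_KEY_JWK_ENABLED)).booleanValue();
        this.jti = ((Boolean) map.get("jti")).booleanValue();
        this.valid = ((Long) map.get(JwtUtils.CFG_KEY_VALID)).longValue();
        this.expiresInSeconds = ((Long) map.get(JwtUtils.CFG_KEY_EXPIRES_IN_SECONDS)).longValue();
        this.sigAlg = JwtUtils.trimIt((String) map.get(JwtUtils.CFG_KEY_SIGNATURE_ALGORITHM));
        this.audiences = JwtUtils.trimIt((String[]) map.get(JwtUtils.CFG_KEY_AUDIENCES));
        this.scope = JwtUtils.trimIt((String) map.get("scope"));
        this.claims = JwtUtils.trimIt((String[]) map.get(JwtUtils.CFG_KEY_CLAIMS));
        // The shared key goes through the protected-string helper rather than a plain cast.
        this.sharedKey = JwtConfigUtil.processProtectedString(map, JwtUtils.CFG_KEY_SHARED_KEY);
        this.keyStoreRef = JwtUtils.trimIt((String) map.get(JwtUtils.CFG_KEY_KEYSTORE_REF));
        this.keyAlias = JwtUtils.trimIt((String) map.get(JwtUtils.CFG_KEY_KEY_ALIAS_NAME));
        this.trustStoreRef = JwtUtils.trimIt((String) map.get(JwtUtils.CFG_KEY_TRUSTSTORE_REF));
        this.trustedAlias = JwtUtils.trimIt((String) map.get(JwtUtils.CFG_KEY_TRUSTED_ALIAS));
        // Configured value is scaled by 60 * 1000 (presumably minutes to milliseconds; confirm).
        this.jwkRotationTime = ((Long) map.get(JwtUtils.CFG_KEY_JWK_ROTATION_TIME)).longValue() * 60 * 1000;
        this.jwkSigningKeySize = ((Long) map.get(JwtUtils.CFG_KEY_JWK_SIGNING_KEY_SIZE)).intValue();
        if (Constants.SIGNATURE_ALG_RS256.equals(this.sigAlg)) {
            initializeJwkProvider(this);
        }
        // An explicit expiresInSeconds (> -1) wins; otherwise the configured validity is
        // scaled by 3600 (presumably hours to seconds; confirm).
        if (this.expiresInSeconds > -1) {
            this.valid = this.expiresInSeconds;
        } else {
            this.valid *= 3600;
        }
    }

    /**
     * Creates a fresh {@link JWKProvider} from the given configuration when JWK is enabled.
     *
     * @param jwtConfig configuration to read key size, algorithm and rotation time from;
     *                  {@code null} only produces a debug trace
     */
    private void initializeJwkProvider(JwtConfig jwtConfig) {
        if (jwtConfig == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No config object found", new Object[0]);
            }
            return;
        }
        if (jwtConfig.isJwkEnabled()) {
            this.jwkProvider = new JWKProvider(jwtConfig.getJwkSigningKeySize(), jwtConfig.getSignatureAlgorithm(), jwtConfig.getJwkRotationTime());
        }
    }

    /**
     * @return the private key loaded by {@link #getJwkJsonString()}, or {@code null} if
     *         none has been loaded since the last (re)configuration
     */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public PrivateKey getPrivateKey() {
        return this.privateKey;
    }

    /**
     * @return the public key loaded by {@link #getJwkJsonString()}, or {@code null} if
     *         none has been loaded since the last (re)configuration
     */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public PublicKey getPublicKey() {
        return this.publicKey;
    }

    /** @return the trimmed {@code id} configuration value */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public String getId() {
        return this.issuer;
    }

    /** @return the configured issuer URL */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public String getIssuerUrl() {
        return this.issuerUrl;
    }

    /** @return the token validity as computed by the last configuration pass */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public long getValidTime() {
        return this.valid;
    }

    /** @return the configured audiences */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public List<String> getAudiences() {
        return this.audiences;
    }

    /** @return the configured signature algorithm name */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public String getSignatureAlgorithm() {
        return this.sigAlg;
    }

    /** @return the configured claims */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public List<String> getClaims() {
        return this.claims;
    }

    /** @return the configured scope */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public String getScope() {
        return this.scope;
    }

    /** @return the configured {@code jti} flag */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public boolean getJti() {
        return this.jti;
    }

    /** @return the configured truststore reference */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public String getTrustStoreRef() {
        return this.trustStoreRef;
    }

    /** @return the configured keystore reference */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public String getKeyStoreRef() {
        return this.keyStoreRef;
    }

    /** @return the configured key alias */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public String getKeyAlias() {
        return this.keyAlias;
    }

    /** @return the configured trusted alias */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public String getTrustedAlias() {
        return this.trustedAlias;
    }

    /**
     * Returns the shared signing secret. The {@code @Sensitive} annotation keeps the value
     * out of injected trace; callers must not log or otherwise expose it either.
     *
     * @return the shared key as produced by the protected-string helper
     */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    @Sensitive
    public String getSharedKey() {
        return this.sharedKey;
    }

    /**
     * Returns the JWK set as a JSON string.
     *
     * <p>When JWK generation is disabled and no provider exists yet, the key pair is
     * loaded from the configured keystore/alias and wrapped in a new {@link JWKProvider}.
     * Failures while loading are recorded through FFDC and leave the provider unset.
     *
     * @return the provider's JWK set string, or {@code null} when no provider is available
     */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public String getJwkJsonString() {
        if (!isJwkEnabled() && this.jwkProvider == null) {
            try {
                this.privateKey = JwtUtils.getPrivateKey(this.keyAlias, this.keyStoreRef);
                this.publicKey = JwtUtils.getPublicKey(this.keyAlias, this.keyStoreRef);
            } catch (KeyStoreException e) {
                FFDCFilter.processException(e, FFDC_SOURCE_ID, "286", this, new Object[0]);
            } catch (CertificateException e2) {
                FFDCFilter.processException(e2, FFDC_SOURCE_ID, "288", this, new Object[0]);
            } catch (Exception e3) {
                // Boundary catch: a key-loading failure is recorded and results in no JWK
                // set being published rather than an exception reaching the caller.
                FFDCFilter.processException(e3, FFDC_SOURCE_ID, "290", this, new Object[0]);
            }
            // Only build the provider from a complete key pair.
            if (this.publicKey != null && this.privateKey != null) {
                this.jwkProvider = new JWKProvider(getJwkSigningKeySize(), getSignatureAlgorithm(), getJwkRotationTime(), this.publicKey, this.privateKey);
            }
        }
        JWKProvider provider = this.jwkProvider;
        return provider != null ? provider.getJwkSetString() : null;
    }

    /**
     * @return the current JWK from the provider, or {@code null} when no provider exists
     */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public JSONWebKey getJSONWebKey() {
        JWKProvider provider = this.jwkProvider;
        return provider != null ? provider.getJWK() : null;
    }

    /** @return the JWK rotation time after scaling in the configuration pass */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public long getJwkRotationTime() {
        return this.jwkRotationTime;
    }

    /** @return the configured JWK signing key size */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public int getJwkSigningKeySize() {
        return this.jwkSigningKeySize;
    }

    /** @return whether JWK generation is enabled in the configuration */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public boolean isJwkEnabled() {
        return this.isJwkEnabled;
    }

    /**
     * Builds {@code scheme://host:port} for this server, preferring the SSL endpoint.
     *
     * <p>If the HTTPS endpoint is unbound, or reading its attributes fails, the plain HTTP
     * endpoint is used instead. NOTE(review): in that case the result is an {@code http://}
     * address; confirm that callers which publish it (for example as an issuer or key URL)
     * accept a non-TLS value.
     *
     * @return the resolved base URL, or {@code null} when no endpoint could be read
     */
    @Override // com.ibm.ws.security.jwt.config.JwtConfig
    public String getResolvedHostAndPortUrl() {
        // Snapshot each field once so a concurrent unbind cannot null it between reads.
        DynamicMBean sslEndpoint = this.httpsendpointInfoMBean;
        if (sslEndpoint != null) {
            String sslUrl = buildEndpointUrl("https", sslEndpoint, "329");
            if (sslUrl != null) {
                return sslUrl;
            }
        }
        DynamicMBean plainEndpoint = this.httpendpointInfoMBean;
        if (plainEndpoint == null) {
            return null;
        }
        return buildEndpointUrl("http", plainEndpoint, "338");
    }

    /**
     * Reads the {@code Host} and {@code Port} attributes of an endpoint MBean and formats
     * them as a URL; any failure is recorded through FFDC under the given probe id.
     *
     * @param scheme      URL scheme without the {@code ://} separator
     * @param endpoint    endpoint MBean to query
     * @param ffdcProbeId FFDC probe id to record a failure under
     * @return the formatted URL, or {@code null} if an attribute could not be read
     */
    private String buildEndpointUrl(String scheme, DynamicMBean endpoint, String ffdcProbeId) {
        try {
            String host = resolveHost((String) endpoint.getAttribute("Host"));
            int port = ((Integer) endpoint.getAttribute("Port")).intValue();
            return scheme + "://" + host + ":" + port;
        } catch (Exception e) {
            FFDCFilter.processException(e, FFDC_SOURCE_ID, ffdcProbeId, this, new Object[0]);
            return null;
        }
    }

    /**
     * Turns an endpoint host attribute into a concrete host name.
     *
     * <p>The wildcard {@code "*"} is replaced by the server's default host name; if that is
     * missing or {@code "localhost"}, or no server-info MBean is bound, the local host's IP
     * address is used. A {@code null} or blank result becomes {@code "localhost"}.
     *
     * @param str host attribute value, possibly {@code "*"} or {@code null}
     * @return a non-blank host name or address
     */
    protected String resolveHost(String str) {
        String host = str;
        if ("*".equals(host)) {
            ServerInfoMBean serverInfo = this.serverInfoMBean;
            host = serverInfo != null ? serverInfo.getDefaultHostname() : null;
            if (host == null || "localhost".equals(host)) {
                host = getLocalHostIpAddress();
            }
        }
        return (host == null || host.trim().isEmpty()) ? "localhost" : host;
    }

    /**
     * Looks up the local host's IP address inside a privileged action.
     *
     * @return the textual IP address, or {@code null} if the lookup failed (the failure is
     *         recorded through FFDC)
     */
    protected String getLocalHostIpAddress() {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<String>() {
                @Override // java.security.PrivilegedExceptionAction
                public String run() throws UnknownHostException {
                    return InetAddress.getLocalHost().getHostAddress();
                }
            });
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e, FFDC_SOURCE_ID, "385", this, new Object[0]);
            return null;
        }
    }
}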
