package com.ibm.ws.security.jwtsso.token;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.principals.WSPrincipal;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.security.common.crypto.HashUtils;
import com.ibm.ws.security.jwtsso.config.JwtSsoBuilderConfig;
import com.ibm.ws.security.jwtsso.config.JwtSsoConfig;
import com.ibm.ws.security.jwtsso.token.proxy.JwtSSOTokenProxy;
import com.ibm.ws.security.jwtsso.utils.JwtSsoTokenUtils;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import org.eclipse.microprofile.jwt.JsonWebToken;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;

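/**
 * OSGi service implementation of {@link JwtSSOTokenProxy}: creates the JWT SSO
 * token for an authenticated {@link Subject}, extracts it again, validates an
 * incoming token and exposes the cookie-related builder settings.
 * <p>
 * Nothing from the configuration is cached in this class. Every call resolves
 * the builder config, consumer config and MicroProfile JWT TAI through the
 * static {@link AtomicServiceReference}s, which is why {@link #modified(Map)}
 * has nothing to refresh.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(service = {JwtSSOTokenProxy.class}, name = JwtSSOTokenCredentialProvider.JSON_WEB_TOKEN_SSO_PROXY, immediate = true, property = {"service.vendor=IBM"})
@TraceOptions
/* loaded from: input_file:com/ibm/ws/security/jwtsso/token/JwtSSOTokenImpl.class */
public class JwtSSOTokenImpl implements JwtSSOTokenProxy {
    /** Name of the {@link WSPrincipal} that marks a subject as not authenticated. */
    public static final String UNAUTHENTICATED = "UNAUTHENTICATED";
    // Not referenced within this class.
    private final SubjectHelper subjectHelper = new SubjectHelper();
    static final long serialVersionUID = -2805714517291641964L;
    private static final TraceComponent tc = Tr.register(JwtSSOTokenImpl.class, TraceConstants.TRACE_GROUP, TraceConstants.MESSAGE_BUNDLE);
    /** DS reference name of the consumer-side (validation) configuration. */
    public static final String JSON_WEB_TOKEN_SSO_CONFIG = "jwtSsoConfig";
    protected static final AtomicServiceReference<JwtSsoConfig> jwtSSOConfigRef = new AtomicServiceReference<>(JSON_WEB_TOKEN_SSO_CONFIG);
    /** DS reference name of the builder-side (token creation / cookie) configuration. */
    public static final String JSON_WEB_TOKEN_SSO_BUILDER_CONFIG = "jwtSsoBuilderConfig";
    protected static final AtomicServiceReference<JwtSsoBuilderConfig> jwtSSOBuilderConfigRef = new AtomicServiceReference<>(JSON_WEB_TOKEN_SSO_BUILDER_CONFIG);
    /** DS reference name of the MicroProfile JWT trust association interceptor. */
    public static final String MP_JSON_WEB_TOKEN_TAI = "microProfileJwtTAI";
    protected static final AtomicServiceReference<TrustAssociationInterceptor> mpJwtTaiServiceRef = new AtomicServiceReference<>(MP_JSON_WEB_TOKEN_TAI);
    // Not referenced within this class.
    private static final String[] hashtableProperties = {"com.ibm.wsspi.security.cred.cacheKey"};

    /** DS bind method for the MicroProfile JWT TAI (dynamic, greedy). */
    @Reference(service = TrustAssociationInterceptor.class, name = MP_JSON_WEB_TOKEN_TAI, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    protected void setTrustAssociationInterceptor(ServiceReference<TrustAssociationInterceptor> serviceReference) {
        mpJwtTaiServiceRef.setReference(serviceReference);
    }

    /** DS unbind method for the MicroProfile JWT TAI. */
    protected void unsetTrustAssociationInterceptor(ServiceReference<TrustAssociationInterceptor> serviceReference) {
        mpJwtTaiServiceRef.unsetReference(serviceReference);
    }

    /** DS bind method for the optional builder configuration. */
    @Reference(service = JwtSsoBuilderConfig.class, name = JSON_WEB_TOKEN_SSO_BUILDER_CONFIG, cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    protected void setJwtSsoBuilderConfig(ServiceReference<JwtSsoBuilderConfig> serviceReference) {
        jwtSSOBuilderConfigRef.setReference(serviceReference);
    }

    /** DS unbind method for the builder configuration. */
    protected void unsetJwtSsoBuilderConfig(ServiceReference<JwtSsoBuilderConfig> serviceReference) {
        jwtSSOBuilderConfigRef.unsetReference(serviceReference);
    }

    /** DS bind method for the optional consumer configuration. */
    @Reference(service = JwtSsoConfig.class, name = JSON_WEB_TOKEN_SSO_CONFIG, cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    protected void setJwtSsoConfig(ServiceReference<JwtSsoConfig> serviceReference) {
        jwtSSOConfigRef.setReference(serviceReference);
    }

    /** DS unbind method for the consumer configuration. */
    protected void unsetJwtSsoConfig(ServiceReference<JwtSsoConfig> serviceReference) {
        jwtSSOConfigRef.unsetReference(serviceReference);
    }

    /**
     * Activates the three service references so that {@code getService()} on
     * them starts returning bound services.
     *
     * @param componentContext the DS component context
     */
    @Activate
    protected void activate(ComponentContext componentContext) {
        jwtSSOConfigRef.activate(componentContext);
        jwtSSOBuilderConfigRef.activate(componentContext);
        mpJwtTaiServiceRef.activate(componentContext);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Jwt SSO config consumer service is activated");
            Tr.debug(tc, "Jwt SSO config builder service is activated");
            Tr.debug(tc, "MicroProfile Jwt TAI service is activated");
            Tr.debug(tc, "Jwt SSO token (impl) service is being activated!!");
        }
    }

    /**
     * Intentionally empty: no configuration value is stored in this class, so a
     * configuration update needs no action here.
     *
     * @param map the updated component properties (unused)
     */
    @Modified
    protected void modified(Map<String, Object> map) {
    }

    /**
     * Deactivates the three service references.
     *
     * @param componentContext the DS component context
     */
    @Deactivate
    protected void deactivate(ComponentContext componentContext) {
        jwtSSOConfigRef.deactivate(componentContext);
        jwtSSOBuilderConfigRef.deactivate(componentContext);
        mpJwtTaiServiceRef.deactivate(componentContext);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Jwt SSO config consumer service is deactivated");
            Tr.debug(tc, "Jwt SSO config builder service is deactivated");
            Tr.debug(tc, "MicroProfile Jwt TAI service is deactivated");
            Tr.debug(tc, "Jwt SSO token (impl) service is being deactivated!!");
        }
    }

    /**
     * Builds a JWT SSO token from the subject and adds it to the subject as a
     * {@link JsonWebToken} principal.
     * <p>
     * Nothing is done when the subject is {@code null}, is unauthenticated
     * (see {@link #isSubjectUnauthenticated(Subject)}) or already carries a
     * {@link JsonWebToken} principal.
     *
     * @param subject the authenticated subject to enrich
     * @throws WSLoginFailedException when no builder is configured
     *         ({@code JWTSSO_CONFIG_INVALID}) or token creation fails; in the
     *         latter case the triggering exception is attached as the cause
     */
    public void createJwtSSOToken(Subject subject) throws WSLoginFailedException {
        if (subject == null || isSubjectUnauthenticated(subject) || subjectHasJwtPrincipal(subject)) {
            return;
        }
        JwtSsoTokenUtils builderUtils = getJwtSsoTokenBuilderUtils();
        if (builderUtils == null) {
            throw new WSLoginFailedException(Tr.formatMessage(tc, "JWTSSO_CONFIG_INVALID"));
        }
        try {
            updateSubject(subject, builderUtils.buildTokenFromSecuritySubject(subject));
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.jwtsso.token.JwtSSOTokenImpl", "143", this, new Object[]{subject});
            throw loginFailure(e);
        }
    }

    /**
     * Wraps a token build/validation failure for the login path. The message is
     * the wrapped exception's localized message (as before), and the wrapped
     * exception is attached as the cause so handlers see the real failure and
     * its stack rather than only its text.
     *
     * @param cause the exception that made the operation fail
     * @return the exception to throw
     */
    private static WSLoginFailedException loginFailure(Exception cause) {
        WSLoginFailedException failure = new WSLoginFailedException(cause.getLocalizedMessage());
        // LoginException's String constructor leaves the cause unset, so this cannot throw.
        failure.initCause(cause);
        return failure;
    }

    /**
     * Returns the token-building utility for the configured {@code jwtBuilderRef},
     * or {@code null} when no builder configuration is bound or it names no builder.
     */
    protected JwtSsoTokenUtils getJwtSsoTokenBuilderUtils() {
        JwtSsoBuilderConfig builderConfig = getJwtSSOBuilderConfig();
        if (builderConfig == null) {
            return null;
        }
        String builderRef = builderConfig.getJwtBuilderRef();
        return builderRef == null ? null : new JwtSsoTokenUtils(builderRef);
    }

    /** Adds the token to the subject's principals; no-op when either argument is {@code null}. */
    private void updateSubject(Subject subject, JsonWebToken jsonWebToken) {
        if (subject == null || jsonWebToken == null) {
            return;
        }
        subject.getPrincipals().add(jsonWebToken);
    }

    /** {@code true} when the subject already carries at least one {@link JsonWebToken} principal. */
    private boolean subjectHasJwtPrincipal(Subject subject) {
        return !getJwtPrincipals(subject).isEmpty();
    }

    /**
     * A subject counts as unauthenticated when it has no {@link WSPrincipal}
     * or the first one the set iterates is named {@link #UNAUTHENTICATED}.
     * Only the first principal is inspected, as in the original code.
     */
    private boolean isSubjectUnauthenticated(Subject subject) {
        Set<WSPrincipal> wsPrincipals = getWSPrincipals(subject);
        if (wsPrincipals == null || wsPrincipals.isEmpty()) {
            return true;
        }
        return UNAUTHENTICATED.equals(wsPrincipals.iterator().next().getName());
    }

    /**
     * Returns the token-validating utility for the configured {@code jwtConsumerRef},
     * wired to the MicroProfile JWT TAI reference, or {@code null} when no consumer
     * configuration is bound, it names no consumer, or the utility reports itself invalid.
     */
    protected JwtSsoTokenUtils getJwtSsoTokenConsumerUtils() {
        JwtSsoConfig consumerConfig = getJwtSSOConsumerConfig();
        if (consumerConfig == null) {
            return null;
        }
        String consumerRef = consumerConfig.getJwtConsumerRef();
        if (consumerRef == null) {
            return null;
        }
        JwtSsoTokenUtils consumerUtils = new JwtSsoTokenUtils(consumerRef, mpJwtTaiServiceRef);
        return consumerUtils.isValid() ? consumerUtils : null;
    }

    /** The currently bound consumer configuration, or {@code null} when none is bound. */
    protected JwtSsoConfig getJwtSSOConsumerConfig() {
        return jwtSSOConfigRef.getService();
    }

    /** The currently bound builder configuration, or {@code null} when none is bound. */
    protected JwtSsoBuilderConfig getJwtSSOBuilderConfig() {
        return jwtSSOBuilderConfigRef.getService();
    }

    /**
     * Returns the raw JWT SSO token string held by the subject's {@link JsonWebToken}
     * principal, or {@code null} when the subject is {@code null} or carries none.
     * <p>
     * If the subject carries several {@link JsonWebToken} principals, the one
     * returned is whichever the set iterates first, because
     * {@link #hasMultiplePrincipals(Set)} is a stub that never reports multiples.
     *
     * @param subject the subject to read the token from
     * @return the raw token, or {@code null}
     */
    public String getJwtSSOToken(Subject subject) {
        Set<JsonWebToken> jwtPrincipals = getJwtPrincipals(subject);
        if (jwtPrincipals == null || jwtPrincipals.isEmpty() || hasMultiplePrincipals(jwtPrincipals)) {
            return null;
        }
        return getRawJwtToken(jwtPrincipals.iterator().next());
    }

    /** The principal's raw token, or {@code null} for a {@code null} principal. */
    private String getRawJwtToken(JsonWebToken jsonWebToken) {
        return jsonWebToken == null ? null : jsonWebToken.getRawToken();
    }

    /**
     * Stub kept from the original: always {@code false}, so a set with more than
     * one token is never rejected by {@link #getJwtSSOToken(Subject)}.
     */
    private boolean hasMultiplePrincipals(Set<JsonWebToken> set) {
        return false;
    }

    /** The subject's {@link JsonWebToken} principals, or {@code null} for a {@code null} subject. */
    private Set<JsonWebToken> getJwtPrincipals(Subject subject) {
        return subject == null ? null : subject.getPrincipals(JsonWebToken.class);
    }

    /** The subject's {@link WSPrincipal}s, or {@code null} for a {@code null} subject. */
    private Set<WSPrincipal> getWSPrincipals(Subject subject) {
        return subject == null ? null : subject.getPrincipals(WSPrincipal.class);
    }

    /**
     * Validates an incoming JWT SSO token and returns the resulting subject.
     * When a subject is supplied the validation is performed against it;
     * otherwise a subject is built from the token alone.
     *
     * @param subject an existing subject to validate against, may be {@code null}
     * @param str     the raw JWT SSO token string (as returned by {@link #getJwtSSOToken(Subject)})
     * @return the validated subject, never {@code null}
     * @throws WSLoginFailedException when no consumer is configured, the token is
     *         {@code null}, validation fails (the triggering exception is attached
     *         as the cause) or validation yields no subject
     */
    public Subject handleJwtSSOTokenValidation(Subject subject, String str) throws WSLoginFailedException {
        String invalidMessage = Tr.formatMessage(tc, "JWTSSO_CONFIG_INVALID_OR_TOKEN_INVALID");
        JwtSsoTokenUtils consumerUtils = getJwtSsoTokenConsumerUtils();
        if (consumerUtils == null || str == null) {
            throw new WSLoginFailedException(invalidMessage);
        }
        Subject validated;
        // NOTE(review): the raw token is passed to FFDC as incident data in both
        // catch blocks, so it can end up in FFDC logs; confirm those logs are
        // access-controlled to the same degree as the token itself.
        if (subject != null) {
            try {
                validated = consumerUtils.handleJwtSsoTokenValidationWithSubject(subject, str);
            } catch (Exception e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.jwtsso.token.JwtSSOTokenImpl", "368", this, new Object[]{subject, str});
                throw loginFailure(e);
            }
        } else {
            try {
                validated = consumerUtils.handleJwtSsoTokenValidation(str);
            } catch (Exception e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.jwtsso.token.JwtSSOTokenImpl", "374", this, new Object[]{subject, str});
                throw loginFailure(e);
            }
        }
        if (validated == null) {
            throw new WSLoginFailedException(invalidMessage);
        }
        return validated;
    }

    /**
     * Extracts the custom cache key carried in the token.
     *
     * @param str the raw JWT SSO token string, may be {@code null}
     * @return the custom cache key, or {@code null} when no token was given
     */
    public String getCustomCacheKeyFromJwtSSOToken(String str) {
        if (str == null) {
            return null;
        }
        return new JwtSsoTokenUtils().getCustomCacheKeyFromToken(str);
    }

    /**
     * Computes the authentication-cache key for a JWT SSO token. The key is a
     * digest of the token, so the token itself is never used as a cache key.
     * A supplied token string takes precedence; otherwise the token is read
     * from the subject.
     *
     * @param subject the subject whose token is used when {@code str} is {@code null}
     * @param str     the raw JWT SSO token string, may be {@code null}
     * @return the digest, or {@code null} when neither source yields a token
     */
    public String getCacheKeyForJwtSSOToken(Subject subject, String str) {
        if (str != null) {
            return HashUtils.digest(str);
        }
        if (subject == null) {
            return null;
        }
        String token = getJwtSSOToken(subject);
        return token == null ? null : HashUtils.digest(token);
    }

    /**
     * Re-creates the subject's JWT SSO token: every existing {@link JsonWebToken}
     * principal is removed first so that {@link #createJwtSSOToken(Subject)}
     * builds a fresh one from the subject's current state.
     *
     * @param subject the subject to refresh, may be {@code null} (then nothing happens)
     * @throws WSLoginFailedException as for {@link #createJwtSSOToken(Subject)}
     */
    public void addAttributesToJwtSSOToken(Subject subject) throws WSLoginFailedException {
        Set<JsonWebToken> jwtPrincipals = getJwtPrincipals(subject);
        if (jwtPrincipals != null && !jwtPrincipals.isEmpty()) {
            // getPrincipals(Class) returns a copy, so removing from the live set is safe here.
            subject.getPrincipals().removeAll(jwtPrincipals);
        }
        createJwtSSOToken(subject);
    }

    /**
     * Validates the subject's JWT SSO token with the configured consumer.
     *
     * @param subject the subject holding the token
     * @return {@code false} when no consumer is configured or the subject has no
     *         token; otherwise the consumer's verdict
     */
    public boolean isSubjectValid(Subject subject) {
        String token = getJwtSSOToken(subject);
        JwtSsoTokenUtils consumerUtils = getJwtSsoTokenConsumerUtils();
        if (consumerUtils == null || token == null) {
            return false;
        }
        return consumerUtils.isJwtValid(token);
    }

    /** The configured cookie name, or {@code null} when no builder configuration is bound. */
    public String getJwtCookieName() {
        JwtSsoBuilderConfig builderConfig = getJwtSSOBuilderConfig();
        return builderConfig == null ? null : builderConfig.getCookieName();
    }

    /**
     * Whether the JWT cookie is marked secure. Defaults to {@code true} (the safe
     * choice) when no builder configuration is bound.
     */
    public boolean isCookieSecured() {
        JwtSsoBuilderConfig builderConfig = getJwtSSOBuilderConfig();
        return builderConfig == null || builderConfig.isCookieSecured();
    }

    /**
     * The token validity in minutes, or {@code 0} when no builder configuration
     * is bound. {@code getValidTime()} is scaled by 60 here — presumably it is
     * configured in hours; confirm against {@link JwtSsoBuilderConfig}.
     */
    public long getValidTimeInMinutes() {
        JwtSsoBuilderConfig builderConfig = getJwtSSOBuilderConfig();
        return builderConfig == null ? 0L : builderConfig.getValidTime() * 60;
    }

    /** Whether the cookie path is set to the web application's context path; {@code false} when unconfigured. */
    public boolean shouldSetJwtCookiePathToWebAppContext() {
        JwtSsoBuilderConfig builderConfig = getJwtSSOBuilderConfig();
        return builderConfig != null && builderConfig.isSetCookiePathToWebAppContextPath();
    }

    /** Whether an LTPA cookie is issued alongside the JWT cookie; {@code true} when unconfigured. */
    public boolean shouldAlsoIncludeLtpaCookie() {
        JwtSsoBuilderConfig builderConfig = getJwtSSOBuilderConfig();
        return builderConfig == null || builderConfig.isIncludeLtpaCookie();
    }

    /** Whether LTPA is used when no JWT cookie is present; {@code true} when unconfigured. */
    public boolean shouldUseLtpaIfJwtAbsent() {
        JwtSsoBuilderConfig builderConfig = getJwtSSOBuilderConfig();
        return builderConfig == null || builderConfig.isUseLtpaIfJwtAbsent();
    }
}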
