package com.ibm.ws.security.mp.jwt.impl;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.ManualTrace;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ssl.JSSEHelper;
import com.ibm.websphere.ssl.SSLConfigChangeListener;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.config.CommonConfigUtils;
import com.ibm.ws.security.common.jwk.impl.JWKSet;
import com.ibm.ws.security.jwt.config.ConsumerUtils;
import com.ibm.ws.security.jwt.config.JwtConsumerConfig;
import com.ibm.ws.security.jwt.utils.JwtUtils;
import com.ibm.ws.security.mp.jwt.MicroProfileJwtConfig;
import com.ibm.ws.security.mp.jwt.MicroProfileJwtService;
import com.ibm.ws.security.mp.jwt.SslRefInfo;
import com.ibm.ws.security.mp.jwt.error.MpJwtProcessingException;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.ssl.SSLSupport;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;

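/**
 * Declarative-Services backed configuration for one {@code mpJwt} element.
 *
 * <p>Every attribute is read in {@link #initProps} on activation and again on each
 * configuration update; the update also drops the lazily built SSL, JWK and consumer
 * state so the next getter rebuilds it from the new attributes.
 *
 * <p>Points worth knowing when reviewing a deployment:
 * <ul>
 *   <li>{@code hostNameVerificationEnabled} is read with a default of {@code false}, so an
 *       element that omits the attribute does not verify the JWKS endpoint host name.</li>
 *   <li>{@code sharedKey} is marked {@link Sensitive} and is never written to trace in clear;
 *       {@link #debug()} only reports whether it is set.</li>
 *   <li>The lazily cached fields ({@code sslRefInfo}, {@code sslContext},
 *       {@code sslSocketFactory}, {@code consumerUtils}, {@code jwkSet}) are plain, unsynchronized
 *       fields; concurrent first calls may each build an instance.</li>
 * </ul>
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(name = "com.ibm.ws.security.mp.jwt", configurationPid = {"com.ibm.ws.security.mp.jwt"}, configurationPolicy = ConfigurationPolicy.REQUIRE, immediate = true, service = {MicroProfileJwtConfig.class, JwtConsumerConfig.class}, property = {"service.vendor=IBM", "type=microProfileJwtConfig"})
/* loaded from: input_file:com/ibm/ws/security/mp/jwt/impl/MicroProfileJwtConfigImpl.class */
public class MicroProfileJwtConfigImpl implements MicroProfileJwtConfig {
    private static TraceComponent tc = Tr.register(MicroProfileJwtConfigImpl.class, "MPJWT", "com.ibm.ws.security.mp.jwt.resources.MicroProfileJwtMessages");

    // Configuration attribute names (keys of the DS properties map).
    protected static final String KEY_UNIQUE_ID = "id";
    public static final String KEY_sslRef = "sslRef";
    protected String sslRef;
    public static final String KEY_jwksUri = "jwksUri";
    static final String KEY_MP_JWT_SERVICE = "microProfileJwtService";
    public static final String KEY_ISSUER = "issuer";
    public static final String KEY_AUDIENCE = "audiences";
    public static final String CFG_KEY_HOST_NAME_VERIFICATION_ENABLED = "hostNameVerificationEnabled";
    public static final String KEY_TRUSTED_ALIAS = "keyName";
    public static final String KEY_userNameAttribute = "userNameAttribute";
    public static final String KEY_groupNameAttribute = "groupNameAttribute";
    public static final String CFG_KEY_TOKEN_REUSE = "tokenReuse";
    public static final String CFG_KEY_CLOCK_SKEW = "clockSkew";
    // Read with the previous value as default, so an omitted attribute keeps the last setting.
    private long clockSkewMilliSeconds;
    public static final String CFG_KEY_IGNORE_APP_AUTH_METHOD = "ignoreApplicationAuthMethod";
    public static final String CFG_KEY_mapToUserRegistry = "mapToUserRegistry";
    public static final String CFG_KEY_SIGALG = "signatureAlgorithm";

    // Symmetric verification key; excluded from trace output by @Sensitive.
    @Sensitive
    private String sharedKey;
    static final long serialVersionUID = 7243489252612213660L;
    protected final boolean IS_REQUIRED = true;
    protected final boolean IS_NOT_REQUIRED = false;
    protected String uniqueId = null;
    // Lazily built from the MP JWT service; reset in initProps() when configuration changes.
    protected SSLContext sslContext = null;
    protected SSLSocketFactory sslSocketFactory = null;
    protected SslRefInfo sslRefInfo = null;
    protected String jwksUri = null;
    final AtomicServiceReference<MicroProfileJwtService> mpJwtServiceRef = new AtomicServiceReference<>(KEY_MP_JWT_SERVICE);
    ConsumerUtils consumerUtils = null;
    JWKSet jwkSet = null;
    String issuer = null;
    String[] audience = null;
    // Default applies when the attribute is absent from the configuration.
    protected boolean hostNameVerificationEnabled = false;
    private String trustAliasName = null;
    protected String userNameAttribute = null;
    protected String groupNameAttribute = null;
    protected boolean tokenReuse = true;
    protected boolean ignoreApplicationAuthMethod = true;
    protected boolean mapToUserRegistry = false;
    String signatureAlgorithm = "RS256";
    protected CommonConfigUtils configUtils = new CommonConfigUtils();

    /**
     * Binds the mandatory {@link MicroProfileJwtService} reference supplied by DS.
     *
     * @param serviceReference the bound service reference
     */
    @Reference(service = MicroProfileJwtService.class, name = KEY_MP_JWT_SERVICE, cardinality = ReferenceCardinality.MANDATORY)
    protected void setMicroProfileJwtService(ServiceReference<MicroProfileJwtService> serviceReference) {
        this.mpJwtServiceRef.setReference(serviceReference);
    }

    /**
     * Unbinds the {@link MicroProfileJwtService} reference when DS releases it.
     *
     * @param serviceReference the reference being unbound
     */
    protected void unsetMicroProfileJwtService(ServiceReference<MicroProfileJwtService> serviceReference) {
        this.mpJwtServiceRef.unsetReference(serviceReference);
    }

    /**
     * DS activation: records the element id and reads every attribute via {@link #initProps}.
     *
     * @param componentContext the DS component context
     * @param map the configuration properties of this {@code mpJwt} element
     * @throws MpJwtProcessingException propagated from {@link #initProps}
     */
    @Activate
    protected void activate(ComponentContext componentContext, Map<String, Object> map) throws MpJwtProcessingException {
        this.mpJwtServiceRef.activate(componentContext);
        this.uniqueId = (String) map.get(KEY_UNIQUE_ID);
        initProps(componentContext, map);
        Tr.info(tc, "MPJWT_CONFIG_PROCESSED", new Object[]{this.uniqueId});
    }

    /**
     * DS configuration update: re-reads every attribute via {@link #initProps}.
     *
     * @param componentContext the DS component context
     * @param map the updated configuration properties
     * @throws MpJwtProcessingException propagated from {@link #initProps}
     */
    @Modified
    protected void modified(ComponentContext componentContext, Map<String, Object> map) throws MpJwtProcessingException {
        initProps(componentContext, map);
        Tr.info(tc, "MPJWT_CONFIG_MODIFIED", new Object[]{this.uniqueId});
    }

    /**
     * DS deactivation: releases the service reference.
     *
     * @param componentContext the DS component context
     */
    @Deactivate
    protected void deactivate(ComponentContext componentContext) {
        this.mpJwtServiceRef.deactivate(componentContext);
        Tr.info(tc, "MPJWT_CONFIG_DEACTIVATED", new Object[]{this.uniqueId});
    }

    /**
     * Reads all configuration attributes from {@code map} into this instance and discards
     * any lazily built state that depends on them.
     *
     * <p>Booleans and the clock skew fall back to the current field value when the attribute
     * is absent; string attributes become {@code null} when absent (as returned by
     * {@link CommonConfigUtils#getConfigAttribute}).
     *
     * @param componentContext the DS component context (used only for trace)
     * @param map the configuration properties
     * @throws MpJwtProcessingException propagated from the attribute helpers
     */
    @ManualTrace
    public void initProps(ComponentContext componentContext, Map<String, Object> map) throws MpJwtProcessingException {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "initProps", new Object[]{componentContext, map});
        }
        this.issuer = this.configUtils.getRequiredConfigAttribute(map, KEY_ISSUER);
        this.audience = this.configUtils.getStringArrayConfigAttribute(map, KEY_AUDIENCE);
        this.jwksUri = this.configUtils.getConfigAttribute(map, KEY_jwksUri);
        this.userNameAttribute = this.configUtils.getConfigAttribute(map, KEY_userNameAttribute);
        this.groupNameAttribute = this.configUtils.getConfigAttribute(map, KEY_groupNameAttribute);
        this.clockSkewMilliSeconds = this.configUtils.getLongConfigAttribute(map, CFG_KEY_CLOCK_SKEW, this.clockSkewMilliSeconds);
        this.sslRef = this.configUtils.getConfigAttribute(map, KEY_sslRef);
        this.trustAliasName = this.configUtils.getConfigAttribute(map, KEY_TRUSTED_ALIAS);
        this.hostNameVerificationEnabled = this.configUtils.getBooleanConfigAttribute(map, CFG_KEY_HOST_NAME_VERIFICATION_ENABLED, this.hostNameVerificationEnabled);
        this.tokenReuse = this.configUtils.getBooleanConfigAttribute(map, CFG_KEY_TOKEN_REUSE, this.tokenReuse);
        this.ignoreApplicationAuthMethod = this.configUtils.getBooleanConfigAttribute(map, CFG_KEY_IGNORE_APP_AUTH_METHOD, this.ignoreApplicationAuthMethod);
        this.mapToUserRegistry = this.configUtils.getBooleanConfigAttribute(map, CFG_KEY_mapToUserRegistry, this.mapToUserRegistry);
        this.signatureAlgorithm = this.configUtils.getConfigAttribute(map, CFG_KEY_SIGALG);
        this.sharedKey = JwtUtils.processProtectedString(map, "sharedKey");
        // Drop everything derived from sslRef/keyName/jwksUri so the lazy getters rebuild it.
        // The socket factory is included: it is keyed on sslRef just like the SSLContext.
        this.sslRefInfo = null;
        this.sslContext = null;
        this.sslSocketFactory = null;
        this.jwkSet = null;
        this.consumerUtils = null;
        debug();
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, "initProps");
        }
    }

    /** Traces the effective configuration; the shared key is only reported as set/unset. */
    protected void debug() {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "issuer: " + this.issuer, new Object[0]);
            Tr.debug(tc, "hostNameVerificationEnabled: " + this.hostNameVerificationEnabled, new Object[0]);
            Tr.debug(tc, "tokenReuse: " + this.tokenReuse, new Object[0]);
            Tr.debug(tc, "keyName: " + this.trustAliasName, new Object[0]);
            Tr.debug(tc, "jwksUri:" + this.jwksUri, new Object[0]);
            Tr.debug(tc, "userNameAttribute:" + this.userNameAttribute, new Object[0]);
            Tr.debug(tc, "groupNameAttribute:" + this.groupNameAttribute, new Object[0]);
            Tr.debug(tc, "mapToUserRegistry:" + this.mapToUserRegistry, new Object[0]);
            Tr.debug(tc, "sslRef = " + this.sslRef, new Object[0]);
            Tr.debug(tc, "sigAlg = " + this.signatureAlgorithm, new Object[0]);
            // The null check must apply to the key itself, not to a concatenated string
            // (which is never null); the value is masked either way.
            Tr.debug(tc, "sharedKey: " + (this.sharedKey == null ? "null" : "*********"), new Object[0]);
        }
    }

    /** @return whether JWKS endpoint host names are verified ({@code false} when unconfigured) */
    public boolean isHostNameVerificationEnabled() {
        return this.hostNameVerificationEnabled;
    }

    /** @return the configuration id; alias for {@link #getUniqueId()} */
    public String getId() {
        return getUniqueId();
    }

    /** @return the required {@code issuer} attribute */
    public String getIssuer() {
        return this.issuer;
    }

    /**
     * @return the configured shared key, or {@code null} when none is set. Callers must not
     *         log or otherwise expose the value.
     */
    public String getSharedKey() {
        return this.sharedKey;
    }

    /**
     * Returns a mutable copy of the configured audiences.
     *
     * @return a new list, or {@code null} when the attribute was not configured (callers
     *         distinguish "unset" from "empty", so {@code null} is preserved)
     */
    public List<String> getAudiences() {
        if (this.audience == null) {
            return null;
        }
        return new ArrayList<>(Arrays.asList(this.audience));
    }

    /** @return the configured signature algorithm (defaults to {@code RS256} before activation) */
    public String getSignatureAlgorithm() {
        return this.signatureAlgorithm;
    }

    /**
     * Looks up the bound {@link MicroProfileJwtService}, tracing when it is absent.
     *
     * @return the service, or {@code null} when none is currently bound
     */
    private MicroProfileJwtService lookupMpJwtService() {
        MicroProfileJwtService service = this.mpJwtServiceRef.getService();
        if (service == null && tc.isDebugEnabled()) {
            Tr.debug(tc, "MP JWT service is not available", new Object[0]);
        }
        return service;
    }

    /**
     * Lazily builds the {@link SslRefInfo} for the configured {@code sslRef}/{@code keyName}.
     *
     * @return the cached or newly created info, or {@code null} when the MP JWT service is not bound
     */
    private SslRefInfo ensureSslRefInfo() {
        if (this.sslRefInfo == null) {
            MicroProfileJwtService service = lookupMpJwtService();
            if (service == null) {
                return null;
            }
            this.sslRefInfo = new SslRefInfoImpl(service.getSslSupport(), service.getKeyStoreServiceRef(), this.sslRef, this.trustAliasName);
        }
        return this.sslRefInfo;
    }

    /** Writes a {@code null} trace exit for {@code methodName} when debug trace is on. */
    private void traceExitNull(String methodName) {
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, methodName, (Object) null);
        }
    }

    /**
     * Resolves {@link SSLSupport} from the MP JWT service.
     *
     * @param methodName the caller's name, used for the trace exit when resolution fails
     * @return the SSL support, or {@code null} (already traced) when the service or its SSL
     *         support is unavailable
     */
    private SSLSupport lookupSslSupport(String methodName) {
        MicroProfileJwtService service = lookupMpJwtService();
        if (service == null) {
            traceExitNull(methodName);
            return null;
        }
        SSLSupport sslSupport = service.getSslSupport();
        if (sslSupport == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "SSL support could not be found for microprofile jwt service", new Object[0]);
            }
            traceExitNull(methodName);
        }
        return sslSupport;
    }

    /**
     * Resolves the trust store name behind the configured {@code sslRef}.
     *
     * <p>Failure to resolve is deliberately best-effort: the exception is FFDC-ignored and
     * {@code null} is returned, with the cause written to debug trace.
     *
     * @return the trust store name, or {@code null} when the service is unavailable or resolution fails
     */
    @FFDCIgnore({MpJwtProcessingException.class})
    public String getTrustStoreRef() {
        SslRefInfo info = ensureSslRefInfo();
        if (info == null) {
            return null;
        }
        try {
            return info.getTrustStoreName();
        } catch (MpJwtProcessingException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Trust store name could not be resolved: " + e.getLocalizedMessage(), new Object[0]);
            }
            return null;
        }
    }

    /** @return the {@code keyName} attribute naming the trusted certificate alias, or {@code null} */
    public String getTrustedAlias() {
        return this.trustAliasName;
    }

    /** @return {@code true} when a {@code jwksUri} is configured */
    public boolean getJwkEnabled() {
        return this.jwksUri != null;
    }

    /** @return the configured {@code jwksUri}, or {@code null} */
    public String getJwkEndpointUrl() {
        return this.jwksUri;
    }

    /**
     * Lazily creates the {@link ConsumerUtils} bound to the service's key store reference.
     *
     * @return the consumer utils, or {@code null} (with a warning) when the MP JWT service is not bound
     */
    public ConsumerUtils getConsumerUtils() {
        if (this.consumerUtils == null) {
            MicroProfileJwtService service = this.mpJwtServiceRef.getService();
            if (service == null) {
                Tr.warning(tc, "SERVICE_NOT_FOUND_JWT_CONSUMER_NOT_AVAILABLE", new Object[]{this.uniqueId});
            } else {
                this.consumerUtils = new ConsumerUtils(service.getKeyStoreServiceRef());
            }
        }
        return this.consumerUtils;
    }

    /** @return the lazily created, cached JWK set for this configuration */
    public JWKSet getJwkSet() {
        if (this.jwkSet == null) {
            this.jwkSet = new JWKSet();
        }
        return this.jwkSet;
    }

    @Override // com.ibm.ws.security.mp.jwt.MicroProfileJwtConfig
    public String getUniqueId() {
        return this.uniqueId;
    }

    /** @return the configured {@code sslRef}, or {@code null} */
    public String getSslRef() {
        return this.sslRef;
    }

    /**
     * Returns the public keys available through the configured {@code sslRef}/{@code keyName}.
     *
     * @return the keys keyed as provided by {@link SslRefInfo#getPublicKeys()}, or {@code null}
     *         when the MP JWT service is not bound
     * @throws MpJwtProcessingException propagated from {@link SslRefInfo#getPublicKeys()}
     */
    @ManualTrace
    public HashMap<String, PublicKey> getPublicKeys() throws MpJwtProcessingException {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "getPublicKeys", new Object[0]);
        }
        SslRefInfo info = ensureSslRefInfo();
        if (info == null) {
            traceExitNull("getPublicKeys");
            return null;
        }
        HashMap<String, PublicKey> publicKeys = info.getPublicKeys();
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, "getPublicKeys", publicKeys);
        }
        return publicKeys;
    }

    /**
     * Lazily obtains the {@link SSLContext} for the configured {@code sslRef}.
     *
     * @return the cached context, or {@code null} when the service, its SSL support or the
     *         JSSE helper is unavailable
     * @throws MpJwtProcessingException wrapping any failure from the JSSE helper
     */
    @ManualTrace
    public SSLContext getSSLContext() throws MpJwtProcessingException {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "getSSLContext", new Object[0]);
        }
        if (this.sslContext == null) {
            SSLSupport sslSupport = lookupSslSupport("getSSLContext");
            if (sslSupport == null) {
                return null; // reason already traced by lookupSslSupport
            }
            try {
                JSSEHelper jsseHelper = sslSupport.getJSSEHelper();
                if (jsseHelper != null) {
                    // Argument list kept exactly as in the original call; the raw Map cast
                    // preserves overload resolution against the JSSEHelper signature.
                    this.sslContext = jsseHelper.getSSLContext(this.sslRef, (Map) null, (SSLConfigChangeListener) null, true);
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "sslContext (" + this.sslRef + ") get: " + this.sslContext, new Object[0]);
                    }
                }
            } catch (Exception e) {
                // FFDC probe id retained from the original source.
                FFDCFilter.processException(e, "com.ibm.ws.security.mp.jwt.impl.MicroProfileJwtConfigImpl", "383", this, new Object[0]);
                throw new MpJwtProcessingException(Tr.formatMessage(tc, "FAILED_TO_GET_SSL_CONTEXT", new Object[]{this.uniqueId, e.getLocalizedMessage()}), e);
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, "getSSLContext", this.sslContext);
        }
        return this.sslContext;
    }

    /**
     * Lazily obtains the {@link SSLSocketFactory} for the configured {@code sslRef}.
     *
     * @return the cached factory, or {@code null} when the service or its SSL support is unavailable
     * @throws MpJwtProcessingException wrapping any failure from {@link SSLSupport#getSSLSocketFactory}
     */
    @ManualTrace
    public SSLSocketFactory getSSLSocketFactory() throws MpJwtProcessingException {
        if (tc.isDebugEnabled()) {
            Tr.entry(tc, "getSSLSocketFactory", new Object[0]);
        }
        // Guard on the factory itself. The original tested sslContext, which rebuilt the
        // factory on every call while the context was unset and never built it once
        // getSSLContext() had run first.
        if (this.sslSocketFactory == null) {
            SSLSupport sslSupport = lookupSslSupport("getSSLSocketFactory");
            if (sslSupport == null) {
                return null; // reason already traced by lookupSslSupport
            }
            try {
                this.sslSocketFactory = sslSupport.getSSLSocketFactory(this.sslRef);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "sslSocketFactory (" + this.sslRef + ") get: " + this.sslSocketFactory, new Object[0]);
                }
            } catch (Exception e) {
                // FFDC probe id retained from the original source.
                FFDCFilter.processException(e, "com.ibm.ws.security.mp.jwt.impl.MicroProfileJwtConfigImpl", "428", this, new Object[0]);
                throw new MpJwtProcessingException(Tr.formatMessage(tc, "FAILED_TO_GET_SSL_CONTEXT", new Object[]{this.uniqueId, e.getLocalizedMessage()}), e);
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.exit(tc, "getSSLSocketFactory", this.sslSocketFactory);
        }
        return this.sslSocketFactory;
    }

    @Override // com.ibm.ws.security.mp.jwt.MicroProfileJwtConfig
    public String getUserNameAttribute() {
        return this.userNameAttribute;
    }

    @Override // com.ibm.ws.security.mp.jwt.MicroProfileJwtConfig
    public String getGroupNameAttribute() {
        return this.groupNameAttribute;
    }

    /** @return always {@code true}: tokens accepted under this configuration are always validated */
    public boolean isValidationRequired() {
        return true;
    }

    /** @return the permitted clock skew in milliseconds */
    public long getClockSkew() {
        return this.clockSkewMilliSeconds;
    }

    /** @return whether a token may be presented more than once ({@code true} when unconfigured) */
    public boolean getTokenReuse() {
        return this.tokenReuse;
    }

    @Override // com.ibm.ws.security.mp.jwt.MicroProfileJwtConfig
    public boolean ignoreApplicationAuthMethod() {
        return this.ignoreApplicationAuthMethod;
    }

    @Override // com.ibm.ws.security.mp.jwt.MicroProfileJwtConfig
    public boolean getMapToUserRegistry() {
        return this.mapToUserRegistry;
    }
}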
