package com.ibm.ws.security.oauth20.web;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.oauth.core.api.OAuthConstants;
import com.ibm.oauth.core.api.OAuthResult;
import com.ibm.oauth.core.api.attributes.AttributeList;
import com.ibm.oauth.core.api.error.OAuthException;
import com.ibm.oauth.core.api.error.OidcServerException;
import com.ibm.oauth.core.api.oauth20.token.OAuth20Token;
import com.ibm.oauth.core.internal.oauth20.OAuth20Constants;
import com.ibm.oauth.core.internal.oauth20.OAuth20Util;
import com.ibm.oauth.core.util.RateLimiter;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.security.audit.context.AuditManager;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.audit.Audit;
import com.ibm.ws.security.oauth20.api.OAuth20Provider;
import com.ibm.ws.security.oauth20.api.OidcOAuth20ClientProvider;
import com.ibm.ws.security.oauth20.error.impl.OAuth20TokenRequestExceptionHandler;
import com.ibm.ws.security.oauth20.exception.OAuth20BadParameterException;
import com.ibm.ws.security.oauth20.plugins.OAuth20TokenImpl;
import com.ibm.ws.security.oauth20.plugins.OidcBaseClient;
import com.ibm.ws.security.oauth20.util.HashUtils;
import com.ibm.ws.security.oauth20.util.OIDCConstants;
import com.ibm.ws.security.oauth20.util.OidcOAuth20Util;
import com.ibm.ws.security.oauth20.util.UtilConstants;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:com/ibm/ws/security/oauth20/web/TokenExchange.class */
public class TokenExchange {
    protected static final String MESSAGE_BUNDLE = "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages";
    public static final String CT_APPLICATION_JSON_UTF8 = "application/json;charset=UTF-8";
    public static final String HDR_AUTHORIZATION = "Authorization";
    public static final String CT_APPLICATION_URLENC = "application/x-www-form-urlencoded";
    public static final int PARAM_MAX_LENGTH = 255;
    public static final String HTTP_METHOD_DELETE = "DELETE";
    public static final String HTTP_METHOD_POST = "POST";
    public static final String HTTP_METHOD_GET = "GET";
    public static final String CACHE_CONTROL = "Cache-Control";
    public static final String NO_STORE = "no-store";
    public static final String NO_CACHE = "no-cache";
    public static final String PRAGMA = "Pragma";
    public static final String APP_ID_LOOKUP_KEY = "com.ibm.wsspi.security.oidc.external.claims:app_id";
    public static final String APP_TOKEN_LOOKUP_KEY = "com.ibm.wsspi.security.oidc.external.claims:app_id";
    public static final String ROLE_REQUIRED = "tokenManager";
    public static final String[] ALLOWED_AT_GT = {"authorization_code", "implicit", OAuth20Constants.GRANT_TYPE_IMPLICIT_INTERNAL, "refresh_token", "urn:ietf:params:oauth:grant-type:jwt-bearer"};
    public static final HashSet<String> ALLOWED_AT_GT_SET = new HashSet<>(Arrays.asList(ALLOWED_AT_GT));
    public static final String[] ALLOWED_RT_GT = {"authorization_code", "implicit"};
    public static final HashSet<String> ALLOWED_RT_GT_SET = new HashSet<>(Arrays.asList(ALLOWED_RT_GT));
    private static TraceComponent tc = Tr.register(TokenExchange.class, "OAUTH", "com.ibm.ws.security.oauth20.resources.ProviderMsgs");
    private static final ThreadLocal<Map<String, Object>> auditMap = new ThreadLocal<Map<String, Object>>() { // from class: com.ibm.ws.security.oauth20.web.TokenExchange.1
        static final long serialVersionUID = -4689953052342383386L;
        private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register(AnonymousClass1.class, "OAUTH", "com.ibm.ws.security.oauth20.resources.ProviderMsgs");

        /* JADX INFO: Access modifiers changed from: protected */
        /* JADX WARN: Can't rename method to resolve collision */
        @Override // java.lang.ThreadLocal
        public Map<String, Object> initialValue() {
            return new HashMap(32);
        }
    };
    public int numberRevoked = 0;
    private final AuditManager auditManager = new AuditManager();
    static final long serialVersionUID = -4021061408705720439L;

    /* JADX INFO: Access modifiers changed from: private */
    @InjectedFFDC
    @TraceObjectField(fieldName = "$$$tc$$$", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
    @TraceOptions
    /* loaded from: input_file:com/ibm/ws/security/oauth20/web/TokenExchange$AuthResult.class */
    public final class AuthResult {
        final boolean isAdmin;
        final String user;
        final String targetUser;
        final String clientId;
        final String appOrTokenId;
        static final long serialVersionUID = -1679603630094096518L;
        private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register(AuthResult.class, "OAUTH", "com.ibm.ws.security.oauth20.resources.ProviderMsgs");

        AuthResult(boolean z, String str, String str2, String str3, String str4) {
            this.isAdmin = z;
            this.user = setToNullIfEmpty(str);
            this.targetUser = setToNullIfEmpty(str2);
            this.clientId = setToNullIfEmpty(str3);
            this.appOrTokenId = setToNullIfEmpty(str4);
            ((Map) TokenExchange.auditMap.get()).put("isAdmin", Boolean.valueOf(z));
            ((Map) TokenExchange.auditMap.get()).put("user", str);
            ((Map) TokenExchange.auditMap.get()).put("targetUser", str2);
            ((Map) TokenExchange.auditMap.get()).put("clientId", str3);
            ((Map) TokenExchange.auditMap.get()).put("appOrTokenId", this.appOrTokenId);
            ((Map) TokenExchange.auditMap.get()).put("applicationId", str4);
        }

        private String setToNullIfEmpty(String str) {
            if (str == null || str.length() != 0) {
                return str;
            }
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void processAppPassword(OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        processCommon(true, oAuth20Provider, httpServletRequest, httpServletResponse);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void processAppToken(OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        processCommon(false, oAuth20Provider, httpServletRequest, httpServletResponse);
    }

    private void processCommonAudit(boolean z, OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        auditMap.get().clear();
        auditMap.get().put("isAppPasswordRequest", Boolean.valueOf(z));
        auditMap.get().put(UtilConstants.PROVIDER, oAuth20Provider.getID());
        auditMap.get().put("request", httpServletRequest);
        auditMap.get().put("response", httpServletResponse);
        auditMap.get().put("endpoint", z ? OAuth20Constants.APP_PASSWORD_URI : OAuth20Constants.APP_TOKEN_URI);
        if (OidcOAuth20Util.isJwtToken(httpServletRequest.getHeader("access_token"))) {
            auditMap.get().put("credentialType", "JWT");
        }
    }

    private void processCommon(boolean z, OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        processCommonAudit(z, oAuth20Provider, httpServletRequest, httpServletResponse);
        if (httpServletRequest.getMethod().equalsIgnoreCase(HTTP_METHOD_GET)) {
            processCommonGet(z, oAuth20Provider, httpServletRequest, httpServletResponse);
            return;
        }
        if (httpServletRequest.getMethod().equalsIgnoreCase(HTTP_METHOD_POST)) {
            processCommonPost(z, oAuth20Provider, httpServletRequest, httpServletResponse);
            return;
        }
        if (httpServletRequest.getMethod().equalsIgnoreCase(HTTP_METHOD_DELETE)) {
            processCommonDelete(z, oAuth20Provider, httpServletRequest, httpServletResponse);
            return;
        }
        String formattedMessage = TraceNLS.getFormattedMessage(TokenExchange.class, "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages", "OAUTH_UNSUPPORTED_METHOD", new Object[]{httpServletRequest.getMethod(), z ? OAuth20Constants.APP_PASSWORD_URI : OAuth20Constants.APP_TOKEN_URI}, "CWWKS1433E: The HTTP method {0} is not supported for the  {1} endpoint.");
        Tr.error(tc, formattedMessage, new Object[0]);
        httpServletResponse.sendError(400, formattedMessage);
        auditMap.get().put("auditOutcome", "failure");
        auditMap.get().put("detaileError", "bad request: unsupported HTTP method for endpoint");
        Audit.audit(Audit.EventID.APPLICATION_PASSWORD_TOKEN_01, new Object[]{auditMap.get()});
    }

    private String processAuditRole(HttpServletRequest httpServletRequest) {
        String str;
        str = "";
        str = httpServletRequest.isUserInRole("tokenManager") ? str + "tokenManager".concat(", ") : "";
        if (httpServletRequest.isUserInRole(RegistrationEndpointServices.ROLE_REQUIRED)) {
            str = str + RegistrationEndpointServices.ROLE_REQUIRED.concat(", ");
        }
        if (httpServletRequest.isUserInRole(OAuth20EndpointServices.AUTHENTICATED)) {
            str = str + OAuth20EndpointServices.AUTHENTICATED.concat(", ");
        }
        return str;
    }

    private void processCommonDelete(boolean z, OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String[] extractClientIdAndSecretFromAuthHeader = extractClientIdAndSecretFromAuthHeader(httpServletRequest, httpServletResponse);
        if (extractClientIdAndSecretFromAuthHeader != null && extractClientIdAndSecretFromAuthHeader[0] != null) {
            auditMap.get().put("clientId", extractClientIdAndSecretFromAuthHeader[0]);
        }
        String processAuditRole = processAuditRole(httpServletRequest);
        if (processAuditRole.length() > 0) {
            auditMap.get().put("initiatorRole", processAuditRole.substring(0, processAuditRole.length() - 2));
        }
        AuthResult validateClientAndAuthenticate = validateClientAndAuthenticate(z, oAuth20Provider, httpServletRequest, httpServletResponse);
        if (validateClientAndAuthenticate == null) {
            auditMap.get().put("auditOutcome", "failure");
            Audit.audit(Audit.EventID.APPLICATION_PASSWORD_TOKEN_01, new Object[]{auditMap.get()});
            return;
        }
        if (!deleteAppPasswordOrToken(z, validateClientAndAuthenticate, oAuth20Provider)) {
            sendHttp500(httpServletResponse);
            Audit.audit(Audit.EventID.APPLICATION_PASSWORD_TOKEN_01, new Object[]{auditMap.get()});
            return;
        }
        httpServletResponse.setStatus(200);
        auditMap.get().put("auditOutcome", OIDCConstants.OIDC_AUTHZ_PARAM_ID_TOKEN_HINT_STATUS_SUCCESS);
        auditMap.get().put("numberRevoked", Integer.valueOf(this.numberRevoked));
        Audit.audit(Audit.EventID.APPLICATION_PASSWORD_TOKEN_01, new Object[]{auditMap.get()});
        try {
            httpServletResponse.flushBuffer();
        } catch (IOException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.web.TokenExchange", "236", this, new Object[]{Boolean.valueOf(z), oAuth20Provider, httpServletRequest, httpServletResponse});
        }
    }

    private void processCommonPost(boolean z, OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String[] extractClientIdAndSecretFromAuthHeader = extractClientIdAndSecretFromAuthHeader(httpServletRequest, httpServletResponse);
        if (extractClientIdAndSecretFromAuthHeader != null && extractClientIdAndSecretFromAuthHeader[0] != null) {
            auditMap.get().put("clientId", extractClientIdAndSecretFromAuthHeader[0]);
        }
        String processAuditRole = processAuditRole(httpServletRequest);
        if (processAuditRole.length() > 0) {
            auditMap.get().put("initiatorRole", processAuditRole.substring(0, processAuditRole.length() - 2));
        }
        if (!checkContentType("application/x-www-form-urlencoded", httpServletRequest)) {
            sendInvalidRequestError(null, httpServletResponse);
            Audit.audit(Audit.EventID.APPLICATION_PASSWORD_TOKEN_01, new Object[]{auditMap.get()});
            return;
        }
        AuthResult validateClientAndAuthenticate = validateClientAndAuthenticate(z, oAuth20Provider, httpServletRequest, httpServletResponse);
        if (validateClientAndAuthenticate == null) {
            auditMap.get().put("auditOutcome", "failure");
            Audit.audit(Audit.EventID.APPLICATION_PASSWORD_TOKEN_01, new Object[]{auditMap.get()});
            return;
        }
        String htmlEncode = httpServletRequest.getParameter(OAuth20Constants.APP_NAME) == null ? null : WebUtils.htmlEncode(httpServletRequest.getParameter(OAuth20Constants.APP_NAME));
        auditMap.get().put("appName", htmlEncode);
        Collection<OAuth20Token> tokensForUser = getTokensForUser(z, validateClientAndAuthenticate, oAuth20Provider);
        String checkAppNameValidAndNotInUse = checkAppNameValidAndNotInUse(z, validateClientAndAuthenticate, htmlEncode, oAuth20Provider, tokensForUser);
        if (checkAppNameValidAndNotInUse != null) {
            Tr.error(tc, checkAppNameValidAndNotInUse, new Object[0]);
            sendInvalidRequestError(checkAppNameValidAndNotInUse, httpServletResponse);
            Audit.audit(Audit.EventID.APPLICATION_PASSWORD_TOKEN_01, new Object[]{auditMap.get()});
            return;
        }
        String checkTokenQuantityLimit = checkTokenQuantityLimit(z, validateClientAndAuthenticate, oAuth20Provider, tokensForUser);
        if (checkTokenQuantityLimit != null) {
            Tr.error(tc, checkTokenQuantityLimit, new Object[0]);
            sendInvalidRequestError(checkTokenQuantityLimit, httpServletResponse);
            Audit.audit(Audit.EventID.APPLICATION_PASSWORD_TOKEN_01, new Object[]{auditMap.get()});
            return;
        }
        OAuthResult requestAppPasswordOrTokenJson = requestAppPasswordOrTokenJson(z, validateClientAndAuthenticate, htmlEncode, oAuth20Provider, httpServletRequest, httpServletResponse);
        if (requestAppPasswordOrTokenJson.getStatus() != 0) {
            new OAuth20TokenRequestExceptionHandler().handleResultException(httpServletRequest, httpServletResponse, requestAppPasswordOrTokenJson);
            auditMap.get().put("auditOutcome", "failure");
            auditMap.get().put("detaileError", "failure to return request");
        } else {
            if (this.auditManager != null) {
                auditMap.get().put("respBody", this.auditManager.getAgent());
            }
            auditMap.get().put("auditOutcome", OIDCConstants.OIDC_AUTHZ_PARAM_ID_TOKEN_HINT_STATUS_SUCCESS);
        }
        Audit.audit(Audit.EventID.APPLICATION_PASSWORD_TOKEN_01, new Object[]{auditMap.get()});
    }

    private String checkTokenQuantityLimit(boolean z, AuthResult authResult, OAuth20Provider oAuth20Provider, Collection<OAuth20Token> collection) {
        if (((long) collection.size()) < oAuth20Provider.getAppTokenOrPasswordLimit()) {
            return null;
        }
        String formattedMessage = TraceNLS.getFormattedMessage(getClass(), "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages", "OAUTH_INVALID_REQUEST_TOO_MANY_TOKENS", new Object[]{authResult.user}, (String) null);
        return formattedMessage != null ? formattedMessage : "Error- maximum quantity of tokens reached";
    }

    private void processCommonGet(boolean z, OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String str;
        String[] extractClientIdAndSecretFromAuthHeader = extractClientIdAndSecretFromAuthHeader(httpServletRequest, httpServletResponse);
        if (extractClientIdAndSecretFromAuthHeader != null && extractClientIdAndSecretFromAuthHeader[0] != null) {
            auditMap.get().put("clientId", extractClientIdAndSecretFromAuthHeader[0]);
        }
        str = "";
        str = httpServletRequest.isUserInRole("tokenManager") ? str + "tokenManager".concat(", ") : "";
        if (httpServletRequest.isUserInRole(RegistrationEndpointServices.ROLE_REQUIRED)) {
            str = str + RegistrationEndpointServices.ROLE_REQUIRED.concat(", ");
        }
        if (httpServletRequest.isUserInRole(OAuth20EndpointServices.AUTHENTICATED)) {
            str = str + OAuth20EndpointServices.AUTHENTICATED.concat(", ");
        }
        if (str.length() > 0) {
            auditMap.get().put("initiatorRole", str.substring(0, str.length() - 2));
        }
        AuthResult validateClientAndAuthenticate = validateClientAndAuthenticate(z, oAuth20Provider, httpServletRequest, httpServletResponse);
        auditMap.get().put("authResult", validateClientAndAuthenticate);
        if (validateClientAndAuthenticate == null) {
            auditMap.get().put("auditOutcome", "failure");
            if (httpServletResponse.getStatus() == 400) {
                auditMap.get().put("detaileError", "bad request");
            } else if (httpServletResponse.getStatus() == 401) {
                auditMap.get().put("detaileError", "invalid client");
            }
            Audit.audit(Audit.EventID.APPLICATION_PASSWORD_TOKEN_01, new Object[]{auditMap.get()});
            return;
        }
        String listTokensJson = listTokensJson(z, validateClientAndAuthenticate, oAuth20Provider);
        if (listTokensJson != null) {
            sendGoodResponse(listTokensJson, httpServletResponse);
            auditMap.get().put("auditOutcome", OIDCConstants.OIDC_AUTHZ_PARAM_ID_TOKEN_HINT_STATUS_SUCCESS);
            Audit.audit(Audit.EventID.APPLICATION_PASSWORD_TOKEN_01, new Object[]{auditMap.get()});
        } else {
            sendHttp500(httpServletResponse);
            auditMap.get().put("auditOutcome", "failure");
            auditMap.get().put("detaileError", "internal error");
            Audit.audit(Audit.EventID.APPLICATION_PASSWORD_TOKEN_01, new Object[]{auditMap.get()});
        }
    }

    private AuthResult validateClientAndAuthenticate(boolean z, OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String[] extractClientIdAndSecretFromAuthHeader = extractClientIdAndSecretFromAuthHeader(httpServletRequest, httpServletResponse);
        if (extractClientIdAndSecretFromAuthHeader == null) {
            return null;
        }
        if (!isAccessTokenPresent(httpServletRequest)) {
            String formattedMessage = TraceNLS.getFormattedMessage(getClass(), "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages", "OAUTH_INVALID_REQUEST_NO_TOKEN", new Object[]{httpServletRequest.getMethod(), httpServletRequest.getRequestURI()}, (String) null);
            Tr.error(tc, formattedMessage, new Object[0]);
            RateLimiter.limit();
            sendInvalidRequestError(formattedMessage, httpServletResponse);
            return null;
        }
        if (!clientIdAndSecretValid(oAuth20Provider, extractClientIdAndSecretFromAuthHeader)) {
            String formattedMessage2 = TraceNLS.getFormattedMessage(getClass(), "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages", "OAUTH_INVALID_REQUEST_AUTHN_FAIL", new Object[]{httpServletRequest.getMethod(), httpServletRequest.getRequestURI()}, (String) null);
            Tr.error(tc, formattedMessage2, new Object[0]);
            RateLimiter.limit();
            sendInvalidClientError(formattedMessage2, httpServletResponse);
            return null;
        }
        String authenticate = authenticate(oAuth20Provider, httpServletRequest.getHeader("access_token"), httpServletRequest, httpServletResponse, extractClientIdAndSecretFromAuthHeader);
        if (authenticate == null) {
            RateLimiter.limit();
            return null;
        }
        String str = extractClientIdAndSecretFromAuthHeader[0];
        if (!checkClientAuthorization(z, oAuth20Provider, str, httpServletRequest.getMethod())) {
            String formattedMessage3 = TraceNLS.getFormattedMessage(getClass(), "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages", "OAUTH_UNAUTHORIZED_CLIENT", new Object[]{str}, (String) null);
            Tr.error(tc, formattedMessage3, new Object[0]);
            sendUnauthorizedClientError(formattedMessage3, httpServletResponse);
            return null;
        }
        boolean z2 = false;
        String str2 = null;
        if (!httpServletRequest.getMethod().equalsIgnoreCase(HTTP_METHOD_POST)) {
            str2 = httpServletRequest.getParameter(OAuth20Constants.PARAM_USER_ID);
        }
        if (str2 != null) {
            if (!checkParamLength(OAuth20Constants.PARAM_USER_ID, str2, httpServletRequest.getRequestURI(), httpServletResponse)) {
                return null;
            }
            str2 = escapeIllegalCharacters(str2);
            z2 = isAdminUser(authenticate, httpServletRequest);
            if (!z2 && !str2.equals(authenticate)) {
                String formattedMessage4 = TraceNLS.getFormattedMessage(getClass(), "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages", "OAUTH_SERVER_USERNAME_PARAM_NOT_SUPPORTED", new Object[]{httpServletRequest.getMethod(), httpServletRequest.getRequestURI()}, (String) null);
                Tr.error(tc, formattedMessage4, new Object[0]);
                sendInvalidRequestError(formattedMessage4, httpServletResponse);
                return null;
            }
        }
        String appIdOrTokenId = getAppIdOrTokenId(httpServletRequest);
        return new AuthResult(z2, authenticate, str2, str, appIdOrTokenId != null ? WebUtils.htmlEncode(appIdOrTokenId) : null);
    }

    private String getAppIdOrTokenId(HttpServletRequest httpServletRequest) {
        if (!httpServletRequest.getMethod().equalsIgnoreCase(HTTP_METHOD_DELETE)) {
            return null;
        }
        String str = null;
        String pathInfo = httpServletRequest.getPathInfo();
        int indexOf = pathInfo.indexOf("/app-passwords/");
        int indexOf2 = pathInfo.indexOf("/app-tokens/");
        if (indexOf > 0) {
            str = pathInfo.substring(indexOf + "/app-passwords/".length());
        } else if (indexOf2 > 0) {
            str = pathInfo.substring(indexOf2 + "/app-tokens/".length());
        }
        if (str == null || str.length() == 0) {
            return null;
        }
        return str;
    }

    private boolean isAccessTokenPresent(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("access_token");
        return (header == null || header.isEmpty()) ? false : true;
    }

    @FFDCIgnore({OAuth20BadParameterException.class, OAuthException.class})
    private String authenticate(OAuth20Provider oAuth20Provider, String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String[] strArr) {
        String str2 = str;
        if (OidcOAuth20Util.isJwtToken(str)) {
            str2 = HashUtils.digest(str);
        }
        OAuth20Token oAuth20Token = oAuth20Provider.getTokenCache().get(str2);
        if (oAuth20Token == null) {
            handleInvalidAccessTokenError(httpServletRequest, httpServletResponse, "OAUTH_INVALID_ATINREQUEST_AUTHN_FAIL");
            return null;
        }
        String type = oAuth20Token.getType();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "token type: " + type, new Object[0]);
        }
        if (!type.equals("access_token")) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "token type not an access token, return null", new Object[0]);
            }
            handleInvalidAccessTokenError(httpServletRequest, httpServletResponse, "OAUTH_INVALID_ATINREQUEST_AUTHN_FAIL");
            return null;
        }
        String grantType = oAuth20Token.getGrantType();
        String refreshTokenKey = ((OAuth20TokenImpl) oAuth20Token).getRefreshTokenKey();
        OAuth20Token oAuth20Token2 = null;
        if (refreshTokenKey != null) {
            oAuth20Token2 = oAuth20Provider.getTokenCache().get(refreshTokenKey);
        }
        if (!validateGrantType(grantType, oAuth20Token, oAuth20Token2, httpServletRequest, httpServletResponse)) {
            return null;
        }
        if (!clientInAccessTokenMatchesClientInAuthHeader(oAuth20Token, strArr)) {
            handleInvalidAccessTokenError(httpServletRequest, httpServletResponse, "OAUTH_CLIENTINREQ_DONOT_MATCH_AT");
            return null;
        }
        String username = oAuth20Token.getUsername();
        if (username != null && HTTP_METHOD_POST.equalsIgnoreCase(httpServletRequest.getMethod())) {
            try {
                buildAndSaveAttributeList(oAuth20Token, httpServletRequest, httpServletResponse);
            } catch (OAuth20BadParameterException e) {
                username = null;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "token user name reset to null due to an exception: " + ((String) null), new Object[0]);
                }
            } catch (OAuthException e2) {
                username = null;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "token user name reset to null due to an exception: " + ((String) null), new Object[0]);
                }
            }
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "token user name : " + username, new Object[0]);
        }
        return username;
    }

    private boolean validateGrantType(String str, OAuth20Token oAuth20Token, OAuth20Token oAuth20Token2, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (str == null || !isGrantTypeInAllowedGrantTypes(str)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "grantType is not one we accept: " + str + ",  return false", new Object[0]);
            }
            handleInvalidAccessTokenError(httpServletRequest, httpServletResponse, "OAUTH_INVALID_ATINREQUEST_AUTHN_FAIL");
            return false;
        }
        if (!"refresh_token".equals(str)) {
            return true;
        }
        if (oAuth20Token2 != null && validateRefreshTokenGrantType(oAuth20Token2)) {
            return true;
        }
        handleInvalidAccessTokenError(httpServletRequest, httpServletResponse, "OAUTH_INVALID_ATINREQUEST_AUTHN_FAIL");
        return false;
    }

    private boolean validateRefreshTokenGrantType(OAuth20Token oAuth20Token) {
        return ALLOWED_RT_GT_SET.contains(getRefreshTokenOriginalGrantType(oAuth20Token));
    }

    private String getRefreshTokenOriginalGrantType(OAuth20Token oAuth20Token) {
        String[] extensionProperty = oAuth20Token.getExtensionProperty("com.ibm.wsspi.security.oidc.external.claims:originalGrantType");
        if (extensionProperty == null) {
            return null;
        }
        return extensionProperty[0];
    }

    private boolean isGrantTypeInAllowedGrantTypes(String str) {
        return ALLOWED_AT_GT_SET.contains(str);
    }

    private boolean clientInAccessTokenMatchesClientInAuthHeader(OAuth20Token oAuth20Token, String[] strArr) {
        return oAuth20Token.getClientId() != null && oAuth20Token.getClientId().equals(strArr[0]);
    }

    private void handleInvalidAccessTokenError(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        String formattedMessage = TraceNLS.getFormattedMessage(getClass(), "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages", str, new Object[]{httpServletRequest.getMethod(), httpServletRequest.getRequestURI()}, (String) null);
        Tr.error(tc, formattedMessage, new Object[0]);
        sendInvalidRequestError(formattedMessage, httpServletResponse);
    }

    private void buildAndSaveAttributeList(OAuth20Token oAuth20Token, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws OAuthException {
        if (oAuth20Token != null) {
            AttributeList attributeList = (AttributeList) httpServletRequest.getAttribute(OAuth20Constants.ATTRTYPE_PARAM_OAUTH_REQUEST);
            boolean z = true;
            if (attributeList == null) {
                attributeList = new AttributeList();
                z = false;
            }
            addUserToAttributeList(oAuth20Token.getUsername(), attributeList);
            addTokenExtensionAttributes(httpServletRequest, attributeList, httpServletResponse);
            String[] scope = oAuth20Token.getScope();
            if (scope != null) {
                attributeList.setAttribute("scope", OAuth20Constants.ATTRTYPE_PARAM_OAUTH_REQUEST, scope);
            }
            String redirectUri = oAuth20Token.getRedirectUri();
            if (redirectUri != null) {
                attributeList.setAttribute(OAuth20Constants.REDIRECT_URI, OAuthConstants.ATTRTYPE_PARAM_OAUTH, new String[]{redirectUri});
            }
            if (z) {
                return;
            }
            httpServletRequest.setAttribute(OAuth20Constants.ATTRTYPE_PARAM_OAUTH_REQUEST, attributeList);
        }
    }

    private void addTokenExtensionAttributes(HttpServletRequest httpServletRequest, AttributeList attributeList, HttpServletResponse httpServletResponse) throws OAuthException {
        addUsedByExtensionAttribute(httpServletRequest, attributeList, httpServletResponse);
        String parameter = httpServletRequest.getParameter(OAuth20Constants.APP_NAME);
        if (parameter != null) {
            attributeList.setAttribute("com.ibm.wsspi.security.oidc.external.claims:app_name", OAuth20Constants.EXTERNAL_CLAIMS, new String[]{escapeIllegalCharacters(parameter)});
        }
    }

    private String escapeIllegalCharacters(String str) {
        return str.replaceAll("<", "&lt;").replaceAll(">", "&gt;").replace("'", "&#39;").replaceAll("\"", "&quot;");
    }

    private boolean checkParamLength(String str, String str2, String str3, HttpServletResponse httpServletResponse) {
        if (str2.length() <= 255) {
            return true;
        }
        String formattedMessage = TraceNLS.getFormattedMessage(getClass(), "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages", "OAUTH_PARAMETER_VALUE_LENGTH_TOO_LONG", new Object[]{str, str3, Integer.valueOf(PARAM_MAX_LENGTH)}, (String) null);
        Tr.error(tc, formattedMessage, new Object[0]);
        sendInvalidRequestError(formattedMessage, httpServletResponse);
        return false;
    }

    private void addUsedByExtensionAttribute(HttpServletRequest httpServletRequest, AttributeList attributeList, HttpServletResponse httpServletResponse) throws OAuth20BadParameterException {
        String parameter = httpServletRequest.getParameter(OAuth20Constants.USED_BY);
        if (parameter == null) {
            return;
        }
        if (!checkParamLength(OAuth20Constants.USED_BY, parameter, httpServletRequest.getRequestURI(), httpServletResponse)) {
            throw new OAuth20BadParameterException(TraceNLS.getFormattedMessage(getClass(), "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages", "OAUTH_PARAMETER_VALUE_LENGTH_TOO_LONG", new Object[]{OAuth20Constants.USED_BY, httpServletRequest.getRequestURI(), Integer.valueOf(PARAM_MAX_LENGTH)}, (String) null), new Object[]{OAuth20Constants.USED_BY, parameter});
        }
        attributeList.setAttribute("com.ibm.wsspi.security.oidc.external.claims:used_by", OAuth20Constants.EXTERNAL_CLAIMS, WebUtils.htmlEncode(parameter).split(","));
    }

    private void addUserToAttributeList(String str, AttributeList attributeList) throws OAuthException {
        OAuth20Util.validateRequiredAttribute("username", str);
        attributeList.setAttribute("username", OAuth20Constants.ATTRTYPE_PARAM_OAUTH_REQUEST, new String[]{str});
    }

    private boolean isAdminUser(String str, HttpServletRequest httpServletRequest) {
        return httpServletRequest.isUserInRole("tokenManager");
    }

    private void sendInvalidRequestError(String str, HttpServletResponse httpServletResponse) {
        WebUtils.sendErrorJSON(httpServletResponse, 400, "invalid_request", null);
        auditMap.get().put("auditOutcome", "failure");
        auditMap.get().put("detaileError", "invalid_request");
    }

    private void sendInvalidClientError(String str, HttpServletResponse httpServletResponse) {
        WebUtils.sendErrorJSON(httpServletResponse, 401, "invalid_client", null);
        auditMap.get().put("auditOutcome", "failure");
        auditMap.get().put("detaileError", "invalid_client");
    }

    private void sendUnauthorizedClientError(String str, HttpServletResponse httpServletResponse) {
        WebUtils.sendErrorJSON(httpServletResponse, 400, "unauthorized_client", null);
        auditMap.get().put("auditOutcome", "failure");
        auditMap.get().put("detaileError", "unauthorized_client");
    }

    private boolean checkClientAuthorization(boolean z, OAuth20Provider oAuth20Provider, String str, String str2) {
        OidcBaseClient oidcBaseClient;
        boolean z2 = false;
        try {
            oidcBaseClient = oAuth20Provider.getClientProvider().get(str);
        } catch (OidcServerException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.web.TokenExchange", "861", this, new Object[]{Boolean.valueOf(z), oAuth20Provider, str, str2});
        }
        if (oidcBaseClient == null) {
            return false;
        }
        if (HTTP_METHOD_POST.equalsIgnoreCase(str2)) {
            z2 = oidcBaseClient.isEnabled() && (z ? oidcBaseClient.isAppPasswordAllowed() : oidcBaseClient.isAppTokenAllowed());
        } else {
            z2 = oidcBaseClient.isEnabled();
        }
        return z2;
    }

    boolean clientIdAndSecretValid(OAuth20Provider oAuth20Provider, @Sensitive String[] strArr) {
        try {
            OidcOAuth20ClientProvider clientProvider = oAuth20Provider.getClientProvider();
            if (clientProvider == null) {
                return false;
            }
            OidcBaseClient oidcBaseClient = clientProvider.get(strArr[0]);
            String str = null;
            if (oidcBaseClient != null) {
                str = oidcBaseClient.getClientSecret();
            }
            if (str == null) {
                return false;
            }
            return str.equals(strArr[1]);
        } catch (OidcServerException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.web.TokenExchange", "880", this, new Object[]{oAuth20Provider, "<sensitive java.lang.String[]>"});
            return false;
        }
    }

    @Sensitive
    private String[] extractClientIdAndSecretFromAuthHeader(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String substring;
        String str = null;
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null) {
            String formattedMessage = TraceNLS.getFormattedMessage(getClass(), "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages", "OAUTH_INVALID_REQUEST_NO_AUTHHEADER", new Object[]{httpServletRequest.getMethod(), httpServletRequest.getRequestURI()}, (String) null);
            Tr.error(tc, formattedMessage, new Object[0]);
            sendInvalidClientError(formattedMessage, httpServletResponse);
            return null;
        }
        if (!header.startsWith("Basic ")) {
            String formattedMessage2 = TraceNLS.getFormattedMessage(getClass(), "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages", "OAUTH_AUTH_HEADER_NOT_BASIC_AUTH", new Object[]{httpServletRequest.getMethod(), httpServletRequest.getRequestURI()}, (String) null);
            Tr.error(tc, formattedMessage2, new Object[0]);
            sendInvalidClientError(formattedMessage2, httpServletResponse);
            return null;
        }
        String decodeAuthorizationHeader = ClientAuthnData.decodeAuthorizationHeader(header, httpServletRequest.getHeader(ClientAuthnData.AUTHORIZATION_ENCODING));
        int indexOf = decodeAuthorizationHeader.indexOf(58);
        if (indexOf < 0) {
            substring = decodeAuthorizationHeader;
        } else {
            substring = decodeAuthorizationHeader.substring(0, indexOf);
            str = decodeAuthorizationHeader.substring(indexOf + 1);
        }
        boolean z = substring != null && substring.length() > 0 && str != null && str.length() > 0;
        if (!z) {
            String formattedMessage3 = TraceNLS.getFormattedMessage(getClass(), "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages", "OAUTH_INVALID_REQUEST_NO_ID_SECRET", new Object[]{httpServletRequest.getMethod(), httpServletRequest.getRequestURI()}, (String) null);
            Tr.error(tc, formattedMessage3, new Object[0]);
            sendInvalidClientError(formattedMessage3, httpServletResponse);
        }
        if (z) {
            return new String[]{substring, str};
        }
        return null;
    }

    private void sendGoodResponse(String str, HttpServletResponse httpServletResponse) {
        httpServletResponse.setHeader("Cache-Control", "no-store");
        httpServletResponse.setHeader("Pragma", "no-cache");
        httpServletResponse.setContentType("application/json;charset=UTF-8");
        httpServletResponse.setStatus(200);
        try {
            httpServletResponse.getOutputStream().write(str.getBytes(com.ibm.oauth.core.internal.OAuthConstants.UTF8));
            httpServletResponse.flushBuffer();
        } catch (IOException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.web.TokenExchange", "949", this, new Object[]{str, httpServletResponse});
        }
    }

    private void sendHttp500(HttpServletResponse httpServletResponse) {
        httpServletResponse.setStatus(500);
        auditMap.get().put("auditOutcome", "failure");
        auditMap.get().put("detaileError", "internal error");
        try {
            httpServletResponse.getOutputStream().print("INTERNAL SERVER ERROR");
            httpServletResponse.flushBuffer();
        } catch (IOException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.web.TokenExchange", "962", this, new Object[]{httpServletResponse});
        }
    }

    private boolean deleteAppPasswordOrToken(boolean z, AuthResult authResult, OAuth20Provider oAuth20Provider) {
        Collection<OAuth20Token> tokensForUser = getTokensForUser(z, authResult, oAuth20Provider);
        String str = authResult.appOrTokenId;
        this.numberRevoked = 0;
        for (OAuth20Token oAuth20Token : tokensForUser) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "considering removing token: " + oAuth20Token.getId(), new Object[0]);
            }
            boolean z2 = z && str != null && str.equals(getAppIdFromToken(oAuth20Token));
            boolean z3 = (z || str == null || !str.equals(getTokenIdFromToken(oAuth20Token))) ? false : true;
            if (str == null || z2 || z3) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "removing token: " + oAuth20Token.getId(), new Object[0]);
                }
                String id = oAuth20Token.getId();
                if (oAuth20Provider.isLocalStoreUsed()) {
                    String accessTokenEncoding = oAuth20Provider.getAccessTokenEncoding();
                    id = "plain".equals(accessTokenEncoding) ? EndpointUtils.computeTokenHash(id) : EndpointUtils.computeTokenHash(id, accessTokenEncoding);
                }
                oAuth20Provider.getTokenCache().removeByHash(id);
                this.numberRevoked++;
            }
        }
        return true;
    }

    private boolean checkContentType(String str, HttpServletRequest httpServletRequest) {
        return true;
    }

    private String checkAppNameValidAndNotInUse(boolean z, AuthResult authResult, String str, OAuth20Provider oAuth20Provider, Collection<OAuth20Token> collection) {
        boolean z2 = false;
        if (str == null || str.length() == 0) {
            String formattedMessage = TraceNLS.getFormattedMessage(getClass(), "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages", "OAUTH_COVERAGE_MAP_MISSING_TOKEN_PARAM", new Object[]{OAuth20Constants.APP_NAME}, (String) null);
            return formattedMessage != null ? formattedMessage : "Error- required request paramater app_name missing";
        }
        boolean z3 = str.length() > 255;
        if (!z3) {
            z2 = isAppNameInUse(collection, str);
        }
        if (!z3 && !z2) {
            return null;
        }
        String formattedMessage2 = TraceNLS.getFormattedMessage(getClass(), "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages", "OAUTH_SERVER_APPNAME_IN_USE_OR_TOO_LONG", new Object[]{str, oAuth20Provider.getID()}, (String) null);
        return formattedMessage2 != null ? formattedMessage2 : "Error- appname invalid or in use";
    }

    private OAuthResult requestAppPasswordOrTokenJson(boolean z, AuthResult authResult, String str, OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        httpServletRequest.setAttribute("user", authResult.user);
        return oAuth20Provider.getComponent().processAppTokenRequest(z, authResult.clientId, httpServletRequest, httpServletResponse);
    }

    private String listTokensJson(boolean z, AuthResult authResult, OAuth20Provider oAuth20Provider) {
        return tokensToJson(z, getTokensForUser(z, authResult, oAuth20Provider));
    }

    private Collection<OAuth20Token> getTokensForUser(boolean z, AuthResult authResult, OAuth20Provider oAuth20Provider) {
        return EndpointUtils.getTokensForUser(z, false, authResult.targetUser != null ? authResult.targetUser : authResult.user, authResult.clientId, oAuth20Provider);
    }

    private boolean isAppNameInUse(Collection<OAuth20Token> collection, String str) {
        Iterator<OAuth20Token> it = collection.iterator();
        while (it.hasNext()) {
            if (it.next().getAppName().equals(str)) {
                return true;
            }
        }
        return false;
    }

    private String tokensToJson(boolean z, Collection<OAuth20Token> collection) {
        StringBuffer stringBuffer = new StringBuffer();
        boolean z2 = false;
        String str = z ? "\"app-passwords\"" : "\"app-tokens\"";
        stringBuffer.append("{");
        stringBuffer.append(str);
        stringBuffer.append(":[");
        Iterator<OAuth20Token> it = collection.iterator();
        while (it.hasNext()) {
            z2 = true;
            stringBuffer.append(tokenToJson(it.next()));
            stringBuffer.append(",");
        }
        if (z2) {
            stringBuffer.deleteCharAt(stringBuffer.length() - 1);
        }
        stringBuffer.append("]}");
        return stringBuffer.toString();
    }

    private String tokenToJson(OAuth20Token oAuth20Token) {
        StringBuffer stringBuffer = new StringBuffer();
        if (oAuth20Token == null) {
            return null;
        }
        String appIdFromToken = getAppIdFromToken(oAuth20Token);
        stringBuffer.append("{");
        stringBuffer.append("\"user\":\"");
        stringBuffer.append(EndpointUtils.escapeQuotesForJson(oAuth20Token.getUsername()));
        stringBuffer.append("\",\"name\":\"");
        stringBuffer.append(EndpointUtils.escapeQuotesForJson(oAuth20Token.getAppName()));
        stringBuffer.append("\"");
        if (appIdFromToken != null) {
            stringBuffer.append(",\"app_id\":\"");
            stringBuffer.append(appIdFromToken);
            stringBuffer.append("\"");
        }
        stringBuffer.append(",\"created_at\":");
        stringBuffer.append(oAuth20Token.getCreatedAt());
        stringBuffer.append(",\"expires_at\":");
        stringBuffer.append((oAuth20Token.getLifetimeSeconds() * 1000) + oAuth20Token.getCreatedAt());
        if (oAuth20Token.getUsedBy() != null) {
            stringBuffer.append(",\"used_by\":\"");
            stringBuffer.append(oAuth20Token.getUsedBy()[0]);
            stringBuffer.append("\"");
        }
        stringBuffer.append("}");
        return stringBuffer.toString();
    }

    private String getAppIdFromToken(OAuth20Token oAuth20Token) {
        String str = null;
        String[] strArr = oAuth20Token.getExtensionProperties().get("com.ibm.wsspi.security.oidc.external.claims:app_id");
        if (strArr != null) {
            str = strArr[0];
        }
        return str;
    }

    private String getTokenIdFromToken(OAuth20Token oAuth20Token) {
        String str = null;
        String[] strArr = oAuth20Token.getExtensionProperties().get("com.ibm.wsspi.security.oidc.external.claims:app_id");
        if (strArr != null) {
            str = strArr[0];
        }
        return str;
    }
}
