package com.ibm.ws.security.oauth20.plugins.custom;

import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import com.ibm.oauth.core.api.config.OAuthComponentConfiguration;
import com.ibm.oauth.core.api.error.OidcServerException;
import com.ibm.oauth.core.internal.oauth20.OAuth20Constants;
import com.ibm.websphere.crypto.PasswordUtil;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.oauth20.store.OAuthClient;
import com.ibm.websphere.security.oauth20.store.OAuthStore;
import com.ibm.websphere.security.oauth20.store.OAuthStoreException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.oauth20.api.OidcOAuth20ClientProvider;
import com.ibm.ws.security.oauth20.plugins.OidcBaseClient;
import com.ibm.ws.security.oauth20.plugins.OidcBaseClientValidator;
import com.ibm.ws.security.oauth20.util.HashSecretUtils;
import com.ibm.ws.security.oauth20.util.OidcOAuth20Util;
import com.ibm.ws.security.oauth20.web.RegistrationEndpointServices;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;

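/**
 * {@link OidcOAuth20ClientProvider} backed by a user-supplied {@link OAuthStore}.
 *
 * <p>Each registered client is persisted as one {@link OAuthClient} row whose metadata column holds the
 * JSON form of the {@link OidcBaseClient}. The client secret is stored either XOR-encoded via
 * {@link PasswordUtil} or hashed via {@link HashSecretUtils}, selected by the {@code hashType} given at
 * construction. {@link #validateClient} compares a presented secret against the stored form and, when
 * hashing is configured but the stored secret is still XOR/plain, rewrites the client so the stored
 * secret becomes hashed.
 *
 * <p>Every store failure is reported through {@link #logMessageAndThrowOidcServerException}, which
 * always ends in an {@link OidcServerException}; the {@code put}/{@code update}/{@code get} methods
 * therefore never return {@code null} because of a store error.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/security/oauth20/plugins/custom/OauthClientStore.class */
public class OauthClientStore implements OidcOAuth20ClientProvider {
    // Not final: the field is named by @TraceObjectField and may be managed by trace instrumentation.
    private static TraceComponent tc = Tr.register(OauthClientStore.class, "OAUTH", "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages");
    /** Hash type value that selects hashed secret storage in {@link #getOauthClient}. */
    private static final String PBKDF2_WITH_HMAC_SHA512 = "PBKDF2WithHmacSHA512";
    /** Value reported by {@link PasswordUtil#getCryptoAlgorithm} for a secret that is already stored hashed. */
    private static final String HASHED_SECRET_ALGORITHM = "hash";
    private final OAuthStore oauthStore;
    /** Provider id under which clients are read from and written to the store. */
    private final String componentId;
    // Retained from the original class layout; nothing in this class reads it.
    private final boolean updateXORtoHash = true;
    /** Configured secret storage type: {@link OAuth20Constants#XOR} or {@link #PBKDF2_WITH_HMAC_SHA512}. */
    private String hashType;
    /** PBKDF2 iteration count recorded in the client metadata when hashing. */
    private final int numIterations = HashSecretUtils.DEFAULT_ITERATIONS;
    /** PBKDF2 derived-key length recorded in the client metadata when hashing. */
    private final int keylength = 32;
    static final long serialVersionUID = 4338658427820836653L;

    /**
     * Creates a store that XOR-encodes client secrets.
     *
     * @param str        provider (component) id used as the store partition key
     * @param oAuthStore backing store
     */
    public OauthClientStore(String str, OAuthStore oAuthStore) {
        this.componentId = str;
        this.oauthStore = oAuthStore;
        this.hashType = OAuth20Constants.XOR;
    }

    /**
     * Creates a store with an explicit secret storage type.
     *
     * @param str        provider (component) id used as the store partition key
     * @param oAuthStore backing store
     * @param str2       secret storage type; {@code PBKDF2WithHmacSHA512} hashes secrets, {@code xor}
     *                   XOR-encodes them, any other value makes registration fail in {@link #put}
     */
    public OauthClientStore(String str, OAuthStore oAuthStore, String str2) {
        this.componentId = str;
        this.oauthStore = oAuthStore;
        this.hashType = str2;
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Client secret hash type is " + str2, new Object[0]);
        }
    }

    /** No-op: all state is supplied through the constructor. */
    @Override
    public void initialize() {
    }

    /** No-op: configuration is not consumed by this provider. */
    @Override
    public void init(OAuthComponentConfiguration oAuthComponentConfiguration) {
    }

    /**
     * Persists a new client.
     *
     * @param oidcBaseClient client to register; its secret is encoded or hashed before storage
     * @return the client that was passed in
     * @throws OidcServerException if the store rejects the create or the hash type is unknown
     */
    @Override
    public OidcBaseClient put(OidcBaseClient oidcBaseClient) throws OidcServerException {
        try {
            this.oauthStore.create(getOauthClient(oidcBaseClient));
        } catch (OAuthStoreException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.plugins.custom.OauthClientStore", "90", this, new Object[]{oidcBaseClient});
            logMessageAndThrowOidcServerException(e, "ERROR_PERFORMING_OAUTH_STORE_CREATE_CLIENT", oidcBaseClient.getClientId());
        }
        return oidcBaseClient;
    }

    /**
     * Builds the persistable row for a client, transforming its secret per the configured hash type.
     *
     * <p>For PBKDF2 the hash parameters are written into the metadata JSON, the metadata copy of the
     * secret is hashed, and the column copy is hashed using those parameters. For XOR both copies
     * are XOR-encoded when non-empty. Any other hash type is reported as a store error.
     *
     * @param oidcBaseClient client whose row is being built
     * @return row carrying the transformed secret and the JSON metadata
     * @throws OidcServerException if the configured hash type is neither PBKDF2WithHmacSHA512 nor XOR
     */
    private OAuthClient getOauthClient(OidcBaseClient oidcBaseClient) throws OidcServerException {
        JsonObject jsonObj = OidcOAuth20Util.getJsonObj(oidcBaseClient);
        String clientId = oidcBaseClient.getClientId();
        String storedSecret = null;
        if (isPBKDF2WithHmacSHA512Configured()) {
            HashSecretUtils.processMetatypeForHashInfo(jsonObj, clientId, this.hashType, this.numIterations, this.keylength);
            HashSecretUtils.hashClientMetaTypeSecret(jsonObj, clientId, true);
            storedSecret = HashSecretUtils.hashSecret(oidcBaseClient.getClientSecret(), clientId, true, jsonObj);
        } else if (isXORConfigured()) {
            storedSecret = xorEncodeIfPresent(oidcBaseClient.getClientSecret());
            if (jsonObj != null && jsonObj.has("client_secret")) {
                String metadataSecret = jsonObj.get("client_secret").getAsString();
                if (metadataSecret != null && !metadataSecret.isEmpty()) {
                    jsonObj.addProperty("client_secret", PasswordUtil.passwordEncode(metadataSecret));
                }
            }
        } else {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "The client secret type is unknown, attempt to hash. " + this.hashType, new Object[0]);
            }
            // Always throws; storedSecret stays null only for the compiler's benefit.
            logMessageAndThrowOidcServerException(new OAuthStoreException("Unknown hash type provided, " + this.hashType + ", the new client cannot be registered: " + clientId), "ERROR_PERFORMING_OAUTH_STORE_CREATE_CLIENT", clientId);
        }
        // NOTE(review): a null metadata object is only guarded in the XOR branch; a null from getJsonObj surfaces here as an NPE.
        return new OAuthClient(this.componentId, clientId, storedSecret, oidcBaseClient.getClientName(), oidcBaseClient.isEnabled(), jsonObj.toString());
    }

    /**
     * XOR-encodes a secret for storage.
     *
     * @param secret raw secret, possibly {@code null} or empty
     * @return the encoded secret, or the input unchanged when it is {@code null} or empty
     */
    private static String xorEncodeIfPresent(String secret) {
        if (secret == null || secret.isEmpty()) {
            return secret;
        }
        return PasswordUtil.passwordEncode(secret);
    }

    /**
     * Replaces the stored row for an existing client.
     *
     * @param oidcBaseClient client whose row is rewritten; its secret is encoded or hashed before storage
     * @return the client that was passed in
     * @throws OidcServerException if the store rejects the update or the hash type is unknown
     */
    @Override
    public OidcBaseClient update(OidcBaseClient oidcBaseClient) throws OidcServerException {
        try {
            this.oauthStore.update(getOauthClient(oidcBaseClient));
        } catch (OAuthStoreException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.plugins.custom.OauthClientStore", "139", this, new Object[]{oidcBaseClient});
            logMessageAndThrowOidcServerException(e, "ERROR_PERFORMING_OAUTH_STORE_UPDATE_CLIENT", oidcBaseClient.getClientId());
        }
        return oidcBaseClient;
    }

    /**
     * Reads a client with its hash parameters stripped from the returned metadata.
     *
     * @param str client id
     * @return the client, or {@code null} if the store has no row for it
     * @throws OidcServerException if the store read fails
     */
    @Override
    public OidcBaseClient get(String str) throws OidcServerException {
        OidcBaseClient client = null;
        try {
            client = createClient(this.oauthStore.readClient(this.componentId, str));
        } catch (OAuthStoreException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.plugins.custom.OauthClientStore", "153", this, new Object[]{str});
            logMessageAndThrowOidcServerException(e, "ERROR_PERFORMING_OAUTH_STORE_READ_CLIENT", str);
        }
        return client;
    }

    /**
     * Reads a client keeping the hash parameters (salt, algorithm, iterations, length) in the
     * returned object so {@link #validateClient} can recompute the hash of a presented secret.
     *
     * @param str client id
     * @return the client, or {@code null} if the store has no row for it
     * @throws OidcServerException if the store read fails
     */
    private OidcBaseClient getInternal(String str) throws OidcServerException {
        OidcBaseClient client = null;
        try {
            client = createClient(this.oauthStore.readClient(this.componentId, str), false);
        } catch (OAuthStoreException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.plugins.custom.OauthClientStore", "171", this, new Object[]{str});
            logMessageAndThrowOidcServerException(e, "ERROR_PERFORMING_OAUTH_STORE_READ_CLIENT", str);
        }
        return client;
    }

    /**
     * Reads every client of this provider without rewriting registration URIs.
     *
     * @return all clients, empty when the store has none
     * @throws OidcServerException if the store read fails
     */
    @Override
    public Collection<OidcBaseClient> getAll() throws OidcServerException {
        return getAll(null);
    }

    /**
     * Reads every client of this provider.
     *
     * @param httpServletRequest when non-null, each client's registration URI is rewritten relative to
     *                           this request by {@link RegistrationEndpointServices}
     * @return all clients (hash parameters stripped), empty when the store returns nothing
     * @throws OidcServerException if the store read fails
     */
    @Override
    public Collection<OidcBaseClient> getAll(HttpServletRequest httpServletRequest) throws OidcServerException {
        List<OidcBaseClient> clients = new ArrayList<>();
        try {
            Collection<OAuthClient> rows = this.oauthStore.readAllClients(this.componentId, "");
            if (rows != null) {
                for (OAuthClient row : rows) {
                    OidcBaseClient client = createClient(row);
                    if (httpServletRequest != null) {
                        RegistrationEndpointServices.processClientRegistationUri(client, httpServletRequest);
                    }
                    clients.add(client);
                }
            }
        } catch (OAuthStoreException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.plugins.custom.OauthClientStore", "201", this, new Object[]{httpServletRequest});
            logMessageAndThrowOidcServerException(e, "ERROR_PERFORMING_OAUTH_STORE_READ_ALL_CLIENTS", new Object[0]);
        }
        return clients;
    }

    /**
     * Maps a stored row to a client with hash parameters removed from its metadata.
     *
     * @param oAuthClient stored row, possibly {@code null}
     * @return the mapped client, or {@code null} when the row is {@code null}
     */
    private OidcBaseClient createClient(OAuthClient oAuthClient) {
        return createClient(oAuthClient, true);
    }

    /**
     * Maps a stored row to a client.
     *
     * <p>The metadata JSON is parsed and bound onto an {@link OidcBaseClient}; provider id and enabled
     * flag come from the row's columns. A stored secret is XOR-decoded only when {@link PasswordUtil}
     * reports no algorithm or XOR for it; hashed secrets are left as stored. The validator then fills
     * in defaults for omitted fields.
     *
     * @param oAuthClient       stored row, possibly {@code null}
     * @param stripHashMetadata when {@code true}, the hash algorithm, salt, iteration count and key
     *                          length entries are removed from the metadata before binding, so the
     *                          returned client does not expose them
     * @return the mapped client, or {@code null} when the row is {@code null}
     */
    private OidcBaseClient createClient(OAuthClient oAuthClient, boolean stripHashMetadata) {
        if (oAuthClient == null) {
            return null;
        }
        JsonObject metadata = new JsonParser().parse(oAuthClient.getClientMetadata()).getAsJsonObject();
        if (stripHashMetadata) {
            metadata.remove(OAuth20Constants.HASH_ALGORITHM);
            metadata.remove(OAuth20Constants.SALT);
            metadata.remove(OAuth20Constants.HASH_ITERATIONS);
            metadata.remove(OAuth20Constants.HASH_LENGTH);
        }
        OidcBaseClient client = (OidcBaseClient) OidcOAuth20Util.GSON_RAW.fromJson(metadata, OidcBaseClient.class);
        client.setComponentId(oAuthClient.getProviderId());
        client.setEnabled(oAuthClient.isEnabled());
        String storedSecret = client.getClientSecret();
        if (storedSecret != null && !storedSecret.isEmpty()) {
            String cryptoAlgorithm = PasswordUtil.getCryptoAlgorithm(storedSecret);
            if (cryptoAlgorithm == null || cryptoAlgorithm.equals(OAuth20Constants.XOR)) {
                client.setClientSecret(PasswordUtil.passwordDecode(storedSecret));
            }
        }
        return OidcBaseClientValidator.getInstance(client).setDefaultsForOmitted();
    }

    /**
     * Tells whether a client row exists.
     *
     * @param str client id
     * @return {@code true} if the store returns a row for the id
     * @throws OidcServerException if the store read fails
     */
    @Override
    public boolean exists(String str) throws OidcServerException {
        boolean found = false;
        try {
            found = this.oauthStore.readClient(this.componentId, str) != null;
        } catch (OAuthStoreException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.plugins.custom.OauthClientStore", "248", this, new Object[]{str});
            logMessageAndThrowOidcServerException(e, "ERROR_PERFORMING_OAUTH_STORE_READ_CLIENT", str);
        }
        return found;
    }

    /**
     * Checks a presented client secret against the stored one.
     *
     * <p>Only confidential clients with a non-blank presented secret can validate. If the stored
     * secret is hashed, the presented secret is hashed with the client's stored parameters before the
     * comparison; otherwise the XOR-decoded stored value is compared directly. The comparison does not
     * short-circuit on the first mismatching character. On success, when hashing is configured but the
     * secret was not stored hashed, the client is rewritten through {@link #update} so the stored form
     * becomes hashed.
     *
     * @param str  client id
     * @param str2 presented secret
     * @return {@code true} only when the client exists, is confidential and the secret matches
     * @throws OidcServerException if the store read, or the migration update, fails
     */
    @Override
    public boolean validateClient(String str, @Sensitive String str2) throws OidcServerException {
        if (str2 == null || str2.trim().isEmpty()) {
            return false;
        }
        OidcBaseClient internal = getInternal(str);
        if (internal == null || !internal.isConfidential()) {
            return false;
        }
        String storedSecret = internal.getClientSecret();
        String presentedSecret = str2;
        boolean storedUnhashed = true;
        String cryptoAlgorithm = PasswordUtil.getCryptoAlgorithm(storedSecret);
        if (cryptoAlgorithm != null && cryptoAlgorithm.equals(HASHED_SECRET_ALGORITHM)) {
            storedUnhashed = false;
            presentedSecret = HashSecretUtils.hashSecret(str2, str, false, internal.getSalt(), internal.getAlgorithm(), internal.getIterations(), internal.getLength());
        }
        if (!constantTimeEquals(storedSecret, presentedSecret)) {
            return false;
        }
        if (storedUnhashed && !isXORConfigured()) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Converting client secret for " + str + " to hash during a validateClient request", new Object[0]);
            }
            update(internal);
        }
        return true;
    }

    /**
     * Compares two secrets without short-circuiting on the first differing character, so the time
     * taken does not depend on how much of a prefix matches.
     *
     * @param expected stored secret, possibly {@code null}
     * @param actual   presented secret, possibly {@code null}
     * @return {@code true} only if both are non-null and equal
     */
    private static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null || expected.length() != actual.length()) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < expected.length(); i++) {
            diff |= expected.charAt(i) ^ actual.charAt(i);
        }
        return diff == 0;
    }

    /**
     * Removes a client row.
     *
     * @param str client id
     * @return {@code true} once the store delete completes without error
     * @throws OidcServerException if the store delete fails
     */
    @Override
    public boolean delete(String str) throws OidcServerException {
        boolean deleted = false;
        try {
            this.oauthStore.deleteClient(this.componentId, str);
            deleted = true;
        } catch (OAuthStoreException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.plugins.custom.OauthClientStore", "297", this, new Object[]{str});
            logMessageAndThrowOidcServerException(e, "ERROR_PERFORMING_OAUTH_STORE_DELETE_CLIENT", str);
        }
        return deleted;
    }

    /**
     * Logs a store failure and converts it into an {@link OidcServerException}. Never returns normally.
     *
     * @param oAuthStoreException failure reported by the store; becomes the cause of the thrown exception
     * @param str                 message key; the logged message gets the store's localized message appended
     *                            as the last argument, the thrown message gets an empty string there
     * @param objArr              message arguments
     * @throws OidcServerException always, with error code {@code server_error} and status 500
     */
    void logMessageAndThrowOidcServerException(OAuthStoreException oAuthStoreException, String str, Object... objArr) throws OidcServerException {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "There was a problem invoking the OAuthStore", new Object[]{oAuthStoreException.getMessage(), oAuthStoreException});
        }
        Object[] loggedArgs = appendStringMessageToArgs(oAuthStoreException.getLocalizedMessage(), objArr);
        if (TraceComponent.isAnyTracingEnabled() && tc.isErrorEnabled()) {
            Tr.error(tc, str, loggedArgs);
        }
        throw new OidcServerException(Tr.formatMessage(tc, str, appendStringMessageToArgs("", objArr)), "server_error", 500, oAuthStoreException);
    }

    /**
     * Returns a copy of {@code objArr} with {@code str} appended as the last element.
     *
     * @param str    value placed in the last slot
     * @param objArr existing arguments; {@code null} is treated as empty
     * @return a new array of length {@code objArr.length + 1} (or 1 when {@code objArr} is {@code null})
     */
    Object[] appendStringMessageToArgs(String str, Object... objArr) {
        int count = objArr == null ? 0 : objArr.length;
        Object[] result = new Object[count + 1];
        if (count > 0) {
            System.arraycopy(objArr, 0, result, 0, count);
        }
        result[count] = str;
        return result;
    }

    /** @return {@code true} if the configured hash type selects PBKDF2WithHmacSHA512 (null-safe). */
    private boolean isPBKDF2WithHmacSHA512Configured() {
        return PBKDF2_WITH_HMAC_SHA512.equals(this.hashType);
    }

    /** @return {@code true} if the configured hash type is XOR encoding (null-safe). */
    private boolean isXORConfigured() {
        return OAuth20Constants.XOR.equals(this.hashType);
    }
}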
