package com.ibm.ws.security.openid20.tai;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.authentication.filter.AuthenticationFilter;
import com.ibm.ws.security.openid20.OpenidClientConfig;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.AuthenticationResult;
import com.ibm.ws.webcontainer.security.ProviderAuthenticationResult;
import com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl;
import com.ibm.ws.webcontainer.security.WebAuthenticator;
import com.ibm.ws.webcontainer.security.WebProviderAuthenticatorHelper;
import com.ibm.ws.webcontainer.security.openid20.OpenidClientService;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import java.security.Principal;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;

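/**
 * Trust Association Interceptor (TAI) that authenticates web requests through an OpenID 2.0 provider.
 *
 * <p>Request handling is split in two phases:
 * <ol>
 *   <li>{@link #isTargetInterceptor(HttpServletRequest)} decides whether this TAI claims the request,
 *       based on the optional {@code authenticationFilter} and the configured provider identifier.</li>
 *   <li>{@link #negotiateValidateandEstablishTrust(HttpServletRequest, HttpServletResponse)} either
 *       honours an HTTP Basic credential (when the configuration allows it), starts an OpenID
 *       authentication request, or verifies the provider's response and logs the user in.</li>
 * </ol>
 *
 * <p>The OSGi Declarative Services callbacks ({@code activate}/{@code deactivate}/{@code set*}/{@code unset*})
 * wire the client configuration, the OpenID client service, the security service and any
 * authentication filters into {@code AtomicServiceReference}s so they can come and go at runtime.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:com/ibm/ws/security/openid20/tai/OpenidTAI.class */
public class OpenidTAI implements TrustAssociationInterceptor {
    private static final TraceComponent tc = Tr.register(OpenidTAI.class, (String) null, (String) null);
    /** Request attribute carrying the provider identifier to the OpenID client service. */
    static final String openid_identifier = "openid_identifier";
    public static final String KEY_OPENID_CLIENT_CONFIG = "openidClientConfig";
    public static final String KEY_OPENID_CLIENT_SERVICE = "openidClientService";
    public static final String KEY_SECURITY_SERVICE = "securityService";
    public static final String KEY_FILTER = "authenticationFilter";

    /*
     * Status values handed to TAIResult.create(). They are numerically identical to the
     * HttpServletResponse.SC_* constants; named here so the intent of each return is readable.
     */
    /** This TAI did not authenticate the request; the container continues with other mechanisms. */
    private static final int SC_CONTINUE = 100;
    /** Authentication succeeded; a Subject is attached to the result. */
    private static final int SC_OK = 200;
    /** Authentication failed, or a redirect/challenge was already written to the response. */
    private static final int SC_FORBIDDEN = 403;
    /** Unexpected failure while negotiating. */
    private static final int SC_INTERNAL_SERVER_ERROR = 500;

    protected final AtomicServiceReference<OpenidClientConfig> openidClientConfigRef = new AtomicServiceReference<>(KEY_OPENID_CLIENT_CONFIG);
    private final AtomicServiceReference<OpenidClientService> openIdClientServiceRef = new AtomicServiceReference<>(KEY_OPENID_CLIENT_SERVICE);
    private final AtomicServiceReference<SecurityService> securityServiceRef = new AtomicServiceReference<>(KEY_SECURITY_SERVICE);
    protected final ConcurrentServiceReferenceMap<String, AuthenticationFilter> authFilterServiceRef = new ConcurrentServiceReferenceMap<>(KEY_FILTER);
    /** Created in {@link #activate}; performs the container login once the provider response is verified. */
    private WebProviderAuthenticatorHelper authHelper;
    static final long serialVersionUID = 302308549612212877L;

    /** True when debug tracing is switched on for this component. */
    private static boolean isDebug() {
        return TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
    }

    /**
     * DS activation: binds all service references to the component context and builds the
     * authenticator helper on top of the security service reference.
     *
     * @param componentContext the DS component context
     * @param map              component properties (currently unused)
     */
    protected void activate(ComponentContext componentContext, Map<String, Object> map) {
        this.openidClientConfigRef.activate(componentContext);
        this.openIdClientServiceRef.activate(componentContext);
        this.securityServiceRef.activate(componentContext);
        this.authFilterServiceRef.activate(componentContext);
        this.authHelper = new WebProviderAuthenticatorHelper(this.securityServiceRef);
        if (isDebug()) {
            Tr.debug(tc, "authHelper:" + this.authHelper, new Object[0]);
        }
    }

    /**
     * DS deactivation: releases every service reference bound in {@link #activate}.
     *
     * @param componentContext the DS component context
     */
    protected void deactivate(ComponentContext componentContext) {
        this.openidClientConfigRef.deactivate(componentContext);
        this.openIdClientServiceRef.deactivate(componentContext);
        this.securityServiceRef.deactivate(componentContext);
        this.authFilterServiceRef.deactivate(componentContext);
    }

    /** Binds the OpenID client configuration. */
    protected void setOpenidClientConfig(ServiceReference<OpenidClientConfig> serviceReference) {
        this.openidClientConfigRef.setReference(serviceReference);
    }

    /** Re-binds the OpenID client configuration after a configuration update. */
    protected void updatedOpenidClientConfig(ServiceReference<OpenidClientConfig> serviceReference) {
        this.openidClientConfigRef.setReference(serviceReference);
    }

    /** Unbinds the OpenID client configuration. */
    protected void unsetOpenidClientConfig(ServiceReference<OpenidClientConfig> serviceReference) {
        this.openidClientConfigRef.unsetReference(serviceReference);
    }

    /** Binds the OpenID client service that builds auth requests and verifies provider responses. */
    protected void setOpenidClientService(ServiceReference<OpenidClientService> serviceReference) {
        this.openIdClientServiceRef.setReference(serviceReference);
    }

    /** Unbinds the OpenID client service. */
    protected void unsetOpenidClientService(ServiceReference<OpenidClientService> serviceReference) {
        this.openIdClientServiceRef.unsetReference(serviceReference);
    }

    /** Binds the security service used by the authenticator helper. */
    protected void setSecurityService(ServiceReference<SecurityService> serviceReference) {
        this.securityServiceRef.setReference(serviceReference);
    }

    /** Unbinds the security service. */
    protected void unsetSecurityService(ServiceReference<SecurityService> serviceReference) {
        this.securityServiceRef.unsetReference(serviceReference);
    }

    /** Reads the {@code id} service property under which an authentication filter is registered. */
    private static String filterId(ServiceReference<AuthenticationFilter> serviceReference) {
        return (String) serviceReference.getProperty("id");
    }

    /** Registers an authentication filter, keyed by its {@code id} service property. */
    protected void setAuthenticationFilter(ServiceReference<AuthenticationFilter> serviceReference) {
        String id = filterId(serviceReference);
        if (isDebug()) {
            Tr.debug(tc, "setAuthenticationFilter id:" + id, new Object[0]);
        }
        this.authFilterServiceRef.putReference(id, serviceReference);
    }

    /** Re-registers an authentication filter whose service properties changed. */
    protected void updatedAuthenticationFilter(ServiceReference<AuthenticationFilter> serviceReference) {
        String id = filterId(serviceReference);
        if (isDebug()) {
            Tr.debug(tc, "updatedAuthenticationFilter id:" + id, new Object[0]);
        }
        this.authFilterServiceRef.putReference(id, serviceReference);
    }

    /** Removes an authentication filter registration. */
    protected void unsetAuthenticationFilter(ServiceReference<AuthenticationFilter> serviceReference) {
        String id = filterId(serviceReference);
        if (isDebug()) {
            Tr.debug(tc, "unsetAuthenticationFilter id:" + id, new Object[0]);
        }
        this.authFilterServiceRef.removeReference(id, serviceReference);
    }

    /** No resources to release beyond what {@link #deactivate} already handles. */
    public void cleanup() {
    }

    /** @return the TAI type name reported to the container */
    public String getType() {
        return "OpenidTAI";
    }

    /** @return the TAI version reported to the container */
    public String getVersion() {
        return "1.0";
    }

    /**
     * TAI initialisation hook. All configuration arrives through DS, so nothing is read from
     * {@code properties}.
     *
     * @return 0 (success)
     */
    public int initialize(Properties properties) throws WebTrustAssociationFailedException {
        return 0;
    }

    /**
     * Decides whether this TAI handles the request.
     *
     * <p>The request is claimed only when a client configuration is bound, the configured
     * authentication filter (if any) accepts the request, and a provider identifier is configured.
     *
     * @return {@code true} when {@link #negotiateValidateandEstablishTrust} should be invoked
     */
    public boolean isTargetInterceptor(HttpServletRequest httpServletRequest) throws WebTrustAssociationException {
        boolean debug = isDebug();
        OpenidClientConfig openidClientConfig = (OpenidClientConfig) this.openidClientConfigRef.getService();
        if (debug) {
            Tr.debug(tc, "openidClientConfig:(" + openidClientConfig + ")", new Object[0]);
        }
        if (openidClientConfig == null) {
            return false;
        }

        String authFilterId = openidClientConfig.getAuthFilterId();
        if (authFilterId != null && !authFilterId.isEmpty()) {
            AuthenticationFilter authenticationFilter = (AuthenticationFilter) this.authFilterServiceRef.getService(authFilterId);
            if (debug) {
                Tr.debug(tc, "authFilter id:" + authFilterId + " authFilter:" + authenticationFilter, new Object[0]);
            }
            // NOTE(review): when an authFilter id is configured but no filter with that id is
            // registered (typo, or the filter service is not yet available), the request is treated
            // as accepted and this TAI claims it. That widens the TAI's scope on misconfiguration
            // rather than narrowing it; confirm this fail-open choice is intended before relying on
            // the filter as a security boundary.
            if (authenticationFilter != null && !authenticationFilter.isAccepted(httpServletRequest)) {
                return false;
            }
        }

        String providerIdentifier = openidClientConfig.getProviderIdentifier();
        if (debug) {
            Tr.debug(tc, "providerIdentifier(openid_identifier):(" + providerIdentifier + ")", new Object[0]);
        }
        return providerIdentifier != null && !providerIdentifier.isEmpty();
    }

    /**
     * Authenticates the request.
     *
     * <p>Flow:
     * <ul>
     *   <li>No client service or configuration bound: {@code 100} (let the container continue).</li>
     *   <li>Request is not a provider response (no RP request identifier): first try HTTP Basic via
     *       {@link #basicAuthorizationHeader}; if that does not produce a result, start an OpenID
     *       authentication request (the client service writes the redirect) and return {@code 403}.</li>
     *   <li>Request is a provider response: verify it; on success perform the container login and
     *       return {@code 200} with the resulting Subject, otherwise {@code 403}.</li>
     *   <li>Any exception is recorded through FFDC and mapped to {@code 500}.</li>
     * </ul>
     *
     * @return the TAI result for the container
     */
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws WebTrustAssociationFailedException {
        boolean debug = isDebug();

        // The configuration service can be unset between isTargetInterceptor() and this call (for
        // example during a configuration update). Previously it was dereferenced unchecked, outside
        // the try block below, so a NullPointerException escaped this method; decline instead, the
        // same way a missing client service is handled.
        OpenidClientConfig openidClientConfig = (OpenidClientConfig) this.openidClientConfigRef.getService();
        if (openidClientConfig == null) {
            if (debug) {
                Tr.debug(tc, "openidClientConfig is null, not handling the request", new Object[0]);
            }
            return TAIResult.create(SC_CONTINUE);
        }
        String providerIdentifier = openidClientConfig.getProviderIdentifier();
        if (debug) {
            Tr.debug(tc, "negotiateValidate...(" + providerIdentifier + ")", new Object[0]);
        }

        OpenidClientService openidClientService = (OpenidClientService) this.openIdClientServiceRef.getService();
        if (debug) {
            Tr.debug(tc, "openIdClientService:" + openidClientService, new Object[0]);
        }
        if (openidClientService == null) {
            return TAIResult.create(SC_CONTINUE);
        }

        try {
            if (openidClientService.getRpRequestIdentifier(httpServletRequest, httpServletResponse) == null) {
                // Not a provider response: an HTTP Basic credential may short-circuit the flow.
                TAIResult basicResult = basicAuthorizationHeader(httpServletRequest, httpServletResponse);
                if (basicResult.getStatus() != SC_CONTINUE) {
                    return basicResult;
                }
                // Otherwise start the OpenID authentication; the client service writes the redirect.
                httpServletRequest.setAttribute(openid_identifier, providerIdentifier);
                openidClientService.createAuthRequest(httpServletRequest, httpServletResponse);
                if (debug) {
                    Tr.debug(tc, "... expect to be redirected by the browser", new Object[0]);
                }
                return TAIResult.create(SC_FORBIDDEN);
            }

            // Provider response: verify it before trusting any identity it carries.
            ProviderAuthenticationResult verifyOpResponse = openidClientService.verifyOpResponse(httpServletRequest, httpServletResponse);
            if (verifyOpResponse.getStatus() != AuthResult.SUCCESS) {
                if (debug) {
                    Tr.debug(tc, "verify failed:" + verifyOpResponse, new Object[0]);
                }
                return TAIResult.create(SC_FORBIDDEN);
            }

            AuthenticationResult loginResult = this.authHelper.loginWithUserName(httpServletRequest, httpServletResponse,
                    verifyOpResponse.getUserName(), verifyOpResponse.getSubject(), verifyOpResponse.getCustomProperties(),
                    openidClientService.isMapIdentityToRegistryUser());
            if (debug) {
                Tr.debug(tc, "authHelper authResult:" + loginResult, new Object[0]);
            }
            if (loginResult.getStatus() != AuthResult.SUCCESS) {
                return TAIResult.create(SC_FORBIDDEN);
            }
            Subject subject = loginResult.getSubject();
            return TAIResult.create(SC_OK, getUserName(subject), subject);
        } catch (Exception e) {
            // Fail closed: any unexpected failure is recorded and reported as a server error.
            FFDCFilter.processException(e, "com.ibm.ws.security.openid20.tai.OpenidTAI", "251", this, new Object[]{httpServletRequest, httpServletResponse});
            if (debug) {
                Tr.debug(tc, "negotiateValidateandEstablishTrust() get Exception", new Object[]{e});
            }
            return TAIResult.create(SC_INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Attempts HTTP Basic authentication when the configuration allows it and the request carries
     * credentials.
     *
     * @return {@code 200} with the authenticated Subject on success; {@code 403} when the credentials
     *         are rejected and the configuration says not to fall back to OpenID (a
     *         {@code WWW-Authenticate} header is added in that case); {@code 100} in every other case,
     *         meaning the caller should proceed with the OpenID flow
     */
    protected TAIResult basicAuthorizationHeader(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws WebTrustAssociationFailedException {
        boolean debug = isDebug();
        OpenidClientConfig openidClientConfig = (OpenidClientConfig) this.openidClientConfigRef.getService();
        if (debug) {
            Tr.debug(tc, "basicAuthorizationHeader:(" + openidClientConfig + ")", new Object[0]);
        }
        if (openidClientConfig == null || !openidClientConfig.allowBasicAuthentication()) {
            return TAIResult.create(SC_CONTINUE);
        }

        ClientAuthnData clientAuthnData = new ClientAuthnData(httpServletRequest, httpServletResponse);
        if (!clientAuthnData.hasAuthnData()) {
            return TAIResult.create(SC_CONTINUE);
        }

        try {
            AuthenticationResult authenticate = getBasicAuthenticator().authenticate(httpServletRequest, httpServletResponse, (HashMap) null);
            // Compared by reference like the other AuthResult checks in this class (AuthResult is
            // assumed to be an enum); also avoids an NPE should getStatus() ever return null.
            if (authenticate.getStatus() == AuthResult.SUCCESS) {
                return TAIResult.create(SC_OK, authenticate.getUserName(), authenticate.getSubject());
            }
        } catch (Exception e) {
            // A failing basic-auth attempt is not fatal: it is recorded, then either the OpenID
            // flow continues or a 403 is returned depending on configuration (below).
            FFDCFilter.processException(e, "com.ibm.ws.security.openid20.tai.OpenidTAI", "281", this, new Object[]{httpServletRequest, httpServletResponse});
            if (debug) {
                Tr.debug(tc, "Failed to authenticate using basic auth token " + e.getMessage(), new Object[0]);
            }
        }

        if (openidClientConfig.isTryOpenIDIfBasicAuthFails()) {
            return TAIResult.create(SC_CONTINUE);
        }
        if (debug) {
            Tr.debug(tc, "user authentication for " + clientAuthnData.getUserName() + " failed... No attemping openid", new Object[0]);
        }
        // NOTE(review): this challenge value is not in the RFC 7235 "Basic realm=..." form, so some
        // user agents may not re-prompt for credentials. Kept as-is to preserve behaviour.
        httpServletResponse.addHeader("WWW-Authenticate", "Basic error=Username and password do not match");
        return TAIResult.create(SC_FORBIDDEN);
    }

    /** @return the container's HTTP Basic authenticator, resolved from the global web security config */
    public WebAuthenticator getBasicAuthenticator() {
        return WebAppSecurityCollaboratorImpl.getGlobalWebAppSecurityConfig().createWebAuthenticatorProxy().getBasicAuthAuthenticator();
    }

    /**
     * Extracts a user name from a Subject.
     *
     * <p>Returns the name of the first Principal in {@code subject.getPrincipals()}. That is a
     * {@code Set}, so if the Subject carries more than one Principal the choice depends on the
     * set's iteration order rather than on principal type.
     *
     * @param subject the authenticated Subject, may be {@code null}
     * @return the first principal's name, or {@code null} when the Subject is {@code null} or holds
     *         no principals
     */
    public String getUserName(Subject subject) {
        if (subject == null) {
            return null;
        }
        Iterator<Principal> principals = subject.getPrincipals().iterator();
        return principals.hasNext() ? principals.next().getName() : null;
    }
}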
