package com.ibm.ws.security.openidconnect.client;

import com.ibm.json.java.JSONObject;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ssl.JSSEHelper;
import com.ibm.websphere.ssl.SSLConfigChangeListener;
import com.ibm.websphere.ssl.SSLException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.openidconnect.client.internal.OidcClientConfigImpl;
import com.ibm.ws.security.openidconnect.client.jose4j.util.Jose4jUtil;
import com.ibm.ws.security.openidconnect.clients.common.OIDCClientAuthenticatorUtil;
import com.ibm.ws.security.openidconnect.clients.common.OidcClientConfig;
import com.ibm.ws.security.openidconnect.clients.common.OidcClientRequest;
import com.ibm.ws.security.openidconnect.clients.common.OidcClientUtil;
import com.ibm.ws.security.openidconnect.clients.common.UserInfoHelper;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.ProviderAuthenticationResult;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.ssl.SSLSupport;
import java.io.IOException;
import java.util.Date;
import java.util.Hashtable;
import java.util.Map;
import java.util.StringTokenizer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.ParseException;
import org.apache.http.StatusLine;
import org.apache.http.util.EntityUtils;

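/**
 * Authenticates an inbound request that carries a propagated OAuth access token.
 * <p>
 * The token is located by {@link #authenticate}: first in the {@code oidc_access_token} request
 * attribute (only when the configuration allows an access token in the LTPA cookie), then in the
 * configured header, the {@code Authorization: Bearer} header, or a form parameter
 * ({@link #getBearerAccessTokenToken}). A token containing a {@code '.'} is treated as a compact JWT and
 * validated locally through {@link Jose4jUtil}; every other token is validated remotely at the
 * configured validation endpoint by introspection ({@link #introspectToken}) or by calling the userinfo
 * endpoint ({@link #getUserInfoFromToken}), depending on {@link OidcClientConfig#getValidationMethod()}.
 * <p>
 * All error reporting funnels through the {@code logError} overloads so that an
 * {@code inboundPropagation} value of {@code supported} can downgrade or suppress messages. The
 * package-private collaborator fields are non-final, presumably so tests can substitute them.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/security/openidconnect/client/AccessTokenAuthenticator.class */
public class AccessTokenAuthenticator {
    private static final TraceComponent tc = Tr.register(AccessTokenAuthenticator.class, "OpenIdConnect", "com.ibm.ws.security.openidconnect.client.internal.resources.OidcClientMessages");
    private static final String Authorization_Header = "Authorization";
    private static final String ACCESS_TOKEN = "access_token";
    private static final String INVALID_CLIENT = "invalid_client";
    private static final String INVALID_TOKEN = "invalid_token";
    private static final String JWT_SEGMENTS = "-segments";
    private static final String JWT_SEGMENT_INDEX = "-";
    /** Scheme prefix stripped from bearer header values; the substring offset is derived from its length. */
    private static final String BEARER_PREFIX = "Bearer ";
    /** Request attribute a caller may use to hand over the access token; it is consumed (removed) once read. */
    private static final String ACCESS_TOKEN_ATTR = "oidc_access_token";
    /** Request attribute set to {@code Boolean.TRUE} after a propagated token authenticated successfully. */
    private static final String PROPAGATION_AUTHENTICATED_ATTR = "com.ibm.ws.webcontainer.security.openidconnect.propagation.token.authenticated";
    /** Key under which the {@link OidcClientUtil} response map carries the raw {@link HttpResponse}. */
    private static final String RESPONSEMAP_CODE = "RESPONSEMAP_CODE";
    private static final String WWW_AUTHENTICATE = "WWW-Authenticate";
    /** Claim list quoted in PROPAGATION_TOKEN_MISSING_REQUIRED_CLAIM_ERR messages. */
    private static final String REQUIRED_CLAIMS = "iss, iat, exp";
    /** Class name reported to FFDC; the probe ids passed alongside it are the ones recorded in the original build. */
    private static final String FFDC_CLASS = "com.ibm.ws.security.openidconnect.client.AccessTokenAuthenticator";
    /** Compiled once: an optional prefix ending in a non-alphanumeric character, then {@code error_description=} and the rest of the line. */
    private static final Pattern ERROR_DESCRIPTION_PATTERN = Pattern.compile("(?:.*[^a-zA-Z0-9])?error_description=(.*)");
    /** HTTP helper for introspection / userinfo calls (package-private, non-final). */
    OidcClientUtil oidcClientUtil;
    /** May be {@code null}; then no SSL socket factory can be obtained and an https validation URL is rejected. */
    SSLSupport sslSupport;
    /** Local JWT validator backed by {@link #sslSupport}; {@code null} when built with the no-arg constructor. */
    private Jose4jUtil jose4jUtil;
    static final long serialVersionUID = -8567537341111337969L;

    /**
     * Creates an authenticator without SSL support. Only non-https validation URLs and remote validation
     * can work with such an instance, because {@link #jose4jUtil} stays {@code null}.
     */
    public AccessTokenAuthenticator() {
        this.oidcClientUtil = new OidcClientUtil();
        this.sslSupport = null;
        this.jose4jUtil = null;
    }

    /**
     * Creates an authenticator whose SSL support is resolved from the given service reference.
     *
     * @param atomicServiceReference reference whose current {@link SSLSupport} service is captured at construction time
     */
    public AccessTokenAuthenticator(AtomicServiceReference<SSLSupport> atomicServiceReference) {
        this.oidcClientUtil = new OidcClientUtil();
        this.sslSupport = atomicServiceReference.getService();
        this.jose4jUtil = new Jose4jUtil(this.sslSupport);
    }

    /**
     * Authenticates the request with the access token it carries.
     * <p>
     * Outcome summary: no token present → {@code FAILURE}/401 with the CWWKS1704W warning suppressed;
     * validation endpoint missing, unknown validation method, or validation failure → {@code FAILURE}/401;
     * validation endpoint not https when https is required, or SSL setup failure → {@code SEND_401}/401;
     * success → the result returned by the validator, passed through {@link #fixSubject}, and the
     * {@code PROPAGATION_AUTHENTICATED_ATTR} request attribute set.
     *
     * @param httpServletRequest  inbound request; read for the token and, on success, tagged with an attribute
     * @param httpServletResponse response (only passed to FFDC on an SSL failure)
     * @param oidcClientConfig    client configuration governing where and how the token is validated
     * @param oidcClientRequest   per-request state; receives the token type and the failure message
     * @return the authentication result, never {@code null} unless the local JWT validator returns {@code null}
     */
    public ProviderAuthenticationResult authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OidcClientConfig oidcClientConfig, OidcClientRequest oidcClientRequest) {
        oidcClientRequest.setTokenType("Access Token");
        ProviderAuthenticationResult oidcResult = new ProviderAuthenticationResult(AuthResult.FAILURE, 401);
        String accessToken = null;
        if (oidcClientConfig.getAccessTokenInLtpaCookie()) {
            accessToken = getAccessTokenFromReqAsAttribute(httpServletRequest);
        }
        if (accessToken == null) {
            accessToken = getBearerAccessTokenToken(httpServletRequest, oidcClientConfig);
        }
        if (accessToken == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No access token found in the request (neither as attribute nor in a header)", new Object[0]);
            }
            oidcClientRequest.setRsFailMsg("", "suppress_CWWKS1704W");
            return oidcResult;
        }
        String validationMethod = oidcClientConfig.getValidationMethod();
        if (accessToken.contains(".")) {
            // A '.' only occurs in compact JWT serialization; such tokens are always validated locally,
            // overriding the configured validation method.
            validationMethod = "local";
            oidcClientRequest.setTokenType("Json Web Token");
        }
        try {
            SSLSocketFactory sslSocketFactory = getSSLSocketFactory(getPropagationValidationURL(oidcClientConfig, validationMethod), oidcClientConfig.getSSLConfigurationName(), oidcClientConfig.getClientId());
            if ("local".equalsIgnoreCase(validationMethod)) {
                oidcResult = parseJwtToken(oidcClientConfig, accessToken, sslSocketFactory, oidcClientRequest);
            } else {
                String validationEndpointUrl = oidcClientConfig.getValidationEndpointUrl();
                if (validationEndpointUrl == null || validationEndpointUrl.isEmpty()) {
                    logError(oidcClientConfig, oidcClientRequest, "PROPAGATION_TOKEN_INVALID_VALIDATION_URL", validationEndpointUrl);
                } else if (!OIDCClientAuthenticatorUtil.checkHttpsRequirement(oidcClientConfig, validationEndpointUrl)) {
                    // Sending a bearer token to a non-https endpoint would leak it; refuse outright.
                    logError(oidcClientConfig, oidcClientRequest, "OIDC_CLIENT_URL_PROTOCOL_NOT_HTTPS", validationEndpointUrl);
                    return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
                } else if ("introspect".equalsIgnoreCase(validationMethod)) {
                    oidcResult = introspectToken(oidcClientConfig, accessToken, sslSocketFactory, oidcClientRequest);
                    new UserInfoHelper(oidcClientConfig).getUserInfoIfPossible(oidcResult, accessToken, oidcResult.getUserName(), sslSocketFactory);
                } else if ("userinfo".equalsIgnoreCase(validationMethod)) {
                    oidcResult = getUserInfoFromToken(oidcClientConfig, accessToken, sslSocketFactory, oidcClientRequest);
                }
                // Any other validation method leaves the FAILURE/401 default in place.
            }
            if (AuthResult.SUCCESS == oidcResult.getStatus()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "attribute:" + PROPAGATION_AUTHENTICATED_ATTR, new Object[0]);
                }
                oidcResult = fixSubject(oidcResult);
                httpServletRequest.setAttribute(PROPAGATION_AUTHENTICATED_ATTR, Boolean.TRUE);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "oidcResult httpStatusCode:" + oidcResult.getHttpStatusCode() + " status:" + oidcResult.getStatus() + " result:" + oidcResult, new Object[0]);
                Tr.debug(tc, "Token is owned by '" + oidcResult.getUserName() + "'", new Object[0]);
            }
            return oidcResult;
        } catch (SSLException e) {
            FFDCFilter.processException(e, FFDC_CLASS, "127", this, new Object[]{httpServletRequest, httpServletResponse, oidcClientConfig, oidcClientRequest});
            Object[] msgArgs = new Object[2];
            msgArgs[0] = e.getMessage() != null ? e.getMessage() : "invalid ssl context";
            msgArgs[1] = oidcClientConfig.getClientId();
            logError(oidcClientConfig, oidcClientRequest, "OIDC_CLIENT_HTTPS_WITH_SSLCONTEXT_NULL", msgArgs);
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
    }

    /**
     * Post-processes a successful result's subject; delegates to {@link OidcClientAuthenticator#fixSubject}.
     *
     * @param providerAuthenticationResult a successful result
     * @return the result with its subject adjusted
     */
    ProviderAuthenticationResult fixSubject(ProviderAuthenticationResult providerAuthenticationResult) {
        return new OidcClientAuthenticator().fixSubject(providerAuthenticationResult);
    }

    /**
     * Reads and consumes the {@code oidc_access_token} request attribute.
     *
     * @param httpServletRequest request to inspect
     * @return the attribute value, or {@code null} when absent; the attribute is removed once read so it is used only once
     */
    private String getAccessTokenFromReqAsAttribute(HttpServletRequest httpServletRequest) {
        Object attribute = httpServletRequest.getAttribute(ACCESS_TOKEN_ATTR);
        if (attribute == null) {
            return null;
        }
        String token = (String) attribute;
        httpServletRequest.removeAttribute(ACCESS_TOKEN_ATTR);
        return token;
    }

    /**
     * Chooses the URL whose scheme decides whether an SSL socket factory is mandatory for this validation.
     *
     * @param oidcClientConfig client configuration
     * @param validationMethod {@code introspect}, {@code userinfo}, {@code local}, or anything else (may be {@code null})
     * @return the validation endpoint for introspect/userinfo, the JWK endpoint for local, otherwise the token endpoint
     */
    String getPropagationValidationURL(OidcClientConfig oidcClientConfig, String validationMethod) {
        if ("introspect".equalsIgnoreCase(validationMethod) || "userinfo".equalsIgnoreCase(validationMethod)) {
            return oidcClientConfig.getValidationEndpointUrl();
        }
        if ("local".equalsIgnoreCase(validationMethod)) {
            return oidcClientConfig.getJwkEndpointUrl();
        }
        return oidcClientConfig.getTokenEndpointUrl();
    }

    /**
     * Obtains the SSL context for the named SSL configuration.
     *
     * @param validationUrl URL the context will be used for; only its {@code https} prefix matters here
     * @param sslConfigName SSL configuration name passed to {@link JSSEHelper#getSSLContext}
     * @param clientId      client id, quoted in the error message
     * @return the context, or {@code null} when none is available and the URL is not https
     * @throws SSLException when no context is available but the URL is https
     */
    protected SSLContext getSSLContext(String validationUrl, String sslConfigName, String clientId) throws SSLException {
        SSLContext sslContext = null;
        JSSEHelper jsseHelper = this.sslSupport == null ? null : this.sslSupport.getJSSEHelper();
        if (jsseHelper != null) {
            sslContext = jsseHelper.getSSLContext(sslConfigName, (Map) null, (SSLConfigChangeListener) null, true);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "sslContext () get: " + sslContext, new Object[0]);
            }
        }
        if (sslContext == null && validationUrl != null && validationUrl.startsWith("https")) {
            throw new SSLException(Tr.formatMessage(tc, "OIDC_CLIENT_HTTPS_WITH_SSLCONTEXT_NULL", new Object[]{"Null ssl context", clientId}));
        }
        return sslContext;
    }

    /**
     * Obtains the SSL socket factory for the named SSL configuration.
     *
     * @param validationUrl URL the factory will be used for; only its {@code https} prefix matters here
     * @param sslConfigName SSL configuration name passed to {@link SSLSupport#getSSLSocketFactory}
     * @param clientId      client id, quoted in the error message
     * @return the factory, or {@code null} when none is available and the URL is not https
     * @throws SSLException when the factory lookup itself fails (the JSSE cause is chained), or when no
     *                      factory is available but the URL is https
     */
    protected SSLSocketFactory getSSLSocketFactory(String validationUrl, String sslConfigName, String clientId) throws SSLException {
        SSLSocketFactory sslSocketFactory = null;
        if (this.sslSupport != null) {
            try {
                sslSocketFactory = this.sslSupport.getSSLSocketFactory(sslConfigName);
                if (sslSocketFactory != null && TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "sslSocketFactory () get: " + sslSocketFactory, new Object[0]);
                }
            } catch (javax.net.ssl.SSLException e) {
                FFDCFilter.processException(e, FFDC_CLASS, "231", this, new Object[]{validationUrl, sslConfigName, clientId});
                // Keep the JSSE failure on the cause chain instead of flattening it to its message.
                throw new SSLException(e.getMessage(), e);
            }
        }
        if (sslSocketFactory == null && validationUrl != null && validationUrl.startsWith("https")) {
            throw new SSLException(Tr.formatMessage(tc, "OIDC_CLIENT_HTTPS_WITH_SSLCONTEXT_NULL", new Object[]{"Null ssl socket factory", clientId}));
        }
        return sslSocketFactory;
    }

    /**
     * Turns the response map of an introspection or userinfo call into the parsed JSON body.
     *
     * @param map               response map from {@link OidcClientUtil}; {@code RESPONSEMAP_CODE} holds the {@link HttpResponse}
     * @param oidcClientConfig  client configuration, used for error reporting
     * @param oidcClientRequest per-request state that receives the failure message (may be {@code null})
     * @return the parsed body for a 200 response, or {@code null} when the response is missing, is an
     *         error (already logged via {@link #handleErrorResponse}), or is not JSON
     * @throws ParseException propagated from {@link EntityUtils#toString}
     * @throws IOException    propagated from reading the entity
     */
    @FFDCIgnore({IOException.class})
    JSONObject handleResponseMap(Map<String, Object> map, OidcClientConfig oidcClientConfig, OidcClientRequest oidcClientRequest) throws ParseException, IOException {
        HttpResponse httpResponse = (HttpResponse) map.get(RESPONSEMAP_CODE);
        if (httpResponse == null) {
            return null;
        }
        if (isErrorResponse(httpResponse)) {
            handleErrorResponse(httpResponse, oidcClientConfig, oidcClientRequest);
            return null;
        }
        String body = null;
        HttpEntity entity = httpResponse.getEntity();
        if (entity != null) {
            body = EntityUtils.toString(entity);
        }
        try {
            return JSONObject.parse(body);
        } catch (IOException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "the response from OP is not in JSON format = ", new Object[]{body});
            }
            logError(oidcClientConfig, oidcClientRequest, "PROPAGATION_TOKEN_INVALID_VALIDATION_URL", oidcClientConfig.getValidationEndpointUrl());
            return null;
        }
    }

    /**
     * Logs a non-200 response from the OP. A JSON body is reported through {@link #logErrorMessage}; a
     * non-JSON or empty body falls back to the {@code WWW-Authenticate} header (when present) and the
     * text is reported through {@link #logError}, with an extra PROPAGATION_TOKEN_NOT_ACTIVE message when
     * it mentions {@code invalid_token}.
     *
     * @param httpResponse      the error response
     * @param oidcClientConfig  client configuration, used for error reporting
     * @param oidcClientRequest per-request state that receives the failure message (may be {@code null})
     * @throws ParseException propagated from {@link EntityUtils#toString}
     * @throws IOException    propagated from reading the entity
     */
    @FFDCIgnore({IOException.class})
    private void handleErrorResponse(HttpResponse httpResponse, OidcClientConfig oidcClientConfig, OidcClientRequest oidcClientRequest) throws ParseException, IOException {
        String errorText = null;
        HttpEntity entity = httpResponse.getEntity();
        if (entity != null) {
            errorText = EntityUtils.toString(entity);
            if (errorText != null) {
                try {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "received error from OP =", new Object[]{errorText});
                    }
                    logErrorMessage(JSONObject.parse(errorText), oidcClientConfig, oidcClientRequest);
                    return;
                } catch (IOException ignored) {
                    // The body is not JSON; treat it as plain text below (and consult the header if it is empty).
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "error body from OP is not JSON; falling back to plain text / header", new Object[0]);
                    }
                }
            }
        }
        if (errorText == null || errorText.isEmpty()) {
            // A missing challenge header must not turn into a NullPointerException here.
            if (httpResponse.containsHeader(WWW_AUTHENTICATE)) {
                errorText = httpResponse.getFirstHeader(WWW_AUTHENTICATE).getValue();
            }
        }
        if (errorText == null) {
            logError(oidcClientConfig, oidcClientRequest, "OIDC_PROPAGATION_FAIL", "", oidcClientConfig.getValidationEndpointUrl());
            return;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "received error from OP and extracted it from the header =", new Object[]{errorText});
        }
        if (errorText.contains(INVALID_TOKEN)) {
            logError(oidcClientConfig, oidcClientRequest, "PROPAGATION_TOKEN_NOT_ACTIVE", oidcClientConfig.getValidationMethod(), oidcClientConfig.getValidationEndpointUrl());
        }
        String description = extractErrorDescription(errorText);
        if (description != null && tc.isDebugEnabled()) {
            Tr.debug(tc, "the original error from OP =", new Object[]{description});
        }
        logError(oidcClientConfig, oidcClientRequest, "OIDC_PROPAGATION_FAIL", description, oidcClientConfig.getValidationEndpointUrl());
    }

    /**
     * Extracts the {@code error_description=} value from an error string.
     *
     * @param errorText raw error text, typically a {@code WWW-Authenticate} challenge
     * @return the description with one pair of surrounding double quotes removed; the input unchanged
     *         when it does not match the expected shape; {@code null} for {@code null} input
     */
    protected String extractErrorDescription(String errorText) {
        if (errorText == null) {
            return null;
        }
        Matcher matcher = ERROR_DESCRIPTION_PATTERN.matcher(errorText);
        if (!matcher.matches()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Response did not appear to contain an error description formatted as expected. Returning response as-is", new Object[0]);
            }
            return errorText;
        }
        String description = matcher.group(1);
        boolean quoted = description != null && description.length() > 1 && description.charAt(0) == '\"' && description.charAt(description.length() - 1) == '\"';
        if (quoted) {
            description = description.substring(1, description.length() - 1);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Extracted description: [" + description + "]", new Object[0]);
        }
        return description;
    }

    /**
     * Validates an opaque token by calling the introspection endpoint.
     *
     * @param oidcClientConfig  client configuration (endpoint, client credentials, auth method, hostname verification)
     * @param accessToken       the token to introspect
     * @param sslSocketFactory  factory for the https connection (may be {@code null} for http endpoints)
     * @param oidcClientRequest per-request state that receives the failure message
     * @return a {@code SUCCESS} result built from the introspection claims, {@code SEND_401} when the claims carry no
     *         user name, otherwise {@code FAILURE}/401; every exception is logged as PROPAGATION_TOKEN_INTERNAL_ERR
     */
    protected ProviderAuthenticationResult introspectToken(OidcClientConfig oidcClientConfig, String accessToken, SSLSocketFactory sslSocketFactory, OidcClientRequest oidcClientRequest) {
        ProviderAuthenticationResult oidcResult = new ProviderAuthenticationResult(AuthResult.FAILURE, 401);
        try {
            Map<String, Object> responseMap = this.oidcClientUtil.checkToken(oidcClientConfig.getValidationEndpointUrl(), oidcClientConfig.getClientId(), oidcClientConfig.getClientSecret(), accessToken, oidcClientConfig.isHostNameVerificationEnabled(), oidcClientConfig.getTokenEndpointAuthMethod(), sslSocketFactory, oidcClientConfig.getUseSystemPropertiesForHttpClientConnections());
            JSONObject introspection = handleResponseMap(responseMap, oidcClientConfig, oidcClientRequest);
            if (introspection == null) {
                return oidcResult;
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "introspectToken=", new Object[]{introspection.serialize()});
            }
            if (!validateJsonResponse(introspection, oidcClientConfig, oidcClientRequest)) {
                logErrorMessage(introspection, oidcClientConfig, oidcClientRequest);
                return oidcResult;
            }
            return createProviderAuthenticationResult(introspection, oidcClientConfig, accessToken);
        } catch (Exception e) {
            // Boundary catch: any failure in the remote call or claim handling must end in a 401, not a 500.
            FFDCFilter.processException(e, FFDC_CLASS, "410", this, new Object[]{oidcClientConfig, accessToken, sslSocketFactory, oidcClientRequest});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "exception during introspectToken =", new Object[]{e.getMessage()});
            }
            logError(oidcClientConfig, oidcClientRequest, "PROPAGATION_TOKEN_INTERNAL_ERR", e.getLocalizedMessage(), oidcClientConfig.getValidationMethod(), oidcClientConfig.getValidationEndpointUrl());
            return oidcResult;
        }
    }

    /**
     * Validates a JWT locally through {@link Jose4jUtil}.
     *
     * @param oidcClientConfig  client configuration
     * @param jwt               compact-serialized JWT
     * @param sslSocketFactory  unused here; kept for signature parity with the other validators
     * @param oidcClientRequest per-request state; its token type is set to "Json Web Token"
     * @return whatever {@link Jose4jUtil#createResultWithJose4JForJwt} returns
     * @throws NullPointerException when this instance was built without SSL support ({@link #jose4jUtil} is {@code null})
     */
    protected ProviderAuthenticationResult parseJwtToken(OidcClientConfig oidcClientConfig, String jwt, SSLSocketFactory sslSocketFactory, OidcClientRequest oidcClientRequest) {
        oidcClientRequest.setTokenType("Json Web Token");
        return this.jose4jUtil.createResultWithJose4JForJwt(jwt, oidcClientConfig, oidcClientRequest);
    }

    /**
     * @param httpResponse response to classify
     * @return {@code true} unless the status line is present and its code is exactly 200
     */
    private boolean isErrorResponse(HttpResponse httpResponse) {
        StatusLine statusLine = httpResponse.getStatusLine();
        return statusLine == null || statusLine.getStatusCode() != 200;
    }

    /**
     * Reports an OAuth error object ({@code error} / {@code error_description}) returned by the OP.
     * The message is always stored on the request; it is written to the log unless
     * {@code inboundPropagation} is {@code supported}.
     *
     * @param jSONObject        parsed error body; nothing happens when it has no {@code error} member
     * @param oidcClientConfig  client configuration
     * @param oidcClientRequest per-request state (may be {@code null})
     */
    private void logErrorMessage(JSONObject jSONObject, OidcClientConfig oidcClientConfig, OidcClientRequest oidcClientRequest) {
        String error = (String) jSONObject.get("error");
        String inboundPropagation = oidcClientConfig.getInboundPropagation();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "rs_err:" + error + " inboundPropagation:" + inboundPropagation, new Object[0]);
        }
        if (error == null) {
            return;
        }
        String msgKey;
        Object[] msgArgs;
        if (INVALID_CLIENT.equals(error)) {
            msgKey = "PROPAGATION_TOKEN_INVALID_CLIENTID";
            msgArgs = new Object[]{oidcClientConfig.getClientId(), oidcClientConfig.getValidationEndpointUrl()};
        } else if (INVALID_TOKEN.equals(error)) {
            msgKey = "PROPAGATION_TOKEN_NOT_ACTIVE";
            msgArgs = new Object[]{oidcClientConfig.getValidationMethod(), oidcClientConfig.getValidationEndpointUrl()};
        } else {
            msgKey = "OIDC_PROPAGATION_FAIL";
            msgArgs = new Object[]{(String) jSONObject.get("error_description"), oidcClientConfig.getValidationEndpointUrl()};
        }
        if (oidcClientRequest != null) {
            oidcClientRequest.setRsFailMsg((String) null, Tr.formatMessage(tc, msgKey, msgArgs));
        }
        // Same case-insensitive test as logError(), so both paths agree on what "supported" means.
        if (!"supported".equalsIgnoreCase(inboundPropagation)) {
            Tr.error(tc, msgKey, msgArgs);
        }
    }

    /**
     * Validates an opaque token by calling the userinfo endpoint with it.
     *
     * @param oidcClientConfig  client configuration (endpoint, hostname verification)
     * @param accessToken       the token presented as bearer credential to the userinfo endpoint
     * @param sslSocketFactory  factory for the https connection (may be {@code null} for http endpoints)
     * @param oidcClientRequest per-request state that receives the failure message
     * @return a {@code SUCCESS} result built from the userinfo claims, with the serialized userinfo JSON stored
     *         under the {@code userinfo_string} custom property; otherwise {@code FAILURE}/401
     */
    protected ProviderAuthenticationResult getUserInfoFromToken(OidcClientConfig oidcClientConfig, String accessToken, SSLSocketFactory sslSocketFactory, OidcClientRequest oidcClientRequest) {
        ProviderAuthenticationResult oidcResult = new ProviderAuthenticationResult(AuthResult.FAILURE, 401);
        try {
            Map<String, Object> responseMap = this.oidcClientUtil.getUserinfo(oidcClientConfig.getValidationEndpointUrl(), accessToken, sslSocketFactory, oidcClientConfig.isHostNameVerificationEnabled(), oidcClientConfig.getUseSystemPropertiesForHttpClientConnections());
            JSONObject userinfo = handleResponseMap(responseMap, oidcClientConfig, oidcClientRequest);
            if (userinfo != null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "userinfo=", new Object[]{userinfo.serialize()});
                }
                if (!validateUserinfoJsonResponse(userinfo, oidcClientConfig, oidcClientRequest)) {
                    return oidcResult;
                }
                oidcResult = createProviderAuthenticationResult(userinfo, oidcClientConfig, accessToken);
            }
            // Initialised explicitly: the catch below leaves it unset, which javac otherwise rejects.
            String userinfoString = null;
            if (userinfo != null) {
                try {
                    userinfoString = userinfo.serialize();
                } catch (IOException e) {
                    FFDCFilter.processException(e, FFDC_CLASS, "536", this, new Object[]{oidcClientConfig, accessToken, sslSocketFactory, oidcClientRequest});
                }
            }
            if (oidcResult != null && oidcResult.getUserName() != null && userinfoString != null) {
                oidcResult.getCustomProperties().put("userinfo_string", userinfoString);
            }
            return oidcResult;
        } catch (IllegalArgumentException e2) {
            FFDCFilter.processException(e2, FFDC_CLASS, "515", this, new Object[]{oidcClientConfig, accessToken, sslSocketFactory, oidcClientRequest});
            Tr.error(tc, "PROPAGATION_TOKEN_INVALID_VALIDATION_URL", new Object[]{oidcClientConfig.getValidationEndpointUrl()});
            oidcClientRequest.setRsFailMsg((String) null, Tr.formatMessage(tc, "PROPAGATION_TOKEN_INVALID_VALIDATION_URL", new Object[]{oidcClientConfig.getValidationEndpointUrl()}));
            return oidcResult;
        } catch (Exception e3) {
            // Boundary catch: any failure in the remote call or claim handling must end in a 401, not a 500.
            FFDCFilter.processException(e3, FFDC_CLASS, "520", this, new Object[]{oidcClientConfig, accessToken, sslSocketFactory, oidcClientRequest});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "exception while getting the userInfo =", new Object[]{e3.getLocalizedMessage()});
            }
            logError(oidcClientConfig, oidcClientRequest, "PROPAGATION_TOKEN_INTERNAL_ERR", e3.getLocalizedMessage(), oidcClientConfig.getValidationMethod(), oidcClientConfig.getValidationEndpointUrl());
            return oidcResult;
        }
    }

    /**
     * Checks a userinfo response: an {@code error} member fails it; an {@code iss} member, when present,
     * must match the configured issuer. A response without {@code iss} is accepted.
     *
     * @param jSONObject        parsed userinfo body
     * @param oidcClientConfig  client configuration
     * @param oidcClientRequest per-request state that receives the failure message
     * @return {@code true} when the response is acceptable
     */
    private boolean validateUserinfoJsonResponse(JSONObject jSONObject, OidcClientConfig oidcClientConfig, OidcClientRequest oidcClientRequest) {
        if (((String) jSONObject.get("error")) != null) {
            logErrorMessage(jSONObject, oidcClientConfig, oidcClientRequest);
            return false;
        }
        String issuer = (String) jSONObject.get("iss");
        if (issuer == null) {
            return true;
        }
        return isTrustedIssuer(issuer, oidcClientConfig, oidcClientRequest);
    }

    /**
     * Compares a non-null {@code iss} claim with the configured issuer identifier(s) and logs
     * PROPAGATION_TOKEN_ISS_ERROR on mismatch. Shared by the userinfo and introspection paths.
     *
     * @param issuer            the {@code iss} claim value (non-null)
     * @param oidcClientConfig  client configuration
     * @param oidcClientRequest per-request state that receives the failure message (may be {@code null})
     * @return {@code true} when the claim is non-empty and listed in the configured issuer identifier
     */
    private boolean isTrustedIssuer(String issuer, OidcClientConfig oidcClientConfig, OidcClientRequest oidcClientRequest) {
        String expectedIssuer = null;
        if (!issuer.isEmpty()) {
            expectedIssuer = getIssuerIdentifier(oidcClientConfig);
            if (expectedIssuer != null && !notContains(expectedIssuer, issuer)) {
                return true;
            }
        }
        logError(oidcClientConfig, oidcClientRequest, "PROPAGATION_TOKEN_ISS_ERROR", expectedIssuer, issuer);
        return false;
    }

    /**
     * Tests whether {@code candidate} is absent from a space- or comma-separated issuer list.
     *
     * @param issuerList list of accepted issuers separated by {@code ' '} or {@code ','}
     * @param candidate  value to look for (exact, case-sensitive match)
     * @return {@code false} when the list equals the candidate or one of its entries does; {@code true} otherwise
     */
    boolean notContains(String issuerList, String candidate) {
        if (issuerList.equals(candidate)) {
            return false;
        }
        StringTokenizer entries = new StringTokenizer(issuerList, " ,");
        while (entries.hasMoreTokens()) {
            if (candidate.equals(entries.nextToken())) {
                return false;
            }
        }
        return true;
    }

    /**
     * Same as {@link #validateJsonResponse(JSONObject, OidcClientConfig, OidcClientRequest)} without a request
     * to store the failure message on.
     */
    protected boolean validateJsonResponse(JSONObject jSONObject, OidcClientConfig oidcClientConfig) {
        return validateJsonResponse(jSONObject, oidcClientConfig, null);
    }

    /**
     * Validates the claims of an introspection response: {@code active} (when present) must be the boolean
     * {@code true}; {@code exp} and {@code iat} are required and checked against the clock with the configured
     * skew; {@code iss} is checked by {@link #issuerChecking}; {@code nbf} is checked only when present.
     * <p>
     * Note: a response that omits {@code active} altogether is not rejected by this method.
     *
     * @param jSONObject        parsed introspection body
     * @param oidcClientConfig  client configuration (clock skew, issuer, validation endpoint)
     * @param oidcClientRequest per-request state that receives the not-active message (may be {@code null})
     * @return {@code true} when every check passes
     */
    protected boolean validateJsonResponse(JSONObject jSONObject, OidcClientConfig oidcClientConfig, OidcClientRequest oidcClientRequest) {
        Object active = jSONObject.get("active");
        // Anything other than the boolean TRUE (FALSE, a string "false", a number) counts as not active,
        // so a malformed value fails closed instead of raising a ClassCastException.
        if (active != null && !Boolean.TRUE.equals(active)) {
            logError(oidcClientConfig, "PROPAGATION_TOKEN_NOT_ACTIVE", oidcClientConfig.getValidationMethod(), oidcClientConfig.getValidationEndpointUrl());
            if (oidcClientRequest != null) {
                oidcClientRequest.setRsFailMsg("", Tr.formatMessage(tc, "PROPAGATION_TOKEN_NOT_ACTIVE", new Object[]{oidcClientConfig.getValidationMethod(), oidcClientConfig.getValidationEndpointUrl()}));
            }
            return false;
        }
        Date now = new Date();
        long clockSkewSeconds = oidcClientConfig.getClockSkewInSeconds();
        Long exp = jSONObject.get("exp") == null ? null : getLong(jSONObject.get("exp"));
        if (exp == null) {
            logError(oidcClientConfig, "PROPAGATION_TOKEN_MISSING_REQUIRED_CLAIM_ERR", "exp", REQUIRED_CLAIMS);
            return false;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "exp = ", new Object[]{exp});
        }
        if (!verifyExpirationTime(exp, now, clockSkewSeconds, oidcClientConfig)) {
            return false;
        }
        Long iat = jSONObject.get("iat") == null ? null : getLong(jSONObject.get("iat"));
        if (iat == null) {
            logError(oidcClientConfig, "PROPAGATION_TOKEN_MISSING_REQUIRED_CLAIM_ERR", "iat", REQUIRED_CLAIMS);
            return false;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "iat = ", new Object[]{iat});
        }
        if (!checkIssueatTime(iat, now, clockSkewSeconds, oidcClientConfig)) {
            return false;
        }
        if (!issuerChecking(jSONObject, oidcClientConfig)) {
            return false;
        }
        Long nbf = jSONObject.get("nbf") == null ? null : getLong(jSONObject.get("nbf"));
        if (nbf == null) {
            return true;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "nbf = ", new Object[]{nbf});
        }
        return checkNotBeforeTime(nbf, now, clockSkewSeconds, oidcClientConfig);
    }

    /**
     * Checks the {@code iss} claim of an introspection response. With issuer checking disabled the claim
     * must be absent; otherwise it is required and must match the configured issuer identifier(s).
     *
     * @param jSONObject       parsed introspection body
     * @param oidcClientConfig client configuration
     * @return {@code true} when the claim is acceptable
     */
    boolean issuerChecking(JSONObject jSONObject, OidcClientConfig oidcClientConfig) {
        String issuer = (String) jSONObject.get("iss");
        if (oidcClientConfig.disableIssChecking()) {
            if (issuer == null) {
                return true;
            }
            logError(oidcClientConfig, "PROPAGATION_TOKEN_ISS_CLAIM_NOT_REQUIRED_ERR", oidcClientConfig.getValidationEndpointUrl(), "iss", OidcClientConfigImpl.CFG_KEY_DISABLE_ISS_CHECKING);
            return false;
        }
        if (issuer == null) {
            logError(oidcClientConfig, "PROPAGATION_TOKEN_MISSING_REQUIRED_CLAIM_ERR", "iss", REQUIRED_CLAIMS);
            return false;
        }
        OidcClientRequest noRequest = null;
        return isTrustedIssuer(issuer, oidcClientConfig, noRequest);
    }

    /**
     * Resolves the issuer identifier to compare {@code iss} against.
     *
     * @param oidcClientConfig client configuration
     * @return the configured issuer identifier, or — when that is unset or empty — the validation endpoint
     *         URL with its last path segment removed; unchanged (possibly {@code null}/empty) when the
     *         validation URL is {@code null} or contains no {@code '/'}
     */
    String getIssuerIdentifier(OidcClientConfig oidcClientConfig) {
        String issuerIdentifier = oidcClientConfig.getIssuerIdentifier();
        if (issuerIdentifier != null && !issuerIdentifier.isEmpty()) {
            return issuerIdentifier;
        }
        String validationEndpointUrl = oidcClientConfig.getValidationEndpointUrl();
        if (validationEndpointUrl == null) {
            return issuerIdentifier;
        }
        int lastSlash = validationEndpointUrl.lastIndexOf("/");
        if (lastSlash < 0) {
            // No path to strip; leaving the identifier unset makes the issuer check fail closed.
            return issuerIdentifier;
        }
        return validationEndpointUrl.substring(0, lastSlash);
    }

    /**
     * Coerces a claim value to a {@link Long}.
     *
     * @param obj {@code null}, a {@link Long}, an {@link Integer}, a decimal {@link String}, or a {@code String[]} whose first element is parsed
     * @return the value, or {@code null} for {@code null} input or when the value cannot be parsed
     */
    protected Long getLong(Object obj) {
        if (obj == null || (obj instanceof Long)) {
            return (Long) obj;
        }
        if (obj instanceof Integer) {
            return Long.valueOf(((Integer) obj).intValue());
        }
        try {
            String text = obj instanceof String[] ? ((String[]) obj)[0] : (String) obj;
            return Long.valueOf(text);
        } catch (NumberFormatException | ClassCastException | ArrayIndexOutOfBoundsException e) {
            FFDCFilter.processException(e, FFDC_CLASS, "728", this, new Object[]{obj});
            return null;
        }
    }

    /**
     * Converts a seconds-since-epoch claim to a {@link Date}. Values whose millisecond form would overflow a
     * {@code long} are clamped to the extreme instead of wrapping around, so a huge {@code exp} stays "far
     * future" and a huge {@code iat}/{@code nbf} stays "far future" (and therefore fails) rather than
     * silently flipping sign.
     *
     * @param seconds claim value in seconds
     * @return the corresponding date
     */
    private static Date claimToDate(long seconds) {
        try {
            return new Date(Math.multiplyExact(seconds, 1000L));
        } catch (ArithmeticException overflow) {
            return new Date(seconds > 0 ? Long.MAX_VALUE : Long.MIN_VALUE);
        }
    }

    /**
     * @param nbf              not-before claim in seconds since the epoch
     * @param now              current time
     * @param clockSkewSeconds tolerated skew in seconds
     * @param oidcClientConfig client configuration, for error reporting
     * @return {@code true} unless {@code nbf} lies after {@code now + skew}; a failure is logged as PROPAGATION_TOKEN_NBF_ERR (warning level)
     */
    private boolean checkNotBeforeTime(Long nbf, Date now, long clockSkewSeconds, OidcClientConfig oidcClientConfig) {
        Date notBefore = claimToDate(nbf.longValue());
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "AccessToken nbf : " + notBefore + ", currentDate:" + now, new Object[0]);
        }
        Date latestAllowed = new Date(now.getTime() + (clockSkewSeconds * 1000));
        if (!notBefore.after(latestAllowed)) {
            return true;
        }
        logError(oidcClientConfig, true, "PROPAGATION_TOKEN_NBF_ERR", notBefore.toString(), latestAllowed.toString());
        return false;
    }

    /**
     * @param exp              expiration claim in seconds since the epoch
     * @param now              current time
     * @param clockSkewSeconds tolerated skew in seconds
     * @param oidcClientConfig client configuration, for error reporting
     * @return {@code true} unless {@code exp} lies before {@code now - skew}; a failure is logged as PROPAGATION_TOKEN_EXPIRED_ERR (warning level)
     */
    protected boolean verifyExpirationTime(Long exp, Date now, long clockSkewSeconds, OidcClientConfig oidcClientConfig) {
        Date expiration = claimToDate(exp.longValue());
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "AccessToken exp: " + expiration + ", currentDate:" + now, new Object[0]);
        }
        Date earliestAllowed = new Date(now.getTime() - (clockSkewSeconds * 1000));
        if (!expiration.before(earliestAllowed)) {
            return true;
        }
        logError(oidcClientConfig, true, "PROPAGATION_TOKEN_EXPIRED_ERR", expiration.toString(), earliestAllowed.toString());
        return false;
    }

    /**
     * @param iat              issued-at claim in seconds since the epoch
     * @param now              current time
     * @param clockSkewSeconds tolerated skew in seconds
     * @param oidcClientConfig client configuration, for error reporting
     * @return {@code true} unless {@code iat} lies after {@code now + skew}; a failure is logged as PROPAGATION_TOKEN_FUTURE_TOKEN_ERR (warning level)
     */
    protected boolean checkIssueatTime(Long iat, Date now, long clockSkewSeconds, OidcClientConfig oidcClientConfig) {
        Date issuedAt = claimToDate(iat.longValue());
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "AccessToken iat : " + issuedAt + ", currentDate:" + now, new Object[0]);
        }
        Date latestAllowed = new Date(now.getTime() + (clockSkewSeconds * 1000));
        if (!issuedAt.after(latestAllowed)) {
            return true;
        }
        logError(oidcClientConfig, true, "PROPAGATION_TOKEN_FUTURE_TOKEN_ERR", issuedAt.toString(), latestAllowed.toString());
        return false;
    }

    /**
     * Maps validated claims to a subject.
     *
     * @param jSONObject       validated claims (introspection or userinfo)
     * @param oidcClientConfig client configuration driving the attribute-to-subject mapping
     * @param accessToken      the token, stored under {@code access_token} in the subject's custom properties
     * @return {@code SEND_401}/401 when the claims yield no user name, otherwise the mapped result
     */
    @SuppressWarnings({"rawtypes", "unchecked"}) // handleCustomProperties() is declared as a raw Hashtable outside this file
    protected ProviderAuthenticationResult createProviderAuthenticationResult(JSONObject jSONObject, OidcClientConfig oidcClientConfig, String accessToken) {
        AttributeToSubjectExt attributeToSubject = new AttributeToSubjectExt(oidcClientConfig, jSONObject, accessToken);
        if (attributeToSubject.checkUserNameForNull()) {
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
        Hashtable customProperties = attributeToSubject.handleCustomProperties();
        customProperties.put(ACCESS_TOKEN, accessToken);
        return attributeToSubject.doMapping(customProperties, new Subject());
    }

    /**
     * Locates the access token in the request.
     * <p>
     * Without a configured header name: the {@code Authorization} header with its {@code Bearer } prefix
     * removed; failing that, the {@code access_token} form parameter of a {@code POST} with
     * {@code Content-Type: application/x-www-form-urlencoded}; otherwise the raw {@code Authorization}
     * value (which may be {@code null} or a non-bearer value). With a configured header name: that header's
     * trimmed value (minus a {@code Bearer } prefix), or the concatenation of the {@code <name>-1} ..
     * {@code <name>-N} segment headers where N is read from {@code <name>-segments}. Segment assembly stops
     * at the first missing segment, so the work done is bounded by the headers actually present rather than
     * by the client-supplied count.
     *
     * @param httpServletRequest inbound request
     * @param oidcClientConfig   client configuration supplying the optional header name
     * @return the token, or {@code null} when none is found
     */
    public static String getBearerAccessTokenToken(HttpServletRequest httpServletRequest, OidcClientConfig oidcClientConfig) {
        String headerName = oidcClientConfig.getHeaderName();
        if (headerName == null) {
            return getTokenFromAuthorizationHeaderOrForm(httpServletRequest);
        }
        String headerValue = httpServletRequest.getHeader(headerName);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, headerName + " content=", new Object[]{headerValue});
        }
        if (headerValue != null) {
            return stripBearerPrefix(headerValue).trim();
        }
        return getTokenFromHeaderSegments(httpServletRequest, oidcClientConfig, headerName);
    }

    /**
     * Default token lookup: {@code Authorization: Bearer ...}, else the form parameter of a urlencoded POST,
     * else the raw {@code Authorization} value.
     *
     * @param httpServletRequest inbound request
     * @return the token candidate, possibly {@code null}
     */
    private static String getTokenFromAuthorizationHeaderOrForm(HttpServletRequest httpServletRequest) {
        String authorization = httpServletRequest.getHeader(Authorization_Header);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Authorization header=", new Object[]{authorization});
        }
        if (authorization != null && authorization.startsWith(BEARER_PREFIX)) {
            return authorization.substring(BEARER_PREFIX.length());
        }
        if ("POST".equalsIgnoreCase(httpServletRequest.getMethod()) && "application/x-www-form-urlencoded".equals(httpServletRequest.getHeader("Content-Type"))) {
            return httpServletRequest.getParameter(ACCESS_TOKEN);
        }
        // A non-bearer Authorization value (or null) is handed back unchanged; downstream validation decides.
        return authorization;
    }

    /**
     * @param headerValue non-null header value
     * @return the value without a leading {@code Bearer } prefix, untouched when it has none
     */
    private static String stripBearerPrefix(String headerValue) {
        return headerValue.startsWith(BEARER_PREFIX) ? headerValue.substring(BEARER_PREFIX.length()) : headerValue;
    }

    /**
     * Reassembles a token split across {@code <name>-1} .. {@code <name>-N} headers.
     *
     * @param httpServletRequest inbound request
     * @param oidcClientConfig   client configuration (only passed to FFDC)
     * @param headerName         configured header name
     * @return the concatenated, per-segment trimmed token; {@code null} when the segment-count header is missing,
     *         not an integer, or yields no text
     */
    private static String getTokenFromHeaderSegments(HttpServletRequest httpServletRequest, OidcClientConfig oidcClientConfig, String headerName) {
        String segmentCountValue = httpServletRequest.getHeader(headerName + JWT_SEGMENTS);
        if (segmentCountValue == null) {
            return null;
        }
        String token = null;
        try {
            int segmentCount = Integer.parseInt(segmentCountValue);
            StringBuilder assembled = new StringBuilder();
            for (int index = 1; index <= segmentCount; index++) {
                String segment = httpServletRequest.getHeader(headerName + JWT_SEGMENT_INDEX + index);
                if (segment == null) {
                    // Segments are contiguous; stop at the first gap instead of iterating up to the client-supplied count.
                    break;
                }
                assembled.append(segment.trim());
            }
            if (assembled.length() > 0) {
                token = assembled.toString();
            }
        } catch (NumberFormatException e) {
            FFDCFilter.processException(e, FFDC_CLASS, "853", (Object) null, new Object[]{httpServletRequest, oidcClientConfig});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Fail to read Header Segments:", new Object[]{e.getMessage()});
            }
        }
        return token;
    }

    /** Error-level message without a request to annotate. */
    void logError(OidcClientConfig oidcClientConfig, String msgKey, Object... msgArgs) {
        logError(oidcClientConfig, false, msgKey, msgArgs);
    }

    /** Error-level message, also stored on the request as the RS failure message. */
    void logError(OidcClientConfig oidcClientConfig, OidcClientRequest oidcClientRequest, String msgKey, Object... msgArgs) {
        logError(oidcClientConfig, false, oidcClientRequest, msgKey, msgArgs);
    }

    /** Message without a request to annotate; {@code warning} selects the level used in "supported" mode. */
    void logError(OidcClientConfig oidcClientConfig, boolean warning, String msgKey, Object... msgArgs) {
        logError(oidcClientConfig, warning, null, msgKey, msgArgs);
    }

    /**
     * Reports a validation problem. When {@code inboundPropagation} is not {@code supported} the message is
     * logged at error level; when it is {@code supported}, only warnings are logged and errors are silent.
     * The formatted message is stored on the request unless one is already present, so the first failure
     * reported wins.
     *
     * @param oidcClientConfig  client configuration supplying {@code inboundPropagation}
     * @param warning           {@code true} to log at warning level in "supported" mode
     * @param oidcClientRequest per-request state to annotate (may be {@code null})
     * @param msgKey            message key in the OidcClientMessages bundle
     * @param msgArgs           message arguments
     */
    void logError(OidcClientConfig oidcClientConfig, boolean warning, OidcClientRequest oidcClientRequest, String msgKey, Object... msgArgs) {
        String inboundPropagation = oidcClientConfig.getInboundPropagation();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "ac_err msg:" + msgKey + " inboundPropagation:" + inboundPropagation + " warning?:" + warning, new Object[0]);
        }
        if (!"supported".equalsIgnoreCase(inboundPropagation)) {
            Tr.error(tc, msgKey, msgArgs);
        } else if (warning) {
            Tr.warning(tc, msgKey, msgArgs);
        }
        if (oidcClientRequest == null) {
            return;
        }
        String existingFailMsg = oidcClientRequest.getRsFailMsg();
        if (existingFailMsg == null) {
            oidcClientRequest.setRsFailMsg((String) null, Tr.formatMessage(tc, msgKey, msgArgs));
        } else if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Not setting new RS fail message since one was already found: " + existingFailMsg, new Object[0]);
        }
    }
}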
