package com.ibm.ws.security.openidconnect.client.web;

import com.google.gson.JsonObject;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.common.internal.encoder.Base64Coder;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.oauth20.web.WebUtils;
import com.ibm.ws.security.openidconnect.client.internal.OidcClientConfigImpl;
import com.ibm.ws.security.openidconnect.client.internal.OidcClientImpl;
import com.ibm.ws.security.openidconnect.clients.common.HashUtils;
import com.ibm.ws.security.openidconnect.clients.common.OidcClientUtil;
import com.ibm.ws.webcontainer.security.CookieHelper;
import com.ibm.ws.webcontainer.security.openidconnect.OidcClient;
import java.io.IOException;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Map;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;

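/**
 * Relying-party (RP) redirect endpoint of the OpenID Connect client.
 *
 * <p>The OpenID Provider (OP) sends the browser back here after authentication. Two kinds of
 * arrival are handled:
 * <ul>
 *   <li>A response that carries {@code state} (query parameters, or a form POST): the original
 *       request URL is looked up in the cookie named {@code WASReqURLOidc} + hash({@code state}),
 *       that cookie is invalidated, the response parameters are stored in the {@code WASOidcCode}
 *       cookie, and the browser is sent back to the original URL &mdash; by a redirect, or by an
 *       auto-submitting POST form when an {@code id_token} or a client-id suffix is present.</li>
 *   <li>A GET without {@code state} (response parameters in the URL fragment): a page is returned
 *       whose script copies the fragment parameters into a form and POSTs them back to this
 *       endpoint, where the first case takes over.</li>
 * </ul>
 *
 * <p>Every value rendered into HTML goes through {@link WebUtils#htmlEncode(String)}. The redirect
 * target and the cookie contents originate from the client; the checks that make them
 * trustworthy ({@link OidcClient#isValidRedirectUrl}, the cookie handling in
 * {@link OidcClientUtil}) live outside this file.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/security/openidconnect/client/web/OidcRedirectServlet.class */
public class OidcRedirectServlet extends HttpServlet {
    private static final long serialVersionUID = 1;
    public static final String METHOD_GET = "GET";
    /** Cookie that carries the OP response parameters (minus tokens) back to the RP. */
    private static final String WASOIDCCODE_COOKIE = "WASOidcCode";
    /** Prefix of the per-login cookie holding the original request URL; hash(state) is appended. */
    private static final String REQ_URL_COOKIE_PREFIX = "WASReqURLOidc";
    /**
     * Length of the leading part of {@code state}; whatever follows it is forwarded as the
     * {@code oidc_client} form field.
     */
    // NOTE(review): 24 is taken from the original substring(24); the state layout is produced
    // elsewhere — confirm it still matches the generator.
    private static final int STATE_PREFIX_LENGTH = 24;
    private static final String CACHE_CONTROL_HEADER = "Cache-Control";
    private static final String NO_CACHE_DIRECTIVES = "no-cache, no-store, must-revalidate, private, max-age=0";
    private static final String HTML_UTF8 = "text/html; charset=UTF-8";

    private transient ServletContext servletContext = null;
    private transient BundleContext bundleContext = null;
    private transient ServiceReference<OidcClient> oidcClientRef = null;
    private transient OidcClient oidcClient = null;
    // The field name "tc" is referenced by the @TraceObjectField annotation above; do not rename it.
    private static TraceComponent tc = Tr.register(OidcRedirectServlet.class, "OpenIdConnect", "com.ibm.ws.security.openidconnect.client.internal.resources.OidcClientMessages");
    // Written by the activator through setActivatedOidcClientImpl(), read on request threads.
    // NOTE(review): neither volatile nor synchronized — confirm activation ordering guarantees visibility.
    public static OidcClientImpl activatedOidcClientImpl = null;

    /**
     * Publishes the activated client implementation that request handling consults for
     * per-client configuration.
     *
     * @param oidcClientImpl the activated client, or {@code null} to clear it
     */
    public static void setActivatedOidcClientImpl(OidcClientImpl oidcClientImpl) {
        activatedOidcClientImpl = oidcClientImpl;
    }

    /**
     * Captures the OSGi bundle context from the servlet context and looks up the
     * {@link OidcClient} service reference used by {@link #doGet}.
     */
    @Override
    public void init() {
        this.servletContext = getServletContext();
        this.bundleContext = (BundleContext) this.servletContext.getAttribute("osgi-bundlecontext");
        this.oidcClientRef = this.bundleContext.getServiceReference(OidcClient.class);
    }

    /**
     * Resolves the {@link OidcClient} service.
     *
     * @return the service instance
     * @throws ServletException if no service reference was found during {@link #init()}
     */
    private synchronized OidcClient getOidcClient() throws ServletException {
        if (this.oidcClientRef == null) {
            throw new ServletException("OidcClient service reference is not available");
        }
        // NOTE(review): each call acquires the service again without a matching ungetService();
        // confirm this is intended for a long-lived servlet.
        this.oidcClient = this.bundleContext.getService(this.oidcClientRef);
        return this.oidcClient;
    }

    /** Single trace gate used throughout; cheap enough to call on every request. */
    private static boolean isDebugEnabled() {
        return TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
    }

    /**
     * Returns the text after the last {@code /} of the request URI, or {@code null} when the URI
     * contains no slash. The segment is used as the id when looking up the client configuration.
     */
    private static String lastPathSegment(HttpServletRequest httpServletRequest) {
        String uri = httpServletRequest.getRequestURI();
        int slash = uri.lastIndexOf("/");
        return slash > -1 ? uri.substring(slash + 1) : null;
    }

    /** Sets the headers that keep the auto-submitting pages out of browser and proxy caches. */
    private static void setNoCacheHeaders(HttpServletResponse httpServletResponse) {
        httpServletResponse.setHeader(CACHE_CONTROL_HEADER, NO_CACHE_DIRECTIVES);
        httpServletResponse.setHeader("Pragma", "no-cache");
        httpServletResponse.setDateHeader("Expires", 0L);
    }

    /** Writes one line of markup and flushes the writer. */
    private static void writeHtml(HttpServletResponse httpServletResponse, String html) throws IOException {
        PrintWriter writer = httpServletResponse.getWriter();
        writer.println(html);
        writer.flush();
    }

    /**
     * Dispatches a GET: responses that carry {@code state} (or requests that are not GET at all)
     * are handled as a POST; otherwise the request is treated as a fragment-based response and,
     * if the service accepts its URL, the fragment-to-POST page is returned.
     *
     * @throws ServletException if the {@link OidcClient} service is unavailable
     * @throws IOException if the response cannot be written
     */
    @Override
    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        boolean hasState = httpServletRequest.getParameter("state") != null;
        boolean isGet = METHOD_GET.equalsIgnoreCase(httpServletRequest.getMethod());
        if (hasState || !isGet) {
            doPost(httpServletRequest, httpServletResponse);
            return;
        }
        // Only the service decides whether this URL may receive fragment tokens.
        if (getOidcClient().isValidRedirectUrl(httpServletRequest)) {
            getTokenFromFragment(httpServletRequest, httpServletResponse);
            return;
        }
        Tr.error(tc, Tr.formatMessage(tc, "OIDC_CLIENT_BAD_GET_REQUEST", new Object[]{httpServletRequest.getRequestURL()}), new Object[0]);
        httpServletResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    }

    /**
     * Handles the OP response that carries {@code state}.
     *
     * <p>The original request URL is recovered from the cookie named
     * {@code WASReqURLOidc} + hash({@code state}); the cookie is invalidated right away so it is
     * single-use. A missing {@code state} or cookie is reported with status 500 (the existing
     * contract). When neither {@code code} nor {@code id_token} is present, the OP's
     * {@code error} parameter is mapped to a 403 by {@link #sendError}.
     *
     * @throws ServletException declared by the servlet contract; nothing in this method throws it
     * @throws IOException if the redirect, form page or error response cannot be written
     */
    @Override
    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        String state = httpServletRequest.getParameter("state");
        if (state == null || state.isEmpty()) {
            Tr.error(tc, Tr.formatMessage(tc, "OIDC_CLIENT_BAD_REQUEST_NO_STATE", new Object[]{httpServletRequest.getRequestURL()}), new Object[0]);
            httpServletResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        String reqUrlCookieName = REQ_URL_COOKIE_PREFIX + HashUtils.getStrHashCode(state);
        String requestUrl = CookieHelper.getCookieValue(httpServletRequest.getCookies(), reqUrlCookieName);
        // Cleared whether or not it was found, so a replayed response cannot reuse it.
        OidcClientUtil.invalidateReferrerURLCookie(httpServletRequest, httpServletResponse, reqUrlCookieName);
        if (isDebugEnabled() && requestUrl != null) {
            Tr.debug(tc, "requestUrl: " + requestUrl, new Object[0]);
        }
        if (requestUrl == null || requestUrl.isEmpty()) {
            Tr.error(tc, Tr.formatMessage(tc, "OIDC_CLIENT_BAD_REQUEST_NO_COOKIE", new Object[]{httpServletRequest.getRequestURL()}), new Object[0]);
            httpServletResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        if (isDebugEnabled()) {
            Tr.debug(tc, "requestURL is not null or empty", new Object[0]);
        }
        String clientConfigId = lastPathSegment(httpServletRequest);
        String stateSuffix = state.length() > STATE_PREFIX_LENGTH ? state.substring(STATE_PREFIX_LENGTH) : null;
        String code = httpServletRequest.getParameter("code");
        String idToken = httpServletRequest.getParameter("id_token");
        if (code == null && idToken == null) {
            sendError(httpServletRequest, httpServletResponse);
        } else {
            sendToRedirectUrl(httpServletRequest, httpServletResponse, requestUrl, state, clientConfigId, stateSuffix, idToken);
        }
    }

    /**
     * Stores the response parameters in the {@code WASOidcCode} cookie and returns the browser to
     * the original request URL: with a POST form when an {@code id_token} or a state suffix is
     * present, with a plain redirect otherwise.
     *
     * @param requestUrl the original request URL recovered from the cookie (client-supplied)
     * @param state the {@code state} parameter
     * @param clientConfigId last path segment of the request URI, used for the config lookup
     * @param stateSuffix the part of {@code state} after the prefix, or {@code null}
     * @param idToken the {@code id_token} parameter, or {@code null}
     * @throws IOException if the response cannot be written
     */
    private void sendToRedirectUrl(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String requestUrl, String state, String clientConfigId, String stateSuffix, String idToken) throws IOException {
        String sessionState = httpServletRequest.getParameter("session_state");
        if (isDebugEnabled()) {
            Tr.debug(tc, "Request info: state: " + state + " session_state: " + sessionState, new Object[0]);
        }
        if (activatedOidcClientImpl == null) {
            // Same guard getOidcRedirectUrl() applies: without an activated client there is no
            // configuration to consult, so fail explicitly instead of with a NullPointerException.
            if (isDebugEnabled()) {
                Tr.debug(tc, "activatedOidcClientImpl is null; cannot complete the redirect", new Object[0]);
            }
            httpServletResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        // Locale.ROOT keeps the scheme check independent of the server's default locale.
        boolean isHttps = requestUrl.toLowerCase(Locale.ROOT).startsWith("https");
        OidcClientConfigImpl oidcClientConfig = activatedOidcClientImpl.getOidcClientConfig(httpServletRequest, clientConfigId);
        OidcClientUtil.setCookieForRequestParameter(httpServletRequest, httpServletResponse, clientConfigId, state, isHttps, oidcClientConfig);
        if ((stateSuffix != null && !stateSuffix.isEmpty()) || idToken != null) {
            postToWASReqURL(httpServletRequest, httpServletResponse, requestUrl, stateSuffix);
            return;
        }
        if (isDebugEnabled()) {
            Tr.debug(tc, "OIDC _SSO RP Servlet redirecting to [" + requestUrl + "]", new Object[0]);
        }
        // NOTE(review): requestUrl comes from a client cookie; its origin is not validated here —
        // confirm the cookie producer restricts it.
        httpServletResponse.sendRedirect(requestUrl);
    }

    /**
     * Maps an OP error response (no {@code code}, no {@code id_token}) to a 403. Only the two
     * known values of the {@code error} parameter are reflected; anything else collapses to
     * {@code access_denied}, so the OP-supplied string never reaches the error page verbatim.
     *
     * @throws IOException if the error response cannot be written
     */
    private void sendError(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String error = httpServletRequest.getParameter("error");
        if ("access_denied".equals(error)) {
            Tr.error(tc, Tr.formatMessage(tc, "OAUTH_REQUEST_ACCESS_DENIED", new Object[0]), new Object[0]);
            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, Tr.formatMessage(tc, "OAUTH_REQUEST_ACCESS_DENIED_ENDUSER", new Object[0]));
            return;
        }
        String reason = "invalid_scope".equals(error) ? "error=invalid_scope" : "error=access_denied";
        httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, reason);
    }

    /**
     * Stores every request parameter except {@code access_token} and {@code id_token} (first
     * value only) as JSON in the {@code WASOidcCode} cookie. The cookie value is
     * base64(JSON + digest(JSON + client secret)); the digest presumably lets the consumer verify
     * integrity, but that check lives elsewhere. Not referenced within this servlet:
     * {@link #doPost} delegates to {@link OidcClientUtil#setCookieForRequestParameter} instead.
     *
     * @param str last path segment of the request URI, used for the config lookup
     * @param str2 the {@code state} parameter (unused here)
     * @param z whether the original request URL is https; with {@code isHttpsRequired()} this
     *          marks the cookie {@code Secure}
     */
    void setCookieForRequestParameter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, boolean z) {
        OidcClientConfigImpl oidcClientConfig = activatedOidcClientImpl.getOidcClientConfig(httpServletRequest, str);
        Map<String, String[]> parameterMap = httpServletRequest.getParameterMap();
        JsonObject requestParameters = new JsonObject();
        for (Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
            String name = entry.getKey();
            String[] values = entry.getValue();
            // Tokens never go into the cookie; only the first value of each other parameter is kept.
            if ("access_token".equals(name) || "id_token".equals(name) || values == null || values.length == 0) {
                continue;
            }
            requestParameters.addProperty(name, values[0]);
        }
        String json = requestParameters.toString();
        if (isDebugEnabled()) {
            Tr.debug(tc, "requestParameters:" + json, new Object[0]);
        }
        String digest = HashUtils.digest(json + oidcClientConfig.getClientSecret());
        // UTF-8 is always available, so no UnsupportedEncodingException path is needed.
        byte[] payload = (json + digest).getBytes(StandardCharsets.UTF_8);
        String cookieValue = Base64Coder.toString(Base64Coder.base64Encode(payload));
        Cookie cookie = OidcClientUtil.createCookie(WASOIDCCODE_COOKIE, cookieValue, httpServletRequest);
        if (oidcClientConfig.isHttpsRequired() && z) {
            cookie.setSecure(true);
        }
        httpServletResponse.addCookie(cookie);
    }

    /**
     * Returns a page that turns a fragment-based OP response into a POST to this endpoint. The
     * page's script parses {@code location.hash} and adds one hidden input per parameter via
     * {@code setAttribute}, so fragment content is never inserted as markup. The form action is the
     * configured server-to-client redirect URL, falling back to the request URL, HTML-encoded.
     *
     * @throws IOException if the page cannot be written
     */
    public void getTokenFromFragment(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String oidcRedirectUrl = getOidcRedirectUrl(httpServletRequest);
        if (oidcRedirectUrl == null) {
            oidcRedirectUrl = httpServletRequest.getRequestURL().toString();
        }
        String action = WebUtils.htmlEncode(oidcRedirectUrl);
        StringBuilder page = new StringBuilder();
        page.append("<HTML xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\"><HEAD><title>Submit This Form</title></HEAD>");
        page.append("<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\">");
        page.append("<BODY onload=\"javascript:document.forms[0].submit()\">");
        page.append("<FORM name=\"redirectform\" id=\"redirectform\" action=\"");
        page.append(action);
        page.append("\" method=\"POST\">");
        page.append("<script type=\"text/javascript\" language=\"javascript\">");
        page.append("function createInput(name, value) {");
        page.append("var input = document.createElement(\"input\");");
        page.append("input.setAttribute(\"type\", \"hidden\");");
        page.append("input.setAttribute(\"name\", name);");
        page.append("input.setAttribute(\"value\", value);");
        page.append("return input;");
        page.append("}");
        page.append("var form=document.forms[0];");
        page.append("var state=null;");
        page.append("var params = {}, postBody = location.hash.substring(1),");
        page.append("regex = /([^&=]+)=([^&]*)/g, m;");
        page.append("while (m = regex.exec(postBody)){");
        page.append("form.appendChild( createInput(decodeURIComponent(m[1]), decodeURIComponent(m[2])));");
        page.append("}");
        page.append("</script>");
        page.append("<button type=\"submit\" name=\"redirectform\">Process Form Post</button></FORM></BODY></HTML>");
        String html = page.toString();
        if (isDebugEnabled()) {
            // The page holds only the action URL, no credentials.
            Tr.debug(tc, "OIDC _SSO RP redirecting (\"POST\")\n" + html, new Object[0]);
        }
        setNoCacheHeaders(httpServletResponse);
        httpServletResponse.setContentType(HTML_UTF8);
        writeHtml(httpServletResponse, html);
    }

    /**
     * Looks up the server-to-client redirect URL of the client configuration identified by the
     * last path segment of the request URI.
     *
     * @return the configured URL, or {@code null} when there is no activated client, no path
     *         segment, or no matching configuration
     */
    private String getOidcRedirectUrl(HttpServletRequest httpServletRequest) {
        if (activatedOidcClientImpl == null) {
            return null;
        }
        String clientConfigId = lastPathSegment(httpServletRequest);
        if (clientConfigId == null || clientConfigId.isEmpty()) {
            return null;
        }
        OidcClientConfigImpl oidcClientConfig = activatedOidcClientImpl.getOidcClientConfig(httpServletRequest, clientConfigId);
        return oidcClientConfig == null ? null : oidcClientConfig.getRedirectUrlFromServerToClient();
    }

    /** Appends one hidden input when {@code value} is non-null; the value is HTML-encoded. */
    private static void appendHiddenInput(StringBuilder page, String name, String value) {
        if (value != null) {
            page.append("<input type=\"hidden\" name=\"").append(name).append("\" value=\"").append(WebUtils.htmlEncode(value)).append("\"/>");
        }
    }

    /**
     * Returns an auto-submitting form that POSTs {@code oidc_client}, {@code access_token} and
     * {@code id_token} (each only when present) to the original request URL. The response is
     * marked non-cacheable and served as UTF-8, matching the page's own charset declaration.
     *
     * @param str the original request URL (client-supplied, HTML-encoded before use)
     * @param str2 the state suffix forwarded as {@code oidc_client}, or {@code null}
     * @throws IOException if the page cannot be written
     */
    protected void postToWASReqURL(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2) throws IOException {
        String accessToken = httpServletRequest.getParameter("access_token");
        String idToken = httpServletRequest.getParameter("id_token");
        if (isDebugEnabled()) {
            // Token values are credentials; only their presence is traced.
            Tr.debug(tc, "id_token present: " + (idToken != null) + ", access_token present: " + (accessToken != null), new Object[0]);
        }
        setNoCacheHeaders(httpServletResponse);
        httpServletResponse.setContentType(HTML_UTF8);
        StringBuilder page = new StringBuilder();
        page.append("<HTML xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\">");
        page.append("<HEAD>");
        page.append("<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"/>");
        page.append("<meta http-equiv=\"Cache-Control\" content=\"no-cache, no-store, must-revalidate\"/>");
        page.append("<meta http-equiv=\"Pragma\" content=\"no-cache\"/>");
        page.append("<meta http-equiv=\"Expires\" content=\"0\"/>");
        page.append("</HEAD>");
        page.append("<BODY onload=\"document.forms[0].submit()\">");
        page.append("<FORM name=\"redirectform\" id=\"redirectform\" action=\"");
        page.append(WebUtils.htmlEncode(str));
        page.append("\" method=\"POST\"><div>");
        appendHiddenInput(page, "oidc_client", str2);
        appendHiddenInput(page, "access_token", accessToken);
        appendHiddenInput(page, "id_token", idToken);
        page.append("</div>");
        page.append("<noscript><div>");
        page.append("<button type=\"submit\" name=\"redirectform\">Process request</button>");
        page.append("</div></noscript>");
        page.append("</FORM></BODY></HTML>");
        if (isDebugEnabled()) {
            // The full page is not traced because it embeds the tokens.
            Tr.debug(tc, "OIDC _SSO RP redirecting by POST to [" + str + "]", new Object[0]);
        }
        writeHtml(httpServletResponse, page.toString());
    }
}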
