package com.ibm.ws.security.openidconnect.client;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.ssl.JSSEHelper;
import com.ibm.websphere.ssl.SSLConfigChangeListener;
import com.ibm.websphere.ssl.SSLException;
import com.ibm.ws.common.internal.encoder.Base64Coder;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.jwk.impl.JwKRetriever;
import com.ibm.ws.security.common.web.WebUtils;
import com.ibm.ws.security.openidconnect.client.internal.OidcClientConfigImpl;
import com.ibm.ws.security.openidconnect.client.jose4j.OidcTokenImpl;
import com.ibm.ws.security.openidconnect.client.jose4j.util.Jose4jUtil;
import com.ibm.ws.security.openidconnect.client.jose4j.util.OidcTokenImplBase;
import com.ibm.ws.security.openidconnect.clients.common.AuthorizationCodeHandler;
import com.ibm.ws.security.openidconnect.clients.common.OIDCClientAuthenticatorUtil;
import com.ibm.ws.security.openidconnect.clients.common.OidcClientConfig;
import com.ibm.ws.security.openidconnect.clients.common.OidcClientUtil;
import com.ibm.ws.security.openidconnect.clients.common.OidcUtil;
import com.ibm.ws.security.openidconnect.token.Payload;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.ProviderAuthenticationResult;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.ssl.SSLSupport;
import com.ibm.wsspi.webcontainer.servlet.IExtendedRequest;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

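/**
 * Relying-party ("client") side of the OpenID Connect authentication flow.
 * <p>
 * The protocol work is delegated to {@link OIDCClientAuthenticatorUtil}; this
 * class post-processes its result (re-running OP discovery after a failure,
 * replacing the id token credential in the subject, invoking the optional
 * user-resolver SPI) and hosts a few helpers used by the surrounding client
 * code: the authorization-code cookie reader, identity assertion of token
 * claims into WebSphere credential properties, request-URL reconstruction and
 * SSL context lookup.
 * <p>
 * Security note: {@link #getAuthzCodeAndStateFromCookie} Java-deserializes a
 * browser-supplied cookie. Deserialization is therefore restricted to the
 * classes the cookie is expected to contain (see {@link CookieObjectInputStream}).
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:com/ibm/ws/security/openidconnect/client/OidcClientAuthenticator.class */
public class OidcClientAuthenticator {
    private static final TraceComponent tc = Tr.register(OidcClientAuthenticator.class, "OpenIdConnect", "com.ibm.ws.security.openidconnect.client.internal.resources.OidcClientMessages");

    /** Cookie that carries the serialized authorization code / state table. */
    private static final String AUTHZ_CODE_COOKIE = "WASOidcCode";

    OidcClientUtil oidcClientUtil;
    private SSLSupport sslSupport;
    private final JwKRetriever retriever;
    private Jose4jUtil jose4jUtil;
    private OIDCClientAuthenticatorUtil authenticatorUtil;
    private static final String SIGNATURE_ALG_HS256 = "HS256";
    private static final String SIGNATURE_ALG_RS256 = "RS256";
    private static final String SIGNATURE_ALG_NONE = "none";
    private final AuthorizationCodeHandler authzCodeHandler;
    static final long serialVersionUID = -8207639822773439459L;

    /**
     * Creates an authenticator without SSL support. {@code jose4jUtil} and
     * {@code sslSupport} stay {@code null}; {@link #getSSLContext} will then
     * return {@code null} (or throw for https URLs).
     */
    public OidcClientAuthenticator() {
        this.oidcClientUtil = new OidcClientUtil();
        this.retriever = null;
        this.authzCodeHandler = null;
        this.authenticatorUtil = new OIDCClientAuthenticatorUtil();
    }

    /**
     * Creates an authenticator that resolves SSL configuration through the
     * given {@link SSLSupport} service reference.
     *
     * @param atomicServiceReference reference whose current service is captured
     *                               once, at construction time
     */
    public OidcClientAuthenticator(AtomicServiceReference<SSLSupport> atomicServiceReference) {
        this.oidcClientUtil = new OidcClientUtil();
        this.retriever = null;
        this.authzCodeHandler = null;
        this.sslSupport = (SSLSupport) atomicServiceReference.getService();
        this.jose4jUtil = new Jose4jUtil(this.sslSupport);
        this.authenticatorUtil = new OIDCClientAuthenticatorUtil(this.sslSupport);
    }

    /**
     * Runs the authentication flow and applies the post-processing steps in
     * order: discovery refresh, subject fix-up, user-resolver SPI mapping.
     *
     * @return the (possibly re-mapped) authentication result
     */
    public ProviderAuthenticationResult authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OidcClientConfig oidcClientConfig) {
        ProviderAuthenticationResult result = this.authenticatorUtil.authenticate(httpServletRequest, httpServletResponse, oidcClientConfig);
        result = discoverOPAgain(result, oidcClientConfig);
        result = fixSubject(result);
        return invokeUserResolverSPI(result, oidcClientConfig);
    }

    /**
     * Refreshes OP discovery metadata when discovery is in use: after a
     * non-successful result and once the configured back-off has elapsed, the
     * discovery endpoint is re-read; after a success the next discovery time
     * is pushed out. The result itself is returned unchanged.
     * <p>
     * Note: the config is cast to {@link OidcClientConfigImpl} unconditionally.
     */
    private ProviderAuthenticationResult discoverOPAgain(ProviderAuthenticationResult providerAuthenticationResult, OidcClientConfig oidcClientConfig) {
        OidcClientConfigImpl configImpl = (OidcClientConfigImpl) oidcClientConfig;
        boolean succeeded = providerAuthenticationResult.getStatus() == AuthResult.SUCCESS;
        if (!configImpl.isDiscoveryInUse()) {
            return providerAuthenticationResult;
        }
        if (succeeded) {
            configImpl.setNextDiscoveryTime();
        } else if (System.currentTimeMillis() > configImpl.getNextDiscoveryTime()) {
            configImpl.handleDiscoveryEndpoint(configImpl.getDiscoveryEndpointUrl());
        }
        return providerAuthenticationResult;
    }

    /**
     * Hands the result to the token-mapping (user resolver) SPI when one is
     * active. The {@code id_token_object} custom property is always removed;
     * when the SPI is active the uniqueId/realm/groups credential properties
     * are dropped too so that the SPI's mapping is authoritative.
     *
     * @return the original result, or the SPI's re-mapped result
     */
    private ProviderAuthenticationResult invokeUserResolverSPI(ProviderAuthenticationResult providerAuthenticationResult, OidcClientConfig oidcClientConfig) {
        Hashtable customProperties = providerAuthenticationResult.getCustomProperties();
        if (customProperties == null) {
            return providerAuthenticationResult;
        }
        OidcTokenImplBase idToken = (OidcTokenImplBase) customProperties.get("id_token_object");
        if (idToken == null) {
            return providerAuthenticationResult;
        }
        customProperties.remove("id_token_object");
        AttributeToSubjectExt attributeToSubjectExt = new AttributeToSubjectExt(oidcClientConfig, idToken);
        if (!attributeToSubjectExt.isTokenMappingSpi()) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "token mapping SPI is not active", new Object[0]);
            }
            return providerAuthenticationResult;
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "token mapping SPI is active, updating mapping.", new Object[0]);
        }
        // Let the SPI decide identity, realm and groups from scratch.
        customProperties.remove("com.ibm.wsspi.security.cred.uniqueId");
        customProperties.remove("com.ibm.wsspi.security.cred.realm");
        customProperties.remove("com.ibm.wsspi.security.cred.groups");
        return attributeToSubjectExt.doMapping(providerAuthenticationResult.getCustomProperties(), providerAuthenticationResult.getSubject());
    }

    /**
     * Replaces the id token in the subject's private credentials with an
     * {@link OidcTokenImpl} wrapper. Only the first private credential is
     * inspected; it is swapped only if it is an {@link OidcTokenImplBase}.
     *
     * @return the same result, with the subject possibly modified in place
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public ProviderAuthenticationResult fixSubject(ProviderAuthenticationResult providerAuthenticationResult) {
        if (providerAuthenticationResult.getSubject() == null) {
            return providerAuthenticationResult;
        }
        Set<Object> privateCredentials = providerAuthenticationResult.getSubject().getPrivateCredentials();
        if (privateCredentials.isEmpty()) {
            return providerAuthenticationResult;
        }
        Object first = privateCredentials.iterator().next();
        if (first instanceof OidcTokenImplBase) {
            privateCredentials.remove(first);
            privateCredentials.add(new OidcTokenImpl((OidcTokenImplBase) first));
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "idToken in subject is replaced with OidcTokenImpl", new Object[0]);
            }
        }
        return providerAuthenticationResult;
    }

    /** Delegates the redirect to the OP's authorization endpoint. */
    ProviderAuthenticationResult handleRedirectToServer(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OidcClientConfig oidcClientConfig) {
        return this.authenticatorUtil.handleRedirectToServer(httpServletRequest, httpServletResponse, oidcClientConfig);
    }

    /**
     * Reads and consumes the {@code WASOidcCode} cookie, which holds a
     * base64-encoded, Java-serialized table of authorization code and state.
     * <p>
     * The cookie value is attacker-controllable, so it is deserialized through
     * {@link CookieObjectInputStream}, which only admits {@link Hashtable} and
     * {@link String}. A cookie carrying any other class, or a table whose
     * entries are not all strings, is treated like a corrupt cookie and yields
     * {@code null}. The cookie is invalidated before parsing either way.
     *
     * @return the decoded table, or {@code null} when the cookie is absent,
     *         empty, malformed or not of the expected shape
     */
    Hashtable<String, String> getAuthzCodeAndStateFromCookie(IExtendedRequest iExtendedRequest, HttpServletResponse httpServletResponse) {
        byte[] cookieValueAsBytes = iExtendedRequest.getCookieValueAsBytes(AUTHZ_CODE_COOKIE);
        if (cookieValueAsBytes == null || cookieValueAsBytes.length == 0) {
            return null;
        }
        // Single-use: clear the cookie before parsing so a bad value is never re-processed.
        OidcClientUtil.invalidateReferrerURLCookie(iExtendedRequest, httpServletResponse, AUTHZ_CODE_COOKIE);
        Hashtable<String, String> hashtable = null;
        try {
            // Closing is unnecessary: the stream is backed by an in-memory byte array.
            ObjectInputStream in = new CookieObjectInputStream(new ByteArrayInputStream(Base64Coder.base64Decode(cookieValueAsBytes)));
            hashtable = asStringTable(in.readObject());
            if (hashtable == null && TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "getAuthzCodeAndState: cookie did not contain a String-to-String table, ignoring it", new Object[0]);
            }
        } catch (IOException e) {
            // Also reached when CookieObjectInputStream rejects a class (InvalidClassException).
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.client.OidcClientAuthenticator", "218", this, new Object[]{iExtendedRequest, httpServletResponse});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "getAuthzCodeAndState encounted an un-expected exception: " + e, new Object[0]);
            }
        } catch (ClassNotFoundException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.openidconnect.client.OidcClientAuthenticator", "222", this, new Object[]{iExtendedRequest, httpServletResponse});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "getAuthzCodeAndState encounted an un-expected exception: " + e2, new Object[0]);
            }
        }
        return hashtable;
    }

    /**
     * Returns {@code decoded} as a String-to-String table when it is a
     * {@link Hashtable} whose keys and values are all {@link String}s;
     * otherwise {@code null}. Prevents a cookie that survived deserialization
     * from surfacing as a ClassCastException at the caller.
     */
    @SuppressWarnings("unchecked")
    private static Hashtable<String, String> asStringTable(Object decoded) {
        if (!(decoded instanceof Hashtable)) {
            return null;
        }
        Hashtable<?, ?> table = (Hashtable<?, ?>) decoded;
        // Hashtable never holds null keys or values, so instanceof is sufficient.
        for (Map.Entry<?, ?> entry : table.entrySet()) {
            if (!(entry.getKey() instanceof String) || !(entry.getValue() instanceof String)) {
                return null;
            }
        }
        return (Hashtable<String, String>) table;
    }

    /**
     * {@link ObjectInputStream} restricted to the classes the
     * {@code WASOidcCode} cookie is expected to carry. Any other class
     * descriptor, and any dynamic proxy, is rejected with an
     * {@link InvalidClassException} so that a forged cookie cannot pick
     * arbitrary classes to instantiate.
     * <p>
     * NOTE(review): the code that writes this cookie is not in this file; if it
     * ever stores anything other than String keys/values in the table, extend
     * this allow-list and {@link #asStringTable} accordingly — confirm against
     * the writer. {@code java.lang.String} is normally streamed as a string
     * record (not via a class descriptor) and is listed here for completeness.
     */
    private static final class CookieObjectInputStream extends ObjectInputStream {
        CookieObjectInputStream(ByteArrayInputStream source) throws IOException {
            super(source);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String className = desc.getName();
            if (Hashtable.class.getName().equals(className) || String.class.getName().equals(className)) {
                return super.resolveClass(desc);
            }
            throw new InvalidClassException(className, "class not permitted in the " + AUTHZ_CODE_COOKIE + " cookie");
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
            throw new InvalidClassException("proxy", "proxy classes are not permitted in the " + AUTHZ_CODE_COOKIE + " cookie");
        }
    }

    /**
     * Asserts the identity from the token payload into WebSphere credential
     * properties, unless the identity is to be mapped to a registry user (or
     * there is no payload).
     * <ul>
     * <li>realm: the configured realm claim, falling back to {@code iss}</li>
     * <li>uniqueId: {@code "user:" + realm + "/" + user}, where user is the
     *     configured unique-user claim, falling back to the subject claim</li>
     * <li>groups: {@code "group:" + realm + "/" + g} for each configured group claim value</li>
     * <li>LTPA SSO cache disabled when the config says so</li>
     * </ul>
     * NOTE(review): when neither the realm claim nor {@code iss} is present,
     * {@code realm} is {@code null} and the uniqueId contains the literal text
     * "null" (the realm property is then simply not set). Existing behavior,
     * kept as is. The claim values are cast to String / ArrayList without a
     * type check, so a claim of another JSON type fails with a
     * ClassCastException.
     *
     * @param hashtable        credential properties to populate
     * @param payload          id token claims, may be {@code null}
     * @param oidcClientConfig client configuration naming the claims to use
     */
    void doIdAssertion(Hashtable<String, Object> hashtable, Payload payload, OidcClientConfig oidcClientConfig) {
        if (oidcClientConfig.isMapIdentityToRegistryUser() || payload == null) {
            return;
        }
        String realm = (String) payload.get(oidcClientConfig.getRealmIdentifier());
        if (realm == null || realm.isEmpty()) {
            realm = (String) payload.get("iss");
        }
        String user = (String) payload.get(oidcClientConfig.getUniqueUserIdentifier());
        if (user == null || user.isEmpty()) {
            user = (String) payload.get(oidcClientConfig.getUserIdentityToCreateSubject());
        }
        String uniqueId = "user:" + realm + "/" + user;

        ArrayList groupClaims = (ArrayList) payload.get(oidcClientConfig.getGroupIdentifier());
        ArrayList groups = new ArrayList();
        if (groupClaims != null && !groupClaims.isEmpty()) {
            Iterator it = groupClaims.iterator();
            while (it.hasNext()) {
                groups.add("group:" + realm + "/" + it.next());
            }
        }

        hashtable.put("com.ibm.wsspi.security.cred.uniqueId", uniqueId);
        if (realm != null && !realm.isEmpty()) {
            hashtable.put("com.ibm.wsspi.security.cred.realm", realm);
        }
        if (!groups.isEmpty()) {
            hashtable.put("com.ibm.wsspi.security.cred.groups", groups);
        }
        if (oidcClientConfig.isDisableLtpaCookie()) {
            hashtable.put("com.ibm.ws.authentication.internal.disable.ltpa.sso.cache", Boolean.TRUE);
        }
    }

    /** Returns the issuer identifier for the configuration, as resolved by the util. */
    public String getIssuerIdentifier(OidcClientConfig oidcClientConfig) {
        return this.authenticatorUtil.getIssuerIdentifier(oidcClientConfig);
    }

    /**
     * Reconstructs the request URL including the (encoded) query string.
     * For https requests the port reported by {@link WebUtils#getRedirectPortFromRequest}
     * (presumably the externally visible port when a proxy/plug-in fronts the
     * server — confirm) replaces the server port when the two differ.
     * <p>
     * NOTE(review): the rebuilt URL uses {@code getServerName()}, which is
     * typically derived from the Host header; callers using this value as a
     * redirect target should rely on the container's host validation.
     *
     * @return the absolute request URL, with the query string appended if present
     */
    String getReqURL(HttpServletRequest httpServletRequest) {
        Integer realPort = null;
        if (httpServletRequest.getScheme().toLowerCase().contains("https")) {
            realPort = new WebUtils().getRedirectPortFromRequest(httpServletRequest);
        }
        int serverPort = httpServletRequest.getServerPort();
        boolean rewritePort = realPort != null && realPort.intValue() != serverPort;
        if (rewritePort && TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "serverport = " + serverPort + "real port is " + realPort.toString() + ", url will be rewritten to use real port", new Object[0]);
        }

        StringBuffer requestURL;
        if (rewritePort) {
            requestURL = new StringBuffer()
                    .append(httpServletRequest.getScheme())
                    .append("://")
                    .append(httpServletRequest.getServerName())
                    .append(":")
                    .append(realPort)
                    .append(httpServletRequest.getRequestURI());
        } else {
            requestURL = httpServletRequest.getRequestURL();
        }
        String queryString = httpServletRequest.getQueryString();
        if (queryString != null) {
            requestURL.append("?").append(OidcUtil.encodeQuery(queryString));
        }
        return requestURL.toString();
    }

    /**
     * Looks up the SSL context for an SSL configuration alias.
     *
     * @param str  the target URL; used only to decide whether a missing
     *             context is fatal (it is for {@code https} URLs)
     * @param str2 SSL configuration alias passed to the JSSE helper
     * @param str3 identifier inserted into the error message
     * @return the context, or {@code null} when no SSL support is available
     *         and the URL is not https
     * @throws SSLException when the URL is https and no context can be obtained
     */
    protected SSLContext getSSLContext(String str, String str2, String str3) throws SSLException {
        SSLContext sslContext = null;
        JSSEHelper jsseHelper = getJSSEHelper();
        if (jsseHelper != null) {
            sslContext = jsseHelper.getSSLContext(str2, (Map) null, (SSLConfigChangeListener) null, true);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "sslContext () get: " + sslContext, new Object[0]);
            }
        }
        boolean httpsTarget = str != null && str.startsWith("https");
        if (sslContext == null && httpsTarget) {
            throw new SSLException(Tr.formatMessage(tc, "OIDC_CLIENT_HTTPS_WITH_SSLCONTEXT_NULL", new Object[]{"Null ssl conext", str3}));
        }
        return sslContext;
    }

    /**
     * @return the JSSE helper from the SSL support service, or {@code null}
     *         when this instance was created without SSL support
     */
    protected JSSEHelper getJSSEHelper() throws SSLException {
        return this.sslSupport == null ? null : this.sslSupport.getJSSEHelper();
    }
}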
