package com.ibm.ws.security.openidconnect.clients.common;

import com.ibm.json.java.JSONObject;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.openidconnect.common.Constants;
import com.ibm.ws.webcontainer.security.ProviderAuthenticationResult;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.SSLSocketFactory;
import org.apache.http.HttpResponse;
import org.apache.http.util.EntityUtils;

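/**
 * Retrieves the OpenID Connect UserInfo document for an authenticated user and, once its
 * {@code sub} claim has been checked against the expected subject, stores the raw document in
 * the {@link ProviderAuthenticationResult}'s custom properties under
 * {@link Constants#USERINFO_STR}.
 *
 * <p>The retrieval is best-effort: any transport or parsing failure is recorded through FFDC and
 * reported to the caller as {@code false} from {@link #getUserInfo}, never as an exception.
 *
 * <p>NOTE(review): this class only understands a JSON userinfo body. A provider that returns a
 * signed/encrypted JWT body will fail the {@code sub} check here; confirm that is the intended
 * behaviour for the supported providers.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class UserInfoHelper {
    private static final TraceComponent tc = Tr.register(UserInfoHelper.class, "OPENIDCONNECT", "com.ibm.ws.security.openidconnect.clients.common.resources.OidcClientMessages");

    /** Only a 200 response from the userinfo endpoint is accepted; anything else is logged and dropped. */
    private static final int HTTP_OK = 200;

    /** Name of the JSON claim that identifies the subject of the userinfo document. */
    private static final String SUB_CLAIM = "sub";

    private static final String CLASS_NAME = "com.ibm.ws.security.openidconnect.clients.common.UserInfoHelper";

    private final ConvergedClientConfig clientConfig;
    static final long serialVersionUID = 932675445799467539L;

    /**
     * @param convergedClientConfig client configuration supplying the userinfo endpoint URL and the
     *                              TLS / HTTP settings used to reach it
     */
    public UserInfoHelper(ConvergedClientConfig convergedClientConfig) {
        this.clientConfig = convergedClientConfig;
    }

    /**
     * @return {@code true} when the configuration names a userinfo endpoint and userinfo retrieval
     *         is switched on; otherwise {@link #getUserInfo} is a no-op returning {@code false}
     */
    public boolean willRetrieveUserInfo() {
        return this.clientConfig.getUserInfoEndpointUrl() != null && this.clientConfig.isUserInfoEnabled();
    }

    /**
     * Fetches the userinfo document and attaches it to the authentication result.
     *
     * @param providerAuthenticationResult result whose custom properties receive the raw userinfo
     *                                     JSON on success
     * @param sSLSocketFactory             socket factory used for the HTTPS call to the endpoint
     * @param accessToken                  token presented to the userinfo endpoint; assumed to be the
     *                                     OAuth access token from its position in
     *                                     {@code OidcClientUtil.getUserinfo} — confirm with callers
     * @param expectedSubject              subject the document's {@code sub} claim must equal
     *                                     (presumably the ID token's {@code sub}; verify against caller)
     * @return {@code true} only when retrieval is enabled, the endpoint answered 200 with a JSON
     *         body, and that body's {@code sub} equals {@code expectedSubject}; {@code false} on
     *         every failure (the failure has already been logged or FFDC'd)
     */
    public boolean getUserInfo(ProviderAuthenticationResult providerAuthenticationResult, SSLSocketFactory sSLSocketFactory, String accessToken, String expectedSubject) {
        if (!willRetrieveUserInfo() || accessToken == null) {
            return false;
        }
        String userInfo = getUserInfoFromURL(this.clientConfig, sSLSocketFactory, accessToken);
        if (userInfo == null || !isUserInfoValid(userInfo, expectedSubject)) {
            return false;
        }
        updateAuthenticationResultPropertiesWithUserInfo(providerAuthenticationResult, userInfo);
        return true;
    }

    /**
     * Stores the raw userinfo document in the result's custom properties.
     *
     * @param providerAuthenticationResult result to update
     * @param userInfo                     raw userinfo body as returned by the endpoint
     */
    protected void updateAuthenticationResultPropertiesWithUserInfo(ProviderAuthenticationResult providerAuthenticationResult, String userInfo) {
        providerAuthenticationResult.getCustomProperties().put(Constants.USERINFO_STR, userInfo);
    }

    /**
     * Checks that the userinfo document belongs to the expected subject. This is the only binding
     * between the fetched document and the authenticated user, so a mismatch (or an unparsable or
     * {@code sub}-less document) rejects the document outright.
     *
     * <p>NOTE(review): the USERINFO_INVALID message receives the entire userinfo body, which may
     * contain personal data; consider whether that belongs in an error-level log.
     *
     * @param userInfo        raw userinfo body
     * @param expectedSubject subject the body must carry in its {@code sub} claim
     * @return {@code true} when both values are non-null and equal; {@code false} otherwise, after
     *         logging USERINFO_INVALID
     */
    protected boolean isUserInfoValid(String userInfo, String expectedSubject) {
        String actualSubject = getUserInfoSubClaim(userInfo);
        if (actualSubject != null && actualSubject.equals(expectedSubject)) {
            return true;
        }
        Tr.error(tc, "USERINFO_INVALID", new Object[]{userInfo, expectedSubject});
        return false;
    }

    /**
     * Extracts the {@code sub} claim from a JSON userinfo body.
     *
     * @param userInfo raw userinfo body; may be null or malformed
     * @return the {@code sub} value when the body parses as a JSON object and {@code sub} is a
     *         string; {@code null} if the body cannot be parsed, has no {@code sub}, or carries a
     *         non-string {@code sub}
     */
    protected String getUserInfoSubClaim(String userInfo) {
        JSONObject parsed = null;
        try {
            parsed = JSONObject.parse(userInfo);
        } catch (Exception e) {
            FFDCFilter.processException(e, CLASS_NAME, "86", this, new Object[]{userInfo});
        }
        if (parsed == null) {
            return null;
        }
        // A provider-controlled document may carry a non-string "sub" (number, object, ...);
        // treat that as "no subject" rather than letting a ClassCastException escape.
        Object sub = parsed.get(SUB_CLAIM);
        return sub instanceof String ? (String) sub : null;
    }

    /**
     * Calls the configured userinfo endpoint with the access token and returns the response body.
     *
     * <p>When {@code isHttpsRequired()} is set, a non-https endpoint URL is refused before any
     * request is made. Hostname verification and the system-properties flag are passed through to
     * {@code OidcClientUtil.getUserinfo} unchanged.
     *
     * @param convergedClientConfig client configuration (endpoint URL, TLS and HTTP client settings)
     * @param sSLSocketFactory      socket factory for the HTTPS call
     * @param accessToken           token presented to the endpoint
     * @return the response body when the endpoint returned 200; {@code null} on any other status,
     *         on a transport failure, or when the endpoint URL is not https but https is required
     *         (each case is logged or FFDC'd first)
     */
    protected String getUserInfoFromURL(ConvergedClientConfig convergedClientConfig, SSLSocketFactory sSLSocketFactory, String accessToken) {
        String userInfoEndpointUrl = convergedClientConfig.getUserInfoEndpointUrl();
        boolean hostNameVerificationEnabled = convergedClientConfig.isHostNameVerificationEnabled();
        // Locale.ROOT: default-locale lower-casing (e.g. Turkish dotless i) could make "HTTPS:" fail
        // the scheme check and silently refuse a valid endpoint.
        if (!userInfoEndpointUrl.toLowerCase(Locale.ROOT).startsWith("https:") && convergedClientConfig.isHttpsRequired()) {
            Tr.error(tc, "OIDC_CLIENT_URL_PROTOCOL_NOT_HTTPS", new Object[]{userInfoEndpointUrl});
            return null;
        }
        int statusCode = 0;
        String responseBody = null;
        try {
            Map<String, Object> result = new OidcClientUtil().getUserinfo(userInfoEndpointUrl, accessToken, sSLSocketFactory, hostNameVerificationEnabled, convergedClientConfig.getUseSystemPropertiesForHttpClientConnections());
            if (result == null) {
                throw new IllegalStateException("result map from getUserinfo is null");
            }
            HttpResponse httpResponse = (HttpResponse) result.get(ClientConstants.RESPONSEMAP_CODE);
            if (httpResponse == null) {
                throw new IllegalStateException("HttpResponse from getUserinfo is null");
            }
            statusCode = httpResponse.getStatusLine().getStatusCode();
            responseBody = EntityUtils.toString(httpResponse.getEntity(), "UTF-8");
        } catch (Exception e) {
            // Every failure (null result, missing response, I/O or entity error) lands here, leaving
            // statusCode at 0 so the caller sees a failed retrieval.
            // The access token is deliberately NOT included in the FFDC record: it is a bearer
            // credential and must not be written to diagnostic logs.
            FFDCFilter.processException(e, CLASS_NAME, "121", this, new Object[]{convergedClientConfig, sSLSocketFactory});
        }
        if (statusCode == HTTP_OK) {
            return responseBody;
        }
        Tr.error(tc, "USERINFO_RETREIVE_FAILED", new Object[]{userInfoEndpointUrl, Integer.toString(statusCode), responseBody});
        return null;
    }
}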
