package com.ibm.ws.security.openidconnect.clients.common;

import com.ibm.json.java.JSONObject;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ssl.SSLException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.openidconnect.client.jose4j.util.Jose4jUtil;
import com.ibm.ws.security.openidconnect.client.jose4j.util.OidcTokenImplBase;
import com.ibm.ws.security.openidconnect.common.Constants;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.ProviderAuthenticationResult;
import com.ibm.wsspi.ssl.SSLSupport;
import java.io.IOException;
import java.io.PrintWriter;
import java.net.MalformedURLException;
import java.util.HashMap;
import javax.net.ssl.SSLSocketFactory;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

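/**
 * Relying-party side of the OpenID Connect authorization-code grant.
 *
 * <p>Given the {@code code} and {@code state} the OpenID Provider (OP) redirected back with,
 * {@link #handleAuthorizationCode} (1) has {@link OIDCClientAuthenticatorUtil#verifyResponseState}
 * check the state before anything else, (2) enforces the configured HTTPS requirement on the
 * token endpoint and on the redirect URI, (3) exchanges the code for tokens through the
 * configured SSL socket factory, (4) turns the returned ID token into a
 * {@link ProviderAuthenticationResult} via Jose4j, and (5) optionally calls the UserInfo
 * endpoint with the access token.
 *
 * <p>Every failure is mapped to a non-success {@link ProviderAuthenticationResult} (mostly
 * {@code SEND_401}); the only failure surfaced to the user agent as a JSON body is a
 * {@link BadPostRequestException} from the token endpoint.
 *
 * <p>Note on the compiled original: its {@code catch (BadPostRequestException)} /
 * {@code catch (Exception)} blocks enclosed only the {@code getTokenEndpointUrl()} getter, so
 * failures of the actual token-endpoint call fell through with {@code tokenEndpointUrl}
 * unassigned and the {@link MalformedURLException} thrown inside the method had no handler.
 * The handlers now wrap the whole exchange, which is the only ordering under which the
 * assigned results are ever returned.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/security/openidconnect/clients/common/AuthorizationCodeHandler.class */
public class AuthorizationCodeHandler {
    private static final TraceComponent tc = Tr.register(AuthorizationCodeHandler.class, "OPENIDCONNECT", "com.ibm.ws.security.openidconnect.clients.common.resources.OidcClientMessages");
    /** Performs the HTTP POST to the token endpoint. */
    private OidcClientUtil oidcClientUtil;
    /** State verification, redirect-URI defaulting and https checks. */
    private OIDCClientAuthenticatorUtil authenticatorUtil;
    /** Source of SSL socket factories, looked up by SSL configuration name. */
    private SSLSupport sslSupport;
    /** Validates the ID token and builds the authentication result. */
    private Jose4jUtil jose4jUtil;
    /** Present in the compiled class although it does not implement Serializable; kept as-is. */
    static final long serialVersionUID = -4789649376728612881L;

    /**
     * Wires the helper objects. The protected {@code get*} factories are invoked from the
     * constructor (an extension seam, e.g. for test doubles); an override must not depend on
     * its own subclass fields, which are not initialised yet at that point. {@code sslSupport}
     * is assigned before {@link #getJose4jUtil} is called, matching the original order.
     *
     * @param sSLSupport SSL support used to resolve socket factories by configuration name
     */
    public AuthorizationCodeHandler(SSLSupport sSLSupport) {
        this.oidcClientUtil = getOidcClientUtil();
        this.authenticatorUtil = getOIDCClientAuthenticatorUtil();
        this.sslSupport = sSLSupport;
        this.jose4jUtil = getJose4jUtil(this.sslSupport);
    }

    /** Factory for the token-endpoint client; override to substitute a test double. */
    protected OidcClientUtil getOidcClientUtil() {
        return new OidcClientUtil();
    }

    /** Factory for the state/redirect/https helper; override to substitute a test double. */
    protected OIDCClientAuthenticatorUtil getOIDCClientAuthenticatorUtil() {
        return new OIDCClientAuthenticatorUtil();
    }

    /** Factory for the ID-token validator; override to substitute a test double. */
    protected Jose4jUtil getJose4jUtil(SSLSupport sSLSupport) {
        return new Jose4jUtil(sSLSupport);
    }

    /**
     * Completes the authorization-code flow for one callback request.
     *
     * @param httpServletRequest  the callback request from the user agent; must carry the
     *                            {@link OidcClientRequest} stored under
     *                            {@code ClientConstants.ATTRIB_OIDC_CLIENT_REQUEST} by the front channel
     * @param httpServletResponse the response; only written to for a token-endpoint rejection
     * @param authzCode           the authorization code returned by the OP (passed through to the
     *                            token request; presumably the {@code code} query parameter)
     * @param responseState       the {@code state} value returned by the OP; verified against what
     *                            this client issued and handed to Jose4j together with the tokens
     * @param clientConfig        the client configuration (client id/secret, endpoints, TLS settings)
     * @return a success result built from the validated ID token, or a {@code SEND_401} /
     *         {@code FAILURE} result; never null
     */
    public ProviderAuthenticationResult handleAuthorizationCode(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String authzCode, String responseState, ConvergedClientConfig clientConfig) {
        String clientId = clientConfig.getClientId();
        String tokenEndpointUrl = clientConfig.getTokenEndpointUrl();
        OidcClientRequest oidcClientRequest = (OidcClientRequest) httpServletRequest.getAttribute(ClientConstants.ATTRIB_OIDC_CLIENT_REQUEST);

        // 1. State check first. A non-null result means the state did not match what this
        //    client issued (or was missing); no token-endpoint traffic happens for an
        //    unsolicited or replayed callback.
        ProviderAuthenticationResult stateFailure = this.authenticatorUtil.verifyResponseState(httpServletRequest, httpServletResponse, responseState, clientConfig);
        if (stateFailure != null) {
            return stateFailure;
        }

        // 2. Transport requirements. The client secret and the code travel to the token
        //    endpoint, and the redirect URI is sent along for binding; both are refused as
        //    plain http when checkHttpsRequirement says the configuration requires https.
        if (!OIDCClientAuthenticatorUtil.checkHttpsRequirement(clientConfig, tokenEndpointUrl)) {
            Tr.error(tc, "OIDC_CLIENT_URL_PROTOCOL_NOT_HTTPS", new Object[]{tokenEndpointUrl});
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
        String redirectUri = this.authenticatorUtil.setRedirectUrlIfNotDefined(httpServletRequest, clientConfig);
        if (!OIDCClientAuthenticatorUtil.checkHttpsRequirement(clientConfig, redirectUri)) {
            Tr.error(tc, "OIDC_CLIENT_URL_PROTOCOL_NOT_HTTPS", new Object[]{redirectUri});
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }

        try {
            SSLSocketFactory sslSocketFactory = getSSLSocketFactory(tokenEndpointUrl, clientConfig.getSSLConfigurationName(), clientId);
            if (tokenEndpointUrl == null || tokenEndpointUrl.length() == 0) {
                // Handled by the generic catch below and reported as a token request failure.
                throw new MalformedURLException("MalformedURLException");
            }

            // 3. Code-for-token exchange. Hostname verification is a per-client switch; with it
            //    disabled, any host presenting a certificate trusted by the factory can stand in
            //    for the token endpoint and receive the client secret.
            HashMap<String, String> tokens = this.oidcClientUtil.getTokensFromAuthzCode(tokenEndpointUrl, clientId, clientConfig.getClientSecret(), redirectUri, authzCode, clientConfig.getGrantType(), sslSocketFactory, clientConfig.isHostNameVerificationEnabled(), clientConfig.getTokenEndpointAuthMethod(), OIDCClientAuthenticatorUtil.getResources(clientConfig), clientConfig.getTokenRequestParams(), clientConfig.getUseSystemPropertiesForHttpClientConnections());

            // 4. ID-token validation and result construction happen inside Jose4jUtil. A missing
            //    request attribute surfaces as an NPE here and is turned into a 401 below.
            oidcClientRequest.setTokenType("ID Token");
            ProviderAuthenticationResult result = this.jose4jUtil.createResultWithJose4J(responseState, tokens, clientConfig, oidcClientRequest);

            // 5. Optional UserInfo lookup, keyed by the subject of the validated ID token.
            retrieveUserInfoIfConfigured(result, clientConfig, sslSocketFactory, tokens);
            return result;
        } catch (SSLException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.clients.common.AuthorizationCodeHandler", "97", this, new Object[]{httpServletRequest, httpServletResponse, authzCode, responseState, clientConfig});
            String reason = e.getMessage() != null ? e.getMessage() : "invalid ssl context";
            Tr.error(tc, "OIDC_CLIENT_HTTPS_WITH_SSLCONTEXT_NULL", new Object[]{reason, clientConfig.getClientId()});
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        } catch (BadPostRequestException e) {
            // The token endpoint rejected the request. Its error text is echoed to the user
            // agent as a JSON body, so it must not carry the client secret or any token --
            // NOTE(review): presumably BadPostRequestException wraps only the OP's error
            // response; confirm in OidcClientUtil.
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.clients.common.AuthorizationCodeHandler", "143", this, new Object[]{httpServletRequest, httpServletResponse, authzCode, responseState, clientConfig});
            Tr.error(tc, "OIDC_CLIENT_TOKEN_REQUEST_FAILURE", new Object[]{e.getErrorMessage(), clientId, tokenEndpointUrl});
            sendErrorJSON(httpServletResponse, e.getStatusCode(), "invalid_request", e.getErrorMessage());
            return new ProviderAuthenticationResult(AuthResult.FAILURE, e.getStatusCode());
        } catch (Exception e) {
            // Anything else (malformed endpoint URL, I/O, token validation, NPE) fails closed.
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.clients.common.AuthorizationCodeHandler", "147", this, new Object[]{httpServletRequest, httpServletResponse, authzCode, responseState, clientConfig});
            Tr.error(tc, "OIDC_CLIENT_TOKEN_REQUEST_FAILURE", new Object[]{e.getLocalizedMessage(), clientId, tokenEndpointUrl});
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
    }

    /**
     * Calls the UserInfo endpoint when the configuration asks for it and the result carries a
     * validated ID token with a subject. Without a subject the lookup is skipped rather than
     * performed against an identity that was not established by the ID token.
     *
     * @param result           the result built from the ID token; enriched in place by the helper
     * @param clientConfig     client configuration consulted by {@link UserInfoHelper}
     * @param sslSocketFactory factory used for the UserInfo call (may be null for non-https)
     * @param tokens           token-endpoint response; the access token is read from it
     */
    private void retrieveUserInfoIfConfigured(ProviderAuthenticationResult result, ConvergedClientConfig clientConfig, SSLSocketFactory sslSocketFactory, HashMap<String, String> tokens) {
        UserInfoHelper userInfoHelper = new UserInfoHelper(clientConfig);
        if (!userInfoHelper.willRetrieveUserInfo()) {
            return;
        }
        String subject = null;
        if (result.getCustomProperties() != null) {
            OidcTokenImplBase idToken = (OidcTokenImplBase) result.getCustomProperties().get(Constants.ID_TOKEN_OBJECT);
            if (idToken != null) {
                subject = idToken.getSubject();
            }
        }
        if (subject != null) {
            userInfoHelper.getUserInfo(result, sslSocketFactory, tokens.get(Constants.ACCESS_TOKEN), subject);
        }
    }

    /**
     * Resolves the SSL socket factory for the given SSL configuration name.
     *
     * <p>A null factory is tolerated only for non-https endpoints; for an https token endpoint
     * a missing SSL context becomes an {@link SSLException} so the caller fails closed instead
     * of attempting the request without TLS configuration. The scheme comparison is
     * case-insensitive (URI schemes are, RFC 3986 §3.1); the compiled original matched only
     * lower-case {@code https}, so {@code HTTPS://...} with no factory slipped past this check.
     *
     * @param url      token endpoint URL (may be null)
     * @param sslRef   SSL configuration name passed to {@link SSLSupport}
     * @param clientId client id, used only in the error message
     * @return the socket factory, or null when none is configured and the URL is not https
     * @throws SSLException when the factory is missing for an https URL, or the lookup fails
     */
    protected SSLSocketFactory getSSLSocketFactory(String url, String sslRef, String clientId) throws SSLException {
        try {
            SSLSocketFactory factory = this.sslSupport.getSSLSocketFactory(sslRef);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "sslSocketFactory () get: " + factory, new Object[0]);
            }
            boolean isHttps = url != null && url.regionMatches(true, 0, "https", 0, 5);
            if (factory == null && isHttps) {
                throw new SSLException(Tr.formatMessage(tc, "OIDC_CLIENT_HTTPS_WITH_SSLCONTEXT_NULL", new Object[]{"Null ssl socket factory", clientId}));
            }
            return factory;
        } catch (javax.net.ssl.SSLException e) {
            // The cause is not chained (the wrapper constructor used here takes only a message);
            // the full stack has already been captured by FFDC.
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.clients.common.AuthorizationCodeHandler", "159", this, new Object[]{url, sslRef, clientId});
            throw new SSLException(e.getMessage());
        }
    }

    /**
     * Writes an OAuth-style JSON error body ({@code error} / {@code error_description}) with the
     * given status, or a bare {@code sendError(status)} when no error code is supplied.
     * Best-effort: I/O failures are recorded via FFDC and degrade to a 500.
     *
     * @param response    response to write to
     * @param status      HTTP status to set
     * @param error       OAuth error code; null selects the plain {@code sendError} path
     * @param description optional description; JSON-encoded by {@link JSONObject#toString()} and
     *                    echoed to the user agent, so keep it free of secrets
     */
    private void sendErrorJSON(HttpServletResponse response, int status, String error, String description) {
        try {
            if (error == null) {
                response.sendError(status);
                return;
            }
            response.setStatus(status);
            response.setHeader(ClientConstants.REQ_CONTENT_TYPE_NAME, "application/json;charset=UTF-8");
            JSONObject body = new JSONObject();
            body.put(Constants.ERROR, error);
            if (description != null) {
                body.put(Constants.ERROR_DESCRIPTION, description);
            }
            PrintWriter writer = response.getWriter();
            writer.write(body.toString());
            writer.flush();
        } catch (IOException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.clients.common.AuthorizationCodeHandler", "196", this, new Object[]{response, Integer.valueOf(status), error, description});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Internal error sending error message", new Object[]{e});
            }
            try {
                response.sendError(500);
            } catch (IOException e2) {
                FFDCFilter.processException(e2, "com.ibm.ws.security.openidconnect.clients.common.AuthorizationCodeHandler", "201", this, new Object[]{response, Integer.valueOf(status), error, description});
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "yet another internal error, give up", new Object[]{e2});
                }
            }
        }
    }
}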
