package com.ibm.ws.security.openidconnect.clients.common;

import com.ibm.json.java.JSONObject;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.openidconnect.client.jose4j.util.OidcTokenImplBase;
import com.ibm.ws.security.openidconnect.token.Payload;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.ProviderAuthenticationResult;
import java.util.ArrayList;
import java.util.Date;
import java.util.Hashtable;
import java.util.Iterator;
import javax.security.auth.Subject;

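/**
 * Extracts the identity attributes (user name, realm, unique security name, group ids and a
 * custom cache key) from the claims of an OpenID Connect token and turns them into the custom
 * properties of a {@link ProviderAuthenticationResult}.
 *
 * <p>The claims can be supplied as a {@link JSONObject}, a {@link Payload} or an
 * {@link OidcTokenImplBase}. Which claim feeds which attribute is read from the
 * {@link ConvergedClientConfig}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 * <li>Nothing in this class verifies a signature, issuer, audience or expiry. It treats the
 * claims it is handed as already validated, so that validation has to happen before an instance
 * is built.</li>
 * <li>Claim values come from the token and can have any JSON type. A claim that is expected to
 * be a string but is not is treated as absent in every input path, so the failure surfaces
 * through {@link #checkUserNameForNull()} / {@link #checkForNullRealm()} rather than as a
 * {@link ClassCastException}.</li>
 * <li>{@link #doMapping(Hashtable, Subject)} always reports {@code AuthResult.SUCCESS}; it does
 * not re-check that a user name or realm was resolved.</li>
 * </ul>
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/security/openidconnect/clients/common/AttributeToSubject.class */
public class AttributeToSubject {
    public static final TraceComponent tc = Tr.register(AttributeToSubject.class, "OPENIDCONNECT", "com.ibm.ws.security.openidconnect.clients.common.resources.OidcClientMessages");
    public static final String JOBJ_TYPE = "jobj";
    public static final String PAYLOAD_TYPE = "payload";

    // Name of the issuer claim used as the last-resort realm.
    private static final String ISSUER_CLAIM = "iss";
    // Custom-property key under which the credential storage time is recorded.
    private static final String CREDENTIAL_STORING_TIME_KEY = "com.ibm.wssi.security.oidc.client.credential.storing.utc.time.milliseconds";

    protected String realm;
    protected String uniqueSecurityName;
    protected String userName;
    // Raw token (or all claims as JSON); only its hash code is used, for the custom cache key.
    protected String tokenString;
    protected String customCacheKey;
    protected String clientId;
    protected ArrayList<String> groupIds;
    protected ConvergedClientConfig clientConfig;
    static final long serialVersionUID = -1960751261544162843L;

    /**
     * Creates an empty instance; every attribute starts out {@code null}.
     */
    public AttributeToSubject() {
    }

    /**
     * Builds the attributes from claims held in a {@link JSONObject}.
     *
     * @param convergedClientConfig client configuration naming the claims to read
     * @param jSONObject the token claims
     * @param str the token string; must not be {@code null} when a user name is resolved,
     *        because its hash code becomes part of the custom cache key
     */
    public AttributeToSubject(ConvergedClientConfig convergedClientConfig, JSONObject jSONObject, String str) {
        earlyinit(convergedClientConfig, str);
        initialize(convergedClientConfig, jSONObject, str);
    }

    /**
     * Builds the attributes from claims held in a {@link Payload}.
     *
     * @param convergedClientConfig client configuration naming the claims to read
     * @param payload the token claims
     * @param str the token string; must not be {@code null} when a user name is resolved,
     *        because its hash code becomes part of the custom cache key
     */
    public AttributeToSubject(ConvergedClientConfig convergedClientConfig, Payload payload, String str) {
        earlyinit(convergedClientConfig, str);
        initializep(convergedClientConfig, payload, str);
    }

    /**
     * Builds the attributes from an {@link OidcTokenImplBase}.
     *
     * <p>If no string-valued user name claim is found, an error is logged and the instance is
     * left without user name, cache key, realm or groups.
     *
     * @param convergedClientConfig client configuration naming the claims to read
     * @param oidcTokenImplBase the token whose claims are mapped
     */
    public AttributeToSubject(ConvergedClientConfig convergedClientConfig, OidcTokenImplBase oidcTokenImplBase) {
        this.clientConfig = convergedClientConfig;
        this.clientId = convergedClientConfig.getClientId();
        this.tokenString = oidcTokenImplBase.getAllClaimsAsJson();

        // All fields are still null here, so the user name is always resolved from the token.
        Object configAttribute = "userIdentifier";
        String claimName = convergedClientConfig.getUserIdentifier();
        if (isNullOrEmpty(claimName)) {
            configAttribute = "userIdentityToCreateSubject";
            claimName = convergedClientConfig.getUserIdentityToCreateSubject();
            if (!isNullOrEmpty(claimName)) {
                this.userName = stringClaim(oidcTokenImplBase.getClaim(claimName), claimName);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The userIdentityToCreateSubject config attribute is used", new Object[0]);
                }
            }
        } else {
            this.userName = stringClaim(oidcTokenImplBase.getClaim(claimName), claimName);
        }
        if (isDebug()) {
            Tr.debug(tc, "user name = '" + this.userName + "' and the user identifier = " + claimName, new Object[0]);
        }
        if (this.userName == null) {
            Tr.error(tc, "OIDC_CLIENT_JWT_MISSING_CLAIM", new Object[]{this.clientId, claimName, configAttribute});
            return;
        }

        this.customCacheKey = buildCustomCacheKey();
        if (convergedClientConfig.isMapIdentityToRegistryUser()) {
            // The registry supplies realm, unique name and groups; nothing else is mapped here.
            return;
        }

        this.realm = convergedClientConfig.getRealmName();
        // An empty configured realm counts as "not configured", as in getTheRealmName().
        if (isNullOrEmpty(this.realm)) {
            String claimedRealm = asString(oidcTokenImplBase.getClaim(convergedClientConfig.getRealmIdentifier()));
            if (claimedRealm != null) {
                this.realm = claimedRealm;
            }
            if (isNullOrEmpty(this.realm)) {
                this.realm = asString(oidcTokenImplBase.getClaim(ISSUER_CLAIM));
            }
        }
        if (isDebug()) {
            Tr.debug(tc, "realm name = ", new Object[]{this.realm});
        }

        this.uniqueSecurityName = asString(oidcTokenImplBase.getClaim(convergedClientConfig.getUniqueUserIdentifier()));
        if (isNullOrEmpty(this.uniqueSecurityName)) {
            this.uniqueSecurityName = this.userName;
        }

        Object claim = oidcTokenImplBase.getClaim(convergedClientConfig.getGroupIdentifier());
        ArrayList<String> mappedGroups = toGroupIds(claim);
        if (mappedGroups != null) {
            this.groupIds = mappedGroups;
        } else if (claim != null && isDebug()) {
            Tr.debug(tc, "group claim is neither a list nor a string; ignoring it", new Object[0]);
        }
        if (this.groupIds != null && isDebug()) {
            Tr.debug(tc, "objGroupIds" + claim + " groups size = ", new Object[]{Integer.valueOf(this.groupIds.size())});
        }
    }

    /**
     * Stores the token string and client configuration and reads the client id from the
     * configuration.
     *
     * @param convergedClientConfig client configuration; must not be {@code null}
     * @param str the token string
     */
    public void earlyinit(ConvergedClientConfig convergedClientConfig, String str) {
        this.tokenString = str;
        this.clientConfig = convergedClientConfig;
        this.clientId = convergedClientConfig.getClientId();
    }

    /**
     * Resolves the attributes from {@link JSONObject} claims. Attributes that already hold a
     * non-empty value are left alone.
     *
     * <p>Nothing beyond the user name lookup happens when no user name can be resolved. When
     * the configuration maps the identity to a registry user, only the user name and the custom
     * cache key are set.
     *
     * @param convergedClientConfig client configuration naming the claims to read
     * @param jSONObject the token claims
     * @param str the token string; used here only as diagnostic data for the FFDC record
     */
    public void initialize(ConvergedClientConfig convergedClientConfig, JSONObject jSONObject, String str) {
        if (isNullOrEmpty(this.userName)) {
            this.userName = getTheUserName(convergedClientConfig, jSONObject);
        }
        if (this.userName == null) {
            return;
        }
        if (isDebug()) {
            Tr.debug(tc, "user name = ", new Object[]{this.userName});
        }
        this.customCacheKey = buildCustomCacheKey();
        if (convergedClientConfig.isMapIdentityToRegistryUser()) {
            return;
        }
        if (isNullOrEmpty(this.realm)) {
            this.realm = getTheRealmName(convergedClientConfig, jSONObject, null);
        }
        if (isNullOrEmpty(this.uniqueSecurityName)) {
            this.uniqueSecurityName = getTheUniqueSecurityName(convergedClientConfig, jSONObject, null);
        }
        if (this.groupIds == null || this.groupIds.isEmpty()) {
            Object groupClaim = jSONObject.get(convergedClientConfig.getGroupIdentifier());
            if (groupClaim != null) {
                if (groupClaim instanceof ArrayList) {
                    this.groupIds = toGroupIds(groupClaim);
                } else {
                    // The cast failure is kept on purpose: it produces the FFDC record that
                    // flags a group claim of an unexpected type.
                    try {
                        String singleGroup = (String) groupClaim;
                        this.groupIds = new ArrayList<>();
                        this.groupIds.add(singleGroup);
                    } catch (ClassCastException e) {
                        FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.clients.common.AttributeToSubject", "91", this, new Object[]{convergedClientConfig, jSONObject, str});
                        if (isDebug()) {
                            Tr.debug(tc, "can not get meaningful group due to CCE.", new Object[0]);
                        }
                    }
                }
            }
            if (this.groupIds != null && isDebug()) {
                Tr.debug(tc, "groups size = ", new Object[]{Integer.valueOf(this.groupIds.size())});
            }
        }
    }

    /**
     * Resolves the attributes from {@link Payload} claims. Attributes that already hold a
     * non-empty value are left alone.
     *
     * <p>The user name claim is taken from {@code userIdentifier}, then from
     * {@code userIdentityToCreateSubject}, and finally defaults to {@code sub}. A missing or
     * non-string user name claim logs {@code OIDC_CLIENT_ID_TOKEN_MISSING_CLAIM} and stops the
     * mapping with the user name still {@code null}.
     *
     * @param convergedClientConfig client configuration naming the claims to read
     * @param payload the token claims
     * @param str the token string; not used by this method
     */
    public void initializep(ConvergedClientConfig convergedClientConfig, Payload payload, String str) {
        if (isNullOrEmpty(this.userName)) {
            Object configAttribute = "userIdentifier";
            String userIdentifier = convergedClientConfig.getUserIdentifier();
            if (isNullOrEmpty(userIdentifier)) {
                configAttribute = "userIdentityToCreateSubject";
                userIdentifier = convergedClientConfig.getUserIdentityToCreateSubject();
                if (isNullOrEmpty(userIdentifier)) {
                    userIdentifier = "sub";
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "The userIdentityToCreateSubject config attribute is null or empty; defaulting to " + userIdentifier, new Object[0]);
                    }
                }
            }
            // A non-string claim is treated as missing so it is rejected below instead of
            // escaping as a ClassCastException.
            this.userName = stringClaim(payload.get(userIdentifier), userIdentifier);
            if (isDebug()) {
                Tr.debug(tc, "user name = '" + this.userName + "' and the user identifier = " + userIdentifier + " " + (this.userName == null), new Object[0]);
            }
            if (this.userName == null) {
                Tr.error(tc, "OIDC_CLIENT_ID_TOKEN_MISSING_CLAIM", new Object[]{this.clientId, userIdentifier, configAttribute});
                return;
            }
        }
        this.customCacheKey = buildCustomCacheKey();
        if (convergedClientConfig.isMapIdentityToRegistryUser()) {
            return;
        }
        if (isNullOrEmpty(this.realm)) {
            this.realm = getTheRealmName(convergedClientConfig, null, payload);
        }
        if (isNullOrEmpty(this.uniqueSecurityName)) {
            this.uniqueSecurityName = getTheUniqueSecurityName(convergedClientConfig, null, payload);
        }
        if (this.groupIds == null || this.groupIds.isEmpty()) {
            Object groupClaim = payload.get(convergedClientConfig.getGroupIdentifier());
            // Accept a single string as well as a list, as the JSONObject path does.
            this.groupIds = toGroupIds(groupClaim);
            if (groupClaim != null && this.groupIds == null && isDebug()) {
                Tr.debug(tc, "group claim is neither a list nor a string; ignoring it", new Object[0]);
            }
            if (this.groupIds != null && isDebug()) {
                Tr.debug(tc, "groups size = ", new Object[]{Integer.valueOf(this.groupIds.size())});
            }
        }
    }

    /**
     * Reports whether no user name was resolved.
     *
     * @return {@code true} when the user name is {@code null} or empty
     */
    public boolean checkUserNameForNull() {
        if (!isNullOrEmpty(this.userName)) {
            return false;
        }
        if (isDebug()) {
            Tr.debug(tc, "There is no principal", new Object[0]);
        }
        return true;
    }

    /**
     * Creates the custom-property table for the subject. When the configuration asks for it,
     * the custom cache key and the internal assertion flag are included.
     *
     * @return a new table, possibly empty
     * @throws NullPointerException if the cache key is requested but was never built (no user
     *         name was resolved), because {@link Hashtable} rejects {@code null} values
     */
    public Hashtable<String, Object> handleCustomProperties() {
        Hashtable<String, Object> properties = new Hashtable<>();
        if (this.clientConfig.isIncludeCustomCacheKeyInSubject()) {
            properties.put("com.ibm.wsspi.security.cred.cacheKey", this.customCacheKey);
            properties.put("com.ibm.ws.authentication.internal.assertion", Boolean.TRUE);
        }
        return properties;
    }

    /**
     * Adds the mapped identity to the custom properties and wraps everything in a successful
     * {@link ProviderAuthenticationResult}.
     *
     * <p>Unless the identity is mapped to a registry user, the unique id is written as
     * {@code user:<realm>/<uniqueSecurityName>} and each group as {@code group:<realm>/<group>}.
     * A {@code null} realm or unique security name ends up as the literal text {@code null} in
     * those strings, and the result is {@code SUCCESS} regardless, so
     * {@link #checkUserNameForNull()} and {@link #checkForNullRealm()} should be consulted
     * before this method is called.
     *
     * @param hashtable custom properties to extend; must not be {@code null}
     * @param subject the subject to attach to the result
     * @return a result with {@code AuthResult.SUCCESS}, status 200 and the resolved user name
     */
    public ProviderAuthenticationResult doMapping(Hashtable<String, Object> hashtable, Subject subject) {
        if (!this.clientConfig.isMapIdentityToRegistryUser()) {
            String uniqueId = "user:" + this.realm + "/" + this.uniqueSecurityName;
            ArrayList<String> qualifiedGroups = new ArrayList<>();
            if (this.groupIds != null) {
                for (String groupId : this.groupIds) {
                    qualifiedGroups.add("group:" + this.realm + "/" + groupId);
                }
            }
            hashtable.put("com.ibm.wsspi.security.cred.uniqueId", uniqueId);
            if (!isNullOrEmpty(this.realm)) {
                hashtable.put("com.ibm.wsspi.security.cred.realm", this.realm);
            }
            if (!qualifiedGroups.isEmpty()) {
                hashtable.put("com.ibm.wsspi.security.cred.groups", qualifiedGroups);
            }
        }
        if (!hashtable.containsKey(CREDENTIAL_STORING_TIME_KEY)) {
            long time = new Date().getTime();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Did not find custom property for credential storage time, so recording current time = " + time, new Object[0]);
            }
            hashtable.put(CREDENTIAL_STORING_TIME_KEY, Long.valueOf(time));
        }
        return new ProviderAuthenticationResult(AuthResult.SUCCESS, 200, this.userName, subject, hashtable, (String) null);
    }

    /**
     * Reports whether no realm was resolved.
     *
     * @return {@code true} when the realm is {@code null} or empty
     */
    public boolean checkForNullRealm() {
        if (!isNullOrEmpty(this.realm)) {
            return false;
        }
        if (isDebug()) {
            Tr.debug(tc, "There is no realm", new Object[0]);
        }
        return true;
    }

    /**
     * Reads the user name claim from {@link JSONObject} claims and stores it in
     * {@link #userName} when it is a string. The claim name comes from {@code userIdentifier},
     * or from {@code userIdentityToCreateSubject} when the former is not set. A missing claim
     * or one of the wrong type is logged as an error and leaves the field unchanged.
     *
     * @param convergedClientConfig client configuration naming the claim
     * @param jSONObject the token claims; {@code null} yields {@code null}
     * @return the current user name, or {@code null} when {@code jSONObject} is {@code null}
     */
    protected String getTheUserName(ConvergedClientConfig convergedClientConfig, JSONObject jSONObject) {
        if (jSONObject == null) {
            return null;
        }
        String configAttribute = "userIdentifier";
        String claimName = convergedClientConfig.getUserIdentifier();
        if (isNullOrEmpty(claimName)) {
            configAttribute = "userIdentityToCreateSubject";
            claimName = convergedClientConfig.getUserIdentityToCreateSubject();
        }
        Object claim = jSONObject.get(claimName);
        if (claim == null) {
            Tr.error(tc, "PROPAGATION_TOKEN_MISSING_USERID", new Object[]{claimName, configAttribute});
        } else if (claim instanceof String) {
            this.userName = (String) claim;
        } else {
            Tr.error(tc, "PROPAGATION_TOKEN_INCORRECT_CLAIM_TYPE", new Object[]{claimName, configAttribute});
        }
        return this.userName;
    }

    /**
     * Resolves the realm and stores it in {@link #realm}. A non-empty configured realm name
     * wins; otherwise the configured realm claim is used, then the {@code iss} claim. Claims
     * that are not strings are ignored.
     *
     * @param convergedClientConfig client configuration
     * @param jSONObject claims to read; takes precedence over {@code payload} when non-null
     * @param payload claims to read when {@code jSONObject} is {@code null}
     * @return the resolved realm, or {@code null} when both claim sources are {@code null}
     */
    protected String getTheRealmName(ConvergedClientConfig convergedClientConfig, JSONObject jSONObject, Payload payload) {
        if (jSONObject == null && payload == null) {
            return null;
        }
        String configuredRealm = convergedClientConfig.getRealmName();
        if (!isNullOrEmpty(configuredRealm)) {
            this.realm = configuredRealm;
        } else if (jSONObject != null) {
            // A missing or non-string realm claim keeps whatever realm is already set.
            String claimedRealm = asString(jSONObject.get(convergedClientConfig.getRealmIdentifier()));
            if (claimedRealm != null) {
                this.realm = claimedRealm;
            }
            if (isNullOrEmpty(this.realm)) {
                this.realm = asString(jSONObject.get(ISSUER_CLAIM));
            }
        } else {
            this.realm = asString(payload.get(convergedClientConfig.getRealmIdentifier()));
            if (isNullOrEmpty(this.realm)) {
                this.realm = asString(payload.get(ISSUER_CLAIM));
            }
        }
        if (isDebug()) {
            Tr.debug(tc, "realm name = ", new Object[]{this.realm});
        }
        return this.realm;
    }

    /**
     * Resolves the unique security name and stores it in {@link #uniqueSecurityName}. The
     * configured unique-user claim is used when it is a string; otherwise the user name is the
     * fallback.
     *
     * @param convergedClientConfig client configuration naming the claim
     * @param jSONObject claims to read; takes precedence over {@code payload} when non-null
     * @param payload claims to read when {@code jSONObject} is {@code null}
     * @return the resolved name, or {@code null} when both claim sources are {@code null}
     */
    protected String getTheUniqueSecurityName(ConvergedClientConfig convergedClientConfig, JSONObject jSONObject, Payload payload) {
        if (jSONObject != null) {
            // A missing or non-string claim keeps whatever name is already set.
            String claimedName = asString(jSONObject.get(convergedClientConfig.getUniqueUserIdentifier()));
            if (claimedName != null) {
                this.uniqueSecurityName = claimedName;
            }
        } else if (payload != null) {
            this.uniqueSecurityName = asString(payload.get(convergedClientConfig.getUniqueUserIdentifier()));
        } else {
            return null;
        }
        if (isNullOrEmpty(this.uniqueSecurityName)) {
            this.uniqueSecurityName = this.userName;
        }
        if (isDebug()) {
            Tr.debug(tc, "unique security name = ", new Object[]{this.uniqueSecurityName});
        }
        return this.uniqueSecurityName;
    }

    /**
     * Builds the custom cache key from the user name and the token's hash code.
     *
     * <p>NOTE(review): {@link String#hashCode()} is a 32-bit, non-cryptographic hash and the
     * key does not include the realm, so distinct tokens carrying the same user name can yield
     * the same key. If this key selects a cached subject, a digest of the token (for example
     * SHA-256) plus the realm would make collisions impractical; confirm how the key is
     * consumed before changing its format.
     */
    private String buildCustomCacheKey() {
        return this.userName + this.tokenString.hashCode();
    }

    /** Returns {@code true} when debug trace is enabled for this class. */
    private static boolean isDebug() {
        return TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
    }

    /** Returns {@code true} for {@code null} and for the empty string. */
    private static boolean isNullOrEmpty(String value) {
        return value == null || value.isEmpty();
    }

    /** Returns the claim as a string, or {@code null} when it is absent or of another type. */
    private static String asString(Object claim) {
        return claim instanceof String ? (String) claim : null;
    }

    /** Like {@link #asString(Object)}, but traces a claim that is present with the wrong type. */
    private static String stringClaim(Object claim, String claimName) {
        String value = asString(claim);
        if (claim != null && value == null && isDebug()) {
            Tr.debug(tc, "claim '" + claimName + "' is not a string; treating it as missing", new Object[0]);
        }
        return value;
    }

    /**
     * Converts a group claim to a list of group ids: a list is used as it is, a single string
     * becomes a one-element list, anything else (including {@code null}) yields {@code null}.
     */
    @SuppressWarnings("unchecked")
    private static ArrayList<String> toGroupIds(Object claim) {
        if (claim instanceof ArrayList) {
            // Element types are not checked here; a non-string entry fails when it is read.
            return (ArrayList<String>) claim;
        }
        if (claim instanceof String) {
            ArrayList<String> single = new ArrayList<>();
            single.add((String) claim);
            return single;
        }
        return null;
    }
}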
