package com.ibm.ws.security.openidconnect.clients.common;

import com.google.gson.JsonElement;
import com.google.gson.JsonParser;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ssl.SSLException;
import com.ibm.ws.common.internal.encoder.Base64Coder;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.web.WebUtils;
import com.ibm.ws.security.openidconnect.client.jose4j.util.Jose4jUtil;
import com.ibm.ws.security.openidconnect.common.Constants;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.CookieHelper;
import com.ibm.ws.webcontainer.security.PostParameterHelper;
import com.ibm.ws.webcontainer.security.ProviderAuthenticationResult;
import com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl;
import com.ibm.ws.webcontainer.security.WebAppSecurityConfig;
import com.ibm.wsspi.ssl.SSLSupport;
import com.ibm.wsspi.webcontainer.servlet.IExtendedRequest;
import java.io.IOException;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.PrivilegedExceptionAction;
import java.util.Date;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.Subject;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

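/**
 * Relying-party side of the OpenID Connect client flow.
 *
 * <p>Responsibilities visible here: build the authorization request URL and the state /
 * request-URL cookies that protect it ({@link #handleRedirectToServer}), dispatch the
 * provider's response to the authorization-code or implicit-flow handler
 * ({@link #authenticate}), and validate the state cookie ({@link #verifyState}) and the
 * parameter cookie ({@link #validateReqParameters}) when the browser comes back.
 *
 * <p>Instance state is limited to {@code sslSupport} and {@code jose4jUtil}, both assigned in the
 * constructors; everything else is passed in per request.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/security/openidconnect/clients/common/OIDCClientAuthenticatorUtil.class */
public class OIDCClientAuthenticatorUtil {
    SSLSupport sslSupport;
    private Jose4jUtil jose4jUtil;
    static final long serialVersionUID = -2570500656335283905L;
    public static final TraceComponent tc = Tr.register(OIDCClientAuthenticatorUtil.class, "OPENIDCONNECT", "com.ibm.ws.security.openidconnect.clients.common.resources.OidcClientMessages");
    /** Every cookie this class creates; all of them are invalidated once a response is final. */
    public static final String[] OIDC_COOKIES = {ClientConstants.WAS_OIDC_STATE_KEY, ClientConstants.WAS_REQ_URL_OIDC, ClientConstants.WAS_OIDC_CODE, ClientConstants.WAS_OIDC_NONCE};

    /** Creates a helper with no SSL support and no JOSE utility (both stay {@code null}). */
    public OIDCClientAuthenticatorUtil() {
        this.sslSupport = null;
        this.jose4jUtil = null;
    }

    /**
     * Creates a helper bound to the given SSL support.
     *
     * @param sSLSupport SSL support handed to outbound connections and to the JOSE utility
     */
    public OIDCClientAuthenticatorUtil(SSLSupport sSLSupport) {
        this.sslSupport = sSLSupport;
        // Overridable seam (see getJose4jUtil); note it runs during construction.
        this.jose4jUtil = getJose4jUtil(this.sslSupport);
    }

    /**
     * Factory for the JOSE utility; protected so subclasses (e.g. tests) can substitute one.
     * Called from the constructor, so an override must not depend on subclass state.
     *
     * @param sSLSupport SSL support for the utility
     * @return a new {@link Jose4jUtil}
     */
    protected Jose4jUtil getJose4jUtil(SSLSupport sSLSupport) {
        return new Jose4jUtil(sSLSupport);
    }

    /**
     * Starts the authorization-request leg: validates the configured endpoints against the HTTPS
     * requirement, issues the state cookie, records the original request URL (as a cookie or via a
     * client-side script), and returns a {@code REDIRECT_TO_PROVIDER} result carrying the
     * authorization URL. Any failure yields a {@code SEND_401} result after logging.
     *
     * @param httpServletRequest the incoming unauthenticated request
     * @param httpServletResponse the response that receives the cookies (and the redirect page when
     *            client-side redirect is configured)
     * @param convergedClientConfig the client configuration
     * @return a {@link ProviderAuthenticationResult}; never {@code null}
     */
    public ProviderAuthenticationResult handleRedirectToServer(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ConvergedClientConfig convergedClientConfig) {
        String authorizationEndpointUrl = convergedClientConfig.getAuthorizationEndpointUrl();
        if (!checkHttpsRequirement(convergedClientConfig, authorizationEndpointUrl)) {
            Tr.error(tc, "OIDC_CLIENT_URL_PROTOCOL_NOT_HTTPS", new Object[]{authorizationEndpointUrl});
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
        if (convergedClientConfig.createSession()) {
            try {
                httpServletRequest.getSession(true);
            } catch (Exception e) {
                // Best effort: a failure to create the session is recorded but does not stop the flow.
                FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.clients.common.OIDCClientAuthenticatorUtil", "82", this, new Object[]{httpServletRequest, httpServletResponse, convergedClientConfig});
            }
        }
        // state = timestamp + random; non-GET requests carrying the OIDC_CLIENT parameter append it.
        String state = OidcUtil.getTimeStamp() + OidcUtil.generateRandom(9);
        if (!httpServletRequest.getMethod().equalsIgnoreCase("GET") && httpServletRequest.getParameter(ClientConstants.OIDC_CLIENT) != null) {
            state = state + httpServletRequest.getParameter(ClientConstants.OIDC_CLIENT);
        }
        String stateCookieValue = HashUtils.createStateCookieValue(convergedClientConfig, state);
        String stateCookieName = ClientConstants.WAS_OIDC_STATE_KEY + HashUtils.getStrHashCode(state);
        boolean isHttpsRequest = httpServletRequest.getScheme().toLowerCase().contains("https");
        // Secure flag only when the config demands HTTPS and the current request actually is HTTPS.
        boolean markCookiesSecure = convergedClientConfig.isHttpsRequired() && isHttpsRequest;
        int authTimeLimitSeconds = (int) convergedClientConfig.getAuthenticationTimeLimitInSeconds();
        Cookie stateCookie = OidcClientUtil.createCookie(stateCookieName, stateCookieValue, authTimeLimitSeconds, httpServletRequest);
        if (markCookiesSecure) {
            stateCookie.setSecure(true);
        }
        httpServletResponse.addCookie(stateCookie);
        String redirectUrl = setRedirectUrlIfNotDefined(httpServletRequest, convergedClientConfig);
        if (!checkHttpsRequirement(convergedClientConfig, redirectUrl)) {
            Tr.error(tc, "OIDC_CLIENT_URL_PROTOCOL_NOT_HTTPS", new Object[]{redirectUrl});
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
        String acrValues = httpServletRequest.getParameter("acr_values");
        try {
            String scope = convergedClientConfig.getScope();
            boolean scopeMissing = scope == null || scope.length() == 0;
            // Check for a missing scope before touching its contents so a null scope is reported
            // rather than dereferenced; social clients are not required to request "openid".
            boolean openidMissing = !scopeMissing && !convergedClientConfig.isSocial() && !isOpenIDScopeSpecified(convergedClientConfig);
            if (scopeMissing || openidMissing) {
                Tr.error(tc, "OIDC_CLIENT_REQUEST_MISSING_OPENID_SCOPE", new Object[]{convergedClientConfig.getClientId(), scope});
                return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
            }
            OidcClientRequest oidcClientRequest = (OidcClientRequest) httpServletRequest.getAttribute(ClientConstants.ATTRIB_OIDC_CLIENT_REQUEST);
            String authorizationUrl = buildAuthorizationUrlWithQuery(httpServletRequest, oidcClientRequest, state, convergedClientConfig, redirectUrl, acrValues);
            new PostParameterHelper(WebAppSecurityCollaboratorImpl.getGlobalWebAppSecurityConfig()).save(httpServletRequest, httpServletResponse);
            if (convergedClientConfig.isClientSideRedirect()) {
                doClientSideRedirect(httpServletResponse, authorizationUrl, state, OidcClientUtil.getSsoDomain(httpServletRequest));
            } else {
                String reqUrlCookieName = ClientConstants.WAS_REQ_URL_OIDC + HashUtils.getStrHashCode(state);
                Cookie reqUrlCookie = OidcClientUtil.createCookie(reqUrlCookieName, getReqURL(httpServletRequest), authTimeLimitSeconds, httpServletRequest);
                // The Secure flag belongs on this cookie (the state cookie was already added above).
                if (markCookiesSecure) {
                    reqUrlCookie.setSecure(true);
                }
                httpServletResponse.addCookie(reqUrlCookie);
            }
            return new ProviderAuthenticationResult(AuthResult.REDIRECT_TO_PROVIDER, 200, (String) null, (Subject) null, (Hashtable) null, authorizationUrl);
        } catch (UnsupportedEncodingException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.openidconnect.clients.common.OIDCClientAuthenticatorUtil", "142", this, new Object[]{httpServletRequest, httpServletResponse, convergedClientConfig});
            Tr.error(tc, "OIDC_CLIENT_AUTHORIZE_ERR", new Object[]{convergedClientConfig.getClientId(), e2.getLocalizedMessage(), "UTF-8"});
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        } catch (IOException e3) {
            FFDCFilter.processException(e3, "com.ibm.ws.security.openidconnect.clients.common.OIDCClientAuthenticatorUtil", "145", this, new Object[]{httpServletRequest, httpServletResponse, convergedClientConfig});
            Tr.error(tc, "OIDC_CLIENT_AUTHORIZE_ERR", new Object[]{convergedClientConfig.getClientId(), e3.getLocalizedMessage(), "UTF-8"});
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
    }

    /**
     * Entry point for a request hitting the client. Reads and immediately invalidates the
     * {@code WAS_OIDC_CODE} parameter cookie; if it validates, the flow continues with the code /
     * state it carries (implicit or authorization-code handler), otherwise a new redirect to the
     * provider is started. Whenever the result is not a redirect, saved POST parameters are
     * restored and all OIDC cookies are cleared.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @param convergedClientConfig the client configuration
     * @return the authentication result; {@code SEND_401} when the endpoint configuration is
     *         invalid or the parameter cookie fails validation
     */
    public ProviderAuthenticationResult authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ConvergedClientConfig convergedClientConfig) {
        if (!isEndpointValid(convergedClientConfig)) {
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
        boolean isImplicit = "implicit".equals(convergedClientConfig.getGrantType());
        String code = null;
        String state = null;
        Hashtable<String, String> reqParameters = new Hashtable<>();
        String codeCookieValue = CookieHelper.getCookieValue(httpServletRequest.getCookies(), ClientConstants.WAS_OIDC_CODE);
        // One-shot cookie: cleared as soon as it has been read, whether or not it validates.
        OidcClientUtil.invalidateReferrerURLCookie(httpServletRequest, httpServletResponse, ClientConstants.WAS_OIDC_CODE);
        if (codeCookieValue != null && !codeCookieValue.isEmpty()) {
            if (!validateReqParameters(convergedClientConfig, reqParameters, codeCookieValue)) {
                Tr.error(tc, "OIDC_CLIENT_BAD_PARAM_COOKIE", new Object[]{codeCookieValue, convergedClientConfig.getClientId()});
                return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
            }
            code = reqParameters.get("code");
            state = reqParameters.get("state");
        }
        if (state != null) {
            String idToken = httpServletRequest.getParameter("id_token");
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "id_token:" + idToken, new Object[0]);
            }
            if (idToken != null) {
                reqParameters.put("id_token", idToken);
            }
            String accessToken = httpServletRequest.getParameter(Constants.ACCESS_TOKEN);
            if (accessToken != null) {
                reqParameters.put(Constants.ACCESS_TOKEN, accessToken);
            }
            // The provider posts the response back; downstream handling expects a GET.
            if (httpServletRequest.getMethod().equals(ClientConstants.REQ_METHOD_POST) && (httpServletRequest instanceof IExtendedRequest)) {
                ((IExtendedRequest) httpServletRequest).setMethod("GET");
            }
        }
        ProviderAuthenticationResult result;
        if (state == null) {
            result = handleRedirectToServer(httpServletRequest, httpServletResponse, convergedClientConfig);
        } else if (isImplicit) {
            result = handleImplicitFlowTokens(httpServletRequest, httpServletResponse, state, convergedClientConfig, reqParameters);
        } else {
            result = new AuthorizationCodeHandler(this.sslSupport).handleAuthorizationCode(httpServletRequest, httpServletResponse, code, state, convergedClientConfig);
        }
        if (result.getStatus() != AuthResult.REDIRECT_TO_PROVIDER) {
            new PostParameterHelper(WebAppSecurityCollaboratorImpl.getGlobalWebAppSecurityConfig()).restore(httpServletRequest, httpServletResponse, true);
            OidcClientUtil.invalidateReferrerURLCookies(httpServletRequest, httpServletResponse, OIDC_COOKIES);
        }
        return result;
    }

    /**
     * Implicit-flow completion: verifies the state, builds the result from the ID token via
     * {@code jose4jUtil}, and, when a user-info endpoint is configured, enriches it with user info.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @param state the state value returned by the provider
     * @param convergedClientConfig the client configuration
     * @param reqParameters the parameters recovered from the parameter cookie (plus id_token /
     *            access_token from the request)
     * @return the state-verification failure result, or the result produced from the tokens
     */
    ProviderAuthenticationResult handleImplicitFlowTokens(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String state, ConvergedClientConfig convergedClientConfig, Hashtable<String, String> reqParameters) {
        OidcClientRequest oidcClientRequest = (OidcClientRequest) httpServletRequest.getAttribute(ClientConstants.ATTRIB_OIDC_CLIENT_REQUEST);
        ProviderAuthenticationResult stateFailure = verifyResponseState(httpServletRequest, httpServletResponse, state, convergedClientConfig);
        if (stateFailure != null) {
            return stateFailure;
        }
        oidcClientRequest.setTokenType("ID Token");
        ProviderAuthenticationResult result = this.jose4jUtil.createResultWithJose4J(state, reqParameters, convergedClientConfig, oidcClientRequest);
        if (convergedClientConfig.getUserInfoEndpointUrl() != null) {
            SSLSocketFactory sslSocketFactory = null;
            try {
                boolean userInfoOverHttps = convergedClientConfig.getUserInfoEndpointUrl().toLowerCase().startsWith("https");
                sslSocketFactory = new OidcClientHttpUtil().getSSLSocketFactory(convergedClientConfig, this.sslSupport, false, userInfoOverHttps);
            } catch (SSLException e) {
                // Best effort: user-info lookup proceeds with a null factory; the helper decides what to do.
                FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.clients.common.OIDCClientAuthenticatorUtil", "264", this, new Object[]{httpServletRequest, httpServletResponse, state, convergedClientConfig, reqParameters});
            }
            new UserInfoHelper(convergedClientConfig).getUserInfoIfPossible(result, reqParameters, sslSocketFactory);
        }
        return result;
    }

    /**
     * Returns {@code false} only when HTTPS is required and the given URL is non-null and does not
     * start with {@code https}. A {@code null} URL passes this check; the check is case-sensitive
     * and is a prefix test, not a scheme parse.
     *
     * @param convergedClientConfig the client configuration
     * @param url the URL to check, may be {@code null}
     * @return whether the URL satisfies the HTTPS requirement
     */
    public static boolean checkHttpsRequirement(ConvergedClientConfig convergedClientConfig, String url) {
        if (!convergedClientConfig.isHttpsRequired()) {
            return true;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Checking if URL starts with https: " + url, new Object[0]);
        }
        return url == null || url.startsWith("https");
    }

    /**
     * Checks that the endpoint needed for the configured grant type is present: the token endpoint
     * for the implicit grant, the authorization endpoint otherwise.
     *
     * @param convergedClientConfig the client configuration
     * @return {@code true} when the required endpoint URL is non-null
     */
    public static boolean isEndpointValid(ConvergedClientConfig convergedClientConfig) {
        // equals(), not ==: the reference comparison only matched the interned literal.
        String requiredEndpoint = "implicit".equals(convergedClientConfig.getGrantType())
                ? convergedClientConfig.getTokenEndpointUrl()
                : convergedClientConfig.getAuthorizationEndpointUrl();
        return requiredEndpoint != null;
    }

    /**
     * Resolves the redirect URI sent to the provider: the configured server-to-client redirect URL
     * (rebuilt for social clients), or, when none is configured, one derived from the current
     * request and {@code <contextPath>/redirect/<id>}. The junction path is applied last.
     *
     * @param httpServletRequest the current request
     * @param convergedClientConfig the client configuration
     * @return the redirect URL including any junction path
     */
    public String setRedirectUrlIfNotDefined(HttpServletRequest httpServletRequest, ConvergedClientConfig convergedClientConfig) {
        String redirectUrl;
        if (convergedClientConfig.isSocial()) {
            redirectUrl = getRedirectUrlFromServerToClient(convergedClientConfig.getId(), convergedClientConfig.getContextPath(), convergedClientConfig.getRedirectUrlFromServerToClient());
        } else {
            redirectUrl = convergedClientConfig.getRedirectUrlFromServerToClient();
        }
        if (redirectUrl == null || redirectUrl.isEmpty()) {
            String redirectPath = convergedClientConfig.getContextPath() + "/redirect/" + convergedClientConfig.getId();
            redirectUrl = new OidcClientUtil().getRedirectUrl(httpServletRequest, redirectPath);
        }
        return convergedClientConfig.getRedirectUrlWithJunctionPath(redirectUrl);
    }

    /**
     * Builds {@code <protocol>://<host>[:<port>]<path><contextPath>/redirect/<id>} from a configured
     * host-and-port URL. A trailing slash on the URL's path is dropped before appending.
     *
     * @param id the client id
     * @param contextPath the client context path
     * @param redirectToRPHostAndPort the configured URL; may be {@code null} or empty
     * @return the assembled URL, or {@code null} when the input is empty or cannot be parsed
     */
    public String getRedirectUrlFromServerToClient(String id, String contextPath, final String redirectToRPHostAndPort) {
        if (redirectToRPHostAndPort == null || redirectToRPHostAndPort.length() == 0) {
            return null;
        }
        try {
            URL url = AccessController.doPrivileged(new PrivilegedExceptionAction<URL>() {
                @Override
                public URL run() throws Exception {
                    return new URL(redirectToRPHostAndPort);
                }
            });
            int port = url.getPort();
            String path = url.getPath();
            if (path == null) {
                path = "";
            }
            if (path.endsWith("/")) {
                path = path.substring(0, path.length() - 1);
            }
            String fullPath = path + contextPath + "/redirect/" + id;
            String authority = url.getProtocol() + "://" + url.getHost() + (port > 0 ? ":" + port : "");
            return authority + (fullPath.startsWith("/") ? "" : "/") + fullPath;
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.clients.common.OIDCClientAuthenticatorUtil", "341", this, new Object[]{id, contextPath, redirectToRPHostAndPort});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "the value of redirectToRPHostAndPort might not valid. Please verify that the format is <protocol>://<host>:<port> " + redirectToRPHostAndPort + "\n" + e.getMessage(), new Object[0]);
            }
            return null;
        }
    }

    /** Substring test on the configured scope; callers must ensure the scope is non-null. */
    private boolean isOpenIDScopeSpecified(ConvergedClientConfig convergedClientConfig) {
        return convergedClientConfig.getScope().contains("openid");
    }

    /**
     * Assembles the authorization request URL: the mandatory parameters, a nonce (when enabled or
     * for the implicit grant, also stored as a cookie), acr_values (request parameter first, then
     * configuration), prompt, implicit-grant extras (form_post response mode, resources), custom
     * authorization parameters, and forwarded login parameters. Every value is URL-encoded.
     *
     * @param httpServletRequest the current request
     * @param oidcClientRequest the per-request client object that receives the nonce cookie
     * @param state the state value
     * @param convergedClientConfig the client configuration
     * @param redirectUrl the redirect_uri value
     * @param acrValues the acr_values request parameter, may be {@code null}
     * @return the authorization endpoint URL with the query appended ({@code ?} or {@code &} as needed)
     * @throws UnsupportedEncodingException if UTF-8 URL encoding is unavailable
     */
    String buildAuthorizationUrlWithQuery(HttpServletRequest httpServletRequest, OidcClientRequest oidcClientRequest, String state, ConvergedClientConfig convergedClientConfig, String redirectUrl, String acrValues) throws UnsupportedEncodingException {
        boolean isImplicit = "implicit".equals(convergedClientConfig.getGrantType());
        String responseType = isImplicit ? convergedClientConfig.getResponseType() : "code";
        String clientId = convergedClientConfig.getClientId() == null ? "" : convergedClientConfig.getClientId();
        String query = String.format("response_type=%s&client_id=%s&state=%s&redirect_uri=%s&scope=%s",
                URLEncoder.encode(responseType, "UTF-8"),
                URLEncoder.encode(clientId, "UTF-8"),
                URLEncoder.encode(state, "UTF-8"),
                URLEncoder.encode(redirectUrl, "UTF-8"),
                URLEncoder.encode(convergedClientConfig.getScope(), "UTF-8"));
        if (convergedClientConfig.isNonceEnabled() || isImplicit) {
            String nonce = OidcUtil.generateRandom(20);
            OidcUtil.createNonceCookie(oidcClientRequest, nonce, state, convergedClientConfig);
            query = String.format("%s&nonce=%s", query, URLEncoder.encode(nonce, "UTF-8"));
        }
        if (acrValues != null && !acrValues.isEmpty()) {
            query = String.format("%s&acr_values=%s", query, URLEncoder.encode(acrValues, "UTF-8"));
        } else if (isACRConfigured(convergedClientConfig)) {
            query = String.format("%s&acr_values=%s", query, URLEncoder.encode(convergedClientConfig.getAuthContextClassReference(), "UTF-8"));
        }
        if (convergedClientConfig.getPrompt() != null) {
            query = String.format("%s&prompt=%s", query, URLEncoder.encode(convergedClientConfig.getPrompt(), "UTF-8"));
        }
        if (isImplicit) {
            query = String.format("%s&response_mode=%s", query, URLEncoder.encode("form_post", "UTF-8"));
            String resourcesParameter = getResourcesParameter(convergedClientConfig);
            if (resourcesParameter != null) {
                query = query + resourcesParameter;
            }
        }
        query = addForwardLoginParamsToQuery(convergedClientConfig, httpServletRequest, handleCustomParams(convergedClientConfig, query));
        String authorizationEndpointUrl = convergedClientConfig.getAuthorizationEndpointUrl();
        boolean endpointHasQuery = authorizationEndpointUrl != null && authorizationEndpointUrl.indexOf("?") > 0;
        return authorizationEndpointUrl + (endpointHasQuery ? "&" : "?") + query;
    }

    /**
     * Appends each configured forward-login parameter that is present on the request as
     * {@code &name=value}, both URL-encoded. Parameters absent from the request are skipped.
     *
     * @param convergedClientConfig the client configuration (source of the parameter names)
     * @param httpServletRequest the request the values are read from
     * @param query the query string so far
     * @return the query string with the forwarded parameters appended
     */
    String addForwardLoginParamsToQuery(ConvergedClientConfig convergedClientConfig, HttpServletRequest httpServletRequest, String query) {
        List<String> forwardLoginParameters = convergedClientConfig.getForwardLoginParameter();
        if (forwardLoginParameters == null || forwardLoginParameters.isEmpty()) {
            return query;
        }
        for (String name : forwardLoginParameters) {
            if (name == null) {
                continue;
            }
            String value = httpServletRequest.getParameter(name);
            if (value == null) {
                continue;
            }
            try {
                query = String.format("%s&%s=%s", query, URLEncoder.encode(name, "UTF-8"), URLEncoder.encode(value, "UTF-8"));
            } catch (UnsupportedEncodingException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.clients.common.OIDCClientAuthenticatorUtil", "434", this, new Object[]{convergedClientConfig, httpServletRequest, query});
            }
        }
        return query;
    }

    /**
     * Appends the configured custom authorization-request parameters (non-null key and value) as
     * {@code &key=value}, URL-encoded.
     *
     * @param convergedClientConfig the client configuration
     * @param query the query string so far
     * @return the query string with the custom parameters appended
     */
    private String handleCustomParams(ConvergedClientConfig convergedClientConfig, String query) {
        HashMap<String, String> authzRequestParams = convergedClientConfig.getAuthzRequestParams();
        if (authzRequestParams == null || authzRequestParams.isEmpty()) {
            return query;
        }
        for (Map.Entry<String, String> entry : authzRequestParams.entrySet()) {
            if (entry.getKey() == null || entry.getValue() == null) {
                continue;
            }
            try {
                query = String.format("%s&%s=%s", query, URLEncoder.encode(entry.getKey(), "UTF-8"), URLEncoder.encode(entry.getValue(), "UTF-8"));
            } catch (UnsupportedEncodingException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.clients.common.OIDCClientAuthenticatorUtil", "458", this, new Object[]{convergedClientConfig, query});
            }
        }
        return query;
    }

    /** Whether a non-empty authentication context class reference is configured. */
    private boolean isACRConfigured(ConvergedClientConfig convergedClientConfig) {
        String acr = convergedClientConfig.getAuthContextClassReference();
        return acr != null && !acr.isEmpty();
    }

    /**
     * Returns {@code &resource=<encoded resources>} or {@code null} when no resources are configured.
     *
     * @param convergedClientConfig the client configuration
     * @return the query fragment, or {@code null}
     * @throws UnsupportedEncodingException if UTF-8 URL encoding is unavailable
     */
    public static String getResourcesParameter(ConvergedClientConfig convergedClientConfig) throws UnsupportedEncodingException {
        String resources = getResources(convergedClientConfig);
        if (resources == null || resources.isEmpty()) {
            return null;
        }
        return "&resource=" + URLEncoder.encode(resources, "UTF-8");
    }

    /**
     * Joins the configured resources with single spaces.
     *
     * @param convergedClientConfig the client configuration
     * @return the space-separated resources, or {@code null} when none are configured
     */
    public static String getResources(ConvergedClientConfig convergedClientConfig) {
        String[] resources = convergedClientConfig.getResources();
        if (resources == null || resources.length == 0) {
            return null;
        }
        StringBuilder joined = new StringBuilder();
        for (int i = 0; i < resources.length; i++) {
            if (i > 0) {
                joined.append(' ');
            }
            joined.append(resources[i]);
        }
        return joined.toString();
    }

    /**
     * Writes a small HTML page whose script stores the current browser URL in the request-URL
     * cookie and then navigates to the authorization URL. Headers (no-cache, content type) are set
     * before the body is written so they cannot be lost once the response is committed.
     *
     * @param httpServletResponse the response to write to
     * @param authorizationUrl the URL the script navigates to
     * @param state the state value (selects the cookie name)
     * @param ssoDomain the cookie domain, may be {@code null} or empty
     * @throws IOException if the response writer cannot be obtained
     */
    private void doClientSideRedirect(HttpServletResponse httpServletResponse, String authorizationUrl, String state, String ssoDomain) throws IOException {
        httpServletResponse.setStatus(200);
        httpServletResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate, private, max-age=0");
        httpServletResponse.setHeader("Pragma", "no-cache");
        httpServletResponse.setDateHeader("Expires", 0L);
        // Content type must precede getWriter(); set afterwards it does not affect the encoding.
        httpServletResponse.setContentType("text/html; charset=UTF-8");
        try (PrintWriter writer = httpServletResponse.getWriter()) {
            writer.println("<html xmlns=\"http://www.w3.org/1999/xhtml\">");
            writer.println("<head>");
            writer.println(createJavaScriptForRedirect(authorizationUrl, state, ssoDomain));
            writer.println("<title>Redirect To OP</title> ");
            writer.println("</head>");
            writer.println("<body></body>");
            writer.println("</html>");
        }
    }

    /**
     * Builds the two scripts for the client-side redirect page: one sets the request-URL cookie
     * from {@code window.location.href} (with the SSO domain, {@code path=/}, and {@code secure}
     * when SSO requires SSL), the other calls {@code window.location.replace} with the
     * authorization URL.
     *
     * <p>NOTE(review): {@code authorizationUrl} and {@code ssoDomain} are concatenated into script
     * string literals without escaping. The URL's query is URL-encoded upstream and the endpoint /
     * domain come from configuration, so this is assumed safe — confirm if either ever becomes
     * request-derived.
     *
     * @param authorizationUrl the URL to navigate to
     * @param state the state value (selects the cookie name)
     * @param ssoDomain the cookie domain, may be {@code null} or empty
     * @return the script markup
     */
    private String createJavaScriptForRedirect(String authorizationUrl, String state, String ssoDomain) {
        String reqUrlCookieName = ClientConstants.WAS_REQ_URL_OIDC + HashUtils.getStrHashCode(state);
        String domainAttribute = "";
        if (ssoDomain != null && !ssoDomain.isEmpty()) {
            domainAttribute = "domain=" + ssoDomain + ";";
        }
        StringBuilder sb = new StringBuilder();
        sb.append("<script type=\"text/javascript\" language=\"javascript\">")
          .append("var loc=window.location.href;")
          .append("document.cookie=\"").append(reqUrlCookieName).append("=\"")
          .append("+loc+")
          .append("\";" + domainAttribute + " path=/;");
        WebAppSecurityConfig globalWebAppSecurityConfig = WebAppSecurityCollaboratorImpl.getGlobalWebAppSecurityConfig();
        if (globalWebAppSecurityConfig != null && globalWebAppSecurityConfig.getSSORequiresSSL()) {
            sb.append(" secure;");
        }
        sb.append("\"</script>");
        sb.append("<script type=\"text/javascript\" language=\"javascript\">")
          .append("window.location.replace(\"" + authorizationUrl + "\")")
          .append("</script>");
        String script = sb.toString();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "createJavaScriptForRedirect returns [" + script + "]", new Object[0]);
        }
        return script;
    }

    /**
     * Reconstructs the current request URL (with an encoded query string). For HTTPS requests the
     * port reported by {@link WebUtils#getRedirectPortFromRequest} replaces the server port when
     * the two differ.
     *
     * @param httpServletRequest the current request
     * @return the request URL, including {@code ?query} when present
     */
    String getReqURL(HttpServletRequest httpServletRequest) {
        Integer redirectPort = null;
        if (httpServletRequest.getScheme().toLowerCase().contains("https")) {
            redirectPort = new WebUtils().getRedirectPortFromRequest(httpServletRequest);
        }
        int serverPort = httpServletRequest.getServerPort();
        boolean rewritePort = redirectPort != null && redirectPort.intValue() != serverPort;
        if (rewritePort && TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "serverport = " + serverPort + "real port is " + redirectPort.toString() + ", url will be rewritten to use real port", new Object[0]);
        }
        StringBuffer requestUrl;
        if (rewritePort) {
            requestUrl = new StringBuffer();
            requestUrl.append(httpServletRequest.getScheme());
            requestUrl.append("://");
            requestUrl.append(httpServletRequest.getServerName());
            requestUrl.append(":");
            requestUrl.append(redirectPort);
            requestUrl.append(httpServletRequest.getRequestURI());
        } else {
            requestUrl = httpServletRequest.getRequestURL();
        }
        String queryString = httpServletRequest.getQueryString();
        if (queryString != null) {
            requestUrl.append("?");
            requestUrl.append(OidcUtil.encodeQuery(queryString));
        }
        return requestUrl.toString();
    }

    /**
     * Validates the {@code WAS_OIDC_CODE} parameter cookie and unpacks it. The cookie is
     * {@code <base64 payload>_<hash>}; the hash is recomputed from the payload and must match
     * before the payload is decoded. Every JSON member of the decoded payload is copied into
     * {@code reqParameters} as a string.
     *
     * @param convergedClientConfig the client configuration (keys the hash)
     * @param reqParameters receives the decoded parameters
     * @param cookieValue the raw cookie value
     * @return {@code false} when the cookie has no payload, the hash does not match, or a member
     *         is neither an object nor a primitive
     */
    @FFDCIgnore({IndexOutOfBoundsException.class})
    public boolean validateReqParameters(ConvergedClientConfig convergedClientConfig, Hashtable<String, String> reqParameters, String cookieValue) {
        boolean valid = true;
        // Initialised so the checks below are well-defined even if the lookup fails.
        int separatorIndex = -1;
        try {
            separatorIndex = cookieValue.lastIndexOf("_");
        } catch (IndexOutOfBoundsException e) {
            valid = false;
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "unexpected exception:", new Object[]{e});
            }
        }
        if (separatorIndex < 1) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The cookie may have been tampered with.", new Object[0]);
                if (separatorIndex < 0) {
                    Tr.debug(tc, "The cookie does not contain an underscore.", new Object[0]);
                }
                if (separatorIndex == 0) {
                    Tr.debug(tc, "The cookie does not contain a value before the underscore.", new Object[0]);
                }
            }
            return false;
        }
        String encodedParameters = cookieValue.substring(0, separatorIndex);
        if (!cookieValue.equals(OidcClientUtil.calculateOidcCodeCookieValue(encodedParameters, convergedClientConfig))) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The value for the OIDC state cookie [" + ClientConstants.WAS_OIDC_CODE + "] failed validation.", new Object[0]);
            }
            valid = false;
        }
        if (valid) {
            // Only decoded after the integrity check above has passed.
            String decodedParameters = Base64Coder.toString(Base64Coder.base64DecodeString(encodedParameters));
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "decodedRequestParameters:" + decodedParameters, new Object[0]);
            }
            for (Map.Entry<String, JsonElement> entry : new JsonParser().parse(decodedParameters).getAsJsonObject().entrySet()) {
                String key = entry.getKey();
                JsonElement element = entry.getValue();
                if (element.isJsonObject() || element.isJsonPrimitive()) {
                    // NOTE(review): getAsString() on a JsonObject member is not supported by gson;
                    // kept as-is — confirm whether object-valued members can occur here.
                    reqParameters.put(key, element.getAsString());
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "parameterKey:" + key + "  value:" + element.getAsString(), new Object[0]);
                    }
                } else {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "unexpected json element:" + element.getClass().getName(), new Object[0]);
                    }
                    valid = false;
                }
            }
        }
        return valid;
    }

    /**
     * Verifies the response state; {@code null} state never verifies.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @param state the returned state, may be {@code null}
     * @param convergedClientConfig the client configuration
     * @return {@code null} when the state is valid, otherwise a {@code SEND_401} result (after logging)
     */
    public ProviderAuthenticationResult verifyResponseState(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String state, ConvergedClientConfig convergedClientConfig) {
        boolean stateValid = state != null && verifyState(httpServletRequest, httpServletResponse, state, convergedClientConfig).booleanValue();
        if (stateValid) {
            return null;
        }
        Tr.error(tc, "OIDC_CLIENT_RESPONSE_STATE_ERR", new Object[]{state, convergedClientConfig.getClientId()});
        return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
    }

    /**
     * Validates the returned state against the state cookie and its age. The cookie is read and
     * invalidated in one step, the expected value is recomputed from the state and compared in
     * constant time, and the timestamp embedded in the state must be no older than the
     * authentication time limit plus clock skew, and no further in the future than the clock skew.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @param state the returned state; must be non-null
     * @param convergedClientConfig the client configuration
     * @return whether the state is acceptable
     */
    public Boolean verifyState(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String state, ConvergedClientConfig convergedClientConfig) {
        if (state.length() < 24) {
            return false;
        }
        long clockSkewMillis = convergedClientConfig.getClockSkewInSeconds() * 1000;
        long maxAgeMillis = (convergedClientConfig.getAuthenticationTimeLimitInSeconds() * 1000) + clockSkewMillis;
        Cookie[] cookies = httpServletRequest.getCookies();
        String stateCookieName = ClientConstants.WAS_OIDC_STATE_KEY + HashUtils.getStrHashCode(state);
        String cookieValue = CookieHelper.getCookieValue(cookies, stateCookieName);
        OidcClientUtil.invalidateReferrerURLCookie(httpServletRequest, httpServletResponse, stateCookieName);
        String expectedCookieValue = HashUtils.createStateCookieValue(convergedClientConfig, state);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "stateKey:'" + cookieValue + "' cookieValue:'" + expectedCookieValue + "'", new Object[0]);
        }
        // Constant-time comparison of the keyed cookie value; a missing cookie fails outright.
        if (cookieValue == null
                || !MessageDigest.isEqual(expectedCookieValue.getBytes(StandardCharsets.UTF_8), cookieValue.getBytes(StandardCharsets.UTF_8))) {
            return false;
        }
        long issuedAt = OidcUtil.convertNormalizedTimeStampToLong(state);
        long now = new Date().getTime();
        long age = now - issuedAt;
        if (age >= 0) {
            if (age >= maxAgeMillis && TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "error current: " + now + "  ran at:" + issuedAt, new Object[0]);
            }
            return Boolean.valueOf(age < maxAgeMillis);
        }
        // Timestamp is in the future: tolerate only the configured clock skew.
        long aheadBy = -age;
        if (aheadBy >= clockSkewMillis && TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "error current: " + now + "  ran at:" + issuedAt, new Object[0]);
        }
        return Boolean.valueOf(aheadBy < clockSkewMillis);
    }

    /**
     * Returns the configured issuer identifier, falling back to one derived from the token
     * endpoint URL when none is configured.
     *
     * @param convergedClientConfig the client configuration
     * @return the issuer identifier, possibly {@code null}
     */
    public String getIssuerIdentifier(ConvergedClientConfig convergedClientConfig) {
        String issuerIdentifier = convergedClientConfig.getIssuerIdentifier();
        if (issuerIdentifier == null || issuerIdentifier.isEmpty()) {
            issuerIdentifier = extractIssuerFromTokenEndpointUrl(convergedClientConfig);
        }
        return issuerIdentifier;
    }

    /**
     * Derives an issuer from the token endpoint URL by cutting off the last path segment: the
     * URL is truncated at its last {@code /} unless that slash is the second character of the
     * scheme's {@code //} or there is no slash at all, in which case the URL is returned unchanged.
     *
     * @param convergedClientConfig the client configuration
     * @return the derived issuer, or {@code null} when no token endpoint URL is configured
     */
    String extractIssuerFromTokenEndpointUrl(ConvergedClientConfig convergedClientConfig) {
        String tokenEndpointUrl = convergedClientConfig.getTokenEndpointUrl();
        if (tokenEndpointUrl == null) {
            return null;
        }
        int doubleSlashIndex = tokenEndpointUrl.indexOf("//");
        int lastSlashIndex = tokenEndpointUrl.lastIndexOf("/");
        boolean hasDoubleSlash = doubleSlashIndex > -1;
        boolean hasAnySlash = hasDoubleSlash || lastSlashIndex > -1;
        boolean lastSlashIsSchemeSlash = hasDoubleSlash && lastSlashIndex == doubleSlashIndex + 1;
        if (hasAnySlash && !lastSlashIsSchemeSlash) {
            return tokenEndpointUrl.substring(0, lastSlashIndex);
        }
        return tokenEndpointUrl;
    }
}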
