package com.ibm.ws.security.openidconnect.clients.common;

import com.google.gson.JsonObject;
import com.ibm.json.java.JSONObject;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.common.internal.encoder.Base64Coder;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.web.WebUtils;
import com.ibm.ws.security.openidconnect.common.Constants;
import com.ibm.ws.security.openidconnect.token.IDToken;
import com.ibm.ws.webcontainer.security.ReferrerURLCookieHandler;
import com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl;
import com.ibm.ws.webcontainer.security.WebAppSecurityConfig;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.SSLSocketFactory;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.HttpException;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.http.message.BasicNameValuePair;

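/**
 * Helper for the OpenID Connect client side: assembles requests to the token,
 * introspection and userinfo endpoints, builds redirect URLs, and creates or
 * invalidates the cookies used while a login is in flight.
 *
 * <p>Parameters annotated {@code @Sensitive} carry secrets (client secret, form
 * parameters that may contain it, cookie values). Keep them out of trace and log
 * output when extending this class.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:com/ibm/ws/security/openidconnect/clients/common/OidcClientUtil.class */
public class OidcClientUtil {
    private static final long serialVersionUID = 1;
    private static final TraceComponent tc = Tr.register(OidcClientUtil.class, "OPENIDCONNECT", "com.ibm.ws.security.openidconnect.clients.common.resources.OidcClientMessages");

    // Lazily populated process-wide references; see getWebAppSecurityConfig() and
    // getReferrerURLCookieHandler().
    static AtomicReference<ReferrerURLCookieHandler> referrerURLCookieHandlerRef = new AtomicReference<>();
    static AtomicReference<WebAppSecurityConfig> webAppSecurityConfigRef = new AtomicReference<>();

    // Headers added to every GET issued by getFromEndpoint and handed to the POST helpers.
    private final List<NameValuePair> commonHeaders = new ArrayList<>();
    OidcClientHttpUtil oidcHttpUtil = null;

    /** Creates a utility that asks for JSON responses and uses the shared HTTP helper. */
    public OidcClientUtil() {
        this.commonHeaders.add(new BasicNameValuePair("Accept", "application/json"));
        init(OidcClientHttpUtil.getInstance());
    }

    /**
     * Replaces the HTTP helper used for all outbound calls.
     *
     * @param oidcClientHttpUtil helper to use from now on
     */
    void init(OidcClientHttpUtil oidcClientHttpUtil) {
        this.oidcHttpUtil = oidcClientHttpUtil;
    }

    /**
     * Returns the live (mutable) list of headers sent with every request.
     *
     * @return the internal header list, not a copy
     */
    final List<NameValuePair> getCommonHeaders() {
        return this.commonHeaders;
    }

    /**
     * Exchanges an authorization code at the token endpoint and returns the
     * top-level members of the JSON response as strings.
     *
     * @param str endpoint URL handed to {@link #postToTokenEndpoint}
     * @param str2 value sent as {@code client_id}
     * @param str3 value sent as {@code client_secret}
     * @param str4 value sent as {@code redirect_uri}
     * @param str5 value sent as {@code code}
     * @param str6 value sent as {@code grant_type}
     * @param sSLSocketFactory socket factory passed through to the HTTP helper
     * @param z passed through to the HTTP helper unchanged (meaning not visible here)
     * @param str7 client authentication method; credentials go into the form body when it
     *        equals {@code ClientConstants.METHOD_POST} or
     *        {@code ClientConstants.METHOD_CLIENT_SECRET_POST}
     * @param str8 optional {@code resource} parameter, skipped when {@code null}
     * @param hashMap optional extra form parameters, see {@link #handleCustomParams}
     * @param z2 passed through to the HTTP helper unchanged (meaning not visible here)
     * @return response members keyed by name; {@code null} JSON values become {@code ""}
     * @throws Exception whatever the HTTP helper or the JSON parser raises
     */
    public HashMap<String, String> getTokensFromAuthzCode(String str, String str2, @Sensitive String str3, String str4, String str5, String str6, SSLSocketFactory sSLSocketFactory, boolean z, String str7, String str8, HashMap<String, String> hashMap, boolean z2) throws Exception {
        List<NameValuePair> form = new ArrayList<>();
        form.add(new BasicNameValuePair("grant_type", str6));
        if (str8 != null) {
            form.add(new BasicNameValuePair("resource", str8));
        }
        form.add(new BasicNameValuePair("redirect_uri", str4));
        form.add(new BasicNameValuePair("code", str5));

        // NOTE(review): oidcHttpUtil is obtained from OidcClientHttpUtil.getInstance(); if that
        // instance is shared between clients, setting the client id on it per call is shared
        // mutable state. Confirm against OidcClientHttpUtil.
        this.oidcHttpUtil.setClientId(str2);

        boolean credentialsInBody = str7.equals(ClientConstants.METHOD_POST) || str7.equals(ClientConstants.METHOD_CLIENT_SECRET_POST);
        if (credentialsInBody) {
            form.add(new BasicNameValuePair("client_id", str2));
            form.add(new BasicNameValuePair("client_secret", str3));
        }
        // Custom parameters are appended last and are not checked against the names above, so a
        // configured custom parameter can duplicate a protocol parameter such as "code".
        handleCustomParams(form, hashMap);

        HashMap<String, String> tokens = new HashMap<>();
        for (Object item : JSONObject.parse(this.oidcHttpUtil.extractTokensFromResponse(postToTokenEndpoint(str, form, str2, str3, sSLSocketFactory, z, str7, z2))).entrySet()) {
            Map.Entry<?, ?> entry = (Map.Entry<?, ?>) item;
            if (entry.getKey() instanceof String) {
                Object value = entry.getValue();
                tokens.put((String) entry.getKey(), value == null ? "" : value.toString());
            }
        }
        return tokens;
    }

    /**
     * Appends every custom parameter that has both a non-null name and a non-null value.
     *
     * @param list form parameter list to extend (may already hold the client secret)
     * @param hashMap custom parameters; {@code null} or empty means nothing is added
     */
    public void handleCustomParams(@Sensitive List<NameValuePair> list, HashMap<String, String> hashMap) {
        if (hashMap == null || hashMap.isEmpty()) {
            return;
        }
        for (Map.Entry<String, String> custom : hashMap.entrySet()) {
            String name = custom.getKey();
            String value = custom.getValue();
            if (name != null && value != null) {
                list.add(new BasicNameValuePair(name, value));
            }
        }
    }

    /**
     * Sends a token to the introspection endpoint.
     *
     * @param str endpoint URL
     * @param str2 client id
     * @param str3 client secret
     * @param str4 token to check, sent as {@code ClientConstants.TOKEN}
     * @param z passed through to the HTTP helper unchanged
     * @param str5 client authentication method
     * @param sSLSocketFactory socket factory passed through to the HTTP helper
     * @param z2 passed through to the HTTP helper unchanged
     * @return the map produced by {@link #postToCheckTokenEndpoint}
     * @throws Exception whatever the HTTP helper raises
     */
    public Map<String, Object> checkToken(String str, String str2, @Sensitive String str3, String str4, boolean z, String str5, SSLSocketFactory sSLSocketFactory, boolean z2) throws Exception {
        List<NameValuePair> form = new ArrayList<>();
        form.add(new BasicNameValuePair(ClientConstants.TOKEN, str4));
        // NOTE(review): getTokensFromAuthzCode also accepts METHOD_CLIENT_SECRET_POST for
        // body credentials; only METHOD_POST is checked here. Confirm that is intended.
        if (str5.equals(ClientConstants.METHOD_POST)) {
            form.add(new BasicNameValuePair("client_id", str2));
            form.add(new BasicNameValuePair("client_secret", str3));
        }
        return postToCheckTokenEndpoint(str, form, str2, str3, z, str5, sSLSocketFactory, z2);
    }

    /**
     * Calls the userinfo endpoint with a bearer token and no query parameters.
     *
     * @param str endpoint URL
     * @param str2 access token placed in the Authorization header
     * @param sSLSocketFactory socket factory passed through to the HTTP helper
     * @param z passed through to the HTTP helper unchanged
     * @param z2 passed through to the HTTP helper unchanged
     * @return the map produced by {@link #getFromEndpoint}
     * @throws Exception whatever the HTTP call raises
     */
    public Map<String, Object> getUserinfo(String str, String str2, SSLSocketFactory sSLSocketFactory, boolean z, boolean z2) throws Exception {
        return getFromUserinfoEndpoint(str, new ArrayList<NameValuePair>(), str2, sSLSocketFactory, z, z2);
    }

    /** Delegates to {@code OidcClientHttpUtil.postToEndpoint} with the common headers. */
    Map<String, Object> postToTokenEndpoint(String str, @Sensitive List<NameValuePair> list, String str2, @Sensitive String str3, SSLSocketFactory sSLSocketFactory, boolean z, String str4, boolean z2) throws Exception {
        return this.oidcHttpUtil.postToEndpoint(str, list, str2, str3, null, sSLSocketFactory, this.commonHeaders, z, str4, z2);
    }

    /** Delegates to {@code OidcClientHttpUtil.postToIntrospectEndpoint} with the common headers. */
    Map<String, Object> postToCheckTokenEndpoint(String str, @Sensitive List<NameValuePair> list, String str2, @Sensitive String str3, boolean z, String str4, SSLSocketFactory sSLSocketFactory, boolean z2) throws Exception {
        return this.oidcHttpUtil.postToIntrospectEndpoint(str, list, str2, str3, null, sSLSocketFactory, this.commonHeaders, z, str4, z2);
    }

    /** Issues a GET without client credentials, authenticating with the bearer token only. */
    Map<String, Object> getFromUserinfoEndpoint(String str, List<NameValuePair> list, String str2, SSLSocketFactory sSLSocketFactory, boolean z, boolean z2) throws HttpException, IOException {
        return getFromEndpoint(str, list, null, null, str2, sSLSocketFactory, z, z2);
    }

    /**
     * Performs a GET and returns the raw response together with the request object.
     *
     * <p>The parameters in {@code list} end up in the request URL, so they must not carry
     * secrets; the access token travels in the Authorization header instead.
     *
     * @param str endpoint URL, with or without an existing query string
     * @param list query parameters; {@code null} or empty leaves the URL untouched
     * @param str2 when non-null, selects the {@code createHTTPClient} overload that also takes
     *        {@code str3}
     * @param str3 secret passed to that overload
     * @param str4 bearer token; no Authorization header is set when {@code null}
     * @param sSLSocketFactory socket factory passed through to the HTTP helper
     * @param z passed through to the HTTP helper unchanged
     * @param z2 passed through to the HTTP helper unchanged
     * @return map holding the {@code HttpResponse} under {@code ClientConstants.RESPONSEMAP_CODE}
     *         and the {@code HttpGet} under {@code ClientConstants.RESPONSEMAP_METHOD}
     * @throws HttpException declared by the signature
     * @throws IOException if executing the request fails
     */
    Map<String, Object> getFromEndpoint(String str, List<NameValuePair> list, String str2, @Sensitive String str3, String str4, SSLSocketFactory sSLSocketFactory, boolean z, boolean z2) throws HttpException, IOException {
        String url = str;
        String query = list != null ? URLEncodedUtils.format(list, "UTF-8") : null;
        if (query != null && !query.isEmpty()) {
            // Join with '&' when the endpoint already has a query string; appending a second '?'
            // would fold the new parameters into the value of the last existing one.
            if (url.endsWith("?") || url.endsWith("&")) {
                url = url + query;
            } else if (url.indexOf('?') >= 0) {
                url = url + "&" + query;
            } else {
                url = url + "?" + query;
            }
        }

        HttpGet httpGet = new HttpGet(url);
        for (NameValuePair header : this.commonHeaders) {
            httpGet.addHeader(header.getName(), header.getValue());
        }
        if (str4 != null) {
            httpGet.setHeader(ClientConstants.AUTHORIZATION, ClientConstants.BEARER + str4);
        }

        HttpResponse response = (str2 != null ? this.oidcHttpUtil.createHTTPClient(sSLSocketFactory, url, z, str2, str3, z2) : this.oidcHttpUtil.createHTTPClient(sSLSocketFactory, url, z, z2)).execute(httpGet);

        // The caller receives the open response and the request; consuming and releasing
        // them is the caller's job.
        Map<String, Object> result = new HashMap<>();
        result.put(ClientConstants.RESPONSEMAP_CODE, response);
        result.put(ClientConstants.RESPONSEMAP_METHOD, httpGet);
        return result;
    }

    /**
     * Builds an absolute URL for the given path on the host named by the request.
     *
     * <p>The host comes from {@code HttpServletRequest.getServerName()}, which normally
     * reflects the client-supplied Host header. The result is therefore only as trustworthy
     * as the host validation done by the container or front-end proxy; the redirect URIs
     * registered at the provider remain the effective allow-list.
     *
     * @param httpServletRequest current request
     * @param str path (and anything after it) appended to scheme, host and port
     * @return {@code https://host[:redirectPort]path} when a redirect port is known or the
     *         request is not secure; otherwise the request's own scheme and port, with the
     *         port omitted when it is non-positive or 443
     */
    public String getRedirectUrl(HttpServletRequest httpServletRequest, String str) {
        String host = httpServletRequest.getServerName();
        Integer redirectPort = new WebUtils().getRedirectPortFromRequest(httpServletRequest);

        if (redirectPort == null && httpServletRequest.isSecure()) {
            int port = httpServletRequest.getServerPort();
            String portPart = (port <= 0 || port == 443) ? "" : ":" + port;
            return httpServletRequest.getScheme() + "://" + host + portPart + str;
        }
        String portPart = redirectPort == null ? "" : ":" + redirectPort;
        return "https://" + host + portPart + str;
    }

    /**
     * Constructs an {@link IDToken} from the given arguments, passed through in order.
     *
     * @return the new token object
     */
    public IDToken createIDToken(String str, @Sensitive Object obj, String str2, String str3, String str4, String str5) {
        return new IDToken(str, obj, str2, str3, str4, str5);
    }

    /**
     * Creates a session cookie (max age -1).
     *
     * @param str cookie name
     * @param str2 cookie value
     * @param httpServletRequest current request
     * @return the cookie, not yet added to any response
     */
    public static Cookie createCookie(String str, @Sensitive String str2, HttpServletRequest httpServletRequest) {
        return createCookie(str, str2, -1, httpServletRequest);
    }

    /**
     * Creates a cookie through the referrer-URL cookie handler and applies the SSO domain
     * and the requested max age.
     *
     * <p>Other attributes are whatever {@code ReferrerURLCookieHandler.createCookie} sets;
     * this method does not touch the Secure or HttpOnly flags itself.
     *
     * @param str cookie name
     * @param str2 cookie value
     * @param i max age in seconds
     * @param httpServletRequest current request
     * @return the cookie, not yet added to any response
     */
    public static Cookie createCookie(String str, @Sensitive String str2, int i, HttpServletRequest httpServletRequest) {
        Cookie cookie = getReferrerURLCookieHandler().createCookie(str, str2, httpServletRequest);
        String ssoDomain = getSsoDomain(httpServletRequest);
        if (ssoDomain != null && !ssoDomain.isEmpty()) {
            cookie.setDomain(ssoDomain);
        }
        cookie.setMaxAge(i);
        return cookie;
    }

    /**
     * Expires the named cookie by sending an empty replacement with max age 0.
     * Does nothing (beyond a debug trace) when any argument is {@code null}.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse response that receives the expiring cookie
     * @param str cookie name
     */
    public static void invalidateReferrerURLCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        if (str == null || httpServletRequest == null || httpServletResponse == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "invalidateReferrerURLCookie param is null, return", new Object[0]);
            }
            return;
        }
        // The four-argument createCookie already applies the SSO domain, so the replacement
        // matches the domain of the cookie being expired.
        httpServletResponse.addCookie(createCookie(str, "", 0, httpServletRequest));
    }

    /**
     * Expires every named cookie; see {@link #invalidateReferrerURLCookie}.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse response that receives the expiring cookies
     * @param strArr cookie names
     */
    public static void invalidateReferrerURLCookies(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String[] strArr) {
        if (strArr == null || httpServletRequest == null || httpServletResponse == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "invalidateReferrerURLCookies param is null, return", new Object[0]);
            }
            return;
        }
        for (String cookieName : strArr) {
            invalidateReferrerURLCookie(httpServletRequest, httpServletResponse, cookieName);
        }
    }

    /**
     * Resolves the SSO cookie domain for the request from the web application security
     * configuration (domain list and the use-domain-from-URL setting).
     *
     * @param httpServletRequest current request
     * @return whatever {@code getSSODomainName} returns for this request
     */
    public static String getSsoDomain(HttpServletRequest httpServletRequest) {
        WebAppSecurityConfig config = getWebAppSecurityConfig();
        return config.createSSOCookieHelper().getSSODomainName(httpServletRequest, config.getSSODomainList(), config.getSSOUseDomainFromURL());
    }

    /**
     * Returns the cached security configuration, loading the global one on first use.
     *
     * @return the configuration, or {@code null} if the global lookup returned {@code null}
     */
    static WebAppSecurityConfig getWebAppSecurityConfig() {
        WebAppSecurityConfig config = webAppSecurityConfigRef.get();
        if (config == null) {
            config = WebAppSecurityCollaboratorImpl.getGlobalWebAppSecurityConfig();
            webAppSecurityConfigRef.set(config);
        }
        return config;
    }

    /**
     * Returns the cached cookie handler, creating it from the security configuration on
     * first use.
     *
     * @return the handler used by {@link #createCookie(String, String, int, HttpServletRequest)}
     */
    public static ReferrerURLCookieHandler getReferrerURLCookieHandler() {
        ReferrerURLCookieHandler handler = referrerURLCookieHandlerRef.get();
        if (handler == null) {
            handler = getWebAppSecurityConfig().createReferrerURLCookieHandler();
            referrerURLCookieHandlerRef.set(handler);
        }
        return handler;
    }

    /**
     * Installs a different cookie handler and refreshes the cached security configuration
     * from the global one. A handler identical to the current one is ignored.
     *
     * @param referrerURLCookieHandler handler to install
     */
    public static void setReferrerURLCookieHandler(ReferrerURLCookieHandler referrerURLCookieHandler) {
        ReferrerURLCookieHandler current = getReferrerURLCookieHandler();
        if (current == referrerURLCookieHandler) {
            return;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Old and new CookieHandler", new Object[]{current, referrerURLCookieHandler});
        }
        webAppSecurityConfigRef.set(WebAppSecurityCollaboratorImpl.getGlobalWebAppSecurityConfig());
        referrerURLCookieHandlerRef.set(referrerURLCookieHandler);
    }

    /**
     * Overrides the cached security configuration.
     *
     * @param webAppSecurityConfig configuration to cache
     */
    public static void setWebAppSecurityConfig(WebAppSecurityConfig webAppSecurityConfig) {
        webAppSecurityConfigRef.set(webAppSecurityConfig);
    }

    /**
     * Stores the request parameters (first value of each, minus the access token and ID
     * token) in the {@code ClientConstants.WAS_OIDC_CODE} cookie as Base64-encoded JSON
     * followed by an integrity tag, see {@link #calculateOidcCodeCookieValue}.
     *
     * <p>The remaining parameters can include the authorization code and state, so the
     * debug trace records parameter names only, never values.
     *
     * <p>The Secure flag is set here only when the client configuration requires HTTPS and
     * {@code z} is true; otherwise the cookie keeps whatever {@link #createCookie} produced.
     *
     * @param httpServletRequest request whose parameters are captured
     * @param httpServletResponse response that receives the cookie
     * @param str not used by this method
     * @param str2 not used by this method
     * @param z second condition for setting the Secure flag
     * @param convergedClientConfig client configuration used for the HTTPS check and the tag
     */
    public static void setCookieForRequestParameter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, boolean z, ConvergedClientConfig convergedClientConfig) {
        JsonObject forwarded = new JsonObject();
        List<String> forwardedNames = new ArrayList<>();
        for (Object item : httpServletRequest.getParameterMap().entrySet()) {
            Map.Entry<?, ?> entry = (Map.Entry<?, ?>) item;
            String name = (String) entry.getKey();
            if (Constants.ACCESS_TOKEN.equals(name) || "id_token".equals(name)) {
                continue; // tokens are never copied into the cookie
            }
            String[] values = (String[]) entry.getValue();
            if (values != null && values.length > 0) {
                forwarded.addProperty(name, values[0]);
                forwardedNames.add(name);
            }
        }

        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "requestParameters (names only):" + forwardedNames, new Object[0]);
        }

        // StandardCharsets.UTF_8 cannot fail, so there is no path that yields a cookie
        // without a value because of an encoding lookup error.
        String encoded = Base64Coder.toString(Base64Coder.base64Encode(forwarded.toString().getBytes(StandardCharsets.UTF_8)));
        String cookieValue = encoded != null ? calculateOidcCodeCookieValue(encoded, convergedClientConfig) : null;

        Cookie cookie = createCookie(ClientConstants.WAS_OIDC_CODE, cookieValue, httpServletRequest);
        if (convergedClientConfig.isHttpsRequired() && z) {
            cookie.setSecure(true);
        }
        httpServletResponse.addCookie(cookie);
    }

    /**
     * Appends an integrity tag to an encoded cookie payload.
     *
     * <p>The tag is {@code HashUtils.digest(payload + "_" + config.toString() + clientSecret)},
     * with the secret left out when the configuration has none.
     *
     * <p>NOTE(review): this is a digest over payload-plus-secret rather than an HMAC, and the
     * digest algorithm is chosen inside {@code HashUtils}, which is not visible here. Without
     * a client secret the tag contains no secret input from this method. Whoever verifies
     * the cookie should recompute the tag and compare it in constant time.
     *
     * <p>NOTE(review): {@code convergedClientConfig.toString()} is part of the tag; if that
     * method is not overridden to return a stable value, the tag will differ between
     * instances or restarts. Confirm against the implementation.
     *
     * @param str encoded payload
     * @param convergedClientConfig client configuration supplying the keying material
     * @return {@code payload + "_" + tag}
     */
    public static String calculateOidcCodeCookieValue(String str, ConvergedClientConfig convergedClientConfig) {
        String keyMaterial = convergedClientConfig.toString();
        if (convergedClientConfig.getClientSecret() != null) {
            keyMaterial = keyMaterial.concat(convergedClientConfig.getClientSecret());
        }
        // concat (not '+') keeps the fail-fast behaviour: a null digest raises instead of
        // producing a literal "null" tag.
        String tag = HashUtils.digest(str.concat("_").concat(keyMaterial));
        return str.concat("_").concat(tag);
    }
}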
