package com.ibm.ws.security.social.tai;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.websphere.security.jwt.Claims;
import com.ibm.websphere.security.jwt.JwtToken;
import com.ibm.websphere.security.social.UserProfile;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.jwk.subject.mapping.AttributeToSubject;
import com.ibm.ws.security.common.structures.Cache;
import com.ibm.ws.security.jwt.builder.utils.BuilderUtils;
import com.ibm.ws.security.social.SocialLoginConfig;
import com.ibm.ws.security.social.error.SocialLoginException;
import com.ibm.ws.security.social.internal.utils.CacheToken;
import com.ibm.ws.security.social.internal.utils.ClientConstants;
import com.ibm.ws.security.social.internal.utils.SocialHashUtils;
import com.ibm.wsspi.security.tai.TAIResult;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletResponse;

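/**
 * Turns the tokens and user-API response collected during a social-login authorization-code
 * flow into a {@link TAIResult}.
 *
 * <p>The username comes either from the user-API response (via {@link AttributeToSubject}
 * mapping, when {@code userApiResponse} is present) or from the JWT's claims. The resulting
 * {@link Subject} carries the JWT, a {@code Hashtable} of custom credential properties (which
 * includes the raw access token under {@code "access_token"}) and a {@link UserProfile}. A
 * {@link CacheToken} for the access token is stored in the shared {@code tokenCache} under the
 * encrypted access token and under its digest alias.
 *
 * <p>Instances carry per-request state ({@code username}, tokens) and are not intended to be
 * shared between requests; the only shared state is the static {@code tokenCache}.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class TAISubjectUtils {
    public static final TraceComponent tc = Tr.register(TAISubjectUtils.class, "SOCIAL", "com.ibm.ws.security.social.resources.SocialMessages");

    // Shared across all requests. The two constructor arguments presumably are an entry limit and
    // an entry timeout in milliseconds — TODO confirm against Cache.
    private static Cache tokenCache = new Cache(50000, 600000);
    TAIWebUtils taiWebUtils;
    TAIEncryptionUtils taiEncryptionUtils;
    // Set by setUsernameAndCustomProperties(); read by createResult() and setAllCustomProperties().
    private String username;

    // Raw bearer token: annotated @Sensitive so the trace framework does not print it.
    @Sensitive
    private String accessToken;
    private JwtToken jwt;
    private JwtToken issuedJwt;

    // Token endpoint response (access_token, refresh_token, id_token, expires_in, scope, ...).
    @Sensitive
    private Map<String, Object> userApiResponseTokens;
    private String userApiResponse;
    // Kept for compatibility; the class itself is not declared Serializable.
    static final long serialVersionUID = 9054878627471500539L;

    /**
     * Signals that the username, access token or realm needed for the custom credential
     * properties could not be determined. The cause has already been logged via {@link Tr#error}
     * when this is thrown, so callers only need to fail the request.
     */
    @InjectedFFDC
    @TraceObjectField(fieldName = "$$$tc$$$", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
    public static class SettingCustomPropertiesException extends Exception {
        private static final long serialVersionUID = 1;
        private static final TraceComponent $$$tc$$$ = Tr.register(SettingCustomPropertiesException.class);

        SettingCustomPropertiesException() {
        }
    }

    /**
     * Creates the utility from the tokens gathered by an {@link AuthorizationCodeAuthenticator}.
     *
     * @param authorizationCodeAuthenticator source of the access token, JWTs, token map and user-API response
     */
    public TAISubjectUtils(AuthorizationCodeAuthenticator authorizationCodeAuthenticator) {
        this(authorizationCodeAuthenticator.getAccessToken(), authorizationCodeAuthenticator.getJwt(), authorizationCodeAuthenticator.getIssuedJwt(), authorizationCodeAuthenticator.getTokens(), authorizationCodeAuthenticator.getUserApiResponse());
    }

    /**
     * Creates the utility from explicit values.
     *
     * @param str        the raw access token (may be null; rejected later by {@link #setAllCustomProperties})
     * @param jwtToken   the JWT received from the provider, or null
     * @param jwtToken2  the JWT issued locally, or null
     * @param map        the token endpoint response, or null
     * @param str2       the user-API response body, or null
     */
    public TAISubjectUtils(@Sensitive String str, JwtToken jwtToken, JwtToken jwtToken2, @Sensitive Map<String, Object> map, String str2) {
        this.taiWebUtils = new TAIWebUtils();
        this.taiEncryptionUtils = new TAIEncryptionUtils();
        this.username = null;
        this.accessToken = str;
        this.jwt = jwtToken;
        this.issuedJwt = jwtToken2;
        this.userApiResponseTokens = map;
        this.userApiResponse = str2;
    }

    /**
     * Builds the TAI result for this authentication.
     *
     * @param httpServletResponse response used to redirect to the error page on failure
     * @param socialLoginConfig   the social-login configuration in effect
     * @return a 200 result carrying the username and subject, or the error-page result with a 401
     *         when the username, access token or realm could not be determined
     * @throws WebTrustAssociationFailedException propagated from the TAI result/error-page handling
     * @throws SocialLoginException             when the subject or user profile cannot be built
     */
    @FFDCIgnore({SettingCustomPropertiesException.class})
    public TAIResult createResult(HttpServletResponse httpServletResponse, SocialLoginConfig socialLoginConfig) throws WebTrustAssociationFailedException, SocialLoginException {
        Hashtable<String, Object> customProperties;
        try {
            customProperties = setAllCustomProperties(socialLoginConfig);
        } catch (SettingCustomPropertiesException e) {
            // The callee already logged the specific error message; answer with 401 via the error page.
            return this.taiWebUtils.sendToErrorPage(httpServletResponse, TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED));
        }
        // this.username is populated by setAllCustomProperties(); it must be read only afterwards.
        // The previous form passed this.username as an argument evaluated before that call ran.
        Subject subject = buildSubject(socialLoginConfig, customProperties);
        return TAIResult.create(HttpServletResponse.SC_OK, this.username, subject);
    }

    /**
     * Determines the username and assembles the custom credential properties.
     *
     * @param socialLoginConfig the social-login configuration in effect
     * @return the custom properties including the security name and the raw access token
     * @throws SettingCustomPropertiesException if no username or access token is available (logged before throwing)
     */
    Hashtable<String, Object> setAllCustomProperties(SocialLoginConfig socialLoginConfig) throws SettingCustomPropertiesException {
        Hashtable<String, Object> customProperties = setUsernameAndCustomProperties(socialLoginConfig);
        if (this.username == null) {
            Tr.error(tc, "USERNAME_NOT_FOUND", new Object[0]);
            throw new SettingCustomPropertiesException();
        }
        if (this.accessToken == null) {
            Tr.error(tc, "ACCESS_TOKEN_MISSING", new Object[]{this.username});
            throw new SettingCustomPropertiesException();
        }
        customProperties.put("com.ibm.wsspi.security.cred.securityName", this.username);
        // The raw access token becomes part of the subject's private credentials; keep it out of traces.
        customProperties.put("access_token", this.accessToken);
        return customProperties;
    }

    /**
     * Chooses the username source: the user-API response when one was received, otherwise the JWT claims.
     *
     * @throws SettingCustomPropertiesException if the realm needed for the properties cannot be determined
     */
    Hashtable<String, Object> setUsernameAndCustomProperties(SocialLoginConfig socialLoginConfig) throws SettingCustomPropertiesException {
        if (this.userApiResponse != null) {
            return setUsernameAndCustomPropertiesUsingAttributeToSubjectMapping(socialLoginConfig);
        }
        return setUsernameAndCustomPropertiesUsingJwt(socialLoginConfig);
    }

    /**
     * Derives the username from the user-API response via attribute-to-subject mapping. Unique id,
     * realm and groups are only added when the user is not mapped to the user registry.
     *
     * @throws SettingCustomPropertiesException if the realm cannot be determined
     */
    Hashtable<String, Object> setUsernameAndCustomPropertiesUsingAttributeToSubjectMapping(SocialLoginConfig socialLoginConfig) throws SettingCustomPropertiesException {
        AttributeToSubject attributeToSubject = createAttributeToSubject(socialLoginConfig);
        this.username = attributeToSubject.getMappedUser();
        if (socialLoginConfig.getMapToUserRegistry()) {
            // The registry supplies identity details; nothing to add here.
            return new Hashtable<>();
        }
        return createCustomPropertiesFromSubjectMapping(socialLoginConfig, attributeToSubject);
    }

    /** Creates the mapper for the user-API response using the configured attribute names. */
    AttributeToSubject createAttributeToSubject(SocialLoginConfig socialLoginConfig) {
        return new AttributeToSubject(this.userApiResponse, socialLoginConfig.getUserNameAttribute(), socialLoginConfig.getUserUniqueIdAttribute(), socialLoginConfig.getRealmName(), socialLoginConfig.getRealmNameAttribute(), socialLoginConfig.getGroupNameAttribute(), socialLoginConfig.getMapToUserRegistry(), socialLoginConfig.getUserApiResponseIdentifier());
    }

    /**
     * Builds the unique id, realm and group properties from the mapped subject attributes.
     *
     * @throws SettingCustomPropertiesException if neither a mapped realm nor a default realm is available
     */
    Hashtable<String, Object> createCustomPropertiesFromSubjectMapping(SocialLoginConfig socialLoginConfig, AttributeToSubject attributeToSubject) throws SettingCustomPropertiesException {
        Hashtable<String, Object> customProperties = new Hashtable<>();
        String realm = getRealm(attributeToSubject, socialLoginConfig);
        customProperties.put("com.ibm.wsspi.security.cred.uniqueId", getUserAccessId(attributeToSubject, realm));
        if (realm != null && !realm.isEmpty()) {
            customProperties.put("com.ibm.wsspi.security.cred.realm", realm);
        }
        List<String> groupsWithRealm = getGroupsListWithRealm(attributeToSubject, realm);
        if (!groupsWithRealm.isEmpty()) {
            customProperties.put("com.ibm.wsspi.security.cred.groups", groupsWithRealm);
        }
        return customProperties;
    }

    /**
     * Derives the username from the JWT claims. Realm and unique id are only added when a username
     * was found and the user is not mapped to the user registry.
     *
     * @throws SettingCustomPropertiesException if the realm cannot be determined
     */
    Hashtable<String, Object> setUsernameAndCustomPropertiesUsingJwt(SocialLoginConfig socialLoginConfig) throws SettingCustomPropertiesException {
        setUserNameFromJwtClaims(socialLoginConfig);
        boolean nothingToAdd = this.username == null || socialLoginConfig.getMapToUserRegistry();
        return nothingToAdd ? new Hashtable<>() : createCustomPropertiesFromConfig(socialLoginConfig);
    }

    /**
     * Sets {@code username} from the claim named by the configured user-name attribute. Leaves it
     * untouched when there is no JWT or it has no claims.
     */
    void setUserNameFromJwtClaims(SocialLoginConfig socialLoginConfig) {
        if (this.jwt == null) {
            return;
        }
        Claims claims = this.jwt.getClaims();
        if (claims == null) {
            return;
        }
        this.username = (String) claims.get(socialLoginConfig.getUserNameAttribute());
    }

    /**
     * Builds the realm and unique-id properties from the configuration alone (JWT-based username).
     *
     * @throws SettingCustomPropertiesException if neither a configured nor a default realm is available
     */
    Hashtable<String, Object> createCustomPropertiesFromConfig(SocialLoginConfig socialLoginConfig) throws SettingCustomPropertiesException {
        Hashtable<String, Object> customProperties = new Hashtable<>();
        String realm = getRealm(socialLoginConfig);
        customProperties.put("com.ibm.wsspi.security.cred.realm", realm);
        customProperties.put("com.ibm.wsspi.security.cred.uniqueId", "user:" + realm + "/" + this.username);
        return customProperties;
    }

    /**
     * Returns the realm mapped from the user-API response, falling back to the realm derived from
     * the authorization endpoint.
     *
     * @throws SettingCustomPropertiesException if no realm can be determined
     */
    String getRealm(AttributeToSubject attributeToSubject, SocialLoginConfig socialLoginConfig) throws SettingCustomPropertiesException {
        String mappedRealm = attributeToSubject.getMappedRealm();
        return mappedRealm != null ? mappedRealm : getDefaultRealmFromAuthorizationEndpoint(socialLoginConfig);
    }

    /**
     * Returns the configured realm name, falling back to the realm derived from the authorization endpoint.
     *
     * @throws SettingCustomPropertiesException if no realm can be determined
     */
    String getRealm(SocialLoginConfig socialLoginConfig) throws SettingCustomPropertiesException {
        String realmName = socialLoginConfig.getRealmName();
        return realmName != null ? realmName : getDefaultRealmFromAuthorizationEndpoint(socialLoginConfig);
    }

    /**
     * Derives a realm (scheme plus host) from the configured authorization endpoint.
     *
     * @throws SettingCustomPropertiesException if the endpoint is missing or too short to be a URL (logged before throwing)
     */
    String getDefaultRealmFromAuthorizationEndpoint(SocialLoginConfig socialLoginConfig) throws SettingCustomPropertiesException {
        String authorizationEndpoint = getAuthorizationEndpoint(socialLoginConfig);
        if (isValidAuthorizationEndpoint(authorizationEndpoint)) {
            return extractRealmFromAuthorizationEndpoint(authorizationEndpoint);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Authorization endpoint [" + authorizationEndpoint + "] is either empty or too short to be a valid URL", new Object[0]);
        }
        Tr.error(tc, "REALM_NOT_FOUND", new Object[0]);
        throw new SettingCustomPropertiesException();
    }

    /**
     * Assembles the subject and registers the cache token.
     *
     * <p>Private credentials receive the provider JWT (if any), the custom properties table
     * (extended with the compact issued JWT, if any) and the {@link UserProfile}. The cache token
     * is stored under the profile's encrypted access token and under its access-token alias.
     *
     * @param socialLoginConfig the social-login configuration in effect
     * @param hashtable         custom properties; mutated to add the issued JWT
     * @return the populated subject
     * @throws SocialLoginException if the user profile cannot be built
     */
    Subject buildSubject(SocialLoginConfig socialLoginConfig, Hashtable<String, Object> hashtable) throws SocialLoginException {
        Subject subject = new Subject();
        if (this.jwt != null) {
            subject.getPrivateCredentials().add(this.jwt);
        }
        if (this.issuedJwt != null) {
            hashtable.put(ClientConstants.ISSUED_JWT_TOKEN, this.issuedJwt.compact());
        }
        subject.getPrivateCredentials().add(hashtable);

        String encryptedAccessToken = null;
        String accessTokenAlias = null;
        UserProfile userProfile = createUserProfile(socialLoginConfig);
        if (userProfile != null) {
            encryptedAccessToken = userProfile.getEncryptedAccessToken();
            accessTokenAlias = userProfile.getAccessTokenAlias();
            subject.getPrivateCredentials().add(userProfile);
        }

        // Both keys map to the same CacheToken so a later lookup by either form resolves it.
        CacheToken cacheToken = createCacheToken(socialLoginConfig);
        if (encryptedAccessToken != null) {
            tokenCache.put(encryptedAccessToken, cacheToken);
        }
        if (accessTokenAlias != null) {
            tokenCache.put(accessTokenAlias, cacheToken);
        }
        return subject;
    }

    /**
     * Builds the {@link UserProfile} from the token custom properties and, best effort, the claims
     * parsed from the user-API response.
     *
     * @throws SocialLoginException if the token response or access token is missing
     */
    @FFDCIgnore({Exception.class})
    UserProfile createUserProfile(SocialLoginConfig socialLoginConfig) throws SocialLoginException {
        Hashtable<String, Object> customProperties = createCustomProperties(socialLoginConfig, true);
        Claims claims = null;
        try {
            claims = new BuilderUtils().parseJwtForClaims(this.userApiResponse);
        } catch (Exception ignored) {
            // Deliberately ignored (matching @FFDCIgnore): a response that does not parse as a JWT
            // yields a profile without claims rather than a failure.
        }
        return new UserProfile(this.jwt, customProperties, claims);
    }

    /**
     * Collects the token-related custom properties from the token endpoint response.
     *
     * @param socialLoginConfig the social-login configuration in effect
     * @param z                 when true, also include the refresh token and ID token
     * @return the properties (access token, optional refresh/ID token, lifetime, social media name,
     *         scope, encrypted access token and access-token alias)
     * @throws SocialLoginException if the token response or its access token is missing, or encryption fails
     */
    Hashtable<String, Object> createCustomProperties(SocialLoginConfig socialLoginConfig, boolean z) throws SocialLoginException {
        if (this.userApiResponseTokens == null) {
            throw new SocialLoginException("SOCIAL_LOGIN_RESULT_MISSING_ACCESS_TOKEN", null, new Object[0]);
        }
        Hashtable<String, Object> customProperties = new Hashtable<>();
        String responseAccessToken = getAccessTokenAndAddCustomProp(customProperties);
        if (z) {
            addRefreshTokenCustomProp(customProperties);
            addIdTokenCustomProp(customProperties);
        }
        addAccessTokenLifetimeCustomProp(customProperties);
        addSocialMediaNameCustomProp(customProperties, socialLoginConfig);
        addScopeCustomProp(customProperties, socialLoginConfig);
        addEncryptedAccessTokenCustomProp(customProperties, socialLoginConfig, responseAccessToken);
        addAccessTokenAliasCustomProp(customProperties, responseAccessToken);
        return customProperties;
    }

    /**
     * Copies the access token from the token response into the properties and returns it.
     *
     * @throws SocialLoginException if the response carries no access token
     */
    String getAccessTokenAndAddCustomProp(Hashtable<String, Object> hashtable) throws SocialLoginException {
        String responseAccessToken = (String) this.userApiResponseTokens.get("access_token");
        if (responseAccessToken == null) {
            throw new SocialLoginException("SOCIAL_LOGIN_RESULT_MISSING_ACCESS_TOKEN", null, new Object[0]);
        }
        hashtable.put("access_token", responseAccessToken);
        return responseAccessToken;
    }

    /** Adds the refresh token when the response carries a non-blank one. */
    void addRefreshTokenCustomProp(Hashtable<String, Object> hashtable) {
        addNonNullNonEmptyCustomProperty(hashtable, ClientConstants.REFRESH_TOKEN, (String) this.userApiResponseTokens.get(ClientConstants.REFRESH_TOKEN));
    }

    /** Adds the ID token when the response carries a non-blank one. */
    void addIdTokenCustomProp(Hashtable<String, Object> hashtable) {
        addNonNullNonEmptyCustomProperty(hashtable, ClientConstants.ID_TOKEN, (String) this.userApiResponseTokens.get(ClientConstants.ID_TOKEN));
    }

    /** Adds the token lifetime when the response carries one; assumes the value was stored as a Long. */
    void addAccessTokenLifetimeCustomProp(Hashtable<String, Object> hashtable) {
        Long expiresIn = (Long) this.userApiResponseTokens.get(ClientConstants.EXPIRES_IN);
        if (expiresIn != null) {
            hashtable.put(ClientConstants.EXPIRES_IN, expiresIn);
        }
    }

    /** Records which social-login configuration (by unique id) produced this subject. */
    void addSocialMediaNameCustomProp(Hashtable<String, Object> hashtable, SocialLoginConfig socialLoginConfig) {
        addNonNullNonEmptyCustomProperty(hashtable, "social_media", socialLoginConfig.getUniqueId());
    }

    /**
     * Adds the scope: the one granted in the token response takes precedence, the configured
     * scope is used only when the response carried none.
     */
    void addScopeCustomProp(Hashtable<String, Object> hashtable, SocialLoginConfig socialLoginConfig) {
        boolean addedFromResponse = addNonNullNonEmptyCustomProperty(hashtable, "scope", (String) this.userApiResponseTokens.get("scope"));
        if (addedFromResponse) {
            return;
        }
        String configuredScope = socialLoginConfig.getScope();
        if (configuredScope != null) {
            addNonNullNonEmptyCustomProperty(hashtable, "scope", configuredScope);
        }
    }

    /**
     * Adds the encrypted form of the access token.
     *
     * @param str the raw access token to encrypt
     * @throws SocialLoginException wrapping the encryption failure with the configuration id and message
     */
    @FFDCIgnore({SocialLoginException.class})
    void addEncryptedAccessTokenCustomProp(Hashtable<String, Object> hashtable, SocialLoginConfig socialLoginConfig, String str) throws SocialLoginException {
        try {
            addNonNullNonEmptyCustomProperty(hashtable, ClientConstants.ENCRYPTED_TOKEN, this.taiEncryptionUtils.getEncryptedAccessToken(socialLoginConfig, str));
        } catch (SocialLoginException e) {
            throw new SocialLoginException("ERROR_GETTING_ENCRYPTED_ACCESS_TOKEN", e, new Object[]{socialLoginConfig.getUniqueId(), e.getLocalizedMessage()});
        }
    }

    /** Adds the digest alias of the access token, which doubles as a cache key in {@link #buildSubject}. */
    void addAccessTokenAliasCustomProp(Hashtable<String, Object> hashtable, String str) {
        addNonNullNonEmptyCustomProperty(hashtable, ClientConstants.ACCESS_TOKEN_ALIAS, SocialHashUtils.digest(str));
    }

    /**
     * Creates the cache token for this access token, attaching the ID token from the token
     * response when a non-blank one is present.
     */
    CacheToken createCacheToken(SocialLoginConfig socialLoginConfig) {
        CacheToken cacheToken = new CacheToken(this.accessToken, socialLoginConfig.getUniqueId());
        String idToken = null;
        if (this.userApiResponseTokens != null) {
            idToken = (String) this.userApiResponseTokens.get(ClientConstants.ID_TOKEN);
        }
        if (idToken != null && !idToken.trim().isEmpty()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Caching ID token", new Object[0]);
            }
            cacheToken.setIdToken(idToken);
        }
        return cacheToken;
    }

    /** Formats the access id as {@code user:<realm>/<mapped unique user>}. */
    private String getUserAccessId(AttributeToSubject attributeToSubject, String realm) {
        return "user:" + realm + "/" + attributeToSubject.getMappedUniqueUser();
    }

    /**
     * Prefixes every mapped group with {@code group:<realm>/}.
     *
     * @return the prefixed groups; empty when no groups were mapped
     */
    private List<String> getGroupsListWithRealm(AttributeToSubject attributeToSubject, String realm) {
        List<String> groupsWithRealm = new ArrayList<>();
        List<String> mappedGroups = attributeToSubject.getMappedGroups();
        if (mappedGroups != null) {
            for (String group : mappedGroups) {
                groupsWithRealm.add("group:" + realm + "/" + group);
            }
        }
        return groupsWithRealm;
    }

    /** Resolves the authorization endpoint, logging and returning null when it cannot be obtained. */
    @FFDCIgnore({SocialLoginException.class})
    private String getAuthorizationEndpoint(SocialLoginConfig socialLoginConfig) {
        try {
            return this.taiWebUtils.getAuthorizationEndpoint(socialLoginConfig);
        } catch (SocialLoginException e) {
            e.logErrorMessage();
            return null;
        }
    }

    /** True when the endpoint is non-null and longer than the {@code https://} prefix. */
    private boolean isValidAuthorizationEndpoint(String authorizationEndpoint) {
        return authorizationEndpoint != null && authorizationEndpoint.length() > "https://".length();
    }

    /**
     * Returns the endpoint up to (excluding) the first slash after the scheme, i.e. scheme plus
     * host, or the whole endpoint when there is no such slash.
     */
    private String extractRealmFromAuthorizationEndpoint(String authorizationEndpoint) {
        // NOTE(review): the prefix length is always that of "https://", even for an "http://" endpoint — confirm intended.
        int prefixLength = "https://".length();
        int firstSlash = authorizationEndpoint.substring(prefixLength).indexOf('/');
        // A slash at index 0 (empty host) keeps the whole endpoint, as before.
        return firstSlash > 0 ? authorizationEndpoint.substring(0, firstSlash + prefixLength) : authorizationEndpoint;
    }

    /**
     * Stores {@code value} under {@code key} unless it is null or blank.
     *
     * @return true if the property was added
     */
    private boolean addNonNullNonEmptyCustomProperty(Hashtable<String, Object> hashtable, String key, String value) {
        if (value == null || value.trim().isEmpty()) {
            return false;
        }
        hashtable.put(key, value);
        return true;
    }
}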
