package com.ibm.ws.security.social.internal.utils;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.jwt.JwtBuilder;
import com.ibm.websphere.security.jwt.JwtToken;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.social.SocialLoginConfig;
import com.ibm.ws.security.social.error.SocialLoginException;
import com.ibm.ws.security.social.internal.Oauth2LoginConfigImpl;
import com.ibm.ws.webcontainer.internalRuntimeExport.srt.IPrivateRequestAttributes;
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.SSLSocketFactory;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.http.Header;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.ParseException;
import org.apache.http.StatusLine;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;
import org.jose4j.json.JsonUtil;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.lang.JoseException;

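/**
 * OAuth 2.0 client helper for the social login feature: exchanges authorization codes for
 * tokens, calls token-introspection and user-API endpoints, and turns JSON / JWT payloads into
 * {@link JwtToken} objects.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 * <li>{@link #createJwtToken(String)} and {@link #parseJwtWithoutValidation(String, long)} read JWT
 * claims with signature verification and every claim validator switched off. They are only safe
 * on tokens that have already been validated elsewhere.</li>
 * <li>{@link #getUserApi} always places the access token in the request URL as the
 * {@code access_token} query parameter, so the token appears wherever the full URL is recorded.</li>
 * <li>{@link #getTokensFromAuthzCode} writes the raw token-endpoint response body to the warning
 * log when the body is not JSON.</li>
 * <li>Parameters carrying secrets are annotated {@link Sensitive}; that annotation comes from the
 * trace (ras) annotation package. Keep it on any new parameter that carries a secret.</li>
 * </ul>
 *
 * <p>The parameter names ({@code str}, {@code z}, ...) are decompiler output (see the "loaded from"
 * marker below); each method's Javadoc states what can be established about them from their use.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/security/social/internal/utils/OAuthClientUtil.class */
public class OAuthClientUtil {
    // Not referenced anywhere in this class, and the class does not implement Serializable.
    private static final long serialVersionUID = 1;
    private static final TraceComponent tc = Tr.register(OAuthClientUtil.class, "SOCIAL", "com.ibm.ws.security.social.resources.SocialMessages");
    public static final String ERROR = "error";
    public static final String ERROR_DESCRIPTION = "error_description";

    // Compiled once: Pattern instances are immutable and safe to share between threads.
    private static final Pattern ERROR_DESCRIPTION_PATTERN = Pattern.compile("(?:.*[^a-zA-Z0-9])?error_description=(.*)");

    // Headers for requests that only need "Accept: application/json".
    private final List<NameValuePair> commonHeaders = new ArrayList<NameValuePair>();
    // Headers for form-encoded POSTs: Accept plus Content-Type.
    private final List<NameValuePair> commonPostHeaders = new ArrayList<NameValuePair>();
    // Package-private so a different HTTP helper can be supplied through init().
    OAuthClientHttpUtil httpUtil = null;

    /** Populates the default header lists and binds the shared {@link OAuthClientHttpUtil} instance. */
    public OAuthClientUtil() {
        this.commonHeaders.add(new BasicNameValuePair("Accept", "application/json"));
        this.commonPostHeaders.add(new BasicNameValuePair("Accept", "application/json"));
        this.commonPostHeaders.add(new BasicNameValuePair("Content-Type", "application/x-www-form-urlencoded"));
        init(OAuthClientHttpUtil.getInstance());
    }

    /** Replaces the HTTP helper used for all outgoing requests. */
    void init(OAuthClientHttpUtil oAuthClientHttpUtil) {
        this.httpUtil = oAuthClientHttpUtil;
    }

    /** Returns the live (mutable) list of default request headers, not a copy. */
    final List<NameValuePair> getCommonHeaders() {
        return this.commonHeaders;
    }

    /**
     * Posts an authorization-code grant to the token endpoint and returns the parsed JSON response.
     *
     * <p>An <em>empty map</em> is returned (no exception) when no token payload can be extracted
     * from the response or when the payload is not JSON, so callers must treat an empty result as
     * a failed exchange.
     *
     * @param str token endpoint URL; must be non-empty and pass
     *            {@code SocialUtil.validateEndpointWithQuery}
     * @param str2 client id; a missing value is logged and replaced by ""
     * @param str3 client secret; a missing value is logged and replaced by ""
     * @param str4 redirect URI, sent when non-null
     * @param str5 authorization code, sent when non-null
     * @param str6 grant type, sent when non-null
     * @param sSLSocketFactory socket factory handed to the HTTP helper
     * @param z passed through to the HTTP helper; its meaning is not visible in this class
     * @param str7 client authentication method; only {@code "client_secret_post"} causes the client
     *            id and secret to be added to the form body
     * @param str8 value for the {@code Oauth2LoginConfigImpl.KEY_resource} parameter, sent when non-null
     * @param z2 passed through to the HTTP helper; its meaning is not visible in this class
     * @return the parsed token response, or an empty map on a missing / non-JSON response
     * @throws SocialLoginException if the endpoint is null or empty; the HTTP helper may also throw it
     */
    public Map<String, Object> getTokensFromAuthzCode(String str, String str2, @Sensitive String str3, String str4, String str5, String str6, SSLSocketFactory sSLSocketFactory, boolean z, String str7, String str8, boolean z2) throws SocialLoginException {
        if (str == null || str.isEmpty()) {
            throw new SocialLoginException("TOKEN_ENDPOINT_NULL_OR_EMPTY", null, new Object[0]);
        }
        SocialUtil.validateEndpointWithQuery(str);
        // Missing credentials are only warned about; the request is still sent with empty values.
        if (str2 == null || str2.isEmpty()) {
            Tr.warning(tc, "OUTGOING_REQUEST_MISSING_PARAMETER", new Object[]{str, ClientConstants.CLIENT_ID});
            str2 = "";
        }
        if (str3 == null || str3.isEmpty()) {
            Tr.warning(tc, "OUTGOING_REQUEST_MISSING_PARAMETER", new Object[]{str, ClientConstants.CLIENT_SECRET});
            str3 = "";
        }
        List<NameValuePair> formParams = new ArrayList<NameValuePair>();
        if (str6 != null) {
            formParams.add(new BasicNameValuePair(ClientConstants.GRANT_TYPE, str6));
        }
        if (str8 != null) {
            formParams.add(new BasicNameValuePair(Oauth2LoginConfigImpl.KEY_resource, str8));
        }
        if (str4 != null) {
            formParams.add(new BasicNameValuePair(ClientConstants.REDIRECT_URI, str4));
        }
        if (str5 != null) {
            formParams.add(new BasicNameValuePair(ClientConstants.CODE, str5));
        }
        addClientCredentialsForPostAuth(formParams, str7, str2, str3);
        Map<String, Object> postResponse = this.httpUtil.postToEndpoint(str, formParams, str2, str3, null, sSLSocketFactory, this.commonPostHeaders, z, str7, z2);
        String tokenPayload = this.httpUtil.extractTokensFromResponse(postResponse);
        if (tokenPayload == null) {
            Tr.warning(tc, "POST_RESPONSE_NULL", new Object[]{str, postResponse});
            return new HashMap<String, Object>();
        }
        try {
            return JsonUtil.parseJson(tokenPayload);
        } catch (JoseException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.social.internal.utils.OAuthClientUtil", "148", this, new Object[]{str, str2, "<sensitive java.lang.String>", str4, str5, str6, sSLSocketFactory, Boolean.valueOf(z), str7, str8, Boolean.valueOf(z2)});
            // NOTE(review): the raw response body is written to the warning log here. A token
            // endpoint that answers in a non-JSON format would have its tokens logged verbatim;
            // consider logging only the parse error, or a redacted form of the body.
            Tr.warning(tc, "ENDPOINT_RESPONSE_NOT_JSON", new Object[]{str, e.getMessage(), tokenPayload});
            return new HashMap<String, Object>();
        }
    }

    /**
     * Sends a token to the introspection endpoint (via {@link #postToCheckTokenEndpoint}).
     *
     * @param str endpoint URL, passed through unchanged (no validation happens in this method)
     * @param str2 client id
     * @param str3 client secret
     * @param str4 token to check; added to the form body when non-null
     * @param z passed through to the HTTP helper; its meaning is not visible in this class
     * @param str5 client authentication method; only {@code "client_secret_post"} adds the client
     *            id and secret to the form body
     * @param sSLSocketFactory socket factory handed to the HTTP helper
     * @param z2 passed through to the HTTP helper; its meaning is not visible in this class
     * @return the response map produced by the HTTP helper
     * @throws SocialLoginException propagated from the HTTP helper
     */
    public Map<String, Object> checkToken(String str, String str2, @Sensitive String str3, @Sensitive String str4, boolean z, String str5, SSLSocketFactory sSLSocketFactory, boolean z2) throws SocialLoginException {
        List<NameValuePair> formParams = new ArrayList<NameValuePair>();
        if (str4 != null) {
            formParams.add(new BasicNameValuePair(ClientConstants.TOKEN, str4));
        }
        addClientCredentialsForPostAuth(formParams, str5, str2, str3);
        return postToCheckTokenEndpoint(str, formParams, str2, str3, z, str5, sSLSocketFactory, z2);
    }

    /**
     * Adds the client id and secret to the form body only for the {@code client_secret_post} method.
     * The secret parameter keeps the {@link Sensitive} annotation that the public callers put on it.
     */
    private static void addClientCredentialsForPostAuth(List<NameValuePair> formParams, String authMethod, String clientId, @Sensitive String clientSecret) {
        if ("client_secret_post".equals(authMethod)) {
            formParams.add(new BasicNameValuePair(ClientConstants.CLIENT_ID, clientId));
            formParams.add(new BasicNameValuePair(ClientConstants.CLIENT_SECRET, clientSecret));
        }
    }

    /**
     * Issues a GET to the user API endpoint with the access token as a query parameter.
     *
     * <p>NOTE(review): the token is placed in the URL as {@code access_token=...} even when
     * {@code z2} also causes it to be sent as a Bearer header (see {@link #getFromEndpoint}).
     * Tokens in URLs end up wherever the full request URL is recorded; if the provider accepts
     * the header alone, the query parameter could be dropped in that case.
     *
     * @param str user API endpoint URL
     * @param str2 access token; omitted from the query when null
     * @param sSLSocketFactory socket factory handed to the HTTP helper
     * @param z passed through to the HTTP helper; its meaning is not visible in this class
     * @param z2 when true, the {@code x-li-format} and Bearer authorization headers are added
     * @param z3 passed through to the HTTP helper; {@link #getUserApiAsJwtToken} supplies the
     *           "use system properties for HTTP client connections" config value here
     * @return map holding the raw HTTP response and the request object
     */
    public Map<String, Object> getUserApi(String str, @Sensitive String str2, SSLSocketFactory sSLSocketFactory, boolean z, boolean z2, boolean z3) throws Exception {
        List<NameValuePair> queryParams = new ArrayList<NameValuePair>();
        if (str2 != null) {
            queryParams.add(new BasicNameValuePair("access_token", str2));
        }
        return getFromUserApiEndpoint(str, queryParams, str2, sSLSocketFactory, z, z2, z3);
    }

    /** Calls the user API and returns the response body as a string; may return {@code null}. */
    public String getUserApiResponse(String str, @Sensitive String str2, SSLSocketFactory sSLSocketFactory, boolean z, boolean z2, boolean z3) throws Exception {
        Map<String, Object> responseMap = getUserApi(str, str2, sSLSocketFactory, z, z2, z3);
        return getJsonStringResponse(responseMap, str);
    }

    /**
     * Calls the user API and builds a {@link JwtToken} whose claims come from the JSON response.
     *
     * @throws SocialLoginException with {@code USERAPI_NULL_RESP_STR} when no response body was obtained
     */
    public JwtToken getUserApiAsJwtToken(String str, @Sensitive String str2, SSLSocketFactory sSLSocketFactory, boolean z, SocialLoginConfig socialLoginConfig) throws Exception {
        Map<String, Object> responseMap = getUserApi(str, str2, sSLSocketFactory, z, socialLoginConfig.getUserApiNeedsSpecialHeader(), socialLoginConfig.getUseSystemPropertiesForHttpClientConnections());
        String body = getJsonStringResponse(responseMap, str);
        if (body == null) {
            throw new SocialLoginException("USERAPI_NULL_RESP_STR", null, new Object[]{str});
        }
        return createJwtTokenFromJson(body, socialLoginConfig.getJwtRef());
    }

    /**
     * Extracts the response body from a response map produced by {@link #getFromEndpoint}.
     *
     * @param map response map; {@code null}, or a map without the response entry, yields {@code null}
     * @param str endpoint URL, used only in error messages
     * @return the body text, or {@code null} when there is no response or no entity
     * @throws SocialLoginException if the response is an error response (see {@link #handleError})
     *         or the body cannot be read
     */
    protected String getJsonStringResponse(Map<String, Object> map, String str) throws SocialLoginException {
        if (map == null || !map.containsKey(ClientConstants.RESPONSEMAP_CODE)) {
            return null;
        }
        HttpResponse httpResponse = (HttpResponse) map.get(ClientConstants.RESPONSEMAP_CODE);
        if (isErrorResponse(httpResponse)) {
            // Throws for every non-null response; only a null response falls through to the return.
            handleError(httpResponse, str);
            return null;
        }
        HttpEntity entity = httpResponse.getEntity();
        if (entity == null) {
            return null;
        }
        try {
            return EntityUtils.toString(entity);
        } catch (IOException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.social.internal.utils.OAuthClientUtil", "226", this, new Object[]{map, str});
            throw new SocialLoginException("USERAPI_RESP_PROCESS_ERR", e, new Object[]{str, e.getLocalizedMessage()});
        } catch (ParseException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.social.internal.utils.OAuthClientUtil", "224", this, new Object[]{map, str});
            throw new SocialLoginException("USERAPI_RESP_PROCESS_ERR", e2, new Object[]{str, e2.getLocalizedMessage()});
        }
    }

    /**
     * Converts an error response from the user API into a {@link SocialLoginException}.
     *
     * <p>Returns normally only when {@code httpResponse} is {@code null}. In every other case an
     * exception is thrown.
     *
     * <p>NOTE(review): the {@code USERAPI_RESP_INVALID_STATUS} exception is raised inside the
     * {@code try}, so the {@code catch (Exception)} below also catches it. Callers therefore always
     * receive {@code USERAPI_ERROR_RESPONSE}, with the status-specific exception (or a body
     * read / JSON parse failure) as its cause. Left unchanged because callers may depend on the
     * outer message.
     *
     * @param httpResponse the error response, may be {@code null}
     * @param str endpoint URL, used only in error messages
     */
    void handleError(HttpResponse httpResponse, String str) throws SocialLoginException {
        if (httpResponse == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "HttpResponse is null so nothing to do", new Object[0]);
            }
            return;
        }
        try {
            int statusCode;
            StatusLine statusLine = httpResponse.getStatusLine();
            if (statusLine == null) {
                statusCode = 403;
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "StatusLine object not returned from response, so defaulting to status code of 403", new Object[0]);
                }
            } else {
                statusCode = statusLine.getStatusCode();
            }
            Object error = null;
            String errorDescription;
            String body = EntityUtils.toString(httpResponse.getEntity());
            if (body != null) {
                // The body comes from the remote endpoint and is traced verbatim at debug level.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "error response from the user api ep: ", new Object[]{body});
                }
                Map<String, Object> errorJson = JsonUtil.parseJson(body);
                error = errorJson.get(ERROR);
                errorDescription = (String) errorJson.get(ERROR_DESCRIPTION);
                if (error == null && errorDescription == null) {
                    // JSON without either standard field: report the whole body as the error.
                    error = body;
                }
            } else {
                Header challenge = httpResponse.getFirstHeader("WWW-Authenticate");
                errorDescription = extractErrorDescription(challenge == null ? null : challenge.getValue());
            }
            throw new SocialLoginException("USERAPI_RESP_INVALID_STATUS", null, new Object[]{str, Integer.valueOf(statusCode), error, errorDescription});
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.social.internal.utils.OAuthClientUtil", "291", this, new Object[]{httpResponse, str});
            throw new SocialLoginException("USERAPI_ERROR_RESPONSE", e, new Object[]{str, e.getLocalizedMessage()});
        }
    }

    /**
     * Pulls the {@code error_description} value out of a header value such as a
     * {@code WWW-Authenticate} challenge.
     *
     * @param str header value, may be {@code null}
     * @return {@code null} for {@code null} input; the input unchanged when it contains no
     *         {@code error_description=} in the expected form; otherwise everything after
     *         {@code error_description=} with one pair of surrounding double quotes removed
     */
    protected String extractErrorDescription(String str) {
        if (str == null) {
            return null;
        }
        Matcher matcher = ERROR_DESCRIPTION_PATTERN.matcher(str);
        if (!matcher.matches()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Response did not appear to contain an error description formatted as expected. Returning response as-is", new Object[0]);
            }
            return str;
        }
        // The pattern has exactly one capturing group, so group(1) is always defined on a match.
        String description = matcher.group(1);
        if (description != null && description.length() > 1 && description.charAt(0) == '\"' && description.charAt(description.length() - 1) == '\"') {
            description = description.substring(1, description.length() - 1);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Extracted description: [" + description + "]", new Object[0]);
        }
        return description;
    }

    /**
     * Reports whether a response must be treated as an error: anything other than a status line
     * with code 200. A {@code null} response also counts as an error, so that it reaches the
     * null branch of {@link #handleError} instead of failing here with a NullPointerException.
     */
    boolean isErrorResponse(HttpResponse httpResponse) {
        if (httpResponse == null) {
            return true;
        }
        StatusLine statusLine = httpResponse.getStatusLine();
        return statusLine == null || statusLine.getStatusCode() != 200;
    }

    /** Builds a {@link JwtToken} from a JSON claims string using the builder named by the config's {@code jwtRef}. */
    public JwtToken getJwtTokenFromJson(String str, SocialLoginConfig socialLoginConfig) throws Exception {
        return createJwtTokenFromJson(str, socialLoginConfig.getJwtRef());
    }

    /**
     * Builds a {@link JwtToken} whose claims are taken from the given JSON string.
     *
     * @param str JSON claims document
     * @param str2 id passed to {@code JwtBuilder.create}
     */
    protected JwtToken createJwtTokenFromJson(String str, String str2) throws Exception {
        return JwtBuilder.create(str2).claimFrom(str).buildJwt();
    }

    /**
     * Re-issues the claims of an existing JWT as a new {@link JwtToken} from the default builder.
     *
     * <p>The input is parsed by {@link #parseJwtWithoutValidation}: neither its signature nor any
     * of its claims is checked here. Pass in only a token that has already been validated; the
     * returned token carries no sign that its claims were copied unverified. Where (or whether)
     * that validation happens is not visible in this class.
     *
     * @param str compact-serialized JWT
     */
    public JwtToken createJwtToken(String str) throws Exception {
        JwtContext unverified = parseJwtWithoutValidation(str, 180L);
        return JwtBuilder.create().claim(unverified.getJwtClaims().getClaimsMap()).buildJwt();
    }

    /**
     * Decodes a JWT with all validators skipped, signatures not required and signature
     * verification turned off. The result is untrusted data.
     *
     * @param str compact-serialized JWT
     * @param j clock skew, divided by 1000 before being set as seconds (so presumably
     *          milliseconds); {@link #createJwtToken} passes 180, which integer division turns into 0
     */
    protected JwtContext parseJwtWithoutValidation(String str, long j) throws Exception {
        return new JwtConsumerBuilder()
                .setSkipAllValidators()
                .setDisableRequireSignature()
                .setSkipSignatureVerification()
                .setAllowedClockSkewInSeconds((int) (j / 1000))
                .build()
                .process(str);
    }

    /**
     * POSTs to a token endpoint through the HTTP helper. Unlike {@link #getTokensFromAuthzCode},
     * this sends {@code commonHeaders}, the list without the form Content-Type header.
     */
    Map<String, Object> postToTokenEndpoint(String str, @Sensitive List<NameValuePair> list, String str2, @Sensitive String str3, SSLSocketFactory sSLSocketFactory, boolean z, String str4, boolean z2) throws Exception {
        return this.httpUtil.postToEndpoint(str, list, str2, str3, null, sSLSocketFactory, this.commonHeaders, z, str4, z2);
    }

    /** Sends a GET to a token endpoint through the HTTP helper, using {@code commonHeaders}. */
    Map<String, Object> getToTokenEndpoint(String str, @Sensitive List<NameValuePair> list, String str2, @Sensitive String str3, SSLSocketFactory sSLSocketFactory, boolean z, String str4, boolean z2) throws Exception {
        return this.httpUtil.getToEndpoint(str, list, str2, str3, null, sSLSocketFactory, this.commonHeaders, z, str4, z2);
    }

    /** POSTs to the introspection endpoint through the HTTP helper, using {@code commonHeaders}. */
    Map<String, Object> postToCheckTokenEndpoint(String str, @Sensitive List<NameValuePair> list, String str2, @Sensitive String str3, boolean z, String str4, SSLSocketFactory sSLSocketFactory, boolean z2) throws SocialLoginException {
        return this.httpUtil.postToIntrospectEndpoint(str, list, str2, str3, null, sSLSocketFactory, this.commonHeaders, z, str4, z2);
    }

    /** Calls {@link #getFromEndpoint} without client credentials, passing the access token along. */
    Map<String, Object> getFromUserApiEndpoint(String str, @Sensitive List<NameValuePair> list, @Sensitive String str2, SSLSocketFactory sSLSocketFactory, boolean z, boolean z2, boolean z3) throws ClientProtocolException, IOException, SocialLoginException {
        return getFromEndpoint(str, list, null, null, str2, sSLSocketFactory, z, z2, z3);
    }

    /**
     * Executes a GET against {@code str} with {@code list} appended as URL-encoded query parameters.
     *
     * <p>The endpoint is first passed to {@code SocialUtil.validateEndpointWithQuery}; what that
     * check enforces (for example an HTTPS scheme) is not visible in this class.
     *
     * @param str endpoint URL, may already contain a query string
     * @param list query parameters; {@code null} is treated as empty
     * @param str2 when non-null, the HTTP client is created with {@code str2} / {@code str3}
     *             (presumably client id and secret for HTTP authentication; confirm in
     *             {@code OAuthClientHttpUtil.createHTTPClient})
     * @param str3 see {@code str2}
     * @param str4 access token used for the Bearer header when {@code z2} is true
     * @param sSLSocketFactory socket factory handed to the HTTP helper
     * @param z passed through to the HTTP helper; its meaning is not visible in this class
     * @param z2 when true, adds {@code x-li-format: json} and {@code Authorization: Bearer <token>}
     * @param z3 passed through to the HTTP helper
     * @return map with the raw {@link HttpResponse} under {@code RESPONSEMAP_CODE} and the
     *         request under {@code RESPONSEMAP_METHOD}
     */
    Map<String, Object> getFromEndpoint(String str, @Sensitive List<NameValuePair> list, String str2, @Sensitive String str3, @Sensitive String str4, SSLSocketFactory sSLSocketFactory, boolean z, boolean z2, boolean z3) throws ClientProtocolException, IOException, SocialLoginException {
        SocialUtil.validateEndpointWithQuery(str);
        List<NameValuePair> queryParams = (list != null) ? list : new ArrayList<NameValuePair>();
        String query = URLEncodedUtils.format(queryParams, "UTF-8");
        String url = str;
        if (query != null && !query.isEmpty()) {
            if (!url.endsWith("?")) {
                url = url.contains("?") ? url + "&" : url + "?";
            }
            url = url + query;
        }
        HttpGet httpGet = new HttpGet(url);
        for (NameValuePair header : this.commonHeaders) {
            httpGet.addHeader(header.getName(), header.getValue());
        }
        if (z2) {
            httpGet.addHeader("x-li-format", "json");
            // NOTE(review): a null token produces the literal header value "Bearer null".
            httpGet.addHeader(ClientConstants.AUTHORIZATION, "Bearer " + str4);
        }
        // The full URL, including any access_token query parameter, is also handed to createHTTPClient.
        HttpResponse response = (str2 != null ? this.httpUtil.createHTTPClient(sSLSocketFactory, url, z, str2, str3, z3) : this.httpUtil.createHTTPClient(sSLSocketFactory, url, z, z3)).execute(httpGet);
        Map<String, Object> result = new HashMap<String, Object>();
        result.put(ClientConstants.RESPONSEMAP_CODE, response);
        result.put(ClientConstants.RESPONSEMAP_METHOD, httpGet);
        return result;
    }

    /**
     * Reads the {@code SecurityRedirectPort} private attribute from the innermost (unwrapped) request.
     *
     * @return the attribute value, or {@code null} when the unwrapped request does not implement
     *         {@link IPrivateRequestAttributes}
     */
    protected Integer getRedirectPortFromRequest(HttpServletRequest httpServletRequest) {
        HttpServletRequest unwrapped = getWrappedServletRequestObject(httpServletRequest);
        if (unwrapped instanceof IPrivateRequestAttributes) {
            return (Integer) ((IPrivateRequestAttributes) unwrapped).getPrivateAttribute("SecurityRedirectPort");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getRedirectUrl called for non-IPrivateRequestAttributes object", new Object[]{httpServletRequest});
        }
        return null;
    }

    /** Peels off every {@link HttpServletRequestWrapper} layer and returns the innermost request. */
    private static HttpServletRequest getWrappedServletRequestObject(HttpServletRequest httpServletRequest) {
        HttpServletRequest current = httpServletRequest;
        while (current instanceof HttpServletRequestWrapper) {
            ServletRequest inner = ((HttpServletRequestWrapper) current).getRequest();
            current = (HttpServletRequest) inner;
        }
        return current;
    }
}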
