package com.ibm.ws.webcontainer.security.extended;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.audit.AuditEvent;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.authentication.tai.TAIService;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.AuthenticationResult;
import com.ibm.ws.webcontainer.security.ProviderAuthenticationResult;
import com.ibm.ws.webcontainer.security.ReferrerURLCookieHandler;
import com.ibm.ws.webcontainer.security.SSOCookieHelper;
import com.ibm.ws.webcontainer.security.WebAppSecurityConfig;
import com.ibm.ws.webcontainer.security.WebAuthenticator;
import com.ibm.ws.webcontainer.security.WebProviderAuthenticatorHelper;
import com.ibm.ws.webcontainer.security.WebProviderAuthenticatorProxy;
import com.ibm.ws.webcontainer.security.WebRequest;
import com.ibm.ws.webcontainer.security.WebRequestImpl;
import com.ibm.ws.webcontainer.security.internal.SSOAuthenticator;
import com.ibm.ws.webcontainer.security.internal.TAIAuthenticator;
import com.ibm.ws.webcontainer.security.oauth20.OAuth20Service;
import com.ibm.ws.webcontainer.security.openid20.OpenidClientService;
import com.ibm.ws.webcontainer.security.openidconnect.OidcClient;
import com.ibm.ws.webcontainer.security.openidconnect.OidcServer;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import com.ibm.wsspi.security.token.SingleSignonToken;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.openjpa.persistence.query.AbstractVisitable;

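/**
 * Web authenticator proxy that extends the base provider chain with OAuth 2.0, SPNEGO,
 * OpenID 2.0 client and OpenID Connect client handling, plus OIDC-server-aware SSO cookie
 * helpers for the TAI and SSO authenticators.
 *
 * <p>Decompiled from {@code wlp/lib/com.ibm.ws.webcontainer.security.provider_1.0.18.jar}
 * ({@code com/ibm/ws/webcontainer/security/extended/WebProviderAuthenticatorProxyExtended.class}).
 * The {@code @InjectedFFDC} and {@code @TraceObjectField} annotations are build-time
 * instrumentation markers carried over from the bytecode.
 *
 * <p>Convention used by every {@code handleXxx} step: the returned {@link AuthenticationResult}
 * has status {@link AuthResult#CONTINUE} when that provider did not claim the request, so the
 * chain in {@link #authenticate(WebRequest)} stops at the first non-CONTINUE result.
 * Audit credential types are only stamped on non-CONTINUE results, which is what keeps the
 * shared {@code *_CONT} instances below safe to reuse across requests.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class WebProviderAuthenticatorProxyExtended extends WebProviderAuthenticatorProxy {
    private static final TraceComponent tc = Tr.register(WebProviderAuthenticatorProxyExtended.class);

    /** Key of the access token inside a credential map placed on the subject by the OIDC client. */
    private static final String ACCESS_TOKEN_ATTRIBUTE = "access_token";

    /** Provider bundle names; kept package-visible as in the original, not referenced within this class. */
    static final List<String> authenticatorOdering = Collections.unmodifiableList(Arrays.asList("com.ibm.ws.security.spnego", "com.ibm.ws.security.openid"));

    // Shared CONTINUE results, one per provider. They are never mutated: setAuditCredType is
    // applied only to results whose status is not CONTINUE.
    AuthenticationResult OAUTH_CONT = new AuthenticationResult(AuthResult.CONTINUE, "OAuth service said continue...");
    AuthenticationResult OPENID_CLIENT_CONT = new AuthenticationResult(AuthResult.CONTINUE, "OpenID client service said continue...");
    AuthenticationResult OIDC_SERVER_CONT = new AuthenticationResult(AuthResult.CONTINUE, "OpenID Connect server said continue...");
    AuthenticationResult OIDC_CLIENT_CONT = new AuthenticationResult(AuthResult.CONTINUE, "OpenID Connect client said continue...");
    AuthenticationResult SPNEGO_CONT = new AuthenticationResult(AuthResult.CONTINUE, "SPNEGO said continue...");

    private final AtomicServiceReference<OAuth20Service> oauthServiceRef;
    private final AtomicServiceReference<OpenidClientService> openIdClientServiceRef;
    private final AtomicServiceReference<OidcServer> oidcServerRef;
    private final AtomicServiceReference<OidcClient> oidcClientRef;
    // Replaceable through setWebProviderAuthenticatorHelper (test seam), hence not final.
    private WebProviderAuthenticatorHelper authHelper;
    private final ReferrerURLCookieHandler referrerURLCookieHandler;
    static final long serialVersionUID = -4962376951919845428L;

    /**
     * Creates the proxy and wires the provider service references.
     *
     * @param securityServiceRef     security service, also used to build the {@link WebProviderAuthenticatorHelper}
     * @param taiServiceRef          TAI service reference, passed to the superclass
     * @param interceptorServiceRef  registered trust association interceptors, passed to the superclass
     * @param webAppSecurityConfig   web application security configuration
     * @param oauthServiceRef        OAuth 2.0 service reference (may hold no service at call time)
     * @param openIdClientServiceRef OpenID 2.0 client service reference
     * @param oidcServerRef          OpenID Connect server reference, used by the SSO cookie helpers
     * @param oidcClientRef          OpenID Connect client reference
     * @param webAuthenticatorRef    additional web authenticators keyed by bundle name (e.g. SPNEGO)
     */
    public WebProviderAuthenticatorProxyExtended(AtomicServiceReference<SecurityService> securityServiceRef, AtomicServiceReference<TAIService> taiServiceRef, ConcurrentServiceReferenceMap<String, TrustAssociationInterceptor> interceptorServiceRef, WebAppSecurityConfig webAppSecurityConfig, AtomicServiceReference<OAuth20Service> oauthServiceRef, AtomicServiceReference<OpenidClientService> openIdClientServiceRef, AtomicServiceReference<OidcServer> oidcServerRef, AtomicServiceReference<OidcClient> oidcClientRef, ConcurrentServiceReferenceMap<String, WebAuthenticator> webAuthenticatorRef) {
        super(securityServiceRef, taiServiceRef, interceptorServiceRef, webAppSecurityConfig, webAuthenticatorRef);
        this.oauthServiceRef = oauthServiceRef;
        this.openIdClientServiceRef = openIdClientServiceRef;
        this.oidcServerRef = oidcServerRef;
        this.oidcClientRef = oidcClientRef;
        this.authHelper = new WebProviderAuthenticatorHelper(securityServiceRef);
        this.referrerURLCookieHandler = new ReferrerURLCookieHandlerExtended(webAppSecurityConfig);
    }

    /**
     * Replaces the helper used to log in subjects produced by the providers.
     *
     * @param webProviderAuthenticatorHelper the helper to use from now on
     */
    public void setWebProviderAuthenticatorHelper(WebProviderAuthenticatorHelper webProviderAuthenticatorHelper) {
        this.authHelper = webProviderAuthenticatorHelper;
    }

    /**
     * Runs the provider chain for a web request and returns the first non-CONTINUE result.
     *
     * <p>Order: TAI (before SSO), OAuth access token, SPNEGO (before SSO), OIDC client
     * (before SSO), SSO cookie, SPNEGO (after SSO), TAI (after SSO), OIDC client (after SSO).
     * {@code handleTAI} and {@code handleSSO} are inherited from the superclass.
     *
     * @param webRequest the request under authentication
     * @return the result of the first provider that did not say CONTINUE, or the last
     *         provider's CONTINUE result when none claimed the request
     */
    @Override
    public AuthenticationResult authenticate(WebRequest webRequest) {
        HttpServletRequest req = webRequest.getHttpServletRequest();
        HttpServletResponse res = webRequest.getHttpServletResponse();

        AuthenticationResult result = handleTAI(webRequest, true);
        if (result.getStatus() != AuthResult.CONTINUE) {
            return result;
        }
        result = handleAccessToken(webRequest);
        if (result.getStatus() != AuthResult.CONTINUE) {
            return result;
        }
        // Providers that run twice check this flag to know which pass they are on.
        webRequest.setCallAfterSSO(false);
        result = handleSpnego(webRequest);
        if (result.getStatus() != AuthResult.CONTINUE) {
            return result;
        }
        result = handleOidcClient(req, res, true);
        if (result.getStatus() != AuthResult.CONTINUE) {
            return result;
        }
        result = handleSSO(webRequest, null);
        if (result.getStatus() != AuthResult.CONTINUE) {
            return result;
        }
        webRequest.setCallAfterSSO(true);
        result = handleSpnego(webRequest);
        if (result.getStatus() != AuthResult.CONTINUE) {
            return result;
        }
        result = handleTAI(webRequest, false);
        if (result.getStatus() != AuthResult.CONTINUE) {
            return result;
        }
        return handleOidcClient(req, res, false);
    }

    /**
     * Delegates JASPI handling to the superclass. Kept as a public override because the
     * compiled class widened the inherited method's access (decompiler note).
     *
     * @param webRequest the request under authentication
     * @param props      JASPI properties forwarded unchanged
     * @return the superclass result
     */
    @Override
    public AuthenticationResult handleJaspi(WebRequest webRequest, HashMap<String, Object> props) {
        return super.handleJaspi(webRequest, props);
    }

    /**
     * Programmatic-login entry point: tries JASPI first, then the OpenID 2.0 client.
     *
     * @param httpServletRequest  the request
     * @param httpServletResponse the response
     * @param props               JASPI properties
     * @return the JASPI result unless it said CONTINUE, in which case the OpenID client result
     * @throws Exception propagated from the OpenID client service
     */
    @Override
    public AuthenticationResult authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HashMap<String, Object> props) throws Exception {
        AuthenticationResult result = handleJaspi(new WebRequestImpl(httpServletRequest, httpServletResponse, null, null, null, null, null), props);
        if (result.getStatus() == AuthResult.CONTINUE) {
            result = handleOpenidClient(httpServletRequest, httpServletResponse);
        }
        return result;
    }

    /**
     * OAuth step of the chain; stamps the OAuth-token audit credential type on any
     * non-CONTINUE result.
     */
    private AuthenticationResult handleAccessToken(WebRequest webRequest) {
        AuthenticationResult result = handleOAuth(webRequest.getHttpServletRequest(), webRequest.getHttpServletResponse());
        if (result.getStatus() != AuthResult.CONTINUE) {
            result.setAuditCredType(AuditEvent.CRED_TYPE_OAUTH_TOKEN);
        }
        return result;
    }

    /**
     * SPNEGO step: looks up the SPNEGO web authenticator by bundle name, and on success logs the
     * returned subject in and writes the SSO cookies. Returns {@link #SPNEGO_CONT} when no SPNEGO
     * authenticator is registered.
     */
    private AuthenticationResult handleSpnego(WebRequest webRequest) {
        AuthenticationResult result = this.SPNEGO_CONT;
        WebAuthenticator spnego = this.webAuthenticatorRef == null ? null : this.webAuthenticatorRef.getService("com.ibm.ws.security.spnego");
        if (spnego != null) {
            result = spnego.authenticate(webRequest);
            if (result.getStatus() == AuthResult.SUCCESS) {
                HttpServletRequest req = webRequest.getHttpServletRequest();
                HttpServletResponse res = webRequest.getHttpServletResponse();
                result = this.authHelper.loginWithHashtable(req, res, result.getSubject());
                if (result.getStatus() == AuthResult.SUCCESS) {
                    this.webAppSecurityConfig.createSSOCookieHelper().addSSOCookiesToResponse(result.getSubject(), req, res);
                }
            }
        }
        if (result.getStatus() != AuthResult.CONTINUE) {
            result.setAuditCredType(AuditEvent.CRED_TYPE_SPNEGO);
        }
        return result;
    }

    /**
     * OpenID 2.0 client step. A request carrying an OpenID identifier is turned into a redirect
     * to the provider; a request carrying an RP request identifier is treated as the provider's
     * response and verified, then the user is logged in.
     *
     * @return {@link #OPENID_CLIENT_CONT} when the service is absent or the request is neither
     *         kind; FAILURE when the provider response does not verify
     * @throws Exception propagated from the OpenID client service
     */
    private AuthenticationResult handleOpenidClient(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        AuthenticationResult result = this.OPENID_CLIENT_CONT;
        OpenidClientService openIdClient = this.openIdClientServiceRef.getService();
        if (openIdClient != null) {
            String openIdIdentifier = openIdClient.getOpenIdIdentifier(httpServletRequest);
            if (openIdIdentifier != null && !openIdIdentifier.isEmpty()) {
                openIdClient.createAuthRequest(httpServletRequest, httpServletResponse);
                result = new AuthenticationResult(AuthResult.REDIRECT_TO_PROVIDER, "OpenID client creates auth request...");
            } else if (openIdClient.getRpRequestIdentifier(httpServletRequest, httpServletResponse) != null) {
                ProviderAuthenticationResult opResponse = openIdClient.verifyOpResponse(httpServletRequest, httpServletResponse);
                if (opResponse.getStatus() != AuthResult.SUCCESS) {
                    // Returned directly, so no audit credential type is stamped on this failure.
                    return new AuthenticationResult(AuthResult.FAILURE, "OpenID client failed with status code " + opResponse.getStatus());
                }
                result = this.authHelper.loginWithUserName(httpServletRequest, httpServletResponse, opResponse.getUserName(), opResponse.getSubject(), opResponse.getCustomProperties(), openIdClient.isMapIdentityToRegistryUser());
            }
        }
        if (result.getStatus() != AuthResult.CONTINUE) {
            result.setAuditCredType(AuditEvent.CRED_TYPE_IDTOKEN);
        }
        return result;
    }

    /**
     * OpenID Connect client step. Runs twice per request: {@code firstCall == true} before the
     * SSO cookie is checked (only if some client is configured to run before SSO) and once more
     * after it.
     *
     * <p>Mapping of the provider result: CONTINUE stays CONTINUE; REDIRECT_TO_PROVIDER becomes
     * REDIRECT with the provider URL; any non-SUCCESS status becomes OAUTH_CHALLENGE when the
     * provider reported HTTP 401 and FAILURE otherwise. On SUCCESS with a user name the user is
     * logged in and, depending on the inbound propagation settings, SSO cookies are written.
     *
     * @param req       the request
     * @param res       the response
     * @param firstCall whether this is the pre-SSO pass
     * @return the mapped result
     */
    private AuthenticationResult handleOidcClient(HttpServletRequest req, HttpServletResponse res, boolean firstCall) {
        OidcClient client = this.oidcClientRef.getService();
        if (client == null) {
            return new AuthenticationResult(AuthResult.CONTINUE, "OpenID Connect client is not available, skipping OpenID Connect client...");
        }
        if (firstCall && !client.anyClientIsBeforeSso()) {
            return this.OIDC_CLIENT_CONT;
        }
        String oidcProvider = client.getOidcProvider(req);
        if (oidcProvider == null) {
            return new AuthenticationResult(AuthResult.CONTINUE, "not an OpenID Connect client request, skipping OpenID Connect client...");
        }
        ProviderAuthenticationResult providerResult = client.authenticate(req, res, oidcProvider, this.referrerURLCookieHandler, firstCall);
        AuthResult status = providerResult.getStatus();
        if (status == AuthResult.CONTINUE) {
            return this.OIDC_CLIENT_CONT;
        }
        if (status == AuthResult.REDIRECT_TO_PROVIDER) {
            return new AuthenticationResult(AuthResult.REDIRECT, providerResult.getRedirectUrl());
        }
        if (status == AuthResult.FAILURE) {
            return 401 == providerResult.getHttpStatusCode()
                    ? new AuthenticationResult(AuthResult.OAUTH_CHALLENGE, "OpenID Connect client failed the request...")
                    : new AuthenticationResult(AuthResult.FAILURE, "OpenID Connect client failed the request...");
        }
        if (status != AuthResult.SUCCESS) {
            String message = "OpenID Connect client returned with status: " + status;
            return 401 == providerResult.getHttpStatusCode()
                    ? new AuthenticationResult(AuthResult.OAUTH_CHALLENGE, message)
                    : new AuthenticationResult(AuthResult.FAILURE, message);
        }
        if (providerResult.getUserName() == null) {
            // SUCCESS without a user name: nothing to log in, treated as CONTINUE.
            return this.OIDC_CLIENT_CONT;
        }

        AuthenticationResult result = this.authHelper.loginWithUserName(req, res, providerResult.getUserName(), providerResult.getSubject(), providerResult.getCustomProperties(), client.isMapIdentityToRegistryUser(oidcProvider));
        if (result.getStatus() == AuthResult.SUCCESS) {
            boolean tokenAuthenticated = isNotNullAndTrue(req, OidcClient.PROPAGATION_TOKEN_AUTHENTICATED);
            // NOTE(review): these attributes are presumably set by the OIDC client on success;
            // a missing Boolean attribute throws NPE on unboxing, unchanged from the original.
            boolean sessionDisabled = ((Boolean) req.getAttribute(OidcClient.AUTHN_SESSION_DISABLED)).booleanValue();
            String inboundValue = (String) req.getAttribute(OidcClient.INBOUND_PROPAGATION_VALUE);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Booleans: firstCall:" + firstCall + " tokenAuthenticated:" + tokenAuthenticated + " SessionDisabled:" + sessionDisabled + " inboundValue:" + inboundValue);
            }
            if (shouldWriteSsoCookies(inboundValue, firstCall, tokenAuthenticated, sessionDisabled)) {
                SSOCookieHelper cookieHelper = this.webAppSecurityConfig.createSSOCookieHelper();
                if (((Boolean) req.getAttribute(OidcClient.ACCESS_TOKEN_IN_LTPA_TOKEN)).booleanValue()) {
                    addAccessTokenToTheCookie(result, cookieHelper);
                }
                cookieHelper.addSSOCookiesToResponse(result.getSubject(), req, res);
            }
        }
        return result;
    }

    /**
     * Decides whether SSO cookies are written after a successful OIDC client login.
     * Cookies are written for inbound propagation "none" on the post-SSO pass, for "required"
     * unless the authentication session is disabled, and for {@code OidcClient.inboundSupported}
     * on the post-SSO pass when the request was not authenticated by a propagated token.
     */
    private static boolean shouldWriteSsoCookies(String inboundValue, boolean firstCall, boolean tokenAuthenticated, boolean sessionDisabled) {
        return ("none".equals(inboundValue) && !firstCall)
                || ("required".equals(inboundValue) && !sessionDisabled)
                || (OidcClient.inboundSupported.equals(inboundValue) && !tokenAuthenticated && !firstCall);
    }

    /**
     * Copies the access token found in the subject's credentials onto the default SSO token so
     * it travels with the LTPA cookie. Does nothing when the subject, the access token or the
     * SSO token is absent.
     *
     * <p>The access token is a bearer credential, so trace output records only whether one was
     * found, never its value.
     */
    private void addAccessTokenToTheCookie(AuthenticationResult authenticationResult, SSOCookieHelper cookieHelper) {
        Subject subject = authenticationResult.getSubject();
        if (subject == null) {
            return;
        }
        String accessToken = getAccessTokenFromTheSubject(subject, ACCESS_TOKEN_ATTRIBUTE);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "access token found in the subject = " + (accessToken != null));
        }
        SingleSignonToken ssoToken = cookieHelper.getDefaultSSOTokenFromSubject(subject);
        if (accessToken == null || ssoToken == null) {
            return;
        }
        ssoToken.addAttribute(OidcClient.OIDC_ACCESS_TOKEN, accessToken);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Successfully added the access token to the single sign on token");
        }
    }

    /**
     * Looks an attribute up in the subject's public credentials first, then in its private
     * credentials when the public lookup yields nothing.
     *
     * @param subject       the authenticated subject
     * @param attributeName the key to look up in the credential maps
     * @return the attribute value as a string, or {@code null} when not found or when the
     *         privileged lookup fails (the failure is traced, not propagated)
     */
    @FFDCIgnore({PrivilegedActionException.class})
    static String getAccessTokenFromTheSubject(Subject subject, String attributeName) {
        String value = null;
        try {
            value = getCredentialAttribute(subject.getPublicCredentials(), attributeName, "publicCredentials");
            if (value == null || value.isEmpty()) {
                value = getCredentialAttribute(subject.getPrivateCredentials(), attributeName, "privateCredentials");
            }
        } catch (PrivilegedActionException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Did not find a value for the attribute (" + attributeName + ")");
            }
        }
        return value;
    }

    /**
     * Scans a credential set under a privileged action and returns the named attribute from the
     * first {@link Map} credential that also carries an {@code access_token} entry.
     *
     * @param credentials       the subject's public or private credential set
     * @param attributeName     the key to return
     * @param credentialSetName label used in trace output only
     * @return the attribute's {@code toString()}, or {@code null} when no matching map holds it
     * @throws PrivilegedActionException if the privileged scan throws
     */
    static String getCredentialAttribute(final Set<Object> credentials, final String attributeName, final String credentialSetName) throws PrivilegedActionException {
        // The build-time trace instrumentation adds synthetic serialVersionUID / trace fields to
        // this anonymous class; they are not part of the source and are omitted here.
        Object value = AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
            @Override
            public Object run() throws Exception {
                int index = 0;
                for (Object credential : credentials) {
                    index++;
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, credentialSetName + "(" + index + ") class:" + credential.getClass().getName());
                    }
                    if (!(credential instanceof Map)) {
                        continue;
                    }
                    Map<?, ?> credentialMap = (Map<?, ?>) credential;
                    // Only credential maps that carry an access token are considered.
                    if (credentialMap.get(ACCESS_TOKEN_ATTRIBUTE) == null) {
                        continue;
                    }
                    Object found = credentialMap.get(attributeName);
                    if (found != null) {
                        return found;
                    }
                }
                return null;
            }
        });
        return value == null ? null : value.toString();
    }

    /**
     * OAuth 2.0 step. Provider result mapping: CONTINUE stays CONTINUE; FAILURE and any other
     * non-SUCCESS status become OAUTH_CHALLENGE when the provider reported HTTP 401 and FAILURE
     * otherwise; SUCCESS with a user name logs the user in (identity always mapped to the
     * registry user).
     *
     * @return {@link #OAUTH_CONT} when the service reference is unset, SUCCESS with no user
     *         name, or the provider said CONTINUE
     */
    private AuthenticationResult handleOAuth(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (this.oauthServiceRef == null) {
            return this.OAUTH_CONT;
        }
        OAuth20Service oauthService = this.oauthServiceRef.getService();
        if (oauthService == null) {
            return new AuthenticationResult(AuthResult.CONTINUE, "OAuth service is not available, skipping OAuth...");
        }
        ProviderAuthenticationResult providerResult = oauthService.authenticate(httpServletRequest, httpServletResponse);
        AuthResult status = providerResult.getStatus();
        if (status == AuthResult.CONTINUE) {
            return this.OAUTH_CONT;
        }
        if (status == AuthResult.FAILURE) {
            return 401 == providerResult.getHttpStatusCode()
                    ? new AuthenticationResult(AuthResult.OAUTH_CHALLENGE, "OAuth service failed the request")
                    : new AuthenticationResult(AuthResult.FAILURE, "OAuth service failed the request...");
        }
        if (status != AuthResult.SUCCESS) {
            return 401 == providerResult.getHttpStatusCode()
                    ? new AuthenticationResult(AuthResult.OAUTH_CHALLENGE, "OAuth service failed the request due to unsuccessful request")
                    : new AuthenticationResult(AuthResult.FAILURE, "OAuth service returned with status: " + status);
        }
        if (providerResult.getUserName() == null) {
            return this.OAUTH_CONT;
        }
        return this.authHelper.loginWithUserName(httpServletRequest, httpServletResponse, providerResult.getUserName(), providerResult.getSubject(), providerResult.getCustomProperties(), true);
    }

    /**
     * Builds the TAI authenticator with an OIDC-server-aware SSO cookie helper.
     *
     * @return the authenticator, or {@code null} when neither a TAI service nor any interceptor
     *         is registered
     */
    @Override
    protected TAIAuthenticator getTaiAuthenticator() {
        TAIService taiService = this.taiServiceRef.getService();
        Iterator<TrustAssociationInterceptor> interceptors = this.interceptorServiceRef.getServices();
        if (taiService == null && (interceptors == null || !interceptors.hasNext())) {
            return null;
        }
        return new TAIAuthenticator(taiService, this.interceptorServiceRef, this.securityServiceRef.getService().getAuthenticationService(), new SSOCookieHelperImplExtended(this.webAppSecurityConfig, this.oidcServerRef));
    }

    /**
     * Builds the SSO authenticator with an OIDC-server-aware SSO cookie helper.
     *
     * @param webRequest the request whose security metadata the authenticator uses
     * @param str        when non-null, passed to {@code SSOCookieHelperImplExtended} instead of
     *                   the OIDC server reference (decompiled name; presumably a cookie name — unconfirmed)
     * @return a new {@link SSOAuthenticator}
     */
    @Override
    public WebAuthenticator getSSOAuthenticator(WebRequest webRequest, String str) {
        SSOCookieHelper cookieHelper = str != null
                ? new SSOCookieHelperImplExtended(this.webAppSecurityConfig, str)
                : new SSOCookieHelperImplExtended(this.webAppSecurityConfig, this.oidcServerRef);
        return new SSOAuthenticator(this.securityServiceRef.getService().getAuthenticationService(), webRequest.getSecurityMetadata(), this.webAppSecurityConfig, cookieHelper);
    }
}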
