package com.ibm.ws.security.oauth20.web;

import com.ibm.oauth.core.api.OAuthResult;
import com.ibm.oauth.core.api.attributes.AttributeList;
import com.ibm.oauth.core.api.error.OidcServerException;
import com.ibm.oauth.core.internal.oauth20.OAuth20Constants;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.oauth20.api.OAuth20Provider;
import com.ibm.ws.security.oauth20.form.FormRenderer;
import com.ibm.ws.security.oauth20.plugins.OidcBaseClient;
import com.ibm.ws.security.oauth20.util.BoundedConsentCache;
import com.ibm.ws.security.oauth20.util.ConsentCacheKey;
import com.ibm.ws.security.oauth20.util.Nonce;
import com.ibm.ws.security.oauth20.util.TemplateRetriever;
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

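/**
 * Consent handling for the OAuth 2.0 authorization endpoint.
 *
 * <p>Responsibilities visible in this class:
 * <ul>
 *   <li>recording a user's consent decision, either in a per-session
 *       {@link BoundedConsentCache} or in the provider's shared consent cache
 *       ({@link #handleConsent});</li>
 *   <li>checking whether a prior decision still covers the requested scopes
 *       ({@link #isCachedAndValid});</li>
 *   <li>rendering the consent form, by forwarding to a configured template or by
 *       delegating to {@link FormRenderer} ({@link #renderConsentForm});</li>
 *   <li>managing the per-session {@link Nonce} that ties a rendered form to the
 *       request that later submits it.</li>
 * </ul>
 *
 * <p>Cache keys are compared with {@link ConsentCacheKey}; its equality semantics
 * are not visible here, so the comments below only describe what is passed in.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.oauth.2.0_1.1.18.jar:com/ibm/ws/security/oauth20/web/Consent.class */
public class Consent {
    private static TraceComponent tc = Tr.register(Consent.class);
    /** Matches "{/contextRoot}/path": group 1 is the target context root, group 2 the path within it. */
    public static final Pattern FORWARD_TEMPLATE_PATTERN = Pattern.compile("\\{(/[\\w-/]+)\\}(/.+)");
    public static final String PARAM_AUTHZ_FORM_TEMPLATE = "oauth20.authorization.form.template";
    // Session attribute holding the per-session BoundedConsentCache.
    private static final String ATTR_CONSENT_CACHE = "consentCache";
    // Session attribute (Nonce) and request attribute (nonce value / Nonce) name.
    private static final String ATTR_NONCE = "consentNonce";
    // Unused in this class; retained because it is part of the compiled API surface.
    private static final String ATTR_RESOURCE = "consentResource";
    // Request attribute exposing the OidcBaseClient to a forwarded template.
    private static final String ATTR_OAUTH_CLIENT = "oauthClient";
    public static final String HEADER_ACCEPT_LANGUAGE = "Accept-Language";
    // Retained from the original class; note that Consent does not implement Serializable.
    static final long serialVersionUID = 5742476363057045229L;

    /**
     * Records the user's consent decision for the current authorization request.
     *
     * <p>Nothing is stored unless the request carried an explicit prompt that did not
     * include "consent". With a shared (non-local) store the decision goes to the
     * provider's consent cache; otherwise one {@link ConsentCacheKey} is added to the
     * session-scoped cache and the cache is written back to the session.
     *
     * @param oAuth20Provider     provider supplying cache lifetime, store type and ID
     * @param httpServletRequest  current request; reads the redirect_uri, resource and
     *                            scope parameters and, for the shared store, the user principal
     * @param prompt              parsed "prompt" parameter
     * @param str                 client ID the decision applies to
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void handleConsent(OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, Prompt prompt, String str) {
        // Only an explicit prompt that does not already request "consent" carries a decision to remember.
        if (!prompt.hasPrompt() || prompt.hasConsent()) {
            return;
        }
        String redirectUri = httpServletRequest.getParameter(OAuth20Constants.REDIRECT_URI);
        String resource = httpServletRequest.getParameter("resource");
        String scopeParam = httpServletRequest.getParameter("scope");
        String[] scopes = getScope(scopeParam);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Caching consent response for scopes: " + scopeParam, new Object[0]);
        }
        int lifetime = (int) oAuth20Provider.getConsentCacheEntryLifetime();
        if (!oAuth20Provider.isLocalStoreUsed()) {
            oAuth20Provider.getConsentCache().add(str, httpServletRequest.getUserPrincipal().getName(), scopeParam, resource, oAuth20Provider.getID(), lifetime);
            return;
        }
        if (scopes == null) {
            // No "scope" parameter: there is nothing to key the session cache on.
            // (Iterating a null array here was a NullPointerException before.)
            return;
        }
        BoundedConsentCache sessionCache = getConsentCacheFromSession(httpServletRequest, oAuth20Provider);
        for (String scope : scopes) {
            // NOTE(review): the key is built from the whole scope string (scopeParam), not from
            // the individual `scope`, so every iteration produces the same key, whereas
            // isCachedAndValid() looks up one key per scope value. Kept as shipped; confirm the
            // intended ConsentCacheKey semantics before aligning the two.
            ConsentCacheKey key = new ConsentCacheKey(str, redirectUri, scopeParam, resource, lifetime);
            if (!sessionCache.contains(key)) {
                sessionCache.put(key);
            }
        }
        httpServletRequest.getSession().setAttribute(ATTR_CONSENT_CACHE, sessionCache);
    }

    /**
     * Reports whether a still-valid consent decision exists for every scope of the
     * given authorization result.
     *
     * <p>With the session-scoped cache, each scope is looked up individually and stale
     * entries are removed as they are found; the result is {@code true} only if every
     * scope was present and valid. With the shared store the check is delegated to the
     * provider's consent cache for all scopes at once.
     *
     * @param oAuthResult          result carrying scope, client_id, redirect_uri and resource
     *                             attributes; {@code null} yields {@code false}
     * @param oAuth20Provider      provider supplying cache lifetime, store type and ID
     * @param httpServletRequest   current request (session and, for the shared store, user principal)
     * @param httpServletResponse  unused here; kept for the public signature
     * @return {@code true} if consent is cached and valid for all requested scopes
     */
    public boolean isCachedAndValid(OAuthResult oAuthResult, OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (oAuthResult == null) {
            return false;
        }
        AttributeList attributes = oAuthResult.getAttributeList();
        String[] scopes = attributes != null ? attributes.getAttributeValuesByName("scope") : null;
        if (scopes == null || scopes.length == 0) {
            return false;
        }
        String clientId = attributes.getAttributeValueByName("client_id");
        String redirectUri = attributes.getAttributeValueByName(OAuth20Constants.REDIRECT_URI);
        String resource = attributes.getAttributeValueByName("resource");
        int lifetime = (int) oAuth20Provider.getConsentCacheEntryLifetime();
        if (!oAuth20Provider.isLocalStoreUsed()) {
            return oAuth20Provider.getConsentCache().get(clientId, httpServletRequest.getUserPrincipal().getName(), oAuth20Provider.getID(), scopes, resource, lifetime);
        }
        BoundedConsentCache sessionCache = getConsentCacheFromSession(httpServletRequest, oAuth20Provider);
        // Every scope must be covered. Previously only the last scope's result survived the loop,
        // so an earlier missing/expired scope could be masked by a later valid one.
        boolean allValid = true;
        for (String scope : scopes) {
            ConsentCacheKey key = new ConsentCacheKey(clientId, redirectUri, scope, resource, lifetime);
            synchronized (sessionCache) {
                boolean valid = isCacheKeyValid(sessionCache, sessionCache.get(key), scope, lifetime);
                if (!valid) {
                    // Drop stale/mismatched entries eagerly rather than leaving them to expire.
                    sessionCache.remove(key);
                }
                allValid &= valid;
            }
        }
        httpServletRequest.getSession().setAttribute(ATTR_CONSENT_CACHE, sessionCache);
        return allValid;
    }

    /**
     * Decides whether a cached key still represents usable consent: it must exist, be
     * valid per {@link ConsentCacheKey#isValid()}, and have been stored with the
     * currently configured lifetime (a lifetime change invalidates old entries).
     *
     * @param boundedConsentCache  cache the key came from (not consulted here)
     * @param consentCacheKey      entry found in the cache, or {@code null} if absent
     * @param str                  scope the entry was looked up for (not consulted here)
     * @param i                    currently configured consent cache entry lifetime
     * @return {@code true} if the entry is present, valid and lifetime-consistent
     */
    public boolean isCacheKeyValid(BoundedConsentCache boundedConsentCache, ConsentCacheKey consentCacheKey, String str, int i) {
        if (consentCacheKey == null) {
            return false;
        }
        return consentCacheKey.isValid() && consentCacheKey.getLifetime() == i;
    }

    /**
     * Returns the session's consent cache, creating one sized to the provider's
     * configured capacity if absent, or resizing the existing one if the configured
     * capacity changed. The caller is responsible for storing it back in the session.
     *
     * @param httpServletRequest  current request; a session is created if none exists
     * @param oAuth20Provider     provider supplying the consent cache size
     * @return the (possibly new) session-scoped cache
     */
    public BoundedConsentCache getConsentCacheFromSession(HttpServletRequest httpServletRequest, OAuth20Provider oAuth20Provider) {
        int capacity = (int) oAuth20Provider.getConsentCacheSize();
        BoundedConsentCache cache = (BoundedConsentCache) httpServletRequest.getSession().getAttribute(ATTR_CONSENT_CACHE);
        if (cache == null) {
            return new BoundedConsentCache(capacity);
        }
        if (cache.getCapacity() != capacity) {
            cache.updateCapacity(capacity);
        }
        return cache;
    }

    /**
     * Renders the consent form with a freshly created {@link FormRenderer}.
     *
     * @see #renderConsentForm(HttpServletRequest, HttpServletResponse, OAuth20Provider, String, Nonce, AttributeList, ServletContext, FormRenderer)
     */
    public void renderConsentForm(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth20Provider oAuth20Provider, String str, Nonce nonce, AttributeList attributeList, ServletContext servletContext) throws IOException, ServletException, OidcServerException {
        renderConsentForm(httpServletRequest, httpServletResponse, oAuth20Provider, str, nonce, attributeList, servletContext, null);
    }

    /**
     * Renders the consent form for the given client.
     *
     * <p>If the configured template URL has the form "{/contextRoot}/path", the client
     * and nonce are exposed as request attributes and the request is forwarded to that
     * resource; a missing target context is logged as an error and nothing is written.
     * Otherwise the form is produced by the {@link FormRenderer}, using the provider's
     * default template content when present or the normalized template URL when not.
     *
     * <p>The response is marked non-cacheable on every path: the form is user-specific
     * and embeds the consent nonce.
     *
     * @param httpServletRequest   current request
     * @param httpServletResponse  response to render into or forward
     * @param oAuth20Provider      provider supplying the client, template URL and default template
     * @param str                  client ID whose consent form is rendered
     * @param nonce                nonce to embed in the form
     * @param attributeList        request attributes passed through to the renderer
     * @param servletContext       context used to resolve a forward target
     * @param formRenderer         renderer to use, or {@code null} to create a default one
     * @throws IOException          from forwarding or rendering
     * @throws ServletException     from forwarding
     * @throws OidcServerException  from rendering
     */
    protected void renderConsentForm(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth20Provider oAuth20Provider, String str, Nonce nonce, AttributeList attributeList, ServletContext servletContext, FormRenderer formRenderer) throws IOException, ServletException, OidcServerException {
        OidcBaseClient client = oAuth20Provider.getClientProvider().get(str);
        String templateUrl = oAuth20Provider.getAuthorizationFormTemplate();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "templateUrl from configuration is " + templateUrl, new Object[0]);
        }
        byte[] defaultTemplate = oAuth20Provider.getDefaultAuthorizationFormTemplateContent();
        boolean useDefaultTemplate = defaultTemplate != null;
        // Set before branching so a forwarded template gets the same no-store treatment
        // as the locally rendered form; previously only the local path set these.
        setNoCacheHeaders(httpServletResponse);
        // Pattern.matcher(null) throws; a missing template URL simply takes the renderer path.
        Matcher forward = templateUrl != null ? FORWARD_TEMPLATE_PATTERN.matcher(templateUrl) : null;
        if (forward != null && forward.matches()) {
            String contextRoot = forward.group(1);
            String path = forward.group(2);
            httpServletRequest.setAttribute(ATTR_OAUTH_CLIENT, client);
            httpServletRequest.setAttribute(ATTR_NONCE, nonce);
            RequestDispatcher dispatcher = getDispatcher(servletContext, contextRoot, path);
            if (dispatcher == null) {
                Tr.error(tc, "security.oauth20.endpoint.template.forward.error", PARAM_AUTHZ_FORM_TEMPLATE, contextRoot, path);
            } else {
                dispatcher.forward(httpServletRequest, httpServletResponse);
            }
            return;
        }
        String normalizedTemplateUrl = useDefaultTemplate ? null : TemplateRetriever.normallizeTemplateUrl(httpServletRequest, templateUrl);
        String acceptLanguage = httpServletRequest.getHeader(HEADER_ACCEPT_LANGUAGE);
        FormRenderer renderer = formRenderer != null ? formRenderer : new FormRenderer();
        String contextPath = httpServletRequest.getContextPath();
        String requestUrl = httpServletRequest.getRequestURL().toString();
        renderer.renderForm(client, normalizedTemplateUrl, contextPath, requestUrl, nonce, attributeList, acceptLanguage, httpServletResponse, defaultTemplate);
    }

    /**
     * Marks the response as not cacheable by browsers or intermediaries, using both the
     * HTTP/1.1 Cache-Control directives and the HTTP/1.0 Pragma/Expires fallbacks.
     *
     * @param httpServletResponse  response to tag
     */
    private static void setNoCacheHeaders(HttpServletResponse httpServletResponse) {
        httpServletResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate, private, max-age=0");
        httpServletResponse.setHeader("Pragma", "no-cache");
        httpServletResponse.setDateHeader("Expires", 0L);
    }

    /**
     * Resolves a request dispatcher for a path in another web application.
     *
     * @param servletContext  context used to look up the target context
     * @param str             context root of the target application
     * @param str2            path within that application
     * @return the dispatcher, or {@code null} if the target context is not accessible
     */
    private RequestDispatcher getDispatcher(ServletContext servletContext, String str, String str2) {
        ServletContext target = servletContext.getContext(str);
        return target == null ? null : target.getRequestDispatcher(str2);
    }

    /**
     * Splits a space-separated scope parameter into individual scope values.
     *
     * @param str  raw "scope" parameter value, may be {@code null}
     * @return the scope tokens, or {@code null} if the parameter was absent
     */
    protected String[] getScope(String str) {
        return str == null ? null : str.split(" ");
    }

    /**
     * Sends an error status for a nonce failure: 408 (Request Timeout) if the session
     * nonce has expired, 500 otherwise.
     *
     * @param httpServletRequest   request whose session nonce is inspected
     * @param httpServletResponse  response to send the error on
     * @throws IOException  if the error response cannot be sent
     */
    public void handleNonceError(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        int status = isNonceExpired(httpServletRequest)
                ? HttpServletResponse.SC_REQUEST_TIMEOUT
                : HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
        httpServletResponse.sendError(status);
    }

    /**
     * Checks a submitted nonce value against the one stored in the session.
     *
     * @param httpServletRequest  request whose session holds the expected nonce
     * @param str                 nonce value submitted with the request
     * @return {@code true} only if a session nonce exists and accepts {@code str}
     */
    public boolean isNonceValid(HttpServletRequest httpServletRequest, String str) {
        Nonce sessionNonce = getSessionNonce(httpServletRequest);
        return sessionNonce != null && sessionNonce.isValid(str);
    }

    /**
     * Reports whether the session nonce exists and has expired.
     *
     * @param httpServletRequest  request whose session holds the nonce
     * @return {@code true} if a session nonce is present and expired; {@code false} if absent
     */
    boolean isNonceExpired(HttpServletRequest httpServletRequest) {
        Nonce sessionNonce = getSessionNonce(httpServletRequest);
        return sessionNonce != null && sessionNonce.isExpired();
    }

    /**
     * Creates a fresh nonce, stores the {@link Nonce} object in the session (creating the
     * session if needed) and exposes its string value as a request attribute for the
     * rendered form.
     *
     * @param httpServletRequest  request to attach the nonce to
     * @return the newly created nonce
     */
    public Nonce setNonce(HttpServletRequest httpServletRequest) {
        Nonce nonce = Nonce.getInstance();
        httpServletRequest.getSession(true).setAttribute(ATTR_NONCE, nonce);
        httpServletRequest.setAttribute(ATTR_NONCE, nonce.getValue());
        return nonce;
    }

    /**
     * Reads the nonce stored by {@link #setNonce} from the session, without creating a
     * session when none exists (there can be no nonce to read in that case).
     *
     * @param httpServletRequest  current request
     * @return the session nonce, or {@code null} if there is no session or no nonce
     */
    private Nonce getSessionNonce(HttpServletRequest httpServletRequest) {
        javax.servlet.http.HttpSession session = httpServletRequest.getSession(false);
        return session == null ? null : (Nonce) session.getAttribute(ATTR_NONCE);
    }
}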
