package com.ibm.ws.security.oauth20.tai;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.oauth.core.api.OAuthResult;
import com.ibm.oauth.core.api.error.oauth20.OAuth20InvalidScopeException;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.ws.security.oauth20.api.OAuth20ProviderFactory;
import com.ibm.ws.security.oauth20.impl.OAuth20ProviderFactoryManager;
import com.ibm.ws.security.oauth20.token.impl.WSOAuth20TokenHelper;
import com.ibm.ws.security.oauth20.util.Constants;
import com.ibm.ws.security.oauth20.util.MessageFormatHelper;
import com.ibm.wsspi.security.oauth20.token.WSOAuth20Token;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import java.io.UnsupportedEncodingException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Hashtable;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:wlp/lib/com.ibm.ws.security.oauth20_1.0.3.jar:com/ibm/ws/security/oauth20/tai/OAuthTAI.class */
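/**
 * Trust association interceptor (TAI) that authenticates requests to OAuth 2.0
 * protected resources using a bearer access token carried in the request.
 *
 * <p>The container calls {@link #isTargetInterceptor(HttpServletRequest)} to ask
 * whether this TAI wants the request and then
 * {@link #negotiateValidateandEstablishTrust(HttpServletRequest, HttpServletResponse)}
 * to perform the authentication. A successful validation yields a {@link TAIResult}
 * whose {@link Subject} carries the cache key (and optionally the token itself) as
 * private credentials; a failed validation yields a 401 or 403 result with a
 * {@code WWW-Authenticate: Bearer ...} challenge.
 *
 * <p>Thread-safety: the only mutable per-instance state is {@link #taiConfig}, which
 * is assigned once in {@link #initialize(Properties)}; everything else is per request.
 */
public class OAuthTAI implements TrustAssociationInterceptor {
    /** Prefix of the NLS message keys resolved by {@link #getMsg(String)}. */
    static final String comp = "security.tai";
    /**
     * Interceptor configuration. Assigned in {@link #initialize(Properties)}; it is
     * {@code null} until the container has initialized this TAI.
     */
    protected OAuthTAIConfig taiConfig = null;
    static final TraceComponent tc = Tr.register((Class<?>) OAuthTAI.class, Constants.TR_GROUP, Constants.NLS_MSG_FILE);
    // Neither flag is read or written in this class; kept because they are protected
    // and a subclass may depend on them.
    protected static boolean taiEnabled = false;
    protected static boolean isInitialized = false;

    /**
     * Resolves the NLS message whose key is {@code "security.tai." + str}.
     *
     * @param str key suffix below the {@link #comp} prefix
     * @return the formatted message text
     */
    private String getMsg(String str) {
        return MessageFormatHelper.getFormattedMessage(comp + "." + str);
    }

    /**
     * Decides whether this TAI should handle the request.
     *
     * <p>Only requests for which the configuration names an OAuth provider are
     * candidates. For such requests the configured character encoding is applied
     * when the request has none yet. The request is then claimed when either the
     * resource is configured as OAuth-only and the request is not a token request,
     * or the request carries an access token for a protected resource
     * (see {@code RequestMode}). Otherwise the request is left to the other
     * authentication mechanisms.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} if this TAI wants to authenticate the request
     * @throws WebTrustAssociationException declared by the interface; not thrown here
     */
    @Override // com.ibm.wsspi.security.tai.TrustAssociationInterceptor
    public boolean isTargetInterceptor(HttpServletRequest httpServletRequest) throws WebTrustAssociationException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isTargetInterceptor");
        }
        boolean intercept = false;
        if (this.taiConfig.getOAuthProviderName(httpServletRequest) != null) {
            OAuthResourceProtectionConfig resourceConfig = this.taiConfig.getOAuthResourceProtectionConfig(httpServletRequest);
            String configuredEncoding = resourceConfig.getCharacterEncoding();
            // Only set the encoding when the request does not already declare one, so an
            // explicit client charset is never overridden by the configured default.
            if (httpServletRequest.getCharacterEncoding() == null && configuredEncoding != null) {
                try {
                    httpServletRequest.setCharacterEncoding(configuredEncoding);
                } catch (UnsupportedEncodingException e) {
                    // A bad configured charset must not block authentication; report and carry on.
                    if (tc.isWarningEnabled()) {
                        Tr.warning(tc, e.getMessage());
                    }
                }
            }
            if (resourceConfig.useOauthOnly()) {
                // OAuth-only resources: everything except the token endpoint goes through this TAI.
                intercept = !RequestMode.isTokenRequest(httpServletRequest);
            } else if (RequestMode.isProtectedResourceRequest(httpServletRequest)) {
                intercept = true;
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "There is no access token, fallback to available authn.");
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isTargetInterceptor=" + intercept);
        }
        return intercept;
    }

    /**
     * Authenticates the request by delegating to
     * {@link #resourceAccessAuthn(HttpServletRequest, HttpServletResponse)}.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response, used for challenge headers and cookies
     * @return the TAI result describing success (200 plus subject) or failure (401/403)
     * @throws WebTrustAssociationFailedException if the request carries no access token
     */
    @Override // com.ibm.wsspi.security.tai.TrustAssociationInterceptor
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "negotiateValidateandEstablishTrust");
        }
        TAIResult result = resourceAccessAuthn(httpServletRequest, httpServletResponse);
        if (tc.isEntryEnabled()) {
            if (result != null) {
                Tr.exit(tc, "negotiateValidateandEstablishTrust:" + result.getAuthenticatedPrincipal());
            } else {
                Tr.exit(tc, "negotiateValidateandEstablishTrust fails");
            }
        }
        return result;
    }

    /**
     * Validates the bearer access token of a protected-resource request.
     *
     * <p>A missing or blank token is reported as a {@link WebTrustAssociationFailedException}.
     * When the provider reports a failed validation (status {@code 1}), the response gets a
     * {@code WWW-Authenticate} bearer challenge and the result is 403 if the failure cause is
     * an {@link OAuth20InvalidScopeException}, 401 otherwise. The challenge's
     * {@code error_description} is a fixed string, so the provider's failure reason is only
     * written to the debug trace and never echoed to the client. On success the result is
     * built by {@link #createResult(HttpServletRequest, HttpServletResponse, OAuthResult, String)}.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response, used for the challenge header
     * @return the TAI result for the request; never {@code null}
     * @throws WebTrustAssociationFailedException if no access token is present
     */
    protected TAIResult resourceAccessAuthn(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "resourceAccessAuthn");
        }
        String accessToken = TokenUtil.getBearerAccessTokenToken(httpServletRequest);
        if (accessToken == null || accessToken.trim().isEmpty()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "There is no OAuth token in the request.");
            }
            throw new WebTrustAssociationFailedException(getMsg("notoken"));
        }
        String providerName = this.taiConfig.getOAuthProviderName(httpServletRequest);
        OAuthResult validation = validateOAuthToken(httpServletRequest, httpServletResponse, providerName);
        TAIResult result;
        // NOTE(review): status 1 is treated as "validation failed" here; any other status is success.
        if (validation.getStatus() == 1) {
            result = TAIResult.create(validation.getCause() instanceof OAuth20InvalidScopeException ? 403 : 401);
            // NOTE(review): the challenge value contains embedded LF characters and indentation
            // (obsolete header folding) and always reports error="invalid_token", even on the 403
            // path where RFC 6750 defines "insufficient_scope". Kept byte-for-byte; a single-line
            // value would be safer with strict HTTP/1.1 parsers - verify downstream before changing.
            httpServletResponse.setHeader("WWW-Authenticate", ("Bearer realm=\"OAuth\",\n                  error=\"invalid_token\",\n") + "                  error_description=\"Check access token\"");
            if (tc.isDebugEnabled()) {
                // The cause may be absent; the instanceof check above already tolerates null.
                Tr.debug(tc, "OAuth Token validation fails: "
                        + (validation.getCause() != null ? validation.getCause().getMessage() : "no cause reported"));
            }
        } else {
            result = createResult(httpServletRequest, httpServletResponse, validation, providerName);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "resourceAccessAuthn:" + result.getAuthenticatedPrincipal());
        }
        return result;
    }

    /**
     * Hook for authenticating token-endpoint requests. Not implemented in this class.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response
     * @return always {@code null}
     * @throws WebTrustAssociationFailedException declared for subclasses; not thrown here
     */
    protected TAIResult tokenRequestAuthn(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws WebTrustAssociationFailedException {
        return null;
    }

    /**
     * Builds the successful TAI result for a validated token.
     *
     * <p>The subject receives, as private credentials, a hashtable holding the token's
     * cache key under {@code com.ibm.wsspi.security.cred.cacheKey} and the provider name
     * under {@link Constants#OAUTH_PROVIDER_NAME}; when the resource configuration says
     * so, the {@link WSOAuth20Token} itself is added as well. When the configuration does
     * not include LTPA, the LTPA cookies are expired on the response so that the OAuth
     * authentication is not turned into an SSO session cookie.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response, used for cookie deletion
     * @param oAuthResult         the successful validation result
     * @param str                 the OAuth provider name
     * @return a 200 result for the token's user with the populated subject
     * @throws WebTrustAssociationFailedException declared by the interface; not thrown here
     */
    protected TAIResult createResult(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuthResult oAuthResult, String str) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "createResult");
        }
        Subject subject = new Subject();
        WSOAuth20Token token = WSOAuth20TokenHelper.createToken(httpServletRequest, httpServletResponse, oAuthResult, str);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "OAuth Token is " + token);
        }
        String cacheKey = token.getCacheKey();
        OAuthResourceProtectionConfig resourceConfig = this.taiConfig.getOAuthResourceProtectionConfig(httpServletRequest);
        if (resourceConfig.includeTokenInSubject()) {
            addToSubjectAsPrivateCredentials(subject, token);
        }
        Hashtable<String, Object> credentials = new Hashtable<String, Object>();
        credentials.put("com.ibm.wsspi.security.cred.cacheKey", cacheKey);
        credentials.put(Constants.OAUTH_PROVIDER_NAME, resourceConfig.getProviderName());
        addToSubjectAsPrivateCredentials(subject, credentials);
        TAIResult result = TAIResult.create(200, token.getUser(), subject);
        // Same configuration object as looked up above; no need to resolve it a second time.
        if (!resourceConfig.includeLtpa) {
            deleteLtpaCookie(httpServletRequest, httpServletResponse);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "LTPA cookie will be deleted.");
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "createResult");
        }
        return result;
    }

    /**
     * Asks the named OAuth provider's component to validate the resource request.
     *
     * @param httpServletRequest  the incoming request (carries the access token)
     * @param httpServletResponse the response; not used by this method
     * @param str                 the OAuth provider name
     * @return the provider's validation result
     */
    protected OAuthResult validateOAuthToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validateOAuthToken");
        }
        OAuthResult result = OAuth20ProviderFactory.getOAuth20Provider(str).getComponent().processResourceRequest(httpServletRequest);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validateOAuthToken:" + result.getStatus());
        }
        return result;
    }

    /**
     * Builds the configuration from the TAI properties and registers it with the
     * provider factory manager.
     *
     * @param properties the TAI custom properties supplied by the container
     * @return {@code 0}
     * @throws WebTrustAssociationFailedException declared by the interface; not thrown here
     */
    @Override // com.ibm.wsspi.security.tai.TrustAssociationInterceptor
    public int initialize(Properties properties) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initialize");
        }
        this.taiConfig = new OAuthTAIConfig(properties);
        OAuth20ProviderFactoryManager.registerTAI(this.taiConfig);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize");
        }
        return 0;
    }

    /** @return the fixed interceptor version string {@code "1.0"} */
    @Override // com.ibm.wsspi.security.tai.TrustAssociationInterceptor
    public String getVersion() {
        return "1.0";
    }

    /** @return the runtime class name of this interceptor (honours subclassing) */
    @Override // com.ibm.wsspi.security.tai.TrustAssociationInterceptor
    public String getType() {
        return getClass().getName();
    }

    /** Nothing to release: this class holds no resources beyond its configuration. */
    @Override // com.ibm.wsspi.security.tai.TrustAssociationInterceptor
    public void cleanup() {
    }

    /**
     * Adds {@code obj} to the subject's private credentials; a {@code null} object is ignored.
     *
     * <p>The modification runs under {@link AccessController#doPrivileged(PrivilegedAction)}
     * so that it succeeds when a security manager is installed, regardless of the
     * permissions of the calling code on the stack.
     *
     * @param subject the subject to update
     * @param obj     the credential to add, or {@code null} for a no-op
     */
    private static void addToSubjectAsPrivateCredentials(final Subject subject, final Object obj) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "addToSubjectAsPrivateCredentials");
        }
        if (obj != null) {
            AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: com.ibm.ws.security.oauth20.tai.OAuthTAI.1
                @Override // java.security.PrivilegedAction
                public Object run() {
                    subject.getPrivateCredentials().add(obj);
                    return null;
                }
            });
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "addToSubjectAsPrivateCredentials");
        }
    }

    /**
     * Expires the {@code LtpaToken} and {@code LtpaToken2} cookies on the response by
     * sending each with an empty value, path {@code "/"} and a max age of zero.
     *
     * <p>A browser only drops a cookie when name, path and domain match, so a cookie
     * that was issued with a different path or an explicit domain would survive this.
     *
     * @param httpServletRequest  the incoming request; not used by this method
     * @param httpServletResponse the response that receives the expiring cookies
     */
    protected void deleteLtpaCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "deleteLtpaCookie");
        }
        String[] cookieNames = {"LtpaToken", "LtpaToken2"};
        for (String name : cookieNames) {
            Cookie expired = new Cookie(name, "");
            expired.setPath("/");
            expired.setMaxAge(0);
            httpServletResponse.addCookie(expired);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "deleteLtpaCookie");
        }
    }
}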
