package com.ibm.ws.security.oauth20.internal;

import com.ibm.oauth.core.api.OAuthResult;
import com.ibm.oauth.core.api.error.oauth20.OAuth20InvalidScopeException;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.InjectedTrace;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.oauth20.api.OAuth20Provider;
import com.ibm.ws.security.oauth20.api.OAuth20ProviderConfiguration;
import com.ibm.ws.security.oauth20.api.OAuth20ProviderFactory;
import com.ibm.ws.security.oauth20.tai.RequestMode;
import com.ibm.ws.security.oauth20.tai.TokenUtil;
import com.ibm.ws.security.oauth20.token.impl.WSOAuth20TokenHelper;
import com.ibm.ws.security.oauth20.util.Constants;
import com.ibm.ws.webcontainer.security.oauth20.OAuthAuthenticationResult;
import com.ibm.wsspi.security.oauth20.token.WSOAuth20Token;
import java.io.UnsupportedEncodingException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Hashtable;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

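/**
 * Authenticates an inbound HTTP request against the registered OAuth 2.0 providers.
 * <p>
 * Flow (see {@link #authenticate}): the first provider whose request filter accepts the request is
 * selected; its configuration decides whether the request must carry a bearer token
 * ({@code oauthOnly}) or only when {@link RequestMode} recognises it as a protected-resource request.
 * A present token is validated by the provider component and, on success, turned into a
 * {@link Subject} carrying a cache key and the provider name as private credentials.
 * <p>
 * Thread-safety: the class holds no mutable instance state; all work is per call.
 */
@TraceOptions(traceGroups = {"OAUTH"}, traceGroup = "", messageBundle = "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages", traceExceptionThrow = false, traceExceptionHandling = false)
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.oauth20_1.0.4.jar:com/ibm/ws/security/oauth20/internal/OAuth20Authenticator.class */
public class OAuth20Authenticator {
    private static final TraceComponent tc = Tr.register(OAuth20Authenticator.class);
    static final String comp = "security.tai";
    /** Provider config property: request character encoding applied when the request declares none. */
    private static final String CHARACTER_ENCODING = "characterEncoding";
    /** Provider config property: when true, every non-token request must authenticate with OAuth. */
    private static final String AUTH_WITH_OAUTH_ONLY = "oauthOnly";
    /** Provider config property: when true, the validated token object is added to the subject. */
    private static final String INCLUDE_TOKEN = "includeToken";
    static final String WSCREDENTIAL_CACHE_KEY_INTERNAL_ASSERTION = "com.ibm.ws.authentication.internal.key.assertion";
    static final long serialVersionUID = 5184990557009075748L;
    /** Hashtable key under which the token's cache key is handed to the authentication service. */
    private static final String WSCREDENTIAL_CACHE_KEY = "com.ibm.wsspi.security.cred.cacheKey";
    /**
     * RFC 6750 challenge sent with a failed validation. Kept on a single line: a bare LF inside a header
     * value is obsolete line folding (RFC 7230 section 3.2.4) and is rejected or mangled by many containers
     * and proxies.
     */
    private static final String INVALID_TOKEN_CHALLENGE =
            "Bearer realm=\"OAuth\", error=\"invalid_token\", error_description=\"Check access token\"";

    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public OAuth20Authenticator() {
    }

    /**
     * Decides whether this request must be authenticated with OAuth and, if so, validates its bearer token.
     *
     * @param httpServletRequest  the inbound request
     * @param httpServletResponse the response; receives a {@code WWW-Authenticate} challenge when a
     *                            presented token fails validation
     * @return the outcome. When no provider filter accepts the request, or the request is left to other
     *         authentication mechanisms, this is status 2 / HTTP 200 with no subject (status 2 presumably
     *         means "continue" -- confirm against {@code OAuthAuthenticationResult}); otherwise the result
     *         of {@link #checkAccess}.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    public OAuthAuthenticationResult authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        OAuthAuthenticationResult result = new OAuthAuthenticationResult(2, 200, null, null);
        OAuth20Provider provider = getProvider(httpServletRequest);
        if (provider == null) {
            return result;
        }
        OAuth20ProviderConfiguration configuration = provider.getConfiguration();
        applyConfiguredEncoding(httpServletRequest, httpServletResponse, configuration);
        if (requiresOAuth(httpServletRequest, configuration)) {
            result = checkAccess(httpServletRequest, httpServletResponse, provider);
        }
        return result;
    }

    /**
     * Applies the provider's configured request character encoding when the request declares none.
     * Runs before any request parameter is read, since the Servlet API fixes the encoding at first
     * parameter access. An unsupported encoding is reported via FFDC and a warning, then ignored.
     */
    private void applyConfiguredEncoding(HttpServletRequest request, HttpServletResponse response, OAuth20ProviderConfiguration configuration) {
        String encoding = configuration.getConfigPropertyValue(CHARACTER_ENCODING);
        if (request.getCharacterEncoding() != null || encoding == null) {
            return;
        }
        try {
            request.setCharacterEncoding(encoding);
        } catch (UnsupportedEncodingException e) {
            // "77" is the source line recorded by the original FFDC instrumentation; kept so FFDC output stays comparable.
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.internal.OAuth20Authenticator", "77", this, new Object[]{request, response});
            if (tc.isWarningEnabled()) {
                Tr.warning(tc, e.getMessage(), new Object[0]);
            }
        }
    }

    /**
     * Decides whether this request must carry an OAuth bearer token.
     * <p>
     * With {@code oauthOnly=true} every request except a token-endpoint request is protected, so a missing
     * token cannot be satisfied by any other mechanism. Otherwise only requests that {@link RequestMode}
     * classifies as protected-resource requests are; the rest fall back to other authentication.
     */
    private boolean requiresOAuth(HttpServletRequest request, OAuth20ProviderConfiguration configuration) {
        if (configuration.getConfigPropertyBooleanValue(AUTH_WITH_OAUTH_ONLY)) {
            return !RequestMode.isTokenRequest(request);
        }
        if (RequestMode.isProtectedResourceRequest(request)) {
            return true;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "There is no access token, falling back to available authentication.", new Object[0]);
        }
        return false;
    }

    /**
     * Extracts and validates the bearer token of a request that must be OAuth-authenticated.
     *
     * @return status 1 / HTTP 401 when no token is present; on a failed validation status 1 with HTTP 403
     *         if the cause is an {@link OAuth20InvalidScopeException} (token valid but insufficient) and
     *         401 otherwise, with a {@code WWW-Authenticate} challenge set on the response; on success
     *         the subject-bearing result from {@link #createResult}.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private OAuthAuthenticationResult checkAccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth20Provider oAuth20Provider) {
        String accessToken = TokenUtil.getBearerAccessTokenToken(httpServletRequest);
        if (accessToken == null || accessToken.trim().length() == 0) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "There is no OAuth token in the request.", new Object[0]);
            }
            // NOTE(review): this 401 carries no WWW-Authenticate challenge, unlike the invalid-token path
            // below; RFC 6750 section 3 expects one on every 401 from a bearer-protected resource.
            return new OAuthAuthenticationResult(1, 401, null, null);
        }
        OAuthResult validation = validateOAuthToken(httpServletRequest, httpServletResponse, oAuth20Provider.getID());
        // Status 1 is the failure status here; presumably OAuthResult's failure constant -- confirm.
        if (validation.getStatus() != 1) {
            return createResult(httpServletRequest, httpServletResponse, validation, oAuth20Provider);
        }
        Throwable cause = validation.getCause();
        int httpStatus = cause instanceof OAuth20InvalidScopeException ? 403 : 401;
        // NOTE(review): the challenge always says error="invalid_token", even on the 403 scope case where
        // RFC 6750 defines error="insufficient_scope"; left unchanged because clients may depend on it.
        httpServletResponse.setHeader("WWW-Authenticate", INVALID_TOKEN_CHALLENGE);
        if (tc.isDebugEnabled()) {
            // cause may be absent; do not let a trace statement throw on the failure path
            Tr.debug(tc, "OAuth Token validation fails: " + (cause == null ? null : cause.getMessage()), new Object[0]);
        }
        return new OAuthAuthenticationResult(1, httpStatus, null, null);
    }

    /**
     * Builds the success result for a validated token: a fresh {@link Subject} whose private credentials
     * hold a Hashtable with the token's cache key, the internal-assertion marker and the provider name,
     * plus the token object itself when {@code includeToken} is enabled.
     *
     * @return status 0 / HTTP 200 with the subject and the token's user name
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private OAuthAuthenticationResult createResult(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuthResult oAuthResult, OAuth20Provider oAuth20Provider) {
        Subject subject = new Subject();
        WSOAuth20Token token = WSOAuth20TokenHelper.createToken(httpServletRequest, httpServletResponse, oAuthResult, oAuth20Provider.getID());
        if (tc.isDebugEnabled()) {
            // NOTE(review): traces the token object; if WSOAuth20Token.toString() includes the token string
            // this writes a bearer credential to the trace log -- confirm before enabling OAUTH debug trace.
            Tr.debug(tc, "OAuth Token is " + token, new Object[0]);
        }
        String cacheKey = token.getCacheKey();
        if (oAuth20Provider.getConfiguration().getConfigPropertyBooleanValue(INCLUDE_TOKEN)) {
            addToSubjectAsPrivateCredential(subject, token);
        }
        Hashtable<String, Object> credentialProperties = new Hashtable<String, Object>();
        // Hashtable rejects null values, so a missing cache key fails here (closed) rather than yielding a
        // subject that cannot be correlated in the authentication cache.
        credentialProperties.put(WSCREDENTIAL_CACHE_KEY, cacheKey);
        credentialProperties.put(WSCREDENTIAL_CACHE_KEY_INTERNAL_ASSERTION, Boolean.TRUE);
        credentialProperties.put(Constants.OAUTH_PROVIDER_NAME, oAuth20Provider.getID());
        addToSubjectAsPrivateCredential(subject, credentialProperties);
        return new OAuthAuthenticationResult(0, 200, subject, token.getUser());
    }

    /**
     * Runs the provider component's resource-request processing for the provider with the given id.
     * The response parameter is not used by this method.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private OAuthResult validateOAuthToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        OAuth20Provider provider = OAuth20ProviderFactory.getOAuth20Provider(str);
        return provider.getComponent().processResourceRequest(httpServletRequest);
    }

    /**
     * Adds {@code obj} to the subject's private credentials under a privileged action (the subject may
     * carry security-checked permissions); a null {@code obj} is ignored.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private void addToSubjectAsPrivateCredential(final Subject subject, final Object obj) {
        if (obj == null) {
            return;
        }
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                subject.getPrivateCredentials().add(obj);
                return null;
            }
        });
    }

    /**
     * Returns the first registered provider whose request filter accepts the request, or null.
     * When several providers' filters match, the winner is whichever comes first in the iteration order
     * of {@code getAllOAuth20Providers().values()} -- that order is not defined by this class.
     */
    @InjectedTrace({"com.ibm.ws.ras.instrument.internal.bci.FFDCMethodAdapter"})
    private OAuth20Provider getProvider(HttpServletRequest httpServletRequest) {
        for (OAuth20Provider candidate : OAuth20ProviderFactory.getAllOAuth20Providers().values()) {
            if (candidate.getConfiguration().getFilter().isAccepted(httpServletRequest)) {
                return candidate;
            }
        }
        return null;
    }
}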
