package com.ibm.ws.security.oauth20.web;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.oauth.core.api.error.OidcServerException;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.oauth20.api.OAuth20Provider;
import com.ibm.ws.security.oauth20.api.OidcOAuth20ClientProvider;
import com.ibm.ws.security.oauth20.web.OAuth20Request;
import java.io.IOException;
import java.util.ArrayList;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Authenticates the OAuth 2.0 client behind a request to one of the provider's endpoints.
 *
 * <p>Security notes for reviewers (all derived from the code in this class):
 * <ul>
 *   <li>When the provider allows public clients and no non-blank secret is supplied, the only
 *       check made here is {@code exists(clientId)}. This class does not verify that the named
 *       client is actually registered as a public client.
 *       NOTE(review): confirm that {@code exists()} or a downstream handler rejects confidential
 *       clients that simply omit their secret.</li>
 *   <li>A request with no {@code grant_type} parameter also takes that existence-only path,
 *       because {@code equalsIgnoreCase(null)} is {@code false} for both excluded grant types.</li>
 *   <li>The client identifier and the request URI are caller-supplied values that end up in the
 *       error log and in the JSON error body respectively.
 *       NOTE(review): confirm that {@code Tr} and {@code WebUtils.sendErrorJSON} neutralise
 *       control characters and escape the values for their output format.</li>
 * </ul>
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.oauth20_1.1.jar:com/ibm/ws/security/oauth20/web/ClientAuthentication.class */
public class ClientAuthentication {
    private static final String MESSAGE_BUNDLE = "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages";
    static final long serialVersionUID = -2124964641048288942L;
    private static TraceComponent tc = Tr.register((Class<?>) ClientAuthentication.class, "OAuth20Provider", "com.ibm.ws.security.oauth20.resources.ProviderMsgs");

    // Endpoints whose authentication failures are answered with a JSON "invalid_client" body;
    // every other endpoint type gets a bare 401 from sendError.
    private static final ArrayList<OAuth20Request.EndpointType> endpointTypeForInvalidClientList = new ArrayList<>(10);

    static {
        endpointTypeForInvalidClientList.add(OAuth20Request.EndpointType.authorize);
        endpointTypeForInvalidClientList.add(OAuth20Request.EndpointType.token);
        endpointTypeForInvalidClientList.add(OAuth20Request.EndpointType.introspect);
        endpointTypeForInvalidClientList.add(OAuth20Request.EndpointType.revoke);
    }

    /**
     * Verifies the client credentials carried by the request.
     *
     * <p>On success the client identifier is stored in the {@code authenticatedClient} request
     * attribute. On failure an error response is written (JSON {@code invalid_client} for the
     * listed endpoint types, otherwise a plain 401) and the failed attempt is logged at error
     * level with the client identifier only; the secret is never passed to the logger here.
     *
     * @param oAuth20Provider provider supplying the client registry and the public-client policy
     * @param httpServletRequest request carrying the client credentials and {@code grant_type}
     * @param httpServletResponse response that receives the error on failure
     * @param endpointType endpoint being called; selects the error format and status code
     * @return {@code true} if the client was accepted, {@code false} if an error was sent
     */
    public boolean verify(OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth20Request.EndpointType endpointType) throws IOException, ServletException, OidcServerException {
        ClientAuthnData credentials = new ClientAuthnData(httpServletRequest, httpServletResponse);
        String grantType = httpServletRequest.getParameter("grant_type");

        boolean authenticated = false;
        if (credentials.hasAuthnData()) {
            OidcOAuth20ClientProvider registry = oAuth20Provider.getClientProvider();
            if (registry != null) {
                boolean secretRequired = !oAuth20Provider.isAllowPublicClients();
                if (secretRequired || hasText(credentials.getPassWord())) {
                    // Confidential path: identifier and secret are both checked by the registry.
                    authenticated = registry.validateClient(credentials.getUserName(), credentials.getPassWord());
                } else if (!isSecretOnlyGrant(grantType)) {
                    // Public-client path: no secret was supplied, so only the existence of the
                    // identifier is checked. NOTE(review): nothing here ties this path to clients
                    // registered as public - confirm where that is enforced.
                    authenticated = registry.exists(credentials.getUserName());
                }
                // Secret-less client_credentials / jwt-bearer requests fall through as rejected.
            }
        }

        if (authenticated) {
            // NOTE(review): presumably later handlers trust this attribute as the caller identity.
            httpServletRequest.setAttribute("authenticatedClient", credentials.getUserName());
            return true;
        }

        rejectInvalidClient(httpServletRequest, httpServletResponse, endpointType);
        // Logged after the response is written; the identifier is caller-supplied.
        Tr.error(tc, "security.oauth20.endpoint.client.auth.error", credentials.getUserName());
        return false;
    }

    /** Returns true when the value is non-null and not blank after trimming. */
    private static boolean hasText(String value) {
        return value != null && !value.trim().isEmpty();
    }

    /** Returns true for the grant types that are never accepted here without a client secret. */
    private static boolean isSecretOnlyGrant(String grantType) {
        return "client_credentials".equalsIgnoreCase(grantType)
                || "urn:ietf:params:oauth:grant-type:jwt-bearer".equalsIgnoreCase(grantType);
    }

    /** Writes the authentication-failure response appropriate for the endpoint type. */
    private void rejectInvalidClient(HttpServletRequest request, HttpServletResponse response, OAuth20Request.EndpointType endpointType) throws IOException, ServletException, OidcServerException {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "ClientAuthentication with invalid_client. endpointType: " + endpointType, new Object[0]);
        }

        if (!endpointTypeForInvalidClientList.contains(endpointType)) {
            response.sendError(401);
            return;
        }

        String requestURI = request.getRequestURI();
        String endpointName = endpointType.toString();

        // introspect and revoke report invalid_client with 400; authorize and token use 401.
        int status;
        if (OAuth20Request.EndpointType.introspect.equals(endpointType) || OAuth20Request.EndpointType.revoke.equals(endpointType)) {
            status = 400;
        } else {
            status = 401;
        }

        // The request URI is echoed into the message body; it is attacker-influenced input.
        String fallbackMessage = "CWWKS1406E: The " + endpointName + " request had an invalid client credential. The request URI was {" + requestURI + "}.";
        String message = TraceNLS.getFormattedMessage(getClass(), MESSAGE_BUNDLE, "OAUTH_INVALID_CLIENT", new Object[]{endpointName, requestURI}, fallbackMessage);
        WebUtils.sendErrorJSON(response, status, "invalid_client", message);
    }
}
