package com.ibm.ws.security.oauth20.internal;

import com.ibm.oauth.core.api.OAuthResult;
import com.ibm.oauth.core.api.error.oauth20.OAuth20InvalidScopeException;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.claims.UserClaims;
import com.ibm.ws.security.common.claims.UserClaimsRetrieverService;
import com.ibm.ws.security.oauth20.ProvidersService;
import com.ibm.ws.security.oauth20.api.OAuth20Provider;
import com.ibm.ws.security.oauth20.token.impl.WSOAuth20TokenHelper;
import com.ibm.ws.security.oauth20.util.ConfigUtils;
import com.ibm.ws.security.oauth20.util.UtilConstants;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.ProviderAuthenticationResult;
import com.ibm.ws.webcontainer.security.oauth20.OAuth20Authenticator;
import com.ibm.ws.webcontainer.security.openidconnect.OidcServerConfig;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import com.ibm.wsspi.security.oauth20.token.WSOAuth20Token;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import java.io.UnsupportedEncodingException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Hashtable;
import java.util.List;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

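/**
 * Resource-server side bearer-token authenticator of the OAuth 2.0 provider feature
 * (recovered from wlp/lib/com.ibm.ws.security.oauth20_1.1.13.jar).
 *
 * <p>For every request it asks {@link ProvidersService} which providers' filters match
 * ({@link #getProviders}). With exactly one match it decides whether the request must
 * carry a bearer token and, if so, validates it via
 * {@link OAuth20Provider#processResourceRequest} and turns the outcome into a
 * {@link ProviderAuthenticationResult}. In every other case it answers {@code CONTINUE},
 * which hands the request to whatever other authentication the web container has.
 *
 * <p>Security notes a reviewer should keep in mind:
 * <ul>
 *   <li>Tokens are accepted from the {@code Authorization: Bearer} header, a non-standard
 *       {@code access_token} header, and the {@code access_token} form/query parameter.
 *       The query form puts bearer tokens into URLs, access logs and Referer headers
 *       (RFC 6750 §2.3 discourages it); it is kept only for compatibility.</li>
 *   <li>The "is this a token request" test is driven by client-supplied parameters, so it
 *       must not be relied on as an authorization decision (see {@link #isTokenRequest}).</li>
 * </ul>
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class OAuth20AuthenticatorImpl implements OAuth20Authenticator {
    private static final String MESSAGE_BUNDLE = "com.ibm.ws.security.oauth20.resources.ProviderMsgs";
    private static final TraceComponent tc = Tr.register((Class<?>) OAuth20AuthenticatorImpl.class, "OAuth20Provider", MESSAGE_BUNDLE);
    private static final String DEFAULT_GROUP_IDENTIFIER = "groupIds";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    /** RFC 6750 §2.1 scheme prefix; the match is case-sensitive (stricter than the RFC). */
    private static final String BEARER_PREFIX = "Bearer ";
    private static final String ACCESS_TOKEN = "access_token";
    private static final String GRANT_TYPE = "grant_type";
    private static final String RESPONSE_TYPE = "response_type";
    private static final String CACHE_KEY_PROPERTY = "com.ibm.wsspi.security.cred.cacheKey";
    /** Value of {@link OAuthResult#getStatus()} that this class treats as "validation failed". */
    private static final int OAUTH_RESULT_FAILED = 1;
    static final long serialVersionUID = 3091596127897086152L;

    /**
     * Authenticates without an OIDC server configuration map.
     *
     * @see #authenticate(HttpServletRequest, HttpServletResponse, ConcurrentServiceReferenceMap)
     */
    @Override
    public ProviderAuthenticationResult authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return authenticate(httpServletRequest, httpServletResponse, null);
    }

    /**
     * Decides whether this request is an OAuth-protected resource request and validates it.
     *
     * @param httpServletRequest          the incoming request
     * @param httpServletResponse         the response; receives {@code WWW-Authenticate} on failure
     * @param concurrentServiceReferenceMap OIDC server configurations (only forwarded to FFDC here)
     * @return {@code CONTINUE}/200 when no provider matches or the request needs no bearer
     *         token; {@code FAILURE}/500 when more than one provider matches; otherwise the
     *         result of {@link #checkAccess}
     */
    @Override
    public ProviderAuthenticationResult authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ConcurrentServiceReferenceMap<String, OidcServerConfig> concurrentServiceReferenceMap) {
        List<OAuth20Provider> providers = getProviders(httpServletRequest);
        if (providers == null || providers.isEmpty()) {
            // No provider filter claims this request: not ours, let other mechanisms run.
            return new ProviderAuthenticationResult(AuthResult.CONTINUE, 200);
        }
        if (providers.size() > 1) {
            // Ambiguous configuration: several providers claim the same request. Fail closed
            // instead of guessing, and name the offenders for the administrator.
            Tr.error(tc, "security.oauth20.error.filter.multiple.matching", joinProviderIds(providers));
            return new ProviderAuthenticationResult(AuthResult.FAILURE, 500);
        }

        OAuth20Provider provider = providers.get(0);
        // Must precede any getParameter() call below: the servlet API ignores a character
        // encoding set after the parameters have been read.
        applyCharacterEncoding(httpServletRequest, httpServletResponse, concurrentServiceReferenceMap, provider);

        if (!requiresBearerToken(httpServletRequest, provider)) {
            return new ProviderAuthenticationResult(AuthResult.CONTINUE, 200);
        }
        return checkAccess(httpServletRequest, httpServletResponse, provider);
    }

    /** Builds the comma-separated provider ID list used in the multiple-match error. */
    private static String joinProviderIds(List<OAuth20Provider> providers) {
        StringBuilder ids = new StringBuilder();
        for (OAuth20Provider provider : providers) {
            if (ids.length() > 0) {
                ids.append(", ");
            }
            ids.append(provider.getID());
        }
        return ids.toString();
    }

    /**
     * Applies the provider's configured request character encoding when the request does not
     * already declare one. An unsupported encoding is reported (FFDC + warning) and ignored.
     */
    private void applyCharacterEncoding(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            ConcurrentServiceReferenceMap<String, OidcServerConfig> concurrentServiceReferenceMap, OAuth20Provider provider) {
        String encoding = provider.getCharacterEncoding();
        if (httpServletRequest.getCharacterEncoding() != null || encoding == null) {
            return;
        }
        try {
            httpServletRequest.setCharacterEncoding(encoding);
        } catch (UnsupportedEncodingException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.internal.OAuth20AuthenticatorImpl", "81", this,
                    new Object[] { httpServletRequest, httpServletResponse, concurrentServiceReferenceMap });
            if (tc.isWarningEnabled()) {
                Tr.warning(tc, e.getMessage(), new Object[0]);
            }
        }
    }

    /**
     * Returns whether the request must present a valid bearer token to proceed.
     *
     * <p>With {@code oauthOnly} every request that is not itself a token/authorization
     * request needs a token. Otherwise only requests that already carry a token are
     * validated; the rest fall back to the container's other authentication.
     *
     * <p>NOTE(review): {@link #isTokenRequest} looks at client-supplied parameters/headers,
     * so with {@code oauthOnly} a client can append e.g. {@code grant_type=password} to a
     * resource request and be routed to {@code CONTINUE} instead of {@link #checkAccess}.
     * Whether that is exploitable depends on what the container does on {@code CONTINUE}
     * for that resource — confirm against the caller.
     */
    private boolean requiresBearerToken(HttpServletRequest httpServletRequest, OAuth20Provider provider) {
        if (provider.isOauthOnly()) {
            return !isTokenRequest(httpServletRequest);
        }
        if (isProtectedResourceRequest(httpServletRequest)) {
            return true;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "There is no access token, falling back to available authentication.", new Object[0]);
        }
        return false;
    }

    /**
     * Validates the bearer token on the request.
     *
     * @return {@code FAILURE}/401 when no token is present or validation fails,
     *         {@code FAILURE}/403 when the token lacks the required scope (RFC 6750 §3.1),
     *         otherwise the authenticated result from {@link #createResult}
     */
    private ProviderAuthenticationResult checkAccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth20Provider provider) {
        String accessToken = getBearerAccessTokenToken(httpServletRequest);
        if (isBlank(accessToken)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "There is no OAuth token in the request.", new Object[0]);
            }
            return new ProviderAuthenticationResult(AuthResult.FAILURE, 401);
        }

        OAuthResult oauthResult = provider.processResourceRequest(httpServletRequest);
        if (oauthResult.getStatus() != OAUTH_RESULT_FAILED) {
            return createResult(httpServletRequest, httpServletResponse, oauthResult, provider);
        }

        Throwable cause = oauthResult.getCause();
        boolean insufficientScope = cause instanceof OAuth20InvalidScopeException;
        // RFC 6750 §3.1: a scope problem is 403 + error="insufficient_scope"; everything else
        // is 401 + error="invalid_token". The status code already distinguished the two cases;
        // the error attribute now agrees with it. The description stays generic on purpose so
        // nothing about the token or the failure reason leaks to the client.
        String error = insufficientScope ? "insufficient_scope" : "invalid_token";
        httpServletResponse.setHeader("WWW-Authenticate",
                "Bearer realm=\"OAuth\", error=\"" + error + "\", error_description=\"Check access token\"");
        if (tc.isDebugEnabled()) {
            // cause can be null for a failed result; do not NPE inside a trace statement.
            String reason = cause == null ? "(no cause reported)" : cause.getMessage();
            Tr.debug(tc, "OAuth Token validation fails: " + reason, new Object[0]);
        }
        return new ProviderAuthenticationResult(AuthResult.FAILURE, insufficientScope ? 403 : 401);
    }

    /**
     * Builds the {@code SUCCESS} result for a validated token: a fresh {@link Subject}
     * (optionally holding the token as a private credential), the user name from the token,
     * and custom properties carrying the cache key, the provider ID and — when a
     * {@link UserClaimsRetrieverService} supplies them — the user's groups.
     */
    private ProviderAuthenticationResult createResult(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuthResult oAuthResult, OAuth20Provider provider) {
        Subject subject = new Subject();
        WSOAuth20Token token = WSOAuth20TokenHelper.createToken(httpServletRequest, httpServletResponse, oAuthResult, provider.getID());
        if (tc.isDebugEnabled()) {
            // NOTE(review): this traces WSOAuth20Token.toString(); confirm it does not print
            // the raw access token value, otherwise debug trace files contain live credentials.
            Tr.debug(tc, "OAuth Token is " + token, new Object[0]);
        }
        if (provider.isIncludeTokenInSubject()) {
            addToSubjectAsPrivateCredential(subject, token);
        }

        Hashtable<String, Object> customProperties = new Hashtable<String, Object>();
        customProperties.put(CACHE_KEY_PROPERTY, token.getCacheKey());
        customProperties.put(UtilConstants.OAUTH_PROVIDER_NAME, provider.getID());

        String user = token.getUser();
        List<?> groups = lookupGroups(user);
        if (groups != null && !groups.isEmpty()) {
            customProperties.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups);
        }
        return new ProviderAuthenticationResult(AuthResult.SUCCESS, 200, user, subject, customProperties, null);
    }

    /**
     * Looks up the user's group IDs through the configured claims retriever.
     *
     * @return the group list, or {@code null} when no retriever is configured, no claims
     *         came back, or the {@code groupIds} claim is absent / not a list (treated as
     *         "no groups" — the safe direction — instead of throwing a ClassCastException)
     */
    private List<?> lookupGroups(String user) {
        UserClaimsRetrieverService retriever = ConfigUtils.getUserClaimsRetrieverService();
        if (retriever == null) {
            return null;
        }
        UserClaims claims = retriever.getUserClaims(user, DEFAULT_GROUP_IDENTIFIER);
        if (claims == null) {
            return null;
        }
        Object groups = claims.asMap().get(DEFAULT_GROUP_IDENTIFIER);
        return groups instanceof List ? (List<?>) groups : null;
    }

    /**
     * Adds {@code credential} to the subject's private credentials under a privileged
     * action (modifying a Subject requires {@code AuthPermission} when a security manager is
     * active). A {@code null} credential is ignored.
     */
    private void addToSubjectAsPrivateCredential(final Subject subject, final Object credential) {
        if (credential == null) {
            return;
        }
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                subject.getPrivateCredentials().add(credential);
                return null;
            }
        });
    }

    /** Providers whose request filter matches {@code httpServletRequest}; overridable for tests. */
    protected List<OAuth20Provider> getProviders(HttpServletRequest httpServletRequest) {
        return ProvidersService.getProvidersMatchingRequest(httpServletRequest);
    }

    /**
     * Heuristic: does the request look like a token or implicit-authorization request
     * ({@code grant_type} of authorization_code/password/client_credentials, or
     * {@code response_type=token}), taken from either a parameter or a header of that name?
     *
     * <p>NOTE(review): {@code refresh_token} and {@code response_type=code} are not listed;
     * presumably the provider's own endpoints are excluded from the request filter instead —
     * confirm before relying on this for {@code oauthOnly} deployments.
     */
    private boolean isTokenRequest(HttpServletRequest httpServletRequest) {
        return matchesAny(httpServletRequest, GRANT_TYPE, "authorization_code", "password", "client_credentials")
                || matchesAny(httpServletRequest, RESPONSE_TYPE, "token");
    }

    /** True when the parameter or the header named {@code name} equals one of {@code accepted}. */
    private static boolean matchesAny(HttpServletRequest httpServletRequest, String name, String... accepted) {
        String parameter = httpServletRequest.getParameter(name);
        String header = httpServletRequest.getHeader(name);
        for (String value : accepted) {
            if (value.equals(parameter) || value.equals(header)) {
                return true;
            }
        }
        return false;
    }

    /** A request that carries a token and is not itself a token request. */
    private boolean isProtectedResourceRequest(HttpServletRequest httpServletRequest) {
        return hasOAuthToken(httpServletRequest) && !isTokenRequest(httpServletRequest);
    }

    /** True when {@link #getBearerAccessTokenToken} yields a non-blank value. */
    private boolean hasOAuthToken(HttpServletRequest httpServletRequest) {
        return !isBlank(getBearerAccessTokenToken(httpServletRequest));
    }

    /**
     * Extracts the access token from the request, in this order of precedence:
     * <ol>
     *   <li>{@code Authorization: Bearer <token>} (case-sensitive scheme match);</li>
     *   <li>a non-standard {@code access_token} header;</li>
     *   <li>the {@code access_token} form or query parameter (RFC 6750 §2.2 / §2.3).</li>
     * </ol>
     * The parameter fallbacks are kept for compatibility only: a token in the query string
     * ends up in URLs, server logs and Referer headers. Clients should use the header.
     *
     * @return the token, or {@code null} / blank when none is present
     */
    private String getBearerAccessTokenToken(HttpServletRequest httpServletRequest) {
        String authorization = httpServletRequest.getHeader(AUTHORIZATION_HEADER);
        if (authorization != null && authorization.startsWith(BEARER_PREFIX)) {
            return authorization.substring(BEARER_PREFIX.length());
        }
        String fromHeader = httpServletRequest.getHeader(ACCESS_TOKEN);
        if (!isBlank(fromHeader)) {
            return fromHeader;
        }
        return httpServletRequest.getParameter(ACCESS_TOKEN);
    }

    /** Null-safe "null or whitespace only". */
    private static boolean isBlank(String value) {
        return value == null || value.trim().length() == 0;
    }
}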
