package com.ibm.ws.security.oauth20.web;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.oauth.core.api.error.OidcServerException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20DuplicateParameterException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20MissingParameterException;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.oauth20.api.OAuth20Provider;
import com.ibm.ws.security.oauth20.api.OidcOAuth20ClientProvider;
import com.ibm.ws.security.oauth20.web.OAuth20Request;
import com.ibm.wsspi.security.registry.RegistryHelper;
import java.io.IOException;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

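/**
 * Authenticates the OAuth 2.0 client that is calling a provider endpoint and, for the
 * resource-owner {@code password} grant, the resource owner as well.
 *
 * <p>Every {@code false} result of {@link #verify} has already written an OAuth error JSON
 * body to the response and logged the failure; callers must not write a second error.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.oauth20_1.1.13.jar:com/ibm/ws/security/oauth20/web/ClientAuthentication.class */
public class ClientAuthentication {
    private static final String MESSAGE_BUNDLE = "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages";
    private static final String PROVIDER_BUNDLE = "com.ibm.ws.security.oauth20.resources.ProviderMsgs";
    static final long serialVersionUID = 3683971362595960850L;
    private static TraceComponent tc = Tr.register((Class<?>) ClientAuthentication.class, "OAuth20Provider", PROVIDER_BUNDLE);

    /** OAuth error code written when the client (or resource owner) could not be authenticated. */
    private static final String INVALID_CLIENT = "invalid_client";
    /** OAuth error code written for a malformed request (missing or repeated parameter). */
    private static final String INVALID_REQUEST = "invalid_request";

    /**
     * Endpoints whose invalid_client response carries a localized message and a per-endpoint
     * log entry; every other endpoint receives a bare 401 invalid_client body.
     */
    private static final Set<OAuth20Request.EndpointType> endpointTypeForInvalidClientList = EnumSet.of(
            OAuth20Request.EndpointType.authorize,
            OAuth20Request.EndpointType.token,
            OAuth20Request.EndpointType.introspect,
            OAuth20Request.EndpointType.revoke);

    /**
     * Verifies the client credentials carried by {@code httpServletRequest}.
     *
     * <p>A client that presents a secret is checked with
     * {@link OidcOAuth20ClientProvider#validateClient}. When the provider allows public clients
     * and no secret was supplied, the client only has to exist, unless the grant type requires a
     * confidential client. A verified client must also be enabled. For the {@code password}
     * grant the resource owner's credentials are then validated against the user registry
     * unless the provider skips user validation.
     *
     * <p>On success the client id is stored in the {@code authenticatedClient} request
     * attribute. On failure an error JSON body has already been written to the response.
     *
     * @param oAuth20Provider provider whose client provider and policy flags are consulted
     * @param httpServletRequest the endpoint request carrying the client credentials
     * @param httpServletResponse response to which error bodies are written on failure
     * @param endpointType endpoint being called; selects the shape of the error response
     * @return {@code true} if the client (and, for the password grant, the resource owner)
     *         was authenticated
     * @throws OidcServerException if the client provider or the user registry fails
     * @throws IOException declared for callers; presumably raised while reading the request
     * @throws ServletException declared for callers; presumably raised while reading the request
     */
    public boolean verify(OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth20Request.EndpointType endpointType) throws IOException, ServletException, OidcServerException {
        boolean verified = false;
        // The nested try blocks mirror the instrumented class: each region reports to FFDC
        // under its own probe id before the same invalid_request handling runs.
        try {
            ClientAuthnData clientAuthnData = new ClientAuthnData(httpServletRequest, httpServletResponse);
            try {
                String grantType = checkForRepeatedOrEmptyParameter(httpServletRequest, "grant_type");
                String authenticationScheme = getAuthenticationScheme(httpServletRequest);
                String clientId = clientAuthnData.getUserName();
                if (clientAuthnData.hasAuthnData()) {
                    OidcOAuth20ClientProvider clientProvider = oAuth20Provider.getClientProvider();
                    if (clientProvider == null) {
                        sendErrorAndLogMessage(httpServletResponse, invalidClientStatus(authenticationScheme), INVALID_CLIENT, authenticationScheme, PROVIDER_BUNDLE, "security.oauth20.error.missing.client.provider", "CWOAU0070E: A client provider was not found for the OAuth provider.", new Object[0], null, null);
                        return false;
                    }
                    String passWord = clientAuthnData.getPassWord();
                    // A secret missing from the body/query means "no secret"; with Basic auth the
                    // password is handed to the provider exactly as supplied (possibly null).
                    if (passWord == null && !clientAuthnData.isBasicAuth()) {
                        passWord = "";
                    }
                    if (!oAuth20Provider.isAllowPublicClients() || (passWord != null && passWord.length() > 0)) {
                        verified = clientProvider.validateClient(clientId, passWord);
                    } else if (grantTypeRequiresConfidentialClient(grantType)) {
                        // Public client without a secret on a grant reserved for confidential clients.
                        sendErrorAndLogMessage(httpServletResponse, invalidClientStatus(authenticationScheme), INVALID_CLIENT, authenticationScheme, PROVIDER_BUNDLE, "security.oauth20.error.granttype.requires.confidential.client", "CWOAU0071E: A public client attempted to access the " + endpointType.toString() + " endpoint using the " + grantType + " grant type. The client_id is: " + clientId, new Object[]{endpointType.toString(), grantType, clientId}, null, null);
                        return false;
                    } else {
                        // Public client: existence suffices here; the enabled check below still applies.
                        verified = clientProvider.exists(clientId);
                    }
                    if (verified) {
                        // NOTE(review): get() is assumed to return the client that validateClient/exists
                        // just accepted; a null here would surface as an NPE instead of invalid_client — confirm.
                        verified = clientProvider.get(clientId).isEnabled();
                        if (!verified && tc.isDebugEnabled()) {
                            Tr.debug(tc, "Client " + clientId + " is not enabled so cannot be verified", new Object[0]);
                        }
                    }
                } else if (!clientAuthnData.isBasicAuth()) {
                    // No client_id and no Basic header: the request itself is malformed.
                    String requestURI = httpServletRequest.getRequestURI();
                    sendErrorAndLogMessage(httpServletResponse, 400, INVALID_REQUEST, null, MESSAGE_BUNDLE, "OAUTH_INVALID_CLIENT", "CWWKS1406E: The " + endpointType.toString() + " request had an invalid client credential. The request URI was {" + requestURI + "}.", new Object[]{endpointType.toString(), requestURI}, "security.oauth20.error.missing.parameter", new Object[]{"client_id"});
                    return false;
                }
                if (!verified) {
                    if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                        Tr.debug(tc, "ClientAuthentication with invalid_client. endpointType: " + endpointType, new Object[0]);
                    }
                    if (!endpointTypeForInvalidClientList.contains(endpointType)) {
                        WebUtils.sendErrorJSON(httpServletResponse, 401, INVALID_CLIENT, null, authenticationScheme);
                        Tr.error(tc, "security.oauth20.endpoint.client.auth.error", clientId);
                        return false;
                    }
                    String requestURI = httpServletRequest.getRequestURI();
                    sendErrorAndLogMessage(httpServletResponse, invalidClientStatus(authenticationScheme), INVALID_CLIENT, authenticationScheme, MESSAGE_BUNDLE, "OAUTH_INVALID_CLIENT", "CWWKS1406E: The " + endpointType.toString() + " request had an invalid client credential. The request URI was {" + requestURI + "}.", new Object[]{endpointType.toString(), requestURI}, "security.oauth20.endpoint.client.auth.error", new Object[]{clientId});
                    return false;
                }
                httpServletRequest.setAttribute("authenticatedClient", clientId);
                // Resource-owner password grant: the end user's credentials are checked here too.
                if ("password".equals(grantType) && !oAuth20Provider.isSkipUserValidation()) {
                    try {
                        verified = validateResourceOwnerCredential(httpServletRequest, httpServletResponse, endpointType);
                        if (!verified) {
                            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                                Tr.debug(tc, "ClientAuthentication with invalid_resource_owner_credentials. endpointType: " + endpointType, new Object[0]);
                            }
                            if (endpointTypeForInvalidClientList.contains(endpointType)) {
                                String username = httpServletRequest.getParameter("username");
                                sendErrorAndLogMessage(httpServletResponse, invalidClientStatus(authenticationScheme), INVALID_CLIENT, authenticationScheme, PROVIDER_BUNDLE, "security.oauth20.endpoint.resowner.auth.error", "CWOAU0069E: The resource owner could not be verified. Either the resource owner: " + username + " or password is incorrect.", new Object[]{username}, null, null);
                            } else {
                                WebUtils.sendErrorJSON(httpServletResponse, 401, INVALID_CLIENT, null, authenticationScheme);
                            }
                        }
                    } catch (OAuth20DuplicateParameterException e) {
                        FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.web.ClientAuthentication", "204", this, new Object[]{oAuth20Provider, httpServletRequest, httpServletResponse, endpointType});
                        handleDuplicateParameterException(e, httpServletResponse);
                        return false;
                    } catch (OAuth20MissingParameterException e) {
                        FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.web.ClientAuthentication", "207", this, new Object[]{oAuth20Provider, httpServletRequest, httpServletResponse, endpointType});
                        handleMissingParameterException(e, httpServletResponse);
                        return false;
                    }
                }
                return verified;
            } catch (OAuth20DuplicateParameterException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.web.ClientAuthentication", "70", this, new Object[]{oAuth20Provider, httpServletRequest, httpServletResponse, endpointType});
                handleDuplicateParameterException(e, httpServletResponse);
                return false;
            }
        } catch (OAuth20DuplicateParameterException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.web.ClientAuthentication", "62", this, new Object[]{oAuth20Provider, httpServletRequest, httpServletResponse, endpointType});
            handleDuplicateParameterException(e, httpServletResponse);
            return false;
        }
    }

    /**
     * Chooses the HTTP status for an invalid_client response: 401 when the client attempted
     * HTTP authentication (an {@code Authorization} scheme was present), otherwise 400, as
     * RFC 6749 section 5.2 requires.
     */
    private static int invalidClientStatus(String authenticationScheme) {
        return authenticationScheme != null ? 401 : 400;
    }

    /**
     * Returns whether the grant type may only be used by a confidential client: the
     * {@code client_credentials} grant and the JWT bearer grant.
     *
     * @param str the {@code grant_type} parameter value; may be {@code null}
     */
    protected boolean grantTypeRequiresConfidentialClient(String str) {
        return "client_credentials".equalsIgnoreCase(str) || "urn:ietf:params:oauth:grant-type:jwt-bearer".equalsIgnoreCase(str);
    }

    /**
     * Validates the resource owner's {@code username}/{@code password} request parameters
     * against the user registry. Only the username is traced, never the password.
     *
     * @return {@code true} if the registry accepted the credentials
     * @throws OAuth20MissingParameterException if either parameter is absent or empty
     * @throws OAuth20DuplicateParameterException if either parameter was supplied more than once
     * @throws OidcServerException ({@code server_error}, status 400) wrapping any other failure,
     *         including a failure to obtain the user registry
     */
    protected boolean validateResourceOwnerCredential(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth20Request.EndpointType endpointType) throws OidcServerException, OAuth20DuplicateParameterException, OAuth20MissingParameterException {
        try {
            UserRegistry userRegistry = getUserRegistry();
            String username = checkForRepeatedOrEmptyParameter(httpServletRequest, "username");
            if (username == null) {
                throw new OAuth20MissingParameterException("security.oauth20.error.missing.parameter", "username", null);
            }
            String password = checkForRepeatedOrEmptyParameter(httpServletRequest, "password");
            if (password == null) {
                // An empty password is rejected here rather than being offered to the registry.
                throw new OAuth20MissingParameterException("security.oauth20.error.missing.parameter", "password", null);
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "validateResourceOwnerCredential for Username " + username, new Object[0]);
            }
            // checkPassword returns a non-null principal identifier on success.
            return userRegistry.checkPassword(username, password) != null;
        } catch (OAuth20DuplicateParameterException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.web.ClientAuthentication", "295", this, new Object[]{httpServletRequest, httpServletResponse, endpointType});
            throw e;
        } catch (OAuth20MissingParameterException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.web.ClientAuthentication", "297", this, new Object[]{httpServletRequest, httpServletResponse, endpointType});
            throw e;
        } catch (Exception e) {
            // Registry lookup/check failures are reported to the caller as a generic server error
            // and logged without the resource owner name.
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.web.ClientAuthentication", "299", this, new Object[]{httpServletRequest, httpServletResponse, endpointType});
            Tr.error(tc, "security.oauth20.endpoint.resowner.auth.error", "");
            throw new OidcServerException("invalid_resource_owner_credential", "server_error", 400, e);
        }
    }

    /**
     * Looks up the default user registry; protected so that subclasses can supply another one.
     *
     * @throws WSSecurityException if no registry is available
     */
    protected UserRegistry getUserRegistry() throws WSSecurityException {
        return RegistryHelper.getUserRegistry(null);
    }

    /** Reports a repeated request parameter as an invalid_request (400) and logs it. */
    private void handleDuplicateParameterException(OAuth20DuplicateParameterException oAuth20DuplicateParameterException, HttpServletResponse httpServletResponse) {
        sendInvalidRequest(oAuth20DuplicateParameterException.getMessage(), httpServletResponse);
    }

    /** Reports a missing request parameter as an invalid_request (400) and logs it. */
    private void handleMissingParameterException(OAuth20MissingParameterException oAuth20MissingParameterException, HttpServletResponse httpServletResponse) {
        sendInvalidRequest(oAuth20MissingParameterException.getMessage(), httpServletResponse);
    }

    /** Writes a 400 invalid_request body with {@code message} as its description and logs the message. */
    private void sendInvalidRequest(String message, HttpServletResponse httpServletResponse) {
        WebUtils.sendErrorJSON(httpServletResponse, 400, INVALID_REQUEST, message, null);
        Tr.error(tc, message, new Object[0]);
    }

    /**
     * Writes an OAuth error JSON body whose description is the localized text for
     * {@code messageKey}, then logs an error: {@code logKey}/{@code logArgs} when a separate log
     * message is requested, otherwise the same key and arguments used for the response.
     *
     * @param status HTTP status of the response
     * @param error OAuth error code (e.g. invalid_client)
     * @param authenticationScheme scheme from the request's Authorization header, or {@code null}
     * @param bundle resource bundle holding {@code messageKey}
     * @param defaultMessage text used when the bundle has no entry for the key
     * @param logKey message key to log instead of {@code messageKey}, or {@code null}
     */
    private void sendErrorAndLogMessage(HttpServletResponse httpServletResponse, int status, String error, String authenticationScheme, String bundle, String messageKey, String defaultMessage, Object[] messageArgs, String logKey, Object[] logArgs) {
        WebUtils.sendErrorJSON(httpServletResponse, status, error, TraceNLS.getFormattedMessage(getClass(), bundle, messageKey, messageArgs, defaultMessage), authenticationScheme);
        if (logKey != null) {
            Tr.error(tc, logKey, logArgs);
        } else {
            Tr.error(tc, messageKey, messageArgs);
        }
    }

    /**
     * Returns the authentication scheme, i.e. the first token of the {@code Authorization}
     * header, or {@code null} if the header is absent or blank. The header value itself is not
     * traced because with Basic authentication it carries the client secret.
     */
    private String getAuthenticationScheme(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null) {
            return null;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Got Authorization header (value not traced)", new Object[0]);
        }
        // Tolerate surrounding whitespace; a blank header still yields no scheme.
        String trimmed = header.trim();
        if (trimmed.isEmpty()) {
            return null;
        }
        String scheme = trimmed.split(" ")[0];
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Got authentication scheme: " + scheme, new Object[0]);
        }
        return scheme;
    }

    /**
     * Reads a single-valued request parameter. The result is marked sensitive because the
     * same method reads the resource owner's password.
     *
     * @param str the parameter name
     * @return the value, or {@code null} if the parameter is absent or empty
     * @throws OAuth20DuplicateParameterException if the parameter was supplied more than once
     */
    @Sensitive
    private String checkForRepeatedOrEmptyParameter(HttpServletRequest httpServletRequest, String str) throws OAuth20DuplicateParameterException {
        String[] values = httpServletRequest.getParameterValues(str);
        if (values == null || values.length == 0) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No values found for parameter: " + str, new Object[0]);
            }
            return null;
        }
        if (values.length > 1) {
            throw new OAuth20DuplicateParameterException("security.oauth20.error.duplicate.parameter", str);
        }
        // An empty value is treated as absent so callers see "missing", not an empty credential.
        return values[0].isEmpty() ? null : values[0];
    }
}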
