package com.ibm.ws.security.openidconnect.client.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.security.auth.CredentialDestroyedException;
import com.ibm.websphere.security.cred.WSCredential;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.SecurityService;
import com.ibm.ws.security.authentication.AuthenticationConstants;
import com.ibm.ws.security.authentication.AuthenticationData;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.authentication.AuthenticationService;
import com.ibm.ws.security.authentication.WSAuthenticationData;
import com.ibm.ws.security.authentication.cache.AuthCacheService;
import com.ibm.ws.security.authentication.filter.AuthenticationFilter;
import com.ibm.ws.security.authentication.utility.JaasLoginConfigConstants;
import com.ibm.ws.security.authentication.utility.SubjectHelper;
import com.ibm.ws.security.context.SubjectManager;
import com.ibm.ws.security.openidconnect.client.AccessTokenAuthenticator;
import com.ibm.ws.security.openidconnect.client.AttributeToSubject;
import com.ibm.ws.security.openidconnect.client.OidcClientAuthenticator;
import com.ibm.ws.security.openidconnect.client.OidcClientCache;
import com.ibm.ws.security.openidconnect.client.OidcClientConfig;
import com.ibm.ws.security.openidconnect.client.OidcClientHttpUtil;
import com.ibm.ws.security.openidconnect.client.OidcClientRequest;
import com.ibm.ws.security.openidconnect.client.web.OidcRedirectServlet;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.ProviderAuthenticationResult;
import com.ibm.ws.webcontainer.security.ReferrerURLCookieHandler;
import com.ibm.ws.webcontainer.security.UnprotectedResourceService;
import com.ibm.ws.webcontainer.security.openidconnect.OidcClient;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import com.ibm.wsspi.security.oauth20.UserCredentialResolver;
import com.ibm.wsspi.ssl.SSLSupport;
import com.ibm.wsspi.webcontainer.servlet.IExtendedRequest;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.CredentialExpiredException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.openidconnect.client_1.0.14.jar:com/ibm/ws/security/openidconnect/client/internal/OidcClientImpl.class */
public class OidcClientImpl implements OidcClient, UnprotectedResourceService {
    static final String KEY_SECURITY_SERVICE = "securityService";
    public static final String CFG_KEY_OPENID_CONNECT_CLIENT_CONFIG = "oidcClientConfig";
    public static final String KEY_FILTER = "authFilter";
    protected static final String KEY_SERVICE_PID = "service.pid";
    public static final String CFG_KEY_ID = "id";
    public static final String KEY_SSL_SUPPORT = "sslSupport";
    OidcClientAuthenticator oidcClientAuthenticator;
    AccessTokenAuthenticator accessTokenAuthenticator;
    static final String URI_PREFIX = "oidcclient/redirect/";
    public static final String KEY_USER_RESOLVER = "userResolver";
    static final long serialVersionUID = -5040578621778298306L;
    private static final TraceComponent tc = Tr.register(OidcClientImpl.class);
    static final String KEY_AUTH_CACHE_SERVICE = "authCacheService";
    static final AtomicServiceReference<AuthCacheService> authCacheServiceRef = new AtomicServiceReference<>(KEY_AUTH_CACHE_SERVICE);
    static SubjectHelper subjectHelper = new SubjectHelper();
    protected final AtomicServiceReference<SSLSupport> sslSupportRef = new AtomicServiceReference<>("sslSupport");
    boolean initOidcClientAuth = false;
    private String initOidcClientAuthLock = "Initialize OidcClientAuthenticator";
    private final AtomicServiceReference<SecurityService> securityServiceRef = new AtomicServiceReference<>("securityService");
    SecurityService securityService = null;
    private final ConcurrentServiceReferenceMap<String, OidcClientConfig> oidcClientConfigRef = new ConcurrentServiceReferenceMap<>(CFG_KEY_OPENID_CONNECT_CLIENT_CONFIG);
    protected final ConcurrentServiceReferenceMap<String, AuthenticationFilter> authFilterServiceRef = new ConcurrentServiceReferenceMap<>("authFilter");
    protected final ConcurrentServiceReferenceMap<String, UserCredentialResolver> userResolverRef = new ConcurrentServiceReferenceMap<>("userResolver");

    protected void setOidcClientConfig(ServiceReference<OidcClientConfig> serviceReference) {
        this.oidcClientConfigRef.putReference((String) serviceReference.getProperty("id"), serviceReference);
        this.initOidcClientAuth = true;
    }

    protected void updatedOidcClientConfig(ServiceReference<OidcClientConfig> serviceReference) {
        this.oidcClientConfigRef.putReference((String) serviceReference.getProperty("id"), serviceReference);
        this.initOidcClientAuth = true;
    }

    protected void unsetOidcClientConfig(ServiceReference<OidcClientConfig> serviceReference) {
        this.oidcClientConfigRef.removeReference((String) serviceReference.getProperty("id"), serviceReference);
        this.initOidcClientAuth = true;
    }

    protected void setSslSupport(ServiceReference<SSLSupport> serviceReference) {
        this.sslSupportRef.setReference(serviceReference);
        this.initOidcClientAuth = true;
    }

    protected void updatedSslSupport(ServiceReference<SSLSupport> serviceReference) {
        this.sslSupportRef.setReference(serviceReference);
        this.initOidcClientAuth = true;
    }

    protected void unsetSslSupport(ServiceReference<SSLSupport> serviceReference) {
        this.sslSupportRef.unsetReference(serviceReference);
        this.initOidcClientAuth = true;
    }

    protected void setSecurityService(ServiceReference<SecurityService> serviceReference) {
        this.securityServiceRef.setReference(serviceReference);
        this.securityService = this.securityServiceRef.getService();
        this.initOidcClientAuth = true;
    }

    protected void unsetSecurityService(ServiceReference<SecurityService> serviceReference) {
        this.securityServiceRef.unsetReference(serviceReference);
        this.securityService = null;
        this.initOidcClientAuth = true;
    }

    protected void setOidcClientAuthenticator(OidcClientAuthenticator oidcClientAuthenticator) {
        this.oidcClientAuthenticator = oidcClientAuthenticator;
    }

    protected OidcClientAuthenticator getOidcClientAuthenticator() {
        return this.oidcClientAuthenticator;
    }

    protected void setAccessTokenAuthenticator(AccessTokenAuthenticator accessTokenAuthenticator) {
        this.accessTokenAuthenticator = accessTokenAuthenticator;
    }

    protected AccessTokenAuthenticator getAccessTokenAuthenticator() {
        return this.accessTokenAuthenticator;
    }

    protected void setAuthFilter(ServiceReference<AuthenticationFilter> serviceReference) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "setAuthenticationFilter id:" + serviceReference.getProperty("id"), new Object[0]);
        }
        this.authFilterServiceRef.putReference((String) serviceReference.getProperty("id"), serviceReference);
    }

    protected void updatedAuthenticationFilter(ServiceReference<AuthenticationFilter> serviceReference) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "updatedAuthenticationFilter id:" + serviceReference.getProperty("id"), new Object[0]);
        }
        this.authFilterServiceRef.putReference((String) serviceReference.getProperty("id"), serviceReference);
    }

    protected void unsetAuthFilter(ServiceReference<AuthenticationFilter> serviceReference) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "unsetAuthenticationFilter id:" + serviceReference.getProperty("id"), new Object[0]);
        }
        this.authFilterServiceRef.removeReference((String) serviceReference.getProperty("id"), serviceReference);
    }

    protected void setAuthCacheService(ServiceReference<AuthCacheService> serviceReference) {
        authCacheServiceRef.setReference(serviceReference);
    }

    protected void unsetAuthCacheService(ServiceReference<AuthCacheService> serviceReference) {
        authCacheServiceRef.unsetReference(serviceReference);
    }

    protected void setUserResolver(ServiceReference<UserCredentialResolver> serviceReference) {
        String str = (String) serviceReference.getProperty("service.pid");
        synchronized (this.userResolverRef) {
            this.userResolverRef.putReference(str, serviceReference);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " setUserResolver id:" + str, new Object[0]);
        }
    }

    protected void updatedUserResolver(ServiceReference<UserCredentialResolver> serviceReference) {
        String str = (String) serviceReference.getProperty("service.pid");
        synchronized (this.userResolverRef) {
            this.userResolverRef.putReference(str, serviceReference);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " updateUserResolver id:" + str, new Object[0]);
        }
    }

    protected void unsetUserResolver(ServiceReference<UserCredentialResolver> serviceReference) {
        String str = (String) serviceReference.getProperty("service.pid");
        synchronized (this.userResolverRef) {
            this.userResolverRef.removeReference(str, serviceReference);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, " unsetUserResolverRef id:" + str, new Object[0]);
        }
    }

    protected void activate(ComponentContext componentContext) {
        this.oidcClientConfigRef.activate(componentContext);
        this.sslSupportRef.activate(componentContext);
        this.securityServiceRef.activate(componentContext);
        this.authFilterServiceRef.activate(componentContext);
        authCacheServiceRef.activate(componentContext);
        this.userResolverRef.activate(componentContext);
        AttributeToSubject.setActivatedUserResolverRef(this.userResolverRef);
        this.initOidcClientAuth = true;
        OidcRedirectServlet.setActivatedOidcClientImpl(this);
    }

    protected synchronized void modify(Map<String, Object> map) {
    }

    protected synchronized void deactivate(ComponentContext componentContext) {
        this.oidcClientConfigRef.deactivate(componentContext);
        this.sslSupportRef.deactivate(componentContext);
        this.securityServiceRef.deactivate(componentContext);
        this.authFilterServiceRef.deactivate(componentContext);
        authCacheServiceRef.deactivate(componentContext);
        this.oidcClientAuthenticator = null;
    }

    @Override // com.ibm.ws.webcontainer.security.openidconnect.OidcClient
    public ProviderAuthenticationResult authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, ReferrerURLCookieHandler referrerURLCookieHandler, boolean z) {
        ProviderAuthenticationResult authenticate;
        OidcClientConfig service = this.oidcClientConfigRef.getService(str);
        OidcClientRequest oidcClientRequest = new OidcClientRequest(httpServletRequest, httpServletResponse, service, referrerURLCookieHandler);
        httpServletRequest.setAttribute("com.ibm.wsspi.security.oidc.client.request", oidcClientRequest);
        if (!z) {
            authenticate = !service.isDisableLtpaCookie() ? authenticate(httpServletRequest, httpServletResponse, str, oidcClientRequest) : new ProviderAuthenticationResult(AuthResult.CONTINUE, 200);
        } else if (service.isDisableLtpaCookie()) {
            OidcClientCache oidcClientCache = new OidcClientCache(authCacheServiceRef.getService(), service, oidcClientRequest);
            Subject backValidSubject = oidcClientCache.getBackValidSubject(httpServletRequest, service);
            if (backValidSubject != null) {
                String userNameFromSubject = OidcUtil.getUserNameFromSubject(backValidSubject);
                Hashtable hashtable = new Hashtable();
                String customCacheKey = oidcClientCache.getCustomCacheKey();
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "customCacheKey is :" + customCacheKey, new Object[0]);
                }
                hashtable.put("com.ibm.wsspi.security.cred.cacheKey", customCacheKey);
                hashtable.put(AuthenticationConstants.INTERNAL_ASSERTION_KEY, Boolean.TRUE);
                authenticate = new ProviderAuthenticationResult(AuthResult.SUCCESS, 200, userNameFromSubject, null, hashtable, null);
            } else {
                authenticate = authenticate(httpServletRequest, httpServletResponse, str, oidcClientRequest);
                if (authenticate.getStatus() == AuthResult.SUCCESS) {
                    oidcClientRequest.createOidcClientCookieIfAnyAndDisableLtpa();
                }
            }
        } else {
            authenticate = "required".equalsIgnoreCase(service.getInboundPropagation()) ? authenticate(httpServletRequest, httpServletResponse, str, oidcClientRequest) : new ProviderAuthenticationResult(AuthResult.CONTINUE, 200);
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "result httpStatusCode:" + authenticate.getHttpStatusCode() + " status:" + authenticate.getStatus() + " result:" + authenticate, new Object[0]);
        }
        return authenticate;
    }

    public ProviderAuthenticationResult authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, OidcClientRequest oidcClientRequest) {
        OidcClientConfig oidcClientConfig = oidcClientRequest.getOidcClientConfig();
        if (this.initOidcClientAuth) {
            synchronized (this.initOidcClientAuthLock) {
                if (this.initOidcClientAuth) {
                    this.oidcClientAuthenticator = new OidcClientAuthenticator(this.sslSupportRef, oidcClientConfig);
                    this.accessTokenAuthenticator = new AccessTokenAuthenticator(this.sslSupportRef, oidcClientConfig);
                    this.initOidcClientAuth = false;
                }
            }
        }
        if (!oidcClientConfig.getInboundPropagation().equalsIgnoreCase("none")) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Token propagation is supported or required. Will attempt to authenticate using a provided token", new Object[0]);
            }
            ProviderAuthenticationResult authenticate = this.accessTokenAuthenticator.authenticate(httpServletRequest, httpServletResponse, oidcClientConfig, oidcClientRequest);
            if (authenticate.getHttpStatusCode() == 200) {
                return authenticate;
            }
            if (oidcClientConfig.getInboundPropagation().equalsIgnoreCase("required")) {
                oidcClientRequest.setWWWAuthenticate();
                return authenticate;
            }
            Tr.warning(tc, "OIDC_CLIENT_BAD_RS_TOKEN", oidcClientRequest.getRsFailMsg(), str);
        }
        return this.oidcClientAuthenticator.authenticate(httpServletRequest, httpServletResponse, oidcClientConfig, oidcClientRequest.getReferrerURLCookieHandler());
    }

    @Override // com.ibm.ws.webcontainer.security.openidconnect.OidcClient
    public String getOidcProvider(HttpServletRequest httpServletRequest) {
        return getProviderConfig(this.oidcClientConfigRef.getServices(), getReqProviderHint(httpServletRequest), httpServletRequest);
    }

    String getReqProviderHint(HttpServletRequest httpServletRequest) {
        String header = getHeader(httpServletRequest, "oidcAuthnHint");
        if (header == null || header.isEmpty()) {
            header = getHeader(httpServletRequest, "oidc_client");
        }
        if (header == null || header.isEmpty()) {
            header = OidcClientHttpUtil.safeGetRequestParameter(httpServletRequest, "oidc_client");
            if (header != null) {
                header = header.trim();
            }
        }
        return header;
    }

    String getHeader(HttpServletRequest httpServletRequest, String str) {
        String header = httpServletRequest.getHeader(str);
        if (header != null) {
            header = header.trim();
        }
        return header;
    }

    protected String getProviderConfig(Iterator<OidcClientConfig> it, String str, HttpServletRequest httpServletRequest) {
        while (it.hasNext()) {
            OidcClientConfig next = it.next();
            if (next.isValidConfig()) {
                String id = next.getId();
                if (str == null) {
                    String authFilter = authFilter(next, httpServletRequest, id);
                    if (authFilter != null) {
                        return authFilter;
                    }
                } else {
                    if (str.equalsIgnoreCase(id) && authFilter(next, httpServletRequest, id) != null) {
                        return id;
                    }
                    if (str.equals(next.getIssuerIdentifier()) && authFilter(next, httpServletRequest, id) != null) {
                        return id;
                    }
                }
            }
        }
        return null;
    }

    String authFilter(OidcClientConfig oidcClientConfig, HttpServletRequest httpServletRequest, String str) {
        String authFilterId = oidcClientConfig.getAuthFilterId();
        if (authFilterId != null && authFilterId.length() > 0) {
            AuthenticationFilter service = this.authFilterServiceRef.getService(authFilterId);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "authFilter id:" + authFilterId + " authFilter:" + service, new Object[0]);
            }
            if (service != null && !service.isAccepted(httpServletRequest)) {
                return null;
            }
        }
        return str;
    }

    @Override // com.ibm.ws.webcontainer.security.openidconnect.OidcClient
    public boolean isMapIdentityToRegistryUser(String str) {
        return this.oidcClientConfigRef.getService(str).isMapIdentityToRegistryUser();
    }

    @Override // com.ibm.ws.webcontainer.security.openidconnect.OidcClient
    public boolean isValidRedirectUrl(HttpServletRequest httpServletRequest) {
        String requestURI = httpServletRequest.getRequestURI();
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Validate Request URI:" + requestURI, new Object[0]);
        }
        int indexOf = requestURI.indexOf(URI_PREFIX);
        if (indexOf <= -1) {
            return false;
        }
        String substring = requestURI.substring(indexOf + URI_PREFIX.length());
        if (this.oidcClientConfigRef.getService(substring) == null) {
            return false;
        }
        if (!TraceComponent.isAnyTracingEnabled() || !tc.isDebugEnabled()) {
            return true;
        }
        Tr.debug(tc, "Configuration id:" + this.oidcClientConfigRef.getService(substring).getId(), new Object[0]);
        return true;
    }

    @Override // com.ibm.ws.webcontainer.security.UnprotectedResourceService
    public boolean isAuthenticationRequired(HttpServletRequest httpServletRequest) {
        return false;
    }

    @Override // com.ibm.ws.webcontainer.security.UnprotectedResourceService
    public boolean logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        boolean z = false;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "logout() userName:" + str, new Object[0]);
        }
        synchronized (this.oidcClientConfigRef) {
            Iterator<OidcClientConfig> services = this.oidcClientConfigRef.getServices();
            while (services.hasNext()) {
                if (handleOidcCookie((IExtendedRequest) httpServletRequest, httpServletResponse, new OidcClientRequest(httpServletRequest, httpServletResponse, services.next(), (ReferrerURLCookieHandler) null), str, z)) {
                    z = true;
                }
            }
        }
        return z;
    }

    @FFDCIgnore({CredentialExpiredException.class, CredentialDestroyedException.class})
    boolean handleOidcCookie(IExtendedRequest iExtendedRequest, HttpServletResponse httpServletResponse, OidcClientRequest oidcClientRequest, String str, boolean z) {
        WSCredential wSCredential;
        boolean z2 = false;
        OidcClientConfig oidcClientConfig = oidcClientRequest.getOidcClientConfig();
        if (oidcClientConfig.isDisableLtpaCookie()) {
            OidcClientCache oidcClientCache = new OidcClientCache(authCacheServiceRef.getService(), oidcClientConfig, oidcClientRequest);
            String preKeyValue = oidcClientCache.getPreKeyValue(iExtendedRequest);
            if (preKeyValue == null || preKeyValue.isEmpty()) {
                return false;
            }
            Subject backCachedSubject = oidcClientCache.getBackCachedSubject(iExtendedRequest, preKeyValue);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "subject from cache is:" + backCachedSubject, new Object[0]);
            }
            if (backCachedSubject == null) {
                OidcUtil.removeCookie(oidcClientRequest);
                return false;
            }
            if (str != null && !z && (wSCredential = getWSCredential(backCachedSubject)) != null) {
                try {
                    String accessId = wSCredential.getAccessId();
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "wsCredential user:" + accessId, new Object[0]);
                    }
                    if (sameUser(str, accessId)) {
                        WSAuthenticationData wSAuthenticationData = new WSAuthenticationData();
                        wSAuthenticationData.set(AuthenticationData.HTTP_SERVLET_REQUEST, iExtendedRequest);
                        wSAuthenticationData.set(AuthenticationData.HTTP_SERVLET_RESPONSE, httpServletResponse);
                        wSAuthenticationData.set(AuthenticationData.TOKEN64, oidcClientCache.getCustomCacheKey());
                        if (authenticateSubject(backCachedSubject, iExtendedRequest, httpServletResponse, wSAuthenticationData)) {
                            z2 = true;
                        }
                    }
                } catch (CredentialExpiredException e) {
                } catch (CredentialDestroyedException e2) {
                }
            }
            oidcClientCache.removeSubject(iExtendedRequest);
        }
        return z2;
    }

    boolean authenticateSubject(Subject subject, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationData authenticationData) {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "subject from oidcCookie is:" + subject, new Object[0]);
        }
        return authenticateWithSubject(httpServletRequest, httpServletResponse, subject, this.securityServiceRef.getService().getAuthenticationService(), authenticationData);
    }

    @FFDCIgnore({AuthenticationException.class})
    boolean authenticateWithSubject(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Subject subject, AuthenticationService authenticationService, AuthenticationData authenticationData) {
        try {
            new SubjectManager().setCallerSubject(authenticationService.authenticate(JaasLoginConfigConstants.SYSTEM_WEB_INBOUND, authenticationData, subject));
            return true;
        } catch (AuthenticationException e) {
            if (!tc.isDebugEnabled()) {
                return false;
            }
            Tr.debug(tc, "authenticationException:" + e, new Object[0]);
            return false;
        }
    }

    protected WSCredential getWSCredential(Subject subject) {
        if (subject == null) {
            return null;
        }
        return (WSCredential) subject.getPublicCredentials(WSCredential.class).iterator().next();
    }

    protected boolean sameUser(String str, String str2) {
        if (str == null) {
            return false;
        }
        return str.equals(str2);
    }

    public OidcClientConfigImpl getOidcClientConfig(HttpServletRequest httpServletRequest, String str) {
        Iterator<OidcClientConfig> services = this.oidcClientConfigRef.getServices();
        while (services.hasNext()) {
            OidcClientConfig next = services.next();
            if (next.isValidConfig() && next.getId().equals(str)) {
                return (OidcClientConfigImpl) next;
            }
        }
        return null;
    }
}
