package com.ibm.ws.security.openidconnect.client;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.openidconnect.client.internal.HashUtils;
import com.ibm.ws.security.openidconnect.client.internal.OidcUtil;
import com.ibm.ws.security.openidconnect.common.OidcCommonClientRequest;
import com.ibm.ws.security.openidconnect.token.IDTokenValidationFailedException;
import com.ibm.ws.security.openidconnect.token.JWTTokenValidationFailedException;
import com.ibm.ws.webcontainer.security.ReferrerURLCookieHandler;
import com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl;
import com.ibm.ws.webcontainer.security.openidconnect.OidcClient;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.persistence.internal.oxm.Constants;

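/**
 * Per-request state of the OpenID Connect client.
 *
 * <p>Holds the servlet request/response pair and the {@link OidcClientConfig} that applies to it,
 * tracks which token type is being validated, creates the client cookie, and builds the
 * {@code WWW-Authenticate} challenge for rejected bearer tokens.
 *
 * <p>This listing is decompiler output. Local names such as {@code str} or {@code z} in public
 * signatures are the decompiler's and are kept so the signatures stay identical.
 *
 * <p>Instances are mutable and perform no synchronization of their own.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tcClient", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.openidconnect.client_1.0.14.jar:com/ibm/ws/security/openidconnect/client/OidcClientRequest.class */
public class OidcClientRequest extends OidcCommonClientRequest {
    private static final TraceComponent tcClient = Tr.register((Class<?>) OidcClientRequest.class, "OpenIdConnect", "com.ibm.ws.security.openidconnect.client.internal.resources.OidcClientMessages");

    // Token type labels compared throughout this class.
    private static final String TOKEN_TYPE_ID = "ID Token";
    private static final String TOKEN_TYPE_JWT = "Json Web Token";

    protected HttpServletRequest request;
    protected HttpServletResponse response;
    protected OidcClientConfig oidcClientConfig;
    protected ReferrerURLCookieHandler referrerURLCookieHandler;
    protected String clientConfigId;
    // Random value sent to the browser as the client cookie value; its digest is what
    // getCustomCookieValue() returns. Treat it as a secret.
    protected String preCookieValue;
    protected boolean authnSessionDisabled;
    // Inbound propagation mode from the configuration; compared against "required"/"supported".
    protected String inboundValue;
    protected String tokenType;
    protected String tokenTypeNoSpace;
    // The next three fields are a lazily filled cache used by isPreServiceUrl().
    boolean bSecuredHttp;
    String httpHostStr;
    int serverPort;
    static final long serialVersionUID = 4158135374422800651L;

    /**
     * Creates a request object with default state only: token type "ID Token", inbound
     * propagation "none", authentication session disabled, and no cached host information.
     */
    OidcClientRequest() {
        this.preCookieValue = null;
        this.authnSessionDisabled = true;
        this.inboundValue = "none";
        this.tokenType = TOKEN_TYPE_ID;
        this.tokenTypeNoSpace = "IDToken";
        this.bSecuredHttp = false;
        this.httpHostStr = null;
        this.serverPort = -1;
    }

    /**
     * Binds the request/response pair to a client configuration and publishes the
     * configuration's session and inbound-propagation settings as request attributes.
     *
     * @param httpServletRequest request being processed; receives two attributes
     * @param httpServletResponse response that cookies and challenge headers are written to
     * @param oidcClientConfig client configuration; must not be null (it is dereferenced here)
     * @param referrerURLCookieHandler cookie handler exposed through {@link #getReferrerURLCookieHandler()}
     */
    public OidcClientRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OidcClientConfig oidcClientConfig, ReferrerURLCookieHandler referrerURLCookieHandler) {
        this();
        this.oidcClientConfig = oidcClientConfig;
        this.request = httpServletRequest;
        this.response = httpServletResponse;
        this.referrerURLCookieHandler = referrerURLCookieHandler;
        this.clientConfigId = oidcClientConfig.getId();
        this.authnSessionDisabled = oidcClientConfig.isAuthnSessionDisabled_propagation();
        this.inboundValue = oidcClientConfig.getInboundPropagation();
        httpServletRequest.setAttribute(OidcClient.AUTHN_SESSION_DISABLED, Boolean.valueOf(this.authnSessionDisabled));
        httpServletRequest.setAttribute(OidcClient.INBOUND_PROPAGATION_VALUE, this.inboundValue);
    }

    /**
     * Adds the OIDC client cookie to the response when the configuration disables the LTPA
     * cookie, the request was not authenticated through a propagated token, and both a cookie
     * name and a pre-cookie value are available. Does nothing otherwise.
     */
    public void createOidcClientCookieIfAnyAndDisableLtpa() {
        if (!this.oidcClientConfig.isDisableLtpaCookie()) {
            return;
        }
        Boolean propagationAuthenticated = (Boolean) this.request.getAttribute(OidcClient.PROPAGATION_TOKEN_AUTHENTICATED);
        if (propagationAuthenticated != null && propagationAuthenticated.booleanValue()) {
            return;
        }
        String cookieName = getOidcClientCookieName();
        String cookieValue = this.preCookieValue;
        if (cookieName == null || cookieValue == null) {
            return;
        }
        createCookie(this.request, this.response, cookieName, cookieValue);
    }

    /** Returns the cookie name configured for this OIDC client. */
    public String getOidcClientCookieName() {
        return this.oidcClientConfig.getOidcClientCookieName();
    }

    /** Returns a short description containing the client configuration id and the request. */
    @Override
    public String toString() {
        // The decompiler substituted an unrelated EclipseLink constant
        // (Constants.XPATH_INDEX_CLOSED) for this literal; "]" is the value of that constant.
        return "OidcClientRequest [clientId:" + this.clientConfigId + " request:" + this.request + "]";
    }

    /**
     * Builds a cookie through a {@link ReferrerURLCookieHandler} created from the global web
     * application security configuration and adds it to the response.
     *
     * @param httpServletRequest request passed to the cookie handler
     * @param httpServletResponse response the cookie is added to
     * @param str cookie name
     * @param str2 cookie value
     */
    public static void createCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2) {
        // NOTE(review): the Secure/HttpOnly/path attributes are decided inside
        // ReferrerURLCookieHandler.createCookie, which is not visible here. Confirm them
        // there, since the value written is the client's pre-cookie secret.
        ReferrerURLCookieHandler cookieHandler = new ReferrerURLCookieHandler(WebAppSecurityCollaboratorImpl.getGlobalWebAppSecurityConfig());
        httpServletResponse.addCookie(cookieHandler.createCookie(str, str2, httpServletRequest));
    }

    /**
     * Generates the pre-cookie value once per request object.
     *
     * @return the new value on the first call; {@code null} on every later call, because an
     *         existing value is never regenerated or returned again
     */
    @Trivial
    public String generatePreCookieValue() {
        if (this.preCookieValue == null) {
            // NOTE(review): OidcUtil.generateRandom() is opaque here. Confirm it draws from a
            // cryptographically strong source, because the result becomes the cookie value.
            this.preCookieValue = OidcUtil.generateRandom();
            return this.preCookieValue;
        }
        if (tcClient.isDebugEnabled()) {
            // The value itself is deliberately not traced: it is sent as the cookie value and
            // its digest is annotated @Sensitive, so writing it to trace would expose it to
            // anyone who can read the trace logs.
            Tr.debug(tcClient, "preCookieValue exists", new Object[0]);
        }
        return null;
    }

    /**
     * Generates the pre-cookie value and returns the cache key derived from it.
     *
     * @return the derived key, or {@code null} when a pre-cookie value already existed
     *         (see {@link #generatePreCookieValue()})
     */
    @Trivial
    public String getAndSetCustomCacheKeyValue() {
        return getCustomCookieValue(generatePreCookieValue());
    }

    /**
     * Derives the custom cookie/cache key from a pre-cookie value by digesting
     * {@code clientConfigId + "_" + str + "_ibm"}.
     *
     * @param str pre-cookie value
     * @return the digest, or {@code null} when {@code str} is null or empty
     */
    @Sensitive
    @Trivial
    public String getCustomCookieValue(String str) {
        if (str == null || str.isEmpty()) {
            return null;
        }
        // NOTE(review): the algorithm behind HashUtils.digest is not visible here.
        return HashUtils.digest(this.clientConfigId + "_" + str + "_ibm");
    }

    /** Returns the servlet request this object was created for. */
    public HttpServletRequest getRequest() {
        return this.request;
    }

    /** Returns the servlet response this object was created for. */
    public HttpServletResponse getResponse() {
        return this.response;
    }

    /** Returns the client configuration bound to this request. */
    public OidcClientConfig getOidcClientConfig() {
        return this.oidcClientConfig;
    }

    /** Returns the current token type label, "ID Token" unless {@link #setTokenType} changed it. */
    @Override // com.ibm.ws.security.openidconnect.common.OidcCommonClientRequest
    public String getTokenType() {
        return this.tokenType;
    }

    /** Returns the token type label without spaces ("IDToken", "JsonWebToken" or "AccessToken"). */
    public String getTokenTypeNoSpace() {
        return this.tokenTypeNoSpace;
    }

    /**
     * Sets the token type and recomputes the inbound-propagation flags.
     *
     * <p>For "ID Token" both flags are cleared. For any other type they are derived from the
     * configured inbound propagation value ("required" / "supported").
     *
     * @param str token type label; must not be null
     */
    public void setTokenType(String str) {
        this.tokenType = str;
        // NOTE(review): matching here is case-insensitive, while error(...),
        // getErrorMessage() and getRealmMessage() compare case-sensitively. A label in
        // unexpected case would be classified differently by the two paths. Confirm that
        // callers only pass the canonical labels.
        if (str.equalsIgnoreCase(TOKEN_TYPE_ID)) {
            this.bInboundSupported = false;
            this.bInboundRequired = false;
            this.tokenTypeNoSpace = "IDToken";
            return;
        }
        boolean jsonWebToken = str.equalsIgnoreCase(TOKEN_TYPE_JWT);
        this.bInboundRequired = "required".equalsIgnoreCase(this.inboundValue);
        this.bInboundSupported = "supported".equalsIgnoreCase(this.inboundValue);
        this.tokenTypeNoSpace = jsonWebToken ? "JsonWebToken" : "AccessToken";
    }

    /** Returns the inbound propagation setting, read from the configuration on each call. */
    @Override // com.ibm.ws.security.openidconnect.common.OidcCommonClientRequest
    public String getInboundPropagation() {
        return this.oidcClientConfig.getInboundPropagation();
    }

    /** Returns the cookie handler supplied at construction. */
    public ReferrerURLCookieHandler getReferrerURLCookieHandler() {
        return this.referrerURLCookieHandler;
    }

    /** Returns whether inbound propagation is required for the current token type. */
    public boolean isInboundRequired() {
        return this.bInboundRequired;
    }

    /**
     * Builds a validation failure for the current token type, choosing the message key from a
     * two-element array.
     *
     * @param z whether the message should also be logged as an error
     * @param traceComponent trace component handed to the exception factory
     * @param strArr message keys: index 0 for "ID Token", index 1 for every other token type
     * @param objArr message arguments
     * @return the exception to throw; this method does not throw it
     */
    public JWTTokenValidationFailedException error(boolean z, TraceComponent traceComponent, String[] strArr, Object[] objArr) throws JWTTokenValidationFailedException {
        // The decompiler failed type inference here and emitted "Object[] objArr2 = false",
        // which does not compile. The index selection is restored in selectMessageKey().
        return error(z, traceComponent, selectMessageKey(strArr), objArr);
    }

    /**
     * Builds a validation failure for the current token type.
     *
     * @param z whether the message should also be logged as an error; logging is skipped when
     *        inbound propagation is "supported"
     * @param traceComponent trace component handed to the exception factory
     * @param str message key
     * @param objArr message arguments
     * @return an {@link IDTokenValidationFailedException} for "ID Token", otherwise a
     *         {@link JWTTokenValidationFailedException}; this method does not throw it
     */
    public JWTTokenValidationFailedException error(boolean z, TraceComponent traceComponent, String str, Object[] objArr) throws JWTTokenValidationFailedException {
        if (z && !this.bInboundSupported) {
            Tr.error(tcClient, str, objArr);
        }
        if (isIdToken()) {
            return IDTokenValidationFailedException.format(traceComponent, str, objArr);
        }
        return JWTTokenValidationFailedException.format(traceComponent, str, objArr);
    }

    /**
     * Logs an error for the current token type unless inbound propagation is "supported".
     *
     * @param strArr message keys: index 0 for "ID Token", index 1 for every other token type
     * @param objArr message arguments
     */
    public void error(String[] strArr, Object[] objArr) {
        if (this.bInboundSupported) {
            return;
        }
        // Same decompiler repair as in the String[] overload that returns an exception.
        Tr.error(tcClient, selectMessageKey(strArr), objArr);
    }

    /** Returns whether the current token type is exactly "ID Token" (case-sensitive). */
    private boolean isIdToken() {
        return TOKEN_TYPE_ID.equals(getTokenType());
    }

    /** Picks element 0 for "ID Token" and element 1 for every other token type. */
    private String selectMessageKey(String[] strArr) {
        return strArr[isIdToken() ? 0 : 1];
    }

    /**
     * Builds the {@code invalid_token} challenge value. The description is a fixed generic
     * hint and carries no detail about why validation failed.
     */
    String getErrorMessage() {
        String hint = this.tokenType.equals(TOKEN_TYPE_JWT) ? "Check JWT token" : "Check access token";
        return getRealmMessage() + ", error=\"invalid_token\"," + " error_description=\"" + hint + "\"";
    }

    /** Builds the bare Bearer challenge: realm "jwt" for "Json Web Token", otherwise "oauth". */
    String getRealmMessage() {
        String realm = this.tokenType.equals(TOKEN_TYPE_JWT) ? "jwt" : "oauth";
        return "Bearer realm=\"" + realm + "\"";
    }

    /**
     * Sets the {@code WWW-Authenticate} response header: the bare realm challenge when the
     * header failure message equals {@code NO_TOKEN}, otherwise the {@code invalid_token}
     * challenge.
     */
    public void setWWWAuthenticate() {
        boolean noToken = OidcCommonClientRequest.NO_TOKEN.equals(getHeaderFailMsg());
        this.response.setHeader("WWW-Authenticate", noToken ? getRealmMessage() : getErrorMessage());
    }

    /** Returns the audiences from the client configuration. */
    @Override // com.ibm.ws.security.openidconnect.common.OidcCommonClientRequest
    public String[] getAudiences() {
        return this.oidcClientConfig.getAudiences();
    }

    /**
     * Tells whether a URL points at the scheme, host and port this request was received on.
     *
     * <p>The URL must start with {@code scheme://serverName}. After that prefix only an empty
     * remainder, a path ({@code /...}), or the exact server port followed by end-of-string or
     * {@code /} is accepted. This rejects look-alike hosts that merely share the prefix and
     * ports that merely share leading digits. With no explicit port in the URL, the request
     * port must be the scheme default (443 for https, 80 for http) or -1.
     *
     * @param str URL to test; must not be null
     * @return {@code true} when the URL addresses this server endpoint
     */
    @Override // com.ibm.ws.security.openidconnect.common.OidcCommonClientRequest
    public boolean isPreServiceUrl(String str) {
        if (this.httpHostStr == null) {
            // NOTE(review): getServerName()/getServerPort() normally reflect the
            // client-supplied Host header, so this check is only as strong as the host
            // validation done by the container or a fronting proxy. Confirm deployment
            // guidance covers that.
            this.bSecuredHttp = this.request.isSecure();
            this.httpHostStr = (this.bSecuredHttp ? "https://" : "http://") + this.request.getServerName();
            this.serverPort = this.request.getServerPort();
        }
        // The comparison is case-sensitive: a URL differing only in scheme or host case does
        // not match.
        if (!str.startsWith(this.httpHostStr)) {
            return false;
        }
        String remainder = str.substring(this.httpHostStr.length());
        if (remainder.isEmpty() || remainder.startsWith("/")) {
            if (this.serverPort == -1) {
                return true;
            }
            return this.serverPort == (this.bSecuredHttp ? 443 : 80);
        }
        if (!remainder.startsWith(":")) {
            // Anything else directly after the host ('.', '@', '?', ...) is a different authority.
            return false;
        }
        String portPart = ":" + this.serverPort;
        if (!remainder.startsWith(portPart)) {
            return false;
        }
        // Require a boundary after the port so that ":80" does not match ":8080".
        return remainder.length() <= portPart.length() || remainder.charAt(portPart.length()) == '/';
    }

    /**
     * Returns the configuration's "allow all audiences" setting.
     * NOTE(review): how callers use it is not visible here; presumably it relaxes the
     * audience check. Confirm against the token validator.
     */
    @Override // com.ibm.ws.security.openidconnect.common.OidcCommonClientRequest
    public boolean allowedAllAudiences() {
        return this.oidcClientConfig.allowedAllAudiences();
    }

    /**
     * Returns the configuration's "disable issuer checking" setting.
     * NOTE(review): how callers use it is not visible here; presumably it skips issuer
     * validation. Confirm against the token validator.
     */
    @Override // com.ibm.ws.security.openidconnect.common.OidcCommonClientRequest
    public boolean disableIssChecking() {
        return this.oidcClientConfig.disableIssChecking();
    }
}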
