package com.ibm.ws.security.openid20.internal;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ssl.JSSEHelper;
import com.ibm.websphere.ssl.SSLException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.openid20.OpenidClientAuthenticator;
import com.ibm.ws.security.openid20.OpenidClientConfig;
import com.ibm.ws.security.openid20.OpenidConstants;
import com.ibm.ws.security.openid20.TraceConstants;
import com.ibm.ws.security.openid20.consumer.OpenidClientAuthenticatorImpl;
import com.ibm.ws.webcontainer.security.ProviderAuthenticationResult;
import com.ibm.ws.webcontainer.security.openid20.OpenidClientService;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import com.ibm.wsspi.ssl.SSLConfiguration;
import com.ibm.wsspi.ssl.SSLSupport;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;

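/**
 * OSGi Declarative Services component that adapts the OpenID 2.0 relying-party
 * authenticator ({@link OpenidClientAuthenticator}) to the web container's
 * {@link OpenidClientService} contract.
 *
 * <p>Three service dependencies are tracked through DS bind/updated/unbind
 * callbacks: the {@link OpenidClientConfig}, the {@link SSLSupport} service and
 * the {@link SSLConfiguration}s keyed by their {@code id} property. Whenever one
 * of them changes in a way that can affect the SSL context handed to the
 * authenticator, {@link #lazyInitOpenidAuth} is raised and the authenticator is
 * re-initialized on the next {@link #createAuthRequest} call rather than inside
 * the callback.
 *
 * <p>Thread-safety: the DS callbacks run on the framework's thread while
 * {@link #createAuthRequest} / {@link #verifyOpResponse} run on request threads.
 * The cached fields are therefore {@code volatile}, and the lazy
 * re-initialization is performed under the same monitor ({@code this}) that
 * {@link #activate} and {@link #deactivate} already use. The flag is cleared
 * <em>before</em> initialization starts and restored if it fails, so a
 * configuration change that arrives while an initialization is in flight is not
 * lost (the next request re-initializes again).
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.openid20_1.0.14.jar:com/ibm/ws/security/openid20/internal/OpenidClientServiceImpl.class */
public class OpenidClientServiceImpl implements OpenidClientService {
    private static final TraceComponent tc = Tr.register(OpenidClientServiceImpl.class);
    public static final String KEY_OPENID_CLIENT_CONFIG = "openidClientConfig";
    public static final String KEY_SSL_SUPPORT = "sslSupport";
    public static final String KEY_SSL_CONFIG = "sslConfig";
    /** Service property carrying an {@link SSLConfiguration}'s identifier. */
    static final String CFG_ID = "id";
    /** Service property on {@link SSLSupport} naming the server's default SSL configuration. */
    private static final String KEY_SSL_REF = "sslRef";
    /** Kept from the original class; the class is not {@code Serializable}, so this is unused at runtime. */
    static final long serialVersionUID = -1040239966328546688L;

    protected final AtomicServiceReference<OpenidClientConfig> openidClientConfigRef = new AtomicServiceReference<>(KEY_OPENID_CLIENT_CONFIG);
    protected final AtomicServiceReference<SSLSupport> sslSupportRef = new AtomicServiceReference<>(KEY_SSL_SUPPORT);
    protected final ConcurrentServiceReferenceMap<String, SSLConfiguration> sslConfigRef = new ConcurrentServiceReferenceMap<>(KEY_SSL_CONFIG);

    /** Authenticator delegate; created in {@link #activate}, cleared in {@link #deactivate}. */
    private volatile OpenidClientAuthenticator openidAuthenticator;
    /** Cached OpenID client configuration, or {@code null} while none is bound. */
    private volatile OpenidClientConfig openidClientConfig = null;
    /** {@code sslRef} of the bound {@link SSLSupport} service, or {@code null} when absent/unbound. */
    private volatile String defaultSslConfig = null;
    /** Raised when a bound service changed and the authenticator must be (re)initialized. */
    private volatile boolean lazyInitOpenidAuth = false;

    /** Replaces the authenticator delegate (used by tests/subclasses; not a DS callback). */
    protected void setOpenidAuthenticator(OpenidClientAuthenticator openidClientAuthenticator) {
        this.openidAuthenticator = openidClientAuthenticator;
    }

    /** DS bind callback for the OpenID client configuration. */
    protected void setOpenidClientConfig(ServiceReference<OpenidClientConfig> serviceReference) {
        this.openidClientConfigRef.setReference(serviceReference);
        this.openidClientConfig = this.openidClientConfigRef.getService();
    }

    /** DS updated callback: a changed sslRef/httpsRequired must be re-applied to the authenticator. */
    protected void updatedOpenidClientConfig(ServiceReference<OpenidClientConfig> serviceReference) {
        this.openidClientConfigRef.setReference(serviceReference);
        this.openidClientConfig = this.openidClientConfigRef.getService();
        this.lazyInitOpenidAuth = true;
    }

    /** DS unbind callback for the OpenID client configuration. */
    protected void unsetOpenidClientConfig(ServiceReference<OpenidClientConfig> serviceReference) {
        this.openidClientConfigRef.unsetReference(serviceReference);
        this.openidClientConfig = null;
    }

    /** DS bind callback for the SSL support service. */
    protected void setSslSupport(ServiceReference<SSLSupport> serviceReference) {
        bindSslSupport(serviceReference);
    }

    /** DS updated callback for the SSL support service. */
    protected void updatedSslSupport(ServiceReference<SSLSupport> serviceReference) {
        bindSslSupport(serviceReference);
    }

    /** Shared body of set/updated SslSupport: records the reference and its default sslRef, then schedules re-init. */
    private void bindSslSupport(ServiceReference<SSLSupport> serviceReference) {
        this.sslSupportRef.setReference(serviceReference);
        this.defaultSslConfig = (String) serviceReference.getProperty(KEY_SSL_REF);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "defaultSslConfig: " + this.defaultSslConfig, new Object[0]);
        }
        this.lazyInitOpenidAuth = true;
    }

    /** DS unbind callback for the SSL support service. */
    protected void unsetSslSupport(ServiceReference<SSLSupport> serviceReference) {
        this.sslSupportRef.unsetReference(serviceReference);
        this.defaultSslConfig = null;
        this.lazyInitOpenidAuth = true;
    }

    /** DS updated callback for an individual SSL configuration. */
    protected void updatedSslConfig(ServiceReference<SSLConfiguration> serviceReference) {
        String sslConfigId = (String) serviceReference.getProperty(CFG_ID);
        this.sslConfigRef.putReference(sslConfigId, serviceReference);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "sslConfig:" + sslConfigId, new Object[0]);
        }
        initOpenidAuthIfNeeded(sslConfigId);
    }

    /** DS bind callback for an individual SSL configuration. */
    protected void setSslConfig(ServiceReference<SSLConfiguration> serviceReference) {
        String sslConfigId = (String) serviceReference.getProperty(CFG_ID);
        this.sslConfigRef.putReference(sslConfigId, serviceReference);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "sslConfig: " + sslConfigId, new Object[0]);
        }
        initOpenidAuthIfNeeded(sslConfigId);
    }

    /** DS unbind callback for an individual SSL configuration. */
    protected void unsetSslConfig(ServiceReference<SSLConfiguration> serviceReference) {
        String sslConfigId = (String) serviceReference.getProperty(CFG_ID);
        this.sslConfigRef.removeReference(sslConfigId, serviceReference);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "sslConfig: " + sslConfigId, new Object[0]);
        }
        initOpenidAuthIfNeeded(sslConfigId);
    }

    /** DS activate: wires the reference holders and creates a fresh authenticator, to be initialized lazily. */
    protected synchronized void activate(ComponentContext componentContext) {
        this.openidClientConfigRef.activate(componentContext);
        this.sslSupportRef.activate(componentContext);
        this.sslConfigRef.activate(componentContext);
        this.openidAuthenticator = new OpenidClientAuthenticatorImpl();
        this.lazyInitOpenidAuth = true;
    }

    /** DS modified callback; configuration changes arrive through the bound services instead. */
    protected synchronized void modify(Map<String, Object> map) {
    }

    /** DS deactivate: releases the reference holders and drops the authenticator. */
    protected synchronized void deactivate(ComponentContext componentContext) {
        this.openidClientConfigRef.deactivate(componentContext);
        this.sslSupportRef.deactivate(componentContext);
        this.sslConfigRef.deactivate(componentContext);
        this.openidAuthenticator = null;
    }

    /**
     * Returns the raw {@code OpenidConstants.OPENID_IDENTIFIER} request parameter.
     * This is attacker-controlled input straight from the request; it is returned
     * unvalidated here, so consumers must treat it as untrusted (normalization and
     * discovery happen elsewhere).
     */
    @Override
    public String getOpenIdIdentifier(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter(OpenidConstants.OPENID_IDENTIFIER);
    }

    /**
     * Builds and sends the OpenID authentication request for the current request,
     * first (re)initializing the authenticator if a bound service changed.
     *
     * @throws Exception if the SSL context required by the configuration cannot be
     *         obtained (wrapping the underlying {@link SSLException}), or whatever
     *         the authenticator itself throws
     */
    @Override
    public void createAuthRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        if (this.lazyInitOpenidAuth) {
            initOpenidAuthenticator(httpServletRequest, httpServletResponse);
        }
        if (httpServletRequest.getCharacterEncoding() == null) {
            try {
                httpServletRequest.setCharacterEncoding(this.openidClientConfig.getCharacterEncoding());
            } catch (UnsupportedEncodingException e2) {
                // Best effort: a bad configured encoding is logged and the container default is kept.
                FFDCFilter.processException(e2, "com.ibm.ws.security.openid20.internal.OpenidClientServiceImpl", "180", this, new Object[]{httpServletRequest, httpServletResponse});
                if (tc.isWarningEnabled()) {
                    Tr.warning(tc, e2.getMessage(), new Object[0]);
                }
            }
        }
        this.openidAuthenticator.createAuthRequest(httpServletRequest, httpServletResponse);
    }

    /**
     * (Re)initializes the authenticator with the current configuration and SSL context.
     *
     * <p>Serialized on {@code this} so concurrent requests do not initialize the same
     * authenticator twice. The flag is cleared before the work starts so that a DS
     * callback raising it again mid-initialization is honoured by the next request;
     * if initialization does not complete, the flag is restored so it is retried.
     */
    private synchronized void initOpenidAuthenticator(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        if (!this.lazyInitOpenidAuth) {
            return; // another request thread completed the initialization while we waited
        }
        this.lazyInitOpenidAuth = false;
        boolean initialized = false;
        try {
            // getSSLContext() refreshes openidClientConfig from the service reference; resolve it
            // first so the authenticator sees the same configuration the SSL context was derived from.
            SSLContext sslContext = getSSLContext();
            this.openidAuthenticator.initialize(this.openidClientConfig, sslContext);
            initialized = true;
        } catch (SSLException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.openid20.internal.OpenidClientServiceImpl", "170", this, new Object[]{httpServletRequest, httpServletResponse});
            // Same exception type and message as before, but keep the cause for diagnosis.
            throw new Exception(e.getMessage(), e);
        } finally {
            if (!initialized) {
                this.lazyInitOpenidAuth = true;
            }
        }
    }

    /** Returns the raw {@code OpenidConstants.RP_REQUEST_IDENTIFIER} request parameter (untrusted input). */
    @Override
    public String getRpRequestIdentifier(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return httpServletRequest.getParameter(OpenidConstants.RP_REQUEST_IDENTIFIER);
    }

    /** Delegates verification of the OpenID provider's response to the authenticator. */
    @Override
    public ProviderAuthenticationResult verifyOpResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        return this.openidAuthenticator.verifyResponse(httpServletRequest);
    }

    /** Returns the configured mapIdentityToRegistryUser flag, or {@code false} when no configuration is bound. */
    @Override
    public boolean isMapIdentityToRegistryUser() {
        OpenidClientConfig config = this.openidClientConfig; // single read of the volatile field
        return config != null && config.isMapIdentityToRegistryUser();
    }

    /**
     * Resolves the SSL context the authenticator should use.
     *
     * <p>Returns {@code null} when no {@link SSLSupport} service is bound and the
     * configuration does not require HTTPS, or when the JSSE helper yields no
     * context and HTTPS is not required. In that case the authenticator is
     * initialized without an SSL context; whether it then falls back to plain
     * HTTP for provider discovery/association depends on the authenticator
     * implementation, so {@code httpsRequired=true} is the setting that
     * guarantees a failure here instead of a possibly unprotected exchange.
     *
     * @throws SSLException if the configured {@code sslRef} does not exist, or if
     *         HTTPS is required but no SSL service / context is available
     * @throws IllegalStateException if no OpenID client configuration is bound
     */
    protected SSLContext getSSLContext() throws SSLException {
        SSLContext sslContext = null;
        this.openidClientConfig = this.openidClientConfigRef.getService();
        OpenidClientConfig config = this.openidClientConfig;
        if (config == null) {
            // Previously this surfaced as a NullPointerException further down.
            throw new IllegalStateException("OpenID client configuration is not available");
        }
        JSSEHelper jsseHelper = getJSSEHelper(config);
        if (jsseHelper != null) {
            String sslRef = config.getSslRef();
            if (sslRef != null && !jsseHelper.doesSSLConfigExist(sslRef)) {
                Tr.error(tc, "OPENID_RP_CONFIG_INVALID_SSLREF", sslRef);
                throw new SSLException(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "OPENID_RP_CONFIG_INVALID_SSLREF", new Object[]{sslRef}, "CWWKS1507E: OpenID configuration requires SSL but sslRef {0} does not exist or is blank."));
            }
            // A null sslRef is passed through; presumably JSSEHelper then uses the server default — confirm.
            sslContext = jsseHelper.getSSLContext(sslRef, null, null);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "sslContext (" + sslRef + ") get: " + sslContext, new Object[0]);
            }
            if (sslContext == null && config.ishttpsRequired()) {
                Tr.error(tc, "OPENID_HTTPS_WITH_SSLCONTEXT_NULL", new Object[0]);
                throw new SSLException(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "OPENID_HTTPS_WITH_SSLCONTEXT_NULL", (Object[]) null, "CWWKS1509E: OpenID configuration requires SSL but SSL is not properly configured."));
            }
        }
        return sslContext;
    }

    /**
     * Returns the JSSE helper of the bound {@link SSLSupport} service, or {@code null}
     * if none is bound and the configuration does not require HTTPS.
     *
     * @throws SSLException if HTTPS is required but no SSL service is bound
     */
    protected JSSEHelper getJSSEHelper(OpenidClientConfig openidClientConfig) throws SSLException {
        SSLSupport sslSupport = this.sslSupportRef.getService();
        if (sslSupport != null) {
            return sslSupport.getJSSEHelper();
        }
        if (!openidClientConfig.ishttpsRequired()) {
            return null;
        }
        // NOTE(review): the Tr.error key and the TraceNLS key differ ("..._WITHOUT_SSL_SERVICE" vs
        // "..._NO_SSL_SERVICE"); one of them may not exist in the message bundle. Left as-is because
        // the bundle is not visible here — verify which key is defined.
        Tr.error(tc, "OPENID_HTTPS_WITHOUT_SSL_SERVICE", new Object[0]);
        throw new SSLException(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "OPENID_HTTPS_NO_SSL_SERVICE", (Object[]) null, "CWWKS1508E: OpenID configuration requires SSL but SSL service is not available."));
    }

    /**
     * Raises the lazy-init flag when the SSL configuration identified by {@code str}
     * is the one the OpenID client uses (its configured sslRef) or the server default.
     *
     * @param str the {@code id} of the SSL configuration that changed; may be {@code null}
     *        if the service reference carried no id, in which case nothing is scheduled
     * @return the current value of the lazy-init flag
     */
    protected boolean initOpenidAuthIfNeeded(String str) {
        if (str != null) {
            OpenidClientConfig config = this.openidClientConfigRef.getService();
            String defaultRef = this.defaultSslConfig;
            boolean matchesConfiguredRef = config != null && str.equalsIgnoreCase(config.getSslRef());
            boolean matchesDefaultRef = defaultRef != null && str.equalsIgnoreCase(defaultRef);
            if (matchesConfiguredRef || matchesDefaultRef) {
                this.lazyInitOpenidAuth = true;
            }
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "lazyInitConsumer:" + this.lazyInitOpenidAuth, new Object[0]);
        }
        return this.lazyInitOpenidAuth;
    }
}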
