package com.ibm.ws.security.openidconnect.server.plugins;

import com.ibm.oauth.core.api.attributes.AttributeList;
import com.ibm.oauth.core.api.config.OAuthComponentConfiguration;
import com.ibm.oauth.core.api.error.OAuthException;
import com.ibm.oauth.core.api.oauth20.token.OAuth20Token;
import com.ibm.oauth.core.internal.OAuthConstants;
import com.ibm.oauth.core.internal.OAuthUtil;
import com.ibm.oauth.core.internal.oauth20.OAuth20Constants;
import com.ibm.oauth.core.internal.oauth20.OAuth20Util;
import com.ibm.oauth.core.internal.oauth20.token.OAuth20TokenHelper;
import com.ibm.oauth.core.internal.oauth20.tokentype.OAuth20TokenTypeHandler;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.common.internal.encoder.Base64Coder;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.claims.UserClaims;
import com.ibm.ws.security.common.claims.UserClaimsRetrieverService;
import com.ibm.ws.security.oauth20.plugins.jose4j.JWTData;
import com.ibm.ws.security.oauth20.plugins.jose4j.JwtCreator;
import com.ibm.ws.security.oauth20.util.ConfigUtils;
import com.ibm.ws.security.openidconnect.jwk.JWK;
import com.ibm.ws.security.openidconnect.server.ServerConstants;
import com.ibm.ws.security.openidconnect.server.internal.HashUtils;
import com.ibm.ws.security.openidconnect.server.internal.OidcUserClaims;
import com.ibm.ws.security.openidconnect.token.IDToken;
import com.ibm.ws.security.openidconnect.token.JWSHeader;
import com.ibm.ws.security.openidconnect.token.JsonTokenUtil;
import com.ibm.ws.security.openidconnect.token.Payload;
import com.ibm.ws.webcontainer.security.openidconnect.JSONWebKey;
import com.ibm.ws.webcontainer.security.openidconnect.OidcServerConfig;
import com.ibm.wsspi.security.openidconnect.IDTokenMediator;
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.PrivateKey;
import java.security.SignatureException;
import java.security.interfaces.RSAPrivateKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.jose4j.keys.HmacKey;
import org.osgi.service.component.ComponentContext;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.openidconnect.server_1.0.14.jar:com/ibm/ws/security/openidconnect/server/plugins/IDTokenHandler.class */
public class IDTokenHandler implements OAuth20TokenTypeHandler {
    private static final TraceComponent tc = Tr.register(IDTokenHandler.class);
    private static final String CFG_KEY_ISSUER_IDENTIFIER = "issuerIdentifier";
    private static final String JTI_CLAIM = "jti";
    private static final String SIGNATURE_ALG_NONE = "none";
    private static final String SIGNATURE_ALG_HS256 = "HS256";
    private static final String SIGNATURE_ALG_RS256 = "RS256";
    private static final String SHARED_KEY = "sharedKey";
    public static final String AT_HASH = "at_hash";
    private static final int IDTOKEN_LIFETIME_DEFAULT = 7200;
    static final long serialVersionUID = 8568032913744872137L;

    @Override // com.ibm.oauth.core.internal.oauth20.tokentype.OAuth20TokenTypeHandler
    public void init(OAuthComponentConfiguration oAuthComponentConfiguration) {
    }

    protected void activate(ComponentContext componentContext, Map<String, Object> map) {
    }

    protected void deactivate(ComponentContext componentContext, Map<String, Object> map) {
    }

    protected void modified(ComponentContext componentContext, Map<String, Object> map) {
    }

    @Override // com.ibm.oauth.core.internal.oauth20.tokentype.OAuth20TokenTypeHandler
    public String getTypeTokenType() {
        return "id_token";
    }

    @Override // com.ibm.oauth.core.internal.oauth20.tokentype.OAuth20TokenTypeHandler
    public OAuth20Token createToken(@Sensitive Map<String, String[]> map) {
        String valueFromMap = OAuth20Util.getValueFromMap("sharedKey", map);
        String valueFromMap2 = OAuth20Util.getValueFromMap(OAuth20Constants.COMPONENTID, map);
        String valueFromMap3 = OAuth20Util.getValueFromMap("access_token", map);
        String valueFromMap4 = OAuth20Util.getValueFromMap("client_id", map);
        String valueFromMap5 = OAuth20Util.getValueFromMap("username", map);
        String valueFromMap6 = OAuth20Util.getValueFromMap("redirect_uri", map);
        String stateId = getStateId(map);
        String[] strArr = map.get("scope");
        String valueFromMap7 = OAuth20Util.getValueFromMap("grant_type", map);
        OidcServerConfig oidcServerConfigForOAuth20Provider = OIDCProvidersConfig.getOidcServerConfigForOAuth20Provider(valueFromMap2);
        int lifetime = getLifetime(oidcServerConfigForOAuth20Provider);
        String str = null;
        String signatureAlgorithm = oidcServerConfigForOAuth20Provider.getSignatureAlgorithm();
        if (ServerConstants.JAVA_VERSION_6 || "none".equals(signatureAlgorithm)) {
            str = createIdTokenAsString(createPayload(map, oidcServerConfigForOAuth20Provider), signatureAlgorithm, getSigningKey(signatureAlgorithm, valueFromMap, oidcServerConfigForOAuth20Provider), valueFromMap3);
        } else {
            String str2 = null;
            if (valueFromMap3 != null) {
                str2 = JsonTokenUtil.accessTokenHash(valueFromMap3);
            }
            JWTData jWTData = new JWTData(valueFromMap, oidcServerConfigForOAuth20Provider, "ID Token");
            String str3 = null;
            if (isIDTokenMediatorSpi()) {
                str3 = getIDTokenClaimsFromMediatorSpi(map);
                if (str3 != null) {
                    str = JwtCreator.createJwtAsStringForSpi(str3, oidcServerConfigForOAuth20Provider, valueFromMap4, valueFromMap5, strArr, lifetime, map, valueFromMap7, str2, jWTData);
                }
            }
            if (str3 == null) {
                Map<String, Object> customClaims = getCustomClaims(map, oidcServerConfigForOAuth20Provider);
                if (str2 != null) {
                    customClaims.put("at_hash", str2);
                }
                str = JwtCreator.createJwtAsString(oidcServerConfigForOAuth20Provider, valueFromMap4, valueFromMap5, strArr, lifetime, map, customClaims, jWTData);
            }
        }
        IDTokenImpl iDTokenImpl = new IDTokenImpl(HashUtils.digest(str), str, valueFromMap2, valueFromMap4, valueFromMap5, valueFromMap6, stateId, strArr, lifetime, OAuth20TokenHelper.getExternalClaims(map), valueFromMap7);
        if (iDTokenImpl != null) {
            iDTokenImpl.setAccessTokenKey(valueFromMap3);
        }
        return iDTokenImpl;
    }

    private boolean isIDTokenMediatorSpi() {
        if (ConfigUtils.getIdTokenMediatorService().size() <= 0) {
            return false;
        }
        if (!ServerConstants.JAVA_VERSION_6) {
            return true;
        }
        Tr.warning(tc, "IDT_MEDIATOR_SPI_REQUIRES_JDK", ServerConstants.JAVA_VERSION);
        return false;
    }

    protected String getIDTokenClaimsFromMediatorSpi(Map<String, String[]> map) {
        String str = null;
        Iterator<IDTokenMediator> services = ConfigUtils.getIdTokenMediatorService().getServices();
        if (services.hasNext()) {
            str = services.next().mediateToken(map);
        }
        return str;
    }

    private int getLifetime(OidcServerConfig oidcServerConfig) {
        int i = 7200;
        if (oidcServerConfig != null) {
            Long valueOf = Long.valueOf(oidcServerConfig.getIdTokenLifetime());
            if (valueOf.longValue() >= 2147483647L || valueOf.longValue() <= 0) {
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "The value of idTokenLifetime exceeds maximum number of integer: " + valueOf, new Object[0]);
                }
                throw new RuntimeException("The value of idTokenLifetime exceeds maximum number of integer: " + valueOf);
            }
            i = valueOf.intValue();
        }
        return i;
    }

    private String getStateId(Map<String, String[]> map) {
        String valueFromMap = OAuth20Util.getValueFromMap(OAuthConstants.STATE_ID, map);
        if (valueFromMap == null) {
            valueFromMap = OAuth20Util.generateUUID();
        }
        return valueFromMap;
    }

    private Payload createPayload(@Sensitive Map<String, String[]> map, OidcServerConfig oidcServerConfig) {
        Payload payload = new Payload();
        addRequiredClaims(payload, map, oidcServerConfig);
        validateRequiredClaims(payload);
        addOptionalClaims(payload, map, oidcServerConfig);
        addCustomClaims(payload, map, oidcServerConfig);
        addExternalClaims(payload, map);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "debug:" + payload, new Object[0]);
        }
        return payload;
    }

    private void addExternalClaims(Payload payload, Map<String, String[]> map) {
        Iterator<Map.Entry<String, String[]>> it = map.entrySet().iterator();
        while (it.hasNext()) {
            String key = it.next().getKey();
            if (key.startsWith(OAuth20Constants.EXTERNAL_CLAIMS_PREFIX)) {
                String substring = key.substring(OAuth20Constants.EXTERNAL_CLAIMS_PREFIX_LENGTH);
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, " longKey:" + key + " shortKey:" + substring, new Object[0]);
                }
                List<String> listFromMap = getListFromMap(key, map);
                if (!listFromMap.isEmpty()) {
                    if (listFromMap.size() > 1) {
                        payload.put(substring, listFromMap);
                    } else {
                        payload.put(substring, OAuth20Util.getValueFromMap(key, map));
                    }
                }
            }
        }
    }

    List<String> getListFromMap(String str, Map<String, String[]> map) {
        ArrayList arrayList = new ArrayList();
        String[] strArr = map.get(str);
        if (strArr != null && strArr.length > 0) {
            for (String str2 : strArr) {
                arrayList.add(str2);
            }
        }
        return arrayList;
    }

    private void addRequiredClaims(Payload payload, @Sensitive Map<String, String[]> map, OidcServerConfig oidcServerConfig) {
        payload.setIssuer(getIssuerIdentifier(map, oidcServerConfig));
        payload.setSubject(OAuth20Util.getValueFromMap("username", map));
        payload.setAudience((Object) OAuth20Util.getValueFromMap("client_id", map));
        long issuedAtTimeInSeconds = getIssuedAtTimeInSeconds();
        payload.setIssuedAtTimeSeconds(Long.valueOf(issuedAtTimeInSeconds));
        payload.setExpirationTimeSeconds(Long.valueOf(issuedAtTimeInSeconds + getLifetime(oidcServerConfig)));
        String valueFromMap = OAuth20Util.getValueFromMap("nonce", map);
        if (valueFromMap != null) {
            payload.setNonce(valueFromMap);
        }
    }

    private String getIssuerIdentifier(@Sensitive Map<String, String[]> map, OidcServerConfig oidcServerConfig) {
        String issuerIdentifier = oidcServerConfig.getIssuerIdentifier();
        if (issuerIdentifier == null || issuerIdentifier.isEmpty()) {
            issuerIdentifier = OAuth20Util.getValueFromMap("issuerIdentifier", map);
        }
        return issuerIdentifier;
    }

    private long getIssuedAtTimeInSeconds() {
        return new Date().getTime() / 1000;
    }

    protected void validateRequiredClaims(Payload payload) {
        StringBuffer stringBuffer = new StringBuffer("ID Token is missing required claims:");
        boolean z = true;
        for (String str : new String[]{"iss", "sub", "aud", "exp", "iat"}) {
            if (payload.get(str) == null) {
                stringBuffer.append(" ");
                stringBuffer.append(str);
                z = false;
            }
        }
        if (!z) {
            throw new RuntimeException(stringBuffer.toString());
        }
    }

    private void addOptionalClaims(Payload payload, @Sensitive Map<String, String[]> map, OidcServerConfig oidcServerConfig) {
        if (oidcServerConfig.isJTIClaimEnabled()) {
            payload.put("jti", OAuthUtil.getRandom(16));
        }
    }

    private void addCustomClaims(Payload payload, @Sensitive Map<String, String[]> map, OidcServerConfig oidcServerConfig) {
        Map<String, Object> customClaims = getCustomClaims(map, oidcServerConfig);
        if (customClaims != null) {
            payload.putAll(customClaims);
        }
    }

    private Map<String, Object> getCustomClaims(@Sensitive Map<String, String[]> map, OidcServerConfig oidcServerConfig) {
        UserClaimsRetrieverService userClaimsRetrieverService;
        UserClaims userClaims;
        if (!oidcServerConfig.isCustomClaimsEnabled() || (userClaimsRetrieverService = ConfigUtils.getUserClaimsRetrieverService()) == null || (userClaims = userClaimsRetrieverService.getUserClaims(OAuth20Util.getValueFromMap("username", map), oidcServerConfig.getGroupIdentifier())) == null) {
            return new HashMap();
        }
        if (!userClaims.isEnabled()) {
            return userClaims.asMap();
        }
        OidcUserClaims oidcUserClaims = new OidcUserClaims(userClaims);
        oidcUserClaims.addExtraClaims(oidcServerConfig);
        return oidcUserClaims.asMap();
    }

    @Sensitive
    private Object getSigningKey(String str, @Sensitive String str2, OidcServerConfig oidcServerConfig) {
        Object obj = null;
        if (oidcServerConfig.isJwkEnabled() && "RS256".equals(str)) {
            obj = oidcServerConfig.getJSONWebKey();
        } else if ("HS256".equals(str)) {
            obj = Base64Coder.getBytes(str2);
        } else if ("RS256".equals(str)) {
            obj = getRSAPrivateKey(oidcServerConfig);
        }
        return obj;
    }

    @FFDCIgnore({Exception.class})
    @Sensitive
    public static JWTData getSigningKey(@Sensitive String str, OidcServerConfig oidcServerConfig) {
        Key key = null;
        String str2 = null;
        String signatureAlgorithm = oidcServerConfig.getSignatureAlgorithm();
        if (oidcServerConfig.isJwkEnabled() && "RS256".equals(signatureAlgorithm)) {
            JSONWebKey jSONWebKey = oidcServerConfig.getJSONWebKey();
            key = jSONWebKey.getPrivateKey();
            str2 = jSONWebKey.getKeyID();
        } else if ("HS256".equals(signatureAlgorithm)) {
            try {
                key = new HmacKey(str.getBytes("UTF-8"));
            } catch (UnsupportedEncodingException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.server.plugins.IDTokenHandler", "402", null, new Object[]{"<sensitive java.lang.String>", oidcServerConfig});
            }
        } else if ("RS256".equals(signatureAlgorithm)) {
            try {
                key = oidcServerConfig.getPrivateKey();
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "RSAPrivateKey: " + (key instanceof RSAPrivateKey), new Object[0]);
                }
            } catch (Exception e2) {
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "Exception obtaining the private key: " + e2, new Object[0]);
                }
                throw new RuntimeException("Unable to create signed ID token due to exception: " + e2);
            }
        }
        return new JWTData(key, str2);
    }

    private String createIdTokenAsString(Payload payload, String str, @Sensitive Object obj, @Sensitive String str2) {
        try {
            return requiresSigning(str) ? createSignedIdToken(payload, str, obj, str2) : createPlainTextIdToken(payload);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.server.plugins.IDTokenHandler", "432", this, new Object[]{payload, str, "<sensitive java.lang.Object>", "<sensitive java.lang.String>"});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception creating the id_token string: " + e, new Object[0]);
            }
            throw new RuntimeException("Exception creating the id_token string: " + e);
        }
    }

    private boolean requiresSigning(String str) {
        return !"none".equals(str);
    }

    private String createSignedIdToken(Payload payload, String str, @Sensitive Object obj, @Sensitive String str2) throws InvalidKeyException, SignatureException {
        JWSHeader jWSHeader = new JWSHeader();
        jWSHeader.setAlgorithm(str);
        if (obj instanceof JWK) {
            JWK jwk = (JWK) obj;
            obj = jwk.getPrivateKey();
            jWSHeader.setKeyId(jwk.getKeyID());
        }
        return new IDToken(jWSHeader, payload, obj, str2).getSignedJWTString();
    }

    @FFDCIgnore({Exception.class})
    @Sensitive
    private Object getRSAPrivateKey(OidcServerConfig oidcServerConfig) {
        try {
            PrivateKey privateKey = oidcServerConfig.getPrivateKey();
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "RSAPrivateKey: " + (privateKey instanceof RSAPrivateKey), new Object[0]);
            }
            return privateKey;
        } catch (Exception e) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception obtaining the private key: " + e, new Object[0]);
            }
            throw new RuntimeException("Unable to create signed ID token due to exception: " + e);
        }
    }

    private String createPlainTextIdToken(Payload payload) {
        return new IDToken(new JWSHeader(), payload).getJWTString();
    }

    @Override // com.ibm.oauth.core.internal.oauth20.tokentype.OAuth20TokenTypeHandler
    public List<String> getKeysTokenType(AttributeList attributeList) throws OAuthException {
        return Collections.emptyList();
    }

    @Override // com.ibm.oauth.core.internal.oauth20.tokentype.OAuth20TokenTypeHandler
    public void validateRequestTokenType(AttributeList attributeList, List<OAuth20Token> list) throws OAuthException {
    }

    @Override // com.ibm.oauth.core.internal.oauth20.tokentype.OAuth20TokenTypeHandler
    public void buildResponseTokenType(AttributeList attributeList, List<OAuth20Token> list) {
    }
}
