package com.ibm.ws.security.openid20.consumer;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.AuthenticationConstants;
import com.ibm.ws.security.openid20.OpenidClientAuthenticator;
import com.ibm.ws.security.openid20.OpenidClientConfig;
import com.ibm.ws.security.openid20.OpenidConstants;
import com.ibm.ws.security.openid20.TraceConstants;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.ProviderAuthenticationResult;
import com.ibm.wsspi.security.token.AttributeNameConstants;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Hashtable;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.consumer.VerificationResult;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.discovery.Identifier;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.AuthSuccess;
import org.openid4java.message.ParameterList;

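/**
 * OpenID 2.0 relying-party (consumer) side of the Liberty OpenID client.
 *
 * <p>{@link #createAuthRequest} discovers the user-supplied identifier, builds the
 * openid4java {@link AuthRequest}, parks the resulting {@link DiscoveryInformation}
 * in {@link #requestCache} under a freshly generated request identifier and
 * redirects the browser to the OpenID provider. {@link #verifyResponse} later
 * consumes that cache entry (exactly once) and hands the returning message to
 * openid4java for verification before building the credential hashtable that the
 * web container turns into a Subject.
 *
 * <p>The request identifier is carried in the return_to URL
 * ({@link OpenidConstants#RP_REQUEST_IDENTIFIER}) and is what ties a returning
 * response back to the discovery data of the request that started it. It is
 * therefore security-relevant in two ways: it must be unguessable (it is produced
 * by {@code MessageDigestUtil.getDigest()}, whose entropy source is not visible
 * from this file) and it must be honoured at most once, which
 * {@link #getDiscoveryInfoFromCache} enforces with an atomic remove.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.openid20_1.0.14.jar:com/ibm/ws/security/openid20/consumer/OpenidClientAuthenticatorImpl.class */
public class OpenidClientAuthenticatorImpl implements OpenidClientAuthenticator {
    OpenidClientConfig openidClientConfig;
    ConsumerManagerFactory consumerManagerFactory = new ConsumerManagerFactory(null);
    Utils utils;
    ConsumerManager consumerManager;
    static final long serialVersionUID = 6451218519631986087L;
    static final TraceComponent tc = Tr.register(OpenidClientAuthenticatorImpl.class);
    /**
     * Pending-request store: request identifier -> DiscoveryInformation.
     * Static, so it is shared by every instance and replaced wholesale on each
     * {@link #initialize}. Bounded by maxDiscoveryCacheSize and wrapped in
     * {@link Collections#synchronizedMap}: single map calls are atomic,
     * sequences of calls are not, which is why lookups use remove() directly.
     */
    static Map<String, Object> requestCache = null;

    /**
     * Wires the authenticator to its configuration and builds the openid4java
     * ConsumerManager plus the pending-request cache.
     *
     * @param openidClientConfig client configuration (cache size, realm / group /
     *                           user-name mapping options, subject content flags)
     * @param sSLContext         SSL context used by the ConsumerManager for
     *                           provider communication
     */
    @Override // com.ibm.ws.security.openid20.OpenidClientAuthenticator
    public void initialize(OpenidClientConfig openidClientConfig, SSLContext sSLContext) {
        this.openidClientConfig = openidClientConfig;
        this.consumerManager = this.consumerManagerFactory.getConsumerManager(openidClientConfig, sSLContext);
        // Bounded so a flood of started-but-never-finished authentications cannot
        // grow the heap without limit; presumably oldest entries are evicted first
        // (BoundedHashMap is defined elsewhere in the package).
        requestCache = Collections.synchronizedMap(new BoundedHashMap(openidClientConfig.getMaxDiscoveryCacheSize()));
        this.utils = new Utils(openidClientConfig);
    }

    /**
     * Starts an OpenID authentication: discovers the identifier, builds the
     * AuthRequest, remembers the discovery data under a new request identifier and
     * redirects the browser to the provider.
     *
     * @param servletRequest  incoming request; the identifier is read from the
     *                        {@code OPENID_IDENTIFIER} request attribute (set by a TAI)
     *                        or, failing that, the request parameter of the same name
     * @param servletResponse response that receives the redirect
     * @throws IOException      if building the request or sending the redirect fails
     *                          (logged as OPENID_AUTHENTICATE_FAILED)
     * @throws ServletException declared by the interface
     * @throws Exception        anything thrown by discovery itself, which runs
     *                          outside the try block
     */
    @Override // com.ibm.ws.security.openid20.OpenidClientAuthenticator
    public void createAuthRequest(ServletRequest servletRequest, ServletResponse servletResponse) throws ServletException, Exception {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        // A TAI may already have resolved the identifier into a request attribute;
        // otherwise it comes straight from the (untrusted) request parameter.
        String identifier = (String) httpServletRequest.getAttribute(OpenidConstants.OPENID_IDENTIFIER);
        if (identifier == null) {
            identifier = httpServletRequest.getParameter(OpenidConstants.OPENID_IDENTIFIER);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "openID identifier from request parameter:" + identifier, new Object[0]);
            }
        } else if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "openID identifier from request attribute(TAI):" + identifier, new Object[0]);
        }
        DiscoveryInformation discovered = this.utils.discoverOpenID(this.consumerManager, identifier);
        // Per-request key: embedded in return_to by createReturnToUrl, echoed back by
        // the provider and used by verifyResponse to find the discovery data again.
        // It must be unpredictable — TODO(review): confirm MessageDigestUtil.getDigest()
        // is backed by a cryptographically strong random source.
        String requestId = MessageDigestUtil.getDigest();
        try {
            AuthRequest authRequest = this.consumerManager.authenticate(discovered, this.utils.createReturnToUrl(httpServletRequest, requestId), this.utils.getRpRealm(httpServletRequest));
            this.utils.addUserInfoAttributes(authRequest);
            // Park the discovery data before the redirect is committed, so the entry
            // is guaranteed to exist by the time the browser can come back with it.
            requestCache.put(requestId, discovered);
            // NOTE: sendRedirect() normally replaces the status with 302, so the 401
            // set here is unlikely to reach the client; kept as in the original.
            httpServletResponse.setStatus(401);
            httpServletResponse.sendRedirect(authRequest.getDestinationUrl(true));
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.openid20.consumer.OpenidClientAuthenticatorImpl", "104", this, new Object[]{servletRequest, servletResponse});
            Tr.error(tc, "OPENID_AUTHENTICATE_FAILED", identifier);
            throw new IOException(e);
        }
    }

    /**
     * Completes an OpenID authentication from the provider's response.
     *
     * <p>The pending-request entry is consumed first (single use), then openid4java
     * verifies the response against the URL it actually arrived on and the stored
     * discovery data. Only a response with a verified identifier and a positive
     * assertion produces a SUCCESS result; every other outcome is reported as an
     * {@link IOException} and logged as OPENID_VERIFY_RESPONSE_FAILED.
     *
     * @param servletRequest the provider's redirect back to the relying party
     * @return SUCCESS result carrying the mapped user name and a credential
     *         hashtable (provider endpoint, optional cache key, realm, groups and
     *         user-info attributes according to configuration)
     * @throws IOException if the request identifier is missing or unknown, or if
     *                     verification fails for any reason
     * @throws ServletException declared by the interface
     */
    @Override // com.ibm.ws.security.openid20.OpenidClientAuthenticator
    public ProviderAuthenticationResult verifyResponse(ServletRequest servletRequest) throws ServletException, IOException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        // The URL the response actually arrived on; openid4java compares it with the
        // signed return_to so a response cannot be replayed against another endpoint.
        String receivingUrl = this.utils.getReceivingUrl(httpServletRequest);
        ParameterList parameterList = new ParameterList(httpServletRequest.getParameterMap());
        // Consumes (removes) the pending entry; throws if the identifier is missing or unknown.
        DiscoveryInformation discoveryInfoFromCache = getDiscoveryInfoFromCache(httpServletRequest);
        try {
            VerificationResult verify = this.consumerManager.verify(receivingUrl, parameterList, discoveryInfoFromCache);
            Identifier verifiedId = verify.getVerifiedId();
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Verification identifier:" + verifiedId, new Object[0]);
            }
            if (verifiedId == null) {
                // Verification did not yield an identifier. verificationFailed() is
                // expected to throw; fail closed explicitly in case it returns
                // normally instead of relying on the NullPointerException the
                // original code would have hit on verifiedId.getIdentifier().
                this.utils.verificationFailed(verify, discoveryInfoFromCache);
                throw new IOException(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "OPENID_AUTHENTICATE_FAILED", new Object[]{discoveryInfoFromCache.getClaimedIdentifier()}, "CWWKS1513E: OpenID authentication failed for identifier {0}."));
            }
            // A verified identifier should come with a positive assertion, but guard
            // the cast so an unexpected message type is reported as an authentication
            // failure rather than a ClassCastException.
            Object authResponse = verify.getAuthResponse();
            AuthSuccess authSuccess = (authResponse instanceof AuthSuccess) ? (AuthSuccess) authResponse : null;
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "AuthSuccess:" + authSuccess, new Object[0]);
            }
            String identifier = verifiedId.getIdentifier();
            if (authSuccess == null) {
                Tr.error(tc, "OPENID_AUTHENTICATE_FAILED", identifier);
                throw new IOException(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "OPENID_AUTHENTICATE_FAILED", new Object[]{identifier}, "CWWKS1513E: OpenID authentication failed for identifier {0}."));
            }
            Hashtable<String, Object> credentialProps = new Hashtable<String, Object>();
            Map<String, Object> userInfo = this.utils.receiveUserInfoAttributes(authSuccess);
            credentialProps.put("openidProvider", this.utils.getOpEndPoint(discoveryInfoFromCache, authSuccess, userInfo));
            String userName = this.utils.resolveMapUserName(authSuccess, userInfo);
            if (this.openidClientConfig.isIncludeCustomCacheKeyInSubject()) {
                // Subject-cache key = mapped name + hash of the received attributes, so
                // a change in asserted attributes yields a different cached subject.
                // INTERNAL_ASSERTION_KEY is set alongside it; its semantics are owned by
                // the authentication service, presumably marking the identity as asserted.
                credentialProps.put("com.ibm.wsspi.security.cred.cacheKey", userName + userInfo.hashCode());
                credentialProps.put(AuthenticationConstants.INTERNAL_ASSERTION_KEY, Boolean.TRUE);
            }
            String realmName = this.utils.getRealmName(this.openidClientConfig, userInfo);
            if (realmName != null && !realmName.isEmpty()) {
                credentialProps.put(AttributeNameConstants.WSCREDENTIAL_REALM, realmName);
            }
            ArrayList<String> groups = this.utils.getGroups(this.openidClientConfig, userInfo, realmName);
            if (groups != null && !groups.isEmpty()) {
                credentialProps.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups);
            }
            if (this.openidClientConfig.isIncludeUserInfoInSubject()) {
                // Provider-asserted attributes land in the subject verbatim; they are
                // only as trustworthy as the provider that signed the response.
                credentialProps.putAll(userInfo);
            }
            return new ProviderAuthenticationResult(AuthResult.SUCCESS, 200, userName, (Subject) null, credentialProps, null);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.openid20.consumer.OpenidClientAuthenticatorImpl", "139", this, new Object[]{servletRequest});
            Tr.error(tc, "OPENID_VERIFY_RESPONSE_FAILED", discoveryInfoFromCache.getClaimedIdentifier());
            // Keep the cause chain; the original kept only the message text.
            throw new IOException(e.getLocalizedMessage(), e);
        }
    }

    /**
     * Looks up and consumes the pending-request entry named by the
     * {@code RP_REQUEST_IDENTIFIER} parameter of the returning request.
     *
     * <p>The entry is removed in the same map operation that reads it, so two
     * responses carrying the same identifier cannot both be verified against the
     * same discovery data: the request identifier is strictly single-use, even
     * under concurrent requests.
     *
     * @param httpServletRequest the provider's redirect back to the relying party
     * @return the discovery data stored by {@link #createAuthRequest}
     * @throws IOException if the parameter is absent or blank
     *                     (OPENID_RP_REQUEST_IDENTIFIER_NULL) or no entry exists for
     *                     it (OPENID_CACHE_MISS_FOR_UNIQUE_KEY) — the latter also
     *                     covers eviction from the bounded cache and replay
     */
    private DiscoveryInformation getDiscoveryInfoFromCache(HttpServletRequest httpServletRequest) throws IOException {
        String requestId = httpServletRequest.getParameter(OpenidConstants.RP_REQUEST_IDENTIFIER);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "uniqueKey:" + requestId, new Object[0]);
        }
        if (requestId == null || requestId.trim().isEmpty()) {
            Tr.error(tc, "OPENID_RP_REQUEST_IDENTIFIER_NULL", new Object[0]);
            throw new IOException(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "OPENID_RP_REQUEST_IDENTIFIER_NULL", (Object[]) null, "CWWKS1512E: OpenID replying party request identifier is null."));
        }
        // Single atomic get-and-delete on the synchronized map. A separate get()
        // followed by remove() would let two concurrent responses with the same
        // identifier both obtain the entry.
        DiscoveryInformation discoveryInformation = (DiscoveryInformation) requestCache.remove(requestId);
        if (discoveryInformation == null) {
            Tr.error(tc, "OPENID_CACHE_MISS_FOR_UNIQUE_KEY", requestId);
            // Pass the key so the {0} placeholder in the message is actually filled in
            // (the original passed null arguments and left the placeholder literal).
            throw new IOException(TraceNLS.getFormattedMessage(getClass(), TraceConstants.MESSAGE_BUNDLE, "OPENID_CACHE_MISS_FOR_UNIQUE_KEY", new Object[]{requestId}, "CWWKS1514E: There is no cache entry found for unique key {0}."));
        }
        return discoveryInformation;
    }
}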
