package com.ibm.ws.security.openidconnect.client;

import com.ibm.json.java.JSONObject;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.ProviderAuthenticationResult;
import com.ibm.ws.webcontainer.security.ReferrerURLCookieHandler;
import com.ibm.wsspi.kernel.service.location.WsLocationConstants;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.ssl.SSLSupport;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.message.BasicNameValuePair;

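/**
 * Authenticates an inbound request that presents an OAuth 2.0 bearer access token.
 *
 * <p>The token is taken from the {@code Authorization: Bearer} header (or, as a fallback, the
 * {@code access_token} request parameter), sent to the configured token validation endpoint via
 * {@link OidcClientUtil#checkToken}, and the JSON introspection response is turned into a
 * {@link ProviderAuthenticationResult} whose custom-properties hashtable seeds the Liberty
 * authentication cache. Every error path fails closed with {@code AuthResult.FAILURE} / 401.
 *
 * <p>Not thread-safe: {@link #authenticate} stores the supplied cookie handler in an instance
 * field.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:lib/com.ibm.ws.security.openidconnect.client_1.0.12.cl50920160718-1415.jar:com/ibm/ws/security/openidconnect/client/AccessTokenAuthenticator.class */
public class AccessTokenAuthenticator {
    private static final TraceComponent tc = Tr.register(AccessTokenAuthenticator.class);
    private static final String Authorization_Header = "Authorization";
    private static final String ACCESS_TOKEN = "access_token";
    /** Scheme prefix, including the separating space, that RFC 6750 mandates in the header. */
    private static final String BEARER_PREFIX = "Bearer ";
    OidcClientUtil oidcClientUtil;
    SSLSupport sslSupport;
    ReferrerURLCookieHandler referrerURLCookieHandler;
    static final long serialVersionUID = -2192955226764926058L;

    /** Creates an authenticator with no SSL support reference. */
    public AccessTokenAuthenticator() {
        this.oidcClientUtil = new OidcClientUtil();
        this.sslSupport = null;
        this.referrerURLCookieHandler = null;
    }

    /**
     * Creates an authenticator that captures the current {@link SSLSupport} service.
     *
     * @param atomicServiceReference reference whose current service is stored in {@link #sslSupport}
     * @param oidcClientConfig       accepted for signature compatibility; not read by this constructor
     */
    public AccessTokenAuthenticator(AtomicServiceReference<SSLSupport> atomicServiceReference, OidcClientConfig oidcClientConfig) {
        this.oidcClientUtil = new OidcClientUtil();
        this.sslSupport = atomicServiceReference.getService();
        this.referrerURLCookieHandler = null;
    }

    /**
     * Authenticates the request from its bearer access token.
     *
     * @param httpServletRequest       inbound request carrying the token
     * @param httpServletResponse      response that receives a {@code WWW-Authenticate} challenge when
     *                                 no token is present
     * @param oidcClientConfig         client configuration (validation endpoint, credentials, claim names)
     * @param referrerURLCookieHandler stored in {@link #referrerURLCookieHandler} for later use
     * @return the introspection outcome, or a 401 {@code FAILURE} result when no token was sent
     */
    public ProviderAuthenticationResult authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OidcClientConfig oidcClientConfig, ReferrerURLCookieHandler referrerURLCookieHandler) {
        this.referrerURLCookieHandler = referrerURLCookieHandler;
        String accessToken = getBearerAccessTokenToken(httpServletRequest);
        if (accessToken == null) {
            // No credential presented: challenge the client and fail with 401. Note that an
            // invalid token (introspection failure below) currently gets no challenge header.
            httpServletResponse.setHeader("WWW-Authenticate", getErrorMessage());
            return new ProviderAuthenticationResult(AuthResult.FAILURE, 401);
        }
        ProviderAuthenticationResult result = introspectToken(oidcClientConfig, accessToken);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Token is owned by ", result.getUserName());
        }
        return result;
    }

    /**
     * Sends the token to the validation endpoint and converts the JSON reply into a result.
     *
     * @param oidcClientConfig client configuration supplying endpoint, client id/secret and claim names
     * @param accessToken      the raw bearer token
     * @return a {@code SUCCESS} result built from the introspection claims, or a 401 {@code FAILURE}
     *         result when the endpoint reports the token inactive or anything goes wrong
     */
    protected ProviderAuthenticationResult introspectToken(OidcClientConfig oidcClientConfig, String accessToken) {
        ProviderAuthenticationResult failure = new ProviderAuthenticationResult(AuthResult.FAILURE, 401);
        try {
            String responseBody = this.oidcClientUtil.checkToken(
                    oidcClientConfig.getAccessTokenValidationEndpointUrl(),
                    oidcClientConfig.getClientId(),
                    oidcClientConfig.getClientSecret(),
                    accessToken,
                    oidcClientConfig.isHostNameVerificationEnabled(),
                    ClientConstants.METHOD_BASIC);
            JSONObject introspection = JSONObject.parse(responseBody);
            if (!validateJsonResponse(introspection, oidcClientConfig)) {
                return failure;
            }
            return createProviderAuthenticationResult(introspection, oidcClientConfig, accessToken);
        } catch (Exception e) {
            // Transport, parse and claim-shape errors all fail closed; FFDC records the detail.
            // The bearer token itself is deliberately NOT passed to FFDC so it does not land in logs.
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.client.AccessTokenAuthenticator", "114", this, new Object[]{oidcClientConfig});
            return failure;
        }
    }

    /**
     * Checks the introspection response's {@code active} flag (RFC 7662).
     *
     * @param introspection    parsed introspection response; may be {@code null}
     * @param oidcClientConfig client configuration (unused here; available to subclasses)
     * @return {@code true} only when {@code active} is present and is boolean {@code true}; a missing,
     *         {@code null} or non-boolean value fails closed instead of throwing
     */
    protected boolean validateJsonResponse(JSONObject introspection, OidcClientConfig oidcClientConfig) {
        Object active = (introspection == null) ? null : introspection.get("active");
        return Boolean.TRUE.equals(active);
    }

    /**
     * Builds the {@code SUCCESS} result and the custom properties that seed the authentication cache.
     *
     * @param introspection    parsed introspection response (already validated as active)
     * @param oidcClientConfig client configuration naming the identity, realm, unique-id and group claims
     * @param accessToken      the raw bearer token, stored under {@code access_token}
     * @return a {@code SUCCESS} result, or a 401 {@code FAILURE} result when the configured identity
     *         claim is absent or empty (no principal name can be asserted)
     */
    protected ProviderAuthenticationResult createProviderAuthenticationResult(JSONObject introspection, OidcClientConfig oidcClientConfig, String accessToken) {
        String identityClaim = oidcClientConfig.getUserIdentityToCreateSubject();
        String userName = (String) introspection.get(identityClaim != null ? identityClaim : "sub");
        if (userName == null || userName.isEmpty()) {
            // Fail closed: without a principal name the result would be cached under "null".
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Introspection response has no usable user identity claim", identityClaim);
            }
            return new ProviderAuthenticationResult(AuthResult.FAILURE, 401);
        }

        Hashtable<String, Object> customProperties = new Hashtable<String, Object>();
        // NOTE(review): the cache key folds the token through the 32-bit String.hashCode(); two
        // distinct tokens for the same user can collide. Kept as-is because other components may
        // derive the same key format.
        customProperties.put("com.ibm.wsspi.security.cred.cacheKey", userName + accessToken.hashCode());
        customProperties.put("com.ibm.ws.authentication.internal.assertion", Boolean.TRUE);
        customProperties.put(ACCESS_TOKEN, accessToken);
        if (oidcClientConfig.isMapIdentityToRegistryUser()) {
            // Identity is resolved against the user registry; realm/uniqueId/groups come from there.
            return new ProviderAuthenticationResult(AuthResult.SUCCESS, 200, userName, new Subject(), customProperties, (String) null);
        }

        String realm = (String) introspection.get(oidcClientConfig.getRealmIdentifier());
        if (realm == null || realm.isEmpty()) {
            realm = (String) introspection.get("iss");
        }
        String uniqueUser = (String) introspection.get(oidcClientConfig.getUniqueUserIdentifier());
        if (uniqueUser == null || uniqueUser.isEmpty()) {
            // Fall back to the identity claim already resolved above (non-null here), rather than
            // re-reading a possibly null claim name and producing a "null" segment in the unique id.
            uniqueUser = userName;
        }
        // A null realm is rendered as "null" here, matching the historical StringBuffer behaviour.
        String realmPrefix = realm + WsLocationConstants.LOC_VIRTUAL_ROOT;
        customProperties.put("com.ibm.wsspi.security.cred.uniqueId", "user:" + realmPrefix + uniqueUser);
        if (realm != null && !realm.isEmpty()) {
            customProperties.put("com.ibm.wsspi.security.cred.realm", realm);
        }

        // A non-list group claim throws ClassCastException, which introspectToken turns into FAILURE.
        List<?> groupClaim = (List<?>) introspection.get(oidcClientConfig.getGroupIdentifier());
        if (groupClaim != null && !groupClaim.isEmpty()) {
            ArrayList<String> groups = new ArrayList<String>(groupClaim.size());
            for (Object group : groupClaim) {
                groups.add("group:" + realmPrefix + group);
            }
            customProperties.put("com.ibm.wsspi.security.cred.groups", groups);
        }
        return new ProviderAuthenticationResult(AuthResult.SUCCESS, 200, userName, new Subject(), customProperties, (String) null);
    }

    /**
     * Extracts the bearer token from the request.
     *
     * @param httpServletRequest inbound request
     * @return the token following {@code "Bearer "} in the {@code Authorization} header; otherwise the
     *         {@code access_token} request parameter, which may be {@code null}
     */
    public static String getBearerAccessTokenToken(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(Authorization_Header);
        if (header != null && header.startsWith(BEARER_PREFIX)) {
            return header.substring(BEARER_PREFIX.length());
        }
        // Fallback permitted by RFC 6750 section 2.3 but discouraged: tokens passed as request
        // parameters tend to end up in access logs, proxies and browser history.
        return httpServletRequest.getParameter(ACCESS_TOKEN);
    }

    /**
     * Returns the {@code WWW-Authenticate} challenge value. The folded (newline + indent) form is
     * kept byte-for-byte for compatibility with existing clients.
     */
    static String getErrorMessage() {
        return "Bearer realm=\"OAuth\",\n                  error=\"invalid_token\",\n"
                + "                  error_description=\"Check access token\"";
    }
}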
