package com.ibm.ws.security.oauth20.web;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.oauth.core.api.oauth20.client.OAuth20ClientProvider;
import com.ibm.ws.security.oauth20.api.OAuth20Provider;
import com.ibm.ws.security.oauth20.api.OAuth20ProviderFactory;
import com.ibm.ws.security.oauth20.util.MessageFormatHelper;
import com.ibm.ws.security.oauth20.web.OAuth20Request;
import java.io.IOException;
import java.util.Locale;
import java.util.ResourceBundle;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:WebSphereOauth20SPWeb.war:WEB-INF/lib/oauth20.web.jar:com/ibm/ws/security/oauth20/web/ClientAuthnFilter.class */
public class ClientAuthnFilter implements Filter {
    /** Request attribute under which an upstream component is expected to have stored the {@link OAuth20Request}. */
    private static final String OAUTH20_REQUEST_ATTR = "OAuth20Request";
    /** Provider configuration property that switches on acceptance of secret-less (public) clients. */
    private static final String ALLOW_PUBLIC_CLIENTS_PROPERTY = "oauth20.allow.public.clients";
    /** Message key for the translated client-authentication failure message. */
    private static final String CLIENT_AUTH_ERROR_KEY = "security.oauth20.endpoint.client.auth.error";

    /** Trace component used for entry/exit and debug tracing of this filter. */
    private static final TraceComponent tc = Tr.register(ClientAuthnFilter.class, "OAuth20Provider", "com.ibm.ws.security.oauth20.resources.ProviderMsgs");
    /** JUL logger for the SEVERE authentication-failure message; registered under the provider factory's class name. */
    private static final Logger logger = Logger.getLogger(OAuth20ProviderFactory.class.getName());
    /** Bundle from which the authentication-failure message is formatted, using the JVM default locale. */
    private static final ResourceBundle resBundle = ResourceBundle.getBundle("com.ibm.ws.security.oauth20.resources.ProviderMsgs", Locale.getDefault());

    /**
     * No configuration is consumed by this filter.
     *
     * @param filterConfig ignored
     * @throws ServletException never thrown here; declared by the {@link Filter} contract
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to initialise.
    }

    /** No resources are held, so there is nothing to release. */
    public void destroy() {
        // Nothing to release.
    }

    /**
     * Enforces client authentication on OAuth 2.0 token-endpoint requests.
     *
     * <p>The request must carry an {@link OAuth20Request} under the {@code "OAuth20Request"}
     * attribute; if it does not, the response is a 401. Requests whose type is not
     * {@code token} are passed down the chain untouched. For token requests the client
     * credentials collected by {@link ClientAuthnData} are checked against the provider's
     * client store (see {@link #isClientAuthenticated}); on success the chain continues,
     * otherwise a 401 is sent and the failure is traced and logged.
     *
     * <p>NOTE(review): the client ID written to the debug trace and the SEVERE log entry is
     * taken from {@code ClientAuthnData}, i.e. it presumably originates from the request, so
     * log consumers should treat it as untrusted input; every failed attempt produces one
     * SEVERE entry. The 401 is sent without a {@code WWW-Authenticate} header, which
     * RFC 6749 section 5.2 expects when HTTP Basic credentials were used — confirm whether a
     * downstream component adds it.
     *
     * @param servletRequest  incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse outgoing response; cast to {@link HttpServletResponse}
     * @param filterChain     the remainder of the filter chain
     * @throws IOException      propagated from {@code sendError} or the chain
     * @throws ServletException propagated from the chain
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "doFilter");
        }
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        // Constructed before the attribute lookup, as the constructor may inspect the request.
        ClientAuthnData authnData = new ClientAuthnData((HttpServletRequest) servletRequest, httpResponse, true);
        OAuth20Request oauthRequest = (OAuth20Request) servletRequest.getAttribute(OAUTH20_REQUEST_ATTR);

        if (oauthRequest == null) {
            // Not tagged as an OAuth request by whatever runs ahead of this filter: reject outright.
            httpResponse.sendError(401);
            traceExit("doFilter :not an OAuth request");
            return;
        }

        if (!OAuth20Request.Type.token.equals(oauthRequest.getType())) {
            // Only the token endpoint requires client authentication in this filter.
            filterChain.doFilter(servletRequest, servletResponse);
            traceExit("doFilter : not token request type.");
            return;
        }

        if (isClientAuthenticated(authnData, oauthRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            traceExit("doFilter: client has been authenticated.");
            return;
        }

        httpResponse.sendError(401);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "doFilter: Client could not be verified. Either ID(" + authnData.getUserName() + ") or secret is incorrect.");
        }
        logger.log(Level.SEVERE, MessageFormatHelper.getFormattedMessage(resBundle, CLIENT_AUTH_ERROR_KEY, new Object[]{authnData.getUserName()}));
    }

    /**
     * Decides whether the supplied client credentials are acceptable for the request's provider.
     *
     * <p>Returns {@code false} when no credentials were provided, when the provider named by
     * the request cannot be resolved, or when the provider exposes no client provider. When
     * the provider allows public clients and the secret is absent or blank, the client is
     * accepted solely on the existence of its ID in the client store; in every other case the
     * client provider validates the ID/secret pair.
     *
     * <p>NOTE(review): with public clients enabled, knowledge of a registered client ID alone
     * passes this filter; whether that client may use the requested grant is not checked here
     * and is presumably enforced downstream — confirm.
     *
     * @param authnData    credentials gathered from the request
     * @param oauthRequest request wrapper supplying the provider name
     * @return {@code true} if the client is authenticated
     */
    private boolean isClientAuthenticated(ClientAuthnData authnData, OAuth20Request oauthRequest) {
        if (!authnData.hasProvided()) {
            return false;
        }
        OAuth20Provider provider = OAuth20ProviderFactory.getOAuth20Provider(oauthRequest.getProviderName());
        if (provider == null) {
            return false;
        }
        OAuth20ClientProvider clientProvider = provider.getClientProvider();
        if (clientProvider == null) {
            return false;
        }

        String clientId = authnData.getUserName();
        String secret = authnData.getPassWord();
        if (allowPublicClient(provider)) {
            boolean secretBlank = secret == null || secret.trim().length() <= 0;
            if (secretBlank) {
                // Public client: existence of the ID is sufficient.
                return clientProvider.exists(clientId);
            }
        }
        return clientProvider.validateClient(clientId, secret);
    }

    /**
     * Reads the provider's {@code oauth20.allow.public.clients} boolean configuration property.
     *
     * @param oAuth20Provider provider whose configuration is consulted
     * @return {@code true} if public (secret-less) clients are allowed
     */
    private boolean allowPublicClient(OAuth20Provider oAuth20Provider) {
        return oAuth20Provider.getConfiguration().getConfigPropertyBooleanValue(ALLOW_PUBLIC_CLIENTS_PROPERTY);
    }

    /**
     * Emits an exit trace when entry/exit tracing is enabled.
     *
     * @param message text to trace
     */
    private static void traceExit(String message) {
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, message);
        }
    }
}
