package com.ibm.ws.security.oidc.client;

import com.google.common.primitives.Shorts;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.crypto.InvalidPasswordDecodingException;
import com.ibm.websphere.crypto.PasswordUtil;
import com.ibm.websphere.crypto.UnsupportedCryptoAlgorithmException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.ws.security.oidc.client.filter.OidcResourceProtectionFilter;
import com.ibm.ws.security.oidc.util.MessageHelper;
import com.ibm.ws.security.oidc.util.OidcUtil;
import com.ibm.ws.security.openidconnect.jwk.JWKSet;
import java.util.ArrayList;
import java.util.Properties;

/* loaded from: input_file:com/ibm/ws/security/oidc/client/RelyingPartyConfig.class */
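/**
 * Configuration of one OpenID Connect relying party (RP): provider endpoints,
 * client credentials, cookie/session flags, claim-to-identity mapping and the
 * ID-token verification settings read by the rest of the client.
 *
 * <p>All values are populated by {@link #initialize(Properties)} from a
 * {@link Properties} instance; the public setters exist so callers can adjust
 * individual values afterwards. Security-relevant defaults set here (each one
 * overridable through properties):
 * <ul>
 *   <li>{@code sslOnly=true} — the authorize, token and introspect endpoints
 *       are passed through {@code RelyingPartyUtils.checkHttpsRequirement}.</li>
 *   <li>{@code httpOnly=true} — exposed via {@link #getHttpOnly()}; presumably
 *       applied by the caller to the RP session cookie
 *       {@code OIDCSESSIONID_<clientId>}.</li>
 *   <li>{@code idtokenSigningAlg="HS256"} — validated by
 *       {@code RelyingPartyUtils.validateIdtokenSigningAlg}.</li>
 *   <li>{@code clockSkew=180} (units not shown in this file) and
 *       {@code nonceEnabled=false} unless the nonce property is a true value.</li>
 * </ul>
 *
 * <p>The client secret is only ever decoded when it carries the {@code xor}
 * algorithm tag; any other value is stored verbatim. {@link #toString()} masks
 * both the secret and the derived HTTP Basic header: the header is just
 * base64({@code clientId:clientSecret}), so printing it would leak the secret
 * into trace output.
 */
public class RelyingPartyConfig {
    // NOTE(review): the trace component is registered against RelyingParty.class,
    // not this class — kept as-is because it determines the trace naming callers see.
    private static final TraceComponent tc = Tr.register(RelyingParty.class, MessageHelper._TR_GROUP, MessageHelper._MSG_FILE);
    private JWKSet jwkset;
    private String prompt;
    protected OidcResourceProtectionFilter filter;
    /** Token-endpoint authentication method: credentials in the POST body. */
    public static final String POST = "post";
    /** Token-endpoint authentication method: HTTP Basic {@code Authorization} header. */
    public static final String BASIC = "basic";
    /** Default size of the cookie that carries saved POST parameters (16384). */
    private static final int POST_PARAMETER_COOKIE_SIZE_DEFAULT = Shorts.MAX_POWER_OF_TWO;
    private ArrayList<String> protectedContextPaths = null;
    private ArrayList<String> excludedPathFilter = null;
    private String clientId = null;
    /** Decoded (plaintext) client secret — never log this value directly. */
    private String clientSecret = null;
    /** Pre-built HTTP Basic header for {@code clientId:clientSecret}; equally sensitive. */
    private String clientBasicAuth = null;
    private String serverUrl = null;
    private String signinCB = null;
    private String signinCBEnc = null;
    private String introspectEndpoint = null;
    private String authorizeEndpoint = null;
    private String tokenEndpoint = null;
    private String cbServletContext = null;
    private boolean endpointsInitialized = false;
    private String RPCookieName = null;
    private String rpScope = null;
    private String rpCallbackHostAndPort = null;
    private boolean allowImplictClientFlow = false;
    private boolean sslOnly = true;
    private boolean httpOnly = true;
    private String providerId = null;
    private String jsonWebKey = null;
    private String jwkEndpoint = null;
    private String tokenEndpointAuthMethod = POST;
    private long clockSkew = 0;
    private boolean nonceEnabled = false;
    private JwKRetriever jwkRetriver = null;
    private String realmIdentifier = null;
    private String uniqueUserIdentifier = null;
    private String userIdentifier = null;
    private String groupIdentifier = null;
    private boolean mapIdentityToRegistry = false;
    private String issuerIdentifier = null;
    private String idtokenSigningAlg = "HS256";
    private boolean urlEncodeEnabled = false;
    private String verifyingAlias = null;
    private int postParameterCookieSize = POST_PARAMETER_COOKIE_SIZE_DEFAULT;
    private boolean createHttpSession = false;
    private boolean refreshAccessToken = true;
    private long timeBeforeExpires = 0;
    private String responseContentType = "text/html; charset=UTF-8";

    /**
     * Populates every configuration value from {@code properties}.
     *
     * <p>Validation performed here: the callback host/port (when given), the
     * HTTPS requirement on the authorize/token/introspect endpoints (driven by
     * {@code sslOnly}), and the ID-token signing algorithm. The client secret
     * is decoded only when {@code PasswordUtil} reports the {@code xor}
     * algorithm; a value with any other tag is used verbatim.
     *
     * @param properties the RP property set
     * @return always {@code 0}
     * @throws WebTrustAssociationFailedException if the encoded client secret
     *         cannot be decoded, or if any of the validation helpers throws it
     */
    public int initialize(Properties properties) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initialize(props[" + OidcUtil.getObjState(properties) + "])");
        }
        this.protectedContextPaths = RelyingPartyUtils.getUris(properties, RelyingPartyConstants.INTERCEPTED_PATH_FILTER);
        this.clientId = OidcUtil.getProperty(properties, RelyingPartyConstants.CLIENT_ID, null);
        this.authorizeEndpoint = OidcUtil.getProperty(properties, RelyingPartyConstants.AUTHORIZE_ENDPOINT, null);
        this.tokenEndpoint = OidcUtil.getProperty(properties, RelyingPartyConstants.TOKEN_ENDPOINT, null);
        this.introspectEndpoint = OidcUtil.getOptionalProperty(properties, RelyingPartyConstants.INTROSPECT_ENDPOINT, false);
        this.cbServletContext = OidcUtil.getProperty(properties, RelyingPartyConstants.CB_SERVLET_CONTEXT, "/oidcclient");
        this.excludedPathFilter = RelyingPartyUtils.getUris(properties, RelyingPartyConstants.EXCLUDED_PATH_FILTER);
        this.rpScope = OidcUtil.getProperty(properties, "scope", "openid profile");
        // Both transport-hardening flags default to on; only an explicit "false" turns them off.
        this.sslOnly = Boolean.parseBoolean(OidcUtil.getProperty(properties, RelyingPartyConstants.SSLONLY, "true"));
        this.httpOnly = Boolean.parseBoolean(OidcUtil.getProperty(properties, RelyingPartyConstants.HTTPONLY, "true"));
        this.rpCallbackHostAndPort = OidcUtil.getProperty(properties, RelyingPartyConstants.RP_CALLBACK_HOST_PORT);
        if (this.rpCallbackHostAndPort != null) {
            RelyingPartyUtils.validateHostAndPort(this.rpCallbackHostAndPort);
        }
        this.mapIdentityToRegistry = Boolean.parseBoolean(OidcUtil.getProperty(properties, RelyingPartyConstants.MAP_IDENTITY_TO_REGISTRY, "false"));
        this.createHttpSession = Boolean.parseBoolean(OidcUtil.getProperty(properties, RelyingPartyConstants.CREATE_SESSION, "false"));
        this.refreshAccessToken = Boolean.parseBoolean(OidcUtil.getProperty(properties, RelyingPartyConstants.REFRESH_EXPIRED_ACCESS_TOKEN, "true"));
        this.timeBeforeExpires = OidcUtil.processLongProperty(RelyingPartyConstants.REFRESH_TIME_BEFORE_AT_EXPIRES, OidcUtil.getProperty(properties, RelyingPartyConstants.REFRESH_TIME_BEFORE_AT_EXPIRES), 0L);
        // Issuer defaults to the authorize endpoint minus its last path segment. The helper
        // guards the null / no-slash cases that would otherwise throw out of substring().
        this.issuerIdentifier = OidcUtil.getProperty(properties, RelyingPartyConstants.ISSUER_IDENTIFIER, defaultIssuerFrom(this.authorizeEndpoint));
        this.groupIdentifier = OidcUtil.getProperty(properties, RelyingPartyConstants.GROUP_IDENTIFIER, "groupIds");
        this.userIdentifier = OidcUtil.getProperty(properties, RelyingPartyConstants.USER_IDENTIFIER, "sub");
        this.uniqueUserIdentifier = OidcUtil.getProperty(properties, RelyingPartyConstants.UID_IDENTIFIER, "uniqueSecurityName");
        this.realmIdentifier = OidcUtil.getProperty(properties, RelyingPartyConstants.REALM_IDENTIFIER, "realmName");
        this.filter = new OidcResourceProtectionFilter(OidcUtil.getProperty(properties, RelyingPartyConstants.FILTER), false);
        RelyingPartyUtils.checkHttpsRequirement(this.sslOnly, this.authorizeEndpoint);
        RelyingPartyUtils.checkHttpsRequirement(this.sslOnly, this.tokenEndpoint);
        RelyingPartyUtils.checkHttpsRequirement(this.sslOnly, this.introspectEndpoint);
        this.providerId = OidcUtil.getOptionalProperty(properties, RelyingPartyConstants.PROVIDER_ID, false);
        this.idtokenSigningAlg = OidcUtil.getProperty(properties, RelyingPartyConstants.IDTOKEN_SIGNING_ALG, "HS256");
        RelyingPartyUtils.validateIdtokenSigningAlg(this.idtokenSigningAlg);
        this.responseContentType = OidcUtil.getProperty(properties, RelyingPartyConstants.RESPONSE_CONTENT_TYPE, "text/html; charset=UTF-8");
        String secretProperty = OidcUtil.getSecretProperty(properties, RelyingPartyConstants.CLIENT_SECRET, null);
        try {
            // Only {xor}-encoded secrets are decoded; anything else is taken as-is.
            if ("xor".equals(PasswordUtil.getCryptoAlgorithm(secretProperty))) {
                this.clientSecret = PasswordUtil.decode(secretProperty);
            } else {
                this.clientSecret = secretProperty;
            }
            // Read through getSecretProperty in the original; kept so lookup semantics do not change.
            this.allowImplictClientFlow = Boolean.parseBoolean(OidcUtil.getSecretProperty(properties, RelyingPartyConstants.ALLOW_IMPLICIT_CLIENT_FLOW, "false"));
            if (!this.cbServletContext.startsWith("/")) {
                this.cbServletContext = "/" + this.cbServletContext;
            }
            this.RPCookieName = "OIDCSESSIONID_" + this.clientId;
            this.clientBasicAuth = RelyingPartyUtils.getBasicAuthHeader(this.clientId, this.clientSecret);
            this.prompt = OidcUtil.getProperty(properties, RelyingPartyConstants.PROMPT);
            this.jwkEndpoint = OidcUtil.getProperty(properties, RelyingPartyConstants.JWK_ENDPOINT);
            this.jsonWebKey = OidcUtil.getProperty(properties, RelyingPartyConstants.JWK_KEY);
            this.tokenEndpointAuthMethod = OidcUtil.getProperty(properties, RelyingPartyConstants.TOKEN_ENDPOINT_AUTHN_METHOD, POST);
            this.clockSkew = OidcUtil.processLongProperty(RelyingPartyConstants.CLOCK_SKEW, OidcUtil.getProperty(properties, RelyingPartyConstants.CLOCK_SKEW), 180L);
            this.nonceEnabled = OidcUtil.isTrue(OidcUtil.getProperty(properties, RelyingPartyConstants.NONCE_ENABLED));
            this.jwkset = new JWKSet();
            this.jwkRetriver = new JwKRetriever();
            this.urlEncodeEnabled = OidcUtil.getIsTrueProperty(properties, RelyingPartyConstants.ENCODE_PARAMETERS);
            this.verifyingAlias = OidcUtil.getProperty(properties, RelyingPartyConstants.VERIFYING_ALIAS);
            String cookieSizeProperty = OidcUtil.getProperty(properties, RelyingPartyConstants.POSTPARAMETERCOOKIESIZE);
            if (OidcUtil.hasValue(cookieSizeProperty)) {
                // Narrowing cast: a configured value outside the int range would wrap silently.
                this.postParameterCookieSize = (int) OidcUtil.processLongProperty(RelyingPartyConstants.POSTPARAMETERCOOKIESIZE, cookieSizeProperty, POST_PARAMETER_COOKIE_SIZE_DEFAULT);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "initialize");
            }
            return 0;
        } catch (InvalidPasswordDecodingException e) {
            throw invalidPasswordEncoding();
        } catch (UnsupportedCryptoAlgorithmException e2) {
            throw invalidPasswordEncoding();
        }
    }

    /**
     * Derives the default issuer identifier: the authorize endpoint with its
     * last path segment removed.
     *
     * @param authorizeEndpoint the configured authorize endpoint, possibly null
     * @return the derived issuer, or {@code null} when the endpoint is null or
     *         contains no {@code '/'} (so that no default can be derived)
     */
    private static String defaultIssuerFrom(String authorizeEndpoint) {
        if (authorizeEndpoint == null) {
            return null;
        }
        int lastSlash = authorizeEndpoint.lastIndexOf('/');
        return lastSlash < 0 ? null : authorizeEndpoint.substring(0, lastSlash);
    }

    /** Logs and builds the failure raised when the encoded client secret cannot be decoded. */
    private static WebTrustAssociationFailedException invalidPasswordEncoding() {
        String message = MessageHelper.getMessage("security.oidc.client.invalidpasswordencoding");
        Tr.error(tc, message);
        return new WebTrustAssociationFailedException(message);
    }

    /** @return context paths protected by the RP (from the intercepted-path property). */
    public ArrayList<String> getProtectedContextPaths() {
        return this.protectedContextPaths;
    }

    /** @return context paths excluded from protection. */
    public ArrayList<String> getExcludedPathFilter() {
        return this.excludedPathFilter;
    }

    /** @return the OAuth client id. */
    public String getClientId() {
        return this.clientId;
    }

    /**
     * @return the client id, URL-encoded when parameter encoding is enabled
     * @throws WebTrustAssociationFailedException if encoding fails
     */
    public String getClientIdEncoded() throws WebTrustAssociationFailedException {
        return this.urlEncodeEnabled ? RelyingPartyUtils.urlEncode(getClientId()) : getClientId();
    }

    /** @return the plaintext client secret; do not write it to logs. */
    public String getClientSecret() {
        return this.clientSecret;
    }

    /**
     * @return the client secret, URL-encoded when parameter encoding is enabled
     * @throws WebTrustAssociationFailedException if encoding fails
     */
    public String getClientSecretEncoded() throws WebTrustAssociationFailedException {
        return this.urlEncodeEnabled ? RelyingPartyUtils.urlEncode(getClientSecret()) : getClientSecret();
    }

    /** @return the HTTP Basic header value built from client id and secret (sensitive). */
    public String getClientBasicAuth() {
        return this.clientBasicAuth;
    }

    public String getServerUrl() {
        return this.serverUrl;
    }

    public String getSigninCB() {
        return this.signinCB;
    }

    public String getSigninCBEnc() {
        return this.signinCBEnc;
    }

    /** @return the optional token-introspection endpoint, or null. */
    public String getIntrospectEndpoint() {
        return this.introspectEndpoint;
    }

    public String getAuthorizeEndpoint() {
        return this.authorizeEndpoint;
    }

    /**
     * @return the authorize endpoint, URL-encoded when parameter encoding is enabled
     * @throws WebTrustAssociationFailedException if encoding fails
     */
    public String getAuthorizeEndpointEncoded() throws WebTrustAssociationFailedException {
        return this.urlEncodeEnabled ? RelyingPartyUtils.urlEncode(getAuthorizeEndpoint()) : getAuthorizeEndpoint();
    }

    public String getTokenEndpoint() {
        return this.tokenEndpoint;
    }

    /** @return the callback servlet context, always starting with {@code /} after initialize(). */
    public String getCbServletContext() {
        return this.cbServletContext;
    }

    public boolean getEndpointsInitialized() {
        return this.endpointsInitialized;
    }

    /** @return the RP session cookie name, {@code OIDCSESSIONID_<clientId>} after initialize(). */
    public String getRPCookieName() {
        return this.RPCookieName;
    }

    /** @return the requested scope string (default {@code "openid profile"}). */
    public String getRpScope() {
        return this.rpScope;
    }

    public String getRpCallbackHostAndPort() {
        return this.rpCallbackHostAndPort;
    }

    /** @return whether the implicit client flow is allowed (default false). */
    public boolean getAllowImplictClientFlow() {
        return this.allowImplictClientFlow;
    }

    /** @return whether provider endpoints must be HTTPS (default true). */
    public boolean getSslOnly() {
        return this.sslOnly;
    }

    /** @return the HttpOnly cookie flag setting (default true). */
    public boolean getHttpOnly() {
        return this.httpOnly;
    }

    public String getProviderId() {
        return this.providerId;
    }

    public void setProtectedContextPaths(ArrayList<String> arrayList) {
        this.protectedContextPaths = arrayList;
    }

    public void setExcludedPathFilter(ArrayList<String> arrayList) {
        this.excludedPathFilter = arrayList;
    }

    public void setClientId(String str) {
        this.clientId = str;
    }

    /** Replaces the client secret; note this does not rebuild {@link #getClientBasicAuth()}. */
    public void setClientSecret(String str) {
        this.clientSecret = str;
    }

    public void setClientBasicAuth(String str) {
        this.clientBasicAuth = str;
    }

    public void setServerUrl(String str) {
        this.serverUrl = str;
    }

    public void setSigninCB(String str) {
        this.signinCB = str;
    }

    public void setSigninCBEnc(String str) {
        this.signinCBEnc = str;
    }

    public void setIntrospectEndpoint(String str) {
        this.introspectEndpoint = str;
    }

    public void setAuthorizeEndpoint(String str) {
        this.authorizeEndpoint = str;
    }

    public void setTokenEndpoint(String str) {
        this.tokenEndpoint = str;
    }

    public void setCbServletContext(String str) {
        this.cbServletContext = str;
    }

    public void setEndpointsInitialized(boolean z) {
        this.endpointsInitialized = z;
    }

    public void setRPCookieName(String str) {
        this.RPCookieName = str;
    }

    public void setRpScope(String str) {
        this.rpScope = str;
    }

    public void setRpCallbackHostAndPort(String str) {
        this.rpCallbackHostAndPort = str;
    }

    public void setAllowImplictClientFlow(boolean z) {
        this.allowImplictClientFlow = z;
    }

    /** Note: the HTTPS checks run only inside initialize(); flipping this later re-checks nothing. */
    public void setSslOnly(boolean z) {
        this.sslOnly = z;
    }

    public void setHttpOnly(boolean z) {
        this.httpOnly = z;
    }

    public void setProviderId(String str) {
        this.providerId = str;
    }

    /** @return the JWK set endpoint URL, or null if not configured. */
    public String getJwkEndpointUrl() {
        return this.jwkEndpoint;
    }

    /** @return the inline JSON Web Key property, or null if not configured. */
    public String getJsonWebKey() {
        return this.jsonWebKey;
    }

    /** @return {@link #POST} (default) or {@link #BASIC}, as configured. */
    public String getTokenEndpointAuthMethod() {
        return this.tokenEndpointAuthMethod;
    }

    /** @return the permitted clock skew for token time checks (default 180). */
    public long getClockSkew() {
        return this.clockSkew;
    }

    /** @return whether the nonce check is enabled (false unless explicitly set). */
    public boolean isNonceEnabled() {
        return this.nonceEnabled;
    }

    public JWKSet getJwkSet() {
        return this.jwkset;
    }

    public String getPrompt() {
        return this.prompt;
    }

    public JwKRetriever getJwKRetriever() {
        return this.jwkRetriver;
    }

    /** @return the claim name used for the realm (default {@code "realmName"}). */
    public String getRealmIdentifier() {
        return this.realmIdentifier;
    }

    /** @return the claim name used for the unique id (default {@code "uniqueSecurityName"}). */
    public String getUniqueUserIdentifier() {
        return this.uniqueUserIdentifier;
    }

    /** @return the claim name used for the user principal (default {@code "sub"}). */
    public String getUserIdentifier() {
        return this.userIdentifier;
    }

    /** @return the claim name used for groups (default {@code "groupIds"}). */
    public String getGroupIdentifier() {
        return this.groupIdentifier;
    }

    public boolean getMapIdentityToRegistry() {
        return this.mapIdentityToRegistry;
    }

    public OidcResourceProtectionFilter getFilter() {
        return this.filter;
    }

    public void setUrlEncodeEnabled(boolean z) {
        this.urlEncodeEnabled = z;
    }

    /** @return whether request parameters are URL-encoded; traced at debug level. */
    public boolean getUrlEncodeEnabled() {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getUrlEncodeEnabled returns [" + this.urlEncodeEnabled + "]");
        }
        return this.urlEncodeEnabled;
    }

    public boolean getCreateHttpSession() {
        return this.createHttpSession;
    }

    public boolean getRefreshAccessToken() {
        return this.refreshAccessToken;
    }

    public long getTimeBeforeExpires() {
        return this.timeBeforeExpires;
    }

    /** @return the expected {@code iss} value; derived from the authorize endpoint when not set. */
    public String getIssuerIdentifier() {
        return this.issuerIdentifier;
    }

    /** @return the ID-token signing algorithm (default {@code "HS256"}). */
    public String getSignatureAlgorithm() {
        return this.idtokenSigningAlg;
    }

    public String getVerifyingAlias() {
        return this.verifyingAlias;
    }

    public String getResponseContentType() {
        return this.responseContentType;
    }

    public int getPostParameterCookieSize() {
        return this.postParameterCookieSize;
    }

    /**
     * Diagnostic dump of the configuration. The client secret AND the derived
     * Basic-auth header are both passed through {@code OidcUtil.getObjState}
     * rather than printed: the header is base64 of {@code clientId:clientSecret},
     * so printing it verbatim (as earlier versions did) leaked the secret.
     */
    public String toString() {
        StringBuilder out = new StringBuilder(getClass().getName()).append("(");
        out.append("protectedContextPaths=[").append(OidcUtil.getObjState(getProtectedContextPaths())).append("], ");
        out.append("excludedPathFilter=[").append(OidcUtil.getObjState(getExcludedPathFilter())).append("], ");
        out.append("clientId=[").append(getClientId()).append("], ");
        out.append("clientSecret=[").append(OidcUtil.getObjState(getClientSecret())).append("], ");
        out.append("clientBasicAuth=[").append(OidcUtil.getObjState(getClientBasicAuth())).append("], ");
        out.append("serverUrl=[").append(getServerUrl()).append("], ");
        out.append("signinCB=[").append(getSigninCB()).append("], ");
        out.append("signinCBEnc=[").append(getSigninCBEnc()).append("], ");
        out.append("introspectEndpoint=[").append(getIntrospectEndpoint()).append("], ");
        out.append("authorizeEndpoint=[").append(getAuthorizeEndpoint()).append("], ");
        out.append("tokenEndpoint=[").append(getTokenEndpoint()).append("], ");
        out.append("cbServletContext=[").append(getCbServletContext()).append("], ");
        out.append("endpointsInitialized=[").append(getEndpointsInitialized()).append("], ");
        out.append("RPCookieName=[").append(getRPCookieName()).append("], ");
        out.append("rpScope=[").append(getRpScope()).append("], ");
        out.append("rpCallbackHostAndPort=[").append(getRpCallbackHostAndPort()).append("], ");
        out.append("allowImplictClientFlow=[").append(getAllowImplictClientFlow()).append("], ");
        out.append("urlEncodeEnabled=[").append(getUrlEncodeEnabled()).append("], ");
        out.append("createHttpSession=[").append(getCreateHttpSession()).append("], ");
        out.append("refreshAccessToken=[").append(getRefreshAccessToken()).append("], ");
        out.append("postParameterCookieSize=[").append(getPostParameterCookieSize()).append("], ");
        out.append("sslOnly=[").append(getSslOnly()).append("], ");
        out.append("httpOnly=[").append(getHttpOnly()).append("], ");
        out.append("verifyingAlias=[").append(getVerifyingAlias()).append("], ");
        out.append(")");
        return out.toString();
    }
}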
