package com.ibm.ws.security.oidc.client;

import com.google.common.net.HttpHeaders;
import com.google.gson.JsonObject;
import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.ws.security.oidc.util.MessageHelper;
import com.ibm.ws.security.oidc.util.OidcUtil;
import com.ibm.ws.security.openidconnect.common.Constants;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptorExt;
import java.io.PrintWriter;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:com/ibm/ws/security/oidc/client/RelyingParty.class */
public class RelyingParty implements TrustAssociationInterceptor, TrustAssociationInterceptorExt {
    // Trace component for this class; every entry/exit and debug trace below is gated on it.
    private static final TraceComponent tc = Tr.register(RelyingParty.class, MessageHelper._TR_GROUP, MessageHelper._MSG_FILE);
    // TAI configuration built from the properties passed to initialize(Properties); null until then.
    private OidcTAIConfig oidcTaiConfig = null;

    /**
     * Releases interceptor resources. This implementation holds nothing that needs
     * releasing, so it only emits the entry/exit trace pair.
     */
    public void cleanup() {
        if (!tc.isEntryEnabled()) {
            return;
        }
        Tr.entry(tc, "cleanup");
        Tr.exit(tc, "cleanup");
    }

    /**
     * Returns the descriptive type of this interceptor.
     *
     * @return a fixed, human-readable type string
     */
    public String getType() {
        final String type = "Jazz Security Architecture OIDC TrustAssociationInterceptor";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getType");
            Tr.exit(tc, "getType returns [" + type + "]");
        }
        return type;
    }

    /**
     * Returns the version string of this interceptor.
     *
     * @return the fixed version "1.0"
     */
    public String getVersion() {
        final String version = "1.0";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getVersion");
            Tr.exit(tc, "getVersion returns [" + version + "]");
        }
        return version;
    }

    /**
     * Builds the TAI configuration from the interceptor properties supplied by the
     * security runtime and stores it for use by the other methods.
     *
     * @param properties interceptor properties as configured in the security runtime
     * @return always 0
     * @throws WebTrustAssociationFailedException declared by the interface; not thrown here directly
     */
    public int initialize(Properties properties) throws WebTrustAssociationFailedException {
        final boolean entryTrace = tc.isEntryEnabled();
        if (entryTrace) {
            Tr.entry(tc, "initialize(props[" + OidcUtil.getObjState(properties) + "])");
        }
        OidcTAIConfig config = new OidcTAIConfig(properties);
        this.oidcTaiConfig = config;
        if (tc.isDebugEnabled()) {
            // NOTE(review): the whole configuration is traced here; confirm OidcTAIConfig.toString()
            // masks secrets such as the client secret before enabling debug trace in production.
            Tr.debug(tc, config.toString());
        }
        if (entryTrace) {
            Tr.exit(tc, "initialize");
        }
        return 0;
    }

    /**
     * Tells the security runtime whether this TAI wants to handle the request: true only when a
     * relying-party configuration matches the request and, if that configuration requires HTTPS,
     * the request scheme is not plain "http".
     *
     * @param httpServletRequest the incoming request; a null request is never intercepted
     * @return whether negotiateValidateandEstablishTrust should be invoked for this request
     * @throws WebTrustAssociationException declared by the interface; not thrown here
     */
    public boolean isTargetInterceptor(HttpServletRequest httpServletRequest) throws WebTrustAssociationException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isTargetInterceptor(req[" + OidcUtil.getObjState(httpServletRequest) + "])");
        }
        if (httpServletRequest == null) {
            return traceExitIsTarget(false, "isTargetInterceptor returns [false]");
        }
        RelyingPartyConfig rpConfig = this.oidcTaiConfig.getRelyingPartyConfig(httpServletRequest);
        if (rpConfig == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The URL: [" + httpServletRequest.getRequestURL() + "] ignored by OIDC RelyingParty");
            }
            return traceExitIsTarget(false, "isTargetInterceptor returns [false]");
        }
        if (rpConfig.getSslOnly() && httpServletRequest.getScheme().equals("http")) {
            // NOTE(review): getScheme() describes the connection to this server; behind a
            // TLS-terminating proxy it can be "http" although the client used HTTPS — confirm topology.
            return traceExitIsTarget(false, "isTargetInterceptor returns [false], HTTP request ignored as [httpsRequired] is set to true. Only HTTPS request will be intercepted");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "The URL: [" + httpServletRequest.getRequestURL() + "] accepted by OIDC RelyingParty");
        }
        return traceExitIsTarget(true, "isTargetInterceptor returns [true]");
    }

    /** Emits the exit trace for isTargetInterceptor when entry tracing is on and passes {@code result} through. */
    private static boolean traceExitIsTarget(boolean result, String exitMessage) {
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, exitMessage);
        }
        return result;
    }

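    /**
     * Authenticates the request. Requests arriving on the sign-in callback context are handed to
     * handleSigninCallback; all others are tried in order against the RP session cookie, then (if
     * the implicit client flow is allowed) Basic auth, then (if an introspection endpoint is
     * configured) an access token, then (implicit flow, non-browser clients only) an LTPA token.
     * When none yields a result the login flow is initiated.
     *
     * @param httpServletRequest  the request to authenticate
     * @param httpServletResponse the response; may receive cookies, headers or a redirect page
     * @return the TAIResult produced by the first successful strategy or by the login initiation
     * @throws WebTrustAssociationFailedException if either parameter is null, no relying-party
     *         configuration matches the request, or a delegate fails
     */
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "negotiateValidateandEstablishTrust(req[" + OidcUtil.getObjState(httpServletRequest) + ",res[" + OidcUtil.getObjState(httpServletResponse) + "])");
        }
        if (httpServletRequest == null || httpServletResponse == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "One or more of the parameters passed to this method is null");
            }
            throw new WebTrustAssociationFailedException();
        }
        RelyingPartyConfig relyingPartyConfig = this.oidcTaiConfig.getRelyingPartyConfig(httpServletRequest);
        if (relyingPartyConfig == null) {
            // isTargetInterceptor() answers false for such requests, so this is not expected; fail closed
            // rather than dereferencing null below.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No RelyingPartyConfig matches the request: [" + httpServletRequest.getRequestURI() + "]");
            }
            throw new WebTrustAssociationFailedException();
        }
        if (relyingPartyConfig.getCreateHttpSession()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Creating new session...");
            }
            try {
                httpServletRequest.getSession(true);
            } catch (Exception ignored) {
                // Best-effort: session creation is optional for the flow, so failures are only traced.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Ignoring getSession exception");
                }
            }
        }
        String requestURI = httpServletRequest.getRequestURI();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "RelyingParty processing the request for: [" + requestURI + "]");
        }
        if (!relyingPartyConfig.getEndpointsInitialized()) {
            // Lazily derive the callback URL (the redirect_uri sent to the OP) from the first intercepted
            // request and cache it on the configuration.
            // NOTE(review): if getRedirectUrlFromServerToClient falls back to the request's Host header when
            // rpCallbackHostAndPort is unset, the first request pins the redirect_uri for all later ones —
            // confirm, and prefer configuring rpCallbackHostAndPort explicitly.
            // NOTE(review): this check-then-set is unsynchronized; concurrent first requests may each run it.
            relyingPartyConfig.setServerUrl(RelyingPartyUtils.getRedirectUrlFromServerToClient(httpServletRequest, relyingPartyConfig.getRpCallbackHostAndPort()));
            relyingPartyConfig.setSigninCB(relyingPartyConfig.getServerUrl() + relyingPartyConfig.getCbServletContext());
            if (relyingPartyConfig.getProviderId() != null) {
                relyingPartyConfig.setSigninCB(relyingPartyConfig.getSigninCB() + "/" + relyingPartyConfig.getProviderId());
            } else {
                relyingPartyConfig.setSigninCB(relyingPartyConfig.getSigninCB() + RelyingPartyConstants.SIGNINCB);
            }
            relyingPartyConfig.setSigninCBEnc(RelyingPartyUtils.urlEncode(relyingPartyConfig.getSigninCB()));
            relyingPartyConfig.setEndpointsInitialized(true);
        }
        // Cache housekeeping on every request (presumably expiring stale entries).
        SessionCache.CACHE.cleanup();
        TAIResult result;
        if (httpServletRequest.getContextPath().equals(relyingPartyConfig.getCbServletContext())) {
            result = handleSigninCallback(httpServletRequest, httpServletResponse, relyingPartyConfig);
        } else {
            result = AuthenticateUsingSessionCookie(httpServletRequest, relyingPartyConfig);
            if (result == null && relyingPartyConfig.getAllowImplictClientFlow()) {
                result = AuthenticateUsingBasicAuth(httpServletRequest, httpServletResponse, relyingPartyConfig);
            }
            if (result == null && relyingPartyConfig.getIntrospectEndpoint() != null) {
                result = AuthenticateUsingAccessToken(httpServletRequest, httpServletResponse, relyingPartyConfig);
            }
            if (result == null && relyingPartyConfig.getAllowImplictClientFlow() && !RelyingPartyUtils.isRequestingClientABrowser(httpServletRequest)) {
                result = AuthenticateUsingLTPAToken(httpServletRequest, httpServletResponse, relyingPartyConfig);
            }
            if (result == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Request does not have any authentication credential... initiating Login");
                }
                result = initiateLogin(httpServletRequest, httpServletResponse, relyingPartyConfig);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "negotiateValidateandEstablishTrust returns [" + OidcUtil.getObjState(result) + "]");
        }
        return result;
    }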

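    /**
     * Starts the authorization-code login flow for an unauthenticated request: creates a session
     * entry with a state id, saves the original URL so it can be replayed after the callback,
     * stores the session data in a cookie, and answers 401 with a small HTML page whose script
     * sends the browser to the OP's authorize endpoint.
     *
     * @param httpServletRequest  the request that carried no usable credentials
     * @param httpServletResponse response that receives the state cookie and the redirect page
     * @param relyingPartyConfig  relying-party configuration; must not be null
     * @return a 401 result once the page is written, or a 503 result when session setup failed
     *         with a {@link RelyingPartyException}
     * @throws WebTrustAssociationFailedException if {@code relyingPartyConfig} is null, the configured
     *         scope lacks the required scope, or writing the response fails
     */
    private TAIResult initiateLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, RelyingPartyConfig relyingPartyConfig) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initiateLogin(req[" + OidcUtil.getObjState(httpServletRequest) + ",res[" + OidcUtil.getObjState(httpServletResponse) + "], rpConfig[" + OidcUtil.getObjState(relyingPartyConfig) + "])");
        }
        if (relyingPartyConfig == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "One or more of the parameters passed to this method is null");
            }
            throw new WebTrustAssociationFailedException();
        }
        String rpScope = relyingPartyConfig.getRpScope();
        if (rpScope == null || !rpScope.contains(RelyingPartyConstants.REQUIRED_SCOPE)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "RP scope custom property is either null or not valid. " + rpScope);
            }
            String message = MessageHelper.getMessage("security.oidc.client.scope.invalid", new String[]{"scope", rpScope, RelyingPartyConstants.REQUIRED_SCOPE});
            Tr.error(tc, message);
            throw new WebTrustAssociationFailedException(message);
        }
        httpServletResponse.setHeader(HttpHeaders.CONTENT_TYPE, "text/html");
        httpServletResponse.setStatus(401);
        try {
            TAIResult result;
            try {
                SessionData sessionData = SessionCache.CACHE.createEntry();
                String stateId = sessionData.getStateId();
                RelyingPartyUtils.saveInitialUrl(stateId, httpServletRequest);
                RelyingPartyUtils.storeSessionDataInCookie(stateId, sessionData, relyingPartyConfig, httpServletResponse);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Initiating login flow with stateId: [" + stateId + "]");
                }
                // The page assembles the authorize URL in script. stateId comes from SessionCache and every
                // other interpolated value from RP configuration; none is escaped for the JavaScript string
                // context, so the configuration is trusted not to contain quote or newline characters.
                // NOTE(review): confirm that assumption wherever the configuration is editable by non-admins.
                PrintWriter writer = httpServletResponse.getWriter();
                try {
                    writer.println("<html>");
                    writer.println("<head></head>");
                    writer.println("<body onload=\"");
                    writer.println("var csrfValue = '" + stateId + "';");
                    writer.println("var redirectUri = '" + relyingPartyConfig.getSigninCB() + "';");
                    writer.println("var authRequestUri = '" + relyingPartyConfig.getAuthorizeEndpoint() + "'");
                    writer.println("+ '?response_type=code'");
                    writer.println("+ '&client_id=" + relyingPartyConfig.getClientIdEncoded() + "'");
                    writer.println("+ '&scope=' + encodeURIComponent('" + relyingPartyConfig.getRpScope() + "')");
                    writer.println("+ '&state=' + encodeURIComponent(csrfValue)");
                    writer.println("+ '&redirect_uri=' + encodeURIComponent(redirectUri);");
                    writer.println("location.replace(authRequestUri);\">");
                    writer.println("</body>");
                    writer.println("</html>");
                } finally {
                    // Close on every path; the original only closed after a fully successful write.
                    writer.close();
                }
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Returning SC_UNAUTHORIZED response");
                }
                result = TAIResult.create(401);
            } catch (RelyingPartyException e) {
                // Session setup failed: report the service as unavailable instead of failing the TAI.
                httpServletResponse.addHeader(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"default\", error=\"Service unavailable\"");
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Responding with code: 503");
                }
                result = TAIResult.create(503);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "initiateLogin returns [" + OidcUtil.getObjState(result) + "]");
            }
            return result;
        } catch (Exception e) {
            // Anything else (I/O while writing, unexpected runtime failures) fails the login flow with cause kept.
            String message = MessageHelper.getMessage("security.oidc.client.loginflow.fail", e.getMessage());
            Tr.error(tc, message);
            WebTrustAssociationFailedException failure = new WebTrustAssociationFailedException(message);
            failure.initCause(e);
            throw failure;
        }
    }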

    /* JADX WARN: Finally extract failed */
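    /**
     * Handles the OP's redirect back to the sign-in callback: validates the {@code state},
     * exchanges the authorization {@code code} for tokens at the token endpoint, issues the RP
     * session cookie and sends the browser back to the originally requested URL — a 302 for
     * GET-style requests, an auto-submitting form for POST/PUT.
     *
     * @param httpServletRequest  the callback request carrying {@code code}, {@code state} and optionally {@code error}
     * @param httpServletResponse response on which the session cookie and the redirect or form page are written
     * @param relyingPartyConfig  configuration of the relying party that owns this callback; must not be null
     * @return a 401 result after the form-post page was written, or a 302 result with a Location header
     * @throws WebTrustAssociationFailedException if the configuration, {@code state} or {@code code} is missing,
     *         the OP reported an error, no session data exists for the state, the code exchange fails,
     *         or the response cannot be written
     */
    private TAIResult handleSigninCallback(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, RelyingPartyConfig relyingPartyConfig) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "handleSigninCallback(req[" + OidcUtil.getObjState(httpServletRequest) + ",res[" + OidcUtil.getObjState(httpServletResponse) + "], rpConfig[" + OidcUtil.getObjState(relyingPartyConfig) + "])");
        }
        if (relyingPartyConfig == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "One or more of the parameters passed to this method is null");
            }
            throw new WebTrustAssociationFailedException();
        }
        String code = httpServletRequest.getParameter("code");
        String stateId = httpServletRequest.getParameter(Constants.STATE);
        String error = httpServletRequest.getParameter(Constants.ERROR);
        if (stateId == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The login callback received by the server has null value for state parameter");
            }
            throw failLoginFlow("StateId parameter is null");
        }
        if (error != null) {
            // The OP reported an error for this state; the login cannot continue.
            String message = MessageHelper.getMessage("security.oidc.client.loginflowcallback.error", new Object[]{error, stateId});
            Tr.error(tc, message);
            throw new WebTrustAssociationFailedException(message);
        }
        SessionData sessionData = SessionCache.CACHE.getEntryUsingStateId(stateId);
        if (sessionData == null) {
            // Cache miss: fall back to the state cookie written by initiateLogin.
            sessionData = RelyingPartyUtils.restoreSessionDataFromCookie(stateId, httpServletRequest, httpServletResponse);
        } else {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Session data retrieved from cache; deleting unneeded cookie.");
            }
            RelyingPartyUtils.deleteStateCookie(httpServletRequest, httpServletResponse, stateId);
        }
        if (sessionData == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The TAI did not find an entry, in the cache, for the state id:[" + stateId + "] received in the login callback");
            }
            throw failLoginFlow("No entry in cache for stateid: " + stateId);
        }
        if (code == null) {
            // Without a code the token request cannot succeed; fail here rather than sending "code=null".
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The login callback received by the server has null value for code parameter");
            }
            throw failLoginFlow("code parameter is null");
        }
        // Form-encode the token request. The code arrives on the callback URL and is not trusted, so it is
        // URL-encoded; unencoded, a value containing '&' could add parameters to the token request.
        StringBuilder tokenRequest = new StringBuilder("grant_type=authorization_code");
        tokenRequest.append("&code=").append(RelyingPartyUtils.urlEncode(code));
        tokenRequest.append("&redirect_uri=").append(relyingPartyConfig.getSigninCBEnc());
        if (RelyingPartyConfig.POST.equalsIgnoreCase(relyingPartyConfig.getTokenEndpointAuthMethod())) {
            // client_secret_post: client credentials travel in the body (presumably Basic auth otherwise).
            tokenRequest.append("&client_id=").append(relyingPartyConfig.getClientIdEncoded());
            tokenRequest.append("&client_secret=").append(relyingPartyConfig.getClientSecretEncoded());
        }
        try {
            HashMap<String, String> tokenResponse = RelyingPartyUtils.invokePostRequestWithBasicAuth(relyingPartyConfig.getTokenEndpoint(), tokenRequest.toString(), relyingPartyConfig);
            String responseCode = tokenResponse.get("responseCode");
            String responseMsg = tokenResponse.get("responseMsg");
            if (!"200".equals(responseCode)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The TAI encountered failure while exchanging the authorization_code with accessToken.");
                    Tr.debug(tc, "The OP server responded with return code:[" + responseCode + "] and message:[" + responseMsg + "]");
                }
                throw failLoginFlow("response code: " + responseCode);
            }
            SessionCache.CACHE.updateEntryUsingStateId(stateId, responseMsg, relyingPartyConfig);
            Cookie sessionCookie = new Cookie(relyingPartyConfig.getRPCookieName(), sessionData.getSessionCookieId());
            sessionCookie.setPath("/");
            sessionCookie.setHttpOnly(relyingPartyConfig.getHttpOnly());
            // Secure follows the httpsRequired setting; without it the session cookie is also sent over plain HTTP.
            sessionCookie.setSecure(relyingPartyConfig.getSslOnly());
            sessionCookie.setMaxAge(-1); // browser-session cookie
            httpServletResponse.addCookie(sessionCookie);
            Map<String, String[]> parameterMap = sessionData.getParameterMap();
            String protectedUrlMethod = sessionData.getProtectedUrlMethod();
            // NOTE(review): protectedUrl is the URL saved by initiateLogin for this state; confirm saveInitialUrl
            // stores only the request's own URL so this cannot act as an open redirect.
            String protectedUrl = RelyingPartyUtils.replaceLocalhostWithHostnameOrIP(httpServletRequest, sessionData.getProtectedUrl());
            TAIResult result;
            if ("POST".equals(protectedUrlMethod) || "PUT".equals(protectedUrlMethod)) {
                result = replayAsFormPost(httpServletResponse, protectedUrl, protectedUrlMethod, parameterMap, relyingPartyConfig);
            } else {
                String query = buildQueryString(parameterMap);
                httpServletResponse.setHeader(HttpHeaders.LOCATION, query.length() == 0 ? protectedUrl : protectedUrl + "?" + query);
                result = TAIResult.create(302);
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "handleSigninCallback returns [" + OidcUtil.getObjState(result) + "]");
            }
            return result;
        } catch (RelyingPartyException e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The TAI encountered failure while exchanging the authorization_code with accessToken. The exception was [" + e.getMessage() + "]");
            }
            throw failLoginFlow(e.getMessage(), e);
        }
    }

    /** Logs the standard login-flow failure message for {@code detail} and returns the exception to throw. */
    private static WebTrustAssociationFailedException failLoginFlow(String detail) {
        String message = MessageHelper.getMessage("security.oidc.client.loginflow.fail", detail);
        Tr.error(tc, message);
        return new WebTrustAssociationFailedException(message);
    }

    /** As {@link #failLoginFlow(String)}, keeping {@code cause} as the exception's cause. */
    private static WebTrustAssociationFailedException failLoginFlow(String detail, Throwable cause) {
        WebTrustAssociationFailedException failure = failLoginFlow(detail);
        failure.initCause(cause);
        return failure;
    }

    /**
     * Writes an auto-submitting HTML form that replays the originally requested POST/PUT to
     * {@code protectedUrl} with its saved parameters and returns a 401 result. The URL and the
     * parameters were captured from the original, unauthenticated request, so every one of them
     * is HTML-escaped before being placed in an attribute.
     *
     * @throws WebTrustAssociationFailedException if the response body cannot be written
     */
    private static TAIResult replayAsFormPost(HttpServletResponse httpServletResponse, String protectedUrl, String protectedUrlMethod, Map<String, String[]> parameterMap, RelyingPartyConfig relyingPartyConfig) throws WebTrustAssociationFailedException {
        httpServletResponse.setHeader(HttpHeaders.CACHE_CONTROL, "no-cache, no-store, must-revalidate, private, max-age=0");
        httpServletResponse.setHeader(HttpHeaders.PRAGMA, "no-cache");
        httpServletResponse.setDateHeader(HttpHeaders.EXPIRES, 0L);
        String responseContentType = relyingPartyConfig.getResponseContentType();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Setting Response Content Type: " + responseContentType);
        }
        httpServletResponse.setContentType(responseContentType);
        try {
            PrintWriter printWriter = httpServletResponse.getWriter();
            try {
                printWriter.println("<html><head></head>");
                printWriter.println("<body onload='document.formoidcpost.submit()'>");
                // NOTE(review): HTML forms submit as GET or POST only; browsers submit a method='PUT' form as
                // GET. This matches the original behaviour and is left unchanged.
                printWriter.println("<form name='formoidcpost' action='" + escapeHtmlAttribute(protectedUrl) + "' method='" + protectedUrlMethod + "'>");
                if (parameterMap != null) {
                    for (Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
                        String name = escapeHtmlAttribute(entry.getKey());
                        for (String value : entry.getValue()) {
                            printWriter.println("<input type='hidden' name='" + name + "' value='" + escapeHtmlAttribute(value) + "'>");
                        }
                    }
                }
                printWriter.println("</form></body></html>");
            } finally {
                printWriter.close();
            }
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Failed to generate the form post html because of exception [" + e.getMessage() + "]");
            }
            throw failLoginFlow(e.getMessage(), e);
        }
        return TAIResult.create(401);
    }

    /**
     * Rebuilds the query string of the originally requested URL from its saved parameters,
     * URL-encoding each name and value (the saved values are decoded servlet parameter values).
     *
     * @return the encoded query string without a leading '?', or "" when there are no parameters
     */
    private static String buildQueryString(Map<String, String[]> parameterMap) throws WebTrustAssociationFailedException {
        if (parameterMap == null) {
            return "";
        }
        StringBuilder query = new StringBuilder();
        for (Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
            String name = RelyingPartyUtils.urlEncode(entry.getKey());
            for (String value : entry.getValue()) {
                if (query.length() > 0) {
                    query.append('&');
                }
                query.append(name).append('=').append(RelyingPartyUtils.urlEncode(value));
            }
        }
        return query.toString();
    }

    /** Escapes the characters that are significant inside a quoted HTML attribute value; null becomes "". */
    private static String escapeHtmlAttribute(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':
                    out.append("&amp;");
                    break;
                case '<':
                    out.append("&lt;");
                    break;
                case '>':
                    out.append("&gt;");
                    break;
                case '"':
                    out.append("&quot;");
                    break;
                case '\'':
                    out.append("&#39;");
                    break;
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }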

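    /**
     * Authenticates the request from the RP session cookie: looks the cookie up in the session
     * cache, drops expired entries, refreshes the access token when configured and needed, and
     * builds a 200 result with the cached user name and JAAS subject.
     *
     * @param httpServletRequest the request whose cookies are inspected
     * @param relyingPartyConfig relying-party configuration; must not be null
     * @return a 200 result, or null when there is no usable session (no cookie, unknown or expired
     *         entry, or a failed token refresh) so the caller can try the next strategy
     * @throws WebTrustAssociationFailedException if {@code relyingPartyConfig} is null or the
     *         user name / subject cannot be derived from the session entry
     */
    private TAIResult AuthenticateUsingSessionCookie(HttpServletRequest httpServletRequest, RelyingPartyConfig relyingPartyConfig) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "AuthenticateUsingSessionCookie(req[" + OidcUtil.getObjState(httpServletRequest) + "], rpConfig[" + OidcUtil.getObjState(relyingPartyConfig) + "])");
        }
        if (relyingPartyConfig == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "One or more of the parameters passed to this method is null");
            }
            throw new WebTrustAssociationFailedException();
        }
        TAIResult result = null;
        String cookieValue = RelyingPartyUtils.getCookieValue(httpServletRequest, relyingPartyConfig.getRPCookieName());
        if (cookieValue == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No Relying party session cookie found in the request");
            }
        } else {
            SessionData session = SessionCache.CACHE.getEntryUsingSessionCookie(cookieValue);
            if (session == null) {
                // NOTE(review): this writes the raw session cookie value to the log at INFO level; consider masking it.
                Tr.info(tc, MessageHelper.getMessage("security.oidc.client.sessioncookie.missing", cookieValue));
            } else if (session.hasExpired()) {
                SessionCache.CACHE.removeEntryUsingSessionCookie(cookieValue);
            } else {
                boolean refreshNeeded = relyingPartyConfig.getRefreshAccessToken() && session.hasAccessTokenExpired(relyingPartyConfig) && session.getRefreshToken() != null;
                if (refreshNeeded && !refreshAccessToken(cookieValue, session, relyingPartyConfig)) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Access token refresh failed; session discarded");
                    }
                } else {
                    try {
                        result = TAIResult.create(200, session.getUserName(relyingPartyConfig), session.getJaasSubject(relyingPartyConfig));
                    } catch (RelyingPartyException e) {
                        WebTrustAssociationFailedException failure = new WebTrustAssociationFailedException(e.getMessage());
                        failure.initCause(e); // keep the cause; the original dropped it
                        throw failure;
                    }
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "AuthenticateUsingSessionCookie returns [" + OidcUtil.getObjState(result) + "]");
        }
        return result;
    }

    /**
     * Refreshes the session's access token at the token endpoint with its refresh token and
     * stores the response in the cache entry. On any failure the entry is removed from the
     * cache and false is returned, so the caller yields null and a fresh login is initiated.
     */
    private static boolean refreshAccessToken(String cookieValue, SessionData session, RelyingPartyConfig relyingPartyConfig) throws WebTrustAssociationFailedException {
        StringBuilder body = new StringBuilder("grant_type=refresh_token");
        body.append("&refresh_token=").append(RelyingPartyUtils.urlEncode(session.getRefreshToken()));
        if (RelyingPartyConfig.POST.equalsIgnoreCase(relyingPartyConfig.getTokenEndpointAuthMethod())) {
            // Use the encoded client id/secret, as handleSigninCallback does: the original sent the raw values,
            // so a secret containing '&', '%' or '+' corrupted the form body.
            body.append("&client_id=").append(relyingPartyConfig.getClientIdEncoded());
            body.append("&client_secret=").append(relyingPartyConfig.getClientSecretEncoded());
        }
        try {
            HashMap<String, String> response = RelyingPartyUtils.invokePostRequestWithBasicAuth(relyingPartyConfig.getTokenEndpoint(), body.toString(), relyingPartyConfig);
            String responseCode = response.get("responseCode");
            String responseMsg = response.get("responseMsg");
            if (!"200".equals(responseCode)) {
                SessionCache.CACHE.removeEntryUsingSessionCookie(cookieValue);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "An attempt to refresh the access token failed");
                    Tr.debug(tc, "The OP server responded with return code:[" + responseCode + "] and message [" + responseMsg + "]");
                }
                throw new RelyingPartyException("Request to the OP server returned code other than 200");
            }
            SessionCache.CACHE.updateEntryUsingSessionCookie(cookieValue, responseMsg, relyingPartyConfig);
            return true;
        } catch (RelyingPartyException e) {
            Tr.info(tc, MessageHelper.getMessage("security.oidc.client.tokenrefresh.fail", new Object[]{cookieValue, e.getMessage()}));
            SessionCache.CACHE.removeEntryUsingSessionCookie(cookieValue);
            return false;
        }
    }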

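    /**
     * Authenticates a request carrying a Basic {@code Authorization} header. The raw header is
     * used as the session-cache key: a valid cached entry yields a 200 result directly; otherwise
     * (no entry, expired entry, or an entry whose user/subject cannot be derived) the credentials
     * are presented to the OP through the implicit client flow.
     *
     * @param httpServletRequest  the request whose Authorization header is inspected
     * @param httpServletResponse the response, passed through to the implicit client flow
     * @param relyingPartyConfig  relying-party configuration
     * @return the authentication result, or null when the request has no Basic auth header
     * @throws WebTrustAssociationFailedException if the implicit client flow fails
     */
    private TAIResult AuthenticateUsingBasicAuth(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, RelyingPartyConfig relyingPartyConfig) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "AuthenticateUsingBasicAuth(req[" + OidcUtil.getObjState(httpServletRequest) + ",res[" + OidcUtil.getObjState(httpServletResponse) + "], rpConfig[" + OidcUtil.getObjState(relyingPartyConfig) + "])");
        }
        TAIResult result = null;
        String authHeader = httpServletRequest.getHeader(HttpHeaders.AUTHORIZATION);
        // NOTE(review): the scheme match is case-sensitive ("Basic" only), as in the original.
        if (authHeader == null || !authHeader.startsWith("Basic")) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Did not find Basic Auth header in the request");
            }
        } else {
            SessionData cached = SessionCache.CACHE.getEntryUsingBasicAuthHeader(authHeader);
            boolean authenticateAtOp;
            if (cached == null) {
                authenticateAtOp = true;
            } else if (cached.hasExpired()) {
                SessionCache.CACHE.removeEntryUsingBasicAuth(authHeader);
                authenticateAtOp = true;
            } else {
                // The trace deliberately omits the header value: it carries the user's credentials.
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Found entry for basic authHeader in the session cache");
                }
                try {
                    result = TAIResult.create(200, cached.getUserName(relyingPartyConfig), cached.getJaasSubject(relyingPartyConfig));
                    authenticateAtOp = false;
                } catch (RelyingPartyException e) {
                    // Cached entry unusable: drop it and re-authenticate at the OP.
                    SessionCache.CACHE.removeEntryUsingBasicAuth(authHeader);
                    authenticateAtOp = true;
                }
            }
            if (authenticateAtOp) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Authenticating using Basic Auth header");
                }
                result = ImplicitClientAuthentication(httpServletRequest, httpServletResponse, authHeader, null, relyingPartyConfig);
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "AuthenticateUsingBasicAuth returns [" + OidcUtil.getObjState(result) + "]");
        }
        return result;
    }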

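    /**
     * Authenticates a request carrying an {@code LtpaToken2} cookie by presenting that cookie to
     * the OP through the implicit client flow.
     *
     * @param httpServletRequest  the request whose cookies are inspected
     * @param httpServletResponse the response, passed through to the implicit client flow
     * @param relyingPartyConfig  relying-party configuration
     * @return the authentication result, or null when the request has no LTPA cookie
     * @throws WebTrustAssociationFailedException if the implicit client flow fails
     */
    private TAIResult AuthenticateUsingLTPAToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, RelyingPartyConfig relyingPartyConfig) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "AuthenticateUsingLTPAToken(req[" + OidcUtil.getObjState(httpServletRequest) + ",res[" + OidcUtil.getObjState(httpServletResponse) + "], rpConfig[" + OidcUtil.getObjState(relyingPartyConfig) + "])");
        }
        TAIResult result = null;
        String ltpaToken = RelyingPartyUtils.getCookieValue(httpServletRequest, "LtpaToken2");
        if (ltpaToken == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Did not find LTPA cookie in the request");
            }
        } else {
            // The cookie is forwarded unchanged as "LtpaToken2=<value>" on the request to the OP.
            result = ImplicitClientAuthentication(httpServletRequest, httpServletResponse, null, "LtpaToken2=" + ltpaToken, relyingPartyConfig);
        }
        if (tc.isEntryEnabled()) {
            // The original exit trace named AuthenticateUsingBasicAuth and was skipped on the no-cookie path.
            Tr.exit(tc, "AuthenticateUsingLTPAToken returns [" + OidcUtil.getObjState(result) + "]");
        }
        return result;
    }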

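    /**
     * Authenticates the caller against the OP with an implicit-flow authorize request
     * ({@code response_type=id_token token}, {@code prompt=none}). The request to the authorize
     * endpoint carries either the caller's LTPA cookie or the RP's basic-auth credentials, and the
     * fragment of the resulting 302 redirect is turned into a session-cache entry and a
     * {@link TAIResult}.
     *
     * @param httpServletRequest  the inbound request (used only for trace output here)
     * @param httpServletResponse the response; receives a {@code WWW-Authenticate} header on failure
     * @param str                 key for the session-cache entry when no LTPA cookie is given; the
     *                            visible caller passes {@code null}
     * @param str2                the {@code LtpaToken2=<value>} cookie string, or {@code null} to
     *                            fall back to basic auth
     * @param relyingPartyConfig  the RP configuration; must not be {@code null}
     * @return 200 with user name and JAAS subject on success, 401 when the OP answered with an
     *         {@code error} fragment or anything other than a 302-with-fragment, 503 when the
     *         session entry could not be built from the redirect
     * @throws WebTrustAssociationFailedException when {@code relyingPartyConfig} is {@code null}
     *         or the call to the OP itself fails
     */
    private TAIResult ImplicitClientAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2, RelyingPartyConfig relyingPartyConfig) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "ImplicitClientAuthentication(req[" + OidcUtil.getObjState(httpServletRequest) + ",res[" + OidcUtil.getObjState(httpServletResponse) + ",ltpaCookie[" + OidcUtil.getObjState(str2) + "], rpConfig[" + OidcUtil.getObjState(relyingPartyConfig) + "])");
        }
        if (relyingPartyConfig == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "One or more of the parameters passed to this method is null");
            }
            throw new WebTrustAssociationFailedException();
        }
        // How the presented credential is named in error messages. The LTPA cookie is a reusable
        // SSO credential and must not be written to the log verbatim. str is logged as before;
        // NOTE(review): if callers pass the raw Basic credential as str, redact that too — confirm
        // at the call sites.
        String credentialLabel = str2 != null ? "LtpaToken2=[redacted]" : str;
        String authorizeUrl = buildImplicitAuthorizeUrl(relyingPartyConfig, SessionData.getNewNonce());
        try {
            HashMap<String, String> opResponse = str2 != null ? RelyingPartyUtils.invokeGetRequestWithLtpaCookie(authorizeUrl, str2) : RelyingPartyUtils.invokeGetRequestWithBasicAuth(authorizeUrl, relyingPartyConfig);
            String responseCode = opResponse.get("responseCode");
            String location = opResponse.get("location");
            if (tc.isDebugEnabled()) {
                // The fragment of a successful redirect carries the tokens; keep it out of trace.
                String locationForTrace = location == null ? null : location.split("#", 2)[0];
                Tr.debug(tc, "Implicit client authentication response Code: " + responseCode + " and Location: " + locationForTrace);
            }
            // A usable answer is a 302 whose Location has a fragment (tokens or error=...).
            // A missing Location or a fragment-less redirect is handled like an unexpected code
            // instead of failing on the array access.
            String fragment = null;
            if ("302".equals(responseCode) && location != null) {
                String[] parts = RelyingPartyUtils.split(location, "#", 2);
                if (parts != null && parts.length == 2) {
                    fragment = parts[1];
                }
            }
            TAIResult result;
            if (fragment == null) {
                httpServletResponse.addHeader(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"default\", error=\"unexpected response from OP server\"");
                Tr.error(tc, MessageHelper.getMessage("security.oidc.client.implicitclient.auth.fail", new Object[]{credentialLabel, "unexpected response code from OP server"}));
                result = TAIResult.create(401);
            } else if (fragment.startsWith(Constants.ERROR)) {
                Tr.error(tc, MessageHelper.getMessage("security.oidc.client.implicitclient.auth.fail", new Object[]{credentialLabel, fragment}));
                httpServletResponse.addHeader(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"default\"," + fragment);
                result = TAIResult.create(401);
            } else {
                try {
                    SessionData entry = SessionCache.CACHE.createEntry();
                    // The presented credential doubles as the key of the new cache entry.
                    entry.updateUsingLocationQueryString(str2 != null ? str2 : str, fragment, relyingPartyConfig);
                    String userName = entry.getUserName(relyingPartyConfig);
                    Subject jaasSubject = entry.getJaasSubject(relyingPartyConfig);
                    if (str2 != null) {
                        SessionCache.CACHE.removeEntryUsingBasicAuth(str2);
                    }
                    result = TAIResult.create(200, userName, jaasSubject);
                } catch (RelyingPartyException e) {
                    httpServletResponse.addHeader(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"default\", error=\"Service unavailable\"");
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Responding with code: 503 - " + e.getMessage());
                    }
                    result = TAIResult.create(503);
                }
            }
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "ImplicitClientAuthentication returns [" + OidcUtil.getObjState(result) + "]");
            }
            return result;
        } catch (RelyingPartyException e2) {
            // Failures of the OP call itself are surfaced to the container as a TAI failure.
            String message = MessageHelper.getMessage("security.oidc.client.implicitclient.auth.fail", new Object[]{credentialLabel, e2.getMessage()});
            Tr.error(tc, message);
            WebTrustAssociationFailedException webTrustAssociationFailedException = new WebTrustAssociationFailedException(message);
            webTrustAssociationFailedException.initCause(e2);
            throw webTrustAssociationFailedException;
        }
    }

    /**
     * Builds the implicit-flow authorize URL: {@code <authorizeEndpoint>?response_type=id_token token
     * &client_id=...&scope=...&redirect_uri=...&prompt=none&nonce=...}.
     *
     * @param relyingPartyConfig source of the endpoint, client id, scope and callback
     * @param nonce              fresh nonce to bind the issued id_token to this request
     * @return the complete authorize URL
     */
    private static String buildImplicitAuthorizeUrl(RelyingPartyConfig relyingPartyConfig, String nonce) {
        StringBuilder query = new StringBuilder();
        query.append("response_type=").append(RelyingPartyUtils.urlEncode("id_token token"));
        // client_id and redirect_uri are already supplied in encoded form by the config.
        query.append("&client_id=").append(relyingPartyConfig.getClientIdEncoded());
        query.append("&scope=").append(RelyingPartyUtils.urlEncode(relyingPartyConfig.getRpScope()));
        query.append("&redirect_uri=").append(relyingPartyConfig.getSigninCBEnc());
        query.append("&prompt=none");
        // Encoded so that any non-URL-safe character in the nonce cannot break the query.
        query.append("&nonce=").append(RelyingPartyUtils.urlEncode(nonce));
        return relyingPartyConfig.getAuthorizeEndpoint() + "?" + query;
    }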

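    /**
     * Authenticates a request carrying an {@code Authorization: Bearer <token>} header.
     * <p>
     * The token is looked up in the session cache first; when there is no usable entry it is
     * validated against the OP's introspection endpoint and, if reported as active, a new session
     * entry is created from the introspection response.
     *
     * @param httpServletRequest  the inbound request
     * @param httpServletResponse the response; receives a {@code WWW-Authenticate} header on failure
     * @param relyingPartyConfig  the RP configuration; must not be {@code null} once a token has to
     *                            be introspected
     * @return {@code null} when the request has no Bearer header, 400 for an empty Bearer token or
     *         an OP 400 reply, 401 for an inactive or otherwise rejected token, 503 when the session
     *         entry could not be built, 200 with user name and subject on success
     * @throws WebTrustAssociationFailedException when the config is missing or the introspection
     *         call itself fails
     */
    private TAIResult AuthenticateUsingAccessToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, RelyingPartyConfig relyingPartyConfig) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "AuthenticateUsingAccessToken(req[" + OidcUtil.getObjState(httpServletRequest) + ",res[" + OidcUtil.getObjState(httpServletResponse) + "], rpConfig[" + OidcUtil.getObjState(relyingPartyConfig) + "])");
        }
        String header = httpServletRequest.getHeader(HttpHeaders.AUTHORIZATION);
        // Scheme check kept as-is (case-sensitive, no separator required). NOTE(review): RFC 6750
        // expects "Bearer" followed by whitespace; tighten only after confirming existing clients.
        if (header == null || !header.startsWith("Bearer")) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Did not find Bearer token in the request");
            }
            return exitAuthenticateUsingAccessToken(null);
        }
        String afterScheme = header.substring("Bearer".length());
        String token = afterScheme.trim();
        // A whitespace-only remainder used to be looked up as the empty token; reject it as well.
        if (afterScheme.length() <= 1 || token.isEmpty()) {
            Tr.error(tc, MessageHelper.getMessage("security.oidc.client.accesstoken.invalid"));
            httpServletResponse.addHeader(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"default\", error=\"invalid_request\"");
            return exitAuthenticateUsingAccessToken(TAIResult.create(400));
        }
        TAIResult cached = authenticateFromSessionCache(token, relyingPartyConfig);
        if (cached != null) {
            return exitAuthenticateUsingAccessToken(cached);
        }
        if (relyingPartyConfig == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "One or more of the parameters passed to this method is null");
            }
            throw new WebTrustAssociationFailedException();
        }
        try {
            return exitAuthenticateUsingAccessToken(introspectAndAuthenticate(token, httpServletResponse, relyingPartyConfig));
        } catch (RelyingPartyException e) {
            // The token is a bearer credential and is deliberately not included in the log line.
            String message = MessageHelper.getMessage("security.oidc.client.accesstoken.auth.fail", new Object[]{"[redacted]", e.getMessage()});
            Tr.error(tc, message);
            WebTrustAssociationFailedException webTrustAssociationFailedException = new WebTrustAssociationFailedException(message);
            webTrustAssociationFailedException.initCause(e);
            throw webTrustAssociationFailedException;
        }
    }

    /**
     * Looks the token up in the session cache.
     *
     * @return a 200 result for a still-valid cached entry, or {@code null} when there is none or
     *         the entry is expired or can no longer produce a subject (such entries are evicted)
     */
    private TAIResult authenticateFromSessionCache(String token, RelyingPartyConfig relyingPartyConfig) {
        SessionData entry = SessionCache.CACHE.getEntryUsingAccessToken(token);
        if (entry == null) {
            return null;
        }
        if (entry.hasAccessTokenExpired()) {
            SessionCache.CACHE.removeEntryUsingAccessToken(token);
            return null;
        }
        if (tc.isDebugEnabled()) {
            // The token itself is kept out of trace output on purpose.
            Tr.debug(tc, "Found entry for the presented bearer token in the session cache");
        }
        try {
            return TAIResult.create(200, entry.getUserName(relyingPartyConfig), entry.getJaasSubject(relyingPartyConfig));
        } catch (RelyingPartyException e) {
            // Entry is unusable; drop it so the caller falls back to introspection.
            SessionCache.CACHE.removeEntryUsingAccessToken(token);
            return null;
        }
    }

    /**
     * Validates the token at the OP's introspection endpoint and builds a session entry from an
     * active response.
     *
     * @return 400 for an OP 400 reply (error relayed in WWW-Authenticate), 401 for any other
     *         non-200 reply or an inactive token, 503 when the session entry could not be built,
     *         200 with user name and subject otherwise
     * @throws RelyingPartyException when the introspection call or the parsing of its reply fails
     */
    private TAIResult introspectAndAuthenticate(String token, HttpServletResponse httpServletResponse, RelyingPartyConfig relyingPartyConfig) throws RelyingPartyException {
        // Encoded so that characters such as '+' or '&' in the token cannot alter the query.
        HashMap<String, String> opResponse = RelyingPartyUtils.invokeGetRequestWithBasicAuth(relyingPartyConfig.getIntrospectEndpoint() + "?token=" + RelyingPartyUtils.urlEncode(token), relyingPartyConfig);
        String responseCode = opResponse.get("responseCode");
        String responseMsg = opResponse.get("responseMsg");
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Bearer token authentication response Code: " + responseCode + " and Msg: " + responseMsg);
        }
        JsonObject json = RelyingPartyUtils.getJsonObject(responseMsg);
        if (!"200".equals(responseCode)) {
            if ("400".equals(responseCode)) {
                // NOTE(review): getJsonValue is assumed to yield a non-null element for "error" on a
                // 400 reply (or to throw RelyingPartyException) — confirm against RelyingPartyUtils.
                httpServletResponse.addHeader(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"default\", error=" + RelyingPartyUtils.getJsonValue(json, Constants.ERROR).getAsString());
                return respondingWith(400);
            }
            return rejectInvalidToken(httpServletResponse);
        }
        if (!RelyingPartyUtils.getJsonValue(json, "active").getAsBoolean()) {
            return rejectInvalidToken(httpServletResponse);
        }
        // Kept from the original: the value is discarded, so the only effect is whatever
        // getJsonValue does when "scope" is absent — confirm before removing.
        RelyingPartyUtils.getJsonValue(json, "scope").getAsString();
        try {
            SessionData entry = SessionCache.CACHE.createEntry();
            entry.updateUsingAccessToken(token, json, relyingPartyConfig);
            return TAIResult.create(200, entry.getUserName(relyingPartyConfig), entry.getJaasSubject(relyingPartyConfig));
        } catch (RelyingPartyException e) {
            httpServletResponse.addHeader(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"default\", error=\"Service unavailable\"");
            return respondingWith(503);
        }
    }

    /** Sets the {@code invalid_token} challenge and returns a 401 result. */
    private static TAIResult rejectInvalidToken(HttpServletResponse httpServletResponse) {
        httpServletResponse.addHeader(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"default\", error=\"invalid_token\"");
        return respondingWith(401);
    }

    /** Traces the status code being returned and wraps it in a {@link TAIResult}. */
    private static TAIResult respondingWith(int statusCode) {
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Responding with code: " + statusCode);
        }
        return TAIResult.create(statusCode);
    }

    /** Writes the exit trace for AuthenticateUsingAccessToken and passes the result through. */
    private static TAIResult exitAuthenticateUsingAccessToken(TAIResult result) {
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "AuthenticateUsingAccessToken returns [" + OidcUtil.getObjState(result) + "]");
        }
        return result;
    }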

    /**
     * Ends the OIDC session bound to the request: the session-cache entry keyed by the OIDC
     * cookie's value is removed and the cookie is deleted on the response. A request without
     * the cookie leaves the cache and the response untouched.
     *
     * @param httpServletRequest  the inbound request, searched for the OIDC cookie
     * @param httpServletResponse the response on which the cookie is deleted
     * @throws Exception propagated from the cache or cookie helpers
     */
    public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "logout(req[" + OidcUtil.getObjState(httpServletRequest) + ",res[" + OidcUtil.getObjState(httpServletResponse) + "])");
        }
        Cookie sessionCookie = RelyingPartyUtils.getOidcCookie(httpServletRequest);
        if (sessionCookie == null) {
            if (tc.isEntryEnabled()) {
                Tr.exit(tc, "logout");
            }
            return;
        }
        String sessionKey = sessionCookie.getValue();
        SessionCache.CACHE.removeEntryUsingSessionCookie(sessionKey);
        RelyingPartyUtils.deleteCookie(sessionCookie, httpServletResponse);
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "logout");
        }
    }
}
