package com.ibm.ws.security.openid20.client;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.ws.security.openid20.util.MessageHelper;
import com.ibm.ws.security.openid20.util.OidUtil;
import com.ibm.ws.security.web.CookieHelper;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.HttpHost;
import org.apache.http.HttpStatus;
import org.openid4java.message.Message;

/* loaded from: input_file:com/ibm/ws/security/openid20/client/OpenIDRelyingPartyTAI.class */
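/**
 * OpenID 2.0 Relying-Party Trust Association Interceptor (TAI).
 *
 * <p>Request flow as implemented here:
 * <ul>
 *   <li>{@link #isTargetInterceptor} decides, by request URI, whether this TAI handles the
 *       request (configured include patterns minus configured exclude patterns).</li>
 *   <li>{@link #negotiateValidateandEstablishTrust} dispatches on the {@code openid.mode}
 *       request parameter: no mode &rarr; try Basic auth (for configured URIs), then a one-time
 *       RP cookie, then start a new OpenID authentication request; {@code id_res} &rarr; verify
 *       the provider's response; {@code cancel} &rarr; 403; anything else &rarr; 400.</li>
 * </ul>
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The {@code httpsRequired} setting only makes this TAI <em>ignore</em> plain-HTTP
 *       requests; it does not reject or redirect them. Behind a TLS-terminating proxy the
 *       container may still report {@code http} as the scheme unless configured to honour
 *       forwarded-protocol headers — confirm for the deployment.</li>
 *   <li>URI include/exclude patterns are regular expressions evaluated against the raw,
 *       undecoded request URI. Patterns should be anchored and must account for
 *       percent-encoded and path-parameter variants, or a request may slip past the
 *       intended include/exclude classification.</li>
 *   <li>The {@code openid.error} parameter is attacker-controlled. It is sanitised before being
 *       logged and before being echoed into the {@code WWW-Authenticate} header.</li>
 * </ul>
 */
public class OpenIDRelyingPartyTAI implements TrustAssociationInterceptor {
    private static final TraceComponent tc = Tr.register(OpenIDRelyingPartyTAI.class, MessageHelper._TR_GROUP, MessageHelper._MSG_FILE);

    /** Upper bound on the length of a caller-supplied error string echoed back to the client. */
    private static final int MAX_ECHOED_ERROR_LENGTH = 256;

    /** Message used when the provider's response carries no {@code openid.error} text. */
    private static final String DEFAULT_INVALID_RESPONSE_TEXT =
            "The response either has missing parameters or has parameters with an error message";

    private OpenIDClientConfig openidClientConfig = null;
    private OpenIDClientAuthenticator openidAuthenticator = null;

    /** No resources are held by this TAI, so cleanup only traces. */
    public void cleanup() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "cleanup");
            Tr.exit(tc, "cleanup");
        }
    }

    /** @return the human-readable TAI type used by the container for identification */
    public String getType() {
        final String type = "OpenId 2.0 TrustAssociationInterceptor";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getType");
            Tr.exit(tc, "getType returns [" + type + "]");
        }
        return type;
    }

    /** @return the version string reported to the container */
    public String getVersion() {
        final String version = "1.0";
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getVersion");
            Tr.exit(tc, "getVersion returns [" + version + "]");
        }
        return version;
    }

    /**
     * Builds the client configuration and the authenticator from the TAI properties.
     *
     * @param properties TAI custom properties supplied by the container
     * @return 0 on success (the only value this implementation returns)
     * @throws WebTrustAssociationFailedException if the configuration cannot be built; the
     *         underlying message is logged at error level
     */
    public int initialize(Properties properties) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "initialize(props[" + OidUtil.getObjState(properties) + "])");
        }
        try {
            this.openidClientConfig = new OpenIDClientConfig(properties);
            this.openidAuthenticator = new OpenIDClientAuthenticator(this.openidClientConfig);
        } catch (OpenIDRelyingPartyException e) {
            String message = MessageHelper.getMessage("security.openid20.client.initializationfailed", e.getMessage());
            Tr.error(tc, message);
            throw new WebTrustAssociationFailedException(message);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "initialize");
        }
        return 0;
    }

    /**
     * Decides whether this TAI should handle the request.
     *
     * <p>A request is intercepted when its raw request URI matches at least one configured
     * include pattern and none of the configured exclude patterns. When {@code httpsRequired}
     * is set, plain-HTTP requests are never intercepted (they are left to other authentication
     * mechanisms; they are not rejected here).
     *
     * @param httpServletRequest the incoming request; {@code null} yields {@code false}
     * @return {@code true} if {@link #negotiateValidateandEstablishTrust} should be invoked
     */
    public boolean isTargetInterceptor(HttpServletRequest httpServletRequest) throws WebTrustAssociationException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "isTargetInterceptor(req[" + OidUtil.getObjState(httpServletRequest) + "])");
        }
        boolean intercept = false;
        if (httpServletRequest != null) {
            // Scheme comparison is string-based on purpose (preserves existing behaviour);
            // HttpServletRequest.isSecure() would be the stricter signal if the deployment
            // is known to set it correctly.
            if (this.openidClientConfig.ishttpsRequired()
                    && HttpHost.DEFAULT_SCHEME_NAME.equals(httpServletRequest.getScheme())) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "isTargetInterceptor returns [false], HTTP request ignored as httpsRequired is set to true. Only HTTPS request will be intercepted");
                }
                return false;
            }
            String requestURI = httpServletRequest.getRequestURI();
            if (requestURI == null) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "The url [" + requestURI + "] is null");
                }
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Evaluating for request uri: [" + requestURI + "]");
                }
                // The URI is matched as received: not URL-decoded and not path-normalised.
                boolean included = matchesAny(requestURI, this.openidClientConfig.getEffectiveUriList());
                boolean excluded = matchesAny(requestURI, this.openidClientConfig.getExcludedUriList());
                intercept = included && !excluded;
                if (tc.isDebugEnabled()) {
                    if (intercept) {
                        Tr.debug(tc, "The url [" + requestURI + "] is being intercepted by OpenID RelyingParty");
                    } else {
                        Tr.debug(tc, "The URL: [" + requestURI + "] ignored by OpenId RelyingParty");
                    }
                }
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "isTargetInterceptor returns [" + intercept + "]");
        }
        return intercept;
    }

    /**
     * Authenticates the request or drives the OpenID protocol forward.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response to write redirects/headers to
     * @return the TAI result; never {@code null}
     * @throws WebTrustAssociationFailedException if either argument is {@code null}, if
     *         creating or verifying an OpenID request fails, or if no result could be produced
     */
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws WebTrustAssociationFailedException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "negotiateValidateandEstablishTrust(req[" + OidUtil.getObjState(httpServletRequest) + ",res[" + OidUtil.getObjState(httpServletResponse) + "])");
        }
        if (httpServletRequest == null || httpServletResponse == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "One or more of the parameters passed to this method is null");
            }
            throw new WebTrustAssociationFailedException("One or more parameters passed to this method is null");
        }
        RequestCache.CACHE.cleanup();
        applyDefaultCharacterEncoding(httpServletRequest);

        TAIResult tAIResult;
        String mode = httpServletRequest.getParameter("openid.mode");
        if (mode == null) {
            tAIResult = handleRequestWithoutOpenIdMode(httpServletRequest, httpServletResponse);
        } else if (mode.equals(Message.MODE_IDRES)) {
            try {
                tAIResult = this.openidAuthenticator.verifyResponse(httpServletRequest, httpServletResponse);
            } catch (OpenIDRelyingPartyException e) {
                String message = MessageHelper.getMessage("security.openid20.client.verifyauthresponsefailed", e.getMessage());
                Tr.error(tc, message);
                throw new WebTrustAssociationFailedException(message);
            }
        } else if (mode.equals(Message.MODE_CANCEL)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "received openid.mode = cancel, indicating that the authentication failed");
            }
            tAIResult = TAIResult.create(HttpStatus.SC_FORBIDDEN);
        } else {
            tAIResult = rejectInvalidResponse(httpServletRequest, httpServletResponse);
        }

        // Fail closed: a null result would either NPE below or hand the container an
        // undefined outcome; neither is an acceptable authentication decision.
        if (tAIResult == null) {
            throw new WebTrustAssociationFailedException("OpenID relying party produced no authentication result");
        }
        if (tc.isEntryEnabled()) {
            Tr.debug(tc, "TAI Response: " + tAIResult.getStatus());
            Tr.exit(tc, "negotiateValidateandEstablishTrust returns [" + OidUtil.getObjState(tAIResult) + "]");
        }
        return tAIResult;
    }

    /**
     * Sets the configured character encoding on the request if the client did not supply one.
     * Failure is logged as a warning and otherwise ignored (best effort).
     */
    private void applyDefaultCharacterEncoding(HttpServletRequest httpServletRequest) {
        String characterEncoding = this.openidClientConfig.getCharacterEncoding();
        try {
            if (httpServletRequest.getCharacterEncoding() == null) {
                httpServletRequest.setCharacterEncoding(characterEncoding);
            }
        } catch (UnsupportedEncodingException e) {
            if (tc.isWarningEnabled()) {
                Tr.warning(tc, "Failed to set the encoding of the incoming request to " + characterEncoding, e);
            }
        }
    }

    /**
     * Handles a request that carries no {@code openid.mode}: Basic auth for configured URIs,
     * then a one-time RP cookie, then a fresh OpenID authentication request.
     *
     * <p>Note that Basic credentials are accepted on whatever scheme reached this TAI; with
     * {@code httpsRequired} unset that includes plain HTTP.
     */
    private TAIResult handleRequestWithoutOpenIdMode(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws WebTrustAssociationFailedException {
        TAIResult tAIResult = null;
        String requestURI = httpServletRequest.getRequestURI();
        if (requestURI != null && matchesAny(requestURI, this.openidClientConfig.getBasicAuthUriList())) {
            tAIResult = BasicAuthAuthenticator.authenticate(httpServletRequest, httpServletResponse, this.openidClientConfig);
        }
        if (tAIResult == null) {
            // The RP cookie is an opaque cache key; the entry is purged on first use so the
            // cookie cannot be replayed to mint a second session from the same cache entry.
            // The cookie value's unguessability is the cache's concern (not visible here).
            String cookieValue = CookieHelper.getCookieValue(httpServletRequest.getCookies(), OpenIDConstants.RP_COOKIE_NAME);
            RequestData requestData = cookieValue == null ? null : RequestCache.CACHE.get(cookieValue);
            if (requestData != null) {
                Subject subject = requestData.getSubject();
                String userName = requestData.getUserName();
                RequestCache.CACHE.purge(cookieValue);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Received rp_identifier cookie for this request for user: " + userName + " responding with success");
                }
                tAIResult = TAIResult.create(HttpStatus.SC_OK, userName, subject);
            }
        }
        if (tAIResult == null) {
            try {
                tAIResult = this.openidAuthenticator.createAuthRequest(httpServletRequest, httpServletResponse);
            } catch (OpenIDRelyingPartyException e) {
                String message = MessageHelper.getMessage("security.openid20.client.authrequestfailed", e.getMessage());
                Tr.error(tc, message);
                throw new WebTrustAssociationFailedException(message);
            }
        }
        return tAIResult;
    }

    /**
     * Rejects a response with an unrecognised {@code openid.mode}, logging the provider's
     * error text and echoing it in a {@code WWW-Authenticate} challenge.
     *
     * <p>{@code openid.error} comes straight from the request, so it is sanitised (control
     * characters and quotes removed, length capped) before it is logged or placed in a
     * response header; the header value is emitted as an RFC 6750 quoted-string.
     */
    private TAIResult rejectInvalidResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String rawError = httpServletRequest.getParameter("openid.error");
        String errorText = rawError == null ? DEFAULT_INVALID_RESPONSE_TEXT : sanitizeForHeader(rawError);
        Tr.error(tc, MessageHelper.getMessage("security.openid20.client.invalidresponse", errorText));
        httpServletResponse.addHeader("WWW-Authenticate",
                "Bearer realm=\"" + this.openidClientConfig.getRealmName() + "\", error=\"" + errorText + "\"");
        return TAIResult.create(HttpStatus.SC_BAD_REQUEST);
    }

    /**
     * Returns {@code true} if {@code uri} matches (via {@link String#matches}) any pattern in
     * {@code patterns}; a {@code null} pattern list matches nothing.
     */
    private static boolean matchesAny(String uri, Iterable<String> patterns) {
        if (patterns == null) {
            return false;
        }
        for (String pattern : patterns) {
            if (uri.matches(pattern)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Strips CR/LF, other ASCII control characters and double quotes from a caller-supplied
     * string and caps its length, so it can be safely logged and embedded in a quoted header
     * value without header injection or breaking the quoted-string.
     */
    private static String sanitizeForHeader(String value) {
        StringBuilder cleaned = new StringBuilder(Math.min(value.length(), MAX_ECHOED_ERROR_LENGTH));
        for (int i = 0; i < value.length() && cleaned.length() < MAX_ECHOED_ERROR_LENGTH; i++) {
            char c = value.charAt(i);
            if (c < 0x20 || c == 0x7f || c == '"') {
                continue;
            }
            cleaned.append(c);
        }
        return cleaned.toString();
    }
}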
