package com.ibm.ws.security.openidconnect.client;

import com.ibm.oauth.core.internal.oauth20.OAuth20Constants;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.websphere.security.openidconnect.token.IdToken;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.cache.AuthCacheService;
import com.ibm.ws.security.openidconnect.client.internal.OidcUtil;
import com.ibm.wsspi.webcontainer.servlet.IExtendedRequest;
import java.util.Date;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;

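/**
 * Looks up, validates and evicts the cached {@link Subject} that belongs to an
 * OpenID Connect client session.
 *
 * <p>The cache key is derived from the OIDC client cookie carried by the request
 * (see {@link #getPreKeyValue(HttpServletRequest)}), so the lookup input is
 * client-controlled. A cached subject is only handed back after its ID token
 * (and optionally its access token) has been checked for expiry.
 *
 * <p>NOTE(review): {@code preKeyValue} and {@code customCacheKey} are memoized on
 * the instance, so an instance presumably serves a single request - confirm
 * against the callers before sharing one across requests or threads.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:lib/com.ibm.ws.security.openidconnect.client_1.0.13.cl160220160718-1411.jar:com/ibm/ws/security/openidconnect/client/OidcClientCache.class */
public class OidcClientCache {
    private static final TraceComponent tc = Tr.register(OidcClientCache.class);
    static final String UTF8 = "UTF-8";
    AuthCacheService authCache;
    OidcClientConfig clientCfg;
    OidcClientRequest oidcClientRequest;

    // Decoded value of the OIDC client cookie; filled lazily by getPreKeyValue().
    String preKeyValue = null;

    // Key used against the authentication cache; annotated @Sensitive and never
    // concatenated into a trace message in this class.
    @Sensitive
    String customCacheKey = null;

    // The class does not implement Serializable in this listing; the field is kept unchanged.
    static final long serialVersionUID = 290405663520607286L;

    /**
     * Creates a cache accessor bound to one client request.
     *
     * @param authCacheService authentication cache holding the subjects
     * @param oidcClientConfig configuration of the OIDC client
     * @param oidcClientRequest request wrapper that supplies the cookie name and the cache key
     */
    public OidcClientCache(AuthCacheService authCacheService, OidcClientConfig oidcClientConfig, OidcClientRequest oidcClientRequest) {
        this.authCache = authCacheService;
        this.clientCfg = oidcClientConfig;
        this.oidcClientRequest = oidcClientRequest;
    }

    /**
     * Returns the cached subject for the request if it is present and still valid.
     * An expired subject is evicted (cache entry and cookie) before {@code null}
     * is returned.
     *
     * @param httpServletRequest request carrying the OIDC client cookie
     * @param oidcClientConfig configuration supplying the re-authentication cushion
     *        and the access-token-expiry switch (this argument is used, not the
     *        {@code clientCfg} field)
     * @return the valid cached subject, or {@code null} when there is no cookie,
     *         no cache entry, or the entry has expired
     */
    public Subject getBackValidSubject(HttpServletRequest httpServletRequest, OidcClientConfig oidcClientConfig) {
        String cookieValue = getPreKeyValue(httpServletRequest);
        if (cookieValue == null || cookieValue.isEmpty()) {
            return null;
        }
        Subject cached = getBackCachedSubject(httpServletRequest, cookieValue);
        if (cached == null) {
            return null;
        }
        if (!isValid(cached, oidcClientConfig.getReAuthnCushion(), oidcClientConfig.isReAuthnOnAccessTokenExpire())) {
            // Evict eagerly so an expired session cannot be resumed with the same cookie.
            removeSubject(httpServletRequest);
            return null;
        }
        return cached;
    }

    /**
     * Looks up the subject in the authentication cache without validating it.
     * The derived cache key is remembered in {@code customCacheKey}.
     *
     * @param httpServletRequest unused by this method
     * @param str cookie value from which the request wrapper derives the cache key
     * @return the cached subject, or {@code null} when no key could be derived or
     *         the cache has no entry
     */
    public Subject getBackCachedSubject(HttpServletRequest httpServletRequest, String str) {
        this.customCacheKey = this.oidcClientRequest.getCustomCookieValue(str);
        if (this.customCacheKey == null || this.customCacheKey.isEmpty()) {
            return null;
        }
        return this.authCache.getSubject(this.customCacheKey);
    }

    /**
     * Removes the cached subject for the request and asks {@link OidcUtil} to
     * remove the client cookie. The cookie removal runs even when no cache key
     * could be derived.
     *
     * @param httpServletRequest request carrying the OIDC client cookie
     */
    public void removeSubject(HttpServletRequest httpServletRequest) {
        if (this.customCacheKey == null) {
            this.customCacheKey = this.oidcClientRequest.getCustomCookieValue(getPreKeyValue(httpServletRequest));
        }
        if (this.customCacheKey != null && !this.customCacheKey.isEmpty()) {
            this.authCache.remove(this.customCacheKey);
        }
        OidcUtil.removeCookie(this.oidcClientRequest);
    }

    /**
     * Decides whether a cached subject may still be used.
     *
     * @param subject cached subject
     * @param j re-authentication cushion in milliseconds
     * @param z whether the access token lifetime must be checked as well
     * @return {@code true} when every applicable check passes
     */
    boolean isValid(Subject subject, long j, boolean z) {
        boolean valid = true;
        IdToken idToken = getIdToken(subject);
        // NOTE(review): a subject without any IdToken credential skips the ID token
        // check and stays valid unless z is set - confirm this fail-open path is intended.
        if (idToken != null) {
            valid = isIdTokenValid(idToken, j);
        }
        if (valid && z) {
            valid = isAccessTokenValid(subject, j);
        }
        return valid;
    }

    /**
     * Checks that the ID token expires later than now plus the cushion.
     *
     * @param idToken token whose expiration time (seconds) is read
     * @param j cushion in milliseconds
     * @return {@code true} when the token has not yet reached expiry minus the cushion
     */
    boolean isIdTokenValid(IdToken idToken, long j) {
        long expirationTimeSeconds = idToken.getExpirationTimeSeconds();
        Date date = new Date();
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "date(" + date.getTime() + ") expSec(" + expirationTimeSeconds + ") cushionMillisec(" + j + ")", new Object[0]);
        }
        return (expirationTimeSeconds * 1000) - j > date.getTime();
    }

    /**
     * Checks that the access token, whose lifetime is the {@code expires_in}
     * attribute counted from the stored credential time, has not expired.
     * Every missing or malformed attribute makes the check fail closed.
     *
     * @param subject cached subject holding the OAuth attributes
     * @param j cushion in milliseconds
     * @return {@code true} only when both attributes are present, well formed and
     *         the computed expiry minus the cushion lies in the future
     */
    boolean isAccessTokenValid(Subject subject, long j) {
        Object expiresIn = getOAuthAttribute(subject, OAuth20Constants.EXPIRES_IN);
        // A non-String attribute used to raise ClassCastException; treat it as invalid instead.
        if (!(expiresIn instanceof String) || ((String) expiresIn).isEmpty()) {
            return false;
        }
        long lifetimeMillis;
        try {
            lifetimeMillis = Long.parseLong((String) expiresIn) * 1000;
        } catch (NumberFormatException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.client.OidcClientCache", "130", this, new Object[]{subject, Long.valueOf(j)});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "hit unexpected exception", e);
            }
            // An unparsable lifetime cannot prove the token is still valid.
            return false;
        }
        Object storedAt = getOAuthAttribute(subject, ClientConstants.CREDENTIAL_STORING_TIME_MILLISECONDS);
        Date date = new Date();
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "date(" + date.getTime() + ") storeMilli(" + storedAt + ") cushion(" + j + ")", new Object[0]);
        }
        // A missing store time used to end in NullPointerException, which skipped the
        // eviction in getBackValidSubject; report the token as expired instead.
        if (!(storedAt instanceof Long)) {
            return false;
        }
        return (((Long) storedAt).longValue() + lifetimeMillis) - j > date.getTime();
    }

    /**
     * Returns the first {@link IdToken} found among the subject's public
     * credentials, falling back to its private credentials.
     *
     * @param subject subject to inspect, may be {@code null}
     * @return the ID token, or {@code null} when the subject is {@code null} or holds none
     */
    protected IdToken getIdToken(Subject subject) {
        if (subject == null) {
            return null;
        }
        // NOTE(review): both trace calls below write the IdToken's string form to the
        // debug trace - confirm IdToken.toString() does not expose claims or the raw token.
        Iterator<IdToken> publicTokens = subject.getPublicCredentials(IdToken.class).iterator();
        if (publicTokens.hasNext()) {
            IdToken idToken = publicTokens.next();
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "public IdToken:" + idToken, new Object[0]);
            }
            if (idToken != null) {
                return idToken;
            }
        }
        Iterator<IdToken> privateTokens = subject.getPrivateCredentials(IdToken.class).iterator();
        if (privateTokens.hasNext()) {
            IdToken idToken = privateTokens.next();
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "private IdToken:" + idToken, new Object[0]);
            }
            return idToken;
        }
        return null;
    }

    /**
     * Searches the subject's {@link Map} credentials, public ones first and then
     * private ones, for the first non-null value stored under the given key.
     *
     * @param subject subject whose credentials are searched; must not be {@code null}
     * @param str attribute name
     * @return the attribute value, or {@code null} when no map credential has it
     */
    protected Object getOAuthAttribute(Subject subject, String str) {
        // The counter runs across both loops, so private credentials continue the numbering.
        int index = 0;
        for (Object credential : subject.getPublicCredentials()) {
            index++;
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "publicCredential(" + index + ") class:" + credential.getClass().getName(), new Object[0]);
            }
            if (credential instanceof Map) {
                Object value = ((Map<?, ?>) credential).get(str);
                if (value != null) {
                    return value;
                }
            }
        }
        for (Object credential : subject.getPrivateCredentials()) {
            index++;
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "privateCredential(" + index + ") class:" + credential.getClass().getName(), new Object[0]);
            }
            if (credential instanceof Map) {
                Object value = ((Map<?, ?>) credential).get(str);
                if (value != null) {
                    return value;
                }
            }
        }
        return null;
    }

    /**
     * Returns the OIDC client cookie value decoded as UTF-8, reading it from the
     * request on first use and memoizing it afterwards.
     *
     * @param httpServletRequest request, cast to {@link IExtendedRequest} to read the cookie bytes
     * @return the decoded cookie value, or {@code null} when the cookie is absent,
     *         empty, or reading it failed
     */
    public String getPreKeyValue(HttpServletRequest httpServletRequest) {
        if (this.preKeyValue != null) {
            return this.preKeyValue;
        }
        try {
            byte[] cookieValueAsBytes = ((IExtendedRequest) httpServletRequest).getCookieValueAsBytes(this.oidcClientRequest.getOidcClientCookieName());
            // Only the presence of the cookie is traced, never its value.
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "cookieValueBytes is null:" + (cookieValueAsBytes == null), new Object[0]);
            }
            if (cookieValueAsBytes != null && cookieValueAsBytes.length > 0) {
                this.preKeyValue = new String(cookieValueAsBytes, UTF8);
            }
        } catch (Exception e) {
            // Any failure, including a request that is not an IExtendedRequest, is
            // recorded through FFDC and treated as "no cookie".
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.client.OidcClientCache", "215", this, new Object[]{httpServletRequest});
            return null;
        }
        return this.preKeyValue;
    }

    /**
     * Returns the cache key derived by the last lookup or removal, or
     * {@code null} when none has been derived yet.
     */
    @Trivial
    public String getCustomCacheKey() {
        return this.customCacheKey;
    }
}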
