package com.ibm.ws.security.openidconnect.client;

import com.ibm.json.java.JSONObject;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.common.internal.encoder.Base64Coder;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.openidconnect.client.internal.OidcClientConfigImpl;
import com.ibm.ws.security.openidconnect.token.JsonTokenUtil;
import com.ibm.ws.security.openidconnect.token.Payload;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.ProviderAuthenticationResult;
import com.ibm.wsspi.kernel.service.location.WsLocationConstants;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import com.ibm.wsspi.security.oauth20.UserCredentialResolver;
import com.ibm.wsspi.security.oauth20.UserIdentityException;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Date;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import javax.security.auth.Subject;

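/**
 * Derives the subject attributes (user name, realm, unique security name and
 * group ids) for an OpenID Connect client from either a raw claim set
 * ({@link JSONObject}) or a parsed token {@link Payload}, and packages them
 * into the credential hashtable returned by {@link #doMapping}.
 * <p>
 * Two sources are consulted in order: a registered
 * {@link UserCredentialResolver} SPI (when at least one is activated), then
 * the claim names configured on {@link OidcClientConfig}. This class only
 * reads claims; it performs no signature, issuer or expiry check of the token
 * itself. NOTE(review): token validation is assumed to have happened before
 * the token reaches a constructor -- confirm against the callers.
 * <p>
 * Not thread-safe: an instance is populated by its constructor and then read
 * by the mapping methods.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:lib/com.ibm.ws.security.openidconnect.client_1.0.13.cl160220160718-1411.jar:com/ibm/ws/security/openidconnect/client/AttributeToSubject.class */
public class AttributeToSubject {
    public static final String JOBJ_TYPE = "jobj";
    public static final String PAYLOAD_TYPE = "payload";
    // Subject attributes collected by the constructors. Package-private so
    // sibling classes in this package can read them directly.
    String realm;
    String uniqueSecurityName;
    String userName;
    String tokenString;
    String customCacheKey;
    String clientId;
    ArrayList<String> groupIds;
    OidcClientConfig clientConfig;
    public static final String KEY_USER_RESOLVER = "userResolver";
    // Retained from the original class even though it does not implement Serializable.
    static final long serialVersionUID = 2094814910918087333L;
    public static final TraceComponent tc = Tr.register((Class<?>) AttributeToSubject.class, "OpenIdConnect", "com.ibm.ws.security.openidconnect.client.internal.resources.OidcClientMessages");
    // Activated UserCredentialResolver services; only the first one returned is ever consulted.
    static ConcurrentServiceReferenceMap<String, UserCredentialResolver> activatedUserResolverRef = new ConcurrentServiceReferenceMap<>("userResolver");

    /**
     * Replaces the shared resolver registry consulted by every instance.
     *
     * @param concurrentServiceReferenceMap the activated {@link UserCredentialResolver} services
     */
    public static void setActivatedUserResolverRef(ConcurrentServiceReferenceMap<String, UserCredentialResolver> concurrentServiceReferenceMap) {
        activatedUserResolverRef = concurrentServiceReferenceMap;
        traceResolverCount();
    }

    /**
     * Builds the subject attributes from a raw claim set, typically the result
     * of token introspection or a decoded inbound propagation token.
     * <p>
     * If a resolver SPI is registered it is given the serialized claim set
     * first; any attribute it leaves empty is then filled from the configured
     * claim names. Errors are reported through {@link Tr#error} and leave the
     * attributes unset; callers detect that via {@link #checkUserNameForNull}.
     *
     * @param oidcClientConfig client configuration (claim names, realm, mapping mode)
     * @param jSONObject       the claim set; {@code null} yields no user name
     * @param str              the raw token string; only its hash feeds the cache key
     */
    @FFDCIgnore({UserIdentityException.class, IOException.class})
    public AttributeToSubject(OidcClientConfig oidcClientConfig, JSONObject jSONObject, String str) {
        this.tokenString = str;
        this.clientConfig = oidcClientConfig;
        this.clientId = oidcClientConfig.getClientId();
        if (isTokenMappingSpi()) {
            traceResolverCount();
            try {
                getTheTokenMappingFromSpi(jSONObject.serialize(), oidcClientConfig);
            } catch (UserIdentityException e) {
                if (isDebugEnabled()) {
                    // Debug-only: this dumps the complete claim set into the trace log.
                    Tr.debug(tc, "SPI implementation throws an exception for user mapping!!", jSONObject.toString());
                }
                Tr.error(tc, "PROPAGATION_TOKEN_INTERNAL_ERR", e.getLocalizedMessage(), oidcClientConfig.getValidationMethod(), oidcClientConfig.getValidationEndpointUrl());
                return;
            } catch (IOException e2) {
                // serialize() failed; the SPI could not be consulted at all.
                Tr.error(tc, "PROPAGATION_TOKEN_INTERNAL_ERR", e2.getLocalizedMessage(), oidcClientConfig.getValidationMethod(), oidcClientConfig.getValidationEndpointUrl());
                return;
            }
        }
        if (isEmpty(this.userName)) {
            this.userName = getTheUserName(oidcClientConfig, jSONObject);
        }
        if (this.userName == null) {
            // getTheUserName has already logged the reason.
            return;
        }
        if (isDebugEnabled()) {
            Tr.debug(tc, "user name = ", this.userName);
        }
        // NOTE(review): the key is user name plus a 32-bit String.hashCode of the
        // token, so two distinct tokens for the same user can share a key in
        // principle -- confirm the subject cache tolerates that.
        this.customCacheKey = this.userName + Objects.hashCode(this.tokenString);
        if (oidcClientConfig.isMapIdentityToRegistryUser()) {
            // Realm, unique id and groups come from the user registry in that mode.
            return;
        }
        if (isEmpty(this.realm)) {
            this.realm = getTheRealmName(oidcClientConfig, jSONObject, null);
        }
        if (isEmpty(this.uniqueSecurityName)) {
            this.uniqueSecurityName = getTheUniqueSecurityName(oidcClientConfig, jSONObject, null);
        }
        if (this.groupIds == null || this.groupIds.isEmpty()) {
            ArrayList<String> groups = claimAsStringList(readClaim(jSONObject, null, oidcClientConfig.getGroupIdentifier()));
            if (groups != null) {
                this.groupIds = groups;
            }
            traceGroupCount();
        }
    }

    /**
     * Builds the subject attributes from a parsed token payload (ID token path).
     * <p>
     * Mirrors the {@link JSONObject} constructor but hands the SPI the decoded
     * second segment of the compact token string. Every claim read here is
     * type-checked before use, so a claim of an unexpected JSON type leaves the
     * attribute unset instead of failing with a {@code ClassCastException}.
     *
     * @param oidcClientConfig client configuration (claim names, realm, mapping mode)
     * @param payload          the parsed token claims; {@code null} yields no user name
     * @param str              the compact token string
     */
    public AttributeToSubject(OidcClientConfig oidcClientConfig, Payload payload, String str) {
        this.tokenString = str;
        this.clientConfig = oidcClientConfig;
        this.clientId = oidcClientConfig.getClientId();
        if (isTokenMappingSpi()) {
            traceResolverCount();
            try {
                // Segment 1 of the split token string is what the SPI receives (presumably the JWS payload).
                String[] splitTokenString = JsonTokenUtil.splitTokenString(str);
                if (splitTokenString.length > 1) {
                    getTheTokenMappingFromSpi(Base64Coder.base64Decode(splitTokenString[1]), oidcClientConfig);
                }
            } catch (UserIdentityException e) {
                // NOTE(review): the FFDC record captures the constructor arguments, including
                // the raw token string -- confirm that is acceptable for the incident logs.
                FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.client.AttributeToSubject", "148", this, new Object[]{oidcClientConfig, payload, str});
                if (isDebugEnabled()) {
                    Tr.debug(tc, "SPI implementation throws an exception for user mapping!!", new Object[0]);
                }
                Tr.error(tc, "PROPAGATION_TOKEN_INTERNAL_ERR", e.getLocalizedMessage(), oidcClientConfig.getValidationMethod(), oidcClientConfig.getValidationEndpointUrl());
                return;
            } catch (Exception e2) {
                // Broad catch kept from the original: split/decode failures are not typed on this page.
                FFDCFilter.processException(e2, "com.ibm.ws.security.openidconnect.client.AttributeToSubject", "154", this, new Object[]{oidcClientConfig, payload, str});
                if (isDebugEnabled()) {
                    Tr.debug(tc, "SPI implementation throws an exception for user mapping!!", new Object[0]);
                }
                Tr.error(tc, "PROPAGATION_TOKEN_INTERNAL_ERR", e2.getLocalizedMessage(), oidcClientConfig.getValidationMethod(), oidcClientConfig.getValidationEndpointUrl());
                return;
            }
        }
        if (isEmpty(this.userName)) {
            String userIdentifier = oidcClientConfig.getUserIdentifier();
            if (isEmpty(userIdentifier)) {
                userIdentifier = oidcClientConfig.getUserIdentityToCreateSubject();
            }
            // A non-string or missing claim leaves userName null; the error is reported below.
            this.userName = claimAsString(readClaim(null, payload, userIdentifier));
            if (isDebugEnabled()) {
                Tr.debug(tc, "user name = ", this.userName, "and the user identifier = ", userIdentifier);
            }
        }
        if (this.userName == null) {
            Tr.error(tc, "OIDC_CLIENT_MISSING_PRINCIPAL_ERR", this.clientId);
            return;
        }
        // Same key shape as the JSONObject constructor; see the note there on collisions.
        this.customCacheKey = this.userName + Objects.hashCode(this.tokenString);
        if (oidcClientConfig.isMapIdentityToRegistryUser()) {
            return;
        }
        if (isEmpty(this.realm)) {
            this.realm = getTheRealmName(oidcClientConfig, null, payload);
        }
        if (isEmpty(this.uniqueSecurityName)) {
            this.uniqueSecurityName = getTheUniqueSecurityName(oidcClientConfig, null, payload);
        }
        if (this.groupIds == null || this.groupIds.isEmpty()) {
            ArrayList<String> groups = claimAsStringList(readClaim(null, payload, oidcClientConfig.getGroupIdentifier()));
            if (groups != null) {
                this.groupIds = groups;
            }
            traceGroupCount();
        }
    }

    /**
     * Reports whether no principal could be determined.
     *
     * @return {@code true} when the user name is {@code null} or empty
     */
    public boolean checkUserNameForNull() {
        boolean missing = isEmpty(this.userName);
        if (missing && isDebugEnabled()) {
            Tr.debug(tc, "There is no principal", new Object[0]);
        }
        return missing;
    }

    /**
     * Builds the custom-property hashtable seeded with the subject cache key
     * when the configuration asks for it.
     *
     * @return a new hashtable; empty unless {@code isIncludeCustomCacheKeyInSubject()} is set
     */
    public Hashtable<String, Object> handleCustomProperties() {
        Hashtable<String, Object> hashtable = new Hashtable<>();
        if (this.clientConfig.isIncludeCustomCacheKeyInSubject()) {
            hashtable.put("com.ibm.wsspi.security.cred.cacheKey", this.customCacheKey);
            // Marks the subject as asserted (no registry password check), as in the original.
            hashtable.put("com.ibm.ws.authentication.internal.assertion", Boolean.TRUE);
        }
        return hashtable;
    }

    /**
     * Fills {@code hashtable} with the credential properties derived from the
     * token and wraps it in a successful authentication result.
     * <p>
     * When identities are not mapped to the registry, the unique id and group
     * access ids are composed as {@code user:<realm><sep><uniqueSecurityName>}
     * and {@code group:<realm><sep><group>} where {@code <sep>} is
     * {@link WsLocationConstants#LOC_VIRTUAL_ROOT}. Both parts come straight
     * from the token claims (or the SPI) without further normalization.
     *
     * @param hashtable the property table to populate (mutated in place)
     * @param subject   the subject to place in the result
     * @return a {@link AuthResult#SUCCESS} result carrying {@code userName}, {@code subject} and {@code hashtable}
     */
    public ProviderAuthenticationResult doMapping(Hashtable<String, Object> hashtable, Subject subject) {
        if (!this.clientConfig.isMapIdentityToRegistryUser()) {
            String uniqueId = "user:" + this.realm + WsLocationConstants.LOC_VIRTUAL_ROOT + this.uniqueSecurityName;
            ArrayList<String> groupAccessIds = new ArrayList<>();
            if (this.groupIds != null) {
                // Iterated as Object: the list may have been copied unchecked from the SPI.
                for (Object group : this.groupIds) {
                    groupAccessIds.add("group:" + this.realm + WsLocationConstants.LOC_VIRTUAL_ROOT + group);
                }
            }
            hashtable.put("com.ibm.wsspi.security.cred.uniqueId", uniqueId);
            if (!isEmpty(this.realm)) {
                hashtable.put("com.ibm.wsspi.security.cred.realm", this.realm);
            }
            if (!groupAccessIds.isEmpty()) {
                hashtable.put("com.ibm.wsspi.security.cred.groups", groupAccessIds);
            }
        }
        hashtable.put(ClientConstants.CREDENTIAL_STORING_TIME_MILLISECONDS, Long.valueOf(System.currentTimeMillis()));
        return new ProviderAuthenticationResult(AuthResult.SUCCESS, 200, this.userName, subject, hashtable, (String) null);
    }

    /**
     * Reports whether no realm could be determined.
     *
     * @return {@code true} when the realm is {@code null} or empty
     */
    public boolean checkForNullRealm() {
        boolean missing = isEmpty(this.realm);
        if (missing && isDebugEnabled()) {
            Tr.debug(tc, "There is no realm", new Object[0]);
        }
        return missing;
    }

    /**
     * Asks the first registered resolver for the user name of {@code str}.
     *
     * @param str the token text handed to the SPI
     * @return the mapped user, or {@code null} when no resolver is registered
     * @throws UserIdentityException propagated from the resolver
     */
    String getUserFromUserResolver(String str) throws UserIdentityException {
        UserCredentialResolver resolver = firstResolver();
        String user = resolver == null ? null : resolver.mapToUser(str);
        if (isDebugEnabled()) {
            Tr.debug(tc, "spi returns user id = ", user);
        }
        return user;
    }

    /**
     * Asks the first registered resolver for the realm of {@code str}.
     *
     * @param str the token text handed to the SPI
     * @return the mapped realm, or {@code null} when no resolver is registered
     * @throws UserIdentityException propagated from the resolver
     */
    private String getRealmFromUserResolver(String str) throws UserIdentityException {
        UserCredentialResolver resolver = firstResolver();
        String mappedRealm = resolver == null ? null : resolver.mapToRealm(str);
        if (isDebugEnabled()) {
            Tr.debug(tc, "spi returns the realm = ", mappedRealm);
        }
        return mappedRealm;
    }

    /** @return {@code true} when at least one resolver SPI is activated */
    boolean isTokenMappingSpi() {
        return activatedUserResolverRef.size() > 0;
    }

    /**
     * Populates user name, and unless registry mapping is on, realm, unique
     * security name and groups from the first registered resolver.
     *
     * @param str              the token text handed to the SPI
     * @param oidcClientConfig used only for {@code isMapIdentityToRegistryUser()}
     * @throws UserIdentityException propagated from any resolver call
     */
    private void getTheTokenMappingFromSpi(String str, OidcClientConfig oidcClientConfig) throws UserIdentityException {
        UserCredentialResolver resolver = firstResolver();
        if (resolver == null) {
            return;
        }
        this.userName = resolver.mapToUser(str);
        if (isDebugEnabled()) {
            Tr.debug(tc, "spi returns user id = ", this.userName);
        }
        if (oidcClientConfig.isMapIdentityToRegistryUser()) {
            return;
        }
        this.realm = resolver.mapToRealm(str);
        if (isDebugEnabled()) {
            Tr.debug(tc, "spi returns the realm = ", this.realm);
        }
        this.uniqueSecurityName = resolver.mapToUserUniqueID(str);
        if (isDebugEnabled()) {
            Tr.debug(tc, "spi returns the unique security name = ", this.uniqueSecurityName);
        }
        // Defensive copy; a list with non-string entries is treated like no groups at all.
        ArrayList<String> groups = claimAsStringList(resolver.mapToGroups(str));
        if (groups == null || groups.isEmpty()) {
            return;
        }
        this.groupIds = groups;
        if (isDebugEnabled()) {
            Tr.debug(tc, "spi returns the groups and size = ", Integer.valueOf(this.groupIds.size()));
        }
    }

    /**
     * Reads the user name claim from a raw claim set, preferring the configured
     * {@code userIdentifier} and falling back to {@code userIdentityToCreateSubject}.
     * A missing or non-string claim is reported with {@link Tr#error} and leaves
     * {@code userName} untouched.
     *
     * @return the (possibly unchanged) {@code userName}; {@code null} when {@code jSONObject} is {@code null}
     */
    private String getTheUserName(OidcClientConfig oidcClientConfig, JSONObject jSONObject) {
        if (jSONObject == null) {
            return null;
        }
        String userIdentifier = oidcClientConfig.getUserIdentifier();
        String claimName;
        String configKey;
        if (isEmpty(userIdentifier)) {
            claimName = oidcClientConfig.getUserIdentityToCreateSubject();
            configKey = OidcClientConfigImpl.CFG_KEY_USER_IDENTITY_TO_CREATE_SUBJECT;
        } else {
            claimName = userIdentifier;
            configKey = OidcClientConfigImpl.CFG_KEY_USER_IDENTIFIER;
        }
        Object value = jSONObject.get(claimName);
        if (value == null) {
            Tr.error(tc, "PROPAGATION_TOKEN_MISSING_USERID", claimName, configKey);
        } else if (value instanceof String) {
            this.userName = (String) value;
        } else {
            Tr.error(tc, "PROPAGATION_TOKEN_INCORRECT_CLAIM_TYPE", claimName, configKey);
        }
        return this.userName;
    }

    /**
     * Resolves the realm: the configured realm name if set, else the configured
     * realm claim, else the {@code iss} claim. Reads from {@code jSONObject}
     * when present, otherwise from {@code payload}.
     *
     * @return the realm stored in {@code this.realm}, or {@code null} when both sources are {@code null}
     */
    private String getTheRealmName(OidcClientConfig oidcClientConfig, JSONObject jSONObject, Payload payload) {
        if (jSONObject == null && payload == null) {
            return null;
        }
        String configuredRealm = oidcClientConfig.getRealmName();
        if (isEmpty(configuredRealm)) {
            this.realm = claimAsString(readClaim(jSONObject, payload, oidcClientConfig.getRealmIdentifier()));
            if (isEmpty(this.realm)) {
                // The issuer doubles as the realm when no realm claim is available.
                this.realm = claimAsString(readClaim(jSONObject, payload, "iss"));
            }
        } else {
            this.realm = configuredRealm;
        }
        if (isDebugEnabled()) {
            Tr.debug(tc, "realm name = ", this.realm);
        }
        return this.realm;
    }

    /**
     * Resolves the unique security name from the configured unique-user claim,
     * falling back to the user name. Reads from {@code jSONObject} when
     * present, otherwise from {@code payload}.
     *
     * @return the value stored in {@code this.uniqueSecurityName}, or {@code null} when both sources are {@code null}
     */
    private String getTheUniqueSecurityName(OidcClientConfig oidcClientConfig, JSONObject jSONObject, Payload payload) {
        if (jSONObject == null && payload == null) {
            return null;
        }
        this.uniqueSecurityName = claimAsString(readClaim(jSONObject, payload, oidcClientConfig.getUniqueUserIdentifier()));
        if (isEmpty(this.uniqueSecurityName)) {
            this.uniqueSecurityName = this.userName;
        }
        if (isDebugEnabled()) {
            Tr.debug(tc, "unique security name = ", this.uniqueSecurityName);
        }
        return this.uniqueSecurityName;
    }

    /** Reads a claim from whichever source is non-null (claim set first, then payload). */
    private static Object readClaim(JSONObject jSONObject, Payload payload, String claimName) {
        if (jSONObject != null) {
            return jSONObject.get(claimName);
        }
        if (payload != null) {
            return payload.get(claimName);
        }
        return null;
    }

    /** @return {@code value} if it is a {@link String}, else {@code null} (no unchecked cast). */
    private static String claimAsString(Object value) {
        return value instanceof String ? (String) value : null;
    }

    /**
     * Copies a list-valued claim into a fresh {@code ArrayList<String>}.
     *
     * @return the copy, or {@code null} when {@code value} is not a {@link List} or holds a non-string element
     */
    private static ArrayList<String> claimAsStringList(Object value) {
        if (!(value instanceof List)) {
            return null;
        }
        List<?> source = (List<?>) value;
        ArrayList<String> copy = new ArrayList<>(source.size());
        for (Object element : source) {
            if (!(element instanceof String)) {
                if (isDebugEnabled()) {
                    Tr.debug(tc, "group claim contains a non-string element; groups ignored", new Object[0]);
                }
                return null;
            }
            copy.add((String) element);
        }
        return copy;
    }

    /** @return the first activated resolver, or {@code null} when none is registered */
    private static UserCredentialResolver firstResolver() {
        Iterator<UserCredentialResolver> services = activatedUserResolverRef.getServices();
        return services.hasNext() ? services.next() : null;
    }

    private static boolean isEmpty(String value) {
        return value == null || value.isEmpty();
    }

    private static boolean isDebugEnabled() {
        return TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled();
    }

    private static void traceResolverCount() {
        if (isDebugEnabled()) {
            Tr.debug(tc, "activatedUserResolverRef size():" + activatedUserResolverRef.size(), new Object[0]);
        }
    }

    private void traceGroupCount() {
        if (this.groupIds != null && isDebugEnabled()) {
            Tr.debug(tc, "groups size = ", Integer.valueOf(this.groupIds.size()));
        }
    }
}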
