package com.ibm.ws.security.oauth20.web;

import com.google.gson.JsonArray;
import com.ibm.oauth.core.api.OAuthConstants;
import com.ibm.oauth.core.api.OAuthResult;
import com.ibm.oauth.core.api.attributes.AttributeList;
import com.ibm.oauth.core.api.error.oauth20.OAuth20BadParameterFormatException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20DuplicateParameterException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20Exception;
import com.ibm.oauth.core.api.error.oauth20.OAuth20InvalidClientException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20InvalidGrantTypeException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20InvalidRedirectUriException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20InvalidResponseTypeException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20InvalidScopeException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20MissingParameterException;
import com.ibm.oauth.core.internal.oauth20.OAuth20Constants;
import com.ibm.oauth.core.internal.oauth20.OAuth20Util;
import com.ibm.oauth.core.internal.oauth20.OAuthResultImpl;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.oauth20.api.OAuth20Provider;
import com.ibm.ws.security.oauth20.api.OidcOAuth20Client;
import com.ibm.ws.security.oauth20.api.OidcOAuth20ClientProvider;
import com.ibm.ws.security.oauth20.plugins.OidcBaseClient;
import com.ibm.ws.security.oauth20.plugins.OidcBaseClientScopeReducer;
import com.ibm.ws.security.oauth20.util.OidcOAuth20Util;
import com.ibm.wsspi.kernel.service.location.WsLocationConstants;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

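/**
 * Validates the client-supplied parameters of OAuth 2.0 / OpenID Connect requests before a
 * grant is issued: client_id, redirect_uri, response_type, grant_type and scope for the
 * authorization endpoint ({@link #validateAuthorization}), and grant_type / scope for the
 * two-legged token grants ({@link #validateAndHandle2LegsScope}).
 *
 * <p>Every failed check raises an {@link OAuth20Exception}. The two entry points convert it
 * into an {@link OAuthResultImpl} with status {@code 1} carrying the exception and return
 * status {@code 0} on success; validated values (and derived ones such as the reduced scope
 * set) are written into an {@link AttributeList} for later stages of the flow.
 *
 * <p>Security-relevant behaviour that is visible in this class and worth knowing:
 * <ul>
 *   <li>A supplied redirect_uri must match one of the client's registered URIs (via
 *       {@code OidcOAuth20Util.jsonArrayContainsString}); when it is omitted the request
 *       only proceeds if the client has exactly one registered redirect URI.</li>
 *   <li>Grant-type enforcement is fail-open: when the client's registered grant types
 *       intersected with the provider's allowed grant types is empty, any grant type is
 *       accepted (see {@link #isRequestedGrantTypeRegistered}).</li>
 *   <li>On the authorization endpoint a plain OAuth 2.0 client with no registered scope is
 *       granted every well-formed scope it requests; on the two-legged path such a client
 *       is granted none (see {@link #isScopeRegistered}).</li>
 *   <li>response_type is checked token by token, so a combination such as
 *       {@code "code id_token"} passes when {@code "code"} and {@code "id_token"} are
 *       registered separately (see {@link #validateResponseTypeAndReturn}).</li>
 * </ul>
 *
 * <p>This listing was decompiled. The try/catch boundaries of the two entry points were
 * reconstructed so that every checked {@link OAuth20Exception} is reported through the
 * returned result instead of leaving locals unassigned, and {@link #urlsMatch} no longer
 * strips {@code ":443/"} / {@code ":80/"} from arbitrary positions of the URL.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:lib/com.ibm.ws.security.oauth20_1.1.13.cl160220160718-1411.jar:com/ibm/ws/security/oauth20/web/ClientAuthorization.class */
public class ClientAuthorization {
    private static TraceComponent tc = Tr.register((Class<?>) ClientAuthorization.class, "OAUTH", "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages");

    /** Request parameters that are validated explicitly and therefore not copied verbatim by {@link #validateAuthorization}. */
    private static final Set<String> requiredAttributes = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("client_id", "client_secret", "response_type", "state", "scope")));
    static final long serialVersionUID = -2503683542006944532L;

    // Request parameter / attribute names.
    private static final String PARAM_CLIENT_ID = "client_id";
    private static final String PARAM_REDIRECT_URI = "redirect_uri";
    private static final String PARAM_RESPONSE_TYPE = "response_type";
    private static final String PARAM_GRANT_TYPE = "grant_type";
    private static final String PARAM_SCOPE = "scope";
    private static final String PARAM_STATE = "state";
    private static final String ATTR_USERNAME = "username";
    /** Request attribute whose presence marks an OpenID Connect (as opposed to plain OAuth 2.0) request. */
    private static final String ATTR_OIDC_REQUEST = "OidcRequest";

    // Grant and response type values.
    private static final String GRANT_AUTHORIZATION_CODE = "authorization_code";
    private static final String GRANT_IMPLICIT = "implicit";
    private static final String GRANT_CLIENT_CREDENTIALS = "client_credentials";
    private static final String GRANT_PASSWORD = "password";
    private static final String GRANT_JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer";
    private static final String GRANT_UNKNOWN = "unknown";
    private static final String RESPONSE_TYPE_CODE = "code";
    private static final String RESPONSE_TYPE_TOKEN = "token";
    private static final String RESPONSE_TYPE_ID_TOKEN = "id_token";

    // Message keys.
    private static final String MSG_MISSING_PARAMETER = "security.oauth20.error.missing.parameter";
    private static final String MSG_DUPLICATE_PARAMETER = "security.oauth20.error.duplicate.parameter";
    private static final String MSG_INVALID_CLIENT = "security.oauth20.error.invalid.client";
    private static final String MSG_INVALID_GRANT_TYPE = "security.oauth20.error.invalid.granttype";
    private static final String MSG_INVALID_RESPONSE_TYPE = "security.oauth20.error.invalid.responsetype";

    /** Status values used by {@link OAuthResultImpl} in this class: 0 = success, 1 = failed (exception attached). */
    private static final int STATUS_OK = 0;
    private static final int STATUS_FAILED = 1;

    /**
     * Validates an authorization-endpoint request end to end.
     *
     * <p>Checks, in order: records the authenticated user and the {@code state} parameter,
     * resolves and checks the client, checks redirect_uri, response_type, grant_type (derived
     * from response_type when absent), the response_type / grant_type pairing, duplicate
     * {@code state}, and finally reduces the requested scopes to the registered ones. Every
     * remaining request parameter is copied into the attribute list unchanged.
     *
     * @param oAuth20Provider     provider whose client registry and policy apply
     * @param httpServletRequest  the incoming authorization request
     * @param httpServletResponse unused here except as FFDC context
     * @return a result with status 0 and the populated attribute list, or status 1 carrying the
     *         {@link OAuth20Exception} that failed the request (the attribute list still holds
     *         whatever was recorded before the failure, e.g. state and client_id)
     */
    public OAuthResult validateAuthorization(OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        AttributeList attributeList = new AttributeList();
        try {
            validateUsername(httpServletRequest, attributeList);
            // state is recorded before any check fails, presumably so an error response can echo it;
            // its duplicate check is deliberately deferred until after the client/response checks.
            String[] stateValues = httpServletRequest.getParameterValues(PARAM_STATE);
            if (stateValues != null) {
                attributeList.setAttribute(PARAM_STATE, OAuthConstants.ATTRTYPE_PARAM_QUERY, stateValues);
            }
            OidcBaseClient client = validateClientId(httpServletRequest, attributeList, oAuth20Provider);
            String clientId = client.getClientId();
            validateRedirectUri(httpServletRequest, attributeList, client);
            String responseType = validateResponseTypeAndReturn(httpServletRequest, oAuth20Provider, clientId);
            String grantType = getRequestedGrantType(httpServletRequest, responseType);
            // Throws for an unregistered grant type; the boolean (false only for a blank grant type)
            // is not consulted here, matching the original behaviour.
            validateGrantTypes(oAuth20Provider, httpServletRequest, clientId, responseType);
            if (!isValidResponseTypeForAuthorizationCodeGrantType(responseType, grantType)
                    && !isValidResponseTypeForImplicitGrantType(responseType, grantType)) {
                throw new OAuth20InvalidResponseTypeException(MSG_INVALID_RESPONSE_TYPE, responseType);
            }
            attributeList.setAttribute(PARAM_RESPONSE_TYPE, OAuthConstants.ATTRTYPE_PARAM_QUERY, new String[]{responseType});
            if (stateValues != null && stateValues.length > 1) {
                throw new OAuth20DuplicateParameterException(MSG_DUPLICATE_PARAMETER, PARAM_STATE);
            }
            validateScopes(httpServletRequest, attributeList, client, clientId);
            copyRemainingParameters(httpServletRequest, attributeList);
            return new OAuthResultImpl(STATUS_OK, attributeList);
        } catch (OAuth20Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.web.ClientAuthorization", "117", this, new Object[]{oAuth20Provider, httpServletRequest, httpServletResponse});
            return new OAuthResultImpl(STATUS_FAILED, attributeList, e);
        }
    }

    /**
     * Copies every request parameter that is not one of {@link #requiredAttributes} into the
     * attribute list as-is (all values, no validation) under {@code ATTRTYPE_REQUEST}.
     */
    private void copyRemainingParameters(HttpServletRequest httpServletRequest, AttributeList attributeList) {
        Enumeration<?> parameterNames = httpServletRequest.getParameterNames();
        while (parameterNames.hasMoreElements()) {
            String name = (String) parameterNames.nextElement();
            if (!requiredAttributes.contains(name)) {
                attributeList.setAttribute(name, OAuthConstants.ATTRTYPE_REQUEST, httpServletRequest.getParameterValues(name));
            }
        }
    }

    /**
     * Records the authenticated principal's name as the {@code username} request attribute.
     * Despite the name this performs no validation: an unauthenticated request stores {@code null}.
     */
    private void validateUsername(HttpServletRequest httpServletRequest, AttributeList attributeList) {
        Principal principal = httpServletRequest.getUserPrincipal();
        String name = principal == null ? null : principal.getName();
        attributeList.setAttribute(ATTR_USERNAME, OAuthConstants.ATTRTYPE_REQUEST, new String[]{name});
    }

    /**
     * Returns the single value of a parameter that has already been found present.
     *
     * @throws OAuth20DuplicateParameterException if the parameter was sent more than once
     * @throws OAuth20MissingParameterException   if the single value is null or empty
     */
    private static String requireSingleValue(String[] values, String parameterName) throws OAuth20Exception {
        if (values.length > 1) {
            throw new OAuth20DuplicateParameterException(MSG_DUPLICATE_PARAMETER, parameterName);
        }
        String value = values[0];
        if (value == null || value.length() == 0) {
            throw new OAuth20MissingParameterException(MSG_MISSING_PARAMETER, parameterName, null);
        }
        return value;
    }

    /**
     * Resolves the {@code client_id} parameter to a registered, enabled client.
     *
     * <p>The raw client_id value(s) are stored in the attribute list before the duplicate /
     * blank checks run, so a failure result still carries what the caller sent.
     *
     * @throws OAuth20MissingParameterException   if client_id is absent or blank
     * @throws OAuth20DuplicateParameterException if client_id is repeated
     * @throws OAuth20InvalidClientException      if no such client exists or it is disabled
     */
    private OidcBaseClient validateClientId(HttpServletRequest httpServletRequest, AttributeList attributeList, OAuth20Provider oAuth20Provider) throws OAuth20Exception {
        String[] values = httpServletRequest.getParameterValues(PARAM_CLIENT_ID);
        if (values == null) {
            throw new OAuth20MissingParameterException(MSG_MISSING_PARAMETER, PARAM_CLIENT_ID, null);
        }
        attributeList.setAttribute(PARAM_CLIENT_ID, OAuthConstants.ATTRTYPE_PARAM_QUERY, values);
        String clientId = requireSingleValue(values, PARAM_CLIENT_ID);
        OidcBaseClient client = getOidcOAuth20Client(oAuth20Provider, clientId);
        if (client == null || !client.isEnabled()) {
            throw new OAuth20InvalidClientException(MSG_INVALID_CLIENT, clientId, false);
        }
        return client;
    }

    /**
     * Handles an authorization request that omits {@code redirect_uri}: the client's registered
     * redirect URI is used, but only if exactly one is registered and it passes
     * {@code OidcOAuth20Util.validateRedirectUris}. This is the RFC 6749 §3.1.2.3 rule that a
     * missing redirect_uri is only acceptable when the registration is unambiguous.
     *
     * @throws OAuth20MissingParameterException    if zero or several redirect URIs are registered
     * @throws OAuth20InvalidRedirectUriException  if the registered URI fails validation
     */
    private void validateRegisteredRedirectUri(AttributeList attributeList, JsonArray registeredRedirectUris) throws OAuth20Exception {
        if (registeredRedirectUris == null || registeredRedirectUris.size() != 1) {
            throw new OAuth20MissingParameterException(MSG_MISSING_PARAMETER, PARAM_REDIRECT_URI, null);
        }
        if (!OidcOAuth20Util.validateRedirectUris(registeredRedirectUris)) {
            throw new OAuth20InvalidRedirectUriException("security.oauth20.error.invalid.registered.redirecturi", OidcOAuth20Util.getSpaceDelimitedString(registeredRedirectUris), null);
        }
        attributeList.setAttribute(PARAM_REDIRECT_URI, OAuthConstants.ATTRTYPE_PARAM_QUERY, new String[]{registeredRedirectUris.get(0).getAsString()});
    }

    /**
     * Validates the {@code redirect_uri} parameter against the client's registration.
     *
     * <p>A supplied value must pass {@code OAuth20Util.validateRedirectUri} and be contained in
     * the client's registered redirect URIs (as decided by
     * {@code OidcOAuth20Util.jsonArrayContainsString}; no normalisation is applied here, so a
     * registered URI must match what the client sends). A missing or empty value falls back to
     * {@link #validateRegisteredRedirectUri}.
     *
     * @throws OAuth20DuplicateParameterException if redirect_uri is repeated
     * @throws OAuth20InvalidRedirectUriException if the value is malformed or not registered
     */
    private void validateRedirectUri(HttpServletRequest httpServletRequest, AttributeList attributeList, OidcBaseClient oidcBaseClient) throws OAuth20Exception {
        String[] values = httpServletRequest.getParameterValues(PARAM_REDIRECT_URI);
        if (values != null) {
            attributeList.setAttribute(PARAM_REDIRECT_URI, OAuthConstants.ATTRTYPE_PARAM_QUERY, values);
            if (values.length > 1) {
                throw new OAuth20DuplicateParameterException(MSG_DUPLICATE_PARAMETER, PARAM_REDIRECT_URI);
            }
        }
        String requested = values == null ? null : values[0];
        JsonArray registered = oidcBaseClient.getRedirectUris();
        if (requested == null || requested.length() == 0) {
            validateRegisteredRedirectUri(attributeList, registered);
            return;
        }
        if (!OAuth20Util.validateRedirectUri(requested)) {
            throw new OAuth20InvalidRedirectUriException("security.oauth20.error.invalid.redirecturi", requested, null);
        }
        boolean registeredMatch = registered != null && registered.size() > 0
                && OidcOAuth20Util.jsonArrayContainsString(registered, requested);
        if (!registeredMatch) {
            throw new OAuth20InvalidRedirectUriException("security.oauth20.error.invalid.redirecturi.mismatch", requested, OidcOAuth20Util.getSpaceDelimitedString(registered), null);
        }
    }

    /**
     * Reduces the requested scopes to those registered for the client and stores them.
     *
     * <p>For OIDC requests (marked by the {@code OidcRequest} attribute) a missing scope
     * parameter and a client with no registered scope are both rejected first. For plain OAuth
     * 2.0 requests neither check runs, and {@link #getReducedScopes} is called with
     * {@code unregisteredClientAcceptsAll = true}, so a client without a registered scope set
     * receives every well-formed scope it asked for.
     */
    private void validateScopes(HttpServletRequest httpServletRequest, AttributeList attributeList, OidcBaseClient oidcBaseClient, String clientId) throws OAuth20Exception {
        if (httpServletRequest.getAttribute(ATTR_OIDC_REQUEST) != null) {
            checkForMissingScopeInTheRequest(httpServletRequest);
            checkForEmptyRegisteredScopeSet(oidcBaseClient, clientId);
        }
        String[] reducedScopes = getReducedScopes((OidcOAuth20Client) oidcBaseClient, httpServletRequest, clientId, true);
        if (reducedScopes != null) {
            attributeList.setAttribute(PARAM_SCOPE, OAuthConstants.ATTRTYPE_REQUEST, reducedScopes);
        }
    }

    /** True only for the exact pairing response_type {@code "code"} with grant type {@code "authorization_code"}. */
    protected boolean isValidResponseTypeForAuthorizationCodeGrantType(String responseType, String grantType) {
        return responseType != null && grantType != null
                && RESPONSE_TYPE_CODE.equals(responseType) && GRANT_AUTHORIZATION_CODE.equals(grantType);
    }

    /**
     * True when the grant type is {@code "implicit"} and at least one space-separated token of
     * the response_type is {@code "token"} or {@code "id_token"}. Other tokens (e.g. a leading
     * {@code "code"}) are not rejected by this check.
     */
    protected boolean isValidResponseTypeForImplicitGrantType(String responseType, String grantType) {
        if (responseType == null || grantType == null) {
            return false;
        }
        boolean hasImplicitToken = false;
        for (String token : responseType.split(" ")) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Checking individual response type: " + token);
            }
            if (RESPONSE_TYPE_TOKEN.equals(token) || RESPONSE_TYPE_ID_TOKEN.equals(token)) {
                hasImplicitToken = true;
                break;
            }
        }
        return hasImplicitToken && GRANT_IMPLICIT.equals(grantType);
    }

    /**
     * Rejects a client whose registered scope string is null or blank. A null client is
     * silently accepted here; callers resolve the client beforehand.
     *
     * @throws OAuth20InvalidScopeException with key {@code security.oauth20.error.missing.registered.scope}
     */
    protected void checkForEmptyRegisteredScopeSet(OidcBaseClient oidcBaseClient, String clientId) throws OAuth20InvalidScopeException {
        if (oidcBaseClient == null) {
            return;
        }
        String registeredScope = oidcBaseClient.getScope();
        if (registeredScope == null || registeredScope.trim().length() == 0) {
            throw new OAuth20InvalidScopeException("security.oauth20.error.missing.registered.scope", (String) null, clientId);
        }
    }

    /**
     * Requires the {@code scope} parameter to be present (OpenID Connect requests must carry
     * at least the scope that identifies them). Duplicate values are not checked here.
     *
     * @throws OAuth20InvalidScopeException if scope is absent
     */
    protected void checkForMissingScopeInTheRequest(HttpServletRequest httpServletRequest) throws OAuth20InvalidScopeException {
        String[] scopeValues = httpServletRequest.getParameterValues(PARAM_SCOPE);
        if (scopeValues == null) {
            throw new OAuth20InvalidScopeException("security.oauth20.error.missing.scope", "OpenID Connect request");
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "IDC Request scopeParams:" + OAuth20Util.arrayToSpaceString(scopeValues));
        }
    }

    /**
     * Validates grant_type and scope for the two-legged token grants
     * ({@code client_credentials}, {@code password}, JWT bearer).
     *
     * <p>Flow: the grant type is checked against the client's reduced grant types; any other
     * grant type returns success untouched. For plain OAuth 2.0 {@code client_credentials} /
     * {@code password} requests the scope parameter is only de-duplicated and stored. For every
     * other case (OIDC requests, and OAuth 2.0 JWT bearer) the scopes are reduced to the
     * registered ones and must be non-empty; unless the client is auto-authorized
     * ({@link #isClientAutoAuthorized}) each scope must additionally be pre-authorized for the
     * client, otherwise an {@code INVALID_SCOPE} error is returned. The scope name that failed
     * is logged server-side ({@code JWT_SERVER_SCOPE_NOT_PRE_AUTHORIZED_ERR}) while the
     * exception carries the {@code _EXTERNAL_ERR} variant with only the client id.
     *
     * @param clientId the already authenticated client id (not taken from the request here)
     * @return a status-0 result, or a status-1 result carrying the failing {@link OAuth20Exception}
     */
    public OAuthResult validateAndHandle2LegsScope(OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String clientId) {
        AttributeList attributeList = new AttributeList();
        OAuthResultImpl result = new OAuthResultImpl(STATUS_OK, attributeList);
        try {
            String[] grantTypeValues = httpServletRequest.getParameterValues(PARAM_GRANT_TYPE);
            String grantType = grantTypeValues == null ? null : grantTypeValues[0];
            if (!validateGrantTypes(oAuth20Provider, httpServletRequest, clientId)) {
                throw new OAuth20InvalidGrantTypeException(MSG_INVALID_GRANT_TYPE, grantType);
            }
            boolean twoLegged = GRANT_CLIENT_CREDENTIALS.equals(grantType)
                    || GRANT_JWT_BEARER.equals(grantType)
                    || GRANT_PASSWORD.equals(grantType);
            if (!twoLegged) {
                return result;
            }
            boolean oidcRequest = httpServletRequest.getAttribute(ATTR_OIDC_REQUEST) != null;
            if (oidcRequest) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "This is an OIDC request");
                }
                attributeList.setAttribute(OAuth20Constants.REQUEST_FEATURE, OAuth20Constants.ATTRTYPE_PARAM_OAUTH_REQUEST, new String[]{OAuth20Constants.REQUEST_FEATURE_OIDC});
                checkForMissingScopeInTheRequest(httpServletRequest);
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "This is an OAuth20 request");
                }
                attributeList.setAttribute(OAuth20Constants.REQUEST_FEATURE, OAuth20Constants.ATTRTYPE_PARAM_OAUTH_REQUEST, new String[]{OAuth20Constants.REQUEST_FEATURE_OAUTH2});
                if (GRANT_CLIENT_CREDENTIALS.equals(grantType) || GRANT_PASSWORD.equals(grantType)) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "Since this is OAuth20 request, client_credetinals and resource_owner will go back to the old behavior");
                    }
                    // Legacy OAuth 2.0 behaviour: no reduction against registered scopes, only de-duplication.
                    storeRequestedScopesUnreduced(httpServletRequest, attributeList);
                    return result;
                }
            }
            OidcBaseClient client = getOidcOAuth20Client(oAuth20Provider, clientId);
            if (client == null) {
                throw new OAuth20InvalidClientException(MSG_INVALID_CLIENT, clientId, false);
            }
            String[] reducedScopes = getReducedScopes((OidcOAuth20Client) client, httpServletRequest, clientId, false);
            checkForEmptyScopeList(reducedScopes, httpServletRequest, client, clientId);
            if (isClientAutoAuthorized(oAuth20Provider, httpServletRequest, clientId)) {
                attributeList.setAttribute(PARAM_SCOPE, OAuth20Constants.ATTRTYPE_PARAM_OAUTH_REQUEST, getUniqueArray(reducedScopes));
            } else {
                requirePreAuthorizedScopes(client, reducedScopes, clientId);
                attributeList.setAttribute(PARAM_SCOPE, OAuth20Constants.ATTRTYPE_PARAM_OAUTH_REQUEST, reducedScopes);
            }
            httpServletRequest.setAttribute(OAuth20Constants.ATTRTYPE_PARAM_OAUTH_REQUEST, attributeList);
            return result;
        } catch (OAuth20Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.web.ClientAuthorization", "427", this, new Object[]{oAuth20Provider, httpServletRequest, httpServletResponse, clientId});
            return new OAuthResultImpl(STATUS_FAILED, attributeList, e);
        }
    }

    /**
     * Stores the space-split, de-duplicated {@code scope} parameter (if present) without
     * checking it against the client's registration, and publishes the attribute list on the
     * request. Used only for legacy OAuth 2.0 client_credentials / password requests.
     *
     * @throws OAuth20DuplicateParameterException if scope is repeated
     */
    private void storeRequestedScopesUnreduced(HttpServletRequest httpServletRequest, AttributeList attributeList) throws OAuth20Exception {
        String[] scopeValues = httpServletRequest.getParameterValues(PARAM_SCOPE);
        if (scopeValues == null) {
            return;
        }
        if (scopeValues.length > 1) {
            throw new OAuth20DuplicateParameterException(MSG_DUPLICATE_PARAMETER, PARAM_SCOPE);
        }
        if (scopeValues.length == 1) {
            attributeList.setAttribute(PARAM_SCOPE, OAuth20Constants.ATTRTYPE_PARAM_OAUTH_REQUEST, getUniqueArray(scopeValues[0].split(" ")));
            httpServletRequest.setAttribute(OAuth20Constants.ATTRTYPE_PARAM_OAUTH_REQUEST, attributeList);
        }
    }

    /**
     * Requires every non-blank scope to be pre-authorized for the client.
     *
     * @throws OAuth20Exception with {@code INVALID_SCOPE} when the client has no pre-authorized
     *         scope at all, or when one of the scopes is not pre-authorized (the scope name is
     *         logged but only the client id is placed in the exception message)
     */
    private void requirePreAuthorizedScopes(OidcBaseClient client, String[] scopes, String clientId) throws OAuth20Exception {
        String preAuthorizedScope = client.getPreAuthorizedScope();
        if (preAuthorizedScope == null || preAuthorizedScope.isEmpty()) {
            Tr.error(tc, "JWT_SERVER_NO_PRE_AUTHORIZED_SCOPE_ERR", clientId);
            throw new OAuth20Exception(OAuth20Exception.INVALID_SCOPE, Tr.formatMessage(tc, "JWT_SERVER_NO_PRE_AUTHORIZED_SCOPE_ERR", clientId), null);
        }
        OidcBaseClientScopeReducer reducer = new OidcBaseClientScopeReducer(client);
        for (String scope : scopes) {
            if (scope != null && scope.length() > 0 && !reducer.hasClientPreAuthorizedScope(scope)) {
                Tr.error(tc, "JWT_SERVER_SCOPE_NOT_PRE_AUTHORIZED_ERR", scope, clientId);
                throw new OAuth20Exception(OAuth20Exception.INVALID_SCOPE, Tr.formatMessage(tc, "JWT_SERVER_SCOPE_NOT_PRE_AUTHORIZED_EXTERNAL_ERR", clientId), null);
            }
        }
    }

    /** Returns the first {@code scope} parameter value, or null if none was sent. Duplicates are not rejected here. */
    public String getRequestedScopes(HttpServletRequest httpServletRequest) {
        String[] scopeValues = httpServletRequest.getParameterValues(PARAM_SCOPE);
        return scopeValues == null ? null : scopeValues[0];
    }

    /** Same as {@link #validateGrantTypes(OAuth20Provider, HttpServletRequest, String, String)} without a response_type fallback. */
    public boolean validateGrantTypes(OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, String clientId) throws OAuth20Exception {
        return validateGrantTypes(oAuth20Provider, httpServletRequest, clientId, null);
    }

    /**
     * Checks every space-separated token of the requested grant type (see
     * {@link #getRequestedGrantType}) against the client's reduced grant types.
     *
     * @return true if at least one non-blank token was checked and accepted; false if the grant
     *         type is null or consists only of whitespace
     * @throws OAuth20InvalidGrantTypeException on the first token that is not registered
     *         (subject to the fail-open rule in {@link #isRequestedGrantTypeRegistered})
     */
    public boolean validateGrantTypes(OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, String clientId, String responseType) throws OAuth20Exception {
        String requestedGrantType = getRequestedGrantType(httpServletRequest, responseType);
        if (requestedGrantType == null) {
            return false;
        }
        Set<String> reducedGrantTypes = getReducedGrantTypes(oAuth20Provider, clientId);
        boolean checkedOne = false;
        for (String token : requestedGrantType.split(" ")) {
            String grantType = token.trim();
            if (grantType.length() == 0) {
                continue;
            }
            if (!isRequestedGrantTypeRegistered(grantType, reducedGrantTypes)) {
                throw new OAuth20InvalidGrantTypeException(MSG_INVALID_GRANT_TYPE, grantType);
            }
            checkedOne = true;
        }
        return checkedOne;
    }

    /** Copies the string elements of a JSON array into a new set (empty for null input). */
    private static Set<String> toStringSet(JsonArray jsonArray) {
        Set<String> result = new HashSet<String>();
        if (jsonArray != null) {
            for (int i = 0; i < jsonArray.size(); i++) {
                result.add(jsonArray.get(i).getAsString());
            }
        }
        return result;
    }

    /** The client's registered grant types; empty if the provider, client or registration is missing. */
    private Set<String> getRegisteredGrantTypes(OAuth20Provider oAuth20Provider, String clientId) throws OAuth20Exception {
        OidcBaseClient client = getOidcOAuth20Client(oAuth20Provider, clientId);
        return toStringSet(client == null ? null : client.getGrantTypes());
    }

    /** The provider-wide allowed grant types; empty if the provider or its list is null. */
    private Set<String> getGrantTypesAllowed(OAuth20Provider oAuth20Provider) throws OAuth20Exception {
        Set<String> allowed = new HashSet<String>();
        String[] configured = oAuth20Provider == null ? null : oAuth20Provider.getGrantTypesAllowed();
        if (configured != null) {
            allowed.addAll(Arrays.asList(configured));
        }
        return allowed;
    }

    /** Returns a new set holding the elements common to both inputs. */
    private Set<String> getSetIntersection(Set<String> first, Set<String> second) throws OAuth20Exception {
        Set<String> intersection = new HashSet<String>(first);
        intersection.retainAll(second);
        return intersection;
    }

    /**
     * The grant types the client may use: its registered grant types intersected with the
     * provider's allowed grant types. Note that an empty result is treated as "unrestricted"
     * by {@link #isRequestedGrantTypeRegistered}.
     */
    public Set<String> getReducedGrantTypes(OAuth20Provider oAuth20Provider, String clientId) throws OAuth20Exception {
        return getSetIntersection(getRegisteredGrantTypes(oAuth20Provider, clientId), getGrantTypesAllowed(oAuth20Provider));
    }

    /**
     * True if the grant type is in the reduced set.
     *
     * <p>NOTE(review): this is fail-open by design of the original code — a null or empty
     * reduced set accepts every grant type. Because the reduced set is an intersection, this
     * also covers a client whose registered grant types are all excluded by the provider's
     * {@code grantTypesAllowed}; deployments relying on that setting to restrict clients
     * should verify the intended semantics.
     */
    private boolean isRequestedGrantTypeRegistered(String grantType, Set<String> reducedGrantTypes) {
        if (reducedGrantTypes == null || reducedGrantTypes.isEmpty()) {
            return true;
        }
        return reducedGrantTypes.contains(grantType);
    }

    /**
     * Returns the distinct elements of the array, in first-occurrence order (the original used
     * an unordered HashSet; insertion order is kept here so the resulting scope list is stable).
     * A null input yields an empty array.
     */
    public String[] getUniqueArray(String[] values) {
        Set<String> unique = new LinkedHashSet<String>();
        if (values != null) {
            unique.addAll(Arrays.asList(values));
        }
        return unique.toArray(new String[unique.size()]);
    }

    /**
     * Splits the {@code scope} parameter and keeps the distinct, well-formed scopes that are
     * registered for the client (see {@link #isScopeRegistered}); unregistered scopes are
     * dropped with a debug trace rather than rejected.
     *
     * @param unregisteredClientAcceptsAll what to do with every scope when the client has no
     *        registered scope set: {@code true} keeps them all, {@code false} drops them all
     * @return the reduced scopes in request order, possibly empty; {@code null} if no scope
     *         parameter was sent at all
     * @throws OAuth20DuplicateParameterException  if scope is repeated
     * @throws OAuth20InvalidClientException       if the client is null
     * @throws OAuth20BadParameterFormatException  if a scope token fails {@code OAuth20Util.validateScopeString}
     */
    public String[] getReducedScopes(OidcOAuth20Client oidcOAuth20Client, HttpServletRequest httpServletRequest, String clientId, boolean unregisteredClientAcceptsAll) throws OAuth20Exception {
        String[] scopeValues = httpServletRequest.getParameterValues(PARAM_SCOPE);
        if (scopeValues != null && scopeValues.length > 1) {
            throw new OAuth20DuplicateParameterException(MSG_DUPLICATE_PARAMETER, PARAM_SCOPE);
        }
        if (scopeValues == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Scope parameter was not found");
            }
            return null;
        }
        if (oidcOAuth20Client == null) {
            throw new OAuth20InvalidClientException(MSG_INVALID_CLIENT, clientId, false);
        }
        OidcBaseClientScopeReducer reducer = new OidcBaseClientScopeReducer((OidcBaseClient) oidcOAuth20Client);
        Set<String> accepted = new LinkedHashSet<String>();
        for (String token : scopeValues[0].split(" ")) {
            String scope = token.trim();
            if (scope.length() == 0) {
                continue;
            }
            if (!OAuth20Util.validateScopeString(scope)) {
                throw new OAuth20BadParameterFormatException("security.oauth20.error.parameter.format", PARAM_SCOPE, scope);
            }
            if (isScopeRegistered(reducer, scope, unregisteredClientAcceptsAll)) {
                accepted.add(scope);
            } else if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The requested scope [" + scope + "] is not registered and is therefore ignored.");
            }
        }
        return accepted.toArray(new String[accepted.size()]);
    }

    /** The client's registered scope string, or null for a null client. */
    public String getRegisteredScopes(OidcOAuth20Client oidcOAuth20Client) {
        return oidcOAuth20Client == null ? null : oidcOAuth20Client.getScope();
    }

    /** Looks the client up in the provider's client provider; null if either is missing or the client is unknown. */
    public OidcBaseClient getOidcOAuth20Client(OAuth20Provider oAuth20Provider, String clientId) throws OAuth20Exception {
        if (oAuth20Provider == null) {
            return null;
        }
        OidcOAuth20ClientProvider clientProvider = oAuth20Provider.getClientProvider();
        return clientProvider == null ? null : clientProvider.get(clientId);
    }

    /**
     * Compares two URLs, treating an explicit default port as equal to no port
     * ({@code https://host:443/p} equals {@code https://host/p}, {@code http://host:80/p}
     * equals {@code http://host/p}).
     *
     * <p>The decompiled original did {@code replace(":443/", "/")} on the whole string, which
     * also rewrote occurrences inside the path or query and so could equate two URLs that
     * differ outside the authority. The port is now only removed from the authority of a
     * parseable hierarchical URI; anything that does not parse compares by exact equality only.
     *
     * @return true if the URLs are equal after default-port normalisation; false for null input
     */
    protected boolean urlsMatch(String first, String second) {
        if (first == null || second == null) {
            return false;
        }
        if (first.equals(second)) {
            return true;
        }
        String normalizedFirst = stripDefaultPort(first);
        String normalizedSecond = stripDefaultPort(second);
        return normalizedFirst != null && normalizedFirst.equals(normalizedSecond);
    }

    /**
     * Returns the URL with an explicit default port (443 for {@code https}, 80 for
     * {@code http}) removed from its authority, the URL unchanged when it carries no such
     * port, or null when it is not a parseable URI. Raw (still-encoded) components are
     * reassembled so no percent-decoding changes the comparison.
     */
    private static String stripDefaultPort(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return null;
        }
        String scheme = uri.getScheme();
        int port = uri.getPort();
        boolean defaultPort = ("https".equals(scheme) && port == 443) || ("http".equals(scheme) && port == 80);
        if (!defaultPort || uri.getHost() == null) {
            return url;
        }
        StringBuilder rebuilt = new StringBuilder(scheme).append("://");
        if (uri.getRawUserInfo() != null) {
            rebuilt.append(uri.getRawUserInfo()).append('@');
        }
        rebuilt.append(uri.getHost());
        if (uri.getRawPath() != null) {
            rebuilt.append(uri.getRawPath());
        }
        if (uri.getRawQuery() != null) {
            rebuilt.append('?').append(uri.getRawQuery());
        }
        if (uri.getRawFragment() != null) {
            rebuilt.append('#').append(uri.getRawFragment());
        }
        return rebuilt.toString();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** {@link #isClientAutoAuthorized(OAuth20Provider, HttpServletRequest, String)} using the request's {@code client_id} parameter. */
    public boolean isClientAutoAuthorized(OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest) {
        return isClientAutoAuthorized(oAuth20Provider, httpServletRequest, httpServletRequest.getParameter(PARAM_CLIENT_ID));
    }

    /**
     * Decides whether consent is skipped for this client.
     *
     * <p>Requires, in order: a configured auto-authorize parameter name; either the provider's
     * global auto-authorize flag or that request parameter equal to {@code "true"} (case
     * insensitive); and the client id being listed in the provider's auto-authorize clients.
     * The request parameter is under the control of whoever built the request, so the client
     * whitelist is the effective guard.
     */
    boolean isClientAutoAuthorized(OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, String clientId) {
        String autoAuthorizeParam = oAuth20Provider.getAutoAuthorizeParam();
        if (autoAuthorizeParam == null || autoAuthorizeParam.isEmpty()) {
            return false;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Auto authorize param configured, checking if set to true");
        }
        String requestedValue = httpServletRequest.getParameter(autoAuthorizeParam);
        if (!oAuth20Provider.isAutoAuthorize() && !"true".equalsIgnoreCase(requestedValue)) {
            return false;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Auto authorize param is true, loading whitelisted clients");
        }
        String[] autoAuthorizeClients = oAuth20Provider.getAutoAuthorizeClients();
        if (autoAuthorizeClients == null || autoAuthorizeClients.length < 1) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Authauthz param enabled but no whitelisted clients, strange to see an autoauthz request.");
            }
            return false;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Checking if client [" + clientId + "] is whitelisted");
        }
        if (clientId == null) {
            return false;
        }
        for (String whitelisted : autoAuthorizeClients) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Checking against whitelisted client: " + whitelisted);
            }
            if (clientId.equals(whitelisted)) {
                return true;
            }
        }
        return false;
    }

    /**
     * True if the scope is registered for the client. When the reducer reports that the client
     * has no registered scope at all, the result is {@code unregisteredClientAcceptsAll}
     * instead — {@code true} on the authorization path, {@code false} on the two-legged path.
     */
    protected boolean isScopeRegistered(OidcBaseClientScopeReducer reducer, String scope, boolean unregisteredClientAcceptsAll) throws OAuth20Exception {
        if (reducer.isNullEmptyScope()) {
            return unregisteredClientAcceptsAll;
        }
        return reducer.hasClientScope(scope);
    }

    /**
     * True if every non-blank scope is pre-authorized for the client. Returns false for a
     * null/empty scope array, a missing provider or client provider, or a client without any
     * pre-authorized scope.
     *
     * @throws OAuth20InvalidClientException if the client id is unknown to the client provider
     */
    public boolean isPreAuthorizedScope(OAuth20Provider oAuth20Provider, String clientId, String[] scopes) throws OAuth20Exception {
        if (scopes == null || scopes.length == 0) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Null or no scopes provided");
            }
            return false;
        }
        if (oAuth20Provider == null) {
            return false;
        }
        OidcOAuth20ClientProvider clientProvider = oAuth20Provider.getClientProvider();
        if (clientProvider == null) {
            return false;
        }
        OidcBaseClient client = clientProvider.get(clientId);
        if (client == null) {
            throw new OAuth20InvalidClientException(MSG_INVALID_CLIENT, clientId, false);
        }
        String preAuthorizedScope = client.getPreAuthorizedScope();
        if (preAuthorizedScope == null || preAuthorizedScope.isEmpty()) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No pre-authorized scopes found in the client configuration");
            }
            return false;
        }
        OidcBaseClientScopeReducer reducer = new OidcBaseClientScopeReducer(client);
        for (String token : scopes) {
            String scope = token.trim();
            if (scope.length() > 0 && !reducer.hasClientPreAuthorizedScope(scope)) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Scope [" + scope + "] was not a client pre-authorized scope");
                }
                return false;
            }
        }
        return true;
    }

    /** The client's registered response types; empty if the provider, client or registration is missing. */
    public Set<String> getRegisteredClientResponseTypes(OAuth20Provider oAuth20Provider, String clientId) throws OAuth20Exception {
        OidcBaseClient client = getOidcOAuth20Client(oAuth20Provider, clientId);
        return toStringSet(client == null ? null : client.getResponseTypes());
    }

    /**
     * True if {@code requested} equals one of the space-separated tokens of any registered
     * response type entry.
     */
    private static boolean isResponseTypeRegistered(String requested, Set<String> registeredResponseTypes) {
        for (String registered : registeredResponseTypes) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Checking requested response type [" + requested + "] against registered response type: [" + registered + "]");
            }
            for (String token : registered.split(" ")) {
                if (token.equals(requested)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Validates the {@code response_type} parameter against the client's registered response
     * types and returns it unchanged.
     *
     * <p>Each space-separated token of the request is matched individually against the tokens
     * of the registered entries; the combination as a whole is not checked. A client with no
     * registered response types fails for every request (fail-closed).
     *
     * @throws OAuth20MissingParameterException    if response_type is absent or blank
     * @throws OAuth20DuplicateParameterException  if response_type is repeated
     * @throws OAuth20InvalidResponseTypeException if any token is not registered
     */
    public String validateResponseTypeAndReturn(HttpServletRequest httpServletRequest, OAuth20Provider oAuth20Provider, String clientId) throws OAuth20Exception {
        String[] values = httpServletRequest.getParameterValues(PARAM_RESPONSE_TYPE);
        if (values == null) {
            throw new OAuth20MissingParameterException(MSG_MISSING_PARAMETER, PARAM_RESPONSE_TYPE, null);
        }
        String responseType = requireSingleValue(values, PARAM_RESPONSE_TYPE);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Got response type from request: [" + responseType + "]");
        }
        Set<String> registeredResponseTypes = getRegisteredClientResponseTypes(oAuth20Provider, clientId);
        for (String requested : responseType.split(" ")) {
            if (!isResponseTypeRegistered(requested, registeredResponseTypes)) {
                throw new OAuth20InvalidResponseTypeException(MSG_INVALID_RESPONSE_TYPE, responseType);
            }
        }
        return responseType;
    }

    /**
     * Returns the {@code grant_type} parameter, or, when it is absent, the grant type implied
     * by the response type: {@code "authorization_code"} for exactly {@code "code"},
     * {@code "implicit"} when a {@code token} / {@code id_token} token is present, otherwise
     * {@code "unknown"} (also for a null response type).
     *
     * @throws OAuth20DuplicateParameterException if grant_type is repeated (also logged as an error)
     */
    public String getRequestedGrantType(HttpServletRequest httpServletRequest, String responseType) throws OAuth20Exception {
        String[] values = httpServletRequest.getParameterValues(PARAM_GRANT_TYPE);
        if (values != null) {
            if (values.length > 1) {
                Tr.error(tc, "JWT_SERVER_DUPLICATED_PARAMETERS_ERR", PARAM_GRANT_TYPE);
                throw new OAuth20DuplicateParameterException(MSG_DUPLICATE_PARAMETER, PARAM_GRANT_TYPE);
            }
            return values[0];
        }
        if (responseType == null) {
            return GRANT_UNKNOWN;
        }
        if (RESPONSE_TYPE_CODE.equals(responseType)) {
            return GRANT_AUTHORIZATION_CODE;
        }
        if (isValidResponseTypeForImplicitGrantType(responseType, GRANT_IMPLICIT)) {
            return GRANT_IMPLICIT;
        }
        return GRANT_UNKNOWN;
    }

    /**
     * After the consent step, rejects an empty approved-scope list.
     *
     * @return the given result unchanged when scopes remain; otherwise a status-1 result
     *         carrying the {@link OAuth20InvalidScopeException} and the original attribute list
     *         (a fresh list if {@code oAuthResult} is null)
     */
    public OAuthResult checkForEmptyScopeSetAfterConsent(String[] approvedScopes, OAuthResult oAuthResult, HttpServletRequest httpServletRequest, OAuth20Provider oAuth20Provider, String clientId) {
        try {
            checkForEmptyScopeList(approvedScopes, httpServletRequest, getOidcOAuth20Client(oAuth20Provider, clientId), clientId);
            return oAuthResult;
        } catch (OAuth20Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.web.ClientAuthorization", "973", this, new Object[]{approvedScopes, oAuthResult, httpServletRequest, oAuth20Provider, clientId});
            AttributeList attributes = oAuthResult != null ? oAuthResult.getAttributeList() : new AttributeList();
            return new OAuthResultImpl(STATUS_FAILED, attributes, e);
        }
    }

    /**
     * Throws when the scope list is null or empty, reporting both the requested and the
     * registered scopes (each space-split, or null when unavailable) in the exception.
     *
     * @throws OAuth20InvalidScopeException with key {@code security.oauth20.error.empty.scope}
     */
    private void checkForEmptyScopeList(String[] scopes, HttpServletRequest httpServletRequest, OidcBaseClient oidcBaseClient, String clientId) throws OAuth20Exception {
        if (scopes != null && scopes.length > 0) {
            return;
        }
        String requestedScopes = getRequestedScopes(httpServletRequest);
        String[] requested = requestedScopes == null ? null : requestedScopes.split(" ");
        String registeredScopes = getRegisteredScopes(oidcBaseClient);
        String[] registered = registeredScopes == null ? null : registeredScopes.split(" ");
        throw new OAuth20InvalidScopeException("security.oauth20.error.empty.scope", requested, registered, clientId);
    }

    /** {@link #getReducedScopes(OidcOAuth20Client, HttpServletRequest, String, boolean)} with the client looked up from the provider. */
    public String[] getReducedScopes(OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, String clientId, boolean unregisteredClientAcceptsAll) throws OAuth20Exception {
        return getReducedScopes(getOidcOAuth20Client(oAuth20Provider, clientId), httpServletRequest, clientId, unregisteredClientAcceptsAll);
    }
}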
