package com.ibm.ws.security.oauth20.web;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.json.java.JSONArray;
import com.ibm.json.java.JSONObject;
import com.ibm.oauth.core.api.error.OidcServerException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20DuplicateParameterException;
import com.ibm.oauth.core.api.oauth20.token.OAuth20Token;
import com.ibm.oauth.core.internal.oauth20.token.OAuth20TokenHelper;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.claims.UserClaims;
import com.ibm.ws.security.common.claims.UserClaimsRetrieverService;
import com.ibm.ws.security.oauth20.api.Constants;
import com.ibm.ws.security.oauth20.api.OAuth20Provider;
import com.ibm.ws.security.oauth20.internal.AuthnContextImpl;
import com.ibm.ws.security.oauth20.plugins.OidcBaseClient;
import com.ibm.ws.security.oauth20.util.ConfigUtils;
import com.ibm.ws.webcontainer.security.openidconnect.OidcServerConfig;
import com.ibm.wsspi.kernel.service.location.WsLocationConstants;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import com.ibm.wsspi.security.oauth20.TokenIntrospectProvider;
import java.io.IOException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

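/**
 * Servlet-side handler for the OAuth 2.0 token introspection endpoint (RFC 7662).
 *
 * <p>Flow of {@link #introspect}: reject a request without a {@code token} parameter, authenticate the
 * calling client, verify the client is allowed to introspect, and only then reveal anything about the
 * presented token. Every response about the token itself ({@code active} true/false, claims) is sent
 * after client authentication so that an unauthenticated caller cannot use the endpoint as an oracle
 * for which strings are valid tokens in the cache.
 *
 * <p>When one or more {@link TokenIntrospectProvider} services are registered, the introspection
 * body is produced by those providers (see {@link #callTokenIntrospect}); otherwise it is built from
 * the cached token and the user-claims service (see {@link #introspectActive}).
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:lib/com.ibm.ws.security.oauth20_1.1.13.cl160220160718-1411.jar:com/ibm/ws/security/oauth20/web/TokenIntrospect.class */
public class TokenIntrospect {
    /** Resource bundle used for every NLS message emitted by this class. */
    protected static final String MESSAGE_BUNDLE = "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages";
    /** Claim name used for group membership when no OidcServerConfig overrides it. */
    private static final String DEFAULT_GROUP_IDENTIFIER = "groupIds";
    public static final String KEY_TOKEN_INTROSPECT_PROVIDER = "tokenIntrospectProvider";
    /** Kept for binary compatibility with the shipped class; this class is not itself Serializable. */
    static final long serialVersionUID = -3686053681741267790L;
    /** Value returned by {@code OAuth20Token#getType()} for the only token kind this endpoint reports as active. */
    private static final String ACCESS_TOKEN_TYPE = "access_token";
    /** Grant type for which functional-user claims are added to the response. */
    private static final String CLIENT_CREDENTIALS_GRANT = "client_credentials";
    private static TraceComponent tc = Tr.register(TokenIntrospect.class);
    private static TraceComponent tcMsg = Tr.register((Class<?>) TokenIntrospect.class, "OAUTH", MESSAGE_BUNDLE);
    private static ConcurrentServiceReferenceMap<String, TokenIntrospectProvider> tokenIntrospectProviderRef = new ConcurrentServiceReferenceMap<>(KEY_TOKEN_INTROSPECT_PROVIDER);

    /**
     * Replaces the registry of {@link TokenIntrospectProvider} services consulted by this class.
     *
     * @param concurrentServiceReferenceMap the service map to use from now on (shared by all instances)
     */
    public static void setTokenIntrospect(ConcurrentServiceReferenceMap<String, TokenIntrospectProvider> concurrentServiceReferenceMap) {
        tokenIntrospectProviderRef = concurrentServiceReferenceMap;
    }

    /**
     * Handles one introspection request.
     *
     * <p>Order of checks, which is deliberate: (1) a {@code token} parameter must be present,
     * (2) the caller must present client credentials, (3) the client must be configured with
     * {@code introspectTokens}, (4) only then is the token's presence, type and expiry reported.
     * Anything other than a live access token is answered with {@code {"active": false}}.
     *
     * @param oAuth20Provider     provider owning the token cache and client registry
     * @param httpServletRequest  the incoming request; only the {@code token} parameter is read here
     * @param httpServletResponse response to write the JSON body or error to
     * @throws OidcServerException propagated from the active-token path
     * @throws IOException         if writing the response fails
     */
    public void introspect(OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws OidcServerException, IOException {
        String tokenString = httpServletRequest.getParameter("token");
        if (tokenString == null || tokenString.isEmpty()) {
            String formattedMessage = TraceNLS.getFormattedMessage(getClass(), MESSAGE_BUNDLE, "OAUTH_INTROSPECT_NO_TOKEN", new Object[]{httpServletRequest.getRequestURI()}, "CWWKS1405E: The introspect request did not have a token parameter. The request URI was {0}.");
            WebUtils.sendErrorJSON(httpServletResponse, 400, "invalid_request", formattedMessage);
            Tr.error(tc, formattedMessage, new Object[0]);
            return;
        }
        // May be null: the presented string is not a token this server issued (or it was purged).
        OAuth20Token oAuth20Token = oAuth20Provider.getTokenCache().get(tokenString);
        if (oAuth20Token != null && tc.isDebugEnabled()) {
            Tr.debug(tc, "token type: " + oAuth20Token.getType(), new Object[0]);
        }
        try {
            ClientAuthnData clientAuthnData = new ClientAuthnData(httpServletRequest, httpServletResponse);
            if (!clientAuthnData.hasAuthnData()) {
                WebUtils.sendErrorJSON(httpServletResponse, 400, "invalid_client", TraceNLS.getFormattedMessage(getClass(), MESSAGE_BUNDLE, "OAUTH_INVALID_CLIENT", new Object[]{httpServletRequest.getRequestURI()}, "CWWKS1406E: The introspect request had an invalid client credential. The request URI was {0}."));
                // The token is not guaranteed to exist at this point, so it must not be dereferenced for the log.
                Tr.error(tc, "security.oauth20.endpoint.client.auth.error", oAuth20Token == null ? null : oAuth20Token.getClientId());
                return;
            }
            OidcBaseClient oidcBaseClient = oAuth20Provider.getClientProvider().get(clientAuthnData.getUserName());
            // An unknown client id is treated the same as a client without the introspect permission.
            if (oidcBaseClient == null || !oidcBaseClient.isIntrospectTokens()) {
                WebUtils.sendErrorJSON(httpServletResponse, 400, "invalid_client", TraceNLS.getFormattedMessage(getClass(), MESSAGE_BUNDLE, "OAUTH_INTROSPECT_CLIENT_NOT_AUTHORIZED", new Object[]{httpServletRequest.getRequestURI()}, "CWWKS1419E: The client is not authorized to introspect access tokens. The request URI was {0}."));
                Tr.error(tc, TraceNLS.getFormattedMessage(getClass(), MESSAGE_BUNDLE, "OAUTH_INTROSPECT_CLIENT_NOT_AUTHORIZED_SERVER_LOG", new Object[]{clientAuthnData.getUserName(), httpServletRequest.getRequestURI()}, "CWWKS1420E: The client {0} is not authorized to introspect access tokens. The request URI was {1}."), new Object[0]);
                return;
            }
            // From here on the caller is an authenticated, authorized client; token details may be disclosed.
            if (oAuth20Token != null && !ACCESS_TOKEN_TYPE.equals(oAuth20Token.getType())) {
                // Refresh tokens, authorization codes, etc. are never reported as active.
                sendInactive(httpServletResponse);
            } else if (oAuth20Token == null || OAuth20TokenHelper.isTokenExpired(oAuth20Token)) {
                Tr.error(tcMsg, "OAUTH_SERVER_INVALID_ACCESS_TOKEN", new Object[0]);
                sendInactive(httpServletResponse);
            } else if (tokenIntrospectProviderRef.isEmpty()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "tokenIntrospectProviderRef.isEmpty", new Object[0]);
                }
                introspectActive(oAuth20Provider, httpServletRequest, httpServletResponse, oAuth20Token, oidcBaseClient);
            } else {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "tokenIntrospectProviderRef is not Empty", new Object[0]);
                }
                callTokenIntrospect(httpServletRequest, httpServletResponse, oAuth20Token);
            }
        } catch (OAuth20DuplicateParameterException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.web.TokenIntrospect", "110", this, new Object[]{oAuth20Provider, httpServletRequest, httpServletResponse});
            WebUtils.sendErrorJSON(httpServletResponse, 400, "invalid_request", e.getMessage());
            Tr.error(tc, e.getMessage(), new Object[0]);
        }
    }

    /**
     * Writes the RFC 7662 "not active" answer: HTTP 200 with body {@code {"active": false}}.
     *
     * @param httpServletResponse response to write to
     * @throws IOException if writing fails
     */
    private static void sendInactive(HttpServletResponse httpServletResponse) throws IOException {
        JSONObject body = new JSONObject();
        body.put("active", false);
        WebUtils.setJSONResponse(httpServletResponse, 200, body);
    }

    /**
     * Builds the introspection response from the registered {@link TokenIntrospectProvider} services.
     *
     * <p>Every registered provider is consulted in iteration order and the result of the <em>last</em>
     * one is what gets sent, even if an earlier provider produced a body and the last one did not; an
     * info message is logged whenever more than one provider is registered. If the final result is
     * {@code null} the request fails with HTTP 500.
     *
     * @param httpServletRequest  request passed through to the providers
     * @param httpServletResponse response to write the provider's JSON to
     * @param oAuth20Token        the live access token being introspected (never null here)
     * @throws IOException if writing the response fails
     */
    void callTokenIntrospect(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth20Token oAuth20Token) throws IOException {
        int providerCount = tokenIntrospectProviderRef.size();
        TokenIntrospectProvider lastProvider = null;
        JSONObject result = null;
        for (Iterator<TokenIntrospectProvider> it = tokenIntrospectProviderRef.getServices(); it.hasNext();) {
            lastProvider = it.next();
            result = getJsonObjectFromTokenIntrospectProvider(oAuth20Token, lastProvider, httpServletRequest, httpServletResponse);
            if (result != null && providerCount > 1) {
                Tr.info(tcMsg, "OAUTH_SERVER_MULTIPLE_TOKEN_INTROSPECT_PROVIDER_CONFIGURED", new Object[0]);
            }
        }
        if (result != null) {
            WebUtils.setJSONResponse(httpServletResponse, 200, result);
        } else {
            httpServletResponse.sendError(500);
            // The service iterator can be empty even though the map was non-empty when the caller checked it.
            String providerName = lastProvider == null ? null : lastProvider.getClass().getName();
            Tr.error(tcMsg, "OAUTH_SERVER_TOKEN_INTROSPECT_PROVIDER_INTERNAL_ERROR", oAuth20Token.getUsername(), providerName);
        }
    }

    /**
     * Asks one provider for the introspection body and parses it as a JSON object.
     *
     * <p>The provider's string is parsed and later returned to the client verbatim, so providers are
     * trusted to emit a well-formed, appropriately filtered introspection document.
     *
     * @return the parsed object, or {@code null} if the provider returned nothing or unparseable text
     */
    private JSONObject getJsonObjectFromTokenIntrospectProvider(OAuth20Token oAuth20Token, TokenIntrospectProvider tokenIntrospectProvider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        AuthnContextImpl context = new AuthnContextImpl(httpServletRequest, httpServletResponse, oAuth20Token.getTokenString(), oAuth20Token.getScope(), oAuth20Token.getCreatedAt(), oAuth20Token.getLifetimeSeconds(), oAuth20Token.getUsername(), oAuth20Token.getExtensionProperties());
        String userInfo = tokenIntrospectProvider.getUserInfo(context);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "getUserInfo:'" + userInfo + "'", new Object[0]);
        }
        if (userInfo == null) {
            return null;
        }
        try {
            return JSONObject.parse(userInfo);
        } catch (IOException e) {
            // Malformed provider output is recorded via FFDC and treated as "no result".
            FFDCFilter.processException(e, "com.ibm.ws.security.oauth20.web.TokenIntrospect", "245", this, new Object[]{oAuth20Token, tokenIntrospectProvider, httpServletRequest, httpServletResponse});
            return null;
        }
    }

    /**
     * Writes the introspection response for a live access token when no provider service is registered.
     *
     * <p>Emits the standard RFC 7662 members ({@code active}, {@code sub}, {@code client_id},
     * {@code scope}, {@code iat}, {@code exp}, {@code token_type}, {@code iss}), merges in any user
     * claims from the claims-retriever service, and for {@code client_credentials} tokens adds the
     * client's functional user id and group ids.
     *
     * @param oAuth20Provider     provider used to look up user claims and the token's client
     * @param httpServletRequest  used only to compute the {@code iss} value
     * @param httpServletResponse response to write to
     * @param oAuth20Token        a non-null, unexpired access token
     * @param oidcBaseClient      the authenticated calling client (currently unused; kept for API compatibility)
     * @throws OidcServerException declared for API compatibility
     * @throws IOException         if writing the response or parsing group ids fails
     */
    public void introspectActive(OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth20Token oAuth20Token, OidcBaseClient oidcBaseClient) throws OidcServerException, IOException {
        JSONObject body = new JSONObject();
        body.put("active", true);
        body.put("sub", oAuth20Token.getUsername());
        body.put("client_id", oAuth20Token.getClientId());
        body.put("scope", getScopes(oAuth20Token));
        // Token timestamps are kept in milliseconds; the claims are in seconds since the epoch.
        long issuedAtSeconds = oAuth20Token.getCreatedAt() / 1000;
        body.put("iat", Long.valueOf(issuedAtSeconds));
        body.put("exp", Long.valueOf(issuedAtSeconds + oAuth20Token.getLifetimeSeconds()));
        body.put("token_type", "Bearer");
        body.put("iss", getCalculatedIssuerId(httpServletRequest));
        Map<String, Object> userClaims = getUserClaims(oAuth20Provider, body, oAuth20Token, false);
        if (userClaims != null) {
            body.putAll(userClaims);
        }
        String grantType = oAuth20Token.getGrantType();
        if (grantType != null && !grantType.isEmpty()) {
            body.put("grant_type", grantType);
            if (grantType.equals(CLIENT_CREDENTIALS_GRANT)) {
                addFunctionalUserClaims(oAuth20Provider, oAuth20Token, body);
            }
        }
        WebUtils.setJSONResponse(httpServletResponse, 200, body);
    }

    /**
     * Adds the functional user id and group ids of the token's client (client_credentials grant only).
     *
     * @param oAuth20Provider provider used to look up the token's client
     * @param oAuth20Token    token whose client id is looked up
     * @param body            response object to add the claims to
     * @throws IOException if the configured group ids cannot be parsed as a JSON array
     */
    private static void addFunctionalUserClaims(OAuth20Provider oAuth20Provider, OAuth20Token oAuth20Token, JSONObject body) throws IOException {
        OidcBaseClient tokenClient = oAuth20Provider.getClientProvider().get(oAuth20Token.getClientId());
        // The client that obtained the token may have been removed since; nothing to add then.
        if (tokenClient == null || tokenClient.getFunctionalUserId() == null) {
            return;
        }
        body.put(Constants.INTROSPECT_CLAIM_FUNCTIONAL_USERID, tokenClient.getFunctionalUserId());
        if (tokenClient.getFunctionalUserGroupIds() == null || tokenClient.getFunctionalUserGroupIds().isJsonNull() || tokenClient.getFunctionalUserGroupIds().size() <= 0) {
            return;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "client.getFunctionalUserGroupIds(): " + tokenClient.getFunctionalUserGroupIds(), new Object[0]);
        }
        // Group ids are held in a different JSON model; round-trip through text to get a JSONArray.
        JSONArray groupIds = JSONArray.parse(tokenClient.getFunctionalUserGroupIds().toString());
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "groupIds: " + groupIds, new Object[0]);
        }
        body.put("functional_user_groupIds", groupIds);
    }

    /**
     * Derives the {@code iss} value from the request: scheme, server name, local port and the request
     * URI cut at its last {@link WsLocationConstants#LOC_VIRTUAL_ROOT}.
     *
     * <p>Scheme and server name are taken from the request as received (i.e. from the Host header and
     * connector), and the port is the local listener port, so behind a reverse proxy the value may not
     * match the externally visible issuer. This mirrors the shipped behaviour and is not changed here.
     *
     * @param httpServletRequest request to derive the issuer from
     * @return the computed issuer URL
     */
    private String getCalculatedIssuerId(HttpServletRequest httpServletRequest) {
        String serverName = httpServletRequest.getServerName();
        String scheme = httpServletRequest.getScheme();
        int localPort = httpServletRequest.getLocalPort();
        String requestURI = httpServletRequest.getRequestURI();
        int cutAt = requestURI.lastIndexOf(WsLocationConstants.LOC_VIRTUAL_ROOT);
        // Guard against a URI without the virtual root; substring(0, -1) would otherwise throw.
        String basePath = cutAt >= 0 ? requestURI.substring(0, cutAt) : requestURI;
        return scheme + "://" + serverName + ":" + localPort + basePath;
    }

    /**
     * Joins the token's scopes with single spaces, as required for the {@code scope} member.
     *
     * @param oAuth20Token token whose scopes are read; a null scope array yields {@code ""}
     * @return the space-separated scope string with surrounding whitespace removed
     */
    private String getScopes(OAuth20Token oAuth20Token) {
        String[] scope = oAuth20Token.getScope();
        if (scope == null) {
            return "";
        }
        return String.join(" ", scope).trim();
    }

    /**
     * Looks up the token owner's claims and converts them to a map suitable for a JSON body.
     *
     * @param oAuth20Provider provider whose OIDC configuration supplies the group identifier
     * @param jSONObject      response under construction (passed through, not read here)
     * @param oAuth20Token    token whose username is used for the lookup
     * @param z               when true, only the group claim is returned; otherwise all claims
     * @return the claims map, or {@code null} if no claims-retriever service is available
     * @throws IOException declared for API compatibility
     */
    protected static Map<String, Object> getUserClaims(OAuth20Provider oAuth20Provider, JSONObject jSONObject, OAuth20Token oAuth20Token, boolean z) throws IOException {
        return getUserClaimsMap(getUserClaimsObj(oAuth20Provider, jSONObject, oAuth20Token), z);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Converts {@link UserClaims} to a map, replacing the group entry with a {@link JSONArray}.
     *
     * @param userClaims claims to convert; {@code null} yields {@code null}
     * @param z          when true a fresh map holding only the group entry is returned; when false the
     *                   claims' own map is returned (and mutated in place)
     * @return the resulting map, or {@code null} when {@code userClaims} is null
     * @throws IOException declared for API compatibility
     */
    public static Map<String, Object> getUserClaimsMap(UserClaims userClaims, boolean z) throws IOException {
        if (userClaims == null) {
            return null;
        }
        String groupIdentifier = userClaims.getGroupIdentifier();
        Map<String, Object> allClaims = userClaims.asMap();
        Map<String, Object> result = z ? new HashMap<>() : allClaims;
        if (allClaims.get(groupIdentifier) != null) {
            JSONArray groups = new JSONArray();
            groups.addAll(userClaims.getGroups());
            result.put(groupIdentifier, groups);
        }
        return result;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Fetches the claims of the token's user from the configured claims-retriever service.
     *
     * @param oAuth20Provider provider whose OIDC configuration supplies the group identifier
     * @param jSONObject      response under construction (passed through, not read here)
     * @param oAuth20Token    token whose username is looked up
     * @return the user's claims, or {@code null} when no retriever service is registered
     * @throws IOException declared for API compatibility
     */
    public static UserClaims getUserClaimsObj(OAuth20Provider oAuth20Provider, JSONObject jSONObject, OAuth20Token oAuth20Token) throws IOException {
        UserClaimsRetrieverService retriever = ConfigUtils.getUserClaimsRetrieverService();
        if (retriever == null) {
            return null;
        }
        return retriever.getUserClaims(oAuth20Token.getUsername(), getGroupIdentifier(oAuth20Provider));
    }

    /**
     * Returns the group claim name configured on the provider's OidcServerConfig, or
     * {@link #DEFAULT_GROUP_IDENTIFIER} when the provider has no OIDC configuration.
     *
     * @param oAuth20Provider provider whose id is used to find the OIDC configuration
     * @return the group identifier to use
     */
    private static String getGroupIdentifier(OAuth20Provider oAuth20Provider) {
        OidcServerConfig oidcServerConfig = ConfigUtils.getOidcServerConfigForOAuth20Provider(oAuth20Provider.getID());
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "OidcServerConfig: " + oidcServerConfig, new Object[0]);
        }
        return oidcServerConfig != null ? oidcServerConfig.getGroupIdentifier() : DEFAULT_GROUP_IDENTIFIER;
    }
}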
