package com.ibm.ws.security.jwt.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.jwk.impl.JWKSet;
import com.ibm.ws.security.jwt.config.ConsumerUtils;
import com.ibm.ws.security.jwt.config.JwtConfigUtil;
import com.ibm.ws.security.jwt.config.JwtConsumerConfig;
import com.ibm.ws.security.jwt.utils.JwtUtils;
import com.ibm.ws.ssl.KeyStoreService;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.ssl.SSLSupport;
import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.PrivilegedExceptionAction;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;

/**
 * Declarative-services component that holds the settings of one
 * {@code com.ibm.ws.security.jwt.consumer} configuration instance and exposes
 * them through {@link JwtConsumerConfig}.
 *
 * <p>Lifecycle: {@link #activate} and {@link #modify} both funnel into
 * {@link #process}, which copies the configuration map into the fields; every
 * (re)processing also discards the cached {@link JWKSet} and builds a fresh
 * {@link ConsumerUtils}. {@link #deactivate} releases the keystore reference and
 * clears the {@link ConsumerUtils}, so {@link #getConsumerUtils()} returns
 * {@code null} once the component is gone.
 *
 * <p>Security notes (what this class fixes, as opposed to what is configurable):
 * <ul>
 *   <li>{@link #ignoreAudClaimIfNotConfigured()} is always {@code false},
 *       {@link #isHostNameVerificationEnabled()} is always {@code true} and
 *       {@link #getTokenReuse()} is always {@code false}; how the consumer side
 *       acts on these is implemented elsewhere (ConsumerUtils / JwtUtils).</li>
 *   <li>The shared HMAC key is read via
 *       {@link JwtConfigUtil#processProtectedString} and marked {@code @Sensitive}
 *       so RAS tracing does not print it.</li>
 *   <li>The JWE decryption key is a private key looked up by alias, in the
 *       keystore named by the {@code sslRef} (or the server default when none).</li>
 * </ul>
 *
 * <p>Thread-safety: fields are plain (non-volatile) and the JWKSet is created
 * lazily without synchronization. NOTE(review): a config {@code modify} and
 * concurrent {@link #getJwkSet()} callers can therefore observe a transient
 * {@code null}/duplicate set — confirm with the callers whether that is tolerated.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(service = {JwtConsumerConfig.class}, immediate = true, configurationPolicy = ConfigurationPolicy.REQUIRE, configurationPid = {"com.ibm.ws.security.jwt.consumer"}, name = "jwtConsumerConfig", property = {"service.vendor=IBM"})
@TraceOptions
public class JwtConsumerConfigImpl implements JwtConsumerConfig {

    /** Trace component; the field name must stay "tc" to match @TraceObjectField above. */
    private static final TraceComponent tc = Tr.register(JwtConsumerConfigImpl.class, "JWTBUILDER", "com.ibm.ws.security.jwt.internal.resources.JWTMessages");

    /** Name of the DS reference to the keystore service. */
    public static final String KEY_KEYSTORE_SERVICE = "keyStoreService";

    /** Present in the compiled class; this class itself does not declare Serializable. */
    static final long serialVersionUID = -5975214654065314075L;

    // ---- values copied from the configuration map in process() ----
    private String id;
    private String issuer = null;

    /** HMAC shared secret; @Sensitive keeps it out of trace output. */
    @Sensitive
    private String sharedKey;

    private List<String> audiences;
    private String sigAlg;
    private String trustStoreRef;
    private String trustedAlias;
    private long clockSkewMilliSeconds;
    private boolean validationRequired = true;
    private boolean jwkEnabled;
    private String jwkEndpointUrl;
    String sslRef;
    private boolean useSystemPropertiesForHttpClientConnections = false;
    private List<String> amrClaim;
    private String keyManagementKeyAlias;

    // ---- derived / runtime state ----
    private ConsumerUtils consumerUtil = null;
    private JWKSet jwkSet = null;
    private final AtomicServiceReference<KeyStoreService> keyStoreServiceRef = new AtomicServiceReference<>(KEY_KEYSTORE_SERVICE);

    /** DS binds the (optional, dynamic, greedy) keystore service here. */
    @Reference(service = KeyStoreService.class, name = "keyStoreService", policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.OPTIONAL, policyOption = ReferencePolicyOption.GREEDY)
    protected void setKeyStoreService(ServiceReference<KeyStoreService> ref) {
        keyStoreServiceRef.setReference(ref);
    }

    /** DS unbinds the keystore service here. */
    protected void unsetKeyStoreService(ServiceReference<KeyStoreService> ref) {
        keyStoreServiceRef.unsetReference(ref);
    }

    /**
     * Component activation: wires the keystore reference to the component
     * context and loads the initial configuration.
     *
     * @param properties the configuration properties supplied by DS
     * @param context    the component context
     */
    @Activate
    protected void activate(Map<String, Object> properties, ComponentContext context) {
        keyStoreServiceRef.activate(context);
        process(properties);
    }

    /**
     * Configuration update: reloads every field from the new map.
     *
     * @param properties the updated configuration properties
     */
    @Modified
    protected void modify(Map<String, Object> properties) {
        process(properties);
    }

    /**
     * Component deactivation: releases the keystore reference and drops the
     * ConsumerUtils instance (getConsumerUtils() returns null afterwards).
     *
     * @param reason  the DS deactivation reason code
     * @param context the component context
     */
    @Deactivate
    protected void deactivate(int reason, ComponentContext context) {
        keyStoreServiceRef.deactivate(context);
        consumerUtil = null;
    }

    /**
     * Copies the configuration map into the fields. A null or empty map is
     * ignored and leaves the current values untouched.
     *
     * <p>The boolean and long entries are unboxed without a null check, so a map
     * missing one of them fails with a NullPointerException part-way through;
     * presumably the metatype defaults guarantee their presence — TODO confirm.
     * The cached JWKSet is always discarded and ConsumerUtils rebuilt, so keys
     * fetched under an old configuration are not reused under the new one.
     *
     * @param config the configuration properties
     */
    private void process(Map<String, Object> config) {
        if (config == null || config.isEmpty()) {
            return;
        }
        // id first: getSignatureAlgorithm() below is given the id for its diagnostics.
        id = stringValue(config, "id");
        issuer = stringValue(config, JwtUtils.CFG_KEY_ISSUER);
        sharedKey = JwtConfigUtil.processProtectedString(config, JwtUtils.CFG_KEY_SHARED_KEY);
        audiences = listValue(config, JwtUtils.CFG_KEY_AUDIENCES);
        sigAlg = JwtConfigUtil.getSignatureAlgorithm(getId(), config, JwtUtils.CFG_KEY_SIGNATURE_ALGORITHM);
        trustStoreRef = stringValue(config, JwtUtils.CFG_KEY_TRUSTSTORE_REF);
        trustedAlias = stringValue(config, JwtUtils.CFG_KEY_TRUSTED_ALIAS);
        clockSkewMilliSeconds = longValue(config, JwtUtils.CFG_KEY_CLOCK_SKEW);
        validationRequired = booleanValue(config, JwtUtils.CFG_KEY_VALIDATION_REQUIRED);
        jwkEnabled = booleanValue(config, JwtUtils.CFG_KEY_JWK_ENABLED);
        jwkEndpointUrl = stringValue(config, JwtUtils.CFG_KEY_JWK_ENDPOINT_URL);
        sslRef = stringValue(config, JwtUtils.CFG_KEY_SSL_REF);
        useSystemPropertiesForHttpClientConnections = booleanValue(config, JwtUtils.CFG_KEY_USE_SYSPROPS_FOR_HTTPCLIENT_CONNECTONS);
        amrClaim = listValue(config, JwtUtils.CFG_AMR_CLAIM);
        keyManagementKeyAlias = stringValue(config, JwtUtils.CFG_KEY_KEY_MANAGEMENT_KEY_ALIAS);

        consumerUtil = new ConsumerUtils(keyStoreServiceRef);
        jwkSet = null;
    }

    /** Reads a String entry and trims it via JwtUtils (null-tolerant as far as trimIt is). */
    private static String stringValue(Map<String, Object> config, String key) {
        return JwtUtils.trimIt((String) config.get(key));
    }

    /** Reads a String[] entry and turns it into a trimmed list via JwtUtils. */
    private static List<String> listValue(Map<String, Object> config, String key) {
        return JwtUtils.trimIt((String[]) config.get(key));
    }

    /** Reads a Boolean entry; throws NullPointerException when absent. */
    private static boolean booleanValue(Map<String, Object> config, String key) {
        return ((Boolean) config.get(key)).booleanValue();
    }

    /** Reads a Long entry; throws NullPointerException when absent. */
    private static long longValue(Map<String, Object> config, String key) {
        return ((Long) config.get(key)).longValue();
    }

    /** @return the configuration element id */
    @Override
    public String getId() {
        return id;
    }

    /** @return the expected issuer, or null when not configured */
    @Override
    public String getIssuer() {
        return issuer;
    }

    /** @return the shared HMAC secret (sensitive; never log it) */
    @Override
    @Sensitive
    public String getSharedKey() {
        return sharedKey;
    }

    /** @return the configured audiences (whatever JwtUtils.trimIt produced; may be null) */
    @Override
    public List<String> getAudiences() {
        return audiences;
    }

    /** Fixed policy: the aud claim is not ignored just because no audiences are configured. */
    @Override
    public boolean ignoreAudClaimIfNotConfigured() {
        return false;
    }

    /** @return the signature algorithm resolved by JwtConfigUtil.getSignatureAlgorithm */
    @Override
    public String getSignatureAlgorithm() {
        return sigAlg;
    }

    /** @return the truststore reference, or null */
    @Override
    public String getTrustStoreRef() {
        return trustStoreRef;
    }

    /**
     * Resolves the keystore name behind the configured {@code sslRef}.
     *
     * @return the {@code com.ibm.ssl.keyStoreName} property of the referenced SSL
     *         configuration; null when no sslRef is set (server-wide keystore is
     *         used), when SSL support is unavailable, or when the properties
     *         could not be read
     */
    @Override
    public String getKeyStoreRef() {
        String ref = getSslRef();
        if (ref == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "sslRef not configured, so will use server-wide keystore");
            }
            return null;
        }
        Properties sslProps = getSslConfigProperties(ref);
        return sslProps == null ? null : sslProps.getProperty("com.ibm.ssl.keyStoreName");
    }

    /**
     * Fetches the SSL properties of an {@code sslRef} through JSSEHelper under a
     * privileged action.
     *
     * <p>Best-effort by design: any exception is reported only in debug trace
     * (FFDC suppressed) and null is returned, which makes getKeyStoreRef() fall
     * back to "no keystore name".
     *
     * @param sslRefId the SSL configuration id
     * @return the properties, or null when unavailable
     */
    @FFDCIgnore({Exception.class})
    Properties getSslConfigProperties(final String sslRefId) {
        final SSLSupport sslSupport = JwtUtils.getSSLSupportService();
        if (sslSupport == null) {
            return null;
        }
        PrivilegedExceptionAction<Properties> lookup = new PrivilegedExceptionAction<Properties>() {
            @Override
            public Properties run() throws Exception {
                return sslSupport.getJSSEHelper().getProperties(sslRefId);
            }
        };
        try {
            return AccessController.doPrivileged(lookup);
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Caught exception getting SSL properties: " + e);
            }
            return null;
        }
    }

    /** @return the alias of the trusted certificate, or null */
    @Override
    public String getTrustedAlias() {
        return trustedAlias;
    }

    /** @return the allowed clock skew in milliseconds */
    @Override
    public long getClockSkew() {
        return clockSkewMilliSeconds;
    }

    /** @return whether JWK retrieval is enabled */
    @Override
    public boolean getJwkEnabled() {
        return jwkEnabled;
    }

    /** @return the JWK endpoint URL, or null */
    @Override
    public String getJwkEndpointUrl() {
        return jwkEndpointUrl;
    }

    /** @return the ConsumerUtils built by the last process() call; null after deactivate() */
    @Override
    public ConsumerUtils getConsumerUtils() {
        return consumerUtil;
    }

    /** @return whether token validation is required (defaults to true until configured) */
    @Override
    public boolean isValidationRequired() {
        return validationRequired;
    }

    /** @return the SSL configuration reference, or null */
    @Override
    public String getSslRef() {
        return sslRef;
    }

    /** Fixed policy: hostname verification cannot be disabled through this configuration. */
    @Override
    public boolean isHostNameVerificationEnabled() {
        return true;
    }

    /**
     * Lazily creates the JWKSet; process() resets it to null on every
     * configuration (re)load. Unsynchronized check-then-act, see class comment.
     *
     * @return the current JWKSet, never null
     */
    @Override
    public JWKSet getJwkSet() {
        JWKSet current = jwkSet;
        if (current == null) {
            current = new JWKSet();
            jwkSet = current;
        }
        return current;
    }

    /** Fixed policy: token reuse is not permitted. */
    @Override
    public boolean getTokenReuse() {
        return false;
    }

    /** @return whether HTTP client connections honour the JVM system properties */
    @Override
    public boolean getUseSystemPropertiesForHttpClientConnections() {
        return useSystemPropertiesForHttpClientConnections;
    }

    /** @return the required amr claim values (as produced by JwtUtils.trimIt) */
    @Override
    public List<String> getAMRClaim() {
        return amrClaim;
    }

    /** @return the alias of the key-management (JWE) private key, or null */
    @Override
    public String getKeyManagementKeyAlias() {
        return keyManagementKeyAlias;
    }

    /**
     * Looks up the private key used to decrypt JWE tokens.
     *
     * @return the private key for the configured alias, taken from the keystore
     *         named by getKeyStoreRef() (null keystore ref → whatever
     *         JwtUtils.getPrivateKey treats as the default); null when no
     *         alias is configured
     * @throws GeneralSecurityException if JwtUtils.getPrivateKey fails
     */
    @Override
    public Key getJweDecryptionKey() throws GeneralSecurityException {
        String alias = getKeyManagementKeyAlias();
        return alias == null ? null : JwtUtils.getPrivateKey(alias, getKeyStoreRef());
    }
}
