package com.ibm.ws.security.oauth20.web;

import com.ibm.ejs.ras.TraceNLS;
import com.ibm.oauth.core.api.error.OidcServerException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20DuplicateParameterException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20MissingParameterException;
import com.ibm.oauth.core.api.oauth20.token.OAuth20Token;
import com.ibm.oauth.core.internal.oauth20.OAuth20Constants;
import com.ibm.oauth.core.util.RateLimiter;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.security.UserRegistry;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.oauth20.api.OAuth20EnhancedTokenCache;
import com.ibm.ws.security.oauth20.api.OAuth20Provider;
import com.ibm.ws.security.oauth20.api.OidcOAuth20ClientProvider;
import com.ibm.ws.security.oauth20.plugins.OidcBaseClient;
import com.ibm.ws.security.oauth20.web.OAuth20Request;
import com.ibm.wsspi.security.registry.RegistryHelper;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

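/**
 * Authenticates the client that calls an OAuth 2.0 endpoint and, for the
 * {@code password} grant type, the resource owner whose credentials travel in the
 * same request.
 *
 * <p>Client credentials are read through {@link ClientAuthnData} (HTTP Basic or
 * request parameters) and checked against the provider's
 * {@link OidcOAuth20ClientProvider}. Resource-owner credentials are checked either
 * against the user registry or, when the provider requires it, against an
 * application password that must resolve to a token in the provider's token cache.
 * Every failure path writes an OAuth error response through
 * {@link WebUtils#sendErrorJSON} and logs it through {@link Tr}; callers only see a
 * {@code false} result.
 *
 * <p>The class keeps no per-request state. {@link #appPasswordMisConfigEvaluated} is
 * a process-wide flag so that the application-password misconfiguration warning is
 * evaluated once; it is not synchronised, so a concurrent first request may emit the
 * warning twice (harmless).
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class ClientAuthentication {
    /** Bundle holding the {@code CWWKS}-prefixed (OAuth web layer) messages. */
    private static final String MESSAGE_BUNDLE = "com.ibm.ws.security.oauth20.internal.resources.OAuthMessages";
    /** Bundle holding the {@code CWOAU}-prefixed (provider) messages. */
    private static final String PROVIDER_BUNDLE = "com.ibm.ws.security.oauth20.resources.ProviderMsgs";
    /** FFDC source id used by the injected {@link FFDCFilter} probes. */
    private static final String FFDC_SOURCE = "com.ibm.ws.security.oauth20.web.ClientAuthentication";
    /** OAuth error codes written into the JSON error body. */
    private static final String ERROR_INVALID_CLIENT = "invalid_client";
    private static final String ERROR_INVALID_REQUEST = "invalid_request";
    /** Message key shared by the "missing parameter" errors. */
    private static final String MISSING_PARAMETER_KEY = "security.oauth20.error.missing.parameter";
    /** Grant type whose tokens may be exchanged as application passwords. */
    private static final String APP_PASSWORD_GRANT = "app_password";

    /**
     * Set once the first {@code password} grant request has been checked for an
     * application-password misconfiguration; the warning is only emitted once.
     */
    static boolean appPasswordMisConfigEvaluated = false;
    static final long serialVersionUID = 8428890518344195308L;
    private static TraceComponent tc = Tr.register(ClientAuthentication.class, "OAuth20Provider", PROVIDER_BUNDLE);

    /**
     * Endpoints for which a failed client authentication is answered with the
     * {@code CWWKS1406E} message (status 400/401 chosen by authentication scheme).
     * Any other endpoint type gets a plain {@code invalid_client} 401.
     */
    private static final List<OAuth20Request.EndpointType> endpointTypeForInvalidClientList = Arrays.asList(
            OAuth20Request.EndpointType.authorize,
            OAuth20Request.EndpointType.token,
            OAuth20Request.EndpointType.introspect,
            OAuth20Request.EndpointType.revoke,
            OAuth20Request.EndpointType.app_password,
            OAuth20Request.EndpointType.app_token);

    /**
     * Signals that client authentication failed and that the error response has
     * already been written and logged; the catcher only needs to return {@code false}.
     */
    public static class ClientAuthenticationDataException extends Exception {
        static final long serialVersionUID = 8136921912117992841L;

        private ClientAuthenticationDataException() {
        }
    }

    /**
     * Authenticates the client of an endpoint request and, for the {@code password}
     * grant, the resource owner.
     *
     * <p>On success the request attribute {@code authenticatedClient} is set to the
     * client id. On any failure an error response has been written to
     * {@code httpServletResponse} before {@code false} is returned.
     *
     * @param oAuth20Provider     provider whose client provider, token cache and
     *                            settings are consulted
     * @param httpServletRequest  the endpoint request carrying the credentials
     * @param httpServletResponse response that receives the JSON error on failure
     * @param endpointType        endpoint being called; selects the error format
     * @return {@code true} when the client (and, where required, the resource owner)
     *         is authenticated
     * @throws OidcServerException from the client provider, or when resource-owner
     *                             validation hits an unexpected error
     */
    @FFDCIgnore({ClientAuthenticationDataException.class})
    public boolean verify(OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth20Request.EndpointType endpointType) throws IOException, ServletException, OidcServerException {
        ClientAuthnData clientAuthnData;
        try {
            clientAuthnData = new ClientAuthnData(httpServletRequest, httpServletResponse);
        } catch (OAuth20DuplicateParameterException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "76", this, new Object[]{oAuth20Provider, httpServletRequest, httpServletResponse, endpointType});
            handleDuplicateParameterException(e, httpServletResponse);
            return false;
        }
        // The remaining steps stay under one catch: the original code handled a
        // duplicate-parameter error raised anywhere below with the same response.
        try {
            String grantType = checkForRepeatedOrEmptyParameter(httpServletRequest, "grant_type");
            String authScheme = getAuthenticationScheme(httpServletRequest);
            try {
                if (!isClientAuthenticationDataValid(oAuth20Provider, httpServletRequest, httpServletResponse, endpointType, clientAuthnData, grantType, authScheme)) {
                    sendErrorAndLogMessageForInvalidClient(httpServletRequest, httpServletResponse, endpointType, clientAuthnData, authScheme);
                    return false;
                }
            } catch (ClientAuthenticationDataException alreadyReported) {
                // The error response was written where the exception was raised.
                return false;
            }
            httpServletRequest.setAttribute("authenticatedClient", clientAuthnData.getUserName());
            if ("password".equals(grantType) && !oAuth20Provider.isSkipUserValidation()) {
                return isResourceOwnerCredentialValid(oAuth20Provider, httpServletRequest, httpServletResponse, endpointType, clientAuthnData, authScheme);
            }
            return true;
        } catch (OAuth20DuplicateParameterException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "84", this, new Object[]{oAuth20Provider, httpServletRequest, httpServletResponse, endpointType});
            handleDuplicateParameterException(e, httpServletResponse);
            return false;
        }
    }

    /**
     * Decides how the presented client authentication data is checked.
     *
     * <ul>
     *   <li>credentials present: validate them against the client provider;</li>
     *   <li>no credentials but a Basic scheme announced: report invalid client;</li>
     *   <li>nothing at all: write a {@code CWWKS1406E}/{@code invalid_request} error
     *       naming the missing {@code client_id} and abort.</li>
     * </ul>
     *
     * @return whether the client authenticated
     * @throws ClientAuthenticationDataException when the error response has already
     *                                           been written
     */
    private boolean isClientAuthenticationDataValid(OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth20Request.EndpointType endpointType, ClientAuthnData clientAuthnData, String grantType, String authScheme) throws OidcServerException, ClientAuthenticationDataException {
        if (clientAuthnData.hasAuthnData()) {
            return isProvidedClientAuthenticationDataValid(oAuth20Provider, httpServletResponse, endpointType, clientAuthnData, grantType, authScheme);
        }
        if (clientAuthnData.isBasicAuth()) {
            // Scheme announced but nothing usable in it; the caller reports invalid_client.
            return false;
        }
        String requestURI = httpServletRequest.getRequestURI();
        sendErrorAndLogMessage(httpServletResponse, 400, ERROR_INVALID_REQUEST, null, MESSAGE_BUNDLE, "OAUTH_INVALID_CLIENT",
                invalidClientMessage(endpointType, requestURI), invalidClientMessageArgs(endpointType, requestURI),
                MISSING_PARAMETER_KEY, new Object[]{"client_id"});
        throw new ClientAuthenticationDataException();
    }

    /**
     * Validates presented client credentials against the provider's client provider.
     *
     * <p>Public clients (provider-wide setting or per-client flag) go through
     * {@link #isValidPublicClient}; confidential clients must present a valid secret.
     * A client that authenticates but is disabled is rejected. A failed credential
     * check calls {@link RateLimiter#limit()} (presumably to slow down repeated
     * guesses — confirm against its implementation).
     *
     * @throws ClientAuthenticationDataException when no client provider is configured
     *                                           (error already written) or a public
     *                                           client uses a grant that needs a
     *                                           confidential client
     */
    private boolean isProvidedClientAuthenticationDataValid(OAuth20Provider oAuth20Provider, HttpServletResponse httpServletResponse, OAuth20Request.EndpointType endpointType, ClientAuthnData clientAuthnData, String grantType, String authScheme) throws ClientAuthenticationDataException, OidcServerException {
        OidcOAuth20ClientProvider clientProvider = oAuth20Provider.getClientProvider();
        if (clientProvider == null) {
            sendErrorAndLogMessage(httpServletResponse, statusForScheme(authScheme), ERROR_INVALID_CLIENT, authScheme, PROVIDER_BUNDLE,
                    "security.oauth20.error.missing.client.provider",
                    "CWOAU0070E: A client provider was not found for the OAuth provider.", new Object[0], null, null);
            throw new ClientAuthenticationDataException();
        }
        String clientId = clientAuthnData.getUserName();
        String clientSecret = clientAuthnData.getPassWord();
        if (clientSecret == null && !clientAuthnData.isBasicAuth()) {
            // A parameter-based client without a secret is treated as presenting an empty one.
            clientSecret = "";
        }
        boolean credentialValid;
        if (oAuth20Provider.isAllowPublicClients() || isPublicClient(clientProvider, clientAuthnData)) {
            credentialValid = isValidPublicClient(httpServletResponse, clientSecret, clientProvider, clientAuthnData, endpointType, grantType, authScheme);
        } else {
            credentialValid = clientProvider.validateClient(clientId, clientSecret);
        }
        if (!credentialValid) {
            RateLimiter.limit();
            return false;
        }
        // The client may have been removed between validation and this lookup; treat
        // a missing registration like a disabled client instead of failing with an NPE.
        OidcBaseClient client = clientProvider.get(clientId);
        boolean enabled = client != null && client.isEnabled();
        if (!enabled && tc.isDebugEnabled()) {
            Tr.debug(tc, "Client " + clientId + " is not enabled so cannot be verified", new Object[0]);
        }
        return enabled;
    }

    /**
     * Returns whether the presented client id is registered as a public client.
     * A lookup failure is recorded through FFDC and treated as "not public".
     */
    private boolean isPublicClient(OidcOAuth20ClientProvider oidcOAuth20ClientProvider, ClientAuthnData clientAuthnData) {
        OidcBaseClient client = null;
        try {
            client = oidcOAuth20ClientProvider.get(clientAuthnData.getUserName());
        } catch (OidcServerException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "196", this, new Object[]{oidcOAuth20ClientProvider, clientAuthnData});
        }
        return client != null && client.isPublicClient();
    }

    /**
     * Validates a client that is allowed to be public.
     *
     * <p>If a secret was presented it is validated normally. Otherwise the grant type
     * must not require a confidential client ({@code CWOAU0071E} is written and the
     * check aborts when it does), and the client id merely has to exist.
     *
     * @param clientSecret the presented secret, possibly empty or {@code null}
     * @throws ClientAuthenticationDataException when the grant type requires a secret
     *                                           (error already written)
     */
    private boolean isValidPublicClient(HttpServletResponse httpServletResponse, String clientSecret, OidcOAuth20ClientProvider oidcOAuth20ClientProvider, ClientAuthnData clientAuthnData, OAuth20Request.EndpointType endpointType, String grantType, String authScheme) throws OidcServerException, ClientAuthenticationDataException {
        String clientId = clientAuthnData.getUserName();
        if (clientSecret != null && clientSecret.length() > 0) {
            return oidcOAuth20ClientProvider.validateClient(clientId, clientSecret);
        }
        if (grantTypeRequiresConfidentialClient(grantType)) {
            sendErrorAndLogMessage(httpServletResponse, statusForScheme(authScheme), ERROR_INVALID_CLIENT, authScheme, PROVIDER_BUNDLE,
                    "security.oauth20.error.granttype.requires.confidential.client",
                    "CWOAU0071E: A public client attempted to access the " + endpointType.toString() + " endpoint using the " + grantType + " grant type. The client_id is: " + clientId,
                    new Object[]{endpointType.toString(), grantType, clientId}, null, null);
            throw new ClientAuthenticationDataException();
        }
        return oidcOAuth20ClientProvider.exists(clientId);
    }

    /**
     * Writes the {@code invalid_client} error for a client that failed authentication.
     * Endpoints in {@link #endpointTypeForInvalidClientList} get the formatted
     * {@code CWWKS1406E} message; others get a bare 401.
     */
    private void sendErrorAndLogMessageForInvalidClient(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth20Request.EndpointType endpointType, ClientAuthnData clientAuthnData, String authScheme) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "ClientAuthentication with invalid_client. endpointType: " + endpointType, new Object[0]);
        }
        String clientId = clientAuthnData.getUserName();
        if (!endpointTypeForInvalidClientList.contains(endpointType)) {
            WebUtils.sendErrorJSON(httpServletResponse, 401, ERROR_INVALID_CLIENT, (String) null, authScheme);
            Tr.error(tc, "security.oauth20.endpoint.client.auth.error", new Object[]{clientId});
            return;
        }
        String requestURI = httpServletRequest.getRequestURI();
        sendErrorAndLogMessage(httpServletResponse, statusForScheme(authScheme), ERROR_INVALID_CLIENT, authScheme, MESSAGE_BUNDLE, "OAUTH_INVALID_CLIENT",
                invalidClientMessage(endpointType, requestURI), invalidClientMessageArgs(endpointType, requestURI),
                "security.oauth20.endpoint.client.auth.error", new Object[]{clientId});
    }

    /** Default-language text of {@code CWWKS1406E} for the given endpoint and URI. */
    private static String invalidClientMessage(OAuth20Request.EndpointType endpointType, String requestURI) {
        return "CWWKS1406E: The " + endpointType.toString() + " request had an invalid client credential. The request URI was {" + requestURI + "}.";
    }

    /** Message arguments matching {@link #invalidClientMessage}. */
    private static Object[] invalidClientMessageArgs(OAuth20Request.EndpointType endpointType, String requestURI) {
        return new Object[]{endpointType.toString(), requestURI};
    }

    /**
     * HTTP status for a client-authentication error: 401 when the request carried an
     * {@code Authorization} scheme (so a challenge is appropriate), 400 otherwise.
     */
    private static int statusForScheme(String authScheme) {
        return authScheme != null ? 401 : 400;
    }

    /**
     * Validates the resource owner for a {@code password} grant.
     *
     * <p>Depending on {@code isPasswordGrantRequiresAppPassword()} the presented
     * password is either a registry password or an application password. A valid
     * owner is additionally rejected when the per-user token limit is reached.
     * Failures write their own error response; parameter errors are mapped to
     * {@code invalid_request}.
     *
     * @return whether the resource owner is authenticated and below the token limit
     */
    private boolean isResourceOwnerCredentialValid(OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth20Request.EndpointType endpointType, ClientAuthnData clientAuthnData, String authScheme) throws OidcServerException {
        appPasswordMisConfigurationCheck(oAuth20Provider, clientAuthnData);
        boolean requiresAppPassword = oAuth20Provider.isPasswordGrantRequiresAppPassword();
        try {
            boolean ownerValid = requiresAppPassword
                    ? validateResourceOwnerCredentialWithAppPassword(httpServletRequest, httpServletResponse, endpointType, oAuth20Provider, clientAuthnData)
                    : validateResourceOwnerCredential(oAuth20Provider, httpServletRequest, httpServletResponse, endpointType);
            if (!ownerValid) {
                sendErrorForInvalidResourceOwnerCredentials(httpServletRequest, httpServletResponse, endpointType, authScheme, requiresAppPassword);
                return false;
            }
            String username = EndpointUtils.getParameter(httpServletRequest, "username");
            String clientId = clientAuthnData.getUserName();
            if (EndpointUtils.reachedTokenLimit(oAuth20Provider, httpServletRequest, username, clientId)) {
                createTokenLimitReachedError(httpServletResponse, endpointType);
                return false;
            }
            return true;
        } catch (OAuth20DuplicateParameterException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "278", this, new Object[]{oAuth20Provider, httpServletRequest, httpServletResponse, endpointType, clientAuthnData, authScheme});
            handleDuplicateParameterException(e, httpServletResponse);
            return false;
        } catch (OAuth20MissingParameterException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "281", this, new Object[]{oAuth20Provider, httpServletRequest, httpServletResponse, endpointType, clientAuthnData, authScheme});
            handleMissingParameterException(e, httpServletResponse);
            return false;
        }
    }

    /**
     * Warns once per process when the client's application-password setting and the
     * provider's {@code passwordGrantRequiresAppPassword} setting disagree.
     *
     * <p>The warning names the registered client id when the client was found and
     * falls back to the presented id otherwise, so the check never dereferences a
     * client that is not registered (the previous code did, and failed with an NPE
     * when the provider required application passwords).
     */
    void appPasswordMisConfigurationCheck(OAuth20Provider oAuth20Provider, ClientAuthnData clientAuthnData) {
        if (appPasswordMisConfigEvaluated) {
            return;
        }
        boolean requiresAppPassword = oAuth20Provider.isPasswordGrantRequiresAppPassword();
        String presentedClientId = clientAuthnData.getUserName();
        OidcOAuth20ClientProvider clientProvider = oAuth20Provider.getClientProvider();
        OidcBaseClient client = null;
        if (clientProvider != null && presentedClientId != null) {
            try {
                client = clientProvider.get(presentedClientId);
            } catch (OidcServerException e) {
                FFDCFilter.processException(e, FFDC_SOURCE, "318", this, new Object[]{oAuth20Provider, clientAuthnData});
            }
        }
        boolean clientAllowsAppPassword = client != null && client.isAppPasswordAllowed();
        String warnedClientId = client != null ? client.getClientId() : presentedClientId;
        if (clientAllowsAppPassword && !requiresAppPassword) {
            Tr.warning(tc, "security.oauth20.apppassword.config.c1p0.warning", new Object[]{warnedClientId, oAuth20Provider.getID()});
        } else if (!clientAllowsAppPassword && requiresAppPassword) {
            Tr.warning(tc, "security.oauth20.apppassword.config.c0p1.warning", new Object[]{warnedClientId, oAuth20Provider.getID()});
        }
        appPasswordMisConfigEvaluated = true;
    }

    /**
     * Writes the {@code invalid_request} error used when the resource owner has reached
     * the token limit. Only endpoints in {@link #endpointTypeForInvalidClientList}
     * receive a response body here; for any other type nothing is written (kept from
     * the original behaviour — the caller still returns {@code false}).
     */
    private void createTokenLimitReachedError(HttpServletResponse httpServletResponse, OAuth20Request.EndpointType endpointType) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "ClientAuthentication with too many token requests. endpointType: " + endpointType, new Object[0]);
        }
        if (endpointTypeForInvalidClientList.contains(endpointType)) {
            WebUtils.sendErrorJSON(httpServletResponse, 400, ERROR_INVALID_REQUEST, null);
        }
    }

    /**
     * Writes the {@code invalid_client} error for a resource owner that failed
     * validation. The message differs for registry passwords ({@code CWOAU0069E}) and
     * application passwords ({@code CWOAU0074E}).
     *
     * @param appPasswordMode {@code true} when the password was checked as an
     *                        application password
     */
    private void sendErrorForInvalidResourceOwnerCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth20Request.EndpointType endpointType, String authScheme, boolean appPasswordMode) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "ClientAuthentication with invalid_resource_owner_credentials. endpointType: " + endpointType, new Object[0]);
        }
        if (!endpointTypeForInvalidClientList.contains(endpointType)) {
            WebUtils.sendErrorJSON(httpServletResponse, 401, ERROR_INVALID_CLIENT, (String) null, authScheme);
            return;
        }
        String username = httpServletRequest.getParameter("username");
        String messageKey;
        String defaultMessage;
        if (appPasswordMode) {
            messageKey = "security.oauth20.endpoint.resowner.apppassword.error";
            defaultMessage = "CWOAU0074E: The application password exchange request for user [{0}] could not be completed because the application password could not be verified. The password is either incorrect, expired, deleted, or is supplied with the wrong client credentials.";
        } else {
            messageKey = "security.oauth20.endpoint.resowner.auth.error";
            defaultMessage = "CWOAU0069E: The resource owner could not be verified. Either the resource owner: " + username + " or password is incorrect.";
        }
        sendErrorAndLogMessage(httpServletResponse, statusForScheme(authScheme), ERROR_INVALID_CLIENT, authScheme, PROVIDER_BUNDLE, messageKey, defaultMessage, new Object[]{username}, null, null);
    }

    /**
     * Returns whether the grant type may only be used by a confidential client
     * ({@code client_credentials} and JWT bearer); comparison is case-insensitive.
     *
     * @param grantType the {@code grant_type} parameter, may be {@code null}
     */
    protected boolean grantTypeRequiresConfidentialClient(String grantType) {
        return "client_credentials".equalsIgnoreCase(grantType) || "urn:ietf:params:oauth:grant-type:jwt-bearer".equalsIgnoreCase(grantType);
    }

    /**
     * Validates the resource owner's {@code username}/{@code password} parameters
     * against the user registry.
     *
     * <p>When the provider prefers the registry's security name and it differs from
     * the presented name, the security name is stored under
     * {@link OAuth20Constants#RESOURCE_OWNER_OVERRIDDEN_USERNAME} on the request.
     *
     * @throws OAuth20DuplicateParameterException when a parameter is repeated
     * @throws OAuth20MissingParameterException   when a parameter is absent or empty
     * @throws OidcServerException                ({@code server_error}) for any other
     *                                            failure, including registry errors
     */
    protected boolean validateResourceOwnerCredential(OAuth20Provider oAuth20Provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth20Request.EndpointType endpointType) throws OidcServerException, OAuth20DuplicateParameterException, OAuth20MissingParameterException {
        try {
            // Registry lookup comes first so a registry failure surfaces before parameter errors.
            UserRegistry userRegistry = getUserRegistry();
            String username = requiredParameter(httpServletRequest, "username");
            String password = requiredParameter(httpServletRequest, "password");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "validateResourceOwnerCredential for Username " + username, new Object[0]);
            }
            boolean valid = userRegistry.checkPassword(username, password) != null;
            if (valid && oAuth20Provider.isROPCPreferUserSecurityName()) {
                String securityName = userRegistry.getUserSecurityName(username);
                if (!securityName.equals(username)) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "setting attribute to override user name to " + securityName, new Object[0]);
                    }
                    httpServletRequest.setAttribute(OAuth20Constants.RESOURCE_OWNER_OVERRIDDEN_USERNAME, securityName);
                }
            }
            return valid;
        } catch (OAuth20DuplicateParameterException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "450", this, new Object[]{oAuth20Provider, httpServletRequest, httpServletResponse, endpointType});
            throw e;
        } catch (OAuth20MissingParameterException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "452", this, new Object[]{oAuth20Provider, httpServletRequest, httpServletResponse, endpointType});
            throw e;
        } catch (Exception e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "454", this, new Object[]{oAuth20Provider, httpServletRequest, httpServletResponse, endpointType});
            Tr.error(tc, "security.oauth20.endpoint.resowner.auth.error", new Object[]{""});
            throw new OidcServerException("invalid_resource_owner_credential", "server_error", 400, e);
        }
    }

    /**
     * Validates the resource owner's {@code username}/{@code password} parameters
     * where the password is an application password (see {@link #checkAppPassword}).
     *
     * @throws OAuth20DuplicateParameterException when a parameter is repeated
     * @throws OAuth20MissingParameterException   when a parameter is absent or empty
     * @throws OidcServerException                ({@code server_error}) for any other
     *                                            failure
     */
    protected boolean validateResourceOwnerCredentialWithAppPassword(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth20Request.EndpointType endpointType, OAuth20Provider oAuth20Provider, ClientAuthnData clientAuthnData) throws OidcServerException, OAuth20DuplicateParameterException, OAuth20MissingParameterException {
        try {
            String username = requiredParameter(httpServletRequest, "username");
            String appPassword = requiredParameter(httpServletRequest, "password");
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "validateResourceOwnerCredential for Username " + username, new Object[0]);
            }
            return checkAppPassword(username, appPassword, oAuth20Provider, clientAuthnData) != null;
        } catch (OAuth20DuplicateParameterException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "498", this, new Object[]{httpServletRequest, httpServletResponse, endpointType, oAuth20Provider, clientAuthnData});
            throw e;
        } catch (OAuth20MissingParameterException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "500", this, new Object[]{httpServletRequest, httpServletResponse, endpointType, oAuth20Provider, clientAuthnData});
            throw e;
        } catch (Exception e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "502", this, new Object[]{httpServletRequest, httpServletResponse, endpointType, oAuth20Provider, clientAuthnData});
            Tr.error(tc, "security.oauth20.endpoint.resowner.apppassword.error", new Object[]{""});
            throw new OidcServerException("invalid_resource_owner_credential", "server_error", 400, e);
        }
    }

    /**
     * Reads a parameter that must be present exactly once and non-empty.
     *
     * @throws OAuth20DuplicateParameterException when the parameter is repeated
     * @throws OAuth20MissingParameterException   when it is absent or empty
     */
    @Sensitive
    private String requiredParameter(HttpServletRequest httpServletRequest, String name) throws OAuth20DuplicateParameterException, OAuth20MissingParameterException {
        String value = checkForRepeatedOrEmptyParameter(httpServletRequest, name);
        if (value == null) {
            throw new OAuth20MissingParameterException(MISSING_PARAMETER_KEY, name, null);
        }
        return value;
    }

    /**
     * Resolves an application password to the token it represents.
     *
     * <p>The password is hashed the same way access tokens are keyed in the cache
     * ({@code plain} encoding uses the one-argument hash), looked up, bound to the
     * calling client via {@link #assertTokenIsUsedByAllowedClient}, and finally
     * required to be an {@code app_password} grant issued to {@code username}.
     *
     * @param username    resource owner presented in the request (non-null)
     * @param appPassword the presented application password
     * @return the matching token, or {@code null} when any check fails
     */
    private OAuth20Token checkAppPassword(String username, String appPassword, OAuth20Provider oAuth20Provider, ClientAuthnData clientAuthnData) {
        String encoding = oAuth20Provider.getAccessTokenEncoding();
        String lookupKey = "plain".equals(encoding) ? EndpointUtils.computeTokenHash(appPassword) : EndpointUtils.computeTokenHash(appPassword, encoding);
        OAuth20Token cached = oAuth20Provider.getTokenCache().get(lookupKey);
        if (cached == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Access token was not found in the provider's token cache", new Object[0]);
            }
            return null;
        }
        OAuth20Token token = assertTokenIsUsedByAllowedClient(cached, clientAuthnData, oAuth20Provider);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "checkAppPassword obtained access token: " + token, new Object[0]);
        }
        if (token == null) {
            return null;
        }
        // Literal-first comparisons: a token without a grant type or user must not NPE here.
        if (!APP_PASSWORD_GRANT.equals(token.getGrantType())) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "checkAppPassword access token is not for app password, return null", new Object[0]);
            }
            return null;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "checkAppPassword obtained access token for an app password " + token, new Object[0]);
        }
        if (!username.equals(token.getUsername())) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "UserName from token request: " + username + " does not match userName of app password: " + token.getUsername() + ", return null", new Object[0]);
            }
            return null;
        }
        return token;
    }

    /**
     * Binds the token to the calling client.
     *
     * <p>If the token already carries a {@code used_by} list, the caller's client id
     * must be in it. If it carries none, the caller claims it: the id is written into
     * the token's extension properties and, for a non-local store, the token is
     * re-added to the cache so the claim persists.
     *
     * @return the token when the client is allowed to use it, else {@code null}
     */
    private OAuth20Token assertTokenIsUsedByAllowedClient(OAuth20Token oAuth20Token, ClientAuthnData clientAuthnData, OAuth20Provider oAuth20Provider) {
        String clientId = clientAuthnData.getUserName();
        String[] usedBy = oAuth20Token.getUsedBy();
        if (usedBy == null) {
            Map<String, String[]> extensionProperties = oAuth20Token.getExtensionProperties();
            if (extensionProperties != null) {
                extensionProperties.put("com.ibm.wsspi.security.oidc.external.claims:used_by", new String[]{clientId});
                if (!oAuth20Provider.isLocalStoreUsed()) {
                    if (tc.isDebugEnabled()) {
                        Tr.debug(tc, "persist the token : " + oAuth20Token.getId() + " to database after adding usedBy ext with the client : " + clientId, new Object[0]);
                    }
                    OAuth20EnhancedTokenCache tokenCache = oAuth20Provider.getTokenCache();
                    tokenCache.removeByHash(oAuth20Token.getId());
                    tokenCache.addByHash(oAuth20Token.getId(), oAuth20Token, oAuth20Token.getLifetimeSeconds());
                }
            }
            return oAuth20Token;
        }
        List<String> allowedClients = Arrays.asList(usedBy);
        if (allowedClients.contains(clientId)) {
            return oAuth20Token;
        }
        // An empty used_by list has no first element to report; log an empty owner instead of throwing.
        String firstAllowed = usedBy.length > 0 ? usedBy[0] : "";
        Tr.error(tc, "security.oauth20.apppassword.exchange.wrongclient", new Object[]{firstAllowed, clientId});
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Client ID [" + clientId + "] not found in used_by list of allowed clients for this token " + allowedClients, new Object[0]);
        }
        return null;
    }

    /** Returns the default user registry; overridable for testing. */
    protected UserRegistry getUserRegistry() throws WSSecurityException {
        return RegistryHelper.getUserRegistry((String) null);
    }

    /** Writes a 400 {@code invalid_request} for a repeated parameter and logs it. */
    private void handleDuplicateParameterException(OAuth20DuplicateParameterException e, HttpServletResponse httpServletResponse) {
        WebUtils.sendErrorJSON(httpServletResponse, 400, ERROR_INVALID_REQUEST, e.getMessage(), (String) null);
        Tr.error(tc, e.getMessage(), new Object[0]);
    }

    /** Writes a 400 {@code invalid_request} for a missing parameter and logs it. */
    private void handleMissingParameterException(OAuth20MissingParameterException e, HttpServletResponse httpServletResponse) {
        WebUtils.sendErrorJSON(httpServletResponse, 400, ERROR_INVALID_REQUEST, e.getMessage(), (String) null);
        Tr.error(tc, e.getMessage(), new Object[0]);
    }

    /**
     * Writes a JSON error whose description is the formatted NLS message, then logs
     * either {@code logKey}/{@code logArgs} (when given) or the same message.
     *
     * @param status         HTTP status to send
     * @param error          OAuth error code
     * @param authScheme     scheme echoed into the response challenge, may be {@code null}
     * @param bundle         message bundle for {@code messageKey}
     * @param messageKey     key of the description message
     * @param defaultMessage fallback text when the key is not found
     * @param messageArgs    arguments for the description message
     * @param logKey         optional separate key for the log entry
     * @param logArgs        arguments for {@code logKey}
     */
    private void sendErrorAndLogMessage(HttpServletResponse httpServletResponse, int status, String error, String authScheme, String bundle, String messageKey, String defaultMessage, Object[] messageArgs, String logKey, Object[] logArgs) {
        String description = TraceNLS.getFormattedMessage(getClass(), bundle, messageKey, messageArgs, defaultMessage);
        WebUtils.sendErrorJSON(httpServletResponse, status, error, description, authScheme);
        if (logKey != null) {
            Tr.error(tc, logKey, logArgs);
        } else {
            Tr.error(tc, messageKey, messageArgs);
        }
    }

    /**
     * Returns the scheme token of the {@code Authorization} header (text before the
     * first space, trimmed), or {@code null} when the header is absent or blank.
     *
     * <p>Only the scheme is traced: the header value carries the client credential
     * (e.g. Basic client_id:secret) and must not end up in the trace log.
     */
    private String getAuthenticationScheme(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null) {
            return null;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Got Authorization header; value not traced because it may carry client credentials", new Object[0]);
        }
        String[] parts = header.split(" ");
        if (parts.length <= 0) {
            // split drops trailing empty strings, so a blank header yields no parts.
            return null;
        }
        String scheme = parts[0].trim();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Got authentication scheme: " + scheme, new Object[0]);
        }
        return scheme;
    }

    /**
     * Returns the single value of a request parameter, or {@code null} when it is
     * absent or empty.
     *
     * @throws OAuth20DuplicateParameterException when the parameter occurs more than once
     */
    @Sensitive
    private String checkForRepeatedOrEmptyParameter(HttpServletRequest httpServletRequest, String name) throws OAuth20DuplicateParameterException {
        String[] values = httpServletRequest.getParameterValues(name);
        if (values != null && values.length > 1) {
            throw new OAuth20DuplicateParameterException("security.oauth20.error.duplicate.parameter", name);
        }
        if (values == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No values found for parameter: " + name, new Object[0]);
            }
            return null;
        }
        String value = values[0];
        return value.isEmpty() ? null : value;
    }
}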
