package com.ibm.ws.security.openidconnect.server.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.websphere.ssl.JSSEHelper;
import com.ibm.websphere.ssl.SSLConfigChangeListener;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.config.CommonConfigUtils;
import com.ibm.ws.security.common.jwk.impl.JWKProvider;
import com.ibm.ws.security.openidconnect.common.ConfigUtils;
import com.ibm.ws.security.openidconnect.server.ServerConstants;
import com.ibm.ws.security.openidconnect.server.plugins.OIDCProvidersConfig;
import com.ibm.ws.ssl.KeyStoreService;
import com.ibm.ws.webcontainer.security.jwk.JSONWebKey;
import com.ibm.ws.webcontainer.security.openidconnect.OidcServerConfig;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.ssl.SSLSupport;
import io.openliberty.security.openidconnect.server.config.OidcEndpointSettings;
import java.io.IOException;
import java.security.AccessController;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Dictionary;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.regex.Pattern;
import org.osgi.framework.ServiceReference;
import org.osgi.service.cm.Configuration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.osgi.service.component.ComponentContext;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:com/ibm/ws/security/openidconnect/server/internal/OidcServerConfigImpl.class */
public class OidcServerConfigImpl implements OidcServerConfig {
    public static final String KEY_HTTPS_REQUIRED = "httpsRequired";
    public static final String CFG_KEY_ID = "id";
    public static final String CFG_KEY_OAUTH_PROVIDER_REF = "oauthProviderRef";
    public static final String CFG_KEY_UNIQUE_USER_IDENTIFIER = "uniqueUserIdentifier";
    public static final String CFG_KEY_ISSUER_IDENTIFIER = "issuerIdentifier";
    public static final String CFG_KEY_AUDIENCE = "audience";
    public static final String CFG_KEY_USER_IDENTITY = "userIdentity";
    public static final String CFG_KEY_GROUP_IDENTIFIER = "groupIdentifier";
    public static final String CFG_KEY_DEFAULT_SCOPE = "defaultScope";
    public static final String CFG_KEY_EXTERNAL_CLAIM_NAMES = "externalClaimNames";
    public static final String CFG_KEY_SIGNATURE_ALGORITHM = "signatureAlgorithm";
    public static final String CFG_KEY_CUSTOM_CLAIMS_ENABLED = "customClaimsEnabled";
    public static final String CFG_KEY_CUSTOM_CLAIMS = "customClaims";
    public static final String CFG_KEY_JTI_CLAIM_ENABLED = "jtiClaimEnabled";
    public static final String CFG_KEY_KEYSTORE_REF = "keyStoreRef";
    public static final String CFG_KEYSTORE_REF_DEFAULT = "opKeyStore";
    public static final String CFG_KEY_KEY_ALIAS_NAME = "keyAliasName";
    public static final String CFG_KEY_TRUSTSTORE_REF = "trustStoreRef";
    public static final String CFG_KEY_SESSION_MANAGED = "sessionManaged";
    public static final String CFG_KEY_ID_TOKEN_LIFETIME = "idTokenLifetime";
    public static final String CFG_KEY_CHECK_SESSION_IFRAME_ENDPOINT_URL = "checkSessionIframeEndpointUrl";
    public static final String CFG_KEY_PROTECTED_ENDPOINTS = "protectedEndpoints";
    public static final String CFG_KEY_CACHE_IDTOKEN = "idTokenCacheEnabled";
    public static final String CFG_KEY_RESPONSE_TYPES_SUPPORTED = "responseTypesSupported";
    public static final String CFG_KEY_SUBJECT_TYPES_SUPPORTED = "subjectTypesSupported";
    public static final String CFG_KEY_ID_TOKEN_SIGNING_ALG_VAL_SUPPORTED = "idTokenSigningAlgValuesSupported";
    public static final String CFG_KEY_SCOPES_SUPPORTED = "scopesSupported";
    public static final String CFG_KEY_CLAIMS_SUPPORTED = "claimsSupported";
    public static final String CFG_KEY_RESPONSE_MODES_SUPPORTED = "responseModesSupported";
    public static final String CFG_KEY_GRANT_TYPES_SUPPORTED = "grantTypesSupported";
    public static final String CFG_KEY_TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED = "tokenEndpointAuthMethodsSupported";
    public static final String CFG_KEY_DISPLAY_VALUES_SUPPORTED = "displayValuesSupported";
    public static final String CFG_KEY_CLAIM_TYPES_SUPPORTED = "claimTypesSupported";
    public static final String CFG_KEY_CLAIMS_PARAMETERS_SUPPORTED = "claimsParameterSupported";
    public static final String CFG_KEY_REQUEST_PARAMETERS_SUPPORTED = "requestParameterSupported";
    public static final String CFG_KEY_REQUEST_URI_PARAMETER_SUPPORTED = "requestUriParameterSupported";
    public static final String CFG_KEY_REQUIRE_REQUEST_URI_REGISTRATION = "requireRequestUriRegistration";
    public static final String CFG_KEY_BACKING_IDP_URI_PREFIX = "backingIdpUriPrefix";
    public static final String CFG_KEY_AUTH_PROXY_ENDPOINT_URL = "authProxyEndpointUrl";
    public static final String CFG_KEY_REQUIRE_OPENID_SCOPE_FOR_USERINFO = "requireOpenidScopeForUserInfo";
    public static final String CFG_KEY_OIDC_ENDPOINT = "oidcEndpoint";
    public static final String CFG_KEY_JWK_ENABLED = "jwkEnabled";
    public static final String CFG_KEY_JWK_ROTATION = "jwkRotationTime";
    public static final String CFG_KEY_JWK_SIGNING_KEY_SIZE = "jwkSigningKeySize";
    public static final String CFG_KEY_SSO_COOKIE_NAME = "allowDefaultSsoCookieName";
    public static final String KEY_CONFIGURATION_ADMIN = "configurationAdmin";
    public static final String KEY_KEYSTORE_SERVICE = "keyStoreService";
    public static final String KEY_SSL_SUPPORT = "sslSupport";
    private ConfigUtils configUtils;
    private String providerId;
    private String oauthProviderRef;
    private String userIdentifier;
    private String uniqueUserIdentifier;
    private String issuerIdentifier;
    private String audience;
    private String userIdentity;
    private String groupIdentifier;
    private String defaultScope;
    private String externalClaimNames;
    private Properties scopeToClaimMap;
    private Properties claimToUserRegistryMap;
    private String signatureAlgorithm;
    private boolean customClaimsEnabled;
    private boolean cacheIDToken;
    private Set<String> customClaims;
    private boolean jtiClaimEnabled;
    private boolean sessionManaged;
    private String keyStoreRef;
    private String keyAliasName;
    private String trustStoreRef;
    private long idTokenLifetime;
    private String checkSessionIframeEndpointUrl;
    private String protectedEndpoints;
    Pattern patternProtectedEndpoints;
    Pattern patternOidcEndpoints;
    Pattern patternNonOidcEndpoints;
    private Properties discovery;
    private String[] responseTypesSupported;
    private String[] subjectTypesSupported;
    private String idTokenSigningAlgValuesSupported;
    private String[] scopesSupported;
    private String[] claimsSupported;
    private String[] responseModesSupported;
    private String[] grantTypesSupported;
    private String[] tokenEndpointAuthMethodsSupported;
    private String[] displayValuesSupported;
    private String[] claimTypesSupported;
    private boolean claimsParameterSupported;
    private boolean requestParameterSupported;
    private boolean requestUriParameterSupported;
    private boolean requireRequestUriRegistration;
    private String backingIdpUriPrefix;
    private String authProxyEndpointUrl;
    private JWKProvider jwkProvider;
    private OidcEndpointSettings oidcEndpointSettings;
    static final long serialVersionUID = 7116152326512086978L;
    private static final TraceComponent tc = Tr.register(OidcServerConfigImpl.class, "OpenIdConnect", "com.ibm.ws.security.openidconnect.server.internal.resources.OidcServerMessages");
    static final Set<String> defaultCustomClaims = new HashSet();
    private final AtomicServiceReference<ConfigurationAdmin> configAdminRef = new AtomicServiceReference<>(KEY_CONFIGURATION_ADMIN);
    private final AtomicServiceReference<KeyStoreService> keyStoreServiceRef = new AtomicServiceReference<>(KEY_KEYSTORE_SERVICE);
    protected final AtomicServiceReference<SSLSupport> sslSupportRef = new AtomicServiceReference<>(KEY_SSL_SUPPORT);
    private final CommonConfigUtils commonConfigUtils = new CommonConfigUtils();
    private boolean jwkEnabled = false;
    private long jwkRotationTime = 0;
    private int jwkSigningKeySize = 0;
    private boolean allowLtpaToken2Name = false;
    private boolean requireOpenidScopeForUserInfo = true;
    private final ReentrantReadWriteLock reentrantReadWriteLock = new ReentrantReadWriteLock();
    private final ReentrantReadWriteLock.WriteLock writeLock = this.reentrantReadWriteLock.writeLock();
    private final ReentrantReadWriteLock.ReadLock readLock = this.reentrantReadWriteLock.readLock();

    /**
     * DS bind method for the ConfigurationAdmin service. The reference swap happens
     * under the write lock so no reader sees a half-bound tracker.
     */
    protected void setConfigurationAdmin(ServiceReference<ConfigurationAdmin> serviceReference) {
        final ReentrantReadWriteLock.WriteLock lock = this.writeLock;
        lock.lock();
        try {
            this.configAdminRef.setReference(serviceReference);
        } finally {
            lock.unlock();
        }
    }

    /** DS unbind method for the ConfigurationAdmin service; mirrors {@link #setConfigurationAdmin}. */
    protected void unsetConfigurationAdmin(ServiceReference<ConfigurationAdmin> serviceReference) {
        final ReentrantReadWriteLock.WriteLock lock = this.writeLock;
        lock.lock();
        try {
            this.configAdminRef.unsetReference(serviceReference);
        } finally {
            lock.unlock();
        }
    }

    /**
     * DS bind method for the KeyStoreService (source of the OP signing key and trust
     * material). Bound under the write lock, like the ConfigurationAdmin reference.
     */
    protected void setKeyStoreService(ServiceReference<KeyStoreService> serviceReference) {
        final ReentrantReadWriteLock.WriteLock lock = this.writeLock;
        lock.lock();
        try {
            this.keyStoreServiceRef.setReference(serviceReference);
        } finally {
            lock.unlock();
        }
    }

    /** DS unbind method for the KeyStoreService; mirrors {@link #setKeyStoreService}. */
    protected void unsetKeyStoreService(ServiceReference<KeyStoreService> serviceReference) {
        final ReentrantReadWriteLock.WriteLock lock = this.writeLock;
        lock.lock();
        try {
            this.keyStoreServiceRef.unsetReference(serviceReference);
        } finally {
            lock.unlock();
        }
    }

    /**
     * DS bind method for SSLSupport. Unlike the ConfigurationAdmin/KeyStoreService binds this
     * one does not take the write lock; the AtomicServiceReference swap is left unguarded here,
     * as in the original.
     */
    protected void setSslSupport(ServiceReference<SSLSupport> serviceReference) {
        sslSupportRef.setReference(serviceReference);
    }

    /** DS "updated" callback for SSLSupport; re-points the tracker at the (possibly changed) reference. */
    protected void updatedSslSupport(ServiceReference<SSLSupport> serviceReference) {
        sslSupportRef.setReference(serviceReference);
    }

    /** DS unbind method for SSLSupport; no lock is taken (see {@link #setSslSupport}). */
    protected void unsetSslSupport(ServiceReference<SSLSupport> serviceReference) {
        sslSupportRef.unsetReference(serviceReference);
    }

    /**
     * DS activate: starts the three service trackers, builds the {@link ConfigUtils} helper
     * around the ConfigurationAdmin tracker and applies the initial configuration.
     * Runs under the write lock (on top of {@code synchronized}) so getters never observe a
     * partially processed configuration.
     *
     * @param componentContext DS component context used to activate the trackers
     * @param map              the component properties (the openidConnectProvider element)
     */
    protected synchronized void activate(ComponentContext componentContext, Map<String, Object> map) {
        final ReentrantReadWriteLock.WriteLock lock = this.writeLock;
        lock.lock();
        try {
            this.configAdminRef.activate(componentContext);
            this.keyStoreServiceRef.activate(componentContext);
            this.sslSupportRef.activate(componentContext);
            this.configUtils = new ConfigUtils(this.configAdminRef);
            processConfigProps(map);
            Tr.info(tc, "OIDC_SERVER_CONFIG_PROCESSED", new Object[]{this.providerId});
        } finally {
            lock.unlock();
        }
    }

    /**
     * DS modified callback: re-applies the configuration in place under the write lock and
     * logs OIDC_SERVER_CONFIG_MODIFIED for the provider.
     *
     * @param map the updated component properties
     */
    protected synchronized void modify(Map<String, Object> map) {
        final ReentrantReadWriteLock.WriteLock lock = this.writeLock;
        lock.lock();
        try {
            processConfigProps(map);
            Tr.info(tc, "OIDC_SERVER_CONFIG_MODIFIED", new Object[]{this.providerId});
        } finally {
            lock.unlock();
        }
    }

    /**
     * DS deactivate: stops the service trackers and unregisters this provider from
     * {@link OIDCProvidersConfig} so stale configuration is not served after shutdown.
     *
     * @param componentContext DS component context
     */
    protected synchronized void deactivate(ComponentContext componentContext) {
        final ReentrantReadWriteLock.WriteLock lock = this.writeLock;
        lock.lock();
        try {
            this.configAdminRef.deactivate(componentContext);
            this.keyStoreServiceRef.deactivate(componentContext);
            this.sslSupportRef.deactivate(componentContext);
            OIDCProvidersConfig.removeOidcServerConfig(this.providerId);
        } finally {
            lock.unlock();
        }
    }

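    /**
     * Validates the configured {@code issuerIdentifier} against the {@code httpsRequired}
     * setting of the OAuth provider referenced by {@code oauthProviderRef}.
     * <p>
     * Fixes versus the original: the HTTPS test is now a scheme check rather than a substring
     * search (the old {@code contains("https:")} accepted e.g. {@code http://host/?https:}),
     * and an unavailable ConfigurationAdmin or missing provider properties no longer throw
     * NPE out of activate/modify. When {@code httpsRequired} cannot be determined it is
     * treated as {@code true} (fail closed).
     *
     * @param str the trimmed issuerIdentifier attribute; may be {@code null} or empty
     * @return {@code str} when it is null/empty, when HTTPS is not required, or when it is an
     *         {@code https://} URL; {@code null} (after an OIDC_SERVER_ISSUER_IDENTIFIER_NOT_HTTPS
     *         warning) when HTTPS is required but the issuer is not HTTPS; {@code null} when the
     *         oauthProviderRef cannot be read
     */
    private String processIssuerIdentifier(String str) {
        if (str == null || str.isEmpty()) {
            return str;
        }
        try {
            ConfigurationAdmin configAdmin = (ConfigurationAdmin) this.configAdminRef.getService();
            if (configAdmin == null) {
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "ConfigurationAdmin unavailable; cannot resolve oauthProviderRef", new Object[0]);
                }
                return null;
            }
            // getProperties() is null when the referenced provider does not exist (per OSGi CM,
            // getConfiguration creates an empty Configuration on demand rather than failing).
            Dictionary<?, ?> props = configAdmin.getConfiguration(this.oauthProviderRef, (String) null).getProperties();
            Object httpsRequired = props == null ? null : props.get(KEY_HTTPS_REQUIRED);
            // Fail closed: an absent or non-boolean httpsRequired is treated as "required".
            boolean requireHttps = !(httpsRequired instanceof Boolean) || ((Boolean) httpsRequired).booleanValue();
            if (requireHttps && !isHttpsUrl(str)) {
                Tr.warning(tc, "OIDC_SERVER_ISSUER_IDENTIFIER_NOT_HTTPS", new Object[]{str});
                return null;
            }
            return str;
        } catch (IOException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.server.internal.OidcServerConfigImpl", "290", this, new Object[]{str});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Invalid oauthProviderRef configuration", new Object[]{e});
            }
            return null;
        }
    }

    /** True when {@code url} starts with the {@code https://} scheme (case-insensitive). */
    private static boolean isHttpsUrl(String url) {
        final String scheme = "https://";
        return url != null && url.regionMatches(true, 0, scheme, 0, scheme.length());
    }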

    /**
     * Reads every attribute of the openidConnectProvider element into this instance and
     * finally registers it with {@link OIDCProvidersConfig}. Called from {@link #activate}
     * and {@link #modify} while the write lock is held.
     * <p>
     * Boolean/long attributes are unboxed directly ({@code ((Boolean) map.get(..)).booleanValue()}),
     * so they are presumed always present (metatype defaults) — a missing one would NPE here.
     * {@code trimIt} is defined elsewhere in this class (not visible in this excerpt).
     *
     * @param map the DS component properties; a {@code null} or empty map is ignored
     */
    private void processConfigProps(Map<String, Object> map) {
        if (map == null || map.isEmpty()) {
            return;
        }
        this.providerId = trimIt((String) map.get("id"));
        this.oauthProviderRef = trimIt((String) map.get(CFG_KEY_OAUTH_PROVIDER_REF));
        // Both userIdentifier and uniqueUserIdentifier are populated from the same
        // "uniqueUserIdentifier" attribute; there is no separate userIdentifier key.
        this.userIdentifier = trimIt((String) map.get(CFG_KEY_UNIQUE_USER_IDENTIFIER));
        this.uniqueUserIdentifier = trimIt((String) map.get(CFG_KEY_UNIQUE_USER_IDENTIFIER));
        // The issuer is checked against the OAuth provider's httpsRequired flag and may be nulled.
        this.issuerIdentifier = processIssuerIdentifier(trimIt((String) map.get(CFG_KEY_ISSUER_IDENTIFIER)));
        this.audience = trimIt((String) map.get(CFG_KEY_AUDIENCE));
        this.userIdentity = trimIt((String) map.get(CFG_KEY_USER_IDENTITY));
        this.groupIdentifier = trimIt((String) map.get(CFG_KEY_GROUP_IDENTIFIER));
        this.defaultScope = trimIt((String) map.get(CFG_KEY_DEFAULT_SCOPE));
        this.externalClaimNames = trimIt((String) map.get(CFG_KEY_EXTERNAL_CLAIM_NAMES));
        this.signatureAlgorithm = trimIt((String) map.get(CFG_KEY_SIGNATURE_ALGORITHM));
        this.customClaimsEnabled = ((Boolean) map.get(CFG_KEY_CUSTOM_CLAIMS_ENABLED)).booleanValue();
        this.customClaims = newCustomClaims((String[]) map.get(CFG_KEY_CUSTOM_CLAIMS));
        this.jtiClaimEnabled = ((Boolean) map.get(CFG_KEY_JTI_CLAIM_ENABLED)).booleanValue();
        this.sessionManaged = ((Boolean) map.get(CFG_KEY_SESSION_MANAGED)).booleanValue();
        // keyStoreRef is resolved first (the "opKeyStore" default may fall back to the SSL
        // config's keystore), then trimmed; fixUpKeyStoreRef dereferences its argument.
        this.keyStoreRef = trimIt(fixUpKeyStoreRef((String) map.get(CFG_KEY_KEYSTORE_REF)));
        this.keyAliasName = trimIt((String) map.get(CFG_KEY_KEY_ALIAS_NAME));
        this.trustStoreRef = trimIt((String) map.get(CFG_KEY_TRUSTSTORE_REF));
        this.idTokenLifetime = ((Long) map.get(CFG_KEY_ID_TOKEN_LIFETIME)).longValue();
        this.checkSessionIframeEndpointUrl = trimIt((String) map.get(CFG_KEY_CHECK_SESSION_IFRAME_ENDPOINT_URL));
        this.cacheIDToken = ((Boolean) map.get(CFG_KEY_CACHE_IDTOKEN)).booleanValue();
        // Optional attribute: the field keeps its previous value when absent.
        if (map.get(CFG_KEY_SSO_COOKIE_NAME) != null) {
            this.allowLtpaToken2Name = ((Boolean) map.get(CFG_KEY_SSO_COOKIE_NAME)).booleanValue();
        }
        // The protected-endpoints regex is only recompiled when the attribute actually changed.
        // NOTE(review): this presumes trimIt never returns null here (equals is invoked on it).
        String trimIt = trimIt((String) map.get(CFG_KEY_PROTECTED_ENDPOINTS));
        if (!trimIt.equals(this.protectedEndpoints)) {
            this.protectedEndpoints = trimIt;
            this.patternProtectedEndpoints = handleNewPattern(trimIt);
        }
        this.patternOidcEndpoints = handleOidcPattern();
        this.patternNonOidcEndpoints = handleNonOidcPattern();
        this.scopeToClaimMap = this.configUtils.processFlatProps(map, "scopeToClaimMap");
        this.claimToUserRegistryMap = this.configUtils.processFlatProps(map, "claimToUserRegistryMap");
        // Discovery metadata must be read after signatureAlgorithm: processDiscoveryRefElement copies it.
        this.discovery = this.configUtils.processDiscoveryProps(map, "discovery");
        processDiscoveryRefElement();
        // Optional attribute; defaults to true (field initializer) when absent.
        if (map.containsKey(CFG_KEY_REQUIRE_OPENID_SCOPE_FOR_USERINFO)) {
            this.requireOpenidScopeForUserInfo = ((Boolean) map.get(CFG_KEY_REQUIRE_OPENID_SCOPE_FOR_USERINFO)).booleanValue();
        }
        this.jwkEnabled = ((Boolean) map.get(CFG_KEY_JWK_ENABLED)).booleanValue();
        this.jwkRotationTime = ((Long) map.get(CFG_KEY_JWK_ROTATION)).longValue();
        // Configured in minutes; stored in milliseconds.
        this.jwkRotationTime = this.jwkRotationTime * 60 * 1000;
        this.jwkSigningKeySize = ((Long) map.get(CFG_KEY_JWK_SIGNING_KEY_SIZE)).intValue();
        // Builds/refreshes the JWK provider from the jwk* fields just set (defined elsewhere).
        buildJwk();
        this.oidcEndpointSettings = populateOidcEndpointSettings(map, CFG_KEY_OIDC_ENDPOINT);
        // Debug dump of the effective configuration: identifiers, store names and flags only;
        // no key material or passwords are printed here.
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "providerId: " + this.providerId, new Object[0]);
            Tr.debug(tc, "oauthProviderRef: " + this.oauthProviderRef, new Object[0]);
            Tr.debug(tc, "userIdentifier: " + this.userIdentifier, new Object[0]);
            Tr.debug(tc, "uniqueUserIdentifier: " + this.uniqueUserIdentifier, new Object[0]);
            Tr.debug(tc, "issuerIdentifier: " + this.issuerIdentifier, new Object[0]);
            Tr.debug(tc, "audience: " + this.audience, new Object[0]);
            Tr.debug(tc, "userIdentity: " + this.userIdentity, new Object[0]);
            Tr.debug(tc, "groupIdentifier: " + this.groupIdentifier, new Object[0]);
            Tr.debug(tc, "customClaimsEnabled: " + this.customClaimsEnabled, new Object[0]);
            Tr.debug(tc, "customClaims: " + this.customClaims, new Object[0]);
            Tr.debug(tc, "jtiClaimEnabled: " + this.jtiClaimEnabled, new Object[0]);
            Tr.debug(tc, "defaultScope: " + this.defaultScope, new Object[0]);
            Tr.debug(tc, "externalClaimNames: " + this.externalClaimNames, new Object[0]);
            Tr.debug(tc, "mapScopeToClaims: " + this.scopeToClaimMap, new Object[0]);
            Tr.debug(tc, "claimToUserRegistryAttributeMappings: " + this.claimToUserRegistryMap, new Object[0]);
            Tr.debug(tc, "signatureAlgorithm: " + this.signatureAlgorithm, new Object[0]);
            Tr.debug(tc, "keyStoreRef: " + this.keyStoreRef, new Object[0]);
            Tr.debug(tc, "keyAliasName: " + this.keyAliasName, new Object[0]);
            Tr.debug(tc, "trustStoreRef: " + this.trustStoreRef, new Object[0]);
            Tr.debug(tc, "sessionManaged: " + this.sessionManaged, new Object[0]);
            Tr.debug(tc, "idTokenLifetime: " + this.idTokenLifetime, new Object[0]);
            Tr.debug(tc, "checkSessionIframeEndpointUrl: " + this.checkSessionIframeEndpointUrl, new Object[0]);
            Tr.debug(tc, "protectedEndpoints: " + trimIt, new Object[0]);
            Tr.debug(tc, "jwkRotationTime: " + this.jwkRotationTime, new Object[0]);
            Tr.debug(tc, "jwkEnabled: " + this.jwkEnabled, new Object[0]);
            Tr.debug(tc, "allowLtpaToken2Name: " + this.allowLtpaToken2Name, new Object[0]);
            Tr.debug(tc, "cacheIDToken: " + this.cacheIDToken, new Object[0]);
        }
        // Publish (or replace) this provider's configuration for the rest of the OP.
        OIDCProvidersConfig.putOidcServerConfig(this.providerId, this);
    }

    /**
     * Reads the {@code oidcEndpoint} sub-element PIDs from the component properties and
     * resolves each one through ConfigurationAdmin.
     *
     * @param map the component properties
     * @param str the attribute name holding the sub-element PIDs
     * @return the aggregated settings, or {@code null} when no sub-elements are configured
     */
    private OidcEndpointSettings populateOidcEndpointSettings(Map<String, Object> map, String str) {
        String[] endpointPids = this.commonConfigUtils.getStringArrayConfigAttribute(map, str);
        if (endpointPids == null || endpointPids.length == 0) {
            return null;
        }
        return populateOidcEndpointSettings(endpointPids);
    }

    /**
     * Builds an {@link OidcEndpointSettings} from a list of configuration PIDs, adding the
     * Configuration resolved for each PID (possibly {@code null} if it could not be read).
     *
     * @param strArr the oidcEndpoint sub-element PIDs
     * @return the populated settings object (never {@code null})
     */
    private OidcEndpointSettings populateOidcEndpointSettings(String[] strArr) {
        OidcEndpointSettings settings = new OidcEndpointSettings();
        for (int i = 0; i < strArr.length; i++) {
            Configuration endpointConfig = getConfigurationFromConfigAdmin(strArr[i]);
            settings.addOidcEndpointSettings(endpointConfig);
        }
        return settings;
    }

    /**
     * Looks up a Configuration by PID through the tracked ConfigurationAdmin.
     * Note the location argument is {@code ""} here whereas the oauthProviderRef lookups in
     * this class pass {@code null}; preserved as-is.
     *
     * @param str the configuration PID
     * @return the Configuration, or {@code null} if ConfigurationAdmin is unavailable or the
     *         lookup throws IOException (recorded via FFDC)
     */
    Configuration getConfigurationFromConfigAdmin(String str) {
        ConfigurationAdmin configAdmin = (ConfigurationAdmin) this.configAdminRef.getService();
        if (configAdmin == null) {
            return null;
        }
        try {
            return configAdmin.getConfiguration(str, "");
        } catch (IOException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.server.internal.OidcServerConfigImpl", "420", this, new Object[]{str});
            return null;
        }
    }

    /**
     * Normalises the configured {@code customClaims} list: each entry is trimmed and entries
     * that appear in {@code defaultCustomClaims} are dropped.
     *
     * @param strArr the raw customClaims attribute; {@code null} yields an empty set
     * @return a new mutable set of the remaining claim names
     */
    protected Set<String> newCustomClaims(String[] strArr) {
        Set<String> claims = new HashSet<String>();
        if (strArr == null) {
            return claims;
        }
        for (int i = 0; i < strArr.length; i++) {
            String claim = strArr[i].trim();
            if (defaultCustomClaims.contains(claim)) {
                continue;
            }
            claims.add(claim);
        }
        return claims;
    }

    /**
     * Copies the parsed {@code discovery} sub-element into the individual discovery-metadata
     * fields. {@code idTokenSigningAlgValuesSupported} is not read from the element at all:
     * it is always the configured {@code signatureAlgorithm}, so that field must already be
     * set when this runs.
     */
    private void processDiscoveryRefElement() {
        final Properties d = this.discovery;
        this.idTokenSigningAlgValuesSupported = this.signatureAlgorithm;
        this.responseTypesSupported = (String[]) d.get(CFG_KEY_RESPONSE_TYPES_SUPPORTED);
        this.subjectTypesSupported = (String[]) d.get(CFG_KEY_SUBJECT_TYPES_SUPPORTED);
        this.scopesSupported = (String[]) d.get(CFG_KEY_SCOPES_SUPPORTED);
        this.claimsSupported = (String[]) d.get(CFG_KEY_CLAIMS_SUPPORTED);
        this.responseModesSupported = (String[]) d.get(CFG_KEY_RESPONSE_MODES_SUPPORTED);
        this.grantTypesSupported = (String[]) d.get(CFG_KEY_GRANT_TYPES_SUPPORTED);
        this.tokenEndpointAuthMethodsSupported = (String[]) d.get(CFG_KEY_TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED);
        this.displayValuesSupported = (String[]) d.get(CFG_KEY_DISPLAY_VALUES_SUPPORTED);
        this.claimTypesSupported = (String[]) d.get(CFG_KEY_CLAIM_TYPES_SUPPORTED);
        // The four boolean flags are unboxed directly and are therefore presumed always present.
        this.claimsParameterSupported = ((Boolean) d.get(CFG_KEY_CLAIMS_PARAMETERS_SUPPORTED)).booleanValue();
        this.requestParameterSupported = ((Boolean) d.get(CFG_KEY_REQUEST_PARAMETERS_SUPPORTED)).booleanValue();
        this.requestUriParameterSupported = ((Boolean) d.get(CFG_KEY_REQUEST_URI_PARAMETER_SUPPORTED)).booleanValue();
        this.requireRequestUriRegistration = ((Boolean) d.get(CFG_KEY_REQUIRE_REQUEST_URI_REGISTRATION)).booleanValue();
        this.backingIdpUriPrefix = trimIt((String) d.get(CFG_KEY_BACKING_IDP_URI_PREFIX));
        // getProperty (not get) here: a non-String value reads as null instead of a ClassCastException.
        this.authProxyEndpointUrl = trimIt(d.getProperty(CFG_KEY_AUTH_PROXY_ENDPOINT_URL));
    }

    /** @return the provider id (the {@code id} attribute); read under the read lock. */
    public String getProviderId() {
        String value;
        this.readLock.lock();
        try {
            value = this.providerId;
        } finally {
            this.readLock.unlock();
        }
        return value;
    }

    /**
     * Resolves the {@code id} of the OAuth provider referenced by {@code oauthProviderRef}.
     *
     * @return the provider id, or {@code null} if the reference cannot be resolved
     */
    public String getOauthProviderName() {
        final ReentrantReadWriteLock.ReadLock lock = this.readLock;
        lock.lock();
        try {
            return getOauthProviderName(this.oauthProviderRef);
        } finally {
            lock.unlock();
        }
    }

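    /**
     * Reads the {@code id} property of the OAuth provider configuration with PID {@code str}.
     * <p>
     * Fix: an unavailable ConfigurationAdmin now yields {@code null} instead of an NPE.
     * {@code getProperties()} is null-checked because, per OSGi ConfigurationAdmin,
     * {@code getConfiguration(pid, location)} creates an empty Configuration when none
     * exists rather than failing.
     *
     * @param str the oauthProvider configuration PID
     * @return the provider's {@code id}, or {@code null} if ConfigurationAdmin is unavailable,
     *         the configuration has no properties, or the lookup throws IOException
     */
    private String getOauthProviderName(String str) {
        ConfigurationAdmin configAdmin = (ConfigurationAdmin) this.configAdminRef.getService();
        if (configAdmin == null) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "ConfigurationAdmin unavailable; cannot resolve oauthProviderRef", new Object[0]);
            }
            return null;
        }
        try {
            Dictionary<?, ?> properties = configAdmin.getConfiguration(str, (String) null).getProperties();
            return properties == null ? null : (String) properties.get("id");
        } catch (IOException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.server.internal.OidcServerConfigImpl", "491", this, new Object[]{str});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Invalid oauthProviderRef configuration", new Object[]{e});
            }
            return null;
        }
    }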

    /** @return the raw {@code oauthProviderRef} PID (not the provider's id); read under the read lock. */
    public String getOauthProviderPid() {
        String pid;
        this.readLock.lock();
        try {
            pid = this.oauthProviderRef;
        } finally {
            this.readLock.unlock();
        }
        return pid;
    }

    /**
     * @return the user identifier; populated from the {@code uniqueUserIdentifier} attribute
     *         (same source as {@link #getUniqueUserIdentifier}); read under the read lock
     */
    public String getUserIdentifier() {
        final ReentrantReadWriteLock.ReadLock lock = this.readLock;
        lock.lock();
        try {
            return this.userIdentifier;
        } finally {
            lock.unlock();
        }
    }

    /**
     * @return the issuer identifier after HTTPS validation, or {@code null} when it was rejected
     *         (see processIssuerIdentifier); read under the read lock
     */
    public String getIssuerIdentifier() {
        String issuer;
        this.readLock.lock();
        try {
            issuer = this.issuerIdentifier;
        } finally {
            this.readLock.unlock();
        }
        return issuer;
    }

    /** @return the {@code groupIdentifier} attribute; read under the read lock. */
    public String getGroupIdentifier() {
        final ReentrantReadWriteLock.ReadLock lock = this.readLock;
        lock.lock();
        try {
            return this.groupIdentifier;
        } finally {
            lock.unlock();
        }
    }

    /** @return the {@code customClaimsEnabled} flag; read under the read lock. */
    public boolean isCustomClaimsEnabled() {
        boolean enabled;
        this.readLock.lock();
        try {
            enabled = this.customClaimsEnabled;
        } finally {
            this.readLock.unlock();
        }
        return enabled;
    }

    /** @return the {@code jtiClaimEnabled} flag (whether tokens carry a jti claim); read under the read lock. */
    public boolean isJTIClaimEnabled() {
        final ReentrantReadWriteLock.ReadLock lock = this.readLock;
        lock.lock();
        try {
            return this.jtiClaimEnabled;
        } finally {
            lock.unlock();
        }
    }

    /** @return the {@code defaultScope} attribute; read under the read lock. */
    public String getDefaultScope() {
        String scope;
        this.readLock.lock();
        try {
            scope = this.defaultScope;
        } finally {
            this.readLock.unlock();
        }
        return scope;
    }

    /** @return the {@code externalClaimNames} attribute; read under the read lock. */
    public String getExternalClaimNames() {
        final ReentrantReadWriteLock.ReadLock lock = this.readLock;
        lock.lock();
        try {
            return this.externalClaimNames;
        } finally {
            lock.unlock();
        }
    }

    /**
     * @return the scope-to-claim mapping parsed from the {@code scopeToClaimMap} element.
     *         The live Properties object is returned, not a copy; read under the read lock.
     */
    public Properties getScopeToClaimMap() {
        Properties mapping;
        this.readLock.lock();
        try {
            mapping = this.scopeToClaimMap;
        } finally {
            this.readLock.unlock();
        }
        return mapping;
    }

    /**
     * @return the claim-to-registry-attribute mapping parsed from {@code claimToUserRegistryMap}.
     *         The live Properties object is returned, not a copy; read under the read lock.
     */
    public Properties getClaimToUserRegistryMap() {
        final ReentrantReadWriteLock.ReadLock lock = this.readLock;
        lock.lock();
        try {
            return this.claimToUserRegistryMap;
        } finally {
            lock.unlock();
        }
    }

    /** @return the configured {@code signatureAlgorithm} (e.g. RS256); read under the read lock. */
    public String getSignatureAlgorithm() {
        String alg;
        this.readLock.lock();
        try {
            alg = this.signatureAlgorithm;
        } finally {
            this.readLock.unlock();
        }
        return alg;
    }

    /** @return the {@code uniqueUserIdentifier} attribute; read under the read lock. */
    public String getUniqueUserIdentifier() {
        final ReentrantReadWriteLock.ReadLock lock = this.readLock;
        lock.lock();
        try {
            return this.uniqueUserIdentifier;
        } finally {
            lock.unlock();
        }
    }

    /** @return the {@code audience} attribute; read under the read lock. */
    public String getAudience() {
        String aud;
        this.readLock.lock();
        try {
            aud = this.audience;
        } finally {
            this.readLock.unlock();
        }
        return aud;
    }

    /** @return the {@code userIdentity} attribute; read under the read lock. */
    public String getUserIdentity() {
        final ReentrantReadWriteLock.ReadLock lock = this.readLock;
        lock.lock();
        try {
            return this.userIdentity;
        } finally {
            lock.unlock();
        }
    }

    /**
     * @return the {@code trustStoreRef} attribute. May be {@code null} until {@link #getPublicKey}
     *         has resolved it from the default SSL configuration; read under the read lock.
     */
    public String getTrustStoreRef() {
        String ref;
        this.readLock.lock();
        try {
            ref = this.trustStoreRef;
        } finally {
            this.readLock.unlock();
        }
        return ref;
    }

    /** @return the tracked SSLSupport service, or {@code null} if none is bound. */
    public SSLSupport getSSLSupportService() {
        SSLSupport sslSupport = (SSLSupport) this.sslSupportRef.getService();
        return sslSupport;
    }

    /**
     * Reads one property (e.g. {@code com.ibm.ssl.keyStoreName} or
     * {@code com.ibm.ssl.trustStoreName}) from the SSL configuration that {@link JSSEHelper}
     * returns for an empty alias and an inbound connection — presumably the server default
     * SSL config (confirm against JSSEHelper). The lookup runs in a privileged block.
     *
     * @param str the SSL property name to read
     * @return the property value, or {@code null} when no SSLSupport/JSSEHelper is available,
     *         the privileged lookup fails (recorded via FFDC), or the property is absent
     */
    public String getDefaultKeyStoreName(String str) {
        SSLSupport sslSupport = getSSLSupportService();
        if (sslSupport == null) {
            return null;
        }
        final JSSEHelper helper = sslSupport.getJSSEHelper();
        if (helper == null) {
            return null;
        }
        final HashMap connectionInfo = new HashMap();
        connectionInfo.put("com.ibm.ssl.direction", "inbound");
        Properties sslProps = null;
        try {
            Object result = AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                @Override
                public Object run() throws Exception {
                    return helper.getProperties("", connectionInfo, (SSLConfigChangeListener) null, true);
                }
            });
            sslProps = (Properties) result;
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.server.internal.OidcServerConfigImpl", "701", this, new Object[]{str});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting properties from jssehelper!!!", new Object[0]);
            }
        }
        if (sslProps == null) {
            return null;
        }
        String value = sslProps.getProperty(str);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            // Store names only; no key material is logged.
            Tr.debug(tc, "KeyStore name from default ssl config = " + value, new Object[0]);
        }
        return value;
    }

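    /**
     * Resolves the configured {@code keyStoreRef}. Only the default value {@code opKeyStore}
     * is special-cased: when no keystore with that id exists and the server has exactly one
     * keystore, the default SSL configuration's {@code com.ibm.ssl.keyStoreName} is used
     * instead. Any other value is returned unchanged.
     * <p>
     * Fix: a {@code null} attribute is returned as {@code null} (the original dereferenced it
     * and threw NPE); {@link #getPrivateKey} then resolves the default keystore lazily.
     *
     * @param str the raw keyStoreRef attribute, possibly {@code null}
     * @return the keystore id to use, possibly {@code null}
     */
    private String fixUpKeyStoreRef(String str) {
        if (!CFG_KEYSTORE_REF_DEFAULT.equals(str)) {
            return str;
        }
        if (keyStoreExists(str) || !onlyOneKeyStore()) {
            return str;
        }
        return getDefaultKeyStoreName("com.ibm.ssl.keyStoreName");
    }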

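    /**
     * Probes whether a keystore with the given id is known to the KeyStoreService.
     * A missing keystore is an expected outcome here, hence the FFDC suppression.
     * <p>
     * Fix: returns {@code false} instead of throwing NPE when no KeyStoreService is bound.
     *
     * @param str the keystore id
     * @return {@code true} if the service can resolve a location for it
     */
    @FFDCIgnore({KeyStoreException.class})
    private boolean keyStoreExists(String str) {
        KeyStoreService keyStoreService = (KeyStoreService) this.keyStoreServiceRef.getService();
        if (keyStoreService == null) {
            return false;
        }
        try {
            keyStoreService.getKeyStoreLocation(str);
            return true;
        } catch (KeyStoreException e) {
            return false;
        }
    }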

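    /**
     * @return {@code true} when the KeyStoreService reports exactly one keystore; {@code false}
     *         when it reports any other count or when no KeyStoreService is bound (the original
     *         threw NPE in the latter case)
     */
    private boolean onlyOneKeyStore() {
        KeyStoreService keyStoreService = (KeyStoreService) this.keyStoreServiceRef.getService();
        return keyStoreService != null && keyStoreService.getKeyStoreCount() == 1;
    }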

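    /**
     * Returns the OP's signing private key from the configured keystore. When
     * {@code keyAliasName} is set that alias is used (with a {@code null} key password —
     * presumably resolved by the KeyStoreService; confirm); otherwise the service picks the
     * key itself.
     * <p>
     * Fix: an unbound KeyStoreService now raises {@link KeyStoreException}, which callers
     * already handle, instead of an NPE.
     * <p>
     * NOTE(review): when {@code keyStoreRef} is {@code null} the resolved default is cached
     * into the field while only the read lock is held (a write under a read lock). Kept as in
     * the original.
     *
     * @return the private key
     * @throws KeyStoreException   if the keystore/key cannot be accessed or no KeyStoreService is bound
     * @throws CertificateException propagated from the KeyStoreService
     */
    @Sensitive
    public PrivateKey getPrivateKey() throws KeyStoreException, CertificateException {
        this.readLock.lock();
        try {
            KeyStoreService keyStoreService = (KeyStoreService) this.keyStoreServiceRef.getService();
            if (keyStoreService == null) {
                throw new KeyStoreException("KeyStoreService is not available");
            }
            if (this.keyStoreRef == null) {
                this.keyStoreRef = getDefaultKeyStoreName("com.ibm.ssl.keyStoreName");
            }
            if (this.keyAliasName != null) {
                return keyStoreService.getPrivateKeyFromKeyStore(this.keyStoreRef, this.keyAliasName, (String) null);
            }
            return keyStoreService.getPrivateKeyFromKeyStore(this.keyStoreRef);
        } finally {
            this.readLock.unlock();
        }
    }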

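    /**
     * Returns the public key used to verify RS256 signatures, taken from the configured
     * truststore.
     * <ul>
     * <li>Returns {@code null} unless a KeyStoreService is bound and {@code signatureAlgorithm}
     *     is {@code RS256}.</li>
     * <li>With an alias ({@code str != null}) that certificate's public key is returned.</li>
     * <li>Without an alias: if the truststore has no trusted-cert entries the service's
     *     single X509 certificate is used; exactly one trusted entry is used; more than one is
     *     ambiguous and yields {@code null} rather than guessing a signer.</li>
     * </ul>
     * Fix: the listing released the read lock on each return path <em>and</em> in
     * {@code finally}, i.e. a double unlock; the lock is now released exactly once.
     * Also {@code signatureAlgorithm == null} no longer NPEs.
     * <p>
     * NOTE(review): a {@code null} {@code trustStoreRef} is resolved and cached into the field
     * while only the read lock is held (write under read lock). Kept as in the original.
     *
     * @param str certificate alias, or {@code null} to auto-select
     * @return the public key, or {@code null} when it cannot be determined unambiguously
     * @throws KeyStoreException    propagated from the KeyStoreService
     * @throws CertificateException propagated from the KeyStoreService
     */
    @Sensitive
    public PublicKey getPublicKey(String str) throws KeyStoreException, CertificateException {
        this.readLock.lock();
        try {
            KeyStoreService keyStoreService = (KeyStoreService) this.keyStoreServiceRef.getService();
            if (keyStoreService == null || !"RS256".equals(this.signatureAlgorithm)) {
                return null;
            }
            if (this.trustStoreRef == null) {
                this.trustStoreRef = getDefaultKeyStoreName("com.ibm.ssl.trustStoreName");
            }
            if (str != null) {
                return keyStoreService.getCertificateFromKeyStore(this.trustStoreRef, str).getPublicKey();
            }
            Collection<?> trustedAliases = keyStoreService.getTrustedCertEntriesInKeyStore(this.trustStoreRef);
            X509Certificate cert;
            if (trustedAliases == null || trustedAliases.isEmpty()) {
                cert = keyStoreService.getX509CertificateFromKeyStore(this.trustStoreRef);
            } else if (trustedAliases.size() > 1) {
                // Ambiguous: do not guess which trusted certificate belongs to the signer.
                return null;
            } else {
                cert = keyStoreService.getX509CertificateFromKeyStore(this.trustStoreRef, (String) trustedAliases.iterator().next());
            }
            return cert == null ? null : cert.getPublicKey();
        } finally {
            this.readLock.unlock();
        }
    }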

    /**
     * Best-effort lookup of the X.509 public key from the configured keystore.
     * <p>
     * Keystore selection: when {@code keyStoreRef} equals
     * {@code CFG_KEYSTORE_REF_DEFAULT} but no keystore of that name is registered
     * with the KeyStoreService, the reference is discarded. A discarded or absent
     * reference then falls back to the single registered keystore, if there is
     * exactly one; otherwise no lookup is attempted. The certificate is fetched
     * by {@code keyAliasName} when one is configured, else the KeyStoreService
     * chooses.
     * <p>
     * KeyStoreException and CertificateException are swallowed (and kept out of
     * FFDC) and yield {@code null}; any other Throwable propagates. The read lock
     * is always released.
     *
     * @return the public key, or {@code null} if it could not be determined
     */
    @FFDCIgnore({KeyStoreException.class, CertificateException.class})
    @Sensitive
    public PublicKey getX509PublicKey() {
        this.readLock.lock();
        try {
            KeyStoreService keyStoreService = (KeyStoreService) this.keyStoreServiceRef.getService();
            if (keyStoreService == null) {
                return null;
            }
            String[] aliases = keyStoreService.getAllKeyStoreAliases();
            String storeName = this.keyStoreRef;
            if (storeName != null && storeName.equals(CFG_KEYSTORE_REF_DEFAULT)) {
                boolean registered = false;
                for (String alias : aliases) {
                    if (alias.equals(storeName)) {
                        registered = true;
                        break;
                    }
                }
                if (!registered) {
                    storeName = null;
                }
            }
            if (storeName == null && aliases.length == 1) {
                storeName = aliases[0];
            }
            if (storeName == null) {
                return null;
            }
            X509Certificate cert = this.keyAliasName == null
                    ? keyStoreService.getX509CertificateFromKeyStore(storeName)
                    : keyStoreService.getX509CertificateFromKeyStore(storeName, this.keyAliasName);
            return cert == null ? null : cert.getPublicKey();
        } catch (KeyStoreException | CertificateException ignored) {
            // Deliberately best-effort: callers treat null as "no X.509 key available".
            return null;
        } finally {
            this.readLock.unlock();
        }
    }

    /** Returns the {@code sessionManaged} setting, read while holding the read lock. */
    public boolean isSessionManaged() {
        this.readLock.lock();
        boolean value;
        try {
            value = this.sessionManaged;
        } finally {
            this.readLock.unlock();
        }
        return value;
    }

    /** Returns the configured ID token lifetime, read while holding the read lock. */
    public long getIdTokenLifetime() {
        this.readLock.lock();
        long lifetime;
        try {
            lifetime = this.idTokenLifetime;
        } finally {
            this.readLock.unlock();
        }
        return lifetime;
    }

    /** Returns the check_session_iframe endpoint URL, read while holding the read lock. */
    public String getCheckSessionIframeEndpointUrl() {
        this.readLock.lock();
        String url;
        try {
            url = this.checkSessionIframeEndpointUrl;
        } finally {
            this.readLock.unlock();
        }
        return url;
    }

    /**
     * Returns a copy of the supported response types. The array is cloned so a
     * caller cannot mutate the configuration in place.
     */
    public String[] getResponseTypesSupported() {
        this.readLock.lock();
        try {
            String[] configured = this.responseTypesSupported;
            return configured.clone();
        } finally {
            this.readLock.unlock();
        }
    }

    /**
     * Returns a copy of the supported subject types. The array is cloned so a
     * caller cannot mutate the configuration in place.
     */
    public String[] getSubjectTypesSupported() {
        this.readLock.lock();
        try {
            String[] configured = this.subjectTypesSupported;
            return configured.clone();
        } finally {
            this.readLock.unlock();
        }
    }

    /** Returns the advertised ID token signing algorithm value(s), read under the read lock. */
    public String getIdTokenSigningAlgValuesSupported() {
        this.readLock.lock();
        String algs;
        try {
            algs = this.idTokenSigningAlgValuesSupported;
        } finally {
            this.readLock.unlock();
        }
        return algs;
    }

    /**
     * Returns a copy of the supported scopes. The array is cloned so a caller
     * cannot mutate the configuration in place.
     */
    public String[] getScopesSupported() {
        this.readLock.lock();
        try {
            String[] configured = this.scopesSupported;
            return configured.clone();
        } finally {
            this.readLock.unlock();
        }
    }

    /**
     * Returns a copy of the supported claims. The array is cloned so a caller
     * cannot mutate the configuration in place.
     */
    public String[] getClaimsSupported() {
        this.readLock.lock();
        try {
            String[] configured = this.claimsSupported;
            return configured.clone();
        } finally {
            this.readLock.unlock();
        }
    }

    /**
     * Returns a copy of the supported response modes. The array is cloned so a
     * caller cannot mutate the configuration in place.
     */
    public String[] getResponseModesSupported() {
        this.readLock.lock();
        try {
            String[] configured = this.responseModesSupported;
            return configured.clone();
        } finally {
            this.readLock.unlock();
        }
    }

    /**
     * Returns a copy of the supported grant types. The array is cloned so a
     * caller cannot mutate the configuration in place.
     */
    public String[] getGrantTypesSupported() {
        this.readLock.lock();
        try {
            String[] configured = this.grantTypesSupported;
            return configured.clone();
        } finally {
            this.readLock.unlock();
        }
    }

    /**
     * Returns a copy of the supported token endpoint authentication methods. The
     * array is cloned so a caller cannot mutate the configuration in place.
     */
    public String[] getTokenEndpointAuthMethodsSupported() {
        this.readLock.lock();
        try {
            String[] configured = this.tokenEndpointAuthMethodsSupported;
            return configured.clone();
        } finally {
            this.readLock.unlock();
        }
    }

    /**
     * Returns a copy of the supported display values. The array is cloned so a
     * caller cannot mutate the configuration in place.
     */
    public String[] getDisplayValuesSupported() {
        this.readLock.lock();
        try {
            String[] configured = this.displayValuesSupported;
            return configured.clone();
        } finally {
            this.readLock.unlock();
        }
    }

    /**
     * Returns a copy of the supported claim types. The array is cloned so a
     * caller cannot mutate the configuration in place.
     */
    public String[] getClaimTypesSupported() {
        this.readLock.lock();
        try {
            String[] configured = this.claimTypesSupported;
            return configured.clone();
        } finally {
            this.readLock.unlock();
        }
    }

    /** Whether the {@code claims} request parameter is supported, read under the read lock. */
    public boolean isClaimsParameterSupported() {
        this.readLock.lock();
        boolean supported;
        try {
            supported = this.claimsParameterSupported;
        } finally {
            this.readLock.unlock();
        }
        return supported;
    }

    /** Whether the {@code request} parameter is supported, read under the read lock. */
    public boolean isRequestParameterSupported() {
        this.readLock.lock();
        boolean supported;
        try {
            supported = this.requestParameterSupported;
        } finally {
            this.readLock.unlock();
        }
        return supported;
    }

    /** Whether the {@code request_uri} parameter is supported, read under the read lock. */
    public boolean isRequestUriParameterSupported() {
        this.readLock.lock();
        boolean supported;
        try {
            supported = this.requestUriParameterSupported;
        } finally {
            this.readLock.unlock();
        }
        return supported;
    }

    /** Whether request_uri values must be pre-registered, read under the read lock. */
    public boolean isRequireRequestUriRegistration() {
        this.readLock.lock();
        boolean required;
        try {
            required = this.requireRequestUriRegistration;
        } finally {
            this.readLock.unlock();
        }
        return required;
    }

    /** Returns the backing IdP URI prefix, read under the read lock. */
    public String getBackingIdpUriPrefix() {
        this.readLock.lock();
        String prefix;
        try {
            prefix = this.backingIdpUriPrefix;
        } finally {
            this.readLock.unlock();
        }
        return prefix;
    }

    /** Returns the auth proxy endpoint URL, read under the read lock. */
    public String getAuthProxyEndpointUrl() {
        this.readLock.lock();
        String url;
        try {
            url = this.authProxyEndpointUrl;
        } finally {
            this.readLock.unlock();
        }
        return url;
    }

    /**
     * Returns the configured keystore reference, read under the read lock. May be
     * {@code null} until a key lookup resolves and caches the default name.
     */
    public String getKeyStoreRef() {
        this.readLock.lock();
        String ref;
        try {
            ref = this.keyStoreRef;
        } finally {
            this.readLock.unlock();
        }
        return ref;
    }

    /** Returns the configured signing key alias (may be {@code null}), read under the read lock. */
    public String getKeyAliasName() {
        this.readLock.lock();
        String alias;
        try {
            alias = this.keyAliasName;
        } finally {
            this.readLock.unlock();
        }
        return alias;
    }

    /**
     * Returns the compiled pattern for protected endpoints.
     * <p>
     * NOTE(review): not guarded by {@code readLock}, unlike the getters above -
     * presumably the field is only assigned during (re)configuration; confirm
     * against the writer side.
     */
    public Pattern getProtectedEndpointsPattern() {
        Pattern protectedPattern = this.patternProtectedEndpoints;
        return protectedPattern;
    }

    /**
     * Returns the compiled pattern matching every OIDC endpoint of this provider.
     * <p>
     * NOTE(review): read without {@code readLock}; confirm the field is only
     * assigned during (re)configuration.
     */
    public Pattern getEndpointsPattern() {
        Pattern endpointsPattern = this.patternOidcEndpoints;
        return endpointsPattern;
    }

    /**
     * Returns the compiled pattern for the session-management paths
     * ({@code end_session}, {@code check_session_iframe}).
     * <p>
     * NOTE(review): read without {@code readLock}; confirm the field is only
     * assigned during (re)configuration.
     */
    public Pattern getNonEndpointsPattern() {
        Pattern nonEndpointsPattern = this.patternNonOidcEndpoints;
        return nonEndpointsPattern;
    }

    /** Whether the {@code openid} scope is required to call the userinfo endpoint (read without a lock). */
    public boolean isOpenidScopeRequiredForUserInfo() {
        boolean required = this.requireOpenidScopeForUserInfo;
        return required;
    }

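    /**
     * Builds the endpoint-matching regex for this provider from a
     * space-separated list of endpoint names.
     * <p>
     * The resulting pattern is
     * {@code /oidc/(endpoint|providers)/<providerId>/(<ep1>|<ep1>/.*|<ep2>|...)}.
     * Every endpoint except {@code authorize} also matches with a trailing
     * sub-path ({@code <ep>/.*}); {@code authorize} only matches exactly.
     * <p>
     * The provider id and each endpoint name are inserted as literals via
     * {@link Pattern#quote(String)}. Previously they were concatenated raw, so a
     * value containing regex metacharacters (for example {@code a.b} or
     * {@code a|b}) silently widened what the pattern matched - undesirable for a
     * pattern that decides which URLs are treated as protected endpoints.
     * A {@code null} provider id is still rendered as the text {@code null}, as
     * before.
     *
     * @param str space-separated endpoint names; must not be {@code null}
     * @return the compiled pattern
     */
    private Pattern handleNewPattern(String str) {
        StringBuilder regex = new StringBuilder("/oidc/(endpoint|providers)/")
                .append(Pattern.quote(String.valueOf(this.providerId)))
                .append("/(");
        StringTokenizer tokens = new StringTokenizer(str, " ");
        boolean first = true;
        while (tokens.hasMoreTokens()) {
            String endpoint = tokens.nextToken();
            if (!first) {
                regex.append('|');
            }
            String literal = Pattern.quote(endpoint);
            if ("authorize".equals(endpoint)) {
                regex.append(literal);
            } else {
                regex.append(literal).append('|').append(literal).append("/.*");
            }
            first = false;
        }
        regex.append(')');
        String pattern = regex.toString();
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Pattern:" + pattern, new Object[0]);
        }
        return Pattern.compile(pattern);
    }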

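    /**
     * Builds the regex matching every path under this provider:
     * {@code /oidc/(endpoint|providers)/<providerId>/.*}.
     * <p>
     * The provider id is inserted as a literal via {@link Pattern#quote(String)}
     * so metacharacters in the configured id cannot change what the pattern
     * matches; a {@code null} id is still rendered as the text {@code null}.
     *
     * @return the compiled pattern
     */
    private Pattern handleOidcPattern() {
        String pattern = "/oidc/(endpoint|providers)/" + Pattern.quote(String.valueOf(this.providerId)) + "/.*";
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Pattern:" + pattern, new Object[0]);
        }
        return Pattern.compile(pattern);
    }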

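    /**
     * Builds the regex for the session-management paths of this provider:
     * {@code /oidc/(endpoint|providers)/<providerId>/(end_session|check_session_iframe)}.
     * <p>
     * The provider id is inserted as a literal via {@link Pattern#quote(String)}
     * so metacharacters in the configured id cannot change what the pattern
     * matches; a {@code null} id is still rendered as the text {@code null}.
     *
     * @return the compiled pattern
     */
    private Pattern handleNonOidcPattern() {
        String pattern = "/oidc/(endpoint|providers)/" + Pattern.quote(String.valueOf(this.providerId)) + "/(end_session|check_session_iframe)";
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Non Pattern:" + pattern, new Object[0]);
        }
        return Pattern.compile(pattern);
    }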

    /** Whether JWK-based signing (a generated, rotating key) is enabled; read without a lock. */
    public boolean isJwkEnabled() {
        boolean enabled = this.jwkEnabled;
        return enabled;
    }

    /**
     * (Re)creates the JWK provider from the current configuration.
     * <p>
     * When JWK is enabled a fresh {@link JWKProvider} is built from the signing
     * key size, signature algorithm and rotation time; otherwise the provider is
     * cleared so that the X.509-backed fallback is used on demand.
     */
    private void buildJwk() {
        boolean enabled = this.jwkEnabled;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "buildJwk: jwkEnabled=" + enabled, new Object[0]);
        }
        this.jwkProvider = enabled
                ? new JWKProvider(this.jwkSigningKeySize, this.signatureAlgorithm, this.jwkRotationTime)
                : null;
    }

    /**
     * Returns the JWK Set JSON published by this provider.
     * <p>
     * With JWK enabled the configured provider is used directly (it is expected
     * to have been created by {@code buildJwk}; a missing provider surfaces as a
     * NullPointerException). Otherwise an X.509-backed provider is built from
     * the keystore on every call and stored in {@code jwkProvider}; if no key
     * material is available a warning is logged and {@code null} is returned.
     * <p>
     * NOTE(review): the fallback assigns {@code jwkProvider} without any lock;
     * concurrent callers each build their own provider, which is wasteful but
     * looks harmless since every call recomputes it - confirm.
     *
     * @return the JWK Set as a JSON string, or {@code null} if none is available
     */
    public String getJwkJsonString() {
        JWKProvider provider;
        if (isJwkEnabled()) {
            provider = this.jwkProvider;
        } else {
            provider = getJwkProviderWithX509();
            this.jwkProvider = provider;
            if (provider == null) {
                Tr.warning(tc, "OIDC_SERVER_JWK_NOT_AVAILABLE", new Object[0]);
                return null;
            }
        }
        return provider.getJwkSetString();
    }

    /**
     * Returns the current signing JWK.
     * <p>
     * Mirrors {@code getJwkJsonString}: the configured provider is used when JWK
     * is enabled, otherwise an X.509-backed provider is built from the keystore
     * on each call and stored in {@code jwkProvider}. Returns {@code null}
     * (without logging) when no key material is available.
     *
     * @return the JWK, or {@code null} if none is available
     */
    public JSONWebKey getJSONWebKey() {
        JWKProvider provider;
        if (isJwkEnabled()) {
            provider = this.jwkProvider;
        } else {
            provider = getJwkProviderWithX509();
            this.jwkProvider = provider;
            if (provider == null) {
                return null;
            }
        }
        return provider.getJWK();
    }

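    /**
     * Builds a JWK provider backed by the X.509 key pair from the keystore.
     * <p>
     * Only applies to {@code RS256}; any other algorithm yields {@code null}.
     * The public key comes from {@link #getX509PublicKey()} and the private key
     * from {@link #getPrivateKey()}. KeyStoreException and CertificateException
     * are kept out of FFDC and result in a {@code null} provider; they are now
     * recorded in debug trace so an empty JWKS can be diagnosed instead of
     * failing silently.
     * <p>
     * NOTE(review): as before, a provider is built whenever a public key was
     * found, even if the private key lookup failed or returned {@code null};
     * whether {@link JWKProvider} can operate without a private key is not
     * visible here - confirm.
     *
     * @return the provider, or {@code null} if no public key could be obtained
     */
    @FFDCIgnore({KeyStoreException.class, CertificateException.class})
    private JWKProvider getJwkProviderWithX509() {
        if (!"RS256".equals(this.signatureAlgorithm)) {
            return null;
        }
        PublicKey publicKey = null;
        PrivateKey privateKey = null;
        try {
            publicKey = getX509PublicKey();
            privateKey = getPrivateKey();
        } catch (KeyStoreException | CertificateException e) {
            // Best-effort by design, but leave a trace so a missing JWKS is diagnosable.
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "getJwkProviderWithX509: keystore lookup failed, no X.509-backed JWK: " + e, new Object[0]);
            }
        }
        if (publicKey == null) {
            return null;
        }
        return new JWKProvider(this.jwkSigningKeySize, this.signatureAlgorithm, this.jwkRotationTime, publicKey, privateKey);
    }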

    /** Returns the configured JWK rotation time; read without a lock. */
    public long getJwkRotationTime() {
        long rotation = this.jwkRotationTime;
        return rotation;
    }

    /** Returns the configured JWK signing key size; read without a lock. */
    public int getJwkSigningKeySize() {
        int keySize = this.jwkSigningKeySize;
        return keySize;
    }

    /**
     * Returns a defensive copy of the configured custom claim names, so callers
     * cannot alter the configuration through the returned set.
     */
    public Set<String> getCustomClaims() {
        Set<String> copy = new HashSet<>(this.customClaims);
        return copy;
    }

    /** Whether the default SSO cookie name (LtpaToken2) is accepted; backed by {@code allowLtpaToken2Name}. */
    public boolean allowDefaultSsoCookieName() {
        boolean allowed = this.allowLtpaToken2Name;
        return allowed;
    }

    /**
     * Trims a configuration value, mapping {@code null} and blank strings to
     * {@code null}.
     * <p>
     * The input and the result are written to debug trace; callers should not
     * pass secrets through this helper.
     *
     * @param str the raw value, may be {@code null}
     * @return the trimmed value, or {@code null} if it was {@code null} or blank
     */
    @Trivial
    String trimIt(String str) {
        if (str == null) {
            return null;
        }
        String trimmed = str.trim();
        String result = trimmed.isEmpty() ? null : trimmed;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "trimIt(" + str + ") returns [" + result + "]", new Object[0]);
        }
        return result;
    }

    /** Whether issued ID tokens are cached; read without a lock. */
    public boolean cacheIDToken() {
        boolean cache = this.cacheIDToken;
        return cache;
    }

    /** Returns the per-endpoint settings object; read without a lock. */
    public OidcEndpointSettings getOidcEndpointSettings() {
        OidcEndpointSettings settings = this.oidcEndpointSettings;
        return settings;
    }

    // Claims that are always part of the default custom-claim set:
    // realm name, unique security name and group ids.
    static {
        defaultCustomClaims.add(ServerConstants.REALM_NAME);
        defaultCustomClaims.add(ServerConstants.UNIQUE_SECURITY_NAME);
        defaultCustomClaims.add(ServerConstants.GROUPS_ID);
    }
}
