package org.wso2.is.key.manager.tokenpersistence.issuer;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Date;
import java.util.TimeZone;
import java.util.UUID;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.model.RefreshTokenValidationDataDO;
import org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.is.key.manager.tokenpersistence.PersistenceConstants;

/* loaded from: input_file:org/wso2/is/key/manager/tokenpersistence/issuer/ExtendedJWTTokenIssuer.class */
/**
 * {@link JWTTokenIssuer} extension that issues refresh tokens as JWTs rather than as opaque
 * strings. All refresh-token claims are assembled in
 * {@link #createJWTClaimSetForRefreshTokens(OAuthAuthzReqMessageContext, OAuthTokenReqMessageContext, String)};
 * the two {@code buildJWTTokenForRefreshTokens} overloads then either sign the claim set through
 * the inherited {@code signJWT} or, when the configured signature algorithm is {@code none}, emit an
 * unsigned {@link PlainJWT}.
 * <p>
 * This listing is decompiled output (see the {@code loaded from} marker above the class): local
 * names such as {@code str}, {@code j} and {@code l} are decompiler artefacts, not the original
 * identifiers.
 */
public class ExtendedJWTTokenIssuer extends JWTTokenIssuer {
    private static final Log log = LogFactory.getLog(ExtendedJWTTokenIssuer.class);
    // Resolved once per issuer instance from the server-wide signature algorithm setting via the
    // inherited mapSignatureAlgorithm(). Compared by name against JWSAlgorithm.NONE below to decide
    // whether a refresh token is signed or serialized as an unsigned PlainJWT.
    private final Algorithm signatureAlgorithm = mapSignatureAlgorithm(OAuthServerConfiguration.getInstance().getSignatureAlgorithm());

    /**
     * Issues a JWT refresh token for an authorization-request flow.
     *
     * @param oAuthAuthzReqMessageContext authorization request context; its DTO supplies the
     *                                    consumer key, tenant domain and authenticated user
     * @return the serialized refresh token JWT
     * @throws OAuthSystemException wrapping any {@link IdentityOAuth2Exception} raised while the
     *                              token is built or signed
     */
    public String refreshToken(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws OAuthSystemException {
        if (log.isDebugEnabled()) {
            log.debug("Refresh token request with authorization request message context message context. Authorized user " + oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getUser().getLoggableUserId());
        }
        try {
            return buildJWTTokenForRefreshTokens(oAuthAuthzReqMessageContext);
        } catch (IdentityOAuth2Exception e) {
            throw new OAuthSystemException(e);
        }
    }

    /**
     * Issues a JWT refresh token for a token-request flow, but only when server configuration
     * permits refresh tokens for the request's grant type.
     *
     * @param oAuthTokenReqMessageContext token request context; supplies the grant type, client id,
     *                                    tenant domain, scopes and authorized user
     * @return the serialized refresh token JWT, or {@code null} when refresh tokens are not allowed
     *         for the grant type (callers must handle the null)
     * @throws OAuthSystemException wrapping any {@link IdentityOAuth2Exception} raised while the
     *                              token is built or signed
     */
    public String refreshToken(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws OAuthSystemException {
        if (log.isDebugEnabled()) {
            log.debug("Refresh token request with token request message context. Authorized user " + oAuthTokenReqMessageContext.getAuthorizedUser().getLoggableUserId());
        }
        try {
            // Grant-type gate: e.g. grants configured without refresh tokens get none issued.
            if (OAuthServerConfiguration.getInstance().getValueForIsRefreshTokenAllowed(oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getGrantType())) {
                return buildJWTTokenForRefreshTokens(oAuthTokenReqMessageContext);
            }
            return null;
        } catch (IdentityOAuth2Exception e) {
            throw new OAuthSystemException(e);
        }
    }

    /**
     * Builds and serializes the refresh token JWT for the authorization-request flow.
     *
     * @param oAuthAuthzReqMessageContext authorization request context (consumer key and approved
     *                                    scopes are read from it)
     * @return the serialized JWT: signed via the inherited {@code signJWT}, or an unsigned
     *         {@link PlainJWT} when the configured algorithm is {@code none}
     * @throws IdentityOAuth2Exception if the claim set cannot be built or signing fails
     */
    protected String buildJWTTokenForRefreshTokens(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws IdentityOAuth2Exception {
        // Start from the fully populated claim set (issuer, subject, audience, times, ...).
        JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder(createJWTClaimSetForRefreshTokens(oAuthAuthzReqMessageContext, null, oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getConsumerKey()));
        // If the approved scopes contain the AUDIENCE marker value, the whole approved-scope list
        // replaces the audience claim that createJWTClaimSetForRefreshTokens derived from the
        // application's OIDC audiences.
        if (oAuthAuthzReqMessageContext.getApprovedScope() != null && Arrays.asList(oAuthAuthzReqMessageContext.getApprovedScope()).contains(PersistenceConstants.JWTClaim.AUDIENCE)) {
            builder.audience(Arrays.asList(oAuthAuthzReqMessageContext.getApprovedScope()));
        }
        JWTClaimsSet build = builder.build();
        // Algorithm "none" is detected by name; the resulting PlainJWT carries no signature, so a
        // consumer cannot verify its integrity cryptographically.
        return JWSAlgorithm.NONE.getName().equals(this.signatureAlgorithm.getName()) ? new PlainJWT(build).serialize() : signJWT(build, null, oAuthAuthzReqMessageContext);
    }

    /**
     * Builds and serializes the refresh token JWT for the token-request flow.
     *
     * @param oAuthTokenReqMessageContext token request context (client id and requested scopes are
     *                                    read from it)
     * @return the serialized JWT: signed via the inherited {@code signJWT}, or an unsigned
     *         {@link PlainJWT} when the configured algorithm is {@code none}
     * @throws IdentityOAuth2Exception if the claim set cannot be built or signing fails
     */
    protected String buildJWTTokenForRefreshTokens(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        // Start from the fully populated claim set (issuer, subject, audience, times, ...).
        JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder(createJWTClaimSetForRefreshTokens(null, oAuthTokenReqMessageContext, oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId()));
        // Same audience override as the authorization-flow overload: a scope list containing the
        // AUDIENCE marker value replaces the OIDC-derived audience claim wholesale.
        if (oAuthTokenReqMessageContext.getScope() != null && Arrays.asList(oAuthTokenReqMessageContext.getScope()).contains(PersistenceConstants.JWTClaim.AUDIENCE)) {
            builder.audience(Arrays.asList(oAuthTokenReqMessageContext.getScope()));
        }
        JWTClaimsSet build = builder.build();
        // Algorithm "none" is detected by name; the resulting PlainJWT carries no signature.
        return JWSAlgorithm.NONE.getName().equals(this.signatureAlgorithm.getName()) ? new PlainJWT(build).serialize() : signJWT(build, oAuthTokenReqMessageContext, null);
    }

    /**
     * Assembles the claim set of a refresh token. Exactly one of the two contexts is expected to be
     * non-null; the authorization context takes precedence for tenant and user lookup, and the
     * token context is dereferenced when the authorization context is null (both null yields an
     * NPE).
     * <p>
     * Claims set here: issuer (from the tenant's ID-token issuer), subject, the
     * {@code AUTHORIZATION_PARTY} and {@code CLIENT_ID} claims (both the client id), issue time,
     * expiration time, a random {@code jti}, the scope string when non-empty, the token-type marker
     * {@code REFRESH_TOKEN}, the application's OIDC audiences, and whatever the inherited
     * {@code setClaimsForNonPersistence} adds.
     *
     * @param oAuthAuthzReqMessageContext authorization request context, or {@code null}
     * @param oAuthTokenReqMessageContext token request context, or {@code null}
     * @param str                         client id (consumer key) of the requesting application
     * @return the built claim set
     * @throws IdentityOAuth2Exception if no app is registered for the client id, or if the
     *                                 authenticated user cannot be resolved
     */
    protected JWTClaimsSet createJWTClaimSetForRefreshTokens(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, OAuthTokenReqMessageContext oAuthTokenReqMessageContext, String str) throws IdentityOAuth2Exception {
        try {
            // Tenant comes from whichever context is present (authorization flow first).
            String tenantDomain = oAuthAuthzReqMessageContext != null ? oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getTenantDomain() : oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain();
            OAuthAppDO appInformationByClientId = OAuth2Util.getAppInformationByClientId(str);
            String idTokenIssuer = OAuth2Util.getIdTokenIssuer(tenantDomain);
            AuthenticatedUser authenticatedUser = getAuthenticatedUser(oAuthAuthzReqMessageContext, oAuthTokenReqMessageContext);
            String subjectClaim = getSubjectClaim(authenticatedUser);
            JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder();
            builder.issuer(idTokenIssuer);
            builder.subject(subjectClaim);
            builder.claim(PersistenceConstants.JWTClaim.AUTHORIZATION_PARTY, str);
            // Lifetime resolution differs per flow: only the token flow can inherit the previous
            // refresh token's validity period (renewal without extension).
            long refreshTokenLifeTimeInMillis = oAuthTokenReqMessageContext != null ? getRefreshTokenLifeTimeInMillis(appInformationByClientId, oAuthTokenReqMessageContext) : getRefreshTokenLifeTimeInMillis(appInformationByClientId, oAuthAuthzReqMessageContext);
            // "now" as UTC epoch milliseconds.
            long timeInMillis = Calendar.getInstance(TimeZone.getTimeZone(PersistenceConstants.UTC)).getTimeInMillis();
            // iat may be the previous token's issue time (renewal without extension), but exp is
            // always computed from the current time below.
            builder.issueTime(getRefreshTokenIssuedTime(oAuthTokenReqMessageContext, appInformationByClientId, new Date(timeInMillis)));
            // NOTE(review): exp = now + lifetime, not iat + lifetime. If
            // RefreshTokenValidationDataDO.getValidityPeriodInMillis() is the previous token's full
            // validity period rather than its remaining time, a renewed token's expiry is pushed
            // forward even when isExtendRenewedTokenExpiryTimeEnabled() is false -- confirm against
            // the DAO that populates that value.
            builder.expirationTime(calculateRefreshTokenExpiryTime(Long.valueOf(refreshTokenLifeTimeInMillis), Long.valueOf(timeInMillis)));
            builder.jwtID(UUID.randomUUID().toString());
            builder.claim(PersistenceConstants.JWTClaim.CLIENT_ID, str);
            String scope = getScope(oAuthAuthzReqMessageContext, oAuthTokenReqMessageContext, subjectClaim);
            if (StringUtils.isNotEmpty(scope)) {
                builder.claim(PersistenceConstants.JWTClaim.SCOPE, scope);
            }
            // Marks the JWT as a refresh token so validators can distinguish it from access tokens.
            builder.claim(PersistenceConstants.JWTClaim.TOKEN_TYPE_ELEM, PersistenceConstants.REFRESH_TOKEN);
            builder.audience(OAuth2Util.getOIDCAudience(str, appInformationByClientId));
            // Inherited hook; adds the claims the non-persistent token model needs. Its contents are
            // not visible here.
            setClaimsForNonPersistence(builder, oAuthAuthzReqMessageContext, oAuthTokenReqMessageContext, authenticatedUser, appInformationByClientId);
            return builder.build();
        } catch (InvalidOAuthClientException e) {
            throw new IdentityOAuth2Exception("Error while retrieving app information for clientId: " + str, e);
        }
    }

    /**
     * Resolves the configured refresh token lifetime in milliseconds: the application-specific
     * expiry time when it is non-zero, otherwise the server-wide validity period. Both sources are
     * in seconds and multiplied by 1000 here; the local {@code refreshTokenValidityPeriodInSeconds}
     * therefore actually holds milliseconds (decompiler naming).
     *
     * @param oAuthAppDO application whose settings are consulted
     * @return lifetime in milliseconds (negative if the underlying configuration value is negative)
     */
    private long getRefreshTokenLifeTimeInMillisFromConfig(OAuthAppDO oAuthAppDO) {
        long refreshTokenValidityPeriodInSeconds;
        String oauthConsumerKey = oAuthAppDO.getOauthConsumerKey();
        // Only an exact 0 means "not set at app level"; any other value, including a negative one,
        // is taken as the app's configured lifetime.
        if (oAuthAppDO.getRefreshTokenExpiryTime() != 0) {
            refreshTokenValidityPeriodInSeconds = oAuthAppDO.getRefreshTokenExpiryTime() * 1000;
            if (log.isDebugEnabled()) {
                log.debug("OAuth application id : " + oauthConsumerKey + ", refresh token validity time " + refreshTokenValidityPeriodInSeconds + "ms");
            }
        } else {
            refreshTokenValidityPeriodInSeconds = OAuthServerConfiguration.getInstance().getRefreshTokenValidityPeriodInSeconds() * 1000;
        }
        return refreshTokenValidityPeriodInSeconds;
    }

    /**
     * Resolves the refresh token lifetime for the token-request flow, in order of precedence:
     * <ol>
     *   <li>a positive validity period set on the request context (seconds, converted to ms);</li>
     *   <li>the previous refresh token's validity period, when a {@code PREV_ACCESS_TOKEN} property
     *       is present, renewal is enabled for the app and expiry extension is disabled;</li>
     *   <li>the application/server configuration via
     *       {@link #getRefreshTokenLifeTimeInMillisFromConfig(OAuthAppDO)}, used whenever the
     *       result so far is exactly 0.</li>
     * </ol>
     *
     * @param oAuthAppDO                  application whose renewal and expiry settings are consulted
     * @param oAuthTokenReqMessageContext token request context carrying the optional validity period
     *                                    and previous-token property
     * @return lifetime in milliseconds
     */
    private long getRefreshTokenLifeTimeInMillis(OAuthAppDO oAuthAppDO, OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        String oauthConsumerKey = oAuthAppDO.getOauthConsumerKey();
        long j = 0;
        long refreshTokenvalidityPeriod = oAuthTokenReqMessageContext.getRefreshTokenvalidityPeriod();
        if (refreshTokenvalidityPeriod > 0) {
            j = refreshTokenvalidityPeriod * 1000;
            if (log.isDebugEnabled()) {
                log.debug("OAuth application id : " + oauthConsumerKey + ", using refresh token validity period configured from OAuthTokenReqMessageContext: " + j + " ms");
            }
        } else if (oAuthTokenReqMessageContext.getProperty(PersistenceConstants.PREV_ACCESS_TOKEN) != null) {
            // Unchecked cast: the property is assumed to hold a RefreshTokenValidationDataDO; a
            // different type here would surface as a ClassCastException.
            RefreshTokenValidationDataDO refreshTokenValidationDataDO = (RefreshTokenValidationDataDO) oAuthTokenReqMessageContext.getProperty(PersistenceConstants.PREV_ACCESS_TOKEN);
            // Renewal without extension: reuse the previous token's validity period.
            if (isRenewRefreshToken(oAuthAppDO.getRenewRefreshTokenEnabled()) && !OAuthServerConfiguration.getInstance().isExtendRenewedTokenExpiryTimeEnabled()) {
                j = refreshTokenValidationDataDO.getValidityPeriodInMillis();
            }
        }
        // A previous-token period of exactly 0 also falls through to configuration here.
        if (j == 0) {
            j = getRefreshTokenLifeTimeInMillisFromConfig(oAuthAppDO);
        }
        if (log.isDebugEnabled()) {
            log.debug("JWT Self Signed Refresh Token Life time set to : " + j + "ms.");
        }
        return j;
    }

    /**
     * Resolves the refresh token lifetime for the authorization-request flow: a positive validity
     * period on the context (seconds, converted to ms), otherwise the application/server
     * configuration. There is no previous-token branch in this flow.
     *
     * @param oAuthAppDO                  application whose configuration is consulted
     * @param oAuthAuthzReqMessageContext authorization request context
     * @return lifetime in milliseconds
     */
    private long getRefreshTokenLifeTimeInMillis(OAuthAppDO oAuthAppDO, OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) {
        long j = 0;
        if (oAuthAuthzReqMessageContext.getRefreshTokenvalidityPeriod() > 0) {
            j = oAuthAuthzReqMessageContext.getRefreshTokenvalidityPeriod() * 1000;
            if (log.isDebugEnabled()) {
                log.debug("OAuth application id : " + oAuthAppDO.getOauthConsumerKey() + ", using refresh token validity period configured from OAuthAuthzReqMessageContext: " + j + " ms");
            }
        }
        if (j == 0) {
            j = getRefreshTokenLifeTimeInMillisFromConfig(oAuthAppDO);
        }
        if (log.isDebugEnabled()) {
            log.debug("JWT Self Signed Refresh Token Life time set to : " + j + "ms.");
        }
        return j;
    }

    /**
     * Chooses the {@code iat} value. In the token-request flow, when a previous token is attached
     * to the context, renewal is enabled for the app and expiry extension is disabled, the previous
     * token's issue time is carried over; in every other case (including a null previous issue
     * time) the supplied current time is used.
     *
     * @param oAuthTokenReqMessageContext token request context, or {@code null} in the
     *                                    authorization flow
     * @param oAuthAppDO                  application whose renewal setting is consulted
     * @param date                        the current time, used as the default
     * @return the issue time to place in the token
     */
    private Date getRefreshTokenIssuedTime(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, OAuthAppDO oAuthAppDO, Date date) {
        Date date2 = date;
        if (oAuthTokenReqMessageContext != null && oAuthTokenReqMessageContext.getProperty(PersistenceConstants.PREV_ACCESS_TOKEN) != null) {
            // Same unchecked cast as in getRefreshTokenLifeTimeInMillis.
            RefreshTokenValidationDataDO refreshTokenValidationDataDO = (RefreshTokenValidationDataDO) oAuthTokenReqMessageContext.getProperty(PersistenceConstants.PREV_ACCESS_TOKEN);
            if (isRenewRefreshToken(oAuthAppDO.getRenewRefreshTokenEnabled()) && !OAuthServerConfiguration.getInstance().isExtendRenewedTokenExpiryTimeEnabled()) {
                date2 = refreshTokenValidationDataDO.getIssuedTime();
            }
            if (date2 == null) {
                date2 = date;
            }
        }
        return date2;
    }

    /**
     * Decides whether refresh tokens are renewed on use. A non-blank application-level value wins
     * and is parsed with {@link Boolean#parseBoolean(String)} (anything other than a
     * case-insensitive {@code "true"} counts as {@code false}); a blank value defers to the global
     * server setting.
     *
     * @param str application-level renew-refresh-token setting, possibly blank
     * @return {@code true} if refresh tokens should be renewed
     */
    private boolean isRenewRefreshToken(String str) {
        if (StringUtils.isNotBlank(str)) {
            if (log.isDebugEnabled()) {
                log.debug("Reading the Oauth application specific renew refresh token value as " + str + " from the IDN_OIDC_PROPERTY table");
            }
            return Boolean.parseBoolean(str);
        }
        if (log.isDebugEnabled()) {
            log.debug("Reading the global renew refresh token value from the identity.xml");
        }
        return OAuthServerConfiguration.getInstance().isRefreshTokenRenewalEnabled();
    }

    /**
     * Returns the authenticated user for whichever context is present (authorization context
     * first; the token context is dereferenced when the authorization context is null).
     *
     * @param oAuthAuthzReqMessageContext authorization request context, or {@code null}
     * @param oAuthTokenReqMessageContext token request context, or {@code null}
     * @return the non-null authenticated user
     * @throws IdentityOAuth2Exception if the selected context carries no user
     */
    protected AuthenticatedUser getAuthenticatedUser(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        AuthenticatedUser user = oAuthAuthzReqMessageContext != null ? oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getUser() : oAuthTokenReqMessageContext.getAuthorizedUser();
        if (user == null) {
            throw new IdentityOAuth2Exception("Authenticated user is null for the request.");
        }
        return user;
    }

    /**
     * Builds the space-separated scope string from the request's scopes. Unlike the other helpers,
     * the token context is consulted first here.
     *
     * @param oAuthAuthzReqMessageContext authorization request context, or {@code null}
     * @param oAuthTokenReqMessageContext token request context, or {@code null}
     * @param str                         subject identifier, used only in the debug message
     * @return the scope string, or {@code null} when the scope array is null or empty
     */
    protected String getScope(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, OAuthTokenReqMessageContext oAuthTokenReqMessageContext, String str) {
        String str2 = null;
        String[] scope = oAuthTokenReqMessageContext != null ? oAuthTokenReqMessageContext.getScope() : oAuthAuthzReqMessageContext.getApprovedScope();
        if (ArrayUtils.isNotEmpty(scope)) {
            str2 = OAuth2Util.buildScopeString(scope);
            // The message says "access token" although this issuer builds refresh tokens.
            if (log.isDebugEnabled()) {
                log.debug("Scope exist for the jwt access token with subject " + str + " and the scope is " + str2);
            }
        }
        return str2;
    }

    /**
     * Returns the value placed in the {@code sub} claim.
     *
     * @param authenticatedUser user the token is issued for
     * @return the user's authenticated subject identifier
     */
    protected String getSubjectClaim(AuthenticatedUser authenticatedUser) {
        return authenticatedUser.getAuthenticatedSubjectIdentifier();
    }

    /**
     * Computes {@code exp} as {@code l2 + l}, clamped to {@link Long#MAX_VALUE} when the sum wraps
     * around. Because the guard is simply {@code l2 + l < l2}, a negative lifetime also satisfies
     * it and yields {@code Long.MAX_VALUE}, i.e. an effectively non-expiring token; presumably the
     * intended meaning of a negative configured lifetime -- confirm against the configuration
     * contract.
     *
     * @param l  lifetime in milliseconds
     * @param l2 reference time in epoch milliseconds (the current time at the call site)
     * @return the expiration time
     */
    private Date calculateRefreshTokenExpiryTime(Long l, Long l2) {
        Date date = l2.longValue() + l.longValue() < l2.longValue() ? new Date(Long.MAX_VALUE) : new Date(l2.longValue() + l.longValue());
        if (log.isDebugEnabled()) {
            // The "ms." suffix is misleading: a Date is logged, not a millisecond count.
            log.debug("Refresh token expiry time : " + date + "ms.");
        }
        return date;
    }
}
