package org.wso2.is.key.manager.tokenpersistence.processor;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.sql.Timestamp;
import java.util.Optional;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.tokenprocessor.TokenProvider;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.model.RefreshTokenValidationDataDO;
import org.wso2.carbon.identity.oauth2.util.JWTUtils;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.is.key.manager.tokenpersistence.PersistenceConstants;
import org.wso2.is.key.manager.tokenpersistence.internal.ServiceReferenceHolder;
import org.wso2.is.key.manager.tokenpersistence.utils.OpaqueTokenUtil;
import org.wso2.is.key.manager.tokenpersistence.utils.TokenMgtUtil;

/* loaded from: input_file:org/wso2/is/key/manager/tokenpersistence/processor/InMemoryTokenProvider.class */
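/**
 * {@link TokenProvider} that validates self-contained (JWT) access and refresh tokens from their
 * signature and claims instead of a persisted token record.
 *
 * <p>Two kinds of input fall back to the database: tokens that are not JWTs at all (handled via
 * {@link OAuth2Util} / {@link OpaqueTokenUtil}), and JWT access tokens that carry no {@code entity_id}
 * claim, which are treated as migrated tokens and looked up by their derived identifier.
 *
 * <p>Token material is never logged in clear: when token logging is enabled only a SHA-256 hex digest of
 * the identifier is written, otherwise a message without the token.
 */
public class InMemoryTokenProvider implements TokenProvider {

    private static final Log log = LogFactory.getLog(InMemoryTokenProvider.class);

    /** JWT access tokens lacking this claim are resolved as migrated (database-persisted) tokens. */
    private static final String ENTITY_ID_CLAIM = "entity_id";

    // Token-state values surfaced on the returned DOs; kept as the literal strings callers compare against.
    private static final String TOKEN_STATE_ACTIVE = "ACTIVE";
    private static final String TOKEN_STATE_EXPIRED = "EXPIRED";
    private static final String TOKEN_STATE_REVOKED = "REVOKED";

    // Token categories passed to IdentityUtil.isTokenLoggable to decide whether a hash may be logged.
    private static final String ACCESS_TOKEN_LOG_TYPE = "AccessToken";
    private static final String REFRESH_TOKEN_LOG_TYPE = "RefreshToken";

    /**
     * Validates an access token and reconstructs its {@link AccessTokenDO} without a token-store lookup.
     *
     * <p>Order of checks for a JWT: parse, route migrated tokens (no {@code entity_id}) to the database,
     * reject refresh-type tokens, verify the signature, check {@code exp}, check {@code nbf}, check direct
     * and indirect revocation, then serve from the OAuth cache or build and cache a new DO.
     *
     * @param str the raw token: a signed JWT, or an opaque token that is looked up in the database
     * @param z   {@code true} to return an expired token (with state {@code EXPIRED}) instead of rejecting it;
     *            also suppresses the rejection of revoked and refresh-type tokens, which then yield {@code null}
     * @return the access token DO, or {@code null} when the token is revoked (or refresh-type) and {@code z} is set;
     *         for migrated tokens whatever {@link OAuth2Util#findAccessToken} returns, possibly {@code null}
     * @throws IdentityOAuth2Exception  when parsing, signature or claim validation fails, or the tenant cannot be resolved
     * @throws IllegalArgumentException when the token is expired, revoked or refresh-type and {@code z} is
     *                                  {@code false} (see {@link #handleInvalidAccessTokenError}); note this is
     *                                  unchecked and not the declared exception type
     */
    @Override
    public AccessTokenDO getVerifiedAccessToken(String str, boolean z) throws IdentityOAuth2Exception {
        if (!JWTUtils.isJWT(str)) {
            return getMigratedAccessToken(str, z);
        }
        SignedJWT signedJWT = TokenMgtUtil.parseJWT(str);
        JWTClaimsSet claims = TokenMgtUtil.getTokenJWTClaims(signedJWT);
        String tokenIdentifier = TokenMgtUtil.getTokenIdentifier(claims);
        String consumerKey = (String) claims.getClaim(PersistenceConstants.JWTClaim.AUTHORIZATION_PARTY);

        if (claims.getClaim(ENTITY_ID_CLAIM) == null) {
            // NOTE(review): this happens before the signature is verified, so the claim set is untrusted here;
            // only the derived identifier is handed to the database lookup, which must do its own matching.
            return getMigratedAccessToken(tokenIdentifier, z);
        }
        if (TokenMgtUtil.isRefreshTokenType(claims)) {
            // A refresh token presented as an access token is never usable.
            if (!z) {
                handleInvalidAccessTokenError(tokenIdentifier);
            }
            return null;
        }

        logAccessTokenValidation(tokenIdentifier, z);
        AuthenticatedUser user = TokenMgtUtil.getAuthenticatedUser(claims);
        // Verify the signature before any claim is acted upon.
        TokenMgtUtil.validateJWTSignature(signedJWT, claims, user);

        boolean active = JWTUtils.checkExpirationTime(claims.getExpirationTime());
        if (!active && !z) {
            handleInvalidAccessTokenError(tokenIdentifier);
        }
        JWTUtils.checkNotBeforeTime(claims.getNotBeforeTime());

        if (TokenMgtUtil.isTokenRevokedDirectly(tokenIdentifier, consumerKey)
                || TokenMgtUtil.isTokenRevokedIndirectly(claims, user)) {
            if (!z) {
                handleInvalidAccessTokenError(tokenIdentifier);
            }
            return null;
        }

        Optional<AccessTokenDO> cached = TokenMgtUtil.getTokenDOFromCache(tokenIdentifier);
        if (cached.isPresent()) {
            AccessTokenDO cachedDO = cached.get();
            if (log.isDebugEnabled()) {
                if (IdentityUtil.isTokenLoggable(ACCESS_TOKEN_LOG_TYPE)) {
                    log.debug(String.format("Retrieved access token(hashed): %s from OAuthCache to verify.",
                            DigestUtils.sha256Hex(cachedDO.getAccessToken())));
                } else {
                    log.debug("Retrieved access token from cache to verify.");
                }
            }
            // The cached DO was built when the token was still valid; expiry is monotonic, so mark it
            // EXPIRED now rather than hand back a stale ACTIVE state to a caller that asked for expired tokens.
            if (!active) {
                cachedDO.setTokenState(TOKEN_STATE_EXPIRED);
            }
            return cachedDO;
        }

        AccessTokenDO freshDO = buildAccessTokenDO(claims, tokenIdentifier, consumerKey, user, active);
        TokenMgtUtil.addTokenToCache(tokenIdentifier, freshDO);
        return freshDO;
    }

    /**
     * Validates a refresh token on behalf of a specific client.
     *
     * @param str  the raw refresh token: a signed JWT, or an opaque token validated against the database
     * @param str2 the consumer key of the client presenting the token; must equal the JWT's {@code azp} claim
     * @return the validation data (state {@code ACTIVE}, {@code EXPIRED} or {@code REVOKED}) for a JWT refresh
     *         token; {@code null} for a JWT that is not of refresh-token type; for opaque tokens the database result
     * @throws IdentityOAuth2Exception when the consumer key does not match, or parsing/signature validation fails
     */
    @Override
    public RefreshTokenValidationDataDO getVerifiedRefreshToken(String str, String str2)
            throws IdentityOAuth2Exception {
        if (!JWTUtils.isJWT(str)) {
            log.debug("Refresh token is not a JWT. Hence, validating as an migrated opaque token from database.");
            RefreshTokenValidationDataDO opaque = OpaqueTokenUtil.validateOpaqueRefreshToken(str, str2);
            OpaqueTokenUtil.validateTokenConsent(opaque);
            return opaque;
        }
        SignedJWT signedJWT = TokenMgtUtil.parseJWT(str);
        JWTClaimsSet claims = TokenMgtUtil.getTokenJWTClaims(signedJWT);
        // Bind the token to the presenting client. This runs before the signature is verified (that happens in
        // validateJWTRefreshToken), but a mismatch can only ever reject, never admit, a token.
        String azp = (String) claims.getClaim(PersistenceConstants.JWTClaim.AUTHORIZATION_PARTY);
        if (!StringUtils.equals(str2, azp)) {
            throw new IdentityOAuth2Exception("Invalid refresh token. Consumer key does not match.");
        }
        if (!TokenMgtUtil.isRefreshTokenType(claims)) {
            return null;
        }
        return validateJWTRefreshToken(claims, signedJWT);
    }

    /**
     * Resolves a refresh token without a client context, returning an {@link AccessTokenDO} populated with the
     * refresh-token attributes only when the token is {@code ACTIVE}.
     *
     * @param str the raw refresh token: a signed JWT, or an opaque token found in the database
     * @return an {@link AccessTokenDO} for an active JWT refresh token; {@code null} when the JWT is not of
     *         refresh-token type or is expired/revoked; for opaque tokens whatever the database lookup returns
     * @throws IdentityOAuth2Exception when parsing or signature validation fails, or the tenant cannot be resolved
     */
    @Override
    public AccessTokenDO getVerifiedRefreshToken(String str) throws IdentityOAuth2Exception {
        // NOTE(review): this path uses OAuth2Util.isJWT while the sibling methods use JWTUtils.isJWT; kept
        // as-is since their equivalence cannot be confirmed from this file.
        if (!OAuth2Util.isJWT(str)) {
            log.debug("Refresh token is not a JWT. Hence, finding as an migrated opaque token from database.");
            return OpaqueTokenUtil.findRefreshToken(str);
        }
        SignedJWT signedJWT = TokenMgtUtil.parseJWT(str);
        JWTClaimsSet claims = TokenMgtUtil.getTokenJWTClaims(signedJWT);
        if (!TokenMgtUtil.isRefreshTokenType(claims)) {
            return null;
        }
        RefreshTokenValidationDataDO validation = validateJWTRefreshToken(claims, signedJWT);
        if (!StringUtils.equals(TOKEN_STATE_ACTIVE, validation.getRefreshTokenState())) {
            return null;
        }
        AccessTokenDO tokenDO = new AccessTokenDO();
        tokenDO.setRefreshTokenValidityPeriodInMillis(validation.getValidityPeriodInMillis());
        tokenDO.setRefreshTokenIssuedTime(validation.getIssuedTime());
        tokenDO.setScope(validation.getScope());
        tokenDO.setAuthzUser(validation.getAuthorizedUser());
        tokenDO.setConsumerKey((String) claims.getClaim(PersistenceConstants.JWTClaim.AUTHORIZATION_PARTY));
        tokenDO.setTenantID(resolveTenantId(validation.getAuthorizedUser()));
        tokenDO.setTokenId(TokenMgtUtil.getTokenId(claims));
        return tokenDO;
    }

    /**
     * Logs (at debug) and rejects an access token that is not usable.
     *
     * <p>Always throws. The exception is an unchecked {@link IllegalArgumentException} rather than the
     * {@link IdentityOAuth2Exception} the public methods declare; callers that rely on the latter will not see it.
     *
     * @param str the token identifier; only its SHA-256 digest is logged, and only when token logging is enabled
     */
    private void handleInvalidAccessTokenError(String str) {
        if (log.isDebugEnabled()) {
            if (IdentityUtil.isTokenLoggable(ACCESS_TOKEN_LOG_TYPE)) {
                log.debug(String.format("Failed to validate the JWT Access Token %s in memory.", DigestUtils.sha256Hex(str)));
            } else {
                log.debug("Failed to validate the JWT Access Token in memory.");
            }
        }
        throw new IllegalArgumentException("Invalid Access Token. Access token is not ACTIVE.");
    }

    /**
     * Verifies a JWT refresh token and derives its validation data.
     *
     * <p>State resolution: {@code EXPIRED} when {@code exp} has passed, else {@code REVOKED} when the token is
     * revoked directly or indirectly (user/app level), else {@code ACTIVE}. Revocation is only consulted for
     * unexpired tokens. NOTE(review): unlike the access-token path, {@code nbf} is not checked here — confirm
     * that is intentional.
     *
     * @param jWTClaimsSet the token's claims
     * @param signedJWT    the parsed token, needed for signature verification
     * @return validation data with state, timing, scope, consent (when the consent column is enabled and the
     *         claim is present), authorized user, identifier and token id populated
     * @throws IdentityOAuth2Exception when the signature does not verify or the user cannot be derived
     */
    private RefreshTokenValidationDataDO validateJWTRefreshToken(JWTClaimsSet jWTClaimsSet, SignedJWT signedJWT)
            throws IdentityOAuth2Exception {
        RefreshTokenValidationDataDO validation = new RefreshTokenValidationDataDO();
        String consumerKey = (String) jWTClaimsSet.getClaim(PersistenceConstants.JWTClaim.AUTHORIZATION_PARTY);
        String tokenIdentifier = TokenMgtUtil.getTokenIdentifier(jWTClaimsSet);
        if (log.isDebugEnabled()) {
            if (IdentityUtil.isTokenLoggable(REFRESH_TOKEN_LOG_TYPE)) {
                log.debug(String.format("Validating JWT refresh token (hashed): %s", DigestUtils.sha256Hex(tokenIdentifier)));
            } else {
                log.debug("Validating JWT refresh token.");
            }
        }
        AuthenticatedUser user = TokenMgtUtil.getAuthenticatedUser(jWTClaimsSet);
        // Verify the signature before any claim is acted upon.
        TokenMgtUtil.validateJWTSignature(signedJWT, jWTClaimsSet, user);

        if (!JWTUtils.checkExpirationTime(jWTClaimsSet.getExpirationTime())) {
            validation.setRefreshTokenState(TOKEN_STATE_EXPIRED);
        } else if (TokenMgtUtil.isTokenRevokedDirectly(tokenIdentifier, consumerKey)
                || TokenMgtUtil.isTokenRevokedIndirectly(jWTClaimsSet, user)) {
            validation.setRefreshTokenState(TOKEN_STATE_REVOKED);
        } else {
            validation.setRefreshTokenState(TOKEN_STATE_ACTIVE);
        }

        validation.setIssuedTime(new Timestamp(jWTClaimsSet.getIssueTime().getTime()));
        validation.setValidityPeriodInMillis(
                jWTClaimsSet.getExpirationTime().getTime() - jWTClaimsSet.getIssueTime().getTime());
        validation.setScope(TokenMgtUtil.getScopes(jWTClaimsSet.getClaim(PersistenceConstants.JWTClaim.SCOPE)));
        Object consented = jWTClaimsSet.getClaim(PersistenceConstants.JWTClaim.IS_CONSENTED);
        if (OAuth2ServiceComponentHolder.isConsentedTokenColumnEnabled() && consented != null) {
            validation.setConsented(((Boolean) consented).booleanValue());
        }
        validation.setAuthorizedUser(user);
        validation.setRefreshToken(tokenIdentifier);
        validation.setTokenId(TokenMgtUtil.getTokenId(jWTClaimsSet));
        return validation;
    }

    /**
     * Looks up a migrated (database-persisted) access token and tags the result as persisted so callers can
     * distinguish it from in-memory tokens.
     *
     * @param str the token (or token identifier) to find
     * @param z   whether expired tokens should be returned
     * @return the persisted token DO with the {@code IS_PERSISTED} property set, or {@code null} if not found
     * @throws IdentityOAuth2Exception propagated from the lookup
     */
    private AccessTokenDO getMigratedAccessToken(String str, boolean z) throws IdentityOAuth2Exception {
        AccessTokenDO persisted = OAuth2Util.findAccessToken(str, z);
        if (persisted != null) {
            persisted.addProperty(PersistenceConstants.IS_PERSISTED, true);
        }
        return persisted;
    }

    /**
     * Builds the {@link AccessTokenDO} for a JWT access token whose signature, timing and revocation status
     * have already been checked.
     *
     * @param claims          the verified claims
     * @param tokenIdentifier identifier derived from the claims; becomes the DO's access-token value
     * @param consumerKey     the {@code azp} claim
     * @param user            the authenticated user derived from the claims
     * @param active          {@code false} when {@code exp} has passed; sets the state to {@code EXPIRED}
     * @return the populated DO (not yet cached)
     * @throws IdentityOAuth2Exception when the user's tenant domain cannot be mapped to a tenant id
     */
    private AccessTokenDO buildAccessTokenDO(JWTClaimsSet claims, String tokenIdentifier, String consumerKey,
                                             AuthenticatedUser user, boolean active) throws IdentityOAuth2Exception {
        AccessTokenDO tokenDO = new AccessTokenDO();
        tokenDO.setAccessToken(tokenIdentifier);
        tokenDO.setConsumerKey(consumerKey);
        tokenDO.setIssuedTime(new Timestamp(claims.getIssueTime().getTime()));
        tokenDO.setValidityPeriodInMillis(claims.getExpirationTime().getTime() - claims.getIssueTime().getTime());
        tokenDO.setScope(TokenMgtUtil.getScopes(claims.getClaim(PersistenceConstants.JWTClaim.SCOPE)));
        tokenDO.setAuthzUser(user);
        tokenDO.setTenantID(resolveTenantId(user));
        tokenDO.setTokenState(active ? TOKEN_STATE_ACTIVE : TOKEN_STATE_EXPIRED);
        // Guard the claim like the refresh-token path does: a missing claim must not turn into an NPE.
        Object consented = claims.getClaim(PersistenceConstants.JWTClaim.IS_CONSENTED);
        if (OAuth2ServiceComponentHolder.isConsentedTokenColumnEnabled() && consented != null) {
            tokenDO.setIsConsentedToken(((Boolean) consented).booleanValue());
        }
        tokenDO.setTokenId(TokenMgtUtil.getTokenId(claims));
        return tokenDO;
    }

    /**
     * Maps the user's tenant domain to a tenant id through the realm service.
     *
     * @param user the user whose tenant domain is resolved
     * @return the tenant id
     * @throws IdentityOAuth2Exception wrapping the {@link UserStoreException} from the tenant manager
     */
    private static int resolveTenantId(AuthenticatedUser user) throws IdentityOAuth2Exception {
        try {
            return ServiceReferenceHolder.getInstance().getRealmService().getTenantManager()
                    .getTenantId(user.getTenantDomain());
        } catch (UserStoreException e) {
            throw new IdentityOAuth2Exception(
                    "Error while getting tenant ID from tenant domain:" + user.getTenantDomain(), e);
        }
    }

    /**
     * Debug-logs the start of JWT access-token validation, exposing at most a SHA-256 digest of the identifier.
     *
     * @param tokenIdentifier the token identifier (hashed before logging)
     * @param z               the include-expired flag being applied
     */
    private static void logAccessTokenValidation(String tokenIdentifier, boolean z) {
        if (!log.isDebugEnabled()) {
            return;
        }
        if (IdentityUtil.isTokenLoggable(ACCESS_TOKEN_LOG_TYPE)) {
            // Arguments in the order the format names them: token digest first, then the expiry flag.
            log.debug(String.format("Validating JWT access token: %s with expiry: %s",
                    DigestUtils.sha256Hex(tokenIdentifier), Boolean.valueOf(z)));
        } else {
            log.debug(String.format("Validating JWT access token with expiry: %s", Boolean.valueOf(z)));
        }
    }
}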
