package org.cloudfoundry.identity.uaa.oauth;

import com.fasterxml.jackson.core.type.TypeReference;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.approval.Approval;
import org.cloudfoundry.identity.uaa.approval.ApprovalStore;
import org.cloudfoundry.identity.uaa.audit.event.TokenIssuedEvent;
import org.cloudfoundry.identity.uaa.authentication.AbstractClientParametersAuthenticationFilter;
import org.cloudfoundry.identity.uaa.authentication.Origin;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationJsonBase;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.oauth.jwt.JwtHelper;
import org.cloudfoundry.identity.uaa.oauth.token.CompositeAccessToken;
import org.cloudfoundry.identity.uaa.oauth.token.RevocableToken;
import org.cloudfoundry.identity.uaa.oauth.token.RevocableTokenProvisioning;
import org.cloudfoundry.identity.uaa.oauth.token.TokenConstants;
import org.cloudfoundry.identity.uaa.provider.saml.LoginSamlAuthenticationToken;
import org.cloudfoundry.identity.uaa.user.UaaAuthority;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.user.UaaUserDatabase;
import org.cloudfoundry.identity.uaa.util.JsonUtils;
import org.cloudfoundry.identity.uaa.util.TokenValidation;
import org.cloudfoundry.identity.uaa.util.UaaTokenUtils;
import org.cloudfoundry.identity.uaa.zone.ClientServicesExtension;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneConfiguration;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.cloudfoundry.identity.uaa.zone.TokenPolicy;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.dao.DuplicateKeyException;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken;
import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;
import org.springframework.security.oauth2.common.ExpiringOAuth2RefreshToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.NoSuchClientException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.util.Assert;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.class */
public class UaaTokenServices implements AuthorizationServerTokenServices, ResourceServerTokenServices, InitializingBean, ApplicationEventPublisherAware {
    public static final String UAA_REFRESH_TOKEN = "uaa.offline_token";
    private ApplicationEventPublisher applicationEventPublisher;
    private TokenPolicy tokenPolicy;
    private RevocableTokenProvisioning tokenProvisioning;
    private boolean restrictRefreshGrant;
    private final Log logger = LogFactory.getLog(getClass());
    private UaaUserDatabase userDatabase = null;
    private ClientServicesExtension clientDetailsService = null;
    private String issuer = null;
    private ApprovalStore approvalStore = null;
    private List<String> validIdTokenScopes = Arrays.asList("openid");
    private Set<String> excludedClaims = Collections.EMPTY_SET;
    private UaaTokenEnhancer uaaTokenEnhancer = null;

    public Set<String> getExcludedClaims() {
        return this.excludedClaims;
    }

    public void setExcludedClaims(Set<String> set) {
        this.excludedClaims = set;
    }

    public void setValidIdTokenScopes(List<String> list) {
        this.validIdTokenScopes = list;
    }

    public RevocableTokenProvisioning getTokenProvisioning() {
        return this.tokenProvisioning;
    }

    public void setTokenProvisioning(RevocableTokenProvisioning revocableTokenProvisioning) {
        this.tokenProvisioning = revocableTokenProvisioning;
    }

    public void setUaaTokenEnhancer(UaaTokenEnhancer uaaTokenEnhancer) {
        this.uaaTokenEnhancer = uaaTokenEnhancer;
    }

    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.applicationEventPublisher = applicationEventPublisher;
    }

    public OAuth2AccessToken refreshAccessToken(String str, TokenRequest tokenRequest) throws AuthenticationException {
        if (null == str) {
            throw new InvalidTokenException("Invalid refresh token (empty token)");
        }
        if (!"refresh_token".equals(tokenRequest.getRequestParameters().get("grant_type"))) {
            throw new InvalidGrantException("Invalid grant type: " + ((String) tokenRequest.getRequestParameters().get("grant_type")));
        }
        TokenValidation validateToken = validateToken(str);
        Map<String, Object> claims = validateToken.getClaims();
        String encoded = validateToken.getJwt().getEncoded();
        ArrayList arrayList = (ArrayList) claims.get("scope");
        if (isRestrictRefreshGrant() && !arrayList.contains(UAA_REFRESH_TOKEN)) {
            throw new InsufficientScopeException(String.format("Expected scope %s is missing", UAA_REFRESH_TOKEN));
        }
        String str2 = (String) claims.get("cid");
        if (str2 == null || !str2.equals(tokenRequest.getClientId())) {
            throw new InvalidGrantException("Wrong client for this refresh token: " + encoded);
        }
        String str3 = (String) claims.get("user_id");
        String str4 = (String) claims.get("jti");
        String generateUniqueTokenId = generateUniqueTokenId();
        boolean equals = "opaque".equals(tokenRequest.getRequestParameters().get("token_format"));
        boolean z = equals || (claims.get("revocable") != null && ((Boolean) claims.get("revocable")).booleanValue());
        UaaUser retrieveUserById = this.userDatabase.retrieveUserById(str3);
        ClientDetails loadClientByClientId = this.clientDetailsService.loadClientByClientId(str2, IdentityZoneHolder.get().getId());
        long longValue = ((Integer) claims.get("iat")).longValue() * 1000;
        long longValue2 = ((Integer) claims.get("exp")).longValue() * 1000;
        if (new Date(longValue2).before(new Date())) {
            throw new InvalidTokenException("Invalid refresh token (expired): " + encoded + " expired at " + new Date(longValue2));
        }
        Set<String> scope = tokenRequest.getScope();
        if (scope.isEmpty()) {
            scope = new HashSet<>(arrayList);
        }
        if (arrayList.isEmpty() || !arrayList.containsAll(scope)) {
            throw new InvalidScopeException("Unable to narrow the scope of the client authentication to " + scope + ".", new HashSet(arrayList));
        }
        String obj = claims.get("grant_type").toString();
        checkForApproval(str3, str2, scope, getAutoApprovedScopes(obj, arrayList, loadClientByClientId));
        Integer accessTokenValiditySeconds = loadClientByClientId.getAccessTokenValiditySeconds();
        String str5 = (String) claims.get("nonce");
        Map<String, String> map = (Map) claims.get("az_attr");
        Map<String, String> map2 = (Map) claims.get("ext_attr");
        String str6 = (String) claims.get("rev_sig");
        if (StringUtils.hasText(str6)) {
            String clientSecret = loadClientByClientId.getClientSecret();
            if (clientSecret != null && clientSecret.split(" ").length > 1) {
                clientSecret = clientSecret.split(" ")[1];
            }
            if (!str6.equals(UaaTokenUtils.getRevocableTokenSignature(loadClientByClientId, clientSecret, retrieveUserById))) {
                throw new TokenRevokedException(encoded);
            }
        }
        return persistRevocableToken(generateUniqueTokenId, str4, createAccessToken(generateUniqueTokenId, retrieveUserById.getId(), retrieveUserById, claims.get("auth_time") != null ? new Date(((Long) claims.get("auth_time")).longValue() * 1000) : null, accessTokenValiditySeconds != null ? accessTokenValiditySeconds.intValue() : getZoneAccessTokenValidity(), null, scope, str2, new HashSet<>((ArrayList) claims.get("aud")), obj, encoded, str5, map, map2, new HashSet<>(), str6, false, null, null, z, null, null), new DefaultExpiringOAuth2RefreshToken(encoded, new Date(longValue2)), str2, retrieveUserById.getId(), equals, z);
    }

    private int getZoneAccessTokenValidity() {
        IdentityZoneConfiguration config = IdentityZoneHolder.get().getConfig();
        int accessTokenValidity = getTokenPolicy().getAccessTokenValidity();
        if (config != null) {
            accessTokenValidity = config.getTokenPolicy().getAccessTokenValidity() != -1 ? config.getTokenPolicy().getAccessTokenValidity() : getTokenPolicy().getAccessTokenValidity();
        }
        return accessTokenValidity;
    }

    private void checkForApproval(String str, String str2, Collection<String> collection, Collection<String> collection2) {
        if (collection2.containsAll(collection)) {
            return;
        }
        HashSet hashSet = new HashSet(collection2);
        for (Approval approval : this.approvalStore.getApprovals(str, str2, IdentityZoneHolder.get().getId())) {
            if (collection.contains(approval.getScope()) && approval.getStatus() == Approval.ApprovalStatus.APPROVED) {
                if (!approval.isCurrentlyActive()) {
                    this.logger.debug("Approval " + approval + " has expired. Need to re-approve.");
                    throw new InvalidTokenException("Invalid token (approvals expired)");
                }
                hashSet.add(approval.getScope());
            }
        }
        if (hashSet.containsAll(collection)) {
            return;
        }
        this.logger.debug("All requested scopes " + collection + " were not approved " + hashSet);
        HashSet hashSet2 = new HashSet(collection);
        hashSet2.removeAll(hashSet);
        throw new InvalidTokenException("Invalid token (some requested scopes are not approved): " + hashSet2);
    }

    private CompositeAccessToken createAccessToken(String str, String str2, UaaUser uaaUser, Date date, int i, Collection<GrantedAuthority> collection, Set<String> set, String str3, Set<String> set2, String str4, String str5, String str6, Map<String, String> map, Map<String, String> map2, Set<String> set3, String str7, boolean z, Set<String> set4, Map<String, List<String>> map3, boolean z2, Set<String> set5, Set<String> set6) throws AuthenticationException {
        CompositeAccessToken compositeAccessToken = new CompositeAccessToken(str);
        compositeAccessToken.setExpiration(new Date(System.currentTimeMillis() + (i * 1000)));
        compositeAccessToken.setRefreshToken(str5 == null ? null : new DefaultOAuth2RefreshToken(str5));
        if (null == set || set.size() == 0) {
            this.logger.debug("No scopes were granted");
            throw new InvalidTokenException("No scopes were granted");
        }
        compositeAccessToken.setScope(set);
        HashMap hashMap = new HashMap();
        hashMap.put("jti", compositeAccessToken.getValue());
        if (null != map) {
            hashMap.put("az_attr", map);
        }
        if (null != map2) {
            hashMap.put("ext_attr", map2);
        }
        if (str6 != null) {
            hashMap.put("nonce", str6);
        }
        compositeAccessToken.setAdditionalInformation(hashMap);
        Map<String, ?> createJWTAccessToken = createJWTAccessToken(compositeAccessToken, str2, uaaUser, date, collection, set, str3, set2, str4, str5, str7, z2);
        try {
            compositeAccessToken.setValue(JwtHelper.encode(JsonUtils.writeValueAsString(createJWTAccessToken), getActiveKeyInfo().getSigner()).getEncoded());
            populateIdToken(compositeAccessToken, createJWTAccessToken, set, set3, str3, z, set4, uaaUser, map3, set5, set6);
            publish(new TokenIssuedEvent(compositeAccessToken, SecurityContextHolder.getContext().getAuthentication()));
            return compositeAccessToken;
        } catch (JsonUtils.JsonUtilException e) {
            throw new IllegalStateException("Cannot convert access token to JSON", e);
        }
    }

    private KeyInfo getActiveKeyInfo() {
        return (KeyInfo) Optional.ofNullable(KeyInfo.getActiveKey()).orElseThrow(() -> {
            return new InternalAuthenticationServiceException("Unable to sign token, misconfigured JWT signing keys");
        });
    }

    private void populateIdToken(CompositeAccessToken compositeAccessToken, Map<String, ?> map, Set<String> set, Set<String> set2, String str, boolean z, Set<String> set3, UaaUser uaaUser, Map<String, List<String>> map2, Set<String> set4, Set<String> set5) {
        if (z || (set.contains("openid") && set2.contains(CompositeAccessToken.ID_TOKEN))) {
            try {
                HashMap hashMap = new HashMap(map);
                hashMap.remove(UaaAuthenticationJsonBase.AUTHORITIES);
                HashSet hashSet = new HashSet();
                for (String str2 : set) {
                    if (this.validIdTokenScopes != null && this.validIdTokenScopes.contains(str2)) {
                        hashSet.add(str2);
                    }
                }
                if (set4 != null) {
                    hashMap.put("amr", set4);
                }
                if (set5 != null && set5.size() > 0) {
                    HashMap hashMap2 = new HashMap();
                    hashMap2.put("values", set5);
                    hashMap.put(LoginSamlAuthenticationToken.AUTHENTICATION_CONTEXT_CLASS_REFERENCE, hashMap2);
                }
                hashMap.put("scope", hashSet);
                hashMap.put("previous_logon_time", uaaUser.getPreviousLogonTime());
                hashMap.put("aud", new HashSet(Arrays.asList(str)));
                if (set.contains("roles") && set3 != null && !set3.isEmpty()) {
                    hashMap.put("roles", set3);
                }
                if (set.contains("user_attributes") && map2 != null) {
                    hashMap.put("user_attributes", map2);
                }
                if (set.contains("profile") && uaaUser != null) {
                    String givenName = uaaUser.getGivenName();
                    if (givenName != null) {
                        hashMap.put("given_name", givenName);
                    }
                    String familyName = uaaUser.getFamilyName();
                    if (familyName != null) {
                        hashMap.put("family_name", familyName);
                    }
                    String phoneNumber = uaaUser.getPhoneNumber();
                    if (phoneNumber != null) {
                        hashMap.put("phone_number", phoneNumber);
                    }
                }
                compositeAccessToken.setIdTokenValue(JwtHelper.encode(JsonUtils.writeValueAsString(hashMap), KeyInfo.getActiveKey().getSigner()).getEncoded());
            } catch (JsonUtils.JsonUtilException e) {
                throw new IllegalStateException("Cannot convert ID token to JSON", e);
            }
        }
    }

    private Map<String, ?> createJWTAccessToken(OAuth2AccessToken oAuth2AccessToken, String str, UaaUser uaaUser, Date date, Collection<GrantedAuthority> collection, Set<String> set, String str2, Set<String> set2, String str3, String str4, String str5, boolean z) {
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        linkedHashMap.put("jti", oAuth2AccessToken.getAdditionalInformation().get("jti"));
        linkedHashMap.putAll(oAuth2AccessToken.getAdditionalInformation());
        linkedHashMap.put("sub", str2);
        if (null != collection) {
            linkedHashMap.put(UaaAuthenticationJsonBase.AUTHORITIES, AuthorityUtils.authorityListToSet(collection));
        }
        linkedHashMap.put("scope", set);
        linkedHashMap.put(AbstractClientParametersAuthenticationFilter.CLIENT_ID, str2);
        linkedHashMap.put("cid", str2);
        linkedHashMap.put("azp", str2);
        if (z) {
            linkedHashMap.put("revocable", true);
        }
        if (null != str3) {
            linkedHashMap.put("grant_type", str3);
        }
        if (uaaUser != null && str != null) {
            linkedHashMap.put("user_id", str);
            String origin = uaaUser.getOrigin();
            if (StringUtils.hasLength(origin)) {
                linkedHashMap.put("origin", origin);
            }
            String username = uaaUser.getUsername();
            linkedHashMap.put("user_name", username == null ? str : username);
            String email = uaaUser.getEmail();
            if (email != null) {
                linkedHashMap.put("email", email);
            }
            if (date != null) {
                linkedHashMap.put("auth_time", Long.valueOf(date.getTime() / 1000));
            }
            linkedHashMap.put("sub", str);
        }
        if (StringUtils.hasText(str5)) {
            linkedHashMap.put("rev_sig", str5);
        }
        linkedHashMap.put("iat", Long.valueOf(System.currentTimeMillis() / 1000));
        linkedHashMap.put("exp", Long.valueOf(oAuth2AccessToken.getExpiration().getTime() / 1000));
        if (getTokenEndpoint() != null) {
            linkedHashMap.put("iss", getTokenEndpoint());
            linkedHashMap.put("zid", IdentityZoneHolder.get().getId());
        }
        linkedHashMap.put("aud", set2);
        Iterator<String> it = getExcludedClaims().iterator();
        while (it.hasNext()) {
            linkedHashMap.remove(it.next());
        }
        return linkedHashMap;
    }

    public OAuth2AccessToken createAccessToken(OAuth2Authentication oAuth2Authentication) throws AuthenticationException {
        String str = null;
        Date date = null;
        UaaUser uaaUser = null;
        boolean z = false;
        Set<String> set = null;
        Set<String> set2 = null;
        ClientDetails loadClientByClientId = this.clientDetailsService.loadClientByClientId(oAuth2Authentication.getOAuth2Request().getClientId(), IdentityZoneHolder.get().getId());
        Collection<GrantedAuthority> collection = null;
        if (oAuth2Authentication.isClientOnly()) {
            collection = loadClientByClientId.getAuthorities();
        } else {
            str = getUserId(oAuth2Authentication);
            uaaUser = this.userDatabase.retrieveUserById(str);
            if (oAuth2Authentication.getUserAuthentication() instanceof UaaAuthentication) {
                date = new Date(((UaaAuthentication) oAuth2Authentication.getUserAuthentication()).getAuthenticatedTime());
                set = ((UaaAuthentication) oAuth2Authentication.getUserAuthentication()).getAuthenticationMethods();
                set2 = ((UaaAuthentication) oAuth2Authentication.getUserAuthentication()).getAuthContextClassRef();
            }
            validateRequiredUserGroups(uaaUser, loadClientByClientId);
        }
        String clientSecret = loadClientByClientId.getClientSecret();
        if (clientSecret != null && clientSecret.split(" ").length > 1) {
            clientSecret = clientSecret.split(" ")[1];
        }
        String revocableTokenSignature = UaaTokenUtils.getRevocableTokenSignature(loadClientByClientId, clientSecret, uaaUser);
        String generateUniqueTokenId = generateUniqueTokenId();
        String str2 = generateUniqueTokenId() + "-r";
        boolean opaqueTokenRequired = opaqueTokenRequired(oAuth2Authentication);
        boolean z2 = opaqueTokenRequired || IdentityZoneHolder.get().getConfig().getTokenPolicy().isJwtRevocable();
        boolean z3 = z2 || TokenConstants.TokenFormat.OPAQUE.getStringValue().equals(IdentityZoneHolder.get().getConfig().getTokenPolicy().getRefreshTokenFormat());
        ExpiringOAuth2RefreshToken expiringOAuth2RefreshToken = null;
        if (loadClientByClientId.getAuthorizedGrantTypes().contains("refresh_token")) {
            expiringOAuth2RefreshToken = createRefreshToken(uaaUser, str2, oAuth2Authentication, revocableTokenSignature, z3);
        }
        String clientId = oAuth2Authentication.getOAuth2Request().getClientId();
        Set scope = oAuth2Authentication.getOAuth2Request().getScope();
        String str3 = (String) oAuth2Authentication.getOAuth2Request().getRequestParameters().get("grant_type");
        LinkedHashSet linkedHashSet = new LinkedHashSet(scope);
        Set<String> set3 = Collections.EMPTY_SET;
        MultiValueMap<String, String> multiValueMap = Collections.EMPTY_MAP;
        if (oAuth2Authentication.getUserAuthentication() instanceof UaaAuthentication) {
            set3 = ((UaaAuthentication) oAuth2Authentication.getUserAuthentication()).getExternalGroups();
            multiValueMap = ((UaaAuthentication) oAuth2Authentication.getUserAuthentication()).getUserAttributes();
        }
        String str4 = (String) oAuth2Authentication.getOAuth2Request().getRequestParameters().get("nonce");
        Map<String, String> additionalAuthorizationAttributes = getAdditionalAuthorizationAttributes((String) oAuth2Authentication.getOAuth2Request().getRequestParameters().get(UaaAuthenticationJsonBase.AUTHORITIES));
        if ("authorization_code".equals(oAuth2Authentication.getOAuth2Request().getRequestParameters().get("grant_type")) && "code".equals(oAuth2Authentication.getOAuth2Request().getRequestParameters().get("response_type")) && oAuth2Authentication.getOAuth2Request().getRequestParameters().get("scope") != null && ((String) oAuth2Authentication.getOAuth2Request().getRequestParameters().get("scope")).contains("openid")) {
            z = true;
        }
        int zoneAccessTokenValidity = getZoneAccessTokenValidity();
        Integer accessTokenValiditySeconds = loadClientByClientId.getAccessTokenValiditySeconds();
        Set<String> extractResponseTypes = extractResponseTypes(oAuth2Authentication);
        Map<String, String> map = null;
        if (this.uaaTokenEnhancer != null) {
            map = this.uaaTokenEnhancer.getExternalAttributes(oAuth2Authentication);
        }
        return persistRevocableToken(generateUniqueTokenId, str2, createAccessToken(generateUniqueTokenId, str, uaaUser, date, accessTokenValiditySeconds != null ? accessTokenValiditySeconds.intValue() : zoneAccessTokenValidity, collection, linkedHashSet, clientId, oAuth2Authentication.getOAuth2Request().getResourceIds(), str3, expiringOAuth2RefreshToken != null ? expiringOAuth2RefreshToken.getValue() : null, str4, additionalAuthorizationAttributes, map, extractResponseTypes, revocableTokenSignature, z, set3, multiValueMap, z2, set, set2), expiringOAuth2RefreshToken, clientId, str, opaqueTokenRequired, z2);
    }

    public static void validateRequiredUserGroups(UaaUser uaaUser, ClientDetails clientDetails) {
        if (!UaaTokenUtils.hasRequiredUserAuthorities((Collection) Optional.ofNullable((Collection) clientDetails.getAdditionalInformation().get("required_user_groups")).orElse(Collections.emptySet()), uaaUser.getAuthorities())) {
            throw new InvalidTokenException("User does not meet the client's required group criteria.");
        }
    }

    public CompositeAccessToken persistRevocableToken(String str, String str2, CompositeAccessToken compositeAccessToken, OAuth2RefreshToken oAuth2RefreshToken, String str3, String str4, boolean z, boolean z2) {
        OAuth2RefreshToken defaultOAuth2RefreshToken;
        String obj = compositeAccessToken.getScope().toString();
        long currentTimeMillis = System.currentTimeMillis();
        if (z2) {
            RevocableToken value = new RevocableToken().setTokenId(str).setClientId(str3).setExpiresAt(compositeAccessToken.getExpiration().getTime()).setIssuedAt(currentTimeMillis).setFormat(z ? RevocableToken.TokenFormat.OPAQUE.name() : RevocableToken.TokenFormat.JWT.name()).setResponseType(RevocableToken.TokenType.ACCESS_TOKEN).setZoneId(IdentityZoneHolder.get().getId()).setUserId(str4).setScope(obj).setValue(compositeAccessToken.getValue());
            try {
                this.tokenProvisioning.create(value, IdentityZoneHolder.get().getId());
            } catch (DuplicateKeyException e) {
                this.tokenProvisioning.update(str, value, IdentityZoneHolder.get().getId());
            }
        }
        boolean z3 = z || TokenConstants.TokenFormat.OPAQUE.getStringValue().equals(IdentityZoneHolder.get().getConfig().getTokenPolicy().getRefreshTokenFormat());
        boolean z4 = z3 || IdentityZoneHolder.get().getConfig().getTokenPolicy().isJwtRevocable();
        boolean isRefreshTokenUnique = IdentityZoneHolder.get().getConfig().getTokenPolicy().isRefreshTokenUnique();
        if (oAuth2RefreshToken != null && z4) {
            RevocableToken value2 = new RevocableToken().setTokenId(str2).setClientId(str3).setExpiresAt(((ExpiringOAuth2RefreshToken) oAuth2RefreshToken).getExpiration().getTime()).setIssuedAt(currentTimeMillis).setFormat(z3 ? RevocableToken.TokenFormat.OPAQUE.name() : RevocableToken.TokenFormat.JWT.name()).setResponseType(RevocableToken.TokenType.REFRESH_TOKEN).setZoneId(IdentityZoneHolder.get().getId()).setUserId(str4).setScope(obj).setValue(oAuth2RefreshToken.getValue());
            if (isRefreshTokenUnique) {
                try {
                    this.tokenProvisioning.deleteRefreshTokensForClientAndUserId(str3, str4, IdentityZoneHolder.get().getId());
                } catch (DuplicateKeyException e2) {
                }
            }
            this.tokenProvisioning.create(value2, IdentityZoneHolder.get().getId());
        }
        CompositeAccessToken compositeAccessToken2 = new CompositeAccessToken(z ? str : compositeAccessToken.getValue());
        compositeAccessToken2.setIdTokenValue(compositeAccessToken.getIdTokenValue());
        compositeAccessToken2.setExpiration(compositeAccessToken.getExpiration());
        compositeAccessToken2.setAdditionalInformation(compositeAccessToken.getAdditionalInformation());
        compositeAccessToken2.setScope(compositeAccessToken.getScope());
        compositeAccessToken2.setTokenType(compositeAccessToken.getTokenType());
        if (oAuth2RefreshToken == null) {
            defaultOAuth2RefreshToken = null;
        } else {
            defaultOAuth2RefreshToken = new DefaultOAuth2RefreshToken(z3 ? str2 : oAuth2RefreshToken.getValue());
        }
        compositeAccessToken2.setRefreshToken(defaultOAuth2RefreshToken);
        return compositeAccessToken2;
    }

    protected boolean opaqueTokenRequired(OAuth2Authentication oAuth2Authentication) {
        Map requestParameters = oAuth2Authentication.getOAuth2Request().getRequestParameters();
        return "opaque".equals(requestParameters.get("token_format")) || "user_token".equals(requestParameters.get("grant_type"));
    }

    protected Set<String> extractResponseTypes(OAuth2Authentication oAuth2Authentication) {
        Set<String> responseTypes = oAuth2Authentication.getOAuth2Request().getResponseTypes();
        if (responseTypes != null && responseTypes.size() == 1) {
            String next = responseTypes.iterator().next();
            String str = (String) oAuth2Authentication.getOAuth2Request().getRequestParameters().get("response_type");
            if ("code".equals(next) && str != null) {
                responseTypes = OAuth2Utils.parseParameterList(str);
            }
        }
        return responseTypes;
    }

    private Map<String, String> getAdditionalAuthorizationAttributes(String str) {
        if (!StringUtils.hasLength(str)) {
            return null;
        }
        try {
            return (Map) ((Map) JsonUtils.readValue(str, new TypeReference<Map<String, Object>>() { // from class: org.cloudfoundry.identity.uaa.oauth.UaaTokenServices.1
            })).get("az_attr");
        } catch (Throwable th) {
            this.logger.error("Unable to read additionalAuthorizationAttributes", th);
            return null;
        }
    }

    private ExpiringOAuth2RefreshToken createRefreshToken(UaaUser uaaUser, String str, OAuth2Authentication oAuth2Authentication, String str2, boolean z) {
        String str3 = (String) oAuth2Authentication.getOAuth2Request().getRequestParameters().get("grant_type");
        if (!isRefreshTokenSupported(str3, oAuth2Authentication.getOAuth2Request().getScope())) {
            return null;
        }
        Map<String, String> additionalAuthorizationAttributes = getAdditionalAuthorizationAttributes((String) oAuth2Authentication.getOAuth2Request().getRequestParameters().get(UaaAuthenticationJsonBase.AUTHORITIES));
        DefaultExpiringOAuth2RefreshToken defaultExpiringOAuth2RefreshToken = new DefaultExpiringOAuth2RefreshToken(str, new Date(System.currentTimeMillis() + (getRefreshTokenValiditySeconds(oAuth2Authentication.getOAuth2Request()) * 1000)));
        Map<String, String> map = null;
        if (this.uaaTokenEnhancer != null) {
            map = this.uaaTokenEnhancer.getExternalAttributes(oAuth2Authentication);
        }
        try {
            return new DefaultExpiringOAuth2RefreshToken(JwtHelper.encode(JsonUtils.writeValueAsString(createJWTRefreshToken(defaultExpiringOAuth2RefreshToken, str, uaaUser, oAuth2Authentication.getOAuth2Request().getScope(), oAuth2Authentication.getOAuth2Request().getClientId(), str3, additionalAuthorizationAttributes, oAuth2Authentication.getOAuth2Request().getResourceIds(), str2, z, map)), getActiveKeyInfo().getSigner()).getEncoded(), defaultExpiringOAuth2RefreshToken.getExpiration());
        } catch (JsonUtils.JsonUtilException e) {
            throw new IllegalStateException("Cannot convert access token to JSON", e);
        }
    }

    protected String getUserId(OAuth2Authentication oAuth2Authentication) {
        return Origin.getUserId(oAuth2Authentication.getUserAuthentication());
    }

    private Map<String, ?> createJWTRefreshToken(OAuth2RefreshToken oAuth2RefreshToken, String str, UaaUser uaaUser, Set<String> set, String str2, String str3, Map<String, String> map, Set<String> set2, String str4, boolean z, Map<String, String> map2) {
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        linkedHashMap.put("jti", str);
        linkedHashMap.put("sub", uaaUser.getId());
        linkedHashMap.put("scope", set);
        if (null != map) {
            linkedHashMap.put("az_attr", map);
        }
        if (null != map2) {
            linkedHashMap.put("ext_attr", map2);
        }
        linkedHashMap.put("iat", Long.valueOf(System.currentTimeMillis() / 1000));
        if (((ExpiringOAuth2RefreshToken) oAuth2RefreshToken).getExpiration() != null) {
            linkedHashMap.put("exp", Long.valueOf(((ExpiringOAuth2RefreshToken) oAuth2RefreshToken).getExpiration().getTime() / 1000));
        }
        linkedHashMap.put("cid", str2);
        linkedHashMap.put(AbstractClientParametersAuthenticationFilter.CLIENT_ID, str2);
        if (getTokenEndpoint() != null) {
            linkedHashMap.put("iss", getTokenEndpoint());
            linkedHashMap.put("zid", IdentityZoneHolder.get().getId());
        }
        if (z) {
            linkedHashMap.put("revocable", true);
        }
        if (null != str3) {
            linkedHashMap.put("grant_type", str3);
        }
        if (uaaUser != null) {
            linkedHashMap.put("user_name", uaaUser.getUsername());
            linkedHashMap.put("origin", uaaUser.getOrigin());
            linkedHashMap.put("user_id", uaaUser.getId());
        }
        if (StringUtils.hasText(str4)) {
            linkedHashMap.put("rev_sig", str4);
        }
        linkedHashMap.put("aud", set2);
        return linkedHashMap;
    }

    protected String generateUniqueTokenId() {
        return UUID.randomUUID().toString().replace("-", "");
    }

    protected boolean isRefreshTokenSupported(String str, Set<String> set) {
        return !isRestrictRefreshGrant() ? "authorization_code".equals(str) || "password".equals(str) || "user_token".equals(str) || "refresh_token".equals(str) || "urn:ietf:params:oauth:grant-type:saml2-bearer".equals(str) : set.contains(UAA_REFRESH_TOKEN);
    }

    protected int getRefreshTokenValiditySeconds(OAuth2Request oAuth2Request) {
        Integer refreshTokenValiditySeconds = this.clientDetailsService.loadClientByClientId(oAuth2Request.getClientId(), IdentityZoneHolder.get().getId()).getRefreshTokenValiditySeconds();
        if (refreshTokenValiditySeconds != null) {
            return refreshTokenValiditySeconds.intValue();
        }
        IdentityZoneConfiguration config = IdentityZoneHolder.get().getConfig();
        int refreshTokenValidity = getTokenPolicy().getRefreshTokenValidity();
        if (config != null) {
            refreshTokenValidity = config.getTokenPolicy().getRefreshTokenValidity() != -1 ? config.getTokenPolicy().getRefreshTokenValidity() : this.tokenPolicy.getRefreshTokenValidity();
        }
        return refreshTokenValidity;
    }

    public void afterPropertiesSet() throws URISyntaxException {
        Assert.notNull(this.clientDetailsService, "clientDetailsService must be set");
        Assert.notNull(this.issuer, "issuer must be set");
        Assert.notNull(this.approvalStore, "approvalStore must be set");
        new URI(this.issuer);
    }

    public void setUserDatabase(UaaUserDatabase uaaUserDatabase) {
        this.userDatabase = uaaUserDatabase;
    }

    public OAuth2Authentication loadAuthentication(String str) throws AuthenticationException {
        if (StringUtils.isEmpty(str)) {
            throw new InvalidTokenException("Invalid access token value, must be at least 30 characters:" + str);
        }
        TokenValidation validateToken = validateToken(str);
        Map<String, Object> claims = validateToken.getClaims();
        String encoded = validateToken.getJwt().getEncoded();
        if (((Integer) claims.get("exp")) != null && new Date(r0.intValue() * 1000).before(new Date())) {
            throw new InvalidTokenException("Invalid access token (expired): " + encoded + " expired at " + new Date(r0.intValue() * 1000));
        }
        AuthorizationRequest authorizationRequest = new AuthorizationRequest((String) claims.get(AbstractClientParametersAuthenticationFilter.CLIENT_ID), (ArrayList) claims.get("scope"));
        ArrayList arrayList = (ArrayList) claims.get("aud");
        authorizationRequest.setResourceIds(Collections.unmodifiableSet(arrayList == null ? new HashSet() : new HashSet(arrayList)));
        authorizationRequest.setApproved(true);
        List commaSeparatedStringToAuthorityList = AuthorityUtils.commaSeparatedStringToAuthorityList(StringUtils.collectionToCommaDelimitedString(IdentityZoneHolder.get().getConfig().getUserConfig().getDefaultGroups()));
        if (claims.containsKey(UaaAuthenticationJsonBase.AUTHORITIES)) {
            Object obj = claims.get(UaaAuthenticationJsonBase.AUTHORITIES);
            if (obj instanceof String) {
                commaSeparatedStringToAuthorityList = AuthorityUtils.commaSeparatedStringToAuthorityList((String) obj);
            }
            if (obj instanceof Collection) {
                commaSeparatedStringToAuthorityList = AuthorityUtils.commaSeparatedStringToAuthorityList(StringUtils.collectionToCommaDelimitedString((Collection) obj));
            }
        }
        UaaAuthentication uaaAuthentication = null;
        if (claims.containsKey("user_id")) {
            uaaAuthentication = new UaaAuthentication(new UaaPrincipal(this.userDatabase.retrieveUserById((String) claims.get("user_id"))), UaaAuthority.USER_AUTHORITIES, null);
        } else {
            authorizationRequest.setAuthorities(commaSeparatedStringToAuthorityList);
        }
        UaaOauth2Authentication uaaOauth2Authentication = new UaaOauth2Authentication(encoded, IdentityZoneHolder.get().getId(), authorizationRequest.createOAuth2Request(), uaaAuthentication);
        uaaOauth2Authentication.setAuthenticated(true);
        return uaaOauth2Authentication;
    }

    public OAuth2AccessToken readAccessToken(String str) {
        TokenValidation validateToken = validateToken(str);
        Map<String, Object> claims = validateToken.getClaims();
        CompositeAccessToken compositeAccessToken = new CompositeAccessToken(validateToken.getJwt().getEncoded());
        compositeAccessToken.setTokenType("Bearer");
        Integer num = (Integer) claims.get("exp");
        if (null != num) {
            compositeAccessToken.setExpiration(new Date(num.longValue() * 1000));
        }
        ArrayList arrayList = (ArrayList) claims.get("scope");
        if (null != arrayList && arrayList.size() > 0) {
            compositeAccessToken.setScope(new HashSet(arrayList));
        }
        String str2 = (String) claims.get("cid");
        ClientDetails loadClientByClientId = this.clientDetailsService.loadClientByClientId(str2, IdentityZoneHolder.get().getId());
        String str3 = (String) claims.get("user_id");
        if (null != str3) {
            ArrayList arrayList2 = (ArrayList) claims.get("scope");
            checkForApproval(str3, str2, arrayList2, getAutoApprovedScopes(claims.get("grant_type"), arrayList2, loadClientByClientId));
        }
        return compositeAccessToken;
    }

    private Set<String> getAutoApprovedScopes(Object obj, Collection<String> collection, ClientDetails clientDetails) {
        return (obj == null || !"password".equals(obj.toString())) ? UaaTokenUtils.retainAutoApprovedScopes(collection, ((BaseClientDetails) clientDetails).getAutoApproveScopes()) : new HashSet(collection);
    }

    protected TokenValidation validateToken(String str) {
        if (!UaaTokenUtils.isJwtToken(str)) {
            try {
                str = this.tokenProvisioning.retrieve(str, IdentityZoneHolder.get().getId()).getValue();
            } catch (EmptyResultDataAccessException e) {
                throw new TokenRevokedException("The token expired, was revoked, or the token ID is incorrect: " + str);
            }
        }
        TokenValidation throwIfInvalid = TokenValidation.validate(str).checkRevocableTokenStore(this.tokenProvisioning).throwIfInvalid();
        String kid = throwIfInvalid.getJwt().getHeader().getKid();
        KeyInfo key = kid != null ? KeyInfo.getKey(kid) : KeyInfo.getActiveKey();
        if (key == null) {
            throw new InvalidTokenException("Invalid key ID: " + kid);
        }
        throwIfInvalid.checkSignature(key.getVerifier()).throwIfInvalid();
        Map<String, Object> claims = throwIfInvalid.getClaims();
        throwIfInvalid.checkIssuer(getTokenEndpoint()).throwIfInvalid();
        String str2 = (String) claims.get("cid");
        String str3 = (String) claims.get("user_id");
        try {
            ClientDetails loadClientByClientId = this.clientDetailsService.loadClientByClientId(str2, IdentityZoneHolder.get().getId());
            UaaUser uaaUser = null;
            if (UaaTokenUtils.isUserToken(claims)) {
                try {
                    uaaUser = this.userDatabase.retrieveUserById(str3);
                } catch (UsernameNotFoundException e2) {
                    throw new InvalidTokenException("Token bears a non-existent user ID: " + str3);
                }
            }
            throwIfInvalid.checkClientAndUser(loadClientByClientId, uaaUser).throwIfInvalid();
            ArrayList arrayList = new ArrayList();
            ArrayList arrayList2 = new ArrayList();
            if (loadClientByClientId.getClientSecret() != null) {
                arrayList.addAll(Arrays.asList(loadClientByClientId.getClientSecret().split(" ")));
            } else {
                arrayList2.add(UaaTokenUtils.getRevocableTokenSignature(loadClientByClientId, null, uaaUser));
            }
            Iterator it = arrayList.iterator();
            while (it.hasNext()) {
                arrayList2.add(UaaTokenUtils.getRevocableTokenSignature(loadClientByClientId, (String) it.next(), uaaUser));
            }
            TokenValidation checkRevocationSignature = throwIfInvalid.checkRevocationSignature(arrayList2);
            checkRevocationSignature.throwIfInvalid();
            return checkRevocationSignature;
        } catch (NoSuchClientException e3) {
            throw new InvalidTokenException("Invalid client ID " + str2);
        }
    }

    public OAuth2AccessToken getAccessToken(OAuth2Authentication oAuth2Authentication) {
        return null;
    }

    public void setIssuer(String str) throws URISyntaxException {
        Assert.notNull(str);
        UaaTokenUtils.constructTokenEndpointUrl(str);
        this.issuer = str;
    }

    public String getIssuer() {
        return this.issuer;
    }

    public String getTokenEndpoint() {
        try {
            return UaaTokenUtils.constructTokenEndpointUrl(this.issuer);
        } catch (URISyntaxException e) {
            this.logger.error("Failed to get token endpoint for issuer " + this.issuer, e);
            throw new IllegalArgumentException(e);
        }
    }

    public void setClientDetailsService(ClientServicesExtension clientServicesExtension) {
        this.clientDetailsService = clientServicesExtension;
    }

    public void setApprovalStore(ApprovalStore approvalStore) {
        this.approvalStore = approvalStore;
    }

    private void publish(TokenIssuedEvent tokenIssuedEvent) {
        if (this.applicationEventPublisher != null) {
            this.applicationEventPublisher.publishEvent(tokenIssuedEvent);
        }
    }

    public void setTokenPolicy(TokenPolicy tokenPolicy) {
        this.tokenPolicy = tokenPolicy;
    }

    public TokenPolicy getTokenPolicy() {
        return this.tokenPolicy;
    }

    public boolean isRestrictRefreshGrant() {
        return this.restrictRefreshGrant;
    }

    public void setRestrictRefreshGrant(boolean z) {
        this.restrictRefreshGrant = z;
    }
}
