package org.mitre.oauth2.service.impl;

import com.google.common.collect.Sets;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.UUID;
import org.mitre.data.AbstractPageOperationTemplate;
import org.mitre.data.DefaultPageCriteria;
import org.mitre.oauth2.model.AuthenticationHolderEntity;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
import org.mitre.oauth2.model.PKCEAlgorithm;
import org.mitre.oauth2.model.SystemScope;
import org.mitre.oauth2.repository.AuthenticationHolderRepository;
import org.mitre.oauth2.repository.OAuth2TokenRepository;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.oauth2.service.OAuth2TokenEntityService;
import org.mitre.oauth2.service.SystemScopeService;
import org.mitre.openid.connect.request.ConnectRequestParameters;
import org.mitre.openid.connect.service.ApprovedSiteService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.stereotype.Service;

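/**
 * Token service backing the authorization server: issues, refreshes, looks up and revokes
 * access and refresh tokens, enforcing the PKCE binding on code exchange and the
 * no-up-scoping rule on refresh.
 *
 * <p>This listing was recovered by a decompiler. Methods named {@code mNNcreateAccessToken},
 * {@code mNNrefreshAccessToken}, {@code mNNreadAccessToken} and {@code mNNgetAccessToken} are
 * bridge methods whose real names are given in the {@code renamed from} comments above them.
 *
 * <p>Not thread-safe by design beyond what the injected repositories provide; Spring manages
 * it as a singleton bean.
 */
@Service("defaultOAuth2ProviderTokenService")
public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityService {
    private static final Logger logger = LoggerFactory.getLogger(DefaultOAuth2ProviderTokenService.class);

    /** Scope whose presence (together with client permission) makes a grant eligible for a refresh token. */
    private static final String OFFLINE_ACCESS_SCOPE = "offline_access";
    /** Scopes that mark a token as a client-management credential rather than a user token. */
    private static final String REGISTRATION_TOKEN_SCOPE = "registration-token";
    private static final String RESOURCE_TOKEN_SCOPE = "resource-token";
    /** Digest mandated by RFC 7636 §4.2 for the {@code S256} code challenge method. */
    private static final String PKCE_S256_DIGEST = "SHA-256";

    @Autowired
    private OAuth2TokenRepository tokenRepository;

    @Autowired
    private AuthenticationHolderRepository authenticationHolderRepository;

    @Autowired
    private ClientDetailsEntityService clientDetailsService;

    @Autowired
    private TokenEnhancer tokenEnhancer;

    @Autowired
    private SystemScopeService scopeService;

    @Autowired
    private ApprovedSiteService approvedSiteService;

    /**
     * Returns every live access token whose authentication principal name equals {@code str}.
     * Expired tokens encountered during the scan are revoked and omitted.
     *
     * @param str principal name to match (as reported by the stored authentication)
     * @return matching tokens in repository iteration order; never {@code null}
     */
    public Set<OAuth2AccessTokenEntity> getAllAccessTokensForUser(String str) {
        Set<OAuth2AccessTokenEntity> matches = new LinkedHashSet<>();
        for (OAuth2AccessTokenEntity token : tokenRepository.getAllAccessTokens()) {
            // clearExpiredAccessToken returns null (after revoking) for expired tokens, so they are skipped
            if (clearExpiredAccessToken(token) != null && belongsToUser(token.getAuthenticationHolder(), str)) {
                matches.add(token);
            }
        }
        return matches;
    }

    /**
     * Returns every live refresh token whose authentication principal name equals {@code str}.
     * Expired tokens encountered during the scan are revoked and omitted.
     *
     * @param str principal name to match (as reported by the stored authentication)
     * @return matching tokens in repository iteration order; never {@code null}
     */
    public Set<OAuth2RefreshTokenEntity> getAllRefreshTokensForUser(String str) {
        Set<OAuth2RefreshTokenEntity> matches = new LinkedHashSet<>();
        for (OAuth2RefreshTokenEntity token : tokenRepository.getAllRefreshTokens()) {
            if (clearExpiredRefreshToken(token) != null && belongsToUser(token.getAuthenticationHolder(), str)) {
                matches.add(token);
            }
        }
        return matches;
    }

    /** True when the holder's authentication reports {@code username} as its principal name. */
    private static boolean belongsToUser(AuthenticationHolderEntity holder, String username) {
        return holder.getAuthentication().getName().equals(username);
    }

    /**
     * Looks up an access token by database id.
     *
     * @return the token, or {@code null} when it does not exist or has expired (an expired token is revoked first)
     */
    public OAuth2AccessTokenEntity getAccessTokenById(Long l) {
        return clearExpiredAccessToken(tokenRepository.getAccessTokenById(l));
    }

    /**
     * Looks up a refresh token by database id.
     *
     * @return the token, or {@code null} when it does not exist or has expired (an expired token is revoked first)
     */
    public OAuth2RefreshTokenEntity getRefreshTokenById(Long l) {
        return clearExpiredRefreshToken(tokenRepository.getRefreshTokenById(l));
    }

    /**
     * Filters an access token through its expiry: a live token is returned unchanged, an
     * expired one is revoked and {@code null} is returned.
     *
     * @param token token to check; may be {@code null}
     */
    private OAuth2AccessTokenEntity clearExpiredAccessToken(OAuth2AccessTokenEntity token) {
        if (token == null) {
            return null;
        }
        if (!token.isExpired()) {
            return token;
        }
        // Log the database id, not the token value: the value is a bearer credential and
        // must not be written to log files.
        logger.debug("Clearing expired access token with id {}", token.getId());
        revokeAccessToken(token);
        return null;
    }

    /**
     * Filters a refresh token through its expiry: a live token is returned unchanged, an
     * expired one is revoked (along with its access tokens) and {@code null} is returned.
     *
     * @param token token to check; may be {@code null}
     */
    private OAuth2RefreshTokenEntity clearExpiredRefreshToken(OAuth2RefreshTokenEntity token) {
        if (token == null) {
            return null;
        }
        if (!token.isExpired()) {
            return token;
        }
        // See clearExpiredAccessToken: never log the token value itself.
        logger.debug("Clearing expired refresh token with id {}", token.getId());
        revokeRefreshToken(token);
        return null;
    }

    /**
     * Issues a new access token (and, when permitted, a refresh token) for an authenticated
     * grant. When the authorization request carried a PKCE {@code code_challenge}, the
     * {@code code_verifier} on the token request must match it or the exchange is rejected.
     *
     * @param oAuth2Authentication the completed authentication, carrying the original request
     * @return the persisted access token, after the configured {@link TokenEnhancer} has run
     * @throws AuthenticationCredentialsNotFoundException when no authentication or request is present
     * @throws InvalidClientException when the requesting client is unknown
     * @throws InvalidRequestException when PKCE verification fails
     */
    /* renamed from: createAccessToken, reason: merged with bridge method [inline-methods] */
    public OAuth2AccessTokenEntity m10createAccessToken(OAuth2Authentication oAuth2Authentication) throws AuthenticationException, InvalidClientException {
        if (oAuth2Authentication == null || oAuth2Authentication.getOAuth2Request() == null) {
            throw new AuthenticationCredentialsNotFoundException("No authentication credentials found");
        }
        OAuth2Request request = oAuth2Authentication.getOAuth2Request();
        ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId());
        if (client == null) {
            throw new InvalidClientException("Client not found: " + request.getClientId());
        }

        // Fail closed before anything is persisted.
        verifyPkceChallenge(request);

        OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
        token.setClient(client);
        // Reserved scopes are never written onto an issued token.
        token.setScope(scopeService.toStrings(scopeService.removeReservedScopes(scopeService.fromStrings(request.getScope()))));

        // A null or non-positive validity leaves the token without an expiry (existing contract).
        Integer accessValidity = client.getAccessTokenValiditySeconds();
        if (accessValidity != null && accessValidity > 0) {
            token.setExpiration(expirationAfter(accessValidity));
        }

        AuthenticationHolderEntity holder = new AuthenticationHolderEntity();
        holder.setAuthentication(oAuth2Authentication);
        holder = authenticationHolderRepository.save(holder);
        token.setAuthenticationHolder(holder);

        if (client.isAllowRefresh() && token.getScope().contains(OFFLINE_ACCESS_SCOPE)) {
            token.setRefreshToken(createRefreshToken(client, holder));
        }

        // Link the token to the approved-site record when the approval flow recorded one.
        OAuth2Request savedRequest = holder.getAuthentication().getOAuth2Request();
        if (savedRequest.getExtensions() != null && savedRequest.getExtensions().containsKey(ConnectRequestParameters.APPROVED_SITE)) {
            String approvedSiteId = (String) savedRequest.getExtensions().get(ConnectRequestParameters.APPROVED_SITE);
            token.setApprovedSite(approvedSiteService.getById(Long.valueOf(approvedSiteId)));
        }

        OAuth2AccessTokenEntity saved = saveAccessToken((OAuth2AccessTokenEntity) tokenEnhancer.enhance(token, oAuth2Authentication));
        if (saved.getRefreshToken() != null) {
            tokenRepository.saveRefreshToken(saved.getRefreshToken());
        }
        return saved;
    }

    /**
     * Enforces the PKCE binding (RFC 7636 §4.6) when the authorization request carried a
     * {@code code_challenge}. Every failure path rejects the exchange: a missing verifier, an
     * unsupported challenge method and an unavailable digest all throw instead of letting the
     * exchange continue unverified, and comparisons are constant-time.
     *
     * @param request the authorization request attached to the authentication
     * @throws InvalidRequestException when the verifier is missing, the method is unsupported,
     *     or the verifier does not match the challenge
     */
    private static void verifyPkceChallenge(OAuth2Request request) {
        if (!request.getExtensions().containsKey(ConnectRequestParameters.CODE_CHALLENGE)) {
            return; // no PKCE on this authorization; nothing to check
        }
        String challenge = (String) request.getExtensions().get(ConnectRequestParameters.CODE_CHALLENGE);
        String method = (String) request.getExtensions().get(ConnectRequestParameters.CODE_CHALLENGE_METHOD);
        String verifier = (String) request.getRequestParameters().get(ConnectRequestParameters.CODE_VERIFIER);

        if (verifier == null) {
            throw new InvalidRequestException("Code verifier is required when a code challenge was presented");
        }
        // RFC 7636 §4.3: an absent code_challenge_method means "plain".
        PKCEAlgorithm alg = method == null ? PKCEAlgorithm.plain : PKCEAlgorithm.parse(method);

        byte[] expected;
        if (PKCEAlgorithm.plain.equals(alg)) {
            expected = verifier.getBytes(StandardCharsets.UTF_8);
        } else if (PKCEAlgorithm.S256.equals(alg)) {
            // BASE64URL(SHA256(ASCII(code_verifier))), as the original implementation computed it.
            String hash = Base64URL.encode(sha256(verifier.getBytes(StandardCharsets.US_ASCII))).toString();
            expected = hash.getBytes(StandardCharsets.UTF_8);
        } else {
            // Previously an unrecognised method skipped verification entirely.
            throw new InvalidRequestException("Unsupported code challenge method");
        }
        // Constant-time compare; UTF-8 is injective on well-formed strings, so byte equality
        // is string equality here.
        if (!MessageDigest.isEqual(challenge.getBytes(StandardCharsets.UTF_8), expected)) {
            throw new InvalidRequestException("Code challenge and verifier do not match");
        }
    }

    /**
     * SHA-256 of {@code input}. SHA-256 is a mandatory algorithm for every Java platform, so the
     * checked exception cannot occur on a conforming JRE; if it ever does, fail closed rather
     * than log and continue, because the caller is gating a credential exchange on the result.
     */
    private static byte[] sha256(byte[] input) {
        try {
            return MessageDigest.getInstance(PKCE_S256_DIGEST).digest(input);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 digest is not available; cannot verify PKCE code challenge", e);
        }
    }

    /**
     * Absolute expiry {@code validitySeconds} from now. The multiplication is done in
     * {@code long}: the {@code int} arithmetic used previously overflowed for lifetimes above
     * roughly 24.8 days (2^31 milliseconds) and produced expiry dates in the past.
     */
    private static Date expirationAfter(int validitySeconds) {
        return new Date(System.currentTimeMillis() + validitySeconds * 1000L);
    }

    /**
     * Creates and persists a refresh token bound to {@code client} and {@code holder}. The token
     * value is an unsigned JWT whose {@code jti} is a random UUID; the expiry, when the client
     * configures one, is carried both on the entity and in the JWT's {@code exp} claim.
     */
    private OAuth2RefreshTokenEntity createRefreshToken(ClientDetailsEntity client, AuthenticationHolderEntity holder) {
        OAuth2RefreshTokenEntity refreshToken = new OAuth2RefreshTokenEntity();
        JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder();

        Integer refreshValidity = client.getRefreshTokenValiditySeconds();
        if (refreshValidity != null) {
            Date expiration = expirationAfter(refreshValidity);
            refreshToken.setExpiration(expiration);
            claims.expirationTime(expiration);
        }
        claims.jwtID(UUID.randomUUID().toString());

        refreshToken.setJwt(new PlainJWT(claims.build()));
        refreshToken.setAuthenticationHolder(holder);
        refreshToken.setClient(client);
        return tokenRepository.saveRefreshToken(refreshToken);
    }

    /**
     * Exchanges a refresh token for a new access token. The presenting client must be the
     * token's owner (a mismatch revokes the token), the client must allow refresh, and the
     * requested scope may only narrow the original grant. Depending on client configuration the
     * refresh token is either reused or rotated, and existing access tokens may be cleared.
     *
     * @param str the refresh token value presented by the client
     * @param tokenRequest the token endpoint request (client id, requested scope)
     * @return the newly persisted access token
     * @throws InvalidTokenException when the refresh token is unknown or expired
     * @throws InvalidClientException when the presenting client is unknown, is not the owner, or may not refresh
     * @throws InvalidScopeException when the request asks for scope beyond the original grant
     */
    /* renamed from: refreshAccessToken, reason: merged with bridge method [inline-methods] */
    public OAuth2AccessTokenEntity m9refreshAccessToken(String str, TokenRequest tokenRequest) throws AuthenticationException {
        OAuth2RefreshTokenEntity refreshToken = clearExpiredRefreshToken(tokenRepository.getRefreshTokenByValue(str));
        if (refreshToken == null) {
            throw new InvalidTokenException("Invalid refresh token: " + str);
        }
        ClientDetailsEntity client = refreshToken.getClient();
        AuthenticationHolderEntity holder = refreshToken.getAuthenticationHolder();

        // An unknown presenting client used to surface as a NullPointerException here; treat it
        // like any other non-owner. RFC 6749 §10.4: a refresh token presented by a client other
        // than its owner is considered compromised and is revoked.
        ClientDetailsEntity requestingClient = clientDetailsService.loadClientByClientId(tokenRequest.getClientId());
        if (requestingClient == null || !client.getClientId().equals(requestingClient.getClientId())) {
            tokenRepository.removeRefreshToken(refreshToken);
            throw new InvalidClientException("Client does not own the presented refresh token");
        }
        if (!client.isAllowRefresh()) {
            throw new InvalidClientException("Client does not allow refreshing access token!");
        }
        if (client.isClearAccessTokensOnRefresh()) {
            tokenRepository.clearAccessTokensForRefreshToken(refreshToken);
        }
        // clearExpiredRefreshToken above already purged expired tokens; kept as a second guard.
        if (refreshToken.isExpired()) {
            tokenRepository.removeRefreshToken(refreshToken);
            throw new InvalidTokenException("Expired refresh token: " + str);
        }

        OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
        token.setScope(scopeService.toStrings(selectRefreshScopes(refreshToken, tokenRequest)));
        token.setClient(client);

        // Unlike createAccessToken, a non-positive validity here still yields an (immediately
        // expired) expiry; preserved as-is.
        Integer accessValidity = client.getAccessTokenValiditySeconds();
        if (accessValidity != null) {
            token.setExpiration(expirationAfter(accessValidity));
        }

        if (client.isReuseRefreshToken()) {
            token.setRefreshToken(refreshToken);
        } else {
            // Rotation: mint a fresh refresh token and retire the one just presented.
            token.setRefreshToken(createRefreshToken(client, holder));
            tokenRepository.removeRefreshToken(refreshToken);
        }
        token.setAuthenticationHolder(holder);
        tokenEnhancer.enhance(token, holder.getAuthentication());
        tokenRepository.saveAccessToken(token);
        return token;
    }

    /**
     * Chooses the scope for a refreshed access token: the scope requested on the refresh call
     * when it is a subset of the original grant, otherwise the original grant. Reserved scopes
     * are removed from both sides before the comparison.
     *
     * @return the selected scope set (may be {@code null} if the scope service yields {@code null})
     * @throws InvalidScopeException when the refresh request asks for scope outside the original grant
     */
    private Set<SystemScope> selectRefreshScopes(OAuth2RefreshTokenEntity refreshToken, TokenRequest tokenRequest) {
        Set<String> grantedStrings = new HashSet<String>(refreshToken.getAuthenticationHolder().getAuthentication().getOAuth2Request().getScope());
        Set<SystemScope> granted = scopeService.removeReservedScopes(scopeService.fromStrings(grantedStrings));

        Set<String> requestedStrings = tokenRequest.getScope() == null
                ? new HashSet<String>()
                : new HashSet<String>(tokenRequest.getScope());
        Set<SystemScope> requested = scopeService.removeReservedScopes(scopeService.fromStrings(requestedStrings));

        if (requested == null || requested.isEmpty()) {
            return granted;
        }
        // Down-scoping is permitted, up-scoping is not (RFC 6749 §6).
        if (granted == null || !granted.containsAll(requested)) {
            logger.error("Up-scoping is not allowed.");
            throw new InvalidScopeException("Up-scoping is not allowed.");
        }
        return requested;
    }

    /**
     * Resolves an access token value to the authentication it was issued for.
     *
     * @throws InvalidTokenException when the token is unknown or expired (an expired token is revoked)
     */
    public OAuth2Authentication loadAuthentication(String str) throws AuthenticationException {
        OAuth2AccessTokenEntity token = clearExpiredAccessToken(tokenRepository.getAccessTokenByValue(str));
        if (token == null) {
            throw new InvalidTokenException("Invalid access token: " + str);
        }
        return token.getAuthenticationHolder().getAuthentication();
    }

    /**
     * Resolves an access token value to its entity.
     *
     * @throws InvalidTokenException when the token is unknown or expired (an expired token is revoked)
     */
    /* renamed from: readAccessToken, reason: merged with bridge method [inline-methods] */
    public OAuth2AccessTokenEntity m11readAccessToken(String str) throws AuthenticationException {
        OAuth2AccessTokenEntity token = clearExpiredAccessToken(tokenRepository.getAccessTokenByValue(str));
        if (token == null) {
            throw new InvalidTokenException("Access token for value " + str + " was not found");
        }
        return token;
    }

    /**
     * Not supported: an authentication may be backed by many tokens, so there is no single
     * token to return.
     *
     * @throws UnsupportedOperationException always
     */
    /* renamed from: getAccessToken, reason: merged with bridge method [inline-methods] */
    public OAuth2AccessTokenEntity m8getAccessToken(OAuth2Authentication oAuth2Authentication) {
        throw new UnsupportedOperationException("Unable to look up access token from authentication object.");
    }

    /**
     * Resolves a refresh token value to its entity. Unlike the access-token lookups, this does
     * not purge an expired token: an expired refresh token is returned as-is.
     *
     * @throws InvalidTokenException when no refresh token has this value
     */
    public OAuth2RefreshTokenEntity getRefreshToken(String str) throws AuthenticationException {
        OAuth2RefreshTokenEntity refreshToken = tokenRepository.getRefreshTokenByValue(str);
        if (refreshToken == null) {
            throw new InvalidTokenException("Refresh token for value " + str + " was not found");
        }
        return refreshToken;
    }

    /** Revokes a refresh token together with every access token issued against it. */
    public void revokeRefreshToken(OAuth2RefreshTokenEntity oAuth2RefreshTokenEntity) {
        tokenRepository.clearAccessTokensForRefreshToken(oAuth2RefreshTokenEntity);
        tokenRepository.removeRefreshToken(oAuth2RefreshTokenEntity);
    }

    /** Revokes a single access token; its refresh token, if any, is left in place. */
    public void revokeAccessToken(OAuth2AccessTokenEntity oAuth2AccessTokenEntity) {
        tokenRepository.removeAccessToken(oAuth2AccessTokenEntity);
    }

    /** All access tokens issued to {@code clientDetailsEntity}, as stored (no expiry filtering). */
    public List<OAuth2AccessTokenEntity> getAccessTokensForClient(ClientDetailsEntity clientDetailsEntity) {
        return tokenRepository.getAccessTokensForClient(clientDetailsEntity);
    }

    /** All refresh tokens issued to {@code clientDetailsEntity}, as stored (no expiry filtering). */
    public List<OAuth2RefreshTokenEntity> getRefreshTokensForClient(ClientDetailsEntity clientDetailsEntity) {
        return tokenRepository.getRefreshTokensForClient(clientDetailsEntity);
    }

    /**
     * Housekeeping pass: revokes all expired access tokens, then all expired refresh tokens,
     * then removes authentication holders no token references any more. Each pass pages through
     * the repository so large tables are not loaded at once.
     */
    public void clearExpiredTokens() {
        logger.debug("Cleaning out all expired tokens");
        new AbstractPageOperationTemplate<OAuth2AccessTokenEntity>("clearExpiredAccessTokens") {
            @Override
            public Collection<OAuth2AccessTokenEntity> fetchPage() {
                return tokenRepository.getAllExpiredAccessTokens(new DefaultPageCriteria());
            }

            @Override
            public void doOperation(OAuth2AccessTokenEntity token) {
                revokeAccessToken(token);
            }
        }.execute();
        new AbstractPageOperationTemplate<OAuth2RefreshTokenEntity>("clearExpiredRefreshTokens") {
            @Override
            public Collection<OAuth2RefreshTokenEntity> fetchPage() {
                return tokenRepository.getAllExpiredRefreshTokens(new DefaultPageCriteria());
            }

            @Override
            public void doOperation(OAuth2RefreshTokenEntity token) {
                revokeRefreshToken(token);
            }
        }.execute();
        new AbstractPageOperationTemplate<AuthenticationHolderEntity>("clearExpiredAuthenticationHolders") {
            @Override
            public Collection<AuthenticationHolderEntity> fetchPage() {
                return authenticationHolderRepository.getOrphanedAuthenticationHolders(new DefaultPageCriteria());
            }

            @Override
            public void doOperation(AuthenticationHolderEntity holder) {
                authenticationHolderRepository.remove(holder);
            }
        }.execute();
    }

    /**
     * Persists an access token and returns the repository's instance of it, carrying over any
     * additional-information entries from the passed-in token (presumably because the
     * repository may hand back a different managed instance).
     */
    public OAuth2AccessTokenEntity saveAccessToken(OAuth2AccessTokenEntity oAuth2AccessTokenEntity) {
        OAuth2AccessTokenEntity saved = tokenRepository.saveAccessToken(oAuth2AccessTokenEntity);
        if (oAuth2AccessTokenEntity.getAdditionalInformation() != null && !oAuth2AccessTokenEntity.getAdditionalInformation().isEmpty()) {
            saved.getAdditionalInformation().putAll(oAuth2AccessTokenEntity.getAdditionalInformation());
        }
        return saved;
    }

    /** Persists a refresh token and returns the repository's instance of it. */
    public OAuth2RefreshTokenEntity saveRefreshToken(OAuth2RefreshTokenEntity oAuth2RefreshTokenEntity) {
        return tokenRepository.saveRefreshToken(oAuth2RefreshTokenEntity);
    }

    public TokenEnhancer getTokenEnhancer() {
        return tokenEnhancer;
    }

    public void setTokenEnhancer(TokenEnhancer tokenEnhancer) {
        this.tokenEnhancer = tokenEnhancer;
    }

    /**
     * Finds the client's management token: the first access token whose scope is exactly one
     * of {@code registration-token} or {@code resource-token} and nothing else.
     *
     * @return the management token, or {@code null} when the client has none
     */
    public OAuth2AccessTokenEntity getRegistrationAccessTokenForClient(ClientDetailsEntity clientDetailsEntity) {
        for (OAuth2AccessTokenEntity token : getAccessTokensForClient(clientDetailsEntity)) {
            Set<String> scope = token.getScope();
            boolean managementScope = scope.contains(REGISTRATION_TOKEN_SCOPE) || scope.contains(RESOURCE_TOKEN_SCOPE);
            // A management token carries exactly that single scope; a user token that happens to
            // include it alongside others does not qualify.
            if (managementScope && scope.size() == 1) {
                return token;
            }
        }
        return null;
    }
}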
