package org.wso2.carbon.identity.oauth2.token;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.common.message.types.GrantType;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.cache.AppInfoCache;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheEntry;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheKey;
import org.wso2.carbon.identity.oauth.common.OAuth2ErrorCodes;
import org.wso2.carbon.identity.oauth.common.OAuthConstants;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth.event.OAuthEventInterceptor;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.ResponseHeader;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenRespDTO;
import org.wso2.carbon.identity.oauth2.token.handlers.clientauth.ClientAuthenticationHandler;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.utils.CarbonUtils;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.class */
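/**
 * Singleton entry point that processes an OAuth2 token request end to end.
 *
 * <p>For each request, {@link #issue(OAuth2AccessTokenReqDTO)} resolves the grant handler for the
 * requested grant type, selects and runs a client authentication handler, asks the grant handler
 * to authorize the client, validate the grant, authorize access delegation and validate the scope,
 * and only then lets the grant handler issue the token. Every rejection is returned as an error
 * {@link OAuth2AccessTokenRespDTO} rather than thrown, and the post-issue/post-renewal listeners
 * are notified on every path that passes the pre-listeners.
 *
 * <p>The handler collections are read once from {@link OAuthServerConfiguration} when the
 * singleton is created.
 */
public class AccessTokenIssuer {
    // volatile is required for the double-checked locking in getInstance(): without it another
    // thread may observe a non-null reference to a not yet fully constructed instance.
    private static volatile AccessTokenIssuer instance;
    private static final Log log = LogFactory.getLog(AccessTokenIssuer.class);
    private final Map<String, AuthorizationGrantHandler> authzGrantHandlers;
    private final List<ClientAuthenticationHandler> clientAuthenticationHandlers;
    private final AppInfoCache appInfoCache = AppInfoCache.getInstance();

    /**
     * Loads the supported grant handlers and client authentication handlers from the server
     * configuration.
     *
     * @throws IdentityOAuth2Exception declared by the original signature; propagated from the
     *                                 configuration lookups if they fail
     */
    private AccessTokenIssuer() throws IdentityOAuth2Exception {
        this.authzGrantHandlers = OAuthServerConfiguration.getInstance().getSupportedGrantTypes();
        this.clientAuthenticationHandlers = OAuthServerConfiguration.getInstance().getSupportedClientAuthHandlers();
        if (this.appInfoCache == null) {
            log.error("Error while creating AppInfoCache");
        } else if (log.isDebugEnabled()) {
            log.debug("Successfully created AppInfoCache under OAuthCacheManager");
        }
    }

    /**
     * Returns the process-wide issuer, creating it on first use.
     *
     * <p>{@code CarbonUtils.checkSecurity()} runs on every call, before the instance is handed
     * out, so the caller check is not bypassed once the singleton exists.
     *
     * @return the shared {@code AccessTokenIssuer}
     * @throws IdentityOAuth2Exception if the instance cannot be constructed
     */
    public static AccessTokenIssuer getInstance() throws IdentityOAuth2Exception {
        CarbonUtils.checkSecurity();
        if (instance == null) {
            synchronized (AccessTokenIssuer.class) {
                if (instance == null) {
                    instance = new AccessTokenIssuer();
                }
            }
        }
        return instance;
    }

    /**
     * Validates a token request and, if every check passes, issues the access token.
     *
     * <p>Checks run in this order, and the first failure ends processing with an error response:
     * grant type supported, exactly one applicable client authentication method (or none, for a
     * grant type that does not require a confidential client), client authentication, client
     * authorized for the grant type, grant valid, access delegation authorized, scope valid.
     *
     * @param oAuth2AccessTokenReqDTO the token request; its tenant domain is set from the
     *                                registered application as a side effect
     * @return the token response, or an error response ({@code isError()} is true) describing
     *         why the request was rejected
     * @throws IdentityException           if a handler or the ID token builder fails
     * @throws InvalidOAuthClientException if the client id does not resolve to an application
     */
    public OAuth2AccessTokenRespDTO issue(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO) throws IdentityException, InvalidOAuthClientException {
        String grantType = oAuth2AccessTokenReqDTO.getGrantType();
        // A null key would make a Hashtable-backed handler map throw, so treat it as "no handler".
        AuthorizationGrantHandler grantHandler = grantType == null ? null : this.authzGrantHandlers.get(grantType);
        OAuthAppDO oAuthAppDO = OAuth2Util.getAppInformationByClientId(oAuth2AccessTokenReqDTO.getClientId());
        oAuth2AccessTokenReqDTO.setTenantDomain(OAuth2Util.getTenantDomainOfOauthApp(oAuthAppDO));
        OAuthTokenReqMessageContext tokReqMsgCtx = new OAuthTokenReqMessageContext(oAuth2AccessTokenReqDTO);
        tokReqMsgCtx.addProperty("OAuthAppDO", oAuthAppDO);
        boolean isRefreshRequest = GrantType.REFRESH_TOKEN.toString().equals(grantType);
        triggerPreListeners(oAuth2AccessTokenReqDTO, tokReqMsgCtx, isRefreshRequest);

        // Without this guard an unknown grant type reaches the handler dereferences below and
        // surfaces as a NullPointerException instead of an OAuth error response.
        if (grantHandler == null) {
            if (log.isDebugEnabled()) {
                log.debug("Unsupported grant type : " + grantType + " requested by client id : " + oAuth2AccessTokenReqDTO.getClientId());
            }
            return rejectRequest("unsupported_grant_type", "Unsupported grant type!", oAuth2AccessTokenReqDTO, tokReqMsgCtx, isRefreshRequest);
        }

        // Exactly one handler may claim the request; a request presenting credentials through
        // several authentication methods at once is rejected outright.
        int selectedHandlerIndex = -1;
        for (int idx = 0; idx < this.clientAuthenticationHandlers.size(); idx++) {
            if (this.clientAuthenticationHandlers.get(idx).canAuthenticate(tokReqMsgCtx)) {
                if (selectedHandlerIndex > -1) {
                    if (log.isDebugEnabled()) {
                        log.debug("Multiple Client Authentication Methods used for client id : " + oAuth2AccessTokenReqDTO.getClientId());
                    }
                    return rejectRequest(OAuthConstants.OAuthError.TokenResponse.UNSUPPORTED_CLIENT_AUTHENTICATION_METHOD, "Unsupported Client Authentication Method!", oAuth2AccessTokenReqDTO, tokReqMsgCtx, isRefreshRequest);
                }
                selectedHandlerIndex = idx;
            }
        }
        if (selectedHandlerIndex < 0 && grantHandler.isConfidentialClient()) {
            if (log.isDebugEnabled()) {
                log.debug("Confidential client cannot be authenticated for client id : " + oAuth2AccessTokenReqDTO.getClientId());
            }
            return rejectRequest(OAuthConstants.OAuthError.TokenResponse.UNSUPPORTED_CLIENT_AUTHENTICATION_METHOD, "Unsupported Client Authentication Method!", oAuth2AccessTokenReqDTO, tokReqMsgCtx, isRefreshRequest);
        }

        // When no handler claimed the request and the grant handler does not require a
        // confidential client, the request proceeds WITHOUT client authentication. Every later
        // check therefore has to hold for an unauthenticated (public) client as well.
        ClientAuthenticationHandler clientAuthHandler = selectedHandlerIndex > -1 ? this.clientAuthenticationHandlers.get(selectedHandlerIndex) : null;
        boolean clientAuthenticated = clientAuthHandler == null || clientAuthHandler.authenticateClient(tokReqMsgCtx);
        if (!clientAuthenticated) {
            if (log.isDebugEnabled()) {
                log.debug("Client Authentication failed for client Id: " + oAuth2AccessTokenReqDTO.getClientId());
            }
            return rejectRequest(OAuth2ErrorCodes.INVALID_CLIENT, "Client credentials are invalid.", oAuth2AccessTokenReqDTO, tokReqMsgCtx, isRefreshRequest);
        }

        // Grants that are not issued on behalf of an end user are attributed to the application owner.
        if (!grantHandler.isOfTypeApplicationUser()) {
            tokReqMsgCtx.setAuthorizedUser(oAuthAppDO.getUser());
        }

        boolean clientAuthorized = false;
        String unauthorizedMsg = "The authenticated client is not authorized to use this authorization grant type";
        try {
            clientAuthorized = grantHandler.isAuthorizedClient(tokReqMsgCtx);
        } catch (IdentityOAuth2Exception e) {
            if (log.isDebugEnabled()) {
                log.debug("Error occurred while validating client for authorization", e);
            }
            // NOTE(review): the handler's exception message becomes the error message of the
            // response DTO; confirm handlers never put internal detail into it.
            unauthorizedMsg = e.getMessage();
        }
        if (!clientAuthorized) {
            if (log.isDebugEnabled()) {
                log.debug("Client Id: " + oAuth2AccessTokenReqDTO.getClientId() + " is not authorized to use grant type: " + oAuth2AccessTokenReqDTO.getGrantType());
            }
            return rejectRequest(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT, unauthorizedMsg, oAuth2AccessTokenReqDTO, tokReqMsgCtx, isRefreshRequest);
        }

        boolean grantValid = false;
        String invalidGrantMsg = "Provided Authorization Grant is invalid";
        try {
            grantValid = grantHandler.validateGrant(tokReqMsgCtx);
        } catch (IdentityOAuth2Exception e) {
            if (log.isDebugEnabled()) {
                log.debug("Error occurred while validating grant", e);
            }
            // NOTE(review): same message propagation as for the client authorization check above.
            invalidGrantMsg = e.getMessage();
        }
        if (!grantValid) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid Grant provided by the client Id: " + oAuth2AccessTokenReqDTO.getClientId());
            }
            return rejectRequest("invalid_grant", invalidGrantMsg, oAuth2AccessTokenReqDTO, tokReqMsgCtx, isRefreshRequest);
        }

        if (!grantHandler.authorizeAccessDelegation(tokReqMsgCtx)) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid authorization for client Id = " + oAuth2AccessTokenReqDTO.getClientId());
            }
            return rejectRequest(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT, "Unauthorized Client!", oAuth2AccessTokenReqDTO, tokReqMsgCtx, isRefreshRequest);
        }

        if (!grantHandler.validateScope(tokReqMsgCtx)) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid scope provided by client Id: " + oAuth2AccessTokenReqDTO.getClientId());
            }
            return rejectRequest("invalid_scope", "Invalid Scope!", oAuth2AccessTokenReqDTO, tokReqMsgCtx, isRefreshRequest);
        }

        OAuth2AccessTokenRespDTO tokenRespDTO = null;
        try {
            OAuth2Util.setTokenRequestContext(tokReqMsgCtx);
            tokenRespDTO = grantHandler.issue(tokReqMsgCtx);
            if (tokenRespDTO.isError()) {
                setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
                return tokenRespDTO;
            }
        } finally {
            // The finally block covers only the issue call, so the post listeners fire exactly
            // once per request and the token request context is always cleared. A failure in the
            // response decoration below no longer notifies the listeners a second time.
            triggerPostListeners(oAuth2AccessTokenReqDTO, tokenRespDTO, tokReqMsgCtx, isRefreshRequest);
            OAuth2Util.clearTokenRequestContext();
        }

        tokenRespDTO.setCallbackURI(oAuthAppDO.getCallbackUrl());
        String[] grantedScopes = tokReqMsgCtx.getScope();
        if (grantedScopes != null && grantedScopes.length > 0) {
            StringBuilder scopeString = new StringBuilder();
            for (String scope : grantedScopes) {
                scopeString.append(scope).append(" ");
            }
            tokenRespDTO.setAuthorizedScopes(scopeString.toString().trim());
        }
        setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
        if (log.isDebugEnabled()) {
            log.debug("Access token issued to client Id: " + oAuth2AccessTokenReqDTO.getClientId() + " username: " + tokReqMsgCtx.getAuthorizedUser() + " and scopes: " + tokenRespDTO.getAuthorizedScopes());
        }
        if (tokReqMsgCtx.getScope() != null && OAuth2Util.isOIDCAuthzRequest(tokReqMsgCtx.getScope())) {
            tokenRespDTO.setIDToken(OAuthServerConfiguration.getInstance().getOpenIDConnectIDTokenBuilder().buildIDToken(tokReqMsgCtx, tokenRespDTO));
        }
        if (GrantType.AUTHORIZATION_CODE.toString().equals(grantType)) {
            addUserAttributesToCache(oAuth2AccessTokenReqDTO, tokenRespDTO);
        }
        return tokenRespDTO;
    }

    /**
     * Builds the error response for a rejected request, copies any response headers from the
     * message context onto it and notifies the post listeners.
     */
    private OAuth2AccessTokenRespDTO rejectRequest(String errorCode, String errorMsg, OAuth2AccessTokenReqDTO tokenReqDTO, OAuthTokenReqMessageContext tokReqMsgCtx, boolean isRefreshRequest) {
        OAuth2AccessTokenRespDTO errorResp = handleError(errorCode, errorMsg, tokenReqDTO);
        setResponseHeaders(tokReqMsgCtx, errorResp);
        triggerPostListeners(tokenReqDTO, errorResp, tokReqMsgCtx, isRefreshRequest);
        return errorResp;
    }

    /**
     * Notifies the event interceptor, when one is registered and enabled, that a token is about
     * to be issued or renewed. A failing pre listener aborts the request.
     *
     * @throws IdentityOAuth2Exception if the interceptor rejects or fails the pre event
     */
    private void triggerPreListeners(OAuth2AccessTokenReqDTO tokenReqDTO, OAuthTokenReqMessageContext tokReqMsgCtx, boolean isRefreshRequest) throws IdentityOAuth2Exception {
        OAuthEventInterceptor interceptor = OAuthComponentServiceHolder.getInstance().getOAuthEventInterceptorProxy();
        if (interceptor == null || !interceptor.isEnabled()) {
            return;
        }
        HashMap params = new HashMap();
        if (isRefreshRequest) {
            interceptor.onPreTokenRenewal(tokenReqDTO, tokReqMsgCtx, params);
        } else {
            interceptor.onPreTokenIssue(tokenReqDTO, tokReqMsgCtx, params);
        }
    }

    /**
     * Notifies the event interceptor, when one is registered and enabled, of the outcome of a
     * token issue or renewal. Listener failures are logged and never change the response.
     *
     * @param tokenRespDTO the response being returned; {@code null} when the grant handler threw
     *                     before producing one
     */
    private void triggerPostListeners(OAuth2AccessTokenReqDTO tokenReqDTO, OAuth2AccessTokenRespDTO tokenRespDTO, OAuthTokenReqMessageContext tokReqMsgCtx, boolean isRefreshRequest) {
        OAuthEventInterceptor interceptor = OAuthComponentServiceHolder.getInstance().getOAuthEventInterceptorProxy();
        if (interceptor == null || !interceptor.isEnabled()) {
            return;
        }
        try {
            if (isRefreshRequest) {
                interceptor.onPostTokenRenewal(tokenReqDTO, tokenRespDTO, tokReqMsgCtx, new HashMap());
            } else {
                interceptor.onPostTokenIssue(tokenReqDTO, tokenRespDTO, tokReqMsgCtx, new HashMap());
            }
        } catch (IdentityOAuth2Exception e) {
            log.error(isRefreshRequest ? "Oauth post renewal listener failed" : "Oauth post issuer listener failed.", e);
        }
    }

    /**
     * Moves the authorization grant cache entry stored under the authorization code to a key
     * derived from the newly issued access token, then clears the code-keyed entry.
     *
     * <p>Nothing is moved when no entry exists for the code or when an entry for the access
     * token is already cached.
     */
    private void addUserAttributesToCache(OAuth2AccessTokenReqDTO tokenReqDTO, OAuth2AccessTokenRespDTO tokenRespDTO) {
        AuthorizationGrantCacheKey codeKey = new AuthorizationGrantCacheKey(tokenReqDTO.getAuthorizationCode());
        if (codeKey.getUserAttributesId() == null) {
            return;
        }
        AuthorizationGrantCacheEntry cachedEntry = AuthorizationGrantCache.getInstance().getValueFromCacheByCode(codeKey);
        AuthorizationGrantCacheKey tokenKey = new AuthorizationGrantCacheKey(tokenRespDTO.getAccessToken());
        if (cachedEntry == null) {
            return;
        }
        cachedEntry.setTokenId(tokenRespDTO.getTokenId());
        if (AuthorizationGrantCache.getInstance().getValueFromCacheByToken(tokenKey) == null) {
            // The key id logged here is built from the access token, so the message is emitted
            // only when token logging is explicitly enabled.
            if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable("AccessToken")) {
                log.debug("No AuthorizationGrantCache entry found for the access token:" + tokenKey.getUserAttributesId() + ", hence adding to cache");
            }
            AuthorizationGrantCache.getInstance().addToCacheByToken(tokenKey, cachedEntry);
            AuthorizationGrantCache.getInstance().clearCacheEntryByCode(codeKey);
        }
    }

    /**
     * Creates an error response carrying the given OAuth error code and message.
     *
     * @param errorCode   OAuth error code to report
     * @param errorMsg    error message to report
     * @param tokenReqDTO the rejected request, used only for the debug log line
     * @return a response with {@code isError()} set
     */
    private OAuth2AccessTokenRespDTO handleError(String errorCode, String errorMsg, OAuth2AccessTokenReqDTO tokenReqDTO) {
        if (log.isDebugEnabled()) {
            log.debug("OAuth-Error-Code=" + errorCode + " client-id=" + tokenReqDTO.getClientId() + " grant-type=" + tokenReqDTO.getGrantType() + " scope=" + OAuth2Util.buildScopeString(tokenReqDTO.getScope()));
        }
        OAuth2AccessTokenRespDTO errorResp = new OAuth2AccessTokenRespDTO();
        errorResp.setError(true);
        errorResp.setErrorCode(errorCode);
        errorResp.setErrorMsg(errorMsg);
        return errorResp;
    }

    /**
     * Copies the {@code RESPONSE_HEADERS} property of the message context, when present, onto
     * the response.
     */
    private void setResponseHeaders(OAuthTokenReqMessageContext tokReqMsgCtx, OAuth2AccessTokenRespDTO tokenRespDTO) {
        Object responseHeaders = tokReqMsgCtx.getProperty("RESPONSE_HEADERS");
        if (responseHeaders != null) {
            tokenRespDTO.setResponseHeaders((ResponseHeader[]) responseHeaders);
        }
    }
}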
