package org.wso2.carbon.identity.oauth.tokenprocessor;

import java.sql.Timestamp;
import java.util.Date;
import java.util.List;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheEntry;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheKey;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
import org.wso2.carbon.identity.oauth2.device.constants.Constants;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.model.RefreshTokenValidationDataDO;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oauth2.validators.RefreshTokenValidator;
import org.wso2.carbon.identity.openidconnect.OIDCClaimUtil;

/* loaded from: input_file:org/wso2/carbon/identity/oauth/tokenprocessor/DefaultRefreshTokenGrantProcessor.class */
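/**
 * Default {@link RefreshTokenGrantProcessor}: validates a presented refresh token against the
 * token store, builds the replacement access token, persists it while invalidating the previous
 * one, and carries cached user attributes over to the new token.
 *
 * <p>Token values handled here are bearer credentials. Debug logging only ever emits a SHA-256
 * digest of a token, and only when {@code IdentityUtil.isTokenLoggable} allows it for that token
 * type.
 */
public class DefaultRefreshTokenGrantProcessor implements RefreshTokenGrantProcessor {
    private static final Log log = LogFactory.getLog(DefaultRefreshTokenGrantProcessor.class);

    /** Message-context property under which the validated previous token data is read. */
    public static final String PREV_ACCESS_TOKEN = "previousAccessToken";

    /** Maximum number of recent access tokens fetched when checking refresh-token freshness. */
    public static final int LAST_ACCESS_TOKEN_RETRIEVAL_LIMIT = 10;

    /**
     * Looks up the refresh token from the request in the token store and requires that access
     * token data is persisted for it.
     *
     * @param oAuthTokenReqMessageContext token request context carrying the client id and refresh token
     * @return the validation data returned by the token management DAO
     * @throws IdentityOAuth2Exception if the DAO lookup fails or no persisted access token is found
     */
    @Override
    public RefreshTokenValidationDataDO validateRefreshToken(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        OAuth2AccessTokenReqDTO oauth2AccessTokenReqDTO = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO();
        RefreshTokenValidationDataDO validateRefreshToken = OAuthTokenPersistenceFactory.getInstance().getTokenManagementDAO().validateRefreshToken(oauth2AccessTokenReqDTO.getClientId(), oauth2AccessTokenReqDTO.getRefreshToken());
        validatePersistedAccessToken(validateRefreshToken, oauth2AccessTokenReqDTO.getClientId());
        return validateRefreshToken;
    }

    /**
     * Marks the previous access token {@code INACTIVE} and stores the new one through a single
     * DAO call.
     *
     * @param oAuthTokenReqMessageContext context holding the previous token data under {@link #PREV_ACCESS_TOKEN}
     * @param accessTokenDO the new access token to persist
     * @param str forwarded to the DAO (presumably the user store domain; confirm against the DAO signature)
     * @param str2 forwarded to the DAO (presumably the client id; confirm against the DAO signature)
     * @throws IdentityOAuth2Exception if the DAO operation fails
     */
    @Override
    public void persistNewToken(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, AccessTokenDO accessTokenDO, String str, String str2) throws IdentityOAuth2Exception {
        RefreshTokenValidationDataDO refreshTokenValidationDataDO = (RefreshTokenValidationDataDO) oAuthTokenReqMessageContext.getProperty(PREV_ACCESS_TOKEN);
        if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable("AccessToken")) {
            // Only the digest is logged, so the log cannot be replayed as a credential.
            log.debug(String.format("Previous access token (hashed): %s", DigestUtils.sha256Hex(refreshTokenValidationDataDO.getAccessToken())));
        }
        OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO().invalidateAndCreateNewAccessToken(refreshTokenValidationDataDO.getTokenId(), "INACTIVE", str2, UUID.randomUUID().toString(), accessTokenDO, str, refreshTokenValidationDataDO.getGrantType());
    }

    /**
     * Builds the {@link AccessTokenDO} for the token being issued by this refresh request.
     *
     * <p>When the consented-token column is enabled, the consent flag is copied from the previous
     * access token if the previous grant was itself a refresh, or set to {@code true} if
     * consent-based claim filtering applies to the previous grant type. A consented token is also
     * flagged on the message context.
     *
     * @param oAuthTokenReqMessageContext request context supplying user, scope and token binding
     * @param oAuth2AccessTokenReqDTO request DTO supplying client id and grant type
     * @param refreshTokenValidationDataDO data of the token being refreshed
     * @param str token type set on the new token
     * @return the populated, {@code ACTIVE} access token bean with a fresh random token id
     * @throws IdentityOAuth2Exception if the previous access token cannot be resolved
     */
    @Override
    public AccessTokenDO createAccessTokenBean(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO, RefreshTokenValidationDataDO refreshTokenValidationDataDO, String str) throws IdentityOAuth2Exception {
        Timestamp timestamp = new Timestamp(new Date().getTime());
        String uuid = UUID.randomUUID().toString();
        AccessTokenDO accessTokenDO = new AccessTokenDO();
        accessTokenDO.setConsumerKey(oAuth2AccessTokenReqDTO.getClientId());
        accessTokenDO.setAuthzUser(oAuthTokenReqMessageContext.getAuthorizedUser());
        accessTokenDO.setScope(oAuthTokenReqMessageContext.getScope());
        accessTokenDO.setTokenType(str);
        accessTokenDO.setTokenState("ACTIVE");
        accessTokenDO.setTokenId(uuid);
        accessTokenDO.setGrantType(oAuth2AccessTokenReqDTO.getGrantType());
        accessTokenDO.setIssuedTime(timestamp);
        accessTokenDO.setTokenBinding(oAuthTokenReqMessageContext.getTokenBinding());
        if (OAuth2ServiceComponentHolder.isConsentedTokenColumnEnabled()) {
            String grantType = refreshTokenValidationDataDO.getGrantType();
            if (RefreshTokenValidator.TOKEN_TYPE.equals(grantType)) {
                // Previous token came from a refresh too: inherit its consent flag rather than re-deriving it.
                accessTokenDO.setIsConsentedToken(OAuth2Util.getAccessTokenDOFromTokenIdentifier(refreshTokenValidationDataDO.getAccessToken(), false).isConsentedToken());
            } else if (OIDCClaimUtil.isConsentBasedClaimFilteringApplicable(grantType)) {
                accessTokenDO.setIsConsentedToken(true);
            }
            if (accessTokenDO.isConsentedToken()) {
                oAuthTokenReqMessageContext.setConsentedToken(true);
            }
        }
        return accessTokenDO;
    }

    /**
     * Requires that the validation data carries a persisted access token.
     *
     * @param refreshTokenValidationDataDO result of the refresh-token lookup
     * @param str client id, used only in the debug message
     * @return {@code true} when an access token is present
     * @throws IdentityOAuth2Exception if no access token is present
     */
    private boolean validatePersistedAccessToken(RefreshTokenValidationDataDO refreshTokenValidationDataDO, String str) throws IdentityOAuth2Exception {
        if (refreshTokenValidationDataDO.getAccessToken() != null) {
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug(String.format("Invalid Refresh Token provided for Client with Client Id : %s", str));
        }
        throw new IdentityOAuth2Exception("Persisted access token data not found");
    }

    /**
     * Decides whether the presented refresh token is the most recent one for the grant.
     *
     * <p>A token in state {@code ACTIVE} is accepted immediately. Otherwise the latest
     * {@link #LAST_ACCESS_TOKEN_RETRIEVAL_LIMIT} access tokens are fetched and the presented
     * token is accepted only if it matches one whose state is {@code ACTIVE} or expired.
     *
     * @param oAuth2AccessTokenReqDTO request DTO carrying the presented refresh token
     * @param refreshTokenValidationDataDO validation data for that token
     * @param str forwarded to the latest-token lookup (presumably the user store domain; confirm)
     * @return {@code true} if the token is the latest, {@code false} otherwise
     * @throws IdentityOAuth2Exception if no previous access tokens are found or the lookup fails
     */
    @Override
    public boolean isLatestRefreshToken(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO, RefreshTokenValidationDataDO refreshTokenValidationDataDO, String str) throws IdentityOAuth2Exception {
        if (log.isDebugEnabled()) {
            if (IdentityUtil.isTokenLoggable("RefreshToken")) {
                log.debug(String.format("Evaluating refresh token. Token value(hashed): %s, Token state: %s", DigestUtils.sha256Hex(oAuth2AccessTokenReqDTO.getRefreshToken()), refreshTokenValidationDataDO.getRefreshTokenState()));
            } else {
                log.debug(String.format("Evaluating refresh token. Token state: %s", refreshTokenValidationDataDO.getRefreshTokenState()));
            }
        }
        if ("ACTIVE".equals(refreshTokenValidationDataDO.getRefreshTokenState())) {
            return true;
        }
        for (AccessTokenDO accessTokenDO : getAccessTokenBeans(oAuth2AccessTokenReqDTO, refreshTokenValidationDataDO, str)) {
            if (oAuth2AccessTokenReqDTO.getRefreshToken() != null && oAuth2AccessTokenReqDTO.getRefreshToken().equals(accessTokenDO.getRefreshToken()) && ("ACTIVE".equals(accessTokenDO.getTokenState()) || Constants.EXPIRED.equals(accessTokenDO.getTokenState()))) {
                return true;
            }
        }
        if (log.isDebugEnabled()) {
            // The rejection path used to write the raw refresh token to the debug log. A stale
            // token is still a credential worth protecting (and a signal of possible replay), so
            // it follows the same policy as the entry log above: digest only, and only if loggable.
            if (IdentityUtil.isTokenLoggable("RefreshToken")) {
                log.debug(String.format("Refresh token (hashed): %s is not the latest", DigestUtils.sha256Hex(oAuth2AccessTokenReqDTO.getRefreshToken())));
            } else {
                log.debug("Refresh token is not the latest");
            }
        }
        return false;
    }

    /**
     * Fetches the most recent access tokens for the client, user, scope and token binding of the
     * token being refreshed.
     *
     * @param oAuth2AccessTokenReqDTO request DTO supplying the client id
     * @param refreshTokenValidationDataDO supplies user, scope and token binding reference
     * @param str forwarded to the DAO (presumably the user store domain; confirm)
     * @return a non-empty list of recent access tokens
     * @throws IdentityOAuth2Exception if the DAO returns {@code null} or an empty list
     */
    private List<AccessTokenDO> getAccessTokenBeans(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO, RefreshTokenValidationDataDO refreshTokenValidationDataDO, String str) throws IdentityOAuth2Exception {
        List<AccessTokenDO> latestAccessTokens = OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO().getLatestAccessTokens(oAuth2AccessTokenReqDTO.getClientId(), refreshTokenValidationDataDO.getAuthorizedUser(), str, OAuth2Util.buildScopeString(refreshTokenValidationDataDO.getScope()), refreshTokenValidationDataDO.getTokenBindingReference(), true, LAST_ACCESS_TOKEN_RETRIEVAL_LIMIT);
        if (latestAccessTokens != null && !latestAccessTokens.isEmpty()) {
            return latestAccessTokens;
        }
        if (log.isDebugEnabled()) {
            log.debug(String.format("No previous access tokens found. User: %s, client: %s, scope: %s", refreshTokenValidationDataDO.getAuthorizedUser(), oAuth2AccessTokenReqDTO.getClientId(), OAuth2Util.buildScopeString(refreshTokenValidationDataDO.getScope())));
        }
        throw new IdentityOAuth2Exception("No previous access tokens found");
    }

    /**
     * Moves the authorization-grant cache entry of the previous access token to the new one, so
     * user attributes cached for the old token stay available under the new token.
     *
     * <p>Does nothing when the previous token data has no access token or no cache entry exists.
     *
     * @param accessTokenDO the newly issued access token
     * @param oAuthTokenReqMessageContext context holding the previous token data under {@link #PREV_ACCESS_TOKEN}
     */
    @Override
    public void addUserAttributesToCache(AccessTokenDO accessTokenDO, OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        RefreshTokenValidationDataDO refreshTokenValidationDataDO = (RefreshTokenValidationDataDO) oAuthTokenReqMessageContext.getProperty(PREV_ACCESS_TOKEN);
        if (refreshTokenValidationDataDO.getAccessToken() == null) {
            return;
        }
        AuthorizationGrantCacheKey authorizationGrantCacheKey = new AuthorizationGrantCacheKey(refreshTokenValidationDataDO.getAccessToken());
        if (log.isDebugEnabled()) {
            // NOTE(review): this message prints the NEW token id, while the lookup below uses the
            // previous token id; confirm which id the message is meant to show.
            log.debug("Getting AuthorizationGrantCacheEntry using access token id: " + accessTokenDO.getTokenId());
        }
        AuthorizationGrantCacheEntry valueFromCacheByTokenId = AuthorizationGrantCache.getInstance().getValueFromCacheByTokenId(authorizationGrantCacheKey, refreshTokenValidationDataDO.getTokenId());
        if (valueFromCacheByTokenId != null) {
            if (log.isDebugEnabled()) {
                log.debug("Getting user attributes cached against the previous access token with access token id: " + refreshTokenValidationDataDO.getTokenId());
            }
            AuthorizationGrantCacheKey authorizationGrantCacheKey2 = new AuthorizationGrantCacheKey(accessTokenDO.getAccessToken());
            if (StringUtils.isNotBlank(accessTokenDO.getTokenId())) {
                valueFromCacheByTokenId.setTokenId(accessTokenDO.getTokenId());
            } else {
                valueFromCacheByTokenId.setTokenId(null);
            }
            // Cache validity is set in nanoseconds; the token carries its validity in milliseconds.
            valueFromCacheByTokenId.setValidityPeriod(TimeUnit.MILLISECONDS.toNanos(accessTokenDO.getValidityPeriodInMillis()));
            // Drop the entry keyed by the old token before re-adding it under the new token.
            AuthorizationGrantCache.getInstance().clearCacheEntryByTokenId(authorizationGrantCacheKey, refreshTokenValidationDataDO.getTokenId());
            AuthorizationGrantCache.getInstance().addToCacheByToken(authorizationGrantCacheKey2, valueFromCacheByTokenId);
        }
    }
}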
