package org.wso2.carbon.identity.oauth2.validators;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.TreeMap;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.tokenprocessor.TokenProvider;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.authcontext.AuthorizationContextTokenGenerator;
import org.wso2.carbon.identity.oauth2.dto.OAuth2ClientApplicationDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2IntrospectionResponseDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationRequestDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationResponseDTO;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.internal.OAuthApplicationMgtListener;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/validators/TokenValidationHandler.class */
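/**
 * Central entry point for OAuth2 token validation and introspection.
 *
 * <p>A case-insensitive registry maps a token type (e.g. "Bearer") to an {@link OAuth2TokenValidator}.
 * The two built-in validators ({@link DefaultOAuth2TokenValidator}, {@link RefreshTokenValidator}) are
 * always registered. Further validator classes, and the optional
 * {@link AuthorizationContextTokenGenerator}, are named in server configuration and instantiated
 * reflectively in the constructor: whoever can edit that configuration chooses the code loaded here,
 * so the configuration must be treated as trusted input.
 *
 * <p>Thread-safety: the registry is a plain {@link TreeMap}. It is populated in the private
 * constructor; {@link #addTokenValidator(String, OAuth2TokenValidator)} mutates it afterwards without
 * synchronization, so validators should be registered before validation traffic starts
 * (NOTE(review): confirm this holds for all callers).
 */
public class TokenValidationHandler {

    private static final Log log = LogFactory.getLog(TokenValidationHandler.class);

    private static final String BEARER_TOKEN_TYPE = "Bearer";
    private static final String BEARER_TOKEN_TYPE_JWT = "jwt";
    private static final String BUILD_FQU_FROM_SP_CONFIG = "OAuth.BuildSubjectIdentifierFromSPConfig";
    private static final String ENABLE_JWT_TOKEN_VALIDATION = "OAuth.EnableJWTTokenValidationDuringIntrospection";

    /** Message-context property names shared with the registered validators. */
    private static final String ACCESS_TOKEN_DO = "AccessTokenDO";
    private static final String REFRESH_TOKEN_DO = "RefreshTokenDO";

    /**
     * Rejection message used both when no active token exists and when the token belongs to another
     * tenant while cross-tenant introspection is disabled. Deliberately identical in both cases so a
     * caller cannot learn whether a token exists in a tenant it is not allowed to introspect.
     */
    private static final String ACTIVE_TOKEN_NOT_FOUND = "Invalid Access Token. ACTIVE access token is not found.";

    /** Lazily created singleton; volatile so the double-checked locking in getInstance() is sound. */
    private static volatile TokenValidationHandler instance = null;

    /** Optional generator for the authorization-context token; null when disabled or failed to initialize. */
    AuthorizationContextTokenGenerator tokenGenerator;
    /** Token type (case-insensitive) to validator. */
    private final Map<String, OAuth2TokenValidator> tokenValidators = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    /** Retained from the original; not read anywhere in this class. */
    private TokenProvider tokenValidationProcessor;

    /**
     * Registers the built-in validators, the configured extra validators and, if enabled, the
     * authorization-context token generator. Failures to load a configured class are logged and
     * that entry is skipped; they never abort construction.
     */
    private TokenValidationHandler() {
        this.tokenGenerator = null;
        this.tokenValidators.put(DefaultOAuth2TokenValidator.TOKEN_TYPE, new DefaultOAuth2TokenValidator());
        this.tokenValidators.put(RefreshTokenValidator.TOKEN_TYPE, new RefreshTokenValidator());
        // Additional validators are loaded by class name from server configuration (trusted input).
        for (Map.Entry<String, String> entry : OAuthServerConfiguration.getInstance().getTokenValidatorClassNames().entrySet()) {
            String tokenType = entry.getKey();
            String className = entry.getValue();
            try {
                Class<?> validatorClass = Thread.currentThread().getContextClassLoader().loadClass(className);
                this.tokenValidators.put(tokenType, (OAuth2TokenValidator) validatorClass.newInstance());
            } catch (ClassNotFoundException e) {
                log.error("Class not in build path " + className, e);
            } catch (IllegalAccessException e) {
                log.error("Class access error " + className, e);
            } catch (InstantiationException e) {
                log.error("Class initialization error " + className, e);
            }
        }
        if (OAuthServerConfiguration.getInstance().isAuthContextTokGenEnabled()) {
            String generatorClassName = OAuthServerConfiguration.getInstance().getTokenGeneratorImplClass();
            try {
                AuthorizationContextTokenGenerator generator = (AuthorizationContextTokenGenerator) getClass().getClassLoader().loadClass(generatorClassName).newInstance();
                generator.init();
                // Publish only after init() succeeded, so a half-initialized generator is never used.
                this.tokenGenerator = generator;
                if (log.isDebugEnabled()) {
                    log.debug("An instance of " + generatorClassName + " is created for OAuthServerConfiguration.");
                }
            } catch (ClassNotFoundException e) {
                log.error("Class not found: " + generatorClassName, e);
            } catch (IllegalAccessException e) {
                log.error("Illegal access to: " + generatorClassName, e);
            } catch (InstantiationException e) {
                log.error("Error while instantiating: " + generatorClassName, e);
            } catch (IdentityOAuth2Exception e) {
                log.error("Error while initializing: " + generatorClassName, e);
            }
        }
        this.tokenValidationProcessor = OAuth2ServiceComponentHolder.getInstance().getTokenProvider();
    }

    /**
     * Returns the shared handler, creating it on first use.
     *
     * @return the singleton instance
     */
    public static TokenValidationHandler getInstance() {
        if (instance == null) {
            synchronized (TokenValidationHandler.class) {
                if (instance == null) {
                    instance = new TokenValidationHandler();
                }
            }
        }
        return instance;
    }

    /**
     * Registers (or replaces) the validator for a token type. Type matching is case-insensitive.
     * The registry is not synchronized; register before validation traffic starts.
     *
     * @param str                  token type key
     * @param oAuth2TokenValidator validator to use for that type
     */
    public void addTokenValidator(String str, OAuth2TokenValidator oAuth2TokenValidator) {
        this.tokenValidators.put(str, oAuth2TokenValidator);
    }

    /**
     * Validates the access token in the request.
     *
     * @param oAuth2TokenValidationRequestDTO the validation request
     * @return the validation response; never null, {@code isValid()} false on rejection
     * @throws IdentityOAuth2Exception on a server-side failure while resolving user or application data
     */
    public OAuth2TokenValidationResponseDTO validate(OAuth2TokenValidationRequestDTO oAuth2TokenValidationRequestDTO) throws IdentityOAuth2Exception {
        return findOAuthConsumerIfTokenIsValid(oAuth2TokenValidationRequestDTO).getAccessTokenValidationResponse();
    }

    /**
     * Validates the access token and, on success, returns the consumer key it was issued to.
     *
     * <p>Rejections (missing token, unsupported type, expired, delegation/scope/validator failure) are
     * reported through the response DTO, not by exception.
     *
     * <p>NOTE(review): unlike {@link #validateAccessToken}, this path applies no cross-tenant check on
     * the token owner; confirm that callers of this deprecated API restrict tenant scope themselves.
     *
     * @param oAuth2TokenValidationRequestDTO the validation request
     * @return client application DTO carrying the validation response and, if valid, the consumer key
     * @throws IdentityOAuth2Exception on a server-side failure while resolving user or application data
     * @deprecated use {@link #buildIntrospectionResponse(OAuth2TokenValidationRequestDTO)}
     */
    @Deprecated
    public OAuth2ClientApplicationDTO findOAuthConsumerIfTokenIsValid(OAuth2TokenValidationRequestDTO oAuth2TokenValidationRequestDTO) throws IdentityOAuth2Exception {
        OAuth2ClientApplicationDTO clientApp = new OAuth2ClientApplicationDTO();
        OAuth2TokenValidationResponseDTO validationResponse = new OAuth2TokenValidationResponseDTO();
        OAuth2TokenValidationMessageContext messageContext = new OAuth2TokenValidationMessageContext(oAuth2TokenValidationRequestDTO, validationResponse);
        try {
            OAuth2TokenValidator validator = findAccessTokenValidator(oAuth2TokenValidationRequestDTO.getAccessToken());
            AccessTokenDO accessTokenDO = OAuth2ServiceComponentHolder.getInstance().getTokenProvider().getVerifiedAccessToken(oAuth2TokenValidationRequestDTO.getAccessToken().getIdentifier(), false);
            if (accessTokenDO == null) {
                // Previously dereferenced unchecked; a missing token is a rejection, not a crash.
                return buildClientAppErrorResponse(ACTIVE_TOKEN_NOT_FOUND);
            }
            if (hasAccessTokenExpired(accessTokenDO)) {
                return buildClientAppErrorResponse("Access token expired");
            }
            validationResponse.setExpiryTime(getAccessTokenExpirationTime(accessTokenDO));
            messageContext.addProperty(ACCESS_TOKEN_DO, accessTokenDO);
            if (!validator.validateAccessDelegation(messageContext)) {
                return buildClientAppErrorResponse("Invalid access delegation");
            }
            if (!validator.validateScope(messageContext)) {
                return buildClientAppErrorResponse("Scope validation failed at app level");
            }
            if (!validator.validateAccessToken(messageContext)) {
                return buildClientAppErrorResponse("OAuth2 access token validation failed");
            }
            validationResponse.setAuthorizedUser(getAuthzUser(accessTokenDO));
            validationResponse.setScope(accessTokenDO.getScope());
            validationResponse.setValid(true);
            validationResponse.setTokenBinding(accessTokenDO.getTokenBinding());
            if (this.tokenGenerator != null) {
                this.tokenGenerator.generateToken(messageContext);
                if (log.isDebugEnabled()) {
                    log.debug(this.tokenGenerator.getClass().getName() + " generated token set to response");
                }
            }
            clientApp.setAccessTokenValidationResponse(validationResponse);
            clientApp.setConsumerKey(accessTokenDO.getConsumerKey());
            return clientApp;
        } catch (IllegalArgumentException e) {
            // Thrown for structurally invalid requests and unknown tokens; its message is returned to the caller.
            return buildClientAppErrorResponse(e.getMessage());
        }
    }

    /**
     * Builds an RFC 7662 style introspection response for the token in the request.
     *
     * <p>Candidate validators are tried in order (requested type first, then all others); the first
     * one whose {@code validateAccessToken} passes and whose detailed validation yields an active
     * response wins. A validator that is neither a {@link DefaultOAuth2TokenValidator} nor a
     * {@link RefreshTokenValidator} leaves the response untouched. If no validator produces an active
     * response, the last validator error is returned; if the only failures were exceptions, they are
     * surfaced as an {@link IdentityOAuth2Exception}.
     *
     * @param oAuth2TokenValidationRequestDTO the introspection request
     * @return the introspection response; {@code isActive()} false on rejection
     * @throws IdentityOAuth2Exception if validation failed with a system error
     */
    public OAuth2IntrospectionResponseDTO buildIntrospectionResponse(OAuth2TokenValidationRequestDTO oAuth2TokenValidationRequestDTO) throws IdentityOAuth2Exception {
        OAuth2TokenValidationResponseDTO validationResponse = new OAuth2TokenValidationResponseDTO();
        OAuth2IntrospectionResponseDTO introspectionResponse = new OAuth2IntrospectionResponseDTO();
        OAuth2TokenValidationMessageContext messageContext = new OAuth2TokenValidationMessageContext(oAuth2TokenValidationRequestDTO, validationResponse);
        OAuth2TokenValidationRequestDTO.OAuth2AccessToken accessToken = oAuth2TokenValidationRequestDTO.getAccessToken();
        try {
            // A request without a token used to fail with an NPE; reject it like the deprecated path does.
            requireAccessToken(accessToken);
            boolean jwtValidation = isJWTTokenValidation(accessToken.getIdentifier());
            List<OAuth2TokenValidator> candidates = selectValidators(accessToken.getTokenType(), jwtValidation);

            AccessTokenDO verifiedAccessToken = OAuth2ServiceComponentHolder.getInstance().getTokenProvider().getVerifiedAccessToken(accessToken.getIdentifier(), true);
            if (verifiedAccessToken != null) {
                messageContext.addProperty(ACCESS_TOKEN_DO, verifiedAccessToken);
            }
            Exception lastFailure = null;
            for (OAuth2TokenValidator validator : candidates) {
                try {
                    if (!validator.validateAccessToken(messageContext)) {
                        continue;
                    }
                    if (validator instanceof DefaultOAuth2TokenValidator) {
                        introspectionResponse = validateAccessToken(messageContext, oAuth2TokenValidationRequestDTO, validator);
                    } else if (validator instanceof RefreshTokenValidator) {
                        introspectionResponse = validateRefreshToken(messageContext, oAuth2TokenValidationRequestDTO, validator);
                    }
                    if (log.isDebugEnabled()) {
                        log.debug("Introspecting token of the application:" + introspectionResponse.getClientId() + " using the token validator " + validator.getClass().getName());
                    }
                    if (introspectionResponse.isActive()) {
                        if (log.isDebugEnabled()) {
                            log.debug("Introspecting token is active for the application:" + introspectionResponse.getClientId());
                        }
                        introspectionResponse.setTokenType(validator.getTokenType());
                        break;
                    }
                } catch (Exception e) {
                    // Keep trying the remaining validators; only the last failure is reported.
                    lastFailure = e;
                }
            }
            if (!introspectionResponse.isActive()) {
                if (introspectionResponse.getError() != null) {
                    LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", (Map) null, "FAILED", introspectionResponse.getError(), "validate-token", (Map) null);
                    return introspectionResponse;
                }
                if (lastFailure == null) {
                    return buildIntrospectionErrorResponse("Token validation failed");
                }
                LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", (Map) null, "FAILED", "System error occurred.", "validate-token", (Map) null);
                throw new IdentityOAuth2Exception("Error occurred while validating token.", lastFailure);
            }
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                Map<String, Object> diagnosticParams = new HashMap<>();
                diagnosticParams.put("client_id", introspectionResponse.getClientId());
                // The thread-local map may be absent; Optional.of() here used to NPE on the success path.
                Map<String, Object> threadLocalProps = (Map<String, Object>) IdentityUtil.threadLocalProperties.get();
                if (threadLocalProps != null && threadLocalProps.get("TenantNameFromContext") != null) {
                    diagnosticParams.put("tenant domain", threadLocalProps.get("TenantNameFromContext"));
                }
                LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", diagnosticParams, "SUCCESS", "Token is successfully validated.", "validate-token", (Map) null);
            }
            if (introspectionResponse.getUsername() != null) {
                validationResponse.setAuthorizedUser(introspectionResponse.getUsername());
            }
            // The authorization-context token is only generated when the caller asked for claims.
            if (this.tokenGenerator != null && oAuth2TokenValidationRequestDTO.getRequiredClaimURIs() != null) {
                this.tokenGenerator.generateToken(messageContext);
                if (log.isDebugEnabled()) {
                    log.debug(this.tokenGenerator.getClass().getName() + " generated token set to response");
                }
                if (validationResponse.getAuthorizationContextToken() != null) {
                    introspectionResponse.setUserContext(validationResponse.getAuthorizationContextToken().getTokenString());
                }
            }
            introspectionResponse.getProperties().put(OAuth2Util.OAUTH2_VALIDATION_MESSAGE_CONTEXT, messageContext);
            return introspectionResponse;
        } catch (IllegalArgumentException e) {
            return buildIntrospectionErrorResponse(e.getMessage());
        }
    }

    /**
     * Orders the candidate validators for an introspection: the validator registered for the
     * requested type first, then every other registered validator. When JWT validation applies, the
     * plain "Bearer" validator is left out (see {@link #isSkipValidatorForJWT}). Each validator
     * appears at most once, even when the requested type matches its key only case-insensitively.
     *
     * @param requestedTokenType token type from the request; may be null
     * @param jwtValidation      whether the token is being treated as a JWT
     * @return the validators to try, in order
     */
    private List<OAuth2TokenValidator> selectValidators(String requestedTokenType, boolean jwtValidation) {
        List<OAuth2TokenValidator> candidates = new ArrayList<>();
        OAuth2TokenValidator preferred = null;
        if (requestedTokenType != null) {
            preferred = this.tokenValidators.get(requestedTokenType);
            if (preferred != null && !isSkipValidatorForJWT(preferred, jwtValidation)) {
                candidates.add(preferred);
            }
        }
        for (OAuth2TokenValidator validator : this.tokenValidators.values()) {
            // Null check first: isSkipValidatorForJWT dereferences the validator.
            if (validator == null || validator == preferred || isSkipValidatorForJWT(validator, jwtValidation)) {
                continue;
            }
            candidates.add(validator);
        }
        return candidates;
    }

    /**
     * Introspects the request token as a refresh token.
     *
     * <p>NOTE(review): no tenant check is applied on this path, unlike
     * {@link #validateAccessToken}; confirm whether cross-tenant refresh-token introspection is intended.
     *
     * @return an active response with exp/iat/nbf/scope/username/client_id, or an inactive one
     * @throws IdentityOAuth2Exception on a server-side failure resolving the user
     */
    private OAuth2IntrospectionResponseDTO validateRefreshToken(OAuth2TokenValidationMessageContext messageContext, OAuth2TokenValidationRequestDTO request, OAuth2TokenValidator validator) throws IdentityOAuth2Exception {
        OAuth2IntrospectionResponseDTO response = new OAuth2IntrospectionResponseDTO();
        try {
            AccessTokenDO refreshToken = findRefreshToken(request.getAccessToken().getIdentifier());
            if (refreshToken == null) {
                LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", (Map) null, "FAILED", "Provided token is not a valid refresh token.", "validate-refresh-token", (Map) null);
                response.setActive(false);
                return response;
            }
            if (hasRefreshTokenExpired(refreshToken)) {
                LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", (Map) null, "FAILED", "Token is expired.", "validate-refresh-token", (Map) null);
                response.setActive(false);
                return response;
            }
            long issuedMillis = refreshToken.getRefreshTokenIssuedTime().getTime();
            long validityMillis = refreshToken.getRefreshTokenValidityPeriodInMillis();
            // A negative validity means "never expires" (see hasRefreshTokenExpired); report it the same
            // way the access-token path does instead of an exp earlier than iat.
            if (validityMillis < 0 || validityMillis + issuedMillis < 0) {
                response.setExp(Long.MAX_VALUE);
            } else {
                response.setExp((validityMillis + issuedMillis) / 1000);
            }
            response.setIat(issuedMillis / 1000);
            response.setNbf(issuedMillis / 1000);
            response.setScope(OAuth2Util.buildScopeString(refreshToken.getScope()));
            response.setUsername(getAuthzUser(refreshToken));
            response.setClientId(refreshToken.getConsumerKey());
            messageContext.addProperty(REFRESH_TOKEN_DO, refreshToken);
            response.setAuthorizedUser(refreshToken.getAuthzUser());
            if (!validator.validateAccessDelegation(messageContext)) {
                return buildIntrospectionErrorResponse("Invalid access delegation");
            }
            if (!validator.validateScope(messageContext)) {
                return buildIntrospectionErrorResponse("Scope validation failed");
            }
            response.setActive(true);
            return response;
        } catch (IllegalArgumentException e) {
            LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", (Map) null, "FAILED", "Provided token is not a valid refresh token.", "validate-refresh-token", (Map) null);
            return buildIntrospectionErrorResponse(e.getMessage());
        }
    }

    /**
     * Introspects the request token as an access token.
     *
     * <p>For a locally stored token the token is loaded, the tenant boundary is enforced (unless
     * cross-tenant introspection is allowed), and scopes that server configuration lists as globally
     * allowed are split off so that application-level scope validation only sees the remaining ones;
     * they are added back to the response once validation passed. For a remote token (message-context
     * property {@code REMOTE_ACCESS_TOKEN} is "true") the claims already placed in the message context
     * by the validator are copied instead. JWT claims (sub/iss/aud/jti/nbf) are copied when the
     * validator flagged the token as a JWT.
     *
     * @return an active response, or an inactive one carrying the rejection reason
     * @throws IdentityOAuth2Exception on a server-side failure resolving the user
     */
    private OAuth2IntrospectionResponseDTO validateAccessToken(OAuth2TokenValidationMessageContext messageContext, OAuth2TokenValidationRequestDTO request, OAuth2TokenValidator validator) throws IdentityOAuth2Exception {
        OAuth2IntrospectionResponseDTO response = new OAuth2IntrospectionResponseDTO();
        AccessTokenDO accessTokenDO = null;
        // Token scopes that server configuration marks as always allowed; bypass app-level scope validation.
        List<String> globallyAllowedScopes = new ArrayList<>();
        boolean remoteToken = "true".equalsIgnoreCase((String) messageContext.getProperty(OAuth2Util.REMOTE_ACCESS_TOKEN));
        if (!remoteToken) {
            try {
                String requestTenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
                accessTokenDO = OAuth2ServiceComponentHolder.getInstance().getTokenProvider().getVerifiedAccessToken(request.getAccessToken().getIdentifier(), false);
                if (accessTokenDO == null) {
                    // Previously fell through to an NPE; treat an absent token as not found.
                    throw new IllegalArgumentException(ACTIVE_TOKEN_NOT_FOUND);
                }
                if (!OAuthServerConfiguration.getInstance().isCrossTenantTokenIntrospectionAllowed()
                        && !requestTenantDomain.equalsIgnoreCase(accessTokenDO.getAuthzUser().getTenantDomain())) {
                    // Same message as "not found" on purpose: do not reveal that the token exists in another tenant.
                    throw new IllegalArgumentException(ACTIVE_TOKEN_NOT_FOUND);
                }
                List<String> configuredAllowedScopes = OAuthServerConfiguration.getInstance().getAllowedScopes();
                String[] tokenScopes = accessTokenDO.getScope();
                if (tokenScopes != null) {
                    List<String> scopesToValidate = new ArrayList<>();
                    for (String scope : tokenScopes) {
                        if (OAuth2Util.isAllowedScope(configuredAllowedScopes, scope)) {
                            globallyAllowedScopes.add(scope);
                        } else {
                            scopesToValidate.add(scope);
                        }
                    }
                    accessTokenDO.setScope(scopesToValidate.toArray(new String[0]));
                }
                if (hasAccessTokenExpired(accessTokenDO)) {
                    LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", (Map) null, "FAILED", "Access token is expired.", "validate-access-token", (Map) null);
                    response.setActive(false);
                    return response;
                }
                response.setExp(introspectionExpirySeconds(accessTokenDO));
                long issuedMillis = accessTokenDO.getIssuedTime().getTime();
                response.setIat(issuedMillis / 1000);
                response.setNbf(issuedMillis / 1000);
                response.setScope(OAuth2Util.buildScopeString(accessTokenDO.getScope()));
                response.setUsername(getAuthzUser(accessTokenDO));
                response.setClientId(accessTokenDO.getConsumerKey());
                if (accessTokenDO.getTokenBinding() != null) {
                    response.setBindingType(accessTokenDO.getTokenBinding().getBindingType());
                    response.setBindingReference(accessTokenDO.getTokenBinding().getBindingReference());
                }
                if (accessTokenDO.getTokenType() != null) {
                    response.setAut(accessTokenDO.getTokenType());
                }
                messageContext.addProperty(ACCESS_TOKEN_DO, accessTokenDO);
                response.setAuthorizedUser(accessTokenDO.getAuthzUser());
            } catch (IllegalArgumentException e) {
                LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", (Map) null, "FAILED", "Provided token is not a valid access token.", "validate-access-token", (Map) null);
                return buildIntrospectionErrorResponse(e.getMessage());
            }
        } else {
            // Claims were set on the message context by the validator. A non-numeric exp/iat throws
            // NumberFormatException, which the caller reports as a system error rather than an inactive token.
            String exp = (String) messageContext.getProperty(OAuth2Util.EXP);
            if (exp != null) {
                response.setExp(Long.parseLong(exp));
            }
            String iat = (String) messageContext.getProperty(OAuth2Util.IAT);
            if (iat != null) {
                response.setIat(Long.parseLong(iat));
            }
            String scope = (String) messageContext.getProperty("scope");
            if (scope != null) {
                response.setScope(scope);
            }
            String username = (String) messageContext.getProperty(OAuth2Util.USERNAME);
            if (username != null) {
                response.setUsername(username);
            }
            String clientId = (String) messageContext.getProperty("client_id");
            if (clientId != null) {
                response.setClientId(clientId);
            }
        }
        if ("true".equalsIgnoreCase((String) messageContext.getProperty(OAuth2Util.JWT_ACCESS_TOKEN))) {
            String sub = (String) messageContext.getProperty(OAuth2Util.SUB);
            if (sub != null) {
                response.setSub(sub);
            }
            String iss = (String) messageContext.getProperty("iss");
            if (iss != null) {
                response.setIss(iss);
            }
            String aud = (String) messageContext.getProperty("aud");
            if (aud != null) {
                response.setAud(aud);
            }
            String jti = (String) messageContext.getProperty(OAuth2Util.JTI);
            if (jti != null) {
                response.setJti(jti);
            }
            String nbf = (String) messageContext.getProperty(OAuth2Util.NBF);
            if (nbf != null) {
                response.setNbf(Long.parseLong(nbf));
            }
        }
        if (!validator.validateAccessDelegation(messageContext)) {
            LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", (Map) null, "FAILED", "Invalid access delegation.", "validate-access-token", (Map) null);
            return buildIntrospectionErrorResponse("Invalid access delegation");
        }
        if (!validator.validateScope(messageContext)) {
            LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", (Map) null, "FAILED", "Scope validation failed at application level.", "validate-access-token", (Map) null);
            if (log.isDebugEnabled()) {
                log.debug("Scope validation has failed at app level.");
            }
            return buildIntrospectionErrorResponse("Scope validation failed");
        }
        // Validation passed on the reduced scope set; restore the globally allowed scopes.
        String[] allowed = globallyAllowedScopes.toArray(new String[0]);
        addAllowedScopes(messageContext, allowed);
        if (accessTokenDO != null) {
            addScopesToIntrospectionResponse(response, accessTokenDO, allowed);
        }
        response.setActive(true);
        return response;
    }

    /**
     * Expiry (epoch seconds) to report for a local access token: {@link Long#MAX_VALUE} for a
     * negative (unlimited) validity period or when the sum would overflow, else issued + validity.
     */
    private static long introspectionExpirySeconds(AccessTokenDO accessTokenDO) {
        long validityMillis = accessTokenDO.getValidityPeriodInMillis();
        long issuedMillis = accessTokenDO.getIssuedTime().getTime();
        if (validityMillis < 0 || validityMillis + issuedMillis < 0) {
            return Long.MAX_VALUE;
        }
        return (validityMillis + issuedMillis) / 1000;
    }

    /**
     * Subject identifier to report for the token's user: the federated subject for federated users,
     * otherwise the fully qualified username, or — when {@code OAuth.BuildSubjectIdentifierFromSPConfig}
     * is enabled — the identifier built according to the service provider's local-subject settings.
     *
     * @throws IdentityOAuth2Exception if the service provider for the token's consumer key cannot be loaded
     */
    private String getAuthzUser(AccessTokenDO accessTokenDO) throws IdentityOAuth2Exception {
        AuthenticatedUser authzUser = accessTokenDO.getAuthzUser();
        if (authzUser.isFederatedUser()) {
            return authzUser.getAuthenticatedSubjectIdentifier();
        }
        if (!Boolean.parseBoolean(IdentityUtil.getProperty(BUILD_FQU_FROM_SP_CONFIG))) {
            return authzUser.toFullQualifiedUsername();
        }
        String consumerKey = accessTokenDO.getConsumerKey();
        try {
            ServiceProvider serviceProvider = getServiceProvider(consumerKey);
            return authzUser.getUsernameAsSubjectIdentifier(
                    serviceProvider.getLocalAndOutBoundAuthenticationConfig().isUseUserstoreDomainInLocalSubjectIdentifier(),
                    serviceProvider.getLocalAndOutBoundAuthenticationConfig().isUseTenantDomainInLocalSubjectIdentifier());
        } catch (IdentityApplicationManagementException | InvalidOAuthClientException e) {
            throw new IdentityOAuth2Exception("Error occurred while retrieving OAuth2 application data for client id:" + consumerKey, (Throwable) e);
        }
    }

    /** Loads the service provider registered for the given OAuth client id, in that app's tenant. */
    private ServiceProvider getServiceProvider(String consumerKey) throws IdentityApplicationManagementException, IdentityOAuth2Exception, InvalidOAuthClientException {
        return OAuth2ServiceComponentHolder.getApplicationMgtService().getServiceProviderByClientId(consumerKey, OAuthApplicationMgtListener.OAUTH2, OAuth2Util.getTenantDomainOfOauthApp(consumerKey));
    }

    /** Builds an invalid validation response; the message is returned to the caller, so keep it generic. */
    private OAuth2ClientApplicationDTO buildClientAppErrorResponse(String errorMessage) {
        OAuth2TokenValidationResponseDTO validationResponse = new OAuth2TokenValidationResponseDTO();
        OAuth2ClientApplicationDTO clientApp = new OAuth2ClientApplicationDTO();
        if (log.isDebugEnabled()) {
            log.debug(errorMessage);
        }
        validationResponse.setValid(false);
        validationResponse.setErrorMsg(errorMessage);
        clientApp.setAccessTokenValidationResponse(validationResponse);
        return clientApp;
    }

    /** Builds an inactive introspection response; the message is returned to the caller, so keep it generic. */
    private OAuth2IntrospectionResponseDTO buildIntrospectionErrorResponse(String errorMessage) {
        OAuth2IntrospectionResponseDTO response = new OAuth2IntrospectionResponseDTO();
        if (log.isDebugEnabled()) {
            log.debug(errorMessage);
        }
        response.setActive(false);
        response.setError(errorMessage);
        return response;
    }

    /**
     * Rejects a request that carries no token or no token identifier.
     *
     * @throws IllegalArgumentException with a caller-facing message describing what is missing
     */
    private static void requireAccessToken(OAuth2TokenValidationRequestDTO.OAuth2AccessToken accessToken) {
        if (accessToken == null) {
            throw new IllegalArgumentException("Access token is not present in the validation request");
        }
        if (accessToken.getIdentifier() == null) {
            throw new IllegalArgumentException("Access token identifier is not present in the validation request");
        }
    }

    /**
     * Picks the validator for the deprecated validation path: the "jwt" validator when JWT
     * validation applies, otherwise the one registered for the requested token type.
     *
     * @throws IllegalArgumentException if the token is missing or no validator exists for its type
     *                                  (a null type is reported as unsupported rather than NPE-ing in the map)
     */
    private OAuth2TokenValidator findAccessTokenValidator(OAuth2TokenValidationRequestDTO.OAuth2AccessToken accessToken) throws IdentityOAuth2Exception {
        requireAccessToken(accessToken);
        OAuth2TokenValidator validator;
        if (isJWTTokenValidation(accessToken.getIdentifier())) {
            validator = this.tokenValidators.get(BEARER_TOKEN_TYPE_JWT);
        } else if (accessToken.getTokenType() == null) {
            validator = null;
        } else {
            validator = this.tokenValidators.get(accessToken.getTokenType());
        }
        if (validator == null) {
            throw new IllegalArgumentException("Unsupported access token type: " + accessToken.getTokenType());
        }
        return validator;
    }

    /**
     * Expiry (epoch seconds) for the deprecated validation response: {@link Long#MAX_VALUE} when the
     * token's class is configured with a negative (unlimited) validity or the remaining time is
     * negative, else the remaining time.
     */
    private long getAccessTokenExpirationTime(AccessTokenDO accessTokenDO) {
        long expireMillis = OAuth2Util.getAccessTokenExpireMillis(accessTokenDO, false);
        OAuthServerConfiguration config = OAuthServerConfiguration.getInstance();
        String tokenType = accessTokenDO.getTokenType();
        boolean unlimitedUserToken = "APPLICATION_USER".equals(tokenType) && config.getUserAccessTokenValidityPeriodInSeconds() < 0;
        boolean unlimitedAppToken = "APPLICATION".equals(tokenType) && config.getApplicationAccessTokenValidityPeriodInSeconds() < 0;
        if (unlimitedUserToken || unlimitedAppToken || expireMillis < 0) {
            return Long.MAX_VALUE;
        }
        return expireMillis / 1000;
    }

    /** True when the access token has no remaining lifetime; a negative validity period never expires. */
    private boolean hasAccessTokenExpired(AccessTokenDO accessTokenDO) {
        if (accessTokenDO.getValidityPeriod() < 0) {
            if (log.isDebugEnabled()) {
                log.debug("Access Token has infinite lifetime");
            }
            return false;
        }
        boolean expired = OAuth2Util.getAccessTokenExpireMillis(accessTokenDO, true) == 0;
        if (expired && log.isDebugEnabled()) {
            log.debug("Access Token has expired");
        }
        return expired;
    }

    /** True when the refresh token has no remaining lifetime; a negative validity period never expires. */
    private boolean hasRefreshTokenExpired(AccessTokenDO accessTokenDO) {
        if (accessTokenDO.getRefreshTokenValidityPeriodInMillis() < 0) {
            if (log.isDebugEnabled()) {
                log.debug("Refresh Token has infinite lifetime");
            }
            return false;
        }
        boolean expired = OAuth2Util.getRefreshTokenExpireTimeMillis(accessTokenDO) == 0;
        if (expired && log.isDebugEnabled()) {
            log.debug("Refresh Token has expired");
        }
        return expired;
    }

    /** Looks up a refresh token by its identifier through the token provider. */
    private AccessTokenDO findRefreshToken(String identifier) throws IdentityOAuth2Exception {
        return OAuth2ServiceComponentHolder.getInstance().getTokenProvider().getVerifiedRefreshToken(identifier);
    }

    /** True when JWT validation during introspection is enabled and the identifier parses as a JWT. */
    private boolean isJWTTokenValidation(String identifier) {
        return Boolean.parseBoolean(IdentityUtil.getProperty(ENABLE_JWT_TOKEN_VALIDATION)) && OAuth2Util.isParsableJWT(identifier);
    }

    /** In JWT mode the plain "Bearer" validator is skipped in favour of the JWT-aware one. */
    private boolean isSkipValidatorForJWT(OAuth2TokenValidator validator, boolean jwtValidation) {
        return jwtValidation && BEARER_TOKEN_TYPE.equals(validator.getTokenType());
    }

    /** Appends the globally allowed scopes to the validation response's scope list. */
    private void addAllowedScopes(OAuth2TokenValidationMessageContext messageContext, String[] allowedScopes) {
        messageContext.getResponseDTO().setScope((String[]) ArrayUtils.addAll(messageContext.getResponseDTO().getScope(), allowedScopes));
    }

    /** Sets the introspection scope string to the token's validated scopes plus the globally allowed ones. */
    private void addScopesToIntrospectionResponse(OAuth2IntrospectionResponseDTO response, AccessTokenDO accessTokenDO, String[] allowedScopes) {
        response.setScope(OAuth2Util.buildScopeString((String[]) ArrayUtils.addAll(accessTokenDO.getScope(), allowedScopes)));
    }
}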
