package org.wso2.carbon.identity.oauth2.token.handlers.grant;

import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.OAuthAdminServiceImpl;
import org.wso2.carbon.identity.oauth.OAuthUtil;
import org.wso2.carbon.identity.oauth.cache.OAuthCache;
import org.wso2.carbon.identity.oauth.cache.OAuthCacheKey;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dao.AuthorizationCodeValidationResult;
import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
import org.wso2.carbon.identity.oauth2.device.constants.Constants;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenRespDTO;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.model.AuthzCodeDO;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.openidconnect.OIDCConstants;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/handlers/grant/AuthorizationCodeGrantHandler.class */
public class AuthorizationCodeGrantHandler extends AbstractAuthorizationGrantHandler {
    private static final String AUTHZ_CODE = "AuthorizationCode";
    private static final int ALLOWED_MINIMUM_VALIDITY_PERIOD = 1000;
    private static final Log log = LogFactory.getLog(AuthorizationCodeGrantHandler.class);
    private static final Log diagnosticLog = LogFactory.getLog("diagnostics");

    @Override // org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler, org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler
    public boolean validateGrant(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        super.validateGrant(oAuthTokenReqMessageContext);
        OAuth2AccessTokenReqDTO oauth2AccessTokenReqDTO = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO();
        AuthzCodeDO persistedAuthzCode = getPersistedAuthzCode(oauth2AccessTokenReqDTO);
        validateAuthzCodeFromRequest(persistedAuthzCode, oauth2AccessTokenReqDTO.getClientId(), oauth2AccessTokenReqDTO.getAuthorizationCode());
        try {
            validateCallbackUrlFromRequest(oauth2AccessTokenReqDTO.getCallbackURI(), persistedAuthzCode.getCallbackUrl());
            validatePKCECode(persistedAuthzCode, oauth2AccessTokenReqDTO.getPkceCodeVerifier());
            setPropertiesForTokenGeneration(oAuthTokenReqMessageContext, oauth2AccessTokenReqDTO, persistedAuthzCode);
            oAuthTokenReqMessageContext.addProperty(OIDCConstants.CODE_ID, persistedAuthzCode.getAuthzCodeId());
            revokeAuthorizationCode(persistedAuthzCode);
            if (log.isDebugEnabled()) {
                log.debug("Found Authorization Code for Client : " + oauth2AccessTokenReqDTO.getClientId() + ", authorized user : " + persistedAuthzCode.getAuthorizedUser() + ", scope : " + OAuth2Util.buildScopeString(persistedAuthzCode.getScope()));
            }
            diagnosticLog.info("Found Authorization Code for Client : " + oauth2AccessTokenReqDTO.getClientId() + ", authorized user : " + persistedAuthzCode.getAuthorizedUser() + ", scope : " + OAuth2Util.buildScopeString(persistedAuthzCode.getScope()));
            return true;
        } catch (Throwable th) {
            oAuthTokenReqMessageContext.addProperty(OIDCConstants.CODE_ID, persistedAuthzCode.getAuthzCodeId());
            revokeAuthorizationCode(persistedAuthzCode);
            throw th;
        }
    }

    @Override // org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler, org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler
    public OAuth2AccessTokenRespDTO issue(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        OAuth2AccessTokenRespDTO issue = super.issue(oAuthTokenReqMessageContext);
        String retrieveAuthzCode = retrieveAuthzCode(oAuthTokenReqMessageContext);
        deactivateAuthzCode(oAuthTokenReqMessageContext, issue.getTokenId(), retrieveAuthzCode);
        clearAuthzCodeCache(oAuthTokenReqMessageContext, retrieveAuthzCode);
        return issue;
    }

    private void setPropertiesForTokenGeneration(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO, AuthzCodeDO authzCodeDO) {
        oAuthTokenReqMessageContext.setAuthorizedUser(authzCodeDO.getAuthorizedUser());
        oAuthTokenReqMessageContext.setScope(authzCodeDO.getScope());
        oAuthTokenReqMessageContext.addProperty(AUTHZ_CODE, oAuth2AccessTokenReqDTO.getAuthorizationCode());
    }

    private boolean validateCallbackUrlFromRequest(String str, String str2) throws IdentityOAuth2Exception {
        if (StringUtils.isEmpty(str2)) {
            diagnosticLog.info("Persisted callback URL is empty. Hence callback URL from request validation is successful.");
            return true;
        }
        if (str2.equals(str)) {
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug("Received callback url in the request : " + str + " is not matching with persisted callback url " + str2);
        }
        diagnosticLog.info("Received callback url in the request : " + str + " is not matching with persisted callback url " + str2);
        throw new IdentityOAuth2Exception("Callback url mismatch");
    }

    private void clearAuthzCodeCache(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, String str) {
        if (this.cacheEnabled) {
            String clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
            OAuthCache.getInstance().clearCacheEntry(new OAuthCacheKey(OAuth2Util.buildCacheKeyStringForAuthzCode(clientId, str)));
            if (log.isDebugEnabled()) {
                log.debug("Cache was cleared for authorization code info for client id : " + clientId);
            }
        }
    }

    private void deactivateAuthzCode(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, String str, String str2) throws IdentityOAuth2Exception {
        try {
            AuthzCodeDO authzCodeDO = new AuthzCodeDO();
            authzCodeDO.setAuthorizationCode(str2);
            authzCodeDO.setOauthTokenId(str);
            authzCodeDO.setAuthzCodeId(oAuthTokenReqMessageContext.getProperty(OIDCConstants.CODE_ID).toString());
            OAuthTokenPersistenceFactory.getInstance().getAuthorizationCodeDAO().deactivateAuthorizationCode(authzCodeDO);
            if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable(AUTHZ_CODE)) {
                log.debug("Deactivated authorization code : " + str2);
            }
        } catch (IdentityException e) {
            throw new IdentityOAuth2Exception("Error occurred while deactivating authorization code", (Throwable) e);
        }
    }

    private boolean isExistingTokenUsed(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        if (oAuthTokenReqMessageContext.getProperty("existingTokenUsed") != null) {
            if (log.isDebugEnabled()) {
                log.debug("Token request message context has 'existingTokenUsed' value : " + oAuthTokenReqMessageContext.getProperty("existingTokenUsed").toString());
            }
            return ((Boolean) oAuthTokenReqMessageContext.getProperty("existingTokenUsed")).booleanValue();
        }
        if (!log.isDebugEnabled()) {
            return false;
        }
        log.debug("'existingTokenUsed' property not set in token request message context");
        return false;
    }

    private String retrieveAuthzCode(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        String str = (String) oAuthTokenReqMessageContext.getProperty(AUTHZ_CODE);
        if (str == null) {
            if (log.isDebugEnabled()) {
                log.debug("authorization code is not saved in the token request message context for client : " + oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId());
            }
            str = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getAuthorizationCode();
        }
        return str;
    }

    @Override // org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler, org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler
    public boolean authorizeAccessDelegation(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        return true;
    }

    @Override // org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler
    protected void storeAccessToken(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO, String str, AccessTokenDO accessTokenDO, String str2, AccessTokenDO accessTokenDO2) throws IdentityOAuth2Exception {
        try {
            accessTokenDO.setAuthorizationCode(oAuth2AccessTokenReqDTO.getAuthorizationCode());
            OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO().insertAccessToken(str2, oAuth2AccessTokenReqDTO.getClientId(), accessTokenDO, accessTokenDO2, str);
        } catch (IdentityException e) {
            throw new IdentityOAuth2Exception("Error occurred while storing new access token", (Throwable) e);
        }
    }

    @Override // org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler, org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler
    public boolean issueRefreshToken() throws IdentityOAuth2Exception {
        return OAuthServerConfiguration.getInstance().getValueForIsRefreshTokenAllowed(OAuthAdminServiceImpl.AUTHORIZATION_CODE);
    }

    private AuthzCodeDO getPersistedAuthzCode(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO) throws IdentityOAuth2Exception {
        if (this.cacheEnabled) {
            AuthzCodeDO authzCodeDO = (AuthzCodeDO) OAuthCache.getInstance().getValueFromCache(new OAuthCacheKey(OAuth2Util.buildCacheKeyStringForAuthzCode(oAuth2AccessTokenReqDTO.getClientId(), oAuth2AccessTokenReqDTO.getAuthorizationCode())));
            if (authzCodeDO != null) {
                return authzCodeDO;
            }
            if (log.isDebugEnabled()) {
                log.debug("Authorization Code Info was not available in cache for client id : " + oAuth2AccessTokenReqDTO.getClientId());
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("Retrieving authorization code information from db for client id : " + oAuth2AccessTokenReqDTO.getClientId());
        }
        AuthorizationCodeValidationResult validateAuthorizationCode = OAuthTokenPersistenceFactory.getInstance().getAuthorizationCodeDAO().validateAuthorizationCode(oAuth2AccessTokenReqDTO.getClientId(), oAuth2AccessTokenReqDTO.getAuthorizationCode());
        if (validateAuthorizationCode == null) {
            return null;
        }
        if (!validateAuthorizationCode.isActiveCode()) {
            String accessTokenByTokenId = OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO().getAccessTokenByTokenId(validateAuthorizationCode.getTokenId());
            revokeExistingAccessTokens(validateAuthorizationCode.getTokenId(), validateAuthorizationCode.getAuthzCodeDO());
            clearTokenCache(accessTokenByTokenId, validateAuthorizationCode.getTokenId());
            OAuthUtil.clearOAuthCache(oAuth2AccessTokenReqDTO.getClientId(), (User) validateAuthorizationCode.getAuthzCodeDO().getAuthorizedUser(), OAuth2Util.buildScopeString(validateAuthorizationCode.getAuthzCodeDO().getScope()));
        }
        return validateAuthorizationCode.getAuthzCodeDO();
    }

    private void revokeExistingAccessTokens(String str, AuthzCodeDO authzCodeDO) throws IdentityOAuth2Exception {
        OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO().revokeAccessToken(str, authzCodeDO.getAuthorizedUser().toString());
        if (log.isDebugEnabled()) {
            if (IdentityUtil.isTokenLoggable(AUTHZ_CODE)) {
                log.debug("Validated authorization code(hashed): " + DigestUtils.sha256Hex(authzCodeDO.getAuthorizationCode()) + " for client: " + authzCodeDO.getConsumerKey() + " is not active. So revoking the access tokens issued for the authorization code.");
            } else {
                log.debug("Validated authorization code for client: " + authzCodeDO.getConsumerKey() + " is not active. So revoking the access tokens issued for the authorization code.");
            }
        }
        diagnosticLog.info("Validated authorization code for client: " + authzCodeDO.getConsumerKey() + " is not active. So revoking the access tokens issued for the authorization code.");
    }

    private String buildCacheKeyForToken(String str, AuthzCodeDO authzCodeDO) {
        return OAuth2Util.buildCacheKeyStringForToken(str, OAuth2Util.buildScopeString(authzCodeDO.getScope()), authzCodeDO.getAuthorizedUser().toString(), authzCodeDO.getAuthorizedUser().getFederatedIdPName(), authzCodeDO.getTokenBindingReference());
    }

    private boolean validateAuthzCodeFromRequest(AuthzCodeDO authzCodeDO, String str, String str2) throws IdentityOAuth2Exception {
        if (authzCodeDO == null) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid token request for client id: " + str + "and couldn't find persisted data for authorization code: " + str2);
            }
            diagnosticLog.info("Invalid token request for client id: " + str + "and couldn't find persisted data for authorization code: " + str2);
            throw new IdentityOAuth2Exception("Invalid authorization code received from token request");
        }
        if (isInactiveAuthzCode(authzCodeDO)) {
            clearTokenCache(authzCodeDO, str);
            diagnosticLog.info("Inactive authorization code received from token request");
            throw new IdentityOAuth2Exception("Inactive authorization code received from token request");
        }
        if (!isAuthzCodeExpired(authzCodeDO) && !isAuthzCodeRevoked(authzCodeDO)) {
            return true;
        }
        diagnosticLog.info("Expired or Revoked authorization code received from token request.");
        throw new IdentityOAuth2Exception("Expired or Revoked authorization code received from token request");
    }

    private void clearTokenCache(AuthzCodeDO authzCodeDO, String str) {
        if (this.cacheEnabled) {
            OAuthCache.getInstance().clearCacheEntry(new OAuthCacheKey(buildCacheKeyForToken(str, authzCodeDO)));
            if (log.isDebugEnabled()) {
                log.debug("Removed token from cache for user : " + authzCodeDO.getAuthorizedUser().toString() + ", for client : " + str);
            }
        }
    }

    private void clearTokenCache(String str, String str2) {
        if (this.cacheEnabled) {
            if (str == null) {
                if (log.isDebugEnabled()) {
                    log.debug("Received token alias is null. Skipping clearing token cache with token alias for tokenId : " + str2);
                    return;
                }
                return;
            }
            OAuthCache.getInstance().clearCacheEntry(new OAuthCacheKey(str));
            if (log.isDebugEnabled()) {
                if (IdentityUtil.isTokenLoggable("AccessToken")) {
                    log.debug("Removed token from cache for token alias : " + str);
                } else {
                    log.debug("Removed token from cache for token alias associated with tokenId : " + str2);
                }
            }
        }
    }

    private boolean isInactiveAuthzCode(AuthzCodeDO authzCodeDO) {
        if (!"INACTIVE".equals(authzCodeDO.getState())) {
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Invalid access token request with Client Id : " + authzCodeDO.getConsumerKey() + ", Inactive authorization code : " + authzCodeDO.getAuthorizationCode());
        }
        diagnosticLog.info("Invalid access token request with Client Id : " + authzCodeDO.getConsumerKey() + ", Inactive authorization code : " + authzCodeDO.getAuthorizationCode());
        return true;
    }

    private boolean isAuthzCodeRevoked(AuthzCodeDO authzCodeDO) {
        if (!"REVOKED".equals(authzCodeDO.getState())) {
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Invalid access token request with Client Id : " + authzCodeDO.getConsumerKey() + ", Revoked authorization code : " + authzCodeDO.getAuthorizationCode());
        }
        diagnosticLog.info("Invalid access token request with Client Id : " + authzCodeDO.getConsumerKey() + ", Revoked authorization code : " + authzCodeDO.getAuthorizationCode());
        return true;
    }

    private boolean isAuthzCodeExpired(AuthzCodeDO authzCodeDO) throws IdentityOAuth2Exception {
        if (Constants.EXPIRED.equals(authzCodeDO.getState())) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid access token request with Client Id : " + authzCodeDO.getConsumerKey() + ", Expired authorization code : " + authzCodeDO.getAuthorizationCode());
            }
            diagnosticLog.info("Invalid access token request with Client Id : " + authzCodeDO.getConsumerKey() + ", Expired authorization code : " + authzCodeDO.getAuthorizationCode());
            return true;
        }
        long time = authzCodeDO.getIssuedTime().getTime();
        long validityPeriod = authzCodeDO.getValidityPeriod();
        if (OAuth2Util.getTimeToExpire(time, validityPeriod) >= 1000) {
            return false;
        }
        markAsExpired(authzCodeDO);
        if (!log.isDebugEnabled()) {
            return true;
        }
        log.debug("Authorization Code Issued Time(ms): " + time + ", Validity Period: " + validityPeriod + ", Timestamp Skew: " + (OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000) + ", Current Time: " + System.currentTimeMillis());
        return true;
    }

    private void markAsExpired(AuthzCodeDO authzCodeDO) throws IdentityOAuth2Exception {
        OAuthTokenPersistenceFactory.getInstance().getAuthorizationCodeDAO().updateAuthorizationCodeState(authzCodeDO.getAuthorizationCode(), Constants.EXPIRED);
        if (log.isDebugEnabled()) {
            log.debug("Changed state of authorization code : " + authzCodeDO.getAuthorizationCode() + " to expired");
        }
        diagnosticLog.info("Changed state of authorization code : " + authzCodeDO.getAuthorizationCode() + " to expired");
        if (this.cacheEnabled) {
            OAuthCache.getInstance().clearCacheEntry(new OAuthCacheKey(OAuth2Util.buildCacheKeyStringForAuthzCode(authzCodeDO.getConsumerKey(), authzCodeDO.getAuthorizationCode())));
            if (log.isDebugEnabled()) {
                log.debug("Expired Authorization code issued for client " + authzCodeDO.getConsumerKey() + " was removed from the cache.");
            }
        }
    }

    private boolean validatePKCECode(AuthzCodeDO authzCodeDO, String str) throws IdentityOAuth2Exception {
        if (OAuth2Util.validatePKCE(authzCodeDO.getPkceCodeChallenge(), str, authzCodeDO.getPkceCodeChallengeMethod(), getOAuthAppDO(authzCodeDO.getConsumerKey()))) {
            return true;
        }
        log.warn("Failed PKCE Verification for oAuth 2.0 request");
        if (log.isDebugEnabled()) {
            log.debug("PKCE code verification failed for client : " + authzCodeDO.getConsumerKey());
        }
        diagnosticLog.info("PKCE code verification failed for Client Id : " + authzCodeDO.getConsumerKey());
        throw new IdentityOAuth2Exception("PKCE validation failed");
    }

    private void revokeAuthorizationCode(AuthzCodeDO authzCodeDO) throws IdentityOAuth2Exception {
        OAuthTokenPersistenceFactory.getInstance().getAuthorizationCodeDAO().updateAuthorizationCodeState(authzCodeDO.getAuthorizationCode(), "REVOKED");
        if (log.isDebugEnabled()) {
            log.debug("Changed state of authorization code : " + authzCodeDO.getAuthorizationCode() + " to revoked");
        }
        diagnosticLog.info("Changed state of authorization code : " + authzCodeDO.getAuthorizationCode() + " to revoked.");
        if (this.cacheEnabled) {
            OAuthCache.getInstance().clearCacheEntry(new OAuthCacheKey(OAuth2Util.buildCacheKeyStringForAuthzCode(authzCodeDO.getConsumerKey(), authzCodeDO.getAuthorizationCode())));
            if (log.isDebugEnabled()) {
                log.debug("Revoked Authorization code issued for client " + authzCodeDO.getConsumerKey() + " was removed from the cache.");
            }
        }
    }

    private OAuthAppDO getOAuthAppDO(String str) throws IdentityOAuth2Exception {
        try {
            return OAuth2Util.getAppInformationByClientId(str);
        } catch (InvalidOAuthClientException e) {
            throw new IdentityOAuth2Exception("Error while retrieving app information for client: " + str);
        }
    }
}
