package org.wso2.carbon.identity.oauth2.authz.handlers.util;

import java.sql.Timestamp;
import java.util.Date;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.model.Claim;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheEntry;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheKey;
import org.wso2.carbon.identity.oauth.cache.CacheEntry;
import org.wso2.carbon.identity.oauth.cache.OAuthCache;
import org.wso2.carbon.identity.oauth.cache.OAuthCacheKey;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth.event.OAuthEventInterceptor;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.OAuth2Service;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.bean.OAuthClientAuthnContext;
import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AuthorizeReqDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AuthorizeRespDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuthRevocationResponseDTO;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.model.AuthzCodeDO;
import org.wso2.carbon.identity.oauth2.token.OauthTokenIssuer;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.openidconnect.OIDCConstants;
import org.wso2.carbon.identity.openidconnect.model.Constants;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/authz/handlers/util/ResponseTypeHandlerUtil.class */
public class ResponseTypeHandlerUtil {
    /**
     * Seconds-to-milliseconds multiplier. Note: the methods visible in this class still use the
     * literal {@code 1000} for that conversion rather than this constant.
     */
    public static final int SECOND_TO_MILLISECONDS_FACTOR = 1000;
    private static final Log log = LogFactory.getLog(ResponseTypeHandlerUtil.class);
    // Sampled once at class initialisation and never re-read; gates whether a freshly issued
    // access token is also placed in OAuthCache (see generateNewAccessToken).
    private static boolean isHashDisabled = OAuth2Util.isHashDisabled();

    /**
     * Fires the {@code onPreTokenIssue} hook of the registered OAuth event interceptor proxy, if a
     * proxy is registered and enabled. A listener failure is logged and not propagated, so it
     * cannot abort the issuance flow.
     *
     * @param oAuthAuthzReqMessageContext the authorization request being processed
     */
    public static void triggerPreListeners(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) {
        OAuthEventInterceptor interceptor = OAuthComponentServiceHolder.getInstance().getOAuthEventInterceptorProxy();
        boolean listenerActive = interceptor != null && interceptor.isEnabled();
        if (!listenerActive) {
            return;
        }
        try {
            // The empty map is the listener's parameter bag; nothing in this class populates it.
            interceptor.onPreTokenIssue(oAuthAuthzReqMessageContext, new HashMap<>());
            if (log.isDebugEnabled()) {
                log.debug("Oauth pre token issue listener is triggered.");
            }
        } catch (IdentityOAuth2Exception e) {
            // Logged rather than rethrown: listener problems are not fatal here.
            log.error("Oauth pre token issue listener ", e);
        }
    }

    /**
     * Fires the {@code onPostTokenIssue} hook of the registered OAuth event interceptor proxy with
     * the issued token and the response about to be returned. Skipped when no proxy is registered
     * or it is disabled; a listener failure is logged and not propagated.
     *
     * @param oAuthAuthzReqMessageContext the authorization request that was processed
     * @param accessTokenDO               the token that was issued (or reused)
     * @param oAuth2AuthorizeRespDTO      the response being built for the client
     */
    public static void triggerPostListeners(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, AccessTokenDO accessTokenDO, OAuth2AuthorizeRespDTO oAuth2AuthorizeRespDTO) {
        OAuthEventInterceptor interceptor = OAuthComponentServiceHolder.getInstance().getOAuthEventInterceptorProxy();
        boolean listenerActive = interceptor != null && interceptor.isEnabled();
        if (!listenerActive) {
            return;
        }
        try {
            interceptor.onPostTokenIssue(oAuthAuthzReqMessageContext, accessTokenDO, oAuth2AuthorizeRespDTO, new HashMap<>());
            if (log.isDebugEnabled()) {
                log.debug("Oauth post token issue listener is triggered.");
            }
        } catch (IdentityOAuth2Exception e) {
            // Logged rather than rethrown: listener problems are not fatal here.
            log.error("Oauth post token issue listener ", e);
        }
    }

    /**
     * Issues an access token using the token issuer configured for the client application.
     *
     * <p>If the app-specific issuer cannot be resolved ({@link InvalidOAuthClientException}), the
     * failure is only logged and the server-wide default issuer is used instead.
     * NOTE(review): this is a fail-open fallback, whereas {@code generateAuthorizationCode} in this
     * class throws for the same condition. Confirm that the client has already been validated
     * upstream so an unknown client id cannot reach this point.
     *
     * @param oAuthAuthzReqMessageContext the authorization request context
     * @param z                           whether the token cache should be consulted/populated
     * @return the issued (or reused) access token
     * @throws IdentityOAuth2Exception if token generation fails
     */
    public static AccessTokenDO generateAccessToken(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, boolean z) throws IdentityOAuth2Exception {
        String clientId = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getConsumerKey();
        OauthTokenIssuer issuer;
        try {
            issuer = OAuth2Util.getOAuthTokenIssuerForOAuthApp(clientId);
        } catch (InvalidOAuthClientException e) {
            log.error("Error when instantiating the OAuthIssuer for service provider app with client Id: " + clientId + ". Defaulting to OAuthIssuerImpl", e);
            issuer = OAuthServerConfiguration.getInstance().getIdentityOauthTokenIssuer();
        }
        return generateAccessToken(oAuthAuthzReqMessageContext, z, issuer);
    }

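    /**
     * Issues, or reuses, an access token for the approved scope of the request using the supplied
     * issuer.
     *
     * <p>Issuance for one (consumer key, user id, scope) triple is serialised by locking on the
     * interned key string, so two concurrent requests for the same triple do not both mint a token.
     * When the issuer does not renew tokens per request, an existing token is looked up: if
     * renewal-per-request is enabled server-wide it is revoked first, otherwise it is returned as-is
     * when still valid. In every other case a new token is generated; the existing token (possibly
     * expired) is passed along so its refresh token can be carried over if still valid.
     *
     * @param oAuthAuthzReqMessageContext request context (consumer key, authenticated user, approved scope)
     * @param z                           whether to consult and populate the token cache
     * @param oauthTokenIssuer            issuer used to mint the token strings
     * @return the access token to return to the client
     * @throws IdentityOAuth2Exception if the user id cannot be resolved (the cause is preserved) or
     *                                 lookup/issuance fails
     */
    public static AccessTokenDO generateAccessToken(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, boolean z, OauthTokenIssuer oauthTokenIssuer) throws IdentityOAuth2Exception {
        OAuth2AuthorizeReqDTO authorizationReqDTO = oAuthAuthzReqMessageContext.getAuthorizationReqDTO();
        String scope = OAuth2Util.buildScopeString(oAuthAuthzReqMessageContext.getApprovedScope());
        String consumerKey = authorizationReqDTO.getConsumerKey();
        try {
            String userId = authorizationReqDTO.getUser().getUserId();
            // Interned string as the monitor: one lock per client/user/scope triple.
            // NOTE(review): interned strings are JVM-global, so any other code locking on an equal
            // string contends with this block.
            synchronized ((consumerKey + ":" + userId + ":" + scope).intern()) {
                AccessTokenDO existingToken = getExistingToken(oAuthAuthzReqMessageContext, userId, z);
                if (isNotRenewAccessTokenPerRequest(oauthTokenIssuer, oAuthAuthzReqMessageContext)) {
                    if (existingToken != null) {
                        if (OAuthServerConfiguration.getInstance().isTokenRenewalPerRequestEnabled()) {
                            if (log.isDebugEnabled()) {
                                log.debug("RenewTokenPerRequest configuration active. Proceeding to revoke any existing active tokens for client Id: " + consumerKey + ", user: " + authorizationReqDTO.getUser().getLoggableUserId() + " and scope: " + scope + Constants.FULL_STOP_DELIMITER);
                            }
                            revokeExistingToken(existingToken.getConsumerKey(), existingToken.getAccessToken());
                            // Revoked: nothing left to reuse, and no refresh token to carry over.
                            existingToken = null;
                        }
                        if (isAccessTokenValid(existingToken)) {
                            return existingToken;
                        }
                    }
                    if (log.isDebugEnabled()) {
                        log.debug("No active access token found for client Id: " + consumerKey + ", user: " + authorizationReqDTO.getUser().getLoggableUserId() + " and scope: " + scope + ". Therefore issuing new token");
                    }
                }
                return generateNewAccessToken(oAuthAuthzReqMessageContext, existingToken, oauthTokenIssuer, userId, z);
            }
        } catch (UserIdNotFoundException e) {
            // Keep the cause chained; it was previously dropped, hiding the underlying failure.
            throw new IdentityOAuth2Exception("Error occurred while retrieving the user id for user: " + authorizationReqDTO.getUser().getLoggableUserId(), (Throwable) e);
        }
    }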

    /**
     * Issues an authorization code using the token issuer configured for the client application.
     * Unlike {@code generateAccessToken}, an unresolvable issuer is a hard failure here.
     *
     * @param oAuthAuthzReqMessageContext the authorization request context
     * @param z                           whether the issued code should also be cached
     * @return the persisted authorization code record
     * @throws IdentityOAuth2Exception if the client's issuer cannot be resolved or issuance fails
     */
    public static AuthzCodeDO generateAuthorizationCode(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, boolean z) throws IdentityOAuth2Exception {
        String clientId = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getConsumerKey();
        OauthTokenIssuer issuer;
        try {
            issuer = OAuth2Util.getOAuthTokenIssuerForOAuthApp(clientId);
        } catch (InvalidOAuthClientException e) {
            throw new IdentityOAuth2Exception("Error while retrieving oauth issuer for the app with clientId: " + clientId, (Throwable) e);
        }
        return generateAuthorizationCode(oAuthAuthzReqMessageContext, z, issuer);
    }

    /**
     * Mints an authorization code with the given issuer, persists it (with the PKCE challenge and
     * method from the request) and optionally caches it.
     *
     * <p>Validity precedence: a positive validity already present on the message context wins over
     * the server-wide authorization-code validity. Both are read in seconds; the context's validity
     * period is then overwritten in milliseconds, as is the code's validity period and issued time.
     * For federated users the request's tenant domain is written onto the user before issuance.
     *
     * @param oAuthAuthzReqMessageContext the authorization request context
     * @param z                           whether to add the code to {@link OAuthCache}
     * @param oauthTokenIssuer            issuer used to mint the code string
     * @return the persisted authorization code record
     * @throws IdentityOAuth2Exception if the issuer fails (wraps {@link OAuthSystemException})
     */
    public static AuthzCodeDO generateAuthorizationCode(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, boolean z, OauthTokenIssuer oauthTokenIssuer) throws IdentityOAuth2Exception {
        OAuth2AuthorizeReqDTO reqDTO = oAuthAuthzReqMessageContext.getAuthorizationReqDTO();
        String codeId = UUID.randomUUID().toString();
        Timestamp issuedAt = new Timestamp(System.currentTimeMillis());

        long validitySeconds = OAuthServerConfiguration.getInstance().getAuthorizationCodeValidityPeriodInSeconds();
        long contextValiditySeconds = oAuthAuthzReqMessageContext.getValidityPeriod();
        if (contextValiditySeconds > 0) {
            validitySeconds = contextValiditySeconds;
        }
        long validityMillis = validitySeconds * 1000;
        // Unit flip: the context value was read in seconds and is written back in milliseconds.
        oAuthAuthzReqMessageContext.setValidityPeriod(validityMillis);
        oAuthAuthzReqMessageContext.setAuthorizationCodeValidityPeriod(validityMillis);
        oAuthAuthzReqMessageContext.setCodeIssuedTime(issuedAt.getTime());

        AuthenticatedUser user = reqDTO.getUser();
        if (user != null && user.isFederatedUser()) {
            user.setTenantDomain(reqDTO.getTenantDomain());
        }

        try {
            String code = oauthTokenIssuer.authorizationCode(oAuthAuthzReqMessageContext);
            AuthzCodeDO authzCodeDO = new AuthzCodeDO(user, oAuthAuthzReqMessageContext.getApprovedScope(), issuedAt, validityMillis, reqDTO.getCallbackUrl(), reqDTO.getConsumerKey(), code, codeId, reqDTO.getPkceCodeChallenge(), reqDTO.getPkceCodeChallengeMethod());
            OAuthTokenPersistenceFactory.getInstance().getAuthorizationCodeDAO().insertAuthorizationCode(code, reqDTO.getConsumerKey(), reqDTO.getCallbackUrl(), authzCodeDO);
            if (z) {
                OAuthCacheKey cacheKey = new OAuthCacheKey(OAuth2Util.buildCacheKeyStringForAuthzCode(reqDTO.getConsumerKey(), code));
                OAuthCache.getInstance().addToCache(cacheKey, authzCodeDO);
                if (log.isDebugEnabled()) {
                    log.debug("Authorization Code info was added to the cache for client id : " + reqDTO.getConsumerKey());
                }
            }
            if (log.isDebugEnabled()) {
                // NOTE(review): this line logs the user object and redirect URL; the other debug
                // lines in this class use getLoggableUserId(). Confirm toString() is PII-safe.
                log.debug("Issued Authorization Code to user : " + user + ", Using the redirect url : " + reqDTO.getCallbackUrl() + ", Scope : " + OAuth2Util.buildScopeString(oAuthAuthzReqMessageContext.getApprovedScope()) + ", validity period : " + validityMillis);
            }
            return authzCodeDO;
        } catch (OAuthSystemException e) {
            throw new IdentityOAuth2Exception(e.getMessage(), (Throwable) e);
        }
    }

    /**
     * Copies the authorization code and its id from the persisted record onto the response.
     *
     * @param oAuth2AuthorizeRespDTO response being built; mutated and returned
     * @param authzCodeDO            the issued authorization code record
     * @return the same response instance, for chaining
     * @throws IdentityOAuth2Exception declared for API compatibility; nothing here throws it
     */
    public static OAuth2AuthorizeRespDTO buildAuthorizationCodeResponseDTO(OAuth2AuthorizeRespDTO oAuth2AuthorizeRespDTO, AuthzCodeDO authzCodeDO) throws IdentityOAuth2Exception {
        oAuth2AuthorizeRespDTO.setCodeId(authzCodeDO.getAuthzCodeId());
        oAuth2AuthorizeRespDTO.setAuthorizationCode(authzCodeDO.getAuthorizationCode());
        return oAuth2AuthorizeRespDTO;
    }

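    /**
     * Copies the access token, its remaining validity and its token type onto the response.
     *
     * <p>{@code validityPeriod} on the response is in seconds. When the remaining lifetime is not
     * positive the token is reported as unbounded using {@code Long.MAX_VALUE / 1000}, the largest
     * whole-seconds value a {@code long} can hold (this is the same value the previous magic
     * literal encoded).
     *
     * NOTE(review): a remaining time of exactly 0 is treated as unbounded here, while
     * getExistingTokenFromCache evicts a token whose remaining time is 0. This relies on callers
     * never passing an already-expired token; confirm against
     * {@code OAuth2Util.getTokenExpireTimeMillis(token, false)}.
     *
     * @param oAuth2AuthorizeRespDTO response being built; mutated and returned
     * @param accessTokenDO          the token to expose
     * @return the same response instance, for chaining
     */
    public static OAuth2AuthorizeRespDTO buildAccessTokenResponseDTO(OAuth2AuthorizeRespDTO oAuth2AuthorizeRespDTO, AccessTokenDO accessTokenDO) {
        // Largest whole-seconds value representable in a long; used to mean "no expiry".
        final long unboundedValiditySeconds = Long.MAX_VALUE / 1000;
        long remainingMillis = OAuth2Util.getTokenExpireTimeMillis(accessTokenDO, false);
        boolean finite = remainingMillis > 0;
        if (log.isDebugEnabled()) {
            if (finite) {
                log.debug("Access Token is valid for another " + remainingMillis + "ms");
            } else {
                log.debug("Infinite lifetime Access Token found in cache");
            }
        }
        oAuth2AuthorizeRespDTO.setAccessToken(accessTokenDO.getAccessToken());
        oAuth2AuthorizeRespDTO.setValidityPeriod(finite ? remainingMillis / 1000 : unboundedValiditySeconds);
        oAuth2AuthorizeRespDTO.setTokenType(accessTokenDO.getTokenType());
        return oAuth2AuthorizeRespDTO;
    }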

    /**
     * Adds an ID token (and OIDC session id) to the response when the approved scope makes this an
     * OIDC request; otherwise the response is returned untouched.
     *
     * <p>The ID token is built against a scratch response holding only the access token and the
     * authorization code, and the resulting id token / session id are copied back onto the real
     * response.
     *
     * @param oAuth2AuthorizeRespDTO      response being built; mutated and returned
     * @param accessTokenDO               the issued access token (used as the grant-cache key)
     * @param oAuthAuthzReqMessageContext the authorization request context
     * @return the same response instance, for chaining
     * @throws IdentityOAuth2Exception if attribute caching or ID token building fails
     */
    public static OAuth2AuthorizeRespDTO buildIDTokenResponseDTO(OAuth2AuthorizeRespDTO oAuth2AuthorizeRespDTO, AccessTokenDO accessTokenDO, OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws IdentityOAuth2Exception {
        if (!isOIDCRequest(oAuthAuthzReqMessageContext)) {
            return oAuth2AuthorizeRespDTO;
        }
        OAuth2AuthorizeRespDTO scratch = new OAuth2AuthorizeRespDTO();
        scratch.setAccessToken(accessTokenDO.getAccessToken());
        scratch.setAuthorizationCode(oAuth2AuthorizeRespDTO.getAuthorizationCode());
        buildIdToken(oAuthAuthzReqMessageContext, scratch);
        oAuth2AuthorizeRespDTO.setIdToken(scratch.getIdToken());
        oAuth2AuthorizeRespDTO.setOidcSessionId(scratch.getOidcSessionId());
        return oAuth2AuthorizeRespDTO;
    }

    /**
     * True when the request has an approved scope that {@link OAuth2Util#isOIDCAuthzRequest}
     * recognises as OpenID Connect; a missing scope is never OIDC.
     */
    private static boolean isOIDCRequest(OAuthAuthzReqMessageContext ctx) {
        if (ctx.getApprovedScope() == null) {
            return false;
        }
        return OAuth2Util.isOIDCAuthzRequest(ctx.getApprovedScope());
    }

    /**
     * Caches the user's attributes under the access token (when there is one) and, if the request's
     * {@code response_type} contains {@code id_token}, builds the ID token into {@code respDTO}.
     *
     * @param ctx     the authorization request context
     * @param respDTO scratch response carrying the access token and code; receives the id token
     * @throws IdentityOAuth2Exception if attribute caching or ID token building fails
     */
    private static void buildIdToken(OAuthAuthzReqMessageContext ctx, OAuth2AuthorizeRespDTO respDTO) throws IdentityOAuth2Exception {
        String accessToken = respDTO.getAccessToken();
        if (!StringUtils.isBlank(accessToken)) {
            addUserAttributesToCache(accessToken, ctx);
        }
        boolean wantsIdToken = StringUtils.contains(ctx.getAuthorizationReqDTO().getResponseType(), OIDCConstants.ID_TOKEN);
        if (wantsIdToken) {
            respDTO.setIdToken(OAuthServerConfiguration.getInstance().getOpenIDConnectIDTokenBuilder().buildIDToken(ctx, respDTO));
        }
    }

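    /**
     * Stores the authenticated user's attributes in {@link AuthorizationGrantCache}, keyed by the
     * access token, for downstream consumers (the ID token builder runs right after this in
     * {@code buildIdToken}).
     *
     * <p>The entry also carries the request's essential claims (if any), the token id, and a
     * {@code sub} claim mapping whose value is the user id when resolvable, else the authenticated
     * subject identifier. The entry's validity is the access token's validity period (in nanos).
     *
     * <p>Fix: the token record is required for the validity period, so a missing record now fails
     * with a typed exception instead of the unchecked NPE the old code produced after null-checking
     * the same object a few lines earlier.
     *
     * @param accessToken                 the access token string used as the cache key
     * @param oAuthAuthzReqMessageContext request context holding the authenticated user
     * @throws IdentityOAuth2Exception if the token record cannot be resolved or a lookup fails
     */
    private static void addUserAttributesToCache(String accessToken, OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws IdentityOAuth2Exception {
        OAuth2AuthorizeReqDTO authorizationReqDTO = oAuthAuthzReqMessageContext.getAuthorizationReqDTO();
        AuthenticatedUser user = authorizationReqDTO.getUser();
        Map userAttributes = user.getUserAttributes();
        AuthorizationGrantCacheKey cacheKey = new AuthorizationGrantCacheKey(accessToken);
        AuthorizationGrantCacheEntry cacheEntry = new AuthorizationGrantCacheEntry(userAttributes);
        if (StringUtils.isNotBlank(authorizationReqDTO.getEssentialClaims())) {
            cacheEntry.setEssentialClaims(authorizationReqDTO.getEssentialClaims());
        }

        // The token record bounds the cache entry's lifetime; without it we must not cache
        // user attributes, so fail closed with a typed exception.
        AccessTokenDO accessTokenDO = getAccessTokenDO(accessToken, oAuthAuthzReqMessageContext);
        if (accessTokenDO == null) {
            throw new IdentityOAuth2Exception("Unable to resolve the access token while caching user attributes for client Id: " + authorizationReqDTO.getConsumerKey());
        }
        if (StringUtils.isNotBlank(accessTokenDO.getTokenId())) {
            cacheEntry.setTokenId(accessTokenDO.getTokenId());
        }

        // "sub": prefer the user id, fall back to the authenticated subject identifier.
        String subject = null;
        try {
            subject = user.getUserId();
        } catch (UserIdNotFoundException e) {
            // Expected for users without a resolvable id; the fallback below covers them.
            if (log.isDebugEnabled()) {
                log.debug("User id not available for user: " + user.getLoggableUserId() + ". Falling back to the authenticated subject identifier.", e);
            }
        }
        if (StringUtils.isBlank(subject)) {
            subject = user.getAuthenticatedSubjectIdentifier();
        }
        if (StringUtils.isNotBlank(subject)) {
            ClaimMapping subClaimMapping = new ClaimMapping();
            Claim subClaim = new Claim();
            subClaim.setClaimUri(OAuth2Util.SUB);
            subClaimMapping.setRemoteClaim(subClaim);
            userAttributes.put(subClaimMapping, subject);
        }

        cacheEntry.setValidityPeriod(TimeUnit.MILLISECONDS.toNanos(accessTokenDO.getValidityPeriodInMillis()));
        AuthorizationGrantCache.getInstance().addToCacheByToken(cacheKey, cacheEntry);
    }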

    /**
     * Returns the {@link AccessTokenDO} stashed on the message context under
     * {@code OAuth2Util.ACCESS_TOKEN_DO} (set by {@code setDetailsToMessageContext}), or falls back
     * to resolving it from the token string.
     *
     * @param accessToken the access token string
     * @param ctx         the authorization request context
     * @return the token record; may be {@code null} if the fallback lookup finds nothing
     * @throws IdentityOAuth2Exception if the fallback lookup fails
     */
    private static AccessTokenDO getAccessTokenDO(String accessToken, OAuthAuthzReqMessageContext ctx) throws IdentityOAuth2Exception {
        Object stashed = ctx.getProperty(OAuth2Util.ACCESS_TOKEN_DO);
        if (stashed instanceof AccessTokenDO) {
            return (AccessTokenDO) stashed;
        }
        return OAuth2Util.getAccessTokenDOfromTokenIdentifier(accessToken);
    }

    /**
     * Marks the given authorization code inactive and links it to the token it produced. A
     * {@code null} code is a no-op.
     *
     * @param authorizationCode the code to deactivate, or {@code null}
     * @param tokenId           id of the access token issued against the code
     * @throws IdentityOAuth2Exception on DAO failure
     */
    private static void deactivateCurrentAuthorizationCode(String authorizationCode, String tokenId) throws IdentityOAuth2Exception {
        if (authorizationCode == null) {
            return;
        }
        AuthzCodeDO codeToRetire = new AuthzCodeDO();
        codeToRetire.setAuthorizationCode(authorizationCode);
        codeToRetire.setOauthTokenId(tokenId);
        OAuthTokenPersistenceFactory.getInstance().getAuthorizationCodeDAO().deactivateAuthorizationCode(codeToRetire);
    }

    /**
     * Finds a previously issued token for the request's (client, user, scope): the cache first
     * (only when {@code useCache}), then the database.
     *
     * <p>The cache key is built from the resolved user id and authenticated IdP, whereas the DB
     * lookup is keyed by the user object itself (see {@code getExistingTokenFromDB}).
     *
     * @param ctx      the authorization request context
     * @param userId   the resolved user id, used in the cache key
     * @param useCache whether to consult the cache (and let the DB path warm it)
     * @return the token found, or {@code null}
     * @throws IdentityOAuth2Exception on lookup failure
     */
    private static AccessTokenDO getExistingToken(OAuthAuthzReqMessageContext ctx, String userId, boolean useCache) throws IdentityOAuth2Exception {
        OAuth2AuthorizeReqDTO reqDTO = ctx.getAuthorizationReqDTO();
        String scope = OAuth2Util.buildScopeString(ctx.getApprovedScope());
        String clientId = reqDTO.getConsumerKey();
        String idp = OAuth2Util.getAuthenticatedIDP(reqDTO.getUser());
        AccessTokenDO cached = useCache ? getExistingTokenFromCache(clientId, scope, userId, idp) : null;
        if (cached != null) {
            return cached;
        }
        return getExistingTokenFromDB(ctx, useCache);
    }

    /**
     * Looks up an access token in {@link OAuthCache} by (consumer key, scope, user id, IdP).
     *
     * <p>An entry whose remaining lifetime is exactly 0 is evicted from the cache but is still
     * returned; callers decide validity. The token itself is only ever logged as a SHA-256 hash,
     * and only when {@code AccessToken} logging is enabled.
     *
     * @return the cached token, or {@code null} if absent or not an {@link AccessTokenDO}
     * @throws IdentityOAuth2Exception if computing the remaining lifetime fails
     */
    private static AccessTokenDO getExistingTokenFromCache(String consumerKey, String scope, String userId, String authenticatedIDP) throws IdentityOAuth2Exception {
        OAuthCacheKey cacheKey = getOAuthCacheKey(consumerKey, scope, userId, authenticatedIDP);
        CacheEntry entry = (CacheEntry) OAuthCache.getInstance().getValueFromCache(cacheKey);
        if (!(entry instanceof AccessTokenDO)) {
            return null;
        }
        AccessTokenDO token = (AccessTokenDO) entry;
        if (log.isDebugEnabled()) {
            String where = " for client Id: " + consumerKey + ", user: " + userId + " and scope: " + scope + " from cache.";
            if (IdentityUtil.isTokenLoggable("AccessToken")) {
                log.debug("Retrieved active access token(hashed): " + DigestUtils.sha256Hex(token.getAccessToken()) + " in state: " + token.getTokenState() + where);
            } else {
                log.debug("Retrieved active access token in state: " + token.getTokenState() + where);
            }
        }
        if (getAccessTokenExpiryTimeMillis(token) == 0) {
            removeTokenFromCache(cacheKey, token);
        }
        return token;
    }

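    /**
     * Loads the latest persisted access token for the request's (client, user, scope) and, when it
     * is {@code ACTIVE}, has a non-zero remaining lifetime and caching is requested, warms
     * {@link OAuthCache} with it.
     *
     * <p>The returned token may be expired or non-ACTIVE; the caller validates it. A remaining
     * lifetime of 0 is treated as expired here, consistent with the eviction in
     * {@code getExistingTokenFromCache}. The token is only logged as a SHA-256 hash, and only when
     * {@code AccessToken} logging is enabled.
     *
     * <p>Fix: the {@link UserIdNotFoundException} cause is now chained instead of dropped.
     *
     * @param oAuthAuthzReqMessageContext request context (consumer key, user, approved scope)
     * @param z                           whether a usable token should also be cached
     * @return the latest token row, or {@code null} if none exists
     * @throws IdentityOAuth2Exception on DAO failure, or if the user id needed for the cache key
     *                                 cannot be resolved
     */
    private static AccessTokenDO getExistingTokenFromDB(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, boolean z) throws IdentityOAuth2Exception {
        OAuth2AuthorizeReqDTO authorizationReqDTO = oAuthAuthzReqMessageContext.getAuthorizationReqDTO();
        String scope = OAuth2Util.buildScopeString(oAuthAuthzReqMessageContext.getApprovedScope());
        String consumerKey = authorizationReqDTO.getConsumerKey();
        AuthenticatedUser user = authorizationReqDTO.getUser();
        AccessTokenDO latestToken = OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO().getLatestAccessToken(consumerKey, user, getUserStoreDomain(user), scope, false);
        if (latestToken == null) {
            return null;
        }
        if (log.isDebugEnabled()) {
            if (IdentityUtil.isTokenLoggable("AccessToken")) {
                log.debug("Retrieved latest access token(hashed): " + DigestUtils.sha256Hex(latestToken.getAccessToken()) + " in state: " + latestToken.getTokenState() + " for client Id: " + consumerKey + " user: " + user + " and scope: " + scope + " from db");
            } else {
                log.debug("Retrieved latest access token for client Id: " + consumerKey + " user: " + user + " and scope: " + scope + " from db");
            }
        }
        // Always computed (it also emits the lifetime debug log), even when caching is off.
        long remainingMillis = getAccessTokenExpiryTimeMillis(latestToken);
        boolean cacheable = z && "ACTIVE".equals(latestToken.getTokenState()) && remainingMillis != 0;
        if (cacheable) {
            try {
                addTokenToCache(getOAuthCacheKey(consumerKey, scope, user.getUserId(), OAuth2Util.getAuthenticatedIDP(user)), latestToken);
            } catch (UserIdNotFoundException e) {
                throw new IdentityOAuth2Exception("Error occurred while retrieving the user id for user: " + user.getLoggableUserId(), (Throwable) e);
            }
        }
        return latestToken;
    }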

    /**
     * Mints a new access token, persists it, retires the authorization code it was issued against
     * and (when hashing is disabled and caching requested) adds it to {@link OAuthCache}.
     *
     * <p>{@code existingToken} is the superseded token (may be {@code null}); it is handed to the
     * bean builder so a still-valid refresh token can be carried over, and to the DAO insert.
     * NOTE(review): {@code createNewTokenBean} as visible here never sets an authorization code on
     * the new bean, so the deactivation call is a no-op unless the code is set elsewhere — confirm.
     *
     * @param ctx           the authorization request context
     * @param existingToken the token being replaced, or {@code null}
     * @param issuer        issuer used to mint token strings
     * @param userId        resolved user id, used in the cache key
     * @param useCache      whether to add the new token to the cache
     * @return the newly issued token
     * @throws IdentityOAuth2Exception on issuance or persistence failure
     */
    private static AccessTokenDO generateNewAccessToken(OAuthAuthzReqMessageContext ctx, AccessTokenDO existingToken, OauthTokenIssuer issuer, String userId, boolean useCache) throws IdentityOAuth2Exception {
        OAuth2AuthorizeReqDTO reqDTO = ctx.getAuthorizationReqDTO();
        String scope = OAuth2Util.buildScopeString(ctx.getApprovedScope());
        String clientId = reqDTO.getConsumerKey();
        String idp = OAuth2Util.getAuthenticatedIDP(reqDTO.getUser());
        OAuthAppDO app = getOAuthApp(clientId);
        Timestamp issuedAt = new Timestamp(System.currentTimeMillis());
        long validityMillis = getConfiguredAccessTokenValidityPeriodInMillis(ctx, app);
        ctx.addProperty("USER_TYPE", "APPLICATION_USER");

        AccessTokenDO newToken = createNewTokenBean(ctx, app, existingToken, issuer, issuedAt, validityMillis);
        setDetailsToMessageContext(ctx, newToken);
        persistAccessTokenInDB(ctx, existingToken, newToken);
        deactivateCurrentAuthorizationCode(newToken.getAuthorizationCode(), newToken.getTokenId());

        boolean cacheIt = isHashDisabled && useCache;
        if (cacheIt) {
            addTokenToCache(getOAuthCacheKey(clientId, scope, userId, idp), newToken);
        }
        return newToken;
    }

    /**
     * Builds the {@link AccessTokenDO} for a new {@code APPLICATION_USER} token: ACTIVE state,
     * client/user/tenant/scope from the request, a random token id, validity in both millis and
     * seconds, the grant type derived from the response type, a freshly minted token string, and
     * refresh-token details (reused from {@code existingToken} if still valid, else new).
     *
     * @param ctx            the authorization request context
     * @param app            the client application record
     * @param existingToken  the superseded token, or {@code null}
     * @param issuer         issuer used to mint token strings
     * @param issuedAt       issue timestamp for the token and (if new) its refresh token
     * @param validityMillis access-token validity in milliseconds
     * @return the populated, not yet persisted token bean
     * @throws IdentityOAuth2Exception if tenant resolution or token minting fails
     */
    private static AccessTokenDO createNewTokenBean(OAuthAuthzReqMessageContext ctx, OAuthAppDO app, AccessTokenDO existingToken, OauthTokenIssuer issuer, Timestamp issuedAt, long validityMillis) throws IdentityOAuth2Exception {
        OAuth2AuthorizeReqDTO reqDTO = ctx.getAuthorizationReqDTO();
        AccessTokenDO token = new AccessTokenDO();
        token.setTokenState("ACTIVE");
        token.setTokenType("APPLICATION_USER");
        token.setConsumerKey(reqDTO.getConsumerKey());
        token.setAuthzUser(reqDTO.getUser());
        token.setTenantID(OAuth2Util.getTenantId(reqDTO.getTenantDomain()));
        token.setScope(ctx.getApprovedScope());
        token.setTokenId(UUID.randomUUID().toString());
        token.setIssuedTime(issuedAt);
        token.setValidityPeriodInMillis(validityMillis);
        token.setValidityPeriod(validityMillis / 1000);
        token.setGrantType(getGrantType(reqDTO.getResponseType()));
        token.setAccessToken(getNewAccessToken(ctx, issuer));
        setRefreshTokenDetails(ctx, app, existingToken, token, issuer, issuedAt);
        return token;
    }

    /**
     * Mints an access token string with the issuer; when username assertion is enabled the user's
     * username is appended to the token via {@link OAuth2Util#addUsernameToToken}.
     *
     * @throws IdentityOAuth2Exception wrapping any {@link OAuthSystemException} from the issuer
     */
    private static String getNewAccessToken(OAuthAuthzReqMessageContext ctx, OauthTokenIssuer issuer) throws IdentityOAuth2Exception {
        String token;
        try {
            token = issuer.accessToken(ctx);
        } catch (OAuthSystemException e) {
            throw new IdentityOAuth2Exception("Error while generating new access token", (Throwable) e);
        }
        if (!OAuth2Util.checkUserNameAssertionEnabled()) {
            return token;
        }
        return OAuth2Util.addUsernameToToken(ctx.getAuthorizationReqDTO().getUser(), token);
    }

    /**
     * Mints a refresh token string with the issuer; when username assertion is enabled the user's
     * username is appended to the token via {@link OAuth2Util#addUsernameToToken}.
     *
     * @throws IdentityOAuth2Exception wrapping any {@link OAuthSystemException} from the issuer
     */
    private static String getNewRefreshToken(OAuthAuthzReqMessageContext ctx, OauthTokenIssuer issuer) throws IdentityOAuth2Exception {
        String token;
        try {
            token = issuer.refreshToken(ctx);
        } catch (OAuthSystemException e) {
            throw new IdentityOAuth2Exception("Error while generating new refresh token", (Throwable) e);
        }
        if (!OAuth2Util.checkUserNameAssertionEnabled()) {
            return token;
        }
        return OAuth2Util.addUsernameToToken(ctx.getAuthorizationReqDTO().getUser(), token);
    }

    /**
     * Populates the refresh-token fields of {@code newToken}: carried over from
     * {@code existingToken} when its refresh token is still valid, otherwise a new refresh token
     * issued at {@code issuedAt} with the configured validity.
     *
     * @param ctx           the authorization request context
     * @param app           the client application record (source of app-level validity)
     * @param existingToken the superseded token, or {@code null}
     * @param newToken      the bean being populated
     * @param issuer        issuer used to mint a new refresh token
     * @param issuedAt      issue time to stamp on a new refresh token
     * @throws IdentityOAuth2Exception if minting a new refresh token fails
     */
    private static void setRefreshTokenDetails(OAuthAuthzReqMessageContext ctx, OAuthAppDO app, AccessTokenDO existingToken, AccessTokenDO newToken, OauthTokenIssuer issuer, Timestamp issuedAt) throws IdentityOAuth2Exception {
        if (isRefreshTokenValid(existingToken)) {
            setRefreshTokenDetailsFromExistingToken(existingToken, newToken);
        } else {
            newToken.setRefreshTokenIssuedTime(issuedAt);
            newToken.setRefreshTokenValidityPeriodInMillis(getConfiguredRefreshTokenValidityPeriodInMillis(app, ctx));
            newToken.setRefreshToken(getNewRefreshToken(ctx, issuer));
        }
    }

    /**
     * Copies refresh token, its issued time and its validity period from {@code source} onto
     * {@code target}, so the new access token shares the old refresh token.
     */
    private static void setRefreshTokenDetailsFromExistingToken(AccessTokenDO source, AccessTokenDO target) {
        target.setRefreshTokenValidityPeriodInMillis(source.getRefreshTokenValidityPeriodInMillis());
        target.setRefreshTokenIssuedTime(source.getRefreshTokenIssuedTime());
        target.setRefreshToken(source.getRefreshToken());
    }

    /**
     * Mirrors the new token's validity periods and issue times onto the message context and stashes
     * the bean under {@code OAuth2Util.ACCESS_TOKEN_DO} (read back by {@code getAccessTokenDO}).
     *
     * NOTE(review): dereferences both issued-time timestamps; a token whose refresh-token issued
     * time was never set would NPE here — confirm every path through setRefreshTokenDetails sets it.
     */
    private static void setDetailsToMessageContext(OAuthAuthzReqMessageContext ctx, AccessTokenDO token) {
        ctx.addProperty(OAuth2Util.ACCESS_TOKEN_DO, token);
        ctx.setAccessTokenIssuedTime(token.getIssuedTime().getTime());
        ctx.setRefreshTokenIssuedTime(token.getRefreshTokenIssuedTime().getTime());
        ctx.setValidityPeriod(token.getValidityPeriodInMillis());
        ctx.setRefreshTokenvalidityPeriod(token.getRefreshTokenValidityPeriodInMillis());
    }

    /**
     * Persists {@code newToken} (superseding {@code existingToken}, if any) in the user's user-store
     * domain and logs a summary at debug level. The token value itself is not logged here.
     *
     * @throws IdentityOAuth2Exception if the DAO insert fails
     */
    private static void persistAccessTokenInDB(OAuthAuthzReqMessageContext ctx, AccessTokenDO existingToken, AccessTokenDO newToken) throws IdentityOAuth2Exception {
        OAuth2AuthorizeReqDTO reqDTO = ctx.getAuthorizationReqDTO();
        AuthenticatedUser user = reqDTO.getUser();
        storeAccessToken(reqDTO, getUserStoreDomain(user), existingToken, newToken);
        if (!log.isDebugEnabled()) {
            return;
        }
        log.debug("Persisted Access Token for Client ID: " + reqDTO.getConsumerKey() + ", Authorized User: " + user + ", Is Federated User: " + user.isFederatedUser() + ", Timestamp: " + newToken.getIssuedTime() + ", Validity period: " + newToken.getValidityPeriod() + " s, Scope: " + OAuth2Util.buildScopeString(ctx.getApprovedScope()) + " and Token State: ACTIVE");
    }

    /**
     * Inserts {@code newToken} via the access-token DAO, passing the superseded token so the DAO
     * can handle it. A failing insert is rethrown as {@link IdentityOAuth2Exception}; the token
     * appears in the message only as a SHA-256 hash and only if {@code AccessToken} logging is on.
     */
    private static void storeAccessToken(OAuth2AuthorizeReqDTO reqDTO, String userStoreDomain, AccessTokenDO existingToken, AccessTokenDO newToken) throws IdentityOAuth2Exception {
        try {
            OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO().insertAccessToken(newToken.getAccessToken(), reqDTO.getConsumerKey(), newToken, existingToken, userStoreDomain);
        } catch (IdentityException e) {
            String message;
            if (IdentityUtil.isTokenLoggable("AccessToken")) {
                message = "Error occurred while storing new access token(hashed) : " + DigestUtils.sha256Hex(newToken.getAccessToken());
            } else {
                message = "Error occurred while storing new access token.";
            }
            throw new IdentityOAuth2Exception(message, (Throwable) e);
        }
    }

    /**
     * Returns {@link OAuth2Util#getTokenExpireTimeMillis(AccessTokenDO)} for the token and logs it
     * at debug level: a positive value as remaining time, anything else as "infinite lifetime".
     * The token is only logged as a SHA-256 hash, and only when {@code AccessToken} logging is on.
     *
     * @throws IdentityOAuth2Exception if the expiry computation fails
     */
    private static long getAccessTokenExpiryTimeMillis(AccessTokenDO token) throws IdentityOAuth2Exception {
        long remainingMillis = OAuth2Util.getTokenExpireTimeMillis(token);
        if (!log.isDebugEnabled()) {
            return remainingMillis;
        }
        boolean finite = remainingMillis > 0;
        if (IdentityUtil.isTokenLoggable("AccessToken")) {
            String hashed = DigestUtils.sha256Hex(token.getAccessToken());
            if (finite) {
                log.debug("Access Token(hashed): " + hashed + " is still valid. Remaining time: " + remainingMillis + " ms");
            } else {
                log.debug("Infinite lifetime Access Token(hashed) " + hashed + " found");
            }
        } else if (finite) {
            log.debug("Valid access token is found for client: " + token.getConsumerKey() + ". Remaining time: " + remainingMillis + " ms");
        } else {
            log.debug("Infinite lifetime Access Token found for client: " + token.getConsumerKey());
        }
        return remainingMillis;
    }

    /**
     * Resolves the user access-token validity in milliseconds, by precedence: a positive value on
     * the message context, else a non-zero application-level setting, else the server default.
     * All three sources are in seconds and multiplied by 1000 here.
     *
     * NOTE(review): the app-level setting is only checked for {@code != 0}, so a negative app value
     * would be returned as-is (scaled) — confirm it is validated where the app is configured.
     *
     * @param ctx the authorization request context
     * @param app the client application record
     * @return validity period in milliseconds
     * @throws IdentityOAuth2Exception declared for API compatibility; nothing here throws it
     */
    private static long getConfiguredAccessTokenValidityPeriodInMillis(OAuthAuthzReqMessageContext ctx, OAuthAppDO app) throws IdentityOAuth2Exception {
        long contextSeconds = ctx.getAccessTokenValidityPeriod();
        long validityMillis;
        if (contextSeconds > 0) {
            validityMillis = contextSeconds * 1000;
            if (log.isDebugEnabled()) {
                log.debug("OAuth application id : " + app.getOauthConsumerKey() + ", using access token validity period configured from callback: " + validityMillis + " ms");
            }
            return validityMillis;
        }
        if (app.getUserAccessTokenExpiryTime() != 0) {
            validityMillis = app.getUserAccessTokenExpiryTime() * 1000;
            if (log.isDebugEnabled()) {
                log.debug("OAuth application id: " + app.getOauthConsumerKey() + ", using user access token validity period configured for application: " + validityMillis + " ms");
            }
            return validityMillis;
        }
        validityMillis = OAuthServerConfiguration.getInstance().getUserAccessTokenValidityPeriodInSeconds() * 1000;
        if (log.isDebugEnabled()) {
            log.debug("OAuth application id: " + app.getOauthConsumerKey() + ", using user access token validity period configured for server: " + validityMillis + " ms");
        }
        return validityMillis;
    }

    /**
     * Resolves the refresh token validity period, in milliseconds.
     *
     * Precedence (first match wins): a positive period carried in the request context,
     * then the per-application refresh expiry on {@code oAuthAppDO} when non-zero,
     * then the server-wide default from {@link OAuthServerConfiguration}.
     * All sources are in seconds and are scaled by 1000 here.
     *
     * @param oAuthAppDO                  application whose configured period is consulted
     * @param oAuthAuthzReqMessageContext request context that may carry a caller-supplied period
     * @return the validity period in milliseconds
     */
    private static long getConfiguredRefreshTokenValidityPeriodInMillis(OAuthAppDO oAuthAppDO, OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) {
        final String clientId = oAuthAppDO.getOauthConsumerKey();
        final long requestedSeconds = oAuthAuthzReqMessageContext.getRefreshTokenvalidityPeriod();
        final long validityMillis;
        final String source;
        // "-1 and positive" collapses to "positive": any value > 0 is a usable override.
        if (requestedSeconds > 0) {
            validityMillis = requestedSeconds * 1000;
            source = "OAuth application id : " + clientId + ", using refresh token validity period configured from OAuthAuthzReqMessageContext: ";
        } else if (oAuthAppDO.getRefreshTokenExpiryTime() != 0) {
            validityMillis = oAuthAppDO.getRefreshTokenExpiryTime() * 1000;
            source = "OAuth application id : " + clientId + ", using refresh token validity period configured for application: ";
        } else {
            validityMillis = OAuthServerConfiguration.getInstance().getRefreshTokenValidityPeriodInSeconds() * 1000;
            source = "OAuth application id: " + clientId + ", using refresh token validity period configured for server: ";
        }
        if (log.isDebugEnabled()) {
            log.debug(source + validityMillis + " ms");
        }
        return validityMillis;
    }

    /**
     * Decides whether an existing access token can still be handed out.
     *
     * A token is usable only when its state is {@code "ACTIVE"} and the remaining lifetime
     * reported by {@link #getAccessTokenExpiryTimeMillis} is non-zero (a non-positive
     * remaining time other than 0 is the "no expiry" case handled by that helper).
     * Token material is never logged in the clear: the debug line carries a SHA-256 of the
     * token and only when {@code IdentityUtil.isTokenLoggable("AccessToken")} allows it;
     * otherwise only the consumer key is logged.
     *
     * @param accessTokenDO candidate token; {@code null} is treated as "not valid"
     * @return {@code true} when the token may be reused
     * @throws IdentityOAuth2Exception propagated from {@link #getAccessTokenExpiryTimeMillis}
     */
    private static boolean isAccessTokenValid(AccessTokenDO accessTokenDO) throws IdentityOAuth2Exception {
        if (accessTokenDO == null) {
            return false;
        }
        final long remainingMillis = getAccessTokenExpiryTimeMillis(accessTokenDO);
        final boolean active = "ACTIVE".equals(accessTokenDO.getTokenState());
        final boolean usable = active && remainingMillis != 0;
        if (!usable && log.isDebugEnabled()) {
            if (IdentityUtil.isTokenLoggable("AccessToken")) {
                log.debug("Access token(hashed): " + DigestUtils.sha256Hex(accessTokenDO.getAccessToken()) + " is not valid anymore");
            } else {
                log.debug("Latest access token in the database for client: " + accessTokenDO.getConsumerKey() + " is not valid anymore");
            }
        }
        return usable;
    }

    /**
     * Decides whether the refresh token attached to an existing (possibly expired) access
     * token can be reused instead of issuing a new one.
     *
     * Requires the token record to be in state {@code "ACTIVE"} and the refresh token not
     * to be expired according to {@link #isRefreshTokenExpired}. Debug output hashes token
     * values with SHA-256 and emits them only behind the corresponding
     * {@code IdentityUtil.isTokenLoggable} switch; otherwise only the consumer key is logged.
     *
     * @param accessTokenDO token record holding the refresh token; {@code null} yields {@code false}
     * @return {@code true} when the existing refresh token should be kept
     */
    private static boolean isRefreshTokenValid(AccessTokenDO accessTokenDO) {
        if (accessTokenDO == null) {
            return false;
        }
        final long remainingMillis = OAuth2Util.getRefreshTokenExpireTimeMillis(accessTokenDO);
        if (!"ACTIVE".equals(accessTokenDO.getTokenState())) {
            return false;
        }
        final String consumerKey = accessTokenDO.getConsumerKey();
        if (isRefreshTokenExpired(consumerKey, remainingMillis)) {
            if (log.isDebugEnabled()) {
                if (IdentityUtil.isTokenLoggable("RefreshToken")) {
                    log.debug("Refresh token(hashed): " + DigestUtils.sha256Hex(accessTokenDO.getRefreshToken()) + " for client: " + consumerKey + " is expired. Issuing a new refresh token.");
                } else {
                    log.debug("Refresh token for client: " + consumerKey + " is expired. Issuing a new refresh token.");
                }
            }
            return false;
        }
        if (log.isDebugEnabled()) {
            if (IdentityUtil.isTokenLoggable("AccessToken")) {
                log.debug("Existing access token(hashed): " + DigestUtils.sha256Hex(accessTokenDO.getAccessToken()) + " has expired, but refresh token(hashed):" + DigestUtils.sha256Hex(accessTokenDO.getRefreshToken()) + " is still valid for client: " + consumerKey + ". Remaining time: " + remainingMillis + " ms. Using existing refresh token.");
            } else {
                log.debug("Existing access token has expired, but refresh token is still valid for client: " + consumerKey + ". Remaining time: " + remainingMillis + "ms. Using existing refresh token.");
            }
        }
        return true;
    }

    /**
     * Interprets a remaining-lifetime value for a refresh token.
     *
     * A negative value is treated as "no expiry" (logged at debug level as an infinite
     * lifetime) and is never expired; a value of exactly 0 is expired; any positive value
     * still has time left.
     *
     * @param consumerKey     client id, used only for the debug message
     * @param remainingMillis remaining lifetime as computed by the caller
     * @return {@code true} only when {@code remainingMillis == 0}
     */
    private static boolean isRefreshTokenExpired(String consumerKey, long remainingMillis) {
        if (remainingMillis < 0) {
            if (log.isDebugEnabled()) {
                log.debug("Infinite lifetime Refresh Token found for client: " + consumerKey);
            }
            return false;
        }
        return remainingMillis == 0;
    }

    /**
     * Loads the OAuth application registered for a client id.
     *
     * Wraps {@link OAuth2Util#getAppInformationByClientId} so that an unknown client surfaces
     * as an {@link IdentityOAuth2Exception} carrying the original cause. At debug level the
     * application's configured expiry times are logged alongside the client id.
     *
     * @param clientId consumer key of the application
     * @return the application record
     * @throws IdentityOAuth2Exception when the client id does not resolve to an application
     */
    private static OAuthAppDO getOAuthApp(String clientId) throws IdentityOAuth2Exception {
        final OAuthAppDO app;
        try {
            app = OAuth2Util.getAppInformationByClientId(clientId);
        } catch (InvalidOAuthClientException e) {
            // Keep the cause so the lookup failure stays diagnosable further up the stack.
            throw new IdentityOAuth2Exception("Error while retrieving app information for clientId : " + clientId, (Throwable) e);
        }
        if (log.isDebugEnabled()) {
            log.debug("Service Provider specific expiry time enabled for application : " + clientId + ". Application access token expiry time : " + app.getApplicationAccessTokenExpiryTime() + ", User access token expiry time : " + app.getUserAccessTokenExpiryTime() + ", Refresh token expiry time : " + app.getRefreshTokenExpiryTime());
        }
        return app;
    }

    /**
     * Negated view of the issuer's "renew access token per request" policy.
     *
     * @param oauthTokenIssuer            issuer whose policy is consulted
     * @param oAuthAuthzReqMessageContext request the policy is evaluated against
     * @return {@code true} when an existing token may be reused rather than re-issued
     */
    private static boolean isNotRenewAccessTokenPerRequest(OauthTokenIssuer oauthTokenIssuer, OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) {
        final boolean renewPerRequest = oauthTokenIssuer.renewAccessTokenPerRequest(oAuthAuthzReqMessageContext);
        if (log.isDebugEnabled()) {
            log.debug("Enable Access Token renew per request: " + renewPerRequest);
        }
        return renewPerRequest ? false : true;
    }

    /**
     * Determines the user store domain to partition tokens by, or {@code null} when
     * partitioning is not in effect.
     *
     * The lookup only happens when both access token partitioning and user name assertion
     * are enabled; otherwise {@code null} is returned without consulting the user.
     *
     * @param authenticatedUser user whose store domain is resolved
     * @return the store domain, or {@code null} when partitioning is disabled
     * @throws IdentityOAuth2Exception when the lookup fails; the message embeds the user's
     *                                 {@code toString()} (assumed not to include secrets — verify)
     */
    private static String getUserStoreDomain(AuthenticatedUser authenticatedUser) throws IdentityOAuth2Exception {
        final boolean partitioned = OAuth2Util.checkAccessTokenPartitioningEnabled()
                && OAuth2Util.checkUserNameAssertionEnabled();
        if (!partitioned) {
            return null;
        }
        try {
            return OAuth2Util.getUserStoreForFederatedUser(authenticatedUser);
        } catch (IdentityOAuth2Exception e) {
            throw new IdentityOAuth2Exception("Error occurred while getting user store domain for user: " + authenticatedUser, (Throwable) e);
        }
    }

    /**
     * Maps a response type to the grant type recorded with the token.
     *
     * Any response type whose value contains {@code "token"} is recorded as the
     * {@code "implicit"} grant; every other value (including {@code null}, for which
     * {@code StringUtils.contains} returns {@code false}) is passed through unchanged.
     *
     * @param responseType the OAuth response type
     * @return {@code "implicit"} or the original response type
     */
    private static String getGrantType(String responseType) {
        if (StringUtils.contains(responseType, "token")) {
            return "implicit";
        }
        return responseType;
    }

    /**
     * Builds the cache key under which a token is looked up by (client, user, scope, binding).
     *
     * The four parts are combined by
     * {@link OAuth2Util#buildCacheKeyStringForTokenWithUserId} in the order given here.
     *
     * @param clientId     consumer key
     * @param scope        requested scope string
     * @param userId       authenticated user identifier
     * @param tokenBinding token binding reference
     * @return the composite cache key
     */
    private static OAuthCacheKey getOAuthCacheKey(String clientId, String scope, String userId, String tokenBinding) {
        final String keyString = OAuth2Util.buildCacheKeyStringForTokenWithUserId(clientId, scope, userId, tokenBinding);
        return new OAuthCacheKey(keyString);
    }

    /**
     * Stores a token record in {@link OAuthCache} under two keys.
     *
     * The first is the composite lookup key supplied by the caller; the second is the raw
     * access token string itself. Because that second key <em>is</em> the token, its key
     * string is only written to the debug log when
     * {@code IdentityUtil.isTokenLoggable("AccessToken")} permits it.
     *
     * @param oAuthCacheKey composite key (client/user/scope/binding)
     * @param accessTokenDO token record to cache
     */
    private static void addTokenToCache(OAuthCacheKey oAuthCacheKey, AccessTokenDO accessTokenDO) {
        final OAuthCache cache = OAuthCache.getInstance();
        final OAuthCacheKey tokenKey = new OAuthCacheKey(accessTokenDO.getAccessToken());
        cache.addToCache(oAuthCacheKey, accessTokenDO);
        OAuthCache.getInstance().addToCache(tokenKey, accessTokenDO);
        if (!log.isDebugEnabled()) {
            return;
        }
        log.debug("Access token info was added to the cache for cache key : " + oAuthCacheKey.getCacheKeyString());
        // tokenKey's key string is the bearer token in the clear; gate it on the token-logging switch.
        if (IdentityUtil.isTokenLoggable("AccessToken")) {
            log.debug("Access token was added to OAuthCache for cache key : " + tokenKey.getCacheKeyString());
        }
    }

    /**
     * Evicts an expired token record from {@link OAuthCache} by its composite key.
     *
     * Only the composite key is cleared here; the entry keyed by the raw token string
     * (see {@link #addTokenToCache}) is not touched by this method. The debug line hashes
     * the token with SHA-256 and is emitted only when token logging is enabled, otherwise
     * the consumer key is logged instead.
     *
     * @param oAuthCacheKey composite key to clear
     * @param accessTokenDO the record being evicted, used for the log message
     */
    private static void removeTokenFromCache(OAuthCacheKey oAuthCacheKey, AccessTokenDO accessTokenDO) {
        OAuthCache.getInstance().clearCacheEntry(oAuthCacheKey);
        if (!log.isDebugEnabled()) {
            return;
        }
        final String subject = IdentityUtil.isTokenLoggable("AccessToken")
                ? "Access token(hashed): " + DigestUtils.sha256Hex(accessTokenDO.getAccessToken())
                : "Existing access token for client: " + accessTokenDO.getConsumerKey();
        log.debug(subject + " is expired. Therefore cleared it from cache.");
    }

    /**
     * Revokes a token through the OAuth2 service on behalf of a client.
     *
     * The revocation request is built with a client context that is already marked as
     * authenticated (see {@link #buildAuthenticatedOAuthClientAuthnContext}), so this path
     * performs no client authentication of its own; it is presumably meant for
     * server-internal use where the client has already been verified — confirm at call sites.
     *
     * @param clientId consumer key the token belongs to
     * @param token    token value to revoke
     * @throws IdentityOAuth2Exception when the service reports an error; the message is also logged
     */
    private static void revokeExistingToken(String clientId, String token) throws IdentityOAuth2Exception {
        final OAuthClientAuthnContext clientContext = buildAuthenticatedOAuthClientAuthnContext(clientId);
        final OAuthRevocationResponseDTO response =
                getOauth2Service().revokeTokenByOAuthClient(OAuth2Util.buildOAuthRevocationRequest(clientContext, token));
        if (!response.isError()) {
            return;
        }
        final String failure = "Error while revoking tokens for clientId:" + clientId + " Error Message:" + response.getErrorMsg();
        log.error(failure);
        throw new IdentityOAuth2Exception(failure);
    }

    /**
     * Looks up the {@link OAuth2Service} OSGi service from the thread-local Carbon context.
     *
     * No service properties are used for the lookup (the second argument is a null
     * {@link Hashtable}; the cast selects the two-argument overload).
     *
     * @return the registered OAuth2 service
     */
    private static OAuth2Service getOauth2Service() {
        final PrivilegedCarbonContext context = PrivilegedCarbonContext.getThreadLocalCarbonContext();
        final Object service = context.getOSGiService(OAuth2Service.class, (Hashtable) null);
        return (OAuth2Service) service;
    }

    /**
     * Creates a client authentication context that is pre-marked as authenticated.
     *
     * No credential check happens here: the context simply asserts that {@code clientId}
     * has been authenticated. Callers must therefore only use it where the client's
     * identity has already been established.
     *
     * @param clientId consumer key to place in the context
     * @return a context with {@code authenticated == true} and the given client id
     */
    private static OAuthClientAuthnContext buildAuthenticatedOAuthClientAuthnContext(String clientId) {
        final OAuthClientAuthnContext context = new OAuthClientAuthnContext();
        context.setAuthenticated(true);
        context.setClientId(clientId);
        return context;
    }
}
