package org.wso2.carbon.identity.oauth2.token.handlers.grant;

import java.sql.Timestamp;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheEntry;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheKey;
import org.wso2.carbon.identity.oauth.cache.OAuthCache;
import org.wso2.carbon.identity.oauth.cache.OAuthCacheKey;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth.tokenprocessor.RefreshTokenGrantProcessor;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2ClientException;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.ResponseHeader;
import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
import org.wso2.carbon.identity.oauth2.device.constants.Constants;
import org.wso2.carbon.identity.oauth2.device.errorcodes.DeviceErrorCodes;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenRespDTO;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.model.RefreshTokenValidationDataDO;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.OauthTokenIssuer;
import org.wso2.carbon.identity.oauth2.token.bindings.TokenBinder;
import org.wso2.carbon.identity.oauth2.token.bindings.TokenBinding;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/handlers/grant/RefreshGrantHandler.class */
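public class RefreshGrantHandler extends AbstractAuthorizationGrantHandler {

    /** Message-context property under which the validated previous-token data is stashed between
     *  {@link #validateGrant} and {@link #issue}. */
    public static final String PREV_ACCESS_TOKEN = "previousAccessToken";
    public static final int LAST_ACCESS_TOKEN_RETRIEVAL_LIMIT = 10;
    /** Remaining lifetime (ms) below which a refresh token is treated as already expired. */
    public static final int ALLOWED_MINIMUM_VALIDITY_PERIOD = 1000;
    /** Response-header key carrying the access token that this refresh superseded. */
    public static final String DEACTIVATED_ACCESS_TOKEN = "DeactivatedAccessToken";

    private static final Log log = LogFactory.getLog(RefreshGrantHandler.class);

    // Private constants for values that appear as repeated literals throughout this handler.
    private static final String RESPONSE_HEADERS_PROPERTY = "RESPONSE_HEADERS";
    private static final String NO_TOKEN_BINDING = "NONE";
    private static final String TOKEN_STATE_ACTIVE = "ACTIVE";
    private static final String ACCESS_TOKEN_LOG_TYPE = "AccessToken";
    private static final long MILLIS_PER_SECOND = 1000L;

    // Snapshot of the server-wide "token hashing disabled" switch; read once per handler instance.
    private boolean isHashDisabled = OAuth2Util.isHashDisabled();

    /**
     * Validates a refresh-token grant request.
     * <p>
     * Beyond the generic checks of the superclass, this verifies the refresh token itself (state,
     * replay/"latest token" check, token-binding reference) and, on success, copies the previous
     * token's authorized user, scopes and extended attributes into the message context so that
     * {@link #issue} can derive the new token from them.
     *
     * @param oAuthTokenReqMessageContext request context holding the token request DTO
     * @return {@code true} when the refresh token is acceptable
     * @throws IdentityOAuth2Exception if the refresh token is invalid, stale, in a wrong state or
     *                                 fails token-binding validation
     */
    @Override
    public boolean validateGrant(OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws IdentityOAuth2Exception {

        super.validateGrant(oAuthTokenReqMessageContext);
        OAuth2AccessTokenReqDTO tokenReqDTO = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO();
        RefreshTokenValidationDataDO validationData =
                getRefreshTokenGrantProcessor().validateRefreshToken(oAuthTokenReqMessageContext);

        validateRefreshTokenInRequest(tokenReqDTO, validationData);
        validateTokenBindingReference(tokenReqDTO, validationData);

        if (log.isDebugEnabled()) {
            log.debug("Refresh token validation successful for Client id : " + tokenReqDTO.getClientId()
                    + ", Authorized User : " + validationData.getAuthorizedUser()
                    + ", Token Scope : " + OAuth2Util.buildScopeString(validationData.getScope()));
        }
        setPropertiesForTokenGeneration(oAuthTokenReqMessageContext, validationData);
        return true;
    }

    /**
     * Issues a new access token (and, depending on configuration, a new refresh token) for a
     * request that has already passed {@link #validateGrant}.
     * <p>
     * Token generation and persistence are serialised per
     * {@code clientId:userId:scope:tokenBindingReference} so that concurrent refreshes of the same
     * token do not race each other.
     *
     * @param oAuthTokenReqMessageContext validated request context; must carry {@link #PREV_ACCESS_TOKEN}
     * @return the token response, or an error response when the refresh token has expired
     * @throws IdentityOAuth2Exception on token generation, persistence or cache failures, or when
     *                                 the authorized user has no resolvable user id
     */
    @Override
    public OAuth2AccessTokenRespDTO issue(OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws IdentityOAuth2Exception {

        OAuth2AccessTokenReqDTO tokenReqDTO = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO();
        RefreshTokenValidationDataDO previousToken = getPreviousAccessToken(oAuthTokenReqMessageContext);

        if (isRefreshTokenExpired(previousToken)) {
            // NOTE(review): RFC 6749 section 5.2 prescribes invalid_grant for an expired refresh
            // token; this reuses a device-flow error code — confirm the intended error code.
            return handleError(DeviceErrorCodes.UNSUPPORTED_GRANT_TYPE, "Refresh token is expired.",
                    tokenReqDTO);
        }

        AccessTokenDO accessTokenDO = getRefreshTokenGrantProcessor().createAccessTokenBean(
                oAuthTokenReqMessageContext, tokenReqDTO, previousToken, getTokenType());
        String scopeString = OAuth2Util.buildScopeString(oAuthTokenReqMessageContext.getScope());

        try {
            // Locking on an interned string gives a JVM-wide lock keyed by the request identity.
            // Any other code that interns and locks on an equal string shares this monitor.
            String issuanceLockKey = (tokenReqDTO.getClientId() + ":"
                    + oAuthTokenReqMessageContext.getAuthorizedUser().getUserId() + ":"
                    + scopeString + ":"
                    + getTokenBindingReference(oAuthTokenReqMessageContext)).intern();
            synchronized (issuanceLockKey) {
                setTokenData(accessTokenDO, oAuthTokenReqMessageContext, previousToken, tokenReqDTO,
                        accessTokenDO.getIssuedTime());
                persistNewToken(oAuthTokenReqMessageContext, accessTokenDO, tokenReqDTO.getClientId());
                if (log.isDebugEnabled()) {
                    log.debug("Persisted an access token for the refresh token, Client ID : "
                            + tokenReqDTO.getClientId()
                            + ", Authorized user : " + oAuthTokenReqMessageContext.getAuthorizedUser()
                            + ", Timestamp : " + accessTokenDO.getIssuedTime()
                            + ", Validity period (s) : " + accessTokenDO.getValidityPeriod()
                            + ", Scope : " + OAuth2Util.buildScopeString(oAuthTokenReqMessageContext.getScope())
                            + ", Token State : ACTIVE and User Type : " + getTokenType());
                }
                setTokenDataToMessageContext(oAuthTokenReqMessageContext, accessTokenDO);
                addUserAttributesToCache(accessTokenDO, oAuthTokenReqMessageContext);
            }
            return buildTokenResponse(oAuthTokenReqMessageContext, accessTokenDO);
        } catch (UserIdNotFoundException e) {
            throw new IdentityOAuth2Exception("User id is not available for user: "
                    + oAuthTokenReqMessageContext.getAuthorizedUser().getLoggableMaskedUserId(), (Throwable) e);
        }
    }

    /**
     * Checks that every scope requested on the refresh call was already granted to the refresh
     * token (or is an authorized internal scope); a refresh may narrow scopes but never widen them.
     * An empty request keeps the previous token's scopes (already copied into the context).
     *
     * @param oAuthTokenReqMessageContext request context; its scope is replaced by the requested
     *                                    scopes on success
     * @return {@code true} if no scope was requested or every requested scope is permitted
     * @throws IdentityOAuth2Exception never thrown here; declared by the overridden signature
     */
    @Override
    public boolean validateScope(OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws IdentityOAuth2Exception {

        String[] requestedScopes = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getScope();
        String[] grantedScopes = oAuthTokenReqMessageContext.getScope();
        String[] internalScopes = oAuthTokenReqMessageContext.getAuthorizedInternalScopes();

        if (ArrayUtils.isEmpty(requestedScopes)) {
            return true;
        }
        if (ArrayUtils.isEmpty(grantedScopes) && ArrayUtils.isEmpty(internalScopes)) {
            return false;
        }

        List<String> permittedScopes = Stream.concat(toStream(grantedScopes), toStream(internalScopes))
                .collect(Collectors.toList());
        for (String requested : requestedScopes) {
            if (!permittedScopes.contains(requested)) {
                if (log.isDebugEnabled()) {
                    log.debug("scope: " + requested + " is not granted for this refresh token");
                }
                return false;
            }
        }
        oAuthTokenReqMessageContext.setScope(requestedScopes);
        return true;
    }

    /** Streams a possibly-null/empty array as an empty stream instead of failing. */
    private static Stream<String> toStream(String[] values) {

        return ArrayUtils.isEmpty(values) ? Stream.<String>empty() : Arrays.stream(values);
    }

    /** Reads the previous-token data stashed by {@link #setPropertiesForTokenGeneration}. */
    private static RefreshTokenValidationDataDO getPreviousAccessToken(
            OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {

        return (RefreshTokenValidationDataDO) oAuthTokenReqMessageContext.getProperty(PREV_ACCESS_TOKEN);
    }

    /**
     * Copies the validated previous token's user, scopes, extended attributes and (if any) token
     * binding into the message context and stashes the validation data under
     * {@link #PREV_ACCESS_TOKEN}.
     *
     * @throws IdentityOAuth2Exception if the token-binding lookup fails
     */
    private void setPropertiesForTokenGeneration(OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                                                 RefreshTokenValidationDataDO previousToken)
            throws IdentityOAuth2Exception {

        oAuthTokenReqMessageContext.setAuthorizedUser(previousToken.getAuthorizedUser());
        oAuthTokenReqMessageContext.setScope(previousToken.getScope());
        oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO()
                .setAccessTokenExtendedAttributes(previousToken.getAccessTokenExtendedAttributes());

        String bindingReference = previousToken.getTokenBindingReference();
        if (StringUtils.isNotBlank(bindingReference) && !NO_TOKEN_BINDING.equals(bindingReference)) {
            Optional<TokenBinding> tokenBinding = OAuthTokenPersistenceFactory.getInstance()
                    .getTokenBindingMgtDAO()
                    .getTokenBindingByBindingRef(previousToken.getTokenId(), bindingReference);
            tokenBinding.ifPresent(oAuthTokenReqMessageContext::setTokenBinding);
        }
        oAuthTokenReqMessageContext.addProperty(PREV_ACCESS_TOKEN, previousToken);
    }

    /**
     * Rejects refresh tokens in a non-usable state and refresh tokens that are not the latest one
     * issued for this client/user. A stale (replayed) refresh token additionally has its cached
     * access-token entries evicted before the request is rejected.
     *
     * @return {@code true} when the token is the latest usable refresh token
     * @throws IdentityOAuth2Exception when the token state is invalid or the token is not the latest
     */
    private boolean validateRefreshTokenInRequest(OAuth2AccessTokenReqDTO tokenReqDTO,
                                                  RefreshTokenValidationDataDO previousToken)
            throws IdentityOAuth2Exception {

        validateRefreshTokenStatus(previousToken, tokenReqDTO.getClientId());
        boolean isLatest = getRefreshTokenGrantProcessor().isLatestRefreshToken(tokenReqDTO, previousToken,
                getUserStoreDomain(previousToken.getAuthorizedUser()));
        if (isLatest) {
            return true;
        }
        removeIfCached(tokenReqDTO, previousToken);
        throw new IdentityOAuth2Exception("Invalid refresh token value in the request");
    }

    /**
     * Evicts the cache entries belonging to the previous access token when caching is enabled.
     *
     * @throws IdentityOAuth2Exception if the authorized user's id cannot be resolved
     */
    private void removeIfCached(OAuth2AccessTokenReqDTO tokenReqDTO, RefreshTokenValidationDataDO previousToken)
            throws IdentityOAuth2Exception {

        if (!this.cacheEnabled) {
            return;
        }
        try {
            clearCache(tokenReqDTO.getClientId(),
                    previousToken.getAuthorizedUser().getUserId(),
                    previousToken.getScope(),
                    previousToken.getAccessToken(),
                    previousToken.getAuthorizedUser().getFederatedIdPName(),
                    previousToken.getTokenBindingReference(),
                    previousToken.getAuthorizedUser().getTenantDomain());
        } catch (UserIdNotFoundException e) {
            throw new IdentityOAuth2Exception("User id not found for user:"
                    + previousToken.getAuthorizedUser().getLoggableMaskedUserId(), (Throwable) e);
        }
    }

    /**
     * Accepts refresh tokens whose state is unset, ACTIVE or EXPIRED. An EXPIRED state only means
     * the associated access token expired; the refresh token's own lifetime is enforced by
     * {@link #isRefreshTokenExpired} during {@link #issue}.
     *
     * @param clientId client id, used for diagnostics only
     * @return {@code true} when the state is acceptable
     * @throws IdentityOAuth2Exception for any other state (e.g. revoked, inactive)
     */
    private boolean validateRefreshTokenStatus(RefreshTokenValidationDataDO previousToken, String clientId)
            throws IdentityOAuth2Exception {

        String state = previousToken.getRefreshTokenState();
        if (state == null || TOKEN_STATE_ACTIVE.equals(state) || Constants.EXPIRED.equals(state)) {
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug("Refresh Token state is " + state + " for client: " + clientId
                    + ". Expected 'Active' or 'EXPIRED'");
        }
        throw new IdentityOAuth2Exception("Invalid refresh token state");
    }

    /**
     * Builds the success response from the persisted token bean. A non-positive validity period
     * is reported as {@code Long.MAX_VALUE}, i.e. "never expires".
     */
    private OAuth2AccessTokenRespDTO buildTokenResponse(OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                                                        AccessTokenDO accessTokenDO) {

        OAuth2AccessTokenRespDTO response = new OAuth2AccessTokenRespDTO();
        response.setAccessToken(accessTokenDO.getAccessToken());
        response.setTokenId(accessTokenDO.getTokenId());
        response.setRefreshToken(accessTokenDO.getRefreshToken());

        long validityMillis = accessTokenDO.getValidityPeriodInMillis();
        if (validityMillis > 0) {
            response.setExpiresIn(accessTokenDO.getValidityPeriod());
            response.setExpiresInMillis(validityMillis);
        } else {
            response.setExpiresIn(Long.MAX_VALUE);
            response.setExpiresInMillis(Long.MAX_VALUE);
        }
        response.setAuthorizedScopes(OAuth2Util.buildScopeString(oAuthTokenReqMessageContext.getScope()));
        response.setIsConsentedToken(accessTokenDO.isConsentedToken());
        return response;
    }

    /**
     * Persists the new token through the grant processor and refreshes the token caches.
     * Only a SHA-256 digest of the previous token is ever written to the debug log.
     *
     * @param clientId client id the token is issued for
     * @throws IdentityOAuth2Exception on persistence or cache-update failures
     */
    private void persistNewToken(OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                                 AccessTokenDO accessTokenDO, String clientId) throws IdentityOAuth2Exception {

        String userStoreDomain = getUserStoreDomain(oAuthTokenReqMessageContext.getAuthorizedUser());
        RefreshTokenValidationDataDO previousToken = getPreviousAccessToken(oAuthTokenReqMessageContext);

        if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable(ACCESS_TOKEN_LOG_TYPE)) {
            log.debug("Previous access token (hashed): " + DigestUtils.sha256Hex(previousToken.getAccessToken()));
        }
        getRefreshTokenGrantProcessor().persistNewToken(oAuthTokenReqMessageContext, accessTokenDO,
                userStoreDomain, clientId);
        updateCacheIfEnabled(oAuthTokenReqMessageContext, accessTokenDO, clientId, previousToken);
    }

    /**
     * When token hashing is disabled and caching is enabled, evicts the previous token's cache
     * entries and caches the new token (keyed by user/scope and by token value).
     *
     * @throws IdentityOAuth2Exception if the user id cannot be resolved or the app's token issuer
     *                                 cannot be loaded
     */
    private void updateCacheIfEnabled(OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                                      AccessTokenDO accessTokenDO, String clientId,
                                      RefreshTokenValidationDataDO previousToken) throws IdentityOAuth2Exception {

        if (!this.isHashDisabled || !this.cacheEnabled) {
            return;
        }
        try {
            OAuthCacheKey userScopedKey = buildUserScopedCacheKey(oAuthTokenReqMessageContext, clientId,
                    previousToken);
            OAuthCache cache = OAuthCache.getInstance();

            cache.clearCacheEntry(userScopedKey, accessTokenDO.getAuthzUser().getTenantDomain());
            if (previousToken.getAccessToken() != null) {
                cache.clearCacheEntry(new OAuthCacheKey(previousToken.getAccessToken()),
                        previousToken.getAuthorizedUser().getTenantDomain());
            }
            if (OAuth2Util.isTokenPersistenceEnabled()) {
                cache.addToCache(userScopedKey, cloneWithPersistedAlias(accessTokenDO, oAuthTokenReqMessageContext));
            }
            OAuth2Util.addTokenDOtoCache(accessTokenDO);

            if (log.isDebugEnabled()) {
                log.debug("Access Token info for the refresh token was added to the cache for the client id : "
                        + clientId + ". Old access token entry was also removed from the cache.");
            }
        } catch (UserIdNotFoundException e) {
            throw new IdentityOAuth2Exception("User id is not available for user: "
                    + oAuthTokenReqMessageContext.getAuthorizedUser().getLoggableMaskedUserId(), (Throwable) e);
        }
    }

    /** Builds the user/scope/org-scoped cache key under which the new token is cached. */
    private OAuthCacheKey buildUserScopedCacheKey(OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                                                  String clientId, RefreshTokenValidationDataDO previousToken)
            throws UserIdNotFoundException {

        String accessingOrganization = previousToken.getAuthorizedUser().getAccessingOrganization();
        String organizationKeyPart = StringUtils.isEmpty(accessingOrganization) ? NO_TOKEN_BINDING
                : accessingOrganization;
        return new OAuthCacheKey(OAuth2Util.buildCacheKeyStringForTokenWithUserIdOrgId(
                clientId,
                OAuth2Util.buildScopeString(oAuthTokenReqMessageContext.getScope()),
                oAuthTokenReqMessageContext.getAuthorizedUser().getUserId(),
                oAuthTokenReqMessageContext.getAuthorizedUser().getFederatedIdPName(),
                previousToken.getTokenBindingReference(),
                organizationKeyPart));
    }

    /**
     * Returns a copy of the token bean whose access-token field holds the persisted alias (hash)
     * when the app's issuer stores hashed tokens. If hashing fails, the copy keeps the raw value.
     *
     * @throws IdentityOAuth2Exception if the app's token issuer cannot be resolved
     */
    private AccessTokenDO cloneWithPersistedAlias(AccessTokenDO accessTokenDO,
                                                  OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws IdentityOAuth2Exception {

        AccessTokenDO clone = AccessTokenDO.clone(accessTokenDO);
        String clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
        try {
            OauthTokenIssuer issuer = OAuth2Util.getOAuthTokenIssuerForOAuthApp(clientId);
            if (issuer.usePersistedAccessTokenAlias()) {
                try {
                    clone.setAccessToken(issuer.getAccessTokenHash(accessTokenDO.getAccessToken()));
                } catch (OAuthSystemException e) {
                    // Best effort: a failed hash leaves the raw token in the clone; only logged.
                    if (log.isDebugEnabled()) {
                        if (IdentityUtil.isTokenLoggable(ACCESS_TOKEN_LOG_TYPE)) {
                            log.debug("Token issuer: " + issuer.getClass()
                                    + " was tried and failed to parse the received token "
                                    + clone.getAccessToken(), e);
                        } else {
                            log.debug("Token issuer: " + issuer.getClass()
                                    + " was tried and failed to parse the received token.", e);
                        }
                    }
                }
            }
            return clone;
        } catch (InvalidOAuthClientException e) {
            throw new IdentityOAuth2Exception("Error while retrieving oauth issuer for the app with clientId: "
                    + clientId, (Throwable) e);
        }
    }

    /** Copies validity periods and issue times of the new token into the context and attaches response headers. */
    private void setTokenDataToMessageContext(OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                                              AccessTokenDO accessTokenDO) {

        oAuthTokenReqMessageContext.setValidityPeriod(accessTokenDO.getValidityPeriodInMillis());
        oAuthTokenReqMessageContext.setRefreshTokenvalidityPeriod(accessTokenDO.getRefreshTokenValidityPeriodInMillis());
        oAuthTokenReqMessageContext.setAccessTokenIssuedTime(accessTokenDO.getIssuedTime().getTime());
        oAuthTokenReqMessageContext.setRefreshTokenIssuedTime(accessTokenDO.getRefreshTokenIssuedTime().getTime());
        oAuthTokenReqMessageContext.addProperty(RESPONSE_HEADERS_PROPERTY,
                getResponseHeaders(oAuthTokenReqMessageContext));
    }

    /**
     * Builds the single {@link #DEACTIVATED_ACCESS_TOKEN} header naming the access token that this
     * refresh superseded.
     * NOTE(review): the header value is the raw previous access token; confirm where the
     * RESPONSE_HEADERS property is consumed before treating this as internal-only.
     */
    private ResponseHeader[] getResponseHeaders(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {

        ResponseHeader header = new ResponseHeader();
        header.setKey(DEACTIVATED_ACCESS_TOKEN);
        header.setValue(getPreviousAccessToken(oAuthTokenReqMessageContext).getAccessToken());
        return new ResponseHeader[]{header};
    }

    /**
     * Loads the OAuth application for the given client id.
     *
     * @throws IdentityOAuth2Exception if the client id does not resolve to an application
     */
    private OAuthAppDO getOAuthApp(String clientId) throws IdentityOAuth2Exception {

        try {
            OAuthAppDO app = OAuth2Util.getAppInformationByClientId(clientId);
            if (log.isDebugEnabled()) {
                log.debug("Service Provider specific expiry time enabled for application : " + clientId
                        + ". Application access token expiry time : " + app.getApplicationAccessTokenExpiryTime()
                        + ", User access token expiry time : " + app.getUserAccessTokenExpiryTime()
                        + ", Refresh token expiry time : " + app.getRefreshTokenExpiryTime());
            }
            return app;
        } catch (InvalidOAuthClientException e) {
            throw new IdentityOAuth2Exception("Error while retrieving app information for clientId: " + clientId,
                    (Throwable) e);
        }
    }

    /** Builds an error response carrying the given error code and message. */
    private OAuth2AccessTokenRespDTO handleError(String errorCode, String errorMessage,
                                                 OAuth2AccessTokenReqDTO tokenReqDTO) {

        if (log.isDebugEnabled()) {
            log.debug("OAuth-Error-Code=" + errorCode + " client-id=" + tokenReqDTO.getClientId()
                    + " grant-type=" + tokenReqDTO.getGrantType()
                    + " scope=" + OAuth2Util.buildScopeString(tokenReqDTO.getScope()));
        }
        OAuth2AccessTokenRespDTO response = new OAuth2AccessTokenRespDTO();
        response.setError(true);
        response.setErrorCode(errorCode);
        response.setErrorMsg(errorMessage);
        return response;
    }

    /**
     * Evicts the user/scope-keyed cache entry and, when known, the entry keyed by the access
     * token value itself.
     */
    private void clearCache(String clientId, String userId, String[] scopes, String accessToken,
                            String federatedIdPName, String tokenBindingReference, String tenantDomain) {

        OAuthCacheKey userScopedKey = new OAuthCacheKey(OAuth2Util.buildCacheKeyStringForTokenWithUserId(
                clientId, OAuth2Util.buildScopeString(scopes), userId, federatedIdPName, tokenBindingReference));
        OAuthCache.getInstance().clearCacheEntry(userScopedKey, tenantDomain);
        if (accessToken != null) {
            OAuthCache.getInstance().clearCacheEntry(new OAuthCacheKey(accessToken), tenantDomain);
        }
    }

    /**
     * Returns whether the refresh token's remaining lifetime is below
     * {@link #ALLOWED_MINIMUM_VALIDITY_PERIOD}. A negative validity period never expires
     * (presumably the "unlimited" sentinel — confirm against the persistence layer).
     */
    private boolean isRefreshTokenExpired(RefreshTokenValidationDataDO previousToken) {

        long issuedAtMillis = previousToken.getIssuedTime().getTime();
        long validityMillis = previousToken.getValidityPeriodInMillis();
        return validityMillis >= 0
                && OAuth2Util.getTimeToExpire(issuedAtMillis, validityMillis) < ALLOWED_MINIMUM_VALIDITY_PERIOD;
    }

    /**
     * Fills the new token bean: generates token values, decides whether the refresh token is
     * renewed or reused, applies username assertion and sets the access-token validity period.
     *
     * @param issuedTime issue time of the new access token
     * @throws IdentityOAuth2Exception if the app cannot be loaded or token generation fails
     */
    private void setTokenData(AccessTokenDO accessTokenDO, OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                              RefreshTokenValidationDataDO previousToken, OAuth2AccessTokenReqDTO tokenReqDTO,
                              Timestamp issuedTime) throws IdentityOAuth2Exception {

        OAuthAppDO oAuthApp = getOAuthApp(tokenReqDTO.getClientId());
        createTokens(accessTokenDO, oAuthTokenReqMessageContext);
        setRefreshTokenData(accessTokenDO, tokenReqDTO, previousToken, oAuthApp, accessTokenDO.getRefreshToken(),
                issuedTime, oAuthTokenReqMessageContext);
        modifyTokensIfUsernameAssertionEnabled(accessTokenDO, oAuthTokenReqMessageContext);
        setValidityPeriod(accessTokenDO, oAuthTokenReqMessageContext, oAuthApp);
    }

    /** Sets the access-token validity in both seconds and milliseconds. */
    private void setValidityPeriod(AccessTokenDO accessTokenDO, OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                                   OAuthAppDO oAuthAppDO) {

        long validityMillis = getValidityPeriodInMillis(oAuthTokenReqMessageContext, oAuthAppDO);
        accessTokenDO.setValidityPeriod(validityMillis / MILLIS_PER_SECOND);
        accessTokenDO.setValidityPeriodInMillis(validityMillis);
    }

    /**
     * Generates the new access and refresh token values with the app's token issuer.
     * Only SHA-256 digests of the values reach the debug log.
     *
     * @throws IdentityOAuth2Exception if the issuer cannot be resolved or token generation fails;
     *                                 an {@link IdentityOAuth2ClientException} wrapped by the
     *                                 issuer is rethrown as-is
     */
    private void createTokens(AccessTokenDO accessTokenDO, OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws IdentityOAuth2Exception {

        String consumerKey = accessTokenDO.getConsumerKey();
        try {
            OauthTokenIssuer issuer = OAuth2Util.getOAuthTokenIssuerForOAuthApp(consumerKey);
            String accessToken = issuer.accessToken(oAuthTokenReqMessageContext);
            String refreshToken = issuer.refreshToken(oAuthTokenReqMessageContext);

            if (log.isDebugEnabled()) {
                if (IdentityUtil.isTokenLoggable(ACCESS_TOKEN_LOG_TYPE)) {
                    log.debug("New access token (hashed): " + DigestUtils.sha256Hex(accessToken)
                            + " & new refresh token (hashed): " + DigestUtils.sha256Hex(refreshToken));
                } else {
                    log.debug("Access token and refresh token generated.");
                }
            }
            accessTokenDO.setAccessToken(accessToken);
            accessTokenDO.setRefreshToken(refreshToken);
        } catch (OAuthSystemException e) {
            if (e.getCause() instanceof IdentityOAuth2ClientException) {
                throw (IdentityOAuth2ClientException) e.getCause();
            }
            throw new IdentityOAuth2Exception("Error when generating the tokens.", (Throwable) e);
        } catch (InvalidOAuthClientException e) {
            throw new IdentityOAuth2Exception("Error while retrieving oauth issuer for the app with clientId: "
                    + consumerKey, (Throwable) e);
        }
    }

    /** Embeds the username into both token values when username assertion is enabled server-wide. */
    private void modifyTokensIfUsernameAssertionEnabled(AccessTokenDO accessTokenDO,
                                                        OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {

        if (!OAuth2Util.checkUserNameAssertionEnabled()) {
            return;
        }
        String accessTokenWithUser = OAuth2Util.addUsernameToToken(
                oAuthTokenReqMessageContext.getAuthorizedUser(), accessTokenDO.getAccessToken());
        String refreshTokenWithUser = OAuth2Util.addUsernameToToken(
                oAuthTokenReqMessageContext.getAuthorizedUser(), accessTokenDO.getRefreshToken());
        accessTokenDO.setAccessToken(accessTokenWithUser);
        accessTokenDO.setRefreshToken(refreshTokenWithUser);

        if (log.isDebugEnabled()) {
            if (IdentityUtil.isTokenLoggable(ACCESS_TOKEN_LOG_TYPE)) {
                log.debug("Encoded access token (hashed): " + DigestUtils.sha256Hex(accessTokenWithUser)
                        + " & encoded refresh token (hashed): " + DigestUtils.sha256Hex(refreshTokenWithUser));
            } else {
                log.debug("Access token and refresh token encoded using Base64 encoding.");
            }
        }
    }

    /**
     * Resolves the access-token validity in milliseconds: a validity period set on the context
     * wins; otherwise the app-specific user token expiry, falling back to the server default.
     */
    private long getValidityPeriodInMillis(OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                                           OAuthAppDO oAuthAppDO) {

        long contextValiditySeconds = oAuthTokenReqMessageContext.getValidityPeriod();
        if (contextValiditySeconds != -1) {
            return contextValiditySeconds * MILLIS_PER_SECOND;
        }
        if (oAuthAppDO.getUserAccessTokenExpiryTime() != 0) {
            return oAuthAppDO.getUserAccessTokenExpiryTime() * MILLIS_PER_SECOND;
        }
        return OAuthServerConfiguration.getInstance().getUserAccessTokenValidityPeriodInSeconds() * MILLIS_PER_SECOND;
    }

    /**
     * Decides which refresh token value, issue time and validity the new bean carries:
     * <ul>
     *   <li>renewal disabled: the incoming refresh token and its original lifetime are reused;</li>
     *   <li>renewal enabled but lifetime extension disabled: the new value inherits the old
     *       lifetime window;</li>
     *   <li>extension enabled for an extended token: the old validity is kept from the new issue time;</li>
     *   <li>otherwise: a fresh lifetime starting at {@code issuedTime}.</li>
     * </ul>
     *
     * @param newRefreshToken the freshly generated refresh token value
     * @param issuedTime      issue time of the new access token
     */
    private void setRefreshTokenData(AccessTokenDO accessTokenDO, OAuth2AccessTokenReqDTO tokenReqDTO,
                                     RefreshTokenValidationDataDO previousToken, OAuthAppDO oAuthAppDO,
                                     String newRefreshToken, Timestamp issuedTime,
                                     OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {

        String refreshToken = newRefreshToken;
        Timestamp refreshTokenIssuedTime = null;
        long refreshTokenValidityMillis = 0;

        if (!isRenewRefreshToken(oAuthAppDO.getRenewRefreshTokenEnabled())) {
            refreshToken = tokenReqDTO.getRefreshToken();
            refreshTokenIssuedTime = previousToken.getIssuedTime();
            refreshTokenValidityMillis = previousToken.getValidityPeriodInMillis();
        } else if (!OAuthServerConfiguration.getInstance().isExtendRenewedTokenExpiryTimeEnabled()) {
            refreshTokenIssuedTime = previousToken.getIssuedTime();
            refreshTokenValidityMillis = previousToken.getValidityPeriodInMillis();
        } else if (tokenReqDTO.getAccessTokenExtendedAttributes() != null
                && tokenReqDTO.getAccessTokenExtendedAttributes().isExtendedToken()) {
            refreshTokenValidityMillis = previousToken.getValidityPeriodInMillis();
        }
        if (refreshTokenIssuedTime == null) {
            refreshTokenIssuedTime = issuedTime;
        }

        accessTokenDO.setRefreshToken(refreshToken);
        accessTokenDO.setRefreshTokenIssuedTime(refreshTokenIssuedTime);
        accessTokenDO.setRefreshTokenValidityPeriodInMillis(
                getRefreshTokenValidityPeriod(refreshTokenValidityMillis, oAuthAppDO, oAuthTokenReqMessageContext));
    }

    /**
     * Resolves the refresh-token validity in milliseconds: a positive value on the context wins;
     * otherwise an inherited non-zero value is kept; otherwise the app-specific expiry, falling
     * back to the server default.
     *
     * @param inheritedValidityMillis validity carried over from the previous token, or 0 for none
     */
    private long getRefreshTokenValidityPeriod(long inheritedValidityMillis, OAuthAppDO oAuthAppDO,
                                               OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {

        long contextValiditySeconds = oAuthTokenReqMessageContext.getRefreshTokenvalidityPeriod();
        if (contextValiditySeconds > 0) {
            long validityMillis = contextValiditySeconds * MILLIS_PER_SECOND;
            if (log.isDebugEnabled()) {
                log.debug("OAuth application id : " + oAuthAppDO.getOauthConsumerKey()
                        + ", using refresh token validity period configured from OAuthTokenReqMessageContext: "
                        + validityMillis + " ms");
            }
            return validityMillis;
        }
        if (inheritedValidityMillis != 0) {
            return inheritedValidityMillis;
        }
        if (oAuthAppDO.getRefreshTokenExpiryTime() != 0) {
            return oAuthAppDO.getRefreshTokenExpiryTime() * MILLIS_PER_SECOND;
        }
        return OAuthServerConfiguration.getInstance().getRefreshTokenValidityPeriodInSeconds() * MILLIS_PER_SECOND;
    }

    /**
     * Moves the user-attribute cache entry from the previous access token to the new one so that
     * claims collected at authorization time survive the refresh. No-op when the previous token
     * value is unknown or no entry is cached.
     */
    private static void addUserAttributesToCache(AccessTokenDO accessTokenDO,
                                                 OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {

        RefreshTokenValidationDataDO previousToken = getPreviousAccessToken(oAuthTokenReqMessageContext);
        if (previousToken.getAccessToken() == null) {
            return;
        }
        AuthorizationGrantCacheKey previousKey = new AuthorizationGrantCacheKey(previousToken.getAccessToken());
        if (log.isDebugEnabled()) {
            log.debug("Getting AuthorizationGrantCacheEntry using access token id: " + accessTokenDO.getTokenId());
        }
        AuthorizationGrantCacheEntry cachedEntry = AuthorizationGrantCache.getInstance()
                .getValueFromCacheByTokenId(previousKey, previousToken.getTokenId());
        if (cachedEntry == null) {
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("Getting user attributes cached against the previous access token with access token id: "
                    + previousToken.getTokenId());
        }
        AuthorizationGrantCacheKey newKey = new AuthorizationGrantCacheKey(accessTokenDO.getAccessToken());
        cachedEntry.setTokenId(StringUtils.isNotBlank(accessTokenDO.getTokenId()) ? accessTokenDO.getTokenId() : null);
        // The grant cache tracks validity in nanoseconds.
        cachedEntry.setValidityPeriod(TimeUnit.MILLISECONDS.toNanos(accessTokenDO.getValidityPeriodInMillis()));
        AuthorizationGrantCache.getInstance().clearCacheEntryByTokenId(previousKey, previousToken.getTokenId());
        AuthorizationGrantCache.getInstance().addToCacheByToken(newKey, cachedEntry);
    }

    /**
     * Returns whether refresh tokens are renewed on use: the app-specific setting when present,
     * otherwise the server-wide configuration.
     *
     * @param appRenewSetting app-level value as stored, or blank when not configured
     */
    private boolean isRenewRefreshToken(String appRenewSetting) {

        if (StringUtils.isNotBlank(appRenewSetting)) {
            if (log.isDebugEnabled()) {
                log.debug("Reading the Oauth application specific renew refresh token value as " + appRenewSetting
                        + " from the IDN_OIDC_PROPERTY table");
            }
            return Boolean.parseBoolean(appRenewSetting);
        }
        if (log.isDebugEnabled()) {
            log.debug("Reading the global renew refresh token value from the identity.xml");
        }
        return OAuthServerConfiguration.getInstance().isRefreshTokenRenewalEnabled();
    }

    /**
     * Verifies that a bound refresh token is presented together with a matching binding (e.g. the
     * same cookie/certificate), when the app has binding validation enabled.
     *
     * @throws IdentityOAuth2Exception if the app cannot be loaded, the binder is not registered,
     *                                 or the binding does not match
     */
    private void validateTokenBindingReference(OAuth2AccessTokenReqDTO tokenReqDTO,
                                               RefreshTokenValidationDataDO previousToken)
            throws IdentityOAuth2Exception {

        String bindingReference = previousToken.getTokenBindingReference();
        if (StringUtils.isBlank(bindingReference) || NO_TOKEN_BINDING.equals(bindingReference)) {
            return;
        }
        String clientId = tokenReqDTO.getClientId();
        OAuthAppDO app;
        try {
            app = OAuth2Util.getAppInformationByClientId(clientId);
        } catch (InvalidOAuthClientException e) {
            // Keep the cause so the failed lookup can be diagnosed from the wrapped exception.
            throw new IdentityOAuth2Exception("Failed to load the application with client id: " + clientId,
                    (Throwable) e);
        }

        String bindingType = app.getTokenBindingType();
        if (StringUtils.isBlank(bindingType)) {
            return;
        }
        Optional<TokenBinder> tokenBinder = OAuth2ServiceComponentHolder.getInstance().getTokenBinder(bindingType);
        if (!tokenBinder.isPresent()) {
            throw new IdentityOAuth2Exception("Token binder for the binding type: " + bindingType
                    + " is not registered.");
        }
        if (app.isTokenBindingValidationEnabled()
                && !tokenBinder.get().isValidTokenBinding(tokenReqDTO, bindingReference)) {
            throw new IdentityOAuth2Exception("Invalid token binding value is present in the request.");
        }
    }

    /** Returns the pluggable processor that validates, persists and tracks refresh tokens. */
    private RefreshTokenGrantProcessor getRefreshTokenGrantProcessor() {

        return OAuth2ServiceComponentHolder.getInstance().getRefreshTokenGrantProcessor();
    }
}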
