package org.wso2.carbon.identity.oauth.ciba.grant;

import java.sql.Timestamp;
import java.util.Calendar;
import java.util.List;
import java.util.TimeZone;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.oauth.ciba.common.AuthReqStatus;
import org.wso2.carbon.identity.oauth.ciba.common.CibaConstants;
import org.wso2.carbon.identity.oauth.ciba.dao.CibaDAOFactory;
import org.wso2.carbon.identity.oauth.ciba.exceptions.CibaCoreException;
import org.wso2.carbon.identity.oauth.ciba.exceptions.ErrorCodes;
import org.wso2.carbon.identity.oauth.ciba.model.CibaAuthCodeDO;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenRespDTO;
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;

/* loaded from: input_file:org/wso2/carbon/identity/oauth/ciba/grant/CibaGrantHandler.class */
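/**
 * Token-endpoint grant handler for the CIBA (Client Initiated Backchannel Authentication) grant.
 *
 * <p>{@link #validateGrant} resolves the {@code auth_req_id} sent with the token request to its
 * stored {@link CibaAuthCodeDO}, checks that it belongs to the calling client, is not expired,
 * has not already been redeemed, was not denied, and is not being polled too fast. {@link #issue}
 * delegates token creation to the parent handler and then marks the request
 * {@link AuthReqStatus#TOKEN_ISSUED}.
 *
 * <p>NOTE(review): the "already issued" check in {@link #validateGrant} and the status update in
 * {@link #issue} are separate DAO calls. Unless the DAO or the caller serializes requests per
 * {@code auth_req_id}, two concurrent polls for an authenticated request could both pass
 * validation and each obtain a token. Single-use enforcement would need an atomic
 * compare-and-set of the status in the persistence layer - confirm.
 */
public class CibaGrantHandler extends AbstractAuthorizationGrantHandler {
    private static final String INVALID_GRANT = "invalid_grant";
    private static final String MISSING_AUTH_REQ_ID = "auth_req_id_missing";
    private static final String INVALID_AUTH_REQ_ID = "invalid auth_req_id";
    private static final String INVALID_PARAMETERS = "invalid_request_parameters";

    /** Seconds added to the stored polling interval each time a client polls too early. */
    private static final long INTERVAL_INCREMENT_SECONDS = 3L;

    /** Long-typed factor so second-to-millisecond conversions never run in int arithmetic. */
    private static final long MILLIS_PER_SECOND = 1000L;

    private static final Log log = LogFactory.getLog(CibaGrantHandler.class);

    /**
     * Issues the token through the parent handler, then records that the CIBA authentication
     * request has been redeemed.
     *
     * @param oAuthTokenReqMessageContext token request context
     * @return the token response produced by the parent handler
     * @throws IdentityOAuth2Exception if the parent fails, the {@code auth_req_id} cannot be
     *                                 resolved, or the status update cannot be persisted
     */
    public OAuth2AccessTokenRespDTO issue(OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws IdentityOAuth2Exception {
        OAuth2AccessTokenRespDTO tokenResponse = super.issue(oAuthTokenReqMessageContext);
        String authReqId = getAuthReqId(oAuthTokenReqMessageContext);
        try {
            CibaAuthCodeDO authCode = retrieveCibaAuthCode(authReqId);
            CibaDAOFactory.getInstance().getCibaAuthMgtDAO()
                    .updateStatus(authCode.getCibaAuthCodeKey(), AuthReqStatus.TOKEN_ISSUED);
            if (log.isDebugEnabled()) {
                log.debug("Successfully updated the status of authentication request made by client:"
                        + oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId());
            }
            return tokenResponse;
        } catch (CibaCoreException e) {
            // NOTE(review): super.issue() has already run at this point. If the status update
            // fails, the request is not marked TOKEN_ISSUED and may still pass validateGrant.
            // The auth_req_id is deliberately left out of the message: it is the value a client
            // redeems for tokens, and exception messages tend to end up in logs.
            throw new IdentityOAuth2Exception(
                    "Error occurred in persisting the TOKEN_ISSUED status for the CIBA authentication request.", e);
        }
    }

    /**
     * Validates a CIBA token request.
     *
     * <p>Checks run in this order: parent validation, {@code auth_req_id} lookup, client
     * ownership, expiry, already-redeemed, denied/failed, polling rate, pending. The ownership
     * check comes before any check that writes to the store (expiry status, polling interval,
     * last-polled time), so a client presenting another client's {@code auth_req_id} is rejected
     * before it can change that request's state.
     *
     * @param oAuthTokenReqMessageContext token request context
     * @return {@code true} when the request is authenticated and ready for token generation;
     *         {@code false} when the parent handler rejects the grant
     * @throws IdentityOAuth2Exception for every CIBA-specific rejection (invalid or foreign
     *                                 {@code auth_req_id}, expired, already redeemed, denied,
     *                                 polling too fast, authorization pending)
     */
    public boolean validateGrant(OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws IdentityOAuth2Exception {
        if (!super.validateGrant(oAuthTokenReqMessageContext)) {
            if (log.isDebugEnabled()) {
                // The original message began with "Successful in validating grant." on the failure path.
                log.debug("Grant validation failed for the token request made by client: "
                        + oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId());
            }
            return false;
        }
        try {
            CibaAuthCodeDO authCode = retrieveCibaAuthCode(getAuthReqId(oAuthTokenReqMessageContext));
            validateAuthReqIdOwner(authCode.getConsumerKey(),
                    oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId());
            validateAuthReqId(authCode);
            if (isTokenAlreadyIssued(authCode)) {
                throw new IdentityOAuth2Exception("invalid_request");
            }
            if (!isAuthorized(authCode)) {
                throw new IdentityOAuth2Exception("access_denied", "User denied authentication");
            }
            validatePollingFrequency(authCode);
            if (isAuthorizationPending(authCode)) {
                updateLastPolledTime(authCode);
                throw new IdentityOAuth2Exception(ErrorCodes.AUTHORIZATION_PENDING, "Authorization pending");
            }
            setPropertiesForTokenGeneration(oAuthTokenReqMessageContext, authCode);
            return true;
        } catch (CibaCoreException e) {
            throw new IdentityOAuth2Exception(INVALID_PARAMETERS, e);
        }
    }

    /**
     * Extracts the {@code auth_req_id} parameter from the token request.
     *
     * <p>When the parameter is repeated, the last occurrence with at least one value wins.
     *
     * @param oAuthTokenReqMessageContext token request context
     * @return the first value of the {@code auth_req_id} parameter
     * @throws IdentityOAuth2Exception if the parameter is absent or carries no value
     */
    protected String getAuthReqId(OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws IdentityOAuth2Exception {
        String authReqId = null;
        RequestParameter[] parameters =
                oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getRequestParameters();
        // A request with no extra parameters is reported as "missing" rather than failing with an NPE.
        if (parameters != null) {
            for (RequestParameter parameter : parameters) {
                String[] values = parameter.getValue();
                if (CibaConstants.AUTH_REQ_ID.equals(parameter.getKey()) && values != null && values.length > 0) {
                    authReqId = values[0];
                }
            }
        }
        if (authReqId != null) {
            return authReqId;
        }
        if (log.isDebugEnabled()) {
            log.debug("token request misses mandated parameter (auth_req_id).");
        }
        throw new IdentityOAuth2Exception(MISSING_AUTH_REQ_ID);
    }

    /**
     * Tells whether the request has neither been denied by the user nor failed.
     *
     * @param cibaAuthCodeDO stored authentication request
     * @return {@code false} for {@code CONSENT_DENIED} or {@code FAILED}, otherwise {@code true}
     */
    private boolean isAuthorized(CibaAuthCodeDO cibaAuthCodeDO) {
        Object status = cibaAuthCodeDO.getAuthReqStatus();
        return !(AuthReqStatus.CONSENT_DENIED.equals(status) || AuthReqStatus.FAILED.equals(status));
    }

    /**
     * Rejects an expired {@code auth_req_id} and persists the {@code EXPIRED} status.
     *
     * @param cibaAuthCodeDO stored authentication request
     * @throws IdentityOAuth2Exception if the request has outlived its validity period
     * @throws CibaCoreException       if the status update fails
     */
    private void validateAuthReqId(CibaAuthCodeDO cibaAuthCodeDO) throws IdentityOAuth2Exception, CibaCoreException {
        // Multiplying by a long constant keeps the conversion in 64-bit arithmetic whatever the
        // declared type of getExpiresIn() is.
        long expiryTime = cibaAuthCodeDO.getIssuedTime().getTime()
                + (cibaAuthCodeDO.getExpiresIn() * MILLIS_PER_SECOND);
        if (System.currentTimeMillis() > expiryTime) {
            if (log.isDebugEnabled()) {
                log.debug("CIBA auth_req_id is in expired state.Token Request Denied.");
            }
            CibaDAOFactory.getInstance().getCibaAuthMgtDAO()
                    .updateStatus(cibaAuthCodeDO.getCibaAuthCodeKey(), AuthReqStatus.EXPIRED);
            throw new IdentityOAuth2Exception(ErrorCodes.EXPIRED_AUTH_REQ_ID, "Token expired");
        }
    }

    /**
     * Ensures the {@code auth_req_id} is redeemed by the client it was issued to.
     *
     * @param consumerKey client the stored request was issued for
     * @param clientId    client making the token request
     * @throws IdentityOAuth2Exception if the two differ, or if the stored consumer key is missing
     */
    private void validateAuthReqIdOwner(String consumerKey, String clientId) throws IdentityOAuth2Exception {
        // Fail closed: a stored record without a consumer key is rejected instead of raising an NPE.
        if (consumerKey != null && consumerKey.equals(clientId)) {
            return;
        }
        log.debug("CIBA auth_req_id does not belong to the requested client.Token Request Denied.");
        throw new IdentityOAuth2Exception("Invalid client. Request ID issued for different client");
    }

    /**
     * Rejects a poll that arrives before the stored interval has elapsed since the last poll,
     * and lengthens the stored interval for that request.
     *
     * @param cibaAuthCodeDO stored authentication request
     * @throws IdentityOAuth2Exception if the client polled too early
     * @throws CibaCoreException       if the new interval cannot be persisted
     */
    private void validatePollingFrequency(CibaAuthCodeDO cibaAuthCodeDO)
            throws IdentityOAuth2Exception, CibaCoreException {
        long now = System.currentTimeMillis();
        // NOTE(review): assumes getLastPolledTime() is never null for a stored request - confirm.
        long lastPolled = cibaAuthCodeDO.getLastPolledTime().getTime();
        long interval = cibaAuthCodeDO.getInterval();
        String cibaAuthCodeKey = cibaAuthCodeDO.getCibaAuthCodeKey();
        if (now < lastPolled + (interval * MILLIS_PER_SECOND)) {
            long increasedInterval = interval + INTERVAL_INCREMENT_SECONDS;
            if (log.isDebugEnabled()) {
                log.debug(" Rigorous polling for the token  made by client for request identified by cibaAuthCodeDOKey : "
                        + cibaAuthCodeKey + ". Updated the Polling frequency on the table.");
            }
            CibaDAOFactory.getInstance().getCibaAuthMgtDAO().updatePollingInterval(cibaAuthCodeKey, increasedInterval);
            throw new IdentityOAuth2Exception(ErrorCodes.SLOW_DOWN, "Slow down");
        }
    }

    /**
     * Stores the current time as the request's last-polled time.
     *
     * @param cibaAuthCodeDO stored authentication request
     * @throws CibaCoreException if the update fails
     */
    private void updateLastPolledTime(CibaAuthCodeDO cibaAuthCodeDO) throws CibaCoreException {
        CibaDAOFactory.getInstance().getCibaAuthMgtDAO()
                .updateLastPollingTime(cibaAuthCodeDO.getCibaAuthCodeKey(), new Timestamp(System.currentTimeMillis()));
    }

    /**
     * Tells whether the user has not yet completed authentication.
     *
     * @param cibaAuthCodeDO stored authentication request
     * @return {@code true} unless the status is {@code AUTHENTICATED}; a missing status counts as pending
     */
    private boolean isAuthorizationPending(CibaAuthCodeDO cibaAuthCodeDO) {
        // Constant-first equals so a missing status counts as "not authenticated" instead of an NPE.
        if (AuthReqStatus.AUTHENTICATED.equals(cibaAuthCodeDO.getAuthReqStatus())) {
            return false;
        }
        // The original emitted this message on the authenticated branch, at info level.
        if (log.isDebugEnabled()) {
            log.debug("User still not authenticated for the request made by client for request uniquely identified by cibaAuthCodeKey : "
                    + cibaAuthCodeDO.getCibaAuthCodeKey());
        }
        return true;
    }

    /**
     * Tells whether a token has already been issued for this request.
     *
     * @param cibaAuthCodeDO stored authentication request
     * @return {@code true} when the status is {@code TOKEN_ISSUED}
     */
    private boolean isTokenAlreadyIssued(CibaAuthCodeDO cibaAuthCodeDO) {
        if (AuthReqStatus.TOKEN_ISSUED.equals(cibaAuthCodeDO.getAuthReqStatus())) {
            return true;
        }
        // Debug level to match the guard; the original called log.info inside isDebugEnabled().
        if (log.isDebugEnabled()) {
            log.debug("Token is not delivered for the request made for cibaAuthCodeDOKey : "
                    + cibaAuthCodeDO.getCibaAuthCodeKey());
        }
        return false;
    }

    /**
     * Copies the authenticated user and the scopes of the stored request into the token context.
     *
     * @param oAuthTokenReqMessageContext token request context to populate
     * @param cibaAuthCodeDO              stored request; user and scopes are loaded by
     *                                    {@link #retrieveCibaAuthCode} only for {@code AUTHENTICATED} requests
     */
    private void setPropertiesForTokenGeneration(OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                                                 CibaAuthCodeDO cibaAuthCodeDO) {
        oAuthTokenReqMessageContext.setAuthorizedUser(
                OAuth2Util.getUserFromUserName(cibaAuthCodeDO.getAuthenticatedUser().getUserName()));
        oAuthTokenReqMessageContext.setScope(cibaAuthCodeDO.getScopes());
    }

    /**
     * Loads the stored authentication request for an {@code auth_req_id}. Scopes and the
     * authenticated user are attached only when the request is {@code AUTHENTICATED}.
     *
     * @param authReqId value of the {@code auth_req_id} request parameter (untrusted input)
     * @return the stored request, never {@code null}
     * @throws IdentityOAuth2Exception if the id is unknown or the lookup fails
     */
    private CibaAuthCodeDO retrieveCibaAuthCode(String authReqId) throws IdentityOAuth2Exception {
        try {
            String cibaAuthCodeKey = CibaDAOFactory.getInstance().getCibaAuthMgtDAO().getCibaAuthCodeKey(authReqId);
            if (StringUtils.isBlank(cibaAuthCodeKey)) {
                if (log.isDebugEnabled()) {
                    // The submitted value is request-controlled and is not written to the log.
                    log.debug("Provided auth_req_id with the token request is not valid.Or not issued by Identity server.");
                }
                throw new IdentityOAuth2Exception(INVALID_AUTH_REQ_ID);
            }
            CibaAuthCodeDO cibaAuthCode = CibaDAOFactory.getInstance().getCibaAuthMgtDAO().getCibaAuthCode(cibaAuthCodeKey);
            if (cibaAuthCode == null) {
                // NOTE(review): whether the DAO can return null here is not visible in this file;
                // treated as an unknown auth_req_id rather than left to fail with an NPE.
                throw new IdentityOAuth2Exception(INVALID_AUTH_REQ_ID);
            }
            if (AuthReqStatus.AUTHENTICATED.equals(cibaAuthCode.getAuthReqStatus())) {
                List<String> scopes = CibaDAOFactory.getInstance().getCibaAuthMgtDAO()
                        .getScopes(cibaAuthCode.getCibaAuthCodeKey());
                cibaAuthCode.setScopes(scopes.toArray(new String[0]));
                cibaAuthCode.setAuthenticatedUser(CibaDAOFactory.getInstance().getCibaAuthMgtDAO()
                        .getAuthenticatedUser(cibaAuthCode.getCibaAuthCodeKey()));
            }
            return cibaAuthCode;
        } catch (CibaCoreException e) {
            throw new IdentityOAuth2Exception(INVALID_AUTH_REQ_ID, e);
        }
    }
}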
