package org.wso2.carbon.identity.oauth2.token.handlers.grant;

import java.sql.Timestamp;
import java.util.Date;
import java.util.UUID;
import org.apache.amber.oauth2.as.issuer.MD5Generator;
import org.apache.amber.oauth2.as.issuer.OAuthIssuer;
import org.apache.amber.oauth2.as.issuer.OAuthIssuerImpl;
import org.apache.amber.oauth2.common.exception.OAuthSystemException;
import org.apache.amber.oauth2.common.message.types.GrantType;
import org.apache.axiom.util.base64.Base64Utils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.model.OAuthAppDO;
import org.wso2.carbon.identity.oauth.cache.AppInfoCache;
import org.wso2.carbon.identity.oauth.cache.CacheEntry;
import org.wso2.carbon.identity.oauth.cache.CacheKey;
import org.wso2.carbon.identity.oauth.cache.OAuthCache;
import org.wso2.carbon.identity.oauth.cache.OAuthCacheKey;
import org.wso2.carbon.identity.oauth.callback.OAuthCallback;
import org.wso2.carbon.identity.oauth.callback.OAuthCallbackManager;
import org.wso2.carbon.identity.oauth.common.OAuthConstants;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDAO;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenRespDTO;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandler.class */
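/**
 * Base implementation shared by the OAuth2 authorization grant handlers.
 *
 * <p>{@link #issue(OAuthTokenReqMessageContext)} reuses a still-valid access token found in the
 * OAuth cache or the token store for the same (client, user, scope) triple, expires a stale one,
 * and otherwise generates and persists a fresh access/refresh token pair. Grant validation and
 * scope validation are delegated to the {@link OAuthCallbackManager}.
 *
 * <p>Secrets (access and refresh tokens) are deliberately kept out of every log and exception
 * message in this class; log lines identify the token by client id, user and scope instead.
 */
public abstract class AbstractAuthorizationGrantHandler implements AuthorizationGrantHandler {

    private static final Log log = LogFactory.getLog(AbstractAuthorizationGrantHandler.class);

    /**
     * Value reported as {@code expires_in} (seconds) for a token with no expiry. It is
     * {@code Long.MAX_VALUE / 1000}, i.e. the seconds counterpart of the {@code Long.MAX_VALUE}
     * reported in milliseconds.
     */
    private static final long INFINITE_EXPIRES_IN_SECONDS = 9223372036854775L;

    /**
     * Token value generator. Subclasses may call {@code accessToken()} / {@code refreshToken()}
     * on it; the generated values are opaque strings.
     */
    protected final OAuthIssuer oauthIssuerImpl = new OAuthIssuerImpl(new MD5Generator());
    protected TokenMgtDAO tokenMgtDAO;
    protected OAuthCallbackManager callbackManager;
    /** True when the server configuration enables the OAuth cache; {@link #oauthCache} is only set then. */
    protected boolean cacheEnabled;
    protected OAuthCache oauthCache;

    /**
     * Creates the token DAO and callback manager and, when caching is enabled in the server
     * configuration, attaches the shared {@link OAuthCache} instance.
     *
     * @throws IdentityOAuth2Exception declared by the interface; not thrown by this implementation
     */
    @Override
    public void init() throws IdentityOAuth2Exception {
        this.tokenMgtDAO = new TokenMgtDAO();
        this.callbackManager = new OAuthCallbackManager();
        if (OAuthServerConfiguration.getInstance().isCacheEnabled()) {
            this.cacheEnabled = true;
            this.oauthCache = OAuthCache.getInstance();
        }
    }

    /** @return {@code true}; grant handlers are confidential clients unless a subclass overrides this. */
    @Override
    public boolean isConfidentialClient() throws IdentityOAuth2Exception {
        return true;
    }

    /** @return {@code true}; a refresh token is issued alongside the access token unless overridden. */
    @Override
    public boolean issueRefreshToken() throws IdentityOAuth2Exception {
        return true;
    }

    /** @return {@code true}; tokens are issued on behalf of an end user unless a subclass overrides this. */
    @Override
    public boolean isOfTypeApplicationUser() throws IdentityOAuth2Exception {
        return true;
    }

    /**
     * Issues an access token for the validated request in {@code oAuthTokenReqMessageContext}.
     *
     * <p>Resolution order, all under a lock keyed by client id, user and scope:
     * <ol>
     *   <li>a cached token that is still valid (or has no expiry) is returned as-is;</li>
     *   <li>the latest token in the store, if active and still valid, is returned and re-cached;</li>
     *   <li>otherwise an expired active token is marked {@code EXPIRED}, its refresh token is
     *       carried over when that is still valid, and a new token pair is generated and stored.</li>
     * </ol>
     *
     * @param oAuthTokenReqMessageContext the request context (client id, authorized user, scope,
     *                                    validity period negotiated by the callbacks)
     * @return the response DTO carrying the access token, optional refresh token and expiry
     * @throws IdentityOAuth2Exception if token generation or persistence fails
     */
    @Override
    public OAuth2AccessTokenRespDTO issue(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        OAuth2AccessTokenReqDTO oauth2AccessTokenReqDTO = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO();
        String scope = OAuth2Util.buildScopeString(oAuthTokenReqMessageContext.getScope());
        String clientId = oauth2AccessTokenReqDTO.getClientId();
        String authorizedUser = oAuthTokenReqMessageContext.getAuthorizedUser();
        // The cache key lower-cases the user name; the lock key further down does not. Both are
        // existing behaviour. NOTE(review): toLowerCase() uses the default locale — confirm that
        // every other place building this cache key lower-cases the same way.
        OAuthCacheKey cacheKey = new OAuthCacheKey(clientId + ":" + authorizedUser.toLowerCase() + ":" + scope);

        // Only needed when tokens are partitioned per user store and carry a user-name assertion.
        String userStoreDomain = null;
        if (OAuth2Util.checkAccessTokenPartitioningEnabled() && OAuth2Util.checkUserNameAssertionEnabled()) {
            userStoreDomain = OAuth2Util.getUserStoreDomainFromUserId(authorizedUser);
        }
        String tokenType = isOfTypeApplicationUser() ? OAuthConstants.USER_TYPE_FOR_USER_TOKEN : OAuthConstants.USER_TYPE_FOR_APPLICATION_TOKEN;

        // Refresh-token material carried over from an expired token whose refresh token is still valid.
        String refreshToken = null;
        Timestamp refreshTokenIssuedTime = null;
        long refreshTokenValidityMillis = 0;

        // The lock is an interned String, so it is only effective within this JVM (two nodes of a
        // cluster can still issue concurrently) and is shared with any other code that happens to
        // synchronize on the same interned value.
        synchronized ((clientId + ":" + authorizedUser + ":" + scope).intern()) {
            if (this.cacheEnabled) {
                AccessTokenDO cached = (AccessTokenDO) this.oauthCache.getValueFromCache((CacheKey) cacheKey);
                if (cached != null) {
                    if (log.isDebugEnabled()) {
                        log.debug("Retrieved active access token for client Id " + clientId + ", user " + authorizedUser + " and scope " + scope + " from cache");
                    }
                    // Positive: remaining lifetime in ms. Negative: no expiry. Zero: expired.
                    long expireTimeMillis = OAuth2Util.getTokenExpireTimeMillis(cached);
                    if (expireTimeMillis != 0) {
                        if (log.isDebugEnabled()) {
                            log.debug(expireTimeMillis > 0 ? "Cached access token is still valid" : "Infinite lifetime access token found in cache");
                        }
                        return buildResponseForExistingToken(cached, expireTimeMillis);
                    }
                    long refreshExpireTimeMillis = OAuth2Util.getRefreshTokenExpireTimeMillis(cached);
                    if (refreshExpireTimeMillis != 0) {
                        if (log.isDebugEnabled()) {
                            log.debug("Access token has expired, but refresh token is still valid. Using existing refresh token.");
                        }
                        refreshToken = cached.getRefreshToken();
                        refreshTokenIssuedTime = cached.getRefreshTokenIssuedTime();
                        refreshTokenValidityMillis = cached.getRefreshTokenValidityPeriodInMillis();
                    }
                    this.oauthCache.clearCacheEntry((CacheKey) cacheKey);
                    this.tokenMgtDAO.setAccessTokenState(cached.getAccessToken(), OAuthConstants.TokenStates.TOKEN_STATE_EXPIRED, UUID.randomUUID().toString(), userStoreDomain);
                    if (log.isDebugEnabled()) {
                        log.debug("Cached access token for client Id " + clientId + " and user " + authorizedUser + " is expired. Cleared it from cache and marked it as expired in database");
                    }
                }
            }

            AccessTokenDO latest = this.tokenMgtDAO.retrieveLatestAccessToken(clientId, authorizedUser, userStoreDomain, scope, false);
            if (latest != null) {
                if (log.isDebugEnabled()) {
                    log.debug("Retrieved latest access token for client Id " + clientId + ", user " + authorizedUser + " and scope " + scope + " from database");
                }
                long expireTimeMillis = OAuth2Util.getTokenExpireTimeMillis(latest);
                long refreshExpireTimeMillis = OAuth2Util.getRefreshTokenExpireTimeMillis(latest);
                boolean active = OAuthConstants.TokenStates.TOKEN_STATE_ACTIVE.equals(latest.getTokenState());
                if (active && expireTimeMillis != 0) {
                    if (log.isDebugEnabled()) {
                        log.debug(expireTimeMillis > 0 ? "Stored access token is valid for another " + expireTimeMillis + "ms" : "Infinite lifetime access token found in database");
                    }
                    OAuth2AccessTokenRespDTO response = buildResponseForExistingToken(latest, expireTimeMillis);
                    if (this.cacheEnabled) {
                        this.oauthCache.addToCache((CacheKey) cacheKey, (CacheEntry) latest);
                        if (log.isDebugEnabled()) {
                            log.debug("Access Token info was added to the cache for the cache key : " + cacheKey.getCacheKeyString());
                        }
                    }
                    return response;
                }
                if (log.isDebugEnabled()) {
                    log.debug("Latest stored access token for client Id " + clientId + " and user " + authorizedUser + " is not valid anymore");
                }
                if (active) {
                    if (refreshExpireTimeMillis != 0) {
                        if (log.isDebugEnabled()) {
                            log.debug("Access token has expired, but refresh token is still valid. Using existing refresh token.");
                        }
                        refreshToken = latest.getRefreshToken();
                        refreshTokenIssuedTime = latest.getRefreshTokenIssuedTime();
                        refreshTokenValidityMillis = latest.getRefreshTokenValidityPeriodInMillis();
                    }
                    this.tokenMgtDAO.setAccessTokenState(latest.getAccessToken(), OAuthConstants.TokenStates.TOKEN_STATE_EXPIRED, UUID.randomUUID().toString(), userStoreDomain);
                    if (log.isDebugEnabled()) {
                        log.debug("Marked latest stored token for client Id " + clientId + " and user " + authorizedUser + " as expired");
                    }
                } else if (log.isDebugEnabled()) {
                    log.debug("Latest stored token for client Id " + clientId + " and user " + authorizedUser + " is " + latest.getTokenState());
                }
            } else if (log.isDebugEnabled()) {
                log.debug("No access token found in database for client Id " + clientId + ", user " + authorizedUser + " and scope " + scope + ". Therefore issuing new token");
            }

            if (log.isDebugEnabled()) {
                log.debug("Issuing a new access token for " + clientId + " AuthorizedUser : " + authorizedUser);
            }
            try {
                String accessToken = this.oauthIssuerImpl.accessToken();
                if (refreshToken == null) {
                    refreshToken = this.oauthIssuerImpl.refreshToken();
                }
                if (OAuth2Util.checkUserNameAssertionEnabled()) {
                    // NOTE(review): getBytes() uses the platform default charset; the decoding side
                    // must use the same one, so this is left as is — confirm before pinning UTF-8.
                    accessToken = Base64Utils.encode((accessToken + ":" + authorizedUser).getBytes());
                    refreshToken = Base64Utils.encode((refreshToken + ":" + authorizedUser).getBytes());
                }
                Timestamp issuedTime = new Timestamp(System.currentTimeMillis());
                if (refreshTokenIssuedTime == null) {
                    refreshTokenIssuedTime = issuedTime;
                }
                // Validity precedence: callback-negotiated period > per-type configured default.
                long accessTokenValidityMillis = OAuthServerConfiguration.getInstance().getApplicationAccessTokenValidityPeriodInSeconds() * 1000;
                if (isOfTypeApplicationUser()) {
                    accessTokenValidityMillis = OAuthServerConfiguration.getInstance().getUserAccessTokenValidityPeriodInSeconds() * 1000;
                }
                long requestedValidityPeriod = oAuthTokenReqMessageContext.getValidityPeriod();
                if (requestedValidityPeriod > 0) {
                    accessTokenValidityMillis = requestedValidityPeriod * 1000;
                }
                if (refreshTokenValidityMillis == 0) {
                    refreshTokenValidityMillis = OAuthServerConfiguration.getInstance().getRefreshTokenValidityPeriodInSeconds() * 1000;
                }

                AccessTokenDO newToken = new AccessTokenDO(clientId, authorizedUser, oAuthTokenReqMessageContext.getScope(), issuedTime, refreshTokenIssuedTime, accessTokenValidityMillis, refreshTokenValidityMillis, tokenType);
                newToken.setAccessToken(accessToken);
                newToken.setRefreshToken(refreshToken);
                newToken.setTokenState(OAuthConstants.TokenStates.TOKEN_STATE_ACTIVE);
                newToken.setTenantID(oAuthTokenReqMessageContext.getTenantID());
                try {
                    this.tokenMgtDAO.storeAccessToken(accessToken, clientId, newToken, userStoreDomain);
                } catch (IdentityException e) {
                    throw new IdentityOAuth2Exception("Error occurred while storing new access token for client Id : " + clientId, e);
                }
                if (log.isDebugEnabled()) {
                    log.debug("Persisted new access token for Client ID : " + clientId + ", Authorized User : " + authorizedUser + ", Timestamp : " + issuedTime + ", Validity period (s) : " + newToken.getValidityPeriod() + ", Scope : " + scope + " and Token State : " + OAuthConstants.TokenStates.TOKEN_STATE_ACTIVE);
                }
                if (this.cacheEnabled) {
                    this.oauthCache.addToCache((CacheKey) cacheKey, (CacheEntry) newToken);
                    if (log.isDebugEnabled()) {
                        log.debug("Access token was added to OAuthCache for cache key : " + cacheKey.getCacheKeyString());
                    }
                }

                OAuth2AccessTokenRespDTO response = new OAuth2AccessTokenRespDTO();
                response.setAccessToken(accessToken);
                if (isRefreshTokenGrantSupported()) {
                    response.setRefreshToken(refreshToken);
                }
                if (accessTokenValidityMillis > 0) {
                    response.setExpiresInMillis(newToken.getValidityPeriodInMillis());
                    response.setExpiresIn(newToken.getValidityPeriod());
                } else {
                    response.setExpiresInMillis(Long.MAX_VALUE);
                    response.setExpiresIn(INFINITE_EXPIRES_IN_SECONDS);
                }
                response.setAuthorizedScopes(scope);
                return response;
            } catch (OAuthSystemException e) {
                throw new IdentityOAuth2Exception("Error occurred while generating access token and refresh token", e);
            }
        }
    }

    /**
     * Builds the response for a token that already exists and is still usable. Does not set the
     * authorized scopes; only newly issued tokens carry them (existing behaviour).
     *
     * @param accessTokenDO    the existing token
     * @param expireTimeMillis remaining lifetime in ms; negative means the token never expires
     */
    private OAuth2AccessTokenRespDTO buildResponseForExistingToken(AccessTokenDO accessTokenDO, long expireTimeMillis) throws IdentityOAuth2Exception {
        OAuth2AccessTokenRespDTO response = new OAuth2AccessTokenRespDTO();
        response.setAccessToken(accessTokenDO.getAccessToken());
        if (isRefreshTokenGrantSupported()) {
            response.setRefreshToken(accessTokenDO.getRefreshToken());
        }
        if (expireTimeMillis > 0) {
            response.setExpiresIn(expireTimeMillis / 1000);
            response.setExpiresInMillis(expireTimeMillis);
        } else {
            response.setExpiresIn(INFINITE_EXPIRES_IN_SECONDS);
            response.setExpiresInMillis(Long.MAX_VALUE);
        }
        return response;
    }

    /**
     * A refresh token is returned only when this handler issues one and the server has the
     * refresh_token grant type enabled.
     */
    private boolean isRefreshTokenGrantSupported() throws IdentityOAuth2Exception {
        return issueRefreshToken()
                && OAuthServerConfiguration.getInstance().getSupportedGrantTypes().containsKey(GrantType.REFRESH_TOKEN.toString());
    }

    /**
     * Builds a callback for the request, mapping the request's grant type onto either the Carbon
     * grant type (SAML2 bearer, IWA-NTLM) or the standard OAuth2 grant type enum.
     *
     * <p>{@code GrantType.valueOf(...)} throws {@link IllegalArgumentException} for a grant type
     * name the enum does not define; callers are expected to have validated the grant type first.
     */
    private OAuthCallback buildCallback(OAuthTokenReqMessageContext ctx, OAuthCallback.OAuthCallbackType callbackType) {
        OAuth2AccessTokenReqDTO reqDTO = ctx.getOauth2AccessTokenReqDTO();
        OAuthCallback callback = new OAuthCallback(ctx.getAuthorizedUser(), reqDTO.getClientId(), callbackType);
        callback.setRequestedScope(ctx.getScope());
        String grantType = reqDTO.getGrantType();
        if (grantType.equals(org.wso2.carbon.identity.oauth.common.GrantType.SAML20_BEARER.toString())) {
            callback.setCarbonGrantType(org.wso2.carbon.identity.oauth.common.GrantType.valueOf(OAuthConstants.OAUTH_SAML2_BEARER_GRANT_ENUM.toString()));
        } else if (grantType.equals(org.wso2.carbon.identity.oauth.common.GrantType.IWA_NTLM.toString())) {
            callback.setCarbonGrantType(org.wso2.carbon.identity.oauth.common.GrantType.valueOf(OAuthConstants.OAUTH_IWA_NTLM_GRANT_ENUM.toString()));
        } else {
            // NOTE(review): toUpperCase() uses the default locale.
            callback.setGrantType(GrantType.valueOf(grantType.toUpperCase()));
        }
        return callback;
    }

    /**
     * Asks the callback manager whether the user may delegate access to the client, and adopts the
     * validity period the callback decided on.
     *
     * @return {@code true} when the callback authorized the delegation
     */
    @Override
    public boolean authorizeAccessDelegation(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        OAuthCallback callback = buildCallback(oAuthTokenReqMessageContext, OAuthCallback.OAuthCallbackType.ACCESS_DELEGATION_TOKEN);
        this.callbackManager.handleCallback(callback);
        oAuthTokenReqMessageContext.setValidityPeriod(callback.getValidityPeriod());
        return callback.isAuthorized();
    }

    /**
     * Asks the callback manager to validate the requested scope. The context's scope is replaced
     * by the callback's approved scope and its validity period adopted, regardless of the outcome.
     *
     * @return {@code true} when the callback accepted the scope
     */
    @Override
    public boolean validateScope(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        OAuthCallback callback = buildCallback(oAuthTokenReqMessageContext, OAuthCallback.OAuthCallbackType.SCOPE_VALIDATION_TOKEN);
        this.callbackManager.handleCallback(callback);
        oAuthTokenReqMessageContext.setValidityPeriod(callback.getValidityPeriod());
        oAuthTokenReqMessageContext.setScope(callback.getApprovedScope());
        return callback.isValidScope();
    }

    /**
     * Checks that the requested grant type is one the client application is registered for.
     *
     * <p>Application data is read from {@link AppInfoCache}, falling back to the DAO and caching
     * the result. A client whose registration lists no grant types at all is accepted for any grant
     * type (existing behaviour — NOTE(review): confirm this permissive default is intended).
     *
     * @return {@code true} when the grant type is allowed; {@code false} when it is not or the
     *         client is unknown
     */
    @Override
    public boolean validateGrant(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        OAuth2AccessTokenReqDTO oauth2AccessTokenReqDTO = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO();
        String grantType = oauth2AccessTokenReqDTO.getGrantType();
        String clientId = oauth2AccessTokenReqDTO.getClientId();
        AppInfoCache appInfoCache = AppInfoCache.getInstance();
        OAuthAppDO appDO = appInfoCache.getValueFromCache(clientId);
        if (appDO == null) {
            try {
                appDO = new OAuthAppDAO().getAppInformation(clientId);
                appInfoCache.addToCache(clientId, appDO);
            } catch (InvalidOAuthClientException e) {
                log.error("Error while reading application data for client id : " + clientId, e);
                return false;
            }
        }
        if (appDO.getGrantTypes() == null || appDO.getGrantTypes().contains(grantType)) {
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug("Unsupported Grant Type : " + grantType + " for client id : " + clientId);
        }
        return false;
    }
}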
