package org.cloudfoundry.identity.uaa.oauth;

import com.fasterxml.jackson.core.type.TypeReference;
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.approval.Approval;
import org.cloudfoundry.identity.uaa.approval.ApprovalStore;
import org.cloudfoundry.identity.uaa.audit.event.TokenIssuedEvent;
import org.cloudfoundry.identity.uaa.authentication.AbstractClientParametersAuthenticationFilter;
import org.cloudfoundry.identity.uaa.authentication.Origin;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationJsonBase;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.oauth.token.CompositeAccessToken;
import org.cloudfoundry.identity.uaa.user.UaaAuthority;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.user.UaaUserDatabase;
import org.cloudfoundry.identity.uaa.util.JsonUtils;
import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
import org.cloudfoundry.identity.uaa.util.UaaTokenUtils;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneConfiguration;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.cloudfoundry.identity.uaa.zone.TokenPolicy;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.jwt.JwtHelper;
import org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException;
import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken;
import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;
import org.springframework.security.oauth2.common.ExpiringOAuth2RefreshToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.NoSuchClientException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.util.Assert;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.class */
public class UaaTokenServices implements AuthorizationServerTokenServices, ResourceServerTokenServices, InitializingBean, ApplicationEventPublisherAware {
    private ApplicationEventPublisher applicationEventPublisher;
    // Host component of the configured issuer URI; derived in afterPropertiesSet().
    private String host;
    // Server-wide validity policy; used when the current zone has no config or leaves a value at -1.
    private TokenPolicy tokenPolicy;
    private final Log logger = LogFactory.getLog(getClass());
    private UaaUserDatabase userDatabase = null;
    private ClientDetailsService clientDetailsService = null;
    // Signs access/refresh/ID tokens and computes the revocation hash carried in "rev_sig".
    private SignerProvider signerProvider = new SignerProvider();
    private String issuer = null;
    // Emitted as the "iss" claim (together with "zid") when non-null.
    private String tokenEndpoint = null;
    // Authorities assumed for a token that carries no "authorities" claim (see loadAuthentication).
    private Set<String> defaultUserAuthorities = new HashSet();
    private ApprovalStore approvalStore = null;
    // Only these scopes are copied into the ID token's "scope" claim.
    private List<String> validIdTokenScopes = Arrays.asList("openid");
    // Claim names stripped from access tokens just before signing (see createJWTAccessToken).
    private Set<String> excludedClaims = Collections.EMPTY_SET;

    /**
     * Returns the claim names that are removed from access tokens before signing.
     *
     * @return the excluded claim names (the live set, not a copy)
     */
    public Set<String> getExcludedClaims() {
        return excludedClaims;
    }

    /**
     * Sets the claim names to strip from access tokens before signing.
     *
     * @param set claim names; stored by reference, not copied
     */
    public void setExcludedClaims(Set<String> set) {
        excludedClaims = set;
    }

    /**
     * Sets the scopes that may appear in an ID token's "scope" claim.
     *
     * @param list allowed ID token scopes; stored by reference, not copied
     */
    public void setValidIdTokenScopes(List<String> list) {
        validIdTokenScopes = list;
    }

    /**
     * Receives the publisher used for token-issued audit events.
     *
     * @param applicationEventPublisher the Spring event publisher
     */
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.applicationEventPublisher = applicationEventPublisher;
    }

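    /**
     * Issues a new access token from a refresh token ("refresh_token" grant).
     * <p>
     * The refresh token's claims are re-validated before anything is minted: the requesting client
     * must match the token's "cid", the token must not be expired, the requested scope must be a
     * subset of the refresh token's scope, approvals are re-checked against the token's issue time,
     * and the revocation signature ("rev_sig") must still match the current client/user state.
     *
     * @param str          the refresh token value (a signed JWT)
     * @param tokenRequest the token request; must carry grant_type=refresh_token
     * @return a freshly minted access token that carries the original refresh token
     * @throws InvalidTokenException if the token is missing, expired, or its numeric claims are absent
     * @throws InvalidGrantException if the grant type is wrong or the client does not own the token
     * @throws InvalidScopeException if the request asks for scope beyond the refresh token's scope
     * @throws TokenRevokedException if the revocation signature no longer matches
     */
    public OAuth2AccessToken refreshAccessToken(String str, TokenRequest tokenRequest) throws AuthenticationException {
        if (null == str) {
            throw new InvalidTokenException("Invalid refresh token (empty token)");
        }
        Map<String, String> requestParameters = tokenRequest.getRequestParameters();
        String requestedGrantType = requestParameters.get("grant_type");
        if (!"refresh_token".equals(requestedGrantType)) {
            throw new InvalidGrantException("Invalid grant type: " + requestedGrantType);
        }
        Map<String, Object> claims = getClaimsForToken(str);
        String clientId = (String) claims.get("cid");
        if (clientId == null || !clientId.equals(tokenRequest.getClientId())) {
            throw new InvalidGrantException("Wrong client for this refresh token: " + str);
        }
        String userId = (String) claims.get("user_id");
        UaaUser user = this.userDatabase.retrieveUserById(userId);
        ClientDetails client = this.clientDetailsService.loadClientByClientId(clientId);
        // Numeric claims are read through Number: a JSON parser may hand back Integer or Long
        // depending on magnitude, and a hard cast to one of them fails on the other. The
        // multiplication is done in long so the epoch-millis value cannot overflow an int.
        long issuedAtMillis = ((Number) claims.get("iat")).longValue() * 1000L;
        long expiresAtMillis = ((Number) claims.get("exp")).longValue() * 1000L;
        if (new Date(expiresAtMillis).before(new Date())) {
            throw new InvalidTokenException("Invalid refresh token (expired): " + str + " expired at " + new Date(expiresAtMillis));
        }
        @SuppressWarnings("unchecked")
        ArrayList<String> tokenScopes = (ArrayList<String>) claims.get("scope");
        Set<String> requestedScopes = tokenRequest.getScope();
        if (requestedScopes.isEmpty()) {
            // No explicit narrowing requested: reuse the refresh token's full scope.
            requestedScopes = new HashSet<>(tokenScopes);
        }
        // A refresh may only narrow scope, never widen it beyond what the refresh token carries.
        if (tokenScopes.isEmpty() || !tokenScopes.containsAll(requestedScopes)) {
            throw new InvalidScopeException("Unable to narrow the scope of the client authentication to " + requestedScopes + ".", new HashSet<>(tokenScopes));
        }
        String grantType = claims.get("grant_type").toString();
        checkForApproval(userId, clientId, requestedScopes, getAutoApprovedScopes(grantType, tokenScopes, client), new Date(issuedAtMillis));
        Integer clientAccessTokenValidity = client.getAccessTokenValiditySeconds();
        String nonce = (String) claims.get("nonce");
        @SuppressWarnings("unchecked")
        Map<String, String> additionalAuthorizationAttributes = (Map<String, String>) claims.get("az_attr");
        String revocableSignature = (String) claims.get("rev_sig");
        // The signature is derived from client/user credential material; a mismatch means those
        // changed after the token was issued, so the token is treated as revoked.
        if (StringUtils.hasText(revocableSignature) && !revocableSignature.equals(getRevocableTokenSignature(client, user))) {
            throw new TokenRevokedException(str);
        }
        Object authTimeClaim = claims.get("auth_time");
        Date authTime = authTimeClaim != null ? new Date(((Number) authTimeClaim).longValue() * 1000L) : null;
        int accessTokenValidity = clientAccessTokenValidity != null ? clientAccessTokenValidity.intValue() : getZoneAccessTokenValidity();
        @SuppressWarnings("unchecked")
        Set<String> audience = new HashSet<>((Collection<String>) claims.get("aud"));
        return createAccessToken(user.getId(), user, authTime, accessTokenValidity, null, requestedScopes, clientId, audience, grantType, str, nonce, additionalAuthorizationAttributes, new HashSet<>(), revocableSignature, false, null, null);
    }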

    /**
     * Resolves the access token validity (seconds) for the current identity zone.
     * <p>
     * The zone's own policy wins unless it is unset ({@code -1}) or the zone has no
     * configuration, in which case the server-wide {@link TokenPolicy} applies.
     *
     * @return validity period in seconds
     */
    private int getZoneAccessTokenValidity() {
        IdentityZoneConfiguration zoneConfig = IdentityZoneHolder.get().getConfig();
        int serverDefault = this.tokenPolicy.getAccessTokenValidity();
        if (zoneConfig == null) {
            return serverDefault;
        }
        // NOTE(review): assumes the zone config always carries a TokenPolicy — confirm it cannot be null.
        int zoneValidity = zoneConfig.getTokenPolicy().getAccessTokenValidity();
        return zoneValidity != -1 ? zoneValidity : serverDefault;
    }

    /**
     * Verifies that every requested scope is either auto-approved or covered by a current,
     * APPROVED user approval that was not updated after the token was issued.
     *
     * @param str         user id
     * @param str2        client id
     * @param collection  the requested scopes
     * @param collection2 scopes auto-approved for the client (need no stored approval)
     * @param date        when the token being checked was issued
     * @throws InvalidTokenException if a relevant approval has expired, was updated after
     *                               {@code date}, or some requested scope is not approved
     */
    private void checkForApproval(String str, String str2, Collection<String> collection, Collection<String> collection2, Date date) {
        Set<String> approvedScopes = new HashSet<>(collection2);
        for (Approval approval : this.approvalStore.getApprovals(str, str2)) {
            boolean relevant = collection.contains(approval.getScope())
                    && approval.getStatus() == Approval.ApprovalStatus.APPROVED;
            if (!relevant) {
                continue;
            }
            if (!approval.isCurrentlyActive()) {
                this.logger.debug("Approval " + approval + " has expired. Need to re-approve.");
                throw new InvalidTokenException("Invalid token (approvals expired)");
            }
            // Consent changed after the token was issued: the token no longer reflects it.
            if (date.before(approval.getLastUpdatedAt())) {
                this.logger.debug("At least one approval " + approval + " was updated more recently at " + approval.getLastUpdatedAt() + " access token was issued at " + date);
                throw new InvalidTokenException("Invalid token (approvals updated): " + approval.getLastUpdatedAt());
            }
            approvedScopes.add(approval.getScope());
        }
        if (!approvedScopes.containsAll(collection)) {
            this.logger.debug("All requested scopes " + collection + " were not approved " + approvedScopes);
            Set<String> missing = new HashSet<>(collection);
            missing.removeAll(approvedScopes);
            throw new InvalidTokenException("Invalid token (some requested scopes are not approved): " + missing);
        }
    }

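    /**
     * Builds, signs and publishes an access token (and, when requested, an ID token).
     *
     * @param str        subject id (user id, or client id for client-only tokens)
     * @param uaaUser    the user, or null for client-only tokens
     * @param date       authentication time, or null
     * @param i          validity in seconds; no expiration is set when not positive
     * @param collection client authorities to embed, or null
     * @param set        granted scopes; must be non-empty
     * @param str2       client id
     * @param set2       audience (resource ids)
     * @param str3       grant type, or null
     * @param str4       refresh token value, or null
     * @param str5       nonce, or null
     * @param map        additional authorization attributes ("az_attr"), or null
     * @param set3       response types; drives ID token emission
     * @param str6       revocation signature, or null
     * @param z          force an ID token regardless of scope/response type
     * @param set4       external groups for the ID token "roles" claim
     * @param map2       user attributes for the ID token
     * @return the signed composite token
     * @throws InvalidTokenException if no scopes were granted
     * @throws IllegalStateException if the claims cannot be serialized to JSON
     */
    private OAuth2AccessToken createAccessToken(String str, UaaUser uaaUser, Date date, int i, Collection<GrantedAuthority> collection, Set<String> set, String str2, Set<String> set2, String str3, String str4, String str5, Map<String, String> map, Set<String> set3, String str6, boolean z, Set<String> set4, Map<String, List<String>> map2) throws AuthenticationException {
        CompositeAccessToken accessToken = new CompositeAccessToken(UUID.randomUUID().toString());
        if (i > 0) {
            // Multiply in long: an int product overflows for validities above ~24.8 days
            // (2_147_483 seconds) and would put the expiration in the past.
            accessToken.setExpiration(new Date(System.currentTimeMillis() + (i * 1000L)));
        }
        accessToken.setRefreshToken(str4 == null ? null : new DefaultOAuth2RefreshToken(str4));
        if (set == null || set.isEmpty()) {
            this.logger.debug("No scopes were granted");
            throw new InvalidTokenException("No scopes were granted");
        }
        accessToken.setScope(set);
        Map<String, Object> additionalInformation = new HashMap<>();
        additionalInformation.put("jti", accessToken.getValue());
        if (map != null) {
            additionalInformation.put("az_attr", map);
        }
        if (str5 != null) {
            additionalInformation.put("nonce", str5);
        }
        accessToken.setAdditionalInformation(additionalInformation);
        Map<String, ?> claims = createJWTAccessToken(accessToken, str, uaaUser, date, collection, set, str2, set2, str3, str4, str6);
        try {
            // The random UUID only seeds "jti"; the token value itself becomes the signed JWT.
            accessToken.setValue(JwtHelper.encode(JsonUtils.writeValueAsString(claims), this.signerProvider.getSigner()).getEncoded());
            populateIdToken(accessToken, claims, set, set3, str2, z, set4, uaaUser, map2);
            publish(new TokenIssuedEvent(accessToken, SecurityContextHolder.getContext().getAuthentication()));
            return accessToken;
        } catch (JsonUtils.JsonUtilException e) {
            throw new IllegalStateException("Cannot convert access token to JSON", e);
        }
    }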

    /**
     * Attaches a signed ID token to the composite token when one was requested.
     * <p>
     * An ID token is produced when {@code z} is set, or when the "openid" scope was granted and
     * the response types include {@link CompositeAccessToken#ID_TOKEN}. It reuses the access token
     * claims minus authorities, restricts "scope" to {@code validIdTokenScopes}, sets the audience
     * to the client alone, and adds roles / user attributes / profile fields by scope.
     *
     * @param compositeAccessToken token to receive the ID token value
     * @param map                  the access token claims
     * @param set                  granted scopes
     * @param set2                 response types
     * @param str                  client id (becomes the ID token audience)
     * @param z                    force ID token emission
     * @param set3                 external groups, emitted as "roles" with the "roles" scope
     * @param uaaUser              user whose profile fields are emitted with the "profile" scope
     * @param map2                 user attributes, emitted with the "user_attributes" scope
     * @throws IllegalStateException if the claims cannot be serialized to JSON
     */
    private void populateIdToken(CompositeAccessToken compositeAccessToken, Map<String, ?> map, Set<String> set, Set<String> set2, String str, boolean z, Set<String> set3, UaaUser uaaUser, Map<String, List<String>> map2) {
        boolean idTokenRequested = z || (set.contains("openid") && set2.contains(CompositeAccessToken.ID_TOKEN));
        if (!idTokenRequested) {
            return;
        }
        try {
            Map<String, Object> idClaims = new HashMap<>(map);
            // The ID token describes identity, not authorization: drop the authorities claim.
            idClaims.remove(UaaAuthenticationJsonBase.AUTHORITIES);
            Set<String> idTokenScopes = new HashSet<>();
            if (this.validIdTokenScopes != null) {
                for (String scope : set) {
                    if (this.validIdTokenScopes.contains(scope)) {
                        idTokenScopes.add(scope);
                    }
                }
            }
            idClaims.put("scope", idTokenScopes);
            // The ID token's audience is the requesting client only.
            idClaims.put("aud", new HashSet<>(Collections.singletonList(str)));
            if (set.contains("roles") && set3 != null && !set3.isEmpty()) {
                idClaims.put("roles", set3);
            }
            if (set.contains("user_attributes") && map2 != null) {
                idClaims.put("user_attributes", map2);
            }
            if (set.contains("profile") && uaaUser != null) {
                putIfPresent(idClaims, "given_name", uaaUser.getGivenName());
                putIfPresent(idClaims, "family_name", uaaUser.getFamilyName());
                putIfPresent(idClaims, "phone_number", uaaUser.getPhoneNumber());
            }
            compositeAccessToken.setIdTokenValue(JwtHelper.encode(JsonUtils.writeValueAsString(idClaims), this.signerProvider.getSigner()).getEncoded());
        } catch (JsonUtils.JsonUtilException e) {
            throw new IllegalStateException("Cannot convert ID token to JSON", e);
        }
    }

    /** Adds {@code value} under {@code key} only when it is non-null. */
    private static void putIfPresent(Map<String, Object> claims, String key, String value) {
        if (value != null) {
            claims.put(key, value);
        }
    }

    /**
     * Assembles the claim set for an access token JWT, in a fixed insertion order.
     * <p>
     * Client-credentials tokens carry no user claims. Claims listed in {@link #getExcludedClaims()}
     * are removed last, after everything else has been set.
     *
     * @param oAuth2AccessToken token whose additional information ("jti", "az_attr", "nonce") is copied in
     * @param str               subject id
     * @param uaaUser           the user, or null
     * @param date              authentication time, or null
     * @param collection        client authorities, or null
     * @param set               granted scopes
     * @param str2              client id; emitted as client_id, "cid" and "azp"
     * @param set2              audience
     * @param str3              grant type, or null
     * @param str4              refresh token value; not used by this method
     * @param str5              revocation signature, emitted as "rev_sig" when non-blank
     * @return an ordered claim map ready for serialization
     */
    private Map<String, ?> createJWTAccessToken(OAuth2AccessToken oAuth2AccessToken, String str, UaaUser uaaUser, Date date, Collection<GrantedAuthority> collection, Set<String> set, String str2, Set<String> set2, String str3, String str4, String str5) {
        Map<String, Object> additionalInformation = oAuth2AccessToken.getAdditionalInformation();
        Map<String, Object> claims = new LinkedHashMap<>();
        // "jti" is inserted first so it leads the payload; putAll then brings az_attr/nonce along.
        claims.put("jti", additionalInformation.get("jti"));
        claims.putAll(additionalInformation);
        claims.put("sub", str);
        if (collection != null) {
            claims.put(UaaAuthenticationJsonBase.AUTHORITIES, AuthorityUtils.authorityListToSet(collection));
        }
        claims.put("scope", set);
        claims.put(AbstractClientParametersAuthenticationFilter.CLIENT_ID, str2);
        claims.put("cid", str2);
        claims.put("azp", str2);
        if (str3 != null) {
            claims.put("grant_type", str3);
        }
        if (!"client_credentials".equals(str3)) {
            claims.put("user_id", str);
            if (uaaUser != null) {
                String origin = uaaUser.getOrigin();
                if (StringUtils.hasLength(origin)) {
                    claims.put("origin", origin);
                }
                String username = uaaUser.getUsername();
                claims.put("user_name", username != null ? username : str);
                String email = uaaUser.getEmail();
                if (email != null) {
                    claims.put("email", email);
                }
            }
            if (date != null) {
                claims.put("auth_time", date.getTime() / 1000);
            }
        }
        if (StringUtils.hasText(str5)) {
            claims.put("rev_sig", str5);
        }
        claims.put("iat", System.currentTimeMillis() / 1000);
        Date expiration = oAuth2AccessToken.getExpiration();
        if (expiration != null) {
            claims.put("exp", expiration.getTime() / 1000);
        }
        String tokenEndpoint = getTokenEndpoint();
        if (tokenEndpoint != null) {
            claims.put("iss", tokenEndpoint);
            claims.put("zid", IdentityZoneHolder.get().getId());
        }
        claims.put("aud", set2);
        claims.keySet().removeAll(getExcludedClaims());
        return claims;
    }

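    /**
     * Creates an access token (plus refresh and ID token where applicable) for an authentication.
     * <p>
     * For client-only authentications the subject is the client and its authorities are embedded;
     * otherwise the user is loaded and its authentication time recorded. Scopes come from the
     * request, extended by the "external_scopes" parameter when present.
     *
     * @param oAuth2Authentication the authenticated request
     * @return the signed token
     * @throws AuthenticationException if token creation is refused (e.g. no scopes granted)
     */
    public OAuth2AccessToken createAccessToken(OAuth2Authentication oAuth2Authentication) throws AuthenticationException {
        OAuth2Request request = oAuth2Authentication.getOAuth2Request();
        Map<String, String> requestParameters = request.getRequestParameters();
        String subjectId;
        Date authTime = null;
        UaaUser user = null;
        Collection<GrantedAuthority> clientAuthorities = null;
        if (oAuth2Authentication.isClientOnly()) {
            ClientDetails authenticatedClient = this.clientDetailsService.loadClientByClientId(oAuth2Authentication.getName());
            subjectId = authenticatedClient.getClientId();
            clientAuthorities = authenticatedClient.getAuthorities();
        } else {
            subjectId = getUserId(oAuth2Authentication);
            user = this.userDatabase.retrieveUserById(subjectId);
            if (oAuth2Authentication.getUserAuthentication() instanceof UaaAuthentication) {
                authTime = new Date(((UaaAuthentication) oAuth2Authentication.getUserAuthentication()).getAuthenticatedTime());
            }
        }
        ClientDetails client = this.clientDetailsService.loadClientByClientId(request.getClientId());
        String revocableSignature = getRevocableTokenSignature(client, user);
        ExpiringOAuth2RefreshToken refreshToken = createRefreshToken(oAuth2Authentication, revocableSignature);
        String clientId = request.getClientId();
        String grantType = requestParameters.get("grant_type");
        Set<String> grantedScopes = new LinkedHashSet<>(request.getScope());
        String externalScopes = requestParameters.get("external_scopes");
        if (StringUtils.hasLength(externalScopes)) {
            grantedScopes.addAll(OAuth2Utils.parseParameterList(externalScopes));
        }
        Set<String> externalGroups = Collections.emptySet();
        // Declared as Map<String, List<String>> (a MultiValueMap is one) so the empty default is assignable.
        Map<String, List<String>> userAttributes = Collections.emptyMap();
        if (oAuth2Authentication.getUserAuthentication() instanceof UaaAuthentication) {
            UaaAuthentication uaaAuthentication = (UaaAuthentication) oAuth2Authentication.getUserAuthentication();
            externalGroups = uaaAuthentication.getExternalGroups();
            userAttributes = uaaAuthentication.getUserAttributes();
        }
        String nonce = requestParameters.get("nonce");
        Map<String, String> additionalAuthorizationAttributes = getAdditionalAuthorizationAttributes(requestParameters.get(UaaAuthenticationJsonBase.AUTHORITIES));
        // Authorization-code flow with response_type=code and an "openid" scope always gets an ID token.
        // Note this is a substring test on the raw scope parameter, not a scope-set membership check.
        String requestedScope = requestParameters.get("scope");
        boolean forceIdToken = "authorization_code".equals(grantType)
                && "code".equals(requestParameters.get("response_type"))
                && requestedScope != null
                && requestedScope.contains("openid");
        int zoneAccessTokenValidity = getZoneAccessTokenValidity();
        Integer clientAccessTokenValidity = client.getAccessTokenValiditySeconds();
        int accessTokenValidity = clientAccessTokenValidity != null ? clientAccessTokenValidity.intValue() : zoneAccessTokenValidity;
        return createAccessToken(subjectId, user, authTime, accessTokenValidity, clientAuthorities, grantedScopes, clientId, request.getResourceIds(), grantType, refreshToken != null ? refreshToken.getValue() : null, nonce, additionalAuthorizationAttributes, extractResponseTypes(oAuth2Authentication), revocableSignature, forceIdToken, externalGroups, userAttributes);
    }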

    /**
     * Returns the response types of the request, expanding a lone "code" into the full list
     * given by the raw "response_type" request parameter (e.g. "code id_token").
     *
     * @param oAuth2Authentication the authenticated request
     * @return the effective response types (may be null if the request has none)
     */
    protected Set<String> extractResponseTypes(OAuth2Authentication oAuth2Authentication) {
        OAuth2Request request = oAuth2Authentication.getOAuth2Request();
        Set<String> responseTypes = request.getResponseTypes();
        if (responseTypes == null || responseTypes.size() != 1) {
            return responseTypes;
        }
        String onlyType = responseTypes.iterator().next();
        String rawResponseType = request.getRequestParameters().get("response_type");
        if ("code".equals(onlyType) && rawResponseType != null) {
            return OAuth2Utils.parseParameterList(rawResponseType);
        }
        return responseTypes;
    }

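    /**
     * Extracts the "az_attr" map from the JSON-valued "authorities" request parameter.
     *
     * @param str the raw JSON string, or null/empty
     * @return the "az_attr" entries, or null if the parameter is absent, unparsable or not shaped as expected
     */
    private Map<String, String> getAdditionalAuthorizationAttributes(String str) {
        if (!StringUtils.hasLength(str)) {
            return null;
        }
        try {
            Map<?, ?> authorities = (Map<?, ?>) JsonUtils.readValue(str, new TypeReference<Map<String, Object>>() {
            });
            @SuppressWarnings("unchecked")
            Map<String, String> azAttr = (Map<String, String>) authorities.get("az_attr");
            return azAttr;
        } catch (Exception e) {
            // Best-effort: malformed or mis-shaped input yields no attributes rather than failing
            // issuance. Narrowed from Throwable so JVM Errors are no longer swallowed here.
            this.logger.error("Unable to read additionalAuthorizationAttributes", e);
            return null;
        }
    }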

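    /**
     * Creates a signed refresh token for grants that support one, or null otherwise.
     *
     * @param oAuth2Authentication the authenticated request
     * @param str                  revocation signature to embed as "rev_sig"
     * @return the signed refresh token, or null if the grant type does not support refresh
     * @throws IllegalStateException if the claims cannot be serialized to JSON
     */
    private ExpiringOAuth2RefreshToken createRefreshToken(OAuth2Authentication oAuth2Authentication, String str) {
        OAuth2Request request = oAuth2Authentication.getOAuth2Request();
        Map<String, String> requestParameters = request.getRequestParameters();
        String grantType = requestParameters.get("grant_type");
        if (!isRefreshTokenSupported(grantType)) {
            return null;
        }
        Map<String, String> additionalAuthorizationAttributes = getAdditionalAuthorizationAttributes(requestParameters.get(UaaAuthenticationJsonBase.AUTHORITIES));
        // Multiply in long: refresh validities are commonly weeks, and seconds * 1000 overflows an int
        // beyond ~24.8 days, which would produce an already-expired token.
        long expiresAtMillis = System.currentTimeMillis() + (getRefreshTokenValiditySeconds(request) * 1000L);
        DefaultExpiringOAuth2RefreshToken unsignedToken = new DefaultExpiringOAuth2RefreshToken(UUID.randomUUID().toString(), new Date(expiresAtMillis));
        try {
            Map<String, ?> claims = createJWTRefreshToken(unsignedToken, this.userDatabase.retrieveUserById(getUserId(oAuth2Authentication)), request.getScope(), request.getClientId(), grantType, additionalAuthorizationAttributes, request.getResourceIds(), str);
            String signed = JwtHelper.encode(JsonUtils.writeValueAsString(claims), this.signerProvider.getSigner()).getEncoded();
            return new DefaultExpiringOAuth2RefreshToken(signed, unsignedToken.getExpiration());
        } catch (JsonUtils.JsonUtilException e) {
            throw new IllegalStateException("Cannot convert refresh token to JSON", e);
        }
    }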

    /**
     * Computes the revocation signature embedded in tokens as "rev_sig".
     * <p>
     * The hash covers the client id, client secret and "token_salt", and — when a user is
     * present — the user's id, password field, salt, email and username. Null parts are skipped.
     * Tokens whose stored signature no longer matches are rejected on refresh, which is what ties
     * token validity to credential changes.
     *
     * @param clientDetails the client the token is issued to
     * @param uaaUser       the user, or null for client-only tokens
     * @return the revocation hash from the {@link SignerProvider}
     */
    protected String getRevocableTokenSignature(ClientDetails clientDetails, UaaUser uaaUser) {
        String clientId = clientDetails.getClientId();
        String clientSecret = clientDetails.getClientSecret();
        String tokenSalt = (String) clientDetails.getAdditionalInformation().get("token_salt");
        List<String> candidates = uaaUser == null
                ? Arrays.asList(clientId, clientSecret, tokenSalt)
                : Arrays.asList(clientId, clientSecret, tokenSalt, uaaUser.getId(), uaaUser.getPassword(), uaaUser.getSalt(), uaaUser.getEmail(), uaaUser.getUsername());
        LinkedList<String> material = new LinkedList<>();
        for (String part : candidates) {
            if (part != null) {
                material.add(part);
            }
        }
        return this.signerProvider.getRevocationHash(material);
    }

    /**
     * Resolves the user id behind an authentication via {@link Origin}.
     *
     * @param oAuth2Authentication the authenticated request
     * @return the user id of its user authentication
     */
    protected String getUserId(OAuth2Authentication oAuth2Authentication) {
        org.springframework.security.core.Authentication userAuthentication = oAuth2Authentication.getUserAuthentication();
        return Origin.getUserId(userAuthentication);
    }

    /**
     * Assembles the claim set for a refresh token JWT, in a fixed insertion order.
     * <p>
     * The "jti" is a fresh UUID suffixed with "-r"; user claims are omitted for client-credentials
     * grants. Unlike access tokens, no claims are excluded here.
     *
     * @param oAuth2RefreshToken token providing the expiration (must be an {@link ExpiringOAuth2RefreshToken})
     * @param uaaUser            the user; must be non-null for any grant other than client_credentials
     * @param set                granted scopes
     * @param str                client id; emitted as "cid" and client_id
     * @param str2               grant type, or null
     * @param map                additional authorization attributes, or null
     * @param set2               audience
     * @param str3               revocation signature, emitted as "rev_sig" when non-blank
     * @return an ordered claim map ready for serialization
     */
    private Map<String, ?> createJWTRefreshToken(OAuth2RefreshToken oAuth2RefreshToken, UaaUser uaaUser, Set<String> set, String str, String str2, Map<String, String> map, Set<String> set2, String str3) {
        Map<String, Object> claims = new LinkedHashMap<>();
        claims.put("jti", UUID.randomUUID().toString() + "-r");
        claims.put("sub", uaaUser.getId());
        claims.put("scope", set);
        if (map != null) {
            claims.put("az_attr", map);
        }
        claims.put("iat", System.currentTimeMillis() / 1000);
        Date expiration = ((ExpiringOAuth2RefreshToken) oAuth2RefreshToken).getExpiration();
        if (expiration != null) {
            claims.put("exp", expiration.getTime() / 1000);
        }
        claims.put("cid", str);
        claims.put(AbstractClientParametersAuthenticationFilter.CLIENT_ID, str);
        String tokenEndpoint = getTokenEndpoint();
        if (tokenEndpoint != null) {
            claims.put("iss", tokenEndpoint);
            claims.put("zid", IdentityZoneHolder.get().getId());
        }
        if (str2 != null) {
            claims.put("grant_type", str2);
        }
        if (!"client_credentials".equals(str2)) {
            claims.put("user_name", uaaUser.getUsername());
            claims.put("origin", uaaUser.getOrigin());
            claims.put("user_id", uaaUser.getId());
        }
        if (StringUtils.hasText(str3)) {
            claims.put("rev_sig", str3);
        }
        claims.put("aud", set2);
        return claims;
    }

    /**
     * Tells whether a grant type yields a refresh token.
     * Only authorization_code, password and refresh_token do; client_credentials and
     * implicit grants never get one.
     *
     * @param str grant type, may be null
     * @return true for the three refreshable grant types
     */
    protected boolean isRefreshTokenSupported(String str) {
        List<String> refreshableGrantTypes = Arrays.asList("authorization_code", "password", "refresh_token");
        return refreshableGrantTypes.contains(str);
    }

    /**
     * Resolves the refresh token validity (seconds) for a request's client.
     * <p>
     * A per-client setting wins; otherwise the current zone's policy applies unless it is
     * unset ({@code -1}) or the zone has no configuration, in which case the server-wide
     * {@link TokenPolicy} is used.
     *
     * @param oAuth2Request the request whose client id is looked up
     * @return validity period in seconds
     */
    protected int getRefreshTokenValiditySeconds(OAuth2Request oAuth2Request) {
        ClientDetails client = this.clientDetailsService.loadClientByClientId(oAuth2Request.getClientId());
        Integer clientValidity = client.getRefreshTokenValiditySeconds();
        if (clientValidity != null) {
            return clientValidity.intValue();
        }
        IdentityZoneConfiguration zoneConfig = IdentityZoneHolder.get().getConfig();
        int serverDefault = this.tokenPolicy.getRefreshTokenValidity();
        if (zoneConfig == null) {
            return serverDefault;
        }
        int zoneValidity = zoneConfig.getTokenPolicy().getRefreshTokenValidity();
        return zoneValidity != -1 ? zoneValidity : serverDefault;
    }

    /**
     * Validates required collaborators after injection and derives {@code host} from the issuer URI.
     *
     * @throws IllegalArgumentException if clientDetailsService, issuer or approvalStore is unset
     * @throws java.net.URISyntaxException if the issuer is not a syntactically valid URI
     */
    public void afterPropertiesSet() throws Exception {
        Assert.notNull(this.clientDetailsService, "clientDetailsService must be set");
        Assert.notNull(this.issuer, "issuer must be set");
        Assert.notNull(this.approvalStore, "approvalStore must be set");
        // NOTE(review): tokenPolicy and userDatabase are dereferenced later without a null check — confirm they are always wired.
        URI issuerUri = new URI(this.issuer);
        this.host = issuerUri.getHost();
    }

    /**
     * Sets the user store used to resolve "user_id" claims and load users for token creation.
     *
     * @param uaaUserDatabase the user database
     */
    public void setUserDatabase(UaaUserDatabase uaaUserDatabase) {
        userDatabase = uaaUserDatabase;
    }

    /**
     * Rejects a token whose client id no longer resolves to a registered client.
     * <p>
     * A null id is accepted silently: a token that omits the claim is not rejected here.
     *
     * @param str client id from a token claim, or null
     * @throws OAuth2AccessDeniedException if the client is invalid, missing or otherwise unregistered
     */
    private void validateClient(String str) throws AuthenticationException {
        if (str == null) {
            return;
        }
        try {
            this.clientDetailsService.loadClientByClientId(str);
        } catch (InvalidClientException | ClientRegistrationException e) {
            // NoSuchClientException is a ClientRegistrationException, so it is covered here as well.
            throw new OAuth2AccessDeniedException("Invalid client:" + str);
        }
    }

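    /**
     * Reconstructs an {@link OAuth2Authentication} from an access token's claims.
     * <p>
     * The token is rejected if its "exp" claim (when present) is in the past or if its client id
     * or "cid" no longer resolves to a registered client. A token with an "email" claim is treated
     * as a user token and gets a user authentication loaded from the user database; otherwise the
     * authorities come from the "authorities" claim, falling back to {@code defaultUserAuthorities}.
     * The claims are trusted as-is here; signature verification is assumed to happen in
     * {@code getClaimsForToken} (not visible in this file section).
     *
     * @param str the access token value
     * @return an authenticated, approved authentication built from the claims
     * @throws InvalidTokenException if the token has expired
     * @throws OAuth2AccessDeniedException if a client referenced by the token is not registered
     */
    public OAuth2Authentication loadAuthentication(String str) throws AuthenticationException {
        Map<String, Object> claims = getClaimsForToken(str);
        Object expClaim = claims.get("exp");
        if (expClaim != null) {
            // "exp" is seconds since the epoch; convert in long arithmetic, an int product overflows.
            // A token without "exp" is not treated as expired here.
            Date expiresAt = new Date(((Number) expClaim).longValue() * 1000L);
            if (expiresAt.before(new Date())) {
                throw new InvalidTokenException("Invalid access token (expired): " + str + " expired at " + expiresAt);
            }
        }
        validateClient((String) claims.get(AbstractClientParametersAuthenticationFilter.CLIENT_ID));
        validateClient((String) claims.get("cid"));
        @SuppressWarnings("unchecked")
        List<String> scopes = (List<String>) claims.get("scope");
        AuthorizationRequest authorizationRequest = new AuthorizationRequest((String) claims.get(AbstractClientParametersAuthenticationFilter.CLIENT_ID), scopes);
        @SuppressWarnings("unchecked")
        List<String> audience = (List<String>) claims.get("aud");
        authorizationRequest.setResourceIds(Collections.unmodifiableSet(audience == null ? new HashSet<>() : new HashSet<>(audience)));
        authorizationRequest.setApproved(true);
        List<GrantedAuthority> authorities = AuthorityUtils.commaSeparatedStringToAuthorityList(StringUtils.collectionToCommaDelimitedString(this.defaultUserAuthorities));
        Object authoritiesClaim = claims.get(UaaAuthenticationJsonBase.AUTHORITIES);
        if (authoritiesClaim instanceof String) {
            authorities = AuthorityUtils.commaSeparatedStringToAuthorityList((String) authoritiesClaim);
        } else if (authoritiesClaim instanceof Collection) {
            authorities = AuthorityUtils.commaSeparatedStringToAuthorityList(StringUtils.collectionToCommaDelimitedString((Collection<?>) authoritiesClaim));
        }
        UaaAuthentication userAuthentication = null;
        if (claims.containsKey("email")) {
            // User token: the principal is re-loaded from the user database, not taken from the claims.
            userAuthentication = new UaaAuthentication(new UaaPrincipal(this.userDatabase.retrieveUserById((String) claims.get("user_id"))), UaaAuthority.USER_AUTHORITIES, null);
        } else {
            // Client token: the claim-derived authorities go onto the request itself.
            authorizationRequest.setAuthorities(authorities);
        }
        OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication);
        authentication.setAuthenticated(true);
        return authentication;
    }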

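    /**
     * Rebuilds an {@link OAuth2AccessToken} from a token value and re-validates that its scopes
     * are still granted.
     * <p>
     * A token carrying an "email" claim is treated as a user token: its scopes must still be held
     * by the user and allowed for the client and, unless all are auto-approved, be covered by
     * current approvals. Any other token is treated as a client token and its scopes are checked
     * against the client's authorities. Expiry is not checked here (see {@link #loadAuthentication}).
     *
     * @param str the access token value
     * @return the reconstructed token with type, expiration and scope populated
     * @throws InvalidTokenException if the user no longer exists, a scope was revoked, or approvals
     *                               no longer cover the token's scopes
     */
    public OAuth2AccessToken readAccessToken(String str) {
        Map<String, Object> claims = getClaimsForToken(str);
        CompositeAccessToken accessToken = new CompositeAccessToken(str);
        accessToken.setTokenType("Bearer");
        Object expClaim = claims.get("exp");
        if (expClaim != null) {
            // Read through Number: the parser may return Integer or Long; multiply in long.
            accessToken.setExpiration(new Date(((Number) expClaim).longValue() * 1000L));
        }
        @SuppressWarnings("unchecked")
        ArrayList<String> scopes = (ArrayList<String>) claims.get("scope");
        if (scopes != null && !scopes.isEmpty()) {
            accessToken.setScope(new HashSet<>(scopes));
        }
        String clientId = (String) claims.get("cid");
        ClientDetails client = this.clientDetailsService.loadClientByClientId(clientId);
        if (claims.get("email") == null) {
            // No user behind this token: its scopes must be authorities the client itself holds.
            validateClientAuthorities(scopes, (List<? extends GrantedAuthority>) client.getAuthorities());
            return accessToken;
        }
        String userId = (String) claims.get("user_id");
        try {
            UaaUser user = this.userDatabase.retrieveUserById(userId);
            long issuedAtMillis = ((Number) claims.get("iat")).longValue() * 1000L;
            validateUserScopes(scopes, user.getAuthorities());
            validateClientScopes(scopes, client.getScope());
            Set<String> autoApprovedScopes = getAutoApprovedScopes(claims.get("grant_type"), scopes, client);
            // Stored approvals only need checking for scopes the client cannot auto-approve.
            if (!autoApprovedScopes.containsAll(scopes)) {
                checkForApproval(userId, clientId, scopes, autoApprovedScopes, new Date(issuedAtMillis));
            }
        } catch (UsernameNotFoundException e) {
            throw new InvalidTokenException("Invalid access token (user ID not found): " + userId);
        }
        return accessToken;
    }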

    /**
     * Validates a client token's scopes against the client's granted authorities.
     *
     * @param arrayList scopes carried by the token
     * @param list the client's authorities, or {@code null} when none remain
     * @throws InvalidTokenException when a scope is no longer granted
     */
    private void validateClientAuthorities(ArrayList<String> arrayList, List<? extends GrantedAuthority> list) {
        // Same rule as for user scopes; only the source of the authorities differs.
        this.validateAuthorities(arrayList, list);
    }

    /**
     * Validates a user token's scopes against the user's current authorities.
     *
     * @param arrayList scopes carried by the token
     * @param list the user's authorities, or {@code null} when none remain
     * @throws InvalidTokenException when a scope is no longer granted
     */
    private void validateUserScopes(ArrayList<String> arrayList, List<? extends GrantedAuthority> list) {
        // Same rule as for client authorities; only the source of the list differs.
        this.validateAuthorities(arrayList, list);
    }

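    /**
     * Checks that every scope in {@code arrayList} is still present among
     * {@code list}, compared by authority string.
     *
     * @param arrayList scopes carried by the token; {@code null} or empty means
     *        there is nothing to check
     * @param list authorities the scopes are validated against; {@code null}
     *        means all scopes have been revoked
     * @throws InvalidTokenException when {@code list} is {@code null} or a
     *         scope is not found in it
     */
    private void validateAuthorities(ArrayList<String> arrayList, List<? extends GrantedAuthority> list) {
        if (list == null) {
            throw new InvalidTokenException("Invalid token (all scopes have been revoked)");
        }
        if (arrayList == null || arrayList.isEmpty()) {
            return;
        }
        // Set lookup keeps the check linear for tokens carrying many scopes.
        Set<String> granted = list.stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
        for (String scope : arrayList) {
            if (!granted.contains(scope)) {
                throw new InvalidTokenException("Invalid token (scope " + scope + " has been revoked)");
            }
        }
    }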

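    /**
     * Checks that every scope in {@code arrayList} is still covered by the
     * client's scope set, either literally or through a wildcard entry as
     * expanded by {@link UaaStringUtils#constructWildcards(Set)}.
     *
     * @param arrayList scopes carried by the token; {@code null} or empty means
     *        there is nothing to check
     * @param set the client's configured scopes; {@code null} means all scopes
     *        have been revoked
     * @throws InvalidTokenException when {@code set} is {@code null} or a scope
     *         is neither listed nor matched by a wildcard
     */
    private void validateClientScopes(ArrayList<String> arrayList, Set<String> set) {
        if (set == null) {
            throw new InvalidTokenException("Invalid token (all scopes have been revoked)");
        }
        if (arrayList == null || arrayList.isEmpty()) {
            return;
        }
        // Built once per call; the patterns are reused for every scope below.
        Set<Pattern> wildcards = UaaStringUtils.constructWildcards(set);
        for (String scope : arrayList) {
            if (!set.contains(scope) && !UaaStringUtils.matches(wildcards, scope)) {
                throw new InvalidTokenException("Invalid token (scope " + scope + " has been revoked)");
            }
        }
    }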

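    /**
     * Determines which of the requested scopes the client auto-approves.
     *
     * <p>For the {@code password} grant every requested scope is returned.
     * Otherwise the client's {@code autoapprove} additional information is
     * consulted (a collection of scopes, or {@code true} for all client
     * scopes), plus the explicit auto-approve scopes of a
     * {@link BaseClientDetails}; the union is then intersected with the
     * requested scopes by {@code UaaTokenUtils.retainAutoApprovedScopes}.
     *
     * @param obj the {@code grant_type} claim, may be {@code null}
     * @param collection the scopes requested by the token
     * @param clientDetails the client the token was issued to
     * @return the subset of {@code collection} that needs no user approval
     */
    private Set<String> getAutoApprovedScopes(Object obj, Collection<String> collection, ClientDetails clientDetails) {
        if (obj != null && "password".equals(obj.toString())) {
            return new HashSet<>(collection);
        }
        Set<String> autoApproved = new HashSet<>();
        // Guard against ClientDetails implementations without additional information.
        Map<String, Object> additional = clientDetails.getAdditionalInformation();
        Object configured = additional == null ? null : additional.get("autoapprove");
        if (configured instanceof Collection) {
            @SuppressWarnings("unchecked")
            Collection<String> configuredScopes = (Collection<String>) configured;
            autoApproved.addAll(configuredScopes);
        } else if (Boolean.TRUE.equals(configured) || "true".equals(configured)) {
            autoApproved.addAll(clientDetails.getScope());
        }
        if (clientDetails instanceof BaseClientDetails) {
            Set<String> explicit = ((BaseClientDetails) clientDetails).getAutoApproveScopes();
            if (explicit != null) {
                autoApproved.addAll(explicit);
            }
        }
        return UaaTokenUtils.instance().retainAutoApprovedScopes(collection, autoApproved);
    }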

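    /**
     * Decodes {@code str} as a JWT, verifies its signature with the configured
     * verifier and returns its claims.
     *
     * <p>After signature verification two further checks run: when an issuer
     * is configured the {@code iss} claim must equal
     * {@link #getTokenEndpoint()}, and when the token carries a
     * {@code rev_sig} claim it must equal the revocable-token signature
     * currently computed for the token's client and user.
     *
     * @param str the compact JWT string
     * @return the token claims
     * @throws InvalidTokenException when the token cannot be decoded, verified
     *         or parsed, or its issuer does not match
     * @throws TokenRevokedException when the {@code rev_sig} claim no longer
     *         matches the current signature
     */
    private Map<String, Object> getClaimsForToken(String str) {
        Map<String, Object> claims;
        try {
            String json = JwtHelper.decodeAndVerify(str, this.signerProvider.getVerifier()).getClaims();
            claims = JsonUtils.readValue(json, new TypeReference<Map<String, Object>>() {
            });
        } catch (Throwable th) {
            // Only decode/verify/parse is wrapped here; the checks below throw
            // their own, more specific exceptions and must not be masked.
            this.logger.debug("Invalid token (could not decode)", th);
            throw new InvalidTokenException("Invalid token (could not decode): " + str);
        }
        String expectedIssuer = getTokenEndpoint();
        if (expectedIssuer != null && !expectedIssuer.equals(claims.get("iss"))) {
            throw new InvalidTokenException("Invalid issuer for token:" + claims.get("iss"));
        }
        String revocationSignature = (String) claims.get("rev_sig");
        if (revocationSignature != null) {
            ClientDetails client = this.clientDetailsService.loadClientByClientId((String) claims.get("cid"));
            UaaUser user = null;
            try {
                user = this.userDatabase.retrieveUserById((String) claims.get("user_id"));
            } catch (UsernameNotFoundException ignored) {
                // Best effort: the signature is recomputed with a null user when
                // the lookup fails (presumably client-only tokens; verify).
            }
            if (!revocationSignature.equals(getRevocableTokenSignature(client, user))) {
                throw new TokenRevokedException(str);
            }
        }
        return claims;
    }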

    /**
     * Always returns {@code null}: this implementation does not look up
     * previously issued tokens for an authentication.
     *
     * @param oAuth2Authentication ignored
     * @return {@code null}
     */
    public OAuth2AccessToken getAccessToken(OAuth2Authentication oAuth2Authentication) {
        // Intentionally unsupported; callers must treat null as "no existing token".
        return null;
    }

    /**
     * Sets the issuer URI used to build the token endpoint and to validate the
     * {@code iss} claim of incoming tokens.
     *
     * @param str the issuer URI; {@code null} disables issuer checking
     */
    public void setIssuer(String str) {
        issuer = str;
    }

    /**
     * Builds the token endpoint URL for the current identity zone.
     *
     * <p>The configured issuer supplies scheme and path prefix; the host is
     * replaced by {@code host}, prefixed with the zone subdomain when one is
     * set, and {@code oauth/token} is appended.
     *
     * @return the endpoint URL, or {@code null} when no issuer is configured
     */
    public String getTokenEndpoint() {
        if (issuer == null) {
            return null;
        }
        String subdomain = IdentityZoneHolder.get().getSubdomain();
        String endpointHost = StringUtils.hasText(subdomain) ? subdomain + "." + host : host;
        return UriComponentsBuilder.fromUriString(issuer)
                .host(endpointHost)
                .pathSegment("oauth/token")
                .build()
                .toUriString();
    }

    /**
     * Sets the service used to load the client named by a token's {@code cid} claim.
     *
     * @param clientDetailsService the client lookup service
     */
    public void setClientDetailsService(ClientDetailsService clientDetailsService) {
        this.clientDetailsService = clientDetailsService;
    }

    /**
     * Sets the provider whose verifier checks token signatures.
     *
     * @param signerProvider the signer/verifier provider
     */
    public void setSignerProvider(SignerProvider signerProvider) {
        this.signerProvider = signerProvider;
    }

    /**
     * Sets the default authorities granted to users.
     *
     * @param set the authority names; stored as given, not copied
     */
    public void setDefaultUserAuthorities(Set<String> set) {
        defaultUserAuthorities = set;
    }

    /**
     * Sets the store consulted for user approvals.
     *
     * @param approvalStore the approval store
     */
    public void setApprovalStore(ApprovalStore approvalStore) {
        this.approvalStore = approvalStore;
    }

    /**
     * Publishes a token-issued audit event when an event publisher is wired.
     *
     * @param tokenIssuedEvent the event to publish; dropped silently without a publisher
     */
    private void publish(TokenIssuedEvent tokenIssuedEvent) {
        ApplicationEventPublisher publisher = this.applicationEventPublisher;
        if (publisher == null) {
            return;
        }
        publisher.publishEvent(tokenIssuedEvent);
    }

    /**
     * Sets the token policy for this service.
     *
     * @param tokenPolicy the policy to apply
     */
    public void setTokenPolicy(TokenPolicy tokenPolicy) {
        this.tokenPolicy = tokenPolicy;
    }

    /**
     * Returns the token policy configured via {@link #setTokenPolicy(TokenPolicy)}.
     *
     * @return the policy, or {@code null} if none was set
     */
    public TokenPolicy getTokenPolicy() {
        return tokenPolicy;
    }
}
