package org.cloudfoundry.identity.uaa.oauth;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import org.cloudfoundry.identity.uaa.oauth.token.RevocableTokenProvisioning;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.user.UaaUserDatabase;
import org.cloudfoundry.identity.uaa.util.TokenValidation;
import org.cloudfoundry.identity.uaa.util.UaaTokenUtils;
import org.cloudfoundry.identity.uaa.zone.ClientServicesExtension;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.security.oauth2.provider.ClientDetails;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.24.0.jar:org/cloudfoundry/identity/uaa/oauth/TokenValidationService.class */
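/**
 * Validates UAA access and refresh tokens against the issuer, the revocable token store,
 * and the current state of the owning client and user.
 *
 * <p>The last check compares the token against revocation signatures computed from the
 * client's current secret(s) and the user record. A token issued before those inputs
 * changed is therefore expected to fail validation (the comparison itself lives in
 * {@code TokenValidation.checkRevocationSignature}, which is not visible here).
 *
 * <p>Thread-safety: every collaborator except {@code userDatabase} is fixed at construction.
 * {@link #setUserDatabase} writes a plain field with no synchronization.
 */
public class TokenValidationService {
    private final RevocableTokenProvisioning revocableTokenProvisioning;
    private final TokenEndpointBuilder tokenEndpointBuilder;
    // Not final: replaceable through setUserDatabase.
    private UaaUserDatabase userDatabase;
    private final ClientServicesExtension clientServicesExtension;
    private final KeyInfoService keyInfoService;

    /**
     * Creates the service with the collaborators used during validation.
     *
     * @param revocableTokenProvisioning store used to resolve opaque tokens and to check revocation
     * @param tokenEndpointBuilder supplies the token endpoint the issuer claim is checked against
     * @param uaaUserDatabase source of the user record bound to the token
     * @param clientServicesExtension source of the client record bound to the token
     * @param keyInfoService key material handed to the {@code TokenValidation} builders
     */
    public TokenValidationService(RevocableTokenProvisioning revocableTokenProvisioning, TokenEndpointBuilder tokenEndpointBuilder, UaaUserDatabase uaaUserDatabase, ClientServicesExtension clientServicesExtension, KeyInfoService keyInfoService) {
        this.revocableTokenProvisioning = revocableTokenProvisioning;
        this.tokenEndpointBuilder = tokenEndpointBuilder;
        this.userDatabase = uaaUserDatabase;
        this.clientServicesExtension = clientServicesExtension;
        this.keyInfoService = keyInfoService;
    }

    /**
     * Validates a token and returns the populated {@code TokenValidation}.
     *
     * <p>Order of checks: revocable token store, issuer, client and user, revocation signature.
     * NOTE(review): whether the JWT signature itself is verified inside the
     * {@code TokenValidation.build*Validator} factories cannot be seen from this class; confirm
     * before relying on this method as the only signature check.
     *
     * @param str the token as presented: either a JWT, or an opaque token id that is resolved
     *     to its stored value first
     * @param z {@code true} to validate as an access token, {@code false} as a refresh token
     * @return the result of the final revocation-signature check
     * @throws TokenRevokedException if an opaque token id has no entry in the revocable token
     *     store for the current identity zone
     */
    public TokenValidation validateToken(String str, boolean z) {
        String tokenValue = str;
        if (!UaaTokenUtils.isJwtToken(str)) {
            // Opaque token: the lookup is scoped to the current identity zone, so an id that
            // exists only in another zone is not found here.
            try {
                tokenValue = this.revocableTokenProvisioning.retrieve(str, IdentityZoneHolder.get().getId()).getValue();
            } catch (EmptyResultDataAccessException e) {
                // One message for expired, revoked and unknown ids: the caller cannot tell which
                // applied. The cause is not attached to the thrown exception.
                throw new TokenRevokedException("The token expired, was revoked, or the token ID is incorrect.");
            }
        }

        TokenValidation validation = z
                ? TokenValidation.buildAccessTokenValidator(tokenValue, this.keyInfoService)
                : TokenValidation.buildRefreshTokenValidator(tokenValue, this.keyInfoService);
        validation.checkRevocableTokenStore(this.revocableTokenProvisioning).checkIssuer(this.tokenEndpointBuilder.getTokenEndpoint());

        ClientDetails clientDetails = validation.getClientDetails(this.clientServicesExtension);
        UaaUser userDetails = validation.getUserDetails(this.userDatabase);
        validation.checkClientAndUser(clientDetails, userDetails);

        // One candidate signature per configured client secret. The stored secret is split on a
        // single space and every part is used as a secret of its own (presumably to keep tokens
        // valid while a secret is rotated; confirm against the client secret storage format).
        ArrayList<String> revocationSignatures = new ArrayList<>();
        String clientSecret = clientDetails.getClientSecret();
        if (clientSecret == null) {
            // Client without a secret: a single signature computed with a null secret.
            revocationSignatures.add(UaaTokenUtils.getRevocableTokenSignature(clientDetails, null, userDetails));
        } else {
            for (String secret : clientSecret.split(" ")) {
                revocationSignatures.add(UaaTokenUtils.getRevocableTokenSignature(clientDetails, secret, userDetails));
            }
        }
        return validation.checkRevocationSignature(revocationSignatures);
    }

    /**
     * Replaces the user database consulted by {@link #validateToken}.
     *
     * @param uaaUserDatabase the user database to use from now on
     */
    public void setUserDatabase(UaaUserDatabase uaaUserDatabase) {
        this.userDatabase = uaaUserDatabase;
    }
}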
