package org.cloudfoundry.identity.uaa.oauth.refresh;

import com.google.common.collect.Maps;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import org.cloudfoundry.identity.uaa.oauth.AuthTimeDateConverter;
import org.cloudfoundry.identity.uaa.oauth.AuthorizationAttributesParser;
import org.cloudfoundry.identity.uaa.oauth.KeyInfo;
import org.cloudfoundry.identity.uaa.oauth.KeyInfoService;
import org.cloudfoundry.identity.uaa.oauth.TokenEndpointBuilder;
import org.cloudfoundry.identity.uaa.oauth.TokenValidityResolver;
import org.cloudfoundry.identity.uaa.oauth.jwt.JwtHelper;
import org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants;
import org.cloudfoundry.identity.uaa.oauth.token.TokenConstants;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.util.JsonUtils;
import org.cloudfoundry.identity.uaa.util.TimeService;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException;
import org.springframework.util.StringUtils;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.24.0.jar:org/cloudfoundry/identity/uaa/oauth/refresh/RefreshTokenCreator.class */
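/**
 * Mints UAA refresh tokens as signed JWTs.
 *
 * <p>A refresh token is only issued when {@link #isRefreshTokenSupported(String, Set)} allows it
 * for the request's grant type (or, in restricted mode, the request's scopes). The token id is a
 * random UUID plus {@link TokenConstants#REFRESH_TOKEN_SUFFIX}; the JWT payload is serialized with
 * {@link JsonUtils} and signed with the active key from {@link KeyInfoService}.
 *
 * <p>Not thread-safe with respect to the setters: {@code setRestrictRefreshGrant} and
 * {@code setTimeService} mutate state read by the create/check methods without synchronization.
 */
public class RefreshTokenCreator {
    /** Scope that must be present before a refresh token is issued while restriction is enabled. */
    private static final String UAA_REFRESH_TOKEN = "uaa.offline_token";

    private boolean isRestrictRefreshGrant;
    private final TokenValidityResolver refreshTokenValidityResolver;
    private final TokenEndpointBuilder tokenEndpointBuilder;
    private TimeService timeService;
    private KeyInfoService keyInfoService;

    /**
     * Creates a refresh token factory.
     *
     * @param isRestrictRefreshGrant when {@code true}, refresh tokens require the {@code uaa.offline_token} scope
     * @param refreshTokenValidityResolver resolves the per-client expiry of refresh tokens
     * @param tokenEndpointBuilder supplies the {@code iss} claim value
     * @param timeService clock used for the {@code iat} claim
     * @param keyInfoService source of the active JWT signing key
     */
    public RefreshTokenCreator(boolean isRestrictRefreshGrant, TokenValidityResolver refreshTokenValidityResolver, TokenEndpointBuilder tokenEndpointBuilder, TimeService timeService, KeyInfoService keyInfoService) {
        this.isRestrictRefreshGrant = isRestrictRefreshGrant;
        this.refreshTokenValidityResolver = refreshTokenValidityResolver;
        this.tokenEndpointBuilder = tokenEndpointBuilder;
        this.timeService = timeService;
        this.keyInfoService = keyInfoService;
    }

    /**
     * Builds a refresh token for the given user and request, or returns {@code null} when the
     * grant type / scopes do not permit one.
     *
     * @param uaaUser the authenticated user the token is issued for; must not be {@code null} when a token is issued
     * @param refreshTokenRequestData grant type, client id, scopes, resource ids and related request data
     * @param revocationSignature revocation signature to embed; omitted from the token when blank
     * @return the signed refresh token with its expiry and token id, or {@code null} if unsupported
     * @throws IllegalStateException if the claims cannot be serialized to JSON
     * @throws InternalAuthenticationServiceException if no active signing key is configured
     */
    public CompositeExpiringOAuth2RefreshToken createRefreshToken(UaaUser uaaUser, RefreshTokenRequestData refreshTokenRequestData, String revocationSignature) {
        String grantType = refreshTokenRequestData.grantType;
        if (!isRefreshTokenSupported(grantType, refreshTokenRequestData.scopes)) {
            return null;
        }
        Map<String, String> additionalAuthorizationAttributes =
                new AuthorizationAttributesParser().getAdditionalAuthorizationAttributes(refreshTokenRequestData.authorities);
        Date expiration = this.refreshTokenValidityResolver.resolve(refreshTokenRequestData.clientId);
        // Token id: UUID.randomUUID() is backed by a cryptographically strong PRNG, so the jti is
        // unguessable; the suffix lets other components recognise it as a refresh token id.
        String tokenId = UUID.randomUUID().toString().replace("-", "") + TokenConstants.REFRESH_TOKEN_SUFFIX;
        String jwt = buildJwtToken(uaaUser, refreshTokenRequestData, revocationSignature, grantType,
                additionalAuthorizationAttributes, expiration, tokenId);
        return new CompositeExpiringOAuth2RefreshToken(jwt, expiration, tokenId);
    }

    /**
     * Assembles the refresh-token claims in insertion order and returns the signed, encoded JWT.
     *
     * @param uaaUser subject of the token; required (the {@code sub} claim is always written)
     * @param refreshTokenRequestData request data the claims are copied from
     * @param revocationSignature written as {@code rev_sig} only when it has text
     * @param grantType written as {@code grant_type} only when non-null
     * @param additionalAuthorizationAttributes written under {@code az_attr} only when non-null
     * @param expiration token expiry; written as {@code exp} in epoch seconds
     * @param tokenId written as {@code jti}
     * @return the encoded JWT
     * @throws NullPointerException if {@code uaaUser} is {@code null}
     * @throws IllegalStateException if the claims cannot be serialized to JSON
     */
    private String buildJwtToken(UaaUser uaaUser, RefreshTokenRequestData refreshTokenRequestData, String revocationSignature, String grantType, Map<String, String> additionalAuthorizationAttributes, Date expiration, String tokenId) {
        // The original code dereferenced the user for "sub" and only later null-checked it for the
        // user_* claims; that later check was dead. Fail fast with a clear message instead.
        Objects.requireNonNull(uaaUser, "uaaUser");
        try {
            Map<String, Object> claims = new LinkedHashMap<>();
            claims.put("jti", tokenId);
            claims.put("sub", uaaUser.getId());
            // iat/exp are epoch seconds, as JWT expects.
            claims.put(ClaimConstants.IAT, this.timeService.getCurrentTimeMillis() / 1000);
            claims.put("exp", expiration.getTime() / 1000);
            claims.put(ClaimConstants.CID, refreshTokenRequestData.clientId);
            claims.put("client_id", refreshTokenRequestData.clientId);
            claims.put(ClaimConstants.ISS, this.tokenEndpointBuilder.getTokenEndpoint());
            claims.put(ClaimConstants.ZONE_ID, IdentityZoneHolder.get().getId());
            claims.put("aud", refreshTokenRequestData.resourceIds);
            claims.put(ClaimConstants.GRANTED_SCOPES, refreshTokenRequestData.scopes);
            if (refreshTokenRequestData.authenticationMethods != null && !refreshTokenRequestData.authenticationMethods.isEmpty()) {
                claims.put(ClaimConstants.AMR, refreshTokenRequestData.authenticationMethods);
            }
            if (refreshTokenRequestData.authTime != null) {
                claims.put(ClaimConstants.AUTH_TIME, AuthTimeDateConverter.dateToAuthTime(refreshTokenRequestData.authTime));
            }
            if (refreshTokenRequestData.acr != null && !refreshTokenRequestData.acr.isEmpty()) {
                Map<String, Object> acr = new HashMap<>();
                acr.put("values", refreshTokenRequestData.acr);
                claims.put("acr", acr);
            }
            if (additionalAuthorizationAttributes != null) {
                claims.put(ClaimConstants.ADDITIONAL_AZ_ATTR, additionalAuthorizationAttributes);
            }
            if (refreshTokenRequestData.externalAttributes != null) {
                // NOTE(review): putAll runs after the standard claims, so an external attribute whose
                // key collides with one of them (sub, exp, aud, ...) overwrites it. Confirm that
                // externalAttributes is populated only from trusted configuration, or filter its keys.
                claims.putAll(refreshTokenRequestData.externalAttributes);
            }
            if (grantType != null) {
                claims.put("grant_type", grantType);
            }
            claims.put("user_name", uaaUser.getUsername());
            claims.put("origin", uaaUser.getOrigin());
            claims.put("user_id", uaaUser.getId());
            if (refreshTokenRequestData.revocable) {
                claims.put(ClaimConstants.REVOCABLE, true);
            }
            if (StringUtils.hasText(revocationSignature)) {
                claims.put(ClaimConstants.REVOCATION_SIGNATURE, revocationSignature);
            }
            return JwtHelper.encode(JsonUtils.writeValueAsString(claims), getActiveKeyInfo()).getEncoded();
        } catch (JsonUtils.JsonUtilException e) {
            // Message previously said "access token"; this class only builds refresh tokens.
            throw new IllegalStateException("Cannot convert refresh token to JSON", e);
        }
    }

    /**
     * Returns the active signing key.
     *
     * @return the key used to sign tokens
     * @throws InternalAuthenticationServiceException if no active key is configured
     */
    private KeyInfo getActiveKeyInfo() {
        KeyInfo activeKey = this.keyInfoService.getActiveKey();
        if (activeKey == null) {
            // Fail closed: a token signed with no key could never be verified.
            throw new InternalAuthenticationServiceException("Unable to sign token, misconfigured JWT signing keys");
        }
        return activeKey;
    }

    /**
     * Decides whether a refresh token may be issued.
     *
     * <p>In restricted mode the decision depends solely on the presence of the
     * {@code uaa.offline_token} scope; otherwise it depends on the grant type.
     *
     * @param grantType the OAuth grant type of the request
     * @param scopes the granted scopes; {@code null} is treated as no scopes
     * @return {@code true} if a refresh token should be created
     */
    protected boolean isRefreshTokenSupported(String grantType, Set<String> scopes) {
        if (this.isRestrictRefreshGrant) {
            return scopes != null && scopes.contains(UAA_REFRESH_TOKEN);
        }
        return TokenConstants.GRANT_TYPE_AUTHORIZATION_CODE.equals(grantType)
                || "password".equals(grantType)
                || TokenConstants.GRANT_TYPE_USER_TOKEN.equals(grantType)
                || "refresh_token".equals(grantType)
                || TokenConstants.GRANT_TYPE_SAML2_BEARER.equals(grantType);
    }

    /**
     * Throws if refresh-grant restriction is enabled and the required scope is absent.
     *
     * @param scopes the scopes of the request; {@code null} counts as missing the scope
     * @throws InsufficientScopeException if restriction is on and {@code uaa.offline_token} is absent
     */
    public void ensureRefreshTokenCreationNotRestricted(ArrayList<String> scopes) {
        // Parameter stays ArrayList (rather than List) to keep binary compatibility with callers.
        if (this.isRestrictRefreshGrant && (scopes == null || !scopes.contains(UAA_REFRESH_TOKEN))) {
            throw new InsufficientScopeException(String.format("Expected scope %s is missing", UAA_REFRESH_TOKEN));
        }
    }

    /**
     * Enables or disables the {@code uaa.offline_token} scope requirement.
     *
     * @param restrictRefreshGrant {@code true} to require the scope
     */
    public void setRestrictRefreshGrant(boolean restrictRefreshGrant) {
        this.isRestrictRefreshGrant = restrictRefreshGrant;
    }

    /**
     * Replaces the clock used for the {@code iat} claim.
     *
     * @param timeService the clock to use
     */
    public void setTimeService(TimeService timeService) {
        this.timeService = timeService;
    }
}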
