package org.wso2.carbon.identity.oauth2.token.handlers.grant;

import java.sql.Timestamp;
import java.util.Date;
import java.util.Locale;
import java.util.UUID;
import org.apache.amber.oauth2.as.issuer.MD5Generator;
import org.apache.amber.oauth2.as.issuer.OAuthIssuer;
import org.apache.amber.oauth2.as.issuer.OAuthIssuerImpl;
import org.apache.amber.oauth2.common.exception.OAuthSystemException;
import org.apache.amber.oauth2.common.message.types.GrantType;
import org.apache.axiom.util.base64.Base64Utils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.oauth.cache.CacheEntry;
import org.wso2.carbon.identity.oauth.cache.CacheKey;
import org.wso2.carbon.identity.oauth.cache.OAuthCache;
import org.wso2.carbon.identity.oauth.cache.OAuthCacheKey;
import org.wso2.carbon.identity.oauth.callback.OAuthCallback;
import org.wso2.carbon.identity.oauth.callback.OAuthCallbackManager;
import org.wso2.carbon.identity.oauth.common.OAuthConstants;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenRespDTO;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.model.RefreshTokenValidationDataDO;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandler.class */
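/**
 * Base implementation shared by the token-endpoint grant handlers.
 *
 * <p>Subclasses validate the grant itself; this class owns the common second half of the flow:
 * reusing a still-valid token for the same (client, user, scope) triple, marking the previous
 * token as expired/revoked, minting and persisting a new access/refresh token pair, and running
 * the configured {@link OAuthCallbackManager} for access-delegation and scope checks.
 *
 * <p>Thread-safety: {@link #issue} serialises work for one (client, user, scope) triple on an
 * interned {@link String} lock; everything else is as thread-safe as the DAO, cache and
 * configuration singletons it delegates to.
 */
public abstract class AbstractAuthorizationGrantHandler implements AuthorizationGrantHandler {

    private static final Log log = LogFactory.getLog(AbstractAuthorizationGrantHandler.class);

    protected TokenMgtDAO tokenMgtDAO;
    // NOTE(review): the entropy of the tokens comes entirely from Amber's MD5Generator, whose
    // source of randomness is not visible here -- confirm it is backed by a CSPRNG before relying
    // on these values as bearer credentials.
    protected final OAuthIssuer oauthIssuerImpl = new OAuthIssuerImpl(new MD5Generator());
    protected OAuthCallbackManager callbackManager;
    protected boolean cacheEnabled;
    protected OAuthCache oauthCache;

    /**
     * Creates the DAO and callback manager and wires up the token cache when it is enabled in
     * the server configuration.
     *
     * @throws IdentityOAuth2Exception declared by the interface; nothing in this body throws it
     */
    @Override // org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler
    public void init() throws IdentityOAuth2Exception {
        this.tokenMgtDAO = new TokenMgtDAO();
        this.callbackManager = new OAuthCallbackManager();
        if (OAuthServerConfiguration.getInstance().isCacheEnabled()) {
            this.cacheEnabled = true;
            this.oauthCache = OAuthCache.getInstance();
        }
    }

    /**
     * Default: grants handled here are assumed to come from a confidential client.
     * Subclasses for public-client grants must override this.
     */
    @Override // org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler
    public boolean isConfidentialClient() throws IdentityOAuth2Exception {
        return true;
    }

    /**
     * Default: a refresh token is issued alongside the access token (subject to the
     * {@code refresh_token} grant being enabled server-wide, see {@link #refreshTokenGrantEnabled}).
     */
    @Override // org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler
    public boolean issueRefreshToken() throws IdentityOAuth2Exception {
        return true;
    }

    /**
     * Default: the token is issued on behalf of an end user rather than the application itself;
     * this selects the token type stored with the token.
     */
    @Override // org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler
    public boolean isOfTypeApplicationUser() throws IdentityOAuth2Exception {
        return true;
    }

    /**
     * Issues (or reuses) an access token for the already-validated request in the message context.
     *
     * <p>Order of operations, all under a per-(client, user, scope) lock:
     * <ol>
     *   <li>serve a cached token if one is present and not yet expired;</li>
     *   <li>otherwise serve a still-valid token from the store, re-caching it;</li>
     *   <li>otherwise mark the previous token expired (or keep it revoked) and mint a new pair.</li>
     * </ol>
     *
     * @param oAuthTokenReqMessageContext validated request; its authorized user, scope, tenant and
     *                                    validity period are read here
     * @return response DTO carrying the access token, expiry and (when enabled) the refresh token
     * @throws IdentityOAuth2Exception if token generation fails or the DAO fails while updating
     *                                 token state or persisting the new token
     */
    @Override // org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler
    public OAuth2AccessTokenRespDTO issue(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        OAuth2AccessTokenReqDTO tokenReq = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO();
        String scope = OAuth2Util.buildScopeString(oAuthTokenReqMessageContext.getScope());
        String clientId = tokenReq.getClientId();
        String authorizedUser = oAuthTokenReqMessageContext.getAuthorizedUser();

        // The cache key lower-cases the user name (locale-independently) while the lock key below
        // keeps the original casing, so two differently-cased user names share a cache slot but
        // not a lock -- pre-existing behaviour, kept as is.
        OAuthCacheKey cacheKey = new OAuthCacheKey(clientId + ":" + authorizedUser.toLowerCase(Locale.ROOT) + ":" + scope);

        // Only used when the token table is partitioned per user store.
        String userStoreDomain = null;
        if (OAuth2Util.checkAccessTokenPartitioningEnabled() && OAuth2Util.checkUserNameAssertionEnabled()) {
            userStoreDomain = OAuth2Util.getUserStoreDomainFromUserId(authorizedUser);
        }
        String tokenType = isOfTypeApplicationUser()
                ? OAuthConstants.USER_TYPE_FOR_USER_TOKEN
                : OAuthConstants.USER_TYPE_FOR_APPLICATION_TOKEN;

        synchronized ((clientId + ":" + authorizedUser + ":" + scope).intern()) {
            // Lookup is best-effort: any failure falls through to issuing a fresh token.
            AccessTokenDO existingToken = null;
            try {
                if (this.cacheEnabled) {
                    AccessTokenDO cached = (AccessTokenDO) this.oauthCache.getValueFromCache((CacheKey) cacheKey);
                    if (cached != null) {
                        long remainingMillis = OAuth2Util.getTokenExpireTimeMillis(cached);
                        if (remainingMillis > 0) {
                            OAuth2AccessTokenRespDTO resp = new OAuth2AccessTokenRespDTO();
                            resp.setAccessToken(cached.getAccessToken());
                            if (refreshTokenGrantEnabled()) {
                                resp.setRefreshToken(cached.getRefreshToken());
                            }
                            resp.setExpiresIn(remainingMillis / 1000);
                            resp.setExpiresInMillis(remainingMillis);
                            if (log.isDebugEnabled()) {
                                log.debug("Access Token info retrieved from the cache and served to client with client id : " + clientId);
                            }
                            return resp;
                        }
                        // Expired entry: evict so the store is consulted.
                        this.oauthCache.clearCacheEntry((CacheKey) cacheKey);
                    }
                }
                existingToken = this.tokenMgtDAO.getValidAccessTokenIfExist(clientId, authorizedUser, userStoreDomain, scope);
            } catch (Exception e) {
                // Previously the cause was dropped entirely; keep it so a failing store is
                // diagnosable, since the consequence is silently minting a new token.
                log.warn("Error while getting existing token for client ID " + clientId, e);
            }

            if (existingToken != null) {
                existingToken.setScope(oAuthTokenReqMessageContext.getScope());
                existingToken.setTokenType(tokenType);
                OAuth2AccessTokenRespDTO resp = new OAuth2AccessTokenRespDTO();
                resp.setRefreshToken(existingToken.getRefreshToken());
                resp.setAccessToken(existingToken.getAccessToken());
                long remainingMillis = OAuth2Util.getTokenExpireTimeMillis(existingToken);
                resp.setExpiresIn(remainingMillis / 1000);
                resp.setExpiresInMillis(remainingMillis);
                if (log.isDebugEnabled()) {
                    log.debug("Retrieving existing valid access token for client ID " + clientId);
                }
                if (this.cacheEnabled) {
                    if (log.isDebugEnabled()) {
                        log.debug("Access Token info was added to the cache for the client id : " + clientId);
                    }
                    this.oauthCache.addToCache((CacheKey) cacheKey, (CacheEntry) existingToken);
                }
                if (!refreshTokenGrantEnabled()) {
                    resp.setRefreshToken(null);
                }
                return resp;
            }

            // No usable token: retire the previous one. A revoked token stays revoked; anything
            // else is marked expired. The random UUID is the new token-id the DAO expects.
            if (log.isDebugEnabled()) {
                log.debug("Marking old token as expired for client Id : " + clientId + " AuthorizedUser : " + authorizedUser);
            }
            String previousState = this.tokenMgtDAO.getAccessTokenState(clientId, authorizedUser, scope);
            if (previousState != null) {
                String newState = OAuthConstants.TokenStates.TOKEN_STATE_REVOKED.equals(previousState)
                        ? OAuthConstants.TokenStates.TOKEN_STATE_REVOKED
                        : OAuthConstants.TokenStates.TOKEN_STATE_EXPIRED;
                this.tokenMgtDAO.setAccessTokenState(clientId, authorizedUser, newState, UUID.randomUUID().toString(), userStoreDomain, scope);
            }

            if (log.isDebugEnabled()) {
                log.debug("Issuing a new access token for " + clientId + " AuthorizedUser : " + authorizedUser);
            }
            try {
                String accessToken = this.oauthIssuerImpl.accessToken();
                String refreshToken = this.oauthIssuerImpl.refreshToken();

                // If the previous access token merely expired, its refresh token may be carried
                // over to the new token instead of minting a fresh one.
                AccessTokenDO previousToken = this.tokenMgtDAO.getValidAccessTokenIfExist(clientId, authorizedUser, userStoreDomain, true);
                if (previousToken != null) {
                    RefreshTokenValidationDataDO refreshData = this.tokenMgtDAO.validateRefreshToken(clientId, previousToken.getRefreshToken());
                    String refreshState = refreshData.getRefreshTokenState();
                    if (refreshState != null) {
                        long issuedAt = refreshData.getIssuedAt();
                        long skewMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;
                        // NOTE(review): as written this reduces to validityPeriod + skew > 1000,
                        // because issuedAt is subtracted from itself; it never consults the
                        // current time, so an expired token's refresh token is reused regardless
                        // of its age. Kept verbatim -- confirm the intended comparison (presumably
                        // against System.currentTimeMillis()) before changing the policy.
                        if (OAuthConstants.TokenStates.TOKEN_STATE_EXPIRED.equals(refreshState)
                                && ((issuedAt + previousToken.getValidityPeriodInMillis()) - refreshData.getIssuedAt()) + skewMillis > 1000) {
                            refreshToken = previousToken.getRefreshToken();
                        }
                    }
                }

                // User-name assertion embeds the user in the token: base64("<token>:<user>").
                // NOTE(review): getBytes() uses the platform charset; the decoding side presumably
                // does the same, so it is left unchanged here rather than fixed on one side only.
                if (OAuth2Util.checkUserNameAssertionEnabled()) {
                    accessToken = Base64Utils.encode((accessToken + ":" + authorizedUser).getBytes());
                    refreshToken = Base64Utils.encode((refreshToken + ":" + authorizedUser).getBytes());
                }

                Timestamp issuedAt = new Timestamp(System.currentTimeMillis());
                // A positive validity period set by a callback overrides the configured default.
                long validitySeconds = OAuthServerConfiguration.getInstance().getUserAccessTokenValidityPeriodInSeconds();
                long requestedValidity = oAuthTokenReqMessageContext.getValidityPeriod();
                if (requestedValidity > 0) {
                    validitySeconds = requestedValidity;
                }

                AccessTokenDO newToken = new AccessTokenDO(clientId, authorizedUser, oAuthTokenReqMessageContext.getScope(), issuedAt, validitySeconds, tokenType);
                newToken.setRefreshToken(refreshToken);
                newToken.setTokenState(OAuthConstants.TokenStates.TOKEN_STATE_ACTIVE);
                newToken.setAccessToken(accessToken);
                newToken.setTenantID(oAuthTokenReqMessageContext.getTenantID());
                this.tokenMgtDAO.storeAccessToken(accessToken, clientId, newToken, userStoreDomain);
                if (log.isDebugEnabled()) {
                    // Token values are deliberately not logged.
                    log.debug("Persisted an access token with Client ID : " + clientId
                            + ", authorized user : " + authorizedUser
                            + ", timestamp : " + issuedAt
                            + ", validity period : " + validitySeconds
                            + ", scope : " + scope
                            + ", Token State : " + OAuthConstants.TokenStates.TOKEN_STATE_ACTIVE);
                }
                if (this.cacheEnabled) {
                    this.oauthCache.addToCache((CacheKey) cacheKey, (CacheEntry) newToken);
                    if (log.isDebugEnabled()) {
                        log.debug("Access Token info was added to the cache for the client id : " + clientId);
                    }
                }

                OAuth2AccessTokenRespDTO resp = new OAuth2AccessTokenRespDTO();
                resp.setAccessToken(accessToken);
                if (refreshTokenGrantEnabled()) {
                    resp.setRefreshToken(refreshToken);
                }
                resp.setExpiresIn(OAuth2Util.getTokenExpireTimeMillis(newToken) / 1000);
                return resp;
            } catch (OAuthSystemException e) {
                throw new IdentityOAuth2Exception("Error when generating the tokens.", e);
            }
        }
    }

    /**
     * Runs the ACCESS_DELEGATION callback and records the validity period it chose.
     *
     * @return whether the callback authorised the delegation
     * @throws IdentityOAuth2Exception if the grant type cannot be mapped to a known enum value
     */
    @Override // org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler
    public boolean authorizeAccessDelegation(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        OAuthCallback callback = newCallback(oAuthTokenReqMessageContext, OAuthCallback.OAuthCallbackType.ACCESS_DELEGATION_TOKEN);
        this.callbackManager.handleCallback(callback);
        oAuthTokenReqMessageContext.setValidityPeriod(callback.getValidityPeriod());
        return callback.isAuthorized();
    }

    /**
     * Runs the SCOPE_VALIDATION callback; the approved scope it returns replaces the requested
     * scope on the message context, and its validity period is recorded as well.
     *
     * @return whether the callback accepted the scope
     * @throws IdentityOAuth2Exception if the grant type cannot be mapped to a known enum value
     */
    @Override // org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler
    public boolean validateScope(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        OAuthCallback callback = newCallback(oAuthTokenReqMessageContext, OAuthCallback.OAuthCallbackType.SCOPE_VALIDATION_TOKEN);
        this.callbackManager.handleCallback(callback);
        oAuthTokenReqMessageContext.setValidityPeriod(callback.getValidityPeriod());
        oAuthTokenReqMessageContext.setScope(callback.getApprovedScope());
        return callback.isValidScope();
    }

    /**
     * Builds the callback for the given type, carrying the user, client, requested scope and the
     * grant type. SAML2 bearer and IWA-NTLM are Carbon-specific grants and map to the Carbon enum;
     * every other value is looked up in Amber's {@link GrantType}.
     *
     * @throws IdentityOAuth2Exception if the request's grant type matches no Amber enum constant
     *                                 (the raw {@code valueOf} failure used to escape unchecked)
     */
    private OAuthCallback newCallback(OAuthTokenReqMessageContext ctx, OAuthCallback.OAuthCallbackType type) throws IdentityOAuth2Exception {
        OAuth2AccessTokenReqDTO req = ctx.getOauth2AccessTokenReqDTO();
        OAuthCallback callback = new OAuthCallback(ctx.getAuthorizedUser(), req.getClientId(), type);
        callback.setRequestedScope(ctx.getScope());
        String grantType = req.getGrantType();
        if (grantType.equals(org.wso2.carbon.identity.oauth.common.GrantType.SAML20_BEARER.toString())) {
            callback.setCarbonGrantType(org.wso2.carbon.identity.oauth.common.GrantType.valueOf(OAuthConstants.OAUTH_SAML2_BEARER_GRANT_ENUM.toString()));
        } else if (grantType.equals(org.wso2.carbon.identity.oauth.common.GrantType.IWA_NTLM.toString())) {
            callback.setCarbonGrantType(org.wso2.carbon.identity.oauth.common.GrantType.valueOf(OAuthConstants.OAUTH_IWA_NTLM_GRANT_ENUM.toString()));
        } else {
            try {
                // Locale.ROOT: a default-locale upper-casing (e.g. Turkish) would mangle "i".
                callback.setGrantType(GrantType.valueOf(grantType.toUpperCase(Locale.ROOT)));
            } catch (IllegalArgumentException e) {
                throw new IdentityOAuth2Exception("Unsupported grant type: " + grantType, e);
            }
        }
        return callback;
    }

    /**
     * True when this handler wants a refresh token and the {@code refresh_token} grant is enabled
     * server-wide; both are re-evaluated on every call, as the original inline checks were.
     */
    private boolean refreshTokenGrantEnabled() throws IdentityOAuth2Exception {
        return issueRefreshToken()
                && OAuthServerConfiguration.getInstance().getSupportedGrantTypes().containsKey(GrantType.REFRESH_TOKEN.toString());
    }
}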
