package io.jans.as.server.model.common;

import com.google.common.collect.Lists;
import io.jans.as.common.claims.Audience;
import io.jans.as.common.model.common.User;
import io.jans.as.common.model.registration.Client;
import io.jans.as.common.service.AttributeService;
import io.jans.as.model.config.WebKeysConfiguration;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.model.token.JsonWebResponse;
import io.jans.as.model.util.JwtUtil;
import io.jans.as.server.model.authorize.JwtAuthorizationRequest;
import io.jans.as.server.model.ldap.TokenEntity;
import io.jans.as.server.model.ldap.TokenType;
import io.jans.as.server.model.token.HandleTokenFactory;
import io.jans.as.server.model.token.IdTokenFactory;
import io.jans.as.server.model.token.JwtSigner;
import io.jans.as.server.service.ClientService;
import io.jans.as.server.service.GrantService;
import io.jans.as.server.service.MetricService;
import io.jans.as.server.service.SectorIdentifierService;
import io.jans.as.server.service.external.ExternalIntrospectionService;
import io.jans.as.server.service.external.ExternalUpdateTokenService;
import io.jans.as.server.service.external.context.ExternalIntrospectionContext;
import io.jans.as.server.service.external.context.ExternalUpdateTokenContext;
import io.jans.as.server.service.stat.StatService;
import io.jans.as.server.util.ServerUtil;
import io.jans.as.server.util.TokenHashUtil;
import io.jans.model.metric.MetricType;
import io.jans.service.CacheService;
import jakarta.inject.Inject;
import jakarta.ws.rs.WebApplicationException;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.function.Supplier;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.BooleanUtils;
import org.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/jans/as/server/model/common/AuthorizationGrant.class */
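/**
 * Base class for persisted authorization grants.
 *
 * <p>On top of the in-memory token creation inherited from {@link AbstractAuthorizationGrant},
 * this class converts the created tokens into {@link TokenEntity} records and stores them
 * through {@link GrantService} (or, when {@link #isCachedWithNoPersistence()} is set, the whole
 * grant is stored through {@link CacheService} instead). Before a token is stored, the external
 * "update token" scripts get a chance to modify or veto it, and per-token-type statistics and
 * metrics are reported.
 *
 * <p>Persisted entities carry only a hash of the token value (see {@link #asTokenEntity}); the
 * raw token value is returned to the caller and only ever logged at TRACE level.
 *
 * <p>Collaborators are injected (CDI). The class is not designed to be thread-safe; a grant is
 * expected to be used from a single request at a time.
 *
 * <p>Note: this listing was recovered by a decompiler (the no-arg constructor is reported as
 * originally {@code protected}); the public signatures are kept as recovered.
 */
public abstract class AuthorizationGrant extends AbstractAuthorizationGrant {
    private static final Logger log = LoggerFactory.getLogger(AuthorizationGrant.class);

    @Inject
    private CacheService cacheService;

    @Inject
    private GrantService grantService;

    @Inject
    private IdTokenFactory idTokenFactory;

    @Inject
    private WebKeysConfiguration webKeysConfiguration;

    @Inject
    private ClientService clientService;

    @Inject
    private ExternalIntrospectionService externalIntrospectionService;

    @Inject
    private ExternalUpdateTokenService externalUpdateTokenService;

    @Inject
    private AttributeService attributeService;

    @Inject
    private SectorIdentifierService sectorIdentifierService;

    @Inject
    private MetricService metricService;

    @Inject
    private StatService statService;

    // When true, save() stores the grant in the cache only (see saveInCache()) instead of
    // merging the persisted token entities; defaults to false, i.e. persist.
    private boolean isCachedWithNoPersistence;

    /**
     * Creates an uninitialised grant with persistence enabled.
     * (Reported by the decompiler as originally {@code protected}.)
     */
    public AuthorizationGrant() {
        this.isCachedWithNoPersistence = false;
    }

    /**
     * Creates a grant for the given user/client with persistence enabled.
     *
     * @param user                   resource owner, may be {@code null} for grants without a user
     * @param authorizationGrantType type of the grant
     * @param client                 client the grant was issued to
     * @param date                   authentication time passed to the superclass
     */
    protected AuthorizationGrant(User user, AuthorizationGrantType authorizationGrantType, Client client, Date date) {
        super(user, authorizationGrantType, client, date);
        this.isCachedWithNoPersistence = false;
    }

    /**
     * (Re)initialises the grant state; delegates to the superclass without changes.
     *
     * @param user                   resource owner
     * @param authorizationGrantType type of the grant
     * @param client                 client the grant was issued to
     * @param date                   authentication time
     */
    @Override
    public void init(User user, AuthorizationGrantType authorizationGrantType, Client client, Date date) {
        super.init(user, authorizationGrantType, client, date);
    }

    /**
     * Builds the id_token JWT through {@link IdTokenFactory} and wraps it as an {@link IdToken}
     * whose creation/expiration dates are taken from the JWT's {@code iat}/{@code exp} claims.
     *
     * @param authorizationCode code to bind into the token (may be {@code null})
     * @param accessToken       access token to bind into the token (may be {@code null})
     * @param refreshToken      refresh token to bind into the token (may be {@code null})
     * @param executionContext  request context; initialised from this grant if needed
     * @return the created id_token (not persisted here)
     * @throws Exception propagated from the factory
     */
    private IdToken createIdTokenInternal(AuthorizationCode authorizationCode, AccessToken accessToken, RefreshToken refreshToken, ExecutionContext executionContext) throws Exception {
        executionContext.initFromGrantIfNeeded(this);
        JsonWebResponse jwr = idTokenFactory.createJwr(this, authorizationCode, accessToken, refreshToken, executionContext);
        IdToken idToken = new IdToken(jwr.toString(), jwr.getClaims().getClaimAsDate("iat"), jwr.getClaims().getClaimAsDate("exp"));
        if (log.isTraceEnabled()) {
            // Logs the raw id_token value; keep TRACE disabled outside development.
            log.trace("Created id_token: {}", idToken.getCode());
        }
        return idToken;
    }

    /**
     * Applies the scope policy of the superclass and persists the (possibly narrowed) grant.
     *
     * @param str requested scopes as a space separated string
     * @return the scopes allowed by the policy; {@code str} itself when it is blank (no save)
     */
    @Override
    public String checkScopesPolicy(String str) {
        if (StringUtils.isBlank(str)) {
            return str;
        }
        String allowedScopes = super.checkScopesPolicy(str);
        save();
        return allowedScopes;
    }

    /**
     * Persists the current grant state.
     *
     * <p>With persistence enabled the token entities of this grant are merged (see
     * {@link #saveImpl()}). With {@link #isCachedWithNoPersistence()} set, only the
     * authorization-code and CIBA grant types can be cached.
     *
     * @throws UnsupportedOperationException when caching is requested for any other grant type
     */
    @Override
    public void save() {
        if (!isCachedWithNoPersistence) {
            saveImpl();
            return;
        }
        AuthorizationGrantType grantType = getAuthorizationGrantType();
        if (grantType == AuthorizationGrantType.AUTHORIZATION_CODE || grantType == AuthorizationGrantType.CIBA) {
            saveInCache();
            return;
        }
        throw new UnsupportedOperationException("Grant caching is not supported for : " + grantType);
    }

    /** Stores a {@link CacheGrant} snapshot of this grant under its cache key, with its own TTL. */
    private void saveInCache() {
        CacheGrant cacheGrant = new CacheGrant(this, appConfiguration);
        cacheService.put(cacheGrant.getExpiresIn(), cacheGrant.cacheKey(), cacheGrant);
    }

    /**
     * @return {@code true} for implicit grants; a missing grant type is treated as implicit too
     */
    public boolean isImplicitFlow() {
        AuthorizationGrantType grantType = getAuthorizationGrantType();
        return grantType == null || grantType == AuthorizationGrantType.IMPLICIT;
    }

    /**
     * Refreshes every persisted token entity of this grant (looked up by grant id) with the
     * current grant state and merges it. Does nothing when the grant has no id or no entities.
     */
    private void saveImpl() {
        String grantId = getGrantId();
        if (StringUtils.isBlank(grantId)) {
            return;
        }
        List<TokenEntity> entities = grantService.getGrantsByGrantId(grantId);
        if (entities == null || entities.isEmpty()) {
            return;
        }
        for (TokenEntity entity : entities) {
            initTokenFromGrant(entity);
            log.debug("Saving grant: {}, code_challenge: {}", grantId, getCodeChallenge());
            grantService.mergeSilently(entity);
        }
    }

    /**
     * Copies the grant-level attributes (nonce, scope, acr, session, auth time, PKCE challenge,
     * claims and the encoded request object JWT, when present) onto a token entity.
     *
     * @param tokenEntity entity to update in place
     */
    private void initTokenFromGrant(TokenEntity tokenEntity) {
        String nonce = getNonce();
        if (nonce != null) {
            tokenEntity.setNonce(nonce);
        }
        tokenEntity.setScope(getScopesAsString());
        tokenEntity.setAuthMode(getAcrValues());
        tokenEntity.setSessionDn(getSessionDn());
        tokenEntity.setAuthenticationTime(getAuthenticationTime());
        tokenEntity.setCodeChallenge(getCodeChallenge());
        tokenEntity.setCodeChallengeMethod(getCodeChallengeMethod());
        tokenEntity.setClaims(getClaims());
        JwtAuthorizationRequest jwtRequest = getJwtAuthorizationRequest();
        if (jwtRequest != null && StringUtils.isNotBlank(jwtRequest.getEncodedJwt())) {
            tokenEntity.setJwtRequest(jwtRequest.getEncodedJwt());
        }
    }

    /**
     * Creates, optionally signs as a JWT, lets the external update-token script modify/veto, and
     * persists an access token.
     *
     * <p>{@link WebApplicationException} (e.g. raised by a script) is rethrown so the caller can
     * turn it into an HTTP response; any other exception is logged and turns into {@code null}.
     *
     * @param executionContext request context; initialised from this grant if needed
     * @return the access token, or {@code null} when it has a negative lifetime, was vetoed by
     *         the external script, or creation failed
     */
    @Override
    public AccessToken createAccessToken(ExecutionContext executionContext) {
        try {
            executionContext.initFromGrantIfNeeded(this);
            AccessToken accessToken = super.createAccessToken(executionContext);
            if (accessToken.getExpiresIn() < 0) {
                log.trace("Failed to create access token with negative expiration time");
                return null;
            }
            JwtSigner jwtSigner = null;
            if (getClient().isAccessTokenAsJwt()) {
                jwtSigner = createAccessTokenAsJwt(accessToken, executionContext);
            }
            // The script sees the (still unsigned) JWT via the context and may modify it or veto.
            if (!externalUpdateTokenService.modifyAccessToken(accessToken, ExternalUpdateTokenContext.of(executionContext, jwtSigner))) {
                log.trace("External script forbids access token creation.");
                return null;
            }
            if (getClient().isAccessTokenAsJwt() && jwtSigner != null) {
                // Signing happens after the script ran, so script changes are covered by the signature.
                String jwt = jwtSigner.sign().toString();
                if (log.isTraceEnabled()) {
                    // Logs the signed token and all its claims; keep TRACE disabled outside development.
                    log.trace("Created access token JWT: {}", jwt + ", claims: " + jwtSigner.getJwt().getClaims().toJsonString());
                }
                accessToken.setCode(jwt);
            }
            TokenEntity entity = asToken(accessToken);
            executionContext.setAccessTokenEntity(entity);
            persist(entity);
            statService.reportAccessToken(getGrantType());
            metricService.incCounter(MetricType.TOKEN_ACCESS_TOKEN_COUNT);
            if (log.isTraceEnabled()) {
                // Logs the raw token value; keep TRACE disabled outside development.
                log.trace("Created plain access token: {}", accessToken.getCode());
            }
            return accessToken;
        } catch (WebApplicationException e) {
            // Must precede the generic catch: WebApplicationException is an Exception and would
            // otherwise be swallowed (and the second catch would not even compile).
            throw e;
        } catch (Exception e) {
            log.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Prepares an (unsigned) JWT representation of an access token.
     *
     * <p>The signature algorithm is the client's {@code access_token_signing_alg} when it names a
     * known algorithm, otherwise the server default. The JWT carries the scope, client_id,
     * username (the user's {@code displayName}), token_type, the opaque token handle as
     * {@code code}, acr, auth_time, exp, iat, sub, {@code x5t#S256} and the audience; with DPoP
     * it also gets {@code nbf} and a {@code cnf.jkt} confirmation claim. If the client asks for
     * it, the introspection script runs and may inject further claims. Signing is left to the
     * caller via the returned signer.
     *
     * @param accessToken      token whose values are copied into the claims
     * @param executionContext request context; initialised from this grant if needed
     * @return a signer holding the prepared JWT
     * @throws Exception propagated from signer construction or claim handling
     */
    public JwtSigner createAccessTokenAsJwt(AccessToken accessToken, ExecutionContext executionContext) throws Exception {
        User user = getUser();
        Client client = getClient();
        executionContext.initFromGrantIfNeeded(this);

        SignatureAlgorithm algorithm = SignatureAlgorithm.fromString(appConfiguration.getDefaultSignatureAlgorithm());
        if (client.getAccessTokenSigningAlg() != null) {
            SignatureAlgorithm clientAlgorithm = SignatureAlgorithm.fromString(client.getAccessTokenSigningAlg());
            if (clientAlgorithm != null) {
                algorithm = clientAlgorithm;
            }
        }

        // The decrypted client secret is handed to the signer (presumably for HMAC algorithms;
        // the signer decides what it needs) — do not let it leak into logs or claims.
        JwtSigner jwtSigner = new JwtSigner(appConfiguration, webKeysConfiguration, algorithm, client.getClientId(), clientService.decryptSecret(client.getClientSecret()));
        Jwt jwt = jwtSigner.newJwt();

        jwt.getClaims().setClaim("scope", Lists.newArrayList(getScopes()));
        jwt.getClaims().setClaim("client_id", getClientId());
        jwt.getClaims().setClaim("username", user != null ? user.getAttribute("displayName") : null);
        jwt.getClaims().setClaim("token_type", accessToken.getTokenType().getName());
        // getCode() is still the opaque handle here; the caller replaces it with the signed JWT.
        jwt.getClaims().setClaim("code", accessToken.getCode());
        jwt.getClaims().setClaim("acr", getAcrValues());
        jwt.getClaims().setClaim("auth_time", ServerUtil.dateToSeconds(getAuthenticationTime()));
        jwt.getClaims().setExpirationTime(accessToken.getExpirationDate());
        jwt.getClaims().setIssuedAt(accessToken.getCreationDate());
        jwt.getClaims().setSubjectIdentifier(getSub());
        jwt.getClaims().setClaim("x5t#S256", accessToken.getX5ts256());

        String dpop = executionContext.getDpop();
        if (StringUtils.isNotBlank(dpop)) {
            // Sender-constrained token: bind it to the DPoP key thumbprint.
            jwt.getClaims().setNotBefore(accessToken.getCreationDate());
            JSONObject confirmation = new JSONObject();
            confirmation.put("jkt", dpop);
            jwt.getClaims().setClaim("cnf", confirmation);
        }

        Audience.setAudience(jwt.getClaims(), getClient());

        if (BooleanUtils.isTrue(client.getAttributes().getRunIntrospectionScriptBeforeJwtCreation())) {
            runIntrospectionScriptAndInjectValuesIntoJwt(jwt, executionContext);
        }
        return jwtSigner;
    }

    /**
     * Runs the external introspection scripts against a fresh JSON object and, when the script
     * context asks for it, transfers the resulting properties into the JWT's claims.
     *
     * @param jwt              JWT to extend in place
     * @param executionContext request context; initialised from this grant if needed
     */
    private void runIntrospectionScriptAndInjectValuesIntoJwt(Jwt jwt, ExecutionContext executionContext) {
        executionContext.initFromGrantIfNeeded(this);
        JSONObject response = new JSONObject();
        ExternalIntrospectionContext context = new ExternalIntrospectionContext(this, executionContext.getHttpRequest(), executionContext.getHttpResponse(), appConfiguration, attributeService);
        context.setAccessTokenAsJwt(jwt);
        if (!externalIntrospectionService.executeExternalModifyResponse(response, context)) {
            return;
        }
        log.trace("Successfully run external introspection scripts.");
        if (context.isTranferIntrospectionPropertiesIntoJwtClaims()) {
            log.trace("Transfering claims into jwt ...");
            JwtUtil.transferIntoJwtClaims(response, jwt);
            log.trace("Transfered.");
        }
    }

    /**
     * Lets the external update-token script modify/veto a refresh token, then persists it.
     *
     * @param refreshToken     token to store
     * @param executionContext request context; initialised from this grant if needed
     * @return the token, or {@code null} when it is already expired, vetoed by the script, or
     *         an exception occurred (logged)
     */
    private RefreshToken saveRefreshToken(RefreshToken refreshToken, ExecutionContext executionContext) {
        try {
            executionContext.initFromGrantIfNeeded(this);
            if (refreshToken.getExpiresIn() <= 0) {
                log.debug("Token expiration date is in the past. Skip refresh_token creation.");
                return null;
            }
            TokenEntity entity = asToken(refreshToken);
            executionContext.setRefreshTokenEntity(entity);
            if (!externalUpdateTokenService.modifyRefreshToken(refreshToken, ExternalUpdateTokenContext.of(executionContext))) {
                log.trace("External script forbids refresh token creation.");
                return null;
            }
            if (executionContext.getScopes().contains("online_access")) {
                entity.getAttributes().setOnlineAccess(true);
            }
            persist(entity);
            statService.reportRefreshToken(getGrantType());
            metricService.incCounter(MetricType.TOKEN_REFRESH_TOKEN_COUNT);
            if (log.isTraceEnabled()) {
                // Logs the raw token value; keep TRACE disabled outside development.
                log.trace("Created refresh token: {}", refreshToken.getCode());
            }
            return refreshToken;
        } catch (Exception e) {
            log.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Creates the refresh token through the supplier and saves it; exceptions thrown by the
     * supplier are logged and yield {@code null}.
     *
     * @param supplier         produces the token to save
     * @param executionContext request context
     * @return the saved token or {@code null}
     */
    private RefreshToken saveRefreshToken(Supplier<RefreshToken> supplier, ExecutionContext executionContext) {
        try {
            return saveRefreshToken(supplier.get(), executionContext);
        } catch (Exception e) {
            log.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Creates a refresh token with the default lifetime and persists it.
     *
     * @param executionContext request context; initialised from this grant if needed
     * @return the token or {@code null} (see {@link #saveRefreshToken(RefreshToken, ExecutionContext)})
     */
    @Override
    public RefreshToken createRefreshToken(ExecutionContext executionContext) {
        executionContext.initFromGrantIfNeeded(this);
        return saveRefreshToken(() -> super.createRefreshToken(executionContext), executionContext);
    }

    /**
     * Creates a refresh token with an explicit lifetime and persists it.
     *
     * @param executionContext request context; initialised from this grant if needed
     * @param i                lifetime passed to the superclass (unit as defined there)
     * @return the token or {@code null} (see {@link #saveRefreshToken(RefreshToken, ExecutionContext)})
     */
    @Override
    public RefreshToken createRefreshToken(ExecutionContext executionContext, int i) {
        executionContext.initFromGrantIfNeeded(this);
        return saveRefreshToken(() -> super.createRefreshToken(executionContext, i), executionContext);
    }

    /**
     * Creates a refresh token with a fixed expiration date, bound to this grant's session and the
     * request's DPoP value, and persists it.
     *
     * @param executionContext request context
     * @param date             expiration date of the new token
     * @return the token or {@code null} (see {@link #saveRefreshToken(RefreshToken, ExecutionContext)})
     */
    public RefreshToken createRefreshToken(ExecutionContext executionContext, Date date) {
        return saveRefreshToken(() -> {
            RefreshToken token = new RefreshToken(HandleTokenFactory.generateHandleToken(), new Date(), date);
            token.setSessionDn(getSessionDn());
            token.setDpop(executionContext.getDpop());
            return token;
        }, executionContext);
    }

    /**
     * Creates an id_token for this grant and persists it (when it has a positive lifetime).
     *
     * <p>The acr values and session DN are read back from the context's grant after the factory
     * ran and copied onto both the entity and this grant. {@link WebApplicationException} is
     * rethrown; any other exception is logged and turns into {@code null}.
     *
     * @param str               nonce to include
     * @param authorizationCode code to bind (may be {@code null})
     * @param accessToken       access token to bind (may be {@code null})
     * @param refreshToken      refresh token to bind (may be {@code null})
     * @param str2              state to include
     * @param executionContext  request context; scopes, claims, nonce and state are set on it
     * @return the id_token, or {@code null} on failure
     */
    @Override
    public IdToken createIdToken(String str, AuthorizationCode authorizationCode, AccessToken accessToken, RefreshToken refreshToken, String str2, ExecutionContext executionContext) {
        try {
            executionContext.initFromGrantIfNeeded(this);
            executionContext.setScopes(getScopes());
            executionContext.setClaimsAsString(getClaims());
            executionContext.setNonce(str);
            executionContext.setState(str2);

            IdToken idToken = createIdTokenInternal(authorizationCode, accessToken, refreshToken, executionContext);

            AuthorizationGrant contextGrant = executionContext.getGrant();
            String acrValues = contextGrant.getAcrValues();
            String sessionDn = contextGrant.getSessionDn();
            if (idToken.getExpiresIn() > 0) {
                TokenEntity entity = asToken(idToken);
                entity.setAuthMode(acrValues);
                entity.setSessionDn(sessionDn);
                persist(entity);
            }
            setAcrValues(acrValues);
            setSessionDn(sessionDn);
            statService.reportIdToken(getGrantType());
            metricService.incCounter(MetricType.TOKEN_ID_TOKEN_COUNT);
            return idToken;
        } catch (WebApplicationException e) {
            // Must precede the generic catch (see createAccessToken).
            throw e;
        } catch (Exception e) {
            log.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Stores a token entity through {@link GrantService}.
     *
     * @param tokenEntity entity to persist
     */
    public void persist(TokenEntity tokenEntity) {
        grantService.persist(tokenEntity);
    }

    /**
     * Converts an authorization code to an entity and stores it.
     *
     * @param authorizationCode code to persist
     */
    public void persist(AuthorizationCode authorizationCode) {
        persist(asToken(authorizationCode));
    }

    /**
     * @param idToken token to convert
     * @return entity of type {@link TokenType#ID_TOKEN}
     */
    public TokenEntity asToken(IdToken idToken) {
        return typedEntity(idToken, TokenType.ID_TOKEN);
    }

    /**
     * @param refreshToken token to convert
     * @return entity of type {@link TokenType#REFRESH_TOKEN}
     */
    public TokenEntity asToken(RefreshToken refreshToken) {
        return typedEntity(refreshToken, TokenType.REFRESH_TOKEN);
    }

    /**
     * @param authorizationCode code to convert
     * @return entity of type {@link TokenType#AUTHORIZATION_CODE}
     */
    public TokenEntity asToken(AuthorizationCode authorizationCode) {
        return typedEntity(authorizationCode, TokenType.AUTHORIZATION_CODE);
    }

    /**
     * @param accessToken token to convert
     * @return entity of type {@link TokenType#ACCESS_TOKEN}
     */
    public TokenEntity asToken(AccessToken accessToken) {
        return typedEntity(accessToken, TokenType.ACCESS_TOKEN);
    }

    /** Builds the generic entity for a token and stamps it with the given token type. */
    private TokenEntity typedEntity(AbstractToken token, TokenType tokenType) {
        TokenEntity entity = asTokenEntity(token);
        entity.setTokenTypeEnum(tokenType);
        return entity;
    }

    /**
     * @return the grant's scopes joined by single spaces, with surrounding whitespace removed
     */
    public String getScopesAsString() {
        return String.join(" ", getScopes()).trim();
    }

    /**
     * Builds the persistence entity for a token.
     *
     * <p>Only the hash of the token value is stored (as the entity's token code and in its DN);
     * the same applies to the authorization code the grant was issued from. Grant, user, client,
     * lifetime, certificate thumbprint and DPoP binding are copied from the token/grant, and the
     * grant-level attributes are applied via {@link #initTokenFromGrant}.
     *
     * @param abstractToken token to convert
     * @return a new entity without a token type (callers set it via {@code asToken(...)})
     */
    public TokenEntity asTokenEntity(AbstractToken abstractToken) {
        TokenEntity entity = new TokenEntity();
        String hashedCode = TokenHashUtil.hash(abstractToken.getCode());
        entity.setDn(grantService.buildDn(hashedCode));
        entity.setGrantId(getGrantId());
        entity.setCreationDate(abstractToken.getCreationDate());
        entity.setExpirationDate(abstractToken.getExpirationDate());
        entity.setTtl(Integer.valueOf(abstractToken.getTtl()));
        entity.setTokenCode(hashedCode);
        entity.setUserId(getUserId());
        entity.setUserDn(getUserDn());
        entity.setClientId(getClientId());
        entity.getAttributes().setX5cs256(abstractToken.getX5ts256());
        entity.getAttributes().setDpopJkt(getDpopJkt());
        entity.setDpop(abstractToken.getDpop());

        AuthorizationGrantType grantType = getAuthorizationGrantType();
        if (grantType != null) {
            entity.setGrantType(grantType.getParamName());
        }
        AuthorizationCode authorizationCode = getAuthorizationCode();
        if (authorizationCode != null) {
            entity.setAuthorizationCode(TokenHashUtil.hash(authorizationCode.getCode()));
        }
        initTokenFromGrant(entity);
        return entity;
    }

    /**
     * Removes every persisted token that shares this grant's id. Does nothing when the grant has
     * no token entity or that entity carries no grant id.
     */
    @Override
    public void revokeAllTokens() {
        TokenEntity tokenEntity = getTokenEntity();
        if (tokenEntity == null || StringUtils.isBlank(tokenEntity.getGrantId())) {
            return;
        }
        grantService.removeAllByGrantId(tokenEntity.getGrantId());
    }

    /** No-op in this implementation; expired tokens are not pruned here. */
    @Override
    public void checkExpiredTokens() {
    }

    /**
     * @return the subject identifier for this grant as computed by {@link SectorIdentifierService}
     */
    @Override
    public String getSub() {
        return sectorIdentifierService.getSub(this);
    }

    /**
     * @return whether {@link #save()} stores the grant in the cache only
     */
    public boolean isCachedWithNoPersistence() {
        return isCachedWithNoPersistence;
    }

    /**
     * @param z {@code true} to make {@link #save()} store the grant in the cache only
     */
    public void setIsCachedWithNoPersistence(boolean z) {
        this.isCachedWithNoPersistence = z;
    }
}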
