package io.jans.as.server.token.ws.rs;

import com.google.common.base.Preconditions;
import io.jans.as.common.model.common.User;
import io.jans.as.common.model.registration.Client;
import io.jans.as.common.model.session.SessionId;
import io.jans.as.common.service.AttributeService;
import io.jans.as.model.common.GrantType;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.token.JsonWebResponse;
import io.jans.as.server.model.audit.OAuth2AuditLog;
import io.jans.as.server.model.common.AccessToken;
import io.jans.as.server.model.common.AuthorizationGrant;
import io.jans.as.server.model.common.AuthorizationGrantList;
import io.jans.as.server.model.common.ExecutionContext;
import io.jans.as.server.model.common.IdToken;
import io.jans.as.server.model.common.RefreshToken;
import io.jans.as.server.model.common.TokenExchangeGrant;
import io.jans.as.server.model.config.Constants;
import io.jans.as.server.model.token.HandleTokenFactory;
import io.jans.as.server.service.SessionIdService;
import io.jans.as.server.service.external.ExternalUpdateTokenService;
import io.jans.as.server.service.external.context.ExternalUpdateTokenContext;
import jakarta.ejb.Stateless;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.servlet.http.HttpServletRequest;
import java.util.List;
import java.util.function.Function;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.BooleanUtils;
import org.json.JSONException;
import org.json.JSONObject;
import org.slf4j.Logger;

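/**
 * Token-exchange support for the token endpoint: validates the subject/actor tokens of an
 * exchange request, issues the resulting tokens, and manages the per-session
 * {@code device_secret} values that bind those exchanges (and refresh requests carrying the
 * {@value #DEVICE_SSO_SCOPE} scope) to a login session.
 *
 * <p>All state lives in the injected collaborators; the class itself is stateless.
 */
@Named
@Stateless
/* loaded from: input_file:io/jans/as/server/token/ws/rs/TokenExchangeService.class */
public class TokenExchangeService {
    /** Name of the token-endpoint request/response parameter carrying the device secret. */
    public static final String DEVICE_SECRET = "device_secret";

    /** Scope value that opts a client into the device-SSO (device secret) flow. */
    public static final String DEVICE_SSO_SCOPE = "device_sso";

    /** {@code issued_token_type} value returned for a successful exchange. */
    private static final String ISSUED_TOKEN_TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token";

    @Inject
    private Logger log;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private SessionIdService sessionIdService;

    @Inject
    private TokenRestWebServiceValidator tokenRestWebServiceValidator;

    @Inject
    private AuthorizationGrantList authorizationGrantList;

    @Inject
    private ExternalUpdateTokenService externalUpdateTokenService;

    @Inject
    private TokenCreatorService tokenCreatorService;

    @Inject
    private AttributeService attributeService;

    /**
     * Rotates the device secret presented with a {@code refresh_token} request.
     *
     * <p>Rotation happens only when the grant's scope contains {@value #DEVICE_SSO_SCOPE} as a
     * whole token, the grant is bound to a session that still exists, and the request carries a
     * non-blank {@code device_secret} parameter. When those hold, rotation is forced regardless
     * of the {@code rotateDeviceSecret} configuration flag. The new secret is written to the
     * session; this method does not return it.
     *
     * @param httpServletRequest token-endpoint request, read for the {@code device_secret} parameter
     * @param authorizationGrant grant being refreshed; its session DN selects the session
     * @param str                space-delimited scope string of the grant
     */
    public void rotateDeviceSecretOnRefreshToken(HttpServletRequest httpServletRequest, AuthorizationGrant authorizationGrant, String str) {
        if (!hasDeviceSsoScope(str) || authorizationGrant == null || StringUtils.isBlank(authorizationGrant.getSessionDn())) {
            return;
        }
        SessionId session = this.sessionIdService.getSessionByDn(authorizationGrant.getSessionDn());
        if (session == null) {
            return;
        }
        String presentedSecret = httpServletRequest.getParameter(DEVICE_SECRET);
        // Only rotate when the client actually presented a secret: rotateDeviceSecret() retires
        // the presented value and adds a fresh one, so calling it with a blank value would merely
        // grow the session's secret list with a secret that is never handed out, while a
        // presented secret would never be retired.
        if (StringUtils.isNotBlank(presentedSecret)) {
            rotateDeviceSecret(session, presentedSecret, true);
        }
    }

    /**
     * Rotates {@code str} within {@code sessionId}, honouring the {@code rotateDeviceSecret}
     * configuration flag.
     *
     * @param sessionId session owning the secret
     * @param str       secret to retire
     * @return the newly generated secret, or {@code null} when rotation is disabled by configuration
     */
    public String rotateDeviceSecret(SessionId sessionId, String str) {
        return rotateDeviceSecret(sessionId, str, false);
    }

    /**
     * Replaces {@code str} in the session's device-secret list with a freshly generated secret and
     * persists the session.
     *
     * <p>Rotation is skipped only when the {@code rotateDeviceSecret} configuration flag is
     * explicitly {@code false} and {@code z} is {@code false}; an unset flag does not block it.
     *
     * @param sessionId session owning the secret
     * @param str       secret to retire; removing it is a no-op if the session does not hold it
     * @param z         when {@code true}, rotate even if the configuration flag is {@code false}
     * @return the new secret, or {@code null} when rotation was skipped
     */
    public String rotateDeviceSecret(SessionId sessionId, String str, boolean z) {
        if (!z && BooleanUtils.isFalse(this.appConfiguration.getRotateDeviceSecret())) {
            return null;
        }
        String newSecret = HandleTokenFactory.generateDeviceSecret();
        // assumes getDeviceSecrets() never returns null (createNewDeviceSecret relies on the same) — TODO confirm
        List<String> deviceSecrets = sessionId.getDeviceSecrets();
        deviceSecrets.remove(str);
        deviceSecrets.add(newSecret);
        this.sessionIdService.updateSessionId(sessionId, false);
        return newSecret;
    }

    /**
     * Handles a token-exchange grant request: validates audience, subject token and actor token,
     * resolves the session bound to the actor token (a device secret), issues access, refresh and,
     * when applicable, ID tokens, rotates the device secret and builds the JSON response.
     *
     * <p>The validators are relied upon to reject invalid input themselves (presumably by
     * raising); only the session null-check is enforced here.
     *
     * @param str              requested scope string, narrowed by the grant's scope policy
     * @param function         pre-processing hook applied when an ID token is issued
     * @param executionContext request context; its grant is set to the new token-exchange grant
     * @return token-endpoint response body
     * @throws NullPointerException if no session matches the actor token and the validator did not already reject the request
     */
    public JSONObject processTokenExchange(String str, Function<JsonWebResponse, Void> function, ExecutionContext executionContext) {
        HttpServletRequest httpRequest = executionContext.getHttpRequest();
        Client client = executionContext.getClient();
        OAuth2AuditLog auditLog = executionContext.getAuditLog();

        String audience = httpRequest.getParameter("audience");
        String subjectToken = httpRequest.getParameter("subject_token");
        String subjectTokenType = httpRequest.getParameter("subject_token_type");
        String actorToken = httpRequest.getParameter("actor_token");
        String actorTokenType = httpRequest.getParameter("actor_token_type");

        // Validation order matters: the actor token is checked before it is used to look up a session.
        this.tokenRestWebServiceValidator.validateAudience(audience, auditLog);
        this.tokenRestWebServiceValidator.validateSubjectTokenType(subjectTokenType, auditLog);
        this.tokenRestWebServiceValidator.validateActorTokenType(actorTokenType, auditLog);
        this.tokenRestWebServiceValidator.validateActorToken(actorToken, auditLog);

        SessionId session = this.sessionIdService.getSessionByDeviceSecret(actorToken);
        this.tokenRestWebServiceValidator.validateSessionForTokenExchange(session, actorToken, auditLog);
        Preconditions.checkNotNull(session);
        this.tokenRestWebServiceValidator.validateSubjectToken(actorToken, subjectToken, session, auditLog);

        TokenExchangeGrant grant = this.authorizationGrantList.createTokenExchangeGrant(new User(), client);
        grant.setSessionDn(session.getDn());
        executionContext.setGrant(grant);

        String grantedScope = grant.checkScopesPolicy(str);
        AccessToken accessToken = grant.createAccessToken(executionContext);
        IdToken idToken = createIdTokenIfRequested(httpRequest, client, grant, function, executionContext);
        RefreshToken refreshToken = this.tokenCreatorService.createRefreshToken(executionContext, grantedScope);
        executionContext.getAuditLog().updateOAuth2AuditLog(grant, true);

        // The actor token is the device secret that located the session: retire it and issue a new one
        // (subject to the rotateDeviceSecret configuration flag).
        String newDeviceSecret = rotateDeviceSecret(session, actorToken);

        return buildResponse(accessToken, refreshToken, grantedScope, idToken, newDeviceSecret);
    }

    /**
     * Issues an ID token for the exchange when the {@code openidScopeBackwardCompatibility} flag is
     * on and the grant carries the {@code openid} scope; returns {@code null} otherwise.
     *
     * <p>As a side effect the ID-token claim policy and the pre/post processors are set on
     * {@code executionContext}.
     */
    private IdToken createIdTokenIfRequested(HttpServletRequest httpRequest, Client client, TokenExchangeGrant grant,
                                             Function<JsonWebResponse, Void> preProcessing, ExecutionContext executionContext) {
        if (!BooleanUtils.isTrue(this.appConfiguration.getOpenidScopeBackwardCompatibility())
                || !grant.getScopes().contains(Constants.OX_AUTH_SCOPE_TYPE_OPENID)) {
            return null;
        }
        boolean includeIdTokenClaims = Boolean.TRUE.equals(this.appConfiguration.getLegacyIdTokenClaims());
        ExternalUpdateTokenContext updateContext = new ExternalUpdateTokenContext(httpRequest, grant, client, this.appConfiguration, this.attributeService);
        executionContext.setIncludeIdTokenClaims(includeIdTokenClaims);
        executionContext.setPreProcessing(preProcessing);
        executionContext.setPostProcessor(this.externalUpdateTokenService.buildModifyIdTokenProcessor(updateContext));
        return grant.createIdToken(null, null, null, null, null, executionContext);
    }

    /**
     * Serialises the issued tokens into the token-endpoint JSON response. The device secret is
     * included only when one was actually issued.
     *
     * <p>A {@link JSONException} is logged and yields a partial object, preserving the endpoint's
     * existing best-effort behaviour.
     */
    private JSONObject buildResponse(AccessToken accessToken, RefreshToken refreshToken, String grantedScope,
                                     IdToken idToken, String newDeviceSecret) {
        JSONObject response = new JSONObject();
        try {
            TokenRestWebServiceImpl.fillJsonObject(response, accessToken, accessToken.getTokenType(),
                    Integer.valueOf(accessToken.getExpiresIn()), refreshToken, grantedScope, idToken);
            response.put("issued_token_type", ISSUED_TOKEN_TYPE_ACCESS_TOKEN);
            if (StringUtils.isNotBlank(newDeviceSecret)) {
                response.put(DEVICE_SECRET, newDeviceSecret);
            }
        } catch (JSONException e) {
            this.log.error(e.getMessage(), e);
        }
        return response;
    }

    /**
     * Mints a new device secret for the session identified by {@code str} when the request asked
     * for the {@value #DEVICE_SSO_SCOPE} scope and the client is allowed to use the token-exchange
     * grant. The secret is appended to the session's secret list and the session is persisted.
     *
     * @param str    DN of the session the secret binds to
     * @param client requesting client; must have {@link GrantType#TOKEN_EXCHANGE} enabled
     * @param str2   space-delimited scope string of the request
     * @return the new secret, or {@code null} when a precondition fails or persistence fails
     */
    public String createNewDeviceSecret(String str, Client client, String str2) {
        if (!hasDeviceSsoScope(str2)) {
            this.log.debug("Skip device secret. No device_sso scope.");
            return null;
        }
        if (client == null || !ArrayUtils.contains(client.getGrantTypes(), GrantType.TOKEN_EXCHANGE)) {
            this.log.debug("Skip device secret. Scope has {} value but client does not have Token Exchange Grant Type enabled ('urn:ietf:params:oauth:grant-type:token-exchange')", DEVICE_SSO_SCOPE);
            return null;
        }
        try {
            SessionId session = this.sessionIdService.getSessionByDn(str);
            if (session == null) {
                this.log.debug("Unable to find session by dn: {}", str);
                return null;
            }
            String newSecret = HandleTokenFactory.generateDeviceSecret();
            session.getDeviceSecrets().add(newSecret);
            this.sessionIdService.updateSessionId(session, false);
            return newSecret;
        } catch (Exception e) {
            // Best effort: failing to mint a secret only leaves the response without device SSO.
            this.log.error("Failed to generate device_secret", e);
            return null;
        }
    }

    /**
     * Whether the space-delimited scope string contains {@value #DEVICE_SSO_SCOPE} as a whole
     * token. A plain substring match would also accept unrelated scopes that merely embed the
     * text, so the string is tokenised first. Blank or {@code null} input yields {@code false}.
     */
    private static boolean hasDeviceSsoScope(String scope) {
        if (StringUtils.isBlank(scope)) {
            return false;
        }
        return ArrayUtils.contains(StringUtils.split(scope), DEVICE_SSO_SCOPE);
    }
}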
