package io.jans.as.server.token.ws.rs;

import com.google.common.base.Strings;
import io.jans.as.common.model.common.User;
import io.jans.as.common.model.registration.Client;
import io.jans.as.common.service.AttributeService;
import io.jans.as.model.common.GrantType;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.token.TokenErrorResponseType;
import io.jans.as.server.model.common.AbstractAuthorizationGrant;
import io.jans.as.server.model.common.AuthorizationGrant;
import io.jans.as.server.model.common.ExecutionContext;
import io.jans.as.server.model.common.RefreshToken;
import io.jans.as.server.service.external.ExternalUpdateTokenService;
import io.jans.as.server.service.external.context.ExternalUpdateTokenContext;
import io.jans.model.GluuStatus;
import jakarta.ejb.Stateless;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.util.Arrays;
import org.apache.commons.lang.BooleanUtils;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;

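/**
 * Decides whether a refresh token may be issued for an authorization grant and,
 * if so, creates it.
 *
 * <p>Issuance is gated by three things visible in this class: the client's configured
 * grant types, the optional {@code offline_access} requirement, and the optional
 * check that the grant's user still exists and is not inactive.
 */
@Named
@Stateless
/* loaded from: input_file:io/jans/as/server/token/ws/rs/TokenCreatorService.class */
public class TokenCreatorService {

    /** Scope value that satisfies the offline-access requirement for refresh tokens. */
    private static final String OFFLINE_ACCESS_SCOPE = "offline_access";

    /** Description logged and returned to the caller when the grant's user is missing or inactive. */
    private static final String USER_NOT_FOUND_OR_INACTIVE =
            "The user associated with this grant is not found or otherwise with status=inactive.";

    @Inject
    private Logger log;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private ExternalUpdateTokenService externalUpdateTokenService;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private AttributeService attributeService;

    /**
     * Tells whether a refresh token may be issued to {@code client} for the given grant.
     *
     * <p>When {@code forceOfflineAccessScopeToEnableRefreshToken} is enabled, either the
     * grant's scopes or the scope string {@code str} must carry {@code offline_access}.
     * In every case the client must list {@link GrantType#REFRESH_TOKEN} among its grant types.
     *
     * @param client the client asking for the token
     * @param str scope string to inspect in addition to the grant's scopes; may be {@code null}
     * @param abstractAuthorizationGrant the grant whose scopes are inspected
     * @return {@code true} only when every condition above holds
     */
    public boolean isRefreshTokenAllowed(Client client, String str, AbstractAuthorizationGrant abstractAuthorizationGrant) {
        boolean offlineAccessRequired =
                BooleanUtils.isTrue(this.appConfiguration.getForceOfflineAccessScopeToEnableRefreshToken());

        // NOTE(review): the check on `str` is a substring match on the raw string, so any value
        // that merely contains "offline_access" satisfies it, and it is evaluated independently
        // of the grant's own scopes. `str` looks like the requested scope parameter; confirm
        // that callers have already validated it against the scopes the client may use.
        if (offlineAccessRequired
                && !abstractAuthorizationGrant.getScopes().contains(OFFLINE_ACCESS_SCOPE)
                && !Strings.nullToEmpty(str).contains(OFFLINE_ACCESS_SCOPE)) {
            return false;
        }

        // Fail closed: a client with no grant types configured is refused here instead of
        // surfacing a NullPointerException from Arrays.asList.
        GrantType[] grantTypes = client.getGrantTypes();
        return grantTypes != null && Arrays.asList(grantTypes).contains(GrantType.REFRESH_TOKEN);
    }

    /**
     * Creates a refresh token for the grant carried by {@code executionContext}.
     *
     * @param executionContext supplies the grant, the client and the HTTP request
     * @param str scope string forwarded to {@link #isRefreshTokenAllowed}
     * @return the new refresh token, or {@code null} when the client is not allowed one
     * @throws WebApplicationException with status 400 and {@code invalid_grant} when the
     *     user-presence check is active and the grant's user is missing or inactive
     */
    @Nullable
    public RefreshToken createRefreshToken(@NotNull ExecutionContext executionContext, @NotNull String str) {
        AuthorizationGrant grant = executionContext.getGrant();
        if (!isRefreshTokenAllowed(executionContext.getClient(), str, grant)) {
            return null;
        }

        // The user is verified before any token material is produced.
        checkUser(grant);

        ExternalUpdateTokenContext externalUpdateTokenContext = new ExternalUpdateTokenContext(
                executionContext.getHttpRequest(), grant, executionContext.getClient(),
                this.appConfiguration, this.attributeService);
        externalUpdateTokenContext.setExecutionContext(executionContext);

        // A positive value from the external update-token service is used as the lifetime;
        // zero or a negative value falls back to the grant's own createRefreshToken overload.
        int refreshTokenLifetimeInSeconds =
                this.externalUpdateTokenService.getRefreshTokenLifetimeInSeconds(externalUpdateTokenContext);
        if (refreshTokenLifetimeInSeconds > 0) {
            return grant.createRefreshToken(executionContext, refreshTokenLifetimeInSeconds);
        }
        return grant.createRefreshToken(executionContext);
    }

    /**
     * Rejects the request when the grant's user is missing or inactive.
     *
     * <p>The check is skipped only when {@code checkUserPresenceOnRefreshToken} is explicitly
     * {@code false}; {@code BooleanUtils.isFalse(null)} is {@code false}, so an unset value
     * leaves the check enabled.
     *
     * @param authorizationGrant the grant whose user is inspected
     * @throws WebApplicationException with status 400 and {@code invalid_grant} on failure
     */
    private void checkUser(AuthorizationGrant authorizationGrant) {
        if (BooleanUtils.isFalse(this.appConfiguration.getCheckUserPresenceOnRefreshToken())) {
            return;
        }
        User user = authorizationGrant.getUser();
        if (user == null || GluuStatus.INACTIVE == user.getStatus()) {
            this.log.trace(USER_NOT_FOUND_OR_INACTIVE);
            throw new WebApplicationException(
                    error(400, TokenErrorResponseType.INVALID_GRANT, USER_NOT_FOUND_OR_INACTIVE).build());
        }
    }

    /**
     * Builds a JSON error response for the token endpoint.
     *
     * @param i HTTP status code of the response
     * @param tokenErrorResponseType error code placed in the JSON body
     * @param str reason passed to the error response factory
     * @return a response builder with the status, JSON media type and error entity set
     */
    public Response.ResponseBuilder error(int i, TokenErrorResponseType tokenErrorResponseType, String str) {
        return Response.status(i)
                .type(MediaType.APPLICATION_JSON_TYPE)
                .entity(this.errorResponseFactory.errorAsJson(tokenErrorResponseType, str));
    }
}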
