package org.cloudfoundry.identity.uaa.oauth.token;

import java.net.URI;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.audit.event.TokenIssuedEvent;
import org.cloudfoundry.identity.uaa.authentication.Origin;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.client.ClientConstants;
import org.cloudfoundry.identity.uaa.oauth.Claims;
import org.cloudfoundry.identity.uaa.oauth.approval.Approval;
import org.cloudfoundry.identity.uaa.oauth.approval.ApprovalStore;
import org.cloudfoundry.identity.uaa.user.UaaAuthority;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.user.UaaUserDatabase;
import org.cloudfoundry.identity.uaa.util.UaaTokenUtils;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.codehaus.jackson.map.ObjectMapper;
import org.codehaus.jackson.type.TypeReference;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.jwt.JwtHelper;
import org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException;
import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken;
import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;
import org.springframework.security.oauth2.common.ExpiringOAuth2RefreshToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.NoSuchClientException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-common-2.2.5.jar:org/cloudfoundry/identity/uaa/oauth/token/UaaTokenServices.class */
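/**
 * Token services for the UAA authorization and resource server roles.
 *
 * <p>Access and refresh tokens are JSON claim sets signed via the configured {@link SignerProvider}
 * and encoded with {@link JwtHelper}. Every read path first verifies the signature and, when an
 * issuer is configured, the {@code iss} claim, before any claim value is trusted. Refresh and
 * read paths additionally reject tokens issued before the user record was last modified and
 * re-check that every scope is still approved (or auto-approved by the client).
 *
 * <p>Configuration is injected through the setters; {@link #afterPropertiesSet()} validates the
 * mandatory collaborators.
 */
public class UaaTokenServices implements AuthorizationServerTokenServices, ResourceServerTokenServices, InitializingBean, ApplicationEventPublisherAware {

    /** Default refresh-token lifetime in seconds (30 days), used when the client declares none. */
    private int refreshTokenValiditySeconds = 2592000;
    /** Default access-token lifetime in seconds (12 hours), used when the client declares none. */
    private int accessTokenValiditySeconds = 43200;
    private final Log logger = LogFactory.getLog(getClass());
    private UaaUserDatabase userDatabase = null;
    private ObjectMapper mapper = new ObjectMapper();
    private ClientDetailsService clientDetailsService = null;
    private SignerProvider signerProvider = new SignerProvider();
    /** Base issuer URL; its host is captured in {@link #afterPropertiesSet()} and prefixed with the zone subdomain. */
    private String issuer = null;
    /** Not read anywhere in this class; retained for compatibility with the original layout. */
    private String tokenEndpoint = null;
    /** Authorities granted to a bearer that carries no {@code authorities} claim and no user. */
    private Set<String> defaultUserAuthorities = new HashSet<String>();
    private ApprovalStore approvalStore = null;
    private ApplicationEventPublisher applicationEventPublisher;
    /** Host component of {@link #issuer}, derived once in {@link #afterPropertiesSet()}. */
    private String host;

    @Override
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.applicationEventPublisher = applicationEventPublisher;
    }

    /**
     * Issues a new access token from a refresh token.
     *
     * <p>Checks, in order: the token is present; the grant type is {@code refresh_token}; the
     * {@code cid} claim matches the requesting client; the user has not been modified since the
     * refresh token was issued; the token has not expired; the requested scopes (defaulting to the
     * token's own scopes) are a subset of the token's scopes; and every requested scope is still
     * approved or auto-approved.
     *
     * @param refreshTokenValue the signed refresh-token JWT presented by the client
     * @param tokenRequest the token request carrying client id, grant type and optional scope
     * @return the new access token, which references the same refresh token
     * @throws InvalidTokenException for a missing, expired, stale or unapproved refresh token
     * @throws InvalidGrantException for a wrong grant type or a client mismatch
     * @throws InvalidScopeException when the requested scopes are not a subset of the token's scopes
     */
    @Override
    public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, TokenRequest tokenRequest) throws AuthenticationException {
        if (refreshTokenValue == null) {
            throw new InvalidTokenException("Invalid refresh token (empty token)");
        }
        String grantType = tokenRequest.getRequestParameters().get("grant_type");
        if (!OAuth2AccessToken.REFRESH_TOKEN.equals(grantType)) {
            throw new InvalidGrantException("Invalid grant type: " + grantType);
        }
        Map<String, Object> claims = getClaimsForToken(refreshTokenValue);
        String clientId = (String) claims.get(Claims.CID);
        if (clientId == null || !clientId.equals(tokenRequest.getClientId())) {
            // NOTE(review): this and the messages below echo the presented token, which then
            // surfaces in logs and error responses.
            throw new InvalidGrantException("Wrong client for this refresh token: " + refreshTokenValue);
        }
        String userId = (String) claims.get(Claims.USER_ID);
        UaaUser user = userDatabase.retrieveUserById(userId);
        Date issuedAt = secondsClaimToDate(claims, Claims.IAT);
        // A user record changed after issuance (e.g. a password change) invalidates the token.
        if (user.getModified().after(issuedAt)) {
            logger.debug("User was last modified at " + user.getModified() + " refresh token was issued at " + issuedAt);
            throw new InvalidTokenException("Invalid refresh token (password changed): " + refreshTokenValue);
        }
        Date expiresAt = secondsClaimToDate(claims, "exp");
        if (expiresAt.before(new Date())) {
            throw new InvalidTokenException("Invalid refresh token (expired): " + refreshTokenValue + " expired at " + expiresAt);
        }
        List<String> grantedScopes = stringListClaim(claims, "scope");
        Set<String> requestedScopes = tokenRequest.getScope();
        if (requestedScopes.isEmpty()) {
            requestedScopes = new HashSet<String>(grantedScopes);
        }
        // Scopes may only be narrowed, never widened, relative to the refresh token.
        if (grantedScopes.isEmpty() || !grantedScopes.containsAll(requestedScopes)) {
            throw new InvalidScopeException("Unable to narrow the scope of the client authentication to " + requestedScopes + ".", new HashSet<String>(grantedScopes));
        }
        ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
        Object grantTypeClaim = claims.get("grant_type");
        String originalGrantType = grantTypeClaim == null ? null : grantTypeClaim.toString();
        checkForApproval(userId, clientId, requestedScopes, getAutoApprovedScopes(originalGrantType, grantedScopes, client), issuedAt);
        Set<String> audience = new HashSet<String>(stringListClaim(claims, "aud"));
        @SuppressWarnings("unchecked")
        Map<String, String> azAttributes = (Map<String, String>) claims.get(Claims.ADDITIONAL_AZ_ATTR);
        return createAccessToken(user.getId(), user.getUsername(), user.getEmail(), accessTokenValidityFor(client),
                null, requestedScopes, clientId, audience, originalGrantType, refreshTokenValue, azAttributes,
                new HashSet<String>());
    }

    /**
     * Verifies that every requested scope is either auto-approved or covered by a currently
     * active, approved {@link Approval} that was not updated after the token was issued.
     *
     * @param userId the user whose approvals are consulted
     * @param clientId the client the approvals were granted to
     * @param requestedScopes scopes that must all be approved
     * @param autoApprovedScopes scopes that need no stored approval
     * @param tokenIssuedAt issue time of the token being validated
     * @throws InvalidTokenException when an approval expired, was updated after issuance, or a scope lacks approval
     */
    private void checkForApproval(String userId, String clientId, Collection<String> requestedScopes,
            Collection<String> autoApprovedScopes, Date tokenIssuedAt) {
        Set<String> approvedScopes = new HashSet<String>(autoApprovedScopes);
        for (Approval approval : approvalStore.getApprovals(userId, clientId)) {
            if (!requestedScopes.contains(approval.getScope()) || approval.getStatus() != Approval.ApprovalStatus.APPROVED) {
                continue;
            }
            if (!approval.isCurrentlyActive()) {
                logger.debug("Approval " + approval + " has expired. Need to re-approve.");
                throw new InvalidTokenException("Invalid token (approvals expired)");
            }
            // An approval changed after issuance means the token no longer reflects the user's consent.
            if (tokenIssuedAt.before(approval.getLastUpdatedAt())) {
                logger.debug("At least one approval " + approval + " was updated more recently at " + approval.getLastUpdatedAt() + " access token was issued at " + tokenIssuedAt);
                throw new InvalidTokenException("Invalid token (approvals updated): " + approval.getLastUpdatedAt());
            }
            approvedScopes.add(approval.getScope());
        }
        if (!approvedScopes.containsAll(requestedScopes)) {
            logger.debug("All requested scopes " + requestedScopes + " were not approved " + approvedScopes);
            Set<String> unapproved = new HashSet<String>(requestedScopes);
            unapproved.removeAll(approvedScopes);
            throw new InvalidTokenException("Invalid token (some requested scopes are not approved): " + unapproved);
        }
    }

    /**
     * Builds, signs and publishes an access token.
     *
     * @param userId subject of the token (client id for client-only authentications)
     * @param username user name claim, or {@code null} for client-only tokens
     * @param userEmail email claim, or {@code null} when unknown
     * @param validitySeconds lifetime in seconds; non-positive means no expiration
     * @param clientAuthorities authorities claim for client-only tokens, else {@code null}
     * @param requestedScopes granted scopes; must be non-empty
     * @param clientId the client the token is issued to
     * @param resourceIds audience of the token
     * @param grantType grant type that produced the token, may be {@code null}
     * @param refreshToken refresh-token value to attach, may be {@code null}
     * @param additionalAuthorizationAttributes extra {@code az_attr} claim, may be {@code null}
     * @param responseTypes response types of the originating request, used for id-token population
     * @return the signed token
     * @throws InvalidTokenException when no scopes were granted
     * @throws IllegalStateException when the claims cannot be serialised to JSON
     */
    private OAuth2AccessToken createAccessToken(String userId, String username, String userEmail, int validitySeconds,
            Collection<GrantedAuthority> clientAuthorities, Set<String> requestedScopes, String clientId,
            Set<String> resourceIds, String grantType, String refreshToken,
            Map<String, String> additionalAuthorizationAttributes, Set<String> responseTypes) throws AuthenticationException {
        OpenIdToken accessToken = new OpenIdToken(UUID.randomUUID().toString());
        if (validitySeconds > 0) {
            // 1000L: int arithmetic overflows for lifetimes above ~24.8 days
            accessToken.setExpiration(new Date(System.currentTimeMillis() + validitySeconds * 1000L));
        }
        accessToken.setRefreshToken(refreshToken == null ? null : new DefaultOAuth2RefreshToken(refreshToken));
        if (requestedScopes == null || requestedScopes.isEmpty()) {
            logger.debug("No scopes were granted");
            throw new InvalidTokenException("No scopes were granted");
        }
        accessToken.setScope(requestedScopes);
        Map<String, Object> additionalInformation = new HashMap<String, Object>();
        additionalInformation.put("jti", accessToken.getValue());
        if (additionalAuthorizationAttributes != null) {
            additionalInformation.put(Claims.ADDITIONAL_AZ_ATTR, additionalAuthorizationAttributes);
        }
        accessToken.setAdditionalInformation(additionalInformation);
        try {
            String claimsJson = mapper.writeValueAsString(createJWTAccessToken(accessToken, userId, username, userEmail,
                    clientAuthorities, requestedScopes, clientId, resourceIds, grantType, refreshToken));
            accessToken.setValue(JwtHelper.encode(claimsJson, signerProvider.getSigner()).getEncoded());
        } catch (Exception e) {
            throw new IllegalStateException("Cannot convert access token to JSON", e);
        }
        // Kept outside the JSON try-block so listener failures are not reported as serialisation errors.
        populateIdToken(accessToken, requestedScopes, responseTypes);
        publish(new TokenIssuedEvent(accessToken, SecurityContextHolder.getContext().getAuthentication()));
        return accessToken;
    }

    /**
     * Copies the access-token value into the id-token slot when {@code openid} was granted and
     * {@code id_token} was among the requested response types.
     */
    private void populateIdToken(OpenIdToken token, Set<String> grantedScopes, Set<String> responseTypes) {
        if (grantedScopes.contains("openid") && responseTypes.contains(OpenIdToken.ID_TOKEN)) {
            token.setIdTokenValue(token.getValue());
        }
    }

    /**
     * Assembles the claim set of an access token. Insertion order is preserved so the encoded
     * JSON is stable. User claims ({@code user_id}, {@code user_name}, {@code email}) are omitted
     * for the {@code client_credentials} grant; {@code iss} and {@code zid} are only written when
     * a token endpoint is configured.
     */
    private Map<String, ?> createJWTAccessToken(OAuth2AccessToken token, String userId, String username, String userEmail,
            Collection<GrantedAuthority> clientAuthorities, Set<String> requestedScopes, String clientId,
            Set<String> resourceIds, String grantType, String refreshToken) {
        Map<String, Object> claims = new LinkedHashMap<String, Object>();
        claims.put("jti", token.getAdditionalInformation().get("jti"));
        claims.putAll(token.getAdditionalInformation());
        claims.put(Claims.SUB, userId);
        if (clientAuthorities != null) {
            claims.put("authorities", AuthorityUtils.authorityListToSet(clientAuthorities));
        }
        claims.put("scope", requestedScopes);
        claims.put("client_id", clientId);
        claims.put(Claims.CID, clientId);
        claims.put(Claims.AZP, clientId);
        if (grantType != null) {
            claims.put("grant_type", grantType);
        }
        if (!"client_credentials".equals(grantType)) {
            claims.put(Claims.USER_ID, userId);
            claims.put("user_name", username == null ? userId : username);
            if (userEmail != null) {
                claims.put(Claims.EMAIL, userEmail);
            }
        }
        claims.put(Claims.IAT, Long.valueOf(System.currentTimeMillis() / 1000));
        if (token.getExpiration() != null) {
            claims.put("exp", Long.valueOf(token.getExpiration().getTime() / 1000));
        }
        String tokenEndpointUrl = getTokenEndpoint();
        if (tokenEndpointUrl != null) {
            claims.put(Claims.ISS, tokenEndpointUrl);
            claims.put(Claims.ZONE_ID, IdentityZoneHolder.get().getId());
        }
        claims.put("aud", resourceIds);
        return claims;
    }

    /**
     * Creates an access token (and, for grants that support it, a refresh token) for an
     * authenticated request. Client-only authentications carry the client's authorities instead
     * of user claims. Scopes listed in the {@code external_scopes} request parameter are added to
     * the granted scopes.
     *
     * @param authentication the authorized request plus (optional) user authentication
     * @return the signed access token
     */
    @Override
    public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication) throws AuthenticationException {
        ExpiringOAuth2RefreshToken refreshToken = createRefreshToken(authentication);
        OAuth2Request request = authentication.getOAuth2Request();
        String subjectId;
        String username = null;
        String userEmail = null;
        Collection<GrantedAuthority> clientAuthorities = null;
        if (authentication.isClientOnly()) {
            ClientDetails client = clientDetailsService.loadClientByClientId(authentication.getName());
            subjectId = client.getClientId();
            clientAuthorities = client.getAuthorities();
        } else {
            subjectId = getUserId(authentication);
            UaaUser user = userDatabase.retrieveUserById(subjectId);
            username = user.getUsername();
            userEmail = user.getEmail();
        }
        String clientId = request.getClientId();
        Map<String, String> params = request.getRequestParameters();
        Set<String> grantedScopes = new LinkedHashSet<String>(request.getScope());
        String externalScopes = params.get("external_scopes");
        if (StringUtils.hasLength(externalScopes)) {
            grantedScopes.addAll(OAuth2Utils.parseParameterList(externalScopes));
        }
        Map<String, String> azAttributes = getAdditionalAuthorizationAttributes(params.get("authorities"));
        ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
        return createAccessToken(subjectId, username, userEmail, accessTokenValidityFor(client), clientAuthorities,
                grantedScopes, clientId, request.getResourceIds(), params.get("grant_type"),
                refreshToken == null ? null : refreshToken.getValue(), azAttributes,
                extractResponseTypes(authentication));
    }

    /**
     * Returns the request's response types; when the single recorded type is {@code code} the
     * raw {@code response_type} parameter is re-parsed so additional types (e.g. id_token)
     * requested alongside the code are visible.
     */
    protected Set<String> extractResponseTypes(OAuth2Authentication authentication) {
        Set<String> responseTypes = authentication.getOAuth2Request().getResponseTypes();
        if (responseTypes == null || responseTypes.size() != 1) {
            return responseTypes;
        }
        String recordedType = responseTypes.iterator().next();
        String rawParameter = authentication.getOAuth2Request().getRequestParameters().get(OAuth2Utils.RESPONSE_TYPE);
        if ("code".equals(recordedType) && rawParameter != null) {
            return OAuth2Utils.parseParameterList(rawParameter);
        }
        return responseTypes;
    }

    /**
     * Extracts the {@code az_attr} map from the JSON {@code authorities} request parameter.
     *
     * @return the attribute map, or {@code null} when the parameter is absent or unreadable
     */
    @SuppressWarnings("unchecked")
    private Map<String, String> getAdditionalAuthorizationAttributes(String authoritiesJson) {
        if (!StringUtils.hasLength(authoritiesJson)) {
            return null;
        }
        try {
            // Parse the String directly rather than its platform-charset bytes.
            Map<String, Object> parsed = mapper.readValue(authoritiesJson, Map.class);
            return (Map<String, String>) parsed.get(Claims.ADDITIONAL_AZ_ATTR);
        } catch (Exception e) {
            // Best effort: a malformed parameter yields no extra attributes rather than a failure.
            logger.error("Unable to read additionalAuthorizationAttributes", e);
            return null;
        }
    }

    /**
     * Creates a signed refresh token, or {@code null} when the grant type does not support one.
     *
     * @throws IllegalStateException when the claims cannot be serialised to JSON
     */
    private ExpiringOAuth2RefreshToken createRefreshToken(OAuth2Authentication authentication) {
        OAuth2Request request = authentication.getOAuth2Request();
        String grantType = request.getRequestParameters().get("grant_type");
        if (!isRefreshTokenSupported(grantType)) {
            return null;
        }
        Map<String, String> azAttributes = getAdditionalAuthorizationAttributes(request.getRequestParameters().get("authorities"));
        // long arithmetic: the default lifetime (2592000 s) times 1000 exceeds Integer.MAX_VALUE
        long validityMillis = getRefreshTokenValiditySeconds(request) * 1000L;
        DefaultExpiringOAuth2RefreshToken opaqueToken = new DefaultExpiringOAuth2RefreshToken(
                UUID.randomUUID().toString(), new Date(System.currentTimeMillis() + validityMillis));
        UaaUser user = userDatabase.retrieveUserById(getUserId(authentication));
        Map<String, ?> claims = createJWTRefreshToken(opaqueToken, user, request.getScope(), request.getClientId(),
                grantType, azAttributes, request.getResourceIds());
        try {
            String claimsJson = mapper.writeValueAsString(claims);
            return new DefaultExpiringOAuth2RefreshToken(
                    JwtHelper.encode(claimsJson, signerProvider.getSigner()).getEncoded(), opaqueToken.getExpiration());
        } catch (Exception e) {
            throw new IllegalStateException("Cannot convert refresh token to JSON", e);
        }
    }

    /** Resolves the user id of the authenticated principal. */
    protected String getUserId(OAuth2Authentication authentication) {
        return Origin.getUserId(authentication.getUserAuthentication());
    }

    /**
     * Assembles the claim set of a refresh token. Like the access-token claims, user claims are
     * omitted for {@code client_credentials} and {@code iss}/{@code zid} depend on a configured
     * token endpoint.
     */
    private Map<String, ?> createJWTRefreshToken(OAuth2RefreshToken refreshToken, UaaUser user, Set<String> scopes,
            String clientId, String grantType, Map<String, String> additionalAuthorizationAttributes, Set<String> resourceIds) {
        Map<String, Object> claims = new LinkedHashMap<String, Object>();
        claims.put("jti", UUID.randomUUID().toString());
        claims.put(Claims.SUB, user.getId());
        claims.put("scope", scopes);
        if (additionalAuthorizationAttributes != null) {
            claims.put(Claims.ADDITIONAL_AZ_ATTR, additionalAuthorizationAttributes);
        }
        claims.put(Claims.IAT, Long.valueOf(System.currentTimeMillis() / 1000));
        Date expiration = ((ExpiringOAuth2RefreshToken) refreshToken).getExpiration();
        if (expiration != null) {
            claims.put("exp", Long.valueOf(expiration.getTime() / 1000));
        }
        claims.put(Claims.CID, clientId);
        String tokenEndpointUrl = getTokenEndpoint();
        if (tokenEndpointUrl != null) {
            claims.put(Claims.ISS, tokenEndpointUrl);
            claims.put(Claims.ZONE_ID, IdentityZoneHolder.get().getId());
        }
        if (grantType != null) {
            claims.put("grant_type", grantType);
        }
        if (!"client_credentials".equals(grantType)) {
            claims.put("user_name", user.getUsername());
            claims.put(Claims.USER_ID, user.getId());
        }
        claims.put("aud", resourceIds);
        return claims;
    }

    /** Only the authorization-code, password and refresh-token grants yield a refresh token. */
    protected boolean isRefreshTokenSupported(String grantType) {
        return "authorization_code".equals(grantType)
                || "password".equals(grantType)
                || OAuth2AccessToken.REFRESH_TOKEN.equals(grantType);
    }

    /** Client-configured refresh-token lifetime, falling back to {@link #refreshTokenValiditySeconds}. */
    protected int getRefreshTokenValiditySeconds(OAuth2Request request) {
        Integer clientValidity = clientDetailsService.loadClientByClientId(request.getClientId()).getRefreshTokenValiditySeconds();
        return clientValidity != null ? clientValidity.intValue() : refreshTokenValiditySeconds;
    }

    /** Client-configured access-token lifetime, falling back to {@link #accessTokenValiditySeconds}. */
    private int accessTokenValidityFor(ClientDetails client) {
        Integer clientValidity = client.getAccessTokenValiditySeconds();
        return clientValidity != null ? clientValidity.intValue() : accessTokenValiditySeconds;
    }

    /**
     * Validates the mandatory collaborators and caches the issuer host.
     *
     * @throws IllegalArgumentException when clientDetailsService, issuer or approvalStore is unset
     * @throws java.net.URISyntaxException when the issuer is not a valid URI
     */
    @Override
    public void afterPropertiesSet() throws Exception {
        Assert.notNull(clientDetailsService, "clientDetailsService must be set");
        Assert.notNull(issuer, "issuer must be set");
        Assert.notNull(approvalStore, "approvalStore must be set");
        host = new URI(issuer).getHost();
    }

    public void setUserDatabase(UaaUserDatabase userDatabase) {
        this.userDatabase = userDatabase;
    }

    /**
     * Rejects tokens whose client can no longer be resolved; a {@code null} id is skipped.
     *
     * @throws OAuth2AccessDeniedException when the client lookup fails
     */
    private void validateClient(String clientId) throws AuthenticationException {
        if (clientId == null) {
            return;
        }
        try {
            clientDetailsService.loadClientByClientId(clientId);
        } catch (InvalidClientException e) {
            throw new OAuth2AccessDeniedException("Invalid client:" + clientId);
        } catch (ClientRegistrationException e) {
            // covers NoSuchClientException as well
            throw new OAuth2AccessDeniedException("Invalid client:" + clientId);
        }
    }

    /**
     * Reconstructs the authentication represented by an access token for resource-server use.
     *
     * <p>The signature and issuer are verified by {@link #getClaimsForToken(String)}; expiry and the
     * existence of both {@code client_id} and {@code cid} clients are checked here. Tokens with an
     * {@code email} claim produce a user authentication; otherwise the {@code authorities} claim
     * (or {@link #defaultUserAuthorities}) becomes the client's authorities.
     *
     * @param accessTokenValue the signed access-token JWT
     * @return an authenticated {@link OAuth2Authentication}
     * @throws InvalidTokenException for an undecodable, wrong-issuer or expired token
     * @throws OAuth2AccessDeniedException when a referenced client does not exist
     */
    @Override
    public OAuth2Authentication loadAuthentication(String accessTokenValue) throws AuthenticationException {
        Map<String, Object> claims = getClaimsForToken(accessTokenValue);
        Number exp = (Number) claims.get("exp");
        if (exp != null) {
            Date expiresAt = new Date(exp.longValue() * 1000L);
            if (expiresAt.before(new Date())) {
                throw new InvalidTokenException("Invalid access token (expired): " + accessTokenValue + " expired at " + expiresAt);
            }
        }
        validateClient((String) claims.get("client_id"));
        validateClient((String) claims.get(Claims.CID));
        AuthorizationRequest authorizationRequest = new AuthorizationRequest((String) claims.get("client_id"), stringListClaim(claims, "scope"));
        authorizationRequest.setResourceIds(Collections.unmodifiableSet(new HashSet<String>(stringListClaim(claims, "aud"))));
        authorizationRequest.setApproved(true);
        List<GrantedAuthority> authorities = AuthorityUtils.commaSeparatedStringToAuthorityList(
                StringUtils.collectionToCommaDelimitedString(defaultUserAuthorities));
        Object authoritiesClaim = claims.get("authorities");
        if (authoritiesClaim instanceof String) {
            authorities = AuthorityUtils.commaSeparatedStringToAuthorityList((String) authoritiesClaim);
        } else if (authoritiesClaim instanceof Collection) {
            authorities = AuthorityUtils.commaSeparatedStringToAuthorityList(
                    StringUtils.collectionToCommaDelimitedString((Collection<?>) authoritiesClaim));
        }
        UaaAuthentication userAuthentication = null;
        if (claims.containsKey(Claims.EMAIL)) {
            UaaUser user = new UaaUser((String) claims.get(Claims.USER_ID), (String) claims.get("user_name"), null,
                    (String) claims.get(Claims.EMAIL), UaaAuthority.USER_AUTHORITIES, null, null, null, null, null, null,
                    false, IdentityZoneHolder.get().getId());
            userAuthentication = new UaaAuthentication(new UaaPrincipal(user), UaaAuthority.USER_AUTHORITIES, null);
        } else {
            authorizationRequest.setAuthorities(authorities);
        }
        OAuth2Authentication result = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication);
        result.setAuthenticated(true);
        return result;
    }

    /**
     * Reads an access token back into an {@link OAuth2AccessToken}. For user tokens (those with an
     * {@code email} claim) it also re-validates that the user was not modified after issuance and
     * that the scopes are still approved.
     *
     * @throws InvalidTokenException for an undecodable, wrong-issuer, stale or unapproved token
     */
    @Override
    public OAuth2AccessToken readAccessToken(String accessTokenValue) {
        Map<String, Object> claims = getClaimsForToken(accessTokenValue);
        OpenIdToken token = new OpenIdToken(accessTokenValue);
        token.setTokenType(OAuth2AccessToken.BEARER_TYPE);
        Number exp = (Number) claims.get("exp");
        if (exp != null) {
            token.setExpiration(new Date(exp.longValue() * 1000L));
        }
        List<String> scopes = stringListClaim(claims, "scope");
        if (!scopes.isEmpty()) {
            token.setScope(new HashSet<String>(scopes));
        }
        if (claims.get(Claims.EMAIL) == null) {
            return token;
        }
        String userId = (String) claims.get(Claims.USER_ID);
        UaaUser user = userDatabase.retrieveUserById(userId);
        Date issuedAt = secondsClaimToDate(claims, Claims.IAT);
        if (user.getModified().after(issuedAt)) {
            logger.debug("User was last modified at " + user.getModified() + " access token was issued at " + issuedAt);
            throw new InvalidTokenException("Invalid access token (password changed): " + accessTokenValue);
        }
        String clientId = (String) claims.get("client_id");
        ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
        Set<String> autoApproved = getAutoApprovedScopes(claims.get("grant_type"), scopes, client);
        if (!autoApproved.containsAll(scopes)) {
            checkForApproval(userId, clientId, scopes, autoApproved, issuedAt);
        }
        return token;
    }

    /**
     * Determines which of the requested scopes need no stored approval: all of them for the
     * {@code password} grant, otherwise those named by the client's {@code autoapprove}
     * setting (a list, or {@code true} for every client scope) plus the client's declared
     * auto-approve scopes.
     */
    @SuppressWarnings("unchecked")
    private Set<String> getAutoApprovedScopes(Object grantType, Collection<String> requestedScopes, ClientDetails client) {
        if (grantType != null && "password".equals(grantType.toString())) {
            return new HashSet<String>(requestedScopes);
        }
        Set<String> autoApproved = new HashSet<String>();
        Object autoApproveSetting = client.getAdditionalInformation().get(ClientConstants.AUTO_APPROVE);
        if (autoApproveSetting instanceof Collection) {
            autoApproved.addAll((Collection<String>) autoApproveSetting);
        } else if (Boolean.TRUE.equals(autoApproveSetting) || "true".equals(autoApproveSetting)) {
            autoApproved.addAll(client.getScope());
        }
        if (client instanceof BaseClientDetails) {
            Set<String> declared = ((BaseClientDetails) client).getAutoApproveScopes();
            if (declared != null) {
                autoApproved.addAll(declared);
            }
        }
        return UaaTokenUtils.instance().retainAutoApprovedScopes(requestedScopes, autoApproved);
    }

    /**
     * Verifies the token signature, parses its claims and, when a token endpoint is configured,
     * checks the {@code iss} claim against it. Claims are never read before the signature check.
     *
     * @throws InvalidTokenException when the token cannot be decoded/verified or the issuer differs
     */
    private Map<String, Object> getClaimsForToken(String token) {
        Map<String, Object> claims;
        try {
            String claimsJson = JwtHelper.decodeAndVerify(token, signerProvider.getVerifier()).getClaims();
            claims = mapper.readValue(claimsJson, new TypeReference<Map<String, Object>>() { });
        } catch (Exception e) {
            logger.debug("Invalid token (could not decode)");
            throw new InvalidTokenException("Invalid token (could not decode): " + token);
        }
        // Issuer check sits outside the try-block so its specific message is not masked by the
        // generic decode failure above.
        String expectedIssuer = getTokenEndpoint();
        if (expectedIssuer != null && !expectedIssuer.equals(claims.get(Claims.ISS))) {
            throw new InvalidTokenException("Invalid issuer for token:" + claims.get(Claims.ISS));
        }
        return claims;
    }

    /** Tokens are not stored, so an existing token can never be looked up. */
    @Override
    public OAuth2AccessToken getAccessToken(OAuth2Authentication authentication) {
        return null;
    }

    public void setIssuer(String issuer) {
        this.issuer = issuer;
    }

    /**
     * Token endpoint URL for the current identity zone: the issuer with its host prefixed by the
     * zone subdomain (when present) and the path {@code oauth/token}.
     *
     * @return the endpoint URL, or {@code null} when no issuer is configured
     */
    public String getTokenEndpoint() {
        if (issuer == null) {
            return null;
        }
        String zoneHost = host;
        String subdomain = IdentityZoneHolder.get().getSubdomain();
        if (StringUtils.hasText(subdomain)) {
            zoneHost = subdomain + "." + host;
        }
        return UriComponentsBuilder.fromUriString(issuer).host(zoneHost).pathSegment("oauth/token").build().toUriString();
    }

    public void setClientDetailsService(ClientDetailsService clientDetailsService) {
        this.clientDetailsService = clientDetailsService;
    }

    public void setSignerProvider(SignerProvider signerProvider) {
        this.signerProvider = signerProvider;
    }

    public void setDefaultUserAuthorities(Set<String> defaultUserAuthorities) {
        this.defaultUserAuthorities = defaultUserAuthorities;
    }

    public void setApprovalStore(ApprovalStore approvalStore) {
        this.approvalStore = approvalStore;
    }

    /** Publishes the event when a publisher was injected; silently skips otherwise. */
    private void publish(TokenIssuedEvent event) {
        if (applicationEventPublisher != null) {
            applicationEventPublisher.publishEvent(event);
        }
    }

    /** Converts a seconds-since-epoch numeric claim to a {@link Date}; the claim must be present. */
    private static Date secondsClaimToDate(Map<String, Object> claims, String name) {
        return new Date(((Number) claims.get(name)).longValue() * 1000L);
    }

    /**
     * Reads a JSON-array claim as a string list. A missing claim yields an empty list so callers
     * can test emptiness without a null check.
     */
    @SuppressWarnings("unchecked")
    private static List<String> stringListClaim(Map<String, Object> claims, String name) {
        Object value = claims.get(name);
        if (value == null) {
            return new ArrayList<String>();
        }
        return (List<String>) value;
    }
}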
