package org.springframework.security.oauth2.provider.token;

import java.util.Date;
import java.util.Set;
import java.util.UUID;
import org.cloudfoundry.identity.uaa.security.web.CookieBasedCsrfTokenRepository;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;
import org.springframework.security.oauth2.common.ExpiringOAuth2RefreshToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/spring-security-oauth2-2.0.11.RELEASE.jar:org/springframework/security/oauth2/provider/token/DefaultTokenServices.class */
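/**
 * Token-store backed implementation of the authorization-server, resource-server and
 * consumer token services.
 *
 * <p>Issuing: {@link #createAccessToken(OAuth2Authentication)} reuses a still-valid stored
 * token, otherwise mints a new access token (and, when refresh tokens are supported, a
 * refresh token) and writes both to the {@link TokenStore}. Refreshing:
 * {@link #refreshAccessToken(String, TokenRequest)} validates the presented refresh token,
 * optionally re-authenticates the user and re-checks the client, then issues a new access
 * token, rotating the refresh token unless {@link #setReuseRefreshToken(boolean)} is true.
 *
 * <p>Token values are random UUIDs; their unpredictability rests on
 * {@link UUID#randomUUID()}, which is specified to use a cryptographically strong PRNG.
 * Per-client overrides for lifetimes and refresh-token support are consulted through the
 * optional {@link ClientDetailsService}.
 *
 * <p>Thread-safety is not documented here; the only mutable state is set through the
 * setters, which are expected to be called during bean configuration.
 */
public class DefaultTokenServices implements AuthorizationServerTokenServices, ResourceServerTokenServices, ConsumerTokenServices, InitializingBean {

    // Default refresh-token lifetime in seconds when the client registration supplies none.
    // NOTE(review): this reference to a CSRF-cookie constant is a decompiler artifact (an
    // inlined int resolved against an unrelated class); the source of truth should hold an
    // explicit literal so token lifetime does not silently track a cookie setting.
    private int refreshTokenValiditySeconds = CookieBasedCsrfTokenRepository.DEFAULT_COOKIE_MAX_AGE;
    // Default access-token lifetime in seconds when the client registration supplies none
    // (43200 seconds = 12 hours).
    private int accessTokenValiditySeconds = 43200;
    // Global switch for issuing refresh tokens; overridden per client when a
    // ClientDetailsService is configured (see isSupportRefreshToken).
    private boolean supportRefreshToken = false;
    // When true, the presented refresh token survives a refresh; when false it is rotated.
    private boolean reuseRefreshToken = true;
    // Required collaborator; checked in afterPropertiesSet.
    private TokenStore tokenStore;
    // Optional; enables per-client validity/grant-type lookups and client validation on load.
    private ClientDetailsService clientDetailsService;
    // Optional; given the chance to customize every newly minted access token.
    private TokenEnhancer accessTokenEnhancer;
    // Optional; re-authenticates the stored user authentication on refresh.
    private AuthenticationManager authenticationManager;

    /**
     * Verifies that the mandatory {@link TokenStore} has been configured.
     *
     * @throws Exception if {@code tokenStore} is null (an {@link IllegalArgumentException}
     *         from {@link Assert#notNull})
     */
    @Override
    public void afterPropertiesSet() throws Exception {
        Assert.notNull(this.tokenStore, "tokenStore must be set");
    }

    /**
     * Returns an access token for the given authentication, reusing a stored non-expired
     * token when one exists and otherwise minting a new one.
     *
     * <p>An expired stored token is removed; its refresh token is kept and reused for the
     * replacement unless it has itself expired (a missing expiration counts as expired,
     * consistent with {@link #isExpired}).
     *
     * @param authentication the combined client/user authentication the token represents
     * @return the stored or newly created access token
     * @throws AuthenticationException propagated from collaborators
     */
    @Override
    @Transactional
    public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication) throws AuthenticationException {
        OAuth2AccessToken existingAccessToken = this.tokenStore.getAccessToken(authentication);
        OAuth2RefreshToken refreshToken = null;
        if (existingAccessToken != null) {
            if (!existingAccessToken.isExpired()) {
                // Still valid: re-store it (presumably to refresh the store's authentication
                // mapping) and hand the same token back rather than minting a new one.
                this.tokenStore.storeAccessToken(existingAccessToken, authentication);
                return existingAccessToken;
            }
            // Expired: drop it from the store, remembering its refresh token for possible reuse.
            if (existingAccessToken.getRefreshToken() != null) {
                refreshToken = existingAccessToken.getRefreshToken();
                this.tokenStore.removeRefreshToken(refreshToken);
            }
            this.tokenStore.removeAccessToken(existingAccessToken);
        }
        if (refreshToken == null) {
            refreshToken = createRefreshToken(authentication);
        } else if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
            Date expiration = ((ExpiringOAuth2RefreshToken) refreshToken).getExpiration();
            // A missing expiration counts as expired, consistent with isExpired().
            if (expiration == null || System.currentTimeMillis() > expiration.getTime()) {
                refreshToken = createRefreshToken(authentication);
            }
        }
        OAuth2AccessToken accessToken = createAccessToken(authentication, refreshToken);
        this.tokenStore.storeAccessToken(accessToken, authentication);
        // Read the refresh token back from the minted token rather than the local reference:
        // the enhancer, if any, may have substituted its own.
        OAuth2RefreshToken issuedRefreshToken = accessToken.getRefreshToken();
        if (issuedRefreshToken != null) {
            this.tokenStore.storeRefreshToken(issuedRefreshToken, authentication);
        }
        return accessToken;
    }

    /**
     * Exchanges a refresh token for a new access token.
     *
     * <p>Checks, in order: refresh tokens are enabled, the token is known to the store, the
     * stored user authentication still passes the configured {@link AuthenticationManager}
     * (if any), the requesting client owns the token, and the token has not expired. Access
     * tokens tied to the refresh token are revoked before the expiry check, so presenting an
     * expired refresh token still invalidates them.
     *
     * <p>NOTE(review): the failure messages embed the presented refresh-token value; they
     * propagate into the error response and, typically, into server logs.
     *
     * @param refreshTokenValue the refresh token value presented by the client
     * @param tokenRequest the token request carrying the client id and optional narrowed scope
     * @return the newly issued access token (carrying the reused or rotated refresh token)
     * @throws InvalidGrantException if refresh is unsupported, the token is unknown, or the
     *         client id does not match
     * @throws InvalidTokenException if the refresh token has expired
     * @throws AuthenticationException if the authentication manager rejects the user
     */
    @Override
    @Transactional(noRollbackFor = {InvalidTokenException.class, InvalidGrantException.class})
    public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, TokenRequest tokenRequest) throws AuthenticationException {
        if (!this.supportRefreshToken) {
            throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue);
        }
        OAuth2RefreshToken refreshToken = this.tokenStore.readRefreshToken(refreshTokenValue);
        if (refreshToken == null) {
            throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue);
        }
        OAuth2Authentication authentication = this.tokenStore.readAuthenticationForRefreshToken(refreshToken);
        if (this.authenticationManager != null && !authentication.isClientOnly()) {
            // Re-run the stored user authentication through the manager so it can reject a user
            // whose status changed since the token was issued (the manager is expected to throw
            // on failure). The details object is carried over to the rebuilt authentication.
            Authentication user = this.authenticationManager.authenticate(
                    new PreAuthenticatedAuthenticationToken(authentication.getUserAuthentication(), "", authentication.getAuthorities()));
            Object details = authentication.getDetails();
            authentication = new OAuth2Authentication(authentication.getOAuth2Request(), user);
            authentication.setDetails(details);
        }
        String clientId = authentication.getOAuth2Request().getClientId();
        if (clientId == null || !clientId.equals(tokenRequest.getClientId())) {
            throw new InvalidGrantException("Wrong client for this refresh token: " + refreshTokenValue);
        }
        // Revoke dependent access tokens unconditionally, before the expiry decision.
        this.tokenStore.removeAccessTokenUsingRefreshToken(refreshToken);
        if (isExpired(refreshToken)) {
            this.tokenStore.removeRefreshToken(refreshToken);
            throw new InvalidTokenException("Invalid refresh token (expired): " + refreshToken);
        }
        OAuth2Authentication refreshedAuthentication = createRefreshedAuthentication(authentication, tokenRequest);
        if (!this.reuseRefreshToken) {
            // Rotate: retire the presented refresh token and issue a fresh one.
            this.tokenStore.removeRefreshToken(refreshToken);
            refreshToken = createRefreshToken(refreshedAuthentication);
        }
        OAuth2AccessToken accessToken = createAccessToken(refreshedAuthentication, refreshToken);
        this.tokenStore.storeAccessToken(accessToken, refreshedAuthentication);
        if (!this.reuseRefreshToken) {
            this.tokenStore.storeRefreshToken(accessToken.getRefreshToken(), refreshedAuthentication);
        }
        return accessToken;
    }

    /**
     * Looks up the stored access token for an authentication without creating one.
     *
     * @param authentication the authentication to look up
     * @return the stored token, or null if the store has none
     */
    @Override
    public OAuth2AccessToken getAccessToken(OAuth2Authentication authentication) {
        return this.tokenStore.getAccessToken(authentication);
    }

    /**
     * Builds the authentication for a refreshed token, narrowing the scope when the request
     * asks for one.
     *
     * @param authentication the authentication stored with the refresh token
     * @param tokenRequest the refresh request, possibly carrying a narrower scope
     * @return a new authentication with the (possibly narrowed) request and the same user
     * @throws InvalidScopeException if the requested scope is not a subset of the granted one
     */
    private OAuth2Authentication createRefreshedAuthentication(OAuth2Authentication authentication, TokenRequest tokenRequest) {
        Set<String> requestedScope = tokenRequest.getScope();
        OAuth2Request refreshedRequest = authentication.getOAuth2Request().refresh(tokenRequest);
        if (requestedScope != null && !requestedScope.isEmpty()) {
            Set<String> grantedScope = refreshedRequest.getScope();
            // A refresh may only narrow scope, never widen it.
            if (grantedScope == null || !grantedScope.containsAll(requestedScope)) {
                throw new InvalidScopeException("Unable to narrow the scope of the client authentication to " + requestedScope + ".", grantedScope);
            }
            refreshedRequest = refreshedRequest.narrowScope(requestedScope);
        }
        return new OAuth2Authentication(refreshedRequest, authentication.getUserAuthentication());
    }

    /**
     * Decides whether a refresh token has expired.
     *
     * <p>Non-expiring token types never expire. An expiring token with no expiration date is
     * treated as expired.
     *
     * @param refreshToken the token to check
     * @return true if the token should no longer be accepted
     */
    protected boolean isExpired(OAuth2RefreshToken refreshToken) {
        if (!(refreshToken instanceof ExpiringOAuth2RefreshToken)) {
            return false;
        }
        Date expiration = ((ExpiringOAuth2RefreshToken) refreshToken).getExpiration();
        return expiration == null || System.currentTimeMillis() > expiration.getTime();
    }

    /**
     * Reads an access token from the store by value, without validating it.
     *
     * @param accessTokenValue the token value
     * @return the stored token, or null if unknown
     */
    @Override
    public OAuth2AccessToken readAccessToken(String accessTokenValue) {
        return this.tokenStore.readAccessToken(accessTokenValue);
    }

    /**
     * Resolves an access-token value to its authentication, rejecting unknown or expired
     * tokens and (when a {@link ClientDetailsService} is configured) tokens whose client is no
     * longer registered. Expired tokens are removed from the store as a side effect.
     *
     * <p>NOTE(review): the failure messages embed the presented token value.
     *
     * @param accessTokenValue the token value presented by the caller
     * @return the authentication the token was issued for
     * @throws InvalidTokenException if the token is unknown, expired, has no stored
     *         authentication, or its client cannot be loaded
     */
    @Override
    public OAuth2Authentication loadAuthentication(String accessTokenValue) throws AuthenticationException, InvalidTokenException {
        OAuth2AccessToken accessToken = this.tokenStore.readAccessToken(accessTokenValue);
        if (accessToken == null) {
            throw new InvalidTokenException("Invalid access token: " + accessTokenValue);
        }
        if (accessToken.isExpired()) {
            this.tokenStore.removeAccessToken(accessToken);
            throw new InvalidTokenException("Access token expired: " + accessTokenValue);
        }
        OAuth2Authentication authentication = this.tokenStore.readAuthentication(accessToken);
        if (authentication == null) {
            throw new InvalidTokenException("Invalid access token: " + accessTokenValue);
        }
        if (this.clientDetailsService != null) {
            // Fail closed if the issuing client has since been removed or cannot be loaded.
            String clientId = authentication.getOAuth2Request().getClientId();
            try {
                this.clientDetailsService.loadClientByClientId(clientId);
            } catch (ClientRegistrationException e) {
                throw new InvalidTokenException("Client not valid: " + clientId, e);
            }
        }
        return authentication;
    }

    /**
     * Returns the client id an access token was issued to. Unlike
     * {@link #loadAuthentication}, this does not check expiry.
     *
     * @param accessTokenValue the token value
     * @return the client id from the stored request
     * @throws InvalidTokenException if the token has no stored authentication or request
     */
    public String getClientId(String accessTokenValue) {
        OAuth2Authentication authentication = this.tokenStore.readAuthentication(accessTokenValue);
        if (authentication == null) {
            throw new InvalidTokenException("Invalid access token: " + accessTokenValue);
        }
        OAuth2Request request = authentication.getOAuth2Request();
        if (request == null) {
            throw new InvalidTokenException("Invalid access token (no client id): " + accessTokenValue);
        }
        return request.getClientId();
    }

    /**
     * Revokes an access token and, if it carries one, its refresh token.
     *
     * @param accessTokenValue the token value to revoke
     * @return true if a token was found and removed, false if the value was unknown
     */
    @Override
    public boolean revokeToken(String accessTokenValue) {
        OAuth2AccessToken accessToken = this.tokenStore.readAccessToken(accessTokenValue);
        if (accessToken == null) {
            return false;
        }
        if (accessToken.getRefreshToken() != null) {
            this.tokenStore.removeRefreshToken(accessToken.getRefreshToken());
        }
        this.tokenStore.removeAccessToken(accessToken);
        return true;
    }

    /**
     * Computes an expiration instant a given number of seconds from now.
     *
     * <p>The multiplication is done in {@code long} so that lifetimes above roughly 24.8 days
     * (2,147,484 seconds) cannot overflow {@code int} and yield an expiry in the past.
     *
     * @param validitySeconds lifetime in seconds
     * @return the expiration date
     */
    private static Date expirationAfterSeconds(int validitySeconds) {
        return new Date(System.currentTimeMillis() + validitySeconds * 1000L);
    }

    /**
     * Mints a refresh token for the authentication, or returns null when refresh tokens are
     * not supported for its client.
     *
     * @param authentication the authentication the token will be bound to
     * @return an expiring token when the validity is positive, a non-expiring one otherwise,
     *         or null if unsupported
     */
    private OAuth2RefreshToken createRefreshToken(OAuth2Authentication authentication) {
        if (!isSupportRefreshToken(authentication.getOAuth2Request())) {
            return null;
        }
        int validitySeconds = getRefreshTokenValiditySeconds(authentication.getOAuth2Request());
        String value = UUID.randomUUID().toString();
        if (validitySeconds > 0) {
            return new DefaultExpiringOAuth2RefreshToken(value, expirationAfterSeconds(validitySeconds));
        }
        return new DefaultOAuth2RefreshToken(value);
    }

    /**
     * Mints an access token carrying the given refresh token and the request's scope, then
     * passes it through the {@link TokenEnhancer} if one is configured.
     *
     * @param authentication the authentication the token represents
     * @param refreshToken the refresh token to attach (may be null)
     * @return the token as returned by the enhancer, or the plain token when none is set
     */
    private OAuth2AccessToken createAccessToken(OAuth2Authentication authentication, OAuth2RefreshToken refreshToken) {
        DefaultOAuth2AccessToken accessToken = new DefaultOAuth2AccessToken(UUID.randomUUID().toString());
        int validitySeconds = getAccessTokenValiditySeconds(authentication.getOAuth2Request());
        if (validitySeconds > 0) {
            // A non-positive validity leaves the token without an expiration.
            accessToken.setExpiration(expirationAfterSeconds(validitySeconds));
        }
        accessToken.setRefreshToken(refreshToken);
        accessToken.setScope(authentication.getOAuth2Request().getScope());
        if (this.accessTokenEnhancer != null) {
            return this.accessTokenEnhancer.enhance(accessToken, authentication);
        }
        return accessToken;
    }

    /**
     * Resolves the access-token lifetime for a request: the client's configured value when a
     * {@link ClientDetailsService} is present and the client specifies one, else the default.
     *
     * @param request the request identifying the client
     * @return the lifetime in seconds
     */
    protected int getAccessTokenValiditySeconds(OAuth2Request request) {
        if (this.clientDetailsService != null) {
            Integer clientValidity = this.clientDetailsService.loadClientByClientId(request.getClientId()).getAccessTokenValiditySeconds();
            if (clientValidity != null) {
                return clientValidity;
            }
        }
        return this.accessTokenValiditySeconds;
    }

    /**
     * Resolves the refresh-token lifetime for a request: the client's configured value when a
     * {@link ClientDetailsService} is present and the client specifies one, else the default.
     *
     * @param request the request identifying the client
     * @return the lifetime in seconds
     */
    protected int getRefreshTokenValiditySeconds(OAuth2Request request) {
        if (this.clientDetailsService != null) {
            Integer clientValidity = this.clientDetailsService.loadClientByClientId(request.getClientId()).getRefreshTokenValiditySeconds();
            if (clientValidity != null) {
                return clientValidity;
            }
        }
        return this.refreshTokenValiditySeconds;
    }

    /**
     * Decides whether refresh tokens are issued for a request's client: the client's
     * authorized grant types when a {@link ClientDetailsService} is present, else the global
     * {@code supportRefreshToken} flag.
     *
     * @param request the request identifying the client
     * @return true if a refresh token should be issued
     */
    protected boolean isSupportRefreshToken(OAuth2Request request) {
        if (this.clientDetailsService != null) {
            return this.clientDetailsService.loadClientByClientId(request.getClientId()).getAuthorizedGrantTypes().contains("refresh_token");
        }
        return this.supportRefreshToken;
    }

    /** @param tokenEnhancer the enhancer applied to every newly minted access token */
    public void setTokenEnhancer(TokenEnhancer tokenEnhancer) {
        this.accessTokenEnhancer = tokenEnhancer;
    }

    /** @param refreshTokenValiditySeconds default refresh-token lifetime in seconds; non-positive means non-expiring */
    public void setRefreshTokenValiditySeconds(int refreshTokenValiditySeconds) {
        this.refreshTokenValiditySeconds = refreshTokenValiditySeconds;
    }

    /** @param accessTokenValiditySeconds default access-token lifetime in seconds; non-positive means non-expiring */
    public void setAccessTokenValiditySeconds(int accessTokenValiditySeconds) {
        this.accessTokenValiditySeconds = accessTokenValiditySeconds;
    }

    /** @param supportRefreshToken whether refresh tokens are issued when no client registration decides */
    public void setSupportRefreshToken(boolean supportRefreshToken) {
        this.supportRefreshToken = supportRefreshToken;
    }

    /** @param reuseRefreshToken true to keep the refresh token across refreshes, false to rotate it */
    public void setReuseRefreshToken(boolean reuseRefreshToken) {
        this.reuseRefreshToken = reuseRefreshToken;
    }

    /** @param tokenStore the backing store (required) */
    public void setTokenStore(TokenStore tokenStore) {
        this.tokenStore = tokenStore;
    }

    /** @param authenticationManager manager used to re-authenticate the user on refresh (optional) */
    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /** @param clientDetailsService source of per-client lifetimes and grant types (optional) */
    public void setClientDetailsService(ClientDetailsService clientDetailsService) {
        this.clientDetailsService = clientDetailsService;
    }
}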
