package org.cloudfoundry.identity.uaa.oauth;

import com.fasterxml.jackson.core.type.TypeReference;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.sql.Types;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicLong;
import javax.sql.DataSource;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.util.JsonUtils;
import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.dao.DataIntegrityViolationException;
import org.springframework.dao.DeadlockLoserDataAccessException;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.jdbc.core.support.SqlLobValue;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
import org.springframework.security.oauth2.common.util.SerializationUtils;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.23.0.jar:org/cloudfoundry/identity/uaa/oauth/UaaTokenStore.class */
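/**
 * JDBC-backed store for OAuth2 authorization codes, persisted in the {@code oauth_code} table.
 *
 * <p>A code is a short random string produced by {@link RandomValueStringGenerator} and is the
 * primary key of its row; a collision on insert surfaces as a
 * {@link DataIntegrityViolationException} and is retried with a fresh code. The authorization is
 * stored as a JSON map (see {@link #serializeOauth2Authentication(OAuth2Authentication)}), which
 * deliberately drops the request's extension properties.
 *
 * <p>Codes are single-use: {@link #consumeAuthorizationCode(String)} deletes the row whether the
 * lookup succeeds, is expired or fails, so a code can never be redeemed twice. Codes expire after
 * {@link #getExpirationTime()} milliseconds (default {@link #EXPIRATION_TIME}); expired rows are
 * also purged lazily by {@link #performExpirationClean()}, at most once per expiration window.
 *
 * <p>Rows with {@code expiresat = 0} are legacy entries whose authentication blob was written with
 * Java native serialization. They expire relative to their {@code created} timestamp and are
 * purged once older than {@link #LEGACY_CODE_EXPIRATION_TIME}.
 */
public class UaaTokenStore implements AuthorizationCodeServices {
    /** Default lifetime of a code, in milliseconds (5 minutes). */
    public static final long EXPIRATION_TIME = 300000;
    /** Age after which legacy rows ({@code expiresat = 0}) are purged, in milliseconds (3 days). */
    public static final long LEGACY_CODE_EXPIRATION_TIME = 259200000;

    // Keys of the JSON map that holds a serialized OAuth2Authentication.
    public static final String USER_AUTHENTICATION_UAA_AUTHENTICATION = "userAuthentication.uaaAuthentication";
    public static final String USER_AUTHENTICATION_UAA_PRINCIPAL = "userAuthentication.uaaPrincipal";
    public static final String USER_AUTHENTICATION_AUTHORITIES = "userAuthentication.authorities";
    public static final String OAUTH2_REQUEST_PARAMETERS = "oauth2Request.requestParameters";
    public static final String OAUTH2_REQUEST_CLIENT_ID = "oauth2Request.clientId";
    public static final String OAUTH2_REQUEST_AUTHORITIES = "oauth2Request.authorities";
    public static final String OAUTH2_REQUEST_APPROVED = "oauth2Request.approved";
    public static final String OAUTH2_REQUEST_SCOPE = "oauth2Request.scope";
    public static final String OAUTH2_REQUEST_RESOURCE_IDS = "oauth2Request.resourceIds";
    public static final String OAUTH2_REQUEST_REDIRECT_URI = "oauth2Request.redirectUri";
    public static final String OAUTH2_REQUEST_RESPONSE_TYPES = "oauth2Request.responseTypes";

    protected static Log logger = LogFactory.getLog(UaaTokenStore.class);

    private static final String SQL_SELECT_STATEMENT = "select code, user_id, client_id, expiresat, created, authentication from oauth_code where code = ?";
    private static final String SQL_INSERT_STATEMENT = "insert into oauth_code (code, user_id, client_id, expiresat, authentication, identity_zone_id) values (?, ?, ?, ?, ?, ?)";
    private static final String SQL_DELETE_STATEMENT = "delete from oauth_code where code = ?";
    private static final String SQL_EXPIRE_STATEMENT = "delete from oauth_code where expiresat > 0 AND expiresat < ?";
    private static final String SQL_CLEAN_STATEMENT = "delete from oauth_code where created < ? and expiresat = 0";

    /** JDBC types of the insert parameters, in the order of {@link #SQL_INSERT_STATEMENT}. */
    private static final int[] SQL_INSERT_TYPES = {
        Types.VARCHAR, Types.VARCHAR, Types.VARCHAR, Types.NUMERIC, Types.BLOB, Types.VARCHAR
    };

    /** Number of insert attempts before a persistent {@link DataIntegrityViolationException} is propagated. */
    private static final int MAX_INSERT_ATTEMPTS = 3;

    /** Length of the generated code string. */
    private static final int CODE_LENGTH = 10;

    private final DataSource dataSource;
    private final long expirationTime;
    private final RandomValueStringGenerator generator;
    private final RowMapper<TokenCode> rowMapper;
    /** Epoch millis of the window start of the last expiration clean; see {@link #performExpirationClean()}. */
    private final AtomicLong lastClean;

    /**
     * One row of the {@code oauth_code} table.
     *
     * <p>Non-static on purpose: {@link #isExpired()} needs the enclosing store's expiration time.
     */
    public class TokenCode {
        private final String code;
        private final String userId;
        private final String clientId;
        /** Absolute expiry in epoch millis; {@code 0} marks a legacy row (see {@link #isExpired()}). */
        private final long expiresAt;
        private final Timestamp created;
        /** Serialized authorization: JSON for current rows, Java native serialization for legacy rows. */
        private final byte[] authentication;

        public TokenCode(String code, String userId, String clientId, long expiresAt, Timestamp created, byte[] authentication) {
            this.code = code;
            this.userId = userId;
            this.clientId = clientId;
            this.expiresAt = expiresAt;
            this.created = created;
            this.authentication = authentication;
        }

        public byte[] getAuthentication() {
            return this.authentication;
        }

        public String getClientId() {
            return this.clientId;
        }

        public String getCode() {
            return this.code;
        }

        public Timestamp getCreated() {
            return this.created;
        }

        public long getExpiresAt() {
            return this.expiresAt;
        }

        public String getUserId() {
            return this.userId;
        }

        /**
         * Whether this code may no longer be redeemed.
         *
         * <p>Legacy rows ({@code expiresAt == 0}) have no absolute expiry, so they are expired once
         * {@code created} lies more than the store's expiration time in the past. Current rows are
         * expired once {@code expiresAt} has passed.
         *
         * @return {@code true} if the code is expired
         */
        public boolean isExpired() {
            long now = System.currentTimeMillis();
            if (getExpiresAt() == 0) {
                Timestamp oldestAllowed = new Timestamp(now - UaaTokenStore.this.getExpirationTime());
                return oldestAllowed.after(getCreated());
            }
            return getExpiresAt() < now;
        }

        /** Deliberately omits the authentication blob; the code itself is a bearer secret until consumed. */
        @Override
        public String toString() {
            return "TokenCode{, code='" + this.code + "', userId='" + this.userId + "', clientId='" + this.clientId + "', expiresAt=" + this.expiresAt + ", created=" + this.created + '}';
        }
    }

    /** Maps a row selected by {@link #SQL_SELECT_STATEMENT} onto a {@link TokenCode}. */
    protected class TokenCodeRowMapper implements RowMapper<TokenCode> {
        protected TokenCodeRowMapper() {
        }

        /**
         * Reads the columns in the order of {@link #SQL_SELECT_STATEMENT}:
         * code, user_id, client_id, expiresat, created, authentication.
         *
         * @throws SQLException if a column cannot be read
         */
        @Override
        public TokenCode mapRow(ResultSet resultSet, int rowNum) throws SQLException {
            int column = 1;
            String code = resultSet.getString(column++);
            String userId = resultSet.getString(column++);
            String clientId = resultSet.getString(column++);
            long expiresAt = resultSet.getLong(column++);
            Timestamp created = resultSet.getTimestamp(column++);
            byte[] authentication = resultSet.getBytes(column);
            return UaaTokenStore.this.createTokenCode(code, userId, clientId, expiresAt, created, authentication);
        }
    }

    /**
     * Creates a store with the default code lifetime of {@link #EXPIRATION_TIME} milliseconds.
     *
     * @param dataSource the data source holding the {@code oauth_code} table
     */
    public UaaTokenStore(DataSource dataSource) {
        this(dataSource, EXPIRATION_TIME);
    }

    /**
     * Creates a store with an explicit code lifetime.
     *
     * @param dataSource     the data source holding the {@code oauth_code} table
     * @param expirationTime lifetime of a code in milliseconds; also the minimum interval between
     *                       expiration cleans
     */
    public UaaTokenStore(DataSource dataSource, long expirationTime) {
        this.generator = new RandomValueStringGenerator(CODE_LENGTH);
        this.rowMapper = new TokenCodeRowMapper();
        this.lastClean = new AtomicLong(0L);
        this.dataSource = dataSource;
        this.expirationTime = expirationTime;
    }

    /**
     * Persists {@code authentication} under a freshly generated code and returns that code.
     *
     * <p>The code is the table's primary key, so a collision with an existing row raises a
     * {@link DataIntegrityViolationException}; up to {@link #MAX_INSERT_ATTEMPTS} codes are tried
     * before the last exception is propagated. The row is tagged with the current identity zone.
     *
     * @param authentication the authorization to store; its user authentication may be {@code null}
     *                       (client-credentials style), in which case {@code user_id} is stored as
     *                       {@code NULL}
     * @return the generated code
     * @throws DataIntegrityViolationException if every attempt failed to insert a row
     */
    @Override
    public String createAuthorizationCode(OAuth2Authentication authentication) {
        performExpirationClean();
        JdbcTemplate template = new JdbcTemplate(this.dataSource);
        for (int attempt = 1; attempt <= MAX_INSERT_ATTEMPTS; attempt++) {
            try {
                String code = this.generator.generate();
                Authentication userAuthentication = authentication.getUserAuthentication();
                String userId = userAuthentication == null
                        ? null
                        : ((UaaPrincipal) userAuthentication.getPrincipal()).getId();
                String clientId = authentication.getOAuth2Request().getClientId();
                Long expiresAt = System.currentTimeMillis() + getExpirationTime();
                SqlLobValue data = new SqlLobValue(serializeOauth2Authentication(authentication));
                Object[] args = {code, userId, clientId, expiresAt, data, IdentityZoneHolder.get().getId()};
                int inserted = template.update(SQL_INSERT_STATEMENT, args, SQL_INSERT_TYPES);
                if (inserted == 0) {
                    // Treated like a key collision so that the retry loop below picks a new code.
                    throw new DataIntegrityViolationException("[oauth_code] Failed to insert code. Result was 0");
                }
                return code;
            } catch (DataIntegrityViolationException e) {
                if (attempt >= MAX_INSERT_ATTEMPTS) {
                    throw e;
                }
                // Otherwise retry with a newly generated code.
            }
        }
        // Unreachable: every iteration either returns the code or rethrows on the last attempt.
        throw new IllegalStateException("[oauth_code] No insert attempt produced a result");
    }

    /**
     * Redeems {@code code}: loads the stored authorization and deletes the row.
     *
     * <p>The row is deleted in every outcome (success, expired, deserialization failure), which is
     * what makes a code single-use. Current rows are decoded from JSON; legacy rows
     * ({@code expiresat = 0}) are decoded with Java native serialization.
     *
     * @param code the authorization code presented by the client
     * @return the authorization that was stored under {@code code}
     * @throws InvalidGrantException if no row exists for {@code code} or the code has expired
     */
    @Override
    public OAuth2Authentication consumeAuthorizationCode(String code) throws InvalidGrantException {
        performExpirationClean();
        JdbcTemplate template = new JdbcTemplate(this.dataSource);
        TokenCode tokenCode;
        try {
            tokenCode = template.queryForObject(SQL_SELECT_STATEMENT, this.rowMapper, code);
        } catch (EmptyResultDataAccessException ignored) {
            // No such row; reported as an invalid grant below, nothing to delete.
            tokenCode = null;
        }
        if (tokenCode == null) {
            throw new InvalidGrantException("Invalid authorization code: " + code);
        }
        try {
            if (tokenCode.isExpired()) {
                logger.debug("[oauth_code] Found code, but it expired:" + tokenCode);
                throw new InvalidGrantException("Authorization code expired: " + code);
            }
            if (tokenCode.getExpiresAt() == 0) {
                // NOTE(review): legacy rows hold a Java-serialized OAuth2Authentication, so this is a
                // native-deserialization sink fed from the database. The bytes were written by this
                // server, but anyone able to alter the oauth_code table controls the input; new rows
                // use the JSON form below. Keep the legacy path only as long as such rows exist.
                return (OAuth2Authentication) SerializationUtils.deserialize(tokenCode.getAuthentication());
            }
            return deserializeOauth2Authentication(tokenCode.getAuthentication());
        } finally {
            // Single-use guarantee: the row goes away whether or not redemption succeeded.
            template.update(SQL_DELETE_STATEMENT, code);
        }
    }

    /**
     * Encodes {@code authentication} as a JSON map keyed by the {@code USER_AUTHENTICATION_*} and
     * {@code OAUTH2_REQUEST_*} constants.
     *
     * <p>A {@link UaaAuthentication} user authentication is stored whole; any other user
     * authentication is reduced to its {@link UaaPrincipal} plus authority names. The request's
     * extension properties are not serialized; a warning is logged when they are non-empty.
     *
     * @param authentication the authorization to encode
     * @return the UTF-8 JSON bytes
     */
    protected byte[] serializeOauth2Authentication(OAuth2Authentication authentication) {
        Authentication userAuthentication = authentication.getUserAuthentication();
        OAuth2Request request = authentication.getOAuth2Request();
        Map<String, Object> values = new HashMap<>();
        if (userAuthentication != null) {
            if (userAuthentication instanceof UaaAuthentication) {
                values.put(USER_AUTHENTICATION_UAA_AUTHENTICATION, JsonUtils.writeValueAsString(userAuthentication));
            } else {
                values.put(USER_AUTHENTICATION_UAA_PRINCIPAL, JsonUtils.writeValueAsString(userAuthentication.getPrincipal()));
                values.put(USER_AUTHENTICATION_AUTHORITIES, UaaStringUtils.getStringsFromAuthorities(userAuthentication.getAuthorities()));
            }
        }
        values.put(OAUTH2_REQUEST_PARAMETERS, request.getRequestParameters());
        values.put(OAUTH2_REQUEST_CLIENT_ID, request.getClientId());
        values.put(OAUTH2_REQUEST_AUTHORITIES, UaaStringUtils.getStringsFromAuthorities(request.getAuthorities()));
        values.put(OAUTH2_REQUEST_APPROVED, request.isApproved());
        values.put(OAUTH2_REQUEST_SCOPE, request.getScope());
        values.put(OAUTH2_REQUEST_RESOURCE_IDS, request.getResourceIds());
        values.put(OAUTH2_REQUEST_REDIRECT_URI, request.getRedirectUri());
        values.put(OAUTH2_REQUEST_RESPONSE_TYPES, request.getResponseTypes());
        if (request.getExtensions() != null && request.getExtensions().size() > 0) {
            // Extensions are dropped on purpose; they are not representable in this map format.
            logger.warn("[oauth_code] Unable to serialize extensions:" + request.getExtensions());
        }
        return JsonUtils.writeValueAsBytes(values);
    }

    /**
     * Inverse of {@link #serializeOauth2Authentication(OAuth2Authentication)}.
     *
     * <p>The user authentication is restored as a {@link UaaAuthentication}, either directly or
     * from the stored principal and authority names (with {@link UaaAuthenticationDetails#UNKNOWN}
     * details); it is {@code null} when neither key is present. The rebuilt {@link OAuth2Request}
     * always has empty extension properties.
     *
     * @param data JSON bytes produced by {@code serializeOauth2Authentication}
     * @return the reconstructed authorization
     */
    @SuppressWarnings("unchecked") // values come from our own JSON map; keys fix the element types
    protected OAuth2Authentication deserializeOauth2Authentication(byte[] data) {
        Map<String, Object> values = JsonUtils.readValue(data, new TypeReference<Map<String, Object>>() {
        });
        Authentication userAuthentication = null;
        if (values.get(USER_AUTHENTICATION_UAA_AUTHENTICATION) != null) {
            userAuthentication = JsonUtils.readValue((String) values.get(USER_AUTHENTICATION_UAA_AUTHENTICATION), UaaAuthentication.class);
        } else if (values.get(USER_AUTHENTICATION_UAA_PRINCIPAL) != null) {
            UaaPrincipal principal = JsonUtils.readValue((String) values.get(USER_AUTHENTICATION_UAA_PRINCIPAL), UaaPrincipal.class);
            Collection<String> authorityNames = (Collection<String>) values.get(USER_AUTHENTICATION_AUTHORITIES);
            userAuthentication = new UaaAuthentication(principal, UaaStringUtils.getAuthoritiesFromStrings(authorityNames), UaaAuthenticationDetails.UNKNOWN);
        }
        OAuth2Request request = new OAuth2Request(
                (Map<String, String>) values.get(OAUTH2_REQUEST_PARAMETERS),
                (String) values.get(OAUTH2_REQUEST_CLIENT_ID),
                UaaStringUtils.getAuthoritiesFromStrings((Collection<String>) values.get(OAUTH2_REQUEST_AUTHORITIES)),
                (Boolean) values.get(OAUTH2_REQUEST_APPROVED),
                stringSet(values.get(OAUTH2_REQUEST_SCOPE)),
                stringSet(values.get(OAUTH2_REQUEST_RESOURCE_IDS)),
                (String) values.get(OAUTH2_REQUEST_REDIRECT_URI),
                stringSet(values.get(OAUTH2_REQUEST_RESPONSE_TYPES)),
                new HashMap<>());
        return new OAuth2Authentication(request, userAuthentication);
    }

    /** Copies a JSON array value into a mutable {@link Set} of strings. */
    @SuppressWarnings("unchecked")
    private static Set<String> stringSet(Object jsonArray) {
        return new HashSet<>((Collection<String>) jsonArray);
    }

    /**
     * Deletes expired rows, at most once per expiration window.
     *
     * <p>Threads race on {@link #lastClean} with a compare-and-set: only the thread that moves the
     * window start forward performs the delete, so concurrent callers do not all hit the table.
     * Current rows are removed once {@code expiresat} has passed; legacy rows once
     * {@code created} is older than {@link #LEGACY_CODE_EXPIRATION_TIME}. A deadlock while
     * deleting is ignored because the next window will retry.
     */
    protected void performExpirationClean() {
        long windowStart = this.lastClean.get();
        long now = System.currentTimeMillis();
        if (now - windowStart <= getExpirationTime()) {
            return;
        }
        if (!this.lastClean.compareAndSet(windowStart, windowStart + getExpirationTime())) {
            // Another thread claimed this window.
            return;
        }
        try {
            JdbcTemplate template = new JdbcTemplate(this.dataSource);
            int expired = template.update(SQL_EXPIRE_STATEMENT, System.currentTimeMillis());
            logger.debug("[oauth_code] Removed " + expired + " expired entries.");
            Timestamp legacyCutoff = new Timestamp(System.currentTimeMillis() - LEGACY_CODE_EXPIRATION_TIME);
            int legacy = template.update(SQL_CLEAN_STATEMENT, legacyCutoff);
            logger.debug("[oauth_code] Removed " + legacy + " old entries.");
        } catch (DeadlockLoserDataAccessException ignored) {
            logger.debug("[oauth code] Deadlock trying to expire entries, ignored.");
        }
    }

    /** @return lifetime of a code in milliseconds */
    public long getExpirationTime() {
        return this.expirationTime;
    }

    /**
     * Factory for {@link TokenCode}; overridable so subclasses can substitute their own row type.
     */
    public TokenCode createTokenCode(String code, String userId, String clientId, long expiresAt, Timestamp created, byte[] authentication) {
        return new TokenCode(code, userId, clientId, expiresAt, created, authentication);
    }
}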
