package org.cloudfoundry.identity.uaa.oauth;

import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import org.cloudfoundry.identity.uaa.approval.ApprovalService;
import org.cloudfoundry.identity.uaa.audit.event.TokenIssuedEvent;
import org.cloudfoundry.identity.uaa.authentication.Origin;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants;
import org.cloudfoundry.identity.uaa.oauth.jwt.JwtHelper;
import org.cloudfoundry.identity.uaa.oauth.openid.IdTokenCreationException;
import org.cloudfoundry.identity.uaa.oauth.openid.IdTokenCreator;
import org.cloudfoundry.identity.uaa.oauth.openid.IdTokenGranter;
import org.cloudfoundry.identity.uaa.oauth.openid.UserAuthenticationData;
import org.cloudfoundry.identity.uaa.oauth.refresh.CompositeExpiringOAuth2RefreshToken;
import org.cloudfoundry.identity.uaa.oauth.refresh.RefreshTokenCreator;
import org.cloudfoundry.identity.uaa.oauth.refresh.RefreshTokenRequestData;
import org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants;
import org.cloudfoundry.identity.uaa.oauth.token.CompositeToken;
import org.cloudfoundry.identity.uaa.oauth.token.RevocableToken;
import org.cloudfoundry.identity.uaa.oauth.token.RevocableTokenProvisioning;
import org.cloudfoundry.identity.uaa.oauth.token.TokenConstants;
import org.cloudfoundry.identity.uaa.provider.oauth.XOAuthUserAuthority;
import org.cloudfoundry.identity.uaa.user.UaaAuthority;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.user.UaaUserDatabase;
import org.cloudfoundry.identity.uaa.user.UserInfo;
import org.cloudfoundry.identity.uaa.util.JsonUtils;
import org.cloudfoundry.identity.uaa.util.TimeService;
import org.cloudfoundry.identity.uaa.util.TokenValidation;
import org.cloudfoundry.identity.uaa.util.UaaTokenUtils;
import org.cloudfoundry.identity.uaa.zone.ClientServicesExtension;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.cloudfoundry.identity.uaa.zone.TokenPolicy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.dao.DuplicateKeyException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.27.0.jar:org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.class */
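/**
 * Issues, refreshes and decodes UAA access, refresh and ID tokens.
 *
 * <p>{@link #createAccessToken} and {@link #refreshAccessToken} build a signed JWT
 * access token (plus an ID token when {@link IdTokenGranter} allows it), obtain the
 * refresh token from {@link RefreshTokenCreator}, and store tokens through
 * {@link RevocableTokenProvisioning} when the request or the zone's
 * {@link TokenPolicy} makes them opaque or revocable. {@link #loadAuthentication}
 * and {@link #readAccessToken} decode a presented access token after running it
 * through {@link TokenValidationService}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Token expiry is re-checked here from the {@code exp} claim, independently of
 *       whatever {@code TokenValidationService.validateToken} verifies.</li>
 *   <li>A refresh token is bound to the requesting client through its {@code cid}
 *       claim, and to the current client secret / user state through the revocation
 *       signature claim ({@code ClaimConstants.REVOCATION_SIGNATURE}). A refresh token
 *       that carries no such claim is not signature-checked.</li>
 *   <li>Claims listed in {@code excludedClaims} are stripped from the access-token JWT
 *       in {@link #createJWTAccessToken}; excluding security-relevant claims therefore
 *       weakens any downstream check that relies on them.</li>
 * </ul>
 *
 * <p>The public setters are wiring hooks; they are not synchronized against concurrent
 * token operations.
 */
public class UaaTokenServices implements AuthorizationServerTokenServices, ResourceServerTokenServices, ApplicationEventPublisherAware {
    private static final String CODE = "code";
    private static final String OPENID = "openid";
    /**
     * Root claims that are produced by this class itself. On refresh, every other root
     * claim of the presented refresh token is copied into the new access token when a
     * {@link UaaTokenEnhancer} is configured.
     */
    private static final List<String> NON_ADDITIONAL_ROOT_CLAIMS = Arrays.asList("jti", "sub", "authorities", "scope", "client_id", ClaimConstants.CID, ClaimConstants.AZP, ClaimConstants.REVOCABLE, "grant_type", "user_id", "origin", "user_name", "email", ClaimConstants.AUTH_TIME, ClaimConstants.REVOCATION_SIGNATURE, ClaimConstants.IAT, "exp", ClaimConstants.ISS, ClaimConstants.ZONE_ID, "aud");
    private UaaUserDatabase userDatabase;
    private ClientServicesExtension clientDetailsService;
    private ApprovalService approvalService;
    private ApplicationEventPublisher applicationEventPublisher;
    private TokenPolicy tokenPolicy;
    private RevocableTokenProvisioning tokenProvisioning;
    /** Claim names removed from every access-token JWT before signing. */
    private Set<String> excludedClaims;
    private IdTokenCreator idTokenCreator;
    private RefreshTokenCreator refreshTokenCreator;
    private TokenEndpointBuilder tokenEndpointBuilder;
    private TimeService timeService;
    private TokenValidityResolver accessTokenValidityResolver;
    private TokenValidationService tokenValidationService;
    private KeyInfoService keyInfoService;
    private IdTokenGranter idTokenGranter;
    private final Logger logger = LoggerFactory.getLogger((Class<?>) UaaTokenServices.class);
    /** Optional hook that contributes extra root claims; {@code null} when not configured. */
    private UaaTokenEnhancer uaaTokenEnhancer = null;

    /**
     * Creates a fully wired token service.
     *
     * @param idTokenCreator builds ID-token claims
     * @param tokenEndpointBuilder supplies the issuer URL placed in the {@code iss} claim
     * @param clientServicesExtension looks up OAuth clients
     * @param revocableTokenProvisioning persists opaque / revocable tokens
     * @param tokenValidationService validates presented JWTs
     * @param refreshTokenCreator builds refresh tokens
     * @param timeService clock used for {@code iat} and expiry checks
     * @param tokenValidityResolver resolves access-token lifetime per client
     * @param uaaUserDatabase looks up users and their {@link UserInfo}
     * @param set claim names to strip from access tokens (may be empty)
     * @param tokenPolicy global token policy (the active zone's policy is used at runtime)
     * @param keyInfoService supplies the active signing key
     * @param idTokenGranter decides whether an ID token is issued
     * @param approvalService checks that the user's approvals cover the requested scopes
     */
    public UaaTokenServices(IdTokenCreator idTokenCreator, TokenEndpointBuilder tokenEndpointBuilder, ClientServicesExtension clientServicesExtension, RevocableTokenProvisioning revocableTokenProvisioning, TokenValidationService tokenValidationService, RefreshTokenCreator refreshTokenCreator, TimeService timeService, TokenValidityResolver tokenValidityResolver, UaaUserDatabase uaaUserDatabase, Set<String> set, TokenPolicy tokenPolicy, KeyInfoService keyInfoService, IdTokenGranter idTokenGranter, ApprovalService approvalService) {
        this.idTokenCreator = idTokenCreator;
        this.tokenEndpointBuilder = tokenEndpointBuilder;
        this.clientDetailsService = clientServicesExtension;
        this.tokenProvisioning = revocableTokenProvisioning;
        this.tokenValidationService = tokenValidationService;
        this.refreshTokenCreator = refreshTokenCreator;
        this.timeService = timeService;
        this.accessTokenValidityResolver = tokenValidityResolver;
        this.userDatabase = uaaUserDatabase;
        this.approvalService = approvalService;
        this.excludedClaims = set;
        this.tokenPolicy = tokenPolicy;
        this.idTokenGranter = idTokenGranter;
        this.keyInfoService = keyInfoService;
    }

    public Set<String> getExcludedClaims() {
        return this.excludedClaims;
    }

    public void setExcludedClaims(Set<String> set) {
        this.excludedClaims = set;
    }

    public RevocableTokenProvisioning getTokenProvisioning() {
        return this.tokenProvisioning;
    }

    public void setTokenProvisioning(RevocableTokenProvisioning revocableTokenProvisioning) {
        this.tokenProvisioning = revocableTokenProvisioning;
    }

    public void setUaaTokenEnhancer(UaaTokenEnhancer uaaTokenEnhancer) {
        this.uaaTokenEnhancer = uaaTokenEnhancer;
    }

    @Override
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.applicationEventPublisher = applicationEventPublisher;
    }

    /**
     * Exchanges a refresh token for a new access token (refresh_token grant).
     *
     * <p>Checks, in order: the JWT passes the token validation service (the
     * {@code false} flag is passed through unchanged; its meaning is not visible
     * here), refresh is not restricted for the token's scopes, the {@code cid} claim
     * equals the requesting client, the {@code exp} claim is in the future, the
     * requested scopes are a subset of the scopes the refresh token was granted,
     * approvals still cover them, and the revocation signature still matches the
     * current client secret and user. The presented refresh token is returned
     * unchanged alongside the new access token.
     *
     * @param refreshTokenValue the refresh token presented by the client
     * @param tokenRequest the token request (client id, requested scopes, {@code token_format})
     * @return the new access token; opaque when requested or required by policy
     * @throws InvalidTokenException if the token is missing, lacks required claims or is expired
     * @throws InvalidGrantException if the token was issued to a different client
     * @throws InvalidScopeException if scopes outside the refresh token are requested
     * @throws TokenRevokedException if the revocation signature no longer matches
     */
    @Override
    @SuppressWarnings("unchecked")
    public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, TokenRequest tokenRequest) throws AuthenticationException {
        if (null == refreshTokenValue) {
            throw new InvalidTokenException("Invalid refresh token (empty token)");
        }
        TokenValidation validation = this.tokenValidationService.validateToken(refreshTokenValue, false).checkJti();
        Map<String, Object> claims = validation.getClaims();
        ArrayList<String> grantedScopes = getScopesFromRefreshToken(claims);
        this.refreshTokenCreator.ensureRefreshTokenCreationNotRestricted(grantedScopes);

        String userId = (String) claims.get("user_id");
        String refreshTokenId = (String) claims.get("jti");
        String tokenClientId = (String) claims.get(ClaimConstants.CID);
        Boolean revocableClaim = (Boolean) claims.get(ClaimConstants.REVOCABLE);
        Object grantTypeClaim = claims.get("grant_type");
        if (grantTypeClaim == null) {
            // A token without grant_type used to fail with a NullPointerException; report it as a bad token.
            throw new InvalidTokenException("Invalid refresh token (missing grant_type claim)");
        }
        String grantType = grantTypeClaim.toString();
        String nonce = (String) claims.get(ClaimConstants.NONCE);
        String revocationSignature = (String) claims.get(ClaimConstants.REVOCATION_SIGNATURE);
        Map<String, String> additionalAuthorizationAttributes = (Map<String, String>) claims.get(ClaimConstants.ADDITIONAL_AZ_ATTR);
        Set<String> audience = audienceFromClaims(claims);
        Integer authTimeClaim = (Integer) claims.get(ClaimConstants.AUTH_TIME);
        long expiresAtMillis = expirationMillis(claims);

        // An empty request scope means "everything the refresh token was granted".
        Set<String> requestedScopes = tokenRequest.getScope().isEmpty() ? Sets.newHashSet(grantedScopes) : tokenRequest.getScope();
        String requestedTokenFormat = tokenRequest.getRequestParameters().get(TokenConstants.REQUEST_TOKEN_FORMAT);
        Object requestingClientId = tokenRequest.getClientId();
        if (tokenClientId == null || !tokenClientId.equals(requestingClientId)) {
            throw new InvalidGrantException("Wrong client for this refresh token: " + tokenClientId);
        }
        boolean opaqueRequested = TokenConstants.TokenFormat.OPAQUE.getStringValue().equals(requestedTokenFormat);
        // The new access token is revocable if opaque was asked for or the refresh token itself was revocable.
        boolean revocable = opaqueRequested || (revocableClaim != null && revocableClaim.booleanValue());
        UaaUser user = this.userDatabase.retrieveUserById(userId);
        BaseClientDetails client = (BaseClientDetails) this.clientDetailsService.loadClientByClientId(tokenClientId);
        if (new Date(expiresAtMillis).before(this.timeService.getCurrentDate())) {
            throw new InvalidTokenException("Invalid refresh token expired at " + new Date(expiresAtMillis));
        }
        if (grantedScopes.isEmpty() || !grantedScopes.containsAll(requestedScopes)) {
            throw new InvalidScopeException("Unable to narrow the scope of the client authentication to " + requestedScopes + ".", new HashSet<>(grantedScopes));
        }
        this.approvalService.ensureRequiredApprovals(userId, requestedScopes, grantType, client);
        throwIfInvalidRevocationHashSignature(revocationSignature, user, client);

        Map<String, Object> additionalRootClaims = new HashMap<>();
        if (this.uaaTokenEnhancer != null) {
            // Carry every non-standard root claim of the refresh token into the new access token.
            claims.entrySet().stream()
                    .filter(entry -> !NON_ADDITIONAL_ROOT_CLAIMS.contains(entry.getKey()))
                    .forEach(entry -> additionalRootClaims.put(entry.getKey(), entry.getValue()));
            claims.remove(ClaimConstants.GRANTED_SCOPES);
        }
        // One UserInfo lookup serves both roles and attributes.
        UserInfo userInfo = this.userDatabase.getUserInfo(userId);
        Date authTime = AuthTimeDateConverter.authTimeToDate(authTimeClaim);
        UserAuthenticationData userAuthenticationData = new UserAuthenticationData(authTime, authenticationMethodsAsSet(claims), getAcrAsSet(claims), requestedScopes, rolesAsSet(userInfo), getUserAttributes(userInfo), nonce, grantType, generateUniqueTokenId());
        String accessTokenId = generateUniqueTokenId();
        String encodedRefreshToken = validation.getJwt().getEncoded();
        CompositeToken accessToken = createCompositeToken(accessTokenId, user.getId(), user, authTime, getClientPermissions(client), tokenClientId, audience, encodedRefreshToken, additionalAuthorizationAttributes, additionalRootClaims, revocationSignature, revocable, userAuthenticationData);
        return persistRevocableToken(accessTokenId, accessToken, new CompositeExpiringOAuth2RefreshToken(encodedRefreshToken, new Date(expiresAtMillis), refreshTokenId), tokenClientId, user.getId(), opaqueRequested, revocable);
    }

    /**
     * Rejects a refresh token whose revocation signature no longer matches the current
     * client secret and user state.
     *
     * <p>A token without the claim is accepted without this check. Access tokens issued
     * here drop the claim when it is listed in {@code excludedClaims}; whether the
     * refresh-token creator does the same is not visible in this class.
     *
     * @param revocationSignature the {@code rev_sig}-style claim from the token, may be blank
     * @param uaaUser the token's user
     * @param clientDetails the token's client
     * @throws TokenRevokedException when the claim is present and does not match
     */
    private void throwIfInvalidRevocationHashSignature(String revocationSignature, UaaUser uaaUser, ClientDetails clientDetails) {
        if (!StringUtils.hasText(revocationSignature)) {
            return;
        }
        String expected = UaaTokenUtils.getRevocableTokenSignature(clientDetails, revocationSigningSecret(clientDetails), uaaUser);
        // Constant-time comparison: the value is derived from the client secret.
        if (expected == null || !MessageDigest.isEqual(revocationSignature.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8))) {
            throw new TokenRevokedException("Invalid refresh token: revocable signature mismatch");
        }
    }

    /**
     * Returns the client secret fed into the revocation signature.
     *
     * <p>When the stored secret contains a space, the second space-separated part is used.
     * NOTE(review): presumably the stored form for a client with two secrets; confirm
     * against client provisioning before changing this.
     */
    private static String revocationSigningSecret(ClientDetails clientDetails) {
        String clientSecret = clientDetails.getClientSecret();
        if (clientSecret != null) {
            String[] parts = clientSecret.split(" ");
            if (parts.length > 1) {
                return parts[1];
            }
        }
        return clientSecret;
    }

    /**
     * Reads the {@code exp} claim (seconds since the epoch) as milliseconds.
     *
     * @throws InvalidTokenException when the claim is missing or not numeric
     */
    private static long expirationMillis(Map<String, Object> claims) {
        Object exp = claims.get("exp");
        if (exp == null) {
            throw new InvalidTokenException("Invalid token (missing exp claim)");
        }
        try {
            return Long.parseLong(exp.toString()) * 1000;
        } catch (NumberFormatException e) {
            throw new InvalidTokenException("Invalid token (malformed exp claim)", e);
        }
    }

    /** Reads the {@code aud} claim as a set; a missing claim yields an empty set. */
    @SuppressWarnings("unchecked")
    private static Set<String> audienceFromClaims(Map<String, Object> claims) {
        Object aud = claims.get("aud");
        return aud == null ? new HashSet<>() : new HashSet<>((Collection<String>) aud);
    }

    /** Returns the {@code acr.values} entries, or {@code null} when there is no {@code acr} claim. */
    @SuppressWarnings("unchecked")
    private Set<String> getAcrAsSet(Map<String, Object> claims) {
        Map<String, Object> acr = (Map<String, Object>) claims.get("acr");
        if (acr == null) {
            return null;
        }
        return new HashSet<>((Collection<String>) acr.get("values"));
    }

    /** User attributes from {@link UserInfo}, or an empty map when there is no user info. */
    private MultiValueMap<String, String> getUserAttributes(UserInfo userInfo) {
        return userInfo != null ? userInfo.getUserAttributes() : new LinkedMultiValueMap<>();
    }

    /** Roles from {@link UserInfo} as a set; empty when there is no user info or no roles. */
    private HashSet<String> rolesAsSet(UserInfo userInfo) {
        if (userInfo == null) {
            return Sets.newHashSet();
        }
        Collection<String> roles = userInfo.getRoles();
        return roles == null ? Sets.newHashSet() : Sets.newHashSet(roles);
    }

    /** The {@code amr} claim as a set; empty when absent. */
    @SuppressWarnings("unchecked")
    private HashSet<String> authenticationMethodsAsSet(Map<String, Object> claims) {
        Collection<String> amr = (Collection<String>) claims.get(ClaimConstants.AMR);
        return amr == null ? Sets.newHashSet() : Sets.newHashSet(amr);
    }

    /**
     * Builds and signs the access token (and the ID token when the granter allows it)
     * and publishes a {@link TokenIssuedEvent}.
     *
     * @param tokenId the access token's {@code jti}
     * @param userId user id, {@code null} for client-only tokens
     * @param user the user, {@code null} for client-only tokens
     * @param authTime authentication time, may be {@code null}
     * @param authorities authorities written to the {@code authorities} claim for client_credentials
     * @param clientId the client the token is issued to
     * @param resourceIds the {@code aud} claim
     * @param refreshTokenValue refresh token to attach, may be {@code null}
     * @param additionalAuthorizationAttributes the {@code az_attr}-style claim, may be {@code null}
     * @param additionalRootClaims extra root claims, may be {@code null}
     * @param revocationSignature revocation signature claim, may be blank
     * @param revocable whether the {@code revocable} claim is set
     * @param userAuthenticationData scopes, grant type, nonce and ID-token inputs
     * @return the signed token; its value is the encoded JWT
     * @throws InvalidTokenException when no scopes were granted
     * @throws InternalAuthenticationServiceException when no signing key is active
     * @throws IllegalStateException when either token cannot be serialised
     */
    private CompositeToken createCompositeToken(String tokenId, String userId, UaaUser user, Date authTime, Collection<GrantedAuthority> authorities, String clientId, Set<String> resourceIds, String refreshTokenValue, Map<String, String> additionalAuthorizationAttributes, Map<String, Object> additionalRootClaims, String revocationSignature, boolean revocable, UserAuthenticationData userAuthenticationData) throws AuthenticationException {
        CompositeToken accessToken = new CompositeToken(tokenId);
        accessToken.setExpiration(this.accessTokenValidityResolver.resolve(clientId));
        accessToken.setRefreshToken(refreshTokenValue == null ? null : new DefaultOAuth2RefreshToken(refreshTokenValue));
        Set<String> scopes = userAuthenticationData.scopes;
        String grantType = userAuthenticationData.grantType;
        if (null == scopes || scopes.isEmpty()) {
            this.logger.debug("No scopes were granted");
            throw new InvalidTokenException("No scopes were granted");
        }
        accessToken.setScope(scopes);
        Map<String, Object> additionalInformation = new ConcurrentHashMap<>();
        additionalInformation.put("jti", accessToken.getValue());
        if (null != additionalAuthorizationAttributes) {
            additionalInformation.put(ClaimConstants.ADDITIONAL_AZ_ATTR, additionalAuthorizationAttributes);
        }
        String nonce = userAuthenticationData.nonce;
        if (nonce != null) {
            additionalInformation.put(ClaimConstants.NONCE, nonce);
        }
        accessToken.setAdditionalInformation(additionalInformation);
        // Resolve the signing key once for both tokens. The ID-token path previously used the raw
        // key service, so a missing key surfaced as a misleading "Cannot convert id token to JSON".
        KeyInfo signingKey = getActiveKeyInfo();
        try {
            Map<String, ?> accessTokenClaims = createJWTAccessToken(accessToken, userId, user, authTime, authorities, scopes, clientId, resourceIds, grantType, revocationSignature, revocable, additionalRootClaims);
            accessToken.setValue(JwtHelper.encode(JsonUtils.writeValueAsString(accessTokenClaims), signingKey).getEncoded());
            BaseClientDetails client = (BaseClientDetails) this.clientDetailsService.loadClientByClientId(clientId);
            if (this.idTokenGranter.shouldSendIdToken(userId, client, scopes, grantType)) {
                try {
                    accessToken.setIdTokenValue(JwtHelper.encode(JsonUtils.writeValueAsString(this.idTokenCreator.create(clientId, userId, userAuthenticationData)), signingKey).getEncoded());
                } catch (RuntimeException | IdTokenCreationException e) {
                    throw new IllegalStateException("Cannot convert id token to JSON", e);
                }
            }
            publish(new TokenIssuedEvent(accessToken, SecurityContextHolder.getContext().getAuthentication()));
            return accessToken;
        } catch (JsonUtils.JsonUtilException e) {
            throw new IllegalStateException("Cannot convert access token to JSON", e);
        }
    }

    /**
     * The active signing key.
     *
     * @throws InternalAuthenticationServiceException when the key service has no active key
     */
    private KeyInfo getActiveKeyInfo() {
        return Optional.ofNullable(this.keyInfoService.getActiveKey())
                .orElseThrow(() -> new InternalAuthenticationServiceException("Unable to sign token, misconfigured JWT signing keys"));
    }

    /**
     * Assembles the access-token claim set.
     *
     * <p>{@code sub} is the client id for client-only tokens and the user id when a user
     * is present. The {@code authorities} claim is written only for the client_credentials
     * grant. {@code iss} and {@code zid} are written only when a token endpoint URL is
     * configured. Every claim named in {@code excludedClaims} is removed last, so it can
     * drop any of the above, including {@code aud} and the revocation signature.
     *
     * @return an insertion-ordered claim map ready for JSON serialisation
     */
    private Map<String, ?> createJWTAccessToken(OAuth2AccessToken token, String userId, UaaUser user, Date authTime, Collection<GrantedAuthority> authorities, Set<String> scopes, String clientId, Set<String> resourceIds, String grantType, String revocationSignature, boolean revocable, Map<String, Object> additionalRootClaims) {
        Map<String, Object> claims = new LinkedHashMap<>();
        claims.put("jti", token.getAdditionalInformation().get("jti"));
        claims.putAll(token.getAdditionalInformation());
        if (additionalRootClaims != null) {
            claims.putAll(additionalRootClaims);
        }
        claims.put("sub", clientId);
        if (TokenConstants.GRANT_TYPE_CLIENT_CREDENTIALS.equals(grantType)) {
            claims.put("authorities", AuthorityUtils.authorityListToSet(authorities));
        }
        claims.put("scope", scopes);
        claims.put("client_id", clientId);
        claims.put(ClaimConstants.CID, clientId);
        claims.put(ClaimConstants.AZP, clientId);
        if (revocable) {
            claims.put(ClaimConstants.REVOCABLE, true);
        }
        if (null != grantType) {
            claims.put("grant_type", grantType);
        }
        if (user != null && userId != null) {
            claims.put("user_id", userId);
            String origin = user.getOrigin();
            if (StringUtils.hasLength(origin)) {
                claims.put("origin", origin);
            }
            String username = user.getUsername();
            claims.put("user_name", username == null ? userId : username);
            String email = user.getEmail();
            if (email != null) {
                claims.put("email", email);
            }
            if (authTime != null) {
                claims.put(ClaimConstants.AUTH_TIME, Long.valueOf(authTime.getTime() / 1000));
            }
            // User tokens are subject-identified by the user, overriding the client id set above.
            claims.put("sub", userId);
        }
        if (StringUtils.hasText(revocationSignature)) {
            claims.put(ClaimConstants.REVOCATION_SIGNATURE, revocationSignature);
        }
        claims.put(ClaimConstants.IAT, Long.valueOf(this.timeService.getCurrentTimeMillis() / 1000));
        claims.put("exp", Long.valueOf(token.getExpiration().getTime() / 1000));
        if (this.tokenEndpointBuilder.getTokenEndpoint() != null) {
            claims.put(ClaimConstants.ISS, this.tokenEndpointBuilder.getTokenEndpoint());
            claims.put(ClaimConstants.ZONE_ID, IdentityZoneHolder.get().getId());
        }
        claims.put("aud", resourceIds);
        Set<String> excluded = getExcludedClaims();
        if (excluded != null) {
            for (String claimName : excluded) {
                claims.remove(claimName);
            }
        }
        return claims;
    }

    /**
     * Issues a new access token (and, when the client may use the refresh_token grant, a
     * refresh token) for a completed authorization.
     *
     * <p>For user authentications the user's group membership is checked against the
     * client's required groups before anything is issued. Opaque/revocable handling follows
     * {@link #isOpaqueTokenRequired} and the active zone's {@link TokenPolicy}.
     *
     * @param authentication the authenticated client (and optionally user) plus the OAuth2 request
     * @return the issued token, opaque or JWT depending on request and policy
     * @throws InvalidTokenException when the user does not meet the client's required groups
     *         or no scopes were granted
     */
    @Override
    public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication) throws AuthenticationException {
        OAuth2Request request = authentication.getOAuth2Request();
        String clientId = request.getClientId();
        BaseClientDetails client = (BaseClientDetails) this.clientDetailsService.loadClientByClientId(clientId, IdentityZoneHolder.get().getId());
        Collection<GrantedAuthority> authorities;
        String userId = null;
        Date authTime = null;
        UaaUser user = null;
        Set<String> authenticationMethods = null;
        Set<String> authContextClassRef = null;
        if (authentication.isClientOnly()) {
            authorities = client.getAuthorities();
        } else {
            authorities = getClientPermissions(client);
            userId = getUserId(authentication);
            user = this.userDatabase.retrieveUserById(userId);
            if (authentication.getUserAuthentication() instanceof UaaAuthentication) {
                UaaAuthentication userAuthentication = (UaaAuthentication) authentication.getUserAuthentication();
                authTime = new Date(userAuthentication.getAuthenticatedTime());
                authenticationMethods = userAuthentication.getAuthenticationMethods();
                authContextClassRef = userAuthentication.getAuthContextClassRef();
            }
            validateRequiredUserGroups(user, client);
        }
        String revocationSignature = UaaTokenUtils.getRevocableTokenSignature(client, revocationSigningSecret(client), user);
        String accessTokenId = generateUniqueTokenId();
        boolean opaqueRequired = isOpaqueTokenRequired(authentication);
        boolean accessTokenRevocable = opaqueRequired || getActiveTokenPolicy().isJwtRevocable();
        boolean refreshTokenRevocable = accessTokenRevocable || TokenConstants.TokenFormat.OPAQUE.getStringValue().equals(getActiveTokenPolicy().getRefreshTokenFormat());
        Map<String, Object> additionalRootClaims = null;
        if (this.uaaTokenEnhancer != null) {
            additionalRootClaims = new HashMap<>(this.uaaTokenEnhancer.enhance(Collections.emptyMap(), authentication));
        }
        CompositeExpiringOAuth2RefreshToken refreshToken = null;
        if (client.getAuthorizedGrantTypes().contains("refresh_token")) {
            refreshToken = this.refreshTokenCreator.createRefreshToken(user, new RefreshTokenRequestData(request.getGrantType(), request.getScope(), authenticationMethods, request.getRequestParameters().get("authorities"), request.getResourceIds(), clientId, refreshTokenRevocable, authTime, authContextClassRef, additionalRootClaims), revocationSignature);
        }
        Map<String, String> requestParameters = request.getRequestParameters();
        // The grant type claim comes from the raw request parameter, not OAuth2Request.getGrantType().
        String grantType = requestParameters.get("grant_type");
        Set<String> externalGroups = Sets.newHashSet();
        Map<String, List<String>> userAttributes = Maps.newHashMap();
        if (authentication.getUserAuthentication() instanceof UaaAuthentication) {
            UaaAuthentication userAuthentication = (UaaAuthentication) authentication.getUserAuthentication();
            externalGroups = userAuthentication.getExternalGroups();
            userAttributes = userAuthentication.getUserAttributes();
        }
        String nonce = requestParameters.get(ClaimConstants.NONCE);
        UserAuthenticationData userAuthenticationData = new UserAuthenticationData(authTime, authenticationMethods, authContextClassRef, new LinkedHashSet<>(request.getScope()), externalGroups, userAttributes, nonce, grantType, accessTokenId);
        CompositeToken accessToken = createCompositeToken(accessTokenId, userId, user, authTime, authorities, clientId, request.getResourceIds(), refreshToken != null ? refreshToken.getValue() : null, new AuthorizationAttributesParser().getAdditionalAuthorizationAttributes(requestParameters.get("authorities")), additionalRootClaims, revocationSignature, accessTokenRevocable, userAuthenticationData);
        return persistRevocableToken(accessTokenId, accessToken, refreshToken, clientId, userId, opaqueRequired, accessTokenRevocable);
    }

    /** Token policy of the current identity zone (not the one passed to the constructor). */
    private TokenPolicy getActiveTokenPolicy() {
        return IdentityZoneHolder.get().getConfig().getTokenPolicy();
    }

    /** The client's configured scopes wrapped as authorities. */
    private Collection<GrantedAuthority> getClientPermissions(ClientDetails clientDetails) {
        List<GrantedAuthority> permissions = new ArrayList<>();
        for (String scope : clientDetails.getScope()) {
            permissions.add(new XOAuthUserAuthority(scope));
        }
        return permissions;
    }

    /**
     * Enforces the client's {@code required_user_groups} against the user's authorities.
     *
     * @throws InvalidTokenException when the user lacks a required group
     */
    private void validateRequiredUserGroups(UaaUser uaaUser, ClientDetails clientDetails) {
        Collection<String> requiredGroups = (Collection<String>) Optional.ofNullable((Collection<String>) clientDetails.getAdditionalInformation().get(ClientConstants.REQUIRED_USER_GROUPS)).orElse(Collections.emptySet());
        if (!UaaTokenUtils.hasRequiredUserAuthorities(requiredGroups, uaaUser.getAuthorities())) {
            throw new InvalidTokenException("User does not meet the client's required group criteria.");
        }
    }

    /**
     * Stores the access token (when revocable) and the refresh token (when revocable by
     * policy or opaque) and returns the token as it is handed to the client: the stored id
     * instead of the JWT when the token is opaque.
     *
     * @param tokenId the access token id
     * @param accessToken the signed access token
     * @param refreshToken the refresh token, may be {@code null}
     * @param clientId owning client
     * @param userId owning user, {@code null} for client-only tokens
     * @param opaque whether the access token is returned as an opaque id
     * @param revocable whether the access token is stored
     * @return the client-facing token
     */
    CompositeToken persistRevocableToken(String tokenId, CompositeToken accessToken, CompositeExpiringOAuth2RefreshToken refreshToken, String clientId, String userId, boolean opaque, boolean revocable) {
        String scope = accessToken.getScope().toString();
        long now = this.timeService.getCurrentTimeMillis();
        String zoneId = IdentityZoneHolder.get().getId();
        if (revocable) {
            RevocableToken storedAccessToken = new RevocableToken().setTokenId(tokenId).setClientId(clientId).setExpiresAt(accessToken.getExpiration().getTime()).setIssuedAt(now).setFormat(opaque ? TokenConstants.TokenFormat.OPAQUE.getStringValue() : TokenConstants.TokenFormat.JWT.getStringValue()).setResponseType(RevocableToken.TokenType.ACCESS_TOKEN).setZoneId(zoneId).setUserId(userId).setScope(scope).setValue(accessToken.getValue());
            try {
                this.tokenProvisioning.create(storedAccessToken, zoneId);
            } catch (DuplicateKeyException e) {
                // Same id already stored: overwrite rather than fail the issuance.
                this.tokenProvisioning.update(tokenId, storedAccessToken, zoneId);
            }
        }
        boolean refreshTokenOpaque = opaque || TokenConstants.TokenFormat.OPAQUE.getStringValue().equals(getActiveTokenPolicy().getRefreshTokenFormat());
        boolean refreshTokenRevocable = refreshTokenOpaque || getActiveTokenPolicy().isJwtRevocable();
        boolean refreshTokenUnique = getActiveTokenPolicy().isRefreshTokenUnique();
        if (refreshToken != null && refreshTokenRevocable) {
            RevocableToken storedRefreshToken = new RevocableToken().setTokenId(refreshToken.getJti()).setClientId(clientId).setExpiresAt(refreshToken.getExpiration().getTime()).setIssuedAt(now).setFormat(refreshTokenOpaque ? TokenConstants.TokenFormat.OPAQUE.getStringValue() : TokenConstants.TokenFormat.JWT.getStringValue()).setResponseType(RevocableToken.TokenType.REFRESH_TOKEN).setZoneId(zoneId).setUserId(userId).setScope(scope).setValue(refreshToken.getValue());
            if (refreshTokenUnique) {
                try {
                    // "Unique" policy: a new refresh token replaces all earlier ones for this client/user.
                    this.tokenProvisioning.deleteRefreshTokensForClientAndUserId(clientId, userId, zoneId);
                } catch (DuplicateKeyException ignored) {
                    // Deliberately ignored (pre-existing behaviour); a delete is not expected to raise this.
                }
            }
            this.tokenProvisioning.create(storedRefreshToken, zoneId);
        }
        CompositeToken response = new CompositeToken(opaque ? tokenId : accessToken.getValue());
        response.setIdTokenValue(accessToken.getIdTokenValue());
        response.setExpiration(accessToken.getExpiration());
        response.setAdditionalInformation(accessToken.getAdditionalInformation());
        response.setScope(accessToken.getScope());
        response.setTokenType(accessToken.getTokenType());
        response.setRefreshToken(buildRefreshTokenResponse(refreshToken, refreshTokenOpaque));
        return response;
    }

    /** The refresh token as returned to the client: its id when opaque, else its full value. */
    private OAuth2RefreshToken buildRefreshTokenResponse(CompositeExpiringOAuth2RefreshToken refreshToken, boolean opaque) {
        if (refreshToken == null) {
            return null;
        }
        return new DefaultOAuth2RefreshToken(opaque ? refreshToken.getJti() : refreshToken.getValue());
    }

    /** True when the request asks for an opaque token or uses the user_token grant. */
    boolean isOpaqueTokenRequired(OAuth2Authentication authentication) {
        Map<String, String> requestParameters = authentication.getOAuth2Request().getRequestParameters();
        return TokenConstants.TokenFormat.OPAQUE.getStringValue().equals(requestParameters.get(TokenConstants.REQUEST_TOKEN_FORMAT))
                || TokenConstants.GRANT_TYPE_USER_TOKEN.equals(requestParameters.get("grant_type"));
    }

    private String getUserId(OAuth2Authentication authentication) {
        return Origin.getUserId(authentication.getUserAuthentication());
    }

    /** Random token id (UUID without dashes). */
    private String generateUniqueTokenId() {
        return UUID.randomUUID().toString().replace("-", "");
    }

    public void setUserDatabase(UaaUserDatabase uaaUserDatabase) {
        this.userDatabase = uaaUserDatabase;
    }

    /**
     * Decodes a presented access token into an {@link OAuth2Authentication}.
     *
     * <p>For user tokens the principal is re-read from the user database and given the
     * fixed {@code UaaAuthority.USER_AUTHORITIES}; for client tokens the authorities come
     * from the token's {@code authorities} claim, defaulting to the zone's default groups.
     *
     * @param accessTokenValue the bearer token
     * @return an authenticated {@link UaaOauth2Authentication}
     * @throws InvalidTokenException when the token is empty, invalid or expired
     */
    @Override
    @SuppressWarnings("unchecked")
    public OAuth2Authentication loadAuthentication(String accessTokenValue) throws AuthenticationException {
        if (StringUtils.isEmpty(accessTokenValue)) {
            // Only emptiness is checked here; the message's length wording is kept verbatim.
            throw new InvalidTokenException("Invalid access token value, must be at least 30 characters");
        }
        TokenValidation validation = this.tokenValidationService.validateToken(accessTokenValue, true).checkJti();
        Map<String, Object> claims = validation.getClaims();
        String encodedJwt = validation.getJwt().getEncoded();
        long expiresAtMillis = expirationMillis(claims);
        if (new Date(expiresAtMillis).before(this.timeService.getCurrentDate())) {
            throw new InvalidTokenException("Invalid access token: expired at " + new Date(expiresAtMillis));
        }
        AuthorizationRequest authorizationRequest = new AuthorizationRequest((String) claims.get("client_id"), (Collection<String>) claims.get("scope"));
        authorizationRequest.setResourceIds(Collections.unmodifiableSet(audienceFromClaims(claims)));
        authorizationRequest.setApproved(true);
        List<GrantedAuthority> authorities = AuthorityUtils.commaSeparatedStringToAuthorityList(StringUtils.collectionToCommaDelimitedString(IdentityZoneHolder.get().getConfig().getUserConfig().getDefaultGroups()));
        Object authoritiesClaim = claims.get("authorities");
        if (authoritiesClaim instanceof String) {
            authorities = AuthorityUtils.commaSeparatedStringToAuthorityList((String) authoritiesClaim);
        } else if (authoritiesClaim instanceof Collection) {
            authorities = AuthorityUtils.commaSeparatedStringToAuthorityList(StringUtils.collectionToCommaDelimitedString((Collection<?>) authoritiesClaim));
        }
        UaaAuthentication userAuthentication = null;
        if (claims.containsKey("user_id")) {
            userAuthentication = new UaaAuthentication(new UaaPrincipal(this.userDatabase.retrieveUserById((String) claims.get("user_id"))), UaaAuthority.USER_AUTHORITIES, null);
        } else {
            authorizationRequest.setAuthorities(authorities);
        }
        UaaOauth2Authentication result = new UaaOauth2Authentication(encodedJwt, IdentityZoneHolder.get().getId(), authorizationRequest.createOAuth2Request(), userAuthentication);
        result.setAuthenticated(true);
        return result;
    }

    /** Scopes a refresh token was granted: {@code granted_scopes} when present, else {@code scope}. */
    @SuppressWarnings("unchecked")
    private ArrayList<String> getScopesFromRefreshToken(Map<String, Object> claims) {
        return claims.containsKey(ClaimConstants.GRANTED_SCOPES) ? (ArrayList<String>) claims.get(ClaimConstants.GRANTED_SCOPES) : (ArrayList<String>) claims.get("scope");
    }

    /**
     * Decodes a presented access token into an {@link OAuth2AccessToken}, re-checking the
     * user's approvals for the token's scopes when it is a user token.
     *
     * @throws InvalidTokenException when the {@code exp} claim is missing or malformed
     */
    @Override
    @SuppressWarnings("unchecked")
    public OAuth2AccessToken readAccessToken(String accessTokenValue) {
        TokenValidation validation = this.tokenValidationService.validateToken(accessTokenValue, true).checkJti();
        Map<String, Object> claims = validation.getClaims();
        CompositeToken token = new CompositeToken(validation.getJwt().getEncoded());
        token.setTokenType(OAuth2AccessToken.BEARER_TYPE);
        token.setExpiration(new Date(expirationMillis(claims)));
        Collection<String> scopes = (Collection<String>) claims.get("scope");
        if (null != scopes && !scopes.isEmpty()) {
            token.setScope(new HashSet<>(scopes));
        }
        String clientId = (String) claims.get(ClaimConstants.CID);
        String userId = (String) claims.get("user_id");
        BaseClientDetails client = (BaseClientDetails) this.clientDetailsService.loadClientByClientId(clientId, IdentityZoneHolder.get().getId());
        if (null != userId) {
            this.approvalService.ensureRequiredApprovals(userId, scopes, (String) claims.get("grant_type"), client);
        }
        return token;
    }

    /** Not supported: tokens are never looked up by authentication. Always {@code null}. */
    @Override
    public OAuth2AccessToken getAccessToken(OAuth2Authentication authentication) {
        return null;
    }

    public void setClientDetailsService(ClientServicesExtension clientServicesExtension) {
        this.clientDetailsService = clientServicesExtension;
    }

    /** Publishes the event when a publisher has been wired; silently skipped otherwise. */
    private void publish(TokenIssuedEvent tokenIssuedEvent) {
        if (this.applicationEventPublisher != null) {
            this.applicationEventPublisher.publishEvent((ApplicationEvent) tokenIssuedEvent);
        }
    }

    public void setTokenPolicy(TokenPolicy tokenPolicy) {
        this.tokenPolicy = tokenPolicy;
    }

    public TokenPolicy getTokenPolicy() {
        return this.tokenPolicy;
    }

    public void setTokenEndpointBuilder(TokenEndpointBuilder tokenEndpointBuilder) {
        this.tokenEndpointBuilder = tokenEndpointBuilder;
    }

    public void setTimeService(TimeService timeService) {
        this.timeService = timeService;
    }

    public void setKeyInfoService(KeyInfoService keyInfoService) {
        this.keyInfoService = keyInfoService;
    }
}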
