package leap.oauth2.server.endpoint.token;

import java.util.function.Consumer;
import leap.core.annotation.Inject;
import leap.lang.Strings;
import leap.oauth2.server.OAuth2AuthzServerConfig;
import leap.oauth2.server.OAuth2Errors;
import leap.oauth2.server.OAuth2Params;
import leap.oauth2.server.Oauth2MessageKey;
import leap.oauth2.server.authc.SimpleAuthzAuthentication;
import leap.oauth2.server.client.AuthzClient;
import leap.oauth2.server.client.AuthzClientCredentials;
import leap.oauth2.server.client.AuthzClientManager;
import leap.oauth2.server.token.AuthzAccessToken;
import leap.oauth2.server.token.AuthzRefreshToken;
import leap.oauth2.server.token.AuthzTokenManager;
import leap.web.Request;
import leap.web.Response;
import leap.web.security.SecurityConfig;
import leap.web.security.authc.AuthenticationManager;
import leap.web.security.user.UserDetails;
import leap.web.security.user.UserManager;

/* loaded from: input_file:leap/oauth2/server/endpoint/token/RefreshTokenGrantTypeHandler.class */
/**
 * Handles the OAuth2 {@code refresh_token} grant: validates the presented refresh token, the
 * user and client bound to it, and then asks the token manager for a new access token.
 *
 * <p>Validation order, as implemented below:
 * <ol>
 *   <li>the {@code refresh_token} parameter must be present;</li>
 *   <li>the token must be known to {@link AuthzTokenManager};</li>
 *   <li>the token must not be expired (an expired token is removed);</li>
 *   <li>unless the token is client-only, its user must exist and be enabled (otherwise the
 *       token is removed);</li>
 *   <li>if the token carries a client id, the caller must authenticate as that client and the
 *       client must be enabled (a disabled client causes the token to be removed).</li>
 * </ol>
 *
 * <p>NOTE(review): steps 2-4 run before client authentication and answer with distinct error
 * descriptions, so a caller that has not yet authenticated as a client can tell "unknown",
 * "expired" and "invalid user" apart. Confirm this ordering is intended.
 *
 * <p>NOTE(review): whether the refresh token is rotated or invalidated after use is decided
 * inside {@code AuthzTokenManager.createAccessToken} and is not visible in this class.
 */
public class RefreshTokenGrantTypeHandler extends AbstractGrantTypeHandler implements GrantTypeHandler {

    @Inject
    protected OAuth2AuthzServerConfig config;

    @Inject
    protected AuthzTokenManager tokenManager;

    @Inject
    protected AuthenticationManager authcManager;

    @Inject
    protected AuthzClientManager clientManager;

    @Inject
    protected SecurityConfig sc;

    @Inject
    protected UserManager um;

    /**
     * Processes one refresh-token request.
     *
     * <p>On any validation failure an error is reported through {@code handleError} (or by the
     * client-authentication helpers) and {@code consumer} is never invoked.
     *
     * @param request      the incoming web request
     * @param response     the response that error handlers write to
     * @param oAuth2Params parsed OAuth2 parameters; supplies the {@code refresh_token} value
     * @param consumer     receives the newly created access token on success
     */
    @Override // leap.oauth2.server.endpoint.token.GrantTypeHandler
    public void handleRequest(Request request, Response response, OAuth2Params oAuth2Params, Consumer<AuthzAccessToken> consumer) {
        final String presentedToken = oAuth2Params.getRefreshToken();

        // Guard 1: the parameter itself is mandatory.
        if (Strings.isEmpty(presentedToken)) {
            handleError(request, response, oAuth2Params, getOauth2Error(
                    key -> OAuth2Errors.invalidRequestError(request, key, "refresh_token required"),
                    Oauth2MessageKey.INVALID_REQUEST_REFRESH_TOKEN_REQUIRED, new Object[0]));
            return;
        }

        // Guard 2: the token must be one the token manager knows about.
        final AuthzRefreshToken stored = this.tokenManager.loadRefreshToken(presentedToken);
        if (stored == null) {
            // NOTE(review): the raw token value is handed over as a message argument here and in
            // the branches below; confirm it is not rendered into responses or log output.
            handleError(request, response, oAuth2Params, getOauth2Error(
                    key -> OAuth2Errors.invalidGrantError(request, key, "invalid refresh token"),
                    Oauth2MessageKey.ERROR_INVALID_GRANT_INVALID_REFRESH_TOKEN, presentedToken));
            return;
        }

        // Guard 3: expired tokens are purged before the error is reported.
        if (stored.isExpired()) {
            this.tokenManager.removeRefreshToken(stored);
            handleError(request, response, oAuth2Params, getOauth2Error(
                    key -> OAuth2Errors.invalidGrantError(request, key, "refresh token expired"),
                    Oauth2MessageKey.ERROR_INVALID_GRANT_REFRESH_TOKEN_EXPIRED, presentedToken));
            return;
        }

        // Guard 4: a user-bound token is only honoured while its user exists and is enabled;
        // otherwise the token is removed so it cannot be presented again.
        UserDetails storedUser = null;
        if (!stored.isClientOnly()) {
            storedUser = this.sc.getUserStore().loadUserDetailsByIdString(stored.getUserId());
            if (storedUser == null || !storedUser.isEnabled()) {
                this.tokenManager.removeRefreshToken(stored);
                handleError(request, response, oAuth2Params, getOauth2Error(
                        key -> OAuth2Errors.invalidGrantError(request, key, "invalid user"),
                        Oauth2MessageKey.INVALID_REQUEST_INVALID_USERNAME, stored.getUserId()));
                return;
            }
        }

        // Guard 5: client binding. Only enforced when the stored token names a client.
        // NOTE(review): a token stored without a client id skips client authentication
        // entirely; confirm such tokens are only ever issued where that is acceptable.
        AuthzClient client = null;
        if (!Strings.isEmpty(stored.getClientId())) {
            client = authcClient(request, response, oAuth2Params);
            if (client == null) {
                // Nothing is written here; presumably the authentication helpers have
                // already produced the error response - verify against the base class.
                return;
            }

            final String clientId = client.mo4getId();
            if (!Strings.equals(stored.getClientId(), clientId)) {
                // A token presented by a different (authenticated) client is rejected,
                // but unlike the other failure paths it is not removed.
                handleError(request, response, oAuth2Params, getOauth2Error(
                        key -> OAuth2Errors.invalidGrantError(request, key, "this refresh token is not for client " + clientId),
                        Oauth2MessageKey.ERROR_INVALID_GRANT_INVALID_REFRESH_TOKEN, presentedToken));
                return;
            }
            if (!client.isEnabled()) {
                this.tokenManager.removeRefreshToken(stored);
                handleError(request, response, oAuth2Params, getOauth2Error(
                        key -> OAuth2Errors.invalidGrantError(request, key, "invalid client"),
                        Oauth2MessageKey.INVALID_REQUEST_INVALID_CLIENT, stored.getClientId()));
                return;
            }
        }

        // All checks passed: resolve the user through the user manager (only when the token
        // is user-bound) and issue the access token against the stored refresh token.
        final UserDetails grantUser = (storedUser == null) ? null : this.um.getUserDetails(storedUser);
        final SimpleAuthzAuthentication authentication = new SimpleAuthzAuthentication(oAuth2Params, client, grantUser);
        consumer.accept(this.tokenManager.createAccessToken(authentication, stored));
    }

    /**
     * Authenticates the calling client from the credentials carried by the request.
     *
     * @param request      the incoming web request
     * @param response     the response that error handlers write to
     * @param oAuth2Params parsed OAuth2 parameters
     * @return the authenticated client, or {@code null} when credentials could not be
     *         extracted, secret validation returned nothing, or validation threw
     */
    protected AuthzClient authcClient(Request request, Response response, OAuth2Params oAuth2Params) {
        final AuthzClientCredentials credentials = extractClientCredentials(request, response, oAuth2Params);
        if (credentials == null) {
            return null;
        }
        try {
            // A null result from validation is passed straight through to the caller.
            return validateClientSecret(request, response, credentials);
        } catch (Throwable failure) {
            // NOTE(review): the exception message is forwarded to serverError as-is. If that
            // text reaches the HTTP response it can disclose internal details (storage errors,
            // class names); confirm, and prefer a fixed description plus server-side logging.
            // Catching Throwable also absorbs JVM Errors, not only Exceptions.
            OAuth2Errors.serverError(request, response, null, failure.getMessage());
            return null;
        }
    }
}
