package org.apereo.cas.support.oauth.web.response.accesstoken;

import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationBuilder;
import org.apereo.cas.authentication.DefaultAuthenticationBuilder;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.support.Beans;
import org.apereo.cas.support.oauth.OAuth20Constants;
import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
import org.apereo.cas.support.oauth.validator.token.device.InvalidOAuth20DeviceTokenException;
import org.apereo.cas.support.oauth.validator.token.device.ThrottledOAuth20DeviceUserCodeApprovalException;
import org.apereo.cas.support.oauth.validator.token.device.UnapprovedOAuth20DeviceUserCodeException;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenRequestContext;
import org.apereo.cas.ticket.OAuth20Token;
import org.apereo.cas.ticket.Ticket;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessTokenFactory;
import org.apereo.cas.ticket.device.OAuth20DeviceToken;
import org.apereo.cas.ticket.device.OAuth20DeviceTokenFactory;
import org.apereo.cas.ticket.device.OAuth20DeviceUserCode;
import org.apereo.cas.ticket.device.OAuth20DeviceUserCodeFactory;
import org.apereo.cas.ticket.refreshtoken.OAuth20RefreshToken;
import org.apereo.cas.ticket.refreshtoken.OAuth20RefreshTokenFactory;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.jooq.lambda.Unchecked;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oauth-core-api-6.6.10.jar:org/apereo/cas/support/oauth/web/response/accesstoken/OAuth20DefaultTokenGenerator.class */
public class OAuth20DefaultTokenGenerator implements OAuth20TokenGenerator {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) OAuth20DefaultTokenGenerator.class);
    protected final OAuth20AccessTokenFactory accessTokenFactory;
    protected final OAuth20DeviceTokenFactory deviceTokenFactory;
    protected final OAuth20DeviceUserCodeFactory deviceUserCodeFactory;
    protected final OAuth20RefreshTokenFactory refreshTokenFactory;
    protected final TicketRegistry ticketRegistry;
    protected final CasConfigurationProperties casProperties;

    /* JADX WARN: Type inference failed for: r0v1, types: [org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20TokenGeneratedResult$OAuth20TokenGeneratedResultBuilder] */
    private static OAuth20TokenGeneratedResult generateAccessTokenResult(AccessTokenRequestContext accessTokenRequestContext, Pair<OAuth20AccessToken, OAuth20RefreshToken> pair) {
        return OAuth20TokenGeneratedResult.builder().registeredService(accessTokenRequestContext.getRegisteredService()).accessToken(pair.getKey()).refreshToken(pair.getValue()).grantType(accessTokenRequestContext.getGrantType()).responseType(accessTokenRequestContext.getResponseType()).build();
    }

    @Override // org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20TokenGenerator
    public OAuth20TokenGeneratedResult generate(AccessTokenRequestContext accessTokenRequestContext) throws Exception {
        return OAuth20ResponseTypes.DEVICE_CODE.equals(accessTokenRequestContext.getResponseType()) ? generateAccessTokenOAuthDeviceCodeResponseType(accessTokenRequestContext) : generateAccessTokenResult(accessTokenRequestContext, generateAccessTokenOAuthGrantTypes(accessTokenRequestContext));
    }

    /* JADX WARN: Type inference failed for: r0v46, types: [org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenRequestContext$AccessTokenRequestContextBuilder] */
    /* JADX WARN: Type inference failed for: r0v7, types: [org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20TokenGeneratedResult$OAuth20TokenGeneratedResultBuilder] */
    protected OAuth20TokenGeneratedResult generateAccessTokenOAuthDeviceCodeResponseType(AccessTokenRequestContext accessTokenRequestContext) throws Exception {
        String deviceCode = accessTokenRequestContext.getDeviceCode();
        if (!StringUtils.isNotBlank(deviceCode)) {
            Pair<OAuth20DeviceToken, OAuth20DeviceUserCode> createDeviceTokensInTicketRegistry = createDeviceTokensInTicketRegistry(accessTokenRequestContext);
            return OAuth20TokenGeneratedResult.builder().responseType(accessTokenRequestContext.getResponseType()).registeredService(accessTokenRequestContext.getRegisteredService()).deviceCode(createDeviceTokensInTicketRegistry.getLeft().getId()).userCode(createDeviceTokensInTicketRegistry.getValue().getId()).build();
        }
        OAuth20DeviceToken deviceTokenFromTicketRegistry = getDeviceTokenFromTicketRegistry(deviceCode);
        if (getDeviceUserCodeFromRegistry(deviceTokenFromTicketRegistry).isUserCodeApproved()) {
            LOGGER.debug("Provided user code [{}] linked to device code [{}] is approved", deviceTokenFromTicketRegistry.getId(), deviceCode);
            this.ticketRegistry.deleteTicket(deviceCode);
            AccessTokenRequestContext build = AccessTokenRequestContext.builder().service(accessTokenRequestContext.getService()).authentication(accessTokenRequestContext.getAuthentication()).registeredService(accessTokenRequestContext.getRegisteredService()).ticketGrantingTicket(accessTokenRequestContext.getTicketGrantingTicket()).grantType(accessTokenRequestContext.getGrantType()).scopes(new LinkedHashSet(0)).responseType(accessTokenRequestContext.getResponseType()).generateRefreshToken(accessTokenRequestContext.getRegisteredService() != null && accessTokenRequestContext.isGenerateRefreshToken()).build();
            return generateAccessTokenResult(build, generateAccessTokenOAuthGrantTypes(build));
        }
        if (deviceTokenFromTicketRegistry.getLastTimeUsed() != null) {
            long seconds = Beans.newDuration(this.casProperties.getAuthn().getOauth().getDeviceToken().getRefreshInterval()).getSeconds();
            if (deviceTokenFromTicketRegistry.getLastTimeUsed().plusSeconds(seconds).isAfter(ZonedDateTime.now(ZoneOffset.UTC))) {
                LOGGER.error("Request for user code approval is greater than the configured refresh interval of [{}] second(s)", Long.valueOf(seconds));
                throw new ThrottledOAuth20DeviceUserCodeApprovalException(deviceTokenFromTicketRegistry.getId());
            }
        }
        deviceTokenFromTicketRegistry.update();
        this.ticketRegistry.updateTicket(deviceTokenFromTicketRegistry);
        LOGGER.error("Provided user code [{}] linked to device code [{}] is NOT approved yet", deviceTokenFromTicketRegistry.getId(), deviceCode);
        throw new UnapprovedOAuth20DeviceUserCodeException(deviceTokenFromTicketRegistry.getId());
    }

    protected Pair<OAuth20AccessToken, OAuth20RefreshToken> generateAccessTokenOAuthGrantTypes(AccessTokenRequestContext accessTokenRequestContext) throws Exception {
        LOGGER.debug("Creating access token for [{}]", accessTokenRequestContext.getService());
        AuthenticationBuilder addAttribute = DefaultAuthenticationBuilder.newInstance(accessTokenRequestContext.getAuthentication()).setAuthenticationDate(ZonedDateTime.now(ZoneOffset.UTC)).addAttribute("grant_type", accessTokenRequestContext.getGrantType().getType()).addAttribute("scope", accessTokenRequestContext.getScopes());
        String str = (String) Optional.ofNullable(accessTokenRequestContext.getRegisteredService()).map((v0) -> {
            return v0.getClientId();
        }).orElse("");
        Map<String, Object> orDefault = accessTokenRequestContext.getClaims().getOrDefault(OAuth20Constants.CLAIMS_USERINFO, new HashMap());
        Objects.requireNonNull(addAttribute);
        orDefault.forEach(addAttribute::addAttribute);
        FunctionUtils.doIfNotNull(accessTokenRequestContext.getDpop(), str2 -> {
            addAttribute.addAttribute("DPoP", accessTokenRequestContext.getDpop());
        });
        FunctionUtils.doIfNotNull(accessTokenRequestContext.getDpopConfirmation(), str3 -> {
            addAttribute.addAttribute(OAuth20Constants.DPOP_CONFIRMATION, accessTokenRequestContext.getDpopConfirmation());
        });
        Authentication build = addAttribute.build();
        LOGGER.debug("Creating access token for [{}]", accessTokenRequestContext);
        TicketGrantingTicket ticketGrantingTicket = accessTokenRequestContext.getTicketGrantingTicket();
        OAuth20AccessToken create = this.accessTokenFactory.create(accessTokenRequestContext.getService(), build, ticketGrantingTicket, accessTokenRequestContext.getScopes(), (String) Optional.ofNullable(accessTokenRequestContext.getToken()).map((v0) -> {
            return v0.getId();
        }).orElse(null), str, accessTokenRequestContext.getClaims(), accessTokenRequestContext.getResponseType(), accessTokenRequestContext.getGrantType());
        LOGGER.debug("Created access token [{}]", create);
        addTicketToRegistry(create, ticketGrantingTicket);
        LOGGER.debug("Added access token [{}] to registry", create);
        updateOAuthCode(accessTokenRequestContext, create);
        return Pair.of(create, (OAuth20RefreshToken) FunctionUtils.doIf(accessTokenRequestContext.isGenerateRefreshToken(), Unchecked.supplier(() -> {
            return generateRefreshToken(accessTokenRequestContext, create);
        }), () -> {
            LOGGER.debug("Service [{}] is not able/allowed to receive refresh tokens", accessTokenRequestContext.getService());
            return null;
        }).get());
    }

    protected void updateOAuthCode(AccessTokenRequestContext accessTokenRequestContext, OAuth20AccessToken oAuth20AccessToken) throws Exception {
        if (accessTokenRequestContext.isRefreshToken()) {
            OAuth20RefreshToken oAuth20RefreshToken = (OAuth20RefreshToken) accessTokenRequestContext.getToken();
            oAuth20RefreshToken.getAccessTokens().add(oAuth20AccessToken.getId());
            this.ticketRegistry.updateTicket(oAuth20RefreshToken);
        } else if (accessTokenRequestContext.isCodeToken()) {
            ((Ticket) Ticket.class.cast(accessTokenRequestContext.getToken())).update();
            if (accessTokenRequestContext.getToken().isExpired()) {
                this.ticketRegistry.deleteTicket(accessTokenRequestContext.getToken().getId());
            } else {
                this.ticketRegistry.updateTicket(accessTokenRequestContext.getToken());
            }
            this.ticketRegistry.updateTicket(accessTokenRequestContext.getTicketGrantingTicket());
        }
    }

    protected void addTicketToRegistry(Ticket ticket, TicketGrantingTicket ticketGrantingTicket) throws Exception {
        LOGGER.debug("Adding ticket [{}] to registry", ticket);
        this.ticketRegistry.addTicket(ticket);
        if (ticketGrantingTicket != null) {
            LOGGER.debug("Updating parent ticket-granting ticket [{}]", ticketGrantingTicket);
            this.ticketRegistry.updateTicket(ticketGrantingTicket);
        }
    }

    protected void addTicketToRegistry(Ticket ticket) throws Exception {
        addTicketToRegistry(ticket, null);
    }

    protected OAuth20RefreshToken generateRefreshToken(AccessTokenRequestContext accessTokenRequestContext, OAuth20AccessToken oAuth20AccessToken) throws Exception {
        LOGGER.debug("Creating refresh token for [{}]", accessTokenRequestContext.getService());
        OAuth20RefreshToken create = this.refreshTokenFactory.create(accessTokenRequestContext.getService(), accessTokenRequestContext.getAuthentication(), accessTokenRequestContext.getTicketGrantingTicket(), accessTokenRequestContext.getScopes(), accessTokenRequestContext.getRegisteredService().getClientId(), oAuth20AccessToken.getId(), accessTokenRequestContext.getClaims(), accessTokenRequestContext.getResponseType(), accessTokenRequestContext.getGrantType());
        LOGGER.debug("Adding refresh token [{}] to the registry", create);
        addTicketToRegistry(create, accessTokenRequestContext.getTicketGrantingTicket());
        if (accessTokenRequestContext.isExpireOldRefreshToken()) {
            expireOldRefreshToken(accessTokenRequestContext);
        }
        return create;
    }

    private OAuth20DeviceUserCode getDeviceUserCodeFromRegistry(OAuth20DeviceToken oAuth20DeviceToken) {
        return (OAuth20DeviceUserCode) FunctionUtils.doAndHandle(() -> {
            return (OAuth20DeviceUserCode) this.ticketRegistry.getTicket(oAuth20DeviceToken.getUserCode(), OAuth20DeviceUserCode.class);
        }, th -> {
            LOGGER.error("Provided user code [{}] is invalid or expired and cannot be found in the ticket registry", oAuth20DeviceToken.getUserCode());
            throw new InvalidOAuth20DeviceTokenException(oAuth20DeviceToken.getUserCode());
        }).get();
    }

    private OAuth20DeviceToken getDeviceTokenFromTicketRegistry(String str) {
        return (OAuth20DeviceToken) FunctionUtils.doAndHandle(() -> {
            return (OAuth20DeviceToken) this.ticketRegistry.getTicket(str, OAuth20DeviceToken.class);
        }, th -> {
            LoggingUtils.error(LOGGER, th);
            throw new InvalidOAuth20DeviceTokenException(str);
        }).get();
    }

    private Pair<OAuth20DeviceToken, OAuth20DeviceUserCode> createDeviceTokensInTicketRegistry(AccessTokenRequestContext accessTokenRequestContext) throws Exception {
        OAuth20DeviceToken createDeviceCode = this.deviceTokenFactory.createDeviceCode(accessTokenRequestContext.getService());
        LOGGER.debug("Created device code token [{}]", createDeviceCode.getId());
        Ticket createDeviceUserCode = this.deviceUserCodeFactory.createDeviceUserCode(createDeviceCode);
        LOGGER.debug("Created device user code token [{}]", createDeviceUserCode.getId());
        addTicketToRegistry(createDeviceCode);
        LOGGER.debug("Added device token [{}] to registry", createDeviceCode);
        addTicketToRegistry(createDeviceUserCode);
        LOGGER.debug("Added device user token [{}] to registry", createDeviceUserCode);
        return Pair.of(createDeviceCode, createDeviceUserCode);
    }

    private void expireOldRefreshToken(AccessTokenRequestContext accessTokenRequestContext) throws Exception {
        OAuth20Token token = accessTokenRequestContext.getToken();
        LOGGER.debug("Expiring old refresh token [{}]", token);
        token.markTicketExpired();
        this.ticketRegistry.deleteTicket(token);
    }

    @Generated
    public OAuth20DefaultTokenGenerator(OAuth20AccessTokenFactory oAuth20AccessTokenFactory, OAuth20DeviceTokenFactory oAuth20DeviceTokenFactory, OAuth20DeviceUserCodeFactory oAuth20DeviceUserCodeFactory, OAuth20RefreshTokenFactory oAuth20RefreshTokenFactory, TicketRegistry ticketRegistry, CasConfigurationProperties casConfigurationProperties) {
        this.accessTokenFactory = oAuth20AccessTokenFactory;
        this.deviceTokenFactory = oAuth20DeviceTokenFactory;
        this.deviceUserCodeFactory = oAuth20DeviceUserCodeFactory;
        this.refreshTokenFactory = oAuth20RefreshTokenFactory;
        this.ticketRegistry = ticketRegistry;
        this.casProperties = casConfigurationProperties;
    }
}
