package org.apache.cxf.rs.security.oauth2.provider;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;
import org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken;
import org.apache.cxf.rs.security.oauth2.utils.JwtTokenUtils;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;

/* loaded from: input_file:org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.class */
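/**
 * Base data provider implementing the OAuth2 token life-cycle - creation,
 * refresh, revocation and the linking of access tokens to refresh tokens - on
 * top of a small set of abstract storage hooks a concrete provider supplies.
 *
 * <p>Authorization decisions (scope mapping, refresh-token expiry, which client
 * may refresh or revoke a token) are made here so that every backing store
 * gets the same checks.
 *
 * <p>Contains no synchronization; configure the provider before putting it into service.
 */
public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, ClientRegistrationProvider {
    /** Lifetime handed to new {@link RefreshToken}s; 0 until {@link #setRefreshTokenLifetime} is called. */
    private long refreshTokenLifetime;
    /** Per-request context used to read the current grant type and client secret; may be null. */
    private MessageContext messageContext;
    /** Scope names flagged as default permissions by {@link #init()}; may be null. */
    private List<String> defaultScopes;
    /** Scope names every request must carry, else scope conversion is rejected; may be null. */
    private List<String> requiredScopes;
    /** Scope names flagged as invisible to clients by {@link #init()}; may be null. */
    private List<String> invisibleToClientScopes;
    private boolean supportPreauthorizedTokens;
    /** When true the access token key is replaced by a JWT built from the token's data. */
    private boolean useJwtFormatForAccessTokens;
    /** Signs and/or encrypts JWT access tokens; a default producer is used when null. */
    private OAuthJoseJwtProducer jwtAccessTokenProducer;
    /** Optional renaming of JWT claim names (see {@link JwtTokenUtils#getClaimName}); may be null. */
    private Map<String, String> jwtAccessTokenClaimMap;
    /** Lifetime handed to new {@link BearerAccessToken}s; 3600 by default (presumably seconds). */
    private long accessTokenLifetime = 3600;
    /** When true a refresh token is single-use: it and its access tokens are revoked on refresh. */
    private boolean recycleRefreshTokens = true;
    /** Scope name to permission; the only source {@link #convertSingleScopeToPermission} consults. */
    private Map<String, OAuthPermission> permissionMap = new HashMap<>();

    /**
     * Creates and persists a new access token and, when the approved scope asks
     * for it, a refresh token linked to it.
     *
     * @param accessTokenRegistration what the grant handler approved
     * @return the persisted access token
     * @throws OAuthServiceException if the approved scope cannot be mapped to permissions
     */
    @Override
    public ServerAccessToken createAccessToken(AccessTokenRegistration accessTokenRegistration) throws OAuthServiceException {
        ServerAccessToken accessToken = doCreateAccessToken(accessTokenRegistration);
        saveAccessToken(accessToken);
        // A refresh token is only minted when the approved scope explicitly contains the refresh-token scope.
        if (isRefreshTokenSupported(accessTokenRegistration.getApprovedScope())) {
            createNewRefreshToken(accessToken);
        }
        return accessToken;
    }

    /**
     * Builds (but does not persist) an access token from a registration.
     *
     * <p>Left {@code public} as found; the decompiler notes the original declared it {@code protected}.
     *
     * @param accessTokenRegistration what the grant handler approved
     * @return the new token; its key is a serialized JWT when {@link #isUseJwtFormatForAccessTokens()} is true
     * @throws OAuthServiceException if the approved scope cannot be mapped to permissions
     */
    public ServerAccessToken doCreateAccessToken(AccessTokenRegistration accessTokenRegistration) {
        Client client = accessTokenRegistration.getClient();
        ServerAccessToken token = createNewAccessToken(client);
        token.setAudiences(accessTokenRegistration.getAudiences());
        token.setGrantType(accessTokenRegistration.getGrantType());
        token.setScopes(convertScopeToPermissions(client, accessTokenRegistration.getApprovedScope()));
        token.setSubject(accessTokenRegistration.getSubject());
        token.setClientCodeVerifier(accessTokenRegistration.getClientCodeVerifier());
        token.setNonce(accessTokenRegistration.getNonce());
        token.setResponseType(accessTokenRegistration.getResponseType());
        token.setGrantCode(accessTokenRegistration.getGrantCode());
        token.getExtraProperties().putAll(accessTokenRegistration.getExtraProperties());
        // The JWT carries the random key as its token id, then replaces the key itself.
        if (isUseJwtFormatForAccessTokens()) {
            token.setTokenKey(processJwtAccessToken(createJwtAccessToken(token)));
        }
        return token;
    }

    /**
     * Builds the claims of a JWT-formatted access token from a freshly created token.
     *
     * <p>The token key becomes the token id (jti) claim, so the JWT can still be
     * looked up by the key the store knows. Optional claims (expiry, subject,
     * issuer, scope, audience, extra properties, grant data) are written only when present.
     *
     * @param serverAccessToken the token whose data is copied into claims
     * @return the claims, not yet signed or encrypted
     */
    protected JwtClaims createJwtAccessToken(ServerAccessToken serverAccessToken) {
        JwtClaims claims = new JwtClaims();
        claims.setTokenId(serverAccessToken.getTokenKey());
        claims.setClaim(JwtTokenUtils.getClaimName(OAuthConstants.CLIENT_ID, OAuthConstants.CLIENT_ID, getJwtAccessTokenClaimMap()),
                        serverAccessToken.getClient().getClientId());
        claims.setIssuedAt(Long.valueOf(serverAccessToken.getIssuedAt()));
        // expiresIn <= 0 means "no expiry claim"; otherwise the absolute expiry is issuedAt + expiresIn
        if (serverAccessToken.getExpiresIn() > 0) {
            claims.setExpiryTime(Long.valueOf(serverAccessToken.getIssuedAt() + serverAccessToken.getExpiresIn()));
        }
        UserSubject subject = serverAccessToken.getSubject();
        if (subject != null) {
            if (subject.getId() != null) {
                claims.setSubject(subject.getId());
            }
            claims.setClaim(JwtTokenUtils.getClaimName(OAuthConstants.RESOURCE_OWNER_NAME, OAuthConstants.RESOURCE_OWNER_NAME, getJwtAccessTokenClaimMap()),
                            subject.getLogin());
        }
        if (serverAccessToken.getIssuer() != null) {
            claims.setIssuer(serverAccessToken.getIssuer());
        }
        if (!serverAccessToken.getScopes().isEmpty()) {
            claims.setClaim(OAuthConstants.SCOPE, OAuthUtils.convertPermissionsToScopeList(serverAccessToken.getScopes()));
        }
        List<String> audiences = serverAccessToken.getAudiences();
        if (!audiences.isEmpty()) {
            // A single audience is written as a scalar, several as an array.
            if (audiences.size() == 1) {
                claims.setAudience(audiences.get(0));
            } else {
                claims.setAudiences(audiences);
            }
        }
        if (!serverAccessToken.getExtraProperties().isEmpty()) {
            claims.setClaim("extra_properties", serverAccessToken.getExtraProperties());
        }
        if (serverAccessToken.getGrantType() != null) {
            claims.setClaim(OAuthConstants.GRANT_TYPE, serverAccessToken.getGrantType());
        }
        if (serverAccessToken.getGrantCode() != null) {
            claims.setClaim(OAuthConstants.AUTHORIZATION_CODE_GRANT, serverAccessToken.getGrantCode());
        }
        if (serverAccessToken.getClientCodeVerifier() != null) {
            claims.setClaim(OAuthConstants.AUTHORIZATION_CODE_VERIFIER, serverAccessToken.getClientCodeVerifier());
        }
        return claims;
    }

    /**
     * Factory for the concrete access token type; override to change it.
     *
     * @param client the client the token is issued to
     * @return a bearer token with the configured lifetime and a fresh key
     */
    protected ServerAccessToken createNewAccessToken(Client client) {
        return new BearerAccessToken(client, this.accessTokenLifetime);
    }

    /**
     * Revokes the given access token by its key.
     *
     * @param serverAccessToken the token to remove
     */
    @Override
    public void removeAccessToken(ServerAccessToken serverAccessToken) throws OAuthServiceException {
        revokeAccessToken(serverAccessToken.getTokenKey());
    }

    /**
     * Exchanges a refresh token for a new access token.
     *
     * <p>The refresh token must exist, belong to {@code client} and be unexpired;
     * otherwise {@link OAuthConstants#ACCESS_DENIED} is raised (an expired token
     * is revoked on the way out). With {@link #setRecycleRefreshTokens recycling}
     * on, the old refresh token and every access token it issued are revoked and
     * a new refresh token is linked to the new access token; otherwise the existing
     * refresh token is re-linked.
     *
     * @param client the authenticated client presenting the refresh token
     * @param refreshTokenKey the refresh token value from the request
     * @param restrictedScopes scopes to narrow to; empty keeps the refresh token's scopes
     * @return the new, persisted access token
     * @throws OAuthServiceException if the refresh token is unknown, expired, owned by another
     *         client, or the requested scopes exceed the refresh token's
     */
    @Override
    public ServerAccessToken refreshAccessToken(Client client, String refreshTokenKey, List<String> restrictedScopes) throws OAuthServiceException {
        RefreshToken currentRefreshToken = getRefreshToken(refreshTokenKey);
        if (currentRefreshToken == null) {
            throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
        }
        // Ownership is checked before any revocation so that a foreign client can
        // neither redeem nor invalidate another client's refresh token.
        requireSameClient(client, currentRefreshToken);
        if (OAuthUtils.isExpired(Long.valueOf(currentRefreshToken.getIssuedAt()), Long.valueOf(currentRefreshToken.getExpiresIn()))) {
            doRevokeRefreshToken(currentRefreshToken);
            throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
        }
        if (this.recycleRefreshTokens) {
            // The token was already loaded and verified, so revoke it directly.
            doRevokeRefreshToken(currentRefreshToken);
            revokeAccessTokens(currentRefreshToken);
        }
        ServerAccessToken newAccessToken = doRefreshAccessToken(client, currentRefreshToken, restrictedScopes);
        saveAccessToken(newAccessToken);
        if (this.recycleRefreshTokens) {
            createNewRefreshToken(newAccessToken);
        } else {
            updateRefreshToken(currentRefreshToken, newAccessToken);
        }
        return newAccessToken;
    }

    /**
     * Revokes a token presented by a client (RFC 7009 style).
     *
     * <p>The type hint is only a hint: unless it says {@code refresh_token} the key
     * is first tried as an access token; if nothing matched and the hint does not
     * say {@code access_token}, the key is treated as a refresh token and revoked
     * together with every access token it issued. A token that was issued to a
     * different client is not revoked; {@link OAuthConstants#ACCESS_DENIED} is raised instead.
     *
     * @param client the authenticated client asking for revocation
     * @param tokenKey the token value
     * @param tokenTypeHint {@code access_token}, {@code refresh_token} or null
     * @throws OAuthServiceException if the token belongs to another client
     */
    @Override
    public void revokeToken(Client client, String tokenKey, String tokenTypeHint) throws OAuthServiceException {
        ServerAccessToken accessToken = null;
        if (!OAuthConstants.REFRESH_TOKEN.equals(tokenTypeHint)) {
            accessToken = revokeAccessToken(client, tokenKey);
        }
        if (accessToken != null) {
            handleLinkedRefreshToken(accessToken);
            return;
        }
        if (OAuthConstants.ACCESS_TOKEN.equals(tokenTypeHint)) {
            return;
        }
        revokeAccessTokens(revokeRefreshToken(client, tokenKey));
    }

    /**
     * After an access token was revoked, detaches it from its refresh token and
     * drops the refresh token once it no longer backs any access token.
     *
     * @param serverAccessToken the revoked token; null or unlinked tokens are ignored
     */
    protected void handleLinkedRefreshToken(ServerAccessToken serverAccessToken) {
        if (serverAccessToken == null || serverAccessToken.getRefreshToken() == null) {
            return;
        }
        RefreshToken refreshToken = getRefreshToken(serverAccessToken.getRefreshToken());
        if (refreshToken == null) {
            return;
        }
        unlinkRefreshAccessToken(refreshToken, serverAccessToken.getTokenKey());
        if (refreshToken.getAccessTokens().isEmpty()) {
            revokeRefreshToken(refreshToken.getTokenKey());
        } else {
            saveRefreshToken(refreshToken);
        }
    }

    /**
     * Revokes every access token recorded on a refresh token.
     *
     * @param refreshToken the (already verified) refresh token; null is a no-op
     */
    protected void revokeAccessTokens(RefreshToken refreshToken) {
        if (refreshToken == null) {
            return;
        }
        for (String accessTokenKey : refreshToken.getAccessTokens()) {
            revokeAccessToken(accessTokenKey);
        }
    }

    /**
     * Removes one access token key from a refresh token's list (first occurrence only).
     *
     * @param refreshToken the refresh token to edit in place
     * @param accessTokenKey the key to remove
     */
    protected void unlinkRefreshAccessToken(RefreshToken refreshToken, String accessTokenKey) {
        // List.remove(Object) drops the first equal element, like the index loop it replaces.
        refreshToken.getAccessTokens().remove(accessTokenKey);
    }

    /**
     * Maps requested scope names to permissions.
     *
     * @param client the requesting client (unused here, passed to {@link #convertSingleScopeToPermission})
     * @param requestedScopes scope names; null is treated as empty
     * @return the permissions, empty when nothing was requested
     * @throws OAuthServiceException if a required scope is missing or a scope is unknown
     */
    @Override
    public List<OAuthPermission> convertScopeToPermissions(Client client, List<String> requestedScopes) {
        List<String> scopes = requestedScopes == null ? Collections.<String>emptyList() : requestedScopes;
        if (this.requiredScopes != null && !scopes.containsAll(this.requiredScopes)) {
            throw new OAuthServiceException("Required scopes are missing");
        }
        if (scopes.isEmpty()) {
            return Collections.emptyList();
        }
        List<OAuthPermission> permissions = new ArrayList<>(scopes.size());
        for (String scope : scopes) {
            convertSingleScopeToPermission(client, scope, permissions);
        }
        if (permissions.isEmpty()) {
            throw new OAuthServiceException("Requested scopes can not be mapped");
        }
        return permissions;
    }

    /**
     * Resolves one scope name through {@link #getPermissionMap()} and appends it.
     *
     * @param client the requesting client (unused in the default implementation)
     * @param scope the scope name
     * @param permissions the list to append to
     * @throws OAuthServiceException if the scope is not in the permission map
     */
    protected void convertSingleScopeToPermission(Client client, String scope, List<OAuthPermission> permissions) {
        OAuthPermission permission = this.permissionMap.get(scope);
        if (permission == null) {
            throw new OAuthServiceException("Unexpected scope: " + scope);
        }
        permissions.add(permission);
    }

    /**
     * Looks for an existing, unexpired access token issued to the client (and
     * subject) with the given grant type so it can be reused instead of minting a new one.
     *
     * <p>{@code requestedScopes} is not consulted: the caller must verify that the
     * returned token's scopes cover the current request. An expired match is revoked and not returned.
     *
     * @param client the client
     * @param requestedScopes ignored by this implementation
     * @param subject the resource owner, or null to match any
     * @param grantType the grant type the token must have been issued under
     * @return a matching token, or null if pre-authorized tokens are disabled or none matches
     */
    @Override
    public ServerAccessToken getPreauthorizedToken(Client client, List<String> requestedScopes, UserSubject subject, String grantType) throws OAuthServiceException {
        if (!isSupportPreauthorizedTokens()) {
            return null;
        }
        ServerAccessToken match = null;
        for (ServerAccessToken candidate : getAccessTokens(client, subject)) {
            String candidateGrantType = candidate.getGrantType();
            // A token without a grant type never matches (instead of failing with an NPE).
            if (candidateGrantType != null && candidateGrantType.equals(grantType)
                && isTokenMatched(candidate, client, subject)) {
                match = candidate;
                break;
            }
        }
        if (match != null && OAuthUtils.isExpired(Long.valueOf(match.getIssuedAt()), Long.valueOf(match.getExpiresIn()))) {
            revokeToken(client, match.getTokenKey(), OAuthConstants.ACCESS_TOKEN);
            match = null;
        }
        return match;
    }

    /**
     * Whether a refresh token should accompany an access token with these scopes.
     *
     * @param approvedScopes the approved scope names; null means no
     * @return true if the refresh-token scope was approved
     */
    protected boolean isRefreshTokenSupported(List<String> approvedScopes) {
        return approvedScopes != null && approvedScopes.contains(OAuthConstants.REFRESH_TOKEN_SCOPE);
    }

    /**
     * @return the grant type recorded in the current message context, or null if there is no context
     */
    protected String getCurrentRequestedGrantType() {
        return this.messageContext == null ? null : (String) this.messageContext.get(OAuthConstants.GRANT_TYPE);
    }

    /**
     * @return the client secret recorded in the current message context, or null if there is no context
     */
    protected String getCurrentClientSecret() {
        return this.messageContext == null ? null : (String) this.messageContext.get(OAuthConstants.CLIENT_SECRET);
    }

    /**
     * Links an access token to a refresh token in both directions and persists the refresh token.
     *
     * @param refreshToken the refresh token to update
     * @param serverAccessToken the access token to link
     * @return {@code refreshToken}
     */
    protected RefreshToken updateRefreshToken(RefreshToken refreshToken, ServerAccessToken serverAccessToken) {
        linkAccessTokenToRefreshToken(refreshToken, serverAccessToken);
        saveRefreshToken(refreshToken);
        linkRefreshTokenToAccessToken(refreshToken, serverAccessToken);
        return refreshToken;
    }

    /**
     * Creates, persists and links a new refresh token for an access token.
     *
     * @param serverAccessToken the access token the refresh token is derived from
     * @return the new refresh token
     */
    protected RefreshToken createNewRefreshToken(ServerAccessToken serverAccessToken) {
        return updateRefreshToken(doCreateNewRefreshToken(serverAccessToken), serverAccessToken);
    }

    /**
     * Builds (but does not persist) a refresh token copying client, audiences,
     * grant type, scopes, subject and code verifier from the access token.
     *
     * @param serverAccessToken the source access token
     * @return the new refresh token with the configured refresh-token lifetime
     */
    protected RefreshToken doCreateNewRefreshToken(ServerAccessToken serverAccessToken) {
        RefreshToken refreshToken = new RefreshToken(serverAccessToken.getClient(), this.refreshTokenLifetime);
        // Copy the lists so later edits of the access token do not leak into the refresh token.
        if (serverAccessToken.getAudiences() != null) {
            refreshToken.setAudiences(new ArrayList<>(serverAccessToken.getAudiences()));
        }
        refreshToken.setGrantType(serverAccessToken.getGrantType());
        if (serverAccessToken.getScopes() != null) {
            refreshToken.setScopes(new ArrayList<>(serverAccessToken.getScopes()));
        }
        refreshToken.setSubject(serverAccessToken.getSubject());
        refreshToken.setClientCodeVerifier(serverAccessToken.getClientCodeVerifier());
        return refreshToken;
    }

    /**
     * Records the access token's key on the refresh token.
     */
    protected void linkAccessTokenToRefreshToken(RefreshToken refreshToken, ServerAccessToken serverAccessToken) {
        refreshToken.getAccessTokens().add(serverAccessToken.getTokenKey());
    }

    /**
     * Records the refresh token's key on the access token.
     *
     * <p>Left {@code public} as found; the decompiler notes the original declared it {@code protected}.
     */
    public void linkRefreshTokenToAccessToken(RefreshToken refreshToken, ServerAccessToken serverAccessToken) {
        serverAccessToken.setRefreshToken(refreshToken.getTokenKey());
    }

    /**
     * Builds (but does not persist) the access token issued for a refresh.
     *
     * @param client the client refreshing
     * @param refreshToken the verified refresh token
     * @param restrictedScopes narrower scopes to issue; null or empty keeps the refresh token's scopes
     * @return the new access token
     * @throws OAuthServiceException if a requested scope is unknown or not covered by the refresh token
     */
    protected ServerAccessToken doRefreshAccessToken(Client client, RefreshToken refreshToken, List<String> restrictedScopes) {
        ServerAccessToken token = createNewAccessToken(client);
        token.setAudiences(refreshToken.getAudiences());
        token.setGrantType(refreshToken.getGrantType());
        token.setSubject(refreshToken.getSubject());
        if (restrictedScopes == null || restrictedScopes.isEmpty()) {
            token.setScopes(refreshToken.getScopes());
        } else {
            List<OAuthPermission> permissions = convertScopeToPermissions(client, restrictedScopes);
            // Scopes may only be narrowed, never widened, on refresh (relies on OAuthPermission equality).
            if (!refreshToken.getScopes().containsAll(permissions)) {
                throw new OAuthServiceException("Invalid scopes");
            }
            token.setScopes(permissions);
        }
        return token;
    }

    /** @param accessTokenLifetime lifetime given to new access tokens */
    public void setAccessTokenLifetime(long accessTokenLifetime) {
        this.accessTokenLifetime = accessTokenLifetime;
    }

    /** @param refreshTokenLifetime lifetime given to new refresh tokens */
    public void setRefreshTokenLifetime(long refreshTokenLifetime) {
        this.refreshTokenLifetime = refreshTokenLifetime;
    }

    /** @param recycleRefreshTokens true to make refresh tokens single-use (the default) */
    public void setRecycleRefreshTokens(boolean recycleRefreshTokens) {
        this.recycleRefreshTokens = recycleRefreshTokens;
    }

    /**
     * Applies the default and invisible-to-client scope lists to the permission map.
     * Call once after all setters have been applied.
     */
    public void init() {
        for (OAuthPermission permission : this.permissionMap.values()) {
            String scope = permission.getPermission();
            if (this.defaultScopes != null && this.defaultScopes.contains(scope)) {
                permission.setDefaultPermission(true);
            }
            if (this.invisibleToClientScopes != null && this.invisibleToClientScopes.contains(scope)) {
                permission.setInvisibleToClient(true);
            }
        }
    }

    /** Shutdown hook; does nothing here, subclasses holding resources override it. */
    public void close() {
    }

    /** @return the live scope-to-permission map (not a copy) */
    public Map<String, OAuthPermission> getPermissionMap() {
        return this.permissionMap;
    }

    /** @param permissionMap replaces the scope-to-permission map (kept by reference) */
    public void setPermissionMap(Map<String, OAuthPermission> permissionMap) {
        this.permissionMap = permissionMap;
    }

    /**
     * Adds permissions to the map from a scope-name to description map.
     *
     * @param scopeDescriptions scope name to human-readable description
     */
    public void setSupportedScopes(Map<String, String> scopeDescriptions) {
        for (Map.Entry<String, String> entry : scopeDescriptions.entrySet()) {
            this.permissionMap.put(entry.getKey(), new OAuthPermission(entry.getKey(), entry.getValue()));
        }
    }

    public MessageContext getMessageContext() {
        return this.messageContext;
    }

    public void setMessageContext(MessageContext messageContext) {
        this.messageContext = messageContext;
    }

    /**
     * Revokes every refresh and access token issued to a client.
     *
     * @param client the client being removed
     */
    protected void removeClientTokens(Client client) {
        List<RefreshToken> refreshTokens = getRefreshTokens(client, null);
        if (refreshTokens != null) {
            for (RefreshToken refreshToken : refreshTokens) {
                revokeRefreshToken(refreshToken.getTokenKey());
            }
        }
        List<ServerAccessToken> accessTokens = getAccessTokens(client, null);
        if (accessTokens != null) {
            for (ServerAccessToken accessToken : accessTokens) {
                revokeAccessToken(accessToken.getTokenKey());
            }
        }
    }

    /**
     * Removes a client together with all of its tokens.
     *
     * @param clientId the client id
     * @return the removed client, or null if no such client is registered
     */
    public Client removeClient(String clientId) {
        Client client = getClient(clientId);
        if (client == null) {
            return null;
        }
        removeClientTokens(client);
        doRemoveClient(client);
        return client;
    }

    /**
     * Revokes an access token by key without an ownership check (internal use).
     *
     * @param accessTokenKey the key
     * @return the revoked token, or null if none was stored under the key
     */
    protected ServerAccessToken revokeAccessToken(String accessTokenKey) {
        ServerAccessToken accessToken = getAccessToken(accessTokenKey);
        if (accessToken != null) {
            doRevokeAccessToken(accessToken);
        }
        return accessToken;
    }

    /**
     * Revokes an access token presented by a client, after checking it was issued to that client.
     *
     * @param client the authenticated client
     * @param accessTokenKey the key
     * @return the revoked token, or null if none was stored under the key
     * @throws OAuthServiceException if the token belongs to another client
     */
    protected ServerAccessToken revokeAccessToken(Client client, String accessTokenKey) {
        ServerAccessToken accessToken = getAccessToken(accessTokenKey);
        if (accessToken != null) {
            requireSameClient(client, accessToken);
            doRevokeAccessToken(accessToken);
        }
        return accessToken;
    }

    /**
     * Revokes a refresh token by key without an ownership check (internal use).
     *
     * @param refreshTokenKey the key
     * @return the revoked token, or null if none was stored under the key
     */
    protected RefreshToken revokeRefreshToken(String refreshTokenKey) {
        RefreshToken refreshToken = getRefreshToken(refreshTokenKey);
        if (refreshToken != null) {
            doRevokeRefreshToken(refreshToken);
        }
        return refreshToken;
    }

    /**
     * Revokes a refresh token presented by a client, after checking it was issued to that client.
     *
     * @param client the authenticated client
     * @param refreshTokenKey the key
     * @return the revoked token, or null if none was stored under the key
     * @throws OAuthServiceException if the token belongs to another client
     */
    protected RefreshToken revokeRefreshToken(Client client, String refreshTokenKey) {
        RefreshToken refreshToken = getRefreshToken(refreshTokenKey);
        if (refreshToken != null) {
            requireSameClient(client, refreshToken);
            doRevokeRefreshToken(refreshToken);
        }
        return refreshToken;
    }

    /**
     * Fails closed unless {@code token} was issued to {@code client}: a null client,
     * a token without a client, or differing client ids all raise
     * {@link OAuthConstants#ACCESS_DENIED}. Callers must pass the authenticated client.
     */
    private static void requireSameClient(Client client, ServerAccessToken token) {
        Client owner = token.getClient();
        if (client == null || owner == null || !owner.getClientId().equals(client.getClientId())) {
            throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
        }
    }

    protected abstract void saveAccessToken(ServerAccessToken serverAccessToken);

    protected abstract void saveRefreshToken(RefreshToken refreshToken);

    protected abstract void doRevokeAccessToken(ServerAccessToken serverAccessToken);

    protected abstract void doRevokeRefreshToken(RefreshToken refreshToken);

    protected abstract RefreshToken getRefreshToken(String refreshTokenKey);

    protected abstract void doRemoveClient(Client client);

    public List<String> getDefaultScopes() {
        return this.defaultScopes;
    }

    /** @param defaultScopes scope names to flag as default permissions on {@link #init()} */
    public void setDefaultScopes(List<String> defaultScopes) {
        this.defaultScopes = defaultScopes;
    }

    public List<String> getRequiredScopes() {
        return this.requiredScopes;
    }

    /** @param requiredScopes scope names every request must include */
    public void setRequiredScopes(List<String> requiredScopes) {
        this.requiredScopes = requiredScopes;
    }

    public List<String> getInvisibleToClientScopes() {
        return this.invisibleToClientScopes;
    }

    /** @param invisibleToClientScopes scope names to flag as invisible on {@link #init()} */
    public void setInvisibleToClientScopes(List<String> invisibleToClientScopes) {
        this.invisibleToClientScopes = invisibleToClientScopes;
    }

    public boolean isSupportPreauthorizedTokens() {
        return this.supportPreauthorizedTokens;
    }

    /** @param supportPreauthorizedTokens true to let {@link #getPreauthorizedToken} reuse existing tokens */
    public void setSupportPreauthorizedTokens(boolean supportPreauthorizedTokens) {
        this.supportPreauthorizedTokens = supportPreauthorizedTokens;
    }

    /**
     * Whether a client is acceptable for a subject: any client when no subject is
     * given, else the client's resource owner must share the subject's login.
     * Intended for subclass token lookups. Left {@code public} as found; the
     * decompiler notes the original declared it {@code protected}.
     */
    public static boolean isClientMatched(Client client, UserSubject userSubject) {
        if (userSubject == null) {
            return true;
        }
        UserSubject owner = client.getResourceOwnerSubject();
        return owner != null && owner.getLogin().equals(userSubject.getLogin());
    }

    /**
     * Whether a token was issued to the given client (when non-null) and subject (when non-null),
     * comparing client ids and subject logins. Left {@code public} as found; the
     * decompiler notes the original declared it {@code protected}.
     */
    public static boolean isTokenMatched(ServerAccessToken serverAccessToken, Client client, UserSubject userSubject) {
        if (client != null && !serverAccessToken.getClient().getClientId().equals(client.getClientId())) {
            return false;
        }
        if (userSubject == null) {
            return true;
        }
        UserSubject tokenSubject = serverAccessToken.getSubject();
        return tokenSubject != null && tokenSubject.getLogin().equals(userSubject.getLogin());
    }

    /** Registers each client via {@link #setClient}. */
    public void setClients(List<Client> clients) {
        for (Client client : clients) {
            setClient(client);
        }
    }

    public boolean isUseJwtFormatForAccessTokens() {
        return this.useJwtFormatForAccessTokens;
    }

    /** @param useJwtFormatForAccessTokens true to issue access tokens as JWTs */
    public void setUseJwtFormatForAccessTokens(boolean useJwtFormatForAccessTokens) {
        this.useJwtFormatForAccessTokens = useJwtFormatForAccessTokens;
    }

    public OAuthJoseJwtProducer getJwtAccessTokenProducer() {
        return this.jwtAccessTokenProducer;
    }

    /** @param jwtAccessTokenProducer producer used to sign/encrypt JWT access tokens; null selects a default one */
    public void setJwtAccessTokenProducer(OAuthJoseJwtProducer jwtAccessTokenProducer) {
        this.jwtAccessTokenProducer = jwtAccessTokenProducer;
    }

    /**
     * Serializes the claims through the configured (or a default) producer.
     *
     * @param jwtClaims the claims
     * @return the processed JWT string used as the access token key
     */
    protected String processJwtAccessToken(JwtClaims jwtClaims) {
        OAuthJoseJwtProducer producer = getJwtAccessTokenProducer();
        if (producer == null) {
            producer = new OAuthJoseJwtProducer();
        }
        return producer.processJwt(new JwtToken(jwtClaims));
    }

    public Map<String, String> getJwtAccessTokenClaimMap() {
        return this.jwtAccessTokenClaimMap;
    }

    /** @param jwtAccessTokenClaimMap standard claim name to custom claim name */
    public void setJwtAccessTokenClaimMap(Map<String, String> jwtAccessTokenClaimMap) {
        this.jwtAccessTokenClaimMap = jwtAccessTokenClaimMap;
    }
}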
