package pl.edu.icm.unity.oauth.as.token.access;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.nimbusds.oauth2.sdk.AccessTokenResponse;
import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.client.ClientType;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.util.Optional;
import javax.ws.rs.core.Response;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.base.token.Token;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.oauth.as.OAuthASProperties;
import pl.edu.icm.unity.oauth.as.OAuthToken;
import pl.edu.icm.unity.oauth.as.token.BaseOAuthResource;
import pl.edu.icm.unity.oauth.as.token.OAuthErrorException;
import pl.edu.icm.unity.types.basic.EntityParam;

/* loaded from: input_file:pl/edu/icm/unity/oauth/as/token/access/RefreshTokenHandler.class */
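/**
 * Handles the OAuth2 {@code refresh_token} grant: looks up the presented refresh token, binds it
 * to the calling client, mints a new access token (and rotates the refresh token when the
 * repository decides to) and persists the result.
 *
 * Security-relevant steps, in the order they are performed:
 * <ol>
 *   <li>Reuse detection (only when refresh-token rotation for public clients is enabled): presenting
 *       an already-consumed refresh token revokes the client's active tokens for that rolling family
 *       and fails the request, in the spirit of the OAuth 2.0 Security BCP.</li>
 *   <li>Client authentication: any non-public client must have an authenticated login session.</li>
 *   <li>Client binding: for a confidential client the session's entity id must equal the client id the
 *       token was issued to. Public clients cannot authenticate, so for them possession of the token is
 *       the only binding (the id comparison is vacuous by construction).</li>
 * </ol>
 * Every exception raised during lookup, parsing or issuance is mapped to a generic
 * "wrong refresh token" error so the response does not reveal whether a token exists, is expired
 * or is malformed. Token values are never written to the log in full.
 */
class RefreshTokenHandler {
    private static final Logger log = Log.getLogger("unity.server.oauth", RefreshTokenHandler.class);
    private final OAuthASProperties config;
    private final OAuthRefreshTokenRepository refreshTokensRepository;
    private final AccessTokenFactory accessTokenFactory;
    private final OAuthAccessTokenRepository accessTokensRepository;
    private final OAuthClientTokensCleaner tokenCleaner;
    private final TokenService tokenService;

    /**
     * @param oAuthASProperties           authorization-server configuration (token lifetimes, rotation flag)
     * @param oAuthRefreshTokenRepository storage of refresh tokens, including consumed ones when rotation is on
     * @param accessTokenFactory          mints the access token value for a prepared {@link OAuthToken}
     * @param oAuthAccessTokenRepository  storage of issued access tokens
     * @param oAuthClientTokensCleaner    revokes a client's active tokens on refresh-token reuse
     * @param tokenService                builds the new internal token and the wire-level response
     */
    public RefreshTokenHandler(OAuthASProperties oAuthASProperties, OAuthRefreshTokenRepository oAuthRefreshTokenRepository, AccessTokenFactory accessTokenFactory, OAuthAccessTokenRepository oAuthAccessTokenRepository, OAuthClientTokensCleaner oAuthClientTokensCleaner, TokenService tokenService) {
        this.config = oAuthASProperties;
        this.refreshTokensRepository = oAuthRefreshTokenRepository;
        this.accessTokenFactory = accessTokenFactory;
        this.accessTokensRepository = oAuthAccessTokenRepository;
        this.tokenCleaner = oAuthClientTokensCleaner;
        this.tokenService = tokenService;
    }

    /**
     * Processes one {@code grant_type=refresh_token} request.
     *
     * @param refreshTokenValue the refresh token presented by the client (untrusted input)
     * @param requestedScope    space-separated scope requested for the new access token, or {@code null}
     *                          to re-request every scope of the original grant; narrowing to a subset of
     *                          the original scope is expected to be enforced by
     *                          {@code TokenService.prepareNewTokenBasedOnOldToken} — verify there
     * @param tokenFactoryHint  forwarded unchanged to {@link AccessTokenFactory#create}; presumably the
     *                          client's Accept header selecting the access-token format — confirm
     * @return a 200 token response, or an OAuth error response
     * @throws EngineException        propagated from the reuse-revocation path, which runs outside the catch-all
     * @throws JsonProcessingException propagated from the reuse-revocation path
     */
    public Response handleRefreshTokenGrant(String refreshTokenValue, String requestedScope, String tokenFactoryHint) throws EngineException, JsonProcessingException {
        // Reuse detection runs before client authentication on purpose: the presentation of a consumed
        // token is the attack signal regardless of who presents it, and the response must not depend on
        // whether the presenter could authenticate.
        Optional<Token> consumedToken = getUsedRefreshTokenIfRotationIsActive(refreshTokenValue);
        if (consumedToken.isPresent()) {
            clearTokensForClient(consumedToken.get());
            // NOTE(review): RFC 6749 §5.2 describes a revoked refresh token as invalid_grant; the
            // invalid_request code is kept here for compatibility with existing clients.
            return BaseOAuthResource.makeError(OAuth2Error.INVALID_REQUEST, "refresh token has already been used");
        }
        try {
            Token refreshToken = refreshTokensRepository.readRefreshToken(refreshTokenValue);
            OAuthToken issuedToken = BaseOAuthResource.parseInternalToken(refreshToken);
            if (isRequiredAuthenticationMissing(issuedToken.getClientType())) {
                return BaseOAuthResource.makeError(OAuth2Error.INVALID_CLIENT, "not authenticated");
            }
            long presentingClientId = resolvePresentingClientId(issuedToken);
            if (issuedToken.getClientId() != presentingClientId) {
                // Cross-client use of a refresh token: record both the presenter and the legitimate
                // client so the attempt can be investigated (the original message logged only one id).
                log.warn("Client with id {} presented refresh token issued for client {}", presentingClientId, issuedToken.getClientId());
                return BaseOAuthResource.makeError(OAuth2Error.INVALID_GRANT, "wrong refresh token");
            }
            List<String> originalScope = Arrays.asList(issuedToken.getRequestedScope());
            String effectiveScope = requestedScope == null ? String.join(" ", originalScope) : requestedScope;
            try {
                return issueRefreshedTokens(refreshToken, issuedToken, effectiveScope, originalScope, presentingClientId, tokenFactoryHint);
            } catch (OAuthErrorException e) {
                return e.response;
            }
        } catch (Exception e) {
            // Deliberately generic towards the client (no existence/expiry oracle). The cause is kept at
            // debug level so that a storage failure is not silently indistinguishable from a bad token.
            log.debug("Refresh token grant rejected", e);
            return BaseOAuthResource.makeError(OAuth2Error.INVALID_REQUEST, "wrong refresh token");
        }
    }

    /**
     * Builds and stores the new access token (and the rotated refresh token, if any) for a validated
     * refresh request. Exceptions propagate to the caller.
     */
    private Response issueRefreshedTokens(Token refreshToken, OAuthToken issuedToken, String effectiveScope,
            List<String> originalScope, long presentingClientId, String tokenFactoryHint)
            throws EngineException, JsonProcessingException, OAuthErrorException {
        Long owner = refreshToken.getOwner();
        OAuthToken newToken = tokenService.prepareNewTokenBasedOnOldToken(issuedToken, effectiveScope, originalScope,
                owner.longValue(), presentingClientId, issuedToken.getClientUsername(), true, GrantType.REFRESH_TOKEN.getValue());
        Date now = new Date();
        Date accessTokenExpiration = TokenUtils.getAccessTokenExpiration(config, now);
        AccessToken accessToken = accessTokenFactory.create(newToken, now, tokenFactoryHint);
        newToken.setAccessToken(accessToken.getValue());
        // Rotation is decided (and, presumably, persisted) by the repository before the access token is
        // stored below; a failure in storeAccessToken would therefore leave the old refresh token consumed
        // while the client receives an error — TODO confirm this is acceptable / handled by the repository.
        Token rotatedRefreshToken = refreshTokensRepository
                .rotateRefreshTokenIfNeeded(config, now, newToken, issuedToken, owner)
                .orElse(null);
        AccessTokenResponse response = tokenService.getAccessTokenResponse(newToken, accessToken, rotatedRefreshToken, null);
        // tokenToLog is expected to redact the value; never log the raw token here.
        log.info("Refreshed access token {} of entity {}, valid until {}", BaseOAuthResource.tokenToLog(accessToken.getValue()), owner, accessTokenExpiration);
        accessTokensRepository.storeAccessToken(accessToken, newToken, new EntityParam(owner), now, accessTokenExpiration);
        return BaseOAuthResource.toResponse(Response.ok(BaseOAuthResource.getResponseContent(response)));
    }

    /**
     * Identity of the party presenting the refresh token. Confidential clients are identified by their
     * authenticated login session; public clients cannot authenticate, so the client id recorded in the
     * token is used — which makes the caller's id comparison a no-op for them and leaves possession of
     * the token as the only proof.
     */
    private long resolvePresentingClientId(OAuthToken issuedToken) {
        if (ClientType.CONFIDENTIAL.equals(issuedToken.getClientType())) {
            return InvocationContext.getCurrent().getLoginSession().getEntityId();
        }
        return issuedToken.getClientId();
    }

    /** True when the client type requires authentication (anything but PUBLIC) and there is no login session. */
    private boolean isRequiredAuthenticationMissing(ClientType clientType) {
        boolean mustAuthenticate = !clientType.equals(ClientType.PUBLIC);
        return mustAuthenticate && InvocationContext.getCurrent().getLoginSession() == null;
    }

    /**
     * Returns the consumed refresh token matching {@code refreshTokenValue} when rotation for public
     * clients is enabled; otherwise reuse is not tracked and an empty Optional is returned.
     */
    private Optional<Token> getUsedRefreshTokenIfRotationIsActive(String refreshTokenValue) {
        boolean rotationEnabled = config.getBooleanValue(OAuthASProperties.ENABLE_REFRESH_TOKENS_FOR_PUBLIC_CLIENTS_WITH_ROTATION).booleanValue();
        if (!rotationEnabled) {
            return Optional.empty();
        }
        return refreshTokensRepository.getUsedRefreshToken(refreshTokenValue);
    }

    /**
     * Reaction to refresh-token reuse: revoke the client's active tokens belonging to the same rolling
     * family (identified by the first refresh token of the chain) and record the event.
     */
    private void clearTokensForClient(Token consumedToken) {
        OAuthToken consumed = OAuthToken.getInstanceFromJson(consumedToken.getContents());
        tokenCleaner.removeTokensForClient(consumed.getClientId(), consumedToken.getOwner().longValue(), consumed.getFirstRefreshRollingToken());
        log.warn("Trying to reuse already used refresh token, revoke the currently active oauth tokens for client {} {}", Long.valueOf(consumed.getClientId()), consumed.getClientName());
    }
}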
