package org.apereo.cas.support.oauth.web.response.accesstoken;

import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.LinkedHashSet;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.DefaultAuthenticationBuilder;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.support.Beans;
import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
import org.apereo.cas.support.oauth.validator.token.device.InvalidOAuth20DeviceTokenException;
import org.apereo.cas.support.oauth.validator.token.device.ThrottledOAuth20DeviceUserCodeApprovalException;
import org.apereo.cas.support.oauth.validator.token.device.UnapprovedOAuth20DeviceUserCodeException;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenRequestDataHolder;
import org.apereo.cas.ticket.Ticket;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.ticket.TicketState;
import org.apereo.cas.ticket.accesstoken.AccessToken;
import org.apereo.cas.ticket.accesstoken.AccessTokenFactory;
import org.apereo.cas.ticket.code.OAuthCode;
import org.apereo.cas.ticket.device.DeviceToken;
import org.apereo.cas.ticket.device.DeviceTokenFactory;
import org.apereo.cas.ticket.device.DeviceUserCode;
import org.apereo.cas.ticket.refreshtoken.RefreshToken;
import org.apereo.cas.ticket.refreshtoken.RefreshTokenFactory;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.util.function.FunctionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/support/oauth/web/response/accesstoken/OAuth20DefaultTokenGenerator.class */
public class OAuth20DefaultTokenGenerator implements OAuth20TokenGenerator {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20DefaultTokenGenerator.class);
    protected final AccessTokenFactory accessTokenFactory;
    protected final DeviceTokenFactory deviceTokenFactory;
    protected final RefreshTokenFactory refreshTokenFactory;
    protected final TicketRegistry ticketRegistry;
    protected final CasConfigurationProperties casProperties;

    @Override // org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20TokenGenerator
    public OAuth20TokenGeneratedResult generate(AccessTokenRequestDataHolder accessTokenRequestDataHolder) {
        return OAuth20ResponseTypes.DEVICE_CODE.equals(accessTokenRequestDataHolder.getResponseType()) ? generateAccessTokenOAuthDeviceCodeResponseType(accessTokenRequestDataHolder) : generateAccessTokenResult(accessTokenRequestDataHolder, generateAccessTokenOAuthGrantTypes(accessTokenRequestDataHolder));
    }

    protected OAuth20TokenGeneratedResult generateAccessTokenOAuthDeviceCodeResponseType(AccessTokenRequestDataHolder accessTokenRequestDataHolder) {
        String deviceCode = accessTokenRequestDataHolder.getDeviceCode();
        if (!StringUtils.isNotBlank(deviceCode)) {
            Pair<DeviceToken, DeviceUserCode> createDeviceTokensInTicketRegistry = createDeviceTokensInTicketRegistry(accessTokenRequestDataHolder);
            return OAuth20TokenGeneratedResult.builder().responseType(accessTokenRequestDataHolder.getResponseType()).registeredService(accessTokenRequestDataHolder.getRegisteredService()).deviceCode(((DeviceToken) createDeviceTokensInTicketRegistry.getLeft()).getId()).userCode(((DeviceUserCode) createDeviceTokensInTicketRegistry.getValue()).getId()).build();
        }
        DeviceToken deviceTokenFromTicketRegistry = getDeviceTokenFromTicketRegistry(deviceCode);
        if (getDeviceUserCodeFromRegistry(deviceTokenFromTicketRegistry).isUserCodeApproved()) {
            LOGGER.debug("Provided user code [{}] linked to device code [{}] is approved", deviceTokenFromTicketRegistry.getId(), deviceCode);
            this.ticketRegistry.deleteTicket(deviceCode);
            AccessTokenRequestDataHolder build = AccessTokenRequestDataHolder.builder().service(accessTokenRequestDataHolder.getService()).authentication(accessTokenRequestDataHolder.getAuthentication()).registeredService(accessTokenRequestDataHolder.getRegisteredService()).ticketGrantingTicket(accessTokenRequestDataHolder.getTicketGrantingTicket()).grantType(accessTokenRequestDataHolder.getGrantType()).scopes(new LinkedHashSet()).responseType(accessTokenRequestDataHolder.getResponseType()).generateRefreshToken(accessTokenRequestDataHolder.getRegisteredService() != null && accessTokenRequestDataHolder.isGenerateRefreshToken()).build();
            return generateAccessTokenResult(build, generateAccessTokenOAuthGrantTypes(build));
        }
        if (deviceTokenFromTicketRegistry.getLastTimeUsed() != null) {
            long seconds = Beans.newDuration(this.casProperties.getAuthn().getOauth().getDeviceToken().getRefreshInterval()).getSeconds();
            if (deviceTokenFromTicketRegistry.getLastTimeUsed().plusSeconds(seconds).isAfter(ZonedDateTime.now(ZoneOffset.UTC))) {
                LOGGER.error("Request for user code approval is greater than the configured refresh interval of [{}] second(s)", Long.valueOf(seconds));
                throw new ThrottledOAuth20DeviceUserCodeApprovalException(deviceTokenFromTicketRegistry.getId());
            }
        }
        deviceTokenFromTicketRegistry.update();
        this.ticketRegistry.updateTicket(deviceTokenFromTicketRegistry);
        LOGGER.error("Provided user code [{}] linked to device code [{}] is NOT approved yet", deviceTokenFromTicketRegistry.getId(), deviceCode);
        throw new UnapprovedOAuth20DeviceUserCodeException(deviceTokenFromTicketRegistry.getId());
    }

    private DeviceUserCode getDeviceUserCodeFromRegistry(DeviceToken deviceToken) {
        DeviceUserCode ticket = this.ticketRegistry.getTicket(deviceToken.getUserCode(), DeviceUserCode.class);
        if (ticket == null) {
            LOGGER.error("Provided user code [{}] is invalid or expired and cannot be found in the ticket registry", deviceToken.getUserCode());
            throw new InvalidOAuth20DeviceTokenException(deviceToken.getUserCode());
        }
        if (!ticket.isExpired()) {
            return ticket;
        }
        this.ticketRegistry.deleteTicket(ticket.getId());
        LOGGER.error("Provided device code [{}] has expired and will be removed from the ticket registry", deviceToken.getUserCode());
        throw new InvalidOAuth20DeviceTokenException(deviceToken.getUserCode());
    }

    private DeviceToken getDeviceTokenFromTicketRegistry(String str) {
        DeviceToken ticket = this.ticketRegistry.getTicket(str, DeviceToken.class);
        if (ticket == null) {
            LOGGER.error("Provided device code [{}] is invalid or expired and cannot be found in the ticket registry", str);
            throw new InvalidOAuth20DeviceTokenException(str);
        }
        if (!ticket.isExpired()) {
            return ticket;
        }
        this.ticketRegistry.deleteTicket(str);
        LOGGER.error("Provided device code [{}] has expired and will be removed from the ticket registry", str);
        throw new InvalidOAuth20DeviceTokenException(str);
    }

    private Pair<DeviceToken, DeviceUserCode> createDeviceTokensInTicketRegistry(AccessTokenRequestDataHolder accessTokenRequestDataHolder) {
        DeviceToken createDeviceCode = this.deviceTokenFactory.createDeviceCode(accessTokenRequestDataHolder.getService());
        LOGGER.debug("Created device code token [{}]", createDeviceCode.getId());
        DeviceUserCode createDeviceUserCode = this.deviceTokenFactory.createDeviceUserCode(createDeviceCode);
        LOGGER.debug("Created device user code token [{}]", createDeviceUserCode.getId());
        addTicketToRegistry(createDeviceCode);
        LOGGER.debug("Added device token [{}] to registry", createDeviceCode);
        addTicketToRegistry(createDeviceUserCode);
        LOGGER.debug("Added device user token [{}] to registry", createDeviceUserCode);
        return Pair.of(createDeviceCode, createDeviceUserCode);
    }

    protected Pair<AccessToken, RefreshToken> generateAccessTokenOAuthGrantTypes(AccessTokenRequestDataHolder accessTokenRequestDataHolder) {
        LOGGER.debug("Creating access token for [{}]", accessTokenRequestDataHolder.getService());
        Authentication build = DefaultAuthenticationBuilder.newInstance(accessTokenRequestDataHolder.getAuthentication()).addAttribute("grant_type", accessTokenRequestDataHolder.getGrantType().toString()).addAttribute("scope", accessTokenRequestDataHolder.getScopes()).addAttribute("client_id", accessTokenRequestDataHolder.getRegisteredService().getClientId()).build();
        LOGGER.debug("Creating access token for [{}]", accessTokenRequestDataHolder);
        TicketGrantingTicket ticketGrantingTicket = accessTokenRequestDataHolder.getTicketGrantingTicket();
        AccessToken create = this.accessTokenFactory.create(accessTokenRequestDataHolder.getService(), build, ticketGrantingTicket, accessTokenRequestDataHolder.getScopes());
        LOGGER.debug("Created access token [{}]", create);
        addTicketToRegistry(create, ticketGrantingTicket);
        LOGGER.debug("Added access token [{}] to registry", create);
        updateOAuthCode(accessTokenRequestDataHolder);
        return Pair.of(create, (RefreshToken) FunctionUtils.doIf(accessTokenRequestDataHolder.isGenerateRefreshToken(), () -> {
            return generateRefreshToken(accessTokenRequestDataHolder);
        }, () -> {
            LOGGER.debug("Service [{}] is not able/allowed to receive refresh tokens", accessTokenRequestDataHolder.getService());
            return null;
        }).get());
    }

    protected void updateOAuthCode(AccessTokenRequestDataHolder accessTokenRequestDataHolder) {
        if (accessTokenRequestDataHolder.getToken() instanceof OAuthCode) {
            ((TicketState) TicketState.class.cast(accessTokenRequestDataHolder.getToken())).update();
            if (accessTokenRequestDataHolder.getToken().isExpired()) {
                this.ticketRegistry.deleteTicket(accessTokenRequestDataHolder.getToken().getId());
            } else {
                this.ticketRegistry.updateTicket(accessTokenRequestDataHolder.getToken());
            }
            this.ticketRegistry.updateTicket(accessTokenRequestDataHolder.getTicketGrantingTicket());
        }
    }

    protected void addTicketToRegistry(Ticket ticket, TicketGrantingTicket ticketGrantingTicket) {
        LOGGER.debug("Adding ticket [{}] to registry", ticket);
        this.ticketRegistry.addTicket(ticket);
        if (ticketGrantingTicket != null) {
            LOGGER.debug("Updating parent ticket-granting ticket [{}]", ticketGrantingTicket);
            this.ticketRegistry.updateTicket(ticketGrantingTicket);
        }
    }

    protected void addTicketToRegistry(Ticket ticket) {
        addTicketToRegistry(ticket, null);
    }

    protected RefreshToken generateRefreshToken(AccessTokenRequestDataHolder accessTokenRequestDataHolder) {
        LOGGER.debug("Creating refresh token for [{}]", accessTokenRequestDataHolder.getService());
        RefreshToken create = this.refreshTokenFactory.create(accessTokenRequestDataHolder.getService(), accessTokenRequestDataHolder.getAuthentication(), accessTokenRequestDataHolder.getTicketGrantingTicket(), accessTokenRequestDataHolder.getScopes());
        LOGGER.debug("Adding refresh token [{}] to the registry", create);
        addTicketToRegistry(create, accessTokenRequestDataHolder.getTicketGrantingTicket());
        return create;
    }

    private OAuth20TokenGeneratedResult generateAccessTokenResult(AccessTokenRequestDataHolder accessTokenRequestDataHolder, Pair<AccessToken, RefreshToken> pair) {
        return OAuth20TokenGeneratedResult.builder().registeredService(accessTokenRequestDataHolder.getRegisteredService()).accessToken((AccessToken) pair.getKey()).refreshToken((RefreshToken) pair.getValue()).grantType(accessTokenRequestDataHolder.getGrantType()).responseType(accessTokenRequestDataHolder.getResponseType()).build();
    }

    @Generated
    public OAuth20DefaultTokenGenerator(AccessTokenFactory accessTokenFactory, DeviceTokenFactory deviceTokenFactory, RefreshTokenFactory refreshTokenFactory, TicketRegistry ticketRegistry, CasConfigurationProperties casConfigurationProperties) {
        this.accessTokenFactory = accessTokenFactory;
        this.deviceTokenFactory = deviceTokenFactory;
        this.refreshTokenFactory = refreshTokenFactory;
        this.ticketRegistry = ticketRegistry;
        this.casProperties = casConfigurationProperties;
    }
}
