package ru.org.openam.oauth.v2.jaxrs;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;
import com.fasterxml.jackson.datatype.joda.JodaModule;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.hash.Hashing;
import com.google.inject.Key;
import com.google.inject.TypeLiteral;
import com.iplanet.am.util.SystemProperties;
import com.iplanet.dpro.session.Session;
import com.iplanet.dpro.session.SessionException;
import com.iplanet.dpro.session.SessionID;
import com.iplanet.dpro.session.service.SessionService;
import com.iplanet.services.util.Crypt;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.shared.DateUtils;
import com.sun.identity.sm.DNMapper;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.PrintWriter;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.PrivilegedAction;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.MessageFormat;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TimeZone;
import java.util.TreeMap;
import java.util.concurrent.TimeUnit;
import javax.inject.Inject;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.text.StringEscapeUtils;
import org.forgerock.audit.events.AccessAuditEventBuilder;
import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.json.JsonValue;
import org.forgerock.json.jose.builders.JwtBuilderFactory;
import org.forgerock.json.jose.jws.SignedJwt;
import org.forgerock.openam.audit.AMAccessAuditEventBuilder;
import org.forgerock.openam.audit.AuditConstants;
import org.forgerock.openam.audit.AuditEventPublisher;
import org.forgerock.openam.audit.context.AuditRequestContext;
import org.forgerock.openam.cts.exceptions.CoreTokenException;
import org.forgerock.openam.session.SessionCache;
import org.forgerock.openam.session.service.access.persistence.SessionPersistenceStore;
import org.forgerock.openam.sts.AMSTSConstants;
import org.forgerock.openam.sts.STSPublishException;
import org.forgerock.openam.sts.TokenCreationException;
import org.forgerock.openam.sts.TokenType;
import org.forgerock.openam.sts.service.invocation.OpenIdConnectTokenGenerationState;
import org.forgerock.openam.sts.service.invocation.SAML2TokenGenerationState;
import org.forgerock.openam.sts.service.invocation.TokenGenerationServiceInvocationState;
import org.forgerock.openam.sts.tokengeneration.config.TokenGenerationServiceInjectorHolder;
import org.forgerock.openam.sts.tokengeneration.oidc.OpenIdConnectTokenGeneration;
import org.forgerock.openam.sts.tokengeneration.state.RestSTSInstanceState;
import org.forgerock.openam.sts.tokengeneration.state.STSInstanceStateProvider;
import org.forgerock.openam.utils.AMKeyProvider;
import org.forgerock.util.encode.Base64url;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import ru.org.openam.auth.modules.adaptive.persistence.SessionHistory;
import ru.org.openam.auth.modules.adaptive.plugin.PluginContext;
import ru.org.openam.auth.modules.adaptive.plugins.IP;
import ru.org.openam.auth.modules.adaptive.plugins.SID;
import ru.org.openam.auth.modules.adaptive.plugins.Time;
import ru.org.openam.auth.modules.adaptive.plugins.UserAgent;
import ru.org.openam.auth.modules.adaptive.plugins.oauth.client_name;
import ru.org.openam.auth.modules.exception.error;
import ru.org.openam.geo.Client;
import ru.org.openam.httpdump.Dump;
import ru.org.openam.oauth.v2.Stat;
import ru.org.openam.oauth.v2.data.Permission;
import ru.org.openam.oauth.v2.data.access_token;
import ru.org.openam.oauth.v2.data.client_id;
import ru.org.openam.oauth.v2.data.refresh_token;
import ru.org.openam.rest.SessionList;
import ru.org.openam.servlets.Authentificate;
import ru.org.openam.web.Version;

@Path("/")
/* loaded from: input_file:ru/org/openam/oauth/v2/jaxrs/OAuth2.class */
public class OAuth2 {
    // SLF4J logger shared by the endpoints of this class.
    private static Logger logger = LoggerFactory.getLogger(OAuth2.class);
    // Query fragment placed on the /UI/Login forward issued by the authorization endpoint.
    // NOTE(review): the property key is the package name concatenated directly with "service$auth";
    // no '.' separator is inserted - confirm the deployed property really uses that spelling.
    static String service$auth = SystemProperties.get(OAuth2.class.getPackage().getName().concat("service$auth"), "service=oauth2auth");
    // Query fragment placed on the /UI/Login forward issued by the token endpoint (same key construction as above).
    static String service$token = SystemProperties.get(OAuth2.class.getPackage().getName().concat("service$token"), "org=oauth&service=oauth2token");
    // Published in the discovery document as mobile_connect_version_supported and mc_version; assigned outside this excerpt.
    public static final Set<String> version;
    // Published in the discovery document as acr_values_supported; assigned outside this excerpt.
    public static final Set<String> acr_values;

    // Injected collaborator; none of the methods in this part of the file reads it.
    @Inject
    TokenMapper tokenMapper;
    // Key provider behind jwks() and getPrivateKey(); assigned outside this excerpt.
    static AMKeyProvider kp;
    // Receives the access audit event published by token(); assigned outside this excerpt.
    static AuditEventPublisher auditEventPublisher;
    // Issued tokens, keyed in token() by "client_id:client_secret" (plus ":refresh_token" for refresh grants).
    // NOTE(review): the keys are plaintext credentials and the field is public static, so any code in the
    // JVM can enumerate or replace entries - consider narrowing visibility and keying on a digest.
    public static final Cache<String, access_token> accesstoken_cache;
    // Jackson mapper used to serialise the discovery and JWKS documents and to parse the api() request body.
    static ObjectMapper mapper;

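    /**
     * Serves the OpenID Connect / Mobile Connect discovery document as JSON.
     *
     * <p>The issuer and every endpoint default are derived from the incoming request through
     * {@link #getIssuer(HttpServletRequest)}; several endpoints can be overridden by system properties of
     * the same name. The load-balancer cookie is attached to the response.
     *
     * @param httpServletRequest  request used for logging, issuer derivation and the context path
     * @param httpServletResponse unused
     * @return 200 response carrying the serialised metadata
     * @throws RuntimeException wrapping any failure while building or serialising the document
     */
    @GET
    @Produces({"application/json"})
    @Path("openid-configuration")
    public Response openid_configuration(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        logger.info("openid-configuration {}: {}", Authentificate.whois(httpServletRequest), httpServletRequest.getParameterMap());
        Map<String, Object> metadata = new HashMap<>();
        try {
            // getIssuer() builds the value from the request's scheme, server name and port, so issuer,
            // jwks_uri and every endpoint default below follow whatever host the container reports.
            // NOTE(review): if that host comes from a client-supplied Host header, pin it at the reverse
            // proxy; issuer and jwks_uri have no system-property override here.
            URI issuer = getIssuer(httpServletRequest);
            String contextPath = httpServletRequest.getContextPath();
            metadata.put("issuer", issuer);
            metadata.put("jwks_uri", issuer.resolve(contextPath + "/oauth2/jwks"));
            metadata.put("scopes_supported", Permission.getScopeSupported().toArray(new String[0]));
            metadata.put("response_types_supported", new String[]{"code", "id_token"});
            metadata.put("response_modes_supported", new String[]{"query", "fragment"});
            metadata.put("grant_types_supported", new String[]{"authorization_code", "implicit"});
            // Fix: toArray() used to receive a pre-filled six-element array. When the set holds fewer than
            // six values, Collection.toArray writes a null after the last element and leaves the remaining
            // literals in place, so the document advertised a null plus values that are not configured.
            metadata.put("acr_values_supported", acr_values.toArray(new String[0]));
            metadata.put("subject_types_supported", new String[]{"public"});
            metadata.put("id_token_signing_alg_values_supported", new String[]{"RS256", "RS384", "RS512", "ES256", "ES384", "ES512"});
            // NOTE(review): "none" is advertised for userinfo responses and for request objects. Confirm the
            // server never accepts an unsigned request object where integrity matters, or drop the value.
            metadata.put("userinfo_signing_alg_values_supported", new String[]{"none", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512"});
            metadata.put("request_object_signing_alg_values_supported", new String[]{"none", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512"});
            metadata.put("token_endpoint_auth_methods_supported", new String[]{"client_secret_post", "client_secret_basic"});
            metadata.put("token_endpoint_auth_signing_alg_values_supported", new String[]{"RS256", "RS384", "RS512", "ES256", "ES384", "ES512"});
            metadata.put("display_values_supported", new String[]{"page", "touch"});
            metadata.put("claim_types_supported", new String[]{"normal"});
            metadata.put("claims_supported", new String[0]);
            metadata.put("claims_locales_supported", SystemProperties.get("claims_locales_supported", "en-US,ru-RU").split(","));
            // NOTE(review): ui_locales_supported reads the claims_locales_supported property - confirm the
            // shared key is intended.
            metadata.put("ui_locales_supported", SystemProperties.get("claims_locales_supported", "en-US,ru-RU").split(","));
            metadata.put("claims_parameter_supported", false);
            metadata.put("request_parameter_supported", false);
            metadata.put("request_uri_parameter_supported", true);
            metadata.put("require_request_uri_registration", true);
            metadata.put("op_policy_uri", SystemProperties.get("op_policy_uri", issuer.resolve(contextPath + "/UI/Login").toString()));
            metadata.put("service_documentation", SystemProperties.get("service_documentation", issuer.resolve(contextPath + "/oauth2/service_documentation").toString()));
            metadata.put("op_tos_uri", SystemProperties.get("op_tos_uri", issuer.resolve(contextPath + "/oauth2/op_tos_uri").toString()));
            metadata.put("authorization_endpoint", SystemProperties.get("authorization_endpoint", issuer.resolve(contextPath + "/oauth2/auth").toString()));
            metadata.put("token_endpoint", SystemProperties.get("token_endpoint", issuer.resolve(contextPath + "/oauth2/token").toString()));
            metadata.put("userinfo_endpoint", SystemProperties.get("userinfo_endpoint", issuer.resolve(contextPath + "/oauth2/userinfo").toString()));
            metadata.put("registration_endpoint", SystemProperties.get("registration_endpoint", issuer.resolve(contextPath + "/oauth2/registration_endpoint").toString()));
            metadata.put("mobile_connect_version_supported", version.toArray(new String[0]));
            metadata.put("mc_version", version.toArray(new String[0]));
            metadata.put("mc_amr_values_supported", new String[]{"USSDK_OK", "USSDK_PIN", "SIM_OK", "SIM_PIN", "SM_APP_PIN", "SM_APP_OK"});
            metadata.put("mc_hash_algs_supported", new String[]{"SHA-256"});
            metadata.put("mc_di_scopes_supported", new String[]{"openid mc_authn mc_phonenumber mc_kyc_plain mc_kyc_hashed"});
            metadata.put("mc_claims_parameter_supported", false);
            metadata.put("login_hint_types_supported", new String[]{"MSISDN", "ENCR_MSISDN", "PCR"});
            return Response.status(200).cookie(new NewCookie[]{new NewCookie(SystemProperties.get("com.iplanet.am.lbcookie.name", "amlbcookie"), SystemProperties.get("com.iplanet.am.lbcookie.value"))}).entity(mapper.writeValueAsString(metadata)).build();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }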

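    /**
     * Publishes the signing keys as a JSON Web Key Set.
     *
     * <p>Keys are collected from the key provider's keystore and, when present, from a
     * {@code /keystore.jks} resource on the classpath that is opened with the key provider's type and
     * password. Every RSA or EC certificate key found by {@link #populateKeys(KeyStore, Map)} is listed
     * under its keystore alias.
     *
     * @param httpServletRequest  request, used for logging only
     * @param httpServletResponse unused
     * @return 200 response carrying {@code {"keys": [...]}} and the load-balancer cookie
     * @throws RuntimeException wrapping any keystore, I/O or serialisation failure
     */
    @GET
    @Produces({"application/json"})
    @Path("jwks")
    public Response jwks(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        logger.info("jwks {}: {}", Authentificate.whois(httpServletRequest), httpServletRequest.getParameterMap());
        Map<String, Object> document = new HashMap<>();
        try {
            Map<String, PublicKey> publicKeys = new HashMap<>();
            populateKeys(kp.getKeyStore(), publicKeys);
            // Fix: the classpath stream was never closed. try-with-resources accepts a null resource, so
            // the "not bundled" case still falls through without touching a keystore.
            try (InputStream bundled = getClass().getResourceAsStream("/keystore.jks")) {
                if (bundled != null) {
                    KeyStore bundledStore = KeyStore.getInstance(kp.getKeystoreType());
                    bundledStore.load(bundled, kp.getKeystorePass());
                    populateKeys(bundledStore, publicKeys);
                }
            }
            // NOTE(review): every RSA/EC key entry of both keystores is published, not only the aliases
            // used for token signing - confirm no unrelated certificates live in these stores.
            List<Map<String, Object>> keys = new ArrayList<>();
            for (Map.Entry<String, PublicKey> entry : publicKeys.entrySet()) {
                PublicKey key = entry.getValue();
                Map<String, Object> jwk = new HashMap<>();
                jwk.put("kid", entry.getKey());
                jwk.put("kty", key.getAlgorithm());
                jwk.put("use", "sig");
                // NOTE(review): "alg" is "RS"/"ES" followed by the key size (modulus bit length or curve
                // field size), which is not a registered JWA name for typical RSA keys - check what
                // relying parties expect before they start validating this member.
                // NOTE(review): BigInteger.toByteArray() is two's complement and may prepend a zero sign
                // byte, while JWK parameters are unsigned big-endian (fixed width for EC coordinates);
                // verify against a strict JWK parser.
                if (key instanceof RSAPublicKey) {
                    RSAPublicKey rsa = (RSAPublicKey) key;
                    jwk.put("alg", "RS" + rsa.getModulus().bitLength());
                    jwk.put("e", Base64url.encode(rsa.getPublicExponent().toByteArray()));
                    jwk.put("n", Base64url.encode(rsa.getModulus().toByteArray()));
                } else {
                    // populateKeys() admits only RSA and EC keys, so anything else fails the cast here
                    // and is reported through the catch below.
                    ECPublicKey ec = (ECPublicKey) key;
                    int fieldSize = ec.getParams().getCurve().getField().getFieldSize();
                    jwk.put("alg", "ES" + fieldSize);
                    jwk.put("x", Base64url.encode(ec.getW().getAffineX().toByteArray()));
                    jwk.put("y", Base64url.encode(ec.getW().getAffineY().toByteArray()));
                    jwk.put("crv", "P-" + fieldSize);
                }
                keys.add(jwk);
            }
            document.put("keys", keys);
            return Response.status(200).cookie(new NewCookie[]{new NewCookie(SystemProperties.get("com.iplanet.am.lbcookie.name", "amlbcookie"), SystemProperties.get("com.iplanet.am.lbcookie.value"))}).entity(mapper.writeValueAsString(document)).build();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }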

    /**
     * Copies the public key of every key entry that carries an RSA or EC certificate into {@code map},
     * keyed by keystore alias. Existing entries with the same alias are overwritten.
     *
     * <p>Best effort: a {@link KeyStoreException} (for example an uninitialised keystore) ends the scan
     * silently and a {@link ClassCastException} skips the alias, so a failing keystore simply yields fewer
     * published keys and leaves no trace in the log.
     *
     * @param keyStore keystore to scan
     * @param map      receives alias to public key
     */
    public static void populateKeys(KeyStore keyStore, Map<String, PublicKey> map) {
        try {
            // Collections.list snapshots the aliases before any entry is inspected.
            for (String alias : Collections.list(keyStore.aliases())) {
                try {
                    if (!keyStore.isKeyEntry(alias) || keyStore.getCertificate(alias) == null) {
                        continue;
                    }
                    PublicKey candidate = keyStore.getCertificate(alias).getPublicKey();
                    boolean supported = candidate instanceof RSAPublicKey || candidate instanceof ECPublicKey;
                    if (supported) {
                        map.put(alias, candidate);
                    }
                } catch (ClassCastException ignored) {
                    // deliberately skipped: this alias is left out of the result
                }
            }
        } catch (KeyStoreException ignored) {
            // deliberately swallowed: the caller keeps whatever was collected so far
        }
    }

    /**
     * Builds the issuer URI {@code scheme://serverName[:port]} from the request.
     *
     * <p>The port is written only when it is greater than 443; port 443 and every lower port are left
     * out. The result is also used as the keystore alias in {@link #getPrivateKey(HttpServletRequest)}.
     *
     * <p>NOTE(review): scheme, server name and port are whatever the container reports for this request.
     * If those come from client-controlled headers, the issuer is client-controlled too - confirm the
     * front end pins them.
     *
     * @param httpServletRequest current request, may be {@code null}
     * @return the issuer URI, or {@code null} when no request is given
     * @throws RuntimeException wrapping a {@link URISyntaxException} for an unparsable host
     */
    public static URI getIssuer(HttpServletRequest httpServletRequest) {
        if (httpServletRequest == null) {
            return null;
        }
        final String base = httpServletRequest.getScheme().concat("://").concat(httpServletRequest.getServerName());
        final int port = httpServletRequest.getServerPort();
        final String portSuffix = port > 443 ? ":" + port : "";
        try {
            return new URI(base.concat(portSuffix));
        } catch (URISyntaxException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Looks up the signing key whose keystore alias equals the request's issuer string.
     *
     * <p>When no such key exists and {@code Version.isTest()} is true, the key stored under the alias
     * {@code "test"} is returned instead; otherwise the miss is logged at debug level.
     *
     * <p>NOTE(review): the alias follows the request-derived issuer, so the host the container reports
     * decides which key signs. The debug line also writes {@code Dump.toString(request)} - confirm that
     * dump cannot contain credentials before enabling debug logging in production.
     *
     * @param httpServletRequest current request; must not be {@code null}
     * @return the private key, or {@code null} when none is configured for this issuer
     */
    public static final PrivateKey getPrivateKey(HttpServletRequest httpServletRequest) {
        final URI issuer = getIssuer(httpServletRequest);
        final PrivateKey signingKey = kp.getPrivateKey(issuer.toString());
        if (signingKey != null) {
            return signingKey;
        }
        if (Version.isTest()) {
            return kp.getPrivateKey("test");
        }
        logger.debug("cannot get private key [{}] in {} for request {}", new Object[]{issuer, kp.getKeystoreFilePath(), Dump.toString(httpServletRequest)});
        return null;
    }

    /**
     * POST variant of the authorization endpoint. Binds the same query parameters as
     * {@code auth_get} and hands them over unchanged, so both verbs share one code path.
     * Only query-string values are bound here; nothing is read from the request body by this method.
     */
    @Path("auth")
    @Consumes({"*/*"})
    @POST
    @Produces({"text/html"})
    public void auth_post(
            @QueryParam("response_type") String str,
            @QueryParam("client_id") String str2,
            @QueryParam("redirect_uri") String str3,
            @QueryParam("scope") String str4,
            @QueryParam("state") String str5,
            @QueryParam("correlation_id") String str6,
            @QueryParam("access_type") String str7,
            @QueryParam("approval_prompt") String str8,
            @QueryParam("login_hint") String str9,
            @QueryParam("include_granted_scopes") String str10,
            @QueryParam("auth-service") String str11,
            @QueryParam("auth-org") String str12,
            @QueryParam("display") String str13,
            @QueryParam("version") String str14,
            @QueryParam("acr_values") String str15,
            @QueryParam("code_challenge") String str16,
            @QueryParam("code_challenge_method") String str17,
            @Context HttpServletRequest httpServletRequest,
            @Context HttpServletResponse httpServletResponse) {
        // Pure delegation: argument order matches the auth_get signature one to one.
        auth_get(
                str, str2, str3, str4, str5, str6, str7, str8, str9,
                str10, str11, str12, str13, str14, str15, str16, str17,
                httpServletRequest, httpServletResponse);
    }

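    /**
     * Authorization endpoint. In server mode the request is forwarded to the login UI
     * ({@code /UI/Login}) with the configured auth service, the optional {@code auth-org} value and
     * {@code ForceAuth=true}; outside server mode nothing is done.
     *
     * <p>The original request URI and query string are stored in the request attribute
     * {@code <OAuth2 class name>.uri} before forwarding. The wrapped request answers {@code "true"} for
     * the {@code forward} parameter when {@code redirect_uri} starts with the out-of-band URN.
     *
     * <p>Of the bound query parameters only {@code auth-org} ({@code str12}) is read here; the others
     * stay available to the forwarded resource through the request itself.
     *
     * <p>NOTE(review): the raw query string is logged at info level; it carries {@code state},
     * {@code login_hint} and similar values - confirm that is acceptable for the log's audience.
     *
     * @throws RuntimeException with the fixed message {@code "error"} after logging any failure
     */
    @GET
    @Path("auth")
    @Consumes({"*/*"})
    @Produces({"text/html"})
    public void auth_get(@QueryParam("response_type") String str, @QueryParam("client_id") String str2, @QueryParam("redirect_uri") String str3, @QueryParam("scope") String str4, @QueryParam("state") String str5, @QueryParam("correlation_id") String str6, @QueryParam("access_type") String str7, @QueryParam("approval_prompt") String str8, @QueryParam("login_hint") String str9, @QueryParam("include_granted_scopes") String str10, @QueryParam("auth-service") String str11, @QueryParam("auth-org") String str12, @QueryParam("display") String str13, @QueryParam("version") String str14, @QueryParam("acr_values") String str15, @QueryParam("code_challenge") String str16, @QueryParam("code_challenge_method") String str17, @Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        logger.info("auth {}: {}", Authentificate.whois(httpServletRequest), httpServletRequest.getQueryString());
        try {
            if (SystemProperties.isServerMode()) {
                String queryString = httpServletRequest.getQueryString();
                httpServletRequest.setAttribute(OAuth2.class.getName().concat(".uri"), httpServletRequest.getRequestURI().concat("?").concat(queryString == null ? "" : queryString));
                // Fix: auth-org arrives already URL-decoded and used to be appended verbatim. It is now
                // percent-encoded so that the value stays a single "org" parameter and cannot introduce
                // further query parameters into the forwarded login URL.
                String orgParameter = str12 != null ? "&org=".concat(java.net.URLEncoder.encode(str12, "UTF-8")) : "";
                String loginPath = MessageFormat.format("/UI/Login?{0}{1}&ForceAuth=true", service$auth, orgParameter);
                httpServletRequest.getRequestDispatcher(loginPath).forward(new HttpServletRequestWrapper(httpServletRequest) {
                    @Override
                    public String getParameter(String str18) {
                        // Out-of-band redirect URIs make the login UI see forward=true.
                        return (StringUtils.equalsIgnoreCase(str18, "forward") && StringUtils.startsWithIgnoreCase(super.getParameter("redirect_uri"), "urn:ietf:wg:oauth:2.0:oob")) ? "true" : super.getParameter(str18);
                    }
                }, httpServletResponse);
                if (!httpServletResponse.isCommitted()) {
                    httpServletResponse.flushBuffer();
                }
            }
        } catch (Throwable th) {
            // The cause goes to the log only; the caller sees a generic message.
            logger.error("auth", th);
            throw new RuntimeException("error");
        }
    }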

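    /**
     * Token endpoint.
     *
     * <p>Flow, as implemented below:
     * <ol>
     *   <li>For {@code client_credentials} and {@code refresh_token} grants a cache key is built from the
     *       client id, client secret and (for refresh) the refresh token. A cached token is reused when
     *       its SSO session still has more than 60 seconds left.</li>
     *   <li>Otherwise {@code client_credentials} logs the client in directly, and every other grant is
     *       forwarded to {@code /UI/Login} with cookies removed from the request and the login UI's
     *       body, errors and redirects discarded. After the forward the token is read from the request
     *       attribute named after {@code access_token}.</li>
     *   <li>A missing token or a token carrying an error is returned with the status from the
     *       {@code access_token.status} request attribute, or 400.</li>
     *   <li>On success the token is cached where applicable, an access audit event is published and the
     *       token is returned with the load-balancer cookie.</li>
     * </ol>
     *
     * @param httpServletRequest  token request
     * @param httpServletResponse response handed to the login forward
     * @return the token response, or an error response as described above
     * @throws RuntimeException with the fixed message {@code "error"} when the login forward fails
     */
    @Path("token")
    @Consumes({"*/*"})
    @POST
    @Produces({"application/json;charset=utf-8"})
    public Response token(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        long currentTimeMillis = System.currentTimeMillis();
        // Fix: the format string carried four placeholders for three arguments.
        logger.info("token {}: {} {}", new Object[]{Authentificate.whois(httpServletRequest), httpServletRequest.getParameter("grant_type"), Permission.getClientId(httpServletRequest)});
        access_token access_tokenVar = null;
        // NOTE(review): the cache key is built from the plaintext client secret and refresh token, and a
        // hit below returns the stored token without calling client_id.login() again - the presented
        // secret is checked only through key equality. Consider keying on a digest of these values.
        String cacheKey = "client_credentials".equalsIgnoreCase(httpServletRequest.getParameter("grant_type")) ? Permission.getClientId(httpServletRequest) + ":" + Permission.getClientSecret(httpServletRequest) : "refresh_token".equalsIgnoreCase(httpServletRequest.getParameter("grant_type")) ? Permission.getClientId(httpServletRequest) + ":" + Permission.getClientSecret(httpServletRequest) + ":" + httpServletRequest.getParameter("refresh_token") : null;
        if (cacheKey != null) {
            access_tokenVar = (access_token) accesstoken_cache.getIfPresent(cacheKey);
            if (access_tokenVar != null) {
                try {
                    // The cached access token string is the SSO token id; re-creating the SSO token checks
                    // that the session behind it is still usable.
                    SSOToken createSSOToken = SSOTokenManager.getInstance().createSSOToken(access_tokenVar.access_token, httpServletRequest.getRemoteAddr());
                    // Remaining lifetime = min(time left, max idle minutes * 60); a non-positive result is
                    // reported as 3600.
                    access_tokenVar.expires_in = Integer.valueOf((int) (Math.min(createSSOToken.getTimeLeft(), createSSOToken.getMaxIdleTime() * 60) <= 0 ? 3600L : Math.min(createSSOToken.getTimeLeft(), createSSOToken.getMaxIdleTime() * 60)));
                    if (access_tokenVar.expires_in.intValue() <= 60) {
                        // About to expire: issue a fresh token instead.
                        access_tokenVar = null;
                    } else {
                        // Fix: this line used to write the raw refresh_token parameter, a bearer
                        // credential, to the log. The grant type is logged in its place.
                        logger.warn("restore access_token from {}: {}", Permission.getClientId(httpServletRequest), httpServletRequest.getParameter("grant_type"));
                    }
                } catch (SSOException e) {
                    // Session no longer valid: fall through to a fresh login.
                    access_tokenVar = null;
                }
            }
        }
        if (access_tokenVar == null) {
            if ("client_credentials".equalsIgnoreCase(httpServletRequest.getParameter("grant_type"))) {
                try {
                    client_id client_idVar = new client_id(Permission.getClientId(httpServletRequest));
                    client_idVar.login(httpServletRequest, Permission.getClientSecret(httpServletRequest));
                    access_tokenVar = new access_token(httpServletRequest, client_idVar);
                } catch (error e2) {
                    logger.warn("client_credentials {}: {}", Permission.getClientId(httpServletRequest), e2.toString());
                    access_tokenVar = e2.getError();
                } catch (Throwable th) {
                    logger.warn("client_credentials {}: {}", Permission.getClientId(httpServletRequest), th.toString());
                    access_tokenVar = new access_token(httpServletRequest, (String) null, Permission.getClientId(httpServletRequest));
                    access_tokenVar.error = "invalid_grant";
                }
            } else {
                try {
                    if (SystemProperties.isServerMode()) {
                        httpServletRequest.setAttribute(OAuth2.class.getName().concat(".uri"), httpServletRequest.getRequestURI().concat("?").concat(httpServletRequest.getQueryString() == null ? "" : httpServletRequest.getQueryString()));
                        httpServletRequest.getRequestDispatcher(MessageFormat.format("/UI/Login?{0}&arg=newsession", service$token)).forward(new HttpServletRequestWrapper(httpServletRequest) {
                            // The login flow never sees the caller's cookies, so it cannot pick up an
                            // existing browser session.
                            public Cookie[] getCookies() {
                                return new Cookie[0];
                            }
                        }, new HttpServletResponseWrapper(httpServletResponse) {
                            // Everything the login UI tries to send - errors, redirects, body - is dropped.
                            public void sendError(int i, String str2) throws IOException {
                            }

                            public void sendError(int i) throws IOException {
                            }

                            public void sendRedirect(String str2) throws IOException {
                            }

                            public void flushBuffer() throws IOException {
                            }

                            public ServletOutputStream getOutputStream() throws IOException {
                                return new ServletOutputStream() {
                                    public void write(int i) throws IOException {
                                    }
                                };
                            }

                            public PrintWriter getWriter() throws IOException {
                                return new PrintWriter((OutputStream) getOutputStream());
                            }

                            // Set-Cookie headers are dropped unless they mention the load-balancer cookie
                            // name; all other headers pass through.
                            public void addHeader(String str2, String str3) {
                                if (!StringUtils.startsWithIgnoreCase(str2, "set-cookie") || StringUtils.containsIgnoreCase(str3, SystemProperties.get("com.iplanet.am.lbcookie.name", "amlbcookie"))) {
                                    super.addHeader(str2, str3);
                                }
                            }
                        });
                    }
                } catch (Throwable th2) {
                    logger.error("token", th2);
                    throw new RuntimeException("error");
                }
            }
        }
        if (access_tokenVar == null) {
            // Result of the login forward, if it stored one on the request.
            access_tokenVar = (access_token) httpServletRequest.getAttribute(access_token.class.getName());
        }
        if (access_tokenVar == null || access_tokenVar.error != null) {
            // NOTE(review): the whole request is dumped at error level; on this endpoint that can include
            // client_secret, code or refresh_token depending on what Dump.toString emits - verify.
            // NOTE(review): this return happens before the audit event below, so rejected token requests
            // produce no access-audit record from this method.
            logger.error("{}: {}", Dump.toString(httpServletRequest), access_tokenVar);
            return Response.status(httpServletRequest.getAttribute("access_token.status") != null ? ((Integer) httpServletRequest.getAttribute("access_token.status")).intValue() : 400).entity(access_tokenVar).build();
        }
        if (access_tokenVar != null && cacheKey != null) {
            if ("client_credentials".equalsIgnoreCase(httpServletRequest.getParameter("grant_type"))) {
                if (access_tokenVar.hasCache().booleanValue()) {
                    accesstoken_cache.put(cacheKey, access_tokenVar);
                }
            } else if ("refresh_token".equalsIgnoreCase(httpServletRequest.getParameter("grant_type")) && StringUtils.equals(httpServletRequest.getParameter("refresh_token"), access_tokenVar.refresh_token)) {
                // Cached only when the response keeps the refresh token that was presented.
                accesstoken_cache.put(cacheKey, access_tokenVar);
            }
        }
        // Only successful responses reach this point, so the FAILED alternative in the expression below
        // is never selected.
        auditEventPublisher.tryPublish("access", new AMAccessAuditEventBuilder().forHttpServletRequest(httpServletRequest).timestamp(currentTimeMillis).transactionId(AuditRequestContext.getTransactionIdValue()).eventName(AuditConstants.EventName.AM_ACCESS_OUTCOME).component(AuditConstants.Component.OAUTH).realm((String) httpServletRequest.getAttribute(access_token.class.getName().concat(".realm"))).userId(httpServletRequest.getAttribute(access_token.class.getName().concat(".uid")) != null ? (String) httpServletRequest.getAttribute(access_token.class.getName().concat(".uid")) : Permission.getClientId(httpServletRequest)).responseWithDetail((access_tokenVar == null || access_tokenVar.error != null) ? AccessAuditEventBuilder.ResponseStatus.FAILED : AccessAuditEventBuilder.ResponseStatus.SUCCESSFUL, "200", System.currentTimeMillis() - currentTimeMillis, TimeUnit.MILLISECONDS, (access_tokenVar == null || access_tokenVar.error == null) ? new JsonValue((Object) null) : JsonValue.json(access_tokenVar.error)).toEvent());
        return Response.status(200).cookie(new NewCookie[]{new NewCookie(SystemProperties.get("com.iplanet.am.lbcookie.name", "amlbcookie"), SystemProperties.get("com.iplanet.am.lbcookie.value"))}).entity(access_tokenVar).build();
    }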

    /**
     * POST variant of the UserInfo endpoint; answers exactly like the GET handler {@code userinfo}.
     *
     * @param httpServletRequest  request carrying the caller's credentials
     * @param httpServletResponse passed through unchanged
     * @return whatever {@code userinfo} returns for the same request
     */
    @Path("userinfo")
    @Consumes({"*/*"})
    @POST
    @Produces({"application/json;charset=utf-8"})
    public Response userinfo_post(
            @Context HttpServletRequest httpServletRequest,
            @Context HttpServletResponse httpServletResponse) {
        // Both verbs share one implementation.
        final Response sameAsGet = userinfo(httpServletRequest, httpServletResponse);
        return sameAsGet;
    }

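    /**
     * UserInfo endpoint: turns the caller's SSO token into a signed JWT through
     * {@link #convertToken(SSOToken, Permission)} and returns that JWT's claims as the response entity.
     *
     * <p>When the session carries an {@code am.protected.oauth2.accept} property it is parsed into a
     * {@code Permission}; a permission without an identity is answered with 401. When the permission's
     * scope contains {@code openid}, the serialised JWT is added as an {@code id_token} claim.
     *
     * @param httpServletRequest  request carrying the caller's credentials
     * @param httpServletResponse unused
     * @return 200 with the claims, 401 when no usable token is presented, 403 on any processing failure
     */
    @GET
    @Path("userinfo")
    @Consumes({"*/*"})
    @Produces({"application/json;charset=utf-8"})
    public Response userinfo(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        final long startedAt = System.currentTimeMillis();
        SSOToken token = Authentificate.getToken(httpServletRequest);
        if (token == null) {
            // NOTE(review): the 401 body echoes the presented Authorization header (HTML-escaped);
            // consider returning a fixed message so credentials never appear in response bodies.
            return Response.status(401).entity(StringEscapeUtils.escapeHtml4(MessageFormat.format("Authentification required: {0}\r\n{1}", httpServletRequest.getHeader("Authorization"), Authentificate.getError(httpServletRequest)))).build();
        }
        Permission permission = null;
        try {
            if (!StringUtils.isBlank(token.getProperty("am.protected.oauth2.accept"))) {
                permission = Permission.fromString(token.getProperty("am.protected.oauth2.accept"));
                if (permission != null && permission.getIdentity() == null) {
                    return Response.status(401).entity(StringEscapeUtils.escapeHtml4(MessageFormat.format("Authentification required: {0}\r\n{1}", httpServletRequest.getHeader("Authorization"), Authentificate.getError(httpServletRequest)))).build();
                }
            }
            String property = token.getProperty(SystemProperties.get("com.iplanet.am.lbcookie.name", "amlbcookie"));
            String convertToken = convertToken(token, permission);
            SignedJwt reconstruct = new JwtBuilderFactory().reconstruct(convertToken, SignedJwt.class);
            if (permission != null && permission.sc != null && permission.sc.contains("openid")) {
                reconstruct.getClaimsSet().put("id_token", convertToken);
            }
            // NOTE(review): the SSO token id is written to the info log. token() creates SSO tokens from
            // the access_token string, so this id appears to be the bearer credential itself - consider
            // logging a digest or the principal instead.
            logger.info("userinfo {} ms {}: {}", new Object[]{Long.valueOf(System.currentTimeMillis() - startedAt), Authentificate.whois(httpServletRequest), token.getTokenID().toString()});
            Stat.api(token, permission, reconstruct.getClaimsSet().keys());
            Response.ResponseBuilder entity = Response.status(200).entity(reconstruct.getClaimsSet().build());
            return (StringUtils.isBlank(property) ? entity : entity.cookie(new NewCookie[]{new NewCookie(SystemProperties.get("com.iplanet.am.lbcookie.name", "amlbcookie"), property)})).build();
        } catch (Throwable th) {
            // Fix: failures used to be turned into a 403 without any log entry, and the outer
            // catch (Exception) that did log could never run because this handler already catches
            // Throwable. The cause is now recorded; the response is unchanged.
            logger.error("userinfo failed: {}", th.toString(), th);
            // NOTE(review): the 403 body contains token.toString(); confirm that representation does not
            // expose session details, or replace it with a fixed message.
            return Response.status(403).entity(MessageFormat.format("Access denied: {0}", token)).build();
        }
    }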

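    /**
     * Generates an OpenID Connect token (serialised JWT) for an SSO session through the token
     * generation service.
     *
     * <p>With a permission the realm is fixed to {@code /oauth} and the permission's nonce is embedded;
     * without one the realm is derived from the session's {@code Organization} property and no nonce is
     * set. The STS instance id is the realm without its leading character followed by {@code /jwt}.
     *
     * @param sSOToken   session to convert
     * @param permission OAuth2 permission attached to the session, or {@code null}
     * @return the generated token string
     * @throws TokenCreationException if generation fails
     * @throws STSPublishException    if the STS instance state cannot be obtained
     * @throws SSOException           if the session cannot be read
     */
    public static String convertToken(SSOToken sSOToken, Permission permission) throws TokenCreationException, STSPublishException, SSOException {
        OpenIdConnectTokenGeneration openIdConnectTokenGeneration = (OpenIdConnectTokenGeneration) TokenGenerationServiceInjectorHolder.getInstance(Key.get(OpenIdConnectTokenGeneration.class));
        STSInstanceStateProvider sTSInstanceStateProvider = (STSInstanceStateProvider) TokenGenerationServiceInjectorHolder.getInstance(Key.get(new TypeLiteral<STSInstanceStateProvider<RestSTSInstanceState>>() {
        }));
        // Fix: authenticationTimeInSeconds() was handed System.currentTimeMillis(), i.e. milliseconds.
        // NOTE(review): the value is still "now", not the moment the session authenticated - confirm
        // whether the session's real authentication instant should be used.
        long authenticationTimeSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis());
        OpenIdConnectTokenGenerationState build = OpenIdConnectTokenGenerationState.builder().authenticationMethodReferences((Set) null).authenticationContextClassReference((String) null).authenticationTimeInSeconds(authenticationTimeSeconds).nonce(permission == null ? null : permission.nonce).build();
        String orgNameToRealmName = permission == null ? DNMapper.orgNameToRealmName(sSOToken.getProperty("Organization", true)) : "/oauth";
        TokenGenerationServiceInvocationState build2 = TokenGenerationServiceInvocationState.builder().ssoTokenString(sSOToken.getTokenID().toString()).tokenType(TokenType.OPENAM).stsInstanceId(orgNameToRealmName.substring(1).concat("/jwt")).realm(orgNameToRealmName).saml2GenerationState((SAML2TokenGenerationState) null).openIdConnectTokenGenerationState(build).stsType(AMSTSConstants.STSType.REST).build();
        return openIdConnectTokenGeneration.generate(sSOToken, sTSInstanceStateProvider.getSTSInstanceState(build2.getStsInstanceId(), build2.getRealm()), build2);
    }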

    /**
     * POST variant of the {@code api} endpoint; hands the request to the GET handler {@code api}.
     *
     * @param httpServletRequest  request carrying the caller's credentials and, for POST, a body
     * @param httpServletResponse passed through unchanged
     * @return whatever {@code api} returns for the same request
     */
    @Path("api")
    @Consumes({"*/*"})
    @POST
    @Produces({"application/json;charset=utf-8"})
    public Response api_post(
            @Context HttpServletRequest httpServletRequest,
            @Context HttpServletResponse httpServletResponse) {
        // api() itself checks for the POST method before it reads a request body.
        final Response sameAsGet = api(httpServletRequest, httpServletResponse);
        return sameAsGet;
    }

    /**
     * Returns the data exposed for the caller's token as a JSON object with sorted keys.
     *
     * <p>Flow: resolve the caller's SSO token; answer 401 when there is none or when the
     * permission stored in the token's "am.protected.oauth2.accept" property has no identity;
     * for a POST with a declared body, parse the body as JSON and merge the result of
     * {@code Permission.setData}; merge {@code Permission.getData}; serialise the merged map.
     * When the token carries a load-balancer cookie property, it is set on the response.
     * Any {@code Throwable} raised in between is answered with 403.
     *
     * @param httpServletRequest  current request
     * @param httpServletResponse current response (not used in this method)
     * @return 200 with the JSON body, or 401 / 403 as described above
     */
    @GET
    @Path("api")
    @Consumes({"*/*"})
    @Produces({"application/json;charset=utf-8"})
    public Response api(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        // Start time; only used for the elapsed-milliseconds figure in the info log below.
        Long valueOf = Long.valueOf(System.currentTimeMillis());
        SSOToken token = Authentificate.getToken(httpServletRequest);
        if (token == null) {
            // NOTE(review): the 401 body echoes the caller's Authorization header. It is HTML-escaped,
            // but the credential still ends up in a response body that intermediaries may store;
            // consider returning a fixed message instead.
            return Response.status(401).entity(StringEscapeUtils.escapeHtml4(MessageFormat.format("Authentification required: {0}\r\n{1}", httpServletRequest.getHeader("Authorization"), Authentificate.getError(httpServletRequest)))).build();
        }
        try {
            try {
                Permission fromString = Permission.fromString(token.getProperty("am.protected.oauth2.accept"));
                AMIdentity identity = fromString.getIdentity();
                if (identity == null) {
                    // Same reflected-header caveat as the 401 above.
                    return Response.status(401).entity(StringEscapeUtils.escapeHtml4(MessageFormat.format("Authentification required: {0}\r\n{1}", httpServletRequest.getHeader("Authorization"), Authentificate.getError(httpServletRequest)))).build();
                }
                // Value of the load-balancer cookie property on the token; the cookie name comes
                // from system properties with "amlbcookie" as the default.
                String property = token.getProperty(SystemProperties.get("com.iplanet.am.lbcookie.name", "amlbcookie"));
                // TreeMap keeps the response keys in sorted order.
                TreeMap treeMap = new TreeMap();
                // Only a POST with a positive declared Content-Length is parsed; a body sent without
                // a declared length is ignored.
                if (StringUtils.equalsIgnoreCase(httpServletRequest.getMethod(), "POST") && httpServletRequest.getContentLength() > 0) {
                    ServletInputStream inputStream = httpServletRequest.getInputStream();
                    try {
                        try {
                            // Untrusted request body is bound to a plain HashMap and handed to
                            // Permission.setData. NOTE(review): no size or depth limit is applied
                            // in this method; confirm one is enforced upstream.
                            treeMap.putAll(fromString.setData((Map) mapper.readValue(inputStream, HashMap.class), httpServletRequest, identity, null));
                            inputStream.close();
                        } catch (Throwable th) {
                            inputStream.close();
                            throw th;
                        }
                    } catch (Exception e) {
                        // A body that fails to parse or apply is logged and otherwise ignored; the
                        // request continues and returns the current data.
                        logger.error("error parse  {} {}", Dump.toString(httpServletRequest), e.toString());
                        inputStream.close();
                    }
                }
                treeMap.putAll(fromString.getData(httpServletRequest, identity, null));
                // NOTE(review): the token id is written to the log at info level; anyone with log
                // access can read it. Consider logging a digest of the id instead.
                logger.info("api {} ms {}: {}", new Object[]{Long.valueOf(System.currentTimeMillis() - valueOf.longValue()), Authentificate.whois(httpServletRequest), token.getTokenID().toString()});
                Stat.api(token, fromString, treeMap.keySet());
                Response.ResponseBuilder entity = Response.status(200).entity(mapper.writeValueAsString(treeMap));
                return (StringUtils.isBlank(property) ? entity : entity.cookie(new NewCookie[]{new NewCookie(SystemProperties.get("com.iplanet.am.lbcookie.name", "amlbcookie"), property)})).build();
            } catch (Throwable th2) {
                // Every failure above becomes a 403 and the cause is not logged, so genuine faults
                // are indistinguishable from denials in the logs.
                // NOTE(review): the body embeds token.toString() without the escaping used on the
                // 401 path; what that string reveals depends on the SSOToken implementation.
                return Response.status(403).entity(MessageFormat.format("Access denied: {0}", token)).build();
            }
        } catch (Exception e2) {
            // Reached only if building the 403 response itself throws, since the inner catch
            // already handles every Throwable from the main body.
            logger.error("{} {} {}", new Object[]{token, Dump.toString(httpServletRequest), e2.toString(), e2});
            throw new WebApplicationException(e2);
        }
    }

    /**
     * Resolves the universal id that the caller's token acts for.
     *
     * <p>If the token carries an "am.protected.oauth2.accept" property, the id comes from the
     * identity of the permission parsed from it; otherwise it is the token's own
     * "sun.am.UniversalIdentifier" property.
     *
     * @param httpServletRequest current request
     * @return the universal id, or {@code null} when the fallback property is absent
     * @throws RuntimeException wrapping any failure, including a missing token or a permission
     *                          without an identity (both surface as a wrapped NullPointerException)
     */
    static String getMasterUUID(HttpServletRequest httpServletRequest) {
        try {
            String accept = Authentificate.getToken(httpServletRequest).getProperty("am.protected.oauth2.accept");
            if (accept != null) {
                return Permission.fromString(accept).getIdentity().getUniversalId();
            }
            return Authentificate.getToken(httpServletRequest).getProperty("sun.am.UniversalIdentifier");
        } catch (Throwable failure) {
            throw new RuntimeException(failure);
        }
    }

    /**
     * Maps each access-token session of an identity to the value of its
     * "am.protected.oauth2.refresh_token" property.
     *
     * <p>Ids come from {@code SessionPersistenceStore.getAccessTokens}. An id whose session cannot
     * be loaded, or whose property cannot be read, is skipped without any log entry.
     * NOTE(review): callers that revoke by iterating this map never see a skipped session;
     * confirm that a lookup failure always means the session is already gone.
     *
     * @param aMIdentity identity whose access tokens are listed
     * @return map from live session to its refresh-token property (value may be {@code null})
     */
    public static Map<Session, String> getAccessTokens(AMIdentity aMIdentity) throws SSOException, IdRepoException, CoreTokenException {
        HashMap bySession = new HashMap();
        SessionPersistenceStore store = (SessionPersistenceStore) InjectorHolder.getInstance(SessionPersistenceStore.class);
        for (Iterator ids = store.getAccessTokens(aMIdentity).iterator(); ids.hasNext(); ) {
            try {
                SessionID sessionId = new SessionID((String) ids.next());
                Session live = Session.getSession(sessionId);
                bySession.put(live, live.getProperty("am.protected.oauth2.refresh_token"));
            } catch (Exception ignored) {
                // Skipped on purpose: this entry is simply left out of the result.
            }
        }
        return bySession;
    }

    /**
     * Lists the refresh tokens of an identity, passing {@code false} as the second argument of
     * {@link #getRefreshTokens(AMIdentity, boolean)}.
     *
     * @param aMIdentity identity whose refresh tokens are listed
     * @return the refresh tokens that could be constructed
     */
    public static Set<refresh_token> getRefreshTokens(AMIdentity aMIdentity) throws SSOException, IdRepoException {
        final boolean flag = false;
        return getRefreshTokens(aMIdentity, flag);
    }

    /**
     * Builds a {@code refresh_token} object for every id returned by
     * {@code refresh_token.getTokens}.
     *
     * <p>An id whose constructor throws {@code AuthLoginException} is left out silently.
     *
     * @param aMIdentity identity whose refresh tokens are listed
     * @param z          forwarded unchanged to the {@code refresh_token} constructor; its meaning
     *                   is defined there
     * @return the refresh tokens that could be constructed
     */
    public static Set<refresh_token> getRefreshTokens(AMIdentity aMIdentity, boolean z) throws SSOException, IdRepoException {
        HashSet loaded = new HashSet();
        for (Iterator<String> uids = refresh_token.getTokens(aMIdentity).iterator(); uids.hasNext(); ) {
            try {
                loaded.add(new refresh_token(uids.next(), z));
            } catch (AuthLoginException ignored) {
                // Skipped on purpose: tokens that cannot be constructed are not reported.
            }
        }
        return loaded;
    }

    /**
     * Collects one map per active session, access token and stand-alone refresh token of the
     * identity the caller acts for.
     *
     * <p>The identity is loaded with the admin token, so the result is scoped only by
     * {@link #getMasterUUID(HttpServletRequest)}. Sessions from {@code SessionList} and the
     * sessions behind access tokens are mapped with {@code tokenMapper.mapSession}; refresh
     * tokens whose UID is not already the value of an access-token entry are mapped with
     * {@code tokenMapper.mapRefreshToken}. A mapping failure is logged at warn level and the
     * entry is dropped.
     *
     * @param httpServletRequest current request
     * @return the mapped entries, in iteration order
     */
    List<Map<String, Object>> getTokensActive(HttpServletRequest httpServletRequest) throws IdRepoException, SSOException, CoreTokenException {
        ArrayList rows = new ArrayList();
        String ownerUuid = getMasterUUID(httpServletRequest);
        SSOToken adminToken = (SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance());
        AMIdentity owner = IdUtils.getIdentity(adminToken, ownerUuid);

        // NOTE(review): addAll mutates the set returned by SessionList.getSessions; confirm that
        // call hands back a private copy.
        Set sessions = SessionList.getSessions(ownerUuid);
        Map<Session, String> accessTokens = getAccessTokens(owner);
        sessions.addAll(accessTokens.keySet());

        for (Iterator cursor = sessions.iterator(); cursor.hasNext(); ) {
            try {
                Map<String, Object> row = this.tokenMapper.mapSession((Session) cursor.next(), owner, httpServletRequest);
                if (row != null) {
                    rows.add(row);
                }
            } catch (Throwable failure) {
                logger.warn("error get property", failure);
            }
        }

        for (refresh_token candidate : getRefreshTokens(owner)) {
            // Refresh tokens already attached to an access token were covered above.
            if (accessTokens.containsValue(candidate.getUID())) {
                continue;
            }
            try {
                Map<String, Object> row = this.tokenMapper.mapRefreshToken(candidate);
                if (row != null) {
                    rows.add(row);
                }
            } catch (Throwable failure) {
                logger.warn("error get property", failure);
            }
        }
        return rows;
    }

    /**
     * Lists the caller's active sessions and tokens as JSON.
     *
     * <p>Without an authenticated token the answer is 401; otherwise the result of
     * {@link #getTokensActive(HttpServletRequest)} is serialised and the load-balancer cookie is
     * set from the caller's token.
     *
     * <p>NOTE(review): the full request parameter map is logged at info level; the 401 body echoes
     * the Authorization header (HTML-escaped); both audit events are recorded with
     * {@code ResponseStatus.SUCCESSFUL}; and the "200" audit event is published before the token
     * list is built, so a later failure still leaves a "200" record.
     *
     * @param httpServletRequest  current request
     * @param httpServletResponse current response (not used in this method)
     * @return 200 with the JSON list, or 401
     * @throws WebApplicationException wrapping any failure while building the list
     */
    @GET
    @Path("tokens")
    @Consumes({"*/*"})
    @Produces({"application/json;charset=utf-8"})
    public Response tokens(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        long startedAt = System.currentTimeMillis();
        logger.info("tokens {}: {}", Authentificate.whois(httpServletRequest), httpServletRequest.getParameterMap());

        if (Authentificate.getToken(httpServletRequest, true) == null) {
            auditEventPublisher.tryPublish("access", new AMAccessAuditEventBuilder()
                    .forHttpServletRequest(httpServletRequest)
                    .timestamp(startedAt)
                    .transactionId(AuditRequestContext.getTransactionIdValue())
                    .eventName(AuditConstants.EventName.AM_ACCESS_OUTCOME)
                    .component(AuditConstants.Component.OAUTH)
                    .userId(Authentificate.whois(httpServletRequest))
                    .response(AccessAuditEventBuilder.ResponseStatus.SUCCESSFUL, "401", System.currentTimeMillis() - startedAt, TimeUnit.MILLISECONDS)
                    .toEvent());
            String challenge = MessageFormat.format("Authentification required: {0}", httpServletRequest.getHeader("Authorization"));
            return Response.status(401).entity(StringEscapeUtils.escapeHtml4(challenge)).build();
        }

        try {
            auditEventPublisher.tryPublish("access", new AMAccessAuditEventBuilder()
                    .forHttpServletRequest(httpServletRequest)
                    .timestamp(startedAt)
                    .transactionId(AuditRequestContext.getTransactionIdValue())
                    .eventName(AuditConstants.EventName.AM_ACCESS_OUTCOME)
                    .component(AuditConstants.Component.OAUTH)
                    .userId(Authentificate.whois(httpServletRequest))
                    .response(AccessAuditEventBuilder.ResponseStatus.SUCCESSFUL, "200", System.currentTimeMillis() - startedAt, TimeUnit.MILLISECONDS)
                    .toEvent());

            String cookieName = SystemProperties.get("com.iplanet.am.lbcookie.name", "amlbcookie");
            String cookieValue = Authentificate.getToken(httpServletRequest).getProperty(SystemProperties.get("com.iplanet.am.lbcookie.name", "amlbcookie"));
            NewCookie lbCookie = new NewCookie(cookieName, cookieValue);
            String json = mapper.writeValueAsString(getTokensActive(httpServletRequest));
            return Response.status(200).cookie(new NewCookie[]{lbCookie}).entity(json).build();
        } catch (Exception failure) {
            logger.error("{} {} {}", new Object[]{Authentificate.getToken(httpServletRequest), Dump.toString(httpServletRequest), failure});
            throw new WebApplicationException(failure);
        }
    }

    /**
     * Lists the caller's active tokens plus past successful logins from {@code SessionHistory}.
     *
     * <p>Each history entry is identified in the response by the SHA-256 digest of its session id;
     * the raw session id itself is never put into the response map. Entries whose digest already
     * appears among the active tokens are not repeated, and entries without a recorded user agent
     * are skipped.
     *
     * @param httpServletRequest  current request
     * @param httpServletResponse current response (not used in this method)
     * @return 200 with the JSON list, or 401 when the caller has no authenticated token
     * @throws WebApplicationException wrapping any failure while building the list
     */
    @GET
    @Path("history")
    @Consumes({"*/*"})
    @Produces({"application/json;charset=utf-8"})
    public Response history(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        long currentTimeMillis = System.currentTimeMillis();
        // NOTE(review): the whole request parameter map goes to the info log.
        logger.info("history {}: {}", Authentificate.whois(httpServletRequest), httpServletRequest.getParameterMap());
        if (Authentificate.getToken(httpServletRequest, true) == null) {
            // NOTE(review): the audit event for this 401 is recorded with ResponseStatus.SUCCESSFUL.
            auditEventPublisher.tryPublish("access", new AMAccessAuditEventBuilder().forHttpServletRequest(httpServletRequest).timestamp(currentTimeMillis).transactionId(AuditRequestContext.getTransactionIdValue()).eventName(AuditConstants.EventName.AM_ACCESS_OUTCOME).component(AuditConstants.Component.OAUTH).realm((String) httpServletRequest.getAttribute(access_token.class.getName().concat(".realm"))).userId(Authentificate.whois(httpServletRequest)).response(AccessAuditEventBuilder.ResponseStatus.SUCCESSFUL, "401", System.currentTimeMillis() - currentTimeMillis, TimeUnit.MILLISECONDS).toEvent());
            // The body echoes the caller's Authorization header after HTML escaping.
            return Response.status(401).entity(StringEscapeUtils.escapeHtml4(MessageFormat.format("Authentification required: {0}\r\n{1}", httpServletRequest.getHeader("Authorization"), Authentificate.getError(httpServletRequest)))).build();
        }
        try {
            List<Map<String, Object>> tokensActive = getTokensActive(httpServletRequest);
            // Digests of the entries already listed as active, used to avoid duplicates below.
            HashSet hashSet = new HashSet();
            tokensActive.forEach(map -> {
                hashSet.add((String) map.get("token"));
            });
            // History is read with the admin token for the identity the caller acts for.
            Iterator it = SessionHistory.get(IdUtils.getIdentity((SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance()), getMasterUUID(httpServletRequest))).success.iterator();
            while (it.hasNext()) {
                PluginContext pluginContext = new PluginContext((ru.org.openam.auth.modules.adaptive.persistence.Session) it.next());
                if (pluginContext.getValue(UserAgent.class) != null) {
                    HashMap hashMap = new HashMap();
                    // Raw session id from the history record; used for lookups only.
                    String str = (String) pluginContext.getValue(SID.class);
                    hashMap.put("token", Hashing.sha256().hashString(str, StandardCharsets.UTF_8).toString());
                    if (!hashSet.contains((String) hashMap.get("token"))) {
                        // Defaults from the history record; replaced below when the session is
                        // still present in the session cache.
                        hashMap.put("time", new Date(((Long) pluginContext.getValue(Time.class)).longValue()));
                        hashMap.put("active", new Date(((Long) pluginContext.getValue(Time.class)).longValue()));
                        hashMap.put("isActive", false);
                        try {
                            Session session = SessionCache.getInstance().getSession(new SessionID(str), false, false);
                            hashMap.put("time", DateUtils.stringToDate(session.getProperty("authInstant")));
                            // NOTE(review): getIdleTime() is subtracted from a millisecond clock;
                            // confirm the unit it returns.
                            hashMap.put("active", new Date(System.currentTimeMillis() - session.getIdleTime()));
                            hashMap.put("isActive", true);
                        } catch (SessionException e) {
                            // Lookup failed: the entry keeps the inactive defaults set above.
                        }
                        hashMap.put("ip", pluginContext.getValue(IP.class));
                        hashMap.put("geo", Client.get((String) pluginContext.getValue(IP.class)));
                        String str2 = (String) pluginContext.getValue(client_name.class);
                        if (StringUtils.isNotBlank(str2)) {
                            hashMap.put("app", str2);
                        }
                        hashMap.put("agent", this.tokenMapper.session2agent((String) pluginContext.getValue(UserAgent.class)));
                        // Marks the entry that belongs to the session making this request.
                        if (StringUtils.equals(Authentificate.getToken(httpServletRequest).getTokenID().toString(), str)) {
                            hashMap.put("current", true);
                        }
                        tokensActive.add(hashMap);
                    }
                }
            }
            auditEventPublisher.tryPublish("access", new AMAccessAuditEventBuilder().forHttpServletRequest(httpServletRequest).timestamp(currentTimeMillis).transactionId(AuditRequestContext.getTransactionIdValue()).eventName(AuditConstants.EventName.AM_ACCESS_OUTCOME).component(AuditConstants.Component.OAUTH).realm((String) httpServletRequest.getAttribute(access_token.class.getName().concat(".realm"))).userId(Authentificate.whois(httpServletRequest)).response(AccessAuditEventBuilder.ResponseStatus.SUCCESSFUL, "200", System.currentTimeMillis() - currentTimeMillis, TimeUnit.MILLISECONDS).toEvent());
            // The load-balancer cookie is set from the caller's token property of the same name.
            return Response.status(200).cookie(new NewCookie[]{new NewCookie(SystemProperties.get("com.iplanet.am.lbcookie.name", "amlbcookie"), Authentificate.getToken(httpServletRequest).getProperty(SystemProperties.get("com.iplanet.am.lbcookie.name", "amlbcookie")))}).entity(mapper.writeValueAsString(tokensActive)).build();
        } catch (Exception e2) {
            logger.error("{} {} {}", new Object[]{Authentificate.getToken(httpServletRequest), Dump.toString(httpServletRequest), e2});
            throw new WebApplicationException(e2);
        }
    }

    /**
     * Destroys a session, treating failure as non-fatal.
     *
     * <p>The session id is logged at info level before the attempt. A {@code SessionException}
     * is reported at debug level only and is not rethrown.
     * NOTE(review): at the default log level a failed destroy is therefore invisible to
     * operators; consider raising it to warn.
     *
     * @param session session to destroy; must not be {@code null}
     */
    public static void destroy(Session session) {
        logger.info("destroy {}", session.getSessionID());
        try {
            session.destroySession(session);
        } catch (SessionException failure) {
            final String reason = failure.toString();
            logger.debug("destroy {}", reason);
        }
    }

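    /**
     * Revokes sessions, access tokens and refresh tokens of an identity.
     *
     * <p>Selection rules, as implemented below:
     * <ul>
     *   <li>No {@code token}: every session and access token of the identity except the caller's
     *       own, and every stand-alone refresh token, is destroyed.</li>
     *   <li>With {@code token}: the value is passed through {@code Crypt.decryptLocal} (falling
     *       back to the raw value when that returns {@code null}) and cut at the first ':'.
     *       A session matches on its exact id; an access token matches on its session id, the
     *       SHA-256 digest of that id, or a prefix of its refresh token or of that token's
     *       SHA-256 digest; a stand-alone refresh token matches on a prefix of its UID or of the
     *       UID's SHA-256 digest.</li>
     *   <li>{@code uuid} selects another identity and is honoured only when the caller is a
     *       super user; otherwise the answer is 403.</li>
     * </ul>
     *
     * <p>NOTE(review): this state-changing operation is mapped to GET and takes the token in the
     * query string, so the value is exposed to URL logging and the call is reachable by a plain
     * link. Prefix matching has no minimum length, so a very short value matches many of the
     * identity's tokens; consider requiring a minimum length. A value that is empty before the
     * first ':' is treated like a missing token for access and refresh tokens.
     *
     * @param str                 value of the "token" query parameter; may be {@code null}
     * @param str2                value of the "uuid" query parameter; lower-cased before use
     * @param httpServletRequest  current request
     * @param httpServletResponse current response; when {@code null} the authentication and
     *                            super-user checks are skipped
     * @return {@code null} on success, or a 401 / 403 response
     * @throws WebApplicationException wrapping any failure during revocation
     */
    @GET
    @Produces({"text/html"})
    @Path("revoke")
    public Response revoke(@QueryParam("token") String str, @QueryParam("uuid") String str2, @Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        long currentTimeMillis = System.currentTimeMillis();
        String lowerCase = StringUtils.lowerCase(str2);
        // NOTE(review): the raw token parameter is logged here as received.
        logger.info("revoke {}: {} {}", new Object[]{Authentificate.whois(httpServletRequest), str, lowerCase});
        if (Authentificate.getToken(httpServletRequest, true) == null && httpServletResponse != null) {
            auditEventPublisher.tryPublish("access", new AMAccessAuditEventBuilder().forHttpServletRequest(httpServletRequest).timestamp(currentTimeMillis).transactionId(AuditRequestContext.getTransactionIdValue()).eventName(AuditConstants.EventName.AM_ACCESS_OUTCOME).component(AuditConstants.Component.OAUTH).userId(Authentificate.whois(httpServletRequest)).response(AccessAuditEventBuilder.ResponseStatus.SUCCESSFUL, "401", System.currentTimeMillis() - currentTimeMillis, TimeUnit.MILLISECONDS).toEvent());
            return Response.status(401).entity(StringEscapeUtils.escapeHtml4(MessageFormat.format("Authentification required: {0}\r\n{1}", httpServletRequest.getHeader("Authorization"), Authentificate.getError(httpServletRequest)))).build();
        }
        String str3 = null;
        if (StringUtils.isNotBlank(str)) {
            str3 = Crypt.decryptLocal(str);
            // Record only whether decryption produced a value: writing the decrypted selector to
            // the log would expose in clear text what the caller sent encrypted.
            logger.info("revoke token parameter decrypted: {}", Boolean.valueOf(str3 != null));
        }
        if (str3 == null) {
            str3 = str;
        }
        if (str3 != null) {
            // Keep the part before the first ':'. NOTE(review): a value made only of ':' yields an
            // empty array and throws ArrayIndexOutOfBoundsException, outside the try below.
            str3 = str3.split(":")[0];
        }
        try {
            SSOToken sSOToken = (SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance());
            if (StringUtils.isBlank(lowerCase)) {
                lowerCase = getMasterUUID(httpServletRequest);
            } else if (httpServletResponse != null && !((SessionService) InjectorHolder.getInstance(SessionService.class)).isSuperUser(getMasterUUID(httpServletRequest))) {
                // The audit record now carries the status actually returned (403, previously "401").
                // NOTE(review): it is still recorded as ResponseStatus.SUCCESSFUL, like the other
                // denials in this class.
                auditEventPublisher.tryPublish("access", new AMAccessAuditEventBuilder().forHttpServletRequest(httpServletRequest).timestamp(currentTimeMillis).transactionId(AuditRequestContext.getTransactionIdValue()).eventName(AuditConstants.EventName.AM_ACCESS_OUTCOME).component(AuditConstants.Component.OAUTH).userId(StringUtils.isBlank(lowerCase) ? Authentificate.whois(httpServletRequest) : Authentificate.whois(httpServletRequest) + ": " + lowerCase).response(AccessAuditEventBuilder.ResponseStatus.SUCCESSFUL, "403", System.currentTimeMillis() - currentTimeMillis, TimeUnit.MILLISECONDS).toEvent());
                return Response.status(403).entity(StringEscapeUtils.escapeHtml4(MessageFormat.format("Authentification required: {0}\r\n{1}", httpServletRequest.getHeader("Authorization"), Authentificate.getError(httpServletRequest)))).build();
            }
            AMIdentity identity = IdUtils.getIdentity(sSOToken, lowerCase);
            // Plain sessions: all but the caller's own when no token was given, else the exact id.
            for (Session session : SessionList.getSessions(lowerCase)) {
                if ((StringUtils.isBlank(str) && (Authentificate.getToken(httpServletRequest) == null || !StringUtils.equals(Authentificate.getToken(httpServletRequest).getTokenID().toString(), session.getID().toString()))) || (!StringUtils.isBlank(str) && StringUtils.equals(str3, session.getID().toString()))) {
                    destroy(session);
                }
            }
            // Access tokens: matched on session id, its digest, or a refresh-token prefix or
            // digest prefix; the attached refresh token is destroyed together with the session.
            Map<Session, String> accessTokens = getAccessTokens(identity);
            for (Map.Entry<Session, String> entry : accessTokens.entrySet()) {
                Session key = entry.getKey();
                if ((StringUtils.isBlank(str3) && (Authentificate.getToken(httpServletRequest) == null || !StringUtils.equals(Authentificate.getToken(httpServletRequest).getTokenID().toString(), key.getID().toString()))) || ((!StringUtils.isBlank(str3) && StringUtils.equals(str3, key.getID().toString())) || ((!StringUtils.isBlank(str3) && StringUtils.equals(str3, Hashing.sha256().hashString(key.getID().toString(), StandardCharsets.UTF_8).toString())) || ((!StringUtils.isBlank(str3) && StringUtils.startsWith(entry.getValue(), str3)) || (!StringUtils.isBlank(str3) && !StringUtils.isBlank(entry.getValue()) && StringUtils.startsWith(Hashing.sha256().hashString(entry.getValue(), StandardCharsets.UTF_8).toString(), str3)))))) {
                    destroy(key);
                    try {
                        new refresh_token(entry.getValue()).destroy(httpServletRequest);
                    } catch (Throwable th) {
                        // Still best effort, but a refresh token that survives a revoke request
                        // must be visible to operators.
                        logger.warn("revoke: refresh token destroy failed: {}", th.toString());
                    }
                }
            }
            // Refresh tokens that are not attached to any access token handled above.
            for (refresh_token refresh_tokenVar : getRefreshTokens(identity)) {
                if (!accessTokens.containsValue(refresh_tokenVar.getUID())) {
                    if (StringUtils.isBlank(str3) || StringUtils.startsWith(refresh_tokenVar.getUID(), str3) || StringUtils.startsWith(Hashing.sha256().hashString(refresh_tokenVar.getUID().toString(), StandardCharsets.UTF_8).toString(), str3)) {
                        try {
                            new refresh_token(refresh_tokenVar.getUID()).destroy(httpServletRequest);
                        } catch (Throwable th2) {
                            logger.warn("revoke: refresh token destroy failed: {}", th2.toString());
                        }
                    }
                }
            }
            auditEventPublisher.tryPublish("access", new AMAccessAuditEventBuilder().forHttpServletRequest(httpServletRequest).timestamp(currentTimeMillis).transactionId(AuditRequestContext.getTransactionIdValue()).eventName(AuditConstants.EventName.AM_ACCESS_OUTCOME).component(AuditConstants.Component.OAUTH).userId(StringUtils.isBlank(lowerCase) ? Authentificate.whois(httpServletRequest) : Authentificate.whois(httpServletRequest) + ": " + lowerCase).response(AccessAuditEventBuilder.ResponseStatus.SUCCESSFUL, "200", System.currentTimeMillis() - currentTimeMillis, TimeUnit.MILLISECONDS).toEvent());
            // A null return is this method's success result.
            return null;
        } catch (Exception e) {
            logger.error("{} {} {}", new Object[]{Authentificate.getToken(httpServletRequest), Dump.toString(httpServletRequest), e});
            throw new WebApplicationException(e);
        }
    }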

    // Class-wide state: accepted version and acr value sets, key provider, audit publisher,
    // a bounded cache and the JSON mapper shared by the endpoints of this class.
    static {
        // NOTE(review): both values are written to the info log at class load; confirm that
        // neither can carry embedded credentials.
        logger.info("service$auth={} service$token={}", service$auth, service$token);
        // Fixed sets of string constants; how they are checked is defined where they are read.
        version = new HashSet(Arrays.asList("mc_v1.1", "mc_di_r2_v2.3"));
        acr_values = new HashSet(Arrays.asList("2", "3", "4"));
        kp = new AMKeyProvider();
        auditEventPublisher = (AuditEventPublisher) InjectorHolder.getInstance(Key.get(AuditEventPublisher.class));
        // At most 64000 entries, each dropped 15 minutes after it was written.
        // NOTE(review): presumably caches access-token lookups, in which case a revoked token
        // could stay usable for up to 15 minutes unless revocation also evicts it; confirm
        // against the code that reads this cache.
        accesstoken_cache = CacheBuilder.newBuilder().maximumSize(64000L).expireAfterWrite(15L, TimeUnit.MINUTES).build();
        mapper = new ObjectMapper() { // from class: ru.org.openam.oauth.v2.jaxrs.OAuth2.4
            private static final long serialVersionUID = 1;

            {
                registerModule(new JodaModule());
                // Dates are written as formatted text in the JVM default time zone, not as
                // numeric timestamps.
                configure(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS, false);
                setTimeZone(TimeZone.getDefault());
                setDateFormat(new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ"));
                // Two successive calls to the same setter; presumably only the second
                // (NON_EMPTY) remains in effect.
                setSerializationInclusion(JsonInclude.Include.NON_NULL);
                setSerializationInclusion(JsonInclude.Include.NON_EMPTY);
                // Auto-detection of is-getters, getters and setters is switched off.
                configure(MapperFeature.AUTO_DETECT_IS_GETTERS, false);
                configure(MapperFeature.AUTO_DETECT_GETTERS, false);
                configure(MapperFeature.AUTO_DETECT_SETTERS, false);
            }
        };
    }
}
