package ru.org.openam.oauth.v2.data;

import com.iplanet.am.sdk.AMHashMap;
import com.iplanet.am.util.SystemProperties;
import com.iplanet.dpro.session.Session;
import com.iplanet.dpro.session.SessionID;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.AuthContext;
import com.sun.identity.authentication.server.AuthContextLocal;
import com.sun.identity.authentication.service.AuthD;
import com.sun.identity.authentication.service.AuthUtils;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.spi.InvalidPasswordException;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.AMIdentityRepository;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdSearchControl;
import com.sun.identity.idm.IdSearchOpModifier;
import com.sun.identity.idm.IdSearchResults;
import com.sun.identity.idm.IdType;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.shared.datastruct.CollectionHelper;
import com.sun.identity.shared.datastruct.ValueNotFoundException;
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;
import java.util.TreeMap;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.StringUtils;
import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.openam.core.realms.Realm;
import org.forgerock.openam.core.realms.RealmLookup;
import org.forgerock.openam.cts.exceptions.CoreTokenException;
import org.forgerock.openam.session.service.access.persistence.SessionPersistenceStore;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import ru.org.openam.auth.modules.OAuth2Token;
import ru.org.openam.auth.modules.exception.invalid_request;
import ru.org.openam.auth.modules.exception.token.invalid_client;
import ru.org.openam.auth.modules.exception.token.invalid_grant;
import ru.org.openam.idm.User;
import ru.org.openam.oauth.v2.ext.OAuth2Extension;
import ru.org.openam.oauth.v2.ext.OAuth2ExtensionHolder;

/* loaded from: input_file:ru/org/openam/oauth/v2/data/refresh_token.class */
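/**
 * Refresh token backed by a {@link IdType#USER} identity in the OpenAM identity repository.
 *
 * <p>Persisted attributes (written by the issuing constructor):
 * <ul>
 *   <li>{@code cn} – the 128-char lowercase alphanumeric token value;</li>
 *   <li>{@code uid} – {@code token + "%" + permission.aud}; the identity is created under this name;</li>
 *   <li>{@code manager} – universal id of the owning user;</li>
 *   <li>the permission attribute (module option {@code ru.org.openam.auth.modules.OAuth2Token.attribute},
 *       default {@code p}) – {@code Permission.toString()};</li>
 *   <li>{@code userPassword} – a random 64-char alphanumeric secret.</li>
 * </ul>
 *
 * <p>The client receives either {@code token} or {@code token:password} (see {@link #toClient()}) and later
 * presents it together with the audience. The token half resolves the identity; the password half, when
 * present, is verified either directly against the IdRepo or through the realm's authentication chain.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The identity name <em>is</em> the token, so every log line that prints a universal id or the
 *       search string exposes the token half; the password half is never logged.</li>
 *   <li>The audience supplied by the caller is concatenated into the IdRepo search pattern unescaped; if it
 *       can carry search wildcards, a token issued to one client could be resolved under another. Confirm
 *       that callers validate {@code client_id} before it reaches this class.</li>
 *   <li>Failures while looking up the owner account are logged and tolerated (fail-open); see
 *       {@link #get_refresh_token(String, boolean)}.</li>
 * </ul>
 */
public class refresh_token {
    /** Login module that issued or is validating this token; {@code null} for admin-side lookups in realm {@code /oauth}. */
    OAuth2Token lm;
    /** Backing USER identity; {@code null} before lookup, and may be nulled after a failed password check. */
    AMIdentity identity;
    /** Token half: 128 lowercase alphanumeric chars, also the identity's {@code cn}. */
    private String token;
    /** Password half: 64 alphanumeric chars stored as {@code userPassword}; sent to the client only in password mode. */
    private String password;
    /** Parsed permission attribute; loaded lazily by {@link #getPermission()}. */
    Permission permission;
    public static Logger logger = LoggerFactory.getLogger(refresh_token.class);
    /** Shared CSPRNG for token and password generation. */
    static final SecureRandom random = new SecureRandom();

    /** Why a token is being destroyed; handed to the {@link OAuth2Extension} hook. */
    public enum DestroyReason {
        ISSUE_NEW,
        REVOKE,
        LIMIT_REACHED
    }

    /** Identity name (the token) is the key; null-safe so an instance whose identity was cleared does not NPE. */
    @Override
    public int hashCode() {
        return Objects.hashCode(uidOrNull());
    }

    @Override
    public boolean equals(Object obj) {
        return (obj instanceof refresh_token) && Objects.equals(uidOrNull(), ((refresh_token) obj).uidOrNull());
    }

    /** Identity name, or {@code null} when no identity is attached. */
    private String uidOrNull() {
        return this.identity == null ? null : this.identity.getName();
    }

    /**
     * Issues a new refresh token for {@code permission} and persists it as a USER identity in the
     * module's request realm.
     *
     * @param oAuth2Token the issuing login module (supplies the realm and the permission attribute name)
     * @param permission  grant being persisted; its {@code p} flag is overwritten with the current password mode
     * @throws RuntimeException wrapping any IdRepo failure while creating the identity
     */
    public refresh_token(OAuth2Token oAuth2Token, Permission permission) {
        this.token = null;
        this.password = null;
        this.lm = oAuth2Token;
        this.permission = permission;
        // Password mode is decided at issue time from a system property and persisted inside the
        // serialized permission, so validation later enforces the mode that was active at issue.
        permission.p = Boolean.valueOf(SystemProperties.getAsBoolean("ru.org.openam.oauth.v2.data.refresh_token.password", true));
        // Locale.ROOT: default-locale toLowerCase() maps 'I' to dotless 'ı' under a Turkish locale, which the
        // [a-zA-Z0-9] format check in get_refresh_token would then reject.
        this.token = RandomStringUtils.random(128, 0, 0, true, true, (char[]) null, random).toLowerCase(Locale.ROOT);
        AMHashMap attrs = new AMHashMap(5);
        attrs.put("cn", new HashSet(Arrays.asList(this.token)));
        attrs.put("uid", new HashSet(Arrays.asList(this.token.concat("%").concat(permission.aud))));
        attrs.put("manager", new HashSet(Arrays.asList(permission.getIdentity().getUniversalId())));
        attrs.put(CollectionHelper.getMapAttr(oAuth2Token.options, "ru.org.openam.auth.modules.OAuth2Token.attribute", "p"), new HashSet(Arrays.asList(permission.toString())));
        this.password = RandomStringUtils.random(64, 0, 0, true, true, (char[]) null, random);
        attrs.put("userPassword", new HashSet(Arrays.asList(this.password)));
        try {
            this.identity = oAuth2Token.getAMIdentityRepository(oAuth2Token.getRequestOrg()).createIdentity(IdType.USER, this.token.concat("%").concat(permission.aud), attrs);
            // NOTE: the universal id contains the token value.
            logger.info("create {} for {}", this.identity.getUniversalId(), permission.sub());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Rotates the password half: generates a new 64-char secret and stores it as {@code userPassword}.
     *
     * @throws RuntimeException wrapping any IdRepo failure
     */
    public void updatePassword() {
        this.password = RandomStringUtils.random(64, 0, 0, true, true, (char[]) null, random);
        AMHashMap attrs = new AMHashMap(1);
        attrs.put("userPassword", new HashSet(Arrays.asList(this.password)));
        try {
            this.identity.setAttributes(attrs);
            this.identity.store();
            logger.info("update password {} for {}", this.identity.getUniversalId(), this.permission.sub());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Resolves and validates a client-presented refresh token; see {@link #get_refresh_token(OAuth2Token, String, String)}.
     *
     * @param oAuth2Token the validating login module
     * @param str         client-presented value, {@code token} or {@code token:password}
     * @param str2        audience (client) the token was issued to
     * @throws AuthLoginException when the value is malformed or the token is rejected
     */
    public refresh_token(OAuth2Token oAuth2Token, String str, String str2) throws AuthLoginException {
        this.token = null;
        this.password = null;
        this.lm = oAuth2Token;
        get_refresh_token(oAuth2Token, str, str2);
    }

    /**
     * Parses the client-presented value {@code token[:password]}, resolves the identity named
     * {@code token + "%" + str2} and, when a password half is present, verifies it.
     *
     * @param oAuth2Token the validating login module
     * @param str         client-presented value, {@code token} or {@code token:password}
     * @param str2        audience (client) the token was issued to; appended after {@code %} to form the uid
     * @throws invalid_request   when {@code str} is blank or does not match {@code [a-zA-Z0-9]+(:[a-zA-Z0-9]+)?}
     * @throws AuthLoginException (typically {@link invalid_grant}) when the token is unknown, revoked, expired,
     *                            blocked, or the password check fails / is missing in password mode
     */
    public void get_refresh_token(OAuth2Token oAuth2Token, String str, String str2) throws AuthLoginException {
        if (StringUtils.isBlank(str)) {
            throw new invalid_request(oAuth2Token, "refresh_token missing");
        }
        // Strict format check before the value is used as an IdRepo search pattern.
        if (!str.matches("^[a-zA-Z0-9]+(:[a-zA-Z0-9]+){0,1}$")) {
            throw new invalid_request(oAuth2Token, "refresh_token invalid format");
        }
        String[] parts = str.split(":");
        this.token = parts[0];
        String passwordHalf = parts.length > 1 ? parts[1] : null;
        get_refresh_token_with_password(oAuth2Token, parts[0].concat("%").concat(str2), passwordHalf);
    }

    /**
     * Resolves the identity named {@code str} and, when {@code str2} is given, authenticates it with that
     * password. Any failure during the password check is reported as a generic
     * {@code invalid_grant} so that no detail about the stored secret leaks to the client.
     *
     * @param oAuth2Token the validating login module
     * @param str         identity name ({@code token%aud})
     * @param str2        password half, or {@code null}/blank when the client sent none
     * @throws invalid_grant when the password is required (permission {@code p}) but missing or wrong,
     *                       or when the authentication chain fails or loops
     */
    private void get_refresh_token_with_password(OAuth2Token oAuth2Token, String str, String str2) throws AuthLoginException {
        // Resolve and policy-check the token first; this throws invalid_grant for unknown, expired,
        // blocked or orphaned tokens.
        get_refresh_token(str);
        boolean authenticated = false;
        if (!StringUtils.isBlank(str2)) {
            try {
                final String requestOrg = oAuth2Token.getRequestOrg();
                Realm realm = ((RealmLookup) InjectorHolder.getInstance(RealmLookup.class)).lookup(requestOrg);
                if ("oauth2token".equals(AuthD.getAuth().getOrgConfiguredAuthenticationChain(realm.asDN()))) {
                    // Realm chain is the dedicated oauth2token chain: verify directly against the IdRepo.
                    Callback[] callbacks = {new NameCallback("login"), new PasswordCallback("password", false)};
                    ((NameCallback) callbacks[0]).setName(str);
                    ((PasswordCallback) callbacks[1]).setPassword(str2.toCharArray());
                    authenticated = getAMIdentityRepository().authenticate(IdType.USER, callbacks);
                } else {
                    authenticated = authenticateViaChain(oAuth2Token, requestOrg, realm, str, str2);
                }
            } catch (invalid_grant e) {
                // Already a client-facing verdict (auth loop, destroyed by temporary lock): pass through.
                // This catch must precede the generic one below.
                throw e;
            } catch (Exception e) {
                // Deliberately generic toward the client; keep the cause for operators at debug level.
                logger.debug("refresh_token authentication failed", e);
                throw new invalid_grant(oAuth2Token, "refresh_token authentification invalid");
            }
        }
        // NOTE(review): when the permission was issued without password mode (p == false), a wrong
        // password is ignored rather than rejected — the token alone is the credential in that mode.
        if (!authenticated && getPermission().p.booleanValue()) {
            throw new invalid_grant(oAuth2Token, "refresh_token password required");
        }
    }

    /**
     * Runs the realm's configured authentication chain with {@code str}/{@code str2} as login and password,
     * feeding the first NameCallback/PasswordCallback pair it is offered.
     *
     * <p>Declared {@code throws Exception} because the chain surfaces several unrelated checked exception
     * types; the caller maps everything except {@link invalid_grant} to a generic {@code invalid_grant}.
     *
     * @return {@code true} when the chain reports {@link AuthContext.Status#SUCCESS}
     * @throws invalid_grant when the chain keeps asking for callbacks (more than 11 rounds), or when a wrong
     *                       password temporarily locked the token identity and the module option
     *                       {@code ru.org.openam.auth.modules.OAuth2Token.refresh_token.temporarylock.destroy} is set
     */
    private boolean authenticateViaChain(OAuth2Token oAuth2Token, final String requestOrg, Realm realm, String str, String str2) throws Exception {
        final AuthContextLocal authContext = AuthUtils.getAuthContext(realm.asDN());
        authContext.getLoginState().setHttpServletRequest(new HttpServletRequestWrapper(oAuth2Token.getHttpServletRequest()) {
            // Ask the chain not to create a persistent session for this check.
            public Object getAttribute(String name) {
                return "org.forgerock.openam.auth.noSession".equals(name) ? "true" : super.getAttribute(name);
            }

            // Present the request realm as the server name so realm resolution follows the module's realm.
            public String getServerName() {
                return requestOrg == null ? super.getServerName() : requestOrg;
            }
        });
        authContext.login();
        int rounds = 0;
        while (authContext.getStatus() == AuthContext.Status.IN_PROGRESS && authContext.hasMoreRequirements()) {
            // Bound the callback round-trips so a mis-configured chain cannot spin forever.
            if (rounds++ > 10) {
                logger.error("login: auth attempts exceeded");
                throw new invalid_grant(oAuth2Token, "refresh_token auth loop config");
            }
            Callback[] requirements = authContext.getRequirements(false);
            if (requirements.length >= 2 && (requirements[0] instanceof NameCallback) && (requirements[1] instanceof PasswordCallback)) {
                ((NameCallback) requirements[0]).setName(str);
                ((PasswordCallback) requirements[1]).setPassword(str2.toCharArray());
                authContext.getLoginState().getSession().putProperty("am.protected.sfo.disable", "1");
                authContext.submitRequirements(requirements);
                break;
            }
            // Unrecognised callbacks are submitted untouched to let the chain advance.
            authContext.submitRequirements(requirements);
        }
        if (authContext.getStatus() == AuthContext.Status.SUCCESS) {
            if (authContext.getSSOToken() != null) {
                // The chain produced a throw-away session; log it out off the request thread.
                new Thread() {
                    @Override
                    public void run() {
                        setPriority(Thread.MIN_PRIORITY);
                        try {
                            authContext.logout();
                        } catch (AuthLoginException e) {
                            refresh_token.logger.warn("authContext.logout()", e);
                        }
                    }
                }.start();
            }
            return true;
        }
        if (authContext.getStatus() == AuthContext.Status.FAILED
                && (authContext.getLoginException() instanceof InvalidPasswordException)
                && CollectionHelper.getBooleanMapAttr(oAuth2Token.options, "ru.org.openam.auth.modules.OAuth2Token.refresh_token.temporarylock.destroy", false)) {
            if (this.identity != null && this.identity.isExists() && isTemporaryLocked(this.identity)) {
                logger.info("destroy refresh token {} by temporary lock: {}", str, getPermission().getIdentity().getUniversalId());
                destroy(authContext.getLoginState().getHttpServletRequest()); // always throws invalid_grant
            }
            this.identity = null;
        }
        return false;
    }

    /**
     * Admin-side lookup (realm {@code /oauth}) of an existing token by identity name, with the active/locked checks.
     *
     * @param str identity name ({@code token%aud})
     * @throws AuthLoginException when the token is rejected
     */
    public refresh_token(String str) throws AuthLoginException {
        this.token = null;
        this.password = null;
        get_refresh_token(str, true);
    }

    /**
     * Admin-side lookup (realm {@code /oauth}) of an existing token by identity name.
     *
     * @param str identity name ({@code token%aud})
     * @param z   whether to enforce the active/temporarily-locked checks on token and owner
     * @throws AuthLoginException when the token is rejected
     */
    public refresh_token(String str, boolean z) throws AuthLoginException {
        this.token = null;
        this.password = null;
        get_refresh_token(str, z);
    }

    /** Same as {@link #get_refresh_token(String, boolean)} with the active/locked checks enabled. */
    public void get_refresh_token(String str) throws AuthLoginException {
        get_refresh_token(str, true);
    }

    /**
     * Resolves the identity named {@code str} and applies the token policy:
     * <ol>
     *   <li>exactly one identity must match, else {@code invalid_grant};</li>
     *   <li>a missing or unparsable permission attribute, a missing owner, or expiry by
     *       {@code ru.org.openam.auth.modules.OAuth2Auth.refresh_token.validity} /
     *       {@code ru.org.openam.auth.modules.OAuth2Token.refresh_token.validity} (minutes since {@code permission.ac})
     *       destroys the token, which throws {@code invalid_grant};</li>
     *   <li>when {@code z} is set, an inactive or temporarily locked token identity or owner is rejected.</li>
     * </ol>
     *
     * <p>Exceptions while reading the owner identity are logged and otherwise ignored, i.e. the owner checks
     * fail open.
     *
     * @param str identity name used as the IdRepo search pattern ({@code token%aud})
     * @param z   whether to enforce the active/temporarily-locked checks
     * @throws invalid_grant      when the token is rejected
     * @throws RuntimeException   wrapping SSO/IdRepo failures of the search itself
     */
    public void get_refresh_token(String str, boolean z) throws AuthLoginException {
        IdSearchControl control = new IdSearchControl();
        control.setAllReturnAttributes(false);
        // Two results suffice to detect ambiguity without fetching more.
        control.setMaxResults(2);
        try {
            IdSearchResults found = getAMIdentityRepository().searchIdentities(IdType.USER, str, control);
            Set results = found.getSearchResults();
            if (results.size() == 0) {
                // NOTE: str contains the token value.
                logger.warn("token not found {}", str);
                throw new invalid_grant(this.lm, "refresh_token revoked");
            }
            if (results.size() > 1) {
                logger.warn("multiply token found {}", str);
                throw new invalid_grant(this.lm, "refresh_token revoked: multiply account");
            }
            this.identity = (AMIdentity) results.iterator().next();
            if (getPermission() == null) {
                logger.info("destroy refresh token {} by empty permission data", this.identity.getUniversalId());
                destroy(null); // always throws invalid_grant
            }
            try {
                if (getPermission().getIdentity() == null || !getPermission().getIdentity().isExists()) {
                    logger.info("destroy refresh token {} owner not found {}", this.identity.getUniversalId(), getPermission().sub);
                    destroy(null); // always throws invalid_grant
                }
            } catch (SSOException | IdRepoException e) {
                // Fail-open: the owner could not be read, the token stays usable. Consider failing closed.
                logger.debug("owner lookup failed for {}", this.identity.getUniversalId(), e);
            }
            try {
                int validity = Integer.valueOf(CollectionHelper.getIntMapAttrThrows(this.permission.getOAuth2AuthOptions(), "ru.org.openam.auth.modules.OAuth2Auth.refresh_token.validity")).intValue();
                if (olderThanMinutes(getPermission().ac.longValue(), validity)) {
                    logger.info("destroy refresh_token {} as expired from {} by oauth2auth setting", this.identity.getUniversalId(), new Date(getPermission().ac.longValue()));
                    destroy(null); // always throws invalid_grant
                }
            } catch (ValueNotFoundException e2) {
                // No OAuth2Auth validity configured: this setting does not expire the token.
            }
            if (this.lm != null) {
                try {
                    int validity = Integer.valueOf(CollectionHelper.getIntMapAttrThrows(this.lm.options, "ru.org.openam.auth.modules.OAuth2Token.refresh_token.validity")).intValue();
                    if (olderThanMinutes(getPermission().ac.longValue(), validity)) {
                        logger.info("destroy refresh_token {} as expired from {} by oauth2token setting", this.identity.getUniversalId(), new Date(getPermission().ac.longValue()));
                        destroy(null); // always throws invalid_grant
                    }
                } catch (ValueNotFoundException e3) {
                    // No OAuth2Token validity configured: this setting does not expire the token.
                }
            }
            if (z) {
                if (!this.identity.isActive() || isTemporaryLocked(this.identity)) {
                    logger.info("refresh token {} is isActive==false", this.identity.getUniversalId());
                    throw new invalid_grant(this.lm, "refresh_token suspended: token blocked");
                }
                try {
                    if (!getPermission().getIdentity().isActive() || isTemporaryLocked(getPermission().getIdentity())) {
                        logger.info("refresh token {} is getIdentity().isActive()==false", this.identity.getUniversalId());
                        throw new invalid_grant(this.lm, "refresh_token suspended: account blocked");
                    }
                } catch (SSOException | IdRepoException e4) {
                    // Fail-open: owner status could not be read; the invalid_grant above is not caught here.
                    logger.debug("owner status check failed for {}", this.identity.getUniversalId(), e4);
                }
            }
        } catch (SSOException | IdRepoException e5) {
            throw new RuntimeException((Throwable) e5);
        }
    }

    /**
     * True when {@code issuedAtMillis} lies more than {@code minutes} in the past; a non-positive
     * {@code minutes} disables the check.
     */
    private static boolean olderThanMinutes(long issuedAtMillis, int minutes) {
        // long arithmetic: 60000 * minutes overflows int above 35791 minutes (~24.8 days), and the resulting
        // negative bound would have expired every token immediately.
        return minutes > 0 && System.currentTimeMillis() - issuedAtMillis > 60000L * minutes;
    }

    /** Temporary-lock state as computed by the project's {@link User} wrapper. */
    private boolean isTemporaryLocked(AMIdentity aMIdentity) {
        return new User(aMIdentity).isTemporaryLocked();
    }

    /**
     * Revokes this token: notifies the extension hook, deletes the identity, destroys every session returned
     * by {@code SessionPersistenceStore.getAccessTokens(owner)} whose {@code am.protected.oauth2.refresh_token}
     * property equals this token's name, and finally throws {@code invalid_grant("refresh_token revoked")}.
     * This method never returns normally.
     *
     * @param destroyReason      reason passed to the extension hook
     * @param httpServletRequest originating request, or {@code null}
     * @throws invalid_grant    always, once the identity has been deleted
     * @throws RuntimeException wrapping SSO/IdRepo failures before that point
     */
    public void destroy(DestroyReason destroyReason, HttpServletRequest httpServletRequest) throws invalid_grant, AuthLoginException {
        try {
            logger.info("destroy refresh_token {}", this.identity.getUniversalId());
            OAuth2Extension extension = OAuth2ExtensionHolder.getExtenstion();
            if (extension != null) {
                extension.refreshTokenOnDestroy(this, destroyReason, httpServletRequest);
            }
            getAMIdentityRepository().deleteIdentities(new HashSet(Arrays.asList(this.identity)));
            String ownerDn = getPermission().dn;
            if (StringUtils.isNotBlank(ownerDn)) {
                try {
                    SSOToken adminToken = (SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance());
                    SessionPersistenceStore store = (SessionPersistenceStore) InjectorHolder.getInstance(SessionPersistenceStore.class);
                    for (String sessionId : store.getAccessTokens(IdUtils.getIdentity(adminToken, ownerDn))) {
                        try {
                            Session session = Session.getSession(new SessionID(sessionId));
                            // Only access tokens minted from this refresh token are revoked.
                            if (this.identity.getName().equals(session.getProperty("am.protected.oauth2.refresh_token"))) {
                                logger.warn("destroy access_token {} {}", this.identity.getUniversalId(), sessionId);
                                session.destroySession(session);
                            }
                        } catch (Exception e) {
                            // Best effort per session: an unreadable or already-gone session must not stop the sweep.
                            logger.debug("destroy access_token {} skipped: {}", sessionId, e.getMessage());
                        }
                    }
                } catch (IdRepoException | CoreTokenException e2) {
                    logger.warn("destroy access_tokens {}: {}", ownerDn, e2.getMessage());
                }
            }
            throw new invalid_grant(this.lm, "refresh_token revoked");
        } catch (SSOException | IdRepoException e3) {
            throw new RuntimeException((Throwable) e3);
        }
    }

    /** {@link #destroy(DestroyReason, HttpServletRequest)} with reason {@link DestroyReason#REVOKE}; never returns normally. */
    public void destroy(HttpServletRequest httpServletRequest) throws invalid_grant, AuthLoginException {
        destroy(DestroyReason.REVOKE, httpServletRequest);
    }

    /** Repository of the module's request realm, or the admin-token repository of realm {@code /oauth} without a module. */
    AMIdentityRepository getAMIdentityRepository() throws SSOException, IdRepoException {
        if (this.lm == null) {
            SSOToken adminToken = (SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance());
            return new AMIdentityRepository(adminToken, "/oauth");
        }
        return this.lm.getAMIdentityRepository(this.lm.getRequestOrg());
    }

    /** Name of the attribute holding the serialized permission: the module option, or {@code p} without a module. */
    String getPermissionField() {
        if (this.lm == null) {
            return "p";
        }
        return CollectionHelper.getMapAttr(this.lm.options, "ru.org.openam.auth.modules.OAuth2Token.attribute", "p");
    }

    /**
     * Lazily loads and parses the permission attribute.
     *
     * @return the permission, or {@code null} when the attribute is absent
     * @throws invalid_grant    (via {@link #destroy(HttpServletRequest)}) when the attribute cannot be parsed
     * @throws RuntimeException wrapping SSO/IdRepo failures
     */
    public Permission getPermission() throws invalid_client, AuthLoginException {
        if (this.permission == null) {
            try {
                Set values = this.identity.getAttribute(getPermissionField());
                if (values.isEmpty()) {
                    return null;
                }
                String serialized = ((String) values.iterator().next()).toString();
                try {
                    this.permission = Permission.fromString(serialized);
                } catch (IOException e) {
                    logger.warn("error parse permission {} {}", new Object[]{this.identity.getUniversalId(), serialized, e});
                    destroy(null); // always throws invalid_grant
                }
            } catch (SSOException | IdRepoException e2) {
                throw new RuntimeException((Throwable) e2);
            }
        }
        return this.permission;
    }

    /**
     * Writes the in-memory permission back to the identity's permission attribute.
     *
     * @throws RuntimeException wrapping SSO/IdRepo failures
     */
    public void save() {
        AMHashMap attrs = new AMHashMap(1);
        attrs.put(getPermissionField(), new HashSet(Arrays.asList(this.permission.toString())));
        try {
            this.identity.setAttributes(attrs);
            this.identity.store();
        } catch (SSOException | IdRepoException e) {
            throw new RuntimeException((Throwable) e);
        }
    }

    /** Token half only: the identity name with the {@code %aud} suffix stripped. */
    @Override
    public String toString() {
        return getUID().replaceFirst("(.*)%.*", "$1");
    }

    /**
     * Value handed to the client: {@code token:password} in password mode, else {@code token}.
     *
     * <p>NOTE(review): this re-reads the system property instead of the persisted {@code permission.p};
     * the two agree as long as the property does not change between issue and delivery.
     */
    public String toClient() {
        boolean passwordMode = SystemProperties.getAsBoolean("ru.org.openam.oauth.v2.data.refresh_token.password", true);
        return passwordMode ? this.token + ":" + this.password : this.token;
    }

    /** Identity name, i.e. {@code token%aud}. */
    public String getUID() {
        return this.identity.getName();
    }

    public AMIdentity getIdentity() {
        return this.identity;
    }

    /**
     * Names (token values) of every refresh-token identity in realm {@code /oauth} whose {@code manager}
     * is {@code aMIdentity}, capped at 64000 results.
     *
     * @throws RuntimeException wrapping SSO/IdRepo failures
     */
    public static Set<String> getTokens(AMIdentity aMIdentity) {
        Set<String> names = new HashSet<String>();
        IdSearchControl control = new IdSearchControl();
        TreeMap byManager = new TreeMap(String.CASE_INSENSITIVE_ORDER);
        byManager.put("manager", new HashSet(Arrays.asList(aMIdentity.getUniversalId())));
        control.setSearchModifiers(IdSearchOpModifier.AND, byManager);
        control.setAllReturnAttributes(false);
        control.setMaxResults(64000);
        try {
            SSOToken adminToken = (SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance());
            IdSearchResults found = new AMIdentityRepository(adminToken, "/oauth").searchIdentities(IdType.USER, "*", control);
            Set results = found.getSearchResults();
            if (results != null) {
                for (Object result : results) {
                    names.add(((AMIdentity) result).getName());
                }
            }
            return names;
        } catch (SSOException | IdRepoException e) {
            throw new RuntimeException((Throwable) e);
        }
    }
}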
