package org.forgerock.openam.oauth2;

import com.iplanet.am.util.SystemProperties;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.shared.debug.Debug;
import java.security.Key;
import java.security.KeyPair;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import org.forgerock.json.JsonValue;
import org.forgerock.json.jose.jws.JwsAlgorithm;
import org.forgerock.json.jose.jws.JwsAlgorithmType;
import org.forgerock.oauth2.core.AccessToken;
import org.forgerock.oauth2.core.AuthorizationCode;
import org.forgerock.oauth2.core.ClientRegistration;
import org.forgerock.oauth2.core.DeviceCode;
import org.forgerock.oauth2.core.OAuth2ProviderSettings;
import org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory;
import org.forgerock.oauth2.core.OAuth2Request;
import org.forgerock.oauth2.core.OAuth2Uris;
import org.forgerock.oauth2.core.RefreshToken;
import org.forgerock.oauth2.core.ResourceOwner;
import org.forgerock.oauth2.core.StatefulAccessToken;
import org.forgerock.oauth2.core.StatefulRefreshToken;
import org.forgerock.oauth2.core.exceptions.ClientAuthenticationFailureFactory;
import org.forgerock.oauth2.core.exceptions.InvalidClientException;
import org.forgerock.oauth2.core.exceptions.InvalidGrantException;
import org.forgerock.oauth2.core.exceptions.InvalidRequestException;
import org.forgerock.oauth2.core.exceptions.NotFoundException;
import org.forgerock.oauth2.core.exceptions.ServerException;
import org.forgerock.oauth2.core.exceptions.UnauthorizedClientException;
import org.forgerock.openam.cts.exceptions.CoreTokenException;
import org.forgerock.openam.oauth2.rest.TokenResource;
import org.forgerock.openam.tokens.CoreTokenField;
import org.forgerock.openam.utils.Alphabet;
import org.forgerock.openam.utils.RealmNormaliser;
import org.forgerock.openam.utils.RecoveryCodeGenerator;
import org.forgerock.openam.utils.StringUtils;
import org.forgerock.openam.utils.Time;
import org.forgerock.openidconnect.OpenIdConnectClientRegistration;
import org.forgerock.openidconnect.OpenIdConnectClientRegistrationStore;
import org.forgerock.openidconnect.OpenIdConnectToken;
import org.forgerock.openidconnect.OpenIdConnectTokenStore;
import org.forgerock.util.encode.Base64url;
import org.forgerock.util.generator.IdGenerator;
import org.forgerock.util.query.QueryFilter;
import org.json.JSONException;
import org.json.JSONObject;
import org.restlet.data.Status;
import org.restlet.ext.servlet.ServletUtils;

@Singleton
/* loaded from: input_file:org/forgerock/openam/oauth2/StatefulTokenStore.class */
public class StatefulTokenStore implements OpenIdConnectTokenStore {
    // Character set presumably used for generated user codes; it omits '0', '1', '8', '9',
    // 'U', 'l' and 'u'. Neither this nor CODE_LENGTH / NUM_RETRIES is referenced by any method
    // in the part of the class shown here — confirm the consumer before changing them.
    protected static final String ALPHABET = "234567ABCDEFGHIJKLMNOPQRSTVWXYZabcdefghijkmnopqrstvwxyz";
    private static final int CODE_LENGTH = 8;
    private static final int NUM_RETRIES = 10;
    private final Debug logger;
    // Access/error audit trail for token create/update outcomes; every write is gated on isAuditLogEnabled().
    private final OAuth2AuditLogger auditLogger;
    // Backing CTS (core token service) store in which codes and tokens are persisted.
    private final OAuthTokenStore tokenStore;
    private final OAuth2ProviderSettingsFactory providerSettingsFactory;
    private final OAuth2UrisFactory oauth2UrisFactory;
    private final OpenIdConnectClientRegistrationStore clientRegistrationStore;
    private final RealmNormaliser realmNormaliser;
    // Resolves the caller's SSO session from the servlet request (used to read the "AuthType" property).
    private final SSOTokenManager ssoTokenManager;
    // Reads the raw AM session cookie so its value can be recorded inside the authorization code.
    private final CookieExtractor cookieExtractor;
    // Injected but not used by any method visible in this chunk.
    private final SecureRandom secureRandom;
    private final ClientAuthenticationFailureFactory failureFactory;
    // Injected but not used by any method visible in this chunk.
    private final RecoveryCodeGenerator recoveryCodeGenerator;
    private final OAuth2Utils utils;

    /**
     * Guice-injected constructor; every collaborator is simply captured into a final field.
     *
     * @param debug the {@code OAuth2Provider}-named debug logger used for all diagnostics in this class
     */
    @Inject
    public StatefulTokenStore(OAuthTokenStore oAuthTokenStore, OAuth2ProviderSettingsFactory oAuth2ProviderSettingsFactory, OAuth2UrisFactory oAuth2UrisFactory, OpenIdConnectClientRegistrationStore openIdConnectClientRegistrationStore, RealmNormaliser realmNormaliser, SSOTokenManager sSOTokenManager, CookieExtractor cookieExtractor, OAuth2AuditLogger oAuth2AuditLogger, @Named("OAuth2Provider") Debug debug, SecureRandom secureRandom, ClientAuthenticationFailureFactory clientAuthenticationFailureFactory, RecoveryCodeGenerator recoveryCodeGenerator, OAuth2Utils oAuth2Utils) {
        // Logging / auditing first so later failures in this class always have somewhere to go.
        this.logger = debug;
        this.auditLogger = oAuth2AuditLogger;
        // Persistence and configuration lookups.
        this.tokenStore = oAuthTokenStore;
        this.providerSettingsFactory = oAuth2ProviderSettingsFactory;
        this.oauth2UrisFactory = oAuth2UrisFactory;
        this.clientRegistrationStore = openIdConnectClientRegistrationStore;
        this.realmNormaliser = realmNormaliser;
        // Session / request helpers.
        this.ssoTokenManager = sSOTokenManager;
        this.cookieExtractor = cookieExtractor;
        this.utils = oAuth2Utils;
        // Remaining collaborators.
        this.secureRandom = secureRandom;
        this.failureFactory = clientAuthenticationFailureFactory;
        this.recoveryCodeGenerator = recoveryCodeGenerator;
    }

    /**
     * Mints a new authorization code, persists it in the CTS and attaches it to the request.
     * <p>
     * The code value is a random UUID. The stored record also carries the caller's raw SSO
     * session id (read from the AM session cookie), the authentication modules reported by the
     * session and the {@code acr} request attribute, so the later code exchange can reproduce
     * them in the id_token without re-reading the session.
     *
     * @param set           granted scopes
     * @param resourceOwner the authenticated end user (only its id is stored)
     * @param str           client id; used to look up the client registration
     * @param str2          passed straight through to the AuthorizationCode constructor (presumably the redirect URI — confirm against that constructor)
     * @param str3          passed straight through (presumably the nonce — confirm)
     * @param oAuth2Request current request
     * @param str4          passed straight through (presumably the PKCE code challenge — confirm)
     * @param str5          passed straight through (presumably the PKCE code challenge method — confirm)
     * @return the persisted code
     * @throws ServerException   when the CTS write fails
     * @throws NotFoundException when the realm parameter cannot be normalised
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public AuthorizationCode createAuthorizationCode(Set<String> set, ResourceOwner resourceOwner, String str, String str2, String str3, OAuth2Request oAuth2Request, String str4, String str5) throws ServerException, NotFoundException {
        this.logger.message("DefaultOAuthTokenStoreImpl::Creating Authorization code");
        OpenIdConnectClientRegistration registration = getClientRegistration(str, oAuth2Request);
        OAuth2ProviderSettings settings = this.providerSettingsFactory.get(oAuth2Request);
        try {
            // A registered client's own lifetime wins; an unknown client gets the provider default.
            long lifetime = registration == null
                    ? settings.getAuthorizationCodeLifetime()
                    : registration.getAuthorizationCodeLifeTime(settings);
            long expiryTime = lifetime + Time.currentTimeMillis();
            String realm = this.realmNormaliser.normalise((String) oAuth2Request.getParameter("realm"));
            String codeValue = UUID.randomUUID().toString();
            // Second random UUID handed to the constructor (appears to be the auth grant id that
            // createRefreshToken later reads back via getAuthGrantId() — confirm).
            String secondUuid = UUID.randomUUID().toString();
            AuthorizationCode code = new AuthorizationCode(codeValue, resourceOwner.getId(), str, str2, set,
                    getClaimsFromRequest(oAuth2Request), expiryTime, str3, realm,
                    getAuthModulesFromSSOToken(oAuth2Request),
                    getAuthenticationContextClassReferenceFromRequest(oAuth2Request),
                    getSsoTokenId(oAuth2Request), str4, str5, secondUuid, IdGenerator.DEFAULT.generate());
            try {
                this.tokenStore.create(code);
            } catch (CoreTokenException e) {
                if (this.auditLogger.isAuditLogEnabled()) {
                    this.auditLogger.logErrorMessage("FAILED_CREATE_AUTHORIZATION_CODE", new String[]{"FAILED_CREATE_AUTHORIZATION_CODE", code.toString()}, null);
                }
                this.logger.error("Unable to create authorization code " + code.getTokenInfo(), e);
                throw new ServerException("Could not create token in CTS");
            }
            if (this.auditLogger.isAuditLogEnabled()) {
                this.auditLogger.logAccessMessage("CREATED_AUTHORIZATION_CODE", new String[]{"CREATED_AUTHORIZATION_CODE", code.toString()}, null);
            }
            oAuth2Request.setToken(AuthorizationCode.class, code);
            return code;
        } catch (org.forgerock.json.resource.NotFoundException e2) {
            throw new NotFoundException(e2.getMessage());
        }
    }

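    /**
     * Best-effort lookup of the client registration for {@code str} (a client id).
     * <p>
     * Returns {@code null} instead of failing when the client is unknown; the callers in this
     * class then fall back to the provider-level token lifetimes. The failure used to be
     * swallowed without a trace, which made tokens minted with provider defaults impossible to
     * explain from the logs — it is now recorded at debug level.
     *
     * @return the registration, or {@code null} when the store reports an invalid client
     * @throws ServerException   propagated from the registration store
     * @throws NotFoundException propagated from the registration store
     */
    private OpenIdConnectClientRegistration getClientRegistration(String str, OAuth2Request oAuth2Request) throws ServerException, NotFoundException {
        try {
            return this.clientRegistrationStore.get(str, oAuth2Request);
        } catch (InvalidClientException e) {
            // Not an error for this class: an unknown client simply gets provider defaults.
            this.logger.message("No client registration found for client id '" + str + "', using provider defaults: " + e.getMessage());
            return null;
        }
    }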

    /** Returns the raw, client-supplied {@code claims} request parameter (may be {@code null}). */
    private String getClaimsFromRequest(OAuth2Request oAuth2Request) {
        Object claims = oAuth2Request.getParameter("claims");
        return (String) claims;
    }

    /**
     * Reads the raw AM session token id from the SSO cookie of the underlying servlet request.
     * <p>
     * The cookie name is taken from the {@code com.iplanet.am.cookie.name} system property. The
     * value is a bearer credential for the user's session and is passed into the AuthorizationCode
     * record by createAuthorizationCode, so the code store must be protected like the session store.
     */
    private String getSsoTokenId(OAuth2Request oAuth2Request) {
        String cookieName = SystemProperties.get("com.iplanet.am.cookie.name");
        return this.cookieExtractor.extract(ServletUtils.getRequest(oAuth2Request.getRequest()), cookieName);
    }

    /**
     * Returns the {@code AuthType} property of the caller's SSO session, i.e. the authentication
     * module(s) that produced it, or {@code null} when there is no session or it cannot be read.
     * Failures are logged at warning level and never propagate.
     */
    private String getAuthModulesFromSSOToken(OAuth2Request oAuth2Request) {
        try {
            SSOToken session = this.ssoTokenManager.createSSOToken(ServletUtils.getRequest(oAuth2Request.getRequest()));
            return session == null ? null : session.getProperty("AuthType");
        } catch (SSOException e) {
            this.logger.warning("Could not get list of auth modules from authentication", e);
            return null;
        }
    }

    /**
     * Returns the {@code acr} attribute of the underlying Restlet request (a request attribute,
     * presumably set server-side earlier in the pipeline, not a query parameter), or {@code null}.
     */
    private String getAuthenticationContextClassReferenceFromRequest(OAuth2Request oAuth2Request) {
        Map<String, Object> attributes = oAuth2Request.getRequest().getAttributes();
        return (String) attributes.get("acr");
    }

    /**
     * Builds (but does not persist) the OpenID Connect id_token for this request.
     * <p>
     * Key material: the provider's signing key pair for the client's registered signing
     * algorithm, the client's id_token encryption key, and the client secret bytes (presumably
     * used as the HMAC key when an HS* algorithm is configured — in that case the token is only
     * as strong as the client secret). {@code at_hash}/{@code c_hash} are derived from the access
     * token / authorization code already attached to the request, when present.
     *
     * @param resourceOwner the authenticated end user
     * @param str           client id (looked up in the registration store; an unknown client is an InvalidClientException here, unlike getClientRegistration)
     * @param str2, str3    passed straight through to the OpenIdConnectToken constructor (presumably nonce/… — confirm against that constructor)
     * @param str4          the session identifier; recorded on the request via setSession and, when ops tokens are enabled, stored in the CTS alongside the new ops id
     * @throws InvalidClientException when the client is unknown or not allowed to obtain user info
     * @throws ServerException        when the optional ops-token CTS write fails
     * @throws NotFoundException      when the realm parameter cannot be normalised
     */
    @Override // org.forgerock.openidconnect.OpenIdConnectTokenStore
    public OpenIdConnectToken createOpenIDToken(ResourceOwner resourceOwner, String str, String str2, String str3, String str4, OAuth2Request oAuth2Request) throws ServerException, InvalidClientException, NotFoundException {
        OAuth2ProviderSettings oAuth2ProviderSettings = this.providerSettingsFactory.get(oAuth2Request);
        OAuth2Uris oAuth2Uris = this.oauth2UrisFactory.get(oAuth2Request);
        OpenIdConnectClientRegistration openIdConnectClientRegistration = this.clientRegistrationStore.get(str, oAuth2Request);
        String iDTokenSignedResponseAlgorithm = openIdConnectClientRegistration.getIDTokenSignedResponseAlgorithm();
        String iDTokenEncryptionResponseAlgorithm = openIdConnectClientRegistration.getIDTokenEncryptionResponseAlgorithm();
        String iDTokenEncryptionResponseMethod = openIdConnectClientRegistration.getIDTokenEncryptionResponseMethod();
        long currentTimeMillis = Time.currentTimeMillis();
        // Absolute expiry in milliseconds; converted to seconds for the exp claim below.
        long jwtTokenLifeTime = openIdConnectClientRegistration.getJwtTokenLifeTime(oAuth2ProviderSettings) + currentTimeMillis;
        try {
            String normalise = this.realmNormaliser.normalise((String) oAuth2Request.getParameter("realm"));
            String issuer = oAuth2Uris.getIssuer();
            List<String> aMRFromAuthModules = getAMRFromAuthModules(oAuth2Request, oAuth2ProviderSettings);
            byte[] bArr = null;
            String clientSecret = openIdConnectClientRegistration.getClientSecret();
            if (StringUtils.isNotEmpty(clientSecret)) {
                // Raw secret bytes handed to the token as symmetric key material.
                bArr = clientSecret.getBytes(org.forgerock.json.jose.utils.Utils.CHARSET);
            }
            // Note the case normalisation here: generateKid/generateHash below receive the
            // un-normalised algorithm string.
            KeyPair signingKeyPair = oAuth2ProviderSettings.getSigningKeyPair(JwsAlgorithm.valueOf(iDTokenSignedResponseAlgorithm.toUpperCase()));
            Key iDTokenEncryptionKey = openIdConnectClientRegistration.getIDTokenEncryptionKey();
            String generateAtHash = generateAtHash(iDTokenSignedResponseAlgorithm, oAuth2Request, oAuth2ProviderSettings);
            String generateCHash = generateCHash(iDTokenSignedResponseAlgorithm, oAuth2Request, oAuth2ProviderSettings);
            String authenticationContextClassReference = getAuthenticationContextClassReference(oAuth2Request);
            // The same call with the same arguments twice, so both kid values passed to the
            // constructor are always identical.
            String generateKid = generateKid(oAuth2ProviderSettings.getJWKSet(), iDTokenSignedResponseAlgorithm);
            String generateKid2 = generateKid(oAuth2ProviderSettings.getJWKSet(), iDTokenSignedResponseAlgorithm);
            long authTime = resourceOwner.getAuthTime();
            // Subject value is client-specific (pairwise/public is decided by the registration).
            String subValue = openIdConnectClientRegistration.getSubValue(resourceOwner.getId(), oAuth2ProviderSettings);
            String str5 = null;
            if (oAuth2ProviderSettings.shouldStoreOpsTokens()) {
                // Optional "ops" record linking this id_token to the user session (str4) in the
                // CTS, with the same expiry as the token itself.
                str5 = UUID.randomUUID().toString();
                try {
                    this.tokenStore.create(JsonValue.json(JsonValue.object(new Map.Entry[]{JsonValue.field("id", JsonValue.array(new Object[]{str5})), JsonValue.field("ops", JsonValue.array(new Object[]{str4})), JsonValue.field(TokenResource.EXPIRE_TIME_KEY, JsonValue.array(new Object[]{Long.toString(jwtTokenLifeTime)}))})));
                } catch (CoreTokenException e) {
                    this.logger.error("Unable to create id_token user session token", e);
                    throw new ServerException("Could not create token in CTS");
                }
            }
            // exp and iat are passed as seconds since the epoch.
            OpenIdConnectToken openIdConnectToken = new OpenIdConnectToken(generateKid, generateKid2, bArr, signingKeyPair, iDTokenEncryptionKey, iDTokenSignedResponseAlgorithm, iDTokenEncryptionResponseAlgorithm, iDTokenEncryptionResponseMethod, openIdConnectClientRegistration.isIDTokenEncryptionEnabled(), issuer, subValue, str, str2, TimeUnit.MILLISECONDS.toSeconds(jwtTokenLifeTime), TimeUnit.MILLISECONDS.toSeconds(currentTimeMillis), authTime, str3, str5, generateAtHash, generateCHash, authenticationContextClassReference, aMRFromAuthModules, IdGenerator.DEFAULT.generate(), normalise);
            oAuth2Request.setSession(str4);
            oAuth2Request.setToken(OpenIdConnectToken.class, openIdConnectToken);
            String str6 = (String) oAuth2Request.getParameter("response_type");
            // Which user claims end up in the id_token:
            //  - client_credentials: none (there is no end user);
            //  - provider configured to always add claims, or a pure "id_token" response_type
            //    (exact match after trim, so "id_token token" does not qualify): all userinfo claims;
            //  - otherwise, if the claims parameter is supported: only the claims the client requested.
            if ("client_credentials".equals(oAuth2Request.getParameter("grant_type"))) {
                this.logger.message("Can't add claims for the client credentials flow.");
            } else if (oAuth2ProviderSettings.isAlwaysAddClaimsToToken() || (str6 != null && str6.trim().equals("id_token"))) {
                appendIdTokenClaims(openIdConnectClientRegistration, oAuth2Request, oAuth2ProviderSettings, openIdConnectToken);
            } else if (oAuth2ProviderSettings.getClaimsParameterSupported()) {
                appendRequestedIdTokenClaims(openIdConnectClientRegistration, oAuth2Request, oAuth2ProviderSettings, openIdConnectToken);
            }
            return openIdConnectToken;
        } catch (org.forgerock.json.resource.NotFoundException e2) {
            // Thrown by realm normalisation; surfaced as the OAuth2 NotFoundException.
            throw new NotFoundException(e2.getMessage());
        }
    }

    /**
     * Copies every userinfo claim the provider produces for this client/token into the id_token.
     * An UnauthorizedClientException from the userinfo lookup is translated into the
     * client-authentication failure the failure factory deems appropriate for this request.
     */
    private void appendIdTokenClaims(ClientRegistration clientRegistration, OAuth2Request oAuth2Request, OAuth2ProviderSettings oAuth2ProviderSettings, OpenIdConnectToken openIdConnectToken) throws ServerException, NotFoundException, InvalidClientException {
        AccessToken accessToken = (AccessToken) oAuth2Request.getToken(AccessToken.class);
        Map<String, Object> userInfo;
        try {
            userInfo = oAuth2ProviderSettings.getUserInfo(clientRegistration, accessToken, oAuth2Request).getValues();
        } catch (UnauthorizedClientException e) {
            throw this.failureFactory.getException(oAuth2Request, e.getMessage());
        }
        for (Map.Entry<String, Object> claim : userInfo.entrySet()) {
            openIdConnectToken.put(claim.getKey(), claim.getValue());
        }
    }

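    /**
     * Adds to the id_token only the claims named in the {@code id_token} section of the OIDC
     * {@code claims} request parameter.
     * <p>
     * The claims JSON is taken from the access token when one is on the request (it was captured
     * at authorization time), otherwise from the live request parameter. Either way it is
     * client-supplied: its keys are used purely as a filter, and a claim is copied only when the
     * provider's userinfo lookup produced a value for that name — nothing from the request is
     * echoed into the token.
     *
     * @throws InvalidClientException when the client is not allowed to obtain user info
     */
    private void appendRequestedIdTokenClaims(ClientRegistration clientRegistration, OAuth2Request oAuth2Request, OAuth2ProviderSettings oAuth2ProviderSettings, OpenIdConnectToken openIdConnectToken) throws ServerException, NotFoundException, InvalidClientException {
        AccessToken accessToken = (AccessToken) oAuth2Request.getToken(AccessToken.class);
        String claimsJson = accessToken != null ? (String) accessToken.toMap().get("claims") : (String) oAuth2Request.getParameter("claims");
        if (claimsJson == null) {
            return;
        }
        try {
            JSONObject requestedIdTokenClaims = new JSONObject(claimsJson).getJSONObject("id_token");
            Map<String, Object> userInfo = oAuth2ProviderSettings.getUserInfo(clientRegistration, accessToken, oAuth2Request).getValues();
            Iterator<String> requested = requestedIdTokenClaims.keys();
            while (requested.hasNext()) {
                String claimName = requested.next();
                if (userInfo.containsKey(claimName)) {
                    openIdConnectToken.put(claimName, userInfo.get(claimName));
                }
            }
        } catch (UnauthorizedClientException e) {
            throw this.failureFactory.getException(oAuth2Request, e.getMessage());
        } catch (JSONException e) {
            // A claims value that is not valid JSON, or one without an "id_token" member, is simply
            // not applied. That is legitimate (the parameter may only target userinfo), but it was
            // previously swallowed silently; leave a debug trace so the omission can be explained.
            this.logger.message("Ignoring claims parameter that is not usable for id_token: " + e.getMessage());
        }
    }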

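    /**
     * Picks the {@code kid} to advertise in the id_token header for the given signing algorithm.
     * <p>
     * Only asymmetric algorithms (RSA, ECDSA) have a published key id; for anything else
     * {@code null} is returned, as it is when the JWK set is absent or has no {@code keys}.
     *
     * @param jsonValue the provider's JWK set (may be {@code null})
     * @param str       the JWS algorithm name as registered for the client
     * @return the key id of the first key in the set, or {@code null}
     */
    private String generateKid(JsonValue jsonValue, String str) {
        // createOpenIDToken upper-cases the algorithm before JwsAlgorithm.valueOf when looking
        // up the signing key pair; do the same here so a lower-case registered value that was
        // already accepted for signing does not fail with IllegalArgumentException at this point.
        JwsAlgorithm algorithm = JwsAlgorithm.valueOf(str.toUpperCase());
        JwsAlgorithmType type = algorithm.getAlgorithmType();
        if (!JwsAlgorithmType.RSA.equals(type) && !JwsAlgorithmType.ECDSA.equals(type)) {
            return null;
        }
        if (jsonValue == null) {
            return null;
        }
        JsonValue keys = jsonValue.get("keys");
        if (keys.isNull() || keys.asList().isEmpty()) {
            return null;
        }
        // NOTE(review): this always returns the FIRST key's kid, without checking that the key's
        // type matches the algorithm. With a mixed RSA/EC JWK set the advertised kid may not be the
        // key that getSigningKeyPair() actually signs with — verify against that lookup.
        return keys.get(0).get("kid").asString();
    }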

    /**
     * Derives the {@code amr} claim values from the authentication modules recorded for this grant.
     * <p>
     * The module list is taken from the authorization code on the request, else from the refresh
     * token, else from the live SSO session ({@code AuthType}, pipe-separated). Each configured
     * AMR-to-module mapping whose module appears in that list contributes its AMR key.
     *
     * @return the matching AMR values (possibly empty), or {@code null} when no module list is
     *         available or no mappings are configured
     */
    private List<String> getAMRFromAuthModules(OAuth2Request oAuth2Request, OAuth2ProviderSettings oAuth2ProviderSettings) throws ServerException {
        AuthorizationCode code = (AuthorizationCode) oAuth2Request.getToken(AuthorizationCode.class);
        RefreshToken refreshToken = (RefreshToken) oAuth2Request.getToken(RefreshToken.class);
        String authModules;
        if (code != null) {
            authModules = code.getAuthModules();
        } else if (refreshToken != null) {
            authModules = refreshToken.getAuthModules();
        } else {
            authModules = getAuthModulesFromSSOToken(oAuth2Request);
        }
        if (authModules == null) {
            return null;
        }
        Map<String, String> amrToModule = oAuth2ProviderSettings.getAMRAuthModuleMappings();
        if (amrToModule.isEmpty()) {
            return null;
        }
        List<String> modulesUsed = Arrays.asList(authModules.split("\\|"));
        List<String> amrValues = new ArrayList<String>();
        for (Map.Entry<String, String> mapping : amrToModule.entrySet()) {
            if (modulesUsed.contains(mapping.getValue())) {
                amrValues.add(mapping.getKey());
            }
        }
        return amrValues;
    }

    /**
     * Returns the ACR recorded for this grant: from the authorization code on the request, else
     * from the refresh token, else from the {@code acr} request attribute.
     */
    private String getAuthenticationContextClassReference(OAuth2Request oAuth2Request) {
        AuthorizationCode code = (AuthorizationCode) oAuth2Request.getToken(AuthorizationCode.class);
        if (code != null) {
            return code.getAuthenticationContextClassReference();
        }
        RefreshToken refreshToken = (RefreshToken) oAuth2Request.getToken(RefreshToken.class);
        if (refreshToken != null) {
            return refreshToken.getAuthenticationContextClassReference();
        }
        return getAuthenticationContextClassReferenceFromRequest(oAuth2Request);
    }

    /**
     * Computes the {@code at_hash} value over the access token already attached to the request,
     * or returns {@code null} (with a debug message) when there is none.
     *
     * @param str the JWS algorithm name that determines the digest
     */
    private String generateAtHash(String str, OAuth2Request oAuth2Request, OAuth2ProviderSettings oAuth2ProviderSettings) throws ServerException {
        AccessToken accessToken = (AccessToken) oAuth2Request.getToken(AccessToken.class);
        if (accessToken == null) {
            this.logger.message("at_hash generation requires an existing access_token.");
            return null;
        }
        String accessTokenValue = (String) accessToken.getTokenInfo().get("access_token");
        return generateHash(str, accessTokenValue, oAuth2ProviderSettings);
    }

    /**
     * Computes the {@code c_hash} value over the authorization code already attached to the
     * request, or returns {@code null} (with a debug message) when there is none.
     *
     * @param str the JWS algorithm name that determines the digest
     */
    private String generateCHash(String str, OAuth2Request oAuth2Request, OAuth2ProviderSettings oAuth2ProviderSettings) throws ServerException {
        AuthorizationCode code = (AuthorizationCode) oAuth2Request.getToken(AuthorizationCode.class);
        if (code == null) {
            this.logger.message("c_hash generation requires an existing code.");
            return null;
        }
        return generateHash(str, code.getTokenId(), oAuth2ProviderSettings);
    }

    /**
     * Shared at_hash / c_hash construction: digest {@code str2} with the message digest that
     * belongs to JWS algorithm {@code str}, keep the left-most half of the digest and base64url
     * encode it.
     *
     * @param str  JWS algorithm name; must be in the provider's supported id_token signing
     *             algorithms, otherwise {@code null} is returned and the claim is omitted
     * @param str2 the value to hash (access token value or authorization code)
     * @throws ServerException when the JVM has no provider for the digest algorithm
     */
    private String generateHash(String str, String str2, OAuth2ProviderSettings oAuth2ProviderSettings) throws ServerException {
        boolean supported = oAuth2ProviderSettings.getSupportedIDTokenSigningAlgorithms().contains(str);
        if (!supported) {
            this.logger.message("Unsupported signing algorithm requested for hash value.");
            return null;
        }
        MessageDigest messageDigest;
        try {
            messageDigest = MessageDigest.getInstance(JwsAlgorithm.valueOf(str).getMdAlgorithm());
        } catch (NoSuchAlgorithmException e) {
            this.logger.message("Unsupported signing algorithm chosen for hashing.");
            throw new ServerException("Algorithm not supported.");
        }
        byte[] digest = messageDigest.digest(str2.getBytes(org.forgerock.json.jose.utils.Utils.CHARSET));
        byte[] leftHalf = Arrays.copyOfRange(digest, 0, digest.length / 2);
        return Base64url.encode(leftHalf);
    }

    /**
     * Convenience overload that stamps the token with the current time (in seconds) as its
     * auth-time-style timestamp; see the full overload for the parameters.
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public AccessToken createAccessToken(String str, String str2, String str3, String str4, String str5, String str6, Set<String> set, RefreshToken refreshToken, String str7, String str8, OAuth2Request oAuth2Request) throws ServerException, NotFoundException {
        long nowSeconds = TimeUnit.MILLISECONDS.toSeconds(Time.currentTimeMillis());
        return createAccessToken(str, str2, str3, str4, str5, str6, set, refreshToken, str7, str8, oAuth2Request, nowSeconds);
    }

    /**
     * Mints a stateful (CTS-backed) access token, persists it and attaches it to the request.
     * <p>
     * The token value is a random UUID. Lifetime comes from the client registration when the
     * client is known, otherwise from the provider settings. A confirmation key obtained from
     * {@code OAuth2Utils.getConfirmationKey} is stored with the token.
     *
     * @param str   passed straight through to the StatefulAccessToken constructor, after the literal token name "access_token" (presumably the grant type — confirm)
     * @param str2  not used by this implementation
     * @param str5  client id; used to look up the client registration
     * @param set   granted scopes
     * @param j     timestamp in seconds supplied by the caller
     * @throws ServerException   when the CTS write fails
     * @throws NotFoundException when the realm parameter cannot be normalised
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public AccessToken createAccessToken(String str, String str2, String str3, String str4, String str5, String str6, Set<String> set, RefreshToken refreshToken, String str7, String str8, OAuth2Request oAuth2Request, long j) throws ServerException, NotFoundException {
        OpenIdConnectClientRegistration registration = getClientRegistration(str5, oAuth2Request);
        OAuth2ProviderSettings settings = this.providerSettingsFactory.get(oAuth2Request);
        try {
            long lifetime = registration == null
                    ? settings.getAccessTokenLifetime()
                    : registration.getAccessTokenLifeTime(settings);
            long expiryTime = lifetime + Time.currentTimeMillis();
            String realm = this.realmNormaliser.normalise((String) oAuth2Request.getParameter("realm"));
            StatefulAccessToken token = new StatefulAccessToken(UUID.randomUUID().toString(), str3, str4, str5, str6, set,
                    expiryTime, refreshToken, "access_token", str, str7, realm, str8,
                    IdGenerator.DEFAULT.generate(), j, this.utils.getConfirmationKey(oAuth2Request));
            try {
                this.tokenStore.create(token.toJsonValue());
            } catch (CoreTokenException e) {
                this.logger.error("Could not create token in CTS: " + e.getMessage());
                if (this.auditLogger.isAuditLogEnabled()) {
                    this.auditLogger.logErrorMessage("FAILED_CREATE_TOKEN", new String[]{"FAILED_CREATE_TOKEN", token.toString()}, null);
                }
                throw new ServerException("Could not create token in CTS: " + e.getMessage());
            }
            if (this.auditLogger.isAuditLogEnabled()) {
                this.auditLogger.logAccessMessage("CREATED_TOKEN", new String[]{"CREATED_TOKEN", token.toString()}, null);
            }
            oAuth2Request.setToken(AccessToken.class, token);
            return token;
        } catch (org.forgerock.json.resource.NotFoundException e2) {
            throw new NotFoundException(e2.getMessage());
        }
    }

    /** Overload without a claims string; delegates with {@code null} claims. */
    @Override // org.forgerock.oauth2.core.TokenStore
    public RefreshToken createRefreshToken(String str, String str2, String str3, String str4, Set<String> set, OAuth2Request oAuth2Request) throws ServerException, NotFoundException {
        String noClaims = null;
        return createRefreshToken(str, str2, str3, str4, set, oAuth2Request, noClaims);
    }

    /** Overload that stamps the token with the current time in seconds. */
    @Override // org.forgerock.oauth2.core.TokenStore
    public RefreshToken createRefreshToken(String str, String str2, String str3, String str4, Set<String> set, OAuth2Request oAuth2Request, String str5) throws ServerException, NotFoundException {
        long nowSeconds = TimeUnit.MILLISECONDS.toSeconds(Time.currentTimeMillis());
        return createRefreshToken(str, str2, str3, str4, set, oAuth2Request, str5, nowSeconds);
    }

    /**
     * Overload that derives the auth grant id: reuses the one carried by the authorization code
     * on the request, so refresh tokens stay linked to the grant they came from, and falls back
     * to a fresh random UUID when there is no code or the code has no grant id.
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public RefreshToken createRefreshToken(String str, String str2, String str3, String str4, Set<String> set, OAuth2Request oAuth2Request, String str5, long j) throws ServerException, NotFoundException {
        AuthorizationCode code = (AuthorizationCode) oAuth2Request.getToken(AuthorizationCode.class);
        String authGrantId;
        if (code != null && code.getAuthGrantId() != null) {
            authGrantId = code.getAuthGrantId();
        } else {
            authGrantId = UUID.randomUUID().toString();
        }
        return createRefreshToken(str, str2, str3, str4, set, oAuth2Request, str5, authGrantId, j);
    }

    /** Overload with an explicit auth grant id that stamps the token with the current time in seconds. */
    @Override // org.forgerock.oauth2.core.TokenStore
    public RefreshToken createRefreshToken(String str, String str2, String str3, String str4, Set<String> set, OAuth2Request oAuth2Request, String str5, String str6) throws ServerException, NotFoundException {
        long nowSeconds = TimeUnit.MILLISECONDS.toSeconds(Time.currentTimeMillis());
        return createRefreshToken(str, str2, str3, str4, set, oAuth2Request, str5, str6, nowSeconds);
    }

    /**
     * Mints a stateful refresh token, persists it in the CTS and attaches it to the request.
     * <p>
     * Lifetime comes from the client registration when the client is known, otherwise from the
     * provider settings. A negative configured lifetime yields an expiry time of {@code -1}, i.e.
     * no absolute expiry is computed here — treat that configuration as a long-lived credential.
     * Authentication modules and ACR are inherited from the refresh token on the request if there
     * is one, else from the authorization code, else left {@code null}.
     *
     * @param str2 client id; used to look up the client registration
     * @param set  granted scopes
     * @param str5 optional claims string; stored only when non-blank
     * @param str6 auth grant id linking this token to its originating grant
     * @param j    timestamp in seconds supplied by the caller
     * @throws ServerException   when the CTS write fails
     * @throws NotFoundException when the realm parameter cannot be normalised
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public RefreshToken createRefreshToken(String str, String str2, String str3, String str4, Set<String> set, OAuth2Request oAuth2Request, String str5, String str6, long j) throws ServerException, NotFoundException {
        try {
            String realm = this.realmNormaliser.normalise((String) oAuth2Request.getParameter("realm"));
            this.logger.message("Create refresh token");
            OpenIdConnectClientRegistration registration = getClientRegistration(str2, oAuth2Request);
            OAuth2ProviderSettings settings = this.providerSettingsFactory.get(oAuth2Request);
            String tokenValue = UUID.randomUUID().toString();
            String auditId = IdGenerator.DEFAULT.generate();
            long lifetime = registration == null
                    ? settings.getRefreshTokenLifetime()
                    : registration.getRefreshTokenLifeTime(settings);
            long expiryTime;
            if (lifetime < 0) {
                expiryTime = -1L;
            } else {
                expiryTime = lifetime + Time.currentTimeMillis();
            }
            // A refresh token already on the request takes precedence over the authorization code.
            String authModules = null;
            String acr = null;
            RefreshToken priorRefreshToken = (RefreshToken) oAuth2Request.getToken(RefreshToken.class);
            AuthorizationCode grantCode = (AuthorizationCode) oAuth2Request.getToken(AuthorizationCode.class);
            if (priorRefreshToken != null) {
                authModules = priorRefreshToken.getAuthModules();
                acr = priorRefreshToken.getAuthenticationContextClassReference();
            } else if (grantCode != null) {
                authModules = grantCode.getAuthModules();
                acr = grantCode.getAuthenticationContextClassReference();
            }
            StatefulRefreshToken token = new StatefulRefreshToken(tokenValue, str3, str2, str4, set, expiryTime, "Bearer", "refresh_token", str, realm, authModules, acr, auditId, str6, j);
            if (!StringUtils.isBlank(str5)) {
                token.setClaims(str5);
            }
            try {
                this.tokenStore.create(token);
            } catch (CoreTokenException e) {
                if (this.auditLogger.isAuditLogEnabled()) {
                    this.auditLogger.logErrorMessage("FAILED_CREATE_REFRESH_TOKEN", new String[]{"FAILED_CREATE_REFRESH_TOKEN", token.toString()}, null);
                }
                this.logger.error("Unable to create refresh token: " + token.getTokenInfo(), e);
                throw new ServerException("Could not create token in CTS: " + e.getMessage());
            }
            if (this.auditLogger.isAuditLogEnabled()) {
                this.auditLogger.logAccessMessage("CREATED_REFRESH_TOKEN", new String[]{"CREATED_REFRESH_TOKEN", token.toString()}, null);
            }
            oAuth2Request.setToken(RefreshToken.class, token);
            return token;
        } catch (org.forgerock.json.resource.NotFoundException e2) {
            throw new NotFoundException(e2.getMessage());
        }
    }

    /**
     * Loads the authorization code {@code str} from the CTS, checks it belongs to the request's
     * realm and caches it on the request.
     * <p>
     * If a code is already attached to the request it is returned as-is, without comparing its
     * id with {@code str} — this assumes a single request never deals with two different codes.
     * Expiry and single-use enforcement are not done here (presumably by the caller — confirm).
     *
     * @throws InvalidGrantException when no such code exists
     * @throws ServerException       when the CTS read fails
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public AuthorizationCode readAuthorizationCode(OAuth2Request oAuth2Request, String str) throws InvalidGrantException, ServerException, NotFoundException {
        AuthorizationCode cached = (AuthorizationCode) oAuth2Request.getToken(AuthorizationCode.class);
        if (cached != null) {
            return cached;
        }
        this.logger.message("Reading Authorization code: {}", new Object[]{str});
        try {
            JsonValue stored = this.tokenStore.read(str);
            if (stored == null) {
                // NOTE(review): the code value is a bearer secret; here it is logged at error level.
                this.logger.error("Unable to read authorization code corresponding to id: " + str);
                throw new InvalidGrantException("The provided access grant is invalid, expired, or revoked.");
            }
            AuthorizationCode code = new AuthorizationCode(stored);
            // Cross-realm use is rejected here (validateTokenRealm is defined elsewhere in this class).
            validateTokenRealm(code.getRealm(), oAuth2Request);
            oAuth2Request.setToken(AuthorizationCode.class, code);
            return code;
        } catch (CoreTokenException e) {
            this.logger.error("Unable to read authorization code corresponding to id: " + str, e);
            throw new ServerException("Could not read token from CTS: " + e.getMessage());
        }
    }

    /**
     * Writes the (already modified) authorization code back to the CTS and audits the outcome.
     * A CTS failure is surfaced as an internal-error OAuthProblemException (unchecked).
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public void updateAuthorizationCode(OAuth2Request oAuth2Request, AuthorizationCode authorizationCode) {
        boolean audit = this.auditLogger.isAuditLogEnabled();
        try {
            this.tokenStore.update(authorizationCode);
        } catch (CoreTokenException e) {
            if (audit) {
                this.auditLogger.logErrorMessage("FAILED_UPDATE_AUTHORIZATION_CODE", new String[]{"FAILED_UPDATE_AUTHORIZATION_CODE", authorizationCode.toString()}, null);
            }
            this.logger.error("DefaultOAuthTokenStoreImpl::Unable to update authorization code " + authorizationCode.getTokenInfo(), e);
            throw new OAuthProblemException(Status.SERVER_ERROR_INTERNAL.getCode(), "Internal error", "Could not update token in CTS", null);
        }
        if (audit) {
            this.auditLogger.logAccessMessage("UPDATED_AUTHORIZATION_CODE", new String[]{"UPDATED_AUTHORIZATION_CODE", authorizationCode.toString()}, null);
        }
    }

    /**
     * Writes the (already modified) access token back to the CTS. Unlike updateAuthorizationCode
     * there is no audit record; a CTS failure becomes an internal-error OAuthProblemException.
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public void updateAccessToken(OAuth2Request oAuth2Request, AccessToken accessToken) {
        JsonValue serialised = accessToken.toJsonValue();
        try {
            this.tokenStore.update(serialised);
        } catch (CoreTokenException e) {
            String detail = "DefaultOAuthTokenStoreImpl::Unable to update access token " + accessToken.getTokenId();
            this.logger.error(detail, e);
            throw new OAuthProblemException(Status.SERVER_ERROR_INTERNAL.getCode(), "Internal error", "Could not update token in CTS", null);
        }
    }

    /**
     * Deletes authorization code {@code str} from the CTS.
     * <p>
     * The code is read first so that a missing code yields a 404-style OAuthProblemException
     * rather than a silent no-op; read failures and delete failures are both reported as
     * internal errors (unchecked). The read-then-delete is not atomic, but a concurrent delete
     * only changes which of the two error paths is taken.
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public void deleteAuthorizationCode(OAuth2Request oAuth2Request, String str) {
        if (this.logger.messageEnabled()) {
            this.logger.message("DefaultOAuthTokenStoreImpl::Deleting Authorization code: " + str);
        }
        JsonValue existing;
        try {
            existing = this.tokenStore.read(str);
        } catch (CoreTokenException readFailure) {
            this.logger.error("DefaultOAuthTokenStoreImpl::Unable to read authorization code corresponding to id: " + str, readFailure);
            throw new OAuthProblemException(Status.SERVER_ERROR_INTERNAL.getCode(), "Internal error", "Could not read token from CTS: " + readFailure.getMessage(), null);
        }
        if (existing == null) {
            this.logger.error("DefaultOAuthTokenStoreImpl::Unable to read authorization code corresponding to id: " + str);
            throw new OAuthProblemException(Status.CLIENT_ERROR_NOT_FOUND.getCode(), "Not found", "Could not find token using CTS", null);
        }
        try {
            this.tokenStore.delete(str);
        } catch (CoreTokenException deleteFailure) {
            this.logger.error("DefaultOAuthTokenStoreImpl::Unable to delete authorization code corresponding to id: " + str, deleteFailure);
            throw new OAuthProblemException(Status.SERVER_ERROR_INTERNAL.getCode(), "Internal error", "Could not delete token from CTS: " + deleteFailure.getMessage(), null);
        }
    }

    /**
     * Deletes an access token from the CTS by id.
     * <p>
     * Unlike {@link #deleteAuthorizationCode}, no existence check precedes the delete; what
     * happens for an unknown id is whatever the CTS does in that case.
     *
     * @param oAuth2Request the current request; not consulted by this implementation
     * @param str the access token id to delete
     * @throws ServerException when the CTS delete fails; the CTS message is appended to the
     *         exception message and the cause is logged with the id
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public void deleteAccessToken(OAuth2Request oAuth2Request, String str) throws ServerException {
        this.logger.message("Deleting access token");
        try {
            this.tokenStore.delete(str);
        } catch (CoreTokenException deleteFailure) {
            final String detail = "Unable to delete access token corresponding to id: " + str;
            this.logger.error(detail, deleteFailure);
            throw new ServerException("Could not delete token from CTS: " + deleteFailure.getMessage());
        }
    }

    /**
     * Deletes a refresh token from the CTS by id.
     *
     * @param oAuth2Request the current request; not consulted by this implementation
     * @param str the refresh token id to delete
     * @throws InvalidRequestException when the CTS delete fails. The failure is logged with the
     *         id, but the thrown exception carries neither a message nor the cause.
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public void deleteRefreshToken(OAuth2Request oAuth2Request, String str) throws InvalidRequestException {
        try {
            this.tokenStore.delete(str);
        } catch (CoreTokenException deleteFailure) {
            final String detail = "Unable to delete refresh token corresponding to id: " + str;
            this.logger.error(detail, deleteFailure);
            throw new InvalidRequestException();
        }
    }

    /**
     * Resolves an access token by id, preferring the copy already attached to the request.
     * <p>
     * On a CTS hit the token's stored realm is checked against the request realm via
     * {@link #validateTokenRealm} before the token is cached on the request and returned.
     *
     * @param oAuth2Request the current request; supplies the cached token and the realm parameter
     * @param str the access token id to look up
     * @return the request-cached token if present, otherwise the token loaded from the CTS
     * @throws InvalidGrantException when no token with this id is stored, or the realm check fails
     * @throws ServerException when the CTS read fails
     * @throws NotFoundException propagated from the realm check
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public AccessToken readAccessToken(OAuth2Request oAuth2Request, String str) throws ServerException, InvalidGrantException, NotFoundException {
        final AccessToken cached = (AccessToken) oAuth2Request.getToken(AccessToken.class);
        if (cached != null) {
            return cached;
        }
        this.logger.message("Reading access token");
        final JsonValue stored;
        try {
            stored = this.tokenStore.read(str);
        } catch (CoreTokenException readFailure) {
            this.logger.error("Unable to read access token corresponding to id: " + str, readFailure);
            throw new ServerException("Could not read token in CTS: " + readFailure.getMessage());
        }
        if (stored == null) {
            this.logger.error("Unable to read access token corresponding to id: " + str);
            throw new InvalidGrantException("Could not read token in CTS");
        }
        final StatefulAccessToken loaded = new StatefulAccessToken(stored);
        // Realm binding: a token issued in one realm must not be usable against another.
        validateTokenRealm(loaded.getRealm(), oAuth2Request);
        oAuth2Request.setToken(AccessToken.class, loaded);
        return loaded;
    }

    /**
     * Resolves a refresh token by id, preferring the copy already attached to the request.
     * <p>
     * On a CTS hit the token's stored realm is checked against the request realm via
     * {@link #validateTokenRealm} before the token is cached on the request and returned.
     *
     * @param oAuth2Request the current request; supplies the cached token and the realm parameter
     * @param str the refresh token id to look up
     * @return the request-cached token if present, otherwise the token loaded from the CTS
     * @throws InvalidGrantException when no token with this id is stored, or the realm check fails
     * @throws ServerException when the CTS read fails
     * @throws NotFoundException propagated from the realm check
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public RefreshToken readRefreshToken(OAuth2Request oAuth2Request, String str) throws ServerException, InvalidGrantException, NotFoundException {
        final RefreshToken cached = (RefreshToken) oAuth2Request.getToken(RefreshToken.class);
        if (cached != null) {
            return cached;
        }
        this.logger.message("Read refresh token");
        final JsonValue stored;
        try {
            stored = this.tokenStore.read(str);
        } catch (CoreTokenException readFailure) {
            this.logger.error("Unable to read refresh token corresponding to id: " + str, readFailure);
            throw new ServerException("Could not read token in CTS: " + readFailure.getMessage());
        }
        if (stored == null) {
            this.logger.error("Unable to read refresh token corresponding to id: " + str);
            throw new InvalidGrantException("grant is invalid");
        }
        final StatefulRefreshToken loaded = new StatefulRefreshToken(stored);
        // Realm binding: a token issued in one realm must not be usable against another.
        validateTokenRealm(loaded.getRealm(), oAuth2Request);
        oAuth2Request.setToken(RefreshToken.class, loaded);
        return loaded;
    }

    /**
     * Rejects a grant whose stored realm does not match the realm the request is made against.
     * <p>
     * The request's {@code realm} parameter is normalised once; the token realm is compared to it
     * verbatim first and, only if that fails, after normalising the token realm as well.
     *
     * @param str the realm recorded on the stored token
     * @param oAuth2Request the current request, whose {@code realm} parameter is the target realm
     * @throws InvalidGrantException when neither comparison matches
     * @throws NotFoundException when the normaliser reports an unknown realm; only the message of
     *         the resource-layer exception is carried over
     */
    protected void validateTokenRealm(String str, OAuth2Request oAuth2Request) throws InvalidGrantException, NotFoundException {
        try {
            final String requestedRealm = this.realmNormaliser.normalise((String) oAuth2Request.getParameter("realm"));
            final boolean sameVerbatim = str.equals(requestedRealm);
            if (!sameVerbatim && !this.realmNormaliser.normalise(str).equals(requestedRealm)) {
                throw new InvalidGrantException("Grant is not valid for the requested realm");
            }
        } catch (org.forgerock.json.resource.NotFoundException unknownRealm) {
            throw new NotFoundException(unknownRealm.getMessage());
        }
    }

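    /**
     * Creates and stores a new device code together with a unique human-facing user code.
     * <p>
     * The user code is drawn from {@code recoveryCodeGenerator} and must not collide with an
     * existing one: each candidate is looked up via {@link #readDeviceCode(String, OAuth2Request)},
     * and only a candidate that lookup rejects as unknown ({@link InvalidGrantException}) is
     * accepted. A lookup that succeeds means the code is already in use; a lookup that fails with
     * a {@link ServerException} is treated as a collision to be safe. Up to {@code NUM_RETRIES}
     * candidates are tried.
     * <p>
     * Fix over the previous version: the retry loop never stopped on success (there was no
     * {@code break}), so the loop always ran to {@code NUM_RETRIES} and the post-loop check
     * {@code i == NUM_RETRIES} unconditionally threw. Success is now tracked by whether a user
     * code was accepted.
     *
     * @param set the scopes granted to the device code
     * @param resourceOwner the owner, or {@code null}; only its id is stored
     * @param str client id (the remaining {@code strN} parameters are forwarded positionally to
     *        the {@link DeviceCode} constructor in the order received)
     * @param num an integer forwarded to the {@link DeviceCode} constructor
     * @param oAuth2Request the current request; supplies provider settings and the realm
     *        parameter, and receives the created token
     * @return the stored device code, also cached on the request
     * @throws ServerException when no unique user code could be generated or the CTS create fails
     * @throws NotFoundException when the realm normaliser rejects the request realm, or propagated
     *         from the uniqueness lookup
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public DeviceCode createDeviceCode(Set<String> set, ResourceOwner resourceOwner, String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8, Integer num, String str9, OAuth2Request oAuth2Request, String str10, String str11) throws ServerException, NotFoundException {
        this.logger.message("DefaultOAuthTokenStoreImpl::Creating Authorization code");
        final OAuth2ProviderSettings oAuth2ProviderSettings = this.providerSettingsFactory.get(oAuth2Request);
        // Device code: the opaque id under which the token is stored. The generated id is passed
        // as the DeviceCode constructor's final argument — presumably a tracking identifier; confirm
        // against DeviceCode.
        final String deviceCodeId = UUID.randomUUID().toString();
        final String generatedId = IdGenerator.DEFAULT.generate();

        String userCode = null;
        for (int attempt = 0; attempt < NUM_RETRIES && userCode == null; attempt++) {
            final String candidate = this.recoveryCodeGenerator.generateCode(Alphabet.BASE58, CODE_LENGTH);
            try {
                readDeviceCode(candidate, oAuth2Request);
                // Normal return: a device code with this user code already exists, try another.
                // NOTE(review): a successful lookup caches the colliding token on the request (see
                // readDeviceCode), so later attempts would see that cached token as a collision too.
            } catch (InvalidGrantException notInUse) {
                // Nothing matches the candidate, so it is unique and can be used.
                userCode = candidate;
            } catch (ServerException lookupFailure) {
                this.logger.message("Could not query CTS, assume duplicate to be safe", lookupFailure);
            }
        }
        if (userCode == null) {
            throw new ServerException("Could not generate a unique user code");
        }

        try {
            // 1000L keeps the lifetime arithmetic in long; an int multiply could overflow for
            // large configured lifetimes.
            final long expiryTime = Time.currentTimeMillis() + (1000L * oAuth2ProviderSettings.getDeviceCodeLifetime());
            final String realm = this.realmNormaliser.normalise((String) oAuth2Request.getParameter("realm"));
            final String resourceOwnerId = resourceOwner == null ? null : resourceOwner.getId();
            final DeviceCode deviceCode = new DeviceCode(deviceCodeId, userCode, resourceOwnerId, str, str2, str3, str4, str5, str6, str7, str8, num, str9, expiryTime, set, realm, str10, str11, generatedId);
            try {
                this.tokenStore.create(deviceCode);
                if (this.auditLogger.isAuditLogEnabled()) {
                    this.auditLogger.logAccessMessage("CREATED_DEVICE_CODE", new String[]{"CREATED_DEVICE_CODE", deviceCode.toString()}, null);
                }
                oAuth2Request.setToken(DeviceCode.class, deviceCode);
                return deviceCode;
            } catch (CoreTokenException createFailure) {
                if (this.auditLogger.isAuditLogEnabled()) {
                    this.auditLogger.logErrorMessage("FAILED_CREATE_DEVICE_CODE", new String[]{"FAILED_CREATE_DEVICE_CODE", deviceCode.toString()}, null);
                }
                this.logger.error("Unable to create device code " + deviceCode, createFailure);
                throw new ServerException("Could not create token in CTS");
            }
        } catch (org.forgerock.json.resource.NotFoundException unknownRealm) {
            throw new NotFoundException(unknownRealm.getMessage());
        }
    }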

    /**
     * Loads a device code by its device-code id and checks it is bound to the calling client and
     * to the request realm.
     * <p>
     * A device code already attached to the request is used instead of reading the CTS; in that
     * case {@code str2} is not compared against the cached token's id — callers are assumed to
     * pass a consistent pair (confirm). When the CTS has no token with this id, {@code null} is
     * returned and the client and realm checks are skipped.
     *
     * @param str the client id the caller is acting as
     * @param str2 the device-code id to load
     * @param oAuth2Request the current request; supplies the cached token and the realm parameter
     * @return the device code, or {@code null} when none is stored under {@code str2}
     * @throws InvalidGrantException when the token was issued to a different client, or the realm
     *         check fails
     * @throws ServerException when the CTS read fails
     * @throws NotFoundException propagated from the realm check
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public DeviceCode readDeviceCode(String str, String str2, OAuth2Request oAuth2Request) throws ServerException, NotFoundException, InvalidGrantException {
        DeviceCode resolved = (DeviceCode) oAuth2Request.getToken(DeviceCode.class);
        if (resolved == null) {
            final JsonValue stored;
            try {
                stored = this.tokenStore.read(str2);
            } catch (CoreTokenException readFailure) {
                this.logger.error("Unable to read device code corresponding to id: " + str2, readFailure);
                throw new ServerException("Could not read token in CTS: " + readFailure.getMessage());
            }
            if (stored == null) {
                return null;
            }
            resolved = new DeviceCode(stored);
        }
        // Client binding: the device code may only be used by the client it was issued to.
        final boolean issuedToCaller = str.equals(resolved.getClientId());
        if (!issuedToCaller) {
            throw new InvalidGrantException();
        }
        // Realm binding: the token must have been issued in the realm the request targets.
        validateTokenRealm(resolved.getRealm(), oAuth2Request);
        oAuth2Request.setToken(DeviceCode.class, resolved);
        return resolved;
    }

    /**
     * Looks a device code up by the value stored in {@code CoreTokenField.STRING_FOURTEEN}; this
     * is the lookup {@link #createDeviceCode} uses to test a candidate user code for uniqueness,
     * so that field is presumably the user code (confirm against the DeviceCode mapping).
     * <p>
     * Unlike the three-argument overload, this path applies no client-id and no realm check; it
     * returns whatever single token matches. Exactly one match is required — zero or several
     * matches are rejected as an invalid grant.
     *
     * @param str the value to match
     * @param oAuth2Request the current request; a device code already attached to it is returned
     *        as-is without querying, and a found token is attached to it
     * @return the cached or the uniquely matching device code
     * @throws InvalidGrantException when the query does not return exactly one token
     * @throws ServerException when the CTS query fails
     * @throws NotFoundException declared for interface compatibility; not thrown by this body
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public DeviceCode readDeviceCode(String str, OAuth2Request oAuth2Request) throws ServerException, NotFoundException, InvalidGrantException {
        final DeviceCode cached = (DeviceCode) oAuth2Request.getToken(DeviceCode.class);
        if (cached != null) {
            return cached;
        }
        try {
            final JsonValue matches = this.tokenStore.query(QueryFilter.equalTo(CoreTokenField.STRING_FOURTEEN, str));
            final boolean exactlyOne = matches.size() == 1;
            if (!exactlyOne) {
                throw new InvalidGrantException();
            }
            final Object onlyMatch = matches.asCollection().iterator().next();
            final DeviceCode found = new DeviceCode(JsonValue.json(onlyMatch));
            oAuth2Request.setToken(DeviceCode.class, found);
            return found;
        } catch (CoreTokenException queryFailure) {
            this.logger.error("Unable to read device code corresponding to id: " + str, queryFailure);
            throw new ServerException("Could not read token in CTS: " + queryFailure.getMessage());
        }
    }

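    /**
     * Persists a modified device code after re-running the client and realm checks of
     * {@link #readDeviceCode(String, String, OAuth2Request)} against the stored copy.
     * <p>
     * The lookup's return value is not used: if it returns {@code null} (no token stored under
     * this id) the update is still attempted. Only an {@link InvalidGrantException} from the
     * lookup stops the update.
     * <p>
     * Change over the previous version: a failing CTS update is now logged with the device-code
     * id and its cause, as the sibling methods do, instead of being dropped before the
     * {@link ServerException} is thrown.
     *
     * @param deviceCode the token to write back; its client id and device code id drive the checks
     * @param oAuth2Request the current request
     * @throws ServerException when the lookup or the CTS update fails
     * @throws InvalidGrantException when the stored token belongs to another client or realm
     * @throws NotFoundException propagated from the realm check
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public void updateDeviceCode(DeviceCode deviceCode, OAuth2Request oAuth2Request) throws ServerException, NotFoundException, InvalidGrantException {
        // Authorisation gate; throws if the stored code is bound to another client or realm.
        readDeviceCode(deviceCode.getClientId(), deviceCode.getDeviceCode(), oAuth2Request);
        try {
            this.tokenStore.update(deviceCode);
        } catch (CoreTokenException updateFailure) {
            this.logger.error("Unable to update device code corresponding to id: " + deviceCode.getDeviceCode(), updateFailure);
            throw new ServerException("Could not update user code state");
        }
    }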

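    /**
     * Deletes a device code after re-running the client and realm checks of
     * {@link #readDeviceCode(String, String, OAuth2Request)} against the stored copy.
     * <p>
     * The lookup's return value is not used: if it returns {@code null} (no token stored under
     * this id) the delete is still attempted. Only an {@link InvalidGrantException} from the
     * lookup stops the delete.
     * <p>
     * Change over the previous version: a failing CTS delete is now logged with the device-code
     * id and its cause, as the sibling methods do, instead of being dropped before the
     * {@link ServerException} is thrown.
     *
     * @param str the client id the caller is acting as
     * @param str2 the device-code id to delete
     * @param oAuth2Request the current request
     * @throws ServerException when the lookup or the CTS delete fails
     * @throws InvalidGrantException when the stored token belongs to another client or realm
     * @throws NotFoundException propagated from the realm check
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public void deleteDeviceCode(String str, String str2, OAuth2Request oAuth2Request) throws ServerException, NotFoundException, InvalidGrantException {
        // Authorisation gate; throws if the stored code is bound to another client or realm.
        readDeviceCode(str, str2, oAuth2Request);
        try {
            this.tokenStore.delete(str2);
        } catch (CoreTokenException deleteFailure) {
            this.logger.error("Unable to delete device code corresponding to id: " + str2, deleteFailure);
            throw new ServerException("Could not delete user code state");
        }
    }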

    /**
     * Runs an arbitrary CTS query and returns the raw result set.
     * <p>
     * No realm or client filtering is added here; the filter is passed to the CTS as given, and
     * the first parameter is ignored by this implementation.
     *
     * @param str ignored
     * @param queryFilter the filter forwarded to the CTS
     * @return the CTS query result as JSON
     * @throws ServerException when the CTS query fails; the filter is logged with the cause
     * @throws NotFoundException declared for interface compatibility; not thrown by this body
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public JsonValue queryForToken(String str, QueryFilter<CoreTokenField> queryFilter) throws ServerException, NotFoundException {
        final JsonValue result;
        try {
            result = this.tokenStore.query(queryFilter);
        } catch (CoreTokenException queryFailure) {
            this.logger.error("Unable to read the token using to query: " + queryFilter, queryFailure);
            throw new ServerException("Could not read token in CTS: " + queryFailure.getMessage());
        }
        return result;
    }

    /**
     * Deletes a token by id; the first parameter is ignored and the call is forwarded to the
     * private single-argument {@code delete}.
     *
     * @param str ignored
     * @param str2 the token id to delete
     * @throws ServerException when the CTS delete fails
     * @throws NotFoundException declared for interface compatibility; not thrown by this body
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public void delete(String str, String str2) throws ServerException, NotFoundException {
        final String tokenId = str2;
        delete(tokenId);
    }

    /**
     * Deletes a token from the CTS by id, converting a CTS failure into a {@link ServerException}.
     *
     * @param str the token id to delete
     * @throws ServerException when the CTS delete fails; the cause is logged with the id and the
     *         CTS message is appended to the exception message
     */
    private void delete(String str) throws ServerException {
        try {
            this.tokenStore.delete(str);
        } catch (CoreTokenException deleteFailure) {
            final String detail = "Unable to delete token corresponding to id : " + str;
            this.logger.error(detail, deleteFailure);
            throw new ServerException("Could not delete token in CTS: " + deleteFailure.getMessage());
        }
    }

    /**
     * Reads a token's raw JSON from the CTS by id.
     * <p>
     * No realm or client check is applied on this path; the stored JSON is returned as-is, or
     * whatever the CTS returns for an unknown id.
     *
     * @param str the token id to read
     * @return the stored JSON as returned by the CTS
     * @throws ServerException when the CTS read fails; the cause is logged with the id and the
     *         CTS message is appended to the exception message
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public JsonValue read(String str) throws ServerException {
        final JsonValue stored;
        try {
            stored = this.tokenStore.read(str);
        } catch (CoreTokenException readFailure) {
            final String detail = "Unable to read token corresponding to id : " + str;
            this.logger.error(detail, readFailure);
            throw new ServerException("Could not read token in CTS: " + readFailure.getMessage());
        }
        return stored;
    }
}
