package org.forgerock.oauth2.core;

import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.inject.Inject;
import org.forgerock.oauth2.core.exceptions.AuthorizationDeclinedException;
import org.forgerock.oauth2.core.exceptions.AuthorizationPendingException;
import org.forgerock.oauth2.core.exceptions.BadRequestException;
import org.forgerock.oauth2.core.exceptions.ExpiredTokenException;
import org.forgerock.oauth2.core.exceptions.InvalidClientException;
import org.forgerock.oauth2.core.exceptions.InvalidCodeException;
import org.forgerock.oauth2.core.exceptions.InvalidGrantException;
import org.forgerock.oauth2.core.exceptions.InvalidRequestException;
import org.forgerock.oauth2.core.exceptions.InvalidScopeException;
import org.forgerock.oauth2.core.exceptions.NotFoundException;
import org.forgerock.oauth2.core.exceptions.RedirectUriMismatchException;
import org.forgerock.oauth2.core.exceptions.ServerException;
import org.forgerock.oauth2.core.exceptions.UnauthorizedClientException;
import org.forgerock.openam.audit.AuditConstants;
import org.forgerock.openam.audit.context.AuditRequestContext;
import org.forgerock.openam.oauth2.OAuth2UrisFactory;
import org.forgerock.openam.oauth2.validation.ConfirmationKeyValidator;
import org.forgerock.util.Reject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/forgerock/oauth2/core/AccessTokenService.class */
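/**
 * Issues access tokens for the OAuth2 token endpoint.
 *
 * <p>{@link #requestAccessToken} dispatches a request to the {@link GrantTypeHandler} registered
 * for its {@code grant_type}; {@link #refreshToken} exchanges a stored refresh token for a new
 * access token.
 *
 * <p>Security note: values taken straight from the request (in particular the presented
 * {@code refresh_token}) are bearer credentials and caller-controlled text, so they must not be
 * written to the log.
 */
public class AccessTokenService {
    private final Logger logger = LoggerFactory.getLogger("OAuth2Provider");
    private final Map<String, ? extends GrantTypeHandler> grantTypeHandlers;
    private final ClientAuthenticator clientAuthenticator;
    private final TokenStore tokenStore;
    private final OAuth2ProviderSettingsFactory providerSettingsFactory;
    private final OAuth2UrisFactory urisFactory;
    private final ConfirmationKeyValidator confirmationKeyValidator;

    /**
     * Creates the service from its injected collaborators.
     *
     * @param map grant type handlers keyed by the {@code grant_type} value they serve
     * @param clientAuthenticator authenticates the client making the token request
     * @param tokenStore reads, creates and deletes tokens
     * @param oAuth2ProviderSettingsFactory resolves the provider settings for a request
     * @param oAuth2UrisFactory resolves the provider URIs (token endpoint) for a request
     * @param confirmationKeyValidator validates the request before a refresh token is exchanged
     */
    @Inject
    public AccessTokenService(Map<String, GrantTypeHandler> map, ClientAuthenticator clientAuthenticator, TokenStore tokenStore, OAuth2ProviderSettingsFactory oAuth2ProviderSettingsFactory, OAuth2UrisFactory oAuth2UrisFactory, ConfirmationKeyValidator confirmationKeyValidator) {
        this.grantTypeHandlers = map;
        this.clientAuthenticator = clientAuthenticator;
        this.tokenStore = tokenStore;
        this.providerSettingsFactory = oAuth2ProviderSettingsFactory;
        this.urisFactory = oAuth2UrisFactory;
        this.confirmationKeyValidator = confirmationKeyValidator;
    }

    /**
     * Handles a token request by delegating to the handler registered for its {@code grant_type}.
     *
     * @param oAuth2Request the token request
     * @return the access token produced by the grant type handler
     * @throws InvalidGrantException if no handler is registered for the requested grant type
     *     (including when the parameter is absent)
     */
    public AccessToken requestAccessToken(OAuth2Request oAuth2Request) throws RedirectUriMismatchException, InvalidClientException, InvalidRequestException, InvalidCodeException, InvalidGrantException, ServerException, UnauthorizedClientException, InvalidScopeException, NotFoundException, AuthorizationPendingException, ExpiredTokenException, AuthorizationDeclinedException, BadRequestException {
        String grantType = (String) oAuth2Request.getParameter("grant_type");
        GrantTypeHandler handler = this.grantTypeHandlers.get(grantType);
        if (handler == null) {
            // NOTE(review): the caller-supplied grant_type is echoed in the exception message;
            // confirm that whatever renders this error encodes it for its output context.
            throw new InvalidGrantException("Unknown Grant Type, " + grantType);
        }
        return handler.handle(oAuth2Request);
    }

    /**
     * Exchanges a refresh token for a new access token.
     *
     * <p>The request is validated and the client authenticated before the token store is read.
     * The stored refresh token must exist, belong to the authenticated client and be unexpired.
     * When the provider settings ask for it, a replacement refresh token is created and the
     * presented one is deleted.
     *
     * @param oAuth2Request the refresh request; must carry a non-empty {@code refresh_token}
     * @return the new access token, with {@code refresh_token} and {@code scope} added as extra
     *     data when a replacement refresh token was issued / the validated scope is non-empty
     * @throws InvalidRequestException if the refresh token is unknown or was issued to another
     *     client
     * @throws InvalidGrantException if the refresh token has expired
     */
    public AccessToken refreshToken(OAuth2Request oAuth2Request) throws InvalidClientException, InvalidRequestException, BadRequestException, ServerException, ExpiredTokenException, InvalidGrantException, InvalidScopeException, NotFoundException {
        Reject.ifTrue(Utils.isEmpty((String) oAuth2Request.getParameter("refresh_token")), "Missing parameter, 'refresh_token'");
        this.confirmationKeyValidator.validateRequest(oAuth2Request);
        OAuth2ProviderSettings providerSettings = this.providerSettingsFactory.get(oAuth2Request);
        ClientRegistration client = this.clientAuthenticator.authenticate(oAuth2Request, this.urisFactory.get(oAuth2Request).getTokenEndpoint());
        String presentedToken = (String) oAuth2Request.getParameter("refresh_token");
        RefreshToken storedToken = this.tokenStore.readRefreshToken(oAuth2Request, presentedToken);
        if (storedToken == null) {
            // The presented value is request-controlled and may be (or be close to) a live bearer
            // credential; logging it would leak it to log readers and let a caller inject
            // arbitrary text, including line breaks, into the log. Log the authenticated client.
            this.logger.error("Refresh token does not exist; presented by client id: {}", client.getClientId());
            throw new InvalidRequestException("RefreshToken does not exist");
        }
        AuditRequestContext.putProperty(AuditConstants.TrackingIdKey.OAUTH2_GRANT.toString(), storedToken.getAuditTrackingId());
        // NOTE(review): the ownership check is case-insensitive, so client ids that differ only by
        // case are treated as the same client. Confirm client registration enforces the same rule.
        if (!storedToken.getClientId().equalsIgnoreCase(client.getClientId())) {
            this.logger.error("Refresh Token was issued to a different client id: {}", client.getClientId());
            throw new InvalidRequestException("Token was issued to a different client");
        }
        if (storedToken.isExpired()) {
            // NOTE(review): this logs the stored token's id; if the id is the token value itself,
            // consider logging a non-secret reference instead.
            this.logger.warn("Refresh Token is expired for id: {}", storedToken.getTokenId());
            throw new InvalidGrantException("grant is invalid");
        }
        Set<String> requestedScope = Utils.splitScope((String) oAuth2Request.getParameter("scope"));
        String grantType = (String) oAuth2Request.getParameter("grant_type");
        // Copy the scope stored on the refresh token so validation sees a read-only snapshot.
        Set<String> tokenScope = storedToken.getScope() != null ? new TreeSet<String>(storedToken.getScope()) : new TreeSet<String>();
        Set<String> validatedScope = providerSettings.validateRefreshTokenScope(client, Collections.unmodifiableSet(requestedScope), Collections.unmodifiableSet(tokenScope), oAuth2Request);
        String validatedClaims = providerSettings.validateRequestedClaims(storedToken.getClaims());
        RefreshToken replacementToken = null;
        if (providerSettings.issueRefreshTokensOnRefreshingToken()) {
            // Rotation: the replacement is created first, then the presented token is deleted.
            replacementToken = this.tokenStore.createRefreshToken(grantType, client.getClientId(), storedToken.getResourceOwnerId(), storedToken.getRedirectUri(), storedToken.getScope(), oAuth2Request, validatedClaims, storedToken.getAuthGrantId(), storedToken.getAuthTimeSeconds());
            this.tokenStore.deleteRefreshToken(oAuth2Request, storedToken.toString());
        }
        // The access token is tied to whichever refresh token remains valid after rotation.
        AccessToken accessToken = this.tokenStore.createAccessToken(grantType, "Bearer", null, storedToken.getResourceOwnerId(), client.getClientId(), storedToken.getRedirectUri(), validatedScope, replacementToken == null ? storedToken : replacementToken, null, validatedClaims, oAuth2Request, storedToken.getAuthTimeSeconds());
        if (replacementToken != null) {
            accessToken.addExtraData("refresh_token", replacementToken.toString());
        }
        providerSettings.additionalDataToReturnFromTokenEndpoint(accessToken, oAuth2Request);
        if (validatedScope != null && !validatedScope.isEmpty()) {
            accessToken.addExtraData("scope", Utils.joinScope(validatedScope));
        }
        return accessToken;
    }
}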
