package com.appiancorp.oauth.inbound.authserver.tokens;

import com.appiancorp.core.expr.portable.string.Strings;
import com.appiancorp.oauth.inbound.AppianSessionRegistryAdapter;
import com.appiancorp.oauth.inbound.OAuthUserService;
import com.appiancorp.oauth.inbound.SuiteConfigurationAdapter;
import com.appiancorp.oauth.inbound.authserver.GrantedAuthorization;
import com.appiancorp.oauth.inbound.authserver.clients.UserCheck;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import java.util.Optional;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.session.SessionInformation;

/* loaded from: input_file:com/appiancorp/oauth/inbound/authserver/tokens/RefreshTokenCheckImpl.class */
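/**
 * Decides whether a presented refresh token may still be used for the grant it belongs to.
 *
 * <p>Three checks run in order, and all must pass: the user behind the grant resolves to a
 * username that {@link UserCheck} accepts, the session recorded on the grant is still known to
 * the session registry and not expired, and the token's claims match this site and that user.
 * Every failure path returns {@code false}, so the check fails closed.
 *
 * <p>NOTE(review): nothing in this class verifies the token signature; presumably that happens
 * before the claims reach this check. Confirm against the caller.
 */
public class RefreshTokenCheckImpl implements TokenCheck<JWTClaimsSet> {
    private static final Logger LOG = LoggerFactory.getLogger(RefreshTokenCheckImpl.class);
    private final AppianSessionRegistryAdapter appianSessionRegistry;
    private final UserCheck userCheck;
    private final SuiteConfigurationAdapter suiteConfiguration;
    private final OAuthUserService userService;

    /**
     * Creates the check from its collaborators; none of them is validated here.
     *
     * @param appianSessionRegistryAdapter lookup for the session a grant was issued under
     * @param userCheck decides whether a resolved username is authorized
     * @param suiteConfigurationAdapter source of the base URI used as expected issuer and audience
     * @param oAuthUserService resolves a user UUID to a username
     */
    public RefreshTokenCheckImpl(AppianSessionRegistryAdapter appianSessionRegistryAdapter, UserCheck userCheck, SuiteConfigurationAdapter suiteConfigurationAdapter, OAuthUserService oAuthUserService) {
        this.appianSessionRegistry = appianSessionRegistryAdapter;
        this.userCheck = userCheck;
        this.suiteConfiguration = suiteConfigurationAdapter;
        this.userService = oAuthUserService;
    }

    /**
     * Returns whether the refresh token is acceptable for the given grant.
     *
     * @param token refresh token whose claims are compared with the grant's user and this site
     * @param grantedAuthorization stored grant supplying the user UUID and the session id
     * @return {@code true} only if the user, session and claim checks all pass
     */
    public boolean isAuthorized(Token<JWTClaimsSet> token, GrantedAuthorization grantedAuthorization) {
        String userUuid = grantedAuthorization.getUserUuid();
        if (Strings.isNullOrEmpty(userUuid)) {
            LOG.warn("Invalid user UUID. User UUID cannot be null or empty.");
            return false;
        }
        // The order is kept: the user and session lookups run before the token claims are
        // examined, and && stops at the first failure.
        return isUserAuthorized(userUuid)
                && isUserSessionValid(grantedAuthorization)
                && verifyRefreshToken(token, userUuid);
    }

    /**
     * Checks that the session the grant was issued under is still registered and not expired.
     *
     * <p>This ties the refresh token's usability to that session: once the registry no longer
     * returns the session, or reports it expired, the refresh is refused.
     */
    private boolean isUserSessionValid(GrantedAuthorization grantedAuthorization) {
        Optional<?> sessionId = grantedAuthorization.getSessionId();
        if (!sessionId.isPresent()) {
            LOG.error("Unexpected, No session id was set for associated user uuid {} .", grantedAuthorization.getUserUuid());
            return false;
        }
        SessionInformation session = this.appianSessionRegistry.getSessionInformation((String) sessionId.get());
        if (session == null || session.isExpired()) {
            LOG.warn("Session not found or expired. User will need to reauthorize.");
            return false;
        }
        return true;
    }

    /**
     * Resolves the user UUID to a username and asks {@link UserCheck} whether it is authorized.
     *
     * <p>A lookup that hands back the UUID itself is treated as "user not found". A
     * {@code null} username is treated the same way, so that an unresolved user is refused here
     * instead of being passed on to {@code userCheck}; whether the service can return
     * {@code null} is not visible from this class.
     */
    private boolean isUserAuthorized(String userUuid) {
        String username = this.userService.getUsernameFromUuidAsAdmin(userUuid);
        if (username == null || userUuid.equals(username)) {
            LOG.error("Username for user UUID {} not found.", userUuid);
            return false;
        }
        if (this.userCheck.isUserAuthorized(username)) {
            return true;
        }
        // NOTE(review): this denial is only logged at DEBUG, so it will not appear in logs
        // collected at INFO or above. Confirm that refused refreshes are recorded elsewhere.
        LOG.debug("User with user UUID {} is not authorized.", userUuid);
        return false;
    }

    /**
     * Verifies that the token's audience and issuer are this site's base URI and that its
     * subject is the grant's user UUID.
     *
     * <p>No additional required claims are passed to the verifier. Nimbus'
     * {@code DefaultJWTClaimsVerifier} validates {@code exp} and {@code nbf} when they are
     * present, so a token that carries no {@code exp} is not rejected by this method.
     * NOTE(review): confirm that refresh tokens are always issued with an expiry, or that
     * expiry is enforced elsewhere.
     */
    private boolean verifyRefreshToken(Token<JWTClaimsSet> token, String userUuid) {
        JWTClaimsSet claims = (JWTClaimsSet) token.get();
        String baseUri = this.suiteConfiguration.getBaseUri();
        JWTClaimsSet expected = new JWTClaimsSet.Builder()
                .audience(baseUri)
                .issuer(baseUri)
                .subject(userUuid)
                .build();
        try {
            new DefaultJWTClaimsVerifier<SecurityContext>(expected, (Set<String>) null).verify(claims, null);
            return true;
        } catch (BadJWTException e) {
            // The logged id is read from the presented token, not from the stored grant.
            LOG.error("Claims in refresh token '{}' were missing or incorrect.", claims.getJWTID(), e);
            return false;
        }
    }
}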
