package com.appiancorp.oauth.inbound.authserver.tokens;

import com.appiancorp.oauth.inbound.authserver.AuthzServerUtils;
import com.appiancorp.oauth.inbound.authserver.DefaultGrantedAuthorization;
import com.appiancorp.oauth.inbound.authserver.GrantedAuthorization;
import com.appiancorp.oauth.inbound.authserver.exceptions.OAuthInvalidGrantException;
import com.appiancorp.oauth.inbound.exceptions.OAuthException;
import com.appiancorp.oauth.inbound.monitor.OAuthAuthCodeAuditEvent;
import com.appiancorp.oauth.inbound.monitor.OAuthAuthCodeAuditLogger;
import com.appiancorp.oauth.inbound.monitor.TokenExchangeInteraction;
import com.google.common.annotations.VisibleForTesting;
import java.net.URI;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import javax.transaction.Transactional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/appiancorp/oauth/inbound/authserver/tokens/TokenFamilyManagerDbImpl.class */
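/**
 * Database-backed {@link TokenFamilyManager}: issues authorization codes and exchanges an
 * authorization code or a refresh token for a new {@link TokenSet}, persisting token-family
 * state through {@link TokenFamilyEntityService}.
 *
 * <p>Every rejected exchange is recorded through {@link OAuthAuthCodeAuditLogger} with
 * {@link OAuthAuthCodeAuditEvent#TOKEN_GENERATION_FAILED}. When the rejection indicates replay
 * (reused auth code, refresh token id that no longer matches the family) or a failed
 * authorization check, the whole token family is deleted so the family's refresh token cannot
 * be used again.
 *
 * <p>Auth codes never appear in clear text in log messages; only the hash from
 * {@link AuthzServerUtils#getAuthCodeHash(String)} is logged. Token ids are logged, token
 * string values are not.
 *
 * @param <U> token type produced by the access-token factory
 * @param <V> token type produced by the refresh-token factory
 */
public class TokenFamilyManagerDbImpl<U, V> implements TokenFamilyManager<V> {
    private static final Logger LOG = LoggerFactory.getLogger(TokenFamilyManagerDbImpl.class);

    /**
     * Grace period (in millis) added to an auth code's expiration timestamp before the code is
     * treated as expired.
     */
    private static final long AUTH_CODE_EXPIRATION_GRACE_MS = TimeUnit.SECONDS.toMillis(60L);

    private final TokenFactory<U> accessTokenFactory;
    private final TokenFactory<V> refreshTokenFactory;
    private final TokenFamilyEntityService tokenFamilyEntityService;
    private final OAuthAuthCodeAuditLogger oAuthAuthCodeAuditLogger;

    // Random UUIDs (java.util.UUID#randomUUID uses a cryptographically strong PRNG) for new
    // auth codes and token family ids. Replaceable for tests via the setters below.
    private Supplier<String> authCodeSupplier = () -> UUID.randomUUID().toString();
    private Supplier<String> tokenFamilyIdSupplier = () -> UUID.randomUUID().toString();

    /**
     * Creates a manager.
     *
     * @param tokenFactory factory that generates access tokens
     * @param tokenFactory2 factory that parses and generates refresh tokens
     * @param tokenFamilyEntityService persistence for token families
     * @param oAuthAuthCodeAuditLogger audit sink for every exchange outcome
     */
    public TokenFamilyManagerDbImpl(TokenFactory<U> tokenFactory, TokenFactory<V> tokenFactory2, TokenFamilyEntityService tokenFamilyEntityService, OAuthAuthCodeAuditLogger oAuthAuthCodeAuditLogger) {
        this.accessTokenFactory = tokenFactory;
        this.refreshTokenFactory = tokenFactory2;
        this.tokenFamilyEntityService = tokenFamilyEntityService;
        this.oAuthAuthCodeAuditLogger = oAuthAuthCodeAuditLogger;
    }

    /**
     * Exchanges a refresh token for a new token set, rotating the family's refresh token.
     *
     * <p>Rejections: unknown token family (likely expired), refresh token id that does not match
     * the id currently stored for the family (the token was already rotated away, so the family
     * is deleted), or a failed {@link TokenCheck}. All three are audited and surface as
     * {@link OAuthInvalidGrantException}.
     *
     * @param str the refresh token as presented by the client
     * @param tokenCheck additional authorization check run against the parsed token and the
     *        family's granted authorization
     * @return a new access/refresh token pair
     * @throws OAuthException if the refresh token is rejected
     * @throws IllegalStateException if a token factory fails to produce a token
     */
    @Transactional(dontRollbackOn = {IllegalStateException.class, OAuthException.class})
    public TokenSet generateNewTokenSetUsingRefreshToken(String str, TokenCheck<V> tokenCheck) throws OAuthException {
        Token refreshToken = this.refreshTokenFactory.parse(str);
        String tokenFamilyId = refreshToken.getTokenFamilyId();
        String presentedRefreshTokenId = refreshToken.getId();
        Optional<TokenFamily> familyLookup = this.tokenFamilyEntityService.getTokenFamilyById(tokenFamilyId);
        if (!familyLookup.isPresent()) {
            audit(null, OAuthAuthCodeAuditEvent.TOKEN_GENERATION_FAILED, TokenExchangeInteraction.REFRESH_TOKEN_FOR_TOKENS);
            LOG.error("Refresh token may have expired. No token family of id {} found for refresh token id {}.", tokenFamilyId, presentedRefreshTokenId);
            throw new OAuthInvalidGrantException("Refresh token may have expired.");
        }
        TokenFamily tokenFamily = familyLookup.get();
        String storedRefreshTokenId = tokenFamily.getRefreshTokenId();
        // A family accepts only its most recently issued refresh token id. A family that has not
        // been issued a refresh token yet (null stored id) is treated as a mismatch rather than
        // failing with a NullPointerException. NOTE(review): confirm getRefreshTokenId() can be
        // null for a family whose auth code has not been exchanged.
        if (storedRefreshTokenId == null || !storedRefreshTokenId.equals(presentedRefreshTokenId)) {
            audit(tokenFamily, OAuthAuthCodeAuditEvent.TOKEN_GENERATION_FAILED, TokenExchangeInteraction.REFRESH_TOKEN_FOR_TOKENS);
            // Reuse of a rotated-away refresh token is treated as compromise: revoke the family.
            this.tokenFamilyEntityService.delete(tokenFamilyId);
            LOG.error("Refresh token was used earlier. Given refresh token id {} doesn't match existing refresh token id {} for token family id {}.", new Object[]{presentedRefreshTokenId, storedRefreshTokenId, tokenFamilyId});
            throw new OAuthInvalidGrantException("Invalid refresh token.");
        }
        GrantedAuthorization grantedAuthorization = getGrantedAuthorizationFromTokenFamily(tokenFamily);
        if (!tokenCheck.isAuthorized(refreshToken, grantedAuthorization)) {
            audit(tokenFamily, OAuthAuthCodeAuditEvent.TOKEN_GENERATION_FAILED, TokenExchangeInteraction.REFRESH_TOKEN_FOR_TOKENS);
            this.tokenFamilyEntityService.delete(tokenFamilyId);
            LOG.debug("Refresh token authorization checks failed.");
            throw new OAuthInvalidGrantException("Refresh token authorization failed.");
        }
        return generateNewTokenSetFromGrantedAuth(grantedAuthorization, tokenFamily, TokenExchangeInteraction.REFRESH_TOKEN_FOR_TOKENS);
    }

    /**
     * Exchanges an authorization code for a token set.
     *
     * <p>Rejections: unknown code, code already used (replay; the family is deleted), code past
     * its expiration timestamp plus {@link #AUTH_CODE_EXPIRATION_GRACE_MS} (the family is
     * deleted), or a failed {@link AuthCodeCheck} (the family is deleted). Every rejection is
     * audited and surfaces as {@link OAuthInvalidGrantException}.
     *
     * @param str the authorization code as presented by the client
     * @param authCodeCheck additional authorization check run against the family's granted
     *        authorization (e.g. PKCE / redirect URI, depending on the implementation)
     * @return a new access/refresh token pair
     * @throws OAuthException if the auth code is rejected
     * @throws IllegalStateException if a token factory fails to produce a token
     */
    @Transactional(dontRollbackOn = {IllegalStateException.class, OAuthException.class})
    public TokenSet generateNewTokenSetUsingAuthCode(String str, AuthCodeCheck authCodeCheck) throws OAuthException {
        // Only the hash is ever logged; the raw code is passed to the store for lookup.
        String authCodeHash = AuthzServerUtils.getAuthCodeHash(str);
        Optional<TokenFamily> familyLookup = this.tokenFamilyEntityService.getTokenFamilyByAuthCode(str);
        if (!familyLookup.isPresent()) {
            audit(null, OAuthAuthCodeAuditEvent.TOKEN_GENERATION_FAILED, TokenExchangeInteraction.AUTH_CODE_FOR_TOKENS);
            LOG.error("Auth code {} (hashed) was not found in repository.", authCodeHash);
            throw new OAuthInvalidGrantException("Invalid auth code.");
        }
        TokenFamily tokenFamily = familyLookup.get();
        String tokenFamilyId = tokenFamily.getId();
        // isAuthCodeUsed() is compared as a boxed value, so a null flag counts as "not used".
        if (Boolean.TRUE.equals(tokenFamily.isAuthCodeUsed())) {
            audit(tokenFamily, OAuthAuthCodeAuditEvent.TOKEN_GENERATION_FAILED, TokenExchangeInteraction.AUTH_CODE_FOR_TOKENS);
            // A second use of the same code is treated as compromise: revoke the whole family.
            this.tokenFamilyEntityService.delete(tokenFamilyId);
            LOG.error("Auth code {} (hashed) was used earlier.", authCodeHash);
            throw new OAuthInvalidGrantException("Revoked auth code.");
        }
        // Expiration timestamp is compared against System.currentTimeMillis(), i.e. epoch millis.
        long expiresAtMs = tokenFamily.getAuthCodeExpirationTs().longValue() + AUTH_CODE_EXPIRATION_GRACE_MS;
        if (expiresAtMs <= System.currentTimeMillis()) {
            // Audited like every other rejection path so expired-code exchanges are visible in
            // the audit trail, not only in the application log.
            audit(tokenFamily, OAuthAuthCodeAuditEvent.TOKEN_GENERATION_FAILED, TokenExchangeInteraction.AUTH_CODE_FOR_TOKENS);
            this.tokenFamilyEntityService.delete(tokenFamilyId);
            LOG.error("Auth code {} (hashed) has expired.", authCodeHash);
            throw new OAuthInvalidGrantException("Expired auth code.");
        }
        GrantedAuthorization grantedAuthorization = getGrantedAuthorizationFromTokenFamily(tokenFamily);
        if (!authCodeCheck.isAuthorized(grantedAuthorization)) {
            audit(tokenFamily, OAuthAuthCodeAuditEvent.TOKEN_GENERATION_FAILED, TokenExchangeInteraction.AUTH_CODE_FOR_TOKENS);
            this.tokenFamilyEntityService.delete(tokenFamilyId);
            LOG.debug("Auth code authorization checks failed.");
            throw new OAuthInvalidGrantException("Auth code authorization failed.");
        }
        return generateNewTokenSetFromGrantedAuth(grantedAuthorization, tokenFamily, TokenExchangeInteraction.AUTH_CODE_FOR_TOKENS);
    }

    /**
     * Issues a fresh authorization code and persists a new token family for the grant.
     *
     * @param grantedAuthorization the authorization the code will later be exchanged for
     * @return the new authorization code
     * @throws OAuthException propagated from the entity service
     * @throws IllegalStateException if a token family already exists for the generated code;
     *         that stale family is deleted first, and the exception is listed in
     *         {@code dontRollbackOn} so the delete is not rolled back
     */
    @Transactional(dontRollbackOn = {IllegalStateException.class})
    public String createAuthCode(GrantedAuthorization grantedAuthorization) throws OAuthException {
        String authCode = this.authCodeSupplier.get();
        String tokenFamilyId = this.tokenFamilyIdSupplier.get();
        // NOTE(review): lookup-then-create is not atomic; uniqueness of the auth code in the
        // store should be enforced by the store itself as well — confirm with TokenFamilyEntityService.
        Optional<TokenFamily> existingFamily = this.tokenFamilyEntityService.getTokenFamilyByAuthCode(authCode);
        if (existingFamily.isPresent()) {
            // A freshly generated code must never collide; treat a hit as a corrupt/stale entry.
            String existingFamilyId = existingFamily.get().getId();
            this.tokenFamilyEntityService.delete(existingFamilyId);
            String authCodeHash = AuthzServerUtils.getAuthCodeHash(authCode);
            LOG.error("Found a previous entry for auth code {} (hashed). Token family of id {} will be deleted from storage.", authCodeHash, existingFamilyId);
            throw new IllegalStateException("Found a previous entry for auth code hash: " + authCodeHash);
        }
        this.tokenFamilyEntityService.createTokenFamilyFromGrantedAuthorization(grantedAuthorization, authCode, tokenFamilyId);
        return authCode;
    }

    /**
     * Generates the access and refresh tokens for a family and records the new refresh token id
     * on the family, which invalidates any previously issued refresh token for it.
     *
     * @param grantedAuthorization authorization the tokens are minted for
     * @param tokenFamily the family receiving the new tokens
     * @param interaction which exchange (auth code or refresh token) is being audited
     * @return the new token set, with the access-token expiration populated
     * @throws OAuthException propagated from the factories or the entity service
     * @throws IllegalStateException if either factory returns no token or the new refresh token
     *         id already belongs to another family; the family is deleted in all three cases
     */
    private TokenSet generateNewTokenSetFromGrantedAuth(GrantedAuthorization grantedAuthorization, TokenFamily tokenFamily, TokenExchangeInteraction interaction) throws OAuthException {
        String tokenFamilyId = tokenFamily.getId();
        // Raw Optional: the factories' generic return type is not recoverable from this class alone,
        // so the contents are cast to Token explicitly below.
        Optional accessTokenResult = this.accessTokenFactory.generateToken(tokenFamilyId, grantedAuthorization);
        Optional refreshTokenResult = this.refreshTokenFactory.generateToken(tokenFamilyId, grantedAuthorization);
        if (!accessTokenResult.isPresent()) {
            audit(tokenFamily, OAuthAuthCodeAuditEvent.ACCESS_TOKEN_GENERATION_FAILED, interaction);
            this.tokenFamilyEntityService.delete(tokenFamilyId);
            throw new IllegalStateException("Did not get a new access token from factory for token family id: " + tokenFamilyId);
        }
        if (!refreshTokenResult.isPresent()) {
            audit(tokenFamily, OAuthAuthCodeAuditEvent.REFRESH_TOKEN_GENERATION_FAILED, interaction);
            this.tokenFamilyEntityService.delete(tokenFamilyId);
            throw new IllegalStateException("Did not get a new refresh token from factory for token family id: " + tokenFamilyId);
        }
        Token accessToken = (Token) accessTokenResult.get();
        Token refreshToken = (Token) refreshTokenResult.get();
        String refreshTokenId = refreshToken.getId();
        // Refresh token ids must be globally unique: a duplicate would let one family's token
        // resolve to another family.
        if (this.tokenFamilyEntityService.getTokenFamilyByRefreshTokenId(refreshTokenId).isPresent()) {
            this.tokenFamilyEntityService.delete(tokenFamilyId);
            audit(tokenFamily, OAuthAuthCodeAuditEvent.REFRESH_TOKEN_GENERATION_FAILED, interaction);
            throw new IllegalStateException("A refresh token already exists with id: " + refreshTokenId);
        }
        // Rotation point: from here on only this refresh token id is accepted for the family.
        this.tokenFamilyEntityService.updateWithRefreshTokenId(tokenFamily, refreshTokenId);
        TokenSet tokenSet = new TokenSet(accessToken.getStringValue(), refreshToken.getStringValue());
        tokenSet.setAccessTokenExpirationTime(accessToken.getExpiration());
        audit(tokenFamily, OAuthAuthCodeAuditEvent.TOKEN_GENERATION_SUCCESSFUL, interaction);
        return tokenSet;
    }

    /**
     * Writes one audit record for an exchange outcome.
     *
     * @param tokenFamily the family involved, or {@code null} when no family was found (the
     *        user uuid and redirect URI are then recorded as {@code null})
     * @param event the outcome being recorded
     * @param interaction which exchange produced the outcome
     */
    private void audit(TokenFamily tokenFamily, OAuthAuthCodeAuditEvent event, TokenExchangeInteraction interaction) {
        if (tokenFamily == null) {
            this.oAuthAuthCodeAuditLogger.log((String) null, event, (String) null, interaction);
        } else {
            this.oAuthAuthCodeAuditLogger.log(tokenFamily.getUserUuid(), event, tokenFamily.getRedirectUri(), interaction);
        }
    }

    /**
     * Rebuilds the granted authorization (user, session, PKCE code challenge, redirect URI)
     * from the persisted token family.
     *
     * @param tokenFamily the persisted family
     * @return a session-backed granted authorization
     */
    @VisibleForTesting
    protected GrantedAuthorization getGrantedAuthorizationFromTokenFamily(TokenFamily tokenFamily) {
        URI redirectUri = URI.create(tokenFamily.getRedirectUri());
        return DefaultGrantedAuthorization
                .newSessionBackedGrantAuthorization(tokenFamily.getUserUuid(), tokenFamily.getSessionId())
                .withCodeChallenge(tokenFamily.getCodeChallenge())
                .withRedirectUri(redirectUri)
                .build();
    }

    /**
     * Overrides the auth-code generator; intended for tests only. Any replacement must produce
     * unpredictable values, since the auth code is the bearer secret of the exchange.
     *
     * @param supplier source of new auth codes
     */
    @VisibleForTesting
    protected void setAuthCodeSupplier(Supplier<String> supplier) {
        this.authCodeSupplier = supplier;
    }

    /**
     * Overrides the token-family-id generator; intended for tests only.
     *
     * @param supplier source of new token family ids
     */
    @VisibleForTesting
    protected void setTokenFamilyIdSupplier(Supplier<String> supplier) {
        this.tokenFamilyIdSupplier = supplier;
    }
}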
