package org.forgerock.openam.oauth2;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdType;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.shared.debug.Debug;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.inject.Inject;
import javax.inject.Named;
import org.forgerock.json.JsonValue;
import org.forgerock.json.jose.builders.JwtBuilderFactory;
import org.forgerock.json.jose.builders.JwtClaimsSetBuilder;
import org.forgerock.json.jose.common.JwtReconstruction;
import org.forgerock.json.jose.exceptions.InvalidJwtException;
import org.forgerock.json.jose.jwe.CompressionAlgorithm;
import org.forgerock.json.jose.jws.JwsAlgorithm;
import org.forgerock.json.jose.jws.JwsAlgorithmType;
import org.forgerock.json.jose.jws.SignedJwt;
import org.forgerock.json.jose.jws.SigningManager;
import org.forgerock.json.jose.jws.handlers.SigningHandler;
import org.forgerock.oauth2.core.AccessToken;
import org.forgerock.oauth2.core.AuthorizationCode;
import org.forgerock.oauth2.core.DeviceCode;
import org.forgerock.oauth2.core.OAuth2ProviderSettings;
import org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory;
import org.forgerock.oauth2.core.OAuth2Request;
import org.forgerock.oauth2.core.RefreshToken;
import org.forgerock.oauth2.core.ResourceOwner;
import org.forgerock.oauth2.core.Token;
import org.forgerock.oauth2.core.TokenStore;
import org.forgerock.oauth2.core.exceptions.InvalidClientException;
import org.forgerock.oauth2.core.exceptions.InvalidGrantException;
import org.forgerock.oauth2.core.exceptions.InvalidRequestException;
import org.forgerock.oauth2.core.exceptions.NotFoundException;
import org.forgerock.oauth2.core.exceptions.ServerException;
import org.forgerock.openam.blacklist.Blacklist;
import org.forgerock.openam.blacklist.BlacklistException;
import org.forgerock.openam.blacklist.Blacklistable;
import org.forgerock.openam.cts.CTSPersistentStore;
import org.forgerock.openam.cts.adapters.TokenAdapter;
import org.forgerock.openam.cts.api.filter.TokenFilterBuilder;
import org.forgerock.openam.cts.exceptions.CoreTokenException;
import org.forgerock.openam.oauth2.rest.TokenResource;
import org.forgerock.openam.tokens.CoreTokenField;
import org.forgerock.openam.utils.RealmNormaliser;
import org.forgerock.openam.utils.StringUtils;
import org.forgerock.openam.utils.Time;
import org.forgerock.openidconnect.OpenIdConnectClientRegistration;
import org.forgerock.openidconnect.OpenIdConnectClientRegistrationStore;
import org.forgerock.util.encode.Base64;
import org.forgerock.util.query.QueryFilter;
import org.joda.time.Duration;

/* loaded from: input_file:org/forgerock/openam/oauth2/StatelessTokenStore.class */
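/**
 * {@link TokenStore} that issues OAuth2 access and refresh tokens as signed JWTs instead of
 * server-side records. Authorization codes and device codes are not stateless; they are delegated
 * unchanged to the wrapped {@link StatefulTokenStore}.
 *
 * <p>Because the JWT carries all of its own state, three collaborators provide what a stateful
 * store would otherwise hold:
 * <ul>
 *   <li>a {@link Blacklist} of JWT ids ({@code jti}) used for revocation;</li>
 *   <li>a {@link StatelessTokenMetadata} record written to the {@link CTSPersistentStore} when a
 *       token is issued, so that tokens can be queried and their expiry looked up on delete;</li>
 *   <li>the provider's signing key pair / HMAC secret, used to sign on issue and to verify on
 *       {@link #readAccessToken} / {@link #readRefreshToken} and on revocation through the
 *       request-scoped delete methods.</li>
 * </ul>
 *
 * <p>Every field is final and the class keeps no mutable state of its own, so it is as
 * thread-safe as the collaborators it was constructed with.
 */
public class StatelessTokenStore implements TokenStore {

    /** Claim that records which kind of token a JWT is. */
    private static final String TOKEN_NAME_CLAIM = "tokenName";
    /** {@code tokenName} value for access tokens. */
    private static final String ACCESS_TOKEN_NAME = "access_token";
    /** {@code tokenName} value for refresh tokens. */
    private static final String REFRESH_TOKEN_NAME = "refresh_token";
    /** Claim carrying the normalised realm the token was issued in. */
    private static final String REALM_CLAIM = "realm";
    /** Request parameter carrying the realm of the current request. */
    private static final String REALM_PARAMETER = "realm";

    private final Debug logger;
    /** Handles the grant types this store does not make stateless (authorization and device codes). */
    private final TokenStore statefulTokenStore;
    private final JwtBuilderFactory jwtBuilder;
    private final OAuth2ProviderSettingsFactory providerSettingsFactory;
    private final OpenIdConnectClientRegistrationStore clientRegistrationStore;
    private final RealmNormaliser realmNormaliser;
    private final OAuth2UrisFactory oAuth2UrisFactory;
    /** Revocation list keyed by JWT id ({@code jti}). */
    private final Blacklist<Blacklistable> tokenBlacklist;
    /** Persistent store for the per-token metadata records (see {@link #createStatelessTokenMetadata}). */
    private final CTSPersistentStore cts;
    /** Converts {@link StatelessTokenMetadata} to and from CTS tokens. */
    private final TokenAdapter<StatelessTokenMetadata> tokenAdapter;
    private final OAuth2Utils utils;

    /**
     * Creates the store. All collaborators are injected; the constructor performs no I/O.
     *
     * @param statefulTokenStore store that keeps authorization codes and device codes.
     * @param jwtBuilderFactory builds the claims set and signed JWS for issued tokens.
     * @param oAuth2ProviderSettingsFactory resolves per-realm provider settings from a request.
     * @param debug the {@code OAuth2Provider} debug logger.
     * @param openIdConnectClientRegistrationStore looks up client registrations (for lifetimes).
     * @param realmNormaliser normalises realm strings for the {@code realm} claim and realm checks.
     * @param oAuth2UrisFactory provides the issuer URI.
     * @param blacklist revocation list for JWT ids.
     * @param cTSPersistentStore CTS store for token metadata.
     * @param tokenAdapter adapter between metadata objects and CTS tokens.
     * @param oAuth2Utils used to obtain the optional {@code cnf} confirmation key.
     */
    @Inject
    public StatelessTokenStore(StatefulTokenStore statefulTokenStore, JwtBuilderFactory jwtBuilderFactory, OAuth2ProviderSettingsFactory oAuth2ProviderSettingsFactory, @Named("OAuth2Provider") Debug debug, OpenIdConnectClientRegistrationStore openIdConnectClientRegistrationStore, RealmNormaliser realmNormaliser, OAuth2UrisFactory oAuth2UrisFactory, Blacklist<Blacklistable> blacklist, CTSPersistentStore cTSPersistentStore, TokenAdapter<StatelessTokenMetadata> tokenAdapter, OAuth2Utils oAuth2Utils) {
        this.statefulTokenStore = statefulTokenStore;
        this.jwtBuilder = jwtBuilderFactory;
        this.providerSettingsFactory = oAuth2ProviderSettingsFactory;
        this.logger = debug;
        this.clientRegistrationStore = openIdConnectClientRegistrationStore;
        this.realmNormaliser = realmNormaliser;
        this.oAuth2UrisFactory = oAuth2UrisFactory;
        this.tokenBlacklist = blacklist;
        this.cts = cTSPersistentStore;
        this.tokenAdapter = tokenAdapter;
        this.utils = oAuth2Utils;
    }

    /** Current time in whole seconds, as used for the {@code auth_time} claim default. */
    private static long nowInSeconds() {
        return TimeUnit.MILLISECONDS.toSeconds(Time.currentTimeMillis());
    }

    /** Authorization codes are not stateless; delegated to the stateful store. */
    @Override // org.forgerock.oauth2.core.TokenStore
    public AuthorizationCode createAuthorizationCode(Set<String> set, ResourceOwner resourceOwner, String str, String str2, String str3, OAuth2Request oAuth2Request, String str4, String str5) throws ServerException, NotFoundException {
        return this.statefulTokenStore.createAuthorizationCode(set, resourceOwner, str, str2, str3, oAuth2Request, str4, str5);
    }

    /** Issues an access token with {@code auth_time} set to the current time. */
    @Override // org.forgerock.oauth2.core.TokenStore
    public AccessToken createAccessToken(String str, String str2, String str3, String str4, String str5, String str6, Set<String> set, RefreshToken refreshToken, String str7, String str8, OAuth2Request oAuth2Request) throws ServerException, NotFoundException {
        return createAccessToken(str, str2, str3, str4, str5, str6, set, refreshToken, str7, str8, oAuth2Request, nowInSeconds());
    }

    /**
     * Issues a stateless access token: builds the claims set, signs it with the provider's
     * configured algorithm, records the token in the request and writes its metadata to CTS.
     *
     * <p>Of the decompiled parameters only the following are read here: {@code str4} becomes the
     * {@code sub} claim, {@code str5} the {@code aud} claim and the client id used for the
     * lifetime lookup, {@code set} the space-joined {@code scope}, {@code refreshToken} (when
     * present) the source of {@code authGrantId}, {@code str7} the {@code nonce}, {@code str8}
     * the {@code claims} claim and {@code j} the {@code auth_time}. {@code str}, {@code str2},
     * {@code str3} and {@code str6} are not used by this implementation.
     *
     * @param j the authentication time in seconds, stored as {@code auth_time}.
     * @return the signed token; it has also been set on the request as {@link AccessToken}.
     * @throws ServerException if signing fails or the configured algorithm is unsupported.
     * @throws NotFoundException if the realm or provider settings cannot be resolved.
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public AccessToken createAccessToken(String str, String str2, String str3, String str4, String str5, String str6, Set<String> set, RefreshToken refreshToken, String str7, String str8, OAuth2Request oAuth2Request, long j) throws ServerException, NotFoundException {
        OAuth2ProviderSettings settings = this.providerSettingsFactory.get(oAuth2Request);
        OpenIdConnectClientRegistration client = getClientRegistration(str5, oAuth2Request);
        Duration issuedAt = Duration.millis(Time.currentTimeMillis());
        // A registered client may override the provider-wide lifetime; note the two sources use
        // different units (provider: seconds, client registration: milliseconds).
        Duration lifetime = client == null
                ? Duration.standardSeconds(settings.getAccessTokenLifetime())
                : Duration.millis(client.getAccessTokenLifeTime(settings));
        Duration expiresAt = lifetime.plus(issuedAt);
        try {
            String realm = this.realmNormaliser.normalise((String) oAuth2Request.getParameter(REALM_PARAMETER));
            Map<String, Object> realmAccess = resolveRealmAccess(oAuth2Request);
            String jwtId = UUID.randomUUID().toString();
            JwtClaimsSetBuilder claims = this.jwtBuilder.claims()
                    .jti(jwtId)
                    .exp(Time.newDate(expiresAt.getMillis()))
                    .aud(Collections.singletonList(str5))
                    .sub(str4)
                    .iat(Time.newDate(issuedAt.getMillis()))
                    .nbf(Time.newDate(issuedAt.getMillis()))
                    .iss(this.oAuth2UrisFactory.get(oAuth2Request).getIssuer())
                    .claim("scope", org.apache.commons.lang.StringUtils.join(set, OAuth2Utils.SCOPE_DELIMITER))
                    .claim("realm_access", realmAccess)
                    .claim("claims", str8)
                    .claim(REALM_CLAIM, realm)
                    .claim("nonce", str7)
                    .claim(TOKEN_NAME_CLAIM, ACCESS_TOKEN_NAME)
                    .claim("token_type", "Bearer")
                    .claim("typ", "Bearer")
                    .claim("expires_in", Long.valueOf(lifetime.getMillis()))
                    .claim("auditTrackingId", UUID.randomUUID().toString())
                    // Tokens minted from a refresh token inherit its grant id; otherwise start a new grant.
                    .claim("authGrantId", refreshToken != null ? refreshToken.getAuthGrantId() : UUID.randomUUID().toString())
                    .claim("auth_time", Long.valueOf(j));
            JsonValue confirmationKey = this.utils.getConfirmationKey(oAuth2Request);
            if (confirmationKey != null) {
                claims.claim("cnf", confirmationKey.asMap());
            }
            JwsAlgorithm algorithm = getSigningAlgorithm(settings);
            SignedJwt jwt = this.jwtBuilder.jws(getTokenSigningHandler(settings, algorithm))
                    .claims(claims.build())
                    .headers()
                    .alg(algorithm)
                    .zip(getCompressionAlgorithm(settings))
                    .headerIfNotNull("kid", generateKid(settings.getJWKSet(), algorithm))
                    .done()
                    .asJwt();
            StatelessAccessToken token = new StatelessAccessToken(jwt, jwt.build());
            oAuth2Request.setToken(AccessToken.class, token);
            createStatelessTokenMetadata(jwtId, expiresAt.getMillis(), token);
            return token;
        } catch (org.forgerock.json.resource.NotFoundException e) {
            throw new NotFoundException(e.getMessage());
        }
    }

    /**
     * Builds the {@code realm_access} claim. When the request carries an authorization code that
     * has a session id, the group memberships of that session's identity are exposed under
     * {@code roles}. Lookup failures are logged and yield an empty map, so token issue does not
     * fail because of them.
     *
     * @return a mutable map with at most a {@code roles} entry (a set of group names).
     */
    private Map<String, Object> resolveRealmAccess(OAuth2Request oAuth2Request) {
        Map<String, Object> realmAccess = new HashMap<>();
        AuthorizationCode code = (AuthorizationCode) oAuth2Request.getToken(AuthorizationCode.class);
        if (code == null) {
            return realmAccess;
        }
        String sessionId = code.getSessionId();
        if (StringUtils.isNotBlank(sessionId)) {
            try {
                Set<String> roles = IdUtils.getIdentity(SSOTokenManager.getInstance().createSSOToken(sessionId))
                        .getMemberships(IdType.GROUP)
                        .stream()
                        .map(identity -> identity.getName())
                        .collect(Collectors.toSet());
                realmAccess.put("roles", roles);
            } catch (SSOException | IdRepoException e) {
                this.logger.error("Error retrieving session from AuthorizationCode", e);
            }
        }
        return realmAccess;
    }

    /**
     * Picks the {@code kid} header for an asymmetric signature: the id of the first key in the
     * provider's JWK set.
     *
     * @return the key id, or {@code null} for HMAC (no key id applies) or when the JWK set has
     *     no keys.
     */
    private String generateKid(JsonValue jwkSet, JwsAlgorithm algorithm) {
        JwsAlgorithmType type = algorithm.getAlgorithmType();
        if (type != JwsAlgorithmType.RSA && type != JwsAlgorithmType.ECDSA) {
            return null;
        }
        JsonValue keys = jwkSet.get("keys");
        if (keys.isNull() || keys.asList().isEmpty()) {
            return null;
        }
        return keys.get(0).get("kid").asString();
    }

    /** DEFLATE compression of the JWS payload when the provider enables token compression. */
    private CompressionAlgorithm getCompressionAlgorithm(OAuth2ProviderSettings settings) {
        return settings.isTokenCompressionEnabled() ? CompressionAlgorithm.DEF : CompressionAlgorithm.NONE;
    }

    /**
     * Persists the metadata record that lets a stateless token be queried and revoked later.
     *
     * @param jwtId the token's {@code jti}; also the CTS token id used by {@link #delete}.
     * @param expiryMillis the token expiry in epoch milliseconds ({@code -1} for refresh tokens
     *     configured with a negative lifetime).
     * @throws ServerException if the CTS write fails; the cause is logged and preserved.
     */
    private void createStatelessTokenMetadata(String jwtId, long expiryMillis, StatelessToken statelessToken) throws ServerException {
        StatelessTokenMetadata metadata = new StatelessTokenMetadata(jwtId, statelessToken.getResourceOwnerId(), expiryMillis, statelessToken.getAuthGrantId(), statelessToken.getClientId(), statelessToken.getScope(), statelessToken.getRealm(), statelessToken.getTokenName(), statelessToken.getTokenType());
        try {
            this.cts.create(this.tokenAdapter.toToken(metadata));
        } catch (CoreTokenException e) {
            this.logger.error("Failed to add stateless token metadata to CTS", e);
            throw new ServerException((Throwable) e);
        }
    }

    /**
     * Looks up the client registration used for per-client lifetimes.
     *
     * @return the registration, or {@code null} when the client is not registered; callers then
     *     fall back to the provider-wide lifetime.
     */
    private OpenIdConnectClientRegistration getClientRegistration(String clientId, OAuth2Request oAuth2Request) throws ServerException, NotFoundException {
        try {
            return this.clientRegistrationStore.get(clientId, oAuth2Request);
        } catch (InvalidClientException ignored) {
            // Deliberate best effort: an unknown client simply means "use provider defaults".
            return null;
        }
    }

    /** Request-scoped variant of {@link #getTokenSigningHandler(OAuth2ProviderSettings, JwsAlgorithm)}. */
    private SigningHandler getTokenSigningHandler(OAuth2Request oAuth2Request, JwsAlgorithm jwsAlgorithm) throws NotFoundException, ServerException {
        return getTokenSigningHandler(this.providerSettingsFactory.get(oAuth2Request), jwsAlgorithm);
    }

    /**
     * Builds the handler used to <em>sign</em> new tokens: the shared secret for HMAC, otherwise
     * the private half of the provider's signing key pair.
     *
     * @throws ServerException for an algorithm family this store cannot sign with, or when the
     *     key material does not fit the algorithm.
     */
    private SigningHandler getTokenSigningHandler(OAuth2ProviderSettings settings, JwsAlgorithm jwsAlgorithm) throws NotFoundException, ServerException {
        try {
            switch (jwsAlgorithm.getAlgorithmType()) {
                case HMAC:
                    return new SigningManager().newHmacSigningHandler(Base64.decode(settings.getTokenHmacSharedSecret()));
                case RSA:
                    return new SigningManager().newRsaSigningHandler(settings.getSigningKeyPair(jwsAlgorithm).getPrivate());
                case ECDSA:
                    return new SigningManager().newEcdsaSigningHandler((ECPrivateKey) settings.getSigningKeyPair(jwsAlgorithm).getPrivate());
                default:
                    throw new ServerException("Unsupported Token signing algorithm");
            }
        } catch (IllegalArgumentException e) {
            throw new ServerException("Invalid Token signing algorithm");
        }
    }

    /**
     * Builds the handler used to <em>verify</em> presented tokens: the shared secret for HMAC,
     * otherwise the public half of the provider's signing key pair.
     *
     * @throws ServerException for an algorithm family this store cannot verify, or when the key
     *     material does not fit the algorithm.
     */
    private SigningHandler getTokenVerificationHandler(OAuth2ProviderSettings settings, JwsAlgorithm jwsAlgorithm) throws NotFoundException, ServerException {
        try {
            switch (jwsAlgorithm.getAlgorithmType()) {
                case HMAC:
                    return new SigningManager().newHmacSigningHandler(Base64.decode(settings.getTokenHmacSharedSecret()));
                case RSA:
                    return new SigningManager().newRsaSigningHandler(settings.getSigningKeyPair(jwsAlgorithm).getPublic());
                case ECDSA:
                    return new SigningManager().newEcdsaVerificationHandler((ECPublicKey) settings.getSigningKeyPair(jwsAlgorithm).getPublic());
                default:
                    throw new ServerException("Unsupported Token signing algorithm");
            }
        } catch (IllegalArgumentException e) {
            throw new ServerException("Invalid Token signing algorithm");
        }
    }

    /** Request-scoped variant of {@link #getSigningAlgorithm(OAuth2ProviderSettings)}. */
    private JwsAlgorithm getSigningAlgorithm(OAuth2Request oAuth2Request) throws ServerException, NotFoundException {
        return getSigningAlgorithm(this.providerSettingsFactory.get(oAuth2Request));
    }

    /**
     * Resolves the provider's configured token signing algorithm and checks it is among the
     * supported ID-token signing algorithms. The same algorithm is used to verify presented
     * tokens, so a token signed under a different configuration will fail verification.
     *
     * @throws ServerException if the configured name is not a {@link JwsAlgorithm} or is not in
     *     the supported list.
     */
    private JwsAlgorithm getSigningAlgorithm(OAuth2ProviderSettings settings) throws ServerException, NotFoundException {
        try {
            JwsAlgorithm algorithm = JwsAlgorithm.valueOf(settings.getTokenSigningAlgorithm().toUpperCase());
            if (!isAlgorithmSupported(settings, algorithm)) {
                throw new ServerException("Unsupported Token signing algorithm");
            }
            return algorithm;
        } catch (IllegalArgumentException e) {
            throw new ServerException("Invalid Token signing algorithm");
        }
    }

    /** Whether {@code jwsAlgorithm} appears (case-insensitively) in the provider's supported list. */
    private boolean isAlgorithmSupported(OAuth2ProviderSettings settings, JwsAlgorithm jwsAlgorithm) throws ServerException, NotFoundException {
        String wanted = jwsAlgorithm.toString();
        for (String supported : settings.getSupportedIDTokenSigningAlgorithms()) {
            if (supported.toUpperCase().equals(wanted)) {
                return true;
            }
        }
        return false;
    }

    /** Issues a refresh token with no {@code claims} value. */
    @Override // org.forgerock.oauth2.core.TokenStore
    public RefreshToken createRefreshToken(String str, String str2, String str3, String str4, Set<String> set, OAuth2Request oAuth2Request) throws ServerException, NotFoundException {
        return createRefreshToken(str, str2, str3, str4, set, oAuth2Request, "");
    }

    /** Issues a refresh token with {@code auth_time} set to the current time. */
    @Override // org.forgerock.oauth2.core.TokenStore
    public RefreshToken createRefreshToken(String str, String str2, String str3, String str4, Set<String> set, OAuth2Request oAuth2Request, String str5) throws ServerException, NotFoundException {
        return createRefreshToken(str, str2, str3, str4, set, oAuth2Request, str5, nowInSeconds());
    }

    /**
     * Issues a refresh token whose {@code authGrantId} is taken from the authorization code on the
     * request when it has one, and freshly generated otherwise.
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public RefreshToken createRefreshToken(String str, String str2, String str3, String str4, Set<String> set, OAuth2Request oAuth2Request, String str5, long j) throws ServerException, NotFoundException {
        AuthorizationCode code = (AuthorizationCode) oAuth2Request.getToken(AuthorizationCode.class);
        String authGrantId = (code == null || code.getAuthGrantId() == null)
                ? UUID.randomUUID().toString()
                : code.getAuthGrantId();
        return createRefreshToken(str, str2, str3, str4, set, oAuth2Request, str5, authGrantId, j);
    }

    /** Issues a refresh token with an explicit grant id and {@code auth_time} set to the current time. */
    @Override // org.forgerock.oauth2.core.TokenStore
    public RefreshToken createRefreshToken(String str, String str2, String str3, String str4, Set<String> set, OAuth2Request oAuth2Request, String str5, String str6) throws ServerException, NotFoundException {
        return createRefreshToken(str, str2, str3, str4, set, oAuth2Request, str5, str6, nowInSeconds());
    }

    /**
     * Issues a stateless refresh token. Of the decompiled parameters only the following are read:
     * {@code str2} becomes the {@code aud} claim and the client id for the lifetime lookup,
     * {@code str3} the {@code sub}, {@code set} the {@code scope} (stored as a set, unlike the
     * access token's joined string), {@code str5} the optional {@code claims}, {@code str6} the
     * {@code authGrantId} and {@code j} the {@code auth_time}. {@code str} and {@code str4} are
     * not used by this implementation.
     *
     * <p>{@code nonce}, {@code authModules} and {@code acr} are copied from the authorization code
     * or refresh token already on the request; a refresh token's values take precedence over the
     * authorization code's.
     *
     * @return the signed token; it has also been set on the request as {@link RefreshToken}.
     * @throws ServerException if signing fails or the configured algorithm is unsupported.
     * @throws NotFoundException if the realm or provider settings cannot be resolved.
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public RefreshToken createRefreshToken(String str, String str2, String str3, String str4, Set<String> set, OAuth2Request oAuth2Request, String str5, String str6, long j) throws ServerException, NotFoundException {
        try {
            String realm = this.realmNormaliser.normalise((String) oAuth2Request.getParameter(REALM_PARAMETER));
            OpenIdConnectClientRegistration client = getClientRegistration(str2, oAuth2Request);
            OAuth2ProviderSettings settings = this.providerSettingsFactory.get(oAuth2Request);
            Duration issuedAt = Duration.millis(Time.currentTimeMillis());
            Duration lifetime = client == null
                    ? Duration.standardSeconds(settings.getRefreshTokenLifetime())
                    : Duration.millis(client.getRefreshTokenLifeTime(settings));
            // A negative configured lifetime is encoded as -1 rather than a computed instant
            // (presumably "does not expire"); the same sentinel is stored in the CTS metadata.
            long expiryMillis = lifetime.isShorterThan(Duration.ZERO) ? -1L : lifetime.plus(issuedAt).getMillis();
            String jwtId = UUID.randomUUID().toString();
            JwtClaimsSetBuilder claims = this.jwtBuilder.claims()
                    .jti(jwtId)
                    .exp(Time.newDate(expiryMillis))
                    .aud(Collections.singletonList(str2))
                    .sub(str3)
                    .iat(Time.newDate(issuedAt.getMillis()))
                    .nbf(Time.newDate(issuedAt.getMillis()))
                    .iss(this.oAuth2UrisFactory.get(oAuth2Request).getIssuer())
                    .claim("scope", set)
                    .claim(REALM_CLAIM, realm)
                    .claim("token_type", "Bearer")
                    .claim("expires_in", Long.valueOf(lifetime.getMillis()))
                    .claim(TOKEN_NAME_CLAIM, REFRESH_TOKEN_NAME)
                    .claim("auditTrackingId", UUID.randomUUID().toString())
                    .claim("authGrantId", str6)
                    .claim("auth_time", Long.valueOf(j));
            for (Token token : oAuth2Request.getTokens()) {
                if (token instanceof AuthorizationCode) {
                    claims.claim("nonce", ((AuthorizationCode) token).getNonce());
                }
            }
            String authModules = null;
            String acr = null;
            AuthorizationCode code = (AuthorizationCode) oAuth2Request.getToken(AuthorizationCode.class);
            if (code != null) {
                authModules = code.getAuthModules();
                acr = code.getAuthenticationContextClassReference();
            }
            RefreshToken previous = (RefreshToken) oAuth2Request.getToken(RefreshToken.class);
            if (previous != null) {
                authModules = previous.getAuthModules();
                acr = previous.getAuthenticationContextClassReference();
            }
            if (authModules != null) {
                claims.claim("authModules", authModules);
            }
            if (acr != null) {
                claims.claim("acr", acr);
            }
            if (!StringUtils.isBlank(str5)) {
                claims.claim("claims", str5);
            }
            JwsAlgorithm algorithm = getSigningAlgorithm(settings);
            // Unlike access tokens, refresh tokens carry no "kid" header.
            SignedJwt jwt = this.jwtBuilder.jws(getTokenSigningHandler(settings, algorithm))
                    .claims(claims.build())
                    .headers()
                    .alg(algorithm)
                    .zip(getCompressionAlgorithm(settings))
                    .done()
                    .asJwt();
            StatelessRefreshToken token = new StatelessRefreshToken(jwt, jwt.build());
            oAuth2Request.setToken(RefreshToken.class, token);
            createStatelessTokenMetadata(jwtId, expiryMillis, token);
            return token;
        } catch (org.forgerock.json.resource.NotFoundException e) {
            throw new NotFoundException(e.getMessage());
        }
    }

    /** Delegated to the stateful store. */
    @Override // org.forgerock.oauth2.core.TokenStore
    public AuthorizationCode readAuthorizationCode(OAuth2Request oAuth2Request, String str) throws InvalidGrantException, ServerException, NotFoundException {
        return this.statefulTokenStore.readAuthorizationCode(oAuth2Request, str);
    }

    /** Delegated to the stateful store. */
    @Override // org.forgerock.oauth2.core.TokenStore
    public void updateAuthorizationCode(OAuth2Request oAuth2Request, AuthorizationCode authorizationCode) throws NotFoundException, ServerException {
        this.statefulTokenStore.updateAuthorizationCode(oAuth2Request, authorizationCode);
    }

    /** Intentionally a no-op: a signed JWT cannot be updated in place once issued. */
    @Override // org.forgerock.oauth2.core.TokenStore
    public void updateAccessToken(OAuth2Request oAuth2Request, AccessToken accessToken) {
    }

    /** Delegated to the stateful store. */
    @Override // org.forgerock.oauth2.core.TokenStore
    public void deleteAuthorizationCode(OAuth2Request oAuth2Request, String str) throws NotFoundException, ServerException {
        this.statefulTokenStore.deleteAuthorizationCode(oAuth2Request, str);
    }

    /** Whether the given JWT id has been revoked. */
    private boolean isBlacklisted(String jwtId) throws BlacklistException {
        return this.tokenBlacklist.isBlacklisted(new BlacklistItem(jwtId));
    }

    /**
     * Returns the metadata of every stateless token matching {@code queryFilter}, as a JSON list
     * of the metadata maps.
     *
     * @throws ServerException if the CTS query fails.
     */
    private JsonValue query(QueryFilter<CoreTokenField> queryFilter) throws ServerException {
        try {
            List<Object> rows = new ArrayList<>();
            for (Object raw : this.cts.query(new TokenFilterBuilder().withQuery(queryFilter).build())) {
                org.forgerock.openam.cts.api.tokens.Token ctsToken = (org.forgerock.openam.cts.api.tokens.Token) raw;
                rows.add(this.tokenAdapter.fromToken(ctsToken).asMap());
            }
            return new JsonValue(rows);
        } catch (CoreTokenException e) {
            throw new ServerException("Token not found in CTS");
        }
    }

    /**
     * Revokes a JWT id until {@code expiryMillis}, after which the entry is no longer needed
     * because the token itself has expired.
     */
    private void blacklist(String jwtId, long expiryMillis) throws BlacklistException {
        this.tokenBlacklist.blacklist(new BlacklistItem(jwtId, expiryMillis));
    }

    /**
     * Common revocation path for the request-scoped delete methods: parse the JWT, stop early if
     * its id is already blacklisted, otherwise verify signature, token kind and realm, then
     * blacklist the id until the token's own expiry and remove its CTS metadata.
     *
     * <p>Verification comes before revocation so that an unverifiable token cannot be used to
     * revoke a different token whose {@code jti} happens to be known.
     */
    private void revokeStatelessToken(OAuth2Request oAuth2Request, String tokenId, String expectedTokenName) throws InvalidJwtException, InvalidGrantException, NotFoundException, CoreTokenException, BlacklistException, ServerException {
        SignedJwt jwt = new JwtReconstruction().reconstructJwt(tokenId, SignedJwt.class);
        String jwtId = jwt.getClaimsSet().getJwtId();
        if (isBlacklisted(jwtId)) {
            // Already revoked: deleting twice is not an error.
            this.logger.warning("Token " + jwtId + " has been blacklisted");
            return;
        }
        verifySignature(jwt, oAuth2Request);
        verifyTokenType(expectedTokenName, jwt);
        validateTokenRealm((String) jwt.getClaimsSet().getClaim(REALM_CLAIM, String.class), oAuth2Request);
        blacklist(jwtId, jwt.getClaimsSet().getExpirationTime().getTime());
        this.cts.delete(jwtId);
    }

    /**
     * Revokes an access token presented as a JWT.
     *
     * @throws ServerException if the id is not a JWT, or if verification, blacklisting or the
     *     CTS delete fails (the cause is logged).
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public void deleteAccessToken(OAuth2Request oAuth2Request, String str) throws ServerException {
        try {
            revokeStatelessToken(oAuth2Request, str, ACCESS_TOKEN_NAME);
        } catch (InvalidJwtException e) {
            throw new ServerException("Token id is not a JWT");
        } catch (InvalidGrantException | NotFoundException | CoreTokenException | BlacklistException e) {
            // These are verification/storage failures, not malformed input; log the cause so a
            // failed revocation is diagnosable instead of being reported as "not a JWT".
            this.logger.error("Could not delete token", e);
            throw new ServerException("Could not delete token");
        }
    }

    /**
     * Revokes a refresh token presented as a JWT.
     *
     * @throws InvalidRequestException if the id is not a JWT, or if verification, blacklisting or
     *     the CTS delete fails (the cause is logged).
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public void deleteRefreshToken(OAuth2Request oAuth2Request, String str) throws InvalidRequestException, ServerException {
        try {
            revokeStatelessToken(oAuth2Request, str, REFRESH_TOKEN_NAME);
        } catch (InvalidJwtException e) {
            throw new InvalidRequestException("Token id is not a JWT");
        } catch (InvalidGrantException | NotFoundException | CoreTokenException | BlacklistException e) {
            this.logger.error("Could not delete token", e);
            throw new InvalidRequestException("Could not delete token");
        }
    }

    /**
     * Parses a presented token and applies every check a token must pass before it is trusted:
     * not blacklisted, signature valid for the provider's configured algorithm, expected
     * {@code tokenName}, and issued for the requested realm.
     *
     * @return the verified JWT.
     * @throws InvalidGrantException if the token is blacklisted or any check fails.
     */
    private SignedJwt readVerifiedJwt(OAuth2Request oAuth2Request, String tokenId, String expectedTokenName) throws InvalidJwtException, BlacklistException, InvalidGrantException, ServerException, NotFoundException {
        SignedJwt jwt = new JwtReconstruction().reconstructJwt(tokenId, SignedJwt.class);
        if (isBlacklisted(jwt.getClaimsSet().getJwtId())) {
            throw new InvalidGrantException("Token has been blacklisted");
        }
        verifySignature(jwt, oAuth2Request);
        verifyTokenType(expectedTokenName, jwt);
        validateTokenRealm((String) jwt.getClaimsSet().getClaim(REALM_CLAIM, String.class), oAuth2Request);
        return jwt;
    }

    /**
     * Reads and fully verifies an access token presented as a JWT.
     *
     * @return the token; it has also been set on the request as {@link AccessToken}.
     * @throws InvalidGrantException if the id is not a JWT, is blacklisted, or fails verification.
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public AccessToken readAccessToken(OAuth2Request oAuth2Request, String str) throws ServerException, InvalidGrantException, NotFoundException {
        try {
            SignedJwt jwt = readVerifiedJwt(oAuth2Request, str, ACCESS_TOKEN_NAME);
            StatelessAccessToken token = new StatelessAccessToken(jwt, str);
            oAuth2Request.setToken(AccessToken.class, token);
            return token;
        } catch (InvalidJwtException e) {
            throw new InvalidGrantException("Token id is not a JWT");
        } catch (BlacklistException e) {
            this.logger.error("Could not read token", e);
            throw new InvalidGrantException("Could not read token");
        }
    }

    /**
     * Reads and fully verifies a refresh token presented as a JWT.
     *
     * @return the token; it has also been set on the request as {@link RefreshToken}.
     * @throws InvalidGrantException if the id is not a JWT, is blacklisted, or fails verification.
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public RefreshToken readRefreshToken(OAuth2Request oAuth2Request, String str) throws ServerException, InvalidGrantException, NotFoundException {
        try {
            SignedJwt jwt = readVerifiedJwt(oAuth2Request, str, REFRESH_TOKEN_NAME);
            StatelessRefreshToken token = new StatelessRefreshToken(jwt, str);
            oAuth2Request.setToken(RefreshToken.class, token);
            return token;
        } catch (InvalidJwtException e) {
            throw new InvalidGrantException("Token id is not a JWT");
        } catch (BlacklistException e) {
            this.logger.error("Could not read token", e);
            throw new InvalidGrantException("Could not read token");
        }
    }

    /** Device codes are not stateless; delegated to the stateful store. */
    @Override // org.forgerock.oauth2.core.TokenStore
    public DeviceCode createDeviceCode(Set<String> set, ResourceOwner resourceOwner, String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8, Integer num, String str9, OAuth2Request oAuth2Request, String str10, String str11) throws ServerException, NotFoundException {
        return this.statefulTokenStore.createDeviceCode(set, resourceOwner, str, str2, str3, str4, str5, str6, str7, str8, num, str9, oAuth2Request, str10, str11);
    }

    /** Delegated to the stateful store. */
    @Override // org.forgerock.oauth2.core.TokenStore
    public DeviceCode readDeviceCode(String str, String str2, OAuth2Request oAuth2Request) throws ServerException, NotFoundException, InvalidGrantException {
        return this.statefulTokenStore.readDeviceCode(str, str2, oAuth2Request);
    }

    /** Delegated to the stateful store. */
    @Override // org.forgerock.oauth2.core.TokenStore
    public DeviceCode readDeviceCode(String str, OAuth2Request oAuth2Request) throws ServerException, NotFoundException, InvalidGrantException {
        return this.statefulTokenStore.readDeviceCode(str, oAuth2Request);
    }

    /** Delegated to the stateful store. */
    @Override // org.forgerock.oauth2.core.TokenStore
    public void updateDeviceCode(DeviceCode deviceCode, OAuth2Request oAuth2Request) throws ServerException, NotFoundException, InvalidGrantException {
        this.statefulTokenStore.updateDeviceCode(deviceCode, oAuth2Request);
    }

    /** Delegated to the stateful store. */
    @Override // org.forgerock.oauth2.core.TokenStore
    public void deleteDeviceCode(String str, String str2, OAuth2Request oAuth2Request) throws ServerException, NotFoundException, InvalidGrantException {
        this.statefulTokenStore.deleteDeviceCode(str, str2, oAuth2Request);
    }

    /**
     * Queries stateless token metadata in CTS. The realm argument {@code str} is not used to
     * narrow the query here; callers wanting realm scoping must express it in the filter.
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public JsonValue queryForToken(String str, QueryFilter<CoreTokenField> queryFilter) throws ServerException, NotFoundException {
        return query(queryFilter);
    }

    /**
     * Returns the {@code jti} when {@code tokenId} parses as a signed JWT, otherwise the id
     * unchanged (it is then taken to be a metadata id already).
     */
    private static String jwtIdOf(String tokenId) {
        try {
            return new JwtReconstruction().reconstructJwt(tokenId, SignedJwt.class).getClaimsSet().getJwtId();
        } catch (InvalidJwtException e) {
            return tokenId;
        }
    }

    /**
     * Revokes a token by id without a request context: the id may be a full JWT (its {@code jti}
     * is extracted) or a bare JWT id. The expiry used for the blacklist entry is read from the
     * CTS metadata, so an id unknown to CTS is rejected before anything is blacklisted.
     *
     * <p>NOTE(review): this path has no {@link OAuth2Request} from which to resolve provider
     * settings, so a JWT passed here is parsed for its id only and its signature is not verified
     * (contrast {@link #deleteAccessToken}). The realm argument {@code str} is not used.
     *
     * @throws ServerException if blacklisting fails or the id has no CTS metadata.
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public void delete(String str, String str2) throws ServerException, NotFoundException {
        String jwtId = jwtIdOf(str2);
        try {
            if (isBlacklisted(jwtId)) {
                this.logger.warning("Token " + jwtId + " has been blacklisted");
                return;
            }
            long expiryMillis = this.tokenAdapter.fromToken(this.cts.read(jwtId)).getExpiryTime();
            blacklist(jwtId, expiryMillis);
            this.cts.delete(jwtId);
        } catch (BlacklistException e) {
            this.logger.error("Could not delete token", e);
            throw new ServerException("Could not delete token");
        } catch (CoreTokenException e) {
            throw new ServerException("Token id not found in CTS");
        }
    }

    /**
     * Returns a JSON summary of a stateless token presented as a JWT, or {@code null} when the
     * token has been blacklisted.
     *
     * <p>NOTE(review): unlike {@link #readAccessToken} and {@link #readRefreshToken}, this method
     * has no request context and therefore neither verifies the JWS signature nor checks the
     * realm; the summary is built from the token's claims as presented, and the blacklist check
     * is the only gate. Callers must not treat a non-null result as proof that the token is valid.
     *
     * @throws ServerException if the id is not a JWT, the {@code tokenName} claim is not a known
     *     kind, or the blacklist lookup fails.
     */
    @Override // org.forgerock.oauth2.core.TokenStore
    public JsonValue read(String str) throws ServerException {
        try {
            SignedJwt jwt = new JwtReconstruction().reconstructJwt(str, SignedJwt.class);
            String jwtId = jwt.getClaimsSet().getJwtId();
            if (isBlacklisted(jwtId)) {
                // Log the jti rather than the presented token: the raw JWT is a bearer credential
                // and must not be written to logs.
                this.logger.warning("Token " + jwtId + " has been blacklisted");
                return null;
            }
            String tokenName = (String) jwt.getClaimsSet().getClaim(TOKEN_NAME_CLAIM, String.class);
            StatelessToken token;
            if (ACCESS_TOKEN_NAME.equals(tokenName)) {
                token = new StatelessAccessToken(jwt, str);
            } else if (REFRESH_TOKEN_NAME.equals(tokenName)) {
                token = new StatelessRefreshToken(jwt, str);
            } else {
                throw new ServerException("Unrecognised token type");
            }
            return convertToken(token);
        } catch (BlacklistException e) {
            this.logger.error("Could not read token", e);
            throw new ServerException("Could not read token");
        } catch (InvalidJwtException e) {
            throw new ServerException("Token id is not a JWT");
        }
    }

    /** Verifies the JWS signature using the settings of the request's realm. */
    private void verifySignature(SignedJwt signedJwt, OAuth2Request oAuth2Request) throws NotFoundException, InvalidGrantException, ServerException {
        verifySignature(this.providerSettingsFactory.get(oAuth2Request), signedJwt);
    }

    /**
     * Verifies the JWS signature against the provider's currently configured signing algorithm
     * and key material.
     *
     * @throws InvalidGrantException if the signature does not verify.
     */
    private void verifySignature(OAuth2ProviderSettings settings, SignedJwt signedJwt) throws InvalidGrantException, ServerException, NotFoundException {
        SigningHandler verifier = getTokenVerificationHandler(settings, getSigningAlgorithm(settings));
        if (!signedJwt.verify(verifier)) {
            throw new InvalidGrantException();
        }
    }

    /**
     * Ensures the token's {@code tokenName} claim matches {@code expectedTokenName}, so an access
     * token cannot be presented where a refresh token is expected and vice versa.
     */
    private void verifyTokenType(String expectedTokenName, SignedJwt signedJwt) throws InvalidGrantException {
        if (!expectedTokenName.equals(signedJwt.getClaimsSet().getClaim(TOKEN_NAME_CLAIM))) {
            throw new InvalidGrantException("Token is not an " + expectedTokenName + " token: " + signedJwt.getClaimsSet().getJwtId());
        }
    }

    /**
     * Ensures the realm recorded in the token matches the realm of the current request, comparing
     * both the raw and the normalised form of the token's realm.
     *
     * @param str the token's {@code realm} claim; {@code null} (claim absent) never matches.
     * @throws InvalidGrantException if the realms differ.
     * @throws NotFoundException if the request realm cannot be normalised.
     */
    protected void validateTokenRealm(String str, OAuth2Request oAuth2Request) throws InvalidGrantException, NotFoundException {
        try {
            String requestedRealm = this.realmNormaliser.normalise((String) oAuth2Request.getParameter(REALM_PARAMETER));
            boolean matches = str != null
                    && (str.equals(requestedRealm) || this.realmNormaliser.normalise(str).equals(requestedRealm));
            if (!matches) {
                throw new InvalidGrantException("Grant is not valid for the requested realm");
            }
        } catch (org.forgerock.json.resource.NotFoundException e) {
            throw new NotFoundException(e.getMessage());
        }
    }

    /** Projects a stateless token onto the JSON shape returned by {@link #read}. */
    private JsonValue convertToken(StatelessToken statelessToken) {
        Map<String, Object> summary = new HashMap<>();
        summary.put("userName", statelessToken.getResourceOwnerId());
        summary.put("clientID", statelessToken.getClientId());
        summary.put("grant_type", statelessToken.getTokenType());
        summary.put(REALM_CLAIM, statelessToken.getRealm());
        summary.put(TokenResource.EXPIRE_TIME_KEY, Long.valueOf(statelessToken.getExpiryTime()));
        summary.put("id", statelessToken.getJwtId());
        summary.put(TOKEN_NAME_CLAIM, statelessToken.getTokenName());
        summary.put("authGrantId", statelessToken.getAuthGrantId());
        summary.put("scope", statelessToken.getScope());
        return JsonValue.json(summary);
    }
}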
