package com.liferay.oauth2.provider.rest.internal.endpoint.liferay;

import com.liferay.oauth2.provider.configuration.OAuth2ProviderConfiguration;
import com.liferay.oauth2.provider.constants.GrantType;
import com.liferay.oauth2.provider.model.OAuth2Application;
import com.liferay.oauth2.provider.model.OAuth2ApplicationScopeAliases;
import com.liferay.oauth2.provider.model.OAuth2Authorization;
import com.liferay.oauth2.provider.redirect.OAuth2RedirectURIInterpolator;
import com.liferay.oauth2.provider.rest.internal.configuration.OAuth2AuthorizationServerConfiguration;
import com.liferay.oauth2.provider.rest.internal.endpoint.authorize.configuration.OAuth2AuthorizationFlowConfiguration;
import com.liferay.oauth2.provider.rest.internal.endpoint.constants.OAuth2ProviderRESTEndpointConstants;
import com.liferay.oauth2.provider.rest.spi.bearer.token.provider.BearerTokenProvider;
import com.liferay.oauth2.provider.rest.spi.bearer.token.provider.BearerTokenProviderAccessor;
import com.liferay.oauth2.provider.scope.liferay.LiferayOAuth2Scope;
import com.liferay.oauth2.provider.scope.liferay.ScopeLocator;
import com.liferay.oauth2.provider.service.OAuth2ApplicationLocalService;
import com.liferay.oauth2.provider.service.OAuth2ApplicationScopeAliasesLocalService;
import com.liferay.oauth2.provider.service.OAuth2AuthorizationLocalService;
import com.liferay.oauth2.provider.service.OAuth2ScopeGrantLocalService;
import com.liferay.petra.concurrent.DCLSingleton;
import com.liferay.petra.function.transform.TransformUtil;
import com.liferay.petra.string.StringBundler;
import com.liferay.portal.configuration.metatype.bnd.util.ConfigurableUtil;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.exception.SystemException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.model.Company;
import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.module.configuration.ConfigurationException;
import com.liferay.portal.kernel.module.configuration.ConfigurationProvider;
import com.liferay.portal.kernel.security.auth.CompanyThreadLocal;
import com.liferay.portal.kernel.service.CompanyLocalService;
import com.liferay.portal.kernel.service.UserLocalService;
import com.liferay.portal.kernel.transaction.Propagation;
import com.liferay.portal.kernel.transaction.TransactionConfig;
import com.liferay.portal.kernel.transaction.TransactionInvokerUtil;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.ListUtil;
import com.liferay.portal.kernel.util.MapUtil;
import com.liferay.portal.kernel.util.OrderByComparator;
import com.liferay.portal.kernel.util.Portal;
import com.liferay.portal.kernel.util.Validator;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.grants.code.AbstractAuthorizationCodeDataProvider;
import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeRegistration;
import org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCodeGrant;
import org.apache.cxf.rs.security.oauth2.grants.jwt.Constants;
import org.apache.cxf.rs.security.oauth2.provider.OAuthJoseJwtProducer;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;
import org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;

@Component(configurationPid = {"com.liferay.oauth2.provider.rest.internal.configuration.OAuth2AuthorizationServerConfiguration"}, service = {LiferayOAuthDataProvider.class})
/* loaded from: input_file:com/liferay/oauth2/provider/rest/internal/endpoint/liferay/LiferayOAuthDataProvider.class */
public class LiferayOAuthDataProvider extends AbstractAuthorizationCodeDataProvider {
    private static final Log _log = LogFactoryUtil.getLog(LiferayOAuthDataProvider.class);
    // Grant types for which createAccessToken() does NOT append the refresh-token scope.
    // Static and mutable: filled in activate() and read on every createAccessToken() call.
    // NOTE(review): a plain HashSet shared by every instance with no synchronization visible here;
    // confirm activation always completes before token requests can reach this component.
    private static final Set<String> _refreshTokenIncompatibleGrants = new HashSet();

    // Dynamic, greedy OSGi reference; declared volatile because it can be rebound at runtime.
    @Reference(policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    private volatile BearerTokenProviderAccessor _bearerTokenProviderAccessor;

    @Reference
    private CompanyLocalService _companyLocalService;

    @Reference
    private ConfigurationProvider _configurationProvider;

    @Reference
    private OAuth2ApplicationLocalService _oAuth2ApplicationLocalService;

    @Reference
    private OAuth2ApplicationScopeAliasesLocalService _oAuth2ApplicationScopeAliasesLocalService;

    @Reference
    private OAuth2AuthorizationLocalService _oAuth2AuthorizationLocalService;
    // Not injected: built in activate() from the component configuration properties.
    private OAuth2AuthorizationServerConfiguration _oAuth2AuthorizationServerConfiguration;

    @Reference
    private OAuth2ScopeGrantLocalService _oAuth2ScopeGrantLocalService;
    // Holder used by getJwtAccessTokenProducer() to obtain the JWT producer on demand.
    private final DCLSingleton<OAuthJoseJwtProducer> _oAuthJoseJwtProducerDCLSingleton = new DCLSingleton<>();

    @Reference
    private Portal _portal;

    @Reference
    private ScopeLocator _scopeLocator;

    // Storage for authorization code grants; every code-grant method in this class delegates to it.
    @Reference
    private ServerAuthorizationCodeGrantProvider _serverAuthorizationCodeGrantProvider;

    @Reference
    private UserLocalService _userLocalService;

    /**
     * Creates the provider and registers the refresh-token scope as invisible to
     * clients, so that {@link #convertScopeToPermissions} flags the permission
     * built for it accordingly.
     */
    public LiferayOAuthDataProvider() {
        List<String> hiddenScopes = Collections.singletonList(OAuthConstants.REFRESH_TOKEN_SCOPE);
        setInvisibleToClientScopes(hiddenScopes);
    }

    /**
     * Wraps every scope name in an {@link OAuthPermission}, marking those listed in
     * {@code getInvisibleToClientScopes()} as invisible to the client.
     *
     * <p>This is a pure conversion: the {@code client} argument is not consulted,
     * so nothing here restricts the scopes to those registered for the client.
     *
     * @param client the requesting client (unused by this implementation)
     * @param list   the scope names to convert
     * @return one permission per scope name, in input order
     */
    @Override
    public List<OAuthPermission> convertScopeToPermissions(Client client, List<String> list) {
        List<OAuthPermission> permissions = new ArrayList<>();
        List<String> hiddenScopes = getInvisibleToClientScopes();
        for (String scopeName : list) {
            OAuthPermission permission = new OAuthPermission(scopeName);
            boolean hidden = hiddenScopes.contains(permission.getPermission());
            if (hidden) {
                permission.setInvisibleToClient(true);
            }
            permissions.add(permission);
        }
        return permissions;
    }

    /**
     * Fixes the approved scope on the registration and delegates token creation to
     * the superclass.
     *
     * <p>The approved scope is the requested scope, or the client's registered
     * scopes when nothing was requested. Unless the grant type is listed in
     * {@code _refreshTokenIncompatibleGrants}, the refresh-token scope is appended.
     *
     * @param accessTokenRegistration the token request being processed
     * @return the token created by the superclass
     * @throws OAuthServiceException propagated from the superclass
     */
    @Override
    public ServerAccessToken createAccessToken(AccessTokenRegistration accessTokenRegistration) throws OAuthServiceException {
        List<String> approvedScopes = new ArrayList<>(accessTokenRegistration.getRequestedScope());
        if (approvedScopes.isEmpty()) {
            approvedScopes.addAll(accessTokenRegistration.getClient().getRegisteredScopes());
        }
        // NOTE(review): a non-empty requested scope is approved as-is; no comparison with the
        // client's registered scopes happens in this method. Presumably the grant handler has
        // already validated it; confirm against the caller.
        accessTokenRegistration.setApprovedScope(approvedScopes);
        // The refresh-token scope is appended AFTER setApprovedScope, to the same list instance.
        // It reaches the registration only if the setter keeps this reference. TODO confirm.
        String grantType = accessTokenRegistration.getGrantType();
        boolean refreshTokenAllowed = !_refreshTokenIncompatibleGrants.contains(grantType);
        if (refreshTokenAllowed) {
            approvedScopes.add(OAuthConstants.REFRESH_TOKEN_SCOPE);
        }
        return super.createAccessToken(accessTokenRegistration);
    }

    /**
     * Creates an authorization code grant through the superclass, completes it with
     * the registration's extra properties and requested scopes, and stores it in
     * the grant provider.
     *
     * <p>When the grant carries no code challenge method, {@code "S256"} is set,
     * so a grant never leaves this method with the method unset.
     *
     * @param authorizationCodeRegistration the authorization request data
     * @return the stored grant
     * @throws OAuthServiceException propagated from the superclass
     */
    @Override
    public ServerAuthorizationCodeGrant createCodeGrant(AuthorizationCodeRegistration authorizationCodeRegistration) throws OAuthServiceException {
        ServerAuthorizationCodeGrant grant = super.createCodeGrant(authorizationCodeRegistration);
        boolean challengeMethodMissing = grant.getClientCodeChallengeMethod() == null;
        if (challengeMethodMissing) {
            // Default to the hashed PKCE method rather than leaving the method undefined.
            grant.setClientCodeChallengeMethod("S256");
        }
        grant.setExtraProperties(authorizationCodeRegistration.getExtraProperties());
        grant.setRequestedScopes(authorizationCodeRegistration.getRequestedScope());
        this._serverAuthorizationCodeGrantProvider.putServerAuthorizationCodeGrant(grant);
        return grant;
    }

    /**
     * Revokes an access token by overwriting its stored content with the
     * {@code "EXPIRED_TOKEN"} sentinel. The authorization row itself is kept.
     *
     * <p>{@link #getAccessToken(String)} rejects rows whose content equals the
     * sentinel, so presenting the literal sentinel string does not yield a token.
     *
     * @param serverAccessToken the token to revoke; a token with no matching
     *                          authorization is ignored
     */
    @Override
    public void doRevokeAccessToken(ServerAccessToken serverAccessToken) {
        String tokenKey = serverAccessToken.getTokenKey();
        OAuth2Authorization authorization = this._oAuth2AuthorizationLocalService.fetchOAuth2AuthorizationByAccessTokenContent(tokenKey);
        if (authorization != null) {
            authorization.setAccessTokenContent("EXPIRED_TOKEN");
            this._oAuth2AuthorizationLocalService.updateOAuth2Authorization(authorization);
        }
    }

    /**
     * Deletes the given authorization through the local service.
     *
     * <p>Unlike {@link #doRevokeAccessToken} and {@link #doRevokeRefreshToken},
     * which only overwrite the token content, this removes the record.
     *
     * @param oAuth2Authorization the authorization to delete
     */
    public void doRevokeAuthorization(OAuth2Authorization oAuth2Authorization) {
        OAuth2AuthorizationLocalService authorizationService = this._oAuth2AuthorizationLocalService;
        authorizationService.deleteOAuth2Authorization(oAuth2Authorization);
    }

    /**
     * Revokes a refresh token by overwriting its stored content with the
     * {@code "EXPIRED_TOKEN"} sentinel. The authorization row itself is kept.
     *
     * <p>{@link #getRefreshToken(String)} rejects rows whose content equals the
     * sentinel.
     *
     * @param refreshToken the token to revoke; a token with no matching
     *                     authorization is ignored
     */
    @Override
    public void doRevokeRefreshToken(RefreshToken refreshToken) {
        String tokenKey = refreshToken.getTokenKey();
        OAuth2Authorization authorization = this._oAuth2AuthorizationLocalService.fetchOAuth2AuthorizationByRefreshTokenContent(tokenKey);
        if (authorization != null) {
            authorization.setRefreshTokenContent("EXPIRED_TOKEN");
            this._oAuth2AuthorizationLocalService.updateOAuth2Authorization(authorization);
        }
    }

    /**
     * Copies a CXF access token into the SPI {@link BearerTokenProvider.AccessToken}
     * handed to bearer token providers.
     *
     * <p>The application comes from {@link #resolveOAuth2Application}, which
     * returns {@code null} for an unknown client. That value is passed on unchecked.
     * NOTE(review): the subject is dereferenced without a null check; confirm every
     * token reaching this method carries a subject.
     *
     * @param serverAccessToken the CXF token to convert
     * @return the SPI view of the token
     */
    public BearerTokenProvider.AccessToken fromCXFAccessToken(ServerAccessToken serverAccessToken) {
        OAuth2Application application = resolveOAuth2Application(serverAccessToken.getClient());
        UserSubject userSubject = serverAccessToken.getSubject();
        // Arguments are positional; they are listed one per line in constructor order.
        return new BearerTokenProvider.AccessToken(
            application,
            serverAccessToken.getAudiences(),
            serverAccessToken.getClientCodeVerifier(),
            serverAccessToken.getExpiresIn(),
            serverAccessToken.getExtraProperties(),
            serverAccessToken.getGrantCode(),
            serverAccessToken.getGrantType(),
            serverAccessToken.getIssuedAt(),
            serverAccessToken.getIssuer(),
            serverAccessToken.getNonce(),
            serverAccessToken.getParameters(),
            serverAccessToken.getRefreshToken(),
            serverAccessToken.getResponseType(),
            OAuthUtils.convertPermissionsToScopeList(serverAccessToken.getScopes()),
            serverAccessToken.getTokenKey(),
            serverAccessToken.getTokenType(),
            GetterUtil.getLong(userSubject.getId()),
            userSubject.getLogin());
    }

    /**
     * Copies a CXF refresh token into the SPI {@link BearerTokenProvider.RefreshToken}
     * handed to bearer token providers.
     *
     * <p>The application is resolved from the client attached to the refresh token
     * and may be {@code null} when that client is unknown. It is passed on unchecked.
     *
     * @param refreshToken the CXF refresh token to convert
     * @return the SPI view of the refresh token
     */
    public BearerTokenProvider.RefreshToken fromCXFRefreshToken(RefreshToken refreshToken) {
        OAuth2Application application = resolveOAuth2Application(refreshToken.getClient());
        UserSubject userSubject = refreshToken.getSubject();
        // Arguments are positional; they are listed one per line in constructor order.
        return new BearerTokenProvider.RefreshToken(
            application,
            refreshToken.getAudiences(),
            refreshToken.getClientCodeVerifier(),
            refreshToken.getExpiresIn(),
            refreshToken.getGrantType(),
            refreshToken.getIssuedAt(),
            OAuthUtils.convertPermissionsToScopeList(refreshToken.getScopes()),
            refreshToken.getTokenKey(),
            refreshToken.getTokenType(),
            GetterUtil.getLong(userSubject.getId()),
            userSubject.getLogin());
    }

    /**
     * Looks up the stored authorization for a presented access token and rebuilds
     * the CXF token from it.
     *
     * <p>Returns {@code null} for a blank token, an unknown token, or a token whose
     * stored content is the {@code "EXPIRED_TOKEN"} revocation sentinel. The
     * rejection messages carry the remote IP and, for revoked tokens, the
     * application and user IDs. The presented token value is never logged.
     *
     * <p>NOTE(review): unknown-token attempts are only reported at WARN level. No
     * throttling or lockout is visible in this method, so alerting on the repeated
     * message has to happen in log monitoring.
     *
     * @param str the access token value presented by the caller
     * @return the populated token, or {@code null} when it is rejected
     * @throws OAuthServiceException if the stored authorization cannot be converted
     */
    @Override
    public ServerAccessToken getAccessToken(String str) throws OAuthServiceException {
        if (Validator.isBlank(str)) {
            if (_log.isWarnEnabled()) {
                _log.warn(StringBundler.concat("Remote client ", _getRemoteIP(), " tried to use empty OAuth 2 access token"));
            }
            return null;
        }
        OAuth2Authorization authorization = this._oAuth2AuthorizationLocalService.fetchOAuth2AuthorizationByAccessTokenContent(str);
        if (authorization == null) {
            if (_log.isWarnEnabled()) {
                _log.warn(StringBundler.concat("Remote client ", _getRemoteIP(), " used unknown OAuth 2 token. Repeating report may be ", "a sign of a brute-force attack."));
            }
            return null;
        }
        // Revoked rows keep the sentinel as their content, so a caller presenting the literal
        // sentinel string matches such a row and must be turned away here.
        boolean revoked = "EXPIRED_TOKEN".equals(authorization.getAccessTokenContent());
        if (revoked) {
            if (_log.isDebugEnabled()) {
                _log.debug(StringBundler.concat("Remote client ", _getRemoteIP(), " tried to use expired or revoked OAuth 2 token for ", "Liferay OAuth 2 application ", Long.valueOf(authorization.getOAuth2ApplicationId()), " and user ", Long.valueOf(authorization.getUserId())));
            }
            return null;
        }
        try {
            return _populateAccessToken(authorization);
        } catch (PortalException portalException) {
            _log.error("Unable to populate access token", portalException);
            throw new OAuthServiceException(portalException);
        }
    }

    /**
     * Not supported: this provider does not enumerate access tokens per client or
     * subject.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public List<ServerAccessToken> getAccessTokens(Client client, UserSubject userSubject) throws OAuthServiceException {
        // Fail loudly rather than return a list that could be mistaken for "no tokens issued".
        throw new UnsupportedOperationException();
    }

    /**
     * Returns the bearer token provider selected by the accessor for the given
     * pair of values.
     *
     * <p>Callers in this class pass an application's company ID and client ID.
     *
     * @param j   the company ID
     * @param str the OAuth 2 client ID
     * @return whatever the accessor returns for that pair
     */
    public BearerTokenProvider getBearerTokenProvider(long j, String str) {
        // Read the volatile reference once, then delegate.
        BearerTokenProviderAccessor accessor = this._bearerTokenProviderAccessor;
        return accessor.getBearerTokenProvider(j, str);
    }

    /**
     * Builds the CXF {@link Client} for an application, using the current message
     * context.
     *
     * @param oAuth2Application the application to represent
     * @return the populated client
     */
    public Client getClient(OAuth2Application oAuth2Application) {
        MessageContext currentContext = getMessageContext();
        return _populateClient(oAuth2Application, currentContext);
    }

    /**
     * Not supported: this provider does not enumerate clients.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public List<Client> getClients(UserSubject userSubject) {
        // Client enumeration is deliberately unavailable through this provider.
        throw new UnsupportedOperationException();
    }

    /**
     * Returns the authorization code grants held by the grant provider for the
     * given client and subject.
     *
     * @param client      the client to look up grants for
     * @param userSubject the subject to look up grants for
     * @return the grants reported by the grant provider
     */
    @Override
    public List<ServerAuthorizationCodeGrant> getCodeGrants(Client client, UserSubject userSubject) throws OAuthServiceException {
        List<ServerAuthorizationCodeGrant> grants = this._serverAuthorizationCodeGrantProvider.getServerAuthorizationCodeGrants(client, userSubject);
        return grants;
    }

    /**
     * Returns the authorization code lifetime from the system-level
     * {@code OAuth2AuthorizationFlowConfiguration}.
     *
     * <p>The value is read on every call, so a configuration change applies to the
     * next grant.
     *
     * @return the configured {@code authorizationCodeGrantTTL}
     * @throws OAuthServiceException if the system configuration cannot be read
     */
    @Override
    public long getGrantLifetime() {
        Class<OAuth2AuthorizationFlowConfiguration> configurationClass = OAuth2AuthorizationFlowConfiguration.class;
        try {
            OAuth2AuthorizationFlowConfiguration flowConfiguration = (OAuth2AuthorizationFlowConfiguration) this._configurationProvider.getSystemConfiguration(configurationClass);
            return flowConfiguration.authorizationCodeGrantTTL();
        } catch (ConfigurationException configurationException) {
            throw new OAuthServiceException("Unable to get system configuration: " + configurationClass.getName(), configurationException);
        }
    }

    /**
     * Determines the issuer value for tokens created by this provider.
     *
     * <p>The primary source is {@code Portal.getHost} applied to the current HTTP
     * request. If that throws for any reason, the current company's web ID is used
     * instead, or {@code null} when the company cannot be fetched.
     *
     * <p>NOTE(review): the issuer is derived from the incoming request. Presumably
     * the host reflects the request's Host header; confirm that untrusted host
     * values are rejected before they reach here, because this value is set as the
     * issuer of new access tokens by {@code createNewAccessToken}.
     *
     * @return the issuer, or {@code null} if none can be determined
     */
    @Override
    public String getIssuer() {
        try {
            HttpServletRequest httpServletRequest = getMessageContext().getHttpServletRequest();
            return this._portal.getHost(httpServletRequest);
        } catch (Exception exception) {
            // Deliberately broad: any failure, including a missing message context, selects
            // the company fallback below. The cause is visible only at DEBUG level.
            if (_log.isDebugEnabled()) {
                _log.debug(exception);
            }
            Company company = this._companyLocalService.fetchCompany(CompanyThreadLocal.getCompanyId().longValue());
            return (company == null) ? null : company.getWebId();
        }
    }

    /**
     * Returns the JWT producer used for access tokens.
     *
     * <p>The instance is obtained from the {@code DCLSingleton} holder, which is
     * given {@code _createJwtAccessTokenProducer} as its supplier.
     *
     * @return the JWT producer
     */
    @Override
    public OAuthJoseJwtProducer getJwtAccessTokenProducer() {
        Object producer = this._oAuthJoseJwtProducerDCLSingleton.getSingleton(this::_createJwtAccessTokenProducer);
        return (OAuthJoseJwtProducer) producer;
    }

    /**
     * Fetches an authorization by its remember-device content for the application
     * behind the given client.
     *
     * <p>The application is looked up with the company ID stored in the client's
     * properties and the client's ID.
     *
     * @param client the client whose application scopes the lookup
     * @param str    the remember-device content to match
     * @param j      passed as the first argument of the lookup (presumably the
     *               user ID; verify against the service)
     * @return the authorization returned by the fetch
     * @throws OAuthServiceException if the application lookup fails
     */
    public OAuth2Authorization getOAuth2Authorization(Client client, String str, long j) {
        try {
            long companyId = MapUtil.getLong(client.getProperties(), OAuth2ProviderRESTEndpointConstants.PROPERTY_KEY_COMPANY_ID);
            OAuth2Application application = this._oAuth2ApplicationLocalService.getOAuth2Application(companyId, client.getClientId());
            long applicationId = application.getOAuth2ApplicationId();
            return this._oAuth2AuthorizationLocalService.fetchOAuth2AuthorizationByRememberDeviceContent(j, applicationId, str);
        } catch (PortalException portalException) {
            throw new OAuthServiceException(portalException);
        }
    }

    /**
     * Looks up the stored authorization for a presented refresh token and rebuilds
     * the CXF {@link RefreshToken} from it.
     *
     * <p>Returns {@code null} for a blank token, an unknown token, or a token whose
     * stored content is the {@code "EXPIRED_TOKEN"} revocation sentinel. The
     * presented token value is never written to the log.
     *
     * <p>The returned token's client, scopes and subject all come from the stored
     * authorization, not from the caller. Expiry is not checked here; that is done
     * by {@link #refreshAccessToken}.
     *
     * @param str the refresh token value presented by the caller
     * @return the rebuilt refresh token, or {@code null} when it is rejected
     * @throws OAuthServiceException if the owning application cannot be loaded
     */
    @Override
    public RefreshToken getRefreshToken(String str) {
        if (Validator.isBlank(str)) {
            if (_log.isWarnEnabled()) {
                _log.warn(StringBundler.concat("Remote client ", _getRemoteIP(), " tried to use empty OAuth 2 refresh token"));
            }
            return null;
        }
        try {
            OAuth2Authorization authorization = this._oAuth2AuthorizationLocalService.fetchOAuth2AuthorizationByRefreshTokenContent(str);
            if (authorization == null) {
                if (_log.isWarnEnabled()) {
                    _log.warn(StringBundler.concat("Remote client ", _getRemoteIP(), " used unknown OAuth 2 refresh token. Repeating ", "report may be a sign of a brute force attack."));
                }
                return null;
            }
            // Revoked rows keep the sentinel as their content; never rebuild a token from one.
            boolean revoked = "EXPIRED_TOKEN".equals(authorization.getRefreshTokenContent());
            if (revoked) {
                if (_log.isDebugEnabled()) {
                    _log.debug(StringBundler.concat("Remote client ", _getRemoteIP(), " tried to use expired or revoked OAuth 2 refresh ", "token for Liferay OAuth 2 application ", Long.valueOf(authorization.getOAuth2ApplicationId()), " and user ", Long.valueOf(authorization.getUserId())));
                }
                return null;
            }
            OAuth2Application application = this._oAuth2ApplicationLocalService.getOAuth2Application(authorization.getOAuth2ApplicationId());
            long expiresAt = _toCXFTime(authorization.getRefreshTokenExpirationDate());
            long issuedAt = _toCXFTime(authorization.getRefreshTokenCreateDate());
            // The third constructor argument is a lifetime, hence expiration minus creation.
            long lifetime = expiresAt - issuedAt;
            RefreshToken storedRefreshToken = new RefreshToken(_populateClient(application, getMessageContext()), str, lifetime, issuedAt);
            storedRefreshToken.setAccessTokens(Collections.singletonList(authorization.getAccessTokenContent()));
            List<String> scopeAliases = this._oAuth2ApplicationScopeAliasesLocalService.getScopeAliasesList(authorization.getOAuth2ApplicationScopeAliasesId());
            storedRefreshToken.setScopes(convertScopeToPermissions(storedRefreshToken.getClient(), scopeAliases));
            storedRefreshToken.setSubject(_populateUserSubject(authorization.getCompanyId(), authorization.getUserId(), authorization.getUserName()));
            storedRefreshToken.getExtraProperties().put(OAuth2ProviderRESTEndpointConstants.PROPERTY_KEY_COMPANY_ID, String.valueOf(authorization.getCompanyId()));
            return storedRefreshToken;
        } catch (PortalException portalException) {
            throw new OAuthServiceException(portalException);
        }
    }

    /**
     * Always returns {@code null}: refresh tokens are not enumerated per client or
     * subject.
     *
     * <p>NOTE(review): {@code getAccessTokens} and {@code getClients} throw
     * {@code UnsupportedOperationException} instead. Callers of this method must
     * null-check the result rather than iterate it.
     *
     * @return {@code null}
     */
    @Override
    public List<RefreshToken> getRefreshTokens(Client client, UserSubject userSubject) throws OAuthServiceException {
        List<RefreshToken> noListing = null;
        return noListing;
    }

    /**
     * Returns the stored authorization code grant for a code without removing it.
     *
     * @param str the authorization code; {@code null} yields {@code null} without
     *            consulting the grant provider
     * @return the grant reported by the grant provider, or {@code null}
     */
    public ServerAuthorizationCodeGrant getServerAuthorizationCodeGrant(String str) {
        return (str == null) ? null : this._serverAuthorizationCodeGrantProvider.getServerAuthorizationCodeGrant(str);
    }

    /**
     * Builds the CXF {@link UserSubject} for a user ID.
     *
     * @param j the user ID
     * @return a subject built from the user's company ID, ID and screen name, or
     *         {@code null} when no such user exists
     */
    public UserSubject getUserSubject(long j) {
        User user = this._userLocalService.fetchUser(j);
        return (user == null) ? null : _populateUserSubject(user.getCompanyId(), j, user.getScreenName());
    }

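    /**
     * Exchanges a refresh token for a new access token and a new refresh token.
     *
     * <p>The request is refused with {@code access_denied} when the refresh token
     * is unknown or revoked, when it is expired (it is revoked at that point), when
     * the presented client does not resolve to an application, when the bearer
     * token provider reports it invalid (it is revoked at that point), or when its
     * authorization can no longer be fetched. The new access and refresh tokens are
     * saved in one transactional invocation.
     *
     * <p>When {@code OAuth2ProviderConfiguration.recycleRefreshToken()} is true,
     * the new refresh token reuses the presented token's key, so the refresh token
     * value does not change across refreshes.
     *
     * <p>The {@code list} argument is not used: the refreshed token always receives
     * the scopes of the refresh token.
     *
     * <p>NOTE(review): no comparison between {@code client} and the client stored
     * with the refresh token ({@code refreshToken.getClient()}) is visible in this
     * method. Confirm that the binding of a refresh token to the client it was
     * issued to is enforced by the caller or by {@code BearerTokenProvider.isValid}.
     *
     * @param client the client presenting the refresh token
     * @param str    the refresh token value
     * @param list   requested scopes (ignored)
     * @return the new access token, carrying the key of the new refresh token
     * @throws OAuthServiceException on any refusal, configuration or persistence
     *                               failure
     */
    @Override
    public ServerAccessToken refreshAccessToken(Client client, String str, List<String> list) throws OAuthServiceException {
        RefreshToken currentRefreshToken = getRefreshToken(str);
        if (currentRefreshToken == null) {
            throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
        }
        if (OAuthUtils.isExpired(Long.valueOf(currentRefreshToken.getIssuedAt()), Long.valueOf(currentRefreshToken.getExpiresIn()))) {
            doRevokeRefreshToken(currentRefreshToken);
            if (_log.isDebugEnabled()) {
                _log.debug(StringBundler.concat("Remote client ", _getRemoteIP(), " tried to use an expired OAuth 2 refresh token for ", "OAuth 2 client ID ", client.getClientId()));
            }
            throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
        }
        OAuth2Application oAuth2Application = resolveOAuth2Application(client);
        if (oAuth2Application == null) {
            // resolveOAuth2Application() returns null for an unknown client and reports it at
            // WARN level. Refuse here instead of failing with a NullPointerException below.
            throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
        }
        BearerTokenProvider bearerTokenProvider = getBearerTokenProvider(oAuth2Application.getCompanyId(), oAuth2Application.getClientId());
        if (!bearerTokenProvider.isValid(fromCXFRefreshToken(currentRefreshToken))) {
            doRevokeRefreshToken(currentRefreshToken);
            if (_log.isWarnEnabled()) {
                _log.warn(StringBundler.concat("Remote client ", _getRemoteIP(), " tried to use an invalid OAuth 2 token for OAuth 2 ", "client ID ", client.getClientId()));
            }
            throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
        }
        // Re-fetch by content: the authorization may have been revoked or deleted since
        // getRefreshToken() read it at the top of this method.
        if (this._oAuth2AuthorizationLocalService.fetchOAuth2AuthorizationByRefreshTokenContent(str) == null) {
            if (_log.isWarnEnabled()) {
                _log.warn(StringBundler.concat("Remote client ", _getRemoteIP(), " used unknown OAuth 2 refresh token for OAuth 2 ", "client ID ", client.getClientId(), ". Repeating report may be a sign of a brute force ", "attack."));
            }
            throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
        }
        ServerAccessToken newAccessToken = doRefreshAccessToken(client, currentRefreshToken, Collections.emptyList());
        // Point at the presented refresh token until the replacement has been persisted.
        newAccessToken.setRefreshToken(currentRefreshToken.getTokenKey());
        RefreshToken newRefreshToken = doCreateNewRefreshToken(newAccessToken);
        try {
            OAuth2ProviderConfiguration providerConfiguration = (OAuth2ProviderConfiguration) this._configurationProvider.getSystemConfiguration(OAuth2ProviderConfiguration.class);
            if (providerConfiguration.recycleRefreshToken()) {
                // Recycling keeps the presented key, so the refresh token value is not rotated.
                newRefreshToken.setTokenKey(currentRefreshToken.getTokenKey());
            }
            newRefreshToken.getAccessTokens().add(newAccessToken.getTokenKey());
            try {
                // Persist both tokens together so neither is stored without the other.
                _invokeTransactionally(() -> {
                    saveAccessToken(newAccessToken);
                    saveRefreshToken(newRefreshToken);
                });
                newAccessToken.setRefreshToken(newRefreshToken.getTokenKey());
                return newAccessToken;
            } catch (Throwable throwable) {
                throw new OAuthServiceException(throwable);
            }
        } catch (ConfigurationException configurationException) {
            throw new OAuthServiceException("Unable to get system configuration: " + OAuth2ProviderConfiguration.class.getName(), configurationException);
        }
    }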

    /**
     * Removes the authorization code grant for a code from the grant provider and
     * returns it.
     *
     * @param str the authorization code; {@code null} yields {@code null} without
     *            consulting the grant provider
     * @return the value returned by the grant provider's remove call, or
     *         {@code null}
     */
    @Override
    public ServerAuthorizationCodeGrant removeCodeGrant(String str) throws OAuthServiceException {
        return (str == null) ? null : this._serverAuthorizationCodeGrantProvider.removeServerAuthorizationCodeGrant(str);
    }

    /**
     * Resolves the application behind a CXF client, using the company ID stored in
     * the client's properties and the client's ID.
     *
     * <p>NOTE(review): the client ID is written to the log as-is. Confirm the
     * logging pipeline neutralizes line breaks in values that can originate from a
     * request.
     *
     * @param client the client to resolve
     * @return the application, or {@code null} when none matches (reported at WARN
     *         level); callers must handle {@code null}
     */
    public OAuth2Application resolveOAuth2Application(Client client) {
        long companyId = GetterUtil.getLong(client.getProperties().get(OAuth2ProviderRESTEndpointConstants.PROPERTY_KEY_COMPANY_ID));
        OAuth2Application application = this._oAuth2ApplicationLocalService.fetchOAuth2Application(companyId, client.getClientId());
        if (application == null && _log.isWarnEnabled()) {
            _log.warn(StringBundler.concat("Remote client ", _getRemoteIP(), " tried to use a nonexistent OAuth 2 client ID ", client.getClientId()));
        }
        return application;
    }

    /**
     * Not supported: clients cannot be registered through this provider.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public void setClient(Client client) {
        // Client registration is deliberately unavailable through this provider.
        throw new UnsupportedOperationException();
    }

    /**
     * Delegates to {@code OAuth2AuthorizationLocalService.updateRememberDeviceContent}
     * with both arguments unchanged.
     *
     * @param str  first argument of the service call
     * @param str2 second argument of the service call
     */
    public void updateRememberDeviceContent(String str, String str2) {
        OAuth2AuthorizationLocalService authorizationService = this._oAuth2AuthorizationLocalService;
        authorizationService.updateRememberDeviceContent(str, str2);
    }

    /**
     * Component activation: registers the grant types that must not receive a
     * refresh-token scope, builds the server configuration from the component
     * properties, and runs {@code _init()}.
     *
     * @param map the component configuration properties
     */
    @Activate
    protected void activate(Map<String, Object> map) {
        String encodedClientCredentialsGrant = HttpUtils.urlEncode(OAuthConstants.CLIENT_CREDENTIALS_GRANT, StandardCharsets.UTF_8.name());
        // JWT_BEARER_GRANT is passed twice; the second occurrence is a no-op on a Set.
        // NOTE(review): this listing is decompiler output, which may have restored the constant
        // names from inlined values. Check the original source for which grant type was meant
        // to be registered in URL-encoded form. A grant type missing from this set gets the
        // refresh-token scope in createAccessToken().
        Collections.addAll(_refreshTokenIncompatibleGrants, Constants.JWT_BEARER_GRANT, Constants.JWT_BEARER_GRANT, encodedClientCredentialsGrant);
        Object configuration = ConfigurableUtil.createConfigurable(OAuth2AuthorizationServerConfiguration.class, map);
        this._oAuth2AuthorizationServerConfiguration = (OAuth2AuthorizationServerConfiguration) configuration;
        _init();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the JWT claims for an access token through the superclass and adds a
     * {@code scope} claim when the token has scopes.
     *
     * @param serverAccessToken the token being encoded
     * @return the claims, with {@code scope} set only for a non-empty scope list
     */
    @Override
    public JwtClaims createJwtAccessToken(ServerAccessToken serverAccessToken) {
        JwtClaims claims = super.createJwtAccessToken(serverAccessToken);
        List<OAuthPermission> grantedScopes = serverAccessToken.getScopes();
        if (grantedScopes.isEmpty()) {
            // No scopes: the claim is left out instead of being written empty.
            return claims;
        }
        claims.setClaim("scope", OAuthUtils.convertPermissionsToScope(grantedScopes));
        return claims;
    }

    /* JADX INFO: Access modifiers changed from: protected */
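    /**
     * Creates a new access token through the superclass and stamps it with this
     * provider's issuer when one can be determined.
     *
     * @param client      the client the token is created for
     * @param userSubject the subject the token is created for
     * @return the new token; its issuer is left as the superclass set it when
     *         {@link #getIssuer()} returns {@code null}
     */
    @Override
    public ServerAccessToken createNewAccessToken(Client client, UserSubject userSubject) {
        ServerAccessToken accessToken = super.createNewAccessToken(client, userSubject);
        // Resolve the issuer once. getIssuer() consults the current request and can fall back to
        // a company lookup, so calling it again after the null check repeats that work and
        // could return a different value than the one that was checked.
        String issuer = getIssuer();
        if (issuer != null) {
            accessToken.setIssuer(issuer);
        }
        return accessToken;
    }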

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the access token for a registration: an opaque token first, then the
     * {@code x5t#S256} value from the message context if one is present, then
     * customization, and finally conversion to JWT when JWT access tokens are
     * enabled.
     *
     * <p>NOTE(review): {@code x5t#S256} presumably carries the SHA-256 thumbprint
     * of the client certificate for certificate-bound tokens. Confirm where the
     * message context value is set and that it comes from the verified TLS layer.
     *
     * @param accessTokenRegistration the token request with its approved scope
     * @return the finished access token
     */
    @Override
    public ServerAccessToken doCreateAccessToken(AccessTokenRegistration accessTokenRegistration) {
        ServerAccessToken accessToken = _createOpaqueServerAccessToken(
            accessTokenRegistration.getAudiences(),
            accessTokenRegistration.getClient(),
            accessTokenRegistration.getClientCodeVerifier(),
            accessTokenRegistration.getGrantCode(),
            accessTokenRegistration.getGrantType(),
            accessTokenRegistration.getNonce(),
            accessTokenRegistration.getExtraProperties(),
            convertScopeToPermissions(accessTokenRegistration.getClient(), accessTokenRegistration.getApprovedScope()),
            accessTokenRegistration.getResponseType(),
            accessTokenRegistration.getSubject());
        MessageContext messageContext = getMessageContext();
        if (messageContext != null) {
            String confirmationValue = (String) messageContext.get("x5t#S256");
            if (confirmationValue != null) {
                accessToken.getExtraProperties().put("x5t#S256", confirmationValue);
            }
        }
        _customizeServerAccessToken(accessTokenRegistration.getExtraProperties(), accessToken);
        if (isUseJwtFormatForAccessTokens()) {
            _convertToJWTAccessToken(accessToken);
        }
        return accessToken;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates a refresh token through the superclass, passes it to the
     * application's bearer token provider via {@code onBeforeCreate}, and copies
     * the SPI token's values back onto the CXF token.
     *
     * <p>After this method the CXF token's key, lifetime, scopes and subject are
     * those of the SPI token as {@code onBeforeCreate} left it.
     * NOTE(review): the application is dereferenced without a null check, although
     * {@code resolveOAuth2Application} can return {@code null}. Confirm an unknown
     * client cannot reach this point.
     *
     * @param serverAccessToken the access token the refresh token belongs to
     * @return the refresh token carrying the SPI token's values
     */
    @Override
    public RefreshToken doCreateNewRefreshToken(ServerAccessToken serverAccessToken) {
        RefreshToken cxfRefreshToken = super.doCreateNewRefreshToken(serverAccessToken);
        BearerTokenProvider.RefreshToken spiRefreshToken = fromCXFRefreshToken(cxfRefreshToken);
        OAuth2Application application = spiRefreshToken.getOAuth2Application();
        BearerTokenProvider bearerTokenProvider = getBearerTokenProvider(application.getCompanyId(), application.getClientId());
        bearerTokenProvider.onBeforeCreate(spiRefreshToken);
        // Copy every field back from the SPI token onto the CXF token.
        cxfRefreshToken.setAudiences(spiRefreshToken.getAudiences());
        cxfRefreshToken.setClientCodeVerifier(spiRefreshToken.getClientCodeVerifier());
        cxfRefreshToken.setExpiresIn(spiRefreshToken.getExpiresIn());
        cxfRefreshToken.setGrantType(spiRefreshToken.getGrantType());
        cxfRefreshToken.setIssuedAt(spiRefreshToken.getIssuedAt());
        cxfRefreshToken.setScopes(convertScopeToPermissions(serverAccessToken.getClient(), spiRefreshToken.getScopes()));
        cxfRefreshToken.setTokenKey(spiRefreshToken.getTokenKey());
        cxfRefreshToken.setTokenType(spiRefreshToken.getTokenType());
        UserSubject tokenSubject = cxfRefreshToken.getSubject();
        tokenSubject.setId(String.valueOf(spiRefreshToken.getUserId()));
        tokenSubject.setLogin(spiRefreshToken.getUserName());
        return cxfRefreshToken;
    }

    /**
     * Resolves a client ID to a CXF {@link Client} within the company bound to the
     * current thread.
     *
     * <p>On success the client ID is also stored in the message context under
     * {@code client_id}.
     *
     * <p>NOTE(review): the client ID is written to the WARN message as-is, and it
     * presumably comes straight from the request. Confirm the logging pipeline
     * neutralizes line breaks. Also, the message context is used without the null
     * check that {@code doCreateAccessToken} applies; verify against callers.
     *
     * @param str the client ID to resolve
     * @return the populated client, or {@code null} when no application matches
     */
    @Override
    protected Client doGetClient(String str) {
        long companyId = CompanyThreadLocal.getCompanyId().longValue();
        OAuth2Application application = this._oAuth2ApplicationLocalService.fetchOAuth2Application(companyId, str);
        if (application == null) {
            if (_log.isWarnEnabled()) {
                _log.warn(StringBundler.concat("Remote client ", _getRemoteIP(), " tried to use a nonexistent OAuth 2 client ID ", str));
            }
            return null;
        }
        MessageContext messageContext = getMessageContext();
        messageContext.put("client_id", str);
        return _populateClient(application, messageContext);
    }

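    /**
     * Builds the access token issued in exchange for a refresh token.
     *
     * <p>With no requested scopes the new token inherits a copy of the refresh
     * token's scopes. With requested scopes, every one of them must already be
     * granted to the refresh token, otherwise the request is refused. A refresh
     * token without any scope list grants nothing, so a scoped request against it
     * is refused as well.
     *
     * @param client       the client the token is issued to
     * @param refreshToken the refresh token being exchanged
     * @param list         requested scopes; {@code null} or empty means "same as
     *                     the refresh token"
     * @return the new access token, in JWT form when JWT access tokens are enabled
     * @throws OAuthServiceException if a requested scope is not covered by the
     *                               refresh token
     */
    @Override
    protected ServerAccessToken doRefreshAccessToken(Client client, RefreshToken refreshToken, List<String> list) {
        List<OAuthPermission> grantedScopes = refreshToken.getScopes();
        List<OAuthPermission> tokenScopes;
        if (list == null || list.isEmpty()) {
            tokenScopes = (grantedScopes != null) ? new ArrayList<>(grantedScopes) : null;
        } else {
            tokenScopes = convertScopeToPermissions(client, list);
            // Fail closed: a missing scope list is treated as "nothing granted" rather than
            // letting the containment check die with a NullPointerException.
            if (grantedScopes == null || !grantedScopes.containsAll(tokenScopes)) {
                throw new OAuthServiceException("Invalid scopes");
            }
        }
        // Copy the audiences so the new token does not share a list with the refresh token.
        List<String> audiences = (refreshToken.getAudiences() != null) ? new ArrayList<>(refreshToken.getAudiences()) : null;
        ServerAccessToken accessToken = _createOpaqueServerAccessToken(
            audiences,
            client,
            refreshToken.getClientCodeVerifier(),
            refreshToken.getGrantCode(),
            refreshToken.getGrantType(),
            refreshToken.getNonce(),
            refreshToken.getExtraProperties(),
            tokenScopes,
            refreshToken.getResponseType(),
            refreshToken.getSubject());
        _customizeServerAccessToken(Collections.emptyMap(), accessToken);
        if (isUseJwtFormatForAccessTokens()) {
            _convertToJWTAccessToken(accessToken);
        }
        return accessToken;
    }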

    /**
     * Rejects client removal through this data provider.
     *
     * @param client ignored
     * @throws UnsupportedOperationException always
     */
    @Override // org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthDataProvider
    protected void doRemoveClient(Client client) {
        // Removal is deliberately not wired to the application store here.
        throw new UnsupportedOperationException();
    }

    /**
     * Serialises the given claims as a JWT access token.
     *
     * <p>The JOSE header carries {@code typ=at+jwt}, the type RFC 9068 assigns
     * to JWT access tokens. A resource server can check it to tell access
     * tokens apart from other JWTs.</p>
     *
     * @param jwtClaims the claims of the access token
     * @return the JWT as processed by the access token producer
     */
    @Override // org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthDataProvider
    protected String processJwtAccessToken(JwtClaims jwtClaims) {
        OAuthJoseJwtProducer producer = getJwtAccessTokenProducer();
        JwsHeaders headers = new JwsHeaders();
        headers.setHeader("typ", "at+jwt");
        JwtToken jwtToken = new JwtToken(headers, jwtClaims);
        return producer.processJwt(jwtToken);
    }

    /**
     * Persists the access token inside a transaction.
     *
     * @param serverAccessToken the token to store
     * @throws OAuthServiceException wrapping anything thrown while saving
     */
    @Override // org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthDataProvider
    protected void saveAccessToken(ServerAccessToken serverAccessToken) {
        try {
            _invokeTransactionally(() -> _transactionalSaveServerAccessToken(serverAccessToken));
        } catch (Throwable throwable) {
            // _invokeTransactionally declares Throwable, so every failure is
            // funnelled into the single exception type callers expect.
            throw new OAuthServiceException(throwable);
        }
    }

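    /**
     * Attaches the refresh token to the authorization that already holds its
     * first access token.
     *
     * <p>The authorization row is looked up by the content of the first access
     * token listed on the refresh token. The refresh token key, its creation
     * date and its expiration date (issued-at plus lifetime) are then stored on
     * that row.</p>
     *
     * @param refreshToken the refresh token to store
     * @throws OAuthServiceException if the refresh token lists no access token,
     *         or no authorization is stored for the listed access token
     */
    @Override // org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthDataProvider
    protected void saveRefreshToken(RefreshToken refreshToken) {
        List<String> accessTokens = refreshToken.getAccessTokens();
        if (ListUtil.isEmpty(accessTokens)) {
            throw new OAuthServiceException("Unable to find granted token");
        }
        OAuth2Authorization oAuth2Authorization = this._oAuth2AuthorizationLocalService.fetchOAuth2AuthorizationByAccessTokenContent(accessTokens.get(0));
        // Other fetch* lookups in this class are null-checked; presumably this
        // one also returns null when nothing matches (for example when the
        // authorization was revoked in the meantime). Fail with the provider's
        // exception type instead of a NullPointerException, and keep the token
        // value out of the message.
        if (oAuth2Authorization == null) {
            throw new OAuthServiceException("Unable to find granted token");
        }
        long issuedAt = refreshToken.getIssuedAt();
        oAuth2Authorization.setRefreshTokenContent(refreshToken.getTokenKey());
        oAuth2Authorization.setRefreshTokenCreateDate(_toDate(issuedAt));
        oAuth2Authorization.setRefreshTokenExpirationDate(_toDate(issuedAt + refreshToken.getExpiresIn()));
        this._oAuth2AuthorizationLocalService.updateOAuth2Authorization(oAuth2Authorization);
    }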

    /**
     * Builds the JWT form of the access token and stores it on the token.
     *
     * <p>When JWT encodings are persisted the JWT replaces the token key;
     * otherwise it is kept as the encoded token and the token key is left
     * unchanged.</p>
     *
     * @param serverAccessToken the token to convert in place
     */
    private void _convertToJWTAccessToken(ServerAccessToken serverAccessToken) {
        JwtClaims claims = createJwtAccessToken(serverAccessToken);
        String encodedJwt = processJwtAccessToken(claims);
        if (!isPersistJwtEncoding()) {
            serverAccessToken.setEncodedToken(encodedJwt);
            return;
        }
        serverAccessToken.setTokenKey(encodedJwt);
    }

    /**
     * Creates the producer that signs JWT access tokens.
     *
     * <p>The signature provider is derived from the JSON Web Key held in the
     * authorization server configuration.</p>
     *
     * @return a producer configured with the signing key
     */
    private OAuthJoseJwtProducer _createJwtAccessTokenProducer() {
        OAuthJoseJwtProducer producer = new OAuthJoseJwtProducer();
        // NOTE(review): the configured JWK is presumably private signing key
        // material. Keep it out of logs and exception messages, and confirm who
        // may read or change this configuration.
        producer.setSignatureProvider(
            JwsUtils.getSignatureProvider(
                JwkUtils.readJwkKey(
                    this._oAuth2AuthorizationServerConfiguration.jwtAccessTokenSigningJSONWebKey())));
        return producer;
    }

    /**
     * Creates a new access token for the client and subject and copies the
     * given grant details onto it.
     *
     * @param list the audiences
     * @param client the client the token is issued to
     * @param str the client code verifier
     * @param str2 the grant code
     * @param str3 the grant type
     * @param str4 the nonce
     * @param map extra properties, added to those of the new token
     * @param list2 the scopes as permissions
     * @param str5 the response type
     * @param userSubject the subject the token is issued for
     * @return the populated token
     */
    private ServerAccessToken _createOpaqueServerAccessToken(List<String> list, Client client, String str, String str2, String str3, String str4, Map<String, String> map, List<OAuthPermission> list2, String str5, UserSubject userSubject) {
        ServerAccessToken accessToken = createNewAccessToken(client, userSubject);

        // Extra properties are merged into what the new token already holds.
        accessToken.getExtraProperties().putAll(map);

        accessToken.setAudiences(list);
        accessToken.setClientCodeVerifier(str);
        accessToken.setGrantCode(str2);
        accessToken.setGrantType(str3);
        accessToken.setNonce(str4);
        accessToken.setResponseType(str5);
        accessToken.setScopes(list2);
        accessToken.setSubject(userSubject);

        return accessToken;
    }

    /**
     * Passes the token through the application's bearer token provider and
     * copies the outcome back onto the CXF token.
     *
     * <p>Order matters: the token is first converted to the provider's access
     * token representation, the CXF subject receives the user ID and name from
     * that representation, {@code onBeforeCreate} is invoked on it, and only
     * then are its fields written back. Whatever the provider changes in
     * {@code onBeforeCreate} (presumably lifetime, token key and similar
     * fields; confirm against the provider in use) therefore ends up on the
     * issued token.</p>
     *
     * @param map additional parameters merged over those of the provider token
     * @param serverAccessToken the token to customize in place
     */
    private void _customizeServerAccessToken(Map<String, String> map, ServerAccessToken serverAccessToken) {
        BearerTokenProvider.AccessToken bearerToken = fromCXFAccessToken(serverAccessToken);

        UserSubject userSubject = serverAccessToken.getSubject();
        userSubject.setId(String.valueOf(bearerToken.getUserId()));
        userSubject.setLogin(bearerToken.getUserName());

        // The provider is selected per company and client ID.
        OAuth2Application application = bearerToken.getOAuth2Application();
        getBearerTokenProvider(application.getCompanyId(), application.getClientId()).onBeforeCreate(bearerToken);

        serverAccessToken.setAudiences(bearerToken.getAudiences());
        serverAccessToken.setClientCodeVerifier(bearerToken.getClientCodeVerifier());
        serverAccessToken.setExpiresIn(bearerToken.getExpiresIn());
        serverAccessToken.setExtraProperties(bearerToken.getExtraProperties());
        serverAccessToken.setGrantCode(bearerToken.getGrantCode());
        serverAccessToken.setGrantType(bearerToken.getGrantType());
        serverAccessToken.setIssuedAt(bearerToken.getIssuedAt());
        serverAccessToken.setIssuer(bearerToken.getIssuer());
        serverAccessToken.setNonce(bearerToken.getNonce());

        // Caller-supplied entries win over the provider token's parameters.
        Map<String, String> mergedParameters = bearerToken.getParameters();
        mergedParameters.putAll(map);
        serverAccessToken.setParameters(mergedParameters);

        serverAccessToken.setRefreshToken(bearerToken.getRefreshToken());
        serverAccessToken.setResponseType(bearerToken.getResponseType());
        serverAccessToken.setScopes(convertScopeToPermissions(serverAccessToken.getClient(), bearerToken.getScopes()));
        serverAccessToken.setTokenKey(bearerToken.getTokenKey());
        serverAccessToken.setTokenType(bearerToken.getTokenType());
    }

    /**
     * Resolves the Liferay scopes that back the given scope aliases for one
     * scope-aliases record.
     *
     * <p>A scope grant contributes only when it shares at least one alias with
     * {@code list}, the scope locator can resolve it, and the resolved scope is
     * among the scopes the locator reports for the record's company. Grants
     * that fail any of these checks map to {@code null}; presumably
     * {@code TransformUtil.transform} drops those entries (verify against the
     * utility).</p>
     *
     * @param j the primary key of the application scope aliases record
     * @param list the scope aliases being granted
     * @return the matching scopes, or an empty collection when the record does
     *         not exist
     */
    private Collection<LiferayOAuth2Scope> _getLiferayOAuth2Scopes(long j, List<String> list) {
        OAuth2ApplicationScopeAliases scopeAliases = this._oAuth2ApplicationScopeAliasesLocalService.fetchOAuth2ApplicationScopeAliases(j);
        if (scopeAliases == null) {
            return Collections.emptyList();
        }
        return TransformUtil.transform(this._oAuth2ScopeGrantLocalService.getOAuth2ScopeGrants(j, -1, -1, (OrderByComparator) null), scopeGrant -> {
            // Skip grants that cover none of the requested aliases.
            if (Collections.disjoint(scopeGrant.getScopeAliasesList(), list)) {
                return null;
            }
            LiferayOAuth2Scope candidate = this._scopeLocator.getLiferayOAuth2Scope(scopeGrant.getCompanyId(), scopeGrant.getApplicationName(), scopeGrant.getScope());
            Collection knownScopes = this._scopeLocator.getLiferayOAuth2Scopes(scopeAliases.getCompanyId());
            // Only scopes the locator still knows for the company are granted.
            boolean usable = candidate != null && knownScopes.contains(candidate);
            return usable ? candidate : null;
        });
    }

    /**
     * Describes the remote peer of the current request for log messages.
     *
     * <p>NOTE(review): behind a reverse proxy or load balancer these values
     * describe the proxy unless the container is configured to honour
     * forwarded-address headers. Depending on the container,
     * {@code getRemoteHost()} may also perform a reverse DNS lookup.</p>
     *
     * @return the remote address and remote host, separated by {@code " - "}
     */
    private String _getRemoteIP() {
        HttpServletRequest request = getMessageContext().getHttpServletRequest();
        String remoteAddr = request.getRemoteAddr();
        String remoteHost = request.getRemoteHost();
        return remoteAddr + " - " + remoteHost;
    }

    /**
     * Resolves the portal user a subject refers to.
     *
     * <p>The subject's properties are consulted in a fixed order: {@code UUID},
     * then {@code emailAddress}, then {@code screenName}, each within the
     * company named by the company ID property. When none is present, the
     * subject ID is used as the user's primary key.</p>
     *
     * <p>NOTE(review): the token is bound to whichever user these properties
     * select. Confirm they are only ever set by server-side code and never
     * copied from request parameters.</p>
     *
     * @param userSubject the subject to resolve
     * @return the matching user
     * @throws Exception if a user service lookup fails
     */
    private User _getUser(UserSubject userSubject) throws Exception {
        Map<String, String> subjectProperties = userSubject.getProperties();
        long companyId = GetterUtil.getLong(subjectProperties.get(OAuth2ProviderRESTEndpointConstants.PROPERTY_KEY_COMPANY_ID));

        String uuid = subjectProperties.get("UUID");
        if (uuid != null) {
            return this._userLocalService.getUserByUuidAndCompanyId(uuid, companyId);
        }

        String emailAddress = subjectProperties.get("emailAddress");
        if (emailAddress != null) {
            return this._userLocalService.getUserByEmailAddress(companyId, emailAddress);
        }

        String screenName = subjectProperties.get("screenName");
        if (screenName != null) {
            return this._userLocalService.getUserByScreenName(companyId, screenName);
        }

        // Last resort: the subject ID is taken to be the user's primary key.
        return this._userLocalService.getUser(GetterUtil.getLong(userSubject.getId()));
    }

    /**
     * Applies the configured access token format: JWT access tokens are used
     * when the authorization server configuration asks for them.
     */
    private void _init() {
        boolean issueJwtAccessToken = this._oAuth2AuthorizationServerConfiguration.issueJWTAccessToken();
        setUseJwtFormatForAccessTokens(issueJwtAccessToken);
    }

    /**
     * Runs the given action through the transaction invoker with
     * {@code REQUIRED} propagation.
     *
     * <p>The configuration names {@code Exception} in its first class array
     * and passes an empty second array; presumably these are the rollback and
     * no-rollback lists, so any {@code Exception} rolls the transaction back
     * (verify against {@code TransactionConfig.Factory}).</p>
     *
     * @param runnable the action to run
     * @throws Throwable whatever the invoker or the action throws
     */
    private void _invokeTransactionally(Runnable runnable) throws Throwable {
        TransactionConfig transactionConfig = TransactionConfig.Factory.create(Propagation.REQUIRED, new Class[]{Exception.class}, new Class[0]);
        TransactionInvokerUtil.invoke(transactionConfig, () -> {
            runnable.run();
            // The invoker expects a result; there is none to report.
            return null;
        });
    }

    /**
     * Rebuilds a CXF bearer access token from a stored authorization.
     *
     * <p>The token lifetime is the difference between the stored expiration
     * and creation dates, in whole seconds. Subject, scopes and the company ID
     * extra property are restored from the authorization.</p>
     *
     * @param oAuth2Authorization the stored authorization
     * @return the reconstructed access token
     * @throws PortalException if a service call fails
     * @throws SystemException if the authorization's application no longer
     *         exists
     */
    private ServerAccessToken _populateAccessToken(OAuth2Authorization oAuth2Authorization) throws PortalException {
        OAuth2Application application = this._oAuth2ApplicationLocalService.fetchOAuth2Application(oAuth2Authorization.getOAuth2ApplicationId());
        if (application == null) {
            // NOTE(review): the message embeds oAuth2Authorization.toString().
            // The model carries access and refresh token content; confirm its
            // toString() does not expose them, or report only the ID.
            throw new SystemException("No application found for authorization " + oAuth2Authorization);
        }
        Client client = getClient(application.getClientId());

        long expiresAt = _toCXFTime(oAuth2Authorization.getAccessTokenExpirationDate());
        long issuedAt = _toCXFTime(oAuth2Authorization.getAccessTokenCreateDate());
        long lifetime = expiresAt - issuedAt;

        BearerAccessToken accessToken = new BearerAccessToken(client, oAuth2Authorization.getAccessTokenContent(), lifetime, issuedAt);
        accessToken.setSubject(_populateUserSubject(oAuth2Authorization.getCompanyId(), oAuth2Authorization.getUserId(), oAuth2Authorization.getUserName()));
        accessToken.setScopes(convertScopeToPermissions(client, this._oAuth2ApplicationScopeAliasesLocalService.getScopeAliasesList(oAuth2Authorization.getOAuth2ApplicationScopeAliasesId())));
        accessToken.getExtraProperties().put(OAuth2ProviderRESTEndpointConstants.PROPERTY_KEY_COMPANY_ID, String.valueOf(oAuth2Authorization.getCompanyId()));
        return accessToken;
    }

    /**
     * Converts a stored OAuth 2 application to a CXF {@code Client}.
     *
     * <p>Security-relevant behaviour visible here:</p>
     * <ul>
     * <li>A blank stored secret becomes {@code null}.</li>
     * <li>The client is confidential unless its authentication method is
     * {@code "none"}.</li>
     * <li>A grant type is allowed only when the application lists it and the
     * system-wide provider configuration enables it. The PKCE grant also adds
     * the plain authorization code grant; the JWT bearer grant is added in raw
     * and URL-encoded form.</li>
     * <li>When no grant type survives, a single empty string is added.</li>
     * </ul>
     *
     * @param oAuth2Application the stored application
     * @param messageContext the current message context, or {@code null}; its
     *        request is used when interpolating redirect URIs
     * @return the populated client
     * @throws OAuthServiceException if the provider configuration cannot be
     *         read
     */
    private Client _populateClient(OAuth2Application oAuth2Application, MessageContext messageContext) {
        String storedSecret = oAuth2Application.getClientSecret();
        String clientSecret = Validator.isBlank(storedSecret) ? null : storedSecret;
        String authenticationMethod = oAuth2Application.getClientAuthenticationMethod();
        boolean confidential = !authenticationMethod.equals("none");
        Client client = new Client(oAuth2Application.getClientId(), clientSecret, confidential, oAuth2Application.getName(), oAuth2Application.getHomePageURL());
        List<String> grantTypes = client.getAllowedGrantTypes();
        try {
            OAuth2ProviderConfiguration providerConfiguration = (OAuth2ProviderConfiguration) this._configurationProvider.getSystemConfiguration(OAuth2ProviderConfiguration.class);
            for (GrantType grantType : oAuth2Application.getAllowedGrantTypesList()) {
                // First match wins; a grant type whose system switch is off
                // falls through to the debug message at the end of the chain.
                if (providerConfiguration.allowAuthorizationCodeGrant() && grantType == GrantType.AUTHORIZATION_CODE) {
                    grantTypes.add(OAuthConstants.AUTHORIZATION_CODE_GRANT);
                } else if (providerConfiguration.allowAuthorizationCodePKCEGrant() && grantType == GrantType.AUTHORIZATION_CODE_PKCE) {
                    grantTypes.add(OAuthConstants.AUTHORIZATION_CODE_GRANT);
                    grantTypes.add(OAuth2ProviderRESTEndpointConstants.AUTHORIZATION_CODE_PKCE_GRANT);
                } else if (providerConfiguration.allowClientCredentialsGrant() && grantType == GrantType.CLIENT_CREDENTIALS) {
                    grantTypes.add(OAuthConstants.CLIENT_CREDENTIALS_GRANT);
                } else if (providerConfiguration.allowJWTBearerGrant() && grantType == GrantType.JWT_BEARER) {
                    grantTypes.add(Constants.JWT_BEARER_GRANT);
                    grantTypes.add(HttpUtils.urlEncode(Constants.JWT_BEARER_GRANT, StandardCharsets.UTF_8.name()));
                } else if (providerConfiguration.allowResourceOwnerPasswordCredentialsGrant() && grantType == GrantType.RESOURCE_OWNER_PASSWORD) {
                    grantTypes.add("password");
                } else if (providerConfiguration.allowRefreshTokenGrant() && grantType == GrantType.REFRESH_TOKEN) {
                    grantTypes.add("refresh_token");
                } else if (_log.isDebugEnabled()) {
                    _log.debug("Unknown or disabled grant type " + grantType);
                }
            }
            // Presumably an empty list would be read downstream as "no
            // restriction"; the empty-string entry keeps the list non-empty
            // while matching no real grant type. Verify against the grant check
            // in use.
            if (grantTypes.isEmpty()) {
                grantTypes.add("");
            }
            client.setApplicationDescription(oAuth2Application.getDescription());
            long scopeAliasesId = oAuth2Application.getOAuth2ApplicationScopeAliasesId();
            if (scopeAliasesId > 0) {
                client.setRegisteredScopes(this._oAuth2ApplicationScopeAliasesLocalService.getScopeAliasesList(oAuth2Application.getOAuth2ApplicationScopeAliasesId()));
            }
            HttpServletRequest request = messageContext != null ? messageContext.getHttpServletRequest() : null;
            client.setRedirectUris(OAuth2RedirectURIInterpolator.interpolateRedirectURIsList(request, oAuth2Application.getRedirectURIsList(), this._portal));
            client.setSubject(_populateUserSubject(oAuth2Application.getCompanyId(), oAuth2Application.getClientCredentialUserId(), oAuth2Application.getClientCredentialUserName()));
            client.setTokenEndpointAuthMethod(authenticationMethod);

            Map<String, String> clientProperties = client.getProperties();
            clientProperties.put(OAuth2ProviderRESTEndpointConstants.PROPERTY_KEY_COMPANY_ID, String.valueOf(oAuth2Application.getCompanyId()));
            clientProperties.put(OAuth2ProviderRESTEndpointConstants.PROPERTY_KEY_CLIENT_FEATURES, oAuth2Application.getFeatures());
            clientProperties.put(OAuth2ProviderRESTEndpointConstants.PROPERTY_KEY_CLIENT_JWKS, oAuth2Application.getJwks());
            clientProperties.put(OAuth2ProviderRESTEndpointConstants.PROPERTY_KEY_CLIENT_REMEMBER_DEVICE, String.valueOf(oAuth2Application.isRememberDevice()));
            clientProperties.put(OAuth2ProviderRESTEndpointConstants.PROPERTY_KEY_CLIENT_TRUSTED_APPLICATION, String.valueOf(oAuth2Application.isTrustedApplication()));
            // Each feature is also exposed under its own prefixed key.
            for (String feature : oAuth2Application.getFeaturesList()) {
                clientProperties.put(OAuth2ProviderRESTEndpointConstants.PROPERTY_KEY_CLIENT_FEATURE_PREFIX + feature, feature);
            }
            return client;
        } catch (ConfigurationException configurationException) {
            throw new OAuthServiceException("Unable to get system configuration: " + OAuth2ProviderConfiguration.class.getName(), (Throwable) configurationException);
        }
    }

    /**
     * Builds a CXF subject for a portal user.
     *
     * @param j the company ID, stored in the subject's properties
     * @param j2 the user ID, used as the subject ID
     * @param str the user name, used as the subject login
     * @return the new subject
     */
    private UserSubject _populateUserSubject(long j, long j2, String str) {
        String subjectId = String.valueOf(j2);
        UserSubject userSubject = new UserSubject(str, subjectId);
        Map<String, String> subjectProperties = userSubject.getProperties();
        subjectProperties.put(OAuth2ProviderRESTEndpointConstants.PROPERTY_KEY_COMPANY_ID, String.valueOf(j));
        return userSubject;
    }

    /**
     * Converts a date to whole seconds since the epoch, discarding the
     * millisecond remainder.
     *
     * @param date the date to convert
     * @return the epoch time in seconds
     */
    private long _toCXFTime(Date date) {
        long epochMillis = date.getTime();
        return epochMillis / 1000;
    }

    /**
     * Converts epoch seconds to a {@code Date}.
     *
     * @param j the epoch time in seconds
     * @return the corresponding date
     */
    private Date _toDate(long j) {
        long epochMillis = j * 1000;
        return new Date(epochMillis);
    }

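    /**
     * Stores an access token. Meant to run inside the transaction opened by
     * {@code saveAccessToken}.
     *
     * <p>Two paths exist. When the token carries a refresh token, the
     * authorization already stored for that refresh token is updated with the
     * new access token content and dates. Otherwise a new authorization is
     * created for the client's application and the resolved user, and the
     * token's scopes are granted to it.</p>
     *
     * @param serverAccessToken the token to store
     * @throws OAuthServiceException if no authorization is stored for the
     *         token's refresh token, or the scopes cannot be granted
     * @throws RuntimeException if the subject's user cannot be resolved
     */
    private void _transactionalSaveServerAccessToken(ServerAccessToken serverAccessToken) {
        Date createDate = _toDate(serverAccessToken.getIssuedAt());
        Date expirationDate = _toDate(serverAccessToken.getIssuedAt() + serverAccessToken.getExpiresIn());
        if (serverAccessToken.getRefreshToken() != null) {
            OAuth2Authorization existingAuthorization = this._oAuth2AuthorizationLocalService.fetchOAuth2AuthorizationByRefreshTokenContent(serverAccessToken.getRefreshToken());
            // Other fetch* lookups in this class are null-checked; presumably
            // this one also returns null when nothing matches (for example when
            // the authorization was revoked while the refresh was in flight).
            // Fail explicitly instead of with a NullPointerException, and keep
            // the token value out of the message.
            if (existingAuthorization == null) {
                throw new OAuthServiceException("Unable to find authorization for refresh token");
            }
            existingAuthorization.setAccessTokenContent(serverAccessToken.getTokenKey());
            existingAuthorization.setAccessTokenCreateDate(createDate);
            existingAuthorization.setAccessTokenExpirationDate(expirationDate);
            this._oAuth2AuthorizationLocalService.updateOAuth2Authorization(existingAuthorization);
            return;
        }
        Client client = serverAccessToken.getClient();
        OAuth2Application application = resolveOAuth2Application(client);
        // Tokens without a subject are stored with user ID 0 and an empty name.
        long userId = 0;
        String userName = "";
        if (serverAccessToken.getSubject() != null) {
            try {
                User user = _getUser(serverAccessToken.getSubject());
                userId = user.getUserId();
                userName = user.getFullName();
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
        Map<String, String> clientProperties = client.getProperties();
        OAuth2Authorization newAuthorization = this._oAuth2AuthorizationLocalService.addOAuth2Authorization(application.getCompanyId(), userId, userName, application.getOAuth2ApplicationId(), application.getOAuth2ApplicationScopeAliasesId(), serverAccessToken.getTokenKey(), createDate, expirationDate, clientProperties.get(OAuth2ProviderRESTEndpointConstants.PROPERTY_KEY_CLIENT_REMOTE_HOST), clientProperties.get(OAuth2ProviderRESTEndpointConstants.PROPERTY_KEY_CLIENT_REMOTE_ADDR), (String) null, (Date) null, (Date) null);
        try {
            this._oAuth2ScopeGrantLocalService.grantLiferayOAuth2Scopes(newAuthorization.getOAuth2AuthorizationId(), _getLiferayOAuth2Scopes(newAuthorization.getOAuth2ApplicationScopeAliasesId(), OAuthUtils.convertPermissionsToScopeList(serverAccessToken.getScopes())));
        } catch (PortalException e2) {
            // NOTE(review): this logs newAuthorization.toString(). The model
            // carries the access token content; confirm its toString() does not
            // expose it, or log only the authorization ID.
            _log.error("Unable to find authorization " + newAuthorization);
            throw new OAuthServiceException("Unable to grant scope for token", (Throwable) e2);
        }
    }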
}
