package org.springframework.security.oauth2.provider.token;

import java.util.Date;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.ExpiringOAuth2RefreshToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.TokenRequest;

/* loaded from: input_file:org/springframework/security/oauth2/provider/token/JwtTokenServices.class */
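/**
 * Token services that issue and read self-contained JWT tokens instead of looking tokens up in a
 * store. Encoding and decoding (and therefore signing and signature verification) are delegated
 * to a {@link JwtTokenEnhancer}; claims are mapped by an {@link AccessTokenConverter}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Refresh tokens are produced by the same {@code encode} call as access tokens and are read
 *       back through the same {@link #loadAuthentication(String)} path. Nothing in this class
 *       marks a token as "refresh" or "access", so unless the enhancer or converter adds such a
 *       claim (not visible here, confirm), either kind can be presented where the other is
 *       expected.</li>
 *   <li>{@link #loadAuthentication(String)} and {@link #readAccessToken(String)} perform no
 *       expiry check themselves; only {@link #refreshAccessToken(String, TokenRequest)} calls
 *       {@link #isExpired(OAuth2AccessToken)}. Whether the decoder rejects expired tokens is not
 *       visible here and should be confirmed.</li>
 *   <li>No token state is kept in this class, so it offers no way to revoke an issued token
 *       before it expires.</li>
 * </ul>
 */
public class JwtTokenServices implements AuthorizationServerTokenServices, ResourceServerTokenServices, InitializingBean {
    /** Key under which the token identifier is stored in the token's additional information. */
    public static final String TOKEN_ID = "jti";
    // Optional: when set, per-client grant types and validity periods override the defaults below.
    private ClientDetailsService clientDetailsService;
    // Optional: applied to the access token before it is encoded.
    private TokenEnhancer accessTokenEnhancer;
    private AccessTokenConverter tokenConverter = new DefaultAccessTokenConverter();
    private JwtTokenEnhancer jwtTokenEnhancer = new JwtTokenEnhancer();
    // Default refresh token lifetime: 2592000 s = 30 days.
    private int refreshTokenValiditySeconds = 2592000;
    // Default access token lifetime: 43200 s = 12 hours.
    private int accessTokenValiditySeconds = 43200;
    private boolean supportRefreshToken = false;
    private boolean reuseRefreshToken = true;
    private AuthenticationKeyGenerator authenticationKeyGenerator = new DefaultAuthenticationKeyGenerator();

    /**
     * Enables or disables the refresh grant. This flag gates {@link #refreshAccessToken} and is
     * the fallback for issuing refresh tokens when no {@link ClientDetailsService} is set.
     */
    public void setSupportRefreshToken(boolean z) {
        this.supportRefreshToken = z;
    }

    /** Sets whether a refresh is meant to keep the presented refresh token (default {@code true}). */
    public void setReuseRefreshToken(boolean z) {
        this.reuseRefreshToken = z;
    }

    /** Sets an optional enhancer that is applied to each access token before it is encoded. */
    public void setTokenEnhancer(TokenEnhancer tokenEnhancer) {
        this.accessTokenEnhancer = tokenEnhancer;
    }

    /** Sets the default refresh token lifetime in seconds, used when the client defines none. */
    public void setRefreshTokenValiditySeconds(int i) {
        this.refreshTokenValiditySeconds = i;
    }

    /**
     * Sets the default access token lifetime in seconds, used when the client defines none.
     * A value of zero or less produces access tokens without an expiration.
     */
    public void setAccessTokenValiditySeconds(int i) {
        this.accessTokenValiditySeconds = i;
    }

    /** Sets the service used to look up per-client grant types and token lifetimes. */
    public void setClientDetailsService(ClientDetailsService clientDetailsService) {
        this.clientDetailsService = clientDetailsService;
    }

    /** Sets the generator whose key becomes both the initial token value and the {@code jti}. */
    public void setAuthenticationKeyGenerator(AuthenticationKeyGenerator authenticationKeyGenerator) {
        this.authenticationKeyGenerator = authenticationKeyGenerator;
    }

    /** Passes the verification key to the underlying {@link JwtTokenEnhancer}. */
    public void setVerifierKey(String str) {
        this.jwtTokenEnhancer.setVerifierKey(str);
    }

    /**
     * Passes the signing key to the underlying {@link JwtTokenEnhancer}. The value is key
     * material: keep it out of logs and source control.
     */
    public void setSigningKey(String str) {
        this.jwtTokenEnhancer.setSigningKey(str);
    }

    /** Delegates initialisation to the {@link JwtTokenEnhancer} once all properties are set. */
    @Override
    public void afterPropertiesSet() throws Exception {
        this.jwtTokenEnhancer.afterPropertiesSet();
    }

    /**
     * Decodes the token and converts its claims into an authentication.
     *
     * <p>NOTE(review): no expiry check happens in this method; confirm that the decoder or a
     * caller rejects expired tokens before the result is trusted.
     */
    @Override // org.springframework.security.oauth2.provider.token.ResourceServerTokenServices
    public OAuth2Authentication loadAuthentication(String str) throws AuthenticationException {
        return this.tokenConverter.extractAuthentication(decode(str));
    }

    /** Decodes the token and converts its claims into an {@link OAuth2AccessToken}. */
    @Override // org.springframework.security.oauth2.provider.token.ResourceServerTokenServices
    public OAuth2AccessToken readAccessToken(String str) {
        return this.tokenConverter.extractAccessToken(str, decode(str));
    }

    /**
     * Issues a new access token for the authentication and attaches a refresh token when the
     * client supports the refresh grant (otherwise the refresh token is {@code null}).
     */
    @Override // org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices
    public OAuth2AccessToken createAccessToken(OAuth2Authentication oAuth2Authentication) throws AuthenticationException {
        DefaultOAuth2AccessToken issued = new DefaultOAuth2AccessToken(getAccessToken(oAuth2Authentication));
        issued.setRefreshToken(createRefreshToken(oAuth2Authentication));
        return issued;
    }

    /**
     * Exchanges a refresh token for a new access token.
     *
     * @param str the refresh token value presented by the client
     * @param tokenRequest the refresh request; its client id must match the token's client id and
     *     its scope, if any, must be contained in the originally granted scope
     * @throws InvalidGrantException if refresh is disabled or the token belongs to another client
     * @throws InvalidTokenException if the refresh token has expired
     * @throws InvalidScopeException if the requested scope is wider than the granted scope
     */
    @Override // org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices
    public OAuth2AccessToken refreshAccessToken(String str, TokenRequest tokenRequest) throws AuthenticationException {
        // NOTE(review): the exception messages below embed the raw refresh token. The text is kept
        // unchanged for compatibility, but wherever these messages are logged or returned the
        // bearer credential goes with them; consider redacting the value.
        if (!this.supportRefreshToken) {
            throw new InvalidGrantException("Invalid refresh token: " + str);
        }
        OAuth2Authentication presented = loadAuthentication(str);
        String tokenClientId = presented.getOAuth2Request().getClientId();
        if (tokenClientId == null || !tokenClientId.equals(tokenRequest.getClientId())) {
            throw new InvalidGrantException("Wrong client for this refresh token: " + str);
        }
        if (isExpired(readAccessToken(str))) {
            throw new InvalidTokenException("Invalid refresh token (expired): " + str);
        }
        OAuth2Authentication refreshedAuthentication = createRefreshedAuthentication(presented, tokenRequest.getScope());
        OAuth2AccessToken refreshed = createAccessToken(refreshedAuthentication);
        if (!this.reuseRefreshToken) {
            // The original built this copy and then discarded it, so the branch had no effect;
            // return the copy that carries the newly created refresh token.
            DefaultOAuth2AccessToken rotated = new DefaultOAuth2AccessToken(refreshed);
            rotated.setRefreshToken(createRefreshToken(refreshedAuthentication));
            return rotated;
        }
        // NOTE(review): createAccessToken() has already attached a newly minted refresh token, so
        // the presented one is not carried over even though reuseRefreshToken is true; confirm
        // whether that is intended.
        return refreshed;
    }

    /**
     * Builds and encodes an access token for the authentication. Nothing is stored, so every call
     * produces a freshly encoded token.
     *
     * <p>The {@code jti} is the key from the {@link AuthenticationKeyGenerator}, not a per-token
     * random value; presumably it is identical for tokens issued for the same authentication
     * (confirm against the generator in use).
     */
    @Override // org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices
    public OAuth2AccessToken getAccessToken(OAuth2Authentication oAuth2Authentication) {
        String tokenId = this.authenticationKeyGenerator.extractKey(oAuth2Authentication);
        DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(tokenId);
        Map<String, Object> additionalInformation = new LinkedHashMap<String, Object>();
        additionalInformation.put(TOKEN_ID, tokenId);
        token.setAdditionalInformation(additionalInformation);
        int validitySeconds = getAccessTokenValiditySeconds(oAuth2Authentication.getOAuth2Request());
        if (validitySeconds > 0) {
            // Multiply as long: int arithmetic overflows for lifetimes above about 24.8 days and
            // would yield an expiration in the past.
            token.setExpiration(new Date(System.currentTimeMillis() + (validitySeconds * 1000L)));
        }
        token.setScope(oAuth2Authentication.getOAuth2Request().getScope());
        if (this.accessTokenEnhancer != null) {
            token = new DefaultOAuth2AccessToken(this.accessTokenEnhancer.enhance(token, oAuth2Authentication));
        }
        return token.setValue(encode(token, oAuth2Authentication));
    }

    /**
     * Returns {@code true} when the token has an expiration and that instant is in the past.
     * A token without an expiration is never considered expired.
     */
    protected boolean isExpired(OAuth2AccessToken oAuth2AccessToken) {
        Date expiration = oAuth2AccessToken.getExpiration();
        return expiration != null && System.currentTimeMillis() > expiration.getTime();
    }

    /**
     * Decides whether a refresh token is issued for the request's client: the client's authorized
     * grant types decide when a {@link ClientDetailsService} is set, otherwise the global flag.
     */
    protected boolean isSupportRefreshToken(OAuth2Request oAuth2Request) {
        if (this.clientDetailsService == null) {
            return this.supportRefreshToken;
        }
        return this.clientDetailsService.loadClientByClientId(oAuth2Request.getClientId())
                .getAuthorizedGrantTypes().contains(OAuth2AccessToken.REFRESH_TOKEN);
    }

    /** Returns the client's access token lifetime in seconds, or the default if it defines none. */
    protected int getAccessTokenValiditySeconds(OAuth2Request oAuth2Request) {
        if (this.clientDetailsService != null) {
            Integer perClient = this.clientDetailsService.loadClientByClientId(oAuth2Request.getClientId()).getAccessTokenValiditySeconds();
            if (perClient != null) {
                return perClient.intValue();
            }
        }
        return this.accessTokenValiditySeconds;
    }

    /** Returns the client's refresh token lifetime in seconds, or the default if it defines none. */
    protected int getRefreshTokenValiditySeconds(OAuth2Request oAuth2Request) {
        if (this.clientDetailsService != null) {
            Integer perClient = this.clientDetailsService.loadClientByClientId(oAuth2Request.getClientId()).getRefreshTokenValiditySeconds();
            if (perClient != null) {
                return perClient.intValue();
            }
        }
        return this.refreshTokenValiditySeconds;
    }

    /** Encodes the token and authentication through the {@link JwtTokenEnhancer}. */
    private String encode(OAuth2AccessToken oAuth2AccessToken, OAuth2Authentication oAuth2Authentication) {
        return this.jwtTokenEnhancer.encode(oAuth2AccessToken, oAuth2Authentication);
    }

    /** Decodes a token value into its claims through the {@link JwtTokenEnhancer}. */
    private Map<String, Object> decode(String str) {
        return this.jwtTokenEnhancer.decode(str);
    }

    /**
     * Validates the scope requested on refresh against the scope of the original request.
     *
     * <p>NOTE(review): the authentication returned for a valid narrowed scope is rebuilt from the
     * original request, so the issued token appears to keep the original scope rather than the
     * narrower one; confirm.
     *
     * @throws InvalidScopeException if the requested scope is not contained in the original scope
     */
    private OAuth2Authentication createRefreshedAuthentication(OAuth2Authentication oAuth2Authentication, Set<String> set) {
        if (set == null || set.isEmpty()) {
            return oAuth2Authentication;
        }
        OAuth2Request originalRequest = oAuth2Authentication.getOAuth2Request();
        Set<String> grantedScope = originalRequest.getScope();
        if (grantedScope == null || !grantedScope.containsAll(set)) {
            throw new InvalidScopeException("Unable to narrow the scope of the client authentication to " + set + ".", grantedScope);
        }
        return new OAuth2Authentication(originalRequest, oAuth2Authentication.getUserAuthentication());
    }

    /**
     * Creates a refresh token for the authentication, or returns {@code null} when the client
     * does not support the refresh grant. The refresh token is an access token re-encoded with
     * the refresh lifetime as its expiration.
     */
    private ExpiringOAuth2RefreshToken createRefreshToken(OAuth2Authentication oAuth2Authentication) {
        if (!isSupportRefreshToken(oAuth2Authentication.getOAuth2Request())) {
            return null;
        }
        DefaultOAuth2AccessToken carrier = new DefaultOAuth2AccessToken(getAccessToken(oAuth2Authentication));
        // Multiply as long: the 30-day default (2592000 s) times 1000 exceeds Integer.MAX_VALUE,
        // so int arithmetic wrapped negative and produced refresh tokens that were already expired.
        Date expiration = new Date(System.currentTimeMillis() + (getRefreshTokenValiditySeconds(oAuth2Authentication.getOAuth2Request()) * 1000L));
        carrier.setExpiration(expiration);
        carrier.setValue(encode(carrier, oAuth2Authentication));
        return new DefaultExpiringOAuth2RefreshToken(carrier.getValue(), expiration);
    }
}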
