package com.atlassian.oauth2.client.lib.token;

import com.atlassian.annotations.VisibleForTesting;
import com.atlassian.oauth2.client.api.ClientConfiguration;
import com.atlassian.oauth2.client.api.ClientToken;
import com.atlassian.oauth2.client.api.lib.token.TokenService;
import com.atlassian.oauth2.client.api.lib.token.TokenServiceException;
import com.atlassian.oauth2.client.api.storage.config.ProviderType;
import com.atlassian.oauth2.client.api.storage.token.ClientTokenEntity;
import com.atlassian.oauth2.client.lib.ClientTokenImpl;
import com.atlassian.oauth2.client.lib.web.AuthorizationCodeFlowUrlsProvider;
import com.atlassian.oauth2.client.properties.SystemProperty;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.AuthorizationGrant;
import com.nimbusds.oauth2.sdk.RefreshTokenGrant;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.oauth2.sdk.token.Tokens;
import java.net.URI;
import java.time.Clock;
import java.time.DateTimeException;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Collection;
import java.util.HashMap;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/oauth2-client-plugin-3.0.6.jar:com/atlassian/oauth2/client/lib/token/DefaultTokenService.class */
public class DefaultTokenService implements TokenService, InternalTokenService {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) DefaultTokenService.class);
    private final Clock clock;
    private final RefreshTokenExpirationHandler refreshTokenExpirationHandler;
    private final AuthorizationCodeFlowUrlsProvider authorizationCodeFlowUrlsProvider;
    private final Duration minimumAccessTokenLifetimeWhenNoRefreshToken;
    private final Set<ProviderType> providersWithRequiredRefreshToken;

    public DefaultTokenService(Clock clock, RefreshTokenExpirationHandler refreshTokenExpirationHandler, AuthorizationCodeFlowUrlsProvider authorizationCodeFlowUrlsProvider, Duration duration, Collection<ProviderType> collection) {
        this.clock = clock;
        this.refreshTokenExpirationHandler = refreshTokenExpirationHandler;
        this.authorizationCodeFlowUrlsProvider = authorizationCodeFlowUrlsProvider;
        this.minimumAccessTokenLifetimeWhenNoRefreshToken = duration;
        this.providersWithRequiredRefreshToken = ImmutableSet.copyOf((Collection) collection);
    }

    @Override // com.atlassian.oauth2.client.api.lib.token.TokenService
    public ClientToken forceRefresh(ClientConfiguration clientConfiguration, ClientToken clientToken) throws TokenServiceException {
        Preconditions.checkArgument(clientToken.getRefreshToken() != null);
        return getToken(ClientTokenImpl.builder(clientToken), clientConfiguration, getRefreshRequest(clientConfiguration, clientToken));
    }

    @Override // com.atlassian.oauth2.client.api.lib.token.TokenService
    public ClientToken refreshIfNeeded(ClientConfiguration clientConfiguration, ClientToken clientToken, Duration duration) throws TokenServiceException {
        return isRefreshNeeded(clientToken, duration) ? forceRefresh(clientConfiguration, clientToken) : clientToken;
    }

    @Override // com.atlassian.oauth2.client.api.lib.token.TokenService
    public boolean isRefreshNeeded(ClientToken clientToken, Duration duration) {
        try {
            if (clientToken.getRefreshToken() == null) {
                return false;
            }
            return clientToken.getAccessTokenExpiration().isBefore(this.clock.instant().plus((TemporalAmount) SystemProperty.MAX_CLOCK_SKEW.getValue()).plus((TemporalAmount) duration));
        } catch (ArithmeticException | DateTimeException e) {
            logger.debug("Margin exceeds limits of Instant. Refresh required", e);
            return true;
        }
    }

    @Override // com.atlassian.oauth2.client.lib.token.InternalTokenService
    public ClientToken getAccessTokenFromAuthorizationCode(ClientConfiguration clientConfiguration, String str) throws TokenServiceException {
        ClientToken token = getToken(ClientTokenImpl.builder(), clientConfiguration, getAuthorizationCodeExchangeRequest(clientConfiguration, str));
        validateRefreshTokenPresenceForNewToken(clientConfiguration, token);
        return token;
    }

    @VisibleForTesting
    protected void validateRefreshTokenPresenceForNewToken(ClientConfiguration clientConfiguration, ClientToken clientToken) {
        if (clientToken.getRefreshToken() == null) {
            Preconditions.checkArgument(!this.providersWithRequiredRefreshToken.contains(clientConfiguration.getProviderType()), "Refresh token is missing but required for the provider: " + clientConfiguration.getProviderType());
            Preconditions.checkArgument(!clientToken.getAccessTokenExpiration().isBefore(this.clock.instant().plus((TemporalAmount) this.minimumAccessTokenLifetimeWhenNoRefreshToken)), "Refresh token is not present and access token lifetime is too short " + clientToken.getAccessTokenExpiration());
        }
    }

    @VisibleForTesting
    protected HTTPRequest getRefreshRequest(ClientConfiguration clientConfiguration, ClientToken clientToken) {
        return getTokenRequestInternal(clientConfiguration, new RefreshTokenGrant(new RefreshToken(clientToken.getRefreshToken())));
    }

    @VisibleForTesting
    protected HTTPRequest getAuthorizationCodeExchangeRequest(ClientConfiguration clientConfiguration, String str) {
        return getTokenRequestInternal(clientConfiguration, new AuthorizationCodeGrant(new AuthorizationCode(str), this.authorizationCodeFlowUrlsProvider.getRedirectUri(clientConfiguration)));
    }

    @VisibleForTesting
    protected ClientToken getToken(ClientTokenImpl.Builder builder, ClientConfiguration clientConfiguration, HTTPRequest hTTPRequest) throws TokenServiceException {
        Instant instant = this.clock.instant();
        try {
            HTTPResponse send = hTTPRequest.send();
            logger.trace("Got OAuth Provider response: [{}], [{}]", Integer.valueOf(send.getStatusCode()), send.getContent());
            TokenResponse parse = TokenResponse.parse(send);
            if (parse.indicatesSuccess()) {
                return buildToken(builder, clientConfiguration, parse.toSuccessResponse().getTokens(), instant);
            }
            throw new TokenServiceException(parse.toErrorResponse().getErrorObject().getDescription());
        } catch (Exception e) {
            throw new TokenServiceException(e);
        }
    }

    private HTTPRequest getTokenRequestInternal(ClientConfiguration clientConfiguration, AuthorizationGrant authorizationGrant) {
        logger.debug("Trying to get tokens for an integration with a client id - {}", clientConfiguration.getClientId());
        ClientSecretPost clientSecretPost = new ClientSecretPost(new ClientID(clientConfiguration.getClientId()), new Secret(clientConfiguration.getClientSecret()));
        URI create = URI.create(clientConfiguration.getTokenEndpoint());
        HashMap hashMap = new HashMap();
        Scope parse = Scope.parse(clientConfiguration.getScopes());
        if (clientConfiguration.getProviderType() == ProviderType.MICROSOFT) {
            parse.add("offline_access");
            hashMap.put("redirect_uri", ImmutableList.of(this.authorizationCodeFlowUrlsProvider.getRedirectUri(clientConfiguration).toString()));
        }
        HTTPRequest hTTPRequest = new TokenRequest(create, clientSecretPost, authorizationGrant, parse, null, hashMap).toHTTPRequest();
        hTTPRequest.setAccept("application/json");
        hTTPRequest.setHeader("x-atlassian-token", new String[]{"no-check"});
        if (SystemProperty.ADD_EMPTY_USER_AGENT_FOR_TOKEN_REQUESTS.getValue().booleanValue()) {
            hTTPRequest.setHeader("User-Agent", new String[]{""});
        }
        return hTTPRequest;
    }

    @VisibleForTesting
    ClientToken buildToken(ClientTokenImpl.Builder builder, ClientConfiguration clientConfiguration, Tokens tokens, Instant instant) {
        long lifetime = tokens.getAccessToken().getLifetime();
        builder.accessToken(tokens.getAccessToken().getValue()).accessTokenExpiration(lifetime == 0 ? ClientTokenEntity.MAX_TIMESTAMP : instant.plusSeconds(lifetime));
        if (tokens.getRefreshToken() != null) {
            builder.refreshToken(tokens.getRefreshToken().getValue());
            builder.refreshTokenExpiration(this.refreshTokenExpirationHandler.getExpirationTimeForToken(clientConfiguration, instant, tokens.getRefreshToken()));
        }
        return builder.build();
    }
}
