package io.openliberty.security.jakartasec.tokens;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import io.openliberty.security.jakartasec.TraceConstants;
import jakarta.security.enterprise.identitystore.openid.AccessToken;
import jakarta.security.enterprise.identitystore.openid.JwtClaims;
import jakarta.security.enterprise.identitystore.openid.Scope;
import java.io.Serializable;
import java.time.Instant;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:io/openliberty/security/jakartasec/tokens/AccessTokenImpl.class */
public class AccessTokenImpl implements AccessToken, Serializable {
    public static final TraceComponent tc = Tr.register(AccessTokenImpl.class, TraceConstants.TRACE_GROUP, TraceConstants.MESSAGE_BUNDLE);
    private static final long serialVersionUID = 1;
    private final String tokenString;
    private final Long expirationTimeInSeconds;
    private final Instant responseGenerationTime;
    private final Long tokenMinValidityInMillis;
    private Map<String, Object> accessTokenClaimsMap;
    private JwtClaims jwtClaims;
    private AccessToken.Type type;

    public AccessTokenImpl(String str, Instant instant, Long l, Long l2) {
        this.tokenString = str;
        this.expirationTimeInSeconds = l;
        this.responseGenerationTime = instant;
        this.tokenMinValidityInMillis = l2;
        this.accessTokenClaimsMap = Collections.emptyMap();
        this.jwtClaims = JwtClaims.NONE;
        this.type = AccessToken.Type.MAC;
    }

    public AccessTokenImpl(String str, Map<String, Object> map, Instant instant, Long l, Long l2) {
        this(str, instant, l, l2);
        this.accessTokenClaimsMap = map == null ? Collections.emptyMap() : map;
        this.jwtClaims = map == null ? JwtClaims.NONE : new JwtClaimsImpl(map);
        this.type = AccessToken.Type.BEARER;
    }

    public String getToken() {
        return this.tokenString;
    }

    public boolean isJWT() {
        return AccessToken.Type.BEARER.equals(this.type);
    }

    public JwtClaims getJwtClaims() {
        return this.jwtClaims;
    }

    public Map<String, Object> getClaims() {
        if (!AccessToken.Type.BEARER.equals(this.type)) {
            return Collections.emptyMap();
        }
        HashMap hashMap = new HashMap();
        this.accessTokenClaimsMap.forEach(new CloneClaimsAction(hashMap));
        return hashMap;
    }

    public Object getClaim(String str) {
        return this.accessTokenClaimsMap.get(str);
    }

    public Long getExpirationTime() {
        return this.expirationTimeInSeconds;
    }

    public boolean isExpired() {
        Instant expirationInstant = getExpirationInstant();
        Instant now = Instant.now();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Current time: " + now + ", expirationInstant: " + expirationInstant + " = when the token response was generated (" + this.responseGenerationTime + ") + expiration time (" + this.expirationTimeInSeconds + "), tokenMinValidityInMillis: " + this.tokenMinValidityInMillis, new Object[0]);
            Tr.debug(tc, "Token is considered expired if the current time is after expiration instant, or if the current time + tokenMinValidityInMillis is after the expiration instant", new Object[0]);
        }
        return now.isAfter(expirationInstant) || now.plusMillis(this.tokenMinValidityInMillis.longValue()).isAfter(expirationInstant);
    }

    private Instant getExpirationInstant() {
        Instant instant = Instant.MIN;
        if (this.expirationTimeInSeconds != null && this.expirationTimeInSeconds.longValue() >= 0) {
            instant = this.responseGenerationTime.plusMillis(this.expirationTimeInSeconds.longValue() * 1000);
        } else if (AccessToken.Type.BEARER.equals(this.type)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Access token is a bearer token", new Object[0]);
            }
            Optional expirationTime = this.jwtClaims.getExpirationTime();
            if (expirationTime.isPresent()) {
                instant = (Instant) expirationTime.get();
            }
        }
        return instant;
    }

    public Scope getScope() {
        if (!AccessToken.Type.BEARER.equals(this.type)) {
            return null;
        }
        Optional stringClaim = this.jwtClaims.getStringClaim("scope");
        if (stringClaim.isPresent()) {
            return Scope.parse((String) stringClaim.get());
        }
        return null;
    }

    public AccessToken.Type getType() {
        return this.type;
    }
}
