package org.wso2.is.notification;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Map;
import java.util.stream.Collectors;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.commons.logging.Log;
import org.json.JSONObject;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.identity.oauth.event.AbstractOAuthEventInterceptor;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenRespDTO;
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;

/* loaded from: input_file:org/wso2/is/notification/APIMTokenExchangeAuditLogger.class */
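/**
 * OAuth event interceptor that writes one audit-log entry for every successful
 * token-exchange grant ({@code urn:ietf:params:oauth:grant-type:token-exchange}).
 *
 * <p>The entry is a single JSON object holding the client id, the grant type, the
 * requested token type, and a small set of claims (issuer, audience, jti, iat) taken
 * from the subject token and from the issued token when those are JWTs. The raw
 * tokens themselves are never written to the log.
 */
public class APIMTokenExchangeAuditLogger extends AbstractOAuthEventInterceptor {
    private static final Log audit = CarbonConstants.AUDIT_LOG;

    private static final String TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange";
    private static final String JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt";
    private static final String ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";

    private static final String REQUESTED_TOKEN_TYPE_PARAM = "requested_token_type";
    private static final String SUBJECT_TOKEN_TYPE_PARAM = "subject_token_type";
    private static final String SUBJECT_TOKEN_PARAM = "subject_token";

    /** Initialises the interceptor from the inherited {@code initConfig}. */
    public APIMTokenExchangeAuditLogger() {
        super.init(this.initConfig);
    }

    /**
     * Emits an audit entry after a token has been issued, but only for token-exchange
     * requests whose response is not an error.
     *
     * @param oAuth2AccessTokenReqDTO     the token request
     * @param oAuth2AccessTokenRespDTO    the token response
     * @param oAuthTokenReqMessageContext request context; supplies the authorized user
     * @param map                         extra interceptor parameters (unused here)
     */
    @Override
    public void onPostTokenIssue(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO, OAuth2AccessTokenRespDTO oAuth2AccessTokenRespDTO, OAuthTokenReqMessageContext oAuthTokenReqMessageContext, Map<String, Object> map) {
        if (!isTokenExchangeGrant(oAuth2AccessTokenReqDTO) || !isTokenRequestSuccessful(oAuth2AccessTokenRespDTO)) {
            return;
        }
        // An audit hook should not fail the request with a NullPointerException if the
        // context carries no authorized user; the entry is then written without "performedBy".
        String performedBy = oAuthTokenReqMessageContext.getAuthorizedUser() != null
                ? oAuthTokenReqMessageContext.getAuthorizedUser().getUserName()
                : null;
        logAuditMessage(constructEntityInfo(oAuth2AccessTokenReqDTO, oAuth2AccessTokenRespDTO), performedBy);
    }

    /**
     * Writes the audit entry as one line of JSON.
     *
     * @param jSONObject details of the exchange, stored under {@code "info"}
     * @param str        user name recorded as {@code "performedBy"}
     */
    private static void logAuditMessage(JSONObject jSONObject, String str) {
        JSONObject entry = new JSONObject();
        // NOTE(review): the key is spelled "typ" in the emitted record; left unchanged
        // because existing log consumers may depend on it - confirm before renaming.
        entry.put("typ", "Token Generation");
        entry.put("action", "Token Exchange");
        entry.put("performedBy", str);
        entry.put("info", jSONObject);
        // Log the serialized JSON unchanged. Passing it through
        // StringEscapeUtils.unescapeJava() converts escaped \n, \r and \" sequences
        // from request parameters or token claims back into raw characters, so a
        // crafted value could break out of its JSON field or start a forged audit
        // line (log injection, CWE-117). JSON escaping keeps the entry on one line.
        audit.info(entry.toString());
    }

    /**
     * Flattens the request parameters into a key to first-value map.
     *
     * <p>Parameters with no key or no first value are skipped, and on a repeated key
     * the first occurrence wins, so that a malformed request cannot make the audit
     * hook throw.
     *
     * @param requestParameterArr parameters of the token request; may be {@code null}
     * @return map of parameter name to its first value, never {@code null}
     */
    private static Map<String, String> getRequestParams(RequestParameter[] requestParameterArr) {
        RequestParameter[] params = requestParameterArr != null ? requestParameterArr : new RequestParameter[0];
        return Arrays.stream(params)
                .filter(APIMTokenExchangeAuditLogger::hasFirstValue)
                .collect(Collectors.toMap(RequestParameter::getKey, param -> param.getValue()[0], (first, repeated) -> first));
    }

    /** Returns whether the parameter has a key and a non-null first value. */
    private static boolean hasFirstValue(RequestParameter param) {
        if (param == null || param.getKey() == null) {
            return false;
        }
        String[] values = param.getValue();
        return values != null && values.length > 0 && values[0] != null;
    }

    /**
     * Extracts the claims recorded in the audit entry from a serialized JWT.
     *
     * <p>The token is only parsed, not verified: no signature or expiry check happens
     * here, so the result is descriptive data for the log and must not be used for
     * any authorization decision.
     *
     * @param str compact-serialized signed JWT; may be empty, {@code null} or not a JWT
     * @return JSON object with {@code issuer}, {@code audience}, {@code jti} and
     *         {@code iat} where available; empty if the input is not a parseable JWT
     */
    private static JSONObject getJWTClaims(String str) {
        JSONObject claimsInfo = new JSONObject();
        if (!StringUtils.isNotEmpty(str)) {
            return claimsInfo;
        }
        try {
            JWTClaimsSet claims = SignedJWT.parse(str).getJWTClaimsSet();
            if (claims != null) {
                claimsInfo.put("issuer", claims.getIssuer());
                claimsInfo.put("audience", claims.getAudience() != null ? claims.getAudience() : "");
                claimsInfo.put("jti", claims.getJWTID() != null ? claims.getJWTID() : "");
                // "iat" is optional in a JWT; dereferencing a missing issue time would
                // throw a NullPointerException out of the audit hook.
                if (claims.getIssueTime() != null) {
                    claimsInfo.put("iat", claims.getIssueTime().getTime());
                }
            }
        } catch (ParseException ignored) {
            // Not a signed JWT (for example an opaque access token): there are no
            // claims to report, so the audit entry carries an empty object.
        }
        return claimsInfo;
    }

    /**
     * Decides whether a token should be treated as a JWT.
     *
     * @param str  declared token type URN
     * @param str2 the token value
     * @return {@code true} if the type is the JWT URN, or the access-token URN and
     *         {@code OAuth2Util.isJWT} accepts the value
     */
    private static boolean isJWT(String str, String str2) {
        if (JWT_TOKEN_TYPE.equals(str)) {
            return true;
        }
        return ACCESS_TOKEN_TYPE.equals(str) && OAuth2Util.isJWT(str2);
    }

    /** Returns whether the request uses the token-exchange grant type. */
    private static boolean isTokenExchangeGrant(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO) {
        return TOKEN_EXCHANGE_GRANT.equals(oAuth2AccessTokenReqDTO.getGrantType());
    }

    /** Returns whether the token response is not flagged as an error. */
    private boolean isTokenRequestSuccessful(OAuth2AccessTokenRespDTO oAuth2AccessTokenRespDTO) {
        return !oAuth2AccessTokenRespDTO.isError();
    }

    /**
     * Returns the {@code requested_token_type} request parameter, falling back to the
     * JWT token-type URN when the parameter is absent.
     */
    private static String getRequestedTokenType(Map<String, String> map) {
        String requested = map.get(REQUESTED_TOKEN_TYPE_PARAM);
        return requested != null ? requested : JWT_TOKEN_TYPE;
    }

    /**
     * Builds the {@code "info"} part of the audit entry.
     *
     * <p>Only derived claims are recorded; the subject token and the issued access
     * token are never copied into the log.
     *
     * @param oAuth2AccessTokenReqDTO  the token request
     * @param oAuth2AccessTokenRespDTO the token response
     * @return JSON object describing the client, grant and tokens involved
     */
    private static JSONObject constructEntityInfo(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO, OAuth2AccessTokenRespDTO oAuth2AccessTokenRespDTO) {
        Map<String, String> requestParams = getRequestParams(oAuth2AccessTokenReqDTO.getRequestParameters());
        String subjectToken = requestParams.get(SUBJECT_TOKEN_PARAM);

        JSONObject info = new JSONObject();
        info.put("client_id", oAuth2AccessTokenReqDTO.getClientId());
        info.put("grant_type", oAuth2AccessTokenReqDTO.getGrantType());
        info.put("requested_token_type", getRequestedTokenType(requestParams));
        if (isJWT(requestParams.get(SUBJECT_TOKEN_TYPE_PARAM), subjectToken)) {
            info.put("subject_token_info", getJWTClaims(subjectToken));
        }
        info.put("issued_token_info", getJWTClaims(oAuth2AccessTokenRespDTO.getAccessToken()));
        return info;
    }
}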
