package org.wso2.am.choreo.extensions.token.handler;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.SecureRandom;
import java.text.ParseException;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import java.util.Random;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import net.minidev.json.JSONArray;
import net.minidev.json.JSONObject;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.am.choreo.extensions.token.handler.internal.ServiceReferenceHolder;
import org.wso2.am.choreo.extensions.token.handler.utils.ChoreoScopeIssuerUtils;
import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.api.model.ApplicationInfo;
import org.wso2.carbon.apimgt.impl.APIAdminImpl;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenRespDTO;
import org.wso2.carbon.identity.oauth2.grant.token.exchange.Constants;
import org.wso2.carbon.identity.oauth2.grant.token.exchange.TokenExchangeGrantHandler;
import org.wso2.carbon.identity.oauth2.grant.token.exchange.utils.TokenExchangeUtils;
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;

/* loaded from: input_file:org/wso2/am/choreo/extensions/token/handler/ChoreoTokenExchangeGrantHandler.class */
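/**
 * Choreo-specific RFC 8693 token-exchange grant handler.
 *
 * <p>On top of the stock {@link TokenExchangeGrantHandler} this class:
 * <ul>
 *   <li>reads the inbound {@code subject_token}, extracts a configurable allow-list of its claims and
 *       stores them on the request context under {@code TokenHandlerConstants.IDP_CLAIMS_CLAIM_KEY};</li>
 *   <li>just-in-time provisions the authenticated subject into the super-tenant user store for clients
 *       matching {@link ChoreoScopeIssuerUtils#isClientIdMatching(String)};</li>
 *   <li>rejects subject tokens whose issuer's IdP is not registered in the organization that owns the
 *       calling client ({@link #getIdentityProvider}).</li>
 * </ul>
 *
 * <p>NOTE(review): the subject token is parsed here (not verified). This code assumes the signature and
 * issuer checks are done by the superclass before/inside {@code super.issue(...)} - confirm against the
 * superclass version in use, since the claims are attached to the context before that call returns.
 */
public class ChoreoTokenExchangeGrantHandler extends TokenExchangeGrantHandler {
    private static final Log log = LogFactory.getLog(ChoreoTokenExchangeGrantHandler.class);

    /** Tenant id passed to the realm service when provisioning the subject (-1234 in the original). */
    private static final int PROVISIONING_TENANT_ID = -1234;

    /**
     * Length of the throw-away password assigned to a just-in-time provisioned user. Kept at the original
     * value; whether it satisfies the configured user-store password policy depends on deployment config.
     */
    private static final int GENERATED_PASSWORD_LENGTH = 8;

    /**
     * CSPRNG for generated credentials. {@code java.util.Random} is a predictable LCG and must not be used
     * to mint passwords, even ones that are not expected to be used interactively.
     */
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    /**
     * Builds a random string of the requested length from {@code TokenHandlerConstants.USER_ID_GEN_RANDOM_CHARSET}.
     *
     * @param length number of characters to produce; non-positive yields an empty string
     * @return a freshly generated string drawn from the charset using {@link SecureRandom}
     */
    private String generateRandomString(int length) {
        String charset = TokenHandlerConstants.USER_ID_GEN_RANDOM_CHARSET;
        StringBuilder sb = new StringBuilder(Math.max(length, 0));
        for (int idx = 0; idx < length; idx++) {
            // nextInt(bound) is uniform over [0, bound) - no float scaling, no off-by-one at the top end.
            sb.append(charset.charAt(SECURE_RANDOM.nextInt(charset.length())));
        }
        return sb.toString();
    }

    /**
     * Issues the exchanged token.
     *
     * <p>When the Choreo extension configuration is present, this first attaches the allow-listed claims of
     * the subject token to the message context and provisions the authenticated subject into the user
     * store (for matching clients) before delegating to the superclass.
     *
     * @param oAuthTokenReqMessageContext the token request context
     * @return the superclass' token response
     * @throws IdentityOAuth2Exception if the subject token cannot be parsed, the user store fails, or the
     *                                 superclass rejects the request
     */
    public OAuth2AccessTokenRespDTO issue(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        if (!ChoreoScopeIssuerUtils.isConfigsSet()) {
            if (log.isDebugEnabled()) {
                log.debug("Choreo extension configuration is not set!");
            }
            return super.issue(oAuthTokenReqMessageContext);
        }

        String clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
        String authenticatedSubjectIdentifier =
                oAuthTokenReqMessageContext.getAuthorizedUser().getAuthenticatedSubjectIdentifier();

        String subjectToken = getSubjectToken(oAuthTokenReqMessageContext);
        if (StringUtils.isNotBlank(subjectToken)) {
            // Prefer the JWT the framework already parsed (if it stashed one); fall back to parsing ourselves.
            Object cached = oAuthTokenReqMessageContext.getProperty(TokenHandlerConstants.SIGNED_JWT);
            SignedJWT signedJWT = cached instanceof SignedJWT ? (SignedJWT) cached : null;
            if (signedJWT == null) {
                signedJWT = TokenExchangeUtils.getSignedJWT(subjectToken);
            }
            if (signedJWT != null) {
                oAuthTokenReqMessageContext.addProperty(
                        TokenHandlerConstants.IDP_CLAIMS_CLAIM_KEY, extractIdpClaims(signedJWT));
            }
        }

        if (authenticatedSubjectIdentifier != null && ChoreoScopeIssuerUtils.isClientIdMatching(clientId)) {
            provisionUserIfAbsent(authenticatedSubjectIdentifier);
        }
        return super.issue(oAuthTokenReqMessageContext);
    }

    /**
     * Extracts the claims that should be forwarded for the subject token.
     *
     * <p>If the token carries a JSON-object claim named {@code TokenHandlerConstants.IDP_CLAIMS_CLAIM_KEY}
     * that object is used; otherwise every non-registered top-level claim of the token is used. The result is
     * then reduced to the configured allow-list by {@link #filterClaims(Map)}.
     *
     * @param signedJWT the parsed (not necessarily verified) subject token
     * @return the allow-listed claims as a string map; never {@code null}
     * @throws IdentityOAuth2Exception if the claims set cannot be parsed
     */
    private static Map<String, String> extractIdpClaims(SignedJWT signedJWT) throws IdentityOAuth2Exception {
        JWTClaimsSet claimsSet;
        try {
            claimsSet = signedJWT.getJWTClaimsSet();
        } catch (ParseException e) {
            throw new IdentityOAuth2Exception("Failed to parse the subject token", e);
        }
        Object idpClaims = claimsSet.getClaim(TokenHandlerConstants.IDP_CLAIMS_CLAIM_KEY);
        Map<String, String> candidate;
        if (idpClaims instanceof Map) {
            // Accept any Map, not only JSONObject: newer nimbus versions may hand back a plain Map.
            candidate = convertToStringMap((Map<?, ?>) idpClaims);
        } else {
            if (idpClaims != null && log.isDebugEnabled()) {
                log.debug("Ignoring non-object " + TokenHandlerConstants.IDP_CLAIMS_CLAIM_KEY
                        + " claim of type " + idpClaims.getClass().getName());
            }
            candidate = getCustomClaims(claimsSet.getClaims());
        }
        return filterClaims(candidate);
    }

    /**
     * Creates the subject in the user store of {@link #PROVISIONING_TENANT_ID} if it does not exist yet.
     *
     * <p>The account is created with a random {@link SecureRandom}-generated password and without a
     * password-change requirement, i.e. the credential is never communicated to anyone.
     *
     * @param subjectIdentifier the authenticated subject identifier to provision
     * @throws IdentityOAuth2Exception wrapping any {@link UserStoreException}
     */
    private void provisionUserIfAbsent(String subjectIdentifier) throws IdentityOAuth2Exception {
        try {
            UserStoreManager userStoreManager = ServiceReferenceHolder.getInstance().getRealmService()
                    .getTenantUserRealm(PROVISIONING_TENANT_ID).getUserStoreManager();
            if (userStoreManager.isExistingUser(subjectIdentifier)) {
                if (log.isDebugEnabled()) {
                    log.debug("User " + subjectIdentifier + " already exists in the user store");
                }
                return;
            }
            if (log.isDebugEnabled()) {
                log.debug("Adding user " + subjectIdentifier + " to the user store");
            }
            userStoreManager.addUser(subjectIdentifier, generateRandomString(GENERATED_PASSWORD_LENGTH),
                    (String[]) null, (Map<String, String>) null, (String) null, false);
        } catch (UserStoreException e) {
            throw new IdentityOAuth2Exception("Failed to add user " + subjectIdentifier + " to user store", e);
        }
    }

    /**
     * Returns the first {@code subject_token} request parameter value, or {@code null} when the parameter
     * is absent or carries no value.
     *
     * @param oAuthTokenReqMessageContext the token request context
     * @return the raw subject token string, or {@code null}
     */
    private String getSubjectToken(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        RequestParameter[] requestParameters =
                oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getRequestParameters();
        if (requestParameters == null) {
            return null;
        }
        for (RequestParameter requestParameter : requestParameters) {
            if (TokenHandlerConstants.SUBJECT_TOKEN.equals(requestParameter.getKey())) {
                String[] values = requestParameter.getValue();
                // A parameter present with an empty value array must not throw; treat it as absent.
                return (values != null && values.length > 0) ? values[0] : null;
            }
        }
        return null;
    }

    /**
     * Resolves the identity provider for the subject token and additionally enforces that the IdP is
     * registered in the organization owning the calling client.
     *
     * @param oAuthTokenReqMessageContext the token request context
     * @param jwtIssuer                   issuer of the subject token (used in the error messages below)
     * @param tenantDomain                second superclass argument; presumably the tenant domain - TODO confirm
     *                                    against {@link TokenExchangeGrantHandler#getIdentityProvider}
     * @return the identity provider resolved by the superclass
     * @throws IdentityOAuth2Exception with {@code invalid_request} when no IdP is registered for the issuer in
     *                                 the client's organization, or on any API-manager lookup failure
     */
    protected IdentityProvider getIdentityProvider(OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                                                   String jwtIssuer, String tenantDomain) throws IdentityOAuth2Exception {
        IdentityProvider identityProvider = super.getIdentityProvider(oAuthTokenReqMessageContext, jwtIssuer, tenantDomain);
        if (identityProvider == null) {
            // Nothing to scope-check; preserve the superclass' outcome instead of dereferencing null below.
            return null;
        }
        APIAdminImpl apiAdmin = new APIAdminImpl();
        String clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();

        ApplicationInfo application;
        try {
            application = apiAdmin.getLightweightApplicationByConsumerKey(clientId);
        } catch (APIManagementException e) {
            log.error("Error while getting the organization UUID of the client id: " + clientId, e);
            throw new IdentityOAuth2Exception(
                    "Error while getting the organization details of the client id: " + clientId, e);
        }
        if (application == null) {
            return identityProvider;
        }

        String organizationId = application.getOrganizationId();
        boolean idpInOrg;
        try {
            idpInOrg = apiAdmin.isIDPExistInOrg(organizationId, identityProvider.getResourceId());
        } catch (APIManagementException e) {
            log.error("Error while checking IDP: " + identityProvider.getResourceId()
                    + " in the organization: " + organizationId, e);
            // Keep the cause so the failure is diagnosable from the outer exception.
            throw new IdentityOAuth2Exception("Error while checking IDP for the issuer: " + jwtIssuer, e);
        }
        if (idpInOrg) {
            return identityProvider;
        }
        if (log.isDebugEnabled()) {
            log.debug("No Registered IDP found for the JWT with issuer: " + jwtIssuer
                    + " in the organization: " + organizationId);
        }
        throw new IdentityOAuth2Exception("invalid_request",
                "No Registered IDP found for the JWT with issuer: " + jwtIssuer);
    }

    /**
     * Converts every claim that is not one of {@code Constants.REGISTERED_CLAIMS} into a string.
     *
     * <p>Collection-valued claims (e.g. a {@link JSONArray}) are joined with the framework's
     * multi-attribute separator; claims whose value is {@code null} are skipped rather than rendered as
     * {@code "null"}.
     *
     * @param claims all top-level claims of the token
     * @return a new map of non-registered claim name to string value
     */
    private static Map<String, String> getCustomClaims(Map<String, Object> claims) {
        Map<String, String> custom = new HashMap<>();
        if (claims == null) {
            return custom;
        }
        for (Map.Entry<String, Object> entry : claims.entrySet()) {
            String key = entry.getKey();
            boolean registered = Stream.of(Constants.REGISTERED_CLAIMS).anyMatch(key::equals);
            if (registered) {
                continue;
            }
            Object value = entry.getValue();
            if (value == null) {
                continue;
            }
            if (value instanceof Collection) {
                custom.put(key, StringUtils.join((Collection<?>) value, FrameworkUtils.getMultiAttributeSeparator()));
            } else {
                custom.put(key, value.toString());
            }
        }
        return custom;
    }

    /**
     * Stringifies a JSON-object-like map (e.g. a {@link JSONObject}) value by value.
     *
     * @param source the object to convert; may be {@code null}
     * @return a new map of key to {@code value.toString()}; {@code null} values are skipped
     */
    private static Map<String, String> convertToStringMap(Map<?, ?> source) {
        Map<String, String> out = new HashMap<>();
        if (source == null) {
            return out;
        }
        for (Map.Entry<?, ?> entry : source.entrySet()) {
            Object value = entry.getValue();
            if (entry.getKey() == null || value == null) {
                continue;
            }
            out.put(String.valueOf(entry.getKey()), value.toString());
        }
        return out;
    }

    /**
     * Keeps only the claims named in the configured comma-separated
     * {@code tokenExchangeAllowedClaims} allow-list.
     *
     * <p>Deny-by-default: when no allow-list is configured (null or blank) nothing is forwarded.
     *
     * @param claims candidate claims; may be {@code null}
     * @return a new map containing only allow-listed, non-null claims
     */
    private static Map<String, String> filterClaims(Map<String, String> claims) {
        Map<String, String> filtered = new HashMap<>();
        if (claims == null || claims.isEmpty()) {
            return filtered;
        }
        String allowedClaims = ServiceReferenceHolder.getInstance().getChoreoExtensionConfiguration()
                .getTokenHandlerConfiguration().getTokenExchangeAllowedClaims();
        if (StringUtils.isBlank(allowedClaims)) {
            return filtered;
        }
        Set<String> allowList = Stream.of(allowedClaims.trim().split("\\s*,\\s*")).collect(Collectors.toSet());
        for (Map.Entry<String, String> entry : claims.entrySet()) {
            // Null values are dropped explicitly; Collectors.toMap would have thrown an NPE on them.
            if (entry.getValue() != null && allowList.contains(entry.getKey())) {
                filtered.put(entry.getKey(), entry.getValue());
            }
        }
        return filtered;
    }
}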
