package org.wso2.carbon.apimgt.keymgt.token;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Map;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.aspectj.lang.JoinPoint;
import org.aspectj.runtime.internal.AroundClosure;
import org.aspectj.runtime.internal.Conversions;
import org.aspectj.runtime.reflect.Factory;
import org.wso2.carbon.apimgt.keymgt.MethodStats;
import org.wso2.carbon.apimgt.keymgt.MethodTimeLogger;
import org.wso2.carbon.apimgt.keymgt.ScopesIssuer;
import org.wso2.carbon.apimgt.keymgt.handlers.ResourceConstants;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.PermissionsAndRoleConfig;
import org.wso2.carbon.identity.application.common.model.RoleMapping;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler;
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;

/* loaded from: input_file:org/wso2/carbon/apimgt/keymgt/token/ExtendedJWTBearerGrantHandler.class */
public class ExtendedJWTBearerGrantHandler extends JWTBearerGrantHandler {
    // Class logger; assigned in the static initializer after the join-point descriptors are built.
    private static Log log;
    // Identity provider resolved for the JWT issuer by validateScope_aroundBody0.
    // NOTE(review): this is per-request data kept on the handler instance. If the OAuth
    // framework reuses one handler instance across token requests (not visible here), a
    // concurrent or failed lookup can leave another request's IdP in this field - confirm.
    private IdentityProvider identityProvider = null;
    // AspectJ static join-point descriptors, one per woven method. They are filled in by
    // ajc$preClinit(); the "final ... = null" form is presumably a decompiler artifact.
    private static final JoinPoint.StaticPart ajc$tjp_0 = null;
    private static final JoinPoint.StaticPart ajc$tjp_1 = null;
    private static final JoinPoint.StaticPart ajc$tjp_2 = null;
    private static final JoinPoint.StaticPart ajc$tjp_3 = null;
    private static final JoinPoint.StaticPart ajc$tjp_4 = null;

    /* loaded from: input_file:org/wso2/carbon/apimgt/keymgt/token/ExtendedJWTBearerGrantHandler$AjcClosure1.class */
    /**
     * AspectJ around-closure for {@code validateScope}. The captured state array is
     * {handler, token request context, join point}, as built by the woven wrapper.
     */
    public class AjcClosure1 extends AroundClosure {
        public AjcClosure1(Object[] objArr) {
            super(objArr);
        }

        /** Unpacks the captured arguments and runs the real validateScope body, boxing its result. */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final ExtendedJWTBearerGrantHandler target = (ExtendedJWTBearerGrantHandler) captured[0];
            final OAuthTokenReqMessageContext tokenRequest = (OAuthTokenReqMessageContext) captured[1];
            final JoinPoint joinPoint = (JoinPoint) captured[2];
            final boolean outcome = ExtendedJWTBearerGrantHandler.validateScope_aroundBody0(target, tokenRequest, joinPoint);
            return Conversions.booleanObject(outcome);
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/keymgt/token/ExtendedJWTBearerGrantHandler$AjcClosure3.class */
    /**
     * AspectJ around-closure for {@code getResidentIDPForIssuer}. The captured state array is
     * {handler, tenant domain, JWT issuer, join point}, as built by the woven wrapper.
     */
    public class AjcClosure3 extends AroundClosure {
        public AjcClosure3(Object[] objArr) {
            super(objArr);
        }

        /** Unpacks the captured arguments and runs the real getResidentIDPForIssuer body. */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final ExtendedJWTBearerGrantHandler target = (ExtendedJWTBearerGrantHandler) captured[0];
            final String tenantDomain = (String) captured[1];
            final String jwtIssuer = (String) captured[2];
            final JoinPoint joinPoint = (JoinPoint) captured[3];
            return ExtendedJWTBearerGrantHandler.getResidentIDPForIssuer_aroundBody2(target, tenantDomain, jwtIssuer, joinPoint);
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/keymgt/token/ExtendedJWTBearerGrantHandler$AjcClosure5.class */
    /**
     * AspectJ around-closure for {@code getUpdatedRoleClaimValue}. The captured state array is
     * {handler, identity provider, role claim value, join point}, as built by the woven wrapper.
     */
    public class AjcClosure5 extends AroundClosure {
        public AjcClosure5(Object[] objArr) {
            super(objArr);
        }

        /** Unpacks the captured arguments and runs the real getUpdatedRoleClaimValue body. */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final ExtendedJWTBearerGrantHandler target = (ExtendedJWTBearerGrantHandler) captured[0];
            final IdentityProvider idp = (IdentityProvider) captured[1];
            final String roleClaimValue = (String) captured[2];
            final JoinPoint joinPoint = (JoinPoint) captured[3];
            return ExtendedJWTBearerGrantHandler.getUpdatedRoleClaimValue_aroundBody4(target, idp, roleClaimValue, joinPoint);
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/keymgt/token/ExtendedJWTBearerGrantHandler$AjcClosure7.class */
    /**
     * AspectJ around-closure for {@code getClaimSet}. The captured state array is
     * {handler, signed JWT, join point}, as built by the woven wrapper.
     */
    public class AjcClosure7 extends AroundClosure {
        public AjcClosure7(Object[] objArr) {
            super(objArr);
        }

        /** Unpacks the captured arguments and runs the real getClaimSet body. */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final ExtendedJWTBearerGrantHandler target = (ExtendedJWTBearerGrantHandler) captured[0];
            final SignedJWT jwt = (SignedJWT) captured[1];
            final JoinPoint joinPoint = (JoinPoint) captured[2];
            return ExtendedJWTBearerGrantHandler.getClaimSet_aroundBody6(target, jwt, joinPoint);
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/keymgt/token/ExtendedJWTBearerGrantHandler$AjcClosure9.class */
    /**
     * AspectJ around-closure for {@code getSignedJWT}. The captured state array is
     * {handler, token request context, join point}, as built by the woven wrapper.
     */
    public class AjcClosure9 extends AroundClosure {
        public AjcClosure9(Object[] objArr) {
            super(objArr);
        }

        /** Unpacks the captured arguments and runs the real getSignedJWT body. */
        public Object run(Object[] objArr) {
            final Object[] captured = this.state;
            final ExtendedJWTBearerGrantHandler target = (ExtendedJWTBearerGrantHandler) captured[0];
            final OAuthTokenReqMessageContext tokenRequest = (OAuthTokenReqMessageContext) captured[1];
            final JoinPoint joinPoint = (JoinPoint) captured[2];
            return ExtendedJWTBearerGrantHandler.getSignedJWT_aroundBody8(target, tokenRequest, joinPoint);
        }
    }

    static {
        // Build the AspectJ join-point descriptors first, then create the class logger.
        ExtendedJWTBearerGrantHandler.ajc$preClinit();
        ExtendedJWTBearerGrantHandler.log = LogFactory.getLog(ExtendedJWTBearerGrantHandler.class);
    }

    /**
     * Woven entry point for scope validation of a JWT bearer grant request.
     *
     * <p>When method timing is enabled (globally, or for classes annotated with
     * {@link MethodStats}), the call is routed through {@link MethodTimeLogger}; otherwise the
     * real body, {@code validateScope_aroundBody0}, is invoked directly.
     *
     * @param oAuthTokenReqMessageContext the token request being processed
     * @return the result of the real validateScope body
     */
    public boolean validateScope(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        final JoinPoint joinPoint = Factory.makeJP(ajc$tjp_0, this, this, oAuthTokenReqMessageContext);
        final boolean timed = (MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll())
                || (getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled());
        if (!timed) {
            return validateScope_aroundBody0(this, oAuthTokenReqMessageContext, joinPoint);
        }
        final Object[] closureState = {this, oAuthTokenReqMessageContext, joinPoint};
        return Conversions.booleanValue(
                MethodTimeLogger.aspectOf().log(new AjcClosure1(closureState).linkClosureAndJoinPoint(69648)));
    }

    /**
     * Woven wrapper around {@code getResidentIDPForIssuer_aroundBody2}; routes the call through
     * {@link MethodTimeLogger} when method timing is enabled.
     *
     * @param str  tenant domain (named {@code tenantDomain} in the join-point metadata)
     * @param str2 JWT issuer (named {@code jwtIssuer} in the join-point metadata)
     * @return the resident identity provider when it matches the issuer, otherwise {@code null}
     * @throws IdentityOAuth2Exception if the resident identity provider cannot be loaded
     */
    private IdentityProvider getResidentIDPForIssuer(String str, String str2) throws IdentityOAuth2Exception {
        final JoinPoint joinPoint = Factory.makeJP(ajc$tjp_1, this, this, str, str2);
        final boolean timed = (MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll())
                || (getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled());
        if (!timed) {
            return getResidentIDPForIssuer_aroundBody2(this, str, str2, joinPoint);
        }
        final Object[] closureState = {this, str, str2, joinPoint};
        return (IdentityProvider) MethodTimeLogger.aspectOf()
                .log(new AjcClosure3(closureState).linkClosureAndJoinPoint(69648));
    }

    /**
     * Woven wrapper around {@code getUpdatedRoleClaimValue_aroundBody4}; routes the call through
     * {@link MethodTimeLogger} when method timing is enabled.
     *
     * @param identityProvider identity provider whose role mappings are applied
     * @param str              role claim value taken from the JWT (named
     *                         {@code currentRoleClaimValue} in the join-point metadata)
     * @return the mapped role claim value, or {@code null} when nothing is to be returned
     */
    private String getUpdatedRoleClaimValue(IdentityProvider identityProvider, String str) {
        final JoinPoint joinPoint = Factory.makeJP(ajc$tjp_2, this, this, identityProvider, str);
        final boolean timed = (MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll())
                || (getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled());
        if (!timed) {
            return getUpdatedRoleClaimValue_aroundBody4(this, identityProvider, str, joinPoint);
        }
        final Object[] closureState = {this, identityProvider, str, joinPoint};
        return (String) MethodTimeLogger.aspectOf()
                .log(new AjcClosure5(closureState).linkClosureAndJoinPoint(69648));
    }

    /**
     * Woven wrapper around {@code getClaimSet_aroundBody6}; routes the call through
     * {@link MethodTimeLogger} when method timing is enabled.
     *
     * @param signedJWT the parsed JWT assertion
     * @return the claims set of the JWT, or {@code null} when it cannot be read
     */
    private JWTClaimsSet getClaimSet(SignedJWT signedJWT) {
        final JoinPoint joinPoint = Factory.makeJP(ajc$tjp_3, this, this, signedJWT);
        final boolean timed = (MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll())
                || (getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled());
        if (!timed) {
            return getClaimSet_aroundBody6(this, signedJWT, joinPoint);
        }
        final Object[] closureState = {this, signedJWT, joinPoint};
        return (JWTClaimsSet) MethodTimeLogger.aspectOf()
                .log(new AjcClosure7(closureState).linkClosureAndJoinPoint(69648));
    }

    /**
     * Woven wrapper around {@code getSignedJWT_aroundBody8}; routes the call through
     * {@link MethodTimeLogger} when method timing is enabled.
     *
     * @param oAuthTokenReqMessageContext the token request carrying the {@code assertion} parameter
     * @return the parsed JWT assertion
     * @throws IdentityOAuth2Exception if the assertion is missing or cannot be parsed
     */
    private SignedJWT getSignedJWT(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        final JoinPoint joinPoint = Factory.makeJP(ajc$tjp_4, this, this, oAuthTokenReqMessageContext);
        final boolean timed = (MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll())
                || (getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled());
        if (!timed) {
            return getSignedJWT_aroundBody8(this, oAuthTokenReqMessageContext, joinPoint);
        }
        final Object[] closureState = {this, oAuthTokenReqMessageContext, joinPoint};
        return (SignedJWT) MethodTimeLogger.aspectOf()
                .log(new AjcClosure9(closureState).linkClosureAndJoinPoint(69648));
    }

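    /**
     * Real body of {@code validateScope}: reads the role claim from the JWT assertion, maps the
     * roles through the issuer's identity provider, stores them as a user attribute on the
     * authorized user, and then lets {@link ScopesIssuer} decide the scopes.
     *
     * <p>Every step that cannot be completed (assertion missing or unparseable, claims
     * unreadable, no identity provider registered for the issuer, identity provider lookup
     * failure) now denies the request by returning {@code false}. Previously these failures were
     * only logged and execution continued, ending in a {@code NullPointerException} or, after a
     * failed lookup, in role mapping against whatever identity provider the instance field
     * still held from an earlier call.
     *
     * <p>NOTE(review): the assertion is re-parsed here and its claims are used without a
     * signature check in this method. Presumably the parent handler has verified the JWT
     * before validateScope is called - confirm.
     *
     * @param extendedJWTBearerGrantHandler the handler instance the call was made on
     * @param oAuthTokenReqMessageContext   the token request being processed
     * @param joinPoint                     AspectJ join point (unused by the body)
     * @return the result of {@code ScopesIssuer.setScopes}, or {@code false} when the JWT or its
     *         identity provider cannot be resolved
     */
    static final boolean validateScope_aroundBody0(ExtendedJWTBearerGrantHandler extendedJWTBearerGrantHandler, OAuthTokenReqMessageContext oAuthTokenReqMessageContext, JoinPoint joinPoint) {
        SignedJWT signedJWT;
        try {
            signedJWT = extendedJWTBearerGrantHandler.getSignedJWT(oAuthTokenReqMessageContext);
        } catch (IdentityOAuth2Exception e) {
            log.error("Couldn't retrieve signed JWT", e);
            return false;
        }
        if (signedJWT == null) {
            return false;
        }

        // getClaimSet logs the parse failure itself and returns null.
        JWTClaimsSet claimSet = extendedJWTBearerGrantHandler.getClaimSet(signedJWT);
        if (claimSet == null) {
            return false;
        }

        String issuer = claimSet.getIssuer();
        String tenantDomain = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain();

        // Resolve the identity provider into a local so that the rest of this call never depends
        // on the shared instance field.
        IdentityProvider resolvedIdp;
        try {
            resolvedIdp = IdentityProviderManager.getInstance().getIdPByName(issuer, tenantDomain);
            if (resolvedIdp != null && StringUtils.equalsIgnoreCase(resolvedIdp.getIdentityProviderName(), "default")) {
                // The lookup fell back to the default IdP; accept it only if the resident IdP
                // is configured for this issuer.
                resolvedIdp = extendedJWTBearerGrantHandler.getResidentIDPForIssuer(tenantDomain, issuer);
            }
        } catch (IdentityProviderManagementException | IdentityOAuth2Exception e2) {
            log.error("Couldn't initiate identity provider instance", e2);
            extendedJWTBearerGrantHandler.identityProvider = null;
            return false;
        }
        // Kept for compatibility with the original side effect; the logic below uses the local.
        extendedJWTBearerGrantHandler.identityProvider = resolvedIdp;
        if (resolvedIdp == null) {
            log.error("No Registered IDP found for the JWT with issuer name : " + issuer);
            return false;
        }

        String roleClaimURI = resolvedIdp.getClaimConfig().getRoleClaimURI();
        String[] roleClaims = null;
        try {
            roleClaims = claimSet.getStringArrayClaim(roleClaimURI);
        } catch (ParseException e3) {
            // As before, an unreadable role claim is treated as "no roles", not as a failure.
            log.error("Couldn't retrieve roles:", e3);
        }

        ArrayList<String> mappedRoles = new ArrayList<>();
        if (roleClaims != null) {
            for (String roleClaim : roleClaims) {
                String updatedRoleClaimValue = extendedJWTBearerGrantHandler.getUpdatedRoleClaimValue(resolvedIdp, roleClaim);
                // A null mapping result keeps the role as received, as in the original code.
                mappedRoles.add(updatedRoleClaimValue != null ? updatedRoleClaimValue : roleClaim);
            }
        }

        AuthenticatedUser authorizedUser = oAuthTokenReqMessageContext.getAuthorizedUser();
        Map<ClaimMapping, String> userAttributes = authorizedUser.getUserAttributes();
        // The role list is stored in List.toString() form with all spaces removed, e.g. "[a,b]".
        userAttributes.put(ClaimMapping.build(roleClaimURI, roleClaimURI, (String) null, false), mappedRoles.toString().replace(" ", ""));
        if (roleClaimURI != null) {
            oAuthTokenReqMessageContext.addProperty(ResourceConstants.ROLE_CLAIM, roleClaimURI);
        }
        authorizedUser.setUserAttributes(userAttributes);
        oAuthTokenReqMessageContext.setAuthorizedUser(authorizedUser);
        return ScopesIssuer.getInstance().setScopes(oAuthTokenReqMessageContext);
    }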

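    /**
     * Real body of {@code getResidentIDPForIssuer}: returns the tenant's resident identity
     * provider when the "IdPEntityId" property of its "openidconnect" authenticator equals the
     * JWT issuer.
     *
     * <p>A blank issuer, a missing authenticator configuration and a missing or blank
     * "IdPEntityId" property are all treated as "no match". The original compared the issuer
     * against an empty string when the authenticator was absent, so an empty issuer matched the
     * resident identity provider, and it dereferenced the property without a null check.
     *
     * <p>The method throws {@link IdentityOAuth2Exception} although no {@code throws} clause is
     * listed; the clause was presumably dropped by the decompiler.
     *
     * @param extendedJWTBearerGrantHandler the handler instance the call was made on (unused)
     * @param str                           tenant domain
     * @param str2                          JWT issuer
     * @param joinPoint                     AspectJ join point (unused by the body)
     * @return the resident identity provider on a match, otherwise {@code null}
     */
    static final IdentityProvider getResidentIDPForIssuer_aroundBody2(ExtendedJWTBearerGrantHandler extendedJWTBearerGrantHandler, String str, String str2, JoinPoint joinPoint) {
        try {
            IdentityProvider residentIdP = IdentityProviderManager.getInstance().getResidentIdP(str);
            if (residentIdP == null || StringUtils.isBlank(str2)) {
                return null;
            }
            FederatedAuthenticatorConfig federatedAuthenticator = IdentityApplicationManagementUtil.getFederatedAuthenticator(residentIdP.getFederatedAuthenticatorConfigs(), "openidconnect");
            if (federatedAuthenticator == null) {
                return null;
            }
            org.wso2.carbon.identity.application.common.model.Property entityIdProperty =
                    IdentityApplicationManagementUtil.getProperty(federatedAuthenticator.getProperties(), "IdPEntityId");
            if (entityIdProperty == null) {
                return null;
            }
            // str2 is known to be non-blank here, so a blank entity id can never match.
            return str2.equals(entityIdProperty.getValue()) ? residentIdP : null;
        } catch (IdentityProviderManagementException e) {
            throw new IdentityOAuth2Exception(String.format("Error while getting Resident Identity Provider of '%s' tenant.", str), e);
        }
    }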

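    /**
     * Real body of {@code getUpdatedRoleClaimValue}: translates a role claim value received in
     * the JWT into local role names using the identity provider's role mappings.
     *
     * <p>For the "LOCAL" identity provider the value is returned unchanged. Otherwise the value
     * is stripped of JSON array residue ({@code [}, {@code ]}, {@code "}, escaped slashes), split
     * on the multi-attribute separator, and each remote role is replaced by its mapped local
     * role. Unmapped roles are kept only when "return only mapped local roles" is off.
     *
     * <p>Fixes over the listed code: the inner {@code while (true)} loop had no exit once the
     * mappings were exhausted, so any role without a mapping never terminated (most likely a
     * decompiler artifact); and a role mapping with a null remote role no longer throws.
     *
     * @param extendedJWTBearerGrantHandler the handler instance the call was made on (unused)
     * @param identityProvider              identity provider whose role mappings are applied
     * @param str                           role claim value from the JWT
     * @param joinPoint                     AspectJ join point (unused by the body)
     * @return the resulting role claim value, or {@code null} when no role is to be returned
     */
    static final String getUpdatedRoleClaimValue_aroundBody4(ExtendedJWTBearerGrantHandler extendedJWTBearerGrantHandler, IdentityProvider identityProvider, String str, JoinPoint joinPoint) {
        if (StringUtils.equalsIgnoreCase("LOCAL", identityProvider.getIdentityProviderName())) {
            return str;
        }
        String cleaned = str.replace("\\/", "/").replace("[", "").replace("]", "").replace("\"", "");
        PermissionsAndRoleConfig permissionAndRoleConfig = identityProvider.getPermissionAndRoleConfig();
        RoleMapping[] roleMappings = permissionAndRoleConfig != null ? permissionAndRoleConfig.getRoleMappings() : null;
        if (!ArrayUtils.isNotEmpty(roleMappings)) {
            // No mappings configured: pass the value through unless only mapped roles are allowed.
            return OAuthServerConfiguration.getInstance().isReturnOnlyMappedLocalRoles() ? null : cleaned;
        }

        // NOTE(review): String.split treats the separator as a regular expression while
        // StringUtils.join below uses it literally; confirm the configured separator contains
        // no regex metacharacters.
        String[] receivedRoles = cleaned.split(FrameworkUtils.getMultiAttributeSeparator());
        ArrayList<String> updatedRoles = new ArrayList<>();
        for (String receivedRole : receivedRoles) {
            String localRoleName = null;
            boolean mapped = false;
            for (RoleMapping roleMapping : roleMappings) {
                // receivedRole comes from split() and is never null; the remote role may be.
                if (receivedRole.equals(roleMapping.getRemoteRole())) {
                    localRoleName = roleMapping.getLocalRole().getLocalRoleName();
                    mapped = true;
                    break;
                }
            }
            if (mapped) {
                updatedRoles.add(localRoleName);
            } else if (!OAuthServerConfiguration.getInstance().isReturnOnlyMappedLocalRoles()) {
                updatedRoles.add(receivedRole);
            }
        }
        if (updatedRoles.isEmpty()) {
            return null;
        }
        return StringUtils.join(updatedRoles, FrameworkUtils.getMultiAttributeSeparator());
    }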

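    /**
     * Real body of {@code getClaimSet}: extracts the claims set from a parsed JWT.
     *
     * <p>A {@code null} JWT now yields {@code null} instead of a {@code NullPointerException};
     * the listed {@code validateScope_aroundBody0} passes {@code null} here when the assertion
     * could not be retrieved.
     *
     * @param extendedJWTBearerGrantHandler the handler instance the call was made on (unused)
     * @param signedJWT                     the parsed JWT, may be {@code null}
     * @param joinPoint                     AspectJ join point (unused by the body)
     * @return the claims set, or {@code null} when the JWT is absent or its payload cannot be
     *         parsed (the parse failure is logged)
     */
    static final JWTClaimsSet getClaimSet_aroundBody6(ExtendedJWTBearerGrantHandler extendedJWTBearerGrantHandler, SignedJWT signedJWT, JoinPoint joinPoint) {
        if (signedJWT == null) {
            return null;
        }
        try {
            return signedJWT.getJWTClaimsSet();
        } catch (ParseException e) {
            log.error("Error when trying to retrieve claimsSet from the JWT:", e);
            return null;
        }
    }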

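    /**
     * Real body of {@code getSignedJWT}: finds the {@code assertion} request parameter and
     * parses its first value as a signed JWT.
     *
     * <p>The request parameters come from the client, so a missing parameter array, a parameter
     * with a null key, or an {@code assertion} parameter with no values is now reported as
     * {@link IdentityOAuth2Exception} ("Error while retrieving assertion") instead of surfacing
     * as a {@code NullPointerException} or {@code ArrayIndexOutOfBoundsException}.
     *
     * <p>This method only parses the token; no signature verification happens here.
     * The method throws {@link IdentityOAuth2Exception} although no {@code throws} clause is
     * listed; the clause was presumably dropped by the decompiler.
     *
     * @param extendedJWTBearerGrantHandler the handler instance the call was made on (unused)
     * @param oAuthTokenReqMessageContext   the token request carrying the request parameters
     * @param joinPoint                     AspectJ join point (unused by the body)
     * @return the parsed JWT
     */
    static final SignedJWT getSignedJWT_aroundBody8(ExtendedJWTBearerGrantHandler extendedJWTBearerGrantHandler, OAuthTokenReqMessageContext oAuthTokenReqMessageContext, JoinPoint joinPoint) {
        RequestParameter[] requestParameters = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getRequestParameters();
        String assertion = null;
        if (requestParameters != null) {
            for (RequestParameter requestParameter : requestParameters) {
                if (requestParameter != null && "assertion".equals(requestParameter.getKey())) {
                    // Only the first "assertion" parameter is considered, as in the original.
                    String[] values = requestParameter.getValue();
                    if (values != null && values.length > 0) {
                        assertion = values[0];
                    }
                    break;
                }
            }
        }
        if (StringUtils.isEmpty(assertion)) {
            throw new IdentityOAuth2Exception("Error while retrieving assertion");
        }
        try {
            SignedJWT parsed = SignedJWT.parse(assertion);
            if (log.isDebugEnabled()) {
                // NOTE(review): confirm what SignedJWT's string form contains; if it includes
                // the serialized token, debug logs will hold a bearer credential.
                log.debug(parsed);
            }
            return parsed;
        } catch (ParseException e) {
            throw new IdentityOAuth2Exception("Error while parsing the JWT.", e);
        }
    }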

    /**
     * Builds the AspectJ static join-point descriptors for the five woven methods.
     * Each descriptor records the method's name, declaring type, parameter types and names,
     * declared exceptions and return type; the trailing integer is presumably the line number
     * in the original source file - confirm.
     */
    private static void ajc$preClinit() {
        final String executionKind = "method-execution";
        final String ownerType = "org.wso2.carbon.apimgt.keymgt.token.ExtendedJWTBearerGrantHandler";
        final String tokenContextType = "org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext";
        final String oauthExceptionType = "org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception";
        final String identityProviderType = "org.wso2.carbon.identity.application.common.model.IdentityProvider";

        Factory descriptorFactory = new Factory("ExtendedJWTBearerGrantHandler.java", ExtendedJWTBearerGrantHandler.class);

        // validateScope(tokReqMsgCtx) -> boolean
        ajc$tjp_0 = descriptorFactory.makeSJP(executionKind,
                descriptorFactory.makeMethodSig("1", "validateScope", ownerType, tokenContextType, "tokReqMsgCtx", "", "boolean"), 61);
        // getResidentIDPForIssuer(tenantDomain, jwtIssuer) -> IdentityProvider
        ajc$tjp_1 = descriptorFactory.makeSJP(executionKind,
                descriptorFactory.makeMethodSig("2", "getResidentIDPForIssuer", ownerType, "java.lang.String:java.lang.String", "tenantDomain:jwtIssuer", oauthExceptionType, identityProviderType), 124);
        // getUpdatedRoleClaimValue(identityProvider, currentRoleClaimValue) -> String
        ajc$tjp_2 = descriptorFactory.makeSJP(executionKind,
                descriptorFactory.makeMethodSig("2", "getUpdatedRoleClaimValue", ownerType, identityProviderType + ":java.lang.String", "identityProvider:currentRoleClaimValue", "", "java.lang.String"), 152);
        // getClaimSet(signedJWT) -> JWTClaimsSet
        ajc$tjp_3 = descriptorFactory.makeSJP(executionKind,
                descriptorFactory.makeMethodSig("2", "getClaimSet", ownerType, "com.nimbusds.jwt.SignedJWT", "signedJWT", "", "com.nimbusds.jwt.JWTClaimsSet"), 193);
        // getSignedJWT(tokReqMsgCtx) -> SignedJWT
        ajc$tjp_4 = descriptorFactory.makeSJP(executionKind,
                descriptorFactory.makeMethodSig("2", "getSignedJWT", ownerType, tokenContextType, "tokReqMsgCtx", oauthExceptionType, "com.nimbusds.jwt.SignedJWT"), 209);
    }
}
