package org.wso2.carbon.device.mgt.oauth.extensions;

import com.google.gson.Gson;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.cache.Caching;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.w3c.dom.Document;
import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO;
import org.wso2.carbon.apimgt.impl.utils.APIUtil;
import org.wso2.carbon.apimgt.keymgt.ScopesIssuer;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationException;
import org.wso2.carbon.device.mgt.common.authorization.DeviceAuthorizationResult;
import org.wso2.carbon.device.mgt.oauth.extensions.config.DeviceMgtScopesConfig;
import org.wso2.carbon.device.mgt.oauth.extensions.config.DeviceMgtScopesConfigurationFailedException;
import org.wso2.carbon.device.mgt.oauth.extensions.internal.OAuthExtensionsDataHolder;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.user.api.AuthorizationManager;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/device/mgt/oauth/extensions/OAuthExtUtils.class */
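/**
 * Helpers used by the device-management OAuth extensions to narrow the scopes granted on an
 * access token to those the authorized user may hold, and to attach per-device scopes derived
 * from a client-supplied device assertion.
 *
 * <p>All methods are static and stateless; the class delegates to the realm service, the API
 * manager DAO/cache and the device access authorization service exposed through
 * {@link OAuthExtensionsDataHolder}.
 */
public class OAuthExtUtils {
    private static final Log log = LogFactory.getLog(OAuthExtUtils.class);
    private static final String DEFAULT_SCOPE_NAME = "default";
    /** Action passed to the authorization manager when a scope's mapped value is checked. */
    private static final String UI_EXECUTE = "ui.execute";
    private static final String REST_API_SCOPE_CACHE = "REST_API_SCOPE_CACHE";
    private static final String API_MANAGER_CACHE = "API_MANAGER_CACHE";
    private static final int START_INDEX = 0;
    /** Prefix of the per-device scopes built by {@link #validateScope}. */
    private static final String DEFAULT_SCOPE_TAG = "device-mgt";
    private static final String DEVICE_SCOPE_SEPARATOR = ":";
    /** Scopes inside a device assertion are space separated. */
    private static final String SCOPE_SEPARATOR = " ";
    /** Values of the scope mapping are comma separated; surrounding spaces are tolerated. */
    private static final String MAPPING_VALUE_SEPARATOR = ",";

    /**
     * Resolves the tenant id of a tenant domain through the registered realm service.
     *
     * @param tenantDomain tenant domain to resolve; may be {@code null}
     * @return the tenant id, or {@code 0} when the domain is {@code null} or the lookup fails.
     *         Callers should treat {@code 0} as "not resolved" rather than as a tenant;
     *         {@link #getAuthorizedScopes} already does.
     */
    public static int getTenantId(String tenantDomain) {
        if (tenantDomain == null) {
            return START_INDEX;
        }
        try {
            return OAuthExtensionsDataHolder.getInstance().getRealmService().getTenantManager()
                    .getTenantId(tenantDomain);
        } catch (UserStoreException e) {
            log.error("Error when getting the tenant id from the tenant domain : " + tenantDomain, e);
            return START_INDEX;
        }
    }

    /**
     * Replaces the scopes requested in the token request with the subset the authorized user is
     * allowed to hold.
     *
     * <p>No requested scope yields the {@code default} scope. When neither the application nor the
     * tenant's REST API configuration defines any scope, only whitelisted scopes survive (see
     * {@link #getAllowedScopes}). Otherwise each requested scope is checked against the mapping
     * (see {@link #getAuthorizedScopes}); an empty result again yields the {@code default} scope.
     *
     * @param tokReqMsgCtx token request context whose scopes are read and overwritten
     * @return {@code true} when the scopes were set; {@code false} when the application's scope
     *         mapping could not be loaded, in which case the scopes are left untouched
     */
    public static boolean setScopes(OAuthTokenReqMessageContext tokReqMsgCtx) {
        String[] requestedScopes = tokReqMsgCtx.getScope();
        String[] defaultScope = {DEFAULT_SCOPE_NAME};
        if (requestedScopes == null || requestedScopes.length == 0) {
            tokReqMsgCtx.setScope(defaultScope);
            return true;
        }
        String clientId = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getClientId();
        List<String> requested = Arrays.asList(requestedScopes);
        try {
            Map<String, String> scopeMapping = ApiMgtDAO.getInstance().getScopeRolesOfApplication(clientId);
            String tenantDomain = tokReqMsgCtx.getAuthorizedUser().getTenantDomain();
            // Tenant-wide REST API scopes are merged over the application's own mapping.
            scopeMapping.putAll(getRestApiScopes(tenantDomain));
            if (scopeMapping.isEmpty()) {
                if (log.isDebugEnabled()) {
                    log.debug("No scopes defined for the Application " + clientId);
                }
                tokReqMsgCtx.setScope(getAllowedScopes(requested));
                return true;
            }
            List<String> authorizedScopes = getAuthorizedScopes(tokReqMsgCtx, requested, scopeMapping);
            if (authorizedScopes.isEmpty()) {
                tokReqMsgCtx.setScope(defaultScope);
            } else {
                tokReqMsgCtx.setScope(authorizedScopes.toArray(new String[authorizedScopes.size()]));
            }
            return true;
        } catch (APIManagementException e) {
            // Keep the cause: the previous message-only log lost the stack trace.
            log.error("Error while getting scopes of application " + clientId, e);
            return false;
        }
    }

    /**
     * Returns the tenant's REST API scope mapping, served from the API manager cache and loaded
     * from the tenant configuration (then cached) on a miss.
     *
     * @param tenantDomain tenant whose REST API scopes are wanted
     * @return scope-to-value mapping; never {@code null}
     * @throws APIManagementException if the tenant configuration cannot be read
     */
    @SuppressWarnings("unchecked") // the cache is used untyped, as the original cast did
    private static Map<String, String> getRestApiScopes(String tenantDomain) throws APIManagementException {
        Map<String, String> cached = (Map<String, String>) Caching.getCacheManager(API_MANAGER_CACHE)
                .getCache(REST_API_SCOPE_CACHE).get(tenantDomain);
        if (cached != null) {
            return cached;
        }
        Map<String, String> fromConfig =
                APIUtil.getRESTAPIScopesFromConfig(APIUtil.getTenantRESTAPIScopesConfig(tenantDomain));
        Caching.getCacheManager(API_MANAGER_CACHE).getCache(REST_API_SCOPE_CACHE).put(tenantDomain, fromConfig);
        return fromConfig;
    }

    /**
     * Tells whether a scope is whitelisted.
     *
     * <p>Whitelist entries are regular expressions and must match the whole scope string
     * ({@link String#matches}), so an entry such as {@code openid} cannot match {@code openidx}.
     *
     * @param scope scope to test
     * @return {@code true} if any whitelist pattern matches the scope
     */
    private static boolean isWhiteListedScope(String scope) {
        for (String pattern : OAuthExtensionsDataHolder.getInstance().getWhitelistedScopes()) {
            if (scope.matches(pattern)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Filters the requested scopes down to the whitelisted ones.
     *
     * @param requestedScopes scopes from the token request
     * @return the whitelisted subset, or {@code ["default"]} when none is whitelisted
     */
    private static String[] getAllowedScopes(List<String> requestedScopes) {
        List<String> allowed = new ArrayList<String>();
        for (String scope : requestedScopes) {
            if (isWhiteListedScope(scope)) {
                allowed.add(scope);
            }
        }
        if (allowed.isEmpty()) {
            allowed.add(DEFAULT_SCOPE_NAME);
        }
        return allowed.toArray(new String[allowed.size()]);
    }

    /**
     * Selects the requested scopes the authorized user may hold according to the scope mapping.
     *
     * <p>A scope whose mapping value is non-empty is granted when the user is authorized for any
     * of the comma-separated values (each value is checked as a resource id with the
     * {@code ui.execute} action). A scope that is present in the mapping with a {@code null} or
     * empty value, or that is whitelisted, is granted to any authenticated user. Unmapped,
     * non-whitelisted scopes are dropped. If the user realm cannot be initialised the error is
     * logged and whatever was collected so far is returned.
     *
     * @param tokReqMsgCtx token request context (authorized user and tenant)
     * @param requestedScopes scopes from the token request
     * @param scopeMapping scope to comma-separated values
     * @return the granted scopes, in request order; never {@code null}
     */
    private static List<String> getAuthorizedScopes(OAuthTokenReqMessageContext tokReqMsgCtx,
                                                    List<String> requestedScopes,
                                                    Map<String, String> scopeMapping) {
        List<String> authorizedScopes = new ArrayList<String>();
        String userName = tokReqMsgCtx.getAuthorizedUser().getUserName();
        try {
            int tenantId = OAuthExtensionsDataHolder.getInstance().getRealmService().getTenantManager()
                    .getTenantId(tokReqMsgCtx.getAuthorizedUser().getTenantDomain());
            // 0 and -1 mean the domain did not resolve; derive the tenant from the user name instead.
            if (tenantId == 0 || tenantId == -1) {
                tenantId = IdentityTenantUtil.getTenantIdOfUser(userName);
            }
            UserRealm realm = OAuthExtensionsDataHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);
            AuthorizationManager authorizationManager = realm == null ? null : realm.getAuthorizationManager();
            String userStoreDomain = tokReqMsgCtx.getAuthorizedUser().getUserStoreDomain();
            String qualifiedUserName = userStoreDomain != null ? userStoreDomain + "/" + userName : userName;
            for (String scope : requestedScopes) {
                String mappedValues = scopeMapping.get(scope);
                if (mappedValues == null || mappedValues.isEmpty()) {
                    if (scopeMapping.containsKey(scope) || isWhiteListedScope(scope)) {
                        authorizedScopes.add(scope);
                    }
                } else if (isAuthorizedForAny(authorizationManager, qualifiedUserName, mappedValues)) {
                    authorizedScopes.add(scope);
                }
            }
        } catch (UserStoreException e) {
            log.error("Error occurred while initializing user store.", e);
        }
        return authorizedScopes;
    }

    /**
     * Checks the user against each comma-separated mapping value until one authorizes.
     *
     * @param authorizationManager realm authorization manager; {@code null} when no realm exists,
     *        in which case nothing is authorized
     * @param qualifiedUserName user name, prefixed with the user store domain when known
     * @param mappedValues comma-separated values from the scope mapping
     * @return {@code true} if the user is authorized for at least one value
     * @throws UserStoreException propagated from the authorization manager
     */
    private static boolean isAuthorizedForAny(AuthorizationManager authorizationManager,
                                              String qualifiedUserName,
                                              String mappedValues) throws UserStoreException {
        if (authorizationManager == null) {
            return false;
        }
        for (String value : mappedValues.replace(" ", "").split(MAPPING_VALUE_SEPARATOR)) {
            if (authorizationManager.isUserAuthorized(qualifiedUserName, value, UI_EXECUTE)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Strips the tenant suffix from a {@code user@tenant} name.
     *
     * @param qualifiedName possibly tenant-qualified user name; surrounding whitespace is ignored
     * @return the part before the last {@code @}; the trimmed input when it has no {@code @};
     *         {@code null} for {@code null} or empty input
     */
    public static String extractUserName(String qualifiedName) {
        if (qualifiedName == null || qualifiedName.isEmpty()) {
            return null;
        }
        String trimmed = qualifiedName.trim();
        int at = trimmed.lastIndexOf('@');
        // The previous version called substring(0, -1) here and threw for names without '@'.
        return at < 0 ? trimmed : trimmed.substring(START_INDEX, at);
    }

    /**
     * Lets the scopes issuer set the token scopes and then, inside a tenant flow for the
     * authorized user, appends one {@code device-mgt:<type>:<id>:<scope>} scope per device the
     * user is authorized for, for every scope named in the device assertion parameter.
     *
     * <p>The device assertion is supplied by the client; the device ids it names are only trusted
     * once the device access authorization service has confirmed them for the user.
     *
     * @param tokReqMsgCtx token request context; its scopes may be extended
     * @return the scopes issuer's result; when it is {@code false} nothing else is done
     */
    public static boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) {
        boolean scopesSet = ScopesIssuer.getInstance().setScopes(tokReqMsgCtx);
        if (!scopesSet) {
            return false;
        }
        String userName = tokReqMsgCtx.getAuthorizedUser().getUserName();
        PrivilegedCarbonContext.startTenantFlow();
        try {
            PrivilegedCarbonContext.getThreadLocalCarbonContext()
                    .setTenantDomain(tokReqMsgCtx.getAuthorizedUser().getTenantDomain(), true);
            PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(userName);
            DeviceRequestDTO deviceRequest = extractDeviceRequest(tokReqMsgCtx);
            if (deviceRequest != null && deviceRequest.getScope() != null) {
                for (String scope : deviceRequest.getScope().split(SCOPE_SEPARATOR)) {
                    DeviceAuthorizationResult result = OAuthExtensionsDataHolder.getInstance()
                            .getDeviceAccessAuthorizationService()
                            .isUserAuthorized(deviceRequest.getDeviceIdentifiers(), userName, getPermissions(scope));
                    if (result == null || result.getAuthorizedDevices() == null) {
                        continue;
                    }
                    String[] currentScopes = tokReqMsgCtx.getScope();
                    List<String> combined = currentScopes == null
                            ? new ArrayList<String>()
                            : new ArrayList<String>(Arrays.asList(currentScopes));
                    for (DeviceIdentifier device : result.getAuthorizedDevices()) {
                        combined.add(DEFAULT_SCOPE_TAG + DEVICE_SCOPE_SEPARATOR + device.getType()
                                + DEVICE_SCOPE_SEPARATOR + device.getId() + DEVICE_SCOPE_SEPARATOR + scope);
                    }
                    tokReqMsgCtx.setScope(combined.toArray(new String[combined.size()]));
                }
            }
        } catch (DeviceAccessAuthorizationException e) {
            log.error("Error occurred while checking authorization for the user " + userName, e);
        } finally {
            PrivilegedCarbonContext.endTenantFlow();
        }
        return scopesSet;
    }

    /**
     * Reads the device assertion request parameter, if the request carries one.
     *
     * <p>The first value of every parameter keyed {@code OAuthConstants.DEFAULT_DEVICE_ASSERTION}
     * is Base64-decoded as UTF-8 and parsed as JSON; the last such parameter wins. A malformed
     * payload surfaces as the unchecked exception Gson throws (unchanged from before).
     *
     * @param tokReqMsgCtx token request context
     * @return the parsed assertion, or {@code null} when absent or without a value
     */
    private static DeviceRequestDTO extractDeviceRequest(OAuthTokenReqMessageContext tokReqMsgCtx) {
        RequestParameter[] parameters = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getRequestParameters();
        if (parameters == null) {
            return null;
        }
        DeviceRequestDTO deviceRequest = null;
        for (RequestParameter parameter : parameters) {
            if (!OAuthConstants.DEFAULT_DEVICE_ASSERTION.equals(parameter.getKey())) {
                continue;
            }
            String[] values = parameter.getValue();
            if (values == null || values.length == 0 || values[START_INDEX] == null) {
                continue;
            }
            String json = new String(Base64.decodeBase64(values[START_INDEX]), StandardCharsets.UTF_8);
            deviceRequest = new Gson().fromJson(json, DeviceRequestDTO.class);
        }
        return deviceRequest;
    }

    /**
     * Looks up the permissions configured for a device-management scope.
     *
     * @param scope scope name
     * @return the configured permissions, or {@code null} when the scope is not configured
     */
    private static String[] getPermissions(String scope) {
        return DeviceMgtScopesConfig.getInstance().getDeviceMgtScopePermissionMap().get(scope);
    }

    /**
     * Parses an XML file into a namespace-aware DOM document.
     *
     * <p>The parser is hardened: secure processing is on, external general and parameter entities
     * are disabled, XInclude is off and entity references are not expanded, so a crafted file
     * cannot pull in external resources or blow up through entity expansion.
     *
     * @param file XML file to parse
     * @return the parsed document
     * @throws DeviceMgtScopesConfigurationFailedException if the parser cannot be configured or
     *         the file cannot be read or parsed; the original exception is kept as the cause
     */
    public static Document convertToDocument(File file) throws DeviceMgtScopesConfigurationFailedException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        try {
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            factory.setXIncludeAware(false);
            factory.setExpandEntityReferences(false);
            return factory.newDocumentBuilder().parse(file);
        } catch (Exception e) {
            throw new DeviceMgtScopesConfigurationFailedException(
                    "Error occurred while parsing file, while converting to a org.w3c.dom.Document", e);
        }
    }
}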
