package org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant;

import java.rmi.RemoteException;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.apimgt.keymgt.ScopesIssuer;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuth2TokenValidator;
import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuthValidationResponse;
import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuthValidatorFactory;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/device/mgt/oauth/extensions/handlers/grant/AccessTokenGrantHandler.class */
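/**
 * OAuth2 grant handler that authenticates a token request with an access token the caller already
 * holds, passed in the {@code admin_access_token} request parameter.
 *
 * <p>The presented token is checked with the configured {@link OAuth2TokenValidator}; when it is
 * valid, the request is authorised as the user the validator reports for that token.
 *
 * <p>The handler fails closed: a request without the parameter, with a token the validator does
 * not accept, or handled while no validator is available is rejected before any user or
 * service-provider data is looked up.
 */
public class AccessTokenGrantHandler extends AbstractAuthorizationGrantHandler {
    private static final Log log = LogFactory.getLog(AccessTokenGrantHandler.class);
    private static final String TENANT_DOMAIN_KEY = "tenantDomain";
    // Stays null when the factory rejects the configuration; validateGrant checks for that.
    private OAuth2TokenValidator tokenValidator;
    /** Name of the request parameter that carries the access token to validate. */
    public static final String TOKEN_GRANT_PARAM = "admin_access_token";

    /**
     * Obtains the token validator from {@link OAuthValidatorFactory}. A failure is logged and
     * leaves the handler without a validator, in which case every grant is rejected.
     */
    public AccessTokenGrantHandler() {
        try {
            this.tokenValidator = OAuthValidatorFactory.getValidator();
        } catch (IllegalArgumentException e) {
            log.error("Failed to initialise Authenticator", e);
        }
    }

    /**
     * Delegates scope validation to {@link ScopesIssuer}.
     *
     * @param oAuthTokenReqMessageContext context of the token request
     * @return the result reported by {@code ScopesIssuer.setScopes}
     */
    public boolean validateScope(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        return ScopesIssuer.getInstance().setScopes(oAuthTokenReqMessageContext);
    }

    /**
     * Validates the grant by checking the access token in the {@code admin_access_token} request
     * parameter and, on success, sets the authorised user and the requested scope on the context.
     *
     * @param oAuthTokenReqMessageContext context of the token request
     * @return {@code true} when the token is valid and the tenant check passes; {@code false} when
     *     the parent handler rejects the grant, the validator cannot be reached, or a non-SaaS
     *     service provider is used across tenant domains
     * @throws IdentityOAuth2Exception when the parameter is missing, the token is not valid, no
     *     validator is available, or the service provider cannot be retrieved
     */
    public boolean validateGrant(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        if (!super.validateGrant(oAuthTokenReqMessageContext)) {
            return false;
        }
        OAuth2AccessTokenReqDTO tokenRequest = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO();
        String clientId = tokenRequest.getClientId();

        // As before, the last occurrence of the parameter wins when it is sent more than once.
        String presentedToken = null;
        RequestParameter[] requestParameters = tokenRequest.getRequestParameters();
        if (requestParameters != null) {
            for (RequestParameter parameter : requestParameters) {
                String[] values = parameter.getValue();
                if (TOKEN_GRANT_PARAM.equals(parameter.getKey()) && values != null && values.length > 0) {
                    presentedToken = values[0];
                }
            }
        }

        // Reject unauthenticated requests up front. Previously execution continued with a null
        // user name and null tenant domains, so the service-provider lookup and the tenant
        // comparison ran on null values (NullPointerException) before the authentication check.
        if (presentedToken == null || presentedToken.isEmpty()) {
            throw new IdentityOAuth2Exception("Authentication failed: no " + TOKEN_GRANT_PARAM + " parameter was supplied");
        }
        if (this.tokenValidator == null) {
            // The constructor only logs a validator initialisation failure; never treat that as success.
            throw new IdentityOAuth2Exception("Authentication failed: the token validator is not initialised");
        }

        OAuthValidationResponse validation;
        try {
            validation = this.tokenValidator.validateToken(presentedToken);
        } catch (RemoteException e) {
            log.error("Failed to validate the OAuth token provided.", e);
            return false;
        }
        if (validation == null || !validation.isValid() || StringUtils.isBlank(validation.getUserName())) {
            // The token value itself is deliberately kept out of the message.
            throw new IdentityOAuth2Exception("Authentication failed: the supplied " + TOKEN_GRANT_PARAM + " is not valid");
        }

        String userName = validation.getUserName();
        String userTenantDomain = MultitenantUtils.getTenantDomain(userName);
        String tokenTenantDomain = validation.getTenantDomain();
        try {
            // NOTE(review): the service provider is looked up in, and compared against, the tenant
            // domain reported for the presented token, so both sides of this check derive from the
            // token. Confirm that this is the intended stand-in for the application's own tenant.
            boolean saasApp = OAuth2ServiceComponentHolder.getApplicationMgtService()
                    .getServiceProviderByClientId(clientId, "oauth2", tokenTenantDomain).isSaasApp();
            if (!saasApp && !userTenantDomain.equals(tokenTenantDomain)) {
                if (log.isDebugEnabled()) {
                    log.debug("Non-SaaS service provider tenant domain is not same as user tenant domain; " + tokenTenantDomain + " != " + userTenantDomain);
                }
                return false;
            }
            String qualifiedUserName = MultitenantUtils.getTenantAwareUsername(userName) + "@" + userTenantDomain;
            // Prefix the user-store domain from the thread local when the name does not carry one.
            if (!qualifiedUserName.contains("/") && StringUtils.isNotBlank(UserCoreUtil.getDomainFromThreadLocal())) {
                qualifiedUserName = UserCoreUtil.getDomainFromThreadLocal() + "/" + qualifiedUserName;
            }
            AuthenticatedUser authorizedUser = OAuth2Util.getUserFromUserName(qualifiedUserName);
            authorizedUser.setAuthenticatedSubjectIdentifier(authorizedUser.toString());
            oAuthTokenReqMessageContext.setAuthorizedUser(authorizedUser);
            // The requested scope is copied as sent; validateScope decides what is actually granted.
            oAuthTokenReqMessageContext.setScope(tokenRequest.getScope());
            return true;
        } catch (IdentityApplicationManagementException e) {
            throw new IdentityOAuth2Exception("Error occurred while retrieving OAuth2 application data for client id " + clientId, e);
        }
    }
}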
