package org.wso2.carbon.device.mgt.oauth.extensions.validators;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.device.mgt.oauth.extensions.internal.OAuthExtensionsDataHolder;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dao.OAuthScopeDAO;
import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator;
import org.wso2.carbon.user.api.AuthorizationManager;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/device/mgt/oauth/extensions/validators/PermissionBasedScopeValidator.class */
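/**
 * Scope validator that resolves an OAuth2 scope to the permission bindings stored for it and
 * accepts the token only if the token's authorized user holds at least one of those permissions
 * (for the {@value #UI_EXECUTE} action) in the user's tenant.
 */
public class PermissionBasedScopeValidator extends OAuth2ScopeValidator {
    private static final Log log = LogFactory.getLog(PermissionBasedScopeValidator.class);
    private static final String UI_EXECUTE = "ui.execute";
    // Tenant id of the super tenant; no tenant flow is started for it.
    // Same value as MultitenantConstants.SUPER_TENANT_ID.
    private static final int SUPER_TENANT_ID = -1234;

    /**
     * Validates that {@code accessTokenDO} bears {@code scope} and that its authorized user is
     * permitted to use it.
     *
     * <p>Decision order:
     * <ol>
     *   <li>A token with no scopes at all is accepted.</li>
     *   <li>A token that does not bear {@code scope} is rejected.</li>
     *   <li>A scope with no permission bindings in the user's tenant is accepted, i.e. an unbound
     *       scope is treated as unrestricted.</li>
     *   <li>Otherwise the user must be authorized for at least one bound permission with the
     *       {@value #UI_EXECUTE} action; failing that, or on a user-store error, the scope is
     *       rejected.</li>
     * </ol>
     *
     * @param accessTokenDO the token under validation; its scopes and authorized user are read
     * @param scope         the scope the protected resource requires
     * @return {@code true} if the scope is granted, {@code false} otherwise
     * @throws IdentityOAuth2Exception declared by the base contract; not raised by this body
     */
    @Override
    public boolean validateScope(AccessTokenDO accessTokenDO, String scope) throws IdentityOAuth2Exception {
        String[] tokenScopes = accessTokenDO.getScope();
        if (tokenScopes == null || tokenScopes.length == 0) {
            return true;
        }
        if (!Arrays.asList(tokenScopes).contains(scope)) {
            if (log.isDebugEnabled()) {
                // The token value itself is a credential and is deliberately kept out of the log.
                log.debug("Access token does not bear the scope '" + scope + "'");
            }
            return false;
        }
        OAuthScopeDAO scopeDAO = OAuthTokenPersistenceFactory.getInstance().getOAuthScopeDAO();
        try {
            AuthenticatedUser authzUser = accessTokenDO.getAuthzUser();
            RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService();
            int tenantId = realmService.getTenantManager().getTenantId(authzUser.getTenantDomain());
            if (tenantId == 0 || tenantId == -1) {
                // The user's tenant domain did not resolve; fall back to the domain carried in the username.
                tenantId = IdentityTenantUtil.getTenantIdOfUser(authzUser.getUserName());
            }
            Set<String> permissions = scopeDAO.getBindingsOfScopeByScopeName(scope, tenantId);
            if (permissions == null || permissions.isEmpty()) {
                // NOTE: a scope with no bindings is accepted - unbound scopes are unrestricted.
                if (log.isDebugEnabled()) {
                    log.debug("Did not find any roles associated to the scope " + scope);
                }
                return true;
            }
            if (log.isDebugEnabled()) {
                log.debug("Found permissions of scope '" + scope + "' " + String.join(", ", permissions));
            }

            // Look up the authorization manager inside the user's tenant flow; the flag is set right
            // after startTenantFlow() so the finally block unwinds the flow on every exit path,
            // including a failure in setTenantDomain() or getTenantUserRealm().
            AuthorizationManager authorizationManager;
            boolean tenantFlowStarted = false;
            try {
                if (tenantId != SUPER_TENANT_ID) {
                    PrivilegedCarbonContext.startTenantFlow();
                    tenantFlowStarted = true;
                    PrivilegedCarbonContext.getThreadLocalCarbonContext()
                            .setTenantDomain(realmService.getTenantManager().getDomain(tenantId), true);
                }
                authorizationManager = realmService.getTenantUserRealm(tenantId).getAuthorizationManager();
            } finally {
                if (tenantFlowStarted) {
                    PrivilegedCarbonContext.endTenantFlow();
                }
            }

            boolean authorized = false;
            if (authorizationManager != null) {
                String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(authzUser.getUserName());
                String userStoreDomain = authzUser.getUserStoreDomain();
                // The authorization manager expects the user store domain as a prefix when one is known.
                String qualifiedUsername = userStoreDomain != null
                        ? userStoreDomain + "/" + tenantAwareUsername
                        : tenantAwareUsername;
                // One matching permission is sufficient.
                for (String permission : permissions) {
                    if (authorizationManager.isUserAuthorized(qualifiedUsername, permission, UI_EXECUTE)) {
                        authorized = true;
                        break;
                    }
                }
            }
            if (log.isDebugEnabled()) {
                if (authorized) {
                    log.debug("User '" + authzUser.getUserName() + "' is authorized");
                } else {
                    log.debug("No permissions associated for the user " + authzUser.getUserName());
                }
            }
            return authorized;
        } catch (UserStoreException e) {
            // Fail closed: an authorization lookup that cannot complete does not grant the scope.
            log.error("Error when getting the tenant's UserStoreManager or when getting roles of user ", e);
            return false;
        }
    }
}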
