package org.wso2.carbon.device.mgt.oauth.extensions.validators;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.device.mgt.oauth.extensions.internal.OAuthExtensionsDataHolder;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dao.OAuthScopeDAOImpl;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/device/mgt/oauth/extensions/validators/RoleBasedScopeValidator.class */
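/**
 * Scope validator that grants a resource scope only when the token bears that scope AND the
 * token's authorized user holds at least one of the roles bound to the scope in the
 * {@code OAuthScopeDAOImpl} binding table of the user's tenant.
 *
 * Decision order for {@link #validateScope}:
 * <ol>
 *   <li>token carries no scopes at all -> accept (see NOTE in the method);</li>
 *   <li>token does not carry the requested scope -> reject;</li>
 *   <li>requested scope has no role bindings in the tenant -> accept (see NOTE);</li>
 *   <li>user has no roles, or none of them is bound to the scope -> reject;</li>
 *   <li>any user-store failure while resolving tenant/roles -> reject (fail closed, logged).</li>
 * </ol>
 */
public class RoleBasedScopeValidator extends OAuth2ScopeValidator {

    /**
     * Carbon's super-tenant id (the value of MultitenantConstants.SUPER_TENANT_ID). Role lookups
     * for the super tenant run on the current thread context; every other tenant needs a tenant flow.
     */
    private static final int SUPER_TENANT_ID = -1234;

    Log log = LogFactory.getLog(RoleBasedScopeValidator.class);

    /**
     * Checks whether {@code accessTokenDO} may access a resource protected by scope {@code str}.
     *
     * @param accessTokenDO the validated access token, with its scopes and authorized user
     * @param str           the scope required by the resource being accessed
     * @return {@code true} when access is granted according to the rules documented on the class
     * @throws IdentityOAuth2Exception if the scope-binding lookup fails
     */
    @Override
    public boolean validateScope(AccessTokenDO accessTokenDO, String str) throws IdentityOAuth2Exception {
        String[] tokenScopes = accessTokenDO.getScope();
        // NOTE(review): a token that carries no scopes is accepted for every resource scope. This
        // mirrors the upstream WSO2 scope validator, but it is a fail-open rule: tighten it here
        // if every protected resource in this deployment is expected to require a scope.
        if (tokenScopes == null || tokenScopes.length == 0) {
            return true;
        }
        if (!Arrays.asList(tokenScopes).contains(str)) {
            // Token values are secrets: echo them only when debug is on AND the server has
            // explicitly allowed access tokens in logs.
            if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable("AccessToken")) {
                log.debug("Access token '" + accessTokenDO.getAccessToken() + "' does not bear the scope '" + str + "'");
            }
            return false;
        }
        try {
            AuthenticatedUser authzUser = accessTokenDO.getAuthzUser();
            RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService();
            int tenantId = resolveTenantId(realmService, authzUser);

            Set<String> boundRoles = new OAuthScopeDAOImpl().getBindingsOfScopeByScopeName(str, tenantId);
            if (boundRoles == null || boundRoles.isEmpty()) {
                // NOTE(review): a scope with no role bindings is granted to any user whose token
                // carries it (upstream behaviour). Leaving a scope unbound does not lock it down.
                if (log.isDebugEnabled()) {
                    log.debug("Did not find any roles associated to the scope " + str);
                }
                return true;
            }
            if (log.isDebugEnabled()) {
                StringBuilder sb = new StringBuilder("Found roles of scope '" + str + "' ");
                for (String boundRole : boundRoles) {
                    sb.append(boundRole);
                    sb.append(", ");
                }
                log.debug(sb.toString());
            }

            String[] userRoles = rolesOfUser(realmService, tenantId, authzUser.getUserName());
            if (userRoles == null || userRoles.length == 0) {
                if (log.isDebugEnabled()) {
                    log.debug("No roles associated for the user " + authzUser.getUserName());
                }
                return false;
            }
            if (log.isDebugEnabled()) {
                StringBuilder sb2 = new StringBuilder("Found roles of user ");
                sb2.append(authzUser.getUserName());
                sb2.append(" ");
                for (String userRole : userRoles) {
                    sb2.append(userRole);
                    sb2.append(", ");
                }
                log.debug(sb2.toString());
            }

            // Grant when at least one bound role is held. Matching is plain String.equals, so
            // the binding table must use the same casing/domain prefix as the user store returns
            // (if the user store treats role names case-insensitively, confirm this still matches).
            List<String> heldRoles = Arrays.asList(userRoles);
            for (String boundRole : boundRoles) {
                if (heldRoles.contains(boundRole)) {
                    return true;
                }
            }
            return false;
        } catch (UserStoreException e) {
            // Fail closed: an unreadable user store must not turn into a granted scope.
            log.error("Error when getting the tenant's UserStoreManager or when getting roles of user ", e);
            return false;
        }
    }

    /**
     * Resolves the tenant id in which the scope bindings and the user's roles live. The tenant
     * manager reports 0 / -1 when the user's tenant domain cannot be resolved; in that case the
     * tenant is derived from the user name instead.
     */
    private static int resolveTenantId(RealmService realmService, AuthenticatedUser authzUser) throws UserStoreException {
        int tenantId = realmService.getTenantManager().getTenantId(authzUser.getTenantDomain());
        if (tenantId == 0 || tenantId == -1) {
            tenantId = IdentityTenantUtil.getTenantIdOfUser(authzUser.getUserName());
        }
        return tenantId;
    }

    /**
     * Reads the user's role list from the user store of {@code tenantId}. For non-super tenants the
     * lookup runs inside a Carbon tenant flow; the flow is ended in {@code finally} so that a
     * failing setTenantDomain() or getRoleListOfUser() cannot leave the thread-local tenant
     * context set for the next request on this thread (the previous version only ended the flow
     * on the success path and when setTenantDomain() itself succeeded).
     *
     * @return the roles of the tenant-aware user name, as returned by the user store (may be null)
     * @throws UserStoreException if the tenant realm or its user store cannot be read
     */
    private static String[] rolesOfUser(RealmService realmService, int tenantId, String userName) throws UserStoreException {
        boolean tenantFlowStarted = false;
        try {
            if (tenantId != SUPER_TENANT_ID) {
                PrivilegedCarbonContext.startTenantFlow();
                // Mark started before setTenantDomain(): if that call throws, the flow is still unwound.
                tenantFlowStarted = true;
                PrivilegedCarbonContext.getThreadLocalCarbonContext()
                        .setTenantDomain(realmService.getTenantManager().getDomain(tenantId), true);
            }
            return realmService.getTenantUserRealm(tenantId).getUserStoreManager()
                    .getRoleListOfUser(MultitenantUtils.getTenantAwareUsername(userName));
        } finally {
            if (tenantFlowStarted) {
                PrivilegedCarbonContext.endTenantFlow();
            }
        }
    }
}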
