package org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.consent.mgt.core.ConsentManager;
import org.wso2.carbon.consent.mgt.core.constant.ConsentConstants;
import org.wso2.carbon.consent.mgt.core.exception.ConsentManagementClientException;
import org.wso2.carbon.consent.mgt.core.exception.ConsentManagementException;
import org.wso2.carbon.consent.mgt.core.model.AddReceiptResponse;
import org.wso2.carbon.consent.mgt.core.model.ConsentPurpose;
import org.wso2.carbon.consent.mgt.core.model.PIICategory;
import org.wso2.carbon.consent.mgt.core.model.PIICategoryValidity;
import org.wso2.carbon.consent.mgt.core.model.Purpose;
import org.wso2.carbon.consent.mgt.core.model.PurposeCategory;
import org.wso2.carbon.consent.mgt.core.model.Receipt;
import org.wso2.carbon.consent.mgt.core.model.ReceiptInput;
import org.wso2.carbon.consent.mgt.core.model.ReceiptListResponse;
import org.wso2.carbon.consent.mgt.core.model.ReceiptPurposeInput;
import org.wso2.carbon.consent.mgt.core.model.ReceiptService;
import org.wso2.carbon.consent.mgt.core.model.ReceiptServiceInput;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.constant.SSOConsentConstants;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentDisabledException;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentServiceException;
import org.wso2.carbon.identity.application.authentication.framework.internal.FrameworkServiceDataHolder;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.claim.metadata.mgt.ClaimMetadataManagementService;
import org.wso2.carbon.identity.claim.metadata.mgt.exception.ClaimMetadataException;
import org.wso2.carbon.identity.claim.metadata.mgt.model.LocalClaim;
import org.wso2.carbon.identity.core.util.IdentityConfigParser;
import org.wso2.carbon.user.core.util.UserCoreUtil;

/* loaded from: input_file:org/wso2/carbon/identity/application/authentication/framework/handler/request/impl/consent/SSOConsentServiceImpl.class */
public class SSOConsentServiceImpl implements SSOConsentService {
    // Commons Logging logger for this class; the private isDebugEnabled()/logDebug() helpers wrap it.
    private static final Log log = LogFactory.getLog(SSOConsentServiceImpl.class);
    // NOTE(review): DEFAULT_PURPOSE, DEFAULT_PURPOSE_CATEGORY and DEFAULT_PURPOSE_GROUP are never referenced
    // by name in this listing; the methods below pass the literal "DEFAULT" instead (presumably the
    // constants were inlined at compile time - confirm against the original source).
    private static final String DEFAULT_PURPOSE = "DEFAULT";
    private static final String DEFAULT_PURPOSE_CATEGORY = "DEFAULT";
    private static final String DEFAULT_PURPOSE_GROUP = "DEFAULT";
    // Group type used when looking up and creating the default purpose.
    private static final String DEFAULT_PURPOSE_GROUP_TYPE = "SP";
    // Instance-wide switch for SSO consent management. Starts as true, is overwritten once by
    // readSSOConsentEnabledConfig() in the constructor, and is what isSSOConsentManagementEnabled() returns.
    private boolean ssoConsentEnabled = true;

    /**
     * Creates the service and loads the SSO consent on/off switch from the identity configuration.
     */
    public SSOConsentServiceImpl() {
        // Private method, so no overridable call escapes from the constructor.
        this.readSSOConsentEnabledConfig();
    }

    /**
     * Delegates to {@code getConsentRequiredClaims} with the boolean flag set to {@code true}.
     *
     * @param serviceProvider   service provider the user is signing in to
     * @param authenticatedUser user whose consent is being evaluated
     * @return whatever {@code getConsentRequiredClaims} returns for the flag value {@code true}
     * @throws SSOConsentServiceException propagated from {@code getConsentRequiredClaims}
     */
    @Override
    public ConsentClaimsData getConsentRequiredClaimsWithExistingConsents(ServiceProvider serviceProvider, AuthenticatedUser authenticatedUser) throws SSOConsentServiceException {
        final boolean flag = true;
        return getConsentRequiredClaims(serviceProvider, authenticatedUser, flag);
    }

    /**
     * Delegates to {@code getConsentRequiredClaims} with the boolean flag set to {@code false}.
     *
     * @param serviceProvider   service provider the user is signing in to
     * @param authenticatedUser user whose consent is being evaluated
     * @return whatever {@code getConsentRequiredClaims} returns for the flag value {@code false}
     * @throws SSOConsentServiceException propagated from {@code getConsentRequiredClaims}
     */
    @Override
    public ConsentClaimsData getConsentRequiredClaimsWithoutExistingConsents(ServiceProvider serviceProvider, AuthenticatedUser authenticatedUser) throws SSOConsentServiceException {
        final boolean flag = false;
        return getConsentRequiredClaims(serviceProvider, authenticatedUser, flag);
    }

    /* JADX WARN: Removed duplicated region for block: B:46:0x0126  */
    /* JADX WARN: Removed duplicated region for block: B:48:0x0139  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Decompiler stub. The bytecode of this method was not converted back to Java (the instruction dump
     * was skipped), so this listing carries none of the logic that decides which claims need consent.
     * As written, every call throws {@link UnsupportedOperationException}.
     *
     * <p>Both public {@code getConsentRequiredClaimsWithExistingConsents} and
     * {@code getConsentRequiredClaimsWithoutExistingConsents} delegate here, so in this listing they
     * always fail as well. NOTE(review): this file cannot stand in for the original class; review the
     * consent-required-claims logic against the original source or the bytecode.
     *
     * @param r8  service provider passed through by the public entry points
     * @param r9  authenticated user passed through by the public entry points
     * @param r10 {@code true} from the "WithExistingConsents" entry point, {@code false} from the
     *            "WithoutExistingConsents" one; its effect is not visible in this listing
     * @return never returns normally in this listing
     * @throws UnsupportedOperationException always
     */
    protected org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ConsentClaimsData getConsentRequiredClaims(org.wso2.carbon.identity.application.common.model.ServiceProvider r8, org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser r9, boolean r10) throws org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentServiceException {
        /*
            Method dump skipped, instructions count: 440
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.SSOConsentServiceImpl.getConsentRequiredClaims(org.wso2.carbon.identity.application.common.model.ServiceProvider, org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser, boolean):org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ConsentClaimsData");
    }

    /**
     * Tells whether the service provider's claim configuration is not flagged as using the local
     * claim dialect.
     *
     * <p>NOTE(review): unlike {@code getSpClaimMappings}, this method does not guard against a null
     * claim configuration and would throw a NullPointerException for one.
     *
     * @param serviceProvider service provider to inspect
     * @return {@code true} when {@code isLocalClaimDialect()} is {@code false}
     */
    private boolean isCustomClaimMapping(ServiceProvider serviceProvider) {
        final boolean usesLocalDialect = serviceProvider.getClaimConfig().isLocalClaimDialect();
        return !usesLocalDialect;
    }

    /**
     * Returns {@code true} when the claim-mapping array is null or empty while the map has entries.
     *
     * @param claimMappingArr claim mappings to test for emptiness
     * @param map             claim-mapping-to-value map to test for content
     * @return {@code true} only if the array is empty and the map is not
     */
    private boolean isPassThroughScenario(ClaimMapping[] claimMappingArr, Map<ClaimMapping, String> map) {
        if (!ArrayUtils.isEmpty(claimMappingArr)) {
            return false;
        }
        return MapUtils.isNotEmpty(map);
    }

    /**
     * Resolves the subject claim URI configured for the service provider.
     *
     * @param serviceProvider service provider whose local-and-outbound authentication config is read
     * @return the configured subject claim URI, or {@code SSOConsentConstants.USERNAME_CLAIM} when the
     *         configured value is blank
     */
    private String getSubjectClaimUri(ServiceProvider serviceProvider) {
        final String configured = serviceProvider.getLocalAndOutBoundAuthenticationConfig().getSubjectClaimUri();
        return StringUtils.isBlank(configured) ? SSOConsentConstants.USERNAME_CLAIM : configured;
    }

    /**
     * Loads the SSO consent switch from the identity configuration into {@code ssoConsentEnabled}.
     *
     * <p>Consent stays enabled when the consent element, its enable child element, or the child's text
     * is missing or blank. A non-blank text goes through {@link Boolean#parseBoolean(String)}, so any
     * value other than "true" (case-insensitive), including a typo, switches consent management off.
     */
    private void readSSOConsentEnabledConfig() {
        OMElement consentConfig = IdentityConfigParser.getInstance().getConfigElement(SSOConsentConstants.CONFIG_ELEM_CONSENT);
        OMElement enableElement = null;
        if (consentConfig != null) {
            enableElement = consentConfig.getFirstChildWithName(new QName("http://wso2.org/projects/carbon/carbon.xml", SSOConsentConstants.CONFIG_ELEM_ENABLE_SSO_CONSENT_MANAGEMENT));
        }
        final String configuredValue = enableElement == null ? null : enableElement.getText();
        if (StringUtils.isBlank(configuredValue)) {
            // Nothing usable configured: keep consent management on.
            this.ssoConsentEnabled = true;
            return;
        }
        this.ssoConsentEnabled = Boolean.parseBoolean(configuredValue);
        if (isDebugEnabled()) {
            logDebug("Consent management for SSO is set to " + this.ssoConsentEnabled + " from configurations.");
        }
    }

    /**
     * Returns the claim mappings configured on the service provider.
     *
     * @param serviceProvider service provider to read from
     * @return the mappings from its claim configuration, or an empty array when it has no claim
     *         configuration
     */
    private ClaimMapping[] getSpClaimMappings(ServiceProvider serviceProvider) {
        if (serviceProvider.getClaimConfig() == null) {
            return new ClaimMapping[0];
        }
        return serviceProvider.getClaimConfig().getClaimMappings();
    }

    /**
     * Returns the tenant domain of the service provider's owner.
     *
     * @param serviceProvider service provider whose owner is inspected
     * @return the owner's tenant domain, or {@code "carbon.super"} when the service provider has no owner
     */
    private String getSPTenantDomain(ServiceProvider serviceProvider) {
        final User spOwner = serviceProvider.getOwner();
        if (spOwner == null) {
            // No owner recorded: fall back to the hard-coded "carbon.super" domain.
            return "carbon.super";
        }
        return spOwner.getTenantDomain();
    }

    /**
     * Records the claims a user approved for a service provider as a consent receipt.
     *
     * <p>Ids in {@code list} are matched against the claims in {@code consentClaimsData}; ids that match
     * no claim there are ignored by {@code buildApprovedClaimList}. The approved set is merged with the
     * claims of the user's existing receipt, and a receipt is added only when the merged set is non-empty.
     *
     * @param list              ids of the claims the user approved
     * @param serviceProvider   service provider the consent applies to
     * @param authenticatedUser user giving consent
     * @param consentClaimsData mandatory and requested claims the ids refer to
     * @throws SSOConsentDisabledException when SSO consent management is switched off
     * @throws SSOConsentServiceException  when a mandatory claim was not approved, or a receipt could not
     *                                     be read or written
     */
    @Override
    public void processConsent(List<Integer> list, ServiceProvider serviceProvider, AuthenticatedUser authenticatedUser, ConsentClaimsData consentClaimsData) throws SSOConsentServiceException {
        final boolean consentEnabled = isSSOConsentManagementEnabled(serviceProvider);
        if (!consentEnabled) {
            throw new SSOConsentDisabledException("Consent management for SSO is disabled.", "Consent management for SSO is disabled.");
        }
        if (isDebugEnabled()) {
            logDebug("User: " + authenticatedUser.getAuthenticatedSubjectIdentifier() + " has approved consent.");
        }
        // Throws when a mandatory claim is missing from the approved ids.
        UserConsent userConsent = processUserConsent(list, consentClaimsData);
        String subject = buildSubjectWithUserStoreDomain(authenticatedUser);
        List<ClaimMetaData> approvedClaims = getAllUserApprovedClaims(serviceProvider, authenticatedUser, userConsent);
        String spTenantDomain = getSPTenantDomain(serviceProvider);
        String userTenantDomain = authenticatedUser.getTenantDomain();
        if (CollectionUtils.isEmpty(approvedClaims)) {
            return;
        }
        addReceipt(subject, userTenantDomain, serviceProvider, spTenantDomain, approvedClaims);
    }

    /**
     * Lists the claims for which the user holds a still-valid consent towards the service provider.
     *
     * @param serviceProvider   service provider to look up; must not be null
     * @param authenticatedUser user whose receipt is read
     * @return claims taken from the user's single active receipt, or an empty list when there is none
     * @throws SSOConsentDisabledException when SSO consent management is switched off
     * @throws SSOConsentServiceException  when {@code serviceProvider} is null, the user has more than one
     *                                     active receipt, or the receipt cannot be read
     */
    @Override
    public List<ClaimMetaData> getClaimsWithConsents(ServiceProvider serviceProvider, AuthenticatedUser authenticatedUser) throws SSOConsentServiceException {
        if (!isSSOConsentManagementEnabled(serviceProvider)) {
            throw new SSOConsentDisabledException("Consent management for SSO is disabled.", "Consent management for SSO is disabled.");
        }
        if (serviceProvider == null) {
            throw new SSOConsentServiceException("Service provider cannot be null.");
        }
        final String spName = serviceProvider.getApplicationName();
        List<ClaimMetaData> noConsents = new ArrayList<>();
        String spTenantDomain = getSPTenantDomain(serviceProvider);
        String subject = buildSubjectWithUserStoreDomain(authenticatedUser);
        Receipt receipt = getConsentReceiptOfUser(serviceProvider, authenticatedUser, spName, spTenantDomain, subject);
        if (receipt == null) {
            return noConsents;
        }
        return getConsentClaimsFromReceipt(receipt);
    }

    /**
     * Reports whether SSO consent management is switched on.
     *
     * @param serviceProvider not consulted; the switch is the same for every service provider
     * @return the value loaded by {@code readSSOConsentEnabledConfig()}
     */
    @Override
    public boolean isSSOConsentManagementEnabled(ServiceProvider serviceProvider) {
        final boolean enabled = this.ssoConsentEnabled;
        return enabled;
    }

    /**
     * Fetches the user's active consent receipt for a service provider.
     *
     * <p>The search asks for at most two receipts, which is enough to tell "none", "one" and "more than
     * one" apart; more than one active receipt is treated as an error.
     *
     * @param serviceProvider   service provider, used only in the debug message
     * @param authenticatedUser user whose tenant domain scopes the lookup
     * @param str               service provider (application) name
     * @param str2              service provider tenant domain
     * @param str3              subject, i.e. the user name qualified with its user store domain
     * @return the receipt, or {@code null} when the user has no active receipt
     * @throws SSOConsentServiceException when several active receipts exist or the lookup fails
     */
    private Receipt getConsentReceiptOfUser(ServiceProvider serviceProvider, AuthenticatedUser authenticatedUser, String str, String str2, String str3) throws SSOConsentServiceException {
        try {
            final List<ReceiptListResponse> activeReceipts = getReceiptListOfUserForSP(authenticatedUser, str, str2, str3, 2);
            if (isDebugEnabled()) {
                logDebug(String.format("Retrieved %s receipts for user: %s, service provider: %s in tenant domain %s", activeReceipts.size(), str3, serviceProvider, str2));
            }
            if (hasUserMultipleReceipts(activeReceipts)) {
                throw new SSOConsentServiceException("Consent Management Error", "User cannot have more than one ACTIVE consent per service provider.");
            }
            if (!hasUserSingleReceipt(activeReceipts)) {
                return null;
            }
            String receiptId = getFirstConsentReceiptFromList(activeReceipts);
            return getReceipt(authenticatedUser, receiptId);
        } catch (ConsentManagementException e) {
            throw new SSOConsentServiceException("Consent Management Error", "Error while retrieving user consents.", e);
        }
    }

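    /**
     * Stores a consent receipt for the given subject while running in that user's tenant flow.
     *
     * <p>The tenant flow is closed in a {@code finally} block so that it is ended exactly once. The
     * previous shape ended the flow on the success path and again in a catch-all handler, so a failure
     * in the debug logging after a successful add would have ended the flow twice.
     *
     * @param str             subject, i.e. the user name qualified with its user store domain
     * @param str2            tenant domain of the user, used for the tenant flow
     * @param serviceProvider service provider the consent applies to
     * @param str3            service provider tenant domain
     * @param list            claims the user has approved
     * @return the response of the consent manager for the added receipt
     * @throws SSOConsentServiceException when the receipt input cannot be built or the add fails
     */
    private AddReceiptResponse addReceipt(String str, String str2, ServiceProvider serviceProvider, String str3, List<ClaimMetaData> list) throws SSOConsentServiceException {
        ReceiptInput receiptInput = buildReceiptInput(str, serviceProvider, str3, list);
        AddReceiptResponse receiptResponse;
        try {
            startTenantFlowWithUser(str, str2);
            receiptResponse = getConsentManager().addConsent(receiptInput);
        } catch (ConsentManagementException e) {
            throw new SSOConsentServiceException("Consent receipt error", "Error while adding the consent receipt", e);
        } finally {
            // Always leave the privileged tenant context, whatever happened above.
            PrivilegedCarbonContext.endTenantFlow();
        }
        if (isDebugEnabled()) {
            logDebug("Successfully added consent receipt: " + receiptResponse.getConsentReceiptId());
        }
        return receiptResponse;
    }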

    /**
     * Assembles the receipt input for one service provider with a single purpose (the default one)
     * covering all approved claims, each valid indefinitely.
     *
     * <p>The default purpose, the default purpose category and a PII category per claim are looked up
     * and, where the lookup reports them as not existing, created on the way.
     *
     * @param str             subject stored as the PII principal id
     * @param serviceProvider service provider the consent applies to
     * @param str2            service provider tenant domain
     * @param list            claims the user has approved
     * @return the populated receipt input
     * @throws SSOConsentServiceException when a purpose, purpose category or PII category cannot be
     *                                    retrieved or created
     */
    private ReceiptInput buildReceiptInput(String str, ServiceProvider serviceProvider, String str2, List<ClaimMetaData> list) throws SSOConsentServiceException {
        final Purpose purpose = getDefaultPurpose();
        final PurposeCategory purposeCategory = getDefaultPurposeCategory();
        final List<PIICategoryValidity> piiCategories = getPiiCategoryValiditiesForClaims(list, "VALID_UNTIL:INDEFINITE");

        List<ReceiptServiceInput> serviceInputs = new ArrayList<>();
        List<ReceiptPurposeInput> purposeInputs = new ArrayList<>();
        List<Integer> purposeCategoryIds = new ArrayList<>();
        Map<String, String> properties = new HashMap<>();

        purposeCategoryIds.add(purposeCategory.getId());
        ReceiptPurposeInput purposeInput = getReceiptPurposeInput(FrameworkConstants.Consent.EXPLICIT_CONSENT_TYPE, "VALID_UNTIL:INDEFINITE", purpose, piiCategories, purposeCategoryIds);
        purposeInputs.add(purposeInput);
        ReceiptServiceInput serviceInput = getReceiptServiceInput(serviceProvider, str2, purposeInputs);
        serviceInputs.add(serviceInput);
        return getReceiptInput(str, "Web Form - Sign-in", "NONE", "us_EN", "NONE", serviceInputs, properties);
    }

    /**
     * Creates a {@code ReceiptInput} and copies the given values onto it.
     *
     * @param str  PII principal id (the subject)
     * @param str2 collection method
     * @param str3 jurisdiction
     * @param str4 language
     * @param str5 policy URL
     * @param list services covered by the receipt
     * @param map  additional receipt properties
     * @return the populated receipt input
     */
    private ReceiptInput getReceiptInput(String str, String str2, String str3, String str4, String str5, List<ReceiptServiceInput> list, Map<String, String> map) {
        final ReceiptInput input = new ReceiptInput();
        input.setPiiPrincipalId(str);
        input.setCollectionMethod(str2);
        input.setJurisdiction(str3);
        input.setLanguage(str4);
        input.setPolicyUrl(str5);
        input.setServices(list);
        input.setProperties(map);
        return input;
    }

    /**
     * Creates the service entry of a receipt.
     *
     * <p>Purposes and tenant domain are always set. Service name, display name and description are set
     * only when a service provider is given; a blank description falls back to the application name,
     * and the same text is used as both display name and description.
     *
     * @param serviceProvider service provider to describe, may be null
     * @param str             service provider tenant domain
     * @param list            purposes of the service
     * @return the populated service input
     */
    private ReceiptServiceInput getReceiptServiceInput(ServiceProvider serviceProvider, String str, List<ReceiptPurposeInput> list) {
        final ReceiptServiceInput serviceInput = new ReceiptServiceInput();
        serviceInput.setPurposes(list);
        serviceInput.setTenantDomain(str);
        if (serviceProvider != null) {
            String appName = serviceProvider.getApplicationName();
            String configuredDescription = serviceProvider.getDescription();
            String description = StringUtils.isBlank(configuredDescription) ? appName : configuredDescription;
            serviceInput.setService(appName);
            serviceInput.setSpDisplayName(description);
            serviceInput.setSpDescription(description);
        }
        return serviceInput;
    }

    /**
     * Creates the purpose entry of a receipt, marked as primary purpose without third-party disclosure.
     *
     * @param str     consent type
     * @param str2    termination value of the purpose
     * @param purpose purpose whose id is recorded
     * @param list    PII categories (claims) covered by the purpose
     * @param list2   ids of the purpose categories
     * @return the populated purpose input
     */
    private ReceiptPurposeInput getReceiptPurposeInput(String str, String str2, Purpose purpose, List<PIICategoryValidity> list, List<Integer> list2) {
        final ReceiptPurposeInput purposeInput = new ReceiptPurposeInput();
        // Fixed flags first, then the caller-supplied values.
        purposeInput.setPrimaryPurpose(true);
        purposeInput.setThirdPartyDisclosure(false);
        purposeInput.setConsentType(str);
        purposeInput.setTermination(str2);
        purposeInput.setPurposeId(purpose.getId());
        purposeInput.setPurposeCategoryId(list2);
        purposeInput.setPiiCategory(list);
        return purposeInput;
    }

    /**
     * Maps each claim to a PII category (named after the claim URI) paired with the given validity.
     *
     * <p>A category the consent manager reports as an invalid (unknown) name is created on the fly from
     * the claim's URI, description and display name.
     *
     * <p>NOTE(review): the error detail says "PII category: DEFAULT" although the failing lookup is for
     * the claim's own URI; the message is kept as it is.
     *
     * @param list claims to map
     * @param str  validity stored with every category
     * @return one {@code PIICategoryValidity} per claim, in input order
     * @throws SSOConsentServiceException when a category can be neither retrieved nor created
     */
    private List<PIICategoryValidity> getPiiCategoryValiditiesForClaims(List<ClaimMetaData> list, String str) throws SSOConsentServiceException {
        final List<PIICategoryValidity> validities = new ArrayList<>();
        for (ClaimMetaData claim : list) {
            PIICategory category;
            try {
                category = getConsentManager().getPIICategoryByName(claim.getClaimUri());
            } catch (ConsentManagementClientException clientError) {
                if (isInvalidPIICategoryError(clientError)) {
                    category = addPIICategoryForClaim(claim);
                } else {
                    throw new SSOConsentServiceException("Consent PII category error", "Error while retrieving PII category: DEFAULT", clientError);
                }
            } catch (ConsentManagementException serverError) {
                throw new SSOConsentServiceException("Consent PII category error", "Error while retrieving PII category: DEFAULT", serverError);
            }
            validities.add(new PIICategoryValidity(category.getId(), str));
        }
        return validities;
    }

    /**
     * Registers a PII category built from the claim's URI, description and display name.
     *
     * @param claimMetaData claim to register as a PII category
     * @return the category as returned by the consent manager
     * @throws SSOConsentServiceException when the consent manager rejects the addition
     */
    private PIICategory addPIICategoryForClaim(ClaimMetaData claimMetaData) throws SSOConsentServiceException {
        try {
            PIICategory newCategory = new PIICategory(claimMetaData.getClaimUri(), claimMetaData.getDescription(), false, claimMetaData.getDisplayName());
            return getConsentManager().addPIICategory(newCategory);
        } catch (ConsentManagementException e) {
            throw new SSOConsentServiceException("Consent PII category error", "Error while adding PII category:DEFAULT", e);
        }
    }

    /**
     * Checks whether the exception carries the "PII category name invalid" error code.
     *
     * @param consentManagementClientException exception raised by the consent manager
     * @return {@code true} when its error code equals {@code ERROR_CODE_PII_CAT_NAME_INVALID}
     */
    private boolean isInvalidPIICategoryError(ConsentManagementClientException consentManagementClientException) {
        final String invalidNameCode = ConsentConstants.ErrorMessages.ERROR_CODE_PII_CAT_NAME_INVALID.getCode();
        return invalidNameCode.equals(consentManagementClientException.getErrorCode());
    }

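    /**
     * Returns the purpose category named "DEFAULT", creating it when the consent manager reports the
     * name as invalid (unknown).
     *
     * <p>The client exception is caught before the general consent-management exception, matching
     * {@code getPiiCategoryValiditiesForClaims}. NOTE(review): if the client exception is a subclass of
     * the general one (its declaration is not visible here), the previous order made the create-on-miss
     * branch unreachable.
     *
     * <p>NOTE(review): lookup followed by add is not atomic in this method; how the consent manager
     * handles two concurrent first-time additions is not visible here.
     *
     * @return the existing or newly created default purpose category
     * @throws SSOConsentServiceException when the category can be neither retrieved nor created
     */
    private PurposeCategory getDefaultPurposeCategory() throws SSOConsentServiceException {
        try {
            return getConsentManager().getPurposeCategoryByName("DEFAULT");
        } catch (ConsentManagementClientException e) {
            if (isInvalidPurposeCategoryError(e)) {
                return addDefaultPurposeCategory();
            }
            throw new SSOConsentServiceException("Consent purpose category error", "Error while retrieving purpose category: DEFAULT", e);
        } catch (ConsentManagementException e) {
            throw new SSOConsentServiceException("Consent purpose category error", "Error while retrieving purpose category: DEFAULT", e);
        }
    }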

    /**
     * Creates the purpose category named "DEFAULT".
     *
     * @return the category as returned by the consent manager
     * @throws SSOConsentServiceException when the consent manager rejects the addition
     */
    private PurposeCategory addDefaultPurposeCategory() throws SSOConsentServiceException {
        try {
            PurposeCategory defaultCategory = new PurposeCategory("DEFAULT", "For core functionalities of the product");
            return getConsentManager().addPurposeCategory(defaultCategory);
        } catch (ConsentManagementException e) {
            throw new SSOConsentServiceException("Consent purpose category error", "Error while adding purpose category: DEFAULT", e);
        }
    }

    /**
     * Checks whether the exception carries the "purpose category name invalid" error code.
     *
     * @param consentManagementClientException exception raised by the consent manager
     * @return {@code true} when its error code equals {@code ERROR_CODE_PURPOSE_CAT_NAME_INVALID}
     */
    private boolean isInvalidPurposeCategoryError(ConsentManagementClientException consentManagementClientException) {
        final String invalidNameCode = ConsentConstants.ErrorMessages.ERROR_CODE_PURPOSE_CAT_NAME_INVALID.getCode();
        return invalidNameCode.equals(consentManagementClientException.getErrorCode());
    }

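    /**
     * Returns the purpose named "DEFAULT" in group "DEFAULT" of group type
     * {@code DEFAULT_PURPOSE_GROUP_TYPE}, creating it when the consent manager reports the name as
     * invalid (unknown).
     *
     * <p>The client exception is caught before the general consent-management exception, matching
     * {@code getPiiCategoryValiditiesForClaims}. NOTE(review): if the client exception is a subclass of
     * the general one (its declaration is not visible here), the previous order made the create-on-miss
     * branch unreachable.
     *
     * @return the existing or newly created default purpose
     * @throws SSOConsentServiceException when the purpose can be neither retrieved nor created
     */
    private Purpose getDefaultPurpose() throws SSOConsentServiceException {
        try {
            return getConsentManager().getPurposeByName("DEFAULT", "DEFAULT", DEFAULT_PURPOSE_GROUP_TYPE);
        } catch (ConsentManagementClientException e) {
            if (isInvalidPurposeError(e)) {
                return addDefaultPurpose();
            }
            throw new SSOConsentServiceException("Consent purpose error", "Error while retrieving purpose: DEFAULT", e);
        } catch (ConsentManagementException e) {
            throw new SSOConsentServiceException("Consent purpose error", "Error while retrieving purpose: DEFAULT", e);
        }
    }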

    /**
     * Creates the purpose named "DEFAULT" in group "DEFAULT" of group type
     * {@code DEFAULT_PURPOSE_GROUP_TYPE}.
     *
     * @return the purpose as returned by the consent manager
     * @throws SSOConsentServiceException when the consent manager rejects the addition
     */
    private Purpose addDefaultPurpose() throws SSOConsentServiceException {
        try {
            Purpose defaultPurpose = new Purpose("DEFAULT", "For core functionalities of the product", "DEFAULT", DEFAULT_PURPOSE_GROUP_TYPE);
            return getConsentManager().addPurpose(defaultPurpose);
        } catch (ConsentManagementException e) {
            throw new SSOConsentServiceException("Consent purpose error", "Error while adding purpose: DEFAULT", e);
        }
    }

    /**
     * Checks whether the exception carries the "purpose name invalid" error code.
     *
     * @param consentManagementClientException exception raised by the consent manager
     * @return {@code true} when its error code equals {@code ERROR_CODE_PURPOSE_NAME_INVALID}
     */
    private boolean isInvalidPurposeError(ConsentManagementClientException consentManagementClientException) {
        final String invalidNameCode = ConsentConstants.ErrorMessages.ERROR_CODE_PURPOSE_NAME_INVALID.getCode();
        return invalidNameCode.equals(consentManagementClientException.getErrorCode());
    }

    /**
     * Splits the consent-required claims into approved and disapproved sets and enforces that no
     * mandatory claim ends up disapproved.
     *
     * @param list              ids of the claims the user approved
     * @param consentClaimsData mandatory and requested claims the ids refer to
     * @return the approved and disapproved claims
     * @throws SSOConsentServiceException when at least one mandatory claim was not approved
     */
    private UserConsent processUserConsent(List<Integer> list, ConsentClaimsData consentClaimsData) throws SSOConsentServiceException {
        final UserConsent consent = new UserConsent();
        final List<ClaimMetaData> approved = buildApprovedClaimList(list, consentClaimsData);
        final List<ClaimMetaData> consentRequired = getConsentRequiredClaimMetaData(consentClaimsData);
        final List<ClaimMetaData> disapproved = buildDisapprovedClaimList(consentRequired, approved);
        // Consent to mandatory claims is not optional: refuse the whole submission.
        if (isMandatoryClaimsDisapproved(consentClaimsData.getMandatoryClaims(), disapproved)) {
            throw new SSOConsentServiceException("Consent Denied for Mandatory Attributes", "User denied consent to share mandatory attributes.");
        }
        consent.setApprovedClaims(approved);
        consent.setDisapprovedClaims(disapproved);
        return consent;
    }

    /**
     * Merges the claims approved in this request with the still-valid claims of the user's existing
     * receipt for the service provider.
     *
     * @param serviceProvider   service provider the consent applies to
     * @param authenticatedUser user giving consent
     * @param userConsent       result of the current consent submission
     * @return the newly approved claims alone when no receipt exists; otherwise the union with the
     *         receipt's claims, de-duplicated by claim URI with the first occurrence kept
     * @throws SSOConsentServiceException when the existing receipt cannot be read
     */
    private List<ClaimMetaData> getAllUserApprovedClaims(ServiceProvider serviceProvider, AuthenticatedUser authenticatedUser, UserConsent userConsent) throws SSOConsentServiceException {
        final List<ClaimMetaData> merged = new ArrayList<>(userConsent.getApprovedClaims());
        final String spName = serviceProvider.getApplicationName();
        final String spTenantDomain = getSPTenantDomain(serviceProvider);
        final String subject = buildSubjectWithUserStoreDomain(authenticatedUser);
        final Receipt existingReceipt = getConsentReceiptOfUser(serviceProvider, authenticatedUser, spName, spTenantDomain, subject);
        if (existingReceipt == null) {
            return merged;
        }
        List<PIICategoryValidity> previousCategories = getPIICategoriesFromServices(existingReceipt.getServices());
        merged.addAll(getClaimsFromPIICategoryValidity(previousCategories));
        return getDistinctClaims(merged);
    }

    /**
     * Removes claims whose URI has already been seen, keeping the first occurrence of each URI.
     *
     * @param list claims, possibly containing several entries with the same URI
     * @return a new list holding one entry per claim URI, in encounter order
     */
    private List<ClaimMetaData> getDistinctClaims(List<ClaimMetaData> list) {
        final Predicate<ClaimMetaData> firstWithUri = distinctByKey(ClaimMetaData::getClaimUri);
        return list.stream()
                .filter(firstWithUri)
                .collect(Collectors.toList());
    }

    /**
     * Builds a stateful predicate that accepts a claim only the first time its key is seen.
     *
     * <p>The predicate remembers keys in a plain {@link HashSet}, so one instance is meant for a single
     * sequential pass.
     *
     * @param function extracts the key from a claim
     * @return predicate that is {@code true} for the first claim with a given key and {@code false} for
     *         later ones
     */
    private Predicate<ClaimMetaData> distinctByKey(Function<ClaimMetaData, String> function) {
        final HashSet<String> seenKeys = new HashSet<>();
        // Set.add reports whether the key was new.
        return claim -> seenKeys.add(function.apply(claim));
    }

    /**
     * Collects mandatory claims followed by requested claims into one new list.
     *
     * @param consentClaimsData source of the mandatory and requested claims; either may be null or empty
     * @return a new, modifiable list with all consent-required claims
     */
    private List<ClaimMetaData> getConsentRequiredClaimMetaData(ConsentClaimsData consentClaimsData) {
        final List<ClaimMetaData> consentRequired = new ArrayList<>();
        if (!CollectionUtils.isEmpty(consentClaimsData.getMandatoryClaims())) {
            consentRequired.addAll(consentClaimsData.getMandatoryClaims());
        }
        if (!CollectionUtils.isEmpty(consentClaimsData.getRequestedClaims())) {
            consentRequired.addAll(consentClaimsData.getRequestedClaims());
        }
        return consentRequired;
    }

    /**
     * Derives the disapproved claims by removing the approved ones from the consent-required ones.
     *
     * <p>The first argument is modified in place and returned; callers must pass a list they own.
     *
     * @param list  consent-required claims; emptied of approved entries by this call
     * @param list2 approved claims
     * @return {@code list} after removal, or a new empty list when {@code list} is null or empty
     */
    private List<ClaimMetaData> buildDisapprovedClaimList(List<ClaimMetaData> list, List<ClaimMetaData> list2) {
        if (CollectionUtils.isEmpty(list)) {
            return new ArrayList<>();
        }
        list.removeAll(list2);
        return list;
    }

    /**
     * Resolves approved claim ids to the claim objects held in the consent data.
     *
     * <p>Each id is looked up in the mandatory and then in the requested claims; an id found in neither
     * contributes nothing, so only claims that were actually offered for consent can be approved.
     * The lookup uses {@code List.indexOf} with a probe that carries only the id, so it presumably
     * relies on {@code ClaimMetaData.equals} comparing ids - confirm against that class.
     *
     * @param list              ids of the claims the user approved
     * @param consentClaimsData mandatory and requested claims the ids refer to
     * @return the matching claim objects, in the order of the ids
     */
    private List<ClaimMetaData> buildApprovedClaimList(List<Integer> list, ConsentClaimsData consentClaimsData) {
        final List<ClaimMetaData> approved = new ArrayList<>();
        for (Integer claimId : list) {
            ClaimMetaData probe = new ClaimMetaData();
            probe.setId(claimId.intValue());

            List<ClaimMetaData> mandatory = consentClaimsData.getMandatoryClaims();
            int mandatoryPos = mandatory.indexOf(probe);
            if (mandatoryPos >= 0) {
                approved.add(mandatory.get(mandatoryPos));
            }

            List<ClaimMetaData> requested = consentClaimsData.getRequestedClaims();
            int requestedPos = requested.indexOf(probe);
            if (requestedPos >= 0) {
                approved.add(requested.get(requestedPos));
            }
        }
        return approved;
    }

    /**
     * Builds the subject identifier used for consent receipts: the user name qualified with a domain.
     *
     * @param authenticatedUser user to identify
     * @return the user name combined by {@code UserCoreUtil.addDomainToName} with the federated domain
     *         for federated users, or with the user store domain otherwise
     */
    private String buildSubjectWithUserStoreDomain(AuthenticatedUser authenticatedUser) {
        final String userName = authenticatedUser.getUserName();
        final String domain;
        if (authenticatedUser.isFederatedUser()) {
            domain = getFederatedUserDomain(authenticatedUser.getFederatedIdPName());
        } else {
            domain = authenticatedUser.getUserStoreDomain();
        }
        return UserCoreUtil.addDomainToName(userName, domain);
    }

    /**
     * Builds the domain label for a federated user.
     *
     * @param str name of the federated identity provider, may be blank
     * @return {@code "FEDERATED:" + str} when a name is given, otherwise {@code "FEDERATED"}
     */
    private String getFederatedUserDomain(String str) {
        if (StringUtils.isNotBlank(str)) {
            return "FEDERATED:" + str;
        }
        return "FEDERATED";
    }

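    /**
     * Searches the user's ACTIVE consent receipts for one service provider inside the user's tenant flow.
     *
     * <p>The tenant flow is closed in a {@code finally} block so that it is ended exactly once on every
     * path, replacing the hand-written "end on success, end again in a catch-all" shape.
     *
     * @param authenticatedUser user whose tenant domain is used for the tenant flow
     * @param str               service provider (application) name
     * @param str2              service provider tenant domain
     * @param str3              subject, i.e. the user name qualified with its user store domain
     * @param i                 first argument of {@code searchReceipts}; presumably the maximum number of
     *                          receipts to return - confirm against ConsentManager
     * @return the receipts found
     * @throws ConsentManagementException when the search fails
     */
    private List<ReceiptListResponse> getReceiptListOfUserForSP(AuthenticatedUser authenticatedUser, String str, String str2, String str3, int i) throws ConsentManagementException {
        startTenantFlowWithUser(str3, authenticatedUser.getTenantDomain());
        try {
            return getConsentManager().searchReceipts(i, 0, str3, str2, str, "ACTIVE");
        } finally {
            // Always leave the privileged tenant context, whatever happened above.
            PrivilegedCarbonContext.endTenantFlow();
        }
    }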

    /**
     * Flattens the PII categories of every purpose of every service into one list.
     *
     * @param list services of a receipt
     * @return all PII categories, in service and purpose order
     */
    private List<PIICategoryValidity> getPIICategoriesFromServices(List<ReceiptService> list) {
        final List<PIICategoryValidity> collected = new ArrayList<>();
        for (ReceiptService service : list) {
            for (Object purpose : service.getPurposes()) {
                collected.addAll(((ConsentPurpose) purpose).getPiiCategory());
            }
        }
        return collected;
    }

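    /**
     * Extracts the claims with a still-valid consent from a receipt.
     *
     * <p>The claim list is passed to {@code String.format} as an argument instead of being concatenated
     * into the format string. Claim names and display names are stored data; a {@code %} in them would
     * otherwise be parsed as a format specifier and make the debug statement throw.
     *
     * @param receipt receipt to read
     * @return claims of the receipt whose consent validity has not run out
     */
    private List<ClaimMetaData> getConsentClaimsFromReceipt(Receipt receipt) {
        List<ClaimMetaData> claimsFromPIICategoryValidity = getClaimsFromPIICategoryValidity(getPIICategoriesFromServices(receipt.getServices()));
        if (isDebugEnabled()) {
            logDebug(String.format("User: %s has provided consent in receipt: %s for claims: %s", receipt.getPiiPrincipalId(), receipt.getConsentReceiptId(), claimsFromPIICategoryValidity));
        }
        return claimsFromPIICategoryValidity;
    }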

    /**
     * Converts PII categories with a valid consent into claim metadata (URI and display name only).
     *
     * @param list PII categories taken from a receipt
     * @return one claim per category for which {@code isConsentForClaimValid} returns {@code true}
     */
    private List<ClaimMetaData> getClaimsFromPIICategoryValidity(List<PIICategoryValidity> list) {
        final List<ClaimMetaData> validClaims = new ArrayList<>();
        for (PIICategoryValidity category : list) {
            if (!isConsentForClaimValid(category)) {
                // Consent for this category has run out or cannot be interpreted.
                continue;
            }
            ClaimMetaData claim = new ClaimMetaData();
            claim.setClaimUri(category.getName());
            claim.setDisplayName(category.getDisplayName());
            validClaims.add(claim);
        }
        return validClaims;
    }

    /**
     * Decides whether the consent stored for a PII category is still in force.
     *
     * <p>The validity string is split on {@code SSOConsentConstants.CONSENT_VALIDITY_SEPARATOR} and the
     * first entry of a supported expiry type decides the outcome:
     * <ul>
     *   <li>an entry without a {@code ":"}-separated value, or with a value that is not a number, makes
     *       the consent invalid;</li>
     *   <li>the indefinite marker makes it valid;</li>
     *   <li>otherwise the value is read as epoch milliseconds and the consent is valid while that time
     *       lies after the current time.</li>
     * </ul>
     * An empty validity, or one without any supported entry, is treated as valid; callers relying on
     * expiry should be aware that missing validity data does not revoke consent.
     *
     * @param pIICategoryValidity category and validity taken from a receipt
     * @return {@code true} when the consent may still be used
     */
    protected boolean isConsentForClaimValid(PIICategoryValidity pIICategoryValidity) {
        final String validity = pIICategoryValidity.getValidity();
        if (StringUtils.isEmpty(validity)) {
            return true;
        }
        final String[] entries = validity.split(SSOConsentConstants.CONSENT_VALIDITY_SEPARATOR);
        for (String entry : entries) {
            if (!isSupportedExpiryType(entry)) {
                continue;
            }
            final String[] typeAndValue = entry.split(":", 2);
            if (typeAndValue.length != 2) {
                return false;
            }
            try {
                final String validUntil = typeAndValue[1];
                if (isDebugEnabled()) {
                    logDebug(String.format("Validity time for PII category: %s is %s.", pIICategoryValidity.getName(), validUntil));
                }
                if (isExpiryIndefinite(validUntil)) {
                    return true;
                }
                // isExpired(now, validUntil) is true while validUntil is still ahead of now.
                return isExpired(System.currentTimeMillis(), Long.parseLong(validUntil));
            } catch (NumberFormatException e) {
                if (isDebugEnabled()) {
                    logDebug(String.format("Cannot parse timestamp: %s. for PII category %s.", validity, pIICategoryValidity.getName()));
                }
                return false;
            }
        }
        return true;
    }

    /**
     * Tells whether a validity entry starts with the "valid until" type prefix, ignoring case.
     *
     * <p>NOTE(review): {@code toUpperCase()} uses the JVM default locale, so the comparison is
     * locale-sensitive for lower-case input.
     *
     * @param str one entry of the validity string
     * @return {@code true} when the upper-cased entry starts with
     *         {@code SSOConsentConstants.CONSENT_VALIDITY_TYPE_VALID_UNTIL}
     */
    private boolean isSupportedExpiryType(String str) {
        final String upperCased = str.toUpperCase();
        return upperCased.startsWith(SSOConsentConstants.CONSENT_VALIDITY_TYPE_VALID_UNTIL);
    }

    /**
     * Compares the current time with a consent's valid-until time.
     *
     * <p>Despite the name, the result is {@code true} when the valid-until time lies strictly after the
     * current time, i.e. when the consent has NOT yet expired. {@code isConsentForClaimValid} returns
     * this value directly as "consent is valid", so the name must not be taken literally.
     *
     * @param j  current time in milliseconds
     * @param j2 valid-until time in milliseconds
     * @return {@code true} while {@code j2} is later than {@code j}
     */
    private boolean isExpired(long j, long j2) {
        return j < j2;
    }

    /**
     * Tells whether a valid-until value is the "indefinite" marker, ignoring case.
     *
     * @param str value part of a validity entry
     * @return {@code true} when it equals
     *         {@code SSOConsentConstants.CONSENT_VALIDITY_TYPE_VALID_UNTIL_INDEFINITE}
     */
    private boolean isExpiryIndefinite(String str) {
        final String indefiniteMarker = SSOConsentConstants.CONSENT_VALIDITY_TYPE_VALID_UNTIL_INDEFINITE;
        return indefiniteMarker.equalsIgnoreCase(str);
    }

    /**
     * Tells whether any mandatory claim appears among the disapproved claims.
     *
     * <p>Membership is decided by {@code Collections.disjoint}, hence by {@code ClaimMetaData.equals},
     * which is not visible in this listing.
     *
     * @param list  mandatory claims, may be null or empty
     * @param list2 disapproved claims
     * @return {@code true} when there are mandatory claims and at least one of them is disapproved
     */
    private boolean isMandatoryClaimsDisapproved(List<ClaimMetaData> list, List<ClaimMetaData> list2) {
        if (CollectionUtils.isEmpty(list)) {
            return false;
        }
        return !Collections.disjoint(list2, list);
    }

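    /**
     * Builds the claim metadata shown for consent from the URIs of mandatory and requested claims.
     *
     * <p>Local claims of the tenant supply display name and description. URIs that match no local claim
     * still get an entry built from the URI alone. Ids are assigned sequentially from 0 in the order
     * entries are created.
     *
     * <p>Fix: the leftover requested URIs are now read from {@code list2}. The previous code iterated
     * the mandatory list there, so unmatched requested claims never reached the consent data and
     * unmatched mandatory claims were listed a second time as requested.
     *
     * <p>Both input lists are consumed: every URI matched against a local claim is removed from them.
     *
     * @param list  URIs of mandatory claims; modified by this call, may be null
     * @param list2 URIs of requested claims; modified by this call, may be null
     * @param str   tenant domain whose local claims are loaded
     * @return consent data with mandatory and requested claim metadata
     * @throws SSOConsentServiceException when the local claims cannot be loaded
     */
    private ConsentClaimsData getConsentRequiredClaimData(List<String> list, List<String> list2, String str) throws SSOConsentServiceException {
        ConsentClaimsData consentClaimsData = new ConsentClaimsData();
        try {
            List<LocalClaim> localClaims = getClaimMetadataManagementService().getLocalClaims(str);
            List<ClaimMetaData> mandatoryMetaData = new ArrayList<>();
            List<ClaimMetaData> requestedMetaData = new ArrayList<>();
            int nextId = 0;
            if (CollectionUtils.isNotEmpty(localClaims)) {
                for (LocalClaim localClaim : localClaims) {
                    if (isAllRequiredClaimsChecked(list, list2)) {
                        break;
                    }
                    String claimURI = localClaim.getClaimURI();
                    // Null lists are tolerated here just as in the emptiness checks around this loop.
                    if (list != null && list.remove(claimURI)) {
                        mandatoryMetaData.add(buildClaimMetaData(nextId, localClaim, claimURI));
                        nextId++;
                    } else if (list2 != null && list2.remove(claimURI)) {
                        requestedMetaData.add(buildClaimMetaData(nextId, localClaim, claimURI));
                        nextId++;
                    }
                }
            }
            // Whatever is left matched no local claim; describe it by its URI only.
            if (CollectionUtils.isNotEmpty(list)) {
                for (String claimUri : list) {
                    mandatoryMetaData.add(buildClaimMetaData(nextId, claimUri));
                    nextId++;
                }
            }
            if (CollectionUtils.isNotEmpty(list2)) {
                for (String claimUri : list2) {
                    requestedMetaData.add(buildClaimMetaData(nextId, claimUri));
                    nextId++;
                }
            }
            consentClaimsData.setMandatoryClaims(mandatoryMetaData);
            consentClaimsData.setRequestedClaims(requestedMetaData);
            return consentClaimsData;
        } catch (ClaimMetadataException e) {
            throw new SSOConsentServiceException("Error while retrieving local claims", "Error occurred while retrieving local claims for tenant: " + str, e);
        }
    }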

    /**
     * Tells whether both claim URI lists have been fully consumed.
     *
     * @param list  remaining mandatory claim URIs, may be null
     * @param list2 remaining requested claim URIs, may be null
     * @return {@code true} when both lists are null or empty
     */
    private boolean isAllRequiredClaimsChecked(List<String> list, List<String> list2) {
        if (!CollectionUtils.isEmpty(list)) {
            return false;
        }
        return CollectionUtils.isEmpty(list2);
    }

    /**
     * Builds claim metadata for a URI that has no local claim definition, using a bare
     * {@code LocalClaim} created from the URI.
     *
     * @param i   id to assign
     * @param str claim URI
     * @return the claim metadata
     */
    private ClaimMetaData buildClaimMetaData(int i, String str) {
        final LocalClaim placeholder = new LocalClaim(str);
        return buildClaimMetaData(i, placeholder, str);
    }

    /**
     * Builds claim metadata from a local claim definition.
     *
     * @param i          id to assign
     * @param localClaim source of the "DisplayName" and "Description" claim properties
     * @param str        claim URI; also used as display name when the property is blank
     * @return metadata with id, URI, display name and description (empty string when not defined)
     */
    private ClaimMetaData buildClaimMetaData(int i, LocalClaim localClaim, String str) {
        final ClaimMetaData metaData = new ClaimMetaData();
        metaData.setId(i);
        metaData.setClaimUri(str);

        final String displayName = (String) localClaim.getClaimProperties().get("DisplayName");
        metaData.setDisplayName(StringUtils.isNotBlank(displayName) ? displayName : str);

        final String description = localClaim.getClaimProperty("Description");
        metaData.setDescription(StringUtils.isNotBlank(description) ? description : "");
        return metaData;
    }

    /**
     * Extracts the claim URIs from claim metadata.
     *
     * @param list claim metadata
     * @return the claim URIs, in input order
     */
    private List<String> getClaimsFromConsentMetaData(List<ClaimMetaData> list) {
        final List<String> claimUris = new ArrayList<>();
        for (ClaimMetaData claim : list) {
            claimUris.add(claim.getClaimUri());
        }
        return claimUris;
    }

    /**
     * Returns the receipt id of the first entry; the list must not be empty.
     *
     * @param list receipt search results
     * @return consent receipt id of the element at index 0
     */
    private String getFirstConsentReceiptFromList(List<ReceiptListResponse> list) {
        final ReceiptListResponse first = list.get(0);
        return first.getConsentReceiptId();
    }

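    /**
     * Loads a consent receipt by id inside the user's tenant flow.
     *
     * <p>The tenant flow is closed in a {@code finally} block so that it is ended exactly once on every
     * path, replacing the hand-written "end on success, end again in a catch-all" shape.
     *
     * @param authenticatedUser user whose subject and tenant domain define the tenant flow
     * @param str               consent receipt id
     * @return the receipt returned by the consent manager
     * @throws SSOConsentServiceException when the consent manager fails to return the receipt
     */
    private Receipt getReceipt(AuthenticatedUser authenticatedUser, String str) throws SSOConsentServiceException {
        try {
            startTenantFlowWithUser(buildSubjectWithUserStoreDomain(authenticatedUser), authenticatedUser.getTenantDomain());
            return getConsentManager().getReceipt(str);
        } catch (ConsentManagementException e) {
            throw new SSOConsentServiceException("Consent Management Error", "Error while retrieving user consents.", e);
        } finally {
            // Always leave the privileged tenant context, whatever happened above.
            PrivilegedCarbonContext.endTenantFlow();
        }
    }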

    /**
     * @param list receipt search results
     * @return {@code true} when the list holds exactly one receipt
     */
    private boolean hasUserSingleReceipt(List<ReceiptListResponse> list) {
        final int receiptCount = list.size();
        return receiptCount == 1;
    }

    /**
     * @param list receipt search results
     * @return {@code true} when the list holds more than one receipt
     */
    private boolean hasUserMultipleReceipts(List<ReceiptListResponse> list) {
        final int receiptCount = list.size();
        return receiptCount > 1;
    }

    /**
     * Starts a tenant flow for the given tenant domain and sets the user name on the thread-local
     * carbon context. Every call must be paired with {@code PrivilegedCarbonContext.endTenantFlow()}.
     *
     * @param str  user name to set on the context
     * @param str2 tenant domain to switch to
     */
    private void startTenantFlowWithUser(String str, String str2) {
        startTenantFlow(str2);
        final PrivilegedCarbonContext context = PrivilegedCarbonContext.getThreadLocalCarbonContext();
        context.setUsername(str);
    }

    /**
     * Starts a tenant flow and sets the tenant domain on the thread-local carbon context, passing
     * {@code true} as the second argument of {@code setTenantDomain}.
     *
     * @param str tenant domain to switch to
     */
    private void startTenantFlow(String str) {
        PrivilegedCarbonContext.startTenantFlow();
        final PrivilegedCarbonContext context = PrivilegedCarbonContext.getThreadLocalCarbonContext();
        context.setTenantDomain(str, true);
    }

    /**
     * @return {@code true} when debug logging is enabled for this class's logger
     */
    private boolean isDebugEnabled() {
        final boolean debugOn = log.isDebugEnabled();
        return debugOn;
    }

    /**
     * Writes a message to this class's logger at debug level.
     *
     * @param str message to log
     */
    private void logDebug(String str) {
        final String message = str;
        log.debug(message);
    }

    /**
     * @return the consent manager registered in {@code FrameworkServiceDataHolder}
     */
    private ConsentManager getConsentManager() {
        final FrameworkServiceDataHolder holder = FrameworkServiceDataHolder.getInstance();
        return holder.getConsentManager();
    }

    /**
     * @return the claim metadata management service registered in {@code FrameworkServiceDataHolder}
     */
    private ClaimMetadataManagementService getClaimMetadataManagementService() {
        final FrameworkServiceDataHolder holder = FrameworkServiceDataHolder.getInstance();
        return holder.getClaimMetadataManagementService();
    }
}
