package org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl;

import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang.RandomStringUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.CarbonException;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.core.util.AnonymousSessionUtil;
import org.wso2.carbon.core.util.PermissionUpdateUtil;
import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException;
import org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.ProvisioningHandler;
import org.wso2.carbon.identity.application.authentication.framework.internal.FrameworkServiceComponent;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.user.profile.mgt.UserProfileAdmin;
import org.wso2.carbon.identity.user.profile.mgt.UserProfileException;
import org.wso2.carbon.registry.core.service.RegistryService;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.UserRealm;
import org.wso2.carbon.user.core.UserStoreManager;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/application/authentication/framework/handler/provisioning/impl/DefaultProvisioningHandler.class */
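/**
 * Default JIT (just-in-time) provisioning handler of the authentication framework.
 *
 * <p>For a federated subject it resolves the target user store, creates the local user if it does
 * not exist yet (or synchronises roles and claims if it does) and records the association between
 * the local user and the federated subject.
 *
 * <p>Thread-safety: the singleton holds no mutable state apart from a {@link SecureRandom}, which is
 * safe for concurrent use.
 */
public class DefaultProvisioningHandler implements ProvisioningHandler {
    private static final Log log = LogFactory.getLog(DefaultProvisioningHandler.class);
    // Marker contained in the UserProfileException message when an association already exists;
    // see isUserAlreadyAssociated().
    private static final String ALREADY_ASSOCIATED_MESSAGE = "UserAlreadyAssociated";
    // Special provisioning user store id meaning "use the domain found in the subject name".
    private static final String AS_IN_USERNAME_USER_STORE = "As in username";
    private static final String PRIMARY_USER_STORE_DOMAIN = "PRIMARY";
    private static final String INTERNAL_DOMAIN = "Internal";
    private static final int GENERATED_PASSWORD_LENGTH = 12;
    private static volatile DefaultProvisioningHandler instance;
    // Cryptographically strong source used for generated initial passwords; see generatePassword().
    private final SecureRandom random = new SecureRandom();

    /**
     * Returns the lazily created singleton instance (double-checked locking on the volatile field).
     *
     * @return the shared handler instance
     */
    public static DefaultProvisioningHandler getInstance() {
        if (instance == null) {
            synchronized (DefaultProvisioningHandler.class) {
                if (instance == null) {
                    instance = new DefaultProvisioningHandler();
                }
            }
        }
        return instance;
    }

    /**
     * Provisions the local user for a federated subject.
     *
     * <p>Resolves the user store from {@code provisioningUserStoreId}, then either updates the existing
     * local user (role sync and claim update) or creates a new one, associates it with the federated
     * subject and refreshes the tenant's permission tree.
     *
     * @param roles                   roles the federated user should end up with; only roles that exist
     *                                in the resolved user store are assigned
     * @param subject                 federated subject identifier, possibly tenant- and domain-qualified
     * @param attributes              claim mappings for the user. {@link FrameworkConstants#IDP_ID},
     *                                {@link FrameworkConstants#ASSOCIATED_ID} and
     *                                {@link FrameworkConstants#PASSWORD} are consumed here and never
     *                                stored as claims. The map is modified in place.
     * @param provisioningUserStoreId user store domain to provision into, or {@code "As in username"}
     *                                to take the domain from {@code subject}
     * @param tenantDomain            tenant the user is provisioned in
     * @throws FrameworkException if the user store cannot be resolved, the association fails, or any
     *                            user-store / registry / profile operation fails
     */
    @Override // org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.ProvisioningHandler
    public void handle(List<String> roles, String subject, Map<String, String> attributes,
                       String provisioningUserStoreId, String tenantDomain) throws FrameworkException {
        RegistryService registryService = FrameworkServiceComponent.getRegistryService();
        RealmService realmService = FrameworkServiceComponent.getRealmService();
        try {
            int tenantId = realmService.getTenantManager().getTenantId(tenantDomain);
            UserRealm realm = AnonymousSessionUtil.getRealmByTenantDomain(registryService, realmService, tenantDomain);
            String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(subject);

            String userStoreDomain;
            UserStoreManager userStoreManager;
            if (AS_IN_USERNAME_USER_STORE.equalsIgnoreCase(provisioningUserStoreId)) {
                String domainFromName = UserCoreUtil.extractDomainFromName(subject);
                try {
                    userStoreManager = getUserStoreManager(realm, domainFromName);
                    userStoreDomain = domainFromName;
                } catch (FrameworkException e) {
                    // The domain carried in the subject is unknown in this tenant: fall back to PRIMARY
                    // rather than failing the login.
                    log.error("User store domain " + domainFromName + " does not exist for the tenant "
                            + tenantDomain + ", hence provisioning user to PRIMARY");
                    userStoreDomain = PRIMARY_USER_STORE_DOMAIN;
                    userStoreManager = getUserStoreManager(realm, userStoreDomain);
                }
            } else {
                userStoreDomain = getUserStoreDomain(provisioningUserStoreId, realm);
                userStoreManager = getUserStoreManager(realm, userStoreDomain);
            }

            String username = UserCoreUtil.removeDomainFromName(tenantAwareUsername);
            if (log.isDebugEnabled()) {
                log.debug("User: " + username + " with roles : " + roles + " is going to be provisioned");
            }

            List<String> normalizedRoles = convertInternalRoleDomainsToCamelCase(roles);
            Collection<String> rolesToAdd = getRolesAvailableToAdd(userStoreManager, normalizedRoles);
            // IdP id and associated id drive the association only; they must not be written as claims.
            String idpId = attributes == null ? null : attributes.remove(FrameworkConstants.IDP_ID);
            String associatedId = attributes == null ? null : attributes.remove(FrameworkConstants.ASSOCIATED_ID);
            Map<String, String> claims = prepareClaimMappings(attributes);

            if (userStoreManager.isExistingUser(username)) {
                updateExistingUser(realm, userStoreManager, username, roles, normalizedRoles, rolesToAdd, claims);
                if (StringUtils.isEmpty(UserProfileAdmin.getInstance().getNameAssociatedWith(idpId, associatedId))) {
                    associateUser(username, userStoreDomain, tenantDomain, associatedId, idpId);
                }
            } else {
                createNewUser(userStoreManager, username, rolesToAdd, claims);
                associateUser(username, userStoreDomain, tenantDomain, associatedId, idpId);
            }
            PermissionUpdateUtil.updatePermissionTree(tenantId);
        } catch (UserStoreException | CarbonException | UserProfileException e) {
            throw new FrameworkException("Error while provisioning user : " + subject, (Throwable) e);
        } finally {
            IdentityUtil.clearIdentityErrorMsg();
        }
    }

    /**
     * Synchronises roles and claims of an already existing local user.
     *
     * <p>Roles are only touched when {@code roles} is non-empty: roles the user already has are dropped
     * from the add set, and roles the user has but the IdP did not send (except the everyone role) are
     * removed. Claims are applied only when there is at least one; the password claim is never written.
     */
    private void updateExistingUser(UserRealm realm, UserStoreManager userStoreManager, String username,
                                    List<String> roles, List<String> normalizedRoles,
                                    Collection<String> rolesToAdd, Map<String, String> claims)
            throws org.wso2.carbon.user.core.UserStoreException, FrameworkException {
        if (roles != null && !roles.isEmpty()) {
            List<String> currentRoles = Arrays.asList(userStoreManager.getRoleListOfUser(username));
            rolesToAdd.removeAll(currentRoles);
            List<String> rolesToDelete = new ArrayList<>(currentRoles);
            rolesToDelete.removeAll(normalizedRoles);
            // The everyone role is implicit and must never be unassigned.
            rolesToDelete.remove(realm.getRealmConfiguration().getEveryOneRoleName());
            handleFederatedUserNameEqualsToSuperAdminUserName(realm, username, userStoreManager, rolesToDelete);
            updateUserWithNewRoleSet(username, userStoreManager, normalizedRoles, rolesToAdd, rolesToDelete);
        }
        if (!claims.isEmpty()) {
            claims.remove(FrameworkConstants.PASSWORD);
            userStoreManager.setUserClaimValues(UserCoreUtil.removeDomainFromName(username), claims, (String) null);
        }
    }

    /**
     * Creates the local user with the given roles and claims.
     *
     * <p>The password is taken from the {@link FrameworkConstants#PASSWORD} claim if the IdP supplied
     * one, otherwise a random one is generated. The password claim itself is not stored.
     */
    private void createNewUser(UserStoreManager userStoreManager, String username,
                               Collection<String> rolesToAdd, Map<String, String> claims)
            throws org.wso2.carbon.user.core.UserStoreException {
        String password = generatePassword();
        String passwordFromClaims = claims.get(FrameworkConstants.PASSWORD);
        if (StringUtils.isNotEmpty(passwordFromClaims)) {
            password = passwordFromClaims;
        }
        claims.remove(FrameworkConstants.PASSWORD);
        String[] roleArray = rolesToAdd.toArray(new String[rolesToAdd.size()]);
        userStoreManager.addUser(username, password, roleArray, claims, (String) null);
        if (log.isDebugEnabled()) {
            log.debug("Federated user: " + username
                    + " is provisioned by authentication framework with roles : " + Arrays.toString(roleArray));
        }
    }

    /**
     * Records the association between the local user and the federated subject.
     *
     * <p>Runs inside a tenant flow for {@code tenantDomain} with the domain-qualified local username as
     * the current user. An already existing association is logged and skipped, not treated as an error.
     *
     * @param username        local username without user store domain
     * @param userStoreDomain user store domain of the local user
     * @param tenantDomain    tenant of the local user
     * @param subject         federated subject identifier
     * @param idpId           identifier of the identity provider
     * @throws FrameworkException if {@code idpId} or {@code subject} is empty, or the association fails
     *                            for a reason other than already existing
     */
    protected void associateUser(String username, String userStoreDomain, String tenantDomain,
                                 String subject, String idpId) throws FrameworkException {
        String domainQualifiedUsername = UserCoreUtil.addDomainToName(username, userStoreDomain);
        try {
            FrameworkUtils.startTenantFlow(tenantDomain);
            PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(domainQualifiedUsername);
            if (StringUtils.isEmpty(idpId) || StringUtils.isEmpty(subject)) {
                throw new FrameworkException("Error while associating local user: " + domainQualifiedUsername
                        + " in tenant: " + tenantDomain + " to the federated subject : " + subject
                        + " in IdP: " + idpId);
            }
            UserProfileAdmin.getInstance().associateID(idpId, subject);
            if (log.isDebugEnabled()) {
                log.debug("Associated local user: " + domainQualifiedUsername + " in tenant: " + tenantDomain
                        + " to the federated subject : " + subject + " in IdP: " + idpId);
            }
        } catch (UserProfileException e) {
            if (!isUserAlreadyAssociated(e)) {
                throw new FrameworkException("Error while associating local user: " + domainQualifiedUsername
                        + " in tenant: " + tenantDomain + " to the federated subject : " + subject
                        + " in IdP: " + idpId, (Throwable) e);
            }
            log.info("An association already exists for user: " + subject + ". Skip association while JIT provisioning");
        } finally {
            FrameworkUtils.endTenantFlow();
        }
    }

    /**
     * Tells whether the exception signals a duplicate association (message contains the marker)
     * rather than a real failure.
     */
    private boolean isUserAlreadyAssociated(UserProfileException userProfileException) {
        String message = userProfileException.getMessage();
        return message != null && message.contains(ALREADY_ASSOCIATED_MESSAGE);
    }

    /**
     * Applies the computed role delta to the user in a single user-store call.
     *
     * @param username         local username without user store domain
     * @param userStoreManager user store holding the user
     * @param roles            full role list requested by the IdP (logged only)
     * @param rolesToAdd       roles to assign
     * @param rolesToDelete    roles to unassign
     */
    private void updateUserWithNewRoleSet(String username, UserStoreManager userStoreManager, List<String> roles,
                                          Collection<String> rolesToAdd, Collection<String> rolesToDelete)
            throws org.wso2.carbon.user.core.UserStoreException {
        String[] deleteArray = rolesToDelete.toArray(new String[rolesToDelete.size()]);
        String[] addArray = rolesToAdd.toArray(new String[rolesToAdd.size()]);
        if (log.isDebugEnabled()) {
            log.debug("Deleting roles : " + Arrays.toString(deleteArray) + " and Adding roles : " + Arrays.toString(addArray));
        }
        userStoreManager.updateRoleListOfUser(username, deleteArray, addArray);
        if (log.isDebugEnabled()) {
            log.debug("Federated user: " + username + " is updated by authentication framework with roles : " + roles);
        }
    }

    /**
     * Refuses the role sync when the federated user maps onto the local super admin account of the
     * primary user store and the sync would unassign the admin role from it.
     *
     * @param rolesToDelete roles about to be removed from the user
     * @throws FrameworkException if the admin role is among {@code rolesToDelete} for the super admin user
     */
    private void handleFederatedUserNameEqualsToSuperAdminUserName(UserRealm userRealm, String username,
                                                                   UserStoreManager userStoreManager,
                                                                   Collection<String> rolesToDelete)
            throws org.wso2.carbon.user.core.UserStoreException, FrameworkException {
        if (!userStoreManager.getRealmConfiguration().isPrimary()
                || !username.equals(userRealm.getRealmConfiguration().getAdminUserName())) {
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("Federated user's username is equal to super admin's username of local IdP.");
        }
        if (rolesToDelete.contains(userRealm.getRealmConfiguration().getAdminRoleName())) {
            if (log.isDebugEnabled()) {
                log.debug("Federated user doesn't have super admin role. Unable to sync roles, since super admin role cannot be unassigned from super admin user");
            }
            throw new FrameworkException("Federated user which having same username to super admin username of local IdP, trying login without having super admin role assigned");
        }
    }

    /**
     * Copies the attributes into a fresh map, dropping entries with an empty key or value.
     *
     * @param attributes raw attributes, may be {@code null}
     * @return a new mutable map, never {@code null}
     */
    private Map<String, String> prepareClaimMappings(Map<String, String> attributes) {
        Map<String, String> claims = new HashMap<>();
        if (attributes == null || attributes.isEmpty()) {
            return claims;
        }
        for (Map.Entry<String, String> entry : attributes.entrySet()) {
            String key = entry.getKey();
            String value = entry.getValue();
            if (!StringUtils.isEmpty(key) && !StringUtils.isEmpty(value)) {
                claims.put(key, value);
            }
        }
        return claims;
    }

    /**
     * Returns the subset of {@code roles} that exists in the user store (a new mutable collection);
     * all of {@code roles} when the user store reports no role names.
     */
    private Collection<String> getRolesAvailableToAdd(UserStoreManager userStoreManager, List<String> roles)
            throws org.wso2.carbon.user.core.UserStoreException {
        List<String> available = new ArrayList<>(roles);
        String[] existingRoleNames = userStoreManager.getRoleNames();
        if (existingRoleNames != null) {
            available.retainAll(Arrays.asList(existingRoleNames));
        }
        return available;
    }

    /**
     * Resolves the user store manager for a domain: the realm's primary manager when the domain is
     * empty, otherwise the secondary manager registered under that name.
     *
     * @throws FrameworkException if no user store is registered for {@code userStoreDomain}
     */
    private UserStoreManager getUserStoreManager(UserRealm userRealm, String userStoreDomain)
            throws org.wso2.carbon.user.core.UserStoreException, FrameworkException {
        UserStoreManager userStoreManager;
        if (userStoreDomain == null || userStoreDomain.isEmpty()) {
            userStoreManager = userRealm.getUserStoreManager();
        } else {
            userStoreManager = userRealm.getUserStoreManager().getSecondaryUserStoreManager(userStoreDomain);
        }
        if (userStoreManager == null) {
            throw new FrameworkException("Specified user store is invalid");
        }
        return userStoreManager;
    }

    /**
     * Validates a configured user store domain against the realm.
     *
     * @return {@code userStoreDomain} unchanged ({@code null} is accepted and means the primary store)
     * @throws FrameworkException if a non-null domain has no secondary user store in the realm
     */
    private String getUserStoreDomain(String userStoreDomain, UserRealm userRealm)
            throws FrameworkException, org.wso2.carbon.user.core.UserStoreException {
        if (userStoreDomain == null
                || userRealm.getUserStoreManager().getSecondaryUserStoreManager(userStoreDomain) != null) {
            return userStoreDomain;
        }
        throw new FrameworkException("Specified user store domain " + userStoreDomain + " is not valid.");
    }

    /**
     * Generates the initial password for a newly provisioned user: 12 numeric characters.
     *
     * <p>Drawn from the handler's {@link SecureRandom}; {@code RandomStringUtils.randomNumeric} would
     * use a shared {@code java.util.Random}, which is not suitable for credential material.
     */
    protected String generatePassword() {
        return RandomStringUtils.random(GENERATED_PASSWORD_LENGTH, 0, 0, false, true, null, random);
    }

    /**
     * Strips the user store domain from each name, except names in the {@code Internal} domain which
     * are kept as they are.
     *
     * @param names  domain-qualified names
     * @param unused not read; retained for signature compatibility
     * @return a new list in the same order
     */
    private List<String> removeDomainFromNamesExcludeInternal(List<String> names, int unused) {
        List<String> result = new ArrayList<>(names.size());
        for (String name : names) {
            if (INTERNAL_DOMAIN.equalsIgnoreCase(IdentityUtil.extractDomainFromName(name))) {
                result.add(name);
            } else {
                result.add(UserCoreUtil.removeDomainFromName(name));
            }
        }
        return result;
    }

    /**
     * Normalises the case of the internal role domain prefixes ({@code Internal}, application and
     * workflow domains) so that role names compare equal to those stored locally; other roles pass
     * through unchanged.
     *
     * @param roles role names, may be {@code null}
     * @return a new list, empty when {@code roles} is {@code null}
     */
    private List<String> convertInternalRoleDomainsToCamelCase(List<String> roles) {
        List<String> result = new ArrayList<>();
        if (roles == null) {
            return result;
        }
        String internalPrefix = INTERNAL_DOMAIN + CarbonConstants.DOMAIN_SEPARATOR;
        String applicationPrefix = FrameworkConstants.InternalRoleDomains.APPLICATION_DOMAIN + CarbonConstants.DOMAIN_SEPARATOR;
        String workflowPrefix = FrameworkConstants.InternalRoleDomains.WORKFLOW_DOMAIN + CarbonConstants.DOMAIN_SEPARATOR;
        for (String role : roles) {
            if (StringUtils.containsIgnoreCase(role, internalPrefix)) {
                result.add(internalPrefix + UserCoreUtil.removeDomainFromName(role));
            } else if (StringUtils.containsIgnoreCase(role, applicationPrefix)) {
                result.add(applicationPrefix + UserCoreUtil.removeDomainFromName(role));
            } else if (StringUtils.containsIgnoreCase(role, workflowPrefix)) {
                result.add(workflowPrefix + UserCoreUtil.removeDomainFromName(role));
            } else {
                result.add(role);
            }
        }
        return result;
    }
}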
