package org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent;

import java.io.IOException;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.StringJoiner;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.client.utils.URIBuilder;
import org.wso2.carbon.identity.application.authentication.framework.config.ConfigurationFacade;
import org.wso2.carbon.identity.application.authentication.framework.config.model.ApplicationConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.PostAuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.AbstractPostAuthnHandler;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.PostAuthnHandlerFlowStatus;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentDisabledException;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentServiceException;
import org.wso2.carbon.identity.application.authentication.framework.internal.FrameworkServiceDataHolder;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;

/* loaded from: input_file:org/wso2/carbon/identity/application/authentication/framework/handler/request/impl/consent/ConsentMgtPostAuthnHandler.class */
public class ConsentMgtPostAuthnHandler extends AbstractPostAuthnHandler {
    // Claim dialect URIs. Their use is not visible in this part of the class; presumably they are
    // compared against the SP's claim dialect by getStandardDialect (defined outside this view).
    private static final String HTTP_WSO2_ORG_OIDC_CLAIM = "http://wso2.org/oidc/claim";
    private static final String HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_05_IDENTITY = "http://schemas.xmlsoap.org/ws/2005/05/identity";
    private static final String HTTP_AXSCHEMA_ORG = "http://axschema.org";
    private static final String URN_SCIM_SCHEMAS_CORE_1_0 = "urn:scim:schemas:core:1.0";
    // AuthenticationContext parameter key marking that the consent page has already been shown in this flow.
    private static final String CONSENT_PROMPTED = "consentPrompted";
    // Separator for claim entries in the consent-page query parameters (buildConsentClaimString
    // currently uses the literal "," with the same value).
    private static final String CLAIM_SEPARATOR = ",";
    // Query parameter names carried to the consent page.
    private static final String REQUESTED_CLAIMS_PARAM = "requestedClaims";
    private static final String MANDATORY_CLAIMS_PARAM = "mandatoryClaims";
    // AuthenticationContext parameter key under which the ConsentClaimsData is cached between the
    // pre-consent redirect and the post-consent callback.
    private static final String CONSENT_CLAIM_META_DATA = "consentClaimMetaData";
    // Request type for which this handler does nothing (consent is not handled here).
    private static final String REQUEST_TYPE_OAUTH2 = "oauth2";
    // Applications with this name skip consent handling entirely.
    private static final String SP_NAME_DEFAULT = "DEFAULT";
    // Request parameter posted back from the consent page, and the value that means "approved".
    private static final String USER_CONSENT_INPUT = "consent";
    private static final String USER_CONSENT_APPROVE = "approve";
    // The consent page URL is derived from the configured authentication endpoint URL by
    // replacing LOGIN_ENDPOINT with CONSENT_ENDPOINT.
    private static final String LOGIN_ENDPOINT = "login.do";
    private static final String CONSENT_ENDPOINT = "consent.do";
    private static final Log LOG = LogFactory.getLog(ConsentMgtPostAuthnHandler.class);

    /**
     * Entry point of the consent post-authentication step.
     *
     * <p>The step completes immediately when there is no authenticated user in the context, when the
     * request type is OAuth2/OIDC or OpenID (consent for those flows is not handled here), or when the
     * consent page is configured to be skipped for the service provider. Otherwise the consent page is
     * shown on the first pass and the user's answer is processed on the second pass.
     *
     * @param httpServletRequest    current request
     * @param httpServletResponse   current response (used for the consent-page redirect)
     * @param authenticationContext authentication context of the flow
     * @return {@code SUCCESS_COMPLETED} when nothing more is needed, {@code INCOMPLETE} after redirecting
     * @throws PostAuthenticationFailedException if consent is denied or consent processing fails
     */
    @Override // org.wso2.carbon.identity.application.authentication.framework.handler.request.PostAuthenticationHandler
    public PostAuthnHandlerFlowStatus handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws PostAuthenticationFailedException {
        if (getAuthenticatedUser(authenticationContext) == null) {
            if (isDebugEnabled()) {
                logDebug("User not available in AuthenticationContext. Returning");
            }
            return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
        }
        if (isOAuthFlow(authenticationContext) || isOpenIDFlow(authenticationContext)) {
            return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
        }
        if (FrameworkUtils.isConsentPageSkippedForSP(getServiceProvider(authenticationContext))) {
            return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
        }
        // Second pass: the consent page has already been shown and the user posted an answer.
        if (isConsentPrompted(authenticationContext)) {
            return handlePostConsent(httpServletRequest, httpServletResponse, authenticationContext);
        }
        return handlePreConsent(httpServletRequest, httpServletResponse, authenticationContext);
    }

    /**
     * Returns {@code true} for the OIDC request type ({@code "oidc"}, exact match) and the OAuth2
     * request type ({@code "oauth2"}, case-insensitive).
     */
    private boolean isOAuthFlow(AuthenticationContext authenticationContext) {
        String requestType = authenticationContext.getRequestType();
        if ("oidc".equals(requestType)) {
            return true;
        }
        return REQUEST_TYPE_OAUTH2.equalsIgnoreCase(requestType);
    }

    /** Returns {@code true} when the context's request type is the OpenID request type. */
    private boolean isOpenIDFlow(AuthenticationContext authenticationContext) {
        String requestType = authenticationContext.getRequestType();
        return FrameworkConstants.RequestType.CLAIM_TYPE_OPENID.equals(requestType);
    }

    /** Guard for debug logging, so message formatting is skipped when debug is off. */
    private boolean isDebugEnabled() {
        boolean enabled = LOG.isDebugEnabled();
        return enabled;
    }

    /**
     * Writes a debug message to this class's logger.
     *
     * @param str the message; callers should check {@link #isDebugEnabled()} before building it
     */
    private void logDebug(String str) {
        final Log logger = LOG;
        logger.debug(str);
    }

    /* JADX WARN: Type inference failed for: r15v0, types: [java.lang.Throwable, org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentServiceException] */
    /**
     * First pass of the consent step: determines which claims still need the user's consent and, when
     * there are any, redirects the browser to the consent page.
     *
     * <p>Order of operations: applications named {@code DEFAULT} are skipped; the consent-required
     * claims (with existing consents) are fetched from the SSO consent service; claims without consent
     * are removed from the context; requested claims for which the user has no attribute value are
     * dropped; if no mandatory or requested claim remains the step completes, otherwise the user is
     * redirected and the claim data is cached in the context for the post-consent pass.
     *
     * @param httpServletRequest    current request (not read here)
     * @param httpServletResponse   response used for the redirect
     * @param authenticationContext authentication context of the flow
     * @return {@code SUCCESS_COMPLETED} when no consent is needed or consent management is disabled,
     *         {@code INCOMPLETE} after redirecting to the consent page
     * @throws PostAuthenticationFailedException if the SSO consent service fails
     */
    protected PostAuthnHandlerFlowStatus handlePreConsent(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws PostAuthenticationFailedException {
        ApplicationConfig applicationConfig = authenticationContext.getSequenceConfig().getApplicationConfig();
        String applicationName = applicationConfig.getApplicationName();
        Map<String, String> claimMappings = applicationConfig.getClaimMappings();
        if (SP_NAME_DEFAULT.equalsIgnoreCase(applicationName)) {
            return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
        }
        AuthenticatedUser user = getAuthenticatedUser(authenticationContext);
        ServiceProvider serviceProvider = getServiceProvider(authenticationContext);
        try {
            ConsentClaimsData claimsData = getSSOConsentService().getConsentRequiredClaimsWithExistingConsents(serviceProvider, user);
            if (isDebugEnabled()) {
                logDebug(String.format("Retrieving required consent data of user: %s for service provider: %s in tenant domain: %s.", user.getAuthenticatedSubjectIdentifier(), serviceProvider.getApplicationName(), getSPTenantDomain(serviceProvider)));
            }
            // Strip claims the user has not consented to from the context before deciding whether to prompt.
            removeClaimsWithoutConsent(authenticationContext, claimsData);
            // Do not ask consent for requested claims the user has no attribute value for.
            List<ClaimMetaData> requestedWithValues = removeConsentRequestedNullUserAttributes(claimsData.getRequestedClaims(), user.getUserAttributes(), claimMappings);
            claimsData.setRequestedClaims(requestedWithValues);
            if (hasConsentForRequiredClaims(claimsData)) {
                if (isDebugEnabled()) {
                    logDebug(String.format("Required consent data is empty for user: %s for service provider: %s in tenant domain: %s. Post authentication completed.", user.getAuthenticatedSubjectIdentifier(), serviceProvider.getApplicationName(), getSPTenantDomain(serviceProvider)));
                }
                return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
            }
            String mandatoryClaimsParam = buildConsentClaimString(claimsData.getMandatoryClaims());
            String requestedClaimsParam = buildConsentClaimString(claimsData.getRequestedClaims());
            if (isDebugEnabled()) {
                logDebug(String.format("Require consent for mandatory claims: %s, requested claims: %s, from user: %s for service provider: %s in tenant domain: %s.", claimsData.getMandatoryClaims(), claimsData.getRequestedClaims(), user.getAuthenticatedSubjectIdentifier(), serviceProvider.getApplicationName(), getSPTenantDomain(serviceProvider)));
            }
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                Map<String, Object> logParams = new HashMap<>();
                logParams.put(FrameworkConstants.LogConstants.MANDATORY_CLAIMS, claimsData.getMandatoryClaims());
                logParams.put(FrameworkConstants.LogConstants.REQUESTED_CLAIMS, claimsData.getRequestedClaims());
                String subject = user.getAuthenticatedSubjectIdentifier();
                // Subject identifiers are PII; honour the global log-masking switch.
                logParams.put("user", LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(subject) : subject);
                logParams.put(FrameworkConstants.LogConstants.SERVICE_PROVIDER, serviceProvider.getApplicationName());
                logParams.put(FrameworkConstants.LogConstants.TENANT_DOMAIN, getSPTenantDomain(serviceProvider));
                LoggerUtils.triggerDiagnosticLogEvent(FrameworkConstants.LogConstants.AUTHENTICATION_FRAMEWORK, logParams, "SUCCESS", "Require consent for claims from user", FrameworkConstants.LogConstants.ActionIDs.PROCESS_CLAIM_CONSENT, (Map) null);
            }
            redirectToConsentPage(httpServletResponse, authenticationContext, requestedClaimsParam, mandatoryClaimsParam);
            // Mark the prompt and cache the claim data so the post-consent pass can map the answer back.
            setConsentPoppedUpState(authenticationContext);
            authenticationContext.addParameter(CONSENT_CLAIM_META_DATA, claimsData);
            return PostAuthnHandlerFlowStatus.INCOMPLETE;
        } catch (SSOConsentDisabledException ignored) {
            // Consent management is switched off: nothing to ask, authentication proceeds.
            return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
        } catch (SSOConsentServiceException e) {
            String description = String.format("Error occurred while retrieving consent data of user: %s for service provider: %s in tenant domain: %s.", user.getAuthenticatedSubjectIdentifier(), serviceProvider.getApplicationName(), getSPTenantDomain(serviceProvider));
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                Map<String, Object> logParams = new HashMap<>();
                String subject = user.getAuthenticatedSubjectIdentifier();
                logParams.put("user", LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(subject) : subject);
                logParams.put(FrameworkConstants.LogConstants.SERVICE_PROVIDER, serviceProvider.getApplicationName());
                logParams.put(FrameworkConstants.LogConstants.TENANT_DOMAIN, getSPTenantDomain(serviceProvider));
                LoggerUtils.triggerDiagnosticLogEvent(FrameworkConstants.LogConstants.AUTHENTICATION_FRAMEWORK, logParams, "FAILED", "Error occurred while processing consent data of user: " + e.getMessage(), FrameworkConstants.LogConstants.ActionIDs.PROCESS_CLAIM_CONSENT, (Map) null);
            }
            throw new PostAuthenticationFailedException("Authentication failed. Error occurred while processing user consent.", description, e);
        }
    }

    /**
     * Returns {@code true} when neither mandatory nor requested claims remain to be consented to,
     * i.e. the consent page does not need to be shown.
     */
    private boolean hasConsentForRequiredClaims(ConsentClaimsData consentClaimsData) {
        boolean noMandatory = CollectionUtils.isEmpty(consentClaimsData.getMandatoryClaims());
        if (!noMandatory) {
            return false;
        }
        return CollectionUtils.isEmpty(consentClaimsData.getRequestedClaims());
    }

    /**
     * Removes from the context every SP-requested local claim the user has neither consented to nor is
     * about to be prompted for.
     *
     * <p>Note: the requested and mandatory claims are appended in place to the list returned by
     * {@code consentClaimsData.getClaimsWithConsent()}, so the data object passed in is modified.
     * Presumably this keeps the claims that are about to be prompted for in the context; confirm
     * against the consent service before relying on the list's contents afterwards.
     *
     * @throws PostAuthenticationFailedException if the application's claim configuration is missing
     */
    private void removeClaimsWithoutConsent(AuthenticationContext authenticationContext, ConsentClaimsData consentClaimsData) throws PostAuthenticationFailedException {
        List<ClaimMetaData> retained = consentClaimsData.getClaimsWithConsent();
        retained.addAll(consentClaimsData.getRequestedClaims());
        retained.addAll(consentClaimsData.getMandatoryClaims());
        List<String> retainedUris = getClaimsFromMetaData(retained);
        List<String> withoutConsent = getClaimsWithoutConsent(retainedUris, authenticationContext);
        String dialect = getStandardDialect(authenticationContext);
        removeUserClaimsFromContext(authenticationContext, withoutConsent, dialect);
    }

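    /**
     * Keeps only the requested claims for which the authenticated user actually has an attribute.
     *
     * <p>A claim is kept when the local claim URI of some user attribute, looked up in {@code map2},
     * equals the claim's URI. Claims with no matching attribute are dropped so the user is not asked
     * to consent to attributes that would be empty anyway.
     *
     * <p>Fix: as written, the previous loop never left its {@code while (true)} once the iterator was
     * exhausted without a match, i.e. it spun forever for a claim with no matching attribute. The
     * iteration is now a plain loop that falls through to the next claim.
     *
     * @param list requested claims; may be {@code null}
     * @param map  the user's attributes keyed by claim mapping; may be {@code null}
     * @param map2 the application's claim mappings, looked up by local claim URI; may be {@code null}
     * @return a new list with the matching claims, empty when any argument is {@code null}
     */
    private List<ClaimMetaData> removeConsentRequestedNullUserAttributes(List<ClaimMetaData> list, Map<ClaimMapping, String> map, Map<String, String> map2) {
        List<ClaimMetaData> withValues = new ArrayList<>();
        if (list == null || map == null || map2 == null) {
            return withValues;
        }
        for (ClaimMetaData claim : list) {
            for (ClaimMapping mapping : map.keySet()) {
                String mappedUri = map2.get(mapping.getLocalClaim().getClaimUri());
                if (claim.getClaimUri().equals(mappedUri)) {
                    withValues.add(claim);
                    break;
                }
            }
        }
        return withValues;
    }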

    /** Returns the service provider of the application being authenticated against. */
    private ServiceProvider getServiceProvider(AuthenticationContext authenticationContext) {
        ApplicationConfig applicationConfig = authenticationContext.getSequenceConfig().getApplicationConfig();
        return applicationConfig.getServiceProvider();
    }

    /**
     * Returns the tenant domain of the service provider's owner, or {@code "carbon.super"} when the
     * provider has no owner.
     */
    private String getSPTenantDomain(ServiceProvider serviceProvider) {
        User owner = serviceProvider.getOwner();
        if (owner == null) {
            return "carbon.super";
        }
        return owner.getTenantDomain();
    }

    /**
     * Returns the SP-requested local claim URIs that are not in {@code list}.
     *
     * @param list claim URIs to exclude (typically those with consent)
     * @return a fresh, mutable list of the remaining requested claim URIs
     * @throws PostAuthenticationFailedException if the application's claim configuration is missing
     */
    private List<String> getClaimsWithoutConsent(List<String> list, AuthenticationContext authenticationContext) throws PostAuthenticationFailedException {
        List<String> remaining = getSPRequestedLocalClaims(authenticationContext);
        boolean changed = remaining.removeAll(list);
        return remaining;
    }

    /**
     * Serialises claims for the consent-page query string as {@code <id>_<displayName>} entries
     * separated by {@code ","}.
     *
     * @param list claims to serialise; an empty list yields {@code ""}
     */
    private String buildConsentClaimString(List<ClaimMetaData> list) {
        return list.stream()
                .map(claim -> claim.getId() + "_" + claim.getDisplayName())
                .collect(Collectors.joining(CLAIM_SEPARATOR));
    }

    /* JADX WARN: Type inference failed for: r18v0, types: [java.lang.Throwable, org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentServiceException] */
    /* JADX WARN: Type inference failed for: r18v1, types: [org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentDisabledException, java.lang.Throwable] */
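    /**
     * Second pass of the consent step: processes the answer posted back from the consent page.
     *
     * <p>The {@code consent} request parameter must equal {@code approve} (case-insensitive); any
     * other value is treated as a denial and fails authentication. On approval the per-claim
     * selections are turned into approved/disapproved lists, recorded through the SSO consent
     * service, and the disapproved claims are removed from the context.
     *
     * <p>Fix: a request without the {@code consent} parameter used to throw a
     * {@link NullPointerException} from the comparison; a missing parameter is now rejected as a
     * denial like any other non-approve value.
     *
     * @param httpServletRequest    the consent-page callback request
     * @param httpServletResponse   current response (not written here)
     * @param authenticationContext authentication context of the flow
     * @return {@code SUCCESS_COMPLETED} when consent was recorded
     * @throws PostAuthenticationFailedException if consent was denied, consent management is disabled,
     *         or the consent service fails
     */
    protected PostAuthnHandlerFlowStatus handlePostConsent(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext) throws PostAuthenticationFailedException {
        AuthenticatedUser user = getAuthenticatedUser(authenticationContext);
        ApplicationConfig applicationConfig = authenticationContext.getSequenceConfig().getApplicationConfig();
        Map<String, String> claimMappings = applicationConfig.getClaimMappings();
        ServiceProvider serviceProvider = getServiceProvider(authenticationContext);
        Map<String, Object> logParams = new HashMap<>();
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            String subject = user.getAuthenticatedSubjectIdentifier();
            // Subject identifiers are PII; honour the global log-masking switch.
            logParams.put("user", LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(subject) : subject);
            logParams.put(FrameworkConstants.LogConstants.SERVICE_PROVIDER, serviceProvider.getApplicationName());
            logParams.put(FrameworkConstants.LogConstants.TENANT_DOMAIN, getSPTenantDomain(serviceProvider));
        }
        // Null-safe comparison: an absent parameter is not an approval.
        String consentInput = httpServletRequest.getParameter(USER_CONSENT_INPUT);
        if (!USER_CONSENT_APPROVE.equalsIgnoreCase(consentInput)) {
            String denied = String.format("Authentication failed. User denied consent to share information with %s.", applicationConfig.getApplicationName());
            if (isDebugEnabled()) {
                logDebug(String.format("User: %s denied consent to share information with the service provider: %s.", user.getAuthenticatedSubjectIdentifier(), applicationConfig.getApplicationName()));
            }
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                LoggerUtils.triggerDiagnosticLogEvent(FrameworkConstants.LogConstants.AUTHENTICATION_FRAMEWORK, logParams, "FAILED", "User denied consent to share information with the service provider.", FrameworkConstants.LogConstants.ActionIDs.PROCESS_CLAIM_CONSENT, (Map) null);
            }
            throw new PostAuthenticationFailedException(denied, denied);
        }
        if (isDebugEnabled()) {
            logDebug(String.format("User: %s has approved consent for service provider: %s in tenant domain %s.", user.getAuthenticatedSubjectIdentifier(), serviceProvider.getApplicationName(), getSPTenantDomain(serviceProvider)));
        }
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(FrameworkConstants.LogConstants.AUTHENTICATION_FRAMEWORK, logParams, "SUCCESS", "User has approved consent for service provider.", FrameworkConstants.LogConstants.ActionIDs.PROCESS_CLAIM_CONSENT, (Map) null);
        }
        UserConsent userConsent = processUserConsent(httpServletRequest, authenticationContext);
        ConsentClaimsData consentClaimsData = getConsentClaimsData(authenticationContext, user, serviceProvider);
        // Only claims the user has a value for are recorded as requested.
        consentClaimsData.setRequestedClaims(removeConsentRequestedNullUserAttributes(consentClaimsData.getRequestedClaims(), user.getUserAttributes(), claimMappings));
        try {
            getSSOConsentService().processConsent(getClaimIdsWithConsent(userConsent), serviceProvider, user, consentClaimsData);
            removeDisapprovedClaims(authenticationContext, user);
            return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
        } catch (SSOConsentDisabledException e) {
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                LoggerUtils.triggerDiagnosticLogEvent(FrameworkConstants.LogConstants.AUTHENTICATION_FRAMEWORK, logParams, "FAILED", "Consent management is disabled for SSO: " + e.getMessage(), FrameworkConstants.LogConstants.ActionIDs.PROCESS_CLAIM_CONSENT, (Map) null);
            }
            throw new PostAuthenticationFailedException("Authentication Failure: Consent management is disabled for SSO.", "Illegal operation. Consent management is disabled, but post authentication for sso consent management is invoked.", e);
        } catch (SSOConsentServiceException e) {
            String description = String.format("Error occurred while processing consent input of user: %s, for service provider: %s in tenant domain: %s.", user.getAuthenticatedSubjectIdentifier(), serviceProvider.getApplicationName(), getSPTenantDomain(serviceProvider));
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                LoggerUtils.triggerDiagnosticLogEvent(FrameworkConstants.LogConstants.AUTHENTICATION_FRAMEWORK, logParams, "FAILED", "Error occurred while processing consent input: " + e.getMessage(), FrameworkConstants.LogConstants.ActionIDs.PROCESS_CLAIM_CONSENT, (Map) null);
            }
            throw new PostAuthenticationFailedException("Authentication failed. Error while processing user consent input.", description, e);
        }
    }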

    /* JADX WARN: Type inference failed for: r12v0, types: [java.lang.Throwable, org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentServiceException] */
    /**
     * Returns the consent claim data for this flow, preferring the copy cached in the context by the
     * pre-consent pass and falling back to the SSO consent service.
     *
     * @throws PostAuthenticationFailedException if consent management is disabled or the service fails
     */
    private ConsentClaimsData getConsentClaimsData(AuthenticationContext authenticationContext, AuthenticatedUser authenticatedUser, ServiceProvider serviceProvider) throws PostAuthenticationFailedException {
        ConsentClaimsData cached = (ConsentClaimsData) authenticationContext.getParameter(CONSENT_CLAIM_META_DATA);
        if (cached != null) {
            return cached;
        }
        if (isDebugEnabled()) {
            logDebug("Cannot find consentClaimMetaData entry in AuthenticationContext. Retrieving from SSOConsentService.");
        }
        try {
            return getSSOConsentService().getConsentRequiredClaimsWithExistingConsents(serviceProvider, authenticatedUser);
        } catch (SSOConsentDisabledException e) {
            throw new PostAuthenticationFailedException("Authentication Failure: Consent management is disabled for SSO.", "Illegal operation. Consent management is disabled, but post authentication for sso consent management is invoked.", e);
        } catch (SSOConsentServiceException e) {
            String description = String.format("Error occurred while retrieving consent data of user: %s for service provider: %s in tenant domain: %s.", authenticatedUser.getAuthenticatedSubjectIdentifier(), serviceProvider.getApplicationName(), getSPTenantDomain(serviceProvider));
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                Map<String, Object> logParams = new HashMap<>();
                String subject = authenticatedUser.getAuthenticatedSubjectIdentifier();
                // Subject identifiers are PII; honour the global log-masking switch.
                logParams.put("user", LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(subject) : subject);
                logParams.put(FrameworkConstants.LogConstants.SERVICE_PROVIDER, serviceProvider.getApplicationName());
                logParams.put(FrameworkConstants.LogConstants.TENANT_DOMAIN, getSPTenantDomain(serviceProvider));
                LoggerUtils.triggerDiagnosticLogEvent(FrameworkConstants.LogConstants.AUTHENTICATION_FRAMEWORK, logParams, "FAILED", "Error occurred while processing user consent: " + e.getMessage(), FrameworkConstants.LogConstants.ActionIDs.PROCESS_CLAIM_CONSENT, (Map) null);
            }
            throw new PostAuthenticationFailedException("Authentication failed. Error occurred while processing user consent.", description, e);
        }
    }

    /** Returns the ids of the claims the user approved, in the order they were approved. */
    private List<Integer> getClaimIdsWithConsent(UserConsent userConsent) {
        List<ClaimMetaData> approved = userConsent.getApprovedClaims();
        return approved.stream()
                .map(ClaimMetaData::getId)
                .collect(Collectors.toList());
    }

    /**
     * After consent has been recorded, removes from the context every SP-requested local claim that
     * the user still has no consent for, according to the SSO consent service.
     *
     * @throws SSOConsentServiceException        if the consent service fails
     * @throws PostAuthenticationFailedException if the application's claim configuration is missing
     */
    private void removeDisapprovedClaims(AuthenticationContext authenticationContext, AuthenticatedUser authenticatedUser) throws SSOConsentServiceException, PostAuthenticationFailedException {
        String dialect = getStandardDialect(authenticationContext);
        ServiceProvider serviceProvider = getServiceProvider(authenticationContext);
        List<ClaimMetaData> consented = getSSOConsentService().getClaimsWithConsents(serviceProvider, authenticatedUser);
        List<String> disapproved = getClaimsWithoutConsent(getClaimsFromMetaData(consented), authenticationContext);
        if (isDebugEnabled()) {
            logDebug(String.format("Removing disapproved claims: %s in the dialect: %s by user: %s for service provider: %s in tenant domain: %s.", disapproved, StringUtils.defaultString(dialect), getAuthenticatedUser(authenticationContext).getAuthenticatedSubjectIdentifier(), serviceProvider.getApplicationName(), getSPTenantDomain(serviceProvider)));
        }
        removeUserClaimsFromContext(authenticationContext, disapproved, dialect);
    }

    /**
     * Projects claim metadata onto their claim URIs.
     *
     * @param list claims; must not be {@code null}
     * @return a fresh, mutable list of URIs in the same order
     */
    private List<String> getClaimsFromMetaData(List<ClaimMetaData> list) {
        List<String> uris = new ArrayList<>();
        for (ClaimMetaData claim : list) {
            uris.add(claim.getClaimUri());
        }
        return uris;
    }

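    /**
     * Turns the per-claim selections posted from the consent page into approved and disapproved
     * claim lists, rejecting the answer when any mandatory claim was disapproved.
     *
     * <p>The posted parameter names are {@code consent_<id>}; ids are resolved against the claim data
     * cached in the context by the pre-consent pass, so unknown ids are ignored.
     *
     * <p>Fix: when the cached claim data is missing from the context this used to fail with a
     * {@link NullPointerException}; it now fails with a {@link PostAuthenticationFailedException}
     * carrying a description.
     *
     * @throws PostAuthenticationFailedException if the cached claim data is missing or a mandatory
     *         claim was disapproved
     */
    private UserConsent processUserConsent(HttpServletRequest httpServletRequest, AuthenticationContext authenticationContext) throws PostAuthenticationFailedException {
        ConsentClaimsData consentClaimsData = (ConsentClaimsData) authenticationContext.getParameter(CONSENT_CLAIM_META_DATA);
        if (consentClaimsData == null) {
            // Without the cached claim data the posted selections cannot be mapped back to claims.
            throw new PostAuthenticationFailedException("Authentication failed. Error while processing user consent input.", "Consent claim metadata is not available in AuthenticationContext.");
        }
        List<ClaimMetaData> approved = buildApprovedClaimList("consent_", httpServletRequest.getParameterMap(), consentClaimsData);
        List<ClaimMetaData> disapproved = buildDisapprovedClaimList(getConsentRequiredClaimMetaData(consentClaimsData), approved);
        if (isMandatoryClaimsDisapproved(consentClaimsData.getMandatoryClaims(), disapproved)) {
            throw new PostAuthenticationFailedException("Authentication failed. Consent denied for mandatory attributes.", "User denied consent to share mandatory attributes.");
        }
        UserConsent userConsent = new UserConsent();
        userConsent.setApprovedClaims(approved);
        userConsent.setDisapprovedClaims(disapproved);
        return userConsent;
    }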

    /**
     * Returns the mandatory claims followed by the requested claims, as a fresh mutable list
     * (empty or {@code null} source lists contribute nothing).
     */
    private List<ClaimMetaData> getConsentRequiredClaimMetaData(ConsentClaimsData consentClaimsData) {
        List<ClaimMetaData> required = new ArrayList<>();
        List<ClaimMetaData> mandatory = consentClaimsData.getMandatoryClaims();
        List<ClaimMetaData> requested = consentClaimsData.getRequestedClaims();
        if (CollectionUtils.isNotEmpty(mandatory)) {
            required.addAll(mandatory);
        }
        if (CollectionUtils.isNotEmpty(requested)) {
            required.addAll(requested);
        }
        return required;
    }

    /**
     * Returns {@code true} when at least one mandatory claim appears among the disapproved claims.
     *
     * @param list  mandatory claims; empty or {@code null} means nothing can be disapproved
     * @param list2 disapproved claims
     */
    private boolean isMandatoryClaimsDisapproved(List<ClaimMetaData> list, List<ClaimMetaData> list2) {
        if (CollectionUtils.isEmpty(list)) {
            return false;
        }
        boolean overlap = !Collections.disjoint(list2, list);
        return overlap;
    }

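    /**
     * Returns the consent-required claims that were not approved.
     *
     * <p>Fix: the result is now a new list; previously the {@code list} argument was modified in place
     * and returned, so callers holding a reference to it saw it shrink.
     *
     * @param list  consent-required claims (mandatory and requested); may be {@code null} or empty
     * @param list2 approved claims
     * @return a fresh list of the claims in {@code list} that are absent from {@code list2}
     */
    private List<ClaimMetaData> buildDisapprovedClaimList(List<ClaimMetaData> list, List<ClaimMetaData> list2) {
        List<ClaimMetaData> disapproved = new ArrayList<>();
        if (CollectionUtils.isNotEmpty(list)) {
            disapproved.addAll(list);
            disapproved.removeAll(list2);
        }
        return disapproved;
    }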

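    /**
     * Collects the claims the user ticked on the consent page.
     *
     * <p>Every request parameter named {@code <str><id>} with an integer {@code id} is resolved against
     * the mandatory and requested claim lists of {@code consentClaimsData}; the matching server-side
     * {@link ClaimMetaData} (not a client-supplied one) is added to the result. Parameter names are
     * client-controlled, so ids that are not integers or do not match any claim are ignored.
     *
     * <p>Fix: the {@link NumberFormatException} for a non-numeric id was silently swallowed; it is now
     * reported at debug level before the parameter is skipped.
     *
     * @param str               parameter-name prefix (the caller passes {@code "consent_"})
     * @param map               the request parameter map
     * @param consentClaimsData claim data cached by the pre-consent pass
     * @return a fresh list of approved claims
     */
    private List<ClaimMetaData> buildApprovedClaimList(String str, Map<String, String[]> map, ConsentClaimsData consentClaimsData) {
        List<ClaimMetaData> approved = new ArrayList<>();
        for (Map.Entry<String, String[]> entry : map.entrySet()) {
            String paramName = entry.getKey();
            if (!paramName.startsWith(str)) {
                continue;
            }
            String idText = paramName.substring(str.length());
            int claimId;
            try {
                claimId = Integer.parseInt(idText);
            } catch (NumberFormatException e) {
                if (isDebugEnabled()) {
                    logDebug("Ignoring consent parameter with a non-numeric claim id: " + paramName);
                }
                continue;
            }
            ClaimMetaData lookup = new ClaimMetaData();
            lookup.setId(claimId);
            // indexOf relies on ClaimMetaData.equals; presumably it compares by id — confirm.
            List<ClaimMetaData> mandatoryClaims = consentClaimsData.getMandatoryClaims();
            int mandatoryIndex = mandatoryClaims.indexOf(lookup);
            if (mandatoryIndex != -1) {
                approved.add(mandatoryClaims.get(mandatoryIndex));
            }
            List<ClaimMetaData> requestedClaims = consentClaimsData.getRequestedClaims();
            int requestedIndex = requestedClaims.indexOf(lookup);
            if (requestedIndex != -1) {
                approved.add(requestedClaims.get(requestedIndex));
            }
        }
        return approved;
    }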

    /**
     * Sends the browser to the consent page with the requested and mandatory claim strings attached.
     *
     * @param str  serialised requested claims
     * @param str2 serialised mandatory claims
     * @throws PostAuthenticationFailedException if the redirect URI cannot be built or written
     */
    private void redirectToConsentPage(HttpServletResponse httpServletResponse, AuthenticationContext authenticationContext, String str, String str2) throws PostAuthenticationFailedException {
        String location;
        try {
            location = getUriBuilder(authenticationContext, str, str2).build().toString();
        } catch (URISyntaxException e) {
            throw new PostAuthenticationFailedException("Authentication failed. Error while processing consent requirements.", "Error while building redirect URI.", e);
        }
        try {
            httpServletResponse.sendRedirect(location);
        } catch (IOException e) {
            throw new PostAuthenticationFailedException("Authentication failed. Error while processing consent requirements.", "Error while redirecting to consent page.", e);
        }
    }

    /**
     * Returns the application's configured subject claim URI, or the username claim
     * {@code http://wso2.org/claims/username} when none is configured.
     */
    private String getSubjectClaimUri(ApplicationConfig applicationConfig) {
        String configured = applicationConfig.getSubjectClaimUri();
        return StringUtils.defaultIfEmpty(configured, "http://wso2.org/claims/username");
    }

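    /**
     * Returns the local claim URIs the service provider requests, minus the subject claim.
     *
     * <p>Fix: the debug message concatenated the claim list into the {@code String.format} pattern, so
     * a claim URI containing {@code %} would have made the formatter throw; the list is now passed
     * as a format argument.
     *
     * @return a fresh, mutable list (empty when no requested claim mappings are configured)
     * @throws PostAuthenticationFailedException if the context has no application configuration
     */
    private List<String> getSPRequestedLocalClaims(AuthenticationContext authenticationContext) throws PostAuthenticationFailedException {
        ApplicationConfig applicationConfig = authenticationContext.getSequenceConfig().getApplicationConfig();
        if (applicationConfig == null) {
            ServiceProvider serviceProvider = getServiceProvider(authenticationContext);
            throw new PostAuthenticationFailedException("Authentication failed. Error while processing application claim configurations.", "Application configs are null in AuthenticationContext for SP: " + serviceProvider.getApplicationName() + " in tenant domain: " + getSPTenantDomain(serviceProvider));
        }
        List<String> requestedClaims = new ArrayList<>();
        Map<String, String> requestedClaimMappings = applicationConfig.getRequestedClaimMappings();
        if (MapUtils.isNotEmpty(requestedClaimMappings) && CollectionUtils.isNotEmpty(requestedClaimMappings.values())) {
            requestedClaims = new ArrayList<>(requestedClaimMappings.values());
        }
        // The subject claim is always released, so it never needs consent.
        requestedClaims.remove(getSubjectClaimUri(applicationConfig));
        if (isDebugEnabled()) {
            logDebug(String.format("Requested claims for SP: %s - %s", applicationConfig.getApplicationName(), requestedClaims));
        }
        return requestedClaims;
    }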

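    /**
     * Returns the local claim URIs the service provider marks as mandatory, always including the
     * subject claim.
     *
     * <p>Fix: the debug message concatenated the claim list into the {@code String.format} pattern, so
     * a claim URI containing {@code %} would have made the formatter throw; the list is now passed
     * as a format argument.
     *
     * @return a fresh, mutable list containing at least the subject claim URI
     * @throws PostAuthenticationFailedException if the context has no application configuration
     */
    private List<String> getSPMandatoryLocalClaims(AuthenticationContext authenticationContext) throws PostAuthenticationFailedException {
        ApplicationConfig applicationConfig = authenticationContext.getSequenceConfig().getApplicationConfig();
        if (applicationConfig == null) {
            ServiceProvider serviceProvider = getServiceProvider(authenticationContext);
            throw new PostAuthenticationFailedException("Authentication failed. Error while processing application claim configurations.", "Application configs are null in AuthenticationContext for SP: " + serviceProvider.getApplicationName() + " in tenant domain: " + getSPTenantDomain(serviceProvider));
        }
        List<String> mandatoryClaims = new ArrayList<>();
        Map<String, String> mandatoryClaimMappings = applicationConfig.getMandatoryClaimMappings();
        if (MapUtils.isNotEmpty(mandatoryClaimMappings) && CollectionUtils.isNotEmpty(mandatoryClaimMappings.values())) {
            mandatoryClaims = new ArrayList<>(mandatoryClaimMappings.values());
        }
        // The subject claim is mandatory by definition.
        String subjectClaimUri = getSubjectClaimUri(applicationConfig);
        if (!mandatoryClaims.contains(subjectClaimUri)) {
            mandatoryClaims.add(subjectClaimUri);
        }
        if (isDebugEnabled()) {
            logDebug(String.format("Mandatory claims for SP: %s - %s", applicationConfig.getApplicationName(), mandatoryClaims));
        }
        return mandatoryClaims;
    }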

    /**
     * Builds the consent-page URI: the configured authentication endpoint URL with
     * {@code login.do} replaced by {@code consent.do}, plus the claim strings (when non-blank), the
     * context identifier as {@code sessionDataKey} and the application name.
     *
     * @param str  serialised requested claims; blank means the parameter is omitted
     * @param str2 serialised mandatory claims; blank means the parameter is omitted
     * @throws URISyntaxException if the configured endpoint URL is not a valid URI
     */
    private URIBuilder getUriBuilder(AuthenticationContext authenticationContext, String str, String str2) throws URISyntaxException {
        String consentPageUrl = ConfigurationFacade.getInstance().getAuthenticationEndpointURL().replace(LOGIN_ENDPOINT, CONSENT_ENDPOINT);
        URIBuilder builder = new URIBuilder(consentPageUrl);
        boolean hasRequested = StringUtils.isNotBlank(str);
        if (hasRequested) {
            if (isDebugEnabled()) {
                logDebug("Appending requested local claims to redirect URI: " + str);
            }
            builder.addParameter(REQUESTED_CLAIMS_PARAM, str);
        }
        boolean hasMandatory = StringUtils.isNotBlank(str2);
        if (hasMandatory) {
            if (isDebugEnabled()) {
                logDebug("Appending mandatory local claims to redirect URI: " + str2);
            }
            builder.addParameter(MANDATORY_CLAIMS_PARAM, str2);
        }
        String applicationName = authenticationContext.getSequenceConfig().getApplicationConfig().getApplicationName();
        builder.addParameter("sessionDataKey", authenticationContext.getContextIdentifier());
        builder.addParameter(FrameworkConstants.REQUEST_PARAM_SP, applicationName);
        return builder;
    }

    /**
     * Returns the user authenticated in this flow, taken from the sequence config of the context.
     *
     * @param authenticationContext the current authentication context
     * @return the authenticated user held by the sequence config
     */
    private AuthenticatedUser getAuthenticatedUser(AuthenticationContext authenticationContext) {
        final SequenceConfig sequenceConfig = authenticationContext.getSequenceConfig();
        return sequenceConfig.getAuthenticatedUser();
    }

    /**
     * Records on the context that the consent page has been shown for this flow.
     *
     * @param authenticationContext the current authentication context
     */
    private void setConsentPoppedUpState(AuthenticationContext authenticationContext) {
        final boolean prompted = true;
        authenticationContext.addParameter(CONSENT_PROMPTED, prompted);
    }

    /**
     * Tells whether the consent page has already been shown in this flow.
     *
     * Only the presence of the marker parameter is checked, not its value.
     *
     * @param authenticationContext the current authentication context
     * @return {@code true} if the consent-prompted marker is set on the context
     */
    private boolean isConsentPrompted(AuthenticationContext authenticationContext) {
        final Object marker = authenticationContext.getParameter(CONSENT_PROMPTED);
        return marker != null;
    }

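    /**
     * Drops the claims the user declined from the authenticated user's attributes.
     *
     * The current attributes are filtered into a fresh map (the original map is not mutated),
     * using the SP-to-Carbon mapping for standard dialects and the application's requested-claim
     * mapping otherwise, and the result replaces the user's attributes in the context.
     *
     * @param authenticationContext the current authentication context
     * @param list                  local claim URIs the user did not consent to
     * @param str                   claim dialect in use for this request
     */
    private void removeUserClaimsFromContext(AuthenticationContext authenticationContext, List<String> list, String str) {
        Map<ClaimMapping, String> userAttributes = getUserAttributes(authenticationContext);
        // Typed instead of raw: the filtered attributes are handed back as Map<ClaimMapping, String>.
        Map<ClaimMapping, String> approvedAttributes = new HashMap<>();
        if (isDebugEnabled()) {
            ServiceProvider serviceProvider = getServiceProvider(authenticationContext);
            logDebug(String.format("Removing disapproved claims: %s from context of user: %s for service provider: %s in tenant domain: %s", list, getAuthenticatedUser(authenticationContext).getAuthenticatedSubjectIdentifier(), serviceProvider.getApplicationName(), getSPTenantDomain(serviceProvider)));
        }
        // Which claim mapping resolves the local claim URI depends on the dialect of the request.
        Map<String, String> claimMappings = isStandardDialect(str)
                ? getSPToCarbonClaimMappings(authenticationContext)
                : authenticationContext.getSequenceConfig().getApplicationConfig().getRequestedClaimMappings();
        filterClaims(userAttributes, list, claimMappings, approvedAttributes);
        getAuthenticatedUser(authenticationContext).setUserAttributes(approvedAttributes);
    }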

    /**
     * Tells whether the given dialect is the WSO2 local claim dialect.
     *
     * @param str dialect URI, may be {@code null}
     * @return {@code true} only for an exact match of {@code http://wso2.org/claims}
     */
    private boolean isWSO2StandardDialect(String str) {
        // Constant-first equals: null-safe, same result as StringUtils.equals for a non-null literal.
        return "http://wso2.org/claims".equals(str);
    }

    /**
     * Tells whether the dialect is a non-WSO2 standard dialect.
     *
     * @param str dialect URI, may be blank or {@code null}
     * @return {@code true} for a non-blank dialect other than the WSO2 local dialect
     */
    private boolean isStandardDialect(String str) {
        if (StringUtils.isBlank(str)) {
            return false;
        }
        return !isWSO2StandardDialect(str);
    }

    /**
     * Returns the attribute map of the authenticated user held in the context.
     *
     * @param authenticationContext the current authentication context
     * @return the user's attributes keyed by claim mapping
     */
    private Map<ClaimMapping, String> getUserAttributes(AuthenticationContext authenticationContext) {
        final AuthenticatedUser user = authenticationContext.getSequenceConfig().getAuthenticatedUser();
        return user.getUserAttributes();
    }

    /**
     * Copies into {@code map3} every attribute whose local claim URI is still approved.
     *
     * @param map  source attributes keyed by claim mapping
     * @param list disapproved claim URIs
     * @param map2 mapping used to resolve a local claim URI to its remote counterpart
     * @param map3 destination map receiving the approved entries (mutated)
     */
    private void filterClaims(Map<ClaimMapping, String> map, List<String> list, Map<String, String> map2, Map<ClaimMapping, String> map3) {
        map.forEach((claimMapping, value) -> {
            final String localClaimUri = claimMapping.getLocalClaim().getClaimUri();
            if (isConsentApprovedForClaim(list, map2, localClaimUri)) {
                map3.put(claimMapping, value);
            }
        });
    }

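    /**
     * Returns the SP-to-Carbon claim mapping stored on the context, or an empty map.
     *
     * Only a {@link HashMap} stored under {@code SP_TO_CARBON_CLAIM_MAPPING} is accepted; any other
     * value (including {@code null}) yields a new empty map, as before. The {@code instanceof}
     * check already rejects {@code null}, so the separate null test was redundant.
     *
     * @param authenticationContext the current authentication context
     * @return the stored mapping, or an empty mutable map
     */
    private Map<String, String> getSPToCarbonClaimMappings(AuthenticationContext authenticationContext) {
        Object property = authenticationContext.getProperty(FrameworkConstants.SP_TO_CARBON_CLAIM_MAPPING);
        if (property instanceof HashMap) {
            // Unchecked: the context property is untyped; the element types are assumed from the writer.
            @SuppressWarnings("unchecked")
            Map<String, String> mappings = (Map<String, String>) property;
            return mappings;
        }
        return new HashMap<>();
    }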

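    /**
     * Tells whether a claim is still approved, i.e. it was not disapproved by the user.
     *
     * A claim is disapproved if either its local URI or its mapped counterpart appears in
     * {@code list}. Note that {@code map.get(str)} may be {@code null} when there is no mapping, in
     * which case {@code list.contains(null)} is evaluated — fine for an {@code ArrayList}, but a
     * null-hostile list implementation would throw (unchanged from the previous behaviour).
     *
     * @param list disapproved claim URIs
     * @param map  local-to-remote claim mapping
     * @param str  local claim URI to check
     * @return {@code true} if neither the claim nor its mapping was disapproved
     */
    private boolean isConsentApprovedForClaim(List<String> list, Map<String, String> map, String str) {
        // Replaces the redundant `cond ? false : true` with a direct negation.
        return !(list.contains(str) || list.contains(map.get(str)));
    }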

    /**
     * Resolves the claim dialect for the current request.
     *
     * Known request types map to a fixed dialect. Otherwise the application's claim mappings
     * decide: no mappings, or mappings whose keys equal their values (case-insensitively), mean
     * the WSO2 local dialect; any differing mapping means a custom dialect, signalled by
     * {@code null}.
     *
     * @param authenticationContext the current authentication context
     * @return the dialect URI, or {@code null} for a custom (non-standard) dialect
     */
    private String getStandardDialect(AuthenticationContext authenticationContext) {
        final String requestType = authenticationContext.getRequestType();
        // Read up front, as before, so the mapping lookup happens regardless of request type.
        final Map<String, String> claimMappings =
                authenticationContext.getSequenceConfig().getApplicationConfig().getClaimMappings();
        final String wso2Dialect = "http://wso2.org/claims";

        final String fixedDialect = dialectForRequestType(requestType);
        if (fixedDialect != null) {
            return fixedDialect;
        }
        if (claimMappings == null || claimMappings.isEmpty()) {
            return wso2Dialect;
        }
        // A custom dialect is in use as soon as one mapped claim differs from its key.
        final boolean hasCustomMapping = claimMappings.entrySet().stream()
                .anyMatch(entry -> !entry.getKey().equalsIgnoreCase(entry.getValue()));
        return hasCustomMapping ? null : wso2Dialect;
    }

    /**
     * Maps a known request type to its dialect, or {@code null} when the type is not one of them.
     *
     * @param requestType the request type, may be {@code null}
     * @return the dialect for a recognised request type, else {@code null}
     */
    private String dialectForRequestType(String requestType) {
        if ("oidc".equals(requestType)) {
            return HTTP_WSO2_ORG_OIDC_CLAIM;
        }
        if (FrameworkConstants.RequestType.CLAIM_TYPE_STS.equals(requestType)) {
            return HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_05_IDENTITY;
        }
        if (FrameworkConstants.RequestType.CLAIM_TYPE_OPENID.equals(requestType)) {
            return HTTP_AXSCHEMA_ORG;
        }
        if (FrameworkConstants.RequestType.CLAIM_TYPE_WSO2.equals(requestType)) {
            return "http://wso2.org/claims";
        }
        if (FrameworkConstants.RequestType.CLAIM_TYPE_SCIM.equals(requestType)) {
            return URN_SCIM_SCHEMAS_CORE_1_0;
        }
        return null;
    }

    /**
     * Looks up the SSO consent service from the framework's OSGi data holder.
     *
     * @return the registered consent service
     */
    private SSOConsentService getSSOConsentService() {
        final FrameworkServiceDataHolder holder = FrameworkServiceDataHolder.getInstance();
        return holder.getSSOConsentService();
    }

    /**
     * Returns the handler's registered name.
     *
     * @return the constant handler name
     */
    public String getName() {
        final String handlerName = "ConsentMgtPostAuthenticationHandler";
        return handlerName;
    }
}
