package org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.axiom.om.OMElement;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.RandomStringUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.core.util.PermissionUpdateUtil;
import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException;
import org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.ProvisioningHandler;
import org.wso2.carbon.identity.application.authentication.framework.internal.FrameworkServiceDataHolder;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.core.util.IdentityConfigParser;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.user.profile.mgt.association.federation.constant.FederatedAssociationConstants;
import org.wso2.carbon.identity.user.profile.mgt.association.federation.exception.FederatedAssociationManagerException;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;
import org.wso2.carbon.user.core.UserRealm;
import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.UserStoreManager;
import org.wso2.carbon.user.core.claim.Claim;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/application/authentication/framework/handler/provisioning/impl/DefaultProvisioningHandler.class */
public class DefaultProvisioningHandler implements ProvisioningHandler {
    private static final Log log = LogFactory.getLog(DefaultProvisioningHandler.class);
    private static final String USER_WORKFLOW_ENGAGED_ERROR_CODE = "WFM-10001";
    private static volatile DefaultProvisioningHandler instance;
    private static final String LOCAL_DEFAULT_CLAIM_DIALECT = "http://wso2.org/claims";

    public static DefaultProvisioningHandler getInstance() {
        if (instance == null) {
            synchronized (DefaultProvisioningHandler.class) {
                if (instance == null) {
                    instance = new DefaultProvisioningHandler();
                }
            }
        }
        return instance;
    }

    @Override // org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.ProvisioningHandler
    public void handle(List<String> list, String str, Map<String, String> map, String str2, String str3) throws FrameworkException {
        handle(list, str, map, str2, str3, (List) ((Map) IdentityUtil.threadLocalProperties.get()).get(FrameworkConstants.IDP_TO_LOCAL_ROLE_MAPPING));
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v162, types: [java.util.Collection] */
    /* JADX WARN: Type inference failed for: r7v0, types: [org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler] */
    @Override // org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.ProvisioningHandler
    public void handle(List<String> list, String str, Map<String, String> map, String str2, String str3, List<String> list2) throws FrameworkException {
        String userStoreDomain;
        UserStoreManager userStoreManager;
        RealmService realmService = FrameworkServiceDataHolder.getInstance().getRealmService();
        String obj = ((Map) IdentityUtil.threadLocalProperties.get()).get(FrameworkConstants.ATTRIBUTE_SYNC_METHOD).toString();
        try {
            try {
                int tenantId = realmService.getTenantManager().getTenantId(str3);
                UserRealm tenantUserRealm = realmService.getTenantUserRealm(tenantId);
                String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(str);
                if ("As in username".equalsIgnoreCase(str2)) {
                    String extractDomainFromName = UserCoreUtil.extractDomainFromName(str);
                    try {
                        userStoreManager = getUserStoreManager(tenantUserRealm, extractDomainFromName);
                        userStoreDomain = extractDomainFromName;
                    } catch (FrameworkException e) {
                        log.error("User store domain " + extractDomainFromName + " does not exist for the tenant " + str3 + ", hence provisioning user to PRIMARY");
                        userStoreDomain = "PRIMARY";
                        userStoreManager = getUserStoreManager(tenantUserRealm, userStoreDomain);
                    }
                } else {
                    userStoreDomain = getUserStoreDomain(str2, tenantUserRealm);
                    userStoreManager = getUserStoreManager(tenantUserRealm, userStoreDomain);
                }
                String removeDomainFromName = UserCoreUtil.removeDomainFromName(tenantAwareUsername);
                if (log.isDebugEnabled()) {
                    log.debug("User: " + removeDomainFromName + " with roles : " + list + " is going to be provisioned");
                }
                List<String> convertInternalRoleDomainsToCamelCase = convertInternalRoleDomainsToCamelCase(list);
                String remove = map.remove(FrameworkConstants.IDP_ID);
                String remove2 = map.remove(FrameworkConstants.ASSOCIATED_ID);
                Map<String, String> prepareClaimMappings = prepareClaimMappings(map);
                if (userStoreManager.isExistingUser(removeDomainFromName)) {
                    ((Map) IdentityUtil.threadLocalProperties.get()).put(FrameworkConstants.JIT_PROVISIONING_FLOW, true);
                    if (!prepareClaimMappings.isEmpty() && !FrameworkConstants.SYNC_NONE.equals(obj)) {
                        List<String> prepareToBeDeletedClaimMappings = prepareToBeDeletedClaimMappings(map);
                        Claim[] userClaimValues = userStoreManager.getUserClaimValues(UserCoreUtil.removeDomainFromName(removeDomainFromName), FrameworkConstants.DEFAULT_SEQUENCE);
                        if (userClaimValues != null) {
                            ArrayList arrayList = new ArrayList(Arrays.asList(userClaimValues));
                            Set<String> indelibleClaims = getIndelibleClaims();
                            arrayList.removeIf(claim -> {
                                return claim.getClaimUri().contains("/identity/") || indelibleClaims.contains(claim.getClaimUri()) || prepareClaimMappings.containsKey(claim.getClaimUri());
                            });
                            if (FrameworkConstants.PRESERVE_LOCAL.equals(obj)) {
                                arrayList.removeIf(claim2 -> {
                                    return !map.containsKey(claim2.getClaimUri());
                                });
                            }
                            Iterator it = arrayList.iterator();
                            while (it.hasNext()) {
                                prepareToBeDeletedClaimMappings.add(((Claim) it.next()).getClaimUri());
                            }
                        }
                        prepareClaimMappings.remove(FrameworkConstants.PASSWORD);
                        prepareClaimMappings.remove("http://wso2.org/claims/username");
                        userStoreManager.setUserClaimValues(UserCoreUtil.removeDomainFromName(removeDomainFromName), prepareClaimMappings, (String) null);
                        if (CollectionUtils.isNotEmpty(prepareToBeDeletedClaimMappings)) {
                            for (Claim claim3 : userStoreManager.getUserClaimValues(UserCoreUtil.removeDomainFromName(removeDomainFromName), (String) null)) {
                                if (prepareToBeDeletedClaimMappings.contains(claim3.getClaimUri())) {
                                    if (log.isDebugEnabled()) {
                                        log.debug("Claim from external attributes " + claim3.getClaimUri() + " has null value But user has not null claim value for Claim " + claim3.getClaimUri() + ". Hence user claim value will be deleted.");
                                    }
                                    userStoreManager.deleteUserClaimValue(UserCoreUtil.removeDomainFromName(removeDomainFromName), claim3.getClaimUri(), (String) null);
                                }
                            }
                        }
                    }
                    if (StringUtils.isEmpty(FrameworkUtils.getFederatedAssociationManager().getUserForFederatedAssociation(str3, remove, remove2))) {
                        associateUser(removeDomainFromName, userStoreDomain, str3, remove2, remove);
                    }
                } else {
                    String generatePassword = generatePassword();
                    String str4 = prepareClaimMappings.get(FrameworkConstants.PASSWORD);
                    if (StringUtils.isNotEmpty(str4)) {
                        generatePassword = str4;
                    }
                    if (prepareClaimMappings.containsKey("http://wso2.org/claims/username") && !prepareClaimMappings.get("http://wso2.org/claims/username").equals(removeDomainFromName)) {
                        prepareClaimMappings.put("http://wso2.org/claims/username", removeDomainFromName);
                    }
                    prepareClaimMappings.remove(FrameworkConstants.PASSWORD);
                    boolean z = false;
                    try {
                        try {
                            UserCoreUtil.setSkipPasswordPatternValidationThreadLocal(true);
                            UserCoreUtil.setSkipUsernamePatternValidationThreadLocal(true);
                            if (FrameworkUtils.isJITProvisionEnhancedFeatureEnabled()) {
                                setJitProvisionedSource(str3, remove, prepareClaimMappings);
                            }
                            userStoreManager.addUser(removeDomainFromName, generatePassword, (String[]) null, prepareClaimMappings, (String) null);
                            UserCoreUtil.removeSkipPasswordPatternValidationThreadLocal();
                            UserCoreUtil.removeSkipUsernamePatternValidationThreadLocal();
                        } catch (UserStoreException e2) {
                            if (!USER_WORKFLOW_ENGAGED_ERROR_CODE.equals(e2.getErrorCode())) {
                                throw e2;
                            }
                            z = true;
                            if (log.isDebugEnabled()) {
                                log.debug("Failed to add the user while JIT provisioning since user workflows are engaged and there is a workflow already defined for the same user");
                            }
                            UserCoreUtil.removeSkipPasswordPatternValidationThreadLocal();
                            UserCoreUtil.removeSkipUsernamePatternValidationThreadLocal();
                        }
                        if (z || !userStoreManager.isExistingUser(UserCoreUtil.addDomainToName(removeDomainFromName, userStoreDomain))) {
                            if (log.isDebugEnabled()) {
                                log.debug("User is not found in the userstore. Most probably the local user creation is not complete while JIT provisioning due to user operation workflow engagement. Therefore the user account association and role and permission update are skipped.");
                            }
                            IdentityUtil.clearIdentityErrorMsg();
                            ((Map) IdentityUtil.threadLocalProperties.get()).remove(FrameworkConstants.JIT_PROVISIONING_FLOW);
                            ((Map) IdentityUtil.threadLocalProperties.get()).remove(FrameworkConstants.ATTRIBUTE_SYNC_METHOD);
                            return;
                        }
                        associateUser(removeDomainFromName, userStoreDomain, str3, remove2, remove);
                        if (log.isDebugEnabled()) {
                            log.debug("Federated user: " + removeDomainFromName + " is provisioned by authentication framework.");
                        }
                    } catch (Throwable th) {
                        UserCoreUtil.removeSkipPasswordPatternValidationThreadLocal();
                        UserCoreUtil.removeSkipUsernamePatternValidationThreadLocal();
                        throw th;
                    }
                }
                boolean parseBoolean = Boolean.parseBoolean(IdentityUtil.getProperty(FrameworkConstants.Config.SEND_MANUALLY_ADDED_LOCAL_ROLES_OF_IDP));
                List asList = Arrays.asList(userStoreManager.getRoleListOfUser(removeDomainFromName));
                List<String> retrieveRolesToBeDeleted = retrieveRolesToBeDeleted(tenantUserRealm, asList, convertInternalRoleDomainsToCamelCase);
                if (list != null && list.size() > 0) {
                    if (list2 != null && !list2.isEmpty()) {
                        if ((StringUtils.isNotEmpty(IdentityUtil.getProperty(FrameworkConstants.Config.SEND_ONLY_LOCALLY_MAPPED_ROLES_OF_IDP)) ? Boolean.parseBoolean(IdentityUtil.getProperty(FrameworkConstants.Config.SEND_ONLY_LOCALLY_MAPPED_ROLES_OF_IDP)) : false) && parseBoolean) {
                            Stream<String> distinct = retrieveRolesToBeDeleted.stream().distinct();
                            Objects.requireNonNull(list2);
                            retrieveRolesToBeDeleted = (Collection) distinct.filter((v1) -> {
                                return r1.contains(v1);
                            }).collect(Collectors.toSet());
                        }
                    }
                    convertInternalRoleDomainsToCamelCase.removeAll(asList);
                    ArrayList arrayList2 = new ArrayList();
                    for (String str5 : convertInternalRoleDomainsToCamelCase) {
                        if (!userStoreManager.isExistingRole(str5)) {
                            arrayList2.add(str5);
                        }
                    }
                    convertInternalRoleDomainsToCamelCase.removeAll(arrayList2);
                    handleFederatedUserNameEqualsToSuperAdminUserName(tenantUserRealm, removeDomainFromName, userStoreManager, retrieveRolesToBeDeleted);
                    updateUserWithNewRoleSet(removeDomainFromName, userStoreManager, convertInternalRoleDomainsToCamelCase, retrieveRolesToBeDeleted);
                } else if (!parseBoolean) {
                    updateUserWithNewRoleSet(removeDomainFromName, userStoreManager, new ArrayList(), retrieveRolesToBeDeleted);
                } else if (CollectionUtils.isNotEmpty(list2)) {
                    Stream<String> distinct2 = retrieveRolesToBeDeleted.stream().distinct();
                    Objects.requireNonNull(list2);
                    updateUserWithNewRoleSet(removeDomainFromName, userStoreManager, new ArrayList(), (Collection) distinct2.filter((v1) -> {
                        return r1.contains(v1);
                    }).collect(Collectors.toSet()));
                }
                PermissionUpdateUtil.updatePermissionTree(tenantId);
                IdentityUtil.clearIdentityErrorMsg();
                ((Map) IdentityUtil.threadLocalProperties.get()).remove(FrameworkConstants.JIT_PROVISIONING_FLOW);
                ((Map) IdentityUtil.threadLocalProperties.get()).remove(FrameworkConstants.ATTRIBUTE_SYNC_METHOD);
            } catch (Throwable th2) {
                IdentityUtil.clearIdentityErrorMsg();
                ((Map) IdentityUtil.threadLocalProperties.get()).remove(FrameworkConstants.JIT_PROVISIONING_FLOW);
                ((Map) IdentityUtil.threadLocalProperties.get()).remove(FrameworkConstants.ATTRIBUTE_SYNC_METHOD);
                throw th2;
            }
        } catch (org.wso2.carbon.user.api.UserStoreException | FederatedAssociationManagerException e3) {
            throw new FrameworkException("Error while provisioning user : " + str, (Throwable) e3);
        }
    }

    protected void associateUser(String str, String str2, String str3, String str4, String str5) throws FrameworkException {
        String addDomainToName = UserCoreUtil.addDomainToName(str, str2);
        try {
            FrameworkUtils.startTenantFlow(str3);
            PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(addDomainToName);
            if (StringUtils.isEmpty(str5) || StringUtils.isEmpty(str4)) {
                throw new FrameworkException("Error while associating local user: " + addDomainToName + " in tenant: " + str3 + " to the federated subject : " + str4 + " in IdP: " + str5);
            }
            FrameworkUtils.getFederatedAssociationManager().createFederatedAssociation(getAssociatedUser(str3, str2, str), str5, str4);
            if (log.isDebugEnabled()) {
                log.debug("Associated local user: " + addDomainToName + " in tenant: " + str3 + " to the federated subject : " + str4 + " in IdP: " + str5);
            }
        } catch (FederatedAssociationManagerException e) {
            if (!isUserAlreadyAssociated(e)) {
                throw new FrameworkException("Error while associating local user: " + addDomainToName + " in tenant: " + str3 + " to the federated subject: " + str4 + " in IdP: " + str5, (Throwable) e);
            }
            log.info("An association already exists for user: " + str4 + ". Skip association while JIT provisioning");
        } finally {
            FrameworkUtils.endTenantFlow();
        }
    }

    private User getAssociatedUser(String str, String str2, String str3) {
        User user = new User();
        user.setTenantDomain(str);
        user.setUserStoreDomain(str2);
        user.setUserName(MultitenantUtils.getTenantAwareUsername(str3));
        return user;
    }

    private boolean isUserAlreadyAssociated(FederatedAssociationManagerException federatedAssociationManagerException) {
        return federatedAssociationManagerException.getMessage() != null && federatedAssociationManagerException.getMessage().contains(FederatedAssociationConstants.ErrorMessages.FEDERATED_ASSOCIATION_ALREADY_EXISTS.getDescription());
    }

    private void updateUserWithNewRoleSet(String str, UserStoreManager userStoreManager, List<String> list, Collection<String> collection) throws UserStoreException {
        if (log.isDebugEnabled()) {
            log.debug("Deleting roles : " + Arrays.toString(collection.toArray(new String[0])) + " and Adding roles : " + Arrays.toString(list.toArray(new String[0])));
        }
        userStoreManager.updateRoleListOfUser(str, (String[]) collection.toArray(new String[0]), (String[]) list.toArray(new String[0]));
        if (log.isDebugEnabled()) {
            log.debug("Federated user: " + str + " is updated by authentication framework with roles : " + list);
        }
    }

    private void handleFederatedUserNameEqualsToSuperAdminUserName(UserRealm userRealm, String str, UserStoreManager userStoreManager, Collection<String> collection) throws UserStoreException, FrameworkException {
        if (userStoreManager.getRealmConfiguration().isPrimary() && str.equals(userRealm.getRealmConfiguration().getAdminUserName())) {
            if (log.isDebugEnabled()) {
                log.debug("Federated user's username is equal to super admin's username of local IdP.");
            }
            if (collection.contains(userRealm.getRealmConfiguration().getAdminRoleName())) {
                if (log.isDebugEnabled()) {
                    log.debug("Federated user doesn't have super admin role. Unable to sync roles, since super admin role cannot be unassigned from super admin user");
                }
                throw new FrameworkException("Federated user which having same username to super admin username of local IdP, trying login without having super admin role assigned");
            }
        }
    }

    private Map<String, String> prepareClaimMappings(Map<String, String> map) {
        HashMap hashMap = new HashMap();
        if (map != null && !map.isEmpty()) {
            for (Map.Entry<String, String> entry : map.entrySet()) {
                String key = entry.getKey();
                String value = entry.getValue();
                if (!StringUtils.isEmpty(key) && !StringUtils.isEmpty(value) && (key.equals(FrameworkConstants.PASSWORD) || key.contains(LOCAL_DEFAULT_CLAIM_DIALECT))) {
                    hashMap.put(key, value);
                }
            }
        }
        return hashMap;
    }

    private List<String> prepareToBeDeletedClaimMappings(Map<String, String> map) {
        ArrayList arrayList = new ArrayList();
        if (MapUtils.isNotEmpty(map)) {
            for (Map.Entry<String, String> entry : map.entrySet()) {
                String key = entry.getKey();
                String value = entry.getValue();
                if (StringUtils.isNotBlank(key) && StringUtils.isBlank(value)) {
                    arrayList.add(key);
                }
            }
        }
        return arrayList;
    }

    private UserStoreManager getUserStoreManager(UserRealm userRealm, String str) throws UserStoreException, FrameworkException {
        UserStoreManager userStoreManager = (str == null || str.isEmpty()) ? userRealm.getUserStoreManager() : userRealm.getUserStoreManager().getSecondaryUserStoreManager(str);
        if (userStoreManager == null) {
            throw new FrameworkException("Specified user store is invalid");
        }
        return userStoreManager;
    }

    private String getUserStoreDomain(String str, UserRealm userRealm) throws FrameworkException, UserStoreException {
        if (str == null || userRealm.getUserStoreManager().getSecondaryUserStoreManager(str) != null) {
            return str;
        }
        throw new FrameworkException("Specified user store domain " + str + " is not valid.");
    }

    protected String generatePassword() {
        return RandomStringUtils.randomNumeric(12);
    }

    private List<String> removeDomainFromNamesExcludeInternal(List<String> list, int i) {
        ArrayList arrayList = new ArrayList();
        for (String str : list) {
            if ("Internal".equalsIgnoreCase(IdentityUtil.extractDomainFromName(str))) {
                arrayList.add(str);
            } else {
                arrayList.add(UserCoreUtil.removeDomainFromName(str));
            }
        }
        return arrayList;
    }

    private List<String> convertInternalRoleDomainsToCamelCase(List<String> list) {
        ArrayList arrayList = new ArrayList();
        if (list != null) {
            for (String str : list) {
                if (StringUtils.containsIgnoreCase(str, "Internal" + CarbonConstants.DOMAIN_SEPARATOR)) {
                    arrayList.add("Internal" + CarbonConstants.DOMAIN_SEPARATOR + UserCoreUtil.removeDomainFromName(str));
                } else if (StringUtils.containsIgnoreCase(str, FrameworkConstants.InternalRoleDomains.APPLICATION_DOMAIN + CarbonConstants.DOMAIN_SEPARATOR)) {
                    arrayList.add(FrameworkConstants.InternalRoleDomains.APPLICATION_DOMAIN + CarbonConstants.DOMAIN_SEPARATOR + UserCoreUtil.removeDomainFromName(str));
                } else if (StringUtils.containsIgnoreCase(str, FrameworkConstants.InternalRoleDomains.WORKFLOW_DOMAIN + CarbonConstants.DOMAIN_SEPARATOR)) {
                    arrayList.add(FrameworkConstants.InternalRoleDomains.WORKFLOW_DOMAIN + CarbonConstants.DOMAIN_SEPARATOR + UserCoreUtil.removeDomainFromName(str));
                } else {
                    arrayList.add(str);
                }
            }
        }
        return arrayList;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public List<String> retrieveRolesToBeDeleted(UserRealm userRealm, List<String> list, List<String> list2) throws UserStoreException {
        ArrayList arrayList = new ArrayList();
        arrayList.addAll(list);
        arrayList.removeAll(list2);
        arrayList.remove(userRealm.getRealmConfiguration().getEveryOneRoleName());
        return arrayList;
    }

    private void setJitProvisionedSource(String str, String str2, Map<String, String> map) throws FrameworkException {
        try {
            map.put(FrameworkConstants.PROVISIONED_SOURCE_ID_CLAIM, IdentityProviderManager.getInstance().getIdPByName(str2, str, true).getResourceId());
        } catch (IdentityProviderManagementException e) {
            throw new FrameworkException("Error while getting the federated IDP name of the IDP: " + str2 + "in the tenant: " + str, (Throwable) e);
        }
    }

    private Set<String> getIndelibleClaims() {
        OMElement configElement = IdentityConfigParser.getInstance().getConfigElement(FrameworkConstants.Config.JIT_PROVISIONING_CONFIG);
        if (configElement == null) {
            if (log.isDebugEnabled()) {
                log.debug("JITProvisioning config not found.");
            }
            return Collections.emptySet();
        }
        Iterator childrenWithLocalName = configElement.getChildrenWithLocalName(FrameworkConstants.Config.INCREDIBLE_CLAIMS_CONFIG_ELEMENT);
        if (childrenWithLocalName == null) {
            if (log.isDebugEnabled()) {
                log.debug("IndelibleClaims config not found.");
            }
            return Collections.emptySet();
        }
        HashSet hashSet = new HashSet();
        while (childrenWithLocalName.hasNext()) {
            Iterator childrenWithLocalName2 = ((OMElement) childrenWithLocalName.next()).getChildrenWithLocalName(FrameworkConstants.Config.CLAIM_URI_CONFIG_ELEMENT);
            if (childrenWithLocalName2 == null) {
                if (log.isDebugEnabled()) {
                    log.debug("ClaimURI config not found.");
                }
                return Collections.emptySet();
            }
            while (childrenWithLocalName2.hasNext()) {
                String text = ((OMElement) childrenWithLocalName2.next()).getText();
                if (StringUtils.isNotBlank(text)) {
                    hashSet.add(text.trim());
                }
            }
        }
        return hashSet;
    }
}
