package org.wso2.carbon.identity.oauth2.validators.xacml;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import javax.xml.stream.XMLStreamException;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axiom.om.xpath.AXIOMXPath;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jaxen.JaxenException;
import org.wso2.balana.utils.exception.PolicyBuilderException;
import org.wso2.balana.utils.policy.PolicyBuilder;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.entitlement.EntitlementException;
import org.wso2.carbon.identity.entitlement.common.dto.RequestDTO;
import org.wso2.carbon.identity.entitlement.common.dto.RowDTO;
import org.wso2.carbon.identity.entitlement.common.util.PolicyCreatorUtil;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheEntry;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheKey;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator;
import org.wso2.carbon.identity.oauth2.validators.xacml.constants.XACMLScopeValidatorConstants;
import org.wso2.carbon.identity.oauth2.validators.xacml.internal.OAuthScopeValidatorDataHolder;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/validators/xacml/XACMLScopeValidator.class */
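/**
 * Scope validator that delegates the authorization decision to a XACML policy decision point (PDP).
 *
 * <p>For each validation the validator builds a XACML request from the OAuth context (subject, action,
 * service provider, user, resource, requested scopes and user claims), sends it to the entitlement
 * service and maps the returned decision to a boolean:
 * <ul>
 *   <li>{@code Permit} &rarr; {@code true}</li>
 *   <li>{@code NotApplicable} &rarr; {@code true} (fail-open by design, with a WARN log asking the
 *       deployer to add a policy)</li>
 *   <li>anything else (including {@code Deny}, {@code Indeterminate} or a missing decision element)
 *       &rarr; {@code false}</li>
 * </ul>
 *
 * <p>Requests carrying no authenticated user or no client id are denied without contacting the PDP.
 * Transport, parsing and policy-building failures surface as {@link IdentityOAuth2Exception}.
 *
 * <p>This class holds no mutable state; it is safe to share between threads.
 */
public class XACMLScopeValidator extends OAuth2ScopeValidator {

    private static final String SCOPE_VALIDATOR_NAME = "XACML Scope Validator";
    private static final Log log = LogFactory.getLog(XACMLScopeValidator.class);

    // XACML attribute ids / categories that are not provided by XACMLScopeValidatorConstants.
    private static final String XACML_CORE_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17";
    private static final String XML_SCHEMA_STRING = "http://www.w3.org/2001/XMLSchema#string";
    private static final String SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
    private static final String ACCESS_SUBJECT_CATEGORY = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject";
    private static final String RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
    private static final String RESOURCE_CATEGORY = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource";

    // Claim that carries the configured separator itself; it is never forwarded as a subject attribute.
    private static final String MULTI_ATTRIBUTE_SEPARATOR_CLAIM = "MultiAttributeSeparator";
    private static final String USER_TYPE_FEDERATED = "FEDERATED";
    private static final String USER_TYPE_LOCAL = "LOCAL";

    /**
     * Validates the scopes bound to an issued access token against the XACML policy.
     *
     * @param accessTokenDO the token whose scopes are validated; tokens without an authorized user are denied
     * @param resource      the resource being accessed, forwarded as the XACML resource-id attribute
     * @return {@code true} when the PDP permits (or has no applicable policy), {@code false} otherwise
     * @throws IdentityOAuth2Exception when the app lookup, request building or PDP evaluation fails
     */
    @Override
    public boolean validateScope(AccessTokenDO accessTokenDO, String resource) throws IdentityOAuth2Exception {
        if (isUnauthorizedToken(accessTokenDO)) {
            return false;
        }
        return validateScope(accessTokenDO.getScope(), accessTokenDO.getAuthzUser(), accessTokenDO.getConsumerKey(),
                XACMLScopeValidatorConstants.ACTION_VALIDATE, resource, accessTokenDO.getAccessToken());
    }

    /**
     * Validates the scopes requested on the token endpoint against the XACML policy.
     *
     * @param tokReqMsgCtx the token request context; its authorized user must be set or the request is denied
     * @return {@code true} when the PDP permits (or has no applicable policy), {@code false} otherwise
     * @throws IdentityOAuth2Exception when the app lookup, request building or PDP evaluation fails
     */
    @Override
    public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {
        return validateScope(tokReqMsgCtx.getOauth2AccessTokenReqDTO().getScope(), tokReqMsgCtx.getAuthorizedUser(),
                tokReqMsgCtx.getOauth2AccessTokenReqDTO().getClientId(),
                XACMLScopeValidatorConstants.ACTION_SCOPE_VALIDATE, null, null);
    }

    /**
     * Validates the scopes requested on the authorization endpoint against the XACML policy.
     *
     * @param authzReqMsgCtx the authorization request context; its user must be set or the request is denied
     * @return {@code true} when the PDP permits (or has no applicable policy), {@code false} otherwise
     * @throws IdentityOAuth2Exception when the app lookup, request building or PDP evaluation fails
     */
    @Override
    public boolean validateScope(OAuthAuthzReqMessageContext authzReqMsgCtx) throws IdentityOAuth2Exception {
        return validateScope(authzReqMsgCtx.getAuthorizationReqDTO().getScopes(),
                authzReqMsgCtx.getAuthorizationReqDTO().getUser(),
                authzReqMsgCtx.getAuthorizationReqDTO().getConsumerKey(),
                XACMLScopeValidatorConstants.ACTION_SCOPE_VALIDATE, null, null);
    }

    /** Returns the human-readable validator name shown in the admin console. */
    @Override
    public String getValidatorName() {
        return SCOPE_VALIDATOR_NAME;
    }

    /**
     * Common validation path for all three public entry points.
     *
     * <p>The tenant flow is started only once both the user and the client id are known to be present, and it
     * is always ended in a {@code finally} block so that no flow leaks on the early-return or exception paths.
     *
     * @param scopes      requested scopes; {@code null} is treated as no scopes
     * @param user        authenticated user; {@code null} is denied
     * @param clientId    OAuth client id used to look up the application; empty is denied
     * @param action      XACML action id (validate vs. scope-validate)
     * @param resource    resource id, may be {@code null}
     * @param accessToken access token used to look up cached user attributes, may be {@code null}
     * @return the PDP decision mapped to a boolean
     * @throws IdentityOAuth2Exception when the client id does not resolve to an application or the PDP round trip fails
     */
    private boolean validateScope(String[] scopes, AuthenticatedUser user, String clientId, String action,
                                  String resource, String accessToken) throws IdentityOAuth2Exception {
        if (user == null) {
            if (log.isDebugEnabled()) {
                log.debug("No authenticated user available for XACML scope validation; denying.");
            }
            return false;
        }
        if (StringUtils.isEmpty(clientId)) {
            if (log.isDebugEnabled()) {
                log.debug("No client id available for XACML scope validation; denying.");
            }
            return false;
        }
        FrameworkUtils.startTenantFlow(user.getTenantDomain());
        try {
            OAuthAppDO app = getOAuthAppDO(clientId);
            String request = createRequest(scopes, user, app, action, resource, accessToken);
            return isRequestPermit(request, app, user.toFullQualifiedUsername());
        } catch (InvalidOAuthClientException e) {
            throw new IdentityOAuth2Exception(String.format(
                    "Error occurred when retrieving corresponding app for this specific client id. %s of user %s ",
                    clientId, user.toFullQualifiedUsername()), e);
        } finally {
            FrameworkUtils.endTenantFlow();
        }
    }

    /**
     * Builds the XACML request document for the given context.
     *
     * <p>Row order: subject-id, action, service-provider name, user name, user store, tenant domain, resource,
     * one row per scope, user type, then one row per (single-valued) user attribute.
     *
     * @return the serialized XACML request
     * @throws IdentityOAuth2Exception when the policy builder rejects the request
     */
    private String createRequest(String[] scopes, AuthenticatedUser user, OAuthAppDO app, String action,
                                 String resource, String accessToken) throws IdentityOAuth2Exception {
        List<RowDTO> rows = new ArrayList<>();
        rows.add(createRowDTO(user.toString(), SUBJECT_ID, ACCESS_SUBJECT_CATEGORY));
        rows.add(createRowDTO(action, XACMLScopeValidatorConstants.AUTH_ACTION_ID,
                XACMLScopeValidatorConstants.ACTION_CATEGORY));
        rows.add(createRowDTO(app.getApplicationName(), XACMLScopeValidatorConstants.SP_NAME_ID,
                XACMLScopeValidatorConstants.SP_CATEGORY));
        rows.add(createRowDTO(user.getUserName(), XACMLScopeValidatorConstants.USERNAME_ID,
                XACMLScopeValidatorConstants.USER_CATEGORY));
        rows.add(createRowDTO(user.getUserStoreDomain(), XACMLScopeValidatorConstants.USER_STORE_ID,
                XACMLScopeValidatorConstants.USER_CATEGORY));
        rows.add(createRowDTO(user.getTenantDomain(), XACMLScopeValidatorConstants.USER_TENANT_DOMAIN_ID,
                XACMLScopeValidatorConstants.USER_CATEGORY));
        rows.add(createRowDTO(resource, RESOURCE_ID, RESOURCE_CATEGORY));
        if (scopes != null) {
            for (String scope : scopes) {
                rows.add(createRowDTO(scope, XACMLScopeValidatorConstants.SCOPE_ID,
                        XACMLScopeValidatorConstants.SCOPE_CATEGORY));
            }
        }
        createRowDTOForUserType(user, rows);
        createRowDTOsForUserAttributes(user, action, rows, accessToken);

        RequestDTO requestDTO = new RequestDTO();
        requestDTO.setRowDTOs(rows);
        try {
            String request = PolicyBuilder.getInstance().buildRequest(PolicyCreatorUtil.createRequestElementDTO(requestDTO));
            // The full request, including user claim values, is logged here; keep DEBUG off in production.
            if (log.isDebugEnabled()) {
                log.debug("XACML scope validation request :\n" + request);
            }
            return request;
        } catch (PolicyBuilderException e) {
            throw new IdentityOAuth2Exception(String.format(
                    "Exception occurred when building  XACML request of user %s.", user.toFullQualifiedUsername()), e);
        }
    }

    /**
     * Sends the request to the PDP and maps its decision to a boolean.
     *
     * <p>{@code NotApplicable} is treated as a permit: a deployment without a matching policy keeps working,
     * and a WARN is logged so the gap is visible. Deployers who want fail-closed behaviour must install a
     * policy that explicitly denies unmatched requests. Every other non-{@code Permit} decision, including an
     * empty decision string, is denied.
     *
     * @param request                the serialized XACML request
     * @param app                    the application, used only for the warning message
     * @param fullyQualifiedUsername the user, used only for error messages
     * @return {@code true} for {@code Permit} or {@code NotApplicable}, {@code false} otherwise
     * @throws IdentityOAuth2Exception when the PDP call fails or the response cannot be parsed
     */
    private boolean isRequestPermit(String request, OAuthAppDO app, String fullyQualifiedUsername)
            throws IdentityOAuth2Exception {
        try {
            String response = OAuthScopeValidatorDataHolder.getInstance().getEntitlementService().getDecision(request);
            if (log.isDebugEnabled()) {
                log.debug("XACML scope validation response :\n" + response);
            }
            String decision = extractDecisionFromXACMLResponse(response);
            if (isResponseNotApplicable(decision)) {
                // Fail-open by design; see the method Javadoc.
                log.warn(String.format("No applicable rule for service provider '%s@%s'. Add a validating policy (or unset Scope Validation using XACMLScopeValidator) to fix this warning.",
                        app.getApplicationName(), OAuth2Util.getTenantDomainOfOauthApp(app)));
                return true;
            }
            return isResponsePermit(decision);
        } catch (EntitlementException e) {
            throw new IdentityOAuth2Exception(String.format(
                    "Exception occurred when evaluating XACML request of user %s.", fullyQualifiedUsername), e);
        } catch (XMLStreamException | JaxenException e) {
            throw new IdentityOAuth2Exception(String.format(
                    "Exception occurred when reading XACML response of user %s.", fullyQualifiedUsername), e);
        }
    }

    /**
     * Resolves the OAuth application registered for a client id.
     *
     * @throws InvalidOAuthClientException when no application is registered under the client id
     * @throws IdentityOAuth2Exception     on lookup failures
     */
    private OAuthAppDO getOAuthAppDO(String clientId) throws IdentityOAuth2Exception, InvalidOAuthClientException {
        return OAuth2Util.getAppInformationByClientId(clientId);
    }

    /** Creates one string-typed XACML attribute row. */
    private RowDTO createRowDTO(String value, String attributeId, String category) {
        RowDTO row = new RowDTO();
        row.setAttributeValue(value);
        row.setAttributeDataType(XML_SCHEMA_STRING);
        row.setAttributeId(attributeId);
        row.setCategory(category);
        return row;
    }

    /**
     * Extracts the decision text from a XACML 3.0 response via {@code DECISION_XPATH}.
     *
     * <p>When the XPath matches nothing the result is an empty string, which is neither Permit nor
     * NotApplicable and is therefore denied by the caller.
     *
     * <p>NOTE(review): the response is parsed with Axiom's default StAX configuration. It originates from
     * the entitlement service, but confirm that the underlying XMLInputFactory has DTD / external-entity
     * resolution disabled in this deployment.
     *
     * @throws XMLStreamException when the response is not well-formed XML
     * @throws JaxenException     when the XPath cannot be evaluated
     */
    private String extractDecisionFromXACMLResponse(String response) throws XMLStreamException, JaxenException {
        AXIOMXPath decisionPath = new AXIOMXPath(XACMLScopeValidatorConstants.DECISION_XPATH);
        decisionPath.addNamespace(XACMLScopeValidatorConstants.XACML_NS_PREFIX, XACML_CORE_NS);
        ByteArrayInputStream in = new ByteArrayInputStream(response.getBytes(StandardCharsets.UTF_8));
        return decisionPath.stringValueOf(new StAXOMBuilder(in).getDocumentElement());
    }

    /** Returns {@code true} (and logs at DEBUG) when the token carries no authorized user. */
    private boolean isUnauthorizedToken(AccessTokenDO accessTokenDO) {
        if (accessTokenDO.getAuthzUser() != null) {
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug(String.format("There is no authorized user for access token id %s.", accessTokenDO.getTokenId()));
        }
        return true;
    }

    /** Case-insensitive check for the {@code Permit} decision. */
    private boolean isResponsePermit(String decision) {
        return XACMLScopeValidatorConstants.RULE_EFFECT_PERMIT.equalsIgnoreCase(decision);
    }

    /** Case-insensitive check for the {@code NotApplicable} decision. */
    private boolean isResponseNotApplicable(String decision) {
        return XACMLScopeValidatorConstants.RULE_EFFECT_NOT_APPLICABLE.equalsIgnoreCase(decision);
    }

    /** Adds the user-type row ({@code FEDERATED} or {@code LOCAL}). */
    private void createRowDTOForUserType(AuthenticatedUser user, List<RowDTO> rows) {
        String userType = user.isFederatedUser() ? USER_TYPE_FEDERATED : USER_TYPE_LOCAL;
        rows.add(createRowDTO(userType, XACMLScopeValidatorConstants.USER_TYPE_ID,
                XACMLScopeValidatorConstants.USER_CATEGORY));
    }

    /**
     * Adds one row per user attribute value, keyed by the remote claim URI.
     *
     * <p>When the user carries no attributes and the action is {@code ACTION_VALIDATE}, the attributes are
     * looked up in the authorization grant cache by access token. Multi-valued attributes are split on the
     * configured multi-attribute separator; the separator claim itself and empty values are skipped.
     */
    private void createRowDTOsForUserAttributes(AuthenticatedUser user, String action, List<RowDTO> rows,
                                                String accessToken) {
        Map<ClaimMapping, String> attributes = user.getUserAttributes();
        if ((attributes == null || attributes.isEmpty())
                && XACMLScopeValidatorConstants.ACTION_VALIDATE.equals(action)) {
            attributes = getUserAttributesFromAuthorizationGrantCache(accessToken);
        }
        if (attributes == null) {
            return;
        }
        for (Map.Entry<ClaimMapping, String> entry : attributes.entrySet()) {
            String claimUri = remoteClaimUri(entry.getKey());
            String value = entry.getValue();
            if (StringUtils.isEmpty(claimUri) || StringUtils.isEmpty(value)
                    || MULTI_ATTRIBUTE_SEPARATOR_CLAIM.equalsIgnoreCase(claimUri)) {
                continue;
            }
            for (String single : getAttributeValues(value)) {
                rows.add(createRowDTO(single, claimUri, XACMLScopeValidatorConstants.SP_CLAIM_CATEGORY));
            }
        }
    }

    /** Returns the remote claim URI of a mapping, or {@code null} when the mapping or its remote claim is absent. */
    private static String remoteClaimUri(ClaimMapping mapping) {
        if (mapping == null || mapping.getRemoteClaim() == null) {
            return null;
        }
        return mapping.getRemoteClaim().getClaimUri();
    }

    /**
     * Looks up the user attributes cached for an access token.
     *
     * @return the cached attributes, or {@code null} when there is no cache entry for the token
     */
    private Map<ClaimMapping, String> getUserAttributesFromAuthorizationGrantCache(String accessToken) {
        AuthorizationGrantCacheEntry entry =
                AuthorizationGrantCache.getInstance().getValueFromCacheByToken(new AuthorizationGrantCacheKey(accessToken));
        return entry == null ? null : entry.getUserAttributes();
    }

    /**
     * Splits a multi-valued attribute on the configured separator, treated literally.
     *
     * <p>The separator is quoted so that a configured value containing regex metacharacters (for example
     * {@code |}) does not split every character; a value without the separator yields a single element.
     */
    private String[] getAttributeValues(String value) {
        return value.split(Pattern.quote(FrameworkUtils.getMultiAttributeSeparator()));
    }
}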
