package org.wso2.carbon.identity.authz.service.handler;

import java.util.Iterator;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.authz.service.AuthorizationContext;
import org.wso2.carbon.identity.authz.service.AuthorizationResult;
import org.wso2.carbon.identity.authz.service.AuthorizationStatus;
import org.wso2.carbon.identity.authz.service.exception.AuthzServiceServerException;
import org.wso2.carbon.identity.authz.service.internal.AuthorizationServiceHolder;
import org.wso2.carbon.identity.core.handler.AbstractIdentityHandler;
import org.wso2.carbon.identity.core.handler.InitConfig;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.util.UserCoreUtil;

/* loaded from: input_file:org/wso2/carbon/identity/authz/service/handler/AuthorizationHandler.class */
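/**
 * Authorization handler that decides whether the user in an {@link AuthorizationContext}
 * may access the requested resource.
 *
 * <p>The decision starts as {@link AuthorizationStatus#DENY} and is only ever upgraded to
 * {@link AuthorizationStatus#GRANT}. Two mutually exclusive checks exist:
 * <ul>
 *   <li><b>Scope check</b> - used when the context asks for scope validation and lists required
 *       scopes. Every required scope must be present in the allowed scopes. The permission
 *       string is not consulted on this path.</li>
 *   <li><b>Permission check</b> - used otherwise, when a permission string is present or no
 *       scopes are required. The user must hold the permission in the tenant's user realm.</li>
 * </ul>
 * If neither check applies (scope validation off, required scopes present, blank permission
 * string) the result stays DENY.
 */
public class AuthorizationHandler extends AbstractIdentityHandler {
    private static final Log log = LogFactory.getLog(AuthorizationHandler.class);
    // Permission value that marks a resource as needing no permission at all.
    private static final String RESOURCE_PERMISSION_NONE = "none";
    // Context parameter holding the scopes allowed for the request (String[]).
    private static final String OAUTH2_ALLOWED_SCOPES = "oauth2-allowed-scopes";
    // Context parameter telling whether scope validation was requested (Boolean).
    private static final String OAUTH2_VALIDATE_SCOPES = "oauth2-validate-scopes";
    // Action passed to the authorization manager for the permission check.
    private static final String UI_EXECUTE_ACTION = "ui.execute";

    /**
     * Evaluates the authorization context and returns the decision.
     *
     * @param authorizationContext request context carrying the user, the permission string,
     *                             the required scopes and the OAuth2 scope parameters
     * @return a result that is GRANT only when the applicable check passed, DENY otherwise
     *         (including when the context carries no user)
     * @throws AuthzServiceServerException if the user realm lookup or the permission check
     *                                     fails with a {@link UserStoreException}
     */
    public AuthorizationResult handleAuthorization(AuthorizationContext authorizationContext) throws AuthzServiceServerException {
        AuthorizationResult authorizationResult = new AuthorizationResult(AuthorizationStatus.DENY);
        User user = authorizationContext.getUser();
        if (user == null) {
            // Fail closed: without an authenticated user there is nothing to authorize.
            // Previously this surfaced as a NullPointerException from the next statement.
            if (log.isDebugEnabled()) {
                log.debug("No user found in the authorization context, denying access.");
            }
            return authorizationResult;
        }
        try {
            int tenantId = IdentityTenantUtil.getTenantId(user.getTenantDomain());
            String permissionString = authorizationContext.getPermissionString();

            // Casts are kept strict on purpose: a parameter of an unexpected type raises a
            // ClassCastException instead of silently selecting a different check.
            String[] allowedScopes = (String[]) authorizationContext.getParameter(OAUTH2_ALLOWED_SCOPES);
            Object validateScopesParam = authorizationContext.getParameter(OAUTH2_VALIDATE_SCOPES);
            boolean validateScopesRequested = validateScopesParam != null && ((Boolean) validateScopesParam).booleanValue();

            // Resolved before branching, as in the original flow, so a realm failure is
            // reported regardless of which check would have run.
            UserRealm tenantUserRealm = AuthorizationServiceHolder.getInstance().getRealmService().getTenantUserRealm(tenantId);

            if (isScopeValidationRequired(authorizationContext, validateScopesRequested)) {
                // Scopes take precedence over the permission string.
                validateScopes(authorizationContext, authorizationResult, allowedScopes);
            } else if (StringUtils.isNotBlank(permissionString) || authorizationContext.getRequiredScopes().isEmpty()) {
                // NOTE(review): with a blank permission string and no required scopes the
                // authorization manager is queried with a blank resource id - confirm that
                // isUserAuthorized denies in that case.
                validatePermissions(authorizationResult, user, permissionString, tenantUserRealm);
            }
            return authorizationResult;
        } catch (UserStoreException e) {
            String errorMessage = "Error occurred while trying to authorize, " + e.getMessage();
            // Log with the throwable so the stack trace is available when investigating
            // authorization failures; the message-only form dropped it.
            log.error(errorMessage, e);
            throw new AuthzServiceServerException(errorMessage, e);
        }
    }

    /**
     * No initialization is performed by this handler.
     *
     * @param initConfig ignored
     */
    public void init(InitConfig initConfig) {
    }

    /**
     * @return the fixed handler name {@code "AuthorizationHandler"}
     */
    public String getName() {
        return "AuthorizationHandler";
    }

    /**
     * @return the fixed handler priority, {@code 100}
     */
    public int getPriority() {
        return 100;
    }

    /**
     * Grants access when the resource needs no permission or the user holds the permission.
     *
     * @param authorizationResult result to upgrade to GRANT on success; untouched otherwise
     * @param user                user being authorized
     * @param permission          permission string of the resource
     * @param userRealm           realm of the user's tenant
     * @throws UserStoreException if the authorization manager cannot be obtained or queried
     */
    private void validatePermissions(AuthorizationResult authorizationResult, User user, String permission, UserRealm userRealm) throws UserStoreException {
        if (RESOURCE_PERMISSION_NONE.equalsIgnoreCase(permission)) {
            // "none" (any letter case) grants access to every user reaching this point;
            // the authorization manager is not consulted.
            authorizationResult.setAuthorizationStatus(AuthorizationStatus.GRANT);
            return;
        }
        String domainQualifiedName = UserCoreUtil.addDomainToName(user.getUserName(), user.getUserStoreDomain());
        if (userRealm.getAuthorizationManager().isUserAuthorized(domainQualifiedName, permission, UI_EXECUTE_ACTION)) {
            authorizationResult.setAuthorizationStatus(AuthorizationStatus.GRANT);
        }
    }

    /**
     * Grants access when every required scope of the context is among the allowed scopes.
     *
     * @param authorizationContext context supplying the required scopes
     * @param authorizationResult  result to upgrade to GRANT on success; untouched otherwise
     * @param allowedScopes        scopes allowed for the request; {@code null} never grants
     */
    private void validateScopes(AuthorizationContext authorizationContext, AuthorizationResult authorizationResult, String[] allowedScopes) {
        if (allowedScopes == null) {
            // No allowed scopes supplied: leave the result as it is (DENY by default).
            return;
        }
        for (String requiredScope : authorizationContext.getRequiredScopes()) {
            if (!ArrayUtils.contains(allowedScopes, requiredScope)) {
                // A single missing scope is enough to refuse.
                return;
            }
        }
        authorizationResult.setAuthorizationStatus(AuthorizationStatus.GRANT);
    }

    /**
     * Tells whether the scope check should be used for this request.
     *
     * @param authorizationContext   context supplying the required scopes
     * @param validateScopesRequested value of the scope-validation parameter
     * @return {@code true} only when validation was requested and required scopes exist
     */
    private boolean isScopeValidationRequired(AuthorizationContext authorizationContext, boolean validateScopesRequested) {
        return validateScopesRequested && CollectionUtils.isNotEmpty(authorizationContext.getRequiredScopes());
    }
}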
