package org.wso2.carbon.identity.oauth2.validators;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.model.ClaimConfig;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.RoleMapping;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.oauth.cache.OAuthScopeBindingCache;
import org.wso2.carbon.identity.oauth.cache.OAuthScopeBindingCacheKey;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2ScopeServerException;
import org.wso2.carbon.identity.oauth2.Oauth2ScopeConstants;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.bean.Scope;
import org.wso2.carbon.identity.oauth2.bean.ScopeBinding;
import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oauth2.util.Oauth2ScopeUtils;
import org.wso2.carbon.identity.organization.management.organization.user.sharing.util.OrganizationSharedUserUtil;
import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
import org.wso2.carbon.user.api.AuthorizationManager;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.util.UserCoreUtil;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/validators/JDBCPermissionBasedInternalScopeValidator.class */
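/**
 * Filters a set of requested OAuth2 scopes down to the ones the authenticated user is entitled to.
 *
 * <p>Entitlement is decided per scope: every binding of type {@value #PERMISSION_BINDING_TYPE} attached to the
 * scope must be covered by a permission path the user holds (see {@link #isPermissionCovered}). Scopes without
 * a covered binding are silently dropped from the result rather than rejected with an error. Any failure while
 * resolving the user's permissions is logged and treated as "no scopes allowed" (fail closed).
 *
 * <p>The user's permission paths are resolved in the tenant of the user, or in the tenant of the OAuth
 * application when federated role-based authorization is enabled for the client; a tenant flow is started
 * for the duration of that lookup and always ended afterwards.
 */
public class JDBCPermissionBasedInternalScopeValidator {

    // Retained as in the original class; not referenced by the methods below.
    private static final String PERMISSION_ROOT = "/permission";
    private static final Log log = LogFactory.getLog(JDBCPermissionBasedInternalScopeValidator.class);
    private static final String PERMISSION_BINDING_TYPE = "PERMISSION";
    private static final String ROOT = "/";
    // Retained as in the original class; not referenced by the methods below.
    private static final String ADMIN_PERMISSION_ROOT = "/permission/admin";
    // Pseudo-permission granted to every user so that scopes bound only to it are always allowed.
    private static final String EVERYONE_PERMISSION = "everyone_permission";
    // Role-name prefix that marks an internal (Carbon) role coming from federated attributes.
    private static final String INTERNAL_ROLE_DOMAIN_PREFIX = "Internal" + CarbonConstants.DOMAIN_SEPARATOR;
    // Remote claim URI whose value carries the federated user's group memberships.
    private static final String GROUPS_CLAIM_URI = "groups";

    /**
     * Validates the scopes of a token request.
     *
     * @param oAuthTokenReqMessageContext token request context carrying the scopes, the authorized user and
     *                                    the client id
     * @return the requested scopes the user is allowed to obtain; the original (null or empty) array when
     *         nothing was requested
     */
    public String[] validateScope(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {

        String[] requestedScopes = oAuthTokenReqMessageContext.getScope();
        if (ArrayUtils.isEmpty(requestedScopes)) {
            // Nothing requested: hand the (null or empty) array back untouched.
            return requestedScopes;
        }
        String clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
        return validateScope(requestedScopes, oAuthTokenReqMessageContext.getAuthorizedUser(), clientId);
    }

    /**
     * Validates the scopes of an authorization request.
     *
     * @param oAuthAuthzReqMessageContext authorization request context carrying the scopes, the user and
     *                                    the consumer key
     * @return the requested scopes the user is allowed to obtain; the original (null or empty) array when
     *         nothing was requested
     */
    public String[] validateScope(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) {

        String[] requestedScopes = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getScopes();
        if (ArrayUtils.isEmpty(requestedScopes)) {
            return requestedScopes;
        }
        return validateScope(requestedScopes,
                oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getUser(),
                oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getConsumerKey());
    }

    /**
     * Validates the given scopes for a user and client.
     *
     * @param requestedScopes   scopes asked for by the client
     * @param authenticatedUser user the token is issued to
     * @param clientId          OAuth client id (consumer key)
     * @return names of the requested scopes the user is allowed to obtain; never null
     */
    public String[] validateScope(String[] requestedScopes, AuthenticatedUser authenticatedUser, String clientId) {

        return getScopeNames(getUserAllowedScopes(authenticatedUser, requestedScopes, clientId));
    }

    /** Projects a set of scopes onto their names. */
    private String[] getScopeNames(Set<Scope> scopes) {

        return scopes.stream().map(Scope::getName).toArray(String[]::new);
    }

    /**
     * Resolves the subset of the requested scopes whose permission bindings the user fully satisfies.
     *
     * <p>Structure note: the decompiled form of this method had the catch clauses attached to an empty
     * try block, so the checked exceptions of the body escaped uncaught; they are restored here as a single
     * try/catch/finally. The tenant flow is only ended when it was actually started, since ending a flow
     * that was never started unwinds the caller's thread-local context instead of this method's.
     *
     * @param authenticatedUser user whose permissions are checked
     * @param requestedScopes   scopes asked for; null yields an empty set
     * @param clientId          OAuth client id, used for federated/app-tenant decisions
     * @return allowed scopes; empty on any lookup failure (logged), never null
     */
    private Set<Scope> getUserAllowedScopes(AuthenticatedUser authenticatedUser, String[] requestedScopes,
                                            String clientId) {

        Set<Scope> userAllowedScopes = new HashSet<>();
        if (requestedScopes == null) {
            return userAllowedScopes;
        }
        boolean tenantFlowStarted = false;
        try {
            String tenantDomain = authenticatedUser.getTenantDomain();
            boolean federatedRoleBasedAuthzEnabled = false;
            if (authenticatedUser.isFederatedUser()) {
                federatedRoleBasedAuthzEnabled = OAuth2Util.isFederatedRoleBasedAuthzEnabled(clientId);
                if (federatedRoleBasedAuthzEnabled) {
                    // Permissions are then resolved in the tenant owning the application, not the user's.
                    tenantDomain = OAuth2Util.getTenantDomainOfOauthApp(
                            OAuth2Util.getAppInformationByClientId(clientId));
                }
            }
            int tenantId = IdentityTenantUtil.getTenantId(tenantDomain);
            Set<Scope> permissionScopes = getScopesOfPermissionType(tenantId);
            Set<String> requestedScopeNames = resolveRequestedScopeNames(requestedScopes, permissionScopes);

            startTenantFlow(tenantDomain, tenantId);
            tenantFlowStarted = true;
            AuthorizationManager authorizationManager = OAuthComponentServiceHolder.getInstance()
                    .getRealmService().getTenantUserRealm(tenantId).getAuthorizationManager();
            String[] allowedPermissions = resolveAllowedPermissions(authenticatedUser, clientId,
                    federatedRoleBasedAuthzEnabled, authorizationManager);

            for (Scope scope : permissionScopes) {
                if (requestedScopeNames.contains(scope.getName())
                        && hasAllPermissionBindings(scope, allowedPermissions)) {
                    userAllowedScopes.add(scope);
                }
            }
        } catch (InvalidOAuthClientException e) {
            log.error("Error while retrieving the Application Information for client id: " + clientId, e);
        } catch (IdentityOAuth2ScopeServerException e) {
            log.error("Error while retrieving oAuth2 scopes.", e);
        } catch (IdentityOAuth2Exception e) {
            log.error("Error while accessing identity provider manager.", e);
        } catch (UserIdNotFoundException e) {
            log.error("User id not available for user: " + authenticatedUser.getLoggableUserId(), e);
        } catch (UserStoreException e) {
            log.error("Error while accessing Authorization Manager.", e);
        } finally {
            if (tenantFlowStarted) {
                endTenantFlow();
            }
        }
        // On a caught failure nothing has been added yet, so this is the empty (fail-closed) result.
        return userAllowedScopes;
    }

    /**
     * Expands the requested scope names: the SYSTEM scope stands for every permission-bound scope of the
     * tenant (each of which is still checked against the user's permissions by the caller).
     */
    private Set<String> resolveRequestedScopeNames(String[] requestedScopes, Set<Scope> permissionScopes) {

        if (ArrayUtils.contains(requestedScopes, Oauth2ScopeConstants.SYSTEM_SCOPE)) {
            return new HashSet<>(Arrays.asList(getScopeNames(permissionScopes)));
        }
        return new HashSet<>(Arrays.asList(Oauth2ScopeUtils.getRequestedScopes(requestedScopes)));
    }

    /**
     * Picks the permission source for the user: organization permissions when an organization is being
     * accessed; otherwise, for federated users, either their mapped internal roles, their local identity
     * (when the SP always sends the mapped local subject id) or the IdP role mappings; local users are
     * looked up directly.
     */
    private String[] resolveAllowedPermissions(AuthenticatedUser authenticatedUser, String clientId,
                                               boolean federatedRoleBasedAuthzEnabled,
                                               AuthorizationManager authorizationManager)
            throws UserStoreException, UserIdNotFoundException, IdentityOAuth2Exception {

        String accessingOrganization = authenticatedUser.getAccessingOrganization();
        if (StringUtils.isNotEmpty(accessingOrganization)) {
            return retrieveUserOrganizationPermission(authenticatedUser, accessingOrganization);
        }
        if (!authenticatedUser.isFederatedUser()) {
            return getAllowedResourcesOfUser(authenticatedUser, authorizationManager);
        }
        if (federatedRoleBasedAuthzEnabled) {
            return getAllowedPermissionsUsingRoleForNonAssociatedFederatedUsers(authenticatedUser,
                    authorizationManager);
        }
        if (isSPAlwaysSendMappedLocalSubjectId(clientId)) {
            return getAllowedResourcesOfUser(authenticatedUser, authorizationManager);
        }
        return getAllowedResourcesForNotAssociatedFederatedUser(authenticatedUser, authorizationManager);
    }

    /**
     * Returns true when every PERMISSION-type binding of the scope is covered by one of the user's
     * permissions. Bindings of other types are ignored; a scope with no PERMISSION bindings is allowed.
     */
    private boolean hasAllPermissionBindings(Scope scope, String[] allowedPermissions) {

        for (ScopeBinding scopeBinding : scope.getScopeBindings()) {
            if (!PERMISSION_BINDING_TYPE.equalsIgnoreCase(scopeBinding.getBindingType())) {
                continue;
            }
            for (String requiredPermission : scopeBinding.getBindings()) {
                if (!isPermissionCovered(requiredPermission, allowedPermissions)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Checks whether a required permission path is equal to, or lies beneath, one of the allowed paths.
     *
     * <p>A trailing {@value #ROOT} is appended to both sides before the prefix test so that the match is
     * path-segment aware: {@code /permission/admin} covers {@code /permission/admin/manage} but not
     * {@code /permission/administrator}. {@value #EVERYONE_PERMISSION} therefore only covers bindings
     * that are literally that value (or below it).
     */
    private static boolean isPermissionCovered(String requiredPermission, String[] allowedPermissions) {

        String required = requiredPermission + ROOT;
        for (String allowed : allowedPermissions) {
            if (required.startsWith(allowed + ROOT)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reads the "always send mapped local subject id" flag of the client's service provider.
     *
     * @throws IdentityOAuth2Exception when the service provider or its claim configuration cannot be found
     */
    private boolean isSPAlwaysSendMappedLocalSubjectId(String clientId) throws IdentityOAuth2Exception {

        ServiceProvider serviceProvider = OAuth2Util.getServiceProvider(clientId);
        if (serviceProvider == null) {
            throw new IdentityOAuth2Exception("Unable to find service provider for client id " + clientId);
        }
        ClaimConfig claimConfig = serviceProvider.getClaimConfig();
        if (claimConfig == null) {
            throw new IdentityOAuth2Exception(
                    "Unable to find claim configuration for service provider of client id " + clientId);
        }
        return claimConfig.isAlwaysSendMappedLocalSubjectId();
    }

    /**
     * Permissions of a federated user that has no local account: the user's "groups" claim values are
     * matched against the IdP's role mappings, and the UI resources of every matched local role are
     * collected. {@value #EVERYONE_PERMISSION} is always included.
     *
     * <p>A missing identity provider or role-mapping configuration yields only the everyone permission
     * instead of a NullPointerException, so the user gains nothing from the gap.
     */
    private String[] getAllowedResourcesForNotAssociatedFederatedUser(AuthenticatedUser authenticatedUser,
                                                                       AuthorizationManager authorizationManager)
            throws UserStoreException, IdentityOAuth2Exception {

        IdentityProvider identityProvider = OAuth2Util.getIdentityProvider(authenticatedUser.getFederatedIdPName(),
                authenticatedUser.getTenantDomain());
        List<String> groups = getValuesOfGroupsFromUserAttributes(authenticatedUser.getUserAttributes());

        List<String> mappedLocalRoles = new ArrayList<>();
        boolean roleMappingsAvailable = identityProvider != null
                && identityProvider.getPermissionAndRoleConfig() != null
                && identityProvider.getPermissionAndRoleConfig().getRoleMappings() != null;
        if (CollectionUtils.isNotEmpty(groups) && roleMappingsAvailable) {
            for (RoleMapping roleMapping : identityProvider.getPermissionAndRoleConfig().getRoleMappings()) {
                if (roleMapping == null || roleMapping.getLocalRole() == null) {
                    continue;
                }
                String localRoleName = roleMapping.getLocalRole().getLocalRoleName();
                String internalRoleName = Oauth2ScopeConstants.INTERNAL_ROLE_PREFIX + localRoleName;
                if (groups.contains(localRoleName)) {
                    mappedLocalRoles.add(localRoleName);
                } else if (StringUtils.isNotBlank(roleMapping.getLocalRole().getUserStoreId())
                        && groups.contains(internalRoleName)) {
                    mappedLocalRoles.add(internalRoleName);
                }
            }
        }

        // LinkedHashSet keeps the de-duplication of the original list while avoiding its O(n^2) contains().
        Set<String> allowedResources = new LinkedHashSet<>();
        for (String localRole : mappedLocalRoles) {
            allowedResources.addAll(Arrays.asList(authorizationManager.getAllowedUIResourcesForRole(localRole, ROOT)));
        }
        allowedResources.add(EVERYONE_PERMISSION);
        return allowedResources.toArray(new String[0]);
    }

    /**
     * Permissions of a federated user derived from the roles carried in its attributes; only roles in the
     * internal role domain are consulted. {@value #EVERYONE_PERMISSION} is always included.
     */
    private String[] getAllowedPermissionsUsingRoleForNonAssociatedFederatedUsers(
            AuthenticatedUser authenticatedUser, AuthorizationManager authorizationManager)
            throws UserStoreException, IdentityOAuth2Exception {

        Set<String> allowedResources = new HashSet<>();
        for (String role : OAuth2Util.getRolesFromFederatedUserAttributes(authenticatedUser.getUserAttributes())) {
            // Case-insensitive, locale-independent prefix test (replaces the default-locale toLowerCase()).
            if (StringUtils.startsWithIgnoreCase(role, INTERNAL_ROLE_DOMAIN_PREFIX)) {
                allowedResources.addAll(Arrays.asList(authorizationManager.getAllowedUIResourcesForRole(role, ROOT)));
            }
        }
        allowedResources.add(EVERYONE_PERMISSION);
        return allowedResources.toArray(new String[0]);
    }

    /**
     * Extracts the group names from the user's "groups" remote claim, splitting on the configured
     * multi-attribute separator.
     *
     * @return the group values of the first matching claim, or an empty list when there is none
     *         (never null; the original returned null here)
     */
    private List<String> getValuesOfGroupsFromUserAttributes(Map<ClaimMapping, String> userAttributes) {

        if (MapUtils.isEmpty(userAttributes)) {
            return Collections.emptyList();
        }
        String separator = FrameworkUtils.getMultiAttributeSeparator();
        for (Map.Entry<ClaimMapping, String> entry : userAttributes.entrySet()) {
            ClaimMapping mapping = entry.getKey();
            if (mapping == null || mapping.getRemoteClaim() == null
                    || !StringUtils.equals(mapping.getRemoteClaim().getClaimUri(), GROUPS_CLAIM_URI)) {
                continue;
            }
            String groupsValue = entry.getValue();
            if (groupsValue == null) {
                return Collections.emptyList();
            }
            return Arrays.asList(groupsValue.split(Pattern.quote(separator)));
        }
        return Collections.emptyList();
    }

    /**
     * Permissions of a user with a local account, looked up by domain-qualified user name.
     * {@value #EVERYONE_PERMISSION} is always appended.
     *
     * @throws UserIdNotFoundException when neither a user name nor a resolvable user id is available
     */
    private String[] getAllowedResourcesOfUser(AuthenticatedUser authenticatedUser,
                                               AuthorizationManager authorizationManager)
            throws UserStoreException, UserIdNotFoundException {

        String userName = authenticatedUser.getUserName();
        if (userName == null) {
            userName = OAuth2Util.resolveUsernameFromUserId(authenticatedUser.getTenantDomain(),
                    authenticatedUser.getUserId());
        }
        if (StringUtils.isNotEmpty(authenticatedUser.getUserStoreDomain())) {
            userName = UserCoreUtil.addDomainToName(userName, authenticatedUser.getUserStoreDomain());
        }
        return (String[]) ArrayUtils.add(authorizationManager.getAllowedUIResourcesForUser(userName, ROOT),
                EVERYONE_PERMISSION);
    }

    /**
     * Permissions of the user within the organization it is accessing. When the accessing organization
     * differs from the user's resident organization, the lookup is done with the id of the shared
     * (associated) user in that organization. {@value #EVERYONE_PERMISSION} is always appended; on a
     * lookup failure it is the only entry.
     */
    private String[] retrieveUserOrganizationPermission(AuthenticatedUser authenticatedUser, String organizationId)
            throws UserIdNotFoundException {

        String[] organizationPermissions = null;
        if (StringUtils.isNotBlank(organizationId)) {
            try {
                // Federated users are keyed by user name here, local users by user id.
                String userIdentifier = authenticatedUser.isFederatedUser()
                        ? authenticatedUser.getUserName() : authenticatedUser.getUserId();
                String accessingOrganization = authenticatedUser.getAccessingOrganization();
                if (accessingOrganization != null
                        && !accessingOrganization.equals(authenticatedUser.getUserResidentOrganization())) {
                    Optional<String> associatedUserId =
                            OrganizationSharedUserUtil.getUserIdOfAssociatedUserByOrgId(userIdentifier, organizationId);
                    if (associatedUserId.isPresent()) {
                        userIdentifier = associatedUserId.get();
                    }
                }
                organizationPermissions = (String[]) OAuth2ServiceComponentHolder.getRoleManager()
                        .getUserOrganizationPermissions(userIdentifier, organizationId).toArray(new String[0]);
            } catch (OrganizationManagementException e) {
                // The original dropped the exception here, leaving no cause in the log.
                log.error("Error while retrieving the organization permissions of the user.", e);
            }
        }
        return (String[]) ArrayUtils.add(organizationPermissions, EVERYONE_PERMISSION);
    }

    /**
     * Loads the permission-bound scopes of a tenant: from the system-level scope binding when that mode is
     * enabled, otherwise from the scope-binding cache, falling back to the DAO and priming the cache.
     */
    private Set<Scope> getScopesOfPermissionType(int tenantId) throws IdentityOAuth2ScopeServerException {

        if (Oauth2ScopeUtils.isSystemLevelInternalSystemScopeManagementEnabled()) {
            return new HashSet<Scope>(OAuth2ServiceComponentHolder.getInstance().getOauthScopeBinding());
        }
        OAuthScopeBindingCacheKey cacheKey = new OAuthScopeBindingCacheKey(PERMISSION_BINDING_TYPE);
        Scope[] cachedScopes = OAuthScopeBindingCache.getInstance().getValueFromCache(cacheKey, tenantId);
        if (cachedScopes != null) {
            return Arrays.stream(cachedScopes).collect(Collectors.toSet());
        }
        Set<Scope> scopes = OAuthTokenPersistenceFactory.getInstance().getOAuthScopeDAO()
                .getScopes(tenantId, PERMISSION_BINDING_TYPE);
        if (CollectionUtils.isNotEmpty(scopes)) {
            OAuthScopeBindingCache.getInstance().addToCache(cacheKey, scopes.toArray(new Scope[0]), tenantId);
        }
        return scopes;
    }

    /** Pushes a tenant context for the given tenant onto the thread-local Carbon context. */
    private void startTenantFlow(String tenantDomain, int tenantId) {

        PrivilegedCarbonContext.startTenantFlow();
        PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(tenantId);
        PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain);
    }

    /** Pops the tenant context pushed by {@link #startTenantFlow}. */
    private void endTenantFlow() {

        PrivilegedCarbonContext.endTenantFlow();
    }

    /**
     * Resolves the tenant domain of an organization. Not referenced by the methods above.
     *
     * @throws IdentityOAuth2Exception wrapping the organization-management failure, cause preserved
     */
    private String resolveTenantDomain(String organizationId) throws IdentityOAuth2Exception {

        try {
            return OAuth2ServiceComponentHolder.getInstance().getOrganizationManager()
                    .resolveTenantDomain(organizationId);
        } catch (OrganizationManagementException e) {
            throw new IdentityOAuth2Exception(e.getMessage(), e);
        }
    }
}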
