package org.wso2.carbon.identity.oauth2.util;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2ScopeClientException;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2ScopeServerException;
import org.wso2.carbon.identity.oauth2.Oauth2ScopeConstants;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/util/Oauth2ScopeUtils.class */
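/**
 * Static helpers for OAuth2 scope handling: construction of scope-related client/server
 * exceptions, execution of the scope validators registered for an OAuth application, and
 * filtering of internal/system scopes from a requested scope list.
 *
 * <p>The validator methods feed an authorization decision. Any path that cannot resolve the
 * application or one of its configured validators ends in an exception rather than a
 * {@code true} result.
 */
public class Oauth2ScopeUtils {
    private static final Log log = LogFactory.getLog(Oauth2ScopeUtils.class);
    public static final String OAUTH_APP_DO_PROPERTY_NAME = "OAuthAppDO";
    private static final String OAUTH_ENABLE_SYSTEM_LEVEL_INTERNAL_SYSTEM_SCOPE_MANAGEMENT = "OAuth.EnableSystemLevelInternalSystemScopeManagement";

    /**
     * Builds a server-side scope exception from an error definition.
     *
     * @param errorMessages error definition supplying the code and the message template
     * @param str           value substituted into the message template; when blank the
     *                      template is used as-is
     * @return the constructed exception (returned, not thrown)
     * @throws IdentityOAuth2ScopeServerException declared for interface compatibility
     */
    public static IdentityOAuth2ScopeServerException generateServerException(Oauth2ScopeConstants.ErrorMessages errorMessages, String str) throws IdentityOAuth2ScopeServerException {
        return (IdentityOAuth2ScopeServerException) IdentityException.error(IdentityOAuth2ScopeServerException.class, errorMessages.getCode(), resolveMessage(errorMessages, str));
    }

    /**
     * Builds a server-side scope exception from an error definition, keeping the cause.
     *
     * @param errorMessages error definition supplying the code and the message template
     * @param str           value substituted into the message template; when blank the
     *                      template is used as-is
     * @param th            underlying cause
     * @return the constructed exception (returned, not thrown)
     * @throws IdentityOAuth2ScopeServerException declared for interface compatibility
     */
    public static IdentityOAuth2ScopeServerException generateServerException(Oauth2ScopeConstants.ErrorMessages errorMessages, String str, Throwable th) throws IdentityOAuth2ScopeServerException {
        return (IdentityOAuth2ScopeServerException) IdentityException.error(IdentityOAuth2ScopeServerException.class, errorMessages.getCode(), resolveMessage(errorMessages, str), th);
    }

    /**
     * Builds a server-side scope exception whose message is the unformatted template.
     *
     * @param errorMessages error definition supplying the code and the message
     * @param th            underlying cause
     * @return the constructed exception (returned, not thrown)
     * @throws IdentityOAuth2ScopeServerException declared for interface compatibility
     */
    public static IdentityOAuth2ScopeServerException generateServerException(Oauth2ScopeConstants.ErrorMessages errorMessages, Throwable th) throws IdentityOAuth2ScopeServerException {
        return (IdentityOAuth2ScopeServerException) IdentityException.error(IdentityOAuth2ScopeServerException.class, errorMessages.getCode(), errorMessages.getMessage(), th);
    }

    /**
     * Builds a client-side scope exception from an error definition.
     *
     * @param errorMessages error definition supplying the code and the message template
     * @param str           value substituted into the message template; when blank the
     *                      template is used as-is
     * @return the constructed exception (returned, not thrown)
     * @throws IdentityOAuth2ScopeClientException declared for interface compatibility
     */
    public static IdentityOAuth2ScopeClientException generateClientException(Oauth2ScopeConstants.ErrorMessages errorMessages, String str) throws IdentityOAuth2ScopeClientException {
        return (IdentityOAuth2ScopeClientException) IdentityException.error(IdentityOAuth2ScopeClientException.class, errorMessages.getCode(), resolveMessage(errorMessages, str));
    }

    /**
     * Builds a client-side scope exception from an error definition, keeping the cause.
     *
     * @param errorMessages error definition supplying the code and the message template
     * @param str           value substituted into the message template; when blank the
     *                      template is used as-is
     * @param th            underlying cause
     * @return the constructed exception (returned, not thrown)
     * @throws IdentityOAuth2ScopeClientException declared for interface compatibility
     */
    public static IdentityOAuth2ScopeClientException generateClientException(Oauth2ScopeConstants.ErrorMessages errorMessages, String str, Throwable th) throws IdentityOAuth2ScopeClientException {
        return (IdentityOAuth2ScopeClientException) IdentityException.error(IdentityOAuth2ScopeClientException.class, errorMessages.getCode(), resolveMessage(errorMessages, str), th);
    }

    /** Returns the message template formatted with {@code str}, or the raw template when {@code str} is blank. */
    private static String resolveMessage(Oauth2ScopeConstants.ErrorMessages errorMessages, String str) {
        return StringUtils.isNotBlank(str) ? String.format(errorMessages.getMessage(), str) : errorMessages.getMessage();
    }

    /**
     * Returns the tenant id held by the thread-local Carbon context.
     *
     * @return tenant id of the current thread's context
     */
    public static int getTenantID() {
        return PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId();
    }

    /**
     * Runs the scope validators registered for the requesting OAuth application.
     *
     * <p>A non-null token context selects the token flow; otherwise the authorization
     * context is used, so callers are expected to pass exactly one of the two. The method
     * returns {@code true} when the application registers no validators, which means a
     * {@code true} result only states that no application-level validator objected.
     *
     * @param oAuthTokenReqMessageContext token request context, or {@code null} for the
     *                                    authorization flow
     * @param oAuthAuthzReqMessageContext authorization request context, read only when the
     *                                    token context is {@code null}
     * @return {@code true} if no validator is registered or every registered validator
     *         passed; {@code false} as soon as one validator rejects the scopes
     * @throws IdentityOAuth2Exception if the application cannot be resolved, a validator
     *                                 fails, or a validator named by the application is not
     *                                 present in the server configuration
     */
    public static boolean validateByApplicationScopeValidator(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws IdentityOAuth2Exception {
        boolean tokenFlow = isATokenRequest(oAuthTokenReqMessageContext);
        OAuthAppDO oAuthAppDO = tokenFlow ? getOAuthAppDO(oAuthTokenReqMessageContext) : getOAuthAppDO(oAuthAuthzReqMessageContext);
        String[] scopeValidators = oAuthAppDO.getScopeValidators();
        if (ArrayUtils.isEmpty(scopeValidators)) {
            if (log.isDebugEnabled()) {
                log.debug(String.format("There is no scope validator registered for %s@%s", oAuthAppDO.getApplicationName(), OAuth2Util.getTenantDomainOfOauthApp(oAuthAppDO)));
            }
            return true;
        }
        // Mutable copy: every validator that actually runs is removed from it, so whatever
        // is left afterwards names validators the server does not know about.
        List<String> pendingValidators = new ArrayList<>(Arrays.asList(scopeValidators));
        boolean failed = tokenFlow
                ? hasScopeValidationFailed(oAuthTokenReqMessageContext, pendingValidators, null)
                : hasScopeValidationFailed(null, pendingValidators, oAuthAuthzReqMessageContext);
        if (failed) {
            return false;
        }
        if (pendingValidators.isEmpty()) {
            return true;
        }
        // Fail closed: a validator the application requires but the server cannot run must
        // not be treated as a pass.
        throw new IdentityOAuth2Exception(String.format("The scope validators %s registered for application %s@%s are not found in the server configuration ", StringUtils.join(pendingValidators, ", "), oAuthAppDO.getApplicationName(), OAuth2Util.getTenantDomainOfOauthApp(oAuthAppDO)));
    }

    /** Returns {@code true} when a token request context was supplied. */
    private static boolean isATokenRequest(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        return oAuthTokenReqMessageContext != null;
    }

    /**
     * Resolves the OAuth application for a token request: the instance stored in the
     * context under {@link #OAUTH_APP_DO_PROPERTY_NAME} if present, otherwise a lookup by
     * the client id of the access token request.
     *
     * @param oAuthTokenReqMessageContext token request context
     * @return the resolved application
     * @throws IdentityOAuth2Exception if the context carries no access token request, or the
     *                                 client id does not resolve to an application
     */
    private static OAuthAppDO getOAuthAppDO(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        OAuthAppDO oAuthAppDO = (OAuthAppDO) oAuthTokenReqMessageContext.getProperty(OAUTH_APP_DO_PROPERTY_NAME);
        if (oAuthAppDO != null) {
            return oAuthAppDO;
        }
        // The guard has to be "== null": the request object is dereferenced right below.
        // With "!= null" every valid request was rejected with the "was null" message and a
        // genuinely missing request object surfaced as a NullPointerException.
        if (oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO() == null) {
            throw new IdentityOAuth2Exception("OAuth2 Access Token Request Object was null when obtaining OAuth Application.");
        }
        String clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
        try {
            return OAuth2Util.getAppInformationByClientId(clientId);
        } catch (InvalidOAuthClientException e) {
            throw new IdentityOAuth2Exception("Error while retrieving OAuth application for client id: " + clientId, e);
        }
    }

    /**
     * Resolves the OAuth application for an authorization request: the instance stored in
     * the context under {@link #OAUTH_APP_DO_PROPERTY_NAME} if present, otherwise a lookup
     * by the consumer key of the authorization request.
     *
     * @param oAuthAuthzReqMessageContext authorization request context
     * @return the resolved application
     * @throws IdentityOAuth2Exception if the context carries no authorization request, or
     *                                 the consumer key does not resolve to an application
     */
    private static OAuthAppDO getOAuthAppDO(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws IdentityOAuth2Exception {
        OAuthAppDO oAuthAppDO = (OAuthAppDO) oAuthAuthzReqMessageContext.getProperty(OAUTH_APP_DO_PROPERTY_NAME);
        if (oAuthAppDO != null) {
            return oAuthAppDO;
        }
        // Same reasoning as the token-flow overload: reject only a missing request object.
        if (oAuthAuthzReqMessageContext.getAuthorizationReqDTO() == null) {
            throw new IdentityOAuth2Exception("Authorization Request Object was null when obtaining OAuth Application.");
        }
        String consumerKey = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getConsumerKey();
        try {
            return OAuth2Util.getAppInformationByClientId(consumerKey);
        } catch (InvalidOAuthClientException e) {
            throw new IdentityOAuth2Exception("Error while retrieving OAuth application for client id: " + consumerKey, e);
        }
    }

    /** Negates {@link #iterateOAuth2ScopeValidators}: {@code true} means a validator rejected the scopes. */
    private static boolean hasScopeValidationFailed(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, List<String> list, OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws IdentityOAuth2Exception {
        return !iterateOAuth2ScopeValidators(oAuthAuthzReqMessageContext, oAuthTokenReqMessageContext, list);
    }

    /**
     * Runs every server-configured validator whose name appears in {@code list} and removes
     * each name from {@code list} once that validator has run.
     *
     * @param oAuthAuthzReqMessageContext authorization context; when non-null it is the one
     *                                    validated
     * @param oAuthTokenReqMessageContext token context, validated when the authorization
     *                                    context is {@code null}
     * @param list                        mutable list of validator names required by the
     *                                    application; modified in place
     * @return {@code false} at the first validator that rejects the scopes, otherwise
     *         {@code true}
     * @throws IdentityOAuth2Exception if a validator fails with a user store error or
     *                                 raises this exception itself
     */
    private static boolean iterateOAuth2ScopeValidators(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, OAuthTokenReqMessageContext oAuthTokenReqMessageContext, List<String> list) throws IdentityOAuth2Exception {
        for (OAuth2ScopeValidator oAuth2ScopeValidator : OAuthServerConfiguration.getInstance().getOAuth2ScopeValidators()) {
            if (oAuth2ScopeValidator == null || !list.contains(oAuth2ScopeValidator.getValidatorName())) {
                continue;
            }
            if (log.isDebugEnabled()) {
                log.debug(String.format("Validating scope of token request using %s", oAuth2ScopeValidator.getValidatorName()));
            }
            boolean validateScope;
            if (oAuthAuthzReqMessageContext != null) {
                try {
                    validateScope = oAuth2ScopeValidator.validateScope(oAuthAuthzReqMessageContext);
                } catch (UserStoreException e) {
                    throw new IdentityOAuth2Exception("Error while validating scopes from application scope validator", e);
                }
            } else {
                validateScope = oAuth2ScopeValidator.validateScope(oAuthTokenReqMessageContext);
            }
            // Mark this validator as executed; the caller treats leftovers as unresolved.
            list.remove(oAuth2ScopeValidator.getValidatorName());
            if (!validateScope) {
                if (LoggerUtils.isDiagnosticLogsEnabled()) {
                    publishScopeValidationFailure(oAuth2ScopeValidator, oAuthAuthzReqMessageContext, oAuthTokenReqMessageContext);
                }
                return false;
            }
        }
        return true;
    }

    /** Emits the diagnostic log event for a rejected scope validation, with the client id and, when present, the requested scopes. */
    private static void publishScopeValidationFailure(OAuth2ScopeValidator oAuth2ScopeValidator, OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        HashMap<String, Object> configParams = new HashMap<>();
        configParams.put("applicationScopeValidator", oAuth2ScopeValidator.getValidatorName());
        HashMap<String, Object> inputParams = new HashMap<>();
        if (oAuthAuthzReqMessageContext != null) {
            inputParams.put("clientId", oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getConsumerKey());
            if (ArrayUtils.isNotEmpty(oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getScopes())) {
                inputParams.put("scopes", Arrays.asList(oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getScopes()));
            }
        } else {
            inputParams.put("clientId", oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId());
            if (ArrayUtils.isNotEmpty(oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getScope())) {
                inputParams.put("scopes", Arrays.asList(oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getScope()));
            }
        }
        LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", inputParams, "FAILED", "Scope validation failed against the configured application scope validator.", "validate-scope", configParams);
    }

    /**
     * Reads the {@code OAuth.EnableSystemLevelInternalSystemScopeManagement} property.
     *
     * @return {@code true} when the property is unset or empty; otherwise the result of
     *         {@link Boolean#parseBoolean(String)}, so any value other than "true"
     *         (ignoring case) disables the feature
     */
    public static boolean isSystemLevelInternalSystemScopeManagementEnabled() {
        String property = IdentityUtil.getProperty(OAUTH_ENABLE_SYSTEM_LEVEL_INTERNAL_SYSTEM_SCOPE_MANAGEMENT);
        if (StringUtils.isNotEmpty(property)) {
            return Boolean.parseBoolean(property);
        }
        return true;
    }

    /**
     * Filters a requested scope list down to internal and system scopes.
     *
     * @param strArr requested scopes; may be {@code null} or empty
     * @return the scopes that start with {@code Oauth2ScopeConstants.INTERNAL_SCOPE_PREFIX}
     *         (case-sensitive) or equal {@code Oauth2ScopeConstants.SYSTEM_SCOPE} ignoring
     *         case, in their original order; an empty array when the input is null or empty
     */
    public static String[] getRequestedScopes(String[] strArr) {
        if (ArrayUtils.isEmpty(strArr)) {
            return ArrayUtils.EMPTY_STRING_ARRAY;
        }
        List<String> requested = new ArrayList<>();
        for (String str : strArr) {
            if (str.startsWith(Oauth2ScopeConstants.INTERNAL_SCOPE_PREFIX) || str.equalsIgnoreCase(Oauth2ScopeConstants.SYSTEM_SCOPE)) {
                requested.add(str);
            }
        }
        return requested.toArray(new String[0]);
    }
}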
