package org.wso2.carbon.identity.oauth2.util;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.ClaimConfig;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.claim.metadata.mgt.ClaimMetadataHandler;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheEntry;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheKey;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenRespDTO;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.openidconnect.OIDCConstants;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/util/ClaimsUtil.class */
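public class ClaimsUtil {

    private static final Log log = LogFactory.getLog(ClaimsUtil.class);
    /** Inbound authentication type used when resolving the service provider that owns a client id. */
    private static final String INBOUND_AUTH2_TYPE = "oauth2";
    /** Dialect of the claims handed to the service provider (OIDC). */
    private static final String SP_DIALECT = "http://wso2.org/oidc/claim";
    /** URI prefix shared by every claim of the local (carbon) dialect. */
    private static final String LOCAL_CLAIM_DIALECT_PREFIX = "http://wso2.org/claims/";
    /** Tenant domain assumed when the token request does not carry one. */
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    /** Identity provider name reserved for the resident IdP. */
    private static final String RESIDENT_IDP_NAME = "LOCAL";
    /**
     * Token-loggable key that must be enabled (IdentityUtil.isTokenLoggable) before claim VALUES
     * are written to the debug log; claim values are user data and are not logged by default.
     */
    private static final String USER_CLAIMS_LOG_KEY = "UserClaims";

    /**
     * Tells whether a claim map is expressed in the local (carbon) dialect.
     * <p>
     * Only the first key is inspected (same contract as before); a map mixing dialects is not
     * detected. A null or empty map is reported as not local.
     *
     * @param map claim URI to value map
     * @return true if the first claim URI starts with {@value #LOCAL_CLAIM_DIALECT_PREFIX}
     */
    public static boolean isInLocalDialect(Map<String, String> map) {
        if (map == null || map.isEmpty()) {
            return false;
        }
        String firstClaimUri = map.keySet().iterator().next();
        return firstClaimUri != null && firstClaimUri.startsWith(LOCAL_CLAIM_DIALECT_PREFIX);
    }

    /**
     * Converts claims received from a federated IdP into the local dialect using the IdP claim
     * mappings and their configured default values.
     *
     * @param map             federated claims keyed by remote claim URI
     * @param claimMappingArr IdP claim mappings; when null or empty the input map is returned as-is
     * @param str             currently unused; kept for signature compatibility
     * @return claims keyed by local claim URI (the input map itself when no mappings exist)
     */
    public static Map<String, String> convertFederatedClaimsToLocalDialect(Map<String, String> map, ClaimMapping[] claimMappingArr, String str) {
        if (log.isDebugEnabled()) {
            log.debug("Converting federated user claims to local dialect. Converting claim urls: " + joinKeys(map));
        }
        if (ArrayUtils.isEmpty(claimMappingArr)) {
            return map;
        }
        // FrameworkUtils.getClaimMappings(..., true) is consumed as a local-claim -> remote-claim map; confirm against FrameworkUtils.
        Map<String, String> localClaims = mapRemoteClaimsToLocalClaims(map,
                FrameworkUtils.getClaimMappings(claimMappingArr, true), loadDefaultValuesForClaims(claimMappingArr));
        if (log.isDebugEnabled()) {
            log.debug("Converted federated user claims to local dialect. Converting claim urls: " + joinKeys(localClaims));
        }
        return localClaims;
    }

    /**
     * Returns the tenant domain of the token request, falling back to the super tenant when blank.
     */
    private static String resolveTenantDomain(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        String tenantDomain = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain();
        return StringUtils.isBlank(tenantDomain) ? SUPER_TENANT_DOMAIN : tenantDomain;
    }

    /**
     * Resolves the service provider that owns the client id of the token request.
     *
     * @return the service provider, or null when the management service does not know the application
     * @throws IdentityApplicationManagementException propagated from the application management service
     */
    private static ServiceProvider getServiceProvider(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityApplicationManagementException {
        String tenantDomain = resolveTenantDomain(oAuthTokenReqMessageContext);
        String clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
        ApplicationManagementService applicationMgtService = OAuth2ServiceComponentHolder.getApplicationMgtService();
        String applicationName = applicationMgtService.getServiceProviderNameByClientId(clientId, INBOUND_AUTH2_TYPE, tenantDomain);
        return applicationMgtService.getApplicationExcludingFileBasedSPs(applicationName, tenantDomain);
    }

    /**
     * Converts local-dialect claims to the OIDC dialect, keeping only claims the service provider
     * has marked as requested.
     *
     * @param oAuthTokenReqMessageContext token request context (client id, tenant, authorized user)
     * @param map                         claims keyed by local claim URI
     * @return OIDC claim URI to value map; empty when the service provider cannot be resolved
     * @throws IdentityApplicationManagementException propagated from service provider lookup
     * @throws IdentityException                      propagated from claim metadata lookup
     */
    public static Map<String, String> convertClaimsToOIDCDialect(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, Map<String, String> map) throws IdentityApplicationManagementException, IdentityException {
        Map<String, String> oidcClaims = new HashMap<>();
        String clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
        if (log.isDebugEnabled()) {
            log.debug("Converting user claims from local dialect to OIDC dialect for user: " + oAuthTokenReqMessageContext.getAuthorizedUser() + ", client id:" + clientId + ", converting claim urls: " + joinKeys(map));
        }
        String tenantDomain = resolveTenantDomain(oAuthTokenReqMessageContext);
        ServiceProvider serviceProvider = getServiceProvider(oAuthTokenReqMessageContext);
        if (serviceProvider == null) {
            return oidcClaims;
        }
        // Local claim URIs the SP explicitly requested; only these survive the conversion.
        List<String> requestedLocalClaims = new ArrayList<>();
        ClaimMapping[] spClaimMappings = serviceProvider.getClaimConfig().getClaimMappings();
        if (spClaimMappings != null) {
            for (ClaimMapping spClaimMapping : spClaimMappings) {
                if (spClaimMapping.isRequested()) {
                    requestedLocalClaims.add(spClaimMapping.getLocalClaim().getClaimUri());
                }
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("Requested number of local claims: " + requestedLocalClaims.size());
        }
        // With useCarbonDialectAsKey=false the entries are read as OIDC claim URI -> local claim URI; confirm against ClaimMetadataHandler.
        Map<String, String> oidcToLocal = ClaimMetadataHandler.getInstance()
                .getMappingsMapFromOtherDialectToCarbon(SP_DIALECT, (Set<String>) null, tenantDomain, false);
        for (Map.Entry<String, String> mapping : oidcToLocal.entrySet()) {
            String localClaimUri = mapping.getValue();
            String claimValue = map.get(localClaimUri);
            if (claimValue != null && requestedLocalClaims.contains(localClaimUri)) {
                oidcClaims.put(mapping.getKey(), claimValue);
                // Claim values are only logged when the operator opted in to user-claim logging.
                if (log.isDebugEnabled() && isUserClaimsInTokenLoggable()) {
                    log.debug("Mapped claim: key -  " + mapping.getKey() + " value -" + claimValue);
                }
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("Converted user claims from local dialect to OIDC dialect for user: " + oAuthTokenReqMessageContext.getAuthorizedUser() + ", client id:" + clientId + ", converted claim urls: " + joinKeys(oidcClaims));
        }
        return oidcClaims;
    }

    /**
     * Applies IdP and SP claim mappings to the claims extracted from an assertion.
     * <p>
     * When conversion to the OIDC dialect is disabled in the server configuration, or neither
     * the IdP nor the SP defines mappings, the claims are proxied unchanged and the
     * {@code HAS_NON_OIDC_CLAIMS} property is set on the context.
     *
     * @param identityProvider            federated IdP whose claim mappings are applied first
     * @param map                         claims as extracted from the assertion
     * @param str                         passed through to {@link #handleClaimsForIDP}
     * @param oAuthTokenReqMessageContext token request context
     * @return the mapped claims (may be the input map itself when proxied)
     * @throws IdentityException                      propagated from claim metadata lookup
     * @throws IdentityApplicationManagementException propagated from service provider lookup
     */
    public static Map<String, String> handleClaimMapping(IdentityProvider identityProvider, Map<String, String> map, String str, OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityException, IdentityApplicationManagementException {
        if (!OAuthServerConfiguration.getInstance().isConvertOriginalClaimsFromAssertionsToOIDCDialect()) {
            setHasNonOIDCClaimsProperty(oAuthTokenReqMessageContext);
            return map;
        }
        ClaimMapping[] idpClaimMappings = identityProvider.getClaimConfig().getClaimMappings();
        ServiceProvider serviceProvider = getServiceProvider(oAuthTokenReqMessageContext);
        String idpName = identityProvider.getIdentityProviderName();
        // Null-safe: the SP name only appears in debug output.
        String spName = serviceProvider == null ? null : serviceProvider.getApplicationName();
        boolean claimsLoggable = isUserClaimsInTokenLoggable() && log.isDebugEnabled();

        if (ArrayUtils.isNotEmpty(idpClaimMappings)) {
            if (log.isDebugEnabled()) {
                log.debug("Claim mappings exist for identity provider " + idpName);
            }
            Map<String, String> idpMappedClaims = handleClaimsForIDP(map, str, identityProvider, false, idpClaimMappings);
            if (claimsLoggable) {
                log.debug("Claims of user : " + oAuthTokenReqMessageContext.getAuthorizedUser() + " after IDP  claim mapping " + idpMappedClaims.toString());
            }
            if (!isSPRequestedClaimsExist(oAuthTokenReqMessageContext)) {
                if (claimsLoggable) {
                    log.debug("IDP claims exists, SP claims does not exist, for the identity provider " + idpName + ", service provider " + spName + ", hence cannot do claim mapping");
                }
                return new HashMap<>();
            }
            Map<String, String> oidcClaims = convertClaimsToOIDCDialect(oAuthTokenReqMessageContext, idpMappedClaims);
            return handleUnMappedClaims(oAuthTokenReqMessageContext, map, oidcClaims, idpClaimMappings);
        }

        if (claimsLoggable) {
            log.debug("IDP claims do not exist for, identity provider, " + idpName + ", hence directly copying custom claims, " + map.toString());
        }
        if (!isSPRequestedClaimsExist(oAuthTokenReqMessageContext)) {
            setHasNonOIDCClaimsProperty(oAuthTokenReqMessageContext);
            if (claimsLoggable) {
                log.debug("IDP claims and SP Claim mappings do not exists for, identity provider, " + idpName + ", and Service Provider, " + spName + ", hence claims are proxied, " + map.toString());
            }
            return map;
        }
        Map<String, String> spMappedClaims = convertClaimsToOIDCDialect(oAuthTokenReqMessageContext, map);
        if (claimsLoggable) {
            log.debug("IDP claims do not exist but SP Claim mappings exists for, identity provider, " + idpName + ", and Service Provider, " + spName + ", claims after SP mapping, " + spMappedClaims.toString());
        }
        return handleUnMappedClaims(oAuthTokenReqMessageContext, map, spMappedClaims, idpClaimMappings);
    }

    /** Whether the operator has enabled logging of user claim values. */
    private static boolean isUserClaimsInTokenLoggable() {
        return IdentityUtil.isTokenLoggable(USER_CLAIMS_LOG_KEY);
    }

    /** Marks the context so the grant cache entry records that non-OIDC claims are present. */
    private static void setHasNonOIDCClaimsProperty(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        oAuthTokenReqMessageContext.addProperty(OIDCConstants.HAS_NON_OIDC_CLAIMS, true);
    }

    /** True if at least one of the mappings is flagged as requested; null-safe. */
    private static boolean hasRequestedMapping(ClaimMapping[] claimMappings) {
        if (claimMappings == null) {
            return false;
        }
        for (ClaimMapping claimMapping : claimMappings) {
            if (claimMapping.isRequested()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Whether the service provider of the request has at least one requested claim mapping.
     *
     * @return false when the service provider cannot be resolved
     * @throws IdentityApplicationManagementException propagated from service provider lookup
     */
    private static boolean isSPRequestedClaimsExist(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityApplicationManagementException {
        ServiceProvider serviceProvider = getServiceProvider(oAuthTokenReqMessageContext);
        if (serviceProvider == null) {
            return false;
        }
        boolean requested = hasRequestedMapping(serviceProvider.getClaimConfig().getClaimMappings());
        if (requested && log.isDebugEnabled()) {
            log.debug("Service provider " + serviceProvider.getApplicationName() + " has requested claim mappings");
        }
        return requested;
    }

    /**
     * Adds the attributes that no mapping covered to the converted claims when
     * {@code AddUnmappedUserAttributes} is enabled; otherwise returns the converted claims unchanged.
     *
     * @param map             original attributes from the assertion
     * @param map2            claims after OIDC conversion (mutated in place when enabled)
     * @param claimMappingArr IdP claim mappings, may be null or empty
     */
    private static Map<String, String> handleUnMappedClaims(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, Map<String, String> map, Map<String, String> map2, ClaimMapping[] claimMappingArr) throws IdentityApplicationManagementException {
        boolean claimsLoggable = isUserClaimsInTokenLoggable() && log.isDebugEnabled();
        if (!OAuthServerConfiguration.getInstance().isAddUnmappedUserAttributes()) {
            if (claimsLoggable) {
                log.debug("AddUnMappedAttributes is set to false in identity level, hence OIDC claims after conversion, for the user : " + oAuthTokenReqMessageContext.getAuthorizedUser() + ", " + map2.toString());
            }
            return map2;
        }
        Map<String, String> completedClaims = addMissingClaims(oAuthTokenReqMessageContext, map, map2, claimMappingArr);
        setHasNonOIDCClaimsProperty(oAuthTokenReqMessageContext);
        if (claimsLoggable) {
            log.debug("AddUnMappedAttributes is set to true in identity level, hence OIDC claims after conversion, for the user : " + oAuthTokenReqMessageContext.getAuthorizedUser() + ", " + completedClaims.toString());
        }
        return completedClaims;
    }

    /**
     * Local claim URI the IdP mappings assign to a remote claim, or null when no mapping matches.
     */
    private static String findLocalClaimUri(String remoteClaimUri, ClaimMapping[] idpClaimMappings) {
        for (ClaimMapping idpClaimMapping : idpClaimMappings) {
            if (StringUtils.equals(idpClaimMapping.getRemoteClaim().getClaimUri(), remoteClaimUri)) {
                return idpClaimMapping.getLocalClaim().getClaimUri();
            }
        }
        return null;
    }

    /** True if the SP has a requested mapping whose local claim is the given URI; null-safe. */
    private static boolean isRequestedBySp(String localClaimUri, ClaimMapping[] spClaimMappings) {
        if (spClaimMappings == null) {
            return false;
        }
        for (ClaimMapping spClaimMapping : spClaimMappings) {
            if (spClaimMapping.isRequested()
                    && StringUtils.equals(spClaimMapping.getLocalClaim().getClaimUri(), localClaimUri)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Copies every attribute that is not already covered by a requested SP claim mapping into
     * {@code map2}. Attributes with an IdP mapping are added under their local claim URI, all
     * others under their original key.
     *
     * @param map             original attributes from the assertion
     * @param map2            converted claims, mutated in place and returned
     * @param claimMappingArr IdP claim mappings; null or empty means "no IdP mapping"
     */
    private static Map<String, String> addMissingClaims(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, Map<String, String> map, Map<String, String> map2, ClaimMapping[] claimMappingArr) throws IdentityApplicationManagementException {
        boolean claimsLoggable = isUserClaimsInTokenLoggable() && log.isDebugEnabled();
        ServiceProvider serviceProvider = getServiceProvider(oAuthTokenReqMessageContext);
        ClaimMapping[] spClaimMappings = serviceProvider == null ? null : serviceProvider.getClaimConfig().getClaimMappings();
        AuthenticatedUser authorizedUser = oAuthTokenReqMessageContext.getAuthorizedUser();
        boolean idpMappingsPresent = ArrayUtils.isNotEmpty(claimMappingArr);

        for (Map.Entry<String, String> attribute : map.entrySet()) {
            String claimKey = attribute.getKey();
            String claimValue = attribute.getValue();

            if (!idpMappingsPresent) {
                if (isRequestedBySp(claimKey, spClaimMappings)) {
                    continue;
                }
                if (claimsLoggable) {
                    log.debug("SP Claim mapping does not exist for " + claimKey + ", hence adding value " + claimValue + " for the user : " + authorizedUser);
                }
                map2.put(claimKey, claimValue);
                continue;
            }

            String localClaimUri = findLocalClaimUri(claimKey, claimMappingArr);
            if (localClaimUri == null) {
                if (claimsLoggable) {
                    log.debug("IDP Claim mapping does not exist for " + claimKey + ", hence adding value " + claimValue + " for the user : " + authorizedUser);
                }
                map2.put(claimKey, claimValue);
                continue;
            }
            if (isRequestedBySp(localClaimUri, spClaimMappings)) {
                continue;
            }
            if (claimsLoggable) {
                log.debug("IDP Claim mapping exist, but SP Claim mapping does not exist for " + localClaimUri + ", hence adding value " + claimValue + " for the user : " + authorizedUser);
            }
            map2.put(localClaimUri, claimValue);
        }

        if (claimsLoggable) {
            log.debug("Final set of claims for the user : " + authorizedUser + ": " + map2.toString());
        }
        return map2;
    }

    /**
     * Whether the identity provider is the resident (local) one.
     */
    public static boolean isResidentIdp(IdentityProvider identityProvider) {
        return RESIDENT_IDP_NAME.equals(identityProvider.getIdentityProviderName());
    }

    /**
     * Builds a local-dialect claim map from remote claims.
     *
     * @param map  remote claim URI to value
     * @param map2 local claim URI to remote claim URI (the mappings to apply)
     * @param map3 local claim URI to default value, used when the remote value is empty
     * @return local claim URI to value; claims with neither a value nor a default are omitted
     */
    public static Map<String, String> mapRemoteClaimsToLocalClaims(Map<String, String> map, Map<String, String> map2, Map<String, String> map3) {
        Map<String, String> localClaims = new HashMap<>();
        for (Map.Entry<String, String> mapping : map2.entrySet()) {
            String localClaimUri = mapping.getKey();
            String value = map.get(mapping.getValue());
            if (StringUtils.isEmpty(value)) {
                value = map3.get(localClaimUri);
            }
            if (StringUtils.isNotEmpty(value)) {
                localClaims.put(localClaimUri, value);
            }
        }
        return localClaims;
    }

    /**
     * Collects the non-empty default values of the mappings, keyed by local claim URI.
     *
     * @param claimMappingArr claim mappings; null yields an empty map
     */
    public static Map<String, String> loadDefaultValuesForClaims(ClaimMapping[] claimMappingArr) {
        Map<String, String> defaults = new HashMap<>();
        if (claimMappingArr == null) {
            return defaults;
        }
        for (ClaimMapping claimMapping : claimMappingArr) {
            String defaultValue = claimMapping.getDefaultValue();
            if (StringUtils.isNotEmpty(defaultValue)) {
                defaults.put(claimMapping.getLocalClaim().getClaimUri(), defaultValue);
            }
        }
        return defaults;
    }

    /**
     * Reads the attributes of every AttributeStatement of the assertion. Multi-valued attributes
     * are joined with {@code str}; the attribute name is used as the claim key.
     * <p>
     * Attribute values are only written to the debug log when user-claim logging is enabled,
     * matching the other claim-value logging in this class.
     *
     * @param oAuthTokenReqMessageContext used for the client id in debug output
     * @param oAuth2AccessTokenRespDTO    currently unused; kept for signature compatibility
     * @param assertion                   the (already marshalled) SAML assertion
     * @param str                         separator placed between multiple values of one attribute
     * @return attribute name to joined value; empty when the assertion has no attribute statements
     */
    public static Map<String, String> extractClaimsFromAssertion(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, OAuth2AccessTokenRespDTO oAuth2AccessTokenRespDTO, Assertion assertion, String str) {
        Map<String, String> claims = new HashMap<>();
        List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
        if (CollectionUtils.isEmpty(attributeStatements)) {
            if (log.isDebugEnabled()) {
                log.debug("No AttributeStatement found in the request for client with id: " + oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId());
            }
            return claims;
        }
        boolean claimsLoggable = log.isDebugEnabled() && isUserClaimsInTokenLoggable();
        for (AttributeStatement attributeStatement : attributeStatements) {
            for (Attribute attribute : attributeStatement.getAttributes()) {
                List<XMLObject> attributeValues = attribute.getAttributeValues();
                if (attributeValues == null || attributeValues.isEmpty()) {
                    continue;
                }
                String joinedValue = null;
                for (XMLObject attributeValue : attributeValues) {
                    // getDOM() is expected to be populated for an unmarshalled assertion.
                    String textContent = attributeValue.getDOM().getTextContent();
                    if (claimsLoggable) {
                        log.debug("Attribute: " + attribute.getName() + ", Value: " + textContent);
                    }
                    joinedValue = StringUtils.isBlank(joinedValue) ? textContent : joinedValue + str + textContent;
                }
                claims.put(attribute.getName(), joinedValue);
            }
        }
        return claims;
    }

    /**
     * Converts IdP claims to the local dialect when mappings exist, otherwise accepts them only
     * if they are already local.
     *
     * @param map              claims from the assertion
     * @param str              passed through to {@link #convertFederatedClaimsToLocalDialect}
     * @param identityProvider the federated IdP
     * @param z                true to skip the mapping step and treat the claims as local
     * @param claimMappingArr  IdP claim mappings; null or empty means no conversion
     */
    public static Map<String, String> handleClaimsForIDP(Map<String, String> map, String str, IdentityProvider identityProvider, boolean z, ClaimMapping[] claimMappingArr) {
        if (z || ArrayUtils.isEmpty(claimMappingArr)) {
            return handleLocalClaims(map, identityProvider);
        }
        Map<String, String> localClaims = convertFederatedClaimsToLocalDialect(map, claimMappingArr, str);
        if (log.isDebugEnabled()) {
            log.debug("IDP claims dialect is not local. Converted claims for identity provider: " + identityProvider.getIdentityProviderName());
        }
        return localClaims;
    }

    /**
     * Handles claims of the resident IdP: they are accepted when the IdP is configured for the
     * local dialect, or when the claims themselves are in the local dialect.
     *
     * @return the claims, or an empty map when they cannot be handled
     */
    public static Map<String, String> handleClaimsForResidentIDP(Map<String, String> map, IdentityProvider identityProvider) {
        if (identityProvider.getClaimConfig().isLocalClaimDialect()) {
            return handleLocalClaims(map, identityProvider);
        }
        if (isInLocalDialect(map)) {
            if (log.isDebugEnabled()) {
                log.debug("IDP claims dialect is not local. But claims are in local dialect for identity provider: " + identityProvider.getIdentityProviderName() + ". Using attributes in assertion as the IDP claims.");
            }
            return map;
        }
        if (log.isDebugEnabled()) {
            log.debug("IDP claims dialect is not local. These claims are not handled for identity provider: " + identityProvider.getIdentityProviderName());
        }
        return new HashMap<>();
    }

    /**
     * Stores the user attributes in the authorization grant cache, keyed by the issued access token.
     *
     * @param oAuth2AccessTokenRespDTO    issued token (key), token id and expiry
     * @param oAuthTokenReqMessageContext source of the subject identifier and the non-OIDC-claims flag
     * @param map                         user attributes to cache
     */
    public static void addUserAttributesToCache(OAuth2AccessTokenRespDTO oAuth2AccessTokenRespDTO, OAuthTokenReqMessageContext oAuthTokenReqMessageContext, Map<ClaimMapping, String> map) {
        AuthorizationGrantCacheKey cacheKey = new AuthorizationGrantCacheKey(oAuth2AccessTokenRespDTO.getAccessToken());
        AuthorizationGrantCacheEntry cacheEntry = new AuthorizationGrantCacheEntry(map);
        cacheEntry.setSubjectClaim(oAuthTokenReqMessageContext.getAuthorizedUser().getAuthenticatedSubjectIdentifier());
        // Absent (or non-Boolean) property means no non-OIDC claims were recorded.
        Object hasNonOidcClaims = oAuthTokenReqMessageContext.getProperty(OIDCConstants.HAS_NON_OIDC_CLAIMS);
        cacheEntry.setHasNonOIDCClaims(hasNonOidcClaims instanceof Boolean && (Boolean) hasNonOidcClaims);
        String tokenId = oAuth2AccessTokenRespDTO.getTokenId();
        if (StringUtils.isNotBlank(tokenId)) {
            cacheEntry.setTokenId(tokenId);
        }
        // The validity period is handed over in nanoseconds; confirm against AuthorizationGrantCacheEntry.
        cacheEntry.setValidityPeriod(TimeUnit.MILLISECONDS.toNanos(oAuth2AccessTokenRespDTO.getExpiresInMillis()));
        AuthorizationGrantCache.getInstance().addToCacheByToken(cacheKey, cacheEntry);
    }

    /**
     * Accepts the claims as-is when they are in the local dialect, otherwise returns an empty map.
     */
    private static Map<String, String> handleLocalClaims(Map<String, String> map, IdentityProvider identityProvider) {
        if (isInLocalDialect(map)) {
            if (log.isDebugEnabled()) {
                log.debug("Claims are in local dialect for identity provider: " + identityProvider.getIdentityProviderName() + ". Using attributes in assertion as the IDP claims.");
            }
            return map;
        }
        if (log.isDebugEnabled()) {
            log.debug("Claims are not in local dialect for identity provider: " + identityProvider.getIdentityProviderName() + ". Not considering attributes in assertion.");
        }
        return new HashMap<>();
    }

    /**
     * Joins the keys of a map as {@code "k1,k2,"} (trailing separator kept for log compatibility).
     * Only claim URIs are rendered, never values.
     */
    private static String joinKeys(Map<String, String> map) {
        StringBuilder sb = new StringBuilder();
        for (String key : map.keySet()) {
            sb.append(key).append(",");
        }
        return sb.toString();
    }
}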
