package org.wso2.carbon.identity.oauth2.validators;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.model.ClaimConfig;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.RoleMapping;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.cache.OAuthScopeBindingCache;
import org.wso2.carbon.identity.oauth.cache.OAuthScopeBindingCacheKey;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2ScopeServerException;
import org.wso2.carbon.identity.oauth2.OAuth2Constants;
import org.wso2.carbon.identity.oauth2.Oauth2ScopeConstants;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.bean.Scope;
import org.wso2.carbon.identity.oauth2.bean.ScopeBinding;
import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.user.api.AuthorizationManager;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/validators/JDBCPermissionBasedInternalScopeValidator.class */
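/**
 * Validates the {@code internal_}-prefixed scopes of an OAuth2 token or authorization request against the
 * permission tree the authenticated user holds in the tenant's {@link AuthorizationManager}.
 * <p>
 * Only scopes starting with {@code internal_} (plus the special {@link Oauth2ScopeConstants#SYSTEM_SCOPE}) are
 * considered; every other requested scope is dropped by this validator. A scope whose bindings are of type
 * {@code PERMISSION} is granted when each permission it is bound to lies under a permission the user holds.
 * Users holding {@code /} or {@code /permission} receive every permission-type scope; users holding
 * {@code /permission/admin} receive every permission-type scope except the requested ones that are bound
 * outside {@code /permission/admin}.
 * <p>
 * Realm lookups run inside a Carbon tenant flow for the user's tenant, which is always ended before returning.
 * Failures while talking to the realm, the scope DAO or the identity-provider manager are logged and treated as
 * "no scopes allowed" (fail closed).
 */
public class JDBCPermissionBasedInternalScopeValidator {

    private static final String PERMISSION_ROOT = "/permission";
    private static final String PERMISSION_BINDING_TYPE = "PERMISSION";
    private static final String ROOT = "/";
    private static final String ADMIN_PERMISSION_ROOT = "/permission/admin";
    private static final String INTERNAL_SCOPE_PREFIX = "internal_";
    // Pseudo-permission appended to every user's allowed resources so that scopes bound to it are open to all.
    private static final String EVERYONE_PERMISSION = "everyone_permission";
    private static final Log log = LogFactory.getLog(JDBCPermissionBasedInternalScopeValidator.class);
    // Separator used when a single claim value carries several groups.
    private static final String ATTRIBUTE_SEPARATOR = FrameworkUtils.getMultiAttributeSeparator();

    /**
     * Validates the internal scopes of a token request.
     *
     * @param oAuthTokenReqMessageContext token request context carrying the requested scopes, the authorized
     *                                    user and the client id
     * @return the requested internal scopes the user is allowed; {@code null} when the request carries no
     *         scopes at all, an empty array when none of them is an internal scope. When the SYSTEM scope is
     *         requested, every internal scope the user is allowed is returned instead of the intersection.
     */
    public String[] validateScope(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {

        String[] requestedScopes = getRequestedScopes(oAuthTokenReqMessageContext.getScope());
        if (ArrayUtils.isEmpty(requestedScopes)) {
            return requestedScopes;
        }
        List<Scope> userAllowedScopes = getUserAllowedScopes(oAuthTokenReqMessageContext.getAuthorizedUser(),
                requestedScopes, oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId());
        return filterToRequested(requestedScopes, getScopes(userAllowedScopes));
    }

    /**
     * Validates the internal scopes of an authorization request.
     *
     * @param oAuthAuthzReqMessageContext authorization request context carrying the requested scopes, the user
     *                                    and the consumer key
     * @return the requested internal scopes the user is allowed; {@code null} when the request carries no
     *         scopes at all, an empty array when none of them is an internal scope. When the SYSTEM scope is
     *         requested, every internal scope the user is allowed is returned instead of the intersection.
     */
    public String[] validateScope(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) {

        String[] requestedScopes =
                getRequestedScopes(oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getScopes());
        if (ArrayUtils.isEmpty(requestedScopes)) {
            return requestedScopes;
        }
        List<Scope> userAllowedScopes = getUserAllowedScopes(
                oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getUser(), requestedScopes,
                oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getConsumerKey());
        return filterToRequested(requestedScopes, getScopes(userAllowedScopes));
    }

    /**
     * Intersects the requested scopes with the scopes the user is allowed, preserving request order.
     * When the SYSTEM scope was requested the full allowed set is returned unfiltered.
     *
     * @param requestedScopes   internal scopes taken from the request (never empty here)
     * @param userAllowedScopes names of the scopes the user is entitled to
     * @return the granted scope names
     */
    private String[] filterToRequested(String[] requestedScopes, String[] userAllowedScopes) {

        // The SYSTEM scope is matched case-sensitively here (and in getUserAllowedScopes), while
        // getRequestedScopes accepts it case-insensitively; a differently-cased "SYSTEM" therefore falls through
        // to the intersection below and, matching no scope name, is silently dropped.
        if (ArrayUtils.contains(requestedScopes, Oauth2ScopeConstants.SYSTEM_SCOPE)) {
            return userAllowedScopes;
        }
        List<String> grantedScopes = new ArrayList<>();
        for (String requestedScope : requestedScopes) {
            if (ArrayUtils.contains(userAllowedScopes, requestedScope)) {
                grantedScopes.add(requestedScope);
            }
        }
        return grantedScopes.toArray(new String[0]);
    }

    /**
     * Keeps only the scopes this validator is responsible for: those prefixed with {@code internal_} and the
     * SYSTEM scope (compared case-insensitively).
     *
     * @param scopes scopes as requested, may be {@code null}
     * @return the internal scopes, or {@code null} when {@code scopes} is {@code null} (callers pass that
     *         through unchanged)
     */
    private String[] getRequestedScopes(String[] scopes) {

        if (scopes == null) {
            return null;
        }
        List<String> internalScopes = new ArrayList<>();
        for (String scope : scopes) {
            if (scope != null && (scope.startsWith(INTERNAL_SCOPE_PREFIX)
                    || scope.equalsIgnoreCase(Oauth2ScopeConstants.SYSTEM_SCOPE))) {
                internalScopes.add(scope);
            }
        }
        return internalScopes.toArray(new String[0]);
    }

    /**
     * Maps scope objects to their names.
     *
     * @param scopes scopes to map
     * @return the scope names, in iteration order
     */
    private String[] getScopes(List<Scope> scopes) {

        return scopes.stream().map(Scope::getName).toArray(String[]::new);
    }

    /**
     * Resolves the permission-type scopes the user is entitled to, within a tenant flow of the user's tenant.
     * <p>
     * Resolution order: users with {@code /} or {@code /permission} get every permission-type scope; users with
     * {@code /permission/admin} get {@link #getAdminAllowedScopes}; everyone else gets each requested scope whose
     * bound permissions are all covered by the user's allowed UI resources. Any realm, scope-DAO or IdP lookup
     * failure is logged and whatever was collected so far (usually nothing) is returned.
     *
     * @param authenticatedUser user whose permissions are checked
     * @param requestedScopes   internal scopes from the request, may be {@code null}
     * @param clientId          client id / consumer key of the requesting application
     * @return the allowed scopes; empty when {@code requestedScopes} is {@code null} or a lookup fails
     */
    private List<Scope> getUserAllowedScopes(AuthenticatedUser authenticatedUser, String[] requestedScopes,
                                             String clientId) {

        List<Scope> userAllowedScopes = new ArrayList<>();
        if (requestedScopes == null) {
            return userAllowedScopes;
        }
        boolean isSystemScopeRequested = ArrayUtils.contains(requestedScopes, Oauth2ScopeConstants.SYSTEM_SCOPE);
        String tenantDomain = authenticatedUser.getTenantDomain();
        // Resolved before the tenant flow starts so that a failure here cannot leave an unmatched endTenantFlow().
        int tenantId = IdentityTenantUtil.getTenantId(tenantDomain);
        try {
            startTenantFlow(tenantDomain, tenantId);
            AuthorizationManager authorizationManager = OAuthComponentServiceHolder.getInstance().getRealmService()
                    .getTenantUserRealm(tenantId).getAuthorizationManager();
            String[] allowedUIResources = resolveAllowedUIResources(authenticatedUser, authorizationManager, clientId);
            Set<Scope> scopesOfPermissionType = getScopesOfPermissionType(tenantId);

            if (ArrayUtils.contains(allowedUIResources, ROOT)
                    || ArrayUtils.contains(allowedUIResources, PERMISSION_ROOT)) {
                return new ArrayList<>(scopesOfPermissionType);
            }
            if (ArrayUtils.contains(allowedUIResources, ADMIN_PERMISSION_ROOT)) {
                // NOTE(review): when the SYSTEM scope is requested, requestedScopes names no individual scope, so
                // getAdminAllowedScopes removes nothing and the admin-permission user receives every
                // permission-type scope, including those bound outside /permission/admin. Confirm this is intended.
                return new ArrayList<>(getAdminAllowedScopes(scopesOfPermissionType, requestedScopes));
            }
            for (Scope scope : scopesOfPermissionType) {
                boolean considered = isSystemScopeRequested
                        || ArrayUtils.contains(requestedScopes, scope.getName());
                if (considered && isScopeCoveredByPermissions(scope, allowedUIResources)) {
                    userAllowedScopes.add(scope);
                }
            }
        } catch (UserStoreException e) {
            log.error("Error while accessing Authorization Manager.", e);
        } catch (IdentityOAuth2ScopeServerException e) {
            log.error("Error while retrieving oAuth2 scopes.", e);
        } catch (IdentityOAuth2Exception e) {
            log.error("Error while accessing identity provider manager.", e);
        } finally {
            endTenantFlow();
        }
        return userAllowedScopes;
    }

    /**
     * Picks the permission source for the user: a federated user whose service provider is not configured to
     * always send the mapped local subject id gets permissions only through IdP role mappings; every other user
     * (local, or federated but mapped to a local subject) is looked up directly in the authorization manager.
     *
     * @throws UserStoreException     if the authorization manager lookup fails
     * @throws IdentityOAuth2Exception if the service provider or its claim configuration cannot be resolved
     */
    private String[] resolveAllowedUIResources(AuthenticatedUser authenticatedUser,
                                               AuthorizationManager authorizationManager, String clientId)
            throws UserStoreException, IdentityOAuth2Exception {

        if (authenticatedUser.isFederatedUser() && !isSPAlwaysSendMappedLocalSubjectId(clientId)) {
            return getAllowedUIResourcesForNotAssociatedFederatedUser(authenticatedUser, authorizationManager);
        }
        return getAllowedUIResourcesOfUser(authenticatedUser, authorizationManager);
    }

    /**
     * A scope is covered when every permission in each of its {@code PERMISSION}-type bindings lies under one of
     * the user's allowed UI resources. Bindings of other types are ignored.
     * <p>
     * NOTE(review): a scope with no {@code PERMISSION} binding is vacuously covered and therefore granted to any
     * requester; confirm that such scopes cannot exist or are meant to be public.
     */
    private boolean isScopeCoveredByPermissions(Scope scope, String[] allowedUIResources) {

        for (ScopeBinding scopeBinding : scope.getScopeBindings()) {
            if (!PERMISSION_BINDING_TYPE.equalsIgnoreCase(scopeBinding.getBindingType())) {
                continue;
            }
            for (String permission : scopeBinding.getBindings()) {
                if (!isPermissionCovered(permission, allowedUIResources)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Path-prefix check: {@code permission} is covered when it equals, or lies beneath, an allowed resource.
     * Both sides get a trailing {@code /} so that {@code /permission/admin} covers {@code /permission/admin/x}
     * but not {@code /permission/administrator}.
     */
    private boolean isPermissionCovered(String permission, String[] allowedUIResources) {

        String permissionPath = permission + ROOT;
        for (String allowedResource : allowedUIResources) {
            if (permissionPath.startsWith(allowedResource + ROOT)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reads the "always send mapped local subject id" flag from the claim configuration of the service provider
     * registered for {@code clientId}.
     *
     * @throws IdentityOAuth2Exception if no service provider, or no claim configuration, exists for the client id
     */
    private boolean isSPAlwaysSendMappedLocalSubjectId(String clientId) throws IdentityOAuth2Exception {

        ServiceProvider serviceProvider = OAuth2Util.getServiceProvider(clientId);
        if (serviceProvider == null) {
            throw new IdentityOAuth2Exception("Unable to find service provider for client id " + clientId);
        }
        ClaimConfig claimConfig = serviceProvider.getClaimConfig();
        if (claimConfig == null) {
            throw new IdentityOAuth2Exception(
                    "Unable to find claim configuration for service provider of client id " + clientId);
        }
        return claimConfig.isAlwaysSendMappedLocalSubjectId();
    }

    /**
     * Builds the allowed UI resources of a federated user that has no local account: the groups released in the
     * user's attributes are matched against the IdP's role mappings, and the allowed resources of each matched
     * local role are collected (deduplicated, order preserved). {@link #EVERYONE_PERMISSION} is always appended.
     *
     * @throws UserStoreException     if the role lookup in the authorization manager fails
     * @throws IdentityOAuth2Exception if the identity provider cannot be resolved
     */
    private String[] getAllowedUIResourcesForNotAssociatedFederatedUser(AuthenticatedUser authenticatedUser,
                                                                        AuthorizationManager authorizationManager)
            throws UserStoreException, IdentityOAuth2Exception {

        IdentityProvider federatedIdP = OAuth2Util.getIdentityProvider(authenticatedUser.getFederatedIdPName(),
                authenticatedUser.getTenantDomain());
        List<String> federatedUserGroups = getValuesOfGroupsFromUserAttributes(authenticatedUser.getUserAttributes());
        List<String> localRoles = new ArrayList<>();
        // A missing IdP or role configuration yields no local roles (fail closed) instead of a NullPointerException.
        if (CollectionUtils.isNotEmpty(federatedUserGroups) && federatedIdP != null
                && federatedIdP.getPermissionAndRoleConfig() != null
                && federatedIdP.getPermissionAndRoleConfig().getRoleMappings() != null) {
            for (RoleMapping roleMapping : federatedIdP.getPermissionAndRoleConfig().getRoleMappings()) {
                if (roleMapping == null || roleMapping.getLocalRole() == null) {
                    continue;
                }
                String localRoleName = roleMapping.getLocalRole().getLocalRoleName();
                // NOTE(review): the released group values are compared with the *local* role name of each
                // mapping, not the remote role; confirm this is the intended mapping direction.
                if (federatedUserGroups.contains(localRoleName)) {
                    localRoles.add(localRoleName);
                }
            }
        }

        List<String> allowedUIResources = new ArrayList<>();
        for (String localRole : localRoles) {
            for (String resource : authorizationManager.getAllowedUIResourcesForRole(localRole, ROOT)) {
                if (!allowedUIResources.contains(resource)) {
                    allowedUIResources.add(resource);
                }
            }
        }
        allowedUIResources.add(EVERYONE_PERMISSION);
        return allowedUIResources.toArray(new String[0]);
    }

    /**
     * Extracts the groups claim from the user's attributes and splits its value on the configured
     * multi-attribute separator.
     *
     * @param userAttributes claim mappings of the authenticated user, may be {@code null}
     * @return the group values; empty when the attributes are empty or carry no groups claim
     */
    private List<String> getValuesOfGroupsFromUserAttributes(Map<ClaimMapping, String> userAttributes) {

        if (MapUtils.isEmpty(userAttributes)) {
            return new ArrayList<>();
        }
        for (Map.Entry<ClaimMapping, String> entry : userAttributes.entrySet()) {
            ClaimMapping claimMapping = entry.getKey();
            if (claimMapping.getRemoteClaim() == null
                    || !StringUtils.equals(claimMapping.getRemoteClaim().getClaimUri(), OAuth2Constants.GROUPS)) {
                continue;
            }
            String groupsValue = entry.getValue();
            if (groupsValue == null) {
                return new ArrayList<>();
            }
            // Pattern.quote: the separator is configuration, not a regex.
            return Arrays.asList(groupsValue.split(Pattern.quote(ATTRIBUTE_SEPARATOR)));
        }
        return new ArrayList<>();
    }

    /**
     * Allowed UI resources of a user that exists in the tenant realm (domain-qualified user name), with
     * {@link #EVERYONE_PERMISSION} appended.
     *
     * @throws UserStoreException if the authorization manager lookup fails
     */
    private String[] getAllowedUIResourcesOfUser(AuthenticatedUser authenticatedUser,
                                                 AuthorizationManager authorizationManager)
            throws UserStoreException {

        String domainQualifiedUserName = IdentityUtil.addDomainToName(authenticatedUser.getUserName(),
                authenticatedUser.getUserStoreDomain());
        String[] allowedUIResources = authorizationManager.getAllowedUIResourcesForUser(domainQualifiedUserName, ROOT);
        return (String[]) ArrayUtils.add(allowedUIResources, EVERYONE_PERMISSION);
    }

    /**
     * Loads every scope of binding type {@code PERMISSION} for the tenant, served from
     * {@link OAuthScopeBindingCache} when present. Only a non-empty result is written to the cache, so an empty
     * scope table is re-queried on every call.
     *
     * @throws IdentityOAuth2ScopeServerException if the scope DAO lookup fails
     */
    private Set<Scope> getScopesOfPermissionType(int tenantId) throws IdentityOAuth2ScopeServerException {

        OAuthScopeBindingCacheKey cacheKey = new OAuthScopeBindingCacheKey(PERMISSION_BINDING_TYPE, tenantId);
        Scope[] cachedScopes = OAuthScopeBindingCache.getInstance().getValueFromCache(cacheKey);
        if (cachedScopes != null) {
            return Arrays.stream(cachedScopes).collect(Collectors.toSet());
        }
        Set<Scope> scopes = OAuthTokenPersistenceFactory.getInstance().getOAuthScopeDAO()
                .getScopes(tenantId, PERMISSION_BINDING_TYPE);
        if (CollectionUtils.isNotEmpty(scopes)) {
            OAuthScopeBindingCache.getInstance().addToCache(cacheKey, scopes.toArray(new Scope[0]));
        }
        return scopes;
    }

    /**
     * Starts a Carbon tenant flow on the current thread for the given tenant; must be paired with
     * {@link #endTenantFlow()}.
     */
    private void startTenantFlow(String tenantDomain, int tenantId) {

        PrivilegedCarbonContext.startTenantFlow();
        PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(tenantId);
        PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain);
    }

    /** Ends the tenant flow started by {@link #startTenantFlow(String, int)}. */
    private void endTenantFlow() {

        PrivilegedCarbonContext.endTenantFlow();
    }

    /**
     * Scopes allowed to a user holding {@code /permission/admin}: all permission-type scopes, minus those
     * requested scopes that are bound to a permission outside {@code /permission/admin} (other than
     * {@link #EVERYONE_PERMISSION}). Scopes that were not requested are left in the set untouched.
     *
     * @param scopesOfPermissionType all permission-type scopes of the tenant
     * @param requestedScopes        internal scopes from the request
     * @return a new set of the scopes the admin user may receive
     */
    private Set<Scope> getAdminAllowedScopes(Set<Scope> scopesOfPermissionType, String[] requestedScopes) {

        Set<Scope> adminAllowedScopes = new HashSet<>(scopesOfPermissionType);
        for (Scope scope : scopesOfPermissionType) {
            if (ArrayUtils.contains(requestedScopes, scope.getName()) && hasPermissionOutsideAdminRoot(scope)) {
                adminAllowedScopes.remove(scope);
            }
        }
        return adminAllowedScopes;
    }

    /**
     * Whether any {@code PERMISSION}-type binding of the scope names a permission that neither starts with
     * {@code /permission/admin} nor equals {@link #EVERYONE_PERMISSION}.
     * <p>
     * NOTE(review): this is a plain string prefix check without a trailing separator, unlike
     * {@link #isPermissionCovered}; a permission such as {@code /permission/administrator} would count as being
     * under the admin root. Confirm whether segment-aware matching is wanted here too.
     */
    private boolean hasPermissionOutsideAdminRoot(Scope scope) {

        for (ScopeBinding scopeBinding : scope.getScopeBindings()) {
            if (!PERMISSION_BINDING_TYPE.equalsIgnoreCase(scopeBinding.getBindingType())) {
                continue;
            }
            for (String permission : scopeBinding.getBindings()) {
                if (!permission.startsWith(ADMIN_PERMISSION_ROOT) && !permission.equals(EVERYONE_PERMISSION)) {
                    return true;
                }
            }
        }
        return false;
    }
}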
