package org.wso2.carbon.identity.oauth2.validators;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.IdentityOAuthAdminException;
import org.wso2.carbon.identity.oauth.cache.CacheEntry;
import org.wso2.carbon.identity.oauth.cache.OAuthCache;
import org.wso2.carbon.identity.oauth.cache.OAuthCacheKey;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2ScopeServerException;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.bean.Scope;
import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
import org.wso2.carbon.identity.oauth2.device.constants.Constants;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.model.ResourceScopeCacheEntry;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/validators/JDBCScopeValidator.class */
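public class JDBCScopeValidator extends OAuth2ScopeValidator {

    /**
     * System property name: when {@code true}, a federated user's roles are taken from the SAML assertion and the
     * user-store role lookup is skipped during scope validation.
     */
    public static final String CHECK_ROLES_FROM_SAML_ASSERTION = "checkRolesFromSamlAssertion";
    /**
     * System property name: when {@code true}, roles of a federated user are still retrieved from the user store
     * for scope validation.
     */
    public static final String RETRIEVE_ROLES_FROM_USERSTORE_FOR_SCOPE_VALIDATION =
            "retrieveRolesFromUserStoreForScopeValidation";
    private static final String SCOPE_VALIDATOR_NAME = "Role based scope validator";
    private static final String OPENID = "openid";
    // Role domain whose roles are matched case-insensitively as a fallback when the exact match fails.
    private static final String INTERNAL_DOMAIN = "Internal";
    // Tenant id for which no tenant flow is started before the user-store lookup (the literal the original used).
    private static final int SUPER_TENANT_ID = -1234;
    private static final Log log = LogFactory.getLog(JDBCScopeValidator.class);

    /**
     * Validates that {@code accessTokenDO} may access {@code resource}: the resource's protecting scope (resolved
     * through the OAuth cache, then the token management DAO) must be present in the token, and the authorized
     * user must hold a role bound to that scope.
     *
     * @param accessTokenDO token under validation; its scopes and authorized user are read
     * @param resource      resource identifier the token is presented for
     * @return {@code true} when the resource is not protected, when there is nothing to check (no resource, no
     *         token scopes), or when the user is authorized; {@code false} otherwise, including when the user's
     *         roles cannot be retrieved
     * @throws IdentityOAuth2Exception from the resource/scope lookups
     */
    @Override
    public boolean validateScope(AccessTokenDO accessTokenDO, String resource) throws IdentityOAuth2Exception {
        if (resource == null) {
            return true;
        }
        String[] tokenScopes = accessTokenDO.getScope();
        if (ArrayUtils.isEmpty(tokenScopes)) {
            return true;
        }
        String requiredScope = lookupResourceScope(resource).getScope();
        if (requiredScope == null) {
            if (log.isDebugEnabled()) {
                log.debug("Resource '" + resource + "' is not protected with a scope");
            }
            return true;
        }
        if (!Arrays.asList(tokenScopes).contains(requiredScope)) {
            // The token value itself is only logged when the deployment explicitly allows it.
            if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable("AccessToken")) {
                log.debug("Access token '" + accessTokenDO.getAccessToken() + "' does not bear the scope '"
                        + requiredScope + "'");
            }
            return false;
        }
        AuthenticatedUser authzUser = accessTokenDO.getAuthzUser();
        // For federated users the role check may be delegated to the assertion; the scope in the token then suffices.
        if (authzUser.isFederatedUser() && skipUserStoreRoleLookupForFederatedUser()) {
            return true;
        }
        try {
            int tenantId = getTenantId(authzUser);
            String[] userRoles = getUserRoles(authzUser);
            if (ArrayUtils.isEmpty(userRoles)) {
                if (log.isDebugEnabled()) {
                    log.debug("No roles associated for the user " + authzUser.getUserName());
                }
                return false;
            }
            return isUserAuthorizedForScope(requiredScope, userRoles, tenantId);
        } catch (UserStoreException e) {
            log.error("Error when getting the tenant's UserStoreManager or when getting roles of user ", e);
            return false;
        }
    }

    /**
     * Resolves the scope protecting {@code resource}. The OAuth cache is consulted first; on a miss the token
     * management DAO is queried and the answer (including "no scope", stored as a {@code null} scope) is cached
     * under the resource key so unprotected resources are not re-queried.
     */
    private ResourceScopeCacheEntry lookupResourceScope(String resource) throws IdentityOAuth2Exception {
        OAuthCacheKey cacheKey = new OAuthCacheKey(resource);
        CacheEntry cached = (CacheEntry) OAuthCache.getInstance().getValueFromCache(cacheKey);
        if (cached instanceof ResourceScopeCacheEntry) {
            return (ResourceScopeCacheEntry) cached;
        }
        String scope = null;
        int resourceTenantId = -1;
        Pair<String, Integer> tenantAndScope = OAuthTokenPersistenceFactory.getInstance()
                .getTokenManagementDAO().findTenantAndScopeOfResource(resource);
        if (tenantAndScope != null) {
            scope = tenantAndScope.getLeft();
            resourceTenantId = tenantAndScope.getRight().intValue();
        }
        ResourceScopeCacheEntry entry = new ResourceScopeCacheEntry(scope);
        entry.setTenantId(resourceTenantId);
        OAuthCache.getInstance().addToCache(cacheKey, entry);
        return entry;
    }

    /**
     * Whether the user-store role lookup is skipped for a federated user, as configured through the
     * {@link #CHECK_ROLES_FROM_SAML_ASSERTION} and {@link #RETRIEVE_ROLES_FROM_USERSTORE_FOR_SCOPE_VALIDATION}
     * system properties: skipped when roles come from the assertion, or when user-store retrieval is not enabled.
     */
    private static boolean skipUserStoreRoleLookupForFederatedUser() {
        boolean rolesFromAssertion = Boolean.parseBoolean(System.getProperty(CHECK_ROLES_FROM_SAML_ASSERTION));
        boolean rolesFromUserStore =
                Boolean.parseBoolean(System.getProperty(RETRIEVE_ROLES_FROM_USERSTORE_FOR_SCOPE_VALIDATION));
        return rolesFromAssertion || !rolesFromUserStore;
    }

    /**
     * Validates the scopes requested in a token request against the roles of the authorized user.
     *
     * @see #validateScope(String[], AuthenticatedUser)
     */
    @Override
    public boolean validateScope(OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws UserStoreException, IdentityOAuth2Exception {
        return validateScope(oAuthTokenReqMessageContext.getScope(),
                oAuthTokenReqMessageContext.getAuthorizedUser());
    }

    /**
     * Validates the scopes requested in an authorization request against the roles of the requesting user.
     *
     * @see #validateScope(String[], AuthenticatedUser)
     */
    @Override
    public boolean validateScope(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext)
            throws UserStoreException, IdentityOAuth2Exception {
        return validateScope(oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getScopes(),
                oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getUser());
    }

    /**
     * Checks every requested scope that is not {@code openid} or a registered OIDC scope: each must exist for the
     * user's tenant and be granted to one of the user's roles.
     *
     * @param requestedScopes   scopes from the request; may contain OIDC scopes, which are ignored
     * @param authenticatedUser user whose tenant and roles are used for the check
     * @return {@code true} when no role-bound scope remains or all remaining scopes are authorized; {@code false}
     *         when a scope is unknown, not authorized, or the OIDC scope list cannot be obtained
     * @throws UserStoreException      when the user's tenant or roles cannot be resolved
     * @throws IdentityOAuth2Exception from the scope binding lookup
     */
    private boolean validateScope(String[] requestedScopes, AuthenticatedUser authenticatedUser)
            throws UserStoreException, IdentityOAuth2Exception {
        String[] scopesToValidate;
        try {
            scopesToValidate = removeOidcScopes(requestedScopes);
        } catch (IdentityOAuthAdminException e) {
            log.error("Unable to obtain OIDC scopes list.", e);
            return false;
        }
        if (ArrayUtils.isEmpty(scopesToValidate)) {
            return true;
        }
        int tenantId = getTenantId(authenticatedUser);
        String[] userRoles = getUserRoles(authenticatedUser);
        for (String scope : scopesToValidate) {
            if (!isScopeValid(scope, tenantId)) {
                log.error("Requested scope " + scope + " is invalid");
                return false;
            }
            if (!isUserAuthorizedForScope(scope, userRoles, tenantId)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns {@code scopes} without {@code openid} and without every scope name the OAuth admin service reports
     * (the OIDC scopes); those are not role-bound. Only the first occurrence of each name is removed.
     *
     * @throws IdentityOAuthAdminException when the OIDC scope names cannot be obtained
     */
    private static String[] removeOidcScopes(String[] scopes) throws IdentityOAuthAdminException {
        String[] remaining = (String[]) ArrayUtils.removeElement(scopes, OPENID);
        for (String oidcScope : OAuth2ServiceComponentHolder.getInstance().getOAuthAdminService().getScopeNames()) {
            remaining = (String[]) ArrayUtils.removeElement(remaining, oidcScope);
        }
        return remaining;
    }

    /** @return the display name of this validator. */
    @Override
    public String getValidatorName() {
        return SCOPE_VALIDATOR_NAME;
    }

    /**
     * Whether a scope named {@code scopeName} is registered for tenant {@code tenantId}. A lookup failure is
     * logged and treated as "not valid".
     */
    private boolean isScopeValid(String scopeName, int tenantId) {
        try {
            Scope scope = OAuthTokenPersistenceFactory.getInstance().getOAuthScopeDAO()
                    .getScopeByName(scopeName, tenantId);
            return scope != null;
        } catch (IdentityOAuth2ScopeServerException e) {
            log.error("Error while retrieving scope with name :" + scopeName, e);
            return false;
        }
    }

    /**
     * Whether one of {@code userRoles} is bound to {@code scope} in tenant {@code tenantId}. A scope with no role
     * bindings is open to every user. Bindings are matched exactly first; roles in the {@code Internal} domain are
     * additionally matched case-insensitively.
     *
     * @throws IdentityOAuth2Exception from the binding lookup
     */
    private boolean isUserAuthorizedForScope(String scope, String[] userRoles, int tenantId)
            throws IdentityOAuth2Exception {
        Set<String> scopeRoles = OAuthTokenPersistenceFactory.getInstance().getOAuthScopeDAO()
                .getBindingsOfScopeByScopeName(scope, tenantId);
        if (CollectionUtils.isEmpty(scopeRoles)) {
            if (log.isDebugEnabled()) {
                log.debug("Did not find any roles associated to the scope " + scope);
            }
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug("Found roles of scope '" + scope + "' " + String.join(",", scopeRoles));
        }
        if (ArrayUtils.isEmpty(userRoles)) {
            if (log.isDebugEnabled()) {
                log.debug("User does not have required roles for scope " + scope);
            }
            return false;
        }
        // Intersect on a copy: the set handed back by the DAO is not ours to mutate.
        Set<String> matchingRoles = new HashSet<>(scopeRoles);
        matchingRoles.retainAll(Arrays.asList(userRoles));
        if (!matchingRoles.isEmpty() || validateInternalUserRoles(scopeRoles, userRoles)) {
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug("User does not have required roles for scope " + scope);
        }
        return false;
    }

    /**
     * Case-insensitive fallback match: {@code true} when some role in {@code scopeRoles} belongs to the
     * {@code Internal} domain (prefix before the domain separator) and equals one of {@code userRoles} ignoring
     * case.
     */
    private static boolean validateInternalUserRoles(Set<String> scopeRoles, String[] userRoles) {
        for (String scopeRole : scopeRoles) {
            int separator = scopeRole.indexOf(CarbonConstants.DOMAIN_SEPARATOR);
            if (separator <= 0 || !INTERNAL_DOMAIN.equalsIgnoreCase(scopeRole.substring(0, separator))) {
                continue;
            }
            if (Arrays.stream(userRoles).anyMatch(scopeRole::equalsIgnoreCase)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Retrieves the user's roles from the user store of the user's tenant. For a non-super tenant a tenant flow is
     * started for the lookup and always ended afterwards, so a failing lookup cannot leave the tenant context set
     * on the thread.
     *
     * @throws UserStoreException when the tenant or the roles cannot be resolved
     */
    private String[] getUserRoles(User user) throws UserStoreException {
        RealmService realmService = OAuthComponentServiceHolder.getInstance().getRealmService();
        int tenantId = getTenantId(user);
        boolean tenantFlowStarted = false;
        try {
            if (tenantId != SUPER_TENANT_ID) {
                PrivilegedCarbonContext.startTenantFlow();
                // Mark before setting the domain so the flow is ended even if the domain lookup fails.
                tenantFlowStarted = true;
                PrivilegedCarbonContext.getThreadLocalCarbonContext()
                        .setTenantDomain(realmService.getTenantManager().getDomain(tenantId), true);
            }
            String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(user.toFullQualifiedUsername());
            String[] roles = realmService.getTenantUserRealm(tenantId).getUserStoreManager()
                    .getRoleListOfUser(tenantAwareUsername);
            if (ArrayUtils.isNotEmpty(roles) && log.isDebugEnabled()) {
                log.debug("Found roles of user " + user.getUserName() + Constants.SEPARATED_WITH_SPACE
                        + String.join(",", roles));
            }
            return roles;
        } finally {
            if (tenantFlowStarted) {
                PrivilegedCarbonContext.endTenantFlow();
            }
        }
    }

    /**
     * Resolves the user's tenant id from the tenant domain, falling back to the tenant id derived from the user
     * name when the domain lookup yields 0 or -1 (presumably the "unresolved" values of the tenant util —
     * TODO confirm).
     *
     * @throws UserStoreException when the tenant cannot be resolved
     */
    private int getTenantId(User user) throws UserStoreException {
        int tenantId = IdentityTenantUtil.getTenantId(user.getTenantDomain());
        if (tenantId == 0 || tenantId == -1) {
            tenantId = IdentityTenantUtil.getTenantIdOfUser(user.getUserName());
        }
        return tenantId;
    }
}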
