package org.wso2.carbon.identity.oauth2.authz;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.IdentityOAuthAdminException;
import org.wso2.carbon.identity.oauth.cache.AppInfoCache;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDAO;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth.dto.OAuthErrorDTO;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.Oauth2ScopeConstants;
import org.wso2.carbon.identity.oauth2.authz.handlers.ResponseTypeHandler;
import org.wso2.carbon.identity.oauth2.device.errorcodes.DeviceErrorCodes;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AuthorizeReqDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AuthorizeRespDTO;
import org.wso2.carbon.identity.oauth2.model.OAuth2Parameters;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oauth2.validators.JDBCPermissionBasedInternalScopeValidator;
import org.wso2.carbon.identity.oauth2.validators.RoleBasedInternalScopeValidator;
import org.wso2.carbon.identity.openidconnect.model.Constants;
import org.wso2.carbon.utils.CarbonUtils;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/authz/AuthorizationHandlerManager.class */
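/**
 * Entry point for OAuth 2.0 authorization requests.
 *
 * <p>An incoming {@link OAuth2AuthorizeReqDTO} is checked in a fixed order — supported response
 * type, authorized client, access delegation, scope — and, only if every check passes, handed to
 * the {@link ResponseTypeHandler} registered for its response type to issue the response.
 * Any failed check produces an error {@link OAuth2AuthorizeRespDTO} (error code + message) and
 * the request is never passed to a handler.
 *
 * <p>Scope handling is split three ways: scopes on the server-wide allow-list skip handler
 * validation and are appended to the approved scopes afterwards; internal scopes (those with
 * {@link Oauth2ScopeConstants#INTERNAL_SCOPE_PREFIX}, {@link Oauth2ScopeConstants#CONSOLE_SCOPE_PREFIX}
 * or equal to {@link Oauth2ScopeConstants#SYSTEM_SCOPE}) are authorized by the internal scope
 * validators and removed from the request before handler validation; everything else is left for
 * the handler's {@code validateScope}.
 *
 * <p>Singleton: obtain via {@link #getInstance()}.
 */
public class AuthorizationHandlerManager {

    /** Message-context property under which the resolved {@link OAuthAppDO} is stored. */
    public static final String OAUTH_APP_PROPERTY = "OAuthAppDO";

    private static final Log log = LogFactory.getLog(AuthorizationHandlerManager.class);

    // volatile is required for the double-checked locking in getInstance(): without it a reader
    // outside the synchronized block may observe a non-null reference to a partially constructed
    // instance (Java memory model; see Effective Java, Item 83).
    private static volatile AuthorizationHandlerManager instance;

    /** Response type (e.g. "code") to its handler, as configured on the server. */
    private final Map<String, ResponseTypeHandler> responseHandlers =
            OAuthServerConfiguration.getInstance().getSupportedResponseTypes();

    /**
     * Private: use {@link #getInstance()}. Only verifies that the application-info cache exists
     * and logs the outcome; a missing cache is logged, not fatal.
     */
    private AuthorizationHandlerManager() throws IdentityOAuth2Exception {
        AppInfoCache appInfoCache = AppInfoCache.getInstance();
        if (appInfoCache == null) {
            log.error("Error while creating AppInfoCache");
        } else if (log.isDebugEnabled() && appInfoCache.isEnabled()) {
            log.debug("Successfully enabled AppInfoCache under OAuthCacheManager");
        }
    }

    /**
     * Returns the lazily created singleton.
     *
     * <p>{@link CarbonUtils#checkSecurity()} runs on every call, before the instance is handed out.
     *
     * @throws IdentityOAuth2Exception if construction fails
     */
    public static AuthorizationHandlerManager getInstance() throws IdentityOAuth2Exception {
        CarbonUtils.checkSecurity();
        AuthorizationHandlerManager local = instance;
        if (local == null) {
            synchronized (AuthorizationHandlerManager.class) {
                local = instance;
                if (local == null) {
                    local = new AuthorizationHandlerManager();
                    instance = local;
                }
            }
        }
        return local;
    }

    /**
     * Validates an authorization request and, if valid, issues the response through the handler
     * registered for its response type.
     *
     * @param oAuth2AuthorizeReqDTO the authorization request (client, user, scopes, response type, callback)
     * @return either an error response (error code/message set, see {@link #isErrorResponseFound}) or
     *         the response produced by the {@link ResponseTypeHandler}
     * @throws InvalidOAuthClientException if no application exists for the request's consumer key
     * @throws IdentityOAuth2Exception     on validation or issuance failures raised by the handler/validators
     */
    public OAuth2AuthorizeRespDTO handleAuthorization(OAuth2AuthorizeReqDTO oAuth2AuthorizeReqDTO)
            throws IdentityOAuth2Exception, IdentityOAuthAdminException, InvalidOAuthClientException {
        OAuthAuthzReqMessageContext authzReqMsgCtx = getOAuthAuthzReqMessageContext(oAuth2AuthorizeReqDTO);
        // May be null for an unsupported response type; validateAuthzRequest() rejects that case
        // first, so the handler is never dereferenced when it is null.
        ResponseTypeHandler handler = getResponseHandler(oAuth2AuthorizeReqDTO);
        OAuth2AuthorizeRespDTO authzRespDTO = validateAuthzRequest(oAuth2AuthorizeReqDTO, authzReqMsgCtx, handler);
        if (isErrorResponseFound(authzRespDTO)) {
            if (log.isDebugEnabled()) {
                // NOTE: getUser() is rendered via toString() here; keep DEBUG off where that is sensitive.
                log.debug("Error response received for authorization request by user : "
                        + oAuth2AuthorizeReqDTO.getUser() + ", client : " + oAuth2AuthorizeReqDTO.getConsumerKey()
                        + ", scope : " + OAuth2Util.buildScopeString(oAuth2AuthorizeReqDTO.getScopes()));
            }
            return authzRespDTO;
        }
        try {
            OAuth2Util.setAuthzRequestContext(authzReqMsgCtx);
            return handler.issue(authzReqMsgCtx);
        } finally {
            // The request context set above is always cleared, even when issue() throws, so it
            // cannot bleed into a later request handled on the same thread.
            OAuth2Util.clearAuthzRequestContext();
        }
    }

    /** Handler for the request's response type, or {@code null} if none is registered. */
    private ResponseTypeHandler getResponseHandler(OAuth2AuthorizeReqDTO authzReqDTO) {
        return this.responseHandlers.get(authzReqDTO.getResponseType());
    }

    /**
     * Runs the validation chain and scope processing, mutating {@code authzReqMsgCtx} along the way.
     *
     * @return a response DTO; it carries an error code/message when any check failed, and is
     *         otherwise empty (the approved scopes live on the message context, not on the DTO)
     */
    private OAuth2AuthorizeRespDTO validateAuthzRequest(OAuth2AuthorizeReqDTO authzReqDTO,
                                                        OAuthAuthzReqMessageContext authzReqMsgCtx,
                                                        ResponseTypeHandler handler) throws IdentityOAuth2Exception {
        OAuth2AuthorizeRespDTO authzRespDTO = new OAuth2AuthorizeRespDTO();

        // Order matters: the response type check comes first so that a null handler (unsupported
        // response type) never reaches the two handler-based checks that follow.
        if (isInvalidResponseType(authzReqDTO, authzRespDTO)
                || isInvalidClient(authzReqDTO, authzRespDTO, authzReqMsgCtx, handler)
                || isInvalidAccessDelegation(authzReqDTO, authzRespDTO, authzReqMsgCtx, handler)) {
            return authzRespDTO;
        }

        // Scopes on the server-wide allow-list are set aside here (so the handler never sees them)
        // and re-appended to the approved scopes only after the remaining scopes pass validation.
        List<String> allowedScopes = OAuthServerConfiguration.getInstance().getAllowedScopes();
        OAuth2AuthorizeReqDTO ctxReqDTO = authzReqMsgCtx.getAuthorizationReqDTO();
        String[] requestedScopes = ctxReqDTO.getScopes();
        List<String> allowedRequested = new ArrayList<>();
        if (requestedScopes != null) {
            List<String> remaining = new ArrayList<>();
            for (String scope : requestedScopes) {
                if (OAuth2Util.isAllowedScope(allowedScopes, scope)) {
                    allowedRequested.add(scope);
                } else {
                    remaining.add(scope);
                }
            }
            ctxReqDTO.setScopes(remaining.toArray(new String[0]));
        }

        // Internal scopes are authorized by the permission-based validator (plus the role-based one
        // when system roles are enabled), then stripped from the request before the handler's own
        // scope validation. Whatever the validators approved is recorded on the context.
        String[] authorizedInternal = new JDBCPermissionBasedInternalScopeValidator().validateScope(authzReqMsgCtx);
        if (IdentityUtil.isSystemRolesEnabled()) {
            authorizedInternal = (String[]) ArrayUtils.addAll(authorizedInternal,
                    new RoleBasedInternalScopeValidator().validateScope(authzReqMsgCtx));
        }
        removeInternalScopes(authzReqMsgCtx);
        authzReqMsgCtx.setAuthorizedInternalScopes(authorizedInternal);

        if (OAuthServerConfiguration.getInstance().isDropUnregisteredScopes()) {
            if (log.isDebugEnabled()) {
                log.debug("DropUnregisteredScopes config is enabled. Attempting to drop unregistered scopes.");
            }
            ctxReqDTO.setScopes(OAuth2Util.dropUnregisteredScopes(ctxReqDTO.getScopes(), ctxReqDTO.getTenantDomain()));
        }

        if (validateScope(authzReqDTO, authzRespDTO, authzReqMsgCtx, handler)) {
            addAuthorizedInternalScopes(authzReqMsgCtx, authzReqMsgCtx.getAuthorizedInternalScopes());
            addAllowedScopes(authzReqMsgCtx, allowedRequested.toArray(new String[0]));
        }
        return authzRespDTO;
    }

    /** Appends the validator-approved internal scopes to the context's approved scopes. */
    private void addAuthorizedInternalScopes(OAuthAuthzReqMessageContext authzReqMsgCtx, String[] internalScopes) {
        appendApprovedScopes(authzReqMsgCtx, internalScopes);
    }

    /** Appends the allow-listed scopes (which bypassed handler validation) to the approved scopes. */
    private void addAllowedScopes(OAuthAuthzReqMessageContext authzReqMsgCtx, String[] allowedScopes) {
        appendApprovedScopes(authzReqMsgCtx, allowedScopes);
    }

    /** Shared implementation of the two add* helpers: approved = approved ++ extra. */
    private void appendApprovedScopes(OAuthAuthzReqMessageContext authzReqMsgCtx, String[] extra) {
        authzReqMsgCtx.setApprovedScope((String[]) ArrayUtils.addAll(authzReqMsgCtx.getApprovedScope(), extra));
    }

    /**
     * Removes internal scopes from the context's request DTO so the response type handler only
     * validates ordinary scopes. A {@code null} scope array is left untouched.
     *
     * <p>Note the prefix checks are case-sensitive while the SYSTEM_SCOPE comparison is not; this
     * mirrors the original behaviour and whether the validators agree is not visible here.
     */
    private void removeInternalScopes(OAuthAuthzReqMessageContext authzReqMsgCtx) {
        OAuth2AuthorizeReqDTO ctxReqDTO = authzReqMsgCtx.getAuthorizationReqDTO();
        String[] scopes = ctxReqDTO.getScopes();
        if (scopes == null) {
            return;
        }
        List<String> ordinaryScopes = new ArrayList<>();
        for (String scope : scopes) {
            if (!isInternalScope(scope)) {
                ordinaryScopes.add(scope);
            }
        }
        ctxReqDTO.setScopes(ordinaryScopes.toArray(new String[0]));
    }

    /** True for internal_*, console and SYSTEM scopes (per the Oauth2ScopeConstants definitions). */
    private boolean isInternalScope(String scope) {
        return scope.startsWith(Oauth2ScopeConstants.INTERNAL_SCOPE_PREFIX)
                || scope.startsWith(Oauth2ScopeConstants.CONSOLE_SCOPE_PREFIX)
                || scope.equalsIgnoreCase(Oauth2ScopeConstants.SYSTEM_SCOPE);
    }

    /**
     * Delegates scope validation to the handler. On success, the approved scopes default to the
     * (already filtered) requested scopes unless a callback handler set them; on failure the
     * response is marked {@code invalid_scope}.
     */
    private boolean validateScope(OAuth2AuthorizeReqDTO authzReqDTO, OAuth2AuthorizeRespDTO authzRespDTO,
                                  OAuthAuthzReqMessageContext authzReqMsgCtx, ResponseTypeHandler handler)
            throws IdentityOAuth2Exception {
        if (handler.validateScope(authzReqMsgCtx)) {
            if (approvedScopeNotSetByTheCallbackHandler(authzReqMsgCtx)) {
                authzReqMsgCtx.setApprovedScope(authzReqMsgCtx.getAuthorizationReqDTO().getScopes());
            }
            if (log.isDebugEnabled()) {
                log.debug("Approved scope(s) : " + OAuth2Util.buildScopeString(authzReqMsgCtx.getApprovedScope()));
            }
            return true;
        }
        rejectRequest(authzReqDTO, authzRespDTO, "invalid_scope", "Invalid Scope!");
        if (log.isDebugEnabled()) {
            log.debug("Scope validation failed for user : " + authzReqDTO.getUser() + ", for the scope(s) : "
                    + OAuth2Util.buildScopeString(authzReqDTO.getScopes()));
        }
        return false;
    }

    /** True when no approved scopes have been recorded on the context yet (null or empty). */
    private boolean approvedScopeNotSetByTheCallbackHandler(OAuthAuthzReqMessageContext authzReqMsgCtx) {
        String[] approved = authzReqMsgCtx.getApprovedScope();
        return approved == null || approved.length == 0;
    }

    /**
     * Asks the handler whether the user may delegate access for this request. On refusal the
     * response is marked {@code unauthorized_client} and a FAILED diagnostic event is emitted.
     */
    private boolean isInvalidAccessDelegation(OAuth2AuthorizeReqDTO authzReqDTO, OAuth2AuthorizeRespDTO authzRespDTO,
                                              OAuthAuthzReqMessageContext authzReqMsgCtx, ResponseTypeHandler handler)
            throws IdentityOAuth2Exception {
        if (handler.validateAccessDelegation(authzReqMsgCtx)) {
            return false;
        }
        rejectRequest(authzReqDTO, authzRespDTO, DeviceErrorCodes.UNAUTHORIZED_CLIENT, "Authorization Failure!");
        if (log.isDebugEnabled()) {
            log.debug("User : " + authzReqDTO.getUser() + " doesn't have necessary rights to grant access to the resource(s) : "
                    + OAuth2Util.buildScopeString(authzReqDTO.getScopes()));
        }
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            Map<String, Object> params = new HashMap<>();
            params.put("clientId", authzReqDTO.getConsumerKey());
            if (authzReqDTO.getUser() != null) {
                try {
                    params.put("user", authzReqDTO.getUser().getUserId());
                } catch (UserIdNotFoundException e) {
                    // No opaque user id available: fall back to a masked subject identifier.
                    // NOTE(review): replaceAll() treats FULL_STOP_DELIMITER as a regex; if it is "."
                    // every character is masked, which is presumably the intent (PII) — confirm.
                    String subject = authzReqDTO.getUser().getAuthenticatedSubjectIdentifier();
                    if (StringUtils.isNotBlank(subject)) {
                        params.put("user", subject.replaceAll(Constants.FULL_STOP_DELIMITER, "*"));
                    }
                }
            }
            params.put("requestedScopes", OAuth2Util.buildScopeString(authzReqDTO.getScopes()));
            LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", params, "FAILED",
                    "User doesn't have necessary rights to grant access to the requested resource(s).",
                    "validate-authz-request", (Map<String, Object>) null);
        }
        return true;
    }

    /**
     * Asks the handler whether the client may use this grant. On refusal the response is marked
     * {@code unauthorized_client}.
     */
    private boolean isInvalidClient(OAuth2AuthorizeReqDTO authzReqDTO, OAuth2AuthorizeRespDTO authzRespDTO,
                                    OAuthAuthzReqMessageContext authzReqMsgCtx, ResponseTypeHandler handler)
            throws IdentityOAuth2Exception {
        if (handler.isAuthorizedClient(authzReqMsgCtx)) {
            return false;
        }
        rejectRequest(authzReqDTO, authzRespDTO, DeviceErrorCodes.UNAUTHORIZED_CLIENT,
                "The authenticated client is not authorized to use this authorization grant type");
        if (log.isDebugEnabled()) {
            log.debug("Client validation failed for user : " + authzReqDTO.getUser() + ", for client : "
                    + authzReqDTO.getConsumerKey());
        }
        return true;
    }

    /**
     * Builds the message context for a request: resolves the OAuth application for the consumer
     * key, stores it under {@link #OAUTH_APP_PROPERTY} and stamps the app's tenant domain onto the
     * request DTO.
     *
     * @throws InvalidOAuthClientException if no application exists for the consumer key
     */
    private OAuthAuthzReqMessageContext getOAuthAuthzReqMessageContext(OAuth2AuthorizeReqDTO authzReqDTO)
            throws IdentityOAuth2Exception, InvalidOAuthClientException {
        OAuthAuthzReqMessageContext authzReqMsgCtx = new OAuthAuthzReqMessageContext(authzReqDTO);
        OAuthAppDO appInfo = getAppInformation(authzReqDTO);
        authzReqMsgCtx.addProperty(OAUTH_APP_PROPERTY, appInfo);
        authzReqMsgCtx.getAuthorizationReqDTO().setTenantDomain(OAuth2Util.getTenantDomainOfOauthApp(appInfo));
        return authzReqMsgCtx;
    }

    /** A response is an error response exactly when an error message has been set on it. */
    private boolean isErrorResponseFound(OAuth2AuthorizeRespDTO authzRespDTO) {
        return authzRespDTO.getErrorMsg() != null;
    }

    /**
     * Rejects requests whose response type has no registered handler with
     * {@code unsupported_response_type}, emitting a FAILED diagnostic event when enabled.
     */
    private boolean isInvalidResponseType(OAuth2AuthorizeReqDTO authzReqDTO, OAuth2AuthorizeRespDTO authzRespDTO) {
        String responseType = authzReqDTO.getResponseType();
        if (this.responseHandlers.containsKey(responseType)) {
            return false;
        }
        rejectRequest(authzReqDTO, authzRespDTO, "unsupported_response_type", "Unsupported Response Type!");
        if (log.isDebugEnabled()) {
            log.debug("Unsupported Response Type : " + responseType + " provided for user : " + authzReqDTO.getUser()
                    + ", for client :" + authzReqDTO.getConsumerKey());
        }
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            Map<String, Object> params = new HashMap<>();
            params.put("clientId", authzReqDTO.getConsumerKey());
            params.put("response_type", responseType);
            LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", params, "FAILED",
                    "Un-supported response type.", "validate-authz-request", (Map<String, Object>) null);
        }
        return true;
    }

    /**
     * Resolves the OAuth application for the request's consumer key, consulting the
     * {@link AppInfoCache} first and populating it from {@link OAuthAppDAO} on a miss.
     *
     * <p>NOTE(review): the cache is keyed by the bare consumer key, with no tenant qualifier —
     * confirm consumer keys are unique across tenants in this deployment.
     *
     * @throws InvalidOAuthClientException if the DAO knows no application for the key
     */
    private OAuthAppDO getAppInformation(OAuth2AuthorizeReqDTO authzReqDTO)
            throws IdentityOAuth2Exception, InvalidOAuthClientException {
        String consumerKey = authzReqDTO.getConsumerKey();
        OAuthAppDO cached = (OAuthAppDO) AppInfoCache.getInstance().getValueFromCache(consumerKey);
        if (cached != null) {
            return cached;
        }
        OAuthAppDO appInfo = new OAuthAppDAO().getAppInformation(consumerKey);
        AppInfoCache.getInstance().addToCache(consumerKey, appInfo);
        return appInfo;
    }

    /** Marks the response as an error with the given OAuth error code and human-readable message. */
    private void handleErrorRequest(OAuth2AuthorizeRespDTO authzRespDTO, String errorCode, String errorMsg) {
        authzRespDTO.setErrorCode(errorCode);
        authzRespDTO.setErrorMsg(errorMsg);
    }

    /**
     * Marks the response as an error and sets the callback URI the error should be delivered to.
     *
     * <p>SECURITY NOTE: the callback URI is taken from the request as received; this class does not
     * check it against the application's registered redirect URIs. RFC 6749 §4.1.2.1 requires that
     * an invalid redirect URI never be redirected to, so the caller is presumed to have validated it
     * before invoking this manager — TODO confirm that upstream validation is always in place.
     */
    private void rejectRequest(OAuth2AuthorizeReqDTO authzReqDTO, OAuth2AuthorizeRespDTO authzRespDTO,
                               String errorCode, String errorMsg) {
        handleErrorRequest(authzRespDTO, errorCode, errorMsg);
        authzRespDTO.setCallbackURI(authzReqDTO.getCallbackUrl());
    }

    /**
     * Builds the error returned when the user denies consent, via the handler for the request's
     * response type.
     *
     * @throws NullPointerException if no handler is registered for the response type
     */
    public OAuthErrorDTO handleUserConsentDenial(OAuth2Parameters oAuth2Parameters) {
        return requireHandler(oAuth2Parameters.getResponseType()).handleUserConsentDenial(oAuth2Parameters);
    }

    /**
     * Builds the error returned when user authentication fails, via the handler for the request's
     * response type.
     *
     * @throws NullPointerException if no handler is registered for the response type
     */
    public OAuthErrorDTO handleAuthenticationFailure(OAuth2Parameters oAuth2Parameters) {
        return requireHandler(oAuth2Parameters.getResponseType()).handleAuthenticationFailure(oAuth2Parameters);
    }

    /**
     * Looks up the handler for {@code responseType}, failing with a descriptive NullPointerException
     * (the same exception type an unguarded map lookup would have produced) when none is registered.
     */
    private ResponseTypeHandler requireHandler(String responseType) {
        return Objects.requireNonNull(this.responseHandlers.get(responseType),
                "No response type handler registered for response type: " + responseType);
    }
}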
