package org.wso2.carbon.identity.oauth2.token.handlers.grant.saml;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.joda.time.DateTime;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidationProvider;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.wso2.carbon.base.ServerConfiguration;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.context.RegistryType;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.CertificateInfo;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.PermissionsAndRoleConfig;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.application.common.model.RoleMapping;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
import org.wso2.carbon.identity.core.persistence.IdentityPersistenceManager;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenRespDTO;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.internal.OAuthApplicationMgtListener;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler;
import org.wso2.carbon.identity.oauth2.util.ClaimsUtil;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oauth2.util.X509CredentialImpl;
import org.wso2.carbon.identity.openidconnect.model.Constants;
import org.wso2.carbon.identity.saml.common.util.SAMLInitializer;
import org.wso2.carbon.identity.saml.common.util.UnmarshallUtils;
import org.wso2.carbon.identity.saml.common.util.exception.IdentityUnmarshallingException;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/handlers/grant/saml/SAML2BearerGrantHandler.class */
public class SAML2BearerGrantHandler extends AbstractAuthorizationGrantHandler {
    /** Local name of the SAML element that carries the assertion. */
    public static final String ASSERTION_ELEMENT = "Assertion";
    /** Name of the SAML SSO authenticator property that holds the IdP entity id (see getIdpEntityId). */
    public static final String IDP_ENTITY_ID = "IdPEntityId";
    private static final Log log = LogFactory.getLog(SAML2BearerGrantHandler.class);
    /** Authenticator name under which an IdP's SAML SSO federated-authenticator config is looked up. */
    private static final String SAMLSSO_AUTHENTICATOR = "samlsso";
    private static final String SAML2SSO_AUTHENTICATOR_NAME = "SAMLSSOAuthenticator";
    // ServerConfiguration keys of the dedicated SAML signing key store. When that store is configured,
    // validateGrant() checks the assertion signature against it instead of the IdP certificate(s).
    public static final String SECURITY_SAML_SIGN_KEY_STORE_LOCATION = "Security.SAMLSignKeyStore.Location";
    public static final String SECURITY_SAML_SIGN_KEY_STORE_TYPE = "Security.SAMLSignKeyStore.Type";
    public static final String SECURITY_SAML_SIGN_KEY_STORE_PASSWORD = "Security.SAMLSignKeyStore.Password";
    public static final String SECURITY_SAML_SIGN_KEY_STORE_KEY_ALIAS = "Security.SAMLSignKeyStore.KeyAlias";
    public static final String SECURITY_SAML_SIGN_KEY_STORE_KEY_PASSWORD = "Security.SAMLSignKeyStore.KeyPassword";
    // Created in init(); used by validateSignature() for the signature-profile check only. The signer
    // itself is verified separately (validateSignatureAgainstIdpCertificate / SAML sign key store).
    SAMLSignatureProfileValidator profileValidator = null;

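    /**
     * Bootstraps the OpenSAML3 library and creates the signature-profile validator used by
     * {@link #validateGrant}. Bootstrapping runs with this class's class loader installed as the thread
     * context class loader (presumably because OpenSAML resolves its providers through the TCCL); the
     * caller's context class loader is restored afterwards whether or not bootstrapping succeeds.
     *
     * @throws IdentityOAuth2Exception if OpenSAML cannot be initialized; the underlying
     *                                 {@link InitializationException} is kept as the cause
     */
    @Override
    public void init() throws IdentityOAuth2Exception {
        super.init();
        Thread currentThread = Thread.currentThread();
        ClassLoader callerClassLoader = currentThread.getContextClassLoader();
        currentThread.setContextClassLoader(getClass().getClassLoader());
        try {
            SAMLInitializer.doBootstrap();
        } catch (InitializationException e) {
            log.error("Error in bootstrapping the OpenSAML3 library", e);
            // keep the cause so the failure is diagnosable from the wrapped exception, not only the log
            throw new IdentityOAuth2Exception("Error in bootstrapping the OpenSAML3 library", e);
        } finally {
            currentThread.setContextClassLoader(callerClassLoader);
        }
        this.profileValidator = new SAMLSignatureProfileValidator();
    }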

    /**
     * Validates a SAML 2.0 bearer assertion presented as an OAuth2 grant, after the generic checks in
     * {@code super.validateGrant}. The checks run in this order and each throws on failure: subject,
     * issuer, signature profile, IdP lookup, signature against the trust anchor (dedicated SAML sign
     * key store when configured, otherwise the IdP certificate(s)), Conditions/audience, the Conditions
     * time window (with the configured clock skew) and the SubjectConfirmation (bearer method,
     * recipient, validity period). On success the user, scope and assertion are placed in the message
     * context and the optional SAML2 token callback handler is invoked.
     *
     * @param oAuthTokenReqMessageContext token request context carrying the base64-encoded assertion
     * @return {@code true} when every check passed
     * @throws IdentityOAuth2Exception when any check fails
     */
    @Override
    public boolean validateGrant(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        super.validateGrant(oAuthTokenReqMessageContext);
        // The raw assertion (it carries user attributes) is only logged when debug is on AND the
        // deployment has explicitly marked SAML_Assertion as loggable.
        boolean assertionLoggable = log.isDebugEnabled() && IdentityUtil.isTokenLoggable("SAML_Assertion");
        if (assertionLoggable) {
            String encodedAssertion = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getAssertion();
            byte[] decodedAssertion = Base64.decodeBase64(encodedAssertion);
            log.debug("Received SAML assertion : " + new String(decodedAssertion, StandardCharsets.UTF_8));
        }
        Assertion assertion = getAssertionObject(oAuthTokenReqMessageContext);
        validateSubject(oAuthTokenReqMessageContext, assertion);
        validateIssuer(oAuthTokenReqMessageContext, assertion);
        validateSignature(assertion);
        String tenantDomain = getTenantDomain(oAuthTokenReqMessageContext);
        IdentityProvider identityProvider = getIdentityProvider(assertion, tenantDomain);
        if (isSAMLSignKeyStoreConfigured()) {
            validateSignatureAgainstSAMLSignKeyStoreCertificate(assertion);
        } else {
            validateSignatureAgainstIdpCertificate(assertion, tenantDomain, identityProvider);
        }
        validateConditions(oAuthTokenReqMessageContext, assertion, identityProvider, tenantDomain);
        // the configured skew is in seconds; the time-window helpers work in milliseconds
        long skewMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;
        validateAssertionTimeWindow(skewMillis, getNotOnOrAfter(assertion), getNotBefore(assertion));
        processSubjectConfirmation(oAuthTokenReqMessageContext, assertion, identityProvider, tenantDomain, skewMillis);
        setValuesInMessageContext(oAuthTokenReqMessageContext, assertion, identityProvider, tenantDomain);
        invokeExtension(oAuthTokenReqMessageContext);
        return true;
    }

    /**
     * Whether a refresh token may be issued for the SAML 2.0 bearer grant type; the answer comes from
     * the server configuration, keyed by the grant type URN.
     *
     * @return {@code true} if the configuration allows refresh tokens for this grant
     */
    @Override
    public boolean issueRefreshToken() throws IdentityOAuth2Exception {
        OAuthServerConfiguration serverConfiguration = OAuthServerConfiguration.getInstance();
        return serverConfiguration.getValueForIsRefreshTokenAllowed("urn:oasis:names:tc:SAML:2.0:cm:bearer");
    }

    /**
     * Issues the token via the base handler and, for OIDC requests only, maps the attributes of the
     * validated assertion (stored under the "SAML2Assertion" context property by
     * {@link #validateGrant}) onto user claims.
     *
     * @param oAuthTokenReqMessageContext validated token request context
     * @return the token response produced by the base handler
     * @throws IdentityOAuth2Exception on token issuance or claim handling failure
     */
    @Override
    public OAuth2AccessTokenRespDTO issue(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        OAuth2AccessTokenRespDTO tokenResponse = super.issue(oAuthTokenReqMessageContext);
        if (!OAuth2Util.isOIDCAuthzRequest(oAuthTokenReqMessageContext.getScope())) {
            return tokenResponse;
        }
        Assertion assertion = (Assertion) oAuthTokenReqMessageContext.getProperty("SAML2Assertion");
        if (assertion != null) {
            handleClaimsInAssertion(oAuthTokenReqMessageContext, tokenResponse, assertion);
        }
        return tokenResponse;
    }

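    /**
     * Extracts the attributes carried in the assertion and hands them to
     * {@link #addUserAttributesToCache} as claim mappings. Two modes, chosen by the
     * {@code ConvertOriginalClaimsFromAssertionsToOIDCDialect} server setting: either the claims are
     * mapped through the IdP's claim configuration and converted to the OIDC dialect, or they are
     * cached in the dialect they arrived in, with role claims rewritten through the IdP's role mappings.
     * Does nothing when the assertion carries no attributes.
     *
     * @param oAuthTokenReqMessageContext token request context (tenant domain, scope)
     * @param oAuth2AccessTokenRespDTO     token response the cached attributes are associated with
     * @param assertion                    validated SAML assertion
     * @throws IdentityOAuth2Exception when the IdP cannot be resolved or the OIDC conversion fails
     */
    protected void handleClaimsInAssertion(OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                                           OAuth2AccessTokenRespDTO oAuth2AccessTokenRespDTO,
                                           Assertion assertion) throws IdentityOAuth2Exception {
        Map<String, String> assertionClaims = ClaimsUtil.extractClaimsFromAssertion(oAuthTokenReqMessageContext,
                oAuth2AccessTokenRespDTO, assertion, FrameworkUtils.getMultiAttributeSeparator());
        if (assertionClaims == null || assertionClaims.isEmpty()) {
            return;
        }
        String tenantDomain = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain();
        if (StringUtils.isBlank(tenantDomain)) {
            tenantDomain = "carbon.super";
        }
        if (OAuthServerConfiguration.getInstance().isConvertOriginalClaimsFromAssertionsToOIDCDialect()) {
            cacheClaimsConvertedToOidcDialect(oAuthTokenReqMessageContext, oAuth2AccessTokenRespDTO, assertion,
                    tenantDomain, assertionClaims);
        } else {
            cacheClaimsInAssertionDialect(oAuthTokenReqMessageContext, oAuth2AccessTokenRespDTO, assertion,
                    tenantDomain, assertionClaims);
        }
    }

    /** Maps the claims through the IdP claim config, applies role mappings, converts to OIDC dialect and caches. */
    private void cacheClaimsConvertedToOidcDialect(OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                                                   OAuth2AccessTokenRespDTO oAuth2AccessTokenRespDTO,
                                                   Assertion assertion, String tenantDomain,
                                                   Map<String, String> assertionClaims) throws IdentityOAuth2Exception {
        IdentityProvider identityProvider = getIdentityProvider(assertion, tenantDomain);
        Map<String, String> mappedClaims;
        if (ClaimsUtil.isResidentIdp(identityProvider)) {
            mappedClaims = handleClaimsForResidentIDP(assertionClaims, identityProvider);
        } else {
            mappedClaims = handleClaimsForIDP(assertionClaims, tenantDomain, identityProvider,
                    identityProvider.getClaimConfig().isLocalClaimDialect(),
                    identityProvider.getClaimConfig().getClaimMappings());
        }
        for (String roleClaimUri : IdentityUtil.getRoleGroupClaims()) {
            handleIdPRoleMapping(oAuthTokenReqMessageContext, oAuth2AccessTokenRespDTO, identityProvider,
                    mappedClaims, roleClaimUri);
        }
        if (mappedClaims == null || mappedClaims.isEmpty()) {
            return;
        }
        try {
            addUserAttributesToCache(oAuth2AccessTokenRespDTO, oAuthTokenReqMessageContext,
                    FrameworkUtils.buildClaimMappings(
                            ClaimsUtil.convertClaimsToOIDCDialect(oAuthTokenReqMessageContext, mappedClaims)));
        } catch (IdentityApplicationManagementException | IdentityException e) {
            throw new IdentityOAuth2Exception("Error while converting user claims to OIDC dialect from idp "
                    + identityProvider.getIdentityProviderName(), e);
        }
    }

    /** Caches the claims as received; role claims are rewritten via the IdP role mappings or dropped when nothing maps. */
    private void cacheClaimsInAssertionDialect(OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                                               OAuth2AccessTokenRespDTO oAuth2AccessTokenRespDTO,
                                               Assertion assertion, String tenantDomain,
                                               Map<String, String> assertionClaims) throws IdentityOAuth2Exception {
        Map<ClaimMapping, String> claimMappings = FrameworkUtils.buildClaimMappings(assertionClaims);
        // Resolved lazily so the IdP lookup only happens when a non-blank role claim is present
        // (previously it was repeated for every matching entry).
        IdentityProvider identityProvider = null;
        Iterator<Map.Entry<ClaimMapping, String>> entries = claimMappings.entrySet().iterator();
        while (entries.hasNext()) {
            Map.Entry<ClaimMapping, String> entry = entries.next();
            if (!isRoleGroupClaim(entry.getKey()) || StringUtils.isBlank(entry.getValue())) {
                continue;
            }
            if (identityProvider == null) {
                identityProvider = getIdentityProvider(assertion, tenantDomain);
            }
            String updatedRoleClaimValue = getUpdatedRoleClaimValue(identityProvider, entry.getValue());
            if (updatedRoleClaimValue != null) {
                entry.setValue(updatedRoleClaimValue);
            } else {
                // no remote role survived the mapping: the claim must not reach the cache
                entries.remove();
            }
        }
        addUserAttributesToCache(oAuth2AccessTokenRespDTO, oAuthTokenReqMessageContext, claimMappings);
    }

    /** True when the local claim URI of the mapping is one of the configured role/group claim URIs. */
    private static boolean isRoleGroupClaim(ClaimMapping claimMapping) {
        String localClaimUri = claimMapping.getLocalClaim().getClaimUri();
        return IdentityUtil.getRoleGroupClaims().stream().anyMatch(roleClaimUri -> roleClaimUri.equals(localClaimUri));
    }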

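    /**
     * Rewrites a multi-valued role claim received from {@code identityProvider} into local role names.
     * <p>
     * Roles from the IdP named "LOCAL" are returned untouched. Otherwise every remote role (split on the
     * multi-attribute separator) is looked up in the IdP's role mappings: a mapped role is replaced by
     * its local role name, an unmapped one is kept as-is unless {@code ReturnOnlyMappedLocalRoles} is
     * enabled, in which case it is dropped. When the IdP has no role mappings at all the whole value is
     * kept or dropped by the same setting.
     * <p>
     * As previously listed, the inner scan never terminated once a remote role had no mapping; the
     * lookup is now a plain bounded loop.
     *
     * @param identityProvider IdP the assertion was issued by
     * @param str              role claim value, remote roles joined by the multi-attribute separator
     * @return the rewritten claim value, or {@code null} when no role survives (callers then drop the claim)
     */
    private String getUpdatedRoleClaimValue(IdentityProvider identityProvider, String str) {
        if (StringUtils.equalsIgnoreCase("LOCAL", identityProvider.getIdentityProviderName())) {
            return str;
        }
        boolean returnOnlyMappedLocalRoles = OAuthServerConfiguration.getInstance().isReturnOnlyMappedLocalRoles();
        PermissionsAndRoleConfig roleConfig = identityProvider.getPermissionAndRoleConfig();
        if (roleConfig == null || ArrayUtils.isEmpty(roleConfig.getRoleMappings())) {
            return returnOnlyMappedLocalRoles ? null : str;
        }
        RoleMapping[] roleMappings = roleConfig.getRoleMappings();
        String separator = FrameworkUtils.getMultiAttributeSeparator();
        List<String> localRoles = new ArrayList<>();
        // The separator is a literal (StringUtils.join below treats it as one), so quote it for split().
        for (String remoteRole : str.split(Pattern.quote(separator))) {
            RoleMapping mapping = findRoleMapping(roleMappings, remoteRole);
            if (mapping != null) {
                localRoles.add(mapping.getLocalRole().getLocalRoleName());
            } else if (!returnOnlyMappedLocalRoles) {
                localRoles.add(remoteRole);
            }
        }
        if (localRoles.isEmpty()) {
            return null;
        }
        return StringUtils.join(localRoles, separator);
    }

    /** Returns the first mapping whose remote role equals {@code remoteRole}, or {@code null} if none. */
    private static RoleMapping findRoleMapping(RoleMapping[] roleMappings, String remoteRole) {
        for (RoleMapping roleMapping : roleMappings) {
            if (roleMapping.getRemoteRole().equals(remoteRole)) {
                return roleMapping;
            }
        }
        return null;
    }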

    /**
     * Maps the assertion claims of a federated IdP through its claim configuration; overridable hook
     * that delegates to {@link ClaimsUtil#handleClaimsForIDP}.
     *
     * @param attributes         claims extracted from the assertion
     * @param tenantDomain       tenant the request belongs to
     * @param identityProvider   issuing IdP
     * @param localClaimDialect  whether the IdP's claim config uses the local claim dialect
     * @param claimMappings      the IdP's claim mappings
     * @return the mapped claims
     */
    protected Map<String, String> handleClaimsForIDP(Map<String, String> attributes, String tenantDomain,
                                                     IdentityProvider identityProvider, boolean localClaimDialect,
                                                     ClaimMapping[] claimMappings) {
        return ClaimsUtil.handleClaimsForIDP(attributes, tenantDomain, identityProvider, localClaimDialect, claimMappings);
    }

    /**
     * Maps the assertion claims of the resident IdP; overridable hook that delegates to
     * {@link ClaimsUtil#handleClaimsForResidentIDP}.
     *
     * @param attributes       claims extracted from the assertion
     * @param identityProvider the resident IdP
     * @return the mapped claims
     */
    protected Map<String, String> handleClaimsForResidentIDP(Map<String, String> attributes,
                                                             IdentityProvider identityProvider) {
        return ClaimsUtil.handleClaimsForResidentIDP(attributes, identityProvider);
    }

    /**
     * Stores the claim mappings for the issued token in the user-attribute cache; delegates to
     * {@link ClaimsUtil#addUserAttributesToCache}.
     *
     * @param oAuth2AccessTokenRespDTO     token response the attributes belong to
     * @param oAuthTokenReqMessageContext  originating token request context
     * @param userAttributes               claim mapping to value
     */
    protected static void addUserAttributesToCache(OAuth2AccessTokenRespDTO oAuth2AccessTokenRespDTO,
                                                   OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                                                   Map<ClaimMapping, String> userAttributes) {
        ClaimsUtil.addUserAttributesToCache(oAuth2AccessTokenRespDTO, oAuthTokenReqMessageContext, userAttributes);
    }

    /**
     * Rejects the assertion when the Conditions time window (NotOnOrAfter / NotBefore, with the
     * configured skew) does not cover the current time.
     *
     * @param skewMillis   allowed clock skew in milliseconds
     * @param notOnOrAfter Conditions NotOnOrAfter, may be null
     * @param notBefore    Conditions NotBefore, may be null
     * @throws IdentityOAuth2Exception when the current time is outside the window
     */
    private void validateAssertionTimeWindow(long skewMillis, DateTime notOnOrAfter, DateTime notBefore)
            throws IdentityOAuth2Exception {
        boolean withinWindow = isWithinValidTimeWindow(notOnOrAfter, notBefore, skewMillis);
        if (withinWindow) {
            return;
        }
        throw new IdentityOAuth2Exception("Assertion is not valid according to the time window provided in Conditions");
    }

    /**
     * Walks the assertion's SubjectConfirmation elements and enforces the bearer profile: at least one
     * confirmation uses the bearer method, a Recipient (when any is present) matches the token endpoint
     * alias, and a validity period is derived from the confirmation data / Conditions.
     *
     * @param oAuthTokenReqMessageContext context whose validity period is set
     * @param assertion                   validated assertion
     * @param identityProvider            issuing IdP (source of the token endpoint alias)
     * @param tenantDomain                tenant the request belongs to
     * @param skewMillis                  allowed clock skew in milliseconds
     * @throws IdentityOAuth2Exception when any of the bearer-profile checks fails
     */
    private void processSubjectConfirmation(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, Assertion assertion,
                                            IdentityProvider identityProvider, String tenantDomain, long skewMillis)
            throws IdentityOAuth2Exception {
        boolean bearerMethodFound = false;
        List<String> recipientUrls = new ArrayList<>();
        Map<DateTime, DateTime> confirmationWindow = new HashMap<>();
        for (SubjectConfirmation subjectConfirmation : getSubjectConfirmations(assertion)) {
            bearerMethodFound = updateBearerFound(subjectConfirmation, bearerMethodFound);
            SubjectConfirmationData confirmationData = subjectConfirmation.getSubjectConfirmationData();
            if (confirmationData == null) {
                continue;
            }
            recipientUrls.addAll(getRecipientUrls(confirmationData));
            // NOTE(review): this replaces rather than merges, so only the last SubjectConfirmationData's
            // window reaches setValidityPeriod while recipients of every element accumulate - confirm intended.
            confirmationWindow = getValidNotBeforeAndAfterDetails(confirmationData, skewMillis);
        }
        validateBearer(bearerMethodFound);
        validateRecipient(assertion, getTokenEPAlias(assertion, identityProvider, tenantDomain), recipientUrls);
        setValidityPeriod(oAuthTokenReqMessageContext, assertion, confirmationWindow);
    }

    /**
     * Fails the grant unless a SubjectConfirmation with the bearer method was seen.
     *
     * @param bearerMethodFound result accumulated by {@link #updateBearerFound}
     * @throws IdentityOAuth2Exception when no bearer SubjectConfirmation exists
     */
    private void validateBearer(boolean bearerMethodFound) throws IdentityOAuth2Exception {
        if (bearerMethodFound) {
            return;
        }
        throw new IdentityOAuth2Exception("Failed to find a SubjectConfirmation with a Method attribute having : urn:oasis:names:tc:SAML:2.0:cm:bearer");
    }

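    /**
     * Sets the token validity period on the context from the assertion's expiry: Conditions
     * NotOnOrAfter when present, otherwise the (last) SubjectConfirmationData NotOnOrAfter whose window
     * is consistent with the Conditions NotBefore. The period is {@code NotOnOrAfter - now} in
     * milliseconds; within the clock skew accepted earlier it can be zero or negative, which is left to
     * the caller as before.
     *
     * @param oAuthTokenReqMessageContext context to update
     * @param assertion                   validated assertion
     * @param map                         SubjectConfirmationData NotOnOrAfter -> NotBefore candidates
     * @throws IdentityOAuth2Exception when no usable NotOnOrAfter exists
     */
    private void setValidityPeriod(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, Assertion assertion,
                                   Map<DateTime, DateTime> map) throws IdentityOAuth2Exception {
        long now = System.currentTimeMillis();
        DateTime conditionsNotOnOrAfter = getNotOnOrAfter(assertion);
        if (conditionsNotOnOrAfter != null) {
            oAuthTokenReqMessageContext.setValidityPeriod(conditionsNotOnOrAfter.getMillis() - now);
            return;
        }
        if (map.isEmpty()) {
            throw new IdentityOAuth2Exception("Cannot find valid NotOnOrAfter details in assertion");
        }
        if (log.isDebugEnabled()) {
            log.debug("NotOnORAfter details are not found in Conditions. Evaluating values received in SubjectConfirmationData");
        }
        DateTime conditionsNotBefore = getNotBefore(assertion);
        DateTime chosenNotOnOrAfter = null;
        for (Map.Entry<DateTime, DateTime> window : map.entrySet()) {
            // conditionsNotOnOrAfter is null on this path, so only the NotBefore bound is actually enforced here
            if (isSubjectConfirmationTimeWindowIncludedInConditionsTimeWindow(conditionsNotOnOrAfter, conditionsNotBefore, window)) {
                chosenNotOnOrAfter = window.getKey();  // last acceptable window wins
            }
        }
        if (chosenNotOnOrAfter == null) {
            if (log.isDebugEnabled()) {
                log.debug("Valid NotOnORAfter details are not found in SubjectConfirmation");
            }
            throw new IdentityOAuth2Exception("Cannot find valid NotOnOrAfter details in assertion");
        }
        oAuthTokenReqMessageContext.setValidityPeriod(chosenNotOnOrAfter.getMillis() - now);
    }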

    /**
     * Checks that a SubjectConfirmationData window does not extend past the Conditions window: its
     * NotOnOrAfter must not be later than the Conditions NotOnOrAfter, and its NotBefore must not be
     * earlier than the Conditions NotBefore. A null bound on either side is not enforced.
     *
     * @param conditionsNotOnOrAfter Conditions NotOnOrAfter, may be null
     * @param conditionsNotBefore    Conditions NotBefore, may be null
     * @param entry                  SubjectConfirmationData NotOnOrAfter (key) -> NotBefore (value, may be null)
     * @return {@code true} when the confirmation window lies within the Conditions window
     */
    private boolean isSubjectConfirmationTimeWindowIncludedInConditionsTimeWindow(DateTime conditionsNotOnOrAfter,
                                                                                  DateTime conditionsNotBefore,
                                                                                  Map.Entry<DateTime, DateTime> entry) {
        DateTime confirmationNotOnOrAfter = entry.getKey();
        DateTime confirmationNotBefore = entry.getValue();
        if (conditionsNotOnOrAfter != null && conditionsNotOnOrAfter.isBefore(confirmationNotOnOrAfter)) {
            if (log.isDebugEnabled()) {
                log.debug("Conditions has earlier expiry than SubjectConfirmationData");
            }
            return false;
        }
        boolean notBeforeViolated = conditionsNotBefore != null && confirmationNotBefore != null
                && conditionsNotBefore.isAfter(confirmationNotBefore);
        if (notBeforeViolated) {
            if (log.isDebugEnabled()) {
                log.debug("NotBefore in SubjectConfirmationData has earlier value than NotBefore in Conditions");
            }
            return false;
        }
        return true;
    }

    /**
     * Requires that, when the assertion names any Recipient, one of them equals the token endpoint
     * alias of the IdP.
     *
     * @param assertion          validated assertion (unused here, kept for the call signature)
     * @param tokenEndpointAlias alias the Recipient must match exactly
     * @param recipientUrls      Recipient values collected from all SubjectConfirmationData elements
     * @throws IdentityOAuth2Exception when recipients exist but none matches
     */
    private void validateRecipient(Assertion assertion, String tokenEndpointAlias, List<String> recipientUrls)
            throws IdentityOAuth2Exception {
        if (CollectionUtils.isEmpty(recipientUrls)) {
            // NOTE(review): an assertion whose SubjectConfirmationData carries no Recipient passes this
            // check unchallenged; only the audience and time-window checks then bind it - confirm intended.
            return;
        }
        if (recipientUrls.contains(tokenEndpointAlias)) {
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("None of the recipient URLs match against the token endpoint alias : " + tokenEndpointAlias);
        }
        throw new IdentityOAuth2Exception("Recipient validation failed");
    }

    /**
     * Records the outcome of a successful validation in the request context: the authenticated user
     * (resolved from the assertion and the IdP), the scope copied from the token request, and the
     * parsed assertion under the "SAML2Assertion" property that {@link #issue} reads back.
     *
     * @param oAuthTokenReqMessageContext context to populate
     * @param assertion                   validated assertion
     * @param identityProvider            issuing IdP
     * @param tenantDomain                tenant the request belongs to
     * @throws IdentityOAuth2Exception when the user cannot be resolved
     */
    private void setValuesInMessageContext(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, Assertion assertion,
                                           IdentityProvider identityProvider, String tenantDomain)
            throws IdentityOAuth2Exception {
        setUserInMessageContext(oAuthTokenReqMessageContext, identityProvider, assertion, tenantDomain);
        oAuthTokenReqMessageContext.setScope(oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getScope());
        oAuthTokenReqMessageContext.addProperty("SAML2Assertion", assertion);
    }

    /**
     * Hands the validated request to the SAML2 token callback handler configured on the server, if any.
     *
     * @param oAuthTokenReqMessageContext validated request context
     * @throws IdentityOAuth2Exception propagated from the handler
     */
    private void invokeExtension(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        SAML2TokenCallbackHandler callbackHandler = OAuthServerConfiguration.getInstance().getSAML2TokenCallbackHandler();
        if (callbackHandler == null) {
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("Invoking the SAML2 Token callback handler");
        }
        callbackHandler.handleSAML2Token(oAuthTokenReqMessageContext);
    }

    /* JADX WARN: Finally extract failed */
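    /**
     * Verifies the assertion signature against the certificates registered for the IdP, accepting the
     * first one that validates. If none does, the first {@link SignatureException} (with the others
     * attached as suppressed) is wrapped and thrown. The context class loader is switched to the one
     * of {@link SignatureValidationProvider} for the duration of the check and always restored.
     * <p>
     * The debug line that reported the certificate count dereferenced a possibly-null array before the
     * emptiness check; it now uses {@link ArrayUtils#getLength}.
     *
     * @param assertion        validated assertion whose signature is checked
     * @param str              tenant domain (for error messages)
     * @param identityProvider IdP whose certificates are the trust anchors
     * @throws IdentityOAuth2Exception when the IdP has no certificate, one cannot be decoded, or no
     *                                 certificate validates the signature
     */
    protected void validateSignatureAgainstIdpCertificate(Assertion assertion, String str, IdentityProvider identityProvider)
            throws IdentityOAuth2Exception {
        CertificateInfo[] certificateInfoArray = identityProvider.getCertificateInfoArray();
        if (log.isDebugEnabled()) {
            log.debug(ArrayUtils.getLength(certificateInfoArray) + " certificates found for Identity Provider "
                    + identityProvider.getIdentityProviderName());
        }
        if (ArrayUtils.isEmpty(certificateInfoArray)) {
            throw new IdentityOAuth2Exception("No certificates found for Identity Provider "
                    + identityProvider.getIdentityProviderName() + " of tenant domain " + str);
        }
        Thread currentThread = Thread.currentThread();
        ClassLoader callerClassLoader = currentThread.getContextClassLoader();
        currentThread.setContextClassLoader(SignatureValidationProvider.class.getClassLoader());
        try {
            validateSignatureWithAnyIdpCertificate(assertion, str, identityProvider, certificateInfoArray);
        } catch (SignatureException e) {
            throw new IdentityOAuth2Exception("Error while validating the signature.", e);
        } finally {
            currentThread.setContextClassLoader(callerClassLoader);
        }
    }

    /** Tries the certificates in order; returns on the first that validates, else throws the first failure with the rest suppressed. */
    private void validateSignatureWithAnyIdpCertificate(Assertion assertion, String tenantDomain,
                                                        IdentityProvider identityProvider,
                                                        CertificateInfo[] certificateInfoArray)
            throws SignatureException, IdentityOAuth2Exception {
        SignatureException firstFailure = null;
        for (int i = 0; i < certificateInfoArray.length; i++) {
            CertificateInfo certificateInfo = certificateInfoArray[i];
            X509CredentialImpl credential =
                    new X509CredentialImpl(getIdpCertificate(tenantDomain, identityProvider, certificateInfo));
            try {
                if (log.isDebugEnabled()) {
                    log.debug("Validating the signature with certificate " + certificateInfo.getThumbPrint() + " at index: " + i);
                }
                SignatureValidator.validate(assertion.getSignature(), credential);
                return;
            } catch (SignatureException e) {
                if (log.isDebugEnabled()) {
                    log.debug("Signature validation failed with certificate " + certificateInfo.getThumbPrint() + " at index: " + i);
                }
                if (firstFailure == null) {
                    firstFailure = e;
                } else {
                    firstFailure.addSuppressed(e);
                }
            }
        }
        // the array is non-empty and every iteration either returned or recorded a failure
        throw firstFailure;
    }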

    /**
     * Decodes one of the IdP's registered certificates into an {@link X509Certificate}.
     *
     * @param tenantDomain     tenant domain (for the error message)
     * @param identityProvider owning IdP (for the error message)
     * @param certificateInfo  encoded certificate and its thumbprint
     * @return the decoded certificate
     * @throws IdentityOAuth2Exception when the certificate value cannot be decoded
     */
    private X509Certificate getIdpCertificate(String tenantDomain, IdentityProvider identityProvider,
                                              CertificateInfo certificateInfo) throws IdentityOAuth2Exception {
        try {
            return (X509Certificate) IdentityApplicationManagementUtil.decodeCertificate(certificateInfo.getCertValue());
        } catch (CertificateException e) {
            String message = "Error occurred while decoding public certificate with thumbprint " + certificateInfo.getThumbPrint()
                    + " of Identity Provider " + identityProvider.getIdentityProviderName()
                    + " for tenant domain " + tenantDomain;
            throw new IdentityOAuth2Exception(message, e);
        }
    }

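    /**
     * Checks that the assertion is signed and that the signature conforms to the SAML signature
     * profile. This does not verify the signer; that is done afterwards against the IdP certificate or
     * the SAML sign key store. An unsigned assertion is rejected explicitly here rather than being
     * handed to the profile validator as a null signature.
     *
     * @param assertion assertion to check
     * @throws IdentityOAuth2Exception if the assertion is unsigned or the signature violates the profile
     */
    private void validateSignature(Assertion assertion) throws IdentityOAuth2Exception {
        if (assertion.getSignature() == null) {
            throw new IdentityOAuth2Exception("SAML Assertion is not signed.");
        }
        try {
            this.profileValidator.validate(assertion.getSignature());
        } catch (SignatureException e) {
            throw new IdentityOAuth2Exception("Signature do not adhere to the SAML signature profile.", e);
        }
    }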

    /**
     * Returns the SubjectConfirmationData time window as a single-entry map (NotOnOrAfter -> NotBefore)
     * when the current time lies within it and NotOnOrAfter is present; otherwise an empty map.
     *
     * @param subjectConfirmationData element whose NotOnOrAfter/NotBefore are read
     * @param skewMillis              allowed clock skew in milliseconds
     * @return empty map or one entry keyed by NotOnOrAfter (value may be null)
     * @throws IdentityOAuth2Exception propagated from the window check
     */
    private Map<DateTime, DateTime> getValidNotBeforeAndAfterDetails(SubjectConfirmationData subjectConfirmationData,
                                                                     long skewMillis) throws IdentityOAuth2Exception {
        Map<DateTime, DateTime> window = new HashMap<>();
        DateTime notOnOrAfter = subjectConfirmationData.getNotOnOrAfter();
        DateTime notBefore = subjectConfirmationData.getNotBefore();
        if (!isWithinValidTimeWindow(notOnOrAfter, notBefore, skewMillis)) {
            return window;
        }
        if (notOnOrAfter == null) {
            if (log.isDebugEnabled()) {
                log.debug("Cannot find valid NotOnOrAfter and NotBefore attributes in SubjectConfirmationData " + subjectConfirmationData.toString());
            }
            return window;
        }
        window.put(notOnOrAfter, notBefore);
        return window;
    }

    /**
     * Returns the Recipient of the confirmation data as a list: one element when present, else empty.
     *
     * @param subjectConfirmationData element whose Recipient is read
     * @return mutable list with zero or one recipient URL
     */
    private List<String> getRecipientUrls(SubjectConfirmationData subjectConfirmationData) {
        List<String> recipientUrls = new ArrayList<>();
        String recipient = subjectConfirmationData.getRecipient();
        if (recipient != null) {
            recipientUrls.add(recipient);
        }
        return recipientUrls;
    }

    /**
     * Conditions NotBefore of the assertion; callers rely on validateConditions having rejected an
     * assertion without Conditions first.
     *
     * @return NotBefore, or null when the attribute is absent
     */
    private DateTime getNotBefore(Assertion assertion) {
        Conditions conditions = assertion.getConditions();
        return conditions.getNotBefore();
    }

    /**
     * Conditions NotOnOrAfter of the assertion; callers rely on validateConditions having rejected an
     * assertion without Conditions first.
     *
     * @return NotOnOrAfter, or null when the attribute is absent
     */
    private DateTime getNotOnOrAfter(Assertion assertion) {
        Conditions conditions = assertion.getConditions();
        return conditions.getNotOnOrAfter();
    }

    /**
     * Whether "now" lies within [NotBefore - skew, NotOnOrAfter + skew). A null NotOnOrAfter imposes no
     * expiry here (setValidityPeriod later insists on finding one); a null NotBefore imposes no start.
     *
     * @param notOnOrAfter expiry bound, may be null
     * @param notBefore    start bound, may be null
     * @param skewMillis   allowed clock skew in milliseconds
     * @return {@code true} when the current time is inside the window
     */
    private boolean isWithinValidTimeWindow(DateTime notOnOrAfter, DateTime notBefore, long skewMillis)
            throws IdentityOAuth2Exception {
        if (notOnOrAfter != null && isExpired(notOnOrAfter, skewMillis)) {
            if (log.isDebugEnabled()) {
                log.debug("NotOnOrAfter :" + notOnOrAfter + ". Assertion is not valid anymore");
            }
            return false;
        }
        if (isBeforeValidPeriod(notBefore, skewMillis)) {
            if (log.isDebugEnabled()) {
                log.debug("NotBefore :" + notBefore + ". Assertion is not valid during this time");
            }
            return false;
        }
        return true;
    }

    /**
     * True when the validity period has not started yet, i.e. NotBefore minus the skew is still in the
     * future. A null NotBefore never blocks.
     *
     * @param notBefore  start bound, may be null
     * @param skewMillis allowed clock skew in milliseconds
     */
    private boolean isBeforeValidPeriod(DateTime notBefore, long skewMillis) {
        if (notBefore == null) {
            return false;
        }
        DateTime earliestAccepted = notBefore.minus(skewMillis);
        return earliestAccepted.isAfterNow();
    }

    /**
     * True when NotOnOrAfter plus the skew is already in the past.
     *
     * @param notOnOrAfter expiry bound, must not be null
     * @param skewMillis   allowed clock skew in milliseconds
     */
    private boolean isExpired(DateTime notOnOrAfter, long skewMillis) {
        DateTime latestAccepted = notOnOrAfter.plus(skewMillis);
        return latestAccepted.isBeforeNow();
    }

    /**
     * Folds one SubjectConfirmation into the "bearer method seen" flag. A confirmation without a
     * Method attribute is a hard error.
     *
     * @param subjectConfirmation element whose Method is inspected
     * @param bearerFoundSoFar    flag accumulated over the previous confirmations
     * @return {@code true} once any confirmation used the bearer method
     * @throws IdentityOAuth2Exception when the Method attribute is missing
     */
    private boolean updateBearerFound(SubjectConfirmation subjectConfirmation, boolean bearerFoundSoFar)
            throws IdentityOAuth2Exception {
        String method = subjectConfirmation.getMethod();
        if (method == null) {
            if (log.isDebugEnabled()) {
                log.debug("Cannot find Method attribute in SubjectConfirmation " + subjectConfirmation.toString());
            }
            throw new IdentityOAuth2Exception("Cannot find Method attribute in SubjectConfirmation");
        }
        return bearerFoundSoFar || method.equals("urn:oasis:names:tc:SAML:2.0:cm:bearer");
    }

    /**
     * Returns the assertion's SubjectConfirmation elements, failing when there are none.
     *
     * @param assertion assertion whose Subject is read
     * @return non-empty list of SubjectConfirmation elements
     * @throws IdentityOAuth2Exception when the list is null or empty
     */
    private List<SubjectConfirmation> getSubjectConfirmations(Assertion assertion) throws IdentityOAuth2Exception {
        List<SubjectConfirmation> subjectConfirmations = assertion.getSubject().getSubjectConfirmations();
        if (CollectionUtils.isEmpty(subjectConfirmations)) {
            throw new IdentityOAuth2Exception("No SubjectConfirmation exist in Assertion");
        }
        return subjectConfirmations;
    }

    /**
     * The value the assertion's Audience and Recipient must match: the IdP's configured alias, or for
     * the resident IdP the OAuth2 token endpoint URL from its OIDC authenticator config.
     *
     * @return the alias, possibly null when not configured
     */
    private String getTokenEPAlias(Assertion assertion, IdentityProvider identityProvider, String tenantDomain)
            throws IdentityOAuth2Exception {
        if (ClaimsUtil.isResidentIdp(identityProvider)) {
            return getTokenEPAliasFromResidentIdp(assertion, identityProvider, tenantDomain);
        }
        return identityProvider.getAlias();
    }

    /**
     * Requires a Conditions element and validates its AudienceRestriction against the IdP's token
     * endpoint alias. (The time window of Conditions is checked separately by
     * validateAssertionTimeWindow.)
     *
     * @throws IdentityOAuth2Exception when Conditions is missing or the audience check fails
     */
    private void validateConditions(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, Assertion assertion,
                                    IdentityProvider identityProvider, String tenantDomain) throws IdentityOAuth2Exception {
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            throw new IdentityOAuth2Exception("SAML Assertion doesn't contain Conditions");
        }
        String tokenEndpointAlias = getTokenEPAlias(assertion, identityProvider, tenantDomain);
        validateAudience(identityProvider, conditions, tokenEndpointAlias, tenantDomain);
    }

    /**
     * Fails when the IdP has no token endpoint alias configured; without it the audience and recipient
     * checks would have nothing to compare against.
     *
     * @return {@code true} when an alias is present
     * @throws IdentityOAuth2Exception when the alias is blank
     */
    private boolean validateTokenEPAlias(IdentityProvider identityProvider, String tokenEndpointAlias, String tenantDomain)
            throws IdentityOAuth2Exception {
        if (StringUtils.isNotBlank(tokenEndpointAlias)) {
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug("Token Endpoint alias has not been configured in the Identity Provider : "
                    + identityProvider.getIdentityProviderName() + " in tenant : " + tenantDomain);
        }
        throw new IdentityOAuth2Exception("Token Endpoint alias has not been configured in the Identity Provider");
    }

    /**
     * Fails when the assertion carries no AudienceRestriction at all.
     *
     * @param audienceRestrictions restrictions from Conditions, may be null
     * @return {@code true} when at least one restriction exists
     * @throws IdentityOAuth2Exception when the list is null or empty
     */
    private boolean validateAudienceRestriction(List<AudienceRestriction> audienceRestrictions) throws IdentityOAuth2Exception {
        if (CollectionUtils.isNotEmpty(audienceRestrictions)) {
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug("SAML Assertion doesn't contain AudienceRestrictions");
        }
        throw new IdentityOAuth2Exception("Audience restriction not found in the saml assertion");
    }

    /**
     * Requires that some Audience in some AudienceRestriction equals (exact string match) the IdP's
     * token endpoint alias, after checking that the alias and at least one restriction exist.
     *
     * @return {@code true} when an audience matched
     * @throws IdentityOAuth2Exception when the alias is missing, restrictions are absent, or nothing matches
     */
    private boolean validateAudience(IdentityProvider identityProvider, Conditions conditions, String tokenEndpointAlias,
                                     String tenantDomain) throws IdentityOAuth2Exception {
        validateTokenEPAlias(identityProvider, tokenEndpointAlias, tenantDomain);
        List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
        validateAudienceRestriction(audienceRestrictions);
        boolean audienceMatched = false;
        for (AudienceRestriction restriction : audienceRestrictions) {
            List<Audience> audiences = restriction.getAudiences();
            if (CollectionUtils.isNotEmpty(audiences)) {
                audienceMatched = audiences.stream().anyMatch(audience -> audience.getAudienceURI().equals(tokenEndpointAlias));
            }
            if (audienceMatched) {
                break;
            }
        }
        if (audienceMatched) {
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug("SAML Assertion Audience Restriction validation failed against the Audience : " + tokenEndpointAlias
                    + " of Identity Provider : " + identityProvider.getIdentityProviderName() + " in tenant : " + tenantDomain);
        }
        throw new IdentityOAuth2Exception("SAML Assertion Audience Restriction validation failed");
    }

    /**
     * Reads the OAuth2 token endpoint URL from the resident IdP's "openidconnect" federated
     * authenticator properties; that URL serves as the token endpoint alias for the resident IdP.
     *
     * @return the configured URL, or null when the property is absent
     */
    private String getTokenEPAliasFromResidentIdp(Assertion assertion, IdentityProvider identityProvider, String tenantDomain)
            throws IdentityOAuth2Exception {
        FederatedAuthenticatorConfig oidcAuthenticator = IdentityApplicationManagementUtil.getFederatedAuthenticator(
                identityProvider.getFederatedAuthenticatorConfigs(), "openidconnect");
        Property tokenEndpointProperty = IdentityApplicationManagementUtil.getProperty(
                oidcAuthenticator.getProperties(), OAuthServerConfiguration.ConfigElements.OAUTH2_TOKEN_EP_URL);
        return tokenEndpointProperty == null ? null : tokenEndpointProperty.getValue();
    }

    /**
     * Requires the assertion Issuer to equal the resident IdP's configured entity id.
     *
     * @param assertion        assertion whose Issuer is compared
     * @param tenantDomain     tenant domain (for the debug message)
     * @param expectedEntityId entity id from the resident IdP config, may be null
     * @return {@code true} when the issuer matches
     * @throws IdentityOAuth2Exception when no entity id is configured or it differs from the issuer
     */
    private boolean validateIdpEntityId(Assertion assertion, String tenantDomain, String expectedEntityId)
            throws IdentityOAuth2Exception {
        if (expectedEntityId == null || !assertion.getIssuer().getValue().equals(expectedEntityId)) {
            if (log.isDebugEnabled()) {
                log.debug("SAML Token Issuer verification failed against resident Identity Provider in tenant : " + tenantDomain
                        + ". Received : " + assertion.getIssuer().getValue() + ", Expected : " + expectedEntityId);
            }
            throw new IdentityOAuth2Exception("Issuer verification failed against resident idp");
        }
        return true;
    }

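    /**
     * Reads the IdP entity id property from the "samlsso" federated authenticator configuration.
     *
     * @param federatedAuthenticatorConfigArr the identity provider's federated authenticator configs
     * @return the configured entity id, or {@code null} when the configs, the samlsso
     *         authenticator or the property are absent
     */
    private String getIdpEntityId(FederatedAuthenticatorConfig[] federatedAuthenticatorConfigArr) {
        if (federatedAuthenticatorConfigArr == null) {
            return null;
        }
        FederatedAuthenticatorConfig samlAuthenticator = IdentityApplicationManagementUtil.getFederatedAuthenticator(federatedAuthenticatorConfigArr, SAMLSSO_AUTHENTICATOR);
        // Same null guard as isUserIdFromClaimsEnabled: an IdP without this authenticator
        // simply has no entity id, which the caller treats as a verification failure.
        if (samlAuthenticator == null) {
            return null;
        }
        Property entityIdProperty = IdentityApplicationManagementUtil.getProperty(samlAuthenticator.getProperties(), IDP_ENTITY_ID);
        return entityIdProperty == null ? null : entityIdProperty.getValue();
    }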

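    /**
     * Resolves the identity provider that issued the assertion within the given tenant.
     * When the resolved provider is the resident IdP it is re-read through
     * {@code IdentityProviderManager.getResidentIdP} (presumably to obtain the fully
     * populated resident configuration — confirm against the manager).
     *
     * @param assertion the bearer assertion whose issuer is looked up
     * @param str       tenant domain to resolve the provider in
     * @return the matching identity provider, never {@code null}
     * @throws IdentityOAuth2Exception when no provider matches or the lookup fails
     */
    private IdentityProvider getIdentityProvider(Assertion assertion, String str) throws IdentityOAuth2Exception {
        try {
            IdentityProvider resolvedIdp = getIdentityProviderFromManager(assertion, str);
            checkNullIdentityProvider(assertion, str, resolvedIdp);
            if (ClaimsUtil.isResidentIdp(resolvedIdp)) {
                resolvedIdp = IdentityProviderManager.getInstance().getResidentIdP(str);
            }
            if (log.isDebugEnabled()) {
                log.debug("Found an idp with given information. IDP name : " + resolvedIdp.getIdentityProviderName());
            }
            return resolvedIdp;
        } catch (IdentityProviderManagementException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error while retrieving identity provider for issuer : " + assertion.getIssuer().getValue() + " for tenantDomain : " + str, e);
            }
            // Keep the generic message, but attach the cause so the failure is diagnosable
            // from the server log even when debug logging is off.
            throw new IdentityOAuth2Exception("Error while retrieving identity provider", (Throwable) e);
        }
    }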

    /**
     * Looks up the identity provider registered for the assertion's issuer, trying the
     * samlsso authenticator first, then the SAML2 SSO authenticator, and finally falling
     * back to the resident IdP when a SAML service provider in the audience carries an
     * IdP entity id alias equal to the issuer.
     *
     * @param assertion the bearer assertion; its issuer value is the lookup key
     * @param str       tenant domain to search in
     * @return the matching identity provider, or {@code null} when none was found
     * @throws IdentityProviderManagementException propagated from the IdP manager
     * @throws IdentityOAuth2Exception            propagated from the alias check
     */
    private IdentityProvider getIdentityProviderFromManager(Assertion assertion, String str) throws IdentityProviderManagementException, IdentityOAuth2Exception {
        if (log.isDebugEnabled()) {
            log.debug("Retrieving identity provider : " + assertion.getIssuer().getValue() + " for authenticator name " + SAMLSSO_AUTHENTICATOR);
        }
        IdentityProvider resolvedIdp = getIdPByAuthenticatorPropertyValue(assertion, str, SAMLSSO_AUTHENTICATOR);
        if (resolvedIdp != null) {
            return resolvedIdp;
        }
        if (log.isDebugEnabled()) {
            log.debug("Couldnt find an idp for samlsso authenticator. Hence retrieving identity provider : " + assertion.getIssuer().getValue() + " for authenticator name " + SAML2SSO_AUTHENTICATOR_NAME);
        }
        resolvedIdp = getIdPByAuthenticatorPropertyValue(assertion, str, SAML2SSO_AUTHENTICATOR_NAME);
        if (resolvedIdp != null) {
            return resolvedIdp;
        }
        if (log.isDebugEnabled()) {
            log.debug("SAML Token Issuer : " + assertion.getIssuer().getValue() + " is not registered as a local Identity Provider in tenant : " + str + ". Hence checking if the assertion is from resident IdP with IdP Entity ID Alias enabled");
        }
        // Last resort: the issuer may be an alias configured on one of the audience SPs.
        if (validateIdpEntityIdAliasFromSAMLSP(assertion, str)) {
            return IdentityProviderManager.getInstance().getResidentIdP(str);
        }
        return null;
    }

    /**
     * Finds the identity provider whose authenticator {@code str2} has an IdP entity id
     * property equal to the assertion's issuer value.
     *
     * @param assertion the bearer assertion supplying the issuer value
     * @param str       tenant domain to search in
     * @param str2      federated authenticator name to match on
     * @return the matching provider, or {@code null} when none exists
     * @throws IdentityProviderManagementException propagated from the IdP manager
     */
    private IdentityProvider getIdPByAuthenticatorPropertyValue(Assertion assertion, String str, String str2) throws IdentityProviderManagementException {
        IdentityProviderManager idpManager = IdentityProviderManager.getInstance();
        String issuerValue = assertion.getIssuer().getValue();
        return idpManager.getIdPByAuthenticatorPropertyValue(IDP_ENTITY_ID, issuerValue, str, str2, false);
    }

    /**
     * Fails the grant when no identity provider was resolved for the assertion's issuer.
     *
     * @param assertion        the bearer assertion, used for the debug log line
     * @param str              tenant domain, used for the debug log line
     * @param identityProvider the resolved provider, possibly {@code null}
     * @throws IdentityOAuth2Exception when {@code identityProvider} is {@code null}
     */
    private void checkNullIdentityProvider(Assertion assertion, String str, IdentityProvider identityProvider) throws IdentityOAuth2Exception {
        if (identityProvider != null) {
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("SAML Token Issuer : " + assertion.getIssuer().getValue() + " not registered as a local Identity Provider in tenant : " + str);
        }
        throw new IdentityOAuth2Exception("Identity provider is null");
    }

    /**
     * Checks whether any audience of the assertion names a SAML service provider whose
     * configured IdP entity id alias equals the assertion's issuer. This is what lets an
     * assertion issued under an SP-specific alias be attributed to the resident IdP.
     *
     * @param assertion the bearer assertion; {@code getConditions()} is dereferenced directly,
     *                  so conditions are assumed to have been validated earlier — confirm in caller
     * @param str       tenant domain the service providers are looked up in
     * @return {@code true} when a matching alias is found
     * @throws IdentityOAuth2Exception from the audience validation or the SP lookup
     */
    private Boolean validateIdpEntityIdAliasFromSAMLSP(Assertion assertion, String str) throws IdentityOAuth2Exception {
        List<AudienceRestriction> restrictions = assertion.getConditions().getAudienceRestrictions();
        validateAudienceRestriction(restrictions);
        String issuerValue = assertion.getIssuer().getValue();
        for (AudienceRestriction restriction : restrictions) {
            if (!CollectionUtils.isNotEmpty(restriction.getAudiences())) {
                continue;
            }
            for (Audience audience : restriction.getAudiences()) {
                // The audience URI comes from the (already signature-checked) assertion and is
                // only used as a lookup key into the tenant's SP registry.
                SAMLSSOServiceProviderDO samlServiceProvider = getSAMLSSOServiceProvider(audience.getAudienceURI(), str);
                if (samlServiceProvider == null) {
                    continue;
                }
                String entityIdAlias = samlServiceProvider.getIdpEntityIDAlias();
                if (entityIdAlias != null && entityIdAlias.equals(issuerValue)) {
                    if (log.isDebugEnabled()) {
                        log.debug("Token Issuer verified against IdP Entity ID Alias : " + entityIdAlias + " of SAML Service Provider " + samlServiceProvider.getIssuer() + " in tenant : " + str + Constants.FULL_STOP_DELIMITER);
                    }
                    return true;
                }
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("No SAML Service Provider configuration with IdP Entity ID Alias similar to token issuer found.");
        }
        return false;
    }

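    /**
     * Loads the SAML service provider registered under issuer {@code str} in tenant
     * {@code str2}, running the registry read inside a privileged tenant flow.
     *
     * @param str  the SAML SP issuer (the audience URI taken from the assertion)
     * @param str2 tenant domain; blank means the super tenant ("carbon.super")
     * @return the service provider, or {@code null} when the persistence manager has none
     * @throws IdentityOAuth2Exception when the tenant id cannot be resolved or the registry read fails
     */
    private SAMLSSOServiceProviderDO getSAMLSSOServiceProvider(String str, String str2) throws IdentityOAuth2Exception {
        String tenantDomain = str2;
        int tenantId;
        if (StringUtils.isBlank(tenantDomain)) {
            // No tenant supplied: use the super tenant and the id this file pairs with it.
            tenantDomain = "carbon.super";
            tenantId = -1234;
        } else {
            RealmService realmService = OAuthComponentServiceHolder.getInstance().getRealmService();
            try {
                tenantId = realmService.getTenantManager().getTenantId(tenantDomain);
            } catch (UserStoreException e) {
                throw new IdentityOAuth2Exception("Error occurred while retrieving tenant id for the domain : " + tenantDomain, (Throwable) e);
            }
        }
        try {
            PrivilegedCarbonContext.startTenantFlow();
            PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
            carbonContext.setTenantId(tenantId);
            carbonContext.setTenantDomain(tenantDomain);
            IdentityTenantUtil.initializeRegistry(tenantId, tenantDomain);
            return IdentityPersistenceManager.getPersistanceManager().getServiceProvider(carbonContext.getRegistry(RegistryType.SYSTEM_CONFIGURATION), str);
        } catch (IdentityException e) {
            // Preserve the cause; the decompiled original dropped it.
            throw new IdentityOAuth2Exception("Error occurred while validating existence of SAML service provider '" + str + "' that issued the assertion in the tenant domain '" + tenantDomain + "'", (Throwable) e);
        } finally {
            // The tenant flow is thread-local state: always unwind it, on success and on failure.
            PrivilegedCarbonContext.endTenantFlow();
        }
    }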

    /**
     * Rejects assertions that carry no issuer element or an empty issuer value.
     *
     * @param oAuthTokenReqMessageContext token request context, used for the debug log line
     * @param assertion                   the bearer assertion
     * @return {@code true} when an issuer value is present
     * @throws IdentityOAuth2Exception when the issuer is missing or empty
     */
    private boolean validateIssuer(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, Assertion assertion) throws IdentityOAuth2Exception {
        boolean issuerMissing = issuerNotFoundInAssertion(assertion);
        if (issuerMissing) {
            if (log.isDebugEnabled()) {
                log.debug("Issuer is empty in the SAML assertion. Token request for user : " + oAuthTokenReqMessageContext.getAuthorizedUser());
            }
            throw new IdentityOAuth2Exception("Issuer is empty in the SAML assertion");
        }
        return true;
    }

    /**
     * Reports whether the assertion lacks an issuer element or has an empty issuer value.
     *
     * @param assertion the bearer assertion
     * @return {@code true} when no usable issuer value is present
     */
    private boolean issuerNotFoundInAssertion(Assertion assertion) {
        if (assertion.getIssuer() == null) {
            return true;
        }
        return StringUtils.isEmpty(assertion.getIssuer().getValue());
    }

    /**
     * Requires the assertion to carry a Subject with a non-blank NameID.
     *
     * @param oAuthTokenReqMessageContext token request context, used for the debug log line
     * @param assertion                   the bearer assertion
     * @return {@code true} when the subject and its NameID are present
     * @throws IdentityOAuth2Exception when the subject is absent, or (via validateNameId) the NameID is blank
     */
    private boolean validateSubject(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, Assertion assertion) throws IdentityOAuth2Exception {
        if (assertion.getSubject() == null) {
            if (log.isDebugEnabled()) {
                log.debug("Cannot find a Subject in the Assertion. Token request for the user : " + oAuthTokenReqMessageContext.getAuthorizedUser());
            }
            throw new IdentityOAuth2Exception("Cannot find a Subject in the Assertion");
        }
        validateNameId(oAuthTokenReqMessageContext, assertion);
        return true;
    }

    /**
     * Requires the subject's NameID value to be non-blank.
     *
     * @param oAuthTokenReqMessageContext token request context, used for the debug log line
     * @param assertion                   the bearer assertion; its subject must already be non-null
     * @throws IdentityOAuth2Exception when the NameID is absent (from getNameIdValue) or blank
     */
    private void validateNameId(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, Assertion assertion) throws IdentityOAuth2Exception {
        String nameIdValue = getNameIdValue(assertion);
        if (!StringUtils.isBlank(nameIdValue)) {
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("NameID in Assertion is not found in subject. Token request for the user : " + oAuthTokenReqMessageContext.getAuthorizedUser());
        }
        throw new IdentityOAuth2Exception("NameID in Assertion cannot be empty");
    }

    /**
     * Derives the user identifier for the grant: the subject NameID by default, or — when
     * the server-wide SAML2 "user id from claims" option is on — the value of the IdP's
     * configured user claim URI, extracted from the assertion's attribute statements.
     *
     * @param oAuthTokenReqMessageContext token request context, passed to claim extraction
     * @param identityProvider            the issuing identity provider (claim config and flags)
     * @param assertion                   the bearer assertion
     * @return the non-blank user identifier
     * @throws IdentityOAuth2Exception when the NameID is missing, the IdP does not enable
     *                                 IsUserIdInClaims, no user claim URI is configured, or the
     *                                 claim value is absent from the assertion
     */
    protected String getUserId(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, IdentityProvider identityProvider, Assertion assertion) throws IdentityOAuth2Exception {
        boolean userIdFromClaims = OAuthServerConfiguration.getInstance().getSaml2UserIdFromClaims();
        if (!userIdFromClaims) {
            String nameId = getNameIdValue(assertion);
            if (log.isDebugEnabled()) {
                // Note: this writes the subject identifier to the debug log.
                log.debug("Using the name identifier : " + nameId + " as the user id.");
            }
            return nameId;
        }
        if (!isUserIdFromClaimsEnabled(identityProvider)) {
            throw new IdentityOAuth2Exception("UserIdFromClaims configuration is enabled for saml bearer grant but SAML federated authenticator configuration IsUserIdInClaims is not enabled to the identity provider : " + identityProvider.getIdentityProviderName());
        }
        // Claims are extracted before the claim URI is checked (same ordering as before).
        Map<String, String> assertionClaims = ClaimsUtil.extractClaimsFromAssertion(oAuthTokenReqMessageContext, null, assertion, FrameworkUtils.getMultiAttributeSeparator());
        String userIdClaimUri = identityProvider.getClaimConfig().getUserClaimURI();
        if (StringUtils.isBlank(userIdClaimUri)) {
            throw new IdentityOAuth2Exception("SAML federated authenticator configuration IsUserIdInClaims is enabled to the identity provider : " + identityProvider.getIdentityProviderName() + " but User ID Claim URI is not selected in basic claim configuration.");
        }
        String claimValue = assertionClaims == null ? null : assertionClaims.get(userIdClaimUri);
        if (StringUtils.isBlank(claimValue)) {
            throw new IdentityOAuth2Exception("User id found among claims option and user claim URI : " + userIdClaimUri + " are configured for the SAML federated identity provider : " + identityProvider.getIdentityProviderName() + ", but user claim value is not present in the SAML assertion.");
        }
        if (log.isDebugEnabled()) {
            log.debug("Using the user claim URI value : " + claimValue + " as the user id.");
        }
        return claimValue;
    }

    /**
     * Reports whether the identity provider's SAML2 SSO authenticator has the
     * "IsUserIdInClaims" property set to TRUE (case-insensitive).
     *
     * @param identityProvider the identity provider to inspect
     * @return {@code true} only when the configs, the authenticator and the property all exist
     *         and the property value is "TRUE"
     */
    private boolean isUserIdFromClaimsEnabled(IdentityProvider identityProvider) {
        FederatedAuthenticatorConfig[] authenticatorConfigs = identityProvider.getFederatedAuthenticatorConfigs();
        if (authenticatorConfigs == null) {
            return false;
        }
        FederatedAuthenticatorConfig samlAuthenticator = IdentityApplicationManagementUtil.getFederatedAuthenticator(authenticatorConfigs, SAML2SSO_AUTHENTICATOR_NAME);
        if (samlAuthenticator == null) {
            return false;
        }
        Property userIdInClaims = IdentityApplicationManagementUtil.getProperty(samlAuthenticator.getProperties(), "IsUserIdInClaims");
        if (userIdInClaims == null || !"TRUE".equalsIgnoreCase(userIdInClaims.getValue())) {
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("IsUserIdInClaims is enabled to the SAML federated identity provider : " + identityProvider.getIdentityProviderName());
        }
        return true;
    }

    /**
     * Returns the subject's NameID value.
     *
     * @param assertion the bearer assertion; its subject must be non-null (see validateSubject)
     * @return the NameID value, which may itself be blank — callers check that separately
     * @throws IdentityOAuth2Exception when the subject has no NameID element
     */
    private String getNameIdValue(Assertion assertion) throws IdentityOAuth2Exception {
        if (assertion.getSubject().getNameID() == null) {
            throw new IdentityOAuth2Exception("NameID value is null. Cannot proceed");
        }
        return assertion.getSubject().getNameID().getValue();
    }

    /**
     * Decodes the base64 assertion parameter of the token request and unmarshalls it into
     * an OpenSAML Assertion. The input is untrusted client data: the nested-assertion check
     * runs before the object is handed back, and signature/conditions checks happen in the
     * callers. XML parser hardening (DTD / external entities) lives in UnmarshallUtils,
     * which is not visible here — confirm it is configured there.
     *
     * @param oAuthTokenReqMessageContext token request context holding the raw assertion string
     * @return the unmarshalled assertion
     * @throws IdentityOAuth2Exception when unmarshalling fails, the XML contains nested
     *                                 assertions, or the root element is not an Assertion
     */
    private Assertion getAssertionObject(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        String encodedAssertion = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getAssertion();
        String assertionXml = new String(Base64.decodeBase64(encodedAssertion), StandardCharsets.UTF_8);
        XMLObject unmarshalled;
        try {
            unmarshalled = UnmarshallUtils.unmarshall(assertionXml);
        } catch (IdentityUnmarshallingException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error while unmashalling the assertion", e);
            }
            throw new IdentityOAuth2Exception("Error while unmashalling the assertion", e);
        }
        validateAssertionList(unmarshalled);
        return getAssertion(unmarshalled);
    }

    /**
     * Narrows the unmarshalled root object to an Assertion.
     *
     * @param xMLObject the unmarshalled root element
     * @return the same object typed as Assertion
     * @throws IdentityOAuth2Exception when the root element is anything else (e.g. a Response)
     */
    private Assertion getAssertion(XMLObject xMLObject) throws IdentityOAuth2Exception {
        if (!(xMLObject instanceof Assertion)) {
            throw new IdentityOAuth2Exception("Only Assertion objects are validated in SAML2Bearer Grant Type");
        }
        return (Assertion) xMLObject;
    }

    /**
     * Rejects documents that contain an Assertion element nested inside the root.
     * {@code Element.getElementsByTagNameNS} returns descendants only (not the element
     * itself), so any hit is a nested assertion rather than the root being checked.
     *
     * @param xMLObject the unmarshalled root; its DOM is assumed to still be attached
     * @return {@code true} when no nested assertion exists
     * @throws IdentityOAuth2Exception when at least one nested Assertion element is present
     */
    private boolean validateAssertionList(XMLObject xMLObject) throws IdentityOAuth2Exception {
        int nestedAssertionCount = xMLObject.getDOM().getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", ASSERTION_ELEMENT).getLength();
        if (nestedAssertionCount > 0) {
            throw new IdentityOAuth2Exception("Nested assertions found in request");
        }
        return true;
    }

    /**
     * Returns the tenant domain carried by the token request, defaulting to the super
     * tenant ("carbon.super") when the request has none.
     *
     * @param oAuthTokenReqMessageContext token request context
     * @return a non-empty tenant domain
     */
    private String getTenantDomain(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        String requestTenant = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain();
        return StringUtils.isEmpty(requestTenant) ? "carbon.super" : requestTenant;
    }

    /**
     * Populates the authorized user on the token request according to the configured
     * SAML2 bearer user type: FEDERATED, LOCAL, LEGACY, or (any other value) LOCAL when the
     * issuing provider is the resident IdP and FEDERATED otherwise.
     *
     * @param oAuthTokenReqMessageContext token request context to update
     * @param identityProvider            the issuing identity provider (used only for the default branch)
     * @param assertion                   the bearer assertion
     * @param str                         the service provider's tenant domain
     * @throws IdentityOAuth2Exception when the user cannot be built or resolved
     */
    protected void setUserInMessageContext(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, IdentityProvider identityProvider, Assertion assertion, String str) throws IdentityOAuth2Exception {
        String bearerUserType = OAuthServerConfiguration.getInstance().getSaml2BearerTokenUserType();
        if ("FEDERATED".equalsIgnoreCase(bearerUserType)) {
            setFederatedUser(oAuthTokenReqMessageContext, assertion, str);
        } else if ("LOCAL".equalsIgnoreCase(bearerUserType)) {
            setLocalUserOrFail(oAuthTokenReqMessageContext, assertion, str);
        } else if ("LEGACY".equalsIgnoreCase(bearerUserType)) {
            createLegacyUser(oAuthTokenReqMessageContext, assertion);
        } else if (ClaimsUtil.isResidentIdp(identityProvider)) {
            setLocalUserOrFail(oAuthTokenReqMessageContext, assertion, str);
        } else {
            setFederatedUser(oAuthTokenReqMessageContext, assertion, str);
        }
    }

    /**
     * Builds the local user, translating a user-store failure into the grant handler's
     * exception type.
     *
     * @throws IdentityOAuth2Exception on user-store errors or when the user cannot be resolved
     */
    private void setLocalUserOrFail(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, Assertion assertion, String str) throws IdentityOAuth2Exception {
        try {
            setLocalUser(oAuthTokenReqMessageContext, assertion, str);
        } catch (UserStoreException e) {
            throw new IdentityOAuth2Exception("Error while building local user from given assertion", (Throwable) e);
        }
    }

    /**
     * Sets a federated authenticated user built from the assertion's user id.
     * The identity provider is resolved twice: once in tenant {@code str} for the user id,
     * and once in the token request's tenant for the federated IdP name — these can differ
     * when {@code str} is not the request tenant; confirm that is intended.
     *
     * @param oAuthTokenReqMessageContext token request context to update
     * @param assertion                   the bearer assertion
     * @param str                         the service provider's tenant domain
     * @throws IdentityOAuth2Exception when the IdP or user id cannot be resolved
     */
    protected void setFederatedUser(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, Assertion assertion, String str) throws IdentityOAuth2Exception {
        IdentityProvider issuingIdp = getIdentityProvider(assertion, str);
        String userId = getUserId(oAuthTokenReqMessageContext, issuingIdp, assertion);
        if (log.isDebugEnabled()) {
            log.debug("Setting federated user : " + userId + ". with SP tenant domain : " + str);
        }
        AuthenticatedUser federatedUser = AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(userId);
        federatedUser.setUserName(userId);
        String requestTenant = getTenantDomain(oAuthTokenReqMessageContext);
        federatedUser.setFederatedIdPName(getIdentityProvider(assertion, requestTenant).getIdentityProviderName());
        oAuthTokenReqMessageContext.setAuthorizedUser(federatedUser);
    }

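    /**
     * Sets a local authenticated user built from the assertion, after enforcing that a
     * non-SaaS application only issues tokens for its own tenant and that the user exists
     * in the resolved tenant's user store.
     *
     * @param oAuthTokenReqMessageContext token request context to update
     * @param assertion                   the bearer assertion
     * @param str                         the service provider's tenant domain
     * @throws UserStoreException      from the realm / user store lookups
     * @throws IdentityOAuth2Exception when the SP cannot be loaded, the tenant check fails,
     *                                 or the user does not exist
     */
    protected void setLocalUser(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, Assertion assertion, String str) throws UserStoreException, IdentityOAuth2Exception {
        RealmService realmService = OAuthComponentServiceHolder.getInstance().getRealmService();
        String clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
        try {
            if (log.isDebugEnabled()) {
                log.debug("Retrieving service provider for client id : " + clientId + ". Tenant domain : " + str);
            }
            ServiceProvider serviceProvider = OAuth2ServiceComponentHolder.getApplicationMgtService().getServiceProviderByClientId(clientId, OAuthApplicationMgtListener.OAUTH2, str);
            AuthenticatedUser localUser = buildLocalUser(oAuthTokenReqMessageContext, assertion, serviceProvider, str);
            if (log.isDebugEnabled()) {
                log.debug("Setting local user with username :" + localUser.getUserName() + ". User store domain :" + localUser.getUserStoreDomain() + ". Tenant domain : " + localUser.getTenantDomain() + " . Authenticated subjectIdentifier : " + localUser.getAuthenticatedSubjectIdentifier());
            }
            // Cross-tenant token issuance is only allowed for SaaS applications; the user's
            // tenant is derived from the assertion subject in buildLocalUser.
            if (!str.equalsIgnoreCase(localUser.getTenantDomain()) && !serviceProvider.isSaasApp()) {
                throw new IdentityOAuth2Exception("Non SaaS app tries to issue token for a different tenant domain. User tenant domain : " + localUser.getTenantDomain() + ". SP tenant domain : " + str);
            }
            UserStoreManager userStoreManager = realmService.getTenantUserRealm(IdentityTenantUtil.getTenantId(localUser.getTenantDomain())).getUserStoreManager();
            if (log.isDebugEnabled()) {
                log.debug("Checking whether the user exists in local user store");
            }
            if (userDoesNotExist(userStoreManager, localUser)) {
                if (log.isDebugEnabled()) {
                    log.debug("User " + localUser.getUsernameAsSubjectIdentifier(true, false) + " doesn't exist in local user store.");
                }
                throw new IdentityOAuth2Exception("User not found in local user store");
            }
            oAuthTokenReqMessageContext.setAuthorizedUser(localUser);
        } catch (IdentityApplicationManagementException e) {
            // Preserve the cause; the decompiled original dropped it.
            throw new IdentityOAuth2Exception("Error while retrieving service provider for client id : " + clientId + " in tenant domain " + str, (Throwable) e);
        }
    }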

    /**
     * Checks the user store for the user, addressed by its domain-qualified, tenant-less
     * subject identifier.
     *
     * @param userStoreManager  user store of the user's tenant
     * @param authenticatedUser the candidate local user
     * @return {@code true} when the user store reports no such user
     * @throws UserStoreException propagated from the user store
     */
    private boolean userDoesNotExist(UserStoreManager userStoreManager, AuthenticatedUser authenticatedUser) throws UserStoreException {
        String domainQualifiedName = authenticatedUser.getUsernameAsSubjectIdentifier(true, false);
        boolean exists = userStoreManager.isExistingUser(domainQualifiedName);
        return !exists;
    }

    /**
     * Builds a local AuthenticatedUser from the assertion's user id, splitting it into user
     * store domain, tenant-aware username and tenant domain. For a non-SaaS application
     * whose user id carries no explicit tenant, the SP tenant is used instead of the
     * default super tenant.
     *
     * @param oAuthTokenReqMessageContext token request context
     * @param assertion                   the bearer assertion
     * @param serviceProvider             the OAuth application the token is issued for
     * @param str                         the service provider's tenant domain
     * @return the populated local user (tenant-domain check happens in the caller)
     * @throws IdentityOAuth2Exception when the IdP or user id cannot be resolved
     */
    protected AuthenticatedUser buildLocalUser(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, Assertion assertion, ServiceProvider serviceProvider, String str) throws IdentityOAuth2Exception {
        String userId = getUserId(oAuthTokenReqMessageContext, getIdentityProvider(assertion, str), assertion);
        if (log.isDebugEnabled()) {
            log.debug("Building local user with assertion subject : " + userId);
        }
        AuthenticatedUser localUser = new AuthenticatedUser();
        localUser.setUserStoreDomain(UserCoreUtil.extractDomainFromName(userId));
        String domainlessUserId = UserCoreUtil.removeDomainFromName(userId);
        localUser.setUserName(MultitenantUtils.getTenantAwareUsername(domainlessUserId));
        String userTenant = MultitenantUtils.getTenantDomain(userId);
        // Note the mixed matching: endsWith is case-sensitive, equalsIgnoreCase is not.
        boolean implicitSuperTenant = !userId.endsWith("carbon.super") && "carbon.super".equalsIgnoreCase(userTenant);
        if (!serviceProvider.isSaasApp() && implicitSuperTenant) {
            userTenant = str;
        }
        localUser.setTenantDomain(userTenant);
        localUser.setAuthenticatedSubjectIdentifier(localUser.getUserName(), serviceProvider);
        localUser.setFederatedIdPName(getIdentityProvider(assertion, getTenantDomain(oAuthTokenReqMessageContext)).getIdentityProviderName());
        return localUser;
    }

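    /**
     * Sets a "legacy" authenticated user: built from the user id via OAuth2Util, marked as
     * federated, and tagged with the issuing IdP's name.
     *
     * @param oAuthTokenReqMessageContext token request context to update
     * @param assertion                   the bearer assertion
     * @throws IdentityOAuth2Exception when the IdP or user id cannot be resolved
     */
    protected void createLegacyUser(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, Assertion assertion) throws IdentityOAuth2Exception {
        String requestTenant = getTenantDomain(oAuthTokenReqMessageContext);
        // Resolve the issuing IdP once; the original performed the same lookup twice.
        IdentityProvider issuingIdp = getIdentityProvider(assertion, requestTenant);
        String userId = getUserId(oAuthTokenReqMessageContext, issuingIdp, assertion);
        AuthenticatedUser legacyUser = OAuth2Util.getUserFromUserName(userId);
        legacyUser.setAuthenticatedSubjectIdentifier(userId);
        legacyUser.setFederatedUser(true);
        legacyUser.setFederatedIdPName(issuingIdp.getIdentityProviderName());
        oAuthTokenReqMessageContext.setAuthorizedUser(legacyUser);
    }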

    /**
     * Verifies the assertion's XML signature against the certificate from the dedicated
     * SAML signing keystore. Only cryptographic validation happens here; the signature
     * profile check (SAMLSignatureProfileValidator is imported by this file) is expected
     * to run elsewhere — confirm in the caller.
     *
     * @param assertion the bearer assertion; its Signature element is passed to the validator as-is
     * @throws IdentityOAuth2Exception when the keystore cannot be read or the signature does not verify
     */
    protected void validateSignatureAgainstSAMLSignKeyStoreCertificate(Assertion assertion) throws IdentityOAuth2Exception {
        X509Certificate signingCertificate = getCertificateFromSAMLSignKeyStore();
        try {
            SignatureValidator.validate(assertion.getSignature(), new X509CredentialImpl(signingCertificate));
        } catch (SignatureException e) {
            String issuer = assertion.getIssuer().getValue();
            if (StringUtils.isEmpty(issuer)) {
                throw new IdentityOAuth2Exception("Error while validating the signature from SAML sign keystore, SAML Token Issuer is null.", (Throwable) e);
            }
            throw new IdentityOAuth2Exception("Error while validating the signature from SAML sign keystore for SAML Token Issuer: " + issuer, (Throwable) e);
        }
    }

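    /**
     * Loads the X.509 certificate under the configured alias from the dedicated SAML
     * signing keystore (location, type, password and alias come from server configuration).
     *
     * @return the certificate for the configured alias, never {@code null}
     * @throws IdentityOAuth2Exception when the keystore file is missing or unreadable, cannot be
     *                                 loaded, or holds no X.509 certificate under the alias
     */
    private X509Certificate getCertificateFromSAMLSignKeyStore() throws IdentityOAuth2Exception {
        if (log.isDebugEnabled()) {
            log.debug("Getting the certificate from separate SAMLSignKeyStore.");
        }
        ServerConfiguration serverConfig = ServerConfiguration.getInstance();
        String keyStoreLocation = serverConfig.getFirstProperty(SECURITY_SAML_SIGN_KEY_STORE_LOCATION);
        String keyAlias = serverConfig.getFirstProperty(SECURITY_SAML_SIGN_KEY_STORE_KEY_ALIAS);
        // try-with-resources replaces the decompiled manual close/addSuppressed dance.
        try (FileInputStream keyStoreStream = new FileInputStream(keyStoreLocation)) {
            KeyStore keyStore = KeyStore.getInstance(serverConfig.getFirstProperty(SECURITY_SAML_SIGN_KEY_STORE_TYPE));
            keyStore.load(keyStoreStream, serverConfig.getFirstProperty(SECURITY_SAML_SIGN_KEY_STORE_PASSWORD).toCharArray());
            java.security.cert.Certificate certificate = keyStore.getCertificate(keyAlias);
            // KeyStore.getCertificate returns null for an unknown alias; the original would have
            // handed that null to the signature validator instead of failing here.
            if (!(certificate instanceof X509Certificate)) {
                throw new IdentityOAuth2Exception("No X.509 certificate found in SAML sign keystore for alias: " + keyAlias);
            }
            return (X509Certificate) certificate;
        } catch (FileNotFoundException e) {
            throw new IdentityOAuth2Exception("Unable to locate SAML sign keystore.", e);
        } catch (IOException e2) {
            throw new IdentityOAuth2Exception("Unable to read SAML sign keystore.", e2);
        } catch (KeyStoreException e3) {
            throw new IdentityOAuth2Exception("Unable to load SAML sign keystore.", e3);
        } catch (NoSuchAlgorithmException e4) {
            throw new IdentityOAuth2Exception("Unable to load algorithm.", e4);
        } catch (CertificateException e5) {
            throw new IdentityOAuth2Exception("Unable to read certificate from SAML sign keystore.", e5);
        }
    }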

    /**
     * Reports whether all five SAML signing keystore settings (location, type, store
     * password, key alias, key password) are present and non-blank in server configuration.
     *
     * @return {@code true} only when every setting is non-blank
     */
    private boolean isSAMLSignKeyStoreConfigured() {
        ServerConfiguration serverConfig = ServerConfiguration.getInstance();
        String[] requiredProperties = {
                SECURITY_SAML_SIGN_KEY_STORE_LOCATION,
                SECURITY_SAML_SIGN_KEY_STORE_TYPE,
                SECURITY_SAML_SIGN_KEY_STORE_PASSWORD,
                SECURITY_SAML_SIGN_KEY_STORE_KEY_ALIAS,
                SECURITY_SAML_SIGN_KEY_STORE_KEY_PASSWORD
        };
        for (String propertyName : requiredProperties) {
            if (StringUtils.isBlank(serverConfig.getFirstProperty(propertyName))) {
                return false;
            }
        }
        return true;
    }

    /**
     * Applies the identity provider's role mapping to the role claim in {@code map}
     * (keyed by {@code str}). A mapped value replaces the original; when mapping yields
     * {@code null} the role claim is removed, and if that empties the map an empty
     * attribute map is cached for the token.
     *
     * @param oAuthTokenReqMessageContext token request context, forwarded to the cache helper
     * @param oAuth2AccessTokenRespDTO    token response, forwarded to the cache helper
     * @param identityProvider            provider whose role mapping is applied
     * @param map                         mutable claim map; nothing happens when null or the role claim is blank
     * @param str                         the role claim URI used as the map key
     */
    private void handleIdPRoleMapping(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, OAuth2AccessTokenRespDTO oAuth2AccessTokenRespDTO, IdentityProvider identityProvider, Map<String, String> map, String str) {
        if (map == null) {
            return;
        }
        String roleClaimValue = map.get(str);
        if (StringUtils.isBlank(roleClaimValue)) {
            return;
        }
        String mappedRoles = getUpdatedRoleClaimValue(identityProvider, roleClaimValue);
        if (mappedRoles != null) {
            map.put(str, mappedRoles);
            return;
        }
        // No local roles mapped: drop the claim rather than pass through unmapped IdP roles.
        map.remove(str);
        if (map.isEmpty()) {
            addUserAttributesToCache(oAuth2AccessTokenRespDTO, oAuthTokenReqMessageContext, new HashMap());
        }
    }
}
