package org.wso2.carbon.identity.oauth2.token.handlers.grant;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.exception.ExceptionUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.identity.application.authentication.framework.AuthenticationDataPublisher;
import org.wso2.carbon.identity.application.authentication.framework.config.model.ApplicationConfig;
import org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig;
import org.wso2.carbon.identity.application.authentication.framework.config.model.SequenceConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedIdPData;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.base.IdentityRuntimeException;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.multi.attribute.login.mgt.ResolvedUserResult;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.device.constants.Constants;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.registry.core.utils.UUIDGenerator;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.UserStoreClientException;
import org.wso2.carbon.user.core.common.AbstractUserStoreManager;
import org.wso2.carbon.user.core.common.AuthenticationResult;
import org.wso2.carbon.user.core.common.User;
import org.wso2.carbon.user.core.config.UserStorePreferenceOrderSupplier;
import org.wso2.carbon.user.core.model.UserMgtContext;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/handlers/grant/PasswordGrantHandler.class */
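/**
 * Grant handler for the OAuth2 resource owner password credentials ("password") grant.
 *
 * <p>On each token request it resolves the service provider for the client id, enforces that a
 * non-SaaS application only accepts resource owners from its own tenant, authenticates the resource
 * owner against the tenant's user store and, when enabled, publishes authentication success/failure
 * events. The resource owner password is passed straight to the user store and is never written to
 * the log; only usernames and tenant domains appear in debug output.
 */
public class PasswordGrantHandler extends AbstractAuthorizationGrantHandler {
    private static final Log log = LogFactory.getLog(PasswordGrantHandler.class);
    private static final String OAUTH2 = "oauth2";
    private static final String IS_INITIAL_LOGIN = "isInitialLogin";
    private static final String PASSWORD_GRANT_AUTHENTICATOR_NAME = "BASIC";
    // Identity config property; when "true", login success/failure events are published for this grant.
    private static final String PUBLISH_PASSWORD_GRANT_LOGIN = "OAuth.PublishPasswordGrantLogin";
    private static final String REMOTE_IP_ADDRESS = "remote-ip-address";

    /**
     * Whether a refresh token is issued with the access token.
     *
     * @return the server-wide "password" grant refresh-token setting
     * @throws IdentityOAuth2Exception declared by the parent contract
     */
    @Override
    public boolean issueRefreshToken() throws IdentityOAuth2Exception {
        return OAuthServerConfiguration.getInstance().getValueForIsRefreshTokenAllowed("password");
    }

    /**
     * Validates the password grant: parent checks, service provider lookup, tenant check and
     * credential verification, in that order. On success the authenticated user and requested
     * scope are stored in the message context.
     *
     * @param oAuthTokenReqMessageContext token request context; updated with the authorized user and scope
     * @return {@code true} when the grant is valid (every failure is signalled by an exception)
     * @throws IdentityOAuth2Exception when the application is unknown, the tenant check fails or
     *                                 authentication fails
     */
    @Override
    public boolean validateGrant(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        super.validateGrant(oAuthTokenReqMessageContext);
        OAuth2AccessTokenReqDTO oauth2AccessTokenReqDTO = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO();
        ServiceProvider serviceProvider = getServiceProvider(oauth2AccessTokenReqDTO);
        // Tenant check runs before any credential is sent to a user store.
        validateUserTenant(oauth2AccessTokenReqDTO, serviceProvider);
        AuthenticatedUser authenticatedUser = validateUserCredentials(oauth2AccessTokenReqDTO, serviceProvider);
        setPropertiesForTokenGeneration(oAuthTokenReqMessageContext, oauth2AccessTokenReqDTO, authenticatedUser);
        return true;
    }

    /**
     * Copies the authenticated user and the requested scope into the message context so the
     * token issuer can use them.
     */
    private void setPropertiesForTokenGeneration(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO, AuthenticatedUser authenticatedUser) {
        oAuthTokenReqMessageContext.setAuthorizedUser(authenticatedUser);
        oAuthTokenReqMessageContext.setScope(oAuth2AccessTokenReqDTO.getScope());
    }

    /**
     * Ensures the resource owner belongs to the application's tenant unless the application is a
     * SaaS application. With tenant-qualified URLs enabled the username in the request DTO is first
     * rewritten to its fully qualified form (see
     * {@link #getFullQualifiedUsernameWhenTenantQualifiedUrlEnabled}).
     *
     * @param oAuth2AccessTokenReqDTO token request; its resource owner username may be rewritten
     * @param serviceProvider         application the token is requested for
     * @return {@code true} when the user may access the application
     * @throws IdentityOAuth2Exception when a non-SaaS application is accessed from another tenant
     */
    private boolean validateUserTenant(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO, ServiceProvider serviceProvider) throws IdentityOAuth2Exception {
        String userTenantDomain = null;
        if (IdentityTenantUtil.isTenantQualifiedUrlsEnabled()) {
            String fullQualifiedUsername = getFullQualifiedUsernameWhenTenantQualifiedUrlEnabled(oAuth2AccessTokenReqDTO, serviceProvider);
            userTenantDomain = MultitenantUtils.getTenantDomain(fullQualifiedUsername);
            oAuth2AccessTokenReqDTO.setResourceOwnerUsername(fullQualifiedUsername);
        }
        if (StringUtils.isBlank(userTenantDomain)) {
            userTenantDomain = MultitenantUtils.getTenantDomain(oAuth2AccessTokenReqDTO.getResourceOwnerUsername());
        }
        // SaaS applications accept users from any tenant; everyone else must match the app tenant.
        if (serviceProvider.isSaasApp() || userTenantDomain.equals(oAuth2AccessTokenReqDTO.getTenantDomain())) {
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug("Non-SaaS service provider. Application tenantDomain(" + oAuth2AccessTokenReqDTO.getTenantDomain() + ") != User tenant domain(" + userTenantDomain + ")");
        }
        throw new IdentityOAuth2Exception("Users in the tenant domain : " + userTenantDomain + " do not have access to application " + serviceProvider.getApplicationName());
    }

    /**
     * Derives the fully qualified resource owner username when tenant-qualified URLs are enabled.
     *
     * <ul>
     *   <li>Non-SaaS application: the tenant domain from the request context is appended.</li>
     *   <li>SaaS application with legacy SaaS authentication enabled: the username is returned as given.</li>
     *   <li>SaaS application otherwise: with email usernames, a username whose tenant part resolves to
     *       the super tenant but does not literally end with it gets the context tenant appended;
     *       anything else is returned as given.</li>
     * </ul>
     *
     * @return the username to authenticate and to store back in the request DTO
     */
    private String getFullQualifiedUsernameWhenTenantQualifiedUrlEnabled(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO, ServiceProvider serviceProvider) {
        boolean isEmailUserName = MultitenantUtils.isEmailUserName();
        boolean isSaasApp = serviceProvider.isSaasApp();
        boolean isLegacySaaSAuthenticationEnabled = IdentityTenantUtil.isLegacySaaSAuthenticationEnabled();
        String resourceOwnerUsername = oAuth2AccessTokenReqDTO.getResourceOwnerUsername();
        String tenantDomainFromContext = IdentityTenantUtil.getTenantDomainFromContext();
        if (!isSaasApp) {
            return UserCoreUtil.addTenantDomainToEntry(resourceOwnerUsername, tenantDomainFromContext);
        }
        if (isLegacySaaSAuthenticationEnabled) {
            return resourceOwnerUsername;
        }
        // An email username ending in a super-tenant-looking domain would otherwise be mis-read as
        // "user@carbon.super"; qualify it with the context tenant instead.
        boolean emailUserOfSuperTenant = isEmailUserName
                && StringUtils.equalsIgnoreCase(MultitenantUtils.getTenantDomain(resourceOwnerUsername), "carbon.super")
                && !resourceOwnerUsername.endsWith("carbon.super");
        return emailUserOfSuperTenant
                ? UserCoreUtil.addTenantDomainToEntry(resourceOwnerUsername, tenantDomainFromContext)
                : resourceOwnerUsername;
    }

    /**
     * Looks up the service provider registered for the client id in the request tenant.
     *
     * @throws IdentityOAuth2Exception when no application exists for the client id or the lookup fails
     */
    private ServiceProvider getServiceProvider(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO) throws IdentityOAuth2Exception {
        try {
            ServiceProvider serviceProvider = OAuth2ServiceComponentHolder.getApplicationMgtService().getServiceProviderByClientId(oAuth2AccessTokenReqDTO.getClientId(), OAUTH2, oAuth2AccessTokenReqDTO.getTenantDomain());
            if (serviceProvider == null) {
                if (log.isDebugEnabled()) {
                    log.debug("Could not find an application for client id: " + oAuth2AccessTokenReqDTO.getClientId() + ", scope: oauth2, tenant: " + oAuth2AccessTokenReqDTO.getTenantDomain());
                }
                throw new IdentityOAuth2Exception("Service Provider not found");
            }
            if (log.isDebugEnabled()) {
                log.debug("Retrieved service provider: " + serviceProvider.getApplicationName() + " for client: " + oAuth2AccessTokenReqDTO.getClientId() + ", scope: oauth2, tenant: " + oAuth2AccessTokenReqDTO.getTenantDomain());
            }
            return serviceProvider;
        } catch (IdentityApplicationManagementException e) {
            throw new IdentityOAuth2Exception("Error occurred while retrieving OAuth2 application data for client id " + oAuth2AccessTokenReqDTO.getClientId(), e);
        }
    }

    /**
     * Authenticates the resource owner against the tenant user store.
     *
     * <p>If a user store preference order is configured for the application it is installed in a
     * thread local for the duration of the call and always removed in {@code finally}. Multi-attribute
     * login is consulted first; when it resolves the login identifier to a user, authentication is
     * done by user id and the request DTO's username is rewritten to the resolved username. The
     * failure message is the same whether the user does not exist or the password is wrong, and the
     * password itself is never logged.
     *
     * @param oAuth2AccessTokenReqDTO token request carrying username and password; the username may be rewritten
     * @param serviceProvider         application the token is requested for
     * @return the authenticated user
     * @throws IdentityOAuth2Exception when authentication fails or the user store reports an error;
     *                                 user store error codes, when present, are prefixed to the message
     */
    private AuthenticatedUser validateUserCredentials(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO, ServiceProvider serviceProvider) throws IdentityOAuth2Exception {
        boolean publishLoginEvents = Boolean.parseBoolean(IdentityUtil.getProperty(PUBLISH_PASSWORD_GRANT_LOGIN));
        try {
            UserStorePreferenceOrderSupplier userStorePreferenceOrderSupplier = FrameworkUtils.getUserStorePreferenceOrderSupplier((AuthenticationContext) null, serviceProvider);
            UserMgtContext userMgtContext = new UserMgtContext();
            userMgtContext.setUserStorePreferenceOrderSupplier(userStorePreferenceOrderSupplier);
            if (userStorePreferenceOrderSupplier != null) {
                UserCoreUtil.setUserMgtContextInThreadLocal(userMgtContext);
                if (log.isDebugEnabled()) {
                    log.debug("UserMgtContext had been set as the thread local.");
                }
            }
            AbstractUserStoreManager userStoreManager = getUserStoreManager(oAuth2AccessTokenReqDTO);
            String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(oAuth2AccessTokenReqDTO.getResourceOwnerUsername());
            String tenantDomain = MultitenantUtils.getTenantDomain(oAuth2AccessTokenReqDTO.getResourceOwnerUsername());
            ResolvedUserResult resolvedUser = FrameworkUtils.processMultiAttributeLoginIdentification(tenantAwareUsername, tenantDomain);
            String resolvedUserId = null;
            if (resolvedUser != null && ResolvedUserResult.UserResolvedStatus.SUCCESS.equals(resolvedUser.getResolvedStatus())) {
                tenantAwareUsername = resolvedUser.getUser().getUsername();
                resolvedUserId = resolvedUser.getUser().getUserID();
                oAuth2AccessTokenReqDTO.setResourceOwnerUsername(tenantAwareUsername + "@" + tenantDomain);
            }
            // Resolved users are authenticated by id; otherwise by the username claim in the default profile.
            AuthenticationResult authenticationResult = resolvedUserId != null
                    ? userStoreManager.authenticateWithID(resolvedUserId, oAuth2AccessTokenReqDTO.getResourceOwnerPassword())
                    : userStoreManager.authenticateWithID("http://wso2.org/claims/username", tenantAwareUsername, oAuth2AccessTokenReqDTO.getResourceOwnerPassword(), "default");
            boolean authenticated = AuthenticationResult.AuthenticationStatus.SUCCESS == authenticationResult.getAuthenticationStatus()
                    && authenticationResult.getAuthenticatedUser().isPresent();
            if (log.isDebugEnabled()) {
                log.debug("user " + oAuth2AccessTokenReqDTO.getResourceOwnerUsername() + " authenticated: " + authenticated);
            }
            if (authenticated) {
                AuthenticatedUser authenticatedUser = new AuthenticatedUser((User) authenticationResult.getAuthenticatedUser().get());
                if (publishLoginEvents) {
                    publishAuthenticationData(oAuth2AccessTokenReqDTO, true, serviceProvider, authenticatedUser);
                }
                return authenticatedUser;
            }
            if (publishLoginEvents) {
                publishAuthenticationData(oAuth2AccessTokenReqDTO, false, serviceProvider);
            }
            if ("carbon.super".equalsIgnoreCase(MultitenantUtils.getTenantDomain(oAuth2AccessTokenReqDTO.getResourceOwnerUsername()))) {
                throw new IdentityOAuth2Exception("Authentication failed for " + tenantAwareUsername);
            }
            String failedUsername = oAuth2AccessTokenReqDTO.getResourceOwnerUsername();
            if (IdentityTenantUtil.isTenantQualifiedUrlsEnabled()) {
                failedUsername = tenantAwareUsername;
            }
            throw new IdentityOAuth2Exception("Authentication failed for " + failedUsername);
        } catch (UserStoreClientException e) {
            // Client-side user store errors carry an error code that callers rely on; keep it in the message.
            if (publishLoginEvents) {
                publishAuthenticationData(oAuth2AccessTokenReqDTO, false, serviceProvider);
            }
            String message = e.getMessage();
            if (StringUtils.isNotBlank(e.getErrorCode())) {
                message = e.getErrorCode() + Constants.SEPARATED_WITH_SPACE + e.getMessage();
            }
            throw new IdentityOAuth2Exception(message, e);
        } catch (UserStoreException e) {
            if (publishLoginEvents) {
                publishAuthenticationData(oAuth2AccessTokenReqDTO, false, serviceProvider);
            }
            String message = e.getMessage();
            // A client error wrapped deeper in the chain is surfaced with its own code and message.
            Throwable rootCause = ExceptionUtils.getRootCause(e);
            if (rootCause instanceof UserStoreClientException) {
                UserStoreClientException clientCause = (UserStoreClientException) rootCause;
                message = clientCause.getMessage();
                String errorCode = clientCause.getErrorCode();
                if (StringUtils.isNotBlank(errorCode)) {
                    message = errorCode + Constants.SEPARATED_WITH_SPACE + message;
                }
            }
            if (e.getCause() instanceof IdentityException) {
                IdentityException cause = (IdentityException) e.getCause();
                if (StringUtils.isNotBlank(cause.getErrorCode())) {
                    message = cause.getErrorCode() + Constants.SEPARATED_WITH_SPACE + e.getMessage();
                }
            }
            throw new IdentityOAuth2Exception(message, e);
        } finally {
            // Always clear the thread local so a preference order never leaks into later requests on this thread.
            UserCoreUtil.removeUserMgtContextInThreadLocal();
            if (log.isDebugEnabled()) {
                log.debug("UserMgtContext had been remove from the thread local.");
            }
        }
    }

    /**
     * Publishes a login event for a user built from the request username (used for failures, where
     * no authenticated user object exists).
     *
     * @param z {@code true} for a success event, {@code false} for a failure event
     */
    protected void publishAuthenticationData(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO, boolean z, ServiceProvider serviceProvider) {
        publishAuthenticationData(oAuth2AccessTokenReqDTO, z, serviceProvider, getAuthenticatedUser(oAuth2AccessTokenReqDTO, serviceProvider));
    }

    /**
     * Publishes step and overall authentication success/failure events through the authentication
     * data publisher proxy, if one is registered and enabled for the synthesized context.
     *
     * @param z                 {@code true} for a success event, {@code false} for a failure event
     * @param authenticatedUser user the event refers to
     */
    protected void publishAuthenticationData(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO, boolean z, ServiceProvider serviceProvider, AuthenticatedUser authenticatedUser) {
        AuthenticationContext authenticationContext = initializeAuthContext(authenticatedUser, serviceProvider);
        AuthenticationDataPublisher publisherProxy = OAuth2ServiceComponentHolder.getAuthenticationDataPublisherProxy();
        if (publisherProxy == null || !publisherProxy.isEnabled(authenticationContext)) {
            return;
        }
        Map<String, Object> eventParams = new HashMap<>();
        eventParams.put("user", authenticatedUser);
        // NOTE(review): the client IP comes from IdentityUtil's request handling; if it honours
        // forwarding headers, the value is only as trustworthy as the proxy configuration — confirm.
        eventParams.put(REMOTE_IP_ADDRESS, IdentityUtil.getClientIpAddress(oAuth2AccessTokenReqDTO.getHttpServletRequestWrapper()));
        Map<String, Object> params = Collections.unmodifiableMap(eventParams);
        if (z) {
            publisherProxy.publishAuthenticationStepSuccess((HttpServletRequest) null, authenticationContext, params);
            publisherProxy.publishAuthenticationSuccess((HttpServletRequest) null, authenticationContext, params);
        } else {
            publisherProxy.publishAuthenticationStepFailure((HttpServletRequest) null, authenticationContext, params);
            publisherProxy.publishAuthenticationFailure((HttpServletRequest) null, authenticationContext, params);
        }
    }

    /**
     * Builds a minimal {@link AuthenticationContext} describing a single-step local BASIC
     * authentication, so the password grant can be reported through the same publishers as
     * browser-based logins.
     */
    private AuthenticationContext initializeAuthContext(AuthenticatedUser authenticatedUser, ServiceProvider serviceProvider) {
        AuthenticationContext authenticationContext = new AuthenticationContext();
        authenticationContext.setContextIdentifier(UUIDGenerator.generateUUID());
        authenticationContext.setTenantDomain(authenticatedUser.getTenantDomain());
        authenticationContext.setRequestType(OAUTH2);
        authenticationContext.setRememberMe(false);
        authenticationContext.setForceAuthenticate(true);
        authenticationContext.setPassiveAuthenticate(false);
        authenticationContext.setProperty(IS_INITIAL_LOGIN, true);
        SequenceConfig sequenceConfig = new SequenceConfig();
        sequenceConfig.setAuthenticatedUser(authenticatedUser);
        sequenceConfig.setApplicationConfig(new ApplicationConfig(serviceProvider));
        sequenceConfig.setAuthenticatedIdPs("LOCAL");
        authenticationContext.setSequenceConfig(sequenceConfig);
        AuthenticatedIdPData authenticatedIdPData = new AuthenticatedIdPData();
        authenticatedIdPData.setUser(authenticatedUser);
        authenticatedIdPData.setIdpName("LOCAL");
        AuthenticatorConfig authenticatorConfig = new AuthenticatorConfig();
        authenticatorConfig.setName(PASSWORD_GRANT_AUTHENTICATOR_NAME);
        authenticatedIdPData.addAuthenticator(authenticatorConfig);
        authenticationContext.getCurrentAuthenticatedIdPs().put("LOCAL", authenticatedIdPData);
        authenticationContext.setServiceProviderName(sequenceConfig.getApplicationConfig().getApplicationName());
        return authenticationContext;
    }

    /**
     * Returns the user store manager of the resource owner's tenant.
     *
     * @throws IdentityOAuth2Exception when the tenant is unknown or the realm cannot be loaded
     */
    private AbstractUserStoreManager getUserStoreManager(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO) throws IdentityOAuth2Exception {
        int tenantId = getTenantId(oAuth2AccessTokenReqDTO);
        try {
            AbstractUserStoreManager userStoreManager = OAuthComponentServiceHolder.getInstance().getRealmService().getTenantUserRealm(tenantId).getUserStoreManager();
            if (log.isDebugEnabled()) {
                log.debug("Retrieved user store manager for tenant id: " + tenantId);
            }
            return userStoreManager;
        } catch (UserStoreException e) {
            throw new IdentityOAuth2Exception(e.getMessage(), e);
        }
    }

    /**
     * Resolves the tenant id from the tenant domain part of the resource owner username.
     *
     * @throws IdentityOAuth2Exception when the tenant domain does not exist
     */
    private int getTenantId(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO) throws IdentityOAuth2Exception {
        String tenantDomain = MultitenantUtils.getTenantDomain(oAuth2AccessTokenReqDTO.getResourceOwnerUsername());
        try {
            int tenantId = IdentityTenantUtil.getTenantId(tenantDomain);
            if (log.isDebugEnabled()) {
                log.debug("Retrieved tenant id: " + tenantId + " for tenant domain: " + tenantDomain);
            }
            return tenantId;
        } catch (IdentityRuntimeException e) {
            log.error("Token request with Password Grant Type for an invalid tenant : " + tenantDomain);
            throw new IdentityOAuth2Exception(e.getMessage(), e);
        }
    }

    /**
     * Builds an {@link AuthenticatedUser} from the request username alone (no user store lookup),
     * with the subject identifier set for the given application.
     */
    private AuthenticatedUser getAuthenticatedUser(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO, ServiceProvider serviceProvider) {
        AuthenticatedUser user = OAuth2Util.getUserFromUserName(getFullQualifiedUsername(oAuth2AccessTokenReqDTO));
        user.setAuthenticatedSubjectIdentifier(user.getUserName(), serviceProvider);
        if (log.isDebugEnabled()) {
            log.debug("Token request with password grant type from user: " + user);
        }
        return user;
    }

    /**
     * Returns {@code tenantAwareUsername@tenantDomain}, prefixed with the thread-local user store
     * domain when the username carries no domain and a thread-local domain is set.
     */
    private String getFullQualifiedUsername(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO) {
        String qualifiedUsername = MultitenantUtils.getTenantAwareUsername(oAuth2AccessTokenReqDTO.getResourceOwnerUsername())
                + "@" + MultitenantUtils.getTenantDomain(oAuth2AccessTokenReqDTO.getResourceOwnerUsername());
        String threadLocalDomain = UserCoreUtil.getDomainFromThreadLocal();
        if (qualifiedUsername.contains(CarbonConstants.DOMAIN_SEPARATOR) || StringUtils.isBlank(threadLocalDomain)) {
            return qualifiedUsername;
        }
        if (log.isDebugEnabled()) {
            log.debug("User store domain is not found in username. Adding domain: " + threadLocalDomain);
        }
        return threadLocalDomain + CarbonConstants.DOMAIN_SEPARATOR + qualifiedUsername;
    }
}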
