package org.wso2.carbon.identity.openidconnect;

import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import net.minidev.json.JSONObject;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentServiceException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.claim.metadata.mgt.exception.ClaimMetadataException;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.dto.ScopeDTO;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.openidconnect.internal.OpenIDConnectServiceComponentHolder;
import org.wso2.carbon.identity.openidconnect.model.Constants;
import org.wso2.carbon.identity.openidconnect.model.RequestedClaim;
import org.wso2.carbon.registry.api.RegistryException;
import org.wso2.carbon.registry.core.Resource;
import org.wso2.carbon.registry.core.service.RegistryService;
import org.wso2.carbon.user.core.util.UserCoreUtil;

/* loaded from: input_file:org/wso2/carbon/identity/openidconnect/OpenIDConnectClaimFilterImpl.class */
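/**
 * Default {@link OpenIDConnectClaimFilter}: decides which user claims may be released to an OIDC client.
 *
 * <p>Three independent filters are offered: by the OIDC scopes the client requested (tenant-specific
 * scope-to-claim mappings), by the consent the user has given to the service provider, and by the
 * essential claims the client asked for. Each filter returns a new map unless the Javadoc of the
 * method says otherwise. The scope filter additionally folds {@code address.*} sub-claims into a
 * single nested {@code address} JSON object and normalises the {@code roles}, {@code updated_at},
 * {@code phone_number_verified} and {@code email_verified} values.</p>
 *
 * <p>Because this class is part of the attribute-release decision, the fail-open paths are marked
 * with {@code NOTE(review)} comments rather than silently changed.</p>
 */
public class OpenIDConnectClaimFilterImpl implements OpenIDConnectClaimFilter {

    private static final String ADDRESS_PREFIX = "address.";
    private static final String ADDRESS_SCOPE = "address";
    private static final String OIDC_DIALECT = "http://wso2.org/oidc/claim";
    private static final Log log = LogFactory.getLog(OpenIDConnectClaimFilterImpl.class);
    private static final int DEFAULT_PRIORITY = 100;

    // Claim names whose values are post-processed after scope filtering.
    private static final String UPDATED_AT = "updated_at";
    private static final String PHONE_NUMBER_VERIFIED = "phone_number_verified";
    private static final String EMAIL_VERIFIED = "email_verified";
    private static final String ROLES = "roles";
    // User-store domain whose prefix is stripped from role names.
    private static final String INTERNAL_DOMAIN = "Internal";
    // Registry path of the legacy OIDC scope resource (only used by getOIDCScopeProperties).
    private static final String OIDC_SCOPE_RESOURCE_PATH = "/oidc";
    // Date layout accepted for a textual updated_at value.
    private static final String UPDATED_AT_DATE_PATTERN = "yyyy-MM-dd'T'HH:mm:ss";

    /**
     * Keeps only the claims permitted by the requested OIDC scopes of the tenant, then normalises the
     * well-known claim values (roles, updated_at, phone_number_verified, email_verified).
     *
     * @param userClaims      OIDC claim URI → value, as resolved for the user; never modified
     * @param requestedScopes scopes requested by the client; unknown scopes are ignored; {@code null}
     *                        is treated as "no scopes"
     * @param clientId        client id of the requesting application; not consulted by this filter
     * @param spTenantDomain  tenant whose scope-to-claim mappings apply
     * @return a new map with the permitted claims; empty when there are no user claims or no scopes
     *         are defined for the tenant
     */
    @Override
    public Map<String, Object> getClaimsFilteredByOIDCScopes(Map<String, Object> userClaims, String[] requestedScopes,
                                                             String clientId, String spTenantDomain) {
        if (MapUtils.isEmpty(userClaims)) {
            logDebugForEmptyUserClaims();
            return new HashMap<>();
        }
        Map<String, Object> filteredClaims = new HashMap<>();
        // Sub-claims of "address" are collected separately and folded into one JSON object below.
        Map<String, Object> addressSubClaims = new HashMap<>();
        Map<String, List<String>> scopeClaimMap = getOIDCScopeClaimMap(spTenantDomain);
        if (MapUtils.isEmpty(scopeClaimMap)) {
            if (log.isDebugEnabled()) {
                log.debug("No OIDC scopes defined for tenantDomain: " + spTenantDomain + ". Cannot proceed with filtering user claims therefore returning an empty claim map.");
            }
        } else if (requestedScopes != null) {
            List<String> addressScopeClaimUris = getAddressScopeClaimUris(scopeClaimMap);
            for (String scope : requestedScopes) {
                if (scopeClaimMap.containsKey(scope)) {
                    if (log.isDebugEnabled()) {
                        log.debug("Requested scope: " + scope + " is a defined OIDC Scope in tenantDomain: " + spTenantDomain + ". Filtering claims based on the permitted claims in the scope.");
                    }
                    filteredClaims.putAll(handleRequestedOIDCScope(userClaims, addressSubClaims, scopeClaimMap,
                            addressScopeClaimUris, scope));
                } else if (log.isDebugEnabled()) {
                    log.debug("Requested scope: " + scope + " is not a defined OIDC Scope in tenantDomain: " + spTenantDomain + Constants.FULL_STOP_DELIMITER);
                }
            }
        }
        handleAddressClaim(filteredClaims, addressSubClaims);
        handleRolesClaim(filteredClaims);
        handleUpdateAtClaim(filteredClaims);
        handlePhoneNumberVerifiedClaim(filteredClaims);
        handleEmailVerifiedClaim(filteredClaims);
        return filteredClaims;
    }

    /**
     * Lists the claim URIs permitted by the given scopes in the tenant, without looking at user values.
     *
     * @param requestedScopes scopes requested by the client; unknown scopes are ignored; {@code null}
     *                        is treated as "no scopes"
     * @param spTenantDomain  tenant whose scope-to-claim mappings apply
     * @return the claim URIs of every known requested scope, in scope order, possibly with duplicates
     *         when scopes overlap; empty when no scopes are defined for the tenant
     */
    @Override
    public List<String> getClaimsFilteredByOIDCScopes(Set<String> requestedScopes, String spTenantDomain) {
        List<String> claimUris = new ArrayList<>();
        Map<String, List<String>> scopeClaimMap = getOIDCScopeClaimMap(spTenantDomain);
        if (MapUtils.isEmpty(scopeClaimMap)) {
            if (log.isDebugEnabled()) {
                log.debug("No OIDC scopes defined for tenantDomain: " + spTenantDomain + ". Cannot proceed with getting claims for the requested scopes. Therefore returning an empty claim list.");
            }
            return claimUris;
        }
        if (requestedScopes == null) {
            return claimUris;
        }
        for (String scope : requestedScopes) {
            if (scopeClaimMap.containsKey(scope)) {
                if (log.isDebugEnabled()) {
                    log.debug("Requested scope: " + scope + " is a defined OIDC Scope in tenantDomain: " + spTenantDomain + ". Filtering claims based on the permitted claims in the scope.");
                }
                claimUris.addAll(getClaimUrisInSupportedOIDCScope(scopeClaimMap, scope));
            } else if (log.isDebugEnabled()) {
                log.debug("Requested scope: " + scope + " is not a defined OIDC Scope in tenantDomain: " + spTenantDomain + Constants.FULL_STOP_DELIMITER);
            }
        }
        return claimUris;
    }

    /**
     * Keeps only the claims the user has consented to release to the service provider.
     *
     * <p>When consent management is disabled for the service provider, {@code userClaims} is returned
     * as-is. Otherwise the consented local claims are translated to the OIDC dialect and the nested
     * {@code address} claim is reconciled with the consented sub-claims; that reconciliation modifies
     * {@code userClaims} in place (see {@link #handleConsentOfAddressClaim}).</p>
     *
     * @param userClaims        OIDC claim URI → value for the user; may be modified (address claim)
     * @param authenticatedUser user whose consent is looked up
     * @param clientId          client id used to resolve the service provider
     * @param spTenantDomain    tenant of the service provider
     * @return a new map holding the consented claims, or {@code userClaims} itself when consent
     *         management is disabled or the consent lookup fails
     */
    @Override
    public Map<String, Object> getClaimsFilteredByUserConsent(Map<String, Object> userClaims,
                                                              AuthenticatedUser authenticatedUser,
                                                              String clientId, String spTenantDomain) {
        if (MapUtils.isEmpty(userClaims)) {
            logDebugForEmptyUserClaims();
            return new HashMap<>();
        }
        try {
            ServiceProvider serviceProvider = OAuth2Util.getServiceProvider(clientId, spTenantDomain);
            if (isConsentManagementServiceDisabled(serviceProvider)) {
                if (log.isDebugEnabled()) {
                    log.debug("Consent Management disabled or not applicable for Service Provider: " + serviceProvider.getApplicationName() + ". Skipping filtering user claims based on consent.");
                }
                return userClaims;
            }
            List<String> consentedOidcClaimUris = getOIDCClaimURIs(
                    getUserConsentedLocalClaimURIs(authenticatedUser, serviceProvider), spTenantDomain);
            handleConsentOfAddressClaim(spTenantDomain, userClaims, consentedOidcClaimUris);
            // Plain loop instead of Collectors.toMap so that a null claim value does not raise an NPE.
            Map<String, Object> consentedClaims = new HashMap<>();
            for (Map.Entry<String, Object> claim : userClaims.entrySet()) {
                if (consentedOidcClaimUris.contains(claim.getKey())) {
                    consentedClaims.put(claim.getKey(), claim.getValue());
                }
            }
            return consentedClaims;
        } catch (IdentityOAuth2Exception | SSOConsentServiceException e) {
            // NOTE(review): this path fails open — when the service-provider or consent lookup fails,
            // the unfiltered claim map is released. Kept for compatibility with existing callers; a
            // fail-closed return (empty map) would be the safer default for an attribute-release filter.
            log.error("Error while filtering claims based on user consent for user: " + authenticatedUser.toFullQualifiedUsername() + " for client_id: " + clientId, e);
            return userClaims;
        }
    }

    /**
     * Reconciles the nested {@code address} claim with the user's consent.
     *
     * <p>Every sub-claim of the tenant's {@code address} scope that the user consented to is removed
     * from {@code consentedClaimUris} and replaced by a single {@code address} entry; sub-claims
     * without consent are removed from the JSON object stored under {@code address}. Both arguments
     * are modified in place. Nothing happens when {@code userClaims} holds no {@code JSONObject}
     * under {@code address} or the tenant defines no scopes.</p>
     *
     * @param spTenantDomain     tenant whose address scope defines the sub-claims
     * @param userClaims         claim map holding the address JSON object; modified in place
     * @param consentedClaimUris consented OIDC claim URIs; modified in place, so it must be mutable
     */
    private void handleConsentOfAddressClaim(String spTenantDomain, Map<String, Object> userClaims,
                                             List<String> consentedClaimUris) {
        Object addressValue = userClaims.get(ADDRESS_SCOPE);
        // The original cast unconditionally; a missing or non-JSON address value now leaves the map as-is.
        if (!(addressValue instanceof JSONObject)) {
            return;
        }
        Map<String, List<String>> scopeClaimMap = getOIDCScopeClaimMap(spTenantDomain);
        if (MapUtils.isEmpty(scopeClaimMap)) {
            return;
        }
        JSONObject addressClaim = (JSONObject) addressValue;
        boolean anySubClaimConsented = false;
        for (String subClaimUri : getAddressScopeClaimUris(scopeClaimMap)) {
            if (consentedClaimUris.contains(subClaimUri)) {
                anySubClaimConsented = true;
                consentedClaimUris.remove(subClaimUri);
                if (log.isDebugEnabled()) {
                    log.debug("Consent available for sub-claim: " + subClaimUri + " of address claim.");
                }
            } else if (addressClaim.containsKey(subClaimUri)) {
                // No consent for this sub-claim: drop it from the nested object.
                addressClaim.remove(subClaimUri);
            }
        }
        if (anySubClaimConsented) {
            consentedClaimUris.add(ADDRESS_SCOPE);
            userClaims.put(ADDRESS_SCOPE, addressClaim);
            if (log.isDebugEnabled()) {
                log.debug("Adding sub-claims: " + addressClaim.keySet() + " to the ID token under the address claim.");
            }
        }
    }

    /**
     * Loads the scope name → claim URIs mapping of a tenant.
     *
     * @param spTenantDomain tenant whose scopes are loaded
     * @return mapping of scope name to its claim URIs; empty when the tenant has none or loading failed
     */
    private Map<String, List<String>> getOIDCScopeClaimMap(String spTenantDomain) {
        Map<String, List<String>> scopeClaimMap = new HashMap<>();
        for (ScopeDTO scope : getOIDCScopes(IdentityTenantUtil.getTenantId(spTenantDomain))) {
            scopeClaimMap.put(scope.getName(), Arrays.asList(scope.getClaim()));
        }
        return scopeClaimMap;
    }

    /** @return {@code true} when SSO consent management is not enabled for the service provider. */
    private boolean isConsentManagementServiceDisabled(ServiceProvider serviceProvider) {
        return !OpenIDConnectServiceComponentHolder.getInstance().getSsoConsentService()
                .isSSOConsentManagementEnabled(serviceProvider);
    }

    /**
     * Looks up the local claim URIs the user has consented to release to the service provider.
     *
     * @throws SSOConsentServiceException when the consent service cannot answer
     */
    private List<String> getUserConsentedLocalClaimURIs(AuthenticatedUser authenticatedUser,
                                                        ServiceProvider serviceProvider)
            throws SSOConsentServiceException {
        return getClaimUrisWithConsent(OpenIDConnectServiceComponentHolder.getInstance().getSsoConsentService()
                .getClaimsWithConsents(serviceProvider, authenticatedUser));
    }

    /** @return the priority of this filter among registered filters ({@value #DEFAULT_PRIORITY}). */
    @Override
    public int getPriority() {
        return DEFAULT_PRIORITY;
    }

    /**
     * Keeps only the claims the client marked as essential whose value the user actually has.
     *
     * <p>A requested claim that restricts the acceptable values (via {@code values}, or the single
     * {@code value} as a fallback) is released only when the user's value is one of them.</p>
     *
     * @param userClaims      OIDC claim URI → value for the user; never modified
     * @param requestedClaims claims requested by the client; {@code null} or empty yields an empty map
     * @return a new map with the matching essential claims
     */
    @Override
    public Map<String, Object> getClaimsFilteredByEssentialClaims(Map<String, Object> userClaims,
                                                                  List<RequestedClaim> requestedClaims) {
        if (MapUtils.isEmpty(userClaims)) {
            logDebugForEmptyUserClaims();
            return new HashMap<>();
        }
        Map<String, Object> essentialClaims = new HashMap<>();
        if (CollectionUtils.isEmpty(requestedClaims)) {
            return essentialClaims;
        }
        for (RequestedClaim requestedClaim : requestedClaims) {
            String claimName = requestedClaim.getName();
            Object claimValue = userClaims.get(claimName);
            if (!requestedClaim.isEssential() || claimValue == null) {
                continue;
            }
            List<String> acceptedValues = requestedClaim.getValues();
            if (CollectionUtils.isEmpty(acceptedValues) && StringUtils.isNotEmpty(requestedClaim.getValue())) {
                acceptedValues = Collections.singletonList(requestedClaim.getValue());
            }
            // contains(Object) avoids the ClassCastException the former (String) cast raised for
            // non-string values; such a value simply does not match the accepted strings.
            if (CollectionUtils.isEmpty(acceptedValues) || acceptedValues.contains(claimValue)) {
                essentialClaims.put(claimName, claimValue);
            }
        }
        return essentialClaims;
    }

    /**
     * Reads the legacy OIDC scope resource of a tenant from the config registry as properties.
     *
     * <p>Not referenced within this class; kept for compatibility. Runs inside a tenant flow that is
     * always ended in {@code finally}.</p>
     *
     * @param spTenantDomain tenant whose registry is read
     * @return the resource's properties; empty (with an error logged) when the resource is missing or
     *         the registry cannot be reached
     */
    private Properties getOIDCScopeProperties(String spTenantDomain) {
        Resource scopeResource = null;
        int tenantId = IdentityTenantUtil.getTenantId(spTenantDomain);
        try {
            startTenantFlow(spTenantDomain, tenantId);
            RegistryService registryService = OAuth2ServiceComponentHolder.getRegistryService();
            if (registryService == null) {
                throw new RegistryException("Registry Service not set in OAuth2 Component. Component may not have initialized correctly.");
            }
            scopeResource = registryService.getConfigSystemRegistry(tenantId).get(OIDC_SCOPE_RESOURCE_PATH);
        } catch (RegistryException e) {
            log.error("Error while obtaining registry collection from registry path:" + OIDC_SCOPE_RESOURCE_PATH, e);
        } finally {
            // Pairs with startTenantFlow above on every exit path.
            PrivilegedCarbonContext.endTenantFlow();
        }
        Properties scopeProperties = new Properties();
        if (scopeResource == null) {
            log.error("OIDC scope resource cannot be found at " + OIDC_SCOPE_RESOURCE_PATH + " for tenantDomain: " + spTenantDomain);
            return scopeProperties;
        }
        for (Object propertyKey : scopeResource.getProperties().keySet()) {
            String key = String.valueOf(propertyKey);
            scopeProperties.setProperty(key, scopeResource.getProperty(key));
        }
        return scopeProperties;
    }

    /**
     * Loads the OIDC scopes of a tenant from the persistence layer.
     *
     * @param tenantId tenant id
     * @return the scopes; an empty list (with the error logged) when loading fails
     */
    private List<ScopeDTO> getOIDCScopes(int tenantId) {
        try {
            return OAuthTokenPersistenceFactory.getInstance().getScopeClaimMappingDAO().getScopes(tenantId);
        } catch (IdentityOAuth2Exception e) {
            // The cause is now logged; the original message dropped the exception.
            log.error("Error while loading oidc scopes and claims for the tenant: " + tenantId, e);
            return new ArrayList<>();
        }
    }

    /**
     * Collects the user's values for the claims of one requested scope.
     *
     * <p>Address sub-claims (by {@code address.} prefix or by membership in the address scope) are
     * stripped of the prefix and written to {@code addressSubClaims} instead of the returned map.</p>
     *
     * @param userClaims            OIDC claim URI → value for the user; never modified
     * @param addressSubClaims      receives the values of address sub-claims; modified in place
     * @param scopeClaimMap         scope name → claim URIs of the tenant
     * @param addressScopeClaimUris claim URIs of the tenant's address scope
     * @param requestedScope        the scope being processed
     * @return a new map with the non-address claims of the scope that the user has a value for
     */
    private Map<String, Object> handleRequestedOIDCScope(Map<String, Object> userClaims,
                                                         Map<String, Object> addressSubClaims,
                                                         Map<String, List<String>> scopeClaimMap,
                                                         List<String> addressScopeClaimUris,
                                                         String requestedScope) {
        Map<String, Object> claimsInScope = new HashMap<>();
        for (String claimUri : getClaimUrisInSupportedOIDCScope(scopeClaimMap, requestedScope)) {
            boolean addressClaim = isAddressClaim(claimUri, addressScopeClaimUris);
            String lookupUri = claimUri;
            if (addressClaim) {
                if (log.isDebugEnabled()) {
                    log.debug("Identified an address claim: " + claimUri + ". Removing \"address.\" prefix from the claimUri");
                }
                lookupUri = removeAddressPrefix(claimUri);
            }
            if (!userClaims.containsKey(lookupUri)) {
                if (log.isDebugEnabled()) {
                    log.debug("No valid user claim value found for the claimUri:" + lookupUri);
                }
                continue;
            }
            if (log.isDebugEnabled()) {
                log.debug("Adding claim:" + lookupUri + " into the filtered claims");
            }
            Object claimValue = userClaims.get(lookupUri);
            if (addressClaim) {
                addressSubClaims.put(lookupUri, claimValue);
            } else {
                claimsInScope.put(lookupUri, claimValue);
            }
        }
        return claimsInScope;
    }

    /**
     * Strips the {@code address.} prefix from a claim URI.
     *
     * @return the part after the last {@code address.} occurrence, or the input when it has no prefix
     */
    private String removeAddressPrefix(String claimUri) {
        if (!StringUtils.startsWith(claimUri, ADDRESS_PREFIX)) {
            return claimUri;
        }
        return StringUtils.substringAfterLast(claimUri, ADDRESS_PREFIX);
    }

    /**
     * Stores the collected address sub-claims as one JSON object under {@code address}.
     *
     * @param filteredClaims   target claim map; modified in place
     * @param addressSubClaims sub-claim name → value; nothing happens when {@code null} or empty
     */
    private void handleAddressClaim(Map<String, Object> filteredClaims, Map<String, Object> addressSubClaims) {
        if (!isNotEmpty(addressSubClaims)) {
            return;
        }
        JSONObject addressClaim = new JSONObject();
        for (Map.Entry<String, Object> subClaim : addressSubClaims.entrySet()) {
            addressClaim.put(subClaim.getKey(), subClaim.getValue());
        }
        filteredClaims.put(ADDRESS_SCOPE, addressClaim);
    }

    /** @return the claim URIs of the {@code address} scope, or an empty list when it is not defined. */
    private List<String> getAddressScopeClaimUris(Map<String, List<String>> scopeClaimMap) {
        return getClaimUrisInSupportedOIDCScope(scopeClaimMap, ADDRESS_SCOPE);
    }

    /**
     * @return {@code true} when the claim URI carries the {@code address.} prefix or belongs to the
     *         tenant's address scope
     */
    private boolean isAddressClaim(String claimUri, List<String> addressScopeClaimUris) {
        return StringUtils.startsWith(claimUri, ADDRESS_PREFIX) || addressScopeClaimUris.contains(claimUri);
    }

    /**
     * @return the claim URIs mapped to {@code scope}, or a new empty list when the scope is unknown or
     *         mapped to {@code null}
     */
    private List<String> getClaimUrisInSupportedOIDCScope(Map<String, List<String>> scopeClaimMap, String scope) {
        List<String> claimUris = scopeClaimMap.get(scope);
        return claimUris != null ? claimUris : new ArrayList<>();
    }

    /**
     * Converts a textual {@code updated_at} value (ISO-like date string or epoch milliseconds) into
     * seconds since the epoch, as the OIDC {@code updated_at} claim is expressed in seconds.
     *
     * <p>A value that is neither a date string nor a number is left untouched; the original
     * implementation let the {@link NumberFormatException} escape and abort the whole filtering.</p>
     *
     * @param claims claim map; modified in place
     */
    private void handleUpdateAtClaim(Map<String, Object> claims) {
        Object rawValue = claims.get(UPDATED_AT);
        if (!(rawValue instanceof String)) {
            return;
        }
        String updatedAt = (String) rawValue;
        long timeInMillis;
        Date parsedDate = getDateIfValidDateString(updatedAt);
        if (parsedDate != null) {
            timeInMillis = parsedDate.getTime();
        } else {
            try {
                timeInMillis = Long.parseLong(updatedAt);
            } catch (NumberFormatException e) {
                if (log.isDebugEnabled()) {
                    log.debug("The updated_at claim value: " + updatedAt + " is neither a date string nor a number. Leaving it unchanged.");
                }
                return;
            }
        }
        claims.put(UPDATED_AT, timeInMillis / 1000);
    }

    /**
     * Converts a textual {@code phone_number_verified} value to a boolean via {@link Boolean#valueOf}
     * (anything but "true", ignoring case, becomes {@code false}).
     *
     * @param claims claim map; modified in place
     */
    private void handlePhoneNumberVerifiedClaim(Map<String, Object> claims) {
        convertStringClaimToBoolean(claims, PHONE_NUMBER_VERIFIED);
    }

    /**
     * Converts a textual {@code email_verified} value to a boolean via {@link Boolean#valueOf}
     * (anything but "true", ignoring case, becomes {@code false}).
     *
     * @param claims claim map; modified in place
     */
    private void handleEmailVerifiedClaim(Map<String, Object> claims) {
        convertStringClaimToBoolean(claims, EMAIL_VERIFIED);
    }

    /** Replaces the claim's value with its {@link Boolean#valueOf} when it is a {@link String}. */
    private void convertStringClaimToBoolean(Map<String, Object> claims, String claimName) {
        Object rawValue = claims.get(claimName);
        if (rawValue instanceof String) {
            claims.put(claimName, Boolean.valueOf((String) rawValue));
        }
    }

    /**
     * Strips the {@code Internal/} user-store domain from every role in the {@code roles} claim when
     * the groups-vs-roles separation improvement is enabled.
     *
     * @param claims claim map; modified in place
     */
    private void handleRolesClaim(Map<String, Object> claims) {
        if (!claims.containsKey(ROLES) || !IdentityUtil.isGroupsVsRolesSeparationImprovementsEnabled()
                || !(claims.get(ROLES) instanceof String)) {
            return;
        }
        String separator = FrameworkUtils.getMultiAttributeSeparator();
        // NOTE(review): split() interprets the separator as a regular expression, as the original did;
        // a separator containing regex metacharacters would need Pattern.quote — confirm the configured value.
        String[] roles = claims.get(ROLES).toString().split(separator);
        for (int i = 0; i < roles.length; i++) {
            if (INTERNAL_DOMAIN.equalsIgnoreCase(IdentityUtil.extractDomainFromName(roles[i]))) {
                roles[i] = UserCoreUtil.removeDomainFromName(roles[i]);
            }
        }
        claims.put(ROLES, StringUtils.join(roles, separator));
    }

    /** Starts a Carbon tenant flow for the tenant; the caller must end it with {@code endTenantFlow}. */
    private void startTenantFlow(String tenantDomain, int tenantId) {
        PrivilegedCarbonContext.startTenantFlow();
        PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
        carbonContext.setTenantId(tenantId);
        carbonContext.setTenantDomain(tenantDomain);
    }

    /** @return {@code true} when the map is neither {@code null} nor empty. */
    private boolean isNotEmpty(Map<String, Object> map) {
        return map != null && !map.isEmpty();
    }

    /** @return {@code true} when the properties are neither {@code null} nor empty. Not referenced within this class. */
    private boolean isNotEmpty(Properties properties) {
        return properties != null && !properties.isEmpty();
    }

    /**
     * Parses a {@code yyyy-MM-dd'T'HH:mm:ss} string in the JVM default time zone.
     *
     * @param dateString candidate date string; must not be {@code null}
     * @return the parsed date, or {@code null} when the string does not match the pattern
     */
    private Date getDateIfValidDateString(String dateString) {
        try {
            // A new formatter per call: SimpleDateFormat is not thread-safe.
            return new SimpleDateFormat(UPDATED_AT_DATE_PATTERN).parse(dateString);
        } catch (ParseException e) {
            if (log.isDebugEnabled()) {
                log.debug("The given date string: " + dateString + " is not in correct date time format.");
            }
            return null;
        }
    }

    /**
     * Translates local claim URIs to the OIDC dialect of the tenant.
     *
     * @param localClaimUris local claim URIs to translate
     * @param spTenantDomain tenant whose external claim mappings are used
     * @return a new, mutable list of the OIDC claim URIs mapped to the given local claims; empty (with
     *         the error logged) when the claim metadata cannot be read
     */
    private List<String> getOIDCClaimURIs(List<String> localClaimUris, String spTenantDomain) {
        try {
            return OpenIDConnectServiceComponentHolder.getInstance().getClaimMetadataManagementService()
                    .getExternalClaims(OIDC_DIALECT, spTenantDomain).stream()
                    .filter(externalClaim -> localClaimUris.contains(externalClaim.getMappedLocalClaim()))
                    .map(externalClaim -> externalClaim.getClaimURI())
                    .collect(Collectors.toList());
        } catch (ClaimMetadataException e) {
            // An empty result means no claim passes the consent filter, so the failure is worth an error log.
            log.error("Error while trying to convert user consented claims to OIDC dialect in tenantDomain: " + spTenantDomain, e);
            return new ArrayList<>();
        }
    }

    /** @return the claim URIs of the given consent records, in order. */
    private List<String> getClaimUrisWithConsent(List<ClaimMetaData> claimsWithConsent) {
        return claimsWithConsent.stream()
                .map(claimMetaData -> claimMetaData.getClaimUri())
                .collect(Collectors.toList());
    }

    /** Debug-logs the early return taken when there are no user claims to filter. */
    private void logDebugForEmptyUserClaims() {
        if (log.isDebugEnabled()) {
            log.debug("No user claims to filter. Returning an empty map of filtered claims.");
        }
    }
}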
