package org.wso2.carbon.identity.openidconnect;

import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.model.RoleMapping;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheEntry;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheKey;
import org.wso2.carbon.identity.oauth.common.OAuthConstants;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.openidconnect.internal.OpenIDConnectServiceComponentHolder;
import org.wso2.carbon.user.core.util.UserCoreUtil;

/* loaded from: input_file:org/wso2/carbon/identity/openidconnect/OIDCClaimUtil.class */
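/**
 * Static helpers used while assembling OpenID Connect claims: service-provider role
 * mapping, consent-based claim filtering, subject-type resolution (public / pairwise)
 * and a cache lookup for the subject claim of an issued access token.
 *
 * <p>The class is stateless; every method is {@code static} and the constructor is private.
 */
public class OIDCClaimUtil {
    private static final Log log = LogFactory.getLog(OIDCClaimUtil.class);
    private static final String OPENID_IDP_ENTITY_ID = "IdPEntityId";
    // Server property: when "true", only roles that have an SP role mapping are returned.
    private static final String SEND_ONLY_SP_MAPPED_ROLES = "SPRoleManagement.ReturnOnlyMappedLocalRoles";
    // Server property holding the subject type applied when an app has none configured.
    public static final String DEFAULT_SUBJECT_TYPE = "OAuth.OpenIDConnect.DefaultSubjectType";

    private OIDCClaimUtil() {
    }

    /**
     * Maps the user's local roles to the service provider's role names and joins them into
     * a single string.
     *
     * <p>Roles that have an SP role mapping are replaced by the mapped remote role. The
     * remaining (unmapped) roles are appended unless the {@code SPRoleManagement.ReturnOnlyMappedLocalRoles}
     * server property is {@code true}; when the SP is configured not to use the user-store
     * domain in roles, the domain prefix is stripped from those unmapped roles first
     * (see {@link #removeDomainFromNamesExcludeHybrid(List)}).
     *
     * @param serviceProvider the service provider whose role mappings and role configuration apply
     * @param list            the user's local role names; may be {@code null} or empty
     * @param str             separator placed between the returned role names
     * @return the joined role names, or {@code null} when {@code list} is {@code null} or empty
     * @throws FrameworkException declared for API compatibility; nothing in this method raises it
     */
    public static String getServiceProviderMappedUserRoles(ServiceProvider serviceProvider, List<String> list, String str) throws FrameworkException {
        if (!CollectionUtils.isNotEmpty(list)) {
            return null;
        }
        // Work on a copy: mapped roles are removed from it so only unmapped ones remain.
        List<String> unmappedRoles = new ArrayList<>(list);
        // A service provider without a permission/role config simply has no mappings.
        RoleMapping[] roleMappings = serviceProvider.getPermissionAndRoleConfig() != null
                ? serviceProvider.getPermissionAndRoleConfig().getRoleMappings() : null;
        List<String> rolesPendingDomainRemoval = new ArrayList<>();
        List<String> spRoles = new ArrayList<>();
        boolean returnOnlyMappedRoles = Boolean.parseBoolean(IdentityUtil.getProperty(SEND_ONLY_SP_MAPPED_ROLES));
        boolean removeUserDomain = isRemoveUserDomainInRole(serviceProvider);
        if (ArrayUtils.isNotEmpty(roleMappings)) {
            for (RoleMapping roleMapping : roleMappings) {
                String localRoleName = getLocalRoleName(roleMapping);
                if (unmappedRoles.contains(localRoleName)) {
                    // removeAll drops every occurrence, not just the first one.
                    unmappedRoles.removeAll(Collections.singletonList(localRoleName));
                    spRoles.add(roleMapping.getRemoteRole());
                }
            }
            if (!returnOnlyMappedRoles) {
                if (removeUserDomain) {
                    rolesPendingDomainRemoval = unmappedRoles;
                } else {
                    spRoles.addAll(unmappedRoles);
                }
            }
        } else if (removeUserDomain) {
            rolesPendingDomainRemoval = unmappedRoles;
        } else {
            spRoles = unmappedRoles;
        }
        if (removeUserDomain) {
            List<String> domainStrippedRoles = removeDomainFromNamesExcludeHybrid(rolesPendingDomainRemoval);
            if (!domainStrippedRoles.isEmpty()) {
                spRoles.addAll(domainStrippedRoles);
            }
        }
        return StringUtils.join(spRoles, str);
    }

    /**
     * Returns {@code true} when the SP has a local/outbound authentication config that is
     * set NOT to use the user-store domain in role names.
     *
     * @param serviceProvider the service provider to inspect
     * @return {@code true} when the domain prefix must be removed from role names
     */
    private static boolean isRemoveUserDomainInRole(ServiceProvider serviceProvider) {
        return serviceProvider.getLocalAndOutBoundAuthenticationConfig() != null
                && !serviceProvider.getLocalAndOutBoundAuthenticationConfig().isUseUserstoreDomainInRoles();
    }

    /**
     * Strips the user-store domain prefix from each role name, except for roles in the
     * {@code Internal}, {@code Application} and {@code Workflow} domains, which are kept intact.
     *
     * @param list role names, possibly domain-qualified
     * @return a new list with the same order as {@code list}
     */
    private static List<String> removeDomainFromNamesExcludeHybrid(List<String> list) {
        List<String> result = new ArrayList<>(list.size());
        for (String roleName : list) {
            String domain = IdentityUtil.extractDomainFromName(roleName);
            boolean isHybridDomain = "Internal".equalsIgnoreCase(domain)
                    || "Application".equalsIgnoreCase(domain)
                    || "Workflow".equalsIgnoreCase(domain);
            result.add(isHybridDomain ? roleName : UserCoreUtil.removeDomainFromName(roleName));
        }
        return result;
    }

    /**
     * Looks up the subject claim stored in the authorization-grant cache for an access token.
     *
     * @param str the access token value used as the cache key
     * @return the cached subject claim, or {@code null} when the token is blank or no cache entry exists
     */
    public static String getSubjectClaimCachedAgainstAccessToken(String str) {
        if (!StringUtils.isNotBlank(str)) {
            return null;
        }
        AuthorizationGrantCacheEntry cacheEntry = AuthorizationGrantCache.getInstance()
                .getValueFromCacheByToken(new AuthorizationGrantCacheKey(str));
        return cacheEntry == null ? null : cacheEntry.getSubjectClaim();
    }

    /**
     * Returns the local role name of a role mapping.
     *
     * @param roleMapping the mapping to read
     * @return the local role name
     */
    private static String getLocalRoleName(RoleMapping roleMapping) {
        return roleMapping.getLocalRole().getLocalRoleName();
    }

    /**
     * Filters user claims by user consent when consent-based filtering applies to the grant type.
     *
     * @param map               the user claims to filter
     * @param authenticatedUser the user the claims belong to
     * @param str               client id (as logged)
     * @param str2              tenant domain (as logged)
     * @param str3              grant type
     * @return the consent-filtered claims, or {@code map} unchanged when filtering is skipped
     * @deprecated use {@link #filterUserClaimsBasedOnConsent(Map, AuthenticatedUser, String, String, String, ServiceProvider)},
     * which also honours the service provider's consent-page-skip setting
     */
    @Deprecated
    public static Map<String, Object> filterUserClaimsBasedOnConsent(Map<String, Object> map, AuthenticatedUser authenticatedUser, String str, String str2, String str3) {
        if (isConsentBasedClaimFilteringApplicable(str3)) {
            return OpenIDConnectServiceComponentHolder.getInstance().getHighestPriorityOpenIDConnectClaimFilter().getClaimsFilteredByUserConsent(map, authenticatedUser, str, str2);
        }
        if (log.isDebugEnabled()) {
            log.debug(String.format("Filtering user claims based on consent skipped for grant type:%s. Returning original user claims for user: %s, for clientId: %s of tenantDomain: %s", str3, authenticatedUser.toFullQualifiedUsername(), str, str2));
        }
        return map;
    }

    /**
     * Filters user claims by user consent when consent-based filtering applies to the grant
     * type and the service provider does not skip the consent page.
     *
     * @param map               the user claims to filter
     * @param authenticatedUser the user the claims belong to
     * @param str               client id (as logged)
     * @param str2              tenant domain (as logged)
     * @param str3              grant type
     * @param serviceProvider   the service provider whose consent-page setting is checked
     * @return the consent-filtered claims, or {@code map} unchanged when filtering is skipped
     */
    public static Map<String, Object> filterUserClaimsBasedOnConsent(Map<String, Object> map, AuthenticatedUser authenticatedUser, String str, String str2, String str3, ServiceProvider serviceProvider) {
        if (isConsentBasedClaimFilteringApplicable(str3) && !FrameworkUtils.isConsentPageSkippedForSP(serviceProvider)) {
            return OpenIDConnectServiceComponentHolder.getInstance().getHighestPriorityOpenIDConnectClaimFilter().getClaimsFilteredByUserConsent(map, authenticatedUser, str, str2);
        }
        if (log.isDebugEnabled()) {
            log.debug(String.format("Filtering user claims based on consent skipped for grant type:%s. Returning original user claims for user:%s, for clientId:%s of tenantDomain:%s", str3, authenticatedUser.toFullQualifiedUsername(), str, str2));
        }
        return map;
    }

    /**
     * Filters user claims by user consent, taking the per-token consent flag into account.
     *
     * <p>When the consented-token column is disabled the decision falls back to the grant-type
     * based overload. Otherwise filtering happens only when {@code z} is {@code true} and the
     * service provider does not skip the consent page; the grant type is not consulted on that path.
     *
     * @param map               the user claims to filter
     * @param authenticatedUser the user the claims belong to
     * @param str               client id (as logged)
     * @param str2              tenant domain (as logged)
     * @param str3              grant type; only used by the fallback overload
     * @param serviceProvider   the service provider whose consent-page setting is checked
     * @param z                 whether the token was issued with user consent
     * @return the consent-filtered claims, or {@code map} unchanged when filtering is skipped
     */
    public static Map<String, Object> filterUserClaimsBasedOnConsent(Map<String, Object> map, AuthenticatedUser authenticatedUser, String str, String str2, String str3, ServiceProvider serviceProvider, boolean z) {
        if (!OAuth2ServiceComponentHolder.isConsentedTokenColumnEnabled()) {
            return filterUserClaimsBasedOnConsent(map, authenticatedUser, str, str2, str3, serviceProvider);
        }
        if (z && !FrameworkUtils.isConsentPageSkippedForSP(serviceProvider)) {
            return OpenIDConnectServiceComponentHolder.getInstance().getHighestPriorityOpenIDConnectClaimFilter().getClaimsFilteredByUserConsent(map, authenticatedUser, str, str2);
        }
        if (log.isDebugEnabled()) {
            log.debug(String.format("Filtering user claims based on consent skipped for grant type. Returning original user claims for user:%s, for clientId:%s of tenantDomain:%s", authenticatedUser.toFullQualifiedUsername(), str, str2));
        }
        return map;
    }

    /**
     * Tells whether consent-based claim filtering applies: the OIDC consent page is not
     * globally skipped and the server configuration requires consent for the given grant type.
     *
     * @param str grant type
     * @return {@code true} when claims must be filtered by consent
     */
    public static boolean isConsentBasedClaimFilteringApplicable(String str) {
        return isOIDCConsentPageNotSkipped() && isUserConsentRequiredForClaims(str);
    }

    /** @return {@code true} unless the server is configured to skip the OIDC user-consent page. */
    private static boolean isOIDCConsentPageNotSkipped() {
        return !OAuthServerConfiguration.getInstance().getOpenIDConnectSkipeUserConsentConfig();
    }

    /**
     * @param str grant type
     * @return whether the server configuration requires user consent for claims under this grant type
     */
    private static boolean isUserConsentRequiredForClaims(String str) {
        return OAuthServerConfiguration.getInstance().isUserConsentRequiredForClaims(str);
    }

    /**
     * Resolves the subject type of an OAuth application, falling back to the server default.
     *
     * @param oAuthAppDO the application
     * @return the configured subject type, or {@link #getDefaultSubjectType()} when none is set
     */
    private static OAuthConstants.SubjectType getSubjectType(OAuthAppDO oAuthAppDO) {
        if (StringUtils.isNotEmpty(oAuthAppDO.getSubjectType())) {
            return OAuthConstants.SubjectType.fromValue(oAuthAppDO.getSubjectType());
        }
        OAuthConstants.SubjectType defaultSubjectType = getDefaultSubjectType();
        if (log.isDebugEnabled()) {
            log.debug("Subject type is not configured for the service provider: " + oAuthAppDO.getOauthConsumerKey() + ". Returning default subject type: " + defaultSubjectType);
        }
        return defaultSubjectType;
    }

    /**
     * Returns the server-wide default subject type read from the
     * {@code OAuth.OpenIDConnect.DefaultSubjectType} property, or {@code PUBLIC} when it is blank.
     *
     * @return the default subject type
     */
    public static OAuthConstants.SubjectType getDefaultSubjectType() {
        // Read the property once so the check and the conversion see the same value.
        String configuredDefault = IdentityUtil.getProperty(DEFAULT_SUBJECT_TYPE);
        if (StringUtils.isNotBlank(configuredDefault)) {
            return OAuthConstants.SubjectType.fromValue(configuredDefault);
        }
        return OAuthConstants.SubjectType.PUBLIC;
    }

    /**
     * Returns the subject claim value to issue for a user and application.
     *
     * <p>For {@code PAIRWISE} applications the value is derived from the app's sector
     * identifier URI (or callback URL) and the user id, so the same user gets a different
     * subject per sector; for every other subject type {@code str} is returned unchanged.
     *
     * @param str        the user's subject identifier (user id)
     * @param oAuthAppDO the application the token is issued to
     * @return the public or pairwise subject value
     * @throws IdentityOAuth2Exception when a pairwise subject cannot be derived
     */
    public static String getSubjectClaim(String str, OAuthAppDO oAuthAppDO) throws IdentityOAuth2Exception {
        if (OAuthConstants.SubjectType.PAIRWISE.equals(getSubjectType(oAuthAppDO))) {
            return getPairwiseSubjectIdentifier(oAuthAppDO.getSectorIdentifierURI(), str, oAuthAppDO.getCallbackUrl());
        }
        return str;
    }

    /**
     * Derives a pairwise subject identifier from the host of the sector identifier URI
     * (or, when that is blank, of a non-regex callback URL) and the user id.
     *
     * <p>The result is a name-based UUID over {@code host + userId} (UTF-8, no delimiter), so
     * it is deterministic for a given (host, user) pair and changes for every user if the
     * sector host changes. The host must be present: a value without an authority part
     * (for example a path-only string) is rejected instead of producing a null host.
     *
     * @param str  sector identifier URI; takes precedence when not blank
     * @param str2 user id
     * @param str3 callback URL used only when {@code str} is blank and it is not a {@code regexp=} pattern
     * @return the pairwise subject identifier
     * @throws IdentityOAuth2Exception when neither URI is usable, the URI is malformed or has
     *                                 no host, or the user id is blank
     */
    private static String getPairwiseSubjectIdentifier(String str, String str2, String str3) throws IdentityOAuth2Exception {
        String sectorSource = null;
        if (StringUtils.isNotBlank(str)) {
            sectorSource = str;
        } else if (StringUtils.isNotBlank(str3) && isValidCallBackURI(str3)) {
            sectorSource = str3;
        }
        if (sectorSource == null) {
            throw new IdentityOAuth2Exception("Invalid sector identifier URI or callback URI.");
        }
        URI sectorUri;
        try {
            sectorUri = new URI(sectorSource);
        } catch (URISyntaxException e) {
            // Surface a malformed configured URI as the declared domain exception rather than an unchecked one.
            throw new IdentityOAuth2Exception("Invalid sector identifier URI or callback URI.", e);
        }
        String host = sectorUri.getHost();
        if (host == null) {
            throw new IdentityOAuth2Exception("Sector identifier URI or callback URI does not contain a host.");
        }
        if (StringUtils.isBlank(str2)) {
            throw new IdentityOAuth2Exception("Invalid user id.");
        }
        return UUID.nameUUIDFromBytes(host.concat(str2).getBytes(StandardCharsets.UTF_8)).toString();
    }

    /**
     * A callback URL is usable as a sector source only when it is a literal URL, not a
     * {@code regexp=} pattern (which has no single host to derive from).
     *
     * @param str callback URL
     * @return {@code true} when the value does not start with {@code regexp=}
     */
    private static boolean isValidCallBackURI(String str) {
        return !str.startsWith("regexp=");
    }

    /**
     * Returns the callback URL registered for an OAuth application.
     *
     * @param str  client id (passed to {@code OAuth2Util.getAppInformationByClientId})
     * @param str2 presumably the tenant domain; forwarded as the second lookup argument
     * @return the application's callback URL, or {@code null} when no application is found
     * @throws IdentityOAuth2Exception     propagated from the application lookup
     * @throws InvalidOAuthClientException propagated from the application lookup
     */
    public static String getCallbackUrl(String str, String str2) throws IdentityOAuth2Exception, InvalidOAuthClientException {
        OAuthAppDO appInformation = OAuth2Util.getAppInformationByClientId(str, str2);
        return appInformation == null ? null : appInformation.getCallbackUrl();
    }
}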
