package org.wso2.carbon.identity.openidconnect;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheEntry;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheKey;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.user.UserInfoEndpointException;
import org.wso2.carbon.identity.oauth.user.UserInfoResponseBuilder;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.RequestObjectException;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationResponseDTO;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.openidconnect.internal.OpenIDConnectServiceComponentHolder;

/* loaded from: input_file:org/wso2/carbon/identity/openidconnect/AbstractUserInfoResponseBuilder.class */
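/**
 * Base implementation of the OpenID Connect UserInfo response builder.
 *
 * <p>Subclasses supply the raw user claims ({@link #retrieveUserClaims}) and the response format
 * ({@link #buildResponse}). This class decides which of those claims are released for the presented access
 * token: claims are narrowed by the token's scopes, essential claims and request-object claims are then merged
 * in, and user consent is applied last unless the token belongs to an API-based authentication flow. The
 * {@code sub} claim is always set from the verified token's authenticated user.
 */
public abstract class AbstractUserInfoResponseBuilder implements UserInfoResponseBuilder {
    private static final Log log = LogFactory.getLog(AbstractUserInfoResponseBuilder.class);

    /**
     * Builds the UserInfo response body for a validated access token.
     *
     * @param tokenResponse token validation result for the presented access token
     * @return the response produced by {@link #buildResponse}
     * @throws IllegalArgumentException if no access token data object is available for the token
     * @throws UserInfoEndpointException if application, token or claim details cannot be resolved
     * @throws OAuthSystemException if the requested claims cannot be read from the request object
     */
    @Override
    public String getResponseString(OAuth2TokenValidationResponseDTO tokenResponse)
            throws UserInfoEndpointException, OAuthSystemException {
        Optional<AccessTokenDO> accessTokenDO = OAuth2Util.getAccessTokenDO(tokenResponse);
        if (!accessTokenDO.isPresent()) {
            throw new IllegalArgumentException(OAuth2Util.ACCESS_TOKEN_IS_NOT_ACTIVE_ERROR_MESSAGE);
        }
        String clientId = accessTokenDO.get().getConsumerKey();
        String spTenantDomain = getServiceProviderTenantDomain(tokenResponse);
        Map<String, Object> userClaims = retrieveUserClaims(tokenResponse);
        Map<String, Object> filteredClaims = filterOIDCClaims(tokenResponse, clientId, spTenantDomain, userClaims);
        // "sub" is written after filtering, so it is present even when every other claim was filtered out.
        String subject = getSubjectClaim(userClaims, clientId, spTenantDomain, tokenResponse);
        filteredClaims.put(OAuth2Util.SUB, getOIDCSubjectClaim(clientId, spTenantDomain, subject));
        return buildResponse(tokenResponse, spTenantDomain, filteredClaims);
    }

    /**
     * Converts the authenticated subject identifier into the subject value for the given application.
     *
     * @param clientId OAuth client id of the application
     * @param spTenantDomain tenant domain of the application
     * @param subject authenticated subject identifier of the token owner
     * @return the value returned by {@code OIDCClaimUtil.getSubjectClaim} for this application
     * @throws UserInfoEndpointException if the application details cannot be loaded
     */
    private String getOIDCSubjectClaim(String clientId, String spTenantDomain, String subject)
            throws UserInfoEndpointException {
        try {
            return OIDCClaimUtil.getSubjectClaim(subject,
                    OAuth2Util.getAppInformationByClientId(clientId, spTenantDomain));
        } catch (IdentityOAuth2Exception | InvalidOAuthClientException e) {
            throw new UserInfoEndpointException("Error while getting subject claim for client_id: " + clientId
                    + " of tenantDomain: " + spTenantDomain, e);
        }
    }

    /**
     * Reduces the retrieved user claims to the set that may be released for this token.
     *
     * @param tokenResponse token validation result for the presented access token
     * @param clientId OAuth client id of the application
     * @param spTenantDomain tenant domain of the application
     * @param userClaims all claims retrieved for the user; may be null or empty
     * @return a mutable map of releasable claims (empty when {@code userClaims} is empty)
     * @throws OAuthSystemException if the requested claims cannot be read from the request object
     * @throws UserInfoEndpointException if the access token cannot be verified
     */
    private Map<String, Object> filterOIDCClaims(OAuth2TokenValidationResponseDTO tokenResponse, String clientId,
                                                 String spTenantDomain, Map<String, Object> userClaims)
            throws OAuthSystemException, UserInfoEndpointException {
        try {
            // The second argument is passed as false - presumably "do not accept expired tokens";
            // confirm against the TokenProvider contract.
            AccessTokenDO verifiedToken = OAuth2ServiceComponentHolder.getInstance().getTokenProvider()
                    .getVerifiedAccessToken(tokenResponse.getAuthorizationContextToken().getTokenString(), false);
            String accessToken = verifiedToken == null ? null : verifiedToken.getAccessToken();
            if (MapUtils.isEmpty(userClaims)) {
                if (log.isDebugEnabled()) {
                    // NOTE(review): writes the fully qualified username to the debug log.
                    log.debug("No user claims available to be filtered for user: " + OAuth2Util.getAuthenticatedUser(verifiedToken).toFullQualifiedUsername() + " for client_id: " + clientId + " of tenantDomain: " + spTenantDomain);
                }
                return new HashMap<>();
            }
            Map<String, Object> releasableClaims = getUserClaimsFilteredByScope(tokenResponse, userClaims,
                    tokenResponse.getScope(), clientId, spTenantDomain);
            // NOTE(review): both merges below read from the unfiltered claim map, so a claim outside the
            // granted scopes can be reinstated here. Consent filtering is the only gate applied afterwards,
            // and it is skipped for API-based auth flows.
            releasableClaims.putAll(getEssentialClaims(tokenResponse, userClaims));
            releasableClaims.putAll(filterClaimsFromRequestObject(userClaims, accessToken));
            AuthenticatedUser authenticatedUser = OAuth2Util.getAuthenticatedUser(verifiedToken);
            if (!isApiBasedAuthFlow(accessToken)) {
                return getUserClaimsFilteredByConsent(tokenResponse, releasableClaims, authenticatedUser, clientId,
                        spTenantDomain);
            }
            if (log.isDebugEnabled()) {
                log.debug(String.format("Filtering user claims based on user consent skipped due api based auth flow. Returning original user claims for user:%s, for clientId:%s of tenantDomain:%s", authenticatedUser.toFullQualifiedUsername(), clientId, spTenantDomain));
            }
            return releasableClaims;
        } catch (IdentityOAuth2Exception e) {
            throw new UserInfoEndpointException("Error occurred while obtaining access token.", e);
        }
    }

    /**
     * Returns the grant type recorded on the access token.
     *
     * @param accessTokenDO verified access token; must not be null
     * @return the token's grant type
     */
    private String getGrantType(AccessTokenDO accessTokenDO) {
        return accessTokenDO.getGrantType();
    }

    /**
     * Selects the claims that the request object associated with the token asked for at the UserInfo endpoint.
     *
     * @param userClaims all claims retrieved for the user
     * @param accessToken access token value used to look up the requested claims
     * @return the claims returned by the highest-priority claim filter for the requested claims
     * @throws OAuthSystemException if the requested claims cannot be read from the request object
     */
    private Map<String, Object> filterClaimsFromRequestObject(Map<String, Object> userClaims, String accessToken)
            throws OAuthSystemException {
        try {
            return OpenIDConnectServiceComponentHolder.getInstance().getHighestPriorityOpenIDConnectClaimFilter()
                    .getClaimsFilteredByEssentialClaims(userClaims,
                            OpenIDConnectServiceComponentHolder.getRequestObjectService()
                                    .getRequestedClaimsForUserInfo(accessToken));
        } catch (RequestObjectException e) {
            // Chain the cause rather than concatenating it into the message, so the stack trace is preserved.
            throw new OAuthSystemException("Unable to retrieve requested claims from Request Object.", e);
        }
    }

    /**
     * Resolves the authenticated subject identifier of the token owner.
     *
     * <p>This implementation reads the subject from the verified access token and ignores
     * {@code userClaims}, {@code clientId} and {@code spTenantDomain}; they are available to overriding
     * classes.
     *
     * @param userClaims all claims retrieved for the user (unused here)
     * @param clientId OAuth client id of the application (unused here)
     * @param spTenantDomain tenant domain of the application (unused here)
     * @param tokenResponse token validation result for the presented access token
     * @return the authenticated subject identifier
     * @throws UserInfoEndpointException if the access token cannot be verified
     * @throws OAuthSystemException declared for overriding classes; not thrown by this implementation
     */
    protected String getSubjectClaim(Map<String, Object> userClaims, String clientId, String spTenantDomain,
                                     OAuth2TokenValidationResponseDTO tokenResponse)
            throws UserInfoEndpointException, OAuthSystemException {
        try {
            AccessTokenDO verifiedToken = OAuth2ServiceComponentHolder.getInstance().getTokenProvider()
                    .getVerifiedAccessToken(tokenResponse.getAuthorizationContextToken().getTokenString(), false);
            return OAuth2Util.getAuthenticatedUser(verifiedToken).getAuthenticatedSubjectIdentifier();
        } catch (IdentityOAuth2Exception e) {
            throw new UserInfoEndpointException("Error occurred while obtaining access token.", e);
        }
    }

    /**
     * Filters the user claims down to those permitted by the requested OIDC scopes.
     *
     * @param tokenResponse token validation result (unused here; available to overriding classes)
     * @param userClaims all claims retrieved for the user
     * @param requestedScopes scopes attached to the token
     * @param clientId OAuth client id of the application
     * @param spTenantDomain tenant domain of the application
     * @return the claims returned by the highest-priority claim filter for these scopes
     * @throws UserInfoEndpointException declared for overriding classes; not thrown by this implementation
     */
    protected Map<String, Object> getUserClaimsFilteredByScope(OAuth2TokenValidationResponseDTO tokenResponse,
                                                               Map<String, Object> userClaims,
                                                               String[] requestedScopes, String clientId,
                                                               String spTenantDomain)
            throws UserInfoEndpointException {
        return OpenIDConnectServiceComponentHolder.getInstance().getHighestPriorityOpenIDConnectClaimFilter()
                .getClaimsFilteredByOIDCScopes(userClaims, requestedScopes, clientId, spTenantDomain);
    }

    /**
     * Filters the claims according to the consent recorded for the user and application.
     *
     * <p>When the consented-token column is enabled, the token's own consented flag is passed to the filter
     * as well.
     *
     * @param tokenResponse token validation result for the presented access token
     * @param userClaims claims that remain after scope filtering and merging
     * @param authenticatedUser owner of the access token
     * @param clientId OAuth client id of the application
     * @param spTenantDomain tenant domain of the application
     * @return the claims returned by {@code OIDCClaimUtil.filterUserClaimsBasedOnConsent}
     * @throws UserInfoEndpointException if the token cannot be verified, no verified token is returned, or
     *         the service provider cannot be loaded
     */
    protected Map<String, Object> getUserClaimsFilteredByConsent(OAuth2TokenValidationResponseDTO tokenResponse,
                                                                 Map<String, Object> userClaims,
                                                                 AuthenticatedUser authenticatedUser,
                                                                 String clientId, String spTenantDomain)
            throws UserInfoEndpointException {
        try {
            AccessTokenDO verifiedToken = OAuth2ServiceComponentHolder.getInstance().getTokenProvider()
                    .getVerifiedAccessToken(tokenResponse.getAuthorizationContextToken().getTokenString(), false);
            if (verifiedToken == null) {
                // Fail closed with the declared exception instead of a NullPointerException further down.
                throw new UserInfoEndpointException("No verified access token available for client_id: "
                        + clientId + " of tenantDomain: " + spTenantDomain);
            }
            String grantType = getGrantType(verifiedToken);
            ServiceProvider serviceProvider = getServiceProvider(spTenantDomain, clientId);
            if (!OAuth2ServiceComponentHolder.isConsentedTokenColumnEnabled()) {
                return OIDCClaimUtil.filterUserClaimsBasedOnConsent(userClaims, authenticatedUser, clientId,
                        spTenantDomain, grantType, serviceProvider);
            }
            return OIDCClaimUtil.filterUserClaimsBasedOnConsent(userClaims, authenticatedUser, clientId,
                    spTenantDomain, grantType, serviceProvider, verifiedToken.isConsentedToken());
        } catch (IdentityOAuth2Exception e) {
            throw new UserInfoEndpointException("An error occurred while fetching the access token details.", e);
        }
    }

    /**
     * Collects the essential claims requested for the UserInfo endpoint.
     *
     * <p>Every essential claim URI gets an entry; the value is {@code null} when the user has no such claim.
     *
     * @param tokenResponse token validation result for the presented access token
     * @param userClaims all claims retrieved for the user
     * @return a mutable map from essential claim URI to the user's value for it
     * @throws UserInfoEndpointException declared for overriding classes and the cache lookup
     */
    protected Map<String, Object> getEssentialClaims(OAuth2TokenValidationResponseDTO tokenResponse,
                                                     Map<String, Object> userClaims)
            throws UserInfoEndpointException {
        Map<String, Object> essentialClaims = new HashMap<>();
        List<String> essentialClaimUris = getEssentialClaimUris(tokenResponse);
        if (CollectionUtils.isNotEmpty(essentialClaimUris)) {
            for (String claimUri : essentialClaimUris) {
                essentialClaims.put(claimUri, userClaims.get(claimUri));
            }
        }
        return essentialClaims;
    }

    /**
     * Retrieves all claims of the user that owns the access token, before any filtering.
     *
     * @param tokenResponse token validation result for the presented access token
     * @return the user's claims
     * @throws UserInfoEndpointException if the claims cannot be retrieved
     */
    protected abstract Map<String, Object> retrieveUserClaims(OAuth2TokenValidationResponseDTO tokenResponse)
            throws UserInfoEndpointException;

    /**
     * Serializes the filtered claims into the response returned by the UserInfo endpoint.
     *
     * @param tokenResponse token validation result for the presented access token
     * @param spTenantDomain tenant domain of the application
     * @param filteredClaims claims to release, including {@code sub}
     * @return the response body
     * @throws UserInfoEndpointException if the response cannot be built
     */
    protected abstract String buildResponse(OAuth2TokenValidationResponseDTO tokenResponse, String spTenantDomain,
                                            Map<String, Object> filteredClaims) throws UserInfoEndpointException;

    /**
     * Resolves the tenant domain of the OAuth application the access token was issued to.
     *
     * @param tokenResponse token validation result for the presented access token
     * @return the tenant domain of the application
     * @throws IllegalArgumentException if no access token data object is available for the token
     * @throws UserInfoEndpointException if the application details cannot be loaded
     */
    private String getServiceProviderTenantDomain(OAuth2TokenValidationResponseDTO tokenResponse)
            throws UserInfoEndpointException {
        Optional<AccessTokenDO> accessTokenDO = OAuth2Util.getAccessTokenDO(tokenResponse);
        if (!accessTokenDO.isPresent()) {
            throw new IllegalArgumentException(OAuth2Util.ACCESS_TOKEN_IS_NOT_ACTIVE_ERROR_MESSAGE);
        }
        // Resolved before the try block so the failure message can name the client.
        String clientId = accessTokenDO.get().getConsumerKey();
        try {
            return OAuth2Util.getTenantDomainOfOauthApp(OAuth2Util.getAppInformationByClientId(clientId));
        } catch (IdentityOAuth2Exception | InvalidOAuthClientException e) {
            throw new UserInfoEndpointException(
                    "Error while retrieving OAuth app information for clientId: " + clientId, e);
        }
    }

    /**
     * Loads the service provider registered for the given OAuth client.
     *
     * @param spTenantDomain tenant domain of the application
     * @param clientId OAuth client id of the application
     * @return the matching service provider
     * @throws UserInfoEndpointException if the application management lookup fails
     */
    private ServiceProvider getServiceProvider(String spTenantDomain, String clientId)
            throws UserInfoEndpointException {
        try {
            return OAuth2ServiceComponentHolder.getApplicationMgtService()
                    .getServiceProviderByClientId(clientId, "oauth2", spTenantDomain);
        } catch (IdentityApplicationManagementException e) {
            throw new UserInfoEndpointException("Error while obtaining the service provider for client_id: "
                    + clientId + " of tenantDomain: " + spTenantDomain, e);
        }
    }

    /**
     * Reads the essential claim URIs for the UserInfo endpoint from the authorization grant cache.
     *
     * @param tokenResponse token validation result for the presented access token
     * @return the essential claim URIs, or an empty mutable list when the cache holds none for this token
     * @throws UserInfoEndpointException declared by the signature; the lookups used here do not visibly throw it
     */
    private List<String> getEssentialClaimUris(OAuth2TokenValidationResponseDTO tokenResponse)
            throws UserInfoEndpointException {
        AuthorizationGrantCacheEntry cacheEntry = AuthorizationGrantCache.getInstance().getValueFromCacheByToken(
                new AuthorizationGrantCacheKey(OAuth2Util.getAccessTokenIdentifier(tokenResponse)));
        if (cacheEntry != null && StringUtils.isNotEmpty(cacheEntry.getEssentialClaims())) {
            return OAuth2Util.getEssentialClaims(cacheEntry.getEssentialClaims(), OIDCConstants.USERINFO);
        }
        return new ArrayList<>();
    }

    /**
     * Tells whether the token's cached authorization grant is marked as an API-based authentication request.
     *
     * <p>A missing cache entry is treated as "not API-based", so consent filtering still runs in that case.
     *
     * @param accessToken access token value used as the cache key
     * @return {@code true} only when a cache entry exists and is flagged as API-based
     */
    private boolean isApiBasedAuthFlow(String accessToken) {
        AuthorizationGrantCacheEntry cacheEntry = AuthorizationGrantCache.getInstance()
                .getValueFromCacheByToken(new AuthorizationGrantCacheKey(accessToken));
        return cacheEntry != null && cacheEntry.isApiBasedAuthRequest();
    }
}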
