package org.wso2.carbon.identity.openidconnect;

import com.nimbusds.jwt.JWTClaimsSet;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import net.minidev.json.JSONArray;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.claim.metadata.mgt.ClaimMetadataHandler;
import org.wso2.carbon.identity.claim.metadata.mgt.exception.ClaimMetadataException;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.openidconnect.internal.OpenIDConnectServiceComponentHolder;
import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/openidconnect/JWTAccessTokenOIDCClaimsHandler.class */
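/**
 * Adds user attributes to a JWT access token during the token-request flow.
 *
 * <p>The candidate claims are the application's configured "access token claims"
 * ({@code OAuth2Util.getAppInformationByClientId(...).getAccessTokenClaims()}). They are resolved
 * to local claim URIs through the OIDC-to-local dialect mapping, read from the user store for the
 * authorized user, passed through the highest-priority {@code OpenIDConnectClaimFilter}, and then
 * merged into the supplied {@link JWTClaimsSet.Builder}. A claim that is already present in the
 * builder is never overwritten, so a user-store attribute cannot replace a value the caller has
 * already set on the token.</p>
 *
 * <p>Only {@link OAuthTokenReqMessageContext} is handled; the authorization-request overload
 * returns the builder's current content unchanged.</p>
 */
public class JWTAccessTokenOIDCClaimsHandler implements CustomClaimsCallbackHandler {

    private static final Log log = LogFactory.getLog(JWTAccessTokenOIDCClaimsHandler.class);
    private static final String OAUTH2 = "oauth2";
    private static final String OIDC_DIALECT = "http://wso2.org/oidc/claim";
    private static final String TENANT_DOMAIN_PROPERTY = "tenantDomain";
    private static final String ADDRESS_CLAIM = "address";
    private static final String GROUPS_CLAIM = "groups";

    /**
     * Adds the configured user claims to the access token built from {@code builder}.
     *
     * @param builder                    claim-set builder already populated by the token issuer
     * @param oAuthTokenReqMessageContext token request context (client id, tenant, authorized user)
     * @return the built claim set, with user claims added where they do not clash with existing ones
     * @throws IdentityOAuth2Exception if application, claim-mapping or scope lookups fail, or if
     *                                 user-store lookup fails and continuing on claim errors is not allowed
     */
    @Override
    public JWTClaimsSet handleCustomClaims(JWTClaimsSet.Builder builder,
                                           OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws IdentityOAuth2Exception {

        String clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
        String spTenantDomain = getServiceProviderTenantDomain(oAuthTokenReqMessageContext);
        Map<String, Object> userClaims = getAccessTokenUserClaims(
                oAuthTokenReqMessageContext.getAuthorizedUser(), clientId, spTenantDomain);
        // Nothing configured, nothing resolvable, or the user-store lookup was allowed to fail: issue as-is.
        if (userClaims == null || userClaims.isEmpty()) {
            return builder.build();
        }
        return setClaimsToJwtClaimSet(builder, handleClaimsFormat(userClaims, clientId, spTenantDomain));
    }

    /**
     * No-op for the authorization-request flow; the claim set is built from the builder as it is.
     *
     * @param builder                    claim-set builder
     * @param oAuthAuthzReqMessageContext authorization request context (unused)
     * @return {@code builder.build()}
     */
    @Override
    public JWTClaimsSet handleCustomClaims(JWTClaimsSet.Builder builder,
                                           OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext)
            throws IdentityOAuth2Exception {

        return builder.build();
    }

    /**
     * Resolves the application's configured access-token claims to local claim URIs and reads them
     * from the user store.
     *
     * @return the user's claims keyed in the OIDC dialect; an empty map when nothing is configured or
     *         no mapping exists; {@code null} when the user-store lookup failed and the framework is
     *         configured to continue on claim-handling errors
     * @throws IdentityOAuth2Exception on lookup failures that must abort token issuance
     */
    private Map<String, Object> getAccessTokenUserClaims(AuthenticatedUser authenticatedUser, String clientId,
                                                         String spTenantDomain) throws IdentityOAuth2Exception {

        List<String> accessTokenClaims = getAccessTokenClaims(clientId, spTenantDomain);
        if (accessTokenClaims.isEmpty()) {
            return new HashMap<>();
        }
        Map<String, String> oidcToLocalClaimMappings = getOIDCToLocalClaimMappings(spTenantDomain);
        if (oidcToLocalClaimMappings.isEmpty()) {
            return new HashMap<>();
        }
        // Configured OIDC claims without a local mapping are silently dropped.
        List<String> localClaimUris = accessTokenClaims.stream()
                .map(oidcToLocalClaimMappings::get)
                .filter(Objects::nonNull)
                .collect(Collectors.toList());
        try {
            return getUserClaimsFromUserStore(authenticatedUser, clientId, spTenantDomain, localClaimUris);
        } catch (UserStoreException | IdentityApplicationManagementException | IdentityException
                 | OrganizationManagementException e) {
            String message = "Error occurred while getting claims for user: " + authenticatedUser + " from userstore.";
            if (!FrameworkUtils.isContinueOnClaimHandlingErrorAllowed()) {
                throw new IdentityOAuth2Exception(message, e);
            }
            // Framework config allows degrading: the token is issued without user claims instead of failing.
            log.error(message, e);
            return null;
        }
    }

    /**
     * Reads the given local claims for the user via the service provider registered for the client.
     *
     * @return the claims in the OIDC dialect, or an empty map when no service provider is found
     */
    private Map<String, Object> getUserClaimsFromUserStore(AuthenticatedUser authenticatedUser, String clientId,
                                                           String spTenantDomain, List<String> localClaimUris)
            throws IdentityApplicationManagementException, UserStoreException, OrganizationManagementException,
            IdentityException {

        ServiceProvider serviceProvider = getServiceProvider(spTenantDomain, clientId);
        if (serviceProvider == null) {
            log.warn("Unable to find a service provider associated with client_id: " + clientId
                    + " in tenantDomain: " + spTenantDomain + ". Returning empty claim map for user.");
            return new HashMap<>();
        }
        return OIDCClaimUtil.getUserClaimsInOIDCDialect(serviceProvider, authenticatedUser, localClaimUris);
    }

    /**
     * Fetches the OIDC-dialect to local-claim URI mapping for the tenant.
     *
     * @throws IdentityOAuth2Exception wrapping the underlying {@link ClaimMetadataException}
     */
    private Map<String, String> getOIDCToLocalClaimMappings(String tenantDomain) throws IdentityOAuth2Exception {

        try {
            // No claim-URI restriction is passed here, so the mapping for the whole dialect is requested
            // (null semantics per ClaimMetadataHandler — verify if the signature changes).
            return ClaimMetadataHandler.getInstance()
                    .getMappingsMapFromOtherDialectToCarbon(OIDC_DIALECT, (Set<String>) null, tenantDomain, false);
        } catch (ClaimMetadataException e) {
            throw new IdentityOAuth2Exception("Error occurred while retrieving OIDC to Local claim mappings.", e);
        }
    }

    /**
     * Merges user claims into the builder. Multi-valued attributes are split on the framework's
     * multi-attribute separator into a {@link JSONArray}; everything else is added as-is.
     *
     * <p>Claims already present in the builder are left untouched, so user-store data cannot
     * override values the issuer set earlier. Entries with a {@code null} value are skipped.</p>
     */
    private JWTClaimsSet setClaimsToJwtClaimSet(JWTClaimsSet.Builder builder, Map<String, Object> userClaims) {

        JWTClaimsSet existingClaims = builder.build();
        String separator = FrameworkUtils.getMultiAttributeSeparator();
        for (Map.Entry<String, Object> entry : userClaims.entrySet()) {
            String claimName = entry.getKey();
            Object claimValue = entry.getValue();
            if (claimValue == null || existingClaims.getClaim(claimName) != null) {
                continue;
            }
            String valueAsString = claimValue.toString();
            if (isMultiValuedAttribute(claimName, valueAsString, separator)) {
                builder.claim(claimName, splitMultiValuedAttribute(valueAsString, separator));
            } else {
                builder.claim(claimName, claimValue);
            }
        }
        return builder.build();
    }

    /** Splits a separator-joined attribute value into a JSON array, dropping blank segments. */
    private JSONArray splitMultiValuedAttribute(String value, String separator) {

        JSONArray values = new JSONArray();
        for (String segment : value.split(Pattern.quote(separator))) {
            if (StringUtils.isNotBlank(segment)) {
                values.add(segment);
            }
        }
        return values;
    }

    /**
     * Decides whether a claim should be emitted as an array.
     *
     * <p>{@code address} is always a single (structured) value and {@code groups} is always a list;
     * any other claim is multi-valued only if its string form contains the separator.</p>
     */
    private boolean isMultiValuedAttribute(String claimName, String value, String separator) {

        if (ADDRESS_CLAIM.equals(claimName)) {
            return false;
        }
        if (GROUPS_CLAIM.equals(claimName)) {
            return true;
        }
        return StringUtils.contains(value, separator);
    }

    /**
     * Returns the application's configured access-token claim names (never {@code null}).
     *
     * @throws IdentityOAuth2Exception when the client id does not resolve to an application
     */
    private List<String> getAccessTokenClaims(String clientId, String tenantDomain) throws IdentityOAuth2Exception {

        try {
            String[] configured = OAuth2Util.getAppInformationByClientId(clientId, tenantDomain).getAccessTokenClaims();
            return configured == null ? new ArrayList<>() : new ArrayList<>(Arrays.asList(configured));
        } catch (InvalidOAuthClientException e) {
            throw new IdentityOAuth2Exception("Error occurred while getting app information for client_id: " + clientId, e);
        }
    }

    /**
     * Runs the user claims through the highest-priority OIDC claim filter.
     *
     * <p>NOTE(review): the filter is handed every scope name registered for the tenant, not the
     * scopes granted to this particular token; confirm that is intended before relying on this step
     * for scope-based claim release.</p>
     */
    private Map<String, Object> handleClaimsFormat(Map<String, Object> userClaims, String clientId,
                                                   String tenantDomain) throws IdentityOAuth2Exception {

        return OpenIDConnectServiceComponentHolder.getInstance().getHighestPriorityOpenIDConnectClaimFilter()
                .getClaimsFilteredByOIDCScopes(userClaims,
                        OAuthTokenPersistenceFactory.getInstance().getScopeClaimMappingDAO()
                                .getScopeNames(IdentityTenantUtil.getTenantId(tenantDomain))
                                .toArray(new String[0]),
                        clientId, tenantDomain);
    }

    /**
     * Looks up the service provider registered under the OAuth2 inbound protocol for the client id.
     *
     * @return the service provider, excluding file-based SPs; may be {@code null} if none is registered
     */
    private ServiceProvider getServiceProvider(String tenantDomain, String clientId)
            throws IdentityApplicationManagementException {

        ApplicationManagementService appMgtService = OAuth2ServiceComponentHolder.getApplicationMgtService();
        String spName = appMgtService.getServiceProviderNameByClientId(clientId, OAUTH2, tenantDomain);
        if (log.isDebugEnabled()) {
            log.debug("Retrieving service provider for clientId: " + clientId + " in tenantDomain: " + tenantDomain);
        }
        return appMgtService.getApplicationExcludingFileBasedSPs(spName, tenantDomain);
    }

    /**
     * Resolves the service provider's tenant domain: the {@code tenantDomain} context property wins,
     * falling back to the tenant domain carried in the token request DTO.
     */
    private String getServiceProviderTenantDomain(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {

        String tenantDomain = (String) oAuthTokenReqMessageContext.getProperty(TENANT_DOMAIN_PROPERTY);
        if (tenantDomain == null) {
            tenantDomain = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain();
        }
        return tenantDomain;
    }
}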
