package org.wso2.carbon.identity.oauth2.token;

import org.apache.commons.lang.StringUtils;
import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.impersonation.models.ImpersonationContext;
import org.wso2.carbon.identity.oauth2.impersonation.models.ImpersonationRequestDTO;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.model.SubjectTokenDO;
import org.wso2.carbon.utils.DiagnosticLog;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/SubjectTokenIssuer.class */
public class SubjectTokenIssuer {
    private static final String OAUTH_APP_DO = "OAuthAppDO";

    public SubjectTokenDO issue(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws IdentityOAuth2Exception {
        ImpersonationContext validateImpersonationRequest = OAuth2ServiceComponentHolder.getInstance().getImpersonationMgtService().validateImpersonationRequest(buildImpersonationRequestDTO(oAuthAuthzReqMessageContext));
        if (!validateImpersonationRequest.isValidated()) {
            String str = "Impersonation request rejected for client : " + validateImpersonationRequest.getImpersonationRequestDTO().getClientId() + " impersonator : " + validateImpersonationRequest.getImpersonationRequestDTO().getImpersonator().getLoggableMaskedUserId() + " subject : " + validateImpersonationRequest.getImpersonationRequestDTO().getSubject();
            if (StringUtils.isNotBlank(validateImpersonationRequest.getValidationFailureErrorCode()) || StringUtils.isNotBlank(validateImpersonationRequest.getValidationFailureErrorMessage())) {
                throw new IdentityOAuth2Exception(validateImpersonationRequest.getValidationFailureErrorCode(), str + " Error Message : " + validateImpersonationRequest.getValidationFailureErrorMessage());
            }
            throw new IdentityOAuth2Exception(str);
        }
        OauthTokenIssuer oauthTokenIssuer = OAuthServerConfiguration.getInstance().getOauthTokenIssuerMap().get("JWT");
        SubjectTokenDO subjectTokenDO = new SubjectTokenDO();
        subjectTokenDO.setSubjectToken(oauthTokenIssuer.issueSubjectToken(oAuthAuthzReqMessageContext));
        OAuthAppDO oAuthAppDO = (OAuthAppDO) oAuthAuthzReqMessageContext.getProperty("OAuthAppDO");
        int subjectTokenExpiryTime = oAuthAppDO.getSubjectTokenExpiryTime() <= 0 ? 180 : oAuthAppDO.getSubjectTokenExpiryTime();
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = new DiagnosticLog.DiagnosticLogBuilder("oauth-inbound-service", "issue-subject-token");
            diagnosticLogBuilder.inputParam("client id", oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getConsumerKey()).inputParam("authorized scopes", oAuthAuthzReqMessageContext.getApprovedScope()).inputParam("response type", oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getResponseType()).inputParam("token expiry time (s)", Integer.valueOf(subjectTokenExpiryTime)).resultStatus(DiagnosticLog.ResultStatus.SUCCESS).resultMessage("Subject token issued for the application.").logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
            AuthenticatedUser user = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getUser();
            if (user != null) {
                try {
                    diagnosticLogBuilder.inputParam("user id", user.getUserId());
                } catch (UserIdNotFoundException e) {
                    if (StringUtils.isNotBlank(user.getAuthenticatedSubjectIdentifier())) {
                        diagnosticLogBuilder.inputParam("user", LoggerUtils.isLogMaskingEnable ? LoggerUtils.getMaskedContent(user.getAuthenticatedSubjectIdentifier()) : user.getAuthenticatedSubjectIdentifier());
                    }
                }
            }
            LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
        }
        return subjectTokenDO;
    }

    private ImpersonationRequestDTO buildImpersonationRequestDTO(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) {
        ImpersonationRequestDTO impersonationRequestDTO = new ImpersonationRequestDTO();
        impersonationRequestDTO.setoAuthAuthzReqMessageContext(oAuthAuthzReqMessageContext);
        impersonationRequestDTO.setSubject(oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getRequestedSubjectId());
        impersonationRequestDTO.setImpersonator(oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getUser());
        impersonationRequestDTO.setClientId(oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getConsumerKey());
        impersonationRequestDTO.setScopes(oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getScopes());
        impersonationRequestDTO.setTenantDomain(oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getTenantDomain());
        return impersonationRequestDTO;
    }
}
