package org.wso2.carbon.identity.oauth.action;

import com.nimbusds.jwt.JWTClaimsSet;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.action.execution.ActionExecutionRequestBuilder;
import org.wso2.carbon.identity.action.execution.exception.ActionExecutionRequestBuilderException;
import org.wso2.carbon.identity.action.execution.model.ActionExecutionRequest;
import org.wso2.carbon.identity.action.execution.model.ActionType;
import org.wso2.carbon.identity.action.execution.model.AllowedOperation;
import org.wso2.carbon.identity.action.execution.model.Event;
import org.wso2.carbon.identity.action.execution.model.Operation;
import org.wso2.carbon.identity.action.execution.model.Organization;
import org.wso2.carbon.identity.action.execution.model.Request;
import org.wso2.carbon.identity.action.execution.model.Tenant;
import org.wso2.carbon.identity.action.execution.model.User;
import org.wso2.carbon.identity.action.execution.model.UserStore;
import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.oauth.action.model.AccessToken;
import org.wso2.carbon.identity.oauth.action.model.PreIssueAccessTokenEvent;
import org.wso2.carbon.identity.oauth.action.model.TokenRequest;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.OAuth2Constants;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
import org.wso2.carbon.identity.oauth2.model.HttpRequestHeader;
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.openidconnect.OIDCClaimUtil;
import org.wso2.carbon.identity.openidconnect.util.ClaimHandlerUtil;
import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;

/* loaded from: input_file:org/wso2/carbon/identity/oauth/action/PreIssueAccessTokenRequestBuilder.class */
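/**
 * Builds the {@link ActionExecutionRequest} that is handed to a pre-issue-access-token action.
 * <p>
 * The request carries an event describing the token about to be issued (tenant, authorized user,
 * organization, user store, the access token's claims and scopes, and the inbound token request)
 * together with the set of operations the action is allowed to perform on that token.
 * <p>
 * The instance holds no state, so it is safe to share across threads.
 */
public class PreIssueAccessTokenRequestBuilder implements ActionExecutionRequestBuilder {

    /** Path prefix under which individual access-token claims are addressed by allowed operations. */
    public static final String CLAIMS_PATH_PREFIX = "/accessToken/claims/";
    /** Path prefix under which access-token scopes are addressed by allowed operations. */
    public static final String SCOPES_PATH_PREFIX = "/accessToken/scopes/";
    private static final Log LOG = LogFactory.getLog(PreIssueAccessTokenRequestBuilder.class);

    /** Key under which the caller places the {@link OAuthTokenReqMessageContext} in the event context map. */
    private static final String TOKEN_MESSAGE_CONTEXT_KEY = "tokenMessageContext";

    @Override
    public ActionType getSupportedActionType() {

        return ActionType.PRE_ISSUE_ACCESS_TOKEN;
    }

    /**
     * Builds the action execution request for the token issuance described by {@code map}.
     *
     * @param map event context; must hold the {@link OAuthTokenReqMessageContext} under
     *            {@code "tokenMessageContext"}.
     * @return the request containing the pre-issue-access-token event and its allowed operations.
     * @throws ActionExecutionRequestBuilderException if the context is missing or any of the token
     *                                                details (app, issuer, claims, grant handler)
     *                                                cannot be resolved.
     */
    @Override
    public ActionExecutionRequest buildActionExecutionRequest(Map<String, Object> map)
            throws ActionExecutionRequestBuilderException {

        Object contextValue = map.get(TOKEN_MESSAGE_CONTEXT_KEY);
        // Fail with a meaningful exception instead of an NPE deep inside the event assembly.
        if (!(contextValue instanceof OAuthTokenReqMessageContext)) {
            throw new ActionExecutionRequestBuilderException(
                    "Token message context is missing from the event context under key: " + TOKEN_MESSAGE_CONTEXT_KEY);
        }
        OAuthTokenReqMessageContext tokenContext = (OAuthTokenReqMessageContext) contextValue;
        Map<String, Object> additionalClaims = getAdditionalClaimsToAddToToken(tokenContext);

        ActionExecutionRequest.Builder requestBuilder = new ActionExecutionRequest.Builder();
        requestBuilder.actionType(getSupportedActionType());
        requestBuilder.event(getEvent(tokenContext, additionalClaims));
        requestBuilder.allowedOperations(getAllowedOperations(additionalClaims));
        return requestBuilder.build();
    }

    /**
     * Assembles the pre-issue-access-token event from the token request context.
     *
     * @param tokenContext     token request message context.
     * @param additionalClaims custom claims the token will carry in addition to the standard ones.
     * @return the populated event.
     * @throws ActionExecutionRequestBuilderException if the grant handler or access token details
     *                                                cannot be resolved.
     */
    private Event getEvent(OAuthTokenReqMessageContext tokenContext, Map<String, Object> additionalClaims)
            throws ActionExecutionRequestBuilderException {

        OAuth2AccessTokenReqDTO tokenReqDTO = tokenContext.getOauth2AccessTokenReqDTO();
        AuthenticatedUser authorizedUser = tokenContext.getAuthorizedUser();
        String tenantDomain = tokenReqDTO.getTenantDomain();
        String clientId = tokenReqDTO.getClientId();
        String grantType = tokenReqDTO.getGrantType();

        PreIssueAccessTokenEvent.Builder eventBuilder = new PreIssueAccessTokenEvent.Builder();
        eventBuilder.tenant(new Tenant(String.valueOf(IdentityTenantUtil.getTenantId(tenantDomain)), tenantDomain));

        // User, organization and user store are only attached when the grant handler reports the
        // token as belonging to an end user; application-only tokens carry none of them.
        if (isAccessTokenAuthorizedForUser(grantType, tokenContext)) {
            setUserForEventBuilder(eventBuilder, authorizedUser, clientId, grantType);
            setOrganizationForEventBuilder(eventBuilder, authorizedUser, clientId, grantType);
            eventBuilder.userStore(new UserStore(authorizedUser.getUserStoreDomain()));
        }
        eventBuilder.accessToken(getAccessToken(tokenContext, additionalClaims));
        eventBuilder.request(getRequest(tokenReqDTO));
        return eventBuilder.build();
    }

    /**
     * Sets the event's user from the authenticated user's id. A missing user id is logged at debug
     * level and the event is left without a user (best-effort, as before).
     *
     * @param eventBuilder      event builder to populate.
     * @param authenticatedUser authorized user of the token request.
     * @param clientId          requesting application's client id (for log context only).
     * @param grantType         grant type of the request (for log context only).
     */
    private void setUserForEventBuilder(PreIssueAccessTokenEvent.Builder eventBuilder,
                                        AuthenticatedUser authenticatedUser, String clientId, String grantType) {

        try {
            eventBuilder.user(new User(authenticatedUser.getUserId()));
        } catch (UserIdNotFoundException e) {
            if (LOG.isDebugEnabled()) {
                // Client id and grant type come from the request; pass them as format arguments so a
                // '%' in either cannot break String.format, which the old concatenated format string allowed.
                LOG.debug(String.format(
                        "Error occurred while retrieving user id of the authorized user for application: %s for grantType: %s",
                        clientId, grantType), e);
            }
        }
    }

    /**
     * Sets the event's organization when the authenticated user has a resident organization.
     * Failure to resolve the organization name is logged at debug level and leaves the event
     * without an organization (best-effort, as before).
     *
     * @param eventBuilder      event builder to populate.
     * @param authenticatedUser authorized user of the token request.
     * @param clientId          requesting application's client id (for log context only).
     * @param grantType         grant type of the request (for log context only).
     */
    private void setOrganizationForEventBuilder(PreIssueAccessTokenEvent.Builder eventBuilder,
                                                AuthenticatedUser authenticatedUser, String clientId,
                                                String grantType) {

        try {
            String residentOrgId = authenticatedUser.getUserResidentOrganization();
            if (residentOrgId != null && !residentOrgId.isEmpty()) {
                String residentOrgName = OAuthComponentServiceHolder.getInstance().getOrganizationManager()
                        .getOrganizationNameById(residentOrgId);
                eventBuilder.organization(new Organization(residentOrgId, residentOrgName));
            }
        } catch (OrganizationManagementException e) {
            if (LOG.isDebugEnabled()) {
                // Same reasoning as in setUserForEventBuilder: request-supplied values go in as arguments.
                LOG.debug(String.format(
                        "Error occurred while retrieving organization name of the authorized user for application: %s for grantType: %s",
                        clientId, grantType), e);
            }
        }
    }

    /**
     * Builds the event's view of the inbound token request: client id, grant type, requested scopes
     * and every HTTP header and request parameter that was received.
     *
     * @param tokenReqDTO inbound token request.
     * @return the request model handed to the action.
     */
    private Request getRequest(OAuth2AccessTokenReqDTO tokenReqDTO) {

        TokenRequest.Builder requestBuilder = new TokenRequest.Builder();
        requestBuilder.clientId(tokenReqDTO.getClientId());
        requestBuilder.grantType(tokenReqDTO.getGrantType());
        requestBuilder.scopes(toScopeList(tokenReqDTO.getScope()));

        // NOTE(review): all headers and parameters are copied verbatim, which may include
        // credential-bearing ones (e.g. an Authorization header or client_secret parameter).
        // Confirm that the action execution layer redacts these before they leave the server.
        HttpRequestHeader[] headers = tokenReqDTO.getHttpRequestHeaders();
        if (headers != null) {
            for (HttpRequestHeader header : headers) {
                requestBuilder.addAdditionalHeader(header.getName(), header.getValue());
            }
        }
        RequestParameter[] parameters = tokenReqDTO.getRequestParameters();
        if (parameters != null) {
            for (RequestParameter parameter : parameters) {
                requestBuilder.addAdditionalParam(parameter.getKey(), parameter.getValue());
            }
        }
        return requestBuilder.build();
    }

    /**
     * Converts a scope array to a list, treating a missing array as "no scopes" instead of failing.
     *
     * @param scopes scope array from the request or context; may be {@code null}.
     * @return a list view of the scopes, empty when {@code scopes} is {@code null}.
     */
    private static List<String> toScopeList(String[] scopes) {

        return scopes == null ? new ArrayList<>() : Arrays.asList(scopes);
    }

    /**
     * Asks the registered grant handler whether the token being issued is bound to an end user
     * (as opposed to the application itself).
     *
     * @param grantType    grant type of the request.
     * @param tokenContext token request message context.
     * @return {@code true} if the token is authorized for a user.
     * @throws ActionExecutionRequestBuilderException if the grant handler cannot decide.
     * @throws NullPointerException                   if no handler is registered for {@code grantType};
     *                                                the message names the grant type.
     */
    private boolean isAccessTokenAuthorizedForUser(String grantType, OAuthTokenReqMessageContext tokenContext)
            throws ActionExecutionRequestBuilderException {

        try {
            // Grant types are validated earlier in the token flow, but a missing handler should still
            // fail with a message naming the grant type rather than a bare NPE.
            return Objects.requireNonNull(
                    OAuthServerConfiguration.getInstance().getSupportedGrantTypes().get(grantType),
                    "No grant handler is registered for grant type: " + grantType)
                    .isOfTypeApplicationUser(tokenContext);
        } catch (IdentityOAuth2Exception e) {
            throw new ActionExecutionRequestBuilderException(
                    "Failed to determine the authorized entity of the token for grant type: " + grantType, e);
        }
    }

    /**
     * Builds the access token model (type, standard claims, subject, token-binding claims, custom
     * claims and scopes) that the action may inspect and modify.
     *
     * @param tokenContext     token request message context.
     * @param additionalClaims custom claims to add on top of the standard ones.
     * @return the access token model.
     * @throws ActionExecutionRequestBuilderException if the application, issuer or subject cannot be resolved.
     */
    private AccessToken getAccessToken(OAuthTokenReqMessageContext tokenContext, Map<String, Object> additionalClaims)
            throws ActionExecutionRequestBuilderException {

        try {
            OAuthAppDO appInfo = getAppInformation(tokenContext);
            String issuer = getIssuer(tokenContext);
            List<String> audience = getAudience(tokenContext, appInfo);

            AccessToken.Builder tokenBuilder = new AccessToken.Builder();
            handleStandardClaims(tokenContext, appInfo.getTokenType(), issuer, audience, tokenBuilder);
            handleSubjectClaim(tokenContext.getAuthorizedUser(), appInfo, tokenBuilder);
            handleTokenBindingClaims(tokenContext, tokenBuilder);
            additionalClaims.forEach(tokenBuilder::addClaim);
            return tokenBuilder.build();
        } catch (IdentityOAuth2Exception | InvalidOAuthClientException e) {
            OAuth2AccessTokenReqDTO tokenReqDTO = tokenContext.getOauth2AccessTokenReqDTO();
            throw new ActionExecutionRequestBuilderException(
                    "Failed to generate pre issue access token action request for application: "
                            + tokenReqDTO.getClientId() + " grant type: " + tokenReqDTO.getGrantType(), e);
        }
    }

    /**
     * Looks up the OAuth application for the request's client id in the request's tenant.
     *
     * @param tokenContext token request message context.
     * @return the application record.
     * @throws InvalidOAuthClientException if no such client exists.
     * @throws IdentityOAuth2Exception     on lookup failure.
     */
    private OAuthAppDO getAppInformation(OAuthTokenReqMessageContext tokenContext)
            throws InvalidOAuthClientException, IdentityOAuth2Exception {

        OAuth2AccessTokenReqDTO tokenReqDTO = tokenContext.getOauth2AccessTokenReqDTO();
        return OAuth2Util.getAppInformationByClientId(tokenReqDTO.getClientId(), tokenReqDTO.getTenantDomain());
    }

    /**
     * Resolves the issuer ({@code iss}) for the request's tenant; the same issuer used for ID tokens.
     *
     * @param tokenContext token request message context.
     * @return the issuer identifier.
     * @throws IdentityOAuth2Exception if the issuer cannot be resolved.
     */
    private String getIssuer(OAuthTokenReqMessageContext tokenContext) throws IdentityOAuth2Exception {

        return OAuth2Util.getIdTokenIssuer(tokenContext.getOauth2AccessTokenReqDTO().getTenantDomain());
    }

    /**
     * Resolves the token audience. Once pre-issue actions have already run, the audiences stored on
     * the context (possibly modified by an action) are authoritative; otherwise the application's
     * configured OIDC audience is used.
     *
     * @param tokenContext token request message context.
     * @param appInfo      application record.
     * @return the audience list.
     */
    private List<String> getAudience(OAuthTokenReqMessageContext tokenContext, OAuthAppDO appInfo) {

        if (tokenContext.isPreIssueAccessTokenActionsExecuted()) {
            return tokenContext.getAudiences();
        }
        return OAuth2Util.getOIDCAudience(appInfo.getOauthConsumerKey(), appInfo);
    }

    /**
     * Adds the token type, the standard claims (iss, client_id, authorized user type, expires_in,
     * aud) and the granted scopes to the token builder.
     *
     * @param tokenContext token request message context.
     * @param tokenType    application's configured token type.
     * @param issuer       issuer identifier.
     * @param audience     audience list.
     * @param tokenBuilder builder to populate.
     */
    private void handleStandardClaims(OAuthTokenReqMessageContext tokenContext, String tokenType, String issuer,
                                      List<String> audience, AccessToken.Builder tokenBuilder) {

        String clientId = tokenContext.getOauth2AccessTokenReqDTO().getClientId();
        // Validity period is held in milliseconds on the context; expires_in is expressed in seconds.
        long expiresInSeconds = tokenContext.getValidityPeriod() / 1000;
        tokenBuilder.tokenType(tokenType)
                .addClaim(AccessToken.ClaimNames.ISS.getName(), issuer)
                .addClaim(AccessToken.ClaimNames.CLIENT_ID.getName(), clientId)
                .addClaim(AccessToken.ClaimNames.AUTHORIZED_USER_TYPE.getName(),
                        String.valueOf(tokenContext.getProperty(OAuth2Constants.OAuthColumnName.USER_TYPE)))
                .addClaim(AccessToken.ClaimNames.EXPIRES_IN.getName(), Long.valueOf(expiresInSeconds))
                .addClaim(AccessToken.ClaimNames.AUD.getName(), audience)
                .scopes(toScopeList(tokenContext.getScope()));
    }

    /**
     * Adds the {@code sub} claim, applying the pairwise subject identifier (and {@code subject_type})
     * when pairwise subjects are enabled for access tokens.
     *
     * @param authenticatedUser authorized user of the token request.
     * @param appInfo           application record.
     * @param tokenBuilder      builder to populate.
     * @throws IdentityOAuth2Exception if the pairwise subject cannot be derived.
     */
    private void handleSubjectClaim(AuthenticatedUser authenticatedUser, OAuthAppDO appInfo,
                                    AccessToken.Builder tokenBuilder) throws IdentityOAuth2Exception {

        String subject = authenticatedUser.getAuthenticatedSubjectIdentifier();
        if (OAuth2Util.isPairwiseSubEnabledForAccessTokens()) {
            subject = OIDCClaimUtil.getSubjectClaim(subject, appInfo);
            tokenBuilder.addClaim(AccessToken.ClaimNames.SUBJECT_TYPE.getName(),
                    OIDCClaimUtil.getSubjectType(appInfo).getValue());
        }
        tokenBuilder.addClaim(AccessToken.ClaimNames.SUB.getName(), subject);
    }

    /**
     * Returns the custom claims the token will carry. After pre-issue actions have executed, the
     * claims stored on the context are used; otherwise they are computed by the application's
     * custom-claims callback handler.
     *
     * @param tokenContext token request message context.
     * @return custom claims keyed by claim name; never {@code null}.
     * @throws ActionExecutionRequestBuilderException if the application or its claim set cannot be resolved.
     */
    private Map<String, Object> getAdditionalClaimsToAddToToken(OAuthTokenReqMessageContext tokenContext)
            throws ActionExecutionRequestBuilderException {

        if (tokenContext.isPreIssueAccessTokenActionsExecuted()) {
            Map<String, Object> storedClaims = tokenContext.getAdditionalAccessTokenClaims();
            // Callers iterate over the result, so never hand back null.
            return storedClaims != null ? storedClaims : new HashMap<>();
        }
        try {
            JWTClaimsSet customClaims = ClaimHandlerUtil.getClaimsCallbackHandler(getAppInformation(tokenContext))
                    .handleCustomClaims(new JWTClaimsSet.Builder(), tokenContext);
            return Optional.ofNullable(customClaims)
                    .map(JWTClaimsSet::getClaims)
                    .orElseGet(HashMap::new);
        } catch (IdentityOAuth2Exception | InvalidOAuthClientException e) {
            throw new ActionExecutionRequestBuilderException(
                    "Failed to retrieve OIDC claim set for the access token for grant type: "
                            + tokenContext.getOauth2AccessTokenReqDTO().getGrantType(), e);
        }
    }

    /**
     * Adds the token-binding reference and type claims when the request carries a token binding.
     *
     * @param tokenContext token request message context.
     * @param tokenBuilder builder to populate.
     */
    private void handleTokenBindingClaims(OAuthTokenReqMessageContext tokenContext, AccessToken.Builder tokenBuilder) {

        if (tokenContext.getTokenBinding() == null) {
            return;
        }
        tokenBuilder.addClaim(AccessToken.ClaimNames.TOKEN_BINDING_REF.getName(),
                        tokenContext.getTokenBinding().getBindingReference())
                .addClaim(AccessToken.ClaimNames.TOKEN_BINDING_TYPE.getName(),
                        tokenContext.getTokenBinding().getBindingType());
    }

    /**
     * Computes the operations an action may perform on the token.
     * <ul>
     *   <li>ADD: any claim, any scope, and entries of the {@code aud} claim.</li>
     *   <li>REMOVE: the custom claims of supported types, scopes, and {@code aud} entries.</li>
     *   <li>REPLACE: everything removable plus {@code expires_in}.</li>
     * </ul>
     *
     * @param map custom claims keyed by claim name.
     * @return the allowed operations, in the order ADD, REMOVE, REPLACE.
     */
    public List<AllowedOperation> getAllowedOperations(Map<String, Object> map) {

        List<String> removeOrReplacePaths = getRemoveOrReplacePaths(map);
        List<String> replacePaths = new ArrayList<>(removeOrReplacePaths);
        // Expiry may be adjusted but never dropped, so it is only on the REPLACE list.
        replacePaths.add(CLAIMS_PATH_PREFIX + AccessToken.ClaimNames.EXPIRES_IN.getName());

        List<String> addPaths = Arrays.asList(CLAIMS_PATH_PREFIX, SCOPES_PATH_PREFIX,
                CLAIMS_PATH_PREFIX + AccessToken.ClaimNames.AUD.getName() + "/");
        return Arrays.asList(
                createAllowedOperation(Operation.ADD, addPaths),
                createAllowedOperation(Operation.REMOVE, removeOrReplacePaths),
                createAllowedOperation(Operation.REPLACE, replacePaths));
    }

    /**
     * Lists the paths that may be removed or replaced: every custom claim whose value is a string,
     * number, boolean, list or string array, plus the scopes and {@code aud} entries.
     *
     * @param customClaims custom claims keyed by claim name.
     * @return a mutable list of paths.
     */
    private List<String> getRemoveOrReplacePaths(Map<String, Object> customClaims) {

        // toCollection(ArrayList::new) guarantees a mutable list; Collectors.toList() does not.
        List<String> paths = customClaims.entrySet().stream()
                .filter(entry -> isModifiableClaimValue(entry.getValue()))
                .map(this::generatePathForClaim)
                .collect(Collectors.toCollection(ArrayList::new));
        paths.add(SCOPES_PATH_PREFIX);
        paths.add(CLAIMS_PATH_PREFIX + AccessToken.ClaimNames.AUD.getName() + "/");
        return paths;
    }

    /**
     * Tells whether a claim value is of a type an action is allowed to remove or replace.
     *
     * @param value claim value.
     * @return {@code true} for strings, numbers, booleans, lists and string arrays.
     */
    private static boolean isModifiableClaimValue(Object value) {

        return value instanceof String
                || value instanceof Number
                || value instanceof Boolean
                || value instanceof List
                || value instanceof String[];
    }

    /**
     * Builds the operation path for a custom claim; multi-valued claims get a trailing slash so
     * that individual entries can be addressed.
     *
     * @param entry claim name and value.
     * @return the claim's path under {@link #CLAIMS_PATH_PREFIX}.
     */
    private String generatePathForClaim(Map.Entry<String, Object> entry) {

        // NOTE(review): the claim name is spliced in unescaped; a name containing '/' would yield an
        // ambiguous path. Confirm how the action side parses these paths before relying on that.
        Object value = entry.getValue();
        boolean multiValued = value instanceof List || value instanceof String[];
        return CLAIMS_PATH_PREFIX + entry.getKey() + (multiValued ? "/" : "");
    }

    /**
     * Creates an allowed operation over a private copy of the given paths.
     *
     * @param operation operation kind.
     * @param paths     paths the operation applies to.
     * @return the allowed operation.
     */
    private AllowedOperation createAllowedOperation(Operation operation, List<String> paths) {

        AllowedOperation allowedOperation = new AllowedOperation();
        allowedOperation.setOp(operation);
        allowedOperation.setPaths(new ArrayList<>(paths));
        return allowedOperation;
    }
}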
