package org.wso2.carbon.identity.oauth2.validators.scope;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.axis2.util.JavaUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.saml.saml2.core.Assertion;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.PermissionsAndRoleConfig;
import org.wso2.carbon.identity.application.common.model.RoleMapping;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.OAuthUtil;
import org.wso2.carbon.identity.oauth.cache.CacheEntry;
import org.wso2.carbon.identity.oauth.cache.OAuthCache;
import org.wso2.carbon.identity.oauth.cache.OAuthCacheKey;
import org.wso2.carbon.identity.oauth.callback.OAuthCallback;
import org.wso2.carbon.identity.oauth.common.GrantType;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.OAuth2Constants;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
import org.wso2.carbon.identity.oauth2.device.constants.Constants;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationRequestDTO;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.model.ResourceScopeCacheEntry;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oauth2.validators.OAuth2TokenValidationMessageContext;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.UserCoreConstants;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/validators/scope/RoleBasedScopeIssuer.class */
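/**
 * Role based scope issuer and validator.
 *
 * <p>In the authorization, token and token-validation flows the requested scopes are
 * reduced to the ones the authorized user is entitled to. Entitlement is decided from the
 * user's roles and from the application's scope-to-role bindings, which are read through
 * {@code getAppScopes}, {@code isAppScopesEmpty} and {@code getAllowedScopes} inherited
 * from {@link AbstractRoleBasedScopeIssuer} (their implementations are not in this file).
 * Scopes that carry one of the APIM product REST API prefixes are passed through untouched.
 *
 * <p>The whole feature is switched on by
 * {@link OAuthServerConfiguration#isRoleBasedScopeIssuerEnabled()}; while it is off every
 * {@code validateScope} method returns {@code true} without touching the message context.
 *
 * <p>Roles are taken from the user store, from a SAML2 assertion or from the role claim of a
 * JWT bearer assertion, depending on the grant type and on the system properties
 * {@link #CHECK_ROLES_FROM_SAML_ASSERTION} and
 * {@link #RETRIEVE_ROLES_FROM_USERSTORE_FOR_SCOPE_VALIDATION}.
 *
 * <p>Instances keep no per-request state, so one validator can serve concurrent requests.
 */
public class RoleBasedScopeIssuer extends AbstractRoleBasedScopeIssuer implements ScopeValidator {

    private static final Log log = LogFactory.getLog(RoleBasedScopeIssuer.class);

    /** Key of the token-validation context parameter that names the accessed resource. */
    private static final String RESOURCE = "resource";
    private static final String DEFAULT_SCOPE_NAME = "default";
    /** System property; when explicitly true, role names are matched case-sensitively. */
    private static final String PRESERVED_CASE_SENSITIVE_VARIABLE = "preservedCaseSensitive";
    /** Message-context property under which the validated {@link AccessTokenDO} is expected. */
    private static final String ACCESS_TOKEN_DO = "AccessTokenDO";
    /** System property; when true, roles of a SAML2 bearer grant are read from the assertion. */
    public static final String CHECK_ROLES_FROM_SAML_ASSERTION = "checkRolesFromSamlAssertion";
    /** System property; when true, roles of federated users are read from the user store. */
    public static final String RETRIEVE_ROLES_FROM_USERSTORE_FOR_SCOPE_VALIDATION =
            "retrieveRolesFromUserStoreForScopeValidation";
    private static final String SCOPE_VALIDATOR_NAME = "Role based scope validator";
    private static final String ISSUER_PREFIX = "default";
    private static final String REFRESH_TOKEN_GRANT_TYPE = "refresh_token";
    /** Grant type URI of the JWT bearer grant. */
    private static final String JWT_BEARER_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";
    /** User store domain assigned to a user whose roles come from a SAML2 assertion. */
    private static final String FEDERATED_USER_STORE_DOMAIN = "FEDERATED";
    /** Name of the local identity provider; its role claim values are used as-is. */
    private static final String LOCAL_IDP_NAME = "LOCAL";
    /** IdP metadata property that is matched against the JWT issuer. */
    private static final String IDP_ISSUER_NAME_PROPERTY = "idpIssuerName";
    /** Federated authenticator of the resident IdP whose entity id is compared with the JWT issuer. */
    private static final String OIDC_AUTHENTICATOR_NAME = "openidconnect";
    /** Token type name passed to {@link IdentityUtil#isTokenLoggable(String)} before logging a token. */
    private static final String ACCESS_TOKEN_TYPE = "AccessToken";

    OAuthServerConfiguration oAuthServerConfiguration = OAuthServerConfiguration.getInstance();

    /**
     * Replaces the approved scopes of an authorization request by the ones the user is
     * entitled to (see {@link #getScopes(OAuthAuthzReqMessageContext)}).
     *
     * @param oAuthAuthzReqMessageContext authorization request context to update
     * @return always {@code true}; the decision is expressed through the approved scope
     * @throws IdentityOAuth2Exception declared by the interface, not thrown here
     */
    @Override
    public boolean validateScope(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext)
            throws IdentityOAuth2Exception {
        if (!isRoleBasedScopeIssuerEnabled()) {
            return true;
        }
        List<String> issuedScopes = getScopes(oAuthAuthzReqMessageContext);
        oAuthAuthzReqMessageContext.setApprovedScope(issuedScopes.toArray(new String[0]));
        return true;
    }

    /**
     * Replaces the requested scopes of a token request by the ones the user is entitled to
     * (see {@link #getScopes(OAuthTokenReqMessageContext)}). A refresh-token request of a
     * federated user is left untouched.
     *
     * @param oAuthTokenReqMessageContext token request context to update
     * @return always {@code true}; the decision is expressed through the scope
     * @throws IdentityOAuth2Exception declared by the interface, not thrown here
     */
    @Override
    public boolean validateScope(OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws IdentityOAuth2Exception {
        if (!isRoleBasedScopeIssuerEnabled()) {
            return true;
        }
        String grantType = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getGrantType();
        boolean isRefreshGrant = REFRESH_TOKEN_GRANT_TYPE.equals(grantType);
        boolean isFederatedUser = oAuthTokenReqMessageContext.getAuthorizedUser().isFederatedUser();
        if (isRefreshGrant && isFederatedUser) {
            return true;
        }
        List<String> issuedScopes = getScopes(oAuthTokenReqMessageContext);
        oAuthTokenReqMessageContext.setScope(issuedScopes.toArray(new String[0]));
        return true;
    }

    /**
     * Checks, during token validation, that the access token bears the scope protecting the
     * requested resource and that the token's user holds a role entitling it to that scope.
     *
     * <p>Returns {@code true} without any check when the feature is disabled, when no
     * resource is named in the request, when the token has no scopes, when the resource is
     * not protected by a scope, or when the user is federated and role checks for federated
     * users are not routed through the user store. Returns {@code false} when the
     * {@code AccessTokenDO} is missing, when the token does not carry the resource's scope,
     * when the application's scope bindings cannot be loaded, or when the user has no roles.
     * On success the response's scope is narrowed to the authorized scopes.
     *
     * @param oAuth2TokenValidationMessageContext validation context; must carry the
     *                                            {@code AccessTokenDO} property
     * @return whether the token is acceptable for the named resource
     * @throws IdentityOAuth2Exception if the resource's scope cannot be resolved
     */
    @Override
    public boolean validateScope(OAuth2TokenValidationMessageContext oAuth2TokenValidationMessageContext)
            throws IdentityOAuth2Exception {
        if (!isRoleBasedScopeIssuerEnabled()) {
            return true;
        }
        AccessTokenDO accessTokenDO =
                (AccessTokenDO) oAuth2TokenValidationMessageContext.getProperty(ACCESS_TOKEN_DO);
        if (accessTokenDO == null) {
            return false;
        }
        String resource = getResourceFromMessageContext(oAuth2TokenValidationMessageContext);
        String[] tokenScopeArray = accessTokenDO.getScope();
        if (resource == null || ArrayUtils.isEmpty(tokenScopeArray)) {
            // Nothing to compare: no resource named, or a token without scopes.
            return true;
        }
        String resourceScope = resolveResourceScope(resource).getScope();
        if (resourceScope == null) {
            if (log.isDebugEnabled()) {
                log.debug("Resource '" + resource + "' is not protected with a scope");
            }
            return true;
        }
        List<String> tokenScopes = Arrays.asList(tokenScopeArray);
        if (!tokenScopes.contains(resourceScope)) {
            // The raw token is only written to the log when token logging is enabled.
            if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable(ACCESS_TOKEN_TYPE)) {
                log.debug("Access token '" + accessTokenDO.getAccessToken()
                        + "' does not bear the scope '" + resourceScope + "'");
            }
            return false;
        }
        if (accessTokenDO.getAuthzUser().isFederatedUser() && !federatedRolesComeFromUserStore()) {
            return true;
        }
        AuthenticatedUser authenticatedUser = OAuthUtil.getAuthenticatedUser(
                oAuth2TokenValidationMessageContext.getResponseDTO().getAuthorizedUser());
        String consumerKey = accessTokenDO.getConsumerKey();
        // Stays null when the app's scope bindings cannot be loaded, which fails the check below.
        String[] userRoles = null;
        Map<String, String> appScopes = getAppScopes(consumerKey, authenticatedUser, tokenScopes);
        if (appScopes != null) {
            if (isAppScopesEmpty(appScopes, consumerKey)) {
                List<String> allowedScopes = getAllowedScopes(tokenScopes);
                oAuth2TokenValidationMessageContext.getResponseDTO()
                        .setScope(allowedScopes.toArray(new String[0]));
                return true;
            }
            userRoles = getUserRoles(authenticatedUser, null);
            List<String> authorizedScopes = getAuthorizedScopes(userRoles, tokenScopes, appScopes);
            oAuth2TokenValidationMessageContext.getResponseDTO()
                    .setScope(authorizedScopes.toArray(new String[0]));
        }
        if (ArrayUtils.isEmpty(userRoles)) {
            if (log.isDebugEnabled()) {
                log.debug("No roles associated for the user " + authenticatedUser.getUserName());
            }
            return false;
        }
        return true;
    }

    @Override
    public String getName() {
        return SCOPE_VALIDATOR_NAME;
    }

    @Override
    public String getPrefix() {
        return OAuth2Constants.RoleBasedScope.OAUTH2_DEFAULT_SCOPE;
    }

    /** Reads the feature switch from the server configuration. */
    private static boolean isRoleBasedScopeIssuerEnabled() {
        return OAuthServerConfiguration.getInstance().isRoleBasedScopeIssuerEnabled();
    }

    /**
     * Whether the roles of a federated user are to be fetched from the user store for the
     * validation flow: only when {@link #RETRIEVE_ROLES_FROM_USERSTORE_FOR_SCOPE_VALIDATION}
     * is set and {@link #CHECK_ROLES_FROM_SAML_ASSERTION} is not.
     */
    private static boolean federatedRolesComeFromUserStore() {
        boolean rolesFromSamlAssertion =
                Boolean.parseBoolean(System.getProperty(CHECK_ROLES_FROM_SAML_ASSERTION));
        boolean rolesFromUserStore =
                Boolean.parseBoolean(System.getProperty(RETRIEVE_ROLES_FROM_USERSTORE_FOR_SCOPE_VALIDATION));
        return rolesFromUserStore && !rolesFromSamlAssertion;
    }

    /**
     * Resolves the scope (and tenant) protecting {@code resource}, from the OAuth cache first
     * and from the token-management DAO otherwise. A DAO result is cached even when the DAO
     * finds nothing (scope {@code null}, tenant id {@code -1}), so an unprotected resource is
     * not queried again.
     *
     * @param resource resource identifier from the validation request
     * @return the cache entry; its scope is {@code null} for an unprotected resource
     * @throws IdentityOAuth2Exception if the DAO lookup fails
     */
    private ResourceScopeCacheEntry resolveResourceScope(String resource) throws IdentityOAuth2Exception {
        OAuthCacheKey cacheKey = new OAuthCacheKey(resource);
        CacheEntry cached = (CacheEntry) OAuthCache.getInstance().getValueFromCache(cacheKey);
        if (cached instanceof ResourceScopeCacheEntry) {
            return (ResourceScopeCacheEntry) cached;
        }
        String scope = null;
        int tenantId = -1;
        Pair<String, Integer> tenantAndScope = OAuthTokenPersistenceFactory.getInstance()
                .getTokenManagementDAO().findTenantAndScopeOfResource(resource);
        if (tenantAndScope != null) {
            scope = tenantAndScope.getLeft();
            tenantId = tenantAndScope.getRight().intValue();
        }
        ResourceScopeCacheEntry entry = new ResourceScopeCacheEntry(scope);
        entry.setTenantId(tenantId);
        OAuthCache.getInstance().addToCache(cacheKey, entry);
        return entry;
    }

    /**
     * Returns the value of the {@code resource} context parameter of the validation request,
     * or {@code null} when the request carries no context or no such parameter.
     */
    private String getResourceFromMessageContext(
            OAuth2TokenValidationMessageContext oAuth2TokenValidationMessageContext) {
        OAuth2TokenValidationRequestDTO.TokenValidationContextParam[] contextParams =
                oAuth2TokenValidationMessageContext.getRequestDTO().getContext();
        if (contextParams == null) {
            return null;
        }
        for (OAuth2TokenValidationRequestDTO.TokenValidationContextParam param : contextParams) {
            if (param != null && RESOURCE.equals(param.getKey())) {
                return param.getValue();
            }
        }
        return null;
    }

    /**
     * Computes the scopes to approve for an authorization request.
     *
     * <p>Product REST API scopes are issued as requested. The remaining approved scopes are
     * filtered against the user's roles; when the application has no scope bindings they are
     * reduced with {@code getAllowedScopes} instead. When the request carries no approved
     * scope at all, or the application's bindings cannot be loaded, only the product REST API
     * scopes (possibly none) are returned.
     *
     * @param oAuthAuthzReqMessageContext authorization request context
     * @return the scopes to approve, never {@code null}
     */
    public List<String> getScopes(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) {
        String[] approvedScope = oAuthAuthzReqMessageContext.getApprovedScope();
        if (approvedScope == null) {
            // Without an approved scope there is nothing to authorize; the previous
            // implementation fell through to a null scope list here.
            return new ArrayList<>();
        }
        List<String> requestedScopes = new ArrayList<>(Arrays.asList(approvedScope));
        List<String> issuedScopes = extractProductRestApiScopes(requestedScopes);
        if (requestedScopes.isEmpty()) {
            return issuedScopes;
        }
        String consumerKey = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getConsumerKey();
        AuthenticatedUser user = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getUser();
        Map<String, String> appScopes = getAppScopes(consumerKey, user, requestedScopes);
        if (appScopes == null) {
            return issuedScopes;
        }
        if (isAppScopesEmpty(appScopes, consumerKey)) {
            issuedScopes.addAll(getAllowedScopes(requestedScopes));
            return issuedScopes;
        }
        issuedScopes.addAll(getAuthorizedScopes(getUserRoles(user, null), requestedScopes, appScopes));
        return issuedScopes;
    }

    /**
     * Computes the scopes to issue for an {@link OAuthCallback}: the requested scopes reduced
     * by the resource owner's roles, or by {@code getAllowedScopes} when the client has no
     * scope bindings.
     *
     * @param oAuthCallback callback carrying client, resource owner and requested scope
     * @return the issued scopes, or {@code null} when the client's bindings cannot be loaded
     *         (callers of this overload rely on that value)
     */
    @Override
    public List<String> getScopes(OAuthCallback oAuthCallback) {
        List<String> requestedScopes = Arrays.asList(oAuthCallback.getRequestedScope());
        String client = oAuthCallback.getClient();
        AuthenticatedUser resourceOwner = oAuthCallback.getResourceOwner();
        Map<String, String> appScopes = getAppScopes(client, resourceOwner, requestedScopes);
        if (appScopes == null) {
            return null;
        }
        if (isAppScopesEmpty(appScopes, client)) {
            return getAllowedScopes(requestedScopes);
        }
        return getAuthorizedScopes(getUserRoles(resourceOwner, null), requestedScopes, appScopes);
    }

    /**
     * Computes the scopes to issue for a token request.
     *
     * <p>Product REST API scopes are issued as requested. The remaining scopes are filtered by
     * {@link #getAuthorizedScopes}: with an empty role set when the application has no scope
     * bindings, otherwise with the roles chosen by {@link #resolveRolesForTokenRequest}.
     *
     * @param oAuthTokenReqMessageContext token request context; its authorized user may be
     *                                    updated as a side effect (user store domain, user
     *                                    name or user attributes)
     * @return the scopes to issue, never {@code null}
     */
    @Override
    public List<String> getScopes(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        List<String> requestedScopes = new ArrayList<>(Arrays.asList(oAuthTokenReqMessageContext.getScope()));
        List<String> issuedScopes = extractProductRestApiScopes(requestedScopes);
        if (requestedScopes.isEmpty()) {
            return issuedScopes;
        }
        String clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
        AuthenticatedUser authorizedUser = oAuthTokenReqMessageContext.getAuthorizedUser();
        Map<String, String> appScopes = getAppScopes(clientId, authorizedUser, requestedScopes);
        if (appScopes == null) {
            return issuedScopes;
        }
        String[] userRoles = new String[0];
        if (!isAppScopesEmpty(appScopes, clientId)) {
            userRoles = resolveRolesForTokenRequest(oAuthTokenReqMessageContext, clientId, authorizedUser);
        }
        issuedScopes.addAll(getAuthorizedScopes(userRoles, requestedScopes, appScopes));
        return issuedScopes;
    }

    /**
     * Picks the role source for a token request by grant type and system properties.
     *
     * <ul>
     *   <li>SAML2 bearer grant with {@link #CHECK_ROLES_FROM_SAML_ASSERTION}: the user is
     *       moved to the {@code FEDERATED} user store domain and roles come from the assertion
     *       stored under {@code SAML2_ASSERTION}.</li>
     *   <li>JWT bearer grant without {@link #RETRIEVE_ROLES_FROM_USERSTORE_FOR_SCOPE_VALIDATION}:
     *       {@link #configureForJWTGrant} publishes the role claim, whose values are then read
     *       from the user attributes.</li>
     *   <li>Otherwise the user store; a federated user refreshing a token is first renamed to
     *       the application owner so the lookup succeeds.</li>
     * </ul>
     *
     * @return the roles, possibly empty or {@code null} (the user-store and assertion lookups
     *         may yield {@code null})
     */
    private String[] resolveRolesForTokenRequest(OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                                                 String clientId, AuthenticatedUser authorizedUser) {
        String grantType = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getGrantType();
        boolean rolesFromSamlAssertion =
                Boolean.parseBoolean(System.getProperty(CHECK_ROLES_FROM_SAML_ASSERTION));
        boolean rolesFromUserStore =
                Boolean.parseBoolean(System.getProperty(RETRIEVE_ROLES_FROM_USERSTORE_FOR_SCOPE_VALIDATION));
        if (GrantType.SAML20_BEARER.toString().equals(grantType) && rolesFromSamlAssertion) {
            authorizedUser.setUserStoreDomain(FEDERATED_USER_STORE_DOMAIN);
            oAuthTokenReqMessageContext.setAuthorizedUser(authorizedUser);
            return getRolesFromAssertion((Assertion) oAuthTokenReqMessageContext
                    .getProperty(OAuth2Constants.RoleBasedScope.SAML2_ASSERTION));
        }
        if (JWT_BEARER_GRANT_TYPE.equals(grantType) && !rolesFromUserStore) {
            configureForJWTGrant(oAuthTokenReqMessageContext);
            Object roleClaimUri = oAuthTokenReqMessageContext.getProperty(OAuth2Constants.RoleBasedScope.ROLE_CLAIM);
            if (roleClaimUri == null) {
                return new String[0];
            }
            return getRolesFromUserAttribute(authorizedUser.getUserAttributes(), roleClaimUri.toString());
        }
        if (authorizedUser.isFederatedUser() && StringUtils.equals(REFRESH_TOKEN_GRANT_TYPE, grantType)) {
            try {
                authorizedUser.setUserName(
                        OAuth2Util.getAppInformationByClientId(clientId).getAppOwner().getUserName());
            } catch (InvalidOAuthClientException | IdentityOAuth2Exception e) {
                log.error("Error when retrieving the username " + e.getMessage(), e);
            }
        }
        return getUserRoles(authorizedUser, grantType);
    }

    /**
     * Removes every product REST API scope from {@code scopes} (modified in place) and returns
     * them as a new list; those scopes are issued without any role check.
     */
    private List<String> extractProductRestApiScopes(List<String> scopes) {
        List<String> productScopes = new ArrayList<>();
        for (String scope : scopes) {
            if (checkForProductRestAPIScopes(scope)) {
                productScopes.add(scope);
            }
        }
        scopes.removeAll(productScopes);
        return productScopes;
    }

    /** Whether {@code scope} starts with one of the APIM product REST API scope prefixes. */
    private boolean checkForProductRestAPIScopes(String scope) {
        return scope.startsWith(OAuth2Constants.RoleBasedScope.APIM_SCOPE_PREFIX)
                || scope.startsWith(OAuth2Constants.RoleBasedScope.APIM_ANALYTICS_SCOPE_PREFIX)
                || scope.startsWith(OAuth2Constants.RoleBasedScope.APIM_SERVICE_CATALOG_PREFIX);
    }

    /**
     * Reads the user's roles from the user store of the user's tenant.
     *
     * <p>A federated user is looked up by its authenticated subject identifier, except on a
     * refresh-token grant, where the user's own tenant domain and user name are used (the
     * token flow has replaced the name with the application owner's by then).
     *
     * @param authenticatedUser the user
     * @param grantType         grant type of the current request, or {@code null}
     * @return the role list, or {@code null} when the user store cannot be reached
     */
    private String[] getUserRoles(AuthenticatedUser authenticatedUser, String grantType) {
        boolean federatedUser = authenticatedUser.isFederatedUser();
        boolean refreshGrant = StringUtils.equals(REFRESH_TOKEN_GRANT_TYPE, grantType);
        String tenantDomain;
        String tenantAwareUsername;
        if (federatedUser && !refreshGrant) {
            String subject = authenticatedUser.getAuthenticatedSubjectIdentifier();
            tenantDomain = MultitenantUtils.getTenantDomain(subject);
            tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(subject);
        } else {
            tenantDomain = authenticatedUser.getTenantDomain();
            tenantAwareUsername = authenticatedUser.getUserName();
        }
        String userStoreDomain = authenticatedUser.getUserStoreDomain();
        RealmService realmService = OAuthComponentServiceHolder.getInstance().getRealmService();
        try {
            int tenantId = realmService.getTenantManager().getTenantId(tenantDomain);
            if (tenantId == 0 || tenantId == -1) {
                // The domain did not resolve; derive the tenant from the user name instead.
                tenantId = getTenantIdOfUser(tenantAwareUsername);
            }
            return realmService.getTenantUserRealm(tenantId).getUserStoreManager()
                    .getRoleListOfUser(addDomainToName(tenantAwareUsername, userStoreDomain));
        } catch (UserStoreException e) {
            log.error("Error when getting the tenant's UserStoreManager or when getting roles of user ", e);
            return null;
        }
    }

    /**
     * Filters {@code requestedScopes} down to those the user may hold.
     *
     * <p>A scope is a candidate when unassigned scopes are not restricted, when the
     * application binds it, or when it is in the server's allowed-scope list. A candidate is
     * authorized by {@link #addAuthorizedRoles} (no binding, or at least one bound role held
     * by the user). Role names are compared case-insensitively unless the
     * {@code preservedCaseSensitive} system property is explicitly true.
     *
     * @param userRoles       the user's roles; {@code null} is treated as no roles
     * @param requestedScopes scopes to filter
     * @param appScopes       scope → comma-separated bound roles, from the application
     * @return the authorized scopes, or a list holding only the default scope when none is
     */
    private List<String> getAuthorizedScopes(String[] userRoles, List<String> requestedScopes,
                                             Map<String, String> appScopes) {
        String[] roles = userRoles == null ? new String[0] : userRoles;
        boolean caseSensitive = JavaUtils.isTrueExplicitly(System.getProperty(PRESERVED_CASE_SENSITIVE_VARIABLE));
        List<String> normalizedRoles = new ArrayList<>(roles.length);
        for (String role : roles) {
            normalizedRoles.add(normalizeRole(role, caseSensitive));
        }
        boolean restrictUnassignedScopes = OAuth2ServiceComponentHolder.isRestrictUnassignedScopes();
        List<String> authorizedScopes = new ArrayList<>();
        for (String scope : requestedScopes) {
            boolean candidate = !restrictUnassignedScopes
                    || appScopes.containsKey(scope)
                    || this.oAuthServerConfiguration.getAllowedScopes().contains(scope);
            if (candidate) {
                addAuthorizedRoles(appScopes, scope, caseSensitive, normalizedRoles, authorizedScopes);
            }
        }
        if (authorizedScopes.isEmpty()) {
            List<String> defaultScope = new ArrayList<>();
            defaultScope.add(OAuth2Constants.RoleBasedScope.OAUTH2_DEFAULT_SCOPE);
            return defaultScope;
        }
        return authorizedScopes;
    }

    /**
     * Adds {@code scope} to {@code authorizedScopes} when it has no role binding, or when the
     * user holds at least one of its bound roles.
     *
     * @param appScopes        scope → comma-separated bound roles
     * @param scope            scope under test
     * @param caseSensitive    whether bound role names keep their case
     * @param userRoles        the user's roles, already normalized the same way
     * @param authorizedScopes output list
     */
    private void addAuthorizedRoles(Map<String, String> appScopes, String scope, boolean caseSensitive,
                                    List<String> userRoles, List<String> authorizedScopes) {
        String boundRoles = appScopes.get(scope);
        if (StringUtils.isEmpty(boundRoles)) {
            // An unbound scope is open to every user.
            authorizedScopes.add(scope);
            return;
        }
        List<String> requiredRoles = new ArrayList<>();
        for (String role : boundRoles.split(OAuth2Constants.RoleBasedScope.ATTRIBUTE_VALUE_SEPERATER)) {
            requiredRoles.add(normalizeRole(role.trim(), caseSensitive));
        }
        requiredRoles.retainAll(userRoles);
        if (!requiredRoles.isEmpty()) {
            authorizedScopes.add(scope);
        }
    }

    /** Lower-cases {@code role} (English locale) unless names are compared case-sensitively. */
    private static String normalizeRole(String role, boolean caseSensitive) {
        return caseSensitive ? role : role.toLowerCase(Locale.ENGLISH);
    }

    /**
     * Extracts the roles from the user attribute whose local claim URI is {@code roleClaimUri}.
     *
     * @return the parsed roles, or an empty array when no non-blank value is mapped to that claim
     */
    private String[] getRolesFromUserAttribute(Map<ClaimMapping, String> userAttributes, String roleClaimUri) {
        return userAttributes.entrySet().stream()
                .filter(entry -> entry.getKey().getLocalClaim() != null)
                .filter(entry -> roleClaimUri.equals(entry.getKey().getLocalClaim().getClaimUri()))
                .filter(entry -> StringUtils.isNotBlank(entry.getValue()))
                .findFirst()
                .map(entry -> getRolesFromRoleClaim(entry.getValue()))
                .orElse(new String[0]);
    }

    /** Splits a role claim value into roles on the multi-attribute separator. */
    private String[] getRolesFromRoleClaim(String roleClaimValue) {
        return stripJsonArrayDecoration(roleClaimValue).split(FrameworkUtils.getMultiAttributeSeparator());
    }

    /**
     * Removes the JSON array decoration a role claim may carry: escaped slashes are unescaped
     * and brackets and double quotes are dropped.
     */
    private static String stripJsonArrayDecoration(String value) {
        return value.replace("\\/", "/").replace("[", "").replace("]", "").replace("\"", "");
    }

    protected String addDomainToName(String userName, String userStoreDomain) {
        return UserCoreUtil.addDomainToName(userName, userStoreDomain);
    }

    /**
     * Prepares a JWT bearer grant for role-based scope issuance.
     *
     * <p>The signed JWT is taken from the request's {@code assertion} parameter and its issuer
     * is matched to an identity provider of the request's tenant. The values of the IdP's role
     * claim are read from the JWT, mapped to local roles with
     * {@link #getUpdatedRoleClaimValue}, and stored in the authorized user's attributes under a
     * claim mapping for the role claim URI; that URI is also published in the message context
     * as {@code ROLE_CLAIM} so the caller knows which attribute holds the roles.
     *
     * <p>When no identity provider matches the issuer, or the IdP has no role claim URI, the
     * method returns without publishing {@code ROLE_CLAIM}, so the caller proceeds with an
     * empty role set. Failures to read or parse the JWT are logged and handled the same way.
     *
     * @param oAuthTokenReqMessageContext token request context; its authorized user is updated
     */
    protected void configureForJWTGrant(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        SignedJWT signedJWT = null;
        try {
            signedJWT = getSignedJWT(oAuthTokenReqMessageContext);
        } catch (IdentityOAuth2Exception e) {
            log.error("Couldn't retrieve signed JWT", e);
        }
        JWTClaimsSet claimsSet = signedJWT != null ? getClaimSet(signedJWT) : null;
        String issuer = claimsSet != null ? claimsSet.getIssuer() : null;
        String tenantDomain = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain();
        // The IdP is request-local: a shared field here would let concurrent JWT grants
        // read each other's provider and role mappings.
        IdentityProvider identityProvider = findIdentityProviderForIssuer(issuer, tenantDomain);
        if (identityProvider == null) {
            // Already logged by the lookup; nothing can be mapped without a provider.
            return;
        }
        String roleClaimUri = identityProvider.getClaimConfig() == null
                ? null : identityProvider.getClaimConfig().getRoleClaimURI();
        String[] remoteRoles = null;
        if (claimsSet != null) {
            try {
                remoteRoles = claimsSet.getStringArrayClaim(roleClaimUri);
            } catch (ParseException e) {
                log.error("Couldn't retrieve roles:", e);
            }
        }
        List<String> localRoles = new ArrayList<>();
        if (remoteRoles != null) {
            // NOTE(review): getUpdatedRoleClaimValue returns null to drop a role that has no
            // local mapping (when only mapped roles are to be returned), but orElse(role)
            // re-admits the unmapped remote role; confirm that fallback is intended.
            localRoles = Arrays.stream(remoteRoles)
                    .map(role -> Optional.ofNullable(getUpdatedRoleClaimValue(identityProvider, role)).orElse(role))
                    .collect(Collectors.toList());
        }
        AuthenticatedUser authorizedUser = oAuthTokenReqMessageContext.getAuthorizedUser();
        Map<ClaimMapping, String> userAttributes = authorizedUser.getUserAttributes();
        if (roleClaimUri != null) {
            userAttributes.put(ClaimMapping.build(roleClaimUri, roleClaimUri, (String) null, false),
                    localRoles.toString().replace(Constants.SEPARATED_WITH_SPACE, ""));
            oAuthTokenReqMessageContext.addProperty(OAuth2Constants.RoleBasedScope.ROLE_CLAIM, roleClaimUri);
        }
        authorizedUser.setUserAttributes(userAttributes);
        oAuthTokenReqMessageContext.setAuthorizedUser(authorizedUser);
    }

    /**
     * Finds the identity provider of {@code tenantDomain} that issued a JWT: by the
     * {@code idpIssuerName} metadata property first, then by IdP name. A provider named like
     * the default scope is replaced by the resident IdP when the resident IdP's OIDC entity id
     * equals the issuer.
     *
     * @return the provider, or {@code null} when none matches or the lookup fails (logged)
     */
    private IdentityProvider findIdentityProviderForIssuer(String issuer, String tenantDomain) {
        IdentityProvider identityProvider = null;
        try {
            IdentityProviderManager idpManager = IdentityProviderManager.getInstance();
            identityProvider = idpManager.getIdPByMetadataProperty(IDP_ISSUER_NAME_PROPERTY, issuer, tenantDomain, false);
            if (identityProvider == null) {
                if (log.isDebugEnabled()) {
                    log.debug("IDP not found when retrieving for IDP using property: idpIssuerName with value: "
                            + issuer + ". Attempting to retrieve IDP using IDP Name as issuer.");
                }
                identityProvider = idpManager.getIdPByName(issuer, tenantDomain);
            }
            if (identityProvider != null && StringUtils.equalsIgnoreCase(
                    identityProvider.getIdentityProviderName(), OAuth2Constants.RoleBasedScope.OAUTH2_DEFAULT_SCOPE)) {
                identityProvider = getResidentIDPForIssuer(tenantDomain, issuer);
            }
            if (identityProvider == null) {
                log.error("No Registered IDP found for the JWT with issuer name : " + issuer);
            }
        } catch (IdentityProviderManagementException | IdentityOAuth2Exception e) {
            log.error("Couldn't initiate identity provider instance", e);
        }
        return identityProvider;
    }

    /**
     * Parses the signed JWT passed in the request's assertion parameter.
     *
     * @throws IdentityOAuth2Exception if the parameter is absent or empty, or the JWT does not parse
     */
    private SignedJWT getSignedJWT(OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws IdentityOAuth2Exception {
        String assertion = findAssertionParameter(
                oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getRequestParameters());
        if (StringUtils.isEmpty(assertion)) {
            throw new IdentityOAuth2Exception("Error while retrieving assertion");
        }
        try {
            SignedJWT signedJWT = SignedJWT.parse(assertion);
            if (log.isDebugEnabled()) {
                // The assertion is a bearer credential; only its header is written to the log.
                log.debug("Parsed signed JWT assertion with header: " + signedJWT.getHeader());
            }
            return signedJWT;
        } catch (ParseException e) {
            throw new IdentityOAuth2Exception("Error while parsing the JWT.", e);
        }
    }

    /**
     * Returns the first value of the {@code OAUTH_ASSERTION} request parameter, or
     * {@code null} when there are no parameters, no such parameter, or it has no value.
     */
    private static String findAssertionParameter(RequestParameter[] requestParameters) {
        if (requestParameters == null) {
            return null;
        }
        for (RequestParameter parameter : requestParameters) {
            if (parameter != null && OAuth2Constants.RoleBasedScope.OAUTH_ASSERTION.equals(parameter.getKey())) {
                String[] values = parameter.getValue();
                return ArrayUtils.isEmpty(values) ? null : values[0];
            }
        }
        return null;
    }

    /** Returns the JWT's claim set, or {@code null} (logged) when it cannot be parsed. */
    private JWTClaimsSet getClaimSet(SignedJWT signedJWT) {
        try {
            return signedJWT.getJWTClaimsSet();
        } catch (ParseException e) {
            log.error("Error when trying to retrieve claimsSet from the JWT:", e);
            return null;
        }
    }

    /**
     * Returns the tenant's resident IdP when the entity id of its {@code openidconnect}
     * authenticator equals {@code issuer}, and {@code null} otherwise.
     *
     * @throws IdentityOAuth2Exception if the resident IdP cannot be read
     */
    private IdentityProvider getResidentIDPForIssuer(String tenantDomain, String issuer) throws IdentityOAuth2Exception {
        try {
            IdentityProvider residentIdP = IdentityProviderManager.getInstance().getResidentIdP(tenantDomain);
            FederatedAuthenticatorConfig oidcAuthenticator = IdentityApplicationManagementUtil
                    .getFederatedAuthenticator(residentIdP.getFederatedAuthenticatorConfigs(), OIDC_AUTHENTICATOR_NAME);
            return StringUtils.equals(issuer, residentEntityId(oidcAuthenticator)) ? residentIdP : null;
        } catch (IdentityProviderManagementException e) {
            throw new IdentityOAuth2Exception(
                    String.format("Error while getting Resident Identity Provider of '%s' tenant.", tenantDomain), e);
        }
    }

    /**
     * Entity id configured on the given authenticator, or {@code ""} when the authenticator
     * or the property is missing.
     */
    private static String residentEntityId(FederatedAuthenticatorConfig authenticator) {
        if (authenticator == null || IdentityApplicationManagementUtil
                .getProperty(authenticator.getProperties(), SAML2BearerGrantHandler.IDP_ENTITY_ID) == null) {
            return "";
        }
        return IdentityApplicationManagementUtil
                .getProperty(authenticator.getProperties(), SAML2BearerGrantHandler.IDP_ENTITY_ID).getValue();
    }

    /**
     * Maps one role claim value of a federated IdP to local roles.
     *
     * <p>For the local IdP the value is returned unchanged. Otherwise the value is stripped of
     * JSON array decoration and, when the IdP defines role mappings, every remote role is
     * replaced by its mapped local role; unmapped roles are kept unless the server is set to
     * return only mapped local roles.
     *
     * @return the mapped value, or {@code null} when nothing remains after mapping
     */
    private String getUpdatedRoleClaimValue(IdentityProvider identityProvider, String roleClaimValue) {
        if (StringUtils.equalsIgnoreCase(LOCAL_IDP_NAME, identityProvider.getIdentityProviderName())) {
            return roleClaimValue;
        }
        String remoteRoles = stripJsonArrayDecoration(roleClaimValue);
        PermissionsAndRoleConfig permissionAndRoleConfig = identityProvider.getPermissionAndRoleConfig();
        if (permissionAndRoleConfig == null || ArrayUtils.isEmpty(permissionAndRoleConfig.getRoleMappings())) {
            return OAuthServerConfiguration.getInstance().isReturnOnlyMappedLocalRoles() ? null : remoteRoles;
        }
        List<String> localRoles = getUpdatedRoleClaimValues(remoteRoles, permissionAndRoleConfig);
        if (localRoles.isEmpty()) {
            return null;
        }
        return StringUtils.join(localRoles, FrameworkUtils.getMultiAttributeSeparator());
    }

    /**
     * Splits {@code remoteRoles} on the multi-attribute separator and maps each remote role
     * through the IdP's role mappings; an unmapped role is kept only when the server is not
     * restricted to mapped local roles.
     */
    private static List<String> getUpdatedRoleClaimValues(String remoteRoles,
                                                          PermissionsAndRoleConfig permissionsAndRoleConfig) {
        boolean onlyMappedLocalRoles = OAuthServerConfiguration.getInstance().isReturnOnlyMappedLocalRoles();
        RoleMapping[] roleMappings = permissionsAndRoleConfig.getRoleMappings();
        List<String> localRoles = new ArrayList<>();
        for (String remoteRole : remoteRoles.split(FrameworkUtils.getMultiAttributeSeparator())) {
            RoleMapping mapping = findMappingForRemoteRole(roleMappings, remoteRole);
            if (mapping != null) {
                localRoles.add(qualifiedLocalRoleName(mapping));
            } else if (!onlyMappedLocalRoles) {
                localRoles.add(remoteRole);
            }
        }
        return localRoles;
    }

    /** First mapping whose remote role equals {@code remoteRole}, or {@code null}. */
    private static RoleMapping findMappingForRemoteRole(RoleMapping[] roleMappings, String remoteRole) {
        for (RoleMapping roleMapping : roleMappings) {
            if (StringUtils.equals(roleMapping.getRemoteRole(), remoteRole)) {
                return roleMapping;
            }
        }
        return null;
    }

    /** Local role name of a mapping, prefixed with its user store id and domain separator when set. */
    private static String qualifiedLocalRoleName(RoleMapping roleMapping) {
        String userStoreId = roleMapping.getLocalRole().getUserStoreId();
        String localRoleName = roleMapping.getLocalRole().getLocalRoleName();
        if (StringUtils.isEmpty(userStoreId)) {
            return localRoleName;
        }
        return userStoreId + UserCoreConstants.DOMAIN_SEPARATOR + localRoleName;
    }
}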
