package org.wso2.carbon.identity.oauth2.util;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.identity.api.resource.mgt.APIResourceMgtException;
import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2ClientException;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.OAuth2Constants;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.organization.management.organization.user.sharing.util.OrganizationSharedUserUtil;
import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
import org.wso2.carbon.identity.role.v2.mgt.core.exception.IdentityRoleManagementException;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.NotImplementedException;
import org.wso2.carbon.user.core.common.Group;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/util/AuthzUtil.class */
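/**
 * Role and scope resolution helpers backing the OAuth2 user-based authorization checks.
 *
 * <p>A user's effective role IDs are resolved through the role management service: direct
 * assignments plus roles granted to the user's groups for local users, the roles mapped from
 * the identity-provider role claim for federated users, and the roles of the associated
 * (shared) user when the user is accessing an organization other than their resident one.
 * The scopes associated with those roles are what {@link #isUserAuthorized} compares the
 * requested scopes against. All methods are stateless; lookups go through the component
 * service holders.
 */
public class AuthzUtil {

    private static final Log LOG = LogFactory.getLog(AuthzUtil.class);

    /** Local claim URI carrying the role names mapped from a federated identity provider. */
    private static final String IDP_MAPPED_USER_ROLES_CLAIM_URI = "identityProviderMappedUserRoles";
    /** Role audience value for organization-scoped roles (also the allowed-audience value compared against). */
    private static final String ORGANIZATION_AUDIENCE = "organization";
    /** Role audience value for application-scoped roles. */
    private static final String APPLICATION_AUDIENCE = "application";
    /** User-store domains whose groups are excluded from group-based role resolution. */
    private static final String INTERNAL_DOMAIN = "Internal";
    private static final String APPLICATION_DOMAIN = "Application";
    /** Filter expression handed to the API resource manager to select the internal scopes of a tenant. */
    private static final String INTERNAL_SCOPE_FILTER = "name sw internal_";

    /**
     * Resolves the role IDs of the given user in the context of an application.
     *
     * <p>A user whose accessing organization is set and differs from their resident organization is
     * treated as a switched user and resolved through the shared-user association. Otherwise federated
     * users get the roles mapped from the IdP role claim and local users get their direct plus
     * group-derived roles. A blank (not only {@code null}) accessing organization counts as "not
     * switched" here, which differs from {@link #isUserAccessingResidentOrganization}.
     *
     * @param authenticatedUser the authenticated user.
     * @param appId application identifier; only consulted for federated users, where it selects the
     *              role audience (see {@link #getFederatedUserRoles}). {@link #isUserAuthorized} passes
     *              {@code null}.
     * @return a mutable list of role IDs, possibly empty.
     * @throws IdentityOAuth2Exception if the user ID, tenant, organization or roles cannot be resolved.
     */
    public static List<String> getUserRoles(AuthenticatedUser authenticatedUser, String appId)
            throws IdentityOAuth2Exception {

        if (!isAccessingOrganizationBlankOrResident(authenticatedUser)) {
            return getSwitchUserRoles(authenticatedUser);
        }
        if (authenticatedUser.isFederatedUser()) {
            return getFederatedUserRoles(authenticatedUser, appId);
        }
        return getRoles(getUserId(authenticatedUser), authenticatedUser.getTenantDomain());
    }

    /**
     * Returns {@code true} when the user has no accessing organization set (blank) or it equals the
     * user's resident organization, i.e. no organization switch is in effect.
     */
    private static boolean isAccessingOrganizationBlankOrResident(AuthenticatedUser authenticatedUser) {

        String accessingOrganization = authenticatedUser.getAccessingOrganization();
        return StringUtils.isBlank(accessingOrganization)
                || accessingOrganization.equals(authenticatedUser.getUserResidentOrganization());
    }

    /**
     * Roles of a user who is accessing an organization other than their resident one: resolved for the
     * associated (shared) user in the tenant of the accessing organization.
     *
     * @throws IdentityOAuth2Exception if the shared user or the accessing tenant cannot be resolved
     *                                 (an {@link IdentityOAuth2ClientException} when no association exists).
     */
    private static List<String> getSwitchUserRoles(AuthenticatedUser authenticatedUser)
            throws IdentityOAuth2Exception {

        return getRoles(getUserIdOfAssociatedUser(authenticatedUser), getAccessingTenantDomain(authenticatedUser));
    }

    /**
     * Direct role IDs of the user plus the role IDs of the user's (non-Internal, non-Application) groups.
     *
     * @param userId the user ID.
     * @param tenantDomain tenant in which roles and groups are looked up.
     * @return a mutable list; may contain the same role ID twice if it is both directly assigned and
     *         group-granted (callers only need set semantics).
     */
    private static List<String> getRoles(String userId, String tenantDomain) throws IdentityOAuth2Exception {

        List<String> directRoleIds = getRoleIdsOfUser(userId, tenantDomain);
        List<String> roleIds = directRoleIds == null ? new ArrayList<>() : new ArrayList<>(directRoleIds);
        List<String> groupIds = getUserGroups(userId, tenantDomain);
        if (!groupIds.isEmpty()) {
            List<String> groupRoleIds = getRoleIdsOfGroups(groupIds, tenantDomain);
            if (groupRoleIds != null) {
                roleIds.addAll(groupRoleIds);
            }
        }
        return roleIds;
    }

    /**
     * Role IDs of a federated user, taken from the IdP-mapped role claim in the user's attributes.
     *
     * <p>The claim value is split on the framework's multi-attribute separator into role names. The
     * names are resolved in the organization audience when the application's allowed audience for
     * role association is {@code organization}, otherwise in the application audience of {@code appId}.
     *
     * @param authenticatedUser the federated user.
     * @param appId application identifier used for the allowed-audience lookup and as the
     *              application audience ID.
     * @return a mutable list of role IDs; empty when the user has no attributes or no mapped roles.
     */
    private static List<String> getFederatedUserRoles(AuthenticatedUser authenticatedUser, String appId)
            throws IdentityOAuth2Exception {

        String tenantDomain = authenticatedUser.getTenantDomain();
        Map<ClaimMapping, String> userAttributes = authenticatedUser.getUserAttributes();
        if (userAttributes == null) {
            return new ArrayList<>();
        }
        String mappedRoles = null;
        for (Map.Entry<ClaimMapping, String> entry : userAttributes.entrySet()) {
            ClaimMapping mapping = entry.getKey();
            if (mapping == null || mapping.getLocalClaim() == null) {
                // Attribute without a local claim cannot be the role claim; skip instead of failing.
                continue;
            }
            if (IDP_MAPPED_USER_ROLES_CLAIM_URI.equals(mapping.getLocalClaim().getClaimUri())) {
                mappedRoles = entry.getValue();
                break;
            }
        }
        if (StringUtils.isBlank(mappedRoles)) {
            return new ArrayList<>();
        }
        // String.split takes a regex; the separator is used as-is, as the original code did.
        List<String> roleNames = Arrays.asList(mappedRoles.split(FrameworkUtils.getMultiAttributeSeparator()));
        if (roleNames.isEmpty()) {
            return new ArrayList<>();
        }
        String allowedAudience = getApplicationAllowedAudience(appId, tenantDomain);
        if (ORGANIZATION_AUDIENCE.equalsIgnoreCase(allowedAudience)) {
            return getRoleIdsFromNames(roleNames, ORGANIZATION_AUDIENCE, getOrganizationId(tenantDomain),
                    tenantDomain);
        }
        return getRoleIdsFromNames(roleNames, APPLICATION_AUDIENCE, appId, tenantDomain);
    }

    /**
     * Tenant domain of the organization the user is currently accessing.
     *
     * @throws IdentityOAuth2Exception wrapping the organization manager failure.
     */
    private static String getAccessingTenantDomain(AuthenticatedUser authenticatedUser)
            throws IdentityOAuth2Exception {

        try {
            return OAuthComponentServiceHolder.getInstance().getOrganizationManager()
                    .resolveTenantDomain(authenticatedUser.getAccessingOrganization());
        } catch (OrganizationManagementException e) {
            throw new IdentityOAuth2Exception("Error while retrieving accessing tenant domain", e);
        }
    }

    /**
     * User ID of the shared user associated with the authenticated user in the accessing organization.
     *
     * <p>For federated users the association is looked up by the tenant-aware, domain-less user name;
     * for local users by the user ID.
     *
     * @throws IdentityOAuth2ClientException if no association exists (the user may not access the organization).
     * @throws IdentityOAuth2Exception wrapping any organization management failure.
     */
    private static String getUserIdOfAssociatedUser(AuthenticatedUser authenticatedUser)
            throws IdentityOAuth2Exception {

        String userId = authenticatedUser.isFederatedUser()
                ? UserCoreUtil.removeDomainFromName(
                        MultitenantUtils.getTenantAwareUsername(authenticatedUser.getUserName()))
                : getUserId(authenticatedUser);
        try {
            return OrganizationSharedUserUtil
                    .getUserIdOfAssociatedUserByOrgId(userId, authenticatedUser.getAccessingOrganization())
                    .orElseThrow(() -> new IdentityOAuth2ClientException(
                            "User is not allowed to access the organization"));
        } catch (OrganizationManagementException e) {
            throw new IdentityOAuth2Exception("Error while resolving shared user ID", e);
        }
    }

    /**
     * Scopes (permissions) granted through the given roles, plus {@link OAuth2Util#INTERNAL_LOGIN_SCOPE},
     * which every user receives regardless of roles.
     *
     * @param roleIds role IDs to look up.
     * @param tenantDomain tenant of the roles.
     * @return a new mutable list; never {@code null}.
     * @throws IdentityOAuth2Exception wrapping the role management failure.
     */
    public static List<String> getAssociatedScopesForRoles(List<String> roleIds, String tenantDomain)
            throws IdentityOAuth2Exception {

        List<String> scopes;
        try {
            List<String> permissions = OAuth2ServiceComponentHolder.getInstance().getRoleManagementServiceV2()
                    .getPermissionListOfRoles(roleIds, tenantDomain);
            // Copy so that a null or unmodifiable result from the service cannot break the add below.
            scopes = permissions == null ? new ArrayList<>() : new ArrayList<>(permissions);
        } catch (IdentityRoleManagementException e) {
            throw new IdentityOAuth2Exception("Error while retrieving scope list of roles : "
                    + StringUtils.join(roleIds, OAuth2Constants.RoleBasedScope.ATTRIBUTE_VALUE_SEPERATER)
                    + ", tenant domain : " + tenantDomain, e);
        }
        scopes.add(OAuth2Util.INTERNAL_LOGIN_SCOPE);
        return scopes;
    }

    /**
     * Authorization decision: {@code true} iff every entry of {@code scopes} is among the scopes granted
     * through the user's roles (see {@link #getAssociatedScopesForRoles}), extended with the new-style
     * scopes mapped from held legacy internal scopes when legacy permission access is enabled.
     *
     * <p>An empty {@code scopes} list is always authorized. The user's roles are resolved with a
     * {@code null} application ID; for federated users this means the allowed-audience lookup in
     * {@link #getFederatedUserRoles} runs without an application — NOTE(review): confirm that is intended.
     *
     * @param authenticatedUser the user to check.
     * @param scopes the scopes that must all be granted; must not be {@code null}.
     * @throws NullPointerException if {@code scopes} is {@code null}.
     * @throws IdentityOAuth2Exception if roles or scopes cannot be resolved.
     */
    public static boolean isUserAuthorized(AuthenticatedUser authenticatedUser, List<String> scopes)
            throws IdentityOAuth2Exception {

        Objects.requireNonNull(scopes, "scopes");
        List<String> roleIds = getUserRoles(authenticatedUser, null);
        String tenantDomain = authenticatedUser.getTenantDomain();
        List<String> grantedScopes = getAssociatedScopesForRoles(roleIds, tenantDomain);
        if (OAuthServerConfiguration.getInstance().isUseLegacyPermissionAccessForUserBasedAuth()) {
            List<String> internalScopes = getInternalScopes(tenantDomain);
            if (grantedScopes.stream().anyMatch(internalScopes::contains)) {
                addNewScopesMappedToLegacyScopes(grantedScopes, internalScopes);
            }
        }
        return new HashSet<>(grantedScopes).containsAll(scopes);
    }

    /**
     * Role IDs directly assigned to the user.
     *
     * @throws IdentityOAuth2Exception wrapping the role management failure.
     */
    private static List<String> getRoleIdsOfUser(String userId, String tenantDomain) throws IdentityOAuth2Exception {

        try {
            return OAuth2ServiceComponentHolder.getInstance().getRoleManagementServiceV2()
                    .getRoleIdListOfUser(userId, tenantDomain);
        } catch (IdentityRoleManagementException e) {
            throw new IdentityOAuth2Exception("Error while retrieving role id list of user : " + userId
                    + ", tenant domain : " + tenantDomain, e);
        }
    }

    /**
     * User ID of the authenticated user.
     *
     * @throws IdentityOAuth2Exception wrapping {@link UserIdNotFoundException}.
     */
    private static String getUserId(AuthenticatedUser authenticatedUser) throws IdentityOAuth2Exception {

        try {
            return authenticatedUser.getUserId();
        } catch (UserIdNotFoundException e) {
            throw new IdentityOAuth2Exception("Error while resolving user id of user", e);
        }
    }

    /**
     * Organization ID of the given tenant domain.
     *
     * @throws IdentityOAuth2Exception wrapping the organization manager failure.
     */
    private static String getOrganizationId(String tenantDomain) throws IdentityOAuth2Exception {

        try {
            return OAuthComponentServiceHolder.getInstance().getOrganizationManager()
                    .resolveOrganizationId(tenantDomain);
        } catch (OrganizationManagementException e) {
            throw new IdentityOAuth2Exception("Error while resolving org id of tenant : " + tenantDomain, e);
        }
    }

    /**
     * Allowed audience for role association configured on the application.
     *
     * @throws IdentityOAuth2Exception wrapping the application management failure.
     */
    private static String getApplicationAllowedAudience(String appId, String tenantDomain)
            throws IdentityOAuth2Exception {

        try {
            return OAuth2ServiceComponentHolder.getApplicationMgtService()
                    .getAllowedAudienceForRoleAssociation(appId, tenantDomain);
        } catch (IdentityApplicationManagementException e) {
            throw new IdentityOAuth2Exception("Error while retrieving allowed audience of app : " + appId, e);
        }
    }

    /**
     * Resolves role names to role IDs within the given audience.
     *
     * @param roleNames role names to resolve.
     * @param audience audience type ({@code organization} or {@code application}).
     * @param audienceId organization ID or application ID, matching {@code audience}.
     * @param tenantDomain tenant of the roles.
     * @return a mutable list with one entry per name, in input order. NOTE(review): whatever
     *         {@code getRoleIdByName} returns for an unknown name (possibly {@code null}) is added as-is —
     *         verify against the service contract.
     * @throws IdentityOAuth2Exception wrapping the role management failure.
     */
    private static List<String> getRoleIdsFromNames(List<String> roleNames, String audience, String audienceId,
                                                    String tenantDomain) throws IdentityOAuth2Exception {

        List<String> roleIds = new ArrayList<>(roleNames.size());
        try {
            for (String roleName : roleNames) {
                roleIds.add(OAuth2ServiceComponentHolder.getInstance().getRoleManagementServiceV2()
                        .getRoleIdByName(roleName, audience, audienceId, tenantDomain));
            }
        } catch (IdentityRoleManagementException e) {
            throw new IdentityOAuth2Exception("Error while retrieving role ids of list of role names : "
                    + StringUtils.join(roleNames, OAuth2Constants.RoleBasedScope.ATTRIBUTE_VALUE_SEPERATER)
                    + ", tenant domain : " + tenantDomain, e);
        }
        return roleIds;
    }

    /**
     * IDs of the user's groups, excluding groups in the {@code Internal} and {@code Application} domains.
     *
     * <p>If the user store does not implement group listing (a {@link NotImplementedException} anywhere in
     * the cause chain of the store exception) an empty list is returned so that role resolution falls back
     * to direct assignments only.
     *
     * @param userId the user ID.
     * @param tenantDomain tenant whose user realm is queried.
     * @return a mutable, possibly empty list of group IDs.
     * @throws IdentityOAuth2Exception if the tenant ID cannot be resolved or the user store fails.
     */
    private static List<String> getUserGroups(String userId, String tenantDomain) throws IdentityOAuth2Exception {

        if (LOG.isDebugEnabled()) {
            LOG.debug("Started group fetching for scope validation.");
        }
        List<String> groupIds = new ArrayList<>();
        try {
            for (Group group : UserCoreUtil.getRealmService()
                    .getTenantUserRealm(OAuth2Util.getTenantId(tenantDomain))
                    .getUserStoreManager()
                    .getGroupListOfUser(userId, (String) null, (String) null)) {
                String domain = UserCoreUtil.extractDomainFromName(group.getGroupName());
                if (!INTERNAL_DOMAIN.equalsIgnoreCase(domain) && !APPLICATION_DOMAIN.equalsIgnoreCase(domain)) {
                    groupIds.add(group.getGroupID());
                }
            }
        } catch (UserStoreException e) {
            if (isDoGetGroupListOfUserNotImplemented(e)) {
                return groupIds;
            }
            throw new IdentityOAuth2Exception(e.getMessage(), e);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Completed group fetching for scope validation.");
        }
        return groupIds;
    }

    /**
     * Role IDs assigned to any of the given groups.
     *
     * @throws IdentityOAuth2Exception wrapping the role management failure.
     */
    private static List<String> getRoleIdsOfGroups(List<String> groupIds, String tenantDomain)
            throws IdentityOAuth2Exception {

        try {
            return OAuth2ServiceComponentHolder.getInstance().getRoleManagementServiceV2()
                    .getRoleIdListOfGroups(groupIds, tenantDomain);
        } catch (IdentityRoleManagementException e) {
            throw new IdentityOAuth2Exception("Error while retrieving role id list of groups : "
                    + StringUtils.join(groupIds, OAuth2Constants.RoleBasedScope.ATTRIBUTE_VALUE_SEPERATER)
                    + ", tenant domain : " + tenantDomain, e);
        }
    }

    /**
     * Whether the cause chain of the exception (excluding the exception itself) contains a
     * {@link NotImplementedException}, i.e. the user store does not support group listing.
     */
    private static boolean isDoGetGroupListOfUserNotImplemented(UserStoreException userStoreException) {

        for (Throwable cause = userStoreException.getCause(); cause != null; cause = cause.getCause()) {
            if (cause instanceof NotImplementedException) {
                return true;
            }
        }
        return false;
    }

    /** Whether the server runs with the legacy authorization runtime enabled. */
    public static boolean isLegacyAuthzRuntime() {

        return CarbonConstants.ENABLE_LEGACY_AUTHZ_RUNTIME.booleanValue();
    }

    /**
     * Whether the user is accessing their resident organization.
     *
     * <p>Only a {@code null} accessing organization counts as resident (an empty string does not), which
     * differs from the blank check used by {@link #getUserRoles}.
     */
    public static boolean isUserAccessingResidentOrganization(AuthenticatedUser authenticatedUser) {

        return authenticatedUser.getAccessingOrganization() == null
                || authenticatedUser.getAccessingOrganization().equals(authenticatedUser.getUserResidentOrganization());
    }

    /**
     * Names of the tenant's internal scopes, as selected by the {@code name sw internal_} filter of the
     * API resource manager.
     *
     * @return a mutable list of scope names.
     * @throws IdentityOAuth2Exception wrapping the API resource management failure.
     */
    public static List<String> getInternalScopes(String tenantDomain) throws IdentityOAuth2Exception {

        try {
            return OAuth2ServiceComponentHolder.getInstance().getApiResourceManager()
                    .getScopesByTenantDomain(tenantDomain, INTERNAL_SCOPE_FILTER)
                    .stream()
                    .map(scope -> scope.getName())
                    .collect(Collectors.toCollection(ArrayList::new));
        } catch (APIResourceMgtException e) {
            throw new IdentityOAuth2Exception("Error while retrieving internal scopes for tenant domain : "
                    + tenantDomain, e);
        }
    }

    /**
     * Extends {@code scopes} in place with the new-style scopes that the configured legacy-to-new mappings
     * grant for the legacy (internal) scopes the list already holds.
     *
     * <p>A single-scope mapping applies when its legacy scope is held; a multi-scope mapping, whose key is
     * several legacy scopes joined with {@code ATTRIBUTE_VALUE_SEPERATER}, applies only when all of them
     * are held. Scopes already present in {@code scopes} are not added again.
     *
     * @param scopes the user's scopes; must be mutable.
     * @param internalScopes the tenant's internal scope names, used to pick the legacy scopes out of {@code scopes}.
     */
    public static void addNewScopesMappedToLegacyScopes(List<String> scopes, List<String> internalScopes) {

        Set<String> heldLegacyScopes = scopes.stream().filter(internalScopes::contains).collect(Collectors.toSet());
        Map<String, Set<String>> singleScopeMappings =
                OAuth2ServiceComponentHolder.getInstance().getLegacyScopesToNewScopesMap();
        Map<String, Set<String>> multiScopeMappings =
                OAuth2ServiceComponentHolder.getInstance().getLegacyMultipleScopesToNewScopesMap();

        Set<String> mappedScopes = new HashSet<>();
        for (String legacyScope : heldLegacyScopes) {
            Set<String> newScopes = singleScopeMappings.get(legacyScope);
            if (newScopes != null) {
                mappedScopes.addAll(newScopes);
            }
        }
        for (Map.Entry<String, Set<String>> mapping : multiScopeMappings.entrySet()) {
            List<String> requiredLegacyScopes = Arrays.asList(
                    mapping.getKey().split(OAuth2Constants.RoleBasedScope.ATTRIBUTE_VALUE_SEPERATER));
            if (heldLegacyScopes.containsAll(requiredLegacyScopes)) {
                mappedScopes.addAll(mapping.getValue());
            }
        }

        // Skip anything already granted so the list does not accumulate duplicates.
        Set<String> alreadyGranted = new HashSet<>(scopes);
        for (String mappedScope : mappedScopes) {
            if (!alreadyGranted.contains(mappedScope)) {
                scopes.add(mappedScope);
            }
        }
    }
}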
