package org.wso2.carbon.identity.oauth.listener;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.UserSessionException;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.AuthorizedAPI;
import org.wso2.carbon.identity.base.IdentityRuntimeException;
import org.wso2.carbon.identity.core.bean.context.MessageContext;
import org.wso2.carbon.identity.core.handler.InitConfig;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.event.IdentityEventException;
import org.wso2.carbon.identity.event.event.Event;
import org.wso2.carbon.identity.event.handler.AbstractEventHandler;
import org.wso2.carbon.identity.oauth.OAuthUtil;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.organization.management.organization.user.sharing.models.UserAssociation;
import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
import org.wso2.carbon.identity.role.mgt.core.GroupBasicInfo;
import org.wso2.carbon.identity.role.mgt.core.IdentityRoleManagementException;
import org.wso2.carbon.identity.role.mgt.core.RoleManagementService;
import org.wso2.carbon.identity.role.mgt.core.UserBasicInfo;
import org.wso2.carbon.identity.role.v2.mgt.core.model.RoleDTO;
import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.UserStoreManager;
import org.wso2.carbon.user.core.common.AbstractUserStoreManager;
import org.wso2.carbon.user.core.common.User;
import org.wso2.carbon.user.core.util.UserCoreUtil;

/* loaded from: input_file:org/wso2/carbon/identity/oauth/listener/IdentityOauthEventHandler.class */
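/**
 * Event handler that keeps issued OAuth2 credentials in step with identity changes.
 *
 * <p>It reacts to the events named by the {@code *_EVENT} constants below by revoking access
 * tokens and authorization codes, evicting cached user claims and ending the sessions of the
 * affected users:
 * <ul>
 *   <li>user claim updates: when the account state placed in the thread-local properties says the
 *       user is locked or disabled, the user's tokens (and, for locked users, authorization codes)
 *       are revoked, including tokens held by the user's associated accounts in other
 *       organizations;</li>
 *   <li>users or groups removed from a role, and roles deleted or re-permissioned (v1 and v2
 *       role APIs): tokens and sessions of every user who holds the role directly or through a
 *       group are revoked;</li>
 *   <li>scopes removed from, or removal of, an authorized API of an application: tokens of that
 *       application carrying the affected scopes are revoked.</li>
 * </ul>
 *
 * <p>Revocation is driven entirely by the event properties and the component service holders;
 * nothing here re-checks who triggered the underlying change, so the publishing components are
 * trusted to have authorized it. {@code PRE_*} events are presumably delivered before the change
 * is persisted, so role/group membership read here is the pre-change one (confirm against the
 * publishers).
 */
public class IdentityOauthEventHandler extends AbstractEventHandler {

    private static final Log log = LogFactory.getLog(IdentityOauthEventHandler.class);

    /** Priority used when the handler configuration does not provide one (super returns -1). */
    private static final int DEFAULT_PRIORITY = 51;

    // Event names this handler reacts to; values must match the publishing components.
    private static final String POST_SET_USER_CLAIMS_EVENT = "POST_SET_USER_CLAIMS";
    private static final String POST_SET_USER_CLAIM_EVENT = "POST_SET_USER_CLAIM";
    private static final String POST_UPDATE_USER_LIST_OF_ROLE_EVENT = "POST_UPDATE_USER_LIST_OF_ROLE_EVENT";
    private static final String POST_UPDATE_USER_LIST_OF_ROLE_V2_EVENT = "POST_UPDATE_USER_LIST_OF_ROLE_V2_EVENT";
    private static final String PRE_UPDATE_GROUP_LIST_OF_ROLE_EVENT = "PRE_UPDATE_GROUP_LIST_OF_ROLE_EVENT";
    private static final String PRE_UPDATE_GROUP_LIST_OF_ROLE_V2_EVENT = "PRE_UPDATE_GROUP_LIST_OF_ROLE_V2_EVENT";
    private static final String PRE_DELETE_ROLE_EVENT = "PRE_DELETE_ROLE_EVENT";
    private static final String POST_SET_PERMISSIONS_FOR_ROLE_EVENT = "POST_SET_PERMISSIONS_FOR_ROLE_EVENT";
    private static final String PRE_DELETE_ROLE_V2_EVENT = "PRE_DELETE_ROLE_V2_EVENT";
    private static final String POST_UPDATE_PERMISSIONS_FOR_ROLE_V2_EVENT = "POST_UPDATE_PERMISSIONS_FOR_ROLE_V2_EVENT";
    private static final String PRE_UPDATE_AUTHORIZED_API_FOR_APPLICATION_EVENT =
            "PRE_UPDATE_AUTHORIZED_API_FOR_APPLICATION_EVENT";
    private static final String PRE_DELETE_AUTHORIZED_API_FOR_APPLICATION_EVENT =
            "PRE_DELETE_AUTHORIZED_API_FOR_APPLICATION_EVENT";

    // Keys of the event properties read by the handlers above.
    private static final String PROP_USER_NAME = "user-name";
    private static final String PROP_USER_STORE_MANAGER = "userStoreManager";
    private static final String PROP_ROLE_ID = "role-id";
    private static final String PROP_TENANT_DOMAIN = "tenant-domain";
    private static final String PROP_DELETE_USER_ID_LIST = "DELETE_USER_ID_LIST";
    private static final String PROP_DELETE_GROUP_ID_LIST = "DELETE_GROUP_ID_LIST";
    private static final String PROP_APPLICATION_ID = "application-id";
    private static final String PROP_API_ID = "API_ID";
    private static final String PROP_DELETED_SCOPES = "DELETED_SCOPES";

    // Account-state code published through IdentityUtil.threadLocalProperties by the claim update.
    private static final String PROP_USER_ACCOUNT_STATE = "UserAccountState";
    private static final String ACCOUNT_STATE_LOCKED = "17003";
    private static final String ACCOUNT_STATE_DISABLED = "17004";

    @Override
    public String getName() {
        return "identityOauthEventHandler";
    }

    @Override
    public String getFriendlyName() {
        return "Identity Oauth Event Handler";
    }

    @Override
    public void init(InitConfig initConfig) throws IdentityRuntimeException {
        super.init(initConfig);
    }

    /**
     * Returns the configured priority, falling back to {@link #DEFAULT_PRIORITY} when the
     * configuration does not set one.
     */
    @Override
    public int getPriority(MessageContext messageContext) {
        int configured = super.getPriority(messageContext);
        return configured == -1 ? DEFAULT_PRIORITY : configured;
    }

    /**
     * Dispatches the event to the handler for its name; events with other names are ignored.
     *
     * @param event the identity event, whose name and properties drive the revocation
     * @throws IdentityEventException when a lookup or revocation fails; the cause is preserved
     */
    @Override
    public void handleEvent(Event event) throws IdentityEventException {
        String eventName = event.getEventName();
        if (eventName == null) {
            // Nothing matches an unnamed event; a switch on null would throw instead.
            return;
        }
        switch (eventName) {
            case POST_SET_USER_CLAIMS_EVENT:
            case POST_SET_USER_CLAIM_EVENT:
                handleUserClaimsUpdated(event);
                break;
            case POST_UPDATE_USER_LIST_OF_ROLE_EVENT:
            case POST_UPDATE_USER_LIST_OF_ROLE_V2_EVENT:
                handleUsersRemovedFromRole(event);
                break;
            case PRE_UPDATE_GROUP_LIST_OF_ROLE_EVENT:
            case PRE_UPDATE_GROUP_LIST_OF_ROLE_V2_EVENT:
                handleGroupsRemovedFromRole(event);
                break;
            case PRE_DELETE_ROLE_EVENT:
            case POST_SET_PERMISSIONS_FOR_ROLE_EVENT:
                handleRoleChanged(event);
                break;
            case PRE_DELETE_ROLE_V2_EVENT:
            case POST_UPDATE_PERMISSIONS_FOR_ROLE_V2_EVENT:
                handleRoleV2Changed(event);
                break;
            case PRE_UPDATE_AUTHORIZED_API_FOR_APPLICATION_EVENT:
                handleAuthorizedApiUpdated(event);
                break;
            case PRE_DELETE_AUTHORIZED_API_FOR_APPLICATION_EVENT:
                handleAuthorizedApiDeleted(event);
                break;
            default:
                // Not an event this handler is interested in.
                break;
        }
    }

    /**
     * After a claim update: revokes the user's credentials if the account is now locked or
     * disabled, then drops the user's cached claims.
     */
    private void handleUserClaimsUpdated(Event event) throws IdentityEventException {
        Map<String, Object> properties = event.getEventProperties();
        String userName = (String) properties.get(PROP_USER_NAME);
        UserStoreManager userStoreManager = (UserStoreManager) properties.get(PROP_USER_STORE_MANAGER);
        try {
            revokeTokensOfLockedUser(userName, userStoreManager);
            revokeCodesOfLockedUser(userName, userStoreManager);
            revokeTokensOfDisabledUser(userName, userStoreManager);
            OAuthUtil.removeUserClaimsFromCache(userName, userStoreManager);
        } catch (UserStoreException e) {
            String message = "Error occurred while revoking  access token for User : " + userName;
            log.error(message, e);
            // Keep the cause so the failure can be traced past this handler.
            throw new IdentityEventException(message, e);
        }
    }

    /** After users were removed from a role: ends the sessions of the removed users. */
    private void handleUsersRemovedFromRole(Event event) throws IdentityEventException {
        Map<String, Object> properties = event.getEventProperties();
        List<String> removedUserIds = stringListProperty(properties, PROP_DELETE_USER_ID_LIST);
        String roleId = (String) properties.get(PROP_ROLE_ID);
        String tenantDomain = (String) properties.get(PROP_TENANT_DOMAIN);
        if (removedUserIds == null) {
            // No list was published, so there is nobody to act on.
            return;
        }
        terminateSession(removedUserIds, roleId, tenantDomain);
    }

    /**
     * Before groups are removed from a role: ends the sessions of every member of the removed
     * groups (each user once, even if in several of them).
     */
    private void handleGroupsRemovedFromRole(Event event) throws IdentityEventException {
        Map<String, Object> properties = event.getEventProperties();
        String tenantDomain = (String) properties.get(PROP_TENANT_DOMAIN);
        List<String> removedGroupIds = stringListProperty(properties, PROP_DELETE_GROUP_ID_LIST);
        if (removedGroupIds == null) {
            // Previously an unconditional ArrayList cast, which threw NPE when the list was absent.
            return;
        }
        Set<String> memberIds = new HashSet<>();
        for (String groupId : removedGroupIds) {
            for (User member : getUserListOfGroup(groupId, tenantDomain)) {
                memberIds.add(member.getUserID());
            }
        }
        terminateSession(new ArrayList<>(memberIds), null, tenantDomain);
    }

    /**
     * Before a (v1) role is deleted or after its permissions change: ends the sessions of users
     * holding the role directly or through one of its groups.
     */
    private void handleRoleChanged(Event event) throws IdentityEventException {
        Map<String, Object> properties = event.getEventProperties();
        String roleId = (String) properties.get(PROP_ROLE_ID);
        String tenantDomain = (String) properties.get(PROP_TENANT_DOMAIN);
        try {
            RoleManagementService roleService = OAuthComponentServiceHolder.getInstance().getRoleManagementService();
            List<String> userIds = new ArrayList<>();
            for (UserBasicInfo user : roleService.getUserListOfRole(roleId, tenantDomain)) {
                userIds.add(user.getId());
            }
            List<String> groupNames = new ArrayList<>();
            for (GroupBasicInfo group : roleService.getGroupListOfRole(roleId, tenantDomain)) {
                groupNames.add(group.getName());
            }
            userIds.addAll(getUserIdsOfGroups(groupNames, tenantDomain));
            terminateSession(userIds, null, tenantDomain);
        } catch (IdentityRoleManagementException e) {
            throw new IdentityEventException("Invalid role id :" + roleId + "in tenant domain " + tenantDomain, e);
        }
    }

    /**
     * Before a (v2) role is deleted or after its permissions change: ends the sessions for the
     * role and for every role it is shared as in other tenants.
     */
    private void handleRoleV2Changed(Event event) throws IdentityEventException {
        Map<String, Object> properties = event.getEventProperties();
        String roleId = (String) properties.get(PROP_ROLE_ID);
        String tenantDomain = (String) properties.get(PROP_TENANT_DOMAIN);
        // Track the role currently being processed so a failure names that one, not the original.
        String currentRoleId = roleId;
        String currentTenantDomain = tenantDomain;
        try {
            terminateSessionsForRole(roleId, tenantDomain);
            for (RoleDTO sharedRole : OAuthComponentServiceHolder.getInstance().getRoleV2ManagementService()
                    .getSharedHybridRoles(roleId, IdentityTenantUtil.getTenantId(tenantDomain))) {
                currentTenantDomain = IdentityTenantUtil.getTenantDomain(sharedRole.getTenantId());
                currentRoleId = sharedRole.getId();
                terminateSessionsForRole(currentRoleId, currentTenantDomain);
            }
        } catch (org.wso2.carbon.identity.role.v2.mgt.core.exception.IdentityRoleManagementException e) {
            throw new IdentityEventException(
                    "Invalid role id :" + currentRoleId + "in tenant domain " + currentTenantDomain, e);
        }
    }

    /**
     * Before scopes are removed from an application's authorized API: revokes the application's
     * tokens that carry the removed scopes. Nothing happens when no scopes are removed.
     */
    private void handleAuthorizedApiUpdated(Event event) throws IdentityEventException {
        Map<String, Object> properties = event.getEventProperties();
        String applicationId = (String) properties.get(PROP_APPLICATION_ID);
        String apiId = (String) properties.get(PROP_API_ID);
        List<String> deletedScopes = stringListProperty(properties, PROP_DELETED_SCOPES);
        String tenantDomain = (String) properties.get(PROP_TENANT_DOMAIN);
        if (CollectionUtils.isEmpty(deletedScopes)) {
            return;
        }
        try {
            OAuth2ServiceComponentHolder.getInstance().getRevocationProcessor()
                    .revokeTokens(applicationId, apiId, deletedScopes, tenantDomain);
        } catch (IdentityOAuth2Exception e) {
            String message = "Error occurred while revoking access token for application resource id: " + applicationId;
            log.error(message, e);
            throw new IdentityEventException(message, e);
        }
    }

    /**
     * Before an authorized API is removed from an application: revokes the application's tokens
     * for every scope of that API.
     */
    private void handleAuthorizedApiDeleted(Event event) throws IdentityEventException {
        Map<String, Object> properties = event.getEventProperties();
        String applicationId = (String) properties.get(PROP_APPLICATION_ID);
        String apiId = (String) properties.get(PROP_API_ID);
        String tenantDomain = (String) properties.get(PROP_TENANT_DOMAIN);
        try {
            AuthorizedAPI authorizedAPI = OAuthComponentServiceHolder.getInstance()
                    .getAuthorizedAPIManagementService().getAuthorizedAPI(applicationId, apiId, tenantDomain);
            if (authorizedAPI == null) {
                // Nothing is authorized, so there are no scopes whose tokens could be revoked.
                if (log.isDebugEnabled()) {
                    log.debug("No authorized API " + apiId + " found for application " + applicationId
                            + "; skipping token revocation.");
                }
                return;
            }
            // The original filtered against the (still empty) target list, which never excluded
            // anything; distinct() gives the evidently intended one-entry-per-scope list.
            List<String> scopeNames = authorizedAPI.getScopes().stream()
                    .map(scope -> scope.getName())
                    .distinct()
                    .collect(Collectors.toList());
            if (!scopeNames.isEmpty()) {
                OAuth2ServiceComponentHolder.getInstance().getRevocationProcessor()
                        .revokeTokens(applicationId, apiId, scopeNames, tenantDomain);
            }
        } catch (IdentityOAuth2Exception | IdentityApplicationManagementException e) {
            String message = "Error occurred while revoking access token for application resource id: " + applicationId;
            log.error(message, e);
            throw new IdentityEventException(message, e);
        }
    }

    /**
     * Reads an event property that is expected to hold a list of strings.
     *
     * @return the list, or {@code null} when the property is absent or not a {@link List}
     */
    @SuppressWarnings("unchecked") // the element type cannot be checked at runtime; publishers put strings in these lists
    private static List<String> stringListProperty(Map<String, Object> properties, String key) {
        Object value = properties.get(key);
        return value instanceof List ? (List<String>) value : null;
    }

    /**
     * Ends the sessions and revokes the tokens of every user holding the given v2 role, directly
     * or through one of the role's groups.
     */
    private void terminateSessionsForRole(String roleId, String tenantDomain)
            throws org.wso2.carbon.identity.role.v2.mgt.core.exception.IdentityRoleManagementException,
            IdentityEventException {
        org.wso2.carbon.identity.role.v2.mgt.core.RoleManagementService roleService =
                OAuthComponentServiceHolder.getInstance().getRoleV2ManagementService();
        List<String> userIds = new ArrayList<>();
        for (org.wso2.carbon.identity.role.v2.mgt.core.model.UserBasicInfo user
                : roleService.getUserListOfRole(roleId, tenantDomain)) {
            userIds.add(user.getId());
        }
        List<String> groupNames = new ArrayList<>();
        for (org.wso2.carbon.identity.role.v2.mgt.core.model.GroupBasicInfo group
                : roleService.getGroupListOfRole(roleId, tenantDomain)) {
            groupNames.add(group.getName());
        }
        userIds.addAll(getUserIdsOfGroups(groupNames, tenantDomain));
        terminateSession(userIds, roleId, tenantDomain);
    }

    /**
     * Collects the IDs of the members of the given groups, resolving each group in the user store
     * domain its name carries.
     *
     * @param qualifiedGroupNames group names in {@code DOMAIN/name} form, as the role services return them
     * @return member IDs in group order; a user in several groups appears once per group
     */
    private List<String> getUserIdsOfGroups(List<String> qualifiedGroupNames, String tenantDomain)
            throws IdentityEventException {
        List<User> members = new ArrayList<>();
        for (String qualifiedName : qualifiedGroupNames) {
            updateUserListOfGroup(members, UserCoreUtil.removeDomainFromName(qualifiedName), tenantDomain,
                    UserCoreUtil.extractDomainFromName(qualifiedName));
        }
        List<String> memberIds = new ArrayList<>(members.size());
        for (User member : members) {
            memberIds.add(member.getUserID());
        }
        return memberIds;
    }

    /**
     * Appends the members of {@code groupName} (looked up in {@code userStoreDomain} of
     * {@code tenantDomain}) to {@code users}. Groups in user stores that are not
     * {@link AbstractUserStoreManager}s cannot be resolved and are skipped with a debug log.
     */
    private void updateUserListOfGroup(List<User> users, String groupName, String tenantDomain, String userStoreDomain)
            throws IdentityEventException {
        try {
            UserStoreManager userStoreManager = getUserStoreManager(tenantDomain, userStoreDomain);
            if (userStoreManager instanceof AbstractUserStoreManager) {
                users.addAll(((AbstractUserStoreManager) userStoreManager).getUserListOfRoleWithID(groupName));
            } else if (log.isDebugEnabled()) {
                log.debug("Provided user store manager for the group: " + groupName + " of userstore domain: "
                        + userStoreDomain + ", is not an instance of the AbstractUserStore manager");
            }
        } catch (UserStoreException e) {
            throw new IdentityEventException(
                    "Error while getting user list of group:" + groupName + "in tenant domain " + tenantDomain, e);
        }
    }

    /**
     * Returns the members of the group with the given ID in the tenant's primary user store
     * manager.
     *
     * @throws IdentityEventException when the tenant realm cannot be obtained or the lookup fails;
     *                                the two cases carry distinct messages
     */
    private List<User> getUserListOfGroup(String groupId, String tenantDomain) throws IdentityEventException {
        UserStoreManager userStoreManager;
        try {
            userStoreManager = (UserStoreManager) OAuthComponentServiceHolder.getInstance().getRealmService()
                    .getTenantUserRealm(IdentityTenantUtil.getTenantId(tenantDomain)).getUserStoreManager();
        } catch (org.wso2.carbon.user.api.UserStoreException e) {
            throw new IdentityEventException("Error while getting realm service in tenant domain " + tenantDomain, e);
        }
        try {
            return userStoreManager.getUserListOfGroup(groupId, (String) null, (String) null);
        } catch (UserStoreException e) {
            throw new IdentityEventException(
                    "Error while getting user list of group: " + groupId + " in tenant domain " + tenantDomain, e);
        }
    }

    /**
     * Returns the secondary user store manager for {@code userStoreDomain} in the tenant's realm.
     * The result may be {@code null} when no such domain exists; callers check the type.
     */
    private UserStoreManager getUserStoreManager(String tenantDomain, String userStoreDomain)
            throws IdentityEventException {
        try {
            return (UserStoreManager) OAuthComponentServiceHolder.getInstance().getRealmService()
                    .getTenantUserRealm(IdentityTenantUtil.getTenantId(tenantDomain)).getUserStoreManager()
                    .getSecondaryUserStoreManager(userStoreDomain);
        } catch (org.wso2.carbon.user.api.UserStoreException e) {
            throw new IdentityEventException("Error while getting realm service in tenant domain " + tenantDomain, e);
        }
    }

    /**
     * Tells whether the account-state code in the thread-local properties equals
     * {@code stateCode}. When no state was published the answer is {@code false}, i.e. no
     * revocation happens; the claim update is relied upon to set it.
     */
    private static boolean isAccountState(String stateCode) {
        Map<?, ?> properties = (Map<?, ?>) IdentityUtil.threadLocalProperties.get();
        if (properties == null) {
            return false;
        }
        return stateCode.equalsIgnoreCase((String) properties.get(PROP_USER_ACCOUNT_STATE));
    }

    /** Revokes the user's access tokens (own and associated accounts') if the account is locked. */
    private void revokeTokensOfLockedUser(String userName, UserStoreManager userStoreManager)
            throws IdentityEventException, UserStoreException {
        if (!isAccountState(ACCOUNT_STATE_LOCKED)) {
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug(String.format("User %s is locked. Hence revoking user's access tokens.", userName));
        }
        OAuth2ServiceComponentHolder.getInstance().getRevocationProcessor().revokeTokens(userName, userStoreManager);
        revokeTokensOfAssociatedUsers(userName, userStoreManager);
    }

    /** Revokes the user's outstanding authorization codes if the account is locked. */
    private void revokeCodesOfLockedUser(String userName, UserStoreManager userStoreManager)
            throws UserStoreException {
        if (!isAccountState(ACCOUNT_STATE_LOCKED)) {
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug(String.format("User %s is locked. Hence revoking user's authorization codes.", userName));
        }
        OAuthUtil.revokeAuthzCodes(userName, userStoreManager);
    }

    /** Revokes the user's access tokens (own and associated accounts') if the account is disabled. */
    private void revokeTokensOfDisabledUser(String userName, UserStoreManager userStoreManager)
            throws IdentityEventException, UserStoreException {
        if (!isAccountState(ACCOUNT_STATE_DISABLED)) {
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug(String.format("User %s is disabled. Hence revoking user's access tokens.", userName));
        }
        OAuth2ServiceComponentHolder.getInstance().getRevocationProcessor().revokeTokens(userName, userStoreManager);
        revokeTokensOfAssociatedUsers(userName, userStoreManager);
    }

    /**
     * Revokes the access tokens of every account associated with the user in other organizations
     * (the user's shared-organization accounts), each in its own tenant's user store.
     *
     * @throws IdentityEventException when the user ID cannot be resolved, an organization or
     *                                realm lookup fails, or the user store manager cannot resolve
     *                                IDs (it must be an {@link AbstractUserStoreManager})
     */
    private void revokeTokensOfAssociatedUsers(String userName, UserStoreManager userStoreManager)
            throws IdentityEventException {
        if (log.isDebugEnabled()) {
            log.debug("Revoking access tokens of associated users of user: " + userName);
        }
        if (!(userStoreManager instanceof AbstractUserStoreManager)) {
            // Fail explicitly rather than with a ClassCastException: without the ID lookup the
            // associated accounts cannot be found and their tokens would stay valid unnoticed.
            throw new IdentityEventException("Cannot resolve the user ID of user: " + userName
                    + "; the user store manager is not an AbstractUserStoreManager.");
        }
        try {
            String userId = ((AbstractUserStoreManager) userStoreManager).getUser((String) null, userName).getUserID();
            String organizationId = OAuthComponentServiceHolder.getInstance().getOrganizationManager()
                    .resolveOrganizationId(IdentityTenantUtil.getTenantDomain(userStoreManager.getTenantId()));
            List<UserAssociation> associations = OAuthComponentServiceHolder.getInstance()
                    .getOrganizationUserSharingService().getUserAssociationsOfGivenUser(userId, organizationId);
            if (CollectionUtils.isEmpty(associations)) {
                return;
            }
            for (UserAssociation association : associations) {
                String associatedTenantDomain = OAuthComponentServiceHolder.getInstance().getOrganizationManager()
                        .resolveTenantDomain(association.getOrganizationId());
                UserStoreManager associatedUserStoreManager = (UserStoreManager) OAuthComponentServiceHolder
                        .getInstance().getRealmService()
                        .getTenantUserRealm(IdentityTenantUtil.getTenantId(associatedTenantDomain))
                        .getUserStoreManager();
                String associatedUserName = ((AbstractUserStoreManager) associatedUserStoreManager)
                        .getUserNameFromUserID(association.getUserId());
                OAuth2ServiceComponentHolder.getInstance().getRevocationProcessor()
                        .revokeTokens(associatedUserName, associatedUserStoreManager);
            }
        } catch (OrganizationManagementException | org.wso2.carbon.user.api.UserStoreException e) {
            throw new IdentityEventException("Error occurred while revoking access tokens of associated users.", e);
        }
    }

    /**
     * Returns a user store manager for {@code tenantId}: the one of the thread-local Carbon
     * context when it belongs to that tenant, otherwise the tenant realm's own. Previously a
     * missing context realm produced {@code null}; now it falls back to the tenant realm.
     */
    private UserStoreManager getUserStoreManager(int tenantId) throws org.wso2.carbon.user.api.UserStoreException {
        CarbonContext carbonContext = CarbonContext.getThreadLocalCarbonContext();
        UserStoreManager userStoreManager = carbonContext.getUserRealm() == null
                ? null
                : (UserStoreManager) carbonContext.getUserRealm().getUserStoreManager();
        if (userStoreManager == null || userStoreManager.getTenantId() != tenantId) {
            userStoreManager = (UserStoreManager) OAuthComponentServiceHolder.getInstance().getRealmService()
                    .getTenantUserRealm(tenantId).getUserStoreManager();
        }
        return userStoreManager;
    }

    /**
     * Revokes the tokens and evicts the cached claims of each user in {@code userIds}.
     *
     * @param userIds      IDs of the users to act on; an empty or {@code null} list does nothing
     * @param roleId       role whose tokens are revoked, or {@code null} to revoke regardless of role
     * @param tenantDomain tenant the users belong to
     * @throws IdentityEventException when the user store manager cannot be obtained or a user's
     *                                revocation fails; users whose ID resolves to no name are
     *                                skipped with a warning instead
     */
    private void terminateSession(List<String> userIds, String roleId, String tenantDomain)
            throws IdentityEventException {
        if (CollectionUtils.isEmpty(userIds)) {
            return;
        }
        try {
            UserStoreManager userStoreManager = getUserStoreManager(IdentityTenantUtil.getTenantId(tenantDomain));
            for (String userId : userIds) {
                try {
                    String userName = FrameworkUtils.resolveUserNameFromUserId(userStoreManager, userId);
                    if (userName == null) {
                        log.warn("User name is null for user id: " + userId
                                + ". Hence skipping token revocation and session termination processes.");
                        continue;
                    }
                    OAuth2ServiceComponentHolder.getInstance().getRevocationProcessor()
                            .revokeTokens(userName, userStoreManager, roleId);
                    OAuthUtil.removeUserClaimsFromCache(userName, userStoreManager);
                } catch (UserSessionException e) {
                    String message = "Error occurred while revoking access token for user Id: " + userId;
                    log.error(message, e);
                    throw new IdentityEventException(message, e);
                }
            }
        } catch (org.wso2.carbon.user.api.UserStoreException e) {
            log.error("Error occurred while retrieving user manager", e);
            throw new IdentityEventException("Error occurred while retrieving user manager", e);
        }
    }
}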
