package org.wso2.carbon.identity.oauth2.validators.validationhandler.impl;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.Oauth2ScopeConstants;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.util.AuthzUtil;
import org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2ScopeValidator;
import org.wso2.carbon.identity.oauth2.validators.validationhandler.ScopeValidationContext;
import org.wso2.carbon.identity.oauth2.validators.validationhandler.ScopeValidationHandler;
import org.wso2.carbon.identity.oauth2.validators.validationhandler.ScopeValidationHandlerException;
import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
import org.wso2.carbon.identity.role.v2.mgt.core.RoleManagementService;
import org.wso2.carbon.identity.role.v2.mgt.core.exception.IdentityRoleManagementException;
import org.wso2.carbon.identity.role.v2.mgt.core.model.RoleBasicInfo;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/validators/validationhandler/impl/RoleBasedScopeValidationHandler.class */
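/**
 * Scope validation handler for the {@code RBAC} policy.
 *
 * <p>A requested scope is granted only when all three hold: the application is authorized for it,
 * the authenticated user holds a role that carries it, and that role is one the application (or the
 * resolved tenant's organization-audience role set) actually allows. Every early exit returns an
 * empty list, so a user without usable roles is denied rather than granted.
 *
 * <p>The class is stateless and safe to share across requests; all dependencies are resolved from
 * the OSGi service holders on each call.
 */
public class RoleBasedScopeValidationHandler implements ScopeValidationHandler {

    // Logger category is this class (the decompiled source logged under DefaultOAuth2ScopeValidator,
    // which made RBAC-handler output impossible to filter separately). Currently unused by this class.
    private static final Log LOG = LogFactory.getLog(RoleBasedScopeValidationHandler.class);

    private static final String POLICY_ID = "RBAC";
    private static final String HANDLER_NAME = "RoleBasedScopeValidationHandler";
    private static final String CLIENT_CREDENTIALS_GRANT = "client_credentials";
    private static final String ORGANIZATION_SWITCH_GRANT = "organization_switch";
    private static final String APPLICATION_USER_TYPE = "APPLICATION";
    private static final String APPLICATION_AUDIENCE = "application";
    private static final String ORGANIZATION_AUDIENCE_FILTER = "audience eq organization";

    /**
     * Decides whether this handler applies to the given validation context.
     *
     * @param scopeValidationContext context carrying the policy id, grant type and user type
     * @return {@code true} only for the {@code RBAC} policy, excluding the {@code client_credentials}
     *         grant (no end user, hence no roles to evaluate) and an {@code organization_switch}
     *         performed by an {@code APPLICATION} user
     */
    @Override
    public boolean canHandle(ScopeValidationContext scopeValidationContext) {
        if (!getPolicyID().equals(scopeValidationContext.getPolicyId())) {
            return false;
        }
        String grantType = scopeValidationContext.getGrantType();
        if (CLIENT_CREDENTIALS_GRANT.equals(grantType)) {
            return false;
        }
        boolean applicationSwitchingOrganization = ORGANIZATION_SWITCH_GRANT.equals(grantType)
                && APPLICATION_USER_TYPE.equals(scopeValidationContext.getUserType());
        return !applicationSwitchingOrganization;
    }

    /**
     * Filters the requested scopes down to those the user's roles permit.
     *
     * @param requestedScopes       scopes requested in the token request
     * @param appAuthorizedScopes   scopes the application itself is authorized for
     * @param scopeValidationContext context with the authenticated user and application id
     * @return the subset of {@code requestedScopes} (in request order) that is also present in
     *         {@code appAuthorizedScopes} and in the scopes associated with the user's allowed roles;
     *         empty when either input is empty/null, the user has no roles, or none of the user's
     *         roles are allowed for the application
     * @throws ScopeValidationHandlerException when role, scope, audience or tenant lookups fail
     */
    @Override
    public List<String> validateScopes(List<String> requestedScopes, List<String> appAuthorizedScopes,
                                       ScopeValidationContext scopeValidationContext)
            throws ScopeValidationHandlerException {

        Objects.requireNonNull(scopeValidationContext, "scopeValidationContext");
        // Nothing can be granted from an empty request or an app with no authorized scopes; skip the
        // role-management round trips entirely.
        if (requestedScopes == null || requestedScopes.isEmpty()
                || appAuthorizedScopes == null || appAuthorizedScopes.isEmpty()) {
            return new ArrayList<>();
        }
        try {
            String appId = scopeValidationContext.getAppId();
            List<String> userRoles =
                    AuthzUtil.getUserRoles(scopeValidationContext.getAuthenticatedUser(), appId);
            if (userRoles.isEmpty()) {
                return new ArrayList<>();
            }

            String tenantDomain = resolveEffectiveTenantDomain(scopeValidationContext);
            List<String> allowedRoleIds = getFilteredRoleIds(userRoles, appId, tenantDomain);
            if (allowedRoleIds.isEmpty()) {
                return new ArrayList<>();
            }

            List<String> roleScopes = AuthzUtil.getAssociatedScopesForRoles(allowedRoleIds, tenantDomain);
            if (StringUtils.isNotBlank(
                    scopeValidationContext.getAuthenticatedUser().getAccessingOrganization())) {
                // A user acting inside an accessed organization must not receive plain internal_*
                // scopes of the resident tenant; only the organization-level internal scopes survive.
                roleScopes = retainOrganizationInternalScopes(roleScopes);
            }

            // Set intersection instead of nested List.contains: same result, O(n) instead of O(n*m).
            Set<String> grantable = new HashSet<>(roleScopes);
            grantable.retainAll(new HashSet<>(appAuthorizedScopes));
            return requestedScopes.stream()
                    .filter(grantable::contains)
                    .collect(Collectors.toList());
        } catch (IdentityOAuth2Exception | IdentityRoleManagementException e) {
            throw new ScopeValidationHandlerException(
                    "Error while validation scope with RBAC Scope Validation handler", e);
        }
    }

    /**
     * Returns the tenant domain whose roles and scopes apply to this request: the user's own tenant
     * when accessing the resident organization, otherwise the tenant of the accessed organization.
     */
    private String resolveEffectiveTenantDomain(ScopeValidationContext scopeValidationContext)
            throws ScopeValidationHandlerException {

        if (AuthzUtil.isUserAccessingResidentOrganization(scopeValidationContext.getAuthenticatedUser())) {
            return scopeValidationContext.getAuthenticatedUser().getTenantDomain();
        }
        return resolveTenantDomainByOrgId(
                scopeValidationContext.getAuthenticatedUser().getAccessingOrganization());
    }

    /**
     * Drops every scope starting with {@link Oauth2ScopeConstants#INTERNAL_SCOPE_PREFIX} unless it also
     * starts with {@link Oauth2ScopeConstants#INTERNAL_ORG_SCOPE_PREFIX}; non-internal scopes pass
     * through. The input list is not modified.
     *
     * NOTE(review): the explicit retain presumably exists because the org prefix is itself an
     * extension of the internal prefix — confirm against Oauth2ScopeConstants.
     */
    private static List<String> retainOrganizationInternalScopes(List<String> roleScopes) {
        List<String> kept = new ArrayList<>(roleScopes.size());
        for (String scope : roleScopes) {
            boolean internal = scope.startsWith(Oauth2ScopeConstants.INTERNAL_SCOPE_PREFIX);
            boolean internalOrg = scope.startsWith(Oauth2ScopeConstants.INTERNAL_ORG_SCOPE_PREFIX);
            if (!internal || internalOrg) {
                kept.add(scope);
            }
        }
        return kept;
    }

    /**
     * Keeps only those of the user's role ids that the application allows: the roles directly
     * associated with the app when its allowed audience is {@code application}, otherwise every
     * organization-audience role of the tenant.
     *
     * @param userRoleIds  role ids held by the user (duplicates are collapsed)
     * @param appId        application id
     * @param tenantDomain tenant whose roles apply
     * @return distinct user role ids that are in the allowed set, in their original order
     */
    private List<String> getFilteredRoleIds(List<String> userRoleIds, String appId, String tenantDomain)
            throws ScopeValidationHandlerException, IdentityOAuth2Exception, IdentityRoleManagementException {

        List<String> candidateRoleIds;
        // A null audience falls into the organization branch (equalsIgnoreCase(null) is false).
        if (APPLICATION_AUDIENCE.equalsIgnoreCase(getApplicationAllowedAudience(appId, tenantDomain))) {
            candidateRoleIds = getRoleIdsAssociatedWithApp(appId);
        } else {
            candidateRoleIds = new ArrayList<>();
            for (RoleBasicInfo role : getAllOrganizationRoles(tenantDomain)) {
                candidateRoleIds.add(role.getId());
            }
        }
        Set<String> allowed = new HashSet<>(candidateRoleIds);
        return userRoleIds.stream()
                .distinct()
                .filter(allowed::contains)
                .collect(Collectors.toList());
    }

    /**
     * Pages through every role with audience {@code organization} in the given tenant.
     *
     * <p>Reconstructed from the bytecode the decompiler failed to restructure: fetch pages of
     * {@code IdentityUtil.getMaximumItemPerPage()} starting at offset 0, advancing the offset by the
     * size of each page, until an empty page is returned.
     *
     * @param tenantDomain tenant to list roles for
     * @return all organization-audience roles; empty when no role management service is available
     *         (which the caller treats as "no allowed roles", i.e. deny)
     * @throws IdentityRoleManagementException propagated from the role management service
     */
    private List<RoleBasicInfo> getAllOrganizationRoles(String tenantDomain)
            throws IdentityRoleManagementException {

        List<RoleBasicInfo> allRoles = new ArrayList<>();
        RoleManagementService roleManagementService =
                OAuthComponentServiceHolder.getInstance().getRoleV2ManagementService();
        if (roleManagementService == null) {
            return allRoles;
        }
        int limit = IdentityUtil.getMaximumItemPerPage();
        int offset = 0;
        List<RoleBasicInfo> page;
        // NOTE(review): termination relies on the service honouring the offset; a service that
        // ignored it and kept returning a non-empty page would never finish — confirm.
        do {
            page = roleManagementService.getRoles(ORGANIZATION_AUDIENCE_FILTER, limit, offset,
                    (String) null, (String) null, tenantDomain);
            allRoles.addAll(page);
            offset += page.size();
        } while (!page.isEmpty());
        return allRoles;
    }

    /**
     * Looks up the allowed audience configured for role association on the application.
     *
     * @return the audience string as stored by application management (may be {@code null})
     * @throws IdentityOAuth2Exception wrapping any application-management failure
     */
    private static String getApplicationAllowedAudience(String appId, String tenantDomain)
            throws IdentityOAuth2Exception {

        try {
            return OAuth2ServiceComponentHolder.getApplicationMgtService()
                    .getAllowedAudienceForRoleAssociation(appId, tenantDomain);
        } catch (IdentityApplicationManagementException e) {
            throw new IdentityOAuth2Exception(
                    "Error while retrieving allowed audience of application : " + appId, e);
        }
    }

    /**
     * Returns the ids of the roles associated with the application. The tenant is resolved from the
     * application's own tenant id, not from the requesting user.
     *
     * @throws ScopeValidationHandlerException wrapping any application-management failure
     */
    private List<String> getRoleIdsAssociatedWithApp(String appId) throws ScopeValidationHandlerException {

        ApplicationManagementService applicationManagementService =
                OAuthComponentServiceHolder.getInstance().getApplicationManagementService();
        try {
            String appTenantDomain =
                    IdentityTenantUtil.getTenantDomain(applicationManagementService.getTenantIdByApp(appId));
            List<String> roleIds = new ArrayList<>();
            for (RoleBasicInfo role
                    : applicationManagementService.getAssociatedRolesOfApplication(appId, appTenantDomain)) {
                roleIds.add(role.getId());
            }
            return roleIds;
        } catch (IdentityApplicationManagementException e) {
            throw new ScopeValidationHandlerException(
                    "Error while retrieving role id list of app : " + appId, e);
        }
    }

    /** @return the policy id this handler serves, {@code RBAC} */
    @Override
    public String getPolicyID() {
        return POLICY_ID;
    }

    /** @return the handler's registered name */
    @Override
    public String getName() {
        return HANDLER_NAME;
    }

    /**
     * Resolves the tenant domain backing an organization id.
     *
     * @throws ScopeValidationHandlerException wrapping any organization-management failure
     */
    private String resolveTenantDomainByOrgId(String organizationId) throws ScopeValidationHandlerException {

        try {
            return OAuth2ServiceComponentHolder.getInstance().getOrganizationManager()
                    .resolveTenantDomain(organizationId);
        } catch (OrganizationManagementException e) {
            throw new ScopeValidationHandlerException(
                    "Error while resolving the tenant domain of the org ID: " + organizationId, e);
        }
    }
}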
