package org.wso2.carbon.identity.oauth2.validators;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.api.resource.mgt.APIResourceMgtException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.AuthorizedScopes;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.application.common.model.ServiceProviderProperty;
import org.wso2.carbon.identity.oauth.IdentityOAuthAdminException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.OAuth2Constants;
import org.wso2.carbon.identity.oauth2.Oauth2ScopeConstants;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.dao.SharedAppResolveDAO;
import org.wso2.carbon.identity.oauth2.device.constants.Constants;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.util.AuthzUtil;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oauth2.validators.validationhandler.ScopeValidationContext;
import org.wso2.carbon.identity.oauth2.validators.validationhandler.ScopeValidationHandler;
import org.wso2.carbon.identity.oauth2.validators.validationhandler.ScopeValidationHandlerException;
import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/validators/DefaultOAuth2ScopeValidator.class */
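/**
 * Default scope validator for the authorization and token endpoints.
 *
 * The requested scopes are split into three groups and each is treated differently:
 * <ul>
 *   <li>OIDC scopes registered for the tenant are granted as requested; they are NOT passed
 *       through the policy-based scope validation handlers.</li>
 *   <li>Every other scope is evaluated against the application's authorized APIs: each
 *       {@link AuthorizedScopes} entry (one per policy) is handed to every registered
 *       {@link ScopeValidationHandler} that can handle it. Scopes allowed by the
 *       "no policy" handler are granted outright; scopes coming from policy handlers must be
 *       allowed by EVERY policy handler that ran (intersection), so a single policy denying a
 *       scope denies it overall.</li>
 *   <li>{@code SYSTEM_SCOPE} is expanded to the tenant's internal scopes plus all
 *       {@code console:*} scopes before evaluation, so it is still subject to the handlers;
 *       {@code internal_login}, however, is added to the result outside the handler pipeline
 *       (see {@link #handleInternalLoginScope}).</li>
 * </ul>
 * After evaluation the scopes that are registered as API-resource scopes for the tenant are
 * stripped from the request DTO, so that any validators running after this one only see the
 * scopes this class did not decide on.
 *
 * Review notes on behaviour inherited from the previous implementation:
 * <ul>
 *   <li>Requested scope values are client-controlled; they are written to the log at DEBUG
 *       level unescaped, so keep DEBUG off in production or accept the log-injection surface.</li>
 *   <li>A missing {@code USER_TYPE} property on a token request now fails with an
 *       {@link IdentityOAuth2Exception} instead of a {@link NullPointerException}; either way
 *       no scopes are granted.</li>
 *   <li>A {@code null} result from a scope validation handler is treated as "this policy
 *       allows nothing" (fail closed). Previously it either caused an NPE or was silently
 *       dropped from the intersection depending on whether the no-policy handler had run.</li>
 * </ul>
 */
public class DefaultOAuth2ScopeValidator {

    public static final String CLIENT_TYPE = "oauth2";
    private static final Log LOG = LogFactory.getLog(DefaultOAuth2ScopeValidator.class);
    private static final String NO_POLICY_HANDLER = "NoPolicyScopeValidationHandler";
    private static final String IS_LEGACY_APP = "isLegacyApp";
    private static final String CLIENT_CREDENTIALS_GRANT = "client_credentials";
    /** Fixed filter expression (not user input) selecting the tenant's console:* scopes. */
    private static final String CONSOLE_SCOPE_FILTER = "name sw console:";

    /**
     * Validates the scopes of an authorization (front-channel) request.
     *
     * @param authzReqMessageContext authorization request context; its request DTO is mutated
     *                               (registered API scopes are removed from the scope array).
     * @return the mutable list of granted scopes; empty when nothing was requested.
     * @throws IdentityOAuth2Exception if application, organization or scope lookups fail, or a
     *                                 scope validation handler fails.
     */
    public List<String> validateScope(OAuthAuthzReqMessageContext authzReqMessageContext)
            throws IdentityOAuth2Exception {

        String[] requested = authzReqMessageContext.getAuthorizationReqDTO().getScopes();
        if (isScopesEmpty(requested)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Requested scope list is empty. Therefore, default OAuth2 scope validation is skipped.");
            }
            return new ArrayList<>();
        }
        List<String> requestedScopes = Arrays.asList(requested);
        String tenantDomain = authzReqMessageContext.getAuthorizationReqDTO().getTenantDomain();
        AuthenticatedUser user = authzReqMessageContext.getAuthorizationReqDTO().getUser();
        String appId = resolveAppId(authzReqMessageContext.getAuthorizationReqDTO().getConsumerKey(),
                tenantDomain, user);
        // No grant type / user type is known at the authorization endpoint.
        List<String> authorizedScopes = getAuthorizedScopes(requestedScopes, user, appId, null, null, tenantDomain);
        handleInternalLoginScope(requestedScopes, authorizedScopes);
        removeRegisteredScopes(authzReqMessageContext);
        return authorizedScopes;
    }

    /**
     * Validates the scopes of a token (back-channel) request.
     *
     * @param tokenReqMessageContext token request context; must carry the {@code USER_TYPE}
     *                               property. Its scope array is mutated (registered API scopes
     *                               are removed).
     * @return the mutable list of granted scopes; empty when nothing was requested. For the
     *         client_credentials grant {@code internal_login} and {@code openid} are never
     *         granted, since there is no end user.
     * @throws IdentityOAuth2Exception if the user type is missing from the context, if
     *                                 application, organization or scope lookups fail, or a
     *                                 scope validation handler fails.
     */
    public List<String> validateScope(OAuthTokenReqMessageContext tokenReqMessageContext)
            throws IdentityOAuth2Exception {

        String[] requested = tokenReqMessageContext.getScope();
        if (isScopesEmpty(requested)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Requested scope list is empty. Therefore, default OAuth2 scope validation is skipped.");
            }
            return new ArrayList<>();
        }
        List<String> requestedScopes = Arrays.asList(requested);
        String tenantDomain = tokenReqMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain();
        AuthenticatedUser user = tokenReqMessageContext.getAuthorizedUser();
        String appId = resolveAppId(tokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId(),
                tenantDomain, user);
        String grantType = tokenReqMessageContext.getOauth2AccessTokenReqDTO().getGrantType();
        String userType = requireUserType(tokenReqMessageContext);
        List<String> authorizedScopes = getAuthorizedScopes(requestedScopes, user, appId, grantType, userType,
                tenantDomain);
        removeRegisteredScopes(tokenReqMessageContext);
        handleInternalLoginScope(requestedScopes, authorizedScopes);
        if (CLIENT_CREDENTIALS_GRANT.equals(grantType)) {
            // Machine-to-machine tokens carry no user: strip user-bound scopes even if a handler
            // (or the SYSTEM_SCOPE shortcut above) allowed them.
            authorizedScopes.remove(OAuth2Util.INTERNAL_LOGIN_SCOPE);
            authorizedScopes.remove(OAuth2Util.OPENID_SCOPE);
        }
        return authorizedScopes;
    }

    /**
     * Reads the USER_TYPE property from the token context, failing closed when it is absent.
     */
    private String requireUserType(OAuthTokenReqMessageContext tokenReqMessageContext)
            throws IdentityOAuth2Exception {

        Object userType = tokenReqMessageContext.getProperty(OAuth2Constants.OAuthColumnName.USER_TYPE);
        if (userType == null) {
            throw new IdentityOAuth2Exception(
                    "User type is not available in the token request context. Scope validation cannot proceed.");
        }
        return userType.toString();
    }

    /**
     * Resolves the application resource id for a client, following shared-application links when
     * the user is accessing a sub-organization rather than the resident organization.
     */
    private String resolveAppId(String clientId, String tenantDomain, AuthenticatedUser user)
            throws IdentityOAuth2Exception {

        String appId = getApplicationId(clientId, tenantDomain);
        if (AuthzUtil.isUserAccessingResidentOrganization(user)) {
            return appId;
        }
        return SharedAppResolveDAO.resolveSharedApplication(resolveOrgIdByTenantDomain(tenantDomain), appId,
                user.getAccessingOrganization());
    }

    /**
     * Computes the granted scopes for a request.
     *
     * @param requestedScopes scopes as requested by the client (read only).
     * @param user            authenticated user, passed to the validation handlers.
     * @param appId           application resource id.
     * @param grantType       grant type, or {@code null} for authorization requests.
     * @param userType        user type, or {@code null} for authorization requests.
     * @param tenantDomain    tenant whose scope registrations apply.
     * @return a new, mutable list: registered OIDC scopes first, then the scopes allowed by the
     *         handlers (handler part is in hash order), plus legacy aliases when configured.
     */
    private List<String> getAuthorizedScopes(List<String> requestedScopes, AuthenticatedUser user, String appId,
                                             String grantType, String userType, String tenantDomain)
            throws IdentityOAuth2Exception {

        if (LOG.isDebugEnabled()) {
            LOG.debug("Filtering OIDC scopes from requested scopes: "
                    + StringUtils.join(requestedScopes, Constants.SEPARATED_WITH_SPACE));
        }
        Set<String> requestedOIDCScopes = getRequestedOIDCScopes(tenantDomain, requestedScopes);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Requested OIDC scopes : "
                    + StringUtils.join(requestedOIDCScopes, Constants.SEPARATED_WITH_SPACE));
        }
        // Registered OIDC scopes bypass the policy handlers entirely.
        List<String> granted = new ArrayList<>(requestedOIDCScopes);
        List<String> nonOIDCScopes = removeOIDCScopes(requestedScopes, requestedOIDCScopes);
        if (nonOIDCScopes.isEmpty()) {
            return granted;
        }

        // Fetched lazily: it is a tenant-wide lookup that only two paths need.
        List<String> internalScopes = null;
        if (nonOIDCScopes.contains(Oauth2ScopeConstants.SYSTEM_SCOPE)) {
            // SYSTEM_SCOPE is a request for "everything": expand it to the concrete internal and
            // console scopes so the handlers decide on each one individually.
            internalScopes = AuthzUtil.getInternalScopes(tenantDomain);
            nonOIDCScopes.addAll(internalScopes);
            nonOIDCScopes.addAll(getConsoleScopes(tenantDomain));
        }

        Map<String, List<String>> validatedByHandler = runScopeValidationHandlers(nonOIDCScopes, user, appId,
                grantType, userType, tenantDomain);
        granted.addAll(mergeHandlerResults(validatedByHandler));

        if (OAuthServerConfiguration.getInstance().isUseLegacyScopesAsAliasForNewScopesEnabled()) {
            if (CollectionUtils.isEmpty(internalScopes)) {
                internalScopes = AuthzUtil.getInternalScopes(tenantDomain);
            }
            final List<String> internal = internalScopes;
            boolean grantsInternalScope = granted.stream().anyMatch(internal::contains);
            // Only legacy apps get the new-scope aliases, and only if an internal scope was granted.
            if (grantsInternalScope && isLegacyApp(appId, tenantDomain)) {
                AuthzUtil.addNewScopesMappedToLegacyScopes(granted, internalScopes);
            }
        }
        return granted;
    }

    /**
     * Runs every applicable scope validation handler for every authorized-API policy of the app.
     *
     * @return handler name -> scopes that handler allowed. The same map instance is also handed to
     *         each handler via the context, so a handler sees (and may build on) earlier results;
     *         a later policy overwrites the handler's previous entry.
     */
    private Map<String, List<String>> runScopeValidationHandlers(List<String> requestedScopes,
                                                                 AuthenticatedUser user, String appId,
                                                                 String grantType, String userType,
                                                                 String tenantDomain)
            throws IdentityOAuth2Exception {

        List<AuthorizedScopes> authorizedScopesByPolicy = loadAuthorizedScopes(appId, tenantDomain);
        List<ScopeValidationHandler> handlers = OAuthComponentServiceHolder.getInstance().getScopeValidationHandlers();
        Map<String, List<String>> validatedByHandler = new HashMap<>();
        for (AuthorizedScopes policyScopes : authorizedScopesByPolicy) {
            ScopeValidationContext context = new ScopeValidationContext();
            context.setAuthenticatedUser(user);
            context.setAppId(appId);
            context.setPolicyId(policyScopes.getPolicyId());
            context.setGrantType(grantType);
            context.setUserType(userType);
            for (ScopeValidationHandler handler : handlers) {
                if (!handler.canHandle(context)) {
                    continue;
                }
                context.setValidatedScopesByHandler(validatedByHandler);
                try {
                    validatedByHandler.put(handler.getName(),
                            handler.validateScopes(requestedScopes, policyScopes.getScopes(), context));
                } catch (ScopeValidationHandlerException e) {
                    throw new IdentityOAuth2Exception(
                            "Error while validating policies roles from authorization service.", e);
                }
            }
        }
        return validatedByHandler;
    }

    /**
     * Merges per-handler results: the no-policy handler's scopes are granted as-is, every other
     * handler's scopes are intersected so that a scope must be allowed by all policy handlers.
     * A {@code null} handler result counts as an empty allow-list (fail closed).
     */
    private Set<String> mergeHandlerResults(Map<String, List<String>> validatedByHandler) {

        Set<String> merged = new HashSet<>(nullToEmpty(validatedByHandler.get(NO_POLICY_HANDLER)));
        List<String> policyIntersection = null;
        for (Map.Entry<String, List<String>> entry : validatedByHandler.entrySet()) {
            if (NO_POLICY_HANDLER.equals(entry.getKey())) {
                continue;
            }
            List<String> allowed = nullToEmpty(entry.getValue());
            if (policyIntersection == null) {
                policyIntersection = allowed;
            } else {
                policyIntersection = policyIntersection.stream()
                        .filter(allowed::contains)
                        .collect(Collectors.toList());
            }
        }
        if (policyIntersection != null) {
            merged.addAll(policyIntersection);
        }
        return merged;
    }

    private static List<String> nullToEmpty(List<String> scopes) {

        return scopes == null ? Collections.<String>emptyList() : scopes;
    }

    private List<AuthorizedScopes> loadAuthorizedScopes(String appId, String tenantDomain)
            throws IdentityOAuth2Exception {

        try {
            return OAuth2ServiceComponentHolder.getInstance().getAuthorizedAPIManagementService()
                    .getAuthorizedScopes(appId, tenantDomain);
        } catch (IdentityApplicationManagementException e) {
            throw new IdentityOAuth2Exception("Error while retrieving authorized scopes for app : " + appId
                    + " tenant domain : " + tenantDomain, (Throwable) e);
        }
    }

    /** Names of all API-resource scopes of the tenant whose name starts with "console:". */
    private List<String> getConsoleScopes(String tenantDomain) throws IdentityOAuth2Exception {

        try {
            return OAuth2ServiceComponentHolder.getInstance().getApiResourceManager()
                    .getScopesByTenantDomain(tenantDomain, CONSOLE_SCOPE_FILTER).stream()
                    .map((v0) -> v0.getName())
                    .collect(Collectors.toCollection(ArrayList::new));
        } catch (APIResourceMgtException e) {
            throw new IdentityOAuth2Exception("Error while retrieving console scopes for tenant domain : "
                    + tenantDomain, (Throwable) e);
        }
    }

    /** Names of all API-resource scopes registered for the tenant (no filter). */
    private List<String> getRegisteredScopes(String tenantDomain) throws IdentityOAuth2Exception {

        try {
            return OAuth2ServiceComponentHolder.getInstance().getApiResourceManager()
                    .getScopesByTenantDomain(tenantDomain, (String) null).stream()
                    .map((v0) -> v0.getName())
                    .collect(Collectors.toCollection(ArrayList::new));
        } catch (APIResourceMgtException e) {
            throw new IdentityOAuth2Exception("Error while retrieving internal scopes for tenant domain : "
                    + tenantDomain, (Throwable) e);
        }
    }

    /**
     * Removes every registered API-resource scope from the authorization request's scope array,
     * leaving only the scopes this validator did not decide on for later validators.
     */
    private void removeRegisteredScopes(OAuthAuthzReqMessageContext authzReqMessageContext)
            throws IdentityOAuth2Exception {

        String[] scopes = authzReqMessageContext.getAuthorizationReqDTO().getScopes();
        if (scopes == null) {
            return;
        }
        String tenantDomain = authzReqMessageContext.getAuthorizationReqDTO().getTenantDomain();
        authzReqMessageContext.getAuthorizationReqDTO().setScopes(filterOutRegisteredScopes(scopes, tenantDomain));
    }

    /** Token-request counterpart of {@link #removeRegisteredScopes(OAuthAuthzReqMessageContext)}. */
    private void removeRegisteredScopes(OAuthTokenReqMessageContext tokenReqMessageContext)
            throws IdentityOAuth2Exception {

        String[] scopes = tokenReqMessageContext.getScope();
        if (scopes == null) {
            return;
        }
        String tenantDomain = tokenReqMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain();
        tokenReqMessageContext.setScope(filterOutRegisteredScopes(scopes, tenantDomain));
    }

    /**
     * Returns the requested scopes that are NOT registered as API-resource scopes in the tenant,
     * preserving order and duplicates. Registered scopes are looked up from a set, since a tenant
     * can have thousands of them.
     */
    private String[] filterOutRegisteredScopes(String[] requestedScopes, String tenantDomain)
            throws IdentityOAuth2Exception {

        Set<String> registeredScopes = new HashSet<>(getRegisteredScopes(tenantDomain));
        List<String> remaining = new ArrayList<>();
        for (String scope : requestedScopes) {
            if (!registeredScopes.contains(scope)) {
                remaining.add(scope);
            }
        }
        return remaining.toArray(new String[0]);
    }

    /**
     * The distinct requested scopes that are registered OIDC scopes of the tenant.
     */
    private Set<String> getRequestedOIDCScopes(String tenantDomain, List<String> requestedScopes)
            throws IdentityOAuth2Exception {

        try {
            List<String> registeredOIDCScopes =
                    OAuth2ServiceComponentHolder.getInstance().getOAuthAdminService().getRegisteredOIDCScope(tenantDomain);
            return requestedScopes.stream()
                    .distinct()
                    .filter(registeredOIDCScopes::contains)
                    .collect(Collectors.toSet());
        } catch (IdentityOAuthAdminException e) {
            throw new IdentityOAuth2Exception("Error while retrieving oidc scopes for tenant domain : "
                    + tenantDomain, (Throwable) e);
        }
    }

    /** Distinct requested scopes minus the given OIDC scopes, as a new mutable list. */
    private List<String> removeOIDCScopes(List<String> requestedScopes, Set<String> oidcScopes) {

        return requestedScopes.stream()
                .distinct()
                .filter(scope -> !oidcScopes.contains(scope))
                .collect(Collectors.toList());
    }

    private String getApplicationId(String clientId, String tenantDomain) throws IdentityOAuth2Exception {

        try {
            return OAuth2ServiceComponentHolder.getApplicationMgtService()
                    .getApplicationResourceIDByInboundKey(clientId, CLIENT_TYPE, tenantDomain);
        } catch (IdentityApplicationManagementException e) {
            throw new IdentityOAuth2Exception("Error while retrieving application resource id for client : "
                    + clientId + " tenant : " + tenantDomain, (Throwable) e);
        }
    }

    private boolean isScopesEmpty(String[] scopes) {

        return ArrayUtils.isEmpty(scopes);
    }

    private String resolveOrgIdByTenantDomain(String tenantDomain) throws IdentityOAuth2Exception {

        try {
            return OAuth2ServiceComponentHolder.getInstance().getOrganizationManager()
                    .resolveOrganizationId(tenantDomain);
        } catch (OrganizationManagementException e) {
            throw new IdentityOAuth2Exception("Error occurred while resolving organization for tenant domain: "
                    + tenantDomain, (Throwable) e);
        }
    }

    /**
     * Grants {@code internal_login} whenever the client asked for it or for {@code SYSTEM_SCOPE}.
     * NOTE(review): this is not subject to the scope validation handlers; the only later check is
     * the client_credentials strip in {@link #validateScope(OAuthTokenReqMessageContext)}.
     */
    private static void handleInternalLoginScope(List<String> requestedScopes, List<String> authorizedScopes) {

        boolean asked = requestedScopes.contains(Oauth2ScopeConstants.SYSTEM_SCOPE)
                || requestedScopes.contains(OAuth2Util.INTERNAL_LOGIN_SCOPE);
        if (asked && !authorizedScopes.contains(OAuth2Util.INTERNAL_LOGIN_SCOPE)) {
            authorizedScopes.add(OAuth2Util.INTERNAL_LOGIN_SCOPE);
        }
    }

    /** True when the service provider carries the "isLegacyApp" property set to a true-ish value. */
    private boolean isLegacyApp(String appId, String tenantDomain) throws IdentityOAuth2Exception {

        try {
            ServiceProvider application = OAuthComponentServiceHolder.getInstance()
                    .getApplicationManagementService().getApplicationByResourceId(appId, tenantDomain);
            if (application == null || application.getSpProperties() == null) {
                return false;
            }
            for (ServiceProviderProperty property : application.getSpProperties()) {
                if (IS_LEGACY_APP.equals(property.getName()) && Boolean.parseBoolean(property.getValue())) {
                    return true;
                }
            }
            return false;
        } catch (IdentityApplicationManagementException e) {
            throw new IdentityOAuth2Exception("Error while retrieving service provider for app id : " + appId
                    + " tenant domain : " + tenantDomain, (Throwable) e);
        }
    }
}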
