package org.wso2.carbon.identity.oauth2.impersonation.validators;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.impersonation.models.ImpersonationContext;
import org.wso2.carbon.identity.oauth2.impersonation.models.ImpersonationRequestDTO;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2ScopeValidator;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/impersonation/validators/SubjectScopeValidator.class */
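/**
 * Impersonation validator that computes the approved scopes for an impersonation request by
 * running the default OAuth2 scope validation as the requested subject (the impersonated user).
 *
 * <p>Security note: while scopes are validated, the user on the authorization request DTO is
 * temporarily replaced with the requested subject. The impersonator is always restored
 * afterwards, including when scope validation fails, so the request never keeps carrying the
 * subject's identity as its authenticated user.
 */
public class SubjectScopeValidator implements ImpersonationValidator {
    private static final String NAME = "SubjectScopeValidator";
    private static final Log LOG = LogFactory.getLog(SubjectScopeValidator.class);
    private DefaultOAuth2ScopeValidator scopeValidator = new DefaultOAuth2ScopeValidator();

    /**
     * Returns the priority value of this validator.
     *
     * @return the constant 80
     */
    @Override // org.wso2.carbon.identity.oauth2.impersonation.validators.ImpersonationValidator
    public int getPriority() {
        return 80;
    }

    /**
     * Returns the name under which this validator is identified.
     *
     * @return {@code "SubjectScopeValidator"}
     */
    @Override // org.wso2.carbon.identity.oauth2.impersonation.validators.ImpersonationValidator
    public String getImpersonationValidatorName() {
        return NAME;
    }

    /**
     * Validates the requested scopes on behalf of the requested subject and stores the result as
     * the approved scopes of the authorization message context.
     *
     * <p>Side effects on the message context: the request DTO's scopes are overwritten with the
     * context's requested scopes, the approved scopes are set from the scope validator's result,
     * and the DTO's user is set to the impersonator taken from the impersonation request.
     *
     * @param impersonationContext context holding the impersonation request to validate
     * @return the same context instance, marked as validated
     * @throws IdentityOAuth2Exception if the requested subject cannot be resolved to a local user
     *     or scope validation fails
     */
    @Override // org.wso2.carbon.identity.oauth2.impersonation.validators.ImpersonationValidator
    public ImpersonationContext validateImpersonation(ImpersonationContext impersonationContext) throws IdentityOAuth2Exception {
        ImpersonationRequestDTO impersonationRequestDTO = impersonationContext.getImpersonationRequestDTO();
        OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext = impersonationRequestDTO.getoAuthAuthzReqMessageContext();
        String tenantDomain = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getTenantDomain();
        String requestedSubjectId = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getRequestedSubjectId();
        oAuthAuthzReqMessageContext.getAuthorizationReqDTO().setScopes(oAuthAuthzReqMessageContext.getRequestedScopes());
        AuthenticatedUser impersonator = impersonationRequestDTO.getImpersonator();

        // Resolve the subject before touching the DTO's user: a lookup failure then leaves the
        // request exactly as it was.
        AuthenticatedUser subject = getAuthenticatedSubjectUser(requestedSubjectId, tenantDomain);
        oAuthAuthzReqMessageContext.getAuthorizationReqDTO().setUser(subject);
        try {
            oAuthAuthzReqMessageContext.setApprovedScope((String[]) this.scopeValidator.validateScope(oAuthAuthzReqMessageContext).toArray(new String[0]));
        } finally {
            // Always put the impersonator back. Without this, an exception from scope validation
            // would leave the impersonated subject set as the request's user for any later code
            // that reuses this message context.
            oAuthAuthzReqMessageContext.getAuthorizationReqDTO().setUser(impersonator);
        }
        impersonationContext.setValidated(true);
        return impersonationContext;
    }

    /**
     * Builds an {@link AuthenticatedUser} for the requested subject.
     *
     * @param str user id of the requested subject
     * @param str2 tenant domain used to resolve the user id to a username
     * @return the resolved user with its user id and authenticated subject identifier set to
     *     {@code str}
     * @throws IdentityOAuth2Exception with error code {@code invalid_request} if the user store
     *     lookup fails
     */
    private AuthenticatedUser getAuthenticatedSubjectUser(String str, String str2) throws IdentityOAuth2Exception {
        try {
            // NOTE(review): the resolved username is passed on unchecked; confirm how
            // OAuth2Util behaves when no user matches the id.
            AuthenticatedUser userFromUserName = OAuth2Util.getUserFromUserName(OAuth2Util.resolveUsernameFromUserId(str2, str));
            userFromUserName.setUserId(str);
            userFromUserName.setAuthenticatedSubjectIdentifier(str);
            return userFromUserName;
        } catch (UserStoreException e) {
            // Keep the cause so the underlying user store failure is not lost to operators.
            throw new IdentityOAuth2Exception("invalid_request", "Use mapped local subject is mandatory but a local user couldn't be found", e);
        }
    }
}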
