package org.wso2.carbon.identity.oauth.dcr.service;

import com.google.gson.Gson;
import com.nimbusds.jwt.SignedJWT;
import java.lang.reflect.InvocationTargetException;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Pattern;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.AssociatedRolesConfig;
import org.wso2.carbon.identity.application.common.model.InboundAuthenticationConfig;
import org.wso2.carbon.identity.application.common.model.InboundAuthenticationRequestConfig;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.application.common.model.ServiceProviderProperty;
import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
import org.wso2.carbon.identity.application.mgt.ApplicationMgtUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.Error;
import org.wso2.carbon.identity.oauth.IdentityOAuthAdminException;
import org.wso2.carbon.identity.oauth.IdentityOAuthClientException;
import org.wso2.carbon.identity.oauth.OAuthAdminService;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dcr.DCRConfigurationMgtServiceImpl;
import org.wso2.carbon.identity.oauth.dcr.DCRMConstants;
import org.wso2.carbon.identity.oauth.dcr.bean.Application;
import org.wso2.carbon.identity.oauth.dcr.bean.ApplicationRegistrationRequest;
import org.wso2.carbon.identity.oauth.dcr.bean.ApplicationUpdateRequest;
import org.wso2.carbon.identity.oauth.dcr.exception.DCRMClientException;
import org.wso2.carbon.identity.oauth.dcr.exception.DCRMException;
import org.wso2.carbon.identity.oauth.dcr.exception.DCRMServerException;
import org.wso2.carbon.identity.oauth.dcr.handler.AdditionalAttributeFilter;
import org.wso2.carbon.identity.oauth.dcr.internal.DCRDataHolder;
import org.wso2.carbon.identity.oauth.dcr.model.DCRConfiguration;
import org.wso2.carbon.identity.oauth.dcr.util.DCRConstants;
import org.wso2.carbon.identity.oauth.dcr.util.DCRMUtils;
import org.wso2.carbon.identity.oauth.dcr.util.ErrorCodes;
import org.wso2.carbon.identity.oauth.dto.OAuthConsumerAppDTO;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.util.JWTSignatureValidationUtils;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/oauth/dcr/service/DCRMService.class */
public class DCRMService {
    // Inbound authentication type value for OAuth2; deleteApplication passes the same text as a literal.
    private static final String AUTH_TYPE_OAUTH_2 = "oauth2";
    // OAuth version label; not referenced by the methods visible in this part of the class.
    private static final String OAUTH_VERSION = "OAuth-2.0";
    // Delimiter used to join and split the grant-type list stored on the OAuth app DTO.
    private static final String GRANT_TYPE_SEPARATOR = " ";
    // Name of the service-provider property that holds the application's display name.
    private static final String APP_DISPLAY_NAME = "DisplayName";
    // Presumably the configuration key for the JWKS used to validate software statements;
    // its use is not visible in this part of the class - confirm against validateSSASignature.
    private static final String SSA_VALIDATION_JWKS = "OAuth.DCRM.SoftwareStatementJWKS";
    private static final Log log = LogFactory.getLog(DCRMService.class);
    // Non-final static collaborators: all DCRMService instances share these two objects.
    private static OAuthAdminService oAuthAdminService = new OAuthAdminService();
    private static DCRConfigurationMgtServiceImpl dcrConfigurationMgtService = new DCRConfigurationMgtServiceImpl();
    // Starts as null; where it is compiled and applied is not visible in this part of the class.
    private static Pattern clientIdRegexPattern = null;

    /**
     * Returns the DCR view of the OAuth application registered under the given client id.
     *
     * <p>The caller's authorization is checked inside {@code getApplicationById} only when
     * {@code DCRMUtils.isApplicationRolePermissionRequired()} returns {@code true}; when it returns
     * {@code false} the lookup skips {@code isUserAuthorized}. The result is produced by
     * {@code buildResponse}, which copies the consumer secret into it, so whatever access control
     * sits in front of this method decides who can read client secrets.
     *
     * <p>If the {@code OAuth.DCRM.AdditionalAttributeFilter} property is set, the class it names is
     * instantiated reflectively on each call and post-processes the stored service-provider
     * properties whose names appear in the filter's response-key list. The class name is read
     * through {@code IdentityUtil.getProperty}, never from the request.
     *
     * @param str client id (consumer key) of the application to read
     * @return the application, including any additional attributes produced by the filter
     * @throws DCRMException if validation or lookup fails; a {@code DCRMServerException} is thrown
     *                       when the configured filter class cannot be loaded or instantiated
     */
    public Application getApplication(String str) throws DCRMException {
        validateRequestTenantDomain(str);
        boolean enforceUserCheck = DCRMUtils.isApplicationRolePermissionRequired();
        OAuthConsumerAppDTO oauthApp = getApplicationById(str, enforceUserCheck);
        String spName = oauthApp.getApplicationName();
        String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
        ServiceProvider serviceProvider = getServiceProvider(spName, tenantDomain);

        // The JWKS URI lives on the service provider; copy it over only when one is stored.
        String storedJwksUri = serviceProvider.getJwksUri();
        if (!StringUtils.isEmpty(storedJwksUri)) {
            oauthApp.setJwksURI(storedJwksUri);
        }

        Application response = buildResponse(oauthApp, tenantDomain);
        response.setExtAllowedAudience(serviceProvider.getAssociatedRolesConfig().getAllowedAudience());

        String filterClassName = IdentityUtil.getProperty("OAuth.DCRM.AdditionalAttributeFilter");
        if (StringUtils.isBlank(filterClassName)) {
            // No filter configured: the response carries no additional attributes.
            return response;
        }
        try {
            AdditionalAttributeFilter filter = (AdditionalAttributeFilter) Class.forName(filterClassName).getDeclaredConstructor().newInstance();
            List<String> exposedKeys = filter.getResponseAttributeKeys();
            // Only properties the filter lists as response keys are handed to it.
            HashMap<String, String> storedAttributes = Arrays.stream(serviceProvider.getSpProperties())
                    .filter(prop -> exposedKeys.contains(prop.getName()))
                    .collect(HashMap::new, (acc, prop) -> acc.put(prop.getName(), prop.getValue()), HashMap::putAll);
            response.setAdditionalAttributes(filter.processDCRGetAttributes((Map) storedAttributes));
        } catch (ClassNotFoundException | IllegalAccessException | InstantiationException | NoSuchMethodException | InvocationTargetException e) {
            log.error("Configured DCR additional attribute handler cannot be loaded");
            throw new DCRMServerException("server_error", DCRMConstants.ErrorMessages.ADDITIONAL_ATTRIBUTE_ERROR.getMessage(), e);
        }
        return response;
    }

    /**
     * Returns the DCR view of the OAuth application whose service provider has the given name.
     *
     * <p>Checks run in this order: non-empty name, service provider exists in the caller's tenant,
     * OAuth app data can be loaded, and finally {@code isUserAuthorized} on the app's consumer key.
     * Because the existence checks come before the authorization check, a caller who is not
     * authorized gets a different error for an existing name than for an unknown one.
     * The result is built by {@code buildResponse}, which includes the consumer secret.
     *
     * @param str application (service provider) name
     * @return the application registered under that name
     * @throws DCRMException client error for a missing name, unknown application or unauthorized
     *                       user; server error when loading the application fails otherwise
     */
    public Application getApplicationByName(String str) throws DCRMException {
        if (StringUtils.isEmpty(str)) {
            throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.BAD_REQUEST_INSUFFICIENT_DATA, null);
        }
        String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
        boolean spKnown = isServiceProviderExist(str, tenantDomain);
        if (!spKnown) {
            throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.NOT_FOUND_APPLICATION_WITH_NAME, str);
        }
        try {
            OAuthConsumerAppDTO oauthApp = oAuthAdminService.getOAuthApplicationDataByAppName(str);
            String consumerKey = oauthApp.getOauthConsumerKey();
            boolean callerAllowed = isUserAuthorized(consumerKey);
            if (!callerAllowed) {
                throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.FORBIDDEN_UNAUTHORIZED_USER, str);
            }
            Application response = buildResponse(oauthApp, tenantDomain);
            response.setExtAllowedAudience(getServiceProvider(str, tenantDomain).getAssociatedRolesConfig().getAllowedAudience());
            return response;
        } catch (IdentityOAuthAdminException e) {
            // An "invalid client" code means there is no OAuth app behind the name; anything else is a server fault.
            boolean unknownClient = Error.INVALID_OAUTH_CLIENT.getErrorCode().equals(e.getErrorCode());
            if (!unknownClient) {
                throw DCRMUtils.generateServerException(DCRMConstants.ErrorMessages.FAILED_TO_GET_APPLICATION, str, e);
            }
            throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.NOT_FOUND_OAUTH_APPLICATION_WITH_NAME, str);
        }
    }

    /**
     * Registers a new OAuth application from a DCR registration request.
     *
     * <p>This entry point performs no checks of its own; all validation of the request happens in
     * {@code createOAuthApplication}.
     *
     * @param applicationRegistrationRequest the registration request
     * @return the registered application
     * @throws DCRMException if the request is rejected or registration fails
     */
    public Application registerApplication(ApplicationRegistrationRequest applicationRegistrationRequest) throws DCRMException {
        Application registered = createOAuthApplication(applicationRegistrationRequest);
        return registered;
    }

    /**
     * Deletes the OAuth application with the given client id.
     *
     * <p>The application is loaded through the one-argument {@code getApplicationById}, which always
     * runs the {@code isUserAuthorized} check. If the client id maps to the service provider name
     * {@code "default"}, only the OAuth application is removed; otherwise the associated service
     * provider is deleted.
     *
     * @param str client id (consumer key) of the application to delete
     * @throws DCRMException if validation, authorization or lookup fails, or if the service provider
     *                       name cannot be retrieved
     */
    public void deleteApplication(String str) throws DCRMException {
        validateRequestTenantDomain(str);
        OAuthConsumerAppDTO oauthApp = getApplicationById(str);
        String requestingUser = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUsername();
        String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
        try {
            String consumerKey = oauthApp.getOauthConsumerKey();
            String boundSpName = DCRDataHolder.getInstance().getApplicationManagementService().getServiceProviderNameByClientId(consumerKey, "oauth2", tenantDomain);
            boolean hasOwnServiceProvider = !StringUtils.equals(boundSpName, "default");
            if (hasOwnServiceProvider) {
                if (log.isDebugEnabled()) {
                    log.debug("The application with consumer key: " + consumerKey + " has an association with the service provider: " + boundSpName);
                }
                deleteServiceProvider(boundSpName, tenantDomain, requestingUser);
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("The application with consumer key: " + consumerKey + " doesn't have an associated service provider.");
                }
                deleteOAuthApplicationWithoutAssociatedSP(oauthApp, tenantDomain, requestingUser);
            }
        } catch (IdentityApplicationManagementException e) {
            throw new DCRMException("Error while retrieving the service provider.", (Throwable) e);
        }
    }

    /**
     * Updates the OAuth application identified by the given client id and, when the request carries
     * a client name, its service provider as well.
     *
     * <p>The method works in two stages. The first stage runs only for a non-empty client name and
     * covers the service provider: name conflict and regex checks, software-statement validation,
     * additional-attribute filtering, display name, JWKS URI, and the persisted rename. The second
     * stage copies request fields onto the OAuth app DTO, persists it, and builds the response from
     * a fresh read of the application.
     *
     * @param applicationUpdateRequest requested changes
     * @param str client id (consumer key) of the application to update
     * @return the updated application as re-read after the update
     * @throws DCRMException client error for invalid input, conflicts, a software statement that
     *                       fails validation or rejected client metadata; server error when the
     *                       additional-attribute filter cannot be loaded or the update fails
     */
    public Application updateApplication(ApplicationUpdateRequest applicationUpdateRequest, String str) throws DCRMException {
        validateRequestTenantDomain(str);
        // One-argument overload: the isUserAuthorized check is always applied to the client id.
        OAuthConsumerAppDTO applicationById = getApplicationById(str);
        String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
        // NOTE(review): a non-blank owner in the request body takes precedence over the username of the
        // current context and is later passed to updateServiceProvider - confirm that callers are
        // allowed to act on behalf of the owner they name.
        String extApplicationOwner = StringUtils.isNotBlank(applicationUpdateRequest.getExtApplicationOwner()) ? applicationUpdateRequest.getExtApplicationOwner() : PrivilegedCarbonContext.getThreadLocalCarbonContext().getUsername();
        String clientName = applicationUpdateRequest.getClientName();
        AdditionalAttributeFilter additionalAttributeFilter = null;
        Map<String, Object> map = null;
        ServiceProvider serviceProvider = getServiceProvider(applicationById.getApplicationName(), tenantDomain);
        // Stage 1: service-provider changes. Everything in this branch is skipped when no client name is sent.
        if (StringUtils.isNotEmpty(clientName)) {
            // A rename must not collide with another service provider in the same tenant.
            if (!applicationById.getApplicationName().equals(clientName) && isServiceProviderExist(clientName, tenantDomain)) {
                throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.CONFLICT_EXISTING_APPLICATION, clientName);
            }
            if (!DCRMUtils.isRegexValidated(clientName)) {
                throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.BAD_REQUEST_INVALID_SP_NAME, DCRMUtils.getSPValidatorRegex(), null);
            }
            if (serviceProvider == null) {
                throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.FAILED_TO_GET_SP, applicationById.getApplicationName(), null);
            }
            Map<String, Object> map2 = null;
            if (StringUtils.isNotEmpty(applicationUpdateRequest.getSoftwareStatement())) {
                try {
                    // The signature is validated before any claim is read from the statement.
                    // NOTE(review): validateSSASignature is not visible here - confirm what it does when no
                    // validation key set is configured.
                    validateSSASignature(applicationUpdateRequest.getSoftwareStatement());
                    map2 = getSSAClaims(applicationUpdateRequest.getSoftwareStatement());
                } catch (IdentityOAuth2Exception e) {
                    throw new DCRMClientException("invalid_software_statement", DCRMConstants.ErrorMessages.SIGNATURE_VALIDATION_FAILED.getMessage(), e);
                }
            }
            // The filter class name is read through IdentityUtil.getProperty, not from the request.
            String property = IdentityUtil.getProperty("OAuth.DCRM.AdditionalAttributeFilter");
            if (StringUtils.isNotBlank(property)) {
                try {
                    additionalAttributeFilter = (AdditionalAttributeFilter) Class.forName(property).getDeclaredConstructor(new Class[0]).newInstance(new Object[0]);
                    // Filtering runs when there are SSA claims or the request carries additional attributes.
                    if (map2 != null || !applicationUpdateRequest.getAdditionalAttributes().isEmpty()) {
                        map = additionalAttributeFilter.filterDCRUpdateAttributes(applicationUpdateRequest, map2, serviceProvider.getSpProperties());
                        addSPProperties(map, serviceProvider, true);
                    }
                } catch (ClassNotFoundException | IllegalAccessException | InstantiationException | NoSuchMethodException | InvocationTargetException e2) {
                    log.error("Configured DCR additional attribute handler cannot be loaded");
                    throw new DCRMServerException("server_error", DCRMConstants.ErrorMessages.ADDITIONAL_ATTRIBUTE_ERROR.getMessage(), e2);
                }
            }
            // The display name from the request is written as given, with no null or empty check here.
            updateServiceProviderPropertyList(serviceProvider, applicationUpdateRequest.getExtApplicationDisplayName());
            if (StringUtils.isNotEmpty(applicationUpdateRequest.getJwksURI())) {
                serviceProvider.setJwksUri(applicationUpdateRequest.getJwksURI());
            }
            // The rename is applied to a clone, and the clone is what gets persisted.
            ServiceProvider cloneServiceProvider = cloneServiceProvider(serviceProvider);
            cloneServiceProvider.setApplicationName(clientName);
            updateServiceProvider(cloneServiceProvider, tenantDomain, extApplicationOwner);
        }
        // Stage 2: OAuth application changes.
        try {
            if (StringUtils.isNotEmpty(clientName)) {
                // Same regex check as in stage 1; an invalid name has already been rejected there.
                if (!DCRMUtils.isRegexValidated(clientName)) {
                    throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.BAD_REQUEST_INVALID_SP_NAME, DCRMUtils.getSPValidatorRegex(), null);
                }
                applicationById.setApplicationName(clientName);
            }
            if (!applicationUpdateRequest.getGrantTypes().isEmpty()) {
                applicationById.setGrantTypes(StringUtils.join(applicationUpdateRequest.getGrantTypes(), GRANT_TYPE_SEPARATOR));
            }
            if (!applicationUpdateRequest.getRedirectUris().isEmpty()) {
                // Redirect URIs are validated against the request's grant types before being stored.
                applicationById.setCallbackUrl(validateAndSetCallbackURIs(applicationUpdateRequest.getRedirectUris(), applicationUpdateRequest.getGrantTypes()));
            }
            // The extension token type wins over the plain token type when both are present.
            if (applicationUpdateRequest.getExtTokenType() != null) {
                applicationById.setTokenType(applicationUpdateRequest.getExtTokenType());
            } else if (applicationUpdateRequest.getTokenType() != null) {
                applicationById.setTokenType(applicationUpdateRequest.getTokenType());
            }
            if (StringUtils.isNotEmpty(applicationUpdateRequest.getBackchannelLogoutUri())) {
                applicationById.setBackChannelLogoutUrl(validateBackchannelLogoutURI(applicationUpdateRequest.getBackchannelLogoutUri()));
            }
            // Token lifetimes are copied only when present; no range check is applied in this method.
            if (applicationUpdateRequest.getExtApplicationTokenLifetime() != null) {
                applicationById.setApplicationAccessTokenExpiryTime(applicationUpdateRequest.getExtApplicationTokenLifetime().longValue());
            }
            if (applicationUpdateRequest.getExtUserTokenLifetime() != null) {
                applicationById.setUserAccessTokenExpiryTime(applicationUpdateRequest.getExtUserTokenLifetime().longValue());
            }
            if (applicationUpdateRequest.getExtRefreshTokenLifetime() != null) {
                applicationById.setRefreshTokenExpiryTime(applicationUpdateRequest.getExtRefreshTokenLifetime().longValue());
            }
            if (applicationUpdateRequest.getExtIdTokenLifetime() != null) {
                applicationById.setIdTokenExpiryTime(applicationUpdateRequest.getExtIdTokenLifetime().longValue());
            }
            if (applicationUpdateRequest.getTokenEndpointAuthMethod() != null) {
                applicationById.setTokenEndpointAuthMethod(applicationUpdateRequest.getTokenEndpointAuthMethod());
            }
            // Written unconditionally, unlike the null-guarded fields around it.
            applicationById.setTokenEndpointAllowReusePvtKeyJwt(applicationUpdateRequest.isTokenEndpointAllowReusePvtKeyJwt());
            if (applicationUpdateRequest.getTokenEndpointAuthSignatureAlgorithm() != null) {
                applicationById.setTokenEndpointAuthSignatureAlgorithm(applicationUpdateRequest.getTokenEndpointAuthSignatureAlgorithm());
            }
            if (applicationUpdateRequest.getSectorIdentifierURI() != null) {
                applicationById.setSectorIdentifierURI(applicationUpdateRequest.getSectorIdentifierURI());
            }
            if (applicationUpdateRequest.getIdTokenSignatureAlgorithm() != null) {
                applicationById.setIdTokenSignatureAlgorithm(applicationUpdateRequest.getIdTokenSignatureAlgorithm());
            }
            if (applicationUpdateRequest.getIdTokenEncryptionAlgorithm() != null) {
                applicationById.setIdTokenEncryptionAlgorithm(applicationUpdateRequest.getIdTokenEncryptionAlgorithm());
            }
            if (applicationUpdateRequest.getIdTokenEncryptionMethod() != null) {
                applicationById.setIdTokenEncryptionMethod(applicationUpdateRequest.getIdTokenEncryptionMethod());
            }
            if (applicationUpdateRequest.getRequestObjectSignatureAlgorithm() != null) {
                applicationById.setRequestObjectSignatureAlgorithm(applicationUpdateRequest.getRequestObjectSignatureAlgorithm());
            }
            if (applicationUpdateRequest.getTlsClientAuthSubjectDN() != null) {
                applicationById.setTlsClientAuthSubjectDN(applicationUpdateRequest.getTlsClientAuthSubjectDN());
            }
            if (applicationUpdateRequest.getSubjectType() != null) {
                applicationById.setSubjectType(applicationUpdateRequest.getSubjectType());
            }
            if (applicationUpdateRequest.getRequestObjectEncryptionAlgorithm() != null) {
                applicationById.setRequestObjectEncryptionAlgorithm(applicationUpdateRequest.getRequestObjectEncryptionAlgorithm());
            }
            if (applicationUpdateRequest.getRequestObjectEncryptionMethod() != null) {
                applicationById.setRequestObjectEncryptionMethod(applicationUpdateRequest.getRequestObjectEncryptionMethod());
            }
            // Written unconditionally from the request's boolean accessors.
            applicationById.setRequestObjectSignatureValidationEnabled(applicationUpdateRequest.isRequireSignedRequestObject());
            applicationById.setRequirePushedAuthorizationRequests(applicationUpdateRequest.isRequirePushedAuthorizationRequests());
            // Certificate binding is switched on only when a "certificate" token binder is registered;
            // if the request asks for it and none is registered, the binding type is left untouched
            // and no error is raised.
            if (!applicationUpdateRequest.isTlsClientCertificateBoundAccessTokens()) {
                applicationById.setTokenBindingType("None");
            } else if (DCRDataHolder.getInstance().getTokenBinders().stream().anyMatch(tokenBinder -> {
                return "certificate".equals(tokenBinder.getBindingType());
            })) {
                applicationById.setTokenBindingType("certificate");
                applicationById.setTokenBindingValidationEnabled(true);
            }
            // NOTE(review): PKCE and public-client flags are overwritten on every update with whatever the
            // request accessors return; an update that omits them presumably stores the bean's default
            // and can thereby relax these settings - confirm against ApplicationUpdateRequest.
            applicationById.setPkceMandatory(applicationUpdateRequest.isExtPkceMandatory());
            applicationById.setPkceSupportPlain(applicationUpdateRequest.isExtPkceSupportPlain());
            applicationById.setBypassClientCredentials(applicationUpdateRequest.isExtPublicClient());
            oAuthAdminService.updateConsumerApplication(applicationById);
            // NOTE(review): the allowed audience is set on the in-memory service provider after
            // updateServiceProvider was already called above, and no later persist call is visible in
            // this method - confirm whether this value is saved anywhere.
            if (StringUtils.isNotEmpty(applicationUpdateRequest.getExtAllowedAudience()) && (applicationUpdateRequest.getExtAllowedAudience().equalsIgnoreCase(DCRConstants.ORG_ROLE_AUDIENCE) || applicationUpdateRequest.getExtAllowedAudience().equalsIgnoreCase("application"))) {
                AssociatedRolesConfig associatedRolesConfig = new AssociatedRolesConfig();
                associatedRolesConfig.setAllowedAudience(applicationUpdateRequest.getExtAllowedAudience().toLowerCase());
                serviceProvider.setAssociatedRolesConfig(associatedRolesConfig);
            }
            // The response is built from a fresh read, which runs the authorization check again.
            OAuthConsumerAppDTO applicationById2 = getApplicationById(str);
            // The JWKS URI and software statement in the response are echoed from the request.
            // NOTE(review): when no client name was sent, stage 1 was skipped, so the echoed software
            // statement has not been signature-checked and the echoed JWKS URI has not been stored.
            applicationById2.setJwksURI(applicationUpdateRequest.getJwksURI());
            Application buildResponse = buildResponse(applicationById2, tenantDomain);
            buildResponse.setSoftwareStatement(applicationUpdateRequest.getSoftwareStatement());
            buildResponse.setExtAllowedAudience(serviceProvider.getAssociatedRolesConfig().getAllowedAudience());
            // map is only assigned after the filter was instantiated, so the filter is non-null here.
            if (map != null) {
                List<String> responseAttributeKeys = additionalAttributeFilter.getResponseAttributeKeys();
                // Only attributes the filter lists as response keys are returned to the client.
                buildResponse.setAdditionalAttributes((Map) map.entrySet().stream().filter(entry -> {
                    return responseAttributeKeys.contains(entry.getKey());
                }).collect(HashMap::new, (hashMap, entry2) -> {
                    hashMap.put((String) entry2.getKey(), entry2.getValue());
                }, (v0, v1) -> {
                    v0.putAll(v1);
                }));
            }
            return buildResponse;
        } catch (IdentityOAuthAdminException e3) {
            throw DCRMUtils.generateServerException(DCRMConstants.ErrorMessages.FAILED_TO_UPDATE_APPLICATION, str, e3);
        } catch (IdentityOAuthClientException e4) {
            // The underlying exception message is passed through to the DCR client error.
            throw new DCRMClientException("invalid_client_metadata", e4.getMessage(), e4);
        }
    }

    /**
     * Sets the {@code DisplayName} property of the service provider to the given value.
     *
     * <p>The first existing property with that name is updated in place; if there is none, a new
     * property is appended to the array. The value is stored as passed, including {@code null}.
     *
     * @param serviceProvider service provider whose property list is modified
     * @param str display name to store
     */
    private void updateServiceProviderPropertyList(ServiceProvider serviceProvider, String str) {
        ServiceProviderProperty[] current = serviceProvider.getSpProperties();
        ServiceProviderProperty existing = null;
        for (ServiceProviderProperty candidate : current) {
            if (candidate.getName().equals(APP_DISPLAY_NAME)) {
                existing = candidate;
                break;
            }
        }
        if (existing != null) {
            existing.setValue(str);
            serviceProvider.setSpProperties(current);
            return;
        }
        ServiceProviderProperty displayName = new ServiceProviderProperty();
        displayName.setName(APP_DISPLAY_NAME);
        displayName.setValue(str);
        serviceProvider.setSpProperties((ServiceProviderProperty[]) ArrayUtils.add(current, displayName));
    }

    /**
     * Reads the value of the first {@code DisplayName} property of the service provider.
     *
     * @param serviceProvider service provider to read from
     * @return the stored display name, or {@code null} when the property is absent or has no value
     */
    private String getDisplayNameProperty(ServiceProvider serviceProvider) {
        Optional<String> displayName = Arrays.stream(serviceProvider.getSpProperties())
                .filter(candidate -> candidate.getName().equals(APP_DISPLAY_NAME))
                .findFirst()
                .map(match -> match.getValue());
        return displayName.orElse(null);
    }

    /**
     * Loads the OAuth application for the given client id with the user authorization check
     * always enabled.
     *
     * @param str client id (consumer key)
     * @return the OAuth application data
     * @throws DCRMException if the id is invalid, unknown, or the user is not authorized
     */
    private OAuthConsumerAppDTO getApplicationById(String str) throws DCRMException {
        final boolean enforceUserAuthorization = true;
        return getApplicationById(str, enforceUserAuthorization);
    }

    /**
     * Loads the OAuth application for the given client id, optionally checking that the current
     * user is authorized for it.
     *
     * <p>When {@code z} is {@code false}, {@code isUserAuthorized} is not called at all, so the
     * caller of this method is then responsible for access control. The "not found" outcome is
     * decided before the authorization check, which means an unauthorized caller receives a
     * different error for an existing client id than for an unknown one.
     *
     * @param str client id (consumer key)
     * @param z whether to enforce the {@code isUserAuthorized} check
     * @return the OAuth application data
     * @throws DCRMException client error for an empty or unknown id or an unauthorized user;
     *                       server error when the lookup fails for another reason
     */
    private OAuthConsumerAppDTO getApplicationById(String str, boolean z) throws DCRMException {
        if (StringUtils.isEmpty(str)) {
            throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.BAD_REQUEST_INVALID_INPUT, "Invalid client_id");
        }
        try {
            OAuthConsumerAppDTO found = oAuthAdminService.getOAuthApplicationData(str);
            boolean missing = found == null || StringUtils.isEmpty(found.getApplicationName());
            if (missing) {
                throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.NOT_FOUND_APPLICATION_WITH_ID, str);
            }
            if (z && !isUserAuthorized(str)) {
                throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.FORBIDDEN_UNAUTHORIZED_USER, str);
            }
            return found;
        } catch (IdentityOAuthAdminException e) {
            // An InvalidOAuthClientException cause is reported as "not found"; everything else is a server fault.
            boolean unknownClient = e.getCause() instanceof InvalidOAuthClientException;
            if (!unknownClient) {
                throw DCRMUtils.generateServerException(DCRMConstants.ErrorMessages.FAILED_TO_GET_APPLICATION_BY_ID, str, e);
            }
            throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.NOT_FOUND_APPLICATION_WITH_ID, str);
        }
    }

    /**
     * Creates a service provider and an OAuth application for a DCR registration request and links
     * the two.
     *
     * <p>Order of work: resolve the owner, validate the client name and uniqueness of name and
     * client id, enforce and validate the software statement, run the optional additional-attribute
     * filter, create the service provider, create the OAuth app, then update the service provider
     * with the OAuth app details. Failures after the service provider exists trigger the rollback
     * steps in the catch blocks at the end.
     *
     * @param applicationRegistrationRequest the registration request
     * @return the registered application, including the client secret set by {@code buildResponse}
     * @throws DCRMException client error for invalid or conflicting input or a missing/invalid
     *                       software statement; server error when the tenant admin cannot be
     *                       resolved or the additional-attribute filter cannot be loaded
     */
    private Application createOAuthApplication(ApplicationRegistrationRequest applicationRegistrationRequest) throws DCRMException {
        ServiceProvider createServiceProvider;
        // NOTE(review): a non-blank owner in the request body takes precedence over the username of the
        // current context - confirm that callers are allowed to register applications for that owner.
        String extApplicationOwner = StringUtils.isNotBlank(applicationRegistrationRequest.getExtApplicationOwner()) ? applicationRegistrationRequest.getExtApplicationOwner() : PrivilegedCarbonContext.getThreadLocalCarbonContext().getUsername();
        String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
        if (StringUtils.isBlank(extApplicationOwner)) {
            DCRConfiguration dCRConfiguration = dcrConfigurationMgtService.getDCRConfiguration();
            // A missing "authentication required" setting is treated as true. Only when the setting is
            // explicitly false does a request without an owner fall back to the tenant admin user,
            // so such registrations end up owned by the admin account.
            if (!(dCRConfiguration.getAuthenticationRequired() != null ? dCRConfiguration.getAuthenticationRequired().booleanValue() : true)) {
                try {
                    extApplicationOwner = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserRealm().getRealmConfiguration().getAdminUserName();
                } catch (UserStoreException e) {
                    throw new DCRMServerException(String.format(DCRMConstants.ErrorMessages.FAILED_TO_GET_TENANT_ADMIN.getMessage(), new Object[0]), (Throwable) e);
                }
            }
        }
        String clientName = applicationRegistrationRequest.getClientName();
        String spTemplateName = applicationRegistrationRequest.getSpTemplateName();
        // NOTE(review): the management-app flag is taken from the request and handed to
        // createServiceProvider unchanged; no check on who may set it is visible in this method.
        boolean isManagementApp = applicationRegistrationRequest.isManagementApp();
        if (!DCRMUtils.isRegexValidated(clientName)) {
            throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.BAD_REQUEST_INVALID_SP_NAME, DCRMUtils.getSPValidatorRegex(), null);
        }
        if (isServiceProviderExist(clientName, tenantDomain)) {
            throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.CONFLICT_EXISTING_APPLICATION, clientName);
        }
        // A client id supplied by the request is only checked for prior existence at this point.
        if (StringUtils.isNotEmpty(applicationRegistrationRequest.getConsumerKey()) && isClientIdExist(applicationRegistrationRequest.getConsumerKey())) {
            throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.CONFLICT_EXISTING_CLIENT_ID, applicationRegistrationRequest.getConsumerKey());
        }
        if (isSSAMandated() && StringUtils.isEmpty(applicationRegistrationRequest.getSoftwareStatement())) {
            throw new DCRMClientException("invalid_software_statement", DCRMConstants.ErrorMessages.MANDATORY_SOFTWARE_STATEMENT.getMessage());
        }
        Map<String, Object> map = null;
        if (StringUtils.isNotEmpty(applicationRegistrationRequest.getSoftwareStatement())) {
            try {
                // The signature is validated before any claim is read from the statement.
                // NOTE(review): validateSSASignature is not visible here - confirm what it does when no
                // validation key set is configured.
                validateSSASignature(applicationRegistrationRequest.getSoftwareStatement());
                map = getSSAClaims(applicationRegistrationRequest.getSoftwareStatement());
            } catch (IdentityOAuth2Exception e2) {
                throw new DCRMClientException("invalid_software_statement", DCRMConstants.ErrorMessages.SIGNATURE_VALIDATION_FAILED.getMessage(), e2);
            }
        }
        Map<String, Object> map2 = null;
        AdditionalAttributeFilter additionalAttributeFilter = null;
        // The filter class name is read through IdentityUtil.getProperty, not from the request.
        String property = IdentityUtil.getProperty("OAuth.DCRM.AdditionalAttributeFilter");
        if (StringUtils.isNotBlank(property)) {
            try {
                additionalAttributeFilter = (AdditionalAttributeFilter) Class.forName(property).getDeclaredConstructor(new Class[0]).newInstance(new Object[0]);
                // Filtering runs when there are SSA claims or the request carries additional attributes.
                if (map != null || !applicationRegistrationRequest.getAdditionalAttributes().isEmpty()) {
                    map2 = additionalAttributeFilter.filterDCRRegisterAttributes(applicationRegistrationRequest, map);
                }
                createServiceProvider = createServiceProvider(extApplicationOwner, tenantDomain, clientName, spTemplateName, isManagementApp, map2);
            } catch (ClassNotFoundException | IllegalAccessException | InstantiationException | NoSuchMethodException | InvocationTargetException e3) {
                log.error("Configured DCR additional attribute handler cannot be loaded");
                throw new DCRMServerException("server_error", DCRMConstants.ErrorMessages.ADDITIONAL_ATTRIBUTE_ERROR.getMessage(), e3);
            }
        } else {
            createServiceProvider = createServiceProvider(extApplicationOwner, tenantDomain, clientName, spTemplateName, isManagementApp);
        }
        // Only the organization audience is accepted here; updateApplication additionally accepts
        // "application". NOTE(review): confirm the difference is intended.
        if (StringUtils.isNotEmpty(applicationRegistrationRequest.getExtAllowedAudience()) && applicationRegistrationRequest.getExtAllowedAudience().equalsIgnoreCase(DCRConstants.ORG_ROLE_AUDIENCE)) {
            AssociatedRolesConfig associatedRolesConfig = new AssociatedRolesConfig();
            associatedRolesConfig.setAllowedAudience(applicationRegistrationRequest.getExtAllowedAudience().toLowerCase());
            createServiceProvider.setAssociatedRolesConfig(associatedRolesConfig);
        }
        try {
            OAuthConsumerAppDTO createOAuthApp = createOAuthApp(applicationRegistrationRequest, extApplicationOwner, tenantDomain, clientName);
            // The display name from the request is written as given, with no null or empty check here.
            updateServiceProviderPropertyList(createServiceProvider, applicationRegistrationRequest.getExtApplicationDisplayName());
            if (StringUtils.isNotEmpty(applicationRegistrationRequest.getJwksURI())) {
                createServiceProvider.setJwksUri(applicationRegistrationRequest.getJwksURI());
            }
            try {
                updateServiceProviderWithOAuthAppDetails(createServiceProvider, createOAuthApp, extApplicationOwner, tenantDomain);
                // The JWKS URI and software statement in the response are echoed from the request.
                createOAuthApp.setJwksURI(applicationRegistrationRequest.getJwksURI());
                Application buildResponse = buildResponse(createOAuthApp, tenantDomain);
                buildResponse.setSoftwareStatement(applicationRegistrationRequest.getSoftwareStatement());
                // Relies on getAssociatedRolesConfig() being non-null even when no audience was set above.
                buildResponse.setExtAllowedAudience(createServiceProvider.getAssociatedRolesConfig().getAllowedAudience());
                // map2 is only assigned after the filter was instantiated, so the filter is non-null here.
                if (map2 != null) {
                    List<String> responseAttributeKeys = additionalAttributeFilter.getResponseAttributeKeys();
                    // Only attributes the filter lists as response keys are returned to the client.
                    buildResponse.setAdditionalAttributes((Map) map2.entrySet().stream().filter(entry -> {
                        return responseAttributeKeys.contains(entry.getKey());
                    }).collect(HashMap::new, (hashMap, entry2) -> {
                        hashMap.put((String) entry2.getKey(), entry2.getValue());
                    }, (v0, v1) -> {
                        v0.putAll(v1);
                    }));
                }
                return buildResponse;
            } catch (DCRMException e4) {
                // Rollback of the OAuth app goes through the public deleteApplication, which repeats
                // tenant validation and the authorization check. NOTE(review): if that call throws,
                // its exception replaces e4; and the rethrown e4 is caught by the outer catch below,
                // which then also calls deleteServiceProvider.
                deleteApplication(createOAuthApp.getOauthConsumerKey());
                throw e4;
            }
        } catch (DCRMException e5) {
            if (log.isDebugEnabled()) {
                log.debug("OAuth app: " + clientName + " registration failed in tenantDomain: " + tenantDomain + ". Deleting the service provider: " + clientName + " to rollback.");
            }
            // NOTE(review): confirm deleteServiceProvider tolerates a service provider that the inner
            // rollback has already removed; otherwise its failure hides the original error.
            deleteServiceProvider(clientName, tenantDomain, extApplicationOwner);
            throw e5;
        }
    }

    /**
     * Tells whether the DCR configuration requires a software statement on registration.
     *
     * @return {@code true} only when the configured value equals {@code Boolean.TRUE}; an unset
     *         value counts as not mandated
     * @throws DCRMServerException if the DCR configuration cannot be read
     */
    private boolean isSSAMandated() throws DCRMServerException {
        Boolean mandateSsa = dcrConfigurationMgtService.getDCRConfiguration().getMandateSSA();
        return Boolean.TRUE.equals(mandateSsa);
    }

    /**
     * Maps stored OAuth application data onto the DCR {@link Application} response model.
     *
     * <p>The returned object carries the client secret, so it should not be written to logs or
     * caches as a whole.
     *
     * @param oAuthConsumerAppDTO OAuth application data to copy from
     * @param str tenant domain used for the service-provider lookup that supplies the display name
     * @return the populated response object
     * @throws DCRMException if the service-provider lookup fails
     */
    private Application buildResponse(OAuthConsumerAppDTO oAuthConsumerAppDTO, String str) throws DCRMException {
        final OAuthConsumerAppDTO app = oAuthConsumerAppDTO;
        final Application response = new Application();

        // Client identity and credentials.
        response.setClientName(app.getApplicationName());
        response.setClientId(app.getOauthConsumerKey());
        response.setClientSecret(app.getOauthConsumerSecret());

        // The stored callback value is returned as a single list element. When several URIs were
        // registered that value is the "regexp=(...)" string built by validateAndSetCallbackURIs.
        List<String> redirectUris = new ArrayList<String>();
        redirectUris.add(app.getCallbackUrl());
        response.setRedirectUris(redirectUris);

        // Grant types are stored as one separator-joined string; an empty value maps to an empty list.
        List<String> grantTypes;
        if (StringUtils.isNotEmpty(app.getGrantTypes())) {
            grantTypes = Arrays.asList(app.getGrantTypes().split(GRANT_TYPE_SEPARATOR));
        } else {
            grantTypes = new ArrayList<String>();
        }
        response.setGrantTypes(grantTypes);

        ServiceProvider serviceProvider = getServiceProvider(app.getApplicationName(), str);
        response.setExtApplicationDisplayName(getDisplayNameProperty(serviceProvider));
        response.setExtApplicationOwner(app.getUsername());

        // Token lifetimes.
        response.setExtApplicationTokenLifetime(Long.valueOf(app.getApplicationAccessTokenExpiryTime()));
        response.setExtUserTokenLifetime(Long.valueOf(app.getUserAccessTokenExpiryTime()));
        response.setExtRefreshTokenLifetime(Long.valueOf(app.getRefreshTokenExpiryTime()));
        response.setExtIdTokenLifetime(Long.valueOf(app.getIdTokenExpiryTime()));

        // PKCE and public-client flags.
        response.setExtPkceMandatory(Boolean.valueOf(app.getPkceMandatory()));
        response.setExtPkceSupportPlain(Boolean.valueOf(app.getPkceSupportPlain()));
        response.setExtPublicClient(Boolean.valueOf(app.isBypassClientCredentials()));

        // Token type, keys and client authentication at the token endpoint.
        response.setExtTokenType(app.getTokenType());
        response.setJwksURI(app.getJwksURI());
        response.setTokenEndpointAuthMethod(app.getTokenEndpointAuthMethod());
        response.setTokenEndpointAllowReusePvtKeyJwt(app.isTokenEndpointAllowReusePvtKeyJwt());
        response.setTokenEndpointAuthSignatureAlgorithm(app.getTokenEndpointAuthSignatureAlgorithm());
        response.setSectorIdentifierURI(app.getSectorIdentifierURI());

        // ID token signing and encryption.
        response.setIdTokenSignatureAlgorithm(app.getIdTokenSignatureAlgorithm());
        response.setIdTokenEncryptionAlgorithm(app.getIdTokenEncryptionAlgorithm());
        response.setIdTokenEncryptionMethod(app.getIdTokenEncryptionMethod());

        // Request object handling, TLS client authentication and subject type.
        response.setRequestObjectSignatureValidationEnabled(app.isRequestObjectSignatureValidationEnabled());
        response.setRequestObjectSignatureAlgorithm(app.getRequestObjectSignatureAlgorithm());
        response.setTlsClientAuthSubjectDN(app.getTlsClientAuthSubjectDN());
        response.setSubjectType(app.getSubjectType());
        response.setRequestObjectEncryptionAlgorithm(app.getRequestObjectEncryptionAlgorithm());
        response.setRequestObjectEncryptionMethod(app.getRequestObjectEncryptionMethod());
        response.setRequirePushedAuthorizationRequests(app.getRequirePushedAuthorizationRequests());

        // Certificate-bound access tokens are reported only for the "certificate" binding type;
        // for any other binding type the setter is not called.
        boolean certificateBound = "certificate".equals(app.getTokenBindingType());
        if (certificateBound) {
            response.setTlsClientCertificateBoundAccessTokens(true);
        }
        return response;
    }

    /**
     * Attaches the OAuth application to the service provider as its only inbound "oauth2"
     * configuration, marks the service provider as non-SaaS and persists the change.
     *
     * @param serviceProvider service provider to update (mutated in place)
     * @param oAuthConsumerAppDTO OAuth application whose consumer key becomes the inbound auth key
     * @param str forwarded as the third argument of {@code updateServiceProvider}
     * @param str2 forwarded as the second argument of {@code updateServiceProvider}
     * @throws DCRMException if persisting the service provider fails
     */
    private void updateServiceProviderWithOAuthAppDetails(ServiceProvider serviceProvider, OAuthConsumerAppDTO oAuthConsumerAppDTO, String str, String str2) throws DCRMException {
        InboundAuthenticationRequestConfig oauthInbound = new InboundAuthenticationRequestConfig();
        oauthInbound.setInboundAuthKey(oAuthConsumerAppDTO.getOauthConsumerKey());
        oauthInbound.setInboundAuthType("oauth2");

        // Replaces any inbound configuration already on the service provider with this single entry.
        InboundAuthenticationConfig inboundConfig = new InboundAuthenticationConfig();
        inboundConfig.setInboundAuthenticationRequestConfigs(new InboundAuthenticationRequestConfig[] {oauthInbound});
        serviceProvider.setInboundAuthenticationConfig(inboundConfig);

        // Applications registered through this path are never flagged as SaaS applications.
        serviceProvider.setSaasApp(false);
        updateServiceProvider(serviceProvider, str2, str);
    }

    /**
     * Builds an {@link OAuthConsumerAppDTO} from a DCR registration request and registers it through
     * {@code oAuthAdminService}.
     *
     * <p>Most fields are copied from the request only when present, so absent values keep the DTO
     * defaults. Redirect URIs, the back-channel logout URI and a caller-supplied client id are
     * validated here; the other request values are copied without further checks in this method.
     *
     * @param applicationRegistrationRequest registration request supplied by the caller
     * @param str user name recorded as the application owner
     * @param str2 tenant name, used only in debug log messages in this method
     * @param str3 application name
     * @return the application data returned by the registration call
     * @throws DCRMException on an invalid redirect URI, back-channel logout URI or client id, when the
     *         registration call fails, or when it returns {@code null}
     */
    private OAuthConsumerAppDTO createOAuthApp(ApplicationRegistrationRequest applicationRegistrationRequest, String str, String str2, String str3) throws DCRMException {
        OAuthConsumerAppDTO oAuthConsumerAppDTO = new OAuthConsumerAppDTO();
        oAuthConsumerAppDTO.setApplicationName(str3);
        oAuthConsumerAppDTO.setUsername(str);
        // Redirect URIs are validated first, so an invalid URI is reported before any other problem.
        oAuthConsumerAppDTO.setCallbackUrl(validateAndSetCallbackURIs(applicationRegistrationRequest.getRedirectUris(), applicationRegistrationRequest.getGrantTypes()));
        oAuthConsumerAppDTO.setGrantTypes(StringUtils.join(applicationRegistrationRequest.getGrantTypes(), GRANT_TYPE_SEPARATOR));
        oAuthConsumerAppDTO.setOAuthVersion(OAUTH_VERSION);
        // The extension token type takes precedence over the plain token type when both are present.
        if (applicationRegistrationRequest.getExtTokenType() != null) {
            oAuthConsumerAppDTO.setTokenType(applicationRegistrationRequest.getExtTokenType());
        } else if (applicationRegistrationRequest.getTokenType() != null) {
            oAuthConsumerAppDTO.setTokenType(applicationRegistrationRequest.getTokenType());
        }
        oAuthConsumerAppDTO.setBackChannelLogoutUrl(validateBackchannelLogoutURI(applicationRegistrationRequest.getBackchannelLogoutUri()));
        // A caller-chosen client id is accepted only if it matches the server-configured pattern.
        if (StringUtils.isNotEmpty(applicationRegistrationRequest.getConsumerKey())) {
            String clientIdValidationRegex = OAuthServerConfiguration.getInstance().getClientIdValidationRegex();
            if (!clientIdMatchesRegex(applicationRegistrationRequest.getConsumerKey(), clientIdValidationRegex)) {
                throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.BAD_REQUEST_CLIENT_ID_VIOLATES_PATTERN, clientIdValidationRegex);
            }
            oAuthConsumerAppDTO.setOauthConsumerKey(applicationRegistrationRequest.getConsumerKey());
        }
        // NOTE(review): a caller-chosen client secret is copied as-is; no length or strength check is
        // visible in this method - confirm that one is enforced by the registration service.
        if (StringUtils.isNotEmpty(applicationRegistrationRequest.getConsumerSecret())) {
            oAuthConsumerAppDTO.setOauthConsumerSecret(applicationRegistrationRequest.getConsumerSecret());
        }
        // Token lifetimes are taken from the request when present; no bounds are applied here.
        if (applicationRegistrationRequest.getExtApplicationTokenLifetime() != null) {
            oAuthConsumerAppDTO.setApplicationAccessTokenExpiryTime(applicationRegistrationRequest.getExtApplicationTokenLifetime().longValue());
        }
        if (applicationRegistrationRequest.getExtUserTokenLifetime() != null) {
            oAuthConsumerAppDTO.setUserAccessTokenExpiryTime(applicationRegistrationRequest.getExtUserTokenLifetime().longValue());
        }
        if (applicationRegistrationRequest.getExtRefreshTokenLifetime() != null) {
            oAuthConsumerAppDTO.setRefreshTokenExpiryTime(applicationRegistrationRequest.getExtRefreshTokenLifetime().longValue());
        }
        if (applicationRegistrationRequest.getExtIdTokenLifetime() != null) {
            oAuthConsumerAppDTO.setIdTokenExpiryTime(applicationRegistrationRequest.getExtIdTokenLifetime().longValue());
        }
        if (applicationRegistrationRequest.getTokenEndpointAuthMethod() != null) {
            oAuthConsumerAppDTO.setTokenEndpointAuthMethod(applicationRegistrationRequest.getTokenEndpointAuthMethod());
        }
        oAuthConsumerAppDTO.setTokenEndpointAllowReusePvtKeyJwt(applicationRegistrationRequest.isTokenEndpointAllowReusePvtKeyJwt());
        if (applicationRegistrationRequest.getTokenEndpointAuthSignatureAlgorithm() != null) {
            oAuthConsumerAppDTO.setTokenEndpointAuthSignatureAlgorithm(applicationRegistrationRequest.getTokenEndpointAuthSignatureAlgorithm());
        }
        if (applicationRegistrationRequest.getSectorIdentifierURI() != null) {
            oAuthConsumerAppDTO.setSectorIdentifierURI(applicationRegistrationRequest.getSectorIdentifierURI());
        }
        if (applicationRegistrationRequest.getIdTokenSignatureAlgorithm() != null) {
            oAuthConsumerAppDTO.setIdTokenSignatureAlgorithm(applicationRegistrationRequest.getIdTokenSignatureAlgorithm());
        }
        // Supplying an ID token encryption algorithm also switches ID token encryption on.
        if (applicationRegistrationRequest.getIdTokenEncryptionAlgorithm() != null) {
            oAuthConsumerAppDTO.setIdTokenEncryptionAlgorithm(applicationRegistrationRequest.getIdTokenEncryptionAlgorithm());
            oAuthConsumerAppDTO.setIdTokenEncryptionEnabled(true);
        }
        if (applicationRegistrationRequest.getIdTokenEncryptionMethod() != null) {
            oAuthConsumerAppDTO.setIdTokenEncryptionMethod(applicationRegistrationRequest.getIdTokenEncryptionMethod());
        }
        if (applicationRegistrationRequest.getRequestObjectSignatureAlgorithm() != null) {
            oAuthConsumerAppDTO.setRequestObjectSignatureAlgorithm(applicationRegistrationRequest.getRequestObjectSignatureAlgorithm());
        }
        if (applicationRegistrationRequest.getTlsClientAuthSubjectDN() != null) {
            oAuthConsumerAppDTO.setTlsClientAuthSubjectDN(applicationRegistrationRequest.getTlsClientAuthSubjectDN());
        }
        if (applicationRegistrationRequest.getSubjectType() != null) {
            oAuthConsumerAppDTO.setSubjectType(applicationRegistrationRequest.getSubjectType());
        }
        if (applicationRegistrationRequest.getRequestObjectEncryptionAlgorithm() != null) {
            oAuthConsumerAppDTO.setRequestObjectEncryptionAlgorithm(applicationRegistrationRequest.getRequestObjectEncryptionAlgorithm());
        }
        if (applicationRegistrationRequest.getRequestObjectEncryptionMethod() != null) {
            oAuthConsumerAppDTO.setRequestObjectEncryptionMethod(applicationRegistrationRequest.getRequestObjectEncryptionMethod());
        }
        oAuthConsumerAppDTO.setRequestObjectSignatureValidationEnabled(applicationRegistrationRequest.isRequireSignedRequestObject());
        oAuthConsumerAppDTO.setRequirePushedAuthorizationRequests(applicationRegistrationRequest.isRequirePushedAuthorizationRequests());
        // Token binding: "None" unless certificate-bound tokens were requested AND a "certificate"
        // token binder is registered.
        // NOTE(review): when they are requested but no such binder exists, neither branch runs and the
        // binding type keeps the DTO default, so the request is not honoured and no error is raised here.
        if (!applicationRegistrationRequest.isTlsClientCertificateBoundAccessTokens()) {
            oAuthConsumerAppDTO.setTokenBindingType("None");
        } else if (DCRDataHolder.getInstance().getTokenBinders().stream().anyMatch(tokenBinder -> {
            return "certificate".equals(tokenBinder.getBindingType());
        })) {
            oAuthConsumerAppDTO.setTokenBindingType("certificate");
            oAuthConsumerAppDTO.setTokenBindingValidationEnabled(true);
        }
        // PKCE and public-client flags come straight from the request; a public client bypasses
        // client-credential checks (setBypassClientCredentials).
        oAuthConsumerAppDTO.setPkceMandatory(applicationRegistrationRequest.isExtPkceMandatory());
        oAuthConsumerAppDTO.setPkceSupportPlain(applicationRegistrationRequest.isExtPkceSupportPlain());
        oAuthConsumerAppDTO.setBypassClientCredentials(applicationRegistrationRequest.isExtPublicClient());
        // FAPI conformance follows the DCR configuration only when FAPI validation is enabled server-wide.
        // The booleanValue() call unboxes, so a null getEnableFapiEnforcement() would throw here.
        if (Boolean.parseBoolean(IdentityUtil.getProperty("OAuth.OpenIDConnect.FAPI.EnableFAPIValidation"))) {
            oAuthConsumerAppDTO.setFapiConformanceEnabled(dcrConfigurationMgtService.getDCRConfiguration().getEnableFapiEnforcement().booleanValue());
        }
        if (log.isDebugEnabled()) {
            log.debug("Creating OAuth Application: " + str3 + " in tenant: " + str2);
        }
        try {
            OAuthConsumerAppDTO registerAndRetrieveOAuthApplicationData = oAuthAdminService.registerAndRetrieveOAuthApplicationData(oAuthConsumerAppDTO);
            if (log.isDebugEnabled()) {
                log.debug("Created OAuth Application: " + str3 + " in tenant: " + str2);
            }
            // A null result is treated as a server-side registration failure.
            if (registerAndRetrieveOAuthApplicationData == null) {
                throw DCRMUtils.generateServerException(DCRMConstants.ErrorMessages.FAILED_TO_REGISTER_APPLICATION, str3);
            }
            return registerAndRetrieveOAuthApplicationData;
        } catch (IdentityOAuthAdminException e) {
            throw DCRMUtils.generateServerException(DCRMConstants.ErrorMessages.FAILED_TO_REGISTER_APPLICATION, str3, e);
        } catch (IdentityOAuthClientException e2) {
            // The underlying exception message becomes the description of the client error.
            throw new DCRMClientException("invalid_client_metadata", e2.getMessage(), e2);
        }
    }

    /**
     * Creates a service provider without additional service-provider properties.
     *
     * <p>Delegates to the six-argument overload, passing {@code null} for the property map.
     *
     * @param str user name of the owner
     * @param str2 tenant domain of the owner
     * @param str3 application name
     * @param str4 template name, may be {@code null}
     * @param z whether the application is flagged as a management application
     * @return the service provider as read back after creation
     * @throws DCRMException if creation or the read-back fails
     */
    private ServiceProvider createServiceProvider(String str, String str2, String str3, String str4, boolean z) throws DCRMException {
        final Map<String, Object> noExtraProperties = null;
        return createServiceProvider(str, str2, str3, str4, z, noExtraProperties);
    }

    /**
     * Creates a service provider for a dynamically registered application and reads it back.
     *
     * @param str user name of the owner
     * @param str2 tenant domain of the owner
     * @param str3 application name
     * @param str4 template name, may be {@code null}
     * @param z whether the application is flagged as a management application
     * @param map extra service-provider properties, may be {@code null}
     * @return the service provider as read back after creation
     * @throws DCRMException if creation fails or the service provider cannot be found afterwards
     */
    private ServiceProvider createServiceProvider(String str, String str2, String str3, String str4, boolean z, Map<String, Object> map) throws DCRMException {
        User owner = new User();
        owner.setUserName(str);
        owner.setTenantDomain(str2);

        ServiceProvider draft = new ServiceProvider();
        draft.setApplicationName(str3);
        draft.setOwner(owner);
        draft.setDescription("Service Provider for application " + str3);
        draft.setManagementApp(z);

        Map<String, Object> properties = new HashMap<String, Object>();
        if (map != null) {
            properties.putAll(map);
        }
        // Written after the caller-supplied entries on purpose: a caller-supplied "isThirdPartyApp"
        // value is overwritten, so every application created here is marked as third party.
        properties.put("isThirdPartyApp", true);
        addSPProperties(properties, draft, false);

        createServiceProvider(draft, str2, str, str4);

        // Read the service provider back; a missing result is reported as a registration failure.
        ServiceProvider created = getServiceProvider(str3, str2);
        if (created != null) {
            return created;
        }
        throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.FAILED_TO_REGISTER_SP, str3);
    }

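    /**
     * Checks whether a service provider with the given name exists in the tenant.
     *
     * <p>A lookup failure is logged and reported as {@code false}, so callers cannot tell an error
     * from absence; code that relies on this as a uniqueness check should keep that in mind.
     *
     * @param str service provider (application) name
     * @param str2 tenant domain
     * @return {@code true} if the lookup returned a service provider, {@code false} if it returned
     *         {@code null} or failed
     */
    private boolean isServiceProviderExist(String str, String str2) {
        try {
            return getServiceProvider(str, str2) != null;
        } catch (DCRMException e) {
            // Best-effort contract is kept (no rethrow), but the cause is now logged so that a
            // backend failure can be diagnosed instead of disappearing.
            log.error("Error while retrieving service provider: " + str + " in tenant: " + str2, e);
            return false;
        }
    }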

    /**
     * Checks whether an OAuth application is already registered under the given client id.
     *
     * @param str client id (consumer key) to look up
     * @return {@code true} if application data with a non-blank application name was found;
     *         {@code false} if nothing was found or the lookup failed with an
     *         {@link InvalidOAuthClientException} as its cause
     * @throws DCRMException for any other lookup failure
     */
    private boolean isClientIdExist(String str) throws DCRMException {
        final OAuthConsumerAppDTO existing;
        try {
            existing = oAuthAdminService.getOAuthApplicationData(str);
        } catch (IdentityOAuthAdminException e) {
            // An "invalid client" cause means the id is unknown, which is an answer, not an error.
            boolean unknownClient = e.getCause() instanceof InvalidOAuthClientException;
            if (!unknownClient) {
                throw DCRMUtils.generateServerException(DCRMConstants.ErrorMessages.FAILED_TO_GET_APPLICATION_BY_ID, str, e);
            }
            return false;
        }
        return existing != null && StringUtils.isNotBlank(existing.getApplicationName());
    }

    /**
     * Looks up a service provider by name through the application management service.
     *
     * @param str service provider (application) name
     * @param str2 tenant domain
     * @return whatever the application management service returns for that name and tenant
     * @throws DCRMException wrapping any {@link IdentityApplicationManagementException}
     */
    private ServiceProvider getServiceProvider(String str, String str2) throws DCRMException {
        try {
            ApplicationManagementService appMgtService = DCRDataHolder.getInstance().getApplicationManagementService();
            ServiceProvider found = appMgtService.getServiceProvider(str, str2);
            return found;
        } catch (IdentityApplicationManagementException e) {
            throw DCRMUtils.generateServerException(DCRMConstants.ErrorMessages.FAILED_TO_GET_SP, str, e);
        }
    }

    /**
     * Persists changes to a service provider through the application management service.
     *
     * @param serviceProvider service provider to persist
     * @param str second argument of {@code updateApplication}
     * @param str2 third argument of {@code updateApplication}
     * @throws DCRMException wrapping any {@link IdentityApplicationManagementException}; the error
     *         names the service provider's application name
     */
    private void updateServiceProvider(ServiceProvider serviceProvider, String str, String str2) throws DCRMException {
        try {
            ApplicationManagementService appMgtService = DCRDataHolder.getInstance().getApplicationManagementService();
            appMgtService.updateApplication(serviceProvider, str, str2);
        } catch (IdentityApplicationManagementException e) {
            String applicationName = serviceProvider.getApplicationName();
            throw DCRMUtils.generateServerException(DCRMConstants.ErrorMessages.FAILED_TO_UPDATE_SP, applicationName, e);
        }
    }

    /**
     * Creates the service provider, optionally from a named application template.
     *
     * <p>When a template name is given, it must exist in the tenant; an unknown template is
     * rejected as a client error before anything is created.
     *
     * @param serviceProvider service provider to create
     * @param str tenant domain, as used in the template check and in the error message
     * @param str2 third argument of {@code createApplicationWithTemplate}
     * @param str3 template name, or {@code null} to skip the template check
     * @throws DCRMException if the template does not exist or the template check fails
     */
    private void createServiceProvider(ServiceProvider serviceProvider, String str, String str2, String str3) throws DCRMException {
        if (str3 != null) {
            try {
                if (!DCRDataHolder.getInstance().getApplicationManagementService().isExistingApplicationTemplate(str3, str)) {
                    throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.BAD_REQUEST_INVALID_SP_TEMPLATE_NAME, str3);
                }
            } catch (IdentityApplicationManagementException e) {
                // NOTE(review): a failure of the template check itself is reported with the
                // BAD_REQUEST code, although the cause may be server-side - confirm this is intended.
                throw new DCRMException(ErrorCodes.BAD_REQUEST.toString(), "Error while creating service provider: " + serviceProvider.getApplicationName() + " in tenant: " + str, e);
            }
        }
        // NOTE(review): this call sits outside the try block; if it declares
        // IdentityApplicationManagementException the listing would not compile as shown, which looks
        // like a decompilation artefact - compare with the original source.
        DCRDataHolder.getInstance().getApplicationManagementService().createApplicationWithTemplate(serviceProvider, str, str2, str3);
    }

    /**
     * Deletes a service provider through the application management service.
     *
     * @param str service provider (application) name
     * @param str2 second argument of {@code deleteApplication}
     * @param str3 third argument of {@code deleteApplication}
     * @throws DCRMException wrapping any {@link IdentityApplicationManagementException}
     */
    private void deleteServiceProvider(String str, String str2, String str3) throws DCRMException {
        try {
            ApplicationManagementService appMgtService = DCRDataHolder.getInstance().getApplicationManagementService();
            appMgtService.deleteApplication(str, str2, str3);
        } catch (IdentityApplicationManagementException e) {
            throw DCRMUtils.generateServerException(DCRMConstants.ErrorMessages.FAILED_TO_DELETE_SP, str, e);
        }
    }

    /**
     * Removes the OAuth application data and then deletes the service provider of the same name,
     * but only if that service provider has no inbound authentication configuration left.
     *
     * @param oAuthConsumerAppDTO application whose consumer key and name identify what to delete
     * @param str tenant domain used for the service-provider lookup and deletion
     * @param str2 third argument of {@code deleteApplication}
     * @throws DCRMException if removing the OAuth application or handling the service provider fails
     */
    private void deleteOAuthApplicationWithoutAssociatedSP(OAuthConsumerAppDTO oAuthConsumerAppDTO, String str, String str2) throws DCRMException {
        try {
            if (log.isDebugEnabled()) {
                log.debug("Delete OAuth application with the consumer key: " + oAuthConsumerAppDTO.getOauthConsumerKey());
            }
            // The OAuth application goes first; the service provider is only examined afterwards.
            oAuthAdminService.removeOAuthApplicationData(oAuthConsumerAppDTO.getOauthConsumerKey());
            ApplicationManagementService applicationManagementService = DCRDataHolder.getInstance().getApplicationManagementService();
            try {
                if (log.isDebugEnabled()) {
                    log.debug("Get service provider with application name: " + oAuthConsumerAppDTO.getApplicationName());
                }
                ServiceProvider serviceProvider = applicationManagementService.getServiceProvider(oAuthConsumerAppDTO.getApplicationName(), str);
                if (serviceProvider == null) {
                    if (log.isDebugEnabled()) {
                        log.debug("There is no service provider exists with the name: " + oAuthConsumerAppDTO.getApplicationName());
                    }
                // NOTE(review): getInboundAuthenticationConfig() and the array it returns are
                // dereferenced without a null check - confirm neither can be null here.
                } else if (serviceProvider.getInboundAuthenticationConfig().getInboundAuthenticationRequestConfigs().length == 0) {
                    if (log.isDebugEnabled()) {
                        log.debug("Delete the service provider: " + serviceProvider.getApplicationName());
                    }
                    applicationManagementService.deleteApplication(serviceProvider.getApplicationName(), str, str2);
                } else if (log.isDebugEnabled()) {
                    // Remaining inbound configurations mean the service provider is still in use, so it is kept.
                    log.debug("Service provider with name: " + serviceProvider.getApplicationName() + " can not be deleted since it has association with other application/s");
                }
            } catch (IdentityApplicationManagementException e) {
                // At this point the OAuth application has already been removed.
                throw new DCRMException("Error while deleting the service provider with the name: " + oAuthConsumerAppDTO.getApplicationName(), (Throwable) e);
            }
        } catch (IdentityOAuthAdminException e2) {
            throw new DCRMException("Error while deleting the OAuth application with consumer key: " + oAuthConsumerAppDTO.getOauthConsumerKey(), (Throwable) e2);
        }
    }

    /**
     * Validates the requested redirect URIs and produces the callback value to store.
     *
     * <ul>
     *   <li>no URI: {@code DCRConstants.DCR_VERSION} is returned, unless the grant types make a
     *       redirect URI mandatory, in which case the request is rejected (NOTE(review): the constant's
     *       value is not visible here and may stand in for a plain literal - confirm);</li>
     *   <li>one URI: the URI itself, after validation;</li>
     *   <li>several URIs: {@code "regexp="} followed by the pattern from {@code createRegexPattern}.</li>
     * </ul>
     *
     * @param list requested redirect URIs
     * @param list2 requested grant types
     * @return the callback value to store
     * @throws DCRMException if a URI is invalid or a mandatory redirect URI is missing
     */
    private String validateAndSetCallbackURIs(List<String> list, List<String> list2) throws DCRMException {
        if (list.size() == 0) {
            if (!isRedirectURIMandatory(list2)) {
                return DCRConstants.DCR_VERSION;
            }
            throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.BAD_REQUEST_INVALID_INPUT, "RedirectUris property must have at least one URI value when using Authorization code or implicit grant types.");
        }
        if (list.size() == 1) {
            String onlyUri = list.get(0);
            if (!DCRMUtils.isRedirectionUriValid(onlyUri)) {
                throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.BAD_REQUEST_INVALID_REDIRECT_URI, onlyUri);
            }
            return onlyUri;
        }
        // Several URIs are stored as one regular expression; each URI is validated inside createRegexPattern.
        return "regexp=" + createRegexPattern(list);
    }

    /**
     * Returns the back-channel logout URI unchanged if {@code DCRMUtils.isBackchannelLogoutUriValid}
     * accepts it.
     *
     * @param str back-channel logout URI from the registration request
     * @return {@code str} itself when valid
     * @throws DCRMException (client error) when the URI is rejected
     */
    private String validateBackchannelLogoutURI(String str) throws DCRMException {
        boolean accepted = DCRMUtils.isBackchannelLogoutUriValid(str);
        if (!accepted) {
            throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.BAD_REQUEST_INVALID_BACKCHANNEL_LOGOUT_URI, str);
        }
        return str;
    }

    /**
     * Tells whether the requested grant types require at least one redirect URI.
     *
     * @param list requested grant types
     * @return {@code true} if the list contains the authorization-code or the implicit grant type
     */
    private boolean isRedirectURIMandatory(List<String> list) {
        if (list.contains(DCRConstants.GrantTypes.AUTHORIZATION_CODE)) {
            return true;
        }
        return list.contains(DCRConstants.GrantTypes.IMPLICIT);
    }

    /**
     * Builds one alternation pattern, {@code (uri1|uri2|...)}, from the given redirect URIs.
     *
     * <p>NOTE(review): apart from the first {@code ?} of each URI (see
     * {@code escapeQueryParamsIfPresent}), the URIs go into the pattern unescaped. Characters such
     * as {@code .} therefore keep their regular-expression meaning, and the pattern may accept
     * more callback URLs than the ones listed. Confirm how the consumer of the stored
     * {@code "regexp="} value evaluates it before relying on it as an exact allow-list.
     *
     * @param list redirect URIs to combine
     * @return the alternation pattern, or {@code DCRConstants.DCR_VERSION} when the list is empty
     * @throws DCRMException (client error) on the first URI rejected by
     *         {@code DCRMUtils.isRedirectionUriValid}
     */
    protected String createRegexPattern(List<String> list) throws DCRMException {
        List<String> alternatives = new ArrayList<String>();
        for (String uri : list) {
            if (!DCRMUtils.isRedirectionUriValid(uri)) {
                throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.BAD_REQUEST_INVALID_REDIRECT_URI, uri);
            }
            alternatives.add(escapeQueryParamsIfPresent(uri));
        }
        if (alternatives.isEmpty()) {
            return DCRConstants.DCR_VERSION;
        }
        return "(" + StringUtils.join(alternatives, "|") + ")";
    }

    /**
     * Escapes the first {@code ?} of a URI as {@code \?} so that it is matched literally when the
     * URI is used inside a regular expression.
     *
     * <p>Only the first {@code ?} is touched; later {@code ?} characters and every other
     * regular-expression metacharacter are left as they are.
     *
     * @param str URI to escape
     * @return the URI with its first {@code ?} escaped, or the URI unchanged if it has none
     */
    private String escapeQueryParamsIfPresent(String str) {
        int queryStart = str.indexOf('?');
        if (queryStart < 0) {
            return str;
        }
        return str.substring(0, queryStart) + "\\?" + str.substring(queryStart + 1);
    }

    /**
     * Checks whether the current user is authorized for the application that owns a client id.
     *
     * <p>The tenant domain and the user name are both read from the thread-local Carbon context,
     * so the decision is only as trustworthy as the context set up for the current request.
     *
     * @param str client id of the application
     * @return the result of {@code ApplicationMgtUtil.isUserAuthorized} for the resolved service
     *         provider name and the current user
     * @throws DCRMServerException wrapping any {@link IdentityApplicationManagementException}
     */
    private boolean isUserAuthorized(String str) throws DCRMServerException {
        try {
            ApplicationManagementService appMgtService = DCRDataHolder.getInstance().getApplicationManagementService();
            String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
            String serviceProviderName = appMgtService.getServiceProviderNameByClientId(str, "oauth2", tenantDomain);
            String userName = CarbonContext.getThreadLocalCarbonContext().getUsername();
            return ApplicationMgtUtil.isUserAuthorized(serviceProviderName, userName);
        } catch (IdentityApplicationManagementException e) {
            throw DCRMUtils.generateServerException(DCRMConstants.ErrorMessages.FAILED_TO_GET_APPLICATION_BY_ID, str, e);
        }
    }

    /**
     * Checks a client id against the client-id validation pattern (full match).
     *
     * <p>The pattern is compiled on first use and kept in the static {@code clientIdRegexPattern}
     * field. After that first call the {@code str2} argument is ignored, so a later change of
     * the configured expression has no effect until the class is reloaded. The lazy
     * initialisation is not synchronised in this method.
     *
     * @param str client id to check
     * @param str2 regular expression, used only while no pattern has been cached yet
     * @return {@code true} if the whole client id matches the cached pattern
     */
    private static boolean clientIdMatchesRegex(String str, String str2) {
        Pattern compiled = clientIdRegexPattern;
        if (compiled == null) {
            compiled = Pattern.compile(str2);
            clientIdRegexPattern = compiled;
        }
        return compiled.matcher(str).matches();
    }

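    /**
     * Verifies that the tenant domain of the OAuth application matches the tenant of the current
     * request, so that an application cannot be managed from another tenant.
     *
     * @param str client id of the application
     * @throws DCRMException a {@link DCRMClientException} with the TENANT_DOMAIN_MISMATCH code when
     *         {@code OAuth2Util} raises {@link InvalidOAuthClientException}, or a
     *         {@link DCRMServerException} when the validation itself fails
     */
    private void validateRequestTenantDomain(String str) throws DCRMException {
        try {
            String appTenantDomain = OAuth2Util.getTenantDomainOfOauthApp(str);
            OAuth2Util.validateRequestTenantDomain(appTenantDomain);
        } catch (InvalidOAuthClientException e) {
            // Chain the cause, as the other DCRMClientException sites in this class do; the
            // error code and message sent to the client are unchanged.
            throw new DCRMClientException(DCRMConstants.ErrorMessages.TENANT_DOMAIN_MISMATCH.getErrorCode(), String.format(DCRMConstants.ErrorMessages.TENANT_DOMAIN_MISMATCH.getMessage(), str), e);
        } catch (IdentityOAuth2Exception e2) {
            // NOTE(review): the cause is dropped here because only the single-String constructor of
            // DCRMServerException is visible in this file; chain e2 if a (String, Throwable) form exists.
            throw new DCRMServerException(String.format(DCRMConstants.ErrorMessages.FAILED_TO_VALIDATE_TENANT_DOMAIN.getMessage(), str));
        }
    }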

    /**
     * Copies a service provider by serialising it to JSON with Gson and parsing the JSON back.
     *
     * @param serviceProvider service provider to copy
     * @return a new instance built from the JSON form of {@code serviceProvider}; state that Gson
     *         does not serialise is not carried over
     */
    private ServiceProvider cloneServiceProvider(ServiceProvider serviceProvider) {
        Gson gson = new Gson();
        String json = gson.toJson(serviceProvider);
        return gson.fromJson(json, ServiceProvider.class);
    }

    /**
     * Validates the signature of a software statement (SSA) against the configured JWKS.
     *
     * <p>When no SSA JWKS value is configured the check is skipped and the method returns
     * normally, so in that configuration the software statement is accepted unverified. Callers
     * that need a verified statement must make sure the JWKS is configured.
     *
     * @param str serialised software statement (signed JWT)
     * @throws DCRMClientException with {@code invalid_software_statement} when the statement cannot
     *         be parsed or its signature does not validate
     * @throws IdentityOAuth2Exception declared on the signature; presumably raised by the
     *         signature validation utility
     * @throws DCRMServerException declared on the signature; presumably raised while loading the
     *         DCR configuration
     */
    private void validateSSASignature(String str) throws DCRMClientException, IdentityOAuth2Exception, DCRMServerException {
        String ssaJwks = dcrConfigurationMgtService.getDCRConfiguration().getSsaJwks();
        if (StringUtils.isEmpty(ssaJwks)) {
            // Fail-open branch: nothing to validate against.
            log.debug("Skipping Software Statement signature validation as jwks_uri is not configured.");
            return;
        }
        boolean signatureValid;
        try {
            signatureValid = JWTSignatureValidationUtils.validateUsingJWKSUri(SignedJWT.parse(str), ssaJwks);
        } catch (ParseException e) {
            throw new DCRMClientException("invalid_software_statement", DCRMConstants.ErrorMessages.SIGNATURE_VALIDATION_FAILED.getMessage(), e);
        }
        if (!signatureValid) {
            throw new DCRMClientException("invalid_software_statement", DCRMConstants.ErrorMessages.SIGNATURE_VALIDATION_FAILED.getMessage());
        }
    }

    /**
     * Parses a software statement (SSA) and returns its claims.
     *
     * <p>This method only parses the JWT; it does not verify the signature. The claims are
     * trustworthy only if the statement has been validated separately (see
     * {@code validateSSASignature}).
     *
     * @param str serialised software statement (signed JWT)
     * @return the claims of the statement as a map
     * @throws DCRMClientException with {@code invalid_software_statement} when the statement cannot
     *         be parsed
     */
    private Map<String, Object> getSSAClaims(String str) throws DCRMClientException {
        try {
            SignedJWT softwareStatement = SignedJWT.parse(str);
            return softwareStatement.getJWTClaimsSet().getClaims();
        } catch (ParseException e) {
            throw new DCRMClientException("invalid_software_statement", DCRMConstants.ErrorMessages.FAILED_TO_READ_SSA.getMessage(), e);
        }
    }

    /**
     * Merges the given entries into the service provider's property array.
     *
     * <p>An entry whose name is not yet present is appended. An entry whose name already exists is
     * overwritten only when {@code bool} is {@code true}; otherwise the existing value is kept.
     * Values are stored as their {@code toString()} form.
     *
     * @param map properties to merge, keyed by property name; values must not be {@code null}
     * @param serviceProvider service provider whose properties are updated in place
     * @param bool whether existing properties with the same name may be overwritten
     */
    private void addSPProperties(Map<String, Object> map, ServiceProvider serviceProvider, Boolean bool) {
        ServiceProviderProperty[] merged = serviceProvider.getSpProperties();
        for (Map.Entry<String, Object> entry : map.entrySet()) {
            // Find the first existing property with the same name, if any.
            ServiceProviderProperty existing = null;
            for (ServiceProviderProperty candidate : merged) {
                if (candidate.getName().equals(entry.getKey())) {
                    existing = candidate;
                    break;
                }
            }
            if (existing == null) {
                ServiceProviderProperty added = new ServiceProviderProperty();
                added.setName(entry.getKey());
                added.setValue(entry.getValue().toString());
                merged = (ServiceProviderProperty[]) ArrayUtils.add(merged, added);
            } else if (bool.booleanValue()) {
                existing.setValue(entry.getValue().toString());
            }
        }
        serviceProvider.setSpProperties(merged);
    }
}
