package org.wso2.carbon.identity.organization.management.authz.service.handler;

import java.util.Iterator;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.authz.service.AuthorizationContext;
import org.wso2.carbon.identity.authz.service.AuthorizationResult;
import org.wso2.carbon.identity.authz.service.AuthorizationStatus;
import org.wso2.carbon.identity.authz.service.exception.AuthzServiceServerException;
import org.wso2.carbon.identity.authz.service.handler.AuthorizationHandler;
import org.wso2.carbon.identity.core.handler.InitConfig;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.organization.management.authz.service.OrganizationManagementAuthorizationContext;
import org.wso2.carbon.identity.organization.management.authz.service.OrganizationManagementAuthorizationManager;
import org.wso2.carbon.identity.organization.management.authz.service.constant.AuthorizationConstants;
import org.wso2.carbon.identity.organization.management.authz.service.exception.OrganizationManagementAuthzServiceServerException;
import org.wso2.carbon.identity.organization.management.authz.service.internal.OrganizationManagementAuthzServiceHolder;
import org.wso2.carbon.identity.organization.management.authz.service.util.OrganizationManagementAuthzUtil;
import org.wso2.carbon.user.api.Tenant;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/organization/management/authz/service/handler/OrganizationManagementAuthzHandler.class */
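public class OrganizationManagementAuthzHandler extends AuthorizationHandler {

    private static final Log LOG = LogFactory.getLog(OrganizationManagementAuthzHandler.class);

    /** Context parameter holding the scopes carried by the presented OAuth2 token (read as {@code String[]}). */
    private static final String OAUTH2_ALLOWED_SCOPES = "oauth2-allowed-scopes";
    /** Context parameter ({@code Boolean}) selecting scope-based instead of permission-based authorization. */
    private static final String OAUTH2_VALIDATE_SCOPES = "oauth2-validate-scopes";

    /**
     * Authorizes a request against the organization resolved from the tenant domain in the request URL.
     * <p>
     * The decision is DENY by default and only becomes GRANT when exactly one of the checks below passes:
     * <ul>
     *   <li>scope validation, when the context asks for it and declares required scopes: every required
     *       scope must appear in the token's allowed scopes (exact string match);</li>
     *   <li>otherwise permission validation, when the context carries a non-blank permission string.</li>
     * </ul>
     * If the tenant domain in the URL does not resolve to an organization, no check runs and the request
     * stays denied. Contexts that are not organization-management contexts are delegated to the
     * superclass handler unchanged.
     *
     * @param authorizationContext the authorization request being evaluated.
     * @return the authorization result (DENY unless explicitly granted).
     * @throws AuthzServiceServerException if the organization lookup or the permission/scope evaluation fails.
     */
    public AuthorizationResult handleAuthorization(AuthorizationContext authorizationContext)
            throws AuthzServiceServerException {

        // Only organization-management contexts are evaluated here; everything else keeps the default behaviour.
        if (!(authorizationContext instanceof OrganizationManagementAuthorizationContext)) {
            return super.handleAuthorization(authorizationContext);
        }

        // Deny by default: each path below has to explicitly flip the status to GRANT.
        AuthorizationResult authorizationResult = new AuthorizationResult(AuthorizationStatus.DENY);
        User user = authorizationContext.getUser();

        // The organization the decision applies to comes from the URL's tenant domain, not from the caller.
        String organizationId =
                resolveAssociatedOrgUUIDForDomainInURL(authorizationContext.getTenantDomainFromURLMapping());
        // Unknown tenant or tenant without an associated organization: nothing to evaluate, remain DENY.
        if (StringUtils.isBlank(organizationId)) {
            return authorizationResult;
        }

        String permissionString = authorizationContext.getPermissionString();
        Object allowedScopesParam = authorizationContext.getParameter(OAUTH2_ALLOWED_SCOPES);
        String[] allowedScopes = allowedScopesParam == null ? null : (String[]) allowedScopesParam;
        Object validateScopesParam = authorizationContext.getParameter(OAUTH2_VALIDATE_SCOPES);
        boolean scopeValidationEnabled =
                validateScopesParam != null && ((Boolean) validateScopesParam).booleanValue();

        try {
            if (isScopeValidationRequired(scopeValidationEnabled, authorizationContext)) {
                validateScopes(allowedScopes, authorizationContext, authorizationResult);
            } else if (StringUtils.isNotBlank(permissionString)) {
                validatePermissions(organizationId, permissionString, user, authorizationResult);
            }
            // Neither scope validation nor a permission string applies: the result stays DENY.
        } catch (OrganizationManagementAuthzServiceServerException e) {
            String message = "Error occurred while evaluating authorization of user for organization management. "
                    + e.getMessage();
            // Log with the throwable so the stack trace is kept alongside the message.
            LOG.error(message, e);
            throw new AuthzServiceServerException(message, e);
        }
        return authorizationResult;
    }

    public void init(InitConfig initConfig) {
        // Nothing to configure; the handler holds no state beyond its logger.
    }

    public String getName() {
        return "OrganizationManagementAuthorizationHandler";
    }

    public int getPriority() {
        return 50;
    }

    /**
     * Resolves the organization UUID associated with the tenant domain taken from the request URL.
     *
     * @param tenantDomain tenant domain from the URL mapping; {@code carbon.super} maps to the root organization.
     * @return the associated organization UUID, or an empty string when no tenant exists for the domain.
     * @throws AuthzServiceServerException if the tenant lookup or the root-organization lookup fails.
     */
    private String resolveAssociatedOrgUUIDForDomainInURL(String tenantDomain) throws AuthzServiceServerException {
        try {
            if ("carbon.super".equalsIgnoreCase(tenantDomain)) {
                return OrganizationManagementAuthorizationManager.getInstance().getRootOrganizationId();
            }
            Tenant tenant = OrganizationManagementAuthzServiceHolder.getInstance().getRealmService()
                    .getTenantManager().getTenant(IdentityTenantUtil.getTenantId(tenantDomain));
            // "" is the caller's signal for "no organization -> deny"; it is never treated as an id.
            return tenant == null ? "" : tenant.getAssociatedOrganizationUUID();
        } catch (UserStoreException | OrganizationManagementAuthzServiceServerException e) {
            String message = "Error occurred while trying to authorize, " + e.getMessage();
            // Keep the throwable in the log entry; the rethrown exception also carries it as the cause.
            LOG.error(message, e);
            throw new AuthzServiceServerException(message, e);
        }
    }

    /**
     * Grants when the endpoint declares no permission, or when the user holds the given permission in the
     * organization; otherwise leaves the result untouched (DENY).
     *
     * @param organizationId      organization the permission is checked in.
     * @param permission          permission string declared by the endpoint.
     * @param user                user the request is made on behalf of.
     * @param authorizationResult result to update on success.
     * @throws OrganizationManagementAuthzServiceServerException if the user id or the permission cannot be resolved.
     */
    private void validatePermissions(String organizationId, String permission, User user,
                                     AuthorizationResult authorizationResult)
            throws OrganizationManagementAuthzServiceServerException {
        // NOTE(review): RESOURCE_PERMISSION_NONE grants without consulting the authorization manager, so any
        // user reaching this handler passes such endpoints once the organization resolves. Confirm intended.
        if (AuthorizationConstants.RESOURCE_PERMISSION_NONE.equalsIgnoreCase(permission)) {
            authorizationResult.setAuthorizationStatus(AuthorizationStatus.GRANT);
            return;
        }
        boolean authorized = OrganizationManagementAuthorizationManager.getInstance()
                .isUserAuthorized(getUserId(user), permission, organizationId);
        if (authorized) {
            authorizationResult.setAuthorizationStatus(AuthorizationStatus.GRANT);
        }
    }

    /**
     * Looks up the user store id of the given user by user name.
     *
     * @param user user whose id is required.
     * @return the user id from the user store.
     * @throws OrganizationManagementAuthzServiceServerException if the user store lookup fails.
     */
    private String getUserId(User user) throws OrganizationManagementAuthzServiceServerException {
        try {
            return OrganizationManagementAuthzUtil.getUserStoreManager(user)
                    .getUser((String) null, user.getUserName()).getUserID();
        } catch (UserStoreException e) {
            throw new OrganizationManagementAuthzServiceServerException((Throwable) e);
        }
    }

    /**
     * Scope validation applies only when the context asks for it AND declares at least one required scope;
     * an empty required-scope list therefore never short-circuits to GRANT.
     */
    private boolean isScopeValidationRequired(boolean validateScopes, AuthorizationContext authorizationContext) {
        return validateScopes && CollectionUtils.isNotEmpty(authorizationContext.getRequiredScopes());
    }

    /**
     * Grants when every required scope of the context is present in the token's allowed scopes.
     * Matching is an exact string comparison; a token without scopes (null) never grants.
     *
     * @param allowedScopes        scopes carried by the token, or null when none were supplied.
     * @param authorizationContext context declaring the required scopes.
     * @param authorizationResult  result to update on success.
     * @throws OrganizationManagementAuthzServiceServerException kept for signature compatibility.
     */
    private void validateScopes(String[] allowedScopes, AuthorizationContext authorizationContext,
                                AuthorizationResult authorizationResult)
            throws OrganizationManagementAuthzServiceServerException {
        if (allowedScopes == null) {
            return;
        }
        for (String requiredScope : authorizationContext.getRequiredScopes()) {
            if (!ArrayUtils.contains(allowedScopes, requiredScope)) {
                // A single missing scope keeps the result at DENY.
                return;
            }
        }
        authorizationResult.setAuthorizationStatus(AuthorizationStatus.GRANT);
    }
}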
