package org.wso2.carbon.identity.oauth2;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.core.AbstractAdmin;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.model.OAuthAppDO;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.oauth.OAuthUtil;
import org.wso2.carbon.identity.oauth.cache.CacheKey;
import org.wso2.carbon.identity.oauth.cache.OAuthCache;
import org.wso2.carbon.identity.oauth.cache.OAuthCacheKey;
import org.wso2.carbon.identity.oauth.common.OAuth2ErrorCodes;
import org.wso2.carbon.identity.oauth.common.OAuthConstants;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDAO;
import org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager;
import org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenRespDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AuthorizeReqDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AuthorizeRespDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2ClientValidationResponseDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationRequestDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationResponseDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuthRevocationRequestDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuthRevocationResponseDTO;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.model.RefreshTokenValidationDataDO;
import org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2TokenValidator;
import org.wso2.carbon.user.api.Claim;
import org.wso2.carbon.user.core.UserStoreManager;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/OAuth2Service.class */
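/**
 * Admin-service front end for the OAuth 2.0 authorization, token issuance, client validation,
 * token revocation and user-claim operations.
 * <p>
 * Every public method reports failures through its response object (or, for
 * {@link #getUserClaims(String)}, a {@code null} result) rather than by throwing, so callers
 * always receive a DTO they can map onto a protocol response.
 */
public class OAuth2Service extends AbstractAdmin {
    private static final Log log = LogFactory.getLog(OAuth2Service.class);

    /** {@code token_type_hint} value that asks for the refresh-token lookup to be tried first. */
    private static final String REFRESH_TOKEN_TYPE_HINT = "refresh_token";

    /** User-store profile name used when reading claim values. */
    private static final String DEFAULT_PROFILE = "default";

    /** Scope that must be present on an access token before user claims are released. */
    private static final String OPENID_SCOPE = "openid";

    /**
     * Handles an authorization request by delegating to the {@link AuthorizationHandlerManager}.
     *
     * @param oAuth2AuthorizeReqDTO the authorization request (user, client id, response type,
     *                              callback URI and requested scopes)
     * @return the handler's response; on any exception a response carrying
     *         {@link OAuth2ErrorCodes#SERVER_ERROR} and the requested callback URI
     */
    public OAuth2AuthorizeRespDTO authorize(OAuth2AuthorizeReqDTO oAuth2AuthorizeReqDTO) {
        if (log.isDebugEnabled()) {
            log.debug("Authorization Request received for user : " + oAuth2AuthorizeReqDTO.getUsername()
                    + ", Client ID : " + oAuth2AuthorizeReqDTO.getConsumerKey()
                    + ", Authorization Response Type : " + oAuth2AuthorizeReqDTO.getResponseType()
                    + ", Requested callback URI : " + oAuth2AuthorizeReqDTO.getCallbackUrl()
                    + ", Requested Scope : " + OAuth2Util.buildScopeString(oAuth2AuthorizeReqDTO.getScopes()));
        }
        try {
            return AuthorizationHandlerManager.getInstance().handleAuthorization(oAuth2AuthorizeReqDTO);
        } catch (Exception e) {
            // Service boundary: the client gets a fixed, generic message; the detail stays in the server log.
            log.error("Error occurred when processing the authorization request. Returning an error back to client.", e);
            OAuth2AuthorizeRespDTO authorizeRespDTO = new OAuth2AuthorizeRespDTO();
            authorizeRespDTO.setErrorCode(OAuth2ErrorCodes.SERVER_ERROR);
            authorizeRespDTO.setErrorMsg("Error occurred when processing the authorization request. Returning an error back to client.");
            authorizeRespDTO.setCallbackURI(oAuth2AuthorizeReqDTO.getCallbackUrl());
            return authorizeRespDTO;
        }
    }

    /**
     * Validates a client id and, when one is supplied, the callback URI against the registered
     * OAuth application.
     * <p>
     * The callback comparison is an exact string match against the registered value; no prefix,
     * wildcard or pattern matching is applied.
     *
     * @param str  the client id (consumer key)
     * @param str2 the callback URI from the request, or {@code null} to skip the callback check
     *             and have the registered callback returned instead
     * @return a response with {@code validClient} set and the application name and callback URL on
     *         success; otherwise {@link OAuth2ErrorCodes#INVALID_CALLBACK},
     *         {@link OAuth2ErrorCodes#INVALID_CLIENT} or {@link OAuth2ErrorCodes#SERVER_ERROR}
     */
    public OAuth2ClientValidationResponseDTO validateClientInfo(String str, String str2) {
        OAuth2ClientValidationResponseDTO validationRespDTO = new OAuth2ClientValidationResponseDTO();
        if (log.isDebugEnabled()) {
            log.debug("Validate Client information request for client_id : " + str + " and callback_uri " + str2);
        }
        try {
            OAuthAppDO appInformation = new OAuthAppDAO().getAppInformation(str);
            OAuth2Util.setClientTenatId(appInformation.getTenantId());
            String registeredCallbackUrl = appInformation.getCallbackUrl();
            if (str2 == null) {
                // No callback supplied: the caller only wants the registered application details.
                validationRespDTO.setValidClient(true);
                validationRespDTO.setCallbackURL(registeredCallbackUrl);
                validationRespDTO.setApplicationName(appInformation.getApplicationName());
                return validationRespDTO;
            }
            if (log.isDebugEnabled()) {
                log.debug("Registered App found for the given Client Id : " + str + " ,App Name : "
                        + appInformation.getApplicationName() + ", Callback URL : " + registeredCallbackUrl);
            }
            // str2 is non-null here, so a missing registered callback fails the match instead of
            // throwing (the original called equals() on the registered value).
            if (str2.equals(registeredCallbackUrl)) {
                validationRespDTO.setValidClient(true);
                validationRespDTO.setApplicationName(appInformation.getApplicationName());
                validationRespDTO.setCallbackURL(str2);
                return validationRespDTO;
            }
            log.warn("Provided Callback URL does not match with the registered one.");
            validationRespDTO.setValidClient(false);
            validationRespDTO.setErrorCode(OAuth2ErrorCodes.INVALID_CALLBACK);
            validationRespDTO.setErrorMsg("Registered callback does not match with the provided url.");
            return validationRespDTO;
        } catch (InvalidOAuthClientException e) {
            if (log.isDebugEnabled()) {
                log.debug(e.getMessage());
            }
            validationRespDTO.setValidClient(false);
            validationRespDTO.setErrorCode(OAuth2ErrorCodes.INVALID_CLIENT);
            validationRespDTO.setErrorMsg(e.getMessage());
            return validationRespDTO;
        } catch (IdentityOAuth2Exception e) {
            log.error("Error when reading the Application Information.", e);
            validationRespDTO.setValidClient(false);
            validationRespDTO.setErrorCode(OAuth2ErrorCodes.SERVER_ERROR);
            validationRespDTO.setErrorMsg("Error when processing the authorization request.");
            return validationRespDTO;
        }
    }

    /**
     * Issues an access token by delegating to the {@link AccessTokenIssuer}.
     *
     * @param oAuth2AccessTokenReqDTO the token request (client id, grant type and grant parameters)
     * @return the issuer's response, or an error response with {@link OAuth2ErrorCodes#INVALID_CLIENT}
     *         for an unknown/unauthenticated client, {@link OAuth2ErrorCodes#INVALID_GRANT} for a bad
     *         refresh token, and {@link OAuth2ErrorCodes#SERVER_ERROR} for any other failure
     */
    public OAuth2AccessTokenRespDTO issueAccessToken(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO) {
        if (log.isDebugEnabled()) {
            log.debug("Access Token Request Received with the Client Id : " + oAuth2AccessTokenReqDTO.getClientId()
                    + ", Grant Type : " + oAuth2AccessTokenReqDTO.getGrantType());
        }
        try {
            return AccessTokenIssuer.getInstance().issue(oAuth2AccessTokenReqDTO);
        } catch (InvalidOAuthClientException e) {
            if (log.isDebugEnabled()) {
                log.debug(e.getMessage());
            }
            return buildTokenError(OAuth2ErrorCodes.INVALID_CLIENT, e.getMessage());
        } catch (InvalidRefreshTokenException e) {
            if (log.isDebugEnabled()) {
                log.debug(e.getMessage());
            }
            return buildTokenError(OAuth2ErrorCodes.INVALID_GRANT, e.getMessage());
        } catch (Exception e) {
            // Unexpected failure: log the cause, return a fixed message with no internal detail.
            log.error("Error when issuing the access token. ", e);
            return buildTokenError(OAuth2ErrorCodes.SERVER_ERROR, "Error when issuing the access token");
        }
    }

    /**
     * Revokes a token on behalf of the OAuth client that owns it (RFC 7009 style).
     * <p>
     * The request must carry a consumer key, consumer secret and token, and the client is
     * authenticated with {@link OAuth2Util#authenticateClient} before anything is revoked. The
     * {@code token_type} hint only decides whether the refresh-token or the access-token lookup is
     * tried first; both are tried either way. If neither lookup finds a revocable token, any
     * remaining cache entry recorded for the token is cleared.
     *
     * @param oAuthRevocationRequestDTO the revocation request
     * @return an empty response (with revocation headers when a token was revoked), or an error
     *         response with {@link OAuth2ErrorCodes#INVALID_REQUEST},
     *         {@link OAuth2ErrorCodes#UNAUTHORIZED_CLIENT} or {@link OAuth2ErrorCodes#SERVER_ERROR}
     */
    public OAuthRevocationResponseDTO revokeTokenByOAuthClient(OAuthRevocationRequestDTO oAuthRevocationRequestDTO) {
        TokenMgtDAO tokenMgtDAO = new TokenMgtDAO();
        OAuthRevocationResponseDTO revokeRespDTO = new OAuthRevocationResponseDTO();
        String consumerKey = oAuthRevocationRequestDTO.getConsumerKey();
        String consumerSecret = oAuthRevocationRequestDTO.getConsumerSecret();
        String token = oAuthRevocationRequestDTO.getToken();
        try {
            if (isNullOrEmpty(consumerKey) || isNullOrEmpty(consumerSecret) || isNullOrEmpty(token)) {
                return buildRevocationError(OAuth2ErrorCodes.INVALID_REQUEST, "Invalid revocation request");
            }
            // The client must prove possession of its secret before any token bound to it is revoked.
            if (!OAuth2Util.authenticateClient(consumerKey, consumerSecret)) {
                return buildRevocationError(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT, "Unauthorized Client");
            }
            // The original compared the request DTO itself with "refresh_token", so the hint was never
            // honoured; compare the token_type field instead.
            boolean refreshTokenFirst = REFRESH_TOKEN_TYPE_HINT.equals(oAuthRevocationRequestDTO.getToken_type());
            boolean revoked;
            if (refreshTokenFirst) {
                revoked = revokeAsRefreshToken(tokenMgtDAO, consumerKey, token, revokeRespDTO)
                        || revokeAsAccessToken(tokenMgtDAO, consumerKey, token, revokeRespDTO);
            } else {
                revoked = revokeAsAccessToken(tokenMgtDAO, consumerKey, token, revokeRespDTO)
                        || revokeAsRefreshToken(tokenMgtDAO, consumerKey, token, revokeRespDTO);
            }
            if (!revoked) {
                clearStaleCacheEntry(tokenMgtDAO, consumerKey, token);
            }
            return revokeRespDTO;
        } catch (IdentityException e) {
            log.error(e.getMessage(), e);
            return buildRevocationError(OAuth2ErrorCodes.SERVER_ERROR,
                    "Error occurred while revoking authorization grant for applications");
        }
    }

    /**
     * Resolves the user claims for an access token (OpenID Connect user-info style).
     * <p>
     * The token is validated first; claims are released only if validation yields an authorized
     * user and the token carries the {@code openid} scope. The result always begins with a
     * {@code sub} claim holding the authorized user. Server-configured supported claims are
     * appended, followed by {@code email}, {@code preferred_username}, {@code given_name},
     * {@code family_name} and {@code name} when the corresponding user-store attributes exist.
     * A failure while reading the user store is logged and the claims collected so far are returned.
     *
     * @param str the access token identifier
     * @return the claims, or {@code null} if the token is invalid or lacks the {@code openid} scope
     */
    public Claim[] getUserClaims(String str) {
        OAuth2TokenValidationRequestDTO validationReqDTO = new OAuth2TokenValidationRequestDTO();
        // The decompiled form (an outer.getClass() null check before the constructor call) indicates
        // OAuth2AccessToken is a non-static inner class, hence the qualified instantiation.
        OAuth2TokenValidationRequestDTO.OAuth2AccessToken accessToken = validationReqDTO.new OAuth2AccessToken();
        accessToken.setTokenType(DefaultOAuth2TokenValidator.TOKEN_TYPE);
        accessToken.setIdentifier(str);
        validationReqDTO.setAccessToken(accessToken);
        OAuth2TokenValidationResponseDTO validationRespDTO = new OAuth2TokenValidationService().validate(validationReqDTO);
        String authorizedUser = validationRespDTO.getAuthorizedUser();
        if (authorizedUser == null) {
            if (log.isDebugEnabled()) {
                log.debug(validationRespDTO.getErrorMsg());
            }
            return null;
        }
        boolean openIdScopeFound = false;
        if (validationRespDTO.getScope() != null) {
            for (String scope : validationRespDTO.getScope()) {
                if (OPENID_SCOPE.equals(scope)) {
                    openIdScopeFound = true;
                    break;
                }
            }
        }
        if (!openIdScopeFound) {
            log.error("AccessToken does not have the openid scope");
            return null;
        }
        String tenantDomain = MultitenantUtils.getTenantDomain(authorizedUser);
        String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(authorizedUser);
        List<Claim> claims = new ArrayList<Claim>();
        claims.add(newClaim("sub", authorizedUser));
        try {
            UserStoreManager userStoreManager =
                    IdentityTenantUtil.getRealm(tenantDomain, tenantAwareUsername).getUserStoreManager();
            // NOTE(review): the realm is resolved with the tenant-aware name but claim values are read
            // with the full authorized user name, as in the original; confirm the user store expects that.
            String[] supportedClaims = OAuthServerConfiguration.getInstance().getSupportedClaims();
            if (supportedClaims != null) {
                Map<String, String> supportedClaimValues =
                        userStoreManager.getUserClaimValues(authorizedUser, supportedClaims, DEFAULT_PROFILE);
                // Values are keyed by claim URI; the original looked them up by the Claim object and so
                // always produced null values.
                for (Map.Entry<String, String> entry : supportedClaimValues.entrySet()) {
                    claims.add(newClaim(entry.getKey(), entry.getValue()));
                }
            }
            String[] standardClaimUris = {
                    "http://wso2.org/claims/emailaddress",
                    "http://wso2.org/claims/givenname",
                    "http://wso2.org/claims/lastname"
            };
            Map<String, String> standardClaimValues =
                    userStoreManager.getUserClaimValues(authorizedUser, standardClaimUris, DEFAULT_PROFILE);
            String email = standardClaimValues.get(standardClaimUris[0]);
            if (email != null) {
                claims.add(newClaim("email", email));
                // preferred_username is the local part of the e-mail address.
                claims.add(newClaim("preferred_username", email.split("@")[0]));
            }
            String givenName = standardClaimValues.get(standardClaimUris[1]);
            if (givenName != null) {
                claims.add(newClaim("given_name", givenName));
            }
            String lastName = standardClaimValues.get(standardClaimUris[2]);
            if (lastName != null) {
                claims.add(newClaim("family_name", lastName));
            }
            if (givenName != null && lastName != null) {
                claims.add(newClaim("name", givenName + " " + lastName));
            }
        } catch (Exception e) {
            // Best effort: a user-store failure must not hide the token-derived "sub" claim.
            log.error("Error while reading user claims ", e);
        }
        return claims.toArray(new Claim[claims.size()]);
    }

    /**
     * Revokes {@code token} if it is a known access token.
     *
     * @return {@code true} if the token was found and revoked, {@code false} if no such access token exists
     */
    private boolean revokeAsAccessToken(TokenMgtDAO tokenMgtDAO, String consumerKey, String token,
                                        OAuthRevocationResponseDTO revokeRespDTO) throws IdentityException {
        AccessTokenDO accessTokenDO = tokenMgtDAO.retrieveAccessToken(token);
        if (accessTokenDO == null) {
            return false;
        }
        tokenMgtDAO.revokeTokensByClient(token, consumerKey);
        OAuthUtil.clearOAuthCache(consumerKey, accessTokenDO.getAuthzUser(),
                OAuth2Util.buildScopeString(accessTokenDO.getScope()));
        addRevokeResponseHeaders(revokeRespDTO, token, accessTokenDO.getRefreshToken(), accessTokenDO.getAuthzUser());
        return true;
    }

    /**
     * Revokes the grant behind {@code token} if it is a refresh token of {@code consumerKey} in the
     * {@code ACTIVE} or {@code EXPIRED} state.
     *
     * @return {@code true} if the refresh token was found in a revocable state and revoked
     */
    private boolean revokeAsRefreshToken(TokenMgtDAO tokenMgtDAO, String consumerKey, String token,
                                         OAuthRevocationResponseDTO revokeRespDTO) throws IdentityException {
        RefreshTokenValidationDataDO refreshTokenDO = tokenMgtDAO.validateRefreshToken(consumerKey, token);
        if (refreshTokenDO == null || !isRevocableRefreshTokenState(refreshTokenDO.getRefreshTokenState())) {
            return false;
        }
        tokenMgtDAO.revokeTokensByClient(refreshTokenDO.getAccessToken(), consumerKey);
        OAuthUtil.clearOAuthCache(consumerKey, refreshTokenDO.getAuthorizedUser(),
                OAuth2Util.buildScopeString(refreshTokenDO.getScope()));
        addRevokeResponseHeaders(revokeRespDTO, refreshTokenDO.getAccessToken(), token,
                refreshTokenDO.getAuthorizedUser());
        return true;
    }

    /** A refresh token may be revoked while it is {@code ACTIVE} or {@code EXPIRED}; any other state is not. */
    private static boolean isRevocableRefreshTokenState(String state) {
        return state != null
                && (state.equals(OAuthConstants.TokenStates.TOKEN_STATE_ACTIVE)
                || state.equals(OAuthConstants.TokenStates.TOKEN_STATE_EXPIRED));
    }

    /**
     * Handles a token that is neither a live access token nor a revocable refresh token: if token
     * metadata is still on record and a matching cache entry exists, the cache entry is dropped.
     * The original built the cache key before checking the record for {@code null}.
     */
    private void clearStaleCacheEntry(TokenMgtDAO tokenMgtDAO, String consumerKey, String token)
            throws IdentityException {
        AccessTokenDO accessTokenInfo = tokenMgtDAO.getAccessTokenInfo(token);
        if (accessTokenInfo == null) {
            return;
        }
        String scopeString = OAuth2Util.buildScopeString(accessTokenInfo.getScope());
        // Key layout must stay aligned with what OAuthUtil.clearOAuthCache derives — kept as the original built it.
        OAuthCacheKey cacheKey = new OAuthCacheKey(accessTokenInfo.getConsumerKey() + ":"
                + accessTokenInfo.getAuthzUser().toLowerCase() + ":" + scopeString);
        if (OAuthCache.getInstance().getValueFromCache((CacheKey) cacheKey) != null) {
            OAuthUtil.clearOAuthCache(consumerKey, accessTokenInfo.getAuthzUser(), scopeString);
        }
    }

    /** Builds a token error response with {@code error} set, the given code and message. */
    private static OAuth2AccessTokenRespDTO buildTokenError(String errorCode, String errorMsg) {
        OAuth2AccessTokenRespDTO tokenRespDTO = new OAuth2AccessTokenRespDTO();
        tokenRespDTO.setError(true);
        tokenRespDTO.setErrorCode(errorCode);
        tokenRespDTO.setErrorMsg(errorMsg);
        return tokenRespDTO;
    }

    /** Builds a revocation error response with {@code error} set, the given code and message. */
    private static OAuthRevocationResponseDTO buildRevocationError(String errorCode, String errorMsg) {
        OAuthRevocationResponseDTO revokeRespDTO = new OAuthRevocationResponseDTO();
        revokeRespDTO.setError(true);
        revokeRespDTO.setErrorCode(errorCode);
        revokeRespDTO.setErrorMsg(errorMsg);
        return revokeRespDTO;
    }

    /** Creates a claim with the given URI and value. */
    private static Claim newClaim(String claimUri, String value) {
        Claim claim = new Claim();
        claim.setClaimUri(claimUri);
        claim.setValue(value);
        return claim;
    }

    /** Creates a response header with the given key and value. */
    private static ResponseHeader newResponseHeader(String key, String value) {
        ResponseHeader header = new ResponseHeader();
        header.setKey(key);
        header.setValue(value);
        return header;
    }

    /** {@code true} for {@code null} or the empty string; whitespace-only values are not treated as empty. */
    private static boolean isNullOrEmpty(String value) {
        return value == null || value.isEmpty();
    }

    /**
     * Attaches the revocation outcome to the response as headers, in the order
     * {@code RevokedAccessToken}, {@code AuthorizedUser}, {@code RevokedRefreshToken}.
     * <p>
     * NOTE(review): the raw token values are echoed back here; downstream components should keep
     * these headers out of access logs.
     *
     * @param revokeRespDTO  the response to populate
     * @param accessToken    the revoked access token
     * @param refreshToken   the revoked refresh token
     * @param authorizedUser the user the revoked grant belonged to
     */
    private void addRevokeResponseHeaders(OAuthRevocationResponseDTO revokeRespDTO, String accessToken,
                                          String refreshToken, String authorizedUser) {
        List<ResponseHeader> headers = new ArrayList<ResponseHeader>();
        headers.add(newResponseHeader("RevokedAccessToken", accessToken));
        headers.add(newResponseHeader("AuthorizedUser", authorizedUser));
        headers.add(newResponseHeader("RevokedRefreshToken", refreshToken));
        revokeRespDTO.setResponseHeaders(headers.toArray(new ResponseHeader[headers.size()]));
    }
}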
