package org.wso2.carbon.identity.openidconnect;

import com.nimbusds.jwt.JWTClaimsSet;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import net.minidev.json.JSONArray;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.xml.XMLObject;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.claim.metadata.mgt.ClaimMetadataHandler;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheEntry;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheKey;
import org.wso2.carbon.identity.oauth.common.OAuthConstants;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.UserRealm;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/openidconnect/SAMLAssertionClaimsCallback.class */
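/**
 * {@link CustomClaimsCallbackHandler} that populates the OIDC ID token ({@link JWTClaimsSet}) with
 * user claims.
 *
 * <p>Two sources of claims are supported:
 * <ul>
 *   <li>When the token request context carries a SAML2 assertion (property
 *       {@link OAuthConstants#OAUTH_SAML2_ASSERTION}), the token subject is replaced by the assertion's
 *       NameID and every attribute of every {@code AttributeStatement} is copied into the token under
 *       its SAML attribute name. This path applies no claim mapping and no requested-claim filtering:
 *       whatever the asserting party included ends up in the token.</li>
 *   <li>Otherwise the user attributes cached under the access token (or authorization code) at
 *       authentication time are used; when none are cached and the user is not federated, the claims
 *       the service provider marked as requested are read from the user store and mapped to the
 *       {@value #SP_DIALECT} dialect.</li>
 * </ul>
 *
 * <p>Multi-valued claims are joined and split with the user store's {@code MultiAttributeSeparator}.
 * The separator of the requesting user's store is resolved per call; the separator of the super
 * tenant's primary user store, read once at class load, is the fallback. The class holds no mutable
 * state of its own, so a separator read for one request can never influence another.
 */
public class SAMLAssertionClaimsCallback implements CustomClaimsCallbackHandler {

    private static final Log log = LogFactory.getLog(SAMLAssertionClaimsCallback.class);

    /** Inbound authenticator type used to look up the service provider by client id. */
    private static final String INBOUND_AUTH2_TYPE = "oauth2";
    /** Claim dialect the service provider's local claims are mapped to before being written to the token. */
    private static final String SP_DIALECT = "http://wso2.org/oidc/claim";
    /** Realm-configuration property holding the multi-attribute separator; also used as a transport key in claim maps. */
    private static final String MULTI_ATTRIBUTE_SEPARATOR = "MultiAttributeSeparator";
    /** Message-context property carrying the tenant domain of the service provider. */
    private static final String TENANT_DOMAIN = "tenantDomain";
    /** Substring of the user-store exception message that identifies a missing user. */
    private static final String USER_NOT_FOUND = "UserNotFound";
    /** Loggable-token name that gates writing claim values to the debug log. */
    private static final String USER_CLAIMS_LOG_TOKEN = "UserClaims";
    /** Tenant id of the super tenant, whose primary user store supplies the default separator. */
    private static final int SUPER_TENANT_ID = -1234;
    private static final String DEFAULT_ATTRIBUTE_SEPARATOR = ",,,";

    /**
     * Fallback multi-attribute separator, read once from the super tenant's primary user store.
     * Final so that a separator resolved for one request can never leak into another request or tenant.
     */
    private static final String userAttributeSeparator;

    static {
        String separator = DEFAULT_ATTRIBUTE_SEPARATOR;
        try {
            String configured = OAuthComponentServiceHolder.getInstance().getRealmService()
                    .getTenantUserRealm(SUPER_TENANT_ID).getUserStoreManager().getRealmConfiguration()
                    .getUserStoreProperty(MULTI_ATTRIBUTE_SEPARATOR);
            // An unset property must not replace the default: a null separator would be concatenated
            // as the literal text "null" when joining SAML attribute values.
            if (StringUtils.isNotBlank(configured)) {
                separator = configured;
            }
        } catch (UserStoreException e) {
            log.warn("Error while reading MultiAttributeSeparator value from primary user store ", e);
        }
        userAttributeSeparator = separator;
    }

    /**
     * Adds custom claims to the ID token issued for a token request.
     *
     * <p>If the request context carries a SAML2 assertion, the assertion's NameID and attributes are
     * used and the authorized user's cached / user-store claims are ignored. Otherwise the claims of
     * the authorized user are resolved via {@link #getResponse(OAuthTokenReqMessageContext)}. Failures
     * are logged and the token is issued without custom claims rather than failing the request.
     *
     * @param jWTClaimsSet                claims set of the ID token being built; modified in place
     * @param oAuthTokenReqMessageContext token request context
     */
    @Override
    public void handleCustomClaims(JWTClaimsSet jWTClaimsSet, OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        Assertion assertion = (Assertion) oAuthTokenReqMessageContext.getProperty(OAuthConstants.OAUTH_SAML2_ASSERTION);
        if (assertion != null) {
            addAssertionClaims(assertion, jWTClaimsSet);
            return;
        }
        AuthenticatedUser user = oAuthTokenReqMessageContext.getAuthorizedUser();
        if (log.isDebugEnabled()) {
            log.debug("Adding claims for user " + user + " to id token.");
        }
        try {
            setClaimsToJwtClaimSet(getResponse(oAuthTokenReqMessageContext), jWTClaimsSet);
        } catch (OAuthSystemException e) {
            log.error("Error occurred while adding claims of " + user + " to id token.", e);
        }
    }

    /**
     * Adds custom claims to the ID token issued for an authorization request (implicit / hybrid flows).
     *
     * <p>Claims are resolved via {@link #getResponse(OAuthAuthzReqMessageContext)}; failures are logged
     * and the token is issued without custom claims.
     *
     * @param jWTClaimsSet                claims set of the ID token being built; modified in place
     * @param oAuthAuthzReqMessageContext authorization request context
     */
    @Override
    public void handleCustomClaims(JWTClaimsSet jWTClaimsSet, OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) {
        AuthenticatedUser user = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getUser();
        if (log.isDebugEnabled()) {
            log.debug("Adding claims for user " + user + " to id token.");
        }
        try {
            setClaimsToJwtClaimSet(getResponse(oAuthAuthzReqMessageContext), jWTClaimsSet);
        } catch (OAuthSystemException e) {
            log.error("Error occurred while adding claims of " + user + " to id token.", e);
        }
    }

    /**
     * Copies the subject and attributes of a SAML2 assertion into the ID token.
     *
     * <p>Every attribute of every {@code AttributeStatement} is written under its SAML attribute name;
     * multiple values of one attribute are joined with {@link #userAttributeSeparator}. No claim
     * mapping or filtering is applied here. Attribute values are written to the debug log only when
     * the deployment marks user claims as loggable, matching the user-store path.
     *
     * @param assertion SAML2 assertion taken from the token request context
     * @param claimsSet claims set of the ID token; modified in place
     */
    private static void addAssertionClaims(Assertion assertion, JWTClaimsSet claimsSet) {
        if (assertion.getSubject() != null && assertion.getSubject().getNameID() != null) {
            String nameId = assertion.getSubject().getNameID().getValue();
            if (log.isDebugEnabled()) {
                log.debug("NameID in Assertion " + nameId);
            }
            claimsSet.setSubject(nameId);
        }
        List<AttributeStatement> statements = assertion.getAttributeStatements();
        if (CollectionUtils.isEmpty(statements)) {
            log.debug("No AttributeStatement found! ");
            return;
        }
        boolean logValues = log.isDebugEnabled() && IdentityUtil.isTokenLoggable(USER_CLAIMS_LOG_TOKEN);
        for (AttributeStatement statement : statements) {
            for (Attribute attribute : statement.getAttributes()) {
                List<XMLObject> values = attribute.getAttributeValues();
                if (CollectionUtils.isEmpty(values)) {
                    continue;
                }
                String joined = null;
                for (XMLObject value : values) {
                    if (value.getDOM() == null) {
                        continue; // no backing DOM element, hence no text to copy
                    }
                    String text = value.getDOM().getTextContent();
                    if (logValues) {
                        log.debug("Attribute: " + attribute.getName() + ", Value: " + text);
                    }
                    joined = StringUtils.isBlank(joined) ? text : joined + userAttributeSeparator + text;
                }
                claimsSet.setClaim(attribute.getName(), joined);
            }
        }
    }

    /**
     * Resolves the claims of the authorized user of a token request.
     *
     * <p>Lookup order: attributes cached under the access token, then under the authorization code
     * when the context has one, then the user store. Federated users are served from the cache only,
     * even when it is empty.
     *
     * @param oAuthTokenReqMessageContext token request context
     * @return OIDC claim URI to value, possibly carrying the {@value #MULTI_ATTRIBUTE_SEPARATOR}
     *         transport key; empty when nothing could be resolved
     * @throws OAuthSystemException declared for API compatibility; not thrown by the current lookups
     */
    private Map<String, Object> getResponse(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws OAuthSystemException {
        AuthenticatedUser user = oAuthTokenReqMessageContext.getAuthorizedUser();
        Map<ClaimMapping, String> cached = getUserAttributesFromCache(oAuthTokenReqMessageContext.getProperty(OAuthConstants.ACCESS_TOKEN));
        Object authzCode = oAuthTokenReqMessageContext.getProperty(OAuthConstants.AUTHZ_CODE);
        if (cached.isEmpty() && authzCode != null) {
            cached = getUserAttributesFromCache(authzCode);
        }
        if (!cached.isEmpty() || user.isFederatedUser()) {
            return getClaimsMap(cached);
        }
        if (log.isDebugEnabled()) {
            log.debug("User attributes not found in cache. Trying to retrieve attribute for user " + user);
        }
        try {
            return getClaimsFromUserStore(oAuthTokenReqMessageContext);
        } catch (UserStoreException | IdentityApplicationManagementException | IdentityException e) {
            log.error("Error occurred while getting claims for user " + user, e);
            return new HashMap<>();
        }
    }

    /**
     * Resolves the claims of the user of an authorization request.
     *
     * <p>Lookup order: attributes cached under the access token, then the user store. Federated users
     * are served from the cache only, even when it is empty.
     *
     * @param oAuthAuthzReqMessageContext authorization request context
     * @return OIDC claim URI to value, possibly carrying the {@value #MULTI_ATTRIBUTE_SEPARATOR}
     *         transport key; empty when nothing could be resolved
     * @throws OAuthSystemException declared for API compatibility; not thrown by the current lookups
     */
    private Map<String, Object> getResponse(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws OAuthSystemException {
        AuthenticatedUser user = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getUser();
        Map<ClaimMapping, String> cached = getUserAttributesFromCache(oAuthAuthzReqMessageContext.getProperty(OAuthConstants.ACCESS_TOKEN));
        if (!cached.isEmpty() || user.isFederatedUser()) {
            return getClaimsMap(cached);
        }
        if (log.isDebugEnabled()) {
            log.debug("User attributes not found in cache. Trying to retrieve attribute for user " + user);
        }
        try {
            return getClaimsFromUserStore(oAuthAuthzReqMessageContext);
        } catch (UserStoreException | IdentityApplicationManagementException | IdentityException e) {
            log.error("Error occurred while getting claims for user " + user, e);
            return new HashMap<>();
        }
    }

    /**
     * Re-keys cached user attributes by the remote claim URI of their {@link ClaimMapping}.
     *
     * @param userAttributes cached attributes keyed by claim mapping; may be null or empty
     * @return remote claim URI to value; empty when there is nothing to map
     */
    private Map<String, Object> getClaimsMap(Map<ClaimMapping, String> userAttributes) {
        Map<String, Object> claims = new HashMap<>();
        if (MapUtils.isEmpty(userAttributes)) {
            return claims;
        }
        for (Map.Entry<ClaimMapping, String> entry : userAttributes.entrySet()) {
            ClaimMapping mapping = entry.getKey();
            if (mapping == null || mapping.getRemoteClaim() == null) {
                continue; // no remote claim means no name to write the value under
            }
            claims.put(mapping.getRemoteClaim().getClaimUri(), entry.getValue());
        }
        return claims;
    }

    /**
     * Reads the service provider's requested claims for the authorized user of a token request.
     *
     * @see #getClaimsFromUserStore(String, String, AuthenticatedUser, String, String)
     */
    private static Map<String, Object> getClaimsFromUserStore(OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws UserStoreException, IdentityApplicationManagementException, IdentityException {
        AuthenticatedUser user = oAuthTokenReqMessageContext.getAuthorizedUser();
        String qualifiedName = user.toString();
        return getClaimsFromUserStore(
                (String) oAuthTokenReqMessageContext.getProperty(TENANT_DOMAIN),
                oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId(),
                user,
                MultitenantUtils.getTenantAwareUsername(qualifiedName),
                IdentityUtil.extractDomainFromName(qualifiedName));
    }

    /**
     * Reads the service provider's requested claims for the user of an authorization request.
     *
     * @see #getClaimsFromUserStore(String, String, AuthenticatedUser, String, String)
     */
    private static Map<String, Object> getClaimsFromUserStore(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext)
            throws IdentityApplicationManagementException, IdentityException, UserStoreException {
        AuthenticatedUser user = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getUser();
        return getClaimsFromUserStore(
                (String) oAuthAuthzReqMessageContext.getProperty(TENANT_DOMAIN),
                oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getConsumerKey(),
                user,
                UserCoreUtil.addDomainToName(user.getUserName(), user.getUserStoreDomain()),
                user.getUserStoreDomain());
    }

    /**
     * Reads the claims the service provider marked as requested for {@code user} from the user's
     * user store and maps them to the {@value #SP_DIALECT} dialect.
     *
     * @param spTenantDomain    tenant domain of the service provider (from the message context)
     * @param clientId          OAuth2 client id / consumer key identifying the service provider
     * @param user              authenticated user whose claims are read
     * @param userStoreUsername user name in the form the user store manager expects
     * @param userStoreDomain   user store domain whose multi-attribute separator is reported
     * @return OIDC claim URI to value, plus the store's separator under
     *         {@value #MULTI_ATTRIBUTE_SEPARATOR} when configured; empty when the service provider,
     *         its claim mappings, the realm or the user cannot be found
     * @throws UserStoreException                     for user-store failures other than a missing user
     * @throws IdentityApplicationManagementException if the service provider cannot be loaded
     * @throws IdentityException                      if the tenant realm cannot be resolved
     */
    private static Map<String, Object> getClaimsFromUserStore(String spTenantDomain, String clientId,
            AuthenticatedUser user, String userStoreUsername, String userStoreDomain)
            throws UserStoreException, IdentityApplicationManagementException, IdentityException {
        Map<String, Object> claims = new HashMap<>();
        ApplicationManagementService applicationMgtService = OAuth2ServiceComponentHolder.getApplicationMgtService();
        String spName = applicationMgtService.getServiceProviderNameByClientId(clientId, INBOUND_AUTH2_TYPE, spTenantDomain);
        ServiceProvider serviceProvider = applicationMgtService.getApplicationExcludingFileBasedSPs(spName, spTenantDomain);
        if (serviceProvider == null || serviceProvider.getClaimConfig() == null) {
            return claims;
        }
        ClaimMapping[] claimMappings = serviceProvider.getClaimConfig().getClaimMappings();
        if (claimMappings == null || claimMappings.length == 0) {
            return claims;
        }
        String userTenantDomain = user.getTenantDomain();
        String qualifiedName = user.toString();
        UserRealm realm = IdentityTenantUtil.getRealm(userTenantDomain, qualifiedName);
        if (realm == null) {
            log.warn("Invalid tenant domain provided. Empty claim returned back for tenant " + userTenantDomain + " and user " + qualifiedName);
            return claims;
        }
        // Only claims the service provider marked as requested are read; nothing else reaches the token.
        List<String> requestedLocalClaims = new ArrayList<>();
        for (ClaimMapping claimMapping : claimMappings) {
            if (claimMapping.isRequested() && claimMapping.getLocalClaim() != null) {
                requestedLocalClaims.add(claimMapping.getLocalClaim().getClaimUri());
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("Requested number of local claims: " + requestedLocalClaims.size());
        }
        Map<String, String> oidcToLocalClaim = ClaimMetadataHandler.getInstance()
                .getMappingsMapFromOtherDialectToCarbon(SP_DIALECT, (Set<String>) null, spTenantDomain, false);
        Map<String, String> userClaimValues = null;
        try {
            userClaimValues = realm.getUserStoreManager().getUserClaimValues(userStoreUsername,
                    requestedLocalClaims.toArray(new String[requestedLocalClaims.size()]), (String) null);
        } catch (UserStoreException e) {
            // A missing user yields an empty claim set; anything else is a genuine store failure.
            // StringUtils.contains is null-safe, the exception message may be absent.
            if (!StringUtils.contains(e.getMessage(), USER_NOT_FOUND)) {
                throw e;
            }
            if (log.isDebugEnabled()) {
                log.debug("User " + qualifiedName + " not found in user store");
            }
        }
        // Also covers the user-not-found case above, where userClaimValues is still null.
        if (MapUtils.isEmpty(userClaimValues)) {
            return claims;
        }
        if (log.isDebugEnabled()) {
            log.debug("Number of user claims retrieved from user store: " + userClaimValues.size());
        }
        boolean logValues = log.isDebugEnabled() && IdentityUtil.isTokenLoggable(USER_CLAIMS_LOG_TOKEN);
        if (oidcToLocalClaim != null) {
            for (Map.Entry<String, String> mapping : oidcToLocalClaim.entrySet()) {
                String value = userClaimValues.get(mapping.getValue());
                if (value == null) {
                    continue;
                }
                claims.put(mapping.getKey(), value);
                if (logValues) {
                    log.debug("Mapped claim: key -  " + mapping.getKey() + " value -" + value);
                }
            }
        }
        // The store's own separator travels with the claims so the writer can split multi-valued claims.
        String separator = readMultiAttributeSeparator(realm, userStoreDomain);
        if (StringUtils.isNotBlank(separator)) {
            claims.put(MULTI_ATTRIBUTE_SEPARATOR, separator);
        }
        return claims;
    }

    /**
     * Reads the multi-attribute separator configured for one user store of a realm.
     *
     * @return the configured separator, or null when the domain has no user store manager or the
     *         property is unset
     */
    private static String readMultiAttributeSeparator(UserRealm realm, String userStoreDomain) throws UserStoreException {
        org.wso2.carbon.user.core.UserStoreManager store = realm.getUserStoreManager().getSecondaryUserStoreManager(userStoreDomain);
        if (store == null) {
            return null;
        }
        return store.getRealmConfiguration().getUserStoreProperty(MULTI_ATTRIBUTE_SEPARATOR);
    }

    /**
     * Looks up the user attributes cached at authentication time under an access token or
     * authorization code.
     *
     * @param cacheKey access token or authorization code; null when the message context lacks it
     * @return cached attributes, or an empty map when the key is absent or nothing is cached
     */
    private Map<ClaimMapping, String> getUserAttributesFromCache(Object cacheKey) {
        if (cacheKey == null) {
            return new HashMap<>();
        }
        AuthorizationGrantCacheEntry cacheEntry = AuthorizationGrantCache.getInstance()
                .getValueFromCacheByToken(new AuthorizationGrantCacheKey(cacheKey.toString()));
        if (cacheEntry == null || cacheEntry.getUserAttributes() == null) {
            return new HashMap<>();
        }
        return cacheEntry.getUserAttributes();
    }

    /**
     * Writes resolved claims into the ID token, turning multi-valued claims into a JSON array.
     *
     * <p>The separator is taken from the {@value #MULTI_ATTRIBUTE_SEPARATOR} entry of {@code claims}
     * when it is present and non-blank (that entry is a transport key and is never written to the
     * token), otherwise from {@link #userAttributeSeparator}. The input map is not modified.
     *
     * @param claims       OIDC claim URI to value; null values are skipped
     * @param jWTClaimsSet claims set of the ID token; modified in place
     */
    private void setClaimsToJwtClaimSet(Map<String, Object> claims, JWTClaimsSet jWTClaimsSet) {
        if (MapUtils.isEmpty(claims)) {
            return;
        }
        String separator = resolveSeparator(claims.get(MULTI_ATTRIBUTE_SEPARATOR));
        for (Map.Entry<String, Object> entry : claims.entrySet()) {
            String claimUri = entry.getKey();
            Object rawValue = entry.getValue();
            if (MULTI_ATTRIBUTE_SEPARATOR.equals(claimUri) || rawValue == null) {
                continue;
            }
            String value = rawValue.toString();
            if (value.contains(separator)) {
                jWTClaimsSet.setClaim(claimUri, splitMultiValue(value, separator));
            } else {
                jWTClaimsSet.setClaim(claimUri, value);
            }
        }
    }

    /**
     * Prefers a non-blank per-request separator over the class-wide default.
     *
     * @param perRequestSeparator value of the {@value #MULTI_ATTRIBUTE_SEPARATOR} transport key; may be null
     * @return the separator to split claim values with; never null
     */
    private static String resolveSeparator(Object perRequestSeparator) {
        if (perRequestSeparator != null && StringUtils.isNotBlank(perRequestSeparator.toString())) {
            return perRequestSeparator.toString();
        }
        return userAttributeSeparator;
    }

    /**
     * Splits a joined claim value into a JSON array of its non-blank parts.
     *
     * <p>Kept on {@link StringTokenizer} for compatibility with existing tokens: every character of
     * {@code separator} is treated as a delimiter, not the separator string as a whole.
     */
    private static JSONArray splitMultiValue(String value, String separator) {
        JSONArray parts = new JSONArray();
        StringTokenizer tokenizer = new StringTokenizer(value, separator);
        while (tokenizer.hasMoreTokens()) {
            String part = tokenizer.nextToken();
            if (StringUtils.isNotBlank(part)) {
                parts.add(part);
            }
        }
        return parts;
    }
}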
