package org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl;

import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonException;
import org.wso2.carbon.core.util.AnonymousSessionUtil;
import org.wso2.carbon.core.util.PermissionUpdateUtil;
import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException;
import org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.ProvisioningHandler;
import org.wso2.carbon.identity.application.authentication.framework.internal.FrameworkServiceComponent;
import org.wso2.carbon.registry.core.service.RegistryService;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.UserRealm;
import org.wso2.carbon.user.core.UserStoreManager;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/application/authentication/framework/handler/provisioning/impl/DefaultProvisioningHandler.class */
/**
 * Default just-in-time (JIT) provisioning handler of the authentication framework.
 * <p>
 * Given a federated user's name, asserted role list and claim map, it either creates the
 * user in the selected local user store (with a random, never-disclosed password) or syncs
 * the roles and claims of an already existing local user.
 * <p>
 * Security notes for operators and reviewers:
 * <ul>
 *   <li>Roles asserted by the federation side are granted as long as a role of that name
 *       exists in the target user store ({@link #getRolesToAdd}); there is no deny-list of
 *       privileged roles here. Restricting which roles an IdP may assert has to happen in
 *       the caller / IdP role-mapping configuration.</li>
 *   <li>For an existing user the asserted role set is authoritative: local roles that are
 *       not asserted are removed (except the "everyone" role), see {@link #handle}.</li>
 *   <li>The only privileged-account guard is the super-admin username check in
 *       {@link #handleFederatedUserNameEqualsToSuperAdminUserName}.</li>
 *   <li>Debug logging prints user names and role names; keep DEBUG off in production
 *       unless that is acceptable.</li>
 * </ul>
 * Note: this listing appears to be decompiled, so parameter names are synthetic.
 */
public class DefaultProvisioningHandler implements ProvisioningHandler {
    private static final Log log = LogFactory.getLog(DefaultProvisioningHandler.class);
    // volatile is required for the double-checked locking in getInstance()
    private static volatile DefaultProvisioningHandler instance;
    // CSPRNG used only by generatePassword(); not final, so a subclass/reflection could swap it
    private SecureRandom random = new SecureRandom();

    /**
     * Returns the lazily created singleton instance (double-checked locking on the
     * volatile {@link #instance} field).
     *
     * @return the shared handler instance
     */
    public static DefaultProvisioningHandler getInstance() {
        if (instance == null) {
            synchronized (DefaultProvisioningHandler.class) {
                if (instance == null) {
                    instance = new DefaultProvisioningHandler();
                }
            }
        }
        return instance;
    }

    /**
     * Provisions or updates a federated user in the local user store.
     *
     * @param list role names asserted for the user (may be {@code null}); domain prefixes are
     *             stripped except for the {@code Internal} domain
     * @param str  the (possibly tenant-qualified) username to provision
     * @param map  claim URI to value mappings to store for the user (may be {@code null});
     *             entries with an empty key or value are ignored, so an empty asserted value
     *             never clears an existing local claim
     * @param str2 target user store domain, or {@code null}/empty for the primary store
     * @param str3 tenant domain the user belongs to
     * @throws FrameworkException if the user store domain is invalid, if the super-admin guard
     *                            fires, or wrapping any {@link UserStoreException}/{@link CarbonException}
     */
    @Override // org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.ProvisioningHandler
    public void handle(List<String> list, String str, Map<String, String> map, String str2, String str3) throws FrameworkException {
        RegistryService registryService = FrameworkServiceComponent.getRegistryService();
        RealmService realmService = FrameworkServiceComponent.getRealmService();
        try {
            int tenantId = realmService.getTenantManager().getTenantId(str3);
            UserRealm realmByTenantDomain = AnonymousSessionUtil.getRealmByTenantDomain(registryService, realmService, str3);
            // fails fast with FrameworkException if str2 names a non-existent secondary store
            String userStoreDomain = getUserStoreDomain(str2, realmByTenantDomain);
            String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(str);
            UserStoreManager userStoreManager = getUserStoreManager(realmByTenantDomain, userStoreDomain);
            // NOTE(review): this consults the realm's primary user store manager, not the
            // resolved userStoreManager, so the domain is stripped regardless of the target
            // store (contrast with the per-store check in handleFederatedUserNameEqualsToSuperAdminUserName).
            // Confirm this is intended.
            if (realmByTenantDomain.getUserStoreManager().getRealmConfiguration().isPrimary()) {
                tenantAwareUsername = UserCoreUtil.removeDomainFromName(tenantAwareUsername);
            }
            String[] strArr = new String[0];
            if (list != null) {
                list = removeDomainFromNamesExcludeInternal(list);
                strArr = (String[]) list.toArray(new String[list.size()]);
            }
            if (log.isDebugEnabled()) {
                log.debug("User " + tenantAwareUsername + " contains roles : " + Arrays.toString(strArr) + " going to be provisioned");
            }
            // asserted roles that actually exist locally; no privileged-role filtering happens here
            Collection<String> rolesToAdd = getRolesToAdd(userStoreManager, strArr);
            Map<String, String> prepareClaimMappings = prepareClaimMappings(map);
            if (userStoreManager.isExistingUser(tenantAwareUsername)) {
                // roles are only synced when the federation side asserted at least one role
                if (list != null && !list.isEmpty()) {
                    List asList = Arrays.asList(userStoreManager.getRoleListOfUser(tenantAwareUsername));
                    // do not re-add roles the user already holds
                    rolesToAdd.removeAll(asList);
                    // roles to delete: currently held but not asserted, keeping the "everyone" role
                    ArrayList arrayList = new ArrayList();
                    arrayList.addAll(asList);
                    arrayList.removeAll(Arrays.asList(strArr));
                    arrayList.remove(realmByTenantDomain.getRealmConfiguration().getEveryOneRoleName());
                    // refuse to strip the admin role from the super-admin account via federation
                    handleFederatedUserNameEqualsToSuperAdminUserName(realmByTenantDomain, tenantAwareUsername, userStoreManager, arrayList);
                    updateUserWithNewRoleSet(tenantAwareUsername, userStoreManager, strArr, rolesToAdd, arrayList);
                }
                if (!prepareClaimMappings.isEmpty()) {
                    userStoreManager.setUserClaimValues(tenantAwareUsername, prepareClaimMappings, (String) null);
                }
            } else {
                // new local account; the random password is neither returned nor logged, so the
                // account is only usable through federated login unless the password is reset
                userStoreManager.addUser(tenantAwareUsername, generatePassword(), (String[]) rolesToAdd.toArray(new String[rolesToAdd.size()]), prepareClaimMappings, (String) null);
                if (log.isDebugEnabled()) {
                    log.debug("Federated user: " + tenantAwareUsername + " is provisioned by authentication framework with roles : " + Arrays.toString(rolesToAdd.toArray(new String[rolesToAdd.size()])));
                }
            }
            PermissionUpdateUtil.updatePermissionTree(tenantId);
        } catch (UserStoreException | CarbonException e) {
            // cause is preserved; the message carries the username only, no credentials
            throw new FrameworkException("Error while provisioning user : " + str, e);
        }
    }

    /**
     * Applies a role delta to an existing user in a single user store call.
     *
     * @param str              username in the target store
     * @param userStoreManager store holding the user
     * @param strArr           full asserted role list (used for the debug log only)
     * @param collection       roles to add
     * @param collection2      roles to delete
     * @throws org.wso2.carbon.user.core.UserStoreException on user store failure
     */
    private void updateUserWithNewRoleSet(String str, UserStoreManager userStoreManager, String[] strArr, Collection<String> collection, Collection<String> collection2) throws org.wso2.carbon.user.core.UserStoreException {
        if (log.isDebugEnabled()) {
            log.debug("Deleting roles : " + Arrays.toString(collection2.toArray(new String[collection2.size()])) + " and Adding roles : " + Arrays.toString(collection.toArray(new String[collection.size()])));
        }
        // argument order of the user core API is (user, deletedRoles, newRoles)
        userStoreManager.updateRoleListOfUser(str, (String[]) collection2.toArray(new String[collection2.size()]), (String[]) collection.toArray(new String[collection.size()]));
        if (log.isDebugEnabled()) {
            log.debug("Federated user: " + str + " is updated by authentication framework with roles : " + Arrays.toString(strArr));
        }
    }

    /**
     * Guard against a federated login that would strip the admin role from the local
     * super-admin account.
     * <p>
     * Fires only when the target store is the primary store, the federated username equals
     * the configured admin username, and the admin role is in the set of roles about to be
     * deleted (i.e. the federation side did not assert it). Nothing else about the
     * super-admin account is checked here.
     *
     * @param userRealm        realm providing the admin username / admin role name
     * @param str              federated username in the target store
     * @param userStoreManager target store (used for the primary-store check)
     * @param collection       roles that are about to be removed from the user
     * @throws FrameworkException if the admin role would be removed from the super admin
     * @throws org.wso2.carbon.user.core.UserStoreException on user store failure
     */
    private void handleFederatedUserNameEqualsToSuperAdminUserName(UserRealm userRealm, String str, UserStoreManager userStoreManager, Collection<String> collection) throws org.wso2.carbon.user.core.UserStoreException, FrameworkException {
        if (userStoreManager.getRealmConfiguration().isPrimary() && str.equals(userRealm.getRealmConfiguration().getAdminUserName())) {
            if (log.isDebugEnabled()) {
                log.debug("Federated user's username is equal to super admin's username of local IdP.");
            }
            if (collection.contains(userRealm.getRealmConfiguration().getAdminRoleName())) {
                if (log.isDebugEnabled()) {
                    log.debug("Federated user doesn't have super admin role. Unable to sync roles, since super admin role cannot be unassigned from super admin user");
                }
                throw new FrameworkException("Federated user which having same username to super admin username of local IdP, trying login without having super admin role assigned");
            }
        }
    }

    /**
     * Copies the claim map, dropping entries whose key or value is {@code null}/empty.
     * Consequently an empty asserted value cannot clear a previously stored claim.
     *
     * @param map asserted claims (may be {@code null})
     * @return a new, never-null map of the non-empty entries
     */
    private Map<String, String> prepareClaimMappings(Map<String, String> map) {
        HashMap hashMap = new HashMap();
        if (map != null && !map.isEmpty()) {
            for (Map.Entry<String, String> entry : map.entrySet()) {
                String key = entry.getKey();
                String value = entry.getValue();
                if (!StringUtils.isEmpty(key) && !StringUtils.isEmpty(value)) {
                    hashMap.put(key, value);
                }
            }
        }
        return hashMap;
    }

    /**
     * Intersects the asserted roles with the roles that exist in the user store.
     * Existence is the only filter: a locally existing privileged role (e.g. the admin role)
     * that the federation side asserts is returned and will be granted by the caller.
     *
     * @param userStoreManager store whose role names are consulted
     * @param strArr           asserted, domain-normalized role names
     * @return mutable list of asserted roles that exist in the store, in assertion order
     * @throws org.wso2.carbon.user.core.UserStoreException on user store failure
     */
    private Collection<String> getRolesToAdd(UserStoreManager userStoreManager, String[] strArr) throws org.wso2.carbon.user.core.UserStoreException {
        ArrayList arrayList = new ArrayList();
        Collections.addAll(arrayList, strArr);
        // normalize the store's role names the same way the asserted roles were normalized
        arrayList.retainAll(removeDomainFromNamesExcludeInternal(Arrays.asList(userStoreManager.getRoleNames())));
        return arrayList;
    }

    /**
     * Resolves the user store manager for a domain.
     *
     * @param userRealm realm to look the store up in
     * @param str       user store domain; {@code null} or empty selects the primary store
     * @return the matching user store manager, never {@code null}
     * @throws FrameworkException if no store is registered for the given domain
     * @throws org.wso2.carbon.user.core.UserStoreException on user store failure
     */
    private UserStoreManager getUserStoreManager(UserRealm userRealm, String str) throws org.wso2.carbon.user.core.UserStoreException, FrameworkException {
        UserStoreManager userStoreManager = (str == null || str.isEmpty()) ? userRealm.getUserStoreManager() : userRealm.getUserStoreManager().getSecondaryUserStoreManager(str);
        if (userStoreManager == null) {
            throw new FrameworkException("Specified user store is invalid");
        }
        return userStoreManager;
    }

    /**
     * Validates a user store domain name.
     *
     * @param str       domain to validate; {@code null} is passed through unchanged
     * @param userRealm realm to validate against
     * @return {@code str} if it is {@code null} or names an existing secondary store
     * @throws FrameworkException if the non-null domain does not resolve to a secondary store
     * @throws org.wso2.carbon.user.core.UserStoreException on user store failure
     */
    private String getUserStoreDomain(String str, UserRealm userRealm) throws FrameworkException, org.wso2.carbon.user.core.UserStoreException {
        if (str == null || userRealm.getUserStoreManager().getSecondaryUserStoreManager(str) != null) {
            return str;
        }
        throw new FrameworkException("Specified user store domain " + str + " is not valid.");
    }

    /**
     * Generates the initial password for a newly provisioned federated user: 130 bits from
     * {@link SecureRandom}, rendered in base 32 (up to 26 characters; shorter if the value has
     * leading zero digits). The value is never stored or logged by this class.
     * <p>
     * Protected so that deployments with stricter user-store password policies can override it.
     *
     * @return a random password string
     */
    protected String generatePassword() {
        return new BigInteger(130, this.random).toString(32);
    }

    /**
     * Strips the user store domain prefix from each name, except for names in the
     * {@code Internal} domain (compared case-insensitively), which are kept as-is.
     *
     * @param list names to normalize
     * @return a new list with normalized names, in the original order
     */
    private List<String> removeDomainFromNamesExcludeInternal(List<String> list) {
        ArrayList arrayList = new ArrayList();
        for (String str : list) {
            if ("Internal".equalsIgnoreCase(UserCoreUtil.extractDomainFromName(str))) {
                arrayList.add(str);
            } else {
                arrayList.add(UserCoreUtil.removeDomainFromName(str));
            }
        }
        return arrayList;
    }
}
