package org.wso2.carbon.identity.oauth2.validators;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.oauth.cache.CacheEntry;
import org.wso2.carbon.identity.oauth.cache.OAuthCache;
import org.wso2.carbon.identity.oauth.cache.OAuthCacheKey;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.model.ResourceScopeCacheEntry;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/validators/JDBCScopeValidator.class */
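/**
 * Scope validator that checks an access token against the scope registered for a resource
 * and, where the scope is bound to roles, against the roles of the authorizing user.
 *
 * <p>Security note: the validator is permissive by construction. It grants access when the
 * token carries no scope, when the resource has no scope registered, and when the scope has
 * no roles bound to it. Access is denied only when the token lacks the resource's scope,
 * when the user has no roles, when no user role matches the scope's roles, or when the
 * user store lookup fails.
 */
public class JDBCScopeValidator extends OAuth2ScopeValidator {
    Log log = LogFactory.getLog(JDBCScopeValidator.class);

    /**
     * Decides whether the given access token may be used on the given resource.
     *
     * @param accessTokenDO the token under validation; its scopes and authorizing user are read
     * @param str           the resource identifier, used as both the cache key and the DAO lookup key
     * @return {@code true} if access is allowed, {@code false} otherwise (including when the
     *         user store cannot be queried)
     * @throws IdentityOAuth2Exception declared by the overridden method; the DAO lookups in this
     *         body are the only calls that can raise it
     */
    @Override
    public boolean validateScope(AccessTokenDO accessTokenDO, String str) throws IdentityOAuth2Exception {
        String[] scope = accessTokenDO.getScope();
        // Fail-open: a token issued without any scope is not restricted by this validator.
        if (scope == null || scope.length == 0) {
            return true;
        }

        TokenMgtDAO tokenMgtDAO = new TokenMgtDAO();
        boolean cacheEnabled = OAuthServerConfiguration.getInstance().isCacheEnabled();

        // Resolve the scope protecting the resource, preferring the cache. A cached entry may
        // legitimately hold a null scope, so a flag records the hit instead of a null check.
        String resourceScope = null;
        boolean cacheHit = false;
        if (cacheEnabled) {
            CacheEntry cacheEntry = (CacheEntry) OAuthCache.getInstance().getValueFromCache(new OAuthCacheKey(str));
            // The instanceof test skips entries of other kinds stored under the same key.
            if (cacheEntry instanceof ResourceScopeCacheEntry) {
                resourceScope = ((ResourceScopeCacheEntry) cacheEntry).getScope();
                cacheHit = true;
            }
        }
        if (!cacheHit) {
            resourceScope = tokenMgtDAO.findScopeOfResource(str);
            if (cacheEnabled) {
                OAuthCache.getInstance().addToCache(new OAuthCacheKey(str), new ResourceScopeCacheEntry(resourceScope));
            }
        }

        // Fail-open: a resource with no registered scope is treated as unprotected.
        if (resourceScope == null) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Resource '" + str + "' is not protected with a scope");
            }
            return true;
        }

        if (!Arrays.asList(scope).contains(resourceScope)) {
            if (this.log.isDebugEnabled()) {
                // The bearer token is a credential: it is deliberately left out of the message
                // so that debug logs cannot be replayed as access tokens.
                this.log.debug("Access token does not bear the scope '" + resourceScope + "'");
            }
            return false;
        }

        try {
            Set<String> scopeRoles = tokenMgtDAO.getRolesOfScopeByScopeKey(resourceScope);
            // Fail-open: a scope with no role binding is satisfied by bearing the scope alone.
            if (scopeRoles == null || scopeRoles.isEmpty()) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Did not find any roles associated to the scope " + resourceScope);
                }
                return true;
            }
            if (this.log.isDebugEnabled()) {
                StringBuilder scopeRolesMessage = new StringBuilder("Found roles of scope '" + resourceScope + "' ");
                for (String scopeRole : scopeRoles) {
                    scopeRolesMessage.append(scopeRole);
                    scopeRolesMessage.append(", ");
                }
                this.log.debug(scopeRolesMessage.toString());
            }

            User authzUser = accessTokenDO.getAuthzUser();
            RealmService realmService = OAuthComponentServiceHolder.getRealmService();
            int tenantId = realmService.getTenantManager().getTenantId(authzUser.getTenantDomain());
            // 0 and -1 are treated as "tenant not resolved from the domain"; fall back to the
            // tenant derived from the user name.
            if (tenantId == 0 || tenantId == -1) {
                tenantId = IdentityTenantUtil.getTenantIdOfUser(authzUser.getUserName());
            }

            String[] userRoles;
            boolean tenantFlowStarted = false;
            try {
                // -1234 appears to be the Carbon super-tenant id (MultitenantConstants.SUPER_TENANT_ID);
                // only other tenants need a tenant flow. TODO confirm and use the named constant.
                if (tenantId != -1234) {
                    PrivilegedCarbonContext.startTenantFlow();
                    // Flag is set as soon as the flow exists so that a failure while resolving or
                    // setting the tenant domain still unwinds it.
                    tenantFlowStarted = true;
                    PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(realmService.getTenantManager().getDomain(tenantId), true);
                }
                userRoles = realmService.getTenantUserRealm(tenantId).getUserStoreManager().getRoleListOfUser(MultitenantUtils.getTenantAwareUsername(authzUser.getUserName()));
            } finally {
                // Always end the flow: the tenant context is thread-local, and leaving it set
                // after an exception would let the next request on this thread inherit it.
                if (tenantFlowStarted) {
                    PrivilegedCarbonContext.endTenantFlow();
                }
            }

            if (userRoles == null || userRoles.length <= 0) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("No roles associated for the user " + authzUser.getUserName());
                }
                return false;
            }
            if (this.log.isDebugEnabled()) {
                StringBuilder userRolesMessage = new StringBuilder("Found roles of user ");
                userRolesMessage.append(authzUser.getUserName());
                userRolesMessage.append(" ");
                for (String userRole : userRoles) {
                    userRolesMessage.append(userRole);
                    userRolesMessage.append(", ");
                }
                this.log.debug(userRolesMessage.toString());
            }

            // Access is granted when the user holds at least one role bound to the scope. The
            // set returned by the DAO is only read, never trimmed, in case it is shared.
            for (String userRole : userRoles) {
                if (scopeRoles.contains(userRole)) {
                    return true;
                }
            }
            return false;
        } catch (UserStoreException e) {
            // Fail-closed: if roles cannot be determined, access is denied.
            this.log.error("Error when getting the tenant's UserStoreManager or when getting roles of user ", e);
            return false;
        }
    }
}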
