package org.wso2.carbon.apimgt.impl.issuers;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import org.apache.axis2.util.JavaUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.saml.saml2.core.Assertion;
import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.impl.APIConstants;
import org.wso2.carbon.apimgt.impl.internal.ServiceReferenceHolder;
import org.wso2.carbon.apimgt.impl.utils.SystemScopeUtils;
import org.wso2.carbon.apimgt.impl.wsdl.util.SOAPToRESTConstants;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.PermissionsAndRoleConfig;
import org.wso2.carbon.identity.application.common.model.RoleMapping;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.OAuthUtil;
import org.wso2.carbon.identity.oauth.cache.CacheEntry;
import org.wso2.carbon.identity.oauth.cache.OAuthCache;
import org.wso2.carbon.identity.oauth.cache.OAuthCacheKey;
import org.wso2.carbon.identity.oauth.callback.OAuthCallback;
import org.wso2.carbon.identity.oauth.common.GrantType;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationRequestDTO;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.model.ResourceScopeCacheEntry;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oauth2.validators.OAuth2TokenValidationMessageContext;
import org.wso2.carbon.identity.oauth2.validators.scope.ScopeValidator;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.UserCoreConstants;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/apimgt/impl/issuers/SystemScopesIssuer.class */
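/**
 * Scope validator that decides which requested OAuth2 scopes a user may receive, based on the
 * role bindings of the tenant's REST API scopes.
 *
 * <p>A requested scope with no role binding is passed through unchanged. A scope with a
 * comma-separated role binding is granted only when the user holds at least one of those roles.
 * When nothing is granted, the single scope {@code "default"} is issued instead.
 *
 * <p>The instance keeps no per-request state: everything resolved while handling a request is
 * held in local variables.
 */
public class SystemScopesIssuer implements ScopeValidator {
    private static final Log log = LogFactory.getLog(SystemScopesIssuer.class);
    private static final String DEFAULT_SCOPE_NAME = "default";
    private static final String PRESERVED_CASE_SENSITIVE_VARIABLE = "preservedCaseSensitive";
    private static final String ACCESS_TOKEN_DO = "AccessTokenDO";
    public static final String CHECK_ROLES_FROM_SAML_ASSERTION = "checkRolesFromSamlAssertion";
    public static final String RETRIEVE_ROLES_FROM_USERSTORE_FOR_SCOPE_VALIDATION = "retrieveRolesFromUserStoreForScopeValidation";
    private static final String SCOPE_VALIDATOR_NAME = "System scope validator";
    private static final String ISSUER_PREFIX = "default";

    /**
     * Replaces the approved scopes of an authorization request with the scopes the user is
     * allowed to receive.
     *
     * @param oAuthAuthzReqMessageContext authorization request context; its approved scope is overwritten
     * @return {@code true} once the approved scope has been set, {@code false} when no scope list
     *         could be computed
     * @throws IdentityOAuth2Exception declared by the validator contract; not thrown by this body
     */
    public boolean validateScope(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws IdentityOAuth2Exception {
        List<String> scopes = getScopes(oAuthAuthzReqMessageContext);
        if (scopes == null) {
            // getScopes yields null only when the overridable getAppScopes returns null;
            // refuse the request instead of failing with a NullPointerException.
            return false;
        }
        oAuthAuthzReqMessageContext.setApprovedScope(scopes.toArray(new String[0]));
        return true;
    }

    /**
     * Replaces the scopes of a token request with the scopes the user is allowed to receive.
     *
     * @param oAuthTokenReqMessageContext token request context; its scope is overwritten
     * @return {@code true} once the scope has been set, {@code false} when no scope list could be
     *         computed
     * @throws IdentityOAuth2Exception declared by the validator contract; not thrown by this body
     */
    public boolean validateScope(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        List<String> scopes = getScopes(oAuthTokenReqMessageContext);
        if (scopes == null) {
            // Same reasoning as the authorization-request overload: deny rather than crash.
            return false;
        }
        oAuthTokenReqMessageContext.setScope(scopes.toArray(new String[0]));
        return true;
    }

    /**
     * Checks, at token-validation time, that the access token carries the scope bound to the
     * requested resource, and narrows the scopes in the validation response to those the user's
     * roles allow.
     *
     * @param oAuth2TokenValidationMessageContext validation context carrying the {@code AccessTokenDO}
     *        property and the request's {@code resource} context parameter
     * @return {@code false} when the token object is missing, the token lacks the resource's scope,
     *         or the user has no roles; {@code true} otherwise
     * @throws IdentityOAuth2Exception propagated from the token DAO lookup
     */
    public boolean validateScope(OAuth2TokenValidationMessageContext oAuth2TokenValidationMessageContext) throws IdentityOAuth2Exception {
        AccessTokenDO accessTokenDO = (AccessTokenDO) oAuth2TokenValidationMessageContext.getProperty(ACCESS_TOKEN_DO);
        if (accessTokenDO == null) {
            return false;
        }
        String resource = getResourceFromMessageContext(oAuth2TokenValidationMessageContext);
        if (resource == null) {
            // No resource named in the request: nothing to check against.
            return true;
        }
        String[] tokenScopes = accessTokenDO.getScope();
        if (tokenScopes == null || tokenScopes.length == 0) {
            // A token without scopes is accepted here without looking up the resource's scope.
            return true;
        }

        String resourceScope = null;
        int resourceTenantId = -1;
        boolean cacheHit = false;
        CacheEntry cached = (CacheEntry) OAuthCache.getInstance().getValueFromCache(new OAuthCacheKey(resource));
        if (cached instanceof ResourceScopeCacheEntry) {
            ResourceScopeCacheEntry cachedScope = (ResourceScopeCacheEntry) cached;
            resourceScope = cachedScope.getScope();
            resourceTenantId = cachedScope.getTenantId();
            cacheHit = true;
        }
        if (!cacheHit) {
            Pair<?, ?> tenantAndScope = OAuthTokenPersistenceFactory.getInstance().getTokenManagementDAO().findTenantAndScopeOfResource(resource);
            if (tenantAndScope != null) {
                resourceScope = (String) tenantAndScope.getLeft();
                resourceTenantId = ((Integer) tenantAndScope.getRight()).intValue();
            }
            // The result is cached even when nothing was found (scope null, tenant -1).
            ResourceScopeCacheEntry freshEntry = new ResourceScopeCacheEntry(resourceScope);
            freshEntry.setTenantId(resourceTenantId);
            OAuthCache.getInstance().addToCache(new OAuthCacheKey(resource), freshEntry);
        }

        if (resourceScope == null) {
            if (log.isDebugEnabled()) {
                log.debug("Resource '" + resource + "' is not protected with a scope");
            }
            return true;
        }
        if (!Arrays.asList(tokenScopes).contains(resourceScope)) {
            // The token value is written to the log only when token logging is explicitly enabled.
            if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable("AccessToken")) {
                log.debug("Access token '" + accessTokenDO.getAccessToken() + "' does not bear the scope '" + resourceScope + "'");
            }
            return false;
        }

        // With neither system property set, the second operand below is true, so role-based
        // re-validation is skipped for every federated user by default.
        boolean rolesFromAssertion = Boolean.parseBoolean(System.getProperty(CHECK_ROLES_FROM_SAML_ASSERTION));
        boolean rolesFromUserStore = Boolean.parseBoolean(System.getProperty(RETRIEVE_ROLES_FROM_USERSTORE_FOR_SCOPE_VALIDATION));
        if (accessTokenDO.getAuthzUser().isFederatedUser() && (rolesFromAssertion || !rolesFromUserStore)) {
            return true;
        }

        AuthenticatedUser authenticatedUser = OAuthUtil.getAuthenticatedUser(oAuth2TokenValidationMessageContext.getResponseDTO().getAuthorizedUser());
        String consumerKey = accessTokenDO.getConsumerKey();
        List<String> scopeList = Arrays.asList(tokenScopes);
        String[] userRoles = null;
        Map<String, String> appScopes = getAppScopes(consumerKey, authenticatedUser, scopeList);
        if (appScopes != null) {
            if (isAppScopesEmpty(appScopes, consumerKey).booleanValue()) {
                List<String> allowedScopes = getAllowedScopes(scopeList);
                oAuth2TokenValidationMessageContext.getResponseDTO().setScope(allowedScopes.toArray(new String[0]));
                return true;
            }
            userRoles = getUserRoles(authenticatedUser);
            List<String> authorizedScopes = getAuthorizedScopes(userRoles, scopeList, appScopes);
            oAuth2TokenValidationMessageContext.getResponseDTO().setScope(authorizedScopes.toArray(new String[0]));
        }
        // NOTE(review): the result depends only on the user having some role; it is not tied to
        // whether the resource's scope survived the role filtering above — confirm this is intended.
        if (!ArrayUtils.isEmpty(userRoles)) {
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug("No roles associated for the user " + authenticatedUser.getUserName());
        }
        return false;
    }

    /**
     * @return the display name of this validator
     */
    public String getName() {
        return SCOPE_VALIDATOR_NAME;
    }

    /**
     * @return the issuer prefix, {@code "default"}
     */
    public String getPrefix() {
        return ISSUER_PREFIX;
    }

    /**
     * Returns the value of the first {@code resource} context parameter of a validation request,
     * or {@code null} when the request has no context or no such parameter.
     */
    private String getResourceFromMessageContext(OAuth2TokenValidationMessageContext validationContext) {
        OAuth2TokenValidationRequestDTO.TokenValidationContextParam[] contextParams = validationContext.getRequestDTO().getContext();
        if (contextParams == null) {
            return null;
        }
        for (OAuth2TokenValidationRequestDTO.TokenValidationContextParam contextParam : contextParams) {
            if (contextParam != null && "resource".equals(contextParam.getKey())) {
                return contextParam.getValue();
            }
        }
        return null;
    }

    /**
     * Computes the scopes to approve for an authorization request from the user's roles.
     *
     * @param oAuthAuthzReqMessageContext authorization request context
     * @return the permitted scopes, or {@code null} when {@link #getAppScopes} returns {@code null}
     */
    public List<String> getScopes(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) {
        // Copied into a growable list: getAllowedScopes may append the default scope, which a
        // fixed-size Arrays.asList view would reject.
        List<String> requestedScopes = toMutableList(oAuthAuthzReqMessageContext.getApprovedScope());
        String consumerKey = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getConsumerKey();
        AuthenticatedUser user = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getUser();
        Map<String, String> appScopes = getAppScopes(consumerKey, user, requestedScopes);
        if (appScopes == null) {
            return null;
        }
        if (isAppScopesEmpty(appScopes, consumerKey).booleanValue()) {
            return getAllowedScopes(requestedScopes);
        }
        return getAuthorizedScopes(getUserRoles(user), requestedScopes, appScopes);
    }

    /**
     * Computes the scopes to grant for an OAuth callback from the resource owner's roles.
     *
     * @param oAuthCallback callback carrying the requested scope, client and resource owner
     * @return the permitted scopes, or {@code null} when {@link #getAppScopes} returns {@code null}
     */
    public List<String> getScopes(OAuthCallback oAuthCallback) {
        List<String> requestedScopes = toMutableList(oAuthCallback.getRequestedScope());
        String client = oAuthCallback.getClient();
        AuthenticatedUser resourceOwner = oAuthCallback.getResourceOwner();
        Map<String, String> appScopes = getAppScopes(client, resourceOwner, requestedScopes);
        if (appScopes == null) {
            return null;
        }
        if (isAppScopesEmpty(appScopes, client).booleanValue()) {
            return getAllowedScopes(requestedScopes);
        }
        return getAuthorizedScopes(getUserRoles(resourceOwner), requestedScopes, appScopes);
    }

    /**
     * Computes the scopes to grant for a token request. The role source depends on the grant type:
     * the SAML assertion (SAML2 bearer grant with {@code checkRolesFromSamlAssertion} enabled), the
     * JWT's role claim (JWT bearer grant unless
     * {@code retrieveRolesFromUserStoreForScopeValidation} is enabled), or the user store.
     *
     * @param oAuthTokenReqMessageContext token request context; the authorized user may be updated
     * @return the permitted scopes, or {@code null} when {@link #getAppScopes} returns {@code null}
     */
    public List<String> getScopes(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        List<String> requestedScopes = toMutableList(oAuthTokenReqMessageContext.getScope());
        String clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
        AuthenticatedUser authorizedUser = oAuthTokenReqMessageContext.getAuthorizedUser();
        Map<String, String> appScopes = getAppScopes(clientId, authorizedUser, requestedScopes);
        if (appScopes == null) {
            return null;
        }
        if (isAppScopesEmpty(appScopes, clientId).booleanValue()) {
            return getAllowedScopes(requestedScopes);
        }

        String grantType = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getGrantType();
        boolean rolesFromAssertion = Boolean.parseBoolean(System.getProperty(CHECK_ROLES_FROM_SAML_ASSERTION));
        boolean rolesFromUserStore = Boolean.parseBoolean(System.getProperty(RETRIEVE_ROLES_FROM_USERSTORE_FOR_SCOPE_VALIDATION));
        String[] userRoles = null;
        if (GrantType.SAML20_BEARER.toString().equals(grantType) && rolesFromAssertion) {
            authorizedUser.setUserStoreDomain(APIConstants.FEDERATED_USER);
            oAuthTokenReqMessageContext.setAuthorizedUser(authorizedUser);
            userRoles = getRolesFromAssertion((Assertion) oAuthTokenReqMessageContext.getProperty(APIConstants.SystemScopeConstants.SAML2_ASSERTION));
        } else if (APIConstants.SystemScopeConstants.OAUTH_JWT_BEARER_GRANT_TYPE.equals(grantType) && !rolesFromUserStore) {
            configureForJWTGrant(oAuthTokenReqMessageContext);
            Map<ClaimMapping, String> userAttributes = authorizedUser.getUserAttributes();
            Object roleClaim = oAuthTokenReqMessageContext.getProperty(APIConstants.SystemScopeConstants.ROLE_CLAIM);
            if (roleClaim != null) {
                userRoles = getRolesFromUserAttribute(userAttributes, roleClaim.toString());
            }
        } else {
            userRoles = getUserRoles(authorizedUser);
        }
        return getAuthorizedScopes(userRoles, requestedScopes, appScopes);
    }

    /** Copies an array into a growable list; a {@code null} array becomes an empty list. */
    private static List<String> toMutableList(String[] values) {
        List<String> copy = new ArrayList<>();
        if (values != null) {
            copy.addAll(Arrays.asList(values));
        }
        return copy;
    }

    /**
     * Reads the user's role list from the user store of the user's tenant.
     *
     * @return the roles, or {@code null} when the user store lookup fails (the failure is logged);
     *         callers treat {@code null} as "no roles"
     */
    private String[] getUserRoles(AuthenticatedUser authenticatedUser) {
        String tenantDomain;
        String userName;
        if (authenticatedUser.isFederatedUser()) {
            // Federated users: tenant and user name are derived from the subject identifier.
            String subject = authenticatedUser.getAuthenticatedSubjectIdentifier();
            tenantDomain = MultitenantUtils.getTenantDomain(subject);
            userName = MultitenantUtils.getTenantAwareUsername(subject);
        } else {
            tenantDomain = authenticatedUser.getTenantDomain();
            userName = authenticatedUser.getUserName();
        }
        String userStoreDomain = authenticatedUser.getUserStoreDomain();
        RealmService realmService = getRealmService();
        String[] roles = null;
        try {
            int tenantId = realmService.getTenantManager().getTenantId(tenantDomain);
            if (tenantId == 0 || tenantId == -1) {
                tenantId = getTenantIdOfUser(userName);
            }
            roles = realmService.getTenantUserRealm(tenantId).getUserStoreManager().getRoleListOfUser(addDomainToName(userName, userStoreDomain));
        } catch (UserStoreException e) {
            log.error("Error when getting the tenant's UserStoreManager or when getting roles of user ", e);
        }
        return roles;
    }

    /**
     * Filters the requested scopes down to those the given roles allow.
     *
     * <p>A scope absent from {@code scopeToRoles}, or bound to an empty role string, is granted
     * without any role check. Role comparison is case-insensitive unless the
     * {@code preservedCaseSensitive} system property is explicitly true.
     *
     * @param userRoles roles of the user; {@code null} is treated as no roles
     * @param requestedScopes scopes asked for
     * @param scopeToRoles scope name to comma-separated role names
     * @return the granted scopes, or a list holding only {@code "default"} when none is granted
     */
    private List<String> getAuthorizedScopes(String[] userRoles, List<String> requestedScopes, Map<String, String> scopeToRoles) {
        List<String> defaultScopes = new ArrayList<>();
        defaultScopes.add(DEFAULT_SCOPE_NAME);

        String[] roles = userRoles == null ? new String[0] : userRoles;
        boolean caseSensitive = JavaUtils.isTrueExplicitly(System.getProperty(PRESERVED_CASE_SENSITIVE_VARIABLE));
        List<String> comparableRoles = new ArrayList<>(roles.length);
        for (String role : roles) {
            comparableRoles.add(caseSensitive ? role : role.toLowerCase(Locale.ENGLISH));
        }

        List<String> authorizedScopes = new ArrayList<>();
        for (String scope : requestedScopes) {
            String boundRoles = scopeToRoles.get(scope);
            if (boundRoles == null || boundRoles.length() == 0) {
                // No role binding known for this scope: it is passed through unchecked.
                authorizedScopes.add(scope);
                continue;
            }
            List<String> scopeRoles = new ArrayList<>();
            for (String boundRole : boundRoles.split(",")) {
                String trimmed = boundRole.trim();
                scopeRoles.add(caseSensitive ? trimmed : trimmed.toLowerCase(Locale.ENGLISH));
            }
            scopeRoles.retainAll(comparableRoles);
            if (!scopeRoles.isEmpty()) {
                authorizedScopes.add(scope);
            }
        }
        return authorizedScopes.isEmpty() ? defaultScopes : authorizedScopes;
    }

    /**
     * Extracts role names from the user attribute whose local claim URI equals
     * {@code roleClaimUri}. JSON-array punctuation is stripped and the remainder is split on the
     * framework's multi-attribute separator.
     *
     * @return the roles, or an empty array when no non-blank matching attribute exists
     */
    private String[] getRolesFromUserAttribute(Map<ClaimMapping, String> userAttributes, String roleClaimUri) {
        for (Map.Entry<ClaimMapping, String> attribute : userAttributes.entrySet()) {
            ClaimMapping mapping = attribute.getKey();
            if (mapping.getLocalClaim() == null || !roleClaimUri.equals(mapping.getLocalClaim().getClaimUri())) {
                continue;
            }
            String rawValue = attribute.getValue();
            if (StringUtils.isNotBlank(rawValue)) {
                String cleaned = rawValue.replace("\\/", SOAPToRESTConstants.SequenceGen.PATH_SEPARATOR).replace("[", "").replace("]", "").replace("\"", "");
                return cleaned.split(FrameworkUtils.getMultiAttributeSeparator());
            }
        }
        return new String[0];
    }

    /**
     * Delegates to {@code UserCoreUtil.addDomainToName}; overridable for tests.
     *
     * @param str user name
     * @param str2 user store domain
     */
    protected String addDomainToName(String str, String str2) {
        return UserCoreUtil.addDomainToName(str, str2);
    }

    /**
     * Delegates to {@code SystemScopeUtils.getRolesFromAssertion}; overridable for tests.
     *
     * @param assertion SAML2 assertion taken from the token request context
     */
    protected String[] getRolesFromAssertion(Assertion assertion) {
        return SystemScopeUtils.getRolesFromAssertion(assertion);
    }

    /**
     * Copies the roles found in the JWT bearer assertion into the authorized user's attributes,
     * after mapping them through the issuer's identity-provider role configuration, and records
     * the role claim URI in the request context under {@code ROLE_CLAIM}.
     *
     * <p>This method only parses the assertion; it performs no signature, expiry or audience check
     * itself. NOTE(review): it presumably relies on the JWT bearer grant handler having validated
     * the assertion earlier in the token flow — confirm, because the roles read here decide which
     * role-bound scopes are granted.
     *
     * <p>The resolved identity provider is held in a local variable, so a failed lookup can never
     * fall back to a provider left over from an earlier call on the same instance. When no
     * provider can be resolved, the request is left untouched and no roles are derived from the
     * JWT.
     *
     * @param oAuthTokenReqMessageContext token request context of a JWT bearer grant
     */
    protected void configureForJWTGrant(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        SignedJWT signedJWT = null;
        try {
            signedJWT = getSignedJWT(oAuthTokenReqMessageContext);
        } catch (IdentityOAuth2Exception e) {
            log.error("Couldn't retrieve signed JWT", e);
        }
        JWTClaimsSet claimSet = signedJWT != null ? getClaimSet(signedJWT) : null;
        String issuer = claimSet != null ? claimSet.getIssuer() : null;
        String tenantDomain = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain();

        IdentityProvider resolvedIdp = null;
        try {
            resolvedIdp = IdentityProviderManager.getInstance().getIdPByName(issuer, tenantDomain);
            if (resolvedIdp == null) {
                log.error("No Registered IDP found for the JWT with issuer name : " + issuer);
            } else if (StringUtils.equalsIgnoreCase(resolvedIdp.getIdentityProviderName(), "default")) {
                resolvedIdp = getResidentIDPForIssuer(tenantDomain, issuer);
                if (resolvedIdp == null) {
                    log.error("No Registered IDP found for the JWT with issuer name : " + issuer);
                }
            }
        } catch (IdentityProviderManagementException | IdentityOAuth2Exception e) {
            // Discard any provider obtained before the failure.
            resolvedIdp = null;
            log.error("Couldn't initiate identity provider instance", e);
        }
        if (resolvedIdp == null) {
            // No registered issuer: ROLE_CLAIM stays unset, so the caller derives no roles.
            return;
        }

        String roleClaimURI = resolvedIdp.getClaimConfig().getRoleClaimURI();
        String[] jwtRoles = null;
        if (claimSet != null) {
            try {
                jwtRoles = claimSet.getStringArrayClaim(roleClaimURI);
            } catch (ParseException e) {
                log.error("Couldn't retrieve roles:", e);
            }
        }

        List<String> mappedRoles = new ArrayList<>();
        if (jwtRoles != null) {
            for (String jwtRole : jwtRoles) {
                String mapped = getUpdatedRoleClaimValue(resolvedIdp, jwtRole);
                mappedRoles.add(mapped != null ? mapped : jwtRole);
            }
        }

        AuthenticatedUser authorizedUser = oAuthTokenReqMessageContext.getAuthorizedUser();
        Map<ClaimMapping, String> userAttributes = authorizedUser.getUserAttributes();
        if (roleClaimURI != null) {
            // Stored as the list's string form with every space removed; getRolesFromUserAttribute
            // strips the brackets again when reading it back.
            userAttributes.put(ClaimMapping.build(roleClaimURI, roleClaimURI, (String) null, false), mappedRoles.toString().replace(" ", ""));
            oAuthTokenReqMessageContext.addProperty(APIConstants.SystemScopeConstants.ROLE_CLAIM, roleClaimURI);
        }
        authorizedUser.setUserAttributes(userAttributes);
        oAuthTokenReqMessageContext.setAuthorizedUser(authorizedUser);
    }

    /**
     * Parses the JWT assertion carried in the token request parameters.
     *
     * @throws IdentityOAuth2Exception when the assertion parameter is missing or empty, or the
     *         value is not a parseable signed JWT
     */
    private SignedJWT getSignedJWT(OAuthTokenReqMessageContext tokenRequestContext) throws IdentityOAuth2Exception {
        RequestParameter[] requestParameters = tokenRequestContext.getOauth2AccessTokenReqDTO().getRequestParameters();
        String assertion = null;
        if (requestParameters != null) {
            for (RequestParameter requestParameter : requestParameters) {
                if (requestParameter.getKey().equals(APIConstants.SystemScopeConstants.OAUTH_JWT_ASSERTION)) {
                    // A parameter without values is treated like a missing assertion.
                    String[] values = requestParameter.getValue();
                    if (values != null && values.length > 0) {
                        assertion = values[0];
                    }
                    break;
                }
            }
        }
        if (StringUtils.isEmpty(assertion)) {
            throw new IdentityOAuth2Exception("Error while retrieving assertion");
        }
        try {
            SignedJWT parsed = SignedJWT.parse(assertion);
            if (log.isDebugEnabled()) {
                // NOTE(review): this passes the parsed assertion object to the logger without the
                // isTokenLoggable gate used for access tokens — confirm its string form does not
                // expose the bearer assertion.
                log.debug(parsed);
            }
            return parsed;
        } catch (ParseException e) {
            throw new IdentityOAuth2Exception("Error while parsing the JWT.", e);
        }
    }

    /**
     * Returns the claims of the JWT, or {@code null} when they cannot be parsed (the failure is
     * logged).
     */
    private JWTClaimsSet getClaimSet(SignedJWT signedJWT) {
        try {
            return signedJWT.getJWTClaimsSet();
        } catch (ParseException e) {
            log.error("Error when trying to retrieve claimsSet from the JWT:", e);
            return null;
        }
    }

    /**
     * Returns the tenant's resident identity provider when its OpenID Connect
     * {@code IdPEntityId} equals the JWT issuer, otherwise {@code null}. A {@code null} issuer
     * never matches.
     *
     * @throws IdentityOAuth2Exception when the resident identity provider cannot be loaded
     */
    private IdentityProvider getResidentIDPForIssuer(String tenantDomain, String jwtIssuer) throws IdentityOAuth2Exception {
        try {
            IdentityProvider residentIdP = IdentityProviderManager.getInstance().getResidentIdP(tenantDomain);
            FederatedAuthenticatorConfig oidcConfig = IdentityApplicationManagementUtil.getFederatedAuthenticator(residentIdP.getFederatedAuthenticatorConfigs(), "openidconnect");
            String residentEntityId = oidcConfig != null ? IdentityApplicationManagementUtil.getProperty(oidcConfig.getProperties(), "IdPEntityId").getValue() : "";
            if (jwtIssuer != null && jwtIssuer.equals(residentEntityId)) {
                return residentIdP;
            }
            return null;
        } catch (IdentityProviderManagementException e) {
            throw new IdentityOAuth2Exception(String.format("Error while getting Resident Identity Provider of '%s' tenant.", tenantDomain), e);
        }
    }

    /**
     * Translates a role claim value received from an identity provider into local role names using
     * the provider's role mappings.
     *
     * <p>For each remote role the first matching mapping wins. Unmapped roles are kept only when
     * the server is not configured to return mapped local roles exclusively. The per-role search
     * is reconstructed from a decompiled loop that had lost its exits and could not terminate.
     *
     * @return the value unchanged for the {@code LOCAL} provider; otherwise the mapped roles joined
     *         with the multi-attribute separator, or {@code null} when nothing remains
     */
    private String getUpdatedRoleClaimValue(IdentityProvider identityProvider, String roleClaimValue) {
        if (StringUtils.equalsIgnoreCase("LOCAL", identityProvider.getIdentityProviderName())) {
            return roleClaimValue;
        }
        String cleaned = roleClaimValue.replace("\\/", SOAPToRESTConstants.SequenceGen.PATH_SEPARATOR).replace("[", "").replace("]", "").replace("\"", "");
        PermissionsAndRoleConfig roleConfig = identityProvider.getPermissionAndRoleConfig();
        boolean onlyMappedRoles = OAuthServerConfiguration.getInstance().isReturnOnlyMappedLocalRoles();
        if (roleConfig == null || !org.apache.commons.lang3.ArrayUtils.isNotEmpty(roleConfig.getRoleMappings())) {
            return onlyMappedRoles ? null : cleaned;
        }

        List<String> localRoles = new ArrayList<>();
        for (String remoteRole : cleaned.split(FrameworkUtils.getMultiAttributeSeparator())) {
            boolean mapped = false;
            for (RoleMapping roleMapping : roleConfig.getRoleMappings()) {
                if (roleMapping.getRemoteRole().equals(remoteRole)) {
                    String userStoreId = roleMapping.getLocalRole().getUserStoreId();
                    String localRoleName = roleMapping.getLocalRole().getLocalRoleName();
                    localRoles.add(StringUtils.isEmpty(userStoreId) ? localRoleName : userStoreId + UserCoreConstants.DOMAIN_SEPARATOR + localRoleName);
                    mapped = true;
                    break;
                }
            }
            if (!mapped && !onlyMappedRoles) {
                localRoles.add(remoteRole);
            }
        }
        if (localRoles.isEmpty()) {
            return null;
        }
        return StringUtils.join(localRoles, FrameworkUtils.getMultiAttributeSeparator());
    }

    /**
     * Loads the scope-to-roles bindings of the REST API scopes for the tenant that owns the given
     * OAuth application.
     *
     * <p>NOTE(review): both lookups fail open. An error is logged and an empty map is returned,
     * which callers treat as "no scopes defined" and answer by passing the requested scopes
     * through without a role check. Confirm that this is the intended behaviour on failure.
     *
     * @param str client id (consumer key) of the application
     * @param authenticatedUser not used by this implementation
     * @param list not used by this implementation
     * @return scope name to comma-separated role names; never {@code null} in this implementation
     */
    public Map<String, String> getAppScopes(String str, AuthenticatedUser authenticatedUser, List<String> list) {
        Map<String, String> appScopes = new HashMap<>();
        String tenantDomain = null;
        try {
            tenantDomain = OAuth2Util.getAppInformationByClientId(str).getAppOwner().getTenantDomain();
        } catch (InvalidOAuthClientException | IdentityOAuth2Exception e) {
            log.error("Error when retrieving the tenant domain " + e.getMessage(), e);
        }
        try {
            // tenantDomain is still null here when the lookup above failed.
            Map<String, String> tenantScopes = SystemScopeUtils.getRESTAPIScopesForTenant(tenantDomain);
            if (tenantScopes != null && !tenantScopes.isEmpty()) {
                appScopes.putAll(tenantScopes);
            }
        } catch (APIManagementException e) {
            log.error("Error while getting scopes of application " + e.getMessage(), e);
        }
        return appScopes;
    }

    /**
     * Tells whether the scope map is empty, logging the application at debug level when it is.
     *
     * @param map scope-to-roles bindings
     * @param str client id used in the log message
     * @return {@code true} when {@code map} is empty
     */
    public Boolean isAppScopesEmpty(Map<String, String> map, String str) {
        if (!map.isEmpty()) {
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("No scopes defined for the Application " + str);
        }
        return true;
    }

    /**
     * Returns the requested scopes, substituting the {@code "default"} scope when none were
     * requested.
     *
     * @param list requested scopes; when empty and modifiable, {@code "default"} is appended to it
     * @return {@code list} itself, or a new list holding {@code "default"} when {@code list} is
     *         empty and cannot be modified
     */
    public List<String> getAllowedScopes(List<String> list) {
        if (!list.isEmpty()) {
            return list;
        }
        try {
            list.add(DEFAULT_SCOPE_NAME);
            return list;
        } catch (UnsupportedOperationException fixedSizeList) {
            // Fixed-size views such as Arrays.asList(new String[0]) reject add(); answer with a
            // fresh list instead of propagating the failure.
            List<String> defaultScopes = new ArrayList<>();
            defaultScopes.add(DEFAULT_SCOPE_NAME);
            return defaultScopes;
        }
    }

    /**
     * @return the realm service held by {@code ServiceReferenceHolder}; overridable for tests
     */
    protected RealmService getRealmService() {
        return ServiceReferenceHolder.getInstance().getRealmService();
    }

    /**
     * Delegates to {@code IdentityTenantUtil.getTenantIdOfUser}; overridable for tests.
     *
     * @param str user name
     */
    protected int getTenantIdOfUser(String str) {
        return IdentityTenantUtil.getTenantIdOfUser(str);
    }
}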
