package org.wso2.carbon.identity.oauth2.token;

import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import org.apache.amber.oauth2.common.message.types.GrantType;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.openidconnect.as.util.OIDCAuthzServerUtil;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.model.OAuthAppDO;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.IdentityOAuthAdminException;
import org.wso2.carbon.identity.oauth.cache.BaseCache;
import org.wso2.carbon.identity.oauth.common.OAuth2ErrorCodes;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDAO;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.ResponseHeader;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenRespDTO;
import org.wso2.carbon.identity.oauth2.token.handlers.clientauth.BasicAuthClientAuthentcationHandler;
import org.wso2.carbon.identity.oauth2.token.handlers.clientauth.ClientAuthenticationHandler;
import org.wso2.carbon.identity.oauth2.token.handlers.clientauth.SAM2BearerClientAuthenticationHandler;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeHandler;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.ClientCredentialsGrantHandler;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantTypeHandler;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantTypeHandler;
import org.wso2.carbon.identity.oauth2.util.OAuth2Constants;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.user.api.Claim;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;
import org.wso2.carbon.user.core.config.RealmConfiguration;
import org.wso2.carbon.utils.CarbonUtils;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/AccessTokenIssuer.class */
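public class AccessTokenIssuer {

    /** Grant-type string (as sent in the token request) -> handler that validates and issues for it. */
    private final Map<String, AuthorizationGrantHandler> authzGrantHandlers = new Hashtable<>();
    /** Client-authentication method name -> handler that authenticates the client for it. */
    private final Map<String, ClientAuthenticationHandler> clientAuthenticationHandlers = new Hashtable<>();
    /** Grant types enabled server-wide; a request for any other grant type is rejected before the app is looked up. */
    private final List<String> supportedGrantTypes = OAuthServerConfiguration.getInstance().getSupportedGrantTypes();
    /** Client-authentication methods enabled server-wide. */
    private final List<String> supportedClientAuthenticationMethods;
    // volatile is required for the double-checked locking in getInstance() to be safe under the JMM.
    private static volatile AccessTokenIssuer instance;
    private static final Log log = LogFactory.getLog(AccessTokenIssuer.class);
    /** Resource-owner username -> claims, consulted when building response headers for the password grant. */
    private final BaseCache<String, Claim[]> userClaimsCache;
    /** Client id -> registered application; avoids a DAO round trip per token request. */
    private final BaseCache<String, OAuthAppDO> appInfoCache;

    /**
     * Returns the process-wide issuer, creating it on first use.
     *
     * @return the singleton issuer
     * @throws IdentityOAuth2Exception if a grant handler cannot be initialised
     */
    public static AccessTokenIssuer getInstance() throws IdentityOAuth2Exception {
        CarbonUtils.checkSecurity();
        AccessTokenIssuer local = instance;
        if (local == null) {
            synchronized (AccessTokenIssuer.class) {
                local = instance;
                if (local == null) {
                    local = new AccessTokenIssuer();
                    instance = local;
                }
            }
        }
        return local;
    }

    /**
     * Registers the built-in grant and client-authentication handlers and creates the two caches.
     *
     * @throws IdentityOAuth2Exception propagated from handler construction
     */
    private AccessTokenIssuer() throws IdentityOAuth2Exception {
        this.authzGrantHandlers.put(GrantType.AUTHORIZATION_CODE.toString(), new AuthorizationCodeHandler());
        this.authzGrantHandlers.put(GrantType.PASSWORD.toString(), new PasswordGrantHandler());
        this.authzGrantHandlers.put(GrantType.CLIENT_CREDENTIALS.toString(), new ClientCredentialsGrantHandler());
        this.authzGrantHandlers.put(GrantType.REFRESH_TOKEN.toString(), new RefreshGrantTypeHandler());
        this.authzGrantHandlers.put(org.wso2.carbon.identity.oauth.common.GrantType.SAML20_BEARER.toString(),
                new SAML2BearerGrantTypeHandler());

        this.supportedClientAuthenticationMethods = OAuthServerConfiguration.getInstance().getSupportedClientAuthMethods();
        this.clientAuthenticationHandlers.put(OAuth2Constants.ClientAuthMethods.BASIC,
                new BasicAuthClientAuthentcationHandler());
        this.clientAuthenticationHandlers.put(OAuth2Constants.ClientAuthMethods.SAML_20_BEARER,
                new SAM2BearerClientAuthenticationHandler());

        // `new` never yields null, so the previous null checks on these caches were dead code.
        this.userClaimsCache = new BaseCache<>("UserClaimsCache");
        this.appInfoCache = new BaseCache<>("AppInfoCache");
        if (log.isDebugEnabled()) {
            log.debug("Successfully created UserClaimsCache under OAuthCacheManager");
            log.debug("Successfully created AppInfoCache under OAuthCacheManager");
        }
    }

    /**
     * Processes a token request end to end.
     *
     * <p>Checks run in this order and the first failure returns an error response without
     * running the later steps: server-wide grant type, application grant type, client
     * authentication method, client authentication, grant validation, access delegation
     * authorisation, scope validation. Client authentication is checked before the grant
     * handler is consulted, so an unauthenticated client cannot drive grant validation
     * (e.g. exercise resource-owner credentials or consume an authorisation code).
     *
     * @param tokenReqDTO the parsed token request
     * @return a response carrying either a token (plus callback URI, response headers and,
     *         for OIDC scopes, an ID token) or an error code/message
     * @throws IdentityException if building the response headers or looking up the app fails
     * @throws InvalidOAuthClientException if the client id is not a registered application
     */
    public OAuth2AccessTokenRespDTO issue(OAuth2AccessTokenReqDTO tokenReqDTO)
            throws IdentityException, InvalidOAuthClientException {
        String grantType = tokenReqDTO.getGrantType();
        String clientId = tokenReqDTO.getClientId();

        if (!this.supportedGrantTypes.contains(grantType)) {
            if (log.isDebugEnabled()) {
                log.debug("Unsupported Grant Type : " + grantType + " for client id : " + clientId);
            }
            return handleError("unsupported_grant_type", "Unsupported Grant Type!", tokenReqDTO);
        }

        OAuthAppDO appInformation = getAppInformation(tokenReqDTO);
        // A null application grant-type list means "no per-app restriction".
        if (appInformation.getGrantTypes() != null && !appInformation.getGrantTypes().contains(grantType)) {
            if (log.isDebugEnabled()) {
                log.debug("Unsupported Grant Type : " + grantType + " for client id : " + clientId);
            }
            return handleError("unsupported_grant_type", "Unsupported Grant Type!", tokenReqDTO);
        }

        String clientAuthMethod = resolveClientAuthMethod(tokenReqDTO);
        if (clientAuthMethod == null || !this.supportedClientAuthenticationMethods.contains(clientAuthMethod)) {
            if (log.isDebugEnabled()) {
                log.debug("Unsupported Client Authentication Method : " + clientAuthMethod
                        + " for client id : " + clientId);
            }
            return handleError(OAuth2Constants.OAuthError.TokenResponse.UNSUPPORTED_CLIENT_AUTHENTICATION_METHOD,
                    "Unsupported Client Authentication Method!", tokenReqDTO);
        }

        AuthorizationGrantHandler grantHandler = this.authzGrantHandlers.get(grantType);
        ClientAuthenticationHandler clientAuthHandler = this.clientAuthenticationHandlers.get(clientAuthMethod);
        // A grant type or auth method may be enabled in configuration without a registered handler;
        // reject rather than dereference null.
        if (grantHandler == null) {
            if (log.isDebugEnabled()) {
                log.debug("No handler registered for Grant Type : " + grantType + " for client id : " + clientId);
            }
            return handleError("unsupported_grant_type", "Unsupported Grant Type!", tokenReqDTO);
        }
        if (clientAuthHandler == null) {
            if (log.isDebugEnabled()) {
                log.debug("No handler registered for Client Authentication Method : " + clientAuthMethod
                        + " for client id : " + clientId);
            }
            return handleError(OAuth2Constants.OAuthError.TokenResponse.UNSUPPORTED_CLIENT_AUTHENTICATION_METHOD,
                    "Unsupported Client Authentication Method!", tokenReqDTO);
        }

        OAuthTokenReqMessageContext tokReqMsgCtx = new OAuthTokenReqMessageContext(tokenReqDTO);
        String applicationName = appInformation.getApplicationName();

        // Fail fast: nothing grant-related runs until the client has authenticated.
        if (!clientAuthHandler.authenticateClient(tokReqMsgCtx)) {
            if (log.isDebugEnabled()) {
                log.debug("Client Authentication Failed for client id=" + clientId + ", user-name="
                        + tokReqMsgCtx.getAuthorizedUser() + " to application=" + applicationName);
            }
            return handleError(OAuth2ErrorCodes.INVALID_CLIENT, "Client credentials are invalid.", tokenReqDTO);
        }
        if (!grantHandler.validateGrant(tokReqMsgCtx)) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid Grant provided by the client, id=" + clientId + ", user-name="
                        + tokReqMsgCtx.getAuthorizedUser() + " to application=" + applicationName);
            }
            return handleError(OAuth2ErrorCodes.INVALID_GRANT, "Provided Authorization Grant is invalid.", tokenReqDTO);
        }
        if (!grantHandler.authorizeAccessDelegation(tokReqMsgCtx)) {
            if (log.isDebugEnabled()) {
                log.debug("Resource owner is not authorized to grant access, client-id=" + clientId + " user-name="
                        + tokReqMsgCtx.getAuthorizedUser() + " to application=" + applicationName);
            }
            return handleError(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT, "Unauthorized Client!", tokenReqDTO);
        }
        if (!grantHandler.validateScope(tokReqMsgCtx)) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid Scope provided. client-id=" + clientId + " user-name="
                        + tokReqMsgCtx.getAuthorizedUser() + " to application=" + applicationName);
            }
            return handleError(OAuth2ErrorCodes.INVALID_SCOPE, "Invalid Scope!", tokenReqDTO);
        }

        // Captured before the client-credentials override so the final log line reflects the
        // user the grant handler resolved, as before.
        String authorizedUser = tokReqMsgCtx.getAuthorizedUser();
        if (grantType.equals(GrantType.CLIENT_CREDENTIALS.toString())) {
            // For client credentials the "user" is the application owner, not a resource owner.
            tokReqMsgCtx.setAuthorizedUser(appInformation.getUserName().toLowerCase());
            tokReqMsgCtx.setTenantID(appInformation.getTenantId());
        }

        List<ResponseHeader> respHeaders = buildResponseHeaders(tokenReqDTO);

        OAuth2AccessTokenRespDTO tokenRespDTO = grantHandler.issue(tokReqMsgCtx);
        tokenRespDTO.setCallbackURI(appInformation.getCallbackUrl());
        tokenRespDTO.setRespHeaders(respHeaders.toArray(new ResponseHeader[0]));
        if (log.isDebugEnabled()) {
            log.debug("Access Token issued to client. client-id=" + clientId + " user-name=" + authorizedUser
                    + " to application=" + applicationName);
        }
        if (tokReqMsgCtx.getScope() != null && OIDCAuthzServerUtil.isOIDCAuthzRequest(tokReqMsgCtx.getScope())) {
            tokenRespDTO.setIDToken(OAuthServerConfiguration.getInstance().getOpenIDConnectIDTokenBuilder()
                    .buildIDToken(tokReqMsgCtx, tokenRespDTO));
        }
        return tokenRespDTO;
    }

    /**
     * Picks the client-authentication method implied by which credentials the request carries:
     * a client assertion (type and value both present) selects SAML 2.0 bearer, otherwise a
     * client id and secret select basic; anything else yields {@code null}.
     *
     * @param tokenReqDTO the token request
     * @return the method name, or {@code null} if no complete credential set is present
     */
    private static String resolveClientAuthMethod(OAuth2AccessTokenReqDTO tokenReqDTO) {
        if (tokenReqDTO.getClientAssertionType() != null && tokenReqDTO.getClientAssertion() != null) {
            return OAuth2Constants.ClientAuthMethods.SAML_20_BEARER;
        }
        if (tokenReqDTO.getClientId() != null && tokenReqDTO.getClientSecret() != null) {
            return OAuth2Constants.ClientAuthMethods.BASIC;
        }
        return null;
    }

    /**
     * Builds the response headers carrying configured user claims. Only the password grant with a
     * resource-owner username produces headers; for every other request the list is empty.
     *
     * @param tokenReqDTO the token request
     * @return headers to attach to the response, never {@code null}
     * @throws IdentityOAuth2Exception wrapping any failure while resolving the user store or claims
     */
    private List<ResponseHeader> buildResponseHeaders(OAuth2AccessTokenReqDTO tokenReqDTO)
            throws IdentityOAuth2Exception {
        List<ResponseHeader> headers = new ArrayList<>();
        String resourceOwner = tokenReqDTO.getResourceOwnerUsername();
        if (!GrantType.PASSWORD.toString().equals(tokenReqDTO.getGrantType()) || resourceOwner == null) {
            return headers;
        }
        try {
            List<String> requiredClaimUris = getClaimUrisRequiredInResponseHeader();
            // Nothing configured: skip the user-store lookup entirely.
            if (requiredClaimUris == null || requiredClaimUris.isEmpty()) {
                return headers;
            }
            UserStoreManager userStoreManager = OAuthComponentServiceHolder.getRealmService()
                    .getTenantUserRealm(IdentityUtil.getTenantIdOFUser(resourceOwner)).getUserStoreManager();
            Claim[] userClaims = getUserClaimValues(tokenReqDTO, userStoreManager);
            if (userClaims == null) {
                return headers;
            }
            for (String claimUri : requiredClaimUris) {
                // Bounded loop: a required URI absent from the user's claims is simply skipped.
                for (Claim claim : userClaims) {
                    if (claimUri.equals(claim.getClaimUri())) {
                        ResponseHeader header = new ResponseHeader();
                        header.setKey(claim.getDisplayTag());
                        header.setValue(claim.getValue());
                        headers.add(header);
                        break;
                    }
                }
            }
        } catch (Exception e) {
            throw new IdentityOAuth2Exception(e.getMessage(), e);
        }
        return headers;
    }

    /**
     * Looks up the registered application for the request's client id, via the cache first.
     *
     * @param tokenReqDTO the token request
     * @return the application record
     * @throws IdentityOAuthAdminException on DAO failure
     * @throws InvalidOAuthClientException if the client id is not registered
     */
    private OAuthAppDO getAppInformation(OAuth2AccessTokenReqDTO tokenReqDTO)
            throws IdentityOAuthAdminException, InvalidOAuthClientException {
        String clientId = tokenReqDTO.getClientId();
        OAuthAppDO cached = this.appInfoCache.getValueFromCache(clientId);
        if (cached != null) {
            return cached;
        }
        OAuthAppDO appInformation = new OAuthAppDAO().getAppInformation(clientId);
        this.appInfoCache.addToCache(clientId, appInformation);
        return appInformation;
    }

    /**
     * Returns all claims of the resource owner named in the request, via the cache first.
     *
     * @param tokenReqDTO the token request (supplies the resource-owner username)
     * @param userStoreManager the user store to read from on a cache miss
     * @return the user's claims as returned by the user store
     * @throws UserStoreException on user-store failure
     */
    private Claim[] getUserClaimValues(OAuth2AccessTokenReqDTO tokenReqDTO, UserStoreManager userStoreManager)
            throws UserStoreException {
        String username = tokenReqDTO.getResourceOwnerUsername();
        Claim[] cached = this.userClaimsCache.getValueFromCache(username);
        if (cached != null) {
            return cached;
        }
        if (log.isDebugEnabled()) {
            log.debug("Cache miss for user claims. Username :" + username);
        }
        Claim[] userClaims = userStoreManager.getUserClaimValues(username, (String) null);
        this.userClaimsCache.addToCache(username, userClaims);
        return userClaims;
    }

    /** @return the claim URIs the server is configured to echo as response headers */
    private List<String> getClaimUrisRequiredInResponseHeader() {
        return OAuthServerConfiguration.getInstance().getRequiredHeaderClaimUris();
    }

    /**
     * Builds an error response and logs the failure at debug level.
     *
     * @param errorCode the OAuth error code to return
     * @param errorMsg the human-readable error message to return
     * @param tokenReqDTO the request that failed (for logging only)
     * @return a response flagged as an error
     */
    private OAuth2AccessTokenRespDTO handleError(String errorCode, String errorMsg,
                                                 OAuth2AccessTokenReqDTO tokenReqDTO) {
        if (log.isDebugEnabled()) {
            log.debug("OAuth-Error-Code=" + errorCode + " client-id=" + tokenReqDTO.getClientId()
                    + " grant-type=" + tokenReqDTO.getGrantType()
                    + " scope=" + OAuth2Util.buildScopeString(tokenReqDTO.getScope()));
        }
        OAuth2AccessTokenRespDTO tokenRespDTO = new OAuth2AccessTokenRespDTO();
        tokenRespDTO.setError(true);
        tokenRespDTO.setErrorCode(errorCode);
        tokenRespDTO.setErrorMsg(errorMsg);
        return tokenRespDTO;
    }

    /**
     * @param resourceOwner a resource-owner identifier
     * @return whether it looks like an e-mail address (contains {@code @})
     */
    private boolean isResourceOwnerUsedEmail(String resourceOwner) {
        return resourceOwner.contains("@");
    }

    /**
     * Resolves a username from an e-mail address via the default realm's email claim.
     *
     * @param email the e-mail address to look up
     * @return the first matching username, or {@code null} if none is found or the lookup fails
     */
    private String getUserfromEmail(String email) {
        String username = null;
        try {
            String[] userList = OAuthComponentServiceHolder.getRealmService()
                    .getUserRealm(new RealmConfiguration()).getUserStoreManager()
                    .getUserList("http://wso2.org/claims/emailaddress", email, (String) null);
            if (userList != null && userList.length > 0) {
                username = userList[0];
            }
        } catch (UserStoreException e) {
            // Best-effort lookup: callers treat null as "not resolvable".
            log.error("Error while retrieving the username using the email : " + email, e);
        }
        return username;
    }

    /**
     * Normalises a resource-owner identifier to a username, resolving e-mail addresses.
     *
     * @param resourceOwner username or e-mail address
     * @return the username, or {@code null} if an e-mail address could not be resolved
     */
    private String getResourceOwnerName(String resourceOwner) {
        return isResourceOwnerUsedEmail(resourceOwner) ? getUserfromEmail(resourceOwner) : resourceOwner;
    }
}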
