package org.wso2.carbon.identity.openidconnect;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import net.minidev.json.JSONArray;
import org.apache.amber.oauth2.common.exception.OAuthSystemException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;
import org.opensaml.xml.XMLObject;
import org.wso2.carbon.claim.mgt.ClaimManagerHandler;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheEntry;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheKey;
import org.wso2.carbon.identity.oauth.cache.CacheKey;
import org.wso2.carbon.identity.oauth.common.OAuthConstants;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.user.core.UserRealm;
import org.wso2.carbon.user.core.UserStoreManager;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/openidconnect/SAMLAssertionClaimsCallback.class */
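/**
 * Populates an OIDC ID token with custom claims, taken either from a SAML2 assertion attached to the
 * token request (SAML2 bearer grant) or, failing that, from the authorization-grant cache / user store.
 *
 * <p>Claim values that are multi-valued are emitted either as a JSON array string or as a single
 * comma-joined string, depending on {@code OAuthServerConfiguration#isArrayBasedMultiValueAttributesEnabled()}.
 *
 * <p>Thread-safety: all per-request state (in particular the user-store attribute separator) is kept in
 * locals, so a single instance can serve concurrent token requests.
 */
public class SAMLAssertionClaimsCallback implements CustomClaimsCallbackHandler {
    private static final Log log = LogFactory.getLog(SAMLAssertionClaimsCallback.class);
    private static final String INBOUND_AUTH2_TYPE = "oauth2";
    private static final String SP_DIALECT = "http://wso2.org/oidc/claim";
    /** Map key (and user-store property name) carrying the separator used inside multi-valued claim strings. */
    private static final String MULTI_ATTRIBUTE_SEPARATOR = "MultiAttributeSeparator";
    /** Separator assumed for multi-valued user-store claims when the user store declares none. */
    private static final String DEFAULT_USER_ATTRIBUTE_SEPARATOR = ",";
    /** Separator used when flattening several values into one string claim. */
    private static final String CLAIM_VALUE_JOINER = ",";
    /** When true multi-valued claims are emitted as JSON arrays; otherwise as joined strings. */
    private final boolean isArrayBasedMultiValueEnabled;

    /**
     * Reads the multi-value rendering mode once from the server configuration.
     */
    public SAMLAssertionClaimsCallback() {
        this.isArrayBasedMultiValueEnabled =
                OAuthServerConfiguration.getInstance().isArrayBasedMultiValueAttributesEnabled();
    }

    /**
     * Adds custom claims to the ID token being built.
     *
     * <p>If the request context carries a SAML2 assertion ({@code OAuthConstants.OAUTH_SAML2_ASSERTION}) the
     * attributes of its first {@code AttributeStatement} are copied into the token; otherwise the claims are
     * resolved via {@link #getResponse(OAuthTokenReqMessageContext)}. Errors while resolving claims are logged
     * and leave the token without custom claims.
     *
     * @param iDTokenBuilder               builder receiving the claims
     * @param oAuthTokenReqMessageContext  token request context (authorized user, access token, assertion)
     */
    @Override // org.wso2.carbon.identity.openidconnect.CustomClaimsCallbackHandler
    public void handleCustomClaims(org.apache.oltu.openidconnect.as.messages.IDTokenBuilder iDTokenBuilder, OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        Assertion assertion = (Assertion) oAuthTokenReqMessageContext.getProperty(OAuthConstants.OAUTH_SAML2_ASSERTION);
        if (assertion != null) {
            addClaimsFromAssertion(iDTokenBuilder, assertion);
            return;
        }

        if (log.isDebugEnabled()) {
            log.debug("Adding claims for user " + oAuthTokenReqMessageContext.getAuthorizedUser() + " to id token.");
        }
        try {
            Map<String, Object> response = getResponse(oAuthTokenReqMessageContext);

            // The user-store separator travels in the same map as the claims: pull it out so it is not
            // emitted as a claim. It is deliberately a local, not a field, so that one request's
            // user-store setting cannot bleed into a concurrent request handled by the same instance.
            String separator = DEFAULT_USER_ATTRIBUTE_SEPARATOR;
            Object configuredSeparator = response.get(MULTI_ATTRIBUTE_SEPARATOR);
            if (configuredSeparator != null) {
                separator = (String) configuredSeparator;
                response.remove(MULTI_ATTRIBUTE_SEPARATOR);
            }

            for (Map.Entry<String, Object> entry : response.entrySet()) {
                Object rawValue = entry.getValue();
                if (rawValue == null) {
                    // A null value would otherwise abort the whole token build with an NPE.
                    if (log.isDebugEnabled()) {
                        log.debug("Skipping claim with null value: " + entry.getKey());
                    }
                    continue;
                }
                List<String> parts = splitMultiValue(rawValue.toString(), separator);
                String claimValue = this.isArrayBasedMultiValueEnabled ? toJsonArray(parts) : joinValues(parts);
                iDTokenBuilder.setClaim(entry.getKey(), claimValue);
            }
        } catch (OAuthSystemException e) {
            log.error("Error occurred while adding claims of " + oAuthTokenReqMessageContext.getAuthorizedUser() + " to id token.", e);
        }
    }

    /**
     * Copies the attributes of the assertion's first {@code AttributeStatement} into the token.
     *
     * <p>Attribute names from the assertion are used verbatim as ID token claim names and their text
     * content as values; no claim mapping or filtering is applied here.
     *
     * @param iDTokenBuilder builder receiving the claims
     * @param assertion      SAML2 assertion supplied with the token request (non-null)
     */
    private void addClaimsFromAssertion(org.apache.oltu.openidconnect.as.messages.IDTokenBuilder iDTokenBuilder, Assertion assertion) {
        if (assertion.getAttributeStatements().size() <= 0) {
            log.debug("No AttributeStatement found! ");
            return;
        }
        // Only the first AttributeStatement is consulted; further statements are ignored.
        AttributeStatement statement = (AttributeStatement) assertion.getAttributeStatements().get(0);
        for (Attribute attribute : statement.getAttributes()) {
            List<String> values = new ArrayList<String>();
            // Assumes the attribute values are marshalled (getDOM() non-null) — the original relied on this too.
            for (Object attributeValue : attribute.getAttributeValues()) {
                values.add(((XMLObject) attributeValue).getDOM().getTextContent());
            }
            // An attribute with no values yields "[]" or "" instead of failing on an empty buffer.
            String claimValue = this.isArrayBasedMultiValueEnabled ? toJsonArray(values) : joinValues(values);
            iDTokenBuilder.setClaim(attribute.getName(), claimValue);
            if (log.isDebugEnabled()) {
                // Debug level only: attribute values are user data and end up in the server log.
                log.debug("Attribute: " + attribute.getName() + ", Value: " + claimValue);
            }
        }
    }

    /**
     * Splits a claim value on the user-store separator, dropping blank tokens.
     *
     * <p>{@link StringTokenizer} semantics are preserved: every character of {@code separator} is a
     * delimiter. A value that does not contain the separator (or a null separator) is returned whole,
     * even when blank.
     *
     * @param value     raw claim value (non-null)
     * @param separator user-store separator, may be null
     * @return the individual values, possibly empty when every token is blank
     */
    private static List<String> splitMultiValue(String value, String separator) {
        List<String> parts = new ArrayList<String>();
        if (separator == null || !value.contains(separator)) {
            parts.add(value);
            return parts;
        }
        StringTokenizer tokenizer = new StringTokenizer(value, separator);
        while (tokenizer.hasMoreTokens()) {
            String token = tokenizer.nextToken();
            if (!token.trim().isEmpty()) {
                parts.add(token);
            }
        }
        return parts;
    }

    /**
     * Renders the values as a JSON array string, e.g. {@code ["a","b"]}; an empty list gives {@code []}.
     *
     * @param values claim values (non-null)
     * @return JSON array text
     */
    private static String toJsonArray(List<String> values) {
        JSONArray array = new JSONArray();
        array.addAll(values);
        return array.toJSONString();
    }

    /**
     * Joins the values with {@link #CLAIM_VALUE_JOINER}; a single value is returned unchanged and an
     * empty list gives the empty string.
     *
     * @param values claim values (non-null)
     * @return joined string
     */
    private static String joinValues(List<String> values) {
        StringBuilder joined = new StringBuilder();
        for (int i = 0; i < values.size(); i++) {
            if (i > 0) {
                joined.append(CLAIM_VALUE_JOINER);
            }
            joined.append(values.get(i));
        }
        return joined.toString();
    }

    /**
     * Resolves the claims for the token request.
     *
     * <p>The authorization-grant cache (keyed by the {@code "accessToken"} context property) is consulted
     * first. The user store is only queried when the cache holds nothing for the token <em>and</em> the
     * service provider has no subject claim URI configured; otherwise the (possibly empty) cached attributes
     * are used. NOTE(review): that second condition is kept from the original; confirm it is intended.
     *
     * @param oAuthTokenReqMessageContext token request context
     * @return claim URI to value, plus {@link #MULTI_ATTRIBUTE_SEPARATOR} when the user store declares one;
     *         empty (never null) when nothing could be resolved
     * @throws OAuthSystemException declared for callers; not raised by this implementation
     */
    private Map<String, Object> getResponse(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws OAuthSystemException {
        Object accessToken = oAuthTokenReqMessageContext.getProperty("accessToken");
        Map<ClaimMapping, String> cachedAttributes = accessToken == null
                ? new HashMap<ClaimMapping, String>()
                : getUserAttributesFromCache(accessToken.toString());

        boolean cacheMiss = cachedAttributes == null || cachedAttributes.isEmpty();
        if (cacheMiss && getSubjectClaimUri(oAuthTokenReqMessageContext) == null) {
            if (log.isDebugEnabled()) {
                log.debug("User attributes not found in cache. Trying to retrieve attribute for user " + oAuthTokenReqMessageContext.getAuthorizedUser());
            }
            try {
                return getClaimsFromUserStore(oAuthTokenReqMessageContext);
            } catch (Exception e) {
                // Best effort: a user-store failure must not fail the token request, only drop the claims.
                log.error("Error occurred while getting claims for user " + oAuthTokenReqMessageContext.getAuthorizedUser(), e);
                return Collections.emptyMap();
            }
        }
        return getClaimsMap(cachedAttributes);
    }

    /**
     * Re-keys cached attributes by their remote (OIDC) claim URI.
     *
     * @param userAttributes cached attributes, may be null or empty
     * @return mutable map of remote claim URI to value; empty when the input is null or empty
     */
    private Map<String, Object> getClaimsMap(Map<ClaimMapping, String> userAttributes) {
        Map<String, Object> claims = new HashMap<String, Object>();
        if (userAttributes == null || userAttributes.isEmpty()) {
            return claims;
        }
        for (Map.Entry<ClaimMapping, String> entry : userAttributes.entrySet()) {
            claims.put(entry.getKey().getRemoteClaim().getClaimUri(), entry.getValue());
        }
        return claims;
    }

    /**
     * Reads the claims the service provider requested from the user store and maps them to the OIDC dialect.
     *
     * <p>Steps: look up the service provider by client id; collect the local claim URIs marked as requested;
     * fetch their values for the tenant-aware user name; translate local URIs to OIDC URIs using the
     * {@link #SP_DIALECT} mapping; finally attach the user store's {@code MultiAttributeSeparator} property
     * under {@link #MULTI_ATTRIBUTE_SEPARATOR} when present.
     *
     * @param oAuthTokenReqMessageContext token request context
     * @return mutable map of OIDC claim URI to value (never null)
     * @throws Exception propagated from the application-management, claim-management and user-store APIs
     */
    private static Map<String, Object> getClaimsFromUserStore(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws Exception {
        String authorizedUser = oAuthTokenReqMessageContext.getAuthorizedUser();
        String tenantDomain = MultitenantUtils.getTenantDomain(authorizedUser);
        Map<String, Object> claims = new HashMap<String, Object>();

        ApplicationManagementService applicationMgtService = OAuth2ServiceComponentHolder.getApplicationMgtService();
        String clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
        ServiceProvider application = applicationMgtService.getApplication(
                applicationMgtService.getServiceProviderNameByClientId(clientId, INBOUND_AUTH2_TYPE));
        if (application == null) {
            return claims;
        }

        UserRealm realm = IdentityTenantUtil.getRealm(tenantDomain, authorizedUser);
        if (realm == null) {
            log.warn("No valid tenant domain provider. Empty claim returned back for tenant " + tenantDomain + " and user " + authorizedUser);
            return claims;
        }

        ClaimMapping[] claimMappings = application.getClaimConfig().getClaimMappings();
        if (claimMappings == null || claimMappings.length == 0) {
            return claims;
        }
        List<String> requestedLocalClaims = new ArrayList<String>();
        for (ClaimMapping claimMapping : claimMappings) {
            if (claimMapping.isRequested()) {
                requestedLocalClaims.add(claimMapping.getLocalClaim().getClaimUri());
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("Requested number of local claims: " + requestedLocalClaims.size());
        }
        if (requestedLocalClaims.isEmpty()) {
            // Nothing to ask the user store for.
            return claims;
        }

        Map<?, ?> oidcToLocalClaims = ClaimManagerHandler.getInstance()
                .getMappingsMapFromOtherDialectToCarbon(SP_DIALECT, (Set) null, tenantDomain, false);
        UserStoreManager userStoreManager = realm.getUserStoreManager();
        Map<?, ?> userClaimValues = userStoreManager.getUserClaimValues(
                MultitenantUtils.getTenantAwareUsername(authorizedUser),
                requestedLocalClaims.toArray(new String[requestedLocalClaims.size()]),
                (String) null);
        // Null-check before touching size(): the user store may legitimately return null.
        if (userClaimValues == null || userClaimValues.isEmpty()) {
            if (log.isDebugEnabled()) {
                log.debug("No user claims retrieved from user store for user " + authorizedUser);
            }
            return claims;
        }
        if (log.isDebugEnabled()) {
            log.debug("Number of user claims retrieved from user store: " + userClaimValues.size());
        }
        if (oidcToLocalClaims == null) {
            if (log.isDebugEnabled()) {
                log.debug("No claim mappings found for dialect " + SP_DIALECT + " in tenant " + tenantDomain);
            }
            return claims;
        }

        // Only claims that have a mapping in the OIDC dialect are emitted; unmapped local claims are dropped.
        for (Map.Entry<?, ?> mapping : oidcToLocalClaims.entrySet()) {
            String value = (String) userClaimValues.get(mapping.getValue());
            if (value != null) {
                String oidcClaimUri = (String) mapping.getKey();
                claims.put(oidcClaimUri, value);
                if (log.isDebugEnabled()) {
                    // Debug level only: claim values are user data and end up in the server log.
                    log.debug("Mapped claim: key -  " + oidcClaimUri + " value -" + value);
                }
            }
        }

        UserStoreManager domainStoreManager =
                userStoreManager.getSecondaryUserStoreManager(UserCoreUtil.extractDomainFromName(authorizedUser));
        if (domainStoreManager == null) {
            if (log.isDebugEnabled()) {
                log.debug("No user store manager found for the domain of user " + authorizedUser
                        + "; using the default multi attribute separator.");
            }
            return claims;
        }
        String separator = domainStoreManager.getRealmConfiguration().getUserStoreProperty(MULTI_ATTRIBUTE_SEPARATOR);
        if (separator != null && !separator.trim().isEmpty()) {
            claims.put(MULTI_ATTRIBUTE_SEPARATOR, separator);
        }
        return claims;
    }

    /**
     * Looks up the user attributes cached for an access token in the authorization-grant cache.
     *
     * @param accessToken access token used as the cache key
     * @return cached attributes, or a new empty map when there is no cache entry (never null)
     */
    private Map<ClaimMapping, String> getUserAttributesFromCache(String accessToken) {
        AuthorizationGrantCacheEntry cacheEntry = (AuthorizationGrantCacheEntry) AuthorizationGrantCache.getInstance()
                .getValueFromCache((CacheKey) new AuthorizationGrantCacheKey(accessToken));
        if (cacheEntry == null) {
            return new HashMap<ClaimMapping, String>();
        }
        return cacheEntry.getUserAttributes();
    }

    /**
     * Returns the subject claim URI configured for the service provider that owns the request's client id.
     *
     * @param oAuthTokenReqMessageContext token request context
     * @return the subject claim URI, or null when the service provider, its local/outbound authentication
     *         configuration or the URI is absent, or the lookup fails (the failure is logged)
     */
    private String getSubjectClaimUri(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        ApplicationManagementService applicationMgtService = OAuth2ServiceComponentHolder.getApplicationMgtService();
        try {
            String clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
            ServiceProvider application = applicationMgtService.getApplication(
                    applicationMgtService.getServiceProviderNameByClientId(clientId, INBOUND_AUTH2_TYPE));
            if (application == null || application.getLocalAndOutBoundAuthenticationConfig() == null) {
                return null;
            }
            return application.getLocalAndOutBoundAuthenticationConfig().getSubjectClaimUri();
        } catch (IdentityApplicationManagementException e) {
            log.error("Error while getting service provider information.", e);
            return null;
        }
    }
}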
