package org.wso2.carbon.consent.mgt.core;

import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.consent.mgt.core.connector.ConsentMgtInterceptor;
import org.wso2.carbon.consent.mgt.core.constant.ConsentConstants;
import org.wso2.carbon.consent.mgt.core.exception.ConsentManagementClientException;
import org.wso2.carbon.consent.mgt.core.exception.ConsentManagementException;
import org.wso2.carbon.consent.mgt.core.model.ConsentManagerConfigurationHolder;
import org.wso2.carbon.consent.mgt.core.model.Receipt;
import org.wso2.carbon.consent.mgt.core.model.ReceiptListResponse;
import org.wso2.carbon.consent.mgt.core.util.ConsentUtils;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.user.api.AuthorizationManager;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.service.RealmService;

/* loaded from: input_file:org/wso2/carbon/consent/mgt/core/InterceptingConsentManager.class */
public class InterceptingConsentManager extends PrivilegedConsentManagerImpl {
    private static final Log log = LogFactory.getLog(InterceptingConsentManager.class);
    private RealmService realmService;

    public InterceptingConsentManager(ConsentManagerConfigurationHolder consentManagerConfigurationHolder, List<ConsentMgtInterceptor> list) {
        super(consentManagerConfigurationHolder, list);
        this.realmService = consentManagerConfigurationHolder.getRealmService();
    }

    @Override // org.wso2.carbon.consent.mgt.core.PrivilegedConsentManagerImpl, org.wso2.carbon.consent.mgt.core.ConsentManager
    public Receipt getReceipt(String str) throws ConsentManagementException {
        validateAuthorizationForGetOrRevokeReceipts(str, ConsentConstants.GET_RECEIPT);
        return super.getReceipt(str);
    }

    @Override // org.wso2.carbon.consent.mgt.core.PrivilegedConsentManagerImpl, org.wso2.carbon.consent.mgt.core.ConsentManager
    public List<ReceiptListResponse> searchReceipts(int i, int i2, String str, String str2, String str3, String str4) throws ConsentManagementException {
        validateAuthorizationForListReceipts(str);
        return super.searchReceipts(i, i2, str, str2, str3, str4);
    }

    @Override // org.wso2.carbon.consent.mgt.core.PrivilegedConsentManagerImpl, org.wso2.carbon.consent.mgt.core.ConsentManager
    public void revokeReceipt(String str) throws ConsentManagementException {
        validateAuthorizationForGetOrRevokeReceipts(str, ConsentConstants.REVOKE_RECEIPT);
        super.revokeReceipt(str);
    }

    private void validateAuthorizationForListReceipts(String str) throws ConsentManagementException {
        String username = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUsername();
        if (StringUtils.isBlank(username)) {
            throw ConsentUtils.handleClientException(ConsentConstants.ErrorMessages.ERROR_CODE_NO_USER_FOUND, ConsentConstants.LIST_RECEIPT);
        }
        int tenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId();
        if (!StringUtils.isNotBlank(str) || !str.equalsIgnoreCase(username)) {
            handleAuthorization(ConsentConstants.LIST_RECEIPT, username, tenantId);
        } else if (log.isDebugEnabled()) {
            log.debug("User: " + str + " is authorized to perform a search on own consent receipts.");
        }
    }

    private void validateAuthorizationForGetOrRevokeReceipts(String str, String str2) throws ConsentManagementException {
        String username = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUsername();
        if (StringUtils.isBlank(username)) {
            throw ConsentUtils.handleClientException(ConsentConstants.ErrorMessages.ERROR_CODE_NO_USER_FOUND, str2);
        }
        int tenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId();
        if (!super.isReceiptExist(str, username, tenantId)) {
            handleAuthorization(str2, username, tenantId);
            handleCrossDomainPermission(str);
        } else if (log.isDebugEnabled()) {
            log.debug("User: " + username + " is authorized to perform a " + str2 + " on own consent receipt.");
        }
    }

    private void handleCrossDomainPermission(String str) throws ConsentManagementException {
        String tenantDomainFromCarbonContext = ConsentUtils.getTenantDomainFromCarbonContext();
        Receipt receipt = super.getReceipt(str);
        if (receipt == null || !(StringUtils.equals(receipt.getTenantDomain(), tenantDomainFromCarbonContext) || receipt.getServices().stream().anyMatch(receiptService -> {
            return StringUtils.equals(receiptService.getTenantDomain(), tenantDomainFromCarbonContext);
        }))) {
            throw new ConsentManagementClientException(String.format(ConsentConstants.ErrorMessages.ERROR_CODE_RECEIPT_ID_INVALID.getMessage(), str) + " in tenant: " + tenantDomainFromCarbonContext, ConsentConstants.ErrorMessages.ERROR_CODE_RECEIPT_ID_INVALID.getCode());
        }
    }

    private void handleAuthorization(String str, String str2, int i) throws ConsentManagementException {
        try {
            boolean z = false;
            AuthorizationManager authorizationManager = this.realmService.getTenantUserRealm(i).getAuthorizationManager();
            if (ConsentConstants.GET_RECEIPT.equals(str)) {
                z = authorizationManager.isUserAuthorized(str2, ConsentConstants.PERMISSION_CONSENT_MGT_VIEW, "ui.execute");
            } else if (ConsentConstants.LIST_RECEIPT.equals(str)) {
                z = authorizationManager.isUserAuthorized(str2, ConsentConstants.PERMISSION_CONSENT_MGT_LIST, "ui.execute");
            } else if (ConsentConstants.REVOKE_RECEIPT.equals(str)) {
                z = authorizationManager.isUserAuthorized(str2, ConsentConstants.PERMISSION_CONSENT_MGT_DELETE, "ui.execute");
            }
            if (z) {
                if (log.isDebugEnabled()) {
                    log.debug("User: " + str2 + " is successfully authorized to perform the operation: " + str);
                }
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("LoggedIn user: " + str2 + " is not authorized to perform operation :" + str + " of another users");
                }
                throw ConsentUtils.handleClientException(ConsentConstants.ErrorMessages.ERROR_CODE_USER_NOT_AUTHORIZED, str2);
            }
        } catch (UserStoreException e) {
            throw ConsentUtils.handleServerException(ConsentConstants.ErrorMessages.ERROR_CODE_UNEXPECTED, null, e);
        }
    }
}
