package org.keycloak.services.clientregistration;

import java.util.List;
import java.util.Map;
import javax.ws.rs.core.UriInfo;
import org.jboss.resteasy.spi.Failure;
import org.jboss.resteasy.spi.NotFoundException;
import org.jboss.resteasy.spi.UnauthorizedException;
import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.common.util.Time;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientInitialAccessModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.ForbiddenException;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:wildfly-10.1.0.Final/modules/system/add-ons/keycloak/org/keycloak/keycloak-services/main/keycloak-services-2.1.0.Final.jar:org/keycloak/services/clientregistration/ClientRegistrationAuth.class */
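public class ClientRegistrationAuth {

    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String BEARER_SCHEME = "bearer";
    private static final String RESOURCE_ACCESS_CLAIM = "resource_access";
    private static final String ROLES_KEY = "roles";

    private final KeycloakSession session;
    private final EventBuilder event;

    // All three are (re)populated by init() at the start of every require*() call.
    private RealmModel realm;
    // Token parsed from the Authorization header, or null when the request carried no bearer token.
    private JsonWebToken jwt;
    // Resolved only when jwt is an initial access token; otherwise null.
    private ClientInitialAccessModel initialAccessModel;

    /**
     * Creates an authorization helper bound to the current request's session and event builder.
     *
     * @param keycloakSession the session whose context supplies realm, URI and request headers
     * @param eventBuilder    receives an {@code Errors.NOT_ALLOWED} error for every rejected request
     */
    public ClientRegistrationAuth(KeycloakSession keycloakSession, EventBuilder eventBuilder) {
        this.session = keycloakSession;
        this.event = eventBuilder;
    }

    /**
     * Reads the realm and the {@code Authorization} header of the current request and, when the
     * header carries a bearer token, verifies it and resolves the initial-access model it refers to.
     *
     * @throws Failure (401) when the bearer scheme is present without a token, the token does not
     *                 verify, or an initial access token refers to no known initial-access model
     */
    private void init() {
        this.realm = this.session.getContext().getRealm();
        // Start from a clean slate so a leftover token from a previous call is never reused
        // when this call's header turns out to be absent or non-bearer.
        this.jwt = null;
        this.initialAccessModel = null;

        UriInfo uri = this.session.getContext().getUri();
        String authorization = this.session.getContext().getRequestHeaders().getRequestHeaders()
                .getFirst(AUTHORIZATION_HEADER);
        if (authorization == null) {
            return;
        }

        String[] parts = authorization.split(" ");
        if (!BEARER_SCHEME.equalsIgnoreCase(parts[0])) {
            // Not a bearer token. Client credentials, if any, are checked later by authenticateClient().
            return;
        }
        if (parts.length < 2) {
            // "Bearer" with nothing after it: reject instead of letting parts[1] throw out of bounds.
            throw unauthorized();
        }

        // What verifyToken checks (signature, issuer, expiry) is defined outside this file; a null
        // result is treated as "not acceptable" here.
        this.jwt = ClientRegistrationTokenUtils.verifyToken(this.realm, uri, parts[1]);
        if (this.jwt == null) {
            throw unauthorized();
        }
        if (isInitialAccessToken()) {
            this.initialAccessModel = this.session.sessions()
                    .getClientInitialAccessModel(this.realm, this.jwt.getId());
            if (this.initialAccessModel == null) {
                throw unauthorized();
            }
        }
    }

    /** True when a token was parsed and its {@code typ} equals {@code type}. */
    private boolean hasTokenType(String type) {
        return this.jwt != null && type.equals(this.jwt.getType());
    }

    /** True when the request carried a regular bearer (admin user) token. */
    private boolean isBearerToken() {
        return hasTokenType(TokenUtil.TOKEN_TYPE_BEARER);
    }

    /**
     * Returns whether the request carried an initial access token.
     *
     * @return {@code true} only after {@code init()} has parsed such a token
     */
    public boolean isInitialAccessToken() {
        return hasTokenType(ClientRegistrationTokenUtils.TYPE_INITIAL_ACCESS_TOKEN);
    }

    /**
     * Returns whether the request carried a registration access token.
     *
     * @return {@code true} only after {@code init()} has parsed such a token
     */
    public boolean isRegistrationAccessToken() {
        return hasTokenType(ClientRegistrationTokenUtils.TYPE_REGISTRATION_ACCESS_TOKEN);
    }

    /**
     * Authorizes creation of a new client.
     *
     * <p>A bearer token needs the {@code manage-clients} or {@code create-client} admin role;
     * otherwise an initial access token with remaining uses that has not expired is required.
     *
     * @throws Failure 403 for a bearer token without the required role, 401 for anything else
     *                 that is not a usable initial access token
     */
    public void requireCreate() {
        init();
        if (isBearerToken()) {
            if (!hasRole(AdminRoles.MANAGE_CLIENTS, AdminRoles.CREATE_CLIENT)) {
                throw forbidden();
            }
            return;
        }
        // init() guarantees initialAccessModel is non-null whenever isInitialAccessToken() holds.
        if (!isInitialAccessToken() || !isInitialAccessUsable()) {
            throw unauthorized();
        }
    }

    /**
     * True if the resolved initial access model still has uses left and has not expired.
     * An expiration of 0 means the token never expires.
     */
    private boolean isInitialAccessUsable() {
        if (this.initialAccessModel.getRemainingCount() <= 0) {
            return false;
        }
        return this.initialAccessModel.getExpiration() == 0
                || this.initialAccessModel.getTimestamp() + this.initialAccessModel.getExpiration() > Time.currentTime();
    }

    /**
     * Authorizes reading {@code clientModel}.
     *
     * <p>Accepted in order: a bearer token with {@code manage-clients} or {@code view-clients}
     * (then a missing client is a 404); a registration access token matching the client's stored
     * registration token; or, with no token at all, client credentials that authenticate as this
     * very client (public clients need none). An initial access token is never accepted here.
     *
     * @param clientModel the client to read, possibly null
     * @throws Failure 403 for a bearer token lacking the role, 404 for a bearer token and an
     *                 unknown client, 401 otherwise — a missing client is reported as 401 on the
     *                 non-admin paths so that existence is not disclosed
     */
    public void requireView(ClientModel clientModel) {
        init();
        if (isBearerToken()) {
            if (!hasRole(AdminRoles.MANAGE_CLIENTS, AdminRoles.VIEW_CLIENTS)) {
                throw forbidden();
            }
            if (clientModel == null) {
                throw notFound();
            }
            return;
        }
        if (isRegistrationAccessToken()) {
            if (!matchesRegistrationToken(clientModel)) {
                throw unauthorized();
            }
            return;
        }
        if (isInitialAccessToken()) {
            throw unauthorized();
        }
        // No token: fall back to client authentication. Check for null before dereferencing.
        if (clientModel == null || !authenticateClient(clientModel)) {
            throw unauthorized();
        }
    }

    /**
     * Authorizes updating (or deleting) {@code clientModel}.
     *
     * <p>A bearer token needs the {@code manage-clients} role (then a missing client is a 404);
     * otherwise a registration access token matching the client's stored registration token is
     * required.
     *
     * @param clientModel the client to update, possibly null
     * @throws Failure 403 for a bearer token lacking the role, 404 for a bearer token and an
     *                 unknown client, 401 otherwise
     */
    public void requireUpdate(ClientModel clientModel) {
        init();
        if (isBearerToken()) {
            if (!hasRole(AdminRoles.MANAGE_CLIENTS)) {
                throw forbidden();
            }
            if (clientModel == null) {
                throw notFound();
            }
            return;
        }
        if (!isRegistrationAccessToken() || !matchesRegistrationToken(clientModel)) {
            throw unauthorized();
        }
    }

    /**
     * True if {@code clientModel} exists, has a stored registration token, and that token equals
     * the id of the presented registration access token.
     *
     * <p>Null-safe: the client is checked before it is dereferenced (the original compared the
     * token first). The comparison is between token ids of a token that init() already accepted,
     * not between raw secrets.
     */
    private boolean matchesRegistrationToken(ClientModel clientModel) {
        if (clientModel == null) {
            return false;
        }
        String registrationToken = clientModel.getRegistrationToken();
        return registrationToken != null && registrationToken.equals(this.jwt.getId());
    }

    /**
     * Returns the initial-access model resolved by the last {@code require*()} call.
     *
     * @return the model, or null when the request did not carry an initial access token
     */
    public ClientInitialAccessModel getInitialAccessModel() {
        return this.initialAccessModel;
    }

    /**
     * Checks whether the bearer token grants at least one of {@code roles} in the
     * {@code resource_access} claim.
     *
     * <p>Roles are looked up under the master-admin client when the current realm is the admin
     * realm, otherwise under the realm-management client. Every step of the claim walk is
     * type-checked explicitly, so a malformed claim yields {@code false} (fail closed) without the
     * blanket {@code catch (Throwable)} the original used; an unexpected runtime error now
     * propagates instead of silently reading as "no role".
     *
     * <p>Only called when {@link #isBearerToken()} holds, so {@code jwt} is non-null.
     *
     * @param roles admin role names, any one of which suffices
     * @return {@code true} if the claim lists at least one of {@code roles}
     */
    private boolean hasRole(String... roles) {
        Map<String, Object> otherClaims = this.jwt.getOtherClaims();
        if (otherClaims == null) {
            return false;
        }
        Object resourceAccess = otherClaims.get(RESOURCE_ACCESS_CLAIM);
        if (!(resourceAccess instanceof Map)) {
            return false;
        }

        String clientKey;
        if (this.realm.getName().equals(Config.getAdminRealm())) {
            ClientModel masterAdminClient = this.realm.getMasterAdminClient();
            if (masterAdminClient == null) {
                return false;
            }
            clientKey = masterAdminClient.getClientId();
        } else {
            clientKey = Constants.REALM_MANAGEMENT_CLIENT_ID;
        }

        Object clientAccess = ((Map<?, ?>) resourceAccess).get(clientKey);
        if (!(clientAccess instanceof Map)) {
            return false;
        }
        Object roleList = ((Map<?, ?>) clientAccess).get(ROLES_KEY);
        if (!(roleList instanceof List)) {
            return false;
        }
        List<?> granted = (List<?>) roleList;
        for (String role : roles) {
            if (granted.contains(role)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Authenticates the calling client with its credentials and requires it to be
     * {@code clientModel} itself.
     *
     * @param clientModel the non-null client the caller wants to act on
     * @return {@code true} when the client is public or the credentials belong to it
     * @throws Failure 401 when authentication fails or authenticates a different client
     */
    private boolean authenticateClient(ClientModel clientModel) {
        if (clientModel.isPublicClient()) {
            return true;
        }
        AuthenticationProcessor processor = AuthorizeClientUtil.getAuthenticationProcessor(this.session, this.event);
        // As in the original, a non-null result from authenticateClient() is treated as a failure.
        if (processor.authenticateClient() != null) {
            throw clientNotAllowed(clientModel);
        }
        ClientModel authenticated = processor.getClient();
        // Bug fix: the original tested clientModel (already dereferenced above) instead of the
        // client the processor actually authenticated, which could be null.
        if (authenticated == null) {
            throw clientNotAllowed(clientModel);
        }
        if (authenticated.getClientId().equals(clientModel.getClientId())) {
            return true;
        }
        throw clientNotAllowed(clientModel);
    }

    /** Records a NOT_ALLOWED error attributed to {@code clientModel} and builds the 401 failure. */
    private Failure clientNotAllowed(ClientModel clientModel) {
        this.event.client(clientModel.getClientId()).error(Errors.NOT_ALLOWED);
        return unauthorized();
    }

    /** Records a NOT_ALLOWED error and returns a 401 to be thrown by the caller. */
    private Failure unauthorized() {
        this.event.error(Errors.NOT_ALLOWED);
        return new UnauthorizedException();
    }

    /** Records a NOT_ALLOWED error and returns a 403 to be thrown by the caller. */
    private Failure forbidden() {
        this.event.error(Errors.NOT_ALLOWED);
        return new ForbiddenException();
    }

    /** Records a NOT_ALLOWED error and returns a 404 to be thrown by the caller. */
    private Failure notFound() {
        this.event.error(Errors.NOT_ALLOWED);
        return new NotFoundException("Client not found");
    }
}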
