package org.keycloak.authorization.authorization;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.ws.rs.Consumes;
import javax.ws.rs.OPTIONS;
import javax.ws.rs.POST;
import javax.ws.rs.Produces;
import javax.ws.rs.container.AsyncResponse;
import javax.ws.rs.container.Suspended;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.OAuthErrorException;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.authorization.representation.AuthorizationRequest;
import org.keycloak.authorization.authorization.representation.AuthorizationResponse;
import org.keycloak.authorization.common.KeycloakEvaluationContext;
import org.keycloak.authorization.common.KeycloakIdentity;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.DecisionResultCollector;
import org.keycloak.authorization.policy.evaluation.Result;
import org.keycloak.authorization.protection.permission.PermissionTicket;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.authorization.util.Permissions;
import org.keycloak.authorization.util.Tokens;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.resources.Cors;

/* loaded from: input_file:wildfly-10.1.0.Final/modules/system/add-ons/keycloak/org/keycloak/keycloak-services/main/keycloak-services-2.5.5.Final.jar:org/keycloak/authorization/authorization/AuthorizationTokenService.class */
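/**
 * UMA authorization endpoint: exchanges a permission ticket (plus, optionally, a previously issued
 * RPT) for a new Requesting Party Token.
 * <p>
 * Flow: the caller's own access token (taken from the session context) must carry the
 * {@code uma_authorization} role; the ticket's signature and validity are verified; the permissions
 * it names are resolved against the stores, merged with those of the presented RPT, and ALL of them
 * are submitted to the policy evaluators. Only what the evaluators permit ends up in the new RPT, so
 * grants carried by an old RPT are re-checked rather than trusted.
 * <p>
 * Not thread-safe by design: a JAX-RS resource instance with injected request-scoped fields.
 */
public class AuthorizationTokenService {

    /** Map key under which a scope-only request (one naming no existing resource) is accumulated. */
    private static final String SCOPE_PERMISSION_KEY = "$KC_SCOPE_PERMISSION";

    private final AuthorizationProvider authorization;

    @Context
    private HttpRequest httpRequest;

    @Context
    private KeycloakSession session;

    /**
     * @param authorizationProvider gives access to the stores and the policy evaluators
     */
    public AuthorizationTokenService(AuthorizationProvider authorizationProvider) {
        this.authorization = authorizationProvider;
    }

    /**
     * Answers CORS preflight requests for the authorization endpoint.
     * (The method name's spelling is kept as found in the compiled class.)
     */
    @OPTIONS
    public Response authorizepPreFlight() {
        return Cors.add(this.httpRequest, Response.ok()).auth().preflight().build();
    }

    /**
     * Handles an authorization request asynchronously.
     * <p>
     * Responds 201 with an {@link AuthorizationResponse} holding the new RPT when at least one
     * permission is granted, 403 with {@code {"error": "not_authorized"}} when none is, and resumes
     * the response with the failure when policy evaluation errors out.
     *
     * @param authorizationRequest body of the request: permission ticket and optional previous RPT
     * @param asyncResponse        the suspended JAX-RS response to resume once evaluation completes
     * @throws ErrorResponseException 403 when the caller lacks the {@code uma_authorization} role or the
     *                                ticket/RPT is invalid; 400 when the body is missing
     */
    @POST
    @Produces({"application/json"})
    @Consumes({"application/json"})
    public void authorize(AuthorizationRequest authorizationRequest, @Suspended final AsyncResponse asyncResponse) {
        KeycloakEvaluationContext evaluationContext = new KeycloakEvaluationContext(this.authorization.getKeycloakSession());
        final KeycloakIdentity identity = (KeycloakIdentity) evaluationContext.getIdentity();
        // The caller is authorized by role before the request body is even looked at.
        if (!identity.hasRole(Constants.AUTHZ_UMA_AUTHORIZATION)) {
            throw new ErrorResponseException(OAuthErrorException.INVALID_SCOPE, "Requires uma_authorization scope.", Response.Status.FORBIDDEN);
        }
        if (authorizationRequest == null) {
            throw new ErrorResponseException("invalid_request", "Invalid authorization request.", Response.Status.BAD_REQUEST);
        }
        final PermissionTicket ticket = verifyPermissionTicket(authorizationRequest);
        List<ResourcePermission> requested = createPermissions(ticket, authorizationRequest, this.authorization);
        this.authorization.evaluators().from(requested, evaluationContext).evaluate(new DecisionResultCollector() {
            @Override
            public void onComplete(List<Result> results) {
                List<Permission> permits = Permissions.permits(results, AuthorizationTokenService.this.authorization, ticket.getResourceServerId());
                if (permits.isEmpty()) {
                    asyncResponse.resume(AuthorizationTokenService.this.deniedResponse(identity.getAccessToken()));
                } else {
                    asyncResponse.resume(AuthorizationTokenService.this.grantedResponse(permits, identity.getAccessToken()));
                }
            }

            @Override
            public void onError(Throwable cause) {
                asyncResponse.resume(cause);
            }
        });
    }

    /**
     * Builds the 201 response carrying a freshly encoded RPT for {@code permits}; CORS headers are derived
     * from the caller's access token.
     */
    private Response grantedResponse(List<Permission> permits, AccessToken accessToken) {
        String rpt = createRequestingPartyToken(permits, accessToken);
        return Cors.add(this.httpRequest, Response.status(Response.Status.CREATED).entity(new AuthorizationResponse(rpt)))
                .allowedOrigins(accessToken)
                .allowedMethods("POST")
                .exposedHeaders("Access-Control-Allow-Methods")
                .build();
    }

    /** Builds the 403 response returned when no requested permission was granted. */
    private Response deniedResponse(AccessToken accessToken) {
        Map<String, String> body = new HashMap<>();
        body.put("error", "not_authorized");
        // NOTE(review): unlike the granted response, no allowedMethods("POST") is set here — confirm intended.
        return Cors.add(this.httpRequest, Response.status(Response.Status.FORBIDDEN).entity(body))
                .allowedOrigins(accessToken)
                .exposedHeaders("Access-Control-Allow-Methods")
                .build();
    }

    /**
     * Builds the set of permissions the policy engine must evaluate for one authorization request.
     * <p>
     * The resources and scopes named in the (already verified) ticket are resolved against the stores;
     * if the request also carries a previously issued RPT, the permissions granted in it are added so
     * the new RPT can be a superset of the old one. Nothing is trusted as-is: every entry returned here
     * still goes through the evaluators in {@link #authorize}.
     *
     * @param permissionTicket      verified ticket naming the requested resources and scopes
     * @param authorizationRequest  the incoming request; only its RPT is read here
     * @param authorizationProvider provider giving access to the stores
     * @return one {@link ResourcePermission} per requested resource, plus one resource-less permission
     *         when the ticket contained a scope-only request
     * @throws ErrorResponseException 403 when a ticket resource does not exist or the RPT is invalid
     */
    private List<ResourcePermission> createPermissions(PermissionTicket permissionTicket, AuthorizationRequest authorizationRequest, AuthorizationProvider authorizationProvider) {
        StoreFactory storeFactory = authorizationProvider.getStoreFactory();
        String resourceServerId = permissionTicket.getResourceServerId();
        // resource id (or SCOPE_PERMISSION_KEY) -> requested scope names
        Map<String, Set<String>> requestedScopes = new HashMap<>();
        collectTicketPermissions(permissionTicket, storeFactory, requestedScopes);
        mergeRptPermissions(authorizationRequest.getRpt(), resourceServerId, storeFactory, requestedScopes);
        ResourceServer resourceServer = storeFactory.getResourceServerStore().findById(resourceServerId);
        // NOTE(review): resourceServer is not null-checked; a ticket for a since-deleted resource server
        // would fail with an NPE further down rather than a 4xx — confirm whether that can happen.
        return toResourcePermissions(requestedScopes, resourceServer, storeFactory, authorizationProvider);
    }

    /**
     * Resolves every resource named in the ticket and records the scope names requested for it in
     * {@code target}.
     * <p>
     * A resource may be identified by id or by name. A request naming a resource that does not exist is
     * treated as a scope-only request when it carries scopes (every resource exposing one of those scopes
     * is added, plus an entry under {@link #SCOPE_PERMISSION_KEY}); with no scopes either, it is rejected.
     * <p>
     * NOTE(review): the same mutable scope set instance is shared by all keys written for one scope-only
     * request, and the RPT merge step appends to these sets in place — confirm that this sharing is intended.
     *
     * @throws ErrorResponseException 403 ({@code invalid_resource}) for an unknown resource with no scopes
     */
    private void collectTicketPermissions(PermissionTicket permissionTicket, StoreFactory storeFactory, Map<String, Set<String>> target) {
        String resourceServerId = permissionTicket.getResourceServerId();
        ResourceStore resourceStore = storeFactory.getResourceStore();
        ScopeStore scopeStore = storeFactory.getScopeStore();
        permissionTicket.getResources().forEach(resourceRepresentation -> {
            Resource resource = resourceRepresentation.getId() != null
                    ? resourceStore.findById(resourceRepresentation.getId(), resourceServerId)
                    : resourceStore.findByName(resourceRepresentation.getName(), resourceServerId);
            Set<ScopeRepresentation> scopes = resourceRepresentation.getScopes();
            boolean noScopes = scopes == null || scopes.isEmpty();
            if (resource == null && noScopes) {
                throw new ErrorResponseException("invalid_resource", "Resource with id [" + resourceRepresentation.getId() + "] or name [" + resourceRepresentation.getName() + "] does not exist.", Response.Status.FORBIDDEN);
            }
            // A known resource with no scopes is an empty (not null) request; the set is mutable on
            // purpose because RPT scopes may be merged into it later.
            Set<String> scopeNames = noScopes
                    ? new HashSet<>()
                    : scopes.stream().map(ScopeRepresentation::getName).collect(Collectors.toCollection(HashSet::new));
            if (resource != null) {
                target.put(resource.getId(), scopeNames);
                return;
            }
            // Scope-only request: unknown scope names are skipped, the rest select resources by scope.
            List<String> scopeIds = scopeNames.stream()
                    .map(name -> scopeStore.findByName(name, resourceServerId))
                    .filter(scope -> scope != null)
                    .map(Scope::getId)
                    .collect(Collectors.toList());
            for (Resource byScope : resourceStore.findByScope(scopeIds, resourceServerId)) {
                target.put(byScope.getId(), scopeNames);
            }
            target.put(SCOPE_PERMISSION_KEY, scopeNames);
        });
    }

    /**
     * Adds the permissions granted by a previously issued RPT to {@code target} so the new token can
     * extend it. Scopes for a resource already present are appended to its existing set.
     * <p>
     * The RPT is verified by signature against the current realm and must still be active; an expired
     * RPT contributes nothing but is not an error. Permissions for resources that no longer exist are
     * dropped silently.
     *
     * @param rpt raw RPT from the request; {@code null} or empty means none was presented
     * @throws ErrorResponseException 403 ({@code invalid_rpt}) on a bad signature or unparsable token
     */
    private void mergeRptPermissions(String rpt, String resourceServerId, StoreFactory storeFactory, Map<String, Set<String>> target) {
        if (rpt == null || "".equals(rpt)) {
            return;
        }
        if (!Tokens.verifySignature(this.session, getRealm(), rpt)) {
            throw new ErrorResponseException("invalid_rpt", "RPT signature is invalid", Response.Status.FORBIDDEN);
        }
        AccessToken previousRpt;
        try {
            previousRpt = (AccessToken) new JWSInput(rpt).readJsonContent(AccessToken.class);
        } catch (JWSInputException e) {
            // Cause is not chained: no cause-taking ErrorResponseException constructor is visible here — TODO confirm.
            throw new ErrorResponseException("invalid_rpt", "Invalid RPT", Response.Status.FORBIDDEN);
        }
        if (!previousRpt.isActive()) {
            return;
        }
        AccessToken.Authorization previousGrants = previousRpt.getAuthorization();
        if (previousGrants == null || previousGrants.getPermissions() == null) {
            return;
        }
        ResourceStore resourceStore = storeFactory.getResourceStore();
        for (Permission permission : previousGrants.getPermissions()) {
            Resource resource = resourceStore.findById(permission.getResourceSetId(), resourceServerId);
            if (resource == null) {
                continue;
            }
            Set<String> granted = target.computeIfAbsent(resource.getId(), id -> new HashSet<>());
            Set<String> scopes = permission.getScopes();
            if (scopes != null) {
                granted.addAll(scopes);
            }
        }
    }

    /**
     * Turns the accumulated resource-id → scope-names map into {@link ResourcePermission}s.
     * The {@link #SCOPE_PERMISSION_KEY} entry becomes a single permission with no resource whose scope
     * list is resolved by name (unknown names yield {@code null} entries, as the store returns them).
     */
    private List<ResourcePermission> toResourcePermissions(Map<String, Set<String>> requestedScopes, ResourceServer resourceServer, StoreFactory storeFactory, AuthorizationProvider authorizationProvider) {
        ResourceStore resourceStore = storeFactory.getResourceStore();
        ScopeStore scopeStore = storeFactory.getScopeStore();
        return requestedScopes.entrySet().stream().flatMap(entry -> {
            if (!SCOPE_PERMISSION_KEY.equals(entry.getKey())) {
                Resource resource = resourceStore.findById(entry.getKey(), resourceServer.getId());
                return Permissions.createResourcePermissions(resource, entry.getValue(), authorizationProvider).stream();
            }
            List<Scope> scopesByName = entry.getValue().stream()
                    .map(name -> scopeStore.findByName(name, resourceServer.getId()))
                    .collect(Collectors.toList());
            return Arrays.asList(new ResourcePermission(null, scopesByName, resourceServer)).stream();
        }).collect(Collectors.toList());
    }

    /** The realm of the current session context; used for signature checks and token encoding. */
    private RealmModel getRealm() {
        return this.authorization.getKeycloakSession().getContext().getRealm();
    }

    /**
     * Encodes a new RPT: the caller's access token with its authorization claim replaced by {@code list}.
     * <p>
     * Mutates {@code accessToken} in place (its authorization is overwritten) before encoding it with the
     * realm's keys. Reported by the decompiler as private in the compiled class; kept public as found.
     *
     * @param list        permissions granted by the evaluators
     * @param accessToken the caller's access token, used as the base of the RPT
     * @return the signed, encoded RPT
     */
    public String createRequestingPartyToken(List<Permission> list, AccessToken accessToken) {
        AccessToken.Authorization grants = new AccessToken.Authorization();
        grants.setPermissions(list);
        accessToken.setAuthorization(grants);
        return new TokenManager().encodeToken(this.session, getRealm(), accessToken);
    }

    /**
     * Verifies the permission ticket carried by the request: it must be present, its signature must
     * verify against the current realm, it must parse, and it must still be active.
     *
     * @return the decoded ticket
     * @throws ErrorResponseException 403 ({@code invalid_ticket}) when any of those checks fails
     */
    private PermissionTicket verifyPermissionTicket(AuthorizationRequest authorizationRequest) {
        String ticket = authorizationRequest.getTicket();
        if (ticket == null || !Tokens.verifySignature(this.session, getRealm(), ticket)) {
            throw new ErrorResponseException("invalid_ticket", "Ticket verification failed", Response.Status.FORBIDDEN);
        }
        PermissionTicket permissionTicket;
        try {
            permissionTicket = (PermissionTicket) new JWSInput(ticket).readJsonContent(PermissionTicket.class);
        } catch (JWSInputException e) {
            // Cause is not chained: no cause-taking ErrorResponseException constructor is visible here — TODO confirm.
            throw new ErrorResponseException("invalid_ticket", "Could not parse permission ticket.", Response.Status.FORBIDDEN);
        }
        // Expiry is enforced after the signature check so an attacker cannot probe ticket contents.
        if (!permissionTicket.isActive()) {
            throw new ErrorResponseException("invalid_ticket", "Invalid permission ticket.", Response.Status.FORBIDDEN);
        }
        return permissionTicket;
    }
}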
