package org.keycloak.adapters.authorization;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.AuthorizationContext;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.OIDCHttpFacade;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.Configuration;
import org.keycloak.authorization.client.representation.ResourceRepresentation;
import org.keycloak.authorization.client.representation.ScopeRepresentation;
import org.keycloak.authorization.client.resource.ProtectedResource;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
import org.keycloak.representations.idm.authorization.Permission;

/* loaded from: input_file:org/keycloak/adapters/authorization/PolicyEnforcer.class */
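/**
 * Adapter-side policy enforcer. At construction time it resolves the list of protected path
 * configurations (from the adapter configuration or, when none are configured, from the
 * authorization server); per request it delegates to a bearer-only or a regular enforcer.
 *
 * <p>Security-relevant points for maintainers:
 * <ul>
 *   <li>The {@link AuthzClient} is created from the adapter's configured credentials, so any code
 *       that can reach {@link #getClient()} can act on the protection API as this client.</li>
 *   <li>At debug level the resolved path configurations and the granted permissions of each
 *       request are written to the log; treat debug logs of this class as authorization data.</li>
 *   <li>When resource creation is enabled in the configuration, paths that have no matching
 *       resource are created on the server from local configuration values.</li>
 * </ul>
 */
public class PolicyEnforcer {
    private static final Logger LOGGER = Logger.getLogger(PolicyEnforcer.class);
    private final KeycloakDeployment deployment;
    private final AuthzClient authzClient;
    private final PolicyEnforcerConfig enforcerConfig;
    private final List<PolicyEnforcerConfig.PathConfig> paths;

    /**
     * Builds the authorization client from the adapter configuration and resolves the protected
     * paths. Resolution talks to the server through the protection API, so construction fails
     * with a runtime exception when a configured path cannot be matched or created.
     *
     * @param keycloakDeployment deployment this enforcer belongs to; also supplies the HTTP client
     * @param adapterConfig adapter configuration holding server URL, realm, client id, credentials
     *     and the policy-enforcer section
     */
    public PolicyEnforcer(KeycloakDeployment keycloakDeployment, AdapterConfig adapterConfig) {
        this.deployment = keycloakDeployment;
        this.enforcerConfig = adapterConfig.getPolicyEnforcerConfig();
        this.authzClient = AuthzClient.create(new Configuration(adapterConfig.getAuthServerUrl(), adapterConfig.getRealm(), adapterConfig.getResource(), adapterConfig.getCredentials(), keycloakDeployment.getClient()));
        this.paths = configurePaths(this.authzClient.protection().resource(), this.enforcerConfig);
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Initialization complete. Path configurations:");
            for (PolicyEnforcerConfig.PathConfig pathConfig : this.paths) {
                LOGGER.debug(pathConfig);
            }
        }
    }

    /**
     * Evaluates the request against the configured policies and returns the resulting context.
     *
     * <p>This method only returns the decision; nothing visible here rejects the request, so the
     * caller has to honour {@link AuthorizationContext#isGranted()} (unless the delegated
     * enforcers already respond on denial, which is not visible in this class).
     *
     * @param oIDCHttpFacade facade of the current request
     * @return the authorization context produced by the selected enforcer
     */
    public AuthorizationContext enforce(OIDCHttpFacade oIDCHttpFacade) {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debugv("Policy enforcement is enable. Enforcing policy decisions for path [{0}].", oIDCHttpFacade.getRequest().getURI());
        }
        AuthorizationContext authorize = this.deployment.isBearerOnly() ? new BearerTokenPolicyEnforcer(this).authorize(oIDCHttpFacade) : new KeycloakAdapterPolicyEnforcer(this).authorize(oIDCHttpFacade);
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debugv("Policy enforcement result for path [{0}] is : {1}", oIDCHttpFacade.getRequest().getURI(), authorize.isGranted() ? "GRANTED" : "DENIED");
            LOGGER.debugv("Returning authorization context with permissions:", new Object[0]);
            // Logged as Object: the element type is not needed for logging.
            for (Object permission : authorize.getPermissions()) {
                LOGGER.debug(permission);
            }
        }
        return authorize;
    }

    /**
     * Returns the policy-enforcer section of the adapter configuration.
     *
     * <p>The decompiler reports this accessor as package-private in the compiled class; it is
     * public only in this listing.
     */
    public PolicyEnforcerConfig getEnforcerConfig() {
        return this.enforcerConfig;
    }

    /**
     * Returns the authorization client, which was created with the adapter's credentials.
     *
     * <p>The decompiler reports this accessor as package-private in the compiled class; it is
     * public only in this listing. Do not hand the returned client to untrusted code.
     */
    public AuthzClient getClient() {
        return this.authzClient;
    }

    /**
     * Returns a read-only view of the resolved path configurations. The view prevents adding or
     * removing entries; the {@code PathConfig} elements themselves are the live instances.
     */
    public List<PolicyEnforcerConfig.PathConfig> getPaths() {
        return Collections.unmodifiableList(this.paths);
    }

    /**
     * Returns the deployment this enforcer was created for.
     *
     * <p>The decompiler reports this accessor as package-private in the compiled class; it is
     * public only in this listing.
     */
    public KeycloakDeployment getDeployment() {
        return this.deployment;
    }

    /**
     * Chooses the path source: the configured paths when there are any, otherwise every resource
     * the server holds for this application.
     */
    private List<PolicyEnforcerConfig.PathConfig> configurePaths(ProtectedResource protectedResource, PolicyEnforcerConfig policyEnforcerConfig) {
        if (policyEnforcerConfig.getPaths().isEmpty()) {
            LOGGER.info("No path provided in configuration.");
            return configureAllPathsForResourceServer(protectedResource);
        }
        LOGGER.info("Paths provided in configuration.");
        return configureDefinedPaths(protectedResource, policyEnforcerConfig);
    }

    /**
     * Binds every configured path to a server-side resource id, looking the resource up by name
     * (preferred) or by URI, and creating it when the configuration allows that. Entries that
     * resolve to the same id and path are merged into one entry.
     *
     * @throws RuntimeException when no resource matches and resource creation is not enabled
     */
    private List<PolicyEnforcerConfig.PathConfig> configureDefinedPaths(ProtectedResource protectedResource, PolicyEnforcerConfig policyEnforcerConfig) {
        List<PolicyEnforcerConfig.PathConfig> resolved = new ArrayList<>();
        for (PolicyEnforcerConfig.PathConfig pathConfig : policyEnforcerConfig.getPaths()) {
            String name = pathConfig.getName();
            String path = pathConfig.getPath();
            String filter;
            if (name != null) {
                LOGGER.debugf("Trying to find resource with name [%s] for path [%s].", name, path);
                filter = "name=" + name;
            } else {
                LOGGER.debugf("Trying to find resource with uri [%s] for path [%s].", path, path);
                filter = "uri=" + path;
            }
            Set<?> matches = protectedResource.findByFilter(filter);
            if (!matches.isEmpty()) {
                if (matches.size() > 1) {
                    // The path is bound to whichever id the set yields first, so an ambiguous
                    // filter can attach this path to a resource the operator did not intend.
                    LOGGER.warnf("Filter [%s] matched %d resources; using the first one returned.", filter, matches.size());
                }
                pathConfig.setId((String) matches.iterator().next());
            } else {
                // A missing (null) flag is treated as "do not create" instead of failing with a
                // NullPointerException on unboxing; the enforcer then reports the missing resource.
                if (!Boolean.TRUE.equals(policyEnforcerConfig.isCreateResources())) {
                    throw new RuntimeException("Could not find matching resource on server with uri [" + path + "] or name [" + name + "]. Make sure you have created a resource on the server that matches with the path configuration.");
                }
                LOGGER.debugf("Creating resource on server for path [%s].", pathConfig);
                ResourceRepresentation resourceRepresentation = new ResourceRepresentation();
                resourceRepresentation.setName(name);
                resourceRepresentation.setType(pathConfig.getType());
                resourceRepresentation.setUri(path);
                Set<ScopeRepresentation> scopes = new HashSet<>();
                for (String scopeName : pathConfig.getScopes()) {
                    ScopeRepresentation scopeRepresentation = new ScopeRepresentation();
                    scopeRepresentation.setName(scopeName);
                    scopes.add(scopeRepresentation);
                }
                resourceRepresentation.setScopes(scopes);
                pathConfig.setId(protectedResource.create(resourceRepresentation).getId());
            }
            PolicyEnforcerConfig.PathConfig existing = null;
            for (PolicyEnforcerConfig.PathConfig candidate : resolved) {
                // Null-safe comparison: an entry configured by name only has no path, and two
                // such entries for the same resource must merge rather than throw.
                if (Objects.equals(candidate.getId(), pathConfig.getId()) && Objects.equals(candidate.getPath(), pathConfig.getPath())) {
                    existing = candidate;
                    break;
                }
            }
            if (existing == null) {
                resolved.add(pathConfig);
            } else {
                // Merging widens the first entry: it now covers the methods and scopes of both.
                existing.getMethods().addAll(pathConfig.getMethods());
                existing.getScopes().addAll(pathConfig.getScopes());
            }
        }
        return resolved;
    }

    /**
     * Builds path configurations from every resource the server returns for this application.
     * Resources without a URI are skipped, so they are not represented in the enforcer's paths.
     */
    private List<PolicyEnforcerConfig.PathConfig> configureAllPathsForResourceServer(ProtectedResource protectedResource) {
        LOGGER.info("Querying the server for all resources associated with this application.");
        List<PolicyEnforcerConfig.PathConfig> resolved = new ArrayList<>();
        for (Object resourceId : protectedResource.findAll()) {
            ResourceRepresentation resourceDescription = protectedResource.findById((String) resourceId).getResourceDescription();
            if (resourceDescription.getUri() != null) {
                resolved.add(createPathConfig(resourceDescription));
            }
        }
        return resolved;
    }

    /**
     * Copies id, name, URI, type and scope names of a server-side resource into a new path
     * configuration.
     */
    private PolicyEnforcerConfig.PathConfig createPathConfig(ResourceRepresentation resourceRepresentation) {
        PolicyEnforcerConfig.PathConfig pathConfig = new PolicyEnforcerConfig.PathConfig();
        pathConfig.setId(resourceRepresentation.getId());
        pathConfig.setName(resourceRepresentation.getName());
        pathConfig.setPath(resourceRepresentation.getUri());
        List<String> scopeNames = new ArrayList<>();
        for (Object scope : resourceRepresentation.getScopes()) {
            scopeNames.add(((ScopeRepresentation) scope).getName());
        }
        pathConfig.setScopes(scopeNames);
        pathConfig.setType(resourceRepresentation.getType());
        return pathConfig;
    }
}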
