package org.keycloak.services.util;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.common.Profile;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.RoleUtils;
import org.keycloak.protocol.ProtocolMapperUtils;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.rar.AuthorizationRequestContext;
import org.keycloak.rar.AuthorizationRequestSource;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/services/util/DefaultClientSessionContext.class */
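/**
 * {@link ClientSessionContext} implementation that resolves, for one authenticated client
 * session, the client scopes, roles and protocol mappers that apply to it.
 *
 * <p>The context is created from a set of client scope ids. The scope models, roles, protocol
 * mappers and user roles are resolved lazily on first access and then cached in the instance.
 * The lazy initialisation is not synchronized.
 *
 * <p>Security-relevant behaviour: a requested client scope is only kept when
 * {@link #isClientScopePermittedForUser(ClientScopeModel)} accepts it. Scope ids that cannot be
 * resolved are dropped silently. Everything derived from the scopes (roles, protocol mappers,
 * scope string) is therefore computed from the filtered set only.
 */
public class DefaultClientSessionContext implements ClientSessionContext {
    private static final Logger logger = Logger.getLogger(DefaultClientSessionContext.class);

    /** Client-session note that this class reads as the requested scope string. */
    private static final String SCOPE_NOTE = "scope";

    /** Protocol assumed when the client has none configured. */
    private static final String FALLBACK_PROTOCOL = "openid-connect";

    private final AuthenticatedClientSessionModel clientSession;
    private final Set<String> clientScopeIds;
    private final KeycloakSession session;

    // Lazily populated caches; null means "not loaded yet".
    private Set<ClientScopeModel> clientScopes;
    private Set<RoleModel> roles;
    private Set<ProtocolMapperModel> protocolMappers;
    private Set<RoleModel> userRoles;

    private final Map<String, Object> attributes = new HashMap<>();

    private DefaultClientSessionContext(AuthenticatedClientSessionModel clientSession, Set<String> clientScopeIds, KeycloakSession session) {
        this.clientScopeIds = clientScopeIds;
        this.clientSession = clientSession;
        this.session = session;
    }

    /**
     * Creates a context from the scope string stored in the client session's {@code "scope"} note.
     *
     * @param authenticatedClientSessionModel client session the context is bound to
     * @param keycloakSession current Keycloak session
     * @return a new context for the scopes named in the note
     */
    public static DefaultClientSessionContext fromClientSessionScopeParameter(AuthenticatedClientSessionModel authenticatedClientSessionModel, KeycloakSession keycloakSession) {
        return fromClientSessionAndScopeParameter(authenticatedClientSessionModel, authenticatedClientSessionModel.getNote(SCOPE_NOTE), keycloakSession);
    }

    /**
     * Creates a context from an explicit scope string.
     *
     * <p>When the {@code DYNAMIC_SCOPES} feature is enabled, this method also sets the client of
     * the given client session on {@code keycloakSession.getContext()} before resolving scopes,
     * which is a visible side effect for the rest of the request.
     *
     * @param authenticatedClientSessionModel client session the context is bound to
     * @param str scope string to resolve against the session's client
     * @param keycloakSession current Keycloak session
     * @return a new context holding the ids of the resolved client scopes
     */
    public static DefaultClientSessionContext fromClientSessionAndScopeParameter(AuthenticatedClientSessionModel authenticatedClientSessionModel, String str, KeycloakSession keycloakSession) {
        Stream<ClientScopeModel> requestedClientScopes;
        if (Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES)) {
            keycloakSession.getContext().setClient(authenticatedClientSessionModel.getClient());
            requestedClientScopes = AuthorizationContextUtil.getClientScopesStreamFromAuthorizationRequestContextWithClient(keycloakSession, str);
        } else {
            requestedClientScopes = TokenManager.getRequestedClientScopes(str, authenticatedClientSessionModel.getClient());
        }
        return fromClientSessionAndClientScopes(authenticatedClientSessionModel, requestedClientScopes, keycloakSession);
    }

    /**
     * Creates a context directly from client scope ids.
     *
     * <p>The ids are stored as given and are not validated here. They are resolved and checked
     * against the user's roles only when the scopes are first loaded.
     *
     * @param authenticatedClientSessionModel client session the context is bound to
     * @param set ids of the client scopes; the set is kept by reference, not copied
     * @param keycloakSession current Keycloak session
     * @return a new context for the given ids
     */
    public static DefaultClientSessionContext fromClientSessionAndClientScopeIds(AuthenticatedClientSessionModel authenticatedClientSessionModel, Set<String> set, KeycloakSession keycloakSession) {
        return new DefaultClientSessionContext(authenticatedClientSessionModel, set, keycloakSession);
    }

    /** Creates a context from already resolved scope models by collecting their ids. */
    private static DefaultClientSessionContext fromClientSessionAndClientScopes(AuthenticatedClientSessionModel clientSession, Stream<ClientScopeModel> clientScopes, KeycloakSession session) {
        Set<String> scopeIds = clientScopes.map(ClientScopeModel::getId).collect(Collectors.toSet());
        return new DefaultClientSessionContext(clientSession, scopeIds, session);
    }

    /** @return the client session this context was created for */
    public AuthenticatedClientSessionModel getClientSession() {
        return this.clientSession;
    }

    /**
     * @return the scope ids this context was created with. This is the internal set, not a copy,
     *     and it is unfiltered: it may contain ids that are later dropped as unknown or as not
     *     permitted for the user.
     */
    public Set<String> getClientScopeIds() {
        return this.clientScopeIds;
    }

    /** @return the resolved client scopes that are permitted for the user; loaded once, then cached */
    public Stream<ClientScopeModel> getClientScopesStream() {
        if (this.clientScopes == null) {
            this.clientScopes = loadClientScopes();
        }
        return this.clientScopes.stream();
    }

    /** @return the roles computed from the user, the client and the permitted client scopes; cached */
    public Stream<RoleModel> getRolesStream() {
        if (this.roles == null) {
            this.roles = loadRoles();
        }
        return this.roles.stream();
    }

    /** @return the enabled protocol mappers of the permitted scopes for the client's protocol; cached */
    public Stream<ProtocolMapperModel> getProtocolMappersStream() {
        if (this.protocolMappers == null) {
            this.protocolMappers = loadProtocolMappers();
        }
        return this.protocolMappers.stream();
    }

    /** Returns the user's deep role mappings, loading them on first use. */
    private Set<RoleModel> getUserRoles() {
        if (this.userRoles == null) {
            this.userRoles = loadUserRoles();
        }
        return this.userRoles;
    }

    /** @return the scope string, honouring each scope's "include in token scope" setting */
    public String getScopeString() {
        return getScopeString(false);
    }

    /**
     * Builds the space-separated scope string for this context.
     *
     * @param z when {@code true}, scopes are listed even if their
     *     {@code isIncludeInTokenScope()} flag is {@code false}
     * @return the scope names joined by a single space, passed through
     *     {@code TokenUtil.attachOIDCScope} when the session's {@code "scope"} note is an OIDC
     *     request
     */
    public String getScopeString(boolean z) {
        if (Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES)) {
            String dynamicScopes = buildScopesStringFromAuthorizationRequest(z);
            logger.tracef("Generated scope param with Dynamic Scopes enabled: %1s", dynamicScopes);
            return attachOidcScopeIfRequested(dynamicScopes);
        }
        // The original predicate referenced an unresolved variable (decompiler artifact); the
        // intent, matching isClientScopePermittedForUser, is to leave ClientModel instances out.
        Predicate<ClientScopeModel> isClientItself = ClientModel.class::isInstance;
        String staticScopes = getClientScopesStream()
                .filter(isClientItself.negate())
                .filter(clientScope -> clientScope.isIncludeInTokenScope() || z)
                .map(ClientScopeModel::getName)
                .collect(Collectors.joining(" "));
        return attachOidcScopeIfRequested(staticScopes);
    }

    /** Passes the scope string through {@code TokenUtil.attachOIDCScope} when the "scope" note is an OIDC request. */
    private String attachOidcScopeIfRequested(String scopeString) {
        if (TokenUtil.isOIDCRequest(this.clientSession.getNote(SCOPE_NOTE))) {
            return TokenUtil.attachOIDCScope(scopeString);
        }
        return scopeString;
    }

    /**
     * Builds the scope string from the authorization request context (dynamic scopes path).
     *
     * <p>This path does not go through {@link #getClientScopesStream()}, so the per-user
     * permission check is applied explicitly to every entry here.
     */
    private String buildScopesStringFromAuthorizationRequest(boolean ignoreIncludeInTokenScope) {
        return AuthorizationContextUtil.getAuthorizationRequestContextFromScopes(this.session, this.clientSession.getNote(SCOPE_NOTE))
                .getAuthorizationDetailEntries().stream()
                .filter(entry -> entry.getSource().equals(AuthorizationRequestSource.SCOPE))
                .filter(entry -> entry.getClientScope().isIncludeInTokenScope() || ignoreIncludeInTokenScope)
                .filter(entry -> isClientScopePermittedForUser(entry.getClientScope()))
                .map(entry -> entry.getAuthorizationDetails().getScopeNameFromCustomData())
                .collect(Collectors.joining(" "));
    }

    /**
     * Stores an arbitrary attribute on this context.
     *
     * @param str attribute name
     * @param obj attribute value
     */
    public void setAttribute(String str, Object obj) {
        this.attributes.put(str, obj);
    }

    /**
     * Reads an attribute stored with {@link #setAttribute(String, Object)}.
     *
     * @param str attribute name
     * @param cls expected type of the value
     * @return the value, or {@code null} when no value is stored under that name
     * @throws ClassCastException if the stored value is not an instance of {@code cls}
     */
    public <T> T getAttribute(String str, Class<T> cls) {
        return cls.cast(this.attributes.get(str));
    }

    /** @return the authorization request context built from the session's {@code "scope"} note; not cached here */
    public AuthorizationRequestContext getAuthorizationRequestContext() {
        return AuthorizationContextUtil.getAuthorizationRequestContextFromScopes(this.session, this.clientSession.getNote(SCOPE_NOTE));
    }

    /**
     * Resolves the stored scope ids to models and keeps only those permitted for the user.
     *
     * <p>Ids that do not resolve to a scope are skipped without any log output. Scopes rejected
     * by the role check are reported at TRACE level only, together with the username.
     */
    private Set<ClientScopeModel> loadClientScopes() {
        Set<ClientScopeModel> permittedScopes = new HashSet<>();
        for (String scopeId : this.clientScopeIds) {
            ClientScopeModel clientScope = KeycloakModelUtils.findClientScopeById(this.clientSession.getClient().getRealm(), getClientSession().getClient(), scopeId);
            if (clientScope == null) {
                continue;
            }
            if (isClientScopePermittedForUser(clientScope)) {
                permittedScopes.add(clientScope);
            } else if (logger.isTraceEnabled()) {
                logger.tracef("User '%s' not permitted to have client scope '%s'", this.clientSession.getUserSession().getUser().getUsername(), clientScope.getName());
            }
        }
        return permittedScopes;
    }

    /**
     * Decides whether the session's user may receive the given client scope.
     *
     * <p>A {@link ClientModel} is always permitted, and so is a scope without any role scope
     * mappings. Otherwise the scope's mappings are expanded through composite roles and the user
     * must hold at least one of the resulting roles.
     */
    private boolean isClientScopePermittedForUser(ClientScopeModel clientScope) {
        if (clientScope instanceof ClientModel) {
            return true;
        }
        Set<RoleModel> scopeMappings = clientScope.getScopeMappingsStream().collect(Collectors.toSet());
        // No role scope mappings means the scope is not role-gated at all.
        if (scopeMappings.isEmpty()) {
            return true;
        }
        Set<RoleModel> expandedScopeRoles = RoleUtils.expandCompositeRoles(scopeMappings);
        // Permitted only when the expanded scope roles intersect the user's deep role mappings.
        expandedScopeRoles.retainAll(getUserRoles());
        return !expandedScopeRoles.isEmpty();
    }

    /** Computes the roles via {@code TokenManager.getAccess} from the user, the client and the permitted scopes. */
    private Set<RoleModel> loadRoles() {
        return TokenManager.getAccess(this.clientSession.getUserSession().getUser(), this.clientSession.getClient(), getClientScopesStream());
    }

    /**
     * Collects the protocol mappers of all permitted scopes that match the client's protocol and
     * are enabled. A client without a protocol is treated as {@code openid-connect} and a
     * warning is logged.
     */
    private Set<ProtocolMapperModel> loadProtocolMappers() {
        String configuredProtocol = this.clientSession.getClient().getProtocol();
        if (configuredProtocol == null) {
            logger.warnf("Client '%s' doesn't have protocol set. Fallback to openid-connect. Please fix client configuration", this.clientSession.getClient().getClientId());
        }
        final String protocol = configuredProtocol != null ? configuredProtocol : FALLBACK_PROTOCOL;
        return getClientScopesStream()
                .flatMap(clientScope -> clientScope.getProtocolMappersStream()
                        .filter(mapper -> Objects.equals(protocol, mapper.getProtocol()) && ProtocolMapperUtils.isEnabled(this.session, mapper)))
                .collect(Collectors.toSet());
    }

    /** Loads the user's role mappings through {@code RoleUtils.getDeepUserRoleMappings}. */
    private Set<RoleModel> loadUserRoles() {
        return RoleUtils.getDeepUserRoleMappings(this.clientSession.getUserSession().getUser());
    }
}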
