package io.vertx.ext.auth.oauth2.rbac.impl;

import io.vertx.core.AsyncResult;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.oauth2.AccessToken;
import io.vertx.ext.auth.oauth2.OAuth2ClientOptions;
import io.vertx.ext.auth.oauth2.OAuth2RBAC;
import io.vertx.reactivex.ext.auth.mongo.MongoAuth;
import java.util.Collections;
import java.util.Map;
import org.kie.kogito.explainability.api.ModelIdentifierDto;
import org.wildfly.security.http.HttpConstants;

/* loaded from: input_file:io/vertx/ext/auth/oauth2/rbac/impl/KeycloakRBACImpl.class */
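/**
 * Role-based authorization check over the claims of a Keycloak-issued access token.
 *
 * <p>An authority string is split on {@code ModelIdentifierDto.RESOURCE_ID_SEPARATOR} and read as:
 * <ul>
 *   <li>{@code role}: a role of this client ({@code options.getClientID()}) under
 *       {@code resource_access};</li>
 *   <li>{@code <HttpConstants.REALM><sep>role}: a role under {@code realm_access};</li>
 *   <li>{@code client<sep>role}: a role of the named client under {@code resource_access}.</li>
 * </ul>
 * Segments after the second one are ignored.
 *
 * <p>This class only reads the already-decoded claims returned by {@code AccessToken.accessToken()}.
 * It performs no signature, issuer, audience or expiry validation itself.
 * NOTE(review): presumably the AccessToken implementation has verified the JWT before exposing its
 * claims; confirm, because every decision made here trusts those claims.
 *
 * <p>NOTE(review): the separator, realm prefix and role-field constants are taken from unrelated
 * libraries (kogito, wildfly, mongo auth). This looks like decompiler constant substitution,
 * presumably for ":", "realm" and "roles"; confirm against the upstream source.
 */
public class KeycloakRBACImpl implements OAuth2RBAC {
    // Shared defaults returned when a claim is absent. Both are backed by the immutable empty
    // JDK collections and are only ever read from.
    private static final JsonObject EMPTY_JSON = new JsonObject(Collections.<String, Object>emptyMap());
    private static final JsonArray EMPTY_ARRAY = new JsonArray(Collections.emptyList());
    private final OAuth2ClientOptions options;

    /**
     * @param oAuth2ClientOptions client configuration; its client id selects the default
     *     {@code resource_access} entry for single-segment authorities
     * @throws IllegalArgumentException if {@code oAuth2ClientOptions} is null
     */
    public KeycloakRBACImpl(OAuth2ClientOptions oAuth2ClientOptions) {
        if (oAuth2ClientOptions == null) {
            throw new IllegalArgumentException("options is a required argument");
        }
        this.options = oAuth2ClientOptions;
    }

    /**
     * Decides whether the token carries the requested authority and reports the outcome to
     * {@code handler}.
     *
     * <p>Every outcome is delivered through the handler. A missing token, missing claims, a null
     * authority or claims of an unexpected JSON type produce a failed result; an authority that
     * names no role produces {@code false}. None of these paths can result in a grant.
     *
     * @param accessToken token whose decoded claims are inspected
     * @param str authority to check, in one of the forms described on the class
     * @param handler receives {@code true}/{@code false}, or a failure when the check cannot run
     */
    @Override // io.vertx.ext.auth.oauth2.OAuth2RBAC
    public void isAuthorized(AccessToken accessToken, String str, Handler<AsyncResult<Boolean>> handler) {
        JsonObject claims = accessToken == null ? null : accessToken.accessToken();
        if (claims == null) {
            handler.handle(Future.failedFuture("AccessToken is not a valid JWT"));
            return;
        }
        if (str == null) {
            // Previously this surfaced as a NullPointerException thrown at the caller.
            handler.handle(Future.failedFuture("authority is a required argument"));
            return;
        }
        String[] parts = str.split(ModelIdentifierDto.RESOURCE_ID_SEPARATOR);
        boolean granted;
        try {
            if (parts.length == 0) {
                // String.split drops trailing empty segments, so an authority made only of
                // separators yields an empty array. It names no role: deny instead of indexing.
                granted = false;
            } else if (parts.length == 1) {
                granted = hasApplicationRole(claims, this.options.getClientID(), parts[0]);
            } else if (HttpConstants.REALM.equals(parts[0])) {
                granted = hasRealmRole(claims, parts[1]);
            } else {
                granted = hasApplicationRole(claims, parts[0], parts[1]);
            }
        } catch (ClassCastException e) {
            // The typed JSON getters throw when a claim has an unexpected JSON type (for example
            // "resource_access" holding a string). Report it as a failed check, never as a grant.
            handler.handle(Future.failedFuture(e));
            return;
        }
        // Invoked outside the try block so exceptions raised by the handler are not intercepted.
        handler.handle(Future.succeededFuture(Boolean.valueOf(granted)));
    }

    /**
     * Returns whether {@code resource_access.<clientId>} lists {@code role} in its role array.
     * A missing claim, client entry or role array yields {@code false}.
     */
    private boolean hasApplicationRole(JsonObject claims, String clientId, String role) {
        if (claims == null) {
            return false;
        }
        JsonObject clientAccess = claims.getJsonObject("resource_access", EMPTY_JSON).getJsonObject(clientId);
        if (clientAccess == null) {
            return false;
        }
        return clientAccess.getJsonArray(MongoAuth.DEFAULT_ROLE_FIELD, EMPTY_ARRAY).contains(role);
    }

    /**
     * Returns whether {@code realm_access} lists {@code role} in its role array.
     * A missing claim or role array yields {@code false}.
     */
    private boolean hasRealmRole(JsonObject claims, String role) {
        if (claims == null) {
            return false;
        }
        JsonArray realmRoles = claims.getJsonObject("realm_access", EMPTY_JSON)
                .getJsonArray(MongoAuth.DEFAULT_ROLE_FIELD, EMPTY_ARRAY);
        return realmRoles.contains(role);
    }
}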
