package org.keycloak.authorization.authorization;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.BiFunction;
import java.util.stream.Collectors;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.OAuthErrorException;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.common.KeycloakEvaluationContext;
import org.keycloak.authorization.common.KeycloakIdentity;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.PermissionTicketAwareDecisionResultCollector;
import org.keycloak.authorization.policy.evaluation.Result;
import org.keycloak.authorization.store.ResourceServerStore;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.authorization.util.Permissions;
import org.keycloak.authorization.util.Tokens;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.common.util.Base64Url;
import org.keycloak.events.EventBuilder;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionTicketToken;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.resources.Cors;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/authorization/authorization/AuthorizationTokenService.class */
public class AuthorizationTokenService {
    public static final String CLAIM_TOKEN_FORMAT_ID_TOKEN = "http://openid.net/specs/openid-connect-core-1_0.html#IDToken";
    private static final Logger logger = Logger.getLogger(AuthorizationTokenService.class);
    private static Map<String, BiFunction<AuthorizationRequest, AuthorizationProvider, KeycloakEvaluationContext>> SUPPORTED_CLAIM_TOKEN_FORMATS = new HashMap();
    private final TokenManager tokenManager;
    private final EventBuilder event;
    private final HttpRequest httpRequest;
    private final AuthorizationProvider authorization;
    private final Cors cors;

    public AuthorizationTokenService(AuthorizationProvider authorizationProvider, TokenManager tokenManager, EventBuilder eventBuilder, HttpRequest httpRequest, Cors cors) {
        this.tokenManager = tokenManager;
        this.event = eventBuilder;
        this.httpRequest = httpRequest;
        this.authorization = authorizationProvider;
        this.cors = cors;
    }

    public Response authorize(AuthorizationRequest authorizationRequest) {
        if (authorizationRequest == null) {
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "Invalid authorization request.", Response.Status.BAD_REQUEST);
        }
        if (isPublicClientRequestingEntitlemesWithClaims(authorizationRequest)) {
            throw new CorsErrorResponseException(this.cors, "invalid_grant", "Public clients are not allowed to send claims", Response.Status.FORBIDDEN);
        }
        try {
            PermissionTicketToken permissionTicket = getPermissionTicket(authorizationRequest);
            authorizationRequest.setClaims(permissionTicket.getClaims());
            ResourceServer resourceServer = getResourceServer(permissionTicket);
            KeycloakEvaluationContext createEvaluationContext = createEvaluationContext(authorizationRequest);
            KeycloakIdentity keycloakIdentity = (KeycloakIdentity) KeycloakIdentity.class.cast(createEvaluationContext.getIdentity());
            List<Permission> permits = Permissions.permits((permissionTicket.getResources().isEmpty() && authorizationRequest.getRpt() == null) ? evaluateAllPermissions(resourceServer, createEvaluationContext, keycloakIdentity) : !authorizationRequest.getPermissions().getResources().isEmpty() ? evaluatePermissions(authorizationRequest, permissionTicket, resourceServer, createEvaluationContext, keycloakIdentity) : evaluateUserManagedPermissions(authorizationRequest, permissionTicket, resourceServer, createEvaluationContext, keycloakIdentity), authorizationRequest.getMetadata(), this.authorization, resourceServer);
            if (!permits.isEmpty()) {
                ClientModel clientById = this.authorization.getRealm().getClientById(resourceServer.getId());
                return Cors.add(this.httpRequest, Response.status(Response.Status.OK).type(MediaType.APPLICATION_JSON_TYPE).entity(new AuthorizationResponse(createRequestingPartyToken(keycloakIdentity, permits, authorizationRequest, clientById), authorizationRequest.getRpt() != null))).allowedOrigins(getKeycloakSession().getContext().getUri(), clientById).allowedMethods("POST").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
            }
            if (authorizationRequest.isSubmitRequest()) {
                throw new CorsErrorResponseException(this.cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "request_submitted", Response.Status.FORBIDDEN);
            }
            throw new CorsErrorResponseException(this.cors, AbstractOAuth2IdentityProvider.ACCESS_DENIED, "not_authorized", Response.Status.FORBIDDEN);
        } catch (Exception e) {
            logger.error("Unexpected error while evaluating permissions", e);
            throw new CorsErrorResponseException(this.cors, "server_error", "Unexpected error while evaluating permissions", Response.Status.INTERNAL_SERVER_ERROR);
        } catch (CorsErrorResponseException | ErrorResponseException e2) {
            if (logger.isDebugEnabled()) {
                logger.debug("Error while evaluating permissions", e2);
            }
            throw e2;
        }
    }

    private boolean isPublicClientRequestingEntitlemesWithClaims(AuthorizationRequest authorizationRequest) {
        return authorizationRequest.getClaimToken() != null && getKeycloakSession().getContext().getClient().isPublicClient() && authorizationRequest.getTicket() == null;
    }

    private List<Result> evaluatePermissions(AuthorizationRequest authorizationRequest, PermissionTicketToken permissionTicketToken, ResourceServer resourceServer, KeycloakEvaluationContext keycloakEvaluationContext, KeycloakIdentity keycloakIdentity) {
        return this.authorization.evaluators().from(createPermissions(permissionTicketToken, authorizationRequest, resourceServer, keycloakIdentity, this.authorization), keycloakEvaluationContext).evaluate();
    }

    private List<Result> evaluateUserManagedPermissions(AuthorizationRequest authorizationRequest, PermissionTicketToken permissionTicketToken, ResourceServer resourceServer, KeycloakEvaluationContext keycloakEvaluationContext, KeycloakIdentity keycloakIdentity) {
        return this.authorization.evaluators().from(createPermissions(permissionTicketToken, authorizationRequest, resourceServer, keycloakIdentity, this.authorization), keycloakEvaluationContext).evaluate(new PermissionTicketAwareDecisionResultCollector(authorizationRequest, permissionTicketToken, keycloakIdentity, resourceServer, this.authorization)).results();
    }

    private List<Result> evaluateAllPermissions(ResourceServer resourceServer, KeycloakEvaluationContext keycloakEvaluationContext, KeycloakIdentity keycloakIdentity) {
        return this.authorization.evaluators().from(Permissions.all(resourceServer, keycloakIdentity, this.authorization), keycloakEvaluationContext).evaluate();
    }

    private AccessTokenResponse createRequestingPartyToken(KeycloakIdentity keycloakIdentity, List<Permission> list, AuthorizationRequest authorizationRequest, ClientModel clientModel) {
        KeycloakSession keycloakSession = getKeycloakSession();
        AccessToken accessToken = keycloakIdentity.getAccessToken();
        UserSessionModel userSession = keycloakSession.sessions().getUserSession(getRealm(), accessToken.getSessionState());
        ClientModel clientByClientId = getRealm().getClientByClientId(accessToken.getIssuedFor());
        AuthenticatedClientSessionModel authenticatedClientSessionByClient = userSession.getAuthenticatedClientSessionByClient(clientByClientId.getId());
        TokenManager.AccessTokenResponseBuilder generateRefreshToken = this.tokenManager.responseBuilder(getRealm(), authenticatedClientSessionByClient.getClient(), this.event, keycloakSession, userSession, authenticatedClientSessionByClient).generateAccessToken().generateRefreshToken();
        AccessToken accessToken2 = generateRefreshToken.getAccessToken();
        accessToken2.issuedFor(clientByClientId.getClientId());
        AccessToken.Authorization authorization = new AccessToken.Authorization();
        authorization.setPermissions(list);
        authorization.setClaims(authorizationRequest.getClaims());
        accessToken2.setAuthorization(authorization);
        RefreshToken refreshToken = generateRefreshToken.getRefreshToken();
        refreshToken.issuedFor(clientByClientId.getClientId());
        refreshToken.setAuthorization(authorization);
        if (!accessToken2.hasAudience(clientModel.getClientId())) {
            accessToken2.audience(new String[]{clientModel.getClientId()});
        }
        return generateRefreshToken.build();
    }

    private PermissionTicketToken getPermissionTicket(AuthorizationRequest authorizationRequest) {
        if (authorizationRequest.getTicket() != null) {
            return verifyPermissionTicket(authorizationRequest);
        }
        PermissionTicketToken permissions = authorizationRequest.getPermissions();
        permissions.audience(new String[]{authorizationRequest.getAudience()});
        return permissions;
    }

    private ResourceServer getResourceServer(PermissionTicketToken permissionTicketToken) {
        ResourceServerStore resourceServerStore = this.authorization.getStoreFactory().getResourceServerStore();
        String[] audience = permissionTicketToken.getAudience();
        if (audience == null || audience.length == 0) {
            throw new CorsErrorResponseException(this.cors, "invalid_request", "You must provide the audience", Response.Status.BAD_REQUEST);
        }
        ClientModel clientByClientId = getRealm().getClientByClientId(audience[0]);
        if (clientByClientId == null) {
            throw new CorsErrorResponseException(this.cors, "invalid_request", "Unknown resource server id.", Response.Status.BAD_REQUEST);
        }
        ResourceServer findById = resourceServerStore.findById(clientByClientId.getId());
        if (findById == null) {
            throw new CorsErrorResponseException(this.cors, "invalid_request", "Client does not support permissions", Response.Status.BAD_REQUEST);
        }
        return findById;
    }

    private KeycloakEvaluationContext createEvaluationContext(AuthorizationRequest authorizationRequest) {
        String claimTokenFormat = authorizationRequest.getClaimTokenFormat();
        if (claimTokenFormat == null) {
            claimTokenFormat = CLAIM_TOKEN_FORMAT_ID_TOKEN;
        }
        BiFunction<AuthorizationRequest, AuthorizationProvider, KeycloakEvaluationContext> biFunction = SUPPORTED_CLAIM_TOKEN_FORMATS.get(claimTokenFormat);
        if (biFunction == null) {
            throw new CorsErrorResponseException(this.cors, "invalid_request", "Claim token format [" + claimTokenFormat + "] not supported", Response.Status.BAD_REQUEST);
        }
        return biFunction.apply(authorizationRequest, this.authorization);
    }

    private List<ResourcePermission> createPermissions(PermissionTicketToken permissionTicketToken, AuthorizationRequest authorizationRequest, ResourceServer resourceServer, KeycloakIdentity keycloakIdentity, AuthorizationProvider authorizationProvider) {
        AccessToken.Authorization authorization;
        List<Permission> permissions;
        Resource findByName;
        StoreFactory storeFactory = authorizationProvider.getStoreFactory();
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        ResourceStore resourceStore = storeFactory.getResourceStore();
        AuthorizationRequest.Metadata metadata = authorizationRequest.getMetadata();
        Integer limit = metadata != null ? metadata.getLimit() : null;
        for (PermissionTicketToken.ResourcePermission resourcePermission : permissionTicketToken.getResources()) {
            if (limit != null && limit.intValue() <= 0) {
                break;
            }
            Set scopes = resourcePermission.getScopes();
            if (resourcePermission.getScopes() == null) {
                scopes = new HashSet();
            }
            ArrayList<Resource> arrayList = new ArrayList();
            if (resourcePermission.getResourceId() != null) {
                Resource findById = resourceStore.findById(resourcePermission.getResourceId(), resourceServer.getId());
                if (findById != null) {
                    arrayList.add(findById);
                } else {
                    Resource findByName2 = resourceStore.findByName(resourcePermission.getResourceId(), keycloakIdentity.getId(), resourceServer.getId());
                    if (findByName2 != null) {
                        arrayList.add(findByName2);
                    }
                    if (!keycloakIdentity.isResourceServer() && (findByName = resourceStore.findByName(resourcePermission.getResourceId(), resourceServer.getId())) != null) {
                        arrayList.add(findByName);
                    }
                }
            }
            if (arrayList.isEmpty() && (scopes == null || scopes.isEmpty())) {
                throw new CorsErrorResponseException(this.cors, "invalid_resource", "Resource with id [" + resourcePermission.getResourceId() + "] does not exist.", Response.Status.FORBIDDEN);
            }
            String scope = authorizationRequest.getScope();
            if (scope != null) {
                scopes.addAll(Arrays.asList(scope.split(" ")));
            }
            if (arrayList.isEmpty()) {
                Iterator it = resourceStore.findByScope(new ArrayList(scopes), permissionTicketToken.getAudience()[0]).iterator();
                while (it.hasNext()) {
                    linkedHashMap.put(((Resource) it.next()).getId(), scopes);
                    if (limit != null) {
                        limit = Integer.valueOf(limit.intValue() - 1);
                    }
                }
                linkedHashMap.put("$KC_SCOPE_PERMISSION", scopes);
            } else {
                for (Resource resource : arrayList) {
                    Set set = (Set) linkedHashMap.get(resource.getId());
                    if (set == null) {
                        set = new HashSet();
                        linkedHashMap.put(resource.getId(), set);
                        if (limit != null) {
                            limit = Integer.valueOf(limit.intValue() - 1);
                        }
                    }
                    set.addAll(scopes);
                }
            }
        }
        String rpt = authorizationRequest.getRpt();
        if (rpt != null) {
            if (!Tokens.verifySignature(getKeycloakSession(), getRealm(), rpt)) {
                throw new CorsErrorResponseException(this.cors, "invalid_rpt", "RPT signature is invalid", Response.Status.FORBIDDEN);
            }
            try {
                AccessToken accessToken = (AccessToken) new JWSInput(rpt).readJsonContent(AccessToken.class);
                if (accessToken.isActive() && (authorization = accessToken.getAuthorization()) != null && (permissions = authorization.getPermissions()) != null) {
                    for (Permission permission : permissions) {
                        if (limit != null && limit.intValue() <= 0) {
                            break;
                        }
                        Resource findById2 = resourceStore.findById(permission.getResourceId(), permissionTicketToken.getAudience()[0]);
                        if (findById2 != null) {
                            Set set2 = (Set) linkedHashMap.get(findById2.getId());
                            if (set2 == null) {
                                set2 = new HashSet();
                                linkedHashMap.put(findById2.getId(), set2);
                                if (limit != null) {
                                    limit = Integer.valueOf(limit.intValue() - 1);
                                }
                            }
                            Set scopes2 = permission.getScopes();
                            if (scopes2 != null) {
                                set2.addAll(scopes2);
                            }
                        }
                    }
                }
            } catch (JWSInputException e) {
                throw new CorsErrorResponseException(this.cors, "invalid_rpt", "Invalid RPT", Response.Status.FORBIDDEN);
            }
        }
        ScopeStore scopeStore = storeFactory.getScopeStore();
        return (List) linkedHashMap.entrySet().stream().flatMap(entry -> {
            String str = (String) entry.getKey();
            return "$KC_SCOPE_PERMISSION".equals(str) ? Arrays.asList(new ResourcePermission((Resource) null, (List) ((Set) entry.getValue()).stream().map(str2 -> {
                return scopeStore.findByName(str2, resourceServer.getId());
            }).filter(scope2 -> {
                return Objects.nonNull(scope2);
            }).collect(Collectors.toList()), resourceServer)).stream() : Permissions.createResourcePermissions(resourceStore.findById(str, resourceServer.getId()), (Set) entry.getValue(), authorizationProvider).stream();
        }).collect(Collectors.toList());
    }

    private PermissionTicketToken verifyPermissionTicket(AuthorizationRequest authorizationRequest) {
        String ticket = authorizationRequest.getTicket();
        if (ticket == null || !Tokens.verifySignature(getKeycloakSession(), getRealm(), ticket)) {
            throw new CorsErrorResponseException(this.cors, "invalid_ticket", "Ticket verification failed", Response.Status.FORBIDDEN);
        }
        try {
            PermissionTicketToken permissionTicketToken = (PermissionTicketToken) new JWSInput(ticket).readJsonContent(PermissionTicketToken.class);
            if (permissionTicketToken.isActive()) {
                return permissionTicketToken;
            }
            throw new CorsErrorResponseException(this.cors, "invalid_ticket", "Invalid permission ticket.", Response.Status.FORBIDDEN);
        } catch (JWSInputException e) {
            throw new CorsErrorResponseException(this.cors, "invalid_ticket", "Could not parse permission ticket.", Response.Status.FORBIDDEN);
        }
    }

    private KeycloakSession getKeycloakSession() {
        return this.authorization.getKeycloakSession();
    }

    private RealmModel getRealm() {
        return getKeycloakSession().getContext().getRealm();
    }

    static {
        SUPPORTED_CLAIM_TOKEN_FORMATS.put("urn:ietf:params:oauth:token-type:jwt", (authorizationRequest, authorizationProvider) -> {
            String claimToken = authorizationRequest.getClaimToken();
            if (claimToken == null) {
                throw new RuntimeException("Claim token can not be null");
            }
            try {
                Map map = (Map) JsonSerialization.readValue(Base64Url.decode(authorizationRequest.getClaimToken()), Map.class);
                authorizationRequest.setClaims(map);
                return new KeycloakEvaluationContext(new KeycloakIdentity(authorizationProvider.getKeycloakSession(), (IDToken) Tokens.getAccessToken(authorizationRequest.getAccessToken(), authorizationProvider.getKeycloakSession())), map, authorizationProvider.getKeycloakSession());
            } catch (IOException e) {
                throw new RuntimeException("Failed to map claims from claim token [" + claimToken + "]", e);
            }
        });
        SUPPORTED_CLAIM_TOKEN_FORMATS.put(CLAIM_TOKEN_FORMAT_ID_TOKEN, (authorizationRequest2, authorizationProvider2) -> {
            try {
                KeycloakSession keycloakSession = authorizationProvider2.getKeycloakSession();
                RealmModel realm = authorizationProvider2.getRealm();
                String accessToken = authorizationRequest2.getAccessToken();
                if (accessToken == null) {
                    throw new RuntimeException("Claim token can not be null and must be a valid IDToken");
                }
                return new KeycloakEvaluationContext(new KeycloakIdentity(keycloakSession, new TokenManager().verifyIDTokenSignature(keycloakSession, realm, accessToken)), authorizationRequest2.getClaims(), keycloakSession);
            } catch (OAuthErrorException e) {
                throw new RuntimeException("Failed to verify ID token", e);
            }
        });
    }
}
