package org.keycloak.services.managers;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.ws.rs.core.MultivaluedMap;
import org.jboss.resteasy.logging.Logger;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.SkeletonKeyScope;
import org.keycloak.representations.SkeletonKeyToken;
import org.keycloak.util.Base64Url;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/services/managers/TokenManager.class */
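/**
 * Issues access codes and access tokens for a realm.
 *
 * <p>An access code is an {@link AccessCodeEntry} kept in an in-memory map and handed to the
 * client as a JWS (RSA-256 over the entry id, signed with the realm private key). The entry carries
 * the roles the client may receive, computed as the intersection of the user's role mappings, the
 * client's scope mappings and the (optional, client-supplied) requested scope; the requested scope
 * can only narrow that set, never widen it.
 *
 * <p>Thread-safety: the code map is a {@link ConcurrentHashMap}; nothing else in this class holds
 * state. Expiration is recorded on each entry but NOT enforced here — {@link #getAccessCode(String)}
 * and {@link #pullAccessCode(String)} return expired entries too, so callers must check
 * {@code getExpiration()} themselves.
 */
public class TokenManager {
    protected static final Logger logger = Logger.getLogger(TokenManager.class);

    /** Pending access codes keyed by entry id. Entries leave the map on pull or on {@link #clearAccessCodes()}. */
    protected Map<String, AccessCodeEntry> accessCodeMap = new ConcurrentHashMap<>();

    /** Drops every pending access code. */
    public void clearAccessCodes() {
        this.accessCodeMap.clear();
    }

    /**
     * Looks up a pending access code without consuming it.
     *
     * @param id the access code entry id (the signed JWS payload, not the JWS itself)
     * @return the entry, or {@code null} if unknown
     */
    public AccessCodeEntry getAccessCode(String id) {
        return this.accessCodeMap.get(id);
    }

    /**
     * Consumes a pending access code: returns it and removes it so it cannot be redeemed twice.
     *
     * @param id the access code entry id
     * @return the entry, or {@code null} if unknown or already pulled
     */
    public AccessCodeEntry pullAccessCode(String id) {
        return this.accessCodeMap.remove(id);
    }

    /**
     * Whether the requested scope asks for a given role in a given group.
     *
     * <p>A {@code null} or empty scope means "everything the client is entitled to", so it answers
     * {@code true}; otherwise the role must be listed explicitly under the group key.
     *
     * @param scope    requested scope, possibly {@code null}
     * @param group    scope group key ({@code "realm"} or an application name)
     * @param roleName role name to look for under that group
     */
    protected boolean desiresScope(SkeletonKeyScope scope, String group, String roleName) {
        if (isEmpty(scope)) {
            return true;
        }
        List<?> requested = (List<?>) scope.get(group);
        return requested != null && requested.contains(roleName);
    }

    /**
     * Whether the requested scope mentions a group at all (same null/empty rule as
     * {@link #desiresScope}).
     */
    protected boolean desiresScopeGroup(SkeletonKeyScope scope, String group) {
        if (isEmpty(scope)) {
            return true;
        }
        return scope.containsKey(group);
    }

    /** {@code true} when no scope was requested ({@code null} or no entries). */
    protected boolean isEmpty(SkeletonKeyScope scope) {
        return scope == null || scope.isEmpty();
    }

    /**
     * Walks a scope role (and, recursively, its composites) and collects those the user's role
     * actually grants.
     *
     * @param userRole  a role the user holds
     * @param scopeRole a role from the client's scope mappings
     * @param visited   cycle guard for composite roles; shared across the recursion
     * @param granted   output: scope roles the user role covers
     */
    public static void applyScope(RoleModel userRole, RoleModel scopeRole, Set<RoleModel> visited, Set<RoleModel> granted) {
        // add() returning false means we have already been here — stops composite cycles.
        if (!visited.add(scopeRole)) {
            return;
        }
        if (userRole.hasRole(scopeRole)) {
            granted.add(scopeRole);
        } else if (scopeRole.isComposite()) {
            for (RoleModel composite : scopeRole.getComposites()) {
                applyScope(userRole, composite, visited, granted);
            }
        }
    }

    /**
     * Creates, registers and signs an access code for a client acting on behalf of a user.
     *
     * <p>Role selection: for every role the user holds, the role is kept if it belongs to the
     * client's own application, and every client scope mapping it covers (directly or through
     * composites) is kept as well. The requested scope then filters that set per group.
     *
     * @param scopeParam  client-supplied, base64url-encoded JSON scope; {@code null} for "all"
     * @param state       client state echoed back on the entry
     * @param redirectUri redirect URI recorded on the entry (validated by the caller, not here)
     * @param realm       realm issuing the code
     * @param client      the client application's user record
     * @param user        the authenticated end user
     * @return the registered entry, with {@code getCode()} holding the signed JWS
     */
    public AccessCodeEntry createAccessCode(String scopeParam, String state, String redirectUri, RealmModel realm, UserModel client, UserModel user) {
        AccessCodeEntry entry = new AccessCodeEntry();
        SkeletonKeyScope scope = scopeParam != null ? decodeScope(scopeParam) : null;
        List<RoleModel> realmRolesRequested = entry.getRealmRolesRequested();
        MultivaluedMap<String, RoleModel> resourceRolesRequested = entry.getResourceRolesRequested();

        Set<RoleModel> roleMappings = realm.getRoleMappings(user);
        // Copy: the client's own application roles are added below and must not leak back into the
        // realm's scope mappings should the model hand out a live collection.
        Set<RoleModel> scopeMappings = new HashSet<>(realm.getScopeMappings(client));
        ApplicationModel clientApp = realm.getApplicationByName(client.getLoginName());
        if (clientApp != null) {
            Set<RoleModel> appRoles = clientApp.getRoles();
            if (appRoles != null) {
                scopeMappings.addAll(appRoles);
            }
        }

        Set<RoleModel> grantable = new HashSet<>();
        for (RoleModel userRole : roleMappings) {
            if (clientApp != null && userRole.getContainer().equals(clientApp)) {
                grantable.add(userRole);
            }
            for (RoleModel scopeRole : scopeMappings) {
                applyScope(userRole, scopeRole, new HashSet<>(), grantable);
            }
        }

        // The requested scope only selects among roles the user is already entitled to.
        for (RoleModel role : grantable) {
            if (role.getContainer() instanceof RealmModel) {
                if (desiresScope(scope, "realm", role.getName())) {
                    realmRolesRequested.add(role);
                }
            } else if (role.getContainer() instanceof ApplicationModel) {
                ApplicationModel app = (ApplicationModel) role.getContainer();
                if (desiresScope(scope, app.getName(), role.getName())) {
                    resourceRolesRequested.add(app.getName(), role);
                }
            }
        }

        createToken(entry, realm, client, user);
        entry.setRealm(realm);
        // Seconds since epoch, matching the lifespan unit used for the token expiration.
        entry.setExpiration((System.currentTimeMillis() / 1000) + realm.getAccessCodeLifespan());
        entry.setClient(client);
        entry.setUser(user);
        entry.setState(state);
        entry.setRedirectUri(redirectUri);
        // Sign before publishing: a signing failure must not leave a code-less entry in the map.
        // Explicit UTF-8 (instead of "UTF-8" by name) removes the unreachable UnsupportedEncodingException path.
        entry.setCode(new JWSBuilder().content(entry.getId().getBytes(StandardCharsets.UTF_8)).rsa256(realm.getPrivateKey()));
        this.accessCodeMap.put(entry.getId(), entry);
        return entry;
    }

    /**
     * Builds a token skeleton (id, principal, audience, issue time, issuer-for, optional expiry,
     * allowed origins) without any role access yet.
     *
     * @param realm  realm whose name becomes the audience
     * @param client client whose login name becomes {@code issuedFor} and whose web origins are allowed
     * @param user   end user whose login name becomes the principal
     */
    protected SkeletonKeyToken initToken(RealmModel realm, UserModel client, UserModel user) {
        SkeletonKeyToken token = new SkeletonKeyToken();
        token.id(KeycloakModelUtils.generateId());
        token.principal(user.getLoginName());
        token.audience(realm.getName());
        token.issuedNow();
        token.issuedFor(client.getLoginName());
        // A non-positive lifespan means the token carries no expiration claim at all.
        if (realm.getTokenLifespan() > 0) {
            token.expiration((System.currentTimeMillis() / 1000) + realm.getTokenLifespan());
        }
        Set<String> webOrigins = client.getWebOrigins();
        if (webOrigins != null) {
            token.setAllowedOrigins(webOrigins);
        }
        return token;
    }

    /**
     * Adds a role — and, recursively, its composites — to the token's realm or resource access.
     *
     * <p>A role already present on the corresponding access block stops the recursion, which also
     * bounds composite cycles. Resource access created here for an application that requires
     * surrogate auth is marked {@code verifyCaller(true)}.
     */
    protected void addComposites(SkeletonKeyToken token, RoleModel role) {
        SkeletonKeyToken.Access access;
        if (role.getContainer() instanceof RealmModel) {
            access = token.getRealmAccess();
            if (access == null) {
                access = new SkeletonKeyToken.Access();
                token.setRealmAccess(access);
            } else if (access.getRoles() != null && access.isUserInRole(role.getName())) {
                return;
            }
        } else {
            ApplicationModel app = (ApplicationModel) role.getContainer();
            access = token.getResourceAccess(app.getName());
            if (access == null) {
                access = token.addAccess(app.getName());
                if (app.isSurrogateAuthRequired()) {
                    access.verifyCaller(true);
                }
            } else if (access.isUserInRole(role.getName())) {
                return;
            }
        }
        access.addRole(role.getName());
        if (role.isComposite()) {
            for (RoleModel composite : role.getComposites()) {
                addComposites(token, composite);
            }
        }
    }

    /**
     * Builds the token for an access code from the roles already selected on the entry and stores
     * it on the entry.
     */
    protected void createToken(AccessCodeEntry entry, RealmModel realm, UserModel client, UserModel user) {
        SkeletonKeyToken token = initToken(realm, client, user);
        for (RoleModel role : entry.getRealmRolesRequested()) {
            addComposites(token, role);
        }
        for (List<RoleModel> roles : entry.getResourceRolesRequested().values()) {
            for (RoleModel role : roles) {
                addComposites(token, role);
            }
        }
        entry.setToken(token);
    }

    /**
     * Serializes a scope to JSON and base64url-encodes it (inverse of {@link #decodeScope}).
     *
     * @throws RuntimeException wrapping any serialization failure
     */
    public String encodeScope(SkeletonKeyScope scope) {
        try {
            // Explicit UTF-8: the previous charset-less getBytes() used the platform default, which
            // is not guaranteed to match the UTF-8 used for the access code content.
            return Base64Url.encode(JsonSerialization.writeValueAsString(scope).getBytes(StandardCharsets.UTF_8));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Decodes a client-supplied scope parameter (base64url of JSON).
     *
     * <p>The input is untrusted — it comes straight from the request. Deserialization is to the
     * fixed {@link SkeletonKeyScope} type only, and {@link #createAccessCode} uses the result purely
     * as a filter over roles the user already holds.
     *
     * @throws RuntimeException wrapping the {@link IOException} from malformed input
     */
    public SkeletonKeyScope decodeScope(String encoded) {
        try {
            return JsonSerialization.readValue(Base64Url.decode(encoded), SkeletonKeyScope.class);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Builds a direct access token for a user holding all of the user's realm role mappings
     * (no client scope filtering, no {@code issuedFor}).
     */
    public SkeletonKeyToken createAccessToken(RealmModel realm, UserModel user) {
        SkeletonKeyToken token = new SkeletonKeyToken();
        token.id(KeycloakModelUtils.generateId());
        token.issuedNow();
        token.principal(user.getLoginName());
        token.audience(realm.getName());
        if (realm.getTokenLifespan() > 0) {
            token.expiration((System.currentTimeMillis() / 1000) + realm.getTokenLifespan());
        }
        for (RoleModel role : realm.getRoleMappings(user)) {
            addComposites(token, role);
        }
        return token;
    }

    /**
     * Serializes any object as JSON and signs it with the realm's RSA private key (RS256 JWS).
     *
     * @param realm realm whose private key signs the payload
     * @param obj   payload, typically a {@link SkeletonKeyToken}
     */
    public String encodeToken(RealmModel realm, Object obj) {
        return new JWSBuilder().jsonContent(obj).rsa256(realm.getPrivateKey());
    }
}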
