package org.keycloak.adapters.authorization;

import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.ServiceLoader;
import org.jboss.logging.Logger;
import org.keycloak.AuthorizationContext;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.OIDCHttpFacade;
import org.keycloak.adapters.authentication.ClientCredentialsProviderUtils;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.ClientAuthenticator;
import org.keycloak.authorization.client.Configuration;
import org.keycloak.authorization.client.resource.ProtectedResource;
import org.keycloak.common.util.PathMatcher;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;

/* loaded from: input_file:WEB-INF/lib/keycloak-adapter-core-4.8.3.Final.jar:org/keycloak/adapters/authorization/PolicyEnforcer.class */
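/**
 * Adapter-side policy enforcer.
 *
 * <p>On construction it builds an {@link AuthzClient} from the adapter configuration, resolves the
 * path configurations (from the adapter configuration and/or the resource server) and loads the
 * {@link ClaimInformationPointProviderFactory} implementations found through {@link ServiceLoader}.
 * {@link #enforce(OIDCHttpFacade)} delegates the actual decision to
 * {@code KeycloakAdapterPolicyEnforcer}.
 *
 * <p>Review notes for maintainers:
 * <ul>
 *   <li>The getters hand out the internal, mutable maps; callers that modify them change what this
 *       enforcer protects.</li>
 *   <li>At debug level the path configurations and the permissions of each decision are written to
 *       the log.</li>
 * </ul>
 */
public class PolicyEnforcer {
    private static final Logger LOGGER = Logger.getLogger(PolicyEnforcer.class);
    private final KeycloakDeployment deployment;
    private final AuthzClient authzClient;
    private final PolicyEnforcerConfig enforcerConfig;
    private final PathConfigMatcher pathMatcher;
    private final Map<String, PolicyEnforcerConfig.PathConfig> paths;
    private final Map<String, ClaimInformationPointProviderFactory> claimInformationPointProviderFactories = new HashMap<String, ClaimInformationPointProviderFactory>();

    /**
     * Matches a path against the known path configurations, backed by a bounded cache and, when
     * enabled, by lazy lookups against the resource server.
     */
    /* loaded from: input_file:WEB-INF/lib/keycloak-adapter-core-4.8.3.Final.jar:org/keycloak/adapters/authorization/PolicyEnforcer$PathConfigMatcher.class */
    public class PathConfigMatcher extends PathMatcher<PolicyEnforcerConfig.PathConfig> {
        private final Map<String, PolicyEnforcerConfig.PathConfig> paths;
        private final PathCache pathCache;
        private final AuthzClient authzClient;
        private final PolicyEnforcerConfig enforcerConfig;

        /**
         * @param map path configurations keyed by path
         * @param policyEnforcerConfig enforcer configuration; its path-cache settings size the cache,
         *     a default {@code PathCacheConfig} is used when none is configured
         * @param authzClient client used for lookups against the resource server
         */
        public PathConfigMatcher(Map<String, PolicyEnforcerConfig.PathConfig> map, PolicyEnforcerConfig policyEnforcerConfig, AuthzClient authzClient) {
            this.paths = map;
            this.enforcerConfig = policyEnforcerConfig;
            PolicyEnforcerConfig.PathCacheConfig cacheConfig = policyEnforcerConfig.getPathCacheConfig();
            if (cacheConfig == null) {
                cacheConfig = new PolicyEnforcerConfig.PathCacheConfig();
            }
            // The cache is keyed by the looked-up path; max entries and lifespan bound its growth.
            this.pathCache = new PathCache(cacheConfig.getMaxEntries(), cacheConfig.getLifespan());
            this.authzClient = authzClient;
        }

        /**
         * Returns the path configuration for {@code str}, or {@code null} when there is none.
         *
         * <p>Results, including {@code null} ("no configuration"), are cached. When lazy loading is
         * enabled or a path cache is configured, and the static match is missing or is a wildcard
         * pattern, the resource server is asked for a resource matching the path; the first hit
         * replaces the static match and inherits its claim-information-point configuration.
         *
         * <p>If the server lookup throws, the failure is logged and {@code null} is returned without
         * caching. NOTE(review): how the caller treats {@code null} is not visible in this class;
         * confirm it results in a denial wherever enforcement is expected.
         */
        /* JADX WARN: Can't rename method to resolve collision */
        @Override // org.keycloak.common.util.PathMatcher
        public PolicyEnforcerConfig.PathConfig matches(String str) {
            PolicyEnforcerConfig.PathConfig cached = this.pathCache.get(str);
            // containsKey covers cached negative results (a null value stored for the path).
            if (this.pathCache.containsKey(str) || cached != null) {
                return cached;
            }
            PolicyEnforcerConfig.PathConfig resolved = super.matches(str);
            boolean lazyLookupEnabled = this.enforcerConfig.getLazyLoadPaths().booleanValue() || this.enforcerConfig.getPathCacheConfig() != null;
            if (lazyLookupEnabled && (resolved == null || resolved.getPath().contains("*"))) {
                try {
                    List<ResourceRepresentation> matching = this.authzClient.protection().resource().findByMatchingUri(str);
                    if (!matching.isEmpty()) {
                        Map<String, Map<String, Object>> claimConfig = null;
                        if (resolved != null) {
                            claimConfig = resolved.getClaimInformationPointConfig();
                        }
                        resolved = PolicyEnforcerConfig.PathConfig.createPathConfigs(matching.get(0)).iterator().next();
                        if (claimConfig != null) {
                            resolved.setClaimInformationPointConfig(claimConfig);
                        }
                    }
                } catch (Exception e) {
                    // The path is supplied by the caller and may contain '%' (for example
                    // percent-encoded bytes). It is passed as a format argument so that it is never
                    // interpreted as part of the printf-style format string.
                    PolicyEnforcer.LOGGER.errorf(e, "Could not lazy load resource with path [%s] from server", str);
                    return null;
                }
            }
            this.pathCache.put(str, resolved);
            return resolved;
        }

        /** Returns the path of the given configuration. */
        /* JADX INFO: Access modifiers changed from: protected */
        @Override // org.keycloak.common.util.PathMatcher
        public String getPath(PolicyEnforcerConfig.PathConfig pathConfig) {
            return pathConfig.getPath();
        }

        /** Returns the configured path configurations this matcher works on. */
        @Override // org.keycloak.common.util.PathMatcher
        protected Collection<PolicyEnforcerConfig.PathConfig> getPaths() {
            return this.paths.values();
        }

        /**
         * Resolves a pattern-based configuration to a concrete one for {@code str}.
         *
         * <p>The resource server is queried by the exact path first and then by the URI built from
         * the pattern via {@code buildUriFromTemplate} (not defined in this class; presumably
         * inherited from {@code PathMatcher}). The first resource found becomes a new configuration
         * that copies scopes, methods, enforcement mode and claim-information-point configuration
         * from {@code pathConfig} and records it as parent.
         *
         * @return the resolved configuration, or {@code null} when {@code pathConfig} has no pattern
         *     or no resource is found
         */
        /* JADX INFO: Access modifiers changed from: protected */
        @Override // org.keycloak.common.util.PathMatcher
        public PolicyEnforcerConfig.PathConfig resolvePathConfig(PolicyEnforcerConfig.PathConfig pathConfig, String str) {
            if (!pathConfig.hasPattern()) {
                return null;
            }
            ProtectedResource resource = this.authzClient.protection().resource();
            List<ResourceRepresentation> found = resource.findByUri(str);
            if (found.isEmpty()) {
                found = resource.findByUri(buildUriFromTemplate(pathConfig.getPath(), str, true));
            }
            if (found.isEmpty()) {
                return null;
            }
            PolicyEnforcerConfig.PathConfig concrete = PolicyEnforcerConfig.PathConfig.createPathConfigs(found.get(0)).iterator().next();
            concrete.setScopes(pathConfig.getScopes());
            concrete.setMethods(pathConfig.getMethods());
            concrete.setParentConfig(pathConfig);
            concrete.setEnforcementMode(pathConfig.getEnforcementMode());
            concrete.setClaimInformationPointConfig(pathConfig.getClaimInformationPointConfig());
            return concrete;
        }

        /** Drops the cached result for {@code str} so the next lookup is resolved again. */
        public void removeFromCache(String str) {
            this.pathCache.remove(str);
        }
    }

    /**
     * Creates the enforcer for a deployment.
     *
     * <p>Builds the {@link AuthzClient}, resolves the path configurations, creates the matcher and
     * loads claim-information-point provider factories from two class loaders: the one that loaded
     * {@link ClaimInformationPointProviderFactory} and the thread context class loader. Each
     * discovered factory is initialised with this enforcer instance, so every registered provider
     * on either class path gets a reference to it.
     *
     * @param keycloakDeployment deployment whose client credentials are used for server calls
     * @param adapterConfig adapter configuration holding the policy-enforcer settings
     */
    public PolicyEnforcer(KeycloakDeployment keycloakDeployment, AdapterConfig adapterConfig) {
        this.deployment = keycloakDeployment;
        this.enforcerConfig = adapterConfig.getPolicyEnforcerConfig();
        this.authzClient = AuthzClient.create(new Configuration(adapterConfig.getAuthServerUrl(), adapterConfig.getRealm(), adapterConfig.getResource(), adapterConfig.getCredentials(), keycloakDeployment.getClient()), new ClientAuthenticator() { // from class: org.keycloak.adapters.authorization.PolicyEnforcer.1
            /**
             * Copies the deployment's client credentials into the request: headers are written
             * straight into {@code map2}, form parameters are wrapped as single-value lists.
             */
            @Override
            public void configureClientCredentials(Map<String, List<String>> map, Map<String, String> map2) {
                // Typed map: the raw-typed form cannot be put into Map<String, List<String>>.
                Map<String, String> formParams = new HashMap<String, String>();
                ClientCredentialsProviderUtils.setClientCredentials(PolicyEnforcer.this.deployment, map2, formParams);
                for (Map.Entry<String, String> entry : formParams.entrySet()) {
                    map.put(entry.getKey(), Arrays.asList(entry.getValue()));
                }
            }
        });
        this.paths = configurePaths(this.authzClient.protection().resource(), this.enforcerConfig);
        this.pathMatcher = new PathConfigMatcher(this.paths, this.enforcerConfig, this.authzClient);
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Initialization complete. Path configurations:");
            for (PolicyEnforcerConfig.PathConfig pathConfig : this.paths.values()) {
                LOGGER.debug(pathConfig);
            }
        }
        // A factory found by the second loader replaces one with the same name from the first.
        loadClaimInformationPointProviders(ServiceLoader.load(ClaimInformationPointProviderFactory.class, ClaimInformationPointProviderFactory.class.getClassLoader()));
        loadClaimInformationPointProviders(ServiceLoader.load(ClaimInformationPointProviderFactory.class, Thread.currentThread().getContextClassLoader()));
    }

    /**
     * Runs policy enforcement for the request and returns the resulting authorization context.
     *
     * <p>At debug level the request URI, the decision and every permission in the context are
     * logged.
     *
     * @param oIDCHttpFacade facade of the request being authorized
     * @return the context produced by {@code KeycloakAdapterPolicyEnforcer.authorize}
     */
    public AuthorizationContext enforce(OIDCHttpFacade oIDCHttpFacade) {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debugv("Policy enforcement is enabled. Enforcing policy decisions for path [{0}].", oIDCHttpFacade.getRequest().getURI());
        }
        AuthorizationContext context = new KeycloakAdapterPolicyEnforcer(this).authorize(oIDCHttpFacade);
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debugv("Policy enforcement result for path [{0}] is : {1}", oIDCHttpFacade.getRequest().getURI(), context.isGranted() ? "GRANTED" : "DENIED");
            LOGGER.debugv("Returning authorization context with permissions:", new Object[0]);
            for (Permission permission : context.getPermissions()) {
                LOGGER.debug(permission);
            }
        }
        return context;
    }

    /** Returns the policy-enforcer configuration taken from the adapter configuration. */
    public PolicyEnforcerConfig getEnforcerConfig() {
        return this.enforcerConfig;
    }

    /** Returns the authorization client used for calls to the server. */
    public AuthzClient getClient() {
        return this.authzClient;
    }

    /** Returns the internal path-configuration map (not a copy), keyed by path. */
    public Map<String, PolicyEnforcerConfig.PathConfig> getPaths() {
        return this.paths;
    }

    /** Returns the matcher used to resolve a path to its configuration. */
    public PathConfigMatcher getPathMatcher() {
        return this.pathMatcher;
    }

    /** Returns the deployment this enforcer was created for. */
    public KeycloakDeployment getDeployment() {
        return this.deployment;
    }

    /** Returns the internal map (not a copy) of loaded provider factories, keyed by name. */
    public Map<String, ClaimInformationPointProviderFactory> getClaimInformationPointProviderFactories() {
        return this.claimInformationPointProviderFactories;
    }

    /**
     * Initialises every factory the loader yields with this enforcer and registers it under its
     * name; a later factory with the same name replaces the earlier one.
     */
    private void loadClaimInformationPointProviders(ServiceLoader<ClaimInformationPointProviderFactory> serviceLoader) {
        for (ClaimInformationPointProviderFactory factory : serviceLoader) {
            factory.init(this);
            this.claimInformationPointProviderFactories.put(factory.getName(), factory);
        }
    }

    /**
     * Chooses where the path configurations come from.
     *
     * <p>If at least one configured path has an enforcement mode other than {@code DISABLED}, only
     * the configured paths are used. Otherwise (no paths, or every path disabled) the resources
     * known to the server are loaded first and the configured paths are laid over them. Note that
     * the "No path provided" message is therefore also logged when paths exist but all are
     * disabled.
     */
    private Map<String, PolicyEnforcerConfig.PathConfig> configurePaths(ProtectedResource protectedResource, PolicyEnforcerConfig policyEnforcerConfig) {
        boolean allDisabled = true;
        for (PolicyEnforcerConfig.PathConfig pathConfig : policyEnforcerConfig.getPaths()) {
            if (!PolicyEnforcerConfig.EnforcementMode.DISABLED.equals(pathConfig.getEnforcementMode())) {
                allDisabled = false;
                break;
            }
        }
        if (!allDisabled) {
            LOGGER.info("Paths provided in configuration.");
            return configureDefinedPaths(protectedResource, policyEnforcerConfig);
        }
        LOGGER.info("No path provided in configuration.");
        Map<String, PolicyEnforcerConfig.PathConfig> result = configureAllPathsForResourceServer(protectedResource);
        result.putAll(configureDefinedPaths(protectedResource, policyEnforcerConfig));
        return result;
    }

    /**
     * Builds the map of paths declared in the adapter configuration, in declaration order.
     *
     * <p>Each path is linked to a server resource, looked up by name when a name is given and
     * otherwise by exact URI and then by matching URI. A path for which no resource is found is
     * still registered, without a resource id. Entries that repeat an already registered path are
     * merged into it by adding their methods and scopes.
     *
     * @throws RuntimeException if a URI lookup returns more than one resource
     */
    private Map<String, PolicyEnforcerConfig.PathConfig> configureDefinedPaths(ProtectedResource protectedResource, PolicyEnforcerConfig policyEnforcerConfig) {
        Map<String, PolicyEnforcerConfig.PathConfig> defined = Collections.synchronizedMap(new LinkedHashMap<String, PolicyEnforcerConfig.PathConfig>());
        for (PolicyEnforcerConfig.PathConfig pathConfig : policyEnforcerConfig.getPaths()) {
            String name = pathConfig.getName();
            String path = pathConfig.getPath();
            ResourceRepresentation resource;
            if (name != null) {
                LOGGER.debugf("Trying to find resource with name [%s] for path [%s].", name, path);
                resource = protectedResource.findByName(name);
            } else {
                LOGGER.debugf("Trying to find resource with uri [%s] for path [%s].", path, path);
                List<ResourceRepresentation> found = protectedResource.findByUri(path);
                if (found.isEmpty()) {
                    found = protectedResource.findByMatchingUri(path);
                }
                if (found.size() == 1) {
                    resource = found.get(0);
                } else {
                    // An ambiguous mapping is refused rather than resolved by picking one resource.
                    if (found.size() > 1) {
                        throw new RuntimeException("Multiple resources found with the same uri");
                    }
                    resource = null;
                }
            }
            if (resource != null) {
                pathConfig.setId(resource.getId());
            }
            PolicyEnforcerConfig.PathConfig existing = null;
            for (PolicyEnforcerConfig.PathConfig candidate : defined.values()) {
                if (candidate.getPath().equals(pathConfig.getPath())) {
                    existing = candidate;
                    break;
                }
            }
            if (existing == null) {
                defined.put(pathConfig.getPath(), pathConfig);
            } else {
                existing.getMethods().addAll(pathConfig.getMethods());
                existing.getScopes().addAll(pathConfig.getScopes());
            }
        }
        return defined;
    }

    /**
     * Builds path configurations from every resource of the resource server that has URIs.
     *
     * <p>When lazy loading of paths is enabled nothing is fetched and an empty map is returned.
     */
    private Map<String, PolicyEnforcerConfig.PathConfig> configureAllPathsForResourceServer(ProtectedResource protectedResource) {
        LOGGER.info("Querying the server for all resources associated with this application.");
        Map<String, PolicyEnforcerConfig.PathConfig> all = Collections.synchronizedMap(new HashMap<String, PolicyEnforcerConfig.PathConfig>());
        if (!this.enforcerConfig.getLazyLoadPaths().booleanValue()) {
            for (String resourceId : protectedResource.findAll()) {
                ResourceRepresentation resource = protectedResource.findById(resourceId);
                if (resource.getUris() != null && !resource.getUris().isEmpty()) {
                    for (PolicyEnforcerConfig.PathConfig pathConfig : PolicyEnforcerConfig.PathConfig.createPathConfigs(resource)) {
                        all.put(pathConfig.getPath(), pathConfig);
                    }
                }
            }
        }
        return all;
    }
}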
