package org.keycloak.adapters.authorization;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.http.HttpStatus;
import org.jboss.logging.Logger;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.OAuth2Constants;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.OIDCHttpFacade;
import org.keycloak.adapters.rotation.AdapterTokenVerifier;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.resource.PermissionResource;
import org.keycloak.common.util.Base64;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.util.JsonSerialization;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:WEB-INF/lib/keycloak-adapter-core-4.8.3.Final.jar:org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.class */
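/**
 * Policy enforcer used by the Keycloak adapters.
 *
 * <p>When the permissions already carried by the caller's access token are not
 * sufficient, this enforcer asks the authorization server for a fresh set of
 * permissions (an RPT), verifies that RPT against the deployment, merges the
 * grants it carries into the original token and re-evaluates the request. When
 * user-managed access (UMA) is configured it does not fetch the RPT itself but
 * challenges bearer clients with a permission ticket in a {@code WWW-Authenticate}
 * header so the client can obtain the RPT on its own.
 */
public class KeycloakAdapterPolicyEnforcer extends AbstractPolicyEnforcer {
    private static final Logger LOGGER = Logger.getLogger(KeycloakAdapterPolicyEnforcer.class);

    /**
     * Creates an enforcer delegating deployment and configuration lookups to {@code policyEnforcer}.
     *
     * @param policyEnforcer the enclosing policy enforcer, forwarded to the superclass
     */
    public KeycloakAdapterPolicyEnforcer(PolicyEnforcer policyEnforcer) {
        super(policyEnforcer);
    }

    /**
     * Decides whether the caller may invoke {@code methodConfig} on {@code pathConfig}.
     *
     * <p>The check first runs against the permissions already present in
     * {@code accessToken}. If that fails, an RPT is requested from the authorization
     * server; its permissions are merged into {@code accessToken} (so later checks on
     * the same token object see the accumulated grants) and the decision is then taken
     * on the freshly issued RPT.
     *
     * <p>Declared {@code public} here; the decompiled origin notes the access level was
     * widened from {@code protected}.
     *
     * @param pathConfig   protected path being accessed
     * @param methodConfig method/scopes being accessed on that path
     * @param accessToken  the caller's current access token; its authorization section may be
     *                     replaced or extended as a side effect
     * @param oIDCHttpFacade request/response/security-context facade for the current request
     * @param map          request claims forwarded to the authorization server
     * @return {@code true} if access is granted, {@code false} if the server denied it, issued
     *         no RPT, or UMA mode is configured (tickets are used instead)
     * @throws RuntimeException if the authorization request fails for a reason other than denial
     */
    @Override
    public boolean isAuthorized(PolicyEnforcerConfig.PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, AccessToken accessToken, OIDCHttpFacade oIDCHttpFacade, Map<String, List<String>> map) {
        // Fast path: the token already carries a matching permission.
        if (super.isAuthorized(pathConfig, methodConfig, accessToken, oIDCHttpFacade, map)) {
            return true;
        }
        // Returns null when denied, when no RPT came back, or when UMA is configured.
        AccessToken rpt = requestAuthorizationToken(pathConfig, methodConfig, oIDCHttpFacade, map);
        if (rpt == null) {
            return false;
        }
        mergePermissions(accessToken, rpt);
        // Evaluate against the verified RPT, not the merged original token.
        return super.isAuthorized(pathConfig, methodConfig, rpt, oIDCHttpFacade, map);
    }

    /**
     * Appends every permission granted in {@code rpt} to {@code target}'s authorization
     * section, creating that section if absent and skipping permissions already present.
     *
     * @param target token whose authorization section is extended in place
     * @param rpt    verified token whose permissions are copied
     */
    private static void mergePermissions(AccessToken target, AccessToken rpt) {
        AccessToken.Authorization authorization = target.getAuthorization();
        if (authorization == null) {
            authorization = new AccessToken.Authorization();
            // Must be mutable: grants are appended below and possibly by later requests.
            authorization.setPermissions(new ArrayList<>());
        }
        AccessToken.Authorization granted = rpt.getAuthorization();
        if (granted != null) {
            Collection<Permission> current = authorization.getPermissions();
            for (Permission permission : granted.getPermissions()) {
                if (!current.contains(permission)) {
                    current.add(permission);
                }
            }
        }
        target.setAuthorization(authorization);
    }

    /**
     * Sends the response for a denied request.
     *
     * <p>Only bearer-token clients receive a challenge: with UMA configured they get
     * {@code 401} plus a {@code WWW-Authenticate: UMA ...} header carrying a permission
     * ticket, otherwise a plain {@code 403}. All other clients go through
     * {@link #handleAccessDenied(OIDCHttpFacade)}.
     *
     * @param pathConfig   protected path that was denied
     * @param methodConfig method/scopes that were denied
     * @param oIDCHttpFacade facade used to inspect the request and write the response
     * @return always {@code true}, meaning the response has been handled
     */
    @Override
    protected boolean challenge(PolicyEnforcerConfig.PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, OIDCHttpFacade oIDCHttpFacade) {
        if (!isBearerAuthorization(oIDCHttpFacade)) {
            handleAccessDenied(oIDCHttpFacade);
            return true;
        }
        HttpFacade.Response response = oIDCHttpFacade.getResponse();
        AuthzClient authzClient = getAuthzClient();
        // Non-null only when user-managed access is enabled in the enforcer configuration.
        String permissionTicket = getPermissionTicket(pathConfig, methodConfig, authzClient, oIDCHttpFacade);
        if (permissionTicket != null) {
            // realm and as_uri come from the adapter's own configuration; the ticket from the server.
            response.setStatus(HttpStatus.SC_UNAUTHORIZED);
            response.setHeader("WWW-Authenticate", "UMA realm=\"" + authzClient.getConfiguration().getRealm() + "\",as_uri=\"" + authzClient.getServerConfiguration().getIssuer() + "\",ticket=\"" + permissionTicket + "\"");
        } else {
            response.setStatus(HttpStatus.SC_FORBIDDEN);
        }
        LOGGER.debug("Sending challenge");
        return true;
    }

    /**
     * Writes the access-denied response: a {@code 403} error, or a {@code 302} to the
     * configured {@code on-deny-redirect-to} URL when one is set.
     *
     * @param oIDCHttpFacade facade used to write the response
     */
    @Override
    protected void handleAccessDenied(OIDCHttpFacade oIDCHttpFacade) {
        String onDenyRedirectTo = getEnforcerConfig().getOnDenyRedirectTo();
        HttpFacade.Response response = oIDCHttpFacade.getResponse();
        if (onDenyRedirectTo == null) {
            response.sendError(HttpStatus.SC_FORBIDDEN);
        } else {
            // Redirect target is taken from the enforcer configuration, never from the request.
            response.setStatus(HttpStatus.SC_MOVED_TEMPORARILY);
            response.setHeader("Location", onDenyRedirectTo);
        }
    }

    /**
     * Requests an RPT for the authenticated user from the authorization server.
     *
     * <p>The returned token is passed through {@code AdapterTokenVerifier.verifyToken}
     * against the deployment before being handed back, so the permissions it carries are
     * only trusted once its signature and validity have been checked.
     *
     * @param pathConfig   protected path the permission is requested for
     * @param methodConfig scopes requested on that path
     * @param oIDCHttpFacade facade providing the security context and request headers
     * @param map          request claims; when non-empty they are sent as a JWT-format claim token
     * @return the verified RPT, or {@code null} when UMA is configured, when the server
     *         returned no response, or when authorization was denied
     * @throws RuntimeException wrapping any other failure of the authorization request
     */
    private AccessToken requestAuthorizationToken(PolicyEnforcerConfig.PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, OIDCHttpFacade oIDCHttpFacade, Map<String, List<String>> map) {
        // In UMA mode the client obtains the RPT itself via a permission ticket (see challenge()).
        if (getEnforcerConfig().getUserManagedAccess() != null) {
            return null;
        }
        try {
            KeycloakSecurityContext securityContext = oIDCHttpFacade.getSecurityContext();
            String tokenString = securityContext.getTokenString();
            KeycloakDeployment deployment = getPolicyEnforcer().getDeployment();
            AccessToken token = securityContext.getToken();
            boolean bearer = isBearerAuthorization(oIDCHttpFacade);
            boolean hasRpt = token.getAuthorization() != null;
            AuthorizationRequest authorizationRequest = new AuthorizationRequest();
            if (bearer || hasRpt) {
                authorizationRequest.addPermission(pathConfig.getId(), methodConfig.getScopes());
            }
            if (!map.isEmpty()) {
                // Claims travel as a base64-encoded JSON document in the claim_token field.
                authorizationRequest.setClaimTokenFormat(OAuth2Constants.JWT_TOKEN_TYPE);
                authorizationRequest.setClaimToken(Base64.encodeBytes(JsonSerialization.writeValueAsBytes(map)));
            }
            if (hasRpt) {
                // The current token already is an RPT; send it so the server extends it.
                authorizationRequest.setRpt(tokenString);
            }
            LOGGER.debug("Obtaining authorization for authenticated user.");
            AuthorizationResponse authorize;
            if (bearer) {
                authorizationRequest.setSubjectToken(tokenString);
                authorize = getAuthzClient().authorization().authorize(authorizationRequest);
            } else {
                authorize = getAuthzClient().authorization(tokenString).authorize(authorizationRequest);
            }
            if (authorize == null) {
                return null;
            }
            // Verify the RPT against the deployment before any of its permissions are used.
            return AdapterTokenVerifier.verifyToken(authorize.getToken(), deployment);
        } catch (AuthorizationDeniedException e) {
            LOGGER.debug("Authorization denied", e);
            return null;
        } catch (Exception e2) {
            throw new RuntimeException("Unexpected error during authorization request.", e2);
        }
    }

    /**
     * Creates a UMA permission ticket for the requested resource and scopes.
     *
     * @param pathConfig   resource (its id) the ticket is for
     * @param methodConfig scopes to include in the ticket
     * @param authzClient  client used to reach the protection API
     * @param oIDCHttpFacade facade used to resolve request claims
     * @return the ticket string, or {@code null} when UMA is not configured
     */
    private String getPermissionTicket(PolicyEnforcerConfig.PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, AuthzClient authzClient, OIDCHttpFacade oIDCHttpFacade) {
        if (getEnforcerConfig().getUserManagedAccess() == null) {
            return null;
        }
        PermissionResource permissionResource = authzClient.protection().permission();
        PermissionRequest permissionRequest = new PermissionRequest();
        permissionRequest.setResourceId(pathConfig.getId());
        permissionRequest.setScopes(new HashSet<>(methodConfig.getScopes()));
        Map<String, List<String>> claims = resolveClaims(pathConfig, oIDCHttpFacade);
        if (!claims.isEmpty()) {
            permissionRequest.setClaims(claims);
        }
        return permissionResource.create(permissionRequest).getTicket();
    }

    /**
     * Tells whether the request carries (or the deployment implies) bearer-token authentication.
     *
     * @param oIDCHttpFacade facade used to read the {@code Authorization} headers
     * @return {@code true} if some {@code Authorization} header is exactly two whitespace-separated
     *         parts whose scheme is {@code Bearer} (case-insensitive), or if the deployment is bearer-only
     */
    private boolean isBearerAuthorization(OIDCHttpFacade oIDCHttpFacade) {
        List<String> headers = oIDCHttpFacade.getRequest().getHeaders("Authorization");
        if (headers != null) {
            for (String header : headers) {
                String[] parts = header.trim().split("\\s+");
                if (parts.length == 2 && parts[0].equalsIgnoreCase(TokenUtil.TOKEN_TYPE_BEARER)) {
                    return true;
                }
            }
        }
        // No bearer header present: fall back to the deployment-wide setting.
        return getPolicyEnforcer().getDeployment().isBearerOnly();
    }
}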
