package org.keycloak.adapters.authorization;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.OIDCHttpFacade;
import org.keycloak.adapters.rotation.AdapterRSATokenVerifier;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.representation.AuthorizationRequest;
import org.keycloak.authorization.client.representation.AuthorizationResponse;
import org.keycloak.authorization.client.representation.EntitlementRequest;
import org.keycloak.authorization.client.representation.PermissionRequest;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;

/* loaded from: input_file:WEB-INF/lib/keycloak-adapter-core-3.2.1.Final.jar:org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.class */
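public class KeycloakAdapterPolicyEnforcer extends AbstractPolicyEnforcer {
    private static final Logger LOGGER = Logger.getLogger(KeycloakAdapterPolicyEnforcer.class);

    /**
     * Creates an enforcer bound to {@code policyEnforcer}, from which the adapter deployment,
     * the enforcer configuration and the {@link AuthzClient} are obtained via the superclass.
     *
     * @param policyEnforcer the enforcer holding deployment and configuration
     */
    public KeycloakAdapterPolicyEnforcer(PolicyEnforcer policyEnforcer) {
        super(policyEnforcer);
    }

    /**
     * Decides whether the current request may proceed.
     * <p>
     * The bearer token is first evaluated by {@link AbstractPolicyEnforcer#isAuthorized}. If that
     * fails, a requesting party token (RPT) is obtained from the authorization server for this
     * path and the required scopes; its permissions are merged into {@code accessToken} (a side
     * effect visible to the caller) and the decision is re-evaluated against the RPT.
     *
     * @param pathConfig      the protected path being accessed
     * @param set             the scopes required for this request (name kept from the listing)
     * @param accessToken     the caller's verified bearer token; may gain permissions on success
     * @param oIDCHttpFacade  the request/response facade, used to reach the security context
     * @return {@code true} if the bearer token or a freshly obtained RPT grants access,
     *         {@code false} if no RPT could be obtained or the RPT still does not grant access
     */
    /* JADX INFO: Access modifiers changed from: protected -- left public to keep this listing's interface */
    @Override // org.keycloak.adapters.authorization.AbstractPolicyEnforcer
    public boolean isAuthorized(PolicyEnforcerConfig.PathConfig pathConfig, Set<String> set, AccessToken accessToken, OIDCHttpFacade oIDCHttpFacade) {
        if (super.isAuthorized(pathConfig, set, accessToken, oIDCHttpFacade)) {
            return true;
        }
        AccessToken rpt = requestAuthorizationToken(pathConfig, set, oIDCHttpFacade);
        if (rpt == null) {
            // Denied by the server (or nothing returned): fail closed.
            return false;
        }
        mergePermissions(accessToken, rpt);
        // The decision is made on the RPT itself, which has already been verified against the deployment.
        return super.isAuthorized(pathConfig, set, rpt, oIDCHttpFacade);
    }

    /**
     * Copies the permissions carried by {@code rpt} into {@code target}'s authorization claim,
     * creating the claim (and its permission list) when the target has none.
     * Null permission lists on either side are tolerated instead of raising an NPE.
     *
     * @param target the token to enrich (mutated in place)
     * @param rpt    the verified RPT whose permissions are to be added
     */
    private static void mergePermissions(AccessToken target, AccessToken rpt) {
        AccessToken.Authorization merged = target.getAuthorization();
        if (merged == null) {
            merged = new AccessToken.Authorization();
        }
        if (merged.getPermissions() == null) {
            merged.setPermissions(new ArrayList<>());
        }
        AccessToken.Authorization granted = rpt.getAuthorization();
        if (granted != null && granted.getPermissions() != null) {
            merged.getPermissions().addAll(granted.getPermissions());
        }
        target.setAuthorization(merged);
    }

    /**
     * Challenge hook: this enforcer does not issue an interactive challenge; it simply reports
     * the denial through {@link #handleAccessDenied(OIDCHttpFacade)}.
     *
     * @return always {@code true}, signalling that the response has been handled
     */
    @Override // org.keycloak.adapters.authorization.AbstractPolicyEnforcer
    protected boolean challenge(PolicyEnforcerConfig.PathConfig pathConfig, Set<String> set, OIDCHttpFacade oIDCHttpFacade) {
        handleAccessDenied(oIDCHttpFacade);
        return true;
    }

    /**
     * Writes the deny response: HTTP 403 by default, or a 302 redirect when the enforcer
     * configuration provides an on-deny redirect target.
     * <p>
     * The redirect target comes from the deployment's enforcer configuration, not from the
     * request, so it is administrator-controlled rather than attacker-influenced.
     *
     * @param oIDCHttpFacade the facade whose response is written
     */
    @Override // org.keycloak.adapters.authorization.AbstractPolicyEnforcer
    protected void handleAccessDenied(OIDCHttpFacade oIDCHttpFacade) {
        String onDenyRedirectTo = getEnforcerConfig().getOnDenyRedirectTo();
        HttpFacade.Response response = oIDCHttpFacade.getResponse();
        if (onDenyRedirectTo == null) {
            response.sendError(403);
            return;
        }
        response.setStatus(302);
        response.setHeader("Location", onDenyRedirectTo);
    }

    /**
     * Asks the Keycloak authorization server for a requesting party token (RPT) for
     * {@code pathConfig} on behalf of the authenticated user (the bearer token string is read
     * from the facade's security context).
     * <p>
     * The flow is selected by the enforcer configuration:
     * <ul>
     *   <li>UMA ({@code getUserManagedAccess() != null}): a permission ticket for the path's
     *       resource and {@code set} is registered through the protection API and exchanged
     *       for an RPT through the authorization API.</li>
     *   <li>Entitlement (otherwise): if the user's current token carries no authorization claim,
     *       all entitlements for the client resource are fetched; otherwise a single permission
     *       for this path's resource is requested, using the path's configured scopes.</li>
     * </ul>
     * Every RPT string is passed through {@link AdapterRSATokenVerifier#verifyToken} against the
     * adapter deployment before being returned, so it is never trusted unverified.
     *
     * @return the verified RPT, or {@code null} when the server denied the request or (UMA flow)
     *         returned no authorization response
     * @throws RuntimeException wrapping any other failure of the request
     */
    private AccessToken requestAuthorizationToken(PolicyEnforcerConfig.PathConfig pathConfig, Set<String> set, OIDCHttpFacade oIDCHttpFacade) {
        try {
            String tokenString = oIDCHttpFacade.getSecurityContext().getTokenString();
            AuthzClient authzClient = getAuthzClient();
            KeycloakDeployment deployment = getPolicyEnforcer().getDeployment();
            if (getEnforcerConfig().getUserManagedAccess() != null) {
                LOGGER.debug("Obtaining authorization for authenticated user.");
                PermissionRequest permissionRequest = new PermissionRequest();
                permissionRequest.setResourceSetId(pathConfig.getId());
                permissionRequest.setScopes(set);
                String ticket = authzClient.protection().permission().forResource(permissionRequest).getTicket();
                AuthorizationResponse authorize = authzClient.authorization(tokenString).authorize(new AuthorizationRequest(ticket));
                if (authorize == null) {
                    return null;
                }
                return AdapterRSATokenVerifier.verifyToken(authorize.getRpt(), deployment);
            }
            LOGGER.debug("Obtaining entitlements for authenticated user.");
            String clientResource = authzClient.getConfiguration().getResource();
            // NOTE(review): this reads the token from the security context, presumably the same
            // token handed to isAuthorized -- confirm if the two can ever differ.
            if (oIDCHttpFacade.getSecurityContext().getToken().getAuthorization() == null) {
                // No authorization claim yet: fetch everything the user is entitled to for this client.
                String rpt = authzClient.entitlement(tokenString).getAll(clientResource).getRpt();
                return AdapterRSATokenVerifier.verifyToken(rpt, deployment);
            }
            EntitlementRequest entitlementRequest = new EntitlementRequest();
            PermissionRequest permissionRequest = new PermissionRequest();
            permissionRequest.setResourceSetId(pathConfig.getId());
            permissionRequest.setResourceSetName(pathConfig.getName());
            // As in the original, this branch sends the path's configured scopes rather than {@code set}.
            permissionRequest.setScopes(new HashSet<>(pathConfig.getScopes()));
            LOGGER.debugf("Sending entitlements request: resource_set_id [%s], resource_set_name [%s], scopes [%s].", permissionRequest.getResourceSetId(), permissionRequest.getResourceSetName(), permissionRequest.getScopes());
            entitlementRequest.addPermission(permissionRequest);
            String rpt = authzClient.entitlement(tokenString).get(clientResource, entitlementRequest).getRpt();
            return AdapterRSATokenVerifier.verifyToken(rpt, deployment);
        } catch (AuthorizationDeniedException e) {
            // Must precede the generic catch: with Exception first this branch was unreachable and a
            // plain denial surfaced as an "unexpected error" instead of a clean deny (null).
            LOGGER.debug("Authorization denied", e);
            return null;
        } catch (Exception e) {
            throw new RuntimeException("Unexpected error during authorization request.", e);
        }
    }
}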
