package org.keycloak.authorization.entitlement;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.OPTIONS;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.container.AsyncResponse;
import javax.ws.rs.container.Suspended;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.common.KeycloakEvaluationContext;
import org.keycloak.authorization.common.KeycloakIdentity;
import org.keycloak.authorization.entitlement.representation.EntitlementRequest;
import org.keycloak.authorization.entitlement.representation.EntitlementResponse;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.DecisionResultCollector;
import org.keycloak.authorization.policy.evaluation.Result;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.authorization.util.Permissions;
import org.keycloak.authorization.util.Tokens;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.resources.Cors;
import org.keycloak.social.stackoverflow.StackoverflowIdentityProvider;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/authorization/entitlement/EntitlementService.class */
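/**
 * JAX-RS sub-resource that answers entitlement requests for a resource server.
 *
 * <p>Both endpoints evaluate the caller's permissions through the
 * {@link AuthorizationProvider} evaluators and, when at least one permission is
 * granted, answer with an {@link EntitlementResponse} carrying a requesting-party
 * token (RPT) whose {@code authorization} claim lists the granted permissions.
 * When nothing is granted the caller receives {@code 403} with
 * {@code {"error": "not_authorized"}}.
 *
 * <p>This class was reconstructed from a decompiled listing (JADX markers in the
 * original); raw types, the duplicated decision handlers and an inlined
 * constant that the decompiler attributed to an unrelated class have been
 * cleaned up.
 */
public class EntitlementService {

    /**
     * Synthetic map key under which scope-only permission requests (no resource
     * named) are collected; it is turned into a single resource-less
     * {@link ResourcePermission} when the permission list is built.
     */
    private static final String SCOPE_PERMISSION_KEY = "$KC_SCOPE_PERMISSION";

    private final AuthorizationProvider authorization;

    @Context
    private HttpRequest request;

    // NOTE(review): only used for Tokens.verifySignature; everything else goes through
    // authorization.getKeycloakSession(). Confirm @Context injection happens for this
    // sub-resource, otherwise this field is null at the first POST carrying an RPT.
    @Context
    private KeycloakSession session;

    public EntitlementService(AuthorizationProvider authorizationProvider) {
        this.authorization = authorizationProvider;
    }

    /**
     * Answers the CORS pre-flight request for the entitlement endpoints.
     *
     * @param str resource server id from the path (unused for pre-flight)
     * @return an empty 200 response with the CORS pre-flight headers
     */
    @Path("{resource_server_id}")
    @OPTIONS
    public Response authorizePreFlight(@PathParam("resource_server_id") String str) {
        return Cors.add(this.request, Response.ok()).auth().preflight().build();
    }

    /**
     * Evaluates every permission the caller holds on the given resource server
     * and resumes {@code asyncResponse} with an RPT, or with 403 when none is granted.
     *
     * @param str           client id of the resource server, from the path
     * @param asyncResponse suspended JAX-RS response resumed once evaluation completes
     * @throws ErrorResponseException 400 when the id is missing or does not name a
     *                                client that is a resource server
     */
    @GET
    @Path("{resource_server_id}")
    @Consumes({MediaType.APPLICATION_JSON})
    @Produces({MediaType.APPLICATION_JSON})
    public void getAll(@PathParam("resource_server_id") String str, @Suspended final AsyncResponse asyncResponse) {
        // Built before any parameter validation, as in the original, so that the
        // client-lookup error below is only reachable by an identified caller
        // (NOTE(review): assumes the KeycloakIdentity constructor rejects requests
        // without a valid access token — confirm).
        final KeycloakIdentity identity = new KeycloakIdentity(this.authorization.getKeycloakSession());
        if (str == null) {
            throw new ErrorResponseException("invalid_request", "Requires resource_server_id request parameter.", Response.Status.BAD_REQUEST);
        }
        ResourceServer resourceServer = resolveResourceServer(str, "Identifier is not associated with any client and resource server.");
        this.authorization.evaluators()
                .from(Permissions.all(resourceServer, identity, this.authorization), new KeycloakEvaluationContext(this.authorization.getKeycloakSession()))
                .evaluate(decisionCollector(asyncResponse, identity));
    }

    /**
     * Evaluates the permissions named in {@code entitlementRequest} (merged with the
     * permissions of a previously issued RPT, when one is sent along) and resumes
     * {@code asyncResponse} with a new RPT, or with 403 when none is granted.
     *
     * @param str                client id of the resource server, from the path
     * @param entitlementRequest requested permissions and optional previous RPT
     * @param asyncResponse      suspended JAX-RS response resumed once evaluation completes
     * @throws ErrorResponseException 400 for a missing body or unknown resource server,
     *                                403 for an unknown resource or an invalid RPT
     */
    @Path("{resource_server_id}")
    @Consumes({MediaType.APPLICATION_JSON})
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public void get(@PathParam("resource_server_id") String str, EntitlementRequest entitlementRequest, @Suspended final AsyncResponse asyncResponse) {
        // Same ordering rationale as in getAll: identify the caller before validating input.
        final KeycloakIdentity identity = new KeycloakIdentity(this.authorization.getKeycloakSession());
        if (entitlementRequest == null) {
            throw new ErrorResponseException("invalid_request", "Invalid entitlement request.", Response.Status.BAD_REQUEST);
        }
        if (str == null) {
            throw new ErrorResponseException("invalid_request", "Invalid resource_server_id.", Response.Status.BAD_REQUEST);
        }
        ResourceServer resourceServer = resolveResourceServer(str, "Identifier is not associated with any resource server.");
        List<ResourcePermission> permissions = createPermissions(entitlementRequest, resourceServer, this.authorization);
        this.authorization.evaluators()
                .from(permissions, new KeycloakEvaluationContext(this.authorization.getKeycloakSession()))
                .evaluate(decisionCollector(asyncResponse, identity));
    }

    /**
     * Encodes the caller's current access token as an RPT whose {@code authorization}
     * claim holds {@code list}.
     *
     * <p>Kept public because the decompiled listing exposed it that way (the decompiler
     * noted the original modifier was private); it is only meant for this class.
     *
     * @param list permissions granted by the evaluation
     * @return the signed, encoded RPT
     */
    public String createRequestingPartyToken(List<Permission> list) {
        KeycloakSession keycloakSession = this.authorization.getKeycloakSession();
        AccessToken accessToken = Tokens.getAccessToken(keycloakSession);
        RealmModel realm = keycloakSession.getContext().getRealm();
        AccessToken.Authorization grantedAuthorization = new AccessToken.Authorization();
        grantedAuthorization.setPermissions(list);
        accessToken.setAuthorization(grantedAuthorization);
        return new TokenManager().encodeToken(keycloakSession, realm, accessToken);
    }

    /**
     * Resolves the resource server registered for the client with the given client id.
     *
     * @param clientId         client id taken from the request path
     * @param errorDescription description used when the client or its resource server is unknown
     * @return the resource server, never {@code null}
     * @throws ErrorResponseException 400 when the client is unknown or has no resource server
     */
    private ResourceServer resolveResourceServer(String clientId, String errorDescription) {
        ClientModel client = this.authorization.getKeycloakSession().getContext().getRealm().getClientByClientId(clientId);
        if (client == null) {
            throw new ErrorResponseException("invalid_request", errorDescription, Response.Status.BAD_REQUEST);
        }
        ResourceServer resourceServer = this.authorization.getStoreFactory().getResourceServerStore().findByClient(client.getId());
        if (resourceServer == null) {
            // The original handed a null resource server to the evaluator, which surfaced as an
            // internal error; a client that is not a resource server is a bad request.
            throw new ErrorResponseException("invalid_request", errorDescription, Response.Status.BAD_REQUEST);
        }
        return resourceServer;
    }

    /**
     * Builds the decision handler shared by both endpoints: an RPT on success,
     * {@code 403 {"error": "not_authorized"}} when no permission was granted, and the
     * raw failure when evaluation errors out.
     *
     * @param asyncResponse response to resume
     * @param identity      caller identity; its access token drives the CORS allowed origins
     * @return the collector to hand to the evaluator
     */
    private DecisionResultCollector decisionCollector(final AsyncResponse asyncResponse, final KeycloakIdentity identity) {
        return new DecisionResultCollector() {
            @Override
            public void onError(Throwable cause) {
                asyncResponse.resume(cause);
            }

            @Override
            protected void onComplete(List<Result> results) {
                List<Permission> permits = Permissions.allPermits(results, EntitlementService.this.authorization);
                if (permits.isEmpty()) {
                    Map<String, String> error = new HashMap<>();
                    error.put("error", "not_authorized");
                    asyncResponse.resume(Cors.add(EntitlementService.this.request, Response.status(Response.Status.FORBIDDEN).entity(error))
                            .allowedOrigins(identity.getAccessToken())
                            .exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS)
                            .build());
                    return;
                }
                String rpt = EntitlementService.this.createRequestingPartyToken(permits);
                // allowedMethods("GET") is advertised for both endpoints, as in the original.
                asyncResponse.resume(Cors.add(EntitlementService.this.request, Response.ok().entity(new EntitlementResponse(rpt)))
                        .allowedOrigins(identity.getAccessToken())
                        .allowedMethods("GET")
                        .exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS)
                        .build());
            }
        };
    }

    /**
     * Translates an entitlement request into the permissions to evaluate.
     *
     * <p>Each requested permission names a resource (by id or name) and/or a set of
     * scopes. Resource entries map the resource id to the requested scope names;
     * scope-only entries map every resource exposing one of the scopes, plus the
     * synthetic {@link #SCOPE_PERMISSION_KEY}, to those names. If the request carries
     * a previously issued RPT, its signature is verified before it is parsed and the
     * permissions it holds are merged in, so the new RPT is a superset of the old one.
     *
     * <p>Every map value is a set private to its key: the original shared one set
     * instance between all resources found for a scope-only request, so merging
     * RPT scopes for one resource silently widened every other resource's scopes.
     *
     * @param entitlementRequest requested permissions and optional previous RPT
     * @param resourceServer     resource server the request is addressed to
     * @param authorizationProvider provider giving access to the stores
     * @return the permissions to evaluate, in map iteration order
     * @throws ErrorResponseException 403 when a named resource does not exist and no
     *                                scopes were requested, or when the RPT is invalid
     */
    private List<ResourcePermission> createPermissions(EntitlementRequest entitlementRequest, ResourceServer resourceServer, AuthorizationProvider authorizationProvider) {
        StoreFactory storeFactory = authorizationProvider.getStoreFactory();
        ResourceStore resourceStore = storeFactory.getResourceStore();
        ScopeStore scopeStore = storeFactory.getScopeStore();
        // resource id (or SCOPE_PERMISSION_KEY) -> requested scope names
        Map<String, Set<String>> requested = new HashMap<>();

        if (entitlementRequest.getPermissions() != null) {
            entitlementRequest.getPermissions().forEach(permissionRequest -> {
                Resource resource = permissionRequest.getResourceSetId() != null
                        ? resourceStore.findById(permissionRequest.getResourceSetId())
                        : resourceStore.findByName(permissionRequest.getResourceSetName(), resourceServer.getId());
                // A null scope list used to throw NPE when the resource existed; treat it as "no scopes".
                Set<String> scopeNames = permissionRequest.getScopes() == null
                        ? new HashSet<>()
                        : new HashSet<>(permissionRequest.getScopes());
                if (resource == null && scopeNames.isEmpty()) {
                    throw new ErrorResponseException("invalid_resource", "Resource with id [" + permissionRequest.getResourceSetId() + "] or name [" + permissionRequest.getResourceSetName() + "] does not exist.", Response.Status.FORBIDDEN);
                }
                if (resource != null) {
                    // NOTE(review): findById is not restricted to resourceServer, so a resource id
                    // belonging to another resource server is accepted here; whether that is
                    // rejected later by Permissions.createResourcePermissions is not visible from
                    // this file — confirm.
                    mergeScopes(requested, resource.getId(), scopeNames);
                    return;
                }
                // Scope-only request: unknown scope names are dropped before the lookup. The
                // original sized the id array by the number of names, so unknown names turned
                // into trailing nulls passed to findByScope.
                String[] scopeIds = scopeNames.stream()
                        .map(name -> scopeStore.findByName(name, resourceServer.getId()))
                        .filter(scope -> scope != null)
                        .map(Scope::getId)
                        .toArray(String[]::new);
                List<Resource> candidates = resourceStore.findByScope(scopeIds);
                for (Resource candidate : candidates) {
                    mergeScopes(requested, candidate.getId(), scopeNames);
                }
                mergeScopes(requested, SCOPE_PERMISSION_KEY, scopeNames);
            });
        }

        String rpt = entitlementRequest.getRpt();
        // The decompiled listing compared rpt against StackoverflowIdentityProvider.DEFAULT_SCOPE,
        // an inlined empty-string constant from an unrelated class; the intent is "RPT present".
        if (rpt != null && !rpt.isEmpty()) {
            RealmModel realm = authorizationProvider.getKeycloakSession().getContext().getRealm();
            // Verify the signature before parsing so that no claim from an unverified token
            // can influence the permission set.
            if (!Tokens.verifySignature(this.session, realm, rpt)) {
                throw new ErrorResponseException("invalid_rpt", "RPT signature is invalid", Response.Status.FORBIDDEN);
            }
            AccessToken previousRpt;
            try {
                previousRpt = new JWSInput(rpt).readJsonContent(AccessToken.class);
            } catch (JWSInputException e) {
                // ErrorResponseException offers no cause parameter here; a malformed RPT is
                // reported to the client exactly like a bad signature.
                throw new ErrorResponseException("invalid_rpt", "Invalid RPT", Response.Status.FORBIDDEN);
            }
            mergePreviousPermissions(requested, previousRpt, resourceStore);
        }

        List<ResourcePermission> permissions = new ArrayList<>();
        for (Map.Entry<String, Set<String>> entry : requested.entrySet()) {
            if (SCOPE_PERMISSION_KEY.equals(entry.getKey())) {
                // Scope names that do not resolve are dropped rather than carried as null scopes.
                List<Scope> scopes = entry.getValue().stream()
                        .map(name -> scopeStore.findByName(name, resourceServer.getId()))
                        .filter(scope -> scope != null)
                        .collect(Collectors.toList());
                permissions.add(new ResourcePermission((Resource) null, scopes, resourceServer));
            } else {
                permissions.addAll(Permissions.createResourcePermissions(resourceStore.findById(entry.getKey()), entry.getValue(), authorizationProvider));
            }
        }
        return permissions;
    }

    /**
     * Merges the permissions held by a previously issued, signature-verified RPT into
     * {@code requested}. Expired tokens, tokens without an authorization claim and
     * permissions whose resource no longer exists are ignored.
     *
     * @param requested     resource id -> scope names, updated in place
     * @param previousRpt   parsed previous RPT
     * @param resourceStore store used to check that each resource still exists
     */
    private static void mergePreviousPermissions(Map<String, Set<String>> requested, AccessToken previousRpt, ResourceStore resourceStore) {
        if (!previousRpt.isActive()) {
            return;
        }
        AccessToken.Authorization previousAuthorization = previousRpt.getAuthorization();
        if (previousAuthorization == null || previousAuthorization.getPermissions() == null) {
            return;
        }
        for (Permission granted : previousAuthorization.getPermissions()) {
            if (granted.getResourceSetId() == null) {
                continue;
            }
            Resource resource = resourceStore.findById(granted.getResourceSetId());
            if (resource == null) {
                continue;
            }
            Set<String> scopes = granted.getScopes() == null ? new HashSet<>() : granted.getScopes();
            mergeScopes(requested, resource.getId(), scopes);
        }
    }

    /**
     * Adds {@code scopes} to the set recorded under {@code key}, creating a set owned
     * by that key on first use so no two keys ever share an instance.
     *
     * @param requested resource id -> scope names, updated in place
     * @param key       resource id or {@link #SCOPE_PERMISSION_KEY}
     * @param scopes    scope names to add
     */
    private static void mergeScopes(Map<String, Set<String>> requested, String key, Set<String> scopes) {
        requested.computeIfAbsent(key, ignored -> new HashSet<>()).addAll(scopes);
    }
}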
