package org.keycloak.adapters.authorization;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.AuthorizationContext;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.OIDCHttpFacade;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.ClientAuthorizationContext;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
import org.keycloak.representations.idm.authorization.Permission;

/* loaded from: input_file:BOOT-INF/lib/keycloak-adapter-core-14.0.0.jar:org/keycloak/adapters/authorization/AbstractPolicyEnforcer.class */
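/**
 * Adapter-side policy enforcer base class.
 *
 * <p>{@link #authorize(OIDCHttpFacade)} maps the request onto a
 * {@link PolicyEnforcerConfig.PathConfig}, evaluates the permissions carried in the access
 * token's {@code authorization} claim against the scopes required for the HTTP method, and
 * either grants, challenges (subclass-defined via {@link #challenge}) or denies with a 403.
 *
 * <p>Security-relevant behaviour that is visible in this class and worth knowing before
 * changing it:
 * <ul>
 *   <li>{@code isDefaultAccessDeniedUri} is a substring match on {@code request.getURI()}, and a
 *       request that matches is treated as authorized for any token holder and gets no path
 *       configuration. Whether {@code getURI()} includes the query string is not visible here;
 *       if it does, the match could be satisfied on an arbitrary path — confirm against the
 *       facade implementation before relying on {@code on-deny-redirect-to}.</li>
 *   <li>A permission whose scope set is empty satisfies every method/scope requirement
 *       ({@code hasResourceScopePermission}).</li>
 *   <li>Claim checks ({@code hasValidClaims}) run only for the first permission that matches the
 *       resource and scopes; a failure there is final even if a later permission would have
 *       matched.</li>
 * </ul>
 *
 * <p>Decompiled from keycloak-adapter-core 14.0.0; the decompiler widened several
 * {@code protected} members to {@code public}, which is kept here for compatibility.
 */
public abstract class AbstractPolicyEnforcer {
    private static final Logger LOGGER = Logger.getLogger(AbstractPolicyEnforcer.class);
    private static final String HTTP_METHOD_DELETE = "DELETE";
    private final PolicyEnforcer policyEnforcer;

    /**
     * @param policyEnforcer the configured enforcer supplying config, path matcher, authz client
     *                       and claim-information-point factories
     */
    public AbstractPolicyEnforcer(PolicyEnforcer policyEnforcer) {
        this.policyEnforcer = policyEnforcer;
    }

    /**
     * Decides whether the current request may proceed.
     *
     * <p>Outcomes, in evaluation order:
     * <ol>
     *   <li>Global enforcement {@code DISABLED}: a missing security context gets a 401, but the
     *       returned context is always granted.</li>
     *   <li>No security context: 403 for unknown paths, pass-through for paths whose own mode is
     *       {@code DISABLED}, otherwise a challenge; the on-deny redirect URI gets no response
     *       written. The returned context is not granted.</li>
     *   <li>Token present, no path config: granted under {@code PERMISSIVE} or for the on-deny
     *       redirect URI, otherwise 403.</li>
     *   <li>Token present, path config found: granted when the path's mode is {@code DISABLED}
     *       or {@link #isAuthorized} passes; otherwise granted when scope enforcement for the
     *       method is {@code DISABLED}; otherwise challenge, falling back to 403.</li>
     *   <li>Security context without a token: not granted, nothing written to the response.</li>
     * </ol>
     *
     * @param oIDCHttpFacade facade over the request, response and security context
     * @return a context whose {@code isGranted()} reflects the decision
     * @throws RuntimeException if building the granted context for a matched path fails
     */
    public AuthorizationContext authorize(OIDCHttpFacade oIDCHttpFacade) {
        PolicyEnforcerConfig.EnforcementMode enforcementMode = getEnforcerConfig().getEnforcementMode();
        KeycloakSecurityContext securityContext = oIDCHttpFacade.getSecurityContext();
        if (PolicyEnforcerConfig.EnforcementMode.DISABLED.equals(enforcementMode)) {
            // Enforcement is off: a missing security context is reported with a 401, but the
            // caller still receives a granted context.
            if (securityContext == null) {
                oIDCHttpFacade.getResponse().sendError(401, "Invalid bearer");
            }
            return createEmptyAuthorizationContext(true);
        }
        HttpFacade.Request request = oIDCHttpFacade.getRequest();
        PolicyEnforcerConfig.PathConfig pathConfig = getPathConfig(request);
        if (securityContext == null) {
            // Anonymous request: the on-deny redirect URI is left alone so the redirect target
            // itself does not trigger another denial.
            if (!isDefaultAccessDeniedUri(request)) {
                if (pathConfig == null) {
                    handleAccessDenied(oIDCHttpFacade);
                } else {
                    if (PolicyEnforcerConfig.EnforcementMode.DISABLED.equals(pathConfig.getEnforcementMode())) {
                        return createEmptyAuthorizationContext(true);
                    }
                    challenge(pathConfig, getRequiredScopes(pathConfig, request), oIDCHttpFacade);
                }
            }
            return createEmptyAuthorizationContext(false);
        }
        AccessToken token = securityContext.getToken();
        if (token != null) {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debugf("Checking permissions for path [%s] with config [%s].", request.getURI(), pathConfig);
            }
            if (pathConfig == null) {
                // No matching path config (or the on-deny redirect URI, for which
                // getPathConfig deliberately returns null).
                if (PolicyEnforcerConfig.EnforcementMode.PERMISSIVE.equals(enforcementMode)) {
                    return createAuthorizationContext(token, null);
                }
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debugf("Could not find a configuration for path [%s]", getPath(request));
                }
                if (isDefaultAccessDeniedUri(request)) {
                    return createAuthorizationContext(token, null);
                }
                handleAccessDenied(oIDCHttpFacade);
                return createEmptyAuthorizationContext(false);
            }
            if (PolicyEnforcerConfig.EnforcementMode.DISABLED.equals(pathConfig.getEnforcementMode())) {
                return createAuthorizationContext(token, pathConfig);
            }
            PolicyEnforcerConfig.MethodConfig requiredScopes = getRequiredScopes(pathConfig, request);
            if (isAuthorized(pathConfig, requiredScopes, token, oIDCHttpFacade, resolveClaims(pathConfig, oIDCHttpFacade))) {
                try {
                    return createAuthorizationContext(token, pathConfig);
                } catch (Exception e) {
                    throw new RuntimeException("Error processing path [" + pathConfig.getPath() + "].", e);
                }
            }
            // Not authorized, but scope enforcement for this method is switched off: grant.
            if (requiredScopes != null && PolicyEnforcerConfig.ScopeEnforcementMode.DISABLED.equals(requiredScopes.getScopesEnforcementMode())) {
                return createEmptyAuthorizationContext(true);
            }
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debugf("Sending challenge to the client. Path [%s]", pathConfig);
            }
            if (!challenge(pathConfig, requiredScopes, oIDCHttpFacade)) {
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debugf("Challenge not sent, sending default forbidden response. Path [%s]", pathConfig);
                }
                handleAccessDenied(oIDCHttpFacade);
            }
        }
        // Either the subclass wrote a challenge/403 above, or there was no token at all.
        return createEmptyAuthorizationContext(false);
    }

    /**
     * Writes a challenge to the client (for example a UMA ticket or a redirect).
     *
     * @return {@code true} if a challenge was written; {@code false} to let
     *         {@link #authorize} fall back to {@link #handleAccessDenied}
     */
    protected abstract boolean challenge(PolicyEnforcerConfig.PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, OIDCHttpFacade oIDCHttpFacade);

    /**
     * Evaluates the token's permissions against the matched path and required scopes.
     *
     * <p>Requests for the on-deny redirect URI are always authorized. Otherwise the token must
     * carry an {@code authorization} claim; each permission is checked in the order the token
     * lists them:
     * <ul>
     *   <li>a permission without a resource id grants access if it covers the required scopes;</li>
     *   <li>a permission for this path's resource (or, for instance paths, its parent) grants
     *       access if it covers the required scopes and its claims agree with
     *       {@code claims} — that claim check is the return value, so a mismatch on the first
     *       matching permission is final.</li>
     * </ul>
     * If no permission referenced this resource at all and the path is {@code PERMISSIVE}, access
     * is granted.
     *
     * <p>Side effect: on a granted {@code DELETE} of an instance path the path is evicted from the
     * matcher cache. This happens before the claim check, so the eviction also occurs when the
     * claim check then fails.
     *
     * @param pathConfig     matched path configuration (non-null)
     * @param methodConfig   scopes required for the request method
     * @param accessToken    the bearer token
     * @param oIDCHttpFacade request facade
     * @param claims         claims resolved by the claim information points for this request
     * @return {@code true} if the request is authorized
     */
    public boolean isAuthorized(PolicyEnforcerConfig.PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, AccessToken accessToken, OIDCHttpFacade oIDCHttpFacade, Map<String, List<String>> claims) {
        HttpFacade.Request request = oIDCHttpFacade.getRequest();
        if (isDefaultAccessDeniedUri(request)) {
            return true;
        }
        AccessToken.Authorization authorization = accessToken.getAuthorization();
        if (authorization == null) {
            return false;
        }
        boolean resourceReferenced = false;
        Collection<Permission> permissions = authorization.getPermissions();
        for (Permission permission : permissions) {
            if (permission.getResourceId() == null) {
                // Scope-only permission: applies to any resource.
                if (hasResourceScopePermission(methodConfig, permission)) {
                    return true;
                }
            } else if (isResourcePermission(pathConfig, permission)) {
                resourceReferenced = true;
                if (!pathConfig.isInstance() || matchResourcePermission(pathConfig, permission)) {
                    if (hasResourceScopePermission(methodConfig, permission)) {
                        if (LOGGER.isDebugEnabled()) {
                            LOGGER.debugf("Authorization GRANTED for path [%s]. Permissions [%s].", pathConfig, permissions);
                        }
                        if (HTTP_METHOD_DELETE.equalsIgnoreCase(request.getMethod()) && pathConfig.isInstance()) {
                            this.policyEnforcer.getPathMatcher().removeFromCache(getPath(request));
                        }
                        return hasValidClaims(permission, claims);
                    }
                }
            }
        }
        if (!resourceReferenced && PolicyEnforcerConfig.EnforcementMode.PERMISSIVE.equals(pathConfig.getEnforcementMode())) {
            return true;
        }
        if (!LOGGER.isDebugEnabled()) {
            return false;
        }
        LOGGER.debugf("Authorization FAILED for path [%s]. Not enough permissions [%s].", pathConfig, permissions);
        return false;
    }

    /**
     * Checks the claims attached to a permission against the claims resolved for the request.
     *
     * <p>A permission with no claims always passes. Otherwise every claim the permission names
     * must be present in {@code resolved} with at least one value, and all of its resolved values
     * must be among the permission's allowed values.
     */
    private boolean hasValidClaims(Permission permission, Map<String, List<String>> resolved) {
        Map<String, Set<String>> claims = permission.getClaims();
        if (claims == null) {
            return true;
        }
        if (resolved.isEmpty()) {
            return false;
        }
        for (Map.Entry<String, Set<String>> entry : claims.entrySet()) {
            List<String> values = resolved.get(entry.getKey());
            if (values == null || values.isEmpty() || !entry.getValue().containsAll(values)) {
                return false;
            }
        }
        return true;
    }

    /** Default denial: a bare 403. Subclasses may override to redirect or render a page. */
    protected void handleAccessDenied(OIDCHttpFacade oIDCHttpFacade) {
        oIDCHttpFacade.getResponse().sendError(403);
    }

    /** @return the authorization client used to build granted contexts */
    public AuthzClient getAuthzClient() {
        return this.policyEnforcer.getClient();
    }

    /** @return the enforcer configuration (paths, modes, claim information points) */
    public PolicyEnforcerConfig getEnforcerConfig() {
        return this.policyEnforcer.getEnforcerConfig();
    }

    /** @return the enforcer this instance delegates to */
    public PolicyEnforcer getPolicyEnforcer() {
        return this.policyEnforcer;
    }

    /**
     * Whether the request targets the configured {@code on-deny-redirect-to} URI.
     *
     * <p>NOTE(review): this is {@code String.contains} on the full request URI, not a path
     * comparison. Any URI that merely contains the configured string — including, if the facade
     * returns the query string as part of {@code getURI()}, a query parameter — is treated as the
     * redirect target, which {@link #isAuthorized} then grants unconditionally. Confirm the
     * facade's {@code getURI()} contract before trusting this setting on a protected deployment.
     */
    private boolean isDefaultAccessDeniedUri(HttpFacade.Request request) {
        String onDenyRedirectTo = getEnforcerConfig().getOnDenyRedirectTo();
        return onDenyRedirectTo != null && request.getURI().contains(onDenyRedirectTo);
    }

    /**
     * Whether a permission's scopes satisfy the scopes required for the method.
     *
     * <ul>
     *   <li>A permission with no scopes satisfies any requirement.</li>
     *   <li>{@code ALL}: the permission must carry every required scope.</li>
     *   <li>{@code ANY}: at least one required scope must be carried.</li>
     *   <li>Otherwise (no match under {@code ANY}, or any other mode): satisfied only when no
     *       scopes are required.</li>
     * </ul>
     */
    private boolean hasResourceScopePermission(PolicyEnforcerConfig.MethodConfig methodConfig, Permission permission) {
        List<String> requiredScopes = methodConfig.getScopes();
        Set<String> grantedScopes = permission.getScopes();
        if (grantedScopes.isEmpty()) {
            return true;
        }
        PolicyEnforcerConfig.ScopeEnforcementMode scopesEnforcementMode = methodConfig.getScopesEnforcementMode();
        if (PolicyEnforcerConfig.ScopeEnforcementMode.ALL.equals(scopesEnforcementMode)) {
            return grantedScopes.containsAll(requiredScopes);
        }
        if (PolicyEnforcerConfig.ScopeEnforcementMode.ANY.equals(scopesEnforcementMode)) {
            for (String required : requiredScopes) {
                if (grantedScopes.contains(required)) {
                    return true;
                }
            }
        }
        return requiredScopes.isEmpty();
    }

    /**
     * Builds a context with no permissions whose every query answers {@code granted}.
     *
     * @param granted the fixed answer for {@code isGranted()} and the {@code has*Permission} queries
     */
    private AuthorizationContext createEmptyAuthorizationContext(final boolean granted) {
        return new ClientAuthorizationContext(getAuthzClient()) {
            @Override
            public boolean hasPermission(String resourceName, String scopeName) {
                return granted;
            }

            @Override
            public boolean hasResourcePermission(String resourceName) {
                return granted;
            }

            @Override
            public boolean hasScopePermission(String scopeName) {
                return granted;
            }

            @Override
            public List<Permission> getPermissions() {
                return Collections.emptyList();
            }

            @Override
            public boolean isGranted() {
                return granted;
            }
        };
    }

    /** The path used for matching and cache eviction: the request's relative path. */
    private String getPath(HttpFacade.Request request) {
        return request.getRelativePath();
    }

    /**
     * Finds the method configuration for the request's HTTP method, or synthesizes one.
     *
     * <p>The lookup is a case-sensitive {@code equals} on the configured method name. When no
     * entry matches, the synthesized config requires either the HTTP method itself as a scope
     * (when {@code http-method-as-scope} is enabled) or the path's scopes, under {@code ANY}
     * enforcement.
     */
    private PolicyEnforcerConfig.MethodConfig getRequiredScopes(PolicyEnforcerConfig.PathConfig pathConfig, HttpFacade.Request request) {
        String method = request.getMethod();
        for (PolicyEnforcerConfig.MethodConfig methodConfig : pathConfig.getMethods()) {
            if (methodConfig.getMethod().equals(method)) {
                return methodConfig;
            }
        }
        PolicyEnforcerConfig.MethodConfig synthesized = new PolicyEnforcerConfig.MethodConfig();
        synthesized.setMethod(request.getMethod());
        ArrayList<String> scopes = new ArrayList<>();
        if (Boolean.TRUE.equals(getEnforcerConfig().getHttpMethodAsScope())) {
            scopes.add(request.getMethod());
        } else {
            scopes.addAll(pathConfig.getScopes());
        }
        synthesized.setScopes(scopes);
        synthesized.setScopesEnforcementMode(PolicyEnforcerConfig.ScopeEnforcementMode.ANY);
        return synthesized;
    }

    /** Builds a granted context backed by the token's permissions and the matched path. */
    private AuthorizationContext createAuthorizationContext(AccessToken accessToken, PolicyEnforcerConfig.PathConfig pathConfig) {
        return new ClientAuthorizationContext(accessToken, pathConfig, getAuthzClient());
    }

    /**
     * Whether the permission targets this path's resource, or — for instance paths — the parent
     * path's resource.
     */
    private boolean isResourcePermission(PolicyEnforcerConfig.PathConfig pathConfig, Permission permission) {
        boolean matches = matchResourcePermission(pathConfig, permission);
        if (!matches && pathConfig.isInstance()) {
            matches = matchResourcePermission(pathConfig.getParentConfig(), permission);
        }
        return matches;
    }

    /** Exact match of the permission's resource id against the path's resource id. */
    private boolean matchResourcePermission(PolicyEnforcerConfig.PathConfig pathConfig, Permission permission) {
        return permission.getResourceId().equals(pathConfig.getId());
    }

    /**
     * Resolves the path configuration for the request, or {@code null} when none matches or the
     * request targets the on-deny redirect URI.
     */
    private PolicyEnforcerConfig.PathConfig getPathConfig(HttpFacade.Request request) {
        if (isDefaultAccessDeniedUri(request)) {
            return null;
        }
        return this.policyEnforcer.getPathMatcher().matches(getPath(request));
    }

    /**
     * Resolves request claims from the global claim information points first, then the path's
     * own; a path-level provider that yields the same claim name overwrites the global value.
     */
    public Map<String, List<String>> resolveClaims(PolicyEnforcerConfig.PathConfig pathConfig, OIDCHttpFacade oIDCHttpFacade) {
        HashMap<String, List<String>> claims = new HashMap<>();
        resolveClaims(claims, getEnforcerConfig().getClaimInformationPointConfig(), oIDCHttpFacade);
        resolveClaims(claims, pathConfig.getClaimInformationPointConfig(), oIDCHttpFacade);
        return claims;
    }

    /**
     * Runs every configured claim information point that has a registered factory and merges
     * its output into {@code target}; configurations without a factory are silently skipped.
     */
    private void resolveClaims(Map<String, List<String>> target, Map<String, Map<String, Object>> cipConfig, HttpFacade httpFacade) {
        if (cipConfig != null) {
            for (Map.Entry<String, Map<String, Object>> entry : cipConfig.entrySet()) {
                ClaimInformationPointProviderFactory factory = getPolicyEnforcer().getClaimInformationPointProviderFactories().get(entry.getKey());
                if (factory != null) {
                    target.putAll(factory.create(entry.getValue()).resolve(httpFacade));
                }
            }
        }
    }
}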
