package org.keycloak.adapters.authorization;

import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.AuthorizationContext;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.OIDCHttpFacade;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.ClientAuthorizationContext;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
import org.keycloak.representations.idm.authorization.Permission;

/* loaded from: input_file:m2repo/org/keycloak/keycloak-adapter-core/3.4.0.Final/keycloak-adapter-core-3.4.0.Final.jar:org/keycloak/adapters/authorization/AbstractPolicyEnforcer.class */
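/**
 * Adapter-side policy enforcement point (PEP): decides, per request, whether the
 * permissions carried in the caller's {@link AccessToken} satisfy the
 * {@link PolicyEnforcerConfig.PathConfig} matched for the request path.
 *
 * <p>Decompiled from keycloak-adapter-core 3.4.0.Final. Subclasses supply the
 * {@link #challenge} step (how to ask the client for more permissions) and may
 * override {@link #handleAccessDenied}.
 *
 * <p>The token is consumed as-is from the {@link KeycloakSecurityContext}; this
 * class does not verify its signature or expiry, so it relies on the adapter
 * having validated the token before the request reaches {@link #authorize}
 * (assumption — not visible here).
 *
 * <p>Not documented as thread-safe: {@link #isAuthorized} mutates the shared
 * {@code paths} map.
 */
public abstract class AbstractPolicyEnforcer {
    private static final Logger LOGGER = Logger.getLogger((Class<?>) AbstractPolicyEnforcer.class);
    private final PolicyEnforcerConfig enforcerConfig;
    private final PolicyEnforcer policyEnforcer;
    // Path configurations keyed by String (whatever PolicyEnforcer#getPaths uses as key);
    // shared with every ClientAuthorizationContext created below.
    private final Map<String, PolicyEnforcerConfig.PathConfig> paths;
    private final AuthzClient authzClient;
    private final PathMatcher pathMatcher;

    /**
     * Creates an enforcer that reads its configuration, authorization client, path
     * matcher and path table from the given {@link PolicyEnforcer}.
     *
     * @param policyEnforcer the owning enforcer; must not be {@code null}
     */
    public AbstractPolicyEnforcer(PolicyEnforcer policyEnforcer) {
        this.policyEnforcer = policyEnforcer;
        this.enforcerConfig = policyEnforcer.getEnforcerConfig();
        this.authzClient = policyEnforcer.getClient();
        this.pathMatcher = policyEnforcer.getPathMatcher();
        this.paths = policyEnforcer.getPaths();
    }

    /**
     * Evaluates the current request against the enforcer configuration.
     *
     * <p>Decision order: global {@code DISABLED} mode grants everything; a request
     * without a security context or token is denied (no challenge, no error
     * response is written); an unmatched path is granted in {@code PERMISSIVE}
     * mode or when it is the configured on-deny redirect URI, otherwise denied
     * via {@link #handleAccessDenied}; a matched path in {@code DISABLED} mode is
     * granted; otherwise {@link #isAuthorized} decides and, on failure,
     * {@link #challenge} is attempted before falling back to
     * {@link #handleAccessDenied}.
     *
     * @param oIDCHttpFacade the request/response facade for the current exchange
     * @return a context whose {@code isGranted()} reflects the decision; never {@code null}
     * @throws RuntimeException if building the context for a granted path fails
     *                          (the original exception is kept as the cause)
     */
    public AuthorizationContext authorize(OIDCHttpFacade oIDCHttpFacade) {
        PolicyEnforcerConfig.EnforcementMode enforcementMode = this.enforcerConfig.getEnforcementMode();
        if (PolicyEnforcerConfig.EnforcementMode.DISABLED.equals(enforcementMode)) {
            return createEmptyAuthorizationContext(true);
        }

        KeycloakSecurityContext securityContext = oIDCHttpFacade.getSecurityContext();
        AccessToken token = securityContext == null ? null : securityContext.getToken();
        if (token == null) {
            // Unauthenticated caller: nothing to evaluate. Note that no 403 is written here;
            // the caller of authorize() is expected to act on isGranted() == false.
            return createEmptyAuthorizationContext(false);
        }

        HttpFacade.Request request = oIDCHttpFacade.getRequest();
        String path = getPath(request);
        PolicyEnforcerConfig.PathConfig matches = this.pathMatcher.matches(path, this.paths);
        LOGGER.debugf("Checking permissions for path [%s] with config [%s].", request.getURI(), matches);

        if (matches == null) {
            if (PolicyEnforcerConfig.EnforcementMode.PERMISSIVE.equals(enforcementMode)) {
                // Permissive: unknown paths are allowed through with a token-backed context.
                return createAuthorizationContext(token, null);
            }
            LOGGER.debugf("Could not find a configuration for path [%s]", path);
            if (isDefaultAccessDeniedUri(request, this.enforcerConfig)) {
                // The deny page itself must stay reachable, or denial would loop.
                return createAuthorizationContext(token, null);
            }
            handleAccessDenied(oIDCHttpFacade);
            return createEmptyAuthorizationContext(false);
        }

        if (PolicyEnforcerConfig.EnforcementMode.DISABLED.equals(matches.getEnforcementMode())) {
            return createEmptyAuthorizationContext(true);
        }

        Set<String> requiredScopes = getRequiredScopes(matches, request);
        if (isAuthorized(matches, requiredScopes, token, oIDCHttpFacade)) {
            try {
                return createAuthorizationContext(token, matches);
            } catch (Exception e) {
                throw new RuntimeException("Error processing path [" + matches.getPath() + "].", e);
            }
        }

        LOGGER.debugf("Sending challenge to the client. Path [%s]", matches);
        if (!challenge(matches, requiredScopes, oIDCHttpFacade)) {
            LOGGER.debugf("Challenge not sent, sending default forbidden response. Path [%s]", matches);
            handleAccessDenied(oIDCHttpFacade);
        }
        return createEmptyAuthorizationContext(false);
    }

    /**
     * Asks the client for the permissions it is missing (e.g. via a UMA or
     * entitlement challenge — subclass-specific).
     *
     * @param pathConfig     the matched path configuration
     * @param set            the scopes required for this request
     * @param oIDCHttpFacade the current exchange
     * @return {@code true} if a challenge response was written, {@code false} to
     *         fall back to {@link #handleAccessDenied}
     */
    protected abstract boolean challenge(PolicyEnforcerConfig.PathConfig pathConfig, Set<String> set, OIDCHttpFacade oIDCHttpFacade);

    /**
     * Checks whether the token's permissions cover {@code pathConfig} with the
     * required scopes.
     *
     * <p>Grants when: the request targets the configured on-deny redirect URI
     * (see {@link #isDefaultAccessDeniedUri} for the matching caveat); a
     * scope-only permission (no resource id) covers the required scopes; a
     * permission for this resource (or, for instance paths, its parent) covers
     * the required scopes; or no permission referred to this resource at all and
     * the path is in {@code PERMISSIVE} mode. A token without an
     * {@code authorization} claim is always denied.
     *
     * @param pathConfig     the matched path configuration
     * @param set            the scopes required for this request
     * @param accessToken    the caller's token (assumed already validated upstream)
     * @param oIDCHttpFacade the current exchange
     * @return {@code true} if access is granted
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isAuthorized(PolicyEnforcerConfig.PathConfig pathConfig, Set<String> set, AccessToken accessToken, OIDCHttpFacade oIDCHttpFacade) {
        HttpFacade.Request request = oIDCHttpFacade.getRequest();
        if (isDefaultAccessDeniedUri(request, getEnforcerConfig())) {
            return true;
        }

        AccessToken.Authorization authorization = accessToken.getAuthorization();
        if (authorization == null) {
            return false;
        }

        List<Permission> permissions = authorization.getPermissions();
        // True once any permission in the token referred to this resource (or its parent).
        boolean resourceMatched = false;
        for (Permission permission : permissions) {
            if (permission.getResourceSetId() == null) {
                // Scope-only permission: not tied to a resource, enough if it covers the scopes.
                if (hasResourceScopePermission(set, permission, pathConfig)) {
                    return true;
                }
                continue;
            }
            if (!isResourcePermission(pathConfig, permission)) {
                continue;
            }
            resourceMatched = true;
            // For instance paths a parent-level permission counts as "matched" above but
            // only a permission for the instance itself can grant the scopes.
            if (pathConfig.isInstance() && !matchResourcePermission(pathConfig, permission)) {
                continue;
            }
            if (hasResourceScopePermission(set, permission, pathConfig)) {
                LOGGER.debugf("Authorization GRANTED for path [%s]. Permissions [%s].", pathConfig, permissions);
                if (request.getMethod().equalsIgnoreCase("DELETE") && pathConfig.isInstance()) {
                    // NOTE(review): paths is a Map<String, PathConfig>, so removing by the
                    // PathConfig object cannot match any key and is effectively a no-op.
                    // Presumably the instance's path (or id) was meant — confirm against
                    // PolicyEnforcer#getPaths before changing.
                    this.paths.remove(pathConfig);
                }
                return true;
            }
        }

        if (!resourceMatched && PolicyEnforcerConfig.EnforcementMode.PERMISSIVE.equals(pathConfig.getEnforcementMode())) {
            // Permissive path and the token never mentioned this resource: let it through.
            return true;
        }
        LOGGER.debugf("Authorization FAILED for path [%s]. No enough permissions [%s].", pathConfig, permissions);
        return false;
    }

    /**
     * Default denial: writes an HTTP 403 to the response.
     *
     * @param oIDCHttpFacade the current exchange
     */
    protected void handleAccessDenied(OIDCHttpFacade oIDCHttpFacade) {
        oIDCHttpFacade.getResponse().sendError(403);
    }

    /**
     * Tells whether the request targets the configured on-deny redirect URI, which
     * is always let through so the denial page itself can be served.
     *
     * <p>The test is a substring match of {@code onDenyRedirectTo} against the
     * request URI. Since the URI is attacker-controlled input, any request whose
     * URI merely contains that string is treated as the deny page and granted by
     * both {@link #authorize} and {@link #isAuthorized}. A stricter comparison
     * (exact path, or prefix match on the path component) would remove that
     * bypass; it is left unchanged here because whether {@code onDenyRedirectTo}
     * is an absolute URL or a relative path is not visible in this class.
     *
     * @param request              the current request
     * @param policyEnforcerConfig the enforcer configuration
     * @return {@code true} if a redirect URI is configured and the request URI contains it
     */
    private boolean isDefaultAccessDeniedUri(HttpFacade.Request request, PolicyEnforcerConfig policyEnforcerConfig) {
        String onDenyRedirectTo = policyEnforcerConfig.getOnDenyRedirectTo();
        return onDenyRedirectTo != null && request.getURI().contains(onDenyRedirectTo);
    }

    /**
     * Tells whether a single permission covers the required scopes.
     *
     * <p>A permission with an empty scope set is treated as covering every scope.
     * Also trivially true when {@code set} is empty (no scopes required).
     * {@code pathConfig} is accepted for signature symmetry but not consulted.
     *
     * @param set        the required scopes
     * @param permission the permission from the token
     * @param pathConfig unused
     * @return {@code true} if the permission's scopes include all required ones or are empty
     */
    private boolean hasResourceScopePermission(Set<String> set, Permission permission, PolicyEnforcerConfig.PathConfig pathConfig) {
        Set<String> scopes = permission.getScopes();
        return scopes.containsAll(set) || scopes.isEmpty();
    }

    /** @return the authorization client used to build contexts and challenges */
    /* JADX INFO: Access modifiers changed from: protected */
    public AuthzClient getAuthzClient() {
        return this.authzClient;
    }

    /** @return the enforcer configuration this instance was created with */
    /* JADX INFO: Access modifiers changed from: protected */
    public PolicyEnforcerConfig getEnforcerConfig() {
        return this.enforcerConfig;
    }

    /** @return the owning {@link PolicyEnforcer} */
    /* JADX INFO: Access modifiers changed from: protected */
    public PolicyEnforcer getPolicyEnforcer() {
        return this.policyEnforcer;
    }

    /**
     * Builds a context that carries no permissions and answers every
     * {@code has*Permission} / {@code isGranted} query with the fixed value
     * {@code granted}.
     *
     * @param granted the constant answer for all permission queries
     * @return a context with an empty permission list
     */
    private AuthorizationContext createEmptyAuthorizationContext(final boolean granted) {
        return new ClientAuthorizationContext(this.authzClient) { // from class: org.keycloak.adapters.authorization.AbstractPolicyEnforcer.1
            @Override // org.keycloak.AuthorizationContext
            public boolean hasPermission(String str, String str2) {
                return granted;
            }

            @Override // org.keycloak.AuthorizationContext
            public boolean hasResourcePermission(String str) {
                return granted;
            }

            @Override // org.keycloak.AuthorizationContext
            public boolean hasScopePermission(String str) {
                return granted;
            }

            @Override // org.keycloak.AuthorizationContext
            public List<Permission> getPermissions() {
                // Typed empty list (same immutable instance as the raw EMPTY_LIST constant).
                return Collections.emptyList();
            }

            @Override // org.keycloak.AuthorizationContext
            public boolean isGranted() {
                return granted;
            }
        };
    }

    /**
     * @param request the current request
     * @return the request path relative to the application, as used for path matching
     */
    private String getPath(HttpFacade.Request request) {
        return request.getRelativePath();
    }

    /**
     * Collects the scopes a request must hold: the path's own scopes plus those of
     * every {@link PolicyEnforcerConfig.MethodConfig} whose method equals the
     * request method (case-sensitive comparison).
     *
     * @param pathConfig the matched path configuration
     * @param request    the current request
     * @return a mutable set of required scopes, possibly empty
     */
    private Set<String> getRequiredScopes(PolicyEnforcerConfig.PathConfig pathConfig, HttpFacade.Request request) {
        Set<String> requiredScopes = new HashSet<>(pathConfig.getScopes());
        String method = request.getMethod();
        for (PolicyEnforcerConfig.MethodConfig methodConfig : pathConfig.getMethods()) {
            if (methodConfig.getMethod().equals(method)) {
                requiredScopes.addAll(methodConfig.getScopes());
            }
        }
        return requiredScopes;
    }

    /**
     * Builds the token-backed context returned for granted requests.
     *
     * @param accessToken the caller's token
     * @param pathConfig  the matched path configuration, or {@code null} for an unmatched path
     * @return a context backed by the token, the shared path table and the authz client
     */
    private AuthorizationContext createAuthorizationContext(AccessToken accessToken, PolicyEnforcerConfig.PathConfig pathConfig) {
        return new ClientAuthorizationContext(accessToken, pathConfig, this.paths, this.authzClient);
    }

    /**
     * Tells whether {@code permission} refers to {@code pathConfig}'s resource or,
     * for instance paths, to the parent configuration's resource.
     *
     * @param pathConfig the matched path configuration
     * @param permission a permission whose resource id is non-null
     * @return {@code true} if the resource ids match at this level or the parent level
     */
    private boolean isResourcePermission(PolicyEnforcerConfig.PathConfig pathConfig, Permission permission) {
        if (matchResourcePermission(pathConfig, permission)) {
            return true;
        }
        return pathConfig.isInstance() && matchResourcePermission(pathConfig.getParentConfig(), permission);
    }

    /**
     * @param pathConfig the path configuration
     * @param permission a permission whose resource id is non-null
     * @return {@code true} if the permission's resource id equals the path configuration's id
     */
    private boolean matchResourcePermission(PolicyEnforcerConfig.PathConfig pathConfig, Permission permission) {
        return permission.getResourceSetId().equals(pathConfig.getId());
    }
}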
