package org.apache.causeway.security.keycloak.services;

import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Consumer;
import java.util.function.Predicate;
import lombok.Generated;
import lombok.NonNull;
import org.apache.causeway.commons.internal.base._Casts;
import org.apache.causeway.commons.internal.base._NullSafe;
import org.apache.causeway.core.config.CausewayConfiguration;
import org.springframework.lang.Nullable;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;

/* loaded from: input_file:org/apache/causeway/security/keycloak/services/KeycloakOauth2UserService.class */
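/**
 * OIDC user service that adds roles read from the Keycloak access token to the authorities of
 * the user loaded by {@link OidcUserService}.
 *
 * <p>Depending on configuration, role names are taken from
 * {@code resource_access.<client-id>.roles} (client roles), {@code realm_access.roles}
 * (realm roles) and the top-level {@code roles} claim. Each name has the configured prefix
 * prepended and is turned into a {@link GrantedAuthority}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The extracted roles are only as trustworthy as the injected {@link JwtDecoder}. This
 *       class does no signature, issuer, audience or expiry check of its own; it relies on
 *       {@code decode} rejecting a bad token. NOTE(review): confirm how the decoder bean is
 *       configured.</li>
 *   <li>A {@code null} or empty prefix means token role names become authorities verbatim, so
 *       they share one namespace with the authorities supplied by the superclass and by the
 *       other role sources.</li>
 *   <li>Role entries are stringified as-is; a non-string entry in a roles claim still produces
 *       an authority named after its string form.</li>
 * </ul>
 */
public class KeycloakOauth2UserService extends OidcUserService {
    private static final OAuth2Error INVALID_REQUEST = new OAuth2Error("invalid_request");

    /**
     * Claim used as the principal name. OIDC Core tells relying parties not to rely on
     * {@code preferred_username} being unique; whether it is unique and stable here depends on
     * the realm's settings. NOTE(review): confirm before treating the principal name as a
     * durable identifier.
     */
    private static final String NAME_ATTRIBUTE_KEY = "preferred_username";

    final JwtDecoder jwtDecoder;
    // May be null: extracted authorities are then returned unmapped.
    final GrantedAuthoritiesMapper authoritiesMapper;
    final CausewayConfiguration causewayConfiguration;

    /**
     * Loads the user through the superclass and returns a copy whose authorities also include
     * the roles extracted from the access token.
     *
     * @param oidcUserRequest the request carrying the ID token, access token and client registration
     * @return a {@link DefaultOidcUser} named by the {@code preferred_username} claim; authorities
     *     from the superclass come first, followed by the token-derived ones, duplicates removed
     * @throws OAuth2AuthenticationException if the superclass fails to load the user or the
     *     access token cannot be decoded
     */
    @Override
    public OidcUser loadUser(OidcUserRequest oidcUserRequest) throws OAuth2AuthenticationException {
        OidcUser delegateUser = super.loadUser(oidcUserRequest);
        // LinkedHashSet keeps insertion order and drops authorities reported by both sources.
        LinkedHashSet<GrantedAuthority> authorities = new LinkedHashSet<>(delegateUser.getAuthorities());
        authorities.addAll(extractKeycloakAuthorities(oidcUserRequest));
        return new DefaultOidcUser(authorities, oidcUserRequest.getIdToken(), delegateUser.getUserInfo(), NAME_ATTRIBUTE_KEY);
    }

    /**
     * Decodes the access token and converts the configured role claims into authorities.
     *
     * @param oidcUserRequest the request whose access token and client id are read
     * @return the authorities built from the token, passed through {@code authoritiesMapper}
     *     when one was supplied
     * @throws OAuth2AuthenticationException if the access token is rejected by the decoder
     */
    private Collection<? extends GrantedAuthority> extractKeycloakAuthorities(OidcUserRequest oidcUserRequest) {
        Jwt accessToken = parseJwt(oidcUserRequest.getAccessToken().getTokenValue());
        Map<String, Object> claims = accessToken.getClaims();
        var keycloak = this.causewayConfiguration.getSecurity().getKeycloak();
        List<String> roleNames = new ArrayList<>();

        if (keycloak.isExtractClientRoles()) {
            // Only the entry keyed by this client's own id is consulted; roles granted for other
            // clients listed under resource_access are ignored.
            asNonEmptyMap(claims.get("resource_access"))
                    .flatMap(resourceAccess ->
                            asNonEmptyMap(resourceAccess.get(oidcUserRequest.getClientRegistration().getClientId())))
                    .ifPresent(clientAccess ->
                            addPrefixedRoles(roleNames, keycloak.getClientRolePrefix(), clientAccess.get("roles")));
        }
        if (keycloak.isExtractRealmRoles()) {
            asNonEmptyMap(claims.get("realm_access"))
                    .ifPresent(realmAccess ->
                            addPrefixedRoles(roleNames, keycloak.getRealmRolePrefix(), realmAccess.get("roles")));
        }
        if (keycloak.isExtractRoles()) {
            addPrefixedRoles(roleNames, keycloak.getRolePrefix(), claims.get("roles"));
        }

        List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList(roleNames.toArray(new String[0]));
        return this.authoritiesMapper == null ? authorities : this.authoritiesMapper.mapAuthorities(authorities);
    }

    /**
     * Appends {@code prefix + role} to {@code target} for every non-null entry of a roles claim.
     *
     * @param target the list receiving the prefixed role names
     * @param prefix the configured prefix; {@code null} is treated as the empty string
     * @param rolesClaim the raw claim value; ignored unless it is a non-empty collection
     */
    private void addPrefixedRoles(List<String> target, @Nullable String prefix, @Nullable Object rolesClaim) {
        String effectivePrefix = Optional.ofNullable(prefix).orElse("");
        // String concatenation applies String.valueOf to each entry, whatever its runtime type.
        asNonEmptyCollection(rolesClaim)
                .ifPresent(roles -> forEachNonNullIn(roles, role -> target.add(effectivePrefix + role)));
    }

    /**
     * Views a claim value as a map.
     *
     * @param obj the raw claim value, possibly {@code null}
     * @return the value as a map, or empty when the cast yields nothing or the map is empty
     */
    private Optional<Map> asNonEmptyMap(@Nullable Object obj) {
        return _Casts.castTo(Map.class, obj).filter(Predicate.not(_NullSafe::isEmpty));
    }

    /**
     * Passes every non-null element of {@code collection} to {@code consumer}.
     *
     * @param collection the elements to visit
     * @param consumer the action to run per non-null element
     * @throws NullPointerException if either argument is {@code null}
     */
    private void forEachNonNullIn(@NonNull Collection collection, @NonNull Consumer<Object> consumer) {
        if (collection == null) {
            throw new NullPointerException("x is marked non-null but is null");
        }
        if (consumer == null) {
            throw new NullPointerException("_do is marked non-null but is null");
        }
        collection.stream().filter(Objects::nonNull).forEach(consumer);
    }

    /**
     * Views a claim value as a collection.
     *
     * @param obj the raw claim value, possibly {@code null}
     * @return the value as a collection, or empty when the cast yields nothing or the collection is empty
     */
    private Optional<Collection> asNonEmptyCollection(@Nullable Object obj) {
        return _Casts.castTo(Collection.class, obj).filter(Predicate.not(_NullSafe::isEmpty));
    }

    /**
     * Decodes the raw access token with the injected decoder.
     *
     * @param str the serialized access token
     * @return the decoded token
     * @throws OAuth2AuthenticationException with error code {@code invalid_request} when the
     *     decoder throws a {@link JwtException}; the original exception is kept as the cause
     */
    private Jwt parseJwt(String str) {
        try {
            return this.jwtDecoder.decode(str);
        } catch (JwtException e) {
            throw new OAuth2AuthenticationException(INVALID_REQUEST, e);
        }
    }

    /**
     * Creates the service.
     *
     * @param jwtDecoder decoder used for the access token
     * @param grantedAuthoritiesMapper optional mapper applied to the token-derived authorities;
     *     may be {@code null}
     * @param causewayConfiguration configuration supplying the Keycloak role-extraction flags and prefixes
     */
    @Generated
    public KeycloakOauth2UserService(JwtDecoder jwtDecoder, GrantedAuthoritiesMapper grantedAuthoritiesMapper, CausewayConfiguration causewayConfiguration) {
        this.jwtDecoder = jwtDecoder;
        this.authoritiesMapper = grantedAuthoritiesMapper;
        this.causewayConfiguration = causewayConfiguration;
    }
}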
