package org.apache.isis.security.keycloak.services;

import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:org/apache/isis/security/keycloak/services/KeycloakOauth2UserService.class */
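/**
 * OIDC user service that augments the authorities resolved by {@link OidcUserService}
 * with the client roles Keycloak publishes in the access token under
 * {@code resource_access.<client-id>.roles}.
 *
 * <p>NOTE(review): the roles are taken from whatever {@link Jwt} the injected
 * {@link JwtDecoder} returns. This class performs no signature, issuer or audience
 * checks of its own, so confirm that the decoder wired in here validates the token
 * before its claims are turned into authorities.
 */
public class KeycloakOauth2UserService extends OidcUserService {
    private static final OAuth2Error INVALID_REQUEST = new OAuth2Error("invalid_request");
    final JwtDecoder jwtDecoder;
    final GrantedAuthoritiesMapper authoritiesMapper;

    /**
     * @param jwtDecoder decoder used to parse the access token; must not be {@code null}
     * @param grantedAuthoritiesMapper optional mapper applied to the Keycloak roles;
     *     when {@code null} the roles are used unchanged
     */
    public KeycloakOauth2UserService(JwtDecoder jwtDecoder, GrantedAuthoritiesMapper grantedAuthoritiesMapper) {
        this.jwtDecoder = jwtDecoder;
        this.authoritiesMapper = grantedAuthoritiesMapper;
    }

    /**
     * Loads the user through the parent service and returns a copy whose authorities
     * are the union of the parent's authorities and the Keycloak client roles.
     *
     * @param oidcUserRequest the OIDC user request carrying the ID token and access token
     * @return a user named by the {@code preferred_username} claim
     * @throws OAuth2AuthenticationException if the parent service fails or the access
     *     token cannot be decoded
     */
    @Override
    public OidcUser loadUser(OidcUserRequest oidcUserRequest) throws OAuth2AuthenticationException {
        OidcUser delegateUser = super.loadUser(oidcUserRequest);

        // Insertion-ordered set: parent authorities first, then Keycloak roles, no duplicates.
        LinkedHashSet<GrantedAuthority> authorities = new LinkedHashSet<>();
        authorities.addAll(delegateUser.getAuthorities());
        authorities.addAll(extractKeycloakAuthorities(oidcUserRequest));

        // NOTE(review): the user is keyed on "preferred_username"; a token without that
        // claim is expected to be rejected by DefaultOidcUser - confirm this is intended.
        return new DefaultOidcUser(
                authorities, oidcUserRequest.getIdToken(), delegateUser.getUserInfo(), "preferred_username");
    }

    /**
     * Reads {@code resource_access.<client-id>.roles} from the decoded access token.
     *
     * <p>The claims come from the token, so every level is type-checked before use.
     * A claim that is absent or has an unexpected shape yields no authorities instead
     * of a {@link NullPointerException} or {@link ClassCastException}: a malformed
     * token therefore never grants roles and never surfaces as an internal error.
     *
     * @return the (optionally mapped) authorities, never {@code null}
     */
    private Collection<? extends GrantedAuthority> extractKeycloakAuthorities(OidcUserRequest oidcUserRequest) {
        Jwt accessToken = parseJwt(oidcUserRequest.getAccessToken().getTokenValue());

        Object resourceAccess = accessToken.getClaims().get("resource_access");
        if (!(resourceAccess instanceof Map)) {
            return Collections.emptyList();
        }

        String clientId = oidcUserRequest.getClientRegistration().getClientId();
        Object clientAccess = ((Map<?, ?>) resourceAccess).get(clientId);
        if (!(clientAccess instanceof Map)) {
            return Collections.emptyList();
        }

        Object roles = ((Map<?, ?>) clientAccess).get("roles");
        if (!(roles instanceof Collection)) {
            return Collections.emptyList();
        }

        // Keep only non-blank string entries; anything else cannot name a role and
        // would otherwise abort the login with an ArrayStoreException or
        // IllegalArgumentException.
        LinkedHashSet<String> roleNames = new LinkedHashSet<>();
        for (Object role : (Collection<?>) roles) {
            if (role instanceof String && !((String) role).trim().isEmpty()) {
                roleNames.add((String) role);
            }
        }
        if (roleNames.isEmpty()) {
            return Collections.emptyList();
        }

        List<GrantedAuthority> keycloakAuthorities =
                AuthorityUtils.createAuthorityList(roleNames.toArray(new String[0]));
        return this.authoritiesMapper == null
                ? keycloakAuthorities
                : this.authoritiesMapper.mapAuthorities(keycloakAuthorities);
    }

    /**
     * Decodes the raw access token, translating decoder failures into an
     * authentication failure so they are handled by the login flow.
     *
     * @throws OAuth2AuthenticationException with error code {@code invalid_request}
     *     when the decoder rejects the token
     */
    private Jwt parseJwt(String str) {
        try {
            return this.jwtDecoder.decode(str);
        } catch (JwtException e) {
            throw new OAuth2AuthenticationException(INVALID_REQUEST, e);
        }
    }
}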
