package org.apache.isis.security.keycloak.services;

import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import org.apache.isis.core.config.IsisConfiguration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:org/apache/isis/security/keycloak/services/KeycloakOauth2UserService.class */
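/**
 * OIDC user service that augments the authorities of the user loaded by
 * {@link OidcUserService} with role names read from the claims of the Keycloak
 * access token.
 *
 * <p>Security note: every authority added here is taken from claims of the decoded
 * access token. This class performs no signature, issuer or audience validation of its
 * own; it relies entirely on the injected {@link JwtDecoder}. NOTE(review): confirm the
 * decoder wired in by the application is configured to validate the token against the
 * expected Keycloak realm, since these claims drive authorization decisions.
 */
public class KeycloakOauth2UserService extends OidcUserService {
    private static final OAuth2Error INVALID_REQUEST = new OAuth2Error("invalid_request");
    final JwtDecoder jwtDecoder;
    // May be null: in that case the extracted authorities are returned unmapped.
    final GrantedAuthoritiesMapper authoritiesMapper;
    final IsisConfiguration isisConfiguration;

    /**
     * Loads the user through the parent service and adds the authorities extracted from
     * the access token.
     *
     * @param oidcUserRequest the user request carrying the ID token, access token and
     *     client registration
     * @return a {@link DefaultOidcUser} holding the union of the parent's authorities and
     *     the token-derived ones, using {@code preferred_username} as the name attribute
     * @throws OAuth2AuthenticationException if the parent service fails or the access
     *     token cannot be decoded
     */
    @Override
    public OidcUser loadUser(OidcUserRequest oidcUserRequest) throws OAuth2AuthenticationException {
        OidcUser delegateUser = super.loadUser(oidcUserRequest);
        // Insertion-ordered set: parent authorities first, duplicates dropped.
        Collection<GrantedAuthority> authorities = new LinkedHashSet<>();
        authorities.addAll(delegateUser.getAuthorities());
        authorities.addAll(extractKeycloakAuthorities(oidcUserRequest));
        return new DefaultOidcUser(authorities, oidcUserRequest.getIdToken(), delegateUser.getUserInfo(), "preferred_username");
    }

    /**
     * Builds authorities from the role claims of the access token. Which claims are read
     * is controlled by the Keycloak section of the configuration:
     * {@code resource_access.<clientId>.roles}, {@code realm_access.roles} and the
     * top-level {@code roles} claim, each with its own optional prefix.
     *
     * @param oidcUserRequest the request whose access token and client id are used
     * @return the authorities, passed through {@link #authoritiesMapper} when one is set
     */
    private Collection<? extends GrantedAuthority> extractKeycloakAuthorities(OidcUserRequest oidcUserRequest) {
        Jwt accessToken = parseJwt(oidcUserRequest.getAccessToken().getTokenValue());
        List<String> roleNames = new ArrayList<>();

        if (this.isisConfiguration.getSecurity().getKeycloak().isExtractClientRoles()) {
            Object resourceAccess = accessToken.getClaims().get("resource_access");
            if (resourceAccess instanceof Map) {
                // Only the roles of the client this request was made for are considered.
                Object clientAccess = ((Map<?, ?>) resourceAccess).get(oidcUserRequest.getClientRegistration().getClientId());
                if (clientAccess instanceof Map) {
                    Map<?, ?> clientAccessMap = (Map<?, ?>) clientAccess;
                    if (!CollectionUtils.isEmpty(clientAccessMap)) {
                        Object clientRoles = clientAccessMap.get("roles");
                        // Fix: the type test used to be applied to the enclosing client map
                        // (already known to be a Map, so never a List), which meant client
                        // roles were silently never extracted even with the option enabled.
                        // Deployments that enable client-role extraction will now receive
                        // these authorities; review role-to-permission mappings accordingly.
                        if (clientRoles instanceof List) {
                            List<?> clientRoleList = (List<?>) clientRoles;
                            if (!CollectionUtils.isEmpty(clientRoleList)) {
                                String prefix = Optional.ofNullable(this.isisConfiguration.getSecurity().getKeycloak().getClientRolePrefix()).orElse("");
                                appendPrefixedRoles(roleNames, clientRoleList, prefix);
                            }
                        }
                    }
                }
            }
        }

        if (this.isisConfiguration.getSecurity().getKeycloak().isExtractRealmRoles()) {
            Object realmAccess = accessToken.getClaims().get("realm_access");
            if (realmAccess instanceof Map) {
                Object realmRoles = ((Map<?, ?>) realmAccess).get("roles");
                if (realmRoles instanceof List) {
                    String prefix = Optional.ofNullable(this.isisConfiguration.getSecurity().getKeycloak().getRealmRolePrefix()).orElse("");
                    appendPrefixedRoles(roleNames, (List<?>) realmRoles, prefix);
                }
            }
        }

        if (this.isisConfiguration.getSecurity().getKeycloak().isExtractRoles()) {
            Object roles = accessToken.getClaims().get("roles");
            if (roles instanceof List) {
                String prefix = Optional.ofNullable(this.isisConfiguration.getSecurity().getKeycloak().getRolePrefix()).orElse("");
                appendPrefixedRoles(roleNames, (List<?>) roles, prefix);
            }
        }

        List<GrantedAuthority> extracted = AuthorityUtils.createAuthorityList(roleNames.toArray(new String[0]));
        if (this.authoritiesMapper == null) {
            return extracted;
        }
        return this.authoritiesMapper.mapAuthorities(extracted);
    }

    /**
     * Appends {@code prefix + element} to {@code sink} for every non-null element of
     * {@code roles}.
     *
     * <p>Elements are converted by string concatenation, so a non-String element ends up
     * as its {@code toString()} form rather than being rejected.
     */
    private static void appendPrefixedRoles(List<String> sink, List<?> roles, String prefix) {
        for (Object role : roles) {
            if (role != null) {
                sink.add(prefix + role);
            }
        }
    }

    /**
     * Decodes the raw access token with the injected decoder.
     *
     * @param str the serialized token value
     * @return the decoded token
     * @throws OAuth2AuthenticationException with error code {@code invalid_request} when
     *     the decoder raises a {@link JwtException}; the cause is preserved
     */
    private Jwt parseJwt(String str) {
        try {
            return this.jwtDecoder.decode(str);
        } catch (JwtException e) {
            throw new OAuth2AuthenticationException(INVALID_REQUEST, e);
        }
    }

    /**
     * Creates the service.
     *
     * @param jwtDecoder decoder used for the access token; dereferenced without a null
     *     check when a user is loaded
     * @param grantedAuthoritiesMapper optional mapper applied to the extracted
     *     authorities; {@code null} leaves them unmapped
     * @param isisConfiguration configuration whose Keycloak security section selects the
     *     claims to read and the prefixes to apply
     */
    public KeycloakOauth2UserService(JwtDecoder jwtDecoder, GrantedAuthoritiesMapper grantedAuthoritiesMapper, IsisConfiguration isisConfiguration) {
        this.jwtDecoder = jwtDecoder;
        this.authoritiesMapper = grantedAuthoritiesMapper;
        this.isisConfiguration = isisConfiguration;
    }
}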
