package org.keycloak.adapters.authorization;

import java.io.InputStream;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.ServiceLoader;
import java.util.Set;
import org.apache.http.client.HttpClient;
import org.jboss.logging.Logger;
import org.keycloak.AuthorizationContext;
import org.keycloak.adapters.authorization.cip.spi.ClaimInformationPointProviderFactory;
import org.keycloak.adapters.authorization.spi.HttpRequest;
import org.keycloak.adapters.authorization.spi.HttpResponse;
import org.keycloak.adapters.authorization.util.JsonUtils;
import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.ClientAuthorizationContext;
import org.keycloak.authorization.client.Configuration;
import org.keycloak.authorization.client.resource.PermissionResource;
import org.keycloak.common.util.Base64;
import org.keycloak.protocol.oidc.client.authentication.ClientCredentialsProvider;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/adapters/authorization/PolicyEnforcer.class */
public class PolicyEnforcer {
    private static Logger LOGGER = Logger.getLogger(PolicyEnforcer.class);
    private static final String HTTP_METHOD_DELETE = "DELETE";
    private final AuthzClient authzClient;
    private final Map<String, PolicyEnforcerConfig.PathConfig> paths;
    private final PathConfigMatcher pathMatcher;
    private final HttpClient httpClient;
    private final PolicyEnforcerConfig enforcerConfig;
    private final Map<String, ClaimInformationPointProviderFactory> claimInformationPointProviderFactories = new HashMap();

    /* loaded from: input_file:org/keycloak/adapters/authorization/PolicyEnforcer$Builder.class */
    public static class Builder {
        Configuration authzClientConfig;

        private Builder() {
            this.authzClientConfig = new Configuration();
        }

        public Builder authServerUrl(String str) {
            this.authzClientConfig.setAuthServerUrl(str);
            return this;
        }

        public Builder realm(String str) {
            this.authzClientConfig.setRealm(str);
            return this;
        }

        public Builder clientId(String str) {
            this.authzClientConfig.setResource(str);
            return this;
        }

        public Builder bearerOnly(boolean z) {
            this.authzClientConfig.setBearerOnly(z);
            return this;
        }

        public Builder credentials(Map<String, Object> map) {
            this.authzClientConfig.setCredentials(map);
            return this;
        }

        public Builder enforcerConfig(PolicyEnforcerConfig policyEnforcerConfig) {
            this.authzClientConfig.setPolicyEnforcerConfig(policyEnforcerConfig);
            return this;
        }

        public Builder enforcerConfig(InputStream inputStream) {
            try {
                enforcerConfig((PolicyEnforcerConfig) JsonSerialization.readValue(inputStream, PolicyEnforcerConfig.class));
                return this;
            } catch (Exception e) {
                throw new RuntimeException("Failed to read configuration", e);
            }
        }

        public Builder httpClient(HttpClient httpClient) {
            this.authzClientConfig.setHttpClient(httpClient);
            return this;
        }

        public Builder credentialProvider(ClientCredentialsProvider clientCredentialsProvider) {
            this.authzClientConfig.setClientCredentialsProvider(clientCredentialsProvider);
            return this;
        }

        public PolicyEnforcer build() {
            return new PolicyEnforcer(this);
        }

        PolicyEnforcerConfig getEnforcerConfig() {
            return this.authzClientConfig.getPolicyEnforcerConfig();
        }
    }

    public static Builder builder() {
        return new Builder();
    }

    protected PolicyEnforcer(Builder builder) {
        this.enforcerConfig = builder.getEnforcerConfig();
        Configuration configuration = builder.authzClientConfig;
        if (configuration.getRealm() == null) {
            configuration.setRealm(this.enforcerConfig.getRealm());
        }
        if (configuration.getAuthServerUrl() == null) {
            configuration.setAuthServerUrl(this.enforcerConfig.getAuthServerUrl());
        }
        if (configuration.getCredentials() == null || configuration.getCredentials().isEmpty()) {
            configuration.setCredentials(this.enforcerConfig.getCredentials());
        }
        if (configuration.getResource() == null) {
            configuration.setResource(this.enforcerConfig.getResource());
        }
        this.authzClient = AuthzClient.create(configuration);
        this.httpClient = this.authzClient.getConfiguration().getHttpClient();
        this.pathMatcher = new PathConfigMatcher(builder.getEnforcerConfig(), this.authzClient);
        this.paths = this.pathMatcher.getPathConfig();
        loadClaimInformationPointProviders(ServiceLoader.load(ClaimInformationPointProviderFactory.class, ClaimInformationPointProviderFactory.class.getClassLoader()));
        loadClaimInformationPointProviders(ServiceLoader.load(ClaimInformationPointProviderFactory.class, Thread.currentThread().getContextClassLoader()));
    }

    public AuthorizationContext enforce(HttpRequest httpRequest, HttpResponse httpResponse) {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debugv("Policy enforcement is enabled. Enforcing policy decisions for path [{0}].", httpRequest.getURI());
        }
        AuthorizationContext authorize = authorize(httpRequest, httpResponse);
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debugv("Policy enforcement result for path [{0}] is : {1}", httpRequest.getURI(), authorize.isGranted() ? "GRANTED" : "DENIED");
            LOGGER.debugv("Returning authorization context with permissions:", new Object[0]);
            Iterator it = authorize.getPermissions().iterator();
            while (it.hasNext()) {
                LOGGER.debug((Permission) it.next());
            }
        }
        return authorize;
    }

    public HttpClient getHttpClient() {
        return this.httpClient;
    }

    public AuthzClient getAuthzClient() {
        return this.authzClient;
    }

    public Map<String, PolicyEnforcerConfig.PathConfig> getPaths() {
        return Collections.unmodifiableMap(this.paths);
    }

    public Map<String, ClaimInformationPointProviderFactory> getClaimInformationPointProviderFactories() {
        return this.claimInformationPointProviderFactories;
    }

    public PathConfigMatcher getPathMatcher() {
        return this.pathMatcher;
    }

    private AuthorizationContext authorize(HttpRequest httpRequest, HttpResponse httpResponse) {
        PolicyEnforcerConfig.EnforcementMode enforcementMode = this.enforcerConfig.getEnforcementMode();
        TokenPrincipal principal = httpRequest.getPrincipal();
        boolean z = principal == null || principal.getRawToken() == null;
        if (PolicyEnforcerConfig.EnforcementMode.DISABLED.equals(enforcementMode)) {
            if (z) {
                httpResponse.sendError(401, "Invalid bearer");
            }
            return createEmptyAuthorizationContext(true);
        }
        PolicyEnforcerConfig.PathConfig pathConfig = getPathConfig(httpRequest);
        if (z) {
            if (!isDefaultAccessDeniedUri(httpRequest)) {
                if (pathConfig == null) {
                    handleAccessDenied(httpResponse);
                } else {
                    if (PolicyEnforcerConfig.EnforcementMode.DISABLED.equals(pathConfig.getEnforcementMode())) {
                        return createEmptyAuthorizationContext(true);
                    }
                    challenge(pathConfig, getRequiredScopes(pathConfig, httpRequest), httpRequest, httpResponse);
                }
            }
            return createEmptyAuthorizationContext(false);
        }
        AccessToken token = principal.getToken();
        if (token != null) {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debugf("Checking permissions for path [%s] with config [%s].", httpRequest.getURI(), pathConfig);
            }
            if (pathConfig == null) {
                if (PolicyEnforcerConfig.EnforcementMode.PERMISSIVE.equals(enforcementMode)) {
                    return createAuthorizationContext(token, null);
                }
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debugf("Could not find a configuration for path [%s]", getPath(httpRequest));
                }
                if (isDefaultAccessDeniedUri(httpRequest)) {
                    return createAuthorizationContext(token, null);
                }
                handleAccessDenied(httpResponse);
                return createEmptyAuthorizationContext(false);
            }
            if (PolicyEnforcerConfig.EnforcementMode.DISABLED.equals(pathConfig.getEnforcementMode())) {
                return createAuthorizationContext(token, pathConfig);
            }
            PolicyEnforcerConfig.MethodConfig requiredScopes = getRequiredScopes(pathConfig, httpRequest);
            Map<String, List<String>> resolveClaims = resolveClaims(pathConfig, httpRequest);
            if (isAuthorized(pathConfig, requiredScopes, token, httpRequest, resolveClaims)) {
                try {
                    return createAuthorizationContext(token, pathConfig);
                } catch (Exception e) {
                    throw new RuntimeException("Error processing path [" + pathConfig.getPath() + "].", e);
                }
            }
            AccessToken requestAuthorizationToken = requestAuthorizationToken(pathConfig, requiredScopes, httpRequest, resolveClaims);
            if (requestAuthorizationToken != null) {
                AccessToken.Authorization authorization = token.getAuthorization();
                if (authorization == null) {
                    authorization = new AccessToken.Authorization();
                    authorization.setPermissions(new ArrayList());
                }
                AccessToken.Authorization authorization2 = requestAuthorizationToken.getAuthorization();
                if (authorization2 != null) {
                    Collection permissions = authorization.getPermissions();
                    for (Permission permission : authorization2.getPermissions()) {
                        if (!permissions.contains(permission)) {
                            permissions.add(permission);
                        }
                    }
                }
                token.setAuthorization(authorization);
                if (isAuthorized(pathConfig, requiredScopes, requestAuthorizationToken, httpRequest, resolveClaims)) {
                    try {
                        return createAuthorizationContext(requestAuthorizationToken, pathConfig);
                    } catch (Exception e2) {
                        throw new RuntimeException("Error processing path [" + pathConfig.getPath() + "].", e2);
                    }
                }
            }
            if (requiredScopes != null && PolicyEnforcerConfig.ScopeEnforcementMode.DISABLED.equals(requiredScopes.getScopesEnforcementMode())) {
                return createEmptyAuthorizationContext(true);
            }
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debugf("Sending challenge to the client. Path [%s]", pathConfig);
            }
            if (!challenge(pathConfig, requiredScopes, httpRequest, httpResponse)) {
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debugf("Challenge not sent, sending default forbidden response. Path [%s]", pathConfig);
                }
                handleAccessDenied(httpResponse);
            }
        }
        return createEmptyAuthorizationContext(false);
    }

    protected boolean isAuthorized(PolicyEnforcerConfig.PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, AccessToken accessToken, HttpRequest httpRequest, Map<String, List<String>> map) {
        if (isDefaultAccessDeniedUri(httpRequest)) {
            return true;
        }
        AccessToken.Authorization authorization = accessToken.getAuthorization();
        if (authorization == null) {
            return false;
        }
        boolean z = false;
        Collection<Permission> permissions = authorization.getPermissions();
        for (Permission permission : permissions) {
            if (permission.getResourceId() == null) {
                if (hasResourceScopePermission(methodConfig, permission)) {
                    return true;
                }
            } else if (isResourcePermission(pathConfig, permission)) {
                z = true;
                if (!pathConfig.isInstance() || matchResourcePermission(pathConfig, permission)) {
                    if (hasResourceScopePermission(methodConfig, permission)) {
                        if (LOGGER.isDebugEnabled()) {
                            LOGGER.debugf("Authorization GRANTED for path [%s]. Permissions [%s].", pathConfig, permissions);
                        }
                        if (HTTP_METHOD_DELETE.equalsIgnoreCase(httpRequest.getMethod()) && pathConfig.isInstance()) {
                            this.pathMatcher.removeFromCache(getPath(httpRequest));
                        }
                        return hasValidClaims(permission, map);
                    }
                }
            } else {
                continue;
            }
        }
        if (!z && PolicyEnforcerConfig.EnforcementMode.PERMISSIVE.equals(pathConfig.getEnforcementMode())) {
            return true;
        }
        if (!LOGGER.isDebugEnabled()) {
            return false;
        }
        LOGGER.debugf("Authorization FAILED for path [%s]. Not enough permissions [%s].", pathConfig, permissions);
        return false;
    }

    protected Map<String, List<String>> resolveClaims(PolicyEnforcerConfig.PathConfig pathConfig, HttpRequest httpRequest) {
        HashMap hashMap = new HashMap();
        resolveClaims(hashMap, this.enforcerConfig.getClaimInformationPointConfig(), httpRequest);
        resolveClaims(hashMap, pathConfig.getClaimInformationPointConfig(), httpRequest);
        return hashMap;
    }

    protected boolean challenge(PolicyEnforcerConfig.PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, HttpRequest httpRequest, HttpResponse httpResponse) {
        if (!isBearerAuthorization(httpRequest)) {
            handleAccessDenied(httpResponse);
            return true;
        }
        String permissionTicket = getPermissionTicket(pathConfig, methodConfig, this.authzClient, httpRequest);
        if (permissionTicket != null) {
            httpResponse.sendError(401);
            httpResponse.setHeader("WWW-Authenticate", "UMA realm=\"" + this.authzClient.getConfiguration().getRealm() + "\",as_uri=\"" + this.authzClient.getServerConfiguration().getIssuer() + "\",ticket=\"" + permissionTicket + "\"");
        } else {
            httpResponse.sendError(403);
        }
        if (!LOGGER.isDebugEnabled()) {
            return true;
        }
        LOGGER.debug("Sending challenge");
        return true;
    }

    protected void handleAccessDenied(HttpResponse httpResponse) {
        String onDenyRedirectTo = this.enforcerConfig.getOnDenyRedirectTo();
        if (onDenyRedirectTo == null) {
            httpResponse.sendError(403);
        } else {
            httpResponse.sendError(302);
            httpResponse.setHeader("Location", onDenyRedirectTo);
        }
    }

    private boolean hasValidClaims(Permission permission, Map<String, List<String>> map) {
        Map claims = permission.getClaims();
        if (claims == null) {
            return true;
        }
        if (map.isEmpty()) {
            return false;
        }
        for (Map.Entry entry : claims.entrySet()) {
            List<String> list = map.get(entry.getKey());
            if (list == null || list.isEmpty() || !((Set) entry.getValue()).containsAll(list)) {
                return false;
            }
        }
        return true;
    }

    private boolean isDefaultAccessDeniedUri(HttpRequest httpRequest) {
        String onDenyRedirectTo = this.enforcerConfig.getOnDenyRedirectTo();
        return onDenyRedirectTo != null && httpRequest.getURI().contains(onDenyRedirectTo);
    }

    private boolean hasResourceScopePermission(PolicyEnforcerConfig.MethodConfig methodConfig, Permission permission) {
        List scopes = methodConfig.getScopes();
        Set scopes2 = permission.getScopes();
        if (scopes2.isEmpty()) {
            return true;
        }
        PolicyEnforcerConfig.ScopeEnforcementMode scopesEnforcementMode = methodConfig.getScopesEnforcementMode();
        if (PolicyEnforcerConfig.ScopeEnforcementMode.ALL.equals(scopesEnforcementMode)) {
            return scopes2.containsAll(scopes);
        }
        if (PolicyEnforcerConfig.ScopeEnforcementMode.ANY.equals(scopesEnforcementMode)) {
            Iterator it = scopes.iterator();
            while (it.hasNext()) {
                if (scopes2.contains((String) it.next())) {
                    return true;
                }
            }
        }
        return scopes.isEmpty();
    }

    private AuthorizationContext createEmptyAuthorizationContext(final boolean z) {
        return new ClientAuthorizationContext(this.authzClient) { // from class: org.keycloak.adapters.authorization.PolicyEnforcer.1
            public boolean hasPermission(String str, String str2) {
                return z;
            }

            public boolean hasResourcePermission(String str) {
                return z;
            }

            public boolean hasScopePermission(String str) {
                return z;
            }

            public List<Permission> getPermissions() {
                return Collections.EMPTY_LIST;
            }

            public boolean isGranted() {
                return z;
            }
        };
    }

    private String getPath(HttpRequest httpRequest) {
        return httpRequest.getRelativePath();
    }

    private PolicyEnforcerConfig.MethodConfig getRequiredScopes(PolicyEnforcerConfig.PathConfig pathConfig, HttpRequest httpRequest) {
        String method = httpRequest.getMethod();
        for (PolicyEnforcerConfig.MethodConfig methodConfig : pathConfig.getMethods()) {
            if (methodConfig.getMethod().equals(method)) {
                return methodConfig;
            }
        }
        PolicyEnforcerConfig.MethodConfig methodConfig2 = new PolicyEnforcerConfig.MethodConfig();
        methodConfig2.setMethod(httpRequest.getMethod());
        ArrayList arrayList = new ArrayList();
        if (Boolean.TRUE.equals(this.enforcerConfig.getHttpMethodAsScope())) {
            arrayList.add(httpRequest.getMethod());
        } else {
            arrayList.addAll(pathConfig.getScopes());
        }
        methodConfig2.setScopes(arrayList);
        methodConfig2.setScopesEnforcementMode(PolicyEnforcerConfig.ScopeEnforcementMode.ANY);
        return methodConfig2;
    }

    private AuthorizationContext createAuthorizationContext(AccessToken accessToken, PolicyEnforcerConfig.PathConfig pathConfig) {
        return new ClientAuthorizationContext(accessToken, pathConfig, this.authzClient);
    }

    private boolean isResourcePermission(PolicyEnforcerConfig.PathConfig pathConfig, Permission permission) {
        boolean matchResourcePermission = matchResourcePermission(pathConfig, permission);
        if (!matchResourcePermission && pathConfig.isInstance()) {
            matchResourcePermission = matchResourcePermission(pathConfig.getParentConfig(), permission);
        }
        return matchResourcePermission;
    }

    private boolean matchResourcePermission(PolicyEnforcerConfig.PathConfig pathConfig, Permission permission) {
        return permission.getResourceId().equals(pathConfig.getId());
    }

    private PolicyEnforcerConfig.PathConfig getPathConfig(HttpRequest httpRequest) {
        if (isDefaultAccessDeniedUri(httpRequest)) {
            return null;
        }
        return this.pathMatcher.m1matches(getPath(httpRequest));
    }

    private AccessToken requestAuthorizationToken(PolicyEnforcerConfig.PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, HttpRequest httpRequest, Map<String, List<String>> map) {
        AuthorizationResponse authorize;
        if (this.enforcerConfig.getUserManagedAccess() != null) {
            return null;
        }
        try {
            TokenPrincipal principal = httpRequest.getPrincipal();
            String rawToken = principal.getRawToken();
            AccessToken token = principal.getToken();
            AuthorizationRequest authorizationRequest = new AuthorizationRequest();
            if (isBearerAuthorization(httpRequest) || token.getAuthorization() != null) {
                authorizationRequest.addPermission(pathConfig.getId(), methodConfig.getScopes());
            }
            if (!map.isEmpty()) {
                authorizationRequest.setClaimTokenFormat("urn:ietf:params:oauth:token-type:jwt");
                authorizationRequest.setClaimToken(Base64.encodeBytes(JsonSerialization.writeValueAsBytes(map)));
            }
            if (token.getAuthorization() != null) {
                authorizationRequest.setRpt(rawToken);
            }
            LOGGER.debug("Obtaining authorization for authenticated user.");
            if (isBearerAuthorization(httpRequest)) {
                authorizationRequest.setSubjectToken(rawToken);
                authorize = this.authzClient.authorization().authorize(authorizationRequest);
            } else {
                authorize = this.authzClient.authorization(rawToken).authorize(authorizationRequest);
            }
            if (authorize != null) {
                return JsonUtils.asAccessToken(authorize.getToken());
            }
            return null;
        } catch (AuthorizationDeniedException e) {
            LOGGER.debug("Authorization denied", e);
            return null;
        } catch (Exception e2) {
            LOGGER.debug("Authorization failed", e2);
            return null;
        }
    }

    private String getPermissionTicket(PolicyEnforcerConfig.PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, AuthzClient authzClient, HttpRequest httpRequest) {
        if (this.enforcerConfig.getUserManagedAccess() == null) {
            return null;
        }
        PermissionResource permission = authzClient.protection().permission();
        PermissionRequest permissionRequest = new PermissionRequest();
        permissionRequest.setResourceId(pathConfig.getId());
        permissionRequest.setScopes(new HashSet(methodConfig.getScopes()));
        Map<String, List<String>> resolveClaims = resolveClaims(pathConfig, httpRequest);
        if (!resolveClaims.isEmpty()) {
            permissionRequest.setClaims(resolveClaims);
        }
        return permission.create(permissionRequest).getTicket();
    }

    private boolean isBearerAuthorization(HttpRequest httpRequest) {
        List<String> headers = httpRequest.getHeaders("Authorization");
        if (headers != null) {
            Iterator<String> it = headers.iterator();
            while (it.hasNext()) {
                String[] split = it.next().trim().split("\\s+");
                if (split != null && split.length == 2 && split[0].equalsIgnoreCase("Bearer")) {
                    return true;
                }
            }
        }
        return this.authzClient.getConfiguration().isBearerOnly();
    }

    private void loadClaimInformationPointProviders(ServiceLoader<ClaimInformationPointProviderFactory> serviceLoader) {
        Iterator<ClaimInformationPointProviderFactory> it = serviceLoader.iterator();
        while (it.hasNext()) {
            ClaimInformationPointProviderFactory next = it.next();
            next.init(this);
            this.claimInformationPointProviderFactories.put(next.getName(), next);
        }
    }

    private void resolveClaims(Map<String, List<String>> map, Map<String, Map<String, Object>> map2, HttpRequest httpRequest) {
        if (map2 != null) {
            for (Map.Entry<String, Map<String, Object>> entry : map2.entrySet()) {
                ClaimInformationPointProviderFactory claimInformationPointProviderFactory = this.claimInformationPointProviderFactories.get(entry.getKey());
                if (claimInformationPointProviderFactory != null) {
                    map.putAll(claimInformationPointProviderFactory.create(entry.getValue()).resolve(httpRequest));
                }
            }
        }
    }
}
