package org.keycloak.authorization.protection;

import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.admin.ResourceSetService;
import org.keycloak.authorization.common.KeycloakIdentity;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.protection.permission.PermissionService;
import org.keycloak.authorization.protection.permission.PermissionTicketService;
import org.keycloak.authorization.protection.policy.UserManagedPermissionService;
import org.keycloak.authorization.protection.resource.ResourceService;
import org.keycloak.common.ClientConnection;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.resources.admin.AdminAuth;
import org.keycloak.services.resources.admin.AdminEventBuilder;

/* loaded from: input_file:org/keycloak/authorization/protection/ProtectionService.class */
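public class ProtectionService {

    /**
     * Client role on the resource server's client that a bearer must hold before it may
     * use the resource-set registration endpoint (see {@link #resource()}).
     */
    private static final String UMA_PROTECTION_ROLE = "uma_protection";

    @Context
    private KeycloakSession session;
    private final AuthorizationProvider authorization;

    @Context
    protected ClientConnection clientConnection;

    /**
     * @param authorizationProvider provider giving access to the realm, the session and the
     *                              authorization store factory used by every sub-resource
     */
    public ProtectionService(AuthorizationProvider authorizationProvider) {
        this.authorization = authorizationProvider;
    }

    /**
     * Sub-resource for the UMA resource-set registration endpoint.
     *
     * <p>Unlike the other sub-resources, the caller must hold the {@code uma_protection}
     * client role on the resource server's client; otherwise a 403 is raised before any
     * resource is touched.
     *
     * @return the injected {@link ResourceService} bound to the caller's resource server
     * @throws ErrorResponseException if the caller lacks the role, the token's client does not
     *                                exist, or that client is not a resource server
     */
    @Path("/resource_set")
    public Object resource() {
        KeycloakIdentity identity = createIdentity(true);
        ResourceServer resourceServer = getResourceServer(identity);
        ResourceSetService resourceSetService = inject(new ResourceSetService(this.session, resourceServer, this.authorization, null, createAdminEventBuilder(identity, resourceServer)));
        return inject(new ResourceService(this.session, resourceServer, identity, resourceSetService));
    }

    /**
     * Builds the admin-event builder used to audit changes made through the protection API.
     *
     * <p>The admin "actor" is the resource server's service account, authenticated with the
     * caller's access token, so audit entries are attributed to the client rather than to an
     * end user.
     *
     * @param identity       the caller's identity; only its access token is used here
     * @param resourceServer the resource server whose client owns the events
     * @return an event builder pre-populated with realm, auth client and auth user
     */
    private AdminEventBuilder createAdminEventBuilder(KeycloakIdentity identity, ResourceServer resourceServer) {
        RealmModel realm = this.authorization.getRealm();
        ClientModel client = realm.getClientById(resourceServer.getClientId());
        KeycloakSession keycloakSession = this.authorization.getKeycloakSession();
        UserModel serviceAccount = keycloakSession.users().getServiceAccount(client);
        AdminAuth adminAuth = new AdminAuth(realm, identity.getAccessToken(), serviceAccount, client);
        return new AdminEventBuilder(realm, adminAuth, keycloakSession, this.clientConnection)
                .realm(realm)
                .authClient(client)
                .authUser(serviceAccount);
    }

    /**
     * Sub-resource for permission requests.
     *
     * <p>No {@code uma_protection} role check is applied here: the identity is only resolved
     * and the resource server looked up from the token's issuing client. Any further
     * authorization is left to {@link PermissionService}.
     *
     * @return the injected {@link PermissionService}
     * @throws ErrorResponseException if the token's client does not exist or is not a resource server
     */
    @Path("/permission")
    public Object permission() {
        KeycloakIdentity identity = createIdentity(false);
        return inject(new PermissionService(identity, getResourceServer(identity), this.authorization));
    }

    /**
     * Sub-resource for permission tickets.
     *
     * <p>As with {@link #permission()}, no role check is applied at this level.
     *
     * @return the injected {@link PermissionTicketService}
     * @throws ErrorResponseException if the token's client does not exist or is not a resource server
     */
    @Path("/permission/ticket")
    public Object ticket() {
        KeycloakIdentity identity = createIdentity(false);
        return inject(new PermissionTicketService(identity, getResourceServer(identity), this.authorization));
    }

    /**
     * Sub-resource for user-managed (UMA) policies.
     *
     * <p>The resource server is resolved once and shared between the service and its admin
     * event builder; resolving it twice only repeated the same store lookup and error path.
     * No role check is applied at this level.
     *
     * @return the injected {@link UserManagedPermissionService}
     * @throws ErrorResponseException if the token's client does not exist or is not a resource server
     */
    @Path("/uma-policy")
    public Object policy() {
        KeycloakIdentity identity = createIdentity(false);
        ResourceServer resourceServer = getResourceServer(identity);
        AdminEventBuilder adminEvent = createAdminEventBuilder(identity, resourceServer);
        return inject(new UserManagedPermissionService(identity, resourceServer, this.authorization, adminEvent));
    }

    /**
     * Resolves the caller's identity from the current session.
     *
     * @param requireProtectionRole when {@code true}, additionally require the
     *                              {@code uma_protection} client role on the resource server's client
     * @return the caller's identity
     * @throws ErrorResponseException with 403 {@code invalid_scope} when the role is required but
     *                                absent; also whatever {@link #getResourceServer} raises
     */
    private KeycloakIdentity createIdentity(boolean requireProtectionRole) {
        KeycloakIdentity identity = new KeycloakIdentity(this.authorization.getKeycloakSession());
        if (!requireProtectionRole) {
            return identity;
        }
        // The role is checked against the resource server's own client, not against an
        // arbitrary client named in the token, so a token for another client cannot satisfy it.
        RealmModel realm = this.authorization.getKeycloakSession().getContext().getRealm();
        ClientModel resourceServerClient = realm.getClientById(getResourceServer(identity).getClientId());
        if (identity.hasClientRole(resourceServerClient.getClientId(), UMA_PROTECTION_ROLE)) {
            return identity;
        }
        throw new ErrorResponseException("invalid_scope", "Requires uma_protection scope.", Response.Status.FORBIDDEN);
    }

    /**
     * Looks up the resource server that the caller's access token was issued for.
     *
     * <p>The token's issued-for value is tried first as a client id and then as an internal
     * client id, so both forms are accepted. A client that exists but is not registered as a
     * resource server is rejected with 403 rather than 400, distinguishing "unknown client"
     * from "known client without a resource server".
     *
     * @param identity the caller's identity, whose access token carries the issued-for client
     * @return the matching resource server, never {@code null}
     * @throws ErrorResponseException 400 {@code invalid_clientId} if no client matches;
     *                                403 {@code invalid_clientId} if the client is not a resource server
     */
    private ResourceServer getResourceServer(KeycloakIdentity identity) {
        // NOTE(review): issuedFor may be null for tokens without that claim; both lookups are
        // then attempted with null — confirm they simply return null in that case.
        String issuedFor = identity.getAccessToken().getIssuedFor();
        RealmModel realm = this.authorization.getKeycloakSession().getContext().getRealm();
        ClientModel client = realm.getClientByClientId(issuedFor);
        if (client == null) {
            client = realm.getClientById(issuedFor);
        }
        if (client == null) {
            throw new ErrorResponseException("invalid_clientId", "Client application with id [" + issuedFor + "] does not exist in realm [" + realm.getName() + "]", Response.Status.BAD_REQUEST);
        }
        ResourceServer resourceServer = this.authorization.getStoreFactory().getResourceServerStore().findByClient(client);
        if (resourceServer == null) {
            throw new ErrorResponseException("invalid_clientId", "Client application [" + client.getClientId() + "] is not registered as a resource server.", Response.Status.FORBIDDEN);
        }
        return resourceServer;
    }

    /**
     * Runs RESTEasy property injection on a freshly built sub-resource and returns it, so each
     * endpoint can build, inject and return in one expression.
     *
     * @param target the sub-resource whose {@code @Context} fields need injecting
     * @param <T>    the sub-resource type
     * @return {@code target}, after injection
     */
    private static <T> T inject(T target) {
        ResteasyProviderFactory.getInstance().injectProperties(target);
        return target;
    }
}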
