package org.pac4j.oidc.authorization.generator;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import net.minidev.json.JSONArray;
import net.minidev.json.JSONObject;
import org.pac4j.core.authorization.generator.AuthorizationGenerator;
import org.pac4j.core.context.WebContext;
import org.pac4j.oidc.profile.keycloak.KeycloakOidcProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/pac4j/oidc/authorization/generator/KeycloakRolesAuthorizationGenerator.class */
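/**
 * Copies Keycloak roles from the profile's access token onto the profile.
 *
 * <p>Two claims are read: {@code realm_access.roles} (always) and
 * {@code resource_access.<clientId>.roles} (only when a client id was configured).
 *
 * <p>Security note: the access token is only <em>decoded</em> here. {@code SignedJWT.parse}
 * does not check the signature, issuer, audience or expiry, and nothing in this class does
 * either. The roles added here feed authorization decisions, so this generator is only safe
 * when the token has been obtained or validated by a trusted step before it runs.
 * NOTE(review): confirm that the surrounding OIDC flow guarantees this for every way a
 * {@code KeycloakOidcProfile} can reach this generator.
 */
public class KeycloakRolesAuthorizationGenerator implements AuthorizationGenerator<KeycloakOidcProfile> {
    private static final Logger LOGGER = LoggerFactory.getLogger(KeycloakRolesAuthorizationGenerator.class);

    /** Key looked up under {@code resource_access}; {@code null} disables client-level roles. */
    private final String clientId;

    /**
     * @param str the Keycloak client id whose client-level roles should be added, or
     *            {@code null} to add realm roles only
     */
    public KeycloakRolesAuthorizationGenerator(String str) {
        this.clientId = str;
    }

    /**
     * Adds the realm roles and, if a client id is configured, that client's roles to the profile.
     *
     * <p>This is best-effort: any failure (missing access token, value that is not a parsable
     * signed JWT, claim of an unexpected type) is logged at WARN level and the profile is
     * returned with whatever roles had been added up to that point. A claim that is simply
     * absent is not a failure and does not prevent the other claim from being processed.
     *
     * @param webContext          the current web context (not used by this generator)
     * @param keycloakOidcProfile the profile carrying the access token; roles are added to it
     * @return the same profile instance
     */
    public KeycloakOidcProfile generate(WebContext webContext, KeycloakOidcProfile keycloakOidcProfile) {
        try {
            // Decodes the JWT payload only; see the class-level security note.
            JWTClaimsSet claims = SignedJWT.parse(keycloakOidcProfile.getAccessToken().getValue()).getJWTClaimsSet();

            // A token without "realm_access" used to raise a NullPointerException here, which
            // the catch below swallowed, silently dropping the client roles as well.
            addRoles(keycloakOidcProfile, claims.getJSONObjectClaim("realm_access"));

            if (this.clientId != null) {
                JSONObject resourceAccess = claims.getJSONObjectClaim("resource_access");
                if (resourceAccess != null) {
                    addRoles(keycloakOidcProfile, (JSONObject) resourceAccess.get(this.clientId));
                }
            }
        } catch (Exception e) {
            // Deliberately broad: role extraction must never break the login flow. The result
            // of a failure is a profile with fewer roles, never more.
            LOGGER.warn("Cannot parse Keycloak roles", e);
        }
        return keycloakOidcProfile;
    }

    /**
     * Adds every entry of {@code access.roles} to the profile as a role.
     *
     * @param profile the profile to add roles to
     * @param access  a {@code realm_access}-style object, or {@code null} when the claim is absent
     * @throws ClassCastException if {@code roles} is not a JSON array or holds a non-string entry;
     *                            roles preceding the offending entry have already been added
     */
    private static void addRoles(KeycloakOidcProfile profile, JSONObject access) {
        if (access == null) {
            return;
        }
        JSONArray roles = (JSONArray) access.get("roles");
        if (roles == null) {
            return;
        }
        for (Object role : roles) {
            profile.addRole((String) role);
        }
    }
}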
