package org.keycloak.adapters.authorization;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.RSATokenVerifier;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.OIDCHttpFacade;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.authorization.client.AuthorizationDeniedException;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.representation.AuthorizationRequest;
import org.keycloak.authorization.client.representation.AuthorizationResponse;
import org.keycloak.authorization.client.representation.EntitlementRequest;
import org.keycloak.authorization.client.representation.PermissionRequest;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;

/* loaded from: input_file:org/keycloak/adapters/authorization/KeycloakAdapterPolicyEnforcer.class */
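/**
 * Policy enforcer used by the Keycloak OIDC adapters.
 *
 * <p>When the permissions already carried by the caller's access token do not satisfy
 * the requested path and scopes, an RPT is requested from the Keycloak authorization
 * server (UMA authorization endpoint when a UMA protocol config is present, otherwise
 * the entitlement endpoint). The returned RPT is verified against the deployment's
 * realm public key before any of its permissions are trusted, and the request is
 * evaluated once more with the granted permissions.
 */
public class KeycloakAdapterPolicyEnforcer extends AbstractPolicyEnforcer {
    private static final Logger LOGGER = Logger.getLogger(KeycloakAdapterPolicyEnforcer.class);

    /** Evaluation attempts: the token as presented, then one retry with a freshly obtained RPT. */
    private static final int MAX_ATTEMPTS = 2;

    public KeycloakAdapterPolicyEnforcer(PolicyEnforcer policyEnforcer) {
        super(policyEnforcer);
    }

    /**
     * Decides whether the current request is authorized for {@code pathConfig} and the
     * requested scopes, obtaining an RPT from the authorization server when the token
     * presented by the caller is not sufficient.
     *
     * <p>Permissions granted by a newly obtained RPT are merged into the caller's token
     * ({@code accessToken}), so the caller sees the permissions that were actually granted.
     *
     * @param pathConfig      enforcer configuration for the matched path
     * @param set             scopes required for this request
     * @param accessToken     the caller's access token (mutated: its authorization is updated
     *                        with any permissions granted during this evaluation)
     * @param oIDCHttpFacade  facade for the current request/response and security context
     * @return {@code true} if the request is permitted; {@code false} if the authorization
     *         server denied it, returned nothing, or the retry still does not satisfy the policy
     * @throws RuntimeException if the authorization request fails for a reason other than denial
     */
    // Decompiler note: the superclass declares this method protected; widening to public is a
    // legal override and is kept as found.
    @Override // org.keycloak.adapters.authorization.AbstractPolicyEnforcer
    public boolean isAuthorized(PolicyEnforcerConfig.PathConfig pathConfig, Set<String> set, AccessToken accessToken, OIDCHttpFacade oIDCHttpFacade) {
        AccessToken original = accessToken;
        AccessToken current = accessToken;
        for (int attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
            if (super.isAuthorized(pathConfig, set, current, oIDCHttpFacade)) {
                return true;
            }
            current = requestAuthorizationToken(pathConfig, set, oIDCHttpFacade);
            if (current == null) {
                // Denied, or no RPT returned: the caller issues the challenge.
                return false;
            }
            // The decompiled code merged the new token's permissions into itself (duplicating
            // them) and never updated the caller's token; merge into the caller's token instead.
            mergePermissions(original, current);
        }
        return false;
    }

    /**
     * Appends the permissions carried by {@code source} to the authorization of {@code target},
     * creating an empty authorization/permission list on {@code target} when it has none.
     *
     * @param target token whose authorization is updated in place
     * @param source freshly verified RPT whose permissions are to be added
     */
    private static void mergePermissions(AccessToken target, AccessToken source) {
        AccessToken.Authorization merged = target.getAuthorization();
        if (merged == null) {
            merged = new AccessToken.Authorization();
        }
        if (merged.getPermissions() == null) {
            merged.setPermissions(new ArrayList<>());
        }
        AccessToken.Authorization granted = source.getAuthorization();
        if (granted != null && granted.getPermissions() != null) {
            merged.getPermissions().addAll(granted.getPermissions());
        }
        target.setAuthorization(merged);
    }

    /**
     * Responds to an unauthorized request: 403 when no access-denied page is configured,
     * otherwise a 302 redirect to the configured {@code accessDeniedPath}.
     *
     * @return always {@code true}: the response has been written and the request must not
     *         proceed to the protected resource
     */
    @Override // org.keycloak.adapters.authorization.AbstractPolicyEnforcer
    protected boolean challenge(PolicyEnforcerConfig.PathConfig pathConfig, Set<String> set, OIDCHttpFacade oIDCHttpFacade) {
        String accessDeniedPath = getEnforcerConfig().getAccessDeniedPath();
        HttpFacade.Response response = oIDCHttpFacade.getResponse();
        if (accessDeniedPath == null) {
            response.sendError(403);
        } else {
            response.setStatus(302);
            response.setHeader("Location", accessDeniedPath);
        }
        return true;
    }

    /**
     * Requests an RPT for the current user from the authorization server and verifies it.
     *
     * <p>With a UMA protocol config: registers a permission ticket for the path's resource and
     * the requested scopes, then exchanges it at the authorization endpoint. Otherwise: uses the
     * entitlement endpoint, asking for all entitlements when the caller's token carries no
     * authorization yet, or only for the path's resource/scopes when it already does.
     *
     * <p>Every RPT is verified with {@link RSATokenVerifier} against the deployment's realm key
     * and realm info URL before being returned.
     *
     * @return the verified RPT, or {@code null} when the server denied the request or
     *         returned no authorization response
     * @throws RuntimeException wrapping any failure other than an explicit denial
     */
    private AccessToken requestAuthorizationToken(PolicyEnforcerConfig.PathConfig pathConfig, Set<String> set, OIDCHttpFacade oIDCHttpFacade) {
        try {
            String tokenString = oIDCHttpFacade.getSecurityContext().getTokenString();
            AuthzClient authzClient = getAuthzClient();
            KeycloakDeployment deployment = getPolicyEnforcer().getDeployment();
            String clientId = authzClient.getConfiguration().getClientId();

            if (getEnforcerConfig().getUmaProtocolConfig() != null) {
                LOGGER.debug("Obtaining authorization for  authenticated user.");
                PermissionRequest permissionRequest = new PermissionRequest();
                permissionRequest.setResourceSetId(pathConfig.getId());
                permissionRequest.setScopes(set);
                String ticket = authzClient.protection().permission().forResource(permissionRequest).getTicket();
                AuthorizationResponse authorize = authzClient.authorization(tokenString).authorize(new AuthorizationRequest(ticket));
                if (authorize == null) {
                    return null;
                }
                return RSATokenVerifier.verifyToken(authorize.getRpt(), deployment.getRealmKey(), deployment.getRealmInfoUrl());
            }

            LOGGER.debug("Obtaining entitlements for authenticated user.");
            if (oIDCHttpFacade.getSecurityContext().getToken().getAuthorization() == null) {
                // No permissions known yet: fetch every entitlement the user has for this client.
                return RSATokenVerifier.verifyToken(authzClient.entitlement(tokenString).getAll(clientId).getRpt(), deployment.getRealmKey(), deployment.getRealmInfoUrl());
            }
            // Token already carries permissions: ask only for the matched path's resource/scopes.
            EntitlementRequest entitlementRequest = new EntitlementRequest();
            PermissionRequest pathPermission = new PermissionRequest();
            pathPermission.setResourceSetId(pathConfig.getId());
            pathPermission.setResourceSetName(pathConfig.getName());
            pathPermission.setScopes(new HashSet<>(pathConfig.getScopes()));
            entitlementRequest.addPermission(pathPermission);
            return RSATokenVerifier.verifyToken(authzClient.entitlement(tokenString).get(clientId, entitlementRequest).getRpt(), deployment.getRealmKey(), deployment.getRealmInfoUrl());
        } catch (AuthorizationDeniedException denied) {
            // The narrower catch must precede the generic one; in the decompiled ordering the
            // denial clause was unreachable and denials were wrapped as RuntimeException.
            LOGGER.debug("Authorization request denied by the authorization server.");
            return null;
        } catch (Exception e) {
            throw new RuntimeException("Unexpected error during authorization request.", e);
        }
    }
}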
