package org.keycloak.authorization.authorization;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.BiFunction;
import java.util.stream.Collectors;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.common.DefaultEvaluationContext;
import org.keycloak.authorization.common.KeycloakIdentity;
import org.keycloak.authorization.model.PermissionTicket;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.EvaluationContext;
import org.keycloak.authorization.policy.evaluation.PermissionTicketAwareDecisionResultCollector;
import org.keycloak.authorization.store.ResourceServerStore;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.authorization.util.Permissions;
import org.keycloak.authorization.util.Tokens;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.common.util.Base64Url;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.UserSessionProvider;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionTicketToken;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.resources.Cors;
import org.keycloak.services.util.DefaultClientSessionContext;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.RootAuthenticationSessionModel;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/authorization/authorization/AuthorizationTokenService.class */
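/**
 * Evaluates an authorization request against a resource server's policies and answers with, depending on
 * {@code response_mode}, a token carrying the granted permissions (an RPT), the bare list of granted
 * permissions, or a yes/no decision.
 *
 * <p>Input handling that matters for security: the permission ticket is decoded and verified through the
 * session's token manager before it is used, public clients may not push claims unless they present a
 * ticket, client-visible error descriptions are deliberately generic, and unexpected failures are logged
 * server-side and reported only as {@code server_error}.
 *
 * <p>Changes against the previous version of this file: the null-request guard no longer dereferences the
 * null request; the two error handlers of {@link #authorize} and of the claim-token factories are siblings
 * again (the nested form routed every client error into the generic handler); a missing user session is
 * rejected with a client error instead of a NullPointerException; raw types and non-compilable decompiler
 * artifacts were replaced; {@link #createPermissions} was split into helpers.
 */
public class AuthorizationTokenService {

    /** Claim-token format identifier for OpenID Connect ID tokens; also the default when none is given. */
    public static final String CLAIM_TOKEN_FORMAT_ID_TOKEN = "http://openid.net/specs/openid-connect-core-1_0.html#IDToken";

    /** Claim-token format whose claims arrive base64url-encoded in {@code claim_token}. */
    private static final String CLAIM_TOKEN_FORMAT_JWT = "urn:ietf:params:oauth:token-type:jwt";

    // response_mode values understood by authorize(); anything else is rejected as invalid_request
    private static final String RESPONSE_MODE_DECISION = "decision";
    private static final String RESPONSE_MODE_PERMISSIONS = "permissions";
    private static final String RESPONSE_MODE_DECISION_RESULT = "result";

    // resource_id prefixes that select resources by type instead of by id or name
    private static final String RESOURCE_TYPE_PREFIX = "resource-type:";
    private static final String RESOURCE_TYPE_ANY_PREFIX = "resource-type-any:";
    private static final String RESOURCE_TYPE_INSTANCE_PREFIX = "resource-type-instance:";
    private static final String RESOURCE_TYPE_OWNER_PREFIX = "resource-type-owner:";

    private static final AuthorizationTokenService INSTANCE;
    private static final Logger logger = Logger.getLogger(AuthorizationTokenService.class);

    /** claim_token_format -> factory producing the evaluation context (identity plus pushed claims) for a request. */
    private static final Map<String, BiFunction<KeycloakAuthorizationRequest, AuthorizationProvider, EvaluationContext>> SUPPORTED_CLAIM_TOKEN_FORMATS = new HashMap<>();

    static {
        SUPPORTED_CLAIM_TOKEN_FORMATS.put(CLAIM_TOKEN_FORMAT_JWT, AuthorizationTokenService::createJwtClaimsContext);
        SUPPORTED_CLAIM_TOKEN_FORMATS.put(CLAIM_TOKEN_FORMAT_ID_TOKEN, AuthorizationTokenService::createIdTokenContext);
        INSTANCE = new AuthorizationTokenService();
    }

    /**
     * An {@link AuthorizationRequest} bundled with the Keycloak collaborators needed to serve it
     * (provider, token manager, event builder, HTTP request and CORS handling).
     */
    public static class KeycloakAuthorizationRequest extends AuthorizationRequest {
        private final AuthorizationProvider authorization;
        private final TokenManager tokenManager;
        private final EventBuilder event;
        private final HttpRequest httpRequest;
        private final Cors cors;

        public KeycloakAuthorizationRequest(AuthorizationProvider authorizationProvider, TokenManager tokenManager, EventBuilder eventBuilder, HttpRequest httpRequest, Cors cors) {
            this.authorization = authorizationProvider;
            this.tokenManager = tokenManager;
            this.event = eventBuilder;
            this.httpRequest = httpRequest;
            this.cors = cors;
        }

        TokenManager getTokenManager() {
            return this.tokenManager;
        }

        EventBuilder getEvent() {
            return this.event;
        }

        HttpRequest getHttpRequest() {
            return this.httpRequest;
        }

        AuthorizationProvider getAuthorization() {
            return this.authorization;
        }

        Cors getCors() {
            return this.cors;
        }

        /** The session behind the authorization provider. */
        KeycloakSession getKeycloakSession() {
            return getAuthorization().getKeycloakSession();
        }

        /** The realm of the current session context. */
        RealmModel getRealm() {
            return getKeycloakSession().getContext().getRealm();
        }
    }

    /** Returns the shared, stateless instance. */
    public static AuthorizationTokenService instance() {
        return INSTANCE;
    }

    /**
     * Evaluates the request and builds the response selected by {@code response_mode}.
     *
     * @param request the request to evaluate; must not be {@code null}
     * @return a JSON response holding an {@link AuthorizationResponse} (default), a
     *         {@code {"result": true}} decision, or the granted {@link Permission}s
     * @throws ErrorResponseException when {@code request} is {@code null} (no CORS context is available then)
     * @throws CorsErrorResponseException when the request is rejected (public client pushing claims, invalid
     *         ticket, unknown resource server, denied access, unknown response_mode) or on unexpected failure
     */
    public Response authorize(KeycloakAuthorizationRequest request) {
        if (request == null) {
            // No request means no Cors instance either; the previous guard dereferenced the null request here.
            throw new ErrorResponseException("invalid_grant", "Invalid authorization request.", Response.Status.BAD_REQUEST);
        }
        if (isPublicClientRequestingEntitlementWithClaims(request)) {
            throw new CorsErrorResponseException(request.getCors(), "invalid_grant", "Public clients are not allowed to send claims", Response.Status.FORBIDDEN);
        }
        try {
            PermissionTicketToken ticket = getPermissionTicket(request);
            request.setClaims(ticket.getClaims());
            ResourceServer resourceServer = getResourceServer(ticket, request);
            EvaluationContext evaluationContext = createEvaluationContext(request);
            KeycloakIdentity identity = (KeycloakIdentity) evaluationContext.getIdentity();

            Collection<Permission> granted;
            if (request.getTicket() != null) {
                granted = evaluateUserManagedPermissions(request, ticket, resourceServer, evaluationContext, identity);
            } else if (ticket.getPermissions().isEmpty() && request.getRpt() == null) {
                // nothing specific requested and no RPT to upgrade: evaluate everything the server exposes
                granted = evaluateAllPermissions(request, resourceServer, evaluationContext, identity);
            } else {
                granted = evaluatePermissions(request, ticket, resourceServer, evaluationContext, identity);
            }

            if (!isGranted(ticket, request, granted)) {
                String description = request.isSubmitRequest() ? "request_submitted" : "not_authorized";
                throw new CorsErrorResponseException(request.getCors(), AbstractOAuth2IdentityProvider.ACCESS_DENIED, description, Response.Status.FORBIDDEN);
            }

            ClientModel targetClient = request.getAuthorization().getRealm().getClientById(resourceServer.getId());
            AuthorizationRequest.Metadata metadata = request.getMetadata();
            String responseMode = metadata != null ? metadata.getResponseMode() : null;
            if (responseMode == null) {
                return createSuccessfulResponse(createAuthorizationResponse(identity, granted, request, targetClient), request);
            }
            switch (responseMode) {
                case RESPONSE_MODE_DECISION: {
                    Map<String, Object> decision = new HashMap<>();
                    decision.put(RESPONSE_MODE_DECISION_RESULT, true);
                    return createSuccessfulResponse(decision, request);
                }
                case RESPONSE_MODE_PERMISSIONS:
                    return createSuccessfulResponse(granted, request);
                default:
                    throw new CorsErrorResponseException(request.getCors(), "invalid_request", "Invalid response_mode", Response.Status.BAD_REQUEST);
            }
        } catch (CorsErrorResponseException | ErrorResponseException e) {
            // client-facing errors pass through untouched; only traced at debug level
            if (logger.isDebugEnabled()) {
                logger.debug("Error while evaluating permissions", e);
            }
            throw e;
        } catch (Exception e) {
            // anything else is logged with its cause and surfaced without detail
            logger.error("Unexpected error while evaluating permissions", e);
            throw new CorsErrorResponseException(request.getCors(), "server_error", "Unexpected error while evaluating permissions", Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    /** Wraps {@code entity} in a 200 JSON response with CORS headers for the requesting client. */
    private Response createSuccessfulResponse(Object entity, KeycloakAuthorizationRequest request) {
        KeycloakSession session = request.getKeycloakSession();
        Response.ResponseBuilder builder = Response.status(Response.Status.OK).type(MediaType.APPLICATION_JSON_TYPE).entity(entity);
        return Cors.add(request.getHttpRequest(), builder)
                .allowedOrigins(session.getContext().getUri(), session.getContext().getClient())
                .allowedMethods("POST")
                .exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS)
                .build();
    }

    /**
     * True when a public client pushes a claim token without a permission ticket. Such requests are refused
     * because a public client cannot be held to the claims it asserts.
     */
    private boolean isPublicClientRequestingEntitlementWithClaims(KeycloakAuthorizationRequest request) {
        boolean publicClient = request.getKeycloakSession().getContext().getClient().isPublicClient();
        return request.getClaimToken() != null && publicClient && request.getTicket() == null;
    }

    /** Evaluates the permissions named in the ticket (or request) against the resource server's policies. */
    private Collection<Permission> evaluatePermissions(KeycloakAuthorizationRequest request, PermissionTicketToken ticket, ResourceServer resourceServer, EvaluationContext evaluationContext, KeycloakIdentity identity) {
        AuthorizationProvider authorization = request.getAuthorization();
        Collection<ResourcePermission> permissions = createPermissions(ticket, request, resourceServer, identity, authorization);
        return authorization.evaluators().from(permissions, evaluationContext).evaluate(resourceServer, request);
    }

    /**
     * Like {@link #evaluatePermissions} but collects results through a {@link PermissionTicketAwareDecisionResultCollector},
     * which is what a request carrying a permission ticket needs.
     */
    private Collection<Permission> evaluateUserManagedPermissions(KeycloakAuthorizationRequest request, PermissionTicketToken ticket, ResourceServer resourceServer, EvaluationContext evaluationContext, KeycloakIdentity identity) {
        AuthorizationProvider authorization = request.getAuthorization();
        Collection<ResourcePermission> permissions = createPermissions(ticket, request, resourceServer, identity, authorization);
        PermissionTicketAwareDecisionResultCollector collector = new PermissionTicketAwareDecisionResultCollector(request, ticket, identity, resourceServer, authorization);
        return authorization.evaluators().from(permissions, evaluationContext).evaluate(collector).results();
    }

    /** Evaluates every permission the resource server exposes for the given identity. */
    private Collection<Permission> evaluateAllPermissions(KeycloakAuthorizationRequest request, ResourceServer resourceServer, EvaluationContext evaluationContext, KeycloakIdentity identity) {
        AuthorizationProvider authorization = request.getAuthorization();
        Collection<ResourcePermission> permissions = Permissions.all(resourceServer, identity, authorization, request);
        return authorization.evaluators().from(permissions, evaluationContext).evaluate(resourceServer, request);
    }

    /**
     * Issues the RPT: a fresh access/refresh token pair for the user session behind the subject's access
     * token, with the granted permissions attached and the resource server's client added to the audience.
     *
     * @param identity     the verified identity of the requesting party
     * @param permissions  the permissions that were granted
     * @param request      the current request
     * @param targetClient the resource server's client
     * @throws CorsErrorResponseException when neither an online nor an offline user session exists for the
     *         subject token (previously a NullPointerException reported as server_error)
     */
    private AuthorizationResponse createAuthorizationResponse(KeycloakIdentity identity, Collection<Permission> permissions, KeycloakAuthorizationRequest request, ClientModel targetClient) {
        KeycloakSession session = request.getKeycloakSession();
        AccessToken accessToken = identity.getAccessToken();
        RealmModel realm = request.getRealm();
        UserSessionProvider sessions = session.sessions();

        UserSessionModel userSession = sessions.getUserSession(realm, accessToken.getSessionState());
        if (userSession == null) {
            userSession = sessions.getOfflineUserSession(realm, accessToken.getSessionState());
        }
        if (userSession == null) {
            throw new CorsErrorResponseException(request.getCors(), "invalid_grant", "Session not active", Response.Status.BAD_REQUEST);
        }

        ClientModel issuedFor = realm.getClientByClientId(accessToken.getIssuedFor());
        AuthenticatedClientSessionModel clientSession = userSession.getAuthenticatedClientSessionByClient(targetClient.getId());
        ClientSessionContext clientSessionContext;
        if (clientSession == null) {
            // no client session exists for the resource server's client yet: create and attach one so a token
            // can be issued for it within the existing user session
            RootAuthenticationSessionModel rootSession = session.authenticationSessions().getRootAuthenticationSession(realm, userSession.getId());
            if (rootSession == null) {
                rootSession = session.authenticationSessions().createRootAuthenticationSession(userSession.getId(), realm);
            }
            AuthenticationSessionModel authSession = rootSession.createAuthenticationSession(targetClient);
            authSession.setAuthenticatedUser(userSession.getUser());
            authSession.setProtocol("openid-connect");
            authSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));
            AuthenticationManager.setClientScopesInSession(authSession);
            clientSessionContext = TokenManager.attachAuthenticationSession(session, userSession, authSession);
        } else {
            clientSessionContext = DefaultClientSessionContext.fromClientSessionScopeParameter(clientSession);
        }

        TokenManager.AccessTokenResponseBuilder responseBuilder = request.getTokenManager()
                .responseBuilder(realm, issuedFor, request.getEvent(), session, userSession, clientSessionContext)
                .generateAccessToken()
                .generateRefreshToken();

        AccessToken.Authorization authorization = new AccessToken.Authorization();
        authorization.setPermissions(permissions);

        AccessToken rpt = responseBuilder.getAccessToken();
        rpt.setAuthorization(authorization);

        RefreshToken refreshToken = responseBuilder.getRefreshToken();
        refreshToken.issuedFor(issuedFor.getClientId());
        refreshToken.setAuthorization(authorization);

        if (!rpt.hasAudience(targetClient.getClientId())) {
            rpt.audience(targetClient.getClientId());
        }
        return new AuthorizationResponse(responseBuilder.build(), isUpgraded(request, authorization));
    }

    /**
     * True when the request carried an RPT and the new authorization keeps every permission of that RPT
     * (an RPT without permissions counts as upgraded); false when no RPT was sent.
     */
    private boolean isUpgraded(AuthorizationRequest request, AccessToken.Authorization authorization) {
        AccessToken rpt = request.getRpt();
        if (rpt == null) {
            return false;
        }
        AccessToken.Authorization previous = rpt.getAuthorization();
        if (previous == null || previous.getPermissions() == null) {
            return true;
        }
        return authorization.getPermissions().containsAll(previous.getPermissions());
    }

    /**
     * The permission ticket to evaluate: the verified {@code ticket} parameter when present, otherwise the
     * permissions listed in the request itself, stamped with the request's audience as issuer target.
     */
    private PermissionTicketToken getPermissionTicket(KeycloakAuthorizationRequest request) {
        if (request.getTicket() != null) {
            return verifyPermissionTicket(request);
        }
        // NOTE(review): assumes getPermissions() never returns null for a ticket-less request — confirm against AuthorizationRequest
        PermissionTicketToken permissions = request.getPermissions();
        permissions.issuedFor(request.getAudience());
        return permissions;
    }

    /**
     * Resolves the resource server the ticket was issued for.
     *
     * @throws CorsErrorResponseException when the ticket names no client, an unknown client, or a client
     *         that is not a resource server
     */
    private ResourceServer getResourceServer(PermissionTicketToken ticket, KeycloakAuthorizationRequest request) {
        String issuedFor = ticket.getIssuedFor();
        if (issuedFor == null) {
            throw new CorsErrorResponseException(request.getCors(), "invalid_request", "You must provide the issuedFor", Response.Status.BAD_REQUEST);
        }
        ClientModel client = request.getRealm().getClientByClientId(issuedFor);
        if (client == null) {
            throw new CorsErrorResponseException(request.getCors(), "invalid_request", "Unknown resource server id.", Response.Status.BAD_REQUEST);
        }
        ResourceServerStore resourceServerStore = request.getAuthorization().getStoreFactory().getResourceServerStore();
        ResourceServer resourceServer = resourceServerStore.findById(client.getId());
        if (resourceServer == null) {
            throw new CorsErrorResponseException(request.getCors(), "invalid_request", "Client does not support permissions", Response.Status.BAD_REQUEST);
        }
        return resourceServer;
    }

    /**
     * Builds the evaluation context through the factory registered for the request's claim token format,
     * defaulting to {@link #CLAIM_TOKEN_FORMAT_ID_TOKEN}.
     *
     * @throws CorsErrorResponseException for an unsupported format
     */
    private EvaluationContext createEvaluationContext(KeycloakAuthorizationRequest request) {
        String claimTokenFormat = request.getClaimTokenFormat();
        if (claimTokenFormat == null) {
            claimTokenFormat = CLAIM_TOKEN_FORMAT_ID_TOKEN;
        }
        BiFunction<KeycloakAuthorizationRequest, AuthorizationProvider, EvaluationContext> factory = SUPPORTED_CLAIM_TOKEN_FORMATS.get(claimTokenFormat);
        if (factory == null) {
            throw new CorsErrorResponseException(request.getCors(), "invalid_request", "Claim token format [" + claimTokenFormat + "] not supported", Response.Status.BAD_REQUEST);
        }
        return factory.apply(request, request.getAuthorization());
    }

    /**
     * Turns the permissions requested in the ticket, plus those already held by an active RPT, into the
     * {@link ResourcePermission}s to evaluate.
     *
     * <p>For each requested permission the resource is resolved by id, by type selector or by name (see
     * {@link #resolveResources}), requested scope names are resolved against the scope store, and a pending
     * permission is created or widened per resource. A permission that names no resource targets every
     * resource exposing one of its scopes, or becomes a scope-only permission when none does. The optional
     * {@code limit} in the request metadata caps how many permissions are produced.
     *
     * @return pending permissions in insertion order, keyed internally by resource id (scope id for scope-only ones)
     * @throws CorsErrorResponseException when a named resource does not exist or none of the given scopes is known
     */
    private Collection<ResourcePermission> createPermissions(PermissionTicketToken ticket, KeycloakAuthorizationRequest request, ResourceServer resourceServer, KeycloakIdentity identity, AuthorizationProvider authorization) {
        StoreFactory storeFactory = authorization.getStoreFactory();
        ResourceStore resourceStore = storeFactory.getResourceStore();
        ScopeStore scopeStore = storeFactory.getScopeStore();
        Map<String, ResourcePermission> pending = new LinkedHashMap<>();

        AuthorizationRequest.Metadata metadata = request.getMetadata();
        // remaining number of permissions the client asked for; null means unlimited
        AtomicInteger limit = (metadata == null || metadata.getLimit() == null) ? null : new AtomicInteger(metadata.getLimit());

        for (Permission permission : ticket.getPermissions()) {
            if (limitReached(limit)) {
                break;
            }
            // the permission's own scope set is reused (and so mutated) when present
            Set<String> requestedScopes = permission.getScopes() != null ? permission.getScopes() : new HashSet<>();
            String resourceId = permission.getResourceId();
            List<Resource> resources = resourceId != null
                    ? resolveResources(resourceId, permission, resourceServer, identity, storeFactory)
                    : new ArrayList<>();

            String scopeParameter = request.getScope();
            if (scopeParameter != null) {
                requestedScopes.addAll(Arrays.asList(scopeParameter.split(" ")));
            }
            Set<Scope> scopes = requestedScopes.stream()
                    .map(name -> scopeStore.findByName(name, resourceServer.getId()))
                    .filter(Objects::nonNull)
                    .collect(Collectors.toSet());

            if (resourceId != null && resources.isEmpty()) {
                throw new CorsErrorResponseException(request.getCors(), "invalid_resource", "Resource with id [" + resourceId + "] does not exist.", Response.Status.BAD_REQUEST);
            }
            if (!requestedScopes.isEmpty() && scopes.isEmpty()) {
                throw new CorsErrorResponseException(request.getCors(), "invalid_scope", "One of the given scopes " + permission.getScopes() + " is invalid", Response.Status.BAD_REQUEST);
            }

            if (resources.isEmpty()) {
                AtomicBoolean matchedResource = new AtomicBoolean();
                List<String> scopeIds = scopes.stream().map(Scope::getId).collect(Collectors.toList());
                resourceStore.findByScope(scopeIds, resourceServer.getId(), resource -> {
                    if (addOrWidenPermission(pending, resource, scopes, limit, authorization, request)) {
                        matchedResource.set(true);
                    }
                });
                if (!matchedResource.get()) {
                    for (Scope scope : scopes) {
                        // getAndDecrement: a scope that is already pending still consumes budget
                        if (limit == null || limit.getAndDecrement() > 0) {
                            pending.computeIfAbsent(scope.getId(),
                                    id -> new ResourcePermission((Resource) null, new ArrayList<>(Arrays.asList(scope)), resourceServer, request.getClaims()));
                        }
                    }
                }
            } else {
                for (Resource resource : resources) {
                    addOrWidenPermission(pending, resource, scopes, limit, authorization, request);
                }
            }
        }

        mergeRptPermissions(request, ticket, resourceServer, resourceStore, scopeStore, pending, limit);
        return pending.values();
    }

    /** True when a permission limit is set and exhausted. */
    private static boolean limitReached(AtomicInteger limit) {
        return limit != null && limit.get() <= 0;
    }

    /**
     * Resolves the resources a requested {@code resourceId} stands for.
     *
     * <p>A value containing {@code '-'} is first tried as a resource id. Otherwise the {@code resource-type*}
     * prefixes select by type (owned by the server, by anyone, type instances, or owned by the requester),
     * and any other value is treated as a name owned by the requester or, unless the requester is the
     * resource server itself, granted to it by ticket or owned by the server. Name matches rewrite the
     * permission's resource id to the resolved id.
     */
    private List<Resource> resolveResources(String resourceId, Permission permission, ResourceServer resourceServer, KeycloakIdentity identity, StoreFactory storeFactory) {
        ResourceStore resourceStore = storeFactory.getResourceStore();
        String serverId = resourceServer.getId();
        List<Resource> resources = new ArrayList<>();

        Resource byId = resourceId.indexOf('-') != -1 ? resourceStore.findById(resourceId, serverId) : null;
        if (byId != null) {
            resources.add(byId);
        } else if (resourceId.startsWith(RESOURCE_TYPE_PREFIX)) {
            resourceStore.findByType(resourceId.substring(RESOURCE_TYPE_PREFIX.length()), serverId, serverId, resources::add);
        } else if (resourceId.startsWith(RESOURCE_TYPE_ANY_PREFIX)) {
            resourceStore.findByType(resourceId.substring(RESOURCE_TYPE_ANY_PREFIX.length()), (String) null, serverId, resources::add);
        } else if (resourceId.startsWith(RESOURCE_TYPE_INSTANCE_PREFIX)) {
            resourceStore.findByTypeInstance(resourceId.substring(RESOURCE_TYPE_INSTANCE_PREFIX.length()), serverId, resources::add);
        } else if (resourceId.startsWith(RESOURCE_TYPE_OWNER_PREFIX)) {
            resourceStore.findByType(resourceId.substring(RESOURCE_TYPE_OWNER_PREFIX.length()), identity.getId(), serverId, resources::add);
        } else {
            Resource ownedByRequester = resourceStore.findByName(resourceId, identity.getId(), serverId);
            if (ownedByRequester != null) {
                permission.setResourceId(ownedByRequester.getId());
                resources.add(ownedByRequester);
            }
            if (!identity.isResourceServer()) {
                for (PermissionTicket grantedTicket : storeFactory.getPermissionTicketStore().findGranted(resourceId, identity.getId(), serverId)) {
                    resources.add(grantedTicket.getResource());
                }
                Resource ownedByServer = resourceStore.findByName(resourceId, serverId);
                if (ownedByServer != null) {
                    permission.setResourceId(ownedByServer.getId());
                    resources.add(ownedByServer);
                }
            }
        }
        return resources;
    }

    /**
     * Adds a pending permission for {@code resource} with the given scopes, or adds the scopes to the one
     * already pending for it. Creating a new permission consumes one unit of {@code limit}.
     *
     * @return false when the limit was already exhausted and nothing was done
     */
    private static boolean addOrWidenPermission(Map<String, ResourcePermission> pending, Resource resource, Set<Scope> scopes, AtomicInteger limit, AuthorizationProvider authorization, KeycloakAuthorizationRequest request) {
        if (limitReached(limit)) {
            return false;
        }
        ResourcePermission existing = pending.get(resource.getId());
        if (existing == null) {
            pending.put(resource.getId(), Permissions.createResourcePermissions(resource, scopes, authorization, request));
            if (limit != null) {
                limit.decrementAndGet();
            }
        } else {
            for (Scope scope : scopes) {
                existing.addScope(scope);
            }
        }
        return true;
    }

    /**
     * Folds the permissions of an active RPT sent with the request into {@code pending}, so an upgraded
     * token keeps what was already granted: new resources become pending permissions, known ones receive
     * the RPT's claim values and scopes.
     */
    private void mergeRptPermissions(KeycloakAuthorizationRequest request, PermissionTicketToken ticket, ResourceServer resourceServer, ResourceStore resourceStore, ScopeStore scopeStore, Map<String, ResourcePermission> pending, AtomicInteger limit) {
        AccessToken rpt = request.getRpt();
        if (rpt == null || !rpt.isActive()) {
            return;
        }
        AccessToken.Authorization rptAuthorization = rpt.getAuthorization();
        if (rptAuthorization == null || rptAuthorization.getPermissions() == null) {
            return;
        }
        for (Permission granted : rptAuthorization.getPermissions()) {
            if (limitReached(limit)) {
                break;
            }
            // NOTE(review): this lookup is scoped by ticket.getIssuedFor() (the client_id) while the rest of
            // this class uses resourceServer.getId() — confirm the resource store accepts both
            Resource resource = resourceStore.findById(granted.getResourceId(), ticket.getIssuedFor());
            if (resource == null) {
                continue;
            }
            ResourcePermission existing = pending.get(resource.getId());
            if (existing == null) {
                existing = new ResourcePermission(resource, new ArrayList<>(), resourceServer, granted.getClaims());
                pending.put(resource.getId(), existing);
                if (limit != null) {
                    limit.decrementAndGet();
                }
            } else if (granted.getClaims() != null && existing.getClaims() != null) {
                // only claims the pending permission already carries are widened; new claim keys are not added
                for (Map.Entry<String, Set<String>> claim : granted.getClaims().entrySet()) {
                    Set<String> values = existing.getClaims().get(claim.getKey());
                    if (values != null) {
                        values.addAll(claim.getValue());
                    }
                }
            }
            // a stored permission without scopes used to fail here with a NullPointerException
            if (granted.getScopes() != null) {
                for (String scopeName : granted.getScopes()) {
                    Scope scope = scopeStore.findByName(scopeName, resourceServer.getId());
                    if (scope != null && !existing.getScopes().contains(scope)) {
                        existing.getScopes().add(scope);
                    }
                }
            }
        }
    }

    /**
     * Decodes and verifies the {@code ticket} parameter; a {@code null} decode result is treated as failed
     * verification, and an inactive ticket is rejected.
     *
     * @throws CorsErrorResponseException with {@code invalid_ticket} in both cases
     */
    private PermissionTicketToken verifyPermissionTicket(KeycloakAuthorizationRequest request) {
        PermissionTicketToken ticket = request.getKeycloakSession().tokens().decode(request.getTicket(), PermissionTicketToken.class);
        if (ticket == null) {
            throw new CorsErrorResponseException(request.getCors(), "invalid_ticket", "Ticket verification failed", Response.Status.FORBIDDEN);
        }
        if (!ticket.isActive()) {
            throw new CorsErrorResponseException(request.getCors(), "invalid_ticket", "Invalid permission ticket.", Response.Status.FORBIDDEN);
        }
        return ticket;
    }

    /**
     * Decides whether the evaluation outcome counts as a grant: something must have been granted, and when
     * the request carries an RPT every explicitly requested permission must be among the grants.
     */
    private boolean isGranted(PermissionTicketToken ticket, AuthorizationRequest request, Collection<Permission> granted) {
        if (granted.isEmpty()) {
            return false;
        }
        List<Permission> requested = ticket.getPermissions();
        if (request.getRpt() == null || requested.isEmpty()) {
            return true;
        }
        return granted.containsAll(requested);
    }

    /**
     * Factory for {@link #CLAIM_TOKEN_FORMAT_JWT}: the claims are read from the base64url-encoded JSON in
     * {@code claim_token} and the identity from the verified {@code subject_token}.
     *
     * <p>NOTE(review): the claim token itself is only decoded and parsed here — no signature is checked on
     * it — so its claims are as trustworthy as the caller; {@link #authorize} refuses them from public clients.
     *
     * @throws CorsErrorResponseException when the claim token is missing or unparseable, or the identity cannot be built
     */
    private static EvaluationContext createJwtClaimsContext(KeycloakAuthorizationRequest request, AuthorizationProvider authorization) {
        if (request.getClaimToken() == null) {
            throw new CorsErrorResponseException(request.getCors(), "invalid_request", "Claim token can not be null", Response.Status.BAD_REQUEST);
        }
        KeycloakSession session = authorization.getKeycloakSession();
        Map<String, List<String>> claims;
        try {
            @SuppressWarnings("unchecked")
            Map<String, List<String>> parsed = JsonSerialization.readValue(Base64Url.decode(request.getClaimToken()), Map.class);
            claims = parsed;
        } catch (Exception e) {
            throw new CorsErrorResponseException(request.getCors(), "invalid_request", "Invalid claims", Response.Status.BAD_REQUEST);
        }
        request.setClaims(claims);
        try {
            // typed as IDToken so the KeycloakIdentity(KeycloakSession, IDToken) constructor is selected, as before
            IDToken subject = Tokens.getAccessToken(request.getSubjectToken(), session);
            return new DefaultEvaluationContext(new KeycloakIdentity(session, subject), claims, session);
        } catch (Exception e) {
            throw new CorsErrorResponseException(request.getCors(), "unauthorized_client", "Invalid identity", Response.Status.BAD_REQUEST);
        }
    }

    /**
     * Factory for {@link #CLAIM_TOKEN_FORMAT_ID_TOKEN}: the identity comes from the signature-verified
     * {@code subject_token}; claims are whatever the request already carries.
     *
     * @throws CorsErrorResponseException when the subject token is missing, its signature does not verify,
     *         or the identity cannot be built
     */
    private static EvaluationContext createIdTokenContext(KeycloakAuthorizationRequest request, AuthorizationProvider authorization) {
        KeycloakSession session = authorization.getKeycloakSession();
        String subjectToken = request.getSubjectToken();
        if (subjectToken == null) {
            throw new CorsErrorResponseException(request.getCors(), "invalid_request", "Subject token can not be null and must be a valid ID or Access Token", Response.Status.BAD_REQUEST);
        }
        IDToken idToken;
        try {
            idToken = new TokenManager().verifyIDTokenSignature(session, subjectToken);
        } catch (Exception e) {
            throw new CorsErrorResponseException(request.getCors(), "unauthorized_client", "Invalid signature", Response.Status.BAD_REQUEST);
        }
        try {
            return new DefaultEvaluationContext(new KeycloakIdentity(session, idToken), request.getClaims(), session);
        } catch (Exception e) {
            throw new CorsErrorResponseException(request.getCors(), "unauthorized_client", "Invalid identity", Response.Status.BAD_REQUEST);
        }
    }
}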
