package io.quarkus.keycloak.pep.runtime;

import io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerTenantConfig;
import io.quarkus.oidc.OIDCException;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.common.runtime.OidcCommonConfig;
import io.quarkus.oidc.runtime.OidcConfig;
import io.quarkus.runtime.TlsConfig;
import io.quarkus.runtime.annotations.Recorder;
import io.quarkus.runtime.configuration.ConfigurationException;
import io.quarkus.vertx.http.runtime.HttpConfiguration;
import java.net.URI;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.representations.adapters.config.AdapterHttpClientConfig;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;

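/**
 * Quarkus recorder that materialises Keycloak {@link PolicyEnforcer} instances
 * from the OIDC tenant configuration combined with the Keycloak policy-enforcer
 * tenant configuration (the default tenant plus every named tenant).
 *
 * Each enforcer queries the Keycloak server over HTTP to evaluate permissions,
 * so the TLS mapping in {@link #configureTls} decides whether that channel is
 * authenticated at all. The comments on the individual TLS branches describe
 * exactly which checks each mode switches off.
 */
@Recorder
public class KeycloakPolicyEnforcerRecorder {

    /** Path segment that separates the Keycloak base URL from the realm name in {@code auth-server-url}. */
    private static final String REALMS_SEGMENT = "/realms";

    /** HTTP server configuration; only its read timeout is consumed, by the resolver. */
    final HttpConfiguration httpConfiguration;

    public KeycloakPolicyEnforcerRecorder(HttpConfiguration httpConfiguration) {
        this.httpConfiguration = httpConfiguration;
    }

    /**
     * Creates one {@link PolicyEnforcer} for the default tenant and one for each named
     * policy-enforcer tenant, and returns a supplier of the resolver that picks between
     * them at request time.
     *
     * @param oidcConfig                   OIDC configuration holding the default and named tenants
     * @param keycloakPolicyEnforcerConfig policy-enforcer configuration with the same tenant layout
     * @param tlsConfig                    global TLS configuration; only {@code trustAll} is consulted
     * @return supplier of the runtime {@link PolicyEnforcerResolver}
     * @throws ConfigurationException if a named policy-enforcer tenant has no OIDC tenant with the
     *                                same name, or if a tenant's configuration cannot be mapped
     */
    public Supplier<PolicyEnforcerResolver> setup(OidcConfig oidcConfig,
            KeycloakPolicyEnforcerConfig keycloakPolicyEnforcerConfig, TlsConfig tlsConfig) {
        final PolicyEnforcer defaultEnforcer = createPolicyEnforcer(oidcConfig.defaultTenant,
                keycloakPolicyEnforcerConfig.defaultTenant, tlsConfig);
        final Map<String, PolicyEnforcer> namedEnforcers = new HashMap<>();
        for (Map.Entry<String, KeycloakPolicyEnforcerTenantConfig> tenant : keycloakPolicyEnforcerConfig.namedTenants
                .entrySet()) {
            String tenantId = tenant.getKey();
            // A policy-enforcer tenant is unusable without the OIDC tenant that supplies its
            // server URL, client id and credentials; fail early with the tenant name.
            OidcTenantConfig oidcTenantConfig = oidcConfig.namedTenants.get(tenantId);
            if (oidcTenantConfig == null) {
                throw new ConfigurationException("Failed to find a matching OidcTenantConfig for tenant: " + tenantId);
            }
            namedEnforcers.put(tenantId, createPolicyEnforcer(oidcTenantConfig, tenant.getValue(), tlsConfig));
        }
        // The read timeout is read lazily, when the resolver is actually instantiated.
        return () -> new PolicyEnforcerResolver(defaultEnforcer, namedEnforcers,
                httpConfiguration.readTimeout.toMillis());
    }

    /**
     * Maps one tenant's OIDC and policy-enforcer settings onto a Keycloak {@link AdapterConfig}
     * and builds the {@link PolicyEnforcer} from it.
     *
     * @throws OIDCException          if the tenant is a {@code web-app} whose roles are not sourced
     *                                from the access token (the only combination the enforcer supports)
     * @throws ConfigurationException if {@code auth-server-url} or {@code client-id} is missing, the
     *                                realm cannot be derived from the URL, or the enforcer cannot be
     *                                built from the mapped configuration
     */
    private static PolicyEnforcer createPolicyEnforcer(OidcTenantConfig oidcTenantConfig,
            KeycloakPolicyEnforcerTenantConfig keycloakPolicyEnforcerTenantConfig, TlsConfig tlsConfig) {
        OidcTenantConfig.ApplicationType applicationType = oidcTenantConfig.applicationType
                .orElse(OidcTenantConfig.ApplicationType.SERVICE);
        boolean rolesFromAccessToken = oidcTenantConfig.roles.source
                .orElse(null) == OidcTenantConfig.Roles.Source.accesstoken;
        if (applicationType == OidcTenantConfig.ApplicationType.WEB_APP && !rolesFromAccessToken) {
            throw new OIDCException("Application 'web-app' type is only supported if access token is the source of roles");
        }

        // Both values are mandatory for the enforcer; report them as configuration errors
        // instead of letting Optional.get() fail with a context-free NoSuchElementException.
        String authServerUrl = oidcTenantConfig.getAuthServerUrl()
                .orElseThrow(() -> new ConfigurationException(
                        "'auth-server-url' must be configured for the Keycloak policy enforcer"));
        String clientId = oidcTenantConfig.getClientId()
                .orElseThrow(() -> new ConfigurationException(
                        "'client-id' must be configured for the Keycloak policy enforcer"));

        AdapterConfig adapterConfig = new AdapterConfig();
        setRealmAndServerUrl(adapterConfig, authServerUrl);
        adapterConfig.setResource(clientId);
        adapterConfig.setCredentials(getCredentials(oidcTenantConfig));
        configureTls(adapterConfig, oidcTenantConfig, tlsConfig);
        adapterConfig.setConnectionPoolSize(keycloakPolicyEnforcerTenantConfig.connectionPoolSize);
        configureProxy(adapterConfig, oidcTenantConfig, authServerUrl);

        PolicyEnforcerConfig policyEnforcerConfig = getPolicyEnforcerConfig(keycloakPolicyEnforcerTenantConfig);
        adapterConfig.setPolicyEnforcerConfig(policyEnforcerConfig);
        try {
            return PolicyEnforcer.builder()
                    .authServerUrl(adapterConfig.getAuthServerUrl())
                    .realm(adapterConfig.getRealm())
                    .clientId(adapterConfig.getResource())
                    .credentials(adapterConfig.getCredentials())
                    .bearerOnly(adapterConfig.isBearerOnly())
                    .enforcerConfig(policyEnforcerConfig)
                    .httpClient(new HttpClientBuilder().build(adapterConfig))
                    .build();
        } catch (Exception e) {
            // Previously every failure in this method surfaced as "Failed to parse the realm
            // name", which hid HTTP client and builder problems; name the real stage instead.
            throw new ConfigurationException(
                    "Failed to create the Keycloak policy enforcer for client '" + clientId + "'", e);
        }
    }

    /**
     * Derives the realm name and the Keycloak base URL from an OIDC {@code auth-server-url}
     * of the form {@code <base>/realms/<realm>}. Trailing slashes are ignored so that
     * {@code .../realms/foo/} yields realm {@code foo} rather than an empty name.
     *
     * @throws ConfigurationException if the URL carries no {@code /realms/<realm>} suffix
     */
    private static void setRealmAndServerUrl(AdapterConfig adapterConfig, String authServerUrl) {
        String url = authServerUrl;
        while (url.endsWith("/")) {
            url = url.substring(0, url.length() - 1);
        }
        int realmsIndex = url.lastIndexOf(REALMS_SEGMENT);
        int lastSlash = url.lastIndexOf('/');
        String realm = lastSlash >= 0 ? url.substring(lastSlash + 1) : "";
        if (realmsIndex < 0 || realm.isEmpty()) {
            throw new ConfigurationException("Failed to parse the realm name. 'auth-server-url' must end with '"
                    + REALMS_SEGMENT + "/<realm>' but was: " + authServerUrl);
        }
        adapterConfig.setRealm(realm);
        adapterConfig.setAuthServerUrl(url.substring(0, realmsIndex));
    }

    /**
     * Maps the tenant's TLS settings onto the adapter's HTTP client.
     *
     * Precedence: an explicit tenant {@code tls.verification} wins; otherwise the global
     * {@code quarkus.tls.trust-all} flag decides. Resulting modes:
     * <ul>
     * <li>{@code NONE} / trust-all: certificate chain AND hostname verification are disabled.
     * The connection to Keycloak is then unauthenticated and can be intercepted, so the
     * permission decisions it returns cannot be trusted. Development use only.</li>
     * <li>trust store configured: the given store is used for chain validation. With
     * {@code CERTIFICATE_VALIDATION} the hostname check is additionally switched off, so any
     * certificate chaining to the store is accepted for any host.</li>
     * <li>otherwise nothing is set and the adapter's own defaults apply — presumably the JVM
     * trust store with full verification; confirm against the adapter version in use.</li>
     * </ul>
     */
    private static void configureTls(AdapterConfig adapterConfig, OidcTenantConfig oidcTenantConfig,
            TlsConfig tlsConfig) {
        boolean trustEverything = oidcTenantConfig.tls.getVerification().isPresent()
                ? oidcTenantConfig.tls.getVerification().get() == OidcCommonConfig.Tls.Verification.NONE
                : tlsConfig.trustAll;
        if (trustEverything) {
            adapterConfig.setDisableTrustManager(true);
            adapterConfig.setAllowAnyHostname(true);
        } else if (oidcTenantConfig.tls.trustStoreFile.isPresent()) {
            adapterConfig.setTruststore(oidcTenantConfig.tls.trustStoreFile.get().toString());
            // Falls back to the literal "password" when no trust-store password is configured.
            adapterConfig.setTruststorePassword(oidcTenantConfig.tls.trustStorePassword.orElse("password"));
            OidcCommonConfig.Tls.Verification verification = oidcTenantConfig.tls.verification
                    .orElse(OidcCommonConfig.Tls.Verification.REQUIRED);
            if (verification == OidcCommonConfig.Tls.Verification.CERTIFICATE_VALIDATION) {
                adapterConfig.setAllowAnyHostname(true);
            }
        }
    }

    /**
     * Configures the forward proxy used to reach Keycloak when {@code proxy.host} is set.
     * A host given without a scheme inherits the scheme of {@code auth-server-url}; the
     * configured {@code proxy.port} is always appended.
     *
     * @throws ConfigurationException if the scheme must be inherited but {@code auth-server-url}
     *                                is not a valid URI
     */
    private static void configureProxy(AdapterConfig adapterConfig, OidcTenantConfig oidcTenantConfig,
            String authServerUrl) {
        if (!oidcTenantConfig.proxy.host.isPresent()) {
            return;
        }
        String proxyUrl = oidcTenantConfig.proxy.host.get();
        if (!proxyUrl.startsWith("http://") && !proxyUrl.startsWith("https://")) {
            try {
                proxyUrl = URI.create(authServerUrl).getScheme() + "://" + proxyUrl;
            } catch (IllegalArgumentException e) {
                throw new ConfigurationException(
                        "Failed to parse 'auth-server-url' while deriving the proxy scheme: " + authServerUrl, e);
            }
        }
        adapterConfig.setProxyUrl(proxyUrl + ":" + oidcTenantConfig.proxy.port);
    }

    /**
     * Builds the adapter credentials map. Only the client secret is mapped, under the
     * {@code "secret"} key; without a configured secret the map is empty.
     */
    private static Map<String, Object> getCredentials(OidcTenantConfig oidcTenantConfig) {
        Map<String, Object> credentials = new HashMap<>();
        oidcTenantConfig.getCredentials().getSecret()
                .ifPresent(secret -> credentials.put("secret", secret));
        return credentials;
    }

    /**
     * Flattens the claim-information-point (CIP) configuration into the shape the Keycloak
     * enforcer expects: provider name to provider settings. Simple string-valued settings and
     * complex nested settings for the same provider are merged into one map; on a clash of a
     * setting name the complex value wins.
     */
    private static Map<String, Map<String, Object>> getClaimInformationPointConfig(
            KeycloakPolicyEnforcerTenantConfig.KeycloakConfigPolicyEnforcer.ClaimInformationPointConfig claimInformationPointConfig) {
        Map<String, Map<String, Object>> cipConfig = new HashMap<>();
        for (Map.Entry<String, Map<String, String>> simple : claimInformationPointConfig.simpleConfig.entrySet()) {
            cipConfig.put(simple.getKey(), new HashMap<String, Object>(simple.getValue()));
        }
        for (Map.Entry<String, Map<String, Map<String, String>>> complex : claimInformationPointConfig.complexConfig
                .entrySet()) {
            cipConfig.computeIfAbsent(complex.getKey(), provider -> new HashMap<>())
                    .putAll(complex.getValue());
        }
        return cipConfig;
    }

    /**
     * Translates the Quarkus policy-enforcer tenant settings into the Keycloak
     * {@link PolicyEnforcerConfig}: enforcement mode, lazy path loading, HTTP-method-as-scope,
     * path cache, tenant-level CIP settings and every configured path with its methods and
     * per-path CIP settings.
     */
    private static PolicyEnforcerConfig getPolicyEnforcerConfig(
            KeycloakPolicyEnforcerTenantConfig keycloakPolicyEnforcerTenantConfig) {
        PolicyEnforcerConfig config = new PolicyEnforcerConfig();
        config.setLazyLoadPaths(keycloakPolicyEnforcerTenantConfig.policyEnforcer.lazyLoadPaths);
        config.setEnforcementMode(keycloakPolicyEnforcerTenantConfig.policyEnforcer.enforcementMode);
        config.setHttpMethodAsScope(keycloakPolicyEnforcerTenantConfig.policyEnforcer.httpMethodAsScope);

        PolicyEnforcerConfig.PathCacheConfig pathCache = new PolicyEnforcerConfig.PathCacheConfig();
        pathCache.setLifespan(keycloakPolicyEnforcerTenantConfig.policyEnforcer.pathCache.lifespan);
        pathCache.setMaxEntries(keycloakPolicyEnforcerTenantConfig.policyEnforcer.pathCache.maxEntries);
        config.setPathCacheConfig(pathCache);

        config.setClaimInformationPointConfig(
                getClaimInformationPointConfig(keycloakPolicyEnforcerTenantConfig.policyEnforcer.claimInformationPoint));

        // Paths are keyed by an arbitrary configuration name; only the values reach Keycloak.
        config.setPaths(keycloakPolicyEnforcerTenantConfig.policyEnforcer.paths.values().stream()
                .map(path -> {
                    PolicyEnforcerConfig.PathConfig pathConfig = new PolicyEnforcerConfig.PathConfig();
                    pathConfig.setName(path.name.orElse(null));
                    pathConfig.setPath(path.path.orElse(null));
                    pathConfig.setEnforcementMode(path.enforcementMode);
                    pathConfig.setMethods(path.methods.values().stream()
                            .map(method -> {
                                PolicyEnforcerConfig.MethodConfig methodConfig = new PolicyEnforcerConfig.MethodConfig();
                                methodConfig.setMethod(method.method);
                                methodConfig.setScopes(method.scopes);
                                methodConfig.setScopesEnforcementMode(method.scopesEnforcementMode);
                                return methodConfig;
                            })
                            .collect(Collectors.toList()));
                    pathConfig.setClaimInformationPointConfig(getClaimInformationPointConfig(path.claimInformationPoint));
                    return pathConfig;
                })
                .collect(Collectors.toList()));
        return config;
    }
}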
