package io.quarkus.keycloak.pep.runtime;

import io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerConfig;
import io.quarkus.oidc.runtime.OidcConfig;
import io.quarkus.oidc.runtime.OidcTenantConfig;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.quarkus.vertx.http.runtime.HttpConfiguration;
import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;
import java.security.Permission;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.function.BiFunction;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.inject.Singleton;
import org.keycloak.AuthorizationContext;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.authorization.KeycloakAdapterPolicyEnforcer;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;

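/**
 * Quarkus {@link HttpSecurityPolicy} that delegates the authorization decision for an HTTP request to
 * Keycloak's {@link KeycloakAdapterPolicyEnforcer}.
 *
 * <p>{@link #init(OidcConfig, KeycloakPolicyEnforcerConfig, HttpConfiguration)} must complete before
 * {@link #checkPermission} is invoked: it derives the Keycloak adapter configuration (realm, auth server URL,
 * client id, client secret) from the default OIDC tenant and builds the enforcer delegate. When the policy
 * enforcer is disabled in configuration the delegate stays unset and every request reaching this policy
 * fails with an {@link IllegalStateException} instead of being silently granted.
 *
 * <p>The decision runs on a blocking thread (see {@code runBlocking}); {@code delegate} and
 * {@code readTimeout} are {@code volatile} so the values published by {@code init} are visible there.
 */
@Singleton
public class KeycloakPolicyEnforcerAuthorizer implements HttpSecurityPolicy, BiFunction<RoutingContext, SecurityIdentity, HttpSecurityPolicy.CheckResult> {

    /** Attribute key under which the permissions granted by Keycloak are exposed on the enhanced identity. */
    private static final String PERMISSIONS_ATTRIBUTE = "permissions";
    /** Key of the client secret in the Keycloak adapter credentials map. */
    private static final String SECRET_CREDENTIAL = "secret";
    /** Path segment that separates the Keycloak base URL from the realm name in the auth server URL. */
    private static final String REALMS_SEGMENT = "/realms";

    private volatile KeycloakAdapterPolicyEnforcer delegate;
    private volatile long readTimeout;

    /**
     * Evaluates the request on a worker thread via {@code authorizationRequestContext.runBlocking}, using
     * {@link #apply} as the blocking decision function.
     */
    @Override
    public Uni<HttpSecurityPolicy.CheckResult> checkPermission(RoutingContext routingContext, SecurityIdentity securityIdentity, HttpSecurityPolicy.AuthorizationRequestContext authorizationRequestContext) {
        return authorizationRequestContext.runBlocking(routingContext, securityIdentity, this);
    }

    /**
     * Blocking authorization decision: asks the Keycloak policy enforcer whether the current request is
     * granted and, if so, returns a {@code CheckResult} carrying an identity enriched with the granted
     * permissions; otherwise {@link HttpSecurityPolicy.CheckResult#DENY}.
     *
     * @throws IllegalStateException if {@link #init} has not produced a delegate (policy enforcer disabled or
     *         not yet initialised); failing explicitly keeps the policy fail-closed instead of throwing an NPE
     */
    @Override
    public HttpSecurityPolicy.CheckResult apply(RoutingContext routingContext, SecurityIdentity securityIdentity) {
        // Read the volatile field once so the null check and the call see the same value.
        KeycloakAdapterPolicyEnforcer enforcer = this.delegate;
        if (enforcer == null) {
            throw new IllegalStateException("Keycloak policy enforcer is not initialised; init() must run with the policy enforcer enabled");
        }
        AuthorizationContext authorizationContext = enforcer.authorize(new VertxHttpFacade(routingContext, this.readTimeout));
        if (!authorizationContext.isGranted()) {
            return HttpSecurityPolicy.CheckResult.DENY;
        }
        return new HttpSecurityPolicy.CheckResult(true, enhanceSecurityIdentity(securityIdentity, authorizationContext));
    }

    /**
     * Builds a new identity that copies principal, roles, credentials and attributes of {@code securityIdentity},
     * adds the Keycloak-granted permissions under the {@value #PERMISSIONS_ATTRIBUTE} attribute, and installs a
     * permission checker backed by {@code authorizationContext}.
     *
     * <p>The permission checker answers {@code false} when there is no authorization context. A
     * {@link Permission} without actions is checked as a resource permission; otherwise its comma-separated
     * actions are treated as scopes and every one of them must be granted.
     *
     * @param securityIdentity     identity established by the OIDC authentication
     * @param authorizationContext Keycloak decision for the current request; may be {@code null}
     * @return the enriched identity
     */
    private SecurityIdentity enhanceSecurityIdentity(SecurityIdentity securityIdentity, final AuthorizationContext authorizationContext) {
        Map<String, Object> attributes = new HashMap<>(securityIdentity.getAttributes());
        if (authorizationContext != null) {
            attributes.put(PERMISSIONS_ATTRIBUTE, authorizationContext.getPermissions());
        }
        Function<Permission, Uni<Boolean>> permissionChecker = permission -> {
            if (authorizationContext == null) {
                return Uni.createFrom().item(false);
            }
            String actions = permission.getActions();
            if (actions == null) {
                return Uni.createFrom().item(authorizationContext.hasResourcePermission(permission.getName()));
            }
            // All requested scopes must be granted; the first missing one denies the permission.
            for (String scope : actions.split(",")) {
                if (!authorizationContext.hasPermission(permission.getName(), scope)) {
                    return Uni.createFrom().item(false);
                }
            }
            return Uni.createFrom().item(true);
        };
        return new QuarkusSecurityIdentity.Builder()
                .addAttributes(attributes)
                .setPrincipal(securityIdentity.getPrincipal())
                .addRoles(securityIdentity.getRoles())
                .addCredentials(securityIdentity.getCredentials())
                .addPermissionChecker(permissionChecker)
                .build();
    }

    /**
     * Derives the Keycloak adapter configuration from the default OIDC tenant and builds the policy enforcer
     * delegate. Does nothing when the policy enforcer is disabled (see {@link #getPolicyEnforcerConfig}).
     *
     * <p>The realm name is the last path segment of the auth server URL and the adapter base URL is everything
     * before its {@value #REALMS_SEGMENT} segment, e.g. {@code https://host/auth/realms/myrealm} yields realm
     * {@code myrealm} and base URL {@code https://host/auth}.
     *
     * @param oidcConfig                  OIDC configuration; its default tenant must have an auth server URL
     * @param keycloakPolicyEnforcerConfig policy enforcer settings
     * @param httpConfiguration           HTTP settings; the read timeout bounds the enforcer's request reads
     * @throws IllegalArgumentException if the default tenant has no auth server URL
     * @throws RuntimeException         if the URL cannot be parsed or the enforcer cannot be built
     */
    public void init(OidcConfig oidcConfig, KeycloakPolicyEnforcerConfig keycloakPolicyEnforcerConfig, HttpConfiguration httpConfiguration) {
        AdapterConfig adapterConfig = new AdapterConfig();
        String authServerUrl = oidcConfig.defaultTenant.getAuthServerUrl()
                .orElseThrow(() -> new IllegalArgumentException("The default OIDC tenant has no auth server URL configured"));
        try {
            int realmsIndex = authServerUrl.lastIndexOf(REALMS_SEGMENT);
            if (realmsIndex < 0) {
                throw new IllegalArgumentException("Auth server URL does not contain the '" + REALMS_SEGMENT + "' segment: " + authServerUrl);
            }
            adapterConfig.setRealm(authServerUrl.substring(authServerUrl.lastIndexOf('/') + 1));
            adapterConfig.setAuthServerUrl(authServerUrl.substring(0, realmsIndex));
            adapterConfig.setResource(oidcConfig.defaultTenant.getClientId()
                    .orElseThrow(() -> new IllegalArgumentException("The default OIDC tenant has no client id configured")));
            adapterConfig.setCredentials(getCredentials(oidcConfig.defaultTenant));
            PolicyEnforcerConfig policyEnforcerConfig = getPolicyEnforcerConfig(keycloakPolicyEnforcerConfig, adapterConfig);
            if (policyEnforcerConfig == null) {
                // Policy enforcer disabled: leave the delegate unset; apply() then fails closed.
                return;
            }
            adapterConfig.setPolicyEnforcerConfig(policyEnforcerConfig);
            this.readTimeout = httpConfiguration.readTimeout.toMillis();
            this.delegate = new KeycloakAdapterPolicyEnforcer(new PolicyEnforcer(KeycloakDeploymentBuilder.build(adapterConfig), adapterConfig));
        } catch (Exception e) {
            // Message kept for compatibility; the cause carries the precise failure.
            throw new RuntimeException("Failed to parse the realm name.", e);
        }
    }

    /**
     * Builds the adapter credentials map: only the client secret is propagated, and only when configured.
     * The secret is a credential — do not log the returned map.
     */
    private Map<String, Object> getCredentials(OidcTenantConfig oidcTenantConfig) {
        Map<String, Object> credentials = new HashMap<>();
        Optional<String> secret = oidcTenantConfig.getCredentials().getSecret();
        secret.ifPresent(value -> credentials.put(SECRET_CREDENTIAL, value));
        return credentials;
    }

    /**
     * Converts the Quarkus claim-information-point settings into the map shape expected by the Keycloak
     * adapter: simple entries are copied as-is, complex entries are merged into the map registered under the
     * same name (creating it when absent).
     */
    private Map<String, Map<String, Object>> getClaimInformationPointConfig(KeycloakPolicyEnforcerConfig.KeycloakConfigPolicyEnforcer.ClaimInformationPointConfig claimInformationPointConfig) {
        Map<String, Map<String, Object>> result = new HashMap<>();
        for (Map.Entry<String, Map<String, String>> simple : claimInformationPointConfig.simpleConfig.entrySet()) {
            result.put(simple.getKey(), new HashMap<String, Object>(simple.getValue()));
        }
        for (Map.Entry<String, Map<String, Map<String, String>>> complex : claimInformationPointConfig.complexConfig.entrySet()) {
            result.computeIfAbsent(complex.getKey(), name -> new HashMap<>()).putAll(complex.getValue());
        }
        return result;
    }

    /**
     * Translates the Quarkus policy enforcer settings into Keycloak's {@link PolicyEnforcerConfig}.
     *
     * @param keycloakPolicyEnforcerConfig Quarkus-side settings
     * @param adapterConfig                adapter configuration being assembled (currently not consulted)
     * @return the Keycloak configuration, or {@code null} when the policy enforcer is absent or disabled
     */
    private PolicyEnforcerConfig getPolicyEnforcerConfig(KeycloakPolicyEnforcerConfig keycloakPolicyEnforcerConfig, AdapterConfig adapterConfig) {
        if (keycloakPolicyEnforcerConfig.policyEnforcer == null || !keycloakPolicyEnforcerConfig.policyEnforcer.enable) {
            return null;
        }
        PolicyEnforcerConfig policyEnforcerConfig = new PolicyEnforcerConfig();
        policyEnforcerConfig.setLazyLoadPaths(Boolean.valueOf(keycloakPolicyEnforcerConfig.policyEnforcer.lazyLoadPaths));
        policyEnforcerConfig.setEnforcementMode(PolicyEnforcerConfig.EnforcementMode.valueOf(keycloakPolicyEnforcerConfig.policyEnforcer.enforcementMode));
        policyEnforcerConfig.setHttpMethodAsScope(Boolean.valueOf(keycloakPolicyEnforcerConfig.policyEnforcer.httpMethodAsScope));

        KeycloakPolicyEnforcerConfig.KeycloakConfigPolicyEnforcer.PathCacheConfig quarkusPathCache = keycloakPolicyEnforcerConfig.policyEnforcer.pathCache;
        PolicyEnforcerConfig.PathCacheConfig keycloakPathCache = new PolicyEnforcerConfig.PathCacheConfig();
        keycloakPathCache.setLifespan(quarkusPathCache.lifespan);
        keycloakPathCache.setMaxEntries(quarkusPathCache.maxEntries);
        policyEnforcerConfig.setPathCacheConfig(keycloakPathCache);

        policyEnforcerConfig.setClaimInformationPointConfig(getClaimInformationPointConfig(keycloakPolicyEnforcerConfig.policyEnforcer.claimInformationPoint));

        // Lambda parameters are named distinctly from the Keycloak objects they populate to avoid shadowing.
        List<PolicyEnforcerConfig.PathConfig> paths = keycloakPolicyEnforcerConfig.policyEnforcer.paths.values().stream()
                .map(quarkusPath -> {
                    PolicyEnforcerConfig.PathConfig keycloakPath = new PolicyEnforcerConfig.PathConfig();
                    keycloakPath.setName(quarkusPath.name.orElse(null));
                    keycloakPath.setPath(quarkusPath.path.orElse(null));
                    keycloakPath.setEnforcementMode(quarkusPath.enforcementMode);
                    List<PolicyEnforcerConfig.MethodConfig> methods = quarkusPath.methods.values().stream()
                            .map(quarkusMethod -> {
                                PolicyEnforcerConfig.MethodConfig keycloakMethod = new PolicyEnforcerConfig.MethodConfig();
                                keycloakMethod.setMethod(quarkusMethod.method);
                                keycloakMethod.setScopes(quarkusMethod.scopes);
                                keycloakMethod.setScopesEnforcementMode(quarkusMethod.scopesEnforcementMode);
                                return keycloakMethod;
                            })
                            .collect(Collectors.toList());
                    keycloakPath.setMethods(methods);
                    keycloakPath.setClaimInformationPointConfig(getClaimInformationPointConfig(quarkusPath.claimInformationPoint));
                    return keycloakPath;
                })
                .collect(Collectors.toList());
        policyEnforcerConfig.setPaths(paths);
        return policyEnforcerConfig;
    }
}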
