package org.keycloak.authorization.policy.provider.clientscope;

import java.util.Set;
import java.util.function.BiFunction;
import org.jboss.logging.Logger;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.identity.Identity;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.policy.evaluation.Evaluation;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.RealmModel;
import org.keycloak.representations.idm.authorization.ClientScopePolicyRepresentation;

/* loaded from: input_file:org/keycloak/authorization/policy/provider/clientscope/ClientScopePolicyProvider.class */
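/**
 * Policy provider that decides by comparing the client scopes configured on a policy
 * with the space-separated {@code scope} attribute of the identity being evaluated.
 */
public class ClientScopePolicyProvider implements PolicyProvider {
    private static final Logger logger = Logger.getLogger(ClientScopePolicyProvider.class);
    private final BiFunction<Policy, AuthorizationProvider, ClientScopePolicyRepresentation> representationFunction;

    /**
     * @param biFunction maps a policy (and the authorization provider) to its client scope representation
     */
    public ClientScopePolicyProvider(BiFunction<Policy, AuthorizationProvider, ClientScopePolicyRepresentation> biFunction) {
        this.representationFunction = biFunction;
    }

    /** No resources are held by this provider, so there is nothing to release. */
    public void close() {
    }

    /**
     * Evaluates the policy attached to {@code evaluation} against the identity's scopes.
     *
     * <p>Each configured client scope is resolved in the current realm by id:
     * <ul>
     *   <li>a resolved scope that the identity lacks and that is marked required denies the
     *       evaluation and stops immediately, overriding any grant made earlier in the loop;</li>
     *   <li>a resolved scope that the identity holds grants the evaluation and the loop continues;</li>
     *   <li>otherwise no decision is recorded for that scope.</li>
     * </ul>
     * If no configured scope matches, neither {@code grant()} nor {@code deny()} is called here.
     *
     * @param evaluation the evaluation carrying the policy, the context identity and the decision
     */
    public void evaluate(Evaluation evaluation) {
        Policy policy = evaluation.getPolicy();
        AuthorizationProvider authorizationProvider = evaluation.getAuthorizationProvider();
        Set<ClientScopePolicyRepresentation.ClientScopeDefinition> clientScopes =
                this.representationFunction.apply(policy, authorizationProvider).getClientScopes();
        RealmModel realm = authorizationProvider.getKeycloakSession().getContext().getRealm();
        Identity identity = evaluation.getContext().getIdentity();
        for (ClientScopePolicyRepresentation.ClientScopeDefinition clientScopeDefinition : clientScopes) {
            ClientScopeModel clientScopeById = realm.getClientScopeById(clientScopeDefinition.getId());
            // NOTE(review): a definition whose id no longer resolves in the realm is skipped even
            // when it is marked required, so a stale required entry does not deny. Confirm this is
            // intended and that removing a client scope also cleans up the policies referencing it.
            if (clientScopeById == null) {
                continue;
            }
            boolean hasClientScope = hasClientScope(identity, clientScopeById);
            if (!hasClientScope && clientScopeDefinition.isRequired()) {
                // A missing required scope is decisive: deny and stop looking at the rest.
                evaluation.deny();
                return;
            }
            if (hasClientScope) {
                evaluation.grant();
            }
        }
        logger.debugf("Client Scope Policy %s evaluated to %s", policy.getName(), evaluation.getEffect());
    }

    /**
     * Tells whether the identity's {@code scope} attribute lists the given client scope by name.
     *
     * <p>Only the first value of the attribute is read; it is split on single spaces and each
     * token is compared to the scope name with an exact, case-sensitive match.
     *
     * @param identity the identity whose attributes are inspected
     * @param clientScopeModel the client scope to look for
     * @return {@code true} if a token equals the scope name; {@code false} otherwise, including
     *         when the identity carries no {@code scope} attribute
     */
    private boolean hasClientScope(Identity identity, ClientScopeModel clientScopeModel) {
        // Treat an identity without a scope attribute as holding no scopes, so the policy reaches
        // a decision (no grant; deny for required scopes) instead of failing on a null entry.
        if (!identity.getAttributes().exists("scope")) {
            return false;
        }
        String grantedScopes = identity.getAttributes().getValue("scope").asString(0);
        if (grantedScopes == null) {
            return false;
        }
        String name = clientScopeModel.getName();
        for (String grantedScope : grantedScopes.split(" ")) {
            if (name.equals(grantedScope)) {
                return true;
            }
        }
        return false;
    }
}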
