package org.keycloak.authorization.common;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.Response;
import org.keycloak.authorization.attribute.Attributes;
import org.keycloak.authorization.identity.Identity;
import org.keycloak.authorization.util.Tokens;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.UserSessionProvider;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;
import org.keycloak.saml.common.util.StringUtil;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.util.DefaultClientSessionContext;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/authorization/common/KeycloakIdentity.class */
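/**
 * {@link Identity} derived from a Keycloak security token.
 *
 * <p>The token's claims are flattened into multi-valued string attributes, and the
 * roles carried by the access token are added under the {@code kc.realm.roles} and
 * {@code kc.client.<clientId>.roles} keys. These attributes are what
 * {@link #getAttributes()} exposes to callers.
 *
 * <p>Failures to resolve the token to a live user session or a known client are
 * reported as an explicit {@link ErrorResponseException} with status 403 rather than
 * surfacing as a {@link NullPointerException}.
 */
public class KeycloakIdentity implements Identity {
    protected final AccessToken accessToken;
    protected final RealmModel realm;
    protected final KeycloakSession keycloakSession;
    protected final Attributes attributes;

    /**
     * Builds the identity from the access token that {@link Tokens#getAccessToken}
     * obtains for the given session.
     *
     * @param keycloakSession the current Keycloak session
     */
    public KeycloakIdentity(KeycloakSession keycloakSession) {
        this(Tokens.getAccessToken(keycloakSession), keycloakSession);
    }

    /**
     * Builds the identity from a token, using the realm of the session's context.
     *
     * @param keycloakSession the current Keycloak session
     * @param iDToken the token to read the identity from
     * @throws ErrorResponseException (403) if the token, the session or the realm is missing
     */
    public KeycloakIdentity(KeycloakSession keycloakSession, IDToken iDToken) {
        // Dereferencing a null session here would raise a NullPointerException before the
        // delegate's own argument checks could run; pass null through so that they do.
        this(iDToken, keycloakSession, keycloakSession == null ? null : keycloakSession.getContext().getRealm());
    }

    /**
     * Builds the identity from a token in an explicit realm.
     *
     * <p>If the token is already an {@link AccessToken} it is used as is. Otherwise an
     * access token is created for the user session and client the token refers to.
     *
     * @param iDToken the token to read the identity from
     * @param keycloakSession the current Keycloak session
     * @param realmModel the realm the token belongs to
     * @throws ErrorResponseException (403) if an argument is null, or if the token's user
     *         session or client cannot be found
     * @throws RuntimeException wrapping any other failure while reading the token
     */
    public KeycloakIdentity(IDToken iDToken, KeycloakSession keycloakSession, RealmModel realmModel) {
        if (iDToken == null) {
            throw new ErrorResponseException("invalid_bearer_token", "Could not obtain bearer access_token from request.", Response.Status.FORBIDDEN);
        }
        if (keycloakSession == null) {
            throw new ErrorResponseException("no_keycloak_session", "No keycloak session", Response.Status.FORBIDDEN);
        }
        if (realmModel == null) {
            throw new ErrorResponseException("no_keycloak_session", "No realm set", Response.Status.FORBIDDEN);
        }
        this.keycloakSession = keycloakSession;
        this.realm = realmModel;
        try {
            Map<String, Collection<String>> claims = flattenClaims(iDToken);
            if (iDToken instanceof AccessToken) {
                this.accessToken = (AccessToken) iDToken;
            } else {
                this.accessToken = issueAccessToken(keycloakSession, realmModel, iDToken);
            }
            addRoleAttributes(claims, this.accessToken);
            this.attributes = Attributes.from(claims);
        } catch (ErrorResponseException e) {
            // Deliberate rejections (unknown session or client) keep their 403 status
            // instead of being buried inside a generic RuntimeException.
            throw e;
        } catch (Exception e) {
            throw new RuntimeException("Error while reading attributes from security token.", e);
        }
    }

    /**
     * Builds the identity from an access token, using the realm of the session's context.
     *
     * @param accessToken the access token to read the identity from
     * @param keycloakSession the current Keycloak session
     * @throws ErrorResponseException (403) if the token or the session is null
     * @throws RuntimeException wrapping any failure while reading the token
     */
    public KeycloakIdentity(AccessToken accessToken, KeycloakSession keycloakSession) {
        if (accessToken == null) {
            throw new ErrorResponseException("invalid_bearer_token", "Could not obtain bearer access_token from request.", Response.Status.FORBIDDEN);
        }
        if (keycloakSession == null) {
            throw new ErrorResponseException("no_keycloak_session", "No keycloak session", Response.Status.FORBIDDEN);
        }
        this.accessToken = accessToken;
        this.keycloakSession = keycloakSession;
        // NOTE(review): unlike the three-argument constructor, a null realm is not rejected
        // here; getId() and isResourceServer() dereference it later. Confirm whether callers
        // can reach this constructor without a realm on the context.
        this.realm = keycloakSession.getContext().getRealm();
        try {
            Map<String, Collection<String>> claims = flattenClaims(this.accessToken);
            addRoleAttributes(claims, accessToken);
            this.attributes = Attributes.from(claims);
        } catch (Exception e) {
            throw new RuntimeException("Error while reading attributes from security token.", e);
        }
    }

    /**
     * Returns the id of the target client when the token belongs to that client's
     * service account, otherwise the id of the user that owns the token's session.
     *
     * @return the client or user id; {@code null} if the target client cannot be resolved
     * @throws ErrorResponseException (403) if no user session matches the token
     */
    public String getId() {
        if (isResourceServer()) {
            ClientModel client = getTargetClient();
            return client == null ? null : client.getId();
        }
        return getUserFromSessionState().getId();
    }

    /** Returns the attributes built from the token's claims and roles. */
    public Attributes getAttributes() {
        return this.attributes;
    }

    /** Returns the access token this identity was built from or created for. */
    public AccessToken getAccessToken() {
        return this.accessToken;
    }

    /**
     * Tells whether the token's session user is the service account of the target client.
     *
     * @return {@code false} if there is no target client or it has no service account
     * @throws ErrorResponseException (403) if no user session matches the token
     */
    public boolean isResourceServer() {
        ClientModel client = getTargetClient();
        if (client == null) {
            return false;
        }
        UserModel serviceAccount = this.keycloakSession.users().getServiceAccount(client);
        if (serviceAccount == null) {
            return false;
        }
        return getUserFromSessionState().getId().equals(serviceAccount.getId());
    }

    /**
     * Resolves the client named by the token's issued-for value, falling back to the
     * first audience entry when issued-for is absent.
     */
    private ClientModel getTargetClient() {
        String issuedFor = this.accessToken.getIssuedFor();
        if (issuedFor != null) {
            return this.realm.getClientByClientId(issuedFor);
        }
        String[] audience = this.accessToken.getAudience();
        if (audience == null || audience.length <= 0) {
            return null;
        }
        return this.realm.getClientByClientId(audience[0]);
    }

    /** Returns the user that owns the session referenced by the access token. */
    private UserModel getUserFromSessionState() {
        return requireUserSession(this.keycloakSession, this.realm, this.accessToken.getSessionState()).getUser();
    }

    /**
     * Looks up the online user session for a session state, then the offline one.
     *
     * @throws ErrorResponseException (403) if neither exists, so a token that refers to an
     *         ended or unknown session is rejected explicitly
     */
    private static UserSessionModel requireUserSession(KeycloakSession session, RealmModel realm, String sessionState) {
        UserSessionProvider sessions = session.sessions();
        UserSessionModel userSession = sessions.getUserSession(realm, sessionState);
        if (userSession == null) {
            userSession = sessions.getOfflineUserSession(realm, sessionState);
        }
        if (userSession == null) {
            throw new ErrorResponseException("invalid_bearer_token", "No user session matches the token.", Response.Status.FORBIDDEN);
        }
        return userSession;
    }

    /**
     * Creates an access token for the user session and client that a non-access token
     * refers to.
     *
     * @throws ErrorResponseException (403) if the session or the client is unknown
     */
    private static AccessToken issueAccessToken(KeycloakSession session, RealmModel realm, IDToken token) {
        UserSessionModel userSession = requireUserSession(session, realm, token.getSessionState());
        ClientModel client = realm.getClientByClientId(token.getIssuedFor());
        if (client == null) {
            throw new ErrorResponseException("invalid_bearer_token", "Token was issued for an unknown client.", Response.Status.FORBIDDEN);
        }
        // NOTE(review): the client session may be absent from the user session; whether
        // fromClientSessionScopeParameter tolerates null is not visible here — confirm.
        AuthenticatedClientSessionModel clientSession =
                (AuthenticatedClientSessionModel) userSession.getAuthenticatedClientSessions().get(client.getId());
        return new TokenManager().createClientAccessToken(
                session, realm, client, userSession.getUser(), userSession,
                DefaultClientSessionContext.fromClientSessionScopeParameter(clientSession));
    }

    /**
     * Flattens the token's top-level JSON fields into lists of strings.
     *
     * <p>Array fields contribute one entry per element; other fields contribute their
     * text form unless it is null or empty. Fields left without values are omitted.
     *
     * @throws Exception whatever the JSON conversion raises; both callers wrap it
     */
    private static Map<String, Collection<String>> flattenClaims(IDToken token) throws Exception {
        Map<String, Collection<String>> claims = new HashMap<>();
        ObjectNode tree = JsonSerialization.createObjectNode(token);
        Iterator<String> names = tree.fieldNames();
        while (names.hasNext()) {
            String name = names.next();
            JsonNode node = tree.get(name);
            List<String> values = new ArrayList<>();
            if (node.isArray()) {
                for (JsonNode element : node) {
                    values.add(element.asText());
                }
            } else {
                String text = node.asText();
                if (!StringUtil.isNullOrEmpty(text)) {
                    values.add(text);
                }
            }
            if (!values.isEmpty()) {
                claims.put(name, values);
            }
        }
        return claims;
    }

    /**
     * Adds the realm and client roles of the access token to the attribute map.
     *
     * <p>Role entries are written after the raw claims, so they replace a claim that
     * uses the same key. NOTE(review): when the token carries no realm or resource
     * access, a claim literally named like a role key is left in place — confirm that
     * claim names cannot collide with the {@code kc.} keys.
     */
    private static void addRoleAttributes(Map<String, Collection<String>> claims, AccessToken token) {
        AccessToken.Access realmAccess = token.getRealmAccess();
        if (realmAccess != null) {
            claims.put("kc.realm.roles", realmAccess.getRoles());
        }
        Map<String, AccessToken.Access> resourceAccess = token.getResourceAccess();
        if (resourceAccess != null) {
            // NOTE(review): the decompiled listing left this lambda empty, so client roles
            // never reached the attributes and role-based policies would see none. The body
            // publishes them per client, parallel to kc.realm.roles; confirm the key format
            // against the upstream class.
            resourceAccess.forEach((clientId, access) ->
                    claims.put("kc.client." + clientId + ".roles", access.getRoles()));
        }
    }
}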
