package org.pac4j.oidc.authorization.generator;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import lombok.Generated;
import org.pac4j.core.authorization.generator.AuthorizationGenerator;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.oidc.profile.keycloak.KeycloakOidcProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/pac4j/oidc/authorization/generator/KeycloakRolesAuthorizationGenerator.class */
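/**
 * Authorization generator that copies Keycloak roles from the access token of a
 * {@link KeycloakOidcProfile} onto the profile.
 *
 * <p>Realm roles are read from the {@code realm_access.roles} claim. When a client id is
 * configured, the roles under {@code resource_access.<clientId>.roles} are added as well.
 * Both sets go through the same {@code addRole} call, so a realm role and a client role with
 * the same name cannot be told apart on the resulting profile.
 *
 * <p>Security note: the access token is only parsed with {@link SignedJWT#parse(String)};
 * this class never verifies its signature. The roles are therefore only as trustworthy as
 * the channel that delivered the token. NOTE(review): presumably the token was obtained
 * directly from the Keycloak token endpoint over TLS. Confirm this for every flow that
 * builds a {@link KeycloakOidcProfile} before using these roles for access decisions.
 */
public class KeycloakRolesAuthorizationGenerator implements AuthorizationGenerator {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(KeycloakRolesAuthorizationGenerator.class);

    // Keycloak client whose resource_access roles are copied; null means realm roles only.
    private String clientId;

    /** Creates a generator that only copies realm roles. */
    public KeycloakRolesAuthorizationGenerator() {
    }

    /**
     * Creates a generator that copies realm roles and the roles of the given client.
     *
     * @param str the Keycloak client id to look up under {@code resource_access}; may be {@code null}
     */
    public KeycloakRolesAuthorizationGenerator(String str) {
        this.clientId = str;
    }

    /**
     * Adds the Keycloak roles found in the profile's access token to the profile.
     *
     * <p>Profiles that are not a {@link KeycloakOidcProfile} are returned untouched. Any failure
     * while reading the token (missing token, not a signed JWT, claim of the wrong JSON type) is
     * logged and the profile is returned with whatever roles were added so far. A {@code roles}
     * value that is not a list, and list entries that are not strings, are ignored rather than
     * cast blindly, so a malformed entry cannot abort processing halfway through a role list.
     *
     * @param webContext the current web context (not used here)
     * @param sessionStore the session store (not used here)
     * @param userProfile the profile to enrich; must not be {@code null}
     * @return the same profile instance, wrapped in an {@link Optional}
     */
    @Override
    public Optional<UserProfile> generate(WebContext webContext, SessionStore sessionStore, UserProfile userProfile) {
        if (userProfile instanceof KeycloakOidcProfile) {
            try {
                String serializedToken = ((KeycloakOidcProfile) userProfile).getAccessToken().getValue();
                // parse() decodes the JWT only; no signature verification happens here.
                JWTClaimsSet claims = SignedJWT.parse(serializedToken).getJWTClaimsSet();

                Map<String, Object> realmAccess = claims.getJSONObjectClaim("realm_access");
                if (realmAccess != null) {
                    addRoles(userProfile, realmAccess.get("roles"));
                }

                if (this.clientId != null) {
                    Map<String, Object> resourceAccess = claims.getJSONObjectClaim("resource_access");
                    if (resourceAccess != null) {
                        Object clientAccess = resourceAccess.get(this.clientId);
                        if (clientAccess instanceof Map) {
                            addRoles(userProfile, ((Map<?, ?>) clientAccess).get("roles"));
                        }
                    }
                }
            } catch (Exception e) {
                // Deliberately best-effort: a token that cannot be read yields no extra roles
                // instead of failing the whole profile creation.
                LOGGER.warn("Cannot parse Keycloak roles", e);
            }
        }
        return Optional.of(userProfile);
    }

    /** Adds every string entry of a JSON {@code roles} array to the profile; anything else is skipped. */
    private static void addRoles(UserProfile userProfile, Object rolesClaim) {
        if (!(rolesClaim instanceof List)) {
            return;
        }
        for (Object role : (List<?>) rolesClaim) {
            if (role instanceof String) {
                userProfile.addRole((String) role);
            }
        }
    }

    /**
     * Returns the configured Keycloak client id.
     *
     * @return the client id, or {@code null} when only realm roles are copied
     */
    @Generated
    public String getClientId() {
        return this.clientId;
    }

    /**
     * Sets the Keycloak client id whose {@code resource_access} roles are copied.
     *
     * @param str the client id, or {@code null} to copy realm roles only
     */
    @Generated
    public void setClientId(String str) {
        this.clientId = str;
    }
}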
