package org.keycloak.authorization.authorization;

import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumMap;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.BiFunction;
import java.util.stream.Collectors;
import org.jboss.logging.Logger;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.common.DefaultEvaluationContext;
import org.keycloak.authorization.common.KeycloakIdentity;
import org.keycloak.authorization.model.PermissionTicket;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.Permissions;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.EvaluationContext;
import org.keycloak.authorization.policy.evaluation.PermissionTicketAwareDecisionResultCollector;
import org.keycloak.authorization.store.ResourceServerStore;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.authorization.util.Tokens;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.PathMatcher;
import org.keycloak.events.EventBuilder;
import org.keycloak.http.HttpRequest;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.UserSessionProvider;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationResponse;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionTicketToken;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.Urls;
import org.keycloak.services.cors.Cors;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.services.util.DefaultClientSessionContext;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.RootAuthenticationSessionModel;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/authorization/authorization/AuthorizationTokenService.class */
public class AuthorizationTokenService {
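    /** {@code claim_token_format} value identifying an OpenID Connect ID Token as the claim token. */
    public static final String CLAIM_TOKEN_FORMAT_ID_TOKEN = "http://openid.net/specs/openid-connect-core-1_0.html#IDToken";
    /** {@code claim_token_format} value identifying a JWT; used as the default when the request gives no format. */
    public static final String CLAIM_TOKEN_FORMAT_JWT = "urn:ietf:params:oauth:token-type:jwt";
    // response_mode values understood by authorize(); any other non-null value is rejected with invalid_request.
    private static final String RESPONSE_MODE_DECISION = "decision";
    private static final String RESPONSE_MODE_PERMISSIONS = "permissions";
    // Key of the single boolean entry returned in "decision" response mode.
    private static final String RESPONSE_MODE_DECISION_RESULT = "result";
    // Assigned in a static initializer outside this excerpt.
    private static final AuthorizationTokenService INSTANCE;
    private static final Logger logger = Logger.getLogger(AuthorizationTokenService.class);
    // claim_token_format -> factory building the evaluation context for that token type;
    // presumably populated by the static initializer (not visible here). Diamond replaces the raw HashMap.
    private static Map<String, BiFunction<KeycloakAuthorizationRequest, AuthorizationProvider, EvaluationContext>> SUPPORTED_CLAIM_TOKEN_FORMATS = new HashMap<>();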

    /* loaded from: input_file:org/keycloak/authorization/authorization/AuthorizationTokenService$KeycloakAuthorizationRequest.class */
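    /**
     * An {@link AuthorizationRequest} bound to the Keycloak request it arrived in: the authorization
     * provider, token manager, audit event, HTTP request, CORS settings and client connection.
     *
     * <p>Besides carrying that context, it knows how to translate the {@code permission} request
     * parameters (by resource id or by resource URI) into {@link #addPermission} calls.
     */
    public static class KeycloakAuthorizationRequest extends AuthorizationRequest {
        private final AuthorizationProvider authorization;
        private final TokenManager tokenManager;
        private final EventBuilder event;
        private final HttpRequest httpRequest;
        private final Cors cors;
        private final ClientConnection clientConnection;

        public KeycloakAuthorizationRequest(AuthorizationProvider authorizationProvider, TokenManager tokenManager, EventBuilder eventBuilder, HttpRequest httpRequest, Cors cors, ClientConnection clientConnection) {
            this.authorization = authorizationProvider;
            this.tokenManager = tokenManager;
            this.event = eventBuilder;
            this.httpRequest = httpRequest;
            this.cors = cors;
            this.clientConnection = clientConnection;
        }

        TokenManager getTokenManager() {
            return this.tokenManager;
        }

        /** The audit event for this request; errors are recorded on it before being thrown. */
        EventBuilder getEvent() {
            return this.event;
        }

        HttpRequest getHttpRequest() {
            return this.httpRequest;
        }

        AuthorizationProvider getAuthorization() {
            return this.authorization;
        }

        /** CORS configuration applied to error responses raised while handling this request. */
        Cors getCors() {
            return this.cors;
        }

        KeycloakSession getKeycloakSession() {
            return getAuthorization().getKeycloakSession();
        }

        RealmModel getRealm() {
            return getKeycloakSession().getContext().getRealm();
        }

        ClientConnection getClientConnection() {
            return this.clientConnection;
        }

        /**
         * Registers the requested permissions on this request.
         *
         * @param requestedPermissions entries of the form {@code resource} or {@code resource#scope1,scope2}
         * @param permissionResourceFormat {@code "id"} (default when {@code null}) to interpret {@code resource}
         *        as a resource id, {@code "uri"} to interpret it as a resource URI; any other value adds nothing
         * @param matchingUri when resolving by URI, whether to fall back to pattern matching against the
         *        resource server's own URI-bearing resources if no exact URI match exists
         */
        public void addPermissions(List<String> requestedPermissions, String permissionResourceFormat, boolean matchingUri) {
            String format = permissionResourceFormat == null ? "id" : permissionResourceFormat;
            switch (format) {
                case "id":
                    addPermissionsById(requestedPermissions);
                    break;
                case "uri":
                    addPermissionsByUri(requestedPermissions, matchingUri);
                    break;
                default:
                    // Unknown formats are silently ignored: no permission is added for them.
                    break;
            }
        }

        /** Adds one permission per {@code resourceId[#scope,...]} entry, passing the resource id through untouched. */
        private void addPermissionsById(List<String> requestedPermissions) {
            for (String requested : requestedPermissions) {
                String[] parts = requested.split("#");
                String resourceId = parts[0];
                if (parts.length == 1) {
                    addPermission(resourceId, new String[0]);
                } else {
                    addPermission(resourceId, parts[1].split(","));
                }
            }
        }

        /**
         * Adds permissions for {@code uri[#scope,...]} entries by resolving each URI to the matching resources.
         *
         * @throws CorsErrorResponseException (400) when a URI-only entry is empty or a URI resolves to no resource
         */
        private void addPermissionsByUri(List<String> requestedPermissions, boolean matchingUri) {
            StoreFactory storeFactory = this.authorization.getStoreFactory();
            for (String requested : requestedPermissions) {
                String[] parts = requested.split("#");
                String resourceUri = parts[0];
                if (parts.length == 1) {
                    if (resourceUri.isEmpty()) {
                        throw badRequest("invalid_request", "You must provide the uri");
                    }
                    for (Resource resource : findResourcesByUri(resourceUri, storeFactory, matchingUri)) {
                        addPermission(resource.getId(), new String[0]);
                    }
                } else {
                    String[] scopes = parts[1].split(",");
                    if (resourceUri.isEmpty()) {
                        // Scope-only entry ("#scope1,scope2"): registered as a permission with an empty resource id.
                        // NOTE(review): this returns from the whole method, so any entries after it are dropped.
                        addPermission("", scopes);
                        return;
                    }
                    for (Resource resource : findResourcesByUri(resourceUri, storeFactory, matchingUri)) {
                        addPermission(resource.getId(), scopes);
                    }
                }
            }
        }

        /** Resolves {@code resourceUri} to resources, failing the request with {@code invalid_resource} when none match. */
        private List<Resource> findResourcesByUri(String resourceUri, StoreFactory storeFactory, boolean matchingUri) {
            List<Resource> resources = getResourceListByUri(resourceUri, storeFactory, matchingUri);
            if (resources == null || resources.isEmpty()) {
                throw badRequest("invalid_resource", "Resource with uri [" + resourceUri + "] does not exist.");
            }
            return resources;
        }

        /**
         * Builds a 400 error with the given OAuth error code and description, records it on the audit event
         * under {@code invalid_request}, and hands it back for the caller to throw.
         */
        private CorsErrorResponseException badRequest(String error, String description) {
            CorsErrorResponseException failure = new CorsErrorResponseException(getCors(), error, description, Response.Status.BAD_REQUEST);
            AuthorizationTokenService.fireErrorEvent(getEvent(), "invalid_request", failure);
            return failure;
        }

        /**
         * Finds the resources registered under {@code resourceUri} for the resource server identified by the
         * request audience.
         *
         * <p>An exact URI lookup (at most 100 results) is tried first. When it is empty and {@code matchingUri}
         * is set, every URI-bearing resource owned by the resource server's client is pattern-matched against
         * the URI with {@link PathMatcher}, and the single best match is returned.
         *
         * @return the matching resources; an empty list when the exact lookup found nothing and no fallback was
         *         requested; {@code null} when the fallback matched nothing
         */
        private List<Resource> getResourceListByUri(String resourceUri, StoreFactory storeFactory, boolean matchingUri) {
            ResourceStore resourceStore = storeFactory.getResourceStore();
            // NOTE(review): neither the audience client nor the resource server is null-checked here; the
            // resolution is assumed to run against a valid resource server — confirm against the caller.
            ResourceServer resourceServer = storeFactory.getResourceServerStore().findByClient(getRealm().getClientByClientId(getAudience()));

            Map<Resource.FilterOption, String[]> exactUri = new EnumMap<>(Resource.FilterOption.class);
            exactUri.put(Resource.FilterOption.URI, new String[]{resourceUri});
            List<Resource> exactMatches = resourceStore.find(resourceServer, exactUri, -1, 100);
            if (!matchingUri || !exactMatches.isEmpty()) {
                return exactMatches;
            }

            // Fallback: pattern-match against all resources that carry a URI and are owned by the resource server itself.
            Map<Resource.FilterOption, String[]> ownedWithUri = new EnumMap<>(Resource.FilterOption.class);
            ownedWithUri.put(Resource.FilterOption.URI_NOT_NULL, new String[]{"true"});
            ownedWithUri.put(Resource.FilterOption.OWNER, new String[]{resourceServer.getClientId()});
            final List<Resource> candidates = resourceStore.find(resourceServer, ownedWithUri, -1, -1);

            Map.Entry<String, Resource> match = new PathMatcher<Map.Entry<String, Resource>>() {
                @Override
                public String getPath(Map.Entry<String, Resource> entry) {
                    return entry.getKey();
                }

                @Override
                protected Collection<Map.Entry<String, Resource>> getPaths() {
                    // One entry per URI; a URI shared by several resources keeps whichever was iterated last.
                    Map<String, Resource> byUri = new HashMap<>();
                    for (Resource resource : candidates) {
                        for (String uri : resource.getUris()) {
                            byUri.put(uri, resource);
                        }
                    }
                    return byUri.entrySet();
                }
            }.matches(resourceUri);

            return match == null ? null : Collections.singletonList(match.getValue());
        }
    }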

    /** Returns the shared service instance (created in a static initializer elsewhere in this class). */
    public static AuthorizationTokenService instance() {
        return AuthorizationTokenService.INSTANCE;
    }

    /* JADX WARN: Multi-variable type inference failed */
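    /**
     * Records a failed authorization on the audit event and logs the cause at debug level.
     *
     * <p>The event's {@code reason} detail is the error description of a
     * {@link CorsErrorResponseException}, otherwise the exception message; when neither is
     * available (including a {@code null} cause) it is recorded as {@code <unknown>}.
     *
     * @param eventBuilder the audit event for the current request
     * @param error        the event error code, e.g. {@code invalid_request}
     * @param cause        the failure being reported; may be {@code null}
     */
    private static void fireErrorEvent(EventBuilder eventBuilder, String error, Exception cause) {
        String reason;
        if (cause instanceof CorsErrorResponseException) {
            reason = ((CorsErrorResponseException) cause).getErrorDescription();
        } else if (cause != null) {
            reason = cause.getMessage();
        } else {
            // A null cause is a reference, not a number: compare against null, never against 0.
            reason = null;
        }
        eventBuilder.detail("reason", reason == null ? "<unknown>" : reason).error(error);
        logger.debug(eventBuilder.getEvent().getType(), cause);
    }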

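    /**
     * Evaluates an authorization request and answers in the requested {@code response_mode}.
     *
     * <p>Flow: resolve the permission ticket (or the inline permissions), build the evaluation context
     * from the claim token, locate the resource server, evaluate the permissions, then either issue an RPT
     * (default), answer {@code {"result": true}} ({@code decision}) or return the granted permissions
     * ({@code permissions}).
     *
     * <p>Protocol errors ({@link CorsErrorResponseException}, {@link ErrorResponseException}) propagate with
     * their own status and error code; the generic handler is reached only for unexpected failures, so a
     * 403 {@code access_denied} is never downgraded to a 500 {@code server_error}.
     *
     * @param request the authorization request with its event, CORS settings and token manager
     * @return a JSON response carrying the RPT, the decision or the permission list
     * @throws CorsErrorResponseException {@code invalid_grant}/403 when a public client sends a claim token
     *         without a ticket, {@code access_denied}/403 when nothing was granted, {@code invalid_request}/400
     *         on an unknown response mode, {@code server_error}/500 for any other failure
     */
    public Response authorize(KeycloakAuthorizationRequest request) {
        EventBuilder event = request.getEvent();
        if (isPublicClientRequestingEntitlementWithClaims(request)) {
            CorsErrorResponseException failure = new CorsErrorResponseException(request.getCors(), "invalid_grant", "Public clients are not allowed to send claims", Response.Status.FORBIDDEN);
            fireErrorEvent(event, "invalid_request", failure);
            throw failure;
        }
        try {
            PermissionTicketToken ticket = getPermissionTicket(request);
            request.setClaims(ticket.getClaims());
            EvaluationContext evaluationContext = createEvaluationContext(request);
            KeycloakIdentity identity = KeycloakIdentity.class.cast(evaluationContext.getIdentity());
            if (identity != null) {
                event.user(identity.getId());
            }
            ResourceServer resourceServer = getResourceServer(ticket, request);

            Collection<Permission> permissions;
            if (request.getTicket() != null) {
                // UMA flow: a permission ticket was presented.
                permissions = evaluateUserManagedPermissions(request, ticket, resourceServer, evaluationContext);
            } else if (ticket.getPermissions().isEmpty() && request.getRpt() == null) {
                // Nothing specific requested and no previous RPT: evaluate everything the resource server protects.
                permissions = evaluateAllPermissions(request, resourceServer, evaluationContext);
            } else {
                permissions = evaluatePermissions(request, ticket, resourceServer, evaluationContext, identity);
            }

            if (!isGranted(ticket, request, permissions)) {
                // "request_submitted" tells the client a ticket was filed for the owner to approve; otherwise plain denial.
                String description = request.isSubmitRequest() ? "request_submitted" : "not_authorized";
                CorsErrorResponseException denied = new CorsErrorResponseException(request.getCors(), AbstractOAuth2IdentityProvider.ACCESS_DENIED, description, Response.Status.FORBIDDEN);
                fireErrorEvent(event, AbstractOAuth2IdentityProvider.ACCESS_DENIED, denied);
                throw denied;
            }

            ClientModel targetClient = request.getAuthorization().getRealm().getClientById(resourceServer.getClientId());
            AuthorizationRequest.Metadata metadata = request.getMetadata();
            String responseMode = metadata == null ? null : metadata.getResponseMode();
            if (responseMode == null) {
                return createSuccessfulResponse(createAuthorizationResponse(identity, permissions, request, targetClient), request);
            }
            if (RESPONSE_MODE_DECISION.equals(responseMode)) {
                Map<String, Object> decision = new HashMap<>();
                decision.put(RESPONSE_MODE_DECISION_RESULT, true);
                return createSuccessfulResponse(decision, request);
            }
            if (RESPONSE_MODE_PERMISSIONS.equals(responseMode)) {
                return createSuccessfulResponse(permissions, request);
            }
            CorsErrorResponseException invalidMode = new CorsErrorResponseException(request.getCors(), "invalid_request", "Invalid response_mode", Response.Status.BAD_REQUEST);
            fireErrorEvent(event, "invalid_request", invalidMode);
            throw invalidMode;
        } catch (CorsErrorResponseException | ErrorResponseException e) {
            // Deliberate protocol errors: already recorded on the event, keep status and error code.
            if (logger.isDebugEnabled()) {
                logger.debug("Error while evaluating permissions", e);
            }
            throw e;
        } catch (Exception e) {
            // Anything else is an internal failure: log the stack trace server-side, return an opaque 500.
            logger.error("Unexpected error while evaluating permissions", e);
            throw new CorsErrorResponseException(request.getCors(), "server_error", "Unexpected error while evaluating permissions", Response.Status.INTERNAL_SERVER_ERROR);
        }
    }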

    /**
     * Wraps {@code entity} in a 200 JSON response with CORS headers for the requesting client.
     *
     * @param entity  the body to serialize (an {@link AuthorizationResponse}, a decision map or a permission collection)
     * @param request the request whose session determines the allowed origins
     */
    private Response createSuccessfulResponse(Object entity, KeycloakAuthorizationRequest request) {
        KeycloakSession session = request.getKeycloakSession();
        Response.ResponseBuilder ok = Response.status(Response.Status.OK)
                .type(MediaType.APPLICATION_JSON_TYPE)
                .entity(entity);
        return Cors.builder()
                .allowedOrigins(session, session.getContext().getClient())
                .allowedMethods(new String[]{"POST"})
                .exposedHeaders(new String[]{"Access-Control-Allow-Methods"})
                .add(ok);
    }

    /**
     * True when a public client supplies a claim token without a permission ticket; such requests are
     * refused because a public client cannot be trusted to assert claims on its own.
     */
    private boolean isPublicClientRequestingEntitlementWithClaims(KeycloakAuthorizationRequest request) {
        if (request.getClaimToken() == null) {
            return false;
        }
        boolean publicClient = request.getKeycloakSession().getContext().getClient().isPublicClient();
        return publicClient && request.getTicket() == null;
    }

    /**
     * Evaluates the explicitly requested permissions (plus those of a previous RPT) against the
     * resource server's policies.
     *
     * @param identity the requesting identity; accepted for signature compatibility, not used here
     */
    private Collection<Permission> evaluatePermissions(KeycloakAuthorizationRequest request, PermissionTicketToken ticket, ResourceServer resourceServer, EvaluationContext evaluationContext, KeycloakIdentity identity) {
        AuthorizationProvider authorization = request.getAuthorization();
        return authorization
                .evaluators()
                .from(createPermissions(ticket, request, resourceServer, authorization, evaluationContext), evaluationContext)
                .evaluate(resourceServer, request);
    }

    /**
     * Evaluates the permissions of a UMA flow, where a permission ticket is present: decisions are
     * collected by a ticket-aware collector so that pending approvals are tracked per ticket.
     */
    private Collection<Permission> evaluateUserManagedPermissions(KeycloakAuthorizationRequest request, PermissionTicketToken ticket, ResourceServer resourceServer, EvaluationContext evaluationContext) {
        AuthorizationProvider authorization = request.getAuthorization();
        return authorization
                .evaluators()
                .from(createPermissions(ticket, request, resourceServer, authorization, evaluationContext), evaluationContext)
                .evaluate(new PermissionTicketAwareDecisionResultCollector(request, ticket, evaluationContext.getIdentity(), resourceServer, authorization))
                .results();
    }

    /** Evaluates every permission the resource server defines, used when the request names none and carries no RPT. */
    private Collection<Permission> evaluateAllPermissions(KeycloakAuthorizationRequest request, ResourceServer resourceServer, EvaluationContext evaluationContext) {
        AuthorizationProvider authorization = request.getAuthorization();
        return authorization
                .evaluators()
                .from(evaluationContext, resourceServer, request)
                .evaluate(resourceServer, request);
    }

    /**
     * Issues the RPT: a fresh access token carrying the granted permissions in its
     * {@code authorization} claim, bound to the caller's user session.
     *
     * @param keycloakIdentity the requesting identity; its access token decides whether a session exists
     * @param collection       the permissions granted by the evaluation
     * @param keycloakAuthorizationRequest the request (token manager, event, client connection)
     * @param clientModel      the resource server's client, which becomes the RPT's audience
     * @return the RPT plus whether it is an upgrade of the RPT the request presented
     */
    private AuthorizationResponse createAuthorizationResponse(KeycloakIdentity keycloakIdentity, Collection<Permission> collection, KeycloakAuthorizationRequest keycloakAuthorizationRequest, ClientModel clientModel) {
        UserSessionModel userSession;
        ClientSessionContext fromClientSessionScopeParameter;
        KeycloakSession keycloakSession = keycloakAuthorizationRequest.getKeycloakSession();
        AccessToken accessToken = keycloakIdentity.getAccessToken();
        RealmModel realm = keycloakAuthorizationRequest.getRealm();
        UserSessionProvider sessions = keycloakSession.sessions();
        if (accessToken.getSessionState() == null) {
            // Stateless access token: build a transient session for its user so a token can be issued.
            UserModel lookupUserFromStatelessToken = TokenManager.lookupUserFromStatelessToken(keycloakSession, realm, accessToken);
            userSession = new UserSessionManager(keycloakSession).createUserSession(KeycloakModelUtils.generateId(), realm, lookupUserFromStatelessToken, lookupUserFromStatelessToken.getUsername(), keycloakAuthorizationRequest.getClientConnection().getRemoteAddr(), "client_auth", false, null, null, UserSessionModel.SessionPersistenceState.TRANSIENT);
        } else {
            // Online session first, offline session as fallback.
            userSession = sessions.getUserSession(realm, accessToken.getSessionState());
            if (userSession == null) {
                userSession = sessions.getOfflineUserSession(realm, accessToken.getSessionState());
            }
            // NOTE(review): userSession is not checked for null here; if neither lookup succeeds the call
            // below throws NullPointerException, which authorize() reports as server_error.
        }
        // The client the original token was issued for (the requester), as opposed to the resource server's client.
        ClientModel clientByClientId = realm.getClientByClientId(accessToken.getIssuedFor());
        AuthenticatedClientSessionModel authenticatedClientSessionByClient = userSession.getAuthenticatedClientSessionByClient(clientModel.getId());
        if (authenticatedClientSessionByClient == null) {
            // No client session with the resource server yet: create an authentication session and attach it.
            RootAuthenticationSessionModel rootAuthenticationSession = keycloakSession.authenticationSessions().getRootAuthenticationSession(realm, userSession.getId());
            if (rootAuthenticationSession == null) {
                // Service-account users get a session via the AuthenticationSessionManager; regular users one keyed by the user session id.
                rootAuthenticationSession = userSession.getUser().getServiceAccountClientLink() == null ? keycloakSession.authenticationSessions().createRootAuthenticationSession(realm, userSession.getId()) : new AuthenticationSessionManager(keycloakSession).createAuthenticationSession(realm, false);
            }
            AuthenticationSessionModel createAuthenticationSession = rootAuthenticationSession.createAuthenticationSession(clientModel);
            createAuthenticationSession.setAuthenticatedUser(userSession.getUser());
            createAuthenticationSession.setProtocol("openid-connect");
            createAuthenticationSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(keycloakSession.getContext().getUri().getBaseUri(), realm.getName()));
            AuthenticationManager.setClientScopesInSession(createAuthenticationSession);
            fromClientSessionScopeParameter = TokenManager.attachAuthenticationSession(keycloakSession, userSession, createAuthenticationSession);
        } else {
            fromClientSessionScopeParameter = DefaultClientSessionContext.fromClientSessionScopeParameter(authenticatedClientSessionByClient, keycloakSession);
        }
        // The RPT is minted on behalf of the requesting client, then decorated with the granted permissions.
        TokenManager.AccessTokenResponseBuilder generateAccessToken = keycloakAuthorizationRequest.getTokenManager().responseBuilder(realm, clientByClientId, keycloakAuthorizationRequest.getEvent(), keycloakSession, userSession, fromClientSessionScopeParameter).generateAccessToken();
        AccessToken accessToken2 = generateAccessToken.getAccessToken();
        AccessToken.Authorization authorization = new AccessToken.Authorization();
        authorization.setPermissions(collection);
        accessToken2.setAuthorization(authorization);
        if (accessToken.getSessionState() == null) {
            // A stateless input token yields a stateless RPT: no session id, no refresh token.
            accessToken2.setSessionId((String) null);
        } else if (OIDCAdvancedConfigWrapper.fromClientModel(clientByClientId).isUseRefreshToken()) {
            // The refresh token carries the same authorization so the permissions survive a refresh.
            generateAccessToken.generateRefreshToken();
            RefreshToken refreshToken = generateAccessToken.getRefreshToken();
            refreshToken.issuedFor(clientByClientId.getClientId());
            refreshToken.setAuthorization(authorization);
        }
        // The resource server must be able to accept the RPT, so it is always in the audience.
        if (!accessToken2.hasAudience(clientModel.getClientId())) {
            accessToken2.audience(new String[]{clientModel.getClientId()});
        }
        return new AuthorizationResponse(generateAccessToken.build(), isUpgraded(keycloakAuthorizationRequest, authorization));
    }

    /**
     * Reports whether the new authorization keeps every permission of the RPT the request presented.
     *
     * @return {@code false} without a previous RPT; {@code true} when the previous RPT carried no
     *         permissions at all; otherwise whether all previous permissions are contained in the new ones
     */
    private boolean isUpgraded(AuthorizationRequest request, AccessToken.Authorization authorization) {
        AccessToken previousRpt = request.getRpt();
        if (previousRpt == null) {
            return false;
        }
        AccessToken.Authorization previous = previousRpt.getAuthorization();
        if (previous == null) {
            return true;
        }
        Collection<Permission> previousPermissions = previous.getPermissions();
        if (previousPermissions == null) {
            return true;
        }
        // Lambda rather than a method reference so the new permission collection is read only when needed.
        return previousPermissions.stream()
                .allMatch(previousPermission -> authorization.getPermissions().contains(previousPermission));
    }

    /**
     * Obtains the permission ticket for the request: the verified UMA ticket when one was presented,
     * otherwise the inline permissions, attributed to the request's audience.
     */
    private PermissionTicketToken getPermissionTicket(KeycloakAuthorizationRequest request) {
        boolean ticketPresented = request.getTicket() != null;
        if (ticketPresented) {
            return verifyPermissionTicket(request);
        }
        PermissionTicketToken inlinePermissions = request.getPermissions();
        // issuedFor identifies the resource server; getResourceServer() later resolves it to a client.
        inlinePermissions.issuedFor(request.getAudience());
        return inlinePermissions;
    }

    /**
     * Resolves the resource server the ticket was issued for.
     *
     * @throws CorsErrorResponseException {@code invalid_request}/400 when the ticket has no {@code issuedFor},
     *         the client is unknown, or the client is not a resource server
     */
    private ResourceServer getResourceServer(PermissionTicketToken ticket, KeycloakAuthorizationRequest request) {
        ResourceServerStore resourceServerStore = request.getAuthorization().getStoreFactory().getResourceServerStore();
        String resourceServerClientId = ticket.getIssuedFor();
        String problem = null;
        ResourceServer resourceServer = null;
        if (resourceServerClientId == null) {
            problem = "You must provide the issuedFor";
        } else {
            ClientModel client = request.getRealm().getClientByClientId(resourceServerClientId);
            if (client == null) {
                problem = "Unknown resource server id: [" + resourceServerClientId + "]";
            } else {
                resourceServer = resourceServerStore.findByClient(client);
                if (resourceServer == null) {
                    problem = "Client does not support permissions";
                }
            }
        }
        if (problem != null) {
            CorsErrorResponseException failure = new CorsErrorResponseException(request.getCors(), "invalid_request", problem, Response.Status.BAD_REQUEST);
            fireErrorEvent(request.getEvent(), "invalid_request", failure);
            throw failure;
        }
        return resourceServer;
    }

    /**
     * Builds the evaluation context from the request's claim token, dispatching on
     * {@code claim_token_format} (JWT when absent).
     *
     * @throws CorsErrorResponseException {@code invalid_request}/400 for an unsupported format
     */
    private EvaluationContext createEvaluationContext(KeycloakAuthorizationRequest request) {
        String requestedFormat = request.getClaimTokenFormat();
        String format = requestedFormat == null ? CLAIM_TOKEN_FORMAT_JWT : requestedFormat;
        BiFunction<KeycloakAuthorizationRequest, AuthorizationProvider, EvaluationContext> contextFactory = SUPPORTED_CLAIM_TOKEN_FORMATS.get(format);
        if (contextFactory == null) {
            CorsErrorResponseException failure = new CorsErrorResponseException(request.getCors(), "invalid_request", "Claim token format [" + format + "] not supported", Response.Status.BAD_REQUEST);
            fireErrorEvent(request.getEvent(), "invalid_request", failure);
            throw failure;
        }
        return contextFactory.apply(request, request.getAuthorization());
    }

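    /**
     * Turns the ticket's requested permissions into {@link ResourcePermission}s to evaluate, keyed by
     * resource id, and then folds in the permissions already granted by a previous RPT.
     *
     * <p>When the request metadata carries a {@code limit}, at most that many distinct resources are
     * collected; the counter is shared with the resolvers, which decrement it per resource added.
     *
     * @return the permissions to evaluate, in the order they were first requested
     */
    private Collection<ResourcePermission> createPermissions(PermissionTicketToken ticket, KeycloakAuthorizationRequest request, ResourceServer resourceServer, AuthorizationProvider authorization, EvaluationContext evaluationContext) {
        KeycloakIdentity identity = (KeycloakIdentity) evaluationContext.getIdentity();
        StoreFactory storeFactory = authorization.getStoreFactory();
        // Insertion-ordered and typed (no raw map): one entry per resource, in request order.
        LinkedHashMap<String, ResourcePermission> permissionsByResource = new LinkedHashMap<>();
        ResourceStore resourceStore = storeFactory.getResourceStore();
        ScopeStore scopeStore = storeFactory.getScopeStore();
        AuthorizationRequest.Metadata metadata = request.getMetadata();
        // null means "no limit"; otherwise the remaining budget of resources to collect.
        AtomicInteger remaining = (metadata == null || metadata.getLimit() == null) ? null : new AtomicInteger(metadata.getLimit().intValue());
        for (Permission permission : ticket.getPermissions()) {
            if (remaining != null && remaining.get() <= 0) {
                break;
            }
            Set<Scope> requestedScopes = resolveRequestedScopes(request, resourceServer, scopeStore, permission);
            String resourceId = permission.getResourceId();
            if (resourceId != null) {
                resolveResourcePermission(request, resourceServer, identity, authorization, storeFactory, permissionsByResource, resourceStore, remaining, permission, requestedScopes, resourceId);
            } else {
                // No resource named: every resource carrying the requested scopes is a candidate.
                resolveScopePermissions(request, resourceServer, authorization, permissionsByResource, resourceStore, remaining, requestedScopes);
            }
        }
        resolvePreviousGrantedPermissions(request, resourceServer, permissionsByResource, resourceStore, scopeStore, remaining);
        return permissionsByResource.values();
    }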

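    /**
     * Carries the permissions of an active previous RPT over into the set to evaluate, so a new RPT
     * does not silently lose what was already granted.
     *
     * <p>Resources unknown to the resource server are skipped. A resource not yet in the map is added
     * (consuming one unit of {@code remaining}); for one already present the previous claims are merged
     * into the existing claim sets and missing scopes are appended.
     *
     * @param permissionsByResource the permissions collected so far, keyed by resource id; modified in place
     * @param remaining             remaining resource budget, or {@code null} for no limit
     */
    private void resolvePreviousGrantedPermissions(KeycloakAuthorizationRequest request, ResourceServer resourceServer, Map<String, ResourcePermission> permissionsByResource, ResourceStore resourceStore, ScopeStore scopeStore, AtomicInteger remaining) {
        AccessToken rpt = request.getRpt();
        if (rpt == null || !rpt.isActive()) {
            return;
        }
        AccessToken.Authorization authorization = rpt.getAuthorization();
        if (authorization == null) {
            return;
        }
        Collection<Permission> granted = authorization.getPermissions();
        if (granted == null) {
            return;
        }
        for (Permission permission : granted) {
            if (remaining != null && remaining.get() <= 0) {
                return;
            }
            Resource resource = resourceStore.findById(resourceServer, permission.getResourceId());
            if (resource == null) {
                continue;
            }
            ResourcePermission resourcePermission = permissionsByResource.get(resource.getId());
            if (resourcePermission == null) {
                resourcePermission = new ResourcePermission(resource, new ArrayList<>(), resourceServer, permission.getClaims());
                permissionsByResource.put(resource.getId(), resourcePermission);
                if (remaining != null) {
                    remaining.decrementAndGet();
                }
            } else if (permission.getClaims() != null) {
                // Only claims the collected permission already knows are extended; new claim names are not introduced.
                for (Map.Entry<String, ? extends Collection<String>> claim : permission.getClaims().entrySet()) {
                    Collection<String> existing = resourcePermission.getClaims().get(claim.getKey());
                    if (existing != null) {
                        existing.addAll(claim.getValue());
                    }
                }
            }
            for (String scopeName : permission.getScopes()) {
                Scope scope = scopeStore.findByName(resourceServer, scopeName);
                if (scope != null && !resourcePermission.getScopes().contains(scope)) {
                    resourcePermission.getScopes().add(scope);
                }
            }
        }
    }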

    /**
     * Resolves a ticket permission that names scopes but no resource.
     *
     * <p>Every resource of the resource server that is associated with one of the requested scopes
     * gets a permission entry (or has the scopes appended to an existing entry). Only when no such
     * resource exists is a resource-less permission created per requested scope, keyed by scope id.
     *
     * @param keycloakAuthorizationRequest current request, supplying the pushed claims
     * @param resourceServer resource server the ticket was issued for
     * @param authorizationProvider provider used to build resource permissions
     * @param map permissions collected so far, keyed by resource id (or scope id); mutated in place
     * @param resourceStore store queried for resources carrying the requested scopes
     * @param atomicInteger remaining permission budget, or {@code null} for no limit
     * @param set scopes requested for this permission
     */
    private void resolveScopePermissions(KeycloakAuthorizationRequest keycloakAuthorizationRequest, ResourceServer resourceServer, AuthorizationProvider authorizationProvider, Map<String, ResourcePermission> map, ResourceStore resourceStore, AtomicInteger atomicInteger, Set<Scope> set) {
        AtomicBoolean matchedResource = new AtomicBoolean(false);
        resourceStore.findByScopes(resourceServer, set, resource -> {
            if (atomicInteger != null && atomicInteger.get() <= 0) {
                return;
            }
            ResourcePermission existing = map.get(resource.getId());
            if (existing != null) {
                for (Scope scope : set) {
                    existing.addScope(scope);
                }
            } else {
                map.put(resource.getId(), Permissions.createResourcePermissions(resource, resourceServer, set, authorizationProvider, keycloakAuthorizationRequest));
                if (atomicInteger != null) {
                    atomicInteger.decrementAndGet();
                }
            }
            matchedResource.set(true);
        });
        if (matchedResource.get()) {
            return;
        }
        // No resource carries these scopes: fall back to one resource-less permission per scope.
        // Note that the budget is consumed per scope visited, whether or not a new entry is created.
        for (Scope scope : set) {
            if (atomicInteger != null && atomicInteger.getAndDecrement() <= 0) {
                return;
            }
            map.computeIfAbsent(scope.getId(), scopeId -> new ResourcePermission((Resource) null, new ArrayList<>(Arrays.asList(scope)), resourceServer, keycloakAuthorizationRequest.getClaims()));
        }
    }

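    /**
     * Resolves the resource(s) addressed by {@code str}, the resource identifier of a ticket
     * permission, and adds a permission entry for each of them to {@code map}.
     *
     * <p>{@code str} is interpreted, in order, as: a resource id (only tried when it contains a
     * {@code '-'}); a {@code resource-type:} query limited to resources owned by the resource server;
     * a {@code resource-type-any:} query with no owner restriction; a {@code resource-type-instance:}
     * query; a {@code resource-type-owner:} query limited to resources owned by the requesting
     * identity; otherwise a resource name. A name is looked up among the identity's own resources
     * and, unless the identity is the resource server itself, among resources shared with it through
     * granted permission tickets and among the resource server's own resources.
     *
     * <p>When granted tickets are used, {@code set} is narrowed in place to the scopes those tickets
     * grant; the narrowed set is what the remaining lookups in this method see.
     *
     * @param keycloakAuthorizationRequest current request (claims, CORS and event context)
     * @param resourceServer resource server the ticket was issued for
     * @param keycloakIdentity identity the RPT is being requested for
     * @param authorizationProvider provider used to resolve the scopes of a resource
     * @param storeFactory store factory, used to reach the permission ticket store
     * @param map permissions collected so far, keyed by resource id; mutated in place
     * @param resourceStore store used for resource lookups
     * @param atomicInteger remaining permission budget, or {@code null} for no limit
     * @param permission ticket permission being resolved; its resource id is rewritten to the
     *        resolved id when a lookup by name succeeds
     * @param set scopes requested for this permission; may be narrowed in place
     * @param str resource identifier taken from the ticket permission
     * @throws CorsErrorResponseException ({@code invalid_resource}) when {@code map} is still empty
     *         after this identifier was processed; since {@code map} is shared across the ticket's
     *         permissions, this fires only if nothing has been collected so far
     */
    private void resolveResourcePermission(KeycloakAuthorizationRequest keycloakAuthorizationRequest, ResourceServer resourceServer, KeycloakIdentity keycloakIdentity, AuthorizationProvider authorizationProvider, StoreFactory storeFactory, Map<String, ResourcePermission> map, ResourceStore resourceStore, AtomicInteger atomicInteger, Permission permission, Set<Scope> set, String str) {
        // Resource ids are expected to contain a '-'; plain names are not looked up by id.
        Resource byId = str.indexOf('-') != -1 ? resourceStore.findById(resourceServer, str) : null;
        if (byId != null) {
            addPermission(keycloakAuthorizationRequest, resourceServer, authorizationProvider, map, atomicInteger, set, byId);
        } else if (str.startsWith("resource-type:")) {
            // Owner is the resource server: only its own resources of this type.
            resourceStore.findByType(resourceServer, str.substring("resource-type:".length()), resourceServer.getClientId(),
                    resource -> addPermission(keycloakAuthorizationRequest, resourceServer, authorizationProvider, map, atomicInteger, set, resource));
        } else if (str.startsWith("resource-type-any:")) {
            // Owner is null: every resource of this type, whoever owns it.
            resourceStore.findByType(resourceServer, str.substring("resource-type-any:".length()), (String) null,
                    resource -> addPermission(keycloakAuthorizationRequest, resourceServer, authorizationProvider, map, atomicInteger, set, resource));
        } else if (str.startsWith("resource-type-instance:")) {
            resourceStore.findByTypeInstance(resourceServer, str.substring("resource-type-instance:".length()),
                    resource -> addPermission(keycloakAuthorizationRequest, resourceServer, authorizationProvider, map, atomicInteger, set, resource));
        } else if (str.startsWith("resource-type-owner:")) {
            // Owner is the requesting identity: only resources of this type it owns itself.
            resourceStore.findByType(resourceServer, str.substring("resource-type-owner:".length()), keycloakIdentity.getId(),
                    resource -> addPermission(keycloakAuthorizationRequest, resourceServer, authorizationProvider, map, atomicInteger, set, resource));
        } else {
            Resource ownResource = resourceStore.findByName(resourceServer, str, keycloakIdentity.getId());
            if (ownResource != null) {
                permission.setResourceId(ownResource.getId());
                addPermission(keycloakAuthorizationRequest, resourceServer, authorizationProvider, map, atomicInteger, set, ownResource);
            }
            if (!keycloakIdentity.isResourceServer() || !keycloakIdentity.getId().equals(resourceServer.getClientId())) {
                List<PermissionTicket> grantedTickets = storeFactory.getPermissionTicketStore().findGranted(resourceServer, str, keycloakIdentity.getId());
                if (!grantedTickets.isEmpty()) {
                    List<Scope> grantedScopes = new ArrayList<>(grantedTickets.size());
                    Resource sharedResource = null;
                    for (PermissionTicket ticket : grantedTickets) {
                        if (sharedResource == null) {
                            sharedResource = ticket.getResource();
                        }
                        grantedScopes.add(ticket.getScope());
                    }
                    // Tickets bound what may be requested: keep only scopes explicitly shared.
                    set.retainAll(grantedScopes);
                    ResourcePermission shared = addPermission(keycloakAuthorizationRequest, resourceServer, authorizationProvider, map, atomicInteger, set, sharedResource);
                    // addPermission returns null when scopes were requested but none resolved for
                    // the resource; the previous code dereferenced the result unconditionally below.
                    if (shared != null) {
                        Collection<Scope> sharedScopes = shared.getScopes();
                        if (sharedScopes != null) {
                            sharedScopes.retainAll(grantedScopes);
                        }
                        shared.setGranted(true);
                    }
                }
                Resource serverResource = resourceStore.findByName(resourceServer, str);
                if (serverResource != null) {
                    permission.setResourceId(serverResource.getId());
                    addPermission(keycloakAuthorizationRequest, resourceServer, authorizationProvider, map, atomicInteger, set, serverResource);
                }
            }
        }
        if (map.isEmpty()) {
            WebApplicationException corsErrorResponseException = new CorsErrorResponseException(keycloakAuthorizationRequest.getCors(), "invalid_resource", "Resource with id [" + str + "] does not exist.", Response.Status.BAD_REQUEST);
            fireErrorEvent(keycloakAuthorizationRequest.getEvent(), "invalid_request", corsErrorResponseException);
            throw corsErrorResponseException;
        }
    }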

    /**
     * Resolves the scope names of a ticket permission, plus those of the request's {@code scope}
     * parameter, into {@link Scope} entities of the resource server.
     *
     * <p>Names that do not resolve are dropped silently, as long as at least one name resolves. When
     * the permission's own scope set is non-null it is extended in place with the request-level names.
     *
     * @param keycloakAuthorizationRequest current request; its space-separated {@code scope} parameter is merged in
     * @param resourceServer resource server whose scopes are looked up
     * @param scopeStore store used to resolve scope names
     * @param permission ticket permission whose scope names are resolved
     * @return the resolved scopes; empty when no scope was requested at all
     * @throws CorsErrorResponseException ({@code invalid_scope}) when names were requested but none resolved
     */
    private Set<Scope> resolveRequestedScopes(KeycloakAuthorizationRequest keycloakAuthorizationRequest, ResourceServer resourceServer, ScopeStore scopeStore, Permission permission) {
        Set<String> requestedNames;
        if (permission.getScopes() == null) {
            requestedNames = new HashSet<>();
        } else {
            requestedNames = permission.getScopes();
        }
        String scopeParameter = keycloakAuthorizationRequest.getScope();
        if (scopeParameter != null) {
            requestedNames.addAll(Arrays.asList(scopeParameter.split(" ")));
        }
        Set<Scope> resolved = new HashSet<>();
        for (String name : requestedNames) {
            Scope scope = scopeStore.findByName(resourceServer, name);
            if (scope != null) {
                resolved.add(scope);
            }
        }
        if (!requestedNames.isEmpty() && resolved.isEmpty()) {
            WebApplicationException failure = new CorsErrorResponseException(keycloakAuthorizationRequest.getCors(), "invalid_scope", "One of the given scopes " + permission.getScopes() + " is invalid", Response.Status.BAD_REQUEST);
            fireErrorEvent(keycloakAuthorizationRequest.getEvent(), "invalid_request", failure);
            throw failure;
        }
        return resolved;
    }

    /**
     * Returns the permission entry for {@code resource} from {@code map}, creating it when absent.
     *
     * <p>A new entry receives the resource's scopes as resolved by
     * {@link Permissions#resolveScopes}. If scopes were requested but none of them resolve for this
     * resource, no entry is created and {@code null} is returned. Creating an entry consumes one unit
     * of {@code atomicInteger}.
     *
     * @param keycloakAuthorizationRequest current request, supplying the pushed claims
     * @param resourceServer resource server the resource belongs to
     * @param authorizationProvider provider used to resolve scopes
     * @param map permissions collected so far, keyed by resource id; mutated in place
     * @param atomicInteger remaining permission budget, or {@code null} for no limit
     * @param set scopes requested for this permission
     * @param resource resource to add a permission for
     * @return the existing or newly created entry, or {@code null} if none of the requested scopes apply
     */
    private ResourcePermission addPermission(KeycloakAuthorizationRequest keycloakAuthorizationRequest, ResourceServer resourceServer, AuthorizationProvider authorizationProvider, Map<String, ResourcePermission> map, AtomicInteger atomicInteger, Set<Scope> set, Resource resource) {
        ResourcePermission existing = map.get(resource.getId());
        if (existing != null) {
            return existing;
        }
        ResourcePermission created = new ResourcePermission(resource, Permissions.resolveScopes(resource, resourceServer, set, authorizationProvider), resourceServer, keycloakAuthorizationRequest.getClaims());
        if (!set.isEmpty() && created.getScopes().isEmpty()) {
            return null;
        }
        map.put(resource.getId(), created);
        if (atomicInteger != null) {
            atomicInteger.decrementAndGet();
        }
        return created;
    }

    /**
     * Decodes the permission ticket of the request and checks that it is still active.
     *
     * <p>A ticket that cannot be decoded and a ticket that is no longer active are both rejected with
     * a {@code 403} / {@code invalid_ticket} error and an {@code invalid_permission_ticket} event; only
     * the error description differs.
     *
     * @param keycloakAuthorizationRequest current request carrying the encoded ticket
     * @return the decoded, active ticket
     * @throws CorsErrorResponseException when the ticket cannot be decoded or is not active
     */
    private PermissionTicketToken verifyPermissionTicket(KeycloakAuthorizationRequest keycloakAuthorizationRequest) {
        KeycloakSession session = keycloakAuthorizationRequest.getKeycloakSession();
        PermissionTicketToken ticket = session.tokens().decode(keycloakAuthorizationRequest.getTicket(), PermissionTicketToken.class);
        if (ticket != null && ticket.isActive()) {
            return ticket;
        }
        String description = ticket == null ? "Ticket verification failed" : "Invalid permission ticket.";
        WebApplicationException failure = new CorsErrorResponseException(keycloakAuthorizationRequest.getCors(), "invalid_ticket", description, Response.Status.FORBIDDEN);
        fireErrorEvent(keycloakAuthorizationRequest.getEvent(), "invalid_permission_ticket", failure);
        throw failure;
    }

    /**
     * Decides whether the evaluated permissions satisfy the ticket.
     *
     * <p>Nothing is granted when {@code collection} is empty. Otherwise, without an RPT or with a
     * ticket that lists no permissions, the result is granted as-is; with an RPT, every permission
     * the ticket asked for must be present in {@code collection}.
     *
     * @param permissionTicketToken the ticket the client presented
     * @param authorizationRequest the request, used to tell whether an RPT was presented
     * @param collection permissions that the evaluation granted
     * @return {@code true} if the request is granted
     */
    private boolean isGranted(PermissionTicketToken permissionTicketToken, AuthorizationRequest authorizationRequest, Collection<Permission> collection) {
        if (collection.isEmpty()) {
            return false;
        }
        List<Permission> requested = permissionTicketToken.getPermissions();
        if (authorizationRequest.getRpt() == null || requested.isEmpty()) {
            return true;
        }
        return requested.stream().allMatch(collection::contains);
    }

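    /*
     * Registers the supported claim-token formats and builds the singleton. Each format maps the
     * request and the authorization provider to the evaluation context used for policy evaluation.
     */
    static {
        SUPPORTED_CLAIM_TOKEN_FORMATS.put(CLAIM_TOKEN_FORMAT_JWT, (request, authorization) -> {
            KeycloakSession session = authorization.getKeycloakSession();
            Map claims = request.getClaims();
            if (request.getClaimToken() != null) {
                // The claim token on this path is only base64url-decoded and parsed as JSON; no
                // signature is checked here, so the pushed claims carry the caller's trust, not an
                // issuer's.
                try {
                    claims = (Map) JsonSerialization.readValue(Base64Url.decode(request.getClaimToken()), Map.class);
                    request.setClaims(claims);
                } catch (Exception cause) {
                    // Record the failure like every other error path in this class instead of dropping the cause.
                    fireErrorEvent(request.getEvent(), "invalid_request", cause);
                    throw new CorsErrorResponseException(request.getCors(), "invalid_request", "Invalid claims", Response.Status.BAD_REQUEST);
                }
            }
            try {
                IDToken subject = (IDToken) Tokens.getAccessToken(request.getSubjectToken(), session);
                return new DefaultEvaluationContext(new KeycloakIdentity(session, subject), claims, session);
            } catch (Exception cause) {
                fireErrorEvent(request.getEvent(), "invalid_token", cause);
                throw new CorsErrorResponseException(request.getCors(), "unauthorized_client", "Invalid identity", Response.Status.BAD_REQUEST);
            }
        });
        SUPPORTED_CLAIM_TOKEN_FORMATS.put(CLAIM_TOKEN_FORMAT_ID_TOKEN, (request, authorization) -> {
            KeycloakSession session = authorization.getKeycloakSession();
            String subjectToken = request.getSubjectToken();
            if (subjectToken == null) {
                throw new CorsErrorResponseException(request.getCors(), "invalid_request", "Subject token can not be null and must be a valid ID or Access Token", Response.Status.BAD_REQUEST);
            }
            // Signature verification and identity construction are reported separately. With the
            // two try blocks nested, the outer catch swallowed the inner error response, so every
            // failure surfaced as "Invalid signature" and fired two events.
            IDToken idToken;
            try {
                idToken = new TokenManager().verifyIDTokenSignature(session, subjectToken);
            } catch (Exception cause) {
                fireErrorEvent(request.getEvent(), "invalid_signature", cause);
                throw new CorsErrorResponseException(request.getCors(), "unauthorized_client", "Invalid signature", Response.Status.BAD_REQUEST);
            }
            try {
                return new DefaultEvaluationContext(new KeycloakIdentity(session, idToken), request.getClaims(), session);
            } catch (Exception cause) {
                fireErrorEvent(request.getEvent(), "invalid_token", cause);
                throw new CorsErrorResponseException(request.getCors(), "unauthorized_client", "Invalid identity", Response.Status.BAD_REQUEST);
            }
        });
        INSTANCE = new AuthorizationTokenService();
    }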
}
