package io.quarkus.keycloak.pep.runtime;

import io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerTenantConfig;
import io.quarkus.oidc.OIDCException;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.common.runtime.OidcCommonConfig;
import io.quarkus.oidc.common.runtime.OidcTlsSupport;
import io.quarkus.oidc.runtime.OidcConfig;
import io.quarkus.runtime.configuration.ConfigurationException;
import java.net.URI;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.representations.adapters.config.AdapterHttpClientConfig;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;

/* loaded from: input_file:io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerUtil.class */
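/**
 * Translates a Quarkus OIDC tenant and its Keycloak policy-enforcer settings into a Keycloak
 * {@link PolicyEnforcer}.
 *
 * <p>All methods are static and stateless; the class is not meant to be instantiated.
 */
public final class KeycloakPolicyEnforcerUtil {

    /** Tenant id under which the default (unnamed) OIDC tenant is exposed. */
    private static final String DEFAULT_TENANT_ID = "Default";

    private KeycloakPolicyEnforcerUtil() {
    }

    /**
     * Builds a {@link PolicyEnforcer} for one tenant.
     *
     * @param oidcTenantConfig                  the tenant's OIDC settings (auth server URL, client id,
     *                                          credentials, TLS, proxy)
     * @param keycloakPolicyEnforcerTenantConfig the tenant's policy-enforcer settings (paths, caches,
     *                                          claim information points)
     * @param tlsConfigSupport                  TLS source: either the TLS registry's SSL context or the
     *                                          per-tenant trust-store settings
     * @return a configured, built policy enforcer
     * @throws OIDCException          if the tenant is a {@code web-app} whose roles are not sourced from
     *                                the access token
     * @throws ConfigurationException if the auth-server-url or client-id is missing, the realm cannot
     *                                be derived from the auth-server-url, or any later step of the
     *                                adapter/enforcer construction fails
     */
    public static PolicyEnforcer createPolicyEnforcer(OidcTenantConfig oidcTenantConfig,
            KeycloakPolicyEnforcerTenantConfig keycloakPolicyEnforcerTenantConfig,
            OidcTlsSupport.TlsConfigSupport tlsConfigSupport) {
        boolean webApp = oidcTenantConfig.applicationType.orElse(OidcTenantConfig.ApplicationType.SERVICE)
                == OidcTenantConfig.ApplicationType.WEB_APP;
        boolean rolesFromAccessToken = oidcTenantConfig.roles.source.orElse(null)
                == OidcTenantConfig.Roles.Source.accesstoken;
        if (webApp && !rolesFromAccessToken) {
            throw new OIDCException("Application 'web-app' type is only supported if access token is the source of roles");
        }

        // Fail with a configuration error instead of a bare NoSuchElementException when either is absent.
        String authServerUrl = oidcTenantConfig.getAuthServerUrl().orElseThrow(
                () -> new ConfigurationException("Keycloak policy enforcer requires the OIDC auth-server-url to be configured."));
        String clientId = oidcTenantConfig.getClientId().orElseThrow(
                () -> new ConfigurationException("Keycloak policy enforcer requires the OIDC client-id to be configured."));

        AdapterConfig adapterConfig = new AdapterConfig();
        applyRealmAndServerUrl(adapterConfig, authServerUrl);
        try {
            adapterConfig.setResource(clientId);
            adapterConfig.setCredentials(getCredentials(oidcTenantConfig));
            applyTlsSettings(adapterConfig, oidcTenantConfig, tlsConfigSupport);
            adapterConfig.setConnectionPoolSize(keycloakPolicyEnforcerTenantConfig.connectionPoolSize());
            applyProxySettings(adapterConfig, oidcTenantConfig, authServerUrl);

            PolicyEnforcerConfig policyEnforcerConfig = getPolicyEnforcerConfig(keycloakPolicyEnforcerTenantConfig);
            adapterConfig.setPolicyEnforcerConfig(policyEnforcerConfig);

            // HttpClientBuilder is a same-package class (not imported); the SSL context comes from the
            // TLS support so registry-managed TLS wins over the adapter-level trust-store settings.
            return PolicyEnforcer.builder()
                    .authServerUrl(adapterConfig.getAuthServerUrl())
                    .realm(adapterConfig.getRealm())
                    .clientId(adapterConfig.getResource())
                    .credentials(adapterConfig.getCredentials())
                    .bearerOnly(adapterConfig.isBearerOnly())
                    .enforcerConfig(policyEnforcerConfig)
                    .httpClient(new HttpClientBuilder().sslContext(tlsConfigSupport.getSslContext()).build(adapterConfig))
                    .build();
        } catch (Exception e) {
            // Failures after realm parsing (TLS, proxy, path mapping, enforcer construction) are still
            // surfaced as a ConfigurationException, but no longer under the misleading realm message.
            throw new ConfigurationException("Failed to create the Keycloak policy enforcer.", e);
        }
    }

    /**
     * Derives the realm name and the adapter's base server URL from an auth-server URL of the form
     * {@code <server>/realms/<realm>}.
     *
     * @throws ConfigurationException if the URL does not contain {@code /realms}
     */
    private static void applyRealmAndServerUrl(AdapterConfig adapterConfig, String authServerUrl) {
        // The realm is the last path segment; the adapter wants everything before "/realms".
        int realmsIndex = authServerUrl.lastIndexOf("/realms");
        if (realmsIndex < 0) {
            throw new ConfigurationException("Failed to parse the realm name.");
        }
        adapterConfig.setRealm(authServerUrl.substring(authServerUrl.lastIndexOf('/') + 1));
        adapterConfig.setAuthServerUrl(authServerUrl.substring(0, realmsIndex));
    }

    /**
     * Copies the tenant's TLS settings onto the adapter when TLS is not handled by the TLS registry.
     *
     * <p>A verification mode of {@code NONE} (or, when no mode is set, the global trust-all switch)
     * disables both certificate-chain and hostname verification on the adapter; otherwise a configured
     * trust store is used, with hostname verification relaxed only for {@code CERTIFICATE_VALIDATION}.
     */
    private static void applyTlsSettings(AdapterConfig adapterConfig, OidcTenantConfig oidcTenantConfig,
            OidcTlsSupport.TlsConfigSupport tlsConfigSupport) {
        if (tlsConfigSupport.useTlsRegistry()) {
            // The SSL context is supplied to the HTTP client in createPolicyEnforcer instead.
            return;
        }
        boolean trustAll = oidcTenantConfig.tls.getVerification()
                .map(verification -> verification == OidcCommonConfig.Tls.Verification.NONE)
                .orElseGet(tlsConfigSupport::isGlobalTrustAll);
        if (trustAll) {
            // Explicitly requested: no chain validation and no hostname check for this tenant.
            adapterConfig.setDisableTrustManager(true);
            adapterConfig.setAllowAnyHostname(true);
        } else if (oidcTenantConfig.tls.trustStoreFile.isPresent()) {
            adapterConfig.setTruststore(oidcTenantConfig.tls.trustStoreFile.get().toString());
            // NOTE(review): a literal fallback password is kept for compatibility when none is
            // configured; operators should set the trust-store password explicitly.
            adapterConfig.setTruststorePassword(oidcTenantConfig.tls.trustStorePassword.orElse("password"));
            if (OidcCommonConfig.Tls.Verification.CERTIFICATE_VALIDATION
                    == oidcTenantConfig.tls.verification.orElse(OidcCommonConfig.Tls.Verification.REQUIRED)) {
                // Chain is still validated; only the hostname match is skipped.
                adapterConfig.setAllowAnyHostname(true);
            }
        }
    }

    /**
     * Sets the adapter's proxy URL from the tenant's proxy host/port, if a host is configured.
     * A host without a scheme inherits the scheme of {@code authServerUrl}.
     */
    private static void applyProxySettings(AdapterConfig adapterConfig, OidcTenantConfig oidcTenantConfig,
            String authServerUrl) {
        if (!oidcTenantConfig.proxy.host.isPresent()) {
            return;
        }
        String proxyUrl = oidcTenantConfig.proxy.host.get();
        if (!proxyUrl.startsWith("http://") && !proxyUrl.startsWith("https://")) {
            proxyUrl = URI.create(authServerUrl).getScheme() + "://" + proxyUrl;
        }
        adapterConfig.setProxyUrl(proxyUrl + ":" + oidcTenantConfig.proxy.port);
    }

    /**
     * Builds the adapter credentials map: only the client secret is forwarded, under the
     * {@code "secret"} key, and only when one is configured.
     *
     * @return a mutable map with zero or one entry
     */
    private static Map<String, Object> getCredentials(OidcTenantConfig oidcTenantConfig) {
        Map<String, Object> credentials = new HashMap<>();
        oidcTenantConfig.getCredentials().getSecret().ifPresent(secret -> credentials.put("secret", secret));
        return credentials;
    }

    /**
     * Merges the simple and complex claim-information-point settings into the map shape Keycloak expects
     * ({@code cip name -> (key -> value)}).
     *
     * <p>Simple entries whose key contains a {@code '.'} are skipped (see {@link #isNotComplexConfigKey});
     * complex entries with a null or empty value map are skipped. Empty groups are not emitted.
     */
    private static Map<String, Map<String, Object>> getClaimInformationPointConfig(
            KeycloakPolicyEnforcerTenantConfig.KeycloakConfigPolicyEnforcer.ClaimInformationPointConfig claimInformationPointConfig) {
        Map<String, Map<String, Object>> result = new HashMap<>();

        for (Map.Entry<String, Map<String, String>> group : claimInformationPointConfig.simpleConfig().entrySet()) {
            Map<String, Object> simple = new HashMap<>();
            for (Map.Entry<String, String> kv : group.getValue().entrySet()) {
                if (isNotComplexConfigKey(kv.getKey())) {
                    simple.put(kv.getKey(), kv.getValue());
                }
            }
            if (!simple.isEmpty()) {
                result.put(group.getKey(), simple);
            }
        }

        for (Map.Entry<String, Map<String, Map<String, String>>> group : claimInformationPointConfig.complexConfig().entrySet()) {
            Map<String, Object> complex = new HashMap<>();
            for (Map.Entry<String, Map<String, String>> kv : group.getValue().entrySet()) {
                if (kv.getValue() != null && !kv.getValue().isEmpty()) {
                    complex.put(kv.getKey(), kv.getValue());
                }
            }
            if (!complex.isEmpty()) {
                // A group may already exist from the simple section; merge rather than replace.
                result.computeIfAbsent(group.getKey(), key -> new HashMap<>()).putAll(complex);
            }
        }
        return result;
    }

    /**
     * Converts the tenant's policy-enforcer settings (modes, path cache, claim information points and
     * per-path rules) into Keycloak's {@link PolicyEnforcerConfig}.
     */
    private static PolicyEnforcerConfig getPolicyEnforcerConfig(KeycloakPolicyEnforcerTenantConfig keycloakPolicyEnforcerTenantConfig) {
        KeycloakPolicyEnforcerTenantConfig.KeycloakConfigPolicyEnforcer enforcer = keycloakPolicyEnforcerTenantConfig.policyEnforcer();

        PolicyEnforcerConfig policyEnforcerConfig = new PolicyEnforcerConfig();
        policyEnforcerConfig.setLazyLoadPaths(enforcer.lazyLoadPaths());
        policyEnforcerConfig.setEnforcementMode(enforcer.enforcementMode());
        policyEnforcerConfig.setHttpMethodAsScope(enforcer.httpMethodAsScope());

        KeycloakPolicyEnforcerTenantConfig.KeycloakConfigPolicyEnforcer.PathCacheConfig pathCache = enforcer.pathCache();
        PolicyEnforcerConfig.PathCacheConfig pathCacheConfig = new PolicyEnforcerConfig.PathCacheConfig();
        pathCacheConfig.setLifespan(pathCache.lifespan());
        pathCacheConfig.setMaxEntries(pathCache.maxEntries());
        policyEnforcerConfig.setPathCacheConfig(pathCacheConfig);

        policyEnforcerConfig.setClaimInformationPointConfig(getClaimInformationPointConfig(enforcer.claimInformationPoint()));

        List<PolicyEnforcerConfig.PathConfig> paths = enforcer.paths().values().stream()
                .flatMap(KeycloakPolicyEnforcerUtil::toKeycloakPathConfigs)
                .collect(Collectors.toList());
        policyEnforcerConfig.setPaths(paths);
        return policyEnforcerConfig;
    }

    /**
     * Expands one Quarkus path entry into Keycloak path entries: one per configured path, or a single
     * entry with a {@code null} path when the entry configures no path at all.
     */
    private static Stream<PolicyEnforcerConfig.PathConfig> toKeycloakPathConfigs(
            KeycloakPolicyEnforcerTenantConfig.KeycloakConfigPolicyEnforcer.PathConfig pathConfig) {
        Set<String> paths = getPathConfigPaths(pathConfig);
        if (paths.isEmpty()) {
            return Stream.of(createKeycloakPathConfig(pathConfig, null));
        }
        return paths.stream().map(path -> createKeycloakPathConfig(pathConfig, path));
    }

    /**
     * Collects the single {@code path} and the {@code paths} list of an entry into one set.
     *
     * @return a mutable set, empty when neither is configured
     */
    private static Set<String> getPathConfigPaths(KeycloakPolicyEnforcerTenantConfig.KeycloakConfigPolicyEnforcer.PathConfig pathConfig) {
        Set<String> paths = new HashSet<>();
        pathConfig.path().ifPresent(paths::add);
        pathConfig.paths().ifPresent(paths::addAll);
        return paths;
    }

    /**
     * Builds a Keycloak path entry for {@code path} (may be {@code null}) from a Quarkus path entry,
     * including its methods and claim-information-point settings.
     */
    private static PolicyEnforcerConfig.PathConfig createKeycloakPathConfig(
            KeycloakPolicyEnforcerTenantConfig.KeycloakConfigPolicyEnforcer.PathConfig pathConfig, String path) {
        PolicyEnforcerConfig.PathConfig keycloakPath = new PolicyEnforcerConfig.PathConfig();
        keycloakPath.setName(pathConfig.name().orElse(null));
        keycloakPath.setPath(path);
        keycloakPath.setEnforcementMode(pathConfig.enforcementMode());
        List<PolicyEnforcerConfig.MethodConfig> methods = pathConfig.methods().values().stream()
                .map(KeycloakPolicyEnforcerUtil::createKeycloakMethodConfig)
                .collect(Collectors.toList());
        keycloakPath.setMethods(methods);
        keycloakPath.setClaimInformationPointConfig(getClaimInformationPointConfig(pathConfig.claimInformationPoint()));
        return keycloakPath;
    }

    /** Copies method, scopes and scope enforcement mode into a Keycloak method entry. */
    private static PolicyEnforcerConfig.MethodConfig createKeycloakMethodConfig(
            KeycloakPolicyEnforcerTenantConfig.KeycloakConfigPolicyEnforcer.MethodConfig methodConfig) {
        PolicyEnforcerConfig.MethodConfig keycloakMethod = new PolicyEnforcerConfig.MethodConfig();
        keycloakMethod.setMethod(methodConfig.method());
        keycloakMethod.setScopes(methodConfig.scopes());
        keycloakMethod.setScopesEnforcementMode(methodConfig.scopesEnforcementMode());
        return keycloakMethod;
    }

    /** A key without a {@code '.'} belongs to the simple (flat) claim-information-point form. */
    private static boolean isNotComplexConfigKey(String key) {
        return !key.contains(".");
    }

    /**
     * Resolves the OIDC tenant configuration for {@code tenantId}.
     *
     * @param oidcConfig the root OIDC configuration
     * @param tenantId   the tenant to look up; {@code null} or {@code "Default"} selects the default tenant
     * @return the wrapped tenant configuration
     * @throws ConfigurationException if no named tenant with that id exists
     */
    public static OidcTenantConfig getOidcTenantConfig(OidcConfig oidcConfig, String tenantId) {
        if (tenantId == null || DEFAULT_TENANT_ID.equals(tenantId)) {
            return new OidcTenantConfig(OidcConfig.getDefaultTenant(oidcConfig), DEFAULT_TENANT_ID);
        }
        io.quarkus.oidc.runtime.OidcTenantConfig namedTenant = oidcConfig.namedTenants().get(tenantId);
        if (namedTenant == null) {
            throw new ConfigurationException("Failed to find a matching OidcTenantConfig for tenant: " + tenantId);
        }
        return new OidcTenantConfig(namedTenant, tenantId);
    }
}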
