package org.openfact.services.security;

import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.ForbiddenException;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.representations.AccessToken;
import org.openfact.models.AdminRoles;
import org.openfact.models.OpenfactSession;
import org.openfact.models.OrganizationModel;
import org.openfact.models.OrganizationProvider;
import org.openfact.provider.SingleProviderType;
import org.openfact.services.resource.security.ClientUser;
import org.openfact.services.resource.security.OrganizationAuth;
import org.openfact.services.resource.security.Resource;
import org.openfact.services.resource.security.SecurityContextProvider;

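@SingleProviderType(provider = "restSecurity", value = "keycloak")
@Stateless
/**
 * {@link SecurityContextProvider} backed by the Keycloak servlet adapter.
 *
 * <p>All authorization decisions here are derived from the already-validated
 * {@link AccessToken} that the Keycloak adapter attached to the current
 * {@link HttpServletRequest}; this class performs no token validation of its
 * own and must therefore only be deployed behind that adapter.
 *
 * <p>Two pieces of token content are consulted:
 * <ul>
 *   <li>realm roles plus the client roles of the {@value #KEYCLOAK_CLIENT}
 *       client, for every role check (view/manage/admin);</li>
 *   <li>the custom {@value #KEYCLOAK_ORGANIZATION_USER_ATTRIBUTE} claim, a
 *       string or collection of strings naming the organizations the caller
 *       may see.</li>
 * </ul>
 *
 * <p>NOTE(review): {@code hasOrganizationRole} and {@code hasAppRole} are
 * implemented identically — a role named in the token grants that role for
 * every organization; there is no per-organization scoping of roles in this
 * provider. Callers that need organization-specific authority must combine
 * a role check with {@link #getPermittedOrganizations}.
 */
public class KeycloakSecurityContextProvider implements SecurityContextProvider {
    /** Name of the custom token claim listing the caller's permitted organizations. */
    public static final String KEYCLOAK_ORGANIZATION_USER_ATTRIBUTE = "organization";
    /** Keycloak client id whose client roles are honoured alongside realm roles. */
    public static final String KEYCLOAK_CLIENT = "openfact";

    @Inject
    private OrganizationProvider provider;

    /**
     * Per-resource authorization helper; each check re-reads the token from
     * the session it was created with, so it reflects the current request.
     */
    public class KeycloakOrganizationAuth implements OrganizationAuth {
        private final OpenfactSession session;
        private Resource resource;

        /**
         * @param openfactSession session carrying the current HTTP request
         * @param resource        resource whose view/manage roles are checked
         */
        public KeycloakOrganizationAuth(OpenfactSession openfactSession, Resource resource) {
            this.session = openfactSession;
            this.resource = resource;
        }

        /** Re-targets subsequent checks at a different resource. */
        @Override // org.openfact.services.resource.security.OrganizationAuth
        public void init(Resource resource) {
            this.resource = resource;
        }

        /**
         * Requires that the caller hold at least one of the organization admin roles.
         *
         * @throws ForbiddenException when none of {@link AdminRoles#ALL_ORGANIZATION_ROLES} is present
         */
        @Override // org.openfact.services.resource.security.OrganizationAuth
        public void requireAny() {
            ClientUser user = KeycloakSecurityContextProvider.this.getClientUser(this.session);
            if (!user.hasOneOfAppRole(AdminRoles.ALL_ORGANIZATION_ROLES)) {
                throw new ForbiddenException();
            }
        }

        /**
         * @return {@code true} when the caller holds either the view or the
         *         manage role for the resource (manage implies view)
         */
        @Override // org.openfact.services.resource.security.OrganizationAuth
        public boolean hasView() {
            ClientUser user = KeycloakSecurityContextProvider.this.getClientUser(this.session);
            return user.hasOneOfAppRole(
                    AdminRoles.getViewRole(this.resource),
                    AdminRoles.getManageRole(this.resource));
        }

        /** @return {@code true} when the caller holds the manage role for the resource */
        @Override // org.openfact.services.resource.security.OrganizationAuth
        public boolean hasManage() {
            ClientUser user = KeycloakSecurityContextProvider.this.getClientUser(this.session);
            return user.hasOneOfAppRole(AdminRoles.getManageRole(this.resource));
        }

        /** @throws ForbiddenException when {@link #hasView()} is false */
        @Override // org.openfact.services.resource.security.OrganizationAuth
        public void requireView() {
            if (!hasView()) {
                throw new ForbiddenException();
            }
        }

        /** @throws ForbiddenException when {@link #hasManage()} is false */
        @Override // org.openfact.services.resource.security.OrganizationAuth
        public void requireManage() {
            if (!hasManage()) {
                throw new ForbiddenException();
            }
        }
    }

    /**
     * Extracts the Keycloak access token that the adapter attached to the
     * current request.
     *
     * @param openfactSession session whose context holds the {@link HttpServletRequest}
     * @return the validated access token of the caller
     * @throws IllegalStateException when there is no request, no principal, or
     *         the principal was not produced by the Keycloak adapter (i.e. the
     *         adapter is not installed in front of this application)
     */
    private AccessToken init(OpenfactSession openfactSession) {
        HttpServletRequest request =
                (HttpServletRequest) openfactSession.getContext().getContextObject(HttpServletRequest.class);
        Object principal = request == null ? null : request.getUserPrincipal();
        // An instanceof check (rather than a blind cast) turns a foreign principal
        // into the same clear configuration error as a missing one.
        if (principal instanceof KeycloakPrincipal) {
            return ((KeycloakPrincipal<?>) principal).getKeycloakSecurityContext().getToken();
        }
        throw new IllegalStateException("Could not instantiate KeycloakSecurityContext, check if you installed Keycloak adapter");
    }

    /**
     * Resolves the organizations named in the caller's
     * {@value #KEYCLOAK_ORGANIZATION_USER_ATTRIBUTE} claim.
     *
     * <p>Names that the {@link OrganizationProvider} does not resolve (a
     * {@code null} lookup result) are dropped so callers never iterate nulls.
     *
     * @return permitted organizations, empty when the claim is absent
     */
    @Override // org.openfact.services.resource.security.SecurityContextProvider
    public List<OrganizationModel> getPermittedOrganizations(OpenfactSession openfactSession) {
        Collection<String> names = getPermittedOrganizationNames(init(openfactSession));
        List<OrganizationModel> organizations = names.stream()
                .map(name -> this.provider.getOrganizationByName(name))
                .filter(Objects::nonNull)
                .collect(Collectors.toList());
        return organizations;
    }

    /**
     * Builds a {@link ClientUser} view over the caller's access token.
     *
     * <p>The token is read once, when this method is called; the returned
     * object does not observe later changes to the request.
     */
    @Override // org.openfact.services.resource.security.SecurityContextProvider
    public ClientUser getClientUser(final OpenfactSession openfactSession) {
        final AccessToken token = init(openfactSession);
        return new ClientUser() {
            @Override // org.openfact.services.resource.security.ClientUser
            public String getUsername() {
                return token.getPreferredUsername();
            }

            /** Same semantics as {@link #hasAppRole}: roles are not scoped to an organization. */
            @Override // org.openfact.services.resource.security.ClientUser
            public boolean hasOrganizationRole(String role) {
                return KeycloakSecurityContextProvider.this.hasRole(role, token);
            }

            @Override // org.openfact.services.resource.security.ClientUser
            public boolean hasOneOfOrganizationRole(String... roles) {
                return roles != null && Arrays.stream(roles).anyMatch(this::hasOrganizationRole);
            }

            @Override // org.openfact.services.resource.security.ClientUser
            public boolean hasAppRole(String role) {
                return KeycloakSecurityContextProvider.this.hasRole(role, token);
            }

            @Override // org.openfact.services.resource.security.ClientUser
            public boolean hasOneOfAppRole(String... roles) {
                return roles != null && Arrays.stream(roles).anyMatch(this::hasAppRole);
            }

            @Override // org.openfact.services.resource.security.ClientUser
            public OrganizationAuth organizationAuth(Resource resource) {
                return new KeycloakOrganizationAuth(openfactSession, resource);
            }
        };
    }

    /**
     * Reads the organization names from the token's custom claim.
     *
     * <p>The claim may be a single string or a collection. Only string values
     * are used; a missing claim, a {@code null} value, or entries of any other
     * type yield no names instead of a {@link ClassCastException} (and thus a
     * 500) on an unexpected token shape.
     *
     * @return organization names, never {@code null}
     */
    private Collection<String> getPermittedOrganizationNames(AccessToken accessToken) {
        Map<String, Object> otherClaims = accessToken.getOtherClaims();
        if (otherClaims == null) {
            return Collections.emptyList();
        }
        Object claim = otherClaims.get(KEYCLOAK_ORGANIZATION_USER_ATTRIBUTE);
        if (claim instanceof String) {
            return Collections.singletonList((String) claim);
        }
        if (claim instanceof Collection) {
            return ((Collection<?>) claim).stream()
                    .filter(String.class::isInstance)
                    .map(String.class::cast)
                    .collect(Collectors.toList());
        }
        return Collections.emptyList();
    }

    /**
     * Checks whether the token grants {@code role} either as a realm role or
     * as a client role of {@value #KEYCLOAK_CLIENT}.
     *
     * <p>Tokens without any realm roles have a {@code null} realm access
     * section; that (and a missing client section) is treated as "no roles"
     * rather than dereferenced.
     *
     * @param role        role name to look for
     * @param accessToken the caller's validated token
     * @return {@code true} when the role is present in either section
     */
    public boolean hasRole(String role, AccessToken accessToken) {
        if (containsRole(accessToken.getRealmAccess(), role)) {
            return true;
        }
        return containsRole(accessToken.getResourceAccess(KEYCLOAK_CLIENT), role);
    }

    /** Null-safe membership test on one access section of the token. */
    private static boolean containsRole(AccessToken.Access access, String role) {
        if (access == null) {
            return false;
        }
        Set<String> roles = access.getRoles();
        return roles != null && roles.contains(role);
    }
}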
