package org.keycloak.services.util;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.RoleUtils;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:BOOT-INF/lib/keycloak-services-8.0.0.jar:org/keycloak/services/util/DefaultClientSessionContext.class */
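/**
 * {@link ClientSessionContext} backed by one authenticated client session and a fixed set of
 * requested client-scope ids.
 *
 * <p>Client scopes, roles, protocol mappers and the user's role mappings are resolved lazily on
 * first access and then kept for the lifetime of the instance. A role or scope change made after
 * the first access is therefore not reflected by this object. The lazy fields and the attribute
 * map are not synchronized; NOTE(review): this presumably relies on instances being confined to
 * one request/thread, confirm against callers.
 *
 * <p>Everything derived here ({@link #getRoles()}, {@link #getProtocolMappers()},
 * {@link #getScopeString()}) goes through {@link #getClientScopes()}, so the per-user filter in
 * {@code isClientScopePermittedForUser} is the single place where a requested scope is accepted
 * or dropped.
 */
public class DefaultClientSessionContext implements ClientSessionContext {
    private static final Logger logger = Logger.getLogger(DefaultClientSessionContext.class);

    private final AuthenticatedClientSessionModel clientSession;
    // Stored by reference, not copied: see fromClientSessionAndClientScopeIds.
    private final Set<String> clientScopeIds;
    private final Map<String, Object> attributes = new HashMap<>();

    // Lazily populated caches; null means "not loaded yet".
    private Set<ClientScopeModel> clientScopes;
    private Set<RoleModel> roles;
    private Set<ProtocolMapperModel> protocolMappers;
    private Set<RoleModel> userRoles;

    private DefaultClientSessionContext(AuthenticatedClientSessionModel session, Set<String> scopeIds) {
        this.clientSession = session;
        this.clientScopeIds = scopeIds;
    }

    /**
     * Builds a context from the {@code "scope"} note stored on the client session.
     *
     * @param authenticatedClientSessionModel session whose {@code "scope"} note and client are used
     * @return a new context for the scopes resolved from that note
     */
    public static DefaultClientSessionContext fromClientSessionScopeParameter(AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        String scopeNote = authenticatedClientSessionModel.getNote("scope");
        return fromClientSessionAndScopeParameter(authenticatedClientSessionModel, scopeNote);
    }

    /**
     * Builds a context from an explicit scope parameter, resolved for the session's client by
     * {@link TokenManager#getRequestedClientScopes}.
     *
     * @param authenticatedClientSessionModel session supplying the client
     * @param str scope parameter value handed to {@code TokenManager}
     * @return a new context for the resolved scopes
     */
    public static DefaultClientSessionContext fromClientSessionAndScopeParameter(AuthenticatedClientSessionModel authenticatedClientSessionModel, String str) {
        Set<ClientScopeModel> requested =
                TokenManager.getRequestedClientScopes(str, authenticatedClientSessionModel.getClient());
        return fromClientSessionAndClientScopes(authenticatedClientSessionModel, requested);
    }

    /**
     * Builds a context directly from client-scope ids.
     *
     * <p>The set is stored as passed, without a defensive copy, and is also what
     * {@link #getClientScopeIds()} returns. A caller that mutates it before the first
     * {@link #getClientScopes()} call changes which scopes get resolved.
     *
     * @param authenticatedClientSessionModel session the context is bound to
     * @param set client-scope ids to resolve later
     * @return a new context
     */
    public static DefaultClientSessionContext fromClientSessionAndClientScopeIds(AuthenticatedClientSessionModel authenticatedClientSessionModel, Set<String> set) {
        return new DefaultClientSessionContext(authenticatedClientSessionModel, set);
    }

    /**
     * Builds a context from already-resolved client scopes; only their ids are retained, so the
     * models are looked up again (and filtered per user) on first access.
     *
     * @param authenticatedClientSessionModel session the context is bound to
     * @param set client scopes whose ids are collected
     * @return a new context
     */
    public static DefaultClientSessionContext fromClientSessionAndClientScopes(AuthenticatedClientSessionModel authenticatedClientSessionModel, Set<ClientScopeModel> set) {
        Set<String> scopeIds = new HashSet<>();
        for (ClientScopeModel scope : set) {
            scopeIds.add(scope.getId());
        }
        return new DefaultClientSessionContext(authenticatedClientSessionModel, scopeIds);
    }

    /** @return the client session this context was created for */
    @Override
    public AuthenticatedClientSessionModel getClientSession() {
        return this.clientSession;
    }

    /**
     * @return the requested client-scope ids exactly as supplied at construction; this is the
     *     internal set, not a copy, and it is not filtered by user permissions
     */
    @Override
    public Set<String> getClientScopeIds() {
        return this.clientScopeIds;
    }

    /**
     * @return the client scopes that resolved to a model and passed the per-user check; loaded on
     *     first call and cached afterwards
     */
    @Override
    public Set<ClientScopeModel> getClientScopes() {
        if (this.clientScopes == null) {
            this.clientScopes = loadClientScopes();
        }
        return this.clientScopes;
    }

    /**
     * @return the roles computed by {@link TokenManager#getAccess} for the session's user, client
     *     and permitted client scopes; loaded on first call and cached afterwards
     */
    @Override
    public Set<RoleModel> getRoles() {
        if (this.roles == null) {
            this.roles = loadRoles();
        }
        return this.roles;
    }

    /**
     * @return protocol mappers of the permitted client scopes that match the client's protocol;
     *     loaded on first call and cached afterwards
     */
    @Override
    public Set<ProtocolMapperModel> getProtocolMappers() {
        if (this.protocolMappers == null) {
            this.protocolMappers = loadProtocolMappers();
        }
        return this.protocolMappers;
    }

    /** Returns the user's deep role mappings, loading them once. */
    private Set<RoleModel> getUserRoles() {
        if (this.userRoles == null) {
            this.userRoles = loadUserRoles();
        }
        return this.userRoles;
    }

    /**
     * Joins the names of the permitted client scopes with single spaces.
     *
     * <p>Scopes that are themselves a {@link ClientModel}, and scopes whose
     * {@code isIncludeInTokenScope()} is false, are left out. When the session's original
     * {@code "scope"} note is an OIDC request according to {@link TokenUtil#isOIDCRequest}, the
     * result is passed through {@link TokenUtil#attachOIDCScope}.
     *
     * @return the scope string for this context
     */
    @Override
    public String getScopeString() {
        StringBuilder joined = new StringBuilder();
        boolean first = true;
        for (ClientScopeModel scope : getClientScopes()) {
            if (scope instanceof ClientModel || !scope.isIncludeInTokenScope()) {
                continue;
            }
            if (!first) {
                joined.append(" ");
            }
            first = false;
            joined.append(scope.getName());
        }
        String scopeString = joined.toString();
        if (TokenUtil.isOIDCRequest(this.clientSession.getNote("scope"))) {
            scopeString = TokenUtil.attachOIDCScope(scopeString);
        }
        return scopeString;
    }

    /**
     * Stores an arbitrary value under {@code str}, replacing any previous value.
     *
     * @param str attribute name
     * @param obj attribute value
     */
    @Override
    public void setAttribute(String str, Object obj) {
        this.attributes.put(str, obj);
    }

    /**
     * Reads an attribute and casts it to the requested type.
     *
     * @param str attribute name
     * @param cls expected type of the stored value
     * @return the stored value, or {@code null} when nothing is stored under {@code str}
     * @throws ClassCastException if the stored value is not an instance of {@code cls}
     */
    @Override
    public <T> T getAttribute(String str, Class<T> cls) {
        return cls.cast(this.attributes.get(str));
    }

    /**
     * Resolves each requested scope id to a model and keeps the ones permitted for the user.
     *
     * <p>Ids that do not resolve are skipped without any log entry. Scopes rejected by the
     * per-user check are reported at TRACE level only, so at ordinary log levels a dropped scope
     * is visible solely through its absence from the result.
     */
    private Set<ClientScopeModel> loadClientScopes() {
        Set<ClientScopeModel> permitted = new HashSet<>();
        for (String scopeId : this.clientScopeIds) {
            ClientModel client = this.clientSession.getClient();
            ClientScopeModel scope = KeycloakModelUtils.findClientScopeById(client.getRealm(), client, scopeId);
            if (scope == null) {
                continue;
            }
            if (isClientScopePermittedForUser(scope)) {
                permitted.add(scope);
            } else if (logger.isTraceEnabled()) {
                logger.tracef("User '%s' not permitted to have client scope '%s'", this.clientSession.getUserSession().getUser().getUsername(), scope.getName());
            }
        }
        return permitted;
    }

    /**
     * Decides whether a requested scope is kept for the session's user.
     *
     * <p>A scope that is itself a {@link ClientModel} is always kept. A client scope with no role
     * scope mappings is kept for every user: an empty mapping set means "unrestricted", not
     * "denied". Otherwise the user must hold at least one role from the composite-expanded scope
     * mappings.
     */
    private boolean isClientScopePermittedForUser(ClientScopeModel scope) {
        if (scope instanceof ClientModel) {
            return true;
        }
        Set<RoleModel> scopeMappings = scope.getScopeMappings();
        if (scopeMappings.isEmpty()) {
            return true;
        }
        // retainAll mutates the set returned by expandCompositeRoles; assumes that helper hands
        // back a fresh mutable set rather than the scope's own mappings. TODO confirm.
        Set<RoleModel> granted = RoleUtils.expandCompositeRoles(scopeMappings);
        granted.retainAll(getUserRoles());
        return !granted.isEmpty();
    }

    /** Delegates to {@link TokenManager#getAccess} using only the permitted client scopes. */
    private Set<RoleModel> loadRoles() {
        return TokenManager.getAccess(this.clientSession.getUserSession().getUser(), this.clientSession.getClient(), getClientScopes());
    }

    /**
     * Collects the protocol mappers of the permitted scopes whose protocol equals the client's.
     * A client without a protocol is treated as {@code openid-connect} and a warning is logged.
     */
    private Set<ProtocolMapperModel> loadProtocolMappers() {
        Set<ClientScopeModel> scopes = getClientScopes();
        String protocol = this.clientSession.getClient().getProtocol();
        if (protocol == null) {
            logger.warnf("Client '%s' doesn't have protocol set. Fallback to openid-connect. Please fix client configuration", this.clientSession.getClient().getClientId());
            protocol = "openid-connect";
        }
        Set<ProtocolMapperModel> matching = new HashSet<>();
        for (ClientScopeModel scope : scopes) {
            for (ProtocolMapperModel mapper : scope.getProtocolMappers()) {
                if (protocol.equals(mapper.getProtocol())) {
                    matching.add(mapper);
                }
            }
        }
        return matching;
    }

    /** Delegates to {@link RoleUtils#getDeepUserRoleMappings} for the session's user. */
    private Set<RoleModel> loadUserRoles() {
        return RoleUtils.getDeepUserRoleMappings(this.clientSession.getUserSession().getUser());
    }
}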
