package org.keycloak.services.clientregistration.policy.impl;

import java.util.LinkedList;
import java.util.List;
import java.util.stream.Collectors;
import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.services.clientregistration.ClientRegistrationContext;
import org.keycloak.services.clientregistration.ClientRegistrationProvider;
import org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy;
import org.keycloak.services.clientregistration.policy.ClientRegistrationPolicyException;

/* loaded from: input_file:BOOT-INF/lib/keycloak-services-8.0.0.jar:org/keycloak/services/clientregistration/policy/impl/ClientScopesClientRegistrationPolicy.class */
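/**
 * Client registration policy that restricts which client scopes a client may request
 * through the client registration service.
 *
 * <p>The policy is an allow-list. A requested scope name is accepted only when it is
 * listed in the component's {@code ALLOWED_CLIENT_SCOPES} configuration or, when
 * {@code ALLOW_DEFAULT_SCOPES} is enabled (it defaults to {@code true}), is one of the
 * realm's default client scopes of the matching kind. Matching is an exact,
 * case-sensitive {@link List#contains(Object)} comparison on the scope name.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Scope names come from the registration request and are therefore untrusted;
 *       they are neutralised before being written to the log.</li>
 *   <li>A {@code null} requested list is accepted without any check; this class does not
 *       show which scopes are then assigned to the client.</li>
 *   <li>On update, scopes the client already holds are exempt from the check, so
 *       tightening the allow-list does not revoke previously granted scopes.</li>
 * </ul>
 */
public class ClientScopesClientRegistrationPolicy implements ClientRegistrationPolicy {
    private static final Logger logger = Logger.getLogger(ClientScopesClientRegistrationPolicy.class);
    // Stored by the constructor; not read by any method in this class.
    private final KeycloakSession session;
    // Realm resolved from the component's parent id at construction time.
    private final RealmModel realm;
    // Component holding this policy instance's configuration.
    private final ComponentModel componentModel;

    /**
     * Creates the policy for the realm that owns the given component.
     *
     * @param keycloakSession session used to look up the realm
     * @param componentModel component carrying the policy configuration; its parent id is
     *     used as the realm id
     */
    public ClientScopesClientRegistrationPolicy(KeycloakSession keycloakSession, ComponentModel componentModel) {
        this.session = keycloakSession;
        this.componentModel = componentModel;
        this.realm = keycloakSession.realms().getRealm(componentModel.getParentId());
    }

    /**
     * Rejects a registration that requests a default or optional client scope outside
     * the allow-list.
     *
     * @param clientRegistrationContext context holding the requested client representation
     * @throws ClientRegistrationPolicyException if any requested scope is not allowed
     */
    @Override
    public void beforeRegister(ClientRegistrationContext clientRegistrationContext) throws ClientRegistrationPolicyException {
        List<String> requestedDefaultScopes = clientRegistrationContext.getClient().getDefaultClientScopes();
        List<String> requestedOptionalScopes = clientRegistrationContext.getClient().getOptionalClientScopes();

        // Default and optional scopes are validated against separate allow-lists.
        checkClientScopesAllowed(requestedDefaultScopes, getAllowedScopeNames(this.realm, true));
        checkClientScopesAllowed(requestedOptionalScopes, getAllowedScopeNames(this.realm, false));
    }

    /** No post-registration action is needed for this policy. */
    @Override
    public void afterRegister(ClientRegistrationContext clientRegistrationContext, ClientModel clientModel) {
    }

    /**
     * Rejects an update that adds a default or optional client scope outside the
     * allow-list. Scopes already assigned to the client are not re-validated.
     *
     * @param clientRegistrationContext context holding the requested client representation
     * @param clientModel the existing client being updated
     * @throws ClientRegistrationPolicyException if any newly requested scope is not allowed
     */
    @Override
    public void beforeUpdate(ClientRegistrationContext clientRegistrationContext, ClientModel clientModel) throws ClientRegistrationPolicyException {
        List<String> requestedDefaultScopes = clientRegistrationContext.getClient().getDefaultClientScopes();
        List<String> requestedOptionalScopes = clientRegistrationContext.getClient().getOptionalClientScopes();

        // Scopes the client already has are removed from the requested lists so that only
        // newly added scopes are checked.
        // NOTE(review): removeAll mutates the lists owned by the client representation in
        // place; whatever consumes the representation afterwards sees the reduced lists.
        // Kept as-is because callers may depend on it - confirm before changing.
        // NOTE(review): the second getClientScopes argument is presumably "filter by
        // protocol" (false here) - verify against ClientModel.
        if (requestedDefaultScopes != null) {
            requestedDefaultScopes.removeAll(clientModel.getClientScopes(true, false).keySet());
        }
        if (requestedOptionalScopes != null) {
            requestedOptionalScopes.removeAll(clientModel.getClientScopes(false, false).keySet());
        }

        checkClientScopesAllowed(requestedDefaultScopes, getAllowedScopeNames(this.realm, true));
        checkClientScopesAllowed(requestedOptionalScopes, getAllowedScopeNames(this.realm, false));
    }

    /** No post-update action is needed for this policy. */
    @Override
    public void afterUpdate(ClientRegistrationContext clientRegistrationContext, ClientModel clientModel) {
    }

    /** Viewing a client is not restricted by this policy. */
    @Override
    public void beforeView(ClientRegistrationProvider clientRegistrationProvider, ClientModel clientModel) throws ClientRegistrationPolicyException {
    }

    /** Deleting a client is not restricted by this policy. */
    @Override
    public void beforeDelete(ClientRegistrationProvider clientRegistrationProvider, ClientModel clientModel) throws ClientRegistrationPolicyException {
    }

    /**
     * Verifies that every requested scope name is present in the allow-list.
     *
     * @param requestedScopes scope names from the request; {@code null} means nothing to check
     * @param allowedScopes names the policy permits
     * @throws ClientRegistrationPolicyException on the first scope that is not allowed
     */
    private void checkClientScopesAllowed(List<String> requestedScopes, List<String> allowedScopes) throws ClientRegistrationPolicyException {
        if (requestedScopes == null) {
            return;
        }
        for (String requested : requestedScopes) {
            if (!allowedScopes.contains(requested)) {
                // The scope name is request-controlled: neutralise control characters so
                // it cannot break the log line or forge additional entries.
                logger.warnf("Requested scope '%s' not trusted in the list: %s", forLog(requested), allowedScopes.toString());
                // The exception text stays generic and does not echo the allow-list.
                throw new ClientRegistrationPolicyException("Not permitted to use specified clientScope");
            }
        }
    }

    /**
     * Builds the allow-list for one kind of scope.
     *
     * @param realmModel realm whose default client scopes may be included
     * @param defaultScope {@code true} for default scopes, {@code false} for optional scopes
     * @return configured allowed names followed by, when enabled, the realm's default
     *     client scope names of the requested kind; never {@code null}
     */
    private List<String> getAllowedScopeNames(RealmModel realmModel, boolean defaultScope) {
        List<String> allowed = new LinkedList<>();

        List<String> configured = this.componentModel.getConfig().getList(ClientScopesClientRegistrationPolicyFactory.ALLOWED_CLIENT_SCOPES);
        if (configured != null) {
            allowed.addAll(configured);
        }

        // The option defaults to true when the component does not set it.
        if (this.componentModel.get(ClientScopesClientRegistrationPolicyFactory.ALLOW_DEFAULT_SCOPES, true)) {
            allowed.addAll(realmModel.getDefaultClientScopes(defaultScope).stream()
                    .map(clientScopeModel -> clientScopeModel.getName())
                    .collect(Collectors.toList()));
        }
        return allowed;
    }

    /**
     * Returns a log-safe rendering of a request-supplied value: control characters
     * (including CR and LF) are replaced with {@code '_'}, and {@code null} becomes
     * the text {@code "null"}.
     */
    private static String forLog(String value) {
        return String.valueOf(value).replaceAll("\\p{Cntrl}", "_");
    }
}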
