package dk.grinn.keycloak.migration.resource;

import java.io.IOException;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Stream;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.jboss.resteasy.core.ResourceMethodInvoker;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.models.KeycloakContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.UserModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;

/* loaded from: input_file:dk/grinn/keycloak/migration/resource/RealmAccessAuthFilter.class */
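/**
 * JAX-RS request filter that authenticates the caller against Keycloak and enforces the
 * {@code javax.annotation.security} annotations of the matched resource method.
 *
 * <p>Enforcement is opt-in per request: {@link #filter} only acts when an {@code AuthRequest}
 * was registered through {@link #requireAuthentatication}. A request for which nothing was
 * registered passes this filter unchecked, so every resource that needs protection must
 * register before the filter runs.
 *
 * <p>Authorization fails closed: a method with no {@code @RolesAllowed} on itself or its
 * declaring class, and no {@code @PermitAll}, is rejected because the allowed-role set is
 * empty. {@code @PermitAll} skips the role check only; the caller must still be authenticated.
 */
public class RealmAccessAuthFilter implements ContainerRequestFilter {
    private static final Logger LOG = Logger.getLogger(RealmAccessAuthFilter.class);

    // Key under which the per-request AuthRequest is stored.
    private static final String AUTH_REQUEST = RealmAccessAuthFilter.class.getName().concat(".AuthRequest");

    /* loaded from: input_file:dk/grinn/keycloak/migration/resource/RealmAccessAuthFilter$AuthRequest.class */
    /** Per-request authentication state: the session, the realms allowed to call, and the result. */
    private static class AuthRequest {
        final KeycloakSession session;
        final AppAuthManager appAuthManager;
        // Names of the realms whose callers may be authenticated for this request.
        final List<String> realms;
        // Stays null until getAuth() succeeds; null therefore means "not authenticated".
        AuthenticationManager.AuthResult auth = null;

        AuthRequest(KeycloakSession keycloakSession, AppAuthManager appAuthManager, List<String> list) {
            this.appAuthManager = appAuthManager;
            this.session = keycloakSession;
            this.realms = list;
        }

        /**
         * Authenticates the current request, bearer token first and identity cookie second.
         *
         * <p>No authentication is attempted when the request's realm is not in {@code realms}.
         * Whenever no result is obtained the request is aborted with status 401.
         *
         * @param containerRequestContext the request to abort on failure
         * @return the authentication result, or empty when the request was aborted
         */
        Optional<AuthenticationManager.AuthResult> getAuth(ContainerRequestContext containerRequestContext) {
            KeycloakContext context = this.session.getContext();
            if (this.realms.contains(context.getRealm().getName())) {
                this.auth = this.appAuthManager.authenticateBearerToken(this.session, context.getRealm());
                if (this.auth == null) {
                    // Falling back to the identity cookie means a browser session is accepted too.
                    // NOTE(review): cookie auth on state-changing endpoints needs CSRF protection
                    // elsewhere; nothing in this class provides it.
                    this.auth = this.appAuthManager.authenticateIdentityCookie(this.session, context.getRealm());
                    if (this.auth != null && RealmAccessAuthFilter.LOG.isDebugEnabled()) {
                        RealmAccessAuthFilter.LOG.debug("Cookie auth: " + this.auth.getUser().getUsername());
                    }
                } else if (RealmAccessAuthFilter.LOG.isDebugEnabled()) {
                    RealmAccessAuthFilter.LOG.debug("Bearer auth: " + this.auth.getToken().getPreferredUsername());
                }
            }
            if (this.auth == null) {
                containerRequestContext.abortWith(Response.status(401).build());
            }
            return Optional.ofNullable(this.auth);
        }
    }

    /**
     * Marks the current request as requiring authentication by storing an {@code AuthRequest}
     * as an attribute of the session's {@link HttpRequest}.
     *
     * <p>{@link #filter} reads the same key through
     * {@link ContainerRequestContext#getProperty(String)}; presumably RESTEasy backs those
     * properties with the HttpRequest attributes. Verify against the RESTEasy version in use.
     *
     * @param keycloakSession the session of the current request
     * @param appAuthManager the manager used to validate the bearer token or identity cookie
     * @param list names of the realms whose callers are accepted
     */
    public static void requireAuthentatication(KeycloakSession keycloakSession, AppAuthManager appAuthManager, List<String> list) {
        HttpRequest request = (HttpRequest) keycloakSession.getContext().getContextObject(HttpRequest.class);
        request.setAttribute(AUTH_REQUEST, new AuthRequest(keycloakSession, appAuthManager, list));
    }

    /**
     * Returns the authentication result recorded for the current request.
     *
     * @param keycloakSession the session of the current request
     * @return the result, or {@code null} when no {@code AuthRequest} was registered or the
     *     request has not been authenticated; callers must treat {@code null} as unauthenticated
     */
    public static AuthenticationManager.AuthResult getAuthResult(KeycloakSession keycloakSession) {
        HttpRequest request = (HttpRequest) keycloakSession.getContext().getContextObject(HttpRequest.class);
        AuthRequest registered = (AuthRequest) request.getAttribute(AUTH_REQUEST);
        // A missing registration is reported as "no result" instead of a NullPointerException.
        return registered == null ? null : registered.auth;
    }

    /**
     * Authenticates the request and checks roles, but only when an {@code AuthRequest} was
     * registered for it; otherwise the request is let through untouched.
     *
     * @param containerRequestContext the request being filtered
     * @throws IOException declared by the interface; not thrown by this implementation
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        AuthRequest authRequest = (AuthRequest) containerRequestContext.getProperty(AUTH_REQUEST);
        if (authRequest == null) {
            return;
        }
        // getAuth() has already aborted with 401 when it returns empty.
        authRequest.getAuth(containerRequestContext)
                .ifPresent(authResult -> checkRoles(authResult, containerRequestContext));
    }

    /**
     * Applies the method-level {@code @PermitAll} / {@code @DenyAll} annotations and otherwise
     * delegates to the role check, aborting the request when access is refused.
     */
    private void checkRoles(AuthenticationManager.AuthResult authResult, ContainerRequestContext containerRequestContext) {
        // NOTE(review): assumes the invoker property is set, i.e. the filter runs after resource
        // matching; a missing property raises a NullPointerException here.
        ResourceMethodInvoker invoker =
                (ResourceMethodInvoker) containerRequestContext.getProperty("org.jboss.resteasy.core.ResourceMethodInvoker");
        Method method = invoker.getMethod();
        if (method.isAnnotationPresent(PermitAll.class)) {
            return;
        }
        if (method.isAnnotationPresent(DenyAll.class)) {
            // NOTE(review): the caller is authenticated at this point, so 403 would be the
            // conventional status; 401 is kept because clients may depend on it.
            containerRequestContext.abortWith(Response.status(401).build());
        } else {
            checkRoles(authResult, method)
                    .ifPresent(responseBuilder -> containerRequestContext.abortWith(responseBuilder.build()));
        }
    }

    /**
     * Collects the roles allowed for {@code method} and checks them against the caller.
     *
     * <p>{@code @RolesAllowed} on the method wins over the one on the declaring class. With
     * neither present, a class-level {@code @PermitAll} grants access; without it the role set
     * stays empty and the check below refuses access.
     *
     * @return a response builder describing the refusal, or empty when access is granted
     */
    private Optional<Response.ResponseBuilder> checkRoles(AuthenticationManager.AuthResult authResult, Method method) {
        Set<String> allowedRoles = new HashSet<>();
        Class<?> declaringClass = method.getDeclaringClass();
        if (method.isAnnotationPresent(RolesAllowed.class)) {
            allowedRoles.addAll(Arrays.asList(method.getAnnotation(RolesAllowed.class).value()));
        } else if (declaringClass.isAnnotationPresent(RolesAllowed.class)) {
            allowedRoles.addAll(Arrays.asList(declaringClass.getAnnotation(RolesAllowed.class).value()));
        } else if (declaringClass.isAnnotationPresent(PermitAll.class)) {
            return Optional.empty();
        }
        // Prefer the realm roles carried by the token; without them (for example cookie
        // authentication) fall back to the user's realm role mappings.
        boolean tokenHasRealmAccess = authResult.getToken() != null && authResult.getToken().getRealmAccess() != null;
        return tokenHasRealmAccess
                ? checkRoles(allowedRoles, authResult.getToken())
                : checkRoles(allowedRoles, authResult.getUser());
    }

    /**
     * Grants access when the token's realm access contains at least one of the allowed roles.
     *
     * @return empty when a role matches, otherwise a 401 response builder
     */
    private Optional<Response.ResponseBuilder> checkRoles(Set<String> set, AccessToken accessToken) {
        AccessToken.Access realmAccess = accessToken.getRealmAccess();
        Objects.requireNonNull(realmAccess);
        Optional<String> matchedRole = set.stream().filter(realmAccess::isUserInRole).findFirst();
        if (!matchedRole.isPresent()) {
            return Optional.of(Response.status(401));
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("First matched role: " + matchedRole.get());
        }
        return Optional.empty();
    }

    /**
     * Grants access when one of the user's realm role mappings is among the allowed roles.
     *
     * @return empty when a role matches, otherwise a 401 response builder
     */
    private Optional<Response.ResponseBuilder> checkRoles(Set<String> set, UserModel userModel) {
        Objects.requireNonNull(set);
        Stream<String> roleNames = userModel.getRealmRoleMappings().stream().map(role -> role.getName());
        // The decompiled listing referenced an undefined "r1" here; the membership test is
        // against the allowed-role set.
        Optional<String> matchedRole = roleNames.filter(set::contains).findFirst();
        if (!matchedRole.isPresent()) {
            return Optional.of(Response.status(401));
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("First matched role: " + matchedRole.get());
        }
        return Optional.empty();
    }
}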
