package org.keycloak.services.clientpolicy.condition;

import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequest;
import org.keycloak.protocol.oidc.grants.ciba.channel.CIBAAuthenticationRequest;
import org.keycloak.protocol.oidc.grants.ciba.clientpolicy.context.BackchannelAuthenticationRequestContext;
import org.keycloak.protocol.oidc.grants.ciba.clientpolicy.context.BackchannelTokenRequestContext;
import org.keycloak.protocol.oidc.grants.ciba.clientpolicy.context.BackchannelTokenResponseContext;
import org.keycloak.representations.idm.ClientPolicyConditionConfigurationRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.ClientPolicyVote;
import org.keycloak.services.clientpolicy.context.AuthorizationRequestContext;
import org.keycloak.services.clientpolicy.context.ServiceAccountTokenRequestContext;
import org.keycloak.services.clientpolicy.context.ServiceAccountTokenResponseContext;
import org.keycloak.services.clientpolicy.context.TokenRequestContext;
import org.keycloak.services.clientpolicy.context.TokenResponseContext;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;

/* loaded from: input_file:org/keycloak/services/clientpolicy/condition/ClientScopesCondition.class */
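/**
 * Client-policy condition that votes on whether a request involves one of the configured client scopes.
 *
 * <p>Two matching modes are implemented, selected by {@link Configuration#getType()}:
 * <ul>
 *   <li>type equal to {@code ClientScopesConditionFactory.DEFAULT}: matches when at least one configured
 *       scope is among the client's default client scopes; the scope string of the request is ignored;</li>
 *   <li>any other type value, including {@code null}: matches when at least one scope is requested
 *       explicitly, is configured on this condition, and is among the client's optional client scopes.</li>
 * </ul>
 *
 * <p>NOTE(review): a {@code NO} vote presumably means the enclosing policy is not applied to the request.
 * In the second mode the outcome depends on the scope string supplied with the request, so controls that
 * must hold for every request of a client should not rely on that mode alone. Confirm against the policy
 * manager.
 */
public class ClientScopesCondition extends AbstractClientPolicyConditionProvider<ClientScopesCondition.Configuration> {
    private static final Logger logger = Logger.getLogger(ClientScopesCondition.class);

    /**
     * Configuration of the condition: the matching mode and the scope names to look for.
     */
    public static class Configuration extends ClientPolicyConditionConfigurationRepresentation {
        // Matching mode; compared against ClientScopesConditionFactory.DEFAULT when the condition is evaluated.
        protected String type;
        // Scope names the condition looks for; when null the condition never matches.
        protected List<String> scopes;

        /** @return the configured matching mode, possibly {@code null} */
        public String getType() {
            return this.type;
        }

        /** @param str the matching mode to use */
        public void setType(String str) {
            this.type = str;
        }

        /** @return the configured scope names, possibly {@code null} */
        public List<String> getScopes() {
            return this.scopes;
        }

        /** @param list the scope names to match against */
        public void setScopes(List<String> list) {
            this.scopes = list;
        }
    }

    /**
     * Creates the condition for the given session.
     *
     * @param keycloakSession session handed to the parent provider
     */
    public ClientScopesCondition(KeycloakSession keycloakSession) {
        super(keycloakSession);
    }

    /** @return the configuration class of this condition */
    public Class<Configuration> getConditionConfigurationClass() {
        return Configuration.class;
    }

    /** @return the provider id declared by {@code ClientScopesConditionFactory} */
    public String getProviderId() {
        return ClientScopesConditionFactory.PROVIDER_ID;
    }

    /**
     * Votes on whether the scopes involved in the given event match this condition.
     *
     * @param clientPolicyContext context of the event being evaluated
     * @return {@code YES} or {@code NO} for the authorization, token, service-account and backchannel
     *         (CIBA) events handled below, {@code ABSTAIN} for every other event
     * @throws ClientPolicyException declared by the provider contract; not thrown by this implementation
     */
    public ClientPolicyVote applyPolicy(ClientPolicyContext clientPolicyContext) throws ClientPolicyException {
        // Switch on the enum itself: integer case labels tied to unrelated constants would silently
        // re-route events if one of those constants ever changed value.
        switch (clientPolicyContext.getEvent()) {
            case AUTHORIZATION_REQUEST:
                return toVote(isScopeMatched(((AuthorizationRequestContext) clientPolicyContext).getAuthorizationEndpointRequest()));
            case TOKEN_REQUEST:
                return toVote(isScopeMatched(((TokenRequestContext) clientPolicyContext).getParseResult().getClientSession()));
            case TOKEN_RESPONSE:
                return toVote(isScopeMatched(((TokenResponseContext) clientPolicyContext).getParseResult().getClientSession()));
            case SERVICE_ACCOUNT_TOKEN_REQUEST:
                return toVote(isScopeMatched(((ServiceAccountTokenRequestContext) clientPolicyContext).getClientSession()));
            case SERVICE_ACCOUNT_TOKEN_RESPONSE:
                return toVote(isScopeMatched(((ServiceAccountTokenResponseContext) clientPolicyContext).getClientSession()));
            case BACKCHANNEL_AUTHENTICATION_REQUEST:
                return toVote(isScopeMatched(((BackchannelAuthenticationRequestContext) clientPolicyContext).getParsedRequest()));
            case BACKCHANNEL_TOKEN_REQUEST:
                return toVote(isScopeMatched(((BackchannelTokenRequestContext) clientPolicyContext).getParsedRequest()));
            case BACKCHANNEL_TOKEN_RESPONSE:
                return toVote(isScopeMatched(((BackchannelTokenResponseContext) clientPolicyContext).getParsedRequest()));
            default:
                return ClientPolicyVote.ABSTAIN;
        }
    }

    /** Maps a match result onto the vote returned for a handled event. */
    private static ClientPolicyVote toVote(boolean matched) {
        return matched ? ClientPolicyVote.YES : ClientPolicyVote.NO;
    }

    /**
     * Matches using the {@code scope} note and the client of an authenticated client session.
     *
     * @param authenticatedClientSessionModel client session of the token request; may be {@code null}
     * @return {@code false} when the session is {@code null}, otherwise the scope match result
     */
    private boolean isScopeMatched(AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        if (authenticatedClientSessionModel == null) {
            return false;
        }
        return isScopeMatched(authenticatedClientSessionModel.getNote("scope"), authenticatedClientSessionModel.getClient());
    }

    /**
     * Matches using the scope parameter of an authorization request.
     *
     * @param authorizationEndpointRequest parsed authorization request; may be {@code null}
     * @return {@code false} when the request is {@code null}, otherwise the scope match result
     */
    private boolean isScopeMatched(AuthorizationEndpointRequest authorizationEndpointRequest) {
        if (authorizationEndpointRequest == null) {
            return false;
        }
        // The client is looked up by the client id carried in the request; an unresolved client is
        // handled as "no match" by the (String, ClientModel) overload.
        return isScopeMatched(authorizationEndpointRequest.getScope(), this.session.getContext().getRealm().getClientByClientId(authorizationEndpointRequest.getClientId()));
    }

    /**
     * Matches using the scope of a CIBA authentication request.
     *
     * @param cIBAAuthenticationRequest parsed backchannel request; may be {@code null}
     * @return {@code false} when the request or its client is {@code null}, otherwise the scope match result
     */
    private boolean isScopeMatched(CIBAAuthenticationRequest cIBAAuthenticationRequest) {
        if (cIBAAuthenticationRequest == null || cIBAAuthenticationRequest.getClient() == null) {
            return false;
        }
        return isScopeMatched(cIBAAuthenticationRequest.getScope(), this.session.getContext().getRealm().getClientByClientId(cIBAAuthenticationRequest.getClient().getClientId()));
    }

    /**
     * Core matching logic shared by all overloads.
     *
     * @param str space-separated scope string as requested; {@code null} is treated as empty
     * @param clientModel client whose default and optional client scopes are consulted; may be {@code null}
     * @return {@code true} when the configured scopes match in the configured mode; {@code false} when they
     *         do not, when the client is {@code null}, or when no scopes are configured
     */
    private boolean isScopeMatched(String str, ClientModel clientModel) {
        if (clientModel == null) {
            // The by-client-id lookups in the callers can come back empty. Report "no match", as the
            // other overloads do for missing input, instead of failing with a NullPointerException.
            // NOTE(review): confirm that requests for unknown clients are rejected before or after
            // policy evaluation, since no match here means this condition does not select the policy.
            logger.trace("client is null, client scopes condition not matched");
            return false;
        }
        Set<String> requestedScopes = new HashSet<>(Arrays.asList((str == null ? "" : str).split(" ")));
        Set<String> defaultScopes = clientModel.getClientScopes(true).keySet();
        Set<String> optionalScopes = clientModel.getClientScopes(false).keySet();
        Set<String> expectedScopes = getScopesForMatching();
        if (expectedScopes == null) {
            // No scopes configured: the condition can never match.
            return false;
        }
        if (logger.isTraceEnabled()) {
            for (String scope : requestedScopes) {
                logger.tracev("explicit specified client scope = {0}", scope);
            }
            for (String scope : defaultScopes) {
                logger.tracev("default client scope = {0}", scope);
            }
            for (String scope : optionalScopes) {
                logger.tracev("optional client scope = {0}", scope);
            }
            for (String scope : expectedScopes) {
                logger.tracev("expected scope = {0}", scope);
            }
        }
        // retainAll is only ever applied to the local copies (requestedScopes, expectedScopes),
        // never to the key-set views handed out by the client model.
        if (ClientScopesConditionFactory.DEFAULT.equals(((Configuration) this.configuration).getType())) {
            // Default mode: the requested scope string plays no part in the decision.
            expectedScopes.retainAll(defaultScopes);
            return !expectedScopes.isEmpty();
        }
        // Every other type value, null included, ends up here: a scope must be requested,
        // configured on this condition, and optional on the client.
        requestedScopes.retainAll(expectedScopes);
        requestedScopes.retainAll(optionalScopes);
        if (requestedScopes.isEmpty()) {
            return false;
        }
        if (logger.isTraceEnabled()) {
            for (String scope : requestedScopes) {
                logger.tracev("matched scope = {0}", scope);
            }
        }
        return true;
    }

    /**
     * Returns a mutable copy of the configured scopes so that callers can intersect it freely.
     *
     * @return a fresh set of the configured scope names, or {@code null} when none are configured
     */
    private Set<String> getScopesForMatching() {
        List<String> scopes = ((Configuration) this.configuration).getScopes();
        if (scopes == null) {
            return null;
        }
        return new HashSet<>(scopes);
    }
}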
