package org.gcube.keycloak.protocol.oidc.mapper;

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.jboss.logging.Logger;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.rar.AuthorizationDetails;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;

/* loaded from: input_file:org/gcube/keycloak/protocol/oidc/mapper/D4ScienceDynamicScopeContextMapper.class */
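/**
 * Keycloak OIDC access-token mapper that copies the parameter of a configured dynamic
 * scope (the "requested context") into a token claim.
 *
 * <p>Depending on the mapper configuration it can also write the same value to the
 * {@code aud} claim ({@link #OVERWRITE_AUD}) and reduce the token's resource access map
 * to the single entry for the requested context ({@link #NARROW_RESOURCE_ACCESS}).
 * Both options default to {@code "true"} in the configuration metadata built below.
 *
 * <p>Security-relevant behaviour: the context value is read from the authorization
 * details of the authorization request, so it is chosen by the requesting party. It is
 * checked against the token's resource access map before being mapped, but see the
 * review note in {@link #setClaim} about the case where that map is empty.
 */
public class D4ScienceDynamicScopeContextMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {
    public static final String DYNAMIC_SCOPE_NAME = "d4scm.dynamic-scope-name";
    public static final String OVERWRITE_AUD = "d4scm.overwrite-aud";
    public static final String NARROW_RESOURCE_ACCESS = "d4scm.narrow-ra";
    // Highest possible value returned by getPriority().
    private static final int PRIORITY = Integer.MAX_VALUE;
    private static final String DISPLAY_TYPE = "OIDC D4Science Dynamic Scope Context Mapper";
    private static final String PROVIDER_ID = "oidc-d4science-dynamic-scope-context-mapper";
    public static final String DEFAULT_DYNAMIC_SCOPE_NAME = "d4s-context";
    public static final String DEFAULT_TOKEN_CLAIM = "d4s_context";
    public static final String AUD_TOKEN_CLAIM = "aud";
    private static final Logger logger = Logger.getLogger(D4ScienceDynamicScopeContextMapper.class);
    // Configuration metadata keyed by property name; filled once by the static initializer.
    private static final Map<String, ProviderConfigProperty> CONFIG_PROPERTIES_MAP = new HashMap<>();
    // Synthetic mapper model used only to write the `aud` claim through OIDCAttributeMapperHelper.
    public static final ProtocolMapperModel audProtocolMapperModel = OIDCAttributeMapperHelper.createClaimMapper((String) null, (String) null, AUD_TOKEN_CLAIM, "String", true, true, true, (String) null);

    /** Returns the category label shown for this mapper. */
    public String getDisplayCategory() {
        return "Token mapper";
    }

    /** Returns this mapper's priority, {@link Integer#MAX_VALUE}. */
    public int getPriority() {
        return PRIORITY;
    }

    /** Returns the human-readable mapper type name. */
    public String getDisplayType() {
        return DISPLAY_TYPE;
    }

    /**
     * Returns the help text shown for this mapper.
     *
     * <p>NOTE(review): the text speaks of a "configured header", while {@link #setClaim}
     * reads the value from a dynamic scope parameter, not from an HTTP header. The string
     * is left unchanged here; consider correcting the wording.
     */
    public String getHelpText() {
        return "Maps the D4Science context audience by reading the configured header's value and sets it as the configured token claim, if it is in scope";
    }

    /** Returns a fresh list holding the configuration properties registered by the static initializer. */
    public List<ProviderConfigProperty> getConfigProperties() {
        return new ArrayList<>(CONFIG_PROPERTIES_MAP.values());
    }

    /** Returns the provider id under which this mapper is registered. */
    public String getId() {
        return PROVIDER_ID;
    }

    /**
     * Maps the requested context into the configured claim of an access token.
     *
     * <p>Does nothing when the token is not an {@link AccessToken}, when the request has no
     * dynamic-scope authorization detail whose client scope name equals the configured
     * {@link #DYNAMIC_SCOPE_NAME}, when that detail carries no parameter, or when the token
     * has resource access entries but none for the requested context.
     *
     * @param iDToken              token being built; only {@link AccessToken} instances are processed
     * @param protocolMapperModel  mapper configuration (scope name, claim name, aud/narrowing flags)
     * @param userSessionModel     not used by this mapper
     * @param keycloakSession      not used by this mapper
     * @param clientSessionContext source of the authorization details and of the client name used in logs
     */
    protected void setClaim(IDToken iDToken, ProtocolMapperModel protocolMapperModel, UserSessionModel userSessionModel, KeycloakSession keycloakSession, ClientSessionContext clientSessionContext) {
        if (!(iDToken instanceof AccessToken)) {
            return;
        }
        AccessToken accessToken = (AccessToken) iDToken;
        String scopeName = protocolMapperModel.getConfig().get(DYNAMIC_SCOPE_NAME);

        Optional<AuthorizationDetails> match = clientSessionContext.getAuthorizationRequestContext()
                .getAuthorizationDetailEntries()
                .stream()
                .filter(detail -> detail.isDynamicScope() && detail.getClientScope().getName().equals(scopeName))
                .findFirst();
        if (!match.isPresent()) {
            return;
        }

        String requested = match.get().getDynamicScopeParam();
        // Check for a missing parameter BEFORE dereferencing it; the original tested for null only
        // after calling startsWith(), so a detail without a parameter raised a NullPointerException.
        if (requested == null || "".equals(requested)) {
            logger.tracef("Authorization detail for '%s' dynamic scope not found in request", scopeName);
            return;
        }

        // A value starting with "/" is treated as a decoded context path and URL-encoded before it
        // is used as a lookup key and claim value. Any other value is used exactly as received.
        String context = requested;
        if (requested.startsWith("/")) {
            try {
                // Log the context being encoded (the original passed the session context object here).
                logger.debugf("Requested context as decoded string, urlencoding it: %s", requested);
                context = URLEncoder.encode(requested, "UTF-8");
            } catch (UnsupportedEncodingException e) {
                // On failure the un-encoded value is kept, as before.
                logger.error("Cannot encode context: " + requested, e);
            }
        }

        logger.debugf("Checking resource access for the requested context: %s", context);
        AccessToken.Access resourceAccess = accessToken.getResourceAccess(context);
        boolean tokenHasResourceAccess = !accessToken.getResourceAccess().isEmpty();
        if (tokenHasResourceAccess && resourceAccess == null) {
            logger.warnf("Requested context '%s' is not accessible to the client: %s", context, clientSessionContext.getClientSession().getClient().getName());
            return;
        }
        if (!tokenHasResourceAccess) {
            // NOTE(review): fail-open path. When the token carries no resource access entries at
            // all, the membership check above is skipped and the requested context is mapped
            // (and, with the default configuration, written to `aud`) without validation.
            // Behaviour is kept as in the original; confirm it is intended, otherwise reject here.
            logger.debugf("Token has no resource access entries, context '%s' is mapped without an access check", context);
        }

        logger.infof("Mapping context %s as the configured claim: %s", context, protocolMapperModel.getConfig().get("claim.name"));
        OIDCAttributeMapperHelper.mapClaim(iDToken, protocolMapperModel, context);

        if (Boolean.parseBoolean(protocolMapperModel.getConfig().get(OVERWRITE_AUD))) {
            logger.infof("Adding/overwriting `aud` claim with %s", context);
            OIDCAttributeMapperHelper.mapClaim(iDToken, audProtocolMapperModel, context);
        }

        // Narrow only when an entry for the context exists. If it is null the map was already
        // empty (see the check above), so there is nothing to remove, and writing a null entry
        // would either pollute the claim or fail if the returned empty map is unmodifiable
        // (presumably the case when no resource access was ever set; verify against Keycloak).
        if (Boolean.parseBoolean(protocolMapperModel.getConfig().get(NARROW_RESOURCE_ACCESS)) && resourceAccess != null) {
            logger.infof("Removing all access details but the requested context: %s", context);
            Map<String, AccessToken.Access> allAccess = accessToken.getResourceAccess();
            allAccess.clear();
            allAccess.put(context, resourceAccess);
        }
    }

    // Builds the configuration metadata once: claim name (defaulted to DEFAULT_TOKEN_CLAIM and
    // read-only), the include-in-tokens switches, the dynamic scope name, and the two boolean flags.
    static {
        List<ProviderConfigProperty> properties = new ArrayList<>();
        OIDCAttributeMapperHelper.addTokenClaimNameConfig(properties);
        // Everything added so far is made read-only; the claim name also gets its default value.
        for (ProviderConfigProperty property : properties) {
            if ("claim.name".equals(property.getName())) {
                property.setDefaultValue(DEFAULT_TOKEN_CLAIM);
            }
            property.setReadOnly(true);
        }
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(properties, D4ScienceDynamicScopeContextMapper.class);

        ProviderConfigProperty scopeNameProperty = new ProviderConfigProperty();
        scopeNameProperty.setName(DYNAMIC_SCOPE_NAME);
        scopeNameProperty.setLabel("Dynamic scope name with the requested context");
        // NOTE(review): this help text mentions an HTTP header, but the property names a dynamic
        // scope; the string is left unchanged, consider correcting the wording.
        scopeNameProperty.setHelpText("The HTTP header that contains the requested context to be mapped in the configured claim");
        scopeNameProperty.setType("String");
        scopeNameProperty.setDefaultValue(DEFAULT_DYNAMIC_SCOPE_NAME);
        scopeNameProperty.setReadOnly(true);
        scopeNameProperty.setRequired(true);
        properties.add(scopeNameProperty);

        ProviderConfigProperty overwriteAudProperty = new ProviderConfigProperty();
        overwriteAudProperty.setName(OVERWRITE_AUD);
        overwriteAudProperty.setLabel("Add/overwrite `aud` claim?");
        overwriteAudProperty.setType("boolean");
        overwriteAudProperty.setHelpText("Overwrite the `aud` claim to the requested context entry");
        overwriteAudProperty.setDefaultValue("true");
        properties.add(overwriteAudProperty);

        ProviderConfigProperty narrowAccessProperty = new ProviderConfigProperty();
        narrowAccessProperty.setName(NARROW_RESOURCE_ACCESS);
        narrowAccessProperty.setLabel("Narrow down resource access array?");
        narrowAccessProperty.setType("boolean");
        narrowAccessProperty.setHelpText("Narrow down resource access claim to contain only the requested context entry");
        narrowAccessProperty.setDefaultValue("true");
        properties.add(narrowAccessProperty);

        for (ProviderConfigProperty property : properties) {
            CONFIG_PROPERTIES_MAP.put(property.getName(), property);
        }
    }
}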
