package org.keycloak.adapters.authorization.integration.elytron;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletContextAttributeListener;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;
import org.jboss.logging.Logger;
import org.keycloak.AuthorizationContext;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.adapters.authorization.TokenPrincipal;
import org.keycloak.adapters.authorization.spi.ConfigurationResolver;
import org.keycloak.adapters.authorization.spi.HttpRequest;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
import org.wildfly.security.http.oidc.OidcClientConfiguration;
import org.wildfly.security.http.oidc.OidcPrincipal;
import org.wildfly.security.http.oidc.RefreshableOidcSecurityContext;

/* loaded from: input_file:org/keycloak/adapters/authorization/integration/elytron/PolicyEnforcerFilter.class */
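/**
 * Servlet filter that hands authorization decisions for authenticated requests to a
 * Keycloak {@link PolicyEnforcer}, using the OIDC security context that WildFly Elytron
 * attached to the request's principal.
 *
 * <p>One {@link PolicyEnforcer} is built lazily per {@link PolicyEnforcerConfig} returned by
 * the {@link ConfigurationResolver} and cached for the lifetime of the filter. Requests with
 * no session, or with a session but no authenticated principal, are treated as anonymous and
 * passed down the chain without consulting the enforcer. A session whose principal is not an
 * {@link OidcPrincipal} is rejected with a {@link ServletException} rather than bypassed.
 *
 * <p>The {@link AuthorizationContext} produced by the enforcer is stored as a request
 * attribute under {@code AuthorizationContext.class.getName()} for both granted and denied
 * requests; the chain is only continued when access was granted.
 */
public class PolicyEnforcerFilter implements Filter, ServletContextAttributeListener {
    private final Logger logger = Logger.getLogger(getClass());
    // Enforcers keyed by resolved config. Collections.synchronizedMap runs computeIfAbsent under
    // the map's lock, so the builder in getOrCreatePolicyEnforcer executes at most once per config.
    private final Map<PolicyEnforcerConfig, PolicyEnforcer> policyEnforcer = Collections.synchronizedMap(new HashMap<>());
    private final ConfigurationResolver configResolver;

    /**
     * Creates the filter.
     *
     * @param configurationResolver resolves the {@link PolicyEnforcerConfig} that applies to a request
     * @throws NullPointerException if {@code configurationResolver} is {@code null}
     */
    public PolicyEnforcerFilter(ConfigurationResolver configurationResolver) {
        // Fail at construction instead of on the first request that reaches the resolver.
        this.configResolver = Objects.requireNonNull(configurationResolver, "configurationResolver");
    }

    /** No per-filter initialization is needed; all configuration comes from the resolver. */
    @Override
    public void init(FilterConfig filterConfig) {
    }

    /**
     * Enforces the resolved policy for the current request.
     *
     * @param servletRequest  must be an {@link HttpServletRequest}
     * @param servletResponse must be an {@link HttpServletResponse}
     * @param filterChain     continued only for anonymous requests and for requests the enforcer granted
     * @throws ServletException if the request carries a session whose principal is not an {@link OidcPrincipal}
     * @throws IOException      propagated from the filter chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;

        if (request.getSession(false) == null) {
            logger.debug("Anonymous request, continuing the filter chain");
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // A session can exist without an authenticated user; treat it like the session-less case
            // instead of failing with a NullPointerException below.
            logger.debug("Session without an authenticated principal, continuing the filter chain");
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        if (!(principal instanceof OidcPrincipal<?>)) {
            // Fail closed: a principal established by another mechanism carries no token the enforcer
            // can evaluate, so neither bypass the enforcer nor surface an opaque ClassCastException.
            throw new ServletException("Expected an OIDC principal but found " + principal.getClass().getName());
        }

        RefreshableOidcSecurityContext securityContext =
                (RefreshableOidcSecurityContext) ((OidcPrincipal<?>) principal).getOidcSecurityContext();
        final String tokenString = securityContext.getTokenString();

        ServletHttpRequest httpRequest = new ServletHttpRequest(request, new TokenPrincipal() {
            @Override
            public String getRawToken() {
                return tokenString;
            }
        });
        ServletHttpResponse httpResponse = new ServletHttpResponse((HttpServletResponse) servletResponse);

        AuthorizationContext authorizationContext =
                getOrCreatePolicyEnforcer(httpRequest, securityContext).enforce(httpRequest, httpResponse);

        // Expose the decision to the application regardless of the outcome.
        request.setAttribute(AuthorizationContext.class.getName(), authorizationContext);

        if (!authorizationContext.isGranted()) {
            // Not continuing the chain is what blocks the request; whatever the enforcer wrote to the
            // response during enforce() is left untouched (presumably the denial status — confirm
            // against PolicyEnforcer).
            logger.debugf("Unauthorized request to path [%s], aborting the filter chain", request.getRequestURI());
        } else {
            logger.debug("Request authorized, continuing the filter chain");
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    /**
     * Returns the cached {@link PolicyEnforcer} for the config the resolver picks for
     * {@code httpRequest}, building it on first use.
     *
     * @param httpRequest     the request used to resolve the enforcer config
     * @param securityContext supplies the OIDC client configuration when the enforcer must be built
     * @return the enforcer for the resolved config, never {@code null}
     */
    private PolicyEnforcer getOrCreatePolicyEnforcer(HttpRequest httpRequest, final RefreshableOidcSecurityContext securityContext) {
        PolicyEnforcerConfig resolvedConfig = configResolver.resolve(httpRequest);
        return policyEnforcer.computeIfAbsent(resolvedConfig, enforcerConfig -> {
            // NOTE: the client settings (server URL, realm, client id, credentials, HTTP client) are
            // taken from whichever request first resolves to this config and reused for all later
            // requests that map to it.
            OidcClientConfiguration clientConfig = securityContext.getOidcClientConfiguration();
            return PolicyEnforcer.builder()
                    .authServerUrl(clientConfig.getAuthServerBaseUrl())
                    .realm(clientConfig.getRealm())
                    .clientId(clientConfig.getClientId())
                    .credentials(clientConfig.getResourceCredentials())
                    .bearerOnly(false)
                    .enforcerConfig(enforcerConfig)
                    .httpClient(clientConfig.getClient())
                    .build();
        });
    }
}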
