package org.keycloak.protocol.oidc.grants;

import jakarta.ws.rs.core.Response;
import java.util.List;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.authorization.AuthorizationTokenService;
import org.keycloak.authorization.util.Tokens;
import org.keycloak.events.EventType;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.ClientModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.grants.OAuth2GrantType;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.managers.AppAuthManager;

/* loaded from: input_file:org/keycloak/protocol/oidc/grants/PermissionGrantType.class */
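/**
 * Token-endpoint grant handler that assembles a
 * {@link AuthorizationTokenService.KeycloakAuthorizationRequest} from the request headers and form
 * parameters and hands it to {@link AuthorizationTokenService#authorize}.
 *
 * <p>Every form parameter read here comes from the caller and must be treated as untrusted. The
 * {@code (String)} / {@code (List)} casts are kept from the original listing because the declared
 * type of {@code formParams} is not visible in this file.
 */
public class PermissionGrantType extends OAuth2GrantTypeBase {

    /**
     * Processes a permission grant request.
     *
     * <p>The subject token is resolved in this order:
     * <ol>
     *   <li>a bearer token from the {@code Authorization} header, which must resolve to an
     *       {@link AccessToken} through {@code Tokens.getAccessToken};</li>
     *   <li>otherwise, after {@code checkClient()}, the {@code claim_token} when its format is the
     *       ID-token format;</li>
     *   <li>otherwise the {@code subject_token} form parameter;</li>
     *   <li>otherwise a token obtained by delegating to the {@code client_credentials} grant.</li>
     * </ol>
     *
     * @param context grant context supplied by the token endpoint
     * @return the response produced by {@code AuthorizationTokenService.authorize}
     * @throws CorsErrorResponseException with 401 when the bearer token cannot be resolved, 403
     *     when the {@code rpt} parameter does not decode, and 400 when
     *     {@code response_permissions_limit} is not an integer
     */
    public Response process(OAuth2GrantType.Context context) {
        setContext(context);
        this.event.detail("auth_method", "oauth_credentials");

        String subjectToken = null;
        String authorizationHeader = (String) this.headers.getRequestHeaders().getFirst("Authorization");
        // Case-insensitive scheme check that does not depend on the JVM default locale.
        if (authorizationHeader != null && authorizationHeader.regionMatches(true, 0, "bearer", 0, 6)) {
            subjectToken = AppAuthManager.extractAuthorizationHeaderToken(this.headers);
        }

        if (subjectToken != null) {
            AccessToken bearer = Tokens.getAccessToken(this.session);
            if (bearer == null) {
                try {
                    // The token was not accepted, so everything read from it here is UNVERIFIED.
                    // The claimed client is used only to pick CORS origins and to label the error
                    // event; it must never feed an authorization decision.
                    // NOTE(review): getClientByClientId may return null for an unknown client;
                    // confirm cors.allowedOrigins and event.client tolerate that.
                    AccessToken unverified = (AccessToken) new JWSInput(subjectToken).readJsonContent(AccessToken.class);
                    ClientModel claimedClient = this.realm.getClientByClientId(unverified.getIssuedFor());
                    this.cors.allowedOrigins(this.session, claimedClient);
                    this.event.client(claimedClient);
                } catch (JWSInputException ignored) {
                    // Best effort only: an unparseable token simply gets no client-specific CORS
                    // headers. The request is rejected below either way.
                }
                this.event.error("invalid_token");
                throw new CorsErrorResponseException(this.cors, "invalid_grant", "Invalid bearer token", Response.Status.UNAUTHORIZED);
            }
            // NOTE(review): the client named by the token could have been removed since issuance;
            // confirm a null lookup result is handled downstream.
            ClientModel tokenClient = this.realm.getClientByClientId(bearer.getIssuedFor());
            this.session.getContext().setClient(tokenClient);
            this.cors.allowedOrigins(this.session, tokenClient);
            this.event.client(tokenClient);
        }

        // getFirst yields null for a key that is present with an empty value list, where the
        // previous containsKey + get(0) sequence would have thrown.
        String claimToken = (String) this.formParams.getFirst("claim_token");
        String claimTokenFormat = (String) this.formParams.getFirst("claim_token_format");
        if (claimToken != null && claimTokenFormat == null) {
            claimTokenFormat = AuthorizationTokenService.CLAIM_TOKEN_FORMAT_ID_TOKEN;
        }

        String subjectTokenParam = (String) this.formParams.getFirst("subject_token");
        if (subjectToken == null) {
            // No bearer token: the calling client has to authenticate itself before any
            // caller-supplied token is accepted as the subject.
            checkClient();
            if (AuthorizationTokenService.CLAIM_TOKEN_FORMAT_ID_TOKEN.equalsIgnoreCase(claimTokenFormat)) {
                // The token is passed on as received; presumably it is validated inside
                // AuthorizationTokenService - verify before relying on it.
                subjectToken = claimToken;
            } else if (subjectTokenParam != null) {
                subjectToken = subjectTokenParam;
            } else {
                // Fall back to a token issued to the client itself.
                OAuth2GrantType clientCredentials = this.session.getProvider(OAuth2GrantType.class, "client_credentials");
                context.setClient(this.client);
                context.setClientConfig(this.clientConfig);
                context.setClientAuthAttributes(this.clientAuthAttributes);
                subjectToken = ((AccessTokenResponse) AccessTokenResponse.class.cast(clientCredentials.process(context).getEntity())).getToken();
            }
        }

        AuthorizationTokenService.KeycloakAuthorizationRequest authorizationRequest = new AuthorizationTokenService.KeycloakAuthorizationRequest(this.session.getProvider(AuthorizationProvider.class), this.tokenManager, this.event, this.request, this.cors, this.clientConnection);
        authorizationRequest.setTicket((String) this.formParams.getFirst("ticket"));
        authorizationRequest.setClaimToken(claimToken);
        authorizationRequest.setClaimTokenFormat(claimTokenFormat);
        authorizationRequest.setPct((String) this.formParams.getFirst("pct"));

        String rptParam = (String) this.formParams.getFirst("rpt");
        if (rptParam != null) {
            AccessToken rpt = (AccessToken) this.session.tokens().decode(rptParam, AccessToken.class);
            if (rpt == null) {
                // A null result from decode is treated as a failed verification of the RPT.
                this.event.detail("reason", "RPT signature is invalid");
                this.event.error("invalid_request");
                throw new CorsErrorResponseException(this.cors, "invalid_rpt", "RPT signature is invalid", Response.Status.FORBIDDEN);
            }
            authorizationRequest.setRpt(rpt);
        }

        authorizationRequest.setScope((String) this.formParams.getFirst("scope"));
        String audience = (String) this.formParams.getFirst("audience");
        authorizationRequest.setAudience(audience);
        authorizationRequest.setSubjectToken(subjectToken);
        this.event.detail("audience", audience);

        // submit_request defaults to true when the parameter is absent.
        String submitRequest = (String) this.formParams.getFirst("submit_request");
        authorizationRequest.setSubmitRequest(submitRequest == null || Boolean.parseBoolean(submitRequest));

        List<String> permissions = (List) this.formParams.get("permission");
        Integer permissionsLimit = parseResponsePermissionsLimit((String) this.formParams.getFirst("response_permissions_limit"));
        if (permissions != null) {
            this.event.detail("permission", String.join("|", permissions));
            authorizationRequest.addPermissions(permissions, (String) this.formParams.getFirst("permission_resource_format"), Boolean.parseBoolean((String) this.formParams.getFirst("permission_resource_matching_uri")), permissionsLimit);
        }

        AuthorizationRequest.Metadata metadata = new AuthorizationRequest.Metadata();
        String includeResourceName = (String) this.formParams.getFirst("response_include_resource_name");
        if (includeResourceName != null) {
            metadata.setIncludeResourceName(Boolean.valueOf(includeResourceName));
        }
        if (permissionsLimit != null) {
            metadata.setLimit(permissionsLimit);
        }
        metadata.setResponseMode((String) this.formParams.getFirst(OIDCLoginProtocol.RESPONSE_MODE_PARAM));
        authorizationRequest.setMetadata(metadata);

        Response response = AuthorizationTokenService.instance().authorize(authorizationRequest);
        this.event.success();
        return response;
    }

    /**
     * Parses the caller-supplied {@code response_permissions_limit} parameter.
     *
     * <p>A non-numeric value used to escape as an unhandled {@link NumberFormatException}; it is
     * now reported as a client error in the same way as the other validation failures in
     * {@link #process}. The raw value is deliberately not echoed back in the response.
     *
     * @param rawLimit the raw parameter value, or {@code null} when the parameter is absent
     * @return the parsed limit, or {@code null} when the parameter is absent
     * @throws CorsErrorResponseException with 400 when the value is not an integer
     */
    private Integer parseResponsePermissionsLimit(String rawLimit) {
        if (rawLimit == null) {
            return null;
        }
        try {
            return Integer.valueOf(rawLimit);
        } catch (NumberFormatException e) {
            this.event.detail("reason", "Invalid response_permissions_limit");
            this.event.error("invalid_request");
            throw new CorsErrorResponseException(this.cors, "invalid_request", "Invalid response_permissions_limit", Response.Status.BAD_REQUEST);
        }
    }

    /**
     * Returns the event type recorded for this grant.
     *
     * @return {@link EventType#PERMISSION_TOKEN}
     */
    public EventType getEventType() {
        return EventType.PERMISSION_TOKEN;
    }
}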
