package org.keycloak.adapters.authorization;

import com.mysema.codegen.Symbols;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.adapters.OIDCHttpFacade;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.representation.PermissionRequest;
import org.keycloak.authorization.client.resource.PermissionResource;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;

/* loaded from: input_file:BOOT-INF/lib/keycloak-adapter-core-3.2.0.Final.jar:org/keycloak/adapters/authorization/BearerTokenPolicyEnforcer.class */
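public class BearerTokenPolicyEnforcer extends AbstractPolicyEnforcer {
    private static final Logger LOGGER = Logger.getLogger((Class<?>) BearerTokenPolicyEnforcer.class);

    // Header name and scheme prefixes of the two challenge flavours written by this enforcer.
    private static final String WWW_AUTHENTICATE = "WWW-Authenticate";
    private static final String UMA_SCHEME = "UMA";
    private static final String ENTITLEMENT_SCHEME = "KC_ETT";
    // Paths appended to the authorization server's issuer to form the "as_uri" parameter.
    private static final String UMA_AUTHORIZE_PATH = "/authz/authorize";
    private static final String ENTITLEMENT_PATH = "/authz/entitlement";
    // A plain double quote. The decompiled source referenced com.mysema.codegen.Symbols.QUOTE for
    // this one character, which ties the adapter to an unrelated library; a local constant avoids that.
    private static final String QUOTE = "\"";

    /**
     * Creates an enforcer that answers denied bearer-token requests with an HTTP 401 challenge.
     *
     * @param policyEnforcer handed to the base class, which exposes it through
     *     {@code getEnforcerConfig()} and {@code getAuthzClient()}
     */
    public BearerTokenPolicyEnforcer(PolicyEnforcer policyEnforcer) {
        super(policyEnforcer);
    }

    /**
     * Writes a 401 challenge to the response: the UMA flavour when user-managed access is configured,
     * the entitlement flavour otherwise.
     *
     * @param pathConfig path configuration of the denied request; its id is used as the UMA resource set id
     * @param set scopes requested on that resource; sent with the UMA permission request
     * @param oIDCHttpFacade facade giving access to the HTTP response being written
     * @return always {@code true}: a challenge has been written in either branch
     */
    @Override // org.keycloak.adapters.authorization.AbstractPolicyEnforcer
    protected boolean challenge(PolicyEnforcerConfig.PathConfig pathConfig, Set<String> set, OIDCHttpFacade oIDCHttpFacade) {
        boolean umaConfigured = getEnforcerConfig().getUserManagedAccess() != null;
        if (umaConfigured) {
            challengeUmaAuthentication(pathConfig, set, oIDCHttpFacade);
        } else {
            challengeEntitlementAuthentication(oIDCHttpFacade);
        }
        return true;
    }

    /**
     * Sends the {@code KC_ETT} challenge, pointing the client at the entitlement endpoint of the issuer.
     * No round trip to the authorization server is needed for this flavour.
     */
    private void challengeEntitlementAuthentication(OIDCHttpFacade oIDCHttpFacade) {
        HttpFacade.Response response = oIDCHttpFacade.getResponse();
        AuthzClient authzClient = getAuthzClient();
        String clientId = authzClient.getConfiguration().getResource();
        String entitlementUri = authzClient.getServerConfiguration().getIssuer().toString() + ENTITLEMENT_PATH;
        String challengeValue = ENTITLEMENT_SCHEME
                + " realm=" + quoted(clientId)
                + ",as_uri=" + quoted(entitlementUri);
        sendChallenge(response, challengeValue);
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Sending Entitlement challenge");
        }
    }

    /**
     * Sends the {@code UMA} challenge carrying a freshly obtained permission ticket.
     * The ticket is requested before any status is written, so a failure while obtaining it
     * propagates and leaves the response untouched, as in the original implementation.
     */
    private void challengeUmaAuthentication(PolicyEnforcerConfig.PathConfig pathConfig, Set<String> set, OIDCHttpFacade oIDCHttpFacade) {
        HttpFacade.Response response = oIDCHttpFacade.getResponse();
        AuthzClient authzClient = getAuthzClient();
        String permissionTicket = getPermissionTicket(pathConfig, set, authzClient);
        String clientId = authzClient.getConfiguration().getResource();
        String authorizeUri = authzClient.getServerConfiguration().getIssuer().toString() + UMA_AUTHORIZE_PATH;
        String challengeValue = UMA_SCHEME
                + " realm=" + quoted(clientId)
                + ",as_uri=" + quoted(authorizeUri)
                + ",ticket=" + quoted(permissionTicket);
        sendChallenge(response, challengeValue);
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Sending UMA challenge");
        }
    }

    /**
     * Asks the protection API for a permission ticket covering the path's resource id and the given scopes.
     * Presumably a round trip to the authorization server through {@link PermissionResource}; the
     * resulting ticket is echoed verbatim into the challenge header.
     */
    private String getPermissionTicket(PolicyEnforcerConfig.PathConfig pathConfig, Set<String> set, AuthzClient authzClient) {
        PermissionRequest permissionRequest = new PermissionRequest();
        permissionRequest.setResourceSetId(pathConfig.getId());
        permissionRequest.setScopes(set);
        PermissionResource permissions = authzClient.protection().permission();
        return permissions.forResource(permissionRequest).getTicket();
    }

    // Writes the 401 status and the WWW-Authenticate header. The value is not escaped: every part of it
    // comes from the adapter configuration or the authorization server, never from the incoming request.
    private static void sendChallenge(HttpFacade.Response response, String challengeValue) {
        response.setStatus(401);
        response.setHeader(WWW_AUTHENTICATE, challengeValue);
    }

    // Wraps a header parameter value in double quotes, as the original string literals did.
    private static String quoted(String value) {
        return QUOTE + value + QUOTE;
    }
}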
