package org.keycloak.adapters.authorization.integration.jakarta;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletContextAttributeListener;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;
import org.jboss.logging.Logger;
import org.keycloak.AuthorizationContext;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.adapters.authorization.TokenPrincipal;
import org.keycloak.adapters.authorization.integration.elytron.ServletHttpRequest;
import org.keycloak.adapters.authorization.integration.elytron.ServletHttpResponse;
import org.keycloak.adapters.authorization.spi.ConfigurationResolver;
import org.keycloak.adapters.authorization.spi.HttpRequest;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/adapters/authorization/integration/jakarta/ServletPolicyEnforcerFilter.class */
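/**
 * Servlet filter that asks a {@link PolicyEnforcer} whether each incoming request is authorized
 * and only lets granted requests continue down the filter chain.
 *
 * <p>The enforcer configuration is resolved per request through the injected
 * {@link ConfigurationResolver}; one {@link PolicyEnforcer} is cached per resolved
 * {@link PolicyEnforcerConfig}.
 *
 * <p>The class also declares {@link ServletContextAttributeListener} but overrides none of its
 * callbacks in this listing.
 */
public class ServletPolicyEnforcerFilter implements Filter, ServletContextAttributeListener {
    private final Logger logger = Logger.getLogger(getClass());

    // Enforcer cache keyed by the resolved configuration. The synchronized wrapper makes
    // computeIfAbsent atomic, but also means the enforcer is built while the map lock is held.
    // NOTE(review): the cache is only effective (and bounded) if the resolver returns instances
    // that are equal for the same configuration; the key type's equals/hashCode is not visible
    // here. Confirm, otherwise every request builds and retains a new enforcer.
    private final Map<PolicyEnforcerConfig, PolicyEnforcer> policyEnforcer = Collections.synchronizedMap(new HashMap<>());
    private final ConfigurationResolver configResolver;

    /**
     * Creates the filter.
     *
     * @param configurationResolver resolves the enforcer configuration that applies to a request
     */
    public ServletPolicyEnforcerFilter(ConfigurationResolver configurationResolver) {
        this.configResolver = configurationResolver;
    }

    /** No initialization is required; all state is supplied through the constructor. */
    @Override
    public void init(FilterConfig filterConfig) {
    }

    /**
     * Runs policy enforcement for the request and continues the chain only when access is granted.
     *
     * <p>The resulting {@link AuthorizationContext} is stored as a request attribute under
     * {@code AuthorizationContext.class.getName()} whether or not access was granted.
     *
     * @param servletRequest  the incoming request; cast to {@link HttpServletRequest} without a
     *                        type check, so a non-HTTP request fails with a ClassCastException
     * @param servletResponse the response; cast to {@link HttpServletResponse}
     * @param filterChain     the remaining chain, invoked only for granted requests
     * @throws IOException      propagated from the downstream chain
     * @throws ServletException propagated from the downstream chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        // The bearer token is read lazily: the header is parsed only when getRawToken() is called.
        // The value handed over is the raw header token; no validation happens in this filter.
        ServletHttpRequest servletHttpRequest = new ServletHttpRequest(httpServletRequest, new TokenPrincipal() {
            @Override
            public String getRawToken() {
                return extractBearerToken(httpServletRequest);
            }
        });
        PolicyEnforcer enforcer = getOrCreatePolicyEnforcer(httpServletRequest, servletHttpRequest);
        AuthorizationContext authzContext = enforcer.enforce(servletHttpRequest, new ServletHttpResponse((HttpServletResponse) servletResponse));
        httpServletRequest.setAttribute(AuthorizationContext.class.getName(), authzContext);
        if (authzContext.isGranted()) {
            this.logger.debug("Request authorized, continuing the filter chain");
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            // Fail closed: the chain is not invoked. This filter writes no status or body itself.
            // NOTE(review): presumably enforce() has already written the denial through the
            // ServletHttpResponse wrapper; confirm, otherwise the client sees an empty response.
            this.logger.debugf("Unauthorized request to path [%s], aborting the filter chain", httpServletRequest.getRequestURI());
        }
    }

    /**
     * Returns the credential of the first {@code Authorization} header whose value consists of
     * exactly two whitespace-separated parts and whose scheme matches
     * {@link TokenUtil#TOKEN_TYPE_BEARER}, ignoring case.
     *
     * @param httpServletRequest the request whose headers are inspected
     * @return the raw token, or {@code null} when no such header is present
     */
    protected String extractBearerToken(HttpServletRequest httpServletRequest) {
        Enumeration<String> headers = httpServletRequest.getHeaders("Authorization");
        // The Servlet API allows getHeaders to return null when the container does not expose
        // header information; treat that like a request that carries no token.
        if (headers == null) {
            return null;
        }
        while (headers.hasMoreElements()) {
            String[] split = headers.nextElement().trim().split("\\s+");
            if (split.length == 2 && split[0].equalsIgnoreCase(TokenUtil.TOKEN_TYPE_BEARER)) {
                return split[1];
            }
        }
        return null;
    }

    /**
     * Looks up the cached enforcer for the configuration resolved for this request, creating and
     * caching it on first use.
     */
    private PolicyEnforcer getOrCreatePolicyEnforcer(final HttpServletRequest httpServletRequest, HttpRequest httpRequest) {
        return this.policyEnforcer.computeIfAbsent(
                this.configResolver.resolve(httpRequest),
                config -> createPolicyEnforcer(httpServletRequest, config));
    }

    /**
     * Builds a {@link PolicyEnforcer} from the given configuration. Subclasses may override this
     * to customize construction; the request parameter is not used by this implementation.
     *
     * @param httpServletRequest   the request that triggered creation
     * @param policyEnforcerConfig the resolved configuration supplying the server URL, realm,
     *                             client id and credentials
     * @return a new enforcer, always built with {@code bearerOnly(false)}
     */
    protected PolicyEnforcer createPolicyEnforcer(HttpServletRequest httpServletRequest, PolicyEnforcerConfig policyEnforcerConfig) {
        return PolicyEnforcer.builder()
                .authServerUrl(policyEnforcerConfig.getAuthServerUrl())
                .realm(policyEnforcerConfig.getRealm())
                .clientId(policyEnforcerConfig.getResource())
                .credentials(policyEnforcerConfig.getCredentials())
                .bearerOnly(false)
                .enforcerConfig(policyEnforcerConfig)
                .build();
    }
}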
