package org.gcube.keycloak.protocol.oidc.mapper;

import java.util.ArrayList;
import java.util.List;
import org.jboss.logging.Logger;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;

/* loaded from: input_file:org/gcube/keycloak/protocol/oidc/mapper/D4ScienceContextMapper.class */
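/**
 * OIDC access-token mapper that scopes a token to a single D4Science context.
 *
 * <p>The requested context is read from an HTTP request header (default
 * {@value #DEFAULT_HEADER_NAME}). It is written to the configured token claim (default
 * {@value #DEFAULT_TOKEN_CLAIM}) only when the token already carries a resource-access entry
 * for that exact context. Optionally, all other resource-access entries are removed.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The header value is supplied by the caller and must be treated as untrusted. The only
 *       gate is the lookup in the token's existing resource access; nothing else validates it.</li>
 *   <li>When the header is missing, or names a context that is not in the token's resource
 *       access, this mapper returns without modifying the token. It neither sets the claim nor
 *       narrows resource access, so consumers must check the claim themselves instead of
 *       assuming every token has been scoped.</li>
 * </ul>
 */
public class D4ScienceContextMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {
    public static final String HTTP_REQUEST_HEADER_NAME = "d4scm.header-name";
    public static final String NARROW_RESOURCE_ACCESS = "d4scm.narrow-ra";
    // NOTE(review): presumably the highest value so this mapper runs after the mappers that
    // populate resource access, which setClaim() relies on - confirm against Keycloak's ordering.
    private static final int PRIORITY = Integer.MAX_VALUE;
    private static final String DISPLAY_TYPE = "OIDC D4Science Context Mapper";
    // The spelling ("d4scince") is part of the provider identity; existing mapper configurations
    // reference this exact id, so do not "fix" it without a migration.
    private static final String PROVIDER_ID = "oidc-d4scince-context-mapper";
    public static final String DEFAULT_HEADER_NAME = "X-D4Science-Context";
    public static final String DEFAULT_TOKEN_CLAIM = "aud";
    // Config key of the token-claim-name property registered in the static initializer.
    private static final String CLAIM_NAME_KEY = "claim.name";
    private static final Logger logger = Logger.getLogger(D4ScienceContextMapper.class);
    private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = new ArrayList<>();

    /** Returns the category under which this mapper is listed. */
    public String getDisplayCategory() {
        return "Token mapper";
    }

    /** Returns this mapper's priority, {@link Integer#MAX_VALUE}. */
    public int getPriority() {
        return PRIORITY;
    }

    /** Returns the human-readable mapper type name. */
    public String getDisplayType() {
        return DISPLAY_TYPE;
    }

    /** Returns the help text describing what this mapper does. */
    public String getHelpText() {
        return "Maps the D4Science context audience by reading the configured header's value and sets it as the configured token claim, if it is in scope";
    }

    /** Returns the shared list of configuration properties built in the static initializer. */
    public List<ProviderConfigProperty> getConfigProperties() {
        return CONFIG_PROPERTIES;
    }

    /** Returns the provider id under which this mapper is registered. */
    public String getId() {
        return PROVIDER_ID;
    }

    /**
     * Maps the context named in the request header onto the configured claim of an access token.
     *
     * <p>Does nothing when the token is not an {@link AccessToken}, when the header is absent or
     * empty, or when the token has no resource-access entry for the requested context.
     *
     * @param iDToken the token being built; only {@link AccessToken} instances are processed
     * @param protocolMapperModel the mapper configuration (header name, claim name, narrowing flag)
     * @param userSessionModel the user session (not used here)
     * @param keycloakSession the session giving access to the current request's headers
     * @param clientSessionContext the client session context, used to name the client in logs
     */
    protected void setClaim(IDToken iDToken, ProtocolMapperModel protocolMapperModel, UserSessionModel userSessionModel, KeycloakSession keycloakSession, ClientSessionContext clientSessionContext) {
        if (!(iDToken instanceof AccessToken)) {
            return;
        }
        AccessToken accessToken = (AccessToken) iDToken;

        String headerName = protocolMapperModel.getConfig().get(HTTP_REQUEST_HEADER_NAME);
        if (headerName == null || headerName.isEmpty()) {
            headerName = DEFAULT_HEADER_NAME;
        }
        logger.tracef("Looking for the '%s' header", headerName);

        // Caller-controlled value. getHeaderString() joins repeated headers with ',', so a
        // duplicated header yields a combined string that has to match a resource-access key
        // exactly to get through the lookup below.
        String requestedContext = keycloakSession.getContext().getRequestHeaders().getHeaderString(headerName);
        if (requestedContext == null || requestedContext.isEmpty()) {
            logger.trace("Header not found in request");
            return;
        }

        // The raw header value goes into log lines, so control characters are neutralised first
        // to keep a crafted value from breaking up or forging log entries.
        String loggableContext = sanitizeForLog(requestedContext);
        logger.debugf("Checking resource access for the requested context: %s", loggableContext);

        // Authorization gate: the context is accepted only if the token already grants access to it.
        AccessToken.Access resourceAccess = accessToken.getResourceAccess(requestedContext);
        if (resourceAccess == null) {
            // Logged at WARN so requests for contexts outside the token's access are visible.
            logger.warnf("Requested context '%s' is not accessible to the client: %s", loggableContext, clientSessionContext.getClientSession().getClient().getName());
            return;
        }

        logger.debugf("Mapping it as the configured claim: %s", protocolMapperModel.getConfig().get(CLAIM_NAME_KEY));
        OIDCAttributeMapperHelper.mapClaim(iDToken, protocolMapperModel, requestedContext);

        if (Boolean.parseBoolean(protocolMapperModel.getConfig().get(NARROW_RESOURCE_ACCESS))) {
            logger.debug("Removing all access details but the requested context");
            // NOTE(review): relies on getResourceAccess() returning the token's live, mutable map.
            accessToken.getResourceAccess().clear();
            accessToken.getResourceAccess().put(requestedContext, resourceAccess);
        }
    }

    /** Replaces ISO control characters (CR, LF, ...) with '_' so the value is safe to log. */
    private static String sanitizeForLog(String value) {
        StringBuilder cleaned = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            cleaned.append(Character.isISOControl(c) ? '_' : c);
        }
        return cleaned.toString();
    }

    static {
        // Claim-name property: default it to "aud". Every property present at this point is
        // also marked read-only.
        OIDCAttributeMapperHelper.addTokenClaimNameConfig(CONFIG_PROPERTIES);
        CONFIG_PROPERTIES.forEach(property -> {
            if (CLAIM_NAME_KEY.equals(property.getName())) {
                property.setDefaultValue(DEFAULT_TOKEN_CLAIM);
            }
            property.setReadOnly(true);
        });
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG_PROPERTIES, D4ScienceContextMapper.class);

        // Name of the request header carrying the requested context (read-only, with a default).
        ProviderConfigProperty headerNameProperty = new ProviderConfigProperty();
        headerNameProperty.setName(HTTP_REQUEST_HEADER_NAME);
        headerNameProperty.setLabel("HTTP request header name with the requested context");
        headerNameProperty.setType("String");
        headerNameProperty.setHelpText("The HTTP header that contains the requested context to be mapped as the requested in the configured claim");
        headerNameProperty.setDefaultValue(DEFAULT_HEADER_NAME);
        headerNameProperty.setReadOnly(true);
        CONFIG_PROPERTIES.add(headerNameProperty);

        // Flag controlling whether resource access is reduced to the requested context only.
        // No default is set; an unset value parses as false in setClaim().
        ProviderConfigProperty narrowProperty = new ProviderConfigProperty();
        narrowProperty.setName(NARROW_RESOURCE_ACCESS);
        narrowProperty.setLabel("Narrow down resource access array?");
        narrowProperty.setType("boolean");
        narrowProperty.setHelpText("Narrow down resource access claim to contain only the requested context entry");
        CONFIG_PROPERTIES.add(narrowProperty);
    }
}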
