package org.pac4j.oidc.authorization.generator;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import net.minidev.json.JSONArray;
import net.minidev.json.JSONObject;
import org.pac4j.core.authorization.generator.AuthorizationGenerator;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.oidc.profile.keycloak.KeycloakOidcProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/pac4j-oidc-4.5.0.jar:org/pac4j/oidc/authorization/generator/KeycloakRolesAuthorizationGenerator.class */
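/**
 * Copies Keycloak roles from the access token of a {@link KeycloakOidcProfile} onto the profile.
 *
 * <p>Roles are read from the {@code realm_access.roles} claim and, when a client id is configured,
 * from {@code resource_access.<clientId>.roles}.
 *
 * <p>NOTE(review): this class only <em>parses</em> the access token ({@code SignedJWT.parse});
 * it never checks the signature, issuer, audience or expiry. The roles it grants are therefore
 * only as trustworthy as the way the token reached the profile. Presumably the token comes
 * straight from the provider's token endpoint or is validated upstream; confirm before relying
 * on these roles for authorization decisions.
 */
public class KeycloakRolesAuthorizationGenerator implements AuthorizationGenerator {
    private static final Logger LOGGER = LoggerFactory.getLogger(KeycloakRolesAuthorizationGenerator.class);

    // Keycloak client whose resource_access roles are imported; null means realm roles only.
    private String clientId;

    /** Creates a generator that imports realm roles only. */
    public KeycloakRolesAuthorizationGenerator() {
    }

    /**
     * Creates a generator that imports realm roles and the roles of one client.
     *
     * @param str the Keycloak client id used as key inside the {@code resource_access} claim
     */
    public KeycloakRolesAuthorizationGenerator(String str) {
        this.clientId = str;
    }

    /**
     * Adds the roles found in the profile's access token to the profile.
     *
     * <p>Profiles that are not {@link KeycloakOidcProfile} instances are returned untouched.
     * Roles are first collected from both claims and only then applied, so a token whose role
     * claims are malformed contributes no roles at all instead of a partial set. Any failure is
     * logged at WARN level and never propagated.
     *
     * @param webContext the current web context (not used here)
     * @param userProfile the profile to enrich
     * @return an {@link Optional} holding the same profile instance
     */
    @Override
    public Optional<UserProfile> generate(WebContext webContext, UserProfile userProfile) {
        if (!(userProfile instanceof KeycloakOidcProfile)) {
            return Optional.of(userProfile);
        }
        KeycloakOidcProfile keycloakProfile = (KeycloakOidcProfile) userProfile;
        // Report a missing token explicitly rather than through a NullPointerException stack trace.
        if (keycloakProfile.getAccessToken() == null) {
            LOGGER.warn("Cannot parse Keycloak roles: the profile has no access token");
            return Optional.of(userProfile);
        }
        try {
            // Parsing only decodes the JWT; no signature or claim validation happens here.
            JWTClaimsSet claims = SignedJWT.parse(keycloakProfile.getAccessToken().getValue()).getJWTClaimsSet();
            List<String> roles = new ArrayList<>();

            Map<String, Object> realmAccess = claims.getJSONObjectClaim("realm_access");
            if (realmAccess != null) {
                collectRoles(realmAccess.get("roles"), roles);
            }

            if (this.clientId != null) {
                Map<String, Object> resourceAccess = claims.getJSONObjectClaim("resource_access");
                if (resourceAccess != null) {
                    JSONObject clientAccess = (JSONObject) resourceAccess.get(this.clientId);
                    if (clientAccess != null) {
                        collectRoles(clientAccess.get("roles"), roles);
                    }
                }
            }

            // Apply only after both claims were read without error (all-or-nothing per token).
            roles.forEach(userProfile::addRole);
        } catch (Exception e) {
            // Deliberately broad: a malformed token must not break the login flow, it just grants no roles.
            LOGGER.warn("Cannot parse Keycloak roles", e);
        }
        return Optional.of(userProfile);
    }

    /** Appends every entry of a {@code roles} claim to {@code sink}, rejecting non-string entries. */
    private static void collectRoles(Object rolesClaim, List<String> sink) {
        if (rolesClaim == null) {
            return;
        }
        // A claim that is not a JSON array raises ClassCastException, handled by the caller.
        for (Object role : (JSONArray) rolesClaim) {
            if (!(role instanceof String)) {
                throw new IllegalArgumentException("Keycloak role entry is not a string");
            }
            sink.add((String) role);
        }
    }

    /**
     * @return the configured Keycloak client id, or {@code null} when only realm roles are imported
     */
    public String getClientId() {
        return this.clientId;
    }

    /**
     * @param str the Keycloak client id whose {@code resource_access} roles should be imported
     */
    public void setClientId(String str) {
        this.clientId = str;
    }
}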
