package digital.nedra.commons.starter.keycloak.session.config.support;

import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.stereotype.Component;

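/**
 * OIDC user service that replaces the authorities of the loaded user with roles read from the
 * Keycloak access token.
 *
 * <p>The user is loaded by {@link OidcUserService#loadUser(OidcUserRequest)}. The access token of
 * the same request is then decoded with the injected {@link JwtDecoder}, and the
 * {@code resource_access} and {@code realm_access} claims are handed to the
 * {@link KeycloakAuthoritiesExtractor}.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The granted authorities come only from claims of the decoded access token. This class
 *       performs no checks of its own on the token, so signature, issuer and expiry validation
 *       depend entirely on how the injected {@link JwtDecoder} is configured.
 *       NOTE(review): the decoder configuration is not visible in this file; confirm it is bound
 *       to the expected realm's keys and issuer.</li>
 *   <li>The authorities computed by the parent {@link OidcUserService} are discarded, not merged:
 *       the returned user carries only the Keycloak-derived authorities.</li>
 * </ul>
 */
@Component
/* loaded from: input_file:digital/nedra/commons/starter/keycloak/session/config/support/KeycloakOauth2UserService.class */
public class KeycloakOauth2UserService extends OidcUserService {
    /** Access-token claim that holds realm-level role data. */
    public static final String REALM_ACCESS = "realm_access";
    /** Access-token claim that holds per-client role data. */
    public static final String RESOURCE_ACCESS = "resource_access";

    private static final Logger log = LoggerFactory.getLogger(KeycloakOauth2UserService.class);
    // Error reported to Spring Security when the access token cannot be decoded.
    private static final OAuth2Error INVALID_REQUEST = new OAuth2Error("invalid_request");

    private final JwtDecoder jwtDecoder;
    private final KeycloakAuthoritiesExtractor keycloakAuthoritiesExtractor;

    // Name of the claim used as the principal name; injected from the "sso" provider settings.
    @Value("${spring.security.oauth2.client.provider.sso.user-name-attribute}")
    private String nameAttribute;

    /**
     * Creates the service.
     *
     * @param jwtDecoder decoder used to parse (and, depending on its configuration, validate) the
     *     access token; must not be {@code null}
     * @param keycloakAuthoritiesExtractor converts the role claims into granted authorities; must
     *     not be {@code null}
     * @throws NullPointerException if either argument is {@code null}
     */
    public KeycloakOauth2UserService(JwtDecoder jwtDecoder, KeycloakAuthoritiesExtractor keycloakAuthoritiesExtractor) {
        // Fail at wiring time instead of on the first login attempt.
        this.jwtDecoder = Objects.requireNonNull(jwtDecoder, "jwtDecoder");
        this.keycloakAuthoritiesExtractor =
                Objects.requireNonNull(keycloakAuthoritiesExtractor, "keycloakAuthoritiesExtractor");
    }

    /**
     * Loads the OIDC user and replaces its authorities with those derived from the access token.
     *
     * @param oidcUserRequest the user request holding the client registration and access token
     * @return a {@link DefaultOidcUser} with the ID token and user info of the loaded user and the
     *     Keycloak-derived authorities
     * @throws OAuth2AuthenticationException if the parent service fails to load the user, or if
     *     the access token cannot be decoded (error code {@code invalid_request})
     */
    @Override
    public OidcUser loadUser(OidcUserRequest oidcUserRequest) throws OAuth2AuthenticationException {
        // The parent call runs first, so its failures surface before the access token is decoded.
        OidcUser loadedUser = super.loadUser(oidcUserRequest);
        return withAuthorities(loadedUser, extractKeycloakAuthorities(oidcUserRequest));
    }

    /**
     * Rebuilds the user with the given authorities.
     *
     * <p>Only the ID token and user info are taken from {@code oidcUser}; its own authorities are
     * not copied.
     */
    private OidcUser withAuthorities(OidcUser oidcUser, Collection<? extends GrantedAuthority> collection) {
        return new DefaultOidcUser(collection, oidcUser.getIdToken(), oidcUser.getUserInfo(), this.nameAttribute);
    }

    /**
     * Decodes the access token and collects client authorities followed by realm authorities.
     *
     * <p>A missing {@code resource_access} or {@code realm_access} claim contributes no
     * authorities. Client authorities are looked up for the client id of the current registration.
     *
     * @return an unmodifiable collection; empty when neither claim is present
     */
    private Collection<GrantedAuthority> extractKeycloakAuthorities(OidcUserRequest oidcUserRequest) {
        Jwt accessToken = parseJwt(oidcUserRequest.getAccessToken().getTokenValue());
        String clientId = oidcUserRequest.getClientRegistration().getClientId();
        log.trace("Client name: {}", clientId);

        Collection<? extends GrantedAuthority> clientAuthorities =
                Optional.ofNullable(accessToken.getClaimAsMap(RESOURCE_ACCESS))
                        .map(resourceAccess ->
                                this.keycloakAuthoritiesExtractor.extractClientAuthorities(clientId, resourceAccess))
                        .orElseGet(Collections::emptyList);
        Collection<? extends GrantedAuthority> realmAuthorities =
                Optional.ofNullable(accessToken.getClaimAsMap(REALM_ACCESS))
                        .map(this.keycloakAuthoritiesExtractor::extractRealmAuthorities)
                        .orElseGet(Collections::emptyList);

        return Stream.<GrantedAuthority>concat(clientAuthorities.stream(), realmAuthorities.stream())
                .collect(Collectors.toUnmodifiableList());
    }

    /**
     * Decodes the raw access token.
     *
     * @throws OAuth2AuthenticationException wrapping the {@link JwtException} when the decoder
     *     rejects the token
     */
    private Jwt parseJwt(String str) {
        try {
            return this.jwtDecoder.decode(str);
        } catch (JwtException e) {
            // Keep the cause so the reason for rejection is available to handlers and logs.
            throw new OAuth2AuthenticationException(INVALID_REQUEST, e);
        }
    }
}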
