package org.eclipse.digitaltwin.basyx.authorization.rbac;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import org.eclipse.digitaltwin.basyx.authorization.SubjectInformation;
import org.eclipse.digitaltwin.basyx.authorization.SubjectInformationProvider;
import org.eclipse.digitaltwin.basyx.core.exceptions.NullSubjectException;
import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.stereotype.Service;

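/**
 * {@link RoleProvider} that reads the caller's roles from the {@code realm_access.roles}
 * claim of the JWT supplied by the injected {@link SubjectInformationProvider}.
 *
 * <p>The bean is active only when authorization is enabled and the configured
 * {@code jwtBearerTokenProvider} is {@code keycloak} or the empty string.
 *
 * <p>Security notes:
 * <ul>
 *   <li>This class performs no signature, issuer, audience or expiry checks. It relies on the
 *       {@link Jwt} having been verified before it reaches the subject provider
 *       (NOTE(review): confirm the resource-server configuration enforces this).</li>
 *   <li>Only realm-level roles are read. Other role-bearing claims, such as Keycloak's
 *       per-client {@code resource_access}, are not consulted.</li>
 *   <li>Claim contents are treated as untyped data. Anything that is not the expected
 *       map / collection / string shape yields no roles, so a malformed claim cannot
 *       grant access and cannot pollute the returned {@code List<String>}.</li>
 * </ul>
 */
@Service
@ConditionalOnExpression("${basyx.feature.authorization.enabled:false} and ('${basyx.feature.authorization.jwtBearerTokenProvider}'.equals('keycloak') or '${basyx.feature.authorization.jwtBearerTokenProvider}'.isEmpty())")
/* loaded from: input_file:BOOT-INF/lib/basyx.authorization-2.0.0-milestone-03.jar:org/eclipse/digitaltwin/basyx/authorization/rbac/KeycloakRoleProvider.class */
public class KeycloakRoleProvider implements RoleProvider {
    private static final String CLAIM_REALM_ACCESS = "realm_access";
    private static final String CLAIM_ROLES = "roles";

    // Assigned once in the constructor and never rebound afterwards.
    private final SubjectInformationProvider<Object> subjectInformationProvider;

    /**
     * Creates the provider.
     *
     * @param subjectInformationProvider source of the current request's subject; this class
     *     expects the subject it yields to be a {@link Jwt}
     */
    public KeycloakRoleProvider(SubjectInformationProvider<Object> subjectInformationProvider) {
        this.subjectInformationProvider = subjectInformationProvider;
    }

    /**
     * Returns the realm roles carried by the current subject's JWT.
     *
     * @return a new mutable list of role names; empty when the token has no usable
     *     {@code realm_access.roles} claim
     * @throws NullSubjectException if no subject information or no JWT is available
     */
    @Override
    public List<String> getRoles() {
        // The cast assumes the subject provider yields a Jwt; any other subject type
        // surfaces here as a ClassCastException rather than as an empty role list.
        Jwt jwt = (Jwt) getSubjectInformation().get();
        validateJwt(jwt);
        // Read the claim as Object so its shape is checked instead of assumed via a raw cast.
        Object realmAccess = jwt.getClaim(CLAIM_REALM_ACCESS);
        return getRolesFromRealmAccess(realmAccess);
    }

    /**
     * Extracts role names from the value of the {@code realm_access} claim.
     *
     * <p>Fails closed: a missing claim, a claim that is not a map, a {@code roles} entry that
     * is not a collection, and individual entries that are not strings all contribute no roles.
     *
     * @param realmAccess raw claim value, possibly {@code null}
     * @return a new mutable list holding only the string-typed role entries
     */
    private List<String> getRolesFromRealmAccess(Object realmAccess) {
        List<String> roles = new ArrayList<>();
        if (!(realmAccess instanceof Map)) {
            return roles;
        }
        Object rolesClaim = ((Map<?, ?>) realmAccess).get(CLAIM_ROLES);
        if (!(rolesClaim instanceof Collection)) {
            return roles;
        }
        for (Object role : (Collection<?>) rolesClaim) {
            // A non-string entry can never equal a configured role name; dropping it keeps
            // the declared element type honest for whoever compares these values later.
            if (role instanceof String) {
                roles.add((String) role);
            }
        }
        return roles;
    }

    /**
     * Rejects a missing JWT. This is a presence check only; it does not validate the token.
     *
     * @param jwt the token taken from the subject information
     * @throws NullSubjectException if {@code jwt} is {@code null}
     */
    private void validateJwt(Jwt jwt) {
        if (jwt == null) {
            throw new NullSubjectException("Jwt subject information is null.");
        }
    }

    /**
     * Fetches the current subject information from the injected provider.
     *
     * @return the non-null subject information
     * @throws NullSubjectException if the provider returns {@code null}
     */
    private SubjectInformation<Object> getSubjectInformation() {
        SubjectInformation<Object> subjectInformation = this.subjectInformationProvider.get();
        if (subjectInformation == null) {
            throw new NullSubjectException("Subject information is null.");
        }
        return subjectInformation;
    }
}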
