package info.elexis.server.core.security.oauth2.internal;

import info.elexis.server.core.common.security.ESAuthorizingRealm;
import info.elexis.server.core.security.oauth2.AccessToken;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.osgi.service.component.annotations.Component;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

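/**
 * Shiro realm for OAuth2 bearer tokens.
 *
 * <p>Authentication: only {@link AccessToken}s are supported; the credential string is
 * validated by {@link OAuth2ClientService#checkAccessToken} (the realm itself performs no
 * local signature or expiry checks — see the {@code CredentialsMatcher} in the constructor).
 *
 * <p>Authorization: the token is introspected and each scope it carries becomes a role on
 * the subject <em>only if</em> the user behind the token already holds a role of the same
 * name in the {@code "elexis-connector"} realm. A client therefore cannot obtain more
 * roles through scopes than the user already has.
 */
@Component(service = {ESAuthorizingRealm.class})
/* loaded from: input_file:info/elexis/server/core/security/oauth2/internal/OAuth2AuthorizingRealm.class */
public class OAuth2AuthorizingRealm extends AuthorizingRealm implements ESAuthorizingRealm {
    private static final Logger log = LoggerFactory.getLogger(OAuth2AuthorizingRealm.class);
    public static final String REALM_NAME = "elexis-server.oauth2";
    /** Realm whose roles a token scope must be backed by (see {@link #validateScopesLocal}). */
    private static final String BACKING_REALM_NAME = "elexis-connector";
    private static final OAuth2ClientService oidClientService = new OAuth2ClientService();

    /**
     * Installs a credentials matcher that delegates the whole token check to
     * {@link OAuth2ClientService#checkAccessToken}; any token that is not an
     * {@link AccessToken} is rejected outright.
     */
    public OAuth2AuthorizingRealm() {
        super(new CredentialsMatcher() {
            @Override
            public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
                if (!(token instanceof AccessToken)) {
                    return false;
                }
                AccessToken accessToken = (AccessToken) token;
                // The servlet request is handed to the service so it can take the request
                // into account; what exactly is verified there is not visible from this realm.
                return oidClientService.checkAccessToken((String) accessToken.getCredentials(),
                        accessToken.getHttpServletRequest());
            }
        });
        setName(REALM_NAME);
    }

    /**
     * Wraps a supported token as the principal of this realm. No stored credential is
     * attached ({@code null}): the credentials matcher above validates the presented token
     * against the OAuth2 service instead of comparing it with a stored value.
     *
     * @return authentication info for an {@link AccessToken}, {@code null} for any other
     *         token type (Shiro reports that as an unknown account)
     */
    @Override
    public AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        if (!(authenticationToken instanceof AccessToken)) {
            return null;
        }
        return new SimpleAuthenticationInfo(authenticationToken, (Object) null, REALM_NAME);
    }

    /**
     * Derives roles from the scopes of the introspected token (see
     * {@link #validateScopesLocal}). Fails closed: if the primary principal is not an
     * {@link AccessToken} of this realm or introspection yields nothing, an empty
     * authorization info is returned instead of throwing.
     */
    @Override
    public AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        Object primary = principalCollection == null ? null : principalCollection.getPrimaryPrincipal();
        if (!(primary instanceof AccessToken)) {
            // Principal was established by another realm; the original unchecked cast would
            // have failed with a ClassCastException here. Grant nothing instead.
            log.debug("Primary principal is not an AccessToken; realm [{}] grants no roles.", REALM_NAME);
            return authorizationInfo;
        }
        String rawToken = (String) ((AccessToken) primary).getCredentials();
        OAuth2AccessToken introspected = oidClientService.getIntrospectionToken(rawToken);
        if (introspected == null) {
            // NOTE(review): getIntrospectionToken's null contract is not visible here; treat
            // "no introspection result" as "no scopes" rather than risking an NPE.
            log.warn("Token introspection returned no result, no scopes granted.");
            return authorizationInfo;
        }
        validateScopesLocal(introspected, authorizationInfo);
        return authorizationInfo;
    }

    /**
     * Adds a role for every scope of {@code oAuth2AccessToken} that the token's user also
     * holds as a role in the {@value #BACKING_REALM_NAME} realm; scopes without a backing
     * role are skipped and logged. A token without {@code user_id} grants nothing.
     *
     * <p>The token value itself is deliberately never logged: it is a bearer credential.
     *
     * @param oAuth2AccessToken    introspected token (must not be {@code null})
     * @param simpleAuthorizationInfo info the granted roles are added to
     */
    private void validateScopesLocal(OAuth2AccessToken oAuth2AccessToken,
            SimpleAuthorizationInfo simpleAuthorizationInfo) {
        String userId = oAuth2AccessToken.getUserId();
        if (userId == null) {
            log.warn("Introspected token did not contain user_id, no scopes granted.");
            return;
        }
        if (oAuth2AccessToken.getScope() == null) {
            log.warn("Token for user [{}] carries no scopes, no roles granted.", userId);
            return;
        }
        PrincipalCollection backingPrincipal = new SimplePrincipalCollection(userId, BACKING_REALM_NAME);
        for (String scope : oAuth2AccessToken.getScope()) {
            // Scope names map 1:1 onto role names; the check intersects the requested
            // scopes with the roles the user actually has.
            if (SecurityUtils.getSecurityManager().hasRole(backingPrincipal, scope)) {
                simpleAuthorizationInfo.addRole(scope);
            } else {
                // Only this role is withheld; Shiro's later permission/role checks decide
                // whether the request as a whole is refused.
                log.warn("User [{}] requested scope [{}] not backed by role. Denying request.", userId, scope);
            }
        }
    }

    /** This realm handles {@link AccessToken}s only. */
    @Override
    public boolean supports(AuthenticationToken authenticationToken) {
        return authenticationToken instanceof AccessToken;
    }
}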
