package io.corbel.iam.auth.rule;

import com.google.common.collect.Sets;
import io.corbel.iam.auth.AuthorizationRequestContext;
import io.corbel.iam.auth.AuthorizationRule;
import io.corbel.iam.exception.UnauthorizedException;
import io.corbel.iam.model.Scope;
import io.corbel.iam.service.GroupService;
import io.corbel.iam.service.ScopeService;
import io.corbel.iam.utils.Message;
import java.util.Set;
import java.util.stream.Collectors;

/* loaded from: input_file:io/corbel/iam/auth/rule/ScopesAuthorizationRule.class */
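public class ScopesAuthorizationRule implements AuthorizationRule {
    private final ScopeService scopeService;
    private final GroupService groupService;

    /**
     * Creates the rule.
     *
     * @param scopeService used to expand scope ids into {@link Scope} instances
     * @param groupService used to resolve the scopes granted through the principal's groups
     */
    public ScopesAuthorizationRule(ScopeService scopeService, GroupService groupService) {
        this.scopeService = scopeService;
        this.groupService = groupService;
    }

    /**
     * Decides which scopes the token being issued may carry and stores them on the context.
     *
     * <p>The allowed set is the intersection of the requested domain's scopes with the scopes the
     * issuer can grant (the domain itself for cross-domain requests; otherwise the issuer client's
     * scopes plus, when a principal is present, the principal's own and group scopes). If the
     * request names no scopes, the token receives every allowed scope; if it names some, each
     * expanded requested scope must be among the allowed ones.
     *
     * @param authorizationRequestContext the request under evaluation; updated with the expanded
     *     and token scopes on success
     * @throws UnauthorizedException if any explicitly requested scope is not allowed
     */
    @Override // io.corbel.iam.auth.AuthorizationRule
    public void process(AuthorizationRequestContext authorizationRequestContext) throws UnauthorizedException {
        Set<String> domainScopes = authorizationRequestContext.getRequestedDomain().getScopes();
        // Cross-domain requests are bounded by the target domain alone; otherwise the grant is
        // bounded by what the issuer client (and the principal, if any) actually holds.
        Set<String> grantableScopes = authorizationRequestContext.isCrossDomain()
                ? domainScopes
                : getGrantableScopes(authorizationRequestContext);
        Set<Scope> allowedScopes = getAllowedScopes(domainScopes, grantableScopes);
        Set<String> explicitlyRequested = authorizationRequestContext.getRequestedScopes();
        if (explicitlyRequested.isEmpty()) {
            // No explicit request: the token gets everything it is allowed to have.
            authorizationRequestContext.setExpandedRequestedScopes(allowedScopes);
            // NOTE(review): the token scope ids stored here are not intersected with the domain
            // the way allowedScopes is — confirm downstream enforcement uses the expanded set.
            authorizationRequestContext.setTokenScopes(grantableScopes);
        } else {
            // Explicit request: reject unless every expanded requested scope is allowed.
            Set<Scope> expandedRequested = this.scopeService.expandScopes(explicitlyRequested);
            checkRequestedScopes(expandedRequested, allowedScopes);
            authorizationRequestContext.setExpandedRequestedScopes(expandedRequested);
            authorizationRequestContext.setTokenScopes(explicitlyRequested);
        }
    }

    /**
     * Returns the scope ids the issuer may grant: the issuer client's scopes, plus the principal's
     * own scopes and those of its groups when the request carries a principal.
     *
     * @param authorizationRequestContext the request under evaluation
     * @return a (possibly live, unmodifiable) union view of the grantable scope ids
     */
    private Set<String> getGrantableScopes(AuthorizationRequestContext authorizationRequestContext) {
        Set<String> grantable = authorizationRequestContext.getIssuerClient().getScopes();
        if (authorizationRequestContext.hasPrincipal()) {
            Set<String> principalScopes = authorizationRequestContext.getPrincipal().getScopes();
            Set<String> groupScopes =
                    this.groupService.getGroupScopes(authorizationRequestContext.getPrincipal().getGroups());
            grantable = Sets.union(grantable, Sets.union(principalScopes, groupScopes));
        }
        return grantable;
    }

    /**
     * Expands both id sets and returns the scopes present in both.
     *
     * @param domainScopes scope ids the requested domain defines
     * @param grantableScopes scope ids the issuer may grant
     * @return the intersection of the two expanded sets (a live view)
     */
    private Set<Scope> getAllowedScopes(Set<String> domainScopes, Set<String> grantableScopes) {
        return Sets.intersection(
                this.scopeService.expandScopes(grantableScopes), this.scopeService.expandScopes(domainScopes));
    }

    /**
     * Fails unless every requested scope is among the allowed ones.
     *
     * @param requested expanded scopes the caller asked for
     * @param allowed expanded scopes the issuer may grant
     * @throws UnauthorizedException naming the requested scope ids that are not allowed
     */
    private void checkRequestedScopes(Set<Scope> requested, Set<Scope> allowed) throws UnauthorizedException {
        if (allowed.containsAll(requested)) {
            return;
        }
        // Report ids (with parameters) rather than Scope objects so the message is readable.
        throw new UnauthorizedException(
                Message.REQUESTED_SCOPES_UNAUTHORIZED.getMessage(
                        Sets.difference(scopeIds(requested), scopeIds(allowed))));
    }

    /** Maps each scope to its parameterised id, used for building the rejection message. */
    private static Set<String> scopeIds(Set<Scope> scopes) {
        return scopes.stream().map(Scope::getIdWithParameters).collect(Collectors.toSet());
    }
}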
