package org.keycloak.authentication.authenticators.conditional;

import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.sessions.AuthenticationSessionModel;

/* loaded from: input_file:org/keycloak/authentication/authenticators/conditional/ConditionalClientScopeAuthenticator.class */
/**
 * Conditional authenticator whose condition is "the client scope named in the
 * authenticator configuration is among the scopes resolved for the current
 * authentication session", optionally inverted by the {@code negate} option.
 *
 * <p>Security note for flow designers: every misconfiguration path in
 * {@link #matchCondition(AuthenticationFlowContext)} (no config, no scope name,
 * scope name unknown in the realm) returns {@code false} regardless of
 * {@code negate}, and the only trace is a WARN log line. If this condition
 * gates a stronger authentication step, a typo or a deleted/renamed client
 * scope presumably leaves that step unenforced, so alert on these warnings
 * and verify the configured scope name after realm changes.
 */
public class ConditionalClientScopeAuthenticator implements ConditionalAuthenticator {
    protected static final ConditionalClientScopeAuthenticator SINGLETON = new ConditionalClientScopeAuthenticator();
    private static final Logger logger = Logger.getLogger(ConditionalClientScopeAuthenticator.class);

    /**
     * Evaluates the client-scope condition for the given flow context.
     *
     * @param authenticationFlowContext the flow context supplying the authenticator
     *        configuration, the realm and the authentication session
     * @return {@code false} when the configuration is missing, names no scope, or names
     *         a scope that does not exist in the realm; otherwise whether the configured
     *         scope is among the requested scopes, inverted when {@code negate} parses
     *         as {@code true}
     */
    @Override
    public boolean matchCondition(AuthenticationFlowContext authenticationFlowContext) {
        AuthenticatorConfigModel configModel = authenticationFlowContext.getAuthenticatorConfig();
        if (configModel == null || configModel.getConfig() == null) {
            logger.warnf("No configuration defined for the conditional client scope authenticator.");
            return false;
        }

        String scopeName = (String) configModel.getConfig().get(ConditionalClientScopeAuthenticatorFactory.CLIENT_SCOPE);
        // Boolean.parseBoolean yields false for null or any value other than "true" (case-insensitive).
        boolean negate = Boolean.parseBoolean((String) configModel.getConfig().get("negate"));
        if (scopeName == null) {
            logger.warnf("No client scope configured in the option '%s' of the configuration '%s'.", ConditionalClientScopeAuthenticatorFactory.CLIENT_SCOPE, configModel.getAlias());
            return false;
        }

        RealmModel realm = authenticationFlowContext.getRealm();
        ClientScopeModel configuredScope = KeycloakModelUtils.getClientScopeByName(authenticationFlowContext.getRealm(), scopeName);
        if (configuredScope == null) {
            // Not inverted by "negate": an unknown scope never matches.
            logger.warnf("No client scope '%s' defined in the realm '%s'.", scopeName, realm.getName());
            return false;
        }

        AuthenticationSessionModel authSession = authenticationFlowContext.getAuthenticationSession();
        // The "scope" client note is passed to TokenManager as the scope parameter, so treat it
        // as request-derived input. NOTE(review): requiresUser() is false, so getAuthenticatedUser()
        // may be null at this point - confirm TokenManager accepts that.
        boolean scopeRequested = TokenManager.getRequestedClientScopes(
                        authenticationFlowContext.getSession(),
                        authSession.getClientNote("scope"),
                        authSession.getClient(),
                        authSession.getAuthenticatedUser())
                // Compare by id rather than by name.
                .anyMatch(requested -> configuredScope.getId().equals(requested.getId()));

        // XOR: "negate" flips the outcome of the scope lookup.
        return negate != scopeRequested;
    }

    /** No-op: this authenticator only evaluates a condition and handles no form action. */
    public void action(AuthenticationFlowContext authenticationFlowContext) {
    }

    /**
     * @return always {@code false}; the condition does not require an identified user
     */
    public boolean requiresUser() {
        return false;
    }

    /** No-op: this authenticator registers no required actions. */
    public void setRequiredActions(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
    }

    /** No-op: nothing to release. */
    public void close() {
    }
}
