package org.keycloak.adapters.authorization.integration.elytron;

import jakarta.servlet.http.HttpServletRequest;
import java.security.Principal;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.adapters.authorization.integration.jakarta.ServletPolicyEnforcerFilter;
import org.keycloak.adapters.authorization.spi.ConfigurationResolver;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
import org.wildfly.security.http.oidc.OidcClientConfiguration;
import org.wildfly.security.http.oidc.OidcPrincipal;
import org.wildfly.security.http.oidc.RefreshableOidcSecurityContext;

/* loaded from: input_file:org/keycloak/adapters/authorization/integration/elytron/ElytronPolicyEnforcerFilter.class */
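/**
 * Policy-enforcer servlet filter that takes the caller's token and the enforcer's client
 * settings from the WildFly Elytron OIDC security context attached to the request principal.
 *
 * <p>Both overrides read {@link HttpServletRequest#getUserPrincipal()} and expect it to be an
 * {@link OidcPrincipal}. A principal of any other type fails the cast with a
 * {@link ClassCastException} instead of being treated as an anonymous caller.
 */
public class ElytronPolicyEnforcerFilter extends ServletPolicyEnforcerFilter {
    /**
     * Creates the filter.
     *
     * @param configurationResolver resolver handed unchanged to the parent filter
     */
    public ElytronPolicyEnforcerFilter(ConfigurationResolver configurationResolver) {
        super(configurationResolver);
    }

    /**
     * Returns the raw token string held by the request's OIDC security context.
     *
     * <p>The returned value is a credential: do not log it or echo it into responses.
     *
     * @param httpServletRequest the request being filtered
     * @return the token string, or {@code null} when the request has no principal or the
     *     principal carries no security context
     */
    @Override
    protected String extractBearerToken(HttpServletRequest httpServletRequest) {
        RefreshableOidcSecurityContext securityContext = resolveSecurityContext(httpServletRequest);
        // NOTE(review): how the parent filter treats a null token is not visible in this file;
        // confirm that an absent token is handled as "no identity" and never as "allow".
        return securityContext == null ? null : securityContext.getTokenString();
    }

    /**
     * Builds a {@link PolicyEnforcer} from the OIDC client configuration of the current request.
     *
     * @param httpServletRequest the request whose principal supplies the OIDC client configuration
     * @param policyEnforcerConfig the enforcer configuration passed to the builder
     * @return the configured policy enforcer
     * @throws IllegalStateException if the request has no principal or no OIDC security context
     */
    @Override
    protected PolicyEnforcer createPolicyEnforcer(HttpServletRequest httpServletRequest, PolicyEnforcerConfig policyEnforcerConfig) {
        RefreshableOidcSecurityContext securityContext = resolveSecurityContext(httpServletRequest);
        if (securityContext == null) {
            // extractBearerToken tolerates a missing principal; here the dereference used to end in
            // a bare NullPointerException. Still abort the request, but say why.
            throw new IllegalStateException(
                    "Cannot create policy enforcer: request has no OIDC security context");
        }
        OidcClientConfiguration oidcClientConfiguration = securityContext.getOidcClientConfiguration();
        return PolicyEnforcer.builder()
                .authServerUrl(oidcClientConfiguration.getAuthServerBaseUrl())
                .realm(oidcClientConfiguration.getRealm())
                .clientId(oidcClientConfiguration.getClientId())
                // Client credentials are handed to the enforcer here; keep them out of logs.
                .credentials(oidcClientConfiguration.getResourceCredentials())
                .bearerOnly(false)
                .enforcerConfig(policyEnforcerConfig)
                .httpClient(oidcClientConfiguration.getClient())
                .build();
    }

    /**
     * Looks up the OIDC security context behind the request's user principal.
     *
     * @return the security context, or {@code null} when there is no principal or the principal
     *     has no security context
     */
    private static RefreshableOidcSecurityContext resolveSecurityContext(HttpServletRequest httpServletRequest) {
        Principal principal = httpServletRequest.getUserPrincipal();
        if (principal == null) {
            return null;
        }
        // Explicit casts: getUserPrincipal() is declared to return java.security.Principal.
        return (RefreshableOidcSecurityContext) ((OidcPrincipal<?>) principal).getOidcSecurityContext();
    }
}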
