package net.optionfactory.keycloak.resources.auth;

import java.util.Objects;
import java.util.stream.Stream;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.NotAuthorizedException;
import org.keycloak.models.KeycloakSession;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;

/* loaded from: input_file:net/optionfactory/keycloak/resources/auth/DefaultResourceAuthenticator.class */
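/**
 * Default {@link ResourceAuthenticator} that authenticates the current request from its bearer
 * token and authorizes it against the scopes carried by that token.
 */
public class DefaultResourceAuthenticator implements ResourceAuthenticator {
    private final KeycloakSession session;

    /**
     * @param keycloakSession session of the request being served; handed to Keycloak's
     *     {@link AppAuthManager.BearerTokenAuthenticator} on every check
     */
    public DefaultResourceAuthenticator(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * Requires that the request carries a valid bearer token whose scope list contains the given
     * scope.
     *
     * @param str the scope the caller must hold; compared for exact equality against each
     *     space-separated entry of the token's scope string
     * @throws NotAuthorizedException (challenge {@code Bearer}) if bearer authentication yields no
     *     result
     * @throws ForbiddenException if the token is valid but does not carry the scope, including
     *     when the token has no scope string at all
     * @throws NullPointerException if {@code str} is null
     */
    @Override
    public void enforceScope(String str) {
        AuthenticationManager.AuthResult authResult =
                new AppAuthManager.BearerTokenAuthenticator(this.session).authenticate();
        if (authResult == null) {
            throw new NotAuthorizedException("Bearer", new Object[0]);
        }
        // A null required scope is a caller bug; reject it instead of treating it as
        // "no scope needed", so a misconfigured endpoint fails closed.
        Objects.requireNonNull(str);

        // NOTE(review): getScope() appears to be nullable when the token has no scope claim;
        // treat that as "no scopes granted" so the request is denied with 403 rather than
        // failing with a NullPointerException.
        String grantedScopes = authResult.getToken().getScope();
        String[] granted = grantedScopes == null ? new String[0] : grantedScopes.split(" ");

        // Exact, whole-entry comparison: a substring or prefix match would let a scope such as
        // "admin-read" satisfy a check for "admin".
        if (Stream.of(granted).noneMatch(str::equals)) {
            throw new ForbiddenException(String.format("Client does not have required scope '%s'", str));
        }
    }
}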
