package org.keycloak.authorization.policy.provider.role;

import java.util.Map;
import java.util.Optional;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.identity.Identity;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.policy.evaluation.Evaluation;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;

/* loaded from: input_file:wildfly-10.1.0.Final/modules/system/add-ons/keycloak/org/keycloak/keycloak-authz-policy-common/main/keycloak-authz-policy-common-2.1.0.Final.jar:org/keycloak/authorization/policy/provider/role/RolePolicyProvider.class */
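/**
 * Evaluates a role-based authorization policy against the identity of the current request.
 *
 * <p>The policy lists role entries (maps carrying an {@code "id"} and an optional
 * {@code "required"} flag). Holding a listed role grants the evaluation; lacking a role whose
 * entry is flagged as required denies it and ends the evaluation.
 */
public class RolePolicyProvider implements PolicyProvider {
    private final Policy policy;
    private final AuthorizationProvider authorization;

    /**
     * @param policy the policy whose role entries are evaluated
     * @param authorizationProvider used to reach the Keycloak session and, through it, the realm
     */
    public RolePolicyProvider(Policy policy, AuthorizationProvider authorizationProvider) {
        this.policy = policy;
        this.authorization = authorizationProvider;
    }

    /**
     * Creates a provider with neither a policy nor an authorization provider.
     *
     * <p>{@link #evaluate(Evaluation)} dereferences the authorization provider as soon as the
     * policy lists at least one role, so an instance built this way cannot evaluate such a policy.
     */
    public RolePolicyProvider() {
        this(null, null);
    }

    /**
     * Walks the policy's role entries in order and records the decision on {@code evaluation}.
     *
     * <ul>
     *   <li>An entry whose role id does not resolve in the current realm is skipped.</li>
     *   <li>If the identity holds the role, {@code grant()} is called and the walk continues.</li>
     *   <li>If the identity lacks the role and the entry is required, {@code deny()} is called
     *       and the walk stops, so an earlier grant does not survive a missing required role.</li>
     * </ul>
     *
     * <p>When no entry matches, neither {@code grant()} nor {@code deny()} is called; the outcome
     * is then whatever the {@link Evaluation} defaults to, which is not visible from this class.
     *
     * @param evaluation the evaluation to decide; supplies the identity through its context
     */
    @Override
    public void evaluate(Evaluation evaluation) {
        Map<String, Object>[] roles = RolePolicyProviderFactory.getRoles(this.policy);
        if (roles.length == 0) {
            // Nothing configured: leave the evaluation untouched and do not touch the session.
            return;
        }
        Identity identity = evaluation.getContext().getIdentity();
        RealmModel realm = getCurrentRealm();
        for (Map<String, Object> entry : roles) {
            RoleModel role = realm.getRoleById((String) entry.get("id"));
            if (role == null) {
                // NOTE(review): a required entry whose role can no longer be resolved (e.g. the
                // role was deleted) is skipped rather than denied, which relaxes the policy.
                // Confirm this is intended before relying on "required" as a hard gate.
                continue;
            }
            if (hasRole(identity, role)) {
                evaluation.grant();
            } else if (isRequired(entry)) {
                evaluation.deny();
                return;
            }
        }
    }

    /**
     * Reads the {@code "required"} flag of a role entry.
     *
     * @return {@code false} when the key is absent or mapped to {@code null}, otherwise the
     *     stored Boolean
     * @throws ClassCastException if the stored value is not a Boolean
     */
    private boolean isRequired(Map<String, Object> map) {
        // A present-but-null value would previously fail on unboxing; treat it like an absent key.
        Object flag = map.get("required");
        return flag != null && ((Boolean) flag).booleanValue();
    }

    /**
     * Tells whether the identity holds the given role, checking client roles against the owning
     * client's client id and all other roles as realm roles.
     *
     * @return {@code true} if the identity holds the role; {@code false} otherwise, including
     *     when the client owning a client role cannot be resolved in the current realm
     */
    private boolean hasRole(Identity identity, RoleModel roleModel) {
        String name = roleModel.getName();
        if (!roleModel.isClientRole()) {
            return identity.hasRealmRole(name);
        }
        // An unresolvable owning client counts as "role not held" instead of failing with a
        // NullPointerException, so a required client role still leads to a deny.
        return Optional.ofNullable(getCurrentRealm().getClientById(roleModel.getContainerId()))
                .map(client -> identity.hasClientRole(client.getClientId(), name))
                .orElse(false);
    }

    /** Returns the realm of the current Keycloak session context. */
    private RealmModel getCurrentRealm() {
        return this.authorization.getKeycloakSession().getContext().getRealm();
    }

    /** No resources are held by this provider, so there is nothing to release. */
    @Override
    public void close() {
    }
}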
