package org.keycloak.authorization.policy.evaluation;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Consumer;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.Decision;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.representations.idm.authorization.PolicyEnforcementMode;

/* loaded from: input_file:org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.class */
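/**
 * Default {@link PolicyEvaluator}: looks up the policies attached to a requested permission
 * (by resource, by resource type and by scope) and hands each applicable policy to its
 * {@link PolicyProvider}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link PolicyEnforcementMode#DISABLED}: the permission is granted without consulting
 *       any policy.</li>
 *   <li>{@link PolicyEnforcementMode#PERMISSIVE}: the permission is granted when no policy was
 *       applied to it (none found, or none matching the requested scopes).</li>
 *   <li>Any other mode: when no policy is applied, this class reports nothing to the
 *       {@link Decision}; the outcome is left to the caller.</li>
 *   <li>A policy whose type has no registered provider aborts evaluation with a
 *       {@link RuntimeException} instead of being skipped.</li>
 * </ul>
 */
public class DefaultPolicyEvaluator implements PolicyEvaluator {
    private final AuthorizationProvider authorization;
    private final StoreFactory storeFactory;
    private final PolicyStore policyStore;
    private final ResourceStore resourceStore;

    /**
     * Creates an evaluator that resolves policies and resources through the stores exposed by
     * the given provider.
     *
     * @param authorizationProvider source of the store factory and of the policy providers
     */
    public DefaultPolicyEvaluator(AuthorizationProvider authorizationProvider) {
        this.authorization = authorizationProvider;
        this.storeFactory = this.authorization.getStoreFactory();
        this.policyStore = this.storeFactory.getPolicyStore();
        this.resourceStore = this.storeFactory.getResourceStore();
    }

    /**
     * Evaluates every policy associated with the requested permission and reports the outcome
     * through {@code decision}.
     *
     * <p>Policies are collected in three passes: those attached to the requested resource,
     * those attached to its type, and those attached to the requested scopes. No
     * de-duplication is done between the passes.
     *
     * @param resourcePermission the permission being requested
     * @param evaluationContext context passed through to each evaluation
     * @param decision receiver of the evaluation results
     * @throws RuntimeException if an applicable policy has a type with no registered provider
     */
    @Override
    public void evaluate(ResourcePermission resourcePermission, EvaluationContext evaluationContext, Decision decision) {
        ResourceServer resourceServer = resourcePermission.getResourceServer();
        PolicyEnforcementMode enforcementMode = resourceServer.getPolicyEnforcementMode();

        // Enforcement switched off: grant unconditionally, no policy is looked up.
        if (PolicyEnforcementMode.DISABLED.equals(enforcementMode)) {
            createEvaluation(resourcePermission, evaluationContext, decision, null).grant();
            return;
        }

        // Flipped by the consumer once at least one policy has been evaluated.
        AtomicBoolean policyApplied = new AtomicBoolean(false);
        Consumer<Policy> decisionConsumer =
                createDecisionConsumer(resourcePermission, evaluationContext, decision, policyApplied);
        Resource resource = resourcePermission.getResource();
        List<Scope> scopes = resourcePermission.getScopes();

        if (resource != null) {
            evaluatePolicies(
                    () -> this.policyStore.findByResource(resource.getId(), resourceServer.getId()),
                    decisionConsumer);

            if (resource.getType() != null) {
                evaluatePolicies(() -> {
                    // Copy before appending: the list belongs to the store and may be shared,
                    // cached or unmodifiable.
                    List<Policy> typePolicies = new ArrayList<>(
                            this.policyStore.findByResourceType(resource.getType(), resourceServer.getId()));
                    // Resource not owned by the resource server itself: also pull in policies
                    // attached to the resources of the same type returned by the store.
                    if (!resource.getOwner().equals(resourceServer.getId())) {
                        for (Resource typedResource
                                : this.resourceStore.findByType(resource.getType(), resourceServer.getId())) {
                            typePolicies.addAll(
                                    this.policyStore.findByResource(typedResource.getId(), resourceServer.getId()));
                        }
                    }
                    return typePolicies;
                }, decisionConsumer);
            }
        }

        if (!scopes.isEmpty()) {
            evaluatePolicies(
                    () -> this.policyStore.findByScopeIds(
                            scopes.stream().map(Scope::getId).collect(Collectors.toList()),
                            null,
                            resourceServer.getId()),
                    decisionConsumer);
        }

        // PERMISSIVE mode fails open: with no applicable policy the permission is granted.
        if (PolicyEnforcementMode.PERMISSIVE.equals(enforcementMode) && !policyApplied.get()) {
            createEvaluation(resourcePermission, evaluationContext, decision, null).grant();
        }
    }

    /**
     * Feeds every policy produced by {@code supplier} to {@code consumer}.
     */
    private void evaluatePolicies(Supplier<List<Policy>> supplier, Consumer<Policy> consumer) {
        supplier.get().forEach(consumer);
    }

    /**
     * Builds the per-policy callback: a policy that matches the requested scopes is evaluated
     * by the provider registered for its type, then {@code atomicBoolean} is set to record
     * that a policy was applied.
     */
    private Consumer<Policy> createDecisionConsumer(ResourcePermission resourcePermission, EvaluationContext evaluationContext, Decision decision, AtomicBoolean atomicBoolean) {
        return policy -> {
            if (!hasRequestedScopes(resourcePermission, policy)) {
                return;
            }
            PolicyProvider provider = this.authorization.getProvider(policy.getType());
            if (provider == null) {
                // Fail closed: a policy that cannot be evaluated must not be silently ignored.
                throw new RuntimeException("Unknown parentPolicy provider for type [" + policy.getType() + "].");
            }
            provider.evaluate(createEvaluation(resourcePermission, evaluationContext, decision, policy));
            // Only reached when the provider returned normally.
            atomicBoolean.set(true);
        };
    }

    /**
     * Wraps the request, context, policy ({@code null} for a mode-driven grant) and decision
     * into an evaluation object.
     */
    private DefaultEvaluation createEvaluation(ResourcePermission resourcePermission, EvaluationContext evaluationContext, Decision decision, Policy policy) {
        return new DefaultEvaluation(resourcePermission, evaluationContext, policy, decision, this.authorization);
    }

    /**
     * Decides whether {@code policy} applies to the scopes requested by the permission.
     *
     * <p>A permission without scopes always matches. Otherwise the policy must cover the
     * requested resource (when both sides name resources) and share at least one scope id
     * with the request; the policy's scopes are taken from the policy itself or, when it has
     * none, from its resources or from resources of the requested type owned by the resource
     * server. As a last resort the policy's {@code defaultResourceType} config entry is
     * compared with the requested resource's type.
     *
     * @return {@code true} if the policy should be evaluated for this permission
     */
    private boolean hasRequestedScopes(ResourcePermission resourcePermission, Policy policy) {
        List<Scope> requestedScopes = resourcePermission.getScopes();
        if (requestedScopes.isEmpty()) {
            return true;
        }

        Resource requestedResource = resourcePermission.getResource();
        Set<Resource> policyResources = policy.getResources();

        if (requestedResource != null && !policyResources.isEmpty()) {
            // NOTE(review): the type comparison only consults the first resource the set's
            // iterator yields; for an unordered Set that element is arbitrary. Confirm intended.
            Resource firstPolicyResource = policyResources.iterator().next();
            boolean coversRequestedResource = policyResources.stream().anyMatch(candidate ->
                    candidate.getId().equals(requestedResource.getId())
                            || (firstPolicyResource.getType() != null
                                    && firstPolicyResource.getType().equals(requestedResource.getType())));
            if (!coversRequestedResource) {
                return false;
            }
        }

        Set<Scope> policyScopes = new HashSet<>(policy.getScopes());

        if (policyScopes.isEmpty()) {
            // Policy declares no scopes of its own: derive them from its resources.
            Set<Resource> scopeSources = new HashSet<>(policyResources);
            for (Resource source : scopeSources) {
                policyScopes.addAll(source.getScopes());
            }
            if (!scopeSources.isEmpty() && policyScopes.isEmpty()) {
                return false;
            }
            if (policyScopes.isEmpty()) {
                // NOTE(review): the requested resource is dereferenced here without the null
                // check applied earlier in this method; a scope-only permission reaching this
                // branch would throw NullPointerException. Left as is, because treating it as
                // "policy not applicable" would lead to a grant in PERMISSIVE mode.
                String requestedType = requestedResource.getType();
                if (requestedType != null) {
                    String resourceServerId = requestedResource.getResourceServer().getId();
                    for (Resource typedResource : this.resourceStore.findByType(requestedType, resourceServerId)) {
                        // Only resources owned by the resource server contribute scopes.
                        if (typedResource.getOwner().equals(resourceServerId)) {
                            scopeSources.add(typedResource);
                        }
                    }
                }
            }
            for (Resource source : scopeSources) {
                policyScopes.addAll(source.getScopes());
            }
        }

        for (Scope policyScope : policyScopes) {
            for (Scope requestedScope : requestedScopes) {
                if (policyScope.getId().equals(requestedScope.getId())) {
                    return true;
                }
            }
        }

        if (policyResources.isEmpty() && policyScopes.isEmpty()) {
            String defaultResourceType = policy.getConfig().get("defaultResourceType");
            if (defaultResourceType != null) {
                // NOTE(review): same unchecked dereference of the requested resource as above.
                return defaultResourceType.equals(resourcePermission.getResource().getType());
            }
        }
        return false;
    }
}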
