package org.keycloak.services.resources.admin.permissions;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.common.UserModelIdentity;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.GroupModel;
import org.keycloak.models.ImpersonationConstants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.ForbiddenException;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/keycloak/services/resources/admin/permissions/UserPermissions.class */
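/**
 * Evaluates and manages admin permissions on users of a realm.
 *
 * <p>Two layers are combined: the classic realm-management roles ({@code manage-users},
 * {@code view-users}, {@code query-users}, {@code impersonation}) always grant access, and
 * optional fine-grained permissions (policies named by the {@code *_PERMISSION*} constants,
 * attached to the {@value #USERS_RESOURCE} resource of the realm resource server) may grant
 * access on top of them. A fine-grained permission only takes part in evaluation when it
 * exists <em>and</em> has at least one associated policy; otherwise it is treated as not
 * configured. Group-based access (being allowed to manage or view members of a group the
 * user belongs to, directly or through a parent group) is consulted as a last resort for the
 * per-user checks.
 *
 * <p>Note the one asymmetric default: {@link #canImpersonate(UserModel)} returns {@code true}
 * when the admin may impersonate in general and the {@value #USER_IMPERSONATED_PERMISSION}
 * permission is not configured. Every other fine-grained check denies when unconfigured.
 */
public class UserPermissions implements UserPermissionEvaluator, UserPermissionManagement {
    private static final Logger logger = Logger.getLogger(UserPermissions.class);
    public static final String MAP_ROLES_SCOPE = "map-roles";
    public static final String IMPERSONATE_SCOPE = "impersonate";
    public static final String USER_IMPERSONATED_SCOPE = "user-impersonated";
    public static final String MANAGE_GROUP_MEMBERSHIP_SCOPE = "manage-group-membership";
    public static final String MAP_ROLES_PERMISSION_USERS = "map-roles.permission.users";
    public static final String ADMIN_IMPERSONATING_PERMISSION = "admin-impersonating.permission.users";
    public static final String USER_IMPERSONATED_PERMISSION = "user-impersonated.permission.users";
    public static final String MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS = "manage-group-membership.permission.users";
    public static final String MANAGE_PERMISSION_USERS = "manage.permission.users";
    public static final String VIEW_PERMISSION_USERS = "view.permission.users";
    public static final String USERS_RESOURCE = "Users";
    protected final KeycloakSession session;
    protected final RealmModel realm;
    protected final AuthorizationProvider authz;
    protected final MgmtPermissions root;

    /** Predicate over a single group, used when walking a user's group memberships. */
    public interface EvaluateGroup {
        boolean evaluate(GroupModel groupModel);
    }

    /**
     * Creates an evaluator bound to one realm and the admin identity held by {@code mgmtPermissions}.
     *
     * @param keycloakSession       current session
     * @param realmModel            realm whose users are evaluated
     * @param authorizationProvider authorization store access
     * @param mgmtPermissions       root evaluator carrying the admin identity and realm resource server helpers
     */
    public UserPermissions(KeycloakSession keycloakSession, RealmModel realmModel, AuthorizationProvider authorizationProvider, MgmtPermissions mgmtPermissions) {
        this.session = keycloakSession;
        this.realm = realmModel;
        this.authz = authorizationProvider;
        this.root = mgmtPermissions;
    }

    /**
     * Creates the {@value #USERS_RESOURCE} resource, its scopes and one empty scope permission
     * per {@code *_PERMISSION*} constant on the realm resource server, skipping anything that
     * already exists. Idempotent.
     */
    private void initialize() {
        this.root.initializeRealmResourceServer();
        this.root.initializeRealmDefaultScopes();
        ResourceServer server = this.root.realmResourceServer();
        Scope manageScope = this.root.realmManageScope();
        Scope viewScope = this.root.realmViewScope();
        Scope mapRolesScope = this.root.initializeRealmScope(MAP_ROLES_SCOPE);
        Scope impersonateScope = this.root.initializeRealmScope(IMPERSONATE_SCOPE);
        Scope userImpersonatedScope = this.root.initializeRealmScope(USER_IMPERSONATED_SCOPE);
        Scope manageGroupMembershipScope = this.root.initializeRealmScope(MANAGE_GROUP_MEMBERSHIP_SCOPE);

        Resource usersResource = resourceStore().findByName(USERS_RESOURCE, server.getId());
        if (usersResource == null) {
            usersResource = resourceStore().create(USERS_RESOURCE, server, server.getClientId());
            Set<Scope> scopes = new HashSet<>();
            scopes.add(manageScope);
            scopes.add(viewScope);
            scopes.add(mapRolesScope);
            scopes.add(impersonateScope);
            scopes.add(manageGroupMembershipScope);
            scopes.add(userImpersonatedScope);
            usersResource.updateScopes(scopes);
        }

        // Empty permissions carry no associated policies, so they grant nothing until an admin attaches one.
        ensureEmptyScopePermission(server, MANAGE_PERMISSION_USERS, usersResource, manageScope);
        ensureEmptyScopePermission(server, VIEW_PERMISSION_USERS, usersResource, viewScope);
        ensureEmptyScopePermission(server, MAP_ROLES_PERMISSION_USERS, usersResource, mapRolesScope);
        ensureEmptyScopePermission(server, MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS, usersResource, manageGroupMembershipScope);
        ensureEmptyScopePermission(server, ADMIN_IMPERSONATING_PERMISSION, usersResource, impersonateScope);
        ensureEmptyScopePermission(server, USER_IMPERSONATED_PERMISSION, usersResource, userImpersonatedScope);
    }

    /** Creates the named empty scope permission on {@code server} unless a policy of that name exists. */
    private void ensureEmptyScopePermission(ResourceServer server, String permissionName, Resource resource, Scope scope) {
        if (policyStore().findByName(permissionName, server.getId()) == null) {
            Helper.addEmptyScopePermission(this.authz, server, permissionName, resource, scope);
        }
    }

    /**
     * Returns scope name to permission id for every fine-grained user permission, creating the
     * setup first if it is missing.
     *
     * @return insertion-ordered map: view, manage, map-roles, manage-group-membership, impersonate, user-impersonated
     */
    @Override
    public Map<String, String> getPermissions() {
        initialize();
        Map<String, String> permissions = new LinkedHashMap<>();
        permissions.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission().getId());
        permissions.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission().getId());
        permissions.put(MAP_ROLES_SCOPE, mapRolesPermission().getId());
        permissions.put(MANAGE_GROUP_MEMBERSHIP_SCOPE, manageGroupMembershipPermission().getId());
        permissions.put(IMPERSONATE_SCOPE, adminImpersonatingPermission().getId());
        permissions.put(USER_IMPERSONATED_SCOPE, userImpersonatedPermission().getId());
        return permissions;
    }

    /**
     * @return {@code true} when the realm resource server, the {@value #USERS_RESOURCE} resource
     *         and the manage permission all exist
     */
    @Override
    public boolean isPermissionsEnabled() {
        ResourceServer server = this.root.realmResourceServer();
        if (server == null) {
            return false;
        }
        if (resourceStore().findByName(USERS_RESOURCE, server.getId()) == null) {
            return false;
        }
        return managePermission() != null;
    }

    /**
     * Creates the fine-grained permission setup, or tears it down.
     *
     * @param z {@code true} to create, {@code false} to delete
     */
    @Override
    public void setPermissionsEnabled(boolean z) {
        if (z) {
            initialize();
        } else {
            deletePermissionSetup();
        }
    }

    /**
     * Deletes every fine-grained user permission policy and then the {@value #USERS_RESOURCE}
     * resource. No-op when the realm has no resource server.
     */
    private void deletePermissionSetup() {
        ResourceServer server = this.root.realmResourceServer();
        if (server == null) {
            return;
        }
        deletePolicyIfPresent(managePermission());
        deletePolicyIfPresent(viewPermission());
        deletePolicyIfPresent(mapRolesPermission());
        deletePolicyIfPresent(manageGroupMembershipPermission());
        deletePolicyIfPresent(adminImpersonatingPermission());
        deletePolicyIfPresent(userImpersonatedPermission());
        Resource usersResource = resourceStore().findByName(USERS_RESOURCE, server.getId());
        // Fix: the resource must be deleted when it exists (the inverted null check would have
        // dereferenced null and left a stale resource behind when present).
        if (usersResource != null) {
            resourceStore().delete(usersResource.getId());
        }
    }

    /** Deletes {@code policy} from the policy store; ignores {@code null}. */
    private void deletePolicyIfPresent(Policy policy) {
        if (policy != null) {
            policyStore().delete(policy.getId());
        }
    }

    /** @return {@code true} when the admin holds the {@code manage-users} realm-management role. */
    public boolean canManageDefault() {
        return this.root.hasOneAdminRole(AdminRoles.MANAGE_USERS);
    }

    /** @return the {@value #USERS_RESOURCE} resource, or {@code null} when it or the resource server does not exist */
    @Override
    public Resource resource() {
        ResourceServer server = this.root.realmResourceServer();
        if (server == null) {
            return null;
        }
        return resourceStore().findByName(USERS_RESOURCE, server.getId());
    }

    @Override
    public Policy managePermission() {
        return findPermission(MANAGE_PERMISSION_USERS);
    }

    @Override
    public Policy viewPermission() {
        return findPermission(VIEW_PERMISSION_USERS);
    }

    @Override
    public Policy manageGroupMembershipPermission() {
        return findPermission(MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS);
    }

    @Override
    public Policy mapRolesPermission() {
        return findPermission(MAP_ROLES_PERMISSION_USERS);
    }

    @Override
    public Policy adminImpersonatingPermission() {
        return findPermission(ADMIN_IMPERSONATING_PERMISSION);
    }

    @Override
    public Policy userImpersonatedPermission() {
        return findPermission(USER_IMPERSONATED_PERMISSION);
    }

    /**
     * Looks up a policy by name on the realm resource server.
     *
     * @return the policy, or {@code null} when it does not exist or the realm has no resource server
     */
    private Policy findPermission(String permissionName) {
        ResourceServer server = this.root.realmResourceServer();
        if (server == null) {
            return null;
        }
        return policyStore().findByName(permissionName, server.getId());
    }

    /**
     * Resolves the {@value #USERS_RESOURCE} resource for a fine-grained check.
     *
     * @return the resource when {@code server} is non-null, the resource exists, and the named
     *         permission exists with at least one associated policy; {@code null} otherwise
     *         (the permission is then considered not configured)
     */
    private Resource configuredUsersResource(ResourceServer server, String permissionName) {
        if (server == null) {
            return null;
        }
        Resource usersResource = resourceStore().findByName(USERS_RESOURCE, server.getId());
        if (usersResource == null) {
            return null;
        }
        Policy permission = policyStore().findByName(permissionName, server.getId());
        if (permission == null) {
            return null;
        }
        Set<Policy> associated = permission.getAssociatedPolicies();
        if (associated == null || associated.isEmpty()) {
            return null;
        }
        return usersResource;
    }

    /**
     * @return {@code true} when the admin holds {@code manage-users}, or belongs to this realm and
     *         the configured {@value #MANAGE_PERMISSION_USERS} permission grants the manage scope
     */
    @Override
    public boolean canManage() {
        if (canManageDefault()) {
            return true;
        }
        if (!this.root.isAdminSameRealm()) {
            return false;
        }
        ResourceServer server = this.root.realmResourceServer();
        Resource usersResource = configuredUsersResource(server, MANAGE_PERMISSION_USERS);
        if (usersResource == null) {
            return false;
        }
        return this.root.evaluatePermission(usersResource, this.root.realmManageScope(), server);
    }

    /** @throws ForbiddenException when {@link #canManage()} is {@code false} */
    @Override
    public void requireManage() {
        if (!canManage()) {
            throw new ForbiddenException();
        }
    }

    /** @return {@link #canManage()}, or whether a group of {@code userModel} (or an ancestor) grants member management */
    @Override
    public boolean canManage(UserModel userModel) {
        return canManage() || canManageByGroup(userModel);
    }

    /** @throws ForbiddenException when {@link #canManage(UserModel)} is {@code false} */
    @Override
    public void requireManage(UserModel userModel) {
        if (!canManage(userModel)) {
            throw new ForbiddenException();
        }
    }

    /** @return {@code true} when {@code evaluateGroup} accepts any direct group of the user. */
    private boolean evaluateGroups(UserModel userModel, EvaluateGroup evaluateGroup) {
        for (GroupModel group : userModel.getGroups()) {
            if (evaluateGroup.evaluate(group)) {
                return true;
            }
        }
        return false;
    }

    /**
     * @return {@code true} when {@code evaluateGroup} accepts any direct group of the user or any
     *         of its ancestors; each group is evaluated at most once
     */
    private boolean evaluateHierarchy(UserModel userModel, EvaluateGroup evaluateGroup) {
        Set<GroupModel> visited = new HashSet<>();
        for (GroupModel group : userModel.getGroups()) {
            if (evaluateHierarchy(evaluateGroup, group, visited)) {
                return true;
            }
        }
        return false;
    }

    /** Walks from {@code groupModel} up to the root, skipping groups already in {@code visited}. */
    private boolean evaluateHierarchy(EvaluateGroup evaluateGroup, GroupModel groupModel, Set<GroupModel> visited) {
        if (visited.contains(groupModel)) {
            return false;
        }
        if (evaluateGroup.evaluate(groupModel)) {
            return true;
        }
        visited.add(groupModel);
        GroupModel parent = groupModel.getParent();
        if (parent == null) {
            return false;
        }
        return evaluateHierarchy(evaluateGroup, parent, visited);
    }

    private boolean canManageByGroup(UserModel userModel) {
        return evaluateHierarchy(userModel, groupModel -> this.root.groups().canManageMembers(groupModel));
    }

    private boolean canViewByGroup(UserModel userModel) {
        return evaluateHierarchy(userModel, groupModel -> this.root.groups().canViewMembers(groupModel));
    }

    /** @return {@code true} when the admin holds {@code manage-users} or {@code view-users}. */
    public boolean canViewDefault() {
        return this.root.hasOneAdminRole(AdminRoles.MANAGE_USERS, AdminRoles.VIEW_USERS);
    }

    /** @return {@link #canView()}, or whether the admin holds {@code query-users}. */
    @Override
    public boolean canQuery() {
        return canView() || this.root.hasOneAdminRole(AdminRoles.QUERY_USERS);
    }

    /** @throws ForbiddenException when {@link #canQuery()} is {@code false} */
    @Override
    public void requireQuery() {
        if (!canQuery()) {
            throw new ForbiddenException();
        }
    }

    /** Per-user query rights coincide with per-user view rights. */
    @Override
    public boolean canQuery(UserModel userModel) {
        return canView(userModel);
    }

    /** @throws ForbiddenException when {@link #canQuery(UserModel)} is {@code false} */
    @Override
    public void requireQuery(UserModel userModel) {
        if (!canQuery(userModel)) {
            throw new ForbiddenException();
        }
    }

    /**
     * @return {@code true} when the admin holds a view/manage role, or belongs to this realm and
     *         either the fine-grained view permission or {@link #canManage()} grants access
     */
    @Override
    public boolean canView() {
        if (canViewDefault()) {
            return true;
        }
        if (!this.root.isAdminSameRealm()) {
            return false;
        }
        return hasViewPermission() || canManage();
    }

    /**
     * Evaluates the {@value #VIEW_PERMISSION_USERS} permission against the view scope; falls back
     * to {@link #canViewDefault()} when the permission is not configured.
     */
    private boolean hasViewPermission() {
        ResourceServer server = this.root.realmResourceServer();
        Resource usersResource = configuredUsersResource(server, VIEW_PERMISSION_USERS);
        if (usersResource == null) {
            return canViewDefault();
        }
        return this.root.evaluatePermission(usersResource, this.root.realmViewScope(), server);
    }

    /** @return {@link #canView()}, or whether a group of {@code userModel} (or an ancestor) grants member viewing */
    @Override
    public boolean canView(UserModel userModel) {
        return canView() || canViewByGroup(userModel);
    }

    /** @throws ForbiddenException when {@link #canView(UserModel)} is {@code false} */
    @Override
    public void requireView(UserModel userModel) {
        if (!canView(userModel)) {
            throw new ForbiddenException();
        }
    }

    /** @throws ForbiddenException when {@link #canView()} is {@code false} */
    @Override
    public void requireView() {
        if (!canView()) {
            throw new ForbiddenException();
        }
    }

    /**
     * Whether the admin may impersonate {@code userModel} specifically.
     *
     * <p>Requires {@link #canImpersonate()} first. The {@value #USER_IMPERSONATED_PERMISSION}
     * permission is then evaluated with the target user as identity, so policies can restrict
     * which users may be impersonated. When that permission is not configured (or the admin is
     * from another realm) the answer is {@code true}: the general impersonation right stands
     * unrestricted, which is the deliberate default of this method.
     */
    @Override
    public boolean canImpersonate(UserModel userModel) {
        if (!canImpersonate()) {
            return false;
        }
        UserModelIdentity targetIdentity = new UserModelIdentity(this.root.realm, userModel);
        if (!this.root.isAdminSameRealm()) {
            return true;
        }
        ResourceServer server = this.root.realmResourceServer();
        Resource usersResource = configuredUsersResource(server, USER_IMPERSONATED_PERMISSION);
        if (usersResource == null) {
            return true;
        }
        return this.root.evaluatePermission(usersResource, this.root.realmScope(USER_IMPERSONATED_SCOPE), server, targetIdentity);
    }

    /**
     * @return {@code true} when the admin holds the impersonation role, or belongs to this realm
     *         and the configured {@value #ADMIN_IMPERSONATING_PERMISSION} permission grants the
     *         impersonate scope
     */
    @Override
    public boolean canImpersonate() {
        if (this.root.hasOneAdminRole(ImpersonationConstants.IMPERSONATION_ROLE)) {
            return true;
        }
        if (!this.root.isAdminSameRealm()) {
            return false;
        }
        ResourceServer server = this.root.realmResourceServer();
        Resource usersResource = configuredUsersResource(server, ADMIN_IMPERSONATING_PERMISSION);
        if (usersResource == null) {
            return false;
        }
        return this.root.evaluatePermission(usersResource, this.root.realmScope(IMPERSONATE_SCOPE), server);
    }

    /** @throws ForbiddenException when {@link #canImpersonate(UserModel)} is {@code false} */
    @Override
    public void requireImpersonate(UserModel userModel) {
        if (!canImpersonate(userModel)) {
            throw new ForbiddenException();
        }
    }

    /**
     * Summarises the admin's rights on {@code userModel}.
     *
     * @return map with keys view, manage, {@code "mapRoles"}, {@code "manageGroupMembership"} and impersonate
     */
    @Override
    public Map<String, Boolean> getAccess(UserModel userModel) {
        Map<String, Boolean> access = new HashMap<>();
        access.put(AdminPermissionManagement.VIEW_SCOPE, canView(userModel));
        access.put(AdminPermissionManagement.MANAGE_SCOPE, canManage(userModel));
        access.put("mapRoles", canMapRoles(userModel));
        access.put("manageGroupMembership", canManageGroupMembership(userModel));
        access.put(IMPERSONATE_SCOPE, canImpersonate(userModel));
        return access;
    }

    /**
     * @return {@link #canManage(UserModel)}, or whether the configured
     *         {@value #MAP_ROLES_PERMISSION_USERS} permission grants the map-roles scope
     */
    @Override
    public boolean canMapRoles(UserModel userModel) {
        if (canManage(userModel)) {
            return true;
        }
        if (!this.root.isAdminSameRealm()) {
            return false;
        }
        ResourceServer server = this.root.realmResourceServer();
        Resource usersResource = configuredUsersResource(server, MAP_ROLES_PERMISSION_USERS);
        if (usersResource == null) {
            return false;
        }
        return this.root.evaluatePermission(usersResource, this.root.realmScope(MAP_ROLES_SCOPE), server);
    }

    /** @throws ForbiddenException when {@link #canMapRoles(UserModel)} is {@code false} */
    @Override
    public void requireMapRoles(UserModel userModel) {
        if (!canMapRoles(userModel)) {
            throw new ForbiddenException();
        }
    }

    /**
     * @return {@link #canManage(UserModel)}, or whether the configured
     *         {@value #MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS} permission grants the
     *         manage-group-membership scope
     */
    @Override
    public boolean canManageGroupMembership(UserModel userModel) {
        if (canManage(userModel)) {
            return true;
        }
        if (!this.root.isAdminSameRealm()) {
            return false;
        }
        ResourceServer server = this.root.realmResourceServer();
        Resource usersResource = configuredUsersResource(server, MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS);
        if (usersResource == null) {
            return false;
        }
        return this.root.evaluatePermission(usersResource, this.root.realmScope(MANAGE_GROUP_MEMBERSHIP_SCOPE), server);
    }

    /** @throws ForbiddenException when {@link #canManageGroupMembership(UserModel)} is {@code false} */
    @Override
    public void requireManageGroupMembership(UserModel userModel) {
        if (!canManageGroupMembership(userModel)) {
            throw new ForbiddenException();
        }
    }

    /** Shorthand for the resource store of the authorization provider. */
    private org.keycloak.authorization.store.ResourceStore resourceStore() {
        return this.authz.getStoreFactory().getResourceStore();
    }

    /** Shorthand for the policy store of the authorization provider. */
    private org.keycloak.authorization.store.PolicyStore policyStore() {
        return this.authz.getStoreFactory().getPolicyStore();
    }
}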
