package org.keycloak.authorization.admin;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Produces;
import javax.ws.rs.container.AsyncResponse;
import javax.ws.rs.container.Suspended;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.admin.representation.PolicyEvaluationRequest;
import org.keycloak.authorization.admin.representation.PolicyEvaluationResponse;
import org.keycloak.authorization.attribute.Attributes;
import org.keycloak.authorization.common.KeycloakEvaluationContext;
import org.keycloak.authorization.common.KeycloakIdentity;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.DecisionResultCollector;
import org.keycloak.authorization.policy.evaluation.EvaluationContext;
import org.keycloak.authorization.policy.evaluation.Result;
import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.authorization.util.Permissions;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.ProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.Urls;
import org.keycloak.services.resources.admin.RealmAuth;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/authorization/admin/PolicyEvaluationService.class */
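/**
 * Admin REST sub-resource that simulates a policy evaluation for a given user, client,
 * resources and scopes without issuing a real token.
 *
 * <p>The flow is: build a synthetic {@link AccessToken} for the requested user ({@link #createIdentity}),
 * derive an {@link EvaluationContext} that also carries the request-supplied attributes
 * ({@link #createEvaluationContext}), expand the requested resources into {@link ResourcePermission}s
 * ({@link #createPermissions}) and hand everything to the authorization evaluators.
 *
 * <p>Access is gated by {@code auth.requireView()} at the start of {@link #evaluate}. Running the client's
 * protocol mappers requires a temporary user/client session pair; it is created and removed again inside
 * {@link #applyProtocolMappers} and never outlives the request.
 */
public class PolicyEvaluationService {
    private final AuthorizationProvider authorization;
    private final RealmAuth auth;

    /** Injected by the JAX-RS runtime; not read by this class at present. */
    @Context
    private HttpRequest httpRequest;
    private final ResourceServer resourceServer;

    /**
     * @param resourceServer        the resource server whose policies are evaluated
     * @param authorizationProvider provider giving access to the stores, evaluators and the Keycloak session
     * @param realmAuth             admin permission checker for the current caller
     */
    public PolicyEvaluationService(ResourceServer resourceServer, AuthorizationProvider authorizationProvider, RealmAuth realmAuth) {
        this.resourceServer = resourceServer;
        this.authorization = authorizationProvider;
        this.auth = realmAuth;
    }

    /**
     * Evaluates the policies of the resource server against the simulated identity described by the request.
     *
     * <p>The result is delivered asynchronously through {@code asyncResponse} by the collector returned from
     * {@link #createDecisionCollector}; any failure during evaluation is resumed as an error on the same response.
     *
     * @param policyEvaluationRequest user id, client id, role ids, resources/scopes and context attributes to simulate
     * @param asyncResponse           JAX-RS async response that receives the {@link PolicyEvaluationResponse}
     */
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    @Consumes({MediaType.APPLICATION_JSON})
    public void evaluate(PolicyEvaluationRequest policyEvaluationRequest, @Suspended AsyncResponse asyncResponse) {
        // Authorization check first: nothing below may run for a caller without view permission.
        this.auth.requireView();
        KeycloakIdentity identity = createIdentity(policyEvaluationRequest);
        EvaluationContext evaluationContext = createEvaluationContext(policyEvaluationRequest, identity);
        List<ResourcePermission> permissions = createPermissions(policyEvaluationRequest, evaluationContext, this.authorization);
        this.authorization.evaluators()
                .from(permissions, evaluationContext)
                .evaluate(createDecisionCollector(this.authorization, identity, asyncResponse));
    }

    /**
     * Builds the collector that turns the evaluation results into the HTTP response.
     *
     * @param authorizationProvider provider passed through to {@link PolicyEvaluationResponse#build}
     * @param keycloakIdentity      the simulated identity the results were computed for
     * @param asyncResponse         response to resume with either the built representation or the failure
     * @return a collector that completes {@code asyncResponse} exactly once
     */
    private DecisionResultCollector createDecisionCollector(final AuthorizationProvider authorizationProvider, final KeycloakIdentity keycloakIdentity, final AsyncResponse asyncResponse) {
        return new DecisionResultCollector() {
            protected void onComplete(List<Result> results) {
                try {
                    PolicyEvaluationResponse body = PolicyEvaluationResponse.build(results, resourceServer, authorizationProvider, keycloakIdentity);
                    asyncResponse.resume(Response.ok(body).build());
                } catch (Throwable th) {
                    // Building the representation failed; surface it instead of leaving the request suspended.
                    asyncResponse.resume(th);
                }
            }

            public void onError(Throwable th) {
                asyncResponse.resume(th);
            }
        };
    }

    /**
     * Creates the evaluation context for the simulated identity, overlaying the {@code "attributes"} map from the
     * request context on top of the attributes the base {@link KeycloakEvaluationContext} provides.
     *
     * <p>Each request attribute value is split on {@code ","} into a multi-valued attribute; entries with a
     * {@code null} value are ignored. A request attribute with the same key as a base attribute replaces it.
     *
     * @param policyEvaluationRequest request whose {@code context.attributes} are merged in
     * @param keycloakIdentity        identity the context is created for
     * @return the evaluation context
     */
    private EvaluationContext createEvaluationContext(final PolicyEvaluationRequest policyEvaluationRequest, KeycloakIdentity keycloakIdentity) {
        return new KeycloakEvaluationContext(keycloakIdentity, this.authorization.getKeycloakSession()) {
            @Override
            public Attributes getAttributes() {
                Map<String, Collection<String>> attributes = new HashMap<>(super.getAttributes().toMap());
                Map<String, String> requestAttributes = policyEvaluationRequest.getContext().get("attributes");
                if (requestAttributes != null) {
                    requestAttributes.forEach((name, value) -> {
                        if (value != null) {
                            // split(",") drops trailing empty elements, matching the previous manual loop
                            attributes.put(name, new ArrayList<>(Arrays.asList(value.split(","))));
                        }
                    });
                }
                return Attributes.from(attributes);
            }
        };
    }

    /**
     * Expands the resources named in the request into the concrete permissions to evaluate.
     *
     * <p>For each requested resource entry (a {@code null} entry is treated as an empty one):
     * <ul>
     *   <li>if it has an id, permissions are built for that stored resource;</li>
     *   <li>else if it has a type, permissions are built for every stored resource of that type;</li>
     *   <li>else, if scopes were given, one scope-only permission per scope is built;</li>
     *   <li>else every permission of the resource server is evaluated ({@link Permissions#all}).</li>
     * </ul>
     * The scope names given on the entry narrow the resource-based permissions.
     *
     * @param policyEvaluationRequest request listing the resources/scopes to simulate
     * @param evaluationContext       context whose identity is used when falling back to all permissions
     * @param authorizationProvider   provider giving access to the resource and scope stores
     * @return the permissions to evaluate, in request order
     */
    private List<ResourcePermission> createPermissions(PolicyEvaluationRequest policyEvaluationRequest, EvaluationContext evaluationContext, AuthorizationProvider authorizationProvider) {
        StoreFactory storeFactory = authorizationProvider.getStoreFactory();
        String resourceServerId = this.resourceServer.getId();

        return policyEvaluationRequest.getResources().stream().flatMap(requested -> {
            PolicyEvaluationRequest.Resource resource = requested != null ? requested : new PolicyEvaluationRequest.Resource();
            Set<String> scopeNames = resource.getScopes() == null
                    ? new HashSet<>()
                    : resource.getScopes().stream().map(scope -> scope.getName()).collect(Collectors.toSet());

            if (resource.getId() != null) {
                Resource stored = storeFactory.getResourceStore().findById(resource.getId(), resourceServerId);
                return Permissions.createResourcePermissions(stored, scopeNames, authorizationProvider).stream();
            }

            if (resource.getType() != null) {
                return storeFactory.getResourceStore().findByType(resource.getType(), resourceServerId).stream()
                        .flatMap(stored -> Permissions.createResourcePermissions(stored, scopeNames, authorizationProvider).stream());
            }

            // Scope-only permissions (no resource). NOTE(review): a scope name that does not resolve in the store
            // yields a permission carrying a null scope, as it did before — confirm whether that is intended.
            ScopeStore scopeStore = storeFactory.getScopeStore();
            List<ResourcePermission> scopePermissions = scopeNames.stream()
                    .map(name -> scopeStore.findByName(name, resourceServerId))
                    .map(scope -> new ResourcePermission((Resource) null, Arrays.asList(scope), this.resourceServer))
                    .collect(Collectors.toList());

            if (scopePermissions.isEmpty()) {
                return Permissions.all(this.resourceServer, evaluationContext.getIdentity(), authorizationProvider).stream();
            }
            return scopePermissions.stream();
        }).collect(Collectors.toList());
    }

    /**
     * Builds the simulated identity: a synthetic access token for the requested user and client.
     *
     * <p>The token carries the request's {@code context.attributes} as claims, then (when the user exists) the
     * user's own attributes — which override request attributes with the same key — the user's realm roles,
     * the effect of the client's OIDC access-token protocol mappers, and the user's client roles for both the
     * requested client and the resource server's client. Role ids listed on the request are finally added as
     * realm roles. No token is signed or issued; the object only feeds the evaluators.
     *
     * @param policyEvaluationRequest request providing user id, client id, role ids and context attributes
     * @return the identity wrapping the synthetic token
     * @throws IllegalArgumentException if the requested client or the resource server's client cannot be found
     */
    private KeycloakIdentity createIdentity(PolicyEvaluationRequest policyEvaluationRequest) {
        KeycloakSession keycloakSession = this.authorization.getKeycloakSession();
        RealmModel realm = keycloakSession.getContext().getRealm();

        AccessToken accessToken = new AccessToken();
        accessToken.subject(policyEvaluationRequest.getUserId());
        accessToken.issuedFor(policyEvaluationRequest.getClientId());
        accessToken.audience(new String[]{policyEvaluationRequest.getClientId()});
        accessToken.issuer(Urls.realmIssuer(keycloakSession.getContext().getUri().getBaseUri(), realm.getName()));
        accessToken.setRealmAccess(new AccessToken.Access());
        AccessToken.Access realmAccess = accessToken.getRealmAccess();
        Map<String, Object> otherClaims = accessToken.getOtherClaims();

        Map<String, String> requestAttributes = policyEvaluationRequest.getContext().get("attributes");
        if (requestAttributes != null) {
            requestAttributes.forEach((name, value) -> otherClaims.put(name, Arrays.asList(value)));
        }

        String subject = accessToken.getSubject();
        UserModel user = subject != null ? keycloakSession.users().getUserById(subject, realm) : null;
        if (user != null) {
            // Stored user attributes win over request-supplied ones with the same key.
            user.getAttributes().forEach(otherClaims::put);
            user.getRoleMappings().stream().map(role -> role.getName()).forEach(realmAccess::addRole);

            String clientId = policyEvaluationRequest.getClientId();
            if (clientId == null) {
                clientId = this.resourceServer.getClientId();
            }
            if (clientId != null) {
                ClientModel client = requireClient(realm, clientId);
                accessToken = applyProtocolMappers(accessToken, keycloakSession, realm, client, user);
                addClientRoles(accessToken, user, client);
                ClientModel resourceServerClient = requireClient(realm, this.resourceServer.getClientId());
                addClientRoles(accessToken, user, resourceServerClient);
            }
        }

        if (policyEvaluationRequest.getRoleIds() != null) {
            policyEvaluationRequest.getRoleIds().forEach(realmAccess::addRole);
        }

        return new KeycloakIdentity(accessToken, keycloakSession);
    }

    /**
     * Looks up a client by id, failing with a clear message instead of a later {@code NullPointerException}.
     *
     * @param realm    realm to search
     * @param clientId id passed to {@link RealmModel#getClientById}
     * @return the client
     * @throws IllegalArgumentException if no such client exists
     */
    private static ClientModel requireClient(RealmModel realm, String clientId) {
        ClientModel client = realm.getClientById(clientId);
        if (client == null) {
            throw new IllegalArgumentException("Client not found: " + clientId);
        }
        return client;
    }

    /**
     * Runs the client's {@link OIDCAccessTokenMapper} protocol mappers over the synthetic token.
     *
     * <p>Mappers need a user session and a client session, so a temporary pair is created with placeholder
     * connection details (IP {@code 127.0.0.1}, auth method {@code passwd}, no broker) and removed again in
     * {@code finally}, whether or not a mapper throws.
     *
     * @return the token after all applicable mappers ran (mappers may return a new instance)
     */
    private AccessToken applyProtocolMappers(AccessToken accessToken, KeycloakSession keycloakSession, RealmModel realm, ClientModel client, UserModel user) {
        AccessToken token = accessToken;
        ClientSessionModel clientSession = null;
        UserSessionModel userSession = null;
        try {
            clientSession = keycloakSession.sessions().createClientSession(realm, client);
            userSession = keycloakSession.sessions().createUserSession(realm, user, user.getUsername(), "127.0.0.1", "passwd", false, (String) null, (String) null);
            for (ProtocolMapperModel mapperModel : client.getProtocolMappers()) {
                ProtocolMapper mapper = (ProtocolMapper) keycloakSession.getKeycloakSessionFactory()
                        .getProviderFactory(ProtocolMapper.class, mapperModel.getProtocolMapper());
                // instanceof is false for a missing (null) factory, so no separate null check is needed
                if (mapper instanceof OIDCAccessTokenMapper) {
                    token = ((OIDCAccessTokenMapper) mapper).transformAccessToken(token, mapperModel, keycloakSession, userSession, clientSession);
                }
            }
            return token;
        } finally {
            // The temporary sessions must not survive the evaluation request.
            if (clientSession != null) {
                keycloakSession.sessions().removeClientSession(realm, clientSession);
            }
            if (userSession != null) {
                keycloakSession.sessions().removeUserSession(realm, userSession);
            }
        }
    }

    /**
     * Replaces the token's role set for {@code client} with the user's client-role mappings for it.
     *
     * @param accessToken token to update
     * @param user        user whose client roles are copied
     * @param client      client whose access entry is (re)built
     */
    private static void addClientRoles(AccessToken accessToken, UserModel user, ClientModel client) {
        AccessToken.Access clientAccess = accessToken.addAccess(client.getClientId());
        clientAccess.roles(new HashSet<>());
        user.getClientRoleMappings(client).stream().map(role -> role.getName()).forEach(clientAccess::addRole);
    }
}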
