package org.keycloak.services.resources.admin.permissions;

import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.EvaluationContext;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.GroupModel;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.services.ForbiddenException;

/* loaded from: input_file:org/keycloak/services/resources/admin/permissions/GroupPermissions.class */
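/**
 * Admin-console permission checks for groups, backed by the realm's "fine-grained admin
 * permissions" resource server.
 *
 * <p>Every {@code can*} method follows the same two-tier scheme, visible in each body below:
 * <ol>
 *   <li>a realm-wide admin role (via {@code root.users()} / {@code root.hasOneAdminRole})
 *       short-circuits to {@code true};</li>
 *   <li>otherwise the per-group policy is evaluated, but <b>only</b> when
 *       {@code root.isAdminSameRealm()} holds. Admins acting from another realm never get a
 *       fine-grained grant here.</li>
 * </ol>
 *
 * <p>Per group, {@link #initialize(GroupModel)} registers one resource named
 * {@code group.resource.<id>} carrying the manage/view/view-members/manage-members/
 * manage-membership scopes, plus one empty scope-permission policy per scope. The
 * {@code *Permission(GroupModel)} accessors look those policies up by name; they return
 * {@code null} when the realm resource server or the policy does not exist.
 */
class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManagement {
    // Scope names registered on the realm resource server for each group resource.
    private static final String MANAGE_MEMBERSHIP_SCOPE = "manage-membership";
    private static final String MANAGE_MEMBERS_SCOPE = "manage-members";
    private static final String VIEW_MEMBERS_SCOPE = "view-members";
    private static final String RESOURCE_NAME_PREFIX = "group.resource.";
    /** Resource type stamped on every group resource; used to enumerate them. */
    private static final String GROUP_RESOURCE_TYPE = "Group";

    private final AuthorizationProvider authz;
    private final MgmtPermissions root;
    private final ResourceStore resourceStore;
    private final PolicyStore policyStore;

    /**
     * @param authorizationProvider provider whose store factory supplies the resource and
     *                              policy stores
     * @param mgmtPermissions       root evaluator that owns the realm resource server, the
     *                              default scopes and the admin-identity checks
     */
    public GroupPermissions(AuthorizationProvider authorizationProvider, MgmtPermissions mgmtPermissions) {
        this.authz = authorizationProvider;
        this.root = mgmtPermissions;
        this.resourceStore = authorizationProvider.getStoreFactory().getResourceStore();
        this.policyStore = authorizationProvider.getStoreFactory().getPolicyStore();
    }

    // ---- naming helpers: resource and policy names are derived from the group id ----

    private static String getGroupResourceName(GroupModel groupModel) {
        return RESOURCE_NAME_PREFIX + groupModel.getId();
    }

    private static String getManagePermissionGroup(GroupModel groupModel) {
        return "manage.permission.group." + groupModel.getId();
    }

    private static String getManageMembersPermissionGroup(GroupModel groupModel) {
        return "manage.members.permission.group." + groupModel.getId();
    }

    private static String getManageMembershipPermissionGroup(GroupModel groupModel) {
        return "manage.membership.permission.group." + groupModel.getId();
    }

    private static String getViewPermissionGroup(GroupModel groupModel) {
        return "view.permission.group." + groupModel.getId();
    }

    private static String getViewMembersPermissionGroup(GroupModel groupModel) {
        return "view.members.permission.group." + groupModel.getId();
    }

    /**
     * Creates the group's resource and its five scope-permission policies if they are missing.
     *
     * <p>Idempotent by name: anything already present is left as-is. In particular the scope set
     * is only assigned when the resource is newly created, so a pre-existing resource is not
     * back-filled with scopes (NOTE(review): intentional upstream behaviour, kept unchanged).
     * The policies are created empty (no associated policies), i.e. they grant nothing until an
     * admin attaches a policy to them.
     */
    private void initialize(GroupModel groupModel) {
        this.root.initializeRealmResourceServer();
        this.root.initializeRealmDefaultScopes();
        ResourceServer server = this.root.realmResourceServer();
        Scope manageScope = this.root.realmManageScope();
        Scope viewScope = this.root.realmViewScope();
        Scope manageMembersScope = this.root.initializeRealmScope(MANAGE_MEMBERS_SCOPE);
        Scope viewMembersScope = this.root.initializeRealmScope(VIEW_MEMBERS_SCOPE);
        Scope manageMembershipScope = this.root.initializeRealmScope(MANAGE_MEMBERSHIP_SCOPE);

        String resourceName = getGroupResourceName(groupModel);
        Resource groupResource = this.resourceStore.findByName(resourceName, server.getId());
        if (groupResource == null) {
            groupResource = this.resourceStore.create(resourceName, server, server.getId());
            Set<Scope> scopes = new HashSet<>();
            scopes.add(manageScope);
            scopes.add(viewScope);
            scopes.add(viewMembersScope);
            scopes.add(manageMembershipScope);
            scopes.add(manageMembersScope);
            groupResource.updateScopes(scopes);
            groupResource.setType(GROUP_RESOURCE_TYPE);
        }

        ensureScopePermission(server, getManagePermissionGroup(groupModel), groupResource, manageScope);
        ensureScopePermission(server, getViewPermissionGroup(groupModel), groupResource, viewScope);
        ensureScopePermission(server, getManageMembersPermissionGroup(groupModel), groupResource, manageMembersScope);
        ensureScopePermission(server, getViewMembersPermissionGroup(groupModel), groupResource, viewMembersScope);
        ensureScopePermission(server, getManageMembershipPermissionGroup(groupModel), groupResource, manageMembershipScope);
    }

    /** Adds an empty scope permission named {@code policyName} unless one already exists. */
    private void ensureScopePermission(ResourceServer server, String policyName, Resource resource, Scope scope) {
        if (this.policyStore.findByName(policyName, server.getId()) == null) {
            Helper.addEmptyScopePermission(this.authz, server, policyName, resource, scope);
        }
    }

    /** Finds a policy by name on the realm resource server; {@code null} if either is absent. */
    private Policy findRealmPolicy(String policyName) {
        ResourceServer server = this.root.realmResourceServer();
        if (server == null) {
            return null;
        }
        return this.policyStore.findByName(policyName, server.getId());
    }

    /**
     * Listing groups is allowed for anyone who can view them, or who holds one of the
     * view-users / manage-users / query-groups admin roles.
     */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionEvaluator
    public boolean canList() {
        return canView() || this.root.hasOneAdminRole(AdminRoles.VIEW_USERS, AdminRoles.MANAGE_USERS, AdminRoles.QUERY_GROUPS);
    }

    /** @throws ForbiddenException when {@link #canList()} is false */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionEvaluator
    public void requireList() {
        if (!canList()) {
            throw new ForbiddenException();
        }
    }

    /** True iff the group's resource exists on the realm resource server. */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionManagement
    public boolean isPermissionsEnabled(GroupModel groupModel) {
        return groupResource(groupModel) != null;
    }

    /**
     * Enables (creates) or disables (deletes) fine-grained permissions for the group.
     * Disabling removes the five policies and the resource, which revokes every grant that
     * was attached to them.
     */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionManagement
    public void setPermissionsEnabled(GroupModel groupModel, boolean z) {
        if (z) {
            initialize(groupModel);
        } else {
            deletePermissions(groupModel);
        }
    }

    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionManagement
    public Policy viewMembersPermission(GroupModel groupModel) {
        return findRealmPolicy(getViewMembersPermissionGroup(groupModel));
    }

    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionManagement
    public Policy manageMembersPermission(GroupModel groupModel) {
        return findRealmPolicy(getManageMembersPermissionGroup(groupModel));
    }

    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionManagement
    public Policy manageMembershipPermission(GroupModel groupModel) {
        return findRealmPolicy(getManageMembershipPermissionGroup(groupModel));
    }

    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionManagement
    public Policy viewPermission(GroupModel groupModel) {
        return findRealmPolicy(getViewPermissionGroup(groupModel));
    }

    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionManagement
    public Policy managePermission(GroupModel groupModel) {
        return findRealmPolicy(getManagePermissionGroup(groupModel));
    }

    /** The group's resource on the realm resource server, or {@code null} if not enabled. */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionManagement
    public Resource resource(GroupModel groupModel) {
        return groupResource(groupModel);
    }

    /**
     * Returns scope-name to policy-id for the group's five permissions.
     *
     * <p>Not a pure read: it first runs {@link #initialize(GroupModel)}, so calling this on a
     * group without fine-grained permissions enables them as a side effect. Callers must gate
     * this behind the appropriate manage check.
     */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionManagement
    public Map<String, String> getPermissions(GroupModel groupModel) {
        initialize(groupModel);
        Map<String, String> permissions = new LinkedHashMap<>();
        permissions.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(groupModel).getId());
        permissions.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission(groupModel).getId());
        permissions.put(VIEW_MEMBERS_SCOPE, viewMembersPermission(groupModel).getId());
        permissions.put(MANAGE_MEMBERS_SCOPE, manageMembersPermission(groupModel).getId());
        permissions.put(MANAGE_MEMBERSHIP_SCOPE, manageMembershipPermission(groupModel).getId());
        return permissions;
    }

    /** Realm-wide manage-users, or (same realm only) the group's "manage" scope. */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionEvaluator
    public boolean canManage(GroupModel groupModel) {
        if (canManage()) {
            return true;
        }
        if (!this.root.isAdminSameRealm()) {
            return false;
        }
        return hasPermission(groupModel, AdminPermissionManagement.MANAGE_SCOPE);
    }

    /** @throws ForbiddenException when {@link #canManage(GroupModel)} is false */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionEvaluator
    public void requireManage(GroupModel groupModel) {
        if (!canManage(groupModel)) {
            throw new ForbiddenException();
        }
    }

    /**
     * Realm-wide view-users or manage-users, or (same realm only) the group's "view" or
     * "manage" scope — a manage grant implies view.
     */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionEvaluator
    public boolean canView(GroupModel groupModel) {
        if (canView() || canManage()) {
            return true;
        }
        if (!this.root.isAdminSameRealm()) {
            return false;
        }
        return hasPermission(groupModel, AdminPermissionManagement.VIEW_SCOPE, AdminPermissionManagement.MANAGE_SCOPE);
    }

    /** @throws ForbiddenException when {@link #canView(GroupModel)} is false */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionEvaluator
    public void requireView(GroupModel groupModel) {
        if (!canView(groupModel)) {
            throw new ForbiddenException();
        }
    }

    /** Realm-wide manage: delegates to the users evaluator's default manage check. */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionEvaluator
    public boolean canManage() {
        return this.root.users().canManageDefault();
    }

    /** @throws ForbiddenException when {@link #canManage()} is false */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionEvaluator
    public void requireManage() {
        if (!canManage()) {
            throw new ForbiddenException();
        }
    }

    /** Realm-wide view: delegates to the users evaluator's default view check. */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionEvaluator
    public boolean canView() {
        return this.root.users().canViewDefault();
    }

    /** @throws ForbiddenException when {@link #canView()} is false */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionEvaluator
    public void requireView() {
        if (!canView()) {
            throw new ForbiddenException();
        }
    }

    /**
     * Whether the caller may view the members of {@code groupModel}: realm-wide user view or
     * manage, or (same realm only) the group's "view-members" or "manage-members" scope.
     * Despite the name this is a per-group boolean check (see {@link #requireViewMembers}).
     */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionEvaluator
    public boolean getGroupsWithViewPermission(GroupModel groupModel) {
        if (this.root.users().canView() || this.root.users().canManage()) {
            return true;
        }
        if (!this.root.isAdminSameRealm() || this.root.realmResourceServer() == null) {
            return false;
        }
        return hasPermission(groupModel, VIEW_MEMBERS_SCOPE, MANAGE_MEMBERS_SCOPE);
    }

    /**
     * Ids of the groups whose members the caller may view through a fine-grained grant.
     *
     * <p>Contract callers must respect: the result is empty both when the caller has
     * realm-wide user view/manage (no filtering is needed — check that first) and when the
     * caller has no fine-grained grant at all (nothing may be shown). The two cases are not
     * distinguishable from the return value alone.
     *
     * <p>Only resources that carry the {@code group.resource.} prefix are considered; any
     * other resource typed "Group" is skipped instead of being sliced blindly.
     */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionEvaluator
    public Set<String> getGroupsWithViewPermission() {
        if (this.root.users().canView() || this.root.users().canManage()) {
            return Collections.emptySet();
        }
        if (!this.root.isAdminSameRealm()) {
            return Collections.emptySet();
        }
        ResourceServer server = this.root.realmResourceServer();
        if (server == null) {
            return Collections.emptySet();
        }
        Set<String> groupIds = new HashSet<>();
        this.resourceStore.findByType(GROUP_RESOURCE_TYPE, server.getId(), resource -> {
            String name = resource.getName();
            if (name == null || !name.startsWith(RESOURCE_NAME_PREFIX)) {
                return;
            }
            if (hasPermission(resource, (EvaluationContext) null, VIEW_MEMBERS_SCOPE, MANAGE_MEMBERS_SCOPE)) {
                groupIds.add(name.substring(RESOURCE_NAME_PREFIX.length()));
            }
        });
        return groupIds;
    }

    /** @throws ForbiddenException when the caller may not view the group's members */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionEvaluator
    public void requireViewMembers(GroupModel groupModel) {
        if (!getGroupsWithViewPermission(groupModel)) {
            throw new ForbiddenException();
        }
    }

    /** Realm-wide manage-users, or (same realm only) the group's "manage-members" scope. */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionEvaluator
    public boolean canManageMembers(GroupModel groupModel) {
        if (this.root.users().canManage()) {
            return true;
        }
        if (!this.root.isAdminSameRealm() || this.root.realmResourceServer() == null) {
            return false;
        }
        return hasPermission(groupModel, MANAGE_MEMBERS_SCOPE);
    }

    /**
     * Whether the caller may add/remove users to/from the group: anyone who can manage the
     * group, or (same realm only) a holder of the "manage-membership" scope.
     */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionEvaluator
    public boolean canManageMembership(GroupModel groupModel) {
        if (canManage(groupModel)) {
            return true;
        }
        if (!this.root.isAdminSameRealm()) {
            return false;
        }
        return hasPermission(groupModel, MANAGE_MEMBERSHIP_SCOPE);
    }

    /** @throws ForbiddenException when {@link #canManageMembership(GroupModel)} is false */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionEvaluator
    public void requireManageMembership(GroupModel groupModel) {
        if (!canManageMembership(groupModel)) {
            throw new ForbiddenException();
        }
    }

    /** @throws ForbiddenException when {@link #canManageMembers(GroupModel)} is false */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionEvaluator
    public void requireManageMembers(GroupModel groupModel) {
        if (!canManageMembers(groupModel)) {
            throw new ForbiddenException();
        }
    }

    /**
     * Access summary exposed to the admin UI: "view", "manage" and "manageMembership".
     * Member view/manage rights are deliberately not part of this map.
     */
    @Override // org.keycloak.services.resources.admin.permissions.GroupPermissionEvaluator
    public Map<String, Boolean> getAccess(GroupModel groupModel) {
        Map<String, Boolean> access = new HashMap<>();
        access.put(AdminPermissionManagement.VIEW_SCOPE, canView(groupModel));
        access.put(AdminPermissionManagement.MANAGE_SCOPE, canManage(groupModel));
        access.put("manageMembership", canManageMembership(groupModel));
        return access;
    }

    private boolean hasPermission(GroupModel groupModel, String... scopes) {
        return hasPermission(groupModel, (EvaluationContext) null, scopes);
    }

    /** False when the realm resource server or the group's resource is missing. */
    private boolean hasPermission(GroupModel groupModel, EvaluationContext evaluationContext, String... scopes) {
        Resource groupResource = groupResource(groupModel);
        if (groupResource == null) {
            return false;
        }
        return hasPermission(groupResource, evaluationContext, scopes);
    }

    /**
     * Evaluates the resource against all of its scopes and grants if <em>any</em> of the
     * requested {@code scopes} comes back in a granted permission. The evaluation is done by
     * {@code root.evaluatePermission}, with or without an explicit evaluation context.
     */
    private boolean hasPermission(Resource resource, EvaluationContext evaluationContext, String... scopes) {
        ResourceServer server = this.root.realmResourceServer();
        ResourcePermission request = new ResourcePermission(resource, resource.getScopes(), server);
        Collection<Permission> granted = evaluationContext == null
                ? this.root.evaluatePermission(request, server)
                : this.root.evaluatePermission(request, server, evaluationContext);
        List<String> wanted = Arrays.asList(scopes);
        for (Permission permission : granted) {
            for (String scope : permission.getScopes()) {
                if (wanted.contains(scope)) {
                    return true;
                }
            }
        }
        return false;
    }

    /** The group's resource, or {@code null} if the realm resource server or resource is absent. */
    private Resource groupResource(GroupModel groupModel) {
        ResourceServer server = this.root.realmResourceServer();
        if (server == null) {
            return null;
        }
        return this.resourceStore.findByName(getGroupResourceName(groupModel), server.getId());
    }

    /**
     * Deletes the group's five policies (if present) and then its resource. Deleting the
     * policies drops every grant attached to them, so this is the revocation path for
     * {@link #setPermissionsEnabled(GroupModel, boolean)}.
     */
    private void deletePermissions(GroupModel groupModel) {
        if (this.root.realmResourceServer() == null) {
            return;
        }
        List<Policy> policies = Arrays.asList(
                managePermission(groupModel),
                viewPermission(groupModel),
                manageMembersPermission(groupModel),
                viewMembersPermission(groupModel),
                manageMembershipPermission(groupModel));
        for (Policy policy : policies) {
            if (policy != null) {
                this.policyStore.delete(policy.getId());
            }
        }
        Resource groupResource = groupResource(groupModel);
        if (groupResource != null) {
            this.resourceStore.delete(groupResource.getId());
        }
    }
}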
