package org.keycloak.authorization.protection.policy;

import java.io.IOException;
import java.util.Set;
import java.util.stream.Collectors;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.admin.PermissionService;
import org.keycloak.authorization.admin.PolicyTypeResourceService;
import org.keycloak.authorization.common.KeycloakIdentity;
import org.keycloak.authorization.identity.Identity;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.common.Profile;
import org.keycloak.representations.idm.authorization.UmaPermissionRepresentation;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.resources.admin.AdminEventBuilder;
import org.keycloak.util.JsonSerialization;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/authorization/protection/policy/UserManagedPermissionService.class */
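/**
 * UMA "policy" endpoint: lets the owner of a resource create, read, update and delete the
 * user-managed permission policies attached to that resource.
 *
 * <p>Every operation first runs {@link #checkRequest(String, UmaPermissionRepresentation)},
 * which rejects the call unless the target resource exists in this resource server, is owned
 * by the calling identity, has owner-managed access enabled and the resource server allows
 * remote resource management. The actual persistence work is delegated to a
 * {@link PermissionService} instance.
 *
 * <p>NOTE(review): {@link #getPolicy(String)} looks up any policy of the resource server by id;
 * ownership is then checked on the policy's first associated resource only. Whether a non-UMA
 * policy attached to a user-owned resource should be reachable through this endpoint is not
 * decided here — confirm against the delegate's handling of policy type/owner.
 */
public class UserManagedPermissionService {
    private final ResourceServer resourceServer;
    private final Identity identity;
    private final AuthorizationProvider authorization;
    private final PermissionService delegate;

    /**
     * Creates the service for one caller and one resource server.
     *
     * @param keycloakIdentity      the authenticated caller; its id is used as the policy owner
     * @param resourceServer        the resource server whose resources/policies are managed
     * @param authorizationProvider gives access to the resource and policy stores
     * @param adminEventBuilder     forwarded to the delegate {@link PermissionService}
     */
    public UserManagedPermissionService(KeycloakIdentity keycloakIdentity, ResourceServer resourceServer, AuthorizationProvider authorizationProvider, AdminEventBuilder adminEventBuilder) {
        this.identity = keycloakIdentity;
        this.resourceServer = resourceServer;
        this.authorization = authorizationProvider;
        this.delegate = new PermissionService(resourceServer, authorizationProvider, null, adminEventBuilder);
        // The delegate is built by hand rather than by the JAX-RS runtime, so its injected
        // properties have to be populated explicitly.
        ResteasyProviderFactory.getInstance().injectProperties(this.delegate);
    }

    /**
     * Creates a new UMA policy for the given resource.
     *
     * <p>The representation must not carry an id; the resource id from the path is added to it
     * and the owner is forced to the calling identity before it is handed to the delegate.
     *
     * @param resourceId                  id of the resource the policy is created for
     * @param umaPermissionRepresentation the policy to create (request body)
     * @return the stored policy, as returned by {@link #findById(String)}
     * @throws ErrorResponseException with {@code invalid_request} when the body is missing, already has
     *                                an id, or fails the resource checks of {@link #checkRequest}
     */
    @Path("{resourceId}")
    @Consumes({MediaType.APPLICATION_JSON})
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public Response create(@PathParam("resourceId") String resourceId, UmaPermissionRepresentation umaPermissionRepresentation) {
        // A missing body used to surface as a NullPointerException (HTTP 500); report it as a client error.
        if (umaPermissionRepresentation == null) {
            throw new ErrorResponseException("invalid_request", "Missing policy representation", Response.Status.BAD_REQUEST);
        }
        if (umaPermissionRepresentation.getId() != null) {
            throw new ErrorResponseException("invalid_request", "Newly created uma policies should not have an id", Response.Status.BAD_REQUEST);
        }
        checkRequest(resourceId, umaPermissionRepresentation);
        umaPermissionRepresentation.addResource(resourceId);
        // The owner is never taken from the client payload.
        umaPermissionRepresentation.setOwner(this.identity.getId());
        return findById(this.delegate.create(umaPermissionRepresentation).getId());
    }

    /**
     * Updates an existing UMA policy.
     *
     * <p>The raw JSON body is parsed only to validate it against the policy's associated
     * resource; the unmodified body is then forwarded to the delegate.
     *
     * <p>NOTE(review): because the original string is forwarded, the scope defaulting that
     * {@link #checkRequest} performs on the parsed copy does not reach the delegate, and any
     * resource/owner fields inside the body are not re-validated here — confirm the delegate
     * pins them to the path policy.
     *
     * @param policyId id of the policy to update
     * @param payload  JSON representation of the policy (request body)
     * @return the delegate's response
     * @throws ErrorResponseException when the body is missing or cannot be parsed, or the checks of
     *                                {@link #checkRequest} fail
     */
    @Path("{policyId}")
    @Consumes({MediaType.APPLICATION_JSON})
    @Produces({MediaType.APPLICATION_JSON})
    @PUT
    public Response update(@PathParam("policyId") String policyId, String payload) {
        if (payload == null || payload.isEmpty()) {
            throw new ErrorResponseException("invalid_request", "Missing policy representation", Response.Status.BAD_REQUEST);
        }
        UmaPermissionRepresentation representation;
        try {
            representation = JsonSerialization.readValue(payload, UmaPermissionRepresentation.class);
        } catch (IOException e) {
            // ErrorResponseException offers no cause parameter; the parse error is deliberately not
            // echoed to the client.
            throw new ErrorResponseException("invalid_request", "Failed to parse representation", Response.Status.BAD_REQUEST);
        }
        checkRequest(getAssociatedResourceId(policyId), representation);
        return PolicyTypeResourceService.class.cast(this.delegate.getResource(policyId)).update(payload);
    }

    /**
     * Deletes a UMA policy after verifying the caller owns its associated resource.
     *
     * @param policyId id of the policy to delete
     * @return {@code 204 No Content}
     * @throws ErrorResponseException when the policy or its resource cannot be found, or the checks of
     *                                {@link #checkRequest} fail
     */
    @Path("{policyId}")
    @DELETE
    public Response delete(@PathParam("policyId") String policyId) {
        checkRequest(getAssociatedResourceId(policyId), null);
        PolicyTypeResourceService.class.cast(this.delegate.getResource(policyId)).delete();
        return Response.noContent().build();
    }

    /**
     * Returns a single UMA policy after verifying the caller owns its associated resource.
     *
     * @param policyId id of the policy to look up
     * @return the delegate's representation of the policy
     * @throws ErrorResponseException when the policy or its resource cannot be found, or the checks of
     *                                {@link #checkRequest} fail
     */
    @GET
    @Produces({MediaType.APPLICATION_JSON})
    @Path("{policyId}")
    public Response findById(@PathParam("policyId") String policyId) {
        checkRequest(getAssociatedResourceId(policyId), null);
        return PolicyTypeResourceService.class.cast(this.delegate.getResource(policyId)).findById(null);
    }

    /**
     * Lists UMA policies owned by the calling identity.
     *
     * <p>The query is fixed to policy type {@code "uma"} and to the caller's id as owner, so the
     * filters below only narrow that set.
     *
     * @param name     optional policy name filter
     * @param resource optional resource filter
     * @param scope    optional scope filter
     * @param first    optional pagination offset
     * @param max      optional page size
     * @return the delegate's listing response
     */
    @GET
    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    public Response find(@QueryParam("name") String name, @QueryParam("resource") String resource, @QueryParam("scope") String scope, @QueryParam("first") Integer first, @QueryParam("max") Integer max) {
        return this.delegate.findAll(null, name, "uma", resource, scope, true, this.identity.getId(), null, first, max);
    }

    /**
     * Loads a policy of this resource server by id.
     *
     * @param policyId the policy id
     * @return the policy
     * @throws ErrorResponseException {@code 404} when no such policy exists in this resource server
     */
    private Policy getPolicy(String policyId) {
        Policy existing = this.authorization.getStoreFactory().getPolicyStore().findById(policyId, this.resourceServer.getId());
        if (existing == null) {
            throw new ErrorResponseException("invalid_request", "Policy with [" + policyId + "] does not exist", Response.Status.NOT_FOUND);
        }
        return existing;
    }

    /**
     * Authorization and consistency checks shared by all operations.
     *
     * <p>Rejects the request unless the resource exists, is owned by the caller, has
     * owner-managed access enabled and the resource server allows remote resource management.
     * When a representation is given, its scopes are defaulted to all scopes of the resource if
     * empty, must be a subset of the resource's scopes, and a condition script is only accepted
     * when the {@code UPLOAD_SCRIPTS} feature is enabled.
     *
     * @param resourceId                  id of the resource the policy belongs to
     * @param umaPermissionRepresentation the policy being created/updated, or {@code null} for
     *                                    read/delete operations
     * @throws ErrorResponseException when any check fails
     */
    private void checkRequest(String resourceId, UmaPermissionRepresentation umaPermissionRepresentation) {
        Resource resource = this.authorization.getStoreFactory().getResourceStore().findById(resourceId, this.resourceServer.getId());
        if (resource == null) {
            throw new ErrorResponseException("invalid_request", "Resource [" + resourceId + "] cannot be found", Response.Status.BAD_REQUEST);
        }
        // Compare null-safely: a resource without an owner must be rejected, not turned into an NPE (HTTP 500).
        String owner = resource.getOwner();
        if (owner == null || !owner.equals(this.identity.getId())) {
            throw new ErrorResponseException("invalid_request", "Only resource owner can access policies for resource [" + resourceId + "]", Response.Status.BAD_REQUEST);
        }
        if (!resource.isOwnerManagedAccess()) {
            throw new ErrorResponseException("invalid_request", "Only resources with owner managed accessed can have policies", Response.Status.BAD_REQUEST);
        }
        if (!this.resourceServer.isAllowRemoteResourceManagement()) {
            throw new ErrorResponseException("request_not_supported", "Remote Resource Management not enabled on resource server [" + this.resourceServer.getId() + "]", Response.Status.FORBIDDEN);
        }
        if (umaPermissionRepresentation == null) {
            return;
        }
        Set<String> resourceScopes = resource.getScopes().stream()
                .map(scope -> scope.getName())
                .collect(Collectors.toSet());
        Set<String> requestedScopes = umaPermissionRepresentation.getScopes();
        if (requestedScopes == null || requestedScopes.isEmpty()) {
            // No scopes given means "all scopes of the resource".
            requestedScopes = resourceScopes;
            umaPermissionRepresentation.setScopes(requestedScopes);
        }
        if (!resourceScopes.containsAll(requestedScopes)) {
            throw new ErrorResponseException("invalid_request", "Some of the scopes [" + requestedScopes + "] are not valid for resource [" + resourceId + "]", Response.Status.BAD_REQUEST);
        }
        if (umaPermissionRepresentation.getCondition() != null && !Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS)) {
            throw new ErrorResponseException("invalid_request", "Script upload not supported", Response.Status.BAD_REQUEST);
        }
    }

    /**
     * Resolves the id of the first resource associated with a policy.
     *
     * @param policyId the policy id
     * @return id of the policy's first associated resource
     * @throws ErrorResponseException {@code 404} when the policy does not exist, {@code 400} when it has
     *                                no associated resource (previously a NoSuchElementException / HTTP 500)
     */
    private String getAssociatedResourceId(String policyId) {
        return getPolicy(policyId).getResources().stream()
                .findFirst()
                .map(Resource::getId)
                .orElseThrow(() -> new ErrorResponseException("invalid_request", "Policy [" + policyId + "] is not associated with any resource", Response.Status.BAD_REQUEST));
    }
}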
