package org.keycloak.authorization.protection.permission;

import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.ws.rs.core.Response;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.common.KeycloakIdentity;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.protection.permission.representation.PermissionRequest;
import org.keycloak.authorization.protection.permission.representation.PermissionResponse;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.models.KeyManager;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.services.ErrorResponseException;

/* loaded from: input_file:org/keycloak/authorization/protection/permission/AbstractPermissionService.class */
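/**
 * Validates permission requests sent to the protection API and issues a signed permission ticket
 * for them.
 *
 * <p>Each {@link PermissionRequest} names a resource (by id or by name), a set of scopes, or both.
 * Requested resources are looked up in the resource store and requested scopes are checked against
 * the scopes registered for that resource; the result is packed into a {@code PermissionTicket}
 * and signed with the realm's active key.
 *
 * <p>Security-relevant behaviour of this class:
 * <ul>
 *   <li>A resource resolved by id must belong to the resource server this service was created
 *       for. The by-name lookup is already scoped to that server; the by-id lookup is not, so the
 *       owning server is compared explicitly and a foreign resource is reported as nonexistent.</li>
 *   <li>A request with a resource but {@code null} scopes, or a {@code null} entry in the request
 *       list, is handled as input validation rather than surfacing as a
 *       {@link NullPointerException}.</li>
 * </ul>
 */
public class AbstractPermissionService {
    private final AuthorizationProvider authorization;
    private final KeycloakIdentity identity;
    private final ResourceServer resourceServer;

    /**
     * @param keycloakIdentity identity of the caller; its access token is embedded in issued tickets
     * @param resourceServer resource server on whose behalf tickets are issued
     * @param authorizationProvider gives access to the stores, the session and the realm
     */
    public AbstractPermissionService(KeycloakIdentity keycloakIdentity, ResourceServer resourceServer, AuthorizationProvider authorizationProvider) {
        this.identity = keycloakIdentity;
        this.resourceServer = resourceServer;
        this.authorization = authorizationProvider;
    }

    /**
     * Verifies the requested resources and scopes and answers with a freshly signed ticket.
     *
     * @param list permission requests taken from the request body
     * @return a {@code 201 Created} response whose entity is a {@link PermissionResponse} holding the ticket
     * @throws ErrorResponseException with status 400 when the list is {@code null}, an entry is
     *     {@code null}, an entry names neither a resource nor a scope, or a named resource is not
     *     registered for this resource server
     */
    public Response create(List<PermissionRequest> list) {
        if (list == null) {
            throw new ErrorResponseException("invalid_permission_request", "Invalid permission request.", Response.Status.BAD_REQUEST);
        }
        List<ResourceRepresentation> verifiedResources = verifyRequestedResource(list);
        String ticket = createPermissionTicket(verifiedResources);
        return Response.status(Response.Status.CREATED).entity(new PermissionResponse(ticket)).build();
    }

    /**
     * Resolves every request to the representation that goes into the ticket.
     *
     * <p>Three shapes are produced: resource name plus verified scopes, scopes only (no resource
     * was named), or a scope-only fallback when a resource was named but none of the requested
     * scopes is registered for it.
     */
    private List<ResourceRepresentation> verifyRequestedResource(List<PermissionRequest> list) {
        StoreFactory storeFactory = this.authorization.getStoreFactory();
        return list.stream().map(permissionRequest -> {
            // A JSON array may contain null entries; reject them as malformed input.
            if (permissionRequest == null) {
                throw new ErrorResponseException("invalid_permission_request", "Invalid permission request.", Response.Status.BAD_REQUEST);
            }
            String resourceSetId = permissionRequest.getResourceSetId();
            String resourceSetName = permissionRequest.getResourceSetName();
            Set<String> requestedScopes = requestedScopes(permissionRequest);
            boolean scopeOnly = resourceSetId == null && resourceSetName == null;
            if (scopeOnly && requestedScopes.isEmpty()) {
                throw new ErrorResponseException("invalid_resource_set_id", "Resource id or name not provided.", Response.Status.BAD_REQUEST);
            }

            Resource resource = null;
            if (!scopeOnly) {
                resource = resourceSetId != null
                        ? storeFactory.getResourceStore().findById(resourceSetId)
                        : storeFactory.getResourceStore().findByName(resourceSetName, this.resourceServer.getId());
                // findById takes no resource-server argument, so an id registered under a different
                // resource server would resolve here. Treat it exactly like an unknown id.
                if (resource != null && !belongsToThisResourceServer(resource)) {
                    resource = null;
                }
                if (resource == null) {
                    // The messages echo the caller-supplied id/name back in the error description.
                    if (resourceSetId != null) {
                        throw new ErrorResponseException("nonexistent_resource_set_id", "Resource set with id[" + resourceSetId + "] does not exists in this server.", Response.Status.BAD_REQUEST);
                    }
                    throw new ErrorResponseException("nonexistent_resource_set_name", "Resource set with name[" + resourceSetName + "] does not exists in this server.", Response.Status.BAD_REQUEST);
                }
            }

            Set<ScopeRepresentation> verifiedScopes = verifyRequestedScopes(permissionRequest, resource);
            if (resource == null) {
                return new ResourceRepresentation((String) null, verifiedScopes);
            }
            if (verifiedScopes.isEmpty() && !requestedScopes.isEmpty()) {
                // NOTE(review): none of the requested scopes is registered for the resource, so the
                // entry is downgraded to a scope-only one carrying the requested names as sent and
                // no resource name. Whatever evaluates the ticket must not assume these scopes
                // were validated against the resource here.
                Set<ScopeRepresentation> unverifiedScopes = requestedScopes.stream().map(ScopeRepresentation::new).collect(Collectors.toSet());
                return new ResourceRepresentation((String) null, unverifiedScopes);
            }
            return new ResourceRepresentation(resource.getName(), verifiedScopes);
        }).collect(Collectors.toList());
    }

    /**
     * Keeps the requested scopes that are registered for {@code resource}; scopes that are not are
     * dropped silently. When {@code resource} is {@code null} every requested scope is kept, since
     * there is nothing to check it against.
     */
    private Set<ScopeRepresentation> verifyRequestedScopes(PermissionRequest permissionRequest, Resource resource) {
        return requestedScopes(permissionRequest).stream()
                .filter(scopeName -> resource == null || isScopeRegistered(resource, scopeName))
                .map(ScopeRepresentation::new)
                .collect(Collectors.toSet());
    }

    /** Returns the scopes of a request, mapping a missing ({@code null}) scope set to an empty one. */
    private static Set<String> requestedScopes(PermissionRequest permissionRequest) {
        Set<String> scopes = permissionRequest.getScopes();
        return scopes != null ? scopes : Collections.<String>emptySet();
    }

    /** Tells whether {@code resource} is registered under the resource server this service acts for. */
    private boolean belongsToThisResourceServer(Resource resource) {
        ResourceServer owningServer = resource.getResourceServer();
        return owningServer != null && this.resourceServer.getId().equals(owningServer.getId());
    }

    /**
     * Tells whether {@code scopeName} is attached to {@code resource} itself or to a resource of
     * the same type that is owned by the resource server's own client.
     */
    private boolean isScopeRegistered(Resource resource, String scopeName) {
        if (hasScope(resource, scopeName)) {
            return true;
        }
        // NOTE(review): findByType is not given a resource-server id; the owner comparison below is
        // the only thing tying the typed resources to this resource's server. Confirm against the store.
        for (Resource typedResource : this.authorization.getStoreFactory().getResourceStore().findByType(resource.getType())) {
            if (typedResource.getOwner().equals(resource.getResourceServer().getClientId()) && hasScope(typedResource, scopeName)) {
                return true;
            }
        }
        return false;
    }

    /** Tells whether a scope named {@code scopeName} is attached directly to {@code resource}. */
    private static boolean hasScope(Resource resource, String scopeName) {
        for (Scope scope : resource.getScopes()) {
            if (scope.getName().equals(scopeName)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Serializes the verified resources into a permission ticket and signs it with the realm's
     * active key.
     *
     * <p>The ticket carries the caller's access token next to the resource list. The builder call
     * used here signs the content; nothing in this method encrypts it.
     * NOTE(review): confirm that exposing the embedded token to every holder of the ticket is intended.
     */
    private String createPermissionTicket(List<ResourceRepresentation> list) {
        KeyManager.ActiveKey activeKey = this.authorization.getKeycloakSession().keys().getActiveKey(this.authorization.getRealm());
        PermissionTicket ticket = new PermissionTicket(list, this.resourceServer.getId(), this.identity.getAccessToken());
        return new JWSBuilder().kid(activeKey.getKid()).jsonContent(ticket).rsa256(activeKey.getPrivateKey());
    }
}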
