package org.keycloak.authorization.util;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.ws.rs.core.Response;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.Decision;
import org.keycloak.authorization.identity.Identity;
import org.keycloak.authorization.model.PermissionTicket;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.Result;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.services.ErrorResponseException;

/* loaded from: input_file:org/keycloak/authorization/util/Permissions.class */
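/**
 * Static helpers that build {@link ResourcePermission} requests and turn policy evaluation
 * {@link Result}s into the {@link Permission} representations that are granted to a caller.
 *
 * <p>Everything here feeds an authorization decision, so the order in which scopes are granted,
 * removed and re-added in {@link #permits(List, AuthorizationRequest.Metadata, AuthorizationProvider, ResourceServer)}
 * is significant and should not be rearranged without re-checking the allow/deny outcome.
 */
public final class Permissions {

    /**
     * Builds a single-element list holding a permission for {@code resource} limited to {@code scope}.
     *
     * @param resourceServer the resource server the permission belongs to
     * @param resource the resource being requested
     * @param scope the only scope attached to the permission
     * @return a fixed-size list (backed by {@link Arrays#asList}) with exactly one permission
     */
    public static List<ResourcePermission> permission(ResourceServer resourceServer, Resource resource, Scope scope) {
        return Arrays.asList(new ResourcePermission(resource, Arrays.asList(scope), resourceServer));
    }

    /**
     * Collects a permission request for every resource the identity could hold a permission on:
     * resources owned by the resource server itself, resources owned by the identity, and
     * resources for which the identity holds a granted permission ticket.
     *
     * <p>The result is only a list of candidates; nothing is granted here.
     *
     * @param resourceServer the resource server whose resources are listed
     * @param identity the identity whose owned and ticketed resources are added
     * @param authorizationProvider gives access to the resource and permission ticket stores
     * @param authorizationRequest source of the claims copied onto each permission
     * @return a new mutable list of permissions
     */
    public static List<ResourcePermission> all(ResourceServer resourceServer, Identity identity, AuthorizationProvider authorizationProvider, AuthorizationRequest authorizationRequest) {
        List<ResourcePermission> permissions = new ArrayList<>();
        StoreFactory storeFactory = authorizationProvider.getStoreFactory();
        ResourceStore resourceStore = storeFactory.getResourceStore();
        String resourceServerId = resourceServer.getId();

        // Resources owned by the resource server itself (owner id == resource server id).
        for (Resource serverOwned : resourceStore.findByOwner(resourceServerId, resourceServerId)) {
            permissions.addAll(createResourcePermissionsWithScopes(serverOwned, new LinkedList<Scope>(serverOwned.getScopes()), authorizationProvider, authorizationRequest));
        }

        // Resources owned by the requesting identity.
        for (Resource identityOwned : resourceStore.findByOwner(identity.getId(), resourceServerId)) {
            permissions.addAll(createResourcePermissionsWithScopes(identityOwned, new LinkedList<Scope>(identityOwned.getScopes()), authorizationProvider, authorizationRequest));
        }

        // One permission per resource that has a granted ticket for this identity. The permission
        // starts with an empty scope list; the scopes of the tickets are not copied here.
        Map<String, ResourcePermission> ticketPermissions = new HashMap<>();
        for (PermissionTicket ticket : storeFactory.getPermissionTicketStore().findGranted(identity.getId(), resourceServerId)) {
            Resource ticketResource = ticket.getResource();
            ticketPermissions.computeIfAbsent(ticketResource.getId(),
                    id -> new ResourcePermission(ticketResource, new ArrayList<Scope>(), resourceServer, authorizationRequest.getClaims()));
        }
        permissions.addAll(ticketPermissions.values());
        return permissions;
    }

    /**
     * Builds the permission request for {@code resource}.
     *
     * <p>When {@code set} is empty, the permission carries the resource's own scopes plus the
     * scopes of same-typed resources owned by the resource server. Otherwise each requested name
     * is resolved through the scope store of the resource's resource server.
     *
     * <p>NOTE(review): a requested scope is only looked up by name within the resource server;
     * this method does not check that the scope is attached to {@code resource}. Whether such a
     * scope is granted is left to the policy evaluation that follows.
     *
     * @param resource the resource being requested
     * @param set requested scope names; empty means "all scopes of the resource"
     * @param authorizationProvider gives access to the resource and scope stores
     * @param authorizationRequest source of the claims copied onto the permission
     * @return the permission request
     * @throws ErrorResponseException with {@code invalid_scope} (HTTP 400) when a requested name
     *         does not resolve to a scope
     */
    public static ResourcePermission createResourcePermissions(Resource resource, Set<String> set, AuthorizationProvider authorizationProvider, AuthorizationRequest authorizationRequest) {
        List<Scope> scopes;
        if (set.isEmpty()) {
            scopes = new LinkedList<Scope>(resource.getScopes());
            addScopesFromTypedResources(resource, scopes, authorizationProvider);
        } else {
            ScopeStore scopeStore = authorizationProvider.getStoreFactory().getScopeStore();
            String resourceServerId = resource.getResourceServer().getId();
            scopes = set.stream().map(scopeName -> {
                Scope scope = scopeStore.findByName(scopeName, resourceServerId);
                if (scope == null) {
                    throw new ErrorResponseException("invalid_scope", "Invalid scope [" + scopeName + "].", Response.Status.BAD_REQUEST);
                }
                return scope;
            }).collect(Collectors.toList());
        }
        return new ResourcePermission(resource, scopes, resource.getResourceServer(), authorizationRequest.getClaims());
    }

    /**
     * Builds a single-element list with the permission request for {@code resource} and the given
     * scopes, extended with the scopes of same-typed resources owned by the resource server.
     *
     * <p>{@code list} is modified in place (scopes may be appended) and is handed to the returned
     * permission as-is, so callers must pass a mutable list they do not share.
     *
     * @param resource the resource being requested
     * @param list the scopes to request; mutated by this method
     * @param authorizationProvider gives access to the resource store
     * @param authorizationRequest source of the claims copied onto the permission
     * @return a new mutable list with exactly one permission
     */
    public static List<ResourcePermission> createResourcePermissionsWithScopes(Resource resource, List<Scope> list, AuthorizationProvider authorizationProvider, AuthorizationRequest authorizationRequest) {
        addScopesFromTypedResources(resource, list, authorizationProvider);
        List<ResourcePermission> permissions = new ArrayList<>();
        permissions.add(new ResourcePermission(resource, list, resource.getResourceServer(), authorizationRequest.getClaims()));
        return permissions;
    }

    /**
     * Appends to {@code scopes} every scope of the resources that share {@code resource}'s type
     * and are owned by the resource server, skipping scopes already present.
     *
     * <p>Nothing is added when the resource has no type or is itself owned by the resource server.
     */
    private static void addScopesFromTypedResources(Resource resource, List<Scope> scopes, AuthorizationProvider authorizationProvider) {
        String type = resource.getType();
        ResourceServer resourceServer = resource.getResourceServer();
        if (type == null || resource.getOwner().equals(resourceServer.getId())) {
            return;
        }
        authorizationProvider.getStoreFactory().getResourceStore().findByType(type, resourceServer.getId()).forEach(typedResource -> {
            // Only resources owned by the resource server contribute scopes.
            if (typedResource.getOwner().equals(resourceServer.getId())) {
                for (Scope scope : typedResource.getScopes()) {
                    if (!scopes.contains(scope)) {
                        scopes.add(scope);
                    }
                }
            }
        });
    }

    /**
     * Same as {@link #permits(List, AuthorizationRequest.Metadata, AuthorizationProvider, ResourceServer)}
     * with no request metadata, so resource names are always included.
     */
    public static List<Permission> permits(List<Result> list, AuthorizationProvider authorizationProvider, ResourceServer resourceServer) {
        return permits(list, null, authorizationProvider, resourceServer);
    }

    /**
     * Decides each evaluation result and returns the permissions that are granted.
     *
     * <p>For every {@link Result} this method sets the result status to PERMIT or DENY, rewrites
     * the scopes of the result's {@link ResourcePermission} to the granted scopes (only when at
     * least one policy was evaluated), and records granted permissions keyed by resource id.
     *
     * <p>Decision rules, as implemented below:
     * <ul>
     *   <li>all policies permit: PERMIT;</li>
     *   <li>all policies deny, or a {@code resource} policy denied, or some scope was denied and
     *       no scope is left granted: DENY;</li>
     *   <li>otherwise: PERMIT with the remaining granted scopes.</li>
     * </ul>
     *
     * <p>NOTE(review): a result with no policy results at all has a denied count of zero and is
     * therefore granted with its scopes untouched. Presumably such results are filtered by the
     * caller before this method runs; confirm against the caller.
     *
     * @param list the evaluation results to decide; their status and permission scopes are mutated
     * @param metadata optional request metadata controlling whether resource names are returned
     * @param authorizationProvider gives access to the resource store
     * @param resourceServer the resource server used to look up resources by scope
     * @return the granted permissions in the order they were first granted
     */
    public static List<Permission> permits(List<Result> list, AuthorizationRequest.Metadata metadata, AuthorizationProvider authorizationProvider, ResourceServer resourceServer) {
        Map<String, Permission> granted = new LinkedHashMap<>();
        for (Result result : list) {
            Set<Scope> deniedScopes = new HashSet<>();
            Set<Scope> grantedScopes = new HashSet<>();
            boolean resourceDenied = false;
            ResourcePermission permission = result.getPermission();
            List<Result.PolicyResult> results = result.getResults();
            List<Result.PolicyResult> ownerGrants = new ArrayList<>();
            // Starts at the number of policies and is decremented for each permitting one.
            int deniedCount = results.size();
            // May be null: grantPermission below handles permissions that carry only scopes.
            Resource resource = permission.getResource();

            for (Result.PolicyResult policyResult : results) {
                Policy policy = policyResult.getPolicy();
                Set<Scope> policyScopes = policy.getScopes();
                if (Decision.Effect.PERMIT.equals(policyResult.getStatus())) {
                    if (isScopePermission(policy)) {
                        // A scope permission grants only the requested scopes it covers.
                        for (Scope scope : permission.getScopes()) {
                            if (policyScopes.contains(scope)) {
                                grantedScopes.add(scope);
                            }
                        }
                    } else if (isResourcePermission(policy)) {
                        // A resource permission grants every requested scope; denied scopes are
                        // removed after the loop.
                        grantedScopes.addAll(permission.getScopes());
                    }
                    // Null check added: without it a scope-only permission would fail with a
                    // NullPointerException here instead of being decided.
                    if (resource != null && resource.isOwnerManagedAccess() && "uma".equals(policy.getType())) {
                        ownerGrants.add(policyResult);
                    }
                    deniedCount--;
                } else if (isScopePermission(policy)) {
                    deniedScopes.addAll(policyScopes);
                } else if (isResourcePermission(policy)) {
                    resourceDenied = true;
                    // With no resource there are no resource scopes to deny; the flag alone
                    // already forces DENY below.
                    if (resource != null) {
                        deniedScopes.addAll(resource.getScopes());
                    }
                }
            }

            if (!deniedScopes.isEmpty()) {
                grantedScopes.removeAll(deniedScopes);
            }

            // Security-relevant ordering: scopes of permitting "uma" policies on an owner-managed
            // resource are added back AFTER the denied scopes were removed, and they clear the
            // resource-level deny. An owner grant therefore overrides a denying resource or scope
            // permission. NOTE(review): confirm this precedence is intended.
            for (Result.PolicyResult ownerGrant : ownerGrants) {
                grantedScopes.addAll(ownerGrant.getPolicy().getScopes());
                resourceDenied = false;
            }

            if (!results.isEmpty()) {
                // Narrow the permission to what was actually granted.
                permission.getScopes().clear();
                permission.getScopes().addAll(grantedScopes);
            }

            if (deniedCount == 0) {
                result.setStatus(Decision.Effect.PERMIT);
                grantPermission(authorizationProvider, granted, permission, resourceServer, metadata);
            } else if (deniedCount == results.size() || resourceDenied || (!deniedScopes.isEmpty() && grantedScopes.isEmpty())) {
                result.setStatus(Decision.Effect.DENY);
            } else {
                result.setStatus(Decision.Effect.PERMIT);
                grantPermission(authorizationProvider, granted, permission, resourceServer, metadata);
            }
        }
        return new ArrayList<>(granted.values());
    }

    /** Returns whether the policy's type is {@code "resource"}. */
    private static boolean isResourcePermission(Policy policy) {
        return "resource".equals(policy.getType());
    }

    /** Returns whether the policy's type is {@code "scope"}. */
    private static boolean isScopePermission(Policy policy) {
        return "scope".equals(policy.getType());
    }

    /**
     * Records {@code resourcePermission} as granted in {@code map}.
     *
     * <p>When the permission names a resource, that resource is granted. When it does not, every
     * resource associated with the permission's scopes is granted instead. When no resource is
     * found, a resource-less permission holding only the scope names is stored under its
     * {@code toString()} value. Scope names are merged into an entry that already exists for the
     * same resource id.
     *
     * @param authorizationProvider gives access to the resource store
     * @param map granted permissions keyed by resource id; mutated by this method
     * @param resourcePermission the permission that was permitted
     * @param resourceServer the resource server used for the lookup by scope
     * @param metadata optional request metadata; when present it decides whether the resource
     *        name is included
     */
    private static void grantPermission(AuthorizationProvider authorizationProvider, Map<String, Permission> map, ResourcePermission resourcePermission, ResourceServer resourceServer, AuthorizationRequest.Metadata metadata) {
        List<Resource> resources = new ArrayList<>();
        Resource resource = resourcePermission.getResource();
        List<Scope> permittedScopes = resourcePermission.getScopes();
        Set<String> scopeNames = permittedScopes.stream().map(Scope::getName).collect(Collectors.toSet());

        if (resource != null) {
            resources.add(resource);
        } else if (!permittedScopes.isEmpty()) {
            List<String> scopeIds = permittedScopes.stream().map(Scope::getId).collect(Collectors.toList());
            resources.addAll(authorizationProvider.getStoreFactory().getResourceStore().findByScope(scopeIds, resourceServer.getId()));
        }

        if (resources.isEmpty()) {
            Permission scopeOnly = new Permission((String) null, (String) null, scopeNames, resourcePermission.getClaims());
            map.put(scopeOnly.toString(), scopeOnly);
            return;
        }

        for (Resource grantedResource : resources) {
            String id = grantedResource.getId();
            // NOTE(review): unboxing throws if getIncludeResourceName() can return null; confirm
            // that Metadata always supplies a value.
            String name = (metadata == null || metadata.getIncludeResourceName().booleanValue()) ? grantedResource.getName() : null;
            Permission entry = map.get(id);
            if (entry == null) {
                // Each entry gets its own copy of the scope names. Whether Permission copies the
                // set is not visible here; if it keeps the reference, sharing one set across the
                // resources of this loop would let a later merge widen unrelated entries.
                entry = new Permission(id, name, new HashSet<>(scopeNames), resourcePermission.getClaims());
                map.put(id, entry);
            }
            if (!scopeNames.isEmpty()) {
                Set<String> entryScopes = entry.getScopes();
                if (entryScopes == null) {
                    entryScopes = new HashSet<>();
                    entry.setScopes(entryScopes);
                }
                for (String scopeName : scopeNames) {
                    if (!entryScopes.contains(scopeName)) {
                        entryScopes.add(scopeName);
                    }
                }
            }
        }
    }
}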
