package org.keycloak.authorization.policy.evaluation;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.Decision;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.representations.idm.authorization.PolicyEnforcementMode;

/* loaded from: input_file:org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.class */
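/**
 * Evaluates the policies that apply to a {@link ResourcePermission} and reports each outcome to a
 * {@link Decision}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@code PolicyEnforcementMode.DISABLED} grants every permission without consulting any policy.</li>
 *   <li>{@code PolicyEnforcementMode.PERMISSIVE} grants a permission when no policy was evaluated for it.</li>
 *   <li>A policy whose type has no registered provider aborts the evaluation with a
 *       {@link RuntimeException} instead of being skipped.</li>
 * </ul>
 */
public class DefaultPolicyEvaluator implements PolicyEvaluator {
    private final AuthorizationProvider authorization;
    // Provider factories keyed by PolicyProviderFactory#getId(); looked up by Policy#getType().
    private final Map<String, PolicyProviderFactory> policyProviders = new HashMap<>();

    /**
     * Creates an evaluator backed by the given authorization provider.
     *
     * @param authorizationProvider used to reach the policy and resource stores
     * @param list the available policy provider factories; when two factories report the same id,
     *     the later one in the list replaces the earlier one
     */
    public DefaultPolicyEvaluator(AuthorizationProvider authorizationProvider, List<PolicyProviderFactory> list) {
        this.authorization = authorizationProvider;
        for (PolicyProviderFactory factory : list) {
            this.policyProviders.put(factory.getId(), factory);
        }
    }

    /**
     * Collects the policies associated with the permission's resource, resource type and scopes and
     * evaluates each of them.
     *
     * <p>Policies are looked up by resource id, by resource type, and by scope id. No
     * de-duplication happens here, so a policy returned by more than one lookup is evaluated once
     * per hit.
     *
     * @param resourcePermission the permission being requested
     * @param evaluationContext the context handed to every evaluation
     * @param decision receives the result of every evaluation
     * @throws RuntimeException if an associated policy has a type with no usable provider
     */
    @Override
    public void evaluate(ResourcePermission resourcePermission, EvaluationContext evaluationContext, Decision decision) {
        ResourceServer resourceServer = resourcePermission.getResourceServer();

        // Enforcement disabled: grant unconditionally, no policy is looked up or evaluated.
        if (PolicyEnforcementMode.DISABLED.equals(resourceServer.getPolicyEnforcementMode())) {
            createEvaluation(resourcePermission, evaluationContext, decision, null, null).grant();
            return;
        }

        PolicyStore policyStore = this.authorization.getStoreFactory().getPolicyStore();
        AtomicInteger evaluatedCount = new AtomicInteger(0);
        Consumer<Policy> evaluatePolicy =
                createDecisionConsumer(resourcePermission, evaluationContext, decision, evaluatedCount);

        Resource resource = resourcePermission.getResource();
        if (resource != null) {
            policyStore.findByResource(resource.getId()).forEach(evaluatePolicy);

            if (resource.getType() != null) {
                policyStore.findByResourceType(resource.getType(), resourceServer.getId()).forEach(evaluatePolicy);
            }

            // No scopes requested explicitly: fall back to the scopes declared on the resource.
            if (resourcePermission.getScopes().isEmpty() && !resource.getScopes().isEmpty()) {
                policyStore.findByScopeIds(
                        resource.getScopes().stream().map(Scope::getId).collect(Collectors.toList()),
                        resourceServer.getId()).forEach(evaluatePolicy);
            }
        }

        if (!resourcePermission.getScopes().isEmpty()) {
            policyStore.findByScopeIds(
                    resourcePermission.getScopes().stream().map(Scope::getId).collect(Collectors.toList()),
                    resourceServer.getId()).forEach(evaluatePolicy);
        }

        // Permissive mode grants only when nothing at all was evaluated; a policy that was skipped
        // by hasRequestedScopes does not count as evaluated.
        if (PolicyEnforcementMode.PERMISSIVE.equals(resourceServer.getPolicyEnforcementMode())
                && evaluatedCount.get() == 0) {
            createEvaluation(resourcePermission, evaluationContext, decision, null, null).grant();
        }
    }

    /**
     * Builds the callback that evaluates every policy associated with a matching policy.
     *
     * <p>NOTE(review): the decompiled listing gave the lambda parameter and the loop variable the
     * same name, which does not compile. The split into {@code parentPolicy} (the policy returned by
     * the store) and {@code associatedPolicy} (each entry of {@code getAssociatedPolicies()}) is
     * inferred from the loop structure and the existing error text; confirm it, and the argument
     * order passed to {@code createEvaluation}, against the upstream source.
     *
     * @param atomicInteger incremented once per associated policy that was evaluated
     */
    private Consumer<Policy> createDecisionConsumer(ResourcePermission resourcePermission, EvaluationContext evaluationContext, Decision decision, AtomicInteger atomicInteger) {
        return parentPolicy -> {
            if (!hasRequestedScopes(resourcePermission, parentPolicy)) {
                return;
            }
            for (Policy associatedPolicy : parentPolicy.getAssociatedPolicies()) {
                PolicyProviderFactory factory = this.policyProviders.get(associatedPolicy.getType());
                if (factory == null) {
                    // Abort rather than skip: silently ignoring a policy could widen access.
                    throw new RuntimeException("Could not find a policy provider for policy type [" + associatedPolicy.getType() + "].");
                }
                PolicyProvider provider = factory.create(associatedPolicy, this.authorization);
                if (provider == null) {
                    throw new RuntimeException("Unknown parentPolicy provider for type [" + associatedPolicy.getType() + "].");
                }
                DefaultEvaluation evaluation =
                        createEvaluation(resourcePermission, evaluationContext, decision, parentPolicy, associatedPolicy);
                provider.evaluate(evaluation);
                // Presumably records a deny when the provider neither granted nor denied;
                // confirm in DefaultEvaluation.
                evaluation.denyIfNoEffect();
                atomicInteger.incrementAndGet();
            }
        };
    }

    /**
     * Creates the evaluation object handed to a policy provider.
     *
     * <p>Both policy arguments are {@code null} for the unconditional grants issued by
     * {@link #evaluate}.
     */
    private DefaultEvaluation createEvaluation(ResourcePermission resourcePermission, EvaluationContext evaluationContext, Decision decision, Policy parentPolicy, Policy policy) {
        return new DefaultEvaluation(resourcePermission, evaluationContext, parentPolicy, policy, decision);
    }

    /**
     * Tells whether the policy covers at least one scope requested by the permission.
     *
     * <p>A permission without scopes matches every policy. Otherwise the policy's scopes are taken
     * from the policy itself, then from its resources, then from resources of the requested
     * resource's type that are owned by the resource server's client.
     *
     * @return {@code true} if the permission requests no scopes or shares a scope id with the policy
     */
    private boolean hasRequestedScopes(ResourcePermission resourcePermission, Policy policy) {
        if (resourcePermission.getScopes().isEmpty()) {
            return true;
        }

        HashSet<Scope> policyScopes = new HashSet<>(policy.getScopes());
        if (policyScopes.isEmpty()) {
            HashSet<Resource> policyResources = new HashSet<>(policy.getResources());
            for (Resource policyResource : policyResources) {
                policyScopes.addAll(policyResource.getScopes());
            }
            // The policy names resources, none of which has scopes: it cannot match a scoped request.
            if (!policyResources.isEmpty() && policyScopes.isEmpty()) {
                return false;
            }
            if (policyScopes.isEmpty()) {
                // evaluate() accepts a permission without a resource, so guard the dereference;
                // with no resource there is no type to expand and the policy does not match.
                Resource requested = resourcePermission.getResource();
                String type = requested == null ? null : requested.getType();
                if (type != null) {
                    for (Resource candidate : this.authorization.getStoreFactory().getResourceStore().findByType(type)) {
                        // Only resources owned by the resource server's own client are considered.
                        if (candidate.getOwner().equals(requested.getResourceServer().getClientId())) {
                            policyResources.add(candidate);
                        }
                    }
                }
            }
            for (Resource policyResource : policyResources) {
                policyScopes.addAll(policyResource.getScopes());
            }
        }

        for (Scope policyScope : policyScopes) {
            for (Scope requestedScope : resourcePermission.getScopes()) {
                if (policyScope.getId().equals(requestedScope.getId())) {
                    return true;
                }
            }
        }
        return false;
    }
}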
