package org.keycloak.services.resources.admin.permissions;

import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Predicate;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.common.ClientModelIdentity;
import org.keycloak.authorization.common.DefaultEvaluationContext;
import org.keycloak.authorization.common.UserModelIdentity;
import org.keycloak.authorization.identity.Identity;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.EvaluationContext;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.ImpersonationConstants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.UserModel;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.services.ForbiddenException;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/keycloak/services/resources/admin/permissions/UserPermissions.class */
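/**
 * Fine-grained admin permission evaluation and management for the realm's {@code Users} resource.
 *
 * <p>The {@code canXxx} evaluators first consult the classic admin roles through
 * {@code root.hasOneAdminRole(...)}; only if that fails, and only while {@code root.isAdminSameRealm()}
 * holds, do they fall back to policy evaluation against the realm resource server. The
 * {@code requireXxx} variants throw {@link ForbiddenException} when the matching evaluator denies.
 *
 * <p>The management side creates, looks up and deletes the resource, its scopes and the six
 * scope permissions ({@code manage}, {@code view}, {@code map-roles}, {@code manage-group-membership},
 * {@code impersonate}, {@code user-impersonated}) that back the evaluation.
 */
public class UserPermissions implements UserPermissionEvaluator, UserPermissionManagement {
    private static final String MAP_ROLES_SCOPE = "map-roles";
    private static final String IMPERSONATE_SCOPE = "impersonate";
    private static final String USER_IMPERSONATED_SCOPE = "user-impersonated";
    private static final String MANAGE_GROUP_MEMBERSHIP_SCOPE = "manage-group-membership";
    private static final String MAP_ROLES_PERMISSION_USERS = "map-roles.permission.users";
    private static final String ADMIN_IMPERSONATING_PERMISSION = "admin-impersonating.permission.users";
    private static final String USER_IMPERSONATED_PERMISSION = "user-impersonated.permission.users";
    private static final String MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS = "manage-group-membership.permission.users";
    private static final String MANAGE_PERMISSION_USERS = "manage.permission.users";
    private static final String VIEW_PERMISSION_USERS = "view.permission.users";
    private static final String USERS_RESOURCE = "Users";

    private final KeycloakSession session;
    private final AuthorizationProvider authz;
    private final MgmtPermissions root;
    private final PolicyStore policyStore;
    private final ResourceStore resourceStore;
    // Opt-in fallback used by hasPermission when the Users resource has not been created;
    // see that method for the exact conditions under which it grants.
    private boolean grantIfNoPermission = false;

    /**
     * Creates an evaluator bound to the given session and realm-level permission root.
     *
     * @param keycloakSession       current session
     * @param authorizationProvider provider whose store factory supplies the policy and resource stores
     * @param mgmtPermissions       realm-level root that owns the resource server, default scopes and identity
     * @throws NullPointerException if any argument is {@code null}
     */
    public UserPermissions(KeycloakSession keycloakSession, AuthorizationProvider authorizationProvider, MgmtPermissions mgmtPermissions) {
        this.session = Objects.requireNonNull(keycloakSession, "keycloakSession");
        this.authz = Objects.requireNonNull(authorizationProvider, "authorizationProvider");
        this.root = Objects.requireNonNull(mgmtPermissions, "mgmtPermissions");
        this.policyStore = authorizationProvider.getStoreFactory().getPolicyStore();
        this.resourceStore = authorizationProvider.getStoreFactory().getResourceStore();
    }

    /**
     * Ensures the realm resource server, the {@code Users} resource with all of its scopes, and the
     * six empty scope permissions exist. Idempotent: anything already present is left untouched.
     */
    private void initialize() {
        root.initializeRealmResourceServer();
        root.initializeRealmDefaultScopes();
        ResourceServer server = root.realmResourceServer();
        Scope manageScope = root.realmManageScope();
        Scope viewScope = root.realmViewScope();
        Scope mapRolesScope = root.initializeRealmScope(MAP_ROLES_SCOPE);
        Scope impersonateScope = root.initializeRealmScope(IMPERSONATE_SCOPE);
        Scope userImpersonatedScope = root.initializeRealmScope(USER_IMPERSONATED_SCOPE);
        Scope manageGroupMembershipScope = root.initializeRealmScope(MANAGE_GROUP_MEMBERSHIP_SCOPE);

        Resource usersResource = resourceStore.findByName(USERS_RESOURCE, server.getId());
        if (usersResource == null) {
            usersResource = resourceStore.create(USERS_RESOURCE, server, server.getId());
            Set<Scope> scopes = new HashSet<>(Arrays.asList(
                    manageScope, viewScope, mapRolesScope, impersonateScope,
                    manageGroupMembershipScope, userImpersonatedScope));
            usersResource.updateScopes(scopes);
        }

        ensureScopePermission(server, MANAGE_PERMISSION_USERS, usersResource, manageScope);
        ensureScopePermission(server, VIEW_PERMISSION_USERS, usersResource, viewScope);
        ensureScopePermission(server, MAP_ROLES_PERMISSION_USERS, usersResource, mapRolesScope);
        ensureScopePermission(server, MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS, usersResource, manageGroupMembershipScope);
        ensureScopePermission(server, ADMIN_IMPERSONATING_PERMISSION, usersResource, impersonateScope);
        ensureScopePermission(server, USER_IMPERSONATED_PERMISSION, usersResource, userImpersonatedScope);
    }

    /** Adds an empty scope permission named {@code name} for {@code scope} on {@code resource} unless one already exists. */
    private void ensureScopePermission(ResourceServer server, String name, Resource resource, Scope scope) {
        if (policyStore.findByName(name, server.getId()) == null) {
            Helper.addEmptyScopePermission(authz, server, name, resource, scope);
        }
    }

    /**
     * Initializes the permission setup if needed and returns scope name to policy id, in a fixed order.
     *
     * @return insertion-ordered map of scope name to the id of its permission policy
     */
    @Override
    public Map<String, String> getPermissions() {
        initialize();
        Map<String, String> permissions = new LinkedHashMap<>();
        permissions.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission().getId());
        permissions.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission().getId());
        permissions.put(MAP_ROLES_SCOPE, mapRolesPermission().getId());
        permissions.put(MANAGE_GROUP_MEMBERSHIP_SCOPE, manageGroupMembershipPermission().getId());
        permissions.put(IMPERSONATE_SCOPE, adminImpersonatingPermission().getId());
        permissions.put(USER_IMPERSONATED_SCOPE, userImpersonatedPermission().getId());
        return permissions;
    }

    /**
     * @return {@code true} when a realm resource server, the {@code Users} resource and the manage
     *         permission policy all exist
     */
    @Override
    public boolean isPermissionsEnabled() {
        ResourceServer server = root.realmResourceServer();
        return server != null
                && resourceStore.findByName(USERS_RESOURCE, server.getId()) != null
                && managePermission() != null;
    }

    /**
     * Creates the full permission setup when {@code enabled} is true, otherwise deletes it.
     *
     * @param enabled whether fine-grained user permissions should exist after this call
     */
    @Override
    public void setPermissionsEnabled(boolean enabled) {
        if (enabled) {
            initialize();
        } else {
            deletePermissionSetup();
        }
    }

    /** @return {@code true} if the admin holds the {@code manage-users} admin role. */
    public boolean canManageDefault() {
        return root.hasOneAdminRole(AdminRoles.MANAGE_USERS);
    }

    /** @return the {@code Users} resource, or {@code null} if the realm has no resource server or no such resource */
    @Override
    public Resource resource() {
        ResourceServer server = root.realmResourceServer();
        if (server == null) {
            return null;
        }
        return resourceStore.findByName(USERS_RESOURCE, server.getId());
    }

    /** Looks up a permission policy by name on the realm resource server; {@code null} if absent. */
    private Policy findPermission(String name) {
        // Callers are expected to have a resource server; realmResourceServer() is dereferenced as-is.
        return policyStore.findByName(name, root.realmResourceServer().getId());
    }

    @Override
    public Policy managePermission() {
        return findPermission(MANAGE_PERMISSION_USERS);
    }

    @Override
    public Policy viewPermission() {
        return findPermission(VIEW_PERMISSION_USERS);
    }

    @Override
    public Policy manageGroupMembershipPermission() {
        return findPermission(MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS);
    }

    @Override
    public Policy mapRolesPermission() {
        return findPermission(MAP_ROLES_PERMISSION_USERS);
    }

    @Override
    public Policy adminImpersonatingPermission() {
        return findPermission(ADMIN_IMPERSONATING_PERMISSION);
    }

    @Override
    public Policy userImpersonatedPermission() {
        return findPermission(USER_IMPERSONATED_PERMISSION);
    }

    /**
     * @return {@code true} via the manage-users admin role, or, for a same-realm admin, via a granted
     *         {@code manage} scope on the {@code Users} resource
     */
    @Override
    public boolean canManage() {
        if (canManageDefault()) {
            return true;
        }
        if (!root.isAdminSameRealm()) {
            return false;
        }
        return hasPermission(AdminPermissionManagement.MANAGE_SCOPE);
    }

    /** @throws ForbiddenException if {@link #canManage()} is false */
    @Override
    public void requireManage() {
        if (!canManage()) {
            throw new ForbiddenException();
        }
    }

    /**
     * @return {@link #canManage()}, or whether the admin may manage members of any group (or ancestor
     *         group) the user belongs to
     */
    @Override
    public boolean canManage(UserModel userModel) {
        return canManage() || canManageByGroup(userModel);
    }

    /** @throws ForbiddenException if {@link #canManage(UserModel)} is false */
    @Override
    public void requireManage(UserModel userModel) {
        if (!canManage(userModel)) {
            throw new ForbiddenException();
        }
    }

    /** @return {@link #canView()}, or whether the admin holds the {@code query-users} admin role */
    @Override
    public boolean canQuery() {
        return canView() || root.hasOneAdminRole(AdminRoles.QUERY_USERS);
    }

    /** @throws ForbiddenException if {@link #canQuery()} is false */
    @Override
    public void requireQuery() {
        if (!canQuery()) {
            throw new ForbiddenException();
        }
    }

    /**
     * @return {@code true} via the view-users or manage-users admin roles, or, for a same-realm admin,
     *         via a granted {@code view} or {@code manage} scope on the {@code Users} resource
     */
    @Override
    public boolean canView() {
        if (canViewDefault() || canManageDefault()) {
            return true;
        }
        if (!root.isAdminSameRealm()) {
            return false;
        }
        return hasPermission(AdminPermissionManagement.VIEW_SCOPE, AdminPermissionManagement.MANAGE_SCOPE);
    }

    /**
     * @return {@link #canView()}, or whether the admin has view permission on any group (or ancestor
     *         group) the user belongs to
     */
    @Override
    public boolean canView(UserModel userModel) {
        return canView() || canViewByGroup(userModel);
    }

    /** @throws ForbiddenException if {@link #canView(UserModel)} is false */
    @Override
    public void requireView(UserModel userModel) {
        if (!canView(userModel)) {
            throw new ForbiddenException();
        }
    }

    /** @throws ForbiddenException if {@link #canView()} is false */
    @Override
    public void requireView() {
        if (!canView()) {
            throw new ForbiddenException();
        }
    }

    /**
     * Evaluates the {@code impersonate} scope for a client identity rather than the admin's own identity.
     * Policies evaluated under this context additionally see the client's id as the
     * {@code kc.client.id} attribute. The target user must also pass {@link #isImpersonatable(UserModel)}.
     *
     * @param clientModel the client acting as impersonator
     * @param userModel   the user to be impersonated
     */
    @Override
    public boolean canClientImpersonate(final ClientModel clientModel, UserModel userModel) {
        EvaluationContext clientContext = new DefaultEvaluationContext(new ClientModelIdentity(session, clientModel), session) {
            @Override
            public Map<String, Collection<String>> getBaseAttributes() {
                Map<String, Collection<String>> attributes = super.getBaseAttributes();
                attributes.put("kc.client.id", Arrays.asList(clientModel.getClientId()));
                return attributes;
            }
        };
        return canImpersonate(clientContext) && isImpersonatable(userModel);
    }

    /** @return {@link #canImpersonate()} combined with {@link #isImpersonatable(UserModel)} for the target user */
    @Override
    public boolean canImpersonate(UserModel userModel) {
        if (!canImpersonate()) {
            return false;
        }
        return isImpersonatable(userModel);
    }

    /**
     * Whether the given user may be the target of impersonation.
     *
     * <p>This check is permissive by default: it returns {@code true} whenever fine-grained permissions
     * are not set up (no resource server, no {@code Users} resource, no {@code user-impersonated}
     * permission, or that permission has no associated policies). Only when a
     * {@code user-impersonated} permission with associated policies exists is the
     * {@code user-impersonated} scope actually evaluated, with the target user as the identity.
     */
    @Override
    public boolean isImpersonatable(UserModel userModel) {
        ResourceServer server = root.realmResourceServer();
        if (server == null || resourceStore.findByName(USERS_RESOURCE, server.getId()) == null) {
            return true;
        }
        Policy policy = policyStore.findByName(USER_IMPERSONATED_PERMISSION, server.getId());
        if (policy == null) {
            return true;
        }
        Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
        if (associatedPolicies == null || associatedPolicies.isEmpty()) {
            return true;
        }
        EvaluationContext targetContext = new DefaultEvaluationContext(new UserModelIdentity(root.realm, userModel), session);
        return hasPermission(targetContext, USER_IMPERSONATED_SCOPE);
    }

    /**
     * @return {@code true} via the impersonation admin role, or, for a same-realm admin, via a granted
     *         {@code impersonate} scope evaluated for the admin's own identity
     */
    @Override
    public boolean canImpersonate() {
        if (root.hasOneAdminRole(ImpersonationConstants.IMPERSONATION_ROLE)) {
            return true;
        }
        if (!root.isAdminSameRealm()) {
            return false;
        }
        Identity identity = root.identity;
        return canImpersonate(new DefaultEvaluationContext(identity, session));
    }

    /** @throws ForbiddenException if {@link #canImpersonate(UserModel)} is false */
    @Override
    public void requireImpersonate(UserModel userModel) {
        if (!canImpersonate(userModel)) {
            throw new ForbiddenException();
        }
    }

    /**
     * Summarizes what the admin may do with the given user.
     *
     * @return map of action name to whether it is permitted; the {@code mapRoles} and
     *         {@code manageGroupMembership} keys deliberately differ from the scope names
     */
    @Override
    public Map<String, Boolean> getAccess(UserModel userModel) {
        Map<String, Boolean> access = new HashMap<>();
        access.put(AdminPermissionManagement.VIEW_SCOPE, canView(userModel));
        access.put(AdminPermissionManagement.MANAGE_SCOPE, canManage(userModel));
        access.put("mapRoles", canMapRoles(userModel));
        access.put("manageGroupMembership", canManageGroupMembership(userModel));
        access.put(IMPERSONATE_SCOPE, canImpersonate(userModel));
        return access;
    }

    /**
     * @return {@link #canManage(UserModel)}, or, for a same-realm admin, a granted {@code map-roles}
     *         scope on the {@code Users} resource
     */
    @Override
    public boolean canMapRoles(UserModel userModel) {
        if (canManage(userModel)) {
            return true;
        }
        if (!root.isAdminSameRealm()) {
            return false;
        }
        return hasPermission(MAP_ROLES_SCOPE);
    }

    /** @throws ForbiddenException if {@link #canMapRoles(UserModel)} is false */
    @Override
    public void requireMapRoles(UserModel userModel) {
        if (!canMapRoles(userModel)) {
            throw new ForbiddenException();
        }
    }

    /**
     * @return {@link #canManage(UserModel)}, or, for a same-realm admin, a granted
     *         {@code manage-group-membership} scope on the {@code Users} resource
     */
    @Override
    public boolean canManageGroupMembership(UserModel userModel) {
        if (canManage(userModel)) {
            return true;
        }
        if (!root.isAdminSameRealm()) {
            return false;
        }
        return hasPermission(MANAGE_GROUP_MEMBERSHIP_SCOPE);
    }

    /**
     * Sets the fallback applied when the {@code Users} resource does not exist; see
     * {@link #hasPermission(EvaluationContext, String...)}.
     *
     * @param grant {@code true} to grant a combined manage+view request in that situation
     */
    @Override
    public void grantIfNoPermission(boolean grant) {
        this.grantIfNoPermission = grant;
    }

    /** @throws ForbiddenException if {@link #canManageGroupMembership(UserModel)} is false */
    @Override
    public void requireManageGroupMembership(UserModel userModel) {
        if (!canManageGroupMembership(userModel)) {
            throw new ForbiddenException();
        }
    }

    /** Evaluates the requested scopes under the root's default evaluation context. */
    private boolean hasPermission(String... scopes) {
        return hasPermission((EvaluationContext) null, scopes);
    }

    /**
     * Evaluates the {@code Users} resource and reports whether any granted permission carries one of
     * the requested scopes.
     *
     * <p>Returns {@code false} when the realm has no resource server. When the {@code Users} resource
     * is missing, returns {@code true} only if {@link #grantIfNoPermission(boolean)} was enabled and
     * the request includes both the {@code manage} and the {@code view} scope; otherwise {@code false}.
     * Evaluation always asks for every scope of the resource and matches the result against
     * {@code scopes} afterwards.
     *
     * @param context evaluation context to use, or {@code null} for the root's default context
     * @param scopes  scope names of which at least one must be granted
     */
    private boolean hasPermission(EvaluationContext context, String... scopes) {
        ResourceServer server = root.realmResourceServer();
        if (server == null) {
            return false;
        }
        Resource usersResource = resourceStore.findByName(USERS_RESOURCE, server.getId());
        List<String> requested = Arrays.asList(scopes);
        if (usersResource == null) {
            return grantIfNoPermission
                    && requested.contains(AdminPermissionManagement.MANAGE_SCOPE)
                    && requested.contains(AdminPermissionManagement.VIEW_SCOPE);
        }
        ResourcePermission permission = new ResourcePermission(usersResource, usersResource.getScopes(), server);
        Collection<Permission> granted = context == null
                ? root.evaluatePermission(permission, server)
                : root.evaluatePermission(permission, server, context);
        for (Permission result : granted) {
            for (String scope : result.getScopes()) {
                if (requested.contains(scope)) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Deletes the six permission policies and the {@code Users} resource, each only if present. */
    private void deletePermissionSetup() {
        ResourceServer server = root.realmResourceServer();
        if (server == null) {
            return;
        }
        deleteIfPresent(managePermission());
        deleteIfPresent(viewPermission());
        deleteIfPresent(mapRolesPermission());
        deleteIfPresent(manageGroupMembershipPermission());
        deleteIfPresent(adminImpersonatingPermission());
        deleteIfPresent(userImpersonatedPermission());
        Resource usersResource = resourceStore.findByName(USERS_RESOURCE, server.getId());
        if (usersResource != null) {
            resourceStore.delete(usersResource.getId());
        }
    }

    /** Deletes {@code policy} from the policy store when it is not {@code null}. */
    private void deleteIfPresent(Policy policy) {
        if (policy != null) {
            policyStore.delete(policy.getId());
        }
    }

    /** Evaluates the {@code impersonate} scope under the given context. */
    private boolean canImpersonate(EvaluationContext context) {
        return hasPermission(context, IMPERSONATE_SCOPE);
    }

    /**
     * @return {@code true} if {@code predicate} holds for any group the user belongs to, or for any
     *         ancestor of such a group
     */
    private boolean evaluateHierarchy(UserModel userModel, Predicate<GroupModel> predicate) {
        Set<GroupModel> visited = new HashSet<>();
        return userModel.getGroupsStream().anyMatch(group -> evaluateHierarchy(predicate, group, visited));
    }

    /**
     * Walks from {@code group} up its parent chain, stopping at the first group for which the
     * predicate holds. {@code visited} records groups already rejected so that ancestors shared by
     * several of the user's groups are tested only once.
     */
    private boolean evaluateHierarchy(Predicate<GroupModel> predicate, GroupModel group, Set<GroupModel> visited) {
        GroupModel current = group;
        while (current != null && !visited.contains(current)) {
            if (predicate.test(current)) {
                return true;
            }
            visited.add(current);
            current = current.getParent();
        }
        return false;
    }

    /** @return whether the admin may manage members of any group (or ancestor group) of the user */
    private boolean canManageByGroup(UserModel userModel) {
        return evaluateHierarchy(userModel, group -> root.groups().canManageMembers(group));
    }

    /** @return whether the admin has view permission on any group (or ancestor group) of the user */
    private boolean canViewByGroup(UserModel userModel) {
        return evaluateHierarchy(userModel, group -> root.groups().getGroupsWithViewPermission(group));
    }

    /** @return {@code true} if the admin holds the {@code manage-users} or {@code view-users} admin role. */
    public boolean canViewDefault() {
        return root.hasOneAdminRole(AdminRoles.MANAGE_USERS, AdminRoles.VIEW_USERS);
    }
}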
