package org.keycloak.authorization.admin;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Produces;
import javax.ws.rs.container.AsyncResponse;
import javax.ws.rs.container.Suspended;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.admin.representation.PolicyEvaluationRequest;
import org.keycloak.authorization.admin.representation.PolicyEvaluationResponse;
import org.keycloak.authorization.attribute.Attributes;
import org.keycloak.authorization.common.KeycloakEvaluationContext;
import org.keycloak.authorization.common.KeycloakIdentity;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.DecisionResultCollector;
import org.keycloak.authorization.policy.evaluation.EvaluationContext;
import org.keycloak.authorization.policy.evaluation.Result;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.authorization.util.Permissions;
import org.keycloak.models.ClientModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.Urls;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/authorization/admin/PolicyEvaluationService.class */
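/**
 * JAX-RS resource that runs a "what-if" policy evaluation against one resource server.
 *
 * <p>The request body describes a hypothetical caller (user id, client id, extra roles and
 * attributes) together with the resources and scopes to test. This class turns that description
 * into an in-memory {@link AccessToken}, evaluates the resource server's policies against it and
 * returns the outcome asynchronously.
 *
 * <p>Security note: every identity input used here comes from the request body, and nothing in
 * this class checks who the caller is or whether they may evaluate policies on behalf of another
 * user. NOTE(review): that check is presumably enforced by whatever resource constructs this
 * service; confirm it before exposing the endpoint on a new path.
 */
public class PolicyEvaluationService {
    private final AuthorizationProvider authorization;

    // Injected by the JAX-RS container; not read anywhere in this class.
    @Context
    private HttpRequest httpRequest;
    private final ResourceServer resourceServer;

    /**
     * Creates the service for one resource server.
     *
     * <p>The decompiler reports that this constructor was package-private in the compiled class
     * and was widened to {@code public} in this listing.
     *
     * @param resourceServer the resource server whose policies are evaluated
     * @param authorizationProvider entry point to the stores, evaluators and Keycloak session
     */
    public PolicyEvaluationService(ResourceServer resourceServer, AuthorizationProvider authorizationProvider) {
        this.resourceServer = resourceServer;
        this.authorization = authorizationProvider;
    }

    /**
     * Evaluates the policies for the identity and permissions described by the request and resumes
     * {@code asyncResponse} with the result (or with the failure).
     *
     * @param policyEvaluationRequest the simulated caller and the resources/scopes to test
     * @param asyncResponse the suspended response that receives the outcome
     */
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    @Consumes({MediaType.APPLICATION_JSON})
    public void evaluate(PolicyEvaluationRequest policyEvaluationRequest, @Suspended AsyncResponse asyncResponse) {
        EvaluationContext context = createEvaluationContext(policyEvaluationRequest);
        List<ResourcePermission> permissions = createPermissions(policyEvaluationRequest, context, this.authorization);
        DecisionResultCollector collector = createDecisionCollector(policyEvaluationRequest, this.authorization, asyncResponse);
        this.authorization.evaluators().from(permissions, context).evaluate(collector);
    }

    /**
     * Builds the collector that converts the evaluation results into the HTTP response.
     *
     * <p>Any failure, including one raised while building the response, is handed to
     * {@code asyncResponse.resume(Throwable)}. NOTE(review): how much of that throwable reaches the
     * client depends on the exception mappers registered in the deployment, which are not visible
     * here.
     */
    private DecisionResultCollector createDecisionCollector(final PolicyEvaluationRequest policyEvaluationRequest, final AuthorizationProvider authorizationProvider, final AsyncResponse asyncResponse) {
        return new DecisionResultCollector() {
            protected void onComplete(List<Result> results) {
                try {
                    PolicyEvaluationResponse body = PolicyEvaluationResponse.build(policyEvaluationRequest, results, PolicyEvaluationService.this.resourceServer, authorizationProvider);
                    asyncResponse.resume(Response.ok(body).build());
                } catch (Throwable failure) {
                    // Broad catch on purpose: the suspended response must always be resumed.
                    asyncResponse.resume(failure);
                }
            }

            public void onError(Throwable failure) {
                asyncResponse.resume(failure);
            }
        };
    }

    /**
     * Creates the evaluation context for the simulated identity.
     *
     * <p>The returned context starts from the attributes of {@link KeycloakEvaluationContext} and
     * then applies the request's {@code "attributes"} entries on top, so a request-supplied
     * attribute replaces a base attribute with the same name. Each value is split on {@code ","}
     * into a list; entries with a {@code null} value are ignored.
     */
    private EvaluationContext createEvaluationContext(final PolicyEvaluationRequest policyEvaluationRequest) {
        return new KeycloakEvaluationContext(createIdentity(policyEvaluationRequest), this.authorization.getKeycloakSession()) {
            @Override
            public Attributes getAttributes() {
                Map<String, Collection<String>> merged = new HashMap<>(super.getAttributes().toMap());
                PolicyEvaluationService.requestedAttributes(policyEvaluationRequest).forEach((name, rawValue) -> {
                    if (rawValue != null) {
                        merged.put(name, new ArrayList<>(Arrays.asList(rawValue.split(","))));
                    }
                });
                return Attributes.from(merged);
            }
        };
    }

    /**
     * Returns the request's {@code "attributes"} map, or an empty map when the request carries no
     * context or no such entry, so callers never dereference {@code null}.
     */
    private static Map<String, String> requestedAttributes(PolicyEvaluationRequest policyEvaluationRequest) {
        Map<String, Map<String, String>> context = policyEvaluationRequest.getContext();
        Map<String, String> attributes = context == null ? null : context.get("attributes");
        return attributes != null ? attributes : new HashMap<String, String>();
    }

    /**
     * Translates the request into the permissions to evaluate.
     *
     * <p>For an entitlements request, every permission of the resource server is evaluated for the
     * simulated identity. Otherwise each requested resource yields: one permission when it names a
     * resource id, one permission per resource of the given type when it names a type, or one
     * resource-less permission per scope when it names neither.
     *
     * <p>NOTE(review): the store lookups ({@code findByName}, {@code findById}) are passed straight
     * into {@link ResourcePermission} without a null check; whether they can return {@code null}
     * for an unknown name or id is not visible here.
     */
    private List<ResourcePermission> createPermissions(PolicyEvaluationRequest policyEvaluationRequest, EvaluationContext evaluationContext, AuthorizationProvider authorizationProvider) {
        if (policyEvaluationRequest.isEntitlements()) {
            return Permissions.all(this.resourceServer, evaluationContext.getIdentity(), authorizationProvider);
        }
        return policyEvaluationRequest.getResources().stream().flatMap(requested -> {
            Set<String> scopeNames = requested.getScopes();
            if (scopeNames == null) {
                scopeNames = new HashSet<>();
            }
            StoreFactory storeFactory = authorizationProvider.getStoreFactory();
            List<Scope> scopes = scopeNames.stream()
                    .map(scopeName -> storeFactory.getScopeStore().findByName(scopeName, this.resourceServer.getId()))
                    .collect(Collectors.toList());
            if (requested.getId() != null) {
                return Stream.of(new ResourcePermission(storeFactory.getResourceStore().findById(requested.getId()), scopes, this.resourceServer));
            }
            if (requested.getType() != null) {
                return storeFactory.getResourceStore().findByType(requested.getType()).stream()
                        .map(model -> new ResourcePermission(model, scopes, this.resourceServer));
            }
            return scopes.stream()
                    .map(scope -> new ResourcePermission((Resource) null, Arrays.asList(scope), this.resourceServer));
        }).collect(Collectors.toList());
    }

    /**
     * Builds the simulated identity as an unsigned, in-memory {@link AccessToken}.
     *
     * <p>Subject, issued-for and audience come directly from the request. When the subject
     * resolves to a user in the current realm, that user's realm role mappings and, if a client id
     * is given, client role mappings are copied into the token. The request's role ids are then
     * added to the realm access as-is: they are not looked up, so they are not checked to exist or
     * to be assigned to the user. Request attributes are stored as additional claims.
     */
    private KeycloakIdentity createIdentity(PolicyEvaluationRequest policyEvaluationRequest) {
        RealmModel realm = this.authorization.getKeycloakSession().getContext().getRealm();
        AccessToken accessToken = new AccessToken();
        accessToken.subject(policyEvaluationRequest.getUserId());
        accessToken.issuedFor(policyEvaluationRequest.getClientId());
        accessToken.audience(new String[]{policyEvaluationRequest.getClientId()});
        accessToken.issuer(Urls.realmIssuer(this.authorization.getKeycloakSession().getContext().getUri().getBaseUri(), realm.getName()));
        accessToken.setRealmAccess(new AccessToken.Access());

        Map<String, Object> otherClaims = accessToken.getOtherClaims();
        requestedAttributes(policyEvaluationRequest).forEach((name, value) -> otherClaims.put(name, Arrays.asList(value)));

        String subject = accessToken.getSubject();
        UserModel user = subject == null ? null : this.authorization.getKeycloakSession().users().getUserById(subject, realm);
        if (user != null) {
            user.getRoleMappings().stream()
                    .map(role -> role.getName())
                    .forEach(roleName -> accessToken.getRealmAccess().addRole(roleName));
            String clientId = policyEvaluationRequest.getClientId();
            if (clientId != null) {
                // NOTE(review): no null check on the lookup result; if getClientById can return
                // null for an unknown id, the next line fails with a NullPointerException.
                ClientModel client = realm.getClientById(clientId);
                accessToken.addAccess(client.getClientId());
                user.getClientRoleMappings(client).stream()
                        .map(role -> role.getName())
                        .forEach(roleName -> accessToken.getResourceAccess(client.getClientId()).addRole(roleName));
            }
        }
        if (policyEvaluationRequest.getRoleIds() != null) {
            policyEvaluationRequest.getRoleIds().forEach(roleId -> accessToken.getRealmAccess().addRole(roleId));
        }
        return new KeycloakIdentity(accessToken, this.authorization.getKeycloakSession());
    }
}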
