package org.keycloak.services.resources.admin.permissions;

import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.common.ClientModelIdentity;
import org.keycloak.authorization.common.DefaultEvaluationContext;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.services.ForbiddenException;
import org.keycloak.storage.StorageId;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/keycloak/services/resources/admin/permissions/ClientPermissions.class */
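/**
 * Admin permission checks and permission bookkeeping for clients.
 *
 * <p>Two layers are visible in this class: realm-wide admin roles, checked through
 * {@link MgmtPermissions}, and per-client scope permissions kept in the authorization store under
 * names derived from the client id (see the {@code get*PermissionName} helpers).
 *
 * <p>Security-relevant behaviour, as implemented here:
 * <ul>
 *   <li>Per-client checks deny by default: a missing resource server, resource or permission, or a
 *       permission with no associated policies, yields {@code false} without calling the
 *       evaluator.</li>
 *   <li>{@code canMapRoles}, {@code canMapCompositeRoles} and {@code canMapClientScopeRoles}
 *       consult only the per-client permission; they check neither admin roles nor
 *       {@code isAdminSameRealm()}.</li>
 *   <li>{@code getPermissions} is not a pure read: it creates the permission objects first.</li>
 * </ul>
 */
public class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionManagement {
    private static final Logger logger = Logger.getLogger(ClientPermissions.class);
    protected final KeycloakSession session;
    protected final RealmModel realm;
    protected final AuthorizationProvider authz;
    protected final MgmtPermissions root;

    /**
     * Stores the collaborators; no lookups or writes happen at construction time.
     *
     * @param keycloakSession session handed to the identity and evaluation context in token-exchange checks
     * @param realmModel realm this instance was created for
     * @param authorizationProvider gives access to the resource, scope and policy stores
     * @param mgmtPermissions root permission object used for role checks and policy evaluation
     */
    public ClientPermissions(KeycloakSession keycloakSession, RealmModel realmModel, AuthorizationProvider authorizationProvider, MgmtPermissions mgmtPermissions) {
        this.session = keycloakSession;
        this.realm = realmModel;
        this.authz = authorizationProvider;
        this.root = mgmtPermissions;
    }

    // ---- Names of the per-client objects in the authorization store (all keyed by client id) ----

    private String getResourceName(ClientModel clientModel) {
        return "client.resource." + clientModel.getId();
    }

    private String getManagePermissionName(ClientModel clientModel) {
        return "manage.permission.client." + clientModel.getId();
    }

    private String getConfigurePermissionName(ClientModel clientModel) {
        return "configure.permission.client." + clientModel.getId();
    }

    private String getViewPermissionName(ClientModel clientModel) {
        return "view.permission.client." + clientModel.getId();
    }

    private String getMapRolesPermissionName(ClientModel clientModel) {
        return "map-roles.permission.client." + clientModel.getId();
    }

    private String getMapRolesClientScopePermissionName(ClientModel clientModel) {
        return "map-roles-client-scope.permission.client." + clientModel.getId();
    }

    private String getMapRolesCompositePermissionName(ClientModel clientModel) {
        return "map-roles-composite.permission.client." + clientModel.getId();
    }

    private String getExchangeToPermissionName(ClientModel clientModel) {
        return "token-exchange.permission.client." + clientModel.getId();
    }

    // ---- Store lookups shared by the checks below ----

    /** Looks up the client's resource on the given resource server; {@code null} when absent. */
    private Resource findResource(ClientModel clientModel, ResourceServer resourceServer) {
        return this.authz.getStoreFactory().getResourceStore().findByName(getResourceName(clientModel), resourceServer.getId());
    }

    /** Looks up a policy/permission by name on the given resource server; {@code null} when absent. */
    private Policy findPolicy(String name, ResourceServer resourceServer) {
        return this.authz.getStoreFactory().getPolicyStore().findByName(name, resourceServer.getId());
    }

    /** Looks up a scope by name on the given resource server; {@code null} when absent. */
    private Scope findScope(String name, ResourceServer resourceServer) {
        return this.authz.getStoreFactory().getScopeStore().findByName(name, resourceServer.getId());
    }

    /** Returns the named scope, creating it through the scope store when the lookup finds nothing. */
    private Scope findOrCreateScope(String name, ResourceServer resourceServer) {
        Scope scope = findScope(name, resourceServer);
        if (scope == null) {
            scope = this.authz.getStoreFactory().getScopeStore().create(name, resourceServer);
        }
        return scope;
    }

    /** Adds an empty scope permission under {@code permissionName} unless one with that name exists. */
    private void ensureScopePermission(ResourceServer resourceServer, String permissionName, Resource resource, Scope scope) {
        if (findPolicy(permissionName, resourceServer) == null) {
            Helper.addEmptyScopePermission(this.authz, resourceServer, permissionName, resource, scope);
        }
    }

    /**
     * Shared tail of the per-client checks: evaluates {@code scopeName} on the client's resource,
     * but only when the resource, the named permission and at least one associated policy exist.
     *
     * <p>Every missing piece results in {@code false}; in particular a permission that has no
     * policies attached never reaches the evaluator, so it cannot grant access.
     *
     * @param resourceServer the client's resource server; callers pass a non-null value
     * @return the evaluator's decision, or {@code false} when anything required is missing
     */
    private boolean evaluateScopePermission(ClientModel clientModel, ResourceServer resourceServer, String permissionName, String scopeName) {
        Resource resource = findResource(clientModel, resourceServer);
        if (resource == null) {
            return false;
        }
        Policy permission = findPolicy(permissionName, resourceServer);
        if (permission == null) {
            return false;
        }
        Set<Policy> associatedPolicies = permission.getAssociatedPolicies();
        if (associatedPolicies == null || associatedPolicies.isEmpty()) {
            return false;
        }
        // NOTE(review): the scope lookup result is passed on without a null check, unlike
        // canExchangeTo, which returns false for a missing scope. Confirm that
        // MgmtPermissions.evaluatePermission handles a null scope as a denial.
        return this.root.evaluatePermission(resource, findScope(scopeName, resourceServer), resourceServer);
    }

    /**
     * Creates whatever is missing for per-client permissions: the resource server, the scopes, the
     * client resource (typed {@code "Client"}) and one empty scope permission per scope.
     * Objects that already exist are left alone.
     */
    private void initialize(ClientModel clientModel) {
        ResourceServer server = this.root.findOrCreateResourceServer(clientModel);
        Scope manage = findOrCreateScope(AdminPermissionManagement.MANAGE_SCOPE, server);
        Scope view = findOrCreateScope(AdminPermissionManagement.VIEW_SCOPE, server);
        Scope mapRoles = findOrCreateScope("map-roles", server);
        Scope mapRolesClientScope = this.root.initializeScope(ClientPermissionManagement.MAP_ROLES_CLIENT_SCOPE, server);
        Scope mapRolesComposite = this.root.initializeScope(ClientPermissionManagement.MAP_ROLES_COMPOSITE_SCOPE, server);
        Scope configure = this.root.initializeScope(ClientPermissionManagement.CONFIGURE_SCOPE, server);
        Scope tokenExchange = this.root.initializeScope(AdminPermissionManagement.TOKEN_EXCHANGE, server);

        String resourceName = getResourceName(clientModel);
        Resource resource = this.authz.getStoreFactory().getResourceStore().findByName(resourceName, server.getId());
        if (resource == null) {
            resource = this.authz.getStoreFactory().getResourceStore().create(resourceName, server, server.getId());
            resource.setType("Client");
            Set<Scope> scopes = new HashSet<>();
            scopes.add(configure);
            scopes.add(manage);
            scopes.add(view);
            scopes.add(mapRoles);
            scopes.add(mapRolesClientScope);
            scopes.add(mapRolesComposite);
            scopes.add(tokenExchange);
            resource.updateScopes(scopes);
        }

        // The permissions start without policies, so each check still denies until an
        // administrator attaches at least one policy.
        ensureScopePermission(server, getManagePermissionName(clientModel), resource, manage);
        ensureScopePermission(server, getConfigurePermissionName(clientModel), resource, configure);
        ensureScopePermission(server, getViewPermissionName(clientModel), resource, view);
        ensureScopePermission(server, getMapRolesPermissionName(clientModel), resource, mapRoles);
        ensureScopePermission(server, getMapRolesClientScopePermissionName(clientModel), resource, mapRolesClientScope);
        ensureScopePermission(server, getMapRolesCompositePermissionName(clientModel), resource, mapRolesComposite);
        ensureScopePermission(server, getExchangeToPermissionName(clientModel), resource, tokenExchange);
    }

    /** Deletes the named policy from the resource server if it exists. */
    private void deletePolicy(String str, ResourceServer resourceServer) {
        Policy policy = findPolicy(str, resourceServer);
        if (policy != null) {
            this.authz.getStoreFactory().getPolicyStore().delete(policy.getId());
        }
    }

    /**
     * Removes the seven per-client permissions and the client resource. Does nothing when the
     * client has no resource server. Scopes and the resource server itself are not deleted here.
     */
    private void deletePermissions(ClientModel clientModel) {
        ResourceServer server = resourceServer(clientModel);
        if (server == null) {
            return;
        }
        deletePolicy(getManagePermissionName(clientModel), server);
        deletePolicy(getViewPermissionName(clientModel), server);
        deletePolicy(getMapRolesPermissionName(clientModel), server);
        deletePolicy(getMapRolesClientScopePermissionName(clientModel), server);
        deletePolicy(getMapRolesCompositePermissionName(clientModel), server);
        deletePolicy(getConfigurePermissionName(clientModel), server);
        deletePolicy(getExchangeToPermissionName(clientModel), server);
        Resource resource = findResource(clientModel, server);
        if (resource != null) {
            this.authz.getStoreFactory().getResourceStore().delete(resource.getId());
        }
    }

    /**
     * Reports whether per-client permissions are set up.
     *
     * @return {@code true} only when both the resource server and the client resource exist
     */
    @Override
    public boolean isPermissionsEnabled(ClientModel clientModel) {
        ResourceServer server = resourceServer(clientModel);
        return server != null && findResource(clientModel, server) != null;
    }

    /**
     * Creates the per-client permission objects or removes them.
     *
     * @param z {@code true} to create the objects, {@code false} to delete them
     */
    @Override
    public void setPermissionsEnabled(ClientModel clientModel, boolean z) {
        if (z) {
            initialize(clientModel);
        } else {
            deletePermissions(clientModel);
        }
    }

    /** @return {@code true} when the caller holds any admin role, per {@code root.hasAnyAdminRole()} */
    @Override
    public boolean canList() {
        return this.root.hasAnyAdminRole();
    }

    /** @throws ForbiddenException when {@link #canList()} is {@code false} */
    @Override
    public void requireList() {
        if (!canList()) {
            throw new ForbiddenException();
        }
    }

    /** @return {@code true} when the caller holds any admin role, per {@code root.hasAnyAdminRole()} */
    @Override
    public boolean canListClientScopes() {
        return this.root.hasAnyAdminRole();
    }

    /** @throws ForbiddenException when {@link #canListClientScopes()} is {@code false} */
    @Override
    public void requireListClientScopes() {
        if (!canListClientScopes()) {
            throw new ForbiddenException();
        }
    }

    /** Role-only check: the caller has {@link AdminRoles#MANAGE_CLIENTS}. */
    public boolean canManageClientsDefault() {
        return this.root.hasOneAdminRole(AdminRoles.MANAGE_CLIENTS);
    }

    /** Role-only check: the caller has {@link AdminRoles#MANAGE_CLIENTS} or {@link AdminRoles#VIEW_CLIENTS}. */
    public boolean canViewClientDefault() {
        return this.root.hasOneAdminRole(AdminRoles.MANAGE_CLIENTS, AdminRoles.VIEW_CLIENTS);
    }

    /** Realm-wide manage check; role based only. */
    @Override
    public boolean canManage() {
        return canManageClientsDefault();
    }

    /** @throws ForbiddenException when {@link #canManage()} is {@code false} */
    @Override
    public void requireManage() {
        if (!canManage()) {
            throw new ForbiddenException();
        }
    }

    /** Realm-wide view check; role based only. */
    @Override
    public boolean canView() {
        return canManageClientsDefault() || canViewClientDefault();
    }

    /** @throws ForbiddenException when {@link #canView()} is {@code false} */
    @Override
    public void requireView() {
        if (!canView()) {
            throw new ForbiddenException();
        }
    }

    /** @return the client's resource, or {@code null} when the resource server or the resource is missing */
    @Override
    public Resource resource(ClientModel clientModel) {
        ResourceServer server = resourceServer(clientModel);
        return server == null ? null : findResource(clientModel, server);
    }

    /**
     * Returns the ids of the client's permissions keyed by scope name, in a fixed insertion order.
     *
     * <p>This call runs {@code initialize} first and therefore writes to the authorization store:
     * it creates the resource server, scopes, resource and empty permissions when they are
     * missing, including the resource that {@link #isPermissionsEnabled} tests for. Callers that
     * only want to inspect state should check {@link #isPermissionsEnabled} beforehand.
     */
    @Override
    public Map<String, String> getPermissions(ClientModel clientModel) {
        initialize(clientModel);
        Map<String, String> permissionIds = new LinkedHashMap<>();
        permissionIds.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(clientModel).getId());
        permissionIds.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission(clientModel).getId());
        permissionIds.put(ClientPermissionManagement.CONFIGURE_SCOPE, configurePermission(clientModel).getId());
        permissionIds.put("map-roles", mapRolesPermission(clientModel).getId());
        permissionIds.put(ClientPermissionManagement.MAP_ROLES_CLIENT_SCOPE, mapRolesClientScopePermission(clientModel).getId());
        permissionIds.put(ClientPermissionManagement.MAP_ROLES_COMPOSITE_SCOPE, mapRolesCompositePermission(clientModel).getId());
        permissionIds.put(AdminPermissionManagement.TOKEN_EXCHANGE, exchangeToPermission(clientModel).getId());
        return permissionIds;
    }

    /**
     * Decides whether {@code clientModel} may exchange a token targeting {@code clientModel2}.
     *
     * <p>A client is always allowed to target itself; that shortcut is taken before any store
     * lookup. For a different target the token-exchange permission of the target client is
     * evaluated with the requesting client as the identity, and the requesting client's
     * {@code clientId} is exposed to policies as the {@code kc.client.id} attribute. Every missing
     * prerequisite denies the exchange and is reported at debug level only.
     *
     * @param clientModel the requesting client
     * @param clientModel2 the target client whose permission is evaluated
     */
    @Override
    public boolean canExchangeTo(final ClientModel clientModel, ClientModel clientModel2) {
        if (clientModel.equals(clientModel2)) {
            return true;
        }
        ResourceServer server = resourceServer(clientModel2);
        if (server == null) {
            logger.debug("No resource server set up for target client");
            return false;
        }
        Resource resource = findResource(clientModel2, server);
        if (resource == null) {
            logger.debug("No resource object set up for target client");
            return false;
        }
        Policy permission = findPolicy(getExchangeToPermissionName(clientModel2), server);
        if (permission == null) {
            logger.debug("No permission object set up for target client");
            return false;
        }
        Set<Policy> associatedPolicies = permission.getAssociatedPolicies();
        if (associatedPolicies == null || associatedPolicies.isEmpty()) {
            logger.debug("No policies set up for permission on target client");
            return false;
        }
        Scope tokenExchange = findScope(AdminPermissionManagement.TOKEN_EXCHANGE, server);
        if (tokenExchange == null) {
            logger.debug("token-exchange not initialized");
            return false;
        }
        DefaultEvaluationContext context = new DefaultEvaluationContext(new ClientModelIdentity(this.session, clientModel), this.session) {
            @Override
            public Map<String, Collection<String>> getBaseAttributes() {
                Map<String, Collection<String>> attributes = super.getBaseAttributes();
                attributes.put("kc.client.id", Arrays.asList(clientModel.getClientId()));
                return attributes;
            }
        };
        return this.root.evaluatePermission(resource, tokenExchange, server, context);
    }

    /**
     * Per-client manage check. The {@code manage-clients} role grants access outright; otherwise
     * the caller must be an admin of the same realm and the client's manage permission must
     * evaluate to a grant.
     */
    @Override
    public boolean canManage(ClientModel clientModel) {
        if (canManageClientsDefault()) {
            return true;
        }
        if (!this.root.isAdminSameRealm()) {
            return false;
        }
        ResourceServer server = resourceServer(clientModel);
        if (server == null) {
            return false;
        }
        return evaluateScopePermission(clientModel, server, getManagePermissionName(clientModel), AdminPermissionManagement.MANAGE_SCOPE);
    }

    /**
     * Per-client configure check. Anyone who can manage the client can configure it; otherwise the
     * caller must be an admin of the same realm and the configure permission must grant.
     */
    @Override
    public boolean canConfigure(ClientModel clientModel) {
        if (canManage(clientModel)) {
            return true;
        }
        if (!this.root.isAdminSameRealm()) {
            return false;
        }
        ResourceServer server = resourceServer(clientModel);
        if (server == null) {
            return false;
        }
        return evaluateScopePermission(clientModel, server, getConfigurePermissionName(clientModel), ClientPermissionManagement.CONFIGURE_SCOPE);
    }

    /** @throws ForbiddenException when {@link #canConfigure(ClientModel)} is {@code false} */
    @Override
    public void requireConfigure(ClientModel clientModel) {
        if (!canConfigure(clientModel)) {
            throw new ForbiddenException();
        }
    }

    /** @throws ForbiddenException when {@link #canManage(ClientModel)} is {@code false} */
    @Override
    public void requireManage(ClientModel clientModel) {
        if (!canManage(clientModel)) {
            throw new ForbiddenException();
        }
    }

    /** Per-client view check: granted by the view permission or by anything that allows configuring. */
    @Override
    public boolean canView(ClientModel clientModel) {
        return hasView(clientModel) || canConfigure(clientModel);
    }

    /**
     * View check without the configure fallback: the realm-wide view roles grant access outright;
     * otherwise the caller must be an admin of the same realm and the view permission must grant.
     */
    private boolean hasView(ClientModel clientModel) {
        if (canView()) {
            return true;
        }
        if (!this.root.isAdminSameRealm()) {
            return false;
        }
        ResourceServer server = resourceServer(clientModel);
        if (server == null) {
            return false;
        }
        return evaluateScopePermission(clientModel, server, getViewPermissionName(clientModel), AdminPermissionManagement.VIEW_SCOPE);
    }

    /** @throws ForbiddenException when {@link #canView(ClientModel)} is {@code false} */
    @Override
    public void requireView(ClientModel clientModel) {
        if (!canView(clientModel)) {
            throw new ForbiddenException();
        }
    }

    /** Client scopes have no per-object permissions here; this is the realm-wide view check. */
    @Override
    public boolean canViewClientScopes() {
        return canView();
    }

    /** Client scopes have no per-object permissions here; this is the {@code manage-clients} role check. */
    @Override
    public boolean canManageClientScopes() {
        return canManageClientsDefault();
    }

    /** @throws ForbiddenException when {@link #canManageClientScopes()} is {@code false} */
    @Override
    public void requireManageClientScopes() {
        if (!canManageClientScopes()) {
            throw new ForbiddenException();
        }
    }

    /** @throws ForbiddenException when {@link #canViewClientScopes()} is {@code false} */
    @Override
    public void requireViewClientScopes() {
        if (!canViewClientScopes()) {
            throw new ForbiddenException();
        }
    }

    /** Role-only check; the client scope argument is not inspected. */
    @Override
    public boolean canManage(ClientScopeModel clientScopeModel) {
        return canManageClientsDefault();
    }

    /** @throws ForbiddenException when {@link #canManage(ClientScopeModel)} is {@code false} */
    @Override
    public void requireManage(ClientScopeModel clientScopeModel) {
        if (!canManage(clientScopeModel)) {
            throw new ForbiddenException();
        }
    }

    /** Role-only check; the client scope argument is not inspected. */
    @Override
    public boolean canView(ClientScopeModel clientScopeModel) {
        return canViewClientDefault();
    }

    /** @throws ForbiddenException when {@link #canView(ClientScopeModel)} is {@code false} */
    @Override
    public void requireView(ClientScopeModel clientScopeModel) {
        if (!canView(clientScopeModel)) {
            throw new ForbiddenException();
        }
    }

    /**
     * Evaluates the client's {@code map-roles} permission.
     *
     * <p>NOTE(review): unlike {@code canManage}/{@code canConfigure}/{@code hasView}, this method
     * has no admin-role shortcut and no {@code isAdminSameRealm()} guard. Presumably callers
     * combine it with their own role checks; verify at the call sites.
     */
    @Override
    public boolean canMapRoles(ClientModel clientModel) {
        ResourceServer server = resourceServer(clientModel);
        if (server == null) {
            return false;
        }
        return evaluateScopePermission(clientModel, server, getMapRolesPermissionName(clientModel), "map-roles");
    }

    /** @return the token-exchange permission, or {@code null} when the resource server or permission is missing */
    @Override
    public Policy exchangeToPermission(ClientModel clientModel) {
        ResourceServer server = resourceServer(clientModel);
        return server == null ? null : findPolicy(getExchangeToPermissionName(clientModel), server);
    }

    /** @return the map-roles permission, or {@code null} when the resource server or permission is missing */
    @Override
    public Policy mapRolesPermission(ClientModel clientModel) {
        ResourceServer server = resourceServer(clientModel);
        return server == null ? null : findPolicy(getMapRolesPermissionName(clientModel), server);
    }

    /** @return the map-roles-client-scope permission, or {@code null} when the resource server or permission is missing */
    @Override
    public Policy mapRolesClientScopePermission(ClientModel clientModel) {
        ResourceServer server = resourceServer(clientModel);
        return server == null ? null : findPolicy(getMapRolesClientScopePermissionName(clientModel), server);
    }

    /** @return the map-roles-composite permission, or {@code null} when the resource server or permission is missing */
    @Override
    public Policy mapRolesCompositePermission(ClientModel clientModel) {
        ResourceServer server = resourceServer(clientModel);
        return server == null ? null : findPolicy(getMapRolesCompositePermissionName(clientModel), server);
    }

    /** @return the manage permission, or {@code null} when the resource server or permission is missing */
    @Override
    public Policy managePermission(ClientModel clientModel) {
        ResourceServer server = resourceServer(clientModel);
        return server == null ? null : findPolicy(getManagePermissionName(clientModel), server);
    }

    /** @return the configure permission, or {@code null} when the resource server or permission is missing */
    @Override
    public Policy configurePermission(ClientModel clientModel) {
        ResourceServer server = resourceServer(clientModel);
        return server == null ? null : findPolicy(getConfigurePermissionName(clientModel), server);
    }

    /** @return the view permission, or {@code null} when the resource server or permission is missing */
    @Override
    public Policy viewPermission(ClientModel clientModel) {
        ResourceServer server = resourceServer(clientModel);
        return server == null ? null : findPolicy(getViewPermissionName(clientModel), server);
    }

    /** Delegates to {@code root.resourceServer}; the checks in this class treat {@code null} as "not set up". */
    @Override
    public ResourceServer resourceServer(ClientModel clientModel) {
        return this.root.resourceServer(clientModel);
    }

    /**
     * Evaluates the client's map-roles-composite permission.
     *
     * <p>NOTE(review): no admin-role shortcut and no {@code isAdminSameRealm()} guard here;
     * verify that call sites apply their own checks.
     */
    @Override
    public boolean canMapCompositeRoles(ClientModel clientModel) {
        ResourceServer server = resourceServer(clientModel);
        if (server == null) {
            return false;
        }
        return evaluateScopePermission(clientModel, server, getMapRolesCompositePermissionName(clientModel), ClientPermissionManagement.MAP_ROLES_COMPOSITE_SCOPE);
    }

    /**
     * Evaluates the client's map-roles-client-scope permission.
     *
     * <p>NOTE(review): no admin-role shortcut and no {@code isAdminSameRealm()} guard here;
     * verify that call sites apply their own checks.
     */
    @Override
    public boolean canMapClientScopeRoles(ClientModel clientModel) {
        ResourceServer server = resourceServer(clientModel);
        if (server == null) {
            return false;
        }
        return evaluateScopePermission(clientModel, server, getMapRolesClientScopePermissionName(clientModel), ClientPermissionManagement.MAP_ROLES_CLIENT_SCOPE);
    }

    /**
     * Summarises the caller's access to one client as view/manage/configure flags.
     *
     * <p>Manage and configure are reported as {@code false} whenever
     * {@code StorageId.isLocalStorage(clientModel)} is {@code false}, regardless of the caller's
     * permissions; view is not restricted that way.
     */
    @Override
    public Map<String, Boolean> getAccess(ClientModel clientModel) {
        Map<String, Boolean> access = new HashMap<>();
        access.put(AdminPermissionManagement.VIEW_SCOPE, canView(clientModel));
        access.put(AdminPermissionManagement.MANAGE_SCOPE, StorageId.isLocalStorage(clientModel) && canManage(clientModel));
        access.put(ClientPermissionManagement.CONFIGURE_SCOPE, StorageId.isLocalStorage(clientModel) && canConfigure(clientModel));
        return access;
    }
}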
