package org.keycloak.authorization.policy.evaluation;

import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.Map;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Consumer;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.Decision;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.representations.idm.authorization.PolicyEnforcementMode;

/* loaded from: input_file:BOOT-INF/lib/keycloak-server-spi-private-20.0.2.jar:org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.class */
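/**
 * Default {@link PolicyEvaluator}: looks up the policies that apply to a requested permission and
 * hands each one to its {@link PolicyProvider}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link PolicyEnforcementMode#DISABLED} grants every permission without consulting any policy.</li>
 *   <li>A permission that already reports {@code isGranted()} is granted without consulting any policy.</li>
 *   <li>{@link PolicyEnforcementMode#PERMISSIVE} grants a permission when no policy was evaluated for it.</li>
 *   <li>In any other mode, a permission with no applicable policy receives neither a grant nor an
 *       {@code onComplete} callback from this class.</li>
 * </ul>
 */
public class DefaultPolicyEvaluator implements PolicyEvaluator {

    /**
     * Evaluates the policies applicable to {@code resourcePermission} and reports through {@code decision}.
     *
     * <p>Policies are collected, in this order, from: the requested resource, the resource's type,
     * every resource of the same type (only when the requested resource is not owned by the resource
     * server's client), and finally the requested scopes.
     *
     * @param resourcePermission    the permission being requested
     * @param authorizationProvider source of the stores and of the policy providers
     * @param evaluationContext     context passed through to each {@link DefaultEvaluation}
     * @param decision              receives the evaluation results and the completion callback
     * @param map                   passed unchanged to each {@link DefaultEvaluation}
     *                              (presumably a per-policy decision cache; confirm against DefaultEvaluation)
     * @throws RuntimeException if a matching policy has a type with no registered provider
     */
    @Override
    public void evaluate(ResourcePermission resourcePermission, AuthorizationProvider authorizationProvider, EvaluationContext evaluationContext, Decision decision, Map<Policy, Map<Object, Decision.Effect>> map) {
        StoreFactory storeFactory = authorizationProvider.getStoreFactory();
        PolicyStore policyStore = storeFactory.getPolicyStore();
        ResourceStore resourceStore = storeFactory.getResourceStore();
        ResourceServer resourceServer = resourcePermission.getResourceServer();
        PolicyEnforcementMode enforcementMode = resourceServer.getPolicyEnforcementMode();

        // Both short-circuits bypass policy lookup entirely: enforcement switched off for the whole
        // resource server, or a permission that was already marked as granted.
        if (PolicyEnforcementMode.DISABLED.equals(enforcementMode) || resourcePermission.isGranted()) {
            grantAndComplete(resourcePermission, authorizationProvider, evaluationContext, decision);
            return;
        }

        // Flipped by the consumer once at least one policy has been evaluated.
        AtomicBoolean policyEvaluated = new AtomicBoolean();
        Consumer<Policy> policyConsumer = createPolicyEvaluator(resourcePermission, authorizationProvider, evaluationContext, decision, policyEvaluated, map);

        Resource resource = resourcePermission.getResource();
        if (resource != null) {
            policyStore.findByResource(resourceServer, resource, policyConsumer);
            String resourceType = resource.getType();
            if (resourceType != null) {
                policyStore.findByResourceType(resourceServer, resourceType, policyConsumer);
                // NOTE(review): getOwner() is dereferenced without a null check; this relies on every
                // resource having an owner. Confirm against the Resource model.
                if (!resource.getOwner().equals(resourceServer.getClientId())) {
                    // The resource is not owned by the resource server's client, so policies attached
                    // to the resources returned for the same type are evaluated as well.
                    for (Resource typedResource : resourceStore.findByType(resourceServer, resourceType)) {
                        policyStore.findByResource(resourceServer, typedResource, policyConsumer);
                    }
                }
            }
        }

        Collection<Scope> scopes = resourcePermission.getScopes();
        if (!scopes.isEmpty()) {
            // Typed copy (the original used a raw LinkedList); the null resource argument is kept as is.
            policyStore.findByScopes(resourceServer, null, new LinkedList<>(scopes), policyConsumer);
        }

        if (policyEvaluated.get()) {
            decision.onComplete(resourcePermission);
        } else if (PolicyEnforcementMode.PERMISSIVE.equals(enforcementMode)) {
            // No policy is associated with the permission: permissive mode turns that into a grant.
            grantAndComplete(resourcePermission, authorizationProvider, evaluationContext, decision);
        }
        // Otherwise nothing is reported here: no grant and no onComplete for this permission.
        // NOTE(review): callers presumably treat the absence of a grant as a denial; confirm in the
        // Decision implementations.
    }

    /**
     * Grants {@code resourcePermission} unconditionally and signals completion to {@code decision}.
     * No policy is consulted on this path.
     */
    private void grantAndComplete(ResourcePermission resourcePermission, AuthorizationProvider authorizationProvider, EvaluationContext evaluationContext, Decision decision) {
        DefaultEvaluation evaluation = new DefaultEvaluation(resourcePermission, evaluationContext, decision, authorizationProvider);
        evaluation.grant();
        decision.onComplete(resourcePermission);
    }

    /**
     * Builds the callback that the policy store invokes for every policy it finds.
     *
     * <p>The callback resolves the provider for the policy's type, evaluates the policy, and then
     * records in {@code policyEvaluated} that at least one policy ran. The flag is set only after
     * {@code provider.evaluate} returns, so an exception from the provider leaves it untouched.
     *
     * @throws RuntimeException (from the returned consumer) if no provider is registered for the policy type
     */
    private Consumer<Policy> createPolicyEvaluator(ResourcePermission resourcePermission, AuthorizationProvider authorizationProvider, EvaluationContext evaluationContext, Decision decision, AtomicBoolean policyEvaluated, Map<Policy, Map<Object, Decision.Effect>> map) {
        return policy -> {
            PolicyProvider provider = authorizationProvider.getProvider(policy.getType());
            if (provider == null) {
                // Fail closed: a policy whose type cannot be resolved aborts the evaluation.
                throw new RuntimeException("Unknown parentPolicy provider for type [" + policy.getType() + "].");
            }
            provider.evaluate(new DefaultEvaluation(resourcePermission, evaluationContext, policy, decision, authorizationProvider, map));
            policyEvaluated.set(true);
        };
    }
}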
