package org.keycloak.authorization.fgap.evaluation;

import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Stream;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.Decision;
import org.keycloak.authorization.fgap.AdminPermissionsSchema;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.Evaluation;
import org.keycloak.authorization.policy.evaluation.EvaluationContext;
import org.keycloak.authorization.policy.evaluation.Realm;

/* loaded from: input_file:org/keycloak/authorization/fgap/evaluation/FGAPEvaluation.class */
class FGAPEvaluation implements Evaluation {
    private final Evaluation evaluation;
    private final Map<Scope, Set<Resource>> scopesGrantedByResource;

    /* JADX INFO: Access modifiers changed from: package-private */
    public FGAPEvaluation(Evaluation evaluation, Map<Scope, Set<Resource>> map) {
        this.evaluation = evaluation;
        this.scopesGrantedByResource = map;
    }

    @Override // org.keycloak.authorization.policy.evaluation.Evaluation
    public boolean isGranted(Policy policy, Scope scope) {
        String resourceType = getPermission().getResourceType();
        if (resourceType == null) {
            return false;
        }
        Set<Scope> scopes = policy.getScopes();
        if (isForResourceType(policy, resourceType) && scopes.contains(scope)) {
            this.scopesGrantedByResource.computeIfAbsent(scope, scope2 -> {
                return new HashSet();
            }).addAll(policy.getResources());
            return true;
        }
        Set<String> scopeAliases = AdminPermissionsSchema.SCHEMA.getScopeAliases(resourceType, scope);
        if (scopeAliases.isEmpty()) {
            return false;
        }
        Stream<R> map = scopes.stream().map((v0) -> {
            return v0.getName();
        });
        Objects.requireNonNull(scopeAliases);
        boolean anyMatch = map.anyMatch((v1) -> {
            return r1.contains(v1);
        });
        if (anyMatch) {
            this.scopesGrantedByResource.computeIfAbsent(scope, scope3 -> {
                return new HashSet();
            }).addAll(policy.getResources());
        }
        return anyMatch;
    }

    @Override // org.keycloak.authorization.policy.evaluation.Evaluation
    public boolean isDenied(Policy policy, Scope scope) {
        ResourcePermission permission = getPermission();
        String resourceType = permission.getResourceType();
        if (resourceType == null) {
            return false;
        }
        if (isForSpecificResource(policy)) {
            return true;
        }
        if (isForResourceType(policy, resourceType)) {
            return !isGranted(permission.getResource(), scope);
        }
        Set<String> scopeAliases = AdminPermissionsSchema.SCHEMA.getScopeAliases(resourceType, scope);
        if (scopeAliases.isEmpty()) {
            return false;
        }
        Iterator<Scope> it = policy.getScopes().iterator();
        while (it.hasNext()) {
            if (scopeAliases.contains(it.next().getName())) {
                return !isGranted(scope);
            }
        }
        return false;
    }

    @Override // org.keycloak.authorization.policy.evaluation.Evaluation
    public ResourcePermission getPermission() {
        return this.evaluation.getPermission();
    }

    @Override // org.keycloak.authorization.policy.evaluation.Evaluation
    public EvaluationContext getContext() {
        return this.evaluation.getContext();
    }

    @Override // org.keycloak.authorization.policy.evaluation.Evaluation
    public Policy getPolicy() {
        return this.evaluation.getPolicy();
    }

    @Override // org.keycloak.authorization.policy.evaluation.Evaluation
    public Realm getRealm() {
        return this.evaluation.getRealm();
    }

    @Override // org.keycloak.authorization.policy.evaluation.Evaluation
    public AuthorizationProvider getAuthorizationProvider() {
        return this.evaluation.getAuthorizationProvider();
    }

    @Override // org.keycloak.authorization.policy.evaluation.Evaluation
    public void grant() {
        this.evaluation.grant();
    }

    @Override // org.keycloak.authorization.policy.evaluation.Evaluation
    public void deny() {
        this.evaluation.deny();
    }

    @Override // org.keycloak.authorization.policy.evaluation.Evaluation
    public void denyIfNoEffect() {
        this.evaluation.denyIfNoEffect();
    }

    @Override // org.keycloak.authorization.policy.evaluation.Evaluation
    public Policy getParentPolicy() {
        return this.evaluation.getParentPolicy();
    }

    @Override // org.keycloak.authorization.policy.evaluation.Evaluation
    public Decision.Effect getEffect() {
        return this.evaluation.getEffect();
    }

    @Override // org.keycloak.authorization.policy.evaluation.Evaluation
    public void setEffect(Decision.Effect effect) {
        this.evaluation.setEffect(effect);
    }

    private boolean isForResourceType(Policy policy, String str) {
        return policy.getResourceType().equals(str);
    }

    private boolean isForSpecificResource(Policy policy) {
        return !policy.getResources().contains(getResourceTypeResource(policy, policy.getResourceType()));
    }

    private boolean isGranted(Resource resource, Scope scope) {
        Stream<Resource> stream = this.scopesGrantedByResource.getOrDefault(scope, Set.of()).stream();
        Objects.requireNonNull(resource);
        return stream.anyMatch((v1) -> {
            return r1.equals(v1);
        });
    }

    private boolean isGranted(Scope scope) {
        return !this.scopesGrantedByResource.getOrDefault(scope, Set.of()).isEmpty();
    }

    private Resource getResourceTypeResource(Policy policy, String str) {
        return AdminPermissionsSchema.SCHEMA.getResourceTypeResource(getAuthorizationProvider().getKeycloakSession(), policy.getResourceServer(), str);
    }
}
