package org.keycloak.authorization.policy.evaluation;

import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.Map;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Consumer;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.Decision;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.representations.idm.authorization.PolicyEnforcementMode;

/* loaded from: input_file:org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.class */
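/**
 * Default {@link PolicyEvaluator}. For one {@link ResourcePermission} it collects the policies
 * attached to the requested resource, to the resource's type and to the requested scopes, and
 * hands each of them to the {@link PolicyProvider} registered for the policy's type.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link PolicyEnforcementMode#DISABLED} grants every permission without looking up a
 *       single policy.</li>
 *   <li>A permission that already reports {@code isGranted()} is granted without policy
 *       evaluation.</li>
 *   <li>{@link PolicyEnforcementMode#PERMISSIVE} grants a permission for which no policy was
 *       evaluated at all.</li>
 *   <li>In any other mode, a permission for which no policy was evaluated gets neither a grant
 *       nor an {@code onComplete} callback from this class.</li>
 * </ul>
 */
public class DefaultPolicyEvaluator implements PolicyEvaluator {

    /**
     * Evaluates all policies that apply to {@code resourcePermission} and reports the outcome
     * through {@code decision}.
     *
     * @param resourcePermission    the permission (resource plus scopes) being requested
     * @param authorizationProvider gives access to the stores and to the policy providers
     * @param evaluationContext     context handed unchanged to every evaluation
     * @param decision              callback that receives the per-policy results and completion
     * @param map                   passed unchanged to each {@link DefaultEvaluation}; its use is
     *                              not visible here (presumably a cache of already computed
     *                              effects per policy; confirm in DefaultEvaluation)
     */
    @Override // org.keycloak.authorization.policy.evaluation.PolicyEvaluator
    public void evaluate(ResourcePermission resourcePermission, AuthorizationProvider authorizationProvider, EvaluationContext evaluationContext, Decision decision, Map<Policy, Map<Object, Decision.Effect>> map) {
        StoreFactory storeFactory = authorizationProvider.getStoreFactory();
        // The results of these two calls are discarded. They are kept because this file cannot
        // show whether the accessors have side effects.
        // NOTE(review): confirm they are plain getters and drop the calls.
        storeFactory.getPolicyStore();
        storeFactory.getResourceStore();

        PolicyEnforcementMode policyEnforcementMode = resourcePermission.getResourceServer().getPolicyEnforcementMode();

        // Enforcement switched off for the whole resource server: grant without any policy lookup.
        if (PolicyEnforcementMode.DISABLED.equals(policyEnforcementMode)) {
            grantAndComplete(resourcePermission, authorizationProvider, evaluationContext, decision);
            return;
        }

        // The permission was granted before it reached this evaluator: no policy is consulted.
        if (resourcePermission.isGranted()) {
            grantAndComplete(resourcePermission, authorizationProvider, evaluationContext, decision);
            return;
        }

        // Set to true by the consumer once at least one policy has been evaluated.
        AtomicBoolean policyEvaluated = new AtomicBoolean();
        Consumer<Policy> policyConsumer = createPolicyEvaluator(resourcePermission, authorizationProvider, evaluationContext, decision, policyEvaluated, map);

        // Resource and resource-type policies only make sense when a resource was requested;
        // scope policies are looked up in either case.
        if (resourcePermission.getResource() != null) {
            evaluateResourcePolicies(resourcePermission, authorizationProvider, policyConsumer);
            evaluateResourceTypePolicies(resourcePermission, authorizationProvider, policyConsumer);
        }
        evaluateScopePolicies(resourcePermission, authorizationProvider, policyConsumer);

        if (policyEvaluated.get()) {
            // The effect itself was reported by the providers through their evaluations;
            // here the decision is only told that this permission is finished.
            decision.onComplete(resourcePermission);
        } else if (PolicyEnforcementMode.PERMISSIVE.equals(policyEnforcementMode)) {
            // PERMISSIVE: a permission that no policy covers is granted.
            grantAndComplete(resourcePermission, authorizationProvider, evaluationContext, decision);
        }
        // Otherwise no policy covered the permission and the mode is not PERMISSIVE: neither
        // grant() nor onComplete() is called.
        // NOTE(review): callers presumably treat the missing grant as a denial; confirm against
        // the Decision implementations in use.
    }

    /**
     * Feeds every policy that the policy store associates with the requested resource to
     * {@code consumer}.
     *
     * @param resourcePermission    permission whose resource is looked up; the only caller in
     *                              this class checks the resource for {@code null} first
     * @param authorizationProvider source of the policy store
     * @param consumer              receives each matching policy
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void evaluateResourcePolicies(ResourcePermission resourcePermission, AuthorizationProvider authorizationProvider, Consumer<Policy> consumer) {
        authorizationProvider.getStoreFactory().getPolicyStore().findByResource(resourcePermission.getResourceServer(), resourcePermission.getResource(), consumer);
    }

    /**
     * Feeds the policies that apply to the requested resource through its type to
     * {@code consumer}. Does nothing when the resource has no type.
     *
     * <p>Policies bound to the type are always evaluated. When the resource is not owned by the
     * resource server itself (owner differs from the server's client id), the policies of every
     * resource that {@code findByType} returns for that type are evaluated as well.
     * NOTE(review): presumably this lets resources owned by others inherit the policies of the
     * server's resources of the same type; confirm which resources {@code findByType} returns.
     *
     * @param resourcePermission    permission whose resource must be non-null
     * @param authorizationProvider source of the policy and resource stores
     * @param consumer              receives each matching policy
     * @throws NullPointerException if the typed resource has no owner
     */
    protected void evaluateResourceTypePolicies(ResourcePermission resourcePermission, AuthorizationProvider authorizationProvider, Consumer<Policy> consumer) {
        Resource resource = resourcePermission.getResource();
        if (resource.getType() == null) {
            return;
        }
        StoreFactory storeFactory = authorizationProvider.getStoreFactory();
        PolicyStore policyStore = storeFactory.getPolicyStore();
        ResourceServer resourceServer = resourcePermission.getResourceServer();

        policyStore.findByResourceType(resourceServer, resource.getType(), consumer);

        // A resource owned by the resource server itself stops here.
        if (resource.getOwner().equals(resourceServer.getClientId())) {
            return;
        }
        for (Resource typedResource : storeFactory.getResourceStore().findByType(resourceServer, resource.getType())) {
            policyStore.findByResource(resourceServer, typedResource, consumer);
        }
    }

    /**
     * Feeds the policies that the policy store associates with the requested scopes to
     * {@code consumer}. Does nothing when the permission carries no scopes.
     *
     * @param resourcePermission    permission whose scopes are looked up
     * @param authorizationProvider source of the policy store
     * @param consumer              receives each matching policy
     */
    protected void evaluateScopePolicies(ResourcePermission resourcePermission, AuthorizationProvider authorizationProvider, Consumer<Policy> consumer) {
        Collection<Scope> scopes = resourcePermission.getScopes();
        if (scopes.isEmpty()) {
            return;
        }
        // The resource argument is deliberately null here.
        // NOTE(review): presumably this selects policies bound to the scopes alone; confirm in
        // PolicyStore.findByScopes.
        // The store receives a typed copy of the scopes (previously a raw LinkedList), so the
        // call no longer relies on an unchecked conversion.
        authorizationProvider.getStoreFactory().getPolicyStore().findByScopes(resourcePermission.getResourceServer(), null, new LinkedList<>(scopes), consumer);
    }

    /**
     * Grants the permission without reference to any policy and marks it complete.
     * Used for the DISABLED mode, for already granted permissions and for the PERMISSIVE
     * fallback.
     */
    private void grantAndComplete(ResourcePermission resourcePermission, AuthorizationProvider authorizationProvider, EvaluationContext evaluationContext, Decision decision) {
        new DefaultEvaluation(resourcePermission, evaluationContext, decision, authorizationProvider).grant();
        decision.onComplete(resourcePermission);
    }

    /**
     * Builds the consumer that evaluates one policy: it resolves the provider for the policy's
     * type, lets it evaluate a fresh {@link DefaultEvaluation}, and then records in
     * {@code atomicBoolean} that at least one policy was evaluated.
     *
     * <p>The flag is set only after {@code provider.evaluate} has returned normally. A policy
     * whose type has no registered provider aborts the evaluation with an exception instead of
     * being skipped, so an unknown policy type is never silently ignored.
     *
     * @param atomicBoolean set to {@code true} once a policy has been evaluated
     * @param map           passed unchanged to each {@link DefaultEvaluation}
     * @return the consumer to hand to the policy store lookups
     * @throws RuntimeException from the returned consumer when no provider exists for a policy type
     */
    protected Consumer<Policy> createPolicyEvaluator(ResourcePermission resourcePermission, AuthorizationProvider authorizationProvider, EvaluationContext evaluationContext, Decision decision, AtomicBoolean atomicBoolean, Map<Policy, Map<Object, Decision.Effect>> map) {
        return policy -> {
            PolicyProvider provider = authorizationProvider.getProvider(policy.getType());
            if (provider == null) {
                throw new RuntimeException("Unknown parentPolicy provider for type [" + policy.getType() + "].");
            }
            provider.evaluate(new DefaultEvaluation(resourcePermission, evaluationContext, policy, decision, authorizationProvider, map));
            atomicBoolean.compareAndSet(false, true);
        };
    }
}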
