package org.keycloak.authorization.fgap;

import jakarta.persistence.criteria.CriteriaBuilder;
import jakarta.persistence.criteria.CriteriaQuery;
import jakarta.persistence.criteria.Path;
import jakarta.persistence.criteria.Predicate;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.fgap.evaluation.FGAPPolicyEvaluator;
import org.keycloak.authorization.fgap.evaluation.partial.PartialEvaluationStorageProvider;
import org.keycloak.authorization.fgap.evaluation.partial.PartialEvaluator;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.policy.evaluation.PolicyEvaluator;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.common.Profile;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientProvider;
import org.keycloak.models.Constants;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelException;
import org.keycloak.models.ModelValidationException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleContainerModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.provider.ProviderEvent;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.AuthorizationSchema;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ResourceServerRepresentation;
import org.keycloak.representations.idm.authorization.ResourceType;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;

/* loaded from: input_file:org/keycloak/authorization/fgap/AdminPermissionsSchema.class */
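/**
 * Authorization schema backing fine-grained admin permissions V2 (FGAP): the fixed set of resource types
 * ({@code Clients}, {@code Groups}, {@code Roles}, {@code Users}), the scopes each type supports, and the
 * helpers the authorization services use to map realm objects (clients, groups, roles, users) onto
 * resources of the realm's admin-permissions client.
 * <p>
 * Every schema-aware method first checks {@link #supportsAuthorizationSchema}, so the schema only takes
 * effect for the realm's admin-permissions client and only while the feature is enabled for the realm.
 * The class is a singleton exposed as {@link #SCHEMA}.
 * <p>
 * This listing was recovered from a decompiler; the string-switch dispatch it produced ({@code boolean z = -1},
 * duplicate {@code case true}) is not valid Java and has been restored to plain string switches here.
 */
public class AdminPermissionsSchema extends AuthorizationSchema {
    /** Session attribute that, while set to {@code "true"}, disables FGAP evaluation for the current session. */
    private static final String SKIP_EVALUATION = "kc.authz.fgap.skip";
    /** The only policy type the admin-permissions client rejects; see {@link #isSupportedPolicyType}. */
    private static final String RESOURCE_POLICY_TYPE = "resource";
    private final PartialEvaluator partialEvaluator;
    private final PolicyEvaluator policyEvaluator;
    public static final String CLIENTS_RESOURCE_TYPE = "Clients";
    public static final String MANAGE = "manage";
    public static final String MAP_ROLES = "map-roles";
    public static final String MAP_ROLES_CLIENT_SCOPE = "map-roles-client-scope";
    public static final String MAP_ROLES_COMPOSITE = "map-roles-composite";
    public static final String VIEW = "view";
    public static final ResourceType CLIENTS = new ResourceType(CLIENTS_RESOURCE_TYPE, Set.of(MANAGE, MAP_ROLES, MAP_ROLES_CLIENT_SCOPE, MAP_ROLES_COMPOSITE, VIEW));
    public static final String GROUPS_RESOURCE_TYPE = "Groups";
    public static final String MANAGE_MEMBERSHIP = "manage-membership";
    public static final String MANAGE_MEMBERS = "manage-members";
    public static final String VIEW_MEMBERS = "view-members";
    public static final String IMPERSONATE_MEMBERS = "impersonate-members";
    public static final ResourceType GROUPS = new ResourceType(GROUPS_RESOURCE_TYPE, Set.of(MANAGE, VIEW, MANAGE_MEMBERSHIP, MANAGE_MEMBERS, VIEW_MEMBERS, IMPERSONATE_MEMBERS));
    public static final String ROLES_RESOURCE_TYPE = "Roles";
    public static final String MAP_ROLE = "map-role";
    public static final String MAP_ROLE_CLIENT_SCOPE = "map-role-client-scope";
    public static final String MAP_ROLE_COMPOSITE = "map-role-composite";
    public static final ResourceType ROLES = new ResourceType(ROLES_RESOURCE_TYPE, Set.of(MAP_ROLE, MAP_ROLE_CLIENT_SCOPE, MAP_ROLE_COMPOSITE));
    public static final String USERS_RESOURCE_TYPE = "Users";
    public static final String IMPERSONATE = "impersonate";
    public static final String MANAGE_GROUP_MEMBERSHIP = "manage-group-membership";
    /**
     * User scopes alias the corresponding group-member scopes ({@code view} ↔ {@code view-members},
     * {@code manage} ↔ {@code manage-members}, {@code impersonate} ↔ {@code impersonate-members}), with
     * {@code Groups} as the aliased type; see {@link #getScopeAliases}.
     */
    public static final ResourceType USERS = new ResourceType(USERS_RESOURCE_TYPE, Set.of(MANAGE, VIEW, IMPERSONATE, MAP_ROLES, MANAGE_GROUP_MEMBERSHIP), Map.of(VIEW, Set.of(VIEW_MEMBERS), MANAGE, Set.of(MANAGE_MEMBERS), IMPERSONATE, Set.of(IMPERSONATE_MEMBERS)), GROUPS.getType());
    /** The single schema instance; must stay declared after the {@link ResourceType} constants it registers. */
    public static final AdminPermissionsSchema SCHEMA = new AdminPermissionsSchema();

    private AdminPermissionsSchema() {
        super(Map.of(CLIENTS_RESOURCE_TYPE, CLIENTS, GROUPS_RESOURCE_TYPE, GROUPS, ROLES_RESOURCE_TYPE, ROLES, USERS_RESOURCE_TYPE, USERS));
        this.partialEvaluator = new PartialEvaluator();
        this.policyEvaluator = new FGAPPolicyEvaluator();
    }

    /**
     * Returns the resource representing the realm object {@code identifier} of type {@code resourceType},
     * creating it (with all scopes of the type) when it does not exist yet.
     * <p>
     * Lookup order: by resource id, then by the resolved object id as resource name.
     *
     * @param session        current session; the realm is taken from its context
     * @param resourceServer resource server of the admin-permissions client
     * @param unused         kept for signature compatibility; not read
     * @param resourceType   one of the schema's resource type names ({@code Clients}, {@code Groups}, ...)
     * @param identifier     resource id, or the id / client-id / username of the realm object
     * @return the resource, or {@code null} when the schema does not apply to {@code resourceServer}
     * @throws IllegalStateException if {@code resourceType} is not part of the schema
     * @throws ModelException        if one of the type's scopes is missing on the resource server
     */
    public Resource getOrCreateResource(KeycloakSession session, ResourceServer resourceServer, String unused, String resourceType, String identifier) {
        if (!supportsAuthorizationSchema(session, resourceServer)) {
            return null;
        }
        StoreFactory storeFactory = getStoreFactory(session);
        ResourceStore resourceStore = storeFactory.getResourceStore();
        Resource existing = resourceStore.findById(resourceServer, identifier);
        if (existing != null) {
            return existing;
        }
        // NOTE(review): when the identifier does not resolve to an existing client/group/role/user the name
        // falls back to the resource type itself, i.e. the type-level resource created in init(). A caller
        // passing a mistyped or stale id therefore ends up with a permission bound to the type-wide resource
        // instead of an error. Callers should validate the id before reaching this point — confirm whether
        // the fallback is relied on deliberately (e.g. passing the type name as the id).
        String resourceName = resolveResourceName(session, resourceType, identifier);
        Resource resource = resourceStore.findByName(resourceServer, resourceName);
        if (resource == null) {
            resource = resourceStore.create(resourceServer, resourceName, resourceServer.getClientId());
            ScopeStore scopeStore = storeFactory.getScopeStore();
            Set<Scope> scopes = getResourceTypes().get(resourceType).getScopes().stream()
                    .map(scopeName -> requireScope(scopeStore, resourceServer, scopeName))
                    .collect(Collectors.toSet());
            resource.updateScopes(scopes);
        }
        return resource;
    }

    /**
     * Maps {@code identifier} to the store id of the realm object it names, or to {@code resourceType}
     * when it cannot be resolved (see the caveat in {@link #getOrCreateResource}).
     *
     * @throws IllegalStateException for a resource type outside the schema
     */
    private String resolveResourceName(KeycloakSession session, String resourceType, String identifier) {
        switch (resourceType) {
            case CLIENTS_RESOURCE_TYPE:
                return resolveClient(session, identifier).map(ClientModel::getId).orElse(resourceType);
            case GROUPS_RESOURCE_TYPE:
                return resolveGroup(session, identifier).map(GroupModel::getId).orElse(resourceType);
            case ROLES_RESOURCE_TYPE:
                return resolveRole(session, identifier).map(RoleModel::getId).orElse(resourceType);
            case USERS_RESOURCE_TYPE:
                return resolveUser(session, identifier).map(UserModel::getId).orElse(resourceType);
            default:
                throw new IllegalStateException("Resource type [" + resourceType + "] not found.");
        }
    }

    /** Looks up a scope by name on the resource server, failing loudly rather than attaching a null scope. */
    private static Scope requireScope(ScopeStore scopeStore, ResourceServer resourceServer, String scopeName) {
        Scope scope = scopeStore.findByName(resourceServer, scopeName);
        if (scope == null) {
            throw new ModelException("Scope [" + scopeName + "] not found.");
        }
        return scope;
    }

    /**
     * Returns the type-level resource (named after the type, created by {@link #init}) for {@code resourceTypeName}.
     *
     * @return the resource, or {@code null} when the schema does not apply, the name is {@code null}, the type is
     *         unknown, or the resource is missing
     */
    public Resource getResourceTypeResource(KeycloakSession session, ResourceServer resourceServer, String resourceTypeName) {
        if (!supportsAuthorizationSchema(session, resourceServer)) {
            return null;
        }
        ResourceType resourceType = findResourceType(resourceTypeName);
        if (resourceType == null) {
            return null;
        }
        return getStoreFactory(session).getResourceStore().findByName(resourceServer, resourceType.getType());
    }

    /**
     * Whether a policy of {@code policyType} may be created on {@code resourceServer}. Only {@code "resource"}
     * permissions are rejected, and only for the admin-permissions client; a {@code null} type is not
     * {@code "resource"} and is therefore reported as supported (the original compared with {@code policyType.equals}
     * and would have thrown on {@code null}).
     */
    public boolean isSupportedPolicyType(KeycloakSession session, ResourceServer resourceServer, String policyType) {
        return !(supportsAuthorizationSchema(session, resourceServer) && RESOURCE_POLICY_TYPE.equals(policyType));
    }

    /** Whether {@code clientId} is the internal id of the realm's admin-permissions client. */
    public boolean isAdminPermissionClient(RealmModel realm, String clientId) {
        ClientModel adminClient = realm.getAdminPermissionsClient();
        return adminClient != null && adminClient.getId().equals(clientId);
    }

    /**
     * The schema applies only when the feature is enabled for the realm in the session context and
     * {@code resourceServer} belongs to that realm's admin-permissions client. The realm is read from the
     * session context, not from the resource server, so the context realm must be set correctly by the caller.
     */
    private boolean supportsAuthorizationSchema(KeycloakSession session, ResourceServer resourceServer) {
        RealmModel realm = session.getContext().getRealm();
        return isAdminPermissionsEnabled(realm) && isAdminPermissionClient(realm, resourceServer.getId());
    }

    /**
     * Rejects operations on the admin-permissions client itself.
     *
     * @throws ModelValidationException when {@code clientId} is the admin-permissions client of the context realm
     */
    public void throwExceptionIfAdminPermissionClient(KeycloakSession session, String clientId) {
        if (isAdminPermissionClient(session.getContext().getRealm(), clientId)) {
            throw new ModelValidationException("Not supported for this client.");
        }
    }

    private Optional<GroupModel> resolveGroup(KeycloakSession session, String groupId) {
        return Optional.ofNullable(session.groups().getGroupById(session.getContext().getRealm(), groupId));
    }

    private Optional<RoleModel> resolveRole(KeycloakSession session, String roleId) {
        return Optional.ofNullable(session.roles().getRoleById(session.getContext().getRealm(), roleId));
    }

    /** Resolves a user by id first, then by username. */
    private Optional<UserModel> resolveUser(KeycloakSession session, String idOrUsername) {
        RealmModel realm = session.getContext().getRealm();
        UserModel user = session.users().getUserById(realm, idOrUsername);
        if (user == null) {
            user = session.users().getUserByUsername(realm, idOrUsername);
        }
        return Optional.ofNullable(user);
    }

    /** Resolves a client by internal id first, then by client-id. */
    private Optional<ClientModel> resolveClient(KeycloakSession session, String idOrClientId) {
        RealmModel realm = session.getContext().getRealm();
        ClientModel client = session.clients().getClientById(realm, idOrClientId);
        if (client == null) {
            client = session.clients().getClientByClientId(realm, idOrClientId);
        }
        return Optional.ofNullable(client);
    }

    private StoreFactory getStoreFactory(KeycloakSession session) {
        return session.getProvider(AuthorizationProvider.class).getStoreFactory();
    }

    /** Null-safe schema lookup; the backing map is null-hostile on {@code get}. */
    private ResourceType findResourceType(String resourceTypeName) {
        return resourceTypeName == null ? null : getResourceTypes().get(resourceTypeName);
    }

    /**
     * Validates a scope permission for the admin-permissions client: it must name a schema resource type and
     * at least one scope. Other policy types and other resource servers are not checked.
     *
     * @throws ModelValidationException when the resource type is missing/unknown or no scopes are given
     */
    public void throwExceptionIfResourceTypeOrScopesNotProvided(KeycloakSession session, ResourceServer resourceServer, AbstractPolicyRepresentation representation) {
        if (!supportsAuthorizationSchema(session, resourceServer) || !(representation instanceof ScopePermissionRepresentation)) {
            return;
        }
        if (findResourceType(representation.getResourceType()) == null) {
            throw new ModelValidationException("Resource type not provided.");
        }
        Set<String> scopes = representation.getScopes();
        if (scopes == null || scopes.isEmpty()) {
            throw new ModelValidationException("Scopes not provided.");
        }
    }

    /**
     * Resolves a scope by id or name and, for the admin-permissions client, checks that it belongs to
     * {@code resourceTypeName}.
     *
     * @throws ModelValidationException when the scope does not exist, the resource type is not part of the schema,
     *                                  or the scope is not one of the type's scopes
     */
    public Scope getScope(KeycloakSession session, ResourceServer resourceServer, String resourceTypeName, String scopeIdOrName) {
        ScopeStore scopeStore = getStoreFactory(session).getScopeStore();
        Scope scope = Optional.ofNullable(scopeStore.findById(resourceServer, scopeIdOrName))
                .or(() -> Optional.ofNullable(scopeStore.findByName(resourceServer, scopeIdOrName)))
                .orElseThrow(() -> new ModelValidationException(String.format("Scope [%s] does not exist.", scopeIdOrName)));
        if (!supportsAuthorizationSchema(session, resourceServer)) {
            return scope;
        }
        // An unknown type used to surface as a NullPointerException; report it as a validation error instead.
        ResourceType resourceType = findResourceType(resourceTypeName);
        if (resourceType == null) {
            throw new ModelValidationException(String.format("Resource type [%s] not found.", resourceTypeName));
        }
        if (!resourceType.getScopes().contains(scope.getName())) {
            throw new ModelValidationException(String.format("Scope %s was not found for resource type %s.", scope.getName(), resourceTypeName));
        }
        return scope;
    }

    /**
     * Creates the realm's admin-permissions client (OIDC, id {@link Constants#ADMIN_PERMISSIONS_CLIENT_ID}) and its
     * resource server, seeded with every scope of the schema and one type-level resource per resource type.
     * No-op when the realm already has an admin-permissions client.
     */
    public void init(KeycloakSession session, RealmModel realm) {
        if (realm.getAdminPermissionsClient() != null) {
            return;
        }
        ClientModel client = session.clients().addClient(realm, Constants.ADMIN_PERMISSIONS_CLIENT_ID);
        client.setProtocol(RepresentationToModel.OIDC);
        realm.setAdminPermissionsClient(client);
        ResourceServerRepresentation representation = ModelToRepresentation.toRepresentation(
                RepresentationToModel.createResourceServer(client, session, false), client);
        Set<ScopeRepresentation> scopes = getResourceTypes().values().stream()
                .flatMap(resourceType -> resourceType.getScopes().stream())
                .map(ScopeRepresentation::new)
                .collect(Collectors.toSet());
        representation.setScopes(List.copyOf(scopes));
        List<ResourceRepresentation> resources = getResourceTypes().keySet().stream()
                .map(this::toTypeResourceRepresentation)
                .collect(Collectors.toList());
        representation.setResources(resources);
        RepresentationToModel.toModel(representation, session.getProvider(AuthorizationProvider.class), client);
    }

    /** Builds the type-level resource (name and type both equal to the type name) carrying all of the type's scopes. */
    private ResourceRepresentation toTypeResourceRepresentation(String resourceTypeName) {
        ResourceType resourceType = getResourceTypes().get(resourceTypeName);
        ResourceRepresentation resource = new ResourceRepresentation(resourceTypeName, resourceType.getScopes().toArray(new String[0]));
        resource.setType(resourceTypeName);
        return resource;
    }

    /** FGAP V2 is active only when the feature flag is on and the realm opted in. */
    public boolean isAdminPermissionsEnabled(RealmModel realm) {
        return Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ_V2) && realm != null && realm.isAdminPermissionsEnabled();
    }

    /** @return {@link #SCHEMA} for the realm's admin-permissions client while the feature is enabled, else {@code null} */
    public AuthorizationSchema getAuthorizationSchema(ClientModel client) {
        RealmModel realm = client.getRealm();
        if (isAdminPermissionsEnabled(realm) && isAdminPermissionClient(realm, client.getId())) {
            return SCHEMA;
        }
        return null;
    }

    /**
     * Detaches {@code resource} from {@code policy}. For ordinary resource servers this is a plain
     * {@code policy.removeResource}. For the admin-permissions client, type-level resources are left untouched,
     * and an object resource referenced by no other policy is deleted outright instead of merely detached.
     */
    public void removeResource(Resource resource, Policy policy, AuthorizationProvider authorizationProvider) {
        ResourceServer resourceServer = resource.getResourceServer();
        if (!isAdminPermissionClient(authorizationProvider.getRealm(), resourceServer.getId())) {
            policy.removeResource(resource);
            return;
        }
        if (findResourceType(resource.getName()) != null) {
            // type-level resources are permanent and are never detached here
            return;
        }
        StoreFactory storeFactory = authorizationProvider.getStoreFactory();
        if (isOnlyReferencingPolicy(storeFactory, resourceServer, resource, policy)) {
            storeFactory.getResourceStore().delete(resource.getId());
        } else {
            policy.removeResource(resource);
        }
    }

    /**
     * Deletes every object resource of {@code policy} (admin-permissions client only) that no other policy
     * references, so that removing a policy does not leave dangling per-object resources behind.
     */
    public void removeOrphanResources(Policy policy, AuthorizationProvider authorizationProvider) {
        ResourceServer resourceServer = policy.getResourceServer();
        if (!isAdminPermissionClient(authorizationProvider.getRealm(), resourceServer.getId())) {
            return;
        }
        StoreFactory storeFactory = authorizationProvider.getStoreFactory();
        for (Resource resource : policy.getResources()) {
            if (findResourceType(resource.getName()) != null) {
                continue;
            }
            if (isOnlyReferencingPolicy(storeFactory, resourceServer, resource, policy)) {
                storeFactory.getResourceStore().delete(resource.getId());
            }
        }
    }

    /** Whether {@code policy} is the one and only policy that references {@code resource}. */
    private static boolean isOnlyReferencingPolicy(StoreFactory storeFactory, ResourceServer resourceServer, Resource resource, Policy policy) {
        List<Policy> referencing = storeFactory.getPolicyStore().findByResource(resourceServer, resource);
        return referencing.size() == 1 && policy.equals(referencing.get(0));
    }

    /**
     * Human-readable name of {@code resource} as used by {@code policy}: the realm object's client-id / name /
     * username when the schema applies, otherwise the resource's display name.
     */
    public String getResourceName(KeycloakSession session, Policy policy, Resource resource) {
        ResourceServer resourceServer = policy.getResourceServer();
        if (supportsAuthorizationSchema(session, resourceServer)) {
            return getResourceName(session, resourceServer, policy.getResourceType(), resource.getName());
        }
        return resource.getDisplayName();
    }

    /**
     * Resolves the resource name (an object id) of {@code resourceType} to a human-readable name. Falls back to
     * the type name when the object no longer exists, and returns {@code resourceName} unchanged when
     * {@code resourceType} is {@code null} or the schema does not apply.
     *
     * @throws IllegalStateException for a non-null resource type outside the schema
     */
    public String getResourceName(KeycloakSession session, ResourceServer resourceServer, String resourceType, String resourceName) {
        if (resourceType == null || !supportsAuthorizationSchema(session, resourceServer)) {
            return resourceName;
        }
        switch (resourceType) {
            case CLIENTS_RESOURCE_TYPE:
                return resolveClient(session, resourceName).map(ClientModel::getClientId).orElse(resourceType);
            case GROUPS_RESOURCE_TYPE:
                return resolveGroup(session, resourceName).map(GroupModel::getName).orElse(resourceType);
            case ROLES_RESOURCE_TYPE:
                return resolveRole(session, resourceName).map(RoleModel::getName).orElse(resourceType);
            case USERS_RESOURCE_TYPE:
                return resolveUser(session, resourceName).map(UserModel::getUsername).orElse(resourceType);
            default:
                throw new IllegalStateException("Resource type [" + resourceType + "] not found.");
        }
    }

    /**
     * Keeps the type-level resource consistent with a policy's resource list: a policy without resources gets the
     * type-level resource (i.e. applies to all objects of the type); a policy with more than one resource has the
     * type-level resource removed so that it is scoped to the listed objects only. A single-resource policy is
     * left as is. The method name is kept for compatibility.
     */
    public void addUResourceTypeResource(KeycloakSession session, ResourceServer resourceServer, Policy policy, String resourceTypeName) {
        Resource typeResource = getResourceTypeResource(session, resourceServer, resourceTypeName);
        if (typeResource == null) {
            return;
        }
        Set<Resource> resources = policy.getResources();
        if (resources.isEmpty()) {
            policy.addResource(typeResource);
        } else if (resources.size() > 1) {
            policy.removeResource(typeResource);
        }
    }

    /**
     * Reacts to a user/client/group/role removal: deletes the admin-permissions resource named by the removed
     * object's id, deleting policies that referenced only that resource and detaching it from the others.
     * Other events, realms without the feature, and realms without an admin-permissions client are ignored.
     */
    public void removeResourceObject(AuthorizationProvider authorizationProvider, ProviderEvent event) {
        RealmModel realm = authorizationProvider.getRealm();
        if (!isAdminPermissionsEnabled(realm) || realm.getAdminPermissionsClient() == null) {
            return;
        }
        String removedId = removedObjectId(event);
        if (removedId == null) {
            return;
        }
        StoreFactory storeFactory = authorizationProvider.getStoreFactory();
        ResourceServer resourceServer = storeFactory.getResourceServerStore().findByClient(realm.getAdminPermissionsClient());
        if (resourceServer == null) {
            // the admin-permissions client exists but has no resource server; nothing to clean up
            return;
        }
        Resource resource = storeFactory.getResourceStore().findByName(resourceServer, removedId);
        if (resource == null) {
            return;
        }
        for (Policy policy : storeFactory.getPolicyStore().findByResource(resourceServer, resource)) {
            if (policy.getResources().size() == 1) {
                storeFactory.getPolicyStore().delete(policy.getId());
            } else {
                policy.removeResource(resource);
            }
        }
        storeFactory.getResourceStore().delete(resource.getId());
    }

    /** Id of the removed realm object carried by {@code event}, or {@code null} for events this schema ignores. */
    private static String removedObjectId(ProviderEvent event) {
        if (event instanceof UserModel.UserRemovedEvent) {
            return ((UserModel.UserRemovedEvent) event).getUser().getId();
        }
        if (event instanceof ClientModel.ClientRemovedEvent) {
            return ((ClientModel.ClientRemovedEvent) event).getClient().getId();
        }
        if (event instanceof GroupModel.GroupRemovedEvent) {
            return ((GroupModel.GroupRemovedEvent) event).getGroup().getId();
        }
        if (event instanceof RoleContainerModel.RoleRemovedEvent) {
            return ((RoleContainerModel.RoleRemovedEvent) event).getRole().getId();
        }
        return null;
    }

    /** Shorthand for {@link #applyAuthorizationFilters(KeycloakSession, ResourceType, PartialEvaluationStorageProvider, RealmModel, CriteriaBuilder, CriteriaQuery, Path)} without a storage provider. */
    public List<Predicate> applyAuthorizationFilters(KeycloakSession session, ResourceType resourceType, RealmModel realm, CriteriaBuilder criteriaBuilder, CriteriaQuery<?> criteriaQuery, Path<?> path) {
        return applyAuthorizationFilters(session, resourceType, null, realm, criteriaBuilder, criteriaQuery, path);
    }

    /** Delegates to the partial evaluator, which turns the caller's permissions into JPA predicates for {@code path}. */
    public List<Predicate> applyAuthorizationFilters(KeycloakSession session, ResourceType resourceType, PartialEvaluationStorageProvider storageProvider, RealmModel realm, CriteriaBuilder criteriaBuilder, CriteriaQuery<?> criteriaQuery, Path<?> path) {
        return this.partialEvaluator.getPredicates(session, resourceType, storageProvider, realm, criteriaBuilder, criteriaQuery, path);
    }

    /**
     * @return the FGAP policy evaluator for the context realm's admin-permissions client, else {@code null}.
     *         Note this checks only the client, not {@link #isAdminPermissionsEnabled}.
     */
    public PolicyEvaluator getPolicyEvaluator(KeycloakSession session, ResourceServer resourceServer) {
        if (resourceServer != null && isAdminPermissionClient(session.getContext().getRealm(), resourceServer.getId())) {
            return this.policyEvaluator;
        }
        return null;
    }

    /**
     * Scope aliases of {@code scope} within {@code resourceTypeName}: the aliases registered for the scope, or,
     * when the scope is itself an alias, the scopes it is an alias of. Empty for an unknown type.
     */
    public Set<String> getScopeAliases(String resourceTypeName, Scope scope) {
        ResourceType resourceType = findResourceType(resourceTypeName);
        if (resourceType == null) {
            return new HashSet<>();
        }
        Set<String> aliases = (Set) resourceType.getScopeAliases().get(scope.getName());
        if (aliases != null) {
            return aliases;
        }
        // reverse lookup: which scopes list this scope as one of their aliases
        Set<String> owners = new HashSet<>();
        for (Map.Entry entry : resourceType.getScopeAliases().entrySet()) {
            if (((Set) entry.getValue()).contains(scope.getName())) {
                owners.add((String) entry.getKey());
            }
        }
        return owners;
    }

    /**
     * Runs {@code runnable} with FGAP evaluation disabled for the session. Only the outermost call sets and
     * clears the session attribute, so nested calls do not re-enable evaluation early.
     */
    public static void runWithoutAuthorization(KeycloakSession session, Runnable runnable) {
        if (isSkipEvaluation(session)) {
            runnable.run();
            return;
        }
        try {
            session.setAttribute(SKIP_EVALUATION, Boolean.TRUE.toString());
            runnable.run();
        } finally {
            session.removeAttribute(SKIP_EVALUATION);
        }
    }

    /**
     * Whether FGAP evaluation must be skipped: always when there is no session or realm or the feature is not
     * enabled for the realm, otherwise when {@link #runWithoutAuthorization} is active. "Skip" means FGAP V2 is
     * not the active model here; it is not an authorization grant, and callers must not treat it as one.
     */
    public static boolean isSkipEvaluation(KeycloakSession session) {
        if (session == null) {
            return true;
        }
        RealmModel realm = session.getContext().getRealm();
        if (realm == null || !SCHEMA.isAdminPermissionsEnabled(realm)) {
            return true;
        }
        return Boolean.parseBoolean(session.getAttributeOrDefault(SKIP_EVALUATION, Boolean.FALSE.toString()));
    }
}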
