package org.keycloak.authorization.policy.evaluation;

import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.Decision;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.models.ClientModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.models.utils.RoleUtils;
import org.keycloak.representations.idm.authorization.Logic;

/* loaded from: input_file:BOOT-INF/lib/keycloak-server-spi-private-8.0.0.jar:org/keycloak/authorization/policy/evaluation/DefaultEvaluation.class */
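/**
 * Default {@link Evaluation} handed to policy code while a single permission is evaluated.
 *
 * <p>It records the effect chosen by the policy ({@link #grant()} / {@link #deny()}), reports every
 * effect change to the supplied {@link Decision}, and exposes a {@link Realm} view that lets policy
 * code query users, groups and roles of the realm bound to the current session context.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link #grant()} and {@link #deny()} are inverted when the current policy uses
 *       {@link Logic#NEGATIVE}. Only the policy set through {@link #setPolicy(Policy)} (or the
 *       seven-argument constructor) is consulted; the parent policy's logic is not.</li>
 *   <li>No effect is assigned by default; callers that need default-deny must call
 *       {@link #denyIfNoEffect()}.</li>
 *   <li>The {@link Realm} lookups resolve a user from one string that is tried as id, username,
 *       e-mail and client id in that order (see the comment on {@code getUser}).</li>
 * </ul>
 *
 * <p>Nothing here synchronizes access to {@code policy} or {@code effect}.
 */
public class DefaultEvaluation implements Evaluation {
    private final ResourcePermission permission;
    private final EvaluationContext executionContext;
    private final Decision decision;
    // Policy currently being evaluated; may be null, in which case getPolicy() falls back to parentPolicy.
    private Policy policy;
    private final Policy parentPolicy;
    private final AuthorizationProvider authorizationProvider;
    // Stored and returned by reference, never copied (see getDecisionCache()).
    private final Map<Policy, Map<Object, Decision.Effect>> decisionCache;
    private final Realm realm;
    // null until grant()/deny()/setEffect() is called, and again after setPolicy().
    private Decision.Effect effect;

    /**
     * Creates an evaluation with a parent policy and no current policy.
     *
     * @param policy the <em>parent</em> policy; the current policy starts as {@code null}
     * @param map decision cache, kept by reference
     */
    public DefaultEvaluation(ResourcePermission resourcePermission, EvaluationContext evaluationContext, Policy policy, Decision decision, AuthorizationProvider authorizationProvider, Map<Policy, Map<Object, Decision.Effect>> map) {
        this(resourcePermission, evaluationContext, policy, null, decision, authorizationProvider, map);
    }

    /**
     * Creates an evaluation without any policy and with an empty decision cache.
     *
     * <p>The cache is {@link Collections#emptyMap()}, which is immutable: code that writes to
     * {@link #getDecisionCache()} on an instance built this way gets an
     * {@link UnsupportedOperationException}.
     */
    public DefaultEvaluation(ResourcePermission resourcePermission, EvaluationContext evaluationContext, Decision decision, AuthorizationProvider authorizationProvider) {
        this(resourcePermission, evaluationContext, null, null, decision, authorizationProvider, Collections.emptyMap());
    }

    /**
     * Creates a fully specified evaluation.
     *
     * @param policy the <em>parent</em> policy (stored as {@code parentPolicy})
     * @param policy2 the policy currently being evaluated; may be {@code null}
     * @param decision callback notified on every {@link #setEffect(Decision.Effect)}
     * @param map decision cache, kept by reference
     */
    public DefaultEvaluation(ResourcePermission resourcePermission, EvaluationContext evaluationContext, Policy policy, Policy policy2, Decision decision, AuthorizationProvider authorizationProvider, Map<Policy, Map<Object, Decision.Effect>> map) {
        this.permission = resourcePermission;
        this.executionContext = evaluationContext;
        this.parentPolicy = policy;
        this.policy = policy2;
        this.decision = decision;
        this.authorizationProvider = authorizationProvider;
        this.decisionCache = map;
        // createRealm() only captures 'this'; the session is read lazily on each Realm call.
        this.realm = createRealm();
    }

    @Override
    public ResourcePermission getPermission() {
        return this.permission;
    }

    @Override
    public EvaluationContext getContext() {
        return this.executionContext;
    }

    /**
     * Records a positive outcome: {@code PERMIT}, or {@code DENY} when the current policy uses
     * negative logic.
     */
    @Override
    public void grant() {
        setEffect(usesNegativeLogic() ? Decision.Effect.DENY : Decision.Effect.PERMIT);
    }

    /**
     * Records a negative outcome: {@code DENY}, or {@code PERMIT} when the current policy uses
     * negative logic.
     */
    @Override
    public void deny() {
        setEffect(usesNegativeLogic() ? Decision.Effect.PERMIT : Decision.Effect.DENY);
    }

    /** Returns the current policy, or the parent policy when no current policy is set. */
    @Override
    public Policy getPolicy() {
        return this.policy == null ? this.parentPolicy : this.policy;
    }

    @Override
    public Realm getRealm() {
        return this.realm;
    }

    @Override
    public AuthorizationProvider getAuthorizationProvider() {
        return this.authorizationProvider;
    }

    public Policy getParentPolicy() {
        return this.parentPolicy;
    }

    /** Returns the last effect set, or {@code null} when none was set since the last {@link #setPolicy(Policy)}. */
    public Decision.Effect getEffect() {
        return this.effect;
    }

    /**
     * Returns the decision cache exactly as it was passed to the constructor (no defensive copy),
     * so writes through the returned map are visible to whoever else holds that map.
     */
    public Map<Policy, Map<Object, Decision.Effect>> getDecisionCache() {
        return this.decisionCache;
    }

    /** Applies {@link #deny()} when no effect has been recorded yet, giving default-deny semantics. */
    @Override
    public void denyIfNoEffect() {
        if (this.effect == null) {
            deny();
        }
    }

    /**
     * Tells whether grant()/deny() must be inverted. Deliberately reads the {@code policy} field
     * and not {@link #getPolicy()}: a parent policy's logic never inverts the effect.
     */
    private boolean usesNegativeLogic() {
        return this.policy != null && Logic.NEGATIVE.equals(this.policy.getLogic());
    }

    /**
     * Builds the {@link Realm} view exposed to policy code. Every call reads the realm from the
     * session context of {@code authorizationProvider} at call time.
     */
    private Realm createRealm() {
        return new Realm() {
            private KeycloakSession session() {
                return DefaultEvaluation.this.authorizationProvider.getKeycloakSession();
            }

            /**
             * Returns {@code false} when the user or the group cannot be resolved.
             *
             * @param checkParent selects {@code RoleUtils.isMember} over {@code UserModel.isMemberOf};
             *     presumably the former also accepts membership through sub-groups, confirm
             *     against RoleUtils
             */
            @Override
            public boolean isUserInGroup(String id, String groupPath, boolean checkParent) {
                KeycloakSession session = session();
                UserModel user = getUser(id, session);
                if (user == null) {
                    return false;
                }
                GroupModel group = KeycloakModelUtils.findGroupByPath(session.getContext().getRealm(), groupPath);
                if (group == null) {
                    return false;
                }
                return checkParent ? RoleUtils.isMember(user.getGroups(), group) : user.isMemberOf(group);
            }

            /**
             * Resolves a user from a single identifier, trying in order: user id, username,
             * e-mail, then the service account of the client whose internal id equals the
             * identifier. The first match wins.
             *
             * <p>Because the namespaces are merged, an identifier meant as an e-mail or username
             * can resolve to a different account that matches an earlier step. Policies that make
             * access decisions should pass the immutable user id.
             *
             * @return the resolved user, or {@code null} when nothing matches
             */
            private UserModel getUser(String id, KeycloakSession session) {
                RealmModel realmModel = session.getContext().getRealm();
                UserModel user = session.users().getUserById(id, realmModel);
                if (user == null) {
                    user = session.users().getUserByUsername(id, realmModel);
                }
                if (user == null) {
                    user = session.users().getUserByEmail(id, realmModel);
                }
                if (user == null) {
                    // Do not hand a null client to getServiceAccount(): its null handling is not
                    // visible here, and an unknown identifier must end up as "no user" so the
                    // callers' null checks can return false instead of failing.
                    ClientModel client = realmModel.getClientById(id);
                    if (client != null) {
                        user = session.users().getServiceAccount(client);
                    }
                }
                return user;
            }

            /**
             * Same lookup as {@code getUser}, for the list/map accessors that have no "unknown"
             * return value. Fails with a {@link NullPointerException}, as before, rather than
             * returning an empty result: a policy that grants on the <em>absence</em> of a role or
             * group must not silently pass for an identifier that resolves to nobody. The
             * identifier is kept out of the message because it may be an e-mail address.
             */
            private UserModel requireUser(String id) {
                return Objects.requireNonNull(getUser(id, session()), "no user found for the given identifier");
            }

            /** Returns {@code false} when the user or the realm role cannot be resolved. */
            @Override
            public boolean isUserInRealmRole(String id, String roleName) {
                KeycloakSession session = session();
                UserModel user = getUser(id, session);
                if (user == null) {
                    return false;
                }
                // Unknown role name: answer false, consistent with isUserInClientRole, instead of
                // passing null into RoleUtils.hasRole.
                RoleModel role = session.getContext().getRealm().getRole(roleName);
                if (role == null) {
                    return false;
                }
                Set<RoleModel> realmRoles = user.getRoleMappings().stream()
                        .filter(mapping -> !mapping.isClientRole())
                        .collect(Collectors.toSet());
                return RoleUtils.hasRole(realmRoles, role);
            }

            /**
             * Returns {@code false} when the user is unknown, holds no role of the client with the
             * given {@code clientId}, or that client has no role named {@code roleName}.
             */
            @Override
            public boolean isUserInClientRole(String id, String clientId, String roleName) {
                KeycloakSession session = session();
                RealmModel realmModel = session.getContext().getRealm();
                UserModel user = getUser(id, session);
                if (user == null) {
                    return false;
                }
                Set<RoleModel> clientRoles = user.getRoleMappings().stream()
                        .filter(mapping -> mapping.isClientRole()
                                && ((ClientModel) mapping.getContainer()).getClientId().equals(clientId))
                        .collect(Collectors.toSet());
                if (clientRoles.isEmpty()) {
                    return false;
                }
                // All collected roles belong to the same client, so any of them identifies it.
                ClientModel owner = (ClientModel) clientRoles.iterator().next().getContainer();
                RoleModel role = realmModel.getClientById(owner.getId()).getRole(roleName);
                if (role == null) {
                    return false;
                }
                return RoleUtils.hasRole(clientRoles, role);
            }

            /**
             * Returns {@code false} when the group path or the realm role cannot be resolved,
             * consistent with the user-based checks above.
             */
            @Override
            public boolean isGroupInRole(String groupPath, String roleName) {
                RealmModel realmModel = session().getContext().getRealm();
                GroupModel group = KeycloakModelUtils.findGroupByPath(realmModel, groupPath);
                RoleModel role = realmModel.getRole(roleName);
                if (group == null || role == null) {
                    return false;
                }
                return RoleUtils.hasRoleFromGroup(group, role, false);
            }

            /**
             * Returns the names of the realm roles directly mapped to the user.
             *
             * @throws NullPointerException when the identifier resolves to no user
             */
            @Override
            public List<String> getUserRealmRoles(String id) {
                return requireUser(id).getRoleMappings().stream()
                        .filter(mapping -> !mapping.isClientRole())
                        .map(RoleModel::getName)
                        .collect(Collectors.toList());
            }

            /**
             * Returns the names of the roles of client {@code clientId} directly mapped to the user.
             *
             * <p>The client filter is essential: role names are only unique per client, so
             * returning roles of every client would let a role such as "admin" granted on an
             * unrelated client satisfy a policy written for {@code clientId}. A {@code null}
             * {@code clientId} matches no client and yields an empty list.
             *
             * @throws NullPointerException when the identifier resolves to no user
             */
            @Override
            public List<String> getUserClientRoles(String id, String clientId) {
                return requireUser(id).getRoleMappings().stream()
                        .filter(RoleModel::isClientRole)
                        .filter(mapping -> Objects.equals(((ClientModel) mapping.getContainer()).getClientId(), clientId))
                        .map(RoleModel::getName)
                        .collect(Collectors.toList());
            }

            /**
             * Returns the paths of the groups the user belongs to.
             *
             * @throws NullPointerException when the identifier resolves to no user
             */
            @Override
            public List<String> getUserGroups(String id) {
                return requireUser(id).getGroups().stream()
                        .map(ModelToRepresentation::buildGroupPath)
                        .collect(Collectors.toList());
            }

            /**
             * Returns a read-only view of the user's attributes. Only the map itself is wrapped;
             * the value lists are returned as the model provides them.
             *
             * @throws NullPointerException when the identifier resolves to no user
             */
            @Override
            public Map<String, List<String>> getUserAttributes(String id) {
                return Collections.unmodifiableMap(requireUser(id).getAttributes());
            }
        };
    }

    /** Switches to another policy and clears the recorded effect, so a stale effect cannot carry over. */
    public void setPolicy(Policy policy) {
        this.policy = policy;
        this.effect = null;
    }

    /**
     * Records the effect as given (no negative-logic inversion here) and notifies the
     * {@link Decision} callback. Each call notifies again, including repeated calls for the same
     * policy.
     */
    public void setEffect(Decision.Effect effect) {
        this.effect = effect;
        this.decision.onDecision(this);
    }
}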
