package org.keycloak.utils;

import java.util.Iterator;
import java.util.Map;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.representations.AccessToken;

/* loaded from: input_file:BOOT-INF/lib/keycloak-services-11.0.2.jar:org/keycloak/utils/RoleResolveUtil.class */
/**
 * Resolves the roles of a client session into an {@link AccessToken} and memoizes the result
 * as an attribute on the {@link KeycloakSession}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The cache key is built from the user-session id and the client id, so a cached entry is
 *       only reused for the same (user session, client) pair.</li>
 *   <li>Once an entry exists for a key, {@code clientSessionContext.getRoles()} is not consulted
 *       again through this class for that {@code KeycloakSession}.
 *       NOTE(review): the lifetime of KeycloakSession attributes is not visible in this file;
 *       confirm the cache cannot outlive a role change that must take effect immediately.</li>
 *   <li>The public accessors hand out {@code Access} objects that belong to the cached token,
 *       not copies. Anything a caller adds to them is seen by later lookups under the same key.</li>
 * </ul>
 */
public class RoleResolveUtil {
    /** Prefix of the session-attribute key under which the resolved token is stored. */
    private static final String RESOLVED_ROLES_ATTR = "RESOLVED_ROLES";

    /**
     * Returns the realm-level access entry of the resolved (and cached) token.
     *
     * @param keycloakSession session whose attributes hold the cache
     * @param clientSessionContext context identifying the user session, client and roles
     * @param z when {@code true} and no realm access exists yet, an empty one is created,
     *          attached to the cached token and returned
     * @return the realm access entry, or {@code null} if none exists and {@code z} is {@code false}
     */
    public static AccessToken.Access getResolvedRealmRoles(KeycloakSession keycloakSession, ClientSessionContext clientSessionContext, boolean z) {
        AccessToken cachedToken = getAndCacheResolvedRoles(keycloakSession, clientSessionContext);
        AccessToken.Access current = cachedToken.getRealmAccess();
        if (current != null || !z) {
            return current;
        }
        // Creating on demand writes into the cached token, not into a private copy.
        AccessToken.Access created = new AccessToken.Access();
        cachedToken.setRealmAccess(created);
        return created;
    }

    /**
     * Returns the access entry of one client from the resolved (and cached) token.
     *
     * @param keycloakSession session whose attributes hold the cache
     * @param clientSessionContext context identifying the user session, client and roles
     * @param str key passed to {@code AccessToken.getResourceAccess(String)}; {@code addToToken}
     *            registers entries under {@code ClientModel.getClientId()}
     * @param z when {@code true} and no entry exists for {@code str}, one is added to the cached
     *          token via {@code addAccess} and returned
     * @return the client's access entry, or {@code null} if none exists and {@code z} is {@code false}
     */
    public static AccessToken.Access getResolvedClientRoles(KeycloakSession keycloakSession, ClientSessionContext clientSessionContext, String str, boolean z) {
        AccessToken cachedToken = getAndCacheResolvedRoles(keycloakSession, clientSessionContext);
        AccessToken.Access current = cachedToken.getResourceAccess(str);
        if (current == null && z) {
            return cachedToken.addAccess(str);
        }
        return current;
    }

    /**
     * Returns the per-client access map of the resolved (and cached) token.
     *
     * <p>The value is whatever {@code AccessToken.getResourceAccess()} returns for the cached
     * token; whether that is a defensive copy is not visible in this file.
     *
     * @param keycloakSession session whose attributes hold the cache
     * @param clientSessionContext context identifying the user session, client and roles
     * @return the resource-access map of the cached token
     */
    public static Map<String, AccessToken.Access> getAllResolvedClientRoles(KeycloakSession keycloakSession, ClientSessionContext clientSessionContext) {
        AccessToken cachedToken = getAndCacheResolvedRoles(keycloakSession, clientSessionContext);
        return cachedToken.getResourceAccess();
    }

    /**
     * Looks up the resolved token for this (user session, client) pair in the session attributes,
     * building and storing it on first use.
     *
     * @return the cached token instance itself (never a copy)
     */
    private static AccessToken getAndCacheResolvedRoles(KeycloakSession keycloakSession, ClientSessionContext clientSessionContext) {
        // Key layout: RESOLVED_ROLES:<user session id>:<client id>
        String userSessionId = clientSessionContext.getClientSession().getUserSession().getId();
        String clientId = clientSessionContext.getClientSession().getClient().getId();
        String cacheKey = RESOLVED_ROLES_ATTR + ":" + userSessionId + ":" + clientId;

        AccessToken cached = (AccessToken) keycloakSession.getAttribute(cacheKey, AccessToken.class);
        if (cached != null) {
            return cached;
        }

        AccessToken resolved = new AccessToken();
        for (Iterator<RoleModel> roles = clientSessionContext.getRoles().iterator(); roles.hasNext();) {
            addToToken(resolved, roles.next());
        }
        keycloakSession.setAttribute(cacheKey, resolved);
        return resolved;
    }

    /**
     * Adds one role to the token: realm roles go to the realm access entry, all other roles to
     * the access entry of the owning client. A role already present is not added again.
     *
     * <p>Any container that is not a {@link RealmModel} is cast to {@link ClientModel}; a
     * different container type would fail with a {@code ClassCastException}.
     */
    private static void addToToken(AccessToken accessToken, RoleModel roleModel) {
        final AccessToken.Access target;
        if (roleModel.getContainer() instanceof RealmModel) {
            AccessToken.Access realmAccess = accessToken.getRealmAccess();
            if (realmAccess == null) {
                target = new AccessToken.Access();
                accessToken.setRealmAccess(target);
            } else {
                if (realmAccess.getRoles() != null && realmAccess.isUserInRole(roleModel.getName())) {
                    return;
                }
                target = realmAccess;
            }
        } else {
            ClientModel owner = (ClientModel) roleModel.getContainer();
            AccessToken.Access clientAccess = accessToken.getResourceAccess(owner.getClientId());
            if (clientAccess == null) {
                target = accessToken.addAccess(owner.getClientId());
                // The verify-caller flag is only set when the entry is first created.
                if (owner.isSurrogateAuthRequired()) {
                    target.verifyCaller(true);
                }
            } else {
                if (clientAccess.isUserInRole(roleModel.getName())) {
                    return;
                }
                target = clientAccess;
            }
        }
        target.addRole(roleModel.getName());
    }
}
