package org.keycloak.services.resources.admin.permissions;

import jakarta.ws.rs.ForbiddenException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ImpersonationConstants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleContainerModel;
import org.keycloak.models.RoleModel;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Permission;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/keycloak/services/resources/admin/permissions/RolePermissions.class */
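/**
 * Fine-grained admin permissions for roles.
 *
 * <p>Two concerns live in this class:
 * <ul>
 *   <li>{@link RolePermissionManagement}: creating, finding and deleting the
 *       authorization-services artifacts that back per-role permissions: a
 *       resource server, the three scopes {@code MAP_ROLE_SCOPE},
 *       {@code MAP_ROLE_CLIENT_SCOPE_SCOPE} and {@code MAP_ROLE_COMPOSITE_SCOPE},
 *       one {@code "Role"}-typed resource per role and one scope permission per
 *       (role, scope) pair (see {@link #initialize(RoleModel)}).</li>
 *   <li>{@link RolePermissionEvaluator}: deciding whether the acting admin
 *       (reached through {@link MgmtPermissions}) may map, view, list or manage
 *       a role.</li>
 * </ul>
 *
 * <p>Security note: {@link #canMapRole(RoleModel)} and
 * {@link #canMapComposite(RoleModel)} are additionally gated by
 * {@link #checkAdminRoles(RoleModel)}, which refuses to let an admin hand out an
 * admin role whose privilege the admin does not hold. That method is the guard
 * against privilege escalation through delegated role mapping; any change to it,
 * or to the order of checks in the two callers, deserves a security review.
 * {@link #canMapClientScope(RoleModel)} does not consult that guard.
 *
 * <p>Denied escalation attempts are logged at DEBUG level only (see
 * {@link #adminConflictMessage(RoleModel)}).
 */
public class RolePermissions implements RolePermissionEvaluator, RolePermissionManagement {
    private static final Logger logger = Logger.getLogger(RolePermissions.class);
    protected final KeycloakSession session;
    protected final RealmModel realm;
    /** May be null; every management method that needs it is expected to cope (see {@link #getPermissions}). */
    protected final AuthorizationProvider authz;
    /** Gateway to the acting admin and to the sibling evaluators ({@code users()}, {@code clients()}, {@code realm()}). */
    protected final MgmtPermissions root;
    /** Null when no {@link AuthorizationProvider} was supplied to the constructor. */
    private final ResourceStore resourceStore;
    /** Prefix of the per-role resource name; the role id follows it (see {@link #getRoleResourceName}). */
    private static final String RESOURCE_NAME_PREFIX = "role.resource.";

    /**
     * @param keycloakSession       current session
     * @param realmModel            realm whose roles are evaluated
     * @param authorizationProvider authorization services provider; may be null, in which case
     *                              {@link #resourceStore} stays null
     * @param mgmtPermissions       root of the admin permission evaluators
     */
    public RolePermissions(KeycloakSession keycloakSession, RealmModel realmModel, AuthorizationProvider authorizationProvider, MgmtPermissions mgmtPermissions) {
        this.session = keycloakSession;
        this.realm = realmModel;
        this.authz = authorizationProvider;
        this.root = mgmtPermissions;
        if (authorizationProvider != null) {
            this.resourceStore = authorizationProvider.getStoreFactory().getResourceStore();
        } else {
            this.resourceStore = null;
        }
    }

    /**
     * Fine-grained permissions count as enabled for a role as soon as its
     * "map-role" permission policy exists.
     */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionManagement
    public boolean isPermissionsEnabled(RoleModel roleModel) {
        return mapRolePermission(roleModel) != null;
    }

    /**
     * Enables (creates the backing artifacts) or disables (deletes them) fine-grained
     * permissions for the role.
     */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionManagement
    public void setPermissionsEnabled(RoleModel roleModel, boolean z) {
        if (z) {
            initialize(roleModel);
        } else {
            disablePermissions(roleModel);
        }
    }

    /**
     * Deletes the three scope permissions and the role resource. The scopes and the
     * resource server themselves are shared with other roles and are left in place.
     * No-op when the role's client has no resource server.
     */
    private void disablePermissions(RoleModel roleModel) {
        ResourceServer resourceServer = resourceServer(roleModel);
        if (resourceServer == null) {
            return;
        }
        Policy mapRolePermission = mapRolePermission(roleModel);
        if (mapRolePermission != null) {
            this.authz.getStoreFactory().getPolicyStore().delete(mapRolePermission.getId());
        }
        Policy mapClientScopePermission = mapClientScopePermission(roleModel);
        if (mapClientScopePermission != null) {
            this.authz.getStoreFactory().getPolicyStore().delete(mapClientScopePermission.getId());
        }
        Policy mapCompositePermission = mapCompositePermission(roleModel);
        if (mapCompositePermission != null) {
            this.authz.getStoreFactory().getPolicyStore().delete(mapCompositePermission.getId());
        }
        Resource findByName = this.authz.getStoreFactory().getResourceStore().findByName(resourceServer, getRoleResourceName(roleModel));
        if (findByName != null) {
            this.authz.getStoreFactory().getResourceStore().delete(findByName.getId());
        }
    }

    /**
     * Returns scope-name → permission-policy-id for the role, creating the backing
     * artifacts first. Returns null when no {@link AuthorizationProvider} is available.
     *
     * <p>NOTE(review): {@link #initialize} returns silently when no resource server can
     * be found or created; the {@code getId()} calls below would then throw a
     * {@link NullPointerException}. Whether that situation can actually occur depends on
     * {@code MgmtPermissions.findOrCreateResourceServer}, which is not visible here.
     */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionManagement
    public Map<String, String> getPermissions(RoleModel roleModel) {
        if (this.authz == null) {
            return null;
        }
        initialize(roleModel);
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        linkedHashMap.put(RolePermissionManagement.MAP_ROLE_SCOPE, mapRolePermission(roleModel).getId());
        linkedHashMap.put(RolePermissionManagement.MAP_ROLE_CLIENT_SCOPE_SCOPE, mapClientScopePermission(roleModel).getId());
        linkedHashMap.put(RolePermissionManagement.MAP_ROLE_COMPOSITE_SCOPE, mapCompositePermission(roleModel).getId());
        return linkedHashMap;
    }

    /** The "map-role" scope permission of the role, or null if absent / no resource server. */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionManagement
    public Policy mapRolePermission(RoleModel roleModel) {
        ResourceServer resourceServer = resourceServer(roleModel);
        if (resourceServer == null) {
            return null;
        }
        return this.authz.getStoreFactory().getPolicyStore().findByName(resourceServer, getMapRolePermissionName(roleModel));
    }

    /** The "map-role-composite" scope permission of the role, or null if absent / no resource server. */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionManagement
    public Policy mapCompositePermission(RoleModel roleModel) {
        ResourceServer resourceServer = resourceServer(roleModel);
        if (resourceServer == null) {
            return null;
        }
        return this.authz.getStoreFactory().getPolicyStore().findByName(resourceServer, getMapCompositePermissionName(roleModel));
    }

    /** The "map-role-client-scope" scope permission of the role, or null if absent / no resource server. */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionManagement
    public Policy mapClientScopePermission(RoleModel roleModel) {
        ResourceServer resourceServer = resourceServer(roleModel);
        if (resourceServer == null) {
            return null;
        }
        return this.authz.getStoreFactory().getPolicyStore().findByName(resourceServer, getMapClientScopePermissionName(roleModel));
    }

    /** The authorization resource representing the role, or null if absent / no resource server. */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionManagement
    public Resource resource(RoleModel roleModel) {
        ResourceServer resourceServer = resourceServer(roleModel);
        if (resourceServer == null) {
            return null;
        }
        return this.authz.getStoreFactory().getResourceStore().findByName(resourceServer, getRoleResourceName(roleModel));
    }

    /**
     * Resource server of the client that owns the role; realm roles are attached to
     * the realm-management client (see {@link #getRoleClient}).
     */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionManagement
    public ResourceServer resourceServer(RoleModel roleModel) {
        return this.root.resourceServer(getRoleClient(roleModel));
    }

    /**
     * Anti-escalation guard: may the acting admin hand out this role?
     *
     * <p>Returns true immediately for roles whose name is not one of the admin role
     * names, and for admin roles the acting admin already holds. For the remaining
     * admin roles:
     * <ul>
     *   <li>role lives in this realm's realm-management client: the role is allowed
     *       only if the admin has the matching capability through the sibling
     *       evaluators (e.g. {@code manage-users} requires {@code users().canManage()});
     *       the {@code query-*} roles are always allowed; {@code realm-admin} requires
     *       the admin to come from the admin (master) realm and hold its {@code admin}
     *       role; any other admin-named role is refused.</li>
     *   <li>role lives elsewhere: refused when it is a realm role of the admin realm,
     *       or a role of an admin-realm client whose id ends in {@code "-realm"}
     *       (presumably the per-realm admin clients the master realm keeps — confirm);
     *       otherwise allowed.</li>
     * </ul>
     * Every refusal goes through {@link #adminConflictMessage}.
     */
    private boolean checkAdminRoles(RoleModel roleModel) {
        if (!AdminRoles.ALL_ROLES.contains(roleModel.getName()) || this.root.admin().hasRole(roleModel)) {
            return true;
        }
        if (!this.root.getRealmManagementClient().equals(roleModel.getContainer())) {
            if (roleModel.getContainer() instanceof RealmModel) {
                // a realm role carrying an admin role name inside the admin realm
                if (roleModel.getContainer().getName().equals(Config.getAdminRealm())) {
                    return adminConflictMessage(roleModel);
                }
                return true;
            }
            ClientModel container = roleModel.getContainer();
            // an admin role of another realm as seen from the admin realm
            if (container.getRealm().getName().equals(Config.getAdminRealm()) && container.getClientId().endsWith("-realm")) {
                return adminConflictMessage(roleModel);
            }
            return true;
        }
        // From here on the role belongs to this realm's realm-management client;
        // each admin role is mirrored onto the capability it would grant.
        if (roleModel.getName().equals(AdminRoles.MANAGE_CLIENTS) || roleModel.getName().equals(AdminRoles.CREATE_CLIENT)) {
            if (this.root.clients().canManage()) {
                return true;
            }
            return adminConflictMessage(roleModel);
        }
        if (roleModel.getName().equals(AdminRoles.VIEW_CLIENTS)) {
            if (this.root.clients().canView()) {
                return true;
            }
            return adminConflictMessage(roleModel);
        }
        if (roleModel.getName().equals(AdminRoles.QUERY_REALMS) || roleModel.getName().equals(AdminRoles.QUERY_CLIENTS) || roleModel.getName().equals(AdminRoles.QUERY_USERS) || roleModel.getName().equals(AdminRoles.QUERY_GROUPS)) {
            return true;
        }
        if (roleModel.getName().equals(AdminRoles.MANAGE_AUTHORIZATION)) {
            if (this.root.realm().canManageAuthorization()) {
                return true;
            }
            return adminConflictMessage(roleModel);
        }
        if (roleModel.getName().equals(AdminRoles.VIEW_AUTHORIZATION)) {
            if (this.root.realm().canViewAuthorization()) {
                return true;
            }
            return adminConflictMessage(roleModel);
        }
        if (roleModel.getName().equals(AdminRoles.MANAGE_EVENTS)) {
            if (this.root.realm().canManageEvents()) {
                return true;
            }
            return adminConflictMessage(roleModel);
        }
        if (roleModel.getName().equals(AdminRoles.VIEW_EVENTS)) {
            if (this.root.realm().canViewEvents()) {
                return true;
            }
            return adminConflictMessage(roleModel);
        }
        if (roleModel.getName().equals(AdminRoles.MANAGE_USERS)) {
            if (this.root.users().canManage()) {
                return true;
            }
            return adminConflictMessage(roleModel);
        }
        if (roleModel.getName().equals(AdminRoles.VIEW_USERS)) {
            if (this.root.users().canView()) {
                return true;
            }
            return adminConflictMessage(roleModel);
        }
        if (roleModel.getName().equals(AdminRoles.MANAGE_IDENTITY_PROVIDERS)) {
            if (this.root.realm().canManageIdentityProviders()) {
                return true;
            }
            return adminConflictMessage(roleModel);
        }
        if (roleModel.getName().equals(AdminRoles.VIEW_IDENTITY_PROVIDERS)) {
            if (this.root.realm().canViewIdentityProviders()) {
                return true;
            }
            return adminConflictMessage(roleModel);
        }
        if (roleModel.getName().equals(AdminRoles.MANAGE_REALM)) {
            if (this.root.realm().canManageRealm()) {
                return true;
            }
            return adminConflictMessage(roleModel);
        }
        if (roleModel.getName().equals(AdminRoles.VIEW_REALM)) {
            if (this.root.realm().canViewRealm()) {
                return true;
            }
            return adminConflictMessage(roleModel);
        }
        if (roleModel.getName().equals(ImpersonationConstants.IMPERSONATION_ROLE)) {
            if (this.root.users().canImpersonate()) {
                return true;
            }
            return adminConflictMessage(roleModel);
        }
        // Any admin-named role not handled above is refused rather than allowed by default.
        if (!roleModel.getName().equals(AdminRoles.REALM_ADMIN)) {
            return adminConflictMessage(roleModel);
        }
        // realm-admin: only an admin from the admin (master) realm holding its "admin" role may grant it.
        if (this.root.adminsRealm() == null || !this.root.adminsRealm().getName().equals(Config.getAdminRealm())) {
            return adminConflictMessage(roleModel);
        }
        if (this.root.admin().hasRole(this.root.adminsRealm().getRole(AdminRoles.ADMIN))) {
            return true;
        }
        return adminConflictMessage(roleModel);
    }

    /**
     * Records a refused admin-role grant and returns false.
     *
     * <p>Logged at DEBUG only, so an attempted privilege escalation is invisible in
     * production logs unless debug logging is enabled for this class. Raising the
     * level would help detection; behavior is intentionally unchanged here.
     */
    private boolean adminConflictMessage(RoleModel roleModel) {
        logger.debug("Trying to assign admin privileges of role: " + roleModel.getName() + " but admin doesn't have same privilege");
        return false;
    }

    /**
     * May the acting admin map this role to a user?
     *
     * <p>Order of checks: default user-management admins are allowed subject to
     * {@link #checkAdminRoles}; admins from another realm are refused; a client
     * role is allowed if the client-level "map-roles" permission grants it; otherwise
     * the role's own "map-role" permission must exist, have at least one associated
     * policy, and evaluate to granted — and even then {@link #checkAdminRoles} has the
     * last word.
     */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator
    public boolean canMapRole(RoleModel roleModel) {
        ResourceServer resourceServer;
        Policy findByName;
        if (this.root.users().canManageDefault()) {
            return checkAdminRoles(roleModel);
        }
        if (!this.root.isAdminSameRealm()) {
            return false;
        }
        if ((roleModel.getContainer() instanceof ClientModel) && this.root.clients().canMapRoles((ClientModel) roleModel.getContainer())) {
            return true;
        }
        // A permission with no associated policies is treated as a denial, not as "no restriction".
        if (!isPermissionsEnabled(roleModel) || (resourceServer = resourceServer(roleModel)) == null || (findByName = this.authz.getStoreFactory().getPolicyStore().findByName(resourceServer, getMapRolePermissionName(roleModel))) == null || findByName.getAssociatedPolicies().isEmpty()) {
            return false;
        }
        if (this.root.evaluatePermission(resource(roleModel), resourceServer, mapRoleScope(resourceServer))) {
            return checkAdminRoles(roleModel);
        }
        return false;
    }

    /** @throws ForbiddenException when {@link #canMapRole} is false */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator
    public void requireMapRole(RoleModel roleModel) {
        if (!canMapRole(roleModel)) {
            throw new ForbiddenException();
        }
    }

    /**
     * May the acting admin list the roles of the container? Viewing implies listing;
     * for a realm the view-realm capability or any query-* admin role suffices, for a
     * client the client evaluator decides.
     */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator
    public boolean canList(RoleContainerModel roleContainerModel) {
        if (canView(roleContainerModel)) {
            return true;
        }
        return roleContainerModel instanceof RealmModel ? this.root.realm().canViewRealm() || this.root.hasOneAdminRole(AdminRoles.ALL_QUERY_ROLES) : this.root.clients().canList((ClientModel) roleContainerModel);
    }

    /** @throws ForbiddenException when {@link #canList} is false */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator
    public void requireList(RoleContainerModel roleContainerModel) {
        if (!canList(roleContainerModel)) {
            throw new ForbiddenException();
        }
    }

    /** May the acting admin create/edit/delete roles in the container (manage-realm or configure-client)? */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator
    public boolean canManage(RoleContainerModel roleContainerModel) {
        return roleContainerModel instanceof RealmModel ? this.root.realm().canManageRealm() : this.root.clients().canConfigure((ClientModel) roleContainerModel);
    }

    /** @throws ForbiddenException when {@link #canManage(RoleContainerModel)} is false */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator
    public void requireManage(RoleContainerModel roleContainerModel) {
        if (!canManage(roleContainerModel)) {
            throw new ForbiddenException();
        }
    }

    /** May the acting admin view the roles of the container (view-realm or view-client)? */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator
    public boolean canView(RoleContainerModel roleContainerModel) {
        return roleContainerModel instanceof RealmModel ? this.root.realm().canViewRealm() : this.root.clients().canView((ClientModel) roleContainerModel);
    }

    /** @throws ForbiddenException when {@link #canView(RoleContainerModel)} is false */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator
    public void requireView(RoleContainerModel roleContainerModel) {
        if (!canView(roleContainerModel)) {
            throw new ForbiddenException();
        }
    }

    /**
     * May the acting admin add this role to a composite role? Mirrors
     * {@link #canMapRole} with the "map-role-composite" permission and the
     * client-level "map-composite-roles" permission, and is likewise gated by
     * {@link #checkAdminRoles} on both granting paths.
     */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator
    public boolean canMapComposite(RoleModel roleModel) {
        ResourceServer resourceServer;
        Policy findByName;
        if (canManageDefault(roleModel)) {
            return checkAdminRoles(roleModel);
        }
        if (!this.root.isAdminSameRealm()) {
            return false;
        }
        if ((roleModel.getContainer() instanceof ClientModel) && this.root.clients().canMapCompositeRoles((ClientModel) roleModel.getContainer())) {
            return true;
        }
        if (!isPermissionsEnabled(roleModel) || (resourceServer = resourceServer(roleModel)) == null || (findByName = this.authz.getStoreFactory().getPolicyStore().findByName(resourceServer, getMapCompositePermissionName(roleModel))) == null || findByName.getAssociatedPolicies().isEmpty()) {
            return false;
        }
        if (this.root.evaluatePermission(resource(roleModel), resourceServer, mapCompositeScope(resourceServer))) {
            return checkAdminRoles(roleModel);
        }
        return false;
    }

    /** @throws ForbiddenException when {@link #canMapComposite} is false */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator
    public void requireMapComposite(RoleModel roleModel) {
        if (!canMapComposite(roleModel)) {
            throw new ForbiddenException();
        }
    }

    /**
     * May the acting admin add this role to a client's scope mappings?
     *
     * <p>Same shape as {@link #canMapRole}, using the "map-role-client-scope"
     * permission and the client-level "map-roles-client-scope" permission. Unlike the
     * other two map checks, no {@link #checkAdminRoles} gate is applied on any path.
     */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator
    public boolean canMapClientScope(RoleModel roleModel) {
        ResourceServer resourceServer;
        Policy findByName;
        if (this.root.clients().canManageClientsDefault()) {
            return true;
        }
        if (!this.root.isAdminSameRealm()) {
            return false;
        }
        if ((roleModel.getContainer() instanceof ClientModel) && this.root.clients().canMapClientScopeRoles((ClientModel) roleModel.getContainer())) {
            return true;
        }
        if (!isPermissionsEnabled(roleModel) || (resourceServer = resourceServer(roleModel)) == null || (findByName = this.authz.getStoreFactory().getPolicyStore().findByName(resourceServer, getMapClientScopePermissionName(roleModel))) == null || findByName.getAssociatedPolicies().isEmpty()) {
            return false;
        }
        return this.root.evaluatePermission(resource(roleModel), resourceServer, mapClientScope(resourceServer));
    }

    /** @throws ForbiddenException when {@link #canMapClientScope} is false */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator
    public void requireMapClientScope(RoleModel roleModel) {
        if (!canMapClientScope(roleModel)) {
            throw new ForbiddenException();
        }
    }

    /** May the acting admin edit/delete this role? Realm roles need manage-realm, client roles configure-client. */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator
    public boolean canManage(RoleModel roleModel) {
        if (roleModel.getContainer() instanceof RealmModel) {
            return this.root.realm().canManageRealm();
        }
        if (!(roleModel.getContainer() instanceof ClientModel)) {
            return false;
        }
        return this.root.clients().canConfigure(roleModel.getContainer());
    }

    /**
     * Like {@link #canManage(RoleModel)} but consulting only the default (admin-role
     * based) decisions, not fine-grained permissions. For a client role the owning
     * client is not consulted: the realm-wide client-management default decides.
     */
    public boolean canManageDefault(RoleModel roleModel) {
        if (roleModel.getContainer() instanceof RealmModel) {
            return this.root.realm().canManageRealmDefault();
        }
        if (!(roleModel.getContainer() instanceof ClientModel)) {
            return false;
        }
        return this.root.clients().canManageClientsDefault();
    }

    /** @throws ForbiddenException when {@link #canManage(RoleModel)} is false */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator
    public void requireManage(RoleModel roleModel) {
        if (!canManage(roleModel)) {
            throw new ForbiddenException();
        }
    }

    /** May the acting admin view this role? Realm roles need view-realm, client roles view-client. */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator
    public boolean canView(RoleModel roleModel) {
        if (roleModel.getContainer() instanceof RealmModel) {
            return this.root.realm().canViewRealm();
        }
        if (!(roleModel.getContainer() instanceof ClientModel)) {
            return false;
        }
        return this.root.clients().canView(roleModel.getContainer());
    }

    /** @throws ForbiddenException when {@link #canView(RoleModel)} is false */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator
    public void requireView(RoleModel roleModel) {
        if (!canView(roleModel)) {
            throw new ForbiddenException();
        }
    }

    /** Client that hosts the role's authorization artifacts: the owning client, or realm-management for realm roles. */
    private ClientModel getRoleClient(RoleModel roleModel) {
        return roleModel.getContainer() instanceof ClientModel ? (ClientModel) roleModel.getContainer() : this.root.getRealmManagementClient();
    }

    /** Role policy for realm-management's {@code manage-users}, created on demand. */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionManagement
    public Policy manageUsersPolicy(ResourceServer resourceServer) {
        return rolePolicy(resourceServer, this.root.getRealmManagementClient().getRole(AdminRoles.MANAGE_USERS));
    }

    /** Role policy for realm-management's {@code view-users}, created on demand. */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionManagement
    public Policy viewUsersPolicy(ResourceServer resourceServer) {
        return rolePolicy(resourceServer, this.root.getRealmManagementClient().getRole(AdminRoles.VIEW_USERS));
    }

    /** Finds the role policy named by {@code Helper.getRolePolicyName}, creating it if it does not exist. */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionManagement
    public Policy rolePolicy(ResourceServer resourceServer, RoleModel roleModel) {
        String rolePolicyName = Helper.getRolePolicyName(roleModel);
        Policy findByName = this.authz.getStoreFactory().getPolicyStore().findByName(resourceServer, rolePolicyName);
        return findByName != null ? findByName : Helper.createRolePolicy(this.authz, resourceServer, roleModel, rolePolicyName);
    }

    /**
     * Ids of the roles (in the realm resource server) for which the acting admin is
     * granted the given scope, derived from the {@code "Role"}-typed resources whose
     * names start with {@link #RESOURCE_NAME_PREFIX}. Empty for a cross-realm admin or
     * when the realm has no resource server.
     *
     * @param str scope name, e.g. {@code MAP_ROLE_SCOPE}
     */
    @Override // org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator
    public Set<String> getRolesWithPermission(String str) {
        ResourceServer realmResourceServer;
        if (this.root.isAdminSameRealm() && (realmResourceServer = this.root.realmResourceServer()) != null) {
            HashSet hashSet = new HashSet();
            this.resourceStore.findByType(realmResourceServer, "Role", resource -> {
                if (hasPermission(resource, str)) {
                    // resource name is RESOURCE_NAME_PREFIX + roleId (see getRoleResourceName)
                    hashSet.add(resource.getName().substring(RESOURCE_NAME_PREFIX.length()));
                }
            });
            return hashSet;
        }
        return Collections.emptySet();
    }

    /** True if evaluating all of the resource's scopes grants one named {@code str}. */
    private boolean hasPermission(Resource resource, String str) {
        ResourceServer realmResourceServer = this.root.realmResourceServer();
        Iterator<Permission> it = this.root.evaluatePermission(new ResourcePermission(resource, resource.getScopes(), realmResourceServer), realmResourceServer).iterator();
        while (it.hasNext()) {
            Iterator it2 = it.next().getScopes().iterator();
            while (it2.hasNext()) {
                if (str.equals((String) it2.next())) {
                    return true;
                }
            }
        }
        return false;
    }

    private Scope mapRoleScope(ResourceServer resourceServer) {
        return this.authz.getStoreFactory().getScopeStore().findByName(resourceServer, RolePermissionManagement.MAP_ROLE_SCOPE);
    }

    private Scope mapClientScope(ResourceServer resourceServer) {
        return this.authz.getStoreFactory().getScopeStore().findByName(resourceServer, RolePermissionManagement.MAP_ROLE_CLIENT_SCOPE_SCOPE);
    }

    private Scope mapCompositeScope(ResourceServer resourceServer) {
        return this.authz.getStoreFactory().getScopeStore().findByName(resourceServer, RolePermissionManagement.MAP_ROLE_COMPOSITE_SCOPE);
    }

    /**
     * Idempotently creates the artifacts backing fine-grained permissions for the role:
     * the resource server (if missing), the three scopes, a {@code "Role"}-typed resource
     * carrying those scopes, and one scope permission per scope. New permissions start
     * with no associated policies and {@link DecisionStrategy#AFFIRMATIVE}, so they grant
     * nothing until an admin attaches a policy (the evaluators treat an empty policy
     * list as a denial). Returns silently when no resource server can be obtained.
     */
    private void initialize(RoleModel roleModel) {
        ResourceServer resourceServer = resourceServer(roleModel);
        if (resourceServer == null) {
            resourceServer = this.root.findOrCreateResourceServer(getRoleClient(roleModel));
            if (resourceServer == null) {
                return;
            }
        }
        Scope mapRoleScope = mapRoleScope(resourceServer);
        if (mapRoleScope == null) {
            mapRoleScope = this.authz.getStoreFactory().getScopeStore().create(resourceServer, RolePermissionManagement.MAP_ROLE_SCOPE);
        }
        Scope mapClientScope = mapClientScope(resourceServer);
        if (mapClientScope == null) {
            mapClientScope = this.authz.getStoreFactory().getScopeStore().create(resourceServer, RolePermissionManagement.MAP_ROLE_CLIENT_SCOPE_SCOPE);
        }
        Scope mapCompositeScope = mapCompositeScope(resourceServer);
        if (mapCompositeScope == null) {
            mapCompositeScope = this.authz.getStoreFactory().getScopeStore().create(resourceServer, RolePermissionManagement.MAP_ROLE_COMPOSITE_SCOPE);
        }
        String roleResourceName = getRoleResourceName(roleModel);
        Resource findByName = this.authz.getStoreFactory().getResourceStore().findByName(resourceServer, roleResourceName);
        if (findByName == null) {
            // owner is the resource server's client; type "Role" is what getRolesWithPermission queries by
            findByName = this.authz.getStoreFactory().getResourceStore().create(resourceServer, roleResourceName, resourceServer.getClientId());
            HashSet hashSet = new HashSet();
            hashSet.add(mapClientScope);
            hashSet.add(mapCompositeScope);
            hashSet.add(mapRoleScope);
            findByName.updateScopes(hashSet);
            findByName.setType("Role");
        }
        if (mapRolePermission(roleModel) == null) {
            Helper.addEmptyScopePermission(this.authz, resourceServer, getMapRolePermissionName(roleModel), findByName, mapRoleScope).setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
        }
        if (mapClientScopePermission(roleModel) == null) {
            Helper.addEmptyScopePermission(this.authz, resourceServer, getMapClientScopePermissionName(roleModel), findByName, mapClientScope).setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
        }
        if (mapCompositePermission(roleModel) == null) {
            Helper.addEmptyScopePermission(this.authz, resourceServer, getMapCompositePermissionName(roleModel), findByName, mapCompositeScope).setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
        }
    }

    private String getMapRolePermissionName(RoleModel roleModel) {
        return "map-role.permission." + roleModel.getId();
    }

    private String getMapClientScopePermissionName(RoleModel roleModel) {
        return "map-role-client-scope.permission." + roleModel.getId();
    }

    private String getMapCompositePermissionName(RoleModel roleModel) {
        return "map-role-composite.permission." + roleModel.getId();
    }

    /**
     * Name of the per-role resource. Built from {@link #RESOURCE_NAME_PREFIX} so that
     * {@link #getRolesWithPermission} can strip exactly the same prefix to recover the
     * role id; the two must never drift apart.
     */
    private static String getRoleResourceName(RoleModel roleModel) {
        return RESOURCE_NAME_PREFIX + roleModel.getId();
    }
}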
