package org.keycloak.services.resources.admin.permissions;

import jakarta.ws.rs.ForbiddenException;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ImpersonationConstants;
import org.keycloak.services.resources.admin.AdminAuth;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;

/* loaded from: input_file:org/keycloak/services/resources/admin/permissions/RealmAuth.class */
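/**
 * Role-based permission check for admin operations on one realm.
 *
 * <p>Every check delegates to {@code AdminAuth.hasOneOfAppRole} against the realm's admin
 * client ({@code realmAdminApp}); the role names come from {@link AdminRoles} and
 * {@link ImpersonationConstants}. The {@code require*} methods throw
 * {@link ForbiddenException} when the matching {@code has*} check returns {@code false}.
 *
 * <p>{@link #init(AdminAuth.Resource)} must be called before any view/manage check: those
 * checks switch on the selected resource and fail with a {@link NullPointerException} while
 * it is still unset. {@link #hasAny()} and {@link #requireAny()} do not read the resource.
 *
 * <p>The decompiled form of this class switched through a synthetic {@code int[]} lookup
 * table and used unrelated constants ({@code DPoPUtil.DEFAULT_ALLOWED_CLOCK_SKEW},
 * {@code DeclarativeUserProfileProviderFactory.PROVIDER_PRIORITY}) as case labels. The
 * role mapping below switches on the enum directly so that an authorization decision never
 * depends on the numeric value of a constant that has nothing to do with it.
 */
class RealmAuth {
    private final AdminAuth auth;
    private final ClientModel realmAdminApp;
    // Resource type used by the view/manage checks; null until init() is called.
    private AdminAuth.Resource resource;

    /**
     * @param adminAuth   the authenticated admin whose roles are checked
     * @param clientModel the admin client of the realm the roles are looked up on
     */
    public RealmAuth(AdminAuth adminAuth, ClientModel clientModel) {
        this.auth = adminAuth;
        this.realmAdminApp = clientModel;
    }

    /**
     * Selects the resource type for subsequent view/manage checks.
     *
     * @param resource the resource type to check permissions for
     * @return this instance, for chaining
     */
    public RealmAuth init(AdminAuth.Resource resource) {
        this.resource = resource;
        return this;
    }

    /** @return the admin authentication this object checks roles against */
    public AdminAuth getAuth() {
        return this.auth;
    }

    /**
     * Requires at least one of {@code AdminRoles.ALL_REALM_ROLES}.
     *
     * @throws ForbiddenException if {@link #hasAny()} is {@code false}
     */
    public void requireAny() {
        if (!hasAny()) {
            throw new ForbiddenException();
        }
    }

    /** @return the result of checking {@code AdminRoles.ALL_REALM_ROLES} on the realm admin client */
    public boolean hasAny() {
        return this.auth.hasOneOfAppRole(this.realmAdminApp, AdminRoles.ALL_REALM_ROLES);
    }

    /**
     * Checks the view role or the manage role of the selected resource, so a manage role is
     * accepted wherever a view role is.
     *
     * @return the result of the role check
     * @throws IllegalStateException if the selected resource has no view role (IMPERSONATION);
     *     the check then fails with an exception rather than returning {@code false}
     */
    public boolean hasView() {
        // Both role names are resolved before the check runs, view role first.
        String viewRole = getViewRole(this.resource);
        String manageRole = getManageRole(this.resource);
        return this.auth.hasOneOfAppRole(this.realmAdminApp, viewRole, manageRole);
    }

    /**
     * Checks the manage role of the selected resource.
     *
     * @return the result of the role check
     */
    public boolean hasManage() {
        return this.auth.hasOneOfAppRole(this.realmAdminApp, getManageRole(this.resource));
    }

    /**
     * Requires view (or manage) permission on the selected resource.
     *
     * @throws ForbiddenException    if {@link #hasView()} is {@code false}
     * @throws IllegalStateException if the selected resource has no view role
     */
    public void requireView() {
        if (!hasView()) {
            throw new ForbiddenException();
        }
    }

    /**
     * Requires manage permission on the selected resource.
     *
     * @throws ForbiddenException if {@link #hasManage()} is {@code false}
     */
    public void requireManage() {
        if (!hasManage()) {
            throw new ForbiddenException();
        }
    }

    /**
     * Maps a resource type to the name of its view role.
     *
     * @throws IllegalStateException for any resource without a view role, which includes
     *     IMPERSONATION; an unmapped resource is an error, never an implicit grant
     */
    private String getViewRole(AdminAuth.Resource resource) {
        switch (resource) {
            case CLIENT:
                return AdminRoles.VIEW_CLIENTS;
            case USER:
                return AdminRoles.VIEW_USERS;
            case REALM:
                return AdminRoles.VIEW_REALM;
            case EVENTS:
                return AdminRoles.VIEW_EVENTS;
            case IDENTITY_PROVIDER:
                return AdminRoles.VIEW_IDENTITY_PROVIDERS;
            case AUTHORIZATION:
                return AdminRoles.VIEW_AUTHORIZATION;
            default:
                throw new IllegalStateException();
        }
    }

    /**
     * Maps a resource type to the name of its manage role.
     *
     * @throws IllegalStateException for a resource type with no mapping here
     */
    private String getManageRole(AdminAuth.Resource resource) {
        switch (resource) {
            case CLIENT:
                return AdminRoles.MANAGE_CLIENTS;
            case USER:
                return AdminRoles.MANAGE_USERS;
            case REALM:
                return AdminRoles.MANAGE_REALM;
            case EVENTS:
                return AdminRoles.MANAGE_EVENTS;
            case IDENTITY_PROVIDER:
                return AdminRoles.MANAGE_IDENTITY_PROVIDERS;
            case AUTHORIZATION:
                return AdminRoles.MANAGE_AUTHORIZATION;
            case IMPERSONATION:
                return ImpersonationConstants.IMPERSONATION_ROLE;
            default:
                throw new IllegalStateException();
        }
    }
}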
