package org.keycloak.authorization;

import jakarta.persistence.criteria.CriteriaBuilder;
import jakarta.persistence.criteria.CriteriaQuery;
import jakarta.persistence.criteria.Path;
import jakarta.persistence.criteria.Predicate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Stream;
import org.keycloak.Config;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.policy.provider.PartialEvaluationContext;
import org.keycloak.authorization.policy.provider.PartialEvaluationPolicyProvider;
import org.keycloak.authorization.policy.provider.PartialEvaluationStorageProvider;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.idm.authorization.Logic;
import org.keycloak.representations.idm.authorization.ResourceType;

/* loaded from: input_file:org/keycloak/authorization/PartialEvaluator.class */
public class PartialEvaluator {
    private static final String NO_ID = "none";
    private static final String ID_FIELD = "id";
    private static final String PARTIAL_EVALUATION_CONTEXT_CACHE = "kc.authz.fgap.partial.evaluation.cache";

    public List<Predicate> getPredicates(KeycloakSession keycloakSession, ResourceType resourceType, PartialEvaluationStorageProvider partialEvaluationStorageProvider, RealmModel realmModel, CriteriaBuilder criteriaBuilder, CriteriaQuery<?> criteriaQuery, Path<?> path) {
        if (!AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realmModel)) {
            return partialEvaluationStorageProvider == null ? List.of() : partialEvaluationStorageProvider.getFilters(new PartialEvaluationContext(partialEvaluationStorageProvider, criteriaBuilder, criteriaQuery, path));
        }
        UserModel user = keycloakSession.getContext().getUser();
        return shouldSkipPartialEvaluation(keycloakSession, user, resourceType) ? List.of() : buildPredicates(runEvaluation(keycloakSession, user, resourceType, partialEvaluationStorageProvider, criteriaBuilder, criteriaQuery, path));
    }

    private PartialEvaluationContext runEvaluation(KeycloakSession keycloakSession, UserModel userModel, ResourceType resourceType, PartialEvaluationStorageProvider partialEvaluationStorageProvider, CriteriaBuilder criteriaBuilder, CriteriaQuery<?> criteriaQuery, Path<?> path) {
        Map map = (Map) keycloakSession.getAttributeOrDefault(PARTIAL_EVALUATION_CONTEXT_CACHE, Map.of());
        if (((Map) map.getOrDefault(userModel.getId(), Map.of())).containsKey(resourceType.getType())) {
            PartialEvaluationContext partialEvaluationContext = (PartialEvaluationContext) ((Map) map.get(userModel.getId())).get(resourceType.getType());
            partialEvaluationContext.setStorage(partialEvaluationStorageProvider);
            partialEvaluationContext.setCriteriaBuilder(criteriaBuilder);
            partialEvaluationContext.setCriteriaQuery(criteriaQuery);
            partialEvaluationContext.setPath(path);
            return partialEvaluationContext;
        }
        Set<String> hashSet = new HashSet<>();
        Set<String> hashSet2 = new HashSet<>();
        List<PartialEvaluationPolicyProvider> partialEvaluationPolicyProviders = getPartialEvaluationPolicyProviders(keycloakSession);
        Iterator<PartialEvaluationPolicyProvider> it = partialEvaluationPolicyProviders.iterator();
        while (it.hasNext()) {
            it.next().getPermissions(keycloakSession, resourceType, userModel).forEach(policy -> {
                Set<String> resourceNames = policy.getResourceNames();
                for (Policy policy : policy.getAssociatedPolicies()) {
                    PartialEvaluationPolicyProvider partialEvaluationPolicyProvider = getPartialEvaluationPolicyProvider(policy, partialEvaluationPolicyProviders);
                    if (partialEvaluationPolicyProvider != null) {
                        boolean evaluate = partialEvaluationPolicyProvider.evaluate(keycloakSession, policy, userModel);
                        if (Logic.NEGATIVE.equals(policy.getLogic())) {
                            evaluate = !evaluate;
                        }
                        if (evaluate) {
                            hashSet.addAll(resourceNames);
                        } else {
                            hashSet2.addAll(resourceNames);
                        }
                    }
                }
            });
        }
        hashSet.removeAll(hashSet2);
        PartialEvaluationContext createEvaluationContext = createEvaluationContext(keycloakSession, resourceType, hashSet, hashSet2, partialEvaluationStorageProvider, criteriaBuilder, criteriaQuery, path, userModel);
        if (map.isEmpty()) {
            map = new HashMap();
        }
        ((Map) map.computeIfAbsent(userModel.getId(), str -> {
            return new HashMap();
        })).computeIfAbsent(resourceType.getType(), str2 -> {
            return createEvaluationContext;
        });
        if (keycloakSession.getAttribute(PARTIAL_EVALUATION_CONTEXT_CACHE) == null) {
            keycloakSession.setAttribute(PARTIAL_EVALUATION_CONTEXT_CACHE, map);
        }
        return (PartialEvaluationContext) ((Map) map.get(userModel.getId())).get(resourceType.getType());
    }

    private List<Predicate> buildPredicates(PartialEvaluationContext partialEvaluationContext) {
        List<Predicate> storageFilters = getStorageFilters(partialEvaluationContext);
        CriteriaBuilder criteriaBuilder = partialEvaluationContext.getCriteriaBuilder();
        Path<?> path = partialEvaluationContext.getPath();
        if (isDenied(storageFilters, partialEvaluationContext)) {
            return List.of(criteriaBuilder.equal(path.get(ID_FIELD), "none"));
        }
        Set<String> deniedResources = partialEvaluationContext.getDeniedResources();
        ResourceType resourceType = partialEvaluationContext.getResourceType();
        if (deniedResources.contains(resourceType.getType())) {
            deniedResources = Set.of();
        }
        ArrayList arrayList = new ArrayList();
        if (!deniedResources.isEmpty()) {
            arrayList.add(criteriaBuilder.not(path.get(ID_FIELD).in(deniedResources)));
        }
        arrayList.addAll(getStorageNegateFilters(partialEvaluationContext));
        Set<String> allowedResources = partialEvaluationContext.getAllowedResources();
        if (allowedResources.contains(resourceType.getType())) {
            allowedResources = Set.of();
        }
        if (allowedResources.isEmpty()) {
            arrayList.addAll(storageFilters);
            return arrayList;
        }
        if (storageFilters.isEmpty()) {
            arrayList.add(criteriaBuilder.and(new Predicate[]{path.get(ID_FIELD).in(allowedResources)}));
        } else {
            ArrayList arrayList2 = new ArrayList(storageFilters);
            arrayList2.add(path.get(ID_FIELD).in(allowedResources));
            arrayList.add(criteriaBuilder.or((Predicate[]) arrayList2.toArray(new Predicate[0])));
        }
        return arrayList;
    }

    private PartialEvaluationContext createEvaluationContext(KeycloakSession keycloakSession, ResourceType resourceType, Set<String> set, Set<String> set2, PartialEvaluationStorageProvider partialEvaluationStorageProvider, CriteriaBuilder criteriaBuilder, CriteriaQuery<?> criteriaQuery, Path<?> path, UserModel userModel) {
        PartialEvaluationContext partialEvaluationContext = new PartialEvaluationContext(resourceType, set, set2, partialEvaluationStorageProvider, criteriaBuilder, criteriaQuery, path);
        String groupType = resourceType.getGroupType();
        if (groupType != null) {
            ResourceType resourceType2 = (ResourceType) AdminPermissionsSchema.SCHEMA.getResourceTypes().get(groupType);
            if (resourceType2 == null) {
                return partialEvaluationContext;
            }
            PartialEvaluationContext runEvaluation = runEvaluation(keycloakSession, userModel, resourceType2, partialEvaluationStorageProvider, criteriaBuilder, criteriaQuery, path);
            partialEvaluationContext.setAllowedGroups(runEvaluation.getAllowedResources());
            partialEvaluationContext.setDeniedGroups(runEvaluation.getDeniedResources());
        }
        return partialEvaluationContext;
    }

    private List<Predicate> getStorageFilters(PartialEvaluationContext partialEvaluationContext) {
        PartialEvaluationStorageProvider storage = partialEvaluationContext.getStorage();
        return storage == null ? List.of() : storage.getFilters(partialEvaluationContext);
    }

    private List<Predicate> getStorageNegateFilters(PartialEvaluationContext partialEvaluationContext) {
        PartialEvaluationStorageProvider storage = partialEvaluationContext.getStorage();
        return storage == null ? List.of() : storage.getNegateFilters(partialEvaluationContext);
    }

    private boolean isDenied(List<Predicate> list, PartialEvaluationContext partialEvaluationContext) {
        return partialEvaluationContext.getAllowedResources().isEmpty() && list.isEmpty();
    }

    private List<PartialEvaluationPolicyProvider> getPartialEvaluationPolicyProviders(KeycloakSession keycloakSession) {
        Stream filter = keycloakSession.getAllProviders(PolicyProvider.class).stream().filter(policyProvider -> {
            return policyProvider instanceof PartialEvaluationPolicyProvider;
        });
        Class<PartialEvaluationPolicyProvider> cls = PartialEvaluationPolicyProvider.class;
        Objects.requireNonNull(PartialEvaluationPolicyProvider.class);
        return filter.map((v1) -> {
            return r1.cast(v1);
        }).toList();
    }

    private PartialEvaluationPolicyProvider getPartialEvaluationPolicyProvider(Policy policy, List<PartialEvaluationPolicyProvider> list) {
        return list.stream().filter(partialEvaluationPolicyProvider -> {
            return partialEvaluationPolicyProvider.supports(policy);
        }).findAny().orElse(null);
    }

    private boolean hasViewScope(Policy policy) {
        return policy.getScopes().stream().map((v0) -> {
            return v0.getName();
        }).anyMatch(str -> {
            return str.startsWith(AdminPermissionsSchema.VIEW);
        });
    }

    private boolean shouldSkipPartialEvaluation(KeycloakSession keycloakSession, UserModel userModel, ResourceType resourceType) {
        ClientModel realmManagementClient;
        if (AdminPermissionsSchema.isSkipEvaluation(keycloakSession) || userModel == null || (realmManagementClient = getRealmManagementClient(keycloakSession)) == null) {
            return true;
        }
        if (resourceType.equals(AdminPermissionsSchema.USERS) || resourceType.equals(AdminPermissionsSchema.GROUPS)) {
            return userModel.hasRole(realmManagementClient.getRole(AdminRoles.VIEW_USERS)) || userModel.hasRole(realmManagementClient.getRole(AdminRoles.MANAGE_USERS)) || !hasAnyQueryAdminRole(realmManagementClient, userModel);
        }
        if (resourceType.equals(AdminPermissionsSchema.CLIENTS)) {
            return userModel.hasRole(realmManagementClient.getRole(AdminRoles.VIEW_CLIENTS)) || userModel.hasRole(realmManagementClient.getRole(AdminRoles.MANAGE_CLIENTS)) || !hasAnyQueryAdminRole(realmManagementClient, userModel);
        }
        return false;
    }

    private ClientModel getRealmManagementClient(KeycloakSession keycloakSession) {
        RealmModel realm = keycloakSession.getContext().getRealm();
        return realm.getName().equals(Config.getAdminRealm()) ? keycloakSession.clients().getClientByClientId(realm, realm.getMasterAdminClient().getClientId()) : realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
    }

    private boolean hasAnyQueryAdminRole(ClientModel clientModel, UserModel userModel) {
        boolean z = false;
        Iterator it = List.of(AdminRoles.QUERY_CLIENTS, AdminRoles.QUERY_GROUPS, AdminRoles.QUERY_USERS).iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            if (userModel.hasRole(clientModel.getRole((String) it.next()))) {
                z = true;
                break;
            }
        }
        return z;
    }
}
