package org.keycloak.services.resources.admin.permissions;

import jakarta.ws.rs.ForbiddenException;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import org.keycloak.authorization.AdminPermissionsSchema;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.common.DefaultEvaluationContext;
import org.keycloak.authorization.identity.UserModelIdentity;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.ResourceWrapper;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.EvaluationContext;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ImpersonationConstants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.UserModel;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.services.resources.KeycloakOpenAPI;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/keycloak/services/resources/admin/permissions/UserPermissionsV2.class */
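/**
 * V2 user-permission evaluator for the admin API.
 *
 * <p>Every {@code canX} method follows the same two-step pattern: a coarse realm-role check
 * ({@link AdminRoles} / {@link ImpersonationConstants}) short-circuits to {@code true};
 * otherwise the decision is delegated to the fine-grained admin-permissions schema through
 * {@link #hasPermission}. That fine-grained path only applies to admins of the same realm
 * ({@code root.isAdminSameRealm()}) and denies in every other case, so a cross-realm admin
 * lacking the coarse role is always refused.
 *
 * <p>The V1 management operations ({@code isPermissionsEnabled}, {@code resource()}, the
 * {@code *Permission()} policy accessors, ...) are not supported here and throw
 * {@link UnsupportedOperationException}.
 *
 * <p>NOTE(review): this is a decompiled listing; the decompiler reports the class and its
 * constructor were originally package-private. The widened visibility is kept so existing
 * references keep compiling.
 */
public class UserPermissionsV2 extends UserPermissions {

    /** Scope evaluated by {@link #canImpersonate}. */
    private static final String IMPERSONATE_SCOPE = "impersonate";
    /** Scope evaluated by {@link #canManageGroupMembership}. */
    private static final String MANAGE_GROUP_MEMBERSHIP_SCOPE = "manage-group-membership";
    /** Evaluation-context attribute that carries the impersonating client's id. */
    private static final String CLIENT_ID_ATTRIBUTE = "kc.client.id";
    /** Message of the exception thrown by every V1-only operation. */
    private static final String NOT_SUPPORTED_MESSAGE = "Not supported in V2";

    public UserPermissionsV2(KeycloakSession keycloakSession, AuthorizationProvider authorizationProvider, MgmtPermissionsV2 mgmtPermissionsV2) {
        super(keycloakSession, authorizationProvider, mgmtPermissionsV2);
    }

    /**
     * Whether the current admin may read {@code userModel}.
     *
     * @return {@code true} if the admin holds manage-users or view-users, or has a
     *     fine-grained {@code view} grant for this user
     */
    @Override
    public boolean canView(UserModel userModel) {
        return this.root.hasOneAdminRole(AdminRoles.MANAGE_USERS, AdminRoles.VIEW_USERS)
                || hasPermission(userModel, null, AdminPermissionManagement.VIEW_SCOPE);
    }

    /**
     * Whether the current admin may read users in general (evaluated against the
     * "users" resource type rather than a specific user).
     */
    @Override
    public boolean canView() {
        return this.root.hasOneAdminRole(AdminRoles.MANAGE_USERS, AdminRoles.VIEW_USERS)
                || hasPermission((UserModel) null, null, AdminPermissionManagement.VIEW_SCOPE);
    }

    /**
     * Whether the current admin may modify {@code userModel}.
     *
     * @return {@code true} if the admin holds manage-users, or has a fine-grained
     *     {@code manage} grant for this user
     */
    @Override
    public boolean canManage(UserModel userModel) {
        return this.root.hasOneAdminRole(AdminRoles.MANAGE_USERS)
                || hasPermission(userModel, null, AdminPermissionManagement.MANAGE_SCOPE);
    }

    /**
     * Whether the current admin may modify users in general.
     *
     * <p>The explicit same-realm check is kept even though {@link #hasPermission} repeats it,
     * to preserve the original evaluation order.
     */
    @Override
    public boolean canManage() {
        if (this.root.hasOneAdminRole(AdminRoles.MANAGE_USERS)) {
            return true;
        }
        if (!this.root.isAdminSameRealm()) {
            return false;
        }
        return hasPermission((UserModel) null, null, AdminPermissionManagement.MANAGE_SCOPE);
    }

    /**
     * Enforces {@link #canManage()}.
     *
     * @throws ForbiddenException if the current admin may not manage users
     */
    @Override
    public void requireManage() {
        if (!canManage()) {
            throw new ForbiddenException();
        }
    }

    /**
     * Whether the current admin may impersonate {@code userModel}.
     *
     * <p>Holders of the impersonation role are always allowed. Otherwise the
     * {@code impersonate} scope is evaluated for the user; when {@code clientModel} is
     * given, the evaluation context additionally exposes its client id under
     * {@value #CLIENT_ID_ATTRIBUTE} so policies can condition on the requesting client.
     *
     * @param clientModel the client on whose behalf impersonation happens, may be {@code null}
     */
    @Override
    public boolean canImpersonate(UserModel userModel, ClientModel clientModel) {
        if (this.root.hasOneAdminRole(ImpersonationConstants.IMPERSONATION_ROLE)) {
            return true;
        }
        EvaluationContext context = clientModel == null ? null : impersonationContext(userModel, clientModel);
        return hasPermission(userModel, context, IMPERSONATE_SCOPE);
    }

    /** Builds the evaluation context used when a client takes part in an impersonation check. */
    private EvaluationContext impersonationContext(UserModel userModel, ClientModel clientModel) {
        return new DefaultEvaluationContext(
                new UserModelIdentity(this.root.realm, userModel),
                Map.of(CLIENT_ID_ATTRIBUTE, List.of(clientModel.getClientId())),
                this.session);
    }

    /**
     * Whether the current admin may change role mappings of {@code userModel}.
     *
     * @return {@code true} if the admin holds manage-users, or has a fine-grained
     *     map-roles grant for this user
     */
    @Override
    public boolean canMapRoles(UserModel userModel) {
        return this.root.hasOneAdminRole(AdminRoles.MANAGE_USERS)
                || hasPermission(userModel, null, ClientPermissionManagement.MAP_ROLES_SCOPE);
    }

    /**
     * Whether the current admin may change group membership of {@code userModel}.
     *
     * @return {@code true} if the admin holds manage-users, or has a fine-grained
     *     manage-group-membership grant for this user
     */
    @Override
    public boolean canManageGroupMembership(UserModel userModel) {
        return this.root.hasOneAdminRole(AdminRoles.MANAGE_USERS)
                || hasPermission(userModel, null, MANAGE_GROUP_MEMBERSHIP_SCOPE);
    }

    /**
     * Evaluates the fine-grained admin permissions for {@code scope} on the given user.
     *
     * @param userModel the target user, or {@code null} to evaluate against the generic
     *     "users" resource-type resource (i.e. "may act on users at all")
     * @param evaluationContext optional extra context (e.g. the impersonating client); when
     *     {@code null} the root evaluator's default context is used
     * @param scope scope name that a granted permission for the target resource must contain
     * @return {@code true} only if the admin belongs to this realm, the realm has a resource
     *     server, the "users" resource type is known, and some granted permission for exactly
     *     the target resource contains {@code scope}; {@code false} otherwise (fails closed)
     */
    private boolean hasPermission(UserModel userModel, EvaluationContext evaluationContext, String scope) {
        // Fine-grained permissions are confined to the admin's own realm.
        if (!this.root.isAdminSameRealm()) {
            return false;
        }
        ResourceServer server = this.root.realmResourceServer();
        if (server == null) {
            return false;
        }
        Resource usersType = AdminPermissionsSchema.SCHEMA.getResourceTypeResource(this.session, server, KeycloakOpenAPI.Admin.Tags.USERS);
        if (usersType == null) {
            // NOTE(review): the original dereferenced this unconditionally; deny instead of NPE.
            return false;
        }
        Resource target = resolveTarget(userModel, usersType, server);
        ResourcePermission request = new ResourcePermission(KeycloakOpenAPI.Admin.Tags.USERS, target, target.getScopes(), server);
        for (Permission granted : evaluationContext == null
                ? this.root.evaluatePermission(request, server)
                : this.root.evaluatePermission(request, server, evaluationContext)) {
            // A grant counts only when it names the target resource itself and carries the scope.
            if (granted.getResourceId().equals(target.getId()) && granted.getScopes().contains(scope)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Resolves the resource the permission request is evaluated against: the "users" type
     * resource when no user is given, the persisted per-user resource when one exists, and
     * otherwise a transient wrapper keyed by the user id that inherits the type's scopes.
     */
    private Resource resolveTarget(UserModel userModel, Resource usersType, ResourceServer server) {
        if (userModel == null) {
            return usersType;
        }
        Resource stored = this.resourceStore.findByName(server, userModel.getId());
        if (stored != null) {
            return stored;
        }
        return new ResourceWrapper(userModel.getId(), userModel.getId(), new HashSet<>(usersType.getScopes()), server);
    }

    /** Same decision as {@link #canImpersonate(UserModel, ClientModel)} with the arguments swapped. */
    @Override
    public boolean canClientImpersonate(ClientModel clientModel, UserModel userModel) {
        return canImpersonate(userModel, clientModel);
    }

    /** @throws UnsupportedOperationException always; V1-only operation */
    @Override
    public boolean isImpersonatable(UserModel userModel, ClientModel clientModel) {
        throw notSupported();
    }

    /** @throws UnsupportedOperationException always; V1-only operation */
    @Override
    public boolean isImpersonatable(UserModel userModel) {
        throw notSupported();
    }

    /** @throws UnsupportedOperationException always; V1-only operation */
    @Override
    public boolean isPermissionsEnabled() {
        throw notSupported();
    }

    /** @throws UnsupportedOperationException always; V1-only operation */
    @Override
    public void setPermissionsEnabled(boolean z) {
        throw notSupported();
    }

    /** @throws UnsupportedOperationException always; V1-only operation */
    @Override
    public Map<String, String> getPermissions() {
        throw notSupported();
    }

    /** @throws UnsupportedOperationException always; V1-only operation */
    @Override
    public Resource resource() {
        throw notSupported();
    }

    /** @throws UnsupportedOperationException always; V1-only operation */
    @Override
    public Policy managePermission() {
        throw notSupported();
    }

    /** @throws UnsupportedOperationException always; V1-only operation */
    @Override
    public Policy viewPermission() {
        throw notSupported();
    }

    /** @throws UnsupportedOperationException always; V1-only operation */
    @Override
    public Policy manageGroupMembershipPermission() {
        throw notSupported();
    }

    /** @throws UnsupportedOperationException always; V1-only operation */
    @Override
    public Policy mapRolesPermission() {
        throw notSupported();
    }

    /** @throws UnsupportedOperationException always; V1-only operation */
    @Override
    public Policy adminImpersonatingPermission() {
        throw notSupported();
    }

    /** @throws UnsupportedOperationException always; V1-only operation */
    @Override
    public Policy userImpersonatedPermission() {
        throw notSupported();
    }

    /** Single place for the exception every V1-only operation raises. */
    private static UnsupportedOperationException notSupported() {
        return new UnsupportedOperationException(NOT_SUPPORTED_MESSAGE);
    }
}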
