package org.keycloak.authorization.admin;

import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.Response;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.eclipse.microprofile.openapi.annotations.extensions.Extension;
import org.eclipse.microprofile.openapi.annotations.media.Content;
import org.eclipse.microprofile.openapi.annotations.media.Schema;
import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
import org.eclipse.microprofile.openapi.annotations.responses.APIResponses;
import org.jboss.logging.Logger;
import org.keycloak.authorization.AdminPermissionsSchema;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.Decision;
import org.keycloak.authorization.admin.representation.PolicyEvaluationResponseBuilder;
import org.keycloak.authorization.attribute.Attributes;
import org.keycloak.authorization.common.DefaultEvaluationContext;
import org.keycloak.authorization.common.KeycloakIdentity;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.ResourceWrapper;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.Permissions;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.DecisionPermissionCollector;
import org.keycloak.authorization.policy.evaluation.EvaluationContext;
import org.keycloak.authorization.policy.evaluation.Result;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oid4vc.model.CredentialBuildConfig;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PolicyEvaluationRequest;
import org.keycloak.representations.idm.authorization.PolicyEvaluationResponse;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.services.resources.KeycloakOpenAPI;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.utils.MediaType;

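@Extension(name = KeycloakOpenAPI.Profiles.ADMIN, value = "")
/**
 * Admin-console "policy evaluation" endpoint for one {@link ResourceServer}.
 *
 * <p>A caller holding view-authorization on the resource server submits a hypothetical
 * request (user, client, roles, resources/scopes, extra attributes) and gets back the
 * decision the authorization engine would reach. To do so the service builds an
 * {@link AccessToken} for the requested user: when the user exists in the realm a real
 * (persistent) user session and token are minted for them and torn down again when the
 * evaluation finishes; otherwise a synthetic token is assembled from the request alone.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Only {@code requireViewAuthorization} gates this endpoint, yet it effectively
 *       impersonates any realm user for the duration of one evaluation. Keep that
 *       check first in {@link #evaluate(PolicyEvaluationRequest)}.</li>
 *   <li>Request-supplied {@code roleIds} are added to the simulated token without being
 *       validated against the realm; this is intentional "what-if" input from an admin.</li>
 *   <li>The temporary user session must never outlive the request; see
 *       {@link CloseableKeycloakIdentity#close()} and the rollback in
 *       {@link #createIdentity(PolicyEvaluationRequest)}.</li>
 *   <li>Internal failures are reported as a generic {@code server_error}; details go to
 *       the server log only.</li>
 * </ul>
 */
public class PolicyEvaluationService {

    private static final Logger logger = Logger.getLogger(PolicyEvaluationService.class);

    /**
     * Separator used to split a multi-valued attribute supplied in the request context.
     * NOTE(review): the reference to an oid4vc constant looks like decompiler constant
     * folding of a plain "," literal; the value is what matters here, not the module.
     */
    private static final String ATTRIBUTE_VALUE_SEPARATOR = CredentialBuildConfig.MULTIVALUED_STRING_SEPARATOR;

    /** Key under {@code PolicyEvaluationRequest#getContext()} holding extra claims/attributes. */
    private static final String CONTEXT_ATTRIBUTES = "attributes";

    private final AuthorizationProvider authorization;
    private final AdminPermissionEvaluator auth;
    private final ResourceServer resourceServer;

    /**
     * Identity of the simulated user. When the simulation created a real user session for
     * an existing user, {@link #close()} removes that session again so the evaluation
     * leaves no persistent trace.
     */
    public static class CloseableKeycloakIdentity extends KeycloakIdentity {

        /** Temporary session created for an existing user, or {@code null} for a synthetic token. */
        private final UserSessionModel userSession;

        public CloseableKeycloakIdentity(AccessToken accessToken, KeycloakSession keycloakSession, UserSessionModel userSession) {
            super(accessToken, keycloakSession);
            this.userSession = userSession;
        }

        /** Removes the temporary user session, if one was created. Safe to call when none exists. */
        public void close() {
            if (userSession == null) {
                return;
            }
            keycloakSession.sessions().removeUserSession(realm, userSession);
        }

        /**
         * Resolves the identity id. With a real user session the parent implementation is
         * used; for a synthetic token the id is that of the service account of the client
         * the token was issued for, or {@code null} when it cannot be resolved.
         */
        @Override
        public String getId() {
            if (userSession != null) {
                return super.getId();
            }
            String issuedFor = accessToken.getIssuedFor();
            if (issuedFor == null) {
                return null;
            }
            // Guard the client lookup: an unknown client must not be handed to the user store.
            ClientModel client = realm.getClientByClientId(issuedFor);
            if (client == null) {
                return null;
            }
            UserModel serviceAccount = keycloakSession.users().getServiceAccount(client);
            return serviceAccount == null ? null : serviceAccount.getId();
        }
    }

    /**
     * Decision collector that additionally records, per evaluated policy and permission,
     * the PERMIT effect so the admin console can render every result, not just the grants.
     */
    public static class EvaluationDecisionCollector extends DecisionPermissionCollector {

        public EvaluationDecisionCollector(AuthorizationProvider authorization, ResourceServer resourceServer, AuthorizationRequest request) {
            super(authorization, resourceServer, request);
        }

        /** Marks a granting policy result as PERMIT before reporting it as granted. */
        @Override
        protected boolean isGranted(Result.PolicyResult policyResult) {
            boolean granted = super.isGranted(policyResult);
            if (granted) {
                policyResult.setEffect(Decision.Effect.PERMIT);
            }
            return granted;
        }

        /**
         * Records the PERMIT on the result and narrows the permission's scopes to the ones
         * actually granted before delegating to the parent.
         */
        @Override
        protected void grantPermission(AuthorizationProvider authorization, Set<Permission> permissions, ResourcePermission permission,
                                       Collection<Scope> grantedScopes, ResourceServer resourceServer, AuthorizationRequest request, Result result) {
            result.setStatus(Decision.Effect.PERMIT);
            result.getPermission().getScopes().retainAll(grantedScopes);
            super.grantPermission(authorization, permissions, permission, grantedScopes, resourceServer, request, result);
        }

        /** All per-permission results collected during the evaluation. */
        public Collection<Result> getResults() {
            return results.values();
        }
    }

    PolicyEvaluationService(ResourceServer resourceServer, AuthorizationProvider authorization, AdminPermissionEvaluator auth) {
        this.resourceServer = resourceServer;
        this.authorization = authorization;
        this.auth = auth;
    }

    /**
     * Evaluates the hypothetical request described by {@code request} against this resource
     * server's policies.
     *
     * @param request user/client/roles/resources/attributes to simulate
     * @return 200 with a {@link PolicyEvaluationResponse}
     * @throws BadRequestException   when the request is malformed (surfaced as 400, not
     *                               masked as a server error)
     * @throws ErrorResponseException {@code server_error} / 500 for any other failure; the
     *                               cause is logged but not returned to the caller
     */
    @APIResponses({
            @APIResponse(responseCode = "200", content = {@Content(schema = @Schema(implementation = PolicyEvaluationResponse.class))}),
            @APIResponse(responseCode = "400", description = "Bad Request"),
            @APIResponse(responseCode = "500", description = "Internal Server Error")})
    @Produces({MediaType.APPLICATION_JSON})
    @POST
    @Consumes({MediaType.APPLICATION_JSON})
    public Response evaluate(PolicyEvaluationRequest request) {
        // Authorization check must precede any work, in particular the session creation below.
        auth.realm().requireViewAuthorization(resourceServer);

        CloseableKeycloakIdentity identity = createIdentity(request);
        try {
            AuthorizationRequest authorizationRequest = new AuthorizationRequest();
            // Request-context attributes are exposed to policies both as claims and as context attributes.
            authorizationRequest.setClaims(parseRequestAttributes(request));

            EvaluationDecisionCollector decision =
                    evaluate(request, createEvaluationContext(request, identity), authorizationRequest);

            return Response.ok(
                    PolicyEvaluationResponseBuilder.build(decision, resourceServer, authorization, identity, request))
                    .build();
        } catch (BadRequestException e) {
            // Validation failures raised while building permissions are client errors; do not
            // downgrade them to a 500.
            throw e;
        } catch (Exception e) {
            // Generic message to the client; the real cause only goes to the server log.
            logger.error("Error while evaluating permissions", e);
            throw new ErrorResponseException("server_error", "Error while evaluating permissions.", Response.Status.INTERNAL_SERVER_ERROR);
        } finally {
            // Always tear down the temporary user session, on success and failure alike.
            identity.close();
        }
    }

    /**
     * Runs the policy engine for the permissions derived from the request.
     *
     * <p>When the request names no resources/scopes: with the admin-permissions feature
     * enabled an empty collector is returned (nothing to evaluate); otherwise every
     * permission of the resource server is evaluated from the context.
     */
    private EvaluationDecisionCollector evaluate(PolicyEvaluationRequest request, EvaluationContext context, AuthorizationRequest authorizationRequest) {
        List<ResourcePermission> permissions = createPermissions(request, context, authorization, authorizationRequest);
        EvaluationDecisionCollector collector = new EvaluationDecisionCollector(authorization, resourceServer, authorizationRequest);

        if (!permissions.isEmpty()) {
            return authorization.evaluators().from(permissions, resourceServer, context).evaluate(collector);
        }
        if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(authorization.getRealm())) {
            return collector;
        }
        return authorization.evaluators().from(context, resourceServer, authorizationRequest).evaluate(collector);
    }

    /**
     * Builds the evaluation context for the simulated identity. Attributes supplied in the
     * request context override the default attributes of the same name.
     */
    private EvaluationContext createEvaluationContext(PolicyEvaluationRequest request, KeycloakIdentity identity) {
        return new DefaultEvaluationContext(identity, authorization.getKeycloakSession()) {
            @Override
            public Attributes getAttributes() {
                Map<String, Collection<String>> merged = new HashMap<>(super.getAttributes().toMap());
                // Re-read on every call so the view stays consistent with the request object.
                merged.putAll(parseRequestAttributes(request));
                return Attributes.from(merged);
            }
        };
    }

    /**
     * Reads {@code context.attributes} from the request and splits each non-null value on
     * {@link #ATTRIBUTE_VALUE_SEPARATOR}. Entries with a {@code null} value are skipped.
     *
     * @return a fresh, mutable map (empty when the request carries no attributes)
     */
    private static Map<String, List<String>> parseRequestAttributes(PolicyEvaluationRequest request) {
        Map<String, List<String>> parsed = new HashMap<>();
        Map<String, Map<String, String>> context = request.getContext();
        if (context == null) {
            return parsed;
        }
        Map<String, String> given = context.get(CONTEXT_ATTRIBUTES);
        if (given == null) {
            return parsed;
        }
        given.forEach((name, rawValue) -> {
            if (rawValue != null) {
                parsed.put(name, new ArrayList<>(Arrays.asList(rawValue.split(ATTRIBUTE_VALUE_SEPARATOR))));
            }
        });
        return parsed;
    }

    /**
     * Translates the resources/scopes named in the request into {@link ResourcePermission}s.
     *
     * <p>For the realm's admin-permissions client the request must name at least one
     * resource, a resource type and a user; anything else is a {@link BadRequestException}.
     *
     * @return the permissions to evaluate; empty when nothing in the request resolves
     */
    private List<ResourcePermission> createPermissions(PolicyEvaluationRequest request, EvaluationContext context,
                                                       AuthorizationProvider authorization, AuthorizationRequest authorizationRequest) {
        List<ResourceRepresentation> resources = request.getResources();
        if (resources == null) {
            resources = List.of();
        }

        boolean adminPermissionsClient =
                AdminPermissionsSchema.SCHEMA.isAdminPermissionClient(authorization.getRealm(), resourceServer.getId());
        if (adminPermissionsClient) {
            if (resources.isEmpty()) {
                throw new BadRequestException("No resources provided");
            }
            if (request.getResourceType() == null) {
                throw new BadRequestException("No resource type provided");
            }
            if (request.getUserId() == null) {
                throw new BadRequestException("No user provided");
            }
        }

        List<ResourcePermission> permissions = new ArrayList<>();
        for (ResourceRepresentation representation : resources) {
            ResourceRepresentation effective = representation == null ? new ResourceRepresentation() : representation;
            permissionsFor(effective, request, authorization, authorizationRequest, adminPermissionsClient)
                    .forEach(permissions::add);
        }
        return permissions;
    }

    /**
     * Resolves one requested resource representation to zero or more permissions, in this
     * order of precedence: by id, by name (falling back to a wrapper resource for the
     * admin-permissions client), by type, and finally by the requested scopes alone.
     */
    private Stream<ResourcePermission> permissionsFor(ResourceRepresentation representation, PolicyEvaluationRequest request,
                                                      AuthorizationProvider authorization, AuthorizationRequest authorizationRequest,
                                                      boolean adminPermissionsClient) {
        StoreFactory storeFactory = authorization.getStoreFactory();

        Set<ScopeRepresentation> requestedScopes =
                new HashSet<>(Optional.ofNullable(representation.getScopes()).orElse(Set.of()));

        // No explicit scopes: default to every scope of the resource-type resource, if one exists.
        if (requestedScopes.isEmpty()) {
            Resource typeResource = AdminPermissionsSchema.SCHEMA.getResourceTypeResource(
                    authorization.getKeycloakSession(), resourceServer, request.getResourceType());
            if (typeResource != null) {
                typeResource.getScopes().stream()
                        .map(Scope::getName)
                        .map(ScopeRepresentation::new)
                        .forEach(requestedScopes::add);
                representation.setScopes(requestedScopes);
            }
        }

        ScopeStore scopeStore = storeFactory.getScopeStore();
        // NOTE(review): a scope name that does not exist presumably resolves to null and is kept
        // in the set as-is (matches previous behavior) — confirm whether it should be rejected.
        Set<Scope> scopes = requestedScopes.stream()
                .map(scopeRepresentation -> scopeStore.findByName(resourceServer, scopeRepresentation.getName()))
                .collect(Collectors.toSet());

        ResourceStore resourceStore = storeFactory.getResourceStore();

        if (representation.getId() != null) {
            Resource resource = resourceStore.findById(resourceServer, representation.getId());
            if (resource == null) {
                return Stream.empty();
            }
            return Stream.of(Permissions.createResourcePermissions(resource, resourceServer, scopes, authorization, authorizationRequest));
        }

        if (representation.getName() != null) {
            String resourceType = request.getResourceType();
            Resource resource = resourceStore.findByName(resourceServer, representation.getName());
            if (resource != null) {
                return Stream.of(Permissions.createResourcePermissions(resourceType, resource, resourceServer, scopes, authorization, authorizationRequest));
            }
            if (adminPermissionsClient) {
                // Unknown name on the admin-permissions client: evaluate against a placeholder resource.
                ResourceWrapper wrapper = new ResourceWrapper(representation.getName(), scopes, resourceServer);
                return Stream.of(Permissions.createResourcePermissions(resourceType, wrapper, resourceServer, scopes, authorization, authorizationRequest));
            }
            // Otherwise fall through to scope-based resolution.
        } else if (representation.getType() != null) {
            return resourceStore.findByType(resourceServer, representation.getType()).stream()
                    .map(resource -> Permissions.createResourcePermissions(resource, resourceServer, scopes, authorization, authorizationRequest));
        }

        if (scopes.isEmpty()) {
            return Stream.empty();
        }

        List<Resource> byScopes = resourceStore.findByScopes(resourceServer, scopes);
        if (byScopes.isEmpty()) {
            // No resource carries these scopes: evaluate scope-only permissions. The scope list
            // must stay mutable because the collector narrows it with retainAll later.
            return scopes.stream()
                    .map(scope -> new ResourcePermission((Resource) null, new ArrayList<>(Collections.singletonList(scope)), resourceServer));
        }
        return byScopes.stream()
                .map(resource -> Permissions.createResourcePermissions(resource, resourceServer, scopes, authorization, authorizationRequest));
    }

    /**
     * Builds the identity to evaluate as.
     *
     * <p>If {@code userId} names an existing user (by id, then by username) a real user
     * session and client access token are created for them, so the token carries the
     * user's actual roles and claims. The session is persistent and is removed again via
     * {@link CloseableKeycloakIdentity#close()}; if token creation fails part-way the
     * session is removed here so it cannot leak. Otherwise a synthetic token is built from
     * the request alone. Any {@code roleIds} from the request are added as realm roles.
     *
     * @throws BadRequestException when the requested client does not exist in the realm
     */
    private CloseableKeycloakIdentity createIdentity(PolicyEvaluationRequest request) {
        KeycloakSession session = authorization.getKeycloakSession();
        RealmModel realm = session.getContext().getRealm();
        String userId = request.getUserId();

        UserModel user = null;
        if (userId != null) {
            user = session.users().getUserById(realm, userId);
            if (user == null) {
                user = session.users().getUserByUsername(realm, userId);
            }
        }

        AccessToken accessToken = null;
        UserSessionModel userSession = null;

        if (user != null) {
            String clientId = request.getClientId() != null ? request.getClientId() : resourceServer.getClientId();
            if (clientId != null) {
                ClientModel client = realm.getClientById(clientId);
                if (client == null) {
                    throw new BadRequestException("Client not found");
                }
                try {
                    AuthenticationSessionModel authSession = session.authenticationSessions()
                            .createRootAuthenticationSession(realm)
                            .createAuthenticationSession(client);
                    authSession.setProtocol("openid-connect");
                    authSession.setAuthenticatedUser(user);

                    userSession = new UserSessionManager(session).createUserSession(
                            authSession.getParentSession().getId(), realm, user, user.getUsername(),
                            "127.0.0.1", "passwd", false, null, null,
                            UserSessionModel.SessionPersistenceState.PERSISTENT);
                    AuthenticationManager.setClientScopesInSession(session, authSession);

                    accessToken = new TokenManager().createClientAccessToken(session, realm, client, user, userSession,
                            TokenManager.attachAuthenticationSession(session, userSession, authSession));
                } catch (RuntimeException e) {
                    // The identity is never returned on failure, so close() would not run:
                    // remove the persistent session ourselves before propagating.
                    if (userSession != null) {
                        session.sessions().removeUserSession(realm, userSession);
                    }
                    throw e;
                }
            }
        }

        if (accessToken == null) {
            ClientModel client = null;
            if (request.getClientId() != null) {
                client = realm.getClientById(request.getClientId());
            }
            if (client == null) {
                client = realm.getClientById(resourceServer.getClientId());
            }
            Objects.requireNonNull(client, "resource server client");

            accessToken = new AccessToken();
            accessToken.subject(userId);
            accessToken.issuedFor(client.getClientId());
            accessToken.audience(client.getId());
            accessToken.issuer(Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));
            accessToken.setRealmAccess(new AccessToken.Access());
        }

        List<String> roleIds = request.getRoleIds();
        if (roleIds != null && !roleIds.isEmpty()) {
            if (accessToken.getRealmAccess() == null) {
                accessToken.setRealmAccess(new AccessToken.Access());
            }
            AccessToken.Access realmAccess = accessToken.getRealmAccess();
            // Roles are taken verbatim from the (admin-authenticated) request; no existence check.
            roleIds.forEach(realmAccess::addRole);
        }

        return new CloseableKeycloakIdentity(accessToken, session, userSession);
    }
}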
