package org.keycloak.authorization.admin.representation;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Comparator;
import java.util.EnumMap;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.keycloak.authorization.AdminPermissionsSchema;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.Decision;
import org.keycloak.authorization.admin.PolicyEvaluationService;
import org.keycloak.authorization.common.KeycloakIdentity;
import org.keycloak.authorization.model.PermissionTicket;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.evaluation.Result;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.authorization.DecisionEffect;
import org.keycloak.representations.idm.authorization.PolicyEvaluationRequest;
import org.keycloak.representations.idm.authorization.PolicyEvaluationResponse;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;

/* loaded from: input_file:org/keycloak/authorization/admin/representation/PolicyEvaluationResponseBuilder.class */
/**
 * Builds the {@link PolicyEvaluationResponse} returned for a policy evaluation request from the
 * results gathered by a {@link PolicyEvaluationService.EvaluationDecisionCollector}.
 *
 * <p>NOTE(review): this listing is decompiler output (see the JADX marker on
 * {@code toRepresentation}). Raw collection types, redundant casts and reused local names are
 * artifacts of decompilation, not of the original source; treat them as such when reviewing.
 */
public class PolicyEvaluationResponseBuilder {
    /**
     * Assembles the evaluation response for one resource server.
     *
     * <p>When {@code AdminPermissionsSchema.SCHEMA.isAdminPermissionClient} reports true for the
     * realm and resource server id, the work is delegated to
     * {@code FGAPPolicyEvaluationResponseBuilder}. Otherwise the method:
     * <ol>
     *   <li>attaches the collected permissions to the identity's access token, makes sure the
     *       resource server's client id is in the audience, and returns that token as the RPT;</li>
     *   <li>sets the overall status to DENY if any single result is DENY, else PERMIT;</li>
     *   <li>converts every result into a representation (resource, scopes, policies);</li>
     *   <li>sorts the representations by resource name and groups them by resource id.</li>
     * </ol>
     *
     * <p>The {@link AccessToken} object returned by {@code keycloakIdentity.getAccessToken()} is
     * modified in place (authorization and audience), not copied.
     *
     * @param evaluationDecisionCollector source of the evaluated permissions and per-permission results
     * @param resourceServer resource server the evaluation ran against
     * @param authorizationProvider used to reach the realm, the session and the stores
     * @param keycloakIdentity identity whose access token becomes the RPT in the response
     * @param policyEvaluationRequest only forwarded to the FGAP builder; not read on the regular path
     * @return the populated evaluation response
     */
    public static PolicyEvaluationResponse build(PolicyEvaluationService.EvaluationDecisionCollector evaluationDecisionCollector, ResourceServer resourceServer, AuthorizationProvider authorizationProvider, KeycloakIdentity keycloakIdentity, PolicyEvaluationRequest policyEvaluationRequest) {
        // Admin-permission (FGAP) clients get their own response builder.
        if (AdminPermissionsSchema.SCHEMA.isAdminPermissionClient(authorizationProvider.getRealm(), resourceServer.getId())) {
            return FGAPPolicyEvaluationResponseBuilder.build(evaluationDecisionCollector, resourceServer, authorizationProvider, policyEvaluationRequest);
        }
        PolicyEvaluationResponse policyEvaluationResponse = new PolicyEvaluationResponse();
        // Holds one EvaluationResultRepresentation per evaluated result (raw type: decompiler artifact).
        ArrayList arrayList = new ArrayList();
        // The identity's own token object is mutated below and then exposed as the RPT.
        AccessToken accessToken = keycloakIdentity.getAccessToken();
        AccessToken.Authorization authorization = new AccessToken.Authorization();
        authorization.setPermissions(evaluationDecisionCollector.results());
        accessToken.setAuthorization(authorization);
        // NOTE(review): the looked-up client is dereferenced without a null check; this throws a
        // NullPointerException if the resource server's client cannot be resolved — confirm the
        // caller guarantees it exists.
        ClientModel clientById = authorizationProvider.getRealm().getClientById(resourceServer.getClientId());
        // Add the resource server's client id to the audience only if it is not already present.
        if (!accessToken.hasAudience(clientById.getClientId())) {
            accessToken.audience(new String[]{clientById.getClientId()});
        }
        policyEvaluationResponse.setRpt(accessToken);
        Collection<Result> results = evaluationDecisionCollector.getResults();
        // Overall status: a single DENY among the results makes the whole evaluation DENY.
        if (results.stream().anyMatch(result -> {
            return result.getEffect().equals(Decision.Effect.DENY);
        })) {
            policyEvaluationResponse.setStatus(DecisionEffect.DENY);
        } else {
            policyEvaluationResponse.setStatus(DecisionEffect.PERMIT);
        }
        for (Result result2 : results) {
            PolicyEvaluationResponse.EvaluationResultRepresentation evaluationResultRepresentation = new PolicyEvaluationResponse.EvaluationResultRepresentation();
            // Any effect other than DENY is reported as PERMIT.
            if (result2.getEffect() == Decision.Effect.DENY) {
                evaluationResultRepresentation.setStatus(DecisionEffect.DENY);
            } else {
                evaluationResultRepresentation.setStatus(DecisionEffect.PERMIT);
            }
            arrayList.add(evaluationResultRepresentation);
            if (result2.getPermission().getResource() != null) {
                ResourceRepresentation resourceRepresentation = new ResourceRepresentation();
                resourceRepresentation.setId(result2.getPermission().getResource().getId());
                resourceRepresentation.setName(result2.getPermission().getResource().getName());
                evaluationResultRepresentation.setResource(resourceRepresentation);
            } else {
                // Scope-only permission: a synthetic name is used and no id is set on the representation.
                ResourceRepresentation resourceRepresentation2 = new ResourceRepresentation();
                resourceRepresentation2.setName("Any Resource with Scopes " + String.valueOf(result2.getPermission().getScopes().stream().map((v0) -> {
                    return v0.getName();
                }).collect(Collectors.toList())));
                evaluationResultRepresentation.setResource(resourceRepresentation2);
            }
            // Copy id and name of each requested scope into the representation.
            evaluationResultRepresentation.setScopes((List) result2.getPermission().getScopes().stream().map(scope -> {
                ScopeRepresentation scopeRepresentation = new ScopeRepresentation();
                scopeRepresentation.setId(scope.getId());
                scopeRepresentation.setName(scope.getName());
                return scopeRepresentation;
            }).collect(Collectors.toList()));
            HashSet hashSet = new HashSet();
            for (Result.PolicyResult policyResult : result2.getResults()) {
                PolicyEvaluationResponse.PolicyResultRepresentation representation = toRepresentation(policyResult, authorizationProvider);
                if ("resource".equals(policyResult.getPolicy().getType())) {
                    // For "resource"-type policies the reported scopes are replaced by the scopes of
                    // the permission's resource.
                    // NOTE(review): getResource() is dereferenced here without the null check applied
                    // earlier in this loop; a "resource"-type policy result on a scope-only permission
                    // would throw a NullPointerException — confirm that combination cannot occur.
                    representation.getPolicy().setScopes((Set) result2.getPermission().getResource().getScopes().stream().map((v0) -> {
                        return v0.getName();
                    }).collect(Collectors.toSet()));
                }
                hashSet.add(representation);
            }
            evaluationResultRepresentation.setPolicies(hashSet);
        }
        // Order by resource name before grouping.
        // NOTE(review): Comparator.comparing rejects null keys; a resource whose name is null would
        // make this sort throw — names are not checked above.
        arrayList.sort(Comparator.comparing(evaluationResultRepresentation2 -> {
            return evaluationResultRepresentation2.getResource().getName();
        }));
        // Groups the representations by resource id. Scope-only entries never had an id set, so
        // they presumably all share the null key (HashMap permits one) — verify.
        HashMap hashMap = new HashMap();
        // NOTE(review): inside this lambda the decompiler has collapsed two distinct variables — the
        // lambda parameter (the entry being visited) and the entry already stored in the map — into
        // the single name evaluationResultRepresentation3. As shown it does not compile, and the
        // listing alone does not say which of the two each use refers to. Presumably the local is
        // the grouped entry and the parameter is the current one; check the status condition, the
        // name assignment and the addAll call against the original source before relying on them.
        // This merge decides which status is reported per resource: the only status it ever writes
        // is PERMIT, so a grouped entry may read PERMIT while the overall status set above is DENY.
        arrayList.forEach(evaluationResultRepresentation3 -> {
            PolicyEvaluationResponse.EvaluationResultRepresentation evaluationResultRepresentation3 = (PolicyEvaluationResponse.EvaluationResultRepresentation) hashMap.get(evaluationResultRepresentation3.getResource().getId());
            ResourceRepresentation resource = evaluationResultRepresentation3.getResource();
            // First entry seen for this resource id becomes the grouped entry.
            if (evaluationResultRepresentation3 == null) {
                hashMap.put(resource.getId(), evaluationResultRepresentation3);
                evaluationResultRepresentation3 = evaluationResultRepresentation3;
            }
            if (evaluationResultRepresentation3.getStatus().equals(DecisionEffect.PERMIT) || (evaluationResultRepresentation3.getStatus().equals(DecisionEffect.PERMIT) && evaluationResultRepresentation3.getStatus().equals(DecisionEffect.DENY))) {
                evaluationResultRepresentation3.setStatus(DecisionEffect.PERMIT);
            }
            List scopes = evaluationResultRepresentation3.getScopes();
            // Allowed scopes are populated only for a PERMIT entry, as a copy of its scopes.
            if (DecisionEffect.PERMIT.equals(evaluationResultRepresentation3.getStatus())) {
                evaluationResultRepresentation3.setAllowedScopes(new HashSet(scopes));
            }
            // Display name: synthetic for id-less resources, otherwise the resource name with the
            // scope names appended when there are any.
            if (resource.getId() == null) {
                evaluationResultRepresentation3.getResource().setName("Any Resource with Scopes " + String.valueOf(scopes.stream().flatMap(scopeRepresentation -> {
                    return Stream.of(scopeRepresentation.getName());
                }).toList()));
            } else if (scopes.isEmpty()) {
                evaluationResultRepresentation3.getResource().setName(evaluationResultRepresentation3.getResource().getName());
            } else {
                evaluationResultRepresentation3.getResource().setName(evaluationResultRepresentation3.getResource().getName() + " with scopes " + String.valueOf(scopes.stream().flatMap(scopeRepresentation2 -> {
                    return Stream.of(scopeRepresentation2.getName());
                }).toList()));
            }
            // Presumably merges the current entry's policies into the grouped entry — see the note above.
            evaluationResultRepresentation3.getPolicies().addAll(evaluationResultRepresentation3.getPolicies());
        });
        policyEvaluationResponse.setResults(new ArrayList(hashMap.values()));
        return policyEvaluationResponse;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Converts one policy result into its representation, recursing into associated policies.
     *
     * <p>Id, name, type, decision strategy, description, resource names and scope names are copied
     * from the policy. For policies of type {@code "uma"} the description is rewritten: if no
     * permission ticket is found for the policy id, "User-Managed Policy" is appended (or set when
     * the description is null); otherwise the description names the ticket's owner and requester
     * by e-mail or username, falling back to the owner's client id when the owner is not a user.
     *
     * <p>NOTE(review): the rewritten description carries user e-mail addresses or usernames into
     * the evaluation response — confirm every caller allowed to read this response is also
     * allowed to see those identifiers.
     *
     * <p>NOTE(review): the recursion over associated policies has no depth or cycle guard visible
     * here — presumably the policy graph is acyclic; verify.
     *
     * @param policyResult evaluated policy and its effect
     * @param authorizationProvider used to reach the permission ticket store, session and realm
     * @return representation carrying the policy, its status and its associated policies
     */
    public static PolicyEvaluationResponse.PolicyResultRepresentation toRepresentation(Result.PolicyResult policyResult, AuthorizationProvider authorizationProvider) {
        PolicyEvaluationResponse.PolicyResultRepresentation policyResultRepresentation = new PolicyEvaluationResponse.PolicyResultRepresentation();
        PolicyRepresentation policyRepresentation = new PolicyRepresentation();
        Policy policy = policyResult.getPolicy();
        ResourceServer resourceServer = policy.getResourceServer();
        policyRepresentation.setId(policy.getId());
        policyRepresentation.setName(policy.getName());
        policyRepresentation.setType(policy.getType());
        policyRepresentation.setDecisionStrategy(policy.getDecisionStrategy());
        policyRepresentation.setDescription(policy.getDescription());
        if ("uma".equals(policyRepresentation.getType())) {
            // Filter permission tickets by this policy's id. The casts on the put call are
            // decompiler artifacts.
            EnumMap enumMap = new EnumMap(PermissionTicket.FilterOption.class);
            enumMap.put((EnumMap) PermissionTicket.FilterOption.POLICY_ID, (PermissionTicket.FilterOption) policy.getId());
            // Presumably (-1, 1) are first-result / max-results arguments — confirm against the store API.
            List find = authorizationProvider.getStoreFactory().getPermissionTicketStore().find(resourceServer, enumMap, -1, 1);
            if (find.isEmpty()) {
                String description = policyRepresentation.getDescription();
                if (description != null) {
                    policyRepresentation.setDescription(description + " (User-Managed Policy)");
                } else {
                    policyRepresentation.setDescription("User-Managed Policy");
                }
            } else {
                KeycloakSession keycloakSession = authorizationProvider.getKeycloakSession();
                RealmModel realm = authorizationProvider.getRealm();
                // Only the first ticket found is used to describe the grant.
                PermissionTicket permissionTicket = (PermissionTicket) find.get(0);
                UserModel userById = keycloakSession.users().getUserById(realm, permissionTicket.getOwner());
                // NOTE(review): two lookups below are dereferenced without a null check — the client
                // resolved from the owner id when the owner is not a user, and the requester user.
                // If either no longer exists this throws a NullPointerException; confirm the ticket
                // store cannot hold tickets for removed owners or requesters.
                policyRepresentation.setDescription("Resource owner (" + (userById != null ? getUserEmailOrUserName(userById) : realm.getClientById(permissionTicket.getOwner()).getClientId()) + ") grants access to " + getUserEmailOrUserName(keycloakSession.users().getUserById(realm, permissionTicket.getRequester())));
            }
        }
        // Resources and scopes are reported by name only.
        policyRepresentation.setResources((Set) policy.getResources().stream().map(resource -> {
            return resource.getName();
        }).collect(Collectors.toSet()));
        policyRepresentation.setScopes((Set) policy.getScopes().stream().map(scope -> {
            return scope.getName();
        }).collect(Collectors.toSet()));
        policyResultRepresentation.setPolicy(policyRepresentation);
        // A DENY result additionally reports the policy's scope names on the result itself;
        // any other effect is reported as PERMIT without scopes.
        if (policyResult.getEffect() == Decision.Effect.DENY) {
            policyResultRepresentation.setStatus(DecisionEffect.DENY);
            policyResultRepresentation.setScopes(policyRepresentation.getScopes());
        } else {
            policyResultRepresentation.setStatus(DecisionEffect.PERMIT);
        }
        policyResultRepresentation.setAssociatedPolicies((List) policyResult.getAssociatedPolicies().stream().map(policyResult2 -> {
            return toRepresentation(policyResult2, authorizationProvider);
        }).collect(Collectors.toList()));
        return policyResultRepresentation;
    }

    /**
     * Returns the user's e-mail when it is non-null, otherwise the username.
     *
     * <p>Only null is checked: an empty e-mail string is returned as is.
     *
     * @param userModel user to describe; must not be null (it is dereferenced directly)
     * @return e-mail or username of the user
     */
    private static String getUserEmailOrUserName(UserModel userModel) {
        return userModel.getEmail() != null ? userModel.getEmail() : userModel.getUsername();
    }
}
