package org.keycloak.services.resources.admin.permissions;

import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.keycloak.authorization.AdminPermissionsSchema;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.ResourceWrapper;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.EvaluationContext;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.services.resources.KeycloakOpenAPI;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/keycloak/services/resources/admin/permissions/GroupPermissionsV2.class */
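/**
 * Group permission checks for the "V2" admin-permissions model.
 *
 * <p>Evaluator methods (declared by {@code GroupPermissionEvaluator}) all follow the same
 * order: an admin-role check on {@code root} short-circuits to "allowed"; otherwise the
 * decision is delegated to policy evaluation through {@code hasPermission}. The management
 * methods declared by {@code GroupPermissionManagement} are rejected with
 * {@link UnsupportedOperationException}.
 *
 * <p>Notes on this decompiled listing:
 * <ul>
 *   <li>The decompiler widened the class and its constructor from package-private to
 *       public; the original visibility was narrower than what is shown here.</li>
 *   <li>NOTE(review): the resource type is spelled {@code KeycloakOpenAPI.Admin.Tags.GROUPS}.
 *       This is presumably an inlined string constant that the decompiler resolved to an
 *       unrelated constant with the same value. Confirm against the original source; an
 *       authorization resource type should not depend on an API-documentation tag.</li>
 *   <li>The scope names {@code "view-members"}, {@code "manage-members"} and
 *       {@code "manage-membership"} appear as literals, likely for the same reason.</li>
 * </ul>
 */
public class GroupPermissionsV2 extends GroupPermissions {
    private final KeycloakSession session;

    /**
     * Creates the evaluator.
     *
     * @param keycloakSession session handed to the permissions schema when resolving the
     *     resource-type resource
     * @param authorizationProvider passed through to {@link GroupPermissions}
     * @param mgmtPermissions passed through to {@link GroupPermissions}
     */
    public GroupPermissionsV2(KeycloakSession keycloakSession, AuthorizationProvider authorizationProvider, MgmtPermissions mgmtPermissions) {
        super(authorizationProvider, mgmtPermissions);
        this.session = keycloakSession;
    }

    /**
     * Checks view access to groups in general (no specific group).
     *
     * @return {@code true} for holders of {@code MANAGE_USERS} or {@code VIEW_USERS}, otherwise
     *     the result of evaluating the view scope on the resource-type resource
     */
    @Override
    public boolean canView() {
        if (this.root.hasOneAdminRole(AdminRoles.MANAGE_USERS, AdminRoles.VIEW_USERS)) {
            return true;
        }
        return hasPermission((String) null, AdminPermissionManagement.VIEW_SCOPE);
    }

    /**
     * Checks view access to one group.
     *
     * @param groupModel the group; its id is used as the resource name
     * @return {@code true} for holders of {@code MANAGE_USERS} or {@code VIEW_USERS}, otherwise
     *     the result of evaluating the view scope for that group
     */
    @Override
    public boolean canView(GroupModel groupModel) {
        if (this.root.hasOneAdminRole(AdminRoles.MANAGE_USERS, AdminRoles.VIEW_USERS)) {
            return true;
        }
        return hasPermission(groupModel.getId(), AdminPermissionManagement.VIEW_SCOPE);
    }

    /**
     * Checks manage access to groups in general (no specific group).
     *
     * @return {@code true} for holders of {@code MANAGE_USERS}, otherwise the result of
     *     evaluating the manage scope on the resource-type resource
     */
    @Override
    public boolean canManage() {
        if (this.root.hasOneAdminRole(AdminRoles.MANAGE_USERS)) {
            return true;
        }
        return hasPermission((String) null, AdminPermissionManagement.MANAGE_SCOPE);
    }

    /**
     * Checks manage access to one group.
     *
     * @param groupModel the group; its id is used as the resource name
     * @return {@code true} for holders of {@code MANAGE_USERS}, otherwise the result of
     *     evaluating the manage scope for that group
     */
    @Override
    public boolean canManage(GroupModel groupModel) {
        if (this.root.hasOneAdminRole(AdminRoles.MANAGE_USERS)) {
            return true;
        }
        return hasPermission(groupModel.getId(), AdminPermissionManagement.MANAGE_SCOPE);
    }

    /**
     * Checks whether the members of a group may be viewed.
     *
     * @param groupModel the group; its id is used as the resource name
     * @return {@code true} for holders of {@code VIEW_USERS} or {@code MANAGE_USERS}, otherwise
     *     the result of evaluating the {@code view-members} scope for that group
     */
    @Override
    public boolean canViewMembers(GroupModel groupModel) {
        if (this.root.hasOneAdminRole(AdminRoles.VIEW_USERS, AdminRoles.MANAGE_USERS)) {
            return true;
        }
        return hasPermission(groupModel.getId(), "view-members");
    }

    /**
     * Checks whether the members of a group may be managed.
     *
     * @param groupModel the group; its id is used as the resource name
     * @return {@code true} for holders of {@code MANAGE_USERS}, otherwise the result of
     *     evaluating the {@code manage-members} scope for that group
     */
    @Override
    public boolean canManageMembers(GroupModel groupModel) {
        if (this.root.hasOneAdminRole(AdminRoles.MANAGE_USERS)) {
            return true;
        }
        return hasPermission(groupModel.getId(), "manage-members");
    }

    /**
     * Checks whether membership of a group may be changed.
     *
     * @param groupModel the group; its id is used as the resource name
     * @return {@code true} for holders of {@code MANAGE_USERS}, otherwise the result of
     *     evaluating the {@code manage-membership} scope for that group
     */
    @Override
    public boolean canManageMembership(GroupModel groupModel) {
        if (this.root.hasOneAdminRole(AdminRoles.MANAGE_USERS)) {
            return true;
        }
        return hasPermission(groupModel.getId(), "manage-membership");
    }

    /**
     * Collects the names of group resources on which the caller is granted
     * {@code view-members} or {@code manage-members}.
     *
     * <p>The empty set is returned in three different situations: the caller holds
     * {@code VIEW_USERS} or {@code MANAGE_USERS}, the caller is not an admin of the same realm,
     * or the realm has no resource server. An empty result therefore does not by itself
     * mean "no access"; callers must not use emptiness as an access decision.
     *
     * @return names of the resources that passed evaluation, possibly empty
     */
    @Override
    public Set<String> getGroupIdsWithViewPermission() {
        if (this.root.hasOneAdminRole(AdminRoles.VIEW_USERS, AdminRoles.MANAGE_USERS) || !this.root.isAdminSameRealm()) {
            return Collections.emptySet();
        }
        ResourceServer realmResourceServer = this.root.realmResourceServer();
        if (realmResourceServer == null) {
            return Collections.emptySet();
        }
        Set<String> granted = new HashSet<>();
        for (Policy policy : this.policyStore.findByResourceType(realmResourceServer, KeycloakOpenAPI.Admin.Tags.GROUPS)) {
            for (Resource resource : policy.getResources()) {
                // NOTE(review): the resource name is assumed to be a group id. A policy
                // attached to a non-group resource of this type would contribute that
                // resource's name instead; confirm callers tolerate such entries.
                String name = resource.getName();
                if (hasPermission(name, "view-members", "manage-members")) {
                    granted.add(name);
                }
            }
        }
        return granted;
    }

    /** Evaluates {@code scopes} for {@code groupId} without an explicit evaluation context. */
    private boolean hasPermission(String groupId, String... scopes) {
        return hasPermission(groupId, (EvaluationContext) null, scopes);
    }

    /**
     * Evaluates the policies of the realm resource server and reports whether any of the
     * requested scopes was granted on the target resource.
     *
     * <p>Every path that cannot reach a positive decision returns {@code false}: a caller
     * from another realm, a missing resource server, or a missing resource-type resource.
     *
     * @param groupId resource name to look up, or {@code null} to evaluate against the
     *     resource-type resource itself
     * @param context evaluation context to pass on, or {@code null} to use the overload
     *     without one
     * @param scopes scope names, any one of which is sufficient
     * @return {@code true} only if an evaluated permission for the target resource carries
     *     one of {@code scopes}
     */
    private boolean hasPermission(String groupId, EvaluationContext context, String... scopes) {
        if (!this.root.isAdminSameRealm()) {
            return false;
        }
        ResourceServer server = this.root.realmResourceServer();
        if (server == null) {
            return false;
        }
        Resource typeResource = AdminPermissionsSchema.SCHEMA.getResourceTypeResource(this.session, server, KeycloakOpenAPI.Admin.Tags.GROUPS);
        Resource target = groupId == null ? typeResource : this.resourceStore.findByName(server, groupId);
        if (target == null) {
            if (groupId == null || typeResource == null) {
                // Without the resource-type resource there is nothing to evaluate against.
                // Deny instead of failing with a NullPointerException inside an access check.
                return false;
            }
            // No stored resource for this name: evaluate against a transient stand-in that
            // carries the scopes of the resource-type resource (presumably so that policies
            // defined for the whole type still apply; verify against ResourceWrapper).
            target = new ResourceWrapper(groupId, groupId, new HashSet<>(typeResource.getScopes()), server);
        }
        ResourcePermission request = new ResourcePermission(KeycloakOpenAPI.Admin.Tags.GROUPS, target, target.getScopes(), server);
        Collection<Permission> evaluated = context == null
                ? this.root.evaluatePermission(request, server)
                : this.root.evaluatePermission(request, server, context);
        List<String> wanted = List.of(scopes);
        for (Permission permission : evaluated) {
            // Only permissions issued for the exact target resource count as a grant.
            if (!permission.getResourceId().equals(target.getId())) {
                continue;
            }
            for (String scope : permission.getScopes()) {
                if (wanted.contains(scope)) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Not available in V2; always throws {@link UnsupportedOperationException}. */
    @Override
    public boolean isPermissionsEnabled(GroupModel groupModel) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /** Not available in V2; always throws {@link UnsupportedOperationException}. */
    @Override
    public void setPermissionsEnabled(GroupModel groupModel, boolean z) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /** Not available in V2; always throws {@link UnsupportedOperationException}. */
    @Override
    public Policy viewMembersPermission(GroupModel groupModel) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /** Not available in V2; always throws {@link UnsupportedOperationException}. */
    @Override
    public Policy manageMembersPermission(GroupModel groupModel) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /** Not available in V2; always throws {@link UnsupportedOperationException}. */
    @Override
    public Policy manageMembershipPermission(GroupModel groupModel) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /** Not available in V2; always throws {@link UnsupportedOperationException}. */
    @Override
    public Policy viewPermission(GroupModel groupModel) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /** Not available in V2; always throws {@link UnsupportedOperationException}. */
    @Override
    public Policy managePermission(GroupModel groupModel) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /** Not available in V2; always throws {@link UnsupportedOperationException}. */
    @Override
    public Resource resource(GroupModel groupModel) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /** Not available in V2; always throws {@link UnsupportedOperationException}. */
    @Override
    public Map<String, String> getPermissions(GroupModel groupModel) {
        throw new UnsupportedOperationException("Not supported in V2");
    }
}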
