package org.keycloak.models.jpa;

import jakarta.persistence.EntityManager;
import jakarta.persistence.criteria.CriteriaBuilder;
import jakarta.persistence.criteria.CriteriaQuery;
import jakarta.persistence.criteria.Path;
import jakarta.persistence.criteria.Predicate;
import jakarta.persistence.criteria.Root;
import jakarta.persistence.criteria.Subquery;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import org.keycloak.authorization.AdminPermissionsSchema;
import org.keycloak.authorization.jpa.entities.ResourceEntity;
import org.keycloak.authorization.policy.provider.PartialEvaluationContext;
import org.keycloak.authorization.policy.provider.PartialEvaluationStorageProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.jpa.entities.UserGroupMembershipEntity;

/* loaded from: input_file:org/keycloak/models/jpa/JpaUserPartialEvaluationProvider.class */
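/**
 * Contributes group-membership predicates to JPA criteria queries over users.
 *
 * <p>The predicates are derived from the allowed/denied groups and resources carried by a
 * {@link PartialEvaluationContext}. {@link #getFilters} yields predicates that must hold,
 * {@link #getNegateFilters} yields predicates that exclude rows. Both return an empty list
 * when this provider has nothing to add; an empty list is therefore "no group restriction
 * from here", not "deny". How the caller combines the lists is not visible in this file.
 *
 * <p>Review notes: the helper methods were emitted by the decompiler as
 * {@code private default}, which is not a legal modifier combination; they are plain
 * {@code private} interface methods here. Raw collection and criteria types have been
 * given type arguments. The decision logic is unchanged.
 */
public interface JpaUserPartialEvaluationProvider extends PartialEvaluationStorageProvider {
    /** Returns the session used to read the realm and the legacy group attribute. */
    KeycloakSession getSession();

    /** Returns the entity manager whose {@link CriteriaBuilder} builds the subqueries. */
    EntityManager getEntityManager();

    /**
     * Builds the predicates a user row must satisfy.
     *
     * <p>When admin permissions are enabled for the session's realm, the result comes from the
     * allowed-group evaluation. Otherwise the legacy session attribute
     * {@code keycloak.session.realm.users.query.groups} is consulted and, if present, turned
     * into a group-membership predicate.
     *
     * @param partialEvaluationContext evaluation state and the query being built
     * @return an immutable list with zero or one predicate
     */
    default List<Predicate> getFilters(PartialEvaluationContext partialEvaluationContext) {
        KeycloakSession session = getSession();
        if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(session.getContext().getRealm())) {
            Predicate allowed = getAllowedGroupFilters(partialEvaluationContext);
            return allowed == null ? List.of() : List.of(allowed);
        }
        // The attribute is set elsewhere; the element type is assumed to be String, as the
        // original cast assumed. A null attribute means no restriction is added here.
        @SuppressWarnings("unchecked")
        Set<String> groupIds = (Set<String>) session.getAttribute("keycloak.session.realm.users.query.groups");
        return groupIds != null
                ? List.of(getFilterByGroupMembership(session, partialEvaluationContext, groupIds))
                : List.of();
    }

    /**
     * Builds the predicates that exclude user rows because of denied groups.
     *
     * @param partialEvaluationContext evaluation state and the query being built
     * @return an immutable list with zero or one predicate
     */
    default List<Predicate> getNegateFilters(PartialEvaluationContext partialEvaluationContext) {
        Predicate denied = getDeniedGroupsFilters(partialEvaluationContext);
        return denied == null ? List.of() : List.of(denied);
    }

    /**
     * Returns an EXISTS predicate limiting users to members of allowed groups, or {@code null}
     * when no such limit applies.
     *
     * <p>No predicate is produced when there are no allowed groups, when {@code "Users"} is
     * among the denied resources, or when the resource type as a whole is allowed. If the
     * allowed set contains {@code "Groups"}, membership in any group is sufficient; otherwise
     * the membership row's {@code groupId} must be in the allowed set.
     */
    private Predicate getAllowedGroupFilters(PartialEvaluationContext context) {
        Set<?> allowedGroups = context.getAllowedGroups();
        if (allowedGroups.isEmpty()
                || context.deniedResources().contains("Users")
                || context.isResourceTypeAllowed()) {
            return null;
        }
        CriteriaBuilder cb = getEntityManager().getCriteriaBuilder();
        if (allowedGroups.contains("Groups")) {
            return cb.exists(createUserMembershipSubquery(context));
        }
        return cb.exists(createUserMembershipSubquery(context, root -> root.get("groupId").in(allowedGroups)));
    }

    /**
     * Returns a predicate excluding users because of denied groups, or {@code null} when
     * nothing is to be excluded.
     *
     * <p>This is access-control logic: each branch decides which user rows remain visible.
     * The branches are the original nested conditional written out one case at a time.
     * Note that this method takes its {@link CriteriaBuilder} from the context, while the
     * subquery helper takes it from the entity manager.
     */
    private Predicate getDeniedGroupsFilters(PartialEvaluationContext context) {
        CriteriaBuilder cb = context.getCriteriaBuilder();
        Set<?> allowedGroups = context.getAllowedGroups();
        Set<?> deniedGroups = context.getDeniedGroups();

        if (deniedGroups.contains("Groups")) {
            // Built before the case analysis, as in the original, so the subquery is
            // registered on the query even in the branch that does not use it.
            Predicate notInAnyGroup = cb.not(cb.exists(createUserMembershipSubquery(context)));

            if (!context.isResourceTypeAllowed()) {
                // Exclude members of the individually denied groups.
                return cb.not(cb.exists(createUserMembershipSubquery(context,
                        root -> root.get("groupId").in(context.getDeniedGroupIds()))));
            }
            if (!allowedGroups.isEmpty()) {
                // Keep users in no group, or in at least one allowed group.
                return cb.and(cb.or(notInAnyGroup, cb.exists(createUserMembershipSubquery(context,
                        root -> root.get("groupId").in(allowedGroups)))));
            }
            if (!context.getDeniedGroupIds().isEmpty()) {
                // Only users without any group membership remain.
                return notInAnyGroup;
            }
            // Keep users in no group, or whose id is among the allowed resource ids.
            return cb.and(cb.or(notInAnyGroup,
                    context.getPath().get("id").in(context.getAllowedResourceIds())));
        }

        boolean nothingAllowed = context.getAllowedResources().isEmpty()
                && (allowedGroups.isEmpty() || context.deniedResources().contains("Users"));
        if (nothingAllowed || deniedGroups.isEmpty()) {
            return null;
        }
        return cb.not(cb.exists(createUserMembershipSubquery(context,
                root -> root.get("groupId").in(deniedGroups))));
    }

    /** Builds the membership subquery with no extra condition: "user is in some group". */
    private Subquery<?> createUserMembershipSubquery(PartialEvaluationContext context) {
        return createUserMembershipSubquery(context, null);
    }

    /**
     * Builds {@code SELECT 1 FROM UserGroupMembershipEntity m WHERE [extra AND] m.user.id = <outer id>}.
     *
     * @param context supplies the outer query and the outer path whose {@code id} is correlated
     * @param function optional extra condition on the membership root; {@code null} for none
     * @return the correlated subquery, intended for use inside {@code EXISTS}
     */
    private Subquery<?> createUserMembershipSubquery(PartialEvaluationContext context, Function<Root<?>, Predicate> function) {
        CriteriaBuilder cb = getEntityManager().getCriteriaBuilder();
        Subquery<Integer> membership = context.criteriaQuery().subquery(Integer.class);
        Root<?> member = membership.from(UserGroupMembershipEntity.class);
        membership.select(cb.literal(1));
        Path<?> outer = context.getPath();

        List<Predicate> conditions = new ArrayList<>();
        if (function != null) {
            conditions.add(function.apply(member));
        }
        // Correlate the membership row with the row of the outer query.
        conditions.add(cb.equal(member.get("user").get("id"), outer.get("id")));
        membership.where(conditions.toArray(Predicate[]::new));
        return membership;
    }

    /**
     * Legacy filter: the user is a member of one of {@code set} and a {@link ResourceEntity}
     * exists whose name matches that group.
     *
     * <p>Within this file the method is reached only from {@link #getFilters} when admin
     * permissions are disabled, so the enabled branch below is not taken on that path.
     *
     * <p>NOTE(review): the group id is the right-hand side of {@code LIKE}, so it is
     * interpreted as a pattern. Group ids are presumably generated values without {@code %}
     * or {@code _}; confirm, since an equality comparison would not have that dependency.
     * The resource subquery constrains only {@code name}; any further scoping is not visible
     * here.
     */
    @Deprecated
    private Predicate getFilterByGroupMembership(KeycloakSession keycloakSession, PartialEvaluationContext partialEvaluationContext, Set<String> set) {
        CriteriaBuilder cb = getEntityManager().getCriteriaBuilder();
        CriteriaQuery<?> query = partialEvaluationContext.criteriaQuery();

        Subquery<Integer> membership = query.subquery(Integer.class);
        Root<UserGroupMembershipEntity> member = membership.from(UserGroupMembershipEntity.class);
        membership.select(cb.literal(1));
        List<Predicate> membershipConditions = new ArrayList<>();
        membershipConditions.add(member.get("groupId").in(set));
        membershipConditions.add(cb.equal(member.get("user").get("id"), partialEvaluationContext.getPath().get("id")));

        Subquery<Integer> resourceLookup = query.subquery(Integer.class);
        resourceLookup.select(cb.literal(1));
        Root<ResourceEntity> resource = resourceLookup.from(ResourceEntity.class);
        List<Predicate> resourceConditions = new ArrayList<>();
        Path<String> groupId = member.get("groupId");
        if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(keycloakSession.getContext().getRealm())) {
            resourceConditions.add(cb.like(resource.get("name"), groupId));
        } else {
            resourceConditions.add(cb.like(resource.get("name"), cb.concat("group.resource.", groupId)));
        }
        resourceLookup.where(resourceConditions.toArray(Predicate[]::new));

        membershipConditions.add(cb.exists(resourceLookup));
        membership.where(membershipConditions.toArray(Predicate[]::new));
        return cb.exists(membership);
    }
}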
