package org.keycloak.services.resources.admin.permissions;

import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.keycloak.authorization.AdminPermissionsSchema;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.ResourceWrapper;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.EvaluationContext;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleContainerModel;
import org.keycloak.models.RoleModel;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.services.resources.KeycloakOpenAPI;

/* loaded from: input_file:org/keycloak/services/resources/admin/permissions/RolePermissionsV2.class */
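/**
 * Role permission checks for the "V2" admin permission model (per the class name and the
 * {@code "Not supported in V2"} errors below).
 *
 * <p>Decisions are made by evaluating {@link ResourcePermission} requests against the realm's
 * resource server and matching the granted scopes. The per-role permission management API
 * inherited from {@link RolePermissions} is rejected with {@link UnsupportedOperationException}.
 *
 * <p>This listing is decompiler output. Untyped collections and a mistyped local
 * ({@code ClientModel container = roleModel.getContainer()}) have been replaced with typed
 * equivalents; the order of the authorization checks is unchanged.
 */
public class RolePermissionsV2 extends RolePermissions {
    /**
     * Resource type used for role resources and their policies.
     *
     * <p>NOTE(review): the decompiled code references an OpenAPI tag constant here. That looks
     * like the decompiler resolving an inlined string to an unrelated constant with the same
     * value; confirm the intended schema constant against the original sources.
     */
    private static final String ROLES_RESOURCE_TYPE = KeycloakOpenAPI.Admin.Tags.ROLES;

    /** Message of the exception thrown by every management operation this class rejects. */
    private static final String NOT_SUPPORTED = "Not supported in V2";

    /**
     * Creates the evaluator; all arguments are passed straight to {@link RolePermissions}.
     *
     * <p>NOTE(review): the decompiler reported that it changed this constructor's access from
     * package-private to public. It is left public here so the listing's interface is unchanged;
     * confirm the intended visibility against the original sources.
     */
    public RolePermissionsV2(KeycloakSession keycloakSession, RealmModel realmModel, AuthorizationProvider authorizationProvider, MgmtPermissions mgmtPermissions) {
        super(keycloakSession, realmModel, authorizationProvider, mgmtPermissions);
    }

    /**
     * Decides whether the current admin may add the role to a client's scope mappings.
     *
     * <p>Checks, in order: the default client-management right, a client-level grant when the
     * role belongs to a client, then an evaluated permission carrying
     * {@code MAP_ROLE_CLIENT_SCOPE_SCOPE}. Unlike {@link #canMapRole} and
     * {@link #canMapComposite}, no branch here calls {@code checkAdminRoles}.
     *
     * @param roleModel the role to be mapped
     * @return {@code true} if any of the checks grants access
     */
    @Override
    public boolean canMapClientScope(RoleModel roleModel) {
        if (this.root.clients().canManageClientsDefault()) {
            return true;
        }
        RoleContainerModel container = roleModel.getContainer();
        if (container instanceof ClientModel && this.root.clients().canMapClientScopeRoles((ClientModel) container)) {
            return true;
        }
        return hasPermission(roleModel, RolePermissionManagement.MAP_ROLE_CLIENT_SCOPE_SCOPE);
    }

    /**
     * Decides whether the current admin may add the role as a composite of another role.
     *
     * <p>An admin who passes {@code canManageDefault} is still subject to
     * {@code checkAdminRoles}, and so is an admin who only holds the evaluated
     * {@code MAP_ROLE_COMPOSITE_SCOPE} permission.
     *
     * @param roleModel the role to be added as a composite
     * @return {@code true} if mapping is allowed
     */
    @Override
    public boolean canMapComposite(RoleModel roleModel) {
        if (canManageDefault(roleModel)) {
            return checkAdminRoles(roleModel);
        }
        RoleContainerModel container = roleModel.getContainer();
        // NOTE(review): this branch grants access without calling checkAdminRoles. Confirm that
        // canMapCompositeRoles applies an equivalent guard for roles of privileged clients.
        if (container instanceof ClientModel && this.root.clients().canMapCompositeRoles((ClientModel) container)) {
            return true;
        }
        return hasPermission(roleModel, RolePermissionManagement.MAP_ROLE_COMPOSITE_SCOPE) && checkAdminRoles(roleModel);
    }

    /**
     * Decides whether the current admin may assign the role to a user or group.
     *
     * <p>Holding {@code MANAGE_USERS} is not sufficient on its own: the result is whatever
     * {@code checkAdminRoles} returns for the role. The same applies to an admin who only holds
     * the evaluated {@code MAP_ROLE_SCOPE} permission.
     *
     * @param roleModel the role to be assigned
     * @return {@code true} if mapping is allowed
     */
    @Override
    public boolean canMapRole(RoleModel roleModel) {
        if (this.root.hasOneAdminRole(AdminRoles.MANAGE_USERS)) {
            return checkAdminRoles(roleModel);
        }
        RoleContainerModel container = roleModel.getContainer();
        // NOTE(review): this branch grants access without calling checkAdminRoles. Confirm that
        // canMapRoles applies an equivalent guard for roles of privileged clients.
        if (container instanceof ClientModel && this.root.clients().canMapRoles((ClientModel) container)) {
            return true;
        }
        return hasPermission(roleModel, RolePermissionManagement.MAP_ROLE_SCOPE) && checkAdminRoles(roleModel);
    }

    /**
     * Collects the names of role resources on which the current admin is granted a scope.
     *
     * <p>Only resources attached to policies of the roles resource type are considered, and each
     * one is evaluated separately. The returned values are resource names;
     * {@code hasPermission} looks resources up by role id, so they are expected to be role ids.
     *
     * @param str the scope name to look for
     * @return a mutable set of matching resource names, or an empty set when
     *     {@code root.isAdminSameRealm()} is false or the realm has no resource server
     */
    @Override
    public Set<String> getRoleIdsByScope(String str) {
        if (!this.root.isAdminSameRealm()) {
            return Collections.emptySet();
        }
        ResourceServer server = this.root.realmResourceServer();
        if (server == null) {
            return Collections.emptySet();
        }
        Set<String> granted = new HashSet<>();
        this.policyStore.findByResourceType(server, ROLES_RESOURCE_TYPE).stream()
                .flatMap(policy -> policy.getResources().stream())
                .forEach(resource -> {
                    if (hasGrantedPermission(server, resource, str)) {
                        granted.add(resource.getName());
                    }
                });
        return granted;
    }

    /** Evaluates {@link #hasPermission(RoleModel, EvaluationContext, String...)} without a context. */
    private boolean hasPermission(RoleModel role, String... scopes) {
        return hasPermission(role, (EvaluationContext) null, scopes);
    }

    /**
     * Evaluates whether the current admin is granted at least one of the scopes on a role.
     *
     * <p>Access is denied outright when {@code root.isAdminSameRealm()} is false or the realm has
     * no resource server. With a {@code null} role the request targets the resource that
     * represents the whole roles resource type. With a role that has no resource of its own, a
     * transient {@link ResourceWrapper} named after the role id and carrying the type resource's
     * scopes is evaluated instead.
     *
     * @param role the role to check, or {@code null} to check the resource type as a whole
     * @param context evaluation context to use, or {@code null} for the default evaluation
     * @param scopes scope names, any one of which is sufficient
     * @return {@code true} if a permission for the evaluated resource carries one of the scopes
     */
    private boolean hasPermission(RoleModel role, EvaluationContext context, String... scopes) {
        if (!this.root.isAdminSameRealm()) {
            return false;
        }
        ResourceServer server = this.root.realmResourceServer();
        if (server == null) {
            return false;
        }
        // NOTE(review): typeResource is dereferenced below without a null check; confirm the
        // schema always returns a resource once the realm has a resource server.
        Resource typeResource = AdminPermissionsSchema.SCHEMA.getResourceTypeResource(this.session, server, ROLES_RESOURCE_TYPE);
        Resource resource = role == null ? typeResource : this.resourceStore.findByName(server, role.getId());
        if (role != null && resource == null) {
            resource = new ResourceWrapper(role.getId(), role.getId(), new HashSet<>(typeResource.getScopes()), server);
        }
        ResourcePermission request = new ResourcePermission(ROLES_RESOURCE_TYPE, resource, resource.getScopes(), server);
        Collection<Permission> permissions = context == null
                ? this.root.evaluatePermission(request, server)
                : this.root.evaluatePermission(request, server, context);
        List<String> expected = List.of(scopes);
        for (Permission permission : permissions) {
            // Only a permission issued for the evaluated resource itself counts.
            if (!permission.getResourceId().equals(resource.getId())) {
                continue;
            }
            for (String scope : permission.getScopes()) {
                if (expected.contains(scope)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Evaluates a single resource and reports whether the given scope is granted on it.
     *
     * @param resourceServer the realm resource server to evaluate against
     * @param resource the resource to evaluate, requested with all of its scopes
     * @param str the scope name that must be granted
     * @return {@code true} if a permission for this resource carries the scope
     */
    private boolean hasGrantedPermission(ResourceServer resourceServer, Resource resource, String str) {
        ResourcePermission request = new ResourcePermission(resource, resource.getScopes(), resourceServer);
        for (Permission permission : this.root.evaluatePermission(request, resourceServer)) {
            // Only a permission issued for the evaluated resource itself counts.
            if (!permission.getResourceId().equals(resource.getId())) {
                continue;
            }
            for (String scope : permission.getScopes()) {
                if (str.equals(scope)) {
                    return true;
                }
            }
        }
        return false;
    }

    // The per-role permission management operations below are rejected in this class.

    /** @throws UnsupportedOperationException always */
    @Override
    public boolean isPermissionsEnabled(RoleModel roleModel) {
        throw new UnsupportedOperationException(NOT_SUPPORTED);
    }

    /** @throws UnsupportedOperationException always */
    @Override
    public void setPermissionsEnabled(RoleModel roleModel, boolean z) {
        throw new UnsupportedOperationException(NOT_SUPPORTED);
    }

    /** @throws UnsupportedOperationException always */
    @Override
    public Map<String, String> getPermissions(RoleModel roleModel) {
        throw new UnsupportedOperationException(NOT_SUPPORTED);
    }

    /** @throws UnsupportedOperationException always */
    @Override
    public Policy mapRolePermission(RoleModel roleModel) {
        throw new UnsupportedOperationException(NOT_SUPPORTED);
    }

    /** @throws UnsupportedOperationException always */
    @Override
    public Policy mapCompositePermission(RoleModel roleModel) {
        throw new UnsupportedOperationException(NOT_SUPPORTED);
    }

    /** @throws UnsupportedOperationException always */
    @Override
    public Policy mapClientScopePermission(RoleModel roleModel) {
        throw new UnsupportedOperationException(NOT_SUPPORTED);
    }

    /** @throws UnsupportedOperationException always */
    @Override
    public Resource resource(RoleModel roleModel) {
        throw new UnsupportedOperationException(NOT_SUPPORTED);
    }

    /** @throws UnsupportedOperationException always */
    @Override
    public ResourceServer resourceServer(RoleModel roleModel) {
        throw new UnsupportedOperationException(NOT_SUPPORTED);
    }

    /** @throws UnsupportedOperationException always */
    @Override
    public Policy manageUsersPolicy(ResourceServer resourceServer) {
        throw new UnsupportedOperationException(NOT_SUPPORTED);
    }

    /** @throws UnsupportedOperationException always */
    @Override
    public Policy viewUsersPolicy(ResourceServer resourceServer) {
        throw new UnsupportedOperationException(NOT_SUPPORTED);
    }

    /** @throws UnsupportedOperationException always */
    @Override
    public Policy rolePolicy(ResourceServer resourceServer, RoleModel roleModel) {
        throw new UnsupportedOperationException(NOT_SUPPORTED);
    }

    // The decompiler marked every method below as a compiler-generated bridge. Each one only
    // forwards to the RolePermissions implementation, so the view/manage/list decisions and the
    // require* checks are not redefined in this class.

    @Override
    public void requireView(RoleModel roleModel) {
        super.requireView(roleModel);
    }

    @Override
    public boolean canView(RoleModel roleModel) {
        return super.canView(roleModel);
    }

    @Override
    public void requireManage(RoleModel roleModel) {
        super.requireManage(roleModel);
    }

    @Override
    public boolean canManageDefault(RoleModel roleModel) {
        return super.canManageDefault(roleModel);
    }

    @Override
    public boolean canManage(RoleModel roleModel) {
        return super.canManage(roleModel);
    }

    @Override
    public void requireMapClientScope(RoleModel roleModel) {
        super.requireMapClientScope(roleModel);
    }

    @Override
    public void requireMapComposite(RoleModel roleModel) {
        super.requireMapComposite(roleModel);
    }

    @Override
    public void requireView(RoleContainerModel roleContainerModel) {
        super.requireView(roleContainerModel);
    }

    @Override
    public boolean canView(RoleContainerModel roleContainerModel) {
        return super.canView(roleContainerModel);
    }

    @Override
    public void requireManage(RoleContainerModel roleContainerModel) {
        super.requireManage(roleContainerModel);
    }

    @Override
    public boolean canManage(RoleContainerModel roleContainerModel) {
        return super.canManage(roleContainerModel);
    }

    @Override
    public void requireList(RoleContainerModel roleContainerModel) {
        super.requireList(roleContainerModel);
    }

    @Override
    public boolean canList(RoleContainerModel roleContainerModel) {
        return super.canList(roleContainerModel);
    }

    @Override
    public void requireMapRole(RoleModel roleModel) {
        super.requireMapRole(roleModel);
    }
}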
