package org.keycloak.services.resources.admin.permissions;

import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.keycloak.authorization.AdminPermissionsSchema;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.ResourceWrapper;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.services.resources.KeycloakOpenAPI;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/keycloak/services/resources/admin/permissions/ClientPermissionsV2.class */
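/**
 * Client permission evaluator for the "V2" admin permissions model.
 *
 * <p>Every decision in this class comes from one of two sources visible here:
 * a realm admin role check through {@code root.hasOneAdminRole(...)}, or a
 * permission evaluation against the realm resource server through
 * {@code root.evaluatePermission(...)}. The per-client permission management
 * operations inherited from {@link ClientPermissions} are rejected with
 * {@link UnsupportedOperationException}.
 *
 * <p>NOTE(review): this listing is decompiler output. The resource type shown
 * as {@code KeycloakOpenAPI.Admin.Tags.CLIENTS} may be an inlined compile-time
 * string that the decompiler mapped to a same-valued constant; confirm against
 * the upstream source before relying on the constant's name. Parameter names
 * such as {@code str} and {@code z} are decompiler-generated.
 */
public class ClientPermissionsV2 extends ClientPermissions {
    /* JADX INFO: Access modifiers changed from: package-private */
    public ClientPermissionsV2(KeycloakSession keycloakSession, RealmModel realmModel, AuthorizationProvider authorizationProvider, MgmtPermissionsV2 mgmtPermissionsV2) {
        super(keycloakSession, realmModel, authorizationProvider, mgmtPermissionsV2);
    }

    /**
     * Allows listing clients when the caller holds {@code QUERY_CLIENTS} or
     * passes {@link #canView()}.
     */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionEvaluator
    public boolean canList() {
        return this.root.hasOneAdminRole(AdminRoles.QUERY_CLIENTS) || canView();
    }

    /**
     * Enforces "configure" by delegating to the parent's {@code requireManage}:
     * in this class configure access is not distinct from manage access.
     */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionEvaluator
    public void requireConfigure(ClientModel clientModel) {
        // NOTE(review): presumably the parent's requireManage calls canManage(ClientModel),
        // which would dispatch to the override below - confirm in ClientPermissions.
        super.requireManage(clientModel);
    }

    /** Same decision as {@link #canManage(ClientModel)}. */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionEvaluator
    public boolean canConfigure(ClientModel clientModel) {
        return canManage(clientModel);
    }

    /**
     * Allows managing the given client when the caller holds
     * {@code MANAGE_CLIENTS}, otherwise only when the manage scope is granted
     * for that client by permission evaluation.
     */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionEvaluator
    public boolean canManage(ClientModel clientModel) {
        if (this.root.hasOneAdminRole(AdminRoles.MANAGE_CLIENTS)) {
            return true;
        }
        return hasPermission(clientModel, AdminPermissionManagement.MANAGE_SCOPE);
    }

    /**
     * Allows managing clients in general when the caller holds
     * {@code MANAGE_CLIENTS}, otherwise only when the manage scope is granted
     * on the clients resource-type resource.
     */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionEvaluator
    public boolean canManage() {
        if (this.root.hasOneAdminRole(AdminRoles.MANAGE_CLIENTS)) {
            return true;
        }
        return hasPermission(AdminPermissionManagement.MANAGE_SCOPE);
    }

    /**
     * Allows viewing the given client when the caller holds
     * {@code MANAGE_CLIENTS} or {@code VIEW_CLIENTS}, otherwise only when the
     * view scope is granted for that client by permission evaluation.
     */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionEvaluator
    public boolean canView(ClientModel clientModel) {
        if (this.root.hasOneAdminRole(AdminRoles.MANAGE_CLIENTS, AdminRoles.VIEW_CLIENTS)) {
            return true;
        }
        return hasPermission(clientModel, AdminPermissionManagement.VIEW_SCOPE);
    }

    /**
     * Allows viewing clients in general when the caller holds
     * {@code MANAGE_CLIENTS} or {@code VIEW_CLIENTS}, otherwise only when the
     * view scope is granted on the clients resource-type resource.
     */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionEvaluator
    public boolean canView() {
        if (this.root.hasOneAdminRole(AdminRoles.MANAGE_CLIENTS, AdminRoles.VIEW_CLIENTS)) {
            return true;
        }
        return hasPermission(AdminPermissionManagement.VIEW_SCOPE);
    }

    /**
     * Allows mapping the client's roles only when the map-roles scope is
     * granted for that client by permission evaluation.
     */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionEvaluator
    public boolean canMapRoles(ClientModel clientModel) {
        // NOTE(review): unlike canManage/canView, this method and the two map-roles
        // checks below have no admin-role shortcut here - confirm that role-based
        // access is decided by the caller.
        return hasPermission(clientModel, ClientPermissionManagement.MAP_ROLES_SCOPE);
    }

    /**
     * Allows adding the client's roles to composites only when the
     * corresponding scope is granted for that client by permission evaluation.
     */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionEvaluator
    public boolean canMapCompositeRoles(ClientModel clientModel) {
        return hasPermission(clientModel, ClientPermissionManagement.MAP_ROLES_COMPOSITE_SCOPE);
    }

    /**
     * Allows adding the client's roles to client scopes only when the
     * corresponding scope is granted for that client by permission evaluation.
     */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionEvaluator
    public boolean canMapClientScopeRoles(ClientModel clientModel) {
        return hasPermission(clientModel, ClientPermissionManagement.MAP_ROLES_CLIENT_SCOPE);
    }

    /**
     * Allows managing client scopes under the same rule as
     * {@link #canManage()}: {@code MANAGE_CLIENTS} role, or the manage scope
     * granted on the clients resource-type resource.
     */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionEvaluator
    public boolean canManageClientScopes() {
        if (this.root.hasOneAdminRole(AdminRoles.MANAGE_CLIENTS)) {
            return true;
        }
        return hasPermission(AdminPermissionManagement.MANAGE_SCOPE);
    }

    /**
     * Decides manage access for a client scope. The argument is not consulted:
     * the result is {@link #canManageClientScopes()} for every client scope.
     */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionEvaluator
    public boolean canManage(ClientScopeModel clientScopeModel) {
        return canManageClientScopes();
    }

    /**
     * Decides view access for a client scope. The argument is not consulted:
     * the result depends only on the {@code VIEW_CLIENTS}/{@code MANAGE_CLIENTS}
     * roles or the view scope on the clients resource-type resource.
     */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionEvaluator
    public boolean canView(ClientScopeModel clientScopeModel) {
        if (this.root.hasOneAdminRole(AdminRoles.VIEW_CLIENTS, AdminRoles.MANAGE_CLIENTS)) {
            return true;
        }
        return hasPermission(AdminPermissionManagement.VIEW_SCOPE);
    }

    /**
     * Collects the names of resources for which the given scope is granted.
     *
     * <p>The candidates are the resources attached to policies that the policy
     * store returns for the clients resource type. Per-client resources are
     * looked up elsewhere in this class by {@code clientModel.getId()}, so the
     * returned names are expected to be client ids.
     *
     * @param str the scope name to look for (decompiler-generated parameter name)
     * @return a mutable set of resource names; empty when
     *         {@code root.isAdminSameRealm()} is false or no realm resource
     *         server exists
     */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionEvaluator
    public Set<String> getClientIdsByScope(String str) {
        // Deny by default: nothing is reported outside the same-realm case.
        if (!this.root.isAdminSameRealm()) {
            return Collections.emptySet();
        }
        ResourceServer realmResourceServer = this.root.realmResourceServer();
        if (realmResourceServer == null) {
            return Collections.emptySet();
        }
        // Typed set instead of the raw HashSet the decompiler emitted.
        Set<String> grantedClientIds = new HashSet<>();
        this.policyStore.findByResourceType(realmResourceServer, KeycloakOpenAPI.Admin.Tags.CLIENTS).stream()
                .flatMap(policy -> policy.getResources().stream())
                .filter(resource -> hasGrantedPermission(resource, str))
                .forEach(resource -> grantedClientIds.add(resource.getName()));
        return grantedClientIds;
    }

    /** Always rejected in this class. */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionManagement
    public boolean canExchangeTo(ClientModel clientModel, ClientModel clientModel2, AccessToken accessToken) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /** Always rejected in this class. */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionManagement
    public Policy exchangeToPermission(ClientModel clientModel) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /** Always rejected in this class. */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionManagement
    public Policy mapRolesPermission(ClientModel clientModel) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /** Always rejected in this class. */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionManagement
    public Policy mapRolesClientScopePermission(ClientModel clientModel) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /** Always rejected in this class. */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionManagement
    public Policy mapRolesCompositePermission(ClientModel clientModel) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /** Always rejected in this class. */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionManagement
    public Policy managePermission(ClientModel clientModel) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /** Always rejected in this class. */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionManagement
    public Policy configurePermission(ClientModel clientModel) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /** Always rejected in this class. */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionManagement
    public Policy viewPermission(ClientModel clientModel) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /** Always rejected in this class; callers must not use it as a feature probe. */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionEvaluator, org.keycloak.services.resources.admin.permissions.ClientPermissionManagement
    public boolean isPermissionsEnabled(ClientModel clientModel) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /** Always rejected in this class. */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionEvaluator, org.keycloak.services.resources.admin.permissions.ClientPermissionManagement
    public void setPermissionsEnabled(ClientModel clientModel, boolean z) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /** Always rejected in this class. */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionManagement
    public Resource resource(ClientModel clientModel) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /** Always rejected in this class. */
    @Override // org.keycloak.services.resources.admin.permissions.ClientPermissions, org.keycloak.services.resources.admin.permissions.ClientPermissionManagement
    public Map<String, String> getPermissions(ClientModel clientModel) {
        throw new UnsupportedOperationException("Not supported in V2");
    }

    /**
     * Checks the scope against the clients resource-type resource, i.e. with
     * no specific client.
     */
    private boolean hasPermission(String scope) {
        return hasPermission((ClientModel) null, scope);
    }

    /**
     * Evaluates whether {@code scope} is granted for a client, or for the
     * clients resource-type resource when {@code clientModel} is null.
     *
     * <p>Returns false without evaluating anything when
     * {@code root.isAdminSameRealm()} is false or there is no realm resource
     * server, so a missing authorization setup denies rather than allows.
     *
     * @param clientModel the client to check, or null for the type-level check
     * @param scope       the scope name that must be present in a granted permission
     * @return true only if an evaluated permission names the same resource id
     *         and contains {@code scope}
     */
    private boolean hasPermission(ClientModel clientModel, String scope) {
        if (!this.root.isAdminSameRealm()) {
            return false;
        }
        ResourceServer realmResourceServer = this.root.realmResourceServer();
        if (realmResourceServer == null) {
            return false;
        }

        // NOTE(review): assumes getResourceTypeResource never returns null once a realm
        // resource server exists; a null here would surface as a NullPointerException
        // below rather than as a clean denial - confirm against AdminPermissionsSchema.
        Resource typeResource = AdminPermissionsSchema.SCHEMA.getResourceTypeResource(this.session, realmResourceServer, KeycloakOpenAPI.Admin.Tags.CLIENTS);

        Resource target;
        if (clientModel == null) {
            target = typeResource;
        } else {
            target = this.resourceStore.findByName(realmResourceServer, clientModel.getId());
            if (target == null) {
                // No stored resource for this client: evaluate against a transient wrapper
                // that uses the client id as both id and name and copies the type
                // resource's scopes.
                target = new ResourceWrapper(clientModel.getId(), clientModel.getId(), new HashSet<>(typeResource.getScopes()), realmResourceServer);
            }
        }

        ResourcePermission request = new ResourcePermission(KeycloakOpenAPI.Admin.Tags.CLIENTS, target, target.getScopes(), realmResourceServer);
        for (Permission permission : this.root.evaluatePermission(request, realmResourceServer)) {
            // A grant counts only when it is for exactly the evaluated resource.
            boolean sameResource = permission.getResourceId().equals(target.getId());
            if (sameResource && permission.getScopes().contains(scope)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Evaluates whether {@code scope} is granted on an already-resolved
     * resource.
     *
     * <p>This helper performs no same-realm check and no null check on the
     * realm resource server; its only caller in this class,
     * {@link #getClientIdsByScope(String)}, performs both before calling it.
     * The permission request is built without a resource type, unlike
     * {@link #hasPermission(ClientModel, String)}.
     *
     * @param resource the resource to evaluate
     * @param scope    the scope name to look for; must not be null
     * @return true only if an evaluated permission names the same resource id
     *         and lists {@code scope}
     */
    private boolean hasGrantedPermission(Resource resource, String scope) {
        ResourceServer realmResourceServer = this.root.realmResourceServer();
        ResourcePermission request = new ResourcePermission(resource, resource.getScopes(), realmResourceServer);
        for (Permission permission : this.root.evaluatePermission(request, realmResourceServer)) {
            if (!permission.getResourceId().equals(resource.getId())) {
                continue;
            }
            // Typed iteration replaces the raw Iterator and String cast from the decompiler.
            for (String grantedScope : permission.getScopes()) {
                if (scope.equals(grantedScope)) {
                    return true;
                }
            }
        }
        return false;
    }
}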
