package org.keycloak.services.resources.admin.permissions;

import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.common.DefaultEvaluationContext;
import org.keycloak.authorization.common.KeycloakIdentity;
import org.keycloak.authorization.common.UserModelIdentity;
import org.keycloak.authorization.identity.Identity;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.EvaluationContext;
import org.keycloak.common.Profile;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.services.ForbiddenException;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.services.resources.admin.AdminAuth;

/* loaded from: input_file:org/keycloak/services/resources/admin/permissions/MgmtPermissions.class */
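class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManagement, RealmsPermissionEvaluator {
    private static final Logger logger = Logger.getLogger(MgmtPermissions.class);

    /** Realm being administered. Not set by the (session, auth) constructor. */
    protected RealmModel realm;
    protected KeycloakSession session;
    /** Authorization services for {@link #realm}; stays null when the AUTHORIZATION feature is disabled. */
    protected AuthorizationProvider authz;
    /** Authenticated admin request; null when the evaluator was built from a {@link UserModel}. */
    protected AdminAuth auth;
    /** Identity whose roles are checked. Not set by the (session, realm) constructor. */
    protected Identity identity;
    protected UserModel admin;
    /** Realm the admin belongs to; decides which admin client carries the admin roles. */
    protected RealmModel adminsRealm;
    // Lazily created per-area evaluators and cached authorization objects; see the accessors.
    protected ResourceServer realmResourceServer;
    protected UserPermissions users;
    protected GroupPermissions groups;
    protected RealmPermissions realmPermissions;
    protected ClientPermissions clientPermissions;
    protected IdentityProviderPermissions idpPermissions;
    protected Scope manageScope;
    protected Scope viewScope;

    /**
     * Creates an evaluator for {@code realmModel} without an admin identity.
     * <p>
     * Role checks ({@link #hasOneAdminRole(RealmModel, String...)}, {@link #isAdmin()} and the
     * methods built on them) dereference {@link #identity} and {@link #adminsRealm}, so an instance
     * built this way is only usable for the authz-management side (resource server and scope setup).
     *
     * @param keycloakSession current session
     * @param realmModel      realm being administered
     */
    public MgmtPermissions(KeycloakSession keycloakSession, RealmModel realmModel) {
        this.session = keycloakSession;
        this.realm = realmModel;
        KeycloakSessionFactory keycloakSessionFactory = keycloakSession.getKeycloakSessionFactory();
        // Without the feature, authz stays null; the accessors that read it check the feature flag first.
        if (Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION)) {
            this.authz = keycloakSessionFactory.getProviderFactory(AuthorizationProvider.class).create(keycloakSession, realmModel);
        }
    }

    /**
     * Creates an evaluator for {@code realmModel} acting on behalf of an authenticated admin.
     * <p>
     * Cross-realm administration is only permitted from the Keycloak administration realm: an admin
     * authenticated in any other realm may only administer that same realm.
     *
     * @param keycloakSession current session
     * @param realmModel      realm being administered
     * @param adminAuth       authenticated admin request
     * @throws ForbiddenException if the admin's realm is neither {@code realmModel} nor the administration realm
     */
    public MgmtPermissions(KeycloakSession keycloakSession, RealmModel realmModel, AdminAuth adminAuth) {
        this(keycloakSession, realmModel);
        this.auth = adminAuth;
        this.admin = adminAuth.getUser();
        this.adminsRealm = adminAuth.getRealm();
        RealmModel adminRealm = adminAuth.getRealm();
        // Same-realm check first so the administration-realm lookup only happens for cross-realm requests.
        if (!adminRealm.equals(realmModel)
                && !adminRealm.equals(new RealmManager(keycloakSession).getKeycloakAdminstrationRealm())) {
            throw new ForbiddenException();
        }
        initIdentity(keycloakSession, adminAuth);
    }

    /**
     * Creates an evaluator that is not bound to a particular administered realm (realm-level
     * operations such as {@link #canCreateRealm()} and {@link #isAdmin()}).
     * {@link #realm} and {@link #authz} remain null.
     *
     * @param keycloakSession current session
     * @param adminAuth       authenticated admin request
     */
    public MgmtPermissions(KeycloakSession keycloakSession, AdminAuth adminAuth) {
        this.session = keycloakSession;
        this.auth = adminAuth;
        this.admin = adminAuth.getUser();
        this.adminsRealm = adminAuth.getRealm();
        initIdentity(keycloakSession, adminAuth);
    }

    /**
     * Chooses the identity the role checks run against.
     * <p>
     * Tokens issued for the built-in admin clients ({@code admin-cli}, {@code security-admin-console})
     * get an identity backed by the admin's {@link UserModel}; any other token gets an identity backed
     * by the token itself ({@link KeycloakIdentity}). Which object backs the identity determines where
     * the roles consulted by {@link Identity#hasClientRole} and {@link Identity#hasRealmRole} come from.
     */
    private void initIdentity(KeycloakSession keycloakSession, AdminAuth adminAuth) {
        String issuedFor = adminAuth.getToken().getIssuedFor();
        boolean builtInAdminClient = "admin-cli".equals(issuedFor) || "security-admin-console".equals(issuedFor);
        if (builtInAdminClient) {
            this.identity = new UserModelIdentity(adminAuth.getRealm(), adminAuth.getUser());
        } else {
            this.identity = new KeycloakIdentity(adminAuth.getToken(), keycloakSession);
        }
    }

    /**
     * Creates an evaluator for a user of {@code realmModel} without a request context.
     * {@link #realm}, {@link #authz} and {@link #auth} remain null; the identity is backed by the user model.
     *
     * @param keycloakSession current session
     * @param realmModel      realm the user belongs to
     * @param userModel       user acting as admin
     */
    public MgmtPermissions(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        this.session = keycloakSession;
        this.admin = userModel;
        this.adminsRealm = realmModel;
        this.identity = new UserModelIdentity(realmModel, userModel);
    }

    /**
     * Creates an evaluator for {@code realmModel} on behalf of {@code userModel}, whose roles are read
     * from {@code realmModel} while {@code realmModel2} is recorded as the admin's realm.
     * Unlike the {@link AdminAuth} constructor no cross-realm check is applied here.
     *
     * @param keycloakSession current session
     * @param realmModel      realm being administered and realm backing the identity
     * @param realmModel2     realm recorded as {@link #adminsRealm}
     * @param userModel       user acting as admin
     */
    public MgmtPermissions(KeycloakSession keycloakSession, RealmModel realmModel, RealmModel realmModel2, UserModel userModel) {
        this(keycloakSession, realmModel);
        this.admin = userModel;
        this.adminsRealm = realmModel2;
        this.identity = new UserModelIdentity(realmModel, userModel);
    }

    /**
     * Returns the client that owns the realm's admin permissions: {@code <admin-realm>-realm} inside the
     * administration realm, {@code realm-management} everywhere else. May be null if the client is missing.
     */
    @Override
    public ClientModel getRealmManagementClient() {
        String adminRealmName = Config.getAdminRealm();
        if (this.realm.getName().equals(adminRealmName)) {
            return this.realm.getClientByClientId(adminRealmName + "-realm");
        }
        return this.realm.getClientByClientId("realm-management");
    }

    /** Authorization services for the administered realm, or null when the AUTHORIZATION feature is off. */
    @Override
    public AuthorizationProvider authz() {
        return this.authz;
    }

    /**
     * Rejects the request unless the admin holds at least one realm admin role.
     *
     * @throws ForbiddenException if {@link #hasAnyAdminRole()} is false
     */
    @Override
    public void requireAnyAdminRole() {
        if (!hasAnyAdminRole()) {
            throw new ForbiddenException();
        }
    }

    /** Whether the admin holds any of {@link AdminRoles#ALL_REALM_ROLES} on the administered realm. */
    public boolean hasAnyAdminRole() {
        return hasOneAdminRole(AdminRoles.ALL_REALM_ROLES);
    }

    /** Whether the admin holds any of {@link AdminRoles#ALL_REALM_ROLES} on {@code realmModel}. */
    public boolean hasAnyAdminRole(RealmModel realmModel) {
        return hasOneAdminRole(realmModel, AdminRoles.ALL_REALM_ROLES);
    }

    /** Whether the admin holds at least one of {@code strArr} on the administered realm. */
    public boolean hasOneAdminRole(String... strArr) {
        return hasOneAdminRole(this.realm, strArr);
    }

    /**
     * Whether the admin holds at least one of the given admin roles on {@code realmModel}.
     * <p>
     * The roles are client roles of the admin client that represents {@code realmModel} in the
     * admin's own realm: for administration-realm admins that is {@code realmModel.getMasterAdminClient()},
     * for admins of {@code realmModel} itself it is the realm's own admin client. An admin from any
     * other realm, or a realm whose admin client cannot be found, is denied rather than raising an error.
     *
     * @param realmModel realm the roles are checked for
     * @param strArr     admin role names; an empty array yields false
     * @return true if the identity has at least one of the roles
     */
    public boolean hasOneAdminRole(RealmModel realmModel, String... strArr) {
        RealmManager realmManager = new RealmManager(this.session);
        ClientModel adminClient;
        if (this.adminsRealm.equals(realmManager.getKeycloakAdminstrationRealm())) {
            adminClient = realmModel.getMasterAdminClient();
        } else if (this.adminsRealm.equals(realmModel)) {
            adminClient = realmModel.getClientByClientId(realmManager.getRealmAdminClientId(realmModel));
        } else {
            // An admin of an unrelated realm never has roles on this realm.
            return false;
        }
        if (adminClient == null) {
            // Fail closed: with no admin client there is nothing the roles could be granted on.
            return false;
        }
        String clientId = adminClient.getClientId();
        for (String role : strArr) {
            if (this.identity.hasClientRole(clientId, role)) {
                return true;
            }
        }
        return false;
    }

    /** True when there is no request context or the admin authenticated in the administered realm. */
    public boolean isAdminSameRealm() {
        if (this.auth == null) {
            return true;
        }
        return this.realm.getId().equals(this.auth.getRealm().getId());
    }

    /** Authenticated admin request, or null for evaluators built from a {@link UserModel}. */
    @Override
    public AdminAuth adminAuth() {
        return this.auth;
    }

    /** Identity the role checks run against; null for the (session, realm) constructor. */
    public Identity identity() {
        return this.identity;
    }

    /** The admin user, or null for the (session, realm) constructor. */
    public UserModel admin() {
        return this.admin;
    }

    /** Realm the admin belongs to, or null for the (session, realm) constructor. */
    public RealmModel adminsRealm() {
        return this.adminsRealm;
    }

    /** Role permission evaluator; a new instance on every call, unlike the other accessors. */
    @Override
    public RolePermissions roles() {
        return new RolePermissions(this.session, this.realm, this.authz, this);
    }

    /** User permission evaluator, created on first use. */
    @Override
    public UserPermissions users() {
        if (this.users == null) {
            this.users = new UserPermissions(this.session, this.authz, this);
        }
        return this.users;
    }

    /** Realm permission evaluator, created on first use. */
    @Override
    public RealmPermissions realm() {
        if (this.realmPermissions == null) {
            this.realmPermissions = new RealmPermissions(this.session, this.realm, this.authz, this);
        }
        return this.realmPermissions;
    }

    /** Client permission evaluator, created on first use. */
    @Override
    public ClientPermissions clients() {
        if (this.clientPermissions == null) {
            this.clientPermissions = new ClientPermissions(this.session, this.realm, this.authz, this);
        }
        return this.clientPermissions;
    }

    /** Identity provider permission evaluator, created on first use. */
    @Override
    public IdentityProviderPermissions idps() {
        if (this.idpPermissions == null) {
            this.idpPermissions = new IdentityProviderPermissions(this.session, this.realm, this.authz, this);
        }
        return this.idpPermissions;
    }

    /** Group permission evaluator, created on first use. */
    @Override
    public GroupPermissions groups() {
        if (this.groups == null) {
            this.groups = new GroupPermissions(this.authz, this);
        }
        return this.groups;
    }

    /**
     * Returns the realm resource server, creating it if needed. All fine-grained admin permissions live
     * on the realm-management client's resource server, so {@code clientModel} is not consulted.
     */
    public ResourceServer findOrCreateResourceServer(ClientModel clientModel) {
        return initializeRealmResourceServer();
    }

    /** Returns the realm resource server without creating it; {@code clientModel} is not consulted. */
    public ResourceServer resourceServer(ClientModel clientModel) {
        return realmResourceServer();
    }

    /**
     * Looks up (never creates) the resource server of the realm-management client.
     *
     * @return the cached resource server, or null when the AUTHORIZATION feature is disabled, the
     *         realm-management client does not exist, or no resource server has been created for it
     */
    @Override
    public ResourceServer realmResourceServer() {
        if (!Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION)) {
            return null;
        }
        if (this.realmResourceServer != null) {
            return this.realmResourceServer;
        }
        ClientModel realmManagementClient = getRealmManagementClient();
        if (realmManagementClient == null) {
            return null;
        }
        this.realmResourceServer = this.authz.getStoreFactory().getResourceServerStore().findByClient(realmManagementClient);
        return this.realmResourceServer;
    }

    /**
     * Looks up or creates the resource server of the realm-management client.
     * <p>
     * NOTE(review): unlike {@link #realmResourceServer()} this does not guard against a missing
     * realm-management client; confirm callers only use it on realms that have one.
     *
     * @return the resource server, or null when the AUTHORIZATION feature is disabled
     */
    public ResourceServer initializeRealmResourceServer() {
        if (!Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION)) {
            return null;
        }
        if (this.realmResourceServer != null) {
            return this.realmResourceServer;
        }
        ClientModel realmManagementClient = getRealmManagementClient();
        this.realmResourceServer = this.authz.getStoreFactory().getResourceServerStore().findByClient(realmManagementClient);
        if (this.realmResourceServer == null) {
            this.realmResourceServer = this.authz.getStoreFactory().getResourceServerStore().create(realmManagementClient);
        }
        return this.realmResourceServer;
    }

    /** Ensures the realm resource server and its {@code manage}/{@code view} scopes exist, caching the scopes. */
    public void initializeRealmDefaultScopes() {
        initializeRealmResourceServer();
        this.manageScope = initializeRealmScope(AdminPermissionManagement.MANAGE_SCOPE);
        this.viewScope = initializeRealmScope(AdminPermissionManagement.VIEW_SCOPE);
    }

    /**
     * Looks up or creates the scope named {@code str} on the realm resource server
     * (which is created first if needed).
     */
    public Scope initializeRealmScope(String str) {
        return initializeScope(str, initializeRealmResourceServer());
    }

    /**
     * Looks up or creates the scope named {@code str} on {@code resourceServer}.
     *
     * @param str            scope name
     * @param resourceServer resource server owning the scope
     * @return the existing or newly created scope
     */
    public Scope initializeScope(String str, ResourceServer resourceServer) {
        Scope scope = this.authz.getStoreFactory().getScopeStore().findByName(resourceServer, str);
        if (scope == null) {
            scope = this.authz.getStoreFactory().getScopeStore().create(resourceServer, str);
        }
        return scope;
    }

    /**
     * The realm's {@code manage} scope, looked up (not created) on first use.
     * A null result is not cached, so the lookup is repeated until the scope exists.
     */
    public Scope realmManageScope() {
        if (this.manageScope == null) {
            this.manageScope = realmScope(AdminPermissionManagement.MANAGE_SCOPE);
        }
        return this.manageScope;
    }

    /**
     * The realm's {@code view} scope, looked up (not created) on first use.
     * A null result is not cached, so the lookup is repeated until the scope exists.
     */
    public Scope realmViewScope() {
        if (this.viewScope == null) {
            this.viewScope = realmScope(AdminPermissionManagement.VIEW_SCOPE);
        }
        return this.viewScope;
    }

    /**
     * Looks up (never creates) the scope named {@code str} on the realm resource server.
     *
     * @return the scope, or null if there is no realm resource server or no such scope
     */
    public Scope realmScope(String str) {
        ResourceServer server = realmResourceServer();
        if (server == null) {
            return null;
        }
        return this.authz.getStoreFactory().getScopeStore().findByName(server, str);
    }

    /**
     * Evaluates whether the admin's identity is granted {@code scopeArr} on {@code resource}.
     *
     * @throws IllegalStateException if this evaluator has no identity (see the (session, realm) constructor)
     */
    public boolean evaluatePermission(Resource resource, ResourceServer resourceServer, Scope... scopeArr) {
        Identity identity = identity();
        if (identity == null) {
            // IllegalStateException is a RuntimeException, so existing catch sites still apply.
            throw new IllegalStateException("Identity of admin is not set for permission query");
        }
        return evaluatePermission(resource, resourceServer, identity, scopeArr);
    }

    /** Evaluates {@code resourcePermission} for the admin's identity in a default evaluation context. */
    public Collection<Permission> evaluatePermission(ResourcePermission resourcePermission, ResourceServer resourceServer) {
        return evaluatePermission(resourcePermission, resourceServer, new DefaultEvaluationContext(this.identity, this.session));
    }

    /** Evaluates a single {@code resourcePermission} in the given context. */
    public Collection<Permission> evaluatePermission(ResourcePermission resourcePermission, ResourceServer resourceServer, EvaluationContext evaluationContext) {
        return evaluatePermission(Arrays.asList(resourcePermission), resourceServer, evaluationContext);
    }

    /** Evaluates whether {@code identity} is granted {@code scopeArr} on {@code resource}. */
    public boolean evaluatePermission(Resource resource, ResourceServer resourceServer, Identity identity, Scope... scopeArr) {
        return evaluatePermission(resource, resourceServer, new DefaultEvaluationContext(identity, this.session), scopeArr);
    }

    /**
     * Evaluates whether the context's identity is granted {@code scopeArr} on {@code resource}.
     * Granted means the evaluation yields at least one {@link Permission}.
     */
    public boolean evaluatePermission(Resource resource, ResourceServer resourceServer, EvaluationContext evaluationContext, Scope... scopeArr) {
        ResourcePermission permission = new ResourcePermission(resource, Arrays.asList(scopeArr), resourceServer);
        Collection<Permission> granted = evaluatePermission(Arrays.asList(permission), resourceServer, evaluationContext);
        return !granted.isEmpty();
    }

    /**
     * Runs the policy evaluation for {@code list} against {@code resourceServer}.
     * <p>
     * Evaluation must run with the administered realm as the session's current realm; the caller's
     * realm is restored afterwards, also when evaluation throws.
     *
     * @return the permissions granted by the policies (empty when nothing is granted)
     */
    public Collection<Permission> evaluatePermission(List<ResourcePermission> list, ResourceServer resourceServer, EvaluationContext evaluationContext) {
        RealmModel callerRealm = this.session.getContext().getRealm();
        try {
            this.session.getContext().setRealm(this.realm);
            return this.authz.evaluators().from(list, evaluationContext).evaluate(resourceServer, (AuthorizationRequest) null);
        } finally {
            this.session.getContext().setRealm(callerRealm);
        }
    }

    /** Whether the admin may view {@code realmModel} (view-realm or manage-realm role). */
    @Override
    public boolean canView(RealmModel realmModel) {
        return hasOneAdminRole(realmModel, AdminRoles.VIEW_REALM, AdminRoles.MANAGE_REALM);
    }

    /** Whether the admin holds any admin role on {@code realmModel}. */
    @Override
    public boolean isAdmin(RealmModel realmModel) {
        return hasAnyAdminRole(realmModel);
    }

    /**
     * Whether the admin is an admin of anything.
     * <p>
     * For admins of a regular realm this is {@link #isAdmin(RealmModel)} on their own realm. For
     * administration-realm admins the realm roles {@code admin} and {@code create-realm} qualify
     * directly; otherwise every realm is scanned for an admin role, which is a lookup over all realms.
     */
    @Override
    public boolean isAdmin() {
        boolean fromAdminRealm = this.adminsRealm.equals(new RealmManager(this.session).getKeycloakAdminstrationRealm());
        if (!fromAdminRealm) {
            return isAdmin(this.adminsRealm);
        }
        if (this.identity.hasRealmRole(AdminRoles.ADMIN) || this.identity.hasRealmRole(AdminRoles.CREATE_REALM)) {
            return true;
        }
        return this.session.realms().getRealmsStream().anyMatch(this::isAdmin);
    }

    /**
     * Whether the admin may create realms: only administration-realm admins holding the
     * {@code create-realm} realm role.
     * <p>
     * The admin's realm is taken from {@link #adminsRealm}, which every identity-bearing constructor
     * sets (it equals {@code auth.getRealm()} whenever {@link #auth} is present), so the check also
     * works for evaluators built from a {@link UserModel}; {@link #isAdmin()} makes the same comparison.
     */
    @Override
    public boolean canCreateRealm() {
        boolean fromAdminRealm = this.adminsRealm.equals(new RealmManager(this.session).getKeycloakAdminstrationRealm());
        if (!fromAdminRealm) {
            return false;
        }
        return this.identity.hasRealmRole(AdminRoles.CREATE_REALM);
    }

    /**
     * Rejects the request unless the admin may create realms.
     *
     * @throws ForbiddenException if {@link #canCreateRealm()} is false
     */
    @Override
    public void requireCreateRealm() {
        if (!canCreateRealm()) {
            throw new ForbiddenException();
        }
    }
}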
