package org.keycloak.services.resources.admin.permissions;

import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.common.ClientModelIdentity;
import org.keycloak.authorization.common.DefaultEvaluationContext;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.models.ClientModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/keycloak/services/resources/admin/permissions/IdentityProviderPermissions.class */
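/**
 * Fine-grained admin permissions for a single identity provider.
 *
 * <p>Each identity provider is backed by one authorization {@link Resource} named
 * {@code idp.resource.<internalId>} of type {@code IdentityProvider}, carrying the
 * {@link AdminPermissionManagement#TOKEN_EXCHANGE} scope, and one scope permission
 * named {@code token-exchange.permission.idp.<internalId>} that decides which clients
 * may exchange tokens for that provider. Both objects live in the realm's management
 * resource server obtained from {@link MgmtPermissions#initializeRealmResourceServer()}.
 *
 * <p>Every lookup that finds the setup incomplete (no resource server, no resource,
 * no permission, no attached policies, no scope) answers "not permitted" rather than
 * guessing, so a partially configured provider never grants token exchange.
 */
public class IdentityProviderPermissions implements IdentityProviderPermissionManagement {
    private static final Logger logger = Logger.getLogger(IdentityProviderPermissions.class);

    /** Resource type recorded on the per-provider authorization resource. */
    private static final String RESOURCE_TYPE = "IdentityProvider";
    /** Name prefix of the per-provider authorization resource. */
    private static final String RESOURCE_NAME_PREFIX = "idp.resource.";
    /** Name prefix of the per-provider token-exchange scope permission. */
    private static final String EXCHANGE_PERMISSION_PREFIX = "token-exchange.permission.idp.";
    /** Evaluation-context attribute carrying the requesting client's client id. */
    private static final String CLIENT_ID_ATTRIBUTE = "kc.client.id";

    protected final KeycloakSession session;
    protected final RealmModel realm;
    protected final AuthorizationProvider authz;
    protected final MgmtPermissions root;

    /**
     * @param keycloakSession       current session
     * @param realmModel            realm the identity providers belong to
     * @param authorizationProvider authorization services used to read and write resources,
     *                              scopes and policies
     * @param mgmtPermissions       owner providing the management resource server and
     *                              permission evaluation
     */
    public IdentityProviderPermissions(KeycloakSession keycloakSession, RealmModel realmModel, AuthorizationProvider authorizationProvider, MgmtPermissions mgmtPermissions) {
        this.session = keycloakSession;
        this.realm = realmModel;
        this.authz = authorizationProvider;
        this.root = mgmtPermissions;
    }

    /** Name of the authorization resource representing {@code identityProviderModel}. */
    private String getResourceName(IdentityProviderModel identityProviderModel) {
        return RESOURCE_NAME_PREFIX + identityProviderModel.getInternalId();
    }

    /** Name of the token-exchange scope permission for {@code identityProviderModel}. */
    private String getExchangeToPermissionName(IdentityProviderModel identityProviderModel) {
        return EXCHANGE_PERMISSION_PREFIX + identityProviderModel.getInternalId();
    }

    /**
     * Looks up the provider's authorization resource in {@code server}.
     *
     * @return the resource, or {@code null} if it has not been created
     */
    private Resource findResource(ResourceServer server, IdentityProviderModel identityProviderModel) {
        return this.authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(identityProviderModel));
    }

    /**
     * Looks up the provider's token-exchange permission in {@code server}.
     *
     * @return the policy, or {@code null} if it has not been created
     */
    private Policy findExchangeToPermission(ResourceServer server, IdentityProviderModel identityProviderModel) {
        return this.authz.getStoreFactory().getPolicyStore().findByName(server, getExchangeToPermissionName(identityProviderModel));
    }

    /**
     * Creates the provider's resource (with the token-exchange scope) and an empty
     * token-exchange permission, each only if it does not exist yet.
     *
     * <p>The permission is created without any associated policy, so enabling
     * permissions by itself does not authorize any client; see {@link #canExchangeTo}.
     */
    private void initialize(IdentityProviderModel identityProviderModel) {
        ResourceServer server = this.root.initializeRealmResourceServer();
        Scope exchangeScope = this.root.initializeScope(AdminPermissionManagement.TOKEN_EXCHANGE, server);

        String resourceName = getResourceName(identityProviderModel);
        Resource resource = this.authz.getStoreFactory().getResourceStore().findByName(server, resourceName);
        if (resource == null) {
            resource = this.authz.getStoreFactory().getResourceStore().create(server, resourceName, server.getClientId());
            resource.setType(RESOURCE_TYPE);
            Set<Scope> scopes = new HashSet<>();
            scopes.add(exchangeScope);
            resource.updateScopes(scopes);
        }

        String permissionName = getExchangeToPermissionName(identityProviderModel);
        if (this.authz.getStoreFactory().getPolicyStore().findByName(server, permissionName) == null) {
            Helper.addEmptyScopePermission(this.authz, server, permissionName, resource, exchangeScope);
        }
    }

    /** Deletes the policy named {@code str} from {@code resourceServer} if it exists. */
    private void deletePolicy(String str, ResourceServer resourceServer) {
        Policy policy = this.authz.getStoreFactory().getPolicyStore().findByName(resourceServer, str);
        if (policy != null) {
            this.authz.getStoreFactory().getPolicyStore().delete(resourceServer.getRealm(), policy.getId());
        }
    }

    /**
     * Removes the provider's token-exchange permission and then its resource.
     * Does nothing when the realm has no management resource server.
     */
    private void deletePermissions(IdentityProviderModel identityProviderModel) {
        ResourceServer server = this.root.initializeRealmResourceServer();
        if (server == null) {
            return;
        }
        // The permission references the resource, so it is removed first.
        deletePolicy(getExchangeToPermissionName(identityProviderModel), server);
        Resource resource = findResource(server, identityProviderModel);
        if (resource != null) {
            this.authz.getStoreFactory().getResourceStore().delete(server.getRealm(), resource.getId());
        }
    }

    /**
     * @return {@code true} when the provider's authorization resource exists in the
     *         realm's management resource server
     */
    @Override // org.keycloak.services.resources.admin.permissions.IdentityProviderPermissionManagement
    public boolean isPermissionsEnabled(IdentityProviderModel identityProviderModel) {
        ResourceServer server = this.root.initializeRealmResourceServer();
        return server != null && findResource(server, identityProviderModel) != null;
    }

    /**
     * Enables (creates) or disables (deletes) fine-grained permissions for the provider.
     *
     * @param z {@code true} to create the resource and permission, {@code false} to delete them
     */
    @Override // org.keycloak.services.resources.admin.permissions.IdentityProviderPermissionManagement
    public void setPermissionsEnabled(IdentityProviderModel identityProviderModel, boolean z) {
        if (z) {
            initialize(identityProviderModel);
        } else {
            deletePermissions(identityProviderModel);
        }
    }

    /** The token-exchange scope of {@code resourceServer}, or {@code null} if not yet created. */
    private Scope exchangeToScope(ResourceServer resourceServer) {
        return this.authz.getStoreFactory().getScopeStore().findByName(resourceServer, AdminPermissionManagement.TOKEN_EXCHANGE);
    }

    /**
     * @return the provider's authorization resource, or {@code null} when there is no
     *         management resource server or the resource was never created
     */
    @Override // org.keycloak.services.resources.admin.permissions.IdentityProviderPermissionManagement
    public Resource resource(IdentityProviderModel identityProviderModel) {
        ResourceServer server = this.root.initializeRealmResourceServer();
        if (server == null) {
            return null;
        }
        return findResource(server, identityProviderModel);
    }

    /**
     * Returns the ids of the provider's permissions keyed by scope name, creating the
     * resource and permission first if they are missing (this method has that side effect).
     *
     * @return map with a single entry {@code TOKEN_EXCHANGE -> permission id}
     */
    @Override // org.keycloak.services.resources.admin.permissions.IdentityProviderPermissionManagement
    public Map<String, String> getPermissions(IdentityProviderModel identityProviderModel) {
        initialize(identityProviderModel);
        Map<String, String> permissions = new LinkedHashMap<>();
        permissions.put(AdminPermissionManagement.TOKEN_EXCHANGE, exchangeToPermission(identityProviderModel).getId());
        return permissions;
    }

    /**
     * Decides whether {@code clientModel} may exchange a token for the given provider.
     *
     * <p>Fails closed: any missing piece of the setup (resource server, resource,
     * permission, associated policies, scope) yields {@code false} with a debug log line.
     * Otherwise the permission is evaluated for the client's identity with the
     * {@code kc.client.id} attribute set to the client's client id.
     */
    @Override // org.keycloak.services.resources.admin.permissions.IdentityProviderPermissionManagement
    public boolean canExchangeTo(final ClientModel clientModel, IdentityProviderModel identityProviderModel) {
        ResourceServer server = this.root.initializeRealmResourceServer();
        if (server == null) {
            logger.debug("No resource server set up for target idp");
            return false;
        }
        Resource resource = findResource(server, identityProviderModel);
        if (resource == null) {
            logger.debug("No resource object set up for target idp");
            return false;
        }
        Policy permission = findExchangeToPermission(server, identityProviderModel);
        if (permission == null) {
            logger.debug("No permission object set up for target idp");
            return false;
        }
        // A permission with no policies attached would otherwise be evaluated as
        // unrestricted; refuse explicitly instead.
        Set<Policy> associatedPolicies = permission.getAssociatedPolicies();
        if (associatedPolicies == null || associatedPolicies.isEmpty()) {
            logger.debug("No policies set up for permission on target idp");
            return false;
        }
        Scope exchangeScope = exchangeToScope(server);
        if (exchangeScope == null) {
            logger.debug("token-exchange not initialized");
            return false;
        }
        DefaultEvaluationContext context = new DefaultEvaluationContext(new ClientModelIdentity(this.session, clientModel), this.session) {
            @Override // org.keycloak.authorization.common.DefaultEvaluationContext
            public Map<String, Collection<String>> getBaseAttributes() {
                Map<String, Collection<String>> attributes = super.getBaseAttributes();
                attributes.put(CLIENT_ID_ATTRIBUTE, Arrays.asList(clientModel.getClientId()));
                return attributes;
            }
        };
        return this.root.evaluatePermission(resource, server, context, exchangeScope);
    }

    /**
     * @return the provider's token-exchange permission, or {@code null} when there is no
     *         management resource server or the permission was never created
     */
    @Override // org.keycloak.services.resources.admin.permissions.IdentityProviderPermissionManagement
    public Policy exchangeToPermission(IdentityProviderModel identityProviderModel) {
        ResourceServer server = this.root.initializeRealmResourceServer();
        if (server == null) {
            return null;
        }
        return findExchangeToPermission(server, identityProviderModel);
    }
}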
