package org.keycloak.authorization.protection.permission;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.ws.rs.core.Response;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.common.KeycloakIdentity;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionRequest;
import org.keycloak.representations.idm.authorization.PermissionResponse;
import org.keycloak.representations.idm.authorization.PermissionTicketToken;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.Urls;

/* loaded from: input_file:org/keycloak/authorization/protection/permission/AbstractPermissionService.class */
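/**
 * Validates permission requests against the resources and scopes of one resource server and
 * turns them into an encoded permission ticket.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Every requested resource and scope must resolve to an existing model object, otherwise the
 *       request is rejected with {@code 400 Bad Request}.</li>
 *   <li>The names written into the ticket come from the resolved model objects, not from the raw
 *       request strings.</li>
 *   <li>Claims supplied with the requests are copied into the ticket as they are; this class does
 *       not validate or filter them.</li>
 * </ul>
 */
public class AbstractPermissionService {
    private final AuthorizationProvider authorization;
    private final KeycloakIdentity identity;
    private final ResourceServer resourceServer;

    /**
     * @param keycloakIdentity identity of the caller asking for the ticket
     * @param resourceServer resource server whose resources and scopes requests are checked against
     * @param authorizationProvider gives access to the stores, the realm and the session
     */
    public AbstractPermissionService(KeycloakIdentity keycloakIdentity, ResourceServer resourceServer, AuthorizationProvider authorizationProvider) {
        this.identity = keycloakIdentity;
        this.resourceServer = resourceServer;
        this.authorization = authorizationProvider;
    }

    /**
     * Creates a permission ticket for the given requests.
     *
     * @param list permission requests; must be non-null, non-empty and free of null entries
     * @return a {@code 201 Created} response whose entity wraps the encoded ticket
     * @throws ErrorResponseException with {@code 400 Bad Request} when the list is null or empty,
     *     or when any request fails resource or scope validation
     */
    public Response create(List<PermissionRequest> list) {
        if (list == null || list.isEmpty()) {
            throw new ErrorResponseException("invalid_permission_request", "Invalid permission request.", Response.Status.BAD_REQUEST);
        }
        String ticket = createPermissionTicket(list);
        return Response.status(Response.Status.CREATED).entity(new PermissionResponse(ticket)).build();
    }

    /**
     * Resolves every request to the resources it refers to and builds one {@link Permission} per
     * resolved resource (or a single resource-less permission for scope-only requests).
     *
     * <p>The request's resource id is tried as an id first. If nothing matches, it is tried as a
     * name owned by the calling identity and, when the caller is not the resource server itself,
     * additionally through the two-argument name lookup. Both name matches are kept, so one
     * request can yield two permissions.
     * NOTE(review): which owner the two-argument {@code findByName} assumes is not visible in this
     * file - confirm against {@link ResourceStore}.
     *
     * @throws ErrorResponseException with {@code 400 Bad Request} for a null entry, an unknown
     *     resource, a request with neither resource nor scopes, or an invalid scope
     */
    private List<Permission> verifyRequestedResource(List<PermissionRequest> list) {
        ResourceStore resourceStore = this.authorization.getStoreFactory().getResourceStore();
        List<Permission> permissions = new ArrayList<>();
        for (PermissionRequest permissionRequest : list) {
            // A null element would otherwise surface as a NullPointerException on the
            // getResourceId() call below instead of as a client error.
            if (permissionRequest == null) {
                throw new ErrorResponseException("invalid_permission_request", "Invalid permission request.", Response.Status.BAD_REQUEST);
            }
            String resourceId = permissionRequest.getResourceId();
            List<Resource> resolved = new ArrayList<>();
            if (resourceId != null) {
                Resource byId = resourceStore.findById(this.resourceServer.getRealm(), this.resourceServer, resourceId);
                if (byId != null) {
                    resolved.add(byId);
                } else {
                    Resource ownedByCaller = resourceStore.findByName(this.resourceServer, resourceId, this.identity.getId());
                    if (ownedByCaller != null) {
                        resolved.add(ownedByCaller);
                    }
                    if (!this.identity.isResourceServer()) {
                        Resource byName = resourceStore.findByName(this.resourceServer, resourceId);
                        if (byName != null) {
                            resolved.add(byName);
                        }
                    }
                }
                if (resolved.isEmpty()) {
                    // NOTE(review): the message echoes the caller-supplied identifier; how
                    // ErrorResponseException renders it is not visible here - confirm it is
                    // encoded for the response format.
                    throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + resourceId + "] does not exists in this server.", Response.Status.BAD_REQUEST);
                }
            } else if (permissionRequest.getScopes() == null || permissionRequest.getScopes().isEmpty()) {
                throw new ErrorResponseException("invalid_resource_id", "Resource id or name not provided.", Response.Status.BAD_REQUEST);
            }
            if (resolved.isEmpty()) {
                // Scope-only request: the scopes are checked against the resource server as a whole.
                permissions.add(new Permission((String) null, verifyRequestedScopes(permissionRequest, null)));
            } else {
                for (Resource resource : resolved) {
                    permissions.add(new Permission(resource.getId(), verifyRequestedScopes(permissionRequest, resource)));
                }
            }
        }
        return permissions;
    }

    /**
     * Checks that every requested scope name resolves to a known scope and returns the resolved
     * names.
     *
     * @param permissionRequest request whose scopes are verified
     * @param resource resource the scopes must belong to, or {@code null} for a scope-only request
     * @return the names of the resolved scopes; empty when the request carries no scope set
     * @throws ErrorResponseException with {@code 400 Bad Request} for the first scope that cannot
     *     be resolved
     */
    private Set<String> verifyRequestedScopes(PermissionRequest permissionRequest, Resource resource) {
        Set<String> scopes = permissionRequest.getScopes();
        if (scopes == null) {
            return Collections.emptySet();
        }
        ResourceStore resourceStore = this.authorization.getStoreFactory().getResourceStore();
        return scopes.stream().map(scopeName -> {
            Scope scope = findScope(scopeName, resource, resourceStore);
            if (scope == null) {
                throw new ErrorResponseException("invalid_scope", "Scope [" + scopeName + "] is invalid", Response.Status.BAD_REQUEST);
            }
            // Return the stored name rather than the request string.
            return scope.getName();
        }).collect(Collectors.toSet());
    }

    /**
     * Looks up one scope by name; returns {@code null} when it cannot be resolved.
     *
     * <p>With a resource, the resource's own scopes are searched first. If that fails and the
     * resource has a type, the scopes of same-typed resources whose owner equals the resource
     * server's client id are searched. Without a resource, the scope store is queried for the
     * resource server.
     */
    private Scope findScope(String scopeName, Resource resource, ResourceStore resourceStore) {
        if (resource == null) {
            return this.authorization.getStoreFactory().getScopeStore().findByName(this.resourceServer, scopeName);
        }
        Scope match = resource.getScopes().stream()
                .filter(scope -> scope.getName().equals(scopeName))
                .findFirst()
                .orElse(null);
        if (match == null && resource.getType() != null) {
            match = resourceStore.findByType(this.resourceServer, resource.getType()).stream()
                    .filter(typed -> typed.getOwner().equals(this.resourceServer.getClientId()))
                    .flatMap(typed -> typed.getScopes().stream())
                    .filter(scope -> scope.getName().equals(scopeName))
                    .findFirst()
                    .orElse(null);
        }
        return match;
    }

    /**
     * Builds the ticket token from the verified permissions, attaches the merged request claims
     * and encodes it through the session's token manager.
     *
     * <p>Claims from all requests end up in a single map, so a later request overrides an earlier
     * one that uses the same claim name. The values are taken over as supplied; any policy that
     * consumes them has to treat them as caller-provided input.
     */
    private String createPermissionTicket(List<PermissionRequest> list) {
        // Validation runs first, so nothing below executes for a rejected request.
        List<Permission> permissions = verifyRequestedResource(list);
        String realmIssuer = Urls.realmIssuer(this.authorization.getKeycloakSession().getContext().getUri().getBaseUri(), this.authorization.getRealm().getName());
        PermissionTicketToken ticket = new PermissionTicketToken(permissions, realmIssuer, this.identity.getAccessToken());
        Map<String, List<String>> mergedClaims = new HashMap<>();
        for (PermissionRequest permissionRequest : list) {
            Map<String, List<String>> claims = permissionRequest.getClaims();
            if (claims != null) {
                mergedClaims.putAll(claims);
            }
        }
        if (!mergedClaims.isEmpty()) {
            ticket.setClaims(mergedClaims);
        }
        return this.authorization.getKeycloakSession().tokens().encode(ticket);
    }
}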
