package org.keycloak.authorization.protection.permission;

import java.util.EnumMap;
import java.util.Map;
import java.util.stream.Collectors;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.common.KeycloakIdentity;
import org.keycloak.authorization.model.PermissionTicket;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.PermissionTicketStore;
import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.representations.idm.authorization.PermissionTicketRepresentation;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/authorization/protection/permission/PermissionTicketService.class */
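/**
 * Protection-API endpoint for UMA permission tickets of one {@link ResourceServer}.
 *
 * <p>Every store lookup is scoped to {@code resourceServer} (and its realm), so a ticket, resource or
 * scope id belonging to another resource server is simply "not found" here. Authorization is decided
 * per operation by comparing {@code identity.getId()} with the owner / requester recorded on the stored
 * objects, never with anything the client put into the request body:
 * <ul>
 *   <li>{@link #create}: resource owner only.</li>
 *   <li>{@link #update}: ticket owner or the resource server itself.</li>
 *   <li>{@link #delete}: ticket owner, ticket requester, or the resource server itself.</li>
 *   <li>{@link #find} / {@link #getPermissionCount}: no caller-based restriction in this class (see the
 *       review notes on those methods).</li>
 * </ul>
 */
public class PermissionTicketService {

    /** Page size applied by {@link #find} when the {@code max} query parameter is absent. */
    private static final int DEFAULT_MAX_RESULTS = 100;

    /** Offset handed to the store by {@link #find} when {@code first} is absent. */
    private static final int NO_FIRST_RESULT = -1;

    private final AuthorizationProvider authorization;
    private final KeycloakIdentity identity;
    private final ResourceServer resourceServer;

    /**
     * @param keycloakIdentity      the authenticated caller; all authorization checks compare its id
     *                              against stored owner/requester ids
     * @param resourceServer        the resource server whose tickets this endpoint manages
     * @param authorizationProvider access to the stores and the Keycloak session
     */
    public PermissionTicketService(KeycloakIdentity keycloakIdentity, ResourceServer resourceServer, AuthorizationProvider authorizationProvider) {
        this.identity = keycloakIdentity;
        this.resourceServer = resourceServer;
        this.authorization = authorizationProvider;
    }

    /**
     * Creates a permission ticket for (resource, scope, requester).
     *
     * <p>Order of checks: payload shape, resource exists, caller owns the resource, requester exists,
     * scope exists and belongs to the resource, no identical ticket yet. Because the ownership check
     * runs before the requester and scope lookups, a caller who does not own the resource cannot use
     * the error messages of this endpoint to probe which users or scopes exist.
     *
     * @param permissionTicketRepresentation client payload; must carry {@code resource}, a scope (id or
     *                                       name) and a requester (id or username) and no {@code id}
     * @return 200 with the created ticket
     * @throws ErrorResponseException 400 for an invalid payload, unknown requester/scope or duplicate
     *                                ticket; 403 when the caller is not the resource owner
     */
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    @Consumes({MediaType.APPLICATION_JSON})
    public Response create(PermissionTicketRepresentation permissionTicketRepresentation) {
        validateCreateRequest(permissionTicketRepresentation);

        Resource resource = requireOwnedResource(permissionTicketRepresentation.getResource());
        UserModel requester = requireRequester(permissionTicketRepresentation);
        Scope scope = requireScopeOf(resource, permissionTicketRepresentation);

        PermissionTicketStore ticketStore = this.authorization.getStoreFactory().getPermissionTicketStore();
        rejectDuplicate(ticketStore, resource, scope, requester);

        PermissionTicket ticket = ticketStore.create(this.resourceServer, resource, scope, requester.getId());
        if (permissionTicketRepresentation.isGranted()) {
            // Only the verified owner reaches this point, so honouring the client's "granted" flag here
            // does not let a requester grant itself access.
            ticket.setGrantedTimestamp(Long.valueOf(System.currentTimeMillis()));
        }
        return Response.ok(ModelToRepresentation.toRepresentation(ticket, this.authorization)).build();
    }

    /** Rejects a create payload that lacks a field a ticket needs, or that carries an id (HTTP 400). */
    private static void validateCreateRequest(PermissionTicketRepresentation rep) {
        if (rep == null) {
            throw new ErrorResponseException("invalid_request", "invalid_permission", Response.Status.BAD_REQUEST);
        }
        if (rep.getId() != null) {
            throw new ErrorResponseException("invalid_permission", "created permissions should not have id", Response.Status.BAD_REQUEST);
        }
        if (rep.getResource() == null) {
            throw new ErrorResponseException("invalid_permission", "created permissions should have resource", Response.Status.BAD_REQUEST);
        }
        if (rep.getScope() == null && rep.getScopeName() == null) {
            throw new ErrorResponseException("invalid_permission", "created permissions should have scope or scopeName", Response.Status.BAD_REQUEST);
        }
        if (rep.getRequester() == null && rep.getRequesterName() == null) {
            throw new ErrorResponseException("invalid_permission", "created permissions should have requester or requesterName", Response.Status.BAD_REQUEST);
        }
    }

    /**
     * Loads the resource by id within this resource server and verifies the caller is its owner.
     * Note that "resource does not exist" (400) is reported before ownership is checked (403), so the
     * existence of a resource id is disclosed to any caller of this endpoint.
     */
    private Resource requireOwnedResource(String resourceId) {
        Resource resource = this.authorization.getStoreFactory().getResourceStore().findById(this.resourceServer.getRealm(), this.resourceServer, resourceId);
        if (resource == null) {
            throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + resourceId + "] does not exists in this server.", Response.Status.BAD_REQUEST);
        }
        if (!callerIs(resource.getOwner())) {
            throw new ErrorResponseException("not_authorised", "permissions for [" + resourceId + "] can be only created by the owner", Response.Status.FORBIDDEN);
        }
        return resource;
    }

    /** Resolves the requester by user id, or by username when only {@code requesterName} was sent (400 if unknown). */
    private UserModel requireRequester(PermissionTicketRepresentation rep) {
        UserProvider users = this.authorization.getKeycloakSession().users();
        RealmModel realm = this.authorization.getRealm();
        UserModel user = rep.getRequester() != null
                ? users.getUserById(realm, rep.getRequester())
                : users.getUserByUsername(realm, rep.getRequesterName());
        if (user == null) {
            throw new ErrorResponseException("invalid_permission", "Requester does not exists in this server as user.", Response.Status.BAD_REQUEST);
        }
        return user;
    }

    /**
     * Resolves the scope ({@code scopeName} takes precedence over {@code scope}) and checks the resource
     * actually carries it; both failures are 400.
     */
    private Scope requireScopeOf(Resource resource, PermissionTicketRepresentation rep) {
        ScopeStore scopeStore = this.authorization.getStoreFactory().getScopeStore();
        Scope scope = rep.getScopeName() != null
                ? scopeStore.findByName(this.resourceServer, rep.getScopeName())
                : scopeStore.findById(this.resourceServer.getRealm(), this.resourceServer, rep.getScope());
        if (scope == null) {
            // Echo back whichever identifier the client sent; the id is reported when both were given.
            String requested = rep.getScope() != null ? rep.getScope() : rep.getScopeName();
            throw new ErrorResponseException("invalid_scope", "Scope [" + requested + "] is invalid", Response.Status.BAD_REQUEST);
        }
        if (!resource.getScopes().contains(scope)) {
            throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + rep.getResource() + "] does not have Scope [" + scope.getName() + "]", Response.Status.BAD_REQUEST);
        }
        return scope;
    }

    /** Refuses a second ticket for the same (resource, scope, requester) triple (HTTP 400). */
    private void rejectDuplicate(PermissionTicketStore ticketStore, Resource resource, Scope scope, UserModel requester) {
        Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
        filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
        filters.put(PermissionTicket.FilterOption.SCOPE_ID, scope.getId());
        filters.put(PermissionTicket.FilterOption.REQUESTER, requester.getId());
        if (!ticketStore.find(this.resourceServer.getRealm(), this.resourceServer, filters, (Integer) null, (Integer) null).isEmpty()) {
            throw new ErrorResponseException("invalid_permission", "Permission already exists", Response.Status.BAD_REQUEST);
        }
    }

    /**
     * Applies a client-supplied representation to an existing ticket.
     *
     * <p>The authorization decision is made on the <em>stored</em> ticket's owner, not on any owner
     * field in the payload. A missing/unknown ticket id and a malformed payload both yield the same
     * {@code invalid_ticket} 400.
     *
     * @param permissionTicketRepresentation payload; {@code id} is mandatory
     * @return 204 on success
     * @throws ErrorResponseException 400 when the payload or id is invalid; 403 when the caller is
     *                                neither the ticket owner nor the resource server
     */
    @PUT
    @Consumes({MediaType.APPLICATION_JSON})
    public Response update(PermissionTicketRepresentation permissionTicketRepresentation) {
        if (permissionTicketRepresentation == null || permissionTicketRepresentation.getId() == null) {
            throw new ErrorResponseException("invalid_request", "invalid_ticket", Response.Status.BAD_REQUEST);
        }
        PermissionTicket ticket = this.authorization.getStoreFactory().getPermissionTicketStore().findById(this.resourceServer.getRealm(), this.resourceServer, permissionTicketRepresentation.getId());
        if (ticket == null) {
            throw new ErrorResponseException("invalid_request", "invalid_ticket", Response.Status.BAD_REQUEST);
        }
        if (!callerIs(ticket.getOwner()) && !this.identity.isResourceServer()) {
            throw new ErrorResponseException("not_authorised", "permissions for [" + permissionTicketRepresentation.getResource() + "] can be updated only by the owner or by the resource server", Response.Status.FORBIDDEN);
        }
        // NOTE(review): which fields toModel copies from the client payload is not visible here; confirm
        // it cannot re-point the ticket at a different resource, scope or requester than the one checked above.
        RepresentationToModel.toModel(permissionTicketRepresentation, this.resourceServer, this.authorization);
        return Response.noContent().build();
    }

    /**
     * Deletes a ticket. The requester is allowed to delete as well, i.e. withdraw its own request.
     *
     * @param id ticket id from the path
     * @return 204 on success
     * @throws ErrorResponseException 400 for a missing/unknown id; 403 when the caller is neither the
     *                                ticket owner, nor its requester, nor the resource server
     */
    @Path("{id}")
    @Consumes({MediaType.APPLICATION_JSON})
    @DELETE
    public Response delete(@PathParam("id") String id) {
        if (id == null) {
            throw new ErrorResponseException("invalid_request", "invalid_ticket", Response.Status.BAD_REQUEST);
        }
        PermissionTicketStore ticketStore = this.authorization.getStoreFactory().getPermissionTicketStore();
        PermissionTicket ticket = ticketStore.findById(this.resourceServer.getRealm(), this.resourceServer, id);
        if (ticket == null) {
            throw new ErrorResponseException("invalid_request", "invalid_ticket", Response.Status.BAD_REQUEST);
        }
        boolean allowed = callerIs(ticket.getOwner())
                || this.identity.isResourceServer()
                || callerIs(ticket.getRequester());
        if (!allowed) {
            throw new ErrorResponseException("not_authorised", "permissions for [" + ticket.getResource() + "] can be deleted only by the owner, the requester, or the resource server", Response.Status.FORBIDDEN);
        }
        ticketStore.delete(this.resourceServer.getRealm(), id);
        return Response.noContent().build();
    }

    /**
     * Lists tickets of this resource server matching the optional query filters.
     *
     * <p>NOTE(review): only the query parameters narrow the result set; nothing in this class limits
     * a caller to tickets it owns or requested, and {@code max} has no upper bound. Unless the layer
     * that instantiates this service restricts who may reach it, any principal accepted for this
     * resource server can enumerate every ticket (owner, requester, resource, scope) — confirm.
     *
     * @param scopeId     scope id or name; a value matching neither is passed to the store as-is
     * @param resourceId  resource id
     * @param owner       user id or username of the owner
     * @param requester   user id or username of the requester
     * @param granted     filter on granted state
     * @param returnNames when true, representations carry names in addition to ids
     * @param first       offset, defaults to {@value #NO_FIRST_RESULT}
     * @param max         page size, defaults to {@value #DEFAULT_MAX_RESULTS}
     * @return 200 with the JSON list of matching tickets
     */
    @GET
    @Produces({MediaType.APPLICATION_JSON})
    public Response find(@QueryParam("scopeId") String scopeId, @QueryParam("resourceId") String resourceId, @QueryParam("owner") String owner, @QueryParam("requester") String requester, @QueryParam("granted") Boolean granted, @QueryParam("returnNames") Boolean returnNames, @QueryParam("first") Integer first, @QueryParam("max") Integer max) {
        StoreFactory storeFactory = this.authorization.getStoreFactory();
        Map<PermissionTicket.FilterOption, String> filters = getFilters(storeFactory, resourceId, scopeId, owner, requester, granted);
        int offset = first != null ? first.intValue() : NO_FIRST_RESULT;
        int pageSize = max != null ? max.intValue() : DEFAULT_MAX_RESULTS;
        boolean withNames = returnNames != null && returnNames.booleanValue();
        return Response.ok()
                .entity(storeFactory.getPermissionTicketStore()
                        .find(this.resourceServer.getRealm(), this.resourceServer, filters, Integer.valueOf(offset), Integer.valueOf(pageSize))
                        .stream()
                        .map(ticket -> ModelToRepresentation.toRepresentation(ticket, this.authorization, withNames))
                        .collect(Collectors.toList()))
                .build();
    }

    /**
     * Counts tickets matching the same filters as {@link #find}; {@code returnNames} is accepted for
     * symmetry but has no effect on a count. Same caller-scoping caveat as {@link #find}.
     *
     * @return 200 with the count as a JSON number
     */
    @GET
    @Produces({MediaType.APPLICATION_JSON})
    @Path("/count")
    public Response getPermissionCount(@QueryParam("scopeId") String scopeId, @QueryParam("resourceId") String resourceId, @QueryParam("owner") String owner, @QueryParam("requester") String requester, @QueryParam("granted") Boolean granted, @QueryParam("returnNames") Boolean returnNames) {
        StoreFactory storeFactory = this.authorization.getStoreFactory();
        Map<PermissionTicket.FilterOption, String> filters = getFilters(storeFactory, resourceId, scopeId, owner, requester, granted);
        return Response.ok().entity(Long.valueOf(storeFactory.getPermissionTicketStore().count(this.resourceServer, filters))).build();
    }

    /**
     * Builds the store filter map from the optional query parameters. Scope accepts an id or a name;
     * owner and requester accept a user id or a username. A value that resolves to nothing is passed
     * through unchanged, so the store simply matches no ticket for it.
     */
    private Map<PermissionTicket.FilterOption, String> getFilters(StoreFactory storeFactory, String resourceId, String scopeIdOrName, String owner, String requester, Boolean granted) {
        Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
        if (resourceId != null) {
            filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resourceId);
        }
        if (scopeIdOrName != null) {
            ScopeStore scopeStore = storeFactory.getScopeStore();
            Scope scope = scopeStore.findById(this.resourceServer.getRealm(), this.resourceServer, scopeIdOrName);
            if (scope == null) {
                scope = scopeStore.findByName(this.resourceServer, scopeIdOrName);
            }
            filters.put(PermissionTicket.FilterOption.SCOPE_ID, scope != null ? scope.getId() : scopeIdOrName);
        }
        if (owner != null) {
            filters.put(PermissionTicket.FilterOption.OWNER, getUserId(owner));
        }
        if (requester != null) {
            filters.put(PermissionTicket.FilterOption.REQUESTER, getUserId(requester));
        }
        if (granted != null) {
            filters.put(PermissionTicket.FilterOption.GRANTED, granted.toString());
        }
        return filters;
    }

    /** Maps a user id or username to the user id; returns the input unchanged when no user matches. */
    private String getUserId(String idOrUsername) {
        UserProvider users = this.authorization.getKeycloakSession().users();
        RealmModel realm = this.authorization.getRealm();
        UserModel byId = users.getUserById(realm, idOrUsername);
        if (byId != null) {
            return byId.getId();
        }
        UserModel byName = users.getUserByUsername(realm, idOrUsername);
        return byName != null ? byName.getId() : idOrUsername;
    }

    /** True when {@code subject} is the authenticated caller's id; null-safe so a missing owner/requester denies rather than throws. */
    private boolean callerIs(String subject) {
        return subject != null && subject.equals(this.identity.getId());
    }
}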
