package org.keycloak.authorization.policy.evaluation;

import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.Decision;
import org.keycloak.authorization.identity.Identity;
import org.keycloak.authorization.model.PermissionTicket;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.PermissionTicketToken;

/* loaded from: input_file:org/keycloak/authorization/policy/evaluation/PermissionTicketAwareDecisionResultCollector.class */
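/**
 * Decision collector that keeps a {@link PermissionTicketToken} in sync with the outcome of a
 * policy evaluation and, for submit requests, records access requests as permission tickets.
 *
 * <p>Behaviour visible in this class:
 * <ul>
 *   <li>On every {@code PERMIT} decision whose parent policy has type {@code "uma"}, the scopes
 *       covered by that policy are removed from the matching ticket entry; an entry left with no
 *       scopes is removed from the ticket. The token passed to the constructor is mutated in
 *       place.</li>
 *   <li>When evaluation completes and the request is a submit request, a permission ticket is
 *       created for each resource/scope still listed in the token, but only for resources with
 *       owner-managed access whose owner is neither the requesting identity nor the resource
 *       server.</li>
 * </ul>
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Resource ids and scope names are read from the ticket, i.e. from request-supplied data.
 *       Every lookup is scoped to {@code resourceServer.getId()}; references that do not resolve
 *       are skipped.</li>
 *   <li>The "ticket already exists?" check and the subsequent {@code create} are two separate
 *       store calls with no locking visible here. NOTE(review): confirm that the store enforces
 *       uniqueness, otherwise concurrent submit requests may create duplicate tickets.</li>
 *   <li>NOTE(review): tickets created here are presumably pending until the resource owner
 *       approves them; that state is decided by the permission ticket store, not by this class.</li>
 * </ul>
 */
public class PermissionTicketAwareDecisionResultCollector extends DecisionResultCollector {
    private final AuthorizationRequest request;
    private final PermissionTicketToken ticket;
    private final Identity identity;
    private final ResourceServer resourceServer;
    private final AuthorizationProvider authorization;
    // Stays null until onComplete(List) has been invoked by the superclass.
    private List<Result> results;

    /**
     * @param authorizationRequest request being evaluated; only {@code isSubmitRequest()} is read here
     * @param permissionTicketToken ticket whose resource list is pruned as permissions are granted
     * @param identity requesting identity; its id is used as the ticket requester
     * @param resourceServer resource server that scopes every resource and scope lookup
     * @param authorizationProvider source of the resource, scope and permission ticket stores
     */
    public PermissionTicketAwareDecisionResultCollector(AuthorizationRequest authorizationRequest, PermissionTicketToken permissionTicketToken, Identity identity, ResourceServer resourceServer, AuthorizationProvider authorizationProvider) {
        this.request = authorizationRequest;
        this.ticket = permissionTicketToken;
        this.identity = identity;
        this.resourceServer = resourceServer;
        this.authorization = authorizationProvider;
    }

    /**
     * Records the decision through the superclass, then prunes the ticket of anything the
     * decision has just granted.
     */
    @Override
    public void onDecision(DefaultEvaluation defaultEvaluation) {
        super.onDecision(defaultEvaluation);
        removePermissionsIfGranted(defaultEvaluation);
    }

    /**
     * Removes from the ticket the scopes granted by a permitting {@code "uma"} policy.
     *
     * <p>Only entries whose resource id equals the evaluated permission's resource id are touched.
     * An entry that ends up with an empty scope set is dropped from the ticket, which also applies
     * to a matching entry that requested no scopes at all.
     */
    private void removePermissionsIfGranted(DefaultEvaluation defaultEvaluation) {
        if (!Decision.Effect.PERMIT.equals(defaultEvaluation.getEffect())) {
            return;
        }
        Policy parentPolicy = defaultEvaluation.getParentPolicy();
        if (!"uma".equals(parentPolicy.getType())) {
            return;
        }
        ResourcePermission permission = defaultEvaluation.getPermission();
        List<PermissionTicketToken.ResourcePermission> requested = this.ticket.getResources();
        if (requested == null) {
            // onComplete() treats a null resource list as "nothing requested"; do the same here
            // instead of failing with a NullPointerException in the middle of an evaluation.
            return;
        }
        Iterator<PermissionTicketToken.ResourcePermission> entries = requested.iterator();
        while (entries.hasNext()) {
            PermissionTicketToken.ResourcePermission entry = entries.next();
            if (!entry.getResourceId().equals(permission.getResource().getId())) {
                continue;
            }
            ScopeStore scopeStore = this.authorization.getStoreFactory().getScopeStore();
            Set<String> scopes = entry.getScopes();
            // A scope name that does not resolve yields null from the store; it is then kept in
            // the ticket unless the policy's scope collection itself contains null.
            scopes.removeIf(scopeName ->
                    parentPolicy.getScopes().contains(scopeStore.findByName(scopeName, this.resourceServer.getId())));
            if (scopes.isEmpty()) {
                entries.remove();
            }
        }
    }

    /**
     * Completes the evaluation and, for submit requests, creates a permission ticket for every
     * resource/scope still present in the token.
     *
     * <p>Tickets are only created for resources that have owner-managed access enabled and whose
     * owner is neither the requesting identity nor the resource server. When the entry names no
     * scopes, the resource's own scopes are used; if the resource has none either, a single
     * ticket without a scope is created. Scope references that resolve neither by name nor by id
     * are skipped.
     */
    @Override
    public void onComplete() {
        super.onComplete();
        if (!this.request.isSubmitRequest()) {
            return;
        }
        ResourceStore resourceStore = this.authorization.getStoreFactory().getResourceStore();
        List<PermissionTicketToken.ResourcePermission> resources = this.ticket.getResources();
        if (resources == null) {
            return;
        }
        for (PermissionTicketToken.ResourcePermission entry : resources) {
            // The ticket may reference a resource by id or by name; try the id first.
            Resource resource = resourceStore.findById(entry.getResourceId(), this.resourceServer.getId());
            if (resource == null) {
                // NOTE(review): the name lookup is passed the requester's id as second argument,
                // presumably as the owner; confirm against ResourceStore.
                resource = resourceStore.findByName(entry.getResourceId(), this.identity.getId(), this.resourceServer.getId());
            }
            if (resource == null || !resource.isOwnerManagedAccess()) {
                continue;
            }
            // Owners and the resource server itself never need to request access.
            if (resource.getOwner().equals(this.identity.getId()) || resource.getOwner().equals(this.resourceServer.getId())) {
                continue;
            }
            Set<String> scopes = entry.getScopes();
            if (scopes.isEmpty()) {
                scopes = resource.getScopes().stream().map(Scope::getName).collect(Collectors.toSet());
            }
            if (scopes.isEmpty()) {
                createTicketIfAbsent(resource, null);
                continue;
            }
            ScopeStore scopeStore = this.authorization.getStoreFactory().getScopeStore();
            for (String scopeRef : scopes) {
                Scope scope = scopeStore.findByName(scopeRef, this.resourceServer.getId());
                if (scope == null) {
                    scope = scopeStore.findById(scopeRef, this.resourceServer.getId());
                }
                if (scope == null) {
                    // The reference comes from the ticket and may not exist on this resource
                    // server. Skip it: dereferencing it would abort the whole completion with a
                    // NullPointerException and leave the remaining entries unprocessed.
                    continue;
                }
                createTicketIfAbsent(resource, scope);
            }
        }
    }

    /**
     * Creates a permission ticket for the requesting identity unless the store already holds one
     * for the same resource, requester and scope.
     *
     * @param resource resource the ticket refers to
     * @param scope scope being requested, or {@code null} for a ticket without a scope
     */
    private void createTicketIfAbsent(Resource resource, Scope scope) {
        HashMap<String, String> filters = new HashMap<>();
        filters.put(PermissionTicket.RESOURCE, resource.getId());
        filters.put(PermissionTicket.REQUESTER, this.identity.getId());
        String scopeId;
        if (scope == null) {
            scopeId = null;
            filters.put(PermissionTicket.SCOPE_IS_NULL, Boolean.TRUE.toString());
        } else {
            scopeId = scope.getId();
            filters.put(PermissionTicket.SCOPE, scopeId);
        }
        // -1/-1 are passed as first result and max results, as in the original code.
        if (this.authorization.getStoreFactory().getPermissionTicketStore().find(filters, resource.getResourceServer().getId(), -1, -1).isEmpty()) {
            this.authorization.getStoreFactory().getPermissionTicketStore().create(resource.getId(), scopeId, this.identity.getId(), resource.getResourceServer());
        }
    }

    /**
     * Stores the evaluation results handed over by the superclass so that {@link #results()} can
     * return them.
     */
    @Override
    protected void onComplete(List<Result> list) {
        this.results = list;
    }

    /**
     * Returns the results captured by {@link #onComplete(List)}, or {@code null} if that callback
     * has not run yet.
     */
    public List<Result> results() {
        return this.results;
    }
}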
