package org.keycloak.services.clientpolicy.condition;

import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import org.jboss.logging.Logger;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.representations.idm.ClientPolicyConditionConfigurationRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.ClientPolicyVote;
import org.keycloak.services.clientpolicy.context.AdminClientRegisterContext;
import org.keycloak.services.clientpolicy.context.AdminClientUpdateContext;
import org.keycloak.services.clientpolicy.context.ClientCRUDContext;
import org.keycloak.services.clientpolicy.context.DynamicClientRegisterContext;
import org.keycloak.services.clientpolicy.context.DynamicClientUpdateContext;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.userprofile.DeclarativeUserProfileProvider;

/* loaded from: input_file:org/keycloak/services/clientpolicy/condition/ClientUpdaterSourceRolesCondition.class */
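/**
 * Client policy condition that votes on whether the actor registering or updating a client
 * holds at least one of the configured roles.
 *
 * <p>For admin contexts the actor is the authenticated user carried by the context; for dynamic
 * registration contexts the actor is the user whose id equals the subject of the context's token.
 *
 * <p>NOTE(review): this class only looks the token subject up as a user id; it does not validate
 * the token. It presumably relies on validation done before the context was built. Confirm upstream.
 *
 * <p>NOTE(review): every "cannot decide" case here (no token, no subject, unknown user, no roles
 * configured) yields {@link ClientPolicyVote#NO}. How a NO vote affects enforcement of the
 * enclosing policy is decided by the caller and is not visible here. Confirm that an actor that
 * cannot be resolved cannot thereby avoid a restrictive policy.
 */
public class ClientUpdaterSourceRolesCondition extends AbstractClientPolicyConditionProvider<Configuration> {
    private static final Logger logger = Logger.getLogger(ClientUpdaterSourceRolesCondition.class);

    /** Configuration of the condition: the role names, any one of which makes the condition match. */
    public static class Configuration extends ClientPolicyConditionConfigurationRepresentation {
        // Role names to match against; null is treated as "never matches" by the condition.
        protected List<String> roles;

        /**
         * @return the configured role names, or {@code null} when none were set
         */
        public List<String> getRoles() {
            return this.roles;
        }

        /**
         * @param list the role names to match against; stored by reference, not copied
         */
        public void setRoles(List<String> list) {
            this.roles = list;
        }
    }

    /**
     * @param keycloakSession session used to resolve the realm and to look users up
     */
    public ClientUpdaterSourceRolesCondition(KeycloakSession keycloakSession) {
        super(keycloakSession);
    }

    /**
     * @return the class the condition's configuration is bound to
     */
    public Class<Configuration> getConditionConfigurationClass() {
        return Configuration.class;
    }

    /**
     * @return the provider id declared by {@link ClientUpdaterSourceRolesConditionFactory}
     */
    public String getProviderId() {
        return ClientUpdaterSourceRolesConditionFactory.PROVIDER_ID;
    }

    /**
     * Evaluates the condition for client registration and client update events.
     *
     * @param clientPolicyContext the context of the event being evaluated
     * @return {@code YES} when the actor holds one of the configured roles, {@code NO} when it does
     *     not or cannot be resolved, {@code ABSTAIN} for any event other than REGISTER and UPDATE
     * @throws ClientPolicyException when a REGISTER or UPDATE event arrives with a context type
     *     that is neither the admin nor the dynamic variant for that event
     */
    public ClientPolicyVote applyPolicy(ClientPolicyContext clientPolicyContext) throws ClientPolicyException {
        // Switch on the enum itself. The decompiled form went through a synthetic ordinal table
        // and used unrelated constants (a user-profile priority, a DPoP clock skew) as case
        // labels, which would silently re-route events if either constant ever changed.
        switch (clientPolicyContext.getEvent()) {
            case REGISTER:
                if (clientPolicyContext instanceof AdminClientRegisterContext) {
                    return getVoteForRolesMatched(((ClientCRUDContext) clientPolicyContext).getAuthenticatedUser());
                }
                if (clientPolicyContext instanceof DynamicClientRegisterContext) {
                    return getVoteForRolesMatched(((ClientCRUDContext) clientPolicyContext).getToken());
                }
                // Reject rather than guess an actor for a context type this condition does not know.
                throw new ClientPolicyException("server_error", "unexpected context type.");
            case UPDATE:
                if (clientPolicyContext instanceof AdminClientUpdateContext) {
                    return getVoteForRolesMatched(((ClientCRUDContext) clientPolicyContext).getAuthenticatedUser());
                }
                if (clientPolicyContext instanceof DynamicClientUpdateContext) {
                    return getVoteForRolesMatched(((ClientCRUDContext) clientPolicyContext).getToken());
                }
                throw new ClientPolicyException("server_error", "unexpected context type.");
            default:
                return ClientPolicyVote.ABSTAIN;
        }
    }

    /** Votes YES when the given user holds one of the configured roles, NO otherwise (including null). */
    private ClientPolicyVote getVoteForRolesMatched(UserModel user) {
        return isRolesMatched(user) ? ClientPolicyVote.YES : ClientPolicyVote.NO;
    }

    /** Votes YES when the user named by the token's subject holds one of the configured roles. */
    private ClientPolicyVote getVoteForRolesMatched(JsonWebToken token) {
        // A missing token is a NO vote, not an error.
        if (token == null) {
            return ClientPolicyVote.NO;
        }
        return isRoleMatched(token.getSubject()) ? ClientPolicyVote.YES : ClientPolicyVote.NO;
    }

    /** Resolves {@code userId} in the current realm and checks that user's roles; null id never matches. */
    private boolean isRoleMatched(String userId) {
        if (userId == null) {
            return false;
        }
        RealmModel realm = this.session.getContext().getRealm();
        // An id that resolves to no user is handled by the null check in isRolesMatched.
        return isRolesMatched(this.session.users().getUserById(realm, userId));
    }

    /**
     * Checks whether {@code user} holds at least one configured role.
     *
     * @return {@code false} when the user is null, when no roles are configured, or when none of
     *     the configured names resolves to a role the user has
     */
    private boolean isRolesMatched(UserModel user) {
        if (user == null) {
            return false;
        }
        Set<String> expectedRoles = instantiateRolesForMatching();
        if (expectedRoles == null) {
            return false;
        }
        if (logger.isTraceEnabled()) {
            // Trace output lists the actor's role names; treat logs at this level as sensitive.
            Set<String> userRoleNames = user.getRoleMappingsStream().map(RoleModel::getName).collect(Collectors.toSet());
            userRoleNames.forEach(name -> logger.tracev("user role = {0}", name));
            expectedRoles.forEach(name -> logger.tracev("roles expected = {0}", name));
        }
        RealmModel realm = this.session.getContext().getRealm();
        for (String roleName : expectedRoles) {
            RoleModel role = KeycloakModelUtils.getRoleFromString(realm, roleName);
            // A configured name that resolves to no role is skipped silently, so a misspelled
            // role name never matches and is not reported.
            if (role != null && user.hasRole(role)) {
                return true;
            }
        }
        return false;
    }

    /**
     * @return the configured role names as a de-duplicated set, or {@code null} when the
     *     configuration holds no role list
     */
    private Set<String> instantiateRolesForMatching() {
        List<String> roles = ((Configuration) this.configuration).getRoles();
        if (roles == null) {
            return null;
        }
        return new HashSet<>(roles);
    }
}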
