package org.keycloak.authorization.policy.evaluation;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.keycloak.OAuth2Constants;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.Decision;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.Result;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Permission;

/* loaded from: input_file:WEB-INF/lib/keycloak-server-spi-private-20.0.3.jar:org/keycloak/authorization/policy/evaluation/DecisionPermissionCollector.class */
/**
 * Decision collector that converts completed policy-evaluation results into the
 * {@link Permission}s to grant.
 *
 * <p>Every {@link Result} passed to {@link #onComplete(Result)} is reduced to a set of granted
 * scopes. Matching permissions accumulate in insertion order and are read back through
 * {@link #results()}. Subclasses can observe each created permission via
 * {@link #onGrant(Permission)} or replace the grant step by overriding {@code grantPermission}.
 */
public class DecisionPermissionCollector extends AbstractDecisionCollector {
    private final AuthorizationProvider authorizationProvider;
    private final ResourceServer resourceServer;
    private final AuthorizationRequest request;
    // Granted permissions; a LinkedHashSet keeps them in the order they were added.
    private final Set<Permission> permissions = new LinkedHashSet<>();

    /**
     * Creates a collector bound to one resource server and one authorization request.
     *
     * @param authorizationProvider provider used to reach the resource store when granting
     * @param resourceServer resource server whose decision strategy and client id are consulted
     * @param authorizationRequest request whose metadata shapes the created permissions; it is
     *     null-checked before use in this class
     */
    public DecisionPermissionCollector(AuthorizationProvider authorizationProvider, ResourceServer resourceServer, AuthorizationRequest authorizationRequest) {
        this.authorizationProvider = authorizationProvider;
        this.resourceServer = resourceServer;
        this.request = authorizationRequest;
    }

    /**
     * Decides which scopes, if any, to grant for one evaluated permission.
     *
     * <p>An overall PERMIT grants the requested scopes directly. Any other effect is resolved
     * policy by policy: scopes covered by granting policies are collected, scopes covered by
     * non-granting policies are subtracted, and the remainder is granted unless one of the
     * guard conditions at the end returns early.
     *
     * @param result the evaluation result for a single resource permission
     */
    @Override
    public void onComplete(Result result) {
        ResourcePermission permission = result.getPermission();
        Resource resource = permission.getResource();
        Collection<Scope> requestedScopes = permission.getScopes();

        if (Decision.Effect.PERMIT.equals(result.getEffect())) {
            // Nothing is granted when no scope was requested but the resource defines scopes.
            // NOTE(review): resource is dereferenced here without a null check, while other
            // paths in this class treat it as nullable; confirm a scope-less PERMIT always
            // carries a resource.
            boolean grantable = !permission.getScopes().isEmpty() || resource.getScopes().isEmpty();
            if (grantable) {
                grantPermission(this.authorizationProvider, this.permissions, permission, requestedScopes, this.resourceServer, this.request, result);
            }
            return;
        }

        Set<Scope> grantedScopes = new HashSet<>();
        Set<Scope> deniedScopes = new HashSet<>();
        Collection<Result.PolicyResult> umaGrants = new ArrayList<>();
        boolean resourceGranted = false;
        boolean anyDeny = false;

        for (Result.PolicyResult policyResult : result.getResults()) {
            Policy policy = policyResult.getPolicy();
            Set<Scope> policyScopes = policy.getScopes();
            Set<Resource> policyResources = policy.getResources();
            boolean policyListsResource = policyResources.contains(resource);

            if (isGranted(policyResult)) {
                if (isScopePermission(policy)) {
                    // A granting scope permission covers only the requested scopes it lists.
                    for (Scope requested : requestedScopes) {
                        if (policyScopes.contains(requested)) {
                            grantedScopes.add(requested);
                            // A scope the resource does not define is dropped from the denials.
                            if (resource != null && !resource.getScopes().contains(requested)) {
                                deniedScopes.remove(requested);
                            }
                        }
                    }
                } else if (isResourcePermission(policy)) {
                    // A granting resource permission covers every requested scope.
                    grantedScopes.addAll(requestedScopes);
                } else if (resource != null && resource.isOwnerManagedAccess() && "uma".equals(policy.getType())) {
                    // Set aside; these are merged after the deny subtraction below.
                    umaGrants.add(policyResult);
                }
                // One-way latch: once a policy grants the resource itself it stays granted.
                if (!resourceGranted) {
                    resourceGranted = isGrantingAccessToResource(resource, policy) && policyListsResource;
                }
            } else {
                if (isResourcePermission(policy)) {
                    // Skipped only when the policy does not list this resource and an earlier
                    // policy in iteration order has already granted the resource.
                    if (policyListsResource || !resourceGranted) {
                        deniedScopes.addAll(requestedScopes);
                    }
                } else if (policyListsResource || policyResources.isEmpty()) {
                    deniedScopes.addAll(policyScopes);
                }
                anyDeny = true;
            }
        }

        // AFFIRMATIVE lets a grant cancel a denial of the same scope; the subtraction that
        // follows then removes whatever denials remain.
        if (DecisionStrategy.AFFIRMATIVE.equals(this.resourceServer.getDecisionStrategy())) {
            deniedScopes.removeAll(grantedScopes);
        }
        grantedScopes.removeAll(deniedScopes);

        if (!umaGrants.isEmpty()) {
            // These scopes are added after the subtraction above, so deniedScopes does not
            // reduce them; they are narrowed only to the requested scopes, when any were given.
            for (Result.PolicyResult umaGrant : umaGrants) {
                Set<Scope> umaScopes = new HashSet<>(umaGrant.getPolicy().getScopes());
                if (!requestedScopes.isEmpty()) {
                    umaScopes.retainAll(requestedScopes);
                }
                grantedScopes.addAll(umaScopes);
            }
            if (grantedScopes.isEmpty() && !resource.getScopes().isEmpty()) {
                return;
            }
            // Clearing the flag disables the final deny guard for this result.
            anyDeny = false;
        } else if (!resourceGranted && grantedScopes.isEmpty() && !requestedScopes.isEmpty()) {
            return;
        }

        if (anyDeny && grantedScopes.isEmpty()) {
            return;
        }
        grantPermission(this.authorizationProvider, this.permissions, permission, grantedScopes, this.resourceServer, this.request, result);
    }

    /**
     * Tells whether a granting policy counts as granting the resource itself.
     *
     * @return {@code true} for any policy that is not a scope permission; for a scope permission,
     *     {@code true} only when the resource is non-null and its owner differs from the
     *     resource server's client id
     */
    private boolean isGrantingAccessToResource(Resource resource, Policy policy) {
        if (!isScopePermission(policy)) {
            return true;
        }
        return resource != null && !resource.getOwner().equals(this.resourceServer.getClientId());
    }

    /**
     * Returns the permissions granted so far.
     *
     * @return the collector's internal set itself, not a copy
     */
    public Collection<Permission> results() {
        return this.permissions;
    }

    /**
     * Rethrows an evaluation failure as an unchecked exception, keeping the cause.
     *
     * @throws RuntimeException always
     */
    @Override
    public void onError(Throwable th) {
        throw new RuntimeException("Failed to evaluate permissions", th);
    }

    /**
     * Adds the permission(s) for the given scopes to {@code set}.
     *
     * <p>With a resource on the permission, a single permission for that resource is added.
     * Without one, nothing is added when {@code collection} is empty; otherwise the resource
     * store is queried by scope and a resource-less permission is added.
     *
     * @param authorizationProvider provider giving access to the resource store
     * @param set destination set, mutated in place
     * @param resourcePermission permission under evaluation; supplies the resource and claims
     * @param collection scopes to grant
     * @param resourceServer resource server used for the scope lookup
     * @param authorizationRequest request passed on to permission creation
     * @param result evaluation result; not read by this implementation
     */
    protected void grantPermission(AuthorizationProvider authorizationProvider, Set<Permission> set, ResourcePermission resourcePermission, Collection<Scope> collection, ResourceServer resourceServer, AuthorizationRequest authorizationRequest, Result result) {
        Set<String> scopeNames = collection.stream().map(Scope::getName).collect(Collectors.toSet());
        Resource resource = resourcePermission.getResource();

        if (resource != null) {
            set.add(createPermission(resource, scopeNames, resourcePermission.getClaims(), authorizationRequest));
        } else if (!collection.isEmpty()) {
            // NOTE(review): the callback ignores the resource it receives and passes the outer
            // `resource`, which is always null in this branch, so every match produces a
            // resource-less permission; confirm this is intended.
            authorizationProvider.getStoreFactory().getResourceStore().findByScopes(resourceServer, new HashSet<>(collection),
                    matched -> set.add(createPermission(resource, scopeNames, resourcePermission.getClaims(), authorizationRequest)));
            set.add(createPermission(null, scopeNames, resourcePermission.getClaims(), authorizationRequest));
        }
    }

    /**
     * Builds a {@link Permission} and reports it to {@link #onGrant(Permission)}.
     *
     * <p>The resource name is included unless the request carries metadata whose
     * include-resource-name flag is false. A null resource yields a permission with neither
     * id nor name.
     */
    private Permission createPermission(Resource resource, Set<String> set, Map<String, Set<String>> map, AuthorizationRequest authorizationRequest) {
        AuthorizationRequest.Metadata metadata = authorizationRequest != null ? authorizationRequest.getMetadata() : null;

        Permission permission;
        if (resource == null) {
            permission = new Permission(null, null, set, map);
        } else {
            permission = new Permission(resource.getId(), (metadata == null || metadata.getIncludeResourceName().booleanValue()) ? resource.getName() : null, set, map);
        }
        onGrant(permission);
        return permission;
    }

    /**
     * Hook called for every permission created by this collector; does nothing here.
     *
     * @param permission the permission that was just created
     */
    protected void onGrant(Permission permission) {
    }

    /** Returns whether the policy's type equals {@link OAuth2Constants#RESOURCE}. */
    private static boolean isResourcePermission(Policy policy) {
        return OAuth2Constants.RESOURCE.equals(policy.getType());
    }

    /** Returns whether the policy's type is {@code "scope"}. */
    private static boolean isScopePermission(Policy policy) {
        return "scope".equals(policy.getType());
    }
}
