package org.keycloak.authorization;

import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelValidationException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.AuthorizationSchema;
import org.keycloak.representations.idm.authorization.ResourceType;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;

/* loaded from: input_file:org/keycloak/authorization/AdminPermissionsSchema.class */
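/**
 * Authorization schema for the realm's admin-permissions client.
 *
 * <p>The schema declares a single resource type, {@code "Users"}, with the single scope
 * {@code "manage"}. The restrictions enforced here apply only when the realm has admin
 * permissions enabled and the resource server is the realm's admin-permissions client
 * (see {@link #supportsAuthorizationSchema}); for every other resource server the
 * validating methods are pass-through.
 */
public class AdminPermissionsSchema extends AuthorizationSchema {
    public static final String USERS_RESOURCE_TYPE = "Users";
    public static final ResourceType USERS = new ResourceType(USERS_RESOURCE_TYPE, Set.of("manage"));
    public static final AdminPermissionsSchema SCHEMA = new AdminPermissionsSchema();

    // Singleton: use SCHEMA.
    private AdminPermissionsSchema() {
        super(Map.of(USERS_RESOURCE_TYPE, USERS));
    }

    /**
     * Returns the resource that represents the given object, creating it if it does not exist yet.
     *
     * @param session the current session
     * @param resourceServer the resource server that owns the resource
     * @param type the resource type; only the {@code Users} type is mapped
     * @param id identifier of the object; for users, a user id or a username
     * @return the resource, or {@code null} when the schema does not apply to {@code resourceServer}
     * @throws IllegalStateException if the type is not mapped or the object cannot be resolved
     */
    public Resource getOrCreateResource(KeycloakSession session, ResourceServer resourceServer, String type, String id) {
        if (!supportsAuthorizationSchema(session, resourceServer)) {
            return null;
        }
        String resourceName = null;
        if (USERS.getType().equals(type)) {
            resourceName = resolveUser(session, id);
        }
        if (resourceName == null) {
            throw new IllegalStateException("Could not map resource object with type [" + type + "] and id [" + id + "]");
        }
        return getOrCreateResource(session, resourceServer, resourceName);
    }

    /**
     * Tells whether a policy type may be used with the given resource server.
     *
     * <p>Only the {@code "resource"} type is rejected, and only when the schema applies.
     *
     * @param policyType the policy type; must not be {@code null} when the schema applies
     * @return {@code false} for {@code "resource"} on the admin-permissions client, {@code true} otherwise
     */
    public boolean isSupportedPolicyType(KeycloakSession session, ResourceServer resourceServer, String policyType) {
        return !(supportsAuthorizationSchema(session, resourceServer) && policyType.equals("resource"));
    }

    /**
     * Gate for every restriction in this class: true only when the realm of the current
     * context has admin permissions enabled and {@code resourceServer} is that realm's
     * admin-permissions client.
     */
    private boolean supportsAuthorizationSchema(KeycloakSession session, ResourceServer resourceServer) {
        RealmModel realm = session.getContext().getRealm();
        if (realm.isAdminPermissionsEnabled()) {
            return isAdminPermissionClient(realm, resourceServer.getId());
        }
        return false;
    }

    /** Returns true when the realm has an admin-permissions client and its id equals {@code id}. */
    private boolean isAdminPermissionClient(RealmModel realm, String id) {
        return realm.getAdminPermissionsClient() != null && realm.getAdminPermissionsClient().getId().equals(id);
    }

    /**
     * Rejects an operation that targets the admin-permissions client.
     *
     * <p>Unlike the other checks, this one does not look at whether admin permissions are
     * enabled for the realm; the id match alone is enough.
     *
     * @param id the id to compare with the admin-permissions client's id
     * @throws ModelValidationException if {@code id} identifies the admin-permissions client
     */
    public void throwExceptionIfAdminPermissionClient(KeycloakSession session, String id) {
        if (isAdminPermissionClient(session.getContext().getRealm(), id)) {
            throw new ModelValidationException("Not supported for this client.");
        }
    }

    /**
     * Finds the resource by name and creates it, owned by the resource server's client id,
     * when it is missing.
     */
    private Resource getOrCreateResource(KeycloakSession session, ResourceServer resourceServer, String name) {
        StoreFactory storeFactory = getStoreFactory(session);
        Resource existing = storeFactory.getResourceStore().findByName(resourceServer, name);
        // NOTE(review): find-then-create is two store calls; whether concurrent callers can both
        // reach create() depends on the store and the surrounding transaction - confirm.
        return existing == null ? storeFactory.getResourceStore().create(resourceServer, name, resourceServer.getClientId()) : existing;
    }

    /**
     * Resolves a user reference to the user's id.
     *
     * <p>The reference is tried as a user id first and as a username second, so a caller
     * cannot tell which of the two matched.
     *
     * @return the user id, or {@code null} when neither lookup finds a user
     */
    private String resolveUser(KeycloakSession session, String idOrUsername) {
        RealmModel realm = session.getContext().getRealm();
        UserModel user = session.users().getUserById(realm, idOrUsername);
        if (user == null) {
            // NOTE(review): the username fallback means the permission is bound to whichever
            // account currently matches the string; confirm callers that intend an id cannot be
            // redirected to a different account whose username equals that value.
            user = session.users().getUserByUsername(realm, idOrUsername);
        }
        if (user == null) {
            return null;
        }
        return user.getId();
    }

    private StoreFactory getStoreFactory(KeycloakSession session) {
        return ((AuthorizationProvider) session.getProvider(AuthorizationProvider.class)).getStoreFactory();
    }

    /**
     * Validates a scope permission aimed at the admin-permissions client.
     *
     * <p>Nothing is checked when the schema does not apply or when the representation is not a
     * {@link ScopePermissionRepresentation}.
     *
     * @throws ModelValidationException if the resource type is missing or not part of the schema,
     *     or if no scopes are given
     */
    public void throwExceptionIfResourceTypeOrScopesNotProvided(KeycloakSession session, ResourceServer resourceServer, AbstractPolicyRepresentation policy) {
        if (supportsAuthorizationSchema(session, resourceServer) && (policy instanceof ScopePermissionRepresentation)) {
            // The same message covers both a missing type and a type the schema does not declare.
            if (policy.getResourceType() == null || SCHEMA.getResourceTypes().get(policy.getResourceType()) == null) {
                throw new ModelValidationException("Resource type not provided.");
            }
            if (policy.getScopes() == null || policy.getScopes().isEmpty()) {
                throw new ModelValidationException("Scopes not provided.");
            }
        }
    }

    /**
     * Looks up a scope by id, then by name, and checks it against the schema.
     *
     * <p>When the schema applies, the scope must be declared for {@code resourceType}. A
     * {@code null} or undeclared resource type is rejected with the same validation error as an
     * undeclared scope, instead of failing with a {@link NullPointerException} on the lookup.
     *
     * @param resourceType name of the resource type the scope is requested for
     * @param scopeIdOrName id or name of the scope
     * @return the scope
     * @throws ModelValidationException if the scope does not exist, or if the schema applies and
     *     the scope is not declared for the resource type
     */
    public Scope getScope(KeycloakSession session, ResourceServer resourceServer, String resourceType, String scopeIdOrName) {
        StoreFactory storeFactory = getStoreFactory(session);
        Scope scope = (Scope) Optional.ofNullable(storeFactory.getScopeStore().findById(resourceServer, scopeIdOrName))
                .or(() -> Optional.ofNullable(storeFactory.getScopeStore().findByName(resourceServer, scopeIdOrName)))
                .orElseThrow(() -> new ModelValidationException(String.format("Scope [%s] does not exist.", scopeIdOrName)));
        if (!supportsAuthorizationSchema(session, resourceServer)) {
            return scope;
        }
        // Guard the lookup: the type may be null or unknown to the schema, and the check must
        // then fail closed with a validation error.
        ResourceType schemaType = resourceType == null ? null : (ResourceType) SCHEMA.getResourceTypes().get(resourceType);
        if (schemaType != null && schemaType.getScopes().contains(scope.getName())) {
            return scope;
        }
        throw new ModelValidationException(String.format("Scope %s was not found for resource type %s.", scope.getName(), resourceType));
    }
}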
