package org.keycloak.authorization;

import java.util.HashSet;
import java.util.Set;
import java.util.function.Consumer;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/* loaded from: input_file:org/keycloak/authorization/UserResourceTypePolicyEvaluator.class */
public class UserResourceTypePolicyEvaluator implements ResourceTypePolicyEvaluator {
    /**
     * Hands {@code consumer} the policies attached to the groups of the user that
     * {@code resourcePermission} refers to.
     *
     * <p>When no user can be resolved from the permission, nothing is passed to
     * {@code consumer}. Whether "no policy collected" ends in a grant or a deny is decided by
     * the caller and is not visible in this class.
     *
     * @param resourcePermission the permission being evaluated
     * @param authorizationProvider source of the realm, session and stores
     * @param consumer receives every policy found for the user's groups
     */
    @Override
    public void evaluate(ResourcePermission resourcePermission, AuthorizationProvider authorizationProvider, Consumer<Policy> consumer) {
        UserModel targetUser = resolveUser(resourcePermission, authorizationProvider);
        if (targetUser == null) {
            return;
        }
        evaluateGroupMembershipPermissions(resourcePermission, targetUser, authorizationProvider, consumer);
    }

    /**
     * Looks up the user that the permission's resource stands for.
     *
     * <p>The resource's stored name is first translated by
     * {@code AdminPermissionsSchema.SCHEMA.getResourceName(...)} and the result is then used as
     * a username in the realm's user lookup.
     * NOTE(review): presumably the schema maps a stored identifier to the username; confirm
     * against AdminPermissionsSchema.
     *
     * @return the user, or {@code null} when the permission has no resource type, no resource,
     *         the schema returns no name, or the user lookup returns {@code null}
     */
    private UserModel resolveUser(ResourcePermission resourcePermission, AuthorizationProvider authorizationProvider) {
        RealmModel realm = authorizationProvider.getRealm();
        KeycloakSession session = authorizationProvider.getKeycloakSession();
        String type = resourcePermission.getResourceType();
        if (type == null) {
            return null;
        }
        Resource target = resourcePermission.getResource();
        if (target == null) {
            return null;
        }
        String username = AdminPermissionsSchema.SCHEMA.getResourceName(session, target.getResourceServer(), type, target.getName());
        if (username == null) {
            return null;
        }
        return session.users().getUserByUsername(realm, username);
    }

    /**
     * Collects the policies that reach the user through group membership.
     *
     * <p>Two sources are consulted, in this order:
     * <ol>
     *   <li>for each group of the user and each of its ancestors, the resource whose name is
     *       the group id, when such a resource exists;</li>
     *   <li>when the user belongs to at least one group, the resource-type resource for
     *       {@code AdminPermissionsSchema.GROUPS_RESOURCE_TYPE}.</li>
     * </ol>
     */
    private void evaluateGroupMembershipPermissions(ResourcePermission resourcePermission, UserModel userModel, AuthorizationProvider authorizationProvider, Consumer<Policy> consumer) {
        StoreFactory stores = authorizationProvider.getStoreFactory();
        PolicyStore policies = stores.getPolicyStore();
        ResourceStore resources = stores.getResourceStore();
        ResourceServer server = resourcePermission.getResourceServer();

        Consumer<GroupModel> collectGroupPolicies = group -> {
            Resource groupResource = resources.findByName(server, group.getId());
            if (groupResource == null) {
                // No resource is registered under this group id, so there is nothing to look up.
                return;
            }
            policies.findByResource(server, groupResource, consumer);
        };
        evaluateHierarchy(userModel, collectGroupPolicies);

        boolean memberOfAnyGroup = userModel.getGroupsStream().findAny().isPresent();
        if (memberOfAnyGroup) {
            // NOTE(review): unlike the per-group resource above, this resource is handed to
            // findByResource without a null check; confirm getResourceTypeResource cannot
            // return null here.
            Resource allGroupsResource = AdminPermissionsSchema.SCHEMA.getResourceTypeResource(authorizationProvider.getKeycloakSession(), server, AdminPermissionsSchema.GROUPS_RESOURCE_TYPE);
            policies.findByResource(server, allGroupsResource, consumer);
        }
    }

    /**
     * Applies {@code consumer} to every group of the user and to each group's ancestors.
     *
     * <p>A fresh visited set is created per direct group, so an ancestor shared by two of the
     * user's groups is delivered to {@code consumer} once per group that leads to it.
     */
    private void evaluateHierarchy(UserModel userModel, Consumer<GroupModel> consumer) {
        userModel.getGroupsStream().forEach(memberGroup -> evaluateHierarchy(consumer, memberGroup, new HashSet<>()));
    }

    /**
     * Walks from {@code groupModel} up through its parents, applying {@code consumer} to each
     * group, and stops at the root or at the first group already present in {@code set}.
     *
     * <p>The visited set guards against a cycle in the parent chain; it relies on
     * {@code GroupModel}'s equals/hashCode, which are not visible here.
     */
    private void evaluateHierarchy(Consumer<GroupModel> consumer, GroupModel groupModel, Set<GroupModel> set) {
        GroupModel current = groupModel;
        while (!set.contains(current)) {
            consumer.accept(current);
            set.add(current);
            GroupModel parent = current.getParent();
            if (parent == null) {
                return;
            }
            current = parent;
        }
    }
}
