package io.phasetwo.service.resource;

import com.google.common.collect.ImmutableList;
import io.phasetwo.service.model.InvitationModel;
import io.phasetwo.service.model.OrganizationModel;
import io.phasetwo.service.model.OrganizationRoleModel;
import io.phasetwo.service.model.jpa.entity.ExtOrganizationEntity;
import io.phasetwo.service.model.jpa.entity.InvitationEntity;
import io.phasetwo.service.model.jpa.entity.OrganizationMemberEntity;
import jakarta.ws.rs.NotAuthorizedException;
import java.util.List;
import java.util.Map;
import org.jboss.logging.Logger;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.jpa.entities.UserEntity;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.resources.admin.AdminAuth;

/* loaded from: input_file:io/phasetwo/service/resource/OrganizationAdminAuth.class */
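/**
 * Authorization helper for the organization admin resources.
 *
 * <p>Extends Keycloak's {@link AdminAuth} with two families of checks:
 * <ul>
 *   <li>client-level ("app") roles, evaluated through {@code hasAppRole(getClient(), ...)};</li>
 *   <li>per-organization roles, evaluated against the {@link OrganizationModel} for the
 *       authenticated user returned by {@code getUser()}.</li>
 * </ul>
 *
 * <p>The {@code require*} methods throw {@link NotAuthorizedException} when a check fails; the
 * {@code has*}/{@code is*} methods return the result as a boolean.
 *
 * <p>This listing is decompiler output. Several methods below were marked by the decompiler as
 * "access modifiers changed from: package-private"; their visibility is kept as listed.
 *
 * <p>NOTE(review): {@code jakarta.ws.rs.NotAuthorizedException} represents HTTP 401 and takes its
 * first constructor argument as a challenge value, so the role names and formatted messages
 * passed below are supplied as challenges rather than as a plain message. A failed role check
 * for an already-authenticated caller is usually expressed as 403; the exception type is left
 * unchanged here because callers may catch it.
 */
public class OrganizationAdminAuth extends AdminAuth {
    // Client-level roles checked with hasAppRole(getClient(), ...).
    public static final String ROLE_CREATE_ORGANIZATION = "create-organization";
    public static final String ROLE_VIEW_ORGANIZATION = "view-organizations";
    public static final String ROLE_MANAGE_ORGANIZATION = "manage-organizations";
    private static final Logger log = Logger.getLogger(OrganizationAdminAuth.class);

    // Per-organization role names looked up with OrganizationModel.getRoleByName(...).
    public static final String ORG_ROLE_VIEW_ORGANIZATION = "view-organization";
    public static final String ORG_ROLE_MANAGE_ORGANIZATION = "manage-organization";
    public static final String ORG_ROLE_VIEW_MEMBERS = "view-members";
    public static final String ORG_ROLE_MANAGE_MEMBERS = "manage-members";
    public static final String ORG_ROLE_VIEW_ROLES = "view-roles";
    public static final String ORG_ROLE_MANAGE_ROLES = "manage-roles";
    public static final String ORG_ROLE_VIEW_INVITATIONS = "view-invitations";
    public static final String ORG_ROLE_MANAGE_INVITATIONS = "manage-invitations";
    public static final String ORG_ROLE_VIEW_IDENTITY_PROVIDERS = "view-identity-providers";
    public static final String ORG_ROLE_MANAGE_IDENTITY_PROVIDERS = "manage-identity-providers";

    // NOTE(review): a public array is mutable by any code that can see this class. hasOrgAll,
    // hasOrgViewAll and hasOrgManageAll iterate it, so removing an element would weaken those
    // checks. Treat it as read-only; the type is kept because it is part of the public interface.
    public static final String[] DEFAULT_ORG_ROLES = {
        ORG_ROLE_VIEW_ORGANIZATION,
        ORG_ROLE_MANAGE_ORGANIZATION,
        ORG_ROLE_VIEW_MEMBERS,
        ORG_ROLE_MANAGE_MEMBERS,
        ORG_ROLE_VIEW_ROLES,
        ORG_ROLE_MANAGE_ROLES,
        ORG_ROLE_VIEW_INVITATIONS,
        ORG_ROLE_MANAGE_INVITATIONS,
        ORG_ROLE_VIEW_IDENTITY_PROVIDERS,
        ORG_ROLE_MANAGE_IDENTITY_PROVIDERS
    };

    // Name of the access-token claim read by getOrganizationRoles.
    // NOTE(review): non-final and package-visible, so it can be reassigned at runtime.
    static String ORGANIZATIONS_CLAIM = "organizations";

    /**
     * Creates the auth context; all four arguments are passed straight to {@link AdminAuth}.
     *
     * @param realmModel realm the request is evaluated against
     * @param accessToken token of the caller
     * @param userModel authenticated user
     * @param clientModel client whose roles back the app-role checks
     */
    public OrganizationAdminAuth(RealmModel realmModel, AccessToken accessToken, UserModel userModel, ClientModel clientModel) {
        super(realmModel, accessToken, userModel, clientModel);
        log.debugf("Realm passed to ctr is %s", realmModel.getName());
    }

    /** Throws {@link NotAuthorizedException} unless the caller has the create-organization app role. */
    void requireCreateOrg() {
        if (!hasAppRole(getClient(), ROLE_CREATE_ORGANIZATION)) {
            throw new NotAuthorizedException(ROLE_CREATE_ORGANIZATION, new Object[0]);
        }
    }

    /** Returns whether the caller has the create-organization app role. */
    public boolean hasCreateOrg() {
        return hasAppRole(getClient(), ROLE_CREATE_ORGANIZATION);
    }

    /** Throws {@link NotAuthorizedException} unless the caller has the view-organizations app role. */
    void requireViewOrgs() {
        if (!hasAppRole(getClient(), ROLE_VIEW_ORGANIZATION)) {
            throw new NotAuthorizedException(ROLE_VIEW_ORGANIZATION, new Object[0]);
        }
    }

    /** Returns whether the caller has the view-organizations app role. */
    public boolean hasViewOrgs() {
        return hasAppRole(getClient(), ROLE_VIEW_ORGANIZATION);
    }

    /** Throws {@link NotAuthorizedException} unless the caller has the manage-organizations app role. */
    public void requireManageOrgs() {
        if (!hasAppRole(getClient(), ROLE_MANAGE_ORGANIZATION)) {
            throw new NotAuthorizedException(ROLE_MANAGE_ORGANIZATION, new Object[0]);
        }
    }

    /** Returns whether the caller has the manage-organizations app role. */
    public boolean hasManageOrgs() {
        return hasAppRole(getClient(), ROLE_MANAGE_ORGANIZATION);
    }

    /** Returns whether the caller has Keycloak's {@code AdminRoles.MANAGE_REALM} app role. */
    public boolean hasManageRealm() {
        return hasAppRole(getClient(), AdminRoles.MANAGE_REALM);
    }

    /**
     * Throws {@link NotAuthorizedException} unless the entity's realm id equals this context's
     * realm id.
     *
     * @deprecated entity-based variant; an {@link OrganizationModel} overload exists.
     */
    @Deprecated
    void requireOrgInRealm(ExtOrganizationEntity extOrganizationEntity) {
        if (!extOrganizationEntity.getRealmId().equals(getRealm().getId())) {
            throw new NotAuthorizedException(String.format("Organization %s not in realm %s", extOrganizationEntity.getId(), getRealm().getName()), new Object[0]);
        }
    }

    /** Throws {@link NotAuthorizedException} unless {@link #isOrgInRealm} holds for the organization. */
    void requireOrgInRealm(OrganizationModel organizationModel) {
        if (!isOrgInRealm(organizationModel)) {
            throw new NotAuthorizedException(String.format("Organization %s not in realm %s", organizationModel.getId(), getRealm().getName()), new Object[0]);
        }
    }

    /** Returns whether the organization's realm id equals this context's realm id. */
    public boolean isOrgInRealm(OrganizationModel organizationModel) {
        return organizationModel.getRealm().getId().equals(getRealm().getId());
    }

    /**
     * Throws {@link NotAuthorizedException} unless the user entity's realm id equals this
     * context's realm id.
     *
     * @deprecated entity-based variant.
     */
    @Deprecated
    void requireUserInRealm(UserEntity userEntity) {
        if (!userEntity.getRealmId().equals(getRealm().getId())) {
            throw new NotAuthorizedException(String.format("User %s not in realm %s", userEntity.getId(), getRealm().getName()), new Object[0]);
        }
    }

    /**
     * Throws {@link NotAuthorizedException} unless the invitation's organization equals the given
     * organization entity, then applies the realm check on that organization.
     *
     * @deprecated entity-based variant; an {@link InvitationModel} overload exists.
     */
    @Deprecated
    void requireInvitationInOrgInRealm(InvitationEntity invitationEntity, ExtOrganizationEntity extOrganizationEntity) {
        if (!invitationEntity.getOrganization().equals(extOrganizationEntity)) {
            throw new NotAuthorizedException(String.format("Invitation %s not in org %s", invitationEntity.getId(), extOrganizationEntity.getId()), new Object[0]);
        }
        requireOrgInRealm(extOrganizationEntity);
    }

    /** Throws {@link NotAuthorizedException} unless {@link #isInvitationInOrgInRealm} holds. */
    void requireInvitationInOrgInRealm(InvitationModel invitationModel, OrganizationModel organizationModel) {
        if (!isInvitationInOrgInRealm(invitationModel, organizationModel)) {
            throw new NotAuthorizedException(String.format("Invitation %s not in org %s", invitationModel.getId(), organizationModel.getId()), new Object[0]);
        }
    }

    /**
     * Returns whether the invitation's organization equals the given organization and that
     * organization is in this context's realm.
     */
    boolean isInvitationInOrgInRealm(InvitationModel invitationModel, OrganizationModel organizationModel) {
        return invitationModel.getOrganization().equals(organizationModel) && isOrgInRealm(organizationModel);
    }

    /**
     * Throws {@link NotAuthorizedException} unless all three entities are present, the member row
     * refers to the given user, and the member row belongs to the given organization; then applies
     * the realm check on that organization.
     *
     * <p>The listed condition rejected every non-null organization ({@code != null}) and, for a
     * null user or organization, dereferenced the null value while building the message. As
     * written it could never pass. The null test is corrected here and the message is built
     * null-safely, so a failed check always surfaces as {@link NotAuthorizedException}.
     *
     * @deprecated entity-based variant.
     */
    @Deprecated
    void requireUserInOrgInRealm(UserEntity userEntity, OrganizationMemberEntity organizationMemberEntity, ExtOrganizationEntity extOrganizationEntity) {
        boolean userInOrg = userEntity != null
                && organizationMemberEntity != null
                && extOrganizationEntity != null
                && userEntity.getId().equals(organizationMemberEntity.getUserId())
                && organizationMemberEntity.getOrganization().equals(extOrganizationEntity);
        if (!userInOrg) {
            // Resolve ids defensively: either entity may be the null that failed the check.
            Object userId = userEntity == null ? null : userEntity.getId();
            Object orgId = extOrganizationEntity == null ? null : extOrganizationEntity.getId();
            throw new NotAuthorizedException(String.format("User %s not in org %s", userId, orgId), new Object[0]);
        }
        requireOrgInRealm(extOrganizationEntity);
    }

    /**
     * Returns whether the user may view the organization: either the view-organization org role
     * is held, or the user is a member of the organization. Plain membership alone is sufficient.
     */
    public boolean hasOrgViewOrg(OrganizationModel organizationModel) {
        return hasOrgRole(organizationModel, ORG_ROLE_VIEW_ORGANIZATION) || organizationModel.hasMembership(getUser());
    }

    /** Returns whether the user holds the manage-organization role in the organization. */
    public boolean hasOrgManageOrg(OrganizationModel organizationModel) {
        return hasOrgRole(organizationModel, ORG_ROLE_MANAGE_ORGANIZATION);
    }

    /** Returns whether the user holds the view-members role in the organization. */
    public boolean hasOrgViewMembers(OrganizationModel organizationModel) {
        return hasOrgRole(organizationModel, ORG_ROLE_VIEW_MEMBERS);
    }

    /** Returns whether the user holds the manage-members role in the organization. */
    public boolean hasOrgManageMembers(OrganizationModel organizationModel) {
        return hasOrgRole(organizationModel, ORG_ROLE_MANAGE_MEMBERS);
    }

    /** Returns whether the user holds the view-invitations role in the organization. */
    public boolean hasOrgViewInvitations(OrganizationModel organizationModel) {
        return hasOrgRole(organizationModel, ORG_ROLE_VIEW_INVITATIONS);
    }

    /** Returns whether the user holds the manage-invitations role in the organization. */
    public boolean hasOrgManageInvitations(OrganizationModel organizationModel) {
        return hasOrgRole(organizationModel, ORG_ROLE_MANAGE_INVITATIONS);
    }

    /** Returns whether the user holds the view-roles role in the organization. */
    public boolean hasOrgViewRoles(OrganizationModel organizationModel) {
        return hasOrgRole(organizationModel, ORG_ROLE_VIEW_ROLES);
    }

    /** Returns whether the user holds the manage-roles role in the organization. */
    public boolean hasOrgManageRoles(OrganizationModel organizationModel) {
        return hasOrgRole(organizationModel, ORG_ROLE_MANAGE_ROLES);
    }

    /** Returns whether the user holds the view-identity-providers role in the organization. */
    public boolean hasOrgViewIdentityProviders(OrganizationModel organizationModel) {
        return hasOrgRole(organizationModel, ORG_ROLE_VIEW_IDENTITY_PROVIDERS);
    }

    /** Returns whether the user holds the manage-identity-providers role in the organization. */
    public boolean hasOrgManageIdentityProviders(OrganizationModel organizationModel) {
        return hasOrgRole(organizationModel, ORG_ROLE_MANAGE_IDENTITY_PROVIDERS);
    }

    /** Returns whether the user holds every role listed in {@link #DEFAULT_ORG_ROLES}. */
    public boolean hasOrgAll(OrganizationModel organizationModel) {
        // Every string starts with "", so the empty prefix selects all default roles.
        return hasEveryDefaultOrgRole(organizationModel, "");
    }

    /** Returns whether the user holds every default role whose name starts with {@code "view"}. */
    boolean hasOrgViewAll(OrganizationModel organizationModel) {
        return hasEveryDefaultOrgRole(organizationModel, "view");
    }

    /** Returns whether the user holds every default role whose name starts with {@code "manage"}. */
    boolean hasOrgManageAll(OrganizationModel organizationModel) {
        return hasEveryDefaultOrgRole(organizationModel, "manage");
    }

    /** Checks, in array order, each default role with the given name prefix; stops at the first miss. */
    private boolean hasEveryDefaultOrgRole(OrganizationModel organizationModel, String prefix) {
        for (String roleName : DEFAULT_ORG_ROLES) {
            if (roleName.startsWith(prefix) && !hasOrgRole(organizationModel, roleName)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Reads {@code <ORGANIZATIONS_CLAIM> -> <organization id> -> "roles"} from the token's other
     * claims. Returns an empty list when any level is missing or is not of the expected
     * container type.
     *
     * <p>The element type of the returned list is not verified; it is whatever the token carried.
     */
    private List<String> getOrganizationRoles(OrganizationModel organizationModel) {
        Object organizations = getToken().getOtherClaims().get(ORGANIZATIONS_CLAIM);
        if (!(organizations instanceof Map)) {
            return ImmutableList.of();
        }
        Object organization = ((Map<?, ?>) organizations).get(organizationModel.getId());
        if (!(organization instanceof Map)) {
            return ImmutableList.of();
        }
        Object roles = ((Map<?, ?>) organization).get("roles");
        if (!(roles instanceof List)) {
            return ImmutableList.of();
        }
        // Unchecked by necessity: the claim is untyped JSON-like data.
        @SuppressWarnings("unchecked")
        List<String> roleNames = (List<String>) roles;
        return roleNames;
    }

    /**
     * Returns whether the token's organizations claim lists the role for this organization.
     *
     * <p>No method in this class calls it; {@link #hasOrgRole} consults the organization model
     * instead of the token.
     */
    private boolean hasOrgRoleInToken(OrganizationModel organizationModel, String str) {
        return getOrganizationRoles(organizationModel).contains(str);
    }

    /**
     * Returns whether the organization defines a role with the given name and that role is held
     * by the authenticated user. An unknown role name yields {@code false}. The outcome is logged
     * at debug level together with the user id.
     */
    private boolean hasOrgRole(OrganizationModel organizationModel, String str) {
        OrganizationRoleModel role = organizationModel.getRoleByName(str);
        boolean granted = role != null && role.hasRole(getUser());
        log.debugf("%s has role %s? %b", getUser().getId(), str, Boolean.valueOf(granted));
        return granted;
    }

    /**
     * Throws {@link NotAuthorizedException} unless {@link #hasOrgRole} holds. No method in this
     * class calls it.
     */
    private void requireOrgRole(OrganizationModel organizationModel, String str) {
        if (!hasOrgRole(organizationModel, str)) {
            throw new NotAuthorizedException(String.format("User %s doesn't have role %s in org %s", getUser().getId(), str, organizationModel.getName()), new Object[0]);
        }
    }
}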
