package org.keycloak.migration.migrators;

import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.keycloak.Config;
import org.keycloak.OAuthErrorException;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperContainerModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredActionProviderModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserConsentModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.RepresentationToModel;

/* loaded from: input_file:WEB-INF/lib/keycloak-server-spi-private-21.1.2.jar:org/keycloak/migration/migrators/MigrationUtils.class */
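/**
 * Static helpers used by realm migrations to adjust admin roles, required actions,
 * protocol mappers, offline-token consents and client defaults.
 *
 * <p>Several of these helpers change authorization-relevant state (composite admin roles,
 * granted consent scopes), so they are meant to be driven by trusted migration code only.
 */
public class MigrationUtils {
    /**
     * Creates the admin role {@code str} where it is missing and wires it into the
     * existing admin composites.
     *
     * <p>Two places are handled independently:
     * <ul>
     *   <li>the realm's master admin client: the role is added and made part of the
     *       {@link AdminRoles#ADMIN} role of the realm that owns that client;</li>
     *   <li>the realm's own {@link Constants#REALM_MANAGEMENT_CLIENT_ID} client (skipped when
     *       the realm is the admin realm): the role is added and made part of that client's
     *       {@link AdminRoles#REALM_ADMIN} role.</li>
     * </ul>
     *
     * <p>Security note: because the new role becomes a composite of the admin roles, every
     * current holder of those roles implicitly gains it. Pass only role names that are
     * intended to be held by administrators.
     *
     * @param realmModel realm being migrated
     * @param str        name of the role to create; also used to build the
     *                   {@code ${role_<name>}} description placeholder
     */
    public static void addAdminRole(RealmModel realmModel, String str) {
        final String description = "${role_" + str + "}";

        ClientModel masterAdminClient = realmModel.getMasterAdminClient();
        if (masterAdminClient != null && masterAdminClient.getRole(str) == null) {
            RoleModel masterRole = masterAdminClient.addRole(str);
            masterRole.setDescription(description);
            // NOTE(review): getRole(AdminRoles.ADMIN) is dereferenced unchecked; a realm without
            // that role would fail the migration here with a NullPointerException.
            masterAdminClient.getRealm().getRole(AdminRoles.ADMIN).addCompositeRole(masterRole);
        }

        // The admin realm has no per-realm management client to update.
        if (realmModel.getName().equals(Config.getAdminRealm())) {
            return;
        }
        ClientModel realmManagementClient = realmModel.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
        if (realmManagementClient == null || realmManagementClient.getRole(str) != null) {
            return;
        }
        RoleModel realmRole = realmManagementClient.addRole(str);
        realmRole.setDescription(description);
        realmManagementClient.getRole(AdminRoles.REALM_ADMIN).addCompositeRole(realmRole);
    }

    /**
     * Renames the built-in TOTP required action from "Configure Totp" to "Configure OTP".
     *
     * <p>The name is only changed when the provider id is
     * {@link UserModel.RequiredAction#CONFIGURE_TOTP} and the current name is still exactly
     * "Configure Totp", so a name customised by an administrator is left alone.
     *
     * @param requiredActionProviderModel the required action to inspect; {@code null} is ignored
     */
    public static void updateOTPRequiredAction(RequiredActionProviderModel requiredActionProviderModel) {
        if (requiredActionProviderModel == null) {
            return;
        }
        boolean isTotpAction = UserModel.RequiredAction.CONFIGURE_TOTP.name()
                .equals(requiredActionProviderModel.getProviderId());
        if (isTotpAction && "Configure Totp".equals(requiredActionProviderModel.getName())) {
            requiredActionProviderModel.setName("Configure OTP");
        }
    }

    /**
     * Back-fills the {@code userinfo.token.claim} setting on protocol mappers that predate it.
     *
     * <p>For every mapper that has {@code id.token.claim} but no {@code userinfo.token.claim},
     * the userinfo setting is copied from the ID-token setting and the mapper is persisted via
     * {@link ProtocolMapperContainerModel#updateProtocolMapper}. Mappers that already carry an
     * explicit {@code userinfo.token.claim} value are not touched, so a claim that was
     * deliberately kept out of the userinfo response stays out.
     *
     * @param protocolMapperContainerModel client or client scope whose mappers are migrated
     * @throws NullPointerException if {@code protocolMapperContainerModel} is {@code null}
     */
    public static void updateProtocolMappers(ProtocolMapperContainerModel protocolMapperContainerModel) {
        // Checked before first use; the decompiled original performed this check only after
        // the container had already been dereferenced.
        Objects.requireNonNull(protocolMapperContainerModel);

        protocolMapperContainerModel.getProtocolMappersStream()
                .filter(mapper -> !mapper.getConfig().containsKey("userinfo.token.claim")
                        && mapper.getConfig().containsKey("id.token.claim"))
                // Materialise the matches first: updates below run only after the container's
                // stream has been fully consumed.
                .collect(Collectors.toSet())
                .forEach(mapper -> {
                    mapper.getConfig().put("userinfo.token.claim", mapper.getConfig().get("id.token.claim"));
                    protocolMapperContainerModel.updateProtocolMapper(mapper);
                });
    }

    /**
     * Upgrades a user's stored consent for a client so that it covers offline access.
     *
     * <p>Nothing is changed unless the client requires consent and the user already has a
     * consent record for it; this method never creates a consent. On an existing consent it
     * adds the client itself and the realm's {@code offline_access} client scope as granted
     * scopes, each only when it is flagged for display on the consent screen, and then
     * persists the consent.
     *
     * <p>Security note: the grant is widened without prompting the user again, so callers
     * should invoke this only for users who already hold an offline token issued under the
     * old model.
     *
     * @param keycloakSession session used to read and update the consent
     * @param realmModel      realm that owns the client and the user
     * @param clientModel     client the offline token was issued to
     * @param userModel       user whose consent is migrated
     * @throws OAuthErrorException with error {@code invalid_grant} when the realm has no
     *                             {@code offline_access} client scope
     */
    public static void migrateOldOfflineToken(KeycloakSession keycloakSession, RealmModel realmModel, ClientModel clientModel, UserModel userModel) throws OAuthErrorException {
        ClientScopeModel offlineAccessScope = KeycloakModelUtils.getClientScopeByName(realmModel, "offline_access");
        if (offlineAccessScope == null) {
            throw new OAuthErrorException("invalid_grant", "Offline Access scope not found");
        }
        if (!clientModel.isConsentRequired()) {
            return;
        }
        UserConsentModel consent = keycloakSession.users().getConsentByClient(realmModel, userModel.getId(), clientModel.getId());
        if (consent == null) {
            return;
        }
        if (clientModel.isDisplayOnConsentScreen()) {
            consent.addGrantedClientScope(clientModel);
        }
        if (offlineAccessScope.isDisplayOnConsentScreen()) {
            consent.addGrantedClientScope(offlineAccessScope);
        }
        keycloakSession.users().updateConsent(realmModel, userModel.getId(), consent);
    }

    /**
     * Sets the client's authenticator type to the value returned by
     * {@link KeycloakModelUtils#getDefaultClientAuthenticatorType()}.
     *
     * @param clientModel client to update; any previously configured authenticator type is overwritten
     */
    public static void setDefaultClientAuthenticatorType(ClientModel clientModel) {
        String defaultAuthenticatorType = KeycloakModelUtils.getDefaultClientAuthenticatorType();
        clientModel.setClientAuthenticatorType(defaultAuthenticatorType);
    }

    /**
     * Tells whether a client is an OIDC client that is not bearer-only.
     *
     * <p>A client with no protocol set is treated as OIDC.
     *
     * @param clientModel client to inspect
     * @return {@code true} when the protocol is unset or equals {@link RepresentationToModel#OIDC}
     *         and the client is not bearer-only
     */
    public static boolean isOIDCNonBearerOnlyClient(ClientModel clientModel) {
        String protocol = clientModel.getProtocol();
        boolean isOidc = protocol == null || RepresentationToModel.OIDC.equals(protocol);
        return isOidc && !clientModel.isBearerOnly();
    }
}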
