package org.keycloak.protocol.oidc.mappers;

import java.util.List;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.keycloak.models.GroupModel;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.RoleUtils;
import org.keycloak.protocol.ProtocolMapperUtils;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.representations.IDToken;
import org.keycloak.social.stackoverflow.StackoverflowIdentityProvider;

/* loaded from: input_file:org/keycloak/protocol/oidc/mappers/AbstractUserRoleMappingMapper.class */
abstract class AbstractUserRoleMappingMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {
    public static Stream<RoleModel> getAllUserRolesStream(UserModel userModel) {
        return Stream.concat(userModel.getRoleMappings().stream(), userModel.getGroups().stream().flatMap(groupModel -> {
            return groupAndItsParentsStream(groupModel);
        }).flatMap(groupModel2 -> {
            return groupModel2.getRoleMappings().stream();
        })).flatMap(RoleUtils::expandCompositeRolesStream);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Stream<GroupModel> groupAndItsParentsStream(GroupModel groupModel) {
        Stream.Builder builder = Stream.builder();
        while (groupModel != null) {
            builder.add(groupModel);
            groupModel = groupModel.getParent();
        }
        return builder.build();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static void setClaim(IDToken iDToken, ProtocolMapperModel protocolMapperModel, UserSessionModel userSessionModel, Predicate<RoleModel> predicate, String str) {
        String str2 = str == null ? StackoverflowIdentityProvider.DEFAULT_SCOPE : str;
        Stream<RoleModel> filter = getAllUserRolesStream(userSessionModel.getUser()).filter(predicate);
        if (!userSessionModel.getClientSessions().stream().anyMatch(clientSessionModel -> {
            return clientSessionModel.getClient().isFullScopeAllowed();
        })) {
            Set set = (Set) userSessionModel.getClientSessions().stream().flatMap(clientSessionModel2 -> {
                return clientSessionModel2.getClient().getScopeMappings().stream();
            }).collect(Collectors.toSet());
            set.getClass();
            filter = filter.filter((v1) -> {
                return r1.contains(v1);
            });
        }
        List list = (List) filter.map(roleModel -> {
            return str2 + roleModel.getName();
        }).collect(Collectors.toList());
        List list2 = list;
        if (!SamlProtocol.ATTRIBUTE_TRUE_VALUE.equals(protocolMapperModel.getConfig().get(ProtocolMapperUtils.MULTIVALUED))) {
            list2 = list.toString();
        }
        OIDCAttributeMapperHelper.mapClaim(iDToken, protocolMapperModel, list2);
    }
}
