package org.keycloak.services.resources.admin;

import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.DELETE;
import jakarta.ws.rs.DefaultValue;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriInfo;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.eclipse.microprofile.openapi.annotations.Operation;
import org.eclipse.microprofile.openapi.annotations.extensions.Extension;
import org.eclipse.microprofile.openapi.annotations.parameters.Parameter;
import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
import org.eclipse.microprofile.openapi.annotations.tags.Tag;
import org.jboss.logging.Logger;
import org.jboss.resteasy.reactive.NoCache;
import org.keycloak.common.ClientConnection;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelException;
import org.keycloak.models.ModelIllegalStateException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleMapperModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.ClientMappingsRepresentation;
import org.keycloak.representations.idm.MappingsRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.services.ErrorResponse;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.resources.KeycloakOpenAPI;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
import org.keycloak.storage.ReadOnlyException;
import org.keycloak.utils.MediaType;

@Extension(name = KeycloakOpenAPI.Profiles.ADMIN, value = "")
/* loaded from: input_file:org/keycloak/services/resources/admin/RoleMapperResource.class */
public class RoleMapperResource {
    protected static final Logger logger = Logger.getLogger(RoleMapperResource.class);
    protected final RealmModel realm;
    private final RoleMapperModel roleMapper;
    private final AdminEventBuilder adminEvent;
    protected final AdminPermissionEvaluator.RequirePermissionCheck managePermission;
    protected final AdminPermissionEvaluator.RequirePermissionCheck viewPermission;
    private final AdminPermissionEvaluator auth;
    protected final ClientConnection clientConnection;
    protected final KeycloakSession session;
    protected final HttpHeaders headers;

    public RoleMapperResource(KeycloakSession keycloakSession, AdminPermissionEvaluator adminPermissionEvaluator, RoleMapperModel roleMapperModel, AdminEventBuilder adminEventBuilder, AdminPermissionEvaluator.RequirePermissionCheck requirePermissionCheck, AdminPermissionEvaluator.RequirePermissionCheck requirePermissionCheck2) {
        this.session = keycloakSession;
        this.auth = adminPermissionEvaluator;
        this.realm = keycloakSession.getContext().getRealm();
        this.clientConnection = keycloakSession.getContext().getConnection();
        this.adminEvent = adminEventBuilder.resource(ResourceType.REALM_ROLE_MAPPING);
        this.roleMapper = roleMapperModel;
        this.managePermission = requirePermissionCheck;
        this.viewPermission = requirePermissionCheck2;
        this.headers = keycloakSession.getContext().getRequestHeaders();
    }

    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLE_MAPPER)
    @Operation(summary = "Get role mappings")
    @GET
    public MappingsRepresentation getRoleMappings() {
        this.viewPermission.require();
        ArrayList arrayList = new ArrayList();
        HashMap hashMap = new HashMap();
        AtomicReference atomicReference = new AtomicReference();
        this.roleMapper.getRoleMappingsStream().forEach(roleModel -> {
            ClientModel container = roleModel.getContainer();
            if (container instanceof RealmModel) {
                arrayList.add(ModelToRepresentation.toBriefRepresentation(roleModel));
                return;
            }
            if (container instanceof ClientModel) {
                ClientModel clientModel = container;
                atomicReference.set((ClientMappingsRepresentation) hashMap.get(clientModel.getClientId()));
                if (atomicReference.get() == null) {
                    atomicReference.set(new ClientMappingsRepresentation());
                    ((ClientMappingsRepresentation) atomicReference.get()).setId(clientModel.getId());
                    ((ClientMappingsRepresentation) atomicReference.get()).setClient(clientModel.getClientId());
                    ((ClientMappingsRepresentation) atomicReference.get()).setMappings(new ArrayList());
                    hashMap.put(clientModel.getClientId(), (ClientMappingsRepresentation) atomicReference.get());
                }
                ((ClientMappingsRepresentation) atomicReference.get()).getMappings().add(ModelToRepresentation.toBriefRepresentation(roleModel));
            }
        });
        MappingsRepresentation mappingsRepresentation = new MappingsRepresentation();
        if (!arrayList.isEmpty()) {
            mappingsRepresentation.setRealmMappings(arrayList);
        }
        if (!hashMap.isEmpty()) {
            mappingsRepresentation.setClientMappings(hashMap);
        }
        return mappingsRepresentation;
    }

    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLE_MAPPER)
    @Operation(summary = "Get realm-level role mappings")
    @Path("realm")
    @GET
    public Stream<RoleRepresentation> getRealmRoleMappings() {
        this.viewPermission.require();
        return this.roleMapper.getRealmRoleMappingsStream().map(ModelToRepresentation::toBriefRepresentation);
    }

    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLE_MAPPER)
    @Operation(summary = "Get effective realm-level role mappings This will recurse all composite roles to get the result.")
    @Path("realm/composite")
    @GET
    public Stream<RoleRepresentation> getCompositeRealmRoleMappings(@Parameter(description = "if false, return roles with their attributes") @QueryParam("briefRepresentation") @DefaultValue("true") boolean z) {
        this.viewPermission.require();
        Function function = z ? ModelToRepresentation::toBriefRepresentation : ModelToRepresentation::toRepresentation;
        Stream rolesStream = this.realm.getRolesStream();
        RoleMapperModel roleMapperModel = this.roleMapper;
        Objects.requireNonNull(roleMapperModel);
        return rolesStream.filter(roleMapperModel::hasRole).map(function);
    }

    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLE_MAPPER)
    @Operation(summary = "Get realm-level roles that can be mapped")
    @Path("realm/available")
    @GET
    public Stream<RoleRepresentation> getAvailableRealmRoleMappings() {
        this.viewPermission.require();
        Stream filter = this.realm.getRolesStream().filter(this::canMapRole);
        RoleMapperModel roleMapperModel = this.roleMapper;
        Objects.requireNonNull(roleMapperModel);
        Predicate predicate = roleMapperModel::hasDirectRole;
        return filter.filter(predicate.negate()).map(ModelToRepresentation::toBriefRepresentation);
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLE_MAPPER)
    @Operation(summary = "Add realm-level role mappings to the user")
    @APIResponse(responseCode = "204", description = "No Content")
    @POST
    @Path("realm")
    @Consumes({MediaType.APPLICATION_JSON})
    public void addRealmRoleMappings(@Parameter(description = "Roles to add") List<RoleRepresentation> list) {
        this.managePermission.require();
        logger.debugv("** addRealmRoleMappings: {0}", list);
        try {
            for (RoleRepresentation roleRepresentation : list) {
                RoleModel role = this.realm.getRole(roleRepresentation.getName());
                if (role == null || !role.getId().equals(roleRepresentation.getId())) {
                    throw new NotFoundException("Role not found");
                }
                this.auth.roles().requireMapRole(role);
                this.roleMapper.grantRole(role);
            }
            this.adminEvent.operation(OperationType.CREATE).resourcePath((UriInfo) this.session.getContext().getUri()).representation(list).success();
        } catch (ModelException | ReadOnlyException e) {
            logger.warn(e.getMessage(), e);
            throw new ErrorResponseException("invalid_request", "Could not add user role mappings!", Response.Status.BAD_REQUEST);
        } catch (ModelIllegalStateException e2) {
            logger.error(e2.getMessage(), e2);
            throw ErrorResponse.error(e2.getMessage(), Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLE_MAPPER)
    @Operation(summary = "Delete realm-level role mappings")
    @Path("realm")
    @DELETE
    @Consumes({MediaType.APPLICATION_JSON})
    public void deleteRealmRoleMappings(List<RoleRepresentation> list) {
        this.managePermission.require();
        logger.debug("deleteRealmRoleMappings");
        if (list == null) {
            list = (List) this.roleMapper.getRealmRoleMappingsStream().peek(roleModel -> {
                this.auth.roles().requireMapRole(roleModel);
                this.roleMapper.deleteRoleMapping(roleModel);
            }).map(ModelToRepresentation::toBriefRepresentation).collect(Collectors.toList());
        } else {
            for (RoleRepresentation roleRepresentation : list) {
                RoleModel role = this.realm.getRole(roleRepresentation.getName());
                if (role == null || !role.getId().equals(roleRepresentation.getId())) {
                    throw new NotFoundException("Role not found");
                }
                this.auth.roles().requireMapRole(role);
                try {
                    this.roleMapper.deleteRoleMapping(role);
                } catch (ModelException | ReadOnlyException e) {
                    logger.warn(e.getMessage(), e);
                    throw new ErrorResponseException("invalid_request", "Could not remove user role mappings!", Response.Status.BAD_REQUEST);
                } catch (ModelIllegalStateException e2) {
                    logger.error(e2.getMessage(), e2);
                    throw ErrorResponse.error(e2.getMessage(), Response.Status.INTERNAL_SERVER_ERROR);
                }
            }
        }
        this.adminEvent.operation(OperationType.DELETE).resourcePath((UriInfo) this.session.getContext().getUri()).representation(list).success();
    }

    private boolean canMapRole(RoleModel roleModel) {
        return this.auth.roles().canMapRole(roleModel);
    }

    @Path("clients/{client-id}")
    public ClientRoleMappingsResource getUserClientRoleMappingsResource(@Parameter(description = "client id (not clientId!)") @PathParam("client-id") String str) {
        ClientModel clientById = this.realm.getClientById(str);
        if (clientById == null) {
            throw new NotFoundException("Client not found");
        }
        return new ClientRoleMappingsResource(this.session.getContext().getUri(), this.session, this.realm, this.auth, this.roleMapper, clientById, this.adminEvent, this.managePermission, this.viewPermission);
    }
}
