package org.keycloak.services.resources.admin;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.spi.BadRequestException;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator;
import org.keycloak.authorization.admin.AuthorizationService;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.util.Time;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleContainerModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserManager;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.protocol.ClientInstallationProvider;
import org.keycloak.representations.adapters.action.GlobalRequestResult;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.ManagementPermissionReference;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.UserSessionRepresentation;
import org.keycloak.services.ErrorResponse;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.clientregistration.ClientRegistrationTokenUtils;
import org.keycloak.services.clientregistration.policy.RegistrationAuth;
import org.keycloak.services.managers.ClientManager;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.services.managers.ResourceAdminManager;
import org.keycloak.services.resources.KeycloakApplication;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
import org.keycloak.services.resources.admin.permissions.AdminPermissionManagement;
import org.keycloak.services.resources.admin.permissions.AdminPermissions;
import org.keycloak.services.validation.ClientValidator;
import org.keycloak.services.validation.PairwiseClientValidator;
import org.keycloak.services.validation.ValidationMessages;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/services/resources/admin/ClientResource.class */
public class ClientResource {
    protected static final Logger logger = Logger.getLogger(ClientResource.class);
    protected RealmModel realm;
    private AdminPermissionEvaluator auth;
    private AdminEventBuilder adminEvent;
    protected ClientModel client;
    protected KeycloakSession session;

    @Context
    protected KeycloakApplication keycloak;

    @Context
    protected ClientConnection clientConnection;

    protected KeycloakApplication getKeycloakApplication() {
        return this.keycloak;
    }

    public ClientResource(RealmModel realmModel, AdminPermissionEvaluator adminPermissionEvaluator, ClientModel clientModel, KeycloakSession keycloakSession, AdminEventBuilder adminEventBuilder) {
        this.realm = realmModel;
        this.auth = adminPermissionEvaluator;
        this.client = clientModel;
        this.session = keycloakSession;
        this.adminEvent = adminEventBuilder.resource(ResourceType.CLIENT);
    }

    @Path("protocol-mappers")
    public ProtocolMappersResource getProtocolMappers() {
        ProtocolMappersResource protocolMappersResource = new ProtocolMappersResource(this.realm, this.client, this.auth, this.adminEvent, () -> {
            this.auth.clients().requireManage(this.client);
        }, () -> {
            this.auth.clients().requireView(this.client);
        });
        ResteasyProviderFactory.getInstance().injectProperties(protocolMappersResource);
        return protocolMappersResource;
    }

    @PUT
    @Consumes({MediaType.APPLICATION_JSON})
    public Response update(ClientRepresentation clientRepresentation) {
        this.auth.clients().requireConfigure(this.client);
        ValidationMessages validationMessages = new ValidationMessages();
        if (!ClientValidator.validate(clientRepresentation, validationMessages) || !PairwiseClientValidator.validate(this.session, clientRepresentation, validationMessages)) {
            throw new ErrorResponseException(validationMessages.getStringMessages(), validationMessages.getStringMessages(AdminRoot.getMessages(this.session, this.realm, this.auth.adminAuth().getToken().getLocale())), Response.Status.BAD_REQUEST);
        }
        try {
            updateClientFromRep(clientRepresentation, this.client, this.session);
            this.adminEvent.operation(OperationType.UPDATE).resourcePath((UriInfo) this.session.getContext().getUri()).representation(clientRepresentation).success();
            updateAuthorizationSettings(clientRepresentation);
            return Response.noContent().build();
        } catch (ModelDuplicateException e) {
            return ErrorResponse.exists("Client " + clientRepresentation.getClientId() + " already exists");
        }
    }

    @GET
    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    public ClientRepresentation getClient() {
        this.auth.clients().requireView(this.client);
        ClientRepresentation representation = ModelToRepresentation.toRepresentation(this.client, this.session);
        representation.setAccess(this.auth.clients().getAccess(this.client));
        return representation;
    }

    @Path("certificates/{attr}")
    public ClientAttributeCertificateResource getCertficateResource(@PathParam("attr") String str) {
        return new ClientAttributeCertificateResource(this.realm, this.auth, this.client, this.session, str, this.adminEvent);
    }

    @GET
    @NoCache
    @Path("installation/providers/{providerId}")
    public Response getInstallationProvider(@PathParam("providerId") String str) {
        this.auth.clients().requireView(this.client);
        ClientInstallationProvider provider = this.session.getProvider(ClientInstallationProvider.class, str);
        if (provider == null) {
            throw new NotFoundException("Unknown Provider");
        }
        return provider.generateInstallation(this.session, this.realm, this.client, this.keycloak.getBaseUri(this.session.getContext().getUri()));
    }

    @NoCache
    @DELETE
    public void deleteClient() {
        this.auth.clients().requireManage(this.client);
        if (this.client == null) {
            throw new NotFoundException("Could not find client");
        }
        new ClientManager(new RealmManager(this.session)).removeClient(this.realm, this.client);
        this.adminEvent.operation(OperationType.DELETE).resourcePath((UriInfo) this.session.getContext().getUri()).success();
    }

    @Path(ClientIdAndSecretAuthenticator.PROVIDER_ID)
    @Consumes({MediaType.APPLICATION_JSON})
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public CredentialRepresentation regenerateSecret() {
        this.auth.clients().requireConfigure(this.client);
        logger.debug("regenerateSecret");
        CredentialRepresentation representation = ModelToRepresentation.toRepresentation(KeycloakModelUtils.generateSecret(this.client));
        this.adminEvent.operation(OperationType.ACTION).resourcePath((UriInfo) this.session.getContext().getUri()).representation(representation).success();
        return representation;
    }

    @Path("registration-access-token")
    @Consumes({MediaType.APPLICATION_JSON})
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public ClientRepresentation regenerateRegistrationAccessToken() {
        this.auth.clients().requireManage(this.client);
        String updateRegistrationAccessToken = ClientRegistrationTokenUtils.updateRegistrationAccessToken(this.session, this.realm, this.client, RegistrationAuth.AUTHENTICATED);
        ClientRepresentation representation = ModelToRepresentation.toRepresentation(this.client, this.session);
        representation.setRegistrationAccessToken(updateRegistrationAccessToken);
        this.adminEvent.operation(OperationType.ACTION).resourcePath((UriInfo) this.session.getContext().getUri()).representation(representation).success();
        return representation;
    }

    @GET
    @Path(ClientIdAndSecretAuthenticator.PROVIDER_ID)
    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    public CredentialRepresentation getClientSecret() {
        this.auth.clients().requireView(this.client);
        logger.debug("getClientSecret");
        UserCredentialModel secret = UserCredentialModel.secret(this.client.getSecret());
        if (secret == null) {
            throw new NotFoundException("Client does not have a secret");
        }
        return ModelToRepresentation.toRepresentation(secret);
    }

    @Path("scope-mappings")
    public ScopeMappedResource getScopeMappedResource() {
        return new ScopeMappedResource(this.realm, this.auth, this.client, this.session, this.adminEvent, () -> {
            this.auth.clients().requireManage(this.client);
        }, () -> {
            this.auth.clients().requireView(this.client);
        });
    }

    @Path("roles")
    public RoleContainerResource getRoleContainerResource() {
        return new RoleContainerResource(this.session, this.session.getContext().getUri(), this.realm, this.auth, this.client, this.adminEvent);
    }

    @GET
    @NoCache
    @Path("default-client-scopes")
    @Produces({MediaType.APPLICATION_JSON})
    public List<ClientScopeRepresentation> getDefaultClientScopes() {
        return getDefaultClientScopes(true);
    }

    private List<ClientScopeRepresentation> getDefaultClientScopes(boolean z) {
        this.auth.clients().requireView(this.client);
        LinkedList linkedList = new LinkedList();
        for (ClientScopeModel clientScopeModel : this.client.getClientScopes(z, true).values()) {
            ClientScopeRepresentation clientScopeRepresentation = new ClientScopeRepresentation();
            clientScopeRepresentation.setId(clientScopeModel.getId());
            clientScopeRepresentation.setName(clientScopeModel.getName());
            linkedList.add(clientScopeRepresentation);
        }
        return linkedList;
    }

    @NoCache
    @Path("default-client-scopes/{clientScopeId}")
    @PUT
    public void addDefaultClientScope(@PathParam("clientScopeId") String str) {
        addDefaultClientScope(str, true);
    }

    private void addDefaultClientScope(String str, boolean z) {
        this.auth.clients().requireManage(this.client);
        ClientScopeModel clientScopeById = this.realm.getClientScopeById(str);
        if (clientScopeById == null) {
            throw new org.jboss.resteasy.spi.NotFoundException("Client scope not found");
        }
        this.client.addClientScope(clientScopeById, z);
        this.adminEvent.operation(OperationType.CREATE).resource(ResourceType.CLIENT).resourcePath((UriInfo) this.session.getContext().getUri()).success();
    }

    @NoCache
    @Path("default-client-scopes/{clientScopeId}")
    @DELETE
    public void removeDefaultClientScope(@PathParam("clientScopeId") String str) {
        this.auth.clients().requireManage(this.client);
        ClientScopeModel clientScopeById = this.realm.getClientScopeById(str);
        if (clientScopeById == null) {
            throw new org.jboss.resteasy.spi.NotFoundException("Client scope not found");
        }
        this.client.removeClientScope(clientScopeById);
        this.adminEvent.operation(OperationType.DELETE).resource(ResourceType.CLIENT).resourcePath((UriInfo) this.session.getContext().getUri()).success();
    }

    @GET
    @NoCache
    @Path("optional-client-scopes")
    @Produces({MediaType.APPLICATION_JSON})
    public List<ClientScopeRepresentation> getOptionalClientScopes() {
        return getDefaultClientScopes(false);
    }

    @NoCache
    @Path("optional-client-scopes/{clientScopeId}")
    @PUT
    public void addOptionalClientScope(@PathParam("clientScopeId") String str) {
        addDefaultClientScope(str, false);
    }

    @NoCache
    @Path("optional-client-scopes/{clientScopeId}")
    @DELETE
    public void removeOptionalClientScope(@PathParam("clientScopeId") String str) {
        removeDefaultClientScope(str);
    }

    @Path("evaluate-scopes")
    public ClientScopeEvaluateResource clientScopeEvaluateResource() {
        return new ClientScopeEvaluateResource(this.session, this.session.getContext().getUri(), this.realm, this.auth, this.client, this.clientConnection);
    }

    @GET
    @Path("service-account-user")
    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    public UserRepresentation getServiceAccountUser() {
        this.auth.clients().requireView(this.client);
        UserModel serviceAccount = this.session.users().getServiceAccount(this.client);
        if (serviceAccount == null) {
            if (!this.client.isServiceAccountsEnabled()) {
                throw new BadRequestException("Service account not enabled for the client '" + this.client.getClientId() + "'");
            }
            new ClientManager(new RealmManager(this.session)).enableServiceAccount(this.client);
            serviceAccount = this.session.users().getServiceAccount(this.client);
        }
        return ModelToRepresentation.toRepresentation(this.session, this.realm, serviceAccount);
    }

    @POST
    @Produces({MediaType.APPLICATION_JSON})
    @Path("push-revocation")
    public GlobalRequestResult pushRevocation() {
        this.auth.clients().requireConfigure(this.client);
        this.adminEvent.operation(OperationType.ACTION).resourcePath((UriInfo) this.session.getContext().getUri()).resource(ResourceType.CLIENT).success();
        return new ResourceAdminManager(this.session).pushClientRevocationPolicy(this.session.getContext().getUri().getRequestUri(), this.realm, this.client);
    }

    @GET
    @Path("session-count")
    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    public Map<String, Long> getApplicationSessionCount() {
        this.auth.clients().requireView(this.client);
        HashMap hashMap = new HashMap();
        hashMap.put("count", Long.valueOf(this.session.sessions().getActiveUserSessions(this.client.getRealm(), this.client)));
        return hashMap;
    }

    @GET
    @Path("user-sessions")
    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    public List<UserSessionRepresentation> getUserSessions(@QueryParam("first") Integer num, @QueryParam("max") Integer num2) {
        this.auth.clients().requireView(this.client);
        Integer valueOf = Integer.valueOf(num != null ? num.intValue() : -1);
        Integer valueOf2 = Integer.valueOf(num2 != null ? num2.intValue() : 100);
        ArrayList arrayList = new ArrayList();
        Iterator it = this.session.sessions().getUserSessions(this.client.getRealm(), this.client, valueOf.intValue(), valueOf2.intValue()).iterator();
        while (it.hasNext()) {
            arrayList.add(ModelToRepresentation.toRepresentation((UserSessionModel) it.next()));
        }
        return arrayList;
    }

    @GET
    @Path("offline-session-count")
    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    public Map<String, Long> getOfflineSessionCount() {
        this.auth.clients().requireView(this.client);
        HashMap hashMap = new HashMap();
        hashMap.put("count", Long.valueOf(this.session.sessions().getOfflineSessionsCount(this.client.getRealm(), this.client)));
        return hashMap;
    }

    @GET
    @Path("offline-sessions")
    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    public List<UserSessionRepresentation> getOfflineUserSessions(@QueryParam("first") Integer num, @QueryParam("max") Integer num2) {
        this.auth.clients().requireView(this.client);
        Integer valueOf = Integer.valueOf(num != null ? num.intValue() : -1);
        Integer valueOf2 = Integer.valueOf(num2 != null ? num2.intValue() : 100);
        ArrayList arrayList = new ArrayList();
        for (UserSessionModel userSessionModel : this.session.sessions().getOfflineUserSessions(this.client.getRealm(), this.client, valueOf.intValue(), valueOf2.intValue())) {
            UserSessionRepresentation representation = ModelToRepresentation.toRepresentation(userSessionModel);
            Iterator it = userSessionModel.getAuthenticatedClientSessions().entrySet().iterator();
            while (true) {
                if (it.hasNext()) {
                    Map.Entry entry = (Map.Entry) it.next();
                    String str = (String) entry.getKey();
                    AuthenticatedClientSessionModel authenticatedClientSessionModel = (AuthenticatedClientSessionModel) entry.getValue();
                    if (this.client.getId().equals(str)) {
                        representation.setLastAccess(Time.toMillis(authenticatedClientSessionModel.getTimestamp()));
                        break;
                    }
                }
            }
            arrayList.add(representation);
        }
        return arrayList;
    }

    @POST
    @Path("nodes")
    @Consumes({MediaType.APPLICATION_JSON})
    public void registerNode(Map<String, String> map) {
        this.auth.clients().requireConfigure(this.client);
        String str = map.get("node");
        if (str == null) {
            throw new BadRequestException("Node not found in params");
        }
        if (logger.isDebugEnabled()) {
            logger.debug("Register node: " + str);
        }
        this.client.registerNode(str, Time.currentTime());
        this.adminEvent.operation(OperationType.CREATE).resource(ResourceType.CLUSTER_NODE).resourcePath(this.session.getContext().getUri(), str).success();
    }

    @Path("nodes/{node}")
    @NoCache
    @DELETE
    public void unregisterNode(@PathParam("node") String str) {
        this.auth.clients().requireConfigure(this.client);
        if (logger.isDebugEnabled()) {
            logger.debug("Unregister node: " + str);
        }
        if (((Integer) this.client.getRegisteredNodes().get(str)) == null) {
            throw new NotFoundException("Client does not have node ");
        }
        this.client.unregisterNode(str);
        this.adminEvent.operation(OperationType.DELETE).resource(ResourceType.CLUSTER_NODE).resourcePath((UriInfo) this.session.getContext().getUri()).success();
    }

    @GET
    @Path("test-nodes-available")
    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    public GlobalRequestResult testNodesAvailable() {
        this.auth.clients().requireConfigure(this.client);
        logger.debug("Test availability of cluster nodes");
        GlobalRequestResult testNodesAvailability = new ResourceAdminManager(this.session).testNodesAvailability(this.session.getContext().getUri().getRequestUri(), this.realm, this.client);
        this.adminEvent.operation(OperationType.ACTION).resource(ResourceType.CLUSTER_NODE).resourcePath((UriInfo) this.session.getContext().getUri()).representation(testNodesAvailability).success();
        return testNodesAvailability;
    }

    @Path("/authz")
    public AuthorizationService authorization() {
        AuthorizationService authorizationService = new AuthorizationService(this.session, this.client, this.auth, this.adminEvent);
        ResteasyProviderFactory.getInstance().injectProperties(authorizationService);
        return authorizationService;
    }

    @GET
    @Path("management/permissions")
    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    public ManagementPermissionReference getManagementPermissions() {
        this.auth.roles().requireView((RoleContainerModel) this.client);
        AdminPermissionManagement management = AdminPermissions.management(this.session, this.realm);
        return !management.clients().isPermissionsEnabled(this.client) ? new ManagementPermissionReference() : toMgmtRef(this.client, management);
    }

    public static ManagementPermissionReference toMgmtRef(ClientModel clientModel, AdminPermissionManagement adminPermissionManagement) {
        ManagementPermissionReference managementPermissionReference = new ManagementPermissionReference();
        managementPermissionReference.setEnabled(true);
        managementPermissionReference.setResource(adminPermissionManagement.clients().resource(clientModel).getId());
        managementPermissionReference.setScopePermissions(adminPermissionManagement.clients().getPermissions(clientModel));
        return managementPermissionReference;
    }

    @Path("management/permissions")
    @NoCache
    @Consumes({MediaType.APPLICATION_JSON})
    @Produces({MediaType.APPLICATION_JSON})
    @PUT
    public ManagementPermissionReference setManagementPermissionsEnabled(ManagementPermissionReference managementPermissionReference) {
        this.auth.clients().requireManage(this.client);
        AdminPermissionManagement management = AdminPermissions.management(this.session, this.realm);
        management.clients().setPermissionsEnabled(this.client, managementPermissionReference.isEnabled());
        return managementPermissionReference.isEnabled() ? toMgmtRef(this.client, management) : new ManagementPermissionReference();
    }

    private void updateClientFromRep(ClientRepresentation clientRepresentation, ClientModel clientModel, KeycloakSession keycloakSession) throws ModelDuplicateException {
        UserModel serviceAccount = this.session.users().getServiceAccount(clientModel);
        if (Boolean.TRUE.equals(clientRepresentation.isServiceAccountsEnabled())) {
            if (serviceAccount == null) {
                new ClientManager(new RealmManager(keycloakSession)).enableServiceAccount(clientModel);
            }
        } else if (serviceAccount != null) {
            new UserManager(keycloakSession).removeUser(this.realm, serviceAccount);
        }
        if (!clientRepresentation.getClientId().equals(clientModel.getClientId())) {
            new ClientManager(new RealmManager(keycloakSession)).clientIdChanged(clientModel, clientRepresentation.getClientId());
        }
        if (clientRepresentation.isFullScopeAllowed() != null && clientRepresentation.isFullScopeAllowed().booleanValue() != clientModel.isFullScopeAllowed()) {
            this.auth.clients().requireManage(clientModel);
        }
        RepresentationToModel.updateClient(clientRepresentation, clientModel);
    }

    private void updateAuthorizationSettings(ClientRepresentation clientRepresentation) {
        if (Boolean.TRUE.equals(clientRepresentation.getAuthorizationServicesEnabled())) {
            authorization().enable(false);
        } else {
            authorization().disable();
        }
    }
}
