package org.keycloak.services.resources.admin;

import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.DELETE;
import jakarta.ws.rs.DefaultValue;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.PUT;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriInfo;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Stream;
import org.eclipse.microprofile.openapi.annotations.Operation;
import org.eclipse.microprofile.openapi.annotations.extensions.Extension;
import org.eclipse.microprofile.openapi.annotations.parameters.Parameter;
import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
import org.eclipse.microprofile.openapi.annotations.tags.Tag;
import org.jboss.resteasy.reactive.NoCache;
import org.keycloak.common.Profile;
import org.keycloak.common.util.Encode;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleContainerModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.representations.idm.ManagementPermissionReference;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.services.ErrorResponse;
import org.keycloak.services.resources.KeycloakOpenAPI;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
import org.keycloak.services.resources.admin.permissions.AdminPermissionManagement;
import org.keycloak.services.resources.admin.permissions.AdminPermissions;
import org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator;
import org.keycloak.utils.MediaType;
import org.keycloak.utils.ProfileHelper;

@Extension(name = KeycloakOpenAPI.Profiles.ADMIN, value = "")
/* loaded from: input_file:org/keycloak/services/resources/admin/RoleContainerResource.class */
public class RoleContainerResource extends RoleResource {
    private final RealmModel realm;
    protected AdminPermissionEvaluator auth;
    protected RoleContainerModel roleContainer;
    private AdminEventBuilder adminEvent;
    private UriInfo uriInfo;
    private KeycloakSession session;

    public RoleContainerResource(KeycloakSession keycloakSession, UriInfo uriInfo, RealmModel realmModel, AdminPermissionEvaluator adminPermissionEvaluator, RoleContainerModel roleContainerModel, AdminEventBuilder adminEventBuilder) {
        super(realmModel);
        this.uriInfo = uriInfo;
        this.realm = realmModel;
        this.auth = adminPermissionEvaluator;
        this.roleContainer = roleContainerModel;
        this.adminEvent = adminEventBuilder;
        this.session = keycloakSession;
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLES)
    @Operation(summary = "Get all roles for the realm or client")
    @GET
    public Stream<RoleRepresentation> getRoles(@QueryParam("search") @DefaultValue("") String str, @QueryParam("first") Integer num, @QueryParam("max") Integer num2, @QueryParam("briefRepresentation") @DefaultValue("true") boolean z) {
        this.auth.roles().requireList(this.roleContainer);
        return ((str == null || str.trim().length() <= 0) ? (Objects.isNull(num) || Objects.isNull(num2)) ? this.roleContainer.getRolesStream() : this.roleContainer.getRolesStream(num, num2) : this.roleContainer.searchForRolesStream(str, num, num2)).map(z ? ModelToRepresentation::toBriefRepresentation : ModelToRepresentation::toRepresentation);
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLES)
    @Operation(summary = "Create a new role for the realm or client")
    @POST
    @Consumes({MediaType.APPLICATION_JSON})
    public Response createRole(RoleRepresentation roleRepresentation) {
        this.auth.roles().requireManage(this.roleContainer);
        if (roleRepresentation.getName() == null) {
            throw new BadRequestException("role has no name");
        }
        try {
            RoleModel addRole = this.roleContainer.addRole(roleRepresentation.getName());
            addRole.setDescription(roleRepresentation.getDescription());
            Map attributes = roleRepresentation.getAttributes();
            if (attributes != null) {
                for (Map.Entry entry : attributes.entrySet()) {
                    addRole.setAttribute((String) entry.getKey(), (List) entry.getValue());
                }
            }
            roleRepresentation.setId(addRole.getId());
            if (addRole.isClientRole()) {
                this.adminEvent.resource(ResourceType.CLIENT_ROLE);
            } else {
                this.adminEvent.resource(ResourceType.REALM_ROLE);
            }
            if (roleRepresentation.isComposite() && roleRepresentation.getComposites() != null) {
                RoleRepresentation.Composites composites = roleRepresentation.getComposites();
                Set<String> realm = composites.getRealm();
                if (realm != null && !realm.isEmpty()) {
                    LinkedHashSet linkedHashSet = new LinkedHashSet();
                    for (String str : realm) {
                        RoleModel role = this.realm.getRole(str);
                        if (role == null) {
                            throw ErrorResponse.error("Realm Role with name " + str + " does not exist", Response.Status.NOT_FOUND);
                        }
                        linkedHashSet.add(role);
                    }
                    Stream stream = linkedHashSet.stream();
                    RolePermissionEvaluator roles = this.auth.roles();
                    Objects.requireNonNull(roles);
                    Stream peek = stream.peek(roles::requireMapComposite);
                    Objects.requireNonNull(addRole);
                    peek.forEach(addRole::addCompositeRole);
                }
                Map client = composites.getClient();
                if (client != null && !client.isEmpty()) {
                    for (Map.Entry entry2 : client.entrySet()) {
                        String str2 = (String) entry2.getKey();
                        List<String> list = (List) entry2.getValue();
                        ClientModel clientByClientId = this.realm.getClientByClientId(str2);
                        if (clientByClientId != null) {
                            LinkedHashSet linkedHashSet2 = new LinkedHashSet();
                            for (String str3 : list) {
                                RoleModel role2 = clientByClientId.getRole(str3);
                                if (role2 == null) {
                                    throw ErrorResponse.error("Client Role with name " + str3 + " does not exist", Response.Status.NOT_FOUND);
                                }
                                linkedHashSet2.add(role2);
                            }
                            Stream stream2 = linkedHashSet2.stream();
                            RolePermissionEvaluator roles2 = this.auth.roles();
                            Objects.requireNonNull(roles2);
                            Stream peek2 = stream2.peek(roles2::requireMapComposite);
                            Objects.requireNonNull(addRole);
                            peek2.forEach(addRole::addCompositeRole);
                        }
                    }
                }
            }
            this.adminEvent.operation(OperationType.CREATE).resourcePath(this.uriInfo, addRole.getName()).representation(roleRepresentation).success();
            return Response.created(this.uriInfo.getAbsolutePathBuilder().path(Encode.encodePathSegmentAsIs(addRole.getName())).build(new Object[0])).build();
        } catch (ModelDuplicateException e) {
            throw ErrorResponse.exists("Role with name " + roleRepresentation.getName() + " already exists");
        }
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLES)
    @Operation(summary = "Get a role by name")
    @Path("{role-name}")
    @GET
    public RoleRepresentation getRole(@Parameter(description = "role's name (not id!)") @PathParam("role-name") String str) {
        this.auth.roles().requireView(this.roleContainer);
        RoleModel role = this.roleContainer.getRole(str);
        if (role == null) {
            throw new NotFoundException("Could not find role");
        }
        return getRole(role);
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLES)
    @Operation(summary = "Delete a role by name")
    @Path("{role-name}")
    @DELETE
    public void deleteRole(@Parameter(description = "role's name (not id!)") @PathParam("role-name") String str) {
        this.auth.roles().requireManage(this.roleContainer);
        RoleModel role = this.roleContainer.getRole(str);
        if (role == null) {
            throw new NotFoundException("Could not find role");
        }
        if (this.realm.getDefaultRole().getId().equals(role.getId())) {
            throw ErrorResponse.error(str + " is default role of the realm and cannot be removed.", Response.Status.BAD_REQUEST);
        }
        deleteRole(role);
        if (role.isClientRole()) {
            this.adminEvent.resource(ResourceType.CLIENT_ROLE);
        } else {
            this.adminEvent.resource(ResourceType.REALM_ROLE);
        }
        this.adminEvent.operation(OperationType.DELETE).resourcePath(this.uriInfo).success();
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLES)
    @Operation(summary = "Update a role by name")
    @PUT
    @Path("{role-name}")
    @Consumes({MediaType.APPLICATION_JSON})
    public Response updateRole(@Parameter(description = "role's name (not id!)") @PathParam("role-name") String str, RoleRepresentation roleRepresentation) {
        this.auth.roles().requireManage(this.roleContainer);
        RoleModel role = this.roleContainer.getRole(str);
        if (role == null) {
            throw new NotFoundException("Could not find role");
        }
        try {
            updateRole(roleRepresentation, role, this.realm, this.session);
            if (role.isClientRole()) {
                this.adminEvent.resource(ResourceType.CLIENT_ROLE);
            } else {
                this.adminEvent.resource(ResourceType.REALM_ROLE);
            }
            this.adminEvent.operation(OperationType.UPDATE).resourcePath(this.uriInfo).representation(roleRepresentation).success();
            return Response.noContent().build();
        } catch (ModelDuplicateException e) {
            throw ErrorResponse.exists("Role with name " + roleRepresentation.getName() + " already exists");
        }
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLES)
    @Operation(summary = "Add a composite to the role")
    @APIResponse(responseCode = "204", description = "No Content")
    @POST
    @Path("{role-name}/composites")
    @Consumes({MediaType.APPLICATION_JSON})
    public void addComposites(@Parameter(description = "role's name (not id!)") @PathParam("role-name") String str, List<RoleRepresentation> list) {
        this.auth.roles().requireManage(this.roleContainer);
        RoleModel role = this.roleContainer.getRole(str);
        if (role == null) {
            throw new NotFoundException("Could not find role");
        }
        addComposites(this.auth, this.adminEvent, this.uriInfo, list, role);
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLES)
    @Operation(summary = "Get composites of the role")
    @Path("{role-name}/composites")
    @GET
    public Stream<RoleRepresentation> getRoleComposites(@Parameter(description = "role's name (not id!)") @PathParam("role-name") String str) {
        this.auth.roles().requireView(this.roleContainer);
        RoleModel role = this.roleContainer.getRole(str);
        if (role == null) {
            throw new NotFoundException("Could not find role");
        }
        return role.getCompositesStream().map(ModelToRepresentation::toBriefRepresentation);
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLES)
    @Operation(summary = "Get realm-level roles of the role's composite")
    @Path("{role-name}/composites/realm")
    @GET
    public Stream<RoleRepresentation> getRealmRoleComposites(@Parameter(description = "role's name (not id!)") @PathParam("role-name") String str) {
        this.auth.roles().requireView(this.roleContainer);
        RoleModel role = this.roleContainer.getRole(str);
        if (role == null) {
            throw new NotFoundException("Could not find role");
        }
        return getRealmRoleComposites(role);
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLES)
    @Operation(summary = "Get client-level roles for the client that are in the role's composite")
    @Path("{role-name}/composites/clients/{client-uuid}")
    @GET
    public Stream<RoleRepresentation> getClientRoleComposites(@Parameter(description = "role's name (not id!)") @PathParam("role-name") String str, @PathParam("client-uuid") String str2) {
        this.auth.roles().requireView(this.roleContainer);
        RoleModel role = this.roleContainer.getRole(str);
        if (role == null) {
            throw new NotFoundException("Could not find role");
        }
        ClientModel clientById = this.realm.getClientById(str2);
        if (clientById == null) {
            throw new NotFoundException("Could not find client");
        }
        return getClientRoleComposites(clientById, role);
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLES)
    @Operation(summary = "Remove roles from the role's composite")
    @Path("{role-name}/composites")
    @DELETE
    @Consumes({MediaType.APPLICATION_JSON})
    public void deleteComposites(@Parameter(description = "role's name (not id!)") @PathParam("role-name") String str, @Parameter(description = "roles to remove") List<RoleRepresentation> list) {
        this.auth.roles().requireManage(this.roleContainer);
        RoleModel role = this.roleContainer.getRole(str);
        if (role == null) {
            throw new NotFoundException("Could not find role");
        }
        deleteComposites(this.adminEvent, this.uriInfo, list, role);
    }

    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLES)
    @Operation(summary = "Return object stating whether role Authorization permissions have been initialized or not and a reference")
    @Path("{role-name}/management/permissions")
    @GET
    public ManagementPermissionReference getManagementPermissions(@PathParam("role-name") String str) {
        ProfileHelper.requireFeature(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ);
        this.auth.roles().requireView(this.roleContainer);
        RoleModel role = this.roleContainer.getRole(str);
        if (role == null) {
            throw new NotFoundException("Could not find role");
        }
        AdminPermissionManagement management = AdminPermissions.management(this.session, this.realm);
        return !management.roles().isPermissionsEnabled(role) ? new ManagementPermissionReference() : RoleByIdResource.toMgmtRef(role, management);
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLES)
    @Path("{role-name}/management/permissions")
    @Consumes({MediaType.APPLICATION_JSON})
    @Produces({MediaType.APPLICATION_JSON})
    @Operation(summary = "Return object stating whether role Authorization permissions have been initialized or not and a reference")
    @PUT
    public ManagementPermissionReference setManagementPermissionsEnabled(@PathParam("role-name") String str, ManagementPermissionReference managementPermissionReference) {
        ProfileHelper.requireFeature(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ);
        this.auth.roles().requireManage(this.roleContainer);
        RoleModel role = this.roleContainer.getRole(str);
        if (role == null) {
            throw new NotFoundException("Could not find role");
        }
        AdminPermissionManagement management = AdminPermissions.management(this.session, this.realm);
        management.roles().setPermissionsEnabled(role, managementPermissionReference.isEnabled());
        return managementPermissionReference.isEnabled() ? RoleByIdResource.toMgmtRef(role, management) : new ManagementPermissionReference();
    }

    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLES)
    @Operation(summary = "Returns a stream of users that have the specified role name.")
    @Path("{role-name}/users")
    @GET
    public Stream<UserRepresentation> getUsersInRole(@Parameter(description = "the role name.") @PathParam("role-name") String str, @Parameter(description = "Boolean which defines whether brief representations are returned (default: false)") @QueryParam("briefRepresentation") Boolean bool, @Parameter(description = "first result to return. Ignored if negative or {@code null}.") @QueryParam("first") Integer num, @Parameter(description = "maximum number of results to return. Ignored if negative or {@code null}.") @QueryParam("max") Integer num2) {
        this.auth.roles().requireView(this.roleContainer);
        Integer valueOf = Integer.valueOf(num != null ? num.intValue() : 0);
        Integer valueOf2 = Integer.valueOf(num2 != null ? num2.intValue() : 100);
        RoleModel role = this.roleContainer.getRole(str);
        if (role == null) {
            throw new NotFoundException("Could not find role");
        }
        return this.session.users().getRoleMembersStream(this.realm, role, valueOf, valueOf2).map((bool == null || !bool.booleanValue()) ? userModel -> {
            return ModelToRepresentation.toRepresentation(this.session, this.realm, userModel);
        } : ModelToRepresentation::toBriefRepresentation);
    }

    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.ROLES)
    @Operation(summary = "Returns a stream of groups that have the specified role name")
    @Path("{role-name}/groups")
    @GET
    public Stream<GroupRepresentation> getGroupsInRole(@Parameter(description = "the role name.") @PathParam("role-name") String str, @Parameter(description = "first result to return. Ignored if negative or {@code null}.") @QueryParam("first") Integer num, @Parameter(description = "maximum number of results to return. Ignored if negative or {@code null}.") @QueryParam("max") Integer num2, @Parameter(description = "if false, return a full representation of the {@code GroupRepresentation} objects.") @QueryParam("briefRepresentation") @DefaultValue("true") boolean z) {
        this.auth.roles().requireView(this.roleContainer);
        Integer valueOf = Integer.valueOf(num != null ? num.intValue() : 0);
        Integer valueOf2 = Integer.valueOf(num2 != null ? num2.intValue() : 100);
        RoleModel role = this.roleContainer.getRole(str);
        if (role == null) {
            throw new NotFoundException("Could not find role");
        }
        return this.session.groups().getGroupsByRoleStream(this.realm, role, valueOf, valueOf2).map(groupModel -> {
            return ModelToRepresentation.toRepresentation(groupModel, !z);
        });
    }
}
