package org.keycloak.services.resources.admin;

import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;
import java.text.MessageFormat;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.eclipse.microprofile.openapi.annotations.Operation;
import org.eclipse.microprofile.openapi.annotations.enums.SchemaType;
import org.eclipse.microprofile.openapi.annotations.extensions.Extension;
import org.eclipse.microprofile.openapi.annotations.media.Content;
import org.eclipse.microprofile.openapi.annotations.media.Schema;
import org.eclipse.microprofile.openapi.annotations.parameters.Parameter;
import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
import org.eclipse.microprofile.openapi.annotations.responses.APIResponses;
import org.eclipse.microprofile.openapi.annotations.tags.Tag;
import org.jboss.logging.Logger;
import org.jboss.resteasy.reactive.NoCache;
import org.keycloak.authorization.AdminPermissionsSchema;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.Profile;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.keys.Attributes;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.ModelException;
import org.keycloak.models.ModelIllegalStateException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.light.LightweightUserAdapter;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.policy.PasswordPolicyNotMetException;
import org.keycloak.protocol.oidc.OIDCLoginProtocolFactory;
import org.keycloak.representations.idm.ErrorRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.services.ErrorResponse;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.resources.KeycloakOpenAPI;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
import org.keycloak.services.resources.admin.permissions.UserPermissionEvaluator;
import org.keycloak.userprofile.UserProfile;
import org.keycloak.userprofile.UserProfileContext;
import org.keycloak.userprofile.UserProfileProvider;
import org.keycloak.utils.MediaType;
import org.keycloak.utils.SearchQueryUtils;

@Extension(name = KeycloakOpenAPI.Profiles.ADMIN, value = "")
/* loaded from: input_file:org/keycloak/services/resources/admin/UsersResource.class */
public class UsersResource {
    private static final Logger logger = Logger.getLogger(UsersResource.class);
    private static final String SEARCH_ID_PARAMETER = "id:";
    protected final RealmModel realm;
    private final AdminPermissionEvaluator auth;
    private final AdminEventBuilder adminEvent;
    protected final ClientConnection clientConnection;
    protected final KeycloakSession session;
    protected final HttpHeaders headers;

    public UsersResource(KeycloakSession keycloakSession, AdminPermissionEvaluator adminPermissionEvaluator, AdminEventBuilder adminEventBuilder) {
        this.session = keycloakSession;
        this.clientConnection = keycloakSession.getContext().getConnection();
        this.auth = adminPermissionEvaluator;
        this.realm = keycloakSession.getContext().getRealm();
        this.adminEvent = adminEventBuilder.resource(ResourceType.USER);
        this.headers = keycloakSession.getContext().getRequestHeaders();
    }

    @APIResponses({@APIResponse(responseCode = "201", description = "Created"), @APIResponse(responseCode = "400", description = "Bad Request", content = {@Content(schema = @Schema(implementation = ErrorRepresentation.class))}), @APIResponse(responseCode = "403", description = "Forbidden"), @APIResponse(responseCode = "409", description = "Conflict", content = {@Content(schema = @Schema(implementation = ErrorRepresentation.class))}), @APIResponse(responseCode = "500", description = "Internal Server Error", content = {@Content(schema = @Schema(implementation = ErrorRepresentation.class))})})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Create a new user Username must be unique.")
    @POST
    @Consumes({MediaType.APPLICATION_JSON})
    public Response createUser(UserRepresentation userRepresentation) {
        try {
            this.auth.users().requireManage();
        } catch (ForbiddenException e) {
            if (!canCreateGroupMembers(userRepresentation)) {
                throw e;
            }
        }
        userRepresentation.getUsername();
        if (this.realm.isRegistrationEmailAsUsername()) {
            userRepresentation.getEmail();
        }
        UserProfile create = this.session.getProvider(UserProfileProvider.class).create(UserProfileContext.USER_API, userRepresentation.getRawAttributes());
        try {
            Response validateUserProfile = UserResource.validateUserProfile(create, this.session, this.auth.adminAuth());
            if (validateUserProfile != null) {
                return validateUserProfile;
            }
            UserModel create2 = create.create();
            UserResource.updateUserFromRep(create, create2, userRepresentation, this.session, false);
            RepresentationToModel.createFederatedIdentities(userRepresentation, this.session, this.realm, create2);
            RepresentationToModel.createGroups(this.session, userRepresentation, this.realm, create2);
            RepresentationToModel.createCredentials(userRepresentation, this.session, this.realm, create2, true);
            this.adminEvent.operation(OperationType.CREATE).resourcePath(this.session.getContext().getUri(), create2.getId()).representation(userRepresentation).success();
            return Response.created(this.session.getContext().getUri().getAbsolutePathBuilder().path(create2.getId()).build(new Object[0])).build();
        } catch (PasswordPolicyNotMetException e2) {
            logger.warn("Password policy not met for user " + e2.getUsername(), e2);
            throw new ErrorResponseException(e2.getMessage(), MessageFormat.format(AdminRoot.getMessages(this.session, this.realm, this.auth.adminAuth().getToken().getLocale()).getProperty(e2.getMessage(), e2.getMessage()), e2.getParameters()), Response.Status.BAD_REQUEST);
        } catch (ModelException e3) {
            logger.warn("Could not create user", e3);
            throw ErrorResponse.error("Could not create user", Response.Status.BAD_REQUEST);
        } catch (ModelIllegalStateException e4) {
            logger.error(e4.getMessage(), e4);
            throw ErrorResponse.error(e4.getMessage(), Response.Status.INTERNAL_SERVER_ERROR);
        } catch (ModelDuplicateException e5) {
            throw ErrorResponse.exists("User exists with same username or email");
        }
    }

    private boolean canCreateGroupMembers(UserRepresentation userRepresentation) {
        if (!Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ) && !Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ_V2)) {
            return false;
        }
        List<GroupModel> list = (List) ((List) Optional.ofNullable(userRepresentation.getGroups()).orElse(Collections.emptyList())).stream().map(str -> {
            return KeycloakModelUtils.findGroupByPath(this.session, this.realm, str);
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).collect(Collectors.toList());
        if (list.isEmpty()) {
            return false;
        }
        for (GroupModel groupModel : list) {
            this.auth.groups().requireManageMembers(groupModel);
            this.auth.groups().requireManageMembership(groupModel);
        }
        return true;
    }

    @Path("{user-id}")
    public UserResource user(@PathParam("user-id") String str) {
        UserModel userModel = null;
        if (LightweightUserAdapter.isLightweightUser(str)) {
            UserSessionModel userSession = this.session.sessions().getUserSession(this.realm, LightweightUserAdapter.getLightweightUserId(str));
            if (userSession != null) {
                userModel = userSession.getUser();
            }
        } else {
            userModel = this.session.users().getUserById(this.realm, str);
        }
        if (userModel != null) {
            return new UserResource(this.session, userModel, this.auth, this.adminEvent);
        }
        if (this.auth.users().canQuery()) {
            throw new NotFoundException("User not found");
        }
        throw new ForbiddenException();
    }

    @APIResponses({@APIResponse(responseCode = "200", description = "OK", content = {@Content(schema = @Schema(implementation = UserRepresentation.class, type = SchemaType.ARRAY))}), @APIResponse(responseCode = "403", description = "Forbidden")})
    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Get users Returns a stream of users, filtered according to query parameters.")
    @GET
    public Stream<UserRepresentation> getUsers(@Parameter(description = "A String contained in username, first or last name, or email. Default search behavior is prefix-based (e.g., foo or foo*). Use *foo* for infix search and \"foo\" for exact search.") @QueryParam("search") String str, @Parameter(description = "A String contained in lastName, or the complete lastName, if param \"exact\" is true") @QueryParam("lastName") String str2, @Parameter(description = "A String contained in firstName, or the complete firstName, if param \"exact\" is true") @QueryParam("firstName") String str3, @Parameter(description = "A String contained in email, or the complete email, if param \"exact\" is true") @QueryParam("email") String str4, @Parameter(description = "A String contained in username, or the complete username, if param \"exact\" is true") @QueryParam("username") String str5, @Parameter(description = "whether the email has been verified") @QueryParam("emailVerified") Boolean bool, @Parameter(description = "The alias of an Identity Provider linked to the user") @QueryParam("idpAlias") String str6, @Parameter(description = "The userId at an Identity Provider linked to the user") @QueryParam("idpUserId") String str7, @Parameter(description = "Pagination offset") @QueryParam("first") Integer num, @Parameter(description = "Maximum results size (defaults to 100)") @QueryParam("max") Integer num2, @Parameter(description = "Boolean representing if user is enabled or not") @QueryParam("enabled") Boolean bool2, @Parameter(description = "Boolean which defines whether brief representations are returned (default: false)") @QueryParam("briefRepresentation") Boolean bool3, @Parameter(description = "Boolean which defines whether the params \"last\", \"first\", \"email\" and \"username\" must match exactly") @QueryParam("exact") Boolean bool4, @Parameter(description = "A query to search for custom attributes, in the format 'key1:value2 key2:value2'") @QueryParam("q") String str8) {
        UserPermissionEvaluator users = this.auth.users();
        users.requireQuery();
        Integer valueOf = Integer.valueOf(num != null ? num.intValue() : -1);
        Integer valueOf2 = Integer.valueOf(num2 != null ? num2.intValue() : 100);
        Map<String, String> emptyMap = str8 == null ? Collections.emptyMap() : SearchQueryUtils.getFields(str8);
        Stream<UserModel> empty = Stream.empty();
        if (str != null) {
            if (!str.startsWith(SEARCH_ID_PARAMETER)) {
                HashMap hashMap = new HashMap();
                hashMap.put("keycloak.session.realm.users.query.search", str.trim());
                if (bool2 != null) {
                    hashMap.put(Attributes.ENABLED_KEY, bool2.toString());
                }
                return searchForUser(hashMap, this.realm, users, bool3, valueOf, valueOf2, false);
            }
            UserModel userById = this.session.users().getUserById(this.realm, str.substring(SEARCH_ID_PARAMETER.length()).trim());
            if (userById != null) {
                empty = Stream.of(userById);
                if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(this.realm)) {
                    Objects.requireNonNull(users);
                    empty = empty.filter(users::canView);
                }
            }
            return toRepresentation(this.realm, users, bool3, empty);
        }
        if (str2 == null && str3 == null && str4 == null && str5 == null && bool == null && str6 == null && str7 == null && bool2 == null && bool4 == null && emptyMap.isEmpty()) {
            return searchForUser(new HashMap(), this.realm, users, bool3, valueOf, valueOf2, false);
        }
        HashMap hashMap2 = new HashMap();
        if (str2 != null) {
            hashMap2.put("lastName", str2);
        }
        if (str3 != null) {
            hashMap2.put("firstName", str3);
        }
        if (str4 != null) {
            hashMap2.put("email", str4);
        }
        if (str5 != null) {
            hashMap2.put("username", str5);
        }
        if (bool != null) {
            hashMap2.put("emailVerified", bool.toString());
        }
        if (str6 != null) {
            hashMap2.put("keycloak.session.realm.users.query.idp_alias", str6);
        }
        if (str7 != null) {
            hashMap2.put("keycloak.session.realm.users.query.idp_user_id", str7);
        }
        if (bool2 != null) {
            hashMap2.put(Attributes.ENABLED_KEY, bool2.toString());
        }
        if (bool4 != null) {
            hashMap2.put("keycloak.session.realm.users.query.exact", bool4.toString());
        }
        hashMap2.putAll(emptyMap);
        return searchForUser(hashMap2, this.realm, users, bool3, valueOf, valueOf2, true);
    }

    @APIResponses({@APIResponse(responseCode = "200", description = "OK", content = {@Content(schema = @Schema(implementation = Integer.class))}), @APIResponse(responseCode = "403", description = "Forbidden")})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Path("count")
    @Produces({MediaType.APPLICATION_JSON})
    @Operation(summary = "Returns the number of users that match the given criteria.", description = "It can be called in three different ways. 1. Don’t specify any criteria and pass {@code null}. The number of all users within that realm will be returned. <p> 2. If {@code search} is specified other criteria such as {@code last} will be ignored even though you set them. The {@code search} string will be matched against the first and last name, the username and the email of a user. <p> 3. If {@code search} is unspecified but any of {@code last}, {@code first}, {@code email} or {@code username} those criteria are matched against their respective fields on a user entity. Combined with a logical and.")
    @GET
    public Integer getUsersCount(@Parameter(description = "arbitrary search string for all the fields below. Default search behavior is prefix-based (e.g., foo or foo*). Use *foo* for infix search and \"foo\" for exact search.") @QueryParam("search") String str, @Parameter(description = "last name filter") @QueryParam("lastName") String str2, @Parameter(description = "first name filter") @QueryParam("firstName") String str3, @Parameter(description = "email filter") @QueryParam("email") String str4, @QueryParam("emailVerified") Boolean bool, @Parameter(description = "username filter") @QueryParam("username") String str5, @Parameter(description = "Boolean representing if user is enabled or not") @QueryParam("enabled") Boolean bool2, @QueryParam("q") String str6) {
        UserPermissionEvaluator users = this.auth.users();
        users.requireQuery();
        Map<String, String> emptyMap = str6 == null ? Collections.emptyMap() : SearchQueryUtils.getFields(str6);
        if (str != null) {
            if (str.startsWith(SEARCH_ID_PARAMETER)) {
                UserModel userById = this.session.users().getUserById(this.realm, str.substring(SEARCH_ID_PARAMETER.length()).trim());
                return Integer.valueOf((userById == null || !users.canView(userById)) ? 0 : 1);
            }
            if (!users.canView() && !AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(this.realm)) {
                return Integer.valueOf(this.session.users().getUsersCount(this.realm, str.trim(), this.auth.groups().getGroupIdsWithViewPermission()));
            }
            return Integer.valueOf(this.session.users().getUsersCount(this.realm, str.trim()));
        }
        if (str2 == null && str3 == null && str4 == null && str5 == null && bool == null && bool2 == null && emptyMap.isEmpty()) {
            if (!users.canView() && !AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(this.realm)) {
                return Integer.valueOf(this.session.users().getUsersCount(this.realm, this.auth.groups().getGroupIdsWithViewPermission()));
            }
            return Integer.valueOf(this.session.users().getUsersCount(this.realm));
        }
        HashMap hashMap = new HashMap();
        if (str2 != null) {
            hashMap.put("lastName", str2);
        }
        if (str3 != null) {
            hashMap.put("firstName", str3);
        }
        if (str4 != null) {
            hashMap.put("email", str4);
        }
        if (str5 != null) {
            hashMap.put("username", str5);
        }
        if (bool != null) {
            hashMap.put("emailVerified", bool.toString());
        }
        if (bool2 != null) {
            hashMap.put(Attributes.ENABLED_KEY, bool2.toString());
        }
        hashMap.putAll(emptyMap);
        if (!users.canView() && !AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(this.realm)) {
            return Integer.valueOf(this.session.users().getUsersCount(this.realm, hashMap, this.auth.groups().getGroupIdsWithViewPermission()));
        }
        return Integer.valueOf(this.session.users().getUsersCount(this.realm, hashMap));
    }

    @Path(OIDCLoginProtocolFactory.PROFILE_CLAIM)
    public UserProfileResource userProfile() {
        return new UserProfileResource(this.session, this.auth, this.adminEvent);
    }

    private Stream<UserRepresentation> searchForUser(Map<String, String> map, RealmModel realmModel, UserPermissionEvaluator userPermissionEvaluator, Boolean bool, Integer num, Integer num2, Boolean bool2) {
        map.put("keycloak.session.realm.users.query.include_service_account", bool2.toString());
        if (!AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realmModel)) {
            Set<String> groupIdsWithViewPermission = this.auth.groups().getGroupIdsWithViewPermission();
            if (!groupIdsWithViewPermission.isEmpty()) {
                this.session.setAttribute("keycloak.session.realm.users.query.groups", groupIdsWithViewPermission);
            }
        }
        return toRepresentation(realmModel, userPermissionEvaluator, bool, this.session.users().searchForUserStream(realmModel, map, num, num2));
    }

    private Stream<UserRepresentation> toRepresentation(RealmModel realmModel, UserPermissionEvaluator userPermissionEvaluator, Boolean bool, Stream<UserModel> stream) {
        boolean z = bool != null && bool.booleanValue();
        if (!AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realmModel)) {
            userPermissionEvaluator.grantIfNoPermission(this.session.getAttribute("keycloak.session.realm.users.query.groups") != null);
            Objects.requireNonNull(userPermissionEvaluator);
            stream = stream.filter(userPermissionEvaluator::canView);
            userPermissionEvaluator.grantIfNoPermission(this.session.getAttribute("keycloak.session.realm.users.query.groups") != null);
        }
        return stream.map(userModel -> {
            UserRepresentation briefRepresentation = z ? ModelToRepresentation.toBriefRepresentation(userModel) : ModelToRepresentation.toRepresentation(this.session, realmModel, userModel);
            briefRepresentation.setAccess(userPermissionEvaluator.getAccessForListing(userModel));
            return briefRepresentation;
        });
    }
}
