package org.keycloak.services.managers;

import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonPropertyOrder;
import java.net.URI;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.TreeSet;
import java.util.stream.Collectors;
import org.jboss.logging.Logger;
import org.keycloak.authentication.ClientAuthenticator;
import org.keycloak.common.Profile;
import org.keycloak.common.util.Time;
import org.keycloak.credential.PasswordCredentialProviderFactory;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserManager;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionProvider;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.saml.SamlClient;
import org.keycloak.protocol.saml.SamlConfigAttributes;
import org.keycloak.representations.adapters.config.BaseRealmConfig;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.services.clientpolicy.condition.ClientAccessTypeConditionFactory;
import org.keycloak.sessions.AuthenticationSessionProvider;

/* loaded from: input_file:org/keycloak/services/managers/ClientManager.class */
public class ClientManager {
    // Class-wide JBoss Logging logger; the methods below use it for debug/trace messages
    // about client-id updates and service-account handling.
    private static final Logger logger = Logger.getLogger(ClientManager.class);
    // Supplies the KeycloakSession used by the instance methods. It has no initializer and the
    // no-argument constructor does not assign it, so it is null on instances built that way and
    // any method that calls realmManager.getSession() will then throw a NullPointerException.
    protected RealmManager realmManager;

    /**
     * JSON-serializable adapter installation settings for a single client.
     *
     * <p>Adds the client-specific properties to the realm-level settings inherited from
     * {@link BaseRealmConfig}. Instances are filled in by
     * {@code ClientManager.toInstallationRepresentation}.
     *
     * <p>The {@code credentials} map is copied from the client authenticator's adapter
     * configuration. NOTE(review): depending on the authenticator this presumably includes
     * secret material such as a client secret, so serialized output should be handled as
     * sensitive - confirm against the authenticators in use.
     */
    // NOTE(review): the first and third entries of the property order reference constants of
    // unrelated classes; presumably the decompiler substituted them for string literals of
    // equal value - confirm against the original source before relying on them.
    @JsonPropertyOrder({PasswordCredentialProviderFactory.METER_REALM_TAG, "realm-public-key", ClientAccessTypeConditionFactory.TYPE_BEARERONLY, "auth-server-url", "ssl-required", "resource", "public-client", "verify-token-audience", "credentials", "use-resource-role-mappings"})
    public static class InstallationAdapterConfig extends BaseRealmConfig {

        // Client identifier; serialized as "resource".
        @JsonProperty("resource")
        protected String resource;

        // Serialized as "use-resource-role-mappings"; null unless explicitly set.
        @JsonProperty("use-resource-role-mappings")
        protected Boolean useResourceRoleMappings;

        // Bearer-only marker; null unless explicitly set.
        @JsonProperty(ClientAccessTypeConditionFactory.TYPE_BEARERONLY)
        protected Boolean bearerOnly;

        // Serialized as "public-client"; null unless explicitly set.
        @JsonProperty("public-client")
        protected Boolean publicClient;

        // Client authentication settings; serialized as "credentials". May carry secrets (see class note).
        @JsonProperty("credentials")
        protected Map<String, Object> credentials;

        // Serialized as "verify-token-audience"; null unless explicitly set.
        @JsonProperty("verify-token-audience")
        protected Boolean verifyTokenAudience;

        // Serialized as "policy-enforcer"; not listed in the explicit property order above.
        @JsonProperty("policy-enforcer")
        protected PolicyEnforcerConfig enforcerConfig;

        /** Returns the "use-resource-role-mappings" flag, or {@code null} if it was never set. */
        public Boolean isUseResourceRoleMappings() {
            return useResourceRoleMappings;
        }

        /** Sets the "use-resource-role-mappings" flag. */
        public void setUseResourceRoleMappings(Boolean bool) {
            useResourceRoleMappings = bool;
        }

        /** Returns the client identifier written as "resource". */
        public String getResource() {
            return resource;
        }

        /** Sets the client identifier written as "resource". */
        public void setResource(String str) {
            resource = str;
        }

        /** Returns the stored credentials map itself (no defensive copy is made). */
        public Map<String, Object> getCredentials() {
            return credentials;
        }

        /** Stores the given credentials map by reference (no defensive copy is made). */
        public void setCredentials(Map<String, Object> map) {
            credentials = map;
        }

        /** Returns the "verify-token-audience" flag, or {@code null} if it was never set. */
        public Boolean getVerifyTokenAudience() {
            return verifyTokenAudience;
        }

        /** Sets the "verify-token-audience" flag. */
        public void setVerifyTokenAudience(Boolean bool) {
            verifyTokenAudience = bool;
        }

        /** Returns the "public-client" flag, or {@code null} if it was never set. */
        public Boolean getPublicClient() {
            return publicClient;
        }

        /** Sets the "public-client" flag. */
        public void setPublicClient(Boolean bool) {
            publicClient = bool;
        }

        /** Returns the bearer-only flag, or {@code null} if it was never set. */
        public Boolean getBearerOnly() {
            return bearerOnly;
        }

        /** Sets the bearer-only flag. */
        public void setBearerOnly(Boolean bool) {
            bearerOnly = bool;
        }

        /** Returns the "policy-enforcer" configuration, or {@code null} if none was set. */
        public PolicyEnforcerConfig getEnforcerConfig() {
            return enforcerConfig;
        }

        /** Sets the "policy-enforcer" configuration. */
        public void setEnforcerConfig(PolicyEnforcerConfig policyEnforcerConfig) {
            enforcerConfig = policyEnforcerConfig;
        }
    }

    /**
     * Creates a manager backed by the given realm manager.
     *
     * @param realmManager stored as-is (not null-checked); its session is used by the instance methods
     */
    public ClientManager(RealmManager realmManager) {
        this.realmManager = realmManager;
    }

    /**
     * Creates a manager without a realm manager.
     *
     * <p>{@code realmManager} stays {@code null}, so only members that never touch it (for
     * example the static {@code createClient}) are safe to use on such an instance; methods
     * that call {@code realmManager.getSession()} will throw a {@link NullPointerException}.
     */
    public ClientManager() {
    }

    /**
     * Creates a client in the realm from its representation and applies protocol defaults.
     *
     * <p>When the representation names a protocol, the matching login-protocol factory sets up
     * the client's defaults. When the representation carries no protocol mappers but names a
     * client template, every protocol mapper present on the new client is removed again.
     *
     * @param keycloakSession session used to create the client and to look up the protocol factory
     * @param realmModel realm that will own the client
     * @param clientRepresentation description of the client to create
     * @return the newly created client model
     */
    public static ClientModel createClient(KeycloakSession keycloakSession, RealmModel realmModel, ClientRepresentation clientRepresentation) {
        ClientModel created = RepresentationToModel.createClient(keycloakSession, realmModel, clientRepresentation);
        if (clientRepresentation.getProtocol() != null) {
            // NOTE(review): the factory lookup result is dereferenced without a null check, so a
            // protocol name with no registered provider would presumably fail here with a
            // NullPointerException - confirm that callers validate the protocol beforehand.
            keycloakSession.getKeycloakSessionFactory()
                    .getProviderFactory(LoginProtocol.class, clientRepresentation.getProtocol())
                    .setupClientDefaults(clientRepresentation, created);
        }
        boolean mappersOmitted = clientRepresentation.getProtocolMappers() == null;
        if (mappersOmitted && clientRepresentation.getClientTemplate() != null) {
            // Collect into a list first so mappers are not removed while the stream is being read.
            created.getProtocolMappersStream()
                    .collect(Collectors.toList())
                    .forEach(created::removeProtocolMapper);
        }
        return created;
    }

    /**
     * Removes a client from the realm together with its sessions and service account.
     *
     * <p>Internal clients (see {@code isInternalClient}) are never removed. After the realm has
     * dropped the client, the user-session and authentication-session providers are notified
     * and the client's service-account user, if any, is deleted.
     *
     * @param realmModel realm that owns the client
     * @param clientModel client to remove
     * @return {@code false} if the client is internal or the realm did not remove it,
     *         {@code true} otherwise
     */
    public boolean removeClient(RealmModel realmModel, ClientModel clientModel) {
        // Protection for built-in clients: refuse before anything is modified.
        if (isInternalClient(realmModel.getName(), clientModel.getClientId())) {
            return false;
        }
        if (!realmModel.removeClient(clientModel.getId())) {
            return false;
        }

        UserSessionProvider userSessions = this.realmManager.getSession().sessions();
        if (userSessions != null) {
            userSessions.onClientRemoved(realmModel, clientModel);
        }

        AuthenticationSessionProvider authSessions = this.realmManager.getSession().authenticationSessions();
        if (authSessions != null) {
            authSessions.onClientRemoved(realmModel, clientModel);
        }

        // A service-account user left behind would be an account with no owning client.
        UserModel linkedAccount = this.realmManager.getSession().users().getServiceAccount(clientModel);
        if (linkedAccount != null) {
            new UserManager(this.realmManager.getSession()).removeUser(realmModel, linkedAccount);
        }
        return true;
    }

    /**
     * Returns the client's currently valid registered nodes, unregistering expired ones.
     *
     * <p>With a positive re-registration timeout, a node whose registration time plus the
     * timeout lies before the current time is unregistered from the client; all other nodes
     * are returned. With a non-positive timeout every registered node is returned unchanged.
     *
     * @param clientModel client whose registered nodes are checked
     * @return an empty set if nothing is registered, otherwise a sorted set of valid node names
     */
    public Set<String> validateRegisteredNodes(ClientModel clientModel) {
        Map<String, Integer> nodes = clientModel.getRegisteredNodes();
        if (nodes == null || nodes.isEmpty()) {
            return Collections.emptySet();
        }
        int now = Time.currentTime();
        Set<String> validNodes = new TreeSet<>();
        if (clientModel.getNodeReRegistrationTimeout() <= 0) {
            // No expiry configured: every registered node counts as valid.
            validNodes.addAll(nodes.keySet());
            return validNodes;
        }
        // Expired nodes are collected first and unregistered after the loop, so the
        // registration map is not changed while it is being iterated.
        List<String> expiredNodes = new LinkedList<>();
        for (Map.Entry<String, Integer> node : nodes.entrySet()) {
            boolean expired = node.getValue() + clientModel.getNodeReRegistrationTimeout() < now;
            if (expired) {
                expiredNodes.add(node.getKey());
            } else {
                validNodes.add(node.getKey());
            }
        }
        for (String expiredNode : expiredNodes) {
            clientModel.unregisterNode(expiredNode);
        }
        return validNodes;
    }

    /**
     * Enables service accounts for the client and makes sure its service-account user exists.
     *
     * <p>If no service-account user is linked yet, an enabled user named
     * {@code service-account-<clientId>} is created in the client's realm and linked to the
     * client. The "service_account" client scope is then attached, unless the CLIENT_TYPES
     * feature is enabled and the client has a type.
     *
     * @param clientModel client to enable service accounts for
     */
    public void enableServiceAccount(ClientModel clientModel) {
        clientModel.setServiceAccountsEnabled(true);

        boolean accountMissing = this.realmManager.getSession().users().getServiceAccount(clientModel) == null;
        if (accountMissing) {
            String username = "service-account-" + clientModel.getClientId();
            logger.debugf("Creating service account user '%s'", username);
            UserModel account = this.realmManager.getSession().users().addUser(clientModel.getRealm(), username);
            account.setEnabled(true);
            // The link ties the user to this client; it is set from the client's internal id.
            account.setServiceAccountClientLink(clientModel.getId());
        }

        boolean typedClient = Profile.isFeatureEnabled(Profile.Feature.CLIENT_TYPES) && clientModel.getType() != null;
        if (!typedClient) {
            addServiceAccountProtocolMappersViaScope(clientModel);
        }
    }

    /**
     * Disables service accounts for the client and deletes its service-account user.
     *
     * <p>The "service_account" client scope is detached as well, unless the CLIENT_TYPES
     * feature is enabled and the client has a type.
     *
     * @param clientModel client to disable service accounts for
     */
    public void disableServiceAccount(ClientModel clientModel) {
        clientModel.setServiceAccountsEnabled(false);

        // Delete the linked user so no account outlives the disabled feature.
        UserModel linkedAccount = this.realmManager.getSession().users().getServiceAccount(clientModel);
        if (linkedAccount != null) {
            new UserManager(this.realmManager.getSession()).removeUser(clientModel.getRealm(), linkedAccount);
        }

        boolean typedClient = Profile.isFeatureEnabled(Profile.Feature.CLIENT_TYPES) && clientModel.getType() != null;
        if (!typedClient) {
            removeServiceAccountProtocolMappersViaScope(clientModel);
        }
    }

    /**
     * Attaches the realm's "service_account" client scope to the client.
     *
     * <p>Does nothing except log at trace level when the realm has no such scope.
     *
     * @param clientModel client that should receive the scope
     */
    private void addServiceAccountProtocolMappersViaScope(ClientModel clientModel) {
        ClientScopeModel serviceAccountScope = KeycloakModelUtils.getClientScopeByName(clientModel.getRealm(), "service_account");
        if (serviceAccountScope != null) {
            // NOTE(review): the boolean presumably selects default (true) versus optional (false)
            // scopes, making this a move from optional to default - confirm against ClientModel.
            if (clientModel.getClientScopes(false).containsKey("service_account")) {
                clientModel.removeClientScope(serviceAccountScope);
            }
            clientModel.addClientScope(serviceAccountScope, true);
        } else {
            logger.tracef("Service account scope not added to client %s because it does not exist", clientModel.getClientId());
        }
    }

    /**
     * Detaches the realm's "service_account" client scope from the client.
     *
     * <p>Does nothing except log at trace level when the realm has no such scope.
     *
     * @param clientModel client that should lose the scope
     */
    private void removeServiceAccountProtocolMappersViaScope(ClientModel clientModel) {
        ClientScopeModel serviceAccountScope = KeycloakModelUtils.getClientScopeByName(clientModel.getRealm(), "service_account");
        if (serviceAccountScope == null) {
            logger.tracef("Service account scope not removed from client %s because it does not exist", clientModel.getClientId());
            return;
        }
        clientModel.removeClientScope(serviceAccountScope);
    }

    /**
     * Propagates a client-id change to data derived from the client id.
     *
     * <p>The linked service-account user, if any, is renamed to
     * {@code service-account-<newClientId>}. For SAML clients the artifact binding identifier
     * is recomputed from the new client id and written into the representation's attributes.
     *
     * @param clientModel client as currently stored (still carrying the old client id)
     * @param clientRepresentation updated representation that supplies the new client id
     */
    public void clientIdChanged(ClientModel clientModel, ClientRepresentation clientRepresentation) {
        String newClientId = clientRepresentation.getClientId();
        logger.debugf("Updating clientId from '%s' to '%s'", clientModel.getClientId(), newClientId);

        UserModel linkedAccount = this.realmManager.getSession().users().getServiceAccount(clientModel);
        if (linkedAccount != null) {
            linkedAccount.setUsername("service-account-" + newClientId);
        }

        if (!"saml".equals(clientModel.getProtocol())) {
            return;
        }
        SamlClient saml = new SamlClient(clientModel);
        saml.setArtifactBindingIdentifierFrom(newClientId);
        // NOTE(review): getAttributes() is dereferenced without a null check - confirm that
        // callers always pass a representation with an attribute map.
        clientRepresentation.getAttributes().put(SamlConfigAttributes.SAML_ARTIFACT_BINDING_IDENTIFIER, saml.getArtifactBindingIdentifier());
    }

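    /**
     * Builds the adapter installation configuration for a client.
     *
     * <p>The result carries the auth-server URL, realm name, lower-cased SSL requirement and
     * client id. The public-client, bearer-only and use-resource-role-mappings flags are only
     * set when they apply, and stay {@code null} otherwise. Credentials are copied from the
     * client authenticator only when {@code showClientCredentialsAdapterConfig} allows it.
     *
     * <p>NOTE(review): the credentials map presumably contains secret material (for example a
     * client secret), so the returned object should only be handed to callers entitled to the
     * client's credentials - confirm against the authenticators in use.
     *
     * @param realmModel realm that owns the client
     * @param clientModel client to describe
     * @param uri base URL of the auth server, written out via {@code toString()}
     * @return a freshly populated installation configuration
     */
    public InstallationAdapterConfig toInstallationRepresentation(RealmModel realmModel, ClientModel clientModel, URI uri) {
        InstallationAdapterConfig config = new InstallationAdapterConfig();
        config.setAuthServerUrl(uri.toString());
        config.setRealm(realmModel.getName());
        // Locale.ROOT keeps the emitted value independent of the JVM's default locale
        // (default-locale lower-casing can alter letters, e.g. 'I' under a Turkish locale).
        config.setSslRequired(realmModel.getSslRequired().name().toLowerCase(Locale.ROOT));
        if (clientModel.isPublicClient() && !clientModel.isBearerOnly()) {
            config.setPublicClient(true);
        }
        if (clientModel.isBearerOnly()) {
            config.setBearerOnly(true);
        }
        if (clientModel.getRolesStream().count() > 0) {
            config.setUseResourceRoleMappings(true);
        }
        config.setResource(clientModel.getClientId());
        if (showClientCredentialsAdapterConfig(clientModel)) {
            config.setCredentials(getClientCredentialsAdapterConfig(clientModel));
        }
        return config;
    }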

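    /**
     * Renders the {@code <secure-deployment>} XML fragment for a client.
     *
     * <p>Text taken from the realm, the client and the credential configuration is XML-escaped
     * before it is written. A realm name, client id or credential value containing markup
     * characters therefore cannot break the document or add elements to it. Values without
     * such characters are written exactly as before.
     *
     * <p>NOTE(review): the credential entries presumably contain secret material (for example
     * a client secret), so the returned text should be handled as sensitive - confirm against
     * the authenticators in use.
     *
     * @param realmModel realm that owns the client
     * @param clientModel client to describe
     * @param uri base URL of the auth server
     * @return the XML fragment, terminated by a newline
     */
    public String toJBossSubsystemConfig(RealmModel realmModel, ClientModel clientModel, URI uri) {
        StringBuilder xml = new StringBuilder();
        xml.append("<secure-deployment name=\"WAR MODULE NAME.war\">\n");
        xml.append("    <realm>").append(escapeXml(realmModel.getName())).append("</realm>\n");
        xml.append("    <auth-server-url>").append(escapeXml(uri.toString())).append("</auth-server-url>\n");
        if (clientModel.isBearerOnly()) {
            xml.append("    <bearer-only>true</bearer-only>\n");
        } else if (clientModel.isPublicClient()) {
            xml.append("    <public-client>true</public-client>\n");
        }
        // The enum constant name is written as-is; it is not free-form text.
        xml.append("    <ssl-required>").append(realmModel.getSslRequired().name()).append("</ssl-required>\n");
        xml.append("    <resource>").append(escapeXml(clientModel.getClientId())).append("</resource>\n");
        // NOTE(review): the result of this call is discarded; it is kept only so that the
        // sequence of calls on the model is unchanged - confirm whether it can be dropped.
        clientModel.getSecret();
        if (showClientCredentialsAdapterConfig(clientModel)) {
            for (Map.Entry<String, Object> credential : getClientCredentialsAdapterConfig(clientModel).entrySet()) {
                xml.append("    <credential name=\"").append(escapeXml(credential.getKey())).append("\">");
                Object value = credential.getValue();
                if (value instanceof Map) {
                    xml.append("\n");
                    for (Map.Entry<?, ?> nested : ((Map<?, ?>) value).entrySet()) {
                        // The key is used as an element name, where escaping cannot help.
                        // NOTE(review): assumes authenticator-defined keys that are valid
                        // XML names - confirm against the ClientAuthenticator factories.
                        String element = (String) nested.getKey();
                        xml.append("        <").append(element).append(">")
                                .append(escapeXml(nested.getValue().toString()))
                                .append("</").append(element).append(">\n");
                    }
                    xml.append("    </credential>\n");
                } else {
                    xml.append(escapeXml(value.toString())).append("</credential>\n");
                }
            }
        }
        if (clientModel.getRolesStream().count() > 0) {
            xml.append("    <use-resource-role-mappings>true</use-resource-role-mappings>\n");
        }
        xml.append("</secure-deployment>\n");
        return xml.toString();
    }

    /**
     * Escapes the five XML special characters so the text is safe as element content or
     * inside a double-quoted attribute value. A {@code null} argument yields the text
     * {@code "null"}, matching what appending a null string produced before.
     */
    private static String escapeXml(String text) {
        if (text == null) {
            return "null";
        }
        StringBuilder escaped = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':
                    escaped.append("&amp;");
                    break;
                case '<':
                    escaped.append("&lt;");
                    break;
                case '>':
                    escaped.append("&gt;");
                    break;
                case '"':
                    escaped.append("&quot;");
                    break;
                case '\'':
                    escaped.append("&apos;");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }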

    /**
     * Decides whether client credentials are included in generated adapter configuration.
     *
     * <p>Public clients never get credentials. Bearer-only clients get them only when a
     * positive node re-registration timeout is configured. All other clients always get them.
     *
     * @param clientModel client to check
     * @return {@code true} if credentials should be emitted
     */
    private boolean showClientCredentialsAdapterConfig(ClientModel clientModel) {
        boolean confidential = !clientModel.isPublicClient();
        return confidential && (!clientModel.isBearerOnly() || clientModel.getNodeReRegistrationTimeout() > 0);
    }

    /**
     * Fetches the adapter credential settings for the client from its client authenticator.
     *
     * <p>The provider factory registered for the client's authenticator type is looked up and
     * asked for the client's adapter configuration.
     *
     * <p>NOTE(review): the returned map presumably contains secret material (for example a
     * client secret) - confirm, and keep it out of logs and error messages.
     *
     * @param clientModel client whose authenticator configuration is requested
     * @return the map produced by the authenticator factory for this client
     */
    private Map<String, Object> getClientCredentialsAdapterConfig(ClientModel clientModel) {
        // NOTE(review): the lookup result is dereferenced without a null check, and
        // getAdapterConfiguration is called directly on it; presumably the original cast it to
        // a ClientAuthenticator factory type that was lost in decompilation - confirm.
        return this.realmManager.getSession().getKeycloakSessionFactory().getProviderFactory(ClientAuthenticator.class, clientModel.getClientAuthenticatorType()).getAdapterConfiguration(clientModel);
    }

    /**
     * Tells whether a client is a built-in client that must not be removed.
     *
     * <p>A client is internal if its id is one of {@code Constants.defaultClients}. It is also
     * internal if it lives in the realm named "master", its id ends with "-realm", and the
     * prefix before that suffix is the name of an existing realm.
     *
     * <p>NOTE(review): the realm name is compared with the literal "master"; if a deployment
     * can use a differently named admin realm, the second rule would not apply - confirm.
     *
     * @param str name of the realm that owns the client
     * @param str2 client id to check
     * @return {@code true} if the client is internal
     */
    private boolean isInternalClient(String str, String str2) {
        if (Constants.defaultClients.contains(str2)) {
            return true;
        }
        if (!"master".equals(str) || !str2.endsWith("-realm")) {
            return false;
        }
        // Strip the "-realm" suffix to get the name of the realm this client would manage.
        String managedRealmName = str2.substring(0, str2.length() - "-realm".length());
        return this.realmManager.getSession().realms().getRealmByName(managedRealmName) != null;
    }
}
