package org.keycloak.services.resources.account;

import com.fasterxml.jackson.annotation.JsonIgnore;
import java.io.IOException;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.common.util.reflections.Types;
import org.keycloak.credential.CredentialModel;
import org.keycloak.credential.CredentialProvider;
import org.keycloak.credential.CredentialProviderFactory;
import org.keycloak.credential.CredentialTypeMetadata;
import org.keycloak.credential.CredentialTypeMetadataContext;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticationFlowModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.account.CredentialMetadataRepresentation;
import org.keycloak.services.ErrorResponse;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.managers.Auth;
import org.keycloak.services.messages.Messages;
import org.keycloak.util.JsonSerialization;
import org.keycloak.utils.CredentialHelper;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/services/resources/account/AccountCredentialResource.class */
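/**
 * Account REST sub-resource for the credentials of a single user.
 *
 * <p>Every endpoint starts with an authorization check on the {@link Auth} passed to the
 * constructor, and every credential lookup goes through {@code user.credentialManager()},
 * so a credential id is only ever resolved against the credentials of that one user.
 */
public class AccountCredentialResource {
    /** Query parameter restricting the listing to one credential type. */
    public static final String TYPE = "type";
    /** Query parameter controlling whether the user's own credentials are included. */
    public static final String USER_CREDENTIALS = "user-credentials";
    private final KeycloakSession session;
    private final UserModel user;
    private final RealmModel realm;
    private final Auth auth;

    /**
     * JSON view of one credential type together with the user's credentials of that type.
     *
     * <p>The raw {@link CredentialTypeMetadata} is kept for sorting on the server side and is
     * excluded from serialization via {@link JsonIgnore}.
     */
    public static class CredentialContainer {
        private String type;
        private String category;
        private String displayName;
        private String helptext;
        private String iconCssClass;
        private String createAction;
        private String updateAction;
        private boolean removeable;
        private List<CredentialMetadataRepresentation> userCredentialMetadatas;
        private CredentialTypeMetadata metadata;

        /** Creates an empty container; all fields keep their default values. */
        public CredentialContainer() {
        }

        /**
         * Copies the displayable attributes out of the type metadata.
         *
         * @param credentialTypeMetadata metadata of the credential type; must not be null
         * @param list the user's credentials of this type, or {@code null} when they were not requested
         */
        public CredentialContainer(CredentialTypeMetadata credentialTypeMetadata, List<CredentialMetadataRepresentation> list) {
            this.metadata = credentialTypeMetadata;
            this.type = credentialTypeMetadata.getType();
            this.category = credentialTypeMetadata.getCategory().toString();
            this.displayName = credentialTypeMetadata.getDisplayName();
            this.helptext = credentialTypeMetadata.getHelpText();
            this.iconCssClass = credentialTypeMetadata.getIconCssClass();
            this.createAction = credentialTypeMetadata.getCreateAction();
            this.updateAction = credentialTypeMetadata.getUpdateAction();
            this.removeable = credentialTypeMetadata.isRemoveable();
            this.userCredentialMetadatas = list;
        }

        public String getCategory() {
            return this.category;
        }

        public String getType() {
            return this.type;
        }

        public String getDisplayName() {
            return this.displayName;
        }

        public String getHelptext() {
            return this.helptext;
        }

        public String getIconCssClass() {
            return this.iconCssClass;
        }

        public String getCreateAction() {
            return this.createAction;
        }

        public String getUpdateAction() {
            return this.updateAction;
        }

        public boolean isRemoveable() {
            return this.removeable;
        }

        public List<CredentialMetadataRepresentation> getUserCredentialMetadatas() {
            return this.userCredentialMetadatas;
        }

        /** Returns the backing type metadata; not part of the JSON output. */
        @JsonIgnore
        public CredentialTypeMetadata getMetadata() {
            return this.metadata;
        }
    }

    /**
     * @param keycloakSession session used to resolve providers; its context supplies the realm
     * @param userModel the user whose credentials this resource operates on
     * @param auth authorization context checked at the start of every endpoint
     */
    public AccountCredentialResource(KeycloakSession keycloakSession, UserModel userModel, Auth auth) {
        this.session = keycloakSession;
        this.user = userModel;
        this.auth = auth;
        this.realm = keycloakSession.getContext().getRealm();
    }

    /**
     * Lists the credential types that are enabled in the realm's authentication flows and,
     * unless disabled by the caller, the user's credentials of each type.
     *
     * <p>Requires one of the {@code manage-account} or {@code view-profile} roles.
     *
     * @param type when non-null, only the credential type equal to this value is returned
     * @param userCredentials when {@code null} or {@code true}, the user's credentials are included
     * @return containers ordered by their {@link CredentialTypeMetadata}
     */
    @GET
    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    public Stream<CredentialContainer> credentialTypes(@QueryParam(TYPE) String type, @QueryParam(USER_CREDENTIALS) Boolean userCredentials) {
        this.auth.requireOneOf("manage-account", "view-profile");
        boolean includeUserCredentials = userCredentials == null || userCredentials.booleanValue();

        List<CredentialProvider> credentialProviders = this.session.getKeycloakSessionFactory()
                .getProviderFactoriesStream(CredentialProvider.class)
                .filter(factory -> Types.supports(CredentialProvider.class, factory, CredentialProviderFactory.class))
                .map(factory -> this.session.getProvider(CredentialProvider.class, factory.getId()))
                .collect(Collectors.toList());
        Set<String> enabledCredentialTypes = getEnabledCredentialTypes(credentialProviders);

        // Stored credentials are read once and then partitioned per provider below.
        Stream<CredentialModel> storedStream = includeUserCredentials
                ? this.user.credentialManager().getStoredCredentialsStream()
                : Stream.empty();
        List<CredentialModel> storedCredentials = storedStream.collect(Collectors.toList());

        return credentialProviders.stream()
                .filter(provider -> type == null || Objects.equals(provider.getType(), type))
                .filter(provider -> enabledCredentialTypes.contains(provider.getType()))
                .map(provider -> {
                    CredentialTypeMetadata typeMetadata = provider.getCredentialTypeMetadata(
                            CredentialTypeMetadataContext.builder().user(this.user).build(this.session));
                    List<CredentialMetadataRepresentation> representations = null;
                    if (includeUserCredentials) {
                        representations = storedCredentials.stream()
                                .filter(model -> provider.getType().equals(model.getType()))
                                .map(model -> provider.getCredentialMetadata(provider.getCredentialFromModel(model), typeMetadata))
                                .map(credentialMetadata -> {
                                    // Secret material must never reach the response: it is cleared on the
                                    // model before the representation is built. This mutates the model
                                    // object returned by getCredentialModel() in place.
                                    credentialMetadata.getCredentialModel().setSecretData(null);
                                    return ModelToRepresentation.toRepresentation(credentialMetadata);
                                })
                                .collect(Collectors.toList());
                        if (representations.isEmpty() && this.user.credentialManager().isConfiguredFor(provider.getType())) {
                            // The type is configured for the user but nothing is stored locally:
                            // return a single placeholder representation for that type instead.
                            CredentialMetadataRepresentation placeholder = new CredentialMetadataRepresentation();
                            placeholder.setCredential(CredentialHelper.createUserStorageCredentialRepresentation(provider.getType()));
                            representations = Collections.singletonList(placeholder);
                        }
                        if (representations.isEmpty() && typeMetadata.getCreateAction() == null && typeMetadata.getUpdateAction() == null) {
                            // Nothing to show and nothing the user could do with this type: omit it.
                            return null;
                        }
                    }
                    return new CredentialContainer(typeMetadata, representations);
                })
                .filter(Objects::nonNull)
                .sorted(Comparator.comparing(CredentialContainer::getMetadata));
    }

    /**
     * Returns the types of the given providers that are referenced by at least one
     * non-disabled authenticator execution in a flow that is not effectively disabled.
     *
     * @param credentialProviders providers whose types are candidates
     * @return the subset of provider types matching a referenced authenticator category
     */
    private Set<String> getEnabledCredentialTypes(List<CredentialProvider> credentialProviders) {
        Predicate<AuthenticationFlowModel> effectivelyDisabled = this::isFlowEffectivelyDisabled;
        Stream<String> referencedCategories = this.realm.getAuthenticationFlowsStream()
                .filter(effectivelyDisabled.negate())
                .flatMap(flow -> this.realm.getAuthenticationExecutionsStream(flow.getId())
                        .filter(execution -> Objects.nonNull(execution.getAuthenticator())
                                && execution.getRequirement() != AuthenticationExecutionModel.Requirement.DISABLED)
                        // getProviderFactory returns the generic factory type; the reference category
                        // is declared on the authenticator factory, hence the cast.
                        .map(execution -> (AuthenticatorFactory) this.session.getKeycloakSessionFactory()
                                .getProviderFactory(Authenticator.class, execution.getAuthenticator()))
                        .filter(Objects::nonNull)
                        .map(AuthenticatorFactory::getReferenceCategory)
                        .filter(Objects::nonNull));

        Set<String> providerTypes = credentialProviders.stream()
                .map(CredentialProvider::getType)
                .collect(Collectors.toSet());
        return referencedCategories.filter(providerTypes::contains).collect(Collectors.toSet());
    }

    /**
     * Walks from the given flow up through its parent flows and reports whether any
     * execution that embeds one of them is marked {@code DISABLED}.
     *
     * @param authenticationFlowModel the flow to start from
     * @return {@code true} if an enclosing execution is disabled; {@code false} when the walk
     *         reaches a top-level flow or a missing execution, parent id or parent flow
     */
    private boolean isFlowEffectivelyDisabled(AuthenticationFlowModel authenticationFlowModel) {
        AuthenticationFlowModel current = authenticationFlowModel;
        // NOTE(review): the walk has no cycle guard; it relies on the parent chain being acyclic.
        while (!current.isTopLevel()) {
            AuthenticationExecutionModel enclosingExecution = this.realm.getAuthenticationExecutionByFlowId(current.getId());
            if (enclosingExecution == null) {
                return false;
            }
            if (AuthenticationExecutionModel.Requirement.DISABLED == enclosingExecution.getRequirement()) {
                return true;
            }
            if (enclosingExecution.getParentFlow() == null) {
                return false;
            }
            current = this.realm.getAuthenticationFlowById(enclosingExecution.getParentFlow());
            if (current == null) {
                return false;
            }
        }
        return false;
    }

    /**
     * Deletes one of the user's stored credentials.
     *
     * <p>Requires the {@code manage-account} role. The id is resolved through this user's
     * credential manager, so an id that is not among this user's stored credentials yields 404.
     *
     * @param credentialId id of the credential to delete
     * @throws NotFoundException if the user has no stored credential with that id
     */
    @Path("{credentialId}")
    @NoCache
    @DELETE
    public void removeCredential(@PathParam("credentialId") String credentialId) {
        this.auth.require("manage-account");
        if (this.user.credentialManager().getStoredCredentialById(credentialId) == null) {
            throw new NotFoundException("Credential not found");
        }
        // NOTE(review): the type-level isRemoveable() flag that the GET endpoint reports is not
        // consulted here; confirm that non-removable credential types are protected elsewhere.
        this.user.credentialManager().removeStoredCredentialById(credentialId);
    }

    /**
     * Replaces the label of one of the user's stored credentials.
     *
     * <p>Requires the {@code manage-account} role. The request body must be a JSON string.
     *
     * @param credentialId id of the credential to relabel
     * @param userLabel raw request body holding the new label as a JSON string
     * @throws NotFoundException if the user has no stored credential with that id
     * @throws ErrorResponseException with status 400 if the body cannot be read as a JSON string
     */
    @Path("{credentialId}/label")
    @NoCache
    @Consumes({MediaType.APPLICATION_JSON})
    @PUT
    public void setLabel(@PathParam("credentialId") String credentialId, String userLabel) {
        this.auth.require("manage-account");
        if (this.user.credentialManager().getStoredCredentialById(credentialId) == null) {
            throw new NotFoundException("Credential not found");
        }
        try {
            // NOTE(review): no length or character constraints are applied to the label in this
            // method; confirm it is validated downstream and encoded wherever it is rendered.
            String label = JsonSerialization.readValue(userLabel, String.class);
            this.user.credentialManager().updateCredentialLabel(credentialId, label);
        } catch (IOException e) {
            // Only a generic "invalid request" is returned; parser details are not sent to the caller.
            throw new ErrorResponseException(ErrorResponse.error(Messages.INVALID_REQUEST, Response.Status.BAD_REQUEST));
        }
    }
}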
