package org.keycloak.services.resources.admin;

import java.util.Objects;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RoleContainerModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
import org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/services/resources/admin/ClientScopeEvaluateScopeMappingsResource.class */
public class ClientScopeEvaluateScopeMappingsResource {
    private final RoleContainerModel roleContainer;
    private final AdminPermissionEvaluator auth;
    private final ClientModel client;
    private final String scopeParam;
    private final KeycloakSession session;

    public ClientScopeEvaluateScopeMappingsResource(RoleContainerModel roleContainerModel, AdminPermissionEvaluator adminPermissionEvaluator, ClientModel clientModel, String str, KeycloakSession keycloakSession) {
        this.roleContainer = roleContainerModel;
        this.auth = adminPermissionEvaluator;
        this.client = clientModel;
        this.scopeParam = str;
        this.session = keycloakSession;
    }

    @GET
    @Path("/granted")
    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    public Stream<RoleRepresentation> getGrantedScopeMappings() {
        return getGrantedRoles().map(ModelToRepresentation::toBriefRepresentation);
    }

    @GET
    @Path("/not-granted")
    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    public Stream<RoleRepresentation> getNotGrantedScopeMappings() {
        Set set = (Set) getGrantedRoles().collect(Collectors.toSet());
        Stream rolesStream = this.roleContainer.getRolesStream();
        Objects.requireNonNull(set);
        Predicate predicate = (v1) -> {
            return r1.contains(v1);
        };
        return rolesStream.filter(predicate.negate()).map(ModelToRepresentation::toBriefRepresentation);
    }

    private Stream<RoleModel> getGrantedRoles() {
        if (this.client.isFullScopeAllowed()) {
            return this.roleContainer.getRolesStream();
        }
        Set set = (Set) TokenManager.getRequestedClientScopes(this.scopeParam, this.client).collect(Collectors.toSet());
        Predicate predicate = roleModel -> {
            return set.stream().anyMatch(clientScopeModel -> {
                return clientScopeModel.hasScope(roleModel);
            });
        };
        Stream rolesStream = this.roleContainer.getRolesStream();
        RolePermissionEvaluator roles = this.auth.roles();
        Objects.requireNonNull(roles);
        return rolesStream.filter(roles::canView).filter(predicate);
    }
}
