package org.keycloak.services.resources.admin;

import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.DELETE;
import jakarta.ws.rs.DefaultValue;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.UriInfo;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.eclipse.microprofile.openapi.annotations.Operation;
import org.eclipse.microprofile.openapi.annotations.extensions.Extension;
import org.eclipse.microprofile.openapi.annotations.parameters.Parameter;
import org.eclipse.microprofile.openapi.annotations.tags.Tag;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.ScopeContainerModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.services.resources.KeycloakOpenAPI;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
import org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator;
import org.keycloak.utils.MediaType;

@Extension(name = KeycloakOpenAPI.Profiles.ADMIN, value = "")
/* loaded from: input_file:org/keycloak/services/resources/admin/ScopeMappedClientResource.class */
public class ScopeMappedClientResource {
    protected RealmModel realm;
    protected AdminPermissionEvaluator auth;
    protected AdminPermissionEvaluator.RequirePermissionCheck managePermission;
    protected AdminPermissionEvaluator.RequirePermissionCheck viewPermission;
    protected ScopeContainerModel scopeContainer;
    protected KeycloakSession session;
    protected ClientModel scopedClient;
    protected AdminEventBuilder adminEvent;

    public ScopeMappedClientResource(RealmModel realmModel, AdminPermissionEvaluator adminPermissionEvaluator, ScopeContainerModel scopeContainerModel, KeycloakSession keycloakSession, ClientModel clientModel, AdminEventBuilder adminEventBuilder, AdminPermissionEvaluator.RequirePermissionCheck requirePermissionCheck, AdminPermissionEvaluator.RequirePermissionCheck requirePermissionCheck2) {
        this.realm = realmModel;
        this.auth = adminPermissionEvaluator;
        this.scopeContainer = scopeContainerModel;
        this.session = keycloakSession;
        this.scopedClient = clientModel;
        this.adminEvent = adminEventBuilder.resource(ResourceType.CLIENT_SCOPE_MAPPING);
        this.managePermission = requirePermissionCheck;
        this.viewPermission = requirePermissionCheck2;
    }

    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.SCOPE_MAPPINGS)
    @Operation(summary = "Get the roles associated with a client's scope Returns roles for the client.")
    @GET
    public Stream<RoleRepresentation> getClientScopeMappings() {
        this.viewPermission.require();
        return KeycloakModelUtils.getClientScopeMappingsStream(this.scopedClient, this.scopeContainer).map(ModelToRepresentation::toBriefRepresentation);
    }

    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.SCOPE_MAPPINGS)
    @Operation(summary = "The available client-level roles Returns the roles for the client that can be associated with the client's scope")
    @Path("available")
    @GET
    public Stream<RoleRepresentation> getAvailableClientScopeMappings() {
        this.viewPermission.require();
        Stream rolesStream = this.scopedClient.getRolesStream();
        ScopeContainerModel scopeContainerModel = this.scopeContainer;
        Objects.requireNonNull(scopeContainerModel);
        Predicate predicate = scopeContainerModel::hasDirectScope;
        Stream filter = rolesStream.filter(predicate.negate());
        RolePermissionEvaluator roles = this.auth.roles();
        Objects.requireNonNull(roles);
        return filter.filter(roles::canMapClientScope).map(ModelToRepresentation::toBriefRepresentation);
    }

    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.SCOPE_MAPPINGS)
    @Operation(summary = "Get effective client roles Returns the roles for the client that are associated with the client's scope.")
    @Path("composite")
    @GET
    public Stream<RoleRepresentation> getCompositeClientScopeMappings(@Parameter(description = "if false, return roles with their attributes") @QueryParam("briefRepresentation") @DefaultValue("true") boolean z) {
        this.viewPermission.require();
        Function function = z ? ModelToRepresentation::toBriefRepresentation : ModelToRepresentation::toRepresentation;
        Stream rolesStream = this.scopedClient.getRolesStream();
        ScopeContainerModel scopeContainerModel = this.scopeContainer;
        Objects.requireNonNull(scopeContainerModel);
        return rolesStream.filter(scopeContainerModel::hasScope).map(function);
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.SCOPE_MAPPINGS)
    @Operation(summary = "Add client-level roles to the client's scope")
    @POST
    @Consumes({MediaType.APPLICATION_JSON})
    public void addClientScopeMapping(List<RoleRepresentation> list) {
        this.managePermission.require();
        Iterator<RoleRepresentation> it = list.iterator();
        while (it.hasNext()) {
            RoleModel role = this.scopedClient.getRole(it.next().getName());
            if (role == null) {
                throw new NotFoundException("Role not found");
            }
            this.scopeContainer.addScopeMapping(role);
        }
        this.adminEvent.operation(OperationType.CREATE).resourcePath((UriInfo) this.session.getContext().getUri()).representation(list).success();
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.SCOPE_MAPPINGS)
    @Operation(summary = "Remove client-level roles from the client's scope.")
    @DELETE
    @Consumes({MediaType.APPLICATION_JSON})
    public void deleteClientScopeMapping(List<RoleRepresentation> list) {
        this.managePermission.require();
        if (list == null) {
            Stream clientScopeMappingsStream = KeycloakModelUtils.getClientScopeMappingsStream(this.scopedClient, this.scopeContainer);
            ScopeContainerModel scopeContainerModel = this.scopeContainer;
            Objects.requireNonNull(scopeContainerModel);
            list = (List) clientScopeMappingsStream.peek(scopeContainerModel::deleteScopeMapping).map(ModelToRepresentation::toBriefRepresentation).collect(Collectors.toList());
        } else {
            Iterator<RoleRepresentation> it = list.iterator();
            while (it.hasNext()) {
                RoleModel role = this.scopedClient.getRole(it.next().getName());
                if (role == null) {
                    throw new NotFoundException("Role not found");
                }
                this.scopeContainer.deleteScopeMapping(role);
            }
        }
        this.adminEvent.operation(OperationType.DELETE).resourcePath((UriInfo) this.session.getContext().getUri()).representation(list).success();
    }
}
