package org.keycloak.migration.migrators;

import org.jboss.logging.Logger;
import org.keycloak.broker.provider.IdentityProviderMapper;
import org.keycloak.migration.ModelVersion;
import org.keycloak.models.AccountRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.utils.DefaultRequiredActions;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.representations.idm.RealmRepresentation;

/* loaded from: input_file:org/keycloak/migration/migrators/MigrateTo9_0_0.class */
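/**
 * Realm migration for model version 9.0.0.
 *
 * <p>For each realm it runs four steps, in this order:
 * <ol>
 *   <li>creates the account-console client if the realm does not have one yet,</li>
 *   <li>adds the view-applications, view-consent and manage-consent roles to the account client,</li>
 *   <li>sets the PKCE code challenge method attribute to {@code S256} on the admin-console and
 *       account-console clients,</li>
 *   <li>calls {@link DefaultRequiredActions#addUpdateLocaleAction(RealmModel)}.</li>
 * </ol>
 *
 * <p>Step 1 runs before step 3 on purpose: the account-console client is created as a public
 * client, and the PKCE attribute is only applied to clients that already exist.
 */
public class MigrateTo9_0_0 implements Migration {
    public static final ModelVersion VERSION = new ModelVersion("9.0.0");
    private static final Logger LOG = Logger.getLogger(MigrateTo9_0_0.class);

    /** Client attribute written by {@link #enablePkceAdminAccountClients(RealmModel)}. */
    private static final String PKCE_METHOD_ATTRIBUTE = "pkce.code.challenge.method";
    /** Value stored under {@link #PKCE_METHOD_ATTRIBUTE}. */
    private static final String PKCE_METHOD_S256 = "S256";

    /**
     * Returns the model version this migration upgrades to.
     *
     * @return {@link #VERSION}
     */
    @Override
    public ModelVersion getVersion() {
        return VERSION;
    }

    /**
     * Applies the 9.0.0 changes to every realm returned by the session's realm provider.
     *
     * @param keycloakSession session used to enumerate the realms
     */
    @Override
    public void migrate(KeycloakSession keycloakSession) {
        keycloakSession.realms().getRealms().forEach(this::migrateRealmCommon);
    }

    /**
     * Applies the 9.0.0 changes to a single realm that is being imported.
     *
     * @param keycloakSession not used by this migration
     * @param realmModel realm to migrate
     * @param realmRepresentation not used by this migration
     * @param z not used by this migration
     */
    @Override
    public void migrateImport(KeycloakSession keycloakSession, RealmModel realmModel, RealmRepresentation realmRepresentation, boolean z) {
        migrateRealmCommon(realmModel);
    }

    /**
     * Runs the per-realm steps. The order matters: the account-console client must exist before
     * the PKCE attribute is applied, otherwise a freshly created public client would be left
     * without it.
     *
     * @param realmModel realm to migrate
     */
    protected void migrateRealmCommon(RealmModel realmModel) {
        addAccountConsoleClient(realmModel);
        addAccountApiRoles(realmModel);
        enablePkceAdminAccountClients(realmModel);
        DefaultRequiredActions.addUpdateLocaleAction(realmModel);
    }

    /**
     * Adds the account API roles to the realm's account client and makes view-consent a composite
     * of manage-consent.
     *
     * <p>If the realm has no account client the step is skipped with a warning, matching the
     * null-tolerant handling in {@link #enablePkceAdminAccountClients(RealmModel)}; previously a
     * missing client ended the whole migration with a {@link NullPointerException}.
     *
     * @param realmModel realm to migrate
     */
    private void addAccountApiRoles(RealmModel realmModel) {
        ClientModel accountClient = realmModel.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
        if (accountClient == null) {
            LOG.warnf("Realm '%s' has no '%s' client; account API roles were not added.",
                    realmModel.getName(), Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
            return;
        }

        addAccountRole(accountClient, AccountRoles.VIEW_APPLICATIONS, "${role_view-applications}");
        RoleModel viewConsent = addAccountRole(accountClient, AccountRoles.VIEW_CONSENT, "${role_view-consent}");
        RoleModel manageConsent = addAccountRole(accountClient, AccountRoles.MANAGE_CONSENT, "${role_manage-consent}");

        // Holders of manage-consent implicitly receive view-consent.
        manageConsent.addCompositeRole(viewConsent);
        LOG.debugf("Added the %s role as a composite role to %s", AccountRoles.VIEW_CONSENT, AccountRoles.MANAGE_CONSENT);
    }

    /** Adds one role to the account client, sets its description and logs the addition. */
    private RoleModel addAccountRole(ClientModel accountClient, String roleName, String description) {
        RoleModel role = accountClient.addRole(roleName);
        role.setDescription(description);
        LOG.debugf("Added the role %s to the '%s' client.", roleName, Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
        return role;
    }

    /**
     * Creates the account-console client unless the realm already has one.
     *
     * <p>The client is configured as an enabled public client with full scope switched off and
     * direct access grants disabled; the only scope mapping added is the account client's
     * manage-account role. If that role (or the account client itself) is missing, the client is
     * still created but without the mapping, and a warning is logged instead of failing with a
     * {@link NullPointerException}.
     *
     * @param realmModel realm to migrate
     */
    protected void addAccountConsoleClient(RealmModel realmModel) {
        if (realmModel.getClientByClientId(Constants.ACCOUNT_CONSOLE_CLIENT_ID) != null) {
            return;
        }

        ClientModel consoleClient = KeycloakModelUtils.createClient(realmModel, Constants.ACCOUNT_CONSOLE_CLIENT_ID);
        consoleClient.setName("${client_account-console}");
        consoleClient.setEnabled(true);
        consoleClient.setFullScopeAllowed(false);
        // Public client: it has no secret, which is why the PKCE attribute is set on it later.
        consoleClient.setPublicClient(true);
        consoleClient.setDirectAccessGrantsEnabled(false);
        consoleClient.setRootUrl(Constants.AUTH_BASE_URL_PROP);

        String accountPath = "/realms/" + realmModel.getName() + "/account/";
        consoleClient.setBaseUrl(accountPath);
        // NOTE(review): ANY_PROVIDER is presumably the "*" wildcard, attributed to an unrelated
        // constant by the decompiler; confirm. If so, redirects are limited to this realm's
        // account path and should not be widened.
        consoleClient.addRedirectUri(accountPath + IdentityProviderMapper.ANY_PROVIDER);
        // NOTE(review): RepresentationToModel.OIDC is presumably the OIDC protocol id; confirm.
        consoleClient.setProtocol(RepresentationToModel.OIDC);

        ClientModel accountClient = realmModel.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
        RoleModel manageAccount = accountClient == null ? null : accountClient.getRole(AccountRoles.MANAGE_ACCOUNT);
        if (manageAccount != null) {
            consoleClient.addScopeMapping(manageAccount);
        } else {
            // Leaving the mapping out keeps the new client at the narrower scope.
            LOG.warnf("Realm '%s' has no '%s' role on the '%s' client; '%s' was created without that scope mapping.",
                    realmModel.getName(), AccountRoles.MANAGE_ACCOUNT,
                    Constants.ACCOUNT_MANAGEMENT_CLIENT_ID, Constants.ACCOUNT_CONSOLE_CLIENT_ID);
        }

        ProtocolMapperModel audienceResolve = new ProtocolMapperModel();
        audienceResolve.setName("audience resolve");
        audienceResolve.setProtocol(RepresentationToModel.OIDC);
        audienceResolve.setProtocolMapper("oidc-audience-resolve-mapper");
        consoleClient.addProtocolMapper(audienceResolve);
    }

    /**
     * Sets the PKCE code challenge method attribute to S256 on the admin-console and
     * account-console clients. A client that does not exist in the realm is skipped.
     *
     * @param realmModel realm to migrate
     */
    private void enablePkceAdminAccountClients(RealmModel realmModel) {
        requirePkceS256(realmModel.getClientByClientId(Constants.ADMIN_CONSOLE_CLIENT_ID));
        requirePkceS256(realmModel.getClientByClientId(Constants.ACCOUNT_CONSOLE_CLIENT_ID));
    }

    /** Writes the S256 PKCE attribute on the given client; does nothing for {@code null}. */
    private void requirePkceS256(ClientModel client) {
        if (client != null) {
            client.setAttribute(PKCE_METHOD_ATTRIBUTE, PKCE_METHOD_S256);
        }
    }
}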
