package org.keycloak.services.resources.admin;

import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.DELETE;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.PUT;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriBuilder;
import jakarta.ws.rs.core.UriInfo;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.eclipse.microprofile.openapi.annotations.Operation;
import org.eclipse.microprofile.openapi.annotations.extensions.Extension;
import org.eclipse.microprofile.openapi.annotations.parameters.Parameter;
import org.eclipse.microprofile.openapi.annotations.tags.Tag;
import org.jboss.logging.Logger;
import org.jboss.resteasy.reactive.NoCache;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.ClientAuthenticator;
import org.keycloak.authentication.ConfigurableAuthenticatorFactory;
import org.keycloak.authentication.FormAction;
import org.keycloak.authentication.FormAuthenticator;
import org.keycloak.authentication.RequiredActionFactory;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.deployment.DeployedConfigurationsManager;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticationFlowModel;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredActionProviderModel;
import org.keycloak.models.utils.Base32;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.provider.ConfiguredProvider;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.provider.ProviderFactory;
import org.keycloak.representations.idm.AuthenticationExecutionInfoRepresentation;
import org.keycloak.representations.idm.AuthenticationExecutionRepresentation;
import org.keycloak.representations.idm.AuthenticationFlowRepresentation;
import org.keycloak.representations.idm.AuthenticatorConfigInfoRepresentation;
import org.keycloak.representations.idm.AuthenticatorConfigRepresentation;
import org.keycloak.representations.idm.ConfigPropertyRepresentation;
import org.keycloak.representations.idm.RequiredActionProviderRepresentation;
import org.keycloak.services.ErrorResponse;
import org.keycloak.services.resources.KeycloakOpenAPI;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
import org.keycloak.utils.CredentialHelper;
import org.keycloak.utils.MediaType;
import org.keycloak.utils.ReservedCharValidator;

@Extension(name = KeycloakOpenAPI.Profiles.ADMIN, value = "")
/* loaded from: input_file:org/keycloak/services/resources/admin/AuthenticationManagementResource.class */
public class AuthenticationManagementResource {
    private final RealmModel realm;
    private final KeycloakSession session;
    private final AdminPermissionEvaluator auth;
    private final AdminEventBuilder adminEvent;
    protected static final Logger logger = Logger.getLogger(AuthenticationManagementResource.class);

    public AuthenticationManagementResource(KeycloakSession keycloakSession, AdminPermissionEvaluator adminPermissionEvaluator, AdminEventBuilder adminEventBuilder) {
        this.session = keycloakSession;
        this.realm = keycloakSession.getContext().getRealm();
        this.auth = adminPermissionEvaluator;
        this.adminEvent = adminEventBuilder.resource(ResourceType.AUTH_FLOW);
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Get form providers Returns a stream of form providers.")
    @Path("/form-providers")
    @GET
    public Stream<Map<String, Object>> getFormProviders() {
        this.auth.realm().requireViewRealm();
        return buildProviderMetadata(this.session.getKeycloakSessionFactory().getProviderFactoriesStream(FormAuthenticator.class));
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Get authenticator providers Returns a stream of authenticator providers.")
    @Path("/authenticator-providers")
    @GET
    public Stream<Map<String, Object>> getAuthenticatorProviders() {
        this.auth.realm().requireViewRealm();
        return buildProviderMetadata(this.session.getKeycloakSessionFactory().getProviderFactoriesStream(Authenticator.class));
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Get client authenticator providers Returns a stream of client authenticator providers.")
    @Path("/client-authenticator-providers")
    @GET
    public Stream<Map<String, Object>> getClientAuthenticatorProviders() {
        this.auth.realm().requireViewClientAuthenticatorProviders();
        return buildProviderMetadata(this.session.getKeycloakSessionFactory().getProviderFactoriesStream(ClientAuthenticator.class));
    }

    public Stream<Map<String, Object>> buildProviderMetadata(Stream<ProviderFactory> stream) {
        return stream.map(providerFactory -> {
            HashMap hashMap = new HashMap();
            hashMap.put("id", providerFactory.getId());
            ConfigurableAuthenticatorFactory configurableAuthenticatorFactory = (ConfigurableAuthenticatorFactory) providerFactory;
            hashMap.put("description", configurableAuthenticatorFactory.getHelpText());
            hashMap.put("displayName", configurableAuthenticatorFactory.getDisplayType());
            return hashMap;
        });
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Get form action providers Returns a stream of form action providers.")
    @Path("/form-action-providers")
    @GET
    public Stream<Map<String, Object>> getFormActionProviders() {
        this.auth.realm().requireViewRealm();
        return buildProviderMetadata(this.session.getKeycloakSessionFactory().getProviderFactoriesStream(FormAction.class));
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Get authentication flows Returns a stream of authentication flows.")
    @Path("/flows")
    @GET
    public Stream<AuthenticationFlowRepresentation> getFlows() {
        this.auth.realm().requireViewAuthenticationFlows();
        return this.realm.getAuthenticationFlowsStream().filter(authenticationFlowModel -> {
            return authenticationFlowModel.isTopLevel() && !Objects.equals(authenticationFlowModel.getAlias(), "saml ecp");
        }).map(authenticationFlowModel2 -> {
            return ModelToRepresentation.toRepresentation(this.session, this.realm, authenticationFlowModel2);
        });
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Create a new authentication flow")
    @POST
    @Path("/flows")
    @Consumes({MediaType.APPLICATION_JSON})
    public Response createFlow(@Parameter(description = "Authentication flow representation") AuthenticationFlowRepresentation authenticationFlowRepresentation) {
        this.auth.realm().requireManageRealm();
        if (authenticationFlowRepresentation.getAlias() == null || authenticationFlowRepresentation.getAlias().isEmpty()) {
            throw ErrorResponse.exists("Failed to create flow with empty alias name");
        }
        if (this.realm.getFlowByAlias(authenticationFlowRepresentation.getAlias()) != null) {
            throw ErrorResponse.exists("Flow " + authenticationFlowRepresentation.getAlias() + " already exists");
        }
        if (Objects.isNull(authenticationFlowRepresentation.getDescription())) {
            authenticationFlowRepresentation.setDescription("");
        }
        ReservedCharValidator.validate(authenticationFlowRepresentation.getAlias());
        AuthenticationFlowModel addAuthenticationFlow = this.realm.addAuthenticationFlow(RepresentationToModel.toModel(authenticationFlowRepresentation));
        authenticationFlowRepresentation.setId(addAuthenticationFlow.getId());
        this.adminEvent.operation(OperationType.CREATE).resourcePath(this.session.getContext().getUri(), addAuthenticationFlow.getId()).representation(authenticationFlowRepresentation).success();
        return Response.created(this.session.getContext().getUri().getAbsolutePathBuilder().path(authenticationFlowRepresentation.getId()).build(new Object[0])).build();
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Get authentication flow for id")
    @Path("/flows/{id}")
    @GET
    public AuthenticationFlowRepresentation getFlow(@Parameter(description = "Flow id") @PathParam("id") String str) {
        this.auth.realm().requireViewRealm();
        AuthenticationFlowModel authenticationFlowById = this.realm.getAuthenticationFlowById(str);
        if (authenticationFlowById == null) {
            throw new NotFoundException("Could not find flow with id");
        }
        return ModelToRepresentation.toRepresentation(this.session, this.realm, authenticationFlowById);
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Path("/flows/{id}")
    @Consumes({MediaType.APPLICATION_JSON})
    @Produces({MediaType.APPLICATION_JSON})
    @Operation(summary = "Update an authentication flow")
    @PUT
    public Response updateFlow(@PathParam("id") String str, AuthenticationFlowRepresentation authenticationFlowRepresentation) {
        this.auth.realm().requireManageRealm();
        AuthenticationFlowRepresentation flow = getFlow(str);
        if (authenticationFlowRepresentation.getAlias() == null || authenticationFlowRepresentation.getAlias().isEmpty()) {
            throw ErrorResponse.exists("Failed to update flow with empty alias name");
        }
        ReservedCharValidator.validate(authenticationFlowRepresentation.getAlias());
        AuthenticationFlowModel authenticationFlowById = this.realm.getAuthenticationFlowById(str);
        if (authenticationFlowById == null) {
            this.session.getTransactionManager().setRollbackOnly();
            throw new NotFoundException("Illegal execution");
        }
        if (this.realm.getFlowByAlias(authenticationFlowRepresentation.getAlias()) != null && !authenticationFlowById.getAlias().equals(authenticationFlowRepresentation.getAlias())) {
            throw ErrorResponse.exists("Flow alias name already exists");
        }
        if (authenticationFlowById.getAlias() != null && !authenticationFlowById.getAlias().equals(authenticationFlowRepresentation.getAlias())) {
            authenticationFlowById.setAlias(authenticationFlowRepresentation.getAlias());
        } else if (authenticationFlowById.getAlias() == null && authenticationFlowRepresentation.getAlias() != null) {
            authenticationFlowById.setAlias(authenticationFlowRepresentation.getAlias());
        }
        if (authenticationFlowById.getDescription() != null && !authenticationFlowById.getDescription().equals(authenticationFlowRepresentation.getDescription())) {
            authenticationFlowById.setDescription(authenticationFlowRepresentation.getDescription());
        } else if (authenticationFlowById.getDescription() == null && authenticationFlowRepresentation.getDescription() != null) {
            authenticationFlowById.setDescription(authenticationFlowRepresentation.getDescription());
        }
        authenticationFlowRepresentation.setId(flow.getId());
        this.realm.updateAuthenticationFlow(RepresentationToModel.toModel(authenticationFlowRepresentation));
        this.adminEvent.operation(OperationType.UPDATE).resourcePath((UriInfo) this.session.getContext().getUri()).representation(authenticationFlowRepresentation).success();
        return Response.accepted(authenticationFlowRepresentation).build();
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Delete an authentication flow")
    @Path("/flows/{id}")
    @DELETE
    public void deleteFlow(@Parameter(description = "Flow id") @PathParam("id") String str) {
        this.auth.realm().requireManageRealm();
        KeycloakModelUtils.deepDeleteAuthenticationFlow(this.realm, this.realm.getAuthenticationFlowById(str), () -> {
            throw new NotFoundException("Could not find flow with id");
        }, () -> {
            throw new BadRequestException("Can't delete built in flow");
        });
        this.adminEvent.operation(OperationType.DELETE).resourcePath((UriInfo) this.session.getContext().getUri()).success();
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Copy existing authentication flow under a new name The new name is given as 'newName' attribute of the passed JSON object")
    @POST
    @Path("/flows/{flowAlias}/copy")
    @Consumes({MediaType.APPLICATION_JSON})
    public Response copy(@Parameter(description = "name of the existing authentication flow") @PathParam("flowAlias") String str, Map<String, String> map) {
        this.auth.realm().requireManageRealm();
        String str2 = map.get("newName");
        if (this.realm.getFlowByAlias(str2) != null) {
            throw ErrorResponse.exists("New flow alias name already exists");
        }
        AuthenticationFlowModel flowByAlias = this.realm.getFlowByAlias(str);
        if (flowByAlias == null) {
            logger.debug("flow not found: " + str);
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        map.put("id", copyFlow(this.session, this.realm, flowByAlias, str2).getId());
        this.adminEvent.operation(OperationType.CREATE).resourcePath((UriInfo) this.session.getContext().getUri()).representation(map).success();
        return Response.status(Response.Status.CREATED).build();
    }

    public static AuthenticationFlowModel copyFlow(KeycloakSession keycloakSession, RealmModel realmModel, AuthenticationFlowModel authenticationFlowModel, String str) {
        AuthenticationFlowModel authenticationFlowModel2 = new AuthenticationFlowModel();
        authenticationFlowModel2.setAlias(str);
        authenticationFlowModel2.setDescription(authenticationFlowModel.getDescription());
        authenticationFlowModel2.setProviderId(authenticationFlowModel.getProviderId());
        authenticationFlowModel2.setBuiltIn(false);
        authenticationFlowModel2.setTopLevel(authenticationFlowModel.isTopLevel());
        AuthenticationFlowModel addAuthenticationFlow = realmModel.addAuthenticationFlow(authenticationFlowModel2);
        copy(keycloakSession, realmModel, str, authenticationFlowModel, addAuthenticationFlow);
        return addAuthenticationFlow;
    }

    public static void copy(KeycloakSession keycloakSession, RealmModel realmModel, String str, AuthenticationFlowModel authenticationFlowModel, AuthenticationFlowModel authenticationFlowModel2) {
        realmModel.getAuthenticationExecutionsStream(authenticationFlowModel.getId()).forEachOrdered(authenticationExecutionModel -> {
            if (authenticationExecutionModel.isAuthenticatorFlow()) {
                AuthenticationFlowModel authenticationFlowById = realmModel.getAuthenticationFlowById(authenticationExecutionModel.getFlowId());
                AuthenticationFlowModel authenticationFlowModel3 = new AuthenticationFlowModel();
                authenticationFlowModel3.setAlias(str + " " + authenticationFlowById.getAlias());
                authenticationFlowModel3.setDescription(authenticationFlowById.getDescription());
                authenticationFlowModel3.setProviderId(authenticationFlowById.getProviderId());
                authenticationFlowModel3.setBuiltIn(false);
                authenticationFlowModel3.setTopLevel(false);
                AuthenticationFlowModel addAuthenticationFlow = realmModel.addAuthenticationFlow(authenticationFlowModel3);
                authenticationExecutionModel.setFlowId(addAuthenticationFlow.getId());
                copy(keycloakSession, realmModel, str, authenticationFlowById, addAuthenticationFlow);
            }
            if (authenticationExecutionModel.getAuthenticatorConfig() != null) {
                DeployedConfigurationsManager deployedConfigurationsManager = new DeployedConfigurationsManager(keycloakSession);
                AuthenticatorConfigModel authenticatorConfig = deployedConfigurationsManager.getAuthenticatorConfig(realmModel, authenticationExecutionModel.getAuthenticatorConfig());
                if (authenticatorConfig == null) {
                    logger.debugf("Authentication execution with id [%s] not found", authenticatorConfig.getId());
                    throw new IllegalStateException("Authentication execution configuration not found");
                }
                if (deployedConfigurationsManager.getDeployedAuthenticatorConfig(authenticationExecutionModel.getAuthenticatorConfig()) != null) {
                    authenticationExecutionModel.setAuthenticatorConfig(authenticatorConfig.getId());
                } else {
                    authenticatorConfig.setId((String) null);
                    if (authenticatorConfig.getAlias() != null) {
                        authenticatorConfig.setAlias(str + " " + authenticatorConfig.getAlias());
                    }
                    authenticationExecutionModel.setAuthenticatorConfig(realmModel.addAuthenticatorConfig(authenticatorConfig).getId());
                }
            }
            authenticationExecutionModel.setId((String) null);
            authenticationExecutionModel.setParentFlow(authenticationFlowModel2.getId());
            realmModel.addAuthenticatorExecution(authenticationExecutionModel);
        });
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Add new flow with new execution to existing flow")
    @POST
    @Path("/flows/{flowAlias}/executions/flow")
    @Consumes({MediaType.APPLICATION_JSON})
    public Response addExecutionFlow(@Parameter(description = "Alias of parent authentication flow") @PathParam("flowAlias") String str, @Parameter(description = "New authentication flow / execution JSON data containing 'alias', 'type', 'provider', and 'description' attributes") Map<String, String> map) {
        this.auth.realm().requireManageRealm();
        AuthenticationFlowModel flowByAlias = this.realm.getFlowByAlias(str);
        if (flowByAlias == null) {
            throw ErrorResponse.error("Parent flow doesn't exist", Response.Status.BAD_REQUEST);
        }
        if (flowByAlias.isBuiltIn()) {
            throw new BadRequestException("It is illegal to add sub-flow to a built in flow");
        }
        String str2 = map.get("alias");
        String str3 = map.get("type");
        String str4 = map.get("provider");
        String str5 = Objects.isNull(map.get("description")) ? "" : map.get("description");
        if (this.realm.getFlowByAlias(str2) != null) {
            throw ErrorResponse.exists("New flow alias name already exists");
        }
        AuthenticationFlowModel authenticationFlowModel = new AuthenticationFlowModel();
        authenticationFlowModel.setAlias(str2);
        authenticationFlowModel.setDescription(str5);
        authenticationFlowModel.setProviderId(str3);
        AuthenticationFlowModel addAuthenticationFlow = this.realm.addAuthenticationFlow(authenticationFlowModel);
        AuthenticationExecutionModel authenticationExecutionModel = new AuthenticationExecutionModel();
        authenticationExecutionModel.setParentFlow(flowByAlias.getId());
        authenticationExecutionModel.setFlowId(addAuthenticationFlow.getId());
        authenticationExecutionModel.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED);
        authenticationExecutionModel.setAuthenticatorFlow(true);
        if (str3.equals("form-flow")) {
            authenticationExecutionModel.setAuthenticator(str4);
        }
        authenticationExecutionModel.setPriority(getNextPriority(flowByAlias));
        map.put("id", this.realm.addAuthenticatorExecution(authenticationExecutionModel).getId());
        this.adminEvent.operation(OperationType.CREATE).resource(ResourceType.AUTH_EXECUTION_FLOW).resourcePath((UriInfo) this.session.getContext().getUri()).representation(map).success();
        return Response.created(this.session.getContext().getUri().getBaseUriBuilder().path(this.session.getContext().getUri().getPath().replace(UriBuilder.fromMethod(AuthenticationManagementResource.class, "addExecutionFlow").build(new Object[]{flowByAlias.getAlias()}).getPath(), "")).path("flows").path(addAuthenticationFlow.getId()).build(new Object[0])).build();
    }

    private int getNextPriority(AuthenticationFlowModel authenticationFlowModel) {
        List list = (List) this.realm.getAuthenticationExecutionsStream(authenticationFlowModel.getId()).collect(Collectors.toList());
        if (list.isEmpty()) {
            return 0;
        }
        return ((AuthenticationExecutionModel) list.get(list.size() - 1)).getPriority() + 1;
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Add new authentication execution to a flow")
    @POST
    @Path("/flows/{flowAlias}/executions/execution")
    @Consumes({MediaType.APPLICATION_JSON})
    public Response addExecutionToFlow(@Parameter(description = "Alias of parent flow") @PathParam("flowAlias") String str, @Parameter(description = "New execution JSON data containing 'provider' attribute") Map<String, String> map) {
        this.auth.realm().requireManageRealm();
        AuthenticationFlowModel flowByAlias = this.realm.getFlowByAlias(str);
        if (flowByAlias == null) {
            throw new BadRequestException("Parent flow doesn't exist");
        }
        if (flowByAlias.isBuiltIn()) {
            throw new BadRequestException("It is illegal to add execution to a built in flow");
        }
        String str2 = map.get("provider");
        ConfigurableAuthenticatorFactory providerFactory = getProviderFactory(flowByAlias, str2);
        AuthenticationExecutionModel authenticationExecutionModel = new AuthenticationExecutionModel();
        authenticationExecutionModel.setParentFlow(flowByAlias.getId());
        ConfigurableAuthenticatorFactory configurableAuthenticatorFactory = providerFactory;
        if (configurableAuthenticatorFactory.getRequirementChoices().length == 1) {
            authenticationExecutionModel.setRequirement(configurableAuthenticatorFactory.getRequirementChoices()[0]);
        } else {
            authenticationExecutionModel.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED);
        }
        authenticationExecutionModel.setAuthenticatorFlow(false);
        authenticationExecutionModel.setAuthenticator(str2);
        authenticationExecutionModel.setPriority(getNextPriority(flowByAlias));
        AuthenticationExecutionModel addAuthenticatorExecution = this.realm.addAuthenticatorExecution(authenticationExecutionModel);
        checkConfigForDeployedProvider(providerFactory, addAuthenticatorExecution);
        map.put("id", addAuthenticatorExecution.getId());
        this.adminEvent.operation(OperationType.CREATE).resource(ResourceType.AUTH_EXECUTION).resourcePath((UriInfo) this.session.getContext().getUri()).representation(map).success();
        return Response.created(this.session.getContext().getUri().getBaseUriBuilder().path(this.session.getContext().getUri().getPath().replace(UriBuilder.fromMethod(AuthenticationManagementResource.class, "addExecutionToFlow").build(new Object[]{flowByAlias.getAlias()}).getPath(), "")).path("executions").path(addAuthenticatorExecution.getId()).build(new Object[0])).build();
    }

    private ProviderFactory getProviderFactory(AuthenticationFlowModel authenticationFlowModel, String str) {
        ProviderFactory providerFactory = authenticationFlowModel.getProviderId().equals("client-flow") ? this.session.getKeycloakSessionFactory().getProviderFactory(ClientAuthenticator.class, str) : authenticationFlowModel.getProviderId().equals("form-flow") ? this.session.getKeycloakSessionFactory().getProviderFactory(FormAction.class, str) : this.session.getKeycloakSessionFactory().getProviderFactory(Authenticator.class, str);
        if (providerFactory == null) {
            throw new BadRequestException("No authentication provider found for id: " + str);
        }
        return providerFactory;
    }

    private void checkConfigForDeployedProvider(ProviderFactory providerFactory, AuthenticationExecutionModel authenticationExecutionModel) {
        AuthenticatorConfigModel authenticatorConfigModel;
        if (!(providerFactory instanceof ConfiguredProvider) || (authenticatorConfigModel = (AuthenticatorConfigModel) ((ConfiguredProvider) providerFactory).getConfig()) == null) {
            return;
        }
        logger.tracef("Updating execution of provider '%s' with shared configuration.", authenticationExecutionModel.getAuthenticator());
        authenticationExecutionModel.setAuthenticatorConfig(authenticatorConfigModel.getId());
        this.realm.updateAuthenticatorExecution(authenticationExecutionModel);
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Get authentication executions for a flow")
    @Path("/flows/{flowAlias}/executions")
    @GET
    public Response getExecutions(@Parameter(description = "Flow alias") @PathParam("flowAlias") String str) {
        this.auth.realm().requireViewRealm();
        AuthenticationFlowModel flowByAlias = this.realm.getFlowByAlias(str);
        if (flowByAlias == null) {
            logger.debug("flow not found: " + str);
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        LinkedList linkedList = new LinkedList();
        recurseExecutions(flowByAlias, linkedList, 0);
        return Response.ok(linkedList).build();
    }

    public void recurseExecutions(AuthenticationFlowModel authenticationFlowModel, List<AuthenticationExecutionInfoRepresentation> list, int i) {
        AtomicInteger atomicInteger = new AtomicInteger(0);
        this.realm.getAuthenticationExecutionsStream(authenticationFlowModel.getId()).forEachOrdered(authenticationExecutionModel -> {
            String authenticatorConfig;
            AuthenticatorConfigModel authenticatorConfig2;
            AuthenticationExecutionInfoRepresentation authenticationExecutionInfoRepresentation = new AuthenticationExecutionInfoRepresentation();
            authenticationExecutionInfoRepresentation.setLevel(i);
            authenticationExecutionInfoRepresentation.setIndex(atomicInteger.getAndIncrement());
            authenticationExecutionInfoRepresentation.setRequirementChoices(new LinkedList());
            if (authenticationExecutionModel.isAuthenticatorFlow()) {
                AuthenticationFlowModel authenticationFlowById = this.realm.getAuthenticationFlowById(authenticationExecutionModel.getFlowId());
                if ("basic-flow".equals(authenticationFlowById.getProviderId())) {
                    authenticationExecutionInfoRepresentation.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.REQUIRED.name());
                    authenticationExecutionInfoRepresentation.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.ALTERNATIVE.name());
                    authenticationExecutionInfoRepresentation.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.DISABLED.name());
                    authenticationExecutionInfoRepresentation.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.CONDITIONAL.name());
                } else if ("form-flow".equals(authenticationFlowById.getProviderId())) {
                    authenticationExecutionInfoRepresentation.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.REQUIRED.name());
                    authenticationExecutionInfoRepresentation.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.DISABLED.name());
                    authenticationExecutionInfoRepresentation.setProviderId(authenticationExecutionModel.getAuthenticator());
                    authenticationExecutionInfoRepresentation.setAuthenticationConfig(authenticationExecutionModel.getAuthenticatorConfig());
                } else if ("client-flow".equals(authenticationFlowById.getProviderId())) {
                    authenticationExecutionInfoRepresentation.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.ALTERNATIVE.name());
                    authenticationExecutionInfoRepresentation.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.REQUIRED.name());
                    authenticationExecutionInfoRepresentation.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.DISABLED.name());
                }
                authenticationExecutionInfoRepresentation.setDisplayName(authenticationFlowById.getAlias());
                authenticationExecutionInfoRepresentation.setDescription(authenticationFlowById.getDescription());
                authenticationExecutionInfoRepresentation.setConfigurable(false);
                authenticationExecutionInfoRepresentation.setId(authenticationExecutionModel.getId());
                authenticationExecutionInfoRepresentation.setAuthenticationFlow(Boolean.valueOf(authenticationExecutionModel.isAuthenticatorFlow()));
                authenticationExecutionInfoRepresentation.setRequirement(authenticationExecutionModel.getRequirement().name());
                authenticationExecutionInfoRepresentation.setFlowId(authenticationExecutionModel.getFlowId());
                list.add(authenticationExecutionInfoRepresentation);
                recurseExecutions(this.realm.getAuthenticationFlowById(authenticationExecutionModel.getFlowId()), list, i + 1);
                return;
            }
            String authenticator = authenticationExecutionModel.getAuthenticator();
            ConfigurableAuthenticatorFactory configurableAuthenticatorFactory = CredentialHelper.getConfigurableAuthenticatorFactory(this.session, authenticator);
            if (configurableAuthenticatorFactory == null) {
                logger.warnf("Cannot find authentication provider implementation with provider ID '%s'", authenticator);
                throw new NotFoundException("Could not find authenticator provider");
            }
            authenticationExecutionInfoRepresentation.setDisplayName(configurableAuthenticatorFactory.getDisplayType());
            authenticationExecutionInfoRepresentation.setConfigurable(Boolean.valueOf(configurableAuthenticatorFactory.isConfigurable()));
            for (AuthenticationExecutionModel.Requirement requirement : configurableAuthenticatorFactory.getRequirementChoices()) {
                authenticationExecutionInfoRepresentation.getRequirementChoices().add(requirement.name());
            }
            authenticationExecutionInfoRepresentation.setId(authenticationExecutionModel.getId());
            if (configurableAuthenticatorFactory.isConfigurable() && (authenticatorConfig = authenticationExecutionModel.getAuthenticatorConfig()) != null && (authenticatorConfig2 = new DeployedConfigurationsManager(this.session).getAuthenticatorConfig(this.realm, authenticatorConfig)) != null) {
                authenticationExecutionInfoRepresentation.setAlias(authenticatorConfig2.getAlias());
            }
            authenticationExecutionInfoRepresentation.setRequirement(authenticationExecutionModel.getRequirement().name());
            String authenticator2 = authenticationExecutionModel.getAuthenticator();
            if (authenticator2.startsWith("script-")) {
                authenticator2 = Base32.encode(authenticator2.getBytes());
            }
            authenticationExecutionInfoRepresentation.setProviderId(authenticator2);
            authenticationExecutionInfoRepresentation.setAuthenticationConfig(authenticationExecutionModel.getAuthenticatorConfig());
            list.add(authenticationExecutionInfoRepresentation);
        });
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Path("/flows/{flowAlias}/executions")
    @Consumes({MediaType.APPLICATION_JSON})
    @Produces({MediaType.APPLICATION_JSON})
    @Operation(summary = "Update authentication executions of a Flow")
    @PUT
    public Response updateExecutions(@Parameter(description = "Flow alias") @PathParam("flowAlias") String str, @Parameter(description = "AuthenticationExecutionInfoRepresentation") AuthenticationExecutionInfoRepresentation authenticationExecutionInfoRepresentation) {
        this.auth.realm().requireManageRealm();
        AuthenticationFlowModel flowByAlias = this.realm.getFlowByAlias(str);
        if (flowByAlias == null) {
            logger.debug("flow not found: " + str);
            throw new NotFoundException("flow not found");
        }
        AuthenticationExecutionModel authenticationExecutionById = this.realm.getAuthenticationExecutionById(authenticationExecutionInfoRepresentation.getId());
        if (authenticationExecutionById == null) {
            this.session.getTransactionManager().setRollbackOnly();
            throw new NotFoundException("Illegal execution");
        }
        if (!authenticationExecutionById.getRequirement().name().equals(authenticationExecutionInfoRepresentation.getRequirement())) {
            authenticationExecutionById.setRequirement(AuthenticationExecutionModel.Requirement.valueOf(authenticationExecutionInfoRepresentation.getRequirement()));
            this.realm.updateAuthenticatorExecution(authenticationExecutionById);
            this.adminEvent.operation(OperationType.UPDATE).resource(ResourceType.AUTH_EXECUTION).resourcePath((UriInfo) this.session.getContext().getUri()).representation(authenticationExecutionInfoRepresentation).success();
            return Response.accepted(flowByAlias).build();
        }
        if (authenticationExecutionInfoRepresentation.getAuthenticationFlow() == null) {
            return Response.accepted(flowByAlias).build();
        }
        AuthenticationFlowModel authenticationFlowById = this.realm.getAuthenticationFlowById(authenticationExecutionInfoRepresentation.getFlowId());
        if (authenticationFlowById == null) {
            this.session.getTransactionManager().setRollbackOnly();
            throw new NotFoundException("Illegal execution");
        }
        if (this.realm.getFlowByAlias(authenticationExecutionInfoRepresentation.getDisplayName()) != null && !authenticationFlowById.getAlias().equals(authenticationExecutionInfoRepresentation.getDisplayName())) {
            throw ErrorResponse.exists("Flow alias name already exists");
        }
        if (!authenticationFlowById.getAlias().equals(authenticationExecutionInfoRepresentation.getDisplayName())) {
            authenticationFlowById.setAlias(authenticationExecutionInfoRepresentation.getDisplayName());
        }
        if (Objects.isNull(authenticationFlowById.getDescription())) {
            authenticationFlowById.setDescription("");
        }
        if (!authenticationFlowById.getDescription().equals(authenticationExecutionInfoRepresentation.getDescription())) {
            authenticationFlowById.setDescription(authenticationExecutionInfoRepresentation.getDescription());
        }
        this.realm.updateAuthenticationFlow(authenticationFlowById);
        this.adminEvent.operation(OperationType.UPDATE).resource(ResourceType.AUTH_EXECUTION).resourcePath((UriInfo) this.session.getContext().getUri()).representation(authenticationExecutionInfoRepresentation).success();
        return Response.accepted(flowByAlias).build();
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Get Single Execution")
    @Path("/executions/{executionId}")
    @GET
    public Response getExecution(@PathParam("executionId") String str) {
        this.auth.realm().requireManageRealm();
        Optional ofNullable = Optional.ofNullable(this.realm.getAuthenticationExecutionById(str));
        if (ofNullable.isPresent()) {
            return Response.ok(ofNullable.get()).build();
        }
        logger.debugv("Could not find execution by Id: {}", str);
        throw new NotFoundException("Illegal execution");
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Add new authentication execution")
    @POST
    @Path("/executions")
    @Consumes({MediaType.APPLICATION_JSON})
    public Response addExecution(@Parameter(description = "JSON model describing authentication execution") AuthenticationExecutionRepresentation authenticationExecutionRepresentation) {
        this.auth.realm().requireManageRealm();
        AuthenticationExecutionModel model = RepresentationToModel.toModel(this.session, this.realm, authenticationExecutionRepresentation);
        AuthenticationFlowModel parentFlow = getParentFlow(model);
        if (parentFlow.isBuiltIn()) {
            throw new BadRequestException("It is illegal to add execution to a built in flow");
        }
        model.setPriority(getNextPriority(parentFlow));
        AuthenticationExecutionModel addAuthenticatorExecution = this.realm.addAuthenticatorExecution(model);
        if (!authenticationExecutionRepresentation.isAuthenticatorFlow()) {
            checkConfigForDeployedProvider(getProviderFactory(parentFlow, authenticationExecutionRepresentation.getAuthenticator()), addAuthenticatorExecution);
        }
        this.adminEvent.operation(OperationType.CREATE).resource(ResourceType.AUTH_EXECUTION).resourcePath(this.session.getContext().getUri(), addAuthenticatorExecution.getId()).representation(authenticationExecutionRepresentation).success();
        return Response.created(this.session.getContext().getUri().getAbsolutePathBuilder().path(addAuthenticatorExecution.getId()).build(new Object[0])).build();
    }

    public AuthenticationFlowModel getParentFlow(AuthenticationExecutionModel authenticationExecutionModel) {
        if (authenticationExecutionModel.getParentFlow() == null) {
            throw new BadRequestException("parent flow not set on new execution");
        }
        AuthenticationFlowModel authenticationFlowById = this.realm.getAuthenticationFlowById(authenticationExecutionModel.getParentFlow());
        if (authenticationFlowById == null) {
            throw new BadRequestException("execution parent flow does not exist");
        }
        return authenticationFlowById;
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Raise execution's priority")
    @POST
    @Path("/executions/{executionId}/raise-priority")
    public void raisePriority(@Parameter(description = "Execution id") @PathParam("executionId") String str) {
        this.auth.realm().requireManageRealm();
        AuthenticationExecutionModel authenticationExecutionById = this.realm.getAuthenticationExecutionById(str);
        if (authenticationExecutionById == null) {
            this.session.getTransactionManager().setRollbackOnly();
            throw new NotFoundException("Illegal execution");
        }
        AuthenticationFlowModel parentFlow = getParentFlow(authenticationExecutionById);
        if (parentFlow.isBuiltIn()) {
            throw new BadRequestException("It is illegal to modify execution in a built in flow");
        }
        AuthenticationExecutionModel authenticationExecutionModel = null;
        for (AuthenticationExecutionModel authenticationExecutionModel2 : (List) this.realm.getAuthenticationExecutionsStream(parentFlow.getId()).collect(Collectors.toList())) {
            if (authenticationExecutionModel2.getId().equals(authenticationExecutionById.getId())) {
                break;
            } else {
                authenticationExecutionModel = authenticationExecutionModel2;
            }
        }
        if (authenticationExecutionModel == null) {
            return;
        }
        int priority = authenticationExecutionModel.getPriority();
        authenticationExecutionModel.setPriority(authenticationExecutionById.getPriority());
        this.realm.updateAuthenticatorExecution(authenticationExecutionModel);
        authenticationExecutionById.setPriority(priority);
        this.realm.updateAuthenticatorExecution(authenticationExecutionById);
        this.adminEvent.operation(OperationType.UPDATE).resource(ResourceType.AUTH_EXECUTION).resourcePath((UriInfo) this.session.getContext().getUri()).success();
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Lower execution's priority")
    @POST
    @Path("/executions/{executionId}/lower-priority")
    public void lowerPriority(@Parameter(description = "Execution id") @PathParam("executionId") String str) {
        this.auth.realm().requireManageRealm();
        AuthenticationExecutionModel authenticationExecutionById = this.realm.getAuthenticationExecutionById(str);
        if (authenticationExecutionById == null) {
            this.session.getTransactionManager().setRollbackOnly();
            throw new NotFoundException("Illegal execution");
        }
        AuthenticationFlowModel parentFlow = getParentFlow(authenticationExecutionById);
        if (parentFlow.isBuiltIn()) {
            throw new BadRequestException("It is illegal to modify execution in a built in flow");
        }
        List list = (List) this.realm.getAuthenticationExecutionsStream(parentFlow.getId()).collect(Collectors.toList());
        int i = 0;
        while (i < list.size() && !((AuthenticationExecutionModel) list.get(i)).getId().equals(authenticationExecutionById.getId())) {
            i++;
        }
        if (i + 1 >= list.size()) {
            return;
        }
        AuthenticationExecutionModel authenticationExecutionModel = (AuthenticationExecutionModel) list.get(i + 1);
        int priority = authenticationExecutionById.getPriority();
        authenticationExecutionById.setPriority(authenticationExecutionModel.getPriority());
        this.realm.updateAuthenticatorExecution(authenticationExecutionById);
        authenticationExecutionModel.setPriority(priority);
        this.realm.updateAuthenticatorExecution(authenticationExecutionModel);
        this.adminEvent.operation(OperationType.UPDATE).resource(ResourceType.AUTH_EXECUTION).resourcePath((UriInfo) this.session.getContext().getUri()).success();
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Delete execution")
    @Path("/executions/{executionId}")
    @DELETE
    public void removeExecution(@Parameter(description = "Execution id") @PathParam("executionId") String str) {
        this.auth.realm().requireManageRealm();
        AuthenticationExecutionModel authenticationExecutionById = this.realm.getAuthenticationExecutionById(str);
        if (authenticationExecutionById == null) {
            this.session.getTransactionManager().setRollbackOnly();
            throw new NotFoundException("Illegal execution");
        }
        if (getParentFlow(authenticationExecutionById).isBuiltIn()) {
            throw new BadRequestException("It is illegal to remove execution from a built in flow");
        }
        if (authenticationExecutionById.getFlowId() != null) {
            this.realm.removeAuthenticationFlow(this.realm.getAuthenticationFlowById(authenticationExecutionById.getFlowId()));
        }
        this.realm.removeAuthenticatorExecution(authenticationExecutionById);
        this.adminEvent.operation(OperationType.DELETE).resource(ResourceType.AUTH_EXECUTION).resourcePath((UriInfo) this.session.getContext().getUri()).success();
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Update execution with new configuration")
    @POST
    @Path("/executions/{executionId}/config")
    @Consumes({MediaType.APPLICATION_JSON})
    public Response newExecutionConfig(@Parameter(description = "Execution id") @PathParam("executionId") String str, @Parameter(description = "JSON with new configuration") AuthenticatorConfigRepresentation authenticatorConfigRepresentation) {
        this.auth.realm().requireManageRealm();
        ReservedCharValidator.validate(authenticatorConfigRepresentation.getAlias());
        AuthenticationExecutionModel authenticationExecutionById = this.realm.getAuthenticationExecutionById(str);
        if (authenticationExecutionById == null) {
            this.session.getTransactionManager().setRollbackOnly();
            throw new NotFoundException("Illegal execution");
        }
        AuthenticatorConfigModel model = RepresentationToModel.toModel(authenticatorConfigRepresentation);
        if (model.getAlias() == null) {
            throw ErrorResponse.error("Alias missing", Response.Status.BAD_REQUEST);
        }
        AuthenticatorConfigModel addAuthenticatorConfig = this.realm.addAuthenticatorConfig(model);
        authenticationExecutionById.setAuthenticatorConfig(addAuthenticatorConfig.getId());
        this.realm.updateAuthenticatorExecution(authenticationExecutionById);
        authenticatorConfigRepresentation.setId(addAuthenticatorConfig.getId());
        this.adminEvent.operation(OperationType.CREATE).resource(ResourceType.AUTH_EXECUTION).resourcePath((UriInfo) this.session.getContext().getUri()).representation(authenticatorConfigRepresentation).success();
        return Response.created(this.session.getContext().getUri().getAbsolutePathBuilder().path(addAuthenticatorConfig.getId()).build(new Object[0])).build();
    }

    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Get execution's configuration", deprecated = true)
    @Path("/executions/{executionId}/config/{id}")
    @GET
    public AuthenticatorConfigRepresentation getAuthenticatorConfig(@Parameter(description = "Execution id") @PathParam("executionId") String str, @Parameter(description = "Configuration id") @PathParam("id") String str2) {
        this.auth.realm().requireViewRealm();
        AuthenticatorConfigModel authenticatorConfig = new DeployedConfigurationsManager(this.session).getAuthenticatorConfig(this.realm, str2);
        if (authenticatorConfig == null) {
            throw new NotFoundException("Could not find authenticator config");
        }
        return ModelToRepresentation.toRepresentation(authenticatorConfig);
    }

    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Get unregistered required actions Returns a stream of unregistered required actions.")
    @Path("unregistered-required-actions")
    @GET
    public Stream<Map<String, String>> getUnregisteredRequiredActions() {
        this.auth.realm().requireViewRealm();
        Set set = (Set) this.realm.getRequiredActionProvidersStream().map((v0) -> {
            return v0.getProviderId();
        }).collect(Collectors.toSet());
        return this.session.getKeycloakSessionFactory().getProviderFactoriesStream(RequiredActionProvider.class).filter(providerFactory -> {
            return !set.contains(providerFactory.getId());
        }).map(providerFactory2 -> {
            RequiredActionFactory requiredActionFactory = (RequiredActionFactory) providerFactory2;
            HashMap hashMap = new HashMap();
            hashMap.put("name", requiredActionFactory.getDisplayText());
            hashMap.put("providerId", requiredActionFactory.getId());
            return hashMap;
        });
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Register a new required actions")
    @POST
    @Path("register-required-action")
    @Consumes({MediaType.APPLICATION_JSON})
    public void registerRequiredAction(@Parameter(description = "JSON containing 'providerId', and 'name' attributes.") Map<String, String> map) {
        this.auth.realm().requireManageRealm();
        String str = map.get("providerId");
        String str2 = map.get("name");
        RequiredActionProviderModel requiredActionProviderModel = new RequiredActionProviderModel();
        requiredActionProviderModel.setAlias(str);
        requiredActionProviderModel.setName(str2);
        requiredActionProviderModel.setProviderId(str);
        requiredActionProviderModel.setDefaultAction(false);
        requiredActionProviderModel.setPriority(getNextRequiredActionPriority());
        requiredActionProviderModel.setEnabled(true);
        map.put("id", this.realm.addRequiredActionProvider(requiredActionProviderModel).getId());
        this.adminEvent.operation(OperationType.CREATE).resource(ResourceType.REQUIRED_ACTION).resourcePath((UriInfo) this.session.getContext().getUri()).representation(map).success();
    }

    private int getNextRequiredActionPriority() {
        List list = (List) this.realm.getRequiredActionProvidersStream().collect(Collectors.toList());
        if (list.isEmpty()) {
            return 0;
        }
        return ((RequiredActionProviderModel) list.get(list.size() - 1)).getPriority() + 1;
    }

    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Get required actions Returns a stream of required actions.")
    @Path("required-actions")
    @GET
    public Stream<RequiredActionProviderRepresentation> getRequiredActions() {
        this.auth.realm().requireViewRequiredActions();
        return this.realm.getRequiredActionProvidersStream().map(AuthenticationManagementResource::toRepresentation);
    }

    public static RequiredActionProviderRepresentation toRepresentation(RequiredActionProviderModel requiredActionProviderModel) {
        RequiredActionProviderRepresentation requiredActionProviderRepresentation = new RequiredActionProviderRepresentation();
        requiredActionProviderRepresentation.setAlias(requiredActionProviderModel.getAlias());
        requiredActionProviderRepresentation.setProviderId(requiredActionProviderModel.getProviderId());
        requiredActionProviderRepresentation.setName(requiredActionProviderModel.getName());
        requiredActionProviderRepresentation.setDefaultAction(requiredActionProviderModel.isDefaultAction());
        requiredActionProviderRepresentation.setPriority(requiredActionProviderModel.getPriority());
        requiredActionProviderRepresentation.setEnabled(requiredActionProviderModel.isEnabled());
        requiredActionProviderRepresentation.setConfig(requiredActionProviderModel.getConfig());
        return requiredActionProviderRepresentation;
    }

    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Get required action for alias")
    @Path("required-actions/{alias}")
    @GET
    public RequiredActionProviderRepresentation getRequiredAction(@Parameter(description = "Alias of required action") @PathParam("alias") String str) {
        this.auth.realm().requireViewRealm();
        RequiredActionProviderModel requiredActionProviderByAlias = this.realm.getRequiredActionProviderByAlias(str);
        if (requiredActionProviderByAlias == null) {
            throw new NotFoundException("Failed to find required action");
        }
        return toRepresentation(requiredActionProviderByAlias);
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Update required action")
    @PUT
    @Path("required-actions/{alias}")
    @Consumes({MediaType.APPLICATION_JSON})
    public void updateRequiredAction(@Parameter(description = "Alias of required action") @PathParam("alias") String str, @Parameter(description = "JSON describing new state of required action") RequiredActionProviderRepresentation requiredActionProviderRepresentation) {
        this.auth.realm().requireManageRealm();
        RequiredActionProviderModel requiredActionProviderByAlias = this.realm.getRequiredActionProviderByAlias(str);
        if (requiredActionProviderByAlias == null) {
            throw new NotFoundException("Failed to find required action");
        }
        RequiredActionProviderModel requiredActionProviderModel = new RequiredActionProviderModel();
        requiredActionProviderModel.setId(requiredActionProviderByAlias.getId());
        requiredActionProviderModel.setName(requiredActionProviderRepresentation.getName());
        requiredActionProviderModel.setAlias(requiredActionProviderRepresentation.getAlias());
        requiredActionProviderModel.setProviderId(requiredActionProviderByAlias.getProviderId());
        requiredActionProviderModel.setDefaultAction(requiredActionProviderRepresentation.isDefaultAction());
        requiredActionProviderModel.setPriority(requiredActionProviderRepresentation.getPriority());
        requiredActionProviderModel.setEnabled(requiredActionProviderRepresentation.isEnabled());
        requiredActionProviderModel.setConfig(requiredActionProviderRepresentation.getConfig());
        this.realm.updateRequiredActionProvider(requiredActionProviderModel);
        this.adminEvent.operation(OperationType.UPDATE).resource(ResourceType.REQUIRED_ACTION).resourcePath((UriInfo) this.session.getContext().getUri()).representation(requiredActionProviderRepresentation).success();
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Delete required action")
    @Path("required-actions/{alias}")
    @DELETE
    public void removeRequiredAction(@Parameter(description = "Alias of required action") @PathParam("alias") String str) {
        this.auth.realm().requireManageRealm();
        RequiredActionProviderModel requiredActionProviderByAlias = this.realm.getRequiredActionProviderByAlias(str);
        if (requiredActionProviderByAlias == null) {
            throw new NotFoundException("Failed to find required action.");
        }
        this.realm.removeRequiredActionProvider(requiredActionProviderByAlias);
        this.adminEvent.operation(OperationType.DELETE).resource(ResourceType.REQUIRED_ACTION).resourcePath((UriInfo) this.session.getContext().getUri()).success();
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Raise required action's priority")
    @POST
    @Path("required-actions/{alias}/raise-priority")
    public void raiseRequiredActionPriority(@Parameter(description = "Alias of required action") @PathParam("alias") String str) {
        this.auth.realm().requireManageRealm();
        RequiredActionProviderModel requiredActionProviderByAlias = this.realm.getRequiredActionProviderByAlias(str);
        if (requiredActionProviderByAlias == null) {
            throw new NotFoundException("Failed to find required action.");
        }
        RequiredActionProviderModel requiredActionProviderModel = null;
        for (RequiredActionProviderModel requiredActionProviderModel2 : (List) this.realm.getRequiredActionProvidersStream().collect(Collectors.toList())) {
            if (requiredActionProviderModel2.getId().equals(requiredActionProviderByAlias.getId())) {
                break;
            } else {
                requiredActionProviderModel = requiredActionProviderModel2;
            }
        }
        if (requiredActionProviderModel == null) {
            return;
        }
        int priority = requiredActionProviderModel.getPriority();
        requiredActionProviderModel.setPriority(requiredActionProviderByAlias.getPriority());
        this.realm.updateRequiredActionProvider(requiredActionProviderModel);
        requiredActionProviderByAlias.setPriority(priority);
        this.realm.updateRequiredActionProvider(requiredActionProviderByAlias);
        this.adminEvent.operation(OperationType.UPDATE).resource(ResourceType.REQUIRED_ACTION).resourcePath((UriInfo) this.session.getContext().getUri()).success();
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Lower required action's priority")
    @POST
    @Path("/required-actions/{alias}/lower-priority")
    public void lowerRequiredActionPriority(@Parameter(description = "Alias of required action") @PathParam("alias") String str) {
        this.auth.realm().requireManageRealm();
        RequiredActionProviderModel requiredActionProviderByAlias = this.realm.getRequiredActionProviderByAlias(str);
        if (requiredActionProviderByAlias == null) {
            throw new NotFoundException("Failed to find required action.");
        }
        List list = (List) this.realm.getRequiredActionProvidersStream().collect(Collectors.toList());
        int i = 0;
        while (i < list.size() && !((RequiredActionProviderModel) list.get(i)).getId().equals(requiredActionProviderByAlias.getId())) {
            i++;
        }
        if (i + 1 >= list.size()) {
            return;
        }
        RequiredActionProviderModel requiredActionProviderModel = (RequiredActionProviderModel) list.get(i + 1);
        int priority = requiredActionProviderByAlias.getPriority();
        requiredActionProviderByAlias.setPriority(requiredActionProviderModel.getPriority());
        this.realm.updateRequiredActionProvider(requiredActionProviderByAlias);
        requiredActionProviderModel.setPriority(priority);
        this.realm.updateRequiredActionProvider(requiredActionProviderModel);
        this.adminEvent.operation(OperationType.UPDATE).resource(ResourceType.REQUIRED_ACTION).resourcePath((UriInfo) this.session.getContext().getUri()).success();
    }

    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Get authenticator provider's configuration description")
    @Path("config-description/{providerId}")
    @GET
    public AuthenticatorConfigInfoRepresentation getAuthenticatorConfigDescription(@PathParam("providerId") String str) {
        this.auth.realm().requireViewRealm();
        ConfigurableAuthenticatorFactory configurableAuthenticatorFactory = CredentialHelper.getConfigurableAuthenticatorFactory(this.session, str);
        if (configurableAuthenticatorFactory == null) {
            str = new String(Base32.decode(str));
            configurableAuthenticatorFactory = CredentialHelper.getConfigurableAuthenticatorFactory(this.session, str);
        }
        if (configurableAuthenticatorFactory == null) {
            throw new NotFoundException("Could not find authenticator provider");
        }
        AuthenticatorConfigInfoRepresentation authenticatorConfigInfoRepresentation = new AuthenticatorConfigInfoRepresentation();
        authenticatorConfigInfoRepresentation.setProviderId(str);
        authenticatorConfigInfoRepresentation.setName(configurableAuthenticatorFactory.getDisplayType());
        authenticatorConfigInfoRepresentation.setHelpText(configurableAuthenticatorFactory.getHelpText());
        authenticatorConfigInfoRepresentation.setProperties(new LinkedList());
        Iterator it = ((List) Optional.ofNullable(configurableAuthenticatorFactory.getConfigProperties()).orElse(Collections.emptyList())).iterator();
        while (it.hasNext()) {
            authenticatorConfigInfoRepresentation.getProperties().add(getConfigPropertyRep((ProviderConfigProperty) it.next()));
        }
        return authenticatorConfigInfoRepresentation;
    }

    private ConfigPropertyRepresentation getConfigPropertyRep(ProviderConfigProperty providerConfigProperty) {
        return ModelToRepresentation.toRepresentation(providerConfigProperty);
    }

    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Get configuration descriptions for all clients")
    @Path("per-client-config-description")
    @GET
    public Map<String, List<ConfigPropertyRepresentation>> getPerClientConfigDescription() {
        this.auth.realm().requireViewClientAuthenticatorProviders();
        return (Map) this.session.getKeycloakSessionFactory().getProviderFactoriesStream(ClientAuthenticator.class).collect(Collectors.toMap((v0) -> {
            return v0.getId();
        }, providerFactory -> {
            return (List) CredentialHelper.getConfigurableAuthenticatorFactory(this.session, providerFactory.getId()).getConfigPropertiesPerClient().stream().map(this::getConfigPropertyRep).collect(Collectors.toList());
        }));
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Create new authenticator configuration", deprecated = true)
    @POST
    @Path("config")
    @Consumes({MediaType.APPLICATION_JSON})
    public Response createAuthenticatorConfig(@Parameter(description = "JSON describing new authenticator configuration") AuthenticatorConfigRepresentation authenticatorConfigRepresentation) {
        this.auth.realm().requireManageRealm();
        ReservedCharValidator.validate(authenticatorConfigRepresentation.getAlias());
        AuthenticatorConfigModel addAuthenticatorConfig = this.realm.addAuthenticatorConfig(RepresentationToModel.toModel(authenticatorConfigRepresentation));
        this.adminEvent.operation(OperationType.CREATE).resource(ResourceType.AUTHENTICATOR_CONFIG).resourcePath(this.session.getContext().getUri(), addAuthenticatorConfig.getId()).representation(authenticatorConfigRepresentation).success();
        return Response.created(this.session.getContext().getUri().getAbsolutePathBuilder().path(addAuthenticatorConfig.getId()).build(new Object[0])).build();
    }

    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Get authenticator configuration")
    @Path("config/{id}")
    @GET
    public AuthenticatorConfigRepresentation getAuthenticatorConfig(@Parameter(description = "Configuration id") @PathParam("id") String str) {
        this.auth.realm().requireViewRealm();
        AuthenticatorConfigModel authenticatorConfig = new DeployedConfigurationsManager(this.session).getAuthenticatorConfig(this.realm, str);
        if (authenticatorConfig == null) {
            throw new NotFoundException("Could not find authenticator config");
        }
        return ModelToRepresentation.toRepresentation(authenticatorConfig);
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Delete authenticator configuration")
    @Path("config/{id}")
    @DELETE
    public void removeAuthenticatorConfig(@Parameter(description = "Configuration id") @PathParam("id") String str) {
        this.auth.realm().requireManageRealm();
        AuthenticatorConfigModel authenticatorConfigById = this.realm.getAuthenticatorConfigById(str);
        if (authenticatorConfigById == null) {
            throw new NotFoundException("Could not find authenticator config");
        }
        this.realm.getAuthenticationFlowsStream().forEach(authenticationFlowModel -> {
            this.realm.getAuthenticationExecutionsStream(authenticationFlowModel.getId()).filter(authenticationExecutionModel -> {
                return Objects.equals(str, authenticationExecutionModel.getAuthenticatorConfig());
            }).forEachOrdered(authenticationExecutionModel2 -> {
                authenticationExecutionModel2.setAuthenticatorConfig((String) null);
                this.realm.updateAuthenticatorExecution(authenticationExecutionModel2);
            });
        });
        this.realm.removeAuthenticatorConfig(authenticatorConfigById);
        this.adminEvent.operation(OperationType.DELETE).resource(ResourceType.AUTHENTICATOR_CONFIG).resourcePath((UriInfo) this.session.getContext().getUri()).success();
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.AUTHENTICATION_MANAGEMENT)
    @Operation(summary = "Update authenticator configuration")
    @PUT
    @Path("config/{id}")
    @Consumes({MediaType.APPLICATION_JSON})
    public void updateAuthenticatorConfig(@Parameter(description = "Configuration id") @PathParam("id") String str, @Parameter(description = "JSON describing new state of authenticator configuration") AuthenticatorConfigRepresentation authenticatorConfigRepresentation) {
        this.auth.realm().requireManageRealm();
        ReservedCharValidator.validate(authenticatorConfigRepresentation.getAlias());
        if (new DeployedConfigurationsManager(this.session).getDeployedAuthenticatorConfig(str) != null) {
            throw new BadRequestException("Authenticator config is read-only");
        }
        AuthenticatorConfigModel authenticatorConfigById = this.realm.getAuthenticatorConfigById(str);
        if (authenticatorConfigById == null) {
            throw new NotFoundException("Could not find authenticator config");
        }
        authenticatorConfigById.setAlias(authenticatorConfigRepresentation.getAlias());
        authenticatorConfigById.setConfig(RepresentationToModel.removeEmptyString(authenticatorConfigRepresentation.getConfig()));
        this.realm.updateAuthenticatorConfig(authenticatorConfigById);
        this.adminEvent.operation(OperationType.UPDATE).resource(ResourceType.AUTHENTICATOR_CONFIG).resourcePath((UriInfo) this.session.getContext().getUri()).representation(authenticatorConfigRepresentation).success();
    }
}
