package org.keycloak.services.managers;

import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import org.keycloak.Config;
import org.keycloak.common.Profile;
import org.keycloak.common.enums.SslRequired;
import org.keycloak.common.util.Encode;
import org.keycloak.events.log.JBossLoggingEventListenerProviderFactory;
import org.keycloak.models.AbstractKeycloakTransaction;
import org.keycloak.models.AccountRoles;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.BrowserSecurityHeaders;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.ImpersonationConstants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelException;
import org.keycloak.models.OTPPolicy;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RealmProvider;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionProvider;
import org.keycloak.models.utils.DefaultAuthenticationFlows;
import org.keycloak.models.utils.DefaultClientScopes;
import org.keycloak.models.utils.DefaultKeyProviders;
import org.keycloak.models.utils.DefaultRequiredActions;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.protocol.ProtocolMapperUtils;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocolFactory;
import org.keycloak.protocol.oidc.mappers.AudienceResolveProtocolMapper;
import org.keycloak.protocol.oidc.utils.WebOriginsUtils;
import org.keycloak.representations.idm.ApplicationRepresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.OAuthClientRepresentation;
import org.keycloak.representations.idm.RealmEventsConfigRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.services.clientregistration.policy.DefaultClientRegistrationPolicies;
import org.keycloak.sessions.AuthenticationSessionProvider;
import org.keycloak.storage.StoreMigrateRepresentationEvent;
import org.keycloak.storage.StoreSyncEvent;
import org.keycloak.utils.ReservedCharValidator;
import org.keycloak.utils.StringUtil;

/* loaded from: input_file:org/keycloak/services/managers/RealmManager.class */
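/**
 * Creates, imports and removes realms, and provisions the built-in clients, roles and
 * defaults that every realm starts with.
 *
 * <p>Several security-relevant defaults are decided in this class: the realm-wide login
 * protection and TLS settings in {@link #setupRealmDefaults(RealmModel)}, and the flow,
 * scope and redirect settings of the built-in clients ({@code security-admin-console},
 * {@code admin-cli}, {@code account}, {@code account-console}, {@code broker} and
 * {@code realm-management}).
 *
 * <p>This listing comes from a decompiled class file, so parameter names such as
 * {@code str}, {@code str2} and {@code z} are the decompiler's; the Javadoc on each method
 * states what they carry.
 */
public class RealmManager {
    /** Session every model lookup, event and transaction hook in this class goes through. */
    protected KeycloakSession session;
    /** Realm store obtained from {@link KeycloakSession#realms()} at construction time. */
    protected RealmProvider model;

    /**
     * @param keycloakSession session to operate in; its realm provider is captured once here
     */
    public RealmManager(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
        this.model = keycloakSession.realms();
    }

    /** @return the session this manager was constructed with */
    public KeycloakSession getSession() {
        return this.session;
    }

    /**
     * Looks up the administration realm named by {@link Config#getAdminRealm()}.
     *
     * @return the administration realm, or whatever the store returns when it does not exist
     */
    public RealmModel getKeycloakAdminstrationRealm() {
        return getRealmByName(Config.getAdminRealm());
    }

    /**
     * @param realmModel realm to test
     * @return {@code true} when the realm's name equals {@link Config#getAdminRealm()}
     */
    public static boolean isAdministrationRealm(RealmModel realmModel) {
        return realmModel.getName().equals(Config.getAdminRealm());
    }

    /**
     * @param str internal realm id
     * @return the realm with that id, as returned by the realm store
     */
    public RealmModel getRealm(String str) {
        return this.model.getRealm(str);
    }

    /**
     * @param str realm name
     * @return the realm with that name, as returned by the realm store
     */
    public RealmModel getRealmByName(String str) {
        return this.model.getRealmByName(str);
    }

    /**
     * Creates a realm with a generated id.
     *
     * @param str realm name
     * @return the newly created realm
     */
    public RealmModel createRealm(String str) {
        return createRealm(null, str);
    }

    /**
     * Creates a realm and provisions all built-in clients, roles, flows and policies.
     *
     * <p>Both the id (when supplied) and the name pass through
     * {@link ReservedCharValidator#validate} before the realm store is touched, so a rejected
     * value never results in a created realm.
     *
     * @param str  internal realm id; {@code null} or blank means "generate one"
     * @param str2 realm name
     * @return the newly created realm
     */
    public RealmModel createRealm(String str, String str2) {
        String realmId = str;
        if (realmId == null || realmId.trim().isEmpty()) {
            realmId = KeycloakModelUtils.generateId();
        } else {
            ReservedCharValidator.validate(realmId);
        }
        ReservedCharValidator.validate(str2);

        RealmModel realm = this.model.createRealm(realmId, str2);
        realm.setName(str2);
        setupRealmDefaults(realm);
        KeycloakModelUtils.setupDefaultRole(realm, "default-roles-" + str2.toLowerCase());
        setupMasterAdminManagement(realm);
        setupRealmAdminManagement(realm);
        setupAccountManagement(realm);
        setupBrokerService(realm);
        setupAdminConsole(realm);
        // Must follow setupAdminConsole: the locale mapper is attached to that client.
        setupAdminConsoleLocaleMapper(realm);
        setupAdminCli(realm);
        setupImpersonationService(realm);
        setupAuthenticationFlows(realm);
        setupRequiredActions(realm);
        setupOfflineTokens(realm, null);
        createDefaultClientScopes(realm);
        setupAuthorizationServices(realm);
        setupClientRegistrations(realm);
        this.session.clientPolicy().setupClientPoliciesOnCreatedRealm(realm);
        fireRealmPostCreate(realm);
        return realm;
    }

    /**
     * Adds the default authentication flows, but only when the realm has none at all.
     *
     * @param realmModel realm to provision
     */
    protected void setupAuthenticationFlows(RealmModel realmModel) {
        boolean hasNoFlows = realmModel.getAuthenticationFlowsStream().count() == 0;
        if (hasNoFlows) {
            DefaultAuthenticationFlows.addFlows(realmModel);
        }
    }

    /**
     * Adds the default required actions, but only when the realm has none at all.
     *
     * @param realmModel realm to provision
     */
    protected void setupRequiredActions(RealmModel realmModel) {
        boolean hasNoRequiredActions = realmModel.getRequiredActionProvidersStream().count() == 0;
        if (hasNoRequiredActions) {
            DefaultRequiredActions.addActions(realmModel);
        }
    }

    /**
     * Ensures the {@code offline_access} role and client scope exist.
     *
     * @param realmModel          realm to provision
     * @param realmRepresentation representation being imported, or {@code null} on plain
     *                            creation; its {@code offline_access} realm role entry is
     *                            removed in place when present
     */
    private void setupOfflineTokens(RealmModel realmModel, RealmRepresentation realmRepresentation) {
        RoleModel offlineRole = KeycloakModelUtils.setupOfflineRole(realmModel);
        if (realmRepresentation != null && hasRealmRole(realmRepresentation, "offline_access")) {
            // The role was just set up above; the matching entry is dropped from the
            // representation (presumably so the later import does not add it a second time).
            List<?> realmRoles = realmRepresentation.getRoles().getRealm();
            for (Object entry : realmRoles) {
                if ("offline_access".equals(((RoleRepresentation) entry).getName())) {
                    // Removing mid-iteration is safe only because the loop ends right here.
                    realmRoles.remove(entry);
                    break;
                }
            }
        }
        boolean scopeSupplied = realmRepresentation != null && hasClientScope(realmRepresentation, "offline_access");
        if (!scopeSupplied) {
            DefaultClientScopes.createOfflineAccessClientScope(realmModel, offlineRole);
        }
    }

    /**
     * Creates the default client scopes for the realm.
     *
     * @param realmModel realm to provision
     */
    protected void createDefaultClientScopes(RealmModel realmModel) {
        DefaultClientScopes.createDefaultClientScopes(this.session, realmModel, true);
    }

    /**
     * Creates the {@code security-admin-console} client if missing and (re)applies its
     * settings.
     *
     * <p>The setters run whether or not the client already existed, so calling this on an
     * existing realm overwrites the corresponding values on that client. The client is
     * public, has full scope allowed, accepts any redirect below
     * {@code /admin/<realm>/console/} (wildcard suffix) and requires PKCE with S256.
     *
     * @param realmModel realm to provision
     */
    protected void setupAdminConsole(RealmModel realmModel) {
        ClientModel console = realmModel.getClientByClientId("security-admin-console");
        if (console == null) {
            console = KeycloakModelUtils.createPublicClient(realmModel, "security-admin-console");
        }
        console.setName("${client_security-admin-console}");
        console.setRootUrl("${authAdminUrl}");
        // The realm name is path-encoded before it becomes part of the base/redirect URL.
        String consolePath = "/admin/" + Encode.encodePathAsIs(realmModel.getName()) + "/console/";
        console.setBaseUrl(consolePath);
        console.addRedirectUri(consolePath + "*");
        // Post-logout redirects and web origins reuse the INCLUDE_REDIRECTS marker rather
        // than listing hosts of their own.
        console.setAttribute("post.logout.redirect.uris", WebOriginsUtils.INCLUDE_REDIRECTS);
        console.setWebOrigins(Collections.singleton(WebOriginsUtils.INCLUDE_REDIRECTS));
        console.setEnabled(true);
        console.setAlwaysDisplayInConsole(false);
        console.setFullScopeAllowed(true);
        console.setPublicClient(true);
        console.setProtocol("openid-connect");
        console.setAttribute("pkce.code.challenge.method", OIDCLoginProtocol.PKCE_METHOD_S256);
        console.setAttribute("client.use.lightweight.access.token.enabled", "true");
    }

    /**
     * Attaches the locale protocol mapper to {@code security-admin-console} unless the client
     * already has one or no locale mapper can be found.
     *
     * <p>The client must already exist: a missing client is dereferenced without a check.
     *
     * @param realmModel realm whose admin console client is updated
     */
    protected void setupAdminConsoleLocaleMapper(RealmModel realmModel) {
        ClientModel console = this.session.clients().getClientByClientId(realmModel, "security-admin-console");
        if (console.getProtocolMapperByName("openid-connect", OIDCLoginProtocolFactory.LOCALE) != null) {
            return;
        }
        ProtocolMapperModel localeMapper = ProtocolMapperUtils.findLocaleMapper(this.session);
        if (localeMapper != null) {
            console.addProtocolMapper(localeMapper);
        }
    }

    /**
     * Creates the {@code admin-cli} client when the realm does not have one; an existing
     * client is left untouched.
     *
     * <p>The client is public, has full scope allowed, has the standard (browser) flow
     * disabled and direct access grants enabled.
     * NOTE(review): with direct access grants on a public client, password handling happens
     * in the calling tool; realms that never use the CLI may want this client disabled.
     *
     * @param realmModel realm to provision
     */
    public void setupAdminCli(RealmModel realmModel) {
        if (realmModel.getClientByClientId("admin-cli") != null) {
            return;
        }
        ClientModel adminCli = KeycloakModelUtils.createPublicClient(realmModel, "admin-cli");
        adminCli.setName("${client_admin-cli}");
        adminCli.setEnabled(true);
        adminCli.setAlwaysDisplayInConsole(false);
        adminCli.setFullScopeAllowed(true);
        adminCli.setStandardFlowEnabled(false);
        adminCli.setDirectAccessGrantsEnabled(true);
        adminCli.setProtocol("openid-connect");
        adminCli.setAttribute("client.use.lightweight.access.token.enabled", "true");
    }

    /**
     * Makes the view roles of a management client imply the matching query roles:
     * {@code view-clients} gains {@code query-clients}, {@code view-users} gains
     * {@code query-users} and {@code query-groups}.
     *
     * <p>All five roles must already exist on the client; none of the lookups is null-checked.
     *
     * @param clientModel management client holding the admin roles
     */
    public void addQueryCompositeRoles(ClientModel clientModel) {
        RoleModel queryClients = clientModel.getRole(AdminRoles.QUERY_CLIENTS);
        RoleModel queryUsers = clientModel.getRole(AdminRoles.QUERY_USERS);
        RoleModel queryGroups = clientModel.getRole(AdminRoles.QUERY_GROUPS);

        clientModel.getRole(AdminRoles.VIEW_CLIENTS).addCompositeRole(queryClients);

        RoleModel viewUsers = clientModel.getRole(AdminRoles.VIEW_USERS);
        viewUsers.addCompositeRole(queryUsers);
        viewUsers.addCompositeRole(queryGroups);
    }

    /**
     * @param realmModel ignored
     * @return the fixed client id {@code realm-management}
     */
    public String getRealmAdminClientId(RealmModel realmModel) {
        return "realm-management";
    }

    /**
     * @param realmRepresentation ignored
     * @return the fixed client id {@code realm-management}
     */
    public String getRealmAdminClientId(RealmRepresentation realmRepresentation) {
        return "realm-management";
    }

    /**
     * Applies the out-of-the-box realm settings.
     *
     * <p>Worth reviewing after realm creation: brute-force detection is switched
     * <em>off</em> here, and the TLS requirement is {@link SslRequired#EXTERNAL} rather than
     * the strictest level. The lockout thresholds are stored regardless
     * (NOTE(review): presumably they only take effect once detection is enabled).
     *
     * @param realmModel realm to initialise
     */
    protected void setupRealmDefaults(RealmModel realmModel) {
        realmModel.setBrowserSecurityHeaders(BrowserSecurityHeaders.realmDefaultHeaders);

        // Brute-force detection: disabled by default, thresholds pre-populated.
        realmModel.setBruteForceProtected(false);
        realmModel.setPermanentLockout(false);
        realmModel.setMaxTemporaryLockouts(0);
        realmModel.setBruteForceStrategy(RealmRepresentation.BruteForceStrategy.MULTIPLE);
        realmModel.setMaxFailureWaitSeconds(900);
        realmModel.setMinimumQuickLoginWaitSeconds(60);
        realmModel.setWaitIncrementSeconds(60);
        realmModel.setQuickLoginCheckMilliSeconds(1000L);
        realmModel.setMaxDeltaTimeSeconds(43200);
        realmModel.setFailureFactor(30);

        realmModel.setSslRequired(SslRequired.EXTERNAL);
        realmModel.setOTPPolicy(OTPPolicy.DEFAULT_POLICY);
        realmModel.setLoginWithEmailAllowed(true);
        // Only the JBoss logging listener is registered for events by default.
        realmModel.setEventsListeners(Collections.singleton(JBossLoggingEventListenerProviderFactory.ID));
    }

    /**
     * Removes a realm and, when the store confirms removal, cleans up what hangs off it: the
     * realm's management client in the administration realm, user sessions and
     * authentication sessions. A {@link StoreSyncEvent} is fired afterwards.
     *
     * @param realmModel realm to remove
     * @return {@code true} when the realm store reported the realm as removed
     */
    public boolean removeRealm(RealmModel realmModel) {
        // Read before removal; the client lives in the administration realm, not in this one.
        ClientModel masterAdminClient = realmModel.getMasterAdminClient();
        boolean removed = this.model.removeRealm(realmModel.getId());
        if (!removed) {
            return false;
        }
        if (masterAdminClient != null) {
            this.session.clients().removeClient(getKeycloakAdminstrationRealm(), masterAdminClient.getId());
        }
        UserSessionProvider userSessions = this.session.sessions();
        if (userSessions != null) {
            userSessions.onRealmRemoved(realmModel);
        }
        AuthenticationSessionProvider authSessions = this.session.authenticationSessions();
        if (authSessions != null) {
            authSessions.onRealmRemoved(realmModel);
        }
        StoreSyncEvent.fire(this.session, realmModel, true);
        return true;
    }

    /**
     * Copies event settings from a representation onto the realm.
     *
     * <p>{@code eventsEnabled} and the expiration are always written (a missing expiration
     * becomes {@code 0}); listeners, enabled event types and the two admin-event flags are
     * written only when the representation supplies them. Note that this means a request can
     * replace the listener set and switch admin event recording off, so callers are expected
     * to have authorised it.
     *
     * @param realmEventsConfigRepresentation new event configuration
     * @param realmModel                      realm to update
     */
    public void updateRealmEventsConfig(RealmEventsConfigRepresentation realmEventsConfigRepresentation, RealmModel realmModel) {
        realmModel.setEventsEnabled(realmEventsConfigRepresentation.isEventsEnabled());
        realmModel.setEventsExpiration(realmEventsConfigRepresentation.getEventsExpiration() != null
                ? realmEventsConfigRepresentation.getEventsExpiration().longValue()
                : 0L);
        if (realmEventsConfigRepresentation.getEventsListeners() != null) {
            realmModel.setEventsListeners(new HashSet<>(realmEventsConfigRepresentation.getEventsListeners()));
        }
        if (realmEventsConfigRepresentation.getEnabledEventTypes() != null) {
            realmModel.setEnabledEventTypes(new HashSet<>(realmEventsConfigRepresentation.getEnabledEventTypes()));
        }
        if (realmEventsConfigRepresentation.isAdminEventsEnabled() != null) {
            realmModel.setAdminEventsEnabled(realmEventsConfigRepresentation.isAdminEventsEnabled().booleanValue());
        }
        if (realmEventsConfigRepresentation.isAdminEventsDetailsEnabled() != null) {
            realmModel.setAdminEventsDetailsEnabled(realmEventsConfigRepresentation.isAdminEventsDetailsEnabled().booleanValue());
        }
    }

    /**
     * Links the realm to its management client in the administration realm, creating that
     * client (and its roles) when it does not exist yet.
     *
     * @param realmModel realm to link
     */
    public void setupMasterAdminManagement(RealmModel realmModel) {
        String managementClientId = KeycloakModelUtils.getMasterRealmAdminApplicationClientId(realmModel.getName());
        ClientModel existing = this.model.getRealmByName(Config.getAdminRealm()).getClientByClientId(managementClientId);
        if (existing != null) {
            realmModel.setMasterAdminClient(existing);
        } else {
            createMasterAdminManagement(realmModel);
        }
    }

    /**
     * Creates the realm's management client inside the administration realm and makes every
     * role in {@link AdminRoles#ALL_REALM_ROLES} a composite of the administration realm's
     * {@code admin} role, so holders of that role can administer the new realm.
     *
     * <p>When {@code realmModel} is the administration realm itself, the {@code admin} and
     * {@code create-realm} roles are created first; otherwise the existing {@code admin} role
     * is looked up and used without a null check.
     *
     * @param realmModel realm the management client is created for
     */
    private void createMasterAdminManagement(RealmModel realmModel) {
        RealmModel adminRealm;
        RoleModel adminRole;
        if (realmModel.getName().equals(Config.getAdminRealm())) {
            adminRealm = realmModel;
            adminRole = realmModel.addRole(AdminRoles.ADMIN);
            RoleModel createRealmRole = realmModel.addRole(AdminRoles.CREATE_REALM);
            adminRole.addCompositeRole(createRealmRole);
            createRealmRole.setDescription("${role_" + AdminRoles.CREATE_REALM + "}");
        } else {
            adminRealm = this.model.getRealmByName(Config.getAdminRealm());
            adminRole = adminRealm.getRole(AdminRoles.ADMIN);
        }
        adminRole.setDescription("${role_" + AdminRoles.ADMIN + "}");

        String managementClientId = KeycloakModelUtils.getMasterRealmAdminApplicationClientId(realmModel.getName());
        ClientModel managementClient = KeycloakModelUtils.createManagementClient(adminRealm, managementClientId);
        managementClient.setName(realmModel.getName() + " Realm");
        realmModel.setMasterAdminClient(managementClient);

        for (String roleName : AdminRoles.ALL_REALM_ROLES) {
            RoleModel realmRole = managementClient.addRole(roleName);
            realmRole.setDescription("${role_" + roleName + "}");
            adminRole.addCompositeRole(realmRole);
        }
        addQueryCompositeRoles(managementClient);
    }

    /**
     * Adds any role from {@link AdminRoles#ALL_REALM_ROLES} that the realm's management
     * client in the administration realm is missing, and re-applies the query composites.
     *
     * <p>Used after import, where the client may have come from the representation with an
     * incomplete role set. The realm's master admin client must be set.
     *
     * @param realmModel imported realm
     */
    private void checkMasterAdminManagementRoles(RealmModel realmModel) {
        RoleModel adminRole = this.model.getRealmByName(Config.getAdminRealm()).getRole(AdminRoles.ADMIN);
        ClientModel masterAdminClient = realmModel.getMasterAdminClient();
        for (String roleName : AdminRoles.ALL_REALM_ROLES) {
            boolean missing = masterAdminClient.getRole(roleName) == null;
            if (missing) {
                addAndSetAdminRole(roleName, masterAdminClient, adminRole);
            }
        }
        addQueryCompositeRoles(masterAdminClient);
    }

    /**
     * Creates (if needed) and configures the realm-local {@code realm-management} client with
     * a {@code realm-admin} role that is composed of every role in
     * {@link AdminRoles#ALL_REALM_ROLES}. Does nothing for the administration realm.
     *
     * <p>The client is bearer-only and has full scope disabled.
     *
     * @param realmModel realm to provision
     */
    private void setupRealmAdminManagement(RealmModel realmModel) {
        if (realmModel.getName().equals(Config.getAdminRealm())) {
            return;
        }
        String managementClientId = getRealmAdminClientId(realmModel);
        ClientModel managementClient = realmModel.getClientByClientId(managementClientId);
        if (managementClient == null) {
            managementClient = KeycloakModelUtils.createManagementClient(realmModel, managementClientId);
            managementClient.setName("${client_" + managementClientId + "}");
        }
        RoleModel realmAdmin = managementClient.addRole(AdminRoles.REALM_ADMIN);
        realmAdmin.setDescription("${role_" + AdminRoles.REALM_ADMIN + "}");
        managementClient.setBearerOnly(true);
        managementClient.setFullScopeAllowed(false);
        managementClient.setProtocol("openid-connect");
        for (String roleName : AdminRoles.ALL_REALM_ROLES) {
            addAndSetAdminRole(roleName, managementClient, realmAdmin);
        }
        addQueryCompositeRoles(managementClient);
    }

    /**
     * Adds a role to a client, gives it the conventional {@code ${role_<name>}} description
     * and makes it a composite of {@code roleModel}.
     *
     * @param str         name of the role to add
     * @param clientModel client that receives the role
     * @param roleModel   parent role that will include the new role
     */
    private void addAndSetAdminRole(String str, ClientModel clientModel, RoleModel roleModel) {
        RoleModel added = clientModel.addRole(str);
        added.setDescription("${role_" + str + "}");
        roleModel.addCompositeRole(added);
    }

    /**
     * Post-import repair for the realm-local {@code realm-management} client: makes sure
     * {@code realm-admin} exists and that every role in {@link AdminRoles#ALL_REALM_ROLES}
     * is present and composed into it. Does nothing for the administration realm.
     *
     * <p>The {@code realm-management} client itself must exist; it is not null-checked.
     *
     * @param realmModel imported realm
     */
    private void checkRealmAdminManagementRoles(RealmModel realmModel) {
        if (realmModel.getName().equals(Config.getAdminRealm())) {
            return;
        }
        ClientModel managementClient = realmModel.getClientByClientId(getRealmAdminClientId(realmModel));
        RoleModel realmAdmin = managementClient.getRole(AdminRoles.REALM_ADMIN);
        if (realmAdmin == null) {
            realmAdmin = managementClient.addRole(AdminRoles.REALM_ADMIN);
            realmAdmin.setDescription("${role_" + AdminRoles.REALM_ADMIN + "}");
        }
        for (String roleName : AdminRoles.ALL_REALM_ROLES) {
            boolean missing = managementClient.getRole(roleName) == null;
            if (missing) {
                addAndSetAdminRole(roleName, managementClient, realmAdmin);
            }
        }
        addQueryCompositeRoles(managementClient);
    }

    /**
     * Creates the {@code account} client with its roles and, nested inside that same step,
     * the {@code account-console} client.
     *
     * <p>Nothing happens when {@code account} already exists; in particular
     * {@code account-console} is then not created either. Both clients are public with full
     * scope disabled and a wildcard redirect below {@code /realms/<realm>/account/};
     * {@code account-console} additionally has direct access grants disabled and requires
     * PKCE with S256.
     *
     * @param realmModel realm to provision
     */
    private void setupAccountManagement(RealmModel realmModel) {
        if (realmModel.getClientByClientId("account") != null) {
            return;
        }
        ClientModel account = KeycloakModelUtils.createPublicClient(realmModel, "account");
        account.setName("${client_account}");
        account.setEnabled(true);
        account.setAlwaysDisplayInConsole(false);
        account.setFullScopeAllowed(false);
        account.setRootUrl("${authBaseUrl}");
        // The realm name is path-encoded before it becomes part of the base/redirect URL.
        String accountPath = "/realms/" + Encode.encodePathAsIs(realmModel.getName()) + "/account/";
        account.setBaseUrl(accountPath);
        account.addRedirectUri(accountPath + "*");
        account.setAttribute("post.logout.redirect.uris", WebOriginsUtils.INCLUDE_REDIRECTS);
        account.setProtocol("openid-connect");

        // Every role in AccountRoles.DEFAULT is also granted to all users via the default roles.
        for (String roleName : AccountRoles.DEFAULT) {
            RoleModel defaultAccountRole = account.addRole(roleName);
            defaultAccountRole.setDescription("${role_" + roleName + "}");
            realmModel.addToDefaultRoles(defaultAccountRole);
        }

        RoleModel manageAccountLinks = account.addRole("manage-account-links");
        manageAccountLinks.setDescription("${role_manage-account-links}");
        account.getRole("manage-account").addCompositeRole(manageAccountLinks);

        account.addRole("view-applications").setDescription("${role_view-applications}");

        RoleModel viewConsent = account.addRole("view-consent");
        viewConsent.setDescription("${role_view-consent}");
        RoleModel manageConsent = account.addRole("manage-consent");
        manageConsent.setDescription("${role_manage-consent}");
        manageConsent.addCompositeRole(viewConsent);

        account.addRole("view-groups").setDescription("${role_view-groups}");
        KeycloakModelUtils.setupDeleteAccount(account);

        if (realmModel.getClientByClientId("account-console") != null) {
            return;
        }
        ClientModel accountConsole = KeycloakModelUtils.createPublicClient(realmModel, "account-console");
        accountConsole.setName("${client_account-console}");
        accountConsole.setEnabled(true);
        accountConsole.setAlwaysDisplayInConsole(false);
        accountConsole.setFullScopeAllowed(false);
        accountConsole.setDirectAccessGrantsEnabled(false);
        accountConsole.setRootUrl("${authBaseUrl}");
        accountConsole.setBaseUrl(accountPath);
        accountConsole.addRedirectUri(accountPath + "*");
        accountConsole.setAttribute("post.logout.redirect.uris", WebOriginsUtils.INCLUDE_REDIRECTS);
        accountConsole.setProtocol("openid-connect");
        // With full scope off, only these two account roles are mapped into the console's scope.
        accountConsole.addScopeMapping(account.getRole("manage-account"));
        accountConsole.addScopeMapping(account.getRole("view-groups"));

        ProtocolMapperModel audienceResolve = new ProtocolMapperModel();
        audienceResolve.setName(OIDCLoginProtocolFactory.AUDIENCE_RESOLVE);
        audienceResolve.setProtocol("openid-connect");
        audienceResolve.setProtocolMapper(AudienceResolveProtocolMapper.PROVIDER_ID);
        accountConsole.addProtocolMapper(audienceResolve);

        accountConsole.setAttribute("pkce.code.challenge.method", OIDCLoginProtocol.PKCE_METHOD_S256);
    }

    /**
     * Delegates to {@link ImpersonationConstants#setupImpersonationService}.
     *
     * @param realmModel realm to provision
     */
    public void setupImpersonationService(RealmModel realmModel) {
        ImpersonationConstants.setupImpersonationService(this.session, realmModel);
    }

    /**
     * Creates the {@code broker} management client with the roles listed in
     * {@link Constants#BROKER_SERVICE_ROLES} when the realm does not have one; an existing
     * client is left untouched. Full scope is disabled on the new client.
     *
     * @param realmModel realm to provision
     */
    public void setupBrokerService(RealmModel realmModel) {
        if (realmModel.getClientByClientId("broker") != null) {
            return;
        }
        ClientModel broker = KeycloakModelUtils.createManagementClient(realmModel, "broker");
        broker.setEnabled(true);
        broker.setAlwaysDisplayInConsole(false);
        broker.setName("${client_broker}");
        broker.setFullScopeAllowed(false);
        broker.setProtocol("openid-connect");
        for (String roleName : Constants.BROKER_SERVICE_ROLES) {
            // Description key uses the lower-cased, dash-separated form of the role name.
            String descriptionKey = roleName.toLowerCase().replace("_", "-");
            broker.addRole(roleName).setDescription("${role_" + descriptionKey + "}");
        }
    }

    /**
     * Imports a realm from a representation, including user-dependent data.
     *
     * @param realmRepresentation realm to import
     * @return the imported realm
     */
    public RealmModel importRealm(RealmRepresentation realmRepresentation) {
        return importRealm(realmRepresentation, false);
    }

    /**
     * Imports a realm from a representation, filling in every built-in client, role, flow
     * and scope that the representation does not bring itself.
     *
     * <p>The representation is externally supplied data. Its id, realm name and supported
     * locales are validated for reserved characters <em>before</em> the realm is created in
     * the store, matching {@link #createRealm(String, String)}, so a rejected value leaves
     * nothing behind even if the caller's transaction handling does not roll back.
     *
     * <p>While the import runs, the session context's realm is switched to the new realm; the
     * previous context realm is restored on every exit path.
     *
     * @param realmRepresentation realm to import; its role list may be modified in place
     * @param z                   forwarded to {@code RepresentationToModel.importRealm} and
     *                            the migration event; when {@code true}, service-account and
     *                            authorization setup for imported clients is skipped
     *                            (NOTE(review): presumably a "skip user-dependent data" flag)
     * @return the imported realm
     * @throws ModelException when the realm name is blank
     */
    public RealmModel importRealm(RealmRepresentation realmRepresentation, boolean z) {
        String realmId = realmRepresentation.getId();
        if (realmId == null || realmId.trim().isEmpty()) {
            realmId = KeycloakModelUtils.generateId();
        } else {
            ReservedCharValidator.validate(realmId);
        }
        if (StringUtil.isBlank(realmRepresentation.getRealm())) {
            throw new ModelException("Realm name cannot be empty");
        }
        // Validate untrusted names before any write, not after the realm already exists.
        ReservedCharValidator.validate(realmRepresentation.getRealm());
        ReservedCharValidator.validateLocales(realmRepresentation.getSupportedLocales());

        final RealmModel realm = this.model.createRealm(realmId, realmRepresentation.getRealm());
        final RealmModel previousContextRealm = this.session.getContext().getRealm();
        try {
            this.session.getContext().setRealm(realm);
            realm.setName(realmRepresentation.getRealm());
            setupRealmDefaults(realm);
            if (realmRepresentation.getDefaultRole() == null) {
                KeycloakModelUtils.setupDefaultRole(realm, determineDefaultRoleName(realmRepresentation));
            } else {
                realm.setDefaultRole(RepresentationToModel.createRole(realm, realmRepresentation.getDefaultRole()));
            }

            // Steps that depend on a client the representation supplies itself are postponed
            // until after RepresentationToModel.importRealm has created that client.
            boolean postponeMasterClientSetup = postponeMasterClientSetup(realmRepresentation);
            if (!postponeMasterClientSetup) {
                setupMasterAdminManagement(realm);
            }
            boolean repHasRealmAdminClient = hasRealmAdminManagementClient(realmRepresentation);
            if (!repHasRealmAdminClient) {
                setupRealmAdminManagement(realm);
            }
            if (!hasAccountManagementClient(realmRepresentation)) {
                setupAccountManagement(realm);
            }
            boolean postponeImpersonationSetup = repHasRealmAdminClient;
            if (!postponeImpersonationSetup) {
                setupImpersonationService(realm);
            }
            if (!hasBrokerClient(realmRepresentation)) {
                setupBrokerService(realm);
            }
            if (!hasAdminConsoleClient(realmRepresentation)) {
                setupAdminConsole(realm);
            }
            boolean postponeAdminCliSetup = false;
            if (!hasAdminCliClient(realmRepresentation)) {
                postponeAdminCliSetup = repHasRealmAdminClient;
                if (!postponeAdminCliSetup) {
                    setupAdminCli(realm);
                }
            }
            if (!hasRealmRole(realmRepresentation, "offline_access") || !hasClientScope(realmRepresentation, "offline_access")) {
                setupOfflineTokens(realm, realmRepresentation);
            }
            if (realmRepresentation.getClientScopes() == null) {
                createDefaultClientScopes(realm);
            }

            RepresentationToModel.importRealm(this.session, realmRepresentation, realm, z);
            setupClientServiceAccountsAndAuthorizationOnImport(realmRepresentation, z);
            setupAdminConsoleLocaleMapper(realm);

            if (postponeMasterClientSetup) {
                setupMasterAdminManagement(realm);
            }
            // An imported role set or management client may be incomplete; top up the admin
            // roles so the built-in admin composites still cover the whole realm.
            if (realmRepresentation.getRoles() != null || hasRealmAdminManagementClient(realmRepresentation)) {
                checkMasterAdminManagementRoles(realm);
                checkRealmAdminManagementRoles(realm);
            }
            if (postponeImpersonationSetup) {
                setupImpersonationService(realm);
            }
            if (postponeAdminCliSetup) {
                setupAdminCli(realm);
            }
            setupAuthenticationFlows(realm);
            setupRequiredActions(realm);
            if (!hasRealmRole(realmRepresentation, "delete-account")) {
                KeycloakModelUtils.setupDeleteAccount(realm.getClientByClientId("account"));
            }

            // Fire the store sync only once the surrounding transaction has committed.
            this.session.getTransactionManager().enlistAfterCompletion(new AbstractKeycloakTransaction() {
                protected void commitImpl() {
                    StoreSyncEvent.fire(RealmManager.this.session, realm, false);
                }

                protected void rollbackImpl() {
                    // Nothing to undo: the event is only fired on commit.
                }
            });

            setupAuthorizationServices(realm);
            setupClientRegistrations(realm);
            if (realmRepresentation.getKeycloakVersion() != null) {
                StoreMigrateRepresentationEvent.fire(this.session, realm, realmRepresentation, z);
            }
            this.session.clientPolicy().updateRealmModelFromRepresentation(realm, realmRepresentation);
            fireRealmPostCreate(realm);
            return realm;
        } finally {
            this.session.getContext().setRealm(previousContextRealm);
        }
    }

    /**
     * Picks a name for the realm's default role that does not collide with a realm role in
     * the representation: {@code default-roles-<realm>} first, then the same name with
     * {@code -1}, {@code -2}, ... appended.
     *
     * @param realmRepresentation realm being imported
     * @return the first free name, or {@code null} if every candidate is taken
     */
    private String determineDefaultRoleName(RealmRepresentation realmRepresentation) {
        String baseName = "default-roles-" + realmRepresentation.getRealm().toLowerCase();
        if (!hasRealmRole(realmRepresentation, baseName)) {
            return baseName;
        }
        for (int suffix = 1; suffix < Integer.MAX_VALUE; suffix++) {
            String candidate = baseName + "-" + suffix;
            if (!hasRealmRole(realmRepresentation, candidate)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * @param realmRepresentation realm being imported
     * @return {@code true} when the administration realm itself is being imported and the
     *         representation already contains its management client
     */
    private boolean postponeMasterClientSetup(RealmRepresentation realmRepresentation) {
        boolean importingAdminRealm = Config.getAdminRealm().equals(realmRepresentation.getRealm());
        return importingAdminRealm && hasRealmAdminManagementClient(realmRepresentation);
    }

    /**
     * @param realmRepresentation realm being imported
     * @return whether the representation contains the realm's management client: the
     *         {@code <realm>}-specific client id for the administration realm,
     *         {@code realm-management} for every other realm
     */
    private boolean hasRealmAdminManagementClient(RealmRepresentation realmRepresentation) {
        String managementClientId;
        if (Config.getAdminRealm().equals(realmRepresentation.getRealm())) {
            managementClientId = KeycloakModelUtils.getMasterRealmAdminApplicationClientId(realmRepresentation.getRealm());
        } else {
            managementClientId = getRealmAdminClientId(realmRepresentation);
        }
        return hasClient(realmRepresentation, managementClientId);
    }

    /** @return whether the representation contains a client named {@code account} */
    private boolean hasAccountManagementClient(RealmRepresentation realmRepresentation) {
        return hasClient(realmRepresentation, "account");
    }

    /** @return whether the representation contains a client named {@code broker} */
    private boolean hasBrokerClient(RealmRepresentation realmRepresentation) {
        return hasClient(realmRepresentation, "broker");
    }

    /** @return whether the representation contains a client named {@code security-admin-console} */
    private boolean hasAdminConsoleClient(RealmRepresentation realmRepresentation) {
        return hasClient(realmRepresentation, "security-admin-console");
    }

    /** @return whether the representation contains a client named {@code admin-cli} */
    private boolean hasAdminCliClient(RealmRepresentation realmRepresentation) {
        return hasClient(realmRepresentation, "admin-cli");
    }

    /**
     * Checks the representation's clients, applications and OAuth clients for an entry with
     * the given client id / name.
     *
     * <p>Entries without an id or name are skipped in all three lists. The representation
     * is imported data, so a nameless entry must not abort the import with a
     * {@link NullPointerException} here.
     *
     * @param realmRepresentation realm being imported
     * @param str                 client id to look for
     * @return {@code true} when any of the three lists contains a matching entry
     */
    private boolean hasClient(RealmRepresentation realmRepresentation, String str) {
        if (realmRepresentation.getClients() != null) {
            for (ClientRepresentation client : realmRepresentation.getClients()) {
                String clientId = client.getClientId();
                if (clientId != null && clientId.equals(str)) {
                    return true;
                }
            }
        }
        if (realmRepresentation.getApplications() != null) {
            for (Object entry : realmRepresentation.getApplications()) {
                String applicationName = ((ApplicationRepresentation) entry).getName();
                if (applicationName != null && applicationName.equals(str)) {
                    return true;
                }
            }
        }
        if (realmRepresentation.getOauthClients() != null) {
            for (Object entry : realmRepresentation.getOauthClients()) {
                String oauthClientName = ((OAuthClientRepresentation) entry).getName();
                if (oauthClientName != null && oauthClientName.equals(str)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * @param realmRepresentation realm being imported
     * @param str                 role name to look for
     * @return {@code true} when the representation lists a realm role with that name
     */
    private boolean hasRealmRole(RealmRepresentation realmRepresentation, String str) {
        if (realmRepresentation.getRoles() == null || realmRepresentation.getRoles().getRealm() == null) {
            return false;
        }
        for (Object entry : realmRepresentation.getRoles().getRealm()) {
            if (str.equals(((RoleRepresentation) entry).getName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * @param realmRepresentation realm being imported
     * @param str                 client scope name to look for
     * @return {@code true} when the representation lists a client scope with that name
     */
    private boolean hasClientScope(RealmRepresentation realmRepresentation, String str) {
        if (realmRepresentation.getClientScopes() == null) {
            return false;
        }
        for (Object entry : realmRepresentation.getClientScopes()) {
            if (str.equals(((ClientScopeRepresentation) entry).getName())) {
                return true;
            }
        }
        return false;
    }

    /** Delegates to {@link KeycloakModelUtils#setupAuthorizationServices}. */
    private void setupAuthorizationServices(RealmModel realmModel) {
        KeycloakModelUtils.setupAuthorizationServices(realmModel);
    }

    /** Installs the default client registration policies on the realm. */
    private void setupClientRegistrations(RealmModel realmModel) {
        DefaultClientRegistrationPolicies.addDefaultPolicies(realmModel);
    }

    /**
     * Publishes a {@code RealmPostCreateEvent} carrying the realm and this manager's session.
     *
     * @param realmModel realm that was just created or imported
     */
    private void fireRealmPostCreate(final RealmModel realmModel) {
        RealmModel.RealmPostCreateEvent event = new RealmModel.RealmPostCreateEvent() {
            public RealmModel getCreatedRealm() {
                return realmModel;
            }

            public KeycloakSession getKeycloakSession() {
                return RealmManager.this.session;
            }
        };
        this.session.getKeycloakSessionFactory().publish(event);
    }

    /**
     * For every client in the representation, enables its service account when the client
     * asks for one and none exists, and imports its authorization settings when the
     * authorization feature is on and the client representation enables it.
     *
     * @param realmRepresentation imported realm; nothing is done when it has no client list
     * @param z                   when {@code true} the whole step is skipped
     * @throws RuntimeException when a client from the representation cannot be found in the
     *                          realm by id or by client id
     */
    public void setupClientServiceAccountsAndAuthorizationOnImport(RealmRepresentation realmRepresentation, boolean z) {
        List<ClientRepresentation> clients = realmRepresentation.getClients();
        if (clients == null || z) {
            return;
        }
        ClientManager clientManager = new ClientManager(this);
        // Same realm for every client, so look it up once.
        final RealmModel realm = getRealmByName(realmRepresentation.getRealm());
        for (ClientRepresentation clientRepresentation : clients) {
            // Prefer the internal id; fall back to the client id when the id is absent or
            // does not resolve.
            ClientModel client = Optional.ofNullable(clientRepresentation.getId())
                    .map(realm::getClientById)
                    .orElseGet(() -> realm.getClientByClientId(clientRepresentation.getClientId()));
            if (client == null) {
                throw new RuntimeException("Cannot find provided client by dir import.");
            }

            UserModel serviceAccount = null;
            if (client.isServiceAccountsEnabled()) {
                serviceAccount = getSession().users().getServiceAccount(client);
                if (serviceAccount == null) {
                    clientManager.enableServiceAccount(client);
                }
            }

            boolean authorizationRequested = Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION)
                    && Boolean.TRUE.equals(clientRepresentation.getAuthorizationServicesEnabled());
            if (authorizationRequested) {
                // Third argument is true only when no service account was found above.
                RepresentationToModel.createResourceServer(client, this.session, serviceAccount == null);
                RepresentationToModel.importAuthorizationSettings(clientRepresentation, client, this.session);
            }
        }
    }

    /**
     * Provisions an already-created realm model with the same defaults as
     * {@link #createRealm(String, String)}, except that the management client in the
     * administration realm, the impersonation service and the post-create event are left
     * out, and the default key providers are created at the end.
     *
     * @param realmModel realm to provision
     */
    public void setDefaultsForNewRealm(RealmModel realmModel) {
        setupRealmDefaults(realmModel);
        KeycloakModelUtils.setupDefaultRole(realmModel, "default-roles-" + realmModel.getName().toLowerCase());
        setupRealmAdminManagement(realmModel);
        setupAccountManagement(realmModel);
        setupBrokerService(realmModel);
        setupAdminConsole(realmModel);
        // Must follow setupAdminConsole: the locale mapper is attached to that client.
        setupAdminConsoleLocaleMapper(realmModel);
        setupAdminCli(realmModel);
        setupAuthenticationFlows(realmModel);
        setupRequiredActions(realmModel);
        setupOfflineTokens(realmModel, null);
        createDefaultClientScopes(realmModel);
        setupAuthorizationServices(realmModel);
        setupClientRegistrations(realmModel);
        this.session.clientPolicy().setupClientPoliciesOnCreatedRealm(realmModel);
        DefaultKeyProviders.createProviders(realmModel);
    }
}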
