package org.keycloak.admin.ui.rest;

import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import java.util.Comparator;
import java.util.HashSet;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.eclipse.microprofile.openapi.annotations.Operation;
import org.eclipse.microprofile.openapi.annotations.enums.SchemaType;
import org.eclipse.microprofile.openapi.annotations.media.Content;
import org.eclipse.microprofile.openapi.annotations.media.Schema;
import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
import org.keycloak.admin.ui.rest.model.ClientRole;
import org.keycloak.admin.ui.rest.model.RoleMapper;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;

/* loaded from: input_file:org/keycloak/admin/ui/rest/EffectiveRoleMappingResource.class */
public class EffectiveRoleMappingResource extends RoleMappingResource {
    public EffectiveRoleMappingResource(KeycloakSession keycloakSession, RealmModel realmModel, AdminPermissionEvaluator adminPermissionEvaluator) {
        super(keycloakSession, realmModel, adminPermissionEvaluator);
    }

    @Produces({"application/json"})
    @Operation(summary = "List all effective roles for this client scope", description = "This endpoint returns all the client role mapping for a specific client scope")
    @APIResponse(responseCode = "200", description = "", content = {@Content(schema = @Schema(implementation = ClientRole.class, type = SchemaType.ARRAY))})
    @GET
    @Path("/clientScopes/{id}")
    @Consumes({"application/json"})
    public final List<ClientRole> listCompositeClientScopeRoleMappings(@PathParam("id") String str) {
        ClientScopeModel clientScopeById = this.realm.getClientScopeById(str);
        if (clientScopeById == null) {
            throw new NotFoundException("Could not find client scope");
        }
        this.auth.clients().requireView(clientScopeById);
        return toSortedClientRoles(addSubClientRoles(clientScopeById.getScopeMappingsStream()));
    }

    @Produces({"application/json"})
    @Operation(summary = "List all effective roles for this client", description = "This endpoint returns all the client role mapping for a specific client")
    @APIResponse(responseCode = "200", description = "", content = {@Content(schema = @Schema(implementation = ClientRole.class, type = SchemaType.ARRAY))})
    @GET
    @Path("/clients/{id}")
    @Consumes({"application/json"})
    public final List<ClientRole> listCompositeClientsRoleMappings(@PathParam("id") String str) {
        ClientModel clientById = this.realm.getClientById(str);
        if (clientById == null) {
            throw new NotFoundException("Could not find client");
        }
        this.auth.clients().requireView(clientById);
        return toSortedClientRoles(addSubClientRoles(clientById.getScopeMappingsStream()));
    }

    @Produces({"application/json"})
    @Operation(summary = "List all effective roles for this group", description = "This endpoint returns all the client role mapping for a specific group")
    @APIResponse(responseCode = "200", description = "", content = {@Content(schema = @Schema(implementation = ClientRole.class, type = SchemaType.ARRAY))})
    @GET
    @Path("/groups/{id}")
    @Consumes({"application/json"})
    public final List<ClientRole> listCompositeGroupsRoleMappings(@PathParam("id") String str) {
        GroupModel groupById = this.realm.getGroupById(str);
        if (groupById == null) {
            throw new NotFoundException("Could not find group");
        }
        this.auth.groups().requireView(groupById);
        return toSortedClientRoles(addSubClientRoles(addParents(groupById).flatMap((v0) -> {
            return v0.getRoleMappingsStream();
        })));
    }

    @Produces({"application/json"})
    @Operation(summary = "List all effective roles for this users", description = "This endpoint returns all the client role mapping for a specific users")
    @APIResponse(responseCode = "200", description = "", content = {@Content(schema = @Schema(implementation = ClientRole.class, type = SchemaType.ARRAY))})
    @GET
    @Path("/users/{id}")
    @Consumes({"application/json"})
    public final List<ClientRole> listCompositeUsersRoleMappings(@PathParam("id") String str) {
        UserModel userById = this.session.users().getUserById(this.realm, str);
        if (userById != null) {
            this.auth.users().requireView(userById);
            return toSortedClientRoles(addSubClientRoles(Stream.concat(userById.getRoleMappingsStream(), userById.getGroupsStream().flatMap(groupModel -> {
                return addParents(groupModel);
            }).flatMap((v0) -> {
                return v0.getRoleMappingsStream();
            }))));
        }
        if (this.auth.users().canQuery()) {
            throw new NotFoundException("User not found");
        }
        throw new ForbiddenException();
    }

    @Produces({"application/json"})
    @Operation(summary = "List all effective roles for this realm role", description = "This endpoint returns all the client role mapping for a specific realm role")
    @APIResponse(responseCode = "200", description = "", content = {@Content(schema = @Schema(implementation = ClientRole.class, type = SchemaType.ARRAY))})
    @GET
    @Path("/roles/{id}")
    @Consumes({"application/json"})
    public final List<ClientRole> listCompositeRealmRoleMappings() {
        this.auth.roles().requireList(this.realm);
        return toSortedClientRoles(addSubClientRoles(Stream.of(this.realm.getDefaultRole())));
    }

    private Stream<RoleModel> addSubClientRoles(Stream<RoleModel> stream) {
        return addSubRoles(stream).filter((v0) -> {
            return v0.isClientRole();
        });
    }

    private List<ClientRole> toSortedClientRoles(Stream<RoleModel> stream) {
        return (List) stream.map(roleModel -> {
            return RoleMapper.convertToModel(roleModel, this.realm);
        }).sorted(Comparator.comparing((v0) -> {
            return v0.getClient();
        }).thenComparing((v0) -> {
            return v0.getRole();
        })).collect(Collectors.toList());
    }

    private Stream<RoleModel> addSubRoles(Stream<RoleModel> stream) {
        return addSubRoles(stream, new HashSet<>());
    }

    private Stream<RoleModel> addSubRoles(Stream<RoleModel> stream, HashSet<RoleModel> hashSet) {
        List list = (List) stream.collect(Collectors.toList());
        hashSet.addAll(list);
        return Stream.concat(list.stream(), list.stream().flatMap(roleModel -> {
            return addSubRoles(roleModel.getCompositesStream().filter(roleModel -> {
                return !hashSet.contains(roleModel);
            }), hashSet);
        }));
    }

    private Stream<GroupModel> addParents(GroupModel groupModel) {
        return groupModel.getParent() == null ? Stream.of(groupModel) : Stream.concat(Stream.of(groupModel), addParents(groupModel.getParent()));
    }
}
