package org.keycloak.admin.ui.rest;

import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.DefaultValue;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.eclipse.microprofile.openapi.annotations.Operation;
import org.eclipse.microprofile.openapi.annotations.enums.SchemaType;
import org.eclipse.microprofile.openapi.annotations.media.Content;
import org.eclipse.microprofile.openapi.annotations.media.Schema;
import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
import org.keycloak.admin.ui.rest.model.ClientRole;
import org.keycloak.admin.ui.rest.model.RoleMapper;
import org.keycloak.authorization.fgap.AdminPermissionsSchema;
import org.keycloak.common.Profile;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.resources.admin.fgap.AdminPermissionEvaluator;

/* loaded from: input_file:org/keycloak/admin/ui/rest/AvailableRoleMappingResource.class */
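/**
 * Admin UI REST resource that lists the client roles a caller may still map onto a
 * target (client scope, client, group, user, or composite role).
 *
 * <p>The four endpoints that resolve a target share one authorization shape:
 * <ol>
 *   <li>An unknown target id yields 404 only when the caller may list or query that
 *       resource type, and 403 otherwise, so a caller without that right cannot
 *       distinguish "missing" from "not permitted".</li>
 *   <li>A caller holding the relevant admin role gets every client role that is not
 *       already mapped on the target.</li>
 *   <li>Any other caller gets an empty list unless admin permissions are enabled for
 *       the realm or the {@code ADMIN_FINE_GRAINED_AUTHZ} feature is on; with either
 *       enabled, the result is limited to role ids the caller holds a mapping
 *       permission for.</li>
 * </ol>
 *
 * <p>NOTE(review): {@code first} and {@code max} are passed to the role store without
 * validation in this class; presumably negative or very large values are handled
 * downstream. Confirm.
 */
public class AvailableRoleMappingResource extends RoleMappingResource {
    public AvailableRoleMappingResource(KeycloakSession keycloakSession, RealmModel realmModel, AdminPermissionEvaluator adminPermissionEvaluator) {
        super(keycloakSession, realmModel, adminPermissionEvaluator);
    }

    /**
     * Lists client roles that can be added to the scope mappings of a client scope.
     *
     * @param id client scope id
     * @param first index of the first result
     * @param max maximum number of results
     * @param search search string forwarded to the role store
     * @return matching client roles, or an empty list when fine-grained permissions are unavailable
     * @throws NotFoundException if the client scope does not exist and the caller may list client scopes
     * @throws ForbiddenException if the client scope does not exist and the caller may not list client scopes
     */
    @Produces({"application/json"})
    @Operation(summary = "List all available client roles for this client scope", description = "This endpoint returns all the client roles the user can add to a specific client scope")
    @APIResponse(responseCode = "200", description = "", content = {@Content(schema = @Schema(implementation = ClientRole.class, type = SchemaType.ARRAY))})
    @GET
    @Path("/clientScopes/{id}")
    @Consumes({"application/json"})
    public final List<ClientRole> listAvailableClientScopeRoleMappings(@PathParam("id") String id, @QueryParam("first") @DefaultValue("0") int first, @QueryParam("max") @DefaultValue("10") int max, @QueryParam("search") @DefaultValue("") String search) {
        ClientScopeModel clientScope = this.realm.getClientScopeById(id);
        if (clientScope == null) {
            // Only callers allowed to list client scopes learn that the id is unknown.
            if (this.auth.clients().canListClientScopes()) {
                throw new NotFoundException("Could not find client scope");
            }
            throw new ForbiddenException();
        }
        if (this.auth.hasOneAdminRole(new String[]{"manage-clients"})) {
            // Admin-role path: everything except the client roles already mapped.
            return searchForClientRolesByExcludedIds(this.realm, search, first, max,
                    clientScope.getScopeMappingsStream()
                            .filter(role -> role.isClientRole())
                            .map(role -> role.getId()));
        }
        if (!AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(this.realm) && !Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) {
            return Collections.emptyList();
        }
        this.auth.clients().requireView(clientScope);
        Set<String> permittedRoleIds = getRoleIdsWithPermissions("map-role-client-scope", "map-roles-client-scope");
        clientScope.getScopeMappingsStream().forEach(role -> permittedRoleIds.remove(role.getId()));
        return searchForClientRolesByIds(this.realm, permittedRoleIds.stream(), search, first, max);
    }

    /**
     * Lists client roles that can be added to the scope mappings of a client.
     * Roles already in the client's scope mappings and the client's own roles are excluded.
     *
     * @param id internal client id
     * @param first index of the first result
     * @param max maximum number of results
     * @param search search string forwarded to the role store
     * @return matching client roles, or an empty list when fine-grained permissions are unavailable
     * @throws NotFoundException if the client does not exist and the caller may list clients
     * @throws ForbiddenException if the client does not exist and the caller may not list clients
     */
    @Produces({"application/json"})
    @Operation(summary = "List all available client roles for the scope mapping of this client", description = "This endpoint returns all the client roles a user can add to the scope mapping of a specific client")
    @APIResponse(responseCode = "200", description = "", content = {@Content(schema = @Schema(implementation = ClientRole.class, type = SchemaType.ARRAY))})
    @GET
    @Path("/clients/{id}")
    @Consumes({"application/json"})
    public final List<ClientRole> listAvailableClientRoleMappings(@PathParam("id") String id, @QueryParam("first") @DefaultValue("0") int first, @QueryParam("max") @DefaultValue("10") int max, @QueryParam("search") @DefaultValue("") String search) {
        ClientModel client = this.realm.getClientById(id);
        if (client == null) {
            // Only callers allowed to list clients learn that the id is unknown.
            if (this.auth.clients().canList()) {
                throw new NotFoundException("Could not find client");
            }
            throw new ForbiddenException();
        }
        if (this.auth.hasOneAdminRole(new String[]{"manage-clients"})) {
            return searchForClientRolesByExcludedIds(this.realm, search, first, max,
                    Stream.concat(client.getScopeMappingsStream(), client.getRolesStream())
                            .filter(role -> role.isClientRole())
                            .map(role -> role.getId()));
        }
        if (!AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(this.realm) && !Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) {
            return Collections.emptyList();
        }
        this.auth.clients().requireView(client);
        Set<String> permittedRoleIds = getRoleIdsWithPermissions("map-role-client-scope", "map-roles-client-scope");
        Stream.concat(client.getScopeMappingsStream(), client.getRolesStream())
                .forEach(role -> permittedRoleIds.remove(role.getId()));
        return searchForClientRolesByIds(this.realm, permittedRoleIds.stream(), search, first, max);
    }

    /**
     * Lists client roles that can be mapped to a group.
     *
     * <p>NOTE(review): unlike {@link #listAvailableUserRoleMappings}, this path has no
     * per-target {@code canMapRoles} check after {@code requireView}; confirm that is intended.
     *
     * @param id group id
     * @param first index of the first result
     * @param max maximum number of results
     * @param search search string forwarded to the role store
     * @return matching client roles, or an empty list when fine-grained permissions are unavailable
     * @throws NotFoundException if the group does not exist and the caller may list groups
     * @throws ForbiddenException if the group does not exist and the caller may not list groups
     */
    @Produces({"application/json"})
    @Operation(summary = "List all available client roles for this group", description = "This endpoint returns all available client roles a user can add to a specific group")
    @APIResponse(responseCode = "200", description = "", content = {@Content(schema = @Schema(implementation = ClientRole.class, type = SchemaType.ARRAY))})
    @GET
    @Path("/groups/{id}")
    @Consumes({"application/json"})
    public final List<ClientRole> listAvailableGroupRoleMappings(@PathParam("id") String id, @QueryParam("first") @DefaultValue("0") int first, @QueryParam("max") @DefaultValue("10") int max, @QueryParam("search") @DefaultValue("") String search) {
        GroupModel group = this.realm.getGroupById(id);
        if (group == null) {
            // Only callers allowed to list groups learn that the id is unknown.
            if (this.auth.groups().canList()) {
                throw new NotFoundException("Could not find group");
            }
            throw new ForbiddenException();
        }
        if (this.auth.hasOneAdminRole(new String[]{"manage-users"})) {
            return searchForClientRolesByExcludedIds(this.realm, search, first, max,
                    group.getRoleMappingsStream()
                            .filter(role -> role.isClientRole())
                            .map(role -> role.getId()));
        }
        if (!AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(this.realm) && !Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) {
            return Collections.emptyList();
        }
        this.auth.groups().requireView(group);
        Set<String> permittedRoleIds = getRoleIdsWithPermissions("map-role", "map-roles");
        group.getRoleMappingsStream().forEach(role -> permittedRoleIds.remove(role.getId()));
        return searchForClientRolesByIds(this.realm, permittedRoleIds.stream(), search, first, max);
    }

    /**
     * Lists client roles that can be mapped to a user.
     * On the fine-grained path the caller must be able to view the user and to map roles
     * on that user; failing the second check yields an empty list rather than an error.
     *
     * @param id user id
     * @param first index of the first result
     * @param max maximum number of results
     * @param search search string forwarded to the role store
     * @return matching client roles, or an empty list when the caller has no mapping rights
     * @throws NotFoundException if the user does not exist and the caller may query users
     * @throws ForbiddenException if the user does not exist and the caller may not query users
     */
    @Produces({"application/json"})
    @Operation(summary = "List all available client roles for this user", description = "This endpoint returns all the available client roles a user can add to a specific user")
    @APIResponse(responseCode = "200", description = "", content = {@Content(schema = @Schema(implementation = ClientRole.class, type = SchemaType.ARRAY))})
    @GET
    @Path("/users/{id}")
    @Consumes({"application/json"})
    public final List<ClientRole> listAvailableUserRoleMappings(@PathParam("id") String id, @QueryParam("first") @DefaultValue("0") int first, @QueryParam("max") @DefaultValue("10") int max, @QueryParam("search") @DefaultValue("") String search) {
        UserModel user = Objects.requireNonNull(this.session).users().getUserById(this.realm, id);
        if (user == null) {
            // Only callers allowed to query users learn that the id is unknown.
            if (this.auth.users().canQuery()) {
                throw new NotFoundException("User not found");
            }
            throw new ForbiddenException();
        }
        if (this.auth.hasOneAdminRole(new String[]{"manage-users"})) {
            return searchForClientRolesByExcludedIds(this.realm, search, first, max,
                    user.getRoleMappingsStream()
                            .filter(role -> role.isClientRole())
                            .map(role -> role.getId()));
        }
        if (!AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(this.realm) && !Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) {
            return Collections.emptyList();
        }
        this.auth.users().requireView(user);
        if (!this.auth.users().canMapRoles(user)) {
            return Collections.emptyList();
        }
        Set<String> permittedRoleIds = getRoleIdsWithPermissions("map-role", "map-roles");
        user.getRoleMappingsStream().forEach(role -> permittedRoleIds.remove(role.getId()));
        return searchForClientRolesByIds(this.realm, permittedRoleIds.stream(), search, first, max);
    }

    /**
     * Lists client roles that can be added to a role as composites.
     *
     * <p>The {@code id} is used only to exclude that role from the result; this method
     * neither resolves it to a role nor performs a view check on it. On the fine-grained
     * path the result is bounded by the caller's own composite-mapping permissions.
     * NOTE(review): confirm that skipping the existence/view check is intended here,
     * since the other endpoints in this class perform one.
     *
     * @param id id of the role that would receive the composites
     * @param first index of the first result
     * @param max maximum number of results
     * @param search search string forwarded to the role store
     * @return matching client roles, or an empty list when fine-grained permissions are unavailable
     */
    @Produces({"application/json"})
    @Operation(summary = "List all available client roles to map as composite role", description = "This endpoint returns all available client roles to map as composite role")
    @APIResponse(responseCode = "200", description = "", content = {@Content(schema = @Schema(implementation = ClientRole.class, type = SchemaType.ARRAY))})
    @GET
    @Path("/roles/{id}")
    @Consumes({"application/json"})
    public final List<ClientRole> listAvailableRoleMappings(@PathParam("id") String id, @QueryParam("first") @DefaultValue("0") int first, @QueryParam("max") @DefaultValue("10") int max, @QueryParam("search") @DefaultValue("") String search) {
        if (this.auth.hasOneAdminRole(new String[]{"manage-users"})) {
            return searchForClientRolesByExcludedIds(this.realm, search, first, max, Stream.of(id));
        }
        if (!AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(this.realm) && !Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) {
            return Collections.emptyList();
        }
        Set<String> permittedRoleIds = getRoleIdsWithPermissions("map-role-composite", "map-roles-composite");
        permittedRoleIds.remove(id);
        return searchForClientRolesByIds(this.realm, permittedRoleIds.stream(), search, first, max);
    }

    /**
     * Collects the ids of the client roles the caller holds a mapping permission for.
     *
     * @param roleScope scope name evaluated against role resources
     * @param clientScope scope name evaluated against client resources
     * @return role ids the caller may map; callers in this class remove entries from it
     */
    private Set<String> getRoleIdsWithPermissions(String roleScope, String clientScope) {
        if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(this.realm) && canPerformOnAllClients(clientScope)) {
            // The caller holds the scope on all clients: every role of every client qualifies.
            return this.session.clients().getClientsStream(this.realm)
                    .flatMap(client -> client.getRolesStream())
                    .map(role -> role.getId())
                    .collect(Collectors.toSet());
        }
        // Presumably the returned set is mutable; it is extended below and pruned by callers.
        Set<String> roleIds = this.auth.roles().getRoleIdsByScope(roleScope);
        this.auth.clients().getClientIdsByScope(clientScope).stream()
                .map(clientId -> this.realm.getClientById(clientId))
                // A permitted id that no longer resolves to a client is skipped: the result
                // only shrinks, and the request does not fail with a NullPointerException.
                .filter(Objects::nonNull)
                .flatMap(client -> client.getRolesStream())
                .forEach(role -> roleIds.add(role.getId()));
        return roleIds;
    }

    /**
     * Searches client roles restricted to the given ids and converts them to the UI model.
     */
    private List<ClientRole> searchForClientRolesByIds(RealmModel realmModel, Stream<String> includedIds, String search, int first, int max) {
        return this.session.roles().searchForClientRolesStream(realmModel, includedIds, search, first, max)
                .map(role -> RoleMapper.convertToModel(role, realmModel))
                .collect(Collectors.toList());
    }

    /**
     * Searches all client roles except the given ids and converts them to the UI model.
     */
    private List<ClientRole> searchForClientRolesByExcludedIds(RealmModel realmModel, String search, int first, int max, Stream<String> excludedIds) {
        return this.session.roles().searchForClientRolesStream(realmModel, search, excludedIds, first, max)
                .map(role -> RoleMapper.convertToModel(role, realmModel))
                .collect(Collectors.toList());
    }

    /**
     * Reports whether the caller holds the given client-resource scope without being
     * tied to one client (the evaluator is called with a {@code null} client).
     * Unknown scope names are denied.
     */
    private boolean canPerformOnAllClients(String scope) {
        // Restored from the decompiler's hashCode/boolean-index lowering, which did not compile.
        switch (scope) {
            case "map-roles":
                return this.auth.clients().canMapRoles((ClientModel) null);
            case "map-roles-composite":
                return this.auth.clients().canMapCompositeRoles((ClientModel) null);
            case "map-roles-client-scope":
                return this.auth.clients().canMapClientScopeRoles((ClientModel) null);
            default:
                return false;
        }
    }
}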
