package org.keycloak.services.clientregistration;

import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.core.Response;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.oidc.OIDCClientRepresentation;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.DynamicClientRegisteredContext;
import org.keycloak.services.clientpolicy.context.DynamicClientUpdatedContext;
import org.keycloak.services.clientregistration.policy.ClientRegistrationPolicyManager;
import org.keycloak.services.clientregistration.policy.RegistrationAuth;
import org.keycloak.services.managers.ClientManager;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.validation.ValidationUtil;

/* loaded from: input_file:org/keycloak/services/clientregistration/AbstractClientRegistrationProvider.class */
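/**
 * Base implementation of the client registration operations (create, read, update, delete)
 * shared by the concrete registration providers.
 *
 * <p>Every operation first records the event type, then asks {@link ClientRegistrationAuth}
 * to authorize the request, and only then touches the model. The representations returned by
 * {@link #create}, {@link #get} and {@link #update} can carry the client secret and a
 * registration access token; both are credentials and should not be logged by callers.
 *
 * <p>{@code auth} and {@code event} are injected through the setters after construction, so
 * the operations must not be called before {@link #setAuth} and {@link #setEvent}.
 */
public abstract class AbstractClientRegistrationProvider implements ClientRegistrationProvider {
    /**
     * Session attribute set to {@code true} at the start of {@link #update} and read back after
     * authorization to choose how the registration access token is refreshed.
     */
    private static final String REGISTRATION_ACCESS_TOKEN_ENABLED_ATTR = "client.registration.access.token.enabled";

    protected KeycloakSession session;
    protected EventBuilder event;
    protected ClientRegistrationAuth auth;

    /**
     * @param keycloakSession session used for realm lookup, client policies and token handling
     */
    public AbstractClientRegistrationProvider(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * Registers a new client from the representation carried by the context.
     *
     * @param clientRegistrationContext registration request, including the client representation
     * @return representation of the created client, including its secret and a registration
     *         access token
     * @throws ErrorResponseException with status 400 when the client id is already in use or a
     *         client policy rejects the registration
     */
    public ClientRepresentation create(ClientRegistrationContext clientRegistrationContext) {
        ClientRepresentation client = clientRegistrationContext.getClient();
        this.event.event(EventType.CLIENT_REGISTER);
        // Authorization is checked before anything is written to the model.
        RegistrationAuth requireCreate = this.auth.requireCreate(clientRegistrationContext);
        try {
            RealmModel realm = this.session.getContext().getRealm();
            ClientModel createClient = ClientManager.createClient(this.session, realm, client);
            if (client.getDefaultRoles() != null) {
                for (String roleName : client.getDefaultRoles()) {
                    addDefaultRole(createClient, roleName);
                }
            }
            if (createClient.isServiceAccountsEnabled()) {
                new ClientManager(new RealmManager(this.session)).enableServiceAccount(createClient);
            }
            if (Boolean.TRUE.equals(client.getAuthorizationServicesEnabled())) {
                RepresentationToModel.createResourceServer(createClient, this.session, true);
            }
            this.session.getContext().setClient(createClient);
            // The client already exists in the model when the policies run. A rejection is
            // reported as 400 below; NOTE(review): nothing in this method marks the transaction
            // rollback-only on that path - confirm the caller rolls back on the exception.
            this.session.clientPolicy().triggerOnEvent(new DynamicClientRegisteredContext(clientRegistrationContext, createClient, this.auth.getJwt(), realm));
            ClientRegistrationPolicyManager.triggerAfterRegister(clientRegistrationContext, requireCreate, createClient);
            ClientRepresentation representation = ModelToRepresentation.toRepresentation(createClient, this.session);
            representation.setSecret(createClient.getSecret());
            representation.setRegistrationAccessToken(ClientRegistrationTokenUtils.updateRegistrationAccessToken(this.session, createClient, requireCreate));
            if (this.auth.isInitialAccessToken()) {
                // An initial access token has a limited number of uses; consume one.
                this.session.realms().decreaseRemainingCount(realm, this.auth.getInitialAccessModel());
            }
            // Only the returned representation is changed here, not the stored client model.
            // NOTE(review): confirm the model's direct-access-grants flag is set as intended
            // elsewhere, since this line does not enforce it.
            representation.setDirectAccessGrantsEnabled(false);
            copyDefaultRoles(createClient, representation);
            this.event.client(representation.getClientId()).success();
            return representation;
        } catch (ModelDuplicateException e) {
            throw new ErrorResponseException(ErrorCodes.INVALID_CLIENT_METADATA, "Client Identifier in use", Response.Status.BAD_REQUEST);
        } catch (ClientPolicyException e2) {
            throw new ErrorResponseException(e2.getError(), e2.getErrorDetail(), Response.Status.BAD_REQUEST);
        }
    }

    /**
     * Returns the representation of an existing client after checking view permission.
     *
     * <p>The secret is included only when the client is neither bearer-only nor public.
     *
     * @param clientModel client to read; {@code auth.requireView} receives it as-is
     * @return representation of the client
     */
    public ClientRepresentation get(ClientModel clientModel) {
        this.event.event(EventType.CLIENT_INFO);
        this.auth.requireView(clientModel);
        ClientRepresentation representation = ModelToRepresentation.toRepresentation(clientModel, this.session);
        boolean bearerOnly = Boolean.TRUE.equals(representation.isBearerOnly());
        boolean publicClient = Boolean.TRUE.equals(representation.isPublicClient());
        if (!bearerOnly && !publicClient) {
            representation.setSecret(clientModel.getSecret());
        }
        if (this.auth.isRegistrationAccessToken()) {
            representation.setRegistrationAccessToken(ClientRegistrationTokenUtils.updateTokenSignature(this.session, this.auth));
        }
        copyDefaultRoles(clientModel, representation);
        this.event.client(clientModel.getClientId()).success();
        return representation;
    }

    /**
     * Updates an existing client from the representation carried by the context.
     *
     * @param str client id of the client to update
     * @param clientRegistrationContext update request, including the new client representation
     * @return representation of the updated client
     * @throws ErrorResponseException with status 400 when the representation carries a different
     *         client id than {@code str} resolves to, or when a client policy rejects the update
     */
    public ClientRepresentation update(String str, ClientRegistrationContext clientRegistrationContext) {
        ClientRepresentation client = clientRegistrationContext.getClient();
        this.event.event(EventType.CLIENT_UPDATE).client(str);
        // May be null for an unknown id; presumably requireUpdate rejects that case before the
        // dereference below - verify against ClientRegistrationAuth.
        ClientModel clientByClientId = this.session.getContext().getRealm().getClientByClientId(str);
        this.session.setAttribute(REGISTRATION_ACCESS_TOKEN_ENABLED_ATTR, true);
        RegistrationAuth requireUpdate = this.auth.requireUpdate(clientRegistrationContext, clientByClientId);
        // The client id is immutable through this endpoint.
        if (!clientByClientId.getClientId().equals(client.getClientId())) {
            throw new ErrorResponseException(ErrorCodes.INVALID_CLIENT_METADATA, "Client Identifier modified", Response.Status.BAD_REQUEST);
        }
        RepresentationToModel.updateClient(client, clientByClientId, this.session);
        RepresentationToModel.updateClientProtocolMappers(client, clientByClientId);
        RepresentationToModel.updateClientScopes(client, clientByClientId);
        if (client.getDefaultRoles() != null) {
            updateDefaultRoles(clientByClientId, client.getDefaultRoles());
        }
        ClientRepresentation representation = ModelToRepresentation.toRepresentation(clientByClientId, this.session);
        // NOTE(review): unlike get(), the secret is returned here without checking for
        // bearer-only or public clients - confirm the difference is intended.
        representation.setSecret(clientByClientId.getSecret());
        copyDefaultRoles(clientByClientId, representation);
        if (this.auth.isRegistrationAccessToken()) {
            // The attribute was set to true above; presumably code reached through requireUpdate
            // can reset it to false. True selects updateRegistrationAccessToken, false selects
            // updateTokenSignature.
            boolean tokenEnabled = ((Boolean) this.session.getAttribute(REGISTRATION_ACCESS_TOKEN_ENABLED_ATTR)).booleanValue();
            String registrationAccessToken = tokenEnabled
                    ? ClientRegistrationTokenUtils.updateRegistrationAccessToken(this.session, clientByClientId, this.auth.getRegistrationAuth())
                    : ClientRegistrationTokenUtils.updateTokenSignature(this.session, this.auth);
            representation.setRegistrationAccessToken(registrationAccessToken);
        }
        this.session.removeAttribute(REGISTRATION_ACCESS_TOKEN_ENABLED_ATTR);
        try {
            this.session.getContext().setClient(clientByClientId);
            // The model has already been modified when the policies run. A rejection is reported
            // as 400 below; NOTE(review): nothing in this method marks the transaction
            // rollback-only on that path - confirm the caller rolls back on the exception.
            this.session.clientPolicy().triggerOnEvent(new DynamicClientUpdatedContext(this.session, clientByClientId, this.auth.getJwt(), clientByClientId.getRealm()));
            ClientRegistrationPolicyManager.triggerAfterUpdate(clientRegistrationContext, requireUpdate, clientByClientId);
            this.event.client(clientByClientId.getClientId()).success();
            return representation;
        } catch (ClientPolicyException e) {
            throw new ErrorResponseException(e.getError(), e.getErrorDetail(), Response.Status.BAD_REQUEST);
        }
    }

    /**
     * Deletes the client with the given client id after checking delete permission.
     *
     * @param str client id of the client to delete
     * @throws ForbiddenException when {@code ClientManager.removeClient} reports that the client
     *         was not removed
     */
    public void delete(String str) {
        this.event.event(EventType.CLIENT_DELETE).client(str);
        RealmModel realm = this.session.getContext().getRealm();
        // May be null for an unknown id; presumably requireDelete rejects that case - verify
        // against ClientRegistrationAuth.
        ClientModel clientByClientId = realm.getClientByClientId(str);
        this.auth.requireDelete(clientByClientId);
        boolean removed = new ClientManager(new RealmManager(this.session)).removeClient(this.session.getContext().getRealm(), clientByClientId);
        if (!removed) {
            throw new ForbiddenException();
        }
        this.event.client(clientByClientId.getClientId()).success();
    }

    /**
     * Validates a client and aborts the request when validation fails.
     *
     * <p>On failure the transaction is marked rollback-only before the 400 response is thrown,
     * so a client that was already written is not committed. A {@code redirectUris} error is
     * reported with {@code INVALID_REDIRECT_URI}, anything else with
     * {@code INVALID_CLIENT_METADATA}.
     *
     * @param clientModel client to validate
     * @param oIDCClientRepresentation OIDC representation of the request, may be {@code null}
     * @param z passed through to {@code ValidationUtil.validateClient}
     */
    public void validateClient(ClientModel clientModel, OIDCClientRepresentation oIDCClientRepresentation, boolean z) {
        ValidationUtil.validateClient(this.session, clientModel, oIDCClientRepresentation, z, validationResult -> {
            this.session.getTransactionManager().setRollbackOnly();
            String errorCode = validationResult.fieldHasError("redirectUris") ? ErrorCodes.INVALID_REDIRECT_URI : ErrorCodes.INVALID_CLIENT_METADATA;
            throw new ErrorResponseException(errorCode, validationResult.getAllErrorsAsString(), Response.Status.BAD_REQUEST);
        });
    }

    /**
     * Looks up the stored client by the representation's client id and validates it without an
     * OIDC representation.
     *
     * @param clientRepresentation representation whose client id selects the stored client
     * @param z passed through to {@code ValidationUtil.validateClient}
     */
    public void validateClient(ClientRepresentation clientRepresentation, boolean z) {
        ClientModel storedClient = this.session.getContext().getRealm().getClientByClientId(clientRepresentation.getClientId());
        validateClient(storedClient, null, z);
    }

    @Override
    public void setAuth(ClientRegistrationAuth clientRegistrationAuth) {
        this.auth = clientRegistrationAuth;
    }

    @Override
    public ClientRegistrationAuth getAuth() {
        return this.auth;
    }

    @Override
    public void setEvent(EventBuilder eventBuilder) {
        this.event = eventBuilder;
    }

    @Override
    public EventBuilder getEvent() {
        return this.event;
    }

    /** No resources are held by this provider; nothing to release. */
    public void close() {
    }

    /** Copies the client's default role names into the representation. */
    private void copyDefaultRoles(ClientModel clientModel, ClientRepresentation representation) {
        Stream<String> defaultRolesStream = getDefaultRolesStream(clientModel);
        if (defaultRolesStream != null) {
            representation.setDefaultRoles(defaultRolesStream.toArray(String[]::new));
        }
    }

    /** Adds the named client role (creating it if needed) to the realm's default role. */
    private void addDefaultRole(ClientModel clientModel, String str) {
        clientModel.getRealm().getDefaultRole().addCompositeRole(getOrAddRoleId(clientModel, str));
    }

    /** Returns the client role with the given name, creating it when it does not exist. */
    private RoleModel getOrAddRoleId(ClientModel clientModel, String str) {
        RoleModel role = clientModel.getRole(str);
        return role != null ? role : clientModel.addRole(str);
    }

    /**
     * Streams the names of the realm default role's composites that are client roles owned by
     * the given client.
     */
    private Stream<String> getDefaultRolesStream(ClientModel clientModel) {
        return clientModel.getRealm().getDefaultRole().getCompositesStream()
                .filter(roleModel -> roleModel.isClientRole() && Objects.equals(roleModel.getContainerId(), clientModel.getId()))
                .map(RoleModel::getName);
    }

    /**
     * Makes the client's default roles match {@code strArr}: current default roles that are not
     * requested are removed, requested roles that are not yet present are added.
     */
    private void updateDefaultRoles(ClientModel clientModel, String... strArr) {
        // The requested names must be compared element by element. Wrapping
        // String.valueOf(strArr) produced a one-element list holding the array's identity
        // string, so no existing role ever matched and every update removed and re-added all
        // of the client's default roles.
        Collection<String> requested = new HashSet<>(Arrays.asList(strArr));
        List<String> current = getDefaultRolesStream(clientModel).collect(Collectors.toList());
        HashSet<String> alreadyPresent = new HashSet<>();
        ArrayList<String> toRemove = new ArrayList<>();
        for (String roleName : current) {
            if (requested.contains(roleName)) {
                alreadyPresent.add(roleName);
            } else {
                toRemove.add(roleName);
            }
        }
        removeDefaultRoles(clientModel, toRemove.toArray(new String[0]));
        for (String roleName : strArr) {
            if (!alreadyPresent.contains(roleName)) {
                addDefaultRole(clientModel, roleName);
            }
        }
    }

    /** Removes the named client roles from the realm's default role. */
    private void removeDefaultRoles(ClientModel clientModel, String... strArr) {
        for (String roleName : strArr) {
            clientModel.getRealm().getDefaultRole().removeCompositeRole(clientModel.getRole(roleName));
        }
    }
}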
