package org.keycloak.services.clientregistration.oidc;

import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.DELETE;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.PUT;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.Response;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.stream.Collectors;
import org.jboss.logging.Logger;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.common.util.Time;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.mappers.AbstractPairwiseSubMapper;
import org.keycloak.protocol.oidc.mappers.PairwiseSubMapperHelper;
import org.keycloak.protocol.oidc.mappers.SHA256PairwiseSubMapper;
import org.keycloak.protocol.oidc.utils.SubjectType;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.oidc.OIDCClientRepresentation;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.Urls;
import org.keycloak.services.clientregistration.AbstractClientRegistrationProvider;
import org.keycloak.services.clientregistration.ClientRegistrationException;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.urls.UrlType;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/services/clientregistration/oidc/OIDCClientRegistrationProvider.class */
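/**
 * JAX-RS resource for OpenID Connect dynamic client registration: create (POST), read (GET),
 * update (PUT) and delete (DELETE) of a client described by an {@link OIDCClientRepresentation}.
 *
 * <p>Each endpoint converts between the external OIDC representation and the internal
 * {@link ClientRepresentation} and hands the actual work to the inherited {@code create},
 * {@code get}, {@code update} and {@code delete} methods.
 *
 * <p>NOTE(review): this class performs no authentication or authorization check of its own.
 * Presumably the inherited methods enforce the registration policy and token checks; confirm
 * in {@link AbstractClientRegistrationProvider} before relying on it.
 */
public class OIDCClientRegistrationProvider extends AbstractClientRegistrationProvider {
    private static final Logger logger = Logger.getLogger(OIDCClientRegistrationProvider.class);

    /** Grant type whose presence in a registration request enables authorization services. */
    private static final String UMA_TICKET_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:uma-ticket";

    /** Client attribute keys copied from the stored client into the update response. */
    private static final String SECRET_EXPIRATION_ATTRIBUTE = "client.secret.expiration.time";
    private static final String SECRET_CREATION_ATTRIBUTE = "client.secret.creation.time";

    /**
     * Creates the provider for the given session.
     *
     * @param keycloakSession session passed to the superclass constructor
     */
    public OIDCClientRegistrationProvider(KeycloakSession keycloakSession) {
        super(keycloakSession);
    }

    /**
     * Registers a new client from OIDC client metadata.
     *
     * @param oIDCClientRepresentation client metadata from the request body; must not carry a
     *     {@code client_id}, because the identifier is assigned on the server side
     * @return a 201 response whose entity is the registered client, including the time the
     *     client id was issued, and whose location is the client's registration URI
     * @throws ErrorResponseException with {@code invalid_client_metadata} / 400 when a client id
     *     is supplied or when registration raises a {@link ClientRegistrationException}
     */
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    @Consumes({MediaType.APPLICATION_JSON})
    public Response createOIDC(OIDCClientRepresentation oIDCClientRepresentation) {
        // A caller-chosen identifier is rejected outright rather than being overwritten.
        if (oIDCClientRepresentation.getClientId() != null) {
            throw new ErrorResponseException(ErrorCodes.INVALID_CLIENT_METADATA, "Client Identifier included", Response.Status.BAD_REQUEST);
        }
        try {
            ClientRepresentation internal = DescriptionConverter.toInternal(this.session, oIDCClientRepresentation);
            List<String> grantTypes = oIDCClientRepresentation.getGrantTypes();
            if (grantTypes != null) {
                // The requested grant types decide two client settings before the client is stored.
                // NOTE(review): the registrant thereby controls whether authorization services are
                // enabled; whether a registration policy in create() restricts this is not visible here.
                if (grantTypes.contains(UMA_TICKET_GRANT_TYPE)) {
                    internal.setAuthorizationServicesEnabled(true);
                }
                if (!grantTypes.contains(AbstractOAuth2IdentityProvider.OAUTH2_GRANT_TYPE_REFRESH_TOKEN)) {
                    OIDCAdvancedConfigWrapper.fromClientRepresentation(internal).setUseRefreshToken(false);
                }
            }
            ClientRepresentation create = create(new OIDCClientRegistrationContext(this.session, internal, this, oIDCClientRepresentation));
            ClientModel clientByClientId = this.session.getContext().getRealm().getClientByClientId(create.getClientId());
            updatePairwiseSubMappers(clientByClientId, SubjectType.parse(oIDCClientRepresentation.getSubjectType()), oIDCClientRepresentation.getSectorIdentifierUri());
            updateClientRepWithProtocolMappers(clientByClientId, create);
            // NOTE(review): validation runs after the client has already been created; presumably the
            // surrounding transaction discards the client when validateClient rejects it. Confirm.
            validateClient(clientByClientId, oIDCClientRepresentation, true);
            URI registrationClientUri = getRegistrationClientUri(clientByClientId);
            OIDCClientRepresentation externalResponse = DescriptionConverter.toExternalResponse(this.session, create, registrationClientUri);
            externalResponse.setClientIdIssuedAt(Integer.valueOf(Time.currentTime()));
            return Response.created(registrationClientUri).entity(externalResponse).build();
        } catch (ClientRegistrationException e) {
            // The detailed reason is logged only; the caller receives a fixed, generic message.
            ServicesLogger.LOGGER.clientRegistrationException(e.getMessage());
            throw new ErrorResponseException(ErrorCodes.INVALID_CLIENT_METADATA, "Client metadata invalid", Response.Status.BAD_REQUEST);
        }
    }

    /**
     * Returns the registered client with the given client id in its external OIDC form.
     *
     * @param str client id taken from the request path
     * @return a 200 response whose entity is the external representation of the client
     */
    @Produces({MediaType.APPLICATION_JSON})
    @GET
    @Path("{clientId}")
    public Response getOIDC(@PathParam("clientId") String str) {
        ClientModel clientByClientId = this.session.getContext().getRealm().getClientByClientId(str);
        // get() is evaluated before the registration URI is built, so it sees a missing client first.
        ClientRepresentation stored = get(clientByClientId);
        URI registrationClientUri = getRegistrationClientUri(clientByClientId);
        return Response.ok(DescriptionConverter.toExternalResponse(this.session, stored, registrationClientUri)).build();
    }

    /**
     * Updates the registered client named by the path with the supplied OIDC client metadata.
     *
     * <p>The response carries the stored client secret together with its creation and expiration
     * attributes, so the response body is as sensitive as the secret itself.
     *
     * @param str client id taken from the request path
     * @param oIDCClientRepresentation new client metadata from the request body
     * @return a 200 response whose entity is the updated client in its external OIDC form
     * @throws ErrorResponseException with {@code invalid_client_metadata} / 400 when the update
     *     raises a {@link ClientRegistrationException}
     */
    @Produces({MediaType.APPLICATION_JSON})
    @PUT
    @Path("{clientId}")
    @Consumes({MediaType.APPLICATION_JSON})
    public Response updateOIDC(@PathParam("clientId") String str, OIDCClientRepresentation oIDCClientRepresentation) {
        try {
            ClientRepresentation internal = DescriptionConverter.toInternal(this.session, oIDCClientRepresentation);
            if (oIDCClientRepresentation.getScope() != null) {
                // Carry over the current default scopes of the client being updated. The client is
                // resolved from the path parameter with getClientByClientId, the same lookup getOIDC
                // applies to that parameter. The previous code passed the body's client_id to
                // getClientById and dereferenced the result unchecked, so a request whose body id
                // did not resolve ended in a NullPointerException, and a body id naming a different
                // client had that client's scopes read before update() had run.
                ClientModel existing = this.session.getContext().getRealm().getClientByClientId(str);
                if (existing != null) {
                    internal.setDefaultClientScopes(new ArrayList<>(existing.getClientScopes(true).keySet()));
                }
                // An unknown client is left for update() to reject, exactly as for a request
                // that carries no scope.
            }
            ClientRepresentation update = update(str, new OIDCClientRegistrationContext(this.session, internal, this, oIDCClientRepresentation));
            ClientModel clientByClientId = this.session.getContext().getRealm().getClientByClientId(update.getClientId());
            updatePairwiseSubMappers(clientByClientId, SubjectType.parse(oIDCClientRepresentation.getSubjectType()), oIDCClientRepresentation.getSectorIdentifierUri());
            updateClientRepWithProtocolMappers(clientByClientId, update);
            // Secret and secret timestamps are taken from the stored client, not from the request.
            update.setSecret(clientByClientId.getSecret());
            update.getAttributes().put(SECRET_EXPIRATION_ATTRIBUTE, clientByClientId.getAttribute(SECRET_EXPIRATION_ATTRIBUTE));
            update.getAttributes().put(SECRET_CREATION_ATTRIBUTE, clientByClientId.getAttribute(SECRET_CREATION_ATTRIBUTE));
            // NOTE(review): as in createOIDC, validation runs after the change was applied; confirm
            // that a rejection here undoes the update.
            validateClient(clientByClientId, oIDCClientRepresentation, false);
            return Response.ok(DescriptionConverter.toExternalResponse(this.session, update, getRegistrationClientUri(clientByClientId))).build();
        } catch (ClientRegistrationException e) {
            // The detailed reason is logged only; the caller receives a fixed, generic message.
            ServicesLogger.LOGGER.clientRegistrationException(e.getMessage());
            throw new ErrorResponseException(ErrorCodes.INVALID_CLIENT_METADATA, "Client metadata invalid", Response.Status.BAD_REQUEST);
        }
    }

    /**
     * Deletes the registered client with the given client id by delegating to {@code delete}.
     *
     * @param str client id taken from the request path
     */
    @DELETE
    @Path("{clientId}")
    public void deleteOIDC(@PathParam("clientId") String str) {
        delete(str);
    }

    /**
     * Brings the client's pairwise subject mappers in line with the requested subject type.
     *
     * <p>For any subject type other than {@link SubjectType#PAIRWISE}, every mapper whose provider
     * id ends with the pairwise suffix is removed. For {@code PAIRWISE}, each such mapper gets the
     * given sector identifier URI, and a SHA-256 pairwise mapper is added when none exists yet.
     *
     * @param clientModel client whose protocol mappers are changed
     * @param subjectType subject type parsed from the request
     * @param str sector identifier URI from the request
     */
    private void updatePairwiseSubMappers(ClientModel clientModel, SubjectType subjectType, String str) {
        if (subjectType != SubjectType.PAIRWISE) {
            // Matching mappers are collected into a list first, so removal works on a snapshot
            // instead of on the stream that is still being read.
            clientModel.getProtocolMappersStream()
                    .filter(mapper -> mapper.getProtocolMapper().endsWith(AbstractPairwiseSubMapper.PROVIDER_ID_SUFFIX))
                    .collect(Collectors.toList())
                    .forEach(clientModel::removeProtocolMapper);
            return;
        }
        AtomicBoolean pairwiseMapperFound = new AtomicBoolean(false);
        clientModel.getProtocolMappersStream()
                .filter(mapper -> mapper.getProtocolMapper().endsWith(AbstractPairwiseSubMapper.PROVIDER_ID_SUFFIX))
                .collect(Collectors.toList())
                .forEach(mapper -> {
                    pairwiseMapperFound.set(true);
                    PairwiseSubMapperHelper.setSectorIdentifierUri(mapper, str);
                    clientModel.updateProtocolMapper(mapper);
                });
        if (!pairwiseMapperFound.get()) {
            clientModel.addProtocolMapper(RepresentationToModel.toModel(SHA256PairwiseSubMapper.createPairwiseMapper(str, null)));
        }
    }

    /**
     * Replaces the protocol mappers of the representation with those currently on the model.
     *
     * @param clientModel stored client that supplies the mappers
     * @param clientRepresentation representation that receives them
     */
    private void updateClientRepWithProtocolMappers(ClientModel clientModel, ClientRepresentation clientRepresentation) {
        clientRepresentation.setProtocolMappers(
                clientModel.getProtocolMappersStream()
                        .map(ModelToRepresentation::toRepresentation)
                        .collect(Collectors.toList()));
    }

    /**
     * Builds the registration URI of a client from the backend base URI, the realm name, the
     * {@code openid-connect} segment and the client id.
     *
     * @param clientModel client the URI refers to
     * @return the client's registration URI
     */
    private URI getRegistrationClientUri(ClientModel clientModel) {
        KeycloakContext context = this.session.getContext();
        URI backendBaseUri = context.getUri(UrlType.BACKEND).getBaseUri();
        String realmName = context.getRealm().getName();
        return Urls.clientRegistration(backendBaseUri, realmName, "openid-connect", clientModel.getClientId());
    }
}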
