package org.keycloak.services.resources.admin;

import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.DELETE;
import jakarta.ws.rs.DefaultValue;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.PUT;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriInfo;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Stream;
import org.eclipse.microprofile.openapi.annotations.Operation;
import org.eclipse.microprofile.openapi.annotations.extensions.Extension;
import org.eclipse.microprofile.openapi.annotations.parameters.Parameter;
import org.eclipse.microprofile.openapi.annotations.tags.Tag;
import org.jboss.resteasy.reactive.NoCache;
import org.keycloak.common.Profile;
import org.keycloak.common.util.ObjectUtil;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.representations.idm.ManagementPermissionReference;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.services.ErrorResponse;
import org.keycloak.services.resources.KeycloakOpenAPI;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
import org.keycloak.services.resources.admin.permissions.AdminPermissionManagement;
import org.keycloak.services.resources.admin.permissions.AdminPermissions;
import org.keycloak.utils.GroupUtils;
import org.keycloak.utils.MediaType;
import org.keycloak.utils.ProfileHelper;
import org.keycloak.utils.StreamsUtil;

@Extension(name = KeycloakOpenAPI.Profiles.ADMIN, value = "")
/* loaded from: input_file:org/keycloak/services/resources/admin/GroupResource.class */
public class GroupResource {
    private final RealmModel realm;
    private final KeycloakSession session;
    private final AdminPermissionEvaluator auth;
    private final AdminEventBuilder adminEvent;
    private final GroupModel group;

    public GroupResource(RealmModel realmModel, GroupModel groupModel, KeycloakSession keycloakSession, AdminPermissionEvaluator adminPermissionEvaluator, AdminEventBuilder adminEventBuilder) {
        this.realm = realmModel;
        this.session = keycloakSession;
        this.auth = adminPermissionEvaluator;
        this.adminEvent = adminEventBuilder.resource(ResourceType.GROUP);
        this.group = groupModel;
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.GROUPS)
    @Operation
    @GET
    public GroupRepresentation getGroup() {
        this.auth.groups().requireView(this.group);
        GroupRepresentation representation = GroupUtils.toRepresentation(this.auth.groups(), this.group, true);
        representation.setAccess(this.auth.groups().getAccess(this.group));
        return GroupUtils.populateSubGroupCount(this.group, representation);
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.GROUPS)
    @Operation(summary = "Update group, ignores subgroups.")
    @PUT
    @Consumes({MediaType.APPLICATION_JSON})
    public Response updateGroup(GroupRepresentation groupRepresentation) {
        this.auth.groups().requireManage(this.group);
        String name = groupRepresentation.getName();
        if (ObjectUtil.isBlank(name)) {
            throw ErrorResponse.error("Group name is missing", Response.Status.BAD_REQUEST);
        }
        if (groupRepresentation.getId() != null && !this.group.getId().equals(groupRepresentation.getId())) {
            throw ErrorResponse.error("Invalid group id", Response.Status.BAD_REQUEST);
        }
        if (!Objects.equals(name, this.group.getName()) && siblings().filter(groupModel -> {
            return !Objects.equals(groupModel.getId(), this.group.getId());
        }).anyMatch(groupModel2 -> {
            return Objects.equals(groupModel2.getName(), name);
        })) {
            throw ErrorResponse.exists("Sibling group named '" + name + "' already exists.");
        }
        updateGroup(groupRepresentation, this.group, this.realm, this.session);
        this.adminEvent.operation(OperationType.UPDATE).resourcePath((UriInfo) this.session.getContext().getUri()).representation(groupRepresentation).success();
        return Response.noContent().build();
    }

    private Stream<GroupModel> siblings() {
        return this.group.getParentId() == null ? this.session.groups().getTopLevelGroupsStream(this.realm) : this.group.getParent().getSubGroupsStream();
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.GROUPS)
    @DELETE
    @Operation
    public void deleteGroup() {
        this.auth.groups().requireManage(this.group);
        this.realm.removeGroup(this.group);
        this.adminEvent.operation(OperationType.DELETE).resourcePath((UriInfo) this.session.getContext().getUri()).success();
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.GROUPS)
    @Operation(summary = "Return a paginated list of subgroups that have a parent group corresponding to the group on the URL")
    @GET
    @Path("children")
    public Stream<GroupRepresentation> getSubGroups(@Parameter(description = "A String representing either an exact group name or a partial name") @QueryParam("search") String str, @Parameter(description = "Boolean which defines whether the params \"search\" must match exactly or not") @QueryParam("exact") Boolean bool, @Parameter(description = "The position of the first result to be returned (pagination offset).") @QueryParam("first") @DefaultValue("0") Integer num, @Parameter(description = "The maximum number of results that are to be returned. Defaults to 10") @QueryParam("max") @DefaultValue("10") Integer num2, @Parameter(description = "Boolean which defines whether brief groups representations are returned or not (default: false)") @QueryParam("briefRepresentation") @DefaultValue("false") Boolean bool2) {
        this.auth.groups().requireView(this.group);
        boolean canView = this.auth.groups().canView();
        return StreamsUtil.paginatedStream(this.group.getSubGroupsStream(str, bool, -1, -1).filter(groupModel -> {
            return canView || this.auth.groups().canView(groupModel);
        }), num, num2).map(groupModel2 -> {
            return GroupUtils.populateSubGroupCount(groupModel2, GroupUtils.toRepresentation(this.auth.groups(), groupModel2, !bool2.booleanValue()));
        });
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.GROUPS)
    @Path("children")
    @Consumes({MediaType.APPLICATION_JSON})
    @Produces({MediaType.APPLICATION_JSON})
    @Operation(summary = "Set or create child.", description = "This will just set the parent if it exists. Create it and set the parent if the group doesn’t exist.")
    @POST
    public Response addChild(GroupRepresentation groupRepresentation) {
        GroupModel createGroup;
        this.auth.groups().requireManage(this.group);
        String name = groupRepresentation.getName();
        if (ObjectUtil.isBlank(name)) {
            throw ErrorResponse.error("Group name is missing", Response.Status.BAD_REQUEST);
        }
        try {
            Response.ResponseBuilder status = Response.status(204);
            if (groupRepresentation.getId() != null) {
                createGroup = this.realm.getGroupById(groupRepresentation.getId());
                if (createGroup == null) {
                    throw new NotFoundException("Could not find child by id");
                }
                if (!Objects.equals(createGroup.getParentId(), this.group.getId())) {
                    this.realm.moveGroup(createGroup, this.group);
                }
                this.adminEvent.operation(OperationType.UPDATE);
            } else {
                createGroup = this.realm.createGroup(name, this.group);
                updateGroup(groupRepresentation, createGroup, this.realm, this.session);
                status.status(201).location(this.session.getContext().getUri().getBaseUriBuilder().path(AdminRoot.class).path(AdminRoot.class, "getRealmsAdmin").path(RealmsAdminResource.class, "getRealmAdmin").path(RealmAdminResource.class, "getGroups").path(GroupsResource.class, "getGroupById").build(new Object[]{this.realm.getName(), createGroup.getId()}));
                groupRepresentation.setId(createGroup.getId());
                this.adminEvent.operation(OperationType.CREATE);
            }
            this.adminEvent.resourcePath((UriInfo) this.session.getContext().getUri()).representation(groupRepresentation).success();
            return status.type(jakarta.ws.rs.core.MediaType.APPLICATION_JSON_TYPE).entity(GroupUtils.toRepresentation(this.auth.groups(), createGroup, true)).build();
        } catch (ModelDuplicateException e) {
            throw ErrorResponse.exists("Sibling group named '" + name + "' already exists.");
        }
    }

    public static void updateGroup(GroupRepresentation groupRepresentation, GroupModel groupModel, RealmModel realmModel, KeycloakSession keycloakSession) {
        String name = groupRepresentation.getName();
        if (name != null && !name.equals(groupModel.getName())) {
            String buildGroupPath = KeycloakModelUtils.buildGroupPath(groupModel);
            groupModel.setName(name);
            GroupModel.GroupPathChangeEvent.fire(groupModel, KeycloakModelUtils.buildGroupPath(groupModel), buildGroupPath, keycloakSession);
        }
        if (groupRepresentation.getAttributes() != null) {
            HashSet hashSet = new HashSet(groupModel.getAttributes().keySet());
            hashSet.removeAll(groupRepresentation.getAttributes().keySet());
            for (Map.Entry entry : groupRepresentation.getAttributes().entrySet()) {
                groupModel.setAttribute((String) entry.getKey(), (List) entry.getValue());
            }
            Iterator it = hashSet.iterator();
            while (it.hasNext()) {
                groupModel.removeAttribute((String) it.next());
            }
        }
    }

    @Path("role-mappings")
    public RoleMapperResource getRoleMappings() {
        return new RoleMapperResource(this.session, this.auth, this.group, this.adminEvent, () -> {
            this.auth.groups().requireManage(this.group);
        }, () -> {
            this.auth.groups().requireView(this.group);
        });
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.GROUPS)
    @Operation(summary = "Get users Returns a stream of users, filtered according to query parameters")
    @GET
    @Path("members")
    public Stream<UserRepresentation> getMembers(@Parameter(description = "Pagination offset") @QueryParam("first") Integer num, @Parameter(description = "Maximum results size (defaults to 100)") @QueryParam("max") Integer num2, @Parameter(description = "Only return basic information (only guaranteed to return id, username, created, first and last name, email, enabled state, email verification state, federation link, and access. Note that it means that namely user attributes, required actions, and not before are not returned.)") @QueryParam("briefRepresentation") Boolean bool) {
        this.auth.groups().requireViewMembers(this.group);
        Integer valueOf = Integer.valueOf(num != null ? num.intValue() : 0);
        Integer valueOf2 = Integer.valueOf(num2 != null ? num2.intValue() : 100);
        boolean z = bool != null && bool.booleanValue();
        return this.session.users().getGroupMembersStream(this.realm, this.group, valueOf, valueOf2).map(userModel -> {
            return z ? ModelToRepresentation.toBriefRepresentation(userModel) : ModelToRepresentation.toRepresentation(this.session, this.realm, userModel);
        });
    }

    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.GROUPS)
    @Operation(summary = "Return object stating whether client Authorization permissions have been initialized or not and a reference")
    @Path("management/permissions")
    @GET
    public ManagementPermissionReference getManagementPermissions() {
        ProfileHelper.requireFeature(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ);
        this.auth.groups().requireView(this.group);
        AdminPermissionManagement management = AdminPermissions.management(this.session, this.realm);
        return !management.groups().isPermissionsEnabled(this.group) ? new ManagementPermissionReference() : toMgmtRef(this.group, management);
    }

    private ManagementPermissionReference toMgmtRef(GroupModel groupModel, AdminPermissionManagement adminPermissionManagement) {
        ManagementPermissionReference managementPermissionReference = new ManagementPermissionReference();
        managementPermissionReference.setEnabled(true);
        managementPermissionReference.setResource(adminPermissionManagement.groups().resource(groupModel).getId());
        managementPermissionReference.setScopePermissions(adminPermissionManagement.groups().getPermissions(groupModel));
        return managementPermissionReference;
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.GROUPS)
    @Path("management/permissions")
    @Consumes({MediaType.APPLICATION_JSON})
    @Produces({MediaType.APPLICATION_JSON})
    @Operation(summary = "Return object stating whether client Authorization permissions have been initialized or not and a reference")
    @PUT
    public ManagementPermissionReference setManagementPermissionsEnabled(ManagementPermissionReference managementPermissionReference) {
        ProfileHelper.requireFeature(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ);
        this.auth.groups().requireManage(this.group);
        AdminPermissionManagement management = AdminPermissions.management(this.session, this.realm);
        management.groups().setPermissionsEnabled(this.group, managementPermissionReference.isEnabled());
        return managementPermissionReference.isEnabled() ? toMgmtRef(this.group, management) : new ManagementPermissionReference();
    }
}
