package io.phasetwo.service.resource;

import com.google.common.collect.ImmutableMap;
import io.phasetwo.service.auth.action.PortalLinkActionToken;
import io.phasetwo.service.model.OrganizationModel;
import io.phasetwo.service.representation.Organization;
import jakarta.validation.Valid;
import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.DELETE;
import jakarta.ws.rs.DefaultValue;
import jakarta.ws.rs.FormParam;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotAuthorizedException;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.PUT;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriBuilder;
import jakarta.ws.rs.core.UriInfo;
import java.io.IOException;
import java.net.URI;
import org.jboss.logging.Logger;
import org.keycloak.common.util.Time;
import org.keycloak.events.admin.OperationType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.Urls;
import org.keycloak.services.resources.LoginActionsService;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.theme.Theme;

/* loaded from: input_file:io/phasetwo/service/resource/OrganizationResource.class */
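/**
 * JAX-RS sub-resource for a single organization.
 *
 * <p>Authorization as visible in this class: every sub-resource locator and mutating endpoint
 * admits the caller when it holds either a realm-wide right ({@code hasViewOrgs} /
 * {@code hasManageOrgs}) or the corresponding org-scoped right on {@link #organization}. The
 * constructor itself performs no check, so {@link #getOrg()} relies on whoever constructed this
 * resource having already authorized the read (see the note on that method).
 */
public class OrganizationResource extends OrganizationAdminResource {
    private static final Logger log = Logger.getLogger(OrganizationResource.class);
    private static final String IDP_WIZARD_CLIENT = "idp-wizard";
    private static final String WIZARD_THEME = "wizard";
    /** Lifetime of an issued portal-link action token, in seconds (24 hours). */
    private static final int PORTAL_LINK_TTL_SECONDS = 86400;

    protected final OrganizationModel organization;
    protected final String orgId;

    /**
     * @param parent the admin resource this one is nested under; its context (session, realm,
     *     auth, adminEvent, orgs) is inherited via the superclass copy-constructor
     * @param organizationModel the organization this resource operates on
     */
    public OrganizationResource(OrganizationAdminResource parent, OrganizationModel organizationModel) {
        super(parent);
        this.organization = organizationModel;
        this.orgId = organizationModel.getId();
    }

    /** The inherited {@code auth} field narrowed to the organization-aware auth helper. */
    private OrganizationAdminAuth orgAuth() {
        return (OrganizationAdminAuth) this.auth;
    }

    /** Builds the uniform 401 thrown by every sub-resource locator in this class. */
    private NotAuthorizedException insufficientPermission(String what) {
        return new NotAuthorizedException(
                String.format("Insufficient permission to %s for %s", what, this.organization.getId()));
    }

    /** {@code /idps}: requires realm-wide view-orgs or the org-scoped view-identity-providers right. */
    @Path("idps")
    public IdentityProvidersResource identityProviders() {
        if (orgAuth().hasViewOrgs() || orgAuth().hasOrgViewIdentityProviders(this.organization)) {
            return new IdentityProvidersResource(this, this.organization);
        }
        throw insufficientPermission("access identity providers");
    }

    /** {@code /roles}: requires realm-wide view-orgs or the org-scoped view-roles right. */
    @Path("roles")
    public RolesResource roles() {
        if (orgAuth().hasViewOrgs() || orgAuth().hasOrgViewRoles(this.organization)) {
            return new RolesResource(this, this.organization);
        }
        throw insufficientPermission("access role");
    }

    /** {@code /invitations}: requires realm-wide view-orgs or the org-scoped view-invitations right. */
    @Path("invitations")
    public InvitationsResource invitations() {
        if (orgAuth().hasViewOrgs() || orgAuth().hasOrgViewInvitations(this.organization)) {
            return new InvitationsResource(this, this.organization);
        }
        throw insufficientPermission("access invitation");
    }

    /** {@code /members}: requires realm-wide view-orgs or the org-scoped view-members right. */
    @Path("members")
    public MembersResource members() {
        if (orgAuth().hasViewOrgs() || orgAuth().hasOrgViewMembers(this.organization)) {
            return new MembersResource(this, this.organization);
        }
        throw insufficientPermission("access members");
    }

    /** {@code /domains}: requires realm-wide view-orgs or the org-scoped view-org right. */
    @Path("domains")
    public DomainsResource domains() {
        if (orgAuth().hasViewOrgs() || orgAuth().hasOrgViewOrg(this.organization)) {
            return new DomainsResource(this, this.organization);
        }
        throw insufficientPermission("access domains");
    }

    /**
     * Returns the organization representation.
     *
     * <p>NOTE(review): there is no authorization check in this method. It presumably relies on
     * the parent resource having verified view rights before constructing this object — confirm
     * against the caller, since nothing here would stop a direct construction path.
     */
    @Produces({"application/json"})
    @GET
    @Path("")
    public Response getOrg() {
        log.debugf("Get org for %s %s", this.realm.getName(), this.orgId);
        Organization rep = Converters.convertOrganizationModelToOrganization(this.organization);
        return Response.ok().entity(rep).build();
    }

    /**
     * Deletes the organization. Requires realm-wide manage-orgs (an org-scoped admin cannot delete
     * its own org). Always answers 204; the admin event is only emitted when a row was removed, so
     * a repeated delete is idempotent and silent.
     */
    @Produces({"application/json"})
    @DELETE
    @Path("")
    public Response deleteOrg() {
        log.debugf("Delete org for %s %s", this.realm.getName(), this.orgId);
        orgAuth().requireManageOrgs();
        if (this.orgs.removeOrganization(this.realm, this.orgId)) {
            this.adminEvent
                    .resource(OrganizationResourceType.ORGANIZATION.name())
                    .operation(OperationType.DELETE)
                    .resourcePath(this.session.getContext().getUri())
                    .representation(this.orgId)
                    .success();
        }
        return Response.noContent().build();
    }

    /**
     * Replaces the organization's name, display name, URL, attributes and (when supplied) domains.
     *
     * <p>Attributes are replaced wholesale: the existing set is cleared before the incoming map is
     * applied, so an absent or empty {@code attributes} field removes every attribute. Domains are
     * only touched when the representation carries a non-null list.
     *
     * @param organization validated request body
     * @throws NotAuthorizedException unless the caller has manage-orgs or org-scoped manage-org
     */
    @Produces({"application/json"})
    @PUT
    @Path("")
    @Consumes({"application/json"})
    public Response updateOrg(@Valid Organization organization) {
        log.debugf("Update org for %s", this.realm.getName());
        if (!orgAuth().hasManageOrgs() && !orgAuth().hasOrgManageOrg(this.organization)) {
            throw insufficientPermission("modify");
        }
        this.organization.setName(organization.getName());
        this.organization.setDisplayName(organization.getDisplayName());
        this.organization.setUrl(organization.getUrl());
        // Full replacement semantics for attributes: clear, then re-apply what was sent.
        this.organization.removeAttributes();
        if (organization.getAttributes() != null) {
            organization.getAttributes().forEach(this.organization::setAttribute);
        }
        if (organization.getDomains() != null) {
            this.organization.setDomains(organization.getDomains());
        }
        Organization updated = Converters.convertOrganizationModelToOrganization(this.organization);
        this.adminEvent
                .resource(OrganizationResourceType.ORGANIZATION.name())
                .operation(OperationType.UPDATE)
                .resourcePath(this.session.getContext().getUri(), updated.getId())
                .representation(updated)
                .success();
        return Response.noContent().build();
    }

    /** Looks up a LOGIN theme by name; {@code null} when it cannot be loaded. */
    private Theme getTheme(String name) {
        try {
            return this.session.theme().getTheme(name, Theme.Type.LOGIN);
        } catch (IOException e) {
            return null;
        }
    }

    /**
     * Issues a one-shot "portal link": an action-token URL that logs the chosen user into the
     * idp-wizard client and redirects to {@code <base>/realms/<realm>/wizard}.
     *
     * <p>Checks, in order: the caller has manage-orgs or org-scoped manage-org; the idp-wizard
     * client and wizard theme exist (otherwise 400, this is a paid-distribution feature); the
     * target user resolves and is an org member holding every default org role.
     *
     * @param userId id of the user the link logs in as; empty selects the {@code org-admin-<orgId>}
     *     account, which additionally requires manage-orgs or org-all
     * @param baseUri optional base for the redirect URI; defaults to the request base URI
     * @return JSON with {@code user} (resolved user id), {@code link} (the action-token URL) and
     *     {@code redirect} (where the wizard lands after the token is consumed)
     * @throws NotAuthorizedException when the caller lacks the rights above
     * @throws BadRequestException for a missing feature, unknown user, non-member, missing role or
     *     unparseable {@code baseUri}
     */
    @Produces({"application/json"})
    @POST
    @Path("portal-link")
    @Consumes({"application/x-www-form-urlencoded"})
    public Response getPortalLink(
            @DefaultValue("") @FormParam("userId") String userId,
            @DefaultValue("") @FormParam("baseUri") String baseUri) {
        log.infof("requesting portal-link for user %s, org %s", userId, this.organization.getId());
        // Authorize first so an unauthorized caller learns nothing about the deployment (the
        // paid-feature probe below used to run before this check).
        if (!orgAuth().hasManageOrgs() && !orgAuth().hasOrgManageOrg(this.organization)) {
            throw insufficientPermission("create portal link");
        }
        ClientModel wizardClient = this.session.clients().getClientByClientId(this.realm, IDP_WIZARD_CLIENT);
        Theme wizardTheme = getTheme(WIZARD_THEME);
        if (wizardClient == null || wizardTheme == null) {
            throw new BadRequestException("portal-link is only supported in paid Phase Two distributions");
        }
        try {
            UriInfo uriInfo = this.session.getContext().getUri();
            String redirectUri = buildWizardRedirectUri(uriInfo, baseUri);
            UserModel user = resolvePortalUser(userId);
            requireDefaultOrgRoles(user);
            String tokenString = new PortalLinkActionToken(
                            user.getId(),
                            Time.currentTime() + PORTAL_LINK_TTL_SECONDS,
                            this.organization.getId(),
                            IDP_WIZARD_CLIENT,
                            redirectUri)
                    .serialize(this.session, this.realm, uriInfo);
            String link = actionTokenBuilder(uriInfo.getBaseUri(), tokenString, IDP_WIZARD_CLIENT)
                    .build(this.realm.getName())
                    .toString();
            // The link embeds a bearer action token valid for PORTAL_LINK_TTL_SECONDS; log the
            // subject it was issued for, never the link itself.
            log.debugf("Created portal link for %s (%s)", user.getUsername(), user.getId());
            return Response.ok()
                    .entity(ImmutableMap.of("user", user.getId(), "link", link, "redirect", redirectUri))
                    .build();
        } catch (WebApplicationException e) {
            throw e;
        } catch (Exception e) {
            log.warn("Error creating portal link", e);
            return Response.serverError().build();
        }
    }

    /**
     * Builds the wizard landing URL: {@code <base>/realms/<realm>/wizard}.
     *
     * @param uriInfo request context; its base URI is used when {@code baseUri} is empty
     * @param baseUri caller-supplied override, or empty
     * @throws BadRequestException when {@code baseUri} is supplied but does not parse (previously
     *     this surfaced as an opaque 500 from the generic catch)
     */
    private String buildWizardRedirectUri(UriInfo uriInfo, String baseUri) {
        URI base;
        if (baseUri == null || baseUri.isEmpty()) {
            base = uriInfo.getBaseUri();
        } else {
            base = newUri(baseUri);
            if (base == null) {
                throw new BadRequestException("baseUri is not a valid URI");
            }
        }
        // NOTE(review): baseUri is not checked against any allowlist here, so the redirect URI
        // embedded in the action token is whatever the (org-admin) caller supplies. Confirm that
        // the PortalLinkActionToken handler validates it against the idp-wizard client's
        // registered redirect URIs before relying on it.
        String redirectUri = Urls.realmBase(base)
                .path(this.realm.getName())
                .path(WIZARD_THEME)
                .build()
                .toString();
        log.debugf("%s redirectUri %s", IDP_WIZARD_CLIENT, redirectUri);
        return redirectUri;
    }

    /**
     * Resolves the user the portal link will log in as and verifies org membership.
     *
     * <p>An empty {@code userId} selects the {@code org-admin-<orgId>} account, which requires
     * manage-orgs or org-all because that account carries the full admin role set.
     *
     * @throws NotAuthorizedException when falling back to the org-admin account without the rights
     * @throws BadRequestException when no user resolves or the user is not an org member
     */
    private UserModel resolvePortalUser(String userId) {
        UserModel user = null;
        if (userId != null && !userId.isEmpty()) {
            user = this.session.users().getUserById(this.realm, userId);
        }
        if (user == null) {
            // NOTE(review): an explicitly supplied but unknown userId also lands here and silently
            // falls back to the org-admin account (behavior kept from the original); consider
            // answering 400 for that case instead.
            if (!orgAuth().hasManageOrgs() && !orgAuth().hasOrgAll(this.organization)) {
                throw insufficientPermission("create portal link");
            }
            user = this.session.users().getUserByUsername(
                    this.realm, String.format("org-admin-%s", this.organization.getId()));
        }
        if (user == null) {
            throw new BadRequestException(String.format("User %s not found", userId));
        }
        log.debugf("Using user %s (%s) for portal-link", user.getUsername(), user.getId());
        if (!this.organization.hasMembership(user)) {
            // Report the resolved id, which is also meaningful on the org-admin fallback path.
            throw new BadRequestException(
                    String.format("User %s is not a member of this organization", user.getId()));
        }
        return user;
    }

    /**
     * Requires the user to hold every role in {@link OrganizationAdminAuth#DEFAULT_ORG_ROLES}.
     *
     * @throws BadRequestException naming the first missing role; a role that does not exist on
     *     the org counts as missing (previously an NPE that surfaced as a 500)
     */
    private void requireDefaultOrgRoles(UserModel user) {
        for (String roleName : OrganizationAdminAuth.DEFAULT_ORG_ROLES) {
            var role = this.organization.getRoleByName(roleName);
            if (role == null || !role.hasRole(user)) {
                throw new BadRequestException(
                        String.format("User has insufficient permissions. Needs %s.", roleName));
            }
        }
    }

    /**
     * Builds {@code <base>/realms/<realm>/login-actions/action-token?key=...&client_id=...}.
     * The realm name is left as a template parameter for the caller's {@code build(realmName)}.
     */
    private UriBuilder actionTokenBuilder(URI baseUri, String tokenString, String clientId) {
        // tokenString is deliberately not logged: it is a bearer credential for the token's TTL.
        log.debugf("baseUri: %s, clientId: %s", baseUri, clientId);
        return Urls.realmBase(baseUri)
                .path(RealmsResource.class, "getLoginActionsService")
                .path(LoginActionsService.class, "executeActionToken")
                .queryParam("key", tokenString)
                .queryParam("client_id", clientId);
    }

    /** Parses {@code str} as a URI; {@code null} (and a warning) when it does not parse. */
    private URI newUri(String str) {
        try {
            return new URI(str);
        } catch (Exception e) {
            log.warnf(e, "Error creating URI from %s", str);
            return null;
        }
    }
}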
