package io.phasetwo.service.resource;

import io.phasetwo.service.model.OrganizationModel;
import io.phasetwo.service.model.OrganizationRoleModel;
import io.phasetwo.service.representation.OrganizationRole;
import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.DELETE;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotAuthorizedException;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.PUT;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.Response;
import java.util.Objects;
import java.util.function.Consumer;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.events.admin.OperationType;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

/* loaded from: input_file:io/phasetwo/service/resource/RoleResource.class */
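/**
 * JAX-RS sub-resource for a single organization role, addressed by role name.
 *
 * <p>Exposes reads of the role and its user mappings, and writes that update the
 * description, delete the role, or grant/revoke it for a user.
 *
 * <p>Authorization as visible in this class: every mutating endpoint calls
 * {@link #canManage()} first. The read endpoints ({@link #getRole()}, {@link #users()},
 * {@link #userHasRole(String)}) perform no permission check here.
 * NOTE(review): presumably the parent resource locator enforces view access before this
 * sub-resource is constructed; confirm, because {@link #users()} returns full user
 * representations.
 */
public class RoleResource extends OrganizationAdminResource {
    private static final Logger log = Logger.getLogger(RoleResource.class);
    private final OrganizationModel organization;
    // Resolved once in the constructor; may be null if the name matches no role (see constructor note).
    private final OrganizationRoleModel role;
    private final String name;
    // Callback supplied by the creator of this resource; performs the actual role deletion.
    private final Consumer<String> deleteOrganizationRole;

    /**
     * Binds this resource to one role of the given organization.
     *
     * @param organizationAdminResource parent resource whose context is passed to the superclass
     * @param organizationModel organization that owns the role
     * @param str role name; used to look the role up and echoed in error messages
     * @param consumer callback invoked with the role name by {@link #deleteRole()}
     */
    public RoleResource(OrganizationAdminResource organizationAdminResource, OrganizationModel organizationModel, String str, Consumer<String> consumer) {
        super(organizationAdminResource);
        this.organization = organizationModel;
        // NOTE(review): the lookup result is not null-checked here. Every endpoint except
        // deleteRole() dereferences or converts this.role, so the creator of this resource
        // is presumably expected to reject unknown role names first; confirm at the call site.
        this.role = organizationModel.getRoleByName(str);
        this.name = str;
        this.deleteOrganizationRole = consumer;
    }

    /**
     * Returns the representation of this role.
     *
     * <p>No permission check is made in this method.
     *
     * @return the role converted by {@code Converters.convertOrganizationRole}
     */
    @Produces({"application/json"})
    @GET
    public OrganizationRole getRole() {
        return Converters.convertOrganizationRole(this.role);
    }

    /**
     * Updates the role's description from the request payload.
     *
     * <p>Only the description is read from the payload; no other payload field is applied.
     * An admin event is recorded only when the description actually changes.
     *
     * @param organizationRole payload carrying the new description
     * @return 204 No Content
     * @throws NotAuthorizedException if the caller fails {@link #canManage()}
     * @throws BadRequestException if the request carries no payload
     */
    @PUT
    @Consumes({"application/json"})
    public Response updateRole(OrganizationRole organizationRole) {
        // Authorize before touching the payload so unauthorized callers learn nothing about validation.
        canManage();
        // A missing request entity would otherwise surface as a NullPointerException
        // instead of a client error.
        if (organizationRole == null) {
            throw new BadRequestException("Role representation is required");
        }
        String requestedDescription = organizationRole.getDescription();
        if (!Objects.equals(this.role.getDescription(), requestedDescription)) {
            this.role.setDescription(requestedDescription);
            OrganizationRole updated = Converters.convertOrganizationRole(this.role);
            this.adminEvent
                    .resource(OrganizationResourceType.ORGANIZATION_ROLE.name())
                    .operation(OperationType.UPDATE)
                    .resourcePath(this.session.getContext().getUri(), updated.getName())
                    .representation(updated)
                    .success();
        }
        return Response.noContent().build();
    }

    /**
     * Deletes this role by handing its name to the deletion callback.
     *
     * <p>No admin event is recorded in this method.
     * NOTE(review): presumably the callback records the deletion; confirm so role removal is audited.
     *
     * @return 204 No Content
     * @throws NotAuthorizedException if the caller fails {@link #canManage()}
     */
    @DELETE
    public Response deleteRole() {
        canManage();
        this.deleteOrganizationRole.accept(this.name);
        return Response.noContent().build();
    }

    /**
     * Streams the users mapped to this role as user representations.
     *
     * <p>No permission check is made in this method, and each user is converted with
     * {@code ModelToRepresentation.toRepresentation}, not a reduced view.
     *
     * @return one representation per user mapped to the role
     */
    @Produces({"application/json"})
    @GET
    @Path("users")
    public Stream<UserRepresentation> users() {
        return this.role.getUserMappingsStream()
                .map(member -> ModelToRepresentation.toRepresentation(this.session, this.realm, member));
    }

    /**
     * Checks whether a user holds this role.
     *
     * <p>An unknown user id and a known user without the role produce the same 404, so the
     * response does not distinguish the two cases. No permission check is made in this method.
     *
     * @param str user id taken from the request path
     * @return 204 No Content when the user holds the role
     * @throws NotFoundException if the user does not exist or lacks the role
     */
    @Produces({"application/json"})
    @GET
    @Path("users/{userId}")
    public Response userHasRole(@PathParam("userId") String str) {
        UserModel user = this.session.users().getUserById(this.realm, str);
        if (user == null || !this.role.hasRole(user)) {
            // The path value is caller-controlled and is echoed into the message as-is.
            throw new NotFoundException(String.format("User %s doesn't have role %s", str, this.name));
        }
        return Response.noContent().build();
    }

    /**
     * Grants this role to a user who is already a member of the organization.
     *
     * <p>The membership check keeps organization roles from being attached to users outside
     * the organization. The grant and its admin event happen only when the user does not
     * already hold the role; the response is 201 Created in both cases.
     *
     * @param str user id taken from the request path
     * @return 201 Created with the absolute request path as location
     * @throws NotAuthorizedException if the caller fails {@link #canManage()}
     * @throws NotFoundException if no user with that id exists in the realm
     * @throws BadRequestException if the user is not a member of the organization
     */
    @PUT
    @Produces({"application/json"})
    @Path("users/{userId}")
    public Response grantUserRole(@PathParam("userId") String str) {
        canManage();
        UserModel user = this.session.users().getUserById(this.realm, str);
        if (user == null) {
            throw new NotFoundException(String.format("User %s doesn't exist", str));
        }
        if (!this.organization.hasMembership(user)) {
            throw new BadRequestException(String.format("User %s must be a member of %s to be granted role.", str, this.organization.getName()));
        }
        if (!this.role.hasRole(user)) {
            this.role.grantRole(user);
            this.adminEvent
                    .resource(OrganizationResourceType.ORGANIZATION_ROLE_MAPPING.name())
                    .operation(OperationType.CREATE)
                    .resourcePath(this.session.getContext().getUri())
                    .representation(str)
                    .success();
        }
        return Response.created(this.session.getContext().getUri().getAbsolutePathBuilder().build()).build();
    }

    /**
     * Revokes this role from a user and records an admin event.
     *
     * @param str user id taken from the request path
     * @return 204 No Content
     * @throws NotAuthorizedException if the caller fails {@link #canManage()}
     * @throws NotFoundException if the user does not exist or does not hold the role
     */
    @Produces({"application/json"})
    @DELETE
    @Path("users/{userId}")
    public Response revokeUserRole(@PathParam("userId") String str) {
        canManage();
        UserModel user = this.session.users().getUserById(this.realm, str);
        if (user == null || !this.role.hasRole(user)) {
            throw new NotFoundException(String.format("User %s doesn't have role %s", str, this.name));
        }
        this.role.revokeRole(user);
        this.adminEvent
                .resource(OrganizationResourceType.ORGANIZATION_ROLE_MAPPING.name())
                .operation(OperationType.DELETE)
                .resourcePath(this.session.getContext().getUri())
                .representation(str)
                .success();
        return Response.noContent().build();
    }

    /**
     * Gate for every mutating endpoint: passes when the caller may manage organizations in
     * general or may manage roles in this organization.
     *
     * @throws NotAuthorizedException if neither permission is held
     */
    private void canManage() {
        OrganizationAdminAuth orgAuth = (OrganizationAdminAuth) this.auth;
        if (!orgAuth.hasManageOrgs() && !orgAuth.hasOrgManageRoles(this.organization)) {
            // NOTE(review): with this argument shape the formatted text appears to bind to the
            // exception's challenge parameter, so the caller's user id and the organization name
            // would be sent back in the 401 challenge header; confirm that is intended. An
            // authenticated caller lacking permission is more conventionally answered with 403,
            // but the exception type is kept because clients may depend on the current status.
            throw new NotAuthorizedException(String.format("User %s doesn't have permission to manage roles in org %s", orgAuth.getUser().getId(), this.organization.getName()), new Object[0]);
        }
    }
}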
