package io.phasetwo.service.resource;

import com.google.common.base.Strings;
import io.phasetwo.service.Orgs;
import io.phasetwo.service.model.OrganizationModel;
import io.phasetwo.service.representation.LinkIdp;
import io.phasetwo.service.util.IdentityProviders;
import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.InternalServerErrorException;
import jakarta.ws.rs.NotAuthorizedException;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.Response;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.models.utils.StripSecretsUtils;
import org.keycloak.representations.idm.ComponentRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.representations.idm.TestLdapConnectionRepresentation;
import org.keycloak.services.managers.LDAPServerCapabilitiesManager;

/* loaded from: input_file:io/phasetwo/service/resource/IdentityProvidersResource.class */
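/**
 * Organization-scoped view over a realm's identity providers.
 *
 * <p>The real create/import/lookup work is delegated to Keycloak's admin
 * {@code org.keycloak.services.resources.admin.IdentityProvidersResource}, built per call by
 * {@link #getIdpResource()} with an organization-aware permission evaluator. On top of that
 * this class enforces two things: an IdP is only visible or manageable here when its config
 * lists the current organization under {@code Orgs.ORG_OWNER_CONFIG_KEY} (see
 * {@link #idpInOrg}), and the caller must pass the organization-level checks in
 * {@link #canViewIdp()} / {@link #canManageIdp()}.
 */
public class IdentityProvidersResource extends OrganizationAdminResource {
    private static final Logger log = Logger.getLogger(IdentityProvidersResource.class);

    /** IdP config keys written by this resource. */
    private static final String SYNC_MODE_KEY = "syncMode";
    private static final String HIDE_ON_LOGIN_PAGE_KEY = "hideOnLoginPage";
    /** Sync mode applied when neither the link request nor the realm attribute supplies one. */
    private static final String DEFAULT_SYNC_MODE = "FORCE";

    /** The organization whose identity providers this resource exposes. */
    private final OrganizationModel organization;

    /**
     * @param organizationAdminResource parent resource whose session, realm, auth and
     *     admin-event context are inherited
     * @param organizationModel the organization this resource is scoped to
     */
    public IdentityProvidersResource(OrganizationAdminResource organizationAdminResource, OrganizationModel organizationModel) {
        super(organizationAdminResource);
        this.organization = organizationModel;
    }

    /**
     * Sub-resource for a single identity provider of this organization.
     *
     * <p>The Keycloak delegate is resolved first (it presumably applies its own permission
     * checks through the evaluator built in {@link #getIdpResource()}), then the
     * organization-level manage check, and finally the ownership check. An IdP that exists
     * but is not owned by this organization is reported as not found rather than forbidden,
     * so the endpoint does not confirm aliases that belong to other organizations.
     *
     * @param str the IdP alias from the path
     * @throws NotAuthorizedException if the caller may not manage this organization's IdPs
     * @throws NotFoundException if no IdP with that alias is owned by this organization
     */
    @Path("{alias}")
    public IdentityProviderResource identityProvider(@PathParam("alias") String str) {
        org.keycloak.services.resources.admin.IdentityProviderResource delegate =
                getIdpResource().getIdentityProvider(str);
        if (!canManageIdp()) {
            // NOTE(review): an authorization failure is reported as 401 here rather than 403;
            // kept as-is because existing clients may depend on it.
            throw new NotAuthorizedException(
                    String.format("Insufficient permission to manage identity provider %s for %s", str, this.organization.getId()));
        }
        boolean ownedByOrg = IdentityProviders
                .getAttributeMultivalued(delegate.getIdentityProvider().getConfig(), Orgs.ORG_OWNER_CONFIG_KEY)
                .contains(this.organization.getId());
        if (!ownedByOrg) {
            throw new NotFoundException(String.format("%s not found", str));
        }
        return new IdentityProviderResource(this, this.organization, str, delegate);
    }

    /**
     * Lists the identity providers owned by this organization, with secrets stripped.
     *
     * @return the owned IdPs as representations, or an empty stream when the caller lacks
     *     view permission (no error is raised in that case)
     */
    @Produces({"application/json"})
    @GET
    public Stream<IdentityProviderRepresentation> getIdentityProviders() {
        // canViewIdp() does not depend on the element, so decide once instead of per IdP.
        if (!canViewIdp()) {
            return Stream.empty();
        }
        return this.realm.getIdentityProvidersStream()
                .filter(this::idpInOrg)
                .map(model -> ModelToRepresentation.toRepresentation(this.realm, model))
                // Client secrets must never be returned to the caller, admin or not.
                .map(rep -> (IdentityProviderRepresentation) StripSecretsUtils.stripSecrets(this.session, rep));
    }

    /**
     * Applies this organization's defaults to an IdP representation before it is created or
     * linked.
     *
     * <p>Sync mode and post-broker flow come from the link request when present, otherwise
     * from the realm attributes {@code Orgs.ORG_DEFAULT_SYNC_MODE_KEY} /
     * {@code Orgs.ORG_DEFAULT_POST_BROKER_FLOW_KEY}, otherwise from the built-in defaults.
     * The IdP is always hidden on the login page. Ownership is recorded differently
     * depending on the realm's {@code Orgs.ORG_CONFIG_SHARED_IDPS_KEY} setting: with shared
     * IdPs enabled this organization is added to the existing owners; otherwise the owner
     * set is replaced by this organization alone and the IdP is marked non-shared.
     *
     * @param identityProviderRepresentation representation to mutate in place; a
     *     {@code null} config map is replaced by an empty one
     * @param optional link request carrying explicit overrides, if any
     */
    protected void idpDefaults(IdentityProviderRepresentation identityProviderRepresentation, Optional<LinkIdp> optional) {
        // A JSON body with "config": null would otherwise NPE below; treat it as empty.
        if (identityProviderRepresentation.getConfig() == null) {
            identityProviderRepresentation.setConfig(new HashMap<>());
        }
        Map<String, String> config = identityProviderRepresentation.getConfig();

        // Optional.map yields empty for a null getter result, so null link fields fall
        // through to the realm default and then to the built-in default.
        String syncMode = optional.map(LinkIdp::getSyncMode)
                .orElse(Optional.ofNullable(this.realm.getAttribute(Orgs.ORG_DEFAULT_SYNC_MODE_KEY)).orElse(DEFAULT_SYNC_MODE));
        String postBrokerFlow = optional.map(LinkIdp::getPostBrokerFlow)
                .orElse(Optional.ofNullable(this.realm.getAttribute(Orgs.ORG_DEFAULT_POST_BROKER_FLOW_KEY)).orElse(Orgs.ORG_AUTH_FLOW_ALIAS));
        log.debugf("using syncMode %s, postBrokerFlow %s for idp %s", syncMode, postBrokerFlow, identityProviderRepresentation.getAlias());

        config.put(SYNC_MODE_KEY, syncMode);
        config.put(HIDE_ON_LOGIN_PAGE_KEY, "true");
        identityProviderRepresentation.setPostBrokerLoginFlowAlias(postBrokerFlow);

        if (this.realm.getAttribute(Orgs.ORG_CONFIG_SHARED_IDPS_KEY, false).booleanValue()) {
            IdentityProviders.addMultiOrganization(this.organization, identityProviderRepresentation);
        } else {
            // Non-shared mode: this organization becomes the sole owner, which also detaches
            // the IdP from any organization that previously owned it.
            config.put(Orgs.ORG_SHARED_IDP_KEY, "false");
            IdentityProviders.setAttributeMultivalued(config, Orgs.ORG_OWNER_CONFIG_KEY, Set.of(this.organization.getId()));
        }
    }

    /**
     * If {@code rep} is enabled, walks every IdP currently owned by this organization and
     * disables it and/or removes the organization from its owners, persisting each one.
     *
     * <p>Does nothing when {@code rep} is disabled, so adding a disabled IdP never affects
     * the organization's existing ones.
     *
     * @param rep the IdP being created or linked; only its enabled flag is consulted
     * @param removeOrg whether to drop {@code orgId} from each matching IdP's owners
     * @param disable whether to set each matching IdP disabled
     * @param orgId the organization id to remove when {@code removeOrg} is set
     */
    private void deactivateOtherIdps(IdentityProviderRepresentation rep, boolean removeOrg, boolean disable, String orgId) {
        if (!rep.isEnabled()) {
            return;
        }
        this.realm.getIdentityProvidersStream()
                .filter(this::idpInOrg)
                .forEach(model -> {
                    if (disable) {
                        model.setEnabled(false);
                    }
                    if (removeOrg) {
                        IdentityProviders.removeOrganization(orgId, model);
                    }
                    this.realm.updateIdentityProvider(model);
                });
    }

    /**
     * Builds a 201 response whose Location is this resource's own URI plus the IdP alias,
     * so clients are pointed at the organization-scoped path rather than the delegate's.
     */
    private Response createdResponse(IdentityProviderRepresentation rep) {
        return Response.created(
                        this.session.getContext().getUri().getAbsolutePathBuilder().path(rep.getAlias()).build())
                .build();
    }

    /**
     * Derives a {@link LinkIdp} from a representation so that a plain create request can
     * reuse the same defaulting logic as a link request.
     *
     * <p>Only alias, post-broker flow and (when a config map is present) sync mode are
     * carried over.
     */
    private LinkIdp linkFromRep(IdentityProviderRepresentation rep) {
        LinkIdp link = new LinkIdp();
        link.setAlias(rep.getAlias());
        link.setPostBrokerFlow(rep.getPostBrokerLoginFlowAlias());
        Map<String, String> config = rep.getConfig();
        if (config != null) {
            link.setSyncMode(config.get(SYNC_MODE_KEY));
        }
        return link;
    }

    /**
     * Creates a new identity provider owned by this organization.
     *
     * <p>Unlike {@link #canManageIdp()}, this check does not short-circuit when shared IdPs
     * are disabled: creation always requires an explicit manage permission. If the new IdP
     * is enabled, every IdP already owned by the organization is disabled first.
     *
     * @param identityProviderRepresentation the IdP to create; mutated by
     *     {@link #idpDefaults} before being handed to Keycloak
     * @return a 201 pointing at the organization-scoped IdP path on success, otherwise the
     *     delegate's response unchanged
     * @throws NotAuthorizedException if the caller may not create IdPs for this organization
     */
    @POST
    @Consumes({"application/json"})
    public Response createIdentityProvider(IdentityProviderRepresentation identityProviderRepresentation) {
        if (!orgAuth().hasManageOrgs() && !orgAuth().hasOrgManageIdentityProviders(this.organization)) {
            throw new NotAuthorizedException(
                    String.format("Insufficient permission to create identity providers for %s", this.organization.getId()));
        }
        idpDefaults(identityProviderRepresentation, Optional.of(linkFromRep(identityProviderRepresentation)));
        // Runs before create(): the new IdP is not yet in the realm, so it is presumably
        // excluded from the disable pass. NOTE(review): should create() fail afterwards, the
        // other IdPs remain disabled unless the request transaction is rolled back — confirm.
        deactivateOtherIdps(identityProviderRepresentation, false, true, this.organization.getId());
        Response create = getIdpResource().create(identityProviderRepresentation);
        boolean created = create.getStatus() == Response.Status.CREATED.getStatusCode();
        return created ? createdResponse(identityProviderRepresentation) : create;
    }

    /**
     * Links an existing realm identity provider to this organization.
     *
     * <p>Requires the realm-wide manage-orgs permission. The organization is first removed
     * from every IdP that currently lists it (the linked IdP itself is re-attached by the
     * update below, since its representation carries the owner attribute set by
     * {@link #idpDefaults}), then the IdP is updated with the organization defaults.
     *
     * @param linkIdp alias of the IdP to link plus optional sync-mode / post-broker-flow
     *     overrides
     * @return a 201 pointing at the organization-scoped IdP path
     * @throws NotAuthorizedException if the caller lacks manage-orgs
     * @throws NotFoundException if no IdP with that alias exists in the realm
     * @throws BadRequestException if the IdP is disabled
     * @throws InternalServerErrorException if the model update fails; the cause is retained
     */
    @Produces({"application/json"})
    @POST
    @Path("link")
    @Consumes({"application/json"})
    public Response linkIdp(LinkIdp linkIdp) {
        if (!orgAuth().hasManageOrgs()) {
            throw new NotAuthorizedException(
                    String.format("Insufficient permission to link identity providers for %s", this.organization.getId()));
        }
        IdentityProviderModel existing = this.realm.getIdentityProviderByAlias(linkIdp.getAlias());
        if (existing == null) {
            throw new NotFoundException(String.format("No IdP found with alias %s", linkIdp.getAlias()));
        }
        if (!existing.isEnabled()) {
            throw new BadRequestException(String.format("Cannot link disabled IdP %s", linkIdp.getAlias()));
        }
        IdentityProviderRepresentation representation = ModelToRepresentation.toRepresentation(this.realm, existing);
        idpDefaults(representation, Optional.of(linkIdp));
        // idpDefaults already honours non-null link values; these explicit writes only differ
        // for empty strings, which idpDefaults would apply and this skips. Kept for parity.
        if (!Strings.isNullOrEmpty(linkIdp.getSyncMode())) {
            representation.getConfig().put(SYNC_MODE_KEY, linkIdp.getSyncMode());
        }
        if (!Strings.isNullOrEmpty(linkIdp.getPostBrokerFlow())) {
            representation.setPostBrokerLoginFlowAlias(linkIdp.getPostBrokerFlow());
        }
        deactivateOtherIdps(representation, true, false, this.organization.getId());
        try {
            this.realm.updateIdentityProvider(RepresentationToModel.toModel(this.realm, representation, this.session));
            return createdResponse(representation);
        } catch (Exception e) {
            throw new InternalServerErrorException(String.format("Error updating IdP %s", representation.getAlias()), e);
        }
    }

    /**
     * Imports IdP configuration from a JSON body by delegating to Keycloak's importer.
     *
     * @param map the import request as parsed by JAX-RS
     * @return the resulting IdP config map
     * @throws IOException propagated from the delegate
     */
    @Produces({"application/json"})
    @POST
    @Path("import-config")
    @Consumes({"application/json"})
    public Map<String, String> importConfig(Map<String, Object> map) throws IOException {
        return getIdpResource().importFrom(map);
    }

    /**
     * Imports IdP configuration from a multipart upload by delegating to Keycloak's importer,
     * which reads the form data from the current request.
     *
     * @return the resulting IdP config map
     * @throws IOException propagated from the delegate
     */
    @Produces({"application/json"})
    @POST
    @Path("import-config")
    @Consumes({"multipart/form-data"})
    public Map<String, String> importConfig() throws IOException {
        return getIdpResource().importFrom();
    }

    /** Whether the IdP's owner attribute lists this organization's id. */
    private boolean idpInOrg(IdentityProviderModel model) {
        return IdentityProviders.getAttributeMultivalued(model.getConfig(), Orgs.ORG_OWNER_CONFIG_KEY)
                .contains(this.organization.getId());
    }

    /**
     * Builds Keycloak's admin IdP resource for the current realm and session, with permissions
     * evaluated against this organization rather than the realm as a whole. A fresh instance
     * is created per call.
     */
    private org.keycloak.services.resources.admin.IdentityProvidersResource getIdpResource() {
        return new org.keycloak.services.resources.admin.IdentityProvidersResource(
                this.realm,
                this.session,
                new OrganizationAdminPermissionEvaluator(this.organization, orgAuth(), this.permissions),
                this.adminEvent);
    }

    /** The inherited {@code auth} narrowed to the organization-aware type used here. */
    private OrganizationAdminAuth orgAuth() {
        return (OrganizationAdminAuth) this.auth;
    }

    /**
     * Tests connectivity to an LDAP server using Keycloak's capabilities manager.
     *
     * <p>Any failure is reported with a fixed message so LDAP internals are not echoed to the
     * client; the underlying exception is kept as the cause and logged at debug level for
     * server-side diagnosis.
     *
     * @return 204 on success
     * @throws BadRequestException if the test fails for any reason
     */
    @POST
    @Path("test-ldap-connection")
    @Consumes({"application/json"})
    public Response testLDAPConnection(TestLdapConnectionRepresentation testLdapConnectionRepresentation) {
        try {
            LDAPServerCapabilitiesManager.testLDAP(testLdapConnectionRepresentation, this.session, this.realm);
            return Response.noContent().build();
        } catch (Exception e) {
            log.debug("LDAP connection test failed", e);
            throw new BadRequestException("LDAP test error", e);
        }
    }

    /**
     * Placeholder for creating a component (presumably LDAP user federation) under this
     * organization.
     *
     * <p>Not implemented: the body is ignored and {@code null} is returned, which JAX-RS
     * renders as 204 No Content, so callers get a success status without anything being
     * created. NOTE(review): consider answering 501 until this is implemented.
     */
    @POST
    @Path("ldap")
    @Consumes({"application/json"})
    public Response create(ComponentRepresentation componentRepresentation) {
        return null;
    }

    /**
     * Whether the caller may list this organization's IdPs.
     *
     * <p>When the realm does not enable shared IdPs this is unconditionally true — access is
     * then governed only by whatever checks the enclosing resource performs (not visible
     * here; confirm). Otherwise an org-level view-IdP permission or realm-wide view-orgs is
     * required.
     */
    private boolean canViewIdp() {
        boolean sharedIdps = this.realm.getAttribute(Orgs.ORG_CONFIG_SHARED_IDPS_KEY, false).booleanValue();
        return !sharedIdps
                || orgAuth().hasOrgViewIdentityProviders(this.organization)
                || orgAuth().hasViewOrgs();
    }

    /**
     * Whether the caller may manage this organization's IdPs.
     *
     * <p>Same shape as {@link #canViewIdp()}: unconditionally true when shared IdPs are
     * disabled, otherwise realm-wide manage-orgs or an org-level manage-IdP permission.
     */
    private boolean canManageIdp() {
        boolean sharedIdps = this.realm.getAttribute(Orgs.ORG_CONFIG_SHARED_IDPS_KEY, false).booleanValue();
        return !sharedIdps
                || orgAuth().hasManageOrgs()
                || orgAuth().hasOrgManageIdentityProviders(this.organization);
    }
}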
