package org.keycloak.services.resources.admin;

import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import java.util.Objects;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.eclipse.microprofile.openapi.annotations.Operation;
import org.eclipse.microprofile.openapi.annotations.extensions.Extension;
import org.eclipse.microprofile.openapi.annotations.tags.Tag;
import org.jboss.resteasy.reactive.NoCache;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.RoleContainerModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.services.resources.KeycloakOpenAPI;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
import org.keycloak.services.resources.admin.permissions.RolePermissionEvaluator;
import org.keycloak.utils.MediaType;

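/**
 * Admin REST sub-resource that evaluates which roles of one role container a client may
 * receive in an access token for a given {@code scope} parameter.
 *
 * <p>{@code /granted} lists the roles covered by the client's requested client scopes (or
 * every role of the container when the client has full scope allowed); {@code /not-granted}
 * lists the remaining roles of the same container.
 *
 * <p>NOTE(review): this class performs no access check on the client or the role container
 * itself; presumably the parent resource that constructs it has already authorized the
 * caller. Confirm against the caller before exposing it on a new path.
 */
@Extension(name = KeycloakOpenAPI.Profiles.ADMIN, value = "")
public class ClientScopeEvaluateScopeMappingsResource {
    private final RoleContainerModel roleContainer;
    private final AdminPermissionEvaluator auth;
    private final ClientModel client;
    private final String scopeParam;

    /**
     * @param roleContainerModel       container (realm or client) whose roles are evaluated
     * @param adminPermissionEvaluator permission evaluator for the calling admin
     * @param clientModel              client whose effective scope is evaluated
     * @param str                      value of the {@code scope} parameter to evaluate
     */
    public ClientScopeEvaluateScopeMappingsResource(RoleContainerModel roleContainerModel, AdminPermissionEvaluator adminPermissionEvaluator, ClientModel clientModel, String str) {
        this.roleContainer = roleContainerModel;
        this.auth = adminPermissionEvaluator;
        this.client = clientModel;
        this.scopeParam = str;
    }

    /**
     * Returns brief representations of the roles this client is effectively allowed to have
     * in an access token.
     *
     * @return stream of granted roles of the role container
     */
    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.CLIENTS)
    @Operation(summary = "Get effective scope mapping of all roles of particular role container, which this client is defacto allowed to have in the accessToken issued for him.", description = "This contains scope mappings, which this client has directly, as well as scope mappings, which are granted to all client scopes, which are linked with this client.")
    @Path("/granted")
    @GET
    public Stream<RoleRepresentation> getGrantedScopeMappings() {
        return getGrantedRoles().map(ModelToRepresentation::toBriefRepresentation);
    }

    /**
     * Returns brief representations of every role of the container that is not part of
     * {@link #getGrantedRoles()}.
     *
     * @return stream of roles of the role container that are not granted
     */
    @Produces({MediaType.APPLICATION_JSON})
    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.CLIENTS)
    @Operation(summary = "Get roles, which this client doesn't have scope for and can't have them in the accessToken issued for him.", description = "Defacto all the other roles of particular role container, which are not in {@link #getGrantedScopeMappings()}")
    @Path("/not-granted")
    @GET
    public Stream<RoleRepresentation> getNotGrantedScopeMappings() {
        Set<RoleModel> grantedRoles = getGrantedRoles().collect(Collectors.toSet());
        // The decompiled source tested membership against an undefined name; the set of
        // granted roles collected above is the intended receiver.
        Predicate<RoleModel> isGranted = grantedRoles::contains;

        // NOTE(review): the container's roles are streamed here without a canView filter.
        // In the restricted branch of getGrantedRoles() a role the caller cannot view is
        // dropped from the granted set, so it is reported by this endpoint instead.
        // Confirm whether per-role view permission should also be applied here.
        return this.roleContainer.getRolesStream()
                .filter(isGranted.negate())
                .map(ModelToRepresentation::toBriefRepresentation);
    }

    /**
     * Computes the roles of the container that the client is granted.
     *
     * <p>With full scope allowed, every role of the container is returned. Otherwise a role
     * is returned only if the calling admin may view it and at least one of the client scopes
     * resolved from {@code scopeParam} has scope for it.
     */
    private Stream<RoleModel> getGrantedRoles() {
        if (this.client.isFullScopeAllowed()) {
            // NOTE(review): unlike the branch below, this path applies no per-role canView
            // filter; verify that this difference is intentional.
            return this.roleContainer.getRolesStream();
        }

        // Collected once so the scopes are not re-resolved for every role tested.
        Set<ClientScopeModel> requestedScopes = TokenManager.getRequestedClientScopes(this.scopeParam, this.client)
                .collect(Collectors.toSet());
        Predicate<RoleModel> coveredByRequestedScope =
                role -> requestedScopes.stream().anyMatch(scope -> scope.hasScope(role));

        return this.roleContainer.getRolesStream()
                .filter(this.auth.roles()::canView)
                .filter(coveredByRequestedScope);
    }
}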
