package org.keycloak.protocol.oidc.installation;

import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.io.IOException;
import java.net.URI;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import org.keycloak.Config;
import org.keycloak.authentication.ClientAuthenticator;
import org.keycloak.authorization.admin.AuthorizationService;
import org.keycloak.common.Profile;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.protocol.ClientInstallationProvider;
import org.keycloak.protocol.oidc.mappers.AudienceProtocolMapper;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
import org.keycloak.services.managers.ClientManager;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/protocol/oidc/installation/KeycloakOIDCClientInstallation.class */
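/**
 * Generates the {@code keycloak.json} adapter configuration for an OpenID Connect client.
 *
 * <p>The instance hands itself out from its session factory method (which returns
 * {@code this}); {@link #init}, {@link #postInit} and {@link #close} are no-ops.
 *
 * <p>Security note: for non-public clients the generated document embeds whatever the client
 * authenticator factory returns from {@code getAdapterConfiguration} under
 * {@code credentials}. NOTE(review): for secret-based authenticators this presumably includes
 * the client secret, so the response should be treated as secret-bearing (authorization on the
 * serving endpoint, no logging of the body) -- confirm against the authenticator in use.
 */
public class KeycloakOIDCClientInstallation implements ClientInstallationProvider {

    /** Name of the single client role for which {@code use-resource-role-mappings} is cleared. */
    private static final String UMA_PROTECTION_ROLE = "uma_protection";

    /** Audience mapper config key holding the client id added to the token audience. */
    private static final String INCLUDED_CLIENT_AUDIENCE = "included.client.audience";

    /**
     * Builds the adapter configuration for {@code clientModel} and returns it as pretty-printed
     * JSON text.
     *
     * <p>The body is sent as {@code text/plain} even though {@link #getMediaType()} advertises
     * JSON; that mismatch is kept as found. NOTE(review): presumably intentional for in-browser
     * display -- confirm with the caller.
     *
     * @param keycloakSession session used to look up the client authenticator and authorization state
     * @param realmModel realm supplying the realm name and the SSL requirement
     * @param clientModel client the configuration is generated for
     * @param uri base URI written as the auth server URL
     * @return a 200 response whose entity is the serialized configuration
     * @throws RuntimeException wrapping the {@link IOException} if serialization fails
     */
    public Response generateInstallation(KeycloakSession keycloakSession, RealmModel realmModel, ClientModel clientModel, URI uri) {
        ClientManager.InstallationAdapterConfig adapterConfig = new ClientManager.InstallationAdapterConfig();
        adapterConfig.setAuthServerUrl(uri.toString());
        adapterConfig.setRealm(realmModel.getName());
        // Locale.ROOT keeps this security-relevant setting independent of the JVM default locale.
        adapterConfig.setSslRequired(realmModel.getSslRequired().name().toLowerCase(Locale.ROOT));

        // bearer-only takes precedence; public-client is only emitted for non-bearer-only clients.
        if (clientModel.isBearerOnly()) {
            adapterConfig.setBearerOnly(true);
        } else if (clientModel.isPublicClient()) {
            adapterConfig.setPublicClient(true);
        }

        if (hasRoles(clientModel)) {
            adapterConfig.setUseResourceRoleMappings(true);
        }
        adapterConfig.setResource(clientModel.getClientId());

        if (showClientCredentialsAdapterConfig(clientModel)) {
            // Sensitive: authenticator-specific credential material ends up in the response body.
            adapterConfig.setCredentials(getClientCredentialsAdapterConfig(keycloakSession, clientModel));
        }
        if (showVerifyTokenAudience(clientModel)) {
            adapterConfig.setVerifyTokenAudience(true);
        }
        configureAuthorizationSettings(keycloakSession, clientModel, adapterConfig);

        try {
            String json = JsonSerialization.writeValueAsPrettyString(adapterConfig);
            return Response.ok(json, MediaType.TEXT_PLAIN_TYPE).build();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Asks the client's configured authenticator factory for its adapter-side configuration.
     *
     * @param keycloakSession session giving access to the provider factories
     * @param clientModel client whose authenticator type selects the factory
     * @return the map returned by the factory's {@code getAdapterConfiguration}; its keys and
     *     values are authenticator-specific and should be handled as credential material
     */
    public static Map<String, Object> getClientCredentialsAdapterConfig(KeycloakSession keycloakSession, ClientModel clientModel) {
        return keycloakSession.getKeycloakSessionFactory()
                .getProviderFactory(ClientAuthenticator.class, clientModel.getClientAuthenticatorType())
                .getAdapterConfiguration(clientModel);
    }

    /**
     * Decides whether credentials belong in the generated configuration.
     *
     * @param clientModel client to inspect
     * @return {@code false} for public clients; otherwise {@code true} unless the client is
     *     bearer-only with service accounts disabled and a node re-registration timeout of zero
     *     or less
     */
    public static boolean showClientCredentialsAdapterConfig(ClientModel clientModel) {
        if (clientModel.isPublicClient()) {
            return false;
        }
        if (!clientModel.isBearerOnly()) {
            return true;
        }
        return clientModel.isServiceAccountsEnabled() || clientModel.getNodeReRegistrationTimeout() > 0;
    }

    /**
     * Decides whether {@code verify-token-audience} is switched on in the generated configuration.
     *
     * <p>When this returns {@code false} the setting is left out of the document rather than
     * written as {@code false}. NOTE(review): the adapter default then applies; confirm that
     * services which must reject tokens issued for other audiences end up with the check enabled.
     *
     * <p>The decompiler reports that the original source declared this method package-private.
     *
     * @param clientModel client to inspect
     * @return {@code true} if the client has at least one role, or if any client scope of its
     *     realm has an audience protocol mapper whose included client audience is this client id
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean showVerifyTokenAudience(ClientModel clientModel) {
        if (hasRoles(clientModel)) {
            return true;
        }
        String clientId = clientModel.getClientId();
        return clientModel.getRealm().getClientScopesStream().anyMatch(scope ->
                scope.getProtocolMappersStream().anyMatch(mapper ->
                        Objects.equals(mapper.getProtocolMapper(), AudienceProtocolMapper.PROVIDER_ID)
                                && Objects.equals(clientId, mapper.getConfig().get(INCLUDED_CLIENT_AUDIENCE))));
    }

    /** @return the protocol identifier this installation format belongs to */
    public String getProtocol() {
        return "openid-connect";
    }

    /** @return the human-readable name of this installation format */
    public String getDisplayType() {
        return "Keycloak OIDC JSON";
    }

    /** @return the help text describing how the generated file is used */
    public String getHelpText() {
        return "keycloak.json file used by the Keycloak OIDC client adapter to configure clients.  This must be saved to a keycloak.json file and put in your WEB-INF directory of your WAR file.  You may also want to tweak this file after you download it.";
    }

    /** No resources are held, so there is nothing to release. */
    public void close() {
    }

    /**
     * Returns this instance as the provider for the given session.
     *
     * <p>The {@code m437create} name is a decompiler artifact: per the JADX note the method was
     * originally called {@code create} and was renamed when merged with its bridge method.
     *
     * @param keycloakSession unused
     * @return {@code this}
     */
    /* renamed from: create, reason: merged with bridge method [inline-methods] */
    public ClientInstallationProvider m437create(KeycloakSession keycloakSession) {
        return this;
    }

    /** No configuration is read. */
    public void init(Config.Scope scope) {
    }

    /** No post-initialization work is needed. */
    public void postInit(KeycloakSessionFactory keycloakSessionFactory) {
    }

    /** @return the provider id of this installation format */
    public String getId() {
        return "keycloak-oidc-keycloak-json";
    }

    /** @return {@code false}; the format is not flagged as download-only */
    public boolean isDownloadOnly() {
        return false;
    }

    /** @return the file name suggested for the generated configuration */
    public String getFilename() {
        return "keycloak.json";
    }

    /** @return the JSON media type constant advertised for this format */
    public String getMediaType() {
        return org.keycloak.utils.MediaType.APPLICATION_JSON;
    }

    /**
     * Adds a policy-enforcer section when the authorization feature is enabled and authorization
     * services are enabled for the client.
     *
     * <p>The enforcer's enforcement mode and lazy-load-paths are explicitly set to {@code null}.
     * If the client's only role is {@code uma_protection}, {@code use-resource-role-mappings} is
     * reset to {@code null} as well.
     */
    private void configureAuthorizationSettings(KeycloakSession keycloakSession, ClientModel clientModel, ClientManager.InstallationAdapterConfig installationAdapterConfig) {
        if (!Profile.isFeatureEnabled(Profile.Feature.AUTHORIZATION)) {
            return;
        }
        if (!new AuthorizationService(keycloakSession, clientModel, null, null).isEnabled()) {
            return;
        }

        PolicyEnforcerConfig enforcerConfig = new PolicyEnforcerConfig();
        enforcerConfig.setEnforcementMode((PolicyEnforcerConfig.EnforcementMode) null);
        enforcerConfig.setLazyLoadPaths((Boolean) null);
        installationAdapterConfig.setEnforcerConfig(enforcerConfig);

        RoleModel soleRole = hasOnlyOne(clientModel.getRolesStream().iterator());
        // Constant-first comparison so a role without a name cannot raise a NullPointerException.
        if (soleRole != null && UMA_PROTECTION_ROLE.equals(soleRole.getName())) {
            installationAdapterConfig.setUseResourceRoleMappings(null);
        }
    }

    /** Reports whether the client defines any role, stopping at the first one found. */
    private static boolean hasRoles(ClientModel clientModel) {
        return clientModel.getRolesStream().findAny().isPresent();
    }

    /**
     * Returns the iterator's element when it yields exactly one.
     *
     * @param it iterator to consume (at most two elements are examined)
     * @return the single element, or {@code null} when there are none or more than one
     */
    private RoleModel hasOnlyOne(Iterator<RoleModel> it) {
        if (!it.hasNext()) {
            return null;
        }
        RoleModel only = it.next();
        return it.hasNext() ? null : only;
    }
}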
