package net.cst.keycloak.resources;

import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotAuthorizedException;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.HttpHeaders;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import jodd.bean.BeanCopy;
import jodd.net.MimeTypes;
import lombok.Generated;
import net.cst.keycloak.audit.model.AuditedClientRepresentation;
import net.cst.keycloak.audit.model.AuditedUserRepresentation;
import net.cst.keycloak.audit.model.ConfigConstants;
import net.cst.keycloak.audit.model.Constants;
import net.cst.keycloak.utils.ConfigHelper;
import org.keycloak.authorization.util.Tokens;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.RealmManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/cst/keycloak/resources/AuditEndpoint.class */
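/**
 * REST resource that returns last-login audit data for users and clients.
 *
 * <p>Two GET sub-paths are exposed, {@code users} and {@code clients}. Both run
 * {@link #checkAccessRights(HttpHeaders)} before reading any data, and both derive the
 * caller's realm from the last path segment of the bearer token's issuer.
 *
 * <p>Access is controlled by four configuration values read once in the constructor:
 * <ul>
 *   <li>{@code DISABLE_EXTERNAL_ACCESS}: reject requests that carry an
 *       {@code x-forwarded-host} header.</li>
 *   <li>{@code DISABLE_ROLE_CHECK}: skip the realm-role check, so any caller with a
 *       bearer token that resolved to an access token is accepted.</li>
 *   <li>{@code GLOBAL_MASTER_ACCESS}: return data from every realm instead of only the
 *       token's realm.</li>
 *   <li>{@code DEFAULT_ROLE}: the realm role required when the role check is enabled.</li>
 * </ul>
 */
public class AuditEndpoint {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(AuditEndpoint.class);

    /** Request header whose presence marks a request as external. */
    private static final String FORWARDED_HOST_HEADER = "x-forwarded-host";

    private final boolean disableExternalAccess;
    // When true, checkAccessRights() does not look at the token's roles at all.
    private final boolean disableRoleCheck;
    // NOTE(review): the name suggests cross-realm listing is meant for callers from the
    // master realm, but nothing in this class checks which realm issued the token before
    // iterating over all realms. Confirm the intended scope before enabling this toggle.
    private final boolean globalMasterAccess;
    private final String roleName;
    private final KeycloakSession keycloakSession;
    // Null when no access token could be resolved; checkAccessRights() answers 401 then.
    private final AccessToken auth;

    /**
     * Resolves the caller's access token from the session and loads the access-control
     * configuration.
     *
     * @param keycloakSession session of the current request
     */
    public AuditEndpoint(KeycloakSession keycloakSession) {
        this.keycloakSession = keycloakSession;
        this.auth = Tokens.getAccessToken(this.keycloakSession);
        // NOTE(review): authenticate() is public and overridable, and its result is
        // discarded here; the access decision is made from this.auth in checkAccessRights().
        authenticate();
        this.disableExternalAccess = ConfigHelper.getConfigToggle(ConfigConstants.DISABLE_EXTERNAL_ACCESS);
        this.disableRoleCheck = ConfigHelper.getConfigToggle(ConfigConstants.DISABLE_ROLE_CHECK);
        this.globalMasterAccess = ConfigHelper.getConfigToggle(ConfigConstants.GLOBAL_MASTER_ACCESS);
        this.roleName = ConfigHelper.getConfigValue(ConfigConstants.DEFAULT_ROLE);
    }

    /**
     * Builds the audit view of a user: the brief Keycloak representation plus the realm
     * name, the last-login attribute and one last-login entry per client.
     *
     * <p>Per-client entries are read from attributes whose key is the last-login key
     * followed by {@code _} and the client identifier.
     *
     * @param userModel user to convert
     * @param str name of the realm the user belongs to
     * @return the populated representation; last login and client logins are {@code null}
     *     when the user has no last-login attribute
     */
    public static AuditedUserRepresentation toBriefRepresentation(UserModel userModel, String str) {
        AuditedUserRepresentation representation = new AuditedUserRepresentation();
        BeanCopy.from(ModelToRepresentation.toBriefRepresentation(userModel)).to(representation).copy();
        representation.setRealm(str);
        String lastLoginKey = Constants.USER_EVENT_PREFIX.value() + "_" + Constants.LAST_LOGIN_INFIX.value();
        // Read the attribute map once instead of once per lookup.
        Map<String, List<String>> attributes = userModel.getAttributes();
        List<String> lastLoginValues = attributes == null ? null : attributes.get(lastLoginKey);
        // An attribute that is present but holds no value is treated like a missing one;
        // indexing it unconditionally would fail the whole listing.
        if (lastLoginValues == null || lastLoginValues.isEmpty()) {
            representation.setLastLogin(null);
            representation.setClientLogins(null);
            return representation;
        }
        representation.setLastLogin(lastLoginValues.get(0));
        String clientKeyPrefix = lastLoginKey + "_";
        int clientCount = 0;
        for (Map.Entry<String, List<String>> entry : attributes.entrySet()) {
            String key = entry.getKey();
            if (!key.startsWith(clientKeyPrefix)) {
                continue;
            }
            clientCount++;
            // Strip the prefix by length rather than with String.split(): split() treats
            // the prefix as a regular expression, truncates client identifiers that
            // contain the prefix again, and yields no element for an empty identifier.
            String clientId = key.substring(clientKeyPrefix.length());
            List<String> values = entry.getValue();
            if (clientId.isEmpty() || values == null || values.isEmpty()) {
                continue;
            }
            // assumes getClientLogins() returns a non-null mutable map; TODO confirm in
            // AuditedUserRepresentation.
            representation.getClientLogins().put(clientId, values.get(0));
        }
        log.debug("Got {} clients for user {}", clientCount, userModel.getId());
        return representation;
    }

    /**
     * Builds the audit view of a client: the full Keycloak representation plus the realm
     * name and the last-login attribute.
     *
     * @param clientModel client to convert
     * @param str name of the realm the client belongs to
     * @param keycloakSession session used to build the base representation
     * @return the populated representation; last login is {@code null} when the client
     *     has no last-login attribute
     */
    public static AuditedClientRepresentation toBriefRepresentation(ClientModel clientModel, String str, KeycloakSession keycloakSession) {
        AuditedClientRepresentation representation = new AuditedClientRepresentation();
        BeanCopy.from(ModelToRepresentation.toRepresentation(clientModel, keycloakSession)).to(representation).copy();
        representation.setRealm(str);
        // Clients use the same attribute key as users for the last login.
        String lastLoginKey = Constants.USER_EVENT_PREFIX.value() + "_" + Constants.LAST_LOGIN_INFIX.value();
        Map<String, String> attributes = clientModel.getAttributes();
        representation.setLastLogin(attributes == null ? null : attributes.get(lastLoginKey));
        return representation;
    }

    /** Runs Keycloak's bearer-token authentication for the current session. */
    public void authenticate() {
        new AppAuthManager.BearerTokenAuthenticator(this.keycloakSession).authenticate();
    }

    /**
     * Lists audit data for the users of the caller's realm, or of every realm when global
     * master access is enabled.
     *
     * @param httpHeaders headers of the current request, used for the access check
     * @return one representation per user
     * @throws ForbiddenException if the caller is not allowed or the token's realm is unknown
     * @throws NotAuthorizedException if no access token is present
     */
    @Produces({MimeTypes.MIME_APPLICATION_JSON})
    @Path("users")
    @GET
    public List<AuditedUserRepresentation> listUsers(@Context HttpHeaders httpHeaders) {
        checkAccessRights(httpHeaders);
        String tokenRealm = tokenRealmName();
        RealmManager realmManager = new RealmManager(this.keycloakSession);
        List<AuditedUserRepresentation> result = new ArrayList<>();
        if (this.globalMasterAccess) {
            realmManager.getSession().realms().getRealmsStream().forEach(realmModel -> {
                for (UserModel userModel : readUsers(realmModel)) {
                    result.add(toBriefRepresentation(userModel, realmModel.getName()));
                }
            });
            log.debug("Adding user info for all realms");
        } else {
            for (UserModel userModel : readUsers(requireRealm(realmManager, tokenRealm))) {
                result.add(toBriefRepresentation(userModel, tokenRealm));
            }
            log.debug("Adding user info in realm {}", tokenRealm);
        }
        return result;
    }

    /**
     * Loads every user of a realm with a wildcard search.
     *
     * <p>The result is not paged: the whole realm is materialised in memory and returned
     * in one response.
     */
    private List<UserModel> readUsers(RealmModel realmModel) {
        log.debug("Checking for users in realm {}", realmModel.getName());
        List<UserModel> users = this.keycloakSession.users().searchForUserStream(realmModel, Map.of("keycloak.session.realm.users.query.search", "*")).toList();
        log.debug("Got {} users", users.size());
        return users;
    }

    /**
     * Lists audit data for the clients of the caller's realm, or of every realm when
     * global master access is enabled.
     *
     * @param httpHeaders headers of the current request, used for the access check
     * @return one representation per client
     * @throws ForbiddenException if the caller is not allowed or the token's realm is unknown
     * @throws NotAuthorizedException if no access token is present
     */
    @Produces({MimeTypes.MIME_APPLICATION_JSON})
    @Path("clients")
    @GET
    public List<AuditedClientRepresentation> listClients(@Context HttpHeaders httpHeaders) {
        checkAccessRights(httpHeaders);
        String tokenRealm = tokenRealmName();
        RealmManager realmManager = new RealmManager(this.keycloakSession);
        List<AuditedClientRepresentation> result = new ArrayList<>();
        if (this.globalMasterAccess) {
            realmManager.getSession().realms().getRealmsStream().forEach(realmModel -> {
                for (ClientModel clientModel : readClients(realmModel)) {
                    // Label each client with the realm it was read from, as listUsers()
                    // does; the caller's realm would mislabel clients of other realms.
                    result.add(toBriefRepresentation(clientModel, realmModel.getName(), this.keycloakSession));
                }
            });
            log.debug("Adding client info for all realms");
        } else {
            for (ClientModel clientModel : readClients(requireRealm(realmManager, tokenRealm))) {
                result.add(toBriefRepresentation(clientModel, tokenRealm, this.keycloakSession));
            }
            log.debug("Adding client info in realm {}", tokenRealm);
        }
        return result;
    }

    /** Loads every client of a realm; the result is not paged. */
    private List<ClientModel> readClients(RealmModel realmModel) {
        log.debug("Checking for clients in realm {}", realmModel.getName());
        List<ClientModel> clients = this.keycloakSession.clients().getClientsStream(realmModel).toList();
        log.debug("Got {} clients", clients.size());
        return clients;
    }

    /** Returns the realm name, taken as the text after the last {@code /} of the token issuer. */
    private String tokenRealmName() {
        String issuer = this.auth.getIssuer();
        return issuer.substring(issuer.lastIndexOf('/') + 1);
    }

    /**
     * Looks up a realm by name and rejects the request when it does not exist, instead of
     * letting a {@code null} realm fail later with a server error.
     */
    private RealmModel requireRealm(RealmManager realmManager, String realmName) {
        RealmModel realmModel = realmManager.getRealmByName(realmName);
        if (realmModel == null) {
            log.error("Realm {} from token issuer not found", realmName);
            throw new ForbiddenException("Don't have realm access");
        }
        return realmModel;
    }

    /**
     * Enforces the access rules for both listing endpoints.
     *
     * <p>Checks run in this order: external-access block, presence of an access token,
     * then the realm role (unless the role check is disabled).
     *
     * @param httpHeaders headers of the current request
     * @throws ForbiddenException if external access is blocked or the role is missing
     * @throws NotAuthorizedException if no access token is present
     */
    protected void checkAccessRights(HttpHeaders httpHeaders) {
        if (this.disableExternalAccess) {
            // getRequestHeader() is specified to return null for an absent header, so
            // guard before calling isEmpty().
            List<String> forwardedHost = httpHeaders.getRequestHeader(FORWARDED_HOST_HEADER);
            // This check only distinguishes external traffic if every external request
            // passes a reverse proxy that sets the header. A request that reaches the
            // server without it is treated as internal, so direct access to the server
            // should also be restricted at the network level.
            if (forwardedHost != null && !forwardedHost.isEmpty()) {
                log.error("No external access allowed");
                throw new ForbiddenException();
            }
        }
        if (this.auth == null) {
            log.error("Empty authentication details");
            throw new NotAuthorizedException("Bearer", new Object[0]);
        }
        // With disableRoleCheck set, any caller whose token was accepted passes.
        if (this.disableRoleCheck || (this.auth.getRealmAccess() != null && this.auth.getRealmAccess().isUserInRole(this.roleName))) {
            log.debug("Got user with id {}", this.auth.getId());
        } else {
            // NOTE(review): this passes the whole token object to the logger; confirm its
            // toString() does not write token claims to the log.
            log.error("No access to realm with auth {}", this.auth);
            throw new ForbiddenException("Don't have realm access");
        }
    }

    /** Returns the session this endpoint was created for. */
    @Generated
    protected KeycloakSession getKeycloakSession() {
        return this.keycloakSession;
    }
}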
