package de.governikus.autent.eudiwallet.keycloak.provider.listener;

import de.governikus.autent.eudiwallet.keycloak.constants.UtilityMethods;
import de.governikus.autent.eudiwallet.keycloak.database.AuthenticationFlowRepository;
import de.governikus.autent.eudiwallet.keycloak.provider.granttypes.PreAuthCodeFlowGrantTypeFactory;
import jakarta.persistence.EntityManager;
import java.util.function.Consumer;
import java.util.stream.Stream;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticationFlowModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.jpa.RealmAdapter;
import org.keycloak.models.jpa.entities.RealmEntity;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.PostMigrationEvent;

/* loaded from: input_file:de/governikus/autent/eudiwallet/keycloak/provider/listener/KeycloakEventListener.class */
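/**
 * Provisions the wallet-specific authentication flows and the {@code push-credential} realm role.
 *
 * <p>Provisioning happens at two points: when a realm is created
 * ({@link RealmModel.RealmPostCreateEvent}) and after Keycloak's migration step
 * ({@link PostMigrationEvent}), where every realm that still lacks a flow or the role is
 * brought up to date. Both paths are written to be idempotent per artefact, so running them
 * repeatedly must not produce a second flow with the same alias.
 */
public class KeycloakEventListener {

    /** Alias of the top-level flow created for the seed-credential grant type. */
    private static final String SEED_CREDENTIAL_FLOW_ALIAS = "credential-authentication-flow";

    /** Alias of the top-level flow created for the pre-authorized-code grant type. */
    private static final String PRE_AUTH_CODE_FLOW_ALIAS = "pre-auth-code-flow";

    /**
     * Authenticator id placed as the single REQUIRED execution in both flows.
     *
     * <p>NOTE(review): the pre-auth-code flow uses the same authenticator id as the
     * seed-credential flow. Confirm this is intended and not a copy-paste leftover, because it
     * decides which authenticator actually gates the pre-authorized-code grant.
     */
    private static final String CREDENTIAL_AUTHENTICATOR_ID = "credential-authentication-flow";

    /** Provider id used for both flows. */
    private static final String BASIC_FLOW_PROVIDER_ID = "basic-flow";

    /** Grant type named in the seed-credential flow description. */
    private static final String SEED_CREDENTIAL_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:seed_credential";

    /** Realm role that, per its description, guards the push-credentials endpoint. */
    private static final String PUSH_CREDENTIAL_ROLE = "push-credential";

    /** Selects every realm that has no authentication flow with the alias bound to {@code :alias}. */
    private static final String REALMS_WITHOUT_FLOW_QUERY =
        "select R from RealmEntity R\n"
        + "where R.id not in (select R2.id from RealmEntity R2\n"
        + "                   inner join AuthenticationFlowEntity AF on R2.id = AF.realm.id\n"
        + "                   where AF.alias = :alias)\n";

    /** Selects every realm that has no role with the name bound to {@code :roleName}. */
    private static final String REALMS_WITHOUT_ROLE_QUERY =
        "select R from RealmEntity R\n"
        + "where R.id not in (select R2.id from RealmEntity R2\n"
        + "                   inner join RoleEntity ROLE on R2.id = ROLE.realmId\n"
        + "                   where ROLE.name = :roleName)\n";

    /**
     * Registers a provider-event listener on the given factory.
     *
     * <p>On {@link RealmModel.RealmPostCreateEvent} the new realm is provisioned directly. On
     * {@link PostMigrationEvent} all realms missing a flow or the role are provisioned inside a
     * job started with {@link KeycloakModelUtils#runJobInTransaction}. Other events are ignored.
     *
     * @param keycloakSessionFactory factory to register the listener on; also used to run the
     *        post-migration job
     */
    public static void registerEventListener(KeycloakSessionFactory keycloakSessionFactory) {
        keycloakSessionFactory.register(providerEvent -> {
            if (providerEvent instanceof RealmModel.RealmPostCreateEvent) {
                provisionCreatedRealm((RealmModel.RealmPostCreateEvent) providerEvent);
            } else if (providerEvent instanceof PostMigrationEvent) {
                KeycloakModelUtils.runJobInTransaction(keycloakSessionFactory, keycloakSession -> {
                    createSeedCredentialAuthenticationFlow(keycloakSession);
                    createPreAuthCodeAuthenticationFlow(keycloakSession);
                    createCustomRealmRoles(keycloakSession);
                });
            }
        });
    }

    /**
     * Provisions flows and role for a realm that has just been created.
     *
     * <p>Each flow alias is checked on its own. Previously only the seed-credential alias was
     * checked and both flows were created together, which could add a second
     * {@code pre-auth-code-flow} to a realm that already had one, or leave that flow missing
     * when only the seed-credential flow was present. The post-migration path already checks
     * each alias separately, so this keeps both paths consistent.
     */
    private static void provisionCreatedRealm(RealmModel.RealmPostCreateEvent realmPostCreateEvent) {
        EntityManager entityManager = UtilityMethods.getEntityManager(realmPostCreateEvent.getKeycloakSession());
        RealmModel createdRealm = realmPostCreateEvent.getCreatedRealm();
        if (!flowExists(entityManager, createdRealm, SEED_CREDENTIAL_FLOW_ALIAS)) {
            createSeedCredentialAuthenticationFlow(createdRealm);
        }
        if (!flowExists(entityManager, createdRealm, PRE_AUTH_CODE_FLOW_ALIAS)) {
            createPreAuthCodeAuthenticationFlow(createdRealm);
        }
        createCustomRealmRoles(createdRealm);
    }

    /** Returns whether the realm already has an authentication flow with the given alias. */
    private static boolean flowExists(EntityManager entityManager, RealmModel realmModel, String alias) {
        return AuthenticationFlowRepository.getAuthFlowByAlias(entityManager, realmModel, alias).isPresent();
    }

    /**
     * Runs {@code action} for every realm returned by a single-parameter JPQL query.
     *
     * <p>The result stream is closed after use, since the persistence provider may keep
     * query resources open behind it until then.
     */
    private static void forEachRealm(KeycloakSession keycloakSession,
                                     String jpql,
                                     String parameterName,
                                     String parameterValue,
                                     Consumer<RealmModel> action) {
        EntityManager entityManager = UtilityMethods.getEntityManager(keycloakSession);
        try (Stream<RealmEntity> realms = entityManager.createQuery(jpql, RealmEntity.class)
                                                       .setParameter(parameterName, parameterValue)
                                                       .getResultStream()) {
            realms.map(realmEntity -> new RealmAdapter(keycloakSession, entityManager, realmEntity))
                  .forEach(action);
        }
    }

    /**
     * Adds the {@code push-credential} role to every realm that does not have it yet.
     *
     * <p>NOTE(review): the query is not restricted to particular realms, so any realm in the
     * database lacking the role receives it. Confirm that this is the intended scope.
     */
    private static void createCustomRealmRoles(KeycloakSession keycloakSession) {
        forEachRealm(keycloakSession,
                     REALMS_WITHOUT_ROLE_QUERY,
                     "roleName",
                     PUSH_CREDENTIAL_ROLE,
                     realm -> createCustomRealmRoles(realm));
    }

    /** Adds the pre-auth-code flow to every realm that has no flow with that alias. */
    private static void createPreAuthCodeAuthenticationFlow(KeycloakSession keycloakSession) {
        forEachRealm(keycloakSession,
                     REALMS_WITHOUT_FLOW_QUERY,
                     "alias",
                     PRE_AUTH_CODE_FLOW_ALIAS,
                     realm -> createPreAuthCodeAuthenticationFlow(realm));
    }

    /**
     * Adds the pre-auth-code flow to the given realm.
     *
     * <p>Does not check for an existing flow with the same alias; callers do that first.
     */
    private static void createPreAuthCodeAuthenticationFlow(RealmModel realmModel) {
        String description = String.format(
            "Elster-User-authentication flow that is used for the grant_type '%s' during credential issuance.",
            PreAuthCodeFlowGrantTypeFactory.PROVIDER_ID);
        addSingleAuthenticatorFlow(realmModel, PRE_AUTH_CODE_FLOW_ALIAS, description);
    }

    /** Adds the seed-credential flow to every realm that has no flow with that alias. */
    private static void createSeedCredentialAuthenticationFlow(KeycloakSession keycloakSession) {
        forEachRealm(keycloakSession,
                     REALMS_WITHOUT_FLOW_QUERY,
                     "alias",
                     SEED_CREDENTIAL_FLOW_ALIAS,
                     realm -> createSeedCredentialAuthenticationFlow(realm));
    }

    /**
     * Adds the seed-credential flow to the given realm.
     *
     * <p>Does not check for an existing flow with the same alias; callers do that first.
     */
    private static void createSeedCredentialAuthenticationFlow(RealmModel realmModel) {
        String description = String.format(
            "User-authentication flow for the grant_type '%s' when authenticating with wallet-credential.",
            SEED_CREDENTIAL_GRANT_TYPE);
        addSingleAuthenticatorFlow(realmModel, SEED_CREDENTIAL_FLOW_ALIAS, description);
    }

    /**
     * Adds a non-built-in, top-level flow with one REQUIRED execution of
     * {@link #CREDENTIAL_AUTHENTICATOR_ID} at priority 0.
     */
    private static void addSingleAuthenticatorFlow(RealmModel realmModel, String alias, String description) {
        AuthenticationFlowModel flow = new AuthenticationFlowModel();
        flow.setAlias(alias);
        flow.setDescription(description);
        flow.setBuiltIn(false);
        flow.setTopLevel(true);
        flow.setProviderId(BASIC_FLOW_PROVIDER_ID);
        // The id needed for the execution's parent reference is taken from the returned model.
        AuthenticationFlowModel storedFlow = realmModel.addAuthenticationFlow(flow);

        AuthenticationExecutionModel execution = new AuthenticationExecutionModel();
        execution.setParentFlow(storedFlow.getId());
        execution.setAuthenticator(CREDENTIAL_AUTHENTICATOR_ID);
        execution.setAuthenticatorFlow(false);
        execution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED);
        execution.setPriority(0);
        realmModel.addAuthenticatorExecution(execution);
    }

    /** Adds the {@code push-credential} role to the realm unless a role of that name exists. */
    private static void createCustomRealmRoles(RealmModel realmModel) {
        if (realmModel.getRole(PUSH_CREDENTIAL_ROLE) == null) {
            realmModel.addRole(PUSH_CREDENTIAL_ROLE)
                      .setDescription("Role required by a service account client in order to access the push-credentials endpoint");
        }
    }
}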
