package org.keycloak.services.resources.admin;

import jakarta.ws.rs.GET;
import jakarta.ws.rs.Produces;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.List;
import java.util.stream.Collectors;
import org.eclipse.microprofile.openapi.annotations.Operation;
import org.eclipse.microprofile.openapi.annotations.extensions.Extension;
import org.eclipse.microprofile.openapi.annotations.tags.Tag;
import org.jboss.resteasy.reactive.NoCache;
import org.keycloak.common.util.Base64;
import org.keycloak.common.util.PemUtils;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.representations.idm.KeysMetadataRepresentation;
import org.keycloak.services.resources.KeycloakOpenAPI;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
import org.keycloak.utils.MediaType;

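/**
 * Admin REST resource that reports metadata about the keys of a single realm.
 *
 * <p>The response is built from {@link KeyWrapper} instances but carries only
 * public material: key id, provider id and priority, status, type, algorithm,
 * use, the encoded public key and the encoded certificate. A {@code KeyWrapper}
 * can also hold private or secret key material; nothing of that kind is copied
 * into the representation, and any field added to the mapping later has to be
 * checked against that rule.
 */
@Extension(name = KeycloakOpenAPI.Profiles.ADMIN, value = "")
/* loaded from: input_file:org/keycloak/services/resources/admin/KeyResource.class */
public class KeyResource {
    private final RealmModel realm;
    private final KeycloakSession session;
    private final AdminPermissionEvaluator auth;

    /**
     * Creates the resource for one realm.
     *
     * @param realmModel realm whose keys are reported
     * @param keycloakSession session used to look the keys up
     * @param adminPermissionEvaluator evaluator used to authorize the caller
     */
    public KeyResource(RealmModel realmModel, KeycloakSession keycloakSession, AdminPermissionEvaluator adminPermissionEvaluator) {
        this.realm = realmModel;
        this.session = keycloakSession;
        this.auth = adminPermissionEvaluator;
    }

    /**
     * Returns metadata for every key of the realm, plus a map from algorithm to
     * the kid of the first active key found for that algorithm.
     *
     * <p>The caller must pass the view-realm permission check, which runs before
     * any key is read.
     *
     * @return the key metadata for the realm
     */
    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.KEY)
    @Operation
    @GET
    public KeysMetadataRepresentation getKeyMetadata() {
        // Authorization gate: keep this as the first statement so no key data is
        // touched for a caller that is not allowed to view the realm.
        this.auth.realm().requireViewRealm();

        KeysMetadataRepresentation result = new KeysMetadataRepresentation();
        result.setActive(new HashMap<>());

        // Materialize the stream once; it is walked twice below (active map, then mapping).
        List<KeyWrapper> realmKeys = this.session.keys().getKeysStream(this.realm).collect(Collectors.toList());

        for (KeyWrapper key : realmKeys) {
            // A key without a status is treated as not active instead of failing the
            // whole request; toKeyMetadataRepresentation tolerates a null status too.
            boolean active = key.getStatus() != null && key.getStatus().isActive();
            // First active key per algorithm wins, in the order the stream delivered them.
            if (active && !result.getActive().containsKey(key.getAlgorithmOrDefault())) {
                result.getActive().put(key.getAlgorithmOrDefault(), key.getKid());
            }
        }

        List<KeysMetadataRepresentation.KeyMetadataRepresentation> keys =
                realmKeys.stream().map(this::toKeyMetadataRepresentation).collect(Collectors.toList());
        result.setKeys(keys);
        return result;
    }

    /**
     * Copies the public attributes of a key into its REST representation.
     *
     * <p>The certificate field comes from the key's own certificate when there is
     * one; otherwise the first entry of the certificate chain is used. The
     * {@code validTo} value is only filled from the key's own certificate.
     *
     * @param keyWrapper key to describe
     * @return representation holding only public key material
     * @throws RuntimeException if the first chain certificate cannot be encoded
     */
    private KeysMetadataRepresentation.KeyMetadataRepresentation toKeyMetadataRepresentation(KeyWrapper keyWrapper) {
        KeysMetadataRepresentation.KeyMetadataRepresentation rep = new KeysMetadataRepresentation.KeyMetadataRepresentation();
        rep.setProviderId(keyWrapper.getProviderId());
        rep.setProviderPriority(keyWrapper.getProviderPriority());
        rep.setKid(keyWrapper.getKid());
        rep.setStatus(keyWrapper.getStatus() != null ? keyWrapper.getStatus().name() : null);
        rep.setType(keyWrapper.getType());
        rep.setAlgorithm(keyWrapper.getAlgorithmOrDefault());
        rep.setPublicKey(keyWrapper.getPublicKey() != null ? PemUtils.encodeKey(keyWrapper.getPublicKey()) : null);
        rep.setUse(keyWrapper.getUse());

        X509Certificate certificate = keyWrapper.getCertificate();
        if (certificate != null) {
            // The key's own certificate takes precedence over the chain. The earlier
            // Base64 encoding of this same certificate was always overwritten by the
            // PemUtils value, so it is no longer computed.
            rep.setCertificate(PemUtils.encodeCertificate(certificate));
            rep.setValidTo(certificate.getNotAfter() != null ? Long.valueOf(certificate.getNotAfter().getTime()) : null);
        } else if (keyWrapper.getCertificateChain() != null && !keyWrapper.getCertificateChain().isEmpty()) {
            try {
                rep.setCertificate(Base64.encodeBytes(((X509Certificate) keyWrapper.getCertificateChain().get(0)).getEncoded()));
            } catch (CertificateEncodingException e) {
                // Name the key so the failure can be traced; the kid is not secret.
                throw new RuntimeException("Failed to encode first chain certificate for key " + keyWrapper.getKid(), e);
            }
        }
        return rep;
    }
}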
