package org.keycloak.services.resources.admin;

import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.DELETE;
import jakarta.ws.rs.DefaultValue;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.PUT;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriBuilder;
import jakarta.ws.rs.core.UriInfo;
import java.net.URI;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.eclipse.microprofile.openapi.annotations.Operation;
import org.eclipse.microprofile.openapi.annotations.extensions.Extension;
import org.eclipse.microprofile.openapi.annotations.parameters.Parameter;
import org.eclipse.microprofile.openapi.annotations.responses.APIResponse;
import org.eclipse.microprofile.openapi.annotations.tags.Tag;
import org.jboss.logging.Logger;
import org.jboss.resteasy.reactive.NoCache;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.authentication.actiontoken.execactions.ExecuteActionsActionToken;
import org.keycloak.authentication.actiontoken.verifyemail.VerifyEmailActionToken;
import org.keycloak.authentication.authenticators.resetcred.ResetPassword;
import org.keycloak.authentication.requiredactions.util.RequiredActionsValidator;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.Profile;
import org.keycloak.common.util.CollectionUtil;
import org.keycloak.common.util.Time;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailTemplateProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.ImpersonationSessionNote;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.ModelException;
import org.keycloak.models.ModelIllegalStateException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserConsentModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserManager;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.light.LightweightUserAdapter;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.models.utils.RoleUtils;
import org.keycloak.models.utils.SystemClientUtil;
import org.keycloak.policy.PasswordPolicyNotMetException;
import org.keycloak.protocol.oid4vc.issuance.mappers.OID4VCTargetRoleMapper;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.ErrorRepresentation;
import org.keycloak.representations.idm.FederatedIdentityRepresentation;
import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.representations.idm.UserConsentRepresentation;
import org.keycloak.representations.idm.UserProfileMetadata;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.UserSessionRepresentation;
import org.keycloak.services.ErrorResponse;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.BruteForceProtector;
import org.keycloak.services.managers.UserConsentManager;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.KeycloakOpenAPI;
import org.keycloak.services.resources.LoginActionsService;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.services.validation.Validation;
import org.keycloak.storage.ReadOnlyException;
import org.keycloak.userprofile.AttributeChangeListener;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;
import org.keycloak.userprofile.UserProfile;
import org.keycloak.userprofile.UserProfileContext;
import org.keycloak.userprofile.UserProfileProvider;
import org.keycloak.userprofile.ValidationException;
import org.keycloak.utils.MediaType;
import org.keycloak.utils.ProfileHelper;
import org.keycloak.utils.StringUtil;

@Extension(name = KeycloakOpenAPI.Profiles.ADMIN, value = "")
/* loaded from: input_file:org/keycloak/services/resources/admin/UserResource.class */
public class UserResource {
    private static final Logger logger = Logger.getLogger(UserResource.class);
    protected final RealmModel realm;
    private final AdminPermissionEvaluator auth;
    private final AdminEventBuilder adminEvent;
    private final UserModel user;
    protected final ClientConnection clientConnection;
    protected final KeycloakSession session;
    protected final HttpHeaders headers;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/keycloak/services/resources/admin/UserResource$SendEmailParams.class */
    public static class SendEmailParams {
        final String redirectUri;
        final String clientId;
        final int lifespan;

        public SendEmailParams(String str, String str2, Integer num) {
            this.redirectUri = str;
            this.clientId = str2;
            this.lifespan = num.intValue();
        }
    }

    public UserResource(KeycloakSession keycloakSession, UserModel userModel, AdminPermissionEvaluator adminPermissionEvaluator, AdminEventBuilder adminEventBuilder) {
        this.session = keycloakSession;
        this.auth = adminPermissionEvaluator;
        this.realm = keycloakSession.getContext().getRealm();
        this.clientConnection = keycloakSession.getContext().getConnection();
        this.user = userModel;
        this.adminEvent = adminEventBuilder.resource(ResourceType.USER);
        this.headers = keycloakSession.getContext().getRequestHeaders();
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Update the user")
    @PUT
    @Consumes({MediaType.APPLICATION_JSON})
    public Response updateUser(UserRepresentation userRepresentation) {
        this.auth.users().requireManage(this.user);
        try {
            try {
                boolean z = false;
                if (userRepresentation.isEnabled() != null && userRepresentation.isEnabled().booleanValue()) {
                    if ((!this.user.isEnabled() || this.session.getProvider(BruteForceProtector.class).isTemporarilyDisabled(this.session, this.realm, this.user)) && this.session.loginFailures().getUserLoginFailure(this.realm, this.user.getId()) != null) {
                        this.session.loginFailures().removeUserLoginFailure(this.realm, this.user.getId());
                        this.adminEvent.clone(this.session).resource(ResourceType.USER_LOGIN_FAILURE).resourcePath((UriInfo) this.session.getContext().getUri()).operation(OperationType.DELETE).success();
                    }
                    z = this.session.getProvider(BruteForceProtector.class).isPermanentlyLockedOut(this.session, this.realm, this.user);
                }
                HashMap hashMap = new HashMap(userRepresentation.getRawAttributes());
                if (userRepresentation.getAttributes() == null) {
                    for (Map.Entry entry : this.user.getAttributes().entrySet()) {
                        hashMap.putIfAbsent((String) entry.getKey(), (List) entry.getValue());
                    }
                }
                UserProfile create = this.session.getProvider(UserProfileProvider.class).create(UserProfileContext.USER_API, hashMap, this.user);
                Response validateUserProfile = validateUserProfile(create, this.session, this.auth.adminAuth());
                if (validateUserProfile != null) {
                    return validateUserProfile;
                }
                create.update(userRepresentation.getAttributes() != null, new AttributeChangeListener[0]);
                updateUserFromRep(create, this.user, userRepresentation, this.session, true);
                RepresentationToModel.createCredentials(userRepresentation, this.session, this.realm, this.user, true);
                if (z) {
                    this.session.getProvider(BruteForceProtector.class).cleanUpPermanentLockout(this.session, this.realm, this.user);
                }
                this.adminEvent.operation(OperationType.UPDATE).resourcePath((UriInfo) this.session.getContext().getUri()).representation(userRepresentation).success();
                if (this.session.getTransactionManager().isActive()) {
                    this.session.getTransactionManager().commit();
                }
                return Response.noContent().build();
            } catch (ForbiddenException | ErrorResponseException e) {
                this.session.getTransactionManager().setRollbackOnly();
                throw e;
            }
        } catch (ModelIllegalStateException e2) {
            logger.error(e2.getMessage(), e2);
            throw ErrorResponse.error(e2.getMessage(), Response.Status.INTERNAL_SERVER_ERROR);
        } catch (ModelDuplicateException e3) {
            this.session.getTransactionManager().setRollbackOnly();
            throw ErrorResponse.exists("User exists with same username or email");
        } catch (ReadOnlyException e4) {
            this.session.getTransactionManager().setRollbackOnly();
            throw ErrorResponse.error("User is read only!", Response.Status.BAD_REQUEST);
        } catch (PasswordPolicyNotMetException e5) {
            logger.warn("Password policy not met for user " + e5.getUsername(), e5);
            this.session.getTransactionManager().setRollbackOnly();
            throw new ErrorResponseException(e5.getMessage(), MessageFormat.format(AdminRoot.getMessages(this.session, this.realm, this.auth.adminAuth().getToken().getLocale()).getProperty(e5.getMessage(), e5.getMessage()), e5.getParameters()), Response.Status.BAD_REQUEST);
        } catch (Exception e6) {
            this.session.getTransactionManager().setRollbackOnly();
            logger.warn("Could not update user!", e6);
            throw ErrorResponse.error("Could not update user!", Response.Status.BAD_REQUEST);
        } catch (ModelException e7) {
            logger.warn("Could not update user!", e7);
            this.session.getTransactionManager().setRollbackOnly();
            throw ErrorResponse.error("Could not update user!", Response.Status.BAD_REQUEST);
        }
    }

    /* JADX WARN: Failed to find 'out' block for switch in B:11:0x0043. Please report as an issue. */
    public static Response validateUserProfile(UserProfile userProfile, KeycloakSession keycloakSession, AdminAuth adminAuth) {
        try {
            userProfile.validate();
            return null;
        } catch (ValidationException e) {
            ArrayList arrayList = new ArrayList();
            for (ValidationException.Error error : e.getErrors()) {
                String message = error.getMessage();
                boolean z = -1;
                switch (message.hashCode()) {
                    case -1419450929:
                        if (message.equals(Messages.EMAIL_EXISTS)) {
                            z = 2;
                            break;
                        }
                        break;
                    case 65867787:
                        if (message.equals(Messages.MISSING_USERNAME)) {
                            z = false;
                            break;
                        }
                        break;
                    case 631797461:
                        if (message.equals(Messages.USERNAME_EXISTS)) {
                            z = true;
                            break;
                        }
                        break;
                }
                switch (z) {
                    case false:
                        throw ErrorResponse.error("User name is missing", Response.Status.BAD_REQUEST);
                    case DeclarativeUserProfileProviderFactory.PROVIDER_PRIORITY /* 1 */:
                        throw ErrorResponse.exists("User exists with same username");
                    case DPoPUtil.DEFAULT_ALLOWED_CLOCK_SKEW /* 2 */:
                        throw ErrorResponse.exists("User exists with same email");
                    default:
                        arrayList.add(new ErrorRepresentation(error.getAttribute(), error.getMessage(), error.getMessageParameters()));
                }
            }
            throw ErrorResponse.errors(arrayList, Response.Status.BAD_REQUEST);
        }
    }

    public static void updateUserFromRep(UserProfile userProfile, UserModel userModel, UserRepresentation userRepresentation, KeycloakSession keycloakSession, boolean z) {
        if (userRepresentation.isEnabled() != null) {
            userModel.setEnabled(userRepresentation.isEnabled().booleanValue());
        }
        if (userRepresentation.isEmailVerified() != null) {
            userModel.setEmailVerified(userRepresentation.isEmailVerified().booleanValue());
        }
        if (userRepresentation.getCreatedTimestamp() != null && !z) {
            userModel.setCreatedTimestamp(userRepresentation.getCreatedTimestamp());
        }
        if (userRepresentation.getFederationLink() != null) {
            userModel.setFederationLink(userRepresentation.getFederationLink());
        }
        List requiredActions = userRepresentation.getRequiredActions();
        if (requiredActions != null) {
            keycloakSession.getKeycloakSessionFactory().getProviderFactoriesStream(RequiredActionProvider.class).map((v0) -> {
                return v0.getId();
            }).distinct().forEach(str -> {
                if (requiredActions.contains(str)) {
                    userModel.addRequiredAction(str);
                } else if (z) {
                    userModel.removeRequiredAction(str);
                }
            });
        }
        List<CredentialRepresentation> credentials = userRepresentation.getCredentials();
        if (credentials != null) {
            for (CredentialRepresentation credentialRepresentation : credentials) {
                if ("password".equals(credentialRepresentation.getType()) && credentialRepresentation.isTemporary() != null && credentialRepresentation.isTemporary().booleanValue()) {
                    userModel.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
                }
            }
        }
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Get representation of the user")
    @GET
    public UserRepresentation getUser(@Parameter(description = "Indicates if the user profile metadata should be added to the response") @QueryParam("userProfileMetadata") boolean z) {
        this.auth.users().requireView(this.user);
        UserRepresentation representation = this.session.getProvider(UserProfileProvider.class).create(UserProfileContext.USER_API, this.user).toRepresentation();
        if (this.realm.isIdentityFederationEnabled()) {
            representation.setFederatedIdentities((List) getFederatedIdentities(this.user).collect(Collectors.toList()));
        }
        if (this.session.getProvider(BruteForceProtector.class).isTemporarilyDisabled(this.session, this.realm, this.user)) {
            representation.setEnabled(false);
        }
        representation.setAccess(this.auth.users().getAccess(this.user));
        if (!z) {
            representation.setUserProfileMetadata((UserProfileMetadata) null);
        }
        return representation;
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Impersonate the user")
    @POST
    @Path("impersonation")
    public Map<String, Object> impersonate() {
        ProfileHelper.requireFeature(Profile.Feature.IMPERSONATION);
        this.auth.users().requireImpersonate(this.user);
        if (!this.user.isEnabled()) {
            throw ErrorResponse.error("User is disabled", Response.Status.BAD_REQUEST);
        }
        if (this.user.getServiceAccountClientLink() != null) {
            throw ErrorResponse.error("Service accounts cannot be impersonated", Response.Status.BAD_REQUEST);
        }
        RealmModel realm = this.auth.adminAuth().getRealm();
        boolean z = false;
        String sessionState = this.auth.adminAuth().getToken().getSessionState();
        if (realm.getId().equals(this.realm.getId()) && sessionState != null) {
            z = true;
            UserSessionModel userSession = this.session.sessions().getUserSession(realm, sessionState);
            AuthenticationManager.expireIdentityCookie(this.session);
            AuthenticationManager.expireRememberMeCookie(this.session);
            AuthenticationManager.expireAuthSessionCookie(this.session);
            AuthenticationManager.backchannelLogout(this.session, realm, userSession, this.session.getContext().getUri(), this.clientConnection, this.headers, true);
        }
        EventBuilder eventBuilder = new EventBuilder(this.realm, this.session, this.clientConnection);
        UserSessionModel createUserSession = new UserSessionManager(this.session).createUserSession(this.realm, this.user, this.user.getUsername(), this.clientConnection.getRemoteAddr(), "impersonate", false, null, null);
        UserModel user = this.auth.adminAuth().getUser();
        String id = user.getId();
        String username = user.getUsername();
        createUserSession.setNote(ImpersonationSessionNote.IMPERSONATOR_ID.toString(), id);
        createUserSession.setNote(ImpersonationSessionNote.IMPERSONATOR_USERNAME.toString(), username);
        AuthenticationManager.createLoginCookie(this.session, this.realm, createUserSession.getUser(), createUserSession, this.session.getContext().getUri(), this.clientConnection);
        URI build = Urls.accountBase(this.session.getContext().getUri().getBaseUri()).build(new Object[]{this.realm.getName()});
        HashMap hashMap = new HashMap();
        hashMap.put("sameRealm", Boolean.valueOf(z));
        hashMap.put("redirect", build.toString());
        eventBuilder.event(EventType.IMPERSONATE).session(createUserSession).user(this.user).detail("impersonator_realm", realm.getName()).detail("impersonator", username).success();
        return hashMap;
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Get sessions associated with the user")
    @Path("sessions")
    @GET
    public Stream<UserSessionRepresentation> getSessions() {
        this.auth.users().requireView(this.user);
        return this.session.sessions().getUserSessionsStream(this.realm, this.user).map(ModelToRepresentation::toRepresentation);
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Get offline sessions associated with the user and client")
    @Path("offline-sessions/{clientUuid}")
    @GET
    public Stream<UserSessionRepresentation> getOfflineSessions(@PathParam("clientUuid") String str) {
        this.auth.users().requireView(this.user);
        if (this.realm.getClientById(str) == null) {
            throw new NotFoundException("Client not found");
        }
        return new UserSessionManager(this.session).findOfflineSessionsStream(this.realm, this.user).map(userSessionModel -> {
            return toUserSessionRepresentation(userSessionModel, str);
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        });
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Get social logins associated with the user")
    @Path("federated-identity")
    @GET
    public Stream<FederatedIdentityRepresentation> getFederatedIdentity() {
        this.auth.users().requireView(this.user);
        return getFederatedIdentities(this.user);
    }

    private Stream<FederatedIdentityRepresentation> getFederatedIdentities(UserModel userModel) {
        return this.session.users().getFederatedIdentitiesStream(this.realm, userModel).filter(federatedIdentityModel -> {
            return this.session.identityProviders().getByAlias(federatedIdentityModel.getIdentityProvider()) != null;
        }).map(ModelToRepresentation::toRepresentation);
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Add a social login provider to the user")
    @POST
    @Path("federated-identity/{provider}")
    public Response addFederatedIdentity(@Parameter(description = "Social login provider id") @PathParam("provider") String str, FederatedIdentityRepresentation federatedIdentityRepresentation) {
        this.auth.users().requireManage(this.user);
        if (this.session.users().getFederatedIdentity(this.realm, this.user, str) != null) {
            throw ErrorResponse.exists("User is already linked with provider");
        }
        this.session.users().addFederatedIdentity(this.realm, this.user, new FederatedIdentityModel(str, federatedIdentityRepresentation.getUserId(), federatedIdentityRepresentation.getUserName()));
        this.adminEvent.operation(OperationType.CREATE).resourcePath((UriInfo) this.session.getContext().getUri()).representation(federatedIdentityRepresentation).success();
        return Response.noContent().build();
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Remove a social login provider from user")
    @Path("federated-identity/{provider}")
    @DELETE
    public void removeFederatedIdentity(@Parameter(description = "Social login provider id") @PathParam("provider") String str) {
        this.auth.users().requireManage(this.user);
        if (!this.session.users().removeFederatedIdentity(this.realm, this.user, str)) {
            throw new NotFoundException("Link not found");
        }
        this.adminEvent.operation(OperationType.DELETE).resourcePath((UriInfo) this.session.getContext().getUri()).success();
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Get consents granted by the user")
    @Path("consents")
    @GET
    public Stream<Map<String, Object>> getConsents() {
        this.auth.users().requireView(this.user);
        Set<ClientModel> findClientsWithOfflineToken = new UserSessionManager(this.session).findClientsWithOfflineToken(this.realm, this.user);
        HashSet hashSet = new HashSet();
        return Stream.concat(((List) UserConsentManager.getConsentsStream(this.session, this.realm, this.user).peek(userConsentModel -> {
            hashSet.add(userConsentModel.getClient());
        }).collect(Collectors.toList())).stream().map(userConsentModel2 -> {
            return toConsent(userConsentModel2, findClientsWithOfflineToken);
        }), findClientsWithOfflineToken.stream().filter(clientModel -> {
            return !hashSet.contains(clientModel);
        }).map(this::toConsent));
    }

    private Map<String, Object> toConsent(ClientModel clientModel) {
        HashMap hashMap = new HashMap();
        hashMap.put(OID4VCTargetRoleMapper.CLIENT_CONFIG_KEY, clientModel.getClientId());
        hashMap.put("grantedClientScopes", Collections.emptyList());
        hashMap.put("createdDate", null);
        hashMap.put("lastUpdatedDate", null);
        LinkedList linkedList = new LinkedList();
        HashMap hashMap2 = new HashMap();
        hashMap2.put("client", clientModel.getId());
        hashMap2.put("key", "Offline Token");
        linkedList.add(hashMap2);
        hashMap.put("additionalGrants", linkedList);
        return hashMap;
    }

    private Map<String, Object> toConsent(UserConsentModel userConsentModel, Set<ClientModel> set) {
        UserConsentRepresentation representation = ModelToRepresentation.toRepresentation(userConsentModel);
        HashMap hashMap = new HashMap();
        hashMap.put(OID4VCTargetRoleMapper.CLIENT_CONFIG_KEY, userConsentModel.getClient().getClientId());
        hashMap.put("grantedClientScopes", representation.getGrantedClientScopes());
        hashMap.put("createdDate", representation.getCreatedDate());
        hashMap.put("lastUpdatedDate", representation.getLastUpdatedDate());
        LinkedList linkedList = new LinkedList();
        if (set.contains(userConsentModel.getClient())) {
            HashMap hashMap2 = new HashMap();
            hashMap2.put("client", userConsentModel.getClient().getId());
            hashMap2.put("key", "Offline Token");
            linkedList.add(hashMap2);
        }
        hashMap.put("additionalGrants", linkedList);
        return hashMap;
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Revoke consent and offline tokens for particular client from user")
    @Path("consents/{client}")
    @DELETE
    public void revokeConsent(@Parameter(description = "Client id") @PathParam("client") String str) {
        this.auth.users().requireManage(this.user);
        ClientModel clientByClientId = this.realm.getClientByClientId(str);
        if (clientByClientId == null) {
            throw new NotFoundException("Client not found");
        }
        if (!UserConsentManager.revokeConsentToClient(this.session, clientByClientId, this.user)) {
            throw new NotFoundException("Consent nor offline token not found");
        }
        this.adminEvent.operation(OperationType.ACTION).resourcePath((UriInfo) this.session.getContext().getUri()).success();
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Remove all user sessions associated with the user Also send notification to all clients that have an admin URL to invalidate the sessions for the particular user.")
    @APIResponse(responseCode = "204", description = "No Content")
    @POST
    @Path("logout")
    public void logout() {
        this.auth.users().requireManage(this.user);
        if (!LightweightUserAdapter.isLightweightUser(this.user)) {
            this.session.users().setNotBeforeForUser(this.realm, this.user, Time.currentTime());
        }
        ((List) this.session.sessions().getUserSessionsStream(this.realm, this.user).collect(Collectors.toList())).forEach(userSessionModel -> {
            AuthenticationManager.backchannelLogout(this.session, this.realm, userSessionModel, this.session.getContext().getUri(), this.clientConnection, this.headers, true);
        });
        this.adminEvent.operation(OperationType.ACTION).resourcePath((UriInfo) this.session.getContext().getUri()).success();
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Delete the user")
    @DELETE
    public Response deleteUser() {
        this.auth.users().requireManage(this.user);
        if (!new UserManager(this.session).removeUser(this.realm, this.user)) {
            throw ErrorResponse.error("User couldn't be deleted", Response.Status.BAD_REQUEST);
        }
        this.adminEvent.operation(OperationType.DELETE).resourcePath((UriInfo) this.session.getContext().getUri()).success();
        return Response.noContent().build();
    }

    @Path("role-mappings")
    public RoleMapperResource getRoleMappings() {
        return new RoleMapperResource(this.session, this.auth, this.user, this.adminEvent, () -> {
            this.auth.users().requireMapRoles(this.user);
        }, () -> {
            this.auth.users().requireView(this.user);
        });
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Disable all credentials for a user of a specific type")
    @PUT
    @Path("disable-credential-types")
    @Consumes({MediaType.APPLICATION_JSON})
    public void disableCredentialType(List<String> list) {
        this.auth.users().requireManage(this.user);
        if (list == null) {
            return;
        }
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            this.user.credentialManager().disableCredentialType(it.next());
        }
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Set up a new password for the user.")
    @PUT
    @Path(ResetPassword.PROVIDER_ID)
    @Consumes({MediaType.APPLICATION_JSON})
    public void resetPassword(@Parameter(description = "The representation must contain a rawPassword with the plain-text password") CredentialRepresentation credentialRepresentation) {
        this.auth.users().requireManage(this.user);
        if (credentialRepresentation == null || credentialRepresentation.getValue() == null) {
            throw new BadRequestException("No password provided");
        }
        if (Validation.isBlank(credentialRepresentation.getValue())) {
            throw new BadRequestException("Empty password not allowed");
        }
        try {
            this.user.credentialManager().updateCredential(UserCredentialModel.password(credentialRepresentation.getValue(), false));
            if (credentialRepresentation.isTemporary() == null || !credentialRepresentation.isTemporary().booleanValue()) {
                this.user.removeRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
            } else {
                this.user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
            }
            this.adminEvent.operation(OperationType.ACTION).resourcePath((UriInfo) this.session.getContext().getUri()).success();
        } catch (ModelException e) {
            logger.warn("Could not update user password.", e);
            throw new ErrorResponseException(e.getMessage(), MessageFormat.format(AdminRoot.getMessages(this.session, this.realm, this.auth.adminAuth().getToken().getLocale()).getProperty(e.getMessage(), e.getMessage()), e.getParameters()), Response.Status.BAD_REQUEST);
        } catch (ModelIllegalStateException e2) {
            logger.error(e2.getMessage(), e2);
            throw ErrorResponse.error(e2.getMessage(), Response.Status.INTERNAL_SERVER_ERROR);
        } catch (ReadOnlyException e3) {
            throw new BadRequestException("Can't reset password as account is read only");
        } catch (PasswordPolicyNotMetException e4) {
            logger.warn("Password policy not met for user " + e4.getUsername(), e4);
            throw new ErrorResponseException(e4.getMessage(), MessageFormat.format(AdminRoot.getMessages(this.session, this.realm, this.auth.adminAuth().getToken().getLocale()).getProperty(e4.getMessage(), e4.getMessage()), e4.getParameters()), Response.Status.BAD_REQUEST);
        } catch (IllegalStateException e5) {
            throw new BadRequestException("Resetting to N old passwords is not allowed.");
        }
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation
    @GET
    @Path("credentials")
    public Stream<CredentialRepresentation> credentials() {
        this.auth.users().requireView(this.user);
        return this.user.credentialManager().getStoredCredentialsStream().map(ModelToRepresentation::toRepresentation).peek(credentialRepresentation -> {
            credentialRepresentation.setSecretData((String) null);
        });
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Return credential types, which are provided by the user storage where user is stored.", description = "Returned values can contain for example \"password\", \"otp\" etc. This will always return empty list for \"local\" users, which are not backed by any user storage")
    @GET
    @Path("configured-user-storage-credential-types")
    public Stream<String> getConfiguredUserStorageCredentialTypes() {
        this.auth.users().requireView(this.user);
        return this.user.credentialManager().getConfiguredUserStorageCredentialTypesStream();
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Remove a credential for a user")
    @Path("credentials/{credentialId}")
    @DELETE
    public void removeCredential(@PathParam("credentialId") String str) {
        this.auth.users().requireManage(this.user);
        if (this.user.credentialManager().getStoredCredentialById(str) == null) {
            if (!this.auth.users().canQuery()) {
                throw new ForbiddenException();
            }
            throw new NotFoundException("Credential not found");
        }
        this.user.credentialManager().removeStoredCredentialById(str);
        this.adminEvent.operation(OperationType.ACTION).resourcePath((UriInfo) this.session.getContext().getUri()).success();
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Update a credential label for a user")
    @PUT
    @Path("credentials/{credentialId}/userLabel")
    @Consumes({"text/plain"})
    public void setCredentialUserLabel(@PathParam("credentialId") String str, String str2) {
        this.auth.users().requireManage(this.user);
        if (this.user.credentialManager().getStoredCredentialById(str) != null) {
            this.user.credentialManager().updateCredentialLabel(str, str2);
        } else {
            if (!this.auth.users().canQuery()) {
                throw new ForbiddenException();
            }
            throw new NotFoundException("Credential not found");
        }
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Move a credential to a first position in the credentials list of the user")
    @APIResponse(responseCode = "204", description = "No Content")
    @POST
    @Path("credentials/{credentialId}/moveToFirst")
    public void moveCredentialToFirst(@Parameter(description = "The credential to move") @PathParam("credentialId") String str) {
        moveCredentialAfter(str, null);
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Move a credential to a position behind another credential")
    @APIResponse(responseCode = "204", description = "No Content")
    @POST
    @Path("credentials/{credentialId}/moveAfter/{newPreviousCredentialId}")
    public void moveCredentialAfter(@Parameter(description = "The credential to move") @PathParam("credentialId") String str, @Parameter(description = "The credential that will be the previous element in the list. If set to null, the moved credential will be the first element in the list.") @PathParam("newPreviousCredentialId") String str2) {
        this.auth.users().requireManage(this.user);
        if (this.user.credentialManager().getStoredCredentialById(str) != null) {
            this.user.credentialManager().moveStoredCredentialTo(str, str2);
        } else {
            if (!this.auth.users().canQuery()) {
                throw new ForbiddenException();
            }
            throw new NotFoundException("Credential not found");
        }
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Send an email to the user with a link they can click to reset their password.", description = "The redirectUri and clientId parameters are optional. The default for the redirect is the account client. This endpoint has been deprecated.  Please use the execute-actions-email passing a list with UPDATE_PASSWORD within it.", deprecated = true)
    @Deprecated
    @PUT
    @Path("reset-password-email")
    @Consumes({MediaType.APPLICATION_JSON})
    public Response resetPasswordEmail(@Parameter(description = "redirect uri") @QueryParam("redirect_uri") String str, @Parameter(description = "client id") @QueryParam("client_id") String str2) {
        LinkedList linkedList = new LinkedList();
        linkedList.add(UserModel.RequiredAction.UPDATE_PASSWORD.name());
        return executeActionsEmail(str, str2, null, linkedList);
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Send an email to the user with a link they can click to execute particular actions.", description = "An email contains a link the user can click to perform a set of required actions. The redirectUri and clientId parameters are optional. If no redirect is given, then there will be no link back to click after actions have completed. Redirect uri must be a valid uri for the particular clientId.")
    @PUT
    @Path("execute-actions-email")
    @Consumes({MediaType.APPLICATION_JSON})
    public Response executeActionsEmail(@Parameter(description = "Redirect uri") @QueryParam("redirect_uri") String str, @Parameter(description = "Client id") @QueryParam("client_id") String str2, @Parameter(description = "Number of seconds after which the generated token expires") @QueryParam("lifespan") Integer num, @Parameter(description = "Required actions the user needs to complete") List<String> list) {
        this.auth.users().requireManage(this.user);
        SendEmailParams verifySendEmailParams = verifySendEmailParams(str, str2, num);
        if (CollectionUtil.isNotEmpty(list) && !RequiredActionsValidator.validRequiredActions(this.session, list)) {
            throw ErrorResponse.error("Provided invalid required actions", Response.Status.BAD_REQUEST);
        }
        ExecuteActionsActionToken executeActionsActionToken = new ExecuteActionsActionToken(this.user.getId(), this.user.getEmail(), Time.currentTime() + verifySendEmailParams.lifespan, list, verifySendEmailParams.redirectUri, verifySendEmailParams.clientId);
        try {
            UriBuilder actionTokenProcessor = LoginActionsService.actionTokenProcessor(this.session.getContext().getUri());
            actionTokenProcessor.queryParam("key", new Object[]{executeActionsActionToken.serialize(this.session, this.realm, this.session.getContext().getUri())});
            this.session.getProvider(EmailTemplateProvider.class).setAttribute("requiredActions", executeActionsActionToken.getRequiredActions()).setRealm(this.realm).setUser(this.user).sendExecuteActions(actionTokenProcessor.build(new Object[]{this.realm.getName()}).toString(), TimeUnit.SECONDS.toMinutes(verifySendEmailParams.lifespan));
            this.adminEvent.operation(OperationType.ACTION).resourcePath((UriInfo) this.session.getContext().getUri()).success();
            return Response.noContent().build();
        } catch (EmailException e) {
            ServicesLogger.LOGGER.failedToSendActionsEmail(e);
            throw ErrorResponse.error("Failed to send execute actions email", Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation(summary = "Send an email-verification email to the user An email contains a link the user can click to verify their email address.", description = "The redirectUri, clientId and lifespan parameters are optional. The default for the redirect is the account client. The default for the lifespan is 12 hours")
    @PUT
    @Path("send-verify-email")
    @Consumes({MediaType.APPLICATION_JSON})
    public Response sendVerifyEmail(@Parameter(description = "Redirect uri") @QueryParam("redirect_uri") String str, @Parameter(description = "Client id") @QueryParam("client_id") String str2, @Parameter(description = "Number of seconds after which the generated token expires") @QueryParam("lifespan") Integer num) {
        this.auth.users().requireManage(this.user);
        SendEmailParams verifySendEmailParams = verifySendEmailParams(str, str2, num);
        VerifyEmailActionToken verifyEmailActionToken = new VerifyEmailActionToken(this.user.getId(), Time.currentTime() + verifySendEmailParams.lifespan, null, this.user.getEmail(), verifySendEmailParams.clientId);
        verifyEmailActionToken.setRedirectUri(verifySendEmailParams.redirectUri);
        try {
            this.session.getProvider(EmailTemplateProvider.class).setRealm(this.realm).setUser(this.user).sendVerifyEmail(LoginActionsService.actionTokenProcessor(this.session.getContext().getUri()).queryParam("key", new Object[]{verifyEmailActionToken.serialize(this.session, this.realm, this.session.getContext().getUri())}).build(new Object[]{this.realm.getName()}).toString(), TimeUnit.SECONDS.toMinutes(verifySendEmailParams.lifespan));
            this.adminEvent.operation(OperationType.ACTION).resourcePath((UriInfo) this.session.getContext().getUri()).success();
            return Response.noContent().build();
        } catch (EmailException e) {
            ServicesLogger.LOGGER.failedToSendEmail(e);
            throw ErrorResponse.error("Failed to send verify email", Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation
    @GET
    @Path("groups")
    public Stream<GroupRepresentation> groupMembership(@QueryParam("search") String str, @QueryParam("first") Integer num, @QueryParam("max") Integer num2, @QueryParam("briefRepresentation") @DefaultValue("true") boolean z) {
        this.auth.users().requireView(this.user);
        return this.user.getGroupsStream(str, num, num2).map(groupModel -> {
            return ModelToRepresentation.toRepresentation(groupModel, !z);
        });
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation
    @GET
    @Path("groups/count")
    public Map<String, Long> getGroupMembershipCount(@QueryParam("search") String str) {
        this.auth.users().requireView(this.user);
        Long valueOf = Objects.nonNull(str) ? Long.valueOf(this.user.getGroupsCountByNameContaining(str)) : Long.valueOf(this.user.getGroupsCount());
        HashMap hashMap = new HashMap();
        hashMap.put("count", valueOf);
        return hashMap;
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation
    @DELETE
    @Path("groups/{groupId}")
    public void removeMembership(@PathParam("groupId") String str) {
        this.auth.users().requireManageGroupMembership(this.user);
        GroupModel groupById = this.session.groups().getGroupById(this.realm, str);
        if (groupById == null) {
            throw new NotFoundException("Group not found");
        }
        this.auth.groups().requireManageMembership(groupById);
        try {
            if (this.user.isMemberOf(groupById)) {
                this.user.leaveGroup(groupById);
                this.adminEvent.operation(OperationType.DELETE).resource(ResourceType.GROUP_MEMBERSHIP).representation(ModelToRepresentation.toRepresentation(groupById, true)).resourcePath((UriInfo) this.session.getContext().getUri()).success();
            }
        } catch (ModelException e) {
            throw new ErrorResponseException(e.getMessage(), MessageFormat.format(AdminRoot.getMessages(this.session, this.realm, this.auth.adminAuth().getToken().getLocale()).getProperty(e.getMessage(), e.getMessage()), e.getParameters()), Response.Status.BAD_REQUEST);
        } catch (ModelIllegalStateException e2) {
            logger.error(e2.getMessage(), e2);
            throw ErrorResponse.error(e2.getMessage(), Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation
    @PUT
    @Path("groups/{groupId}")
    public void joinGroup(@PathParam("groupId") String str) {
        this.auth.users().requireManageGroupMembership(this.user);
        GroupModel groupById = this.session.groups().getGroupById(this.realm, str);
        if (groupById == null) {
            throw new NotFoundException("Group not found");
        }
        this.auth.groups().requireManageMembership(groupById);
        if (RoleUtils.isDirectMember(this.user.getGroupsStream(), groupById)) {
            return;
        }
        this.user.joinGroup(groupById);
        this.adminEvent.operation(OperationType.CREATE).resource(ResourceType.GROUP_MEMBERSHIP).representation(ModelToRepresentation.toRepresentation(groupById, true)).resourcePath((UriInfo) this.session.getContext().getUri()).success();
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
    @Operation
    @GET
    @Path("unmanagedAttributes")
    public Map<String, List<String>> getUnmanagedAttributes() {
        this.auth.users().requireView(this.user);
        UserProfile create = this.session.getProvider(UserProfileProvider.class).create(UserProfileContext.USER_API, this.user);
        Map readable = create.getAttributes().getReadable();
        readable.entrySet().removeAll(create.getAttributes().getUnmanagedAttributes().entrySet());
        HashMap hashMap = new HashMap(this.user.getAttributes());
        hashMap.entrySet().removeAll(readable.entrySet());
        hashMap.remove("username");
        hashMap.remove("email");
        return (Map) hashMap.entrySet().stream().filter(entry -> {
            return ((List) Optional.ofNullable((List) entry.getValue()).orElse(Collections.emptyList())).stream().anyMatch(StringUtil::isNotBlank);
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, (v0) -> {
            return v0.getValue();
        }));
    }

    private UserSessionRepresentation toUserSessionRepresentation(UserSessionModel userSessionModel, String str) {
        UserSessionRepresentation representation = ModelToRepresentation.toRepresentation(userSessionModel);
        if (userSessionModel.getAuthenticatedClientSessionByClient(str) == null) {
            return null;
        }
        representation.setLastAccess(Time.toMillis(r0.getTimestamp()));
        return representation;
    }

    private SendEmailParams verifySendEmailParams(String str, String str2, Integer num) {
        if (this.user.getEmail() == null) {
            throw ErrorResponse.error("User email missing", Response.Status.BAD_REQUEST);
        }
        if (!this.user.isEnabled()) {
            throw ErrorResponse.error("User is disabled", Response.Status.BAD_REQUEST);
        }
        if (str != null && str2 == null) {
            throw ErrorResponse.error("Client id missing", Response.Status.BAD_REQUEST);
        }
        ClientModel clientByClientId = str2 != null ? this.realm.getClientByClientId(str2) : SystemClientUtil.getSystemClient(this.realm);
        if (clientByClientId == null) {
            logger.debugf("Client %s doesn't exist", str2);
            throw ErrorResponse.error("Client doesn't exist", Response.Status.BAD_REQUEST);
        }
        if (!clientByClientId.isEnabled()) {
            logger.debugf("Client %s is not enabled", str2);
            throw ErrorResponse.error("Client is not enabled", Response.Status.BAD_REQUEST);
        }
        if (str != null) {
            str = RedirectUtils.verifyRedirectUri(this.session, str, clientByClientId);
            if (str == null) {
                throw ErrorResponse.error("Invalid redirect uri.", Response.Status.BAD_REQUEST);
            }
        }
        if (num == null) {
            num = Integer.valueOf(this.realm.getActionTokenGeneratedByAdminLifespan());
        }
        return new SendEmailParams(str, str2, num);
    }
}
