package org.keycloak.services.resources.admin;

import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.DefaultValue;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriInfo;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Stream;
import org.eclipse.microprofile.openapi.annotations.Operation;
import org.eclipse.microprofile.openapi.annotations.extensions.Extension;
import org.eclipse.microprofile.openapi.annotations.tags.Tag;
import org.jboss.resteasy.reactive.NoCache;
import org.keycloak.common.util.ObjectUtil;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.organization.utils.Organizations;
import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.services.ErrorResponse;
import org.keycloak.services.resources.KeycloakOpenAPI;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
import org.keycloak.services.resources.admin.permissions.GroupPermissionEvaluator;
import org.keycloak.utils.GroupUtils;
import org.keycloak.utils.MediaType;
import org.keycloak.utils.SearchQueryUtils;

@Extension(name = KeycloakOpenAPI.Profiles.ADMIN, value = "")
/* loaded from: input_file:org/keycloak/services/resources/admin/GroupsResource.class */
public class GroupsResource {
    private final RealmModel realm;
    private final KeycloakSession session;
    private final AdminPermissionEvaluator auth;
    private final AdminEventBuilder adminEvent;

    public GroupsResource(RealmModel realmModel, KeycloakSession keycloakSession, AdminPermissionEvaluator adminPermissionEvaluator, AdminEventBuilder adminEventBuilder) {
        this.realm = realmModel;
        this.session = keycloakSession;
        this.auth = adminPermissionEvaluator;
        this.adminEvent = adminEventBuilder.resource(ResourceType.GROUP);
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.GROUPS)
    @Operation(summary = "Get group hierarchy.  Only `name` and `id` are returned.  `subGroups` are only returned when using the `search` or `q` parameter. If none of these parameters is provided, the top-level groups are returned without `subGroups` being filled.")
    @GET
    public Stream<GroupRepresentation> getGroups(@QueryParam("search") String str, @QueryParam("q") String str2, @QueryParam("exact") @DefaultValue("false") Boolean bool, @QueryParam("first") Integer num, @QueryParam("max") Integer num2, @QueryParam("briefRepresentation") @DefaultValue("true") boolean z, @QueryParam("populateHierarchy") @DefaultValue("true") boolean z2) {
        GroupPermissionEvaluator groups = this.auth.groups();
        groups.requireList();
        Stream searchGroupModelsByAttributes = Objects.nonNull(str2) ? ModelToRepresentation.searchGroupModelsByAttributes(this.session, this.realm, SearchQueryUtils.getFields(str2), num, num2) : Objects.nonNull(str) ? this.session.groups().searchForGroupByNameStream(this.realm, str.trim(), bool, num, num2) : this.session.groups().getTopLevelGroupsStream(this.realm, num, num2);
        if (z2) {
            return GroupUtils.populateGroupHierarchyFromSubGroups(this.session, this.realm, searchGroupModelsByAttributes, !z, groups);
        }
        boolean canView = groups.canView();
        return searchGroupModelsByAttributes.filter(groupModel -> {
            return canView || groups.canView(groupModel);
        }).map(groupModel2 -> {
            return GroupUtils.populateSubGroupCount(groupModel2, GroupUtils.toRepresentation(groups, groupModel2, !z));
        });
    }

    @Path("{group-id}")
    @Operation(summary = "Get group details. Does not expand hierarchy.  Subgroups will not be set.")
    public GroupResource getGroupById(@PathParam("group-id") String str) {
        GroupModel groupById = this.realm.getGroupById(str);
        if (groupById == null) {
            throw new NotFoundException("Could not find group by id");
        }
        if (Organizations.canManageOrganizationGroup(this.session, groupById)) {
            return new GroupResource(this.realm, groupById, this.session, this.auth, this.adminEvent);
        }
        throw ErrorResponse.error("Cannot manage organization related group via non Organization API.", Response.Status.BAD_REQUEST);
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.GROUPS)
    @Operation(summary = "Returns the groups counts.")
    @GET
    @Path("count")
    public Map<String, Long> getGroupCount(@QueryParam("search") String str, @QueryParam("top") @DefaultValue("false") boolean z) {
        this.auth.groups().requireList();
        HashMap hashMap = new HashMap();
        hashMap.put("count", Objects.nonNull(str) ? this.realm.getGroupsCountByNameContaining(str) : this.realm.getGroupsCount(Boolean.valueOf(z)));
        return hashMap;
    }

    @Tag(name = KeycloakOpenAPI.Admin.Tags.GROUPS)
    @Operation(summary = "create or add a top level realm groupSet or create child.", description = "This will update the group and set the parent if it exists. Create it and set the parent if the group doesn’t exist.")
    @POST
    @Consumes({MediaType.APPLICATION_JSON})
    public Response addTopLevelGroup(GroupRepresentation groupRepresentation) {
        this.auth.groups().requireManage();
        Response.ResponseBuilder status = Response.status(204);
        String name = groupRepresentation.getName();
        if (ObjectUtil.isBlank(name)) {
            throw ErrorResponse.error("Group name is missing", Response.Status.BAD_REQUEST);
        }
        try {
            if (groupRepresentation.getId() != null) {
                GroupModel groupById = this.realm.getGroupById(groupRepresentation.getId());
                if (groupById == null) {
                    throw new NotFoundException("Could not find child by id");
                }
                if (groupById.getParentId() != null) {
                    this.realm.moveGroup(groupById, (GroupModel) null);
                }
                this.adminEvent.operation(OperationType.UPDATE).resourcePath((UriInfo) this.session.getContext().getUri());
            } else {
                GroupModel createGroup = this.realm.createGroup(name);
                GroupResource.updateGroup(groupRepresentation, createGroup, this.realm, this.session);
                status.status(201).location(this.session.getContext().getUri().getAbsolutePathBuilder().path(createGroup.getId()).build(new Object[0]));
                groupRepresentation.setId(createGroup.getId());
                this.adminEvent.operation(OperationType.CREATE).resourcePath(this.session.getContext().getUri(), createGroup.getId());
            }
            this.adminEvent.representation(groupRepresentation).success();
            return status.build();
        } catch (ModelDuplicateException e) {
            throw ErrorResponse.exists("Top level group named '" + name + "' already exists.");
        }
    }
}
