package org.openremote.manager.security;

import jakarta.persistence.Query;
import jakarta.validation.constraints.NotNull;
import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.NotAllowedException;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriBuilder;
import java.io.InputStream;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiFunction;
import java.util.function.Supplier;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import org.apache.commons.io.IOUtils;
import org.apache.http.client.utils.URIBuilder;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.RealmsResource;
import org.keycloak.admin.client.resource.RoleMappingResource;
import org.keycloak.admin.client.resource.RolesResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.common.enums.SslRequired;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ComponentRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.openremote.container.message.MessageBrokerService;
import org.openremote.container.persistence.PersistenceService;
import org.openremote.container.security.AuthContext;
import org.openremote.container.security.keycloak.KeycloakIdentityProvider;
import org.openremote.container.timer.TimerService;
import org.openremote.container.util.MapAccess;
import org.openremote.container.web.WebService;
import org.openremote.manager.apps.ConsoleAppService;
import org.openremote.manager.asset.AssetStorageService;
import org.openremote.manager.event.ClientEventService;
import org.openremote.manager.map.MapService;
import org.openremote.manager.mqtt.Topic;
import org.openremote.manager.system.SslHealthStatusProvider;
import org.openremote.model.Container;
import org.openremote.model.PersistenceEvent;
import org.openremote.model.auth.OAuthGrant;
import org.openremote.model.auth.OAuthPasswordGrant;
import org.openremote.model.event.shared.RealmFilter;
import org.openremote.model.gateway.GatewayConnection;
import org.openremote.model.provisioning.ProvisioningConfig;
import org.openremote.model.query.AssetQuery;
import org.openremote.model.query.UserQuery;
import org.openremote.model.query.filter.RealmPredicate;
import org.openremote.model.rules.RealmRuleset;
import org.openremote.model.security.ClientRole;
import org.openremote.model.security.Credential;
import org.openremote.model.security.Realm;
import org.openremote.model.security.RealmRole;
import org.openremote.model.security.Role;
import org.openremote.model.security.User;
import org.openremote.model.util.TextUtil;
import org.openremote.model.util.UniqueIdentifierGenerator;
import org.openremote.model.util.ValueUtil;

/* loaded from: input_file:org/openremote/manager/security/ManagerKeycloakIdentityProvider.class */
public class ManagerKeycloakIdentityProvider extends KeycloakIdentityProvider implements ManagerIdentityProvider {
    public static final String REALM_KEYCLOAK_THEME_SUFFIX = "_REALM_KEYCLOAK_THEME";
    public static final String DEFAULT_REALM_KEYCLOAK_THEME = "DEFAULT_REALM_KEYCLOAK_THEME";
    public static final String DEFAULT_REALM_KEYCLOAK_THEME_DEFAULT = "openremote";
    public static final String OR_KEYCLOAK_GRANT_FILE = "OR_KEYCLOAK_GRANT_FILE";
    public static final String OR_KEYCLOAK_GRANT_FILE_DEFAULT = "manager/keycloak-credentials.json";
    public static final String OR_KEYCLOAK_PUBLIC_URI = "OR_KEYCLOAK_PUBLIC_URI";
    public static final String OR_KEYCLOAK_PUBLIC_URI_DEFAULT = "/auth";
    public static final String OR_KEYCLOAK_ENABLE_DIRECT_ACCESS_GRANT = "OR_KEYCLOAK_ENABLE_DIRECT_ACCESS_GRANT";
    protected PersistenceService persistenceService;
    protected AssetStorageService assetStorageService;
    protected TimerService timerService;
    protected MessageBrokerService messageBrokerService;
    protected ClientEventService clientEventService;
    protected ConsoleAppService consoleAppService;
    protected String keycloakAdminPassword;
    protected Container container;
    protected String frontendURI;
    protected List<String> validRedirectUris;
    protected Map<String, Realm> realmCache = new ConcurrentHashMap();
    private static final Logger LOG = Logger.getLogger(ManagerKeycloakIdentityProvider.class.getName());
    public static final List<String> BUILT_IN_REALM_ROLES = List.of("admin", "create-realm", "offline_access", "uma_authorization");

    public void init(Container container) {
        super.init(container);
        this.container = container;
        try {
            this.frontendURI = new URIBuilder(MapAccess.getString(container.getConfig(), OR_KEYCLOAK_PUBLIC_URI, OR_KEYCLOAK_PUBLIC_URI_DEFAULT)).build().toString();
            this.keycloakAdminPassword = (String) container.getConfig().getOrDefault("OR_ADMIN_PASSWORD", "secret");
            this.timerService = container.getService(TimerService.class);
            this.persistenceService = container.getService(PersistenceService.class);
            this.messageBrokerService = container.getService(MessageBrokerService.class);
            this.clientEventService = (ClientEventService) container.getService(ClientEventService.class);
            this.consoleAppService = (ConsoleAppService) container.getService(ConsoleAppService.class);
            this.assetStorageService = (AssetStorageService) container.getService(AssetStorageService.class);
            this.validRedirectUris = new ArrayList();
            this.validRedirectUris.add("/*");
            this.validRedirectUris.addAll(WebService.getExternalHostnames(container).stream().map(str -> {
                return "https://" + str + "/*";
            }).toList());
        } catch (URISyntaxException e) {
            LOG.log(Level.SEVERE, "Failed to build Keycloak public URI", (Throwable) e);
            throw new RuntimeException(e);
        }
    }

    public void start(Container container) {
        super.start(container);
        if (container.isDevMode()) {
            enableAuthProxy((WebService) container.getService(WebService.class), MapAccess.getString(container.getConfig(), "OR_KEYCLOAK_PATH", "auth"));
        }
    }

    protected OAuthGrant getStoredCredentials(Container container) {
        String string = MapAccess.getString(container.getConfig(), OR_KEYCLOAK_GRANT_FILE, OR_KEYCLOAK_GRANT_FILE_DEFAULT);
        Path resolvePath = TextUtil.isNullOrEmpty(string) ? null : this.persistenceService.resolvePath(string);
        OAuthGrant oAuthGrant = null;
        if (resolvePath != null && Files.isReadable(resolvePath)) {
            LOG.info("Loading OR_KEYCLOAK_GRANT_FILE: " + String.valueOf(resolvePath));
            try {
                InputStream newInputStream = Files.newInputStream(resolvePath, new OpenOption[0]);
                try {
                    oAuthGrant = (OAuthGrant) ValueUtil.parse(IOUtils.toString(newInputStream, StandardCharsets.UTF_8), OAuthGrant.class).orElseGet(() -> {
                        LOG.warning("Failed to load OR_KEYCLOAK_GRANT_FILE: " + String.valueOf(resolvePath));
                        return null;
                    });
                    if (newInputStream != null) {
                        newInputStream.close();
                    }
                } finally {
                }
            } catch (Exception e) {
                throw new ExceptionInInitializerError(e);
            }
        }
        return oAuthGrant;
    }

    protected OAuthGrant generateStoredCredentials(Container container) {
        String string = MapAccess.getString(container.getConfig(), OR_KEYCLOAK_GRANT_FILE, OR_KEYCLOAK_GRANT_FILE_DEFAULT);
        if (TextUtil.isNullOrEmpty(string)) {
            return null;
        }
        Path resolvePath = this.persistenceService.resolvePath(string);
        User systemAccount = new User().setUsername("manager-keycloak").setEnabled(true).setSystemAccount(true);
        String str = UniqueIdentifierGenerator.generateId() + "$*#@$";
        try {
            User createUpdateUser = createUpdateUser("master", systemAccount, str, true);
            updateUserRealmRoles("master", createUpdateUser.getId(), addUserRealmRoles("master", createUpdateUser.getId(), "admin"));
            OAuthPasswordGrant defaultKeycloakGrant = getDefaultKeycloakGrant(container);
            defaultKeycloakGrant.setUsername(createUpdateUser.getUsername()).setPassword(str);
            resolvePath.getParent().toFile().mkdirs();
            Files.write(resolvePath, ((String) ValueUtil.asJSON(defaultKeycloakGrant).orElse("null")).getBytes(), StandardOpenOption.CREATE, StandardOpenOption.WRITE, StandardOpenOption.TRUNCATE_EXISTING);
            return defaultKeycloakGrant;
        } catch (Exception e) {
            LOG.info("Failed to write OR_KEYCLOAK_GRANT_FILE: " + String.valueOf(resolvePath));
            return null;
        }
    }

    protected void addClientRedirectUris(String str, List<String> list, boolean z) {
        list.add(UriBuilder.fromUri(Topic.SEPARATOR).path(str).path("*").build(new Object[0]).toString());
    }

    protected <T> T withClientResource(String str, String str2, RealmsResource realmsResource, BiFunction<ClientRepresentation, ClientResource, T> biFunction, Supplier<T> supplier) {
        ClientRepresentation clientRepresentation = null;
        ClientResource clientResource = null;
        try {
            ClientsResource clients = realmsResource.realm(str).clients();
            List findByClientId = clients.findByClientId(str2);
            if (findByClientId != null && !findByClientId.isEmpty()) {
                if (findByClientId.size() > 1) {
                    throw new IllegalStateException("More than one matching client found realm=" + str + ", client=" + str2);
                }
                clientRepresentation = (ClientRepresentation) findByClientId.get(0);
                clientResource = clients.get(clientRepresentation.getId());
            }
        } catch (Exception e) {
            LOG.log(Level.INFO, "withClientResource failed", (Throwable) e);
        }
        if (clientResource != null) {
            return biFunction.apply(clientRepresentation, clientResource);
        }
        if (supplier != null) {
            return supplier.get();
        }
        return null;
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public User[] queryUsers(UserQuery userQuery) {
        return ManagerIdentityProvider.getUsersFromDb(this.persistenceService, userQuery);
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public User getUser(String str) {
        return ManagerIdentityProvider.getUserByIdFromDb(this.persistenceService, str);
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public User getUserByUsername(String str, String str2) {
        if (str2.length() > 255) {
            str2 = str2.substring(0, 254);
        }
        return ManagerIdentityProvider.getUserByUsernameFromDb(this.persistenceService, str, str2.toLowerCase());
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public User createUpdateUser(String str, User user, String str2, boolean z) throws WebApplicationException {
        return (User) getRealms(realmsResource -> {
            UserRepresentation representation;
            UserRepresentation userRepresentation;
            if (user.getUsername() != null) {
                user.setUsername(user.getUsername().toLowerCase(Locale.ROOT));
            }
            if (user.getUsername().length() > 255) {
                user.setUsername(user.getUsername().substring(0, 254));
            }
            if (!user.isServiceAccount() && z && (!getRealm(str).getRegistrationEmailAsUsername().booleanValue() ? user.getUsername() != null : user.getEmail() != null)) {
                throw new BadRequestException("Attempt to create/update user but no username or email provided: User=" + String.valueOf(user));
            }
            boolean z2 = false;
            User user2 = user.getId() != null ? getUser(user.getId()) : getUserByUsername(str, user.getUsername());
            if (user2 != null && !z) {
                String str3 = "Attempt to create user but it already exists: User=" + String.valueOf(user);
                LOG.warning(str3);
                throw new ForbiddenException(str3);
            }
            if (user2 == null && user.isServiceAccount() && (userRepresentation = (UserRepresentation) withClientResource(str, user.getUsername(), realmsResource, (clientRepresentation, clientResource) -> {
                UserRepresentation serviceAccountUser = clientResource.getServiceAccountUser();
                if (serviceAccountUser != null) {
                    return serviceAccountUser;
                }
                String str4 = "Attempt to update/create service user but a regular client with same client ID as this username already exists: User=" + String.valueOf(user);
                LOG.warning(str4);
                throw new NotAllowedException(str4, new String[0]);
            }, null)) != null) {
                user2 = (User) ValueUtil.convert(userRepresentation, User.class);
            }
            if (user2 != null && user.getId() != null && !user2.getId().equals(user.getId())) {
                String str4 = "Attempt to update user but retrieved user ID doesn't match supplied so ignoring: User=" + String.valueOf(user);
                LOG.warning(str4);
                throw new BadRequestException(str4);
            }
            if (user2 != null) {
                z2 = true;
                if (user2.isServiceAccount() != user.isServiceAccount()) {
                    String str5 = "Attempt to update user service account flag not allowed: User=" + String.valueOf(user);
                    LOG.warning(str5);
                    throw new NotAllowedException(str5, new String[0]);
                }
                if (user2.isServiceAccount() && !user2.getUsername().equals(user.getUsername())) {
                    String str6 = "Attempt to update username of service user not allowed: User=" + String.valueOf(user);
                    LOG.warning(str6);
                    throw new NotAllowedException(str6, new String[0]);
                }
            }
            if (z2) {
                UserResource userResource = realmsResource.realm(str).users().get(user2.getId());
                representation = userResource.toRepresentation();
                representation.setFirstName(user.getFirstName());
                representation.setLastName(user.getLastName());
                representation.setEmail(user.getEmail());
                representation.setEnabled(user.getEnabled());
                representation.setAttributes(user.getAttributeMap());
                userResource.update(representation);
            } else if (user.isServiceAccount()) {
                ClientRepresentation clientRepresentation2 = new ClientRepresentation();
                clientRepresentation2.setStandardFlowEnabled(false);
                clientRepresentation2.setImplicitFlowEnabled(false);
                clientRepresentation2.setDirectAccessGrantsEnabled(false);
                clientRepresentation2.setServiceAccountsEnabled(true);
                clientRepresentation2.setClientAuthenticatorType("client-secret");
                clientRepresentation2.setClientId(user.getUsername());
                clientRepresentation2.setSecret(str2);
                representation = realmsResource.realm(str).clients().get(createUpdateClient(str, clientRepresentation2).getId()).getServiceAccountUser();
                representation.setEnabled(user.getEnabled());
                realmsResource.realm(str).users().get(representation.getId()).update(representation);
            } else {
                UserRepresentation userRepresentation2 = (UserRepresentation) ValueUtil.convert(user, UserRepresentation.class);
                RealmResource realm = realmsResource.realm(str);
                Response create = realm.users().create(userRepresentation2);
                String headerString = create.getHeaderString("Location");
                create.close();
                if (!create.getStatusInfo().equals(Response.Status.CREATED) || TextUtil.isNullOrEmpty(headerString)) {
                    throw new BadRequestException("Failed to create user: User=" + String.valueOf(user));
                }
                String[] split = headerString.split(Topic.SEPARATOR);
                representation = realm.users().get(split.length > 0 ? split[split.length - 1] : null).toRepresentation();
            }
            if (str2 != null || (!z2 && user.isServiceAccount())) {
                if (user.isServiceAccount()) {
                    resetSecret(str, representation.getId(), str2);
                } else {
                    resetPassword(str, representation.getId(), new Credential(str2, false));
                }
            }
            User user3 = (User) ValueUtil.convert(representation, User.class);
            if (user3 != null) {
                user3.setRealm(str);
                if (user3.isServiceAccount()) {
                    user3.setSecret(str2);
                }
                if (user2 != null) {
                    user3.setRealmId(user2.getRealmId());
                }
            }
            this.persistenceService.publishPersistenceEvent(z2 ? PersistenceEvent.Cause.UPDATE : PersistenceEvent.Cause.CREATE, user3, user2, User.class, Collections.singletonList("attributes"), (List) null);
            return user3;
        });
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public void deleteUser(String str, String str2) {
        User user = getUser(str2);
        if (user == null) {
            return;
        }
        if (user.getUsername().equals("admin") && user.getRealm().equals("master")) {
            throw new IllegalStateException("Cannot delete master realm admin user");
        }
        getRealms(realmsResource -> {
            if (user.isServiceAccount()) {
                deleteClient(str, user.getUsername());
                return null;
            }
            Response delete = realmsResource.realm(str).users().delete(str2);
            delete.close();
            if (delete.getStatusInfo().equals(Response.Status.NO_CONTENT)) {
                return null;
            }
            throw new IllegalStateException("Failed to delete user: " + str2);
        });
        this.persistenceService.publishPersistenceEvent(PersistenceEvent.Cause.DELETE, (Object) null, user, User.class, Collections.singletonList("attributes"), (List) null);
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public void resetPassword(String str, String str2, Credential credential) {
        getRealms(realmsResource -> {
            realmsResource.realm(str).users().get(str2).resetPassword((CredentialRepresentation) ValueUtil.convert(credential, CredentialRepresentation.class));
            return null;
        });
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public String resetSecret(String str, String str2, String str3) {
        return (String) getRealms(realmsResource -> {
            UserRepresentation userRepresentation = null;
            try {
                userRepresentation = realmsResource.realm(str).users().get(str2).toRepresentation();
            } catch (Exception e) {
            }
            if (userRepresentation == null) {
                return null;
            }
            return (String) withClientResource(str, userRepresentation.getUsername().substring("service-account-".length()), realmsResource, (clientRepresentation, clientResource) -> {
                if (TextUtil.isNullOrEmpty(str3)) {
                    return clientResource.generateNewSecret().getValue();
                }
                clientRepresentation.setSecret(str3);
                clientResource.update(clientRepresentation);
                return str3;
            }, null);
        });
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public Role[] getClientRoles(String str, String str2) {
        return (Role[]) getRealms(realmsResource -> {
            RealmResource realm = realmsResource.realm(str);
            ClientsResource clients = realm.clients();
            ClientResource clientResource = null;
            if (str2 != null) {
                ClientRepresentation client = getClient(str, str2);
                if (client == null) {
                    throw new IllegalStateException("Cannot find specified client: " + str2);
                }
                clientResource = clients.get(client.getId());
            }
            List<RoleRepresentation> list = clientResource != null ? clientResource.roles().list() : realm.roles().list();
            ArrayList arrayList = new ArrayList();
            for (RoleRepresentation roleRepresentation : list) {
                arrayList.add(new Role(roleRepresentation.getId(), roleRepresentation.getName(), roleRepresentation.isComposite(), (Boolean) null, roleRepresentation.isComposite() ? (String[]) realm.rolesById().getRoleComposites(roleRepresentation.getId()).stream().map((v0) -> {
                    return v0.getId();
                }).toArray(i -> {
                    return new String[i];
                }) : null).setDescription(roleRepresentation.getDescription()));
            }
            return (Role[]) arrayList.toArray(new Role[0]);
        });
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public void updateClientRoles(String str, String str2, Role[] roleArr) {
        getRealms(realmsResource -> {
            RealmResource realm = realmsResource.realm(str);
            ClientsResource clients = realm.clients();
            ClientRepresentation client = getClient(str, str2);
            if (client == null) {
                throw new IllegalStateException("Cannot find specified client: " + str2);
            }
            ClientResource clientResource = clients.get(client.getId());
            ArrayList arrayList = new ArrayList(clientResource.roles().list());
            ((List) arrayList.stream().filter(roleRepresentation -> {
                return Arrays.stream(roleArr).noneMatch(role -> {
                    return roleRepresentation.getId().equals(role.getId());
                });
            }).collect(Collectors.toList())).forEach(roleRepresentation2 -> {
                realm.rolesById().deleteRole(roleRepresentation2.getId());
                arrayList.remove(roleRepresentation2);
            });
            Arrays.stream(roleArr).forEach(role -> {
                RoleRepresentation roleRepresentation3;
                boolean z = false;
                HashSet hashSet = new HashSet();
                HashSet hashSet2 = new HashSet();
                if (role.getId() == null) {
                    roleRepresentation3 = saveClientRole(realm, clientResource, role, null);
                    arrayList.add(roleRepresentation3);
                    z = role.getCompositeRoleIds() != null && role.getCompositeRoleIds().length > 0;
                    if (z) {
                        hashSet2.addAll((Collection) Arrays.stream(role.getCompositeRoleIds()).map(str3 -> {
                            return (RoleRepresentation) arrayList.stream().filter(roleRepresentation4 -> {
                                return roleRepresentation4.getId().equals(str3);
                            }).findFirst().orElse(null);
                        }).filter((v0) -> {
                            return Objects.nonNull(v0);
                        }).collect(Collectors.toSet()));
                    }
                } else {
                    roleRepresentation3 = (RoleRepresentation) arrayList.stream().filter(roleRepresentation4 -> {
                        return roleRepresentation4.getId().equals(role.getId());
                    }).findFirst().orElseThrow(() -> {
                        return new IllegalStateException("One or more supplied roles have an ID that doesn't exist");
                    });
                    boolean z2 = role.isComposite() && role.getCompositeRoleIds() != null && role.getCompositeRoleIds().length > 0;
                    boolean z3 = (Objects.equals(roleRepresentation3.getName(), role.getName()) && Objects.equals(roleRepresentation3.getDescription(), role.getDescription())) ? false : true;
                    if (z2 || roleRepresentation3.isComposite()) {
                        hashSet.addAll((Collection) Optional.ofNullable(realm.rolesById().getClientRoleComposites(roleRepresentation3.getId(), client.getId())).orElse(new HashSet()));
                        hashSet2.addAll((Collection) Arrays.stream(role.getCompositeRoleIds()).map(str4 -> {
                            return (RoleRepresentation) arrayList.stream().filter(roleRepresentation5 -> {
                                return roleRepresentation5.getId().equals(str4);
                            }).findFirst().orElse(null);
                        }).filter((v0) -> {
                            return Objects.nonNull(v0);
                        }).collect(Collectors.toSet()));
                        if (hashSet2.size() != role.getCompositeRoleIds().length) {
                            throw new IllegalStateException("One or more composite roles contain an invalid role ID");
                        }
                        z = !Objects.equals(hashSet, hashSet2);
                    }
                    if (z3) {
                        saveClientRole(realm, clientResource, role, roleRepresentation3);
                    }
                }
                if (z) {
                    List list = (List) hashSet.stream().filter(roleRepresentation5 -> {
                        return !hashSet2.contains(roleRepresentation5);
                    }).collect(Collectors.toList());
                    List list2 = (List) hashSet2.stream().filter(roleRepresentation6 -> {
                        return !hashSet.contains(roleRepresentation6);
                    }).collect(Collectors.toList());
                    if (!list.isEmpty()) {
                        realm.rolesById().deleteComposites(roleRepresentation3.getId(), list);
                    }
                    if (list2.isEmpty()) {
                        return;
                    }
                    realm.rolesById().addComposites(roleRepresentation3.getId(), list2);
                }
            });
            return null;
        });
    }

    protected RoleRepresentation saveClientRole(RealmResource realmResource, ClientResource clientResource, Role role, RoleRepresentation roleRepresentation) {
        if (roleRepresentation == null) {
            roleRepresentation = new RoleRepresentation();
        }
        roleRepresentation.setName(role.getName());
        roleRepresentation.setDescription(role.getDescription());
        roleRepresentation.setClientRole(true);
        if (roleRepresentation.getId() == null) {
            clientResource.roles().create(roleRepresentation);
        } else {
            realmResource.rolesById().updateRole(roleRepresentation.getId(), roleRepresentation);
        }
        return clientResource.roles().get(roleRepresentation.getName()).toRepresentation();
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public String[] getUserClientRoles(String str, String str2, String str3) {
        return (String[]) getRealms(realmsResource -> {
            RoleMappingResource roles = realmsResource.realm(str).users().get(str2).roles();
            return (String[]) withClientResource(str, str3, realmsResource, (clientRepresentation, clientResource) -> {
                return (String[]) roles.clientLevel(clientRepresentation.getId()).listEffective().stream().map((v0) -> {
                    return v0.getName();
                }).toArray(i -> {
                    return new String[i];
                });
            }, () -> {
                return new String[0];
            });
        });
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public String[] getUserRealmRoles(String str, String str2) {
        return (String[]) getRealms(realmsResource -> {
            return (String[]) realmsResource.realm(str).users().get(str2).roles().realmLevel().listEffective().stream().filter(roleRepresentation -> {
                return ("master".equals(str) && "admin".equals(roleRepresentation.getName())) || !isBuiltInRealmRole(roleRepresentation.getName());
            }).map((v0) -> {
                return v0.getName();
            }).toArray(i -> {
                return new String[i];
            });
        });
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public void updateUserClientRoles(@NotNull String str, @NotNull String str2, @NotNull String str3, String... strArr) {
        getRealms(realmsResource -> {
            RealmResource realm = realmsResource.realm(str);
            UserRepresentation representation = realm.users().get(str2).toRepresentation();
            if (representation == null) {
                throw new IllegalStateException("Multiple users with the same username found");
            }
            RoleMappingResource roles = realm.users().get(representation.getId()).roles();
            ClientRepresentation client = getClient(str, str3);
            if (client == null) {
                throw new IllegalStateException("Invalid client: " + str3);
            }
            ClientResource clientResource = realm.clients().get(client.getId());
            List asList = strArr != null ? Arrays.asList(strArr) : Collections.emptyList();
            ((Map) clientResource.roles().list().stream().collect(Collectors.partitioningBy(roleRepresentation -> {
                return asList.contains(roleRepresentation.getName());
            }))).forEach((bool, list) -> {
                if (bool.booleanValue()) {
                    if (list.isEmpty()) {
                        return;
                    }
                    roles.clientLevel(client.getId()).add(list.stream().map(roleRepresentation2 -> {
                        RoleRepresentation roleRepresentation2 = new RoleRepresentation();
                        roleRepresentation2.setId(roleRepresentation2.getId());
                        roleRepresentation2.setName(roleRepresentation2.getName());
                        return roleRepresentation2;
                    }).toList());
                } else {
                    if (list.isEmpty()) {
                        return;
                    }
                    roles.clientLevel(client.getId()).remove(list.stream().map(roleRepresentation3 -> {
                        RoleRepresentation roleRepresentation3 = new RoleRepresentation();
                        roleRepresentation3.setId(roleRepresentation3.getId());
                        roleRepresentation3.setName(roleRepresentation3.getName());
                        return roleRepresentation3;
                    }).toList());
                }
            });
            return null;
        });
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public void updateUserRealmRoles(String str, String str2, String... strArr) {
        getRealms(realmsResource -> {
            RealmResource realm = realmsResource.realm(str);
            UserRepresentation representation = realm.users().get(str2).toRepresentation();
            if (representation == null) {
                throw new IllegalStateException("Multiple users with the same username found");
            }
            RoleMappingResource roles = realm.users().get(representation.getId()).roles();
            List asList = strArr != null ? Arrays.asList(strArr) : Collections.emptyList();
            ((Map) getRealm(str).getRealmRoles().stream().collect(Collectors.partitioningBy(realmRole -> {
                return asList.contains(realmRole.getName());
            }))).forEach((bool, list) -> {
                if (bool.booleanValue()) {
                    if (list.isEmpty()) {
                        return;
                    }
                    roles.realmLevel().add(list.stream().map(realmRole2 -> {
                        RoleRepresentation roleRepresentation = new RoleRepresentation();
                        roleRepresentation.setId(realmRole2.getId());
                        roleRepresentation.setName(realmRole2.getName());
                        return roleRepresentation;
                    }).toList());
                } else {
                    if (list.isEmpty()) {
                        return;
                    }
                    roles.realmLevel().remove(list.stream().map(realmRole3 -> {
                        RoleRepresentation roleRepresentation = new RoleRepresentation();
                        roleRepresentation.setId(realmRole3.getId());
                        roleRepresentation.setName(realmRole3.getName());
                        return roleRepresentation;
                    }).toList());
                }
            });
            return null;
        });
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public boolean isMasterRealmAdmin(String str) {
        Optional findFirst = ((List) getRealms(realmsResource -> {
            return realmsResource.realm("master").users().search("admin", (Integer) null, (Integer) null);
        })).stream().filter(userRepresentation -> {
            return userRepresentation.getUsername().equals("admin");
        }).findFirst();
        if (findFirst.isEmpty()) {
            throw new IllegalStateException("Can't load master realm admin user");
        }
        return ((Boolean) findFirst.map((v0) -> {
            return v0.getId();
        }).map(str2 -> {
            return Boolean.valueOf(str2.equals(str));
        }).orElse(false)).booleanValue();
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public Realm[] getRealms() {
        return ManagerIdentityProvider.getRealmsFromDb(this.persistenceService);
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public Realm getRealm(String str) {
        return this.realmCache.computeIfAbsent(str, str2 -> {
            try {
                Realm realmFromDb = ManagerIdentityProvider.getRealmFromDb(this.persistenceService, str);
                realmFromDb.setRealmRoles((Set) realmFromDb.getRealmRoles().stream().filter(realmRole -> {
                    return ("master".equals(str) && "admin".equals(realmRole.getName())) || !isBuiltInRealmRole(realmRole.getName());
                }).collect(Collectors.toSet()));
                return realmFromDb;
            } catch (Exception e) {
                LOG.log(Level.INFO, "Failed to get realm by name: " + str, (Throwable) e);
                return null;
            }
        });
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public void updateRealm(Realm realm) {
        LOG.fine("Update realm: " + String.valueOf(realm));
        this.realmCache.remove(realm.getName());
        getRealms(realmsResource -> {
            if (TextUtil.isNullOrEmpty(realm.getId())) {
                throw new IllegalStateException("Realm must already exist, ID does not match an existing realm");
            }
            RealmResource realm2 = realmsResource.realm(realm.getName());
            RealmRepresentation representation = realm2.toRepresentation();
            Set set = (Set) realm2.roles().list().stream().filter(roleRepresentation -> {
                return !isBuiltInRealmRole(roleRepresentation.getName());
            }).collect(Collectors.toSet());
            if (representation == null) {
                throw new IllegalStateException("Realm does not exist: " + realm.getName());
            }
            Realm realm3 = (Realm) ValueUtil.convert(representation, Realm.class);
            realm3.setName(representation.getRealm());
            realm3.setRealmRoles((Set) set.stream().map(roleRepresentation2 -> {
                return new RealmRole(roleRepresentation2.getId(), roleRepresentation2.getName(), roleRepresentation2.getDescription());
            }).collect(Collectors.toSet()));
            representation.setDisplayName(realm.getDisplayName());
            representation.setAccountTheme(realm.getAccountTheme());
            representation.setAdminTheme(realm.getAdminTheme());
            representation.setEmailTheme(realm.getEmailTheme());
            representation.setLoginTheme(realm.getLoginTheme());
            representation.setRememberMe(realm.getRememberMe());
            representation.setVerifyEmail(realm.getVerifyEmail());
            representation.setLoginWithEmailAllowed(realm.getLoginWithEmail());
            representation.setRegistrationAllowed(realm.getRegistrationAllowed());
            representation.setRegistrationEmailAsUsername(realm.getRegistrationEmailAsUsername());
            representation.setEnabled(realm.getEnabled());
            representation.setDuplicateEmailsAllowed(realm.getDuplicateEmailsAllowed());
            representation.setResetPasswordAllowed(realm.getResetPasswordAllowed());
            representation.setPasswordPolicy(realm.getPasswordPolicyString());
            representation.setNotBefore(realm.getNotBefore() != null ? Integer.valueOf(realm.getNotBefore().intValue()) : null);
            configureRealm(representation);
            realm2.update(representation);
            HashSet hashSet = new HashSet((Set) (realm.getRealmRoles() != null ? realm.getRealmRoles() : new HashSet()).stream().filter(realmRole -> {
                return !isBuiltInRealmRole(realmRole.getName());
            }).collect(Collectors.toSet()));
            hashSet.addAll(Realm.DEFAULT_REALM_ROLES);
            set.forEach(roleRepresentation3 -> {
                if (hashSet.stream().noneMatch(realmRole2 -> {
                    return realmRole2.getName().equals(roleRepresentation3.getName());
                })) {
                    realm2.roles().deleteRole(roleRepresentation3.getName());
                }
            });
            hashSet.forEach(realmRole2 -> {
                if (set.stream().noneMatch(roleRepresentation4 -> {
                    return roleRepresentation4.getName().equals(realmRole2.getName());
                })) {
                    realm2.roles().create(new RoleRepresentation(realmRole2.getName(), realmRole2.getDescription(), false));
                }
            });
            Realm realm4 = (Realm) ValueUtil.convert(representation, Realm.class);
            realm4.setName(representation.getRealm());
            realm4.setRealmRoles(hashSet);
            this.persistenceService.publishPersistenceEvent(PersistenceEvent.Cause.UPDATE, realm4, realm3, Realm.class, (List) null, (List) null);
            return null;
        });
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public Realm createRealm(Realm realm) {
        LOG.fine("Create realm: " + String.valueOf(realm));
        return (Realm) getRealms(realmsResource -> {
            RealmRepresentation realmRepresentation = (RealmRepresentation) ValueUtil.convert(realm, RealmRepresentation.class);
            realmRepresentation.setRealm(realm.getName());
            try {
                realmsResource.create(realmRepresentation);
                RealmResource realm2 = realmsResource.realm(realm.getName());
                RealmRepresentation representation = realm2.toRepresentation();
                configureRealm(representation);
                realm2.update(representation);
                HashSet hashSet = new HashSet((Set) (realm.getRealmRoles() != null ? realm.getRealmRoles() : new HashSet()).stream().filter(realmRole -> {
                    return !isBuiltInRealmRole(realmRole.getName());
                }).collect(Collectors.toSet()));
                hashSet.addAll(Realm.DEFAULT_REALM_ROLES);
                hashSet.forEach(realmRole2 -> {
                    LOG.finest("Adding realm role + " + String.valueOf(realmRole2));
                    realm2.roles().create(new RoleRepresentation(realmRole2.getName(), realmRole2.getDescription(), false));
                });
                createUpdateClient(realm.getName(), generateOpenRemoteClientRepresentation());
                Realm realm3 = (Realm) ValueUtil.convert(representation, Realm.class);
                realm3.setName(representation.getRealm());
                realm3.setRealmRoles(realm.getRealmRoles());
                this.persistenceService.publishPersistenceEvent(PersistenceEvent.Cause.CREATE, realm, (Object) null, Realm.class, (List) null, (List) null);
                return realm3;
            } catch (Exception e) {
                LOG.log(Level.INFO, "Failed to create realm: " + String.valueOf(realm), (Throwable) e);
                throw e;
            }
        });
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public void deleteRealm(String str) {
        Realm realm = getRealm(str);
        if (realm == null) {
            throw new NotFoundException("Realm does not exist: " + str);
        }
        this.realmCache.remove(str);
        this.persistenceService.doTransaction(entityManager -> {
            Query createQuery = entityManager.createQuery("delete from " + GatewayConnection.class.getSimpleName() + " gc where gc.localRealm = ?1");
            createQuery.setParameter(1, str);
            createQuery.executeUpdate();
            Query createQuery2 = entityManager.createQuery("delete from " + ProvisioningConfig.class.getSimpleName() + " pc where pc.realm = ?1");
            createQuery2.setParameter(1, str);
            createQuery2.executeUpdate();
            Query createQuery3 = entityManager.createQuery("delete from " + RealmRuleset.class.getSimpleName() + " rs where rs.realm = ?1");
            createQuery3.setParameter(1, str);
            createQuery3.executeUpdate();
            this.assetStorageService.delete(this.assetStorageService.findAll(new AssetQuery().select(new AssetQuery.Select().excludeAttributes()).realm(new RealmPredicate(str))).stream().map((v0) -> {
                return v0.getId();
            }).toList());
        });
        LOG.fine("Deleting realm: " + str);
        getRealms(realmsResource -> {
            realmsResource.realm(str).remove();
            return null;
        });
        this.persistenceService.publishPersistenceEvent(PersistenceEvent.Cause.DELETE, (Object) null, realm, Realm.class, (List) null, (List) null);
    }

    public ClientRepresentation generateOpenRemoteClientRepresentation() {
        ClientRepresentation clientRepresentation = new ClientRepresentation();
        clientRepresentation.setClientId(DEFAULT_REALM_KEYCLOAK_THEME_DEFAULT);
        clientRepresentation.setName("OpenRemote");
        clientRepresentation.setPublicClient(true);
        if (MapAccess.getBoolean(this.container.getConfig(), OR_KEYCLOAK_ENABLE_DIRECT_ACCESS_GRANT, this.container.isDevMode())) {
            LOG.info("### Allowing direct access grants for client id '" + clientRepresentation.getClientId() + "', this must NOT be used in production! ###");
            clientRepresentation.setDirectAccessGrantsEnabled(true);
        }
        if (this.container.isDevMode()) {
            clientRepresentation.setWebOrigins(Collections.singletonList("*"));
            clientRepresentation.setRedirectUris(Collections.singletonList("*"));
        } else {
            clientRepresentation.setWebOrigins(Collections.singletonList("+"));
            clientRepresentation.setRedirectUris(this.validRedirectUris);
        }
        return clientRepresentation;
    }

    public ClientRepresentation getClient(String str, String str2) {
        return (ClientRepresentation) getRealms(realmsResource -> {
            return (ClientRepresentation) withClientResource(str, str2, realmsResource, (clientRepresentation, clientResource) -> {
                return clientRepresentation;
            }, null);
        });
    }

    public ClientRepresentation[] getClients(String str) {
        return (ClientRepresentation[]) getRealms(realmsResource -> {
            return (ClientRepresentation[]) realmsResource.realm(str).clients().findAll().toArray(new ClientRepresentation[0]);
        });
    }

    public ClientRepresentation createUpdateClient(String str, ClientRepresentation clientRepresentation) {
        if (clientRepresentation == null || clientRepresentation.getClientId() == null) {
            throw new IllegalArgumentException("Client is null or clientId is missing");
        }
        return (ClientRepresentation) getRealms(realmsResource -> {
            return (ClientRepresentation) withClientResource(str, clientRepresentation.getClientId(), realmsResource, (clientRepresentation2, clientResource) -> {
                clientResource.update(clientRepresentation);
                return clientRepresentation;
            }, () -> {
                ClientsResource clients = realmsResource.realm(str).clients();
                Response create = clients.create(clientRepresentation);
                create.close();
                if (create.getStatusInfo().getFamily() != Response.Status.Family.SUCCESSFUL) {
                    LOG.fine("Failed to create client response=" + create.getStatusInfo().getStatusCode() + ": " + String.valueOf(clientRepresentation));
                    return null;
                }
                ClientRepresentation clientRepresentation3 = (ClientRepresentation) clients.findByClientId(clientRepresentation.getClientId()).get(0);
                addDefaultRoles(clients.get(clientRepresentation3.getId()).roles());
                return clientRepresentation3;
            });
        });
    }

    public void deleteClient(String str, String str2) {
        if (TextUtil.isNullOrEmpty(str) || TextUtil.isNullOrEmpty(str2)) {
            throw new IllegalArgumentException("Invalid client credentials realm and client ID must be specified");
        }
        getRealms(realmsResource -> {
            if (realmsResource.realm(str) == null) {
                LOG.fine("Invalid realm provided for deleteClient call: " + str);
                return null;
            }
            LOG.fine("Deleting client: realm=" + str + ", client ID=" + str2);
            return withClientResource(str, str2, realmsResource, (clientRepresentation, clientResource) -> {
                clientResource.remove();
                return null;
            }, () -> {
                return null;
            });
        });
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public boolean isRealmActiveAndAccessible(AuthContext authContext, Realm realm) {
        if (realm == null) {
            return false;
        }
        boolean z = authContext != null && authContext.isSuperUser();
        return z || ((z || authContext == null || authContext.isRealmAccessibleByUser(realm.getName())) && realm.isActive((double) this.timerService.getCurrentTimeMillis()));
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public boolean isRealmActiveAndAccessible(AuthContext authContext, String str) {
        return isRealmActiveAndAccessible(authContext, getRealm(str));
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public boolean realmExists(String str) {
        return ManagerIdentityProvider.realmExistsFromDb(this.persistenceService, str);
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public boolean isRestrictedUser(AuthContext authContext) {
        return authContext != null && authContext.hasRealmRole("restricted_user");
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public boolean isUserInRealm(String str, String str2) {
        return ManagerIdentityProvider.userInRealmFromDb(this.persistenceService, str, str2);
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public boolean canSubscribeWith(AuthContext authContext, RealmFilter<?> realmFilter, ClientRole... clientRoleArr) {
        if (authContext.isSuperUser()) {
            return true;
        }
        if (isRestrictedUser(authContext)) {
            return false;
        }
        if (clientRoleArr != null) {
            for (ClientRole clientRole : clientRoleArr) {
                if (!authContext.hasResourceRole(clientRole.getValue(), DEFAULT_REALM_KEYCLOAK_THEME_DEFAULT)) {
                    return false;
                }
            }
        }
        if (realmFilter == null) {
            return false;
        }
        String authenticatedRealmName = authContext.getAuthenticatedRealmName();
        return !TextUtil.isNullOrEmpty(authenticatedRealmName) && authenticatedRealmName.equals(realmFilter.getName());
    }

    @Override // org.openremote.manager.security.ManagerIdentityProvider
    public String getFrontendURI() {
        return this.frontendURI;
    }

    protected void configureRealm(RealmRepresentation realmRepresentation) {
        realmRepresentation.setAccessTokenLifespan(60);
        String string = MapAccess.getString(this.container.getConfig(), realmRepresentation.getRealm().toUpperCase(Locale.ROOT) + "_REALM_KEYCLOAK_THEME", MapAccess.getString(this.container.getConfig(), DEFAULT_REALM_KEYCLOAK_THEME, DEFAULT_REALM_KEYCLOAK_THEME_DEFAULT));
        if (TextUtil.isNullOrEmpty(realmRepresentation.getLoginTheme())) {
            realmRepresentation.setLoginTheme(string);
        }
        if (TextUtil.isNullOrEmpty(realmRepresentation.getAccountTheme())) {
            realmRepresentation.setAccountTheme(string);
        }
        if (TextUtil.isNullOrEmpty(realmRepresentation.getEmailTheme())) {
            realmRepresentation.setEmailTheme(string);
        }
        realmRepresentation.setDisplayNameHtml(realmRepresentation.getDisplayName().replaceAll("[^A-Za-z0-9]", MapService.OR_PATH_PREFIX_DEFAULT));
        realmRepresentation.setSsoSessionIdleTimeout(Integer.valueOf(this.sessionTimeoutSeconds));
        realmRepresentation.setSsoSessionMaxLifespan(Integer.valueOf(this.sessionMaxSeconds));
        realmRepresentation.setOfflineSessionIdleTimeout(Integer.valueOf(this.sessionOfflineTimeoutSeconds));
        realmRepresentation.setSslRequired(SslRequired.NONE.toString());
        String str = (String) this.container.getConfig().getOrDefault("OR_EMAIL_HOST", null);
        if (!TextUtil.isNullOrEmpty(str) && (realmRepresentation.getSmtpServer() == null || realmRepresentation.getSmtpServer().isEmpty())) {
            LOG.info("Configuring Keycloak SMTP settings for realm: " + realmRepresentation.getRealm());
            HashMap hashMap = new HashMap();
            hashMap.put("host", str);
            hashMap.put("port", (String) this.container.getConfig().getOrDefault("OR_EMAIL_PORT", Integer.toString(587)));
            hashMap.put("user", (String) this.container.getConfig().getOrDefault("OR_EMAIL_USER", null));
            hashMap.put("password", (String) this.container.getConfig().getOrDefault("OR_EMAIL_PASSWORD", null));
            hashMap.put("auth", this.container.getConfig().containsKey("OR_EMAIL_USER") ? "true" : "false");
            hashMap.put("starttls", Boolean.toString(MapAccess.getBoolean(this.container.getConfig(), "OR_EMAIL_TLS", true)));
            hashMap.put(SslHealthStatusProvider.NAME, Boolean.toString(!MapAccess.getBoolean(this.container.getConfig(), "OR_EMAIL_TLS", true) && MapAccess.getString(this.container.getConfig(), "OR_EMAIL_PROTOCOL", "smtp").equals("smtps")));
            hashMap.put("from", MapAccess.getString(this.container.getConfig(), "OR_EMAIL_FROM", "no-reply@localhost"));
            realmRepresentation.setSmtpServer(hashMap);
        }
        Map browserSecurityHeaders = realmRepresentation.getBrowserSecurityHeaders();
        if (browserSecurityHeaders == null) {
            browserSecurityHeaders = new HashMap();
            realmRepresentation.setBrowserSecurityHeaders(browserSecurityHeaders);
        }
        if (this.container.isDevMode()) {
            browserSecurityHeaders.computeIfPresent("contentSecurityPolicy", (str2, str3) -> {
                return "frame-src *; frame-ancestors *; object-src 'none'";
            });
            return;
        }
        String join = String.join(" ", WebService.getAllowedOrigins(this.container));
        if (TextUtil.isNullOrEmpty(join)) {
            return;
        }
        browserSecurityHeaders.compute("contentSecurityPolicy", (str4, str5) -> {
            return "frame-src 'self' " + join.replace(';', ' ') + "; frame-ancestors 'self' " + join.replace(';', ' ') + "; object-src 'none'";
        });
    }

    protected void addDefaultRoles(RolesResource rolesResource) {
        for (ClientRole clientRole : ClientRole.values()) {
            rolesResource.create(clientRole.getRepresentation());
        }
        for (ClientRole clientRole2 : ClientRole.values()) {
            if (clientRole2.getComposites() != null) {
                ArrayList arrayList = new ArrayList();
                for (ClientRole clientRole3 : clientRole2.getComposites()) {
                    arrayList.add(rolesResource.get(clientRole3.getValue()).toRepresentation());
                }
                rolesResource.get(clientRole2.getValue()).addComposites(arrayList);
            }
        }
    }

    public String addLDAPConfiguration(String str, ComponentRepresentation componentRepresentation) {
        return (String) getRealms(realmsResource -> {
            RealmResource realm = realmsResource.realm(str);
            Response add = realm.components().add(componentRepresentation);
            add.close();
            if (!add.getStatusInfo().equals(Response.Status.CREATED)) {
                throw new IllegalStateException("Failed to add LDAP configuration");
            }
            ComponentRepresentation componentRepresentation2 = (ComponentRepresentation) realm.components().query(componentRepresentation.getParentId(), componentRepresentation.getProviderType(), componentRepresentation.getName()).get(0);
            syncUsers(componentRepresentation2.getId(), str, "triggerFullSync");
            return componentRepresentation2.getId();
        });
    }

    public String addLDAPMapper(String str, ComponentRepresentation componentRepresentation) {
        return (String) getRealms(realmsResource -> {
            RealmResource realm = realmsResource.realm(str);
            Response add = realm.components().add(componentRepresentation);
            add.close();
            if (!add.getStatusInfo().equals(Response.Status.CREATED)) {
                throw new IllegalStateException("Failed to add LDAP mapper");
            }
            ComponentRepresentation componentRepresentation2 = (ComponentRepresentation) realm.components().query(componentRepresentation.getParentId(), componentRepresentation.getProviderType(), componentRepresentation.getName()).get(0);
            realm.userStorage().syncMapperData(componentRepresentation2.getParentId(), componentRepresentation2.getId(), "fedToKeycloak");
            return componentRepresentation2.getId();
        });
    }

    public static boolean isBuiltInRealmRole(String str) {
        return str.startsWith("default-roles-") || BUILT_IN_REALM_ROLES.contains(str);
    }

    public String toString() {
        return getClass().getSimpleName() + "{}";
    }
}
