package org.keycloak.storage.ldap.mappers.membership.role;

import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.ModelException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleContainerModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.RoleUtils;
import org.keycloak.models.utils.UserModelDelegate;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.LDAPUtils;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQueryConditionsBuilder;
import org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper;
import org.keycloak.storage.ldap.mappers.membership.CommonLDAPGroupMapper;
import org.keycloak.storage.ldap.mappers.membership.CommonLDAPGroupMapperConfig;
import org.keycloak.storage.ldap.mappers.membership.LDAPGroupMapperMode;
import org.keycloak.storage.user.SynchronizationResult;

/* loaded from: input_file:wildfly-10.1.0.Final/modules/system/add-ons/keycloak/org/keycloak/keycloak-ldap-federation/main/keycloak-ldap-federation-2.5.5.Final.jar:org/keycloak/storage/ldap/mappers/membership/role/RoleLDAPStorageMapper.class */
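/**
 * LDAP storage mapper that maps LDAP "role" entries (group-like objects located under the
 * configured {@code rolesDn}, see {@link #createRoleQuery()}) onto Keycloak roles of one
 * target {@link RoleContainerModel}: either the realm itself or a client selected by the
 * {@code client.id} parameter (see {@link #getTargetRoleContainer(RealmModel)}).
 *
 * <p>What happens depends on the configured {@link LDAPGroupMapperMode}:
 * <ul>
 *   <li>{@code IMPORT} – LDAP role memberships are granted to the local user once, when the
 *       user is first imported ({@link #onImportUserFromLDAP}); {@link #proxy} returns the
 *       plain user, so later reads never touch LDAP.</li>
 *   <li>{@code READ_ONLY} – LDAP memberships for the target container are merged into the
 *       user's role mappings at read time; deleting an LDAP-backed mapping is refused.</li>
 *   <li>{@code LDAP_ONLY} – LDAP is authoritative for the target container: mappings are
 *       read from and written to LDAP, and local mappings for that container are hidden.</li>
 * </ul>
 *
 * <p>Trust boundary: in every mode the value of the configured role-name LDAP attribute is
 * used to look up a Keycloak role in the target container and, when it does not exist, to
 * create it. The directory (and anyone who can write role entries under {@code rolesDn})
 * therefore decides which roles exist in that container and which users hold them.
 */
public class RoleLDAPStorageMapper extends AbstractLDAPStorageMapper implements CommonLDAPGroupMapper {
    private static final Logger logger = Logger.getLogger(RoleLDAPStorageMapper.class);
    private final RoleMapperConfig config;
    private final RoleLDAPStorageMapperFactory factory;

    /**
     * {@link UserModel} decorator returned by {@link #proxy} in {@code READ_ONLY} and
     * {@code LDAP_ONLY} mode. Role mappings belonging to the mapper's target container are
     * resolved from LDAP (and cached for the lifetime of this delegate); everything else is
     * forwarded to the wrapped user. Not thread-safe: the cache is a plain field.
     */
    public class LDAPRoleMappingsUserDelegate extends UserModelDelegate {
        private final RealmModel realm;
        private final LDAPObject ldapUser;
        // Realm or client whose roles this mapper manages, resolved once per delegate.
        private final RoleContainerModel roleContainer;
        // Roles resolved from LDAP; null until the first read, and reset by every write
        // that goes through this delegate so the next read sees the new membership.
        private Set<RoleModel> cachedLDAPRoleMappings;

        /**
         * @param realm    realm the user belongs to
         * @param user     user whose role mappings are decorated
         * @param ldapUser LDAP entry of that user (source of the membership lookups)
         * @throws ModelException if client-role mapping is configured but the client cannot be resolved
         */
        public LDAPRoleMappingsUserDelegate(RealmModel realm, UserModel user, LDAPObject ldapUser) {
            super(user);
            this.realm = realm;
            this.ldapUser = ldapUser;
            this.roleContainer = getTargetRoleContainer(realm);
        }

        /** @return {@code true} when the mapper runs in {@code LDAP_ONLY} mode. */
        private boolean isLdapOnly() {
            return config.getMode() == LDAPGroupMapperMode.LDAP_ONLY;
        }

        /**
         * Realm role mappings. Only affected when the target container is the realm: then
         * the LDAP memberships are returned, plus the local mappings unless LDAP is
         * authoritative ({@code LDAP_ONLY}).
         */
        @Override
        public Set<RoleModel> getRealmRoleMappings() {
            if (!roleContainer.equals(realm)) {
                return super.getRealmRoleMappings();
            }
            Set<RoleModel> roles = getLDAPRoleMappingsConverted();
            if (!isLdapOnly()) {
                roles.addAll(super.getRealmRoleMappings());
            }
            return roles;
        }

        /**
         * Client role mappings. Only affected when {@code client} is the target container;
         * merging rules are the same as for {@link #getRealmRoleMappings()}.
         */
        @Override
        public Set<RoleModel> getClientRoleMappings(ClientModel client) {
            if (!roleContainer.equals(client)) {
                return super.getClientRoleMappings(client);
            }
            Set<RoleModel> roles = getLDAPRoleMappingsConverted();
            if (!isLdapOnly()) {
                roles.addAll(super.getClientRoleMappings(client));
            }
            return roles;
        }

        /**
         * Checks direct mappings (including the LDAP ones, via {@link #getRoleMappings()})
         * and roles inherited through the user's groups and their parents.
         */
        @Override
        public boolean hasRole(RoleModel role) {
            return RoleUtils.hasRole(getRoleMappings(), role)
                    || RoleUtils.hasRoleFromGroup(getGroups(), role, true);
        }

        /**
         * Grants a role. Written to LDAP only in {@code LDAP_ONLY} mode and only for roles of
         * the target container; every other grant (including all grants in {@code READ_ONLY}
         * and {@code IMPORT} mode) is stored locally.
         */
        @Override
        public void grantRole(RoleModel role) {
            if (!isLdapOnly() || !role.getContainer().equals(roleContainer)) {
                super.grantRole(role);
                return;
            }
            cachedLDAPRoleMappings = null;
            addRoleMappingInLDAP(role.getName(), ldapUser);
        }

        /**
         * All role mappings of the user. In {@code LDAP_ONLY} mode local mappings for the
         * target container are dropped first, so that only LDAP decides membership there;
         * the LDAP-resolved roles are then added in every mode.
         *
         * <p>Assumes {@code super.getRoleMappings()} returns a mutable set owned by the caller
         * (it is modified in place) — confirm against the underlying store if this changes.
         */
        @Override
        public Set<RoleModel> getRoleMappings() {
            Set<RoleModel> roles = super.getRoleMappings();
            Set<RoleModel> ldapRoles = getLDAPRoleMappingsConverted();
            if (isLdapOnly()) {
                // Iterate over a snapshot; removing from the live set while iterating it
                // would throw ConcurrentModificationException.
                for (RoleModel local : new HashSet<RoleModel>(roles)) {
                    if (local.getContainer().equals(roleContainer)) {
                        roles.remove(local);
                    }
                }
            }
            roles.addAll(ldapRoles);
            return roles;
        }

        /**
         * Resolves the user's LDAP role memberships to Keycloak roles of the target container,
         * creating any role that does not exist yet (see the class note on trust). The result
         * is cached; callers always receive a private copy they may modify.
         *
         * @return a new mutable set of the roles the user holds according to LDAP
         */
        protected Set<RoleModel> getLDAPRoleMappingsConverted() {
            if (cachedLDAPRoleMappings != null) {
                return new HashSet<RoleModel>(cachedLDAPRoleMappings);
            }
            List<LDAPObject> ldapRoles = getLDAPRoleMappings(ldapUser);
            String roleNameAttr = config.getRoleNameLdapAttribute();
            Set<RoleModel> roles = new HashSet<RoleModel>();
            for (LDAPObject ldapRole : ldapRoles) {
                String roleName = roleNameOf(ldapRole, roleNameAttr);
                if (roleName == null) {
                    continue;
                }
                roles.add(getOrCreateRole(roleContainer, roleName));
            }
            cachedLDAPRoleMappings = new HashSet<RoleModel>(roles);
            return roles;
        }

        /**
         * Removes a role mapping. For roles outside the target container the call is
         * forwarded. For target-container roles the LDAP membership is looked up first:
         * <ul>
         *   <li>not in LDAP – in {@code READ_ONLY} mode it can only be a local mapping and is
         *       removed locally; in {@code LDAP_ONLY} mode there is nothing to remove;</li>
         *   <li>in LDAP – refused in {@code READ_ONLY} mode, removed from LDAP otherwise.</li>
         * </ul>
         *
         * @throws ModelException in {@code READ_ONLY} mode when the mapping lives in LDAP
         */
        @Override
        public void deleteRoleMapping(RoleModel role) {
            if (!role.getContainer().equals(roleContainer)) {
                super.deleteRoleMapping(role);
                return;
            }
            LDAPObject ldapRole = findLdapRoleMembership(role.getName());
            boolean readOnly = config.getMode() == LDAPGroupMapperMode.READ_ONLY;
            if (ldapRole == null) {
                if (readOnly) {
                    super.deleteRoleMapping(role);
                }
                return;
            }
            if (readOnly) {
                throw new ModelException("Not possible to delete LDAP role mappings as mapper mode is READ_ONLY");
            }
            cachedLDAPRoleMappings = null;
            deleteRoleMappingInLDAP(ldapUser, ldapRole);
        }

        /**
         * Searches LDAP for the role entry named {@code roleName} that lists this user as a
         * member.
         *
         * <p>Both filter values (the role name and the member value derived from the user
         * entry) are passed through {@code LDAPQueryConditionsBuilder.equal}; escaping of
         * LDAP filter metacharacters is that builder's responsibility — confirm it does so
         * before accepting role names from an untrusted source.
         *
         * @return the matching role entry, or {@code null} if the user is not a member
         */
        private LDAPObject findLdapRoleMembership(String roleName) {
            LDAPQuery query = createRoleQuery();
            LDAPQueryConditionsBuilder conditions = new LDAPQueryConditionsBuilder();
            String memberValue = LDAPUtils.getMemberValueOfChildObject(ldapUser,
                    config.getMembershipTypeLdapAttribute(), getMembershipUserLdapAttribute());
            query.addWhereCondition(conditions.equal(config.getRoleNameLdapAttribute(), roleName))
                    .addWhereCondition(conditions.equal(config.getMembershipLdapAttribute(), memberValue));
            return query.getFirstResult();
        }
    }

    /**
     * @param mapperModel   component holding this mapper's configuration
     * @param ldapProvider  LDAP storage provider the mapper belongs to
     * @param factory       factory used to obtain the user-roles retrieve strategy
     */
    public RoleLDAPStorageMapper(ComponentModel mapperModel, LDAPStorageProvider ldapProvider,
            RoleLDAPStorageMapperFactory factory) {
        super(mapperModel, ldapProvider);
        this.config = new RoleMapperConfig(mapperModel);
        this.factory = factory;
    }

    /** {@inheritDoc} For this mapper the "group" query is the role query. */
    @Override
    public LDAPQuery createLDAPGroupQuery() {
        return createRoleQuery();
    }

    @Override
    public CommonLDAPGroupMapperConfig getConfig() {
        return config;
    }

    /**
     * In {@code IMPORT} mode, on first import of a user, grants the user every role found in
     * LDAP (creating missing roles in the target container). Other modes and later
     * re-imports are no-ops here; they are served by {@link #proxy} instead.
     *
     * @param ldapUser the user's LDAP entry
     * @param user     the local user being imported
     * @param realm    the realm
     * @param isCreate {@code true} when the local user is being created, {@code false} on re-import
     */
    @Override
    public void onImportUserFromLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm, boolean isCreate) {
        if (config.getMode() != LDAPGroupMapperMode.IMPORT || !isCreate) {
            return;
        }
        List<LDAPObject> ldapRoles = getLDAPRoleMappings(ldapUser);
        if (ldapRoles.isEmpty()) {
            return;
        }
        // Resolved once rather than per role; deferred until we know there is work so that a
        // misconfigured client.id is reported exactly when it used to be.
        RoleContainerModel container = getTargetRoleContainer(realm);
        String roleNameAttr = config.getRoleNameLdapAttribute();
        for (LDAPObject ldapRole : ldapRoles) {
            String roleName = roleNameOf(ldapRole, roleNameAttr);
            if (roleName == null) {
                continue;
            }
            RoleModel role = getOrCreateRole(container, roleName);
            logger.debugf("Granting role [%s] to user [%s] during import from LDAP", roleName, user.getUsername());
            user.grantRole(role);
        }
    }

    /** Nothing to do: roles are never pushed to LDAP on user registration. */
    @Override
    public void onRegisterUserToLDAP(LDAPObject ldapUser, UserModel user, RealmModel realm) {
    }

    /**
     * Creates a Keycloak role in the target container for every LDAP role entry that has no
     * counterpart yet. Runs in every mode. Existing roles are counted as "updated" although
     * they are left untouched.
     *
     * @return counts of created and already-present roles
     */
    @Override
    public SynchronizationResult syncDataFromFederationProviderToKeycloak(RealmModel realm) {
        SynchronizationResult syncResult = new SynchronizationResult() {
            @Override
            public String getStatus() {
                return String.format("%d imported roles, %d roles already exists in Keycloak", getAdded(), getUpdated());
            }
        };
        logger.debugf("Syncing roles from LDAP into Keycloak DB. Mapper is [%s], LDAP provider is [%s]",
                mapperModel.getName(), ldapProvider.getModel().getName());
        List<LDAPObject> ldapRoles = LDAPUtils.loadAllLDAPObjects(createRoleQuery(), ldapProvider);
        RoleContainerModel container = getTargetRoleContainer(realm);
        String roleNameAttr = config.getRoleNameLdapAttribute();
        for (LDAPObject ldapRole : ldapRoles) {
            String roleName = roleNameOf(ldapRole, roleNameAttr);
            if (roleName == null) {
                continue;
            }
            if (container.getRole(roleName) == null) {
                logger.debugf("Syncing role [%s] from LDAP to keycloak DB", roleName);
                container.addRole(roleName);
                syncResult.increaseAdded();
            } else {
                syncResult.increaseUpdated();
            }
        }
        return syncResult;
    }

    /**
     * Creates an LDAP role entry for every role of the target container that does not exist
     * in LDAP yet. Only allowed in {@code LDAP_ONLY} mode; in any other mode the sync is
     * skipped with a warning and an empty result. Memberships are not synchronised, only the
     * role entries themselves.
     *
     * @return counts of created and already-present LDAP entries
     */
    @Override
    public SynchronizationResult syncDataFromKeycloakToFederationProvider(RealmModel realm) {
        SynchronizationResult syncResult = new SynchronizationResult() {
            @Override
            public String getStatus() {
                return String.format("%d roles imported to LDAP, %d roles already existed in LDAP", getAdded(), getUpdated());
            }
        };
        if (config.getMode() != LDAPGroupMapperMode.LDAP_ONLY) {
            logger.warnf("Ignored sync for federation mapper '%s' as it's mode is '%s'",
                    mapperModel.getName(), config.getMode());
            return syncResult;
        }
        logger.debugf("Syncing roles from Keycloak into LDAP. Mapper is [%s], LDAP provider is [%s]",
                mapperModel.getName(), ldapProvider.getModel().getName());
        // Names of the roles already present in LDAP, for a single membership test per role.
        Set<String> ldapRoleNames = new HashSet<String>();
        String roleNameAttr = config.getRoleNameLdapAttribute();
        for (LDAPObject ldapRole : createRoleQuery().getResultList()) {
            String roleName = roleNameOf(ldapRole, roleNameAttr);
            if (roleName != null) {
                ldapRoleNames.add(roleName);
            }
        }
        for (RoleModel role : getTargetRoleContainer(realm).getRoles()) {
            String roleName = role.getName();
            if (ldapRoleNames.contains(roleName)) {
                syncResult.increaseUpdated();
            } else {
                logger.debugf("Syncing role [%s] from Keycloak to LDAP", roleName);
                createLDAPRole(roleName);
                syncResult.increaseAdded();
            }
        }
        return syncResult;
    }

    /**
     * Builds the base query for role entries: search under {@code rolesDn} with the
     * provider's search scope, restricted to the configured object classes, returning the
     * role-name and membership attributes. A non-blank custom LDAP filter from the mapper
     * configuration is appended verbatim ({@code addCustomLDAPFilter}); it is administrator
     * input and is not validated here.
     *
     * @return a fresh query callers may add further conditions to
     */
    public LDAPQuery createRoleQuery() {
        LDAPQuery query = new LDAPQuery(ldapProvider);
        query.setSearchScope(ldapProvider.getLdapIdentityStore().getConfig().getSearchScope());
        query.setSearchDn(config.getRolesDn());
        query.addObjectClasses(config.getRoleObjectClasses(ldapProvider));
        String customFilter = config.getCustomLdapFilter();
        if (customFilter != null && !customFilter.trim().isEmpty()) {
            query.addWhereCondition(new LDAPQueryConditionsBuilder().addCustomLDAPFilter(customFilter));
        }
        query.addReturningLdapAttribute(config.getRoleNameLdapAttribute());
        query.addReturningLdapAttribute(config.getMembershipLdapAttribute());
        return query;
    }

    /**
     * Resolves the container whose roles this mapper manages: the realm when realm-role
     * mapping is configured, otherwise the client identified by {@code client.id}.
     *
     * @throws ModelException if client mapping is configured without {@code client.id}, or the client does not exist
     */
    protected RoleContainerModel getTargetRoleContainer(RealmModel realm) {
        if (config.isRealmRolesMapping()) {
            return realm;
        }
        String clientId = config.getClientId();
        if (clientId == null) {
            throw new ModelException("Using client roles mapping is requested, but parameter client.id not found!");
        }
        ClientModel client = realm.getClientByClientId(clientId);
        if (client == null) {
            throw new ModelException("Can't found requested client with clientId: " + clientId);
        }
        return client;
    }

    /**
     * Creates a role entry in LDAP under {@code rolesDn} with the configured object classes
     * and no members.
     *
     * @param roleName value of the role-name attribute for the new entry
     * @return the created entry
     */
    public LDAPObject createLDAPRole(String roleName) {
        LDAPObject ldapRole = LDAPUtils.createLDAPGroup(ldapProvider, roleName, config.getRoleNameLdapAttribute(),
                config.getRoleObjectClasses(ldapProvider), config.getRolesDn(), Collections.<String, Object>emptyMap());
        logger.debugf("Creating role [%s] to LDAP with DN [%s]", roleName, ldapRole.getDn());
        return ldapRole;
    }

    /**
     * Adds {@code ldapUser} as a member of the LDAP role named {@code roleName}, creating the
     * role entry first if it does not exist.
     */
    public void addRoleMappingInLDAP(String roleName, LDAPObject ldapUser) {
        LDAPObject ldapRole = loadLDAPRoleByName(roleName);
        if (ldapRole == null) {
            ldapRole = createLDAPRole(roleName);
        }
        LDAPUtils.addMember(ldapProvider, config.getMembershipTypeLdapAttribute(), config.getMembershipLdapAttribute(),
                getMembershipUserLdapAttribute(), ldapRole, ldapUser, true);
    }

    /**
     * Removes {@code ldapUser} from the members of {@code ldapRole}.
     *
     * @param ldapUser the user entry (first parameter, unlike {@code LDAPUtils.deleteMember})
     * @param ldapRole the role entry
     */
    public void deleteRoleMappingInLDAP(LDAPObject ldapUser, LDAPObject ldapRole) {
        LDAPUtils.deleteMember(ldapProvider, config.getMembershipTypeLdapAttribute(), config.getMembershipLdapAttribute(),
                getMembershipUserLdapAttribute(), ldapRole, ldapUser);
    }

    /**
     * @return the LDAP role entry whose role-name attribute equals {@code roleName}, or {@code null}
     */
    public LDAPObject loadLDAPRoleByName(String roleName) {
        LDAPQuery query = createRoleQuery();
        query.addWhereCondition(new LDAPQueryConditionsBuilder().equal(config.getRoleNameLdapAttribute(), roleName));
        return query.getFirstResult();
    }

    /**
     * @return the LDAP role entries {@code ldapUser} is a member of, as determined by the
     *         configured user-roles retrieve strategy
     */
    protected List<LDAPObject> getLDAPRoleMappings(LDAPObject ldapUser) {
        return factory.getUserRolesRetrieveStrategy(config.getUserRolesRetrieveStrategy())
                .getLDAPRoleMappings(this, ldapUser, ldapProvider.getLdapIdentityStore().getConfig());
    }

    /**
     * Wraps the user so that role mappings are served from LDAP — except in {@code IMPORT}
     * mode, where the roles were already copied locally and the user is returned as is.
     */
    @Override
    public UserModel proxy(LDAPObject ldapUser, UserModel user, RealmModel realm) {
        if (config.getMode() == LDAPGroupMapperMode.IMPORT) {
            return user;
        }
        return new LDAPRoleMappingsUserDelegate(realm, user, ldapUser);
    }

    /** Lets the retrieve strategy adjust the user query (e.g. request extra attributes). */
    @Override
    public void beforeLDAPQuery(LDAPQuery query) {
        factory.getUserRolesRetrieveStrategy(config.getUserRolesRetrieveStrategy()).beforeUserLDAPQuery(query);
    }

    /** @return the user attribute whose value is stored in the role's membership attribute */
    protected String getMembershipUserLdapAttribute() {
        return config.getMembershipUserLdapAttribute(ldapProvider.getLdapIdentityStore().getConfig());
    }

    /**
     * Reads the role name from an LDAP role entry.
     *
     * @param ldapRole     the entry
     * @param roleNameAttr the configured role-name attribute (hoisted by callers)
     * @return the name, or {@code null} after logging a warning when the entry carries no
     *         value — {@code getAttributeAsString} is assumed to return {@code null} then,
     *         which would otherwise be passed on as a role named {@code null}
     */
    private String roleNameOf(LDAPObject ldapRole, String roleNameAttr) {
        String roleName = ldapRole.getAttributeAsString(roleNameAttr);
        if (roleName == null) {
            logger.warnf("LDAP entry [%s] has no value for role name attribute [%s], skipping it",
                    ldapRole.getDn(), roleNameAttr);
        }
        return roleName;
    }

    /**
     * Looks up {@code roleName} in {@code container}, creating the role when absent. Not
     * atomic: two concurrent first-time lookups of the same name may both reach
     * {@code addRole}; what happens then depends on the role store.
     */
    private static RoleModel getOrCreateRole(RoleContainerModel container, String roleName) {
        RoleModel role = container.getRole(roleName);
        if (role == null) {
            role = container.addRole(roleName);
        }
        return role;
    }
}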
