package org.keycloak.broker.oidc.mappers;

import java.util.ArrayList;
import java.util.List;
import org.keycloak.broker.oidc.KeycloakOIDCIdentityProvider;
import org.keycloak.broker.oidc.KeycloakOIDCIdentityProviderFactory;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.HardcodedRoleMapper;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.JsonWebToken;

/* loaded from: input_file:org/keycloak/broker/oidc/mappers/ExternalKeycloakRoleToRoleMapper.class */
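/**
 * Identity-provider mapper that mirrors a role held in a brokered Keycloak
 * realm onto a role of this realm.
 *
 * <p>The external role is looked up in the access token that the
 * {@link KeycloakOIDCIdentityProvider} validated and stored in the brokered
 * context under {@link KeycloakOIDCIdentityProvider#VALIDATED_ACCESS_TOKEN},
 * in the claim {@code realm_access.roles} or, for a client role written as
 * {@code client.role}, {@code resource_access.<client>.roles}.
 *
 * <p>On first login the configured local role is granted when the external
 * role is present. On every subsequent login the local role is revoked when
 * the external role is no longer present, so a local privilege never outlives
 * the external one that justified it. (The local role is not re-granted on
 * subsequent logins by this mapper; that matches the original behaviour.)
 */
public class ExternalKeycloakRoleToRoleMapper extends AbstractClaimMapper {
    public static final String[] COMPATIBLE_PROVIDERS = {KeycloakOIDCIdentityProviderFactory.PROVIDER_ID};
    private static final List<ProviderConfigProperty> configProperties = new ArrayList<>();
    /** Config key: the external role to look for, optionally as {@code client.role}. */
    private static final String EXTERNAL_ROLE = "external.role";
    /** Config key: the local realm or client role to grant/revoke. */
    private static final String ROLE = "role";
    public static final String PROVIDER_ID = "keycloak-oidc-role-to-role-idp-mapper";

    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return configProperties;
    }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String[] getCompatibleProviders() {
        return COMPATIBLE_PROVIDERS;
    }

    @Override
    public String getDisplayCategory() {
        return "Role Importer";
    }

    @Override
    public String getDisplayType() {
        return "External Role to Role";
    }

    /**
     * First login of a brokered user: grant the configured local role if the
     * external role is present in the validated access token.
     *
     * @throws IdentityBrokerException if the external role is present but the
     *         configured local role does not exist in this realm
     */
    @Override
    public void importNewUser(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, IdentityProviderMapperModel identityProviderMapperModel, BrokeredIdentityContext brokeredIdentityContext) {
        if (hasExternalRole(identityProviderMapperModel, brokeredIdentityContext)) {
            userModel.grantRole(requireLocalRole(realmModel, identityProviderMapperModel));
        }
    }

    /**
     * Subsequent login of a brokered user: revoke the configured local role if
     * the external role is no longer present in the validated access token.
     *
     * <p>The original implementation only called {@code deleteRoleMapping}
     * with the {@code null} returned when the external role was absent, so the
     * local role was never actually revoked and a user kept the privilege after
     * losing it upstream. The local role is now resolved independently of the
     * claim check so that revocation works.
     *
     * @throws IdentityBrokerException if the external role is absent but the
     *         configured local role does not exist in this realm (fail closed,
     *         consistent with {@link #importNewUser})
     */
    @Override
    public void updateBrokeredUser(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, IdentityProviderMapperModel identityProviderMapperModel, BrokeredIdentityContext brokeredIdentityContext) {
        if (!hasExternalRole(identityProviderMapperModel, brokeredIdentityContext)) {
            userModel.deleteRoleMapping(requireLocalRole(realmModel, identityProviderMapperModel));
        }
    }

    /**
     * Whether the configured external role appears in the validated access
     * token stored in the brokered context.
     *
     * <p>Only the token the identity provider already signature-validated is
     * consulted, so the role claim is trusted to the same degree as the login
     * itself. If no validated token is present the external role cannot be
     * proven and is treated as absent (fail closed) rather than dereferencing
     * {@code null}; the Keycloak OIDC provider is expected to always set it.
     */
    private boolean hasExternalRole(IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        JsonWebToken token = (JsonWebToken) context.getContextData().get(KeycloakOIDCIdentityProvider.VALIDATED_ACCESS_TOKEN);
        if (token == null) {
            return false;
        }
        // parseRole splits "client.role" into {client, role}; a bare role name yields {null, role}.
        String[] external = HardcodedRoleMapper.parseRole((String) mapperModel.getConfig().get(EXTERNAL_ROLE));
        String claimPath = external[0] == null
                ? "realm_access.roles"
                : "resource_access." + external[0] + ".roles";
        return valueEquals(external[1], getClaimValue(token, claimPath));
    }

    /**
     * Resolve the configured local role, failing the brokered login when it
     * does not exist instead of silently skipping the grant/revoke.
     *
     * @throws IdentityBrokerException if the role cannot be found in the realm
     */
    private RoleModel requireLocalRole(RealmModel realmModel, IdentityProviderMapperModel mapperModel) {
        String roleName = (String) mapperModel.getConfig().get(ROLE);
        RoleModel role = HardcodedRoleMapper.getRoleFromString(realmModel, roleName);
        if (role == null) {
            throw new IdentityBrokerException("Unable to find role: " + roleName);
        }
        return role;
    }

    @Override
    public String getHelpText() {
        return "Looks for an external role in a keycloak access token.  If external role exists, grant the user the specified realm or application role.";
    }

    static {
        ProviderConfigProperty externalRole = new ProviderConfigProperty();
        externalRole.setName(EXTERNAL_ROLE);
        externalRole.setLabel("External role");
        externalRole.setHelpText("External role to check for.  To reference an application role the syntax is appname.approle, i.e. myapp.myrole.");
        externalRole.setType("String");
        configProperties.add(externalRole);

        ProviderConfigProperty localRole = new ProviderConfigProperty();
        localRole.setName(ROLE);
        localRole.setLabel("Role");
        localRole.setHelpText("Role to grant to user if external role is present.  To reference an application role the syntax is appname.approle, i.e. myapp.myrole");
        localRole.setType("String");
        configProperties.add(localRole);
    }
}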
