package org.keycloak.models;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.policy.PasswordPolicyManagerProvider;
import org.keycloak.policy.PolicyError;
import org.keycloak.services.managers.UserManager;

/* loaded from: input_file:org/keycloak/models/UserFederationManager.class */
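/**
 * {@link UserProvider} that combines the session's local user storage
 * ({@code session.userStorage()}) with the realm's configured
 * {@link UserFederationProvider}s.
 *
 * <p>Users that carry a federation link are checked against the linked provider before
 * they are handed out or modified. Users the provider no longer accepts are removed from
 * local storage (see {@link #deleteInvalidUser}). Users that were already validated or
 * registered through this instance are remembered in {@code managedUsers} and are not
 * re-validated.
 *
 * <p>Review notes for maintainers:
 * <ul>
 *   <li>{@code managedUsers} is a plain {@link HashMap}; nothing in this class synchronises
 *       access to it.</li>
 *   <li>User names and e-mail addresses are folded with {@link String#toLowerCase()}, which
 *       uses the JVM default locale. NOTE(review): confirm the storage layer normalises
 *       identifiers the same way, otherwise the same login can map to different keys on
 *       hosts with different locale settings.</li>
 *   <li>This listing is decompiler output; parameter names such as {@code str} or {@code i}
 *       are synthetic.</li>
 * </ul>
 */
public class UserFederationManager implements UserProvider {
    private static final Logger logger = Logger.getLogger(UserFederationManager.class);

    /** Upper bound passed as "max results" by the overloads that take no paging arguments. */
    private static final int DEFAULT_MAX_RESULTS = 2147483646;

    protected KeycloakSession session;

    /** Users already validated/proxied or registered through this instance, keyed by user id. */
    private final Map<String, UserModel> managedUsers = new HashMap<String, UserModel>();

    /**
     * One page-fetching callback used by {@link #query}: fetch up to {@code i2} users starting at
     * offset {@code i}.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public interface PaginatedQuery {
        List<UserModel> query(RealmModel realmModel, int i, int i2);
    }

    public UserFederationManager(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * Creates the user in local storage (with {@code str2} lower-cased) and then offers it to
     * the federation providers via {@link #registerWithFederation}.
     */
    @Override // org.keycloak.models.UserProvider
    public UserModel addUser(RealmModel realmModel, String str, String str2, boolean z, boolean z2) {
        return registerWithFederation(realmModel, this.session.userStorage().addUser(realmModel, str, str2.toLowerCase(), z, z2));
    }

    /** Resolves the provider instance for a provider model through {@link KeycloakModelUtils}. */
    protected UserFederationProvider getFederationProvider(UserFederationProviderModel userFederationProviderModel) {
        return KeycloakModelUtils.getFederationProviderInstance(this.session, userFederationProviderModel);
    }

    /**
     * Creates the user in local storage (with {@code str} lower-cased) and then offers it to
     * the federation providers via {@link #registerWithFederation}.
     */
    @Override // org.keycloak.storage.user.UserRegistrationProvider
    public UserModel addUser(RealmModel realmModel, String str) {
        return registerWithFederation(realmModel, this.session.userStorage().addUser(realmModel, str.toLowerCase()));
    }

    /**
     * Registers a freshly created user with the first federation provider of the realm that
     * reports {@code synchronizeRegistrations()}.
     *
     * @return the model returned by that provider's {@code register} call (also remembered in
     *         {@code managedUsers}), or {@code userModel} unchanged when no provider
     *         synchronises registrations
     */
    protected UserModel registerWithFederation(RealmModel realmModel, UserModel userModel) {
        for (UserFederationProviderModel providerModel : realmModel.getUserFederationProviders()) {
            UserFederationProvider provider = getFederationProvider(providerModel);
            if (!provider.synchronizeRegistrations()) {
                continue;
            }
            // Only the first synchronising provider is used; the link is set before register().
            userModel.setFederationLink(providerModel.getId());
            UserModel registered = provider.register(realmModel, userModel);
            this.managedUsers.put(registered.getId(), registered);
            return registered;
        }
        return userModel;
    }

    /**
     * Looks up the provider a user is linked to.
     *
     * @return the provider whose model id equals the user's federation link, or {@code null}
     *         when the user has no link or the link matches no provider configured on the realm
     */
    protected UserFederationProvider getFederationLink(RealmModel realmModel, UserModel userModel) {
        String link = userModel.getFederationLink();
        if (link == null) {
            return null;
        }
        for (UserFederationProviderModel providerModel : realmModel.getUserFederationProviders()) {
            if (providerModel.getId().equals(link)) {
                return getFederationProvider(providerModel);
            }
        }
        return null;
    }

    /**
     * Removes a user. For a linked user the federation provider is asked first; local storage
     * is only touched when the provider reports success.
     *
     * @return {@code false} when the provider refuses the removal, otherwise the result of the
     *         local removal
     */
    @Override // org.keycloak.storage.user.UserRegistrationProvider
    public boolean removeUser(RealmModel realmModel, UserModel userModel) {
        UserFederationProvider federationLink = getFederationLink(realmModel, userModel);
        if (federationLink == null) {
            return this.session.userStorage().removeUser(realmModel, userModel);
        }
        if (!federationLink.removeUser(realmModel, userModel)) {
            logger.warn("Failed to remove user from federation provider");
            return false;
        }
        boolean removedLocally = this.session.userStorage().removeUser(realmModel, userModel);
        // The cached entry is dropped whether or not the local removal succeeded.
        this.managedUsers.remove(userModel.getId());
        if (!removedLocally) {
            logger.warn("User possibly removed from federation provider, but failed to remove him from keycloak model");
        }
        return removedLocally;
    }

    /**
     * Ensures a linked user is still accepted by its federation provider.
     *
     * <p>No check is made for users already present in {@code managedUsers} or for users
     * without a resolvable federation link.
     *
     * @throws IllegalStateException if the provider's {@code isValid} rejects the user; the user
     *         is removed from local storage before the exception is thrown
     */
    protected void validateUser(RealmModel realmModel, UserModel userModel) {
        if (this.managedUsers.containsKey(userModel.getId())) {
            return;
        }
        UserFederationProvider federationLink = getFederationLink(realmModel, userModel);
        if (federationLink == null || federationLink.isValid(realmModel, userModel)) {
            return;
        }
        deleteInvalidUser(realmModel, userModel);
        throw new IllegalStateException("Federated user no longer valid");
    }

    /**
     * Removes a user from local storage through {@code KeycloakModelUtils.runJobInTransaction},
     * using the session handed to the task rather than {@code this.session}. Does nothing when
     * the realm can no longer be found by id.
     */
    protected void deleteInvalidUser(final RealmModel realmModel, final UserModel userModel) {
        KeycloakModelUtils.runJobInTransaction(this.session.getKeycloakSessionFactory(), new KeycloakSessionTask() { // from class: org.keycloak.models.UserFederationManager.1
            @Override // org.keycloak.models.KeycloakSessionTask
            public void run(KeycloakSession keycloakSession) {
                RealmModel realm = keycloakSession.realms().getRealm(realmModel.getId());
                if (realm == null) {
                    return;
                }
                // Realm and user are re-read through the task's session before removal.
                // NOTE(review): getUserById may return null here if the user is already gone;
                // confirm UserManager.removeUser tolerates that.
                new UserManager(keycloakSession).removeUser(realm, keycloakSession.userStorage().getUserById(userModel.getId(), realm), keycloakSession.userStorage());
                UserFederationManager.logger.debugf("Removed invalid user '%s'", userModel.getUsername());
            }
        });
    }

    /**
     * Returns the model callers should use for a locally stored user.
     *
     * @return the cached model when the id is in {@code managedUsers}; {@code userModel} itself
     *         when it has no resolvable federation link; otherwise the provider's
     *         {@code validateAndProxy} result (which is cached), or {@code null} after deleting
     *         the user when the provider returns {@code null}
     */
    protected UserModel validateAndProxyUser(RealmModel realmModel, UserModel userModel) {
        UserModel cached = this.managedUsers.get(userModel.getId());
        if (cached != null) {
            return cached;
        }
        UserFederationProvider federationLink = getFederationLink(realmModel, userModel);
        if (federationLink == null) {
            return userModel;
        }
        UserModel proxied = federationLink.validateAndProxy(realmModel, userModel);
        if (proxied == null) {
            deleteInvalidUser(realmModel, userModel);
            return null;
        }
        this.managedUsers.put(userModel.getId(), proxied);
        return proxied;
    }

    /** Validates the user, then delegates to local storage. */
    @Override // org.keycloak.models.UserProvider
    public void addFederatedIdentity(RealmModel realmModel, UserModel userModel, FederatedIdentityModel federatedIdentityModel) {
        validateUser(realmModel, userModel);
        this.session.userStorage().addFederatedIdentity(realmModel, userModel, federatedIdentityModel);
    }

    /**
     * Delegates to local storage.
     *
     * <p>NOTE(review): unlike {@link #addFederatedIdentity} and {@link #removeFederatedIdentity},
     * this method does not call {@link #validateUser} first; confirm that is intentional.
     */
    @Override // org.keycloak.models.UserProvider
    public void updateFederatedIdentity(RealmModel realmModel, UserModel userModel, FederatedIdentityModel federatedIdentityModel) {
        this.session.userStorage().updateFederatedIdentity(realmModel, userModel, federatedIdentityModel);
    }

    /**
     * Validates the user, then delegates to local storage.
     *
     * @throws IllegalStateException if {@code userModel} is {@code null} or no longer valid
     */
    @Override // org.keycloak.models.UserProvider
    public boolean removeFederatedIdentity(RealmModel realmModel, UserModel userModel, String str) {
        // The null check has to come first: validateUser dereferences the user.
        if (userModel == null) {
            throw new IllegalStateException("Federated user no longer valid");
        }
        validateUser(realmModel, userModel);
        return this.session.userStorage().removeFederatedIdentity(realmModel, userModel, str);
    }

    /** Validates the user, then delegates to local storage. */
    @Override // org.keycloak.models.UserProvider
    public void addConsent(RealmModel realmModel, UserModel userModel, UserConsentModel userConsentModel) {
        validateUser(realmModel, userModel);
        this.session.userStorage().addConsent(realmModel, userModel, userConsentModel);
    }

    /** Validates the user, then delegates to local storage. */
    @Override // org.keycloak.models.UserProvider
    public UserConsentModel getConsentByClient(RealmModel realmModel, UserModel userModel, String str) {
        validateUser(realmModel, userModel);
        return this.session.userStorage().getConsentByClient(realmModel, userModel, str);
    }

    /** Validates the user, then delegates to local storage. */
    @Override // org.keycloak.models.UserProvider
    public List<UserConsentModel> getConsents(RealmModel realmModel, UserModel userModel) {
        validateUser(realmModel, userModel);
        return this.session.userStorage().getConsents(realmModel, userModel);
    }

    /** Validates the user, then delegates to local storage. */
    @Override // org.keycloak.models.UserProvider
    public void updateConsent(RealmModel realmModel, UserModel userModel, UserConsentModel userConsentModel) {
        validateUser(realmModel, userModel);
        this.session.userStorage().updateConsent(realmModel, userModel, userConsentModel);
    }

    /** Validates the user, then delegates to local storage. */
    @Override // org.keycloak.models.UserProvider
    public boolean revokeConsentForClient(RealmModel realmModel, UserModel userModel, String str) {
        validateUser(realmModel, userModel);
        return this.session.userStorage().revokeConsentForClient(realmModel, userModel, str);
    }

    /**
     * Looks the user up in local storage only and passes a hit through
     * {@link #validateAndProxyUser}.
     *
     * @return the validated model, or {@code null} when the user is unknown locally or was
     *         rejected by its provider
     */
    @Override // org.keycloak.storage.user.UserLookupProvider
    public UserModel getUserById(String str, RealmModel realmModel) {
        UserModel local = this.session.userStorage().getUserById(str, realmModel);
        return local == null ? null : validateAndProxyUser(realmModel, local);
    }

    /**
     * Returns one page of group members, taking local members first and then topping up from
     * each federation provider until {@code i + i2} distinct users are collected.
     *
     * <p>Every call loads all earlier pages as well, because the page is cut out of the
     * combined list at the end. Negative {@code i} or {@code i2} are not handled here.
     */
    @Override // org.keycloak.storage.user.UserQueryProvider
    public List<UserModel> getGroupMembers(RealmModel realmModel, final GroupModel groupModel, int i, int i2) {
        int maxTotal = i + i2;
        List<UserModel> localMembers = query(new PaginatedQuery() { // from class: org.keycloak.models.UserFederationManager.2
            @Override // org.keycloak.models.UserFederationManager.PaginatedQuery
            public List<UserModel> query(RealmModel realmModel2, int i4, int i5) {
                return UserFederationManager.this.session.userStorage().getGroupMembers(realmModel2, groupModel, i4, i5);
            }
        }, realmModel, 0, maxTotal);
        // Insertion-ordered set: keeps local-first ordering and drops duplicates.
        LinkedHashSet<UserModel> members = new LinkedHashSet<UserModel>(localMembers);
        for (UserFederationProviderModel providerModel : realmModel.getUserFederationProviders()) {
            if (members.size() >= maxTotal) {
                break;
            }
            List<UserModel> federated = getFederationProvider(providerModel).getGroupMembers(realmModel, groupModel, 0, maxTotal - members.size());
            if (federated != null) {
                members.addAll(federated);
            }
        }
        if (members.size() <= i) {
            return Collections.emptyList();
        }
        return new ArrayList<UserModel>(members).subList(i, Math.min(maxTotal, members.size()));
    }

    /**
     * Returns all group members, using the same {@code 0 .. DEFAULT_MAX_RESULTS} window as the
     * other unpaginated overloads in this class.
     *
     * <p>The decompiled code delegated with {@code (-1, -1)}; the paginated overload turns that
     * into {@code subList(-1, ...)}, which always throws.
     */
    @Override // org.keycloak.storage.user.UserQueryProvider
    public List<UserModel> getGroupMembers(RealmModel realmModel, GroupModel groupModel) {
        return getGroupMembers(realmModel, groupModel, 0, DEFAULT_MAX_RESULTS);
    }

    /**
     * Finds a user by name: local storage first (name lower-cased, hit validated through
     * {@link #validateAndProxyUser}), then each federation provider in realm order.
     *
     * <p>The federation providers receive {@code str} as passed in, not the lower-cased form.
     *
     * @return the first match, or {@code null}
     */
    @Override // org.keycloak.storage.user.UserLookupProvider
    public UserModel getUserByUsername(String str, RealmModel realmModel) {
        UserModel local = this.session.userStorage().getUserByUsername(str.toLowerCase(), realmModel);
        if (local != null) {
            UserModel validated = validateAndProxyUser(realmModel, local);
            if (validated != null) {
                return validated;
            }
        }
        for (UserFederationProviderModel providerModel : realmModel.getUserFederationProviders()) {
            UserModel federated = getFederationProvider(providerModel).getUserByUsername(realmModel, str);
            if (federated != null) {
                return federated;
            }
        }
        return null;
    }

    /**
     * Finds a user by e-mail: local storage first (address lower-cased, hit validated through
     * {@link #validateAndProxyUser}), then each federation provider in realm order.
     *
     * <p>The federation providers receive {@code str} as passed in, not the lower-cased form.
     *
     * @return the first match, or {@code null}
     */
    @Override // org.keycloak.storage.user.UserLookupProvider
    public UserModel getUserByEmail(String str, RealmModel realmModel) {
        UserModel local = this.session.userStorage().getUserByEmail(str.toLowerCase(), realmModel);
        if (local != null) {
            UserModel validated = validateAndProxyUser(realmModel, local);
            if (validated != null) {
                return validated;
            }
        }
        for (UserFederationProviderModel providerModel : realmModel.getUserFederationProviders()) {
            UserModel federated = getFederationProvider(providerModel).getUserByEmail(realmModel, str);
            if (federated != null) {
                return federated;
            }
        }
        return null;
    }

    /** Local lookup by federated identity; a hit is passed through {@link #validateAndProxyUser}. */
    @Override // org.keycloak.models.UserProvider
    public UserModel getUserByFederatedIdentity(FederatedIdentityModel federatedIdentityModel, RealmModel realmModel) {
        UserModel local = this.session.userStorage().getUserByFederatedIdentity(federatedIdentityModel, realmModel);
        return local == null ? null : validateAndProxyUser(realmModel, local);
    }

    /**
     * Local lookup of a client's service account; a hit is passed through
     * {@link #validateAndProxyUser} using the client's realm.
     */
    @Override // org.keycloak.models.UserProvider
    public UserModel getServiceAccount(ClientModel clientModel) {
        UserModel local = this.session.userStorage().getServiceAccount(clientModel);
        return local == null ? null : validateAndProxyUser(clientModel.getRealm(), local);
    }

    /** Unpaginated form of {@link #getUsers(RealmModel, int, int, boolean)}. */
    @Override // org.keycloak.models.UserProvider
    public List<UserModel> getUsers(RealmModel realmModel, boolean z) {
        return getUsers(realmModel, 0, DEFAULT_MAX_RESULTS, z);
    }

    /** Same as {@code getUsers(realmModel, false)}. */
    @Override // org.keycloak.storage.user.UserQueryProvider
    public List<UserModel> getUsers(RealmModel realmModel) {
        return getUsers(realmModel, false);
    }

    /** Same as {@code getUsers(realmModel, i, i2, false)}. */
    @Override // org.keycloak.storage.user.UserQueryProvider
    public List<UserModel> getUsers(RealmModel realmModel, int i, int i2) {
        return getUsers(realmModel, i, i2, false);
    }

    /** Returns the count reported by local storage; federation providers are not consulted. */
    @Override // org.keycloak.storage.user.UserQueryProvider
    public int getUsersCount(RealmModel realmModel) {
        return this.session.userStorage().getUsersCount(realmModel);
    }

    /**
     * Runs a paginated local query and passes every hit through {@link #validateAndProxyUser},
     * fetching further pages while rejected users leave the result short.
     *
     * <p>The decompiled body ended each iteration with an unconditional {@code return}, which
     * left the loop condition and the trailing {@code return} unreachable (Java rejects that as
     * an unreachable statement). The exit test is written here as a guard so that the offset
     * and limit updates actually feed a next iteration.
     *
     * @param i  offset of the first result
     * @param i2 maximum number of results; {@code 0} yields an empty list without querying
     * @return the validated users, at most as many as the pages fetched contain
     */
    protected List<UserModel> query(PaginatedQuery paginatedQuery, RealmModel realmModel, int i, int i2) {
        List<UserModel> results = new LinkedList<UserModel>();
        if (i2 == 0) {
            return results;
        }
        int first = i;
        int max = i2;
        do {
            List<UserModel> page = paginatedQuery.query(realmModel, first, max);
            if (page == null || page.isEmpty()) {
                return results;
            }
            int added = 0;
            for (UserModel candidate : page) {
                UserModel validated = validateAndProxyUser(realmModel, candidate);
                if (validated != null) {
                    results.add(validated);
                    added++;
                }
            }
            // Done when the requested amount is reached or the store had no full page left.
            if (results.size() == i2 || page.size() < max) {
                return results;
            }
            // NOTE(review): the next offset is set to the page size, not advanced from the
            // previous offset; confirm this is right for i > 0 and for a third page.
            first = page.size();
            max -= added;
        } while (max > 0);
        return results;
    }

    /** Paginated listing from local storage, validated through {@link #query}. */
    @Override // org.keycloak.models.UserProvider
    public List<UserModel> getUsers(RealmModel realmModel, int i, int i2, final boolean z) {
        return query(new PaginatedQuery() { // from class: org.keycloak.models.UserFederationManager.3
            @Override // org.keycloak.models.UserFederationManager.PaginatedQuery
            public List<UserModel> query(RealmModel realmModel2, int i3, int i4) {
                return UserFederationManager.this.session.userStorage().getUsers(realmModel2, i3, i4, z);
            }
        }, realmModel, i, i2);
    }

    /** Unpaginated form of {@link #searchForUser(String, RealmModel, int, int)}. */
    @Override // org.keycloak.storage.user.UserQueryProvider
    public List<UserModel> searchForUser(String str, RealmModel realmModel) {
        return searchForUser(str, realmModel, 0, DEFAULT_MAX_RESULTS);
    }

    /**
     * Calls {@code searchByAttributes} with a limit of 30 on every federation provider of the
     * realm and ignores the returned lists.
     *
     * <p>NOTE(review): presumably the providers import their matches into local storage as a
     * side effect, so that the local query that follows can see them; confirm against the
     * provider contract.
     */
    void federationLoad(RealmModel realmModel, Map<String, String> map) {
        for (UserFederationProviderModel providerModel : realmModel.getUserFederationProviders()) {
            getFederationProvider(providerModel).searchByAttributes(map, realmModel, 30);
        }
    }

    /**
     * Free-text user search. The text is first turned into attribute filters for
     * {@link #federationLoad}; the returned list comes from the local free-text search, run
     * through {@link #query}.
     *
     * <p>Filter derivation: text containing a space is split at the last space into
     * {@code firstName} / {@code lastName}; otherwise text containing {@code '@'} is used
     * (lower-cased) as both {@code username} and {@code email}; otherwise it is used as
     * {@code lastName} and (lower-cased) {@code username}.
     */
    @Override // org.keycloak.storage.user.UserQueryProvider
    public List<UserModel> searchForUser(final String str, RealmModel realmModel, int i, int i2) {
        Map<String, String> attributes = new HashMap<String, String>();
        int lastSpace = str.lastIndexOf(' ');
        if (lastSpace > -1) {
            attributes.put("firstName", str.substring(0, lastSpace).trim());
            attributes.put("lastName", str.substring(lastSpace).trim());
        } else if (str.indexOf('@') > -1) {
            String folded = str.trim().toLowerCase();
            attributes.put("username", folded);
            attributes.put("email", folded);
        } else {
            attributes.put("lastName", str.trim());
            attributes.put("username", str.trim().toLowerCase());
        }
        federationLoad(realmModel, attributes);
        return query(new PaginatedQuery() { // from class: org.keycloak.models.UserFederationManager.4
            @Override // org.keycloak.models.UserFederationManager.PaginatedQuery
            public List<UserModel> query(RealmModel realmModel2, int i3, int i4) {
                return UserFederationManager.this.session.userStorage().searchForUser(str, realmModel2, i3, i4);
            }
        }, realmModel, i, i2);
    }

    /** Unpaginated form of {@link #searchForUser(Map, RealmModel, int, int)}. */
    @Override // org.keycloak.storage.user.UserQueryProvider
    public List<UserModel> searchForUser(Map<String, String> map, RealmModel realmModel) {
        return searchForUser(map, realmModel, 0, DEFAULT_MAX_RESULTS);
    }

    /**
     * Attribute search: runs {@link #federationLoad} with the given filters, then returns the
     * local attribute search validated through {@link #query}.
     */
    @Override // org.keycloak.storage.user.UserQueryProvider
    public List<UserModel> searchForUser(final Map<String, String> map, RealmModel realmModel, int i, int i2) {
        federationLoad(realmModel, map);
        return query(new PaginatedQuery() { // from class: org.keycloak.models.UserFederationManager.5
            @Override // org.keycloak.models.UserFederationManager.PaginatedQuery
            public List<UserModel> query(RealmModel realmModel2, int i3, int i4) {
                return UserFederationManager.this.session.userStorage().searchForUser(map, realmModel2, i3, i4);
            }
        }, realmModel, i, i2);
    }

    /**
     * Delegates to local storage.
     *
     * <p>NOTE(review): the result is returned exactly as local storage provides it. It is not
     * passed through {@link #validateAndProxyUser}, and federation providers are not consulted,
     * unlike the other search methods. Confirm callers do not rely on federated validation here.
     */
    @Override // org.keycloak.storage.user.UserQueryProvider
    public List<UserModel> searchForUserByUserAttribute(String str, String str2, RealmModel realmModel) {
        return this.session.userStorage().searchForUserByUserAttribute(str, str2, realmModel);
    }

    /**
     * Validates the user, then delegates to local storage.
     *
     * @throws IllegalStateException if {@code userModel} is {@code null} or no longer valid
     */
    @Override // org.keycloak.models.UserProvider
    public Set<FederatedIdentityModel> getFederatedIdentities(UserModel userModel, RealmModel realmModel) {
        // The null check has to come first: validateUser dereferences the user.
        if (userModel == null) {
            throw new IllegalStateException("Federated user no longer valid");
        }
        validateUser(realmModel, userModel);
        return this.session.userStorage().getFederatedIdentities(userModel, realmModel);
    }

    /**
     * Validates the user, then delegates to local storage.
     *
     * @throws IllegalStateException if {@code userModel} is {@code null} or no longer valid
     */
    @Override // org.keycloak.models.UserProvider
    public FederatedIdentityModel getFederatedIdentity(UserModel userModel, String str, RealmModel realmModel) {
        // The null check has to come first: validateUser dereferences the user.
        if (userModel == null) {
            throw new IllegalStateException("Federated user no longer valid");
        }
        validateUser(realmModel, userModel);
        return this.session.userStorage().getFederatedIdentity(userModel, str, realmModel);
    }

    /** Delegates to local storage; federation providers are not involved. */
    @Override // org.keycloak.storage.user.UserRegistrationProvider
    public void grantToAllUsers(RealmModel realmModel, RoleModel roleModel) {
        this.session.userStorage().grantToAllUsers(realmModel, roleModel);
    }

    /** Notifies every federation provider of the realm, then local storage. */
    @Override // org.keycloak.models.UserProvider
    public void preRemove(RealmModel realmModel) {
        for (UserFederationProviderModel providerModel : realmModel.getUserFederationProviders()) {
            getFederationProvider(providerModel).preRemove(realmModel);
        }
        this.session.userStorage().preRemove(realmModel);
    }

    /** Notifies local storage only. */
    @Override // org.keycloak.models.UserProvider
    public void preRemove(RealmModel realmModel, UserFederationProviderModel userFederationProviderModel) {
        this.session.userStorage().preRemove(realmModel, userFederationProviderModel);
    }

    /** Notifies every federation provider of the realm, then local storage. */
    @Override // org.keycloak.models.UserProvider
    public void preRemove(RealmModel realmModel, GroupModel groupModel) {
        for (UserFederationProviderModel providerModel : realmModel.getUserFederationProviders()) {
            getFederationProvider(providerModel).preRemove(realmModel, groupModel);
        }
        this.session.userStorage().preRemove(realmModel, groupModel);
    }

    /** Notifies every federation provider of the realm, then local storage. */
    @Override // org.keycloak.models.UserProvider
    public void preRemove(RealmModel realmModel, RoleModel roleModel) {
        for (UserFederationProviderModel providerModel : realmModel.getUserFederationProviders()) {
            getFederationProvider(providerModel).preRemove(realmModel, roleModel);
        }
        this.session.userStorage().preRemove(realmModel, roleModel);
    }

    /** Notifies local storage only. */
    @Override // org.keycloak.models.UserProvider
    public void preRemove(RealmModel realmModel, ClientModel clientModel) {
        this.session.userStorage().preRemove(realmModel, clientModel);
    }

    /** Notifies local storage only. */
    @Override // org.keycloak.models.UserProvider
    public void preRemove(ProtocolMapperModel protocolMapperModel) {
        this.session.userStorage().preRemove(protocolMapperModel);
    }

    /**
     * Updates a credential on the user model. A credential of type {@code "password"} is first
     * checked by the {@link PasswordPolicyManagerProvider} when the realm has a password policy.
     *
     * @throws ModelException carrying the policy error's message and parameters when the
     *         password is rejected; the credential is not updated in that case
     */
    public void updateCredential(RealmModel realmModel, UserModel userModel, UserCredentialModel userCredentialModel) {
        if (userCredentialModel.getType().equals("password") && realmModel.getPasswordPolicy() != null) {
            PolicyError policyError = ((PasswordPolicyManagerProvider) this.session.getProvider(PasswordPolicyManagerProvider.class)).validate(userModel, userCredentialModel.getValue());
            if (policyError != null) {
                throw new ModelException(policyError.getMessage(), policyError.getParameters());
            }
        }
        userModel.updateCredential(userCredentialModel);
    }

    /**
     * Validates credentials for a known user.
     *
     * <p>For a linked user whose provider reports at least one supported credential type, the
     * supplied credentials are split by type: supported ones go to the provider, the rest to
     * local storage, and both checks must pass. In every other case all credentials are checked
     * by local storage.
     *
     * <p>NOTE(review): either part of the split may be an empty list; the outcome then depends
     * on how the provider and the local storage treat an empty credential list. Confirm both
     * behave as intended.
     *
     * @throws IllegalStateException if the linked user is no longer valid (see
     *         {@link #validateUser})
     */
    @Override // org.keycloak.storage.user.UserCredentialValidatorProvider
    public boolean validCredentials(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, List<UserCredentialModel> list) {
        UserFederationProvider federationLink = getFederationLink(realmModel, userModel);
        if (federationLink != null) {
            validateUser(realmModel, userModel);
            Set<String> supportedTypes = federationLink.getSupportedCredentialTypes(userModel);
            if (!supportedTypes.isEmpty()) {
                List<UserCredentialModel> federatedCredentials = new ArrayList<UserCredentialModel>();
                List<UserCredentialModel> localCredentials = new ArrayList<UserCredentialModel>();
                for (UserCredentialModel credential : list) {
                    if (supportedTypes.contains(credential.getType())) {
                        federatedCredentials.add(credential);
                    } else {
                        localCredentials.add(credential);
                    }
                }
                // The local check only runs once the provider has accepted its share.
                if (!federationLink.validCredentials(realmModel, userModel, federatedCredentials)) {
                    return false;
                }
                return keycloakSession.userStorage().validCredentials(keycloakSession, realmModel, userModel, localCredentials);
            }
        }
        return keycloakSession.userStorage().validCredentials(keycloakSession, realmModel, userModel, list);
    }

    /**
     * Tells whether the user has a usable credential of the given type.
     *
     * <p>Returns {@code true} when the linked provider supports the type. Otherwise the first
     * directly stored credential of that type decides: non-OTP types match immediately, OTP
     * types must agree with the realm's OTP policy on algorithm and digits, and {@code "totp"}
     * also on period. An OTP type with OTP disabled on the user is never configured.
     */
    public boolean configuredForCredentialType(String str, RealmModel realmModel, UserModel userModel) {
        UserFederationProvider federationLink = getFederationLink(realmModel, userModel);
        if (federationLink != null && federationLink.getSupportedCredentialTypes(userModel).contains(str)) {
            return true;
        }
        if (UserCredentialModel.isOtp(str) && !userModel.isOtpEnabled()) {
            return false;
        }
        for (UserCredentialValueModel stored : userModel.getCredentialsDirectly()) {
            if (!stored.getType().equals(str)) {
                continue;
            }
            if (!UserCredentialModel.isOtp(str)) {
                return true;
            }
            // Only the first stored credential of this type is compared with the policy.
            OTPPolicy policy = realmModel.getOTPPolicy();
            if (!stored.getAlgorithm().equals(policy.getAlgorithm()) || stored.getDigits() != policy.getDigits()) {
                return false;
            }
            return !str.equals("totp") || stored.getPeriod() == policy.getPeriod();
        }
        return false;
    }

    /** Varargs form of {@link #validCredentials(KeycloakSession, RealmModel, UserModel, List)}. */
    @Override // org.keycloak.models.UserProvider
    public boolean validCredentials(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, UserCredentialModel... userCredentialModelArr) {
        return validCredentials(keycloakSession, realmModel, userModel, Arrays.asList(userCredentialModelArr));
    }

    /**
     * Validates credentials that are not tied to a known user. Each credential is handed to the
     * first federation provider of the realm that supports its type, and the per-credential
     * outputs are merged.
     *
     * @return the merged output; {@code CredentialValidationOutput.failed()} when no credential
     *         was supplied or when any credential has no supporting provider
     */
    @Override // org.keycloak.models.UserProvider
    public CredentialValidationOutput validCredentials(KeycloakSession keycloakSession, RealmModel realmModel, UserCredentialModel... userCredentialModelArr) {
        List<UserFederationProvider> providers = new ArrayList<UserFederationProvider>();
        for (UserFederationProviderModel providerModel : realmModel.getUserFederationProviders()) {
            providers.add(getFederationProvider(providerModel));
        }
        CredentialValidationOutput merged = null;
        for (UserCredentialModel credential : userCredentialModelArr) {
            UserFederationProvider supporting = null;
            for (UserFederationProvider candidate : providers) {
                if (candidate.getSupportedCredentialTypes().contains(credential.getType())) {
                    supporting = candidate;
                    break;
                }
            }
            if (supporting == null) {
                // Fail closed: one unsupported credential fails the whole validation.
                logger.warn("Don't have provider supporting credentials of type " + credential.getType());
                return CredentialValidationOutput.failed();
            }
            logger.debug("Found provider [" + supporting + "] supporting credentials of type " + credential.getType());
            CredentialValidationOutput current = supporting.validCredentials(realmModel, credential);
            merged = merged == null ? current : merged.merge(current);
        }
        return merged != null ? merged : CredentialValidationOutput.failed();
    }

    /** No-op in this implementation. */
    @Override // org.keycloak.models.UserProvider
    public void preRemove(RealmModel realmModel, ComponentModel componentModel) {
    }

    /** No-op in this implementation. */
    @Override // org.keycloak.models.UserProvider, org.keycloak.provider.Provider
    public void close() {
    }
}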
