package org.keycloak.federation.sssd;

import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.freedesktop.dbus.Variant;
import org.jboss.logging.Logger;
import org.keycloak.credential.CredentialInput;
import org.keycloak.federation.sssd.api.Sssd;
import org.keycloak.models.CredentialValidationOutput;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelReadOnlyException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserManager;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;

/* loaded from: input_file:org/keycloak/federation/sssd/SSSDFederationProvider.class */
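/**
 * Read-only user federation provider backed by SSSD (System Security Services Daemon).
 *
 * <p>Users are looked up over D-Bus through {@link Sssd}, imported into local Keycloak
 * storage on first sight, and proxied through {@link ReadonlySSSDUserModelDelegate} so the
 * federated attributes cannot be modified from Keycloak. Password validation is delegated
 * to a PAM authenticator obtained from the {@link SSSDFederationProviderFactory}; Keycloak
 * never stores or compares the password itself.
 *
 * <p>Only the {@code "password"} credential type is supported; credential updates against
 * federated users are rejected with {@link ModelReadOnlyException}.
 */
public class SSSDFederationProvider implements UserFederationProvider {
    private static final Logger logger = Logger.getLogger(SSSDFederationProvider.class);

    /** Name of the single credential type this provider understands. */
    private static final String PASSWORD_CREDENTIAL_TYPE = "password";

    /** SSSD attribute names read during import and validation. */
    private static final String ATTR_MAIL = "mail";
    private static final String ATTR_GIVEN_NAME = "givenname";
    private static final String ATTR_SURNAME = "sn";

    // Kept as a mutable HashSet (not Set.of) so existing subclasses that add entries keep working.
    protected static final Set<String> supportedCredentialTypes =
            new HashSet<>(Collections.singleton(PASSWORD_CREDENTIAL_TYPE));

    private final SSSDFederationProviderFactory factory;
    protected KeycloakSession session;
    protected UserFederationProviderModel model;

    /**
     * Creates a provider bound to one Keycloak session and one federation provider configuration.
     *
     * @param keycloakSession              session used for local user storage and realm access
     * @param userFederationProviderModel  configuration of this provider instance; its id is the
     *                                     federation link stamped onto imported users
     * @param sSSDFederationProviderFactory factory that produces PAM authenticators for password checks
     */
    public SSSDFederationProvider(KeycloakSession keycloakSession, UserFederationProviderModel userFederationProviderModel, SSSDFederationProviderFactory sSSDFederationProviderFactory) {
        this.session = keycloakSession;
        this.model = userFederationProviderModel;
        this.factory = sSSDFederationProviderFactory;
    }

    /**
     * Resolves a user by username, importing it from SSSD if it is not yet in local storage.
     *
     * @param realmModel realm the user belongs to
     * @param str        username as known to SSSD
     * @return a read-only proxy of the user, or {@code null} if the user cannot be used
     */
    public UserModel getUserByUsername(RealmModel realmModel, String str) {
        return findOrCreateAuthenticatedUser(realmModel, str);
    }

    /**
     * Looks the user up in local storage and reconciles it with SSSD.
     *
     * <p>A locally existing user that is <em>not</em> linked to this provider is refused
     * ({@code null}) rather than adopted: silently taking over a pre-existing local account with
     * the same username would let an SSSD principal authenticate as that account. A linked user
     * whose SSSD principal no longer matches (see {@link #isValid(RealmModel, UserModel)}) is
     * removed and re-imported.
     *
     * @param realmModel realm to search and import into
     * @param str        username
     * @return the proxied user, or {@code null} when the username is taken by an unlinked user
     *         or the re-imported user still fails validation
     */
    protected UserModel findOrCreateAuthenticatedUser(RealmModel realmModel, String str) {
        UserModel local = this.session.userStorage().getUserByUsername(str, realmModel);
        if (local != null) {
            logger.debugf("SSSD authenticated user %s found in Keycloak storage", str);
            if (!this.model.getId().equals(local.getFederationLink())) {
                // Username collision with a non-federated (or differently federated) account: refuse.
                logger.warnf("User with username %s already exists, but is not linked to provider [%s]",
                        str, this.model.getDisplayName());
                return null;
            }
            UserModel proxied = validateAndProxy(realmModel, local);
            if (proxied != null) {
                return proxied;
            }
            logger.warnf("User with username %s already exists and is linked to provider [%s] but principal is not correct.",
                    str, this.model.getDisplayName());
            logger.warn("Will re-create user");
            new UserManager(this.session).removeUser(realmModel, local, this.session.userStorage());
        }
        logger.debugf("SSSD authenticated user %s not in Keycloak storage. Creating...", str);
        return importUserToKeycloak(realmModel, str);
    }

    /**
     * Creates a local user from the SSSD record and joins it to groups named after the SSSD
     * groups (created under the realm root if missing).
     *
     * @param realmModel realm to import into
     * @param str        username
     * @return the proxied user, or {@code null} if the freshly imported user fails validation
     */
    protected UserModel importUserToKeycloak(RealmModel realmModel, String str) {
        Sssd sssd = new Sssd(str);
        Map<String, Variant> userAttributes = sssd.getUserAttributes();
        logger.debugf("Creating SSSD user: %s to local Keycloak storage", str);
        UserModel created = this.session.userStorage().addUser(realmModel, str);
        created.setEnabled(true);
        created.setEmail(Sssd.getRawAttribute(userAttributes.get(ATTR_MAIL)));
        created.setFirstName(Sssd.getRawAttribute(userAttributes.get(ATTR_GIVEN_NAME)));
        created.setLastName(Sssd.getRawAttribute(userAttributes.get(ATTR_SURNAME)));
        for (String groupName : sssd.getUserGroups()) {
            // SSSD groups are flat, so they map to top-level realm groups ("/name").
            GroupModel group = KeycloakModelUtils.findGroupByPath(realmModel, "/" + groupName);
            if (group == null) {
                group = this.session.realms().createGroup(realmModel, groupName);
            }
            created.joinGroup(group);
        }
        // The federation link is what findOrCreateAuthenticatedUser later uses to recognise the user as ours.
        created.setFederationLink(this.model.getId());
        return validateAndProxy(realmModel, created);
    }

    /** Email lookup is not supported by this provider; always {@code null}. */
    public UserModel getUserByEmail(RealmModel realmModel, String str) {
        return null;
    }

    /** Attribute search is not supported by this provider; always empty. */
    public List<UserModel> searchByAttributes(Map<String, String> map, RealmModel realmModel, int i) {
        return Collections.emptyList();
    }

    /** Group member listing is not supported by this provider; always empty. */
    public List<UserModel> getGroupMembers(RealmModel realmModel, GroupModel groupModel, int i, int i2) {
        return Collections.emptyList();
    }

    /** No provider-side state to clean up before realm removal. */
    public void preRemove(RealmModel realmModel) {
    }

    /** No provider-side state to clean up before role removal. */
    public void preRemove(RealmModel realmModel, RoleModel roleModel) {
    }

    /** No provider-side state to clean up before group removal. */
    public void preRemove(RealmModel realmModel, GroupModel groupModel) {
    }

    /**
     * Checks that the local user still corresponds to the SSSD principal of the same username,
     * using the {@code mail} attribute as the identity anchor.
     *
     * <p>Fails closed: when SSSD reports no mail attribute the user is treated as invalid.
     * (Previously this case surfaced as a {@code NullPointerException}; the outcome is the same
     * denial, without the exception.) A local user with no email is likewise invalid.
     *
     * @param realmModel realm (unused)
     * @param userModel  locally stored user to verify
     * @return {@code true} only if SSSD's mail attribute equals the local email, ignoring case
     */
    public boolean isValid(RealmModel realmModel, UserModel userModel) {
        Map<String, Variant> attributes = new Sssd(userModel.getUsername()).getUserAttributes();
        String sssdMail = Sssd.getRawAttribute(attributes.get(ATTR_MAIL));
        return sssdMail != null && sssdMail.equalsIgnoreCase(userModel.getEmail());
    }

    /** @return the credential types this provider can validate (currently only {@code password}) */
    public Set<String> getSupportedCredentialTypes() {
        return supportedCredentialTypes;
    }

    /**
     * Rejects password changes for federated users; SSSD is the authority for passwords.
     *
     * @return {@code false} for any credential type other than a password model
     * @throws ModelReadOnlyException when a password update is attempted
     */
    public boolean updateCredential(RealmModel realmModel, UserModel userModel, CredentialInput credentialInput) {
        if ((credentialInput instanceof UserCredentialModel) && PASSWORD_CREDENTIAL_TYPE.equals(credentialInput.getType())) {
            throw new ModelReadOnlyException("Federated storage is not writable");
        }
        return false;
    }

    /** Credentials live in SSSD and cannot be disabled from Keycloak; no-op. */
    public void disableCredentialType(RealmModel realmModel, UserModel userModel, String str) {
    }

    /** @return an empty set: nothing can be disabled from the Keycloak side */
    public Set<String> getDisableableCredentialTypes(RealmModel realmModel, UserModel userModel) {
        return Collections.emptySet();
    }

    /** @return {@code true} only for the {@code password} credential type */
    public boolean supportsCredentialType(String str) {
        return PASSWORD_CREDENTIAL_TYPE.equals(str);
    }

    /** Every SSSD user is assumed to have a password; {@code true} for {@code password} only. */
    public boolean isConfiguredFor(RealmModel realmModel, UserModel userModel, String str) {
        return PASSWORD_CREDENTIAL_TYPE.equals(str);
    }

    /**
     * Validates a password against PAM/SSSD.
     *
     * <p>The supplied secret is handed to the PAM authenticator and is never logged or
     * persisted here. A non-null result from {@code authenticate()} is treated as success.
     *
     * @return {@code true} if the input is a supported {@link UserCredentialModel} and PAM accepts it
     */
    public boolean isValid(RealmModel realmModel, UserModel userModel, CredentialInput credentialInput) {
        if (!supportsCredentialType(credentialInput.getType())) {
            return false;
        }
        if (!(credentialInput instanceof UserCredentialModel)) {
            return false;
        }
        String secret = ((UserCredentialModel) credentialInput).getValue();
        return this.factory.createPAMAuthenticator(userModel.getUsername(), secret).authenticate() != null;
    }

    /** Standalone credential validation (without a resolved user) is not supported; always failed. */
    public CredentialValidationOutput validCredentials(RealmModel realmModel, UserCredentialModel userCredentialModel) {
        return CredentialValidationOutput.failed();
    }

    /**
     * Wraps the user in a read-only delegate if it still matches its SSSD principal.
     *
     * @return the read-only proxy, or {@code null} if {@link #isValid(RealmModel, UserModel)} fails
     */
    public UserModel validateAndProxy(RealmModel realmModel, UserModel userModel) {
        return isValid(realmModel, userModel) ? new ReadonlySSSDUserModelDelegate(userModel, this) : null;
    }

    /** Registrations are never pushed to SSSD. */
    public boolean synchronizeRegistrations() {
        return false;
    }

    /** @throws IllegalStateException always; SSSD is read-only from Keycloak's point of view */
    public UserModel register(RealmModel realmModel, UserModel userModel) {
        throw new IllegalStateException("Registration not supported");
    }

    /** Local removal is always allowed; nothing is deleted in SSSD. */
    public boolean removeUser(RealmModel realmModel, UserModel userModel) {
        return true;
    }

    /** Releases the shared D-Bus connection to SSSD. */
    public void close() {
        Sssd.disconnect();
    }
}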
