package org.keycloak.federation.ldap;

import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.constants.KerberosConstants;
import org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator;
import org.keycloak.federation.ldap.kerberos.LDAPProviderKerberosConfig;
import org.keycloak.models.CredentialValidationOutput;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.LDAPConstants;
import org.keycloak.models.ModelException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserCredentialValueModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserModel;
import org.keycloak.protocol.saml.SamlProtocol;
import org.picketlink.idm.IdentityManagementException;
import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.PartitionManager;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.User;
import org.picketlink.idm.query.IdentityQuery;

/* loaded from: input_file:WEB-INF/lib/keycloak-ldap-federation-1.2.0.Beta1.jar:org/keycloak/federation/ldap/LDAPFederationProvider.class */
public class LDAPFederationProvider implements UserFederationProvider {
    private static final Logger logger = Logger.getLogger((Class<?>) LDAPFederationProvider.class);
    public static final String LDAP_ID = "LDAP_ID";
    public static final String SYNC_REGISTRATIONS = "syncRegistrations";
    protected LDAPFederationProviderFactory factory;
    protected KeycloakSession session;
    protected UserFederationProviderModel model;
    protected PartitionManager partitionManager;
    protected UserFederationProvider.EditMode editMode;
    protected LDAPProviderKerberosConfig kerberosConfig;
    protected final Set<String> supportedCredentialTypes = new HashSet();

    public LDAPFederationProvider(LDAPFederationProviderFactory lDAPFederationProviderFactory, KeycloakSession keycloakSession, UserFederationProviderModel userFederationProviderModel, PartitionManager partitionManager) {
        this.factory = lDAPFederationProviderFactory;
        this.session = keycloakSession;
        this.model = userFederationProviderModel;
        this.partitionManager = partitionManager;
        this.kerberosConfig = new LDAPProviderKerberosConfig(userFederationProviderModel);
        String str = userFederationProviderModel.getConfig().get(LDAPConstants.EDIT_MODE);
        if (str == null) {
            this.editMode = UserFederationProvider.EditMode.READ_ONLY;
        } else {
            this.editMode = UserFederationProvider.EditMode.valueOf(str);
        }
        this.supportedCredentialTypes.add("password");
        if (this.kerberosConfig.isAllowKerberosAuthentication()) {
            this.supportedCredentialTypes.add("kerberos");
        }
    }

    private ModelException convertIDMException(IdentityManagementException identityManagementException) {
        Throwable th = identityManagementException;
        while (true) {
            Throwable th2 = th;
            if (th2.getCause() == null) {
                return new ModelException(th2.getMessage(), identityManagementException);
            }
            th = th2.getCause();
        }
    }

    public KeycloakSession getSession() {
        return this.session;
    }

    public UserFederationProviderModel getModel() {
        return this.model;
    }

    public PartitionManager getPartitionManager() {
        return this.partitionManager;
    }

    @Override // org.keycloak.models.UserFederationProvider
    public UserModel proxy(UserModel userModel) {
        switch (this.editMode) {
            case READ_ONLY:
                return new ReadonlyLDAPUserModelDelegate(userModel, this);
            case WRITABLE:
                return new WritableLDAPUserModelDelegate(userModel, this);
            case UNSYNCED:
                return new UnsyncedLDAPUserModelDelegate(userModel, this);
            default:
                return userModel;
        }
    }

    @Override // org.keycloak.models.UserFederationProvider
    public Set<String> getSupportedCredentialTypes(UserModel userModel) {
        HashSet hashSet = new HashSet(this.supportedCredentialTypes);
        if (this.editMode == UserFederationProvider.EditMode.UNSYNCED) {
            Iterator<UserCredentialValueModel> it = userModel.getCredentialsDirectly().iterator();
            while (it.hasNext()) {
                if (it.next().getType().equals("password")) {
                    hashSet.remove("password");
                }
            }
        }
        return hashSet;
    }

    @Override // org.keycloak.models.UserFederationProvider
    public Set<String> getSupportedCredentialTypes() {
        return new HashSet(this.supportedCredentialTypes);
    }

    @Override // org.keycloak.models.UserFederationProvider
    public boolean synchronizeRegistrations() {
        return SamlProtocol.ATTRIBUTE_TRUE_VALUE.equalsIgnoreCase(this.model.getConfig().get(SYNC_REGISTRATIONS)) && this.editMode == UserFederationProvider.EditMode.WRITABLE;
    }

    @Override // org.keycloak.models.UserFederationProvider
    public UserModel register(RealmModel realmModel, UserModel userModel) {
        if (this.editMode == UserFederationProvider.EditMode.READ_ONLY || this.editMode == UserFederationProvider.EditMode.UNSYNCED) {
            throw new IllegalStateException("Registration is not supported by this ldap server");
        }
        if (!synchronizeRegistrations()) {
            throw new IllegalStateException("Registration is not supported by this ldap server");
        }
        try {
            userModel.setAttribute(LDAP_ID, LDAPUtils.addUser(this.partitionManager, userModel.getUsername(), userModel.getFirstName(), userModel.getLastName(), userModel.getEmail()).getId());
            return proxy(userModel);
        } catch (IdentityManagementException e) {
            throw convertIDMException(e);
        }
    }

    @Override // org.keycloak.models.UserFederationProvider
    public boolean removeUser(RealmModel realmModel, UserModel userModel) {
        if (this.editMode == UserFederationProvider.EditMode.READ_ONLY || this.editMode == UserFederationProvider.EditMode.UNSYNCED) {
            logger.warnf("User '%s' can't be deleted in LDAP as editMode is '%s'", userModel.getUsername(), this.editMode.toString());
            return false;
        }
        try {
            return LDAPUtils.removeUser(this.partitionManager, userModel.getUsername());
        } catch (IdentityManagementException e) {
            throw convertIDMException(e);
        }
    }

    @Override // org.keycloak.models.UserFederationProvider
    public List<UserModel> searchByAttributes(Map<String, String> map, RealmModel realmModel, int i) {
        LinkedList linkedList = new LinkedList();
        try {
            for (User user : searchPicketlink(map, i).values()) {
                if (this.session.userStorage().getUserByUsername(user.getLoginName(), realmModel) == null) {
                    linkedList.add(importUserFromPicketlink(realmModel, user));
                }
            }
            return linkedList;
        } catch (IdentityManagementException e) {
            throw convertIDMException(e);
        }
    }

    protected Map<String, User> searchPicketlink(Map<String, String> map, int i) {
        User queryByEmail;
        User user;
        IdentityManager identityManager = getIdentityManager();
        HashMap hashMap = new HashMap();
        if (map.containsKey("username") && (user = BasicModel.getUser(identityManager, map.get("username"))) != null) {
            hashMap.put(user.getLoginName(), user);
        }
        if (map.containsKey("email") && (queryByEmail = queryByEmail(identityManager, map.get("email"))) != null) {
            hashMap.put(queryByEmail.getLoginName(), queryByEmail);
        }
        if (map.containsKey("firstName") || map.containsKey("lastName")) {
            IdentityQuery createIdentityQuery = identityManager.createIdentityQuery(User.class);
            if (map.containsKey("firstName")) {
                createIdentityQuery.setParameter(User.FIRST_NAME, map.get("firstName"));
            }
            if (map.containsKey("lastName")) {
                createIdentityQuery.setParameter(User.LAST_NAME, map.get("lastName"));
            }
            createIdentityQuery.setLimit(i);
            for (User user2 : createIdentityQuery.getResultList()) {
                hashMap.put(user2.getLoginName(), user2);
            }
        }
        return hashMap;
    }

    @Override // org.keycloak.models.UserFederationProvider
    public boolean isValid(UserModel userModel) {
        try {
            User user = LDAPUtils.getUser(this.partitionManager, userModel.getUsername());
            if (user == null) {
                return false;
            }
            return user.getId().equals(userModel.getAttribute(LDAP_ID));
        } catch (IdentityManagementException e) {
            throw convertIDMException(e);
        }
    }

    @Override // org.keycloak.models.UserFederationProvider
    public UserModel getUserByUsername(RealmModel realmModel, String str) {
        try {
            User user = LDAPUtils.getUser(this.partitionManager, str);
            if (user == null) {
                return null;
            }
            if (str.equals(user.getLoginName())) {
                return importUserFromPicketlink(realmModel, user);
            }
            logger.warnf("User found in LDAP but with different username. LDAP username: %s, Searched username: %s", str, user.getLoginName());
            return null;
        } catch (IdentityManagementException e) {
            throw convertIDMException(e);
        }
    }

    public IdentityManager getIdentityManager() {
        return this.partitionManager.createIdentityManager();
    }

    protected UserModel importUserFromPicketlink(RealmModel realmModel, User user) {
        String email = (user.getEmail() == null || user.getEmail().trim().length() <= 0) ? null : user.getEmail();
        if (user.getLoginName() == null) {
            throw new ModelException("User returned from LDAP has null username! Check configuration of your LDAP mappings. ID of user from LDAP: " + user.getId());
        }
        UserModel addUser = this.session.userStorage().addUser(realmModel, user.getLoginName());
        addUser.setEnabled(true);
        addUser.setEmail(email);
        addUser.setFirstName(user.getFirstName());
        addUser.setLastName(user.getLastName());
        addUser.setFederationLink(this.model.getId());
        addUser.setAttribute(LDAP_ID, user.getId());
        logger.debugf("Added new user from LDAP. Username: " + addUser.getUsername() + ", Email: ", addUser.getEmail() + ", LDAP_ID: " + user.getId());
        return proxy(addUser);
    }

    protected User queryByEmail(IdentityManager identityManager, String str) throws IdentityManagementException {
        return LDAPUtils.getUserByEmail(identityManager, str);
    }

    @Override // org.keycloak.models.UserFederationProvider
    public UserModel getUserByEmail(RealmModel realmModel, String str) {
        try {
            User queryByEmail = queryByEmail(getIdentityManager(), str);
            if (queryByEmail == null) {
                return null;
            }
            if (str.equals(queryByEmail.getEmail())) {
                return importUserFromPicketlink(realmModel, queryByEmail);
            }
            logger.warnf("User found in LDAP but with different email. LDAP email: %s, Searched email: %s", str, queryByEmail.getEmail());
            return null;
        } catch (IdentityManagementException e) {
            throw convertIDMException(e);
        }
    }

    @Override // org.keycloak.models.UserFederationProvider
    public void preRemove(RealmModel realmModel) {
    }

    @Override // org.keycloak.models.UserFederationProvider
    public void preRemove(RealmModel realmModel, RoleModel roleModel) {
    }

    public boolean validPassword(String str, String str2) {
        if (this.kerberosConfig.isAllowKerberosAuthentication() && this.kerberosConfig.isUseKerberosForPasswordAuthentication()) {
            return this.factory.createKerberosUsernamePasswordAuthenticator(this.kerberosConfig).validUser(str, str2);
        }
        try {
            return LDAPUtils.validatePassword(this.partitionManager, str, str2);
        } catch (IdentityManagementException e) {
            throw convertIDMException(e);
        }
    }

    @Override // org.keycloak.models.UserFederationProvider
    public boolean validCredentials(RealmModel realmModel, UserModel userModel, List<UserCredentialModel> list) {
        Iterator<UserCredentialModel> it = list.iterator();
        if (!it.hasNext()) {
            return true;
        }
        UserCredentialModel next = it.next();
        if (next.getType().equals("password")) {
            return validPassword(userModel.getUsername(), next.getValue());
        }
        return false;
    }

    @Override // org.keycloak.models.UserFederationProvider
    public boolean validCredentials(RealmModel realmModel, UserModel userModel, UserCredentialModel... userCredentialModelArr) {
        return validCredentials(realmModel, userModel, Arrays.asList(userCredentialModelArr));
    }

    @Override // org.keycloak.models.UserFederationProvider
    public CredentialValidationOutput validCredentials(RealmModel realmModel, UserCredentialModel userCredentialModel) {
        if (!userCredentialModel.getType().equals("kerberos") || !this.kerberosConfig.isAllowKerberosAuthentication()) {
            return CredentialValidationOutput.failed();
        }
        SPNEGOAuthenticator createSPNEGOAuthenticator = this.factory.createSPNEGOAuthenticator(userCredentialModel.getValue(), this.kerberosConfig);
        createSPNEGOAuthenticator.authenticate();
        HashMap hashMap = new HashMap();
        if (!createSPNEGOAuthenticator.isAuthenticated()) {
            hashMap.put(KerberosConstants.RESPONSE_TOKEN, createSPNEGOAuthenticator.getResponseToken());
            return new CredentialValidationOutput(null, CredentialValidationOutput.Status.CONTINUE, hashMap);
        }
        String authenticatedUsername = createSPNEGOAuthenticator.getAuthenticatedUsername();
        UserModel findOrCreateAuthenticatedUser = findOrCreateAuthenticatedUser(realmModel, authenticatedUsername);
        if (findOrCreateAuthenticatedUser == null) {
            logger.warn("Kerberos/SPNEGO authentication succeeded with username [" + authenticatedUsername + "], but couldn't find or create user with federation provider [" + this.model.getDisplayName() + "]");
            return CredentialValidationOutput.failed();
        }
        String serializedDelegationCredential = createSPNEGOAuthenticator.getSerializedDelegationCredential();
        if (serializedDelegationCredential != null) {
            hashMap.put(KerberosConstants.GSS_DELEGATION_CREDENTIAL, serializedDelegationCredential);
        }
        return new CredentialValidationOutput(findOrCreateAuthenticatedUser, CredentialValidationOutput.Status.AUTHENTICATED, hashMap);
    }

    @Override // org.keycloak.models.UserFederationProvider, org.keycloak.provider.Provider
    public void close() {
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void importPicketlinkUsers(RealmModel realmModel, List<User> list, UserFederationProviderModel userFederationProviderModel) {
        for (User user : list) {
            String loginName = user.getLoginName();
            UserModel userByUsername = this.session.userStorage().getUserByUsername(loginName, realmModel);
            if (userByUsername == null) {
                importUserFromPicketlink(realmModel, user);
            } else if (userFederationProviderModel.getId().equals(userByUsername.getFederationLink()) && user.getId().equals(userByUsername.getAttribute(LDAP_ID))) {
                userByUsername.setEmail((user.getEmail() == null || user.getEmail().trim().length() <= 0) ? null : user.getEmail());
                userByUsername.setFirstName(user.getFirstName());
                userByUsername.setLastName(user.getLastName());
                logger.debugf("Updated user from LDAP: %s", userByUsername.getUsername());
            } else {
                logger.warnf("User '%s' is not updated during sync as he is not linked to federation provider '%s'", loginName, userFederationProviderModel.getDisplayName());
            }
        }
    }

    protected UserModel findOrCreateAuthenticatedUser(RealmModel realmModel, String str) {
        UserModel userByUsername = this.session.userStorage().getUserByUsername(str, realmModel);
        if (userByUsername != null) {
            logger.debug("Kerberos authenticated user " + str + " found in Keycloak storage");
            if (!this.model.getId().equals(userByUsername.getFederationLink())) {
                logger.warn("User with username " + str + " already exists, but is not linked to provider [" + this.model.getDisplayName() + "]");
                return null;
            }
            if (isValid(userByUsername)) {
                return proxy(userByUsername);
            }
            logger.warn("User with username " + str + " already exists and is linked to provider [" + this.model.getDisplayName() + "] but is not valid. Stale LDAP_ID on local user is: " + userByUsername.getAttribute(LDAP_ID));
            logger.warn("Will re-create user");
            this.session.userStorage().removeUser(realmModel, userByUsername);
        }
        logger.debug("Kerberos authenticated user " + str + " not in Keycloak storage. Creating him");
        return getUserByUsername(realmModel, str);
    }
}
