package org.keycloak.federation.kerberos;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.constants.KerberosConstants;
import org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator;
import org.keycloak.models.CredentialValidationOutput;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserCredentialValueModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserModel;

/* loaded from: input_file:WEB-INF/lib/keycloak-kerberos-federation-1.2.0.Beta1.jar:org/keycloak/federation/kerberos/KerberosFederationProvider.class */
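/**
 * User federation provider that authenticates users against a Kerberos realm (SPNEGO
 * tokens, and optionally username/password) and mirrors them into local Keycloak storage.
 *
 * <p>Imported users are tagged with the {@link #KERBEROS_PRINCIPAL} attribute and linked to
 * this provider via the federation link; {@link #findOrCreateAuthenticatedUser} uses both to
 * decide whether an existing local account may be reused.</p>
 */
public class KerberosFederationProvider implements UserFederationProvider {

    private static final Logger logger = Logger.getLogger(KerberosFederationProvider.class);

    /** User attribute holding the full principal ({@code username@REALM}) of an imported user. */
    public static final String KERBEROS_PRINCIPAL = "KERBEROS_PRINCIPAL";

    // Credential type literals this provider recognises.
    private static final String KERBEROS_CREDENTIAL_TYPE = "kerberos";
    private static final String PASSWORD_CREDENTIAL_TYPE = "password";

    protected KeycloakSession session;
    protected UserFederationProviderModel model;
    protected KerberosConfig kerberosConfig;
    protected KerberosFederationProviderFactory factory;

    /**
     * @param keycloakSession session used to reach local user storage
     * @param userFederationProviderModel configuration of this provider instance; wrapped into a {@link KerberosConfig}
     * @param kerberosFederationProviderFactory factory used to create the SPNEGO and username/password authenticators
     */
    public KerberosFederationProvider(KeycloakSession keycloakSession, UserFederationProviderModel userFederationProviderModel, KerberosFederationProviderFactory kerberosFederationProviderFactory) {
        this.session = keycloakSession;
        this.model = userFederationProviderModel;
        this.kerberosConfig = new KerberosConfig(userFederationProviderModel);
        this.factory = kerberosFederationProviderFactory;
    }

    /**
     * Wraps the user in a read-only delegate when the provider is configured as
     * {@code READ_ONLY}; otherwise returns the user unchanged.
     */
    @Override
    public UserModel proxy(UserModel userModel) {
        if (this.kerberosConfig.getEditMode() == UserFederationProvider.EditMode.READ_ONLY) {
            return new ReadOnlyKerberosUserModelDelegate(userModel, this);
        }
        return userModel;
    }

    /** Registrations are never propagated to Kerberos. */
    @Override
    public boolean synchronizeRegistrations() {
        return false;
    }

    /** Not supported; always returns {@code null}. */
    @Override
    public UserModel register(RealmModel realmModel, UserModel userModel) {
        return null;
    }

    /** Removes the user from local storage only; nothing is changed on the Kerberos side. */
    @Override
    public boolean removeUser(RealmModel realmModel, UserModel userModel) {
        return this.session.userStorage().removeUser(realmModel, userModel);
    }

    /**
     * Looks up a user by username, importing it into local storage when the Kerberos
     * username/password authenticator reports the account as available.
     *
     * <p>Anything from the first {@code '@'} onward is stripped before the local lookup; as
     * written, the realm suffix itself is not compared against the configured Kerberos realm.</p>
     *
     * @return the (possibly proxied) local user, or {@code null} when the account is unknown to
     *         Kerberos or cannot be linked to this provider
     */
    @Override
    public UserModel getUserByUsername(RealmModel realmModel, String str) {
        if (!this.factory.createKerberosUsernamePasswordAuthenticator(this.kerberosConfig).isUserAvailable(str)) {
            return null;
        }
        int realmSeparator = str.indexOf('@');
        // substring() rather than split(): a bare "@" would otherwise yield an empty array.
        String localUsername = realmSeparator < 0 ? str : str.substring(0, realmSeparator);
        return findOrCreateAuthenticatedUser(realmModel, localUsername);
    }

    /** Email lookups are not supported; always returns {@code null}. */
    @Override
    public UserModel getUserByEmail(RealmModel realmModel, String str) {
        return null;
    }

    /** Attribute search is not supported; always returns an empty list. */
    @Override
    public List<UserModel> searchByAttributes(Map<String, String> map, RealmModel realmModel, int i) {
        return Collections.emptyList();
    }

    @Override
    public void preRemove(RealmModel realmModel) {
        // No provider-side state to clean up.
    }

    @Override
    public void preRemove(RealmModel realmModel, RoleModel roleModel) {
        // No provider-side state to clean up.
    }

    /**
     * A local user is valid for this provider only when its stored {@link #KERBEROS_PRINCIPAL}
     * attribute equals {@code username@<configured realm>} (exact, case-sensitive match; a
     * missing attribute yields {@code false}).
     */
    @Override
    public boolean isValid(UserModel userModel) {
        return kerberosPrincipal(userModel.getUsername()).equals(userModel.getAttribute(KERBEROS_PRINCIPAL));
    }

    /**
     * Credential types this provider can validate for the given user: always {@code kerberos};
     * additionally {@code password} when password authentication is enabled, unless the
     * provider is in {@code UNSYNCED} mode and the user already has a locally stored password
     * (in which case the local password takes precedence).
     */
    @Override
    public Set<String> getSupportedCredentialTypes(UserModel userModel) {
        Set<String> types = new HashSet<>();
        types.add(KERBEROS_CREDENTIAL_TYPE);
        if (this.kerberosConfig.isAllowPasswordAuthentication()) {
            boolean delegatePasswordToKerberos = true;
            if (this.kerberosConfig.getEditMode() == UserFederationProvider.EditMode.UNSYNCED) {
                for (UserCredentialValueModel stored : userModel.getCredentialsDirectly()) {
                    if (PASSWORD_CREDENTIAL_TYPE.equals(stored.getType())) {
                        delegatePasswordToKerberos = false;
                        break;
                    }
                }
            }
            if (delegatePasswordToKerberos) {
                types.add(PASSWORD_CREDENTIAL_TYPE);
            }
        }
        return types;
    }

    /** Credential types supported independently of any user: only {@code kerberos}. */
    @Override
    public Set<String> getSupportedCredentialTypes() {
        Set<String> types = new HashSet<>();
        types.add(KERBEROS_CREDENTIAL_TYPE);
        return types;
    }

    /**
     * Validates the <em>first</em> credential of the list; only the {@code password} type is
     * accepted here and it is checked against Kerberos via {@link #validPassword}.
     *
     * <p>An empty list returns {@code true} (vacuous success, preserved from the original
     * contract) — callers must not treat this call as proof of authentication unless they
     * actually supplied a credential. Any other credential type returns {@code false}.</p>
     */
    @Override
    public boolean validCredentials(RealmModel realmModel, UserModel userModel, List<UserCredentialModel> list) {
        if (list.isEmpty()) {
            return true;
        }
        UserCredentialModel first = list.get(0);
        if (PASSWORD_CREDENTIAL_TYPE.equals(first.getType())) {
            return validPassword(userModel.getUsername(), first.getValue());
        }
        return false;
    }

    /**
     * Checks a username/password pair against Kerberos.
     *
     * @return {@code false} without contacting Kerberos when password authentication is
     *         disabled in the provider configuration
     */
    protected boolean validPassword(String str, String str2) {
        if (!this.kerberosConfig.isAllowPasswordAuthentication()) {
            return false;
        }
        return this.factory.createKerberosUsernamePasswordAuthenticator(this.kerberosConfig).validUser(str, str2);
    }

    /** Varargs convenience overload of {@link #validCredentials(RealmModel, UserModel, List)}. */
    @Override
    public boolean validCredentials(RealmModel realmModel, UserModel userModel, UserCredentialModel... userCredentialModelArr) {
        return validCredentials(realmModel, userModel, Arrays.asList(userCredentialModelArr));
    }

    /**
     * Validates a SPNEGO token supplied by the client as a {@code kerberos} credential.
     *
     * <p>Outcomes: a non-{@code kerberos} credential fails immediately; an incomplete
     * negotiation returns {@code CONTINUE} with the server's response token under
     * {@link KerberosConstants#RESPONSE_TOKEN} for the client to continue; a completed
     * negotiation resolves the authenticated principal to a local user via
     * {@link #findOrCreateAuthenticatedUser} (failing if that yields {@code null}) and, when a
     * delegation credential was obtained, passes its serialized form along under
     * {@link KerberosConstants#GSS_DELEGATION_CREDENTIAL}.</p>
     */
    @Override
    public CredentialValidationOutput validCredentials(RealmModel realmModel, UserCredentialModel userCredentialModel) {
        if (!KERBEROS_CREDENTIAL_TYPE.equals(userCredentialModel.getType())) {
            return CredentialValidationOutput.failed();
        }
        SPNEGOAuthenticator spnegoAuthenticator = this.factory.createSPNEGOAuthenticator(userCredentialModel.getValue(), this.kerberosConfig);
        spnegoAuthenticator.authenticate();
        Map<String, Object> state = new HashMap<>();
        if (!spnegoAuthenticator.isAuthenticated()) {
            // Negotiation is not finished: return the response token and ask the client for another round.
            state.put(KerberosConstants.RESPONSE_TOKEN, spnegoAuthenticator.getResponseToken());
            return new CredentialValidationOutput(null, CredentialValidationOutput.Status.CONTINUE, state);
        }
        UserModel authenticatedUser = findOrCreateAuthenticatedUser(realmModel, spnegoAuthenticator.getAuthenticatedUsername());
        if (authenticatedUser == null) {
            // Kerberos accepted the token but the principal could not be mapped to a local user we own.
            return CredentialValidationOutput.failed();
        }
        String delegationCredential = spnegoAuthenticator.getSerializedDelegationCredential();
        if (delegationCredential != null) {
            state.put(KerberosConstants.GSS_DELEGATION_CREDENTIAL, delegationCredential);
        }
        return new CredentialValidationOutput(authenticatedUser, CredentialValidationOutput.Status.AUTHENTICATED, state);
    }

    @Override
    public void close() {
        // Nothing to release: authenticators are created per call and not retained.
    }

    /**
     * Resolves a Kerberos-authenticated username to a local user, importing it if needed.
     *
     * <p>Decision table for an existing local user with that username:</p>
     * <ul>
     *   <li>not linked to this provider: returns {@code null} — the Kerberos principal is not
     *       allowed to take over an unrelated local account;</li>
     *   <li>linked and {@link #isValid} (principal attribute matches): returns the proxied user;</li>
     *   <li>linked but principal attribute does not match: the local user is <b>removed</b> and
     *       re-created via {@link #importUserToKeycloak}; whatever else was stored on that local
     *       account is lost with it.</li>
     * </ul>
     *
     * @param str the bare username as authenticated by Kerberos
     * @return the (possibly proxied) local user, or {@code null} if the account belongs to another source
     */
    protected UserModel findOrCreateAuthenticatedUser(RealmModel realmModel, String str) {
        UserModel existing = this.session.userStorage().getUserByUsername(str, realmModel);
        if (existing != null) {
            logger.debug("Kerberos authenticated user " + str + " found in Keycloak storage");
            if (!this.model.getId().equals(existing.getFederationLink())) {
                logger.warn("User with username " + str + " already exists, but is not linked to provider [" + this.model.getDisplayName() + "]");
                return null;
            }
            if (isValid(existing)) {
                return proxy(existing);
            }
            logger.warn("User with username " + str + " already exists and is linked to provider [" + this.model.getDisplayName() + "] but kerberos principal is not correct. Kerberos principal on user is: " + existing.getAttribute(KERBEROS_PRINCIPAL));
            logger.warn("Will re-create user");
            this.session.userStorage().removeUser(realmModel, existing);
        }
        logger.debug("Kerberos authenticated user " + str + " not in Keycloak storage. Creating him");
        return importUserToKeycloak(realmModel, str);
    }

    /**
     * Creates the local user for a Kerberos principal: enabled, linked to this provider, with
     * the {@link #KERBEROS_PRINCIPAL} attribute set, and an email derived as
     * {@code username@<realm lower-cased>} (derived, not verified against any directory).
     * Adds the {@code UPDATE_PROFILE} required action when configured.
     *
     * @param str the bare username
     * @return the newly created user, passed through {@link #proxy}
     */
    protected UserModel importUserToKeycloak(RealmModel realmModel, String str) {
        String derivedEmail = str + "@" + this.kerberosConfig.getKerberosRealm().toLowerCase();
        logger.info("Creating kerberos user: " + str + ", email: " + derivedEmail + " to local Keycloak storage");
        UserModel created = this.session.userStorage().addUser(realmModel, str);
        created.setEnabled(true);
        created.setEmail(derivedEmail);
        created.setFederationLink(this.model.getId());
        created.setAttribute(KERBEROS_PRINCIPAL, kerberosPrincipal(str));
        if (this.kerberosConfig.isUpdateProfileFirstLogin()) {
            created.addRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
        }
        return proxy(created);
    }

    /** Builds the principal {@code username@<configured realm>} used both when importing and when validating a user. */
    private String kerberosPrincipal(String username) {
        return username + "@" + this.kerberosConfig.getKerberosRealm();
    }
}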
