package org.keycloak.protocol.saml.mappers;

import java.net.URI;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.provider.ProviderConfigProperty;

/* loaded from: input_file:org/keycloak/protocol/saml/mappers/SAMLAudienceResolveProtocolMapper.class */
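/**
 * SAML login-response mapper that widens the assertion's {@code AudienceRestriction}
 * with the client ids of other SAML clients on which the user holds at least one client role.
 *
 * <p>Security note: each audience added here is an additional service provider that will
 * accept the assertion, so the set is deliberately narrow — only SAML-protocol clients that
 * appear as a role container in the client session's roles, and never the client the
 * session belongs to.
 */
public class SAMLAudienceResolveProtocolMapper extends AbstractSAMLProtocolMapper implements SAMLLoginResponseMapper {
    public static final String PROVIDER_ID = "saml-audience-resolve-mapper";
    protected static final Logger logger = Logger.getLogger(SAMLAudienceResolveProtocolMapper.class);
    // This mapper exposes no configuration; the list stays empty and is shared by all instances.
    private static final List<ProviderConfigProperty> configProperties = new ArrayList<>();

    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return configProperties;
    }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String getDisplayType() {
        return "Audience Resolve";
    }

    @Override
    public String getDisplayCategory() {
        return SAMLAudienceProtocolMapper.AUDIENCE_CATEGORY;
    }

    @Override
    public String getHelpText() {
        return "Adds all client_ids of \"allowed\" clients to the audience conditions in the assertion. Allowed client means any SAML client for which user has at least one client role";
    }

    /**
     * Adds resolved audiences to the response's audience restriction, if one is present.
     *
     * @param responseType the SAML response being built; returned unchanged when it carries no
     *     {@code AudienceRestriction}
     * @param protocolMapperModel the mapper configuration (unused: this mapper has no options)
     * @param keycloakSession the current Keycloak session (unused)
     * @param userSessionModel the user session (unused)
     * @param clientSessionContext source of the roles to inspect and of the current client id
     * @return the same {@code responseType} instance, possibly with additional audiences
     */
    @Override // org.keycloak.protocol.saml.mappers.SAMLLoginResponseMapper
    public ResponseType transformLoginResponse(ResponseType responseType, ProtocolMapperModel protocolMapperModel, KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        AudienceRestrictionType audienceRestriction = SAMLAudienceProtocolMapper.locateAudienceRestriction(responseType);
        if (audienceRestriction == null) {
            // Nothing to extend: without an existing restriction no audience is added.
            return responseType;
        }

        // Loop-invariant: the client this session belongs to is excluded from the resolved set
        // (presumably it is already the assertion's audience — set elsewhere, not visible here).
        String currentClientId = clientSessionContext.getClientSession().getClient().getClientId();

        Set<String> audiences = new HashSet<>();
        for (RoleModel role : clientSessionContext.getRoles()) {
            logger.tracef("Managing role: %s", role.getName());
            if (!role.isClientRole()) {
                // Realm roles have no client container and therefore no audience to contribute.
                continue;
            }
            ClientModel container = role.getContainer();
            // Only other SAML clients qualify; a null protocol fails the equals check and is skipped.
            if ("saml".equals(container.getProtocol()) && !container.getClientId().equals(currentClientId)) {
                audiences.add(container.getClientId());
            }
        }
        logger.debugf("Calculated audiences to add: %s", audiences);

        for (String audience : audiences) {
            try {
                audienceRestriction.addAudience(URI.create(audience));
            } catch (IllegalArgumentException e) {
                // A client id that is not a valid URI cannot be expressed as a SAML audience; skip it
                // rather than fail the whole login response.
                logger.warnf(e, "Invalid URI syntax for audience: %s", audience);
            }
        }
        return responseType;
    }
}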
