package org.keycloak.broker.saml.mappers;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.keycloak.broker.provider.AbstractIdentityProviderMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.saml.SAMLEndpoint;
import org.keycloak.dom.saml.v2.assertion.AssertionType;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.IdentityProviderSyncMode;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.utils.RegexUtils;

/* loaded from: input_file:org/keycloak/broker/saml/mappers/AdvancedAttributeToRoleMapper.class */
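/**
 * Identity-provider mapper that grants (and on later logins revokes) a single realm
 * or client role, depending on the attributes carried by the brokered SAML assertion.
 *
 * <p>Configuration keys: {@value #ATTRIBUTE_PROPERTY_NAME} (a map of attribute name to
 * expected value), {@value #ARE_ATTRIBUTE_VALUES_REGEX_PROPERTY_NAME} (whether expected
 * values are regular expressions) and {@code role} (the role to grant). Every configured
 * attribute must match for the role to be granted.
 *
 * <p>Trust boundary: the assertion is taken from the broker context under
 * {@link SAMLEndpoint#SAML_ASSERTION}. This class performs no signature, issuer or
 * audience validation of its own; it relies on the SAML endpoint having validated the
 * assertion before populating the context (not verifiable from this file).
 *
 * <p>Security caveats a deployer should know (all follow from the code below):
 * <ul>
 *   <li>A configured attribute name matches either the SAML {@code Name} or the
 *       {@code FriendlyName}, so an attribute whose friendly name collides with
 *       another attribute's name satisfies the same rule.</li>
 *   <li>An empty attribute map matches vacuously: the role is granted to every
 *       user brokered through this provider.</li>
 *   <li>On re-login the role mapping is removed when the attributes no longer
 *       match, so the identity provider is authoritative for this role.</li>
 * </ul>
 */
public class AdvancedAttributeToRoleMapper extends AbstractIdentityProviderMapper {
    public static final String PROVIDER_ID = "saml-advanced-role-idp-mapper";
    public static final String ATTRIBUTE_PROPERTY_NAME = "attributes";
    public static final String ARE_ATTRIBUTE_VALUES_REGEX_PROPERTY_NAME = "are.attribute.values.regex";
    public static final String[] COMPATIBLE_PROVIDERS = {"saml"};

    /** Config key of the role to grant; the string itself is the public contract. */
    private static final String ROLE_PROPERTY_NAME = "role";

    /** Every sync mode is accepted; see {@link #supportsSyncMode(IdentityProviderSyncMode)}. */
    private static final Set<IdentityProviderSyncMode> IDENTITY_PROVIDER_SYNC_MODES =
            new HashSet<>(Arrays.asList(IdentityProviderSyncMode.values()));

    /**
     * Filled once by the static initializer below. The field must stay declared before that
     * initializer: static members are initialized in source order.
     */
    private static final List<ProviderConfigProperty> configProperties = new ArrayList<>();

    static {
        // Help texts are user-facing strings shown in the admin console; kept verbatim.
        ProviderConfigProperty attributes = new ProviderConfigProperty();
        attributes.setName(ATTRIBUTE_PROPERTY_NAME);
        attributes.setLabel("Attributes");
        attributes.setHelpText("Name and (regex) value of the attributes to search for in token.  The configured name of an attribute is searched in SAML attribute name and attribute friendly name fields. Every given attribute description must be met to set the role. If the attribute is an array, then the value must be contained in the array. If an attribute can be found several times, then one match is sufficient.");
        attributes.setType("Map");
        configProperties.add(attributes);

        ProviderConfigProperty valuesAreRegex = new ProviderConfigProperty();
        valuesAreRegex.setName(ARE_ATTRIBUTE_VALUES_REGEX_PROPERTY_NAME);
        valuesAreRegex.setLabel("Regex Attribute Values");
        valuesAreRegex.setHelpText("If enabled attribute values are interpreted as regular expressions.");
        valuesAreRegex.setType("boolean");
        configProperties.add(valuesAreRegex);

        ProviderConfigProperty role = new ProviderConfigProperty();
        role.setName(ROLE_PROPERTY_NAME);
        role.setLabel("Role");
        role.setHelpText("Role to grant to user if all attributes are present. Click 'Select Role' button to browse roles, or just type it in the textbox. To reference an application role the syntax is appname.approle, i.e. myapp.myrole");
        role.setType("Role");
        configProperties.add(role);
    }

    /** All sync modes are supported; which of them actually triggers re-evaluation is decided by the broker, not here. */
    @Override
    public boolean supportsSyncMode(IdentityProviderSyncMode identityProviderSyncMode) {
        return IDENTITY_PROVIDER_SYNC_MODES.contains(identityProviderSyncMode);
    }

    /** Returns the shared (mutable) property list; callers are expected not to modify it. */
    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return configProperties;
    }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String[] getCompatibleProviders() {
        return COMPATIBLE_PROVIDERS;
    }

    @Override
    public String getDisplayCategory() {
        return "Role Importer";
    }

    @Override
    public String getDisplayType() {
        return "Advanced Attribute to Role";
    }

    /**
     * First login of a brokered user: grant the configured role when all attributes match.
     *
     * <p>The role is resolved before the attributes are evaluated, so a mapper pointing at a
     * non-existent role raises an {@link IdentityBrokerException} for every login instead of
     * silently doing nothing.
     */
    @Override
    public void importNewUser(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, IdentityProviderMapperModel identityProviderMapperModel, BrokeredIdentityContext brokeredIdentityContext) {
        RoleModel role = getRoleModel(realmModel, identityProviderMapperModel.getConfig().get(ROLE_PROPERTY_NAME));
        if (hasAllValues(identityProviderMapperModel, brokeredIdentityContext)) {
            userModel.grantRole(role);
        }
    }

    /**
     * Subsequent logins of an already-linked user: grant the role when all attributes match,
     * otherwise remove the role mapping.
     *
     * <p>The removal does not distinguish how the role was obtained, so a grant made by hand
     * in the admin console is undone at the next login if the assertion no longer matches.
     * Whether this method runs at all for a given sync mode is decided by the broker.
     */
    @Override
    public void updateBrokeredUser(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, IdentityProviderMapperModel identityProviderMapperModel, BrokeredIdentityContext brokeredIdentityContext) {
        RoleModel role = getRoleModel(realmModel, identityProviderMapperModel.getConfig().get(ROLE_PROPERTY_NAME));
        if (hasAllValues(identityProviderMapperModel, brokeredIdentityContext)) {
            userModel.grantRole(role);
        } else {
            userModel.deleteRoleMapping(role);
        }
    }

    @Override
    public String getHelpText() {
        return "If the set of attributes exists and can be matched, grant the user the specified realm or application role.";
    }

    /**
     * Resolves a configured role name ("rolename" or "client.rolename") to a role of the realm.
     *
     * @param realmModel realm in which the role is looked up
     * @param roleName   admin-configured role reference
     * @return the resolved role, never null
     * @throws IdentityBrokerException if the role cannot be found (mapper misconfiguration)
     */
    static RoleModel getRoleModel(RealmModel realmModel, String roleName) {
        RoleModel role = KeycloakModelUtils.getRoleFromString(realmModel, roleName);
        if (role == null) {
            throw new IdentityBrokerException("Unable to find role: " + roleName);
        }
        return role;
    }

    /**
     * Returns true only if every configured attribute is present in the brokered assertion
     * with a matching value.
     *
     * <p>Matching rules: the configured key is compared against both {@code Name} and
     * {@code FriendlyName}; attributes carrying the same key in several statements are
     * merged, so one matching value anywhere suffices; with the regex flag off the expected
     * value must be equal to one of the attribute values, with it on the decision is delegated
     * to {@link RegexUtils#valueMatchesRegex}, which also defines whether a full or partial
     * match is required.
     *
     * <p>Fails closed: a context without an assertion, or an assertion without attribute
     * statements, yields {@code false} rather than a NullPointerException.
     */
    boolean hasAllValues(IdentityProviderMapperModel identityProviderMapperModel, BrokeredIdentityContext brokeredIdentityContext) {
        Map<String, String> expectedAttributes = identityProviderMapperModel.getConfigMap(ATTRIBUTE_PROPERTY_NAME);
        // parseBoolean(null) is false, so an absent flag means "exact match".
        boolean valuesAreRegex = Boolean.parseBoolean(identityProviderMapperModel.getConfig().get(ARE_ATTRIBUTE_VALUES_REGEX_PROPERTY_NAME));

        AssertionType assertion = (AssertionType) brokeredIdentityContext.getContextData().get(SAMLEndpoint.SAML_ASSERTION);
        if (assertion == null || assertion.getAttributeStatements() == null) {
            return false;
        }

        // Note: an empty expected-attribute map makes this loop vacuous and the result true.
        for (Map.Entry<String, String> rule : expectedAttributes.entrySet()) {
            List<?> actualValues = collectAttributeValues(assertion, rule.getKey());
            boolean matched = valuesAreRegex
                    ? RegexUtils.valueMatchesRegex(rule.getValue(), actualValues)
                    : actualValues.contains(rule.getValue());
            if (!matched) {
                return false;
            }
        }
        return true;
    }

    /**
     * Collects every value of the attributes whose {@code Name} or {@code FriendlyName} equals
     * {@code key}, across all attribute statements of the assertion. The SAML model leaves the
     * value type open, hence the wildcard.
     */
    private static List<?> collectAttributeValues(AssertionType assertion, String key) {
        return assertion.getAttributeStatements().stream()
                .flatMap(statement -> statement.getAttributes().stream())
                .filter(choice -> key.equals(choice.getAttribute().getName())
                        || key.equals(choice.getAttribute().getFriendlyName()))
                .flatMap(choice -> choice.getAttribute().getAttributeValue().stream())
                .collect(Collectors.toList());
    }
}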
