package org.keycloak.storage.ldap;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.naming.AuthenticationException;
import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialAuthentication;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputUpdater;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator;
import org.keycloak.models.CredentialValidationOutput;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.ModelException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredActionProviderModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserManager;
import org.keycloak.models.UserModel;
import org.keycloak.models.cache.CachedUserModel;
import org.keycloak.models.cache.UserCache;
import org.keycloak.models.utils.DefaultRoles;
import org.keycloak.models.utils.ReadOnlyUserModelDelegate;
import org.keycloak.policy.PasswordPolicyManagerProvider;
import org.keycloak.policy.PolicyError;
import org.keycloak.storage.ReadOnlyException;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.UserStorageProviderModel;
import org.keycloak.storage.adapter.InMemoryUserAdapter;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.query.EscapeStrategy;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQueryConditionsBuilder;
import org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore;
import org.keycloak.storage.ldap.kerberos.LDAPProviderKerberosConfig;
import org.keycloak.storage.ldap.mappers.LDAPOperationDecorator;
import org.keycloak.storage.ldap.mappers.LDAPStorageMapper;
import org.keycloak.storage.ldap.mappers.LDAPStorageMapperManager;
import org.keycloak.storage.ldap.mappers.PasswordUpdateCallback;
import org.keycloak.storage.user.ImportedUserValidation;
import org.keycloak.storage.user.UserLookupProvider;
import org.keycloak.storage.user.UserQueryProvider;
import org.keycloak.storage.user.UserRegistrationProvider;

/* loaded from: input_file:org/keycloak/storage/ldap/LDAPStorageProvider.class */
public class LDAPStorageProvider implements UserStorageProvider, CredentialInputValidator, CredentialInputUpdater, CredentialAuthentication, UserLookupProvider, UserRegistrationProvider, UserQueryProvider, ImportedUserValidation {
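    /** Logger shared by all methods of this provider. */
    private static final Logger logger = Logger.getLogger(LDAPStorageProvider.class);
    /** Factory that created this provider; it also builds the Kerberos username/password and SPNEGO authenticators. */
    protected LDAPStorageProviderFactory factory;
    /** Session this provider instance is bound to. */
    protected KeycloakSession session;
    /** Configuration of this storage component (wrapper around the ComponentModel passed to the constructor). */
    protected UserStorageProviderModel model;
    /** Low-level LDAP store used for every directory read, write and bind. */
    protected LDAPIdentityStore ldapIdentityStore;
    /** READ_ONLY / WRITABLE / UNSYNCED, copied from the LDAP config in the constructor. */
    protected UserStorageProvider.EditMode editMode;
    /** Kerberos settings derived from the component model. */
    protected LDAPProviderKerberosConfig kerberosConfig;
    /** Optional hooks run around LDAP password updates; stays null unless {@link #setUpdater} is called. */
    protected PasswordUpdateCallback updater;
    /** Credential types this provider handles: "password", plus "kerberos" when Kerberos auth is allowed (filled in the constructor). */
    protected final Set<String> supportedCredentialTypes = new HashSet<>();
    /** Resolves and orders the LDAP mappers configured for this component. */
    protected LDAPStorageMapperManager mapperManager = new LDAPStorageMapperManager(this);
    /** Per-session cache of already proxied users and their LDAP entries. */
    protected LDAPStorageUserManager userManager = new LDAPStorageUserManager(this);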

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.keycloak.storage.ldap.LDAPStorageProvider$1, reason: invalid class name */
    /* loaded from: input_file:org/keycloak/storage/ldap/LDAPStorageProvider$1.class */
    /**
     * Synthetic switch-map table for {@code UserStorageProvider.EditMode}. It appears to be what javac
     * emits for the enum switch in {@link #proxy}: each constant's ordinal is mapped to the case label
     * used there (READ_ONLY → 1, WRITABLE → 2, UNSYNCED → 3); any other ordinal stays 0, which makes the
     * switch fall through without wrapping the user.
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$keycloak$storage$UserStorageProvider$EditMode = new int[UserStorageProvider.EditMode.values().length];

        static {
            // Each assignment is guarded so that an enum constant missing at runtime leaves its slot at 0
            // instead of failing class initialisation.
            try {
                $SwitchMap$org$keycloak$storage$UserStorageProvider$EditMode[UserStorageProvider.EditMode.READ_ONLY.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
                // constant absent at runtime: slot keeps its default 0
            }
            try {
                $SwitchMap$org$keycloak$storage$UserStorageProvider$EditMode[UserStorageProvider.EditMode.WRITABLE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
                // constant absent at runtime: slot keeps its default 0
            }
            try {
                $SwitchMap$org$keycloak$storage$UserStorageProvider$EditMode[UserStorageProvider.EditMode.UNSYNCED.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
                // constant absent at runtime: slot keeps its default 0
            }
        }
    }

    /**
     * Creates a provider bound to one session and one LDAP storage component.
     *
     * @param lDAPStorageProviderFactory factory that created this provider (used later for Kerberos/SPNEGO authenticators)
     * @param keycloakSession            session the provider lives in
     * @param componentModel             component configuration; wrapped into the storage-provider and Kerberos config models
     * @param lDAPIdentityStore          LDAP store whose config also supplies the edit mode
     */
    public LDAPStorageProvider(LDAPStorageProviderFactory lDAPStorageProviderFactory, KeycloakSession keycloakSession, ComponentModel componentModel, LDAPIdentityStore lDAPIdentityStore) {
        factory = lDAPStorageProviderFactory;
        session = keycloakSession;
        model = new UserStorageProviderModel(componentModel);
        ldapIdentityStore = lDAPIdentityStore;
        kerberosConfig = new LDAPProviderKerberosConfig(componentModel);
        editMode = lDAPIdentityStore.getConfig().getEditMode();

        // "password" is always handled; "kerberos" only when the component allows Kerberos authentication.
        supportedCredentialTypes.add("password");
        if (kerberosConfig.isAllowKerberosAuthentication()) {
            supportedCredentialTypes.add("kerberos");
        }
    }

    /**
     * Registers the callback invoked before, after and on failure of an LDAP password update.
     *
     * @param passwordUpdateCallback callback to use; null disables the hooks
     */
    public void setUpdater(PasswordUpdateCallback passwordUpdateCallback) {
        updater = passwordUpdateCallback;
    }

    /** @return the session this provider is bound to */
    public KeycloakSession getSession() {
        return session;
    }

    /** @return the LDAP store backing this provider */
    public LDAPIdentityStore getLdapIdentityStore() {
        return ldapIdentityStore;
    }

    /** @return the edit mode (READ_ONLY, WRITABLE or UNSYNCED) read from the LDAP config at construction */
    public UserStorageProvider.EditMode getEditMode() {
        return editMode;
    }

    /** @return the storage-component configuration of this provider */
    public UserStorageProviderModel getModel() {
        return model;
    }

    /** @return the manager that resolves and orders this component's LDAP mappers */
    public LDAPStorageMapperManager getMapperManager() {
        return mapperManager;
    }

    /** @return the per-session cache of proxied users and their LDAP entries */
    public LDAPStorageUserManager getUserManager() {
        return userManager;
    }

    /**
     * Validates an already imported user against LDAP.
     *
     * @return the proxied user when its LDAP entry exists and its UUID matches the stored LDAP_ID
     *         (see {@link #loadAndValidateUser}); null when the user no longer validates
     */
    public UserModel validate(RealmModel realmModel, UserModel userModel) {
        LDAPObject ldapUser = loadAndValidateUser(realmModel, userModel);
        return ldapUser == null ? null : proxy(realmModel, userModel, ldapUser);
    }

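    /**
     * Wraps a user model in the delegate matching this provider's edit mode, lets each configured
     * mapper wrap it further, and remembers the result in the user manager so repeated calls for the
     * same user id return the same proxy.
     *
     * @param realmModel realm the user belongs to
     * @param userModel  local or in-memory user to wrap; a cached instance is first re-fetched from the storage manager
     * @param lDAPObject the user's LDAP entry; its DN is synced into LDAP_ENTRY_DN before wrapping
     * @return the proxied user
     */
    protected UserModel proxy(RealmModel realmModel, UserModel userModel, LDAPObject lDAPObject) {
        UserModel alreadyProxied = this.userManager.getManagedProxiedUser(userModel.getId());
        if (alreadyProxied != null) {
            return alreadyProxied;
        }
        if (userModel instanceof CachedUserModel) {
            // Never wrap a cached instance: re-fetch the live model through the storage manager first.
            userModel = this.session.userStorageManager().getUserById(userModel.getId(), realmModel);
            // NOTE(review): a null from the re-fetch throws NPE on the next line (unchanged behaviour) — confirm callers guarantee the user exists.
            alreadyProxied = this.userManager.getManagedProxiedUser(userModel.getId());
            if (alreadyProxied != null) {
                return alreadyProxied;
            }
        }
        checkDNChanged(realmModel, userModel, lDAPObject);

        // Switch directly on the enum instead of the synthetic ordinal table; an unknown mode leaves the model unwrapped.
        UserModel proxied;
        switch (this.editMode) {
            case READ_ONLY:
                // Which read-only delegate applies depends on whether users are imported into the local DB.
                if (this.model.isImportEnabled()) {
                    proxied = new ReadonlyLDAPUserModelDelegate(userModel, this);
                } else {
                    proxied = new ReadOnlyUserModelDelegate(userModel);
                }
                break;
            case WRITABLE:
                proxied = new WritableLDAPUserModelDelegate(userModel, this, lDAPObject);
                break;
            case UNSYNCED:
                proxied = new UnsyncedLDAPUserModelDelegate(userModel, this);
                break;
            default:
                proxied = userModel;
                break;
        }
        // Mappers wrap in ascending order, so the last mapper's proxy is the outermost one.
        for (ComponentModel mapperModel : this.mapperManager.sortMappersAsc(realmModel.getComponents(this.model.getId(), LDAPStorageMapper.class.getName()))) {
            proxied = this.mapperManager.getMapper(mapperModel).proxy(lDAPObject, proxied, realmModel);
        }
        this.userManager.setManagedProxiedUser(proxied, lDAPObject);
        return proxied;
    }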

    /**
     * Keeps the user's LDAP_ENTRY_DN attribute in sync with the DN of the LDAP entry just loaded;
     * on a change the user is also evicted from the user cache (when one is configured).
     */
    private void checkDNChanged(RealmModel realmModel, UserModel userModel, LDAPObject lDAPObject) {
        String storedDn = userModel.getFirstAttribute("LDAP_ENTRY_DN");
        String currentDn = lDAPObject.getDn().toString();
        if (!currentDn.equals(storedDn)) {
            logger.debugf("Updated LDAP DN of user '%s' to '%s'", userModel.getUsername(), currentDn);
            userModel.setSingleAttribute("LDAP_ENTRY_DN", currentDn);
            UserCache cache = this.session.userCache();
            if (cache != null) {
                cache.evict(realmModel, userModel);
            }
        }
    }

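    /**
     * Only "kerberos" credentials can be authenticated by this provider, and only when the
     * component allows Kerberos authentication.
     *
     * @param str credential type; null yields false
     */
    public boolean supportsCredentialAuthenticationFor(String str) {
        // Literal first so a null type is rejected instead of throwing NPE.
        return "kerberos".equals(str) && this.kerberosConfig.isAllowKerberosAuthentication();
    }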

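    /**
     * Searches LDAP for users whose attribute {@code str} equals {@code str2} and imports those not
     * yet present in local storage. Users that already exist locally are skipped, not returned.
     *
     * @param str        LDAP attribute name, used in the filter as given by the caller
     * @param str2       attribute value; escaped with {@code EscapeStrategy.DEFAULT}
     * @param realmModel realm to import into
     * @return the newly imported users (possibly empty), never null
     */
    public List<UserModel> searchForUserByUserAttribute(String str, String str2, RealmModel realmModel) {
        // try-with-resources replaces the decompiled close() cascade; the query is closed exactly once.
        try (LDAPQuery query = LDAPUtils.createQueryForUserSearch(this, realmModel)) {
            query.addWhereCondition(new LDAPQueryConditionsBuilder().equal(str, str2, EscapeStrategy.DEFAULT));
            List<LDAPObject> ldapUsers = query.getResultList();
            if (ldapUsers == null || ldapUsers.isEmpty()) {
                return Collections.emptyList();
            }
            List<UserModel> imported = new ArrayList<>(ldapUsers.size());
            for (LDAPObject ldapUser : ldapUsers) {
                String username = LDAPUtils.getUsername(ldapUser, this.ldapIdentityStore.getConfig());
                if (this.session.userLocalStorage().getUserByUsername(username, realmModel) == null) {
                    imported.add(importUserFromLDAP(this.session, realmModel, ldapUser));
                }
            }
            return imported;
        }
    }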

    /**
     * Whether newly registered users are written to LDAP: requires the "syncRegistrations" config
     * flag to be "true" (case-insensitive) and the edit mode to be WRITABLE.
     */
    public boolean synchronizeRegistrations() {
        boolean syncFlag = "true".equalsIgnoreCase((String) this.model.getConfig().getFirst("syncRegistrations"));
        boolean writable = this.editMode == UserStorageProvider.EditMode.WRITABLE;
        return syncFlag && writable;
    }

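    /**
     * Registers a new user in LDAP (and, with import enabled, in local storage), then applies the
     * realm's default roles, default groups and enabled default required actions to the proxy.
     *
     * @param realmModel realm to register in
     * @param str        username of the new user
     * @return the proxied user, or null when {@link #synchronizeRegistrations()} is false
     *         (this provider then does not handle the registration)
     */
    public UserModel addUser(RealmModel realmModel, String str) {
        if (!synchronizeRegistrations()) {
            return null;
        }
        UserModel localUser;
        if (this.model.isImportEnabled()) {
            localUser = this.session.userLocalStorage().addUser(realmModel, str);
            localUser.setFederationLink(this.model.getId());
        } else {
            // No import: the user only lives in memory for this session, keyed by a storage id under this component.
            localUser = new InMemoryUserAdapter(this.session, realmModel, new StorageId(this.model.getId(), str).getId());
            localUser.setUsername(str);
        }
        LDAPObject ldapUser = LDAPUtils.addUserToLDAP(this, realmModel, localUser);
        LDAPUtils.checkUuid(ldapUser, this.ldapIdentityStore.getConfig());
        localUser.setSingleAttribute("LDAP_ID", ldapUser.getUuid());
        localUser.setSingleAttribute("LDAP_ENTRY_DN", ldapUser.getDn().toString());

        UserModel proxied = proxy(realmModel, localUser, ldapUser);
        DefaultRoles.addDefaultRoles(realmModel, proxied);
        // Enhanced for-loop instead of the raw Iterator plus cast.
        for (GroupModel defaultGroup : realmModel.getDefaultGroups()) {
            proxied.joinGroup(defaultGroup);
        }
        for (RequiredActionProviderModel action : realmModel.getRequiredActionProviders()) {
            if (action.isEnabled() && action.isDefaultAction()) {
                proxied.addRequiredAction(action.getAlias());
            }
        }
        return proxied;
    }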

    /**
     * Removes the user's LDAP entry when the edit mode permits it.
     *
     * @return true when the entry was removed, or when the mode is READ_ONLY/UNSYNCED (only the local
     *         copy is dropped; the warning notes the user will be re-imported on the next lookup);
     *         false when the user has no valid LDAP entry
     */
    public boolean removeUser(RealmModel realmModel, UserModel userModel) {
        boolean ldapEditable = this.editMode != UserStorageProvider.EditMode.READ_ONLY
                && this.editMode != UserStorageProvider.EditMode.UNSYNCED;
        if (!ldapEditable) {
            logger.warnf("User '%s' can't be deleted in LDAP as editMode is '%s'. Deleting user just from Keycloak DB, but he will be re-imported from LDAP again once searched in Keycloak", userModel.getUsername(), this.editMode.toString());
            return true;
        }
        LDAPObject ldapUser = loadAndValidateUser(realmModel, userModel);
        if (ldapUser != null) {
            this.ldapIdentityStore.remove(ldapUser);
            this.userManager.removeManagedUserEntry(userModel.getId());
            return true;
        }
        logger.warnf("User '%s' can't be deleted from LDAP as it doesn't exist here", userModel.getUsername());
        return false;
    }

    /**
     * Returns the already proxied user for this id, else resolves the storage id's external part
     * (the username) through {@link #getUserByUsername}.
     */
    public UserModel getUserById(String str, RealmModel realmModel) {
        UserModel cached = this.userManager.getManagedProxiedUser(str);
        if (cached != null) {
            return cached;
        }
        String username = new StorageId(str).getExternalId();
        return getUserByUsername(username, realmModel);
    }

    /** Always 0: this provider does not count LDAP users. */
    public int getUsersCount(RealmModel realmModel) {
        return 0;
    }

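    /** Always empty: this provider does not enumerate LDAP users; use the search methods instead. */
    public List<UserModel> getUsers(RealmModel realmModel) {
        // Typed factory instead of the raw EMPTY_LIST constant (same immutable empty list, no unchecked conversion).
        return Collections.emptyList();
    }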

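    /** Always empty regardless of paging: this provider does not enumerate LDAP users. */
    public List<UserModel> getUsers(RealmModel realmModel, int i, int i2) {
        // Typed factory instead of the raw EMPTY_LIST constant.
        return Collections.emptyList();
    }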

    /** Unpaged variant of {@link #searchForUser(String, RealmModel, int, int)} (first result 0, max results {@code Integer.MAX_VALUE - 1}). */
    public List<UserModel> searchForUser(String str, RealmModel realmModel) {
        return searchForUser(str, realmModel, 0, Integer.MAX_VALUE - 1);
    }

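    /**
     * Turns a free-text search string into attribute conditions and delegates to the map variant:
     * "first last" (contains a space) searches firstName/lastName, a string containing '@' searches
     * username and email (lower-cased), anything else searches lastName and username (lower-cased).
     *
     * @param str        search text
     * @param realmModel realm to search in
     * @param i          first result index
     * @param i2         max results
     */
    public List<UserModel> searchForUser(String str, RealmModel realmModel, int i, int i2) {
        Map<String, String> attributes = new HashMap<>();
        int lastSpace = str.lastIndexOf(' ');
        if (lastSpace > -1) {
            // Everything before the last space is the first name, the remainder the last name.
            attributes.put("firstName", str.substring(0, lastSpace).trim());
            attributes.put("lastName", str.substring(lastSpace).trim());
        } else if (str.indexOf('@') > -1) {
            // NOTE(review): default-locale toLowerCase(), kept as-is; Locale.ROOT would be locale-independent.
            String lowered = str.trim().toLowerCase();
            attributes.put("username", lowered);
            attributes.put("email", lowered);
        } else {
            attributes.put("lastName", str.trim());
            attributes.put("username", str.trim().toLowerCase());
        }
        return searchForUser(attributes, realmModel, i, i2);
    }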

    /** Unpaged variant of {@link #searchForUser(Map, RealmModel, int, int)} (first result 0, max results {@code Integer.MAX_VALUE - 1}). */
    public List<UserModel> searchForUser(Map<String, String> map, RealmModel realmModel) {
        return searchForUser(map, realmModel, 0, Integer.MAX_VALUE - 1);
    }

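    /**
     * Searches LDAP by the given attributes and imports the matches that do not yet exist locally.
     *
     * @param map        attribute conditions (username, email, firstName, lastName are honoured by {@link #searchLDAP})
     * @param realmModel realm to import into
     * @param i          number of LDAP entries to skip; counts entries that are skipped below as already-local, too
     * @param i2         max results, passed on to searchLDAP as {@code i2 + i}
     * @return newly imported users, never null. NOTE(review): the list is not capped at {@code i2} here; only searchLDAP's handling of its limit bounds it.
     */
    public List<UserModel> searchForUser(Map<String, String> map, RealmModel realmModel, int i, int i2) {
        // Saturate instead of overflowing: the unpaged overloads pass Integer.MAX_VALUE - 1 as max results.
        long limit = (long) i + i2;
        int ldapLimit = limit > Integer.MAX_VALUE ? Integer.MAX_VALUE : (int) limit;
        List<UserModel> imported = new ArrayList<>();
        int position = 0;
        for (LDAPObject ldapUser : searchLDAP(realmModel, map, ldapLimit)) {
            if (position++ < i) {
                continue;
            }
            String username = LDAPUtils.getUsername(ldapUser, this.ldapIdentityStore.getConfig());
            if (this.session.userLocalStorage().getUserByUsername(username, realmModel) == null) {
                imported.add(importUserFromLDAP(this.session, realmModel, ldapUser));
            }
        }
        return imported;
    }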

    /** Unpaged variant of {@link #getGroupMembers(RealmModel, GroupModel, int, int)}. */
    public List<UserModel> getGroupMembers(RealmModel realmModel, GroupModel groupModel) {
        return getGroupMembers(realmModel, groupModel, 0, Integer.MAX_VALUE - 1);
    }

    /**
     * Asks the mappers, in ascending order, for the group's members and returns the first non-empty
     * answer; an empty list when no mapper returns members.
     */
    public List<UserModel> getGroupMembers(RealmModel realmModel, GroupModel groupModel, int i, int i2) {
        for (ComponentModel mapperModel : this.mapperManager.sortMappersAsc(realmModel.getComponents(this.model.getId(), LDAPStorageMapper.class.getName()))) {
            List<UserModel> members = this.mapperManager.getMapper(mapperModel).getGroupMembers(realmModel, groupModel, i, i2);
            if (!members.isEmpty()) {
                return members;
            }
        }
        return Collections.emptyList();
    }

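    /**
     * Resolves usernames (typically taken from LDAP group membership) to user models through the
     * session's user provider, keeping only users that belong to this federation provider when
     * import is enabled. Unknown or foreign users are logged and skipped.
     *
     * @return the resolved users in input order, never null
     */
    public List<UserModel> loadUsersByUsernames(List<String> list, RealmModel realmModel) {
        List<UserModel> users = new ArrayList<>(list.size());
        for (String username : list) {
            UserModel user = this.session.users().getUserByUsername(username, realmModel);
            if (user == null) {
                logger.warnf("User '%s' referenced by membership wasn't found in LDAP", username);
            } else if (!this.model.isImportEnabled() || this.model.getId().equals(user.getFederationLink())) {
                users.add(user);
            } else {
                logger.warnf("Incorrect federation provider of user '%s'", user.getUsername());
            }
        }
        return users;
    }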

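    /**
     * Runs up to three LDAP user searches (username, email, firstName/lastName) and concatenates
     * their raw results; duplicates across the searches are not removed.
     *
     * NOTE(review): the max-results parameter {@code i} is not applied to any query here, so callers
     * passing a limit still receive the full result sets.
     *
     * Values are escaped with {@code EscapeStrategy.NON_ASCII_CHARS_ONLY}; judging by its name, ASCII
     * filter metacharacters in the value are passed through, unlike the exact-match lookups in this
     * class that use {@code EscapeStrategy.DEFAULT} — verify against EscapeStrategy.
     *
     * @param realmModel realm to search in
     * @param map        attribute conditions; only the four keys above are consulted
     * @param i          intended max results (currently unused)
     */
    protected List<LDAPObject> searchLDAP(RealmModel realmModel, Map<String, String> map, int i) {
        List<LDAPObject> results = new ArrayList<>();
        if (map.containsKey("username")) {
            results.addAll(searchLDAPByAttribute(realmModel, "username", map.get("username")));
        }
        if (map.containsKey("email")) {
            results.addAll(searchLDAPByAttribute(realmModel, "email", map.get("email")));
        }
        if (map.containsKey("firstName") || map.containsKey("lastName")) {
            // Both name conditions go into one query so they are ANDed.
            try (LDAPQuery query = LDAPUtils.createQueryForUserSearch(this, realmModel)) {
                LDAPQueryConditionsBuilder conditions = new LDAPQueryConditionsBuilder();
                if (map.containsKey("firstName")) {
                    query.addWhereCondition(conditions.equal("firstName", map.get("firstName"), EscapeStrategy.NON_ASCII_CHARS_ONLY));
                }
                if (map.containsKey("lastName")) {
                    query.addWhereCondition(conditions.equal("lastName", map.get("lastName"), EscapeStrategy.NON_ASCII_CHARS_ONLY));
                }
                results.addAll(query.getResultList());
            }
        }
        return results;
    }

    /** Runs one user search constrained to {@code attribute == value} and returns its raw result list. */
    private List<LDAPObject> searchLDAPByAttribute(RealmModel realmModel, String attribute, String value) {
        try (LDAPQuery query = LDAPUtils.createQueryForUserSearch(this, realmModel)) {
            query.addWhereCondition(new LDAPQueryConditionsBuilder().equal(attribute, value, EscapeStrategy.NON_ASCII_CHARS_ONLY));
            return query.getResultList();
        }
    }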

    /**
     * Loads the LDAP entry behind a local user and checks that its UUID equals the user's LDAP_ID
     * attribute; a cached entry from the user manager is returned without re-checking.
     *
     * @return the LDAP entry, or null when none exists for the username or the UUIDs differ
     */
    protected LDAPObject loadAndValidateUser(RealmModel realmModel, UserModel userModel) {
        LDAPObject cached = this.userManager.getManagedLDAPUser(userModel.getId());
        if (cached != null) {
            return cached;
        }
        LDAPObject ldapUser = loadLDAPUserByUsername(realmModel, userModel.getUsername());
        if (ldapUser == null) {
            return null;
        }
        LDAPUtils.checkUuid(ldapUser, this.ldapIdentityStore.getConfig());
        String ldapUuid = ldapUser.getUuid();
        String storedUuid = userModel.getFirstAttribute("LDAP_ID");
        if (!ldapUuid.equals(storedUuid)) {
            logger.warnf("LDAP User invalid. ID doesn't match. ID from LDAP [%s], LDAP ID from local DB: [%s]", ldapUuid, storedUuid);
            return null;
        }
        return ldapUser;
    }

    /**
     * Looks the username up in LDAP and imports the entry (see {@link #importUserFromLDAP}).
     *
     * @return the imported, proxied user, or null when LDAP has no such user
     */
    public UserModel getUserByUsername(String str, RealmModel realmModel) {
        LDAPObject ldapUser = loadLDAPUserByUsername(realmModel, str);
        return ldapUser == null ? null : importUserFromLDAP(this.session, realmModel, ldapUser);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates the local (or in-memory, when import is disabled) representation of an LDAP entry,
     * lets the mappers in descending order populate it, stores LDAP_ID and LDAP_ENTRY_DN, marks the
     * email verified when the config trusts LDAP emails, and returns the proxied user.
     *
     * @param keycloakSession session used to create the local user
     * @param realmModel      realm to import into
     * @param lDAPObject      LDAP entry to import; its UUID is checked first
     */
    public UserModel importUserFromLDAP(KeycloakSession keycloakSession, RealmModel realmModel, LDAPObject lDAPObject) {
        String username = LDAPUtils.getUsername(lDAPObject, this.ldapIdentityStore.getConfig());
        LDAPUtils.checkUuid(lDAPObject, this.ldapIdentityStore.getConfig());

        boolean importEnabled = this.model.isImportEnabled();
        UserModel imported;
        if (importEnabled) {
            imported = keycloakSession.userLocalStorage().addUser(realmModel, username);
        } else {
            InMemoryUserAdapter adapter = new InMemoryUserAdapter(keycloakSession, realmModel, new StorageId(this.model.getId(), username).getId());
            adapter.addDefaults();
            imported = adapter;
        }
        imported.setEnabled(true);

        for (ComponentModel mapperModel : this.mapperManager.sortMappersDesc(realmModel.getComponents(this.model.getId(), LDAPStorageMapper.class.getName()))) {
            if (logger.isTraceEnabled()) {
                logger.tracef("Using mapper %s during import user from LDAP", mapperModel);
            }
            this.mapperManager.getMapper(mapperModel).onImportUserFromLDAP(lDAPObject, imported, realmModel, true);
        }

        String dn = lDAPObject.getDn().toString();
        if (importEnabled) {
            imported.setFederationLink(this.model.getId());
        }
        imported.setSingleAttribute("LDAP_ID", lDAPObject.getUuid());
        imported.setSingleAttribute("LDAP_ENTRY_DN", dn);
        if (getLdapIdentityStore().getConfig().isTrustEmail()) {
            imported.setEmailVerified(true);
        }
        logger.debugf("Imported new user from LDAP to Keycloak DB. Username: [%s], Email: [%s], LDAP_ID: [%s], LDAP Entry DN: [%s]", imported.getUsername(), imported.getEmail(), lDAPObject.getUuid(), dn);
        return proxy(realmModel, imported, lDAPObject);
    }

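    /**
     * Returns the first LDAP user whose email attribute equals {@code str}, or null when there is none.
     * The value is escaped with {@code EscapeStrategy.DEFAULT}.
     */
    protected LDAPObject queryByEmail(RealmModel realmModel, String str) {
        // try-with-resources replaces the decompiled close() cascade; the query is closed exactly once.
        try (LDAPQuery query = LDAPUtils.createQueryForUserSearch(this, realmModel)) {
            query.addWhereCondition(new LDAPQueryConditionsBuilder().equal("email", str, EscapeStrategy.DEFAULT));
            return query.getFirstResult();
        }
    }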

    /**
     * Finds the LDAP user with the given email. If no local user with that username exists the
     * entry is imported; if one exists it is returned only when its LDAP_ID matches the entry's UUID.
     *
     * @return the user, or null when LDAP has no entry with that email
     * @throws ModelDuplicateException when a local user with the same username belongs to a different LDAP entry
     */
    public UserModel getUserByEmail(String str, RealmModel realmModel) {
        LDAPObject ldapUser = queryByEmail(realmModel, str);
        if (ldapUser == null) {
            return null;
        }
        String username = LDAPUtils.getUsername(ldapUser, this.ldapIdentityStore.getConfig());
        UserModel localUser = this.session.userLocalStorage().getUserByUsername(username, realmModel);
        if (localUser == null) {
            return importUserFromLDAP(this.session, realmModel, ldapUser);
        }
        LDAPUtils.checkUuid(ldapUser, this.ldapIdentityStore.getConfig());
        boolean sameEntry = ldapUser.getUuid().equals(localUser.getFirstAttribute("LDAP_ID"));
        if (!sameEntry) {
            throw new ModelDuplicateException("User with username '" + username + "' already exists in Keycloak. It conflicts with LDAP user with email '" + str + "'");
        }
        return localUser;
    }

    /** No-op: nothing in LDAP is touched when the realm is removed. */
    public void preRemove(RealmModel realmModel) {
    }

    /** No-op: nothing in LDAP is touched when a role is removed. */
    public void preRemove(RealmModel realmModel, RoleModel roleModel) {
    }

    /** No-op: nothing in LDAP is touched when a group is removed. */
    public void preRemove(RealmModel realmModel, GroupModel groupModel) {
    }

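    /**
     * Verifies a password either through the Kerberos username/password authenticator (when Kerberos
     * auth is allowed and configured for password authentication) or through an LDAP password check.
     *
     * On an LDAP {@link AuthenticationException} each mapper (descending order) is asked to handle
     * the failure; the result is true as soon as one mapper returns true, and later mappers are then
     * no longer consulted.
     *
     * @param str the plaintext password; it is never logged here and must not be added to log output
     */
    public boolean validPassword(RealmModel realmModel, UserModel userModel, String str) {
        if (this.kerberosConfig.isAllowKerberosAuthentication() && this.kerberosConfig.isUseKerberosForPasswordAuthentication()) {
            return this.factory.createKerberosUsernamePasswordAuthenticator(this.kerberosConfig).validUser(userModel.getUsername(), str);
        }
        LDAPObject ldapUser = loadAndValidateUser(realmModel, userModel);
        // NOTE(review): ldapUser may be null and str may be empty; whether validatePassword rejects both before
        // attempting a bind is not visible here — confirm, since some directories accept an empty-password bind.
        try {
            this.ldapIdentityStore.validatePassword(ldapUser, str);
            return true;
        } catch (AuthenticationException e) {
            boolean handled = false;
            for (ComponentModel mapperModel : this.mapperManager.sortMappersDesc(realmModel.getComponents(this.model.getId(), LDAPStorageMapper.class.getName()))) {
                if (logger.isTraceEnabled()) {
                    // Message corrected: this loop handles an authentication failure, not an import.
                    logger.tracef("Using mapper %s during authentication failure handling", mapperModel);
                }
                if (!handled) {
                    handled = this.mapperManager.getMapper(mapperModel).onAuthenticationFailure(ldapUser, userModel, e, realmModel);
                }
            }
            return handled;
        }
    }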

    /**
     * Writes a new password to LDAP for a "password" {@link UserCredentialModel} input.
     *
     * @return true when the password was updated; false for non-password inputs, for UNSYNCED mode,
     *         or when the update failed and the registered updater consumed the failure
     * @throws ReadOnlyException in READ_ONLY mode
     * @throws ModelException   when the password violates the realm policy (if policy validation is enabled),
     *                          or when the LDAP update fails and no updater is registered
     */
    public boolean updateCredential(RealmModel realmModel, UserModel userModel, CredentialInput credentialInput) {
        boolean passwordInput = "password".equals(credentialInput.getType()) && credentialInput instanceof UserCredentialModel;
        if (!passwordInput) {
            return false;
        }
        if (this.editMode == UserStorageProvider.EditMode.READ_ONLY) {
            throw new ReadOnlyException("Federated storage is not writable");
        }
        if (this.editMode != UserStorageProvider.EditMode.WRITABLE) {
            return false;
        }
        LDAPIdentityStore store = getLdapIdentityStore();
        // Plaintext password: keep it out of any log statement.
        String newPassword = credentialInput.getChallengeResponse();
        LDAPObject ldapUser = loadAndValidateUser(realmModel, userModel);
        UserCredentialModel credential = (UserCredentialModel) credentialInput;

        if (store.getConfig().isValidatePasswordPolicy()) {
            PolicyError policyError = this.session.getProvider(PasswordPolicyManagerProvider.class).validate(realmModel, userModel, newPassword);
            if (policyError != null) {
                throw new ModelException(policyError.getMessage(), policyError.getParameters());
            }
        }
        try {
            LDAPOperationDecorator decorator = this.updater == null
                    ? null
                    : this.updater.beforePasswordUpdate(userModel, ldapUser, credential);
            store.updatePassword(ldapUser, newPassword, decorator);
            if (this.updater != null) {
                this.updater.passwordUpdated(userModel, ldapUser, credential);
            }
            return true;
        } catch (ModelException e) {
            if (this.updater == null) {
                throw e;
            }
            this.updater.passwordUpdateFailed(userModel, ldapUser, credential, e);
            return false;
        }
    }

    /** No-op: credential types cannot be disabled for LDAP users (see {@link #getDisableableCredentialTypes}). */
    public void disableCredentialType(RealmModel realmModel, UserModel userModel, String str) {
    }

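    /** Always empty: no credential type of an LDAP user can be disabled through this provider. */
    public Set<String> getDisableableCredentialTypes(RealmModel realmModel, UserModel userModel) {
        // Typed factory instead of the raw EMPTY_SET constant (same immutable empty set, no unchecked conversion).
        return Collections.emptySet();
    }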

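    /**
     * @return a fresh, mutable copy of the supported credential types ("password", and "kerberos"
     *         when Kerberos auth is allowed); callers cannot modify the provider's own set
     */
    public Set<String> getSupportedCredentialTypes() {
        return new HashSet<>(this.supportedCredentialTypes);
    }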

    /** @return whether {@code str} is one of {@link #getSupportedCredentialTypes()} */
    public boolean supportsCredentialType(String str) {
        Set<String> supported = getSupportedCredentialTypes();
        return supported.contains(str);
    }

    /**
     * Treats every supported credential type as configured for every user; the realm and user
     * arguments are not consulted.
     */
    public boolean isConfiguredFor(RealmModel realmModel, UserModel userModel, String str) {
        Set<String> supported = getSupportedCredentialTypes();
        return supported.contains(str);
    }

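    /**
     * Validates a "password" {@link UserCredentialModel} against LDAP, but only when the user has no
     * password configured locally in Keycloak; every other input yields false.
     */
    public boolean isValid(RealmModel realmModel, UserModel userModel, CredentialInput credentialInput) {
        if (!(credentialInput instanceof UserCredentialModel)) {
            return false;
        }
        // Literal first: a null credential type is "not a password" rather than an NPE.
        if (!"password".equals(credentialInput.getType())) {
            return false;
        }
        if (this.session.userCredentialManager().isConfiguredLocally(realmModel, userModel, "password")) {
            return false;
        }
        return validPassword(realmModel, userModel, credentialInput.getChallengeResponse());
    }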

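    /**
     * Performs Kerberos/SPNEGO authentication for a "kerberos" {@link UserCredentialModel}.
     *
     * @return FAILED for other inputs, for non-kerberos types, when Kerberos auth is disallowed, or when
     *         the authenticated principal cannot be mapped to a user; CONTINUE with a "SpnegoResponseToken"
     *         state entry when the authenticator has not finished; AUTHENTICATED with the user otherwise,
     *         plus a "gss_delegation_credential" state entry when a serialized delegation credential is
     *         available (treat that state value as a secret).
     */
    public CredentialValidationOutput authenticate(RealmModel realmModel, CredentialInput credentialInput) {
        if (!(credentialInput instanceof UserCredentialModel)) {
            // Return here; without it the cast below throws ClassCastException for other input types.
            return CredentialValidationOutput.failed();
        }
        UserCredentialModel credential = (UserCredentialModel) credentialInput;
        if (!"kerberos".equals(credential.getType()) || !this.kerberosConfig.isAllowKerberosAuthentication()) {
            return CredentialValidationOutput.failed();
        }
        SPNEGOAuthenticator spnego = this.factory.createSPNEGOAuthenticator(credential.getChallengeResponse(), this.kerberosConfig);
        spnego.authenticate();

        Map<String, String> state = new HashMap<>();
        if (!spnego.isAuthenticated()) {
            // Presumably a further SPNEGO round trip: hand the response token back to the caller.
            state.put("SpnegoResponseToken", spnego.getResponseToken());
            return new CredentialValidationOutput((UserModel) null, CredentialValidationOutput.Status.CONTINUE, state);
        }
        String username = spnego.getAuthenticatedUsername();
        UserModel user = findOrCreateAuthenticatedUser(realmModel, username);
        if (user == null) {
            logger.warnf("Kerberos/SPNEGO authentication succeeded with username [%s], but couldn't find or create user with federation provider [%s]", username, this.model.getName());
            return CredentialValidationOutput.failed();
        }
        String delegationCredential = spnego.getSerializedDelegationCredential();
        if (delegationCredential != null) {
            state.put("gss_delegation_credential", delegationCredential);
        }
        return new CredentialValidationOutput(user, CredentialValidationOutput.Status.AUTHENTICATED, state);
    }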

    /**
     * Releases nothing: this provider holds no resources of its own that outlive a request.
     */
    public void close() { /* no per-provider resources to release */ }

    /**
     * Resolves the Keycloak user for a Kerberos-authenticated username, creating it from LDAP
     * when it does not exist locally yet.
     *
     * <p>A local user with the same username that is not linked to this provider is never
     * taken over: the method returns {@code null} and logs a warning, so a Kerberos principal
     * cannot log in as an unrelated pre-existing account. A linked local user that no longer
     * validates against LDAP is evicted from the cache, removed from local storage and
     * re-created from LDAP.
     *
     * @param realmModel realm to look the user up in
     * @param str username authenticated by Kerberos
     * @return the (possibly re-created) user, or {@code null} if the username belongs to a
     *         local user linked to a different provider or no user could be created
     */
    protected UserModel findOrCreateAuthenticatedUser(RealmModel realmModel, String str) {
        UserModel localUser = this.session.userLocalStorage().getUserByUsername(str, realmModel);
        if (localUser == null) {
            logger.debugf("Kerberos authenticated user [%s] not in Keycloak storage. Creating him", str);
            return getUserByUsername(str, realmModel);
        }
        logger.debugf("Kerberos authenticated user [%s] found in Keycloak storage", str);
        String federationLink = localUser.getFederationLink();
        if (!this.model.getId().equals(federationLink)) {
            // Same username, different owner: refuse rather than attach the Kerberos identity to it.
            logger.warnf("User with username [%s] already exists, but is not linked to provider [%s]", str, this.model.getName());
            return null;
        }
        LDAPObject ldapUser = loadAndValidateUser(realmModel, localUser);
        if (ldapUser != null) {
            return proxy(realmModel, localUser, ldapUser);
        }
        // Linked but stale: drop the local copy so it is rebuilt from the current LDAP entry.
        logger.warnf("User with username [%s] aready exists and is linked to provider [%s] but is not valid. Stale LDAP_ID on local user is: %s", str, this.model.getName(), localUser.getFirstAttribute("LDAP_ID"));
        logger.warn("Will re-create user");
        UserCache cache = this.session.userCache();
        if (cache != null) {
            cache.evict(realmModel, localUser);
        }
        new UserManager(this.session).removeUser(realmModel, localUser, this.session.userLocalStorage());
        logger.debugf("Kerberos authenticated user [%s] not in Keycloak storage. Creating him", str);
        return getUserByUsername(str, realmModel);
    }

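    /**
     * Looks a user up in LDAP by the configured username attribute.
     *
     * <p>The supplied username is inserted into the LDAP filter through
     * {@link EscapeStrategy#DEFAULT}, so filter metacharacters in {@code str} are escaped
     * rather than interpreted; the query is closed whether or not a result is found.
     *
     * @param realmModel realm whose user-search query configuration is used
     * @param str username value to match against the username LDAP attribute
     * @return the first matching LDAP entry, or {@code null} if none matches
     */
    public LDAPObject loadLDAPUserByUsername(RealmModel realmModel, String str) {
        // try-with-resources replaces the decompiled close-on-every-path boilerplate; the query
        // is closed on normal return and on exception alike, with the same result either way.
        try (LDAPQuery ldapQuery = LDAPUtils.createQueryForUserSearch(this, realmModel)) {
            ldapQuery.addWhereCondition(new LDAPQueryConditionsBuilder().equal(this.ldapIdentityStore.getConfig().getUsernameLdapAttribute(), str, EscapeStrategy.DEFAULT));
            return ldapQuery.getFirstResult();
        }
    }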
}
