package org.keycloak.federation.ldap;

import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator;
import org.keycloak.federation.ldap.idm.model.LDAPUser;
import org.keycloak.federation.ldap.idm.query.IdentityQuery;
import org.keycloak.federation.ldap.idm.query.IdentityQueryBuilder;
import org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore;
import org.keycloak.federation.ldap.kerberos.LDAPProviderKerberosConfig;
import org.keycloak.models.CredentialValidationOutput;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserCredentialValueModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserModel;

/* loaded from: input_file:org/keycloak/federation/ldap/LDAPFederationProvider.class */
public class LDAPFederationProvider implements UserFederationProvider {
    private static final Logger logger = Logger.getLogger(LDAPFederationProvider.class);
    protected LDAPFederationProviderFactory factory;
    protected KeycloakSession session;
    protected UserFederationProviderModel model;
    protected LDAPIdentityStore ldapIdentityStore;
    protected UserFederationProvider.EditMode editMode;
    protected LDAPProviderKerberosConfig kerberosConfig;
    protected final Set<String> supportedCredentialTypes = new HashSet();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.keycloak.federation.ldap.LDAPFederationProvider$1, reason: invalid class name */
    /* loaded from: input_file:org/keycloak/federation/ldap/LDAPFederationProvider$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$keycloak$models$UserFederationProvider$EditMode = new int[UserFederationProvider.EditMode.values().length];

        static {
            try {
                $SwitchMap$org$keycloak$models$UserFederationProvider$EditMode[UserFederationProvider.EditMode.READ_ONLY.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$keycloak$models$UserFederationProvider$EditMode[UserFederationProvider.EditMode.WRITABLE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$keycloak$models$UserFederationProvider$EditMode[UserFederationProvider.EditMode.UNSYNCED.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    public LDAPFederationProvider(LDAPFederationProviderFactory lDAPFederationProviderFactory, KeycloakSession keycloakSession, UserFederationProviderModel userFederationProviderModel, LDAPIdentityStore lDAPIdentityStore) {
        this.factory = lDAPFederationProviderFactory;
        this.session = keycloakSession;
        this.model = userFederationProviderModel;
        this.ldapIdentityStore = lDAPIdentityStore;
        this.kerberosConfig = new LDAPProviderKerberosConfig(userFederationProviderModel);
        String str = (String) userFederationProviderModel.getConfig().get("editMode");
        if (str == null) {
            this.editMode = UserFederationProvider.EditMode.READ_ONLY;
        } else {
            this.editMode = UserFederationProvider.EditMode.valueOf(str);
        }
        this.supportedCredentialTypes.add("password");
        if (this.kerberosConfig.isAllowKerberosAuthentication()) {
            this.supportedCredentialTypes.add("kerberos");
        }
    }

    public KeycloakSession getSession() {
        return this.session;
    }

    public UserFederationProviderModel getModel() {
        return this.model;
    }

    public LDAPIdentityStore getLdapIdentityStore() {
        return this.ldapIdentityStore;
    }

    public UserModel proxy(UserModel userModel) {
        switch (AnonymousClass1.$SwitchMap$org$keycloak$models$UserFederationProvider$EditMode[this.editMode.ordinal()]) {
            case 1:
                return new ReadonlyLDAPUserModelDelegate(userModel, this);
            case 2:
                return new WritableLDAPUserModelDelegate(userModel, this);
            case 3:
                return new UnsyncedLDAPUserModelDelegate(userModel, this);
            default:
                return userModel;
        }
    }

    public Set<String> getSupportedCredentialTypes(UserModel userModel) {
        HashSet hashSet = new HashSet(this.supportedCredentialTypes);
        if (this.editMode == UserFederationProvider.EditMode.UNSYNCED) {
            Iterator it = userModel.getCredentialsDirectly().iterator();
            while (it.hasNext()) {
                if (((UserCredentialValueModel) it.next()).getType().equals("password")) {
                    hashSet.remove("password");
                }
            }
        }
        return hashSet;
    }

    public Set<String> getSupportedCredentialTypes() {
        return new HashSet(this.supportedCredentialTypes);
    }

    public boolean synchronizeRegistrations() {
        return "true".equalsIgnoreCase((String) this.model.getConfig().get("syncRegistrations")) && this.editMode == UserFederationProvider.EditMode.WRITABLE;
    }

    public UserModel register(RealmModel realmModel, UserModel userModel) {
        if (this.editMode == UserFederationProvider.EditMode.READ_ONLY || this.editMode == UserFederationProvider.EditMode.UNSYNCED) {
            throw new IllegalStateException("Registration is not supported by this ldap server");
        }
        if (!synchronizeRegistrations()) {
            throw new IllegalStateException("Registration is not supported by this ldap server");
        }
        LDAPUser addUser = LDAPUtils.addUser(this.ldapIdentityStore, userModel.getUsername(), userModel.getFirstName(), userModel.getLastName(), userModel.getEmail());
        userModel.setAttribute("LDAP_ID", addUser.getId());
        userModel.setAttribute("LDAP_ENTRY_DN", addUser.getEntryDN());
        return proxy(userModel);
    }

    public boolean removeUser(RealmModel realmModel, UserModel userModel) {
        if (this.editMode != UserFederationProvider.EditMode.READ_ONLY && this.editMode != UserFederationProvider.EditMode.UNSYNCED) {
            return LDAPUtils.removeUser(this.ldapIdentityStore, userModel.getUsername());
        }
        logger.warnf("User '%s' can't be deleted in LDAP as editMode is '%s'", userModel.getUsername(), this.editMode.toString());
        return false;
    }

    public List<UserModel> searchByAttributes(Map<String, String> map, RealmModel realmModel, int i) {
        LinkedList linkedList = new LinkedList();
        for (LDAPUser lDAPUser : searchLDAP(map, i).values()) {
            if (this.session.userStorage().getUserByUsername(lDAPUser.getLoginName(), realmModel) == null) {
                linkedList.add(importUserFromLDAP(realmModel, lDAPUser));
            }
        }
        return linkedList;
    }

    protected Map<String, LDAPUser> searchLDAP(Map<String, String> map, int i) {
        LDAPUser queryByEmail;
        LDAPUser user;
        HashMap hashMap = new HashMap();
        if (map.containsKey("username") && (user = LDAPUtils.getUser(this.ldapIdentityStore, map.get("username"))) != null) {
            hashMap.put(user.getLoginName(), user);
        }
        if (map.containsKey("email") && (queryByEmail = queryByEmail(map.get("email"))) != null) {
            hashMap.put(queryByEmail.getLoginName(), queryByEmail);
        }
        if (map.containsKey("firstName") || map.containsKey("lastName")) {
            IdentityQueryBuilder createQueryBuilder = this.ldapIdentityStore.createQueryBuilder();
            IdentityQuery createIdentityQuery = createQueryBuilder.createIdentityQuery(LDAPUser.class);
            if (map.containsKey("firstName")) {
                createIdentityQuery.where(createQueryBuilder.equal(LDAPUser.FIRST_NAME, map.get("firstName")));
            }
            if (map.containsKey("lastName")) {
                createIdentityQuery.where(createQueryBuilder.equal(LDAPUser.LAST_NAME, map.get("lastName")));
            }
            createIdentityQuery.setLimit(i);
            for (LDAPUser lDAPUser : createIdentityQuery.getResultList()) {
                hashMap.put(lDAPUser.getLoginName(), lDAPUser);
            }
        }
        return hashMap;
    }

    public boolean isValid(UserModel userModel) {
        LDAPUser user = LDAPUtils.getUser(this.ldapIdentityStore, userModel.getUsername());
        if (user == null) {
            return false;
        }
        return user.getId().equals(userModel.getAttribute("LDAP_ID"));
    }

    public UserModel getUserByUsername(RealmModel realmModel, String str) {
        LDAPUser user = LDAPUtils.getUser(this.ldapIdentityStore, str);
        if (user == null) {
            return null;
        }
        if (str.equals(user.getLoginName())) {
            return importUserFromLDAP(realmModel, user);
        }
        logger.warnf("User found in LDAP but with different username. LDAP username: %s, Searched username: %s", str, user.getLoginName());
        return null;
    }

    protected UserModel importUserFromLDAP(RealmModel realmModel, LDAPUser lDAPUser) {
        String email = (lDAPUser.getEmail() == null || lDAPUser.getEmail().trim().length() <= 0) ? null : lDAPUser.getEmail();
        if (lDAPUser.getLoginName() == null) {
            throw new ModelException("User returned from LDAP has null username! Check configuration of your LDAP mappings. ID of user from LDAP: " + lDAPUser.getId());
        }
        UserModel addUser = this.session.userStorage().addUser(realmModel, lDAPUser.getLoginName());
        addUser.setEnabled(true);
        addUser.setEmail(email);
        addUser.setFirstName(lDAPUser.getFirstName());
        addUser.setLastName(lDAPUser.getLastName());
        addUser.setFederationLink(this.model.getId());
        addUser.setAttribute("LDAP_ID", lDAPUser.getId());
        addUser.setAttribute("LDAP_ENTRY_DN", lDAPUser.getEntryDN());
        logger.debugf("Imported new user from LDAP to Keycloak DB. Username: [%s], Email: [%s], LDAP_ID: [%s], LDAP Entry DN: [%s]", new Object[]{addUser.getUsername(), addUser.getEmail(), lDAPUser.getId(), lDAPUser.getEntryDN()});
        return proxy(addUser);
    }

    protected LDAPUser queryByEmail(String str) {
        return LDAPUtils.getUserByEmail(this.ldapIdentityStore, str);
    }

    public UserModel getUserByEmail(RealmModel realmModel, String str) {
        LDAPUser queryByEmail = queryByEmail(str);
        if (queryByEmail == null) {
            return null;
        }
        if (str.equals(queryByEmail.getEmail())) {
            return importUserFromLDAP(realmModel, queryByEmail);
        }
        logger.warnf("User found in LDAP but with different email. LDAP email: %s, Searched email: %s", str, queryByEmail.getEmail());
        return null;
    }

    public void preRemove(RealmModel realmModel) {
    }

    public void preRemove(RealmModel realmModel, RoleModel roleModel) {
    }

    public boolean validPassword(UserModel userModel, String str) {
        return (this.kerberosConfig.isAllowKerberosAuthentication() && this.kerberosConfig.isUseKerberosForPasswordAuthentication()) ? this.factory.createKerberosUsernamePasswordAuthenticator(this.kerberosConfig).validUser(userModel.getUsername(), str) : LDAPUtils.validatePassword(this.ldapIdentityStore, userModel, str);
    }

    public boolean validCredentials(RealmModel realmModel, UserModel userModel, List<UserCredentialModel> list) {
        Iterator<UserCredentialModel> it = list.iterator();
        if (!it.hasNext()) {
            return true;
        }
        UserCredentialModel next = it.next();
        if (next.getType().equals("password")) {
            return validPassword(userModel, next.getValue());
        }
        return false;
    }

    public boolean validCredentials(RealmModel realmModel, UserModel userModel, UserCredentialModel... userCredentialModelArr) {
        return validCredentials(realmModel, userModel, Arrays.asList(userCredentialModelArr));
    }

    public CredentialValidationOutput validCredentials(RealmModel realmModel, UserCredentialModel userCredentialModel) {
        if (!userCredentialModel.getType().equals("kerberos") || !this.kerberosConfig.isAllowKerberosAuthentication()) {
            return CredentialValidationOutput.failed();
        }
        SPNEGOAuthenticator createSPNEGOAuthenticator = this.factory.createSPNEGOAuthenticator(userCredentialModel.getValue(), this.kerberosConfig);
        createSPNEGOAuthenticator.authenticate();
        HashMap hashMap = new HashMap();
        if (!createSPNEGOAuthenticator.isAuthenticated()) {
            hashMap.put("SpnegoResponseToken", createSPNEGOAuthenticator.getResponseToken());
            return new CredentialValidationOutput((UserModel) null, CredentialValidationOutput.Status.CONTINUE, hashMap);
        }
        String authenticatedUsername = createSPNEGOAuthenticator.getAuthenticatedUsername();
        UserModel findOrCreateAuthenticatedUser = findOrCreateAuthenticatedUser(realmModel, authenticatedUsername);
        if (findOrCreateAuthenticatedUser == null) {
            logger.warnf("Kerberos/SPNEGO authentication succeeded with username [%s], but couldn't find or create user with federation provider [%s]", authenticatedUsername, this.model.getDisplayName());
            return CredentialValidationOutput.failed();
        }
        String serializedDelegationCredential = createSPNEGOAuthenticator.getSerializedDelegationCredential();
        if (serializedDelegationCredential != null) {
            hashMap.put("gss_delegation_credential", serializedDelegationCredential);
        }
        return new CredentialValidationOutput(findOrCreateAuthenticatedUser, CredentialValidationOutput.Status.AUTHENTICATED, hashMap);
    }

    public void close() {
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void importLDAPUsers(RealmModel realmModel, List<LDAPUser> list, UserFederationProviderModel userFederationProviderModel) {
        for (LDAPUser lDAPUser : list) {
            String loginName = lDAPUser.getLoginName();
            UserModel userByUsername = this.session.userStorage().getUserByUsername(loginName, realmModel);
            if (userByUsername == null) {
                importUserFromLDAP(realmModel, lDAPUser);
            } else if (userFederationProviderModel.getId().equals(userByUsername.getFederationLink()) && lDAPUser.getId().equals(userByUsername.getAttribute("LDAP_ID"))) {
                userByUsername.setEmail((lDAPUser.getEmail() == null || lDAPUser.getEmail().trim().length() <= 0) ? null : lDAPUser.getEmail());
                userByUsername.setFirstName(lDAPUser.getFirstName());
                userByUsername.setLastName(lDAPUser.getLastName());
                logger.debugf("Updated user from LDAP: %s", userByUsername.getUsername());
            } else {
                logger.warnf("User '%s' is not updated during sync as he is not linked to federation provider '%s'", loginName, userFederationProviderModel.getDisplayName());
            }
        }
    }

    protected UserModel findOrCreateAuthenticatedUser(RealmModel realmModel, String str) {
        UserModel userByUsername = this.session.userStorage().getUserByUsername(str, realmModel);
        if (userByUsername != null) {
            logger.debugf("Kerberos authenticated user [%s] found in Keycloak storage", str);
            if (!this.model.getId().equals(userByUsername.getFederationLink())) {
                logger.warnf("User with username [%s] already exists, but is not linked to provider [%s]", str, this.model.getDisplayName());
                return null;
            }
            if (isValid(userByUsername)) {
                return proxy(userByUsername);
            }
            logger.warnf("User with username [%s] aready exists and is linked to provider [%s] but is not valid. Stale LDAP_ID on local user is: %s", str, this.model.getDisplayName(), userByUsername.getAttribute("LDAP_ID"));
            logger.warn("Will re-create user");
            this.session.userStorage().removeUser(realmModel, userByUsername);
        }
        logger.debugf("Kerberos authenticated user [%s] not in Keycloak storage. Creating him", str);
        return getUserByUsername(realmModel, str);
    }
}
