package org.keycloak.federation.ldap;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator;
import org.keycloak.federation.ldap.idm.model.LDAPObject;
import org.keycloak.federation.ldap.idm.query.QueryParameter;
import org.keycloak.federation.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.federation.ldap.idm.query.internal.LDAPQueryConditionsBuilder;
import org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore;
import org.keycloak.federation.ldap.kerberos.LDAPProviderKerberosConfig;
import org.keycloak.federation.ldap.mappers.LDAPFederationMapper;
import org.keycloak.mappers.UserFederationMapper;
import org.keycloak.models.CredentialValidationOutput;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.ModelException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserCredentialValueModel;
import org.keycloak.models.UserFederationMapperModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserModel;

/* loaded from: input_file:org/keycloak/federation/ldap/LDAPFederationProvider.class */
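/**
 * LDAP-backed {@link UserFederationProvider}.
 *
 * <p>Responsibilities visible in this class: look users up in LDAP, import them into the
 * Keycloak user storage, wrap local users in an edit-mode specific delegate plus the
 * configured mapper proxies, and validate password and Kerberos/SPNEGO credentials.
 *
 * <p>An instance is bound to one {@link KeycloakSession}; no thread-safety is provided.
 */
public class LDAPFederationProvider implements UserFederationProvider {
    private static final Logger logger = Logger.getLogger(LDAPFederationProvider.class);

    /** Credential type names this provider can validate. */
    private static final String PASSWORD_CREDENTIAL = "password";
    private static final String KERBEROS_CREDENTIAL = "kerberos";

    /** Local user attributes that record the link between a Keycloak user and its LDAP entry. */
    private static final String ATTR_LDAP_ID = "LDAP_ID";
    private static final String ATTR_LDAP_ENTRY_DN = "LDAP_ENTRY_DN";

    /** Provider configuration key that enables writing new registrations to LDAP. */
    private static final String CONFIG_SYNC_REGISTRATIONS = "syncRegistrations";

    /** State keys returned alongside a SPNEGO {@link CredentialValidationOutput}. */
    private static final String STATE_SPNEGO_RESPONSE_TOKEN = "SpnegoResponseToken";
    private static final String STATE_GSS_DELEGATION_CREDENTIAL = "gss_delegation_credential";

    /** Attribute keys understood by {@link #searchByAttributes(Map, RealmModel, int)}. */
    private static final String SEARCH_USERNAME = "username";
    private static final String SEARCH_EMAIL = "email";
    private static final String SEARCH_FIRST_NAME = "firstName";
    private static final String SEARCH_LAST_NAME = "lastName";

    protected LDAPFederationProviderFactory factory;
    protected KeycloakSession session;
    protected UserFederationProviderModel model;
    protected LDAPIdentityStore ldapIdentityStore;
    protected UserFederationProvider.EditMode editMode;
    protected LDAPProviderKerberosConfig kerberosConfig;
    /** Credential types advertised by this provider; filled once in the constructor. */
    protected final Set<String> supportedCredentialTypes = new HashSet<String>();

    /**
     * Creates a provider bound to the given session, provider configuration and identity store.
     *
     * <p>Always supports {@code password}; additionally supports {@code kerberos} when the
     * provider's Kerberos configuration allows Kerberos authentication.
     */
    public LDAPFederationProvider(LDAPFederationProviderFactory lDAPFederationProviderFactory, KeycloakSession keycloakSession, UserFederationProviderModel userFederationProviderModel, LDAPIdentityStore lDAPIdentityStore) {
        this.factory = lDAPFederationProviderFactory;
        this.session = keycloakSession;
        this.model = userFederationProviderModel;
        this.ldapIdentityStore = lDAPIdentityStore;
        this.kerberosConfig = new LDAPProviderKerberosConfig(userFederationProviderModel);
        this.editMode = lDAPIdentityStore.getConfig().getEditMode();
        this.supportedCredentialTypes.add(PASSWORD_CREDENTIAL);
        if (this.kerberosConfig.isAllowKerberosAuthentication()) {
            this.supportedCredentialTypes.add(KERBEROS_CREDENTIAL);
        }
    }

    /** @return the session this provider was created for */
    public KeycloakSession getSession() {
        return this.session;
    }

    /** @return the provider configuration model */
    public UserFederationProviderModel getModel() {
        return this.model;
    }

    /** @return the underlying LDAP identity store */
    public LDAPIdentityStore getLdapIdentityStore() {
        return this.ldapIdentityStore;
    }

    /** @return the edit mode taken from the identity store configuration */
    public UserFederationProvider.EditMode getEditMode() {
        return this.editMode;
    }

    /**
     * Re-validates a locally stored user against LDAP and wraps it in the edit-mode delegate
     * and mapper proxies.
     *
     * @return the proxied user, or {@code null} when the LDAP entry is missing or its UUID does
     *         not match the local {@code LDAP_ID} attribute (see {@link #loadAndValidateUser})
     */
    public UserModel validateAndProxy(RealmModel realmModel, UserModel userModel) {
        LDAPObject ldapUser = loadAndValidateUser(realmModel, userModel);
        if (ldapUser == null) {
            return null;
        }
        return proxy(realmModel, userModel, ldapUser);
    }

    /**
     * Wraps {@code userModel} in the delegate matching the configured edit mode, then lets every
     * mapper registered for this provider wrap the result in turn.
     *
     * @param lDAPObject the LDAP entry backing the user; handed to the writable delegate and to
     *                   the mappers
     */
    protected UserModel proxy(RealmModel realmModel, UserModel userModel, LDAPObject lDAPObject) {
        UserModel proxied;
        switch (this.editMode) {
            case READ_ONLY:
                proxied = new ReadonlyLDAPUserModelDelegate(userModel, this);
                break;
            case WRITABLE:
                proxied = new WritableLDAPUserModelDelegate(userModel, this, lDAPObject);
                break;
            case UNSYNCED:
                proxied = new UnsyncedLDAPUserModelDelegate(userModel, this);
                break;
            default:
                // Unknown edit mode: hand back the user unwrapped, as the original switch did.
                proxied = userModel;
                break;
        }
        for (UserFederationMapperModel mapperModel : realmModel.getUserFederationMappersByFederationProvider(this.model.getId())) {
            proxied = getMapper(mapperModel).proxy(mapperModel, this, lDAPObject, proxied, realmModel);
        }
        return proxied;
    }

    /**
     * Credential types this provider validates for the given user.
     *
     * <p>In {@code UNSYNCED} mode a user who already has a password stored locally is
     * authenticated by Keycloak itself, so {@code password} is dropped from the set.
     *
     * @return a fresh, mutable copy; callers may modify it freely
     */
    public Set<String> getSupportedCredentialTypes(UserModel userModel) {
        Set<String> types = new HashSet<String>(this.supportedCredentialTypes);
        if (this.editMode == UserFederationProvider.EditMode.UNSYNCED) {
            for (UserCredentialValueModel cred : userModel.getCredentialsDirectly()) {
                if (PASSWORD_CREDENTIAL.equals(cred.getType())) {
                    types.remove(PASSWORD_CREDENTIAL);
                    break;
                }
            }
        }
        return types;
    }

    /** @return a fresh, mutable copy of the credential types configured in the constructor */
    public Set<String> getSupportedCredentialTypes() {
        return new HashSet<String>(this.supportedCredentialTypes);
    }

    /**
     * @return {@code true} when the provider is configured to write new registrations to LDAP
     *         and the edit mode is {@code WRITABLE}
     */
    public boolean synchronizeRegistrations() {
        String syncRegistrations = (String) this.model.getConfig().get(CONFIG_SYNC_REGISTRATIONS);
        return "true".equalsIgnoreCase(syncRegistrations) && this.editMode == UserFederationProvider.EditMode.WRITABLE;
    }

    /**
     * Creates the LDAP entry for a newly registered local user and links the two.
     *
     * @throws IllegalStateException when registrations are not synchronised to this LDAP server
     *         (which covers the {@code READ_ONLY} and {@code UNSYNCED} edit modes, since
     *         {@link #synchronizeRegistrations()} requires {@code WRITABLE})
     */
    public UserModel register(RealmModel realmModel, UserModel userModel) {
        if (!synchronizeRegistrations()) {
            throw new IllegalStateException("Registration is not supported by this ldap server");
        }
        LDAPObject ldapUser = LDAPUtils.addUserToLDAP(this, realmModel, userModel);
        LDAPUtils.checkUuid(ldapUser, this.ldapIdentityStore.getConfig());
        userModel.setSingleAttribute(ATTR_LDAP_ID, ldapUser.getUuid());
        userModel.setSingleAttribute(ATTR_LDAP_ENTRY_DN, ldapUser.getDn().toString());
        return proxy(realmModel, userModel, ldapUser);
    }

    /**
     * Removes the user's LDAP entry.
     *
     * @return {@code false} (with a warning logged) when the edit mode forbids deletion or the
     *         user has no valid LDAP entry; {@code true} after the entry was removed
     */
    public boolean removeUser(RealmModel realmModel, UserModel userModel) {
        if (this.editMode == UserFederationProvider.EditMode.READ_ONLY || this.editMode == UserFederationProvider.EditMode.UNSYNCED) {
            logger.warnf("User '%s' can't be deleted in LDAP as editMode is '%s'", userModel.getUsername(), this.editMode.toString());
            return false;
        }
        LDAPObject ldapUser = loadAndValidateUser(realmModel, userModel);
        if (ldapUser == null) {
            logger.warnf("User '%s' can't be deleted from LDAP as it doesn't exist here", userModel.getUsername());
            return false;
        }
        this.ldapIdentityStore.remove(ldapUser);
        return true;
    }

    /**
     * Searches LDAP by the given attributes and imports every match that is not yet present in
     * the local user storage.
     *
     * @param map search attributes keyed by {@code username}, {@code email}, {@code firstName}
     *            or {@code lastName}
     * @param i   maximum number of results requested by the caller; not applied by this method
     *            nor by {@link #searchLDAP}, so every LDAP match is considered
     * @return the users imported by this call (already-local users are skipped, not returned)
     */
    public List<UserModel> searchByAttributes(Map<String, String> map, RealmModel realmModel, int i) {
        List<UserModel> imported = new ArrayList<UserModel>();
        for (LDAPObject ldapUser : searchLDAP(realmModel, map, i)) {
            String username = LDAPUtils.getUsername(ldapUser, this.ldapIdentityStore.getConfig());
            boolean existsLocally = this.session.userStorage().getUserByUsername(username, realmModel) != null;
            if (!existsLocally) {
                imported.add(importUserFromLDAP(this.session, realmModel, ldapUser));
            }
        }
        return imported;
    }

    /**
     * Runs the LDAP lookups behind {@link #searchByAttributes}.
     *
     * <p>A {@code username} key yields at most one entry (exact username lookup), an
     * {@code email} key at most one entry (first match), and {@code firstName}/{@code lastName}
     * yield every entry matching the given name(s). The same entry may appear more than once when
     * several keys match it; callers are expected to tolerate that.
     *
     * @param i unused here; see {@link #searchByAttributes}
     */
    protected List<LDAPObject> searchLDAP(RealmModel realmModel, Map<String, String> map, int i) {
        List<LDAPObject> results = new ArrayList<LDAPObject>();
        if (map.containsKey(SEARCH_USERNAME)) {
            LDAPObject byUsername = loadLDAPUserByUsername(realmModel, map.get(SEARCH_USERNAME));
            if (byUsername != null) {
                results.add(byUsername);
            }
        }
        if (map.containsKey(SEARCH_EMAIL)) {
            LDAPObject byEmail = queryByEmail(realmModel, map.get(SEARCH_EMAIL));
            if (byEmail != null) {
                results.add(byEmail);
            }
        }
        boolean hasFirstName = map.containsKey(SEARCH_FIRST_NAME);
        boolean hasLastName = map.containsKey(SEARCH_LAST_NAME);
        if (hasFirstName || hasLastName) {
            LDAPQuery query = LDAPUtils.createQueryForUserSearch(this, realmModel);
            LDAPQueryConditionsBuilder conditions = new LDAPQueryConditionsBuilder();
            if (hasFirstName) {
                query.where(conditions.equal(new QueryParameter(SEARCH_FIRST_NAME), map.get(SEARCH_FIRST_NAME)));
            }
            if (hasLastName) {
                query.where(conditions.equal(new QueryParameter(SEARCH_LAST_NAME), map.get(SEARCH_LAST_NAME)));
            }
            results.addAll(query.getResultList());
        }
        return results;
    }

    /**
     * Loads the LDAP entry for a local user and checks that it is the entry the user was
     * originally linked to.
     *
     * <p>The link is verified by comparing the entry's UUID with the local {@code LDAP_ID}
     * attribute, so a local user cannot silently be re-bound to a different LDAP entry that
     * happens to carry the same username.
     *
     * @return the matching entry, or {@code null} when there is no entry for the username or the
     *         UUIDs differ (a warning is logged in the latter case)
     */
    protected LDAPObject loadAndValidateUser(RealmModel realmModel, UserModel userModel) {
        LDAPObject ldapUser = loadLDAPUserByUsername(realmModel, userModel.getUsername());
        if (ldapUser == null) {
            return null;
        }
        LDAPUtils.checkUuid(ldapUser, this.ldapIdentityStore.getConfig());
        String localLdapId = userModel.getFirstAttribute(ATTR_LDAP_ID);
        if (ldapUser.getUuid().equals(localLdapId)) {
            return ldapUser;
        }
        logger.warnf("LDAP User invalid. ID doesn't match. ID from LDAP [%s], LDAP ID from local DB: [%s]", ldapUser.getUuid(), localLdapId);
        return null;
    }

    /** @return {@code true} when {@link #loadAndValidateUser} finds a matching LDAP entry */
    public boolean isValid(RealmModel realmModel, UserModel userModel) {
        return loadAndValidateUser(realmModel, userModel) != null;
    }

    /**
     * Looks a user up in LDAP by username and imports it into the local storage.
     *
     * @param str the username
     * @return the imported (and proxied) user, or {@code null} when LDAP has no such entry
     */
    public UserModel getUserByUsername(RealmModel realmModel, String str) {
        LDAPObject ldapUser = loadLDAPUserByUsername(realmModel, str);
        if (ldapUser == null) {
            return null;
        }
        return importUserFromLDAP(this.session, realmModel, ldapUser);
    }

    /**
     * Creates a local user for an LDAP entry, runs every mapper's import hook, records the
     * federation link plus the {@code LDAP_ID}/{@code LDAP_ENTRY_DN} attributes, and returns the
     * proxied user.
     *
     * <p>The new user is enabled unconditionally; mappers may change that afterwards.
     */
    public UserModel importUserFromLDAP(KeycloakSession keycloakSession, RealmModel realmModel, LDAPObject lDAPObject) {
        String username = LDAPUtils.getUsername(lDAPObject, this.ldapIdentityStore.getConfig());
        LDAPUtils.checkUuid(lDAPObject, this.ldapIdentityStore.getConfig());
        UserModel imported = keycloakSession.userStorage().addUser(realmModel, username);
        imported.setEnabled(true);
        for (UserFederationMapperModel mapperModel : realmModel.getUserFederationMappersByFederationProvider(getModel().getId())) {
            if (logger.isTraceEnabled()) {
                logger.tracef("Using mapper %s during import user from LDAP", mapperModel);
            }
            getMapper(mapperModel).onImportUserFromLDAP(mapperModel, this, lDAPObject, imported, realmModel, true);
        }
        String ldapDn = lDAPObject.getDn().toString();
        imported.setFederationLink(this.model.getId());
        imported.setSingleAttribute(ATTR_LDAP_ID, lDAPObject.getUuid());
        imported.setSingleAttribute(ATTR_LDAP_ENTRY_DN, ldapDn);
        logger.debugf("Imported new user from LDAP to Keycloak DB. Username: [%s], Email: [%s], LDAP_ID: [%s], LDAP Entry DN: [%s]", new Object[]{imported.getUsername(), imported.getEmail(), lDAPObject.getUuid(), ldapDn});
        return proxy(realmModel, imported, lDAPObject);
    }

    /**
     * @param str the e-mail address to match exactly
     * @return the first LDAP entry whose {@code email} equals {@code str}, or {@code null}
     */
    protected LDAPObject queryByEmail(RealmModel realmModel, String str) {
        LDAPQuery query = LDAPUtils.createQueryForUserSearch(this, realmModel);
        query.where(new LDAPQueryConditionsBuilder().equal(new QueryParameter(SEARCH_EMAIL), str));
        return query.getFirstResult();
    }

    /**
     * Looks a user up in LDAP by e-mail and imports it.
     *
     * @throws ModelDuplicateException when a local user with the LDAP entry's username already
     *         exists, so the import would collide with it
     * @return the imported user, or {@code null} when LDAP has no entry with that e-mail
     */
    public UserModel getUserByEmail(RealmModel realmModel, String str) {
        LDAPObject ldapUser = queryByEmail(realmModel, str);
        if (ldapUser == null) {
            return null;
        }
        String username = LDAPUtils.getUsername(ldapUser, this.ldapIdentityStore.getConfig());
        if (this.session.userStorage().getUserByUsername(username, realmModel) != null) {
            throw new ModelDuplicateException("User with username '" + username + "' already exists in Keycloak. It conflicts with LDAP user with email '" + str + "'");
        }
        return importUserFromLDAP(this.session, realmModel, ldapUser);
    }

    /** No-op: nothing to clean up in LDAP when a realm is removed. */
    public void preRemove(RealmModel realmModel) {
    }

    /** No-op: roles are not mirrored to LDAP by this provider. */
    public void preRemove(RealmModel realmModel, RoleModel roleModel) {
    }

    /** No-op: groups are not mirrored to LDAP by this provider. */
    public void preRemove(RealmModel realmModel, GroupModel groupModel) {
    }

    /**
     * Validates a password either through Kerberos (when configured to use Kerberos for password
     * authentication) or through an LDAP bind against the user's entry.
     *
     * @param str the cleartext password; never logged
     * @return {@code true} only when the backend accepted the password; {@code false} when the
     *         user has no valid LDAP entry (previously this path dereferenced a {@code null}
     *         entry), so a stale or re-bound local user fails closed
     */
    public boolean validPassword(RealmModel realmModel, UserModel userModel, String str) {
        if (this.kerberosConfig.isAllowKerberosAuthentication() && this.kerberosConfig.isUseKerberosForPasswordAuthentication()) {
            return this.factory.createKerberosUsernamePasswordAuthenticator(this.kerberosConfig).validUser(userModel.getUsername(), str);
        }
        LDAPObject ldapUser = loadAndValidateUser(realmModel, userModel);
        if (ldapUser == null) {
            logger.warnf("Password validation refused for user '%s': no valid LDAP entry", userModel.getUsername());
            return false;
        }
        return this.ldapIdentityStore.validatePassword(ldapUser, str);
    }

    /**
     * Validates a list of credentials.
     *
     * <p>Only the first credential is inspected: a {@code password} credential is checked with
     * {@link #validPassword}; any other type is rejected. An empty list is reported as valid, as
     * in the original implementation.
     * NOTE(review): the empty-list case relies on callers never passing an empty list — confirm.
     */
    public boolean validCredentials(RealmModel realmModel, UserModel userModel, List<UserCredentialModel> list) {
        if (list.isEmpty()) {
            return true;
        }
        UserCredentialModel first = list.get(0);
        if (PASSWORD_CREDENTIAL.equals(first.getType())) {
            return validPassword(realmModel, userModel, first.getValue());
        }
        return false;
    }

    /** Varargs convenience for {@link #validCredentials(RealmModel, UserModel, List)}. */
    public boolean validCredentials(RealmModel realmModel, UserModel userModel, UserCredentialModel... userCredentialModelArr) {
        return validCredentials(realmModel, userModel, Arrays.asList(userCredentialModelArr));
    }

    /**
     * Validates a Kerberos/SPNEGO credential.
     *
     * <p>Outcomes: {@code failed()} when the credential is not of type {@code kerberos} or
     * Kerberos authentication is disabled; {@code CONTINUE} with a {@code SpnegoResponseToken}
     * when the SPNEGO exchange needs another round trip; {@code failed()} when the principal
     * authenticated but no local user could be found or created for it; otherwise
     * {@code AUTHENTICATED} with the user and, when available, the serialized GSS delegation
     * credential in the state map.
     */
    public CredentialValidationOutput validCredentials(RealmModel realmModel, UserCredentialModel userCredentialModel) {
        if (!KERBEROS_CREDENTIAL.equals(userCredentialModel.getType()) || !this.kerberosConfig.isAllowKerberosAuthentication()) {
            return CredentialValidationOutput.failed();
        }
        SPNEGOAuthenticator spnego = this.factory.createSPNEGOAuthenticator(userCredentialModel.getValue(), this.kerberosConfig);
        spnego.authenticate();
        Map<String, String> state = new HashMap<String, String>();
        if (!spnego.isAuthenticated()) {
            state.put(STATE_SPNEGO_RESPONSE_TOKEN, spnego.getResponseToken());
            return new CredentialValidationOutput((UserModel) null, CredentialValidationOutput.Status.CONTINUE, state);
        }
        String username = spnego.getAuthenticatedUsername();
        UserModel user = findOrCreateAuthenticatedUser(realmModel, username);
        if (user == null) {
            logger.warnf("Kerberos/SPNEGO authentication succeeded with username [%s], but couldn't find or create user with federation provider [%s]", username, this.model.getDisplayName());
            return CredentialValidationOutput.failed();
        }
        String delegationCredential = spnego.getSerializedDelegationCredential();
        if (delegationCredential != null) {
            state.put(STATE_GSS_DELEGATION_CREDENTIAL, delegationCredential);
        }
        return new CredentialValidationOutput(user, CredentialValidationOutput.Status.AUTHENTICATED, state);
    }

    /** No-op: the identity store's resources are owned by the factory, not this provider. */
    public void close() {
    }

    /**
     * Resolves the local user for a Kerberos-authenticated principal.
     *
     * <p>A local user with the same username is only accepted when it is linked to this
     * provider; an unlinked user with that name makes the lookup fail ({@code null}) rather than
     * letting a Kerberos principal take over an unrelated local account. A linked user whose LDAP
     * entry no longer validates is deleted and re-imported from LDAP.
     *
     * @param str the authenticated username
     * @return the proxied user, or {@code null} when it could not be found or created
     */
    protected UserModel findOrCreateAuthenticatedUser(RealmModel realmModel, String str) {
        UserModel localUser = this.session.userStorage().getUserByUsername(str, realmModel);
        if (localUser != null) {
            logger.debugf("Kerberos authenticated user [%s] found in Keycloak storage", str);
            if (!this.model.getId().equals(localUser.getFederationLink())) {
                logger.warnf("User with username [%s] already exists, but is not linked to provider [%s]", str, this.model.getDisplayName());
                return null;
            }
            LDAPObject ldapUser = loadAndValidateUser(realmModel, localUser);
            if (ldapUser != null) {
                return proxy(realmModel, localUser, ldapUser);
            }
            logger.warnf("User with username [%s] aready exists and is linked to provider [%s] but is not valid. Stale LDAP_ID on local user is: %s", str, this.model.getDisplayName(), localUser.getFirstAttribute(ATTR_LDAP_ID));
            logger.warn("Will re-create user");
            this.session.userStorage().removeUser(realmModel, localUser);
        }
        logger.debugf("Kerberos authenticated user [%s] not in Keycloak storage. Creating him", str);
        return getUserByUsername(realmModel, str);
    }

    /**
     * @param str the username, matched against the configured username LDAP attribute
     * @return the first matching LDAP entry, or {@code null} when there is none
     */
    public LDAPObject loadLDAPUserByUsername(RealmModel realmModel, String str) {
        LDAPQuery query = LDAPUtils.createQueryForUserSearch(this, realmModel);
        String usernameAttribute = this.ldapIdentityStore.getConfig().getUsernameLdapAttribute();
        query.where(new LDAPQueryConditionsBuilder().equal(new QueryParameter(usernameAttribute), str));
        return query.getFirstResult();
    }

    /**
     * Resolves the mapper implementation for a mapper model through the session's provider
     * registry.
     *
     * @throws ModelException when no mapper of the model's type is registered
     */
    public LDAPFederationMapper getMapper(UserFederationMapperModel userFederationMapperModel) {
        // The registry is keyed by the generic mapper interface; LDAP mapper models are expected
        // to resolve to LDAPFederationMapper implementations.
        LDAPFederationMapper mapper = (LDAPFederationMapper) getSession().getProvider(UserFederationMapper.class, userFederationMapperModel.getFederationMapperType());
        if (mapper == null) {
            throw new ModelException("Can't find mapper type with ID: " + userFederationMapperModel.getFederationMapperType());
        }
        return mapper;
    }
}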
