package org.keycloak.federation.kerberos;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator;
import org.keycloak.models.CredentialValidationOutput;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserCredentialValueModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.managers.UserManager;

/* loaded from: input_file:org/keycloak/federation/kerberos/KerberosFederationProvider.class */
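/**
 * Kerberos user-federation provider.
 *
 * <p>Authenticates users either through SPNEGO ({@link #validCredentials(RealmModel, UserCredentialModel)})
 * or, when the configuration allows it, through username/password against the KDC
 * ({@link #validPassword(String, String)}). The provider stores no users of its own: every
 * authenticated principal is imported into {@code session.userStorage()}, linked to this provider
 * through the federation link, and tagged with the {@link #KERBEROS_PRINCIPAL} attribute so that
 * later logins can verify the local user still matches the configured Kerberos realm.
 */
public class KerberosFederationProvider implements UserFederationProvider {
    private static final Logger logger = Logger.getLogger(KerberosFederationProvider.class);
    /** User attribute holding the full principal ({@code username@KERBEROS_REALM}) the user was imported with. */
    public static final String KERBEROS_PRINCIPAL = "KERBEROS_PRINCIPAL";
    /** Credential type string for password credentials as used by the Keycloak credential models. */
    private static final String PASSWORD_CREDENTIAL_TYPE = "password";
    /** State key under which an unfinished SPNEGO negotiation returns its challenge token to the caller. */
    private static final String SPNEGO_RESPONSE_TOKEN_KEY = "SpnegoResponseToken";
    /** State key under which a serialized GSS delegation credential is handed back after authentication. */
    private static final String GSS_DELEGATION_CREDENTIAL_KEY = "gss_delegation_credential";

    protected KeycloakSession session;
    protected UserFederationProviderModel model;
    protected KerberosConfig kerberosConfig;
    protected KerberosFederationProviderFactory factory;

    /**
     * Creates a provider bound to one session and one federation-provider configuration.
     *
     * @param keycloakSession the current session; used for local user storage access
     * @param userFederationProviderModel the stored provider configuration this instance serves
     * @param kerberosFederationProviderFactory factory used to build the Kerberos/SPNEGO authenticators
     */
    public KerberosFederationProvider(KeycloakSession keycloakSession, UserFederationProviderModel userFederationProviderModel, KerberosFederationProviderFactory kerberosFederationProviderFactory) {
        this.session = keycloakSession;
        this.model = userFederationProviderModel;
        this.kerberosConfig = new KerberosConfig(userFederationProviderModel);
        this.factory = kerberosFederationProviderFactory;
    }

    /**
     * Checks that the local user still belongs to this provider's Kerberos realm and wraps it for
     * read-only edit mode.
     *
     * @return the user (possibly wrapped in a read-only delegate), or {@code null} when
     *         {@link #isValid(RealmModel, UserModel)} rejects it
     */
    @Override
    public UserModel validateAndProxy(RealmModel realm, UserModel local) {
        if (!isValid(realm, local)) {
            return null;
        }
        boolean readOnly = this.kerberosConfig.getEditMode() == UserFederationProvider.EditMode.READ_ONLY;
        return readOnly ? new ReadOnlyKerberosUserModelDelegate(local, this) : local;
    }

    /** Registrations made in Keycloak are never pushed to the KDC. */
    @Override
    public boolean synchronizeRegistrations() {
        return false;
    }

    /** Not supported: users cannot be created in Kerberos through this provider. */
    @Override
    public UserModel register(RealmModel realm, UserModel user) {
        return null;
    }

    /** Removal only affects the local copy, so it is always reported as successful. */
    @Override
    public boolean removeUser(RealmModel realm, UserModel user) {
        return true;
    }

    /**
     * Looks a user up by username, importing it into local storage if the KDC knows the principal.
     *
     * @param username a bare username or a {@code user@REALM} principal
     * @return the (possibly freshly imported) local user, or {@code null} if the KDC does not know it
     */
    @Override
    public UserModel getUserByUsername(RealmModel realm, String username) {
        // Ask the KDC-backed authenticator first so that unknown principals never reach local storage.
        if (!this.factory.createKerberosUsernamePasswordAuthenticator(this.kerberosConfig).isUserAvailable(username)) {
            return null;
        }
        // Strip a realm suffix ("alice@EXAMPLE.ORG" -> "alice"). NOTE(review): the suffix is dropped
        // without being compared to the configured Kerberos realm; the availability check above was run
        // on the full string, so rejecting a foreign realm relies on that check — confirm this is intended.
        String localUsername = username;
        int at = localUsername.indexOf('@');
        if (at >= 0) {
            localUsername = localUsername.substring(0, at);
        }
        return findOrCreateAuthenticatedUser(realm, localUsername);
    }

    /** Email lookups are not supported; Kerberos has no email concept. */
    @Override
    public UserModel getUserByEmail(RealmModel realm, String email) {
        return null;
    }

    /** Attribute search is not supported; the KDC cannot be queried this way. */
    @Override
    public List<UserModel> searchByAttributes(Map<String, String> attributes, RealmModel realm, int maxResults) {
        return Collections.emptyList();
    }

    /** Group membership is not federated from Kerberos. */
    @Override
    public List<UserModel> getGroupMembers(RealmModel realm, GroupModel group, int firstResult, int maxResults) {
        return Collections.emptyList();
    }

    @Override
    public void preRemove(RealmModel realm) {
        // nothing to clean up: no provider-side state is kept
    }

    @Override
    public void preRemove(RealmModel realm, RoleModel role) {
        // nothing to clean up: roles are not federated
    }

    @Override
    public void preRemove(RealmModel realm, GroupModel group) {
        // nothing to clean up: groups are not federated
    }

    /**
     * A local user is valid for this provider when its stored {@link #KERBEROS_PRINCIPAL} equals
     * {@code <username>@<configured realm>}. The comparison is case-insensitive; a missing attribute
     * yields {@code false}.
     */
    @Override
    public boolean isValid(RealmModel realm, UserModel local) {
        String expectedPrincipal = local.getUsername() + "@" + this.kerberosConfig.getKerberosRealm();
        return expectedPrincipal.equalsIgnoreCase(local.getFirstAttribute(KERBEROS_PRINCIPAL));
    }

    /**
     * Credential types this provider can validate for the given user: always the SPNEGO type, plus
     * {@code password} when password authentication is enabled and the user does not already carry a
     * local password in {@code UNSYNCED} mode (where the local credential takes precedence).
     */
    @Override
    public Set<String> getSupportedCredentialTypes(UserModel user) {
        Set<String> types = new HashSet<String>();
        types.add(KerberosFederationProviderFactory.PROVIDER_NAME);
        if (this.kerberosConfig.isAllowPasswordAuthentication() && !hasLocalPassword(user)) {
            types.add(PASSWORD_CREDENTIAL_TYPE);
        }
        return types;
    }

    /** True only in UNSYNCED edit mode and only when the user already stores a password credential locally. */
    private boolean hasLocalPassword(UserModel user) {
        if (this.kerberosConfig.getEditMode() != UserFederationProvider.EditMode.UNSYNCED) {
            return false;
        }
        for (UserCredentialValueModel stored : user.getCredentialsDirectly()) {
            if (PASSWORD_CREDENTIAL_TYPE.equals(stored.getType())) {
                return true;
            }
        }
        return false;
    }

    /** Credential types supported independent of any user: only the SPNEGO type. */
    @Override
    public Set<String> getSupportedCredentialTypes() {
        Set<String> types = new HashSet<String>();
        types.add(KerberosFederationProviderFactory.PROVIDER_NAME);
        return types;
    }

    /**
     * Validates a list of credentials for a known local user.
     *
     * <p>NOTE(review): behaviour preserved from upstream — an empty list is reported as valid and only
     * the first credential is examined (a non-password first credential fails the whole call). Callers
     * must not rely on this method to deny an empty credential list.
     *
     * @return {@code true} for an empty list or a valid password; {@code false} otherwise
     */
    @Override
    public boolean validCredentials(RealmModel realm, UserModel user, List<UserCredentialModel> input) {
        if (input.isEmpty()) {
            return true;
        }
        UserCredentialModel first = input.get(0);
        if (!PASSWORD_CREDENTIAL_TYPE.equals(first.getType())) {
            return false;
        }
        return validPassword(user.getUsername(), first.getValue());
    }

    /**
     * Verifies a username/password pair against the KDC.
     *
     * @return {@code false} without contacting the KDC when password authentication is disabled
     */
    protected boolean validPassword(String username, String password) {
        if (!this.kerberosConfig.isAllowPasswordAuthentication()) {
            return false;
        }
        return this.factory.createKerberosUsernamePasswordAuthenticator(this.kerberosConfig).validUser(username, password);
    }

    /** Varargs convenience over {@link #validCredentials(RealmModel, UserModel, List)}. */
    @Override
    public boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input) {
        return validCredentials(realm, user, Arrays.asList(input));
    }

    /**
     * Runs one step of SPNEGO authentication on a credential carrying the client's token.
     *
     * @return {@code failed()} for a non-SPNEGO credential or when the authenticated principal cannot be
     *         mapped to a local user; {@code CONTINUE} with the response token in state when the
     *         negotiation needs another round-trip; {@code AUTHENTICATED} with the resolved user otherwise.
     *         When the KDC forwarded a delegation credential it is placed in the state map under
     *         {@code gss_delegation_credential} — treat that value as a secret (do not log it).
     */
    @Override
    public CredentialValidationOutput validCredentials(RealmModel realm, UserCredentialModel credential) {
        if (!KerberosFederationProviderFactory.PROVIDER_NAME.equals(credential.getType())) {
            return CredentialValidationOutput.failed();
        }
        SPNEGOAuthenticator spnego = this.factory.createSPNEGOAuthenticator(credential.getValue(), this.kerberosConfig);
        spnego.authenticate();
        Map<String, String> state = new HashMap<String, String>();
        if (!spnego.isAuthenticated()) {
            // Negotiation is not finished: hand the challenge token back so the client can answer it.
            state.put(SPNEGO_RESPONSE_TOKEN_KEY, spnego.getResponseToken());
            return new CredentialValidationOutput((UserModel) null, CredentialValidationOutput.Status.CONTINUE, state);
        }
        UserModel user = findOrCreateAuthenticatedUser(realm, spnego.getAuthenticatedUsername());
        if (user == null) {
            return CredentialValidationOutput.failed();
        }
        String delegationCredential = spnego.getSerializedDelegationCredential();
        if (delegationCredential != null) {
            state.put(GSS_DELEGATION_CREDENTIAL_KEY, delegationCredential);
        }
        return new CredentialValidationOutput(user, CredentialValidationOutput.Status.AUTHENTICATED, state);
    }

    @Override
    public void close() {
        // no resources are held between calls
    }

    /**
     * Resolves a Kerberos-authenticated username to a local user, importing it when absent.
     *
     * <p>An existing local user is only returned if it is linked to this provider and passes
     * {@link #validateAndProxy(RealmModel, UserModel)}. A user linked to this provider whose stored
     * principal no longer matches is deleted and re-imported — this is destructive for any local data on
     * that account and is logged at WARN. A user with the same username owned by another provider (or by
     * Keycloak itself) is never touched; {@code null} is returned instead so the login fails.
     *
     * @return the local user, or {@code null} when the username is already taken by an unlinked user
     */
    protected UserModel findOrCreateAuthenticatedUser(RealmModel realm, String username) {
        UserModel existing = this.session.userStorage().getUserByUsername(username, realm);
        if (existing != null) {
            logger.debug("Kerberos authenticated user " + username + " found in Keycloak storage");
            // Never take over an account that belongs to another provider or to local Keycloak storage.
            if (!this.model.getId().equals(existing.getFederationLink())) {
                logger.warn("User with username " + username + " already exists, but is not linked to provider [" + this.model.getDisplayName() + "]");
                return null;
            }
            UserModel proxied = validateAndProxy(realm, existing);
            if (proxied != null) {
                return proxied;
            }
            logger.warn("User with username " + username + " already exists and is linked to provider [" + this.model.getDisplayName() + "] but kerberos principal is not correct. Kerberos principal on user is: " + existing.getFirstAttribute(KERBEROS_PRINCIPAL));
            logger.warn("Will re-create user");
            new UserManager(this.session).removeUser(realm, existing, this.session.userStorage());
        }
        logger.debug("Kerberos authenticated user " + username + " not in Keycloak storage. Creating him");
        return importUserToKeycloak(realm, username);
    }

    /**
     * Creates the local representation of a Kerberos user.
     *
     * <p>The email is synthesized as {@code <username>@<realm lower-cased>} and is not verified against any
     * directory; it should not be trusted as a delivery address. The {@link #KERBEROS_PRINCIPAL} attribute
     * keeps the realm in its configured case so {@link #isValid(RealmModel, UserModel)} matches later.
     *
     * @return the new user, passed through {@link #validateAndProxy(RealmModel, UserModel)}
     */
    protected UserModel importUserToKeycloak(RealmModel realm, String username) {
        String kerberosRealm = this.kerberosConfig.getKerberosRealm();
        String email = username + "@" + kerberosRealm.toLowerCase();
        logger.debugf("Creating kerberos user: %s, email: %s to local Keycloak storage", username, email);
        UserModel created = this.session.userStorage().addUser(realm, username);
        created.setEnabled(true);
        created.setEmail(email);
        created.setFederationLink(this.model.getId());
        created.setSingleAttribute(KERBEROS_PRINCIPAL, username + "@" + kerberosRealm);
        if (this.kerberosConfig.isUpdateProfileFirstLogin()) {
            created.addRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
        }
        return validateAndProxy(realm, created);
    }
}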
