package org.keycloak.storage.ldap.mappers.membership.role;

import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ModelException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleContainerModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.RoleUtils;
import org.keycloak.models.utils.UserModelDelegate;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.LDAPUtils;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQueryConditionsBuilder;
import org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper;
import org.keycloak.storage.ldap.mappers.membership.CommonLDAPGroupMapper;
import org.keycloak.storage.ldap.mappers.membership.CommonLDAPGroupMapperConfig;
import org.keycloak.storage.ldap.mappers.membership.LDAPGroupMapperMode;
import org.keycloak.storage.user.SynchronizationResult;

/* loaded from: input_file:org/keycloak/storage/ldap/mappers/membership/role/RoleLDAPStorageMapper.class */
public class RoleLDAPStorageMapper extends AbstractLDAPStorageMapper implements CommonLDAPGroupMapper {
    private static final Logger logger = Logger.getLogger(RoleLDAPStorageMapper.class);
    private final RoleMapperConfig config;
    private final RoleLDAPStorageMapperFactory factory;

    /* loaded from: input_file:org/keycloak/storage/ldap/mappers/membership/role/RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.class */
    public class LDAPRoleMappingsUserDelegate extends UserModelDelegate {
        private final RealmModel realm;
        private final LDAPObject ldapUser;
        private final RoleContainerModel roleContainer;
        private Set<RoleModel> cachedLDAPRoleMappings;

        public LDAPRoleMappingsUserDelegate(RealmModel realmModel, UserModel userModel, LDAPObject lDAPObject, RoleContainerModel roleContainerModel) {
            super(userModel);
            this.realm = realmModel;
            this.ldapUser = lDAPObject;
            this.roleContainer = roleContainerModel;
        }

        public Stream<RoleModel> getRealmRoleMappingsStream() {
            if (!this.roleContainer.equals(this.realm)) {
                return super.getRealmRoleMappingsStream();
            }
            Stream<RoleModel> lDAPRoleMappingsConverted = getLDAPRoleMappingsConverted();
            return RoleLDAPStorageMapper.this.config.getMode() == LDAPGroupMapperMode.LDAP_ONLY ? lDAPRoleMappingsConverted : Stream.concat(lDAPRoleMappingsConverted, super.getRealmRoleMappingsStream());
        }

        public Stream<RoleModel> getClientRoleMappingsStream(ClientModel clientModel) {
            if (!this.roleContainer.equals(clientModel)) {
                return super.getClientRoleMappingsStream(clientModel);
            }
            Stream<RoleModel> lDAPRoleMappingsConverted = getLDAPRoleMappingsConverted();
            return RoleLDAPStorageMapper.this.config.getMode() == LDAPGroupMapperMode.LDAP_ONLY ? lDAPRoleMappingsConverted : Stream.concat(lDAPRoleMappingsConverted, super.getClientRoleMappingsStream(clientModel));
        }

        public boolean hasRole(RoleModel roleModel) {
            return RoleUtils.hasRole(getRoleMappingsStream(), roleModel) || RoleUtils.hasRoleFromGroup(getGroupsStream(), roleModel, true);
        }

        public void grantRole(RoleModel roleModel) {
            if (RoleLDAPStorageMapper.this.config.getMode() != LDAPGroupMapperMode.LDAP_ONLY) {
                super.grantRole(roleModel);
            } else if (!roleModel.getContainer().equals(this.roleContainer)) {
                super.grantRole(roleModel);
            } else {
                this.cachedLDAPRoleMappings = null;
                RoleLDAPStorageMapper.this.addRoleMappingInLDAP(roleModel.getName(), this.ldapUser);
            }
        }

        public Stream<RoleModel> getRoleMappingsStream() {
            Stream roleMappingsStream = super.getRoleMappingsStream();
            Stream<RoleModel> lDAPRoleMappingsConverted = getLDAPRoleMappingsConverted();
            if (RoleLDAPStorageMapper.this.config.getMode() == LDAPGroupMapperMode.LDAP_ONLY) {
                roleMappingsStream = roleMappingsStream.filter(roleModel -> {
                    return !Objects.equals(roleModel.getContainer(), this.roleContainer);
                });
            }
            return Stream.concat(roleMappingsStream, lDAPRoleMappingsConverted);
        }

        protected Stream<RoleModel> getLDAPRoleMappingsConverted() {
            if (this.cachedLDAPRoleMappings != null) {
                return this.cachedLDAPRoleMappings.stream();
            }
            List<LDAPObject> lDAPRoleMappings = RoleLDAPStorageMapper.this.getLDAPRoleMappings(this.ldapUser);
            String roleNameLdapAttribute = RoleLDAPStorageMapper.this.config.getRoleNameLdapAttribute();
            this.cachedLDAPRoleMappings = (Set) lDAPRoleMappings.stream().map(lDAPObject -> {
                String attributeAsString = lDAPObject.getAttributeAsString(roleNameLdapAttribute);
                RoleModel role = this.roleContainer.getRole(attributeAsString);
                if (role == null) {
                    role = this.roleContainer.addRole(attributeAsString);
                }
                return role;
            }).collect(Collectors.toSet());
            return this.cachedLDAPRoleMappings.stream();
        }

        public void deleteRoleMapping(RoleModel roleModel) {
            if (!roleModel.getContainer().equals(this.roleContainer)) {
                super.deleteRoleMapping(roleModel);
                return;
            }
            LDAPQuery createRoleQuery = RoleLDAPStorageMapper.this.createRoleQuery(true);
            try {
                LDAPQueryConditionsBuilder lDAPQueryConditionsBuilder = new LDAPQueryConditionsBuilder();
                createRoleQuery.addWhereCondition(lDAPQueryConditionsBuilder.equal(RoleLDAPStorageMapper.this.config.getRoleNameLdapAttribute(), roleModel.getName())).addWhereCondition(lDAPQueryConditionsBuilder.equal(RoleLDAPStorageMapper.this.config.getMembershipLdapAttribute(), LDAPUtils.getMemberValueOfChildObject(this.ldapUser, RoleLDAPStorageMapper.this.config.getMembershipTypeLdapAttribute(), RoleLDAPStorageMapper.this.getMembershipUserLdapAttribute())));
                LDAPObject firstResult = createRoleQuery.getFirstResult();
                if (firstResult == null) {
                    if (RoleLDAPStorageMapper.this.config.getMode() == LDAPGroupMapperMode.READ_ONLY) {
                        super.deleteRoleMapping(roleModel);
                    }
                } else {
                    if (RoleLDAPStorageMapper.this.config.getMode() == LDAPGroupMapperMode.READ_ONLY) {
                        throw new ModelException("Not possible to delete LDAP role mappings as mapper mode is READ_ONLY");
                    }
                    this.cachedLDAPRoleMappings = null;
                    RoleLDAPStorageMapper.this.deleteRoleMappingInLDAP(this.ldapUser, firstResult);
                }
                if (createRoleQuery != null) {
                    createRoleQuery.close();
                }
            } catch (Throwable th) {
                if (createRoleQuery != null) {
                    try {
                        createRoleQuery.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }
    }

    public RoleLDAPStorageMapper(ComponentModel componentModel, LDAPStorageProvider lDAPStorageProvider, RoleLDAPStorageMapperFactory roleLDAPStorageMapperFactory) {
        super(componentModel, lDAPStorageProvider);
        this.config = new RoleMapperConfig(componentModel);
        this.factory = roleLDAPStorageMapperFactory;
    }

    @Override // org.keycloak.storage.ldap.mappers.membership.CommonLDAPGroupMapper
    public LDAPQuery createLDAPGroupQuery() {
        return createRoleQuery(false);
    }

    @Override // org.keycloak.storage.ldap.mappers.membership.CommonLDAPGroupMapper
    public CommonLDAPGroupMapperConfig getConfig() {
        return this.config;
    }

    @Override // org.keycloak.storage.ldap.mappers.LDAPStorageMapper
    public void onImportUserFromLDAP(LDAPObject lDAPObject, UserModel userModel, RealmModel realmModel, boolean z) {
        if (this.config.getMode() == LDAPGroupMapperMode.IMPORT && z) {
            List<LDAPObject> lDAPRoleMappings = getLDAPRoleMappings(lDAPObject);
            String roleNameLdapAttribute = this.config.getRoleNameLdapAttribute();
            RoleContainerModel targetRoleContainer = getTargetRoleContainer(realmModel);
            if (targetRoleContainer == null) {
                logger.warnf("Ignored client role grant for federation mapper '%s' as client not found: '%s'", this.mapperModel.getName(), this.config.getClientId());
                return;
            }
            Iterator<LDAPObject> it = lDAPRoleMappings.iterator();
            while (it.hasNext()) {
                String attributeAsString = it.next().getAttributeAsString(roleNameLdapAttribute);
                RoleModel role = targetRoleContainer.getRole(attributeAsString);
                if (role == null) {
                    role = targetRoleContainer.addRole(attributeAsString);
                }
                logger.debugf("Granting role [%s] to user [%s] during import from LDAP", attributeAsString, userModel.getUsername());
                userModel.grantRole(role);
            }
        }
    }

    @Override // org.keycloak.storage.ldap.mappers.LDAPStorageMapper
    public void onRegisterUserToLDAP(LDAPObject lDAPObject, UserModel userModel, RealmModel realmModel) {
    }

    @Override // org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper, org.keycloak.storage.ldap.mappers.LDAPStorageMapper
    public SynchronizationResult syncDataFromFederationProviderToKeycloak(RealmModel realmModel) {
        SynchronizationResult synchronizationResult = new SynchronizationResult() { // from class: org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.1
            public String getStatus() {
                return String.format("%d imported roles, %d roles already exists in Keycloak", Integer.valueOf(getAdded()), Integer.valueOf(getUpdated()));
            }
        };
        logger.debugf("Syncing roles from LDAP into Keycloak DB. Mapper is [%s], LDAP provider is [%s]", this.mapperModel.getName(), this.ldapProvider.getModel().getName());
        RoleContainerModel targetRoleContainer = getTargetRoleContainer(realmModel);
        if (targetRoleContainer == null) {
            logger.warnf("Ignored sync for federation mapper '%s' as client not found: '%s'", this.mapperModel.getName(), this.config.getClientId());
            return synchronizationResult;
        }
        LDAPQuery createRoleQuery = createRoleQuery(false);
        try {
            List<LDAPObject> loadAllLDAPObjects = LDAPUtils.loadAllLDAPObjects(createRoleQuery, this.ldapProvider);
            String roleNameLdapAttribute = this.config.getRoleNameLdapAttribute();
            Iterator<LDAPObject> it = loadAllLDAPObjects.iterator();
            while (it.hasNext()) {
                String attributeAsString = it.next().getAttributeAsString(roleNameLdapAttribute);
                if (targetRoleContainer.getRole(attributeAsString) == null) {
                    logger.debugf("Syncing role [%s] from LDAP to keycloak DB", attributeAsString);
                    targetRoleContainer.addRole(attributeAsString);
                    synchronizationResult.increaseAdded();
                } else {
                    synchronizationResult.increaseUpdated();
                }
            }
            if (createRoleQuery != null) {
                createRoleQuery.close();
            }
            return synchronizationResult;
        } catch (Throwable th) {
            if (createRoleQuery != null) {
                try {
                    createRoleQuery.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Override // org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper, org.keycloak.storage.ldap.mappers.LDAPStorageMapper
    public SynchronizationResult syncDataFromKeycloakToFederationProvider(RealmModel realmModel) {
        SynchronizationResult synchronizationResult = new SynchronizationResult() { // from class: org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.2
            public String getStatus() {
                return String.format("%d roles imported to LDAP, %d roles already existed in LDAP", Integer.valueOf(getAdded()), Integer.valueOf(getUpdated()));
            }
        };
        if (this.config.getMode() != LDAPGroupMapperMode.LDAP_ONLY) {
            logger.warnf("Ignored sync for federation mapper '%s' as it's mode is '%s'", this.mapperModel.getName(), this.config.getMode().toString());
            return synchronizationResult;
        }
        logger.debugf("Syncing roles from Keycloak into LDAP. Mapper is [%s], LDAP provider is [%s]", this.mapperModel.getName(), this.ldapProvider.getModel().getName());
        RoleContainerModel targetRoleContainer = getTargetRoleContainer(realmModel);
        if (targetRoleContainer == null) {
            logger.warnf("Ignored sync for federation mapper '%s' as client not found: '%s'", this.mapperModel.getName(), this.config.getClientId());
            return synchronizationResult;
        }
        LDAPQuery createRoleQuery = createRoleQuery(false);
        try {
            List<LDAPObject> loadAllLDAPObjects = LDAPUtils.loadAllLDAPObjects(createRoleQuery, this.ldapProvider);
            HashSet hashSet = new HashSet();
            String roleNameLdapAttribute = this.config.getRoleNameLdapAttribute();
            Iterator<LDAPObject> it = loadAllLDAPObjects.iterator();
            while (it.hasNext()) {
                hashSet.add(it.next().getAttributeAsString(roleNameLdapAttribute));
            }
            Stream rolesStream = targetRoleContainer.getRolesStream();
            rolesStream.map((v0) -> {
                return v0.getName();
            }).forEach(str -> {
                if (hashSet.contains(str)) {
                    synchronizationResult.increaseUpdated();
                    return;
                }
                logger.debugf("Syncing role [%s] from Keycloak to LDAP", str);
                createLDAPRole(str);
                synchronizationResult.increaseAdded();
            });
            if (createRoleQuery != null) {
                createRoleQuery.close();
            }
            return synchronizationResult;
        } catch (Throwable th) {
            if (createRoleQuery != null) {
                try {
                    createRoleQuery.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public LDAPQuery createRoleQuery(boolean z) {
        LDAPQuery lDAPQuery = new LDAPQuery(this.ldapProvider);
        lDAPQuery.setSearchScope(this.ldapProvider.getLdapIdentityStore().getConfig().getSearchScope());
        lDAPQuery.setSearchDn(this.config.getRolesDn());
        lDAPQuery.addObjectClasses(this.config.getRoleObjectClasses(this.ldapProvider));
        String roleNameLdapAttribute = this.config.getRoleNameLdapAttribute();
        String customLdapFilter = this.config.getCustomLdapFilter();
        if (customLdapFilter != null && customLdapFilter.trim().length() > 0) {
            lDAPQuery.addWhereCondition(new LDAPQueryConditionsBuilder().addCustomLDAPFilter(customLdapFilter));
        }
        lDAPQuery.addReturningLdapAttribute(roleNameLdapAttribute);
        if (z) {
            lDAPQuery.addReturningLdapAttribute(this.config.getMembershipLdapAttribute());
        }
        return lDAPQuery;
    }

    protected RoleContainerModel getTargetRoleContainer(RealmModel realmModel) {
        if (this.config.isRealmRolesMapping()) {
            return realmModel;
        }
        String clientId = this.config.getClientId();
        if (clientId == null) {
            throw new ModelException("Using client roles mapping is requested, but parameter client.id not found!");
        }
        ClientModel clientByClientId = realmModel.getClientByClientId(clientId);
        if (clientByClientId == null) {
            logger.warnf("Cannot find requested client with clientId '%s' in federation mapper '%s'", clientId, this.mapperModel.getName());
        }
        return clientByClientId;
    }

    public LDAPObject createLDAPRole(String str) {
        LDAPObject createLDAPGroup = LDAPUtils.createLDAPGroup(this.ldapProvider, str, this.config.getRoleNameLdapAttribute(), this.config.getRoleObjectClasses(this.ldapProvider), this.config.getRelativeCreateDn() + this.config.getRolesDn(), Collections.emptyMap(), this.config.getMembershipLdapAttribute());
        logger.debugf("Creating role [%s] to LDAP with DN [%s]", str, createLDAPGroup.getDn().toString());
        return createLDAPGroup;
    }

    public void addRoleMappingInLDAP(String str, LDAPObject lDAPObject) {
        LDAPObject loadLDAPRoleByName = loadLDAPRoleByName(str);
        if (loadLDAPRoleByName == null) {
            loadLDAPRoleByName = createLDAPRole(str);
        }
        LDAPUtils.addMember(this.ldapProvider, this.config.getMembershipTypeLdapAttribute(), this.config.getMembershipLdapAttribute(), getMembershipUserLdapAttribute(), loadLDAPRoleByName, lDAPObject);
    }

    public void deleteRoleMappingInLDAP(LDAPObject lDAPObject, LDAPObject lDAPObject2) {
        LDAPUtils.deleteMember(this.ldapProvider, this.config.getMembershipTypeLdapAttribute(), this.config.getMembershipLdapAttribute(), getMembershipUserLdapAttribute(), lDAPObject2, lDAPObject);
    }

    public LDAPObject loadLDAPRoleByName(String str) {
        LDAPQuery createRoleQuery = createRoleQuery(true);
        try {
            createRoleQuery.addWhereCondition(new LDAPQueryConditionsBuilder().equal(this.config.getRoleNameLdapAttribute(), str));
            LDAPObject firstResult = createRoleQuery.getFirstResult();
            if (createRoleQuery != null) {
                createRoleQuery.close();
            }
            return firstResult;
        } catch (Throwable th) {
            if (createRoleQuery != null) {
                try {
                    createRoleQuery.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    protected List<LDAPObject> getLDAPRoleMappings(LDAPObject lDAPObject) {
        return this.factory.getUserRolesRetrieveStrategy(this.config.getUserRolesRetrieveStrategy()).getLDAPRoleMappings(this, lDAPObject, this.ldapProvider.getLdapIdentityStore().getConfig());
    }

    @Override // org.keycloak.storage.ldap.mappers.LDAPStorageMapper
    public UserModel proxy(LDAPObject lDAPObject, UserModel userModel, RealmModel realmModel) {
        RoleContainerModel targetRoleContainer;
        if (this.config.getMode() != LDAPGroupMapperMode.IMPORT && (targetRoleContainer = getTargetRoleContainer(realmModel)) != null) {
            return new LDAPRoleMappingsUserDelegate(realmModel, userModel, lDAPObject, targetRoleContainer);
        }
        return userModel;
    }

    @Override // org.keycloak.storage.ldap.mappers.LDAPStorageMapper
    public void beforeLDAPQuery(LDAPQuery lDAPQuery) {
        this.factory.getUserRolesRetrieveStrategy(this.config.getUserRolesRetrieveStrategy()).beforeUserLDAPQuery(this, lDAPQuery);
    }

    protected String getMembershipUserLdapAttribute() {
        return this.config.getMembershipUserLdapAttribute(this.ldapProvider.getLdapIdentityStore().getConfig());
    }

    public LDAPObject loadRoleGroupByName(String str) {
        LDAPQuery createRoleQuery = createRoleQuery(true);
        try {
            createRoleQuery.addWhereCondition(new LDAPQueryConditionsBuilder().equal(this.config.getRoleNameLdapAttribute(), str));
            LDAPObject firstResult = createRoleQuery.getFirstResult();
            if (createRoleQuery != null) {
                createRoleQuery.close();
            }
            return firstResult;
        } catch (Throwable th) {
            if (createRoleQuery != null) {
                try {
                    createRoleQuery.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Override // org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper, org.keycloak.storage.ldap.mappers.LDAPStorageMapper
    public List<UserModel> getRoleMembers(RealmModel realmModel, RoleModel roleModel, int i, int i2) {
        LDAPObject loadRoleGroupByName;
        if (this.config.getMode() != LDAPGroupMapperMode.IMPORT && (loadRoleGroupByName = loadRoleGroupByName(roleModel.getName())) != null) {
            return this.factory.getUserRolesRetrieveStrategy(this.config.getUserRolesRetrieveStrategy()).getLDAPRoleMembers(realmModel, this, loadRoleGroupByName, i, i2);
        }
        return Collections.emptyList();
    }
}
