package io.phasetwo.service.auth;

import com.google.auto.service.AutoService;
import io.phasetwo.service.Orgs;
import io.phasetwo.service.model.InvitationModel;
import io.phasetwo.service.model.OrganizationModel;
import io.phasetwo.service.model.OrganizationProvider;
import io.phasetwo.service.model.OrganizationRoleModel;
import io.phasetwo.service.util.Domains;
import io.phasetwo.service.util.IdentityProviders;
import java.util.Map;
import java.util.Optional;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.events.EventType;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

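/**
 * Post-broker-login authenticator that adds the logged-in user to the organization(s) that own
 * the identity provider used for the login, and then applies any pending invitations for those
 * organizations.
 *
 * <p>The class is both the factory and the authenticator: the create method returns {@code this},
 * so one instance serves every session. Keep it free of per-request instance state.
 *
 * <p>Per its help text it is meant to be used only in post-login flows.
 */
@AutoService({AuthenticatorFactory.class})
public class OrgAddUserAuthenticatorFactory extends BaseAuthenticatorFactory implements DefaultAuthenticator {
    private static final Logger log = Logger.getLogger(OrgAddUserAuthenticatorFactory.class);
    public static final String PROVIDER_ID = "ext-auth-org-add-user";

    public OrgAddUserAuthenticatorFactory() {
        super(PROVIDER_ID);
    }

    /**
     * Entry point of the execution: runs the membership/invitation logic for the current user.
     *
     * @param authenticationFlowContext the running flow; must already carry a user
     */
    public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
        log.info("OrgAddUserAuthenticatorFactory.authenticate");
        addUser(authenticationFlowContext);
    }

    /**
     * No form is presented by this authenticator, so there is nothing to process here.
     *
     * @param authenticationFlowContext the running flow (unused apart from the trace log)
     */
    public void action(AuthenticationFlowContext authenticationFlowContext) {
        // Previously logged ".authenticate" (copy/paste), which made the two entry points
        // indistinguishable in the server log.
        log.info("OrgAddUserAuthenticatorFactory.action");
    }

    /**
     * Grants organization membership based on the brokered IdP's owner configuration and then
     * consumes matching invitations.
     *
     * <p>Nothing happens unless {@code PostOrgAuthFlow.brokeredIdpEnabled} accepts the brokered
     * context and the IdP config contains {@code Orgs.ORG_OWNER_CONFIG_KEY}.
     */
    private void addUser(AuthenticationFlowContext context) {
        // NOTE(review): presumably this marks the execution as complete so the flow continues
        // whatever happens below; confirm in PostOrgAuthFlow.
        PostOrgAuthFlow.setStatus(context);
        BrokeredIdentityContext brokerContext = PostOrgAuthFlow.getBrokeredIdentityContext(context);
        if (!PostOrgAuthFlow.brokeredIdpEnabled(context, brokerContext)) {
            return;
        }

        Map<String, String> idpConfig = brokerContext.getIdpConfig().getConfig();
        // A "shared" IdP switches membership from "everyone who logs in" to "email domain must match".
        boolean sharedIdp = Boolean.parseBoolean(idpConfig.getOrDefault(Orgs.ORG_SHARED_IDP_KEY, "false"));
        if (!idpConfig.containsKey(Orgs.ORG_OWNER_CONFIG_KEY)) {
            log.infof("No organization owns IdP %s", brokerContext.getIdpConfig().getAlias());
            return;
        }

        OrganizationProvider orgs = context.getSession().getProvider(OrganizationProvider.class);
        IdentityProviders.getAttributeMultivalued(idpConfig, Orgs.ORG_OWNER_CONFIG_KEY).forEach(orgId -> {
            OrganizationModel org = orgs.getOrganizationById(context.getRealm(), orgId);
            if (org == null) {
                // Stale owner id in the IdP config: skip it rather than fail the login.
                log.infof("idpConfig  %s contained %s, but org not found", Orgs.ORG_OWNER_CONFIG_KEY, orgId);
                return;
            }
            handleOrganizationMembership(context, org, sharedIdp);
            if (org.hasMembership(context.getUser())) {
                applyPendingInvitations(context, orgs, org);
            }
        });
    }

    /**
     * Applies and then revokes every invitation the user holds for {@code org}: invitation roles
     * are granted first, the invitation is removed, and an event is recorded.
     */
    private void applyPendingInvitations(
            AuthenticationFlowContext context, OrganizationProvider orgs, OrganizationModel org) {
        orgs.getUserInvitationsStream(context.getRealm(), context.getUser())
                .filter(invitation -> invitation.getOrganization().getId().equals(org.getId()))
                .forEach(invitation -> {
                    addRolesFromInvitation(invitation, context.getUser());
                    invitation.getOrganization().revokeInvitation(invitation.getId());
                    // Recorded through error() on a cloned event, so the flow's own event is left
                    // untouched. NOTE(review): this surfaces as an error-type event even though the
                    // invitation was consumed normally; confirm that is what audit consumers expect.
                    context.getEvent()
                            .clone()
                            .event(EventType.IDENTITY_PROVIDER_POST_LOGIN)
                            .detail(Orgs.FIELD_ORG_ID, invitation.getOrganization().getId())
                            .detail("invitation_id", invitation.getId())
                            .user(context.getUser())
                            .error("User invitation revoked.");
                });
    }

    /**
     * Grants the current user membership in {@code org} when the IdP policy allows it.
     *
     * <ul>
     *   <li>Non-shared IdP: every user who authenticated through it is added.
     *   <li>Shared IdP: the user is added only when the domain of the user's email is accepted by
     *       {@code Domains.supportsDomain} for the organization's domains.
     * </ul>
     *
     * <p>Security note: in the shared case the decision rests entirely on the email stored on the
     * user. This method does not check whether that email is verified. NOTE(review): confirm that
     * shared IdPs only deliver verified/trusted email addresses, otherwise a self-asserted address
     * in an organization's domain would satisfy this check.
     *
     * @param context flow context supplying the user and the event builder
     * @param org organization that owns the IdP
     * @param sharedIdp whether the IdP is flagged as shared between organizations
     */
    private static void handleOrganizationMembership(
            AuthenticationFlowContext context, OrganizationModel org, boolean sharedIdp) {
        UserModel user = context.getUser();
        if (org.hasMembership(user)) {
            return;
        }
        if (sharedIdp) {
            // NOTE(review): getEmail() may be null for some brokered users; presumably
            // Domains.extract returns an empty Optional then. Verify.
            Optional<String> emailDomain = Domains.extract(user.getEmail());
            if (!emailDomain.isPresent() || !Domains.supportsDomain(org.getDomains(), emailDomain.get())) {
                return;
            }
        }
        log.infof("granting membership to %s for user %s", org.getName(), user.getUsername());
        org.grantMembership(user);
        context.getEvent().user(user).detail("joined_organization", org.getId()).success();
    }

    /**
     * Grants the user each organization role named on the invitation. Role names that do not
     * resolve on the invitation's organization are skipped with a debug log.
     *
     * @param invitationModel invitation whose roles are applied
     * @param userModel user receiving the roles
     */
    void addRolesFromInvitation(InvitationModel invitationModel, UserModel userModel) {
        invitationModel.getRoles().forEach(roleName -> {
            OrganizationRoleModel role = invitationModel.getOrganization().getRoleByName(roleName);
            if (role == null) {
                log.debugf("No org role found for invitation role %s. Skipping...", roleName);
                return;
            }
            role.grantRole(userModel);
        });
    }

    /** This authenticator only makes sense once a user has been identified. */
    @Override // io.phasetwo.service.auth.DefaultAuthenticator
    public boolean requiresUser() {
        return true;
    }

    /**
     * Returns this same instance as the authenticator.
     *
     * <p>The name {@code mo5create} is a decompiler rename of {@code create}; it is kept as found.
     */
    @Override // io.phasetwo.service.auth.BaseAuthenticatorFactory
    /* renamed from: create */
    public Authenticator mo5create(KeycloakSession keycloakSession) {
        return this;
    }

    @Override // io.phasetwo.service.auth.BaseAuthenticatorFactory
    public boolean isUserSetupAllowed() {
        return false;
    }

    @Override // io.phasetwo.service.auth.BaseAuthenticatorFactory
    public String getHelpText() {
        return "Adds a user to an organization if an organization-owned IdP was used to log in. Use only in Post Login Flows.";
    }

    @Override // io.phasetwo.service.auth.BaseAuthenticatorFactory
    public String getDisplayType() {
        return "Add User to Org";
    }

    @Override // io.phasetwo.service.auth.BaseAuthenticatorFactory
    public String getReferenceCategory() {
        return "Post Broker";
    }

    /**
     * Registers a listener that hands every {@code RealmPostCreateEvent} to
     * {@code PostOrgAuthFlow.realmPostCreate} together with this provider's id.
     */
    @Override // io.phasetwo.service.auth.BaseAuthenticatorFactory
    public void postInit(KeycloakSessionFactory keycloakSessionFactory) {
        keycloakSessionFactory.register(providerEvent -> {
            if (providerEvent instanceof RealmModel.RealmPostCreateEvent) {
                PostOrgAuthFlow.realmPostCreate((RealmModel.RealmPostCreateEvent) providerEvent, PROVIDER_ID);
            }
        });
    }
}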
