package org.keycloak.broker.saml.mappers;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import org.keycloak.broker.provider.AbstractIdentityProviderMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.saml.SAMLEndpoint;
import org.keycloak.dom.saml.v2.assertion.AssertionType;
import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
import org.keycloak.dom.saml.v2.assertion.AttributeType;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.IdentityProviderSyncMode;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.saml.mappers.AttributeStatementHelper;
import org.keycloak.provider.ProviderConfigProperty;

/* loaded from: input_file:org/keycloak/broker/saml/mappers/AttributeToRoleMapper.class */
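/**
 * Identity-provider mapper that grants a realm or application role when the brokered SAML
 * assertion carries an attribute matching the mapper configuration.
 *
 * <p>Security notes for reviewers and operators:
 * <ul>
 *   <li>The role decision is driven entirely by attribute data taken from the assertion stored
 *       in the brokered context. This class performs no signature or issuer validation itself;
 *       presumably that happens before the mapper runs (confirm against the SAML endpoint).</li>
 *   <li>A blank {@code attribute.name} and a blank {@code attribute.friendly.name} each act as
 *       a wildcard. If both are blank, <em>any</em> attribute holding the configured value
 *       matches.</li>
 *   <li>An unset {@code attribute.value} is treated as the empty string, and a {@code null}
 *       attribute value in the assertion is also treated as the empty string, so an unset value
 *       matches empty or nil attribute values. Configure the name and value explicitly for any
 *       mapper that grants a privileged role.</li>
 *   <li>{@link #updateBrokeredUser} removes the role mapping when the attribute is no longer
 *       asserted, whereas {@link #importNewUser} only ever grants.</li>
 * </ul>
 */
public class AttributeToRoleMapper extends AbstractIdentityProviderMapper {
    public static final String ATTRIBUTE_NAME = "attribute.name";
    public static final String ATTRIBUTE_FRIENDLY_NAME = "attribute.friendly.name";
    public static final String ATTRIBUTE_VALUE = "attribute.value";
    public static final String PROVIDER_ID = "saml-role-idp-mapper";
    public static final String[] COMPATIBLE_PROVIDERS = {"saml"};
    private static final List<ProviderConfigProperty> configProperties = new ArrayList<>();
    private static final Set<IdentityProviderSyncMode> IDENTITY_PROVIDER_SYNC_MODES =
            new HashSet<>(Arrays.asList(IdentityProviderSyncMode.values()));

    static {
        addConfigProperty(
                ATTRIBUTE_NAME,
                "Attribute Name",
                "Name of attribute to search for in assertion.  You can leave this blank and specify a friendly name instead.",
                "String");
        addConfigProperty(
                ATTRIBUTE_FRIENDLY_NAME,
                AttributeStatementHelper.FRIENDLY_NAME_LABEL,
                "Friendly name of attribute to search for in assertion.  You can leave this blank and specify a name instead.",
                "String");
        addConfigProperty(
                ATTRIBUTE_VALUE,
                "Attribute Value",
                "Value the attribute must have.  If the attribute is a list, then the value must be contained in the list.",
                "String");
        addConfigProperty(
                "role",
                "Role",
                "Role to grant to user.  Click 'Select Role' button to browse roles, or just type it in the textbox.  To reference an application role the syntax is appname.approle, i.e. myapp.myrole",
                "Role");
    }

    /** Builds one configuration property and appends it to the shared property list. */
    private static void addConfigProperty(String name, String label, String helpText, String type) {
        ProviderConfigProperty property = new ProviderConfigProperty();
        property.setName(name);
        property.setLabel(label);
        property.setHelpText(helpText);
        property.setType(type);
        configProperties.add(property);
    }

    /** Returns {@code null} for a {@code null} or whitespace-only value, otherwise the value unchanged. */
    private static String blankToNull(String value) {
        return (value != null && value.trim().equals("")) ? null : value;
    }

    /**
     * Reports whether this mapper supports the given sync mode.
     *
     * @param identityProviderSyncMode the mode to test
     * @return {@code true} for every value of {@link IdentityProviderSyncMode}, since the backing
     *     set is built from {@code IdentityProviderSyncMode.values()}
     */
    public boolean supportsSyncMode(IdentityProviderSyncMode identityProviderSyncMode) {
        return IDENTITY_PROVIDER_SYNC_MODES.contains(identityProviderSyncMode);
    }

    /**
     * Returns the configuration properties of this mapper.
     *
     * @return the shared, mutable static list; callers should treat it as read-only
     */
    public List<ProviderConfigProperty> getConfigProperties() {
        return configProperties;
    }

    /** Returns the provider id, {@value #PROVIDER_ID}. */
    public String getId() {
        return PROVIDER_ID;
    }

    /** Returns the identity-provider types this mapper applies to (SAML only). */
    public String[] getCompatibleProviders() {
        return COMPATIBLE_PROVIDERS;
    }

    /** Returns the category label for this mapper. */
    public String getDisplayCategory() {
        return "Role Mapper";
    }

    /** Returns the type label for this mapper. */
    public String getDisplayType() {
        return "SAML Attribute to Role";
    }

    /**
     * Grants the configured role to a newly imported user when the assertion matches.
     *
     * <p>The role is resolved only after a match, so a mapper pointing at a missing role fails
     * here only for users whose assertion matches; {@link #updateBrokeredUser} resolves the role
     * unconditionally.
     *
     * @throws IdentityBrokerException if the attribute matches but the configured role cannot be
     *     found
     */
    public void importNewUser(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, IdentityProviderMapperModel identityProviderMapperModel, BrokeredIdentityContext brokeredIdentityContext) {
        String roleName = (String) identityProviderMapperModel.getConfig().get("role");
        if (!isAttributePresent(identityProviderMapperModel, brokeredIdentityContext)) {
            return;
        }
        RoleModel role = KeycloakModelUtils.getRoleFromString(realmModel, roleName);
        if (role == null) {
            throw new IdentityBrokerException("Unable to find role: " + roleName);
        }
        userModel.grantRole(role);
    }

    /**
     * Checks whether the SAML assertion in the brokered context contains an attribute that
     * satisfies the mapper configuration.
     *
     * <p>An attribute matches when its name equals the configured name (or no name is
     * configured), its friendly name equals the configured friendly name (or none is
     * configured), and at least one of its values equals the configured value. A missing
     * configured value and a {@code null} attribute value are both treated as {@code ""}.
     *
     * @param identityProviderMapperModel mapper configuration
     * @param brokeredIdentityContext context expected to hold the assertion under
     *     {@code SAMLEndpoint.SAML_ASSERTION}
     * @return {@code true} if a matching attribute value is found
     */
    protected boolean isAttributePresent(IdentityProviderMapperModel identityProviderMapperModel, BrokeredIdentityContext brokeredIdentityContext) {
        String wantedName = blankToNull((String) identityProviderMapperModel.getConfig().get(ATTRIBUTE_NAME));
        String wantedFriendlyName = blankToNull((String) identityProviderMapperModel.getConfig().get(ATTRIBUTE_FRIENDLY_NAME));
        String wantedValue = (String) identityProviderMapperModel.getConfig().get(ATTRIBUTE_VALUE);
        if (wantedValue == null) {
            wantedValue = "";
        }

        AssertionType assertion = (AssertionType) brokeredIdentityContext.getContextData().get(SAMLEndpoint.SAML_ASSERTION);
        for (Object rawStatement : assertion.getAttributeStatements()) {
            AttributeStatementType statement = (AttributeStatementType) rawStatement;
            for (Object rawChoice : statement.getAttributes()) {
                AttributeType attribute = ((AttributeStatementType.ASTChoiceType) rawChoice).getAttribute();
                if (attribute == null) {
                    // A choice without a plain attribute (presumably an encrypted attribute
                    // that was not decrypted - confirm) cannot satisfy the rule. Skip it
                    // instead of failing with a NullPointerException; no role is granted
                    // from data that could not be read.
                    continue;
                }
                if (wantedName != null && !wantedName.equals(attribute.getName())) {
                    continue;
                }
                if (wantedFriendlyName != null && !wantedFriendlyName.equals(attribute.getFriendlyName())) {
                    continue;
                }
                for (Object rawValue : attribute.getAttributeValue()) {
                    // Nil attribute values compare as the empty string.
                    Object candidate = rawValue == null ? "" : rawValue;
                    if (candidate.equals(wantedValue)) {
                        return true;
                    }
                }
            }
        }
        return false;
    }

    /**
     * Re-evaluates the mapping for an existing brokered user: grants the role when the
     * assertion matches and removes the role mapping when it does not.
     *
     * @throws IdentityBrokerException if the configured role cannot be found, regardless of
     *     whether the attribute matches
     */
    public void updateBrokeredUser(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, IdentityProviderMapperModel identityProviderMapperModel, BrokeredIdentityContext brokeredIdentityContext) {
        String roleName = (String) identityProviderMapperModel.getConfig().get("role");
        RoleModel role = KeycloakModelUtils.getRoleFromString(realmModel, roleName);
        if (role == null) {
            throw new IdentityBrokerException("Unable to find role: " + roleName);
        }
        if (isAttributePresent(identityProviderMapperModel, brokeredIdentityContext)) {
            userModel.grantRole(role);
        } else {
            // The attribute is no longer asserted, so the role follows the assertion and is revoked.
            userModel.deleteRoleMapping(role);
        }
    }

    /** Returns the help text for this mapper. */
    public String getHelpText() {
        return "If an attribute exists, grant the user the specified realm or application role.";
    }
}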
