package org.keycloak.storage.ldap.mappers.msad;

import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import javax.naming.AuthenticationException;
import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.ModelException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper;
import org.keycloak.storage.ldap.mappers.LDAPOperationDecorator;
import org.keycloak.storage.ldap.mappers.PasswordUpdateCallback;
import org.keycloak.storage.ldap.mappers.TxAwareLDAPUserModelDelegate;

/* loaded from: input_file:org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper.class */
public class MSADUserAccountControlStorageMapper extends AbstractLDAPStorageMapper implements PasswordUpdateCallback {
    public static final String LDAP_PASSWORD_POLICY_HINTS_ENABLED = "ldap.password.policy.hints.enabled";
    private static final Logger logger = Logger.getLogger(MSADUserAccountControlStorageMapper.class);
    private static final Pattern AUTH_EXCEPTION_REGEX = Pattern.compile(".*AcceptSecurityContext error, data ([0-9a-f]*), v.*");
    private static final Pattern AUTH_INVALID_NEW_PASSWORD = Pattern.compile(".*ERROR CODE ([0-9A-F]+) - ([0-9A-F]+): .*WILL_NOT_PERFORM.*");

    /* loaded from: input_file:org/keycloak/storage/ldap/mappers/msad/MSADUserAccountControlStorageMapper$MSADUserModelDelegate.class */
    public class MSADUserModelDelegate extends TxAwareLDAPUserModelDelegate {
        private final LDAPObject ldapUser;

        public MSADUserModelDelegate(UserModel userModel, LDAPObject lDAPObject) {
            super(userModel, MSADUserAccountControlStorageMapper.this.ldapProvider, lDAPObject);
            this.ldapUser = lDAPObject;
        }

        public boolean isEnabled() {
            boolean isEnabled = super.isEnabled();
            return getPwdLastSet() > 0 ? isEnabled && !MSADUserAccountControlStorageMapper.this.getUserAccountControl(this.ldapUser).has(2L) : isEnabled;
        }

        public void setEnabled(boolean z) {
            super.setEnabled(z);
            if (MSADUserAccountControlStorageMapper.this.ldapProvider.getEditMode() != UserStorageProvider.EditMode.WRITABLE || getPwdLastSet() <= 0) {
                return;
            }
            MSADUserAccountControlStorageMapper.logger.debugf("Going to propagate enabled=%s for ldapUser '%s' to MSAD", Boolean.valueOf(z), this.ldapUser.getDn().toString());
            UserAccountControl userAccountControl = MSADUserAccountControlStorageMapper.this.getUserAccountControl(this.ldapUser);
            if (z) {
                userAccountControl.remove(2L);
            } else {
                userAccountControl.add(2L);
            }
            markUpdatedAttributeInTransaction("enabled");
            MSADUserAccountControlStorageMapper.this.updateUserAccountControl(false, this.ldapUser, userAccountControl);
        }

        public void addRequiredAction(UserModel.RequiredAction requiredAction) {
            addRequiredAction(requiredAction.name());
        }

        public void addRequiredAction(String str) {
            if (MSADUserAccountControlStorageMapper.this.ldapProvider.getEditMode() != UserStorageProvider.EditMode.WRITABLE || !UserModel.RequiredAction.UPDATE_PASSWORD.toString().equals(str)) {
                MSADUserAccountControlStorageMapper.logger.debugf("Going to add required action '%s' of user '%s' in realm '%s' to the DB", str, getUsername(), MSADUserAccountControlStorageMapper.this.getRealmName());
                super.addRequiredAction(str);
            } else {
                MSADUserAccountControlStorageMapper.logger.debugf("Going to propagate required action UPDATE_PASSWORD to MSAD for ldap user '%s'. Keycloak user '%s' in realm '%s'", this.ldapUser.getDn().toString(), getUsername(), MSADUserAccountControlStorageMapper.this.getRealmName());
                this.ldapUser.removeReadOnlyAttributeName("pwdLastSet");
                this.ldapUser.setSingleAttribute("pwdLastSet", "0");
                markUpdatedRequiredActionInTransaction(str);
            }
        }

        public void removeRequiredAction(UserModel.RequiredAction requiredAction) {
            removeRequiredAction(requiredAction.name());
        }

        public void removeRequiredAction(String str) {
            super.removeRequiredAction(str);
            if (MSADUserAccountControlStorageMapper.this.ldapProvider.getEditMode() == UserStorageProvider.EditMode.WRITABLE && UserModel.RequiredAction.UPDATE_PASSWORD.toString().equals(str)) {
                UserAccountControl userAccountControl = MSADUserAccountControlStorageMapper.this.getUserAccountControl(this.ldapUser);
                if (userAccountControl.getValue() == 0 || userAccountControl.has(32L)) {
                    MSADUserAccountControlStorageMapper.logger.tracef("It was not required action to remove UPDATE_PASSWORD from MSAD for ldap user '%s' as it was not set on the user. Account control: %s, Keycloak user '%s' in realm '%s'", new Object[]{this.ldapUser.getDn().toString(), Long.valueOf(userAccountControl.getValue()), getUsername(), MSADUserAccountControlStorageMapper.this.getRealmName()});
                    return;
                }
                MSADUserAccountControlStorageMapper.logger.debugf("Going to remove required action UPDATE_PASSWORD from MSAD for ldap user '%s'. Account control: %s, Keycloak user '%s' in realm '%s'", new Object[]{this.ldapUser.getDn().toString(), Long.valueOf(userAccountControl.getValue()), getUsername(), MSADUserAccountControlStorageMapper.this.getRealmName()});
                this.ldapUser.removeReadOnlyAttributeName("pwdLastSet");
                this.ldapUser.setSingleAttribute("pwdLastSet", "-1");
                markUpdatedRequiredActionInTransaction(str);
            }
        }

        public Stream<String> getRequiredActionsStream() {
            if (MSADUserAccountControlStorageMapper.this.ldapProvider.getEditMode() != UserStorageProvider.EditMode.WRITABLE || (getPwdLastSet() != 0 && !MSADUserAccountControlStorageMapper.this.getUserAccountControl(this.ldapUser).has(UserAccountControl.PASSWORD_EXPIRED))) {
                return super.getRequiredActionsStream();
            }
            MSADUserAccountControlStorageMapper.logger.tracef("Required action UPDATE_PASSWORD is set in LDAP for user '%s' in realm '%s'", getUsername(), MSADUserAccountControlStorageMapper.this.getRealmName());
            return Stream.concat(super.getRequiredActionsStream(), Stream.of(UserModel.RequiredAction.UPDATE_PASSWORD.toString())).distinct();
        }

        protected long getPwdLastSet() {
            String attributeAsString = this.ldapUser.getAttributeAsString("pwdLastSet");
            if (attributeAsString == null) {
                return 0L;
            }
            return Long.parseLong(attributeAsString);
        }
    }

    public MSADUserAccountControlStorageMapper(ComponentModel componentModel, LDAPStorageProvider lDAPStorageProvider) {
        super(componentModel, lDAPStorageProvider);
        lDAPStorageProvider.setUpdater(this);
    }

    @Override // org.keycloak.storage.ldap.mappers.LDAPStorageMapper
    public void beforeLDAPQuery(LDAPQuery lDAPQuery) {
        lDAPQuery.addReturningLdapAttribute("pwdLastSet");
        lDAPQuery.addReturningLdapAttribute("userAccountControl");
        lDAPQuery.addReturningReadOnlyLdapAttribute("pwdLastSet");
        if (this.ldapProvider.getEditMode() != UserStorageProvider.EditMode.WRITABLE) {
            lDAPQuery.addReturningReadOnlyLdapAttribute("userAccountControl");
        }
    }

    @Override // org.keycloak.storage.ldap.mappers.PasswordUpdateCallback
    public LDAPOperationDecorator beforePasswordUpdate(UserModel userModel, LDAPObject lDAPObject, UserCredentialModel userCredentialModel) {
        if (!userCredentialModel.isAdminRequest() && this.mapperModel.get(LDAP_PASSWORD_POLICY_HINTS_ENABLED, false)) {
            return new LDAPServerPolicyHintsDecorator();
        }
        return null;
    }

    @Override // org.keycloak.storage.ldap.mappers.PasswordUpdateCallback
    public void passwordUpdated(UserModel userModel, LDAPObject lDAPObject, UserCredentialModel userCredentialModel) {
        logger.debugf("Going to update userAccountControl for ldap user '%s' after successful password update. Keycloak user '%s' in realm '%s'", lDAPObject.getDn().toString(), userModel.getUsername(), getRealmName());
        lDAPObject.removeReadOnlyAttributeName("pwdLastSet");
        lDAPObject.setSingleAttribute("pwdLastSet", "-1");
        UserAccountControl userAccountControl = getUserAccountControl(lDAPObject);
        userAccountControl.remove(32L);
        userAccountControl.remove(UserAccountControl.PASSWORD_EXPIRED);
        if (userModel.isEnabled()) {
            userAccountControl.remove(2L);
        }
        updateUserAccountControl(true, lDAPObject, userAccountControl);
    }

    @Override // org.keycloak.storage.ldap.mappers.PasswordUpdateCallback
    public void passwordUpdateFailed(UserModel userModel, LDAPObject lDAPObject, UserCredentialModel userCredentialModel, ModelException modelException) {
        throw processFailedPasswordUpdateException(modelException);
    }

    @Override // org.keycloak.storage.ldap.mappers.LDAPStorageMapper
    public UserModel proxy(LDAPObject lDAPObject, UserModel userModel, RealmModel realmModel) {
        return new MSADUserModelDelegate(userModel, lDAPObject);
    }

    @Override // org.keycloak.storage.ldap.mappers.LDAPStorageMapper
    public void onRegisterUserToLDAP(LDAPObject lDAPObject, UserModel userModel, RealmModel realmModel) {
    }

    @Override // org.keycloak.storage.ldap.mappers.LDAPStorageMapper
    public void onImportUserFromLDAP(LDAPObject lDAPObject, UserModel userModel, RealmModel realmModel, boolean z) {
    }

    @Override // org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper, org.keycloak.storage.ldap.mappers.LDAPStorageMapper
    public boolean onAuthenticationFailure(LDAPObject lDAPObject, UserModel userModel, AuthenticationException authenticationException, RealmModel realmModel) {
        Matcher matcher = AUTH_EXCEPTION_REGEX.matcher(authenticationException.getMessage());
        if (matcher.matches()) {
            return processAuthErrorCode(matcher.group(1), userModel);
        }
        return false;
    }

    protected boolean processAuthErrorCode(String str, UserModel userModel) {
        logger.debugf("MSAD Error code is '%s' after failed LDAP login of user '%s'. Realm is '%s'", str, userModel.getUsername(), getRealmName());
        if (this.ldapProvider.getEditMode() != UserStorageProvider.EditMode.WRITABLE) {
            return false;
        }
        if (!str.equals("532") && !str.equals("773")) {
            if (str.equals("533")) {
                if (!userModel.isEnabled()) {
                    return true;
                }
                userModel.setEnabled(false);
                return true;
            }
            if (!str.equals("775")) {
                return false;
            }
            logger.warnf("Locked user '%s' attempt to login. Realm is '%s'", userModel.getUsername(), getRealmName());
            return false;
        }
        if (!userModel.getRequiredActionsStream().noneMatch(str2 -> {
            return Objects.equals(str2, UserModel.RequiredAction.UPDATE_PASSWORD.name());
        })) {
            logger.tracef("Skip adding required action UPDATE_PASSWORD. It was already set on user '%s' in realm '%s'", userModel.getUsername(), getRealmName());
            return true;
        }
        AuthenticationSessionModel authenticationSession = this.session.getContext().getAuthenticationSession();
        if (authenticationSession == null) {
            logger.debugf("Adding requiredAction UPDATE_PASSWORD to the user %s", userModel.getUsername());
            userModel.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
            return true;
        }
        if (!authenticationSession.getRequiredActions().stream().noneMatch(str3 -> {
            return Objects.equals(str3, UserModel.RequiredAction.UPDATE_PASSWORD.name());
        })) {
            return true;
        }
        logger.debugf("Adding requiredAction UPDATE_PASSWORD to the authenticationSession of user %s", userModel.getUsername());
        authenticationSession.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
        return true;
    }

    protected ModelException processFailedPasswordUpdateException(ModelException modelException) {
        if (modelException.getCause() == null || modelException.getCause().getMessage() == null) {
            return modelException;
        }
        String replace = modelException.getCause().getMessage().replace('\n', ' ');
        logger.debugf("Failed to update password in Active Directory. Exception message: %s", replace);
        Matcher matcher = AUTH_INVALID_NEW_PASSWORD.matcher(replace.toUpperCase());
        if (matcher.matches()) {
            String group = matcher.group(1);
            String group2 = matcher.group(2);
            if (group.equals("53") && group2.endsWith("52D")) {
                return new ModelException("invalidPasswordGenericMessage", modelException);
            }
        }
        return modelException;
    }

    protected UserAccountControl getUserAccountControl(LDAPObject lDAPObject) {
        String attributeAsString = lDAPObject.getAttributeAsString("userAccountControl");
        return new UserAccountControl(attributeAsString == null ? 0L : Long.parseLong(attributeAsString));
    }

    protected void updateUserAccountControl(boolean z, LDAPObject lDAPObject, UserAccountControl userAccountControl) {
        String valueOf = String.valueOf(userAccountControl.getValue());
        logger.debugf("Updating userAccountControl of user '%s' to value '%s'. Realm is '%s'", lDAPObject.getDn().toString(), valueOf, getRealmName());
        lDAPObject.setSingleAttribute("userAccountControl", valueOf);
        if (z) {
            this.ldapProvider.getLdapIdentityStore().update(lDAPObject);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public String getRealmName() {
        RealmModel realm = this.session.getContext().getRealm();
        return realm != null ? realm.getName() : "null";
    }
}
