package org.keycloak.organization.validator;

import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.keycloak.Config;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.common.Profile;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.OrganizationModel;
import org.keycloak.models.UserModel;
import org.keycloak.organization.utils.Organizations;
import org.keycloak.provider.EnvironmentDependentProviderFactory;
import org.keycloak.userprofile.AttributeContext;
import org.keycloak.userprofile.UserProfileAttributeValidationContext;
import org.keycloak.userprofile.UserProfileContext;
import org.keycloak.utils.StringUtil;
import org.keycloak.validate.AbstractSimpleValidator;
import org.keycloak.validate.BuiltinValidators;
import org.keycloak.validate.ValidationContext;
import org.keycloak.validate.ValidationError;
import org.keycloak.validate.ValidatorConfig;

/* loaded from: input_file:org/keycloak/organization/validator/OrganizationMemberValidator.class */
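/**
 * User-profile validator that enforces the organization domain constraint on the {@code email}
 * attribute of an organization member.
 *
 * <p>The check only fires when an organization can be resolved for the current user, the
 * attribute being validated is {@code email}, the organization declares at least one domain and the
 * user is either managed by one of its identity providers (whose {@code kc.org.domain} config entry
 * names the permitted domain, or {@code ANY}) or is being reviewed after brokered login. Any other
 * combination leaves the attribute untouched.
 *
 * <p>This decompiled listing has been restored to compilable Java: the broken {@code r1.add(v1)}
 * lambda is replaced by {@code expected::add}, raw types are removed and the repeated literals are
 * named constants. The observable behaviour of the original is kept.
 */
public class OrganizationMemberValidator extends AbstractSimpleValidator implements EnvironmentDependentProviderFactory {

    public static final String ID = "organization-member-validator";

    /** The only attribute this validator inspects; all others pass through unchanged. */
    private static final String EMAIL_ATTRIBUTE = "email";

    /** Identity-provider config key carrying the organization domain bound to that broker. */
    private static final String ORG_DOMAIN_CONFIG_KEY = "kc.org.domain";

    /** Config value meaning "every domain of the organization is acceptable". */
    private static final String ANY_DOMAIN = "ANY";

    @Override
    public String getId() {
        return ID;
    }

    /**
     * Validates a single attribute value in the context of the organization resolved for the user.
     *
     * @param value the attribute value; cast to {@link String} when it reaches the email check
     * @param inputHint the attribute name being validated
     * @param context the validation context, expected to be a {@link UserProfileAttributeValidationContext}
     * @param config validator configuration (unused)
     */
    @Override
    protected void doValidate(Object value, String inputHint, ValidationContext context, ValidatorConfig config) {
        KeycloakSession session = context.getSession();
        AttributeContext attributeContext = ((UserProfileAttributeValidationContext) context).getAttributeContext();
        UserModel user = attributeContext.getUser();
        OrganizationModel organization = Organizations.resolveOrganization(session, user);
        if (organization == null) {
            // No organization in scope: nothing to enforce.
            return;
        }
        boolean reviewingFederatedProfile = UserProfileContext.IDP_REVIEW.equals(attributeContext.getContext());
        // Without a persisted user there is no membership to look up; a user under IdP review is
        // checked regardless; an existing user is only constrained once it is a member.
        if (user == null || reviewingFederatedProfile || organization.isMember(user)) {
            validateEmailDomain((String) value, inputHint, context, organization);
        }
    }

    /** Never skips: the attribute-name filter lives in {@link #validateEmailDomain}. */
    @Override
    protected boolean skipValidation(Object value, ValidatorConfig config) {
        return false;
    }

    /** Only registered when the {@code ORGANIZATION} feature is enabled. */
    @Override
    public boolean isSupported(Config.Scope scope) {
        return Profile.isFeatureEnabled(Profile.Feature.ORGANIZATION);
    }

    /**
     * Adds a validation error when the email's domain is not one of the domains expected for the
     * user within the organization.
     *
     * @param email the candidate email value (may be blank)
     * @param inputHint the attribute name; anything other than {@code email} is ignored
     * @param context the validation context errors are reported to
     * @param organization the organization the user belongs to (non-null)
     */
    private void validateEmailDomain(String email, String inputHint, ValidationContext context, OrganizationModel organization) {
        if (!EMAIL_ATTRIBUTE.equals(inputHint)) {
            return;
        }
        if (StringUtil.isBlank(email)) {
            context.addError(new ValidationError(ID, inputHint, "Email not set"));
            return;
        }
        // Syntax is delegated to the builtin email validator, which is handed the same context and
        // presumably records its own error; a malformed address is not domain-checked here.
        if (!BuiltinValidators.emailValidator().validate(email, inputHint, context).isValid()) {
            return;
        }
        // An organization that declares no domains places no restriction on member emails.
        if (!organization.getDomains().findAny().isPresent()) {
            return;
        }
        AttributeContext attributeContext = ((UserProfileAttributeValidationContext) context).getAttributeContext();
        UserModel user = attributeContext.getUser();
        Set<String> expectedDomains;
        if (UserProfileContext.IDP_REVIEW.equals(attributeContext.getContext())) {
            expectedDomains = resolveExpectedDomainsWhenReviewingFederatedUserProfile(organization, attributeContext);
        } else if (organization.isManaged(user)) {
            // NOTE(review): user can be null here (doValidate admits a null user outside IDP_REVIEW);
            // confirm isManaged(null) is tolerated by the model before relying on this path.
            expectedDomains = resolveExpectedDomainsForManagedUser(organization, context, user);
        } else {
            // Members not managed by an organization broker may use any email domain.
            return;
        }
        if (expectedDomains.isEmpty()) {
            return;
        }
        // Everything after the '@' of an address the email validator accepted.
        String emailDomain = email.substring(email.indexOf('@') + 1);
        // NOTE(review): the comparison is case-sensitive; confirm organization domains are stored
        // in the same normalized form the email is submitted in, otherwise valid members are rejected.
        if (!expectedDomains.contains(emailDomain)) {
            context.addError(new ValidationError(ID, inputHint, "Email domain does not match any domain from the organization"));
        }
    }

    /**
     * Collects the domains permitted for a user managed by the organization's home broker(s).
     *
     * <p>A broker whose {@code kc.org.domain} is {@code ANY} contributes every organization domain;
     * one with a concrete value contributes that value; one without the entry contributes nothing.
     *
     * @return an unmodifiable set, empty when the user has no home broker or none of them carries a domain
     */
    private static Set<String> resolveExpectedDomainsForManagedUser(OrganizationModel organization, ValidationContext context, UserModel user) {
        List<IdentityProviderModel> homeBrokers = Organizations.resolveHomeBroker(context.getSession(), user);
        if (homeBrokers.isEmpty()) {
            return Set.of();
        }
        Set<String> expected = new HashSet<>();
        for (IdentityProviderModel broker : homeBrokers) {
            String domain = (String) broker.getConfig().get(ORG_DOMAIN_CONFIG_KEY);
            if (ANY_DOMAIN.equals(domain)) {
                organization.getDomains().map(orgDomain -> orgDomain.getName()).forEach(expected::add);
            } else if (domain != null) {
                expected.add(domain);
            }
        }
        return Collections.unmodifiableSet(expected);
    }

    /**
     * Collects the domains permitted while reviewing a federated user profile: the domain configured
     * on the organization's identity provider whose alias matches the broker the user just
     * authenticated with.
     *
     * @return an empty set when no brokered context is present in the session, the broker is not one
     *     of the organization's identity providers, or it has no domain configured
     */
    private static Set<String> resolveExpectedDomainsWhenReviewingFederatedUserProfile(OrganizationModel organization, AttributeContext attributeContext) {
        BrokeredIdentityContext brokerContext =
                (BrokeredIdentityContext) attributeContext.getSession().getAttribute(BrokeredIdentityContext.class.getName());
        if (brokerContext == null) {
            return Set.of();
        }
        String alias = brokerContext.getIdpConfig().getAlias();
        Optional<IdentityProviderModel> orgBroker = organization.getIdentityProviders()
                .filter(idp -> idp.getAlias().equals(alias))
                .findAny();
        if (!orgBroker.isPresent()) {
            return Set.of();
        }
        String domain = (String) orgBroker.get().getConfig().get(ORG_DOMAIN_CONFIG_KEY);
        if (ANY_DOMAIN.equals(domain)) {
            return organization.getDomains().map(orgDomain -> orgDomain.getName()).collect(Collectors.toSet());
        }
        return domain == null ? Set.of() : Set.of(domain);
    }
}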
