package org.keycloak.federation.kerberos;

import java.util.HashMap;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.common.Profile;
import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialAuthentication;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputUpdater;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator;
import org.keycloak.models.CredentialValidationOutput;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserManager;
import org.keycloak.models.UserModel;
import org.keycloak.storage.ReadOnlyException;
import org.keycloak.storage.UserStoragePrivateUtil;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.UserStorageProviderModel;
import org.keycloak.storage.user.ImportedUserValidation;
import org.keycloak.storage.user.UserLookupProvider;

/* loaded from: input_file:org/keycloak/federation/kerberos/KerberosFederationProvider.class */
public class KerberosFederationProvider implements UserStorageProvider, UserLookupProvider.Streams, CredentialInputValidator, CredentialInputUpdater.Streams, CredentialAuthentication, ImportedUserValidation {
    private static final Logger logger = Logger.getLogger(KerberosFederationProvider.class);
    public static final String KERBEROS_PRINCIPAL = "KERBEROS_PRINCIPAL";
    protected KeycloakSession session;
    protected UserStorageProviderModel model;
    protected KerberosConfig kerberosConfig;
    protected KerberosFederationProviderFactory factory;

    public KerberosFederationProvider(KeycloakSession keycloakSession, UserStorageProviderModel userStorageProviderModel, KerberosFederationProviderFactory kerberosFederationProviderFactory) {
        this.session = keycloakSession;
        this.model = userStorageProviderModel;
        this.kerberosConfig = new KerberosConfig((ComponentModel) userStorageProviderModel);
        this.factory = kerberosFederationProviderFactory;
    }

    public UserModel validate(RealmModel realmModel, UserModel userModel) {
        if (isValid(realmModel, userModel)) {
            return this.kerberosConfig.getEditMode() == UserStorageProvider.EditMode.READ_ONLY ? new ReadOnlyKerberosUserModelDelegate(userModel, this) : userModel;
        }
        return null;
    }

    public UserModel getUserByUsername(RealmModel realmModel, String str) {
        if (!this.factory.createKerberosUsernamePasswordAuthenticator(this.kerberosConfig).isUserAvailable(str)) {
            return null;
        }
        if (str.contains("@")) {
            str = str.split("@")[0];
        }
        return findOrCreateAuthenticatedUser(realmModel, str);
    }

    public UserModel getUserByEmail(RealmModel realmModel, String str) {
        return null;
    }

    public UserModel getUserById(RealmModel realmModel, String str) {
        return null;
    }

    public void preRemove(RealmModel realmModel) {
    }

    public void preRemove(RealmModel realmModel, RoleModel roleModel) {
    }

    public void preRemove(RealmModel realmModel, GroupModel groupModel) {
    }

    public boolean isValid(RealmModel realmModel, UserModel userModel) {
        return (userModel.getUsername() + "@" + this.kerberosConfig.getKerberosRealm()).equalsIgnoreCase(userModel.getFirstAttribute(KERBEROS_PRINCIPAL));
    }

    public boolean updateCredential(RealmModel realmModel, UserModel userModel, CredentialInput credentialInput) {
        if ((credentialInput instanceof UserCredentialModel) && "password".equals(credentialInput.getType()) && this.kerberosConfig.getEditMode() == UserStorageProvider.EditMode.READ_ONLY) {
            throw new ReadOnlyException("Can't change password in Keycloak database. Change password with your Kerberos server");
        }
        return false;
    }

    public void disableCredentialType(RealmModel realmModel, UserModel userModel, String str) {
    }

    public Stream<String> getDisableableCredentialTypesStream(RealmModel realmModel, UserModel userModel) {
        return Stream.empty();
    }

    public boolean supportsCredentialType(String str) {
        return str.equals(KerberosFederationProviderFactory.PROVIDER_NAME) || (this.kerberosConfig.isAllowPasswordAuthentication() && str.equals("password"));
    }

    public boolean supportsCredentialAuthenticationFor(String str) {
        return KerberosFederationProviderFactory.PROVIDER_NAME.equals(str);
    }

    public boolean isConfiguredFor(RealmModel realmModel, UserModel userModel, String str) {
        return supportsCredentialType(str);
    }

    public boolean isValid(RealmModel realmModel, UserModel userModel, CredentialInput credentialInput) {
        if ((credentialInput instanceof UserCredentialModel) && credentialInput.getType().equals("password") && !userModel.credentialManager().isConfiguredLocally("password")) {
            return validPassword(userModel.getUsername(), credentialInput.getChallengeResponse());
        }
        return false;
    }

    protected boolean validPassword(String str, String str2) {
        if (this.kerberosConfig.isAllowPasswordAuthentication()) {
            return this.factory.createKerberosUsernamePasswordAuthenticator(this.kerberosConfig).validUser(str, str2);
        }
        return false;
    }

    public CredentialValidationOutput authenticate(RealmModel realmModel, CredentialInput credentialInput) {
        if (!(credentialInput instanceof UserCredentialModel)) {
            return null;
        }
        UserCredentialModel userCredentialModel = (UserCredentialModel) credentialInput;
        if (!userCredentialModel.getType().equals(KerberosFederationProviderFactory.PROVIDER_NAME)) {
            return null;
        }
        SPNEGOAuthenticator createSPNEGOAuthenticator = this.factory.createSPNEGOAuthenticator(userCredentialModel.getChallengeResponse(), this.kerberosConfig);
        createSPNEGOAuthenticator.authenticate();
        HashMap hashMap = new HashMap();
        if (!createSPNEGOAuthenticator.isAuthenticated()) {
            if (createSPNEGOAuthenticator.getResponseToken() == null) {
                logger.tracef("SPNEGO Handshake not successful", new Object[0]);
                return CredentialValidationOutput.failed();
            }
            logger.tracef("SPNEGO Handshake will continue", new Object[0]);
            hashMap.put("SpnegoResponseToken", createSPNEGOAuthenticator.getResponseToken());
            return new CredentialValidationOutput((UserModel) null, CredentialValidationOutput.Status.CONTINUE, hashMap);
        }
        UserModel findOrCreateAuthenticatedUser = findOrCreateAuthenticatedUser(realmModel, createSPNEGOAuthenticator.getAuthenticatedUsername());
        if (findOrCreateAuthenticatedUser == null) {
            return CredentialValidationOutput.failed();
        }
        String serializedDelegationCredential = createSPNEGOAuthenticator.getSerializedDelegationCredential();
        if (serializedDelegationCredential != null) {
            hashMap.put("gss_delegation_credential", serializedDelegationCredential);
        }
        return new CredentialValidationOutput(findOrCreateAuthenticatedUser, CredentialValidationOutput.Status.AUTHENTICATED, hashMap);
    }

    public void close() {
    }

    protected UserModel findOrCreateAuthenticatedUser(RealmModel realmModel, String str) {
        UserModel userByUsername = UserStoragePrivateUtil.userLocalStorage(this.session).getUserByUsername(realmModel, str);
        if (userByUsername != null) {
            UserModel userById = this.session.users().getUserById(realmModel, userByUsername.getId());
            logger.debug("Kerberos authenticated user " + str + " found in Keycloak storage");
            if (!this.model.getId().equals(userById.getFederationLink())) {
                logger.warn("User with username " + str + " already exists, but is not linked to provider [" + this.model.getName() + "]");
                return null;
            }
            UserModel validate = validate(realmModel, userById);
            if (validate != null) {
                return validate;
            }
            logger.warn("User with username " + str + " already exists and is linked to provider [" + this.model.getName() + "] but kerberos principal is not correct. Kerberos principal on user is: " + userById.getFirstAttribute(KERBEROS_PRINCIPAL));
            logger.warn("Will re-create user");
            new UserManager(this.session).removeUser(realmModel, userById, UserStoragePrivateUtil.userLocalStorage(this.session));
        }
        logger.debug("Kerberos authenticated user " + str + " not in Keycloak storage. Creating him");
        return importUserToKeycloak(realmModel, str);
    }

    protected UserModel importUserToKeycloak(RealmModel realmModel, String str) {
        String str2 = str + "@" + this.kerberosConfig.getKerberosRealm().toLowerCase();
        logger.debugf("Creating kerberos user: %s, email: %s to local Keycloak storage", str, str2);
        UserModel addUser = UserStoragePrivateUtil.userLocalStorage(this.session).addUser(realmModel, str);
        addUser.setEnabled(true);
        addUser.setEmail(str2);
        addUser.setFederationLink(this.model.getId());
        addUser.setSingleAttribute(KERBEROS_PRINCIPAL, str + "@" + this.kerberosConfig.getKerberosRealm());
        if (this.kerberosConfig.isUpdateProfileFirstLogin()) {
            if (Profile.isFeatureEnabled(Profile.Feature.UPDATE_EMAIL)) {
                addUser.addRequiredAction(UserModel.RequiredAction.UPDATE_EMAIL);
            }
            addUser.addRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
        }
        return validate(realmModel, addUser);
    }
}
