package org.keycloak.federation.kerberos;

import java.util.HashMap;
import java.util.function.Predicate;
import java.util.stream.Stream;
import javax.security.auth.login.LoginException;
import org.jboss.logging.Logger;
import org.keycloak.common.Profile;
import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialAuthentication;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputUpdater;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator;
import org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator;
import org.keycloak.models.CredentialValidationOutput;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserManager;
import org.keycloak.models.UserModel;
import org.keycloak.storage.ReadOnlyException;
import org.keycloak.storage.UserStoragePrivateUtil;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.UserStorageProviderModel;
import org.keycloak.storage.user.ImportedUserValidation;
import org.keycloak.storage.user.UserLookupProvider;
import org.keycloak.userprofile.UserProfileDecorator;
import org.keycloak.userprofile.UserProfileMetadata;
import org.keycloak.userprofile.UserProfileUtil;

/* loaded from: input_file:org/keycloak/federation/kerberos/KerberosFederationProvider.class */
public class KerberosFederationProvider implements UserStorageProvider, UserLookupProvider, CredentialInputValidator, CredentialInputUpdater, CredentialAuthentication, ImportedUserValidation, UserProfileDecorator {
    private static final Logger logger = Logger.getLogger(KerberosFederationProvider.class);
    public static final String KERBEROS_PRINCIPAL = "KERBEROS_PRINCIPAL";
    protected KeycloakSession session;
    protected UserStorageProviderModel model;
    protected KerberosConfig kerberosConfig;
    protected KerberosFederationProviderFactory factory;

    public KerberosFederationProvider(KeycloakSession keycloakSession, UserStorageProviderModel userStorageProviderModel, KerberosFederationProviderFactory kerberosFederationProviderFactory) {
        this.session = keycloakSession;
        this.model = userStorageProviderModel;
        this.kerberosConfig = new KerberosConfig((ComponentModel) userStorageProviderModel);
        this.factory = kerberosFederationProviderFactory;
    }

    public UserModel validate(RealmModel realmModel, UserModel userModel) {
        return this.kerberosConfig.getEditMode() == UserStorageProvider.EditMode.READ_ONLY ? new ReadOnlyKerberosUserModelDelegate(userModel, this) : userModel;
    }

    public UserModel getUserByUsername(RealmModel realmModel, String str) {
        KerberosUsernamePasswordAuthenticator createKerberosUsernamePasswordAuthenticator = this.factory.createKerberosUsernamePasswordAuthenticator(this.kerberosConfig);
        if (!createKerberosUsernamePasswordAuthenticator.isUserAvailable(str)) {
            return null;
        }
        try {
            return findOrCreateAuthenticatedUser(realmModel, new KerberosPrincipal(createKerberosUsernamePasswordAuthenticator.getKerberosPrincipal(str)));
        } catch (LoginException e) {
            throw new IllegalStateException("Should not happen", e);
        }
    }

    public UserModel getUserByEmail(RealmModel realmModel, String str) {
        return null;
    }

    public UserModel getUserById(RealmModel realmModel, String str) {
        return null;
    }

    public void preRemove(RealmModel realmModel) {
    }

    public void preRemove(RealmModel realmModel, RoleModel roleModel) {
    }

    public void preRemove(RealmModel realmModel, GroupModel groupModel) {
    }

    public boolean updateCredential(RealmModel realmModel, UserModel userModel, CredentialInput credentialInput) {
        if ((credentialInput instanceof UserCredentialModel) && "password".equals(credentialInput.getType()) && this.kerberosConfig.getEditMode() == UserStorageProvider.EditMode.READ_ONLY) {
            throw new ReadOnlyException("Can't change password in Keycloak database. Change password with your Kerberos server");
        }
        return false;
    }

    public void disableCredentialType(RealmModel realmModel, UserModel userModel, String str) {
    }

    public Stream<String> getDisableableCredentialTypesStream(RealmModel realmModel, UserModel userModel) {
        return Stream.empty();
    }

    public boolean supportsCredentialType(String str) {
        return str.equals(KerberosFederationProviderFactory.PROVIDER_NAME) || (this.kerberosConfig.isAllowPasswordAuthentication() && str.equals("password"));
    }

    public boolean supportsCredentialAuthenticationFor(String str) {
        return KerberosFederationProviderFactory.PROVIDER_NAME.equals(str);
    }

    public boolean isConfiguredFor(RealmModel realmModel, UserModel userModel, String str) {
        return supportsCredentialType(str);
    }

    public boolean isValid(RealmModel realmModel, UserModel userModel, CredentialInput credentialInput) {
        if ((credentialInput instanceof UserCredentialModel) && credentialInput.getType().equals("password") && !userModel.credentialManager().isConfiguredLocally("password")) {
            return validPassword(userModel.getFirstAttribute(KERBEROS_PRINCIPAL), credentialInput.getChallengeResponse());
        }
        return false;
    }

    protected boolean validPassword(String str, String str2) {
        if (this.kerberosConfig.isAllowPasswordAuthentication()) {
            return this.factory.createKerberosUsernamePasswordAuthenticator(this.kerberosConfig).validUser(str, str2);
        }
        return false;
    }

    public CredentialValidationOutput authenticate(RealmModel realmModel, CredentialInput credentialInput) {
        if (!(credentialInput instanceof UserCredentialModel)) {
            return null;
        }
        UserCredentialModel userCredentialModel = (UserCredentialModel) credentialInput;
        if (!userCredentialModel.getType().equals(KerberosFederationProviderFactory.PROVIDER_NAME)) {
            return null;
        }
        SPNEGOAuthenticator sPNEGOAuthenticator = (SPNEGOAuthenticator) userCredentialModel.getNote("authenticatedSpnegoContext");
        if (sPNEGOAuthenticator != null) {
            logger.debugf("SPNEGO authentication already performed by previous provider. Provider '%s' will try to lookup user with kerberos principal '%s'", this, sPNEGOAuthenticator.getAuthenticatedKerberosPrincipal());
        } else {
            sPNEGOAuthenticator = this.factory.createSPNEGOAuthenticator(userCredentialModel.getChallengeResponse(), this.kerberosConfig);
            sPNEGOAuthenticator.authenticate();
        }
        HashMap hashMap = new HashMap();
        if (!sPNEGOAuthenticator.isAuthenticated()) {
            if (sPNEGOAuthenticator.getResponseToken() == null) {
                logger.tracef("SPNEGO Handshake not successful", new Object[0]);
                return CredentialValidationOutput.fallback();
            }
            logger.tracef("SPNEGO Handshake will continue", new Object[0]);
            hashMap.put("SpnegoResponseToken", sPNEGOAuthenticator.getResponseToken());
            return new CredentialValidationOutput((UserModel) null, CredentialValidationOutput.Status.CONTINUE, hashMap);
        }
        UserModel findOrCreateAuthenticatedUser = findOrCreateAuthenticatedUser(realmModel, sPNEGOAuthenticator.getAuthenticatedKerberosPrincipal());
        if (findOrCreateAuthenticatedUser == null) {
            userCredentialModel.setNote("authenticatedSpnegoContext", sPNEGOAuthenticator);
            return CredentialValidationOutput.fallback();
        }
        String serializedDelegationCredential = sPNEGOAuthenticator.getSerializedDelegationCredential();
        if (serializedDelegationCredential != null) {
            hashMap.put("gss_delegation_credential", serializedDelegationCredential);
        }
        return new CredentialValidationOutput(findOrCreateAuthenticatedUser, CredentialValidationOutput.Status.AUTHENTICATED, hashMap);
    }

    public void close() {
    }

    protected UserModel findOrCreateAuthenticatedUser(RealmModel realmModel, KerberosPrincipal kerberosPrincipal) {
        UserModel userModel = (UserModel) UserStoragePrivateUtil.userLocalStorage(this.session).searchForUserByUserAttributeStream(realmModel, KERBEROS_PRINCIPAL, kerberosPrincipal.toString()).findFirst().orElse(null);
        if (userModel != null) {
            UserModel userById = this.session.users().getUserById(realmModel, userModel.getId());
            logger.debug("Kerberos authenticated user " + kerberosPrincipal + " found in Keycloak storage");
            if (!this.model.getId().equals(userById.getFederationLink())) {
                logger.warn("User with username " + kerberosPrincipal + " already exists, but is not linked to provider [" + this.model.getName() + "]");
                return null;
            }
            UserModel validate = validate(realmModel, userById);
            if (validate != null) {
                return validate;
            }
            logger.warn("User with username " + kerberosPrincipal.getPrefix() + " already exists and is linked to provider [" + this.model.getName() + "] but kerberos principal is not correct. Kerberos principal on user is: " + userById.getFirstAttribute(KERBEROS_PRINCIPAL));
            logger.warn("Will re-create user");
            new UserManager(this.session).removeUser(realmModel, userById, UserStoragePrivateUtil.userLocalStorage(this.session));
        }
        logger.debug("Kerberos authenticated user " + kerberosPrincipal + " not in Keycloak storage. Creating him");
        return importUserToKeycloak(realmModel, kerberosPrincipal);
    }

    protected UserModel importUserToKeycloak(RealmModel realmModel, KerberosPrincipal kerberosPrincipal) {
        String str = kerberosPrincipal.getPrefix() + "@" + kerberosPrincipal.getRealm().toLowerCase();
        String prefix = kerberosPrincipal.getRealm().equalsIgnoreCase(this.kerberosConfig.getKerberosRealm()) ? kerberosPrincipal.getPrefix() : str;
        logger.debugf("Creating kerberos user %s with username: %s, email: %s to local Keycloak storage", kerberosPrincipal, prefix, str);
        UserModel addUser = UserStoragePrivateUtil.userLocalStorage(this.session).addUser(realmModel, prefix);
        addUser.setEnabled(true);
        addUser.setEmail(str);
        addUser.setFederationLink(this.model.getId());
        addUser.setSingleAttribute(KERBEROS_PRINCIPAL, kerberosPrincipal.toString());
        if (this.kerberosConfig.isUpdateProfileFirstLogin()) {
            if (Profile.isFeatureEnabled(Profile.Feature.UPDATE_EMAIL)) {
                addUser.addRequiredAction(UserModel.RequiredAction.UPDATE_EMAIL);
            }
            addUser.addRequiredAction(UserModel.RequiredAction.UPDATE_PROFILE);
        }
        return validate(realmModel, addUser);
    }

    public String toString() {
        return "KerberosFederationProvider - " + this.model.getName();
    }

    public void decorateUserProfile(RealmModel realmModel, UserProfileMetadata userProfileMetadata) {
        Predicate predicate = attributeContext -> {
            UserModel user = attributeContext.getUser();
            if (user == null) {
                return false;
            }
            return this.model.getId().equals(user.getFederationLink());
        };
        int count = (int) userProfileMetadata.getAttributes().stream().map((v0) -> {
            return v0.getName();
        }).distinct().count();
        int i = count + 1;
        UserProfileUtil.addMetadataAttributeToUserProfile(KERBEROS_PRINCIPAL, userProfileMetadata, UserProfileUtil.lookupUserMetadataGroup(this.session), predicate, count, this.model.getName());
    }
}
