package org.keycloak.protocol.oidc.mappers;

import java.util.LinkedList;
import java.util.List;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperContainerModel;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.ProtocolMapperConfigException;
import org.keycloak.protocol.oidc.utils.PairwiseSubMapperUtils;
import org.keycloak.protocol.oidc.utils.PairwiseSubMapperValidator;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.IDToken;

/* loaded from: input_file:BOOT-INF/lib/keycloak-services-8.0.0.jar:org/keycloak/protocol/oidc/mappers/AbstractPairwiseSubMapper.class */
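/**
 * Base class for OIDC protocol mappers that replace the subject of issued tokens with a value
 * derived from a sector identifier and the user's id.
 *
 * <p>The same derivation is applied to the ID token, the access token and the UserInfo response,
 * so all three carry the same subject for a given client/mapper configuration. Subclasses supply
 * the actual derivation through {@link #generateSub}.
 *
 * <p>NOTE(review): the privacy property of a pairwise subject (different clients cannot correlate
 * a user by {@code sub}) depends entirely on {@link #generateSub}; nothing in this class checks
 * that the returned value differs from the local user id or is non-null.
 */
public abstract class AbstractPairwiseSubMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {
    /** Suffix appended to {@code "oidc-" + getIdPrefix()} to build the provider id. */
    public static final String PROVIDER_ID_SUFFIX = "-pairwise-sub-mapper";

    /**
     * Returns the implementation-specific part of the provider id (see {@link #getId()}).
     *
     * @return the id prefix of the concrete mapper
     */
    public abstract String getIdPrefix();

    /**
     * Derives the subject value written into the tokens.
     *
     * @param protocolMapperModel the mapper configuration
     * @param str the sector identifier resolved by this class for the client
     * @param str2 the id of the user the token is issued for
     * @return the subject to place in the token
     */
    public abstract String generateSub(ProtocolMapperModel protocolMapperModel, String str, String str2);

    /**
     * Returns extra configuration properties contributed by the concrete mapper. They are appended
     * after the sector identifier property in {@link #getConfigProperties()}.
     *
     * @return a new, empty, mutable list by default
     */
    public List<ProviderConfigProperty> getAdditionalConfigProperties() {
        // Parameterized instead of a raw LinkedList so the return is type-checked.
        return new LinkedList<>();
    }

    /**
     * Hook for implementation-specific configuration validation, invoked at the end of
     * {@link #validateConfig}. The default implementation accepts every configuration.
     *
     * @throws ProtocolMapperConfigException if the configuration is rejected by an override
     */
    public void validateAdditionalConfig(KeycloakSession keycloakSession, RealmModel realmModel, ProtocolMapperContainerModel protocolMapperContainerModel, ProtocolMapperModel protocolMapperModel) throws ProtocolMapperConfigException {
    }

    @Override // org.keycloak.protocol.ProtocolMapper
    public final String getDisplayCategory() {
        return AbstractOIDCProtocolMapper.TOKEN_MAPPER_CATEGORY;
    }

    /** Replaces the ID token subject with the derived subject and returns the same token instance. */
    @Override // org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper, org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper
    public IDToken transformIDToken(IDToken iDToken, ProtocolMapperModel protocolMapperModel, KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        setIDTokenSubject(iDToken, derivePairwiseSub(protocolMapperModel, userSessionModel, clientSessionContext));
        return iDToken;
    }

    /** Replaces the access token subject with the derived subject and returns the same token instance. */
    @Override // org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper, org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper
    public AccessToken transformAccessToken(AccessToken accessToken, ProtocolMapperModel protocolMapperModel, KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        setAccessTokenSubject(accessToken, derivePairwiseSub(protocolMapperModel, userSessionModel, clientSessionContext));
        return accessToken;
    }

    /** Writes the derived subject into the UserInfo token and returns the same token instance. */
    @Override // org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper, org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper
    public AccessToken transformUserInfoToken(AccessToken accessToken, ProtocolMapperModel protocolMapperModel, KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        setUserInfoTokenSubject(accessToken, derivePairwiseSub(protocolMapperModel, userSessionModel, clientSessionContext));
        return accessToken;
    }

    /** Sets the subject on an ID token. */
    protected void setIDTokenSubject(IDToken iDToken, String str) {
        iDToken.setSubject(str);
    }

    /** Sets the subject on an access token (accepted through its {@link IDToken} base type). */
    protected void setAccessTokenSubject(IDToken iDToken, String str) {
        iDToken.setSubject(str);
    }

    /**
     * Sets the subject for the UserInfo response. Unlike the other two setters this writes the
     * {@code "sub"} entry of the token's other-claims map rather than calling {@code setSubject}.
     */
    protected void setUserInfoTokenSubject(IDToken iDToken, String str) {
        iDToken.getOtherClaims().put("sub", str);
    }

    /**
     * Returns the sector identifier property followed by the properties from
     * {@link #getAdditionalConfigProperties()}.
     *
     * @return a new mutable list of configuration properties
     */
    @Override // org.keycloak.provider.ConfiguredProvider
    public final List<ProviderConfigProperty> getConfigProperties() {
        // Parameterized instead of a raw LinkedList so both additions are type-checked.
        List<ProviderConfigProperty> properties = new LinkedList<>();
        properties.add(PairwiseSubMapperHelper.createSectorIdentifierConfig());
        properties.addAll(getAdditionalConfigProperties());
        return properties;
    }

    /**
     * Computes the subject shared by all three token transformations.
     *
     * <p>The sector identifier is resolved before the user id is read, matching the evaluation
     * order the transformations used when this logic was inlined in each of them.
     */
    private String derivePairwiseSub(ProtocolMapperModel protocolMapperModel, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        String sectorIdentifier = getSectorIdentifier(clientSessionContext.getClientSession().getClient(), protocolMapperModel);
        String localUserId = userSessionModel.getUser().getId();
        return generateSub(protocolMapperModel, sectorIdentifier, localUserId);
    }

    /**
     * Resolves the sector identifier for a client: from the mapper's configured sector identifier
     * URI when one is set, otherwise from the client's root URL and redirect URIs.
     *
     * <p>NOTE(review): what {@code resolveValidSectorIdentifier} returns when nothing can be
     * resolved is not visible here; if it can be {@code null}, that value is passed straight to
     * {@link #generateSub} - confirm implementations handle it.
     */
    private String getSectorIdentifier(ClientModel clientModel, ProtocolMapperModel protocolMapperModel) {
        String sectorIdentifierUri = PairwiseSubMapperHelper.getSectorIdentifierUri(protocolMapperModel);
        if (sectorIdentifierUri == null || sectorIdentifierUri.isEmpty()) {
            // No explicit sector identifier configured: fall back to the client's own URLs.
            return PairwiseSubMapperUtils.resolveValidSectorIdentifier(clientModel.getRootUrl(), clientModel.getRedirectUris());
        }
        return PairwiseSubMapperUtils.resolveValidSectorIdentifier(sectorIdentifierUri);
    }

    /**
     * Validates the mapper configuration, then delegates to {@link #validateAdditionalConfig}.
     *
     * <p>NOTE(review): {@code PairwiseSubMapperValidator} runs only when the container is a
     * {@link ClientModel}. A mapper attached to any other container type reaches token issuance
     * without that validation - confirm this is intended.
     *
     * @throws ProtocolMapperConfigException if either validation step rejects the configuration
     */
    @Override // org.keycloak.protocol.ProtocolMapper
    public final void validateConfig(KeycloakSession keycloakSession, RealmModel realmModel, ProtocolMapperContainerModel protocolMapperContainerModel, ProtocolMapperModel protocolMapperModel) throws ProtocolMapperConfigException {
        if (protocolMapperContainerModel instanceof ClientModel) {
            PairwiseSubMapperValidator.validate(keycloakSession, (ClientModel) protocolMapperContainerModel, protocolMapperModel);
        }
        validateAdditionalConfig(keycloakSession, realmModel, protocolMapperContainerModel, protocolMapperModel);
    }

    /**
     * Builds the provider id as {@code "oidc-" + getIdPrefix() + PROVIDER_ID_SUFFIX}.
     *
     * @return the provider id of the concrete mapper
     */
    @Override // org.keycloak.provider.ProviderFactory
    public final String getId() {
        return "oidc-" + getIdPrefix() + PROVIDER_ID_SUFFIX;
    }
}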
