package org.keycloak.storage.ldap.mappers;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.ModelException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.UserModelDelegate;
import org.keycloak.models.utils.reflection.Property;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.LDAPUtils;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.query.Condition;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;

/* loaded from: input_file:BOOT-INF/lib/keycloak-ldap-federation-11.0.2.jar:org/keycloak/storage/ldap/mappers/UserAttributeLDAPStorageMapper.class */
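/**
 * LDAP storage mapper that binds one Keycloak user-model attribute to one LDAP attribute.
 *
 * <p>Both names come from the mapper configuration ({@link #USER_MODEL_ATTRIBUTE} and
 * {@link #LDAP_ATTRIBUTE}). The mapper takes part in four places:
 * <ul>
 *   <li>{@link #onImportUserFromLDAP} copies the LDAP value onto the Keycloak user;</li>
 *   <li>{@link #onRegisterUserToLDAP} copies the Keycloak value onto the LDAP object;</li>
 *   <li>{@link #proxy} wraps the user model so that later reads and writes are routed to LDAP;</li>
 *   <li>{@link #beforeLDAPQuery} makes sure the LDAP attribute is returned by, and addressable in, queries.</li>
 * </ul>
 *
 * <p>Security-relevant behaviour visible in this class: e-mail uniqueness is enforced on import and
 * on {@code setEmail} unless the realm allows duplicate e-mails, username changes are refused unless
 * the realm allows them, and the LDAP-writing delegate is installed only when the provider is in
 * {@code WRITABLE} edit mode and this mapper is not read-only.
 */
public class UserAttributeLDAPStorageMapper extends AbstractLDAPStorageMapper {
    private static final Logger logger = Logger.getLogger(UserAttributeLDAPStorageMapper.class);
    // Java-bean properties of UserModel; looked up below with the lower-cased attribute name.
    private static final Map<String, Property<Object>> userModelProperties = LDAPUtils.getUserModelProperties();
    public static final String USER_MODEL_ATTRIBUTE = "user.model.attribute";
    public static final String LDAP_ATTRIBUTE = "ldap.attribute";
    public static final String READ_ONLY = "read.only";
    public static final String ALWAYS_READ_VALUE_FROM_LDAP = "always.read.value.from.ldap";
    public static final String IS_MANDATORY_IN_LDAP = "is.mandatory.in.ldap";
    public static final String IS_BINARY_ATTRIBUTE = "is.binary.attribute";

    /**
     * Creates the mapper for the given configuration and owning LDAP provider.
     *
     * @param componentModel mapper configuration
     * @param lDAPStorageProvider provider this mapper belongs to
     */
    public UserAttributeLDAPStorageMapper(ComponentModel componentModel, LDAPStorageProvider lDAPStorageProvider) {
        super(componentModel, lDAPStorageProvider);
    }

    /**
     * Copies the mapped LDAP attribute onto the Keycloak user during import.
     *
     * <p>Binary attributes are skipped entirely. When the model attribute is a bean property of
     * {@code UserModel}, the single LDAP value is checked for a duplicate e-mail and then set through
     * the property; otherwise all LDAP values are stored as a multi-valued attribute, or the
     * attribute is removed when LDAP has none.
     *
     * @param lDAPObject LDAP entry being imported
     * @param userModel Keycloak user receiving the value
     * @param realmModel realm of the user
     * @param z not read by this implementation
     * @throws ModelDuplicateException if the imported e-mail already belongs to another local user
     */
    @Override
    public void onImportUserFromLDAP(LDAPObject lDAPObject, UserModel userModel, RealmModel realmModel, boolean z) {
        String userModelAttribute = getUserModelAttribute();
        String ldapAttributeName = getLdapAttributeName();
        if (isBinaryAttribute()) {
            return;
        }
        Property<Object> property = userModelProperties.get(userModelAttribute.toLowerCase());
        if (property != null) {
            String ldapValue = lDAPObject.getAttributeAsString(ldapAttributeName);
            // The uniqueness check runs before the value is applied, so a conflicting e-mail never
            // reaches the user model.
            checkDuplicateEmail(userModelAttribute, ldapValue, realmModel, this.ldapProvider.getSession(), userModel);
            setPropertyOnUserModel(property, userModel, ldapValue);
            return;
        }
        Set<String> ldapValues = lDAPObject.getAttributeAsSet(ldapAttributeName);
        if (ldapValues != null) {
            userModel.setAttribute(userModelAttribute, new ArrayList<>(ldapValues));
        } else {
            userModel.removeAttribute(userModelAttribute);
        }
    }

    /**
     * Copies the mapped attribute from the Keycloak user onto the LDAP object at registration.
     *
     * <p>When the user has no value, a single space is written if the attribute is configured as
     * mandatory in LDAP, otherwise an empty value set. A read-only mapper additionally registers the
     * LDAP attribute name as read-only on the LDAP object.
     *
     * @param lDAPObject LDAP entry being created
     * @param userModel Keycloak user supplying the value
     * @param realmModel realm of the user (not read by this implementation)
     */
    @Override
    public void onRegisterUserToLDAP(LDAPObject lDAPObject, UserModel userModel, RealmModel realmModel) {
        String userModelAttribute = getUserModelAttribute();
        String ldapAttributeName = getLdapAttributeName();
        boolean mandatoryInLdap = parseBooleanParameter(this.mapperModel, IS_MANDATORY_IN_LDAP);
        Property<Object> property = userModelProperties.get(userModelAttribute.toLowerCase());
        if (property != null) {
            Object value = property.getValue(userModel);
            if (value != null) {
                lDAPObject.setSingleAttribute(ldapAttributeName, value.toString());
            } else if (mandatoryInLdap) {
                // Placeholder value; presumably keeps a schema-mandatory attribute non-empty.
                lDAPObject.setSingleAttribute(ldapAttributeName, " ");
            } else {
                lDAPObject.setAttribute(ldapAttributeName, new LinkedHashSet<>());
            }
        } else {
            List<String> values = userModel.getAttribute(userModelAttribute);
            if (!values.isEmpty()) {
                lDAPObject.setAttribute(ldapAttributeName, new LinkedHashSet<>(values));
            } else if (mandatoryInLdap) {
                lDAPObject.setSingleAttribute(ldapAttributeName, " ");
            } else {
                lDAPObject.setAttribute(ldapAttributeName, new LinkedHashSet<>());
            }
        }
        if (isReadOnly()) {
            lDAPObject.addReadOnlyAttributeName(ldapAttributeName);
        }
    }

    /**
     * Rejects an e-mail that already belongs to a different user in local storage.
     *
     * <p>The check is a no-op when the value is {@code null}, when the realm allows duplicate
     * e-mails, or when the attribute being mapped is not {@code email}. On a conflict the current
     * transaction is marked rollback-only before the exception is thrown.
     *
     * @param str name of the user-model attribute being written
     * @param str2 e-mail value; compared in lower case
     * @param realmModel realm whose duplicate-e-mail policy applies
     * @param keycloakSession session used for the local-storage lookup and the transaction
     * @param userModel user the value is being set on
     * @throws ModelDuplicateException if another local user already has this e-mail
     */
    protected void checkDuplicateEmail(String str, String str2, RealmModel realmModel, KeycloakSession keycloakSession, UserModel userModel) {
        if (str2 == null || realmModel.isDuplicateEmailsAllowed() || !"email".equalsIgnoreCase(str)) {
            return;
        }
        String lowerCaseEmail = KeycloakModelUtils.toLowerCaseSafe(str2);
        // The lookup is against userLocalStorage() only, i.e. users already stored in Keycloak.
        UserModel existingUser = keycloakSession.userLocalStorage().getUserByEmail(lowerCaseEmail, realmModel);
        if (existingUser == null || existingUser.getId().equals(userModel.getId())) {
            return;
        }
        keycloakSession.getTransactionManager().setRollbackOnly();
        // NOTE(review): the message names the existing account; whether it can reach an end user
        // depends on how callers surface ModelDuplicateException - confirm.
        throw new ModelDuplicateException(String.format("Can't import user '%s' from LDAP because email '%s' already exists in Keycloak. Existing user with this email is '%s'", userModel.getUsername(), lowerCaseEmail, existingUser.getUsername()), "email");
    }

    /**
     * Validates a username change for a mapper that maps the {@code username} attribute.
     *
     * <p>Does nothing when the mapped attribute is not {@code username}. Otherwise an empty value is
     * refused, a change is refused unless the realm allows username edits, and an allowed change is
     * refused when another user already has that username.
     *
     * @param str name of the user-model attribute being written
     * @param str2 new username
     * @param realmModel realm whose edit-username policy applies
     * @param keycloakSession session used for the user lookup
     * @param userModel user the value is being set on
     * @throws ModelException if the username is empty or the realm does not allow changing it
     * @throws ModelDuplicateException if another user already has the new username
     */
    protected void checkDuplicateUsername(String str, String str2, RealmModel realmModel, KeycloakSession keycloakSession, UserModel userModel) {
        if (!"username".equalsIgnoreCase(str)) {
            return;
        }
        if (str2 == null || str2.isEmpty()) {
            throw new ModelException("Cannot set an empty username");
        }
        boolean usernameChanged = !str2.equals(userModel.getUsername());
        if (realmModel.isEditUsernameAllowed() && usernameChanged) {
            UserModel existingUser = keycloakSession.users().getUserByUsername(str2, realmModel);
            if (existingUser != null && !existingUser.getId().equals(userModel.getId())) {
                throw new ModelDuplicateException(String.format("Cannot change the username to '%s' because the username already exists in keycloak", str2), "username");
            }
        } else if (usernameChanged) {
            throw new ModelException("Cannot change username if the realm is not configured to allow edit the usernames");
        }
    }

    /**
     * Wraps the user model so that access to the mapped attribute is routed according to the
     * mapper configuration.
     *
     * <p>Up to two wrappers are stacked, in this order:
     * <ol>
     *   <li>a write wrapper: when the provider is in {@code WRITABLE} edit mode and the mapper is not
     *       read-only, writes to the mapped attribute are pushed to the LDAP object; otherwise, for a
     *       binary attribute, writes to the mapped attribute are dropped instead of reaching the
     *       local model;</li>
     *   <li>a read wrapper: when {@link #ALWAYS_READ_VALUE_FROM_LDAP} is set, reads of the mapped
     *       attribute return the value held by the LDAP object.</li>
     * </ol>
     *
     * @param lDAPObject LDAP entry backing the user
     * @param userModel user model to wrap
     * @param realmModel realm of the user
     * @return the wrapped model, or {@code userModel} itself when no wrapper applies
     */
    @Override
    public UserModel proxy(final LDAPObject lDAPObject, UserModel userModel, final RealmModel realmModel) {
        final String userModelAttribute = getUserModelAttribute();
        final String ldapAttributeName = getLdapAttributeName();
        boolean alwaysReadFromLdap = parseBooleanParameter(this.mapperModel, ALWAYS_READ_VALUE_FROM_LDAP);
        final boolean mandatoryInLdap = parseBooleanParameter(this.mapperModel, IS_MANDATORY_IN_LDAP);
        // NOTE(review): isBinaryAttribute() reads the same key through mapperModel.get(...);
        // presumably equivalent to parseBooleanParameter - confirm.
        final boolean binaryAttribute = parseBooleanParameter(this.mapperModel, IS_BINARY_ATTRIBUTE);
        if (this.ldapProvider.getEditMode() == UserStorageProvider.EditMode.WRITABLE && !isReadOnly()) {
            // This branch is the only place in the class where the LDAP object is modified after
            // registration; it is reached only for a writable provider and a writable mapper.
            userModel = new TxAwareLDAPUserModelDelegate(userModel, this.ldapProvider, lDAPObject) {
                @Override
                public void setSingleAttribute(String str, String str2) {
                    // username/email go through their setters so the uniqueness checks apply.
                    if ("username".equals(str)) {
                        setUsername(str2);
                    } else if ("email".equals(str)) {
                        setEmail(str2);
                    } else if (setLDAPAttribute(str, str2)) {
                        super.setSingleAttribute(str, str2);
                    }
                }

                @Override
                public void setAttribute(String str, List<String> list) {
                    if ("username".equals(str)) {
                        setUsername((list == null || list.isEmpty()) ? null : list.get(0));
                    } else if ("email".equals(str)) {
                        setEmail((list == null || list.isEmpty()) ? null : list.get(0));
                    } else if (setLDAPAttribute(str, list)) {
                        super.setAttribute(str, list);
                    }
                }

                @Override
                public void removeAttribute(String str) {
                    if (setLDAPAttribute(str, null)) {
                        super.removeAttribute(str);
                    }
                }

                @Override
                public void setUsername(String str) {
                    String lowerCaseUsername = KeycloakModelUtils.toLowerCaseSafe(str);
                    // Validate first: a refused change must not reach LDAP or the local model.
                    UserAttributeLDAPStorageMapper.this.checkDuplicateUsername(userModelAttribute, lowerCaseUsername, realmModel, UserAttributeLDAPStorageMapper.this.ldapProvider.getSession(), this);
                    setLDAPAttribute("username", lowerCaseUsername);
                    super.setUsername(lowerCaseUsername);
                }

                @Override
                public void setEmail(String str) {
                    String lowerCaseEmail = KeycloakModelUtils.toLowerCaseSafe(str);
                    // Validate first; checkDuplicateEmail lower-cases the value itself.
                    UserAttributeLDAPStorageMapper.this.checkDuplicateEmail(userModelAttribute, str, realmModel, UserAttributeLDAPStorageMapper.this.ldapProvider.getSession(), this);
                    // LDAP receives the value as given; only the local model gets the lower-cased form.
                    setLDAPAttribute("email", str);
                    super.setEmail(lowerCaseEmail);
                }

                @Override
                public void setLastName(String str) {
                    setLDAPAttribute("lastName", str);
                    super.setLastName(str);
                }

                @Override
                public void setFirstName(String str) {
                    setLDAPAttribute("firstName", str);
                    super.setFirstName(str);
                }

                /**
                 * Pushes a value to the LDAP object when {@code str} is the mapped attribute.
                 *
                 * @param str user-model attribute name being written
                 * @param obj new value: {@code null}, a {@code String}, or a {@code List<String>}
                 * @return {@code true} if the caller should also write the local model;
                 *         {@code false} for a binary attribute, which is kept out of the DB
                 */
                protected boolean setLDAPAttribute(String str, Object obj) {
                    if (!str.equalsIgnoreCase(userModelAttribute)) {
                        // Not this mapper's attribute: nothing goes to LDAP, local write proceeds.
                        return true;
                    }
                    if (UserAttributeLDAPStorageMapper.logger.isTraceEnabled()) {
                        // NOTE(review): the attribute value itself is logged here. With TRACE
                        // enabled for this category, whatever this mapper is bound to ends up in
                        // the log file.
                        UserAttributeLDAPStorageMapper.logger.tracef("Pushing user attribute to LDAP. username: %s, Model attribute name: %s, LDAP attribute name: %s, Attribute value: %s", getUsername(), str, ldapAttributeName, obj);
                    }
                    markUpdatedAttributeInTransaction(str);
                    if (obj == null) {
                        if (mandatoryInLdap) {
                            this.ldapUser.setSingleAttribute(ldapAttributeName, " ");
                        } else {
                            this.ldapUser.setAttribute(ldapAttributeName, new LinkedHashSet<>());
                        }
                    } else if (obj instanceof String) {
                        this.ldapUser.setSingleAttribute(ldapAttributeName, (String) obj);
                    } else {
                        // Every caller in this class passes null, a String or a List<String>.
                        @SuppressWarnings("unchecked")
                        List<String> values = (List<String>) obj;
                        if (values.isEmpty() && mandatoryInLdap) {
                            this.ldapUser.setSingleAttribute(ldapAttributeName, " ");
                        } else {
                            this.ldapUser.setAttribute(ldapAttributeName, new LinkedHashSet<>(values));
                        }
                    }
                    if (!binaryAttribute) {
                        return true;
                    }
                    UserAttributeLDAPStorageMapper.logger.debugf("Skip writing model attribute '%s' to DB for user '%s' as it is mapped to binary LDAP attribute.", userModelAttribute, getUsername());
                    return false;
                }
            };
        } else if (binaryAttribute) {
            // Not writable to LDAP, but still binary: writes to the mapped attribute are dropped
            // (and logged at debug) instead of being stored in the local model.
            userModel = new UserModelDelegate(userModel) {
                @Override
                public void setSingleAttribute(String str, String str2) {
                    if (str.equalsIgnoreCase(userModelAttribute)) {
                        logSkipDBWrite();
                    } else {
                        super.setSingleAttribute(str, str2);
                    }
                }

                @Override
                public void setAttribute(String str, List<String> list) {
                    if (str.equalsIgnoreCase(userModelAttribute)) {
                        logSkipDBWrite();
                    } else {
                        super.setAttribute(str, list);
                    }
                }

                @Override
                public void removeAttribute(String str) {
                    if (str.equalsIgnoreCase(userModelAttribute)) {
                        logSkipDBWrite();
                    } else {
                        super.removeAttribute(str);
                    }
                }

                private void logSkipDBWrite() {
                    UserAttributeLDAPStorageMapper.logger.debugf("Skip writing model attribute '%s' to DB for user '%s' as it is mapped to binary LDAP attribute", userModelAttribute, getUsername());
                }
            };
        }
        if (alwaysReadFromLdap) {
            // Outermost wrapper: reads of the mapped attribute come from the LDAP object.
            userModel = new UserModelDelegate(userModel) {
                @Override
                public String getFirstAttribute(String str) {
                    return str.equalsIgnoreCase(userModelAttribute) ? lDAPObject.getAttributeAsString(ldapAttributeName) : super.getFirstAttribute(str);
                }

                @Override
                public List<String> getAttribute(String str) {
                    if (!str.equalsIgnoreCase(userModelAttribute)) {
                        return super.getAttribute(str);
                    }
                    Set<String> ldapValues = lDAPObject.getAttributeAsSet(ldapAttributeName);
                    if (ldapValues == null) {
                        return Collections.emptyList();
                    }
                    return new ArrayList<>(ldapValues);
                }

                @Override
                public Map<String, List<String>> getAttributes() {
                    // Work on a copy so the delegate's own map is never modified.
                    Map<String, List<String>> attributes = new HashMap<>(super.getAttributes());
                    if (UserAttributeLDAPStorageMapper.userModelProperties.get(userModelAttribute.toLowerCase()) != null) {
                        // Bean properties (email, firstName, ...) are served by their getters below.
                        return attributes;
                    }
                    Set<String> ldapValues = lDAPObject.getAttributeAsSet(ldapAttributeName);
                    if (ldapValues != null) {
                        attributes.put(userModelAttribute, new ArrayList<>(ldapValues));
                    }
                    return attributes;
                }

                @Override
                public String getEmail() {
                    return "email".equalsIgnoreCase(userModelAttribute) ? lDAPObject.getAttributeAsString(ldapAttributeName) : super.getEmail();
                }

                @Override
                public String getLastName() {
                    return "lastName".equalsIgnoreCase(userModelAttribute) ? lDAPObject.getAttributeAsString(ldapAttributeName) : super.getLastName();
                }

                @Override
                public String getFirstName() {
                    return "firstName".equalsIgnoreCase(userModelAttribute) ? lDAPObject.getAttributeAsString(ldapAttributeName) : super.getFirstName();
                }
            };
        }
        return userModel;
    }

    /**
     * Prepares an LDAP query for this mapper's attribute.
     *
     * <p>The LDAP attribute is added to the returned attributes (and to the read-only ones for a
     * read-only mapper). Each condition is asked to rename the model attribute to the LDAP
     * attribute, and conditions that address either name are flagged binary or not according to the
     * mapper configuration.
     *
     * @param lDAPQuery query about to be executed
     */
    @Override
    public void beforeLDAPQuery(LDAPQuery lDAPQuery) {
        String userModelAttribute = getUserModelAttribute();
        String ldapAttributeName = getLdapAttributeName();
        lDAPQuery.addReturningLdapAttribute(ldapAttributeName);
        if (isReadOnly()) {
            lDAPQuery.addReturningReadOnlyLdapAttribute(ldapAttributeName);
        }
        for (Condition condition : lDAPQuery.getConditions()) {
            condition.updateParameterName(userModelAttribute, ldapAttributeName);
            String parameterName = condition.getParameterName();
            if (parameterName != null && (parameterName.equalsIgnoreCase(userModelAttribute) || parameterName.equalsIgnoreCase(ldapAttributeName))) {
                condition.setBinary(isBinaryAttribute());
            }
        }
    }

    /** Returns the configured user-model attribute name ({@link #USER_MODEL_ATTRIBUTE}). */
    private String getUserModelAttribute() {
        return this.mapperModel.getConfig().getFirst(USER_MODEL_ATTRIBUTE);
    }

    /**
     * Returns the configured LDAP attribute name ({@link #LDAP_ATTRIBUTE}).
     *
     * <p>Decompiler note: the access modifier was widened from package-private.
     */
    public String getLdapAttributeName() {
        return this.mapperModel.getConfig().getFirst(LDAP_ATTRIBUTE);
    }

    /** Returns whether the mapper is configured as binary; {@code false} when the key is unset. */
    private boolean isBinaryAttribute() {
        return this.mapperModel.get(IS_BINARY_ATTRIBUTE, false);
    }

    /** Returns whether the mapper is configured as read-only ({@link #READ_ONLY}). */
    private boolean isReadOnly() {
        return parseBooleanParameter(this.mapperModel, READ_ONLY);
    }

    /**
     * Sets a {@code UserModel} bean property from the string value read from LDAP.
     *
     * <p>Only {@code String} and boolean properties are supported; any other property type is left
     * untouched and a warning is logged.
     *
     * @param property bean property to set
     * @param userModel user to set it on
     * @param str LDAP value, or {@code null} to clear the property
     */
    protected void setPropertyOnUserModel(Property<Object> property, UserModel userModel, String str) {
        if (str == null) {
            property.setValue(userModel, null);
            return;
        }
        Class<Object> javaClass = property.getJavaClass();
        if (String.class.equals(javaClass)) {
            property.setValue(userModel, str);
        } else if (Boolean.class.equals(javaClass) || Boolean.TYPE.equals(javaClass)) {
            property.setValue(userModel, Boolean.valueOf(str));
        } else {
            // NOTE(review): the raw LDAP value and the username are written to the log at WARN,
            // a level that is commonly enabled in production.
            logger.warnf("Don't know how to set the property '%s' on user '%s' . Value of LDAP attribute is '%s' ", property.getName(), userModel.getUsername(), str);
        }
    }
}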
