package org.keycloak.protocol.saml.mappers;

import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType;
import org.keycloak.dom.saml.v2.assertion.ConditionAbstractType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.provider.ProviderConfigProperty;

/* loaded from: input_file:BOOT-INF/lib/keycloak-services-11.0.2.jar:org/keycloak/protocol/saml/mappers/SAMLAudienceProtocolMapper.class */
public class SAMLAudienceProtocolMapper extends AbstractSAMLProtocolMapper implements SAMLLoginResponseMapper {
    public static final String PROVIDER_ID = "saml-audience-mapper";
    public static final String AUDIENCE_CATEGORY = "Audience mapper";
    public static final String INCLUDED_CLIENT_AUDIENCE = "included.client.audience";
    private static final String INCLUDED_CLIENT_AUDIENCE_LABEL = "included.client.audience.label";
    private static final String INCLUDED_CLIENT_AUDIENCE_HELP_TEXT = "included.client.audience.tooltip";
    public static final String INCLUDED_CUSTOM_AUDIENCE = "included.custom.audience";
    private static final String INCLUDED_CUSTOM_AUDIENCE_LABEL = "included.custom.audience.label";
    private static final String INCLUDED_CUSTOM_AUDIENCE_HELP_TEXT = "included.custom.audience.tooltip";
    protected static final Logger logger = Logger.getLogger((Class<?>) SAMLAudienceProtocolMapper.class);
    private static final List<ProviderConfigProperty> configProperties = new ArrayList();

    @Override // org.keycloak.provider.ConfiguredProvider
    public List<ProviderConfigProperty> getConfigProperties() {
        return configProperties;
    }

    @Override // org.keycloak.provider.ProviderFactory
    public String getId() {
        return PROVIDER_ID;
    }

    @Override // org.keycloak.protocol.ProtocolMapper
    public String getDisplayType() {
        return "Audience";
    }

    @Override // org.keycloak.protocol.ProtocolMapper
    public String getDisplayCategory() {
        return AUDIENCE_CATEGORY;
    }

    @Override // org.keycloak.provider.ConfiguredProvider
    public String getHelpText() {
        return "Add specified audience to the audience conditions in the assertion.";
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static AudienceRestrictionType locateAudienceRestriction(ResponseType responseType) {
        try {
            Stream<ConditionAbstractType> stream = responseType.getAssertions().get(0).getAssertion().getConditions().getConditions().stream();
            Class<AudienceRestrictionType> cls = AudienceRestrictionType.class;
            AudienceRestrictionType.class.getClass();
            Stream<ConditionAbstractType> filter = stream.filter((v1) -> {
                return r1.isInstance(v1);
            });
            Class<AudienceRestrictionType> cls2 = AudienceRestrictionType.class;
            AudienceRestrictionType.class.getClass();
            return (AudienceRestrictionType) filter.map((v1) -> {
                return r1.cast(v1);
            }).findFirst().orElse(null);
        } catch (IndexOutOfBoundsException | NullPointerException e) {
            logger.warn("Invalid SAML ResponseType to add the audience restriction", e);
            return null;
        }
    }

    @Override // org.keycloak.protocol.saml.mappers.SAMLLoginResponseMapper
    public ResponseType transformLoginResponse(ResponseType responseType, ProtocolMapperModel protocolMapperModel, KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        AudienceRestrictionType locateAudienceRestriction;
        String str = protocolMapperModel.getConfig().get("included.client.audience");
        if (str == null || str.isEmpty()) {
            str = protocolMapperModel.getConfig().get(INCLUDED_CUSTOM_AUDIENCE);
        }
        if (str != null && !str.isEmpty() && (locateAudienceRestriction = locateAudienceRestriction(responseType)) != null) {
            logger.debugf("adding audience: %s", str);
            try {
                locateAudienceRestriction.addAudience(URI.create(str));
            } catch (IllegalArgumentException e) {
                logger.warnf(e, "Invalid URI syntax for audience: %s", str);
            }
        }
        return responseType;
    }

    static {
        ProviderConfigProperty providerConfigProperty = new ProviderConfigProperty();
        providerConfigProperty.setName("included.client.audience");
        providerConfigProperty.setLabel(INCLUDED_CLIENT_AUDIENCE_LABEL);
        providerConfigProperty.setHelpText(INCLUDED_CLIENT_AUDIENCE_HELP_TEXT);
        providerConfigProperty.setType(ProviderConfigProperty.CLIENT_LIST_TYPE);
        configProperties.add(providerConfigProperty);
        ProviderConfigProperty providerConfigProperty2 = new ProviderConfigProperty();
        providerConfigProperty2.setName(INCLUDED_CUSTOM_AUDIENCE);
        providerConfigProperty2.setLabel(INCLUDED_CUSTOM_AUDIENCE_LABEL);
        providerConfigProperty2.setHelpText(INCLUDED_CUSTOM_AUDIENCE_HELP_TEXT);
        providerConfigProperty2.setType("String");
        configProperties.add(providerConfigProperty2);
    }
}
