package org.keycloak.userprofile;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.keycloak.Config;
import org.keycloak.common.Profile;
import org.keycloak.common.util.ObjectUtil;
import org.keycloak.component.AmphibianProviderFactory;
import org.keycloak.component.ComponentModel;
import org.keycloak.component.ComponentValidationException;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.provider.ProviderConfigurationBuilder;
import org.keycloak.representations.userprofile.config.UPAttribute;
import org.keycloak.representations.userprofile.config.UPAttributePermissions;
import org.keycloak.representations.userprofile.config.UPAttributeRequired;
import org.keycloak.representations.userprofile.config.UPAttributeSelector;
import org.keycloak.representations.userprofile.config.UPConfig;
import org.keycloak.representations.userprofile.config.UPGroup;
import org.keycloak.services.messages.Messages;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.userprofile.config.DeclarativeUserProfileModel;
import org.keycloak.userprofile.config.UPConfigUtils;
import org.keycloak.userprofile.validator.AttributeRequiredByMetadataValidator;
import org.keycloak.userprofile.validator.BlankAttributeValidator;
import org.keycloak.userprofile.validator.ImmutableAttributeValidator;
import org.keycloak.validate.ValidatorConfig;

/* loaded from: input_file:org/keycloak/userprofile/DeclarativeUserProfileProvider.class */
public class DeclarativeUserProfileProvider extends AbstractUserProfileProvider<UserProfileProvider> implements AmphibianProviderFactory<UserProfileProvider> {
    public static final String ID = "declarative-user-profile";
    public static final int PROVIDER_PRIORITY = 1;
    public static final String UP_COMPONENT_CONFIG_KEY = "kc.user.profile.config";
    public static final String REALM_USER_PROFILE_ENABLED = "userProfileEnabled";
    private static final String PARSED_CONFIG_COMPONENT_KEY = "kc.user.profile.metadata";
    private static boolean isDeclarativeConfigurationEnabled;
    protected String defaultRawConfig;
    protected UPConfig parsedDefaultRawConfig;

    /* JADX INFO: Access modifiers changed from: private */
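    /**
     * Tells whether the client scopes requested in the current authentication flow include at
     * least one of the given scope names.
     *
     * <p>The requested scopes are read from the {@code scope} client note of the authentication
     * session and resolved against the session's client through
     * {@link TokenManager#getRequestedClientScopes}. Callers in this class use the result to
     * decide whether a scope-conditioned attribute is required or selected, so the answer follows
     * what the client asked for in the authorization request.
     *
     * @param attributeContext context giving access to the Keycloak session
     * @param set scope names configured on the attribute; must not be {@code null}
     * @return {@code false} when no authentication session is attached to the request, otherwise
     *     whether any requested client scope name is contained in {@code set}
     * @throws NullPointerException if {@code set} is {@code null} and an authentication session exists
     */
    public static boolean requestedScopePredicate(AttributeContext attributeContext, Set<String> set) {
        AuthenticationSessionModel authenticationSession = attributeContext.getSession().getContext().getAuthenticationSession();
        if (authenticationSession == null) {
            // Outside an authentication flow there is no requested scope, so scope conditions never match.
            return false;
        }
        Objects.requireNonNull(set, "set");
        // The decompiled body declared the stream with an unbound type variable and tested membership
        // on an undeclared receiver; the membership test belongs to the configured scope set.
        return TokenManager.getRequestedClientScopes(authenticationSession.getClientNote("scope"), authenticationSession.getClient())
                .map(clientScopeModel -> clientScopeModel.getName())
                .anyMatch(set::contains);
    }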

    /**
     * No-argument constructor. It leaves {@code defaultRawConfig} and
     * {@code parsedDefaultRawConfig} unset; {@link #init} assigns both.
     */
    public DeclarativeUserProfileProvider() {
    }

    /**
     * Creates a provider bound to a session, reusing default configuration that was already read
     * and parsed.
     *
     * @param keycloakSession session handed to the superclass
     * @param map per-context metadata handed to the superclass
     * @param str raw default user profile configuration
     * @param uPConfig parsed form of the default configuration
     */
    public DeclarativeUserProfileProvider(KeycloakSession keycloakSession, Map<UserProfileContext, UserProfileMetadata> map, String str, UPConfig uPConfig) {
        super(keycloakSession, map);
        // Raw and parsed defaults are stored side by side; this constructor does not re-parse.
        this.parsedDefaultRawConfig = uPConfig;
        this.defaultRawConfig = str;
    }

    /**
     * Returns the provider id.
     *
     * @return {@link #ID}
     */
    public String getId() {
        return ID;
    }

    /**
     * Builds a session-bound provider that shares this instance's raw and parsed default
     * configuration.
     *
     * @param keycloakSession session the new provider works with
     * @param map per-context metadata passed through to the new provider
     * @return a new {@code DeclarativeUserProfileProvider}
     */
    @Override // org.keycloak.userprofile.AbstractUserProfileProvider
    protected UserProfileProvider create(KeycloakSession keycloakSession, Map<UserProfileContext, UserProfileMetadata> map) {
        final String rawDefaults = this.defaultRawConfig;
        final UPConfig parsedDefaults = this.parsedDefaultRawConfig;
        return new DeclarativeUserProfileProvider(keycloakSession, map, rawDefaults, parsedDefaults);
    }

    /**
     * Chooses the attribute implementation for a profile.
     *
     * <p>{@link DefaultAttributes} is used only when the declarative profile is enabled for the
     * current realm and the user is absent or has no service account client link. Every other
     * case, including service account users, gets {@link LegacyAttributes}.
     *
     * @param userProfileContext context the profile is evaluated in
     * @param map submitted attribute values
     * @param userModel user the profile belongs to, may be {@code null}
     * @param userProfileMetadata metadata describing the attributes
     * @return the attribute container for this profile
     */
    @Override // org.keycloak.userprofile.AbstractUserProfileProvider
    protected Attributes createAttributes(UserProfileContext userProfileContext, Map<String, ?> map, UserModel userModel, UserProfileMetadata userProfileMetadata) {
        if (!isEnabled(this.session.getContext().getRealm())) {
            return new LegacyAttributes(userProfileContext, map, userModel, userProfileMetadata, this.session);
        }
        if (userModel == null || userModel.getServiceAccountClientLink() == null) {
            return new DefaultAttributes(userProfileContext, map, userModel, userProfileMetadata, this.session);
        }
        // Service account users keep the legacy attribute handling even with the feature enabled.
        return new LegacyAttributes(userProfileContext, map, userModel, userProfileMetadata, this.session);
    }

    /**
     * Decorates the given metadata with the parsed default configuration when the declarative
     * user profile feature is enabled; otherwise hands the metadata back unchanged.
     *
     * @param userProfileMetadata metadata to decorate
     * @return the decorated metadata, or the argument itself when the feature is off
     */
    @Override // org.keycloak.userprofile.AbstractUserProfileProvider
    protected UserProfileMetadata configureUserProfile(UserProfileMetadata userProfileMetadata) {
        if (!isDeclarativeConfigurationEnabled) {
            return userProfileMetadata;
        }
        return decorateUserProfileForCache(userProfileMetadata, this.parsedDefaultRawConfig);
    }

    /**
     * Produces the metadata for the current realm from a clone of the given metadata.
     *
     * <p>With the declarative profile enabled, the decorated metadata is built once per
     * {@link UserProfileContext} and kept in a map stored as a note on the realm's user profile
     * component; {@link #validateConfiguration} removes that note. When the realm has no such
     * component the plain clone is returned. With the declarative profile disabled,
     * {@code firstName} and {@code lastName} are added with a blank-value validator, except in
     * the {@code USER_API} and {@code UPDATE_EMAIL} contexts.
     *
     * @param userProfileMetadata metadata to clone and decorate
     * @param keycloakSession session used to look up the realm
     * @return the metadata to use for this realm and context
     */
    @Override // org.keycloak.userprofile.AbstractUserProfileProvider
    protected UserProfileMetadata configureUserProfile(UserProfileMetadata userProfileMetadata, KeycloakSession keycloakSession) {
        UserProfileContext context = userProfileMetadata.getContext();
        UserProfileMetadata copy = userProfileMetadata.clone();

        if (!isEnabled(keycloakSession.getContext().getRealm())) {
            boolean skipNameAttributes = context.equals(UserProfileContext.USER_API) || context.equals(UserProfileContext.UPDATE_EMAIL);
            if (skipNameAttributes) {
                return copy;
            }
            AttributeValidatorMetadata[] firstNameValidators = {
                new AttributeValidatorMetadata(BlankAttributeValidator.ID, BlankAttributeValidator.createConfig(Messages.MISSING_FIRST_NAME, userProfileMetadata.getContext() == UserProfileContext.IDP_REVIEW))
            };
            copy.addAttribute("firstName", 1, firstNameValidators).setAttributeDisplayName("${firstName}");
            AttributeValidatorMetadata[] lastNameValidators = {
                new AttributeValidatorMetadata(BlankAttributeValidator.ID, BlankAttributeValidator.createConfig(Messages.MISSING_LAST_NAME, userProfileMetadata.getContext() == UserProfileContext.IDP_REVIEW))
            };
            copy.addAttribute("lastName", 2, lastNameValidators).setAttributeDisplayName("${lastName}");
            return copy;
        }

        ComponentModel component = getComponentModel().orElse(null);
        if (component == null) {
            return copy;
        }
        // The per-context cache lives on the component as a note, so it is dropped with the note.
        Map perContextCache = (Map) component.getNote(PARSED_CONFIG_COMPONENT_KEY);
        if (perContextCache == null) {
            perContextCache = new ConcurrentHashMap();
            component.setNote(PARSED_CONFIG_COMPONENT_KEY, perContextCache);
        }
        return (UserProfileMetadata) perContextCache.computeIfAbsent(context, createUserDefinedProfileDecorator(keycloakSession, copy, component));
    }

    /**
     * Returns the help text of this provider.
     *
     * @return always {@code null}
     */
    public String getHelpText() {
        return null;
    }

    /**
     * Validates the user profile JSON stored on a component and drops the component's cached
     * metadata.
     *
     * <p>A blank configuration is accepted without parsing. A configuration that parses but fails
     * {@link UPConfigUtils#validate} is rejected with the list of validation errors as the
     * exception message; a parse failure is rejected with the parser's message. When validation
     * passes and the component is not {@code null}, the cached-metadata note is removed from it.
     *
     * @param keycloakSession session passed to the validator
     * @param realmModel realm owning the component (not read here)
     * @param componentModel component holding the configuration, may be {@code null}
     * @throws ComponentValidationException if the configuration cannot be parsed or is invalid
     */
    public void validateConfiguration(KeycloakSession keycloakSession, RealmModel realmModel, ComponentModel componentModel) throws ComponentValidationException {
        String rawConfig = getConfigJsonFromComponentModel(componentModel);
        if (!ObjectUtil.isBlank(rawConfig)) {
            List<String> problems;
            try {
                problems = UPConfigUtils.validate(keycloakSession, parseConfig(rawConfig));
            } catch (IOException e) {
                throw new ComponentValidationException(e.getMessage(), e);
            }
            if (!problems.isEmpty()) {
                throw new ComponentValidationException(problems.toString(), new Object[0]);
            }
        }
        if (componentModel == null) {
            return;
        }
        // Cached metadata was derived from the previous configuration, so it must not outlive it.
        componentModel.removeNote(PARSED_CONFIG_COMPONENT_KEY);
    }

    /**
     * Returns the user profile configuration in effect for the current realm.
     *
     * <p>The realm's own configuration is used only when the declarative profile is enabled, the
     * realm has a user profile component, and that component holds a non-blank configuration.
     * In every other case the default configuration is parsed and returned.
     *
     * @return the parsed configuration, or {@code null} when the chosen raw configuration is blank
     */
    @Override // org.keycloak.userprofile.AbstractUserProfileProvider
    public UPConfig getConfiguration() {
        if (isEnabled(this.session.getContext().getRealm())) {
            Optional<ComponentModel> component = getComponentModel();
            if (component.isPresent()) {
                String realmConfig = getConfigJsonFromComponentModel(component.get());
                if (!ObjectUtil.isBlank(realmConfig)) {
                    return getParsedConfig(realmConfig);
                }
            }
        }
        return getParsedConfig(this.defaultRawConfig);
    }

    /**
     * Stores, replaces or removes the user profile configuration of the current realm.
     *
     * <p>A blank value removes the existing component and does nothing when there is none. A
     * non-blank value is written to the existing component, or to a newly created one, and the
     * component is updated. The value is stored as given; this method does not parse or validate it.
     *
     * @param str raw configuration, or blank to remove the realm's configuration
     */
    @Override // org.keycloak.userprofile.AbstractUserProfileProvider
    public void setConfiguration(String str) {
        RealmModel realm = this.session.getContext().getRealm();
        Optional<ComponentModel> existing = realm.getComponentsStream(realm.getId(), UserProfileProvider.class.getName()).findAny();
        if (!existing.isPresent() && ObjectUtil.isBlank(str)) {
            // Nothing stored and nothing to store.
            return;
        }
        ComponentModel component = existing.isPresent() ? existing.get() : createComponentModel();
        removeConfigJsonFromComponentModel(component);
        if (!ObjectUtil.isBlank(str)) {
            component.getConfig().putSingle(UP_COMPONENT_CONFIG_KEY, str);
            realm.updateComponent(component);
        } else {
            realm.removeComponent(component);
        }
    }

    /**
     * Describes the configuration properties of this provider.
     *
     * @return a list with one property named {@link #UP_COMPONENT_CONFIG_KEY} of type {@code "String"}
     */
    public List<ProviderConfigProperty> getConfigProperties() {
        return ProviderConfigurationBuilder.create()
                .property()
                .name(UP_COMPONENT_CONFIG_KEY)
                .type("String")
                .add()
                .build();
    }

    /**
     * Reads the feature flag and the default user profile configuration, then initialises the
     * superclass.
     *
     * <p>The feature flag is written to a static field, so it is shared by every instance of
     * this class.
     *
     * @param scope provider configuration scope passed on to the superclass
     * @throws RuntimeException if an {@link IOException} is raised while parsing the default
     *     configuration or during superclass initialisation
     */
    @Override // org.keycloak.userprofile.AbstractUserProfileProvider
    public void init(Config.Scope scope) {
        isDeclarativeConfigurationEnabled = Profile.isFeatureEnabled(Profile.Feature.DECLARATIVE_USER_PROFILE);
        String rawDefaults = UPConfigUtils.readDefaultConfig();
        this.defaultRawConfig = rawDefaults;
        try {
            this.parsedDefaultRawConfig = parseConfig(rawDefaults);
            super.init(scope);
        } catch (IOException e) {
            throw new RuntimeException("Failed to parse default user profile configuration", e);
        }
    }

    /**
     * Returns the order of this provider.
     *
     * @return 1, the same value as {@link #PROVIDER_PRIORITY}
     */
    public int order() {
        return 1;
    }

    /**
     * Looks up a user profile component of the current realm.
     *
     * @return any component registered under the {@link UserProfileProvider} type for the realm,
     *     or an empty optional when there is none
     */
    private Optional<ComponentModel> getComponentModel() {
        final RealmModel realm = this.session.getContext().getRealm();
        final String realmId = realm.getId();
        final String providerType = UserProfileProvider.class.getName();
        return realm.getComponentsStream(realmId, providerType).findAny();
    }

    /**
     * Applies the attributes declared in a parsed configuration to the given metadata and returns
     * that same metadata instance.
     *
     * <p>For each configured attribute this builds the validator list, the "required" predicate,
     * the write and read predicates and the selector predicate. {@code username} and
     * {@code email} update the metadata entries that already exist for them; any other attribute
     * is added as a new entry.
     *
     * <p>Access is closed by default: the read and write predicates start as
     * {@code ALWAYS_FALSE}, so an attribute without a permissions block is neither readable nor
     * writable. The exception is {@code username} and {@code email}, which become always
     * readable and writable when their permissions are missing or empty.
     *
     * @param userProfileMetadata metadata to decorate in place
     * @param uPConfig parsed configuration, may be {@code null}
     * @return {@code userProfileMetadata}; returned untouched when {@code uPConfig} is
     *     {@code null} or the context is {@code UPDATE_EMAIL}
     * @throws IllegalStateException if {@code username} or {@code email} is configured but the
     *     metadata holds no entry for it
     */
    protected UserProfileMetadata decorateUserProfileForCache(UserProfileMetadata userProfileMetadata, UPConfig uPConfig) {
        UserProfileContext context = userProfileMetadata.getContext();
        if (uPConfig == null || context == UserProfileContext.UPDATE_EMAIL) {
            return userProfileMetadata;
        }
        // Groups indexed by name so each attribute can resolve the group it refers to.
        Map<String, UPGroup> asHashMap = asHashMap(uPConfig.getGroups());
        // Running GUI order; incremented once per configured attribute, in configuration order.
        int i = 0;
        for (UPAttribute uPAttribute : uPConfig.getAttributes()) {
            String name = uPAttribute.getName();
            // Validators collected for this attribute.
            ArrayList arrayList = new ArrayList();
            Map validations = uPAttribute.getValidations();
            if (validations != null) {
                for (Map.Entry entry : validations.entrySet()) {
                    arrayList.add(createConfiguredValidator((String) entry.getKey(), (Map) entry.getValue()));
                }
            }
            UPAttributeRequired required = uPAttribute.getRequired();
            if (required != null) {
                arrayList.add(new AttributeValidatorMetadata(AttributeRequiredByMetadataValidator.ID));
            }
            // "Required" predicate: never required unless the configuration says otherwise.
            Predicate<AttributeContext> predicate = AttributeMetadata.ALWAYS_FALSE;
            if (required != null) {
                if (required.isAlways() || UPConfigUtils.isRoleForContext(context, required.getRoles())) {
                    predicate = AttributeMetadata.ALWAYS_TRUE;
                } else if (UPConfigUtils.canBeAuthFlowContext(context) && required.getScopes() != null && !required.getScopes().isEmpty()) {
                    // Scope-conditioned requirement, evaluated per request against the requested client scopes.
                    predicate = attributeContext -> {
                        return requestedScopePredicate(attributeContext, required.getScopes());
                    };
                }
            }
            // predicate2 = write condition, predicate3 = read condition; both deny until permissions grant access.
            Predicate<AttributeContext> predicate2 = AttributeMetadata.ALWAYS_FALSE;
            Predicate<AttributeContext> predicate3 = AttributeMetadata.ALWAYS_FALSE;
            UPAttributePermissions permissions = uPAttribute.getPermissions();
            if (permissions != null) {
                // NOTE(review): getEdit() and getView() are dereferenced without a null check — confirm they never return null.
                Set edit = permissions.getEdit();
                if (!edit.isEmpty()) {
                    predicate2 = attributeContext2 -> {
                        return UPConfigUtils.isRoleForContext(attributeContext2.getContext(), edit);
                    };
                }
                Set<String> view = permissions.getView();
                // With no view roles, read access equals write access; otherwise view roles or write access grant it.
                predicate3 = view.isEmpty() ? predicate2 : createViewAllowedPredicate(predicate2, view);
            }
            // Selector predicate: the attribute is selected unless a scope selector narrows it.
            Predicate predicate4 = AttributeMetadata.ALWAYS_TRUE;
            UPAttributeSelector selector = uPAttribute.getSelector();
            if (selector != null && !isBuiltInAttribute(name) && UPConfigUtils.canBeAuthFlowContext(context) && selector.getScopes() != null && !selector.getScopes().isEmpty()) {
                predicate4 = attributeContext3 -> {
                    return requestedScopePredicate(attributeContext3, selector.getScopes());
                };
            }
            Map annotations = uPAttribute.getAnnotations();
            AttributeGroupMetadata attributeGroupMeta = toAttributeGroupMeta(asHashMap.get(uPAttribute.getGroup()));
            i++;
            // Every attribute, built-in or not, also gets the immutable-attribute validator.
            arrayList.add(new AttributeValidatorMetadata(ImmutableAttributeValidator.ID));
            if (isBuiltInAttribute(name)) {
                if (permissions == null || permissions.isEmpty()) {
                    // username and email stay readable and writable when no permissions are configured.
                    predicate2 = AttributeMetadata.ALWAYS_TRUE;
                    predicate3 = AttributeMetadata.ALWAYS_TRUE;
                }
                if ("username".equals(name)) {
                    // Overrides the configured "required" setting: username is required unless the realm uses the e-mail as username.
                    predicate = new Predicate<AttributeContext>() { // from class: org.keycloak.userprofile.DeclarativeUserProfileProvider.1
                        @Override // java.util.function.Predicate
                        public boolean test(AttributeContext attributeContext4) {
                            return !attributeContext4.getSession().getContext().getRealm().isRegistrationEmailAsUsername();
                        }
                    };
                }
                if ("email".equals(name) && UserProfileContext.USER_API.equals(context)) {
                    // In the USER_API context, email is required only when the realm uses the e-mail as username
                    // and the user is not linked to a service account client.
                    predicate = new Predicate<AttributeContext>() { // from class: org.keycloak.userprofile.DeclarativeUserProfileProvider.2
                        @Override // java.util.function.Predicate
                        public boolean test(AttributeContext attributeContext4) {
                            UserModel user = attributeContext4.getUser();
                            if (user == null || user.getServiceAccountClientLink() == null) {
                                return attributeContext4.getSession().getContext().getRealm().isRegistrationEmailAsUsername();
                            }
                            return false;
                        }
                    };
                }
                List attribute = userProfileMetadata.getAttribute(name);
                if (attribute.isEmpty()) {
                    throw new IllegalStateException("Attribute " + name + " not defined in the context.");
                }
                // Conditions and validators are added to each existing entry of the built-in attribute.
                Iterator it = attribute.iterator();
                while (it.hasNext()) {
                    ((AttributeMetadata) it.next()).addAnnotations(annotations).setAttributeDisplayName(uPAttribute.getDisplayName()).setGuiOrder(i).setAttributeGroupMetadata(attributeGroupMeta).addReadCondition(predicate3).addWriteCondition(predicate2).addValidators(arrayList).setRequired(predicate);
                }
            } else {
                userProfileMetadata.addAttribute(name, i, arrayList, predicate4, predicate2, predicate, predicate3).addAnnotations(annotations).setAttributeDisplayName(uPAttribute.getDisplayName()).setAttributeGroupMetadata(attributeGroupMeta);
            }
        }
        return userProfileMetadata;
    }

    /**
     * Indexes the given groups by name.
     *
     * <p>{@link Collectors#toMap} rejects duplicate keys, so two groups with the same name raise
     * an {@link IllegalStateException}.
     *
     * @param list groups to index; must not be {@code null}
     * @return a map from group name to group
     */
    private Map<String, UPGroup> asHashMap(List<UPGroup> list) {
        return list.stream().collect(Collectors.toMap(UPGroup::getName, Function.identity()));
    }

    /**
     * Converts a configured group into attribute group metadata.
     *
     * @param uPGroup configured group, may be {@code null}
     * @return metadata carrying the group's name, display header, display description and
     *     annotations, or {@code null} when no group is given
     */
    private AttributeGroupMetadata toAttributeGroupMeta(UPGroup uPGroup) {
        return uPGroup == null
                ? null
                : new AttributeGroupMetadata(uPGroup.getName(), uPGroup.getDisplayHeader(), uPGroup.getDisplayDescription(), uPGroup.getAnnotations());
    }

    /**
     * Tells whether the attribute name is {@code username} or {@code email}.
     *
     * @param str attribute name, may be {@code null}
     * @return {@code true} for {@code "username"} and {@code "email"}, {@code false} otherwise
     */
    private boolean isBuiltInAttribute(String str) {
        if ("username".equals(str)) {
            return true;
        }
        return "email".equals(str);
    }

    /**
     * Tells whether the attribute name is {@code firstName} or {@code lastName}.
     *
     * @param str attribute name, may be {@code null}
     * @return {@code true} for {@code "firstName"} and {@code "lastName"}, {@code false} otherwise
     */
    private boolean isOptionalBuiltInAttribute(String str) {
        if ("firstName".equals(str)) {
            return true;
        }
        return "lastName".equals(str);
    }

    /**
     * Builds the read condition for an attribute that has explicit view roles.
     *
     * <p>Reading is allowed when the context matches one of the view roles, or when the given
     * predicate (the attribute's write condition at the call site) allows it.
     *
     * @param predicate fallback condition checked when no view role matches
     * @param set role names allowed to view the attribute
     * @return the combined read condition
     */
    private Predicate<AttributeContext> createViewAllowedPredicate(Predicate<AttributeContext> predicate, Set<String> set) {
        return attributeContext -> {
            if (UPConfigUtils.isRoleForContext(attributeContext.getContext(), set)) {
                return true;
            }
            return predicate.test(attributeContext);
        };
    }

    /**
     * Parses a raw user profile configuration.
     *
     * @param str raw configuration, may be blank
     * @return the parsed configuration, or {@code null} when {@code str} is blank
     * @throws RuntimeException if parsing fails; the message names the current realm and carries
     *     the parser's message
     */
    protected UPConfig getParsedConfig(String str) {
        if (!ObjectUtil.isBlank(str)) {
            try {
                return parseConfig(str);
            } catch (IOException e) {
                String realmName = this.session.getContext().getRealm().getName();
                throw new RuntimeException("UserProfile configuration for realm '" + realmName + "' is invalid:" + e.getMessage(), e);
            }
        }
        return null;
    }

    /**
     * Reads a configuration from its raw text through {@link UPConfigUtils#readConfig}.
     *
     * @param str raw configuration; must not be {@code null}
     * @return the parsed configuration
     * @throws IOException if the text cannot be read as a configuration
     */
    private UPConfig parseConfig(String str) throws IOException {
        byte[] utf8Bytes = str.getBytes("UTF-8");
        ByteArrayInputStream input = new ByteArrayInputStream(utf8Bytes);
        return UPConfigUtils.readConfig(input);
    }

    /**
     * Adds a new user profile component, identified by this provider's id, to the current realm.
     *
     * @return the component returned by the realm
     */
    protected ComponentModel createComponentModel() {
        RealmModel realm = this.session.getContext().getRealm();
        DeclarativeUserProfileModel model = new DeclarativeUserProfileModel(getId());
        return realm.addComponentModel(model);
    }

    /**
     * Builds validator metadata from a validator id and its configured options.
     *
     * <p>The {@code ignore.empty.value} option is set to {@code true} after the configured
     * options are applied.
     *
     * @param str validator id
     * @param map options configured for the validator
     * @return metadata for the configured validator
     */
    protected AttributeValidatorMetadata createConfiguredValidator(String str, Map<String, Object> map) {
        return new AttributeValidatorMetadata(
                str,
                ValidatorConfig.builder()
                        .config(map)
                        .config("ignore.empty.value", true)
                        .build());
    }

    /**
     * Reads the raw user profile configuration stored on a component.
     *
     * @param componentModel component to read from, may be {@code null}
     * @return the value stored under {@link #UP_COMPONENT_CONFIG_KEY}, or {@code null} when no
     *     component is given
     */
    private String getConfigJsonFromComponentModel(ComponentModel componentModel) {
        return componentModel == null ? null : componentModel.get(UP_COMPONENT_CONFIG_KEY);
    }

    /**
     * Removes the raw user profile configuration from a component's config map.
     *
     * @param componentModel component to modify; nothing happens when it is {@code null}
     */
    private void removeConfigJsonFromComponentModel(ComponentModel componentModel) {
        if (componentModel != null) {
            componentModel.getConfig().remove(UP_COMPONENT_CONFIG_KEY);
        }
    }

    /**
     * Tells whether the declarative user profile applies to the given realm.
     *
     * <p>Both switches must be on: the feature flag read in {@link #init} and the realm attribute
     * {@link #REALM_USER_PROFILE_ENABLED}, which defaults to {@code false}. The realm is not
     * consulted when the feature flag is off.
     *
     * @param realmModel realm to check
     * @return {@code true} only when the feature and the realm attribute are both enabled
     */
    public boolean isEnabled(RealmModel realmModel) {
        if (!isDeclarativeConfigurationEnabled) {
            return false;
        }
        Boolean enabledForRealm = realmModel.getAttribute(REALM_USER_PROFILE_ENABLED, false);
        return enabledForRealm.booleanValue();
    }

    /**
     * Returns the function that builds the realm-specific metadata for the per-context cache.
     *
     * <p>When invoked, the function parses and validates the configuration stored on the
     * component, prepares the given metadata and then decorates it with the parsed
     * configuration. Preparation means: for {@code username} and {@code email}, every validator
     * whose id appears in the default configuration's validations for that attribute is removed;
     * {@code firstName} and {@code lastName} entries are removed altogether. After that, only
     * what the realm configuration declares for these attributes is applied, so a realm
     * configuration that leaves out a default validation does not keep that default validator.
     *
     * <p>The function ignores its {@link UserProfileContext} argument and works on the captured
     * {@code userProfileMetadata}.
     *
     * @param keycloakSession session used for validation and for the realm name in error messages
     * @param userProfileMetadata metadata to prepare and decorate in place
     * @param componentModel component holding the realm's raw configuration
     * @return the decorator function; it throws {@link RuntimeException} when the stored
     *     configuration fails validation
     */
    private Function<UserProfileContext, UserProfileMetadata> createUserDefinedProfileDecorator(KeycloakSession keycloakSession, UserProfileMetadata userProfileMetadata, ComponentModel componentModel) {
        return userProfileContext -> {
            UPConfig parsedConfig = getParsedConfig(getConfigJsonFromComponentModel(componentModel));
            // Stored configuration is validated again before use; it is not trusted because it was saved.
            List<String> validate = UPConfigUtils.validate(keycloakSession, parsedConfig);
            if (!validate.isEmpty()) {
                throw new RuntimeException("UserProfile configuration for realm '" + keycloakSession.getContext().getRealm().getName() + "' is invalid: " + validate.toString());
            }
            Iterator it = userProfileMetadata.getAttributes().iterator();
            while (it.hasNext()) {
                AttributeMetadata attributeMetadata = (AttributeMetadata) it.next();
                String name = attributeMetadata.getName();
                if (isBuiltInAttribute(name)) {
                    // Drop the validators that came from the default configuration for this attribute.
                    // NOTE(review): getAttribute(name) is dereferenced without a null check — confirm the
                    // default configuration always declares username and email.
                    for (String str : ((Map) Optional.ofNullable(this.parsedDefaultRawConfig.getAttribute(name).getValidations()).orElse(Collections.emptyMap())).keySet()) {
                        attributeMetadata.getValidators().removeIf(attributeValidatorMetadata -> {
                            return attributeValidatorMetadata.getValidatorId().equals(str);
                        });
                    }
                } else if (isOptionalBuiltInAttribute(name)) {
                    // firstName and lastName exist only if the realm configuration declares them.
                    it.remove();
                }
            }
            return decorateUserProfileForCache(userProfileMetadata, parsedConfig);
        };
    }
}
