package org.keycloak.userprofile;

import java.io.IOException;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.keycloak.Config;
import org.keycloak.authentication.requiredactions.TermsAndConditions;
import org.keycloak.common.Profile;
import org.keycloak.common.util.ObjectUtil;
import org.keycloak.component.AmphibianProviderFactory;
import org.keycloak.component.ComponentModel;
import org.keycloak.component.ComponentValidationException;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredActionProviderModel;
import org.keycloak.models.UserModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocolFactory;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.provider.ProviderConfigurationBuilder;
import org.keycloak.representations.userprofile.config.UPConfig;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.userprofile.config.UPConfigUtils;
import org.keycloak.userprofile.validator.BlankAttributeValidator;
import org.keycloak.userprofile.validator.BrokeringFederatedUsernameHasValueValidator;
import org.keycloak.userprofile.validator.DuplicateEmailValidator;
import org.keycloak.userprofile.validator.DuplicateUsernameValidator;
import org.keycloak.userprofile.validator.EmailExistsAsUsernameValidator;
import org.keycloak.userprofile.validator.ReadOnlyAttributeUnchangedValidator;
import org.keycloak.userprofile.validator.RegistrationEmailAsUsernameEmailValueValidator;
import org.keycloak.userprofile.validator.RegistrationEmailAsUsernameUsernameValueValidator;
import org.keycloak.userprofile.validator.RegistrationUsernameExistsValidator;
import org.keycloak.userprofile.validator.UsernameHasValueValidator;
import org.keycloak.userprofile.validator.UsernameMutationValidator;
import org.keycloak.validate.ValidatorConfig;

/* loaded from: input_file:org/keycloak/userprofile/DeclarativeUserProfileProviderFactory.class */
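/**
 * Factory for {@link DeclarativeUserProfileProvider}.
 *
 * <p>At {@link #init(Config.Scope)} time the factory builds one {@link UserProfileMetadata} per
 * {@link UserProfileContext} and stores them in a registry. Each profile carries the username and
 * email rules for its context plus a {@code kc.read.only} entry whose validators reject changes to
 * attributes matched by the read-only patterns defined here.
 *
 * <p>Security-relevant points for reviewers:
 * <ul>
 *   <li>Read-only entries are matched as quoted literals (optionally with one trailing {@code *}
 *       prefix wildcard), case-insensitively. They are not interpreted as regular expressions,
 *       although the help text in {@link #getConfigMetadata()} says so.</li>
 *   <li>The list enforced for {@link UserProfileContext#USER_API} is shorter than the list enforced
 *       for the other contexts built here.</li>
 *   <li>The parsed default configuration is a JVM-wide static, shared by every instance.</li>
 * </ul>
 */
public class DeclarativeUserProfileProviderFactory implements UserProfileProviderFactory, AmphibianProviderFactory<UserProfileProvider> {
    /** Provider option holding extra read-only attribute names for the USER_API context. */
    public static final String CONFIG_ADMIN_READ_ONLY_ATTRIBUTES = "admin-read-only-attributes";
    /** Provider option holding extra read-only attribute names for the non-USER_API contexts. */
    public static final String CONFIG_READ_ONLY_ATTRIBUTES = "read-only-attributes";
    /** Provider option name; only advertised by this class, not read here. */
    public static final String MAX_EMAIL_LOCAL_PART_LENGTH = "max-email-local-part-length";
    public static final String ID = "declarative-user-profile";
    public static final int PROVIDER_PRIORITY = 1;

    // Built-in names enforced in the IDP_REVIEW, ACCOUNT, UPDATE_PROFILE, UPDATE_EMAIL and
    // REGISTRATION profiles. A trailing '*' marks a prefix match (see getRegexPatternString).
    private static final String[] DEFAULT_READ_ONLY_ATTRIBUTES = {
        "KERBEROS_PRINCIPAL", "LDAP_ID", "LDAP_ENTRY_DN", "CREATED_TIMESTAMP", "createTimestamp",
        "modifyTimestamp", "userCertificate", "saml.persistent.name.id.for.*", "ENABLED",
        "EMAIL_VERIFIED", "disabledReason"
    };

    // Built-in names enforced in the USER_API profile. This list omits userCertificate,
    // saml.persistent.name.id.for.*, ENABLED, EMAIL_VERIFIED and disabledReason, so this pattern
    // does not stop a USER_API caller from changing them.
    // NOTE(review): confirm that access to the USER_API context is restricted accordingly.
    private static final String[] DEFAULT_ADMIN_READ_ONLY_ATTRIBUTES = {
        "KERBEROS_PRINCIPAL", "LDAP_ID", "LDAP_ENTRY_DN", "CREATED_TIMESTAMP", "createTimestamp",
        "modifyTimestamp"
    };

    private static final Pattern readOnlyAttributesPattern = getRegexPatternString(DEFAULT_READ_ONLY_ATTRIBUTES);
    private static final Pattern adminReadOnlyAttributesPattern = getRegexPatternString(DEFAULT_ADMIN_READ_ONLY_ATTRIBUTES);

    // Static and volatile: one value for the whole JVM, visible across threads. Writes go through
    // setDefaultConfig and initDefaultConfiguration only.
    private static volatile UPConfig PARSED_DEFAULT_RAW_CONFIG;

    // Filled by init(); one entry per context, duplicates rejected by addContextualProfileMetadata.
    private final Map<UserProfileContext, UserProfileMetadata> contextualMetadataRegistry = new HashMap<>();

    /**
     * Installs the default user-profile configuration if none has been installed yet.
     *
     * <p>The first caller wins; later calls are ignored while a value is present. The null check
     * and the assignment are two separate steps on a volatile field, so two concurrent first
     * callers can both pass the check and the later write then replaces the earlier one.
     *
     * @param uPConfig the configuration to install; a {@code null} argument leaves the field null
     */
    public static void setDefaultConfig(UPConfig uPConfig) {
        if (PARSED_DEFAULT_RAW_CONFIG == null) {
            PARSED_DEFAULT_RAW_CONFIG = uPConfig;
        }
    }

    /**
     * Write condition for {@code username}.
     *
     * <p>For registration, identity-provider review, or when no user exists yet, the username is
     * writable unless the realm uses the email as username. For an existing user it is writable
     * only when the realm does not use email as username and allows username edits.
     */
    private static boolean editUsernameCondition(AttributeContext attributeContext) {
        RealmModel realm = attributeContext.getSession().getContext().getRealm();
        UserProfileContext context = attributeContext.getContext();
        boolean creatingAccount = UserProfileContext.REGISTRATION.equals(context)
                || UserProfileContext.IDP_REVIEW.equals(context)
                || isNewUser(attributeContext);
        if (creatingAccount) {
            return !realm.isRegistrationEmailAsUsername();
        }
        return !realm.isRegistrationEmailAsUsername() && realm.isEditUsernameAllowed();
    }

    /**
     * Read condition for {@code username}.
     *
     * <p>Contexts not listed in the switch (for example ACCOUNT and USER_API) can always read it.
     */
    private static boolean readUsernameCondition(AttributeContext attributeContext) {
        RealmModel realm = attributeContext.getSession().getContext().getRealm();
        // Switching on the enum itself replaces the decompiler's ordinal lookup table, whose case
        // labels had been resolved to unrelated constants that merely share the values 1 and 2.
        switch (attributeContext.getContext()) {
            case REGISTRATION:
            case IDP_REVIEW:
                return !realm.isRegistrationEmailAsUsername();
            case UPDATE_PROFILE:
                return !realm.isRegistrationEmailAsUsername() && realm.isEditUsernameAllowed();
            case UPDATE_EMAIL:
                return false;
            default:
                return true;
        }
    }

    /**
     * Write condition for {@code email}.
     *
     * <p>REGISTRATION and USER_API can always write. With the UPDATE_EMAIL feature enabled, the
     * UPDATE_PROFILE and ACCOUNT contexts cannot write the email and every other context can.
     * Without the feature, the email is writable for a new user, or when the realm does not use
     * email as username, or when username edits are allowed.
     */
    private static boolean editEmailCondition(AttributeContext attributeContext) {
        RealmModel realm = attributeContext.getSession().getContext().getRealm();
        UserProfileContext context = attributeContext.getContext();
        if (UserProfileContext.REGISTRATION.equals(context) || UserProfileContext.USER_API.equals(context)) {
            return true;
        }
        if (Profile.isFeatureEnabled(Profile.Feature.UPDATE_EMAIL)) {
            return !(UserProfileContext.UPDATE_PROFILE.equals(context) || UserProfileContext.ACCOUNT.equals(context));
        }
        return isNewUser(attributeContext) || !realm.isRegistrationEmailAsUsername() || realm.isEditUsernameAllowed();
    }

    /**
     * Read condition for {@code email}.
     *
     * <p>REGISTRATION and USER_API can always read. With the UPDATE_EMAIL feature enabled, only
     * UPDATE_PROFILE is denied. Without it, UPDATE_PROFILE is denied only when the realm uses email
     * as username and does not allow username edits.
     */
    private static boolean readEmailCondition(AttributeContext attributeContext) {
        UserProfileContext context = attributeContext.getContext();
        if (UserProfileContext.REGISTRATION.equals(context) || UserProfileContext.USER_API.equals(context)) {
            return true;
        }
        if (Profile.isFeatureEnabled(Profile.Feature.UPDATE_EMAIL)) {
            return !UserProfileContext.UPDATE_PROFILE.equals(context);
        }
        if (!UserProfileContext.UPDATE_PROFILE.equals(context)) {
            return true;
        }
        RealmModel realm = attributeContext.getSession().getContext().getRealm();
        return !realm.isRegistrationEmailAsUsername() || realm.isEditUsernameAllowed();
    }

    /** Returns whether the current realm has internationalization enabled. */
    private static boolean isInternationalizationEnabled(AttributeContext attributeContext) {
        return attributeContext.getSession().getContext().getRealm().isInternationalizationEnabled();
    }

    /** Returns whether the realm has a terms-and-conditions required action and it is enabled. */
    private static boolean isTermAndConditionsEnabled(AttributeContext attributeContext) {
        RequiredActionProviderModel termsAction = attributeContext.getSession().getContext().getRealm()
                .getRequiredActionProviderByAlias(UserModel.RequiredAction.TERMS_AND_CONDITIONS.name());
        return termsAction != null && termsAction.isEnabled();
    }

    /** A context without a user is treated as creating a new user. */
    private static boolean isNewUser(AttributeContext attributeContext) {
        return attributeContext.getUser() == null;
    }

    /**
     * Compiles a list of attribute names into one case-insensitive pattern.
     *
     * <p>Each entry is quoted with {@link Pattern#quote(String)} and anchored with {@code ^...$}.
     * An entry ending in {@code *} has that last character dropped and matches any name starting
     * with the rest. No other character is special: an entry such as {@code ldap_.*} matches only
     * names that start with the literal text {@code ldap_.}, so operators who write regular
     * expressions here protect fewer attributes than they intend.
     *
     * <p>An empty array produces the pattern {@code (?i:)}. NOTE(review): whether that matches
     * nothing or everything depends on how the consuming validator applies the pattern, which this
     * class does not show; confirm before accepting an empty list.
     *
     * @param strArr attribute names, or {@code null}
     * @return the compiled pattern, or {@code null} when {@code strArr} is {@code null}
     * @throws NullPointerException if an element of {@code strArr} is {@code null}
     */
    public static Pattern getRegexPatternString(String[] strArr) {
        if (strArr == null) {
            return null;
        }
        String alternatives = Arrays.stream(strArr)
                .map(name -> name.endsWith("*")
                        ? "^" + Pattern.quote(name.substring(0, name.length() - 1)) + ".*$"
                        : "^" + Pattern.quote(name) + "$")
                .collect(Collectors.joining("|"));
        return Pattern.compile("(?i:" + alternatives + ")");
    }

    /**
     * Loads the default configuration and rebuilds the per-context profile registry.
     *
     * <p>Names configured under {@value #CONFIG_READ_ONLY_ATTRIBUTES} are enforced in addition to
     * the built-in list, never instead of it. The UPDATE_EMAIL profile is registered only when that
     * feature is enabled.
     *
     * @param scope provider configuration
     * @throws IllegalStateException if two profiles are produced for the same context
     */
    public void init(Config.Scope scope) {
        initDefaultConfiguration(scope);
        this.contextualMetadataRegistry.clear();
        Pattern configuredReadOnly = getRegexPatternString(scope.getArray(CONFIG_READ_ONLY_ATTRIBUTES));
        AttributeValidatorMetadata configuredValidator = null;
        if (configuredReadOnly != null) {
            configuredValidator = createReadOnlyAttributeUnchangedValidator(configuredReadOnly);
        }
        addContextualProfileMetadata(configureUserProfile(createBrokeringProfile(configuredValidator)));
        addContextualProfileMetadata(configureUserProfile(createAccountProfile(UserProfileContext.ACCOUNT, configuredValidator)));
        addContextualProfileMetadata(configureUserProfile(createDefaultProfile(UserProfileContext.UPDATE_PROFILE, configuredValidator)));
        if (Profile.isFeatureEnabled(Profile.Feature.UPDATE_EMAIL)) {
            addContextualProfileMetadata(configureUserProfile(createUpdateEmailProfile(UserProfileContext.UPDATE_EMAIL, configuredValidator)));
        }
        addContextualProfileMetadata(configureUserProfile(createRegistrationUserCreationProfile(configuredValidator)));
        addContextualProfileMetadata(configureUserProfile(createUserResourceValidation(scope)));
    }

    /**
     * Describes the provider-level options.
     *
     * <p>The help texts call the two read-only options "regular expressions", but
     * {@link #getRegexPatternString(String[])} quotes every entry literally and honours only a
     * trailing {@code *}.
     */
    public List<ProviderConfigProperty> getConfigMetadata() {
        return ProviderConfigurationBuilder.create()
                .property()
                .name(CONFIG_READ_ONLY_ATTRIBUTES)
                .type("MultivaluedString")
                .helpText("Array of regular expressions to identify fields that should be treated read-only so users can't change them.")
                .add()
                .property()
                .name(CONFIG_ADMIN_READ_ONLY_ATTRIBUTES)
                .type("MultivaluedString")
                .helpText("Array of regular expressions to identify fields that should be treated read-only so administrators can't change them.")
                .add()
                .property()
                .name(MAX_EMAIL_LOCAL_PART_LENGTH)
                .type("String")
                .helpText("To set user profile max email local part length")
                .add()
                .build();
    }

    /** Describes the single component-level property that stores the user-profile configuration. */
    public List<ProviderConfigProperty> getConfigProperties() {
        return ProviderConfigurationBuilder.create()
                .property()
                .name(DeclarativeUserProfileProvider.UP_COMPONENT_CONFIG_KEY)
                .type("String")
                .add()
                .build();
    }

    /**
     * Validates the user-profile configuration stored on a component before it is accepted.
     *
     * <p>A blank or missing configuration is accepted without parsing. For a non-null model the
     * {@code kc.user.profile.metadata} note is removed whether or not a configuration was present.
     *
     * @throws ComponentValidationException if the configuration cannot be read or if validation
     *         reports errors; in the latter case the message is the full error list
     */
    public void validateConfiguration(KeycloakSession keycloakSession, RealmModel realmModel, ComponentModel componentModel) throws ComponentValidationException {
        String rawConfig = componentModel == null ? null : componentModel.get(DeclarativeUserProfileProvider.UP_COMPONENT_CONFIG_KEY);
        if (!ObjectUtil.isBlank(rawConfig)) {
            try {
                List<String> errors = UPConfigUtils.validate(keycloakSession, UPConfigUtils.parseConfig(rawConfig));
                if (!errors.isEmpty()) {
                    throw new ComponentValidationException(errors.toString(), new Object[0]);
                }
            } catch (IOException e) {
                throw new ComponentValidationException(e.getMessage(), e);
            }
        }
        if (componentModel != null) {
            componentModel.removeNote("kc.user.profile.metadata");
        }
    }

    /** Does nothing. */
    public void postInit(KeycloakSessionFactory keycloakSessionFactory) {
    }

    public String getId() {
        return ID;
    }

    public int order() {
        return PROVIDER_PRIORITY;
    }

    public String getHelpText() {
        return null;
    }

    /** Does nothing. */
    public void close() {
    }

    /**
     * Creates a provider bound to the given session.
     *
     * <p>The decompiler renamed this method from {@code create} when it merged the bridge method.
     */
    public DeclarativeUserProfileProvider m800create(KeycloakSession keycloakSession) {
        return new DeclarativeUserProfileProvider(keycloakSession, this);
    }

    /**
     * Decorates a profile with the current default configuration.
     *
     * <p>The temporary provider is created with a {@code null} session.
     */
    protected UserProfileMetadata configureUserProfile(UserProfileMetadata userProfileMetadata) {
        return new DeclarativeUserProfileProvider(null, this).decorateUserProfileForCache(userProfileMetadata, PARSED_DEFAULT_RAW_CONFIG);
    }

    /** Wraps a pattern in validator metadata for {@link ReadOnlyAttributeUnchangedValidator}. */
    private AttributeValidatorMetadata createReadOnlyAttributeUnchangedValidator(Pattern pattern) {
        return new AttributeValidatorMetadata(
                ReadOnlyAttributeUnchangedValidator.ID,
                ValidatorConfig.builder().config(ReadOnlyAttributeUnchangedValidator.CFG_PATTERN, pattern).build());
    }

    /** Registers a profile, refusing a second profile for the same context. */
    private void addContextualProfileMetadata(UserProfileMetadata userProfileMetadata) {
        if (this.contextualMetadataRegistry.putIfAbsent(userProfileMetadata.getContext(), userProfileMetadata) != null) {
            throw new IllegalStateException("Multiple profile metadata found for context " + userProfileMetadata.getContext());
        }
    }

    /**
     * Builds the read-only validators for the non-USER_API profiles: the built-in list first, then
     * the operator-configured one when present.
     */
    private List<AttributeValidatorMetadata> userReadOnlyValidators(AttributeValidatorMetadata configuredValidator) {
        List<AttributeValidatorMetadata> validators = new ArrayList<>();
        validators.add(createReadOnlyAttributeUnchangedValidator(readOnlyAttributesPattern));
        if (configuredValidator != null) {
            validators.add(configuredValidator);
        }
        return validators;
    }

    /** Email validators shared by the default and update-email profiles; new instances per call. */
    private static AttributeValidatorMetadata[] selfServiceEmailValidators() {
        return new AttributeValidatorMetadata[]{
            new AttributeValidatorMetadata(BlankAttributeValidator.ID, BlankAttributeValidator.createConfig(Messages.MISSING_EMAIL, false)),
            new AttributeValidatorMetadata(DuplicateEmailValidator.ID),
            new AttributeValidatorMetadata(EmailExistsAsUsernameValidator.ID),
            new AttributeValidatorMetadata("email", ValidatorConfig.builder().config("ignore.empty.value", true).build())
        };
    }

    /**
     * Builds the IDP_REVIEW profile.
     *
     * <p>The email entry has no read or write condition and carries only a blank check.
     */
    private UserProfileMetadata createBrokeringProfile(AttributeValidatorMetadata attributeValidatorMetadata) {
        UserProfileMetadata profile = new UserProfileMetadata(UserProfileContext.IDP_REVIEW);
        profile.addAttribute(
                "username",
                -2,
                DeclarativeUserProfileProviderFactory::editUsernameCondition,
                DeclarativeUserProfileProviderFactory::readUsernameCondition,
                new AttributeValidatorMetadata[]{new AttributeValidatorMetadata(BrokeringFederatedUsernameHasValueValidator.ID)})
                .setAttributeDisplayName("${username}");
        profile.addAttribute(
                "email",
                -1,
                new AttributeValidatorMetadata[]{new AttributeValidatorMetadata(BlankAttributeValidator.ID, BlankAttributeValidator.createConfig(Messages.MISSING_EMAIL, true))})
                .setAttributeDisplayName("${email}");
        profile.addAttribute("kc.read.only", 1000, userReadOnlyValidators(attributeValidatorMetadata));
        return profile;
    }

    /**
     * Builds the REGISTRATION profile: the default profile plus registration-specific validators
     * on the first {@code username} and {@code email} entries.
     */
    private UserProfileMetadata createRegistrationUserCreationProfile(AttributeValidatorMetadata attributeValidatorMetadata) {
        UserProfileMetadata profile = createDefaultProfile(UserProfileContext.REGISTRATION, attributeValidatorMetadata);
        ((AttributeMetadata) profile.getAttribute("username").get(0)).addValidators(Arrays.asList(
                new AttributeValidatorMetadata(RegistrationEmailAsUsernameUsernameValueValidator.ID),
                new AttributeValidatorMetadata(RegistrationUsernameExistsValidator.ID),
                new AttributeValidatorMetadata(UsernameHasValueValidator.ID)));
        ((AttributeMetadata) profile.getAttribute("email").get(0)).addValidators(Collections.singletonList(
                new AttributeValidatorMetadata(RegistrationEmailAsUsernameEmailValueValidator.ID)));
        return profile;
    }

    /**
     * Builds the baseline profile for a context: username and email with their read/write
     * conditions and validators, plus the read-only validators.
     */
    private UserProfileMetadata createDefaultProfile(UserProfileContext userProfileContext, AttributeValidatorMetadata attributeValidatorMetadata) {
        UserProfileMetadata profile = new UserProfileMetadata(userProfileContext);
        profile.addAttribute(
                "username",
                -2,
                DeclarativeUserProfileProviderFactory::editUsernameCondition,
                DeclarativeUserProfileProviderFactory::readUsernameCondition,
                new AttributeValidatorMetadata[]{
                    new AttributeValidatorMetadata(UsernameHasValueValidator.ID),
                    new AttributeValidatorMetadata(DuplicateUsernameValidator.ID),
                    new AttributeValidatorMetadata(UsernameMutationValidator.ID)})
                .setAttributeDisplayName("${username}");
        profile.addAttribute(
                "email",
                -1,
                DeclarativeUserProfileProviderFactory::editEmailCondition,
                DeclarativeUserProfileProviderFactory::readEmailCondition,
                selfServiceEmailValidators())
                .setAttributeDisplayName("${email}");
        profile.addAttribute("kc.read.only", 1000, userReadOnlyValidators(attributeValidatorMetadata));
        return profile;
    }

    /** Builds the UPDATE_EMAIL profile: email and the read-only validators, with no username entry. */
    private UserProfileMetadata createUpdateEmailProfile(UserProfileContext userProfileContext, AttributeValidatorMetadata attributeValidatorMetadata) {
        UserProfileMetadata profile = new UserProfileMetadata(userProfileContext);
        profile.addAttribute(
                "email",
                -1,
                DeclarativeUserProfileProviderFactory::editEmailCondition,
                DeclarativeUserProfileProviderFactory::readEmailCondition,
                selfServiceEmailValidators())
                .setAttributeDisplayName("${email}");
        profile.addAttribute("kc.read.only", 1000, userReadOnlyValidators(attributeValidatorMetadata));
        return profile;
    }

    /**
     * Builds the USER_API profile.
     *
     * <p>Differences from the self-service profiles that are visible here: username and email get
     * a write condition but no read condition, the email has no blank check, the username has no
     * mutation validator, and the read-only validators use the shorter admin list together with
     * {@value #CONFIG_ADMIN_READ_ONLY_ATTRIBUTES} rather than {@value #CONFIG_READ_ONLY_ATTRIBUTES}.
     * The terms-and-conditions attribute is registered as never writable.
     */
    private UserProfileMetadata createUserResourceValidation(Config.Scope scope) {
        Pattern configuredAdminReadOnly = getRegexPatternString(scope.getArray(CONFIG_ADMIN_READ_ONLY_ATTRIBUTES));
        UserProfileMetadata profile = new UserProfileMetadata(UserProfileContext.USER_API);
        profile.addAttribute(
                "username",
                -2,
                new AttributeValidatorMetadata[]{
                    new AttributeValidatorMetadata(UsernameHasValueValidator.ID),
                    new AttributeValidatorMetadata(DuplicateUsernameValidator.ID)})
                .addWriteCondition(DeclarativeUserProfileProviderFactory::editUsernameCondition);
        profile.addAttribute(
                "email",
                -1,
                new AttributeValidatorMetadata[]{
                    new AttributeValidatorMetadata(DuplicateEmailValidator.ID),
                    new AttributeValidatorMetadata(EmailExistsAsUsernameValidator.ID),
                    new AttributeValidatorMetadata("email", ValidatorConfig.builder().config("ignore.empty.value", true).build())})
                .addWriteCondition(DeclarativeUserProfileProviderFactory::editEmailCondition);
        // Order kept from the original: the configured list first, then the built-in admin list.
        List<AttributeValidatorMetadata> readOnlyValidators = new ArrayList<>();
        if (configuredAdminReadOnly != null) {
            readOnlyValidators.add(createReadOnlyAttributeUnchangedValidator(configuredAdminReadOnly));
        }
        readOnlyValidators.add(createReadOnlyAttributeUnchangedValidator(adminReadOnlyAttributesPattern));
        profile.addAttribute("kc.read.only", 1000, readOnlyValidators);
        profile.addAttribute(
                OIDCLoginProtocolFactory.LOCALE,
                -1,
                DeclarativeUserProfileProviderFactory::isInternationalizationEnabled,
                DeclarativeUserProfileProviderFactory::isInternationalizationEnabled,
                new AttributeValidatorMetadata[0])
                .setRequired(AttributeMetadata.ALWAYS_FALSE);
        profile.addAttribute(
                TermsAndConditions.USER_ATTRIBUTE,
                -1,
                AttributeMetadata.ALWAYS_FALSE,
                DeclarativeUserProfileProviderFactory::isTermAndConditionsEnabled,
                new AttributeValidatorMetadata[0])
                .setAttributeDisplayName("${termsAndConditionsUserAttribute}")
                .setRequired(AttributeMetadata.ALWAYS_FALSE);
        return profile;
    }

    /** Builds the ACCOUNT profile: the default profile plus an optional locale attribute. */
    private UserProfileMetadata createAccountProfile(UserProfileContext userProfileContext, AttributeValidatorMetadata attributeValidatorMetadata) {
        UserProfileMetadata profile = createDefaultProfile(userProfileContext, attributeValidatorMetadata);
        profile.addAttribute(
                OIDCLoginProtocolFactory.LOCALE,
                -1,
                DeclarativeUserProfileProviderFactory::isInternationalizationEnabled,
                DeclarativeUserProfileProviderFactory::isInternationalizationEnabled,
                new AttributeValidatorMetadata[0])
                .setRequired(AttributeMetadata.ALWAYS_FALSE);
        return profile;
    }

    /**
     * Returns the JVM-wide default configuration, or {@code null} if none has been set.
     *
     * <p>The decompiler widened this accessor from {@code protected} to {@code public}.
     */
    public UPConfig getParsedDefaultRawConfig() {
        return PARSED_DEFAULT_RAW_CONFIG;
    }

    /**
     * Returns the live registry map, not a copy, so a caller that modifies it changes which
     * profile is enforced for a context.
     *
     * <p>The decompiler widened this accessor from {@code protected} to {@code public}.
     * NOTE(review): confirm that callers only read the map.
     */
    public Map<UserProfileContext, UserProfileMetadata> getContextualMetadataRegistry() {
        return this.contextualMetadataRegistry;
    }

    /**
     * Resolves the default configuration and stores it in the shared static field.
     *
     * <p>The {@code configFile} option is tried first, then the value already held, then the system
     * default. The {@code configFile} value is passed to the parser as a file path without any
     * check in this method, so it must come from trusted server configuration only.
     */
    private void initDefaultConfiguration(Config.Scope scope) {
        UPConfig config = Optional.ofNullable(scope.get("configFile"))
                .map(path -> Paths.get(path))
                .map(UPConfigUtils::parseConfig)
                .orElse(PARSED_DEFAULT_RAW_CONFIG);
        if (config == null) {
            config = UPConfigUtils.parseSystemDefaultConfig();
        }
        // Reset first because setDefaultConfig only writes when the field is null.
        // NOTE(review): between these two statements other threads read null, and a concurrent
        // setDefaultConfig call can win over the value resolved here.
        PARSED_DEFAULT_RAW_CONFIG = null;
        setDefaultConfig(config);
    }
}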
