package org.keycloak.broker.saml.mappers;

import java.io.StringReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.xml.namespace.NamespaceContext;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.jboss.logging.Logger;
import org.keycloak.broker.provider.AbstractIdentityProviderMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.saml.SAMLEndpoint;
import org.keycloak.dom.saml.v2.assertion.AssertionType;
import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
import org.keycloak.dom.saml.v2.assertion.AttributeType;
import org.keycloak.dom.saml.v2.metadata.AttributeConsumingServiceType;
import org.keycloak.dom.saml.v2.metadata.EntityDescriptorType;
import org.keycloak.dom.saml.v2.metadata.RequestedAttributeType;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.IdentityProviderSyncMode;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.protocol.saml.mappers.AttributeStatementHelper;
import org.keycloak.protocol.saml.mappers.SamlMetadataDescriptorUpdater;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.common.util.DocumentUtil;
import org.keycloak.saml.common.util.StringUtil;

/* loaded from: input_file:org/keycloak/broker/saml/mappers/XPathAttributeMapper.class */
public class XPathAttributeMapper extends AbstractIdentityProviderMapper implements SamlMetadataDescriptorUpdater {
    public static final String ATTRIBUTE_XPATH = "attribute.xpath";
    public static final String ATTRIBUTE_NAME = "attribute.name";
    public static final String ATTRIBUTE_FRIENDLY_NAME = "attribute.friendly.name";
    public static final String USER_ATTRIBUTE = "user.attribute";
    public static final String PROVIDER_ID = "saml-xpath-attribute-idp-mapper";
    public static final String[] COMPATIBLE_PROVIDERS = {"saml"};
    private static final Logger LOGGER = Logger.getLogger(XPathAttributeMapper.class);
    private static final List<ProviderConfigProperty> configProperties = new ArrayList();
    private static final Set<IdentityProviderSyncMode> IDENTITY_PROVIDER_SYNC_MODES = new HashSet(Arrays.asList(IdentityProviderSyncMode.values()));
    private static final Pattern NAMESPACE_PATTERN = Pattern.compile("xmlns:(\\w+)=\"(.+?)\"");
    private static final ThreadLocal<XPathFactory> XPATH_FACTORY = ThreadLocal.withInitial(() -> {
        XPathFactory newInstance = XPathFactory.newInstance();
        newInstance.setXPathVariableResolver(qName -> {
            throw new RuntimeException("resolveVariable for variable " + qName + " not supported");
        });
        newInstance.setXPathFunctionResolver((qName2, i) -> {
            throw new RuntimeException("resolveFunction for function " + qName2 + " not supported");
        });
        return newInstance;
    });

    public boolean supportsSyncMode(IdentityProviderSyncMode identityProviderSyncMode) {
        return IDENTITY_PROVIDER_SYNC_MODES.contains(identityProviderSyncMode);
    }

    public List<ProviderConfigProperty> getConfigProperties() {
        return configProperties;
    }

    public String getId() {
        return PROVIDER_ID;
    }

    public String[] getCompatibleProviders() {
        return COMPATIBLE_PROVIDERS;
    }

    public String getDisplayCategory() {
        return "Attribute Importer";
    }

    public String getDisplayType() {
        return "XPath Attribute Importer";
    }

    public void preprocessFederatedIdentity(KeycloakSession keycloakSession, RealmModel realmModel, IdentityProviderMapperModel identityProviderMapperModel, BrokeredIdentityContext brokeredIdentityContext) {
        String str = (String) identityProviderMapperModel.getConfig().get("user.attribute");
        if (StringUtil.isNullOrEmpty(str)) {
            return;
        }
        List<String> findAttributeValuesInContext = findAttributeValuesInContext(getAttributeNameFromMapperModel(identityProviderMapperModel), (String) identityProviderMapperModel.getConfig().get(ATTRIBUTE_XPATH), brokeredIdentityContext);
        if (findAttributeValuesInContext.isEmpty()) {
            return;
        }
        brokeredIdentityContext.setUserAttribute(str, findAttributeValuesInContext);
    }

    private String getAttributeNameFromMapperModel(IdentityProviderMapperModel identityProviderMapperModel) {
        String str = (String) identityProviderMapperModel.getConfig().get("attribute.name");
        if (str == null) {
            str = (String) identityProviderMapperModel.getConfig().get("attribute.friendly.name");
        }
        return str;
    }

    private Predicate<AttributeStatementType.ASTChoiceType> elementWith(String str) {
        return aSTChoiceType -> {
            AttributeType attribute = aSTChoiceType.getAttribute();
            return str == null || Objects.equals(attribute.getName(), str) || Objects.equals(attribute.getFriendlyName(), str);
        };
    }

    private static Function<String, Object> applyXPath(String str) {
        return str2 -> {
            try {
                LOGGER.tracef("Trying to parse: %s", str2);
                Matcher matcher = NAMESPACE_PATTERN.matcher(str2);
                final HashMap hashMap = new HashMap();
                final HashMap hashMap2 = new HashMap();
                while (matcher.find()) {
                    hashMap.put(matcher.group(1), matcher.group(2));
                    hashMap2.put(matcher.group(2), matcher.group(1));
                }
                XPath newXPath = XPATH_FACTORY.get().newXPath();
                newXPath.setNamespaceContext(new NamespaceContext() { // from class: org.keycloak.broker.saml.mappers.XPathAttributeMapper.1
                    @Override // javax.xml.namespace.NamespaceContext
                    public String getNamespaceURI(String str2) {
                        return hashMap.containsKey(str2) ? (String) hashMap.get(str2) : "";
                    }

                    @Override // javax.xml.namespace.NamespaceContext
                    public String getPrefix(String str2) {
                        if (hashMap2.containsKey(str2)) {
                            return (String) hashMap2.get(str2);
                        }
                        return null;
                    }

                    @Override // javax.xml.namespace.NamespaceContext
                    public Iterator<String> getPrefixes(String str2) {
                        ArrayList arrayList = new ArrayList();
                        if (hashMap2.containsKey(str2)) {
                            arrayList.add((String) hashMap2.get(str2));
                        }
                        return arrayList.iterator();
                    }
                });
                return newXPath.compile(str).evaluate(DocumentUtil.getDocument(new StringReader(str2)), XPathConstants.STRING);
            } catch (XPathExpressionException e) {
                LOGGER.warn("Unparsable element will be ignored", e);
                return "";
            } catch (Exception e2) {
                throw new RuntimeException("Could not parse xml element", e2);
            }
        };
    }

    private List<String> findAttributeValuesInContext(String str, String str2, BrokeredIdentityContext brokeredIdentityContext) {
        Stream flatMap = ((AssertionType) brokeredIdentityContext.getContextData().get(SAMLEndpoint.SAML_ASSERTION)).getAttributeStatements().stream().map((v0) -> {
            return v0.getAttributes();
        }).flatMap((v0) -> {
            return v0.stream();
        }).filter(elementWith(str)).map((v0) -> {
            return v0.getAttribute();
        }).map((v0) -> {
            return v0.getAttributeValue();
        }).flatMap((v0) -> {
            return v0.stream();
        });
        Class<String> cls = String.class;
        Objects.requireNonNull(String.class);
        return (List) flatMap.filter(cls::isInstance).map((v0) -> {
            return v0.toString();
        }).map(str3 -> {
            return "<root>" + str3 + "</root>";
        }).map(applyXPath(str2)).filter(Objects::nonNull).map((v0) -> {
            return v0.toString();
        }).filter(str4 -> {
            return !str4.isEmpty();
        }).collect(Collectors.toList());
    }

    public void updateBrokeredUser(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, IdentityProviderMapperModel identityProviderMapperModel, BrokeredIdentityContext brokeredIdentityContext) {
        String str = (String) identityProviderMapperModel.getConfig().get("user.attribute");
        if (StringUtil.isNullOrEmpty(str)) {
            return;
        }
        List<String> findAttributeValuesInContext = findAttributeValuesInContext(getAttributeNameFromMapperModel(identityProviderMapperModel), (String) identityProviderMapperModel.getConfig().get(ATTRIBUTE_XPATH), brokeredIdentityContext);
        if (findAttributeValuesInContext.isEmpty()) {
            return;
        }
        userModel.setAttribute(str, findAttributeValuesInContext);
    }

    public String getHelpText() {
        return "Extract text of a saml attribute via XPath expression and import into the specified user property or attribute.";
    }

    @Override // org.keycloak.protocol.saml.mappers.SamlMetadataDescriptorUpdater
    public void updateMetadata(IdentityProviderMapperModel identityProviderMapperModel, EntityDescriptorType entityDescriptorType) {
        RequestedAttributeType requestedAttributeType = new RequestedAttributeType((String) identityProviderMapperModel.getConfig().get("attribute.name"));
        requestedAttributeType.setIsRequired((Boolean) null);
        requestedAttributeType.setNameFormat(JBossSAMLURIConstants.ATTRIBUTE_FORMAT_BASIC.get());
        String str = (String) identityProviderMapperModel.getConfig().get("attribute.friendly.name");
        if (str != null && str.length() > 0) {
            requestedAttributeType.setFriendlyName(str);
        }
        Iterator it = entityDescriptorType.getChoiceType().iterator();
        while (it.hasNext()) {
            List<EntityDescriptorType.EDTDescriptorChoiceType> descriptors = ((EntityDescriptorType.EDTChoiceType) it.next()).getDescriptors();
            if (descriptors != null) {
                for (EntityDescriptorType.EDTDescriptorChoiceType eDTDescriptorChoiceType : descriptors) {
                    if (eDTDescriptorChoiceType.getSpDescriptor() != null && eDTDescriptorChoiceType.getSpDescriptor().getAttributeConsumingService() != null) {
                        Iterator it2 = eDTDescriptorChoiceType.getSpDescriptor().getAttributeConsumingService().iterator();
                        while (it2.hasNext()) {
                            ((AttributeConsumingServiceType) it2.next()).addRequestedAttribute(requestedAttributeType);
                        }
                    }
                }
            }
        }
    }

    static {
        ProviderConfigProperty providerConfigProperty = new ProviderConfigProperty();
        providerConfigProperty.setName(ATTRIBUTE_XPATH);
        providerConfigProperty.setLabel("Attribute XPath");
        providerConfigProperty.setHelpText("XPath expression to search for. All attributes are surrounded with a <root> element. Given prefixes and namespaces are preserved. Example: <root><myPrefix:Person xmlns:myPrefix=\"http://my.namespace/schema\"><myPrefix:FirstName>John</myPrefix:FirstName>...</myPrefix:Person></root> or <root>Some attribute value of anyType</root>");
        providerConfigProperty.setType("String");
        configProperties.add(providerConfigProperty);
        ProviderConfigProperty providerConfigProperty2 = new ProviderConfigProperty();
        providerConfigProperty2.setName("attribute.name");
        providerConfigProperty2.setLabel("Attribute Name");
        providerConfigProperty2.setHelpText("Name of attribute to search for in assertion and apply XPath. You can leave this blank to try to apply XPath to all attributes or specify a friendly name instead.");
        providerConfigProperty2.setType("String");
        configProperties.add(providerConfigProperty2);
        ProviderConfigProperty providerConfigProperty3 = new ProviderConfigProperty();
        providerConfigProperty3.setName("attribute.friendly.name");
        providerConfigProperty3.setLabel(AttributeStatementHelper.FRIENDLY_NAME_LABEL);
        providerConfigProperty3.setHelpText("Friendly name of attribute to search for in assertion. You can leave this blank to try to apply XPath to all attributes or specify a name instead.");
        providerConfigProperty3.setType("String");
        configProperties.add(providerConfigProperty3);
        ProviderConfigProperty providerConfigProperty4 = new ProviderConfigProperty();
        providerConfigProperty4.setName("user.attribute");
        providerConfigProperty4.setLabel("User Attribute Name");
        providerConfigProperty4.setHelpText("User attribute name to store XPath value. Use email, firstName, and lastName for e-mail, first and last name, respectively.");
        providerConfigProperty4.setType("UserProfileAttributeList");
        configProperties.add(providerConfigProperty4);
    }
}
