package org.keycloak.storage.ldap.mappers.membership.group;

import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.ModelException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.RoleUtils;
import org.keycloak.models.utils.UserModelDelegate;
import org.keycloak.storage.ldap.LDAPStorageProvider;
import org.keycloak.storage.ldap.LDAPUtils;
import org.keycloak.storage.ldap.idm.model.LDAPDn;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQueryConditionsBuilder;
import org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper;
import org.keycloak.storage.ldap.mappers.membership.CommonLDAPGroupMapper;
import org.keycloak.storage.ldap.mappers.membership.CommonLDAPGroupMapperConfig;
import org.keycloak.storage.ldap.mappers.membership.LDAPGroupMapperMode;
import org.keycloak.storage.ldap.mappers.membership.MembershipType;
import org.keycloak.storage.ldap.mappers.membership.group.GroupTreeResolver;
import org.keycloak.storage.user.SynchronizationResult;

/* loaded from: input_file:org/keycloak/storage/ldap/mappers/membership/group/GroupLDAPStorageMapper.class */
public class GroupLDAPStorageMapper extends AbstractLDAPStorageMapper implements CommonLDAPGroupMapper {
    private static final Logger logger = Logger.getLogger(GroupLDAPStorageMapper.class);
    private final GroupMapperConfig config;
    private final GroupLDAPStorageMapperFactory factory;
    private boolean syncFromLDAPPerformedInThisTransaction;

    /* loaded from: input_file:org/keycloak/storage/ldap/mappers/membership/group/GroupLDAPStorageMapper$LDAPGroupMappingsUserDelegate.class */
    public class LDAPGroupMappingsUserDelegate extends UserModelDelegate {
        private final RealmModel realm;
        private final LDAPObject ldapUser;
        private Set<GroupModel> cachedLDAPGroupMappings;

        public LDAPGroupMappingsUserDelegate(RealmModel realmModel, UserModel userModel, LDAPObject lDAPObject) {
            super(userModel);
            this.realm = realmModel;
            this.ldapUser = lDAPObject;
        }

        public boolean hasRole(RoleModel roleModel) {
            return super.hasRole(roleModel) || RoleUtils.hasRoleFromGroup(getGroupsStream(), roleModel, true);
        }

        public Stream<GroupModel> getGroupsStream() {
            Stream<GroupModel> lDAPGroupMappingsConverted = getLDAPGroupMappingsConverted();
            return (GroupLDAPStorageMapper.this.config.isTopLevelGroupsPath() && GroupLDAPStorageMapper.this.config.getMode() == LDAPGroupMapperMode.LDAP_ONLY) ? lDAPGroupMappingsConverted : Stream.concat(lDAPGroupMappingsConverted, super.getGroupsStream());
        }

        public void joinGroup(GroupModel groupModel) {
            if (GroupLDAPStorageMapper.this.config.getMode() != LDAPGroupMapperMode.LDAP_ONLY || !GroupLDAPStorageMapper.this.isGroupInGroupPath(this.realm, groupModel)) {
                super.joinGroup(groupModel);
            } else {
                this.cachedLDAPGroupMappings = null;
                GroupLDAPStorageMapper.this.addGroupMappingInLDAP(this.realm, groupModel, this.ldapUser);
            }
        }

        public void leaveGroup(GroupModel groupModel) {
            if (!GroupLDAPStorageMapper.this.isGroupInGroupPath(this.realm, groupModel)) {
                super.leaveGroup(groupModel);
            }
            LDAPQuery createGroupQuery = GroupLDAPStorageMapper.this.createGroupQuery(true);
            try {
                LDAPQueryConditionsBuilder lDAPQueryConditionsBuilder = new LDAPQueryConditionsBuilder();
                createGroupQuery.addWhereCondition(lDAPQueryConditionsBuilder.equal(GroupLDAPStorageMapper.this.config.getGroupNameLdapAttribute(), groupModel.getName())).addWhereCondition(lDAPQueryConditionsBuilder.equal(GroupLDAPStorageMapper.this.config.getMembershipLdapAttribute(), LDAPUtils.getMemberValueOfChildObject(this.ldapUser, GroupLDAPStorageMapper.this.config.getMembershipTypeLdapAttribute(), GroupLDAPStorageMapper.this.getMembershipUserLdapAttribute())));
                LDAPObject firstResult = createGroupQuery.getFirstResult();
                if (firstResult == null) {
                    if (GroupLDAPStorageMapper.this.config.getMode() == LDAPGroupMapperMode.READ_ONLY) {
                        super.leaveGroup(groupModel);
                    }
                } else {
                    if (GroupLDAPStorageMapper.this.config.getMode() == LDAPGroupMapperMode.READ_ONLY) {
                        throw new ModelException("Not possible to delete LDAP group mappings as mapper mode is READ_ONLY");
                    }
                    this.cachedLDAPGroupMappings = null;
                    GroupLDAPStorageMapper.this.deleteGroupMappingInLDAP(this.ldapUser, firstResult);
                }
                if (createGroupQuery != null) {
                    createGroupQuery.close();
                }
            } catch (Throwable th) {
                if (createGroupQuery != null) {
                    try {
                        createGroupQuery.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }

        public boolean isMemberOf(GroupModel groupModel) {
            return GroupLDAPStorageMapper.this.isGroupInGroupPath(this.realm, groupModel) && RoleUtils.isDirectMember(getGroupsStream(), groupModel);
        }

        protected Stream<GroupModel> getLDAPGroupMappingsConverted() {
            if (this.cachedLDAPGroupMappings != null) {
                return this.cachedLDAPGroupMappings.stream();
            }
            List<LDAPObject> lDAPGroupMappings = GroupLDAPStorageMapper.this.getLDAPGroupMappings(this.ldapUser);
            if (lDAPGroupMappings.isEmpty()) {
                return Stream.empty();
            }
            GroupModel kcGroupsPathGroup = GroupLDAPStorageMapper.this.getKcGroupsPathGroup(this.realm);
            this.cachedLDAPGroupMappings = (Set) lDAPGroupMappings.stream().map(lDAPObject -> {
                return GroupLDAPStorageMapper.this.findKcGroupOrSyncFromLDAP(this.realm, kcGroupsPathGroup, lDAPObject, this);
            }).filter((v0) -> {
                return Objects.nonNull(v0);
            }).collect(Collectors.toSet());
            return this.cachedLDAPGroupMappings.stream();
        }
    }

    public GroupLDAPStorageMapper(ComponentModel componentModel, LDAPStorageProvider lDAPStorageProvider, GroupLDAPStorageMapperFactory groupLDAPStorageMapperFactory) {
        super(componentModel, lDAPStorageProvider);
        this.syncFromLDAPPerformedInThisTransaction = false;
        this.config = new GroupMapperConfig(componentModel);
        this.factory = groupLDAPStorageMapperFactory;
    }

    @Override // org.keycloak.storage.ldap.mappers.membership.CommonLDAPGroupMapper
    public LDAPQuery createLDAPGroupQuery() {
        return createGroupQuery(false);
    }

    @Override // org.keycloak.storage.ldap.mappers.membership.CommonLDAPGroupMapper
    public CommonLDAPGroupMapperConfig getConfig() {
        return this.config;
    }

    public LDAPQuery createGroupQuery(boolean z) {
        LDAPQuery lDAPQuery = new LDAPQuery(this.ldapProvider);
        lDAPQuery.setSearchScope(this.ldapProvider.getLdapIdentityStore().getConfig().getSearchScope());
        lDAPQuery.setSearchDn(this.config.getGroupsDn());
        lDAPQuery.addObjectClasses(this.config.getGroupObjectClasses(this.ldapProvider));
        String customLdapFilter = this.config.getCustomLdapFilter();
        if (customLdapFilter != null && customLdapFilter.trim().length() > 0) {
            lDAPQuery.addWhereCondition(new LDAPQueryConditionsBuilder().addCustomLDAPFilter(customLdapFilter));
        }
        lDAPQuery.addReturningLdapAttribute(this.config.getGroupNameLdapAttribute());
        if (z) {
            lDAPQuery.addReturningLdapAttribute(this.config.getMembershipLdapAttribute());
        }
        Iterator<String> it = this.config.getGroupAttributes().iterator();
        while (it.hasNext()) {
            lDAPQuery.addReturningLdapAttribute(it.next());
        }
        return lDAPQuery;
    }

    public LDAPObject createLDAPGroup(String str, Map<String, Set<String>> map) {
        LDAPObject createLDAPGroup = LDAPUtils.createLDAPGroup(this.ldapProvider, str, this.config.getGroupNameLdapAttribute(), this.config.getGroupObjectClasses(this.ldapProvider), this.config.getGroupsDn(), map, this.config.getMembershipLdapAttribute());
        logger.debugf("Creating group [%s] to LDAP with DN [%s]", str, createLDAPGroup.getDn().toString());
        return createLDAPGroup;
    }

    public LDAPObject loadLDAPGroupByName(String str) {
        LDAPQuery createGroupQuery = createGroupQuery(true);
        try {
            createGroupQuery.addWhereCondition(new LDAPQueryConditionsBuilder().equal(this.config.getGroupNameLdapAttribute(), str));
            LDAPObject firstResult = createGroupQuery.getFirstResult();
            if (createGroupQuery != null) {
                createGroupQuery.close();
            }
            return firstResult;
        } catch (Throwable th) {
            if (createGroupQuery != null) {
                try {
                    createGroupQuery.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public LDAPObject updateLDAPGroup(LDAPObject lDAPObject) {
        return LDAPUtils.updateLDAPGroup(this.ldapProvider, lDAPObject);
    }

    protected Set<LDAPDn> getLDAPSubgroups(LDAPObject lDAPObject) {
        return this.config.getMembershipTypeLdapAttribute().getLDAPSubgroups(this, lDAPObject);
    }

    @Override // org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper, org.keycloak.storage.ldap.mappers.LDAPStorageMapper
    public SynchronizationResult syncDataFromFederationProviderToKeycloak(RealmModel realmModel) {
        SynchronizationResult synchronizationResult = new SynchronizationResult() { // from class: org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.1
            public String getStatus() {
                return String.format("%d imported groups, %d updated groups, %d removed groups", Integer.valueOf(getAdded()), Integer.valueOf(getUpdated()), Integer.valueOf(getRemoved()));
            }
        };
        logger.debugf("Syncing groups from LDAP into Keycloak DB. Mapper is [%s], LDAP provider is [%s]", this.mapperModel.getName(), this.ldapProvider.getModel().getName());
        List<LDAPObject> allLDAPGroups = getAllLDAPGroups(this.config.isPreserveGroupsInheritance());
        HashMap hashMap = new HashMap();
        LinkedList linkedList = new LinkedList();
        convertGroupsToInternalRep(allLDAPGroups, hashMap, linkedList);
        if (this.config.isPreserveGroupsInheritance()) {
            try {
                updateKeycloakGroupTree(realmModel, new GroupTreeResolver().resolveGroupTree(linkedList, this.config.isIgnoreMissingGroups()), hashMap, synchronizationResult);
            } catch (GroupTreeResolver.GroupTreeResolveException e) {
                throw new ModelException("Couldn't resolve groups from LDAP. Fix LDAP or skip preserve inheritance. Details: " + e.getMessage(), e);
            }
        } else {
            syncFlatGroupStructure(realmModel, synchronizationResult, hashMap);
        }
        this.syncFromLDAPPerformedInThisTransaction = true;
        return synchronizationResult;
    }

    private void syncExistingGroup(RealmModel realmModel, GroupModel groupModel, Map.Entry<String, LDAPObject> entry, SynchronizationResult synchronizationResult, Set<String> set, String str) {
        try {
            KeycloakModelUtils.runJobInTransaction(this.ldapProvider.getSession().getKeycloakSessionFactory(), keycloakSession -> {
                updateAttributesOfKCGroup(keycloakSession.groups().getGroupById(keycloakSession.realms().getRealm(realmModel.getId()), groupModel.getId()), (LDAPObject) entry.getValue());
                synchronizationResult.increaseUpdated();
                set.add(groupModel.getId());
            });
        } catch (ModelException e) {
            logger.error(String.format("Failed to update attributes of LDAP group %s: ", str), e);
            synchronizationResult.increaseFailed();
        }
    }

    private void syncNonExistingGroup(RealmModel realmModel, Map.Entry<String, LDAPObject> entry, SynchronizationResult synchronizationResult, Set<String> set, String str) {
        try {
            KeycloakModelUtils.runJobInTransaction(this.ldapProvider.getSession().getKeycloakSessionFactory(), keycloakSession -> {
                GroupModel createKcGroup = createKcGroup(keycloakSession.realms().getRealm(realmModel.getId()), str, null);
                updateAttributesOfKCGroup(createKcGroup, (LDAPObject) entry.getValue());
                synchronizationResult.increaseAdded();
                set.add(createKcGroup.getId());
            });
        } catch (ModelException e) {
            logger.error(String.format("Failed to sync group %s from LDAP: ", str), e);
            synchronizationResult.increaseFailed();
        }
    }

    private void convertGroupsToInternalRep(List<LDAPObject> list, Map<String, LDAPObject> map, List<GroupTreeResolver.Group> list2) {
        String groupNameLdapAttribute = this.config.getGroupNameLdapAttribute();
        for (LDAPObject lDAPObject : list) {
            String attributeAsString = lDAPObject.getAttributeAsString(groupNameLdapAttribute);
            if (this.config.isPreserveGroupsInheritance()) {
                HashSet hashSet = new HashSet();
                Iterator<LDAPDn> it = getLDAPSubgroups(lDAPObject).iterator();
                while (it.hasNext()) {
                    hashSet.add(it.next().getFirstRdn().getAttrValue(groupNameLdapAttribute));
                }
                list2.add(new GroupTreeResolver.Group(attributeAsString, hashSet));
            }
            map.put(attributeAsString, lDAPObject);
        }
    }

    private void syncFlatGroupStructure(RealmModel realmModel, SynchronizationResult synchronizationResult, Map<String, LDAPObject> map) {
        HashSet hashSet = new HashSet();
        int batchSizeForSync = this.ldapProvider.getLdapIdentityStore().getConfig().getBatchSizeForSync();
        Iterator<Map.Entry<String, LDAPObject>> it = map.entrySet().iterator();
        while (it.hasNext()) {
            KeycloakModelUtils.runJobInTransaction(this.ldapProvider.getSession().getKeycloakSessionFactory(), keycloakSession -> {
                RealmModel realm = keycloakSession.realms().getRealm(realmModel.getId());
                Map map2 = (Map) getKcSubGroups(realm, null).collect(Collectors.toMap((v0) -> {
                    return v0.getName();
                }, Function.identity()));
                for (int i = 0; i < batchSizeForSync && it.hasNext(); i++) {
                    Map.Entry<String, LDAPObject> entry = (Map.Entry) it.next();
                    String key = entry.getKey();
                    GroupModel groupModel = (GroupModel) map2.get(key);
                    if (groupModel != null) {
                        syncExistingGroup(realm, groupModel, entry, synchronizationResult, hashSet, key);
                    } else {
                        syncNonExistingGroup(realm, entry, synchronizationResult, hashSet, key);
                    }
                }
            });
        }
        if (this.config.isDropNonExistingGroupsDuringSync()) {
            dropNonExistingKcGroups(realmModel, synchronizationResult, hashSet);
        }
    }

    private void updateKeycloakGroupTree(RealmModel realmModel, List<GroupTreeResolver.GroupTreeEntry> list, Map<String, LDAPObject> map, SynchronizationResult synchronizationResult) {
        HashSet hashSet = new HashSet();
        Iterator<GroupTreeResolver.GroupTreeEntry> it = list.iterator();
        while (it.hasNext()) {
            updateKeycloakGroupTreeEntry(realmModel, it.next(), map, null, synchronizationResult, hashSet);
        }
        if (this.config.isDropNonExistingGroupsDuringSync()) {
            dropNonExistingKcGroups(realmModel, synchronizationResult, hashSet);
        }
    }

    private void updateKeycloakGroupTreeEntry(RealmModel realmModel, GroupTreeResolver.GroupTreeEntry groupTreeEntry, Map<String, LDAPObject> map, GroupModel groupModel, SynchronizationResult synchronizationResult, Set<String> set) {
        String groupName = groupTreeEntry.getGroupName();
        GroupModel orElse = getKcSubGroups(realmModel, groupModel).filter(groupModel2 -> {
            return Objects.equals(groupModel2.getName(), groupName);
        }).findFirst().orElse(null);
        if (orElse != null) {
            logger.debugf("Updated Keycloak group '%s' from LDAP", orElse.getName());
            updateAttributesOfKCGroup(orElse, map.get(orElse.getName()));
            synchronizationResult.increaseUpdated();
        } else {
            orElse = createKcGroup(realmModel, groupTreeEntry.getGroupName(), groupModel);
            if (orElse.getParent() == null) {
                logger.debugf("Imported top-level group '%s' from LDAP", orElse.getName());
            } else {
                logger.debugf("Imported group '%s' from LDAP as child of group '%s'", orElse.getName(), orElse.getParent().getName());
            }
            updateAttributesOfKCGroup(orElse, map.get(orElse.getName()));
            synchronizationResult.increaseAdded();
        }
        set.add(orElse.getId());
        Iterator<GroupTreeResolver.GroupTreeEntry> it = groupTreeEntry.getChildren().iterator();
        while (it.hasNext()) {
            updateKeycloakGroupTreeEntry(realmModel, it.next(), map, orElse, synchronizationResult, set);
        }
    }

    private void dropNonExistingKcGroups(RealmModel realmModel, SynchronizationResult synchronizationResult, Set<String> set) {
        getAllKcGroups(realmModel, getKcGroupsPathGroup(realmModel)).filter(groupModel -> {
            return !set.contains(groupModel.getId());
        }).forEach(groupModel2 -> {
            logger.debugf("Removing Keycloak group '%s', which doesn't exist in LDAP", groupModel2.getName());
            realmModel.removeGroup(groupModel2);
            synchronizationResult.increaseRemoved();
        });
    }

    private void updateAttributesOfKCGroup(GroupModel groupModel, LDAPObject lDAPObject) {
        for (String str : this.config.getGroupAttributes()) {
            Set<String> attributeAsSet = lDAPObject.getAttributeAsSet(str);
            if (attributeAsSet == null) {
                groupModel.removeAttribute(str);
            } else {
                groupModel.setAttribute(str, new LinkedList(attributeAsSet));
            }
        }
    }

    protected GroupModel findKcGroupByLDAPGroup(RealmModel realmModel, GroupModel groupModel, LDAPObject lDAPObject) {
        String attributeAsString = lDAPObject.getAttributeAsString(this.config.getGroupNameLdapAttribute());
        return this.config.isPreserveGroupsInheritance() ? getAllKcGroups(realmModel, groupModel).filter(groupModel2 -> {
            return Objects.equals(groupModel2.getName(), attributeAsString);
        }).findFirst().orElse(null) : this.session.groups().getGroupByName(realmModel, groupModel, attributeAsString);
    }

    protected GroupModel findKcGroupOrSyncFromLDAP(RealmModel realmModel, GroupModel groupModel, LDAPObject lDAPObject, UserModel userModel) {
        GroupModel findKcGroupByLDAPGroup = findKcGroupByLDAPGroup(realmModel, groupModel, lDAPObject);
        if (findKcGroupByLDAPGroup == null) {
            if (!this.config.isPreserveGroupsInheritance()) {
                findKcGroupByLDAPGroup = createKcGroup(realmModel, lDAPObject.getAttributeAsString(this.config.getGroupNameLdapAttribute()), null);
                updateAttributesOfKCGroup(findKcGroupByLDAPGroup, lDAPObject);
            } else if (!this.syncFromLDAPPerformedInThisTransaction) {
                syncDataFromFederationProviderToKeycloak(realmModel);
                findKcGroupByLDAPGroup = findKcGroupByLDAPGroup(realmModel, groupModel, lDAPObject);
            }
            if (findKcGroupByLDAPGroup == null) {
                logger.warnf("User '%s' is member of group '%s', which doesn't exist in LDAP", userModel.getUsername(), lDAPObject.getAttributeAsString(this.config.getGroupNameLdapAttribute()));
            }
        }
        return findKcGroupByLDAPGroup;
    }

    protected List<LDAPObject> getAllLDAPGroups(boolean z) {
        LDAPQuery createGroupQuery = createGroupQuery(z);
        try {
            List<LDAPObject> loadAllLDAPObjects = LDAPUtils.loadAllLDAPObjects(createGroupQuery, this.ldapProvider);
            if (createGroupQuery != null) {
                createGroupQuery.close();
            }
            return loadAllLDAPObjects;
        } catch (Throwable th) {
            if (createGroupQuery != null) {
                try {
                    createGroupQuery.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Override // org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper, org.keycloak.storage.ldap.mappers.LDAPStorageMapper
    public SynchronizationResult syncDataFromKeycloakToFederationProvider(RealmModel realmModel) {
        SynchronizationResult synchronizationResult = new SynchronizationResult() { // from class: org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper.2
            public String getStatus() {
                return String.format("%d groups imported to LDAP, %d groups updated to LDAP, %d groups removed from LDAP", Integer.valueOf(getAdded()), Integer.valueOf(getUpdated()), Integer.valueOf(getRemoved()));
            }
        };
        if (this.config.getMode() != LDAPGroupMapperMode.LDAP_ONLY) {
            logger.warnf("Ignored sync for federation mapper '%s' as it's mode is '%s'", this.mapperModel.getName(), this.config.getMode().toString());
            return synchronizationResult;
        }
        logger.debugf("Syncing groups from Keycloak into LDAP. Mapper is [%s], LDAP provider is [%s]", this.mapperModel.getName(), this.ldapProvider.getModel().getName());
        List<LDAPObject> allLDAPGroups = getAllLDAPGroups(this.config.isPreserveGroupsInheritance());
        HashMap hashMap = new HashMap();
        String groupNameLdapAttribute = this.config.getGroupNameLdapAttribute();
        for (LDAPObject lDAPObject : allLDAPGroups) {
            hashMap.put(lDAPObject.getAttributeAsString(groupNameLdapAttribute), lDAPObject);
        }
        HashSet hashSet = new HashSet();
        getKcSubGroups(realmModel, null).forEach(groupModel -> {
            processKeycloakGroupSyncToLDAP(groupModel, hashMap, hashSet, synchronizationResult);
        });
        if (this.config.isDropNonExistingGroupsDuringSync()) {
            for (String str : new HashSet(hashMap.keySet())) {
                if (!hashSet.contains(str)) {
                    this.ldapProvider.getLdapIdentityStore().remove((LDAPObject) hashMap.remove(str));
                    synchronizationResult.increaseRemoved();
                }
            }
        }
        if (this.config.isPreserveGroupsInheritance()) {
            getKcSubGroups(realmModel, null).forEach(groupModel2 -> {
                processKeycloakGroupMembershipsSyncToLDAP(groupModel2, hashMap);
            });
        }
        return synchronizationResult;
    }

    private void processKeycloakGroupSyncToLDAP(GroupModel groupModel, Map<String, LDAPObject> map, Set<String> set, SynchronizationResult synchronizationResult) {
        String name = groupModel.getName();
        HashMap hashMap = new HashMap();
        for (String str : this.config.getGroupAttributes()) {
            Set<String> set2 = (Set) groupModel.getAttributeStream(str).collect(Collectors.toSet());
            hashMap.put(str, set2.isEmpty() ? null : set2);
        }
        LDAPObject lDAPObject = map.get(name);
        if (lDAPObject == null) {
            lDAPObject = createLDAPGroup(name, hashMap);
            synchronizationResult.increaseAdded();
        } else {
            for (Map.Entry<String, Set<String>> entry : hashMap.entrySet()) {
                lDAPObject.setAttribute(entry.getKey(), entry.getValue());
            }
            this.ldapProvider.getLdapIdentityStore().update(lDAPObject);
            synchronizationResult.increaseUpdated();
        }
        map.put(name, lDAPObject);
        set.add(name);
        groupModel.getSubGroupsStream().forEach(groupModel2 -> {
            processKeycloakGroupSyncToLDAP(groupModel2, map, set, synchronizationResult);
        });
    }

    private void processKeycloakGroupMembershipsSyncToLDAP(GroupModel groupModel, Map<String, LDAPObject> map) {
        LDAPObject lDAPObject = map.get(groupModel.getName());
        Set<LDAPDn> lDAPSubgroups = getLDAPSubgroups(lDAPObject);
        String membershipUserLdapAttribute = getMembershipUserLdapAttribute();
        Set set = (Set) groupModel.getSubGroupsStream().collect(Collectors.toSet());
        Iterator it = set.iterator();
        while (it.hasNext()) {
            LDAPObject lDAPObject2 = map.get(((GroupModel) it.next()).getName());
            if (!lDAPSubgroups.remove(lDAPObject2.getDn())) {
                LDAPUtils.addMember(this.ldapProvider, MembershipType.DN, this.config.getMembershipLdapAttribute(), membershipUserLdapAttribute, lDAPObject, lDAPObject2);
            }
        }
        for (LDAPDn lDAPDn : lDAPSubgroups) {
            LDAPObject lDAPObject3 = new LDAPObject();
            lDAPObject3.setDn(lDAPDn);
            LDAPUtils.deleteMember(this.ldapProvider, MembershipType.DN, this.config.getMembershipLdapAttribute(), membershipUserLdapAttribute, lDAPObject, lDAPObject3);
        }
        Iterator it2 = set.iterator();
        while (it2.hasNext()) {
            processKeycloakGroupMembershipsSyncToLDAP((GroupModel) it2.next(), map);
        }
    }

    private GroupModel getHighestPredecessorNotExistentInLdap(GroupModel groupModel, GroupModel groupModel2) {
        GroupModel parent = groupModel2.getParent();
        if (parent != groupModel && loadLDAPGroupByName(parent.getName()) == null) {
            return getHighestPredecessorNotExistentInLdap(groupModel, parent);
        }
        return groupModel2;
    }

    @Override // org.keycloak.storage.ldap.mappers.AbstractLDAPStorageMapper, org.keycloak.storage.ldap.mappers.LDAPStorageMapper
    public List<UserModel> getGroupMembers(RealmModel realmModel, GroupModel groupModel, int i, int i2) {
        LDAPObject loadLDAPGroupByName;
        if (this.config.getMode() != LDAPGroupMapperMode.IMPORT && isGroupInGroupPath(realmModel, groupModel) && (loadLDAPGroupByName = loadLDAPGroupByName(groupModel.getName())) != null) {
            return this.config.getMembershipTypeLdapAttribute().getGroupMembers(realmModel, this, loadLDAPGroupByName, i, i2);
        }
        return Collections.emptyList();
    }

    public void addGroupMappingInLDAP(RealmModel realmModel, GroupModel groupModel, LDAPObject lDAPObject) {
        String name = groupModel.getName();
        LDAPObject loadLDAPGroupByName = loadLDAPGroupByName(name);
        if (loadLDAPGroupByName == null) {
            if (this.config.isPreserveGroupsInheritance()) {
                GroupModel kcGroupsPathGroup = getKcGroupsPathGroup(realmModel);
                GroupModel highestPredecessorNotExistentInLdap = getHighestPredecessorNotExistentInLdap(kcGroupsPathGroup, groupModel);
                logger.debugf("Will sync group '%s' and it's subgroups from DB to LDAP", highestPredecessorNotExistentInLdap.getName());
                HashMap hashMap = new HashMap();
                processKeycloakGroupSyncToLDAP(highestPredecessorNotExistentInLdap, hashMap, new HashSet(), new SynchronizationResult());
                processKeycloakGroupMembershipsSyncToLDAP(highestPredecessorNotExistentInLdap, hashMap);
                loadLDAPGroupByName = loadLDAPGroupByName(name);
                if (highestPredecessorNotExistentInLdap.getParent() != kcGroupsPathGroup) {
                    LDAPUtils.addMember(this.ldapProvider, MembershipType.DN, this.config.getMembershipLdapAttribute(), getMembershipUserLdapAttribute(), loadLDAPGroupByName(highestPredecessorNotExistentInLdap.getParent().getName()), loadLDAPGroupByName);
                }
            } else {
                logger.debugf("Will sync group '%s' from DB to LDAP", name);
                processKeycloakGroupSyncToLDAP(groupModel, new HashMap(), new HashSet(), new SynchronizationResult());
                loadLDAPGroupByName = loadLDAPGroupByName(name);
            }
        }
        LDAPUtils.addMember(this.ldapProvider, this.config.getMembershipTypeLdapAttribute(), this.config.getMembershipLdapAttribute(), getMembershipUserLdapAttribute(), loadLDAPGroupByName, lDAPObject);
    }

    public void deleteGroupMappingInLDAP(LDAPObject lDAPObject, LDAPObject lDAPObject2) {
        LDAPUtils.deleteMember(this.ldapProvider, this.config.getMembershipTypeLdapAttribute(), this.config.getMembershipLdapAttribute(), getMembershipUserLdapAttribute(), lDAPObject2, lDAPObject);
    }

    protected List<LDAPObject> getLDAPGroupMappings(LDAPObject lDAPObject) {
        return this.factory.getUserGroupsRetrieveStrategy(this.config.getUserGroupsRetrieveStrategy()).getLDAPRoleMappings(this, lDAPObject, this.ldapProvider.getLdapIdentityStore().getConfig());
    }

    @Override // org.keycloak.storage.ldap.mappers.LDAPStorageMapper
    public void beforeLDAPQuery(LDAPQuery lDAPQuery) {
        this.factory.getUserGroupsRetrieveStrategy(this.config.getUserGroupsRetrieveStrategy()).beforeUserLDAPQuery(this, lDAPQuery);
    }

    @Override // org.keycloak.storage.ldap.mappers.LDAPStorageMapper
    public UserModel proxy(LDAPObject lDAPObject, UserModel userModel, RealmModel realmModel) {
        return this.config.getMode() == LDAPGroupMapperMode.IMPORT ? userModel : new LDAPGroupMappingsUserDelegate(realmModel, userModel, lDAPObject);
    }

    @Override // org.keycloak.storage.ldap.mappers.LDAPStorageMapper
    public void onRegisterUserToLDAP(LDAPObject lDAPObject, UserModel userModel, RealmModel realmModel) {
    }

    @Override // org.keycloak.storage.ldap.mappers.LDAPStorageMapper
    public void onImportUserFromLDAP(LDAPObject lDAPObject, UserModel userModel, RealmModel realmModel, boolean z) {
        if (this.config.getMode() == LDAPGroupMapperMode.IMPORT && z) {
            List<LDAPObject> lDAPGroupMappings = getLDAPGroupMappings(lDAPObject);
            if (lDAPGroupMappings.isEmpty()) {
                return;
            }
            GroupModel kcGroupsPathGroup = getKcGroupsPathGroup(realmModel);
            Iterator<LDAPObject> it = lDAPGroupMappings.iterator();
            while (it.hasNext()) {
                GroupModel findKcGroupOrSyncFromLDAP = findKcGroupOrSyncFromLDAP(realmModel, kcGroupsPathGroup, it.next(), userModel);
                if (findKcGroupOrSyncFromLDAP != null) {
                    logger.debugf("User '%s' joins group '%s' during import from LDAP", userModel.getUsername(), findKcGroupOrSyncFromLDAP.getName());
                    userModel.joinGroup(findKcGroupOrSyncFromLDAP);
                }
            }
        }
    }

    protected String getMembershipUserLdapAttribute() {
        return this.config.getMembershipUserLdapAttribute(this.ldapProvider.getLdapIdentityStore().getConfig());
    }

    protected String getKcGroupPathFromLDAPGroupName(String str) {
        return this.config.getGroupsPathWithTrailingSlash() + str;
    }

    protected GroupModel getKcGroupsPathGroup(RealmModel realmModel) {
        if (this.config.isTopLevelGroupsPath()) {
            return null;
        }
        return KeycloakModelUtils.findGroupByPath(this.session, realmModel, this.config.getGroupsPath());
    }

    protected boolean isGroupInGroupPath(RealmModel realmModel, GroupModel groupModel) {
        if (this.config.isTopLevelGroupsPath()) {
            return true;
        }
        GroupModel findGroupByPath = KeycloakModelUtils.findGroupByPath(this.session, realmModel, this.config.getGroupsPath());
        if (findGroupByPath == null) {
            return false;
        }
        while (!findGroupByPath.getId().equals(groupModel.getId())) {
            groupModel = groupModel.getParent();
            if (groupModel == null) {
                return false;
            }
        }
        return true;
    }

    protected GroupModel createKcGroup(RealmModel realmModel, String str, GroupModel groupModel) {
        if (groupModel == null) {
            groupModel = getKcGroupsPathGroup(realmModel);
        }
        return realmModel.createGroup(str, groupModel);
    }

    protected Stream<GroupModel> getKcSubGroups(RealmModel realmModel, GroupModel groupModel) {
        if (groupModel == null) {
            groupModel = getKcGroupsPathGroup(realmModel);
        }
        return groupModel == null ? this.session.groups().getTopLevelGroupsStream(realmModel) : groupModel.getSubGroupsStream();
    }

    protected Stream<GroupModel> getAllKcGroups(RealmModel realmModel, GroupModel groupModel) {
        Stream<GroupModel> groupsStream = realmModel.getGroupsStream();
        return groupModel == null ? groupsStream : groupsStream.filter(groupModel2 -> {
            GroupModel parent = groupModel2.getParent();
            while (true) {
                GroupModel groupModel2 = parent;
                if (groupModel2 == null) {
                    return false;
                }
                if (groupModel2.getId().equals(groupModel.getId())) {
                    return true;
                }
                parent = groupModel2.getParent();
            }
        });
    }
}
