package org.keycloak.protocol.oidc.mappers;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Set;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.protocol.oidc.utils.WebOriginsUtils;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.AccessToken;

/* loaded from: input_file:org/keycloak/protocol/oidc/mappers/AllowedWebOriginsProtocolMapper.class */
/**
 * OIDC protocol mapper that publishes the client's allowed web origins on the token.
 *
 * <p>Per the mapper's own help text, the origins end up in the {@code allowed-origins} claim.
 * The mapper can act on two outputs: the access token and the token introspection response.
 * Each output is controlled by its own config flag.
 *
 * <p>Defaults worth knowing when auditing a realm: for the two flags evaluated in this class,
 * a missing config entry counts as <em>enabled</em>. Only a present value other than the exact
 * string {@code "true"} switches the output off. The lightweight-access-token decision is
 * delegated to {@link OIDCAttributeMapperHelper}; its default is not visible from this class.
 */
public class AllowedWebOriginsProtocolMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper, TokenIntrospectionTokenMapper {
    public static final String PROVIDER_ID = "oidc-allowed-origins-mapper";

    // Single class-wide list, filled once by the static initializer below.
    private static final List<ProviderConfigProperty> configProperties = new ArrayList<>();

    static {
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(configProperties, AllowedWebOriginsProtocolMapper.class);
    }

    /**
     * Returns the config properties registered for this mapper.
     *
     * <p>The returned list is the shared static instance, not a copy, so callers must treat it
     * as read-only.
     *
     * @return the class-wide property list
     */
    public List<ProviderConfigProperty> getConfigProperties() {
        return configProperties;
    }

    /**
     * @return the provider id, {@link #PROVIDER_ID}
     */
    public String getId() {
        return PROVIDER_ID;
    }

    /**
     * @return the human-readable mapper name
     */
    public String getDisplayType() {
        return "Allowed Web Origins";
    }

    /**
     * @return the token-mapper category constant inherited from {@link AbstractOIDCProtocolMapper}
     */
    public String getDisplayCategory() {
        return AbstractOIDCProtocolMapper.TOKEN_MAPPER_CATEGORY;
    }

    /**
     * @return a one-line description of what the mapper adds to the token
     */
    public String getHelpText() {
        return "Adds all allowed web origins to the 'allowed-origins' claim in the token";
    }

    /**
     * Adds the allowed origins to an access token when the mapper is enabled for it.
     *
     * <p>When the session uses lightweight tokens the lightweight-token flag decides; otherwise
     * the regular include-in-access-token flag does.
     *
     * @param accessToken          token to enrich; returned as-is when the mapper is disabled
     * @param protocolMapperModel  mapper configuration holding the include flags
     * @param keycloakSession      current session, used for the lightweight check and origin resolution
     * @param userSessionModel     not used by this mapper
     * @param clientSessionContext supplies the client whose web origins are read
     * @return the same {@code accessToken} instance
     */
    @Override
    public AccessToken transformAccessToken(AccessToken accessToken, ProtocolMapperModel protocolMapperModel, KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        final boolean enabled;
        if (getShouldUseLightweightToken(keycloakSession)) {
            enabled = OIDCAttributeMapperHelper.includeInLightweightAccessToken(protocolMapperModel);
        } else {
            enabled = includeInAccessToken(protocolMapperModel);
        }
        if (enabled) {
            setWebOrigin(accessToken, keycloakSession, clientSessionContext);
        }
        return accessToken;
    }

    /**
     * Reads the include-in-access-token flag.
     *
     * @param protocolMapperModel mapper configuration
     * @return {@code true} when the flag is absent or exactly {@code "true"}; {@code false} otherwise
     */
    private boolean includeInAccessToken(ProtocolMapperModel protocolMapperModel) {
        String flag = (String) protocolMapperModel.getConfig().get(OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN);
        // Absent flag means "on": the claim is emitted unless it is explicitly disabled.
        return flag == null || "true".equals(flag);
    }

    /**
     * Adds the allowed origins to an introspection response when the mapper is enabled for it.
     *
     * @param accessToken          token representation to enrich; returned as-is when disabled
     * @param protocolMapperModel  mapper configuration holding the include flags
     * @param keycloakSession      current session, passed on for origin resolution
     * @param userSessionModel     not used by this mapper
     * @param clientSessionContext supplies the client whose web origins are read
     * @return the same {@code accessToken} instance
     */
    @Override
    public AccessToken transformIntrospectionToken(AccessToken accessToken, ProtocolMapperModel protocolMapperModel, KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        if (includeInIntrospection(protocolMapperModel)) {
            setWebOrigin(accessToken, keycloakSession, clientSessionContext);
        }
        return accessToken;
    }

    /**
     * Reads the include-in-introspection flag.
     *
     * @param protocolMapperModel mapper configuration
     * @return {@code true} when the flag is absent or exactly {@code "true"}; {@code false} otherwise
     */
    private boolean includeInIntrospection(ProtocolMapperModel protocolMapperModel) {
        String flag = (String) protocolMapperModel.getConfig().get(OIDCAttributeMapperHelper.INCLUDE_IN_INTROSPECTION);
        // Same default-on rule as the access-token flag.
        return flag == null || "true".equals(flag);
    }

    /**
     * Builds a copy of the mapper model in which both include flags are written out explicitly.
     *
     * <p>The copy is made by converting the model to its representation and back, so the stored
     * model passed in is not modified. The implicit defaults are then stored as {@code "true"} or
     * {@code "false"} strings.
     *
     * @param keycloakSession     not used by this implementation
     * @param realmModel          not used by this implementation
     * @param protocolMapperModel the stored mapper model
     * @return a new model carrying explicit values for both include flags
     */
    @Override
    public ProtocolMapperModel getEffectiveModel(KeycloakSession keycloakSession, RealmModel realmModel, ProtocolMapperModel protocolMapperModel) {
        ProtocolMapperModel effective = RepresentationToModel.toModel(ModelToRepresentation.toRepresentation(protocolMapperModel));

        String accessTokenFlag = String.valueOf(includeInAccessToken(effective));
        effective.getConfig().put(OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN, accessTokenFlag);

        String introspectionFlag = String.valueOf(includeInIntrospection(effective));
        effective.getConfig().put(OIDCAttributeMapperHelper.INCLUDE_IN_INTROSPECTION, introspectionFlag);

        return effective;
    }

    /**
     * Writes the client's resolved web origins onto the token.
     *
     * <p>When the client has no web origins configured the token is left untouched, so any
     * allowed-origins value it already carries is neither cleared nor replaced.
     *
     * @param accessToken          token that receives the origins
     * @param keycloakSession      session handed to the origin resolver
     * @param clientSessionContext supplies the client session and, through it, the client
     */
    private void setWebOrigin(AccessToken accessToken, KeycloakSession keycloakSession, ClientSessionContext clientSessionContext) {
        ClientModel client = clientSessionContext.getClientSession().getClient();
        Set<String> configuredOrigins = client.getWebOrigins();
        boolean hasOrigins = configuredOrigins != null && !configuredOrigins.isEmpty();
        if (hasOrigins) {
            // The claim takes the resolver's output rather than the configured set itself.
            // NOTE(review): what the resolver expands or filters is defined in WebOriginsUtils;
            // confirm that before relying on this claim for cross-origin decisions.
            accessToken.setAllowedOrigins(WebOriginsUtils.resolveValidWebOrigins(keycloakSession, client));
        }
    }

    /**
     * Creates an OpenID Connect mapper model for this provider with both include flags set.
     *
     * @param str mapper name
     * @param z   whether to include the origins in the access token
     * @param z2  whether to include the origins in the introspection response
     * @return a new, fully configured mapper model
     */
    public static ProtocolMapperModel createClaimMapper(String str, boolean z, boolean z2) {
        ProtocolMapperModel mapper = new ProtocolMapperModel();
        mapper.setName(str);
        mapper.setProtocolMapper(PROVIDER_ID);
        mapper.setProtocol("openid-connect");

        // Both flags are always written, so a model built here never relies on the default-on rule.
        HashMap<String, String> config = new HashMap<>();
        config.put(OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN, z ? "true" : SamlProtocol.ATTRIBUTE_FALSE_VALUE);
        config.put(OIDCAttributeMapperHelper.INCLUDE_IN_INTROSPECTION, z2 ? "true" : SamlProtocol.ATTRIBUTE_FALSE_VALUE);
        mapper.setConfig(config);
        return mapper;
    }
}
