package org.keycloak.protocol.oidc.mappers;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.jboss.logging.Logger;
import org.keycloak.authentication.authenticators.util.LoAUtil;
import org.keycloak.common.Profile;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.utils.AcrUtils;
import org.keycloak.provider.EnvironmentDependentProviderFactory;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;
import org.keycloak.services.managers.AuthenticationManager;

/* loaded from: input_file:org/keycloak/protocol/oidc/mappers/AcrProtocolMapper.class */
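/**
 * OIDC protocol mapper that writes the {@code acr} (Authentication Context Class Reference)
 * claim into tokens, derived from the level of authentication (LoA) recorded on the
 * authenticated client session.
 *
 * <p>The mapper is only offered when the step-up authentication feature is enabled
 * (see {@link #isSupported()}).
 *
 * <p>Review notes for consumers of the claim:
 * <ul>
 *   <li>The numeric level comes from the client session via {@code LoAUtil}. The ACR values
 *       carried in the session notes are only passed to {@code AcrUtils.mapLoaToAcr} as
 *       candidate names. Presumably they cannot raise the level; confirm in {@code AcrUtils}.</li>
 *   <li>When no level was recorded (negative value), the level is assumed, not measured:
 *       {@code 0} for an SSO authentication and {@code 1} otherwise.</li>
 *   <li>If no ACR name maps to the level, the claim is the bare number as a string, so a
 *       relying party that enforces step-up must handle both named and numeric values.</li>
 * </ul>
 */
public class AcrProtocolMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper, OIDCIDTokenMapper, TokenIntrospectionTokenMapper, EnvironmentDependentProviderFactory {
    private static final Logger logger = Logger.getLogger(AcrProtocolMapper.class);

    // Typed with the diamond operator; the decompiled raw `new ArrayList()` compiled only with an unchecked warning.
    private static final List<ProviderConfigProperty> configProperties = new ArrayList<>();

    /** Provider id under which this mapper is registered and referenced by mapper models. */
    public static final String PROVIDER_ID = "oidc-acr-mapper";

    static {
        // Must stay after the configProperties declaration: static initialisers run in textual order.
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(configProperties, AcrProtocolMapper.class);
    }

    /**
     * Returns the configuration properties of this mapper.
     *
     * @return the shared, mutable list populated in the static initialiser; callers should
     *     treat it as read-only because every caller receives the same instance
     */
    public List<ProviderConfigProperty> getConfigProperties() {
        return configProperties;
    }

    /**
     * Returns the provider id of this mapper.
     *
     * @return {@link #PROVIDER_ID}
     */
    public String getId() {
        return PROVIDER_ID;
    }

    /**
     * Returns the human-readable mapper type.
     *
     * @return the display name of the mapper
     */
    public String getDisplayType() {
        return "Authentication Context Class Reference (ACR)";
    }

    /**
     * Returns the category this mapper is listed under.
     *
     * @return the token-mapper category constant of {@link AbstractOIDCProtocolMapper}
     */
    public String getDisplayCategory() {
        return AbstractOIDCProtocolMapper.TOKEN_MAPPER_CATEGORY;
    }

    /**
     * Returns the help text describing what the mapper does.
     *
     * @return the help text
     */
    public String getHelpText() {
        return "Maps the achieved LoA (Level of Authentication) to the 'acr' claim of the token";
    }

    /**
     * Sets the {@code acr} claim on the token from the client session held by the context.
     *
     * @param token the token being built
     * @param mappingModel the mapper configuration (not read here)
     * @param userSession the user session (not read here)
     * @param keycloakSession the Keycloak session (not read here)
     * @param clientSessionCtx the context whose client session supplies the level of authentication
     */
    @Override // org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession, KeycloakSession keycloakSession, ClientSessionContext clientSessionCtx) {
        token.setAcr(getAcr(clientSessionCtx.getClientSession()));
    }

    /**
     * Builds a mapper model for this provider with the requested token targets enabled.
     *
     * <p>A target flag is written to the config only when it is {@code true}. A {@code false}
     * argument leaves the key absent rather than storing {@code "false"}.
     *
     * @param name the name of the mapper model
     * @param accessToken whether to set the include-in-access-token flag
     * @param idToken whether to set the include-in-ID-token flag
     * @param introspectionEndpoint whether to set the include-in-introspection flag
     * @return a new model bound to {@link #PROVIDER_ID} and the {@code openid-connect} protocol
     */
    public static ProtocolMapperModel create(String name, boolean accessToken, boolean idToken, boolean introspectionEndpoint) {
        ProtocolMapperModel mapper = new ProtocolMapperModel();
        mapper.setName(name);
        mapper.setProtocolMapper(PROVIDER_ID);
        mapper.setProtocol("openid-connect");

        // Typed map instead of the decompiled raw HashMap, so a non-String value cannot slip into the config.
        Map<String, String> config = new HashMap<>();
        if (accessToken) {
            config.put(OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN, "true");
        }
        if (idToken) {
            config.put(OIDCAttributeMapperHelper.INCLUDE_IN_ID_TOKEN, "true");
        }
        if (introspectionEndpoint) {
            config.put(OIDCAttributeMapperHelper.INCLUDE_IN_INTROSPECTION, "true");
        }
        mapper.setConfig(config);
        return mapper;
    }

    /**
     * Resolves the {@code acr} value to emit for the given client session.
     *
     * <p>Candidate ACR names are tried in this order, and the first non-null mapping wins:
     * <ol>
     *   <li>the required ACR values taken from the {@code "claims"} session note;</li>
     *   <li>the ACR values from the {@code "claims"} note, the ACR parameter note and the client;</li>
     *   <li>every ACR name in the client's ACR-to-LoA map;</li>
     *   <li>the numeric level itself, rendered as a string.</li>
     * </ol>
     *
     * @param clientSession the authenticated client session to read the level and notes from
     * @return the ACR name mapped to the effective level, or the level as a decimal string
     */
    protected String getAcr(AuthenticatedClientSessionModel clientSession) {
        int loa = LoAUtil.getCurrentLevelOfAuthentication(clientSession);
        logger.tracef("Loa level when authenticated to client %s: %d", clientSession.getClient().getClientId(), loa);
        if (loa < 0) {
            // No level recorded on the session: assume 0 for SSO re-use, 1 for a fresh authentication.
            loa = AuthenticationManager.isSSOAuthentication(clientSession) ? 0 : 1;
        }

        Map<String, Integer> acrLoaMap = AcrUtils.getAcrLoaMap(clientSession.getClient());

        String acr = AcrUtils.mapLoaToAcr(loa, acrLoaMap, AcrUtils.getRequiredAcrValues(clientSession.getNote("claims")));
        if (acr == null) {
            acr = AcrUtils.mapLoaToAcr(loa, acrLoaMap, AcrUtils.getAcrValues(clientSession.getNote("claims"), clientSession.getNote(OIDCLoginProtocol.ACR_PARAM), clientSession.getClient()));
        }
        if (acr == null) {
            acr = AcrUtils.mapLoaToAcr(loa, acrLoaMap, acrLoaMap.keySet());
        }
        if (acr == null) {
            // Nothing maps to this level: emit the bare number so the claim is never absent.
            acr = String.valueOf(loa);
        }

        // The level logged here is the effective one, i.e. after the fallback above was applied.
        logger.tracef("Level sent in the token to client %s: %s. Original loa from the authentication: %d", clientSession.getClient().getClientId(), acr, loa);
        return acr;
    }

    /**
     * Reports whether this provider is available in the running server.
     *
     * @return {@code true} only when the step-up authentication feature is enabled
     */
    public boolean isSupported() {
        return Profile.isFeatureEnabled(Profile.Feature.STEP_UP_AUTHENTICATION);
    }
}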
