package org.keycloak.federation.ldap.mappers;

import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import org.jboss.logging.Logger;
import org.keycloak.federation.ldap.LDAPFederationProvider;
import org.keycloak.federation.ldap.mappers.RoleLDAPFederationMapper;
import org.keycloak.mappers.MapperConfigValidationException;
import org.keycloak.mappers.UserFederationMapper;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserFederationMapperModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserFederationProviderModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.provider.ProviderEvent;
import org.keycloak.provider.ProviderEventListener;

/* loaded from: input_file:org/keycloak/federation/ldap/mappers/RoleLDAPFederationMapperFactory.class */
/**
 * Factory for {@link RoleLDAPFederationMapper}: publishes the admin-console configuration schema
 * for the "role-ldap-mapper" mapper type, validates a mapper's configuration, and registers a
 * listener that runs an initial role sync from LDAP whenever a mapper of this type is created.
 *
 * NOTE(review): this is a decompiled listing (see the {@code m16create} comment); the method
 * name there is a decompiler artifact for the real {@code create} method.
 */
public class RoleLDAPFederationMapperFactory extends AbstractLDAPFederationMapperFactory {
    /** Mapper type id; the event listener below only reacts to mappers carrying this type. */
    public static final String PROVIDER_ID = "role-ldap-mapper";
    private static final Logger logger = Logger.getLogger(RoleLDAPFederationMapperFactory.class);
    /**
     * Configuration schema shown for this mapper type. Filled exactly once by the static
     * initializer and shared by every instance (and subclass) of this factory, so it should be
     * treated as read-only after class initialization.
     */
    protected static final List<ProviderConfigProperty> configProperties = new ArrayList<ProviderConfigProperty>();

    static {
        registerConfigProperties();
    }

    /** Human-readable description shown next to the mapper type in the admin console. */
    public String getHelpText() {
        return "Used to map role mappings of roles from some LDAP DN to Keycloak role mappings of either realm roles or client roles of particular client";
    }

    /** Category under which this mapper type is grouped in the admin console. */
    public String getDisplayCategory() {
        return AbstractLDAPFederationMapperFactory.ROLE_MAPPER_CATEGORY;
    }

    /** Display name of this mapper type. */
    public String getDisplayType() {
        return "Role mappings";
    }

    /**
     * Returns the shared configuration schema.
     *
     * @return the static, shared list of config properties (callers should not modify it)
     */
    public List<ProviderConfigProperty> getConfigProperties() {
        return configProperties;
    }

    /** @return {@link #PROVIDER_ID} */
    public String getId() {
        return PROVIDER_ID;
    }

    /**
     * Registers the listener that performs the initial LDAP role sync for newly created mappers
     * of this type.
     *
     * @param keycloakSessionFactory session factory on which the listener is registered
     */
    @Override // org.keycloak.federation.ldap.mappers.AbstractLDAPFederationMapperFactory
    public void postInit(KeycloakSessionFactory keycloakSessionFactory) {
        keycloakSessionFactory.register(new InitialRoleSyncListener());
    }

    /**
     * Reacts to {@link RealmModel.UserFederationMapperEvent}s for mappers of type
     * {@link #PROVIDER_ID} by resolving the owning federation provider and running
     * {@link RoleLDAPFederationMapper#syncRolesFromLDAP}.
     *
     * Any failure of the sync (missing provider, provider that is not an LDAP provider, LDAP
     * errors) is only logged at WARN and not propagated, so the mapper itself still ends up
     * created; presumably the admin has to check the server log to notice that the initial
     * sync did not happen.
     */
    private static class InitialRoleSyncListener implements ProviderEventListener {
        public void onEvent(ProviderEvent providerEvent) {
            if (!(providerEvent instanceof RealmModel.UserFederationMapperEvent)) {
                return;
            }
            RealmModel.UserFederationMapperEvent mapperEvent = (RealmModel.UserFederationMapperEvent) providerEvent;
            UserFederationMapperModel mapperModel = mapperEvent.getFederationMapper();
            RealmModel realm = mapperEvent.getRealm();
            KeycloakSession session = mapperEvent.getSession();
            // Other mapper types fire the same event; only our own mapper type triggers a sync.
            if (!mapperModel.getFederationMapperType().equals(PROVIDER_ID)) {
                return;
            }
            try {
                syncRolesFromLdap(mapperModel, realm, session);
            } catch (Exception e) {
                // Best-effort: the sync failure must not break mapper creation, but it is
                // surfaced in the log together with the cause.
                RoleLDAPFederationMapperFactory.logger.warn("Exception during initial sync of roles from LDAP.", e);
            }
        }

        /**
         * Looks up the federation provider the mapper belongs to, instantiates it and runs the
         * role sync against it.
         *
         * @throws IllegalStateException if the mapper references a provider id unknown in the realm
         */
        private static void syncRolesFromLdap(UserFederationMapperModel mapperModel, RealmModel realm, KeycloakSession session) {
            String providerId = mapperModel.getFederationProviderId();
            UserFederationProviderModel providerModel = KeycloakModelUtils.findUserFederationProviderById(providerId, realm);
            if (providerModel == null) {
                throw new IllegalStateException("Can't find federation provider with ID [" + providerId + "] in realm " + realm.getName());
            }
            // The cast assumes the mapper is attached to an LDAP provider; a ClassCastException here
            // ends up in the WARN log of the caller like any other sync failure.
            LDAPFederationProvider ldapProvider = (LDAPFederationProvider) session.getKeycloakSessionFactory()
                    .getProviderFactory(UserFederationProvider.class, providerModel.getProviderName())
                    .getInstance(session, providerModel);
            new RoleLDAPFederationMapper().syncRolesFromLDAP(mapperModel, ldapProvider, realm);
        }
    }

    /**
     * Validates a mapper configuration: roles DN and mode are always required; a client id is
     * required unless realm-role mapping is enabled.
     *
     * Note that {@code Boolean.parseBoolean(null)} is {@code false}, so when the
     * "Use Realm Roles Mapping" flag is absent from the config, the client id becomes mandatory.
     *
     * @throws MapperConfigValidationException when a required attribute is missing or blank
     */
    public void validateConfig(UserFederationMapperModel userFederationMapperModel) throws MapperConfigValidationException {
        checkMandatoryConfigAttribute(RoleLDAPFederationMapper.ROLES_DN, "LDAP Roles DN", userFederationMapperModel);
        checkMandatoryConfigAttribute(RoleLDAPFederationMapper.MODE, "Mode", userFederationMapperModel);
        String useRealmRoles = (String) userFederationMapperModel.getConfig().get(RoleLDAPFederationMapper.USE_REALM_ROLES_MAPPING);
        boolean mapsToRealmRoles = Boolean.parseBoolean(useRealmRoles);
        if (!mapsToRealmRoles) {
            String clientId = (String) userFederationMapperModel.getConfig().get(RoleLDAPFederationMapper.CLIENT_ID);
            boolean clientIdMissing = clientId == null || clientId.trim().isEmpty();
            if (clientIdMissing) {
                throw new MapperConfigValidationException("Client ID needs to be provided in config when Realm Roles Mapping is not used");
            }
        }
    }

    /**
     * Creates a fresh mapper instance. Decompiler note: this is the real {@code create} method,
     * renamed because it was merged with its bridge method.
     */
    /* renamed from: create, reason: merged with bridge method [inline-methods] */
    public UserFederationMapper m16create(KeycloakSession keycloakSession) {
        return new RoleLDAPFederationMapper();
    }

    /** Builds the option list for the "Mode" property from the {@link RoleLDAPFederationMapper.Mode} enum. */
    private static List<String> modeNames() {
        List<String> names = new LinkedList<String>();
        for (RoleLDAPFederationMapper.Mode mode : RoleLDAPFederationMapper.Mode.values()) {
            names.add(mode.toString());
        }
        return names;
    }

    /**
     * Populates {@link #configProperties}. Called once from the static initializer, after the
     * list itself has been created.
     */
    private static void registerConfigProperties() {
        // Base DN of the LDAP subtree holding the role objects. Admin-supplied; only presence is
        // validated here (see validateConfig), not DN syntax.
        configProperties.add(createConfigProperty(RoleLDAPFederationMapper.ROLES_DN, "LDAP Roles DN", "LDAP DN where are roles of this tree saved. For example 'ou=finance,dc=example,dc=org' ", "String", null));
        configProperties.add(createConfigProperty(RoleLDAPFederationMapper.ROLE_NAME_LDAP_ATTRIBUTE, "Role Name LDAP Attribute", "Name of LDAP attribute, which is used in role objects for name and RDN of role. Usually it will be 'cn' . In this case typical group/role object may have DN like 'cn=role1,ou=finance,dc=example,dc=org' ", "String", "cn"));
        configProperties.add(createConfigProperty(RoleLDAPFederationMapper.MEMBERSHIP_LDAP_ATTRIBUTE, "Membership LDAP Attribute", "Name of LDAP attribute on role, which is used for membership mappings. Usually it will be 'member' ", "String", "member"));
        configProperties.add(createConfigProperty(RoleLDAPFederationMapper.ROLE_OBJECT_CLASSES, "Role Object Classes", "Object class (or classes) of the role object. It's divided by comma if more classes needed. In typical LDAP deployment it could be 'groupOfNames' . In Active Directory it's usually 'group' ", "String", null));
        // NOTE(review): per the help text, LDAP_ONLY also writes role grants back into LDAP, so in
        // that mode the federation bind account needs write access to the roles DN; which account
        // and privileges are used is not visible from this class — keep that account scoped to
        // the roles subtree where possible.
        configProperties.add(createConfigProperty(RoleLDAPFederationMapper.MODE, "Mode", "LDAP_ONLY means that all role mappings are retrieved from LDAP and saved into LDAP. READ_ONLY is Read-only LDAP mode where role mappings are retrieved from both LDAP and DB and merged together. New role grants are not saved to LDAP but to DB. IMPORT is Read-only LDAP mode where role mappings are retrieved from LDAP just at the time when user is imported from LDAP and then they are saved to local keycloak DB.", "List", modeNames()));
        configProperties.add(createConfigProperty(RoleLDAPFederationMapper.USE_REALM_ROLES_MAPPING, "Use Realm Roles Mapping", "If true, then LDAP role mappings will be mapped to realm role mappings in Keycloak. Otherwise it will be mapped to client role mappings", "boolean", "true"));
        configProperties.add(createConfigProperty(RoleLDAPFederationMapper.CLIENT_ID, "Client ID", "Client ID of client to which LDAP role mappings will be mapped. Applicable just if 'Use Realm Roles Mapping' is false", "ClientList", null));
    }
}
