package org.keycloak.broker.oidc.mappers;

import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;

/* loaded from: input_file:org/keycloak/broker/oidc/mappers/AbstractClaimToRoleMapper.class */
public abstract class AbstractClaimToRoleMapper extends AbstractClaimMapper {
    public void importNewUser(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, IdentityProviderMapperModel identityProviderMapperModel, BrokeredIdentityContext brokeredIdentityContext) {
        RoleModel role = getRole(realmModel, identityProviderMapperModel);
        if (applies(identityProviderMapperModel, brokeredIdentityContext)) {
            userModel.grantRole(role);
        }
    }

    public void updateBrokeredUserLegacy(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, IdentityProviderMapperModel identityProviderMapperModel, BrokeredIdentityContext brokeredIdentityContext) {
        RoleModel role = getRole(realmModel, identityProviderMapperModel);
        if (applies(identityProviderMapperModel, brokeredIdentityContext)) {
            return;
        }
        userModel.deleteRoleMapping(role);
    }

    public void updateBrokeredUser(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, IdentityProviderMapperModel identityProviderMapperModel, BrokeredIdentityContext brokeredIdentityContext) {
        RoleModel role = getRole(realmModel, identityProviderMapperModel);
        String str = (String) identityProviderMapperModel.getConfig().get("role");
        if (brokeredIdentityContext.hasMapperGrantedRole(str)) {
            return;
        }
        if (!applies(identityProviderMapperModel, brokeredIdentityContext)) {
            userModel.deleteRoleMapping(role);
        } else {
            brokeredIdentityContext.addMapperGrantedRole(str);
            userModel.grantRole(role);
        }
    }

    protected abstract boolean applies(IdentityProviderMapperModel identityProviderMapperModel, BrokeredIdentityContext brokeredIdentityContext);

    private RoleModel getRole(RealmModel realmModel, IdentityProviderMapperModel identityProviderMapperModel) {
        String str = (String) identityProviderMapperModel.getConfig().get("role");
        RoleModel roleFromString = KeycloakModelUtils.getRoleFromString(realmModel, str);
        if (roleFromString == null) {
            throw new IdentityBrokerException("Unable to find role: " + str);
        }
        return roleFromString;
    }
}
