package org.keycloak.storage.ldap;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Stream;
import javax.naming.AuthenticationException;
import javax.naming.NamingException;
import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialAuthentication;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputUpdater;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.federation.kerberos.KerberosPrincipal;
import org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator;
import org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator;
import org.keycloak.models.CredentialValidationOutput;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.ModelException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserManager;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider;
import org.keycloak.models.cache.CachedUserModel;
import org.keycloak.models.cache.UserCache;
import org.keycloak.models.utils.ReadOnlyUserModelDelegate;
import org.keycloak.policy.PasswordPolicyManagerProvider;
import org.keycloak.policy.PolicyError;
import org.keycloak.storage.DatastoreProvider;
import org.keycloak.storage.ReadOnlyException;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStoragePrivateUtil;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.UserStorageProviderModel;
import org.keycloak.storage.UserStorageUtil;
import org.keycloak.storage.adapter.InMemoryUserAdapter;
import org.keycloak.storage.adapter.UpdateOnlyChangeUserModelDelegate;
import org.keycloak.storage.ldap.idm.model.LDAPDn;
import org.keycloak.storage.ldap.idm.model.LDAPObject;
import org.keycloak.storage.ldap.idm.query.Condition;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQuery;
import org.keycloak.storage.ldap.idm.query.internal.LDAPQueryConditionsBuilder;
import org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore;
import org.keycloak.storage.ldap.kerberos.LDAPProviderKerberosConfig;
import org.keycloak.storage.ldap.mappers.LDAPMappersComparator;
import org.keycloak.storage.ldap.mappers.LDAPOperationDecorator;
import org.keycloak.storage.ldap.mappers.LDAPStorageMapper;
import org.keycloak.storage.ldap.mappers.LDAPStorageMapperManager;
import org.keycloak.storage.ldap.mappers.PasswordUpdateCallback;
import org.keycloak.storage.user.ImportedUserValidation;
import org.keycloak.storage.user.UserLookupProvider;
import org.keycloak.storage.user.UserQueryMethodsProvider;
import org.keycloak.storage.user.UserRegistrationProvider;
import org.keycloak.userprofile.AttributeGroupMetadata;
import org.keycloak.userprofile.AttributeMetadata;
import org.keycloak.userprofile.UserProfileDecorator;
import org.keycloak.userprofile.UserProfileMetadata;
import org.keycloak.userprofile.UserProfileUtil;
import org.keycloak.utils.StreamsUtil;

/* loaded from: input_file:org/keycloak/storage/ldap/LDAPStorageProvider.class */
public class LDAPStorageProvider implements UserStorageProvider, CredentialInputValidator, CredentialInputUpdater, CredentialAuthentication, UserLookupProvider, UserRegistrationProvider, UserQueryMethodsProvider, ImportedUserValidation, UserProfileDecorator {
    private static final Logger logger = Logger.getLogger(LDAPStorageProvider.class);
    // Maximum handed to mappers by the group/role member streams when the caller passes no limit (2^30 - 1).
    private static final int DEFAULT_MAX_RESULTS = 1073741823;
    // Collaborators supplied through the constructor.
    protected LDAPStorageProviderFactory factory;
    protected KeycloakSession session;
    // Built in the constructor from the ComponentModel of this federation provider.
    protected UserStorageProviderModel model;
    protected LDAPIdentityStore ldapIdentityStore;
    // Read once from the identity store configuration in the constructor.
    protected UserStorageProvider.EditMode editMode;
    protected LDAPProviderKerberosConfig kerberosConfig;
    // Optional callback installed through setUpdater(); null until that is called.
    protected PasswordUpdateCallback updater;
    // Orders mapper components: proxy() sorts ascending, doImportUser() sorts descending.
    private LDAPMappersComparator ldapMappersComparator;
    // Populated in the constructor: always "password", plus "kerberos" when Kerberos authentication is allowed.
    protected final Set<String> supportedCredentialTypes = new HashSet();
    protected LDAPStorageMapperManager mapperManager = new LDAPStorageMapperManager(this);
    // Registry consulted by proxy() and loadAndValidateUser() for already managed users and LDAP objects.
    protected LDAPStorageUserManager userManager = new LDAPStorageUserManager(this);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.keycloak.storage.ldap.LDAPStorageProvider$1, reason: invalid class name */
    /* loaded from: input_file:org/keycloak/storage/ldap/LDAPStorageProvider$1.class */
    // Compiler-generated lookup table for switching on UserStorageProvider.EditMode, as rendered by the
    // decompiler. It maps each constant's ordinal to a case number: READ_ONLY -> 1, WRITABLE -> 2,
    // UNSYNCED -> 3. proxy() indexes this array to pick its edit-mode branch. A constant that is
    // missing at runtime raises NoSuchFieldError, which is swallowed, leaving that slot at 0.
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$keycloak$storage$UserStorageProvider$EditMode = new int[UserStorageProvider.EditMode.values().length];

        static {
            try {
                $SwitchMap$org$keycloak$storage$UserStorageProvider$EditMode[UserStorageProvider.EditMode.READ_ONLY.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$keycloak$storage$UserStorageProvider$EditMode[UserStorageProvider.EditMode.WRITABLE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$keycloak$storage$UserStorageProvider$EditMode[UserStorageProvider.EditMode.UNSYNCED.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/keycloak/storage/ldap/LDAPStorageProvider$ImportType.class */
    /**
     * Tells importUserFromLDAP what to do when import is enabled and a local user with the same
     * LDAP_ID already exists.
     */
    public enum ImportType {
        // Evict the existing local user from the user cache and run the import again.
        FORCED,
        // Return null instead of the existing user; searchForUserStream drops such nulls.
        NOT_FORCED_RETURN_NULL,
        // Return the existing user wrapped by proxy(), without re-importing its attributes.
        NOT_FORCED_RETURN_EXISTING
    }

    /**
     * Creates a provider bound to one LDAP federation component.
     *
     * <p>The edit mode is read once from the identity store configuration. The supported
     * credential types always include "password"; "kerberos" is added only when the Kerberos
     * configuration allows Kerberos authentication.
     *
     * @param lDAPStorageProviderFactory factory that created this provider
     * @param keycloakSession session this provider works in
     * @param componentModel component configuration, used for the provider model and Kerberos config
     * @param lDAPIdentityStore identity store used for LDAP access and configuration
     */
    public LDAPStorageProvider(LDAPStorageProviderFactory lDAPStorageProviderFactory, KeycloakSession keycloakSession, ComponentModel componentModel, LDAPIdentityStore lDAPIdentityStore) {
        factory = lDAPStorageProviderFactory;
        session = keycloakSession;
        model = new UserStorageProviderModel(componentModel);
        ldapIdentityStore = lDAPIdentityStore;
        kerberosConfig = new LDAPProviderKerberosConfig(componentModel);
        editMode = lDAPIdentityStore.getConfig().getEditMode();

        supportedCredentialTypes.add("password");
        boolean kerberosAllowed = kerberosConfig.isAllowKerberosAuthentication();
        if (kerberosAllowed) {
            supportedCredentialTypes.add("kerberos");
        }

        ldapMappersComparator = new LDAPMappersComparator(getLdapIdentityStore().getConfig());
    }

    /**
     * Installs the password update callback held by this provider.
     *
     * @param passwordUpdateCallback callback to store; replaces any previous one
     */
    public void setUpdater(PasswordUpdateCallback passwordUpdateCallback) {
        updater = passwordUpdateCallback;
    }

    /** @return the Keycloak session passed to the constructor */
    public KeycloakSession getSession() {
        return session;
    }

    /** @return the LDAP identity store passed to the constructor */
    public LDAPIdentityStore getLdapIdentityStore() {
        return ldapIdentityStore;
    }

    /** @return the edit mode captured from the identity store configuration at construction time */
    public UserStorageProvider.EditMode getEditMode() {
        return editMode;
    }

    /** @return the provider model built from the component configuration */
    public UserStorageProviderModel getModel() {
        return model;
    }

    /** @return the Kerberos configuration built from the component configuration */
    public LDAPProviderKerberosConfig getKerberosConfig() {
        return kerberosConfig;
    }

    /** @return the mapper manager owned by this provider */
    public LDAPStorageMapperManager getMapperManager() {
        return mapperManager;
    }

    /** @return the registry of managed users owned by this provider */
    public LDAPStorageUserManager getUserManager() {
        return userManager;
    }

    /**
     * Re-validates a local user against LDAP and returns it wrapped by {@code proxy}.
     *
     * @param realmModel realm the user belongs to
     * @param userModel local user to validate
     * @return the proxied user, or {@code null} when loadAndValidateUser finds no matching LDAP entry
     */
    public UserModel validate(RealmModel realmModel, UserModel userModel) {
        LDAPObject ldapEntry = loadAndValidateUser(realmModel, userModel);
        return ldapEntry == null ? null : proxy(realmModel, userModel, ldapEntry, false);
    }

    /**
     * Wraps a user in the delegates that apply this provider's edit mode, then lets every LDAP
     * mapper of the component decorate the result.
     *
     * <p>A proxy already registered for the user id is returned as is. READ_ONLY mode always wraps
     * the user in a read-only delegate. WRITABLE and UNSYNCED wrap it only when import is disabled
     * and {@code z} is false. The finished proxy is registered with the user manager.
     *
     * @param realmModel realm the user belongs to
     * @param userModel user to wrap; a {@code CachedUserModel} is first re-fetched by id
     * @param lDAPObject LDAP entry backing the user
     * @param z when true, skips the write-restricting delegate in WRITABLE/UNSYNCED mode (addUser passes true)
     * @return the proxied user
     */
    protected UserModel proxy(RealmModel realmModel, UserModel userModel, LDAPObject lDAPObject, boolean z) {
        UserModel registered = this.userManager.getManagedProxiedUser(userModel.getId());
        if (registered != null) {
            return registered;
        }
        if (userModel instanceof CachedUserModel) {
            // Re-fetch by id through the datastore's user storage manager, then check the registry again.
            userModel = this.session.getProvider(DatastoreProvider.class).userStorageManager().getUserById(realmModel, userModel.getId());
            registered = this.userManager.getManagedProxiedUser(userModel.getId());
            if (registered != null) {
                return registered;
            }
        }
        checkDNChanged(realmModel, userModel, lDAPObject);

        UserModel guarded = userModel;
        switch (this.editMode) {
            case READ_ONLY:
                if (this.model.isImportEnabled()) {
                    guarded = new ReadonlyLDAPUserModelDelegate(userModel);
                } else {
                    guarded = new ReadOnlyUserModelDelegate(userModel);
                }
                break;
            case WRITABLE:
            case UNSYNCED:
                if (!this.model.isImportEnabled() && !z) {
                    guarded = new LDAPWritesOnlyUserModelDelegate(new ReadOnlyUserModelDelegate(userModel, ReadOnlyException::new), this);
                }
                break;
            default:
                break;
        }

        // Mappers run in ascending comparator order; each one wraps the output of the previous one.
        AtomicReference<UserModel> chain = new AtomicReference<>(guarded);
        realmModel.getComponentsStream(this.model.getId(), LDAPStorageMapper.class.getName())
                .sorted(this.ldapMappersComparator.sortAsc())
                .forEachOrdered(mapperModel ->
                        chain.set(this.mapperManager.getMapper(mapperModel).proxy(lDAPObject, chain.get(), realmModel)));

        UserModel proxied = chain.get();
        if (!this.model.isImportEnabled()) {
            proxied = new UpdateOnlyChangeUserModelDelegate(proxied);
        }
        this.userManager.setManagedProxiedUser(proxied, lDAPObject);
        return proxied;
    }

    /**
     * Updates the user's stored LDAP_ENTRY_DN attribute when the LDAP entry reports a different DN.
     *
     * <p>Nothing happens when the entry has no DN or the stored value already matches. After an
     * update the user is evicted from the user cache, if a cache is available.
     *
     * @param realmModel realm the user belongs to
     * @param userModel user whose stored DN is compared and possibly updated
     * @param lDAPObject LDAP entry providing the current DN
     */
    private void checkDNChanged(RealmModel realmModel, UserModel userModel, LDAPObject lDAPObject) {
        String storedDn = userModel.getFirstAttribute("LDAP_ENTRY_DN");
        String currentDn = lDAPObject.getDn() == null ? null : lDAPObject.getDn().toString();
        if (currentDn != null && !currentDn.equals(storedDn)) {
            logger.debugf("Updated LDAP DN of user '%s' to '%s'", userModel.getUsername(), currentDn);
            userModel.setSingleAttribute("LDAP_ENTRY_DN", currentDn);
            UserCache cache = UserStorageUtil.userCache(this.session);
            if (cache != null) {
                cache.evict(realmModel, userModel);
            }
        }
    }

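    /**
     * Reports whether this provider can authenticate the given credential type directly.
     *
     * <p>Only "kerberos" qualifies, and only while Kerberos authentication is allowed in the
     * configuration. The literal is used as the receiver of {@code equals} so that a
     * {@code null} type yields {@code false} instead of a NullPointerException.
     *
     * @param str credential type to test; may be {@code null}
     * @return {@code true} for "kerberos" when Kerberos authentication is allowed
     */
    public boolean supportsCredentialAuthenticationFor(String str) {
        return "kerberos".equals(str) && this.kerberosConfig.isAllowKerberosAuthentication();
    }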

    /**
     * Finds LDAP users by a single attribute and returns them as Keycloak users.
     *
     * <p>"LDAP_ID" is looked up by UUID and "LDAP_ENTRY_DN" by the parsed DN. Any other attribute
     * name becomes an equality condition on the user search query. Each hit is proxied onto the
     * local user with the same username, or imported when no such local user exists.
     *
     * @param realmModel realm to search in
     * @param str attribute name
     * @param str2 attribute value to match
     * @return stream of matching users; the mapping to Keycloak users happens lazily
     */
    public Stream<UserModel> searchForUserByUserAttributeStream(RealmModel realmModel, String str, String str2) {
        List<LDAPObject> ldapHits;
        if ("LDAP_ID".equals(str)) {
            LDAPObject byUuid = loadLDAPUserByUuid(realmModel, str2);
            ldapHits = byUuid == null ? Collections.emptyList() : Collections.singletonList(byUuid);
        } else if ("LDAP_ENTRY_DN".equals(str)) {
            LDAPObject byDn = loadLDAPUserByDN(realmModel, LDAPDn.fromString(str2));
            ldapHits = byDn == null ? Collections.emptyList() : Collections.singletonList(byDn);
        } else {
            // NOTE(review): name and value go straight into the condition builder; presumably it
            // escapes LDAP filter metacharacters - confirm in LDAPQueryConditionsBuilder.
            try (LDAPQuery query = LDAPUtils.createQueryForUserSearch(this, realmModel)) {
                query.addWhereCondition(new LDAPQueryConditionsBuilder().equal(str, str2));
                ldapHits = query.getResultList();
            }
        }
        return ldapHits.stream().map(ldapEntry -> {
            String username = LDAPUtils.getUsername(ldapEntry, this.ldapIdentityStore.getConfig());
            UserModel localUser = UserStoragePrivateUtil.userLocalStorage(this.session).getUserByUsername(realmModel, username);
            if (localUser == null) {
                return importUserFromLDAP(this.session, realmModel, ldapEntry);
            }
            return proxy(realmModel, localUser, ldapEntry, false);
        });
    }

    /**
     * Reports whether users registered in Keycloak are also created in LDAP.
     *
     * @return {@code true} only when the "syncRegistrations" config value is "true" (case-insensitive)
     *         and the edit mode is WRITABLE
     */
    public boolean synchronizeRegistrations() {
        String configured = (String) this.model.getConfig().getFirst("syncRegistrations");
        boolean requested = "true".equalsIgnoreCase(configured);
        return requested && this.editMode == UserStorageProvider.EditMode.WRITABLE;
    }

    /**
     * Creates a user in LDAP when registration sync is on and returns the proxied Keycloak user.
     *
     * <p>With import enabled the user is also added to local storage and linked to this provider;
     * otherwise an in-memory adapter with a storage id is used. The new user receives the realm's
     * default role, its default groups, and every required action that is both enabled and
     * marked as a default action.
     *
     * @param realmModel realm to create the user in
     * @param str username of the new user
     * @return the proxied user, or {@code null} when synchronizeRegistrations() is false
     */
    public UserModel addUser(RealmModel realmModel, String str) {
        if (!synchronizeRegistrations()) {
            return null;
        }

        final UserModel localUser;
        if (this.model.isImportEnabled()) {
            localUser = UserStoragePrivateUtil.userLocalStorage(this.session).addUser(realmModel, str);
            localUser.setFederationLink(this.model.getId());
        } else {
            localUser = new InMemoryUserAdapter(this.session, realmModel, new StorageId(this.model.getId(), str).getId());
            localUser.setUsername(str);
        }

        // The callback checks the UUID of the LDAP entry and records its id and DN on the local user.
        LDAPObject createdEntry = LDAPUtils.addUserToLDAP(this, realmModel, localUser, ldapEntry -> {
            LDAPUtils.checkUuid(ldapEntry, this.ldapIdentityStore.getConfig());
            localUser.setSingleAttribute("LDAP_ID", ldapEntry.getUuid());
            localUser.setSingleAttribute("LDAP_ENTRY_DN", ldapEntry.getDn().toString());
        });

        // 'true' tells proxy() not to apply the write-restricting delegate to the fresh user.
        UserModel registered = proxy(realmModel, localUser, createdEntry, true);
        registered.grantRole(realmModel.getDefaultRole());
        realmModel.getDefaultGroupsStream().forEach(registered::joinGroup);
        realmModel.getRequiredActionProvidersStream()
                .filter(action -> action.isEnabled())
                .filter(action -> action.isDefaultAction())
                .map(action -> action.getAlias())
                .forEachOrdered(registered::addRequiredAction);
        return registered;
    }

    /**
     * Removes a user from LDAP when the edit mode permits writes.
     *
     * <p>In READ_ONLY and UNSYNCED mode LDAP is left untouched and {@code true} is returned, so
     * only the Keycloak copy is deleted. As the log message says, such a user is imported again
     * on the next search.
     *
     * @param realmModel realm the user belongs to
     * @param userModel user to remove
     * @return {@code true} when LDAP removal succeeded or was skipped because of the edit mode;
     *         {@code false} when no matching LDAP entry was found
     */
    public boolean removeUser(RealmModel realmModel, UserModel userModel) {
        boolean ldapWritable = this.editMode != UserStorageProvider.EditMode.READ_ONLY
                && this.editMode != UserStorageProvider.EditMode.UNSYNCED;
        if (!ldapWritable) {
            logger.warnf("User '%s' can't be deleted in LDAP as editMode is '%s'. Deleting user just from Keycloak DB, but he will be re-imported from LDAP again once searched in Keycloak", userModel.getUsername(), this.editMode.toString());
            return true;
        }

        LDAPObject ldapEntry = loadAndValidateUser(realmModel, userModel);
        if (ldapEntry != null) {
            this.ldapIdentityStore.remove(ldapEntry);
            this.userManager.removeManagedUserEntry(userModel.getId());
            return true;
        }
        logger.warnf("User '%s' can't be deleted from LDAP as it doesn't exist here", userModel.getUsername());
        return false;
    }

    /**
     * Resolves a user by storage id.
     *
     * @param realmModel realm to look in
     * @param str storage id of the user
     * @return the proxy already registered for that id, otherwise the result of a username
     *         lookup using the external part of the storage id
     */
    public UserModel getUserById(RealmModel realmModel, String str) {
        UserModel registered = this.userManager.getManagedProxiedUser(str);
        if (registered != null) {
            return registered;
        }
        String externalId = new StorageId(str).getExternalId();
        return getUserByUsername(realmModel, externalId);
    }

    /**
     * Searches LDAP for users and imports the hits that are not yet known locally.
     *
     * <p>When the parameter map carries "keycloak.session.realm.users.query.search", a free-text
     * search runs; otherwise the map is treated as attribute criteria. With import enabled the
     * LDAP hits are first filtered by filterLocalUsers. Hits that importUserFromLDAP maps to
     * {@code null} (import type NOT_FORCED_RETURN_NULL) are dropped. The first/max values are
     * passed both to the LDAP search and to the final paginated stream.
     *
     * @param realmModel realm to search in
     * @param map search parameters
     * @param num first result, may be {@code null}
     * @param num2 maximum number of results, may be {@code null}
     * @return stream of imported users
     */
    public Stream<UserModel> searchForUserStream(RealmModel realmModel, Map<String, String> map, Integer num, Integer num2) {
        String freeText = map.get("keycloak.session.realm.users.query.search");
        Stream<LDAPObject> ldapHits;
        if (freeText == null) {
            ldapHits = searchLDAPByAttributes(realmModel, map, num, num2);
        } else {
            ldapHits = searchLDAP(realmModel, freeText, num, num2);
        }
        if (this.model.isImportEnabled()) {
            ldapHits = ldapHits.filter(filterLocalUsers(realmModel));
        }
        Stream<UserModel> imported = ldapHits
                .map(ldapEntry -> importUserFromLDAP(this.session, realmModel, ldapEntry, ImportType.NOT_FORCED_RETURN_NULL))
                .filter(Objects::nonNull);
        return StreamsUtil.paginatedStream(imported, num, num2);
    }

    /**
     * Returns the members of a group as reported by the LDAP mappers.
     *
     * <p>Mappers are asked in ascending comparator order; the first one that returns a non-empty
     * member list supplies the result.
     *
     * @param realmModel realm the group belongs to
     * @param groupModel group whose members are requested
     * @param num first result; {@code null} means 0
     * @param num2 maximum number of results; {@code null} means DEFAULT_MAX_RESULTS
     * @return stream of group members, empty when no mapper reports any
     */
    public Stream<UserModel> getGroupMembersStream(RealmModel realmModel, GroupModel groupModel, Integer num, Integer num2) {
        final int firstResult = num == null ? 0 : num;
        final int maxResults = num2 == null ? DEFAULT_MAX_RESULTS : num2;
        return realmModel.getComponentsStream(this.model.getId(), LDAPStorageMapper.class.getName())
                .sorted(this.ldapMappersComparator.sortAsc())
                .map(mapperModel -> this.mapperManager.getMapper(mapperModel).getGroupMembers(realmModel, groupModel, firstResult, maxResults))
                .filter(members -> !members.isEmpty())
                .map(members -> members.stream())
                .findFirst()
                .orElse(Stream.empty());
    }

    /**
     * Returns the members of a role as reported by the LDAP mappers.
     *
     * <p>Mappers are asked in ascending comparator order; the first one that returns a non-empty
     * member list supplies the result.
     *
     * @param realmModel realm the role belongs to
     * @param roleModel role whose members are requested
     * @param num first result; {@code null} means 0
     * @param num2 maximum number of results; {@code null} means DEFAULT_MAX_RESULTS
     * @return stream of role members, empty when no mapper reports any
     */
    public Stream<UserModel> getRoleMembersStream(RealmModel realmModel, RoleModel roleModel, Integer num, Integer num2) {
        final int firstResult = num == null ? 0 : num;
        final int maxResults = num2 == null ? DEFAULT_MAX_RESULTS : num2;
        return realmModel.getComponentsStream(this.model.getId(), LDAPStorageMapper.class.getName())
                .sorted(this.ldapMappersComparator.sortAsc())
                .map(mapperModel -> this.mapperManager.getMapper(mapperModel).getRoleMembers(realmModel, roleModel, firstResult, maxResults))
                .filter(members -> !members.isEmpty())
                .map(members -> members.stream())
                .findFirst()
                .orElse(Stream.empty());
    }

    /**
     * Resolves usernames to Keycloak users, keeping only those that belong to this provider.
     *
     * <p>With import enabled, a user whose federation link differs from this provider's id is
     * logged and skipped, so a same-named user from another store is never returned here.
     * Usernames that resolve to nothing are logged and skipped too.
     *
     * @param list usernames to resolve
     * @param realmModel realm to look in
     * @return the users that were found and accepted, in input order
     */
    public List<UserModel> loadUsersByUsernames(List<String> list, RealmModel realmModel) {
        List<UserModel> accepted = new ArrayList<>();
        for (String username : list) {
            UserModel candidate = this.session.users().getUserByUsername(realmModel, username);
            if (candidate == null) {
                logger.warnf("User '%s' referenced by membership wasn't found in LDAP", username);
                continue;
            }
            boolean ownedByThisProvider = !this.model.isImportEnabled() || this.model.getId().equals(candidate.getFederationLink());
            if (ownedByThisProvider) {
                accepted.add(candidate);
            } else {
                logger.warnf("Incorrect federation provider of user '%s'", candidate.getUsername());
            }
        }
        return accepted;
    }

    /**
     * Loads the LDAP entries for one chunk of DNs with a single OR query.
     *
     * <p>The query matches on the RDN attribute value only. The results are therefore filtered
     * against the exact set of requested DNs, which drops any entry that merely shares an RDN
     * value. The query is closed before the method returns.
     *
     * @param realmModel realm the query is created for
     * @param str name of the RDN attribute
     * @param collection DNs to load
     * @return stream over the entries whose DN is in {@code collection}
     */
    private Stream<LDAPObject> loadUsersByDNsChunk(RealmModel realmModel, String str, Collection<LDAPDn> collection) {
        try (LDAPQuery query = LDAPUtils.createQueryForUserSearch(this, realmModel)) {
            LDAPQueryConditionsBuilder conditions = new LDAPQueryConditionsBuilder();
            Set<LDAPDn> requestedDns = new HashSet<>(collection);
            Condition[] anyRdnValue = collection.stream()
                    .map(dn -> conditions.equal(str, dn.getFirstRdn().getAttrValue(str)))
                    .toArray(Condition[]::new);
            query.addWhereCondition(conditions.orCondition(anyRdnValue));
            return query.getResultList().stream()
                    .filter(entry -> requestedDns.contains(entry.getDn()));
        }
    }

    /**
     * Loads users by DN in chunks and returns them as Keycloak users.
     *
     * <p>Only DNs that carry a value for the configured RDN attribute and lie below the
     * configured users DN are queried. Chunk size is the configured maximum number of
     * conditions. Existing local users are returned without re-import
     * (NOT_FORCED_RETURN_EXISTING).
     *
     * @param realmModel realm to load into
     * @param collection DNs of the users to load
     * @param i number of LDAP results to skip
     * @param i2 maximum number of LDAP results to return
     * @return stream of imported or existing users
     */
    public Stream<UserModel> loadUsersByDNs(RealmModel realmModel, Collection<LDAPDn> collection, int i, int i2) {
        String rdnAttribute = this.ldapIdentityStore.getConfig().getRdnLdapAttribute();
        LDAPDn usersBaseDn = LDAPDn.fromString(this.ldapIdentityStore.getConfig().getUsersDn());
        Stream<LDAPDn> eligibleDns = collection.stream()
                .filter(dn -> dn.getFirstRdn().getAttrValue(rdnAttribute) != null && dn.isDescendantOf(usersBaseDn));
        return StreamsUtil.chunkedStream(eligibleDns, this.ldapIdentityStore.getConfig().getMaxConditions())
                .map(chunk -> loadUsersByDNsChunk(realmModel, rdnAttribute, chunk))
                .flatMap(Function.identity())
                .skip(i)
                .limit(i2)
                .map(ldapEntry -> importUserFromLDAP(this.session, realmModel, ldapEntry, ImportType.NOT_FORCED_RETURN_EXISTING));
    }

    /**
     * Loads the LDAP entries whose attribute equals any value of one chunk, using a single OR query.
     *
     * <p>The query is closed before the method returns; the stream runs over the result list
     * that was already fetched.
     *
     * @param realmModel realm the query is created for
     * @param str attribute name to match on
     * @param collection attribute values of this chunk
     * @return stream over the matching LDAP entries
     */
    private Stream<LDAPObject> loadUsersByUniqueAttributeChunk(RealmModel realmModel, String str, Collection<String> collection) {
        try (LDAPQuery query = LDAPUtils.createQueryForUserSearch(this, realmModel)) {
            LDAPQueryConditionsBuilder conditions = new LDAPQueryConditionsBuilder();
            Condition[] anyValue = collection.stream()
                    .map(value -> conditions.equal(str, value))
                    .toArray(Condition[]::new);
            query.addWhereCondition(conditions.orCondition(anyValue));
            return query.getResultList().stream();
        }
    }

    /**
     * Loads users by the values of one attribute, in chunks, and returns them as Keycloak users.
     *
     * <p>Chunk size is the configured maximum number of conditions. Existing local users are
     * returned without re-import (NOT_FORCED_RETURN_EXISTING).
     *
     * @param realmModel realm to load into
     * @param str attribute name to match on
     * @param collection attribute values to look up
     * @param i number of LDAP results to skip
     * @param i2 maximum number of LDAP results to return
     * @return stream of imported or existing users
     */
    public Stream<UserModel> loadUsersByUniqueAttribute(RealmModel realmModel, String str, Collection<String> collection, int i, int i2) {
        int chunkSize = this.ldapIdentityStore.getConfig().getMaxConditions();
        return StreamsUtil.chunkedStream(collection.stream(), chunkSize)
                .map(chunk -> loadUsersByUniqueAttributeChunk(realmModel, str, chunk))
                .flatMap(Function.identity())
                .skip(i)
                .limit(i2)
                .map(ldapEntry -> importUserFromLDAP(this.session, realmModel, ldapEntry, ImportType.NOT_FORCED_RETURN_EXISTING));
    }

    /**
     * Builds the condition for one attribute of a search term.
     *
     * <p>An exact search yields an equality condition. Otherwise the term is split on runs of
     * '*': the first fragment is the leading part, the last the trailing part, and anything
     * between is the middle part of a substring condition. A term made only of '*' characters,
     * or an empty term, yields a presence condition, which matches every entry that has the
     * attribute.
     *
     * <p>NOTE(review): the fragments are passed to the builder unmodified; presumably the builder
     * escapes LDAP filter metacharacters - confirm in LDAPQueryConditionsBuilder.
     *
     * @param lDAPQueryConditionsBuilder builder that creates the condition
     * @param str attribute name
     * @param z {@code true} for an exact match
     * @param str2 search term, possibly containing '*' wildcards
     * @return the equality, presence or substring condition
     */
    private Condition createSearchCondition(LDAPQueryConditionsBuilder lDAPQueryConditionsBuilder, String str, boolean z, String str2) {
        if (z) {
            return lDAPQueryConditionsBuilder.equal(str, str2);
        }
        // Limit -1 keeps trailing empty fragments, so "abc*" still yields an empty last fragment.
        String[] fragments = str2.split("\\Q*\\E+", -1);
        int lastIndex = fragments.length - 1;

        String leading = fragments[0].isEmpty() ? null : fragments[0];
        String trailing = (fragments.length > 1 && !fragments[lastIndex].isEmpty()) ? fragments[lastIndex] : null;
        String[] middle = fragments.length > 2 ? Arrays.copyOfRange(fragments, 1, lastIndex) : null;

        boolean wildcardOnly = leading == null && middle == null && trailing == null;
        if (wildcardOnly) {
            return lDAPQueryConditionsBuilder.present(str);
        }
        return lDAPQueryConditionsBuilder.substring(str, leading, middle, trailing);
    }

    /* JADX WARN: Can't fix incorrect switch cases order, some code will duplicate */
    /* JADX WARN: Code restructure failed: missing block: B:32:0x0177, code lost:
    
        switch(r25) {
            case 0: goto L30;
            case 1: goto L30;
            case 2: goto L30;
            case 3: goto L30;
            default: goto L34;
        };
     */
    /* JADX WARN: Code restructure failed: missing block: B:34:0x0196, code lost:
    
        if (r0 == false) goto L33;
     */
    /* JADX WARN: Code restructure failed: missing block: B:35:0x0199, code lost:
    
        r0.addWhereCondition(r0.equal(r0, r0.getValue()));
     */
    /* JADX WARN: Code restructure failed: missing block: B:38:0x01b7, code lost:
    
        r0.addWhereCondition(r0.substring(r0, null, new java.lang.String[]{r0.getValue()}, null));
     */
    /* JADX WARN: Code restructure failed: missing block: B:39:0x01e1, code lost:
    
        r0.addWhereCondition(r0.equal(r0, r0.getValue()));
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    // NOTE(review): the decompiler could not reconstruct this method. The body below is a placeholder
    // that always throws, not the real implementation. searchForUserStream calls this method
    // whenever the parameter map has no free-text search key, so the handling of caller-supplied
    // attribute criteria cannot be reviewed from this listing - consult the original source.
    private java.util.stream.Stream<org.keycloak.storage.ldap.idm.model.LDAPObject> searchLDAPByAttributes(org.keycloak.models.RealmModel r13, java.util.Map<java.lang.String, java.lang.String> r14, java.lang.Integer r15, java.lang.Integer r16) {
        /*
            Method dump skipped, instructions count: 643
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.keycloak.storage.ldap.LDAPStorageProvider.searchLDAPByAttributes(org.keycloak.models.RealmModel, java.util.Map, java.lang.Integer, java.lang.Integer):java.util.stream.Stream");
    }

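    /**
     * Runs a free-text user search against LDAP.
     *
     * <p>The search string is split on whitespace. Each token must match at least one of
     * username, email, firstName or lastName, and one such OR group is added to the query per
     * token. A token wrapped in double quotes is matched exactly, with the quotes stripped.
     * Any other token gets a trailing '*' unless it already ends with one.
     *
     * <p>A token is treated as quoted only when it has at least two characters. A token that
     * consists of a single '"' would otherwise reach {@code substring(1, 0)} and throw
     * StringIndexOutOfBoundsException on caller-supplied input.
     *
     * <p>NOTE(review): the query is closed before the returned stream is consumed; presumably
     * paginatedSearchLDAP fetches the results before returning - confirm.
     *
     * @param realmModel realm the query is created for
     * @param str free-text search string
     * @param num first result, may be {@code null}
     * @param num2 maximum number of results, may be {@code null}
     * @return stream of matching LDAP entries
     */
    private Stream<LDAPObject> searchLDAP(RealmModel realmModel, String str, Integer num, Integer num2) {
        try (LDAPQuery query = LDAPUtils.createQueryForUserSearch(this, realmModel)) {
            LDAPQueryConditionsBuilder conditions = new LDAPQueryConditionsBuilder();
            for (String token : str.split("\\s+")) {
                boolean exact = false;
                // The length check keeps a lone '"' from being treated as an empty quoted term.
                if (token.length() >= 2 && token.startsWith("\"") && token.endsWith("\"")) {
                    token = token.substring(1, token.length() - 1);
                    exact = true;
                } else if (!token.endsWith("*")) {
                    token = token + "*";
                }
                Condition[] anyField = {
                    createSearchCondition(conditions, "username", exact, token),
                    createSearchCondition(conditions, "email", exact, token),
                    createSearchCondition(conditions, "firstName", exact, token),
                    createSearchCondition(conditions, "lastName", exact, token)
                };
                query.addWhereCondition(conditions.orCondition(anyField));
            }
            return paginatedSearchLDAP(query, num, num2);
        }
    }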

    /**
     * Loads the LDAP entry behind a local user and checks that its UUID matches the user's
     * stored LDAP_ID.
     *
     * <p>An entry already registered for the user id is returned without further checks.
     * Otherwise the entry is looked up by the stored LDAP_ID, registered as managed, and
     * accepted only when its UUID equals the stored value.
     *
     * <p>NOTE(review): the entry is registered as managed before the UUID comparison. After a
     * mismatch, a later call for the same user id would presumably get the entry from the
     * registry without the check being repeated - confirm against LDAPStorageUserManager.
     *
     * @param realmModel realm the user belongs to
     * @param userModel local user to validate
     * @return the LDAP entry, or {@code null} when none is found or the UUID does not match
     */
    protected LDAPObject loadAndValidateUser(RealmModel realmModel, UserModel userModel) {
        String storedLdapId = userModel.getFirstAttribute("LDAP_ID");
        LDAPObject alreadyManaged = this.userManager.getManagedLDAPObject(userModel.getId());
        if (alreadyManaged != null) {
            return alreadyManaged;
        }

        LDAPObject ldapEntry = loadLDAPUserByUuid(realmModel, storedLdapId);
        if (ldapEntry == null) {
            return null;
        }
        this.userManager.setManagedLDAPObject(userModel.getId(), ldapEntry);
        LDAPUtils.checkUuid(ldapEntry, this.ldapIdentityStore.getConfig());

        boolean uuidMatches = ldapEntry.getUuid().equals(userModel.getFirstAttribute("LDAP_ID"));
        if (!uuidMatches) {
            logger.warnf("LDAP User invalid. ID doesn't match. ID from LDAP [%s], LDAP ID from local DB: [%s]", ldapEntry.getUuid(), userModel.getFirstAttribute("LDAP_ID"));
            return null;
        }
        return ldapEntry;
    }

    /**
     * Looks a user up in LDAP by username and imports it with the default (FORCED) import type.
     *
     * @param realmModel realm to import into
     * @param str username to look up
     * @return the imported user, or {@code null} when LDAP has no such user
     */
    public UserModel getUserByUsername(RealmModel realmModel, String str) {
        LDAPObject ldapEntry = loadLDAPUserByUsername(realmModel, str);
        return ldapEntry == null ? null : importUserFromLDAP(this.session, realmModel, ldapEntry);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Imports an LDAP entry with import type FORCED, so an existing local user is refreshed.
     *
     * @param keycloakSession session used for local storage and cache access
     * @param realmModel realm to import into
     * @param lDAPObject LDAP entry to import
     * @return the proxied user
     */
    public UserModel importUserFromLDAP(KeycloakSession keycloakSession, RealmModel realmModel, LDAPObject lDAPObject) {
        final ImportType defaultMode = ImportType.FORCED;
        return importUserFromLDAP(keycloakSession, realmModel, lDAPObject, defaultMode);
    }

    /**
     * Copies the state of an LDAP entry onto a Keycloak user.
     *
     * <p>The user is enabled first, then every mapper of the component runs in descending
     * comparator order. With import enabled the user is linked to this provider. LDAP_ID and
     * LDAP_ENTRY_DN are always recorded. When the LDAP configuration trusts e-mail addresses,
     * the address is marked as verified without any check by Keycloak, so that setting relies
     * on the directory being authoritative for e-mail. With Kerberos allowed and a principal
     * attribute configured, the principal is stored as KERBEROS_PRINCIPAL, or a warning is
     * logged when the entry lacks the attribute.
     *
     * @param realmModel realm the user belongs to
     * @param userModel user that receives the imported state
     * @param lDAPObject LDAP entry to import from
     */
    private void doImportUser(RealmModel realmModel, UserModel userModel, LDAPObject lDAPObject) {
        userModel.setEnabled(true);

        realmModel.getComponentsStream(this.model.getId(), LDAPStorageMapper.class.getName())
                .sorted(this.ldapMappersComparator.sortDesc())
                .forEachOrdered(mapperModel -> {
                    if (logger.isTraceEnabled()) {
                        logger.tracef("Using mapper %s during import user from LDAP", mapperModel);
                    }
                    LDAPStorageMapper mapper = this.mapperManager.getMapper(mapperModel);
                    mapper.onImportUserFromLDAP(lDAPObject, userModel, realmModel, true);
                });

        String entryDn = lDAPObject.getDn().toString();
        if (this.model.isImportEnabled()) {
            userModel.setFederationLink(this.model.getId());
        }
        userModel.setSingleAttribute("LDAP_ID", lDAPObject.getUuid());
        userModel.setSingleAttribute("LDAP_ENTRY_DN", entryDn);

        if (getLdapIdentityStore().getConfig().isTrustEmail()) {
            userModel.setEmailVerified(true);
        }

        boolean storePrincipal = this.kerberosConfig.isAllowKerberosAuthentication()
                && this.kerberosConfig.getKerberosPrincipalAttribute() != null;
        if (storePrincipal) {
            String principal = lDAPObject.getAttributeAsString(this.kerberosConfig.getKerberosPrincipalAttribute());
            if (principal != null) {
                userModel.setSingleAttribute("KERBEROS_PRINCIPAL", new KerberosPrincipal(principal).toString());
            } else {
                logger.warnf("Kerberos principal attribute not found on LDAP user [%s]. Configured kerberos principal attribute name is [%s]", lDAPObject.getDn(), this.kerberosConfig.getKerberosPrincipalAttribute());
            }
        }

        logger.debugf("Imported new user from LDAP to Keycloak DB. Username: [%s], Email: [%s], LDAP_ID: [%s], LDAP Entry DN: [%s]", userModel.getUsername(), userModel.getEmail(), lDAPObject.getUuid(), entryDn);
    }

    /**
     * Imports an LDAP entry as a Keycloak user, following the given import type.
     *
     * <p>The username is derived from the entry and the entry's UUID is checked first. With
     * import enabled, a local user carrying the same LDAP_ID is looked up. If one exists the
     * import type decides the outcome (return null, return the existing user, or refresh it).
     * If none exists a new local user is added. With import disabled an in-memory user with a
     * storage id is used. The user is then filled by doImportUser and wrapped by proxy.
     *
     * @param keycloakSession session used for local storage and cache access
     * @param realmModel realm to import into
     * @param lDAPObject LDAP entry to import
     * @param importType behaviour for an existing local user; {@code null} is treated as FORCED
     * @return the proxied user, or {@code null} in the cases described above and on a duplicate
     *         that is not rethrown
     */
    protected UserModel importUserFromLDAP(KeycloakSession keycloakSession, RealmModel realmModel, LDAPObject lDAPObject, ImportType importType) {
        UserModel userModel;
        String username = LDAPUtils.getUsername(lDAPObject, this.ldapIdentityStore.getConfig());
        LDAPUtils.checkUuid(lDAPObject, this.ldapIdentityStore.getConfig());
        if (importType == null) {
            importType = ImportType.FORCED;
        }
        UserProvider userLocalStorage = UserStoragePrivateUtil.userLocalStorage(keycloakSession);
        try {
            if (this.model.isImportEnabled()) {
                // Match on LDAP_ID, not on username, to find a previously imported copy of this entry.
                UserModel userModel2 = (UserModel) userLocalStorage.searchForUserByUserAttributeStream(realmModel, "LDAP_ID", lDAPObject.getUuid()).findFirst().orElse(null);
                if (userModel2 != null) {
                    userModel = userModel2;
                    if (importType == ImportType.NOT_FORCED_RETURN_NULL) {
                        return null;
                    }
                    if (importType == ImportType.NOT_FORCED_RETURN_EXISTING) {
                        return proxy(realmModel, userModel, lDAPObject, false);
                    }
                    // FORCED: drop the cached copy so the re-import below is what readers see.
                    if (UserStorageUtil.userCache(keycloakSession) != null) {
                        UserStorageUtil.userCache(keycloakSession).evict(realmModel, userModel2);
                    }
                } else {
                    userModel = userLocalStorage.addUser(realmModel, username);
                }
            } else {
                UserModel inMemoryUserAdapter = new InMemoryUserAdapter(keycloakSession, realmModel, new StorageId(this.model.getId(), username).getId());
                inMemoryUserAdapter.addDefaults();
                userModel = inMemoryUserAdapter;
            }
            doImportUser(realmModel, userModel, lDAPObject);
            return proxy(realmModel, userModel, lDAPObject, false);
        } catch (ModelDuplicateException e) {
            logger.warnf(e, "Duplicated user importing from LDAP. LDAP Entry DN: [%s], LDAP_ID: [%s]", lDAPObject.getDn(), lDAPObject.getUuid());
            // NOTE(review): the constants "0 != 0" and "0 == 0" below are decompiler output. As written,
            // FORCED rethrows, every other import type returns null, and the removeUser(..., null)
            // call is unreachable. Presumably the original tested local variables that the decompiler
            // lost - check the original source before drawing conclusions about duplicate cleanup.
            if (importType == ImportType.FORCED || 0 != 0) {
                throw e;
            }
            if (!this.model.isImportEnabled() || 0 == 0) {
                return null;
            }
            userLocalStorage.removeUser(realmModel, (UserModel) null);
            return null;
        }
    }

    /**
     * Looks up the first LDAP entry whose {@code email} attribute equals the given value.
     *
     * @param realmModel realm the user search query is built for
     * @param str        e-mail address to match
     * @return the first matching entry as returned by {@code getFirstResult()}
     */
    protected LDAPObject queryByEmail(RealmModel realmModel, String str) {
        // The query is closed on every exit path, including when the search throws.
        try (LDAPQuery emailQuery = LDAPUtils.createQueryForUserSearch(this, realmModel)) {
            // NOTE(review): str can originate from a login or lookup request; presumably the conditions
            // builder escapes LDAP filter metacharacters - confirm in LDAPQueryConditionsBuilder.
            emailQuery.addWhereCondition(new LDAPQueryConditionsBuilder().equal("email", str));
            return emailQuery.getFirstResult();
        }
    }

    /**
     * Resolves a user by e-mail through LDAP, importing the entry when no local user has its username.
     *
     * @param realmModel realm to search in
     * @param str        e-mail address to look up
     * @return the proxied user, or {@code null} when LDAP has no matching entry
     * @throws ModelDuplicateException when a local user with the same username carries a different {@code LDAP_ID}
     */
    public UserModel getUserByEmail(RealmModel realmModel, String str) {
        LDAPObject ldapUser = queryByEmail(realmModel, str);
        if (ldapUser == null) {
            return null;
        }
        String username = LDAPUtils.getUsername(ldapUser, this.ldapIdentityStore.getConfig());
        UserModel localUser = UserStoragePrivateUtil.userLocalStorage(this.session).getUserByUsername(realmModel, username);
        if (localUser != null) {
            LDAPUtils.checkUuid(ldapUser, this.ldapIdentityStore.getConfig());
            // A username match alone is not enough: the local user must be bound to this very LDAP entry,
            // otherwise an LDAP account could be mapped onto an unrelated local account of the same name.
            boolean sameEntry = ldapUser.getUuid().equals(localUser.getFirstAttribute("LDAP_ID"));
            if (!sameEntry) {
                throw new ModelDuplicateException("User with username '" + username + "' already exists in Keycloak. It conflicts with LDAP user with email '" + str + "'");
            }
            return proxy(realmModel, localUser, ldapUser, false);
        }
        return importUserFromLDAP(this.session, realmModel, ldapUser);
    }

    /**
     * Realm pre-removal hook. The body is empty: this provider does nothing here.
     *
     * @param realmModel realm about to be removed
     */
    public void preRemove(RealmModel realmModel) {
    }

    /**
     * Role pre-removal hook. The body is empty: this provider does nothing here.
     *
     * @param realmModel realm the role belongs to
     * @param roleModel  role about to be removed
     */
    public void preRemove(RealmModel realmModel, RoleModel roleModel) {
    }

    /**
     * Group pre-removal hook. The body is empty: this provider does nothing here.
     *
     * @param realmModel realm the group belongs to
     * @param groupModel group about to be removed
     */
    public void preRemove(RealmModel realmModel, GroupModel groupModel) {
    }

    /**
     * Checks a password either through Kerberos or through the LDAP identity store.
     *
     * <p>When Kerberos is allowed and configured for password authentication, the password is checked against the
     * user's {@code KERBEROS_PRINCIPAL} attribute (falling back to the username). Otherwise the LDAP entry is
     * loaded and {@code validatePassword} is called on the identity store.
     *
     * @param realmModel realm of the user
     * @param userModel  user being authenticated
     * @param str        password supplied by the caller; never log this value
     * @return {@code true} when the password is accepted, or when a mapper reports the failure as handled
     */
    public boolean validPassword(RealmModel realmModel, UserModel userModel, String str) {
        boolean kerberosPasswordAuth = this.kerberosConfig.isAllowKerberosAuthentication() && this.kerberosConfig.isUseKerberosForPasswordAuthentication();
        if (kerberosPasswordAuth) {
            KerberosUsernamePasswordAuthenticator kerberosAuthenticator = this.factory.createKerberosUsernamePasswordAuthenticator(this.kerberosConfig);
            String principal = userModel.getFirstAttribute("KERBEROS_PRINCIPAL");
            return kerberosAuthenticator.validUser(principal != null ? principal : userModel.getUsername(), str);
        }

        LDAPObject ldapUser = loadAndValidateUser(realmModel, userModel);
        if (ldapUser == null) {
            return false;
        }
        // NOTE(review): many directory servers treat a simple bind with an empty password as an unauthenticated
        // bind that succeeds. Nothing in this method rejects an empty str - confirm that validatePassword
        // (or the caller) does.
        try {
            this.ldapIdentityStore.validatePassword(ldapUser, str);
            return true;
        } catch (AuthenticationException e) {
            // Mappers are consulted in descending order; the first one that reports the failure as handled wins
            // and later mappers are not called. A mapper returning true turns this failed bind into a "valid"
            // result for the caller, so each mapper's onAuthenticationFailure deserves the same review as this method.
            AtomicReference<Boolean> handled = new AtomicReference<>(Boolean.FALSE);
            realmModel.getComponentsStream(this.model.getId(), LDAPStorageMapper.class.getName()).sorted(this.ldapMappersComparator.sortDesc()).forEachOrdered(mapperModel -> {
                if (logger.isTraceEnabled()) {
                    logger.tracef("Using mapper %s during import user from LDAP", mapperModel);
                }
                if (!handled.get()) {
                    handled.set(this.mapperManager.getMapper(mapperModel).onAuthenticationFailure(ldapUser, userModel, e, realmModel));
                }
            });
            return handled.get();
        }
    }

    /**
     * Writes a new password for the user to LDAP when this provider is in {@code WRITABLE} edit mode.
     *
     * @param realmModel      realm of the user
     * @param userModel       user whose password changes
     * @param credentialInput credential carrying the new password; only type {@code "password"} held in a
     *                        {@code UserCredentialModel} is handled
     * @return {@code true} when LDAP accepted the update; {@code false} when the input is not handled, the edit
     *         mode is neither read-only nor writable, the user is missing in LDAP, or the updater took over a failure
     * @throws ReadOnlyException when the provider is in {@code READ_ONLY} edit mode
     * @throws ModelException    when password-policy validation fails, or the update fails and no updater is set
     */
    public boolean updateCredential(RealmModel realmModel, UserModel userModel, CredentialInput credentialInput) {
        boolean handledInput = "password".equals(credentialInput.getType()) && credentialInput instanceof UserCredentialModel;
        if (!handledInput) {
            return false;
        }
        if (this.editMode == UserStorageProvider.EditMode.READ_ONLY) {
            throw new ReadOnlyException("Federated storage is not writable");
        }
        if (this.editMode != UserStorageProvider.EditMode.WRITABLE) {
            return false;
        }

        LDAPIdentityStore identityStore = getLdapIdentityStore();
        // Clear-text new password: keep it out of log and exception messages.
        String newPassword = credentialInput.getChallengeResponse();
        LDAPObject ldapUser = loadAndValidateUser(realmModel, userModel);
        if (ldapUser == null) {
            logger.warnf("User '%s' can't be updated in LDAP as it doesn't exist there", userModel.getUsername());
            return false;
        }

        // The realm password policy is enforced only when the LDAP configuration asks for it; this check runs
        // outside the try below, so a policy failure is never routed to the updater.
        if (identityStore.getConfig().isValidatePasswordPolicy()) {
            PolicyError policyError = this.session.getProvider(PasswordPolicyManagerProvider.class).validate(realmModel, userModel, newPassword);
            if (policyError != null) {
                throw new ModelException(policyError.getMessage(), policyError.getParameters());
            }
        }

        UserCredentialModel passwordInput = (UserCredentialModel) credentialInput;
        try {
            LDAPOperationDecorator decorator = (this.updater == null) ? null : this.updater.beforePasswordUpdate(userModel, ldapUser, passwordInput);
            identityStore.updatePassword(ldapUser, newPassword, decorator);
            if (this.updater != null) {
                this.updater.passwordUpdated(userModel, ldapUser, passwordInput);
            }
            return true;
        } catch (ModelException e) {
            if (this.updater == null) {
                throw e;
            }
            // With an updater present the failure is handed to it and reported to the caller as "not updated".
            this.updater.passwordUpdateFailed(userModel, ldapUser, passwordInput, e);
            return false;
        }
    }

    /**
     * Credential-disable hook. The body is empty: no credential type is disabled by this provider.
     *
     * @param realmModel realm of the user
     * @param userModel  user whose credential would be disabled
     * @param str        credential type name
     */
    public void disableCredentialType(RealmModel realmModel, UserModel userModel, String str) {
    }

    /**
     * Reports which credential types can be disabled for a user; this provider always reports none.
     *
     * @param realmModel realm of the user (unused)
     * @param userModel  user in question (unused)
     * @return an empty stream
     */
    public Stream<String> getDisableableCredentialTypesStream(RealmModel realmModel, UserModel userModel) {
        final Stream<String> noTypes = Stream.empty();
        return noTypes;
    }

    /**
     * Returns the credential types this provider supports.
     *
     * @return a fresh {@code HashSet} copy, so callers cannot modify the provider's own set
     */
    public Set<String> getSupportedCredentialTypes() {
        Set<String> copy = new HashSet<>(this.supportedCredentialTypes);
        return copy;
    }

    /**
     * Tells whether the given credential type is among the supported ones.
     *
     * @param str credential type name
     * @return {@code true} when {@link #getSupportedCredentialTypes()} contains the type
     */
    public boolean supportsCredentialType(String str) {
        Set<String> supported = getSupportedCredentialTypes();
        return supported.contains(str);
    }

    /**
     * Tells whether the credential type is configured for a user. The answer depends only on the type:
     * neither the realm nor the user is consulted.
     *
     * @param realmModel realm of the user (unused)
     * @param userModel  user in question (unused)
     * @param str        credential type name
     * @return {@code true} when {@link #getSupportedCredentialTypes()} contains the type
     */
    public boolean isConfiguredFor(RealmModel realmModel, UserModel userModel, String str) {
        Set<String> supported = getSupportedCredentialTypes();
        return supported.contains(str);
    }

    /**
     * Validates a password credential against this provider.
     *
     * @param realmModel      realm of the user
     * @param userModel       user being authenticated
     * @param credentialInput credential to check
     * @return the result of {@code validPassword} for a {@code "password"} credential of a user without a
     *         locally configured password; {@code false} in every other case
     */
    public boolean isValid(RealmModel realmModel, UserModel userModel, CredentialInput credentialInput) {
        if (!(credentialInput instanceof UserCredentialModel)) {
            return false;
        }
        if (!credentialInput.getType().equals("password")) {
            return false;
        }
        // A password stored locally takes precedence: in that case this provider declines and the
        // directory is not asked at all.
        if (userModel.credentialManager().isConfiguredLocally("password")) {
            return false;
        }
        return validPassword(realmModel, userModel, credentialInput.getChallengeResponse());
    }

    /**
     * Performs Kerberos/SPNEGO authentication and maps the authenticated principal to a user.
     *
     * @param realmModel      realm to authenticate in
     * @param credentialInput credential; only a {@code UserCredentialModel} of type {@code "kerberos"} is handled,
     *                        and only when Kerberos authentication is allowed
     * @return {@code fallback()} when the input is not handled, the handshake fails, or no user can be found or
     *         created; a {@code CONTINUE} output carrying the response token while the handshake is in progress;
     *         an {@code AUTHENTICATED} output with the user on success
     */
    public CredentialValidationOutput authenticate(RealmModel realmModel, CredentialInput credentialInput) {
        if (!(credentialInput instanceof UserCredentialModel)) {
            return CredentialValidationOutput.fallback();
        }
        UserCredentialModel kerberosCredential = (UserCredentialModel) credentialInput;
        boolean kerberosRequest = kerberosCredential.getType().equals("kerberos") && this.kerberosConfig.isAllowKerberosAuthentication();
        if (!kerberosRequest) {
            return CredentialValidationOutput.fallback();
        }

        // A provider earlier in the chain may already have completed the handshake and left its
        // authenticator as a note on the credential; reuse it instead of running the handshake again.
        SPNEGOAuthenticator spnego = (SPNEGOAuthenticator) kerberosCredential.getNote("authenticatedSpnegoContext");
        if (spnego == null) {
            spnego = this.factory.createSPNEGOAuthenticator(kerberosCredential.getChallengeResponse(), this.kerberosConfig);
            spnego.authenticate();
        } else {
            logger.debugf("SPNEGO authentication already performed by previous provider. Provider '%s' will try to lookup user with principal kerberos principal '%s'", this, spnego.getAuthenticatedKerberosPrincipal());
        }

        Map<String, String> state = new HashMap<>();
        if (!spnego.isAuthenticated()) {
            if (spnego.getResponseToken() == null) {
                logger.tracef("SPNEGO Handshake not successful", new Object[0]);
                return CredentialValidationOutput.fallback();
            }
            logger.tracef("SPNEGO Handshake will continue", new Object[0]);
            state.put("SpnegoResponseToken", spnego.getResponseToken());
            return new CredentialValidationOutput((UserModel) null, CredentialValidationOutput.Status.CONTINUE, state);
        }

        KerberosPrincipal principal = spnego.getAuthenticatedKerberosPrincipal();
        UserModel authenticatedUser = findOrCreateAuthenticatedUser(realmModel, principal);
        if (authenticatedUser == null) {
            logger.debugf("Kerberos/SPNEGO authentication succeeded with kerberos principal [%s], but couldn't find or create user with federation provider [%s]", principal.toString(), this.model.getName());
            // Hand the finished handshake on, so a later provider can look the principal up without repeating it.
            kerberosCredential.setNote("authenticatedSpnegoContext", spnego);
            return CredentialValidationOutput.fallback();
        }

        // The serialized delegation credential is secret material; it travels in the output state and
        // must not be logged.
        String delegationCredential = spnego.getSerializedDelegationCredential();
        if (delegationCredential != null) {
            state.put("gss_delegation_credential", delegationCredential);
        }
        return new CredentialValidationOutput(authenticatedUser, CredentialValidationOutput.Status.AUTHENTICATED, state);
    }

    /**
     * Provider close hook. The body is empty: nothing is released here.
     */
    public void close() {
    }

    /**
     * Maps an authenticated Kerberos principal to a Keycloak user, importing the user from LDAP when needed.
     *
     * <p>The local user is searched by the {@code KERBEROS_PRINCIPAL} attribute when a principal attribute is
     * configured, otherwise by the principal's prefix as username. A local user that is linked to this provider
     * but no longer validates against LDAP is removed and looked up again.
     *
     * @param realmModel        realm to search in
     * @param kerberosPrincipal principal established by the Kerberos/SPNEGO handshake
     * @return the proxied or imported user, or {@code null} when the local user belongs to another provider or
     *         LDAP has no entry for the principal
     */
    protected UserModel findOrCreateAuthenticatedUser(RealmModel realmModel, KerberosPrincipal kerberosPrincipal) {
        final String principalAttribute = this.kerberosConfig.getKerberosPrincipalAttribute();
        final boolean matchByAttribute = principalAttribute != null;

        UserModel localUser;
        if (matchByAttribute) {
            logger.tracef("Trying to find user with kerberos principal [%s] in local storage.", kerberosPrincipal.toString());
            localUser = (UserModel) UserStoragePrivateUtil.userLocalStorage(this.session).searchForUserByUserAttributeStream(realmModel, "KERBEROS_PRINCIPAL", kerberosPrincipal.toString()).findFirst().orElse(null);
        } else {
            logger.tracef("Trying to find user in local storage based on username [%s]. Full kerberos principal [%s]", kerberosPrincipal.getPrefix(), kerberosPrincipal);
            localUser = UserStoragePrivateUtil.userLocalStorage(this.session).getUserByUsername(realmModel, kerberosPrincipal.getPrefix());
        }

        if (localUser != null) {
            logger.debugf("Kerberos authenticated user [%s] found in Keycloak storage", localUser.getUsername());
            // Never hand out an account that is not federated through this provider: a name or attribute
            // match alone does not prove the account is the one the principal refers to.
            if (!this.model.getId().equals(localUser.getFederationLink())) {
                logger.warnf("User with username [%s] already exists, but is not linked to provider [%s]. Kerberos principal is [%s]", localUser.getUsername(), this.model.getName(), kerberosPrincipal);
                return null;
            }
            LDAPObject ldapUser = loadAndValidateUser(realmModel, localUser);
            // The principal stored on the LDAP entry is compared case-insensitively with the authenticated one.
            boolean principalMismatch = matchByAttribute && ldapUser != null && !kerberosPrincipal.toString().equalsIgnoreCase(ldapUser.getAttributeAsString(principalAttribute));
            if (principalMismatch) {
                logger.warnf("User with username [%s] aready exists and is linked to provider [%s] but is not valid. Authenticated kerberos principal is [%s], but LDAP user has different kerberos principal [%s]", localUser.getUsername(), this.model.getName(), kerberosPrincipal, ldapUser.getAttributeAsString(principalAttribute));
            } else if (ldapUser != null) {
                return proxy(realmModel, localUser, ldapUser, false);
            }
            // Stale or mismatching local record: evict and delete it, then fall through to a fresh lookup.
            logger.warnf("User with username [%s] aready exists and is linked to provider [%s] but is not valid. Stale LDAP_ID on local user is: %s", localUser.getUsername(), this.model.getName(), localUser.getFirstAttribute("LDAP_ID"));
            logger.warn("Will re-create user");
            UserCache userCache = UserStorageUtil.userCache(this.session);
            if (userCache != null) {
                userCache.evict(realmModel, localUser);
            }
            new UserManager(this.session).removeUser(realmModel, localUser, UserStoragePrivateUtil.userLocalStorage(this.session));
        }

        if (!matchByAttribute) {
            logger.debugf("Kerberos authenticated user [%s] not in Keycloak storage. Creating him", kerberosPrincipal.toString());
            return getUserByUsername(realmModel, kerberosPrincipal.getPrefix());
        }

        logger.debugf("Trying to find kerberos authenticated user [%s] in LDAP. Kerberos principal attribute is [%s]", kerberosPrincipal.toString(), principalAttribute);
        // The query is closed on every exit path, including when the search or the import throws.
        try (LDAPQuery principalQuery = LDAPUtils.createQueryForUserSearch(this, realmModel)) {
            principalQuery.addWhereCondition(new LDAPQueryConditionsBuilder().equal(principalAttribute, kerberosPrincipal.toString()));
            LDAPObject ldapMatch = principalQuery.getFirstResult();
            if (ldapMatch == null) {
                logger.warnf("Not found LDAP user with kerberos principal [%s]. Kerberos principal attribute is [%s].", kerberosPrincipal.toString(), principalAttribute);
                return null;
            }
            return importUserFromLDAP(this.session, realmModel, ldapMatch);
        }
    }

    /**
     * Loads the first LDAP entry whose configured username attribute equals the given value.
     *
     * @param realmModel realm the user search query is built for
     * @param str        username to match
     * @return the matching entry, or {@code null} when there is none
     */
    public LDAPObject loadLDAPUserByUsername(RealmModel realmModel, String str) {
        // The query is closed on every exit path, including when the search throws.
        try (LDAPQuery usernameQuery = LDAPUtils.createQueryForUserSearch(this, realmModel)) {
            String usernameAttribute = this.ldapIdentityStore.getConfig().getUsernameLdapAttribute();
            usernameQuery.addWhereCondition(new LDAPQueryConditionsBuilder().equal(usernameAttribute, str));
            return usernameQuery.getFirstResult();
        }
    }

    /**
     * Loads the first LDAP entry whose configured UUID attribute equals the given value.
     *
     * @param realmModel realm the user search query is built for
     * @param str        UUID to match; {@code null} short-circuits to {@code null} without querying LDAP
     * @return the first matching entry as returned by {@code getFirstResult()}, or {@code null} for a {@code null} UUID
     */
    public LDAPObject loadLDAPUserByUuid(RealmModel realmModel, String str) {
        if (str == null) {
            return null;
        }
        // The query is closed on every exit path, including when the search throws.
        try (LDAPQuery uuidQuery = LDAPUtils.createQueryForUserSearch(this, realmModel)) {
            String uuidAttribute = this.ldapIdentityStore.getConfig().getUuidLDAPAttributeName();
            uuidQuery.addWhereCondition(new LDAPQueryConditionsBuilder().equal(uuidAttribute, str));
            return uuidQuery.getFirstResult();
        }
    }

    /**
     * Loads the LDAP entry at the given DN, provided the DN lies under the configured users DN.
     *
     * @param realmModel realm the user search query is built for
     * @param lDAPDn     distinguished name of the entry
     * @return the entry as returned by {@code getFirstResult()}, or {@code null} when the DN is {@code null}
     *         or is not a descendant of the users DN
     */
    public LDAPObject loadLDAPUserByDN(RealmModel realmModel, LDAPDn lDAPDn) {
        if (lDAPDn == null) {
            return null;
        }
        // Confine lookups to the users subtree, so a caller-supplied DN cannot be used to read
        // entries from elsewhere in the directory.
        LDAPDn usersBase = LDAPDn.fromString(this.ldapIdentityStore.getConfig().getUsersDn());
        if (!lDAPDn.isDescendantOf(usersBase)) {
            return null;
        }
        // The query is closed on every exit path, including when the search throws.
        try (LDAPQuery dnQuery = LDAPUtils.createQueryForUserSearch(this, realmModel)) {
            dnQuery.setSearchDn(lDAPDn.getLdapName());
            // presumably a JNDI SearchControls scope, where 0 is OBJECT_SCOPE (the named entry only) - confirm
            dnQuery.setSearchScope(0);
            return dnQuery.getFirstResult();
        }
    }

    /**
     * Builds a predicate that accepts LDAP entries whose username has no user in local storage.
     *
     * @param realmModel realm the local lookup runs against
     * @return predicate that is {@code true} when {@code getUserByUsername} finds nothing for the entry's username
     */
    private Predicate<LDAPObject> filterLocalUsers(RealmModel realmModel) {
        return ldapUser -> {
            UserProvider localStorage = UserStoragePrivateUtil.userLocalStorage(this.session);
            String username = LDAPUtils.getUsername(ldapUser, this.ldapIdentityStore.getConfig());
            return localStorage.getUserByUsername(realmModel, username) == null;
        };
    }

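    /**
     * Runs an LDAP query and streams its results, fetching page by page when pagination is enabled.
     *
     * <p>Without pagination the whole result list is fetched at once. With pagination each page is limited to
     * the configured sync batch size, reduced to {@code num}, {@code num2} or their sum when those are set.
     *
     * @param lDAPQuery query to execute
     * @param num       first-result offset; ignored when {@code null} or not positive
     * @param num2      maximum number of results; ignored when {@code null} or negative
     * @return stream over the entries of all pages
     * @throws ModelException when pagination cannot be initialised
     */
    private Stream<LDAPObject> paginatedSearchLDAP(LDAPQuery lDAPQuery, Integer num, Integer num2) {
        LDAPConfig config = lDAPQuery.getLdapProvider().getLdapIdentityStore().getConfig();
        if (!config.isPagination()) {
            return lDAPQuery.getResultList().stream();
        }

        final int configuredBatch = config.getBatchSizeForSync();
        final boolean hasFirst = num != null && num.intValue() > 0;
        final boolean hasMax = num2 != null && num2.intValue() >= 0;
        // Sum in long: both values can come from request parameters, and an int sum that wraps to a
        // negative number would end up as the page limit.
        final long wanted;
        if (hasFirst && hasMax) {
            wanted = (long) num.intValue() + (long) num2.intValue();
        } else if (hasFirst) {
            wanted = num.intValue();
        } else if (hasMax) {
            wanted = num2.intValue();
        } else {
            wanted = configuredBatch;
        }
        // The result never exceeds configuredBatch, so the narrowing cast cannot lose information.
        final int batchSizeForSync = (int) Math.min((long) configuredBatch, wanted);

        return Stream.iterate(lDAPQuery, query -> {
            // First call: no pagination context yet, so initialise it; afterwards ask it for a next page.
            if (query.getPaginationContext() != null) {
                return query.getPaginationContext().hasNextPage();
            }
            try {
                query.initPagination();
                return true;
            } catch (NamingException e) {
                throw new ModelException("Querying of LDAP failed " + query, e);
            }
        }, query -> query).flatMap(query -> {
            query.setLimit(batchSizeForSync);
            List<LDAPObject> page = query.getResultList();
            return page.isEmpty() ? Stream.empty() : page.stream();
        });
    }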

    /**
     * Describes this provider by the name of its component model.
     *
     * @return {@code "LDAPStorageProvider - "} followed by the model name
     */
    public String toString() {
        final String providerName = getModel().getName();
        return "LDAPStorageProvider - " + providerName;
    }

    /**
     * Builds user-profile attribute metadata for the attributes this provider contributes.
     *
     * <p>Covers the attributes reported by the LDAP mappers (in ascending mapper order) plus {@code LDAP_ID},
     * {@code LDAP_ENTRY_DN} and, when Kerberos authentication is allowed, {@code KERBEROS_PRINCIPAL}. In
     * {@code READ_ONLY} edit mode every attribute, existing or newly built, gets an always-false write condition.
     *
     * @param str                 not used by this method
     * @param userProfileMetadata profile metadata being decorated; its attributes are modified in read-only mode
     * @return the newly created attribute metadata
     */
    public List<AttributeMetadata> decorateUserProfile(String str, UserProfileMetadata userProfileMetadata) {
        // Ordering index for new attributes starts after the distinct attribute names already present.
        int nextOrder = (int) userProfileMetadata.getAttributes().stream().map(AttributeMetadata::getName).distinct().count();

        List<String> mappedNames = this.session.getContext().getRealm().getComponentsStream(this.model.getId(), LDAPStorageMapper.class.getName()).sorted(this.ldapMappersComparator.sortAsc()).flatMap(mapperModel -> this.mapperManager.getMapper(mapperModel).getUserAttributes().stream()).toList();

        List<AttributeMetadata> decorated = new ArrayList<>();
        for (String attributeName : mappedNames) {
            // The index advances for every mapper attribute, even when no metadata is created for it.
            AttributeMetadata metadata = UserProfileUtil.createAttributeMetadata(attributeName, userProfileMetadata, nextOrder++, getModel().getName());
            if (metadata != null) {
                decorated.add(metadata);
            }
        }

        Set<String> providerAttributes = new HashSet<>(List.of("LDAP_ID", "LDAP_ENTRY_DN"));
        if (getKerberosConfig().isAllowKerberosAuthentication()) {
            providerAttributes.add("KERBEROS_PRINCIPAL");
        }
        AttributeGroupMetadata metadataGroup = UserProfileUtil.lookupUserMetadataGroup(this.session);
        for (String attributeName : providerAttributes) {
            // Here the index advances only when metadata was actually created.
            AttributeMetadata metadata = UserProfileUtil.createAttributeMetadata(attributeName, userProfileMetadata, metadataGroup, nextOrder, getModel().getName());
            if (metadata != null) {
                decorated.add(metadata);
                nextOrder++;
            }
        }

        if (getEditMode() == UserStorageProvider.EditMode.READ_ONLY) {
            // Read-only federation: block writes on all profile attributes, not only the ones added above.
            Stream.concat(userProfileMetadata.getAttributes().stream(), decorated.stream()).forEach(attribute -> attribute.addWriteCondition(AttributeMetadata.ALWAYS_FALSE));
        }
        return decorated;
    }
}
