package org.keycloak.services.clientpolicy.executor;

import com.fasterxml.jackson.databind.JsonNode;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.ws.rs.core.MultivaluedMap;
import org.jboss.logging.Logger;
import org.keycloak.common.util.Time;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequest;
import org.keycloak.protocol.oidc.endpoints.request.AuthzEndpointRequestParser;
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
import org.keycloak.services.Urls;
import org.keycloak.services.clientpolicy.AuthorizationRequestContext;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.ClientPolicyLogger;

/* loaded from: input_file:org/keycloak/services/clientpolicy/executor/SecureRequestObjectExecutor.class */
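/**
 * Client-policy executor that requires an OIDC authorization request to carry a
 * request object and validates the already-parsed object.
 *
 * <p>On {@code AUTHORIZATION_REQUEST} it rejects the request unless:
 * <ul>
 *   <li>either {@code request} or {@code request_uri} is present in the query, and the
 *       parsed object is available under {@link AuthzEndpointRequestParser#AUTHZ_REQUEST_OBJECT}
 *       in the session and is non-empty;</li>
 *   <li>{@code scope} is present both in the query string and in the request object;</li>
 *   <li>{@code exp} is present and the request object has not expired;</li>
 *   <li>{@code aud} is present and contains this realm's issuer URL;</li>
 *   <li>every known authorization parameter that appears in the query string also appears in the
 *       request object with the same value ({@code request}/{@code request_uri} excepted).</li>
 * </ul>
 *
 * <p>Checks happen in that order and the first failure wins. Errors on the "request object
 * itself is bad" path use {@link #INVALID_REQUEST_OBJECT}; errors on the "request is malformed"
 * path use {@code invalid_request}.
 *
 * <p>NOTE(review): this executor does not verify the request object's signature or encryption,
 * nor its {@code nbf} claim, nor an upper bound on how far in the future {@code exp} may lie.
 * Signature handling is presumably done where the session attribute is populated — confirm.
 * The {@code nbf} and maximum-lifetime checks expected by FAPI 1.0 Advanced are absent here.
 */
public class SecureRequestObjectExecutor implements ClientPolicyExecutorProvider {
    private static final Logger logger = Logger.getLogger(SecureRequestObjectExecutor.class);
    private final KeycloakSession session;
    private final ComponentModel componentModel;
    /** OAuth 2.0 error code used when the request object itself fails validation. */
    public static final String INVALID_REQUEST_OBJECT = "invalid_request_object";

    /**
     * @param keycloakSession session of the current request; used to read the parsed request
     *                        object and to derive the realm issuer URL
     * @param componentModel  component configuration that backs this executor instance
     */
    public SecureRequestObjectExecutor(KeycloakSession keycloakSession, ComponentModel componentModel) {
        this.session = keycloakSession;
        this.componentModel = componentModel;
    }

    /**
     * Dispatches on the policy event; only {@code AUTHORIZATION_REQUEST} is handled,
     * every other event is ignored.
     *
     * @throws ClientPolicyException when the authorization request violates this policy
     */
    public void executeOnEvent(ClientPolicyContext clientPolicyContext) throws ClientPolicyException {
        if (clientPolicyContext.getEvent() != ClientPolicyEvent.AUTHORIZATION_REQUEST) {
            return;
        }
        AuthorizationRequestContext authzContext = (AuthorizationRequestContext) clientPolicyContext;
        executeOnAuthorizationRequest(
                authzContext.getparsedResponseType(),
                authzContext.getAuthorizationEndpointRequest(),
                authzContext.getRedirectUri(),
                authzContext.getRequestParameters());
    }

    /**
     * Runs the request-object checks listed on the class in order.
     *
     * @param parsedResponseType unused by this policy; kept for the shared executor signature
     * @param request            unused by this policy; kept for the shared executor signature
     * @param redirectUri        unused by this policy; kept for the shared executor signature
     * @param params             raw query/form parameters of the authorization request
     * @throws ClientPolicyException on the first failed check
     */
    private void executeOnAuthorizationRequest(OIDCResponseType parsedResponseType,
            AuthorizationEndpointRequest request, String redirectUri,
            MultivaluedMap<String, String> params) throws ClientPolicyException {
        ClientPolicyLogger.log(logger, "Authz Endpoint - authz request");
        if (params == null) {
            ClientPolicyLogger.log(logger, "request parameter not exist.");
            throw new ClientPolicyException("invalid_request", "Missing parameters");
        }
        JsonNode requestObject = requireRequestObject(params);
        requireScope(params, requestObject);
        verifyExpiration(requestObject);
        verifyAudience(requestObject);
        verifyQueryParametersMatch(params, requestObject);
        ClientPolicyLogger.log(logger, "Passed.");
    }

    /**
     * Ensures the request advertised a request object and that the parser stored a
     * non-empty parsed copy in the session.
     *
     * @return the parsed request object
     * @throws ClientPolicyException when neither {@code request} nor {@code request_uri} was
     *                               sent, or no parsed object is available
     */
    private JsonNode requireRequestObject(MultivaluedMap<String, String> params) throws ClientPolicyException {
        String requestParam = params.getFirst(OIDCLoginProtocol.REQUEST_PARAM);
        String requestUriParam = params.getFirst(OIDCLoginProtocol.REQUEST_URI_PARAM);
        if (requestParam == null && requestUriParam == null) {
            ClientPolicyLogger.log(logger, "request object not exist.");
            throw new ClientPolicyException("invalid_request", "Invalid parameter");
        }
        // The endpoint parser is expected to have already resolved request/request_uri
        // into this session attribute; this executor never fetches or decodes it itself.
        JsonNode requestObject = (JsonNode) session.getAttribute(AuthzEndpointRequestParser.AUTHZ_REQUEST_OBJECT);
        if (requestObject == null || requestObject.isEmpty()) {
            ClientPolicyLogger.log(logger, "request object not exist.");
            throw new ClientPolicyException("invalid_request", "Invalid parameter");
        }
        return requestObject;
    }

    /**
     * Requires {@code scope} in both the query string and the request object.
     *
     * @throws ClientPolicyException when either copy is missing
     */
    private static void requireScope(MultivaluedMap<String, String> params, JsonNode requestObject)
            throws ClientPolicyException {
        if (params.getFirst("scope") == null || requestObject.get("scope") == null) {
            ClientPolicyLogger.log(logger, "scope does not exists.");
            throw new ClientPolicyException("invalid_request", "Missing parameter : scope");
        }
    }

    /**
     * Requires an {@code exp} claim that still lies in the future.
     *
     * @throws ClientPolicyException when {@code exp} is absent or the object has expired
     */
    private static void verifyExpiration(JsonNode requestObject) throws ClientPolicyException {
        JsonNode exp = requestObject.get("exp");
        if (exp == null) {
            ClientPolicyLogger.log(logger, "exp claim not incuded.");
            throw new ClientPolicyException(INVALID_REQUEST_OBJECT, "Missing parameter : exp");
        }
        // RFC 7519 §4.1.4: the current time MUST be strictly before exp, so now == exp is
        // already expired (the previous strict ">" accepted that boundary second).
        // A non-numeric exp coerces to a small value via asLong() and is rejected here too.
        if (Time.currentTime() >= exp.asLong()) {
            ClientPolicyLogger.log(logger, "request object expired.");
            throw new ClientPolicyException(INVALID_REQUEST_OBJECT, "Request Expired");
        }
    }

    /**
     * Requires an {@code aud} claim (string or array) that contains this realm's issuer URL.
     *
     * @throws ClientPolicyException when {@code aud} is absent, empty, or does not name the realm
     */
    private void verifyAudience(JsonNode requestObject) throws ClientPolicyException {
        JsonNode aud = requestObject.get("aud");
        if (aud == null) {
            ClientPolicyLogger.log(logger, "aud claim not incuded.");
            throw new ClientPolicyException(INVALID_REQUEST_OBJECT, "Missing parameter : aud");
        }
        List<String> audiences = new ArrayList<>();
        if (aud.isArray()) {
            for (JsonNode entry : aud) {
                audiences.add(entry.asText());
            }
        } else {
            audiences.add(aud.asText());
        }
        if (audiences.isEmpty()) {
            ClientPolicyLogger.log(logger, "aud claim not incuded.");
            throw new ClientPolicyException(INVALID_REQUEST_OBJECT, "Missing parameter : aud");
        }
        // Exact string comparison against the issuer built from this request's base URI;
        // NOTE(review): behind a reverse proxy this relies on Keycloak seeing the public
        // scheme/host the client used when it minted the object — confirm proxy headers.
        String issuer = Urls.realmIssuer(session.getContext().getUri().getBaseUri(),
                session.getContext().getRealm().getName());
        if (!audiences.contains(issuer)) {
            ClientPolicyLogger.log(logger, "aud not points to the intended realm.");
            throw new ClientPolicyException(INVALID_REQUEST_OBJECT, "Invalid parameter : aud");
        }
    }

    /**
     * Requires every known authorization parameter present in the query string to be
     * mirrored in the request object with an identical value, so a caller cannot smuggle
     * a different value outside the (signed) object.
     *
     * @throws ClientPolicyException when any such parameter is missing from the object or differs
     */
    private static void verifyQueryParametersMatch(MultivaluedMap<String, String> params, JsonNode requestObject)
            throws ClientPolicyException {
        boolean mismatch = AuthzEndpointRequestParser.KNOWN_REQ_PARAMS.stream()
                .filter(name -> params.containsKey(name))
                .anyMatch(name -> !isSameParameterIncluded(name, params.getFirst(name), requestObject));
        if (mismatch) {
            ClientPolicyLogger.log(logger, "not all parameters in query string are included in the request object, and have the same values.");
            throw new ClientPolicyException("invalid_request", "Invalid parameter");
        }
    }

    /**
     * @return {@code true} when {@code name} is one of the request-object transport parameters
     *         (the object cannot contain itself), or the object holds a non-null claim of that
     *         name whose text form equals {@code queryValue}
     */
    private static boolean isSameParameterIncluded(String name, String queryValue, JsonNode requestObject) {
        if (name.equals(OIDCLoginProtocol.REQUEST_PARAM) || name.equals(OIDCLoginProtocol.REQUEST_URI_PARAM)) {
            return true;
        }
        if (!requestObject.hasNonNull(name)) {
            return false;
        }
        // asText() on a non-textual node (array/object) yields a value that will not match,
        // so structurally different claims are rejected rather than coerced.
        return requestObject.get(name).asText().equals(queryValue);
    }

    public String getName() {
        return this.componentModel.getName();
    }

    public String getProviderId() {
        return this.componentModel.getProviderId();
    }
}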
