package org.keycloak.protocol.oidc.par.endpoints;

import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.common.Profile;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.headers.SecurityHeadersProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.PushedAuthzRequestStoreProvider;
import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
import org.keycloak.protocol.oidc.endpoints.AuthorizationEndpointChecker;
import org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequest;
import org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequestParserProcessor;
import org.keycloak.protocol.oidc.grants.ciba.clientpolicy.executor.SecureCibaSignedAuthenticationRequestExecutor;
import org.keycloak.protocol.oidc.par.ParResponse;
import org.keycloak.protocol.oidc.par.clientpolicy.context.PushedAuthorizationRequestContext;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.resources.Cors;
import org.keycloak.utils.MediaType;
import org.keycloak.utils.ProfileHelper;

/* loaded from: input_file:org/keycloak/protocol/oidc/par/endpoints/ParEndpoint.class */
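/**
 * OAuth 2.0 Pushed Authorization Request (PAR) endpoint.
 *
 * <p>Accepts the authorization request parameters as a form POST from an authenticated client,
 * runs the same validation the authorization endpoint applies, stores the parameters under a
 * fresh UUID in the {@link PushedAuthzRequestStoreProvider} and answers with a {@link ParResponse}
 * carrying the opaque {@code request_uri} and its lifespan.
 *
 * <p>Every validation failure is reported through {@code throwErrorResponseException} (inherited
 * from {@link AbstractParEndpoint}) with the OAuth error code the failing check produced; only the
 * request-parsing step is wrapped in a catch-all so that those already-formed error responses are
 * not re-labelled as {@code invalid_request_object}.
 */
public class ParEndpoint extends AbstractParEndpoint {
    /** Key under which the creation timestamp (epoch millis as a string) is stored next to the pushed parameters. */
    public static final String PAR_CREATED_TIME = "par.created.time";
    /** Prefix of every {@code request_uri} issued by this endpoint; the UUID key follows it. */
    private static final String REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:";
    /** Length of {@link #REQUEST_URI_PREFIX}; presumably used by the consumer of the request_uri to recover the UUID. */
    public static final int REQUEST_URI_PREFIX_LENGTH = REQUEST_URI_PREFIX.length();

    /** Injected by the JAX-RS runtime; source of the decoded form parameters and of the CORS origin. */
    @Context
    private HttpRequest httpRequest;
    /** The parsed authorization request; set by {@link #request()} once parsing succeeded. */
    private AuthorizationEndpointRequest authorizationRequest;

    /**
     * Builds the URL of the PAR endpoint below the token service base of the given builder.
     *
     * @param uriBuilder builder positioned at the realm's base URL
     * @return the builder pointing at the {@code request} path of {@link ParRootEndpoint}
     */
    public static UriBuilder parUrl(UriBuilder uriBuilder) {
        return OIDCLoginProtocolService.tokenServiceBaseUrl(uriBuilder)
                .path(OIDCLoginProtocolService.class, "resolveExtension")
                .resolveTemplate("extension", ParRootEndpoint.PROVIDER_ID, false)
                .path(ParRootEndpoint.class, "request");
    }

    /**
     * @param keycloakSession the current session, forwarded to {@link AbstractParEndpoint}
     * @param eventBuilder    the event builder used to record the PAR event
     */
    public ParEndpoint(KeycloakSession keycloakSession, EventBuilder eventBuilder) {
        super(keycloakSession, eventBuilder);
    }

    /**
     * Handles a pushed authorization request.
     *
     * <p>Order of processing: feature/SSL/realm checks, client authentication, rejection of a
     * {@code request_uri} parameter (a PAR must not reference another PAR), parsing of the
     * authorization request, the authorization-endpoint checks (redirect_uri, response_type, scope,
     * request object and OIDC/PKCE parameters), client-policy execution and finally persistence.
     *
     * @return {@code 201 Created} with a JSON {@link ParResponse} body
     * @throws org.keycloak.services.CorsErrorResponseException (via {@code throwErrorResponseException})
     *         with {@code invalid_request}, {@code invalid_request_object} or the client-policy error
     *         code when any step fails
     */
    @Path("/")
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public Response request() {
        ProfileHelper.requireFeature(Profile.Feature.PAR);
        this.cors = Cors.add(this.httpRequest).auth().allowedMethods("POST").auth().exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS);
        this.event.event(EventType.PUSHED_AUTHORIZATION_REQUEST);
        checkSsl();
        checkRealm();
        authorizeClient();

        if (this.httpRequest.getDecodedFormParameters().containsKey("request_uri")) {
            throw throwErrorResponseException("invalid_request", "It is not allowed to include request_uri to PAR.", Response.Status.BAD_REQUEST);
        }

        // Only the parsing step gets the catch-all. The checks below raise exceptions that already
        // carry their own OAuth error code, and wrapping them here would turn every one of them into
        // invalid_request_object.
        try {
            this.authorizationRequest = AuthorizationEndpointRequestParserProcessor.parseRequest(this.event, this.session, this.client, this.httpRequest.getDecodedFormParameters());
        } catch (Exception e) {
            // NOTE(review): the parser's exception message is echoed to the client as error_description;
            // a fixed message would avoid exposing parser internals — confirm with existing tests before changing.
            throw throwErrorResponseException(SecureCibaSignedAuthenticationRequestExecutor.INVALID_REQUEST_OBJECT, e.getMessage(), Response.Status.BAD_REQUEST);
        }

        AuthorizationEndpointChecker checker = new AuthorizationEndpointChecker()
                .event(this.event)
                .client(this.client)
                .realm(this.realm)
                .request(this.authorizationRequest)
                .session(this.session);

        try {
            checker.checkRedirectUri();
        } catch (AuthorizationEndpointChecker.AuthorizationCheckException ex) {
            throw throwErrorResponseException("invalid_request", "Invalid parameter: redirect_uri", Response.Status.BAD_REQUEST);
        }

        try {
            checker.checkResponseType();
        } catch (AuthorizationEndpointChecker.AuthorizationCheckException ex) {
            // An unsupported response type is reported as invalid_request; any other failure keeps
            // the checker's own error code.
            if ("unsupported_response_type".equals(ex.getError())) {
                throw throwErrorResponseException("invalid_request", "Unsupported response type", Response.Status.BAD_REQUEST);
            }
            ex.throwAsCorsErrorResponseException(this.cors);
        }

        try {
            checker.checkValidScope();
        } catch (AuthorizationEndpointChecker.AuthorizationCheckException ex) {
            throw throwErrorResponseException("invalid_request", ex.getErrorDescription(), Response.Status.BAD_REQUEST);
        }

        try {
            checker.checkInvalidRequestMessage();
            checker.checkOIDCRequest();
            checker.checkOIDCParams();
            checker.checkPKCEParams();
        } catch (AuthorizationEndpointChecker.AuthorizationCheckException ex) {
            ex.throwAsCorsErrorResponseException(this.cors);
        }

        try {
            this.session.clientPolicy().triggerOnEvent(new PushedAuthorizationRequestContext(this.authorizationRequest, this.httpRequest.getDecodedFormParameters()));
        } catch (ClientPolicyException cpe) {
            throw throwErrorResponseException(cpe.getError(), cpe.getErrorDetail(), Response.Status.BAD_REQUEST);
        }

        return storePushedRequest();
    }

    /**
     * Persists the validated form parameters under a fresh UUID and builds the 201 response.
     *
     * @return {@code 201 Created} whose entity is the {@link ParResponse} holding the request_uri
     *         and the lifespan taken from the realm's PAR policy (presumably seconds; see ParResponse)
     */
    private Response storePushedRequest() {
        Map<String, String> params = new HashMap<>();
        // A form field may carry several values. They are joined with ", " — the separator
        // String.valueOf(List) produced before — but without stripping '[' and ']', which the previous
        // bracket removal also deleted from legitimate values such as a JSON "claims" parameter.
        this.httpRequest.getDecodedFormParameters().forEach((name, values) ->
                params.put(name, values == null ? "" : String.join(", ", values)));
        // NOTE(review): every form field is copied, so client-authentication fields (e.g. a posted
        // client_secret) end up in the store as well — confirm whether they should be filtered out.
        params.put(PAR_CREATED_TIME, String.valueOf(System.currentTimeMillis()));

        UUID key = UUID.randomUUID();
        String requestUri = REQUEST_URI_PREFIX + key;
        int expiresIn = this.realm.getParPolicy().getRequestUriLifespan();
        this.session.getProvider(PushedAuthzRequestStoreProvider.class).put(key, expiresIn, params);

        ParResponse parResponse = new ParResponse(requestUri, expiresIn);
        // Presumably relaxes the security-headers check for an empty Content-Type — see SecurityHeadersProvider.
        this.session.getProvider(SecurityHeadersProvider.class).options().allowEmptyContentType();
        return this.cors.builder(Response.status(Response.Status.CREATED)
                .entity(parResponse)
                .type(javax.ws.rs.core.MediaType.APPLICATION_JSON_TYPE)).build();
    }
}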
