package org.keycloak.services.clientpolicy.executor;

import com.fasterxml.jackson.annotation.JsonProperty;
import java.text.SimpleDateFormat;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.util.Objects;
import org.jboss.logging.Logger;
import org.keycloak.common.util.Time;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCClientSecretConfigWrapper;
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.ClientCRUDContext;
import org.keycloak.services.clientpolicy.context.ClientSecretRotationContext;
import org.keycloak.services.clientpolicy.context.DynamicClientUpdatedContext;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;

/* loaded from: input_file:org/keycloak/services/clientpolicy/executor/ClientSecretRotationExecutor.class */
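/**
 * Client policy executor that enforces client secret rotation for confidential clients.
 *
 * <p>On client registration/update it makes sure the client's secret carries an expiration
 * time, rotates the secret once that time has passed (or when rotation is explicitly
 * forced through a {@link ClientSecretRotationContext}), and optionally keeps the previous
 * secret valid for a grace period so that deployments can roll the secret over without an
 * outage. On authorization/token requests it only back-fills a missing expiration time; it
 * never rotates there, so a secret cannot change underneath an in-flight login.
 *
 * <p>Public and bearer-only clients own no usable secret and are ignored entirely.
 */
public class ClientSecretRotationExecutor implements ClientPolicyExecutorProvider<Configuration> {

    private static final Logger logger = Logger.getLogger(ClientSecretRotationExecutor.class);

    /** Session attribute flagging that a rotation-aware policy is active for the current client. */
    private static final String CLIENT_SECRET_ROTATION_ENABLED_ATTR = "client.secret.rotation.enabled";

    /** Timestamp layout for debug output; DateTimeFormatter is immutable and thread-safe. */
    private static final DateTimeFormatter DEBUG_DATE_FORMAT = DateTimeFormatter.ofPattern("yyyy/MM/dd HH:mm:ss");

    private final KeycloakSession session;
    private Configuration configuration;

    /**
     * Executor configuration. All periods are expressed in seconds.
     */
    public static class Configuration extends ClientPolicyExecutorConfigurationRepresentation {

        /** Lifetime of a freshly (re)generated client secret. */
        @JsonProperty(ClientSecretRotationExecutorFactory.SECRET_EXPIRATION_PERIOD)
        protected Integer expirationPeriod;

        /** Window before expiration in which a dynamic-client update already triggers rotation. */
        @JsonProperty(ClientSecretRotationExecutorFactory.SECRET_REMAINING_ROTATION_PERIOD)
        protected Integer remainExpirationPeriod;

        /** Grace period the previous secret stays valid after rotation; {@code <= 0} disables it. */
        @JsonProperty(ClientSecretRotationExecutorFactory.SECRET_ROTATED_EXPIRATION_PERIOD)
        private Integer rotatedExpirationPeriod;

        /**
         * Checks that the periods are mutually consistent: the secret lifetime must be positive and
         * neither the rotated-secret grace period nor the remaining-rotation window may exceed it.
         * Properties left unset are evaluated with the same defaults that
         * {@link #parseWithDefaultValues()} fills in, rather than failing with a
         * {@link NullPointerException}. The instance itself is not modified.
         *
         * @return {@code true} when the configuration is acceptable
         */
        public boolean validateConfig() {
            ClientSecretRotationExecutor.logger.debugv(
                    "Validating configuration: [ expirationPeriod: {0}, rotatedExpirationPeriod: {1}, remainExpirationPeriod: {2} ]",
                    expirationPeriod, rotatedExpirationPeriod, remainExpirationPeriod);
            int expiration = orDefault(expirationPeriod,
                    ClientSecretRotationExecutorFactory.DEFAULT_SECRET_EXPIRATION_PERIOD);
            int rotatedLifetime = orDefault(rotatedExpirationPeriod,
                    ClientSecretRotationExecutorFactory.DEFAULT_SECRET_ROTATED_EXPIRATION_PERIOD);
            int remainingWindow = orDefault(remainExpirationPeriod,
                    ClientSecretRotationExecutorFactory.DEFAULT_SECRET_REMAINING_ROTATION_PERIOD);
            return expiration > 0 && rotatedLifetime <= expiration && remainingWindow <= expiration;
        }

        /** Returns {@code value}, or {@code fallback} when the property was not supplied. */
        private static int orDefault(Integer value, Integer fallback) {
            return value != null ? value : fallback;
        }

        public Integer getExpirationPeriod() {
            return expirationPeriod;
        }

        public void setExpirationPeriod(Integer expirationPeriod) {
            this.expirationPeriod = expirationPeriod;
        }

        public Integer getRemainExpirationPeriod() {
            return remainExpirationPeriod;
        }

        public void setRemainExpirationPeriod(Integer remainExpirationPeriod) {
            this.remainExpirationPeriod = remainExpirationPeriod;
        }

        public Integer getRotatedExpirationPeriod() {
            return rotatedExpirationPeriod;
        }

        public void setRotatedExpirationPeriod(Integer rotatedExpirationPeriod) {
            this.rotatedExpirationPeriod = rotatedExpirationPeriod;
        }

        /**
         * Fills every unset period with the factory default.
         *
         * @return this instance, for chaining
         */
        public Configuration parseWithDefaultValues() {
            if (expirationPeriod == null) {
                setExpirationPeriod(ClientSecretRotationExecutorFactory.DEFAULT_SECRET_EXPIRATION_PERIOD);
            }
            if (remainExpirationPeriod == null) {
                setRemainExpirationPeriod(ClientSecretRotationExecutorFactory.DEFAULT_SECRET_REMAINING_ROTATION_PERIOD);
            }
            if (rotatedExpirationPeriod == null) {
                setRotatedExpirationPeriod(ClientSecretRotationExecutorFactory.DEFAULT_SECRET_ROTATED_EXPIRATION_PERIOD);
            }
            return this;
        }
    }

    public ClientSecretRotationExecutor(KeycloakSession session) {
        this.session = session;
    }

    @Override
    public String getProviderId() {
        return ClientSecretRotationExecutorFactory.PROVIDER_ID;
    }

    @Override
    public Class<Configuration> getExecutorConfigurationClass() {
        return Configuration.class;
    }

    /**
     * Dispatches on the policy event. Create/update events may rotate the secret; auth/token
     * events only ensure an expiration time exists. Every other event is ignored. The switch is
     * on the enum itself rather than on hard-coded ordinals, so it cannot silently break if the
     * enum is reordered.
     *
     * @param context the policy context; for REGISTERED/UPDATED it must be a {@link ClientCRUDContext}
     */
    @Override
    public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
        ClientModel currentClient = session.getContext().getClient();
        switch (context.getEvent()) {
            case REGISTERED:
            case UPDATED:
                if (isClientWithSecret(currentClient)) {
                    session.setAttribute(CLIENT_SECRET_ROTATION_ENABLED_ATTR, Boolean.TRUE);
                    executeOnClientCreateOrUpdate((ClientCRUDContext) context);
                }
                break;
            case AUTHORIZATION_REQUEST:
            case TOKEN_REQUEST:
                if (isClientWithSecret(currentClient)) {
                    session.setAttribute(CLIENT_SECRET_ROTATION_ENABLED_ATTR, Boolean.TRUE);
                    executeOnAuthRequest();
                }
                break;
            default:
                break;
        }
    }

    /** Installs the configuration, substituting defaults for a missing object or missing fields. */
    @Override
    public void setupConfiguration(Configuration configuration) {
        Configuration effective = configuration == null ? new Configuration() : configuration;
        this.configuration = effective.parseWithDefaultValues();
    }

    /** Only confidential clients carry a secret worth rotating. */
    private boolean isClientWithSecret(ClientModel client) {
        if (client == null) {
            return false;
        }
        return !client.isPublicClient() && !client.isBearerOnly();
    }

    /**
     * Auth/token path: back-fill an expiration time for clients created before the policy
     * was enabled. Deliberately never rotates, so the secret used by this request stays valid.
     */
    private void executeOnAuthRequest() {
        OIDCClientSecretConfigWrapper secretConfig =
                OIDCClientSecretConfigWrapper.fromClientModel(session.getContext().getClient());
        if (!secretConfig.hasClientSecretExpirationTime()) {
            updatedSecretExpiration(secretConfig);
        }
    }

    /**
     * Create/update path. Rotates when rotation is explicitly requested, when the secret has
     * already expired, or when it carries no expiration yet (first enrolment, which only stamps
     * an expiration and keeps the existing secret). A dynamic-client update additionally rotates
     * early once the remaining-rotation window has been entered.
     */
    private void executeOnClientCreateOrUpdate(ClientCRUDContext crudContext) {
        OIDCClientSecretConfigWrapper secretConfig =
                OIDCClientSecretConfigWrapper.fromClientModel(crudContext.getTargetClient());
        logger.debugv(
                "Executing policy {0} for client {1}-{2} with configuration [ expirationPeriod: {3}, rotatedExpirationPeriod: {4}, remainExpirationPeriod: {5} ]",
                new Object[]{getName(), secretConfig.getId(), secretConfig.getName(),
                        configuration.getExpirationPeriod(), configuration.getRotatedExpirationPeriod(),
                        configuration.getRemainExpirationPeriod()});

        boolean mustRotate = crudContext instanceof ClientSecretRotationContext
                || secretConfig.isClientSecretExpired()
                || !secretConfig.hasClientSecretExpirationTime();
        if (mustRotate) {
            rotateSecret(crudContext, secretConfig);
            return;
        }

        if (crudContext instanceof DynamicClientUpdatedContext) {
            // Start of the window in which a dynamic-client update is allowed to rotate early.
            int rotationWindowStart =
                    secretConfig.getClientSecretExpirationTime() - configuration.getRemainExpirationPeriod();
            debugDynamicInfo(secretConfig, rotationWindowStart);
            if (Time.currentTime() >= rotationWindowStart) {
                logger.debugv("Executing rotation for the dynamic client {0} due to remaining expiration time that starts at {1}",
                        crudContext.getTargetClient().getClientId(), Time.toDate(rotationWindowStart));
                rotateSecret(crudContext, secretConfig);
            }
        }
    }

    /** Formats an epoch-seconds value the way Keycloak's {@link Time} interprets it, for debug output only. */
    private static String formatDebugDate(int epochSeconds) {
        return DEBUG_DATE_FORMAT.format(Time.toDate(epochSeconds).toInstant().atZone(ZoneId.systemDefault()));
    }

    private void debugDynamicInfo(OIDCClientSecretConfigWrapper secretConfig, int rotationWindowStart) {
        if (!logger.isDebugEnabled()) {
            return;
        }
        int now = Time.currentTime();
        logger.debugv("client expiration time: {0}, remaining time: {1}, current time: {2}, Time offset: {3}",
                new Object[]{Integer.valueOf(secretConfig.getClientSecretExpirationTime()),
                        Integer.valueOf(rotationWindowStart), Integer.valueOf(now), Integer.valueOf(Time.getOffset())});
        logger.debugv("client expiration date: {0}, window remaining date: {1}, current date: {2}",
                formatDebugDate(secretConfig.getClientSecretExpirationTime()),
                formatDebugDate(rotationWindowStart),
                formatDebugDate(now));
    }

    /**
     * Performs the rotation itself.
     * <ul>
     *   <li>Forced rotation: the caller already produced the new secret; the previous one
     *       ({@code getCurrentSecret()}) is parked as the rotated secret.</li>
     *   <li>Regular rotation: the current secret becomes the rotated secret and a new one is
     *       generated on the target client.</li>
     *   <li>No expiration yet: only an expiration time is stamped; the secret is left alone.</li>
     * </ul>
     * In every case the proposed representation, if any, is updated so the response reflects
     * the new attributes.
     */
    private void rotateSecret(ClientCRUDContext crudContext, OIDCClientSecretConfigWrapper secretConfig) {
        if (crudContext instanceof ClientSecretRotationContext) {
            ClientSecretRotationContext rotationContext = (ClientSecretRotationContext) crudContext;
            if (rotationContext.isForceRotation()) {
                logger.debugv("Force rotation for client {0}", secretConfig.getId());
                updateRotateSecret(secretConfig, rotationContext.getCurrentSecret());
                updateClientConfigProperties(secretConfig);
            }
        } else if (secretConfig.hasClientSecretExpirationTime()) {
            logger.debugv("Execute typical secret rotation for client {0}", secretConfig.getId());
            updatedSecretExpiration(secretConfig);
            // Park the outgoing secret before a fresh one is generated on the same client model.
            updateRotateSecret(secretConfig, secretConfig.getSecret());
            KeycloakModelUtils.generateSecret(crudContext.getTargetClient());
            updateClientConfigProperties(secretConfig);
        } else {
            logger.debugv("client {0} has no secret rotation expiration time configured", secretConfig.getId());
            updatedSecretExpiration(secretConfig);
        }

        if (crudContext.getProposedClientRepresentation() != null) {
            secretConfig.updateClientRepresentationAttributes(crudContext.getProposedClientRepresentation());
        }
        // NOTE(review): confirm OIDCClientSecretConfigWrapper.toJson() does not serialize the secret
        // values themselves before relying on DEBUG logging where logs are not treated as secrets.
        logger.debugv("Client configured: {0}", secretConfig.toJson());
    }

    /** Sets the secret expiration to now + configured lifetime. */
    private void updatedSecretExpiration(OIDCClientSecretConfigWrapper secretConfig) {
        secretConfig.setClientSecretExpirationTime(
                Integer.valueOf(Time.currentTime() + configuration.getExpirationPeriod().intValue()));
        logger.debugv("A new secret expiration is configured for client {0}. Expires at {1}",
                secretConfig.getId(), Time.toDate(secretConfig.getClientSecretExpirationTime()));
    }

    /** Marks the secret as created now and refreshes its expiration. */
    private void updateClientConfigProperties(OIDCClientSecretConfigWrapper secretConfig) {
        secretConfig.setClientSecretCreationTime(Time.currentTime());
        updatedSecretExpiration(secretConfig);
    }

    /**
     * Stores {@code previousSecret} as the rotated secret with its own expiration when the
     * grace period is positive; otherwise clears any rotated secret so the old value stops
     * being accepted immediately.
     */
    private void updateRotateSecret(OIDCClientSecretConfigWrapper secretConfig, String previousSecret) {
        int gracePeriod = configuration.getRotatedExpirationPeriod().intValue();
        if (gracePeriod <= 0) {
            logger.debugv("Removing rotation for client {0}", secretConfig.getId());
            secretConfig.setClientRotatedSecret(null);
            secretConfig.setClientRotatedSecretCreationTime(null);
            secretConfig.setClientRotatedSecretExpirationTime(null);
            return;
        }
        secretConfig.setClientRotatedSecret(previousSecret);
        secretConfig.setClientRotatedSecretCreationTime();
        secretConfig.setClientRotatedSecretExpirationTime(Integer.valueOf(Time.currentTime() + gracePeriod));
        logger.debugv("Rotating the secret for client {0}. Secret creation at {1}. Secret expiration at {2}",
                secretConfig.getId(),
                Time.toDate(secretConfig.getClientRotatedSecretCreationTime()),
                Time.toDate(secretConfig.getClientRotatedSecretExpirationTime()));
    }
}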
