package org.keycloak.services.clientpolicy.executor;

import com.fasterxml.jackson.annotation.JsonProperty;
import jakarta.ws.rs.core.MultivaluedMap;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.regex.Pattern;
import org.keycloak.common.util.Base64Url;
import org.keycloak.crypto.SHA256HashProviderFactory;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequest;
import org.keycloak.protocol.oidc.utils.OAuth2Code;
import org.keycloak.protocol.oidc.utils.OAuth2CodeParser;
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.AuthorizationRequestContext;
import org.keycloak.services.clientpolicy.context.ClientCRUDContext;
import org.keycloak.services.clientpolicy.context.TokenRequestContext;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;

/* loaded from: input_file:org/keycloak/services/clientpolicy/executor/PKCEEnforcerExecutor.class */
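/**
 * Client-policy executor that enforces PKCE (RFC 7636) with the {@code S256} code challenge method.
 * <p>
 * The executor reacts to four client-policy events:
 * <ul>
 *   <li>{@code REGISTER} / {@code UPDATE}: optionally auto-configures the proposed client's PKCE
 *       method to {@code S256}, then rejects the client metadata unless that method is set;</li>
 *   <li>{@code AUTHORIZATION_REQUEST}: requires a {@code code_challenge_method} of {@code S256}
 *       (and, when the client has a configured method, the same one) plus a well-formed
 *       {@code code_challenge};</li>
 *   <li>{@code TOKEN_REQUEST}: requires a {@code code_verifier} and checks it against the challenge
 *       that was bound to the authorization code.</li>
 * </ul>
 * At token time the method recorded on the code is honoured: {@code S256} is re-derived via SHA-256,
 * anything else is compared as {@code plain}. Under this policy the authorization step only admits
 * {@code S256}, so codes issued under it carry that method.
 */
public class PKCEEnforcerExecutor implements ClientPolicyExecutorProvider<PKCEEnforcerExecutor.Configuration> {

    /** Character set allowed in a code_challenge: the RFC 7636 "unreserved" characters. */
    private static final Pattern VALID_CODE_CHALLENGE_PATTERN = Pattern.compile("^[0-9a-zA-Z\\-\\.~_]+$");
    /** Character set allowed in a code_verifier: the RFC 7636 "unreserved" characters. */
    private static final Pattern VALID_CODE_VERIFIER_PATTERN = Pattern.compile("^[0-9a-zA-Z\\-\\.~_]+$");
    /** RFC 7636 length bounds (inclusive) shared by code_verifier and code_challenge. */
    private static final int MIN_PKCE_LENGTH = 43;
    private static final int MAX_PKCE_LENGTH = 128;

    private final KeycloakSession session;
    private Configuration configuration;

    /** Executor configuration as deserialized from the client-policy JSON. */
    public static class Configuration extends ClientPolicyExecutorConfigurationRepresentation {

        /**
         * When true, clients being registered or updated have their PKCE method forced to
         * {@code S256} before validation. May be null when the key is absent from the JSON.
         */
        @JsonProperty("auto-configure")
        protected Boolean autoConfigure;

        public Boolean isAutoConfigure() {
            return this.autoConfigure;
        }

        public void setAutoConfigure(Boolean bool) {
            this.autoConfigure = bool;
        }
    }

    /**
     * @param keycloakSession session used to resolve the current client on authorization requests
     */
    public PKCEEnforcerExecutor(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    public void setupConfiguration(Configuration configuration) {
        this.configuration = configuration;
    }

    public Class<Configuration> getExecutorConfigurationClass() {
        return Configuration.class;
    }

    public String getProviderId() {
        return PKCEEnforcerExecutorFactory.PROVIDER_ID;
    }

    /**
     * Dispatches on the policy event; events other than the four handled here are ignored.
     *
     * @throws ClientPolicyException when the request or client metadata violates the PKCE policy
     */
    public void executeOnEvent(ClientPolicyContext clientPolicyContext) throws ClientPolicyException {
        switch (clientPolicyContext.getEvent()) {
            case REGISTER:
            case UPDATE: {
                ClientCRUDContext crudContext = (ClientCRUDContext) clientPolicyContext;
                // Fetch the representation once so auto-configuration and validation see the same object.
                ClientRepresentation proposed = crudContext.getProposedClientRepresentation();
                autoConfigure(proposed);
                validate(proposed);
                return;
            }
            case AUTHORIZATION_REQUEST: {
                AuthorizationRequestContext authzContext = (AuthorizationRequestContext) clientPolicyContext;
                executeOnAuthorizationRequest(authzContext.getparsedResponseType(),
                        authzContext.getAuthorizationEndpointRequest(), authzContext.getRedirectUri());
                return;
            }
            case TOKEN_REQUEST: {
                TokenRequestContext tokenContext = (TokenRequestContext) clientPolicyContext;
                executeOnTokenRequest(tokenContext.getParams(), tokenContext.getParseResult());
                return;
            }
            default:
                return;
        }
    }

    /** Forces the client's PKCE method to S256 when "auto-configure" is enabled. */
    private void autoConfigure(ClientRepresentation rep) {
        // A missing configuration or an absent/null flag means "off" rather than a NullPointerException
        // while unboxing.
        if (configuration != null && Boolean.TRUE.equals(configuration.isAutoConfigure())) {
            OIDCAdvancedConfigWrapper.fromClientRepresentation(rep)
                    .setPkceCodeChallengeMethod(OIDCLoginProtocol.PKCE_METHOD_S256);
        }
    }

    /**
     * Rejects client metadata whose PKCE method is unset or anything other than S256.
     *
     * @throws ClientPolicyException with {@link ErrorCodes#INVALID_CLIENT_METADATA}
     */
    private void validate(ClientRepresentation rep) throws ClientPolicyException {
        String configuredMethod = OIDCAdvancedConfigWrapper.fromClientRepresentation(rep).getPkceCodeChallengeMethod();
        if (!OIDCLoginProtocol.PKCE_METHOD_S256.equals(configuredMethod)) {
            throw new ClientPolicyException(ErrorCodes.INVALID_CLIENT_METADATA, "Invalid client metadata: code_challenge_method");
        }
    }

    /**
     * Checks the PKCE parameters of an authorization request. The checks run in order:
     * method present, method is S256, method matches the client's configured one (if any),
     * challenge present, challenge well-formed.
     *
     * @param responseType parsed response type (currently unused, kept for the context signature)
     * @param request      the parsed authorization request carrying code_challenge[_method]
     * @param redirectUri  the resolved redirect URI (currently unused)
     */
    private void executeOnAuthorizationRequest(OIDCResponseType responseType, AuthorizationEndpointRequest request,
            String redirectUri) throws ClientPolicyException {
        ClientModel client = this.session.getContext().getClient();
        String codeChallenge = request.getCodeChallenge();
        String codeChallengeMethod = request.getCodeChallengeMethod();
        String configuredMethod = OIDCAdvancedConfigWrapper.fromClientModel(client).getPkceCodeChallengeMethod();

        if (codeChallengeMethod == null) {
            throw new ClientPolicyException("invalid_request", "Missing parameter: code_challenge_method");
        }
        if (!isAcceptableCodeChallengeMethod(codeChallengeMethod)) {
            throw new ClientPolicyException("invalid_request", "Invalid parameter: invalid code_challenge_method");
        }
        if (configuredMethod != null && !codeChallengeMethod.equals(configuredMethod)) {
            throw new ClientPolicyException("invalid_request", "Invalid parameter: code challenge method is not configured one");
        }
        if (codeChallenge == null) {
            throw new ClientPolicyException("invalid_request", "Missing parameter: code_challenge");
        }
        if (!isValidPkceCodeChallenge(codeChallenge)) {
            throw new ClientPolicyException("invalid_request", "Invalid parameter: code_challenge");
        }
    }

    /** Only S256 is acceptable under this policy; "plain" is rejected at authorization time. */
    private boolean isAcceptableCodeChallengeMethod(String method) {
        return OIDCLoginProtocol.PKCE_METHOD_S256.equals(method);
    }

    /** A code_challenge is valid when it is 43..128 characters from the unreserved set. */
    private boolean isValidPkceCodeChallenge(String codeChallenge) {
        return hasPkceLength(codeChallenge) && VALID_CODE_CHALLENGE_PATTERN.matcher(codeChallenge).matches();
    }

    /**
     * Verifies the token request's code_verifier against the challenge stored with the code.
     *
     * @param params      form parameters of the token request
     * @param parseResult the parsed authorization code, whose payload holds the challenge and method
     */
    private void executeOnTokenRequest(MultivaluedMap<String, String> params, OAuth2CodeParser.ParseResult parseResult)
            throws ClientPolicyException {
        String codeVerifier = params.getFirst("code_verifier");
        OAuth2Code codeData = parseResult.getCodeData();
        // NOTE(review): codeData is presumably non-null once the token endpoint has accepted the code —
        // confirm against the caller. Guarded anyway so a code without a recorded challenge fails PKCE
        // verification instead of surfacing as a NullPointerException.
        String storedChallenge = codeData == null ? null : codeData.getCodeChallenge();
        String storedMethod = codeData == null ? null : codeData.getCodeChallengeMethod();
        checkParamsForPkceEnforcedClient(codeVerifier, storedChallenge, storedMethod);
    }

    /** A PKCE-enforced client must always send code_verifier. */
    private void checkParamsForPkceEnforcedClient(String codeVerifier, String codeChallenge, String codeChallengeMethod)
            throws ClientPolicyException {
        if (codeVerifier == null) {
            throw new ClientPolicyException("code_verifier_missing", "PKCE code verifier not specified");
        }
        verifyCodeVerifier(codeVerifier, codeChallenge, codeChallengeMethod);
    }

    /**
     * Derives the expected challenge from the verifier (SHA-256/base64url for S256, the verifier itself
     * otherwise) and compares it with the challenge bound to the code.
     *
     * @param codeVerifier        the verifier presented at the token endpoint
     * @param codeChallenge       the challenge stored with the authorization code (may be null)
     * @param codeChallengeMethod the method stored with the authorization code (may be null)
     * @throws ClientPolicyException "invalid_code_verifier" for a malformed verifier,
     *                               "pkce_verification_failed" when SHA-256 is unavailable or the
     *                               challenge does not match
     */
    private void verifyCodeVerifier(String codeVerifier, String codeChallenge, String codeChallengeMethod)
            throws ClientPolicyException {
        if (!isValidFormattedCodeVerifier(codeVerifier)) {
            throw new ClientPolicyException("invalid_code_verifier", "PKCE invalid code verifier");
        }

        String derivedChallenge;
        if (OIDCLoginProtocol.PKCE_METHOD_S256.equals(codeChallengeMethod)) {
            try {
                derivedChallenge = generateS256CodeChallenge(codeVerifier);
            } catch (NoSuchAlgorithmException e) {
                // SHA-256 missing from the JCA providers; report as a verification failure rather than a 500.
                throw new ClientPolicyException("pkce_verification_failed",
                        "PKCE code verification failed, not supported algorithm specified");
            }
        } else {
            // Any other (or absent) recorded method is treated as "plain": the verifier is the challenge.
            derivedChallenge = codeVerifier;
        }

        if (codeChallenge == null || !constantTimeEquals(codeChallenge, derivedChallenge)) {
            throw new ClientPolicyException("pkce_verification_failed", "PKCE verification failed");
        }
    }

    /** A code_verifier is valid when it is 43..128 characters from the unreserved set. */
    private boolean isValidFormattedCodeVerifier(String codeVerifier) {
        return hasPkceLength(codeVerifier) && VALID_CODE_VERIFIER_PATTERN.matcher(codeVerifier).matches();
    }

    /** Shared RFC 7636 length check for verifier and challenge. */
    private static boolean hasPkceLength(String value) {
        int length = value.length();
        return length >= MIN_PKCE_LENGTH && length <= MAX_PKCE_LENGTH;
    }

    /**
     * Compares two strings without short-circuiting on the first differing byte. UTF-8 encoding is
     * injective, so byte equality is exactly string equality.
     */
    private static boolean constantTimeEquals(String expected, String actual) {
        byte[] expectedBytes = expected.getBytes(StandardCharsets.UTF_8);
        byte[] actualBytes = actual.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expectedBytes, actualBytes);
    }

    /**
     * RFC 7636 §4.2: {@code BASE64URL(SHA256(ASCII(code_verifier)))}. The verifier has already been
     * restricted to ASCII, so encoding as ISO-8859-1 yields the same bytes as ASCII.
     *
     * @throws NoSuchAlgorithmException if no SHA-256 {@link MessageDigest} is available
     */
    private String generateS256CodeChallenge(String codeVerifier) throws NoSuchAlgorithmException {
        MessageDigest digest = MessageDigest.getInstance(SHA256HashProviderFactory.ID);
        digest.update(codeVerifier.getBytes(StandardCharsets.ISO_8859_1));
        return Base64Url.encode(digest.digest());
    }
}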
