package org.keycloak.services.clientpolicy.executor;

import com.fasterxml.jackson.annotation.JsonProperty;
import java.net.URI;
import java.util.Collection;
import java.util.Map;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.AdminClientRegisteredContext;
import org.keycloak.services.clientpolicy.context.AdminClientUpdatedContext;
import org.keycloak.services.clientpolicy.context.SamlAuthnRequestContext;
import org.keycloak.services.clientpolicy.context.SamlLogoutRequestContext;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;
import org.keycloak.utils.StringUtil;

/* loaded from: input_file:org/keycloak/services/clientpolicy/executor/SamlSecureClientUrisExecutor.class */
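/**
 * Client-policy executor that forces SAML clients to use secure (https) URLs.
 *
 * <p>It runs in two situations:
 * <ul>
 *   <li>on admin-driven client registration/update, every URL-bearing field of a SAML client
 *       (root, master SAML processing, home, valid redirect URIs and the SAML endpoint attributes)
 *       must start with {@code https:}; optionally, trailing-wildcard redirect URIs are rejected;</li>
 *   <li>on an incoming SAML AuthnRequest/LogoutRequest, the URLs the IdP would redirect the browser
 *       to must start with {@code https:}.</li>
 * </ul>
 *
 * <p>Security notes: the scheme check is a plain, case-sensitive prefix test on the raw string, so a
 * blank/absent URL is skipped (this executor does not require URLs to be configured, only that configured
 * ones are https) and a valid-but-upper-case {@code HTTPS://} scheme is rejected (fail-closed). The check does
 * not validate that the string is a well-formed URL. Other executors/endpoints are expected to validate that
 * request URLs match the client's registered URIs; that is not done here.
 */
public class SamlSecureClientUrisExecutor implements ClientPolicyExecutorProvider<Configuration> {

    /** Only raw strings starting with this (case-sensitive) prefix pass the scheme check. */
    private static final String HTTPS_PREFIX = "https:";

    /** Protocol name of the clients inspected on registration/update. */
    private static final String SAML_PROTOCOL = "saml";

    /** Error code attached to violations found while processing a SAML request (not client metadata). */
    private static final String INVALID_REQUEST = "invalid_request";

    /**
     * Client attributes holding SAML endpoint URLs, mapped to the label used in the error message.
     * Registration/update checks every entry; the request-time checks use ordered subsets of these keys.
     */
    private static final Map<String, String> SAML_ENDPOINT_LABELS = Map.of(
            SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE, "Assertion Consumer Service POST Binding URL",
            SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE, "Assertion Consumer Service Redirect Binding URL",
            SamlProtocol.SAML_ASSERTION_CONSUMER_URL_ARTIFACT_ATTRIBUTE, "Artifact Binding URL",
            SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE, "Logout Service POST Binding URL",
            SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_ATTRIBUTE, "Logout Service ARTIFACT Binding URL",
            SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE, "Logout Service Redirect Binding URL",
            SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_SOAP_ATTRIBUTE, "Logout Service SOAP Binding URL",
            SamlProtocol.SAML_ARTIFACT_RESOLUTION_SERVICE_URL_ATTRIBUTE, "Artifact Resolution Service");

    private final KeycloakSession session;

    /** Executor configuration; may be null if {@link #setupConfiguration} was never called (treated as defaults). */
    private Configuration config;

    /**
     * Executor configuration. The only option is whether trailing-wildcard redirect URIs
     * (e.g. {@code https://app.example.com/*}) are tolerated; the default is {@code false} (rejected).
     */
    public static class Configuration extends ClientPolicyExecutorConfigurationRepresentation {

        @JsonProperty("allow-wildcard-redirects")
        protected boolean allowWildcardRedirects;

        /** Default configuration: wildcard redirect URIs are rejected. */
        public Configuration() {
            this(false);
        }

        /** @param allowWildcardRedirects whether redirect URIs ending in {@code *} are accepted */
        public Configuration(boolean allowWildcardRedirects) {
            this.allowWildcardRedirects = allowWildcardRedirects;
        }

        // NOTE: the misspelled accessor names are part of the public API and are kept for compatibility.
        public boolean isAllowWildcardResirects() {
            return this.allowWildcardRedirects;
        }

        public void setAllowWildcardResirects(boolean allowWildcardRedirects) {
            this.allowWildcardRedirects = allowWildcardRedirects;
        }
    }

    public SamlSecureClientUrisExecutor(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    public Class<Configuration> getExecutorConfigurationClass() {
        return Configuration.class;
    }

    public void setupConfiguration(Configuration configuration) {
        this.config = configuration;
    }

    public String getProviderId() {
        return SamlSecureClientUrisExecutorFactory.PROVIDER_ID;
    }

    /**
     * Dispatches on the policy event. Events other than the four handled here are ignored on purpose.
     *
     * @throws ClientPolicyException when a URL fails the https check or (on register/update, when
     *         wildcards are disallowed) a redirect URI ends with a wildcard
     */
    public void executeOnEvent(ClientPolicyContext clientPolicyContext) throws ClientPolicyException {
        // Switch on the enum itself rather than a decompiler-generated ordinal table.
        switch (clientPolicyContext.getEvent()) {
            case REGISTERED:
                confirmSecureUris(((AdminClientRegisteredContext) clientPolicyContext).getTargetClient());
                break;
            case UPDATED:
                confirmSecureUris(((AdminClientUpdatedContext) clientPolicyContext).getTargetClient());
                break;
            case SAML_AUTHN_REQUEST:
                confirmLoginRedirectUri((SamlAuthnRequestContext) clientPolicyContext);
                break;
            case SAML_LOGOUT_REQUEST:
                confirmLogoutRedirectUri((SamlLogoutRequestContext) clientPolicyContext);
                break;
            default:
                break;
        }
    }

    /**
     * AuthnRequest: if the request carries its own AssertionConsumerServiceURL, only that URL is checked
     * (the client's configured ACS URLs are not consulted). Otherwise the client's master processing URL
     * and its three ACS binding URLs are checked, in that order.
     * Whether a request-supplied ACS URL matches the client's registered URIs is not verified here;
     * NOTE(review): presumably enforced by the SAML endpoint — confirm.
     */
    private void confirmLoginRedirectUri(SamlAuthnRequestContext samlAuthnRequestContext) throws ClientPolicyException {
        URI requestedAcsUrl = samlAuthnRequestContext.getRequest().getAssertionConsumerServiceURL();
        if (requestedAcsUrl != null) {
            confirmSecureUri(requestedAcsUrl.toString(), "AssertionConsumerServiceURL", INVALID_REQUEST);
            return;
        }
        ClientModel client = samlAuthnRequestContext.getClient();
        confirmSecureUri(client.getManagementUrl(), "Master SAML Processing URL", INVALID_REQUEST);
        confirmSecureClientAttributes(client, INVALID_REQUEST,
                SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE,
                SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE,
                SamlProtocol.SAML_ASSERTION_CONSUMER_URL_ARTIFACT_ATTRIBUTE);
    }

    /**
     * LogoutRequest: the client's master processing URL and its four single-logout binding URLs are
     * checked, in that order. A LogoutRequest carries no per-request destination, so only client
     * configuration is consulted.
     */
    private void confirmLogoutRedirectUri(SamlLogoutRequestContext samlLogoutRequestContext) throws ClientPolicyException {
        ClientModel client = samlLogoutRequestContext.getClient();
        confirmSecureUri(client.getManagementUrl(), "Master SAML Processing URL", INVALID_REQUEST);
        confirmSecureClientAttributes(client, INVALID_REQUEST,
                SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE,
                SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_ATTRIBUTE,
                SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE,
                SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_SOAP_ATTRIBUTE);
    }

    /**
     * Runs the https check on each named client attribute, in the order given, using the label from
     * {@link #SAML_ENDPOINT_LABELS} in the error message.
     */
    private void confirmSecureClientAttributes(ClientModel client, String errorCode, String... attributeKeys)
            throws ClientPolicyException {
        for (String attributeKey : attributeKeys) {
            confirmSecureUri(client.getAttribute(attributeKey), SAML_ENDPOINT_LABELS.get(attributeKey), errorCode);
        }
    }

    /** Metadata-time variant: violations are reported with {@link ErrorCodes#INVALID_CLIENT_METADATA}. */
    private void confirmSecureUri(String url, String label) throws ClientPolicyException {
        confirmSecureUri(url, label, ErrorCodes.INVALID_CLIENT_METADATA);
    }

    /**
     * Rejects a non-blank URL that does not start with {@code https:}.
     *
     * <p>Null/blank values are accepted (an unset URL is not a violation). The test is a case-sensitive
     * prefix match on the raw string — no URL parsing is performed.
     *
     * @param url       raw URL string (may be null or blank)
     * @param label     human-readable field name for the error message
     * @param errorCode error code carried by the thrown exception
     * @throws ClientPolicyException when {@code url} is non-blank and not https
     */
    private void confirmSecureUri(String url, String label, String errorCode) throws ClientPolicyException {
        if (StringUtil.isBlank(url)) {
            return;
        }
        if (!url.startsWith(HTTPS_PREFIX)) {
            throw new ClientPolicyException(errorCode, "Non secure scheme for " + label);
        }
    }

    /**
     * Rejects a redirect URI that ends with {@code *} unless a {@code ?} or {@code #} appears in it
     * (a trailing {@code *} inside a query or fragment is not treated as a path wildcard).
     * Null values are skipped rather than dereferenced.
     */
    private void confirmNoWildcard(String redirectUri, String label) throws ClientPolicyException {
        if (redirectUri == null) {
            return;
        }
        boolean trailingWildcard = redirectUri.endsWith("*");
        boolean hasQueryOrFragment = redirectUri.contains("?") || redirectUri.contains("#");
        if (trailingWildcard && !hasQueryOrFragment) {
            throw new ClientPolicyException(ErrorCodes.INVALID_CLIENT_METADATA,
                    "Unsecure wildcard redirect " + redirectUri + " for " + label);
        }
    }

    /** Fail-closed: a missing configuration behaves like the default (wildcards rejected). */
    private boolean wildcardRedirectsAllowed() {
        return this.config != null && this.config.isAllowWildcardResirects();
    }

    /**
     * Checks every (already resolved) redirect URI for the https scheme and, unless the configuration
     * allows it, for a trailing wildcard. A null collection means nothing to check.
     */
    private void confirmRedirectUris(Collection<String> redirectUris, String label) throws ClientPolicyException {
        if (redirectUris == null) {
            return;
        }
        boolean rejectWildcards = !wildcardRedirectsAllowed();
        for (String redirectUri : redirectUris) {
            confirmSecureUri(redirectUri, label);
            if (rejectWildcards) {
                confirmNoWildcard(redirectUri, label);
            }
        }
    }

    /**
     * Registration/update check for SAML clients; clients of any other protocol are left alone.
     * Redirect URIs are first passed through {@code RedirectUtils.resolveValidRedirects} with the
     * client's root URL (presumably to expand relative entries) and the result is what gets checked.
     * The SAML endpoint attributes are only examined when the client exposes an attribute map.
     */
    private void confirmSecureUris(ClientModel clientModel) throws ClientPolicyException {
        if (!SAML_PROTOCOL.equals(clientModel.getProtocol())) {
            return;
        }
        confirmSecureUri(clientModel.getRootUrl(), "Root URL");
        confirmSecureUri(clientModel.getManagementUrl(), "Master SAML Processing URL");
        confirmSecureUri(clientModel.getBaseUrl(), "Home URL");
        confirmRedirectUris(
                RedirectUtils.resolveValidRedirects(this.session, clientModel.getRootUrl(), clientModel.getRedirectUris()),
                "Valid redirect URIs");
        if (clientModel.getAttributes() != null) {
            for (Map.Entry<String, String> endpoint : SAML_ENDPOINT_LABELS.entrySet()) {
                confirmSecureUri(clientModel.getAttribute(endpoint.getKey()), endpoint.getValue());
            }
        }
    }
}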
