package org.keycloak.services.clientpolicy.executor;

import java.util.List;
import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientregistration.ErrorCodes;

/* loaded from: input_file:org/keycloak/services/clientpolicy/executor/SecureClientAuthEnforceExecutor.class */
public class SecureClientAuthEnforceExecutor extends AbstractAugumentingClientRegistrationPolicyExecutor {
    private static final Logger logger = Logger.getLogger(SecureClientAuthEnforceExecutor.class);

    public SecureClientAuthEnforceExecutor(KeycloakSession keycloakSession, ComponentModel componentModel) {
        super(keycloakSession, componentModel);
    }

    @Override // org.keycloak.services.clientpolicy.executor.AbstractAugumentingClientRegistrationPolicyExecutor
    protected void augment(ClientRepresentation clientRepresentation) {
        if (Boolean.valueOf((String) this.componentModel.getConfig().getFirst("is-augment")).booleanValue()) {
            clientRepresentation.setClientAuthenticatorType(enforcedClientAuthenticatorType());
        }
    }

    @Override // org.keycloak.services.clientpolicy.executor.AbstractAugumentingClientRegistrationPolicyExecutor
    protected void validate(ClientRepresentation clientRepresentation) throws ClientPolicyException {
        verifyClientAuthenticationMethod(clientRepresentation.getClientAuthenticatorType());
    }

    private String enforcedClientAuthenticatorType() {
        return (String) this.componentModel.getConfig().getFirst(SecureClientAuthEnforceExecutorFactory.CLIENT_AUTHNS_AUGMENT);
    }

    private void verifyClientAuthenticationMethod(String str) throws ClientPolicyException {
        List list = this.componentModel.getConfig().getList(SecureClientAuthEnforceExecutorFactory.CLIENT_AUTHNS);
        if (list == null || !list.stream().anyMatch(str2 -> {
            return str2.equals(str);
        })) {
            throw new ClientPolicyException(ErrorCodes.INVALID_CLIENT_METADATA, "Invalid client metadata: token_endpoint_auth_method");
        }
    }
}
