package org.keycloak.services.clientpolicy.executor;

import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.JsonNode;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import javax.ws.rs.core.MultivaluedMap;
import org.jboss.logging.Logger;
import org.keycloak.common.util.Time;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.endpoints.request.AuthzEndpointRequestParser;
import org.keycloak.protocol.oidc.grants.ciba.clientpolicy.executor.SecureCibaSignedAuthenticationRequestExecutor;
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
import org.keycloak.services.Urls;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.AuthorizationRequestContext;
import org.keycloak.userprofile.DeclarativeUserProfileProvider;

/* loaded from: input_file:org/keycloak/services/clientpolicy/executor/SecureRequestObjectExecutor.class */
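public class SecureRequestObjectExecutor implements ClientPolicyExecutorProvider<Configuration> {
    private static final Logger logger = Logger.getLogger(SecureRequestObjectExecutor.class);

    /** Default upper bound, in seconds, on a request object's {@code exp - nbf} validity window. */
    public static final Integer DEFAULT_AVAILABLE_PERIOD = 3600;

    /** OAuth error code for request-object failures; shared with the CIBA signed-request executor. */
    private static final String INVALID_REQUEST_OBJECT = SecureCibaSignedAuthenticationRequestExecutor.INVALID_REQUEST_OBJECT;
    private static final String INVALID_REQUEST = "invalid_request";
    private static final String INVALID_REQUEST_URI = "invalid_request_uri";

    private final KeycloakSession session;
    private Configuration configuration;

    /**
     * Executor settings. Any field left {@code null} is filled with its default by
     * {@link #setupConfiguration(Configuration)}: verify-nbf = true,
     * available-period = {@link #DEFAULT_AVAILABLE_PERIOD}, encryption-required = false.
     */
    public static class Configuration extends ClientPolicyExecutorConfigurationRepresentation {

        /** Maximum allowed {@code exp - nbf} window, in seconds; only enforced when {@code verifyNbf} is true. */
        @JsonProperty("available-period")
        protected Integer availablePeriod;

        /** Whether the {@code nbf} claim must be present, already reached, and within {@code availablePeriod} of {@code exp}. */
        @JsonProperty(SecureRequestObjectExecutorFactory.VERIFY_NBF)
        protected Boolean verifyNbf;

        /** Whether the request object must have arrived encrypted (JWE). */
        @JsonProperty(SecureRequestObjectExecutorFactory.ENCRYPTION_REQUIRED)
        private Boolean encryptionRequired;

        public Integer getAvailablePeriod() {
            return this.availablePeriod;
        }

        public void setAvailablePeriod(Integer num) {
            this.availablePeriod = num;
        }

        public Boolean isVerifyNbf() {
            return this.verifyNbf;
        }

        public void setVerifyNbf(Boolean bool) {
            this.verifyNbf = bool;
        }

        public void setEncryptionRequired(Boolean bool) {
            this.encryptionRequired = bool;
        }

        public Boolean isEncryptionRequired() {
            return this.encryptionRequired;
        }
    }

    public SecureRequestObjectExecutor(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * Installs the executor configuration, defaulting every unset field. A {@code null}
     * configuration yields the secure defaults (nbf verified, one-hour window, encryption optional).
     */
    public void setupConfiguration(Configuration configuration) {
        Configuration effective = configuration != null ? configuration : new Configuration();
        if (effective.isVerifyNbf() == null) {
            effective.setVerifyNbf(Boolean.TRUE);
        }
        if (effective.getAvailablePeriod() == null) {
            effective.setAvailablePeriod(DEFAULT_AVAILABLE_PERIOD);
        }
        if (effective.isEncryptionRequired() == null) {
            effective.setEncryptionRequired(Boolean.FALSE);
        }
        this.configuration = effective;
    }

    public Class<Configuration> getExecutorConfigurationClass() {
        return Configuration.class;
    }

    public String getProviderId() {
        return SecureRequestObjectExecutorFactory.PROVIDER_ID;
    }

    /**
     * Dispatches on the policy event. Only {@code AUTHORIZATION_REQUEST} is handled; every
     * other event is a no-op.
     * <p>
     * The decompiled original dispatched through a synthetic {@code ordinal()} switch map whose
     * case label had been folded into the unrelated constant
     * {@code DeclarativeUserProfileProvider.PROVIDER_PRIORITY}. Had that constant ever changed,
     * this executor would silently stop running on authorization requests (fail-open), so the
     * dispatch is now written against the enum value itself.
     */
    public void executeOnEvent(ClientPolicyContext clientPolicyContext) throws ClientPolicyException {
        switch (clientPolicyContext.getEvent()) {
            case AUTHORIZATION_REQUEST:
                executeOnAuthorizationRequest((AuthorizationRequestContext) clientPolicyContext);
                break;
            default:
                break;
        }
    }

    /** Returns the active configuration, installing the defaults if setup was never called. */
    private Configuration config() {
        if (this.configuration == null) {
            setupConfiguration(null);
        }
        return this.configuration;
    }

    /**
     * Validates the request object attached to an authorization request, in this order:
     * presence of request parameters and of {@code request}/{@code request_uri}, presence of
     * the parsed request object in the session, {@code scope}, lifetime ({@code exp}, and
     * optionally {@code nbf} plus the available-period bound), {@code aud} containing this
     * realm's issuer, agreement between query parameters and request-object claims, and
     * finally encryption when required.
     *
     * @throws ClientPolicyException with {@code invalid_request} or {@code invalid_request_object}
     *         (mapped to {@code invalid_request_uri} for PAR requests) on the first failed check
     */
    private void executeOnAuthorizationRequest(AuthorizationRequestContext authorizationRequestContext) throws ClientPolicyException {
        logger.trace("Authz Endpoint - authz request");
        MultivaluedMap<String, String> params = authorizationRequestContext.getRequestParameters();
        if (params == null) {
            logger.trace("request parameter not exist.");
            throw policyError(INVALID_REQUEST, "Missing parameters", authorizationRequestContext);
        }
        if (params.getFirst("request") == null && params.getFirst("request_uri") == null) {
            logger.trace("request object not exist.");
            throw policyError(INVALID_REQUEST, "Missing parameter: 'request' or 'request_uri'", authorizationRequestContext);
        }
        // The parsed request object is published on the session by AuthzEndpointRequestParser;
        // presumably only after the JWT/JWE was successfully processed — an absent or empty node
        // is treated as an unusable request object.
        JsonNode requestObject = (JsonNode) this.session.getAttribute(AuthzEndpointRequestParser.AUTHZ_REQUEST_OBJECT);
        if (requestObject == null || requestObject.isEmpty()) {
            logger.trace("request object not exist.");
            throw policyError(INVALID_REQUEST, "Invalid parameter: : 'request' or 'request_uri'", authorizationRequestContext);
        }
        if (params.getFirst("scope") == null && requestObject.get("scope") == null) {
            logger.trace("scope object not exist.");
            throw policyError(INVALID_REQUEST, "Parameter 'scope' missing in the request parameters or in 'request' object", authorizationRequestContext);
        }
        verifyLifetime(requestObject, authorizationRequestContext);
        verifyAudience(requestObject, authorizationRequestContext);
        verifyParametersMatch(params, requestObject, authorizationRequestContext);
        verifyEncryption(authorizationRequestContext);
        logger.trace("Passed.");
    }

    /**
     * Enforces {@code exp} and, when configured, {@code nbf} and the available-period bound.
     * A non-numeric claim value yields 0 from {@code asLong()}: for {@code exp} that is always
     * in the past and is rejected; for {@code nbf} it makes the window {@code exp - 0}, which
     * exceeds any sane period and is rejected as well.
     */
    private void verifyLifetime(JsonNode requestObject, AuthorizationRequestContext ctx) throws ClientPolicyException {
        if (requestObject.get("exp") == null) {
            logger.trace("exp claim not incuded.");
            throw policyError(INVALID_REQUEST_OBJECT, "Missing parameter in the 'request' object: exp", ctx);
        }
        long exp = requestObject.get("exp").asLong();
        // Single clock snapshot so exp and nbf are judged against the same instant.
        long now = Time.currentTime();
        if (now > exp) {
            logger.trace("request object expired.");
            // NOTE(review): thrown directly, so for PAR requests this reports invalid_request_object
            // where every other request-object failure is mapped to invalid_request_uri. Kept
            // verbatim to preserve the observable error code; confirm whether the mapping is intended.
            throw new ClientPolicyException(INVALID_REQUEST_OBJECT, "Request Expired");
        }
        if (!Boolean.TRUE.equals(config().isVerifyNbf())) {
            return;
        }
        if (requestObject.get("nbf") == null) {
            logger.trace("nbf claim not incuded.");
            throw policyError(INVALID_REQUEST_OBJECT, "Missing parameter in the 'request' object: nbf", ctx);
        }
        long nbf = requestObject.get("nbf").asLong();
        if (now < nbf) {
            logger.trace("request object not yet being processed.");
            throw policyError(INVALID_REQUEST_OBJECT, "Request not yet being processed", ctx);
        }
        int period = Optional.ofNullable(config().getAvailablePeriod()).orElse(DEFAULT_AVAILABLE_PERIOD);
        // exp - nbf must not overflow: with a plain subtraction, exp = Long.MAX_VALUE and a negative
        // nbf wrap to a negative span and would slip past the period check. Overflow is treated
        // as "longer than any period".
        long window;
        try {
            window = Math.subtractExact(exp, nbf);
        } catch (ArithmeticException overflow) {
            window = Long.MAX_VALUE;
        }
        if (window > period) {
            logger.trace("request object's available period is long.");
            throw policyError(INVALID_REQUEST_OBJECT, "Request's available period is long", ctx);
        }
    }

    /**
     * Requires an {@code aud} claim (string or array of strings) that contains this realm's
     * issuer URL as computed by {@link Urls#realmIssuer}.
     */
    private void verifyAudience(JsonNode requestObject, AuthorizationRequestContext ctx) throws ClientPolicyException {
        JsonNode aud = requestObject.get("aud");
        if (aud == null) {
            logger.trace("aud claim not incuded.");
            throw policyError(INVALID_REQUEST_OBJECT, "Missing parameter in the 'request' object: aud", ctx);
        }
        List<String> audiences = new ArrayList<>();
        if (aud.isArray()) {
            for (JsonNode element : aud) {
                audiences.add(element.asText());
            }
        } else {
            audiences.add(aud.asText());
        }
        if (audiences.isEmpty()) {
            logger.trace("aud claim not incuded.");
            throw policyError(INVALID_REQUEST_OBJECT, "Missing parameter value in the 'request' object: aud", ctx);
        }
        String issuer = Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.session.getContext().getRealm().getName());
        if (!audiences.contains(issuer)) {
            logger.trace("aud not points to the intended realm.");
            throw policyError(INVALID_REQUEST_OBJECT, "Invalid parameter in the 'request' object: aud", ctx);
        }
    }

    /**
     * Every known authorization parameter that appears in the query string must also appear in
     * the request object with the same value, so a caller cannot override signed claims through
     * unsigned query parameters. {@code request} and {@code request_uri} themselves are exempt.
     */
    private void verifyParametersMatch(MultivaluedMap<String, String> params, JsonNode requestObject, AuthorizationRequestContext ctx) throws ClientPolicyException {
        Optional<String> mismatch = AuthzEndpointRequestParser.KNOWN_REQ_PARAMS.stream()
                .filter(params::containsKey)
                .filter(name -> !isSameParameterIncluded(name, params.getFirst(name), requestObject))
                .findFirst();
        if (mismatch.isPresent()) {
            logger.warnf("Parameter '%s' does not have same value in 'request' object and in request parameters", mismatch.get());
            throw policyError(INVALID_REQUEST, "Invalid parameter. Parameters in 'request' object not matching with request parameters", ctx);
        }
    }

    /**
     * When encryption is required, the parser must have flagged the request object as encrypted
     * via the {@code AUTHZ_REQUEST_OBJECT_ENCRYPTED} session attribute.
     */
    private void verifyEncryption(AuthorizationRequestContext ctx) throws ClientPolicyException {
        boolean required = Boolean.TRUE.equals(config().isEncryptionRequired());
        if (required && this.session.getAttribute(AuthzEndpointRequestParser.AUTHZ_REQUEST_OBJECT_ENCRYPTED) == null) {
            logger.trace("request object's not encrypted.");
            // NOTE(review): also thrown directly (no PAR error-code mapping); see verifyLifetime.
            throw new ClientPolicyException(INVALID_REQUEST_OBJECT, "Request object not encrypted");
        }
    }

    /**
     * Returns true when the request object carries {@code name} with the textual value
     * {@code queryValue}. A missing or JSON-null claim is a mismatch; non-textual claims compare
     * via {@code asText()}, so arrays/objects never match a query string.
     */
    private boolean isSameParameterIncluded(String name, String queryValue, JsonNode requestObject) {
        if (name.equals("request") || name.equals("request_uri")) {
            return true;
        }
        if (!requestObject.hasNonNull(name)) {
            return false;
        }
        return requestObject.get(name).asText().equals(queryValue);
    }

    /**
     * Builds the exception for a failed check. For PAR requests an {@code invalid_request_object}
     * error is reported as {@code invalid_request_uri}; everything else is passed through.
     * Returned rather than thrown so call sites can {@code throw} it and keep definite-assignment
     * analysis honest.
     */
    private static ClientPolicyException policyError(String error, String message, AuthorizationRequestContext ctx) {
        if (ctx.isParRequest() && INVALID_REQUEST_OBJECT.equals(error)) {
            return new ClientPolicyException(INVALID_REQUEST_URI, message);
        }
        return new ClientPolicyException(error, message);
    }
}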
