package org.keycloak.protocol.oidc.grants.ciba;

import org.keycloak.common.util.UriUtils;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.models.CibaConfig;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.validation.ValidationContext;

/* loaded from: input_file:org/keycloak/protocol/oidc/grants/ciba/CibaClientValidation.class */
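/**
 * Validates the CIBA (Client-Initiated Backchannel Authentication) settings of a client.
 *
 * <p>Every problem found is recorded on the supplied {@link ValidationContext} through
 * {@code addError}. Nothing is thrown for an invalid setting, so callers have to inspect the
 * context after {@link #validate()} returns.
 */
public class CibaClientValidation {
    private final ValidationContext<ClientModel> context;

    /**
     * Creates a validator bound to one validation run.
     *
     * @param validationContext context holding the client to validate and collecting the errors
     */
    public CibaClientValidation(ValidationContext<ClientModel> validationContext) {
        this.context = validationContext;
    }

    /**
     * Checks the client's CIBA token delivery mode, its client notification endpoint and its
     * authentication request signing algorithm against the realm's CIBA policy.
     *
     * <p>The checks are independent of each other: a failure in one does not stop the later
     * ones, so a single call can report several errors.
     */
    public void validate() {
        ClientModel client = this.context.getObjectToValidate();
        CibaConfig cibaPolicy = client.getRealm().getCibaPolicy();

        // Only delivery modes listed in CibaConfig.CIBA_SUPPORTED_MODES are accepted.
        String deliveryMode = cibaPolicy.getBackchannelTokenDeliveryMode(client);
        if (!CibaConfig.CIBA_SUPPORTED_MODES.contains(deliveryMode)) {
            this.context.addError("cibaBackchannelTokenDeliveryMode", "Unsupported requested CIBA Backchannel Token Delivery Mode", "invalidCibaBackchannelTokenDeliveryMode", new Object[0]);
        }

        // Ping mode needs somewhere to deliver the notification, so the endpoint is mandatory.
        // Only null is treated as missing here; an empty string is left to the URL check below.
        if ("ping".equals(deliveryMode) && cibaPolicy.getBackchannelClientNotificationEndpoint(client) == null) {
            this.context.addError("cibaBackchannelClientNotificationEndpoint", "CIBA Backchannel Client Notification Endpoint must be set for the CIBA ping mode", "missingCibaBackchannelClientNotificationEndpoint", new Object[0]);
        }

        // The endpoint is checked in every mode, against the realm's SSL requirement.
        // NOTE(review): this file only shows that checkUrl receives the SSL policy and the URL.
        // Whether it also restricts the destination host is not visible here; since this is a
        // client-supplied URL for server-side notifications, confirm that outbound requests to
        // it are constrained elsewhere.
        try {
            UriUtils.checkUrl(client.getRealm().getSslRequired(), cibaPolicy.getBackchannelClientNotificationEndpoint(client), "backchannel_client_notification_endpoint");
        } catch (RuntimeException e) {
            // The exception message is surfaced as the validation message for this field.
            this.context.addError("cibaBackchannelClientNotificationEndpoint", e.getMessage(), "invalidBackchannelClientNotificationEndpoint", new Object[0]);
        }

        // No configured algorithm (null) is accepted without further checks.
        Algorithm signingAlg = cibaPolicy.getBackchannelAuthRequestSigningAlg(client);
        if (signingAlg != null && !isSupportedBackchannelAuthenticationRequestSigningAlg(this.context.getSession(), signingAlg.name())) {
            this.context.addError("cibaBackchannelAuthRequestSigningAlg", "Unsupported requested CIBA Backchannel Authentication Request Signing Algorithm", "invalidCibaBackchannelAuthRequestSigningAlg", new Object[0]);
        }
    }

    /**
     * Tells whether an algorithm may be configured for signing backchannel authentication
     * requests: either {@code none}, or an algorithm whose {@link SignatureProvider} reports it
     * as asymmetric.
     *
     * @param keycloakSession session used to look up the signature provider
     * @param str algorithm name, as returned by {@link Algorithm#name()}
     * @return {@code true} if the algorithm passes validation; {@code false} if it is symmetric
     *     or no signature provider is available for it
     */
    private static boolean isSupportedBackchannelAuthenticationRequestSigningAlg(KeycloakSession keycloakSession, String str) {
        // NOTE(review): "none" passes validation, so a client can be registered to send
        // unsigned authentication requests. Kept as-is to preserve existing behaviour; confirm
        // this is intended and that request processing handles unsigned requests deliberately.
        if (Algorithm.none.name().equals(str)) {
            return true;
        }
        // The provider lookup returns null when no provider is registered or enabled for the
        // algorithm. Treat that as unsupported so validation reports an error instead of
        // failing with a NullPointerException.
        SignatureProvider signatureProvider = keycloakSession.getProvider(SignatureProvider.class, str);
        return signatureProvider != null && signatureProvider.isAsymmetricAlgorithm();
    }
}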
