package org.keycloak.protocol.oidc.endpoints.request;

import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import java.io.InputStream;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import org.jboss.logging.Logger;
import org.keycloak.common.Profile;
import org.keycloak.common.util.StreamUtil;
import org.keycloak.connections.httpclient.HttpClientProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.par.endpoints.request.AuthzEndpointParParser;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.services.ErrorPageException;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.util.AuthorizationContextUtil;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/protocol/oidc/endpoints/request/AuthorizationEndpointRequestParserProcessor.class */
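/**
 * Builds an {@link AuthorizationEndpointRequest} from the raw HTTP parameters of an
 * authorization request, merging in a request object passed by value ({@code request}) or by
 * reference ({@code request_uri}) when one is supplied.
 *
 * <p>Every parameter handled here comes straight from the caller of the endpoint and is
 * untrusted. Any failure while parsing is logged, recorded on the event as
 * {@code invalid_request} and surfaced as a generic 400 error page, so parser details are not
 * echoed back to the requester.
 */
public class AuthorizationEndpointRequestParserProcessor {
    private static final Logger logger = Logger.getLogger(AuthorizationEndpointRequestParserProcessor.class);

    /** A {@code request_uri} starting with this prefix (case-insensitively) is a PAR reference. */
    private static final String PAR_REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:";

    /**
     * Endpoint on whose behalf the request is parsed. In this class only
     * {@link #OIDC_AUTH_ENDPOINT} changes behaviour: it is the only type for which
     * {@code response_type} can be required.
     */
    public enum EndpointType {
        OIDC_AUTH_ENDPOINT,
        OAUTH2_DEVICE_ENDPOINT,
        DOCKER_ENDPOINT
    }

    /**
     * Parses the query parameters and, if present, the request object into a single request.
     *
     * <p>Order of processing: plain query parameters first; if they are already invalid the
     * request is returned as-is with its invalid-request message set. Otherwise the client's
     * request-object policy is enforced and the request object (inline, PAR reference, or
     * fetched from an allow-listed URI) is parsed on top of the query parameters.
     *
     * @param eventBuilder event that receives the {@code invalid_request} error on failure
     * @param keycloakSession current session, used for providers and the error page
     * @param clientModel client the request is made for; supplies the request-object policy
     *     and the registered request URIs
     * @param multivaluedMap raw request parameters (untrusted)
     * @param endpointType endpoint the request arrived at
     * @return the parsed request; may carry an invalid-request message from the query parser
     * @throws ErrorPageException (400) for any exception raised while parsing
     */
    public static AuthorizationEndpointRequest parseRequest(EventBuilder eventBuilder, KeycloakSession keycloakSession, ClientModel clientModel, MultivaluedMap<String, String> multivaluedMap, EndpointType endpointType) {
        try {
            AuthorizationEndpointRequest authorizationEndpointRequest = new AuthorizationEndpointRequest();
            AuthzEndpointQueryStringParser queryParser = new AuthzEndpointQueryStringParser(multivaluedMap, isResponseTypeParameterRequired(multivaluedMap, endpointType));
            queryParser.parseRequest(authorizationEndpointRequest);
            String queryParserError = queryParser.getInvalidRequestMessage();
            if (queryParserError != null) {
                authorizationEndpointRequest.invalidRequestMessage = queryParserError;
            }
            if (authorizationEndpointRequest.getInvalidRequestMessage() != null) {
                // Already invalid: do not touch the request object at all (no remote fetch).
                return authorizationEndpointRequest;
            }

            String requestParam = multivaluedMap.getFirst("request");
            String requestUriParam = multivaluedMap.getFirst("request_uri");
            enforceRequestObjectPolicy(clientModel, requestParam, requestUriParam);

            if (requestParam != null) {
                new AuthzEndpointRequestObjectParser(keycloakSession, requestParam, clientModel).parseRequest(authorizationEndpointRequest);
            } else if (requestUriParam != null) {
                if (getRequestUriType(requestUriParam) == RequestUriType.PAR) {
                    new AuthzEndpointParParser(keycloakSession, clientModel, requestUriParam).parseRequest(authorizationEndpointRequest);
                } else {
                    // The server dereferences this URL itself, so the caller-supplied value is
                    // first checked against the request URIs registered for the client. Only
                    // the value returned by that check is fetched, never the raw parameter.
                    String verifiedRequestUri = RedirectUtils.verifyRedirectUri(keycloakSession, clientModel.getRootUrl(), requestUriParam, new HashSet<>(OIDCAdvancedConfigWrapper.fromClientModel(clientModel).getRequestUris()), false);
                    if (verifiedRequestUri == null) {
                        throw new RuntimeException("Specified 'request_uri' not allowed for this client.");
                    }
                    // try-with-resources closes the response stream on the failure path too;
                    // previously it was closed only when reading and parsing both succeeded.
                    // NOTE(review): the whole body is read into memory; any size or timeout
                    // limit would have to come from HttpClientProvider - confirm.
                    try (InputStream inputStream = keycloakSession.getProvider(HttpClientProvider.class).get(verifiedRequestUri)) {
                        String fetchedRequestObject = StreamUtil.readString(inputStream);
                        new AuthzEndpointRequestObjectParser(keycloakSession, fetchedRequestObject, clientModel).parseRequest(authorizationEndpointRequest);
                    }
                }
            }

            if (Profile.isFeatureEnabled(Profile.Feature.DYNAMIC_SCOPES)) {
                authorizationEndpointRequest.authorizationRequestContext = AuthorizationContextUtil.getAuthorizationRequestContextFromScopes(keycloakSession, authorizationEndpointRequest.getScope());
            }
            return authorizationEndpointRequest;
        } catch (Exception e) {
            // Single exit for every failure above: the cause goes to the server log only and
            // the requester gets the generic invalid-request page.
            ServicesLogger.LOGGER.invalidRequest(e);
            eventBuilder.error("invalid_request");
            throw new ErrorPageException(keycloakSession, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
        }
    }

    /**
     * Returns the single {@code client_id} parameter of the request.
     *
     * <p>A missing or repeated {@code client_id} is rejected rather than resolved by picking
     * one of the values.
     *
     * @param eventBuilder event that receives the {@code invalid_request} error on failure
     * @param keycloakSession current session, used for the error page
     * @param multivaluedMap raw request parameters (untrusted)
     * @return the one {@code client_id} value
     * @throws ErrorPageException (400) if the parameter is absent or occurs more than once
     */
    public static String getClientId(EventBuilder eventBuilder, KeycloakSession keycloakSession, MultivaluedMap<String, String> multivaluedMap) {
        List<String> clientIds = multivaluedMap.get("client_id");
        if (clientIds != null && clientIds.size() == 1) {
            return clientIds.get(0);
        }
        logger.warnf("Parameter 'client_id' not present or present multiple times in the HTTP request parameters");
        eventBuilder.error("invalid_request");
        throw new ErrorPageException(keycloakSession, Response.Status.BAD_REQUEST, Messages.INVALID_REQUEST);
    }

    /**
     * Classifies a {@code request_uri} value as a PAR reference or a request-object URL.
     *
     * @param str the {@code request_uri} parameter value
     * @return {@link RequestUriType#PAR} if the value starts with the PAR URN prefix
     *     (compared case-insensitively), otherwise {@link RequestUriType#REQUEST_OBJECT}
     * @throws RuntimeException if {@code str} is null
     */
    public static RequestUriType getRequestUriType(String str) {
        if (str == null) {
            throw new RuntimeException("'request_uri' parameter is null");
        }
        // Locale.ROOT keeps the classification independent of the JVM default locale. With a
        // Turkish default locale, 'I' lowercases to dotless 'ı', so an upper-case URN prefix
        // would stop matching and the value would be treated as a URL to validate and fetch.
        boolean isParReference = str.toLowerCase(Locale.ROOT).startsWith(PAR_REQUEST_URI_PREFIX);
        return isParReference ? RequestUriType.PAR : RequestUriType.REQUEST_OBJECT;
    }

    /**
     * Applies the checks on the {@code request} / {@code request_uri} parameters: the two must
     * not be combined, and the client's "request object required" setting must be satisfied.
     *
     * @throws RuntimeException if the parameters violate either rule
     */
    private static void enforceRequestObjectPolicy(ClientModel clientModel, String requestParam, String requestUriParam) {
        if (requestParam != null && requestUriParam != null) {
            throw new RuntimeException("Illegal to use both 'request' and 'request_uri' parameters together");
        }
        String requestObjectRequired = OIDCAdvancedConfigWrapper.fromClientModel(clientModel).getRequestObjectRequired();
        if ("request or request_uri".equals(requestObjectRequired) && requestParam == null && requestUriParam == null) {
            throw new RuntimeException("Client is required to use 'request' or 'request_uri' parameter.");
        }
        if ("request only".equals(requestObjectRequired) && requestParam == null) {
            throw new RuntimeException("Client is required to use 'request' parameter.");
        }
        if ("request_uri only".equals(requestObjectRequired) && requestUriParam == null) {
            throw new RuntimeException("Client is required to use 'request_uri' parameter.");
        }
    }

    /**
     * Decides whether the query-string parser must insist on {@code response_type}.
     *
     * <p>It is required only on the OIDC authorization endpoint, for an OIDC request (as
     * judged from the {@code scope} parameter), and when the request is not a PAR reference.
     */
    private static boolean isResponseTypeParameterRequired(MultivaluedMap<String, String> multivaluedMap, EndpointType endpointType) {
        if (endpointType != EndpointType.OIDC_AUTH_ENDPOINT || !TokenUtil.isOIDCRequest(multivaluedMap.getFirst("scope"))) {
            return false;
        }
        String requestUriParam = multivaluedMap.getFirst("request_uri");
        return requestUriParam == null || getRequestUriType(requestUriParam) != RequestUriType.PAR;
    }
}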
