package org.keycloak.protocol.oidc.grants.ciba.clientpolicy.executor;

import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.JsonNode;
import jakarta.ws.rs.core.MultivaluedMap;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import org.jboss.logging.Logger;
import org.keycloak.common.util.Time;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.grants.ciba.clientpolicy.context.BackchannelAuthenticationRequestContext;
import org.keycloak.protocol.oidc.grants.ciba.endpoints.request.BackchannelAuthenticationEndpointRequest;
import org.keycloak.protocol.oidc.grants.ciba.endpoints.request.BackchannelAuthenticationEndpointRequestParser;
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
import org.keycloak.services.Urls;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.executor.ClientPolicyExecutorProvider;
import org.keycloak.userprofile.DeclarativeUserProfileProvider;

/* loaded from: input_file:org/keycloak/protocol/oidc/grants/ciba/clientpolicy/executor/SecureCibaSignedAuthenticationRequestExecutor.class */
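/**
 * Client policy executor for the CIBA backchannel authentication endpoint that requires the
 * authentication request to be delivered as a signed request object ({@code request} or
 * {@code request_uri}) and validates the claims of that object before the request is processed.
 *
 * <p>Checks performed, in this order: a {@code request} or {@code request_uri} parameter is present;
 * the parsed request object was stored in the session by the endpoint request parser; {@code exp} is
 * present and not in the past; {@code nbf} is present and not in the future; the {@code exp - nbf}
 * window does not exceed the configured {@code available-period} (seconds); {@code aud} is present,
 * non-empty and contains this realm's issuer URL; {@code iss} is present and equals the requesting
 * client's id; {@code iat} and {@code jti} are present. Every failure is reported to the client as
 * {@code invalid_request} with a short description.
 *
 * <p>This class does not verify the request object's signature itself: it reads the already-parsed
 * object from the session attribute written by {@link BackchannelAuthenticationEndpointRequestParser}.
 * {@code jti} is only required to be present; no replay detection is performed here.
 */
public class SecureCibaSignedAuthenticationRequestExecutor
        implements ClientPolicyExecutorProvider<SecureCibaSignedAuthenticationRequestExecutor.Configuration> {

    public static final String INVALID_REQUEST_OBJECT = "invalid_request_object";

    /** Upper bound, in seconds, on {@code exp - nbf} of the signed request when none is configured. */
    public static final Integer DEFAULT_AVAILABLE_PERIOD = 3600;

    private static final Logger logger = Logger.getLogger(SecureCibaSignedAuthenticationRequestExecutor.class);

    /** OAuth error code used for every rejection raised by this executor. */
    private static final String INVALID_REQUEST = "invalid_request";

    private final KeycloakSession session;
    private Configuration configuration;

    /**
     * Executor configuration: {@code available-period} is the maximum accepted lifetime
     * ({@code exp - nbf}, in seconds) of a signed authentication request.
     */
    public static class Configuration extends ClientPolicyExecutorConfigurationRepresentation {

        @JsonProperty("available-period")
        protected Integer availablePeriod;

        public Integer getAvailablePeriod() {
            return this.availablePeriod;
        }

        public void setAvailablePeriod(Integer num) {
            this.availablePeriod = num;
        }
    }

    public SecureCibaSignedAuthenticationRequestExecutor(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * Installs the executor configuration, falling back to an empty configuration when {@code null}
     * is given and to {@link #DEFAULT_AVAILABLE_PERIOD} when no {@code available-period} is set.
     * A non-null configuration is kept by reference and its missing period is filled in place.
     */
    public void setupConfiguration(Configuration configuration) {
        this.configuration = configuration == null ? new Configuration() : configuration;
        if (this.configuration.getAvailablePeriod() == null) {
            this.configuration.setAvailablePeriod(DEFAULT_AVAILABLE_PERIOD);
        }
    }

    public Class<Configuration> getExecutorConfigurationClass() {
        return Configuration.class;
    }

    public String getProviderId() {
        return SecureCibaSignedAuthenticationRequestExecutorFactory.PROVIDER_ID;
    }

    /**
     * Reacts only to {@link ClientPolicyEvent#BACKCHANNEL_AUTHENTICATION_REQUEST}; every other event
     * is ignored.
     *
     * @throws ClientPolicyException when the signed authentication request is missing or invalid
     */
    public void executeOnEvent(ClientPolicyContext clientPolicyContext) throws ClientPolicyException {
        if (clientPolicyContext.getEvent() != ClientPolicyEvent.BACKCHANNEL_AUTHENTICATION_REQUEST) {
            return;
        }
        BackchannelAuthenticationRequestContext cibaContext = (BackchannelAuthenticationRequestContext) clientPolicyContext;
        executeOnBackchannelAuthenticationRequest(cibaContext.getRequest(), cibaContext.getRequestParameters());
    }

    /**
     * Validates the signed authentication request for one backchannel authentication call.
     *
     * @param request the parsed endpoint request (currently unused; kept as the natural hook for
     *                request-level checks)
     * @param params  the raw form parameters of the backchannel authentication request
     * @throws ClientPolicyException with error {@code invalid_request} on the first failed check
     */
    private void executeOnBackchannelAuthenticationRequest(BackchannelAuthenticationEndpointRequest request,
            MultivaluedMap<String, String> params) throws ClientPolicyException {
        logger.trace("Backchannel Authentication Endpoint - authn request");
        if (params == null) {
            logger.trace("request parameter not exist.");
            throw new ClientPolicyException(INVALID_REQUEST, "Missing parameters");
        }
        if (params.getFirst("request") == null && params.getFirst("request_uri") == null) {
            logger.trace("signed authentication request not exist.");
            throw new ClientPolicyException(INVALID_REQUEST, "Missing parameter: 'request' or 'request_uri'");
        }

        // The endpoint request parser stores the parsed request object here; an absent or empty
        // node means no usable signed request reached this point.
        JsonNode requestObject = (JsonNode) this.session.getAttribute(
                BackchannelAuthenticationEndpointRequestParser.CIBA_SIGNED_AUTHENTICATION_REQUEST);
        if (requestObject == null || requestObject.isEmpty()) {
            logger.trace("signed authentication request not exist.");
            throw new ClientPolicyException(INVALID_REQUEST, "Invalid parameter: : 'request' or 'request_uri'");
        }

        checkLifetime(requestObject);
        checkAudience(requestObject);
        checkIssuer(requestObject);

        requireClaim(requestObject, "iat", "Missing parameter in the signed authentication request: iat");
        requireClaim(requestObject, "jti", "Missing parameter in the signed authentication request: jti");
        logger.trace("Passed.");
    }

    /**
     * Enforces {@code exp}/{@code nbf}: both must be present, the request must be neither expired nor
     * not-yet-valid, and the validity window must not exceed the configured available period.
     */
    private void checkLifetime(JsonNode requestObject) throws ClientPolicyException {
        // One reading of the clock so both bounds are judged against the same instant.
        // Time.currentTime() and the JWT NumericDate claims are both in seconds.
        long now = Time.currentTime();

        long exp = requireClaim(requestObject, "exp",
                "Missing parameter in the signed authentication request: exp").asLong();
        if (now > exp) {
            logger.trace("request object expired.");
            throw new ClientPolicyException(INVALID_REQUEST, "Request Expired");
        }

        long nbf = requireClaim(requestObject, "nbf",
                "Missing parameter in the signed authentication request: nbf").asLong();
        if (now < nbf) {
            logger.trace("request object not yet being processed.");
            throw new ClientPolicyException(INVALID_REQUEST, "Request not yet being processed");
        }

        // Bounding exp - nbf limits how long a captured request object stays usable.
        if (exp - nbf > availablePeriodSeconds()) {
            logger.trace("signed authentication request's available period is long.");
            throw new ClientPolicyException(INVALID_REQUEST, "signed authentication request's available period is long");
        }
    }

    /** Requires a non-empty {@code aud} (string or array) that contains this realm's issuer URL. */
    private void checkAudience(JsonNode requestObject) throws ClientPolicyException {
        JsonNode aud = requireClaim(requestObject, "aud", "Missing parameter in the 'request' object: aud");
        List<String> audiences = audienceValues(aud);
        if (audiences.isEmpty()) {
            logger.trace("aud claim not included.");
            throw new ClientPolicyException(INVALID_REQUEST, "Missing parameter value in the 'request' object: aud");
        }
        String realmIssuer = Urls.realmIssuer(
                this.session.getContext().getUri().getBaseUri(),
                this.session.getContext().getRealm().getName());
        if (!audiences.contains(realmIssuer)) {
            logger.trace("aud not points to the intended realm.");
            throw new ClientPolicyException(INVALID_REQUEST, "Invalid parameter in the 'request' object: aud");
        }
    }

    /** Requires {@code iss} to be present and equal to the client id of the requesting client. */
    private void checkIssuer(JsonNode requestObject) throws ClientPolicyException {
        JsonNode iss = requireClaim(requestObject, OIDCLoginProtocol.ISSUER,
                "Missing parameter in the 'request' object: iss");
        if (!iss.asText().equals(this.session.getContext().getClient().getClientId())) {
            logger.trace("iss claim not match client's identity.");
            throw new ClientPolicyException(INVALID_REQUEST, "Invalid parameter in the 'request' object: iss");
        }
    }

    /**
     * Returns the named claim of the request object.
     *
     * @throws ClientPolicyException with {@code errorDetail} when the claim is absent
     */
    private static JsonNode requireClaim(JsonNode requestObject, String claim, String errorDetail)
            throws ClientPolicyException {
        JsonNode value = requestObject.get(claim);
        if (value == null) {
            logger.trace(claim + " claim not included.");
            throw new ClientPolicyException(INVALID_REQUEST, errorDetail);
        }
        return value;
    }

    /** Flattens an {@code aud} claim given either as a single value or as an array into text values. */
    private static List<String> audienceValues(JsonNode aud) {
        List<String> values = new ArrayList<>();
        if (aud.isArray()) {
            for (JsonNode element : aud) {
                values.add(element.asText());
            }
        } else {
            values.add(aud.asText());
        }
        return values;
    }

    /** Configured {@code available-period}, or {@link #DEFAULT_AVAILABLE_PERIOD} when unset. */
    private int availablePeriodSeconds() {
        Integer configured = this.configuration == null ? null : this.configuration.getAvailablePeriod();
        return configured != null ? configured : DEFAULT_AVAILABLE_PERIOD;
    }
}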
