package org.keycloak.services.clientpolicy.executor;

import java.net.URI;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.saml.SamlClient;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.AdminClientRegisteredContext;
import org.keycloak.services.clientpolicy.context.AdminClientUpdatedContext;
import org.keycloak.services.clientpolicy.context.SamlAuthnRequestContext;
import org.keycloak.services.clientpolicy.context.SamlLogoutRequestContext;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;

/* loaded from: input_file:org/keycloak/services/clientpolicy/executor/SamlAvoidRedirectBindingExecutor.class */
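/**
 * Client policy executor that keeps SAML clients off the HTTP-Redirect binding.
 *
 * <p>Enforcement happens at two points:
 * <ul>
 *   <li>{@code REGISTERED} / {@code UPDATED} (admin client registration): a client whose
 *       protocol is {@code "saml"} must have "force POST binding" enabled, otherwise the
 *       registration/update is refused with {@link ErrorCodes#INVALID_CLIENT_METADATA}.</li>
 *   <li>{@code SAML_AUTHN_REQUEST} / {@code SAML_LOGOUT_REQUEST}: an incoming request is refused
 *       with {@code invalid_request} when the Redirect binding is in play and the client does
 *       not force POST binding.</li>
 * </ul>
 * Every other client policy event is ignored.
 *
 * <p>Rationale (general SAML background, not visible in this file): the HTTP-Redirect binding
 * carries the deflated message and its signature in the URL query string, so the message ends
 * up in browser history and proxy/web-server logs, and the signature covers the query
 * parameters rather than the XML document itself. POST (or Artifact) bindings avoid that.
 *
 * <p>NOTE(review): this listing is decompiler output. The event dispatch originally went
 * through a synthetic {@code $SwitchMap} array, and the decompiler printed the case labels
 * {@code 1} and {@code 2} as {@code DeclarativeUserProfileProviderFactory.PROVIDER_PRIORITY}
 * and {@code DPoPUtil.DEFAULT_ALLOWED_CLOCK_SKEW} — unrelated constants that merely happen
 * to hold those values. Left as-is, a change to either constant would silently break the
 * dispatch. The switch below is on the {@link ClientPolicyEvent} enum directly.
 */
public class SamlAvoidRedirectBindingExecutor implements ClientPolicyExecutorProvider<ClientPolicyExecutorConfigurationRepresentation> {

    /**
     * @param keycloakSession the current session; not retained, this executor keeps no state
     */
    public SamlAvoidRedirectBindingExecutor(KeycloakSession keycloakSession) {
        // Stateless executor: nothing from the session is needed.
    }

    @Override
    public String getProviderId() {
        return SamlAvoidRedirectBindingExecutorFactory.PROVIDER_ID;
    }

    /**
     * Dispatches on the policy event and applies the matching Redirect-binding check.
     *
     * @param clientPolicyContext the event context; its concrete type is determined by the event
     * @throws ClientPolicyException when the policy is violated (see the per-check methods)
     */
    @Override
    public void executeOnEvent(ClientPolicyContext clientPolicyContext) throws ClientPolicyException {
        switch (clientPolicyContext.getEvent()) {
            case REGISTERED:
                confirmPostBindingIsForced(((AdminClientRegisteredContext) clientPolicyContext).getTargetClient());
                break;
            case UPDATED:
                confirmPostBindingIsForced(((AdminClientUpdatedContext) clientPolicyContext).getTargetClient());
                break;
            case SAML_AUTHN_REQUEST:
                confirmRedirectBindingIsNotUsed((SamlAuthnRequestContext) clientPolicyContext);
                break;
            case SAML_LOGOUT_REQUEST:
                confirmRedirectBindingIsNotUsed((SamlLogoutRequestContext) clientPolicyContext);
                break;
            default:
                // Not a point where a SAML binding is chosen; nothing to enforce.
                break;
        }
    }

    /**
     * Registration-time check: a SAML client must have "force POST binding" enabled.
     * Clients of any other protocol are left alone.
     *
     * @param clientModel the client being registered or updated
     * @throws ClientPolicyException with {@link ErrorCodes#INVALID_CLIENT_METADATA} when the
     *         client is SAML and does not force POST binding
     */
    private void confirmPostBindingIsForced(ClientModel clientModel) throws ClientPolicyException {
        // "saml" is printed as a literal by the decompiler; presumably the source used the
        // SamlProtocol login-protocol constant — confirm before touching it.
        boolean isSamlClient = "saml".equals(clientModel.getProtocol());
        if (!isSamlClient) {
            return;
        }
        if (!new SamlClient(clientModel).forcePostBinding()) {
            throw new ClientPolicyException(ErrorCodes.INVALID_CLIENT_METADATA, "Force POST binding is not enabled");
        }
    }

    /**
     * Login-time check: refuses an AuthnRequest whose response would travel over the Redirect
     * binding.
     *
     * <p>The binding in play is taken from the request's {@code ProtocolBinding} attribute when
     * present, otherwise from the binding the request itself arrived on. An Artifact
     * {@code ProtocolBinding} is only treated as Redirect use when the request arrived via
     * Redirect.
     *
     * @param context the authentication request context
     * @throws ClientPolicyException with {@code invalid_request} when Redirect binding is in play
     */
    private void confirmRedirectBindingIsNotUsed(SamlAuthnRequestContext context) throws ClientPolicyException {
        // A client that forces POST binding is exempt — presumably because Keycloak then answers
        // over POST regardless of how the request arrived; TODO confirm against SamlService.
        if (new SamlClient(context.getClient()).forcePostBinding()) {
            return;
        }

        URI requestedBinding = context.getRequest().getProtocolBinding();
        boolean inboundIsRedirect = SamlProtocol.SAML_REDIRECT_BINDING.equals(context.getProtocolBinding());

        boolean redirectInPlay;
        if (requestedBinding == null) {
            // No ProtocolBinding attribute: the inbound binding decides.
            redirectInPlay = inboundIsRedirect;
        } else {
            String requested = requestedBinding.toString();
            boolean redirectRequested = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get().equals(requested);
            boolean artifactRequested = JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.get().equals(requested);
            redirectInPlay = redirectRequested || (artifactRequested && inboundIsRedirect);
        }

        if (redirectInPlay) {
            throw new ClientPolicyException("invalid_request", "REDIRECT binding is used for the login request and it is not allowed.");
        }
    }

    /**
     * Logout-time check: refuses a LogoutRequest that arrived over the Redirect binding.
     *
     * <p>Unlike the AuthnRequest path, the request's own {@code ProtocolBinding} attribute is not
     * consulted here — only the binding the request arrived on.
     *
     * @param context the logout request context
     * @throws ClientPolicyException with {@code invalid_request} when the request came via Redirect
     */
    private void confirmRedirectBindingIsNotUsed(SamlLogoutRequestContext context) throws ClientPolicyException {
        // Same exemption as for login: a client forcing POST binding is not checked.
        if (new SamlClient(context.getClient()).forcePostBinding()) {
            return;
        }
        if (SamlProtocol.SAML_REDIRECT_BINDING.equals(context.getProtocolBinding())) {
            throw new ClientPolicyException("invalid_request", "REDIRECT binding is used for the logout request and it is not allowed.");
        }
    }
}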
