package org.keycloak.protocol.oidc.endpoints.request;

import jakarta.ws.rs.core.Response;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.OIDCProviderConfig;
import org.keycloak.services.ErrorResponseException;

/* loaded from: input_file:org/keycloak/protocol/oidc/endpoints/request/AuthzEndpointRequestParser.class */
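/**
 * Merges OIDC authorization-request parameters into an {@link AuthorizationEndpointRequest}.
 *
 * <p>Subclasses supply the raw parameter source through {@link #getParameter(String)},
 * {@link #getIntParameter(String)} and {@link #keySet()}. Standard parameters are copied onto the
 * request by {@link #parseRequest(AuthorizationEndpointRequest)}. Every other parameter is treated
 * as "additional" and is only accepted within the configured count and size limits.
 *
 * <p>NOTE(review): the parameter source is presumably client-controlled, so the limits enforced in
 * {@link #extractAdditionalReqParams(Map)} are the only bound this class puts on it. Confirm
 * against the concrete subclasses.
 */
public abstract class AuthzEndpointRequestParser {
    // Limits for parameters that are not in KNOWN_REQ_PARAMS; read once from the OIDC provider config.
    protected final int additionalReqParamsMaxNumber;
    protected final int additionalReqParamsMaxSize;
    // true: exceeding a limit rejects the request; false: the offending and remaining parameters are dropped.
    protected final boolean additionalReqParamsFailFast;
    protected final int additionalReqParamsMaxOverallSize;
    public static final String AUTHZ_REQUEST_OBJECT = "ParsedRequestObject";
    public static final String AUTHZ_REQUEST_OBJECT_ENCRYPTED = "EncryptedRequestObject";
    private static final Logger logger = Logger.getLogger(AuthzEndpointRequestParser.class);

    // Names handled explicitly (or deliberately ignored) and therefore never copied into the
    // additional-parameter map.
    // NOTE(review): the set is public and mutable, so any code in the JVM can add or remove names
    // and change what counts as an "additional" parameter. It is left mutable because external code
    // may rely on that; confirm, then consider exposing an unmodifiable view.
    public static final Set<String> KNOWN_REQ_PARAMS = new HashSet<>();

    /**
     * Reads the additional-parameter limits from the "openid-connect" login protocol configuration.
     *
     * <p>The decompiler reports that this constructor was originally {@code protected}.
     *
     * @param keycloakSession session used to look up the OIDC login protocol provider
     */
    public AuthzEndpointRequestParser(KeycloakSession keycloakSession) {
        OIDCProviderConfig config = keycloakSession.getProvider(LoginProtocol.class, "openid-connect").getConfig();
        this.additionalReqParamsMaxNumber = config.getAdditionalReqParamsMaxNumber();
        this.additionalReqParamsMaxSize = config.getAdditionalReqParamsMaxSize();
        this.additionalReqParamsFailFast = config.isAdditionalReqParamsFailFast();
        this.additionalReqParamsMaxOverallSize = config.getAdditionalReqParamsMaxOverallSize();
    }

    /**
     * Copies every parameter present in this parser's source onto the given request.
     *
     * <p>A non-null value from this source replaces the value already on the request. The
     * exceptions are {@code client_id} and {@code response_type}, which are first compared with
     * the value already present (per the messages below, one taken from an OIDC {@code request} or
     * {@code request_uri}).
     *
     * @param authorizationEndpointRequest request to populate; modified in place
     * @throws IllegalArgumentException if {@code client_id} differs from the client id already set
     * @throws ErrorResponseException if an additional-parameter limit is exceeded in fail-fast mode
     */
    public void parseRequest(AuthorizationEndpointRequest authorizationEndpointRequest) {
        String clientIdParam = getParameter("client_id");
        if (clientIdParam != null) {
            // A client_id that disagrees with the one already bound to the request is a hard failure.
            if (authorizationEndpointRequest.clientId != null && !authorizationEndpointRequest.clientId.equals(clientIdParam)) {
                throw new IllegalArgumentException("The client_id parameter doesn't match the one from OIDC 'request' or 'request_uri'");
            }
            authorizationEndpointRequest.clientId = clientIdParam;
        }

        String responseTypeParam = getParameter("response_type");
        // A mismatch only marks the request invalid; the value is still overwritten below.
        validateResponseTypeParameter(responseTypeParam, authorizationEndpointRequest);
        if (responseTypeParam != null) {
            authorizationEndpointRequest.responseType = responseTypeParam;
        }

        authorizationEndpointRequest.responseMode = replaceIfNotNull(authorizationEndpointRequest.responseMode, getParameter(OIDCLoginProtocol.RESPONSE_MODE_PARAM));
        authorizationEndpointRequest.redirectUriParam = replaceIfNotNull(authorizationEndpointRequest.redirectUriParam, getParameter("redirect_uri"));
        authorizationEndpointRequest.state = replaceIfNotNull(authorizationEndpointRequest.state, getParameter("state"));
        authorizationEndpointRequest.scope = replaceIfNotNull(authorizationEndpointRequest.scope, getParameter("scope"));
        authorizationEndpointRequest.loginHint = replaceIfNotNull(authorizationEndpointRequest.loginHint, getParameter("login_hint"));
        authorizationEndpointRequest.prompt = replaceIfNotNull(authorizationEndpointRequest.prompt, getParameter(OIDCLoginProtocol.PROMPT_PARAM));
        authorizationEndpointRequest.idpHint = replaceIfNotNull(authorizationEndpointRequest.idpHint, getParameter("kc_idp_hint"));
        authorizationEndpointRequest.action = replaceIfNotNull(authorizationEndpointRequest.action, getParameter("kc_action"));
        authorizationEndpointRequest.nonce = replaceIfNotNull(authorizationEndpointRequest.nonce, getParameter(OIDCLoginProtocol.NONCE_PARAM));
        authorizationEndpointRequest.maxAge = replaceIfNotNull(authorizationEndpointRequest.maxAge, getIntParameter(OIDCLoginProtocol.MAX_AGE_PARAM));
        authorizationEndpointRequest.claims = replaceIfNotNull(authorizationEndpointRequest.claims, getParameter("claims"));
        authorizationEndpointRequest.acr = replaceIfNotNull(authorizationEndpointRequest.acr, getParameter(OIDCLoginProtocol.ACR_PARAM));
        authorizationEndpointRequest.display = replaceIfNotNull(authorizationEndpointRequest.display, getParameter("display"));
        authorizationEndpointRequest.uiLocales = replaceIfNotNull(authorizationEndpointRequest.uiLocales, getParameter(OIDCLoginProtocol.UI_LOCALES_PARAM));
        authorizationEndpointRequest.codeChallenge = replaceIfNotNull(authorizationEndpointRequest.codeChallenge, getParameter(OIDCLoginProtocol.CODE_CHALLENGE_PARAM));
        authorizationEndpointRequest.codeChallengeMethod = replaceIfNotNull(authorizationEndpointRequest.codeChallengeMethod, getParameter(OIDCLoginProtocol.CODE_CHALLENGE_METHOD_PARAM));
        authorizationEndpointRequest.dpopJkt = replaceIfNotNull(authorizationEndpointRequest.dpopJkt, getParameter(OIDCLoginProtocol.DPOP_JKT));

        extractAdditionalReqParams(authorizationEndpointRequest.additionalReqParams);
    }

    /**
     * Flags the request as invalid when {@code response_type} disagrees with the value already set.
     *
     * <p>Unlike the {@code client_id} check in {@link #parseRequest}, a mismatch does not throw: it
     * logs a warning and records an invalid-request message on the request. The decompiler reports
     * that this method was originally {@code protected}.
     *
     * @param str the {@code response_type} read from this parser's source, may be null
     * @param authorizationEndpointRequest request whose current {@code responseType} is compared
     */
    public void validateResponseTypeParameter(String str, AuthorizationEndpointRequest authorizationEndpointRequest) {
        boolean nothingToCompare = str == null || authorizationEndpointRequest.responseType == null;
        if (nothingToCompare || authorizationEndpointRequest.responseType.equals(str)) {
            return;
        }
        logger.warn("The response_type parameter doesn't match the one from OIDC 'request' or 'request_uri'");
        authorizationEndpointRequest.setInvalidRequestMessage("Parameter response_type does not match");
    }

    /**
     * Collects parameters that are not in {@link #KNOWN_REQ_PARAMS} into {@code map}, enforcing the
     * configured limits on their number, per-value length and combined value length.
     *
     * <p>When a limit is hit and fail-fast is enabled the request is rejected with
     * {@code invalid_request}. Otherwise processing stops at that parameter: it and every parameter
     * not yet visited are left out, while entries already added stay in {@code map}.
     *
     * <p>NOTE(review): only value lengths are measured. Parameter names are stored in the map,
     * logged and echoed in the error description without a length check in this method; confirm
     * that a bound is enforced elsewhere.
     *
     * @param map destination for accepted additional parameters; its current size counts against
     *            the maximum number
     * @throws ErrorResponseException with status 400 if a limit is exceeded in fail-fast mode
     */
    protected void extractAdditionalReqParams(Map<String, String> map) {
        // debugv uses java.text.MessageFormat patterns: a literal apostrophe must be written as ''.
        // A lone ' opens a quoted section in which {n} placeholders are NOT substituted, which is
        // what previously stripped the name and sizes from the limit-exceeded messages.
        int acceptedValueChars = 0;
        for (String str : keySet()) {
            if (KNOWN_REQ_PARAMS.contains(str)) {
                logger.debugv("The additional OIDC param ''{0}'' is well known. Continue with the other additional parameters.", str);
                continue;
            }

            String parameter = getParameter(str);
            if (parameter == null || parameter.trim().isEmpty()) {
                logger.debugv("The additional OIDC param ''{0}'' ignored because its value is null or blank.", str);
                continue;
            }

            if (map.size() >= this.additionalReqParamsMaxNumber) {
                logger.debugv("The maximum number of allowed parameters ({0}) is exceeded.", this.additionalReqParamsMaxNumber);
                if (this.additionalReqParamsFailFast) {
                    throw new ErrorResponseException("invalid_request", "The maximum number of allowed parameters (" + this.additionalReqParamsMaxNumber + ") is exceeded.", Response.Status.BAD_REQUEST);
                }
                return;
            }

            // Combined budget is checked before the per-value limit, so an oversized value is
            // reported against whichever limit it trips first in this order.
            if (parameter.length() + acceptedValueChars > this.additionalReqParamsMaxOverallSize) {
                if (this.additionalReqParamsFailFast) {
                    logger.debugv("The OIDC additional parameter ''{0}''s size ({1}) exceeds the maximum allowed size of all parameters ({2}).", str, parameter.length(), this.additionalReqParamsMaxOverallSize);
                    throw new ErrorResponseException("invalid_request", "The OIDC additional parameter '" + str + "'s size (" + parameter.length() + ") exceeds the maximum allowed size of all parameters (" + this.additionalReqParamsMaxOverallSize + ").", Response.Status.BAD_REQUEST);
                }
                logger.debugv("The OIDC additional parameter ''{0}''s size exceeds ({1}) the maximum allowed size of all parameters ({2}).", str, parameter.length(), this.additionalReqParamsMaxOverallSize);
                return;
            }

            if (parameter.length() > this.additionalReqParamsMaxSize) {
                logger.debugv("The OIDC additional parameter ''{0}''s size is longer ({1}) than allowed ({2}).", str, parameter.length(), this.additionalReqParamsMaxSize);
                if (this.additionalReqParamsFailFast) {
                    throw new ErrorResponseException("invalid_request", "The OIDC additional parameter '" + str + "'s size is longer (" + parameter.length() + ") than allowed (" + this.additionalReqParamsMaxSize + ").", Response.Status.BAD_REQUEST);
                }
                return;
            }

            logger.debugv("Adding OIDC additional parameter ''{0}'' as additional parameter.", str);
            acceptedValueChars += parameter.length();
            map.put(str, parameter);
        }
    }

    /**
     * Returns {@code t2} unless it is null, in which case the existing value {@code t} is kept.
     *
     * @param t current value
     * @param t2 candidate replacement, may be null
     * @return {@code t2} if non-null, otherwise {@code t}
     */
    protected <T> T replaceIfNotNull(T t, T t2) {
        return t2 != null ? t2 : t;
    }

    /** Returns the raw value of the named parameter from the underlying source, or null if absent. */
    protected abstract String getParameter(String str);

    /** Returns the named parameter as an Integer; parsing and null handling are left to the subclass. */
    protected abstract Integer getIntParameter(String str);

    /** Returns the names of all parameters present in the underlying source. */
    protected abstract Set<String> keySet();

    static {
        // Standard authorization-request parameters copied field by field in parseRequest.
        KNOWN_REQ_PARAMS.add("client_id");
        KNOWN_REQ_PARAMS.add("response_type");
        KNOWN_REQ_PARAMS.add(OIDCLoginProtocol.RESPONSE_MODE_PARAM);
        KNOWN_REQ_PARAMS.add("redirect_uri");
        KNOWN_REQ_PARAMS.add("state");
        KNOWN_REQ_PARAMS.add("scope");
        KNOWN_REQ_PARAMS.add("login_hint");
        KNOWN_REQ_PARAMS.add(OIDCLoginProtocol.PROMPT_PARAM);
        KNOWN_REQ_PARAMS.add("kc_idp_hint");
        KNOWN_REQ_PARAMS.add("kc_action");
        KNOWN_REQ_PARAMS.add(OIDCLoginProtocol.NONCE_PARAM);
        KNOWN_REQ_PARAMS.add(OIDCLoginProtocol.MAX_AGE_PARAM);
        KNOWN_REQ_PARAMS.add(OIDCLoginProtocol.UI_LOCALES_PARAM);
        // Request-object carriers: not read by parseRequest, listed so they are never stored as additional params.
        KNOWN_REQ_PARAMS.add("request");
        KNOWN_REQ_PARAMS.add("request_uri");
        KNOWN_REQ_PARAMS.add("claims");
        KNOWN_REQ_PARAMS.add(OIDCLoginProtocol.ACR_PARAM);
        KNOWN_REQ_PARAMS.add(OIDCLoginProtocol.CODE_CHALLENGE_PARAM);
        KNOWN_REQ_PARAMS.add(OIDCLoginProtocol.CODE_CHALLENGE_METHOD_PARAM);
        KNOWN_REQ_PARAMS.add(OIDCLoginProtocol.DPOP_JKT);
        // Client-authentication material: listing these names keeps such values out of the
        // additional-parameter map and out of the debug and error messages built from it.
        KNOWN_REQ_PARAMS.add("client_assertion_type");
        KNOWN_REQ_PARAMS.add("client_assertion");
        KNOWN_REQ_PARAMS.add(AbstractOAuth2IdentityProvider.OAUTH2_PARAMETER_CLIENT_SECRET);
    }
}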
