package org.keycloak.services.clientpolicy.executor;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.jboss.logging.Logger;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.AdminClientRegisterContext;
import org.keycloak.services.clientpolicy.context.AdminClientUpdateContext;
import org.keycloak.services.clientpolicy.context.AuthorizationRequestContext;
import org.keycloak.services.clientpolicy.context.ClientCRUDContext;
import org.keycloak.services.clientpolicy.context.DynamicClientRegisterContext;
import org.keycloak.services.clientpolicy.context.DynamicClientUpdateContext;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;

/* loaded from: input_file:org/keycloak/services/clientpolicy/executor/SecureClientUrisExecutor.class */
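/**
 * Client policy executor that rejects client URIs which are not {@code https://} URIs or which
 * contain a {@code *} wildcard.
 *
 * <p>The check runs on three events: {@code REGISTER} and {@code UPDATE} validate every URI-valued
 * field of the proposed client representation, and {@code AUTHORIZATION_REQUEST} validates the
 * {@code redirect_uri} of the request. All other events are ignored.
 *
 * <p>Scope of the check: it is a plain string test (case-sensitive {@code https://} prefix, no
 * {@code *} anywhere in the value). It does not parse the URI, so it makes no statement about the
 * host, userinfo, port, path or fragment. Callers that need those properties must validate them
 * separately.
 */
public class SecureClientUrisExecutor implements ClientPolicyExecutorProvider<ClientPolicyExecutorConfigurationRepresentation> {
    private static final Logger logger = Logger.getLogger(SecureClientUrisExecutor.class);

    /** Required prefix. The comparison is case-sensitive, so {@code HTTPS://} is rejected (fails closed). */
    private static final String SECURE_SCHEME_PREFIX = "https://";

    /** Wildcard character that is refused wherever it appears in a URI. */
    private static final String WILDCARD = "*";

    private final KeycloakSession session;

    /**
     * @param keycloakSession session this executor is bound to; stored but not read by the checks below
     */
    public SecureClientUrisExecutor(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * @return the provider id declared by {@link SecureClientUrisExecutorFactory}
     */
    public String getProviderId() {
        return SecureClientUrisExecutorFactory.PROVIDER_ID;
    }

    /**
     * Applies the secure-URI policy to the given event.
     *
     * @param clientPolicyContext event context; its concrete type must match the event it reports
     * @throws ClientPolicyException if the context type is not one accepted for the event, or if any
     *     checked URI is not an {@code https://} URI free of wildcards
     */
    public void executeOnEvent(ClientPolicyContext clientPolicyContext) throws ClientPolicyException {
        // Switch on the enum itself; the ordinal lookup table is left for the compiler to generate.
        switch (clientPolicyContext.getEvent()) {
            case REGISTER: {
                if (!(clientPolicyContext instanceof AdminClientRegisterContext)
                        && !(clientPolicyContext instanceof DynamicClientRegisterContext)) {
                    throw new ClientPolicyException("invalid_request", "not allowed input format.");
                }
                ClientRepresentation proposed = ((ClientCRUDContext) clientPolicyContext).getProposedClientRepresentation();
                // Validate first: the root URL is only reused as a redirect URI after it passed the check.
                confirmSecureUris(proposed);
                boolean hasNoRedirectUris = proposed.getRedirectUris() == null || proposed.getRedirectUris().isEmpty();
                if (proposed.getRootUrl() != null && hasNoRedirectUris) {
                    logger.debugf("Setup Redirect URI = %s for client %s", proposed.getRootUrl(), proposed.getClientId());
                    proposed.setRedirectUris(Collections.singletonList(proposed.getRootUrl()));
                }
                return;
            }
            case UPDATE: {
                if (!(clientPolicyContext instanceof AdminClientUpdateContext)
                        && !(clientPolicyContext instanceof DynamicClientUpdateContext)) {
                    throw new ClientPolicyException("invalid_request", "not allowed input format.");
                }
                confirmSecureUris(((ClientCRUDContext) clientPolicyContext).getProposedClientRepresentation());
                return;
            }
            case AUTHORIZATION_REQUEST:
                // NOTE(review): unlike REGISTER/UPDATE there is no instanceof guard here, so a context of
                // another type reporting this event fails with ClassCastException rather than a policy error.
                confirmSecureRedirectUri(((AuthorizationRequestContext) clientPolicyContext).getRedirectUri());
                return;
            default:
                return;
        }
    }

    /**
     * Checks every URI-valued field of a client representation. Fields are checked in a fixed order
     * and the first offending field determines the error description.
     *
     * @param clientRepresentation proposed client; absent fields and attributes are skipped
     * @throws ClientPolicyException naming the first field that holds a non-compliant URI
     */
    private void confirmSecureUris(ClientRepresentation clientRepresentation) throws ClientPolicyException {
        confirmSecureUri(clientRepresentation.getRootUrl(), "rootUrl");
        confirmSecureUri(clientRepresentation.getAdminUrl(), "adminUrl");
        confirmSecureUri(clientRepresentation.getBaseUrl(), "baseUrl");
        confirmSecureUris(clientRepresentation.getWebOrigins(), "webOrigins");
        confirmSecureUri(getAttribute(clientRepresentation, "backchannel.logout.url"), "logoutUrl");
        confirmSecureUris(clientRepresentation.getRedirectUris(), "redirectUris");
        confirmSecureUri(getAttribute(clientRepresentation, "jwks.url"), "jwksUri");
        confirmSecureUris(getAttributeMultivalued(clientRepresentation, "request.uris"), "requestUris");
        confirmSecureUri(getAttribute(clientRepresentation, "ciba.backchannel.client.notification.endpoint"),
                "cibaClientNotificationEndpoint");
    }

    /**
     * Reads a single client attribute.
     *
     * @return the attribute value, or {@code null} when the client has no attribute map or no such key
     */
    private static String getAttribute(ClientRepresentation clientRepresentation, String name) {
        Map<String, String> attributes = clientRepresentation.getAttributes();
        return attributes == null ? null : attributes.get(name);
    }

    /**
     * Reads a client attribute that stores several values in one string and splits it with
     * {@code Constants.CFG_DELIMITER_PATTERN}.
     *
     * @return the split values, or an empty list when the attribute is absent (never {@code null})
     */
    private List<String> getAttributeMultivalued(ClientRepresentation clientRepresentation, String str) {
        String joined = getAttribute(clientRepresentation, str);
        return joined == null ? Collections.emptyList() : Arrays.asList(Constants.CFG_DELIMITER_PATTERN.split(joined));
    }

    /** Checks one optional URI; {@code null} means the field is not set and is skipped. */
    private void confirmSecureUri(String uri, String fieldName) throws ClientPolicyException {
        if (uri != null) {
            confirmSecureUris(Collections.singletonList(uri), fieldName);
        }
    }

    /**
     * Checks a list of URIs belonging to one field.
     *
     * @param list URIs to check; {@code null} or empty is accepted as "nothing to check"
     * @param str field name used in the trace log and in the error description
     * @throws ClientPolicyException with {@code ErrorCodes.INVALID_CLIENT_METADATA} on the first
     *     element that is {@code null}, lacks the {@code https://} prefix, or contains {@code *}
     */
    private void confirmSecureUris(List<String> list, String str) throws ClientPolicyException {
        if (list == null || list.isEmpty()) {
            return;
        }
        for (String uri : list) {
            // The value is passed as a log argument, never as the format string.
            logger.tracev("{0} = {1}", str, uri);
            // A null element (e.g. a JSON null inside the submitted array) is rejected as invalid
            // metadata instead of surfacing as a NullPointerException.
            if (!isSecureUri(uri)) {
                throw new ClientPolicyException(ErrorCodes.INVALID_CLIENT_METADATA, "Invalid " + str);
            }
        }
    }

    /**
     * Checks the {@code redirect_uri} of an authorization request.
     *
     * @throws ClientPolicyException with {@code invalid_request} when the value is missing, empty,
     *     not prefixed with {@code https://}, or contains {@code *}
     */
    private void confirmSecureRedirectUri(String str) throws ClientPolicyException {
        if (str == null || str.isEmpty()) {
            throw new ClientPolicyException("invalid_request", "no redirect_uri specified.");
        }
        logger.tracev("Redirect URI = {0}", str);
        if (!isSecureUri(str)) {
            throw new ClientPolicyException("invalid_request", "Invalid redirect_uri");
        }
    }

    /**
     * Single definition of the policy shared by registration-time and request-time checks.
     *
     * @return {@code true} only for a non-null value that starts with {@code https://} and has no {@code *}
     */
    private static boolean isSecureUri(String uri) {
        return uri != null && uri.startsWith(SECURE_SCHEME_PREFIX) && !uri.contains(WILDCARD);
    }
}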
