package org.keycloak.services.clientpolicy.executor;

import com.fasterxml.jackson.annotation.JsonProperty;
import org.jboss.logging.Logger;
import org.keycloak.common.Profile;
import org.keycloak.common.VerificationException;
import org.keycloak.http.HttpRequest;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.dpop.DPoP;
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.ClientCRUDContext;
import org.keycloak.services.clientpolicy.context.TokenRevokeContext;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;

/* loaded from: input_file:org/keycloak/services/clientpolicy/executor/DPoPBindEnforcerExecutor.class */
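/**
 * Client policy executor that enforces DPoP usage for the clients a policy applies to.
 *
 * <p>What is enforced depends on the {@link ClientPolicyEvent} the executor is invoked for:
 * <ul>
 *   <li>{@code REGISTER}/{@code UPDATE}: optionally switches the proposed client to DPoP and rejects
 *       client metadata that leaves DPoP disabled;</li>
 *   <li>{@code TOKEN_REQUEST}, {@code TOKEN_REFRESH}, {@code USERINFO_REQUEST},
 *       {@code BACKCHANNEL_TOKEN_REQUEST}: rejects requests that carry no {@code DPoP} header
 *       (presence check only, see {@link #executeOnEvent});</li>
 *   <li>{@code TOKEN_REVOKE}: verifies the DPoP proof and that the token being revoked is bound to the
 *       proof's key.</li>
 * </ul>
 *
 * <p>When the {@link Profile.Feature#DPOP} feature is disabled nothing is enforced; the executor only logs a
 * warning, so a policy that references it is effectively a no-op in that state.
 *
 * <p>Instances are per-session and not thread-safe; {@link #setupConfiguration} is expected to be called before
 * {@link #executeOnEvent}.
 */
public class DPoPBindEnforcerExecutor implements ClientPolicyExecutorProvider<DPoPBindEnforcerExecutor.Configuration> {
    private static final Logger logger = Logger.getLogger(DPoPBindEnforcerExecutor.class);

    /** HTTP header that carries the DPoP proof JWT. */
    private static final String DPOP_HEADER = "DPoP";
    /** OAuth error code returned when the proof is missing or does not verify. */
    private static final String ERROR_INVALID_DPOP_PROOF = "invalid_dpop_proof";
    /** OAuth error code returned when the token is not bound to the presented proof. */
    private static final String ERROR_INVALID_TOKEN = "invalid_token";

    private final KeycloakSession session;
    private Configuration configuration;

    /**
     * Executor configuration as stored in the client policy JSON.
     */
    public static class Configuration extends ClientPolicyExecutorConfigurationRepresentation {

        /**
         * When {@code true}, clients registered or updated under this policy get DPoP switched on automatically
         * before their metadata is validated. Boxed on purpose: it is {@code null} when the policy omits the key.
         */
        @JsonProperty("auto-configure")
        protected Boolean autoConfigure;

        /**
         * @return the configured flag, or {@code null} when {@code auto-configure} is absent from the policy
         */
        public Boolean isAutoConfigure() {
            return this.autoConfigure;
        }

        public void setAutoConfigure(Boolean bool) {
            this.autoConfigure = bool;
        }
    }

    /**
     * @param keycloakSession session whose HTTP request, URI and token manager the checks are run against
     */
    public DPoPBindEnforcerExecutor(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    @Override
    public void setupConfiguration(Configuration configuration) {
        this.configuration = configuration;
    }

    @Override
    public Class<Configuration> getExecutorConfigurationClass() {
        return Configuration.class;
    }

    @Override
    public String getProviderId() {
        return DPoPBindEnforcerExecutorFactory.PROVIDER_ID;
    }

    /**
     * Dispatches on the policy event and applies the matching DPoP check.
     *
     * @param clientPolicyContext context of the event; cast to {@link ClientCRUDContext} for
     *        {@code REGISTER}/{@code UPDATE} and to {@link TokenRevokeContext} for {@code TOKEN_REVOKE}
     * @throws ClientPolicyException when the check for the event fails; events not listed here pass
     */
    @Override
    public void executeOnEvent(ClientPolicyContext clientPolicyContext) throws ClientPolicyException {
        if (!Profile.isFeatureEnabled(Profile.Feature.DPOP)) {
            // The warning is the only signal an operator gets that this policy currently enforces nothing.
            logger.warn("DPoP executor is used, but DPOP feature is disabled. So DPOP is not enforced for the clients. Please enable DPOP feature in order to be able to have DPOP checks applied.");
            return;
        }
        HttpRequest httpRequest = this.session.getContext().getHttpRequest();
        switch (clientPolicyContext.getEvent()) {
            case REGISTER:
            case UPDATE:
                ClientRepresentation proposed = ((ClientCRUDContext) clientPolicyContext).getProposedClientRepresentation();
                // Auto-configuration runs first so that an auto-configured client passes the validation below.
                autoConfigure(proposed);
                validate(proposed);
                break;
            case TOKEN_REQUEST:
            case TOKEN_REFRESH:
            case USERINFO_REQUEST:
            case BACKCHANNEL_TOKEN_REQUEST:
                // Presence check only: the proof is not parsed or verified here.
                // NOTE(review): this relies on the protocol endpoint for these events verifying the proof itself — confirm.
                if (httpRequest.getHttpHeaders().getHeaderString(DPOP_HEADER) == null) {
                    throw new ClientPolicyException(ERROR_INVALID_DPOP_PROOF, "DPoP proof is missing");
                }
                break;
            case TOKEN_REVOKE:
                checkTokenRevoke((TokenRevokeContext) clientPolicyContext, httpRequest);
                break;
            default:
                break;
        }
    }

    /**
     * Switches DPoP on for the proposed client when the policy asks for it.
     *
     * <p>{@code auto-configure} is a boxed {@link Boolean} that is {@code null} when the policy omits it; a missing
     * or {@code false} value leaves the representation untouched rather than failing with an NPE on unboxing.
     *
     * @param clientRepresentation proposed client; mutated in place when auto-configuration is enabled
     */
    private void autoConfigure(ClientRepresentation clientRepresentation) {
        boolean enabled = this.configuration != null
                && Boolean.TRUE.equals(this.configuration.isAutoConfigure());
        if (enabled) {
            OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRepresentation).setUseDPoP(true);
        }
    }

    /**
     * Rejects client metadata that leaves DPoP disabled.
     *
     * @param clientRepresentation proposed client, after any auto-configuration
     * @throws ClientPolicyException with {@link ErrorCodes#INVALID_CLIENT_METADATA} when DPoP is not enabled
     */
    private void validate(ClientRepresentation clientRepresentation) throws ClientPolicyException {
        if (!OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRepresentation).isUseDPoP()) {
            throw new ClientPolicyException(ErrorCodes.INVALID_CLIENT_METADATA, "Invalid client metadata: DPoP token in disabled");
        }
    }

    /**
     * Token revocation: verifies the DPoP proof on the request and, when the {@code token} parameter decodes as an
     * {@link AccessToken}, checks that the token is bound to the proof's key.
     *
     * <p>The proof is verified before the token is looked at, so a request with a bad proof is rejected regardless
     * of what it tries to revoke. A missing or undecodable {@code token} value is left to the revocation endpoint's
     * own handling; NOTE(review): no binding check happens for it — confirm the endpoint rejects such requests.
     *
     * @throws ClientPolicyException when the proof fails verification or the token is not bound to it
     */
    private void checkTokenRevoke(TokenRevokeContext tokenRevokeContext, HttpRequest httpRequest) throws ClientPolicyException {
        DPoP dPoP = retrieveAndVerifyDPoP(httpRequest);
        String rawToken = (String) tokenRevokeContext.getParams().getFirst("token");
        if (rawToken == null) {
            // Nothing to bind; the endpoint's own parameter validation applies.
            return;
        }
        AccessToken accessToken = this.session.tokens().decode(rawToken, AccessToken.class);
        if (accessToken == null) {
            return;
        }
        validateBinding(accessToken, dPoP);
    }

    /**
     * Parses and verifies the DPoP proof carried by {@code httpRequest} against the current request URI.
     *
     * @throws ClientPolicyException {@code invalid_dpop_proof} when the proof is absent or fails verification; the
     *         verifier's message is passed through as the error detail
     */
    private DPoP retrieveAndVerifyDPoP(HttpRequest httpRequest) throws ClientPolicyException {
        try {
            return new DPoPUtil.Validator(this.session)
                    .request(httpRequest)
                    .uriInfo(this.session.getContext().getUri())
                    .validate();
        } catch (VerificationException e) {
            logger.tracev("dpop verification error = {0}", e.getMessage());
            throw new ClientPolicyException(ERROR_INVALID_DPOP_PROOF, e.getMessage());
        }
    }

    /**
     * Checks that {@code accessToken} is bound to the key of {@code dPoP}, delegating to
     * {@link DPoPUtil#validateBinding}.
     *
     * <p>The failure reason is only logged at trace level; the client gets a generic {@code invalid_token} error,
     * so the response does not reveal which part of the binding check failed.
     *
     * @throws ClientPolicyException {@code invalid_token} when the binding does not verify
     */
    private void validateBinding(AccessToken accessToken, DPoP dPoP) throws ClientPolicyException {
        try {
            DPoPUtil.validateBinding(accessToken, dPoP);
        } catch (VerificationException e) {
            logger.tracev("dpop bind refresh token verification error = {0}", e.getMessage());
            throw new ClientPolicyException(ERROR_INVALID_TOKEN, "DPoP proof and token binding verification failed");
        }
    }
}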
