package org.keycloak.services.clientpolicy.executor;

import com.fasterxml.jackson.annotation.JsonProperty;
import java.util.List;
import org.jboss.logging.Logger;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.ClientCRUDContext;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;

/* loaded from: input_file:org/keycloak/services/clientpolicy/executor/SecureClientAuthenticatorExecutor.class */
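public class SecureClientAuthenticatorExecutor implements ClientPolicyExecutorProvider<Configuration> {
    private static final Logger logger = Logger.getLogger(SecureClientAuthenticatorExecutor.class);
    private final KeycloakSession session;
    // Assigned by setupConfiguration(). The validation paths dereference it without a null
    // check, so the executor must be configured before the first executeOnEvent() call.
    private Configuration configuration;

    /**
     * Executor configuration: the allow-list of client authenticator ids and an optional
     * default authenticator applied to clients that are registered or updated without one.
     */
    public static class Configuration extends ClientPolicyExecutorConfigurationRepresentation {

        // Authenticator ids a confidential client may use; {@code null} means "none allowed".
        @JsonProperty(SecureClientAuthenticatorExecutorFactory.ALLOWED_CLIENT_AUTHENTICATORS)
        protected List<String> allowedClientAuthenticators;

        // Authenticator id set on a client that does not specify one; {@code null} disables auto-config.
        @JsonProperty(SecureClientAuthenticatorExecutorFactory.DEFAULT_CLIENT_AUTHENTICATOR)
        protected String defaultClientAuthenticator;

        /** @return the configured allow-list, or {@code null} when none was configured */
        public List<String> getAllowedClientAuthenticators() {
            return this.allowedClientAuthenticators;
        }

        /** @param list authenticator ids to allow; stored as given, not copied */
        public void setAllowedClientAuthenticators(List<String> list) {
            this.allowedClientAuthenticators = list;
        }

        /** @return the default authenticator id, or {@code null} when none was configured */
        public String getDefaultClientAuthenticator() {
            return this.defaultClientAuthenticator;
        }

        /** @param str authenticator id to apply to clients registered/updated without one */
        public void setDefaultClientAuthenticator(String str) {
            this.defaultClientAuthenticator = str;
        }
    }

    /**
     * Creates the executor bound to the given session.
     *
     * @param keycloakSession session used to look up the current client on token/logout events
     */
    public SecureClientAuthenticatorExecutor(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /** @param configuration deserialized executor configuration; must be set before events are handled */
    public void setupConfiguration(Configuration configuration) {
        this.configuration = configuration;
    }

    /** @return the configuration class this executor is deserialized into */
    public Class<Configuration> getExecutorConfigurationClass() {
        return Configuration.class;
    }

    /** @return the provider id registered by {@link SecureClientAuthenticatorExecutorFactory} */
    public String getProviderId() {
        return SecureClientAuthenticatorExecutorFactory.PROVIDER_ID;
    }

    /**
     * Enforces the allowed client authentication methods.
     *
     * <p>On client registration/update the proposed representation is first auto-configured with
     * the default authenticator (if any) and then validated. On token, revocation, introspection
     * and logout requests the current client's configured authenticator is validated instead.
     * Any other event is ignored.
     *
     * @param clientPolicyContext the event context; for REGISTER/UPDATE it must be a
     *     {@link ClientCRUDContext}
     * @throws ClientPolicyException if the client's authenticator is not in the allow-list
     */
    public void executeOnEvent(ClientPolicyContext clientPolicyContext) throws ClientPolicyException {
        // Switch on the enum directly; the decompiled form went through a synthetic ordinal
        // table and labelled a case with an unrelated constant that merely happened to equal 1.
        switch (clientPolicyContext.getEvent()) {
            case REGISTER:
            case UPDATE:
                ClientCRUDContext crudContext = (ClientCRUDContext) clientPolicyContext;
                ClientRepresentation proposedClient = crudContext.getProposedClientRepresentation();
                autoConfigure(proposedClient);
                validateDuringClientCRUD(proposedClient);
                return;
            case TOKEN_REQUEST:
            case SERVICE_ACCOUNT_TOKEN_REQUEST:
            case TOKEN_REFRESH:
            case TOKEN_REVOKE:
            case TOKEN_INTROSPECT:
            case LOGOUT_REQUEST:
                validateDuringClientRequest();
                return;
            default:
                return;
        }
    }

    /**
     * Applies the configured default authenticator to a client that has none set.
     * An authenticator explicitly chosen by the caller is never overridden.
     *
     * @param clientRepresentation the proposed client; mutated in place
     */
    private void autoConfigure(ClientRepresentation clientRepresentation) {
        String defaultAuthenticator = this.configuration.getDefaultClientAuthenticator();
        if (defaultAuthenticator == null) {
            return;
        }
        String current = clientRepresentation.getClientAuthenticatorType();
        if (current != null) {
            logger.tracef("Skip setting default client authenticator on client %s. Client authenticator already set to %s", clientRepresentation.getClientId(), current);
            return;
        }
        logger.tracef("Set default client authenticator %s on client %s", defaultAuthenticator, clientRepresentation.getClientId());
        clientRepresentation.setClientAuthenticatorType(defaultAuthenticator);
    }

    /**
     * Rejects a confidential client whose authenticator is not allowed.
     * Public clients do not authenticate at the token endpoint, so they are not checked;
     * a {@code null} publicClient flag is treated as confidential.
     *
     * @param clientRepresentation the proposed client
     * @throws ClientPolicyException with {@link ErrorCodes#INVALID_CLIENT_METADATA} on rejection
     */
    private void validateDuringClientCRUD(ClientRepresentation clientRepresentation) throws ClientPolicyException {
        boolean isPublic = Boolean.TRUE.equals(clientRepresentation.isPublicClient());
        if (isPublic) {
            return;
        }
        if (!isValidClientAuthenticator(clientRepresentation.getClientAuthenticatorType())) {
            throw new ClientPolicyException(ErrorCodes.INVALID_CLIENT_METADATA, "Invalid client metadata: token_endpoint_auth_method");
        }
    }

    /**
     * Rejects a request from a confidential client whose stored authenticator is not allowed.
     *
     * @throws ClientPolicyException with error {@code invalid_request} on rejection
     */
    private void validateDuringClientRequest() throws ClientPolicyException {
        // NOTE(review): assumes the session context always carries a client for the listed
        // events; a missing client would surface as a NullPointerException here — confirm.
        ClientModel client = this.session.getContext().getClient();
        if (client.isPublicClient()) {
            return;
        }
        if (isValidClientAuthenticator(client.getClientAuthenticatorType())) {
            return;
        }
        logger.warnf("Client authentication method not allowed for client: %s", client.getClientId());
        throw new ClientPolicyException("invalid_request", "Configured client authentication method not allowed for client");
    }

    /**
     * Checks an authenticator id against the allow-list.
     *
     * @param clientAuthenticatorType authenticator id to check; {@code null} is never valid
     * @return {@code true} only if an allow-list is configured and contains the id
     */
    private boolean isValidClientAuthenticator(String clientAuthenticatorType) {
        List<String> allowed = this.configuration.getAllowedClientAuthenticators();
        // Fail closed: no allow-list means nothing is allowed. The explicit null guard keeps the
        // original "null id is invalid" result and avoids an NPE if the list holds a null entry.
        return allowed != null && clientAuthenticatorType != null && allowed.contains(clientAuthenticatorType);
    }
}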
