package org.keycloak.protocol.oidc.utils;

import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.keycloak.connections.httpclient.HttpClientProvider;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.protocol.ProtocolMapperConfigException;
import org.keycloak.protocol.oidc.mappers.PairwiseSubMapperHelper;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:wildfly-10.1.0.Final/modules/system/add-ons/keycloak/org/keycloak/keycloak-services/main/keycloak-services-2.5.5.Final.jar:org/keycloak/protocol/oidc/utils/PairwiseSubMapperValidator.class */
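/**
 * Validates the configuration of a pairwise-subject protocol mapper against the client it
 * belongs to.
 *
 * <p>Two modes are supported, selected by whether a Sector Identifier URI is configured:
 * <ul>
 *   <li>No Sector Identifier URI: the client's resolved redirect URIs must all share one host.</li>
 *   <li>Sector Identifier URI present: the URI must parse with a scheme and a host, and the JSON
 *       array of redirect URIs fetched from it must match the client's redirect URIs (as decided
 *       by {@code PairwiseSubMapperUtils.matchesRedirects}).</li>
 * </ul>
 *
 * <p>Every failure is reported as a {@link ProtocolMapperConfigException} carrying one of the
 * message keys declared below.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Validation with a Sector Identifier URI makes the server issue an outbound HTTP request
 *       to a URL taken from mapper configuration. Who can set that value depends on how mappers
 *       are created in the deployment (not visible here), so treat it as a server-side request
 *       surface: limit who may configure it and apply egress controls.</li>
 *   <li>Only "has a scheme and a host" is checked before the fetch; the scheme itself is not
 *       restricted. OpenID Connect describes {@code sector_identifier_uri} as an https URL.
 *       NOTE(review): consider rejecting other schemes; not enforced here because existing
 *       configurations may rely on the current behaviour.</li>
 *   <li>No bound on response size or time is applied in this class; whether the
 *       {@link HttpClientProvider} enforces one cannot be told from here.</li>
 * </ul>
 */
public class PairwiseSubMapperValidator {
    public static final String PAIRWISE_MALFORMED_CLIENT_REDIRECT_URI = "pairwiseMalformedClientRedirectURI";
    public static final String PAIRWISE_CLIENT_REDIRECT_URIS_MISSING_HOST = "pairwiseClientRedirectURIsMissingHost";
    public static final String PAIRWISE_CLIENT_REDIRECT_URIS_MULTIPLE_HOSTS = "pairwiseClientRedirectURIsMultipleHosts";
    public static final String PAIRWISE_MALFORMED_SECTOR_IDENTIFIER_URI = "pairwiseMalformedSectorIdentifierURI";
    public static final String PAIRWISE_FAILED_TO_GET_REDIRECT_URIS = "pairwiseFailedToGetRedirectURIs";
    public static final String PAIRWISE_REDIRECT_URIS_MISMATCH = "pairwiseRedirectURIsMismatch";

    /* loaded from: input_file:wildfly-10.1.0.Final/modules/system/add-ons/keycloak/org/keycloak/keycloak-services/main/keycloak-services-2.5.5.Final.jar:org/keycloak/protocol/oidc/utils/PairwiseSubMapperValidator$TypedList.class */
    /**
     * Concrete {@code List<String>} type handed to the JSON deserializer so the fetched document
     * is read as an array of strings.
     */
    public static class TypedList extends ArrayList<String> {
    }

    /**
     * Validates a pairwise mapper using the root URL and redirect URIs of {@code clientModel}
     * and the Sector Identifier URI stored in {@code protocolMapperModel}.
     *
     * @param keycloakSession session used to obtain the HTTP client when a fetch is needed
     * @param clientModel client whose root URL and redirect URIs are checked
     * @param protocolMapperModel mapper configuration holding the optional Sector Identifier URI
     * @throws ProtocolMapperConfigException if the configuration is rejected
     */
    public static void validate(KeycloakSession keycloakSession, ClientModel clientModel, ProtocolMapperModel protocolMapperModel) throws ProtocolMapperConfigException {
        validate(keycloakSession, clientModel.getRootUrl(), clientModel.getRedirectUris(), PairwiseSubMapperHelper.getSectorIdentifierUri(protocolMapperModel));
    }

    /**
     * Validates a pairwise mapper from its raw inputs.
     *
     * @param keycloakSession session used to obtain the HTTP client when a fetch is needed
     * @param str the client's root URL (the three-argument overload passes
     *            {@code clientModel.getRootUrl()})
     * @param set the client's configured redirect URIs
     * @param str2 the Sector Identifier URI; {@code null} or empty selects the host-only check
     * @throws ProtocolMapperConfigException if the configuration is rejected
     */
    public static void validate(KeycloakSession keycloakSession, String str, Set<String> set, String str2) throws ProtocolMapperConfigException {
        if (str2 == null || str2.isEmpty()) {
            validateClientRedirectUris(str, set);
            return;
        }
        // Syntactic check first, so that an unparseable value never reaches the HTTP client.
        validateSectorIdentifierUri(str2);
        validateSectorIdentifierUri(keycloakSession, str, set, str2);
    }

    /**
     * Requires that the client's resolved redirect URIs yield exactly one host value.
     *
     * @throws ProtocolMapperConfigException if a redirect URI does not parse, if no redirect URI
     *         was resolved at all, or if more than one distinct host value is present
     */
    private static void validateClientRedirectUris(String clientRootUrl, Set<String> redirectUris) throws ProtocolMapperConfigException {
        Set<String> hosts = new HashSet<>();
        for (String redirectUri : PairwiseSubMapperUtils.resolveValidRedirectUris(clientRootUrl, redirectUris)) {
            try {
                // NOTE(review): URI.getHost() returns null for a URI without a host component
                // (for example a custom-scheme redirect). That null is stored as a "host", so a
                // client whose only redirect URI has no host passes both checks below despite
                // the MISSING_HOST message. Left unchanged because tightening it would reject
                // configurations that validate today; confirm the intended behaviour.
                hosts.add(new URI(redirectUri).getHost());
            } catch (URISyntaxException e) {
                throw new ProtocolMapperConfigException("Client contained an invalid redirect URI.", PAIRWISE_MALFORMED_CLIENT_REDIRECT_URI, e);
            }
        }
        if (hosts.isEmpty()) {
            throw new ProtocolMapperConfigException("Client redirect URIs must contain a valid host component.", PAIRWISE_CLIENT_REDIRECT_URIS_MISSING_HOST);
        }
        if (hosts.size() > 1) {
            throw new ProtocolMapperConfigException("Without a configured Sector Identifier URI, client redirect URIs must not contain multiple host components.", PAIRWISE_CLIENT_REDIRECT_URIS_MULTIPLE_HOSTS);
        }
    }

    /**
     * Checks that the Sector Identifier URI parses and has both a scheme and a host.
     *
     * <p>The scheme value itself is not inspected; see the class-level security notes.
     *
     * @throws ProtocolMapperConfigException if the URI is malformed or lacks a scheme or host
     */
    private static void validateSectorIdentifierUri(String sectorIdentifierUri) throws ProtocolMapperConfigException {
        URI parsed;
        try {
            parsed = new URI(sectorIdentifierUri);
        } catch (URISyntaxException e) {
            throw new ProtocolMapperConfigException("Invalid Sector Identifier URI.", PAIRWISE_MALFORMED_SECTOR_IDENTIFIER_URI, e);
        }
        if (parsed.getScheme() == null || parsed.getHost() == null) {
            throw new ProtocolMapperConfigException("Invalid Sector Identifier URI.", PAIRWISE_MALFORMED_SECTOR_IDENTIFIER_URI);
        }
    }

    /**
     * Fetches the redirect URIs published at the Sector Identifier URI and requires that they
     * match the client's redirect URIs.
     *
     * @throws ProtocolMapperConfigException if the fetch fails or the two sets do not match
     */
    private static void validateSectorIdentifierUri(KeycloakSession keycloakSession, String clientRootUrl, Set<String> redirectUris, String sectorIdentifierUri) throws ProtocolMapperConfigException {
        Set<String> sectorRedirects = getSectorRedirects(keycloakSession, sectorIdentifierUri);
        if (!PairwiseSubMapperUtils.matchesRedirects(clientRootUrl, redirectUris, sectorRedirects)) {
            throw new ProtocolMapperConfigException("Client redirect URIs does not match redirect URIs fetched from the Sector Identifier URI.", PAIRWISE_REDIRECT_URIS_MISMATCH);
        }
    }

    /**
     * Downloads the document at {@code sectorIdentifierUri} and reads it as a JSON array of
     * strings.
     *
     * <p>This is an outbound request made by the server to a configured URL. The response body
     * is remote input: it is only deserialized into a list of strings here and is compared
     * against the client's redirect URIs by the caller.
     *
     * @return the distinct entries of the fetched array
     * @throws ProtocolMapperConfigException if the request or the JSON parsing fails, or if the
     *         document is a JSON {@code null} rather than an array
     */
    private static Set<String> getSectorRedirects(KeycloakSession keycloakSession, String sectorIdentifierUri) throws ProtocolMapperConfigException {
        InputStream body = null;
        try {
            body = ((HttpClientProvider) keycloakSession.getProvider(HttpClientProvider.class)).get(sectorIdentifierUri);
            TypedList redirects = JsonSerialization.readValue(body, TypedList.class);
            if (redirects == null) {
                // A literal JSON null deserializes to null; report it as a failed fetch instead
                // of letting new HashSet<>(null) escape as a NullPointerException.
                throw new ProtocolMapperConfigException("Failed to get redirect URIs from the Sector Identifier URI.", PAIRWISE_FAILED_TO_GET_REDIRECT_URIS);
            }
            return new HashSet<>(redirects);
        } catch (IOException e) {
            throw new ProtocolMapperConfigException("Failed to get redirect URIs from the Sector Identifier URI.", PAIRWISE_FAILED_TO_GET_REDIRECT_URIS, e);
        } finally {
            closeQuietly(body);
        }
    }

    /** Closes {@code stream} if it is non-null, ignoring any failure to close. */
    private static void closeQuietly(InputStream stream) {
        if (stream == null) {
            return;
        }
        try {
            stream.close();
        } catch (IOException ignored) {
            // Best effort: a close failure must not mask the validation result or its error.
        }
    }
}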
