package org.keycloak.services.clientpolicy.executor;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.OIDCConfigAttributes;
import org.keycloak.protocol.oidc.endpoints.request.AuthzEndpointRequestParser;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.services.clientpolicy.AdminClientRegisterContext;
import org.keycloak.services.clientpolicy.AdminClientUpdateContext;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.ClientPolicyLogger;
import org.keycloak.services.clientpolicy.DynamicClientRegisterContext;
import org.keycloak.services.clientpolicy.DynamicClientUpdateContext;
import org.keycloak.services.managers.AuthenticationSessionManager;

/* loaded from: input_file:org/keycloak/services/clientpolicy/executor/SecureSigningAlgorithmEnforceExecutor.class */
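/**
 * Client policy executor that rejects client registrations and updates whose
 * signing-algorithm attributes name an algorithm outside an allow-list.
 *
 * <p>The allow-list is the RSASSA-PSS family ({@code PS256}, {@code PS384},
 * {@code PS512}) and the ECDSA family ({@code ES256}, {@code ES384},
 * {@code ES512}). Anything else (for example an RSASSA-PKCS1-v1_5 {@code RS*}
 * algorithm, or {@code none}) is refused with an {@code invalid_request}
 * {@link ClientPolicyException}.
 *
 * <p>Caveat for reviewers: an attribute that is <em>absent</em> is not
 * rejected, only logged. The executor therefore guarantees that a configured
 * algorithm is secure, not that one is configured; the only "nothing
 * specified" case that fails is a representation with no attributes map at all.
 *
 * <p>This is a cleaned-up version of the decompiled class: the synthetic
 * {@code $SwitchMap} holder and the {@code hashCode()}-based string switch are
 * replaced by a plain enum switch and a set lookup. Behaviour is unchanged.
 */
public class SecureSigningAlgorithmEnforceExecutor implements ClientPolicyExecutorProvider {
    private final KeycloakSession session;
    private final ComponentModel componentModel;
    private static final Logger logger = Logger.getLogger(SecureSigningAlgorithmEnforceExecutor.class);

    /** Client attributes checked on every register/update, whichever API was used. */
    private static final List<String> sigTargets = Arrays.asList(
            OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG,
            OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG,
            OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG,
            OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG);

    /**
     * Client attributes checked only when the client comes in through the Admin
     * REST API. Presumably these cannot be set through dynamic client
     * registration, so there is nothing to verify there — confirm against the
     * DCR representation before widening this list.
     */
    private static final List<String> sigTargetsAdminRestApiOnly = Arrays.asList(
            OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG);

    /** Signing algorithms this executor accepts; everything else is refused. */
    private static final Set<String> ALLOWED_SIGNING_ALGORITHMS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("PS256", "PS384", "PS512", "ES256", "ES384", "ES512")));

    /**
     * @param keycloakSession the current session; retained but not used by the checks
     * @param componentModel  the executor's component configuration (supplies name and provider id)
     */
    public SecureSigningAlgorithmEnforceExecutor(KeycloakSession keycloakSession, ComponentModel componentModel) {
        this.session = keycloakSession;
        this.componentModel = componentModel;
    }

    /** @return the display name taken from the backing component model */
    @Override
    public String getName() {
        return this.componentModel.getName();
    }

    /** @return the provider id taken from the backing component model */
    @Override
    public String getProviderId() {
        return this.componentModel.getProviderId();
    }

    /**
     * Runs the algorithm check for {@code REGISTER} and {@code UPDATE} events.
     *
     * <p>Admin REST API contexts additionally have the admin-only attribute
     * targets checked. Any other event is ignored. A register/update context of
     * an unrecognised type is treated as a policy violation rather than skipped,
     * so a new context type cannot silently bypass the check.
     *
     * @param clientPolicyContext the event being evaluated
     * @throws ClientPolicyException if the context type is not one of the four
     *         supported register/update contexts, or a signing-algorithm
     *         attribute names a disallowed algorithm
     */
    @Override
    public void executeOnEvent(ClientPolicyContext clientPolicyContext) throws ClientPolicyException {
        switch (clientPolicyContext.getEvent()) {
            case REGISTER:
                if (clientPolicyContext instanceof AdminClientRegisterContext) {
                    verifySecureSigningAlgorithm(
                            ((AdminClientRegisterContext) clientPolicyContext).getProposedClientRepresentation(), true, false);
                } else if (clientPolicyContext instanceof DynamicClientRegisterContext) {
                    verifySecureSigningAlgorithm(
                            ((DynamicClientRegisterContext) clientPolicyContext).getProposedClientRepresentation(), false, false);
                } else {
                    throw new ClientPolicyException("invalid_request", "not allowed input format.");
                }
                break;
            case UPDATE:
                if (clientPolicyContext instanceof AdminClientUpdateContext) {
                    verifySecureSigningAlgorithm(
                            ((AdminClientUpdateContext) clientPolicyContext).getProposedClientRepresentation(), true, true);
                } else if (clientPolicyContext instanceof DynamicClientUpdateContext) {
                    verifySecureSigningAlgorithm(
                            ((DynamicClientUpdateContext) clientPolicyContext).getProposedClientRepresentation(), false, true);
                } else {
                    throw new ClientPolicyException("invalid_request", "not allowed input format.");
                }
                break;
            default:
                // Other client policy events carry nothing for this executor to verify.
                break;
        }
    }

    /**
     * Checks every signing-algorithm attribute of the proposed representation.
     *
     * @param clientRepresentation the client as proposed by the caller
     * @param isAdminRestApi       true when the request came through the Admin REST
     *                             API, which enables the admin-only targets
     * @param isUpdate             true for UPDATE events; currently unused, kept so
     *                             the call sites document which event they serve
     * @throws ClientPolicyException if the representation has no attributes map at
     *         all, or any checked attribute names a disallowed algorithm
     */
    private void verifySecureSigningAlgorithm(ClientRepresentation clientRepresentation, boolean isAdminRestApi,
                                              boolean isUpdate) throws ClientPolicyException {
        if (clientRepresentation.getAttributes() == null) {
            throw new ClientPolicyException("invalid_request", "no signature algorithm was specified.");
        }
        for (String sigTarget : sigTargets) {
            verifySecureSigningAlgorithm(sigTarget, clientRepresentation.getAttributes().get(sigTarget));
        }
        if (isAdminRestApi) {
            for (String sigTarget : sigTargetsAdminRestApiOnly) {
                verifySecureSigningAlgorithm(sigTarget, clientRepresentation.getAttributes().get(sigTarget));
            }
        }
    }

    /**
     * Checks a single attribute value against the allow-list.
     *
     * @param sigTarget the attribute name (used only for logging)
     * @param sigAlg    the configured algorithm, or null when the attribute is absent
     * @throws ClientPolicyException if {@code sigAlg} is non-null and not in
     *         {@link #ALLOWED_SIGNING_ALGORITHMS}
     */
    private void verifySecureSigningAlgorithm(String sigTarget, String sigAlg) throws ClientPolicyException {
        if (sigAlg == null) {
            // Absent is accepted: only an explicitly configured algorithm is policed.
            ClientPolicyLogger.logv(logger, "Signing algorithm not specified explicitly. signature target = {0}", sigTarget);
            return;
        }
        if (ALLOWED_SIGNING_ALGORITHMS.contains(sigAlg)) {
            ClientPolicyLogger.logv(logger, "Passed. signature target = {0}, signature algorithm = {1}", sigTarget, sigAlg);
            return;
        }
        ClientPolicyLogger.logv(logger, "NOT allowed signatureAlgorithm. signature target = {0}, signature algorithm = {1}", sigTarget, sigAlg);
        throw new ClientPolicyException("invalid_request", "not allowed signature algorithm.");
    }
}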
