package org.keycloak.protocol.oidc.endpoints;

import java.util.regex.Pattern;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.OIDCConfigAttributes;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequest;
import org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequestParserProcessor;
import org.keycloak.protocol.oidc.endpoints.request.RequestUriType;
import org.keycloak.protocol.oidc.utils.OIDCResponseMode;
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.ErrorPageException;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.Cors;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.util.TokenUtil;
import org.keycloak.utils.StringUtil;

/* loaded from: input_file:org/keycloak/protocol/oidc/endpoints/AuthorizationEndpointChecker.class */
public class AuthorizationEndpointChecker {
    private EventBuilder event;
    private AuthorizationEndpointRequest request;
    private KeycloakSession session;
    private ClientModel client;
    private RealmModel realm;
    private String redirectUri;
    private OIDCResponseType parsedResponseType;
    private OIDCResponseMode parsedResponseMode;
    private MultivaluedMap<String, String> params;
    private static final Logger logger = Logger.getLogger(AuthorizationEndpointChecker.class);
    private static final Pattern VALID_CODE_CHALLENGE_PATTERN = Pattern.compile("^[0-9a-zA-Z\\-\\.~_]+$");

    /* loaded from: input_file:org/keycloak/protocol/oidc/endpoints/AuthorizationEndpointChecker$AuthorizationCheckException.class */
    public class AuthorizationCheckException extends Exception {
        private final Response.Status status;
        private final String error;
        private final String errorDescription;

        public AuthorizationCheckException(Response.Status status, String str, String str2) {
            this.status = status;
            this.error = str;
            this.errorDescription = str2;
        }

        public void throwAsErrorPageException(AuthenticationSessionModel authenticationSessionModel) {
            throw new ErrorPageException(AuthorizationEndpointChecker.this.session, authenticationSessionModel, this.status, this.error, this.errorDescription);
        }

        public void throwAsCorsErrorResponseException(Cors cors) {
            AuthorizationEndpointChecker.this.event.detail("detail", this.errorDescription).error(this.error);
            throw new CorsErrorResponseException(cors, this.error, this.errorDescription, this.status);
        }

        public String getError() {
            return this.error;
        }

        public String getErrorDescription() {
            return this.errorDescription;
        }
    }

    public AuthorizationEndpointChecker event(EventBuilder eventBuilder) {
        this.event = eventBuilder;
        return this;
    }

    public AuthorizationEndpointChecker request(AuthorizationEndpointRequest authorizationEndpointRequest) {
        this.request = authorizationEndpointRequest;
        return this;
    }

    public AuthorizationEndpointChecker session(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
        return this;
    }

    public AuthorizationEndpointChecker client(ClientModel clientModel) {
        this.client = clientModel;
        return this;
    }

    public AuthorizationEndpointChecker realm(RealmModel realmModel) {
        this.realm = realmModel;
        return this;
    }

    public AuthorizationEndpointChecker params(MultivaluedMap<String, String> multivaluedMap) {
        this.params = multivaluedMap;
        return this;
    }

    public String getRedirectUri() {
        return this.redirectUri;
    }

    public OIDCResponseType getParsedResponseType() {
        return this.parsedResponseType;
    }

    public OIDCResponseMode getParsedResponseMode() {
        return this.parsedResponseMode;
    }

    public void checkRedirectUri() throws AuthorizationCheckException {
        String redirectUriParam = this.request.getRedirectUriParam();
        boolean isOIDCRequest = TokenUtil.isOIDCRequest(this.request.getScope());
        this.event.detail("redirect_uri", redirectUriParam);
        this.redirectUri = RedirectUtils.verifyRedirectUri(this.session, redirectUriParam, this.client, isOIDCRequest);
        if (this.redirectUri == null) {
            this.event.error(ErrorCodes.INVALID_REDIRECT_URI);
            throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, Messages.INVALID_PARAMETER, "redirect_uri");
        }
    }

    public void checkResponseType() throws AuthorizationCheckException {
        String responseType = this.request.getResponseType();
        if (responseType == null) {
            ServicesLogger.LOGGER.missingParameter("response_type");
            this.event.error("invalid_request");
            throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, "invalid_request", "Missing parameter: response_type");
        }
        this.event.detail("response_type", responseType);
        try {
            this.parsedResponseType = OIDCResponseType.parse(responseType);
            try {
                OIDCResponseMode parse = OIDCResponseMode.parse(this.request.getResponseMode(), this.parsedResponseType);
                this.event.detail(OIDCLoginProtocol.RESPONSE_MODE_PARAM, parse.toString().toLowerCase());
                if (this.parsedResponseType.isImplicitOrHybridFlow() && parse == OIDCResponseMode.QUERY) {
                    ServicesLogger.LOGGER.responseModeQueryNotAllowed();
                    this.event.error("invalid_request");
                    throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, "invalid_request", "Response_mode 'query' not allowed for implicit or hybrid flow");
                }
                this.parsedResponseMode = parse;
                if (this.parsedResponseType.isImplicitOrHybridFlow() && parse == OIDCResponseMode.QUERY_JWT && (!StringUtil.isNotBlank(this.client.getAttribute(OIDCConfigAttributes.AUTHORIZATION_ENCRYPTED_RESPONSE_ALG)) || !StringUtil.isNotBlank(this.client.getAttribute(OIDCConfigAttributes.AUTHORIZATION_ENCRYPTED_RESPONSE_ENC)))) {
                    ServicesLogger.LOGGER.responseModeQueryJwtNotAllowed();
                    this.event.error("invalid_request");
                    throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, "invalid_request", "Response_mode 'query.jwt' is allowed only when the authorization response token is encrypted");
                }
                if ((this.parsedResponseType.hasResponseType("code") || this.parsedResponseType.hasResponseType("none")) && !this.client.isStandardFlowEnabled()) {
                    ServicesLogger.LOGGER.flowNotAllowed("Standard");
                    this.event.error("not_allowed");
                    throw new AuthorizationCheckException(Response.Status.UNAUTHORIZED, "unauthorized_client", "Client is not allowed to initiate browser login with given response_type. Standard flow is disabled for the client.");
                }
                if (!this.parsedResponseType.isImplicitOrHybridFlow() || this.client.isImplicitFlowEnabled()) {
                    return;
                }
                ServicesLogger.LOGGER.flowNotAllowed("Implicit");
                this.event.error("not_allowed");
                throw new AuthorizationCheckException(Response.Status.UNAUTHORIZED, "unauthorized_client", "Client is not allowed to initiate browser login with given response_type. Implicit flow is disabled for the client.");
            } catch (IllegalArgumentException e) {
                ServicesLogger.LOGGER.invalidParameter(OIDCLoginProtocol.RESPONSE_MODE_PARAM);
                this.event.error("invalid_request");
                throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, "invalid_request", "Invalid parameter: response_mode");
            }
        } catch (IllegalArgumentException e2) {
            this.event.error("invalid_request");
            throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, "unsupported_response_type", null);
        }
    }

    public void checkInvalidRequestMessage() throws AuthorizationCheckException {
        if (this.request.getInvalidRequestMessage() != null) {
            this.event.error("invalid_request");
            throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, "invalid_request", this.request.getInvalidRequestMessage());
        }
    }

    public void checkOIDCRequest() {
        if (TokenUtil.isOIDCRequest(this.request.getScope())) {
            return;
        }
        ServicesLogger.LOGGER.oidcScopeMissing();
    }

    public void checkValidScope() throws AuthorizationCheckException {
        if (TokenManager.isValidScope(this.request.getScope(), this.client)) {
            return;
        }
        ServicesLogger.LOGGER.invalidParameter("scope");
        this.event.error("invalid_request");
        throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, "invalid_scope", "Invalid scopes: " + this.request.getScope());
    }

    public void checkOIDCParams() throws AuthorizationCheckException {
        if ((TokenUtil.isOIDCRequest(this.request.getScope()) || !this.parsedResponseType.toString().equals(OIDCResponseType.TOKEN)) && this.parsedResponseType.isImplicitOrHybridFlow() && this.request.getNonce() == null) {
            ServicesLogger.LOGGER.missingParameter("nonce");
            this.event.error("invalid_request");
            throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, "invalid_request", "Missing parameter: nonce");
        }
    }

    public void checkPKCEParams() throws AuthorizationCheckException {
        String codeChallenge = this.request.getCodeChallenge();
        String codeChallengeMethod = this.request.getCodeChallengeMethod();
        if (this.parsedResponseType.isImplicitFlow()) {
            return;
        }
        String pkceCodeChallengeMethod = OIDCAdvancedConfigWrapper.fromClientModel(this.client).getPkceCodeChallengeMethod();
        if (pkceCodeChallengeMethod == null || pkceCodeChallengeMethod.isEmpty()) {
            checkParamsForPkceNotEnforcedClient(codeChallengeMethod, pkceCodeChallengeMethod, codeChallenge);
        } else {
            checkParamsForPkceEnforcedClient(codeChallengeMethod, pkceCodeChallengeMethod, codeChallenge);
        }
    }

    public void checkParRequired() throws AuthorizationCheckException {
        if (this.realm.getParPolicy().isRequirePushedAuthorizationRequests(this.client)) {
            String str = (String) this.params.getFirst("request_uri");
            if (str == null || AuthorizationEndpointRequestParserProcessor.getRequestUriType(str) != RequestUriType.PAR) {
                ServicesLogger.LOGGER.missingParameter("request_uri");
                this.event.error("invalid_request");
                throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, "invalid_request", "Pushed Authorization Request is only allowed.");
            }
        }
    }

    private boolean isValidPkceCodeChallenge(String str) {
        if (str.length() < 43) {
            logger.debugf("PKCE codeChallenge length under lower limit , codeChallenge = %s", str);
            return false;
        }
        if (str.length() <= 128) {
            return VALID_CODE_CHALLENGE_PATTERN.matcher(str).matches();
        }
        logger.debugf("PKCE codeChallenge length over upper limit , codeChallenge = %s", str);
        return false;
    }

    private void checkParamsForPkceEnforcedClient(String str, String str2, String str3) throws AuthorizationCheckException {
        if (str == null) {
            logger.info("PKCE enforced Client without code challenge method.");
            this.event.error("invalid_request");
            throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, "invalid_request", "Missing parameter: code_challenge_method");
        }
        if (!str.equals(str2)) {
            logger.info("PKCE enforced Client code challenge method is not configured one.");
            this.event.error("invalid_request");
            throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, "invalid_request", "Invalid parameter: code challenge method is not configured one");
        }
        if (str3 == null) {
            logger.info("PKCE supporting Client without code challenge");
            this.event.error("invalid_request");
            throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, "invalid_request", "Missing parameter: code_challenge");
        }
        if (isValidPkceCodeChallenge(str3)) {
            return;
        }
        logger.infof("PKCE supporting Client with invalid code challenge specified in PKCE, codeChallenge = %s", str3);
        this.event.error("invalid_request");
        throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, "invalid_request", "Invalid parameter: code_challenge");
    }

    private void checkParamsForPkceNotEnforcedClient(String str, String str2, String str3) throws AuthorizationCheckException {
        if (str3 == null && str != null) {
            logger.info("PKCE supporting Client without code challenge");
            this.event.error("invalid_request");
            throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, "invalid_request", "Missing parameter: code_challenge");
        }
        if (str3 == null) {
            logger.debug("PKCE non-supporting Client");
            return;
        }
        if (str != null && !str.equals(OIDCLoginProtocol.PKCE_METHOD_S256) && !str.equals(OIDCLoginProtocol.PKCE_METHOD_PLAIN)) {
            logger.infof("PKCE supporting Client with invalid code challenge method not specified in PKCE, codeChallengeMethod = %s", str);
            this.event.error("invalid_request");
            throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, "invalid_request", "Invalid parameter: code_challenge_method");
        }
        if (isValidPkceCodeChallenge(str3)) {
            return;
        }
        logger.infof("PKCE supporting Client with invalid code challenge specified in PKCE, codeChallenge = %s", str3);
        this.event.error("invalid_request");
        throw new AuthorizationCheckException(Response.Status.BAD_REQUEST, "invalid_request", "Invalid parameter: code_challenge");
    }
}
