package org.keycloak.services.clientpolicy.executor;

import java.util.Arrays;
import java.util.List;
import org.jboss.logging.Logger;
import org.keycloak.models.KeycloakSession;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.AdminClientRegisterContext;
import org.keycloak.services.clientpolicy.context.AdminClientUpdateContext;
import org.keycloak.services.clientpolicy.context.AuthorizationRequestContext;
import org.keycloak.services.clientpolicy.context.ClientCRUDContext;
import org.keycloak.services.clientpolicy.context.DynamicClientRegisterContext;
import org.keycloak.services.clientpolicy.context.DynamicClientUpdateContext;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.resources.Cors;

/* loaded from: input_file:org/keycloak/services/clientpolicy/executor/SecureRedirectUriEnforceExecutor.class */
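/**
 * Client policy executor that rejects redirect URIs which are served over plain HTTP or
 * which contain a wildcard.
 *
 * <p>The check runs on client registration ({@code REGISTER}), client update ({@code UPDATE})
 * and on authorization requests ({@code AUTHORIZATION_REQUEST}); every other event is ignored.
 *
 * <p>Security caveat: the validation is a deny-list. A URI passes when it does not start with
 * {@code http://} and does not contain the wildcard marker, so this executor alone does not
 * prove that a redirect URI uses {@code https}. Pair it with an exact-match redirect URI
 * policy where that guarantee is required.
 */
public class SecureRedirectUriEnforceExecutor implements ClientPolicyExecutorProvider<ClientPolicyExecutorConfiguration> {
    private static final Logger logger = Logger.getLogger(SecureRedirectUriEnforceExecutor.class);

    /** Scheme prefix that marks a redirect URI as plain, unencrypted HTTP. */
    private static final String INSECURE_SCHEME_PREFIX = "http://";

    // Kept for the provider contract; not read by any method of this class.
    private final KeycloakSession session;

    /**
     * Creates the executor for the given session.
     *
     * @param keycloakSession session this executor instance is bound to
     */
    public SecureRedirectUriEnforceExecutor(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * Returns the provider id declared by {@link SecureRedirectUriEnforceExecutorFactory}.
     *
     * @return the provider id
     */
    public String getProviderId() {
        return SecureRedirectUriEnforceExecutorFactory.PROVIDER_ID;
    }

    /**
     * Validates the redirect URIs carried by the given policy context.
     *
     * @param clientPolicyContext context of the event being evaluated
     * @throws ClientPolicyException with {@code invalid_request} when the context type does not
     *     match its event, or with {@code ErrorCodes.INVALID_CLIENT_METADATA} when a redirect URI
     *     is missing, insecure or contains a wildcard
     */
    public void executeOnEvent(ClientPolicyContext clientPolicyContext) throws ClientPolicyException {
        // Switch on the enum itself; the ordinal lookup table the decompiler emitted is what
        // javac generates for exactly this statement.
        switch (clientPolicyContext.getEvent()) {
            case REGISTER:
                if (!(clientPolicyContext instanceof AdminClientRegisterContext) && !(clientPolicyContext instanceof DynamicClientRegisterContext)) {
                    throw new ClientPolicyException("invalid_request", "not allowed input format.");
                }
                confirmSecureRedirectUris(((ClientCRUDContext) clientPolicyContext).getProposedClientRepresentation().getRedirectUris());
                return;
            case UPDATE:
                if (!(clientPolicyContext instanceof AdminClientUpdateContext) && !(clientPolicyContext instanceof DynamicClientUpdateContext)) {
                    throw new ClientPolicyException("invalid_request", "not allowed input format.");
                }
                confirmSecureRedirectUris(((ClientCRUDContext) clientPolicyContext).getProposedClientRepresentation().getRedirectUris());
                return;
            case AUTHORIZATION_REQUEST:
                // Guard the cast like the other branches do, so a mismatched context is refused
                // with a policy error instead of a ClassCastException.
                if (!(clientPolicyContext instanceof AuthorizationRequestContext)) {
                    throw new ClientPolicyException("invalid_request", "not allowed input format.");
                }
                confirmSecureRedirectUris(Arrays.asList(((AuthorizationRequestContext) clientPolicyContext).getRedirectUri()));
                return;
            default:
                return;
        }
    }

    /**
     * Rejects the list when it is empty or when any entry is missing, uses plain HTTP or
     * contains a wildcard.
     *
     * @param list redirect URIs to validate
     * @throws ClientPolicyException with {@code ErrorCodes.INVALID_CLIENT_METADATA} on the first
     *     violation
     */
    private void confirmSecureRedirectUris(List<String> list) throws ClientPolicyException {
        if (list == null || list.isEmpty()) {
            throw new ClientPolicyException(ErrorCodes.INVALID_CLIENT_METADATA, "Invalid client metadata: redirect_uris");
        }
        for (String redirectUri : list) {
            logger.tracev("Redirect URI = {0}", redirectUri);
            // A null entry (for example an authorization request without redirect_uri) is refused
            // as invalid metadata rather than failing with a NullPointerException.
            if (redirectUri == null) {
                throw new ClientPolicyException(ErrorCodes.INVALID_CLIENT_METADATA, "Invalid client metadata: redirect_uris");
            }
            // URI schemes are case-insensitive (RFC 3986), so "HTTP://" must be refused as well.
            boolean plainHttp = redirectUri.regionMatches(true, 0, INSECURE_SCHEME_PREFIX, 0, INSECURE_SCHEME_PREFIX.length());
            // NOTE(review): the constant is presumably the literal "*" that the decompiler mapped
            // onto Cors - confirm against the original source.
            boolean hasWildcard = redirectUri.contains(Cors.ACCESS_CONTROL_ALLOW_ORIGIN_WILDCARD);
            if (plainHttp || hasWildcard) {
                throw new ClientPolicyException(ErrorCodes.INVALID_CLIENT_METADATA, "Invalid client metadata: redirect_uris");
            }
        }
    }
}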
