package org.keycloak.services.clientpolicy.executor;

import com.fasterxml.jackson.annotation.JsonProperty;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.endpoints.request.AuthzEndpointRequestParser;
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.ClientCRUDContext;
import org.keycloak.services.clientpolicy.context.LogoutRequestContext;
import org.keycloak.services.clientpolicy.context.TokenRefreshContext;
import org.keycloak.services.clientpolicy.context.TokenRevokeContext;
import org.keycloak.services.clientpolicy.context.UserInfoRequestContext;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.util.MtlsHoKTokenUtil;

/* loaded from: input_file:org/keycloak/services/clientpolicy/executor/HolderOfKeyEnforcerExecutor.class */
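/**
 * Client-policy executor that enforces mutual-TLS certificate-bound
 * ("holder-of-key", cf. RFC 8705) tokens for the clients a policy selects.
 *
 * <p>What it does, per client-policy event:
 * <ul>
 *   <li>{@code REGISTER}/{@code UPDATE}: optionally switches the proposed client
 *       to "use mTLS HoK token" and then rejects any client that does not have it on.</li>
 *   <li>{@code TOKEN_REQUEST}: rejects the request when no client certificate can be
 *       bound to the token (see {@link #executeOnEvent}).</li>
 *   <li>{@code TOKEN_REFRESH}, {@code TOKEN_REVOKE}, {@code USERINFO_REQUEST},
 *       {@code LOGOUT_REQUEST}: rejects the request when the presented token
 *       decodes and its certificate binding does not match the certificate on the
 *       current request.</li>
 * </ul>
 *
 * <p>The executor never accepts a token that decoded but failed the binding check;
 * it does, however, stay silent when the token does not decode at all (see the
 * per-event helpers), leaving that rejection to the endpoint.
 */
public class HolderOfKeyEnforcerExecutor implements ClientPolicyExecutorProvider<Configuration> {
    private final KeycloakSession session;
    /** Set by {@link #setupConfiguration}; read only by {@link #autoConfigure}. */
    private Configuration configuration;

    /**
     * JSON configuration of this executor.
     *
     * <p>{@code auto-configure}: when {@code true}, clients being registered or
     * updated under this policy get "use mTLS HoK token" enabled automatically
     * instead of being rejected for lacking it. {@code null} (omitted in the
     * policy JSON) is treated as {@code false}.
     */
    public static class Configuration extends ClientPolicyExecutorConfigurationRepresentation {

        @JsonProperty("auto-configure")
        protected Boolean autoConfigure;

        /** @return the raw configured value; may be {@code null} when the key was omitted */
        public Boolean isAutoConfigure() {
            return this.autoConfigure;
        }

        public void setAutoConfigure(Boolean autoConfigure) {
            this.autoConfigure = autoConfigure;
        }
    }

    public HolderOfKeyEnforcerExecutor(KeycloakSession session) {
        this.session = session;
    }

    @Override
    public void setupConfiguration(Configuration configuration) {
        this.configuration = configuration;
    }

    @Override
    public Class<Configuration> getExecutorConfigurationClass() {
        return Configuration.class;
    }

    @Override
    public String getProviderId() {
        return HolderOfKeyEnforcerExecutorFactory.PROVIDER_ID;
    }

    /**
     * Dispatches on the client-policy event and applies the holder-of-key check
     * that belongs to it; events not listed are ignored.
     *
     * <p>The switch is on the enum itself rather than on {@code ordinal()} values,
     * so the dispatch cannot silently break when unrelated integer constants or
     * the enum's declaration order change.
     *
     * @param context the event context; cast to the event-specific subtype per case
     * @throws ClientPolicyException when the request must be rejected
     */
    @Override
    public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
        HttpRequest request = (HttpRequest) this.session.getContext().getContextObject(HttpRequest.class);
        switch (context.getEvent()) {
            case REGISTER:
            case UPDATE:
                ClientCRUDContext crudContext = (ClientCRUDContext) context;
                ClientRepresentation proposed = crudContext.getProposedClientRepresentation();
                // Auto-configure first so that a freshly enabled client passes validation.
                autoConfigure(proposed);
                validate(proposed);
                break;
            case TOKEN_REQUEST:
                // Only the availability of a client certificate to bind to is enforced here;
                // the returned confirmation value is not used by this executor. Binding the
                // issued token is presumably done by the token endpoint itself — confirm.
                if (MtlsHoKTokenUtil.bindTokenWithClientCertificate(request, this.session) == null) {
                    throw new ClientPolicyException("invalid_request", "Client Certification missing for MTLS HoK Token Binding");
                }
                break;
            case TOKEN_REFRESH:
                checkTokenRefresh((TokenRefreshContext) context, request);
                break;
            case TOKEN_REVOKE:
                checkTokenRevoke((TokenRevokeContext) context, request);
                break;
            case USERINFO_REQUEST:
                checkUserInfo((UserInfoRequestContext) context, request);
                break;
            case LOGOUT_REQUEST:
                checkLogout((LogoutRequestContext) context, request);
                break;
            default:
                // Other events carry no holder-of-key obligation.
                break;
        }
    }

    /**
     * Enables "use mTLS HoK token" on the proposed client when the executor is
     * configured with {@code auto-configure: true}.
     *
     * <p>{@code autoConfigure} is a boxed {@code Boolean} that is {@code null} when the
     * key is omitted from the policy JSON; comparing against {@code Boolean.TRUE}
     * avoids the NPE an unconditional unboxing would throw during client
     * registration, and treats an omitted key as "do not auto-configure".
     */
    private void autoConfigure(ClientRepresentation rep) {
        if (this.configuration != null && Boolean.TRUE.equals(this.configuration.isAutoConfigure())) {
            OIDCAdvancedConfigWrapper.fromClientRepresentation(rep).setUseMtlsHoKToken(true);
        }
    }

    /**
     * Rejects a client representation that does not have "use mTLS HoK token" enabled.
     *
     * @throws ClientPolicyException with {@link ErrorCodes#INVALID_CLIENT_METADATA}
     */
    private void validate(ClientRepresentation rep) throws ClientPolicyException {
        if (!OIDCAdvancedConfigWrapper.fromClientRepresentation(rep).isUseMtlsHokToken()) {
            throw new ClientPolicyException(ErrorCodes.INVALID_CLIENT_METADATA, "Invalid client metadata: MTLS token in disabled");
        }
    }

    /**
     * Logout: the {@code refresh_token} form parameter must be bound to the
     * certificate on this request.
     *
     * <p>If the parameter is absent or does not decode ({@code decode} returns
     * {@code null}) this executor does not raise; rejecting an unusable token is
     * left to the logout endpoint.
     *
     * @throws ClientPolicyException {@code not_allowed}/401 on a binding mismatch
     */
    private void checkLogout(LogoutRequestContext context, HttpRequest request) throws ClientPolicyException {
        String tokenString = (String) context.getParams().getFirst(AbstractOAuth2IdentityProvider.OAUTH2_GRANT_TYPE_REFRESH_TOKEN);
        RefreshToken refreshToken = this.session.tokens().decode(tokenString, RefreshToken.class);
        if (refreshToken != null && !MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(refreshToken, request, this.session)) {
            throw new ClientPolicyException("not_allowed", MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC, Response.Status.UNAUTHORIZED);
        }
    }

    /**
     * UserInfo: the bearer access token must be bound to the certificate on this request.
     *
     * <p>A token that does not decode is not rejected here (see {@link #checkLogout}).
     *
     * @throws ClientPolicyException {@code not_allowed}/401 on a binding mismatch
     */
    private void checkUserInfo(UserInfoRequestContext context, HttpRequest request) throws ClientPolicyException {
        AccessToken accessToken = this.session.tokens().decode(context.getTokenString(), AccessToken.class);
        if (accessToken != null && !MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(accessToken, request, this.session)) {
            throw new ClientPolicyException("not_allowed", MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC, Response.Status.UNAUTHORIZED);
        }
    }

    /**
     * Revocation: the {@code token} form parameter is decoded as a refresh token and
     * must be bound to the certificate on this request.
     *
     * <p>A token that does not decode is not rejected here (see {@link #checkLogout}).
     *
     * @throws ClientPolicyException {@code not_allowed}/401 on a binding mismatch
     */
    private void checkTokenRevoke(TokenRevokeContext context, HttpRequest request) throws ClientPolicyException {
        String tokenString = (String) context.getParams().getFirst(OIDCResponseType.TOKEN);
        RefreshToken refreshToken = this.session.tokens().decode(tokenString, RefreshToken.class);
        if (refreshToken != null && !MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(refreshToken, request, this.session)) {
            throw new ClientPolicyException("not_allowed", MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC, Response.Status.UNAUTHORIZED);
        }
    }

    /**
     * Refresh grant: the {@code refresh_token} form parameter must be bound to the
     * certificate on this request.
     *
     * <p>Unlike the other checks this one answers {@code invalid_grant}/400, which is
     * the token-endpoint error vocabulary of OAuth 2.0 for a rejected grant.
     * A token that does not decode is not rejected here (see {@link #checkLogout}).
     *
     * @throws ClientPolicyException {@code invalid_grant}/400 on a binding mismatch
     */
    private void checkTokenRefresh(TokenRefreshContext context, HttpRequest request) throws ClientPolicyException {
        String tokenString = (String) context.getParams().getFirst(AbstractOAuth2IdentityProvider.OAUTH2_GRANT_TYPE_REFRESH_TOKEN);
        RefreshToken refreshToken = this.session.tokens().decode(tokenString, RefreshToken.class);
        if (refreshToken != null && !MtlsHoKTokenUtil.verifyTokenBindingWithClientCertificate(refreshToken, request, this.session)) {
            throw new ClientPolicyException("invalid_grant", MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC, Response.Status.BAD_REQUEST);
        }
    }
}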
