package org.keycloak.services.clientpolicy.executor;

import com.fasterxml.jackson.annotation.JsonProperty;
import java.util.Optional;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.common.util.ObjectUtil;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.KeycloakSession;
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.managers.AuthenticationSessionManager;

/* loaded from: input_file:org/keycloak/services/clientpolicy/executor/SecureSigningAlgorithmForSignedJwtExecutor.class */
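/**
 * Client-policy executor that restricts which JWS signature algorithm a client may declare in the
 * {@code client_assertion} form parameter.
 *
 * <p>On token, service-account token, refresh, revoke, introspect and logout events the executor
 * reads {@code client_assertion} from the decoded form parameters, parses it as a JWS and checks
 * the algorithm named in its header against {@code FapiConstant.ALLOWED_ALGORITHMS}. Any other
 * event is ignored.
 *
 * <p>Security note: only the {@code alg} value declared in the request-supplied JWS header is
 * inspected here. Nothing in this class verifies the signature, so passing this check says
 * nothing about the authenticity of the assertion; that has to be established by the component
 * that authenticates the client.
 */
public class SecureSigningAlgorithmForSignedJwtExecutor implements ClientPolicyExecutorProvider<Configuration> {
    private static final Logger logger = Logger.getLogger(SecureSigningAlgorithmForSignedJwtExecutor.class);
    private final KeycloakSession session;
    private Configuration configuration;

    /**
     * Executor configuration. The single option is bound to the JSON property named by
     * {@code SecureSigningAlgorithmForSignedJwtExecutorFactory.REQUIRE_CLIENT_ASSERTION}.
     */
    public static class Configuration extends ClientPolicyExecutorConfigurationRepresentation {

        // Tri-state on purpose: null (option absent) is treated as "not required" by the executor.
        @JsonProperty(SecureSigningAlgorithmForSignedJwtExecutorFactory.REQUIRE_CLIENT_ASSERTION)
        protected Boolean requireClientAssertion;

        /**
         * @return the configured flag, or {@code null} when the option was not set
         */
        public Boolean isRequireClientAssertion() {
            return this.requireClientAssertion;
        }

        /**
         * @param bool whether a request without {@code client_assertion} must be rejected
         */
        public void setRequireClientAssertion(Boolean bool) {
            this.requireClientAssertion = bool;
        }
    }

    /**
     * @param keycloakSession session used to reach the current HTTP request
     */
    public SecureSigningAlgorithmForSignedJwtExecutor(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * Stores the configuration consulted by {@link #executeOnEvent(ClientPolicyContext)}.
     *
     * @param configuration executor configuration
     */
    public void setupConfiguration(Configuration configuration) {
        this.configuration = configuration;
    }

    /**
     * @return the configuration class of this executor
     */
    public Class<Configuration> getExecutorConfigurationClass() {
        return Configuration.class;
    }

    /**
     * @return the provider id declared by the factory
     */
    public String getProviderId() {
        return SecureSigningAlgorithmForSignedJwtExecutorFactory.PROVIDER_ID;
    }

    /**
     * Applies the signing-algorithm check on the events that can carry a client assertion.
     *
     * @param clientPolicyContext context carrying the event being processed
     * @throws ClientPolicyException with error {@code invalid_request} when the assertion is
     *         required but missing, cannot be parsed, declares no algorithm, or declares an
     *         algorithm that is not in {@code FapiConstant.ALLOWED_ALGORITHMS}
     */
    public void executeOnEvent(ClientPolicyContext clientPolicyContext) throws ClientPolicyException {
        // Switching on the enum directly replaces the decompiler's synthetic ordinal lookup table,
        // whose third label had been mis-resolved to an unrelated constant that happens to equal 3.
        switch (clientPolicyContext.getEvent()) {
            case TOKEN_REQUEST:
            case SERVICE_ACCOUNT_TOKEN_REQUEST:
            case TOKEN_REFRESH:
            case TOKEN_REVOKE:
            case TOKEN_INTROSPECT:
            case LOGOUT_REQUEST:
                checkClientAssertion();
                return;
            default:
                return;
        }
    }

    /** Reads {@code client_assertion} from the current request and validates its declared algorithm. */
    private void checkClientAssertion() throws ClientPolicyException {
        boolean assertionRequired = Boolean.TRUE.equals(this.configuration.isRequireClientAssertion());
        HttpRequest request = (HttpRequest) this.session.getContext().getContextObject(HttpRequest.class);
        String clientAssertion = (String) request.getDecodedFormParameters().getFirst("client_assertion");

        if (ObjectUtil.isBlank(clientAssertion)) {
            if (assertionRequired) {
                // Reject explicitly instead of relying on the JWS parser to fail on null/blank input.
                throw new ClientPolicyException("invalid_request", "not allowed input format.");
            }
            // No assertion and none required: nothing for this executor to check.
            return;
        }

        JWSInput jws;
        try {
            jws = new JWSInput(clientAssertion);
        } catch (JWSInputException e) {
            // Log the parser's reason only; the assertion itself is request data and is not logged.
            logger.tracev("client_assertion could not be parsed: {0}", e.getMessage());
            throw new ClientPolicyException("invalid_request", "not allowed input format.");
        }

        // A parsed header may still lack an algorithm (presumably when the header omits "alg";
        // verify against JWSHeader). Fail closed rather than dereferencing null on request data.
        if (jws.getHeader() == null || jws.getHeader().getAlgorithm() == null) {
            logger.trace("NOT allowed: client_assertion header declares no signature algorithm");
            throw new ClientPolicyException("invalid_request", "not allowed signature algorithm.");
        }
        verifySecureSigningAlgorithm(jws.getHeader().getAlgorithm().name());
    }

    /**
     * Accepts only algorithm names contained in {@code FapiConstant.ALLOWED_ALGORITHMS}.
     *
     * @param str algorithm name taken from the JWS header
     * @throws ClientPolicyException with error {@code invalid_request} when the name is not allowed
     */
    private void verifySecureSigningAlgorithm(String str) throws ClientPolicyException {
        if (!FapiConstant.ALLOWED_ALGORITHMS.contains(str)) {
            logger.tracev("NOT allowed signatureAlgorithm = {0}", str);
            throw new ClientPolicyException("invalid_request", "not allowed signature algorithm.");
        }
        logger.tracev("Passed. signatureAlgorithm = {0}", str);
    }
}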
