package org.keycloak.services.clientpolicy.executor;

import jakarta.ws.rs.core.MultivaluedMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.SingleUseObjectProvider;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint;
import org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequest;
import org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequestParserProcessor;
import org.keycloak.protocol.oidc.endpoints.request.AuthzEndpointRequestObjectParser;
import org.keycloak.protocol.oidc.endpoints.request.AuthzEndpointRequestParser;
import org.keycloak.protocol.oidc.endpoints.request.RequestUriType;
import org.keycloak.protocol.oidc.par.endpoints.ParEndpoint;
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.PreAuthorizationRequestContext;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;

/* loaded from: input_file:org/keycloak/services/clientpolicy/executor/SecureParContentsExecutor.class */
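/**
 * Client-policy executor enforcing the "secure PAR contents" rule at the authorization endpoint.
 *
 * <p>On {@link ClientPolicyEvent#PRE_AUTHORIZATION_REQUEST} it requires that the authorization
 * request references a pushed authorization request (PAR) through {@code request_uri}, that the
 * referenced PAR still exists in the single-use store, and that every other parameter of the
 * authorization request was already part of the pushed request (including parameters carried
 * inside a pushed {@code request} object). A request that introduces a parameter the PAR did not
 * contain is rejected with {@code invalid_request} and the pushed request is discarded.
 *
 * <p>This class is a cleaned-up form of decompiled output: the synthetic enum switch map, the
 * discarded {@code new HashSet()} expression and the redundant null re-check were removed without
 * changing behaviour.
 */
public class SecureParContentsExecutor implements ClientPolicyExecutorProvider<ClientPolicyExecutorConfigurationRepresentation> {

    private static final Logger logger = Logger.getLogger(SecureParContentsExecutor.class);

    /** OAuth error code reported for every rejection raised by this executor. */
    private static final String INVALID_REQUEST = "invalid_request";

    protected final KeycloakSession session;

    /**
     * @param keycloakSession the session used to reach the single-use store and the current realm
     */
    public SecureParContentsExecutor(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    @Override
    public String getProviderId() {
        return SecureParContentsExecutorFactory.PROVIDER_ID;
    }

    /**
     * Dispatches on the policy event; only {@code PRE_AUTHORIZATION_REQUEST} is handled, every other
     * event is ignored.
     *
     * @throws ClientPolicyException when the authorization request violates the PAR contents rule
     */
    @Override
    public void executeOnEvent(ClientPolicyContext clientPolicyContext) throws ClientPolicyException {
        if (clientPolicyContext.getEvent() == ClientPolicyEvent.PRE_AUTHORIZATION_REQUEST) {
            checkValidParContents((PreAuthorizationRequestContext) clientPolicyContext);
        }
    }

    /**
     * Verifies that the incoming authorization request is fully covered by a pushed request.
     *
     * <p>Checks, in order: {@code request_uri} is present; it is of the PAR type; the pushed request
     * is still in the single-use store; and no request parameter other than {@code request_uri}
     * is missing from the set of parameters the PAR supplied. Only the last failure removes the
     * pushed request from the store.
     *
     * @throws ClientPolicyException with {@code invalid_request} on any of the failures above
     */
    private void checkValidParContents(PreAuthorizationRequestContext preAuthorizationRequestContext)
            throws ClientPolicyException {
        MultivaluedMap<String, String> requestParameters = preAuthorizationRequestContext.getRequestParameters();

        String requestUri = requestParameters.getFirst(OIDCLoginProtocol.REQUEST_URI_PARAM);
        if (requestUri == null) {
            throw new ClientPolicyException(INVALID_REQUEST, "request_uri not included.");
        }
        if (AuthorizationEndpointRequestParserProcessor.getRequestUriType(requestUri) != RequestUriType.PAR) {
            throw new ClientPolicyException(INVALID_REQUEST, "PAR request_uri not included.");
        }

        // The single-use store is keyed by the request_uri with the PAR prefix stripped; a PAR-typed
        // request_uri is assumed to carry that prefix, so the substring cannot underflow.
        String parKey = requestUri.substring(ParEndpoint.REQUEST_URI_PREFIX_LENGTH);
        SingleUseObjectProvider singleUseObjects = session.singleUseObjects();
        // NOTE(review): get() does not consume the entry here; consumption on the success path is
        // presumably done by the authorization endpoint itself - confirm against the caller.
        Map<String, String> pushedParameters = singleUseObjects.get(parKey);
        if (pushedParameters == null) {
            throw new ClientPolicyException(INVALID_REQUEST, "PAR not found. not issued or used multiple times.");
        }

        // When the PAR carried a request object, its claims count as pushed parameters too.
        Set<String> pushedParameterNames = pushedParameters.containsKey(OIDCLoginProtocol.REQUEST_PARAM)
                ? getParRetrievedRequestParameters(pushedParameters, preAuthorizationRequestContext.getClientId())
                : pushedParameters.keySet();

        for (String parameterName : requestParameters.keySet()) {
            if (OIDCLoginProtocol.REQUEST_URI_PARAM.equals(parameterName)) {
                continue;
            }
            if (!pushedParameterNames.contains(parameterName)) {
                // Discard the pushed request so the same request_uri cannot be retried with
                // parameters that were never pushed.
                singleUseObjects.remove(parKey);
                throw new ClientPolicyException(INVALID_REQUEST, "PAR request did not include necessary parameters");
            }
        }
    }

    /**
     * Collects the parameter names supplied by a pushed request that contains a {@code request} object.
     *
     * <p>The result is the union of the plain pushed parameters (everything except {@code request}
     * itself) and the parameters found inside the request object after it has been parsed for the
     * given client: the names reported with a non-null value by
     * {@link AuthorizationEndpoint#performActionOnParameters}, the explicitly checked
     * {@code client_id}, {@code response_type}, {@code redirect_uri}, {@code max_age} and
     * {@code ui_locales}, and every additional request parameter that is not a known one.
     *
     * @param pushedParameters the stored PAR contents, containing a {@code request} entry
     * @param clientId         the client id of the authorization request, used to resolve the client
     *                         the request object is parsed for
     * @return the mutable set of parameter names the pushed request supplied
     */
    private Set<String> getParRetrievedRequestParameters(Map<String, String> pushedParameters, String clientId) {
        Set<String> parameterNames = new HashSet<>();

        for (String pushedName : pushedParameters.keySet()) {
            if (!OIDCLoginProtocol.REQUEST_PARAM.equals(pushedName)) {
                parameterNames.add(pushedName);
            }
        }

        AuthorizationEndpointRequest parsedRequest = new AuthorizationEndpointRequest();
        new AuthzEndpointRequestObjectParser(
                session,
                pushedParameters.get(OIDCLoginProtocol.REQUEST_PARAM),
                session.getContext().getRealm().getClientByClientId(clientId))
                .parseRequest(parsedRequest);

        AuthorizationEndpoint.performActionOnParameters(parsedRequest, (paramName, paramValue) -> {
            if (paramValue != null) {
                parameterNames.add(paramName);
            }
        });

        // Parameters that performActionOnParameters does not appear to report are checked one by one.
        if (parsedRequest.getClientId() != null) {
            parameterNames.add(OIDCLoginProtocol.CLIENT_ID_PARAM);
        }
        if (parsedRequest.getResponseType() != null) {
            parameterNames.add(OIDCLoginProtocol.RESPONSE_TYPE_PARAM);
        }
        if (parsedRequest.getRedirectUriParam() != null) {
            parameterNames.add(OIDCLoginProtocol.REDIRECT_URI_PARAM);
        }
        if (parsedRequest.getMaxAge() != null) {
            parameterNames.add(OIDCLoginProtocol.MAX_AGE_PARAM);
        }
        if (parsedRequest.getUiLocales() != null) {
            parameterNames.add(OIDCLoginProtocol.UI_LOCALES_PARAM);
        }

        for (String additionalName : parsedRequest.getAdditionalReqParams().keySet()) {
            if (!AuthzEndpointRequestParser.KNOWN_REQ_PARAMS.contains(additionalName)) {
                parameterNames.add(additionalName);
            }
        }

        return parameterNames;
    }
}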
