package org.keycloak.authentication.authenticators.client;

import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import java.util.Optional;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.ClientAuthenticationFlowContext;
import org.keycloak.common.util.Time;
import org.keycloak.http.HttpRequest;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.ClientModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.SingleUseObjectProvider;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.representations.JsonWebToken;

/* loaded from: input_file:org/keycloak/authentication/authenticators/client/JWTClientValidator.class */
public class JWTClientValidator {
    private static final Logger logger = Logger.getLogger(JWTClientValidator.class);
    private final ClientAuthenticationFlowContext context;
    private final RealmModel realm;
    private final int currentTime = Time.currentTime();
    private MultivaluedMap<String, String> params;
    private String clientAssertion;
    private JWSInput jws;
    private JsonWebToken token;
    private ClientModel client;

    public JWTClientValidator(ClientAuthenticationFlowContext clientAuthenticationFlowContext) {
        this.context = clientAuthenticationFlowContext;
        this.realm = clientAuthenticationFlowContext.getRealm();
    }

    public boolean clientAssertionParametersValidation() {
        if (!isFormDataRequest(this.context.getHttpRequest())) {
            this.context.challenge(ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Parameter client_assertion_type is missing"));
            return false;
        }
        this.params = this.context.getHttpRequest().getDecodedFormParameters();
        String str = (String) this.params.getFirst("client_assertion_type");
        this.clientAssertion = (String) this.params.getFirst("client_assertion");
        if (str == null) {
            this.context.challenge(ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Parameter client_assertion_type is missing"));
            return false;
        }
        if (!str.equals("urn:ietf:params:oauth:client-assertion-type:jwt-bearer")) {
            this.context.challenge(ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Parameter client_assertion_type has value '" + str + "' but expected is 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'"));
            return false;
        }
        if (this.clientAssertion != null) {
            return true;
        }
        this.context.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS, ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "client_assertion parameter missing"));
        return false;
    }

    public void readJws() throws JWSInputException {
        if (this.clientAssertion == null) {
            throw new IllegalStateException("Incorrect usage. Variable 'clientAssertion' is null. Need to validate clientAssertion first before read JWS");
        }
        this.jws = new JWSInput(this.clientAssertion);
        this.token = (JsonWebToken) this.jws.readJsonContent(JsonWebToken.class);
    }

    public boolean validateClient() {
        if (this.token == null) {
            throw new IllegalStateException("Incorrect usage. Variable 'token' is null. Need to read JWS first before validateClient");
        }
        String subject = this.token.getSubject();
        if (subject == null) {
            throw new RuntimeException("Can't identify client. Subject missing on JWT token");
        }
        if (!subject.equals(this.token.getIssuer())) {
            throw new RuntimeException("Issuer mismatch. The issuer should match the subject");
        }
        String str = (String) this.params.getFirst("client_id");
        if (str != null && !str.equals(subject)) {
            throw new RuntimeException("client_id parameter not matching with client from JWT token");
        }
        this.context.getEvent().client(subject);
        this.client = this.realm.getClientByClientId(subject);
        if (this.client == null) {
            this.context.failure(AuthenticationFlowError.CLIENT_NOT_FOUND, (Response) null);
            return false;
        }
        this.context.setClient(this.client);
        if (this.client.isEnabled()) {
            return true;
        }
        this.context.failure(AuthenticationFlowError.CLIENT_DISABLED, (Response) null);
        return false;
    }

    public boolean validateSignatureAlgorithm() {
        if (this.jws == null) {
            throw new IllegalStateException("Incorrect usage. Variable 'jws' is null. Need to read token first before validate signature algorithm");
        }
        if (this.client == null) {
            throw new IllegalStateException("Incorrect usage. Variable 'client' is null. Need to validate client first before validate signature algorithm");
        }
        String tokenEndpointAuthSigningAlg = OIDCAdvancedConfigWrapper.fromClientModel(this.client).getTokenEndpointAuthSigningAlg();
        if (this.jws.getHeader().getAlgorithm() == null || this.jws.getHeader().getAlgorithm().name() == null) {
            this.context.challenge(ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "invalid signature algorithm"));
            return false;
        }
        String name = this.jws.getHeader().getAlgorithm().name();
        if (tokenEndpointAuthSigningAlg == null || tokenEndpointAuthSigningAlg.equals(name)) {
            return true;
        }
        this.context.challenge(ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "invalid signature algorithm"));
        return false;
    }

    public void validateToken() {
        if (this.token == null) {
            throw new IllegalStateException("Incorrect usage. Variable 'token' is null. Need to read token first before validateToken");
        }
        if (!this.token.isActive()) {
            throw new RuntimeException("Token is not active");
        }
        if ((this.token.getExp() == null || this.token.getExp().longValue() <= 0) && this.token.getIat().longValue() + 10 < this.currentTime) {
            throw new RuntimeException("Token is not active");
        }
        if (this.token.getId() == null) {
            throw new RuntimeException("Missing ID on the token");
        }
    }

    public void validateTokenReuse() {
        if (this.token == null) {
            throw new IllegalStateException("Incorrect usage. Variable 'token' is null. Need to read token first before validateToken reuse");
        }
        if (this.client == null) {
            throw new IllegalStateException("Incorrect usage. Variable 'client' is null. Need to validate client first before validateToken reuse");
        }
        SingleUseObjectProvider singleUseObjects = this.context.getSession().singleUseObjects();
        long max = Math.max(((Long) Optional.ofNullable(this.token.getExp()).orElse(0L)).longValue() - this.currentTime, 10L);
        if (singleUseObjects.putIfAbsent(this.token.getId(), max)) {
            logger.tracef("Added token '%s' to single-use cache. Lifespan: %d seconds, client: %s", this.token.getId(), Long.valueOf(max), this.client.getClientId());
        } else {
            logger.warnf("Token '%s' already used when authenticating client '%s'.", this.token.getId(), this.client.getClientId());
            throw new RuntimeException("Token reuse detected");
        }
    }

    public ClientAuthenticationFlowContext getContext() {
        return this.context;
    }

    public RealmModel getRealm() {
        return this.realm;
    }

    public MultivaluedMap<String, String> getParams() {
        return this.params;
    }

    public String getClientAssertion() {
        return this.clientAssertion;
    }

    public JWSInput getJws() {
        return this.jws;
    }

    public JsonWebToken getToken() {
        return this.token;
    }

    public ClientModel getClient() {
        return this.client;
    }

    private boolean isFormDataRequest(HttpRequest httpRequest) {
        MediaType mediaType = httpRequest.getHttpHeaders().getMediaType();
        return mediaType != null && mediaType.isCompatible(MediaType.APPLICATION_FORM_URLENCODED_TYPE);
    }
}
