package org.keycloak.services.clientpolicy.executor;

import com.fasterxml.jackson.annotation.JsonProperty;
import java.io.IOException;
import java.io.Serializable;
import java.util.Optional;
import org.jboss.logging.Logger;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.endpoints.request.AuthorizationEndpointRequest;
import org.keycloak.representations.ClaimsRepresentation;
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.AuthorizationRequestContext;
import org.keycloak.userprofile.DeclarativeUserProfileProvider;
import org.keycloak.util.JsonSerialization;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/services/clientpolicy/executor/IntentClientBindCheckExecutor.class */
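/**
 * Client policy executor that, on an authorization request, checks whether the intent named in
 * the request is bound to the requesting client.
 *
 * <p>The intent id is read from the {@code claims} request parameter (ID token context, under the
 * configured intent name) and sent together with the client id to the configured bind-check
 * endpoint. The request is rejected with a {@link ClientPolicyException} unless that endpoint
 * explicitly answers {@code is_bound = true}.
 */
public class IntentClientBindCheckExecutor implements ClientPolicyExecutorProvider<Configuration> {
    private static final Logger logger = Logger.getLogger(IntentClientBindCheckExecutor.class);
    private final KeycloakSession session;
    private Configuration configuration;

    /** Executor settings: the bind-check endpoint URL and the name of the intent claim. */
    public static class Configuration extends ClientPolicyExecutorConfigurationRepresentation {

        @JsonProperty(IntentClientBindCheckExecutorFactory.INTENT_CLIENT_BIND_CHECK_ENDPOINT)
        protected String intentClientBindCheckEndpoint;

        @JsonProperty("intent-name")
        protected String intentName;

        public String getIntentClientBindCheckEndpoint() {
            return this.intentClientBindCheckEndpoint;
        }

        public void setIntentClientBindCheckEndpoint(String str) {
            this.intentClientBindCheckEndpoint = str;
        }

        public String getIntentName() {
            return this.intentName;
        }

        public void setIntentName(String str) {
            this.intentName = str;
        }
    }

    /** JSON body posted to the bind-check endpoint ({@code intent_id}, {@code client_id}). */
    public static class IntentBindCheckRequest implements Serializable {

        @JsonProperty("intent_id")
        private String intentId;

        @JsonProperty("client_id")
        private String clientId;

        public String getIntentId() {
            return this.intentId;
        }

        public void setIntentId(String str) {
            this.intentId = str;
        }

        public String getClientId() {
            return this.clientId;
        }

        public void setClientId(String str) {
            this.clientId = str;
        }
    }

    /**
     * JSON body expected back from the bind-check endpoint. {@code is_bound} is a boxed
     * {@link Boolean}, so it is {@code null} when the field is missing from the response.
     */
    public static class IntentBindCheckResponse implements Serializable {

        @JsonProperty("is_bound")
        private Boolean isBound;

        public Boolean getIsBound() {
            return this.isBound;
        }

        public void setIsBound(Boolean bool) {
            this.isBound = bool;
        }
    }

    public IntentClientBindCheckExecutor(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    public String getProviderId() {
        return IntentClientBindCheckExecutorFactory.PROVIDER_ID;
    }

    /**
     * Stores the executor configuration, falling back to an empty {@link Configuration} when
     * {@code null} is passed. An empty configuration has no endpoint, so every bind check made
     * with it fails with {@code server_error}.
     */
    public void setupConfiguration(Configuration configuration) {
        this.configuration = configuration != null ? configuration : createDefaultConfiguration();
    }

    public Class<Configuration> getExecutorConfigurationClass() {
        return Configuration.class;
    }

    /**
     * Runs the bind check for {@link ClientPolicyEvent#AUTHORIZATION_REQUEST}; every other event
     * is ignored.
     *
     * @throws ClientPolicyException if the intent is missing, malformed or not bound to the client
     */
    public void executeOnEvent(ClientPolicyContext clientPolicyContext) throws ClientPolicyException {
        // Compare the enum directly: the decompiled form went through a synthetic ordinal lookup
        // table and an unrelated int constant, which hid which event is actually handled.
        if (clientPolicyContext.getEvent() == ClientPolicyEvent.AUTHORIZATION_REQUEST) {
            checkIntentClientBind((AuthorizationRequestContext) clientPolicyContext);
        }
    }

    private Configuration createDefaultConfiguration() {
        return new Configuration();
    }

    /**
     * Asks the configured endpoint whether the request's intent is bound to the current client.
     *
     * <p>Fails closed: a transport or parse error, an empty response, a response without
     * {@code is_bound}, and {@code is_bound = false} all reject the request.
     *
     * @throws ClientPolicyException {@code server_error} for an unusable endpoint setting,
     *     {@code invalid_request} for every other rejection
     */
    private void checkIntentClientBind(AuthorizationRequestContext authorizationRequestContext) throws ClientPolicyException {
        if (!isValidIntentClientBindCheckEndpoint()) {
            throw new ClientPolicyException("server_error", "invalid Intent Client Bind Check Endpoint setting");
        }
        String clientId = this.session.getContext().getClient().getClientId();
        String intentId = retrieveIntentId(authorizationRequestContext.getAuthorizationEndpointRequest());
        String intentName = this.configuration.getIntentName();

        IntentBindCheckRequest bindCheckRequest = new IntentBindCheckRequest();
        bindCheckRequest.setClientId(clientId);
        bindCheckRequest.setIntentId(intentId);

        IntentBindCheckResponse bindCheckResponse;
        try {
            bindCheckResponse = (IntentBindCheckResponse) SimpleHttp.doPost(this.configuration.getIntentClientBindCheckEndpoint(), this.session)
                    .header("Content-Type", MediaType.APPLICATION_JSON)
                    .json(bindCheckRequest)
                    .asJson(IntentBindCheckResponse.class);
        } catch (IOException e) {
            logger.warnv("HTTP connection failure: {0}", e);
            throw new ClientPolicyException("invalid_request", "checking intent bound with client failed");
        }

        // A missing body or missing is_bound field must be a policy denial, not an unboxing
        // NullPointerException that escapes the ClientPolicyException handling.
        if (bindCheckResponse == null || bindCheckResponse.getIsBound() == null) {
            logger.warnv("Intent bind check endpoint returned no is_bound value: intentName = {0}", intentName);
            throw new ClientPolicyException("invalid_request", "checking intent bound with client failed");
        }

        // intentId is taken from the request's claims parameter, i.e. it is caller-controlled text.
        if (bindCheckResponse.getIsBound().booleanValue()) {
            logger.tracev("Bound: intentName = {0}, intentId = {1}, clientId = {2}", intentName, intentId, clientId);
            return;
        }
        logger.tracev("Not Bound: intentName = {0}, intentId = {1}, clientId = {2}", intentName, intentId, clientId);
        throw new ClientPolicyException("invalid_request", "The intent is not bound with the client");
    }

    /**
     * Extracts the intent id from the {@code claims} parameter of the authorization request.
     *
     * <p>The claim named by the configured intent name must be present for the ID token, must not
     * be a null claim, must be marked essential and must carry a non-null string value.
     *
     * @return the intent id, never {@code null}
     * @throws ClientPolicyException {@code invalid_request} if any of those conditions fails or
     *     the {@code claims} parameter cannot be parsed
     */
    private String retrieveIntentId(AuthorizationEndpointRequest authorizationEndpointRequest) throws ClientPolicyException {
        String claims = authorizationEndpointRequest.getClaims();
        if (claims == null || claims.isEmpty()) {
            throw new ClientPolicyException("invalid_request", "no claim for an intent value in an authorization request");
        }
        String intentName = this.configuration.getIntentName();
        if (intentName == null || intentName.isEmpty()) {
            throw new ClientPolicyException("invalid_request", "invalid intent name setting");
        }
        try {
            ClaimsRepresentation claimsRepresentation = (ClaimsRepresentation) JsonSerialization.readValue(claims, ClaimsRepresentation.class);
            if (!claimsRepresentation.isPresent(intentName, ClaimsRepresentation.ClaimContext.ID_TOKEN) || claimsRepresentation.isPresentAsNullClaim(intentName, ClaimsRepresentation.ClaimContext.ID_TOKEN)) {
                throw new ClientPolicyException("invalid_request", "no claim for an intent value for ID token");
            }
            ClaimsRepresentation.ClaimValue claimValue = claimsRepresentation.getClaimValue(intentName, ClaimsRepresentation.ClaimContext.ID_TOKEN, String.class);
            if (!claimValue.isEssential()) {
                throw new ClientPolicyException("invalid_request", "not specifying a claim for an intent as essential claim");
            }
            String intentId = (String) claimValue.getValue();
            if (intentId == null) {
                throw new ClientPolicyException("invalid_request", "invalid intent value");
            }
            return intentId;
        } catch (IOException e) {
            throw new ClientPolicyException("invalid_request", "invalid claim for an intent value");
        }
    }

    /**
     * Returns whether an endpoint is configured and starts with {@code http://} or
     * {@code https://}. Only the scheme prefix is checked; the rest of the URL is not validated.
     */
    private boolean isValidIntentClientBindCheckEndpoint() {
        String endpoint = this.configuration.getIntentClientBindCheckEndpoint();
        if (endpoint == null) {
            return false;
        }
        // NOTE(review): http:// is accepted, so the bind decision and the intent/client ids can
        // travel in cleartext and the answer can be altered in transit. Prefer https:// for any
        // endpoint that is not on a trusted local link; consider rejecting http:// here.
        return endpoint.startsWith("http://") || endpoint.startsWith("https://");
    }
}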
