package org.keycloak.services.clientregistration.policy.impl;

import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.UnknownHostException;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import org.jboss.logging.Logger;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.utils.PairwiseSubMapperUtils;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.clientregistration.ClientRegistrationContext;
import org.keycloak.services.clientregistration.ClientRegistrationProvider;
import org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy;
import org.keycloak.services.clientregistration.policy.ClientRegistrationPolicyException;

/* loaded from: input_file:org/keycloak/services/clientregistration/policy/impl/TrustedHostClientRegistrationPolicy.class */
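/**
 * Client registration policy that restricts dynamic client registration to
 * requests coming from trusted hosts and/or to clients whose URLs point at
 * trusted hosts.
 *
 * <p>The trust list is read from the {@code trusted-hosts} entry of the component
 * configuration. Entries starting with {@code "*."} are treated as trusted
 * domains (suffix match on a DNS label boundary); every other entry is treated as
 * a single trusted host.
 */
public class TrustedHostClientRegistrationPolicy implements ClientRegistrationPolicy {
    private static final Logger logger = Logger.getLogger(TrustedHostClientRegistrationPolicy.class);

    /** Configuration key holding both exact hosts and {@code "*."}-prefixed domains. */
    private static final String TRUSTED_HOSTS_KEY = "trusted-hosts";

    /** Prefix that marks a configuration entry as a trusted domain rather than a single host. */
    private static final String DOMAIN_PREFIX = "*.";

    private final KeycloakSession session;
    private final ComponentModel componentModel;

    /**
     * @param keycloakSession session used to obtain the remote address of the current request
     * @param componentModel component holding this policy's configuration
     */
    public TrustedHostClientRegistrationPolicy(KeycloakSession keycloakSession, ComponentModel componentModel) {
        this.session = keycloakSession;
        this.componentModel = componentModel;
    }

    /**
     * Checks the requesting host and the URLs of the client being registered.
     *
     * @throws ClientRegistrationPolicyException if the host or any client URL is not trusted
     */
    @Override
    public void beforeRegister(ClientRegistrationContext clientRegistrationContext) throws ClientRegistrationPolicyException {
        verifyHost();
        verifyClientUrls(clientRegistrationContext);
    }

    /** No-op: nothing is verified after a registration has completed. */
    @Override
    public void afterRegister(ClientRegistrationContext clientRegistrationContext, ClientModel clientModel) {
    }

    /**
     * Checks the requesting host and the URLs of the updated client representation.
     *
     * @throws ClientRegistrationPolicyException if the host or any client URL is not trusted
     */
    @Override
    public void beforeUpdate(ClientRegistrationContext clientRegistrationContext, ClientModel clientModel) throws ClientRegistrationPolicyException {
        verifyHost();
        verifyClientUrls(clientRegistrationContext);
    }

    /** No-op: nothing is verified after an update has completed. */
    @Override
    public void afterUpdate(ClientRegistrationContext clientRegistrationContext, ClientModel clientModel) {
    }

    /**
     * Checks the requesting host before a client is viewed.
     *
     * @throws ClientRegistrationPolicyException if the host is not trusted
     */
    @Override
    public void beforeView(ClientRegistrationProvider clientRegistrationProvider, ClientModel clientModel) throws ClientRegistrationPolicyException {
        verifyHost();
    }

    /**
     * Checks the requesting host before a client is deleted.
     *
     * @throws ClientRegistrationPolicyException if the host is not trusted
     */
    @Override
    public void beforeDelete(ClientRegistrationProvider clientRegistrationProvider, ClientModel clientModel) throws ClientRegistrationPolicyException {
        verifyHost();
    }

    /**
     * Verifies that the remote address of the current request belongs to a trusted
     * host or a trusted domain. Does nothing when host matching is disabled.
     *
     * @throws ClientRegistrationPolicyException if the remote address matches neither list
     */
    protected void verifyHost() throws ClientRegistrationPolicyException {
        if (!isHostMustMatch()) {
            return;
        }
        // NOTE(review): the decision rests entirely on the connection's reported remote
        // address; presumably this is only meaningful when any reverse proxy in front of
        // the server is configured so that this value cannot be set by the client - confirm.
        String remoteAddr = this.session.getContext().getConnection().getRemoteAddr();
        logger.debugf("Verifying remote host : %s", remoteAddr);
        List<String> trustedHosts = getTrustedHosts();
        List<String> trustedDomains = getTrustedDomains();
        boolean trusted = verifyHostInTrustedHosts(remoteAddr, trustedHosts) != null
                || verifyHostInTrustedDomains(remoteAddr, trustedDomains) != null;
        if (!trusted) {
            ServicesLogger.LOGGER.failedToVerifyRemoteHost(remoteAddr);
            throw new ClientRegistrationPolicyException("Host not trusted.");
        }
    }

    /**
     * @return configured entries that name a single host (those not starting with {@code "*."})
     */
    protected List<String> getTrustedHosts() {
        return this.componentModel.getConfig().getList(TRUSTED_HOSTS_KEY).stream()
                .filter(entry -> !entry.startsWith(DOMAIN_PREFIX))
                .collect(Collectors.toList());
    }

    /**
     * @return configured domain entries with the leading {@code "*."} stripped
     */
    protected List<String> getTrustedDomains() {
        List<String> domains = new LinkedList<>();
        for (String entry : this.componentModel.getConfig().getList(TRUSTED_HOSTS_KEY)) {
            if (entry.startsWith(DOMAIN_PREFIX)) {
                domains.add(entry.substring(DOMAIN_PREFIX.length()));
            }
        }
        return domains;
    }

    /**
     * Resolves each trusted host name and compares its address with the given one.
     *
     * @param hostAddress textual address of the requesting host
     * @param trustedHosts configured trusted host names
     * @return the first trusted host whose resolved address equals {@code hostAddress},
     *         or {@code null} if none matches
     */
    protected String verifyHostInTrustedHosts(String hostAddress, List<String> trustedHosts) {
        for (String trustedHost : trustedHosts) {
            try {
                String resolvedAddress = InetAddress.getByName(trustedHost).getHostAddress();
                logger.tracef("Trying host '%s' of address '%s'", trustedHost, resolvedAddress);
                // The comparison lives inside the try block so that an entry that failed
                // to resolve is skipped instead of being compared with a missing address.
                if (resolvedAddress.equals(hostAddress)) {
                    logger.debugf("Successfully verified host : %s", trustedHost);
                    return trustedHost;
                }
            } catch (UnknownHostException e) {
                logger.debugf(e, "Unknown host from realm configuration: %s", trustedHost);
            }
        }
        return null;
    }

    /**
     * Looks up the host name of the given address and checks it against the trusted domains.
     *
     * @param hostAddress textual address of the requesting host
     * @param trustedDomains configured trusted domains, without the {@code "*."} prefix
     * @return the looked-up host name if it belongs to a trusted domain, otherwise {@code null}
     */
    protected String verifyHostInTrustedDomains(String hostAddress, List<String> trustedDomains) {
        if (trustedDomains.isEmpty()) {
            return null;
        }
        try {
            // The name comes from a lookup of the remote address, so the result is only
            // as trustworthy as the name service that answers it.
            String hostName = InetAddress.getByName(hostAddress).getHostName();
            logger.debugf("Trying verify request from address '%s' of host '%s' by domains", hostAddress, hostName);
            for (String domain : trustedDomains) {
                if (isInDomain(hostName, domain)) {
                    logger.debugf("Successfully verified host '%s' by trusted domain '%s'", hostName, domain);
                    return hostName;
                }
            }
            return null;
        } catch (UnknownHostException e) {
            logger.debugf(e, "Request of address '%s' came from unknown host. Skip verification by domains", hostAddress);
            return null;
        }
    }

    /**
     * Verifies that the root URL, base URL, admin URL and every resolved redirect URI
     * of the client point at a trusted host or domain. Does nothing when client URI
     * matching is disabled.
     *
     * @throws ClientRegistrationPolicyException if any URL is malformed or not trusted
     */
    protected void verifyClientUrls(ClientRegistrationContext clientRegistrationContext) throws ClientRegistrationPolicyException {
        if (!isClientUrisMustMatch()) {
            return;
        }
        List<String> trustedHosts = getTrustedHosts();
        List<String> trustedDomains = getTrustedDomains();
        ClientRepresentation client = clientRegistrationContext.getClient();
        String rootUrl = client.getRootUrl();
        List<String> redirectUris = client.getRedirectUris();
        // Relative base/admin URLs are resolved against the root URL before being checked.
        String absoluteBaseUrl = relativeToAbsoluteURI(rootUrl, client.getBaseUrl());
        String absoluteAdminUrl = relativeToAbsoluteURI(rootUrl, client.getAdminUrl());
        Set<String> resolvedRedirectUris = PairwiseSubMapperUtils.resolveValidRedirectUris(rootUrl, redirectUris);
        if (rootUrl != null) {
            checkURLTrusted(rootUrl, trustedHosts, trustedDomains);
        }
        if (absoluteBaseUrl != null) {
            checkURLTrusted(absoluteBaseUrl, trustedHosts, trustedDomains);
        }
        if (absoluteAdminUrl != null) {
            checkURLTrusted(absoluteAdminUrl, trustedHosts, trustedDomains);
        }
        for (String redirectUri : resolvedRedirectUris) {
            checkURITrusted(redirectUri, trustedHosts, trustedDomains);
        }
    }

    /**
     * Checks that the host of the given URL is trusted.
     *
     * @param url URL taken from the client representation
     * @param trustedHosts configured trusted hosts
     * @param trustedDomains configured trusted domains, without the {@code "*."} prefix
     * @throws ClientRegistrationPolicyException if the URL is malformed or its host is not trusted
     */
    protected void checkURLTrusted(String url, List<String> trustedHosts, List<String> trustedDomains) throws ClientRegistrationPolicyException {
        String host;
        try {
            host = new URL(url).getHost();
        } catch (MalformedURLException e) {
            logger.debugf(e, "URL '%s' is malformed", url);
            throw new ClientRegistrationPolicyException("URL is malformed");
        }
        if (!checkHostTrusted(host, trustedHosts, trustedDomains)) {
            ServicesLogger.LOGGER.urlDoesntMatch(url);
            throw new ClientRegistrationPolicyException("URL doesn't match any trusted host or trusted domain");
        }
    }

    /**
     * Checks that the host of the given URI is trusted.
     *
     * @param uri redirect URI resolved from the client representation
     * @param trustedHosts configured trusted hosts
     * @param trustedDomains configured trusted domains, without the {@code "*."} prefix
     * @throws ClientRegistrationPolicyException if the URI is malformed or its host is not trusted
     */
    protected void checkURITrusted(String uri, List<String> trustedHosts, List<String> trustedDomains) throws ClientRegistrationPolicyException {
        String host;
        try {
            host = new URI(uri).getHost();
        } catch (URISyntaxException e) {
            logger.debugf(e, "URI '%s' is malformed", uri);
            throw new ClientRegistrationPolicyException("URI is malformed");
        }
        if (!checkHostTrusted(host, trustedHosts, trustedDomains)) {
            ServicesLogger.LOGGER.uriDoesntMatch(uri);
            throw new ClientRegistrationPolicyException("URI doesn't match any trusted host or trusted domain");
        }
    }

    /**
     * Decides whether a host taken from a client URL is on either trust list.
     *
     * @param host host component of the URL/URI; may be {@code null} or empty
     * @param trustedHosts hosts that must match exactly
     * @param trustedDomains domains that must match on a label boundary
     * @return {@code true} only if the host matches an entry of either list
     */
    private boolean checkHostTrusted(String host, List<String> trustedHosts, List<String> trustedDomains) {
        // URI.getHost() returns null for URIs without a server-based authority; treat a
        // missing host as untrusted rather than failing with a NullPointerException.
        if (host == null || host.isEmpty()) {
            return false;
        }
        if (trustedHosts.contains(host)) {
            return true;
        }
        for (String domain : trustedDomains) {
            if (isInDomain(host, domain)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tests whether {@code host} is the given domain or a sub-domain of it.
     *
     * <p>A plain {@code endsWith} would accept {@code "evilexample.com"} for the
     * domain {@code "example.com"}, and would accept every host for an empty domain
     * (a bare {@code "*."} entry). The suffix must therefore start on a label boundary.
     */
    private static boolean isInDomain(String host, String domain) {
        if (host == null || domain == null || domain.isEmpty()) {
            return false;
        }
        return host.equals(domain) || host.endsWith("." + domain);
    }

    /**
     * Resolves a possibly relative URL against the client's root URL.
     *
     * @param rootUrl root URL of the client; may be {@code null}
     * @param relative URL to resolve; may be {@code null}
     * @return {@code relative} unchanged when it does not start with {@code "/"},
     *         {@code rootUrl + relative} when it does, or {@code null} when
     *         {@code relative} is {@code null} or no root URL is available to resolve it
     */
    private static String relativeToAbsoluteURI(String rootUrl, String relative) {
        if (relative == null) {
            return null;
        }
        if (!relative.startsWith("/")) {
            return relative;
        }
        if (rootUrl == null || rootUrl.isEmpty()) {
            return null;
        }
        return rootUrl + relative;
    }

    /**
     * @return whether the host sending the registration request must be trusted
     */
    public boolean isHostMustMatch() {
        return parseBoolean(TrustedHostClientRegistrationPolicyFactory.HOST_SENDING_REGISTRATION_REQUEST_MUST_MATCH);
    }

    /**
     * @return whether the URLs of the registered client must point at trusted hosts
     */
    public boolean isClientUrisMustMatch() {
        return parseBoolean(TrustedHostClientRegistrationPolicyFactory.CLIENT_URIS_MUST_MATCH);
    }

    /**
     * Reads a boolean option from the component configuration.
     *
     * @param key configuration key
     * @return {@code true} when the option is absent, so a missing setting keeps the
     *         check enabled; otherwise the result of {@link Boolean#parseBoolean(String)}
     */
    private boolean parseBoolean(String key) {
        String value = this.componentModel.getConfig().getFirst(key);
        return value == null || Boolean.parseBoolean(value);
    }
}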
