package org.keycloak.services.clientpolicy.executor;

import com.fasterxml.jackson.annotation.JsonProperty;
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.function.Predicate;
import org.jboss.logging.Logger;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.AdminClientRegisterContext;
import org.keycloak.services.clientpolicy.context.AdminClientUpdateContext;
import org.keycloak.services.clientpolicy.context.ClientCRUDContext;
import org.keycloak.services.clientpolicy.context.DynamicClientRegisterContext;
import org.keycloak.services.clientpolicy.context.DynamicClientUpdateContext;
import org.keycloak.services.clientpolicy.context.PreAuthorizationRequestContext;
import org.keycloak.services.clientpolicy.executor.SecureRedirectUrisEnforcerExecutorFactory;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;

/* loaded from: input_file:org/keycloak/services/clientpolicy/executor/SecureRedirectUrisEnforcerExecutor.class */
public class SecureRedirectUrisEnforcerExecutor implements ClientPolicyExecutorProvider<Configuration> {
    private static final Logger logger = Logger.getLogger(SecureRedirectUrisEnforcerExecutor.class);
    private final KeycloakSession session;
    private Configuration configuration;
    public static final String ERR_GENERAL = "Invalid Redirect Uri: invalid uri";
    public static final String ERR_LOOPBACK = "Invalid Redirect Uri: invalid loopback address";
    public static final String ERR_PRIVATESCHEME = "Invalid Redirect Uri: invalid private use scheme";
    public static final String ERR_NORMALURI = "Invalid Redirect Uri: invalid uri";

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.keycloak.services.clientpolicy.executor.SecureRedirectUrisEnforcerExecutor$1, reason: invalid class name */
    /* loaded from: input_file:org/keycloak/services/clientpolicy/executor/SecureRedirectUrisEnforcerExecutor$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$keycloak$services$clientpolicy$ClientPolicyEvent;
        static final /* synthetic */ int[] $SwitchMap$org$keycloak$services$clientpolicy$executor$SecureRedirectUrisEnforcerExecutorFactory$UriType = new int[SecureRedirectUrisEnforcerExecutorFactory.UriType.values().length];

        static {
            try {
                $SwitchMap$org$keycloak$services$clientpolicy$executor$SecureRedirectUrisEnforcerExecutorFactory$UriType[SecureRedirectUrisEnforcerExecutorFactory.UriType.IPV4_LOOPBACK_ADDRESS.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$keycloak$services$clientpolicy$executor$SecureRedirectUrisEnforcerExecutorFactory$UriType[SecureRedirectUrisEnforcerExecutorFactory.UriType.IPV6_LOOPBACK_ADDRESS.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$keycloak$services$clientpolicy$executor$SecureRedirectUrisEnforcerExecutorFactory$UriType[SecureRedirectUrisEnforcerExecutorFactory.UriType.PRIVATE_USE_URI_SCHEME.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$keycloak$services$clientpolicy$executor$SecureRedirectUrisEnforcerExecutorFactory$UriType[SecureRedirectUrisEnforcerExecutorFactory.UriType.NORMAL_URI.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            $SwitchMap$org$keycloak$services$clientpolicy$ClientPolicyEvent = new int[ClientPolicyEvent.values().length];
            try {
                $SwitchMap$org$keycloak$services$clientpolicy$ClientPolicyEvent[ClientPolicyEvent.REGISTER.ordinal()] = 1;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$keycloak$services$clientpolicy$ClientPolicyEvent[ClientPolicyEvent.UPDATE.ordinal()] = 2;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$org$keycloak$services$clientpolicy$ClientPolicyEvent[ClientPolicyEvent.PRE_AUTHORIZATION_REQUEST.ordinal()] = 3;
            } catch (NoSuchFieldError e7) {
            }
        }
    }

    /* loaded from: input_file:org/keycloak/services/clientpolicy/executor/SecureRedirectUrisEnforcerExecutor$Configuration.class */
    public static class Configuration extends ClientPolicyExecutorConfigurationRepresentation {

        @JsonProperty(SecureRedirectUrisEnforcerExecutorFactory.ALLOW_PRIVATE_USE_URI_SCHEME)
        protected boolean allowPrivateUseUriScheme;

        @JsonProperty(SecureRedirectUrisEnforcerExecutorFactory.ALLOW_IPV4_LOOPBACK_ADDRESS)
        protected boolean allowIPv4LoopbackAddress;

        @JsonProperty(SecureRedirectUrisEnforcerExecutorFactory.ALLOW_IPV6_LOOPBACK_ADDRESS)
        protected boolean allowIPv6LoopbackAddress;

        @JsonProperty(SecureRedirectUrisEnforcerExecutorFactory.ALLOW_HTTP_SCHEME)
        protected boolean allowHttpScheme;

        @JsonProperty(SecureRedirectUrisEnforcerExecutorFactory.ALLOW_WILDCARD_CONTEXT_PATH)
        protected boolean allowWildcardContextPath;

        @JsonProperty(SecureRedirectUrisEnforcerExecutorFactory.ALLOW_PERMITTED_DOMAINS)
        protected List<String> allowPermittedDomains = Collections.emptyList();

        @JsonProperty(SecureRedirectUrisEnforcerExecutorFactory.OAUTH_2_1_COMPLIANT)
        protected boolean oauth2_1complient;

        @JsonProperty(SecureRedirectUrisEnforcerExecutorFactory.ALLOW_OPEN_REDIRECT)
        protected boolean allowOpenRedirect;

        public boolean isAllowPrivateUseUriScheme() {
            return this.allowPrivateUseUriScheme;
        }

        public void setAllowPrivateUseUriScheme(boolean z) {
            this.allowPrivateUseUriScheme = z;
        }

        public boolean isAllowIPv4LoopbackAddress() {
            return this.allowIPv4LoopbackAddress;
        }

        public void setAllowIPv4LoopbackAddress(boolean z) {
            this.allowIPv4LoopbackAddress = z;
        }

        public boolean isAllowIPv6LoopbackAddress() {
            return this.allowIPv6LoopbackAddress;
        }

        public void setAllowIPv6LoopbackAddress(boolean z) {
            this.allowIPv6LoopbackAddress = z;
        }

        public boolean isAllowHttpScheme() {
            return this.allowHttpScheme;
        }

        public void setAllowHttpScheme(boolean z) {
            this.allowHttpScheme = z;
        }

        public boolean isAllowWildcardContextPath() {
            return this.allowWildcardContextPath;
        }

        public void setAllowWildcardContextPath(boolean z) {
            this.allowWildcardContextPath = z;
        }

        public List<String> getAllowPermittedDomains() {
            return this.allowPermittedDomains;
        }

        public void setAllowPermittedDomains(List<String> list) {
            this.allowPermittedDomains = list;
        }

        public boolean isOAuth2_1Compliant() {
            return this.oauth2_1complient;
        }

        public void setOAuth2_1Compliant(boolean z) {
            this.oauth2_1complient = z;
        }

        public boolean isAllowOpenRedirect() {
            return this.allowOpenRedirect;
        }

        public void setAllowOpenRedirect(boolean z) {
            this.allowOpenRedirect = z;
        }
    }

    /* loaded from: input_file:org/keycloak/services/clientpolicy/executor/SecureRedirectUrisEnforcerExecutor$UriValidation.class */
    public static class UriValidation {
        public final URI uri;
        public final boolean isRedirectUriParameter;
        public final Configuration config;

        public UriValidation(String str, boolean z, Configuration configuration) throws URISyntaxException {
            this.uri = new URI(str);
            this.isRedirectUriParameter = z;
            this.config = configuration;
        }

        public void validate() throws ClientPolicyException {
            switch (AnonymousClass1.$SwitchMap$org$keycloak$services$clientpolicy$executor$SecureRedirectUrisEnforcerExecutorFactory$UriType[identifyUriType().ordinal()]) {
                case DeclarativeUserProfileProviderFactory.PROVIDER_PRIORITY /* 1 */:
                    if (!this.config.isAllowIPv4LoopbackAddress() || !isValidIPv4LoopbackAddress()) {
                        throw SecureRedirectUrisEnforcerExecutor.invalidRedirectUri(SecureRedirectUrisEnforcerExecutor.ERR_LOOPBACK);
                    }
                    return;
                case DPoPUtil.DEFAULT_ALLOWED_CLOCK_SKEW /* 2 */:
                    if (!this.config.isAllowIPv6LoopbackAddress() || !isValidIPv6LoopbackAddress()) {
                        throw SecureRedirectUrisEnforcerExecutor.invalidRedirectUri(SecureRedirectUrisEnforcerExecutor.ERR_LOOPBACK);
                    }
                    return;
                case 3:
                    if (!this.config.isAllowPrivateUseUriScheme() || !isValidPrivateUseUriScheme()) {
                        throw SecureRedirectUrisEnforcerExecutor.invalidRedirectUri(SecureRedirectUrisEnforcerExecutor.ERR_PRIVATESCHEME);
                    }
                    return;
                case 4:
                    if (!isValidNormalUri()) {
                        throw SecureRedirectUrisEnforcerExecutor.invalidRedirectUri("Invalid Redirect Uri: invalid uri");
                    }
                    return;
                default:
                    SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid URI Type - input = {0}", this.uri.toString());
                    throw SecureRedirectUrisEnforcerExecutor.invalidRedirectUri("Invalid Redirect Uri: invalid uri");
            }
        }

        SecureRedirectUrisEnforcerExecutorFactory.UriType identifyUriType() {
            return isIPv4LoopbackAddress() ? SecureRedirectUrisEnforcerExecutorFactory.UriType.IPV4_LOOPBACK_ADDRESS : isIPv6LoopbackAddress() ? SecureRedirectUrisEnforcerExecutorFactory.UriType.IPV6_LOOPBACK_ADDRESS : isPrivateUseScheme() ? SecureRedirectUrisEnforcerExecutorFactory.UriType.PRIVATE_USE_URI_SCHEME : isNormalUri() ? SecureRedirectUrisEnforcerExecutorFactory.UriType.NORMAL_URI : SecureRedirectUrisEnforcerExecutorFactory.UriType.INVALID_URI;
        }

        boolean isIPv4LoopbackAddress() {
            return isLoopbackAddressRedirectUri(inetAddress -> {
                return inetAddress instanceof Inet4Address;
            });
        }

        boolean isIPv6LoopbackAddress() {
            return isLoopbackAddressRedirectUri(inetAddress -> {
                return inetAddress instanceof Inet6Address;
            });
        }

        boolean isLoopbackAddressRedirectUri(Predicate<InetAddress> predicate) {
            if (this.uri.getHost() == null) {
                return false;
            }
            try {
                InetAddress byName = InetAddress.getByName(this.uri.getHost());
                return byName.isLoopbackAddress() && predicate.test(byName);
            } catch (UnknownHostException e) {
                return false;
            }
        }

        boolean isPrivateUseScheme() {
            return (!this.uri.isAbsolute() || isHttp() || isHttps()) ? false : true;
        }

        boolean isNormalUri() {
            return isHttp() || isHttps();
        }

        boolean isValidIPv4LoopbackAddress() {
            return isValidLoopbackAddress(uri -> {
                return true;
            });
        }

        boolean isValidIPv6LoopbackAddress() {
            return isValidLoopbackAddress(uri -> {
                if ("[::1]".equals(uri.getHost())) {
                    return true;
                }
                SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid IPv6LoopbackAddress: unacceptable form - OAuth 2.1 compliant - input = {0}", this.uri.toString());
                return false;
            });
        }

        boolean isValidLoopbackAddress(Predicate<URI> predicate) {
            if (!this.config.isAllowHttpScheme() && isHttp()) {
                SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid LoopbackAddress: HTTP not allowed - input = {0}", this.uri.toString());
                return false;
            }
            if (this.config.isAllowWildcardContextPath()) {
                if (isIncludeInvalidWildcard()) {
                    SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid LoopbackAddress: invalid Wildcard - input = {0}", this.uri.toString());
                    return false;
                }
            } else if (isIncludeWildcard()) {
                SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid LoopbackAddress: Wildcard not allowed - input = {0}", this.uri.toString());
                return false;
            }
            if (!this.config.isOAuth2_1Compliant()) {
                return true;
            }
            if (isIncludeUriFragment()) {
                SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid LoopbackAddress: URI fragment not allowed - OAuth 2.1 compliant - input = {0}", this.uri.toString());
                return false;
            }
            if (isIncludeWildcard()) {
                SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid LoopbackAddress: Wildcard not allowed - OAuth 2.1 compliant - input = {0}", this.uri.toString());
                return false;
            }
            if ("localhost".equalsIgnoreCase(this.uri.getHost())) {
                SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid LoopbackAddress: localhost not allowed - OAuth 2.1 compliant - input = {0}", this.uri.toString());
                return false;
            }
            if (this.isRedirectUriParameter) {
                if (this.uri.getPort() < 0 || this.uri.getPort() > 65535) {
                    SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid LoopbackAddress: invalid port number - OAuth 2.1 compliant - redirect_uri parameter - input = {0}", this.uri.toString());
                    return false;
                }
            } else if (this.uri.getPort() > -1) {
                SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid LoopbackAddress: port number not allowed - OAuth 2.1 compliant - input = {0}", this.uri.toString());
                return false;
            }
            return predicate.test(this.uri);
        }

        boolean isValidPrivateUseUriScheme() {
            if (this.config.isAllowWildcardContextPath()) {
                if (isIncludeInvalidWildcard()) {
                    SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid PrivateUseUriScheme: invalid Wildcard - input = {0}", this.uri.toString());
                    return false;
                }
            } else if (isIncludeWildcard()) {
                SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid PrivateUseUriScheme: Wildcard not allowed - input = {0}", this.uri.toString());
                return false;
            }
            if (!this.config.isOAuth2_1Compliant()) {
                return true;
            }
            if (isIncludeUriFragment()) {
                SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid PrivateUseUriScheme: URI fragment not allowed - OAuth 2.1 compliant - input = {0}", this.uri.toString());
                return false;
            }
            if (isIncludeWildcard()) {
                SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid PrivateUseUriScheme: Wildcard not allowed - OAuth 2.1 compliant - input = {0}", this.uri.toString());
                return false;
            }
            if (this.uri.getScheme() != null && this.uri.getScheme().contains(".")) {
                return true;
            }
            SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid PrivateUseUriScheme: a single word scheme name is not allowed - OAuth 2.1 compliant - input = {0}", this.uri.toString());
            return false;
        }

        boolean isValidNormalUri() {
            if (!this.config.isAllowHttpScheme() && isHttp()) {
                SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid NormalUri: HTTP not allowed - input = {0}", this.uri.toString());
                return false;
            }
            if (this.config.isAllowWildcardContextPath()) {
                if (isIncludeInvalidWildcard()) {
                    SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid NormalUri: invalid Wildcard - input = {0}", this.uri.toString());
                    return false;
                }
            } else if (isIncludeWildcard()) {
                SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid NormalUri: Wildcard not allowed - input = {0}", this.uri.toString());
                return false;
            }
            if (this.config.getAllowPermittedDomains() != null && !this.config.getAllowPermittedDomains().isEmpty() && !matchDomains(this.config.getAllowPermittedDomains())) {
                SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid NormalUri: no permitted domain matched - input = {0}", this.uri.toString());
                return false;
            }
            if (!this.config.isOAuth2_1Compliant()) {
                return true;
            }
            if (!isHttps()) {
                SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid NormalUri: HTTP not allowed - OAuth 2.1 compliant - input = {0}", this.uri.toString());
                return false;
            }
            if (isIncludeUriFragment()) {
                SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid NormalUri: URI fragment not allowed - OAuth 2.1 compliant - input = {0}", this.uri.toString());
                return false;
            }
            if (!isIncludeWildcard()) {
                return true;
            }
            SecureRedirectUrisEnforcerExecutor.logger.debugv("Invalid NormalUri: Wildcard not allowed - OAuth 2.1 compliant - input = {0}", this.uri.toString());
            return false;
        }

        boolean matchDomain(String str) {
            return this.uri.getHost() != null && this.uri.getHost().matches(str);
        }

        boolean matchDomains(List<String> list) {
            return list.stream().anyMatch(this::matchDomain);
        }

        boolean isHttp() {
            return "http".equals(this.uri.getScheme());
        }

        boolean isHttps() {
            return "https".equals(this.uri.getScheme());
        }

        boolean isWildcardContextPath() {
            return this.uri.getPath() != null && (this.uri.getPath().startsWith("/*") || this.uri.getPath().startsWith("*"));
        }

        boolean isIncludeUriFragment() {
            return this.uri.toString().contains("#");
        }

        boolean isIncludeWildcard() {
            return this.uri.toString().contains("*");
        }

        boolean isIncludeInvalidWildcard() {
            return isWildcardContextPath() && this.uri.toString().length() - this.uri.toString().replace("*", "").length() != 1;
        }
    }

    public SecureRedirectUrisEnforcerExecutor(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    public String getProviderId() {
        return SecureRedirectUrisEnforcerExecutorFactory.PROVIDER_ID;
    }

    public void setupConfiguration(Configuration configuration) {
        this.configuration = configuration;
    }

    public Class<Configuration> getExecutorConfigurationClass() {
        return Configuration.class;
    }

    public Configuration getConfiguration() {
        return this.configuration;
    }

    public void executeOnEvent(ClientPolicyContext clientPolicyContext) throws ClientPolicyException {
        switch (AnonymousClass1.$SwitchMap$org$keycloak$services$clientpolicy$ClientPolicyEvent[clientPolicyContext.getEvent().ordinal()]) {
            case DeclarativeUserProfileProviderFactory.PROVIDER_PRIORITY /* 1 */:
                if (!(clientPolicyContext instanceof AdminClientRegisterContext) && !(clientPolicyContext instanceof DynamicClientRegisterContext)) {
                    throw invalidRedirectUri("Invalid Redirect Uri: invalid uri");
                }
                ClientRepresentation proposedClientRepresentation = ((ClientCRUDContext) clientPolicyContext).getProposedClientRepresentation();
                List<String> redirectUris = proposedClientRepresentation.getRedirectUris();
                if (redirectUris == null || redirectUris.isEmpty()) {
                    throw invalidRedirectUri("Invalid Redirect Uri: invalid uri");
                }
                verifyRedirectUris(proposedClientRepresentation.getRootUrl(), redirectUris);
                verifyPostLogoutRedirectUriUpdate(proposedClientRepresentation);
                return;
            case DPoPUtil.DEFAULT_ALLOWED_CLOCK_SKEW /* 2 */:
                if (!(clientPolicyContext instanceof AdminClientUpdateContext) && !(clientPolicyContext instanceof DynamicClientUpdateContext)) {
                    throw invalidRedirectUri("Invalid Redirect Uri: invalid uri");
                }
                ClientRepresentation proposedClientRepresentation2 = ((ClientCRUDContext) clientPolicyContext).getProposedClientRepresentation();
                List<String> redirectUris2 = proposedClientRepresentation2.getRedirectUris();
                if (redirectUris2 == null || redirectUris2.isEmpty()) {
                    return;
                }
                verifyRedirectUris(proposedClientRepresentation2.getRootUrl(), redirectUris2);
                verifyPostLogoutRedirectUriUpdate(proposedClientRepresentation2);
                return;
            case 3:
                String str = (String) ((PreAuthorizationRequestContext) clientPolicyContext).getRequestParameters().getFirst("redirect_uri");
                if (this.session.getContext().getRealm().getClientByClientId(((PreAuthorizationRequestContext) clientPolicyContext).getClientId()) == null) {
                    throw invalidRedirectUri("Invalid parameter: clientId");
                }
                verifyRedirectUri(str, true);
                return;
            default:
                return;
        }
    }

    private void verifyPostLogoutRedirectUriUpdate(ClientRepresentation clientRepresentation) throws ClientPolicyException {
        List<String> postLogoutRedirectUris = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRepresentation).getPostLogoutRedirectUris();
        if (postLogoutRedirectUris == null || postLogoutRedirectUris.isEmpty()) {
            return;
        }
        logger.tracef("Verifying post-logout redirect uris. Target client: %s, Effective post-logout uris: %s", clientRepresentation.getClientId(), postLogoutRedirectUris);
        verifyRedirectUris(clientRepresentation.getRootUrl(), postLogoutRedirectUris);
    }

    void verifyRedirectUris(String str, List<String> list) throws ClientPolicyException {
        if (this.configuration.isAllowOpenRedirect()) {
            return;
        }
        Iterator<String> it = RedirectUtils.resolveValidRedirects(this.session, str, new HashSet(list)).iterator();
        while (it.hasNext()) {
            verifyRedirectUri(it.next(), false);
        }
    }

    void verifyRedirectUri(String str, boolean z) throws ClientPolicyException {
        try {
            new UriValidation(str, z, this.configuration).validate();
        } catch (URISyntaxException e) {
            logger.debugv("URISyntaxException - input = {0}, errMessage = {1], errReason = {2}, redirectUri = {3}", new Object[]{e.getInput(), e.getMessage(), e.getReason(), str});
            throw invalidRedirectUri("Invalid Redirect Uri: invalid uri");
        }
    }

    private static ClientPolicyException invalidRedirectUri(String str) {
        return new ClientPolicyException("invalid_request", str);
    }
}
