package org.keycloak.protocol.oidc.utils;

import java.net.URI;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Pattern;
import org.jboss.logging.Logger;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.common.util.UriUtils;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakUriInfo;
import org.keycloak.models.RealmModel;
import org.keycloak.services.Urls;
import org.keycloak.services.util.ResolveRelative;

/* loaded from: input_file:org/keycloak/protocol/oidc/utils/RedirectUtils.class */
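/**
 * Checks a requested OAuth 2.0 / OpenID Connect redirect URI against the redirect URIs
 * registered for a client.
 *
 * <p>Every verification method returns {@code null} when the redirect URI is rejected; callers
 * must treat {@code null} as "do not redirect". Matching is done on strings, so the rules below
 * are security relevant and order dependent:
 * <ul>
 *   <li>a registered entry ending in {@code *} is a prefix wildcard, but only while the requested
 *       URI carries no user-info part and no {@code ..} path segment (see
 *       {@link #areWildcardsAllowed(URI)});</li>
 *   <li>the bare entry {@code *} matches regardless of that restriction, and is then limited to
 *       the {@code http}/{@code https} schemes by the scheme check in
 *       {@link #verifyRedirectUri(KeycloakSession, String, String, Set, boolean)};</li>
 *   <li>every other registered entry must equal the requested URI exactly.</li>
 * </ul>
 */
public class RedirectUtils {
    /**
     * Host names for which an {@code http} redirect that did not match is re-checked with its port
     * forced to 80. The set is unmodifiable so that no other code can widen this relaxation at
     * runtime; {@code contains(null)} still returns {@code false} for URIs without a host.
     */
    public static final Set<String> LOOPBACK_INTERFACES =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList("localhost", "127.0.0.1", "[::1]")));
    private static final Logger logger = Logger.getLogger(RedirectUtils.class);

    /**
     * Finds a {@code ..} path segment in a raw (still percent-encoded) path. A separator is
     * {@code /}, {@code %2F}, {@code %5C} or a backslash; each dot may be literal or {@code %2E};
     * the segment must be followed by another separator or by the end of the path.
     */
    private static final Pattern UNSAFE_PATH_PATTERN = Pattern.compile("(/|%2[fF]|%5[cC]|\\\\)(%2[eE]|\\.){2}(/|%2[fF]|%5[cC]|\\\\)|(/|%2[fF]|%5[cC]|\\\\)(%2[eE]|\\.){2}$");

    /** Special redirect value that is mapped to the realm's installed-application callback URL. */
    private static final String OOB_REDIRECT_URN = "urn:ietf:wg:oauth:2.0:oob";

    /**
     * Verifies a redirect URI for a client and requires the redirect URI to be present.
     *
     * @param keycloakSession current session
     * @param str requested redirect URI, may be {@code null}
     * @param clientModel client whose registered redirect URIs are checked, may be {@code null}
     * @return the accepted redirect URI, or {@code null} if it is rejected
     */
    public static String verifyRedirectUri(KeycloakSession keycloakSession, String str, ClientModel clientModel) {
        return verifyRedirectUri(keycloakSession, str, clientModel, true);
    }

    /**
     * Verifies a redirect URI against the root URL and registered redirect URIs of a client.
     *
     * @param keycloakSession current session
     * @param str requested redirect URI, may be {@code null}
     * @param clientModel client whose registered redirect URIs are checked; a {@code null} client
     *     rejects every redirect
     * @param z when {@code true} a missing redirect URI is rejected; when {@code false} it may be
     *     replaced by the client's only registered redirect URI
     * @return the accepted redirect URI, or {@code null} if it is rejected
     */
    public static String verifyRedirectUri(KeycloakSession keycloakSession, String str, ClientModel clientModel, boolean z) {
        if (clientModel == null) {
            // Without a client there is nothing to validate against: fail closed.
            return null;
        }
        return verifyRedirectUri(keycloakSession, clientModel.getRootUrl(), str, clientModel.getRedirectUris(), z);
    }

    /**
     * Turns registered redirect URIs into the set used for matching. Entries that start with
     * {@code /} are made absolute using the client root URL, or the server origin when no root URL
     * is available.
     *
     * @param keycloakSession current session
     * @param str client root URL, may be {@code null}
     * @param set registered redirect URIs
     * @return the resolved entries, longest first (ties in natural string order), so that the
     *     most specific entry is tried before shorter prefixes
     */
    public static Set<String> resolveValidRedirects(KeycloakSession keycloakSession, String str, Set<String> set) {
        Set<String> resolved = new TreeSet<String>((left, right) -> {
            if (left.length() == right.length()) {
                return left.compareTo(right);
            }
            return left.length() < right.length() ? 1 : -1;
        });
        for (String registered : set) {
            String candidate = registered;
            if (candidate.startsWith("/")) {
                candidate = relativeToAbsoluteURI(keycloakSession, str, candidate);
                logger.debugv("replacing relative valid redirect with: {0}", candidate);
            }
            resolved.add(candidate);
        }
        return resolved;
    }

    /**
     * Verifies a requested redirect URI against a set of registered redirect URIs.
     *
     * @param keycloakSession current session, used for the request URI and the realm
     * @param str client root URL used to resolve relative entries, may be {@code null}
     * @param str2 requested redirect URI, may be {@code null}
     * @param set registered redirect URIs; {@code null} is treated like an empty set
     * @param z when {@code true} a missing redirect URI is rejected; when {@code false} it may be
     *     replaced by the only registered redirect URI
     * @return the accepted redirect URI (made absolute if it was relative, and mapped to the
     *     realm's installed-application callback URL for the out-of-band URN), or {@code null}
     *     if the redirect is rejected
     */
    public static String verifyRedirectUri(KeycloakSession keycloakSession, String str, String str2, Set<String> set, boolean z) {
        KeycloakUriInfo uriInfo = keycloakSession.getContext().getUri();
        RealmModel realm = keycloakSession.getContext().getRealm();
        String redirectUri = str2;
        if (redirectUri == null) {
            if (!z) {
                // The fallback value comes from the registration itself and is returned without
                // going through the matching below.
                redirectUri = getSingleValidRedirectUri(set);
            }
            if (redirectUri == null) {
                logger.debug("No Redirect URI parameter specified");
                return null;
            }
        } else if (set == null || set.isEmpty()) {
            // Nothing registered (or no set at all): reject instead of failing on a null set.
            logger.debug("No Redirect URIs supplied");
            redirectUri = null;
        } else {
            URI requested = toUri(redirectUri);
            if (requested == null) {
                // Unparseable input is rejected outright.
                return null;
            }
            boolean wildcardsAllowed = areWildcardsAllowed(requested);
            Set<String> validRedirects = resolveValidRedirects(keycloakSession, str, set);
            String matched = matchesRedirects(validRedirects, redirectUri, wildcardsAllowed);
            if (matched == null && "http".equals(requested.getScheme()) && LOOPBACK_INTERFACES.contains(requested.getHost())) {
                // Loopback http redirects get a second attempt with the port forced to 80, so the
                // port chosen by the client does not have to be registered.
                // NOTE(review): presumably the builder omits the default port; confirm.
                matched = matchesRedirects(validRedirects, KeycloakUriBuilder.fromUri(requested).port(80).buildAsString(new Object[0]), wildcardsAllowed);
            }
            if (matched != null && !requested.isAbsolute()) {
                // A matched relative redirect is returned as an absolute URI.
                if (!redirectUri.startsWith("/")) {
                    redirectUri = "/" + redirectUri;
                }
                redirectUri = relativeToAbsoluteURI(keycloakSession, str, redirectUri);
            }
            // A scheme other than http(s) is accepted only when the matched registered entry
            // itself starts with that scheme, so a bare "*" entry cannot admit other schemes.
            String scheme = requested.getScheme();
            if (matched != null && scheme != null && !matched.startsWith(scheme + ":") && !"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
                logger.debugf("Invalid URI because scheme is not allowed: %s", redirectUri);
                matched = null;
            }
            redirectUri = matched != null ? redirectUri : null;
        }
        if (OOB_REDIRECT_URN.equals(redirectUri)) {
            return Urls.realmInstalledAppUrnCallback(uriInfo.getBaseUri(), realm.getName()).toString();
        }
        return redirectUri;
    }

    /**
     * Parses a redirect URI, logging and swallowing parse failures.
     *
     * @return the parsed URI, or {@code null} if the input is {@code null} or cannot be parsed
     */
    private static URI toUri(String redirectUri) {
        if (redirectUri == null) {
            return null;
        }
        try {
            return URI.create(redirectUri);
        } catch (IllegalArgumentException e) {
            logger.debugf(e, "Invalid redirect uri %s", redirectUri);
        } catch (Exception e) {
            logger.debugf(e, "Unexpected error when parsing redirect uri %s", redirectUri);
        }
        return null;
    }

    /**
     * Decides whether prefix wildcards may be applied to a requested URI. They are refused when
     * the URI has a user-info part or when its raw path contains a {@code ..} segment, because a
     * plain prefix comparison says nothing reliable about where such a URI finally points.
     */
    private static boolean areWildcardsAllowed(URI redirectUri) {
        if (redirectUri.getRawUserInfo() != null) {
            return false;
        }
        String rawPath = redirectUri.getRawPath();
        return rawPath == null || !UNSAFE_PATH_PATTERN.matcher(rawPath).find();
    }

    /**
     * Prefixes a relative URI with the resolved client root URL, falling back to the origin of
     * the server's base URI when the root URL is missing or resolves to an empty value.
     */
    private static String relativeToAbsoluteURI(KeycloakSession keycloakSession, String rootUrl, String relative) {
        String base = rootUrl;
        if (base != null) {
            base = ResolveRelative.resolveRootUrl(keycloakSession, base);
        }
        if (base == null || base.isEmpty()) {
            base = UriUtils.getOrigin(keycloakSession.getContext().getUri().getBaseUri());
        }
        return base + relative;
    }

    /**
     * Looks for the first registered entry that accepts the requested redirect.
     *
     * @param validRedirects resolved registered entries, in iteration order
     * @param redirect requested redirect URI
     * @param allowWildcards whether entries ending in {@code *} may act as prefix wildcards
     * @return the matching entry (for a wildcard entry, the prefix that matched), or {@code null}
     */
    private static String matchesRedirects(Set<String> validRedirects, String redirect, boolean allowWildcards) {
        logger.tracef("matchesRedirects: redirect URL to check: %s, allow wildcards: %b, Configured valid redirect URLs: %s", redirect, Boolean.valueOf(allowWildcards), validRedirects);
        for (String validRedirect : validRedirects) {
            if ("*".equals(validRedirect)) {
                // The bare wildcard matches even when allowWildcards is false.
                return validRedirect;
            }
            if (validRedirect.endsWith("*") && !validRedirect.contains("?") && allowWildcards) {
                // Query (or, when there is no query, fragment) is ignored for wildcard matching.
                int cut = redirect.indexOf('?');
                if (cut == -1) {
                    cut = redirect.indexOf('#');
                }
                String withoutQuery = cut == -1 ? redirect : redirect.substring(0, cut);
                // Drop the trailing '*' and compare as a prefix.
                int prefixLength = validRedirect.length() - 1;
                String prefix = validRedirect.substring(0, prefixLength);
                if (withoutQuery.startsWith(prefix)) {
                    return prefix;
                }
                // "https://host/app/*" also accepts exactly "https://host/app".
                if (prefixLength - 1 > 0 && prefix.charAt(prefixLength - 1) == '/') {
                    prefixLength--;
                }
                String prefixWithoutSlash = prefix.substring(0, prefixLength);
                if (prefixWithoutSlash.equals(withoutQuery)) {
                    return prefixWithoutSlash;
                }
            } else if (validRedirect.equals(redirect)) {
                // Also reached for wildcard entries when wildcards are not allowed: the entry is
                // then compared literally, '*' included.
                return validRedirect;
            }
        }
        return null;
    }

    /**
     * Returns the only registered redirect URI with any {@code /*} suffix removed, or
     * {@code null} when the collection is {@code null} or does not hold exactly one entry.
     */
    private static String getSingleValidRedirectUri(Collection<String> validRedirects) {
        if (validRedirects == null || validRedirects.size() != 1) {
            return null;
        }
        return validateRedirectUriWildcard(validRedirects.iterator().next());
    }

    /**
     * Cuts a registered redirect URI at the first occurrence of {@code /*}.
     *
     * @param str registered redirect URI, may be {@code null}
     * @return the text before the first {@code /*}, the input unchanged when it contains none,
     *     or {@code null} for {@code null} input
     */
    public static String validateRedirectUriWildcard(String str) {
        if (str == null) {
            return null;
        }
        int wildcardStart = str.indexOf("/*");
        return wildcardStart > -1 ? str.substring(0, wildcardStart) : str;
    }
}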
