package org.keycloak.validation;

import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayDeque;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.keycloak.authentication.authenticators.util.LoAUtil;
import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
import org.keycloak.models.ClientModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.protocol.ProtocolMapperConfigException;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.grants.ciba.CibaClientValidation;
import org.keycloak.protocol.oidc.mappers.PairwiseSubMapperHelper;
import org.keycloak.protocol.oidc.utils.AcrUtils;
import org.keycloak.protocol.oidc.utils.PairwiseSubMapperUtils;
import org.keycloak.protocol.oidc.utils.PairwiseSubMapperValidator;
import org.keycloak.protocol.oidc.utils.SubjectType;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.representations.oidc.OIDCClientRepresentation;
import org.keycloak.services.util.ResolveRelative;
import org.keycloak.validation.ClientValidationContext;

/* loaded from: input_file:org/keycloak/validation/DefaultClientValidationProvider.class */
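/**
 * Default {@link ClientValidationProvider}: checks a client's configured URLs (scheme, fragment,
 * URL syntax), pairwise-subject sector identifiers, CIBA settings, JWKS settings and ACR values,
 * reporting each problem on the supplied validation context.
 */
public class DefaultClientValidationProvider implements ClientValidationProvider {

    /**
     * Placeholder authentication-server URL. Relative client URLs are resolved against it so that
     * they can be parsed and checked like absolute ones.
     */
    private static final String AUTH_SERVER_URL = "https://localhost/auth";

    /** URI schemes that are rejected for every field checked by {@link #checkUri}. */
    private static final String SCHEME_DATA = "data";
    private static final String SCHEME_JAVASCRIPT = "javascript";

    /**
     * Per-field validation messages: the field id reported to the context plus the message text and
     * localisation key for an unparseable value, a forbidden fragment and a forbidden scheme.
     * {@code fragment}/{@code fragmentKey} are {@code null} for fields whose fragment is never
     * checked.
     */
    public enum FieldMessages {
        ROOT_URL("rootUrl", "Root URL is not a valid URL", "clientRootURLInvalid", "Root URL must not contain an URL fragment", "clientRootURLFragmentError", "Root URL uses an illegal scheme", "clientRootURLIllegalSchemeError"),
        BASE_URL("baseUrl", "Base URL is not a valid URL", "clientBaseURLInvalid", null, null, "Base URL uses an illegal scheme", "clientBaseURLIllegalSchemeError"),
        REDIRECT_URIS("redirectUris", "A redirect URI is not a valid URI", "clientRedirectURIsInvalid", "Redirect URIs must not contain an URI fragment", "clientRedirectURIsFragmentError", "A redirect URI uses an illegal scheme", "clientRedirectURIsIllegalSchemeError"),
        BACKCHANNEL_LOGOUT_URL("backchannelLogoutUrl", "Backchannel logout URL is not a valid URL", "backchannelLogoutUrlIsInvalid", null, null, "Backchannel logout URL uses an illegal scheme", "backchannelLogoutUrlIllegalSchemeError"),
        LOGO_URI("logoUri", "Logo URL is not a valid URL", "logoURLInvalid", null, null, "Logo URL uses an illegal scheme", "logoURLIllegalSchemeError"),
        POLICY_URI("policyUri", "Policy URL is not a valid URL", "policyURLInvalid", null, null, "Policy URL uses an illegal scheme", "policyURLIllegalSchemeError"),
        TOS_URI("tosUri", "Terms of service URL is not a valid URL", "tosURLInvalid", null, null, "Terms of service URL uses an illegal scheme", "tosURLIllegalSchemeError"),
        ADMIN_URL("masterSamlProcessingUrl", "Master SAML Processing URL is not a valid URL", "adminUrlURLInvalid", null, null, "Master SAML Processing URL uses an illegal scheme", "adminUrlURLIllegalSchemeError"),
        SAML_ASSERTION_CONSUMER_URL_POST_URI(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE, "Assertion Consumer Service POST Binding URL is not a valid URL", "samlAssertionConsumerUrlPostURLInvalid", null, null, "Assertion Consumer Service POST Binding URL uses an illegal scheme", "samlAssertionConsumerUrlPostURLIllegalSchemeError"),
        SAML_ASSERTION_CONSUMER_URL_REDIRECT_URI(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE, "Assertion Consumer Service Redirect Binding URL is not a valid URL", "samlAssertionConsumerUrlRedirectURLInvalid", null, null, "Assertion Consumer Service Redirect Binding URL uses an illegal scheme", "samlAssertionConsumerUrlRedirectURLIllegalSchemeError"),
        SAML_ASSERTION_CONSUMER_URL_ARTIFACT_URI(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_ARTIFACT_ATTRIBUTE, "Artifact Binding URL is not a valid URL", "samlAssertionConsumerUrlArtifactURLInvalid", null, null, "Artifact Binding URL uses an illegal scheme", "samlAssertionConsumerUrlArtifactURLIllegalSchemeError"),
        SAML_SINGLE_LOGOUT_SERVICE_URL_POST_URI(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE, "Logout Service POST Binding URL is not a valid URL", "samlLogoutServiceUrlPostURLInvalid", null, null, "Logout Service POST Binding URL uses an illegal scheme", "samlLogoutServiceUrlPostURLIllegalSchemeError"),
        SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_URI(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_ATTRIBUTE, "Logout Service ARTIFACT Binding URL is not a valid URL", "samlLogoutServiceUrlArtifactURLInvalid", null, null, "Logout Service ARTIFACT Binding URL uses an illegal scheme", "samlLogoutServiceUrlArtifactURLIllegalSchemeError"),
        SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_URI(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE, "Logout Service Redirect Binding URL is not a valid URL", "samlLogoutServiceUrlRedirectURLInvalid", null, null, "Logout Service Redirect Binding URL uses an illegal scheme", "samlLogoutServiceUrlRedirectURLIllegalSchemeError"),
        // NOTE(review): the scheme key below is the POST-binding key (samlAssertionConsumerUrlPostURLIllegalSchemeError)
        // rather than a SOAP-specific one; looks like a copy-and-paste carry-over. Kept as-is because the
        // key must exist in the message bundle — confirm there before changing it.
        SAML_SINGLE_LOGOUT_SERVICE_URL_SOAP_URI(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_SOAP_ATTRIBUTE, "Logout Service SOAP Binding URL is not a valid URL", "samlLogoutServiceUrlSoapURLInvalid", null, null, "Logout Service SOAP Binding URL uses an illegal scheme", "samlAssertionConsumerUrlPostURLIllegalSchemeError"),
        // NOTE(review): both keys below also reuse the POST-binding keys — same caveat as above.
        SAML_ARTIFACT_RESOLUTION_SERVICE_URL_URI(SamlProtocol.SAML_ARTIFACT_RESOLUTION_SERVICE_URL_ATTRIBUTE, "Artifact Resolution Service is not a valid URL", "samlAssertionConsumerUrlPostURLInvalid", null, null, "Artifact Resolution Service uses an illegal scheme", "samlAssertionConsumerUrlPostURLIllegalSchemeError");

        private final String fieldId;
        private final String invalid;
        private final String invalidKey;
        private final String fragment;
        private final String fragmentKey;
        private final String scheme;
        private final String schemeKey;

        FieldMessages(String fieldId, String invalid, String invalidKey, String fragment, String fragmentKey,
                      String scheme, String schemeKey) {
            this.fieldId = fieldId;
            this.invalid = invalid;
            this.invalidKey = invalidKey;
            this.fragment = fragment;
            this.fragmentKey = fragmentKey;
            this.scheme = scheme;
            this.schemeKey = schemeKey;
        }

        /** @return the field id under which errors for this field are reported */
        public String getFieldId() {
            return fieldId;
        }

        /** @return message text for a value that is not a valid URI/URL */
        public String getInvalid() {
            return invalid;
        }

        /** @return localisation key for {@link #getInvalid()} */
        public String getInvalidKey() {
            return invalidKey;
        }

        /** @return message text for a value carrying a fragment, or {@code null} when fragments are not checked */
        public String getFragment() {
            return fragment;
        }

        /** @return localisation key for {@link #getFragment()}, or {@code null} */
        public String getFragmentKey() {
            return fragmentKey;
        }

        /** @return message text for a value using a rejected scheme */
        public String getScheme() {
            return scheme;
        }

        /** @return localisation key for {@link #getScheme()} */
        public String getSchemeKey() {
            return schemeKey;
        }
    }

    /**
     * Validates a client model: URLs, pairwise sub mappers, CIBA, JWKS and ACR settings.
     *
     * @param context context holding the client to validate; receives the errors
     * @return the context's accumulated result
     */
    @Override
    public ValidationResult validate(ValidationContext<ClientModel> context) {
        validateUrls(context);
        validatePairwiseInClientModel(context);
        new CibaClientValidation(context).validate();
        validateJwks(context);
        validateDefaultAcrValues(context);
        validateMinimumAcrValue(context);
        return context.toResult();
    }

    /**
     * Validates a client described by an OIDC client representation. Unlike the model variant,
     * the pairwise check is driven by the representation's subject type / sector identifier and no
     * JWKS check is performed.
     *
     * @param context OIDC validation context; receives the errors
     * @return the context's accumulated result
     */
    @Override
    public ValidationResult validate(ClientValidationContext.OIDCContext context) {
        validateUrls(context);
        validatePairwiseInOIDCClient(context);
        new CibaClientValidation(context).validate();
        validateDefaultAcrValues(context);
        validateMinimumAcrValue(context);
        return context.toResult();
    }

    /**
     * Checks every URL-valued client setting. Root, base, backchannel-logout and redirect URLs are
     * first resolved against {@link #AUTH_SERVER_URL}; SAML endpoint URLs are only checked for SAML
     * clients.
     */
    private void validateUrls(ValidationContext<ClientModel> context) {
        ClientModel client = context.getObjectToValidate();

        String resolvedRootUrl = ResolveRelative.resolveRootUrl(AUTH_SERVER_URL, AUTH_SERVER_URL, client.getRootUrl());
        String resolvedBaseUrl = ResolveRelative.resolveRelativeUri(AUTH_SERVER_URL, AUTH_SERVER_URL, AUTH_SERVER_URL, client.getBaseUrl());
        String backchannelLogoutUrl = OIDCAdvancedConfigWrapper.fromClientModel(client).getBackchannelLogoutUrl();
        String resolvedBackchannelLogoutUrl = ResolveRelative.resolveRelativeUri(AUTH_SERVER_URL, AUTH_SERVER_URL, AUTH_SERVER_URL, backchannelLogoutUrl);

        checkUri(FieldMessages.ROOT_URL, resolvedRootUrl, context, true, true);
        checkUri(FieldMessages.BASE_URL, resolvedBaseUrl, context, true, false);
        checkUri(FieldMessages.BACKCHANNEL_LOGOUT_URL, resolvedBackchannelLogoutUrl, context, true, false);

        // Redirect URIs are resolved relative to the client's (resolved) root URL; only URI syntax,
        // scheme and fragment are checked — they are not required to convert to a java.net.URL.
        for (String redirectUri : client.getRedirectUris()) {
            String resolved = ResolveRelative.resolveRelativeUri(AUTH_SERVER_URL, AUTH_SERVER_URL, resolvedRootUrl, redirectUri);
            checkUri(FieldMessages.REDIRECT_URIS, resolved, context, false, true);
        }

        checkUriLogo(FieldMessages.LOGO_URI, client.getAttribute("logoUri"), context);
        checkUri(FieldMessages.POLICY_URI, client.getAttribute("policyUri"), context, true, false);
        checkUri(FieldMessages.TOS_URI, client.getAttribute("tosUri"), context, true, false);

        if ("saml".equals(client.getProtocol())) {
            checkUri(FieldMessages.ADMIN_URL, client.getManagementUrl(), context, true, false);
            checkSamlAttributeUri(FieldMessages.SAML_ASSERTION_CONSUMER_URL_POST_URI, SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE, client, context);
            checkSamlAttributeUri(FieldMessages.SAML_ASSERTION_CONSUMER_URL_REDIRECT_URI, SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE, client, context);
            checkSamlAttributeUri(FieldMessages.SAML_ASSERTION_CONSUMER_URL_ARTIFACT_URI, SamlProtocol.SAML_ASSERTION_CONSUMER_URL_ARTIFACT_ATTRIBUTE, client, context);
            checkSamlAttributeUri(FieldMessages.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_URI, SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE, client, context);
            checkSamlAttributeUri(FieldMessages.SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_URI, SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_ATTRIBUTE, client, context);
            checkSamlAttributeUri(FieldMessages.SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_URI, SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE, client, context);
            checkSamlAttributeUri(FieldMessages.SAML_SINGLE_LOGOUT_SERVICE_URL_SOAP_URI, SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_SOAP_ATTRIBUTE, client, context);
            checkSamlAttributeUri(FieldMessages.SAML_ARTIFACT_RESOLUTION_SERVICE_URL_URI, SamlProtocol.SAML_ARTIFACT_RESOLUTION_SERVICE_URL_ATTRIBUTE, client, context);
        }
    }

    /** Reads the SAML endpoint stored under {@code attribute} and checks it as a full URL (fragments allowed). */
    private void checkSamlAttributeUri(FieldMessages field, String attribute, ClientModel client,
                                       ValidationContext<ClientModel> context) {
        checkUri(field, client.getAttribute(attribute), context, true, false);
    }

    /**
     * Parses {@code url} and reports scheme, fragment and syntax problems under {@code field}.
     * {@code data:} and {@code javascript:} schemes are always rejected; the comparison ignores
     * case because scheme names are case-insensitive (RFC 3986 section 3.1).
     *
     * @param field         messages and field id to report under
     * @param url           value to check; {@code null} or empty is accepted without any check
     * @param context       validation context that receives the errors
     * @param checkValidUrl additionally require the value to convert to a {@link java.net.URL}
     *                      (rejects relative URIs and unknown protocols)
     * @param checkFragment additionally reject values that carry a {@code #fragment}
     */
    private void checkUri(FieldMessages field, String url, ValidationContext<ClientModel> context,
                          boolean checkValidUrl, boolean checkFragment) {
        if (url == null || url.isEmpty()) {
            return;
        }
        String candidate = url;
        if (field == FieldMessages.BACKCHANNEL_LOGOUT_URL) {
            // This field alone tolerates curly braces: unbalanced ones count as an invalid URL,
            // balanced ones are percent-encoded so that java.net.URI accepts the value.
            if (!checkCurlyBracketsBalanced(url)) {
                reportInvalid(field, context);
                return;
            }
            candidate = url.replace("{", "%7B").replace("}", "%7D");
        }
        try {
            URI uri = new URI(candidate);
            boolean acceptable = true;
            if (hasScheme(uri, SCHEME_DATA) || hasScheme(uri, SCHEME_JAVASCRIPT)) {
                context.addError(field.getFieldId(), field.getScheme(), field.getSchemeKey(), new Object[0]);
                acceptable = false;
            }
            if (checkFragment && uri.getFragment() != null) {
                context.addError(field.getFieldId(), field.getFragment(), field.getFragmentKey(), new Object[0]);
                acceptable = false;
            }
            if (checkValidUrl && acceptable) {
                // URI.toURL() throws IllegalArgumentException for a non-absolute URI and
                // MalformedURLException when no protocol handler exists; both map to "invalid".
                uri.toURL();
            }
        } catch (IllegalArgumentException | MalformedURLException | URISyntaxException e) {
            reportInvalid(field, context);
        }
    }

    /** Reports the field's "not a valid URL" message on {@code context}. */
    private static void reportInvalid(FieldMessages field, ValidationContext<ClientModel> context) {
        context.addError(field.getFieldId(), field.getInvalid(), field.getInvalidKey(), new Object[0]);
    }

    /**
     * @return {@code true} when {@code uri} has a scheme equal to {@code scheme}, ignoring case
     *         (a scheme-less URI never matches)
     */
    private static boolean hasScheme(URI uri, String scheme) {
        String actual = uri.getScheme();
        return actual != null && actual.equalsIgnoreCase(scheme);
    }

    /**
     * Returns whether every {@code '}'} in {@code value} closes an earlier, still-open {@code '{'}
     * and no {@code '{'} is left open at the end. All other characters are ignored.
     *
     * @param value text to scan; must not be {@code null}
     * @return {@code true} when the curly brackets are balanced (including for the empty string)
     */
    public static boolean checkCurlyBracketsBalanced(String value) {
        // Only one bracket kind is tracked, so a depth counter is equivalent to a stack.
        int depth = 0;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '{') {
                depth++;
            } else if (c == '}') {
                if (depth == 0) {
                    return false;
                }
                depth--;
            }
        }
        return depth == 0;
    }

    /**
     * Checks the logo URL: it must parse as a URI and must not use the {@code javascript:} scheme
     * (compared ignoring case). Unlike {@link #checkUri}, {@code data:} URIs, fragments and
     * relative values are accepted here.
     */
    private void checkUriLogo(FieldMessages field, String url, ValidationContext<ClientModel> context) {
        if (url == null || url.isEmpty()) {
            return;
        }
        try {
            URI uri = new URI(url);
            if (hasScheme(uri, SCHEME_JAVASCRIPT)) {
                context.addError(field.getFieldId(), field.getScheme(), field.getSchemeKey(), new Object[0]);
            }
        } catch (URISyntaxException e) {
            reportInvalid(field, context);
        }
    }

    /** Validates the sector identifier URI of every pairwise sub mapper configured on the client. */
    private void validatePairwiseInClientModel(ValidationContext<ClientModel> context) {
        ClientModel client = context.getObjectToValidate();
        for (ProtocolMapperRepresentation mapper
                : PairwiseSubMapperUtils.getPairwiseSubMappers(ModelToRepresentation.toRepresentation(client, context.getSession()))) {
            validatePairwise(context, PairwiseSubMapperHelper.getSectorIdentifierUri(mapper));
        }
    }

    /**
     * Validates the sector identifier URI of an OIDC client representation when the client asks for
     * pairwise subjects or supplies a sector identifier at all.
     */
    private void validatePairwiseInOIDCClient(ClientValidationContext.OIDCContext context) {
        OIDCClientRepresentation oidcClient = context.getOIDCClient();
        SubjectType subjectType = SubjectType.parse(oidcClient.getSubjectType());
        String sectorIdentifierUri = oidcClient.getSectorIdentifierUri();
        boolean hasSectorIdentifier = sectorIdentifierUri != null && !sectorIdentifierUri.isEmpty();
        if (subjectType == SubjectType.PAIRWISE || hasSectorIdentifier) {
            validatePairwise(context, sectorIdentifierUri);
        }
    }

    /**
     * Delegates to {@link PairwiseSubMapperValidator} with the client's root URL and redirect URIs,
     * reporting a configuration failure under the {@code pairWise} field.
     */
    private void validatePairwise(ValidationContext<ClientModel> context, String sectorIdentifierUri) {
        ClientModel client = context.getObjectToValidate();
        Set<String> redirectUris = new HashSet<>();
        if (client.getRedirectUris() != null) {
            redirectUris.addAll(client.getRedirectUris());
        }
        try {
            PairwiseSubMapperValidator.validate(context.getSession(), client.getRootUrl(), redirectUris, sectorIdentifierUri);
        } catch (ProtocolMapperConfigException e) {
            context.addError("pairWise", e.getMessage(), e.getMessageKey(), new Object[0]);
        }
    }

    /** Rejects a client that enables both the JWKS URL and the inline JWKS string. */
    private void validateJwks(ValidationContext<ClientModel> context) {
        ClientModel client = context.getObjectToValidate();
        boolean usesJwksUrl = Boolean.parseBoolean(client.getAttribute("use.jwks.url"));
        boolean usesJwksString = Boolean.parseBoolean(client.getAttribute("use.jwks.string"));
        if (usesJwksUrl && usesJwksString) {
            context.addError(OIDCIdentityProviderConfig.JWKS_URL, "Illegal to use both jwks_uri and jwks_string", "duplicatedJwksSettings", new Object[0]);
        }
    }

    /**
     * Every default ACR value must either be a key of the ACR-to-LoA map or equal (as a string)
     * one of the LoA levels configured in the realm's browser flow. One error is reported per
     * offending value.
     */
    private void validateDefaultAcrValues(ValidationContext<ClientModel> context) {
        ClientModel client = context.getObjectToValidate();
        List<String> defaultAcrValues = AcrUtils.getDefaultAcrValues(client);
        Map<String, Integer> acrLoaMap = resolveAcrLoaMap(client);
        for (String acr : defaultAcrValues) {
            if (!acrLoaMap.containsKey(acr) && !isConfiguredLoaLevel(client, acr)) {
                context.addError("defaultAcrValues", "Default ACR values need to contain values specified in the ACR-To-Loa mapping or number levels from set realm browser flow");
            }
        }
    }

    /**
     * The minimum ACR value, when set, must either be a key of the ACR-to-LoA map or equal (as a
     * string) one of the LoA levels configured in the realm's browser flow.
     */
    private void validateMinimumAcrValue(ValidationContext<ClientModel> context) {
        ClientModel client = context.getObjectToValidate();
        String minimumAcrValue = AcrUtils.getMinimumAcrValue(client);
        if (minimumAcrValue == null) {
            return;
        }
        Map<String, Integer> acrLoaMap = resolveAcrLoaMap(client);
        if (acrLoaMap.containsKey(minimumAcrValue) || isConfiguredLoaLevel(client, minimumAcrValue)) {
            return;
        }
        context.addError("minimumAcrValue", "Minimum ACR value needs to be value specified in the ACR-To-Loa mapping or number level from set realm browser flow");
    }

    /** The client's own ACR-to-LoA map, falling back to the realm's map when the client has none. */
    private static Map<String, Integer> resolveAcrLoaMap(ClientModel client) {
        Map<String, Integer> acrLoaMap = AcrUtils.getAcrLoaMap(client);
        if (acrLoaMap.isEmpty()) {
            acrLoaMap = AcrUtils.getAcrLoaMap(client.getRealm());
        }
        return acrLoaMap;
    }

    /**
     * @return {@code true} when {@code acr} equals the string form of a LoA level configured in
     *         the realm's browser flow. Called only after the map lookup failed, so the flow is
     *         not inspected unnecessarily.
     */
    private static boolean isConfiguredLoaLevel(ClientModel client, String acr) {
        return LoAUtil.getLoAConfiguredInRealmBrowserFlow(client.getRealm())
                .anyMatch(level -> acr.equals(String.valueOf(level)));
    }
}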
