package org.keycloak.protocol.oidc.endpoints.request;

import com.fasterxml.jackson.databind.JsonNode;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Objects;
import java.util.Set;
import java.util.function.BiConsumer;
import org.keycloak.jose.JOSE;
import org.keycloak.jose.jwe.JWE;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;

/* loaded from: input_file:org/keycloak/protocol/oidc/endpoints/request/AuthzEndpointRequestObjectParser.class */
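/**
 * Parses OIDC authorization request parameters out of a JWT "request" object
 * instead of the plain query string.
 *
 * <p>The JWT is decoded through {@code keycloakSession.tokens().decodeClientJWT(...)}
 * with a validator that compares the JOSE header algorithms against the values
 * configured on the client. The decoded claims are kept as a {@link JsonNode}
 * and served to the base parser through {@link #getParameter(String)},
 * {@link #getIntParameter(String)} and {@link #keySet()}.
 */
public class AuthzEndpointRequestObjectParser extends AuthzEndpointRequestParser {
    /** Claims of the decoded request object; never {@code null} once construction succeeds. */
    private final JsonNode requestParams;

    /**
     * Decodes the request object and publishes its claims on the session.
     *
     * @param keycloakSession current session; used to decode the JWT and to store the result
     * @param str             the serialized request object (JWS or JWE compact form)
     * @param clientModel     the client the request object is decoded for
     * @throws RuntimeException if decoding yields no claims, if the validator rejects the
     *                          JOSE header, or if the object carries a {@code request_uri} claim
     */
    public AuthzEndpointRequestObjectParser(KeycloakSession keycloakSession, String str, ClientModel clientModel) {
        super(keycloakSession);
        this.requestParams = keycloakSession.tokens()
                .decodeClientJWT(str, clientModel, createRequestObjectValidator(keycloakSession), JsonNode.class);
        // A null result is treated as a failed verification: nothing from an
        // unverified object may reach the authorization request.
        if (this.requestParams == null) {
            throw new RuntimeException("Failed to verify signature on 'request' object");
        }
        // A request object must be self-contained; a request_uri claim inside it
        // would point at yet another object, so it is rejected outright.
        if (this.requestParams.has("request_uri")) {
            throw new RuntimeException("The request_uri claim should not be set in the request object");
        }
        keycloakSession.setAttribute(AuthzEndpointRequestParser.AUTHZ_REQUEST_OBJECT, this.requestParams);
    }

    /**
     * Returns the claim {@code str} as a string.
     *
     * @param str claim name
     * @return {@code null} when the claim is absent; the text of a scalar claim;
     *         otherwise the JSON serialization of the object or array claim
     */
    @Override
    protected String getParameter(String str) {
        JsonNode claim = this.requestParams.get(str);
        if (claim == null) {
            return null;
        }
        // NOTE(review): an explicit JSON null is a value node, so it is returned via
        // asText() rather than as Java null; confirm callers tolerate that.
        return claim.isValueNode() ? claim.asText() : claim.toString();
    }

    /**
     * Returns the claim {@code str} parsed as an integer.
     *
     * @param str claim name
     * @return {@code null} when the claim is absent, otherwise its integer value
     * @throws NumberFormatException if the claim is present but is not a decimal integer;
     *                               the value comes from the client-supplied request object,
     *                               so callers should expect this
     */
    @Override
    protected Integer getIntParameter(String str) {
        if (this.requestParams.get(str) == null) {
            return null;
        }
        return Integer.valueOf(getParameter(str));
    }

    /**
     * Returns the names of all top-level claims in the request object.
     *
     * @return a new mutable set of claim names; empty when the object has no fields
     */
    @Override
    protected Set<String> keySet() {
        // The decompiled listing referenced an undefined local (r1) inside the lambda
        // and used raw types; collect directly into a typed set instead.
        Set<String> claimNames = new HashSet<>();
        this.requestParams.fieldNames().forEachRemaining(claimNames::add);
        return claimNames;
    }

    /**
     * Builds the header validator passed to {@code decodeClientJWT}.
     *
     * <p>For a signed object ({@link JWSInput}) the {@code alg} header must be present and,
     * when the client configures a request object signature algorithm, equal to it.
     * For any other JOSE object the header algorithms are compared with the client's
     * configured key-encryption and content-encryption algorithms, and the object is
     * recorded on the session as the encrypted request object.
     *
     * @param keycloakSession session on which an encrypted request object is recorded
     * @return validator that throws {@link RuntimeException} on an algorithm mismatch
     */
    private BiConsumer<JOSE, ClientModel> createRequestObjectValidator(KeycloakSession keycloakSession) {
        return (jose, clientModel) -> {
            if (jose instanceof JWSInput) {
                String headerAlg = jose.getHeader().getRawAlgorithm();
                if (headerAlg == null) {
                    throw new RuntimeException("Request object signed algorithm not specified");
                }
                // NOTE(review): when the client configures no algorithm, any non-null alg
                // header passes this check. Rejection of unsigned ("none") objects has to
                // happen elsewhere; confirm decodeClientJWT or the caller enforces it.
                String expectedSigAlg =
                        OIDCAdvancedConfigWrapper.fromClientModel(clientModel).getRequestObjectSignatureAlg();
                if (expectedSigAlg != null && !expectedSigAlg.equals(headerAlg)) {
                    throw new RuntimeException("Request object signed with different algorithm than client requested algorithm");
                }
                return;
            }

            // Not a JWS: handled as an encrypted (JWE) request object.
            OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientModel(clientModel);
            String expectedEncAlg = clientConfig.getRequestObjectEncryptionAlg();
            if (expectedEncAlg != null && !expectedEncAlg.equals(jose.getHeader().getRawAlgorithm())) {
                throw new RuntimeException("Request object encrypted with different algorithm than client requested algorithm");
            }
            String expectedEncEnc = clientConfig.getRequestObjectEncryptionEnc();
            if (expectedEncEnc != null && !expectedEncEnc.equals(((JWE) jose).getHeader().getEncryptionAlgorithm())) {
                throw new RuntimeException("Request object content encrypted with different algorithm than client requested algorithm");
            }
            keycloakSession.setAttribute(AuthzEndpointRequestParser.AUTHZ_REQUEST_OBJECT_ENCRYPTED, jose);
        };
    }
}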
