package org.keycloak.protocol.oidc.grants.ciba.clientpolicy.executor;

import com.fasterxml.jackson.annotation.JsonProperty;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import org.jboss.logging.Logger;
import org.keycloak.models.KeycloakSession;
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.AdminClientRegisterContext;
import org.keycloak.services.clientpolicy.context.AdminClientUpdateContext;
import org.keycloak.services.clientpolicy.context.DynamicClientRegisterContext;
import org.keycloak.services.clientpolicy.context.DynamicClientUpdateContext;
import org.keycloak.services.clientpolicy.executor.ClientPolicyExecutorProvider;
import org.keycloak.services.clientpolicy.executor.FapiConstant;
import org.keycloak.userprofile.DeclarativeUserProfileProvider;

/* loaded from: input_file:org/keycloak/protocol/oidc/grants/ciba/clientpolicy/executor/SecureCibaAuthenticationRequestSigningAlgorithmExecutor.class */
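/**
 * Client policy executor that constrains the signing algorithm a client may declare for
 * CIBA backchannel authentication requests (client attribute
 * {@code ciba.backchannel.auth.request.signing.alg}).
 *
 * <p>On client REGISTER and UPDATE events the proposed client representation is inspected:
 * <ul>
 *   <li>no algorithm declared: the configured default algorithm is written into the
 *       proposed representation;</li>
 *   <li>algorithm contained in {@code FapiConstant.ALLOWED_ALGORITHMS}: accepted as is;</li>
 *   <li>any other value: the request is rejected with {@code invalid_request}.</li>
 * </ul>
 *
 * <p>The allow-list itself lives in {@code FapiConstant} and is not visible in this file;
 * membership is tested with {@code contains}, so matching is presumably exact and
 * case-sensitive (confirm against {@code FapiConstant}).
 *
 * <p>NOTE(review): accepted, defaulted and rejected algorithms are only logged at TRACE
 * level here. If rejected registrations should be visible to monitoring, that has to come
 * from wherever the thrown {@link ClientPolicyException} is handled; this class does not
 * show it.
 */
public class SecureCibaAuthenticationRequestSigningAlgorithmExecutor
        implements ClientPolicyExecutorProvider<SecureCibaAuthenticationRequestSigningAlgorithmExecutor.Configuration> {
    private static final Logger logger = Logger.getLogger(SecureCibaAuthenticationRequestSigningAlgorithmExecutor.class);
    private final KeycloakSession session;
    private Configuration configuration;
    private static final String sigTarget = "ciba.backchannel.auth.request.signing.alg";
    private static final String DEFAULT_ALGORITHM_VALUE = "PS256";

    /**
     * Executor configuration: the algorithm applied to clients that do not declare one.
     */
    public static class Configuration extends ClientPolicyExecutorConfigurationRepresentation {

        @JsonProperty("default-algorithm")
        protected String defaultAlgorithm;

        /**
         * @return the configured default algorithm, or {@code null} if it was never set
         */
        public String getDefaultAlgorithm() {
            return this.defaultAlgorithm;
        }

        /**
         * Stores the default algorithm, but only if it is on the allow-list.
         *
         * <p>A value that is {@code null} or not allowed is replaced by {@code PS256}, so a
         * misconfigured policy can never weaken the default. The substitution is only
         * reported at TRACE level.
         *
         * @param str the requested default algorithm; may be {@code null}
         */
        public void setDefaultAlgorithm(String str) {
            if (SecureCibaAuthenticationRequestSigningAlgorithmExecutor.isSecureAlgorithm(str)) {
                this.defaultAlgorithm = str;
            } else {
                SecureCibaAuthenticationRequestSigningAlgorithmExecutor.logger.tracev("defaultAlgorithm = {0}, fall back to {1}.", str, DEFAULT_ALGORITHM_VALUE);
                this.defaultAlgorithm = DEFAULT_ALGORITHM_VALUE;
            }
        }
    }

    /**
     * @param keycloakSession the session this executor is bound to; stored but not used by
     *                        the code visible in this class
     */
    public SecureCibaAuthenticationRequestSigningAlgorithmExecutor(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * @return the provider id declared by the matching factory
     */
    public String getProviderId() {
        return SecureCibaAuthenticationRequestSigningAlgorithmExecutorFactory.PROVIDER_ID;
    }

    /**
     * Installs the executor configuration.
     *
     * <p>A {@code null} argument yields a fresh default configuration. Whatever configuration
     * ends up in effect is normalised so that its default algorithm is non-null and on the
     * allow-list. The validation runs on the configuration actually stored, not on the raw
     * argument, so a {@code null} argument no longer causes a {@link NullPointerException}.
     *
     * @param configuration the configuration to apply; may be {@code null}
     */
    public void setupConfiguration(Configuration configuration) {
        Configuration effective = configuration != null ? configuration : createDefaultConfiguration();
        String algorithm = effective.getDefaultAlgorithm();
        if (algorithm == null || !isSecureAlgorithm(algorithm)) {
            effective.setDefaultAlgorithm(DEFAULT_ALGORITHM_VALUE);
        }
        this.configuration = effective;
    }

    /**
     * @return the configuration class used to bind this executor's settings
     */
    public Class<Configuration> getExecutorConfigurationClass() {
        return Configuration.class;
    }

    /**
     * Applies the signing-algorithm policy to client REGISTER and UPDATE events; every other
     * event is ignored.
     *
     * <p>The switch is written directly on the enum. The decompiled form dispatched through
     * a synthetic ordinal table and used an unrelated constant
     * ({@code DeclarativeUserProfileProvider.PROVIDER_PRIORITY}) as the REGISTER case label,
     * which would have silently disabled enforcement on registration if that constant's
     * value ever changed.
     *
     * @param clientPolicyContext the event context
     * @throws ClientPolicyException with {@code invalid_request} if the context is not one of
     *         the admin/dynamic register/update contexts, or if the declared algorithm is
     *         not allowed
     */
    public void executeOnEvent(ClientPolicyContext clientPolicyContext) throws ClientPolicyException {
        switch (clientPolicyContext.getEvent()) {
            case REGISTER:
                if (clientPolicyContext instanceof AdminClientRegisterContext) {
                    verifyAndEnforceSecureSigningAlgorithm(((AdminClientRegisterContext) clientPolicyContext).getProposedClientRepresentation());
                } else if (clientPolicyContext instanceof DynamicClientRegisterContext) {
                    verifyAndEnforceSecureSigningAlgorithm(((DynamicClientRegisterContext) clientPolicyContext).getProposedClientRepresentation());
                } else {
                    // Unknown registration path: fail closed rather than skip the check.
                    throw new ClientPolicyException("invalid_request", "not allowed input format.");
                }
                return;
            case UPDATE:
                if (clientPolicyContext instanceof AdminClientUpdateContext) {
                    verifyAndEnforceSecureSigningAlgorithm(((AdminClientUpdateContext) clientPolicyContext).getProposedClientRepresentation());
                } else if (clientPolicyContext instanceof DynamicClientUpdateContext) {
                    verifyAndEnforceSecureSigningAlgorithm(((DynamicClientUpdateContext) clientPolicyContext).getProposedClientRepresentation());
                } else {
                    // Unknown update path: fail closed rather than skip the check.
                    throw new ClientPolicyException("invalid_request", "not allowed input format.");
                }
                return;
            default:
                return;
        }
    }

    /** Builds a configuration whose default algorithm is {@code PS256}. */
    private Configuration createDefaultConfiguration() {
        Configuration configuration = new Configuration();
        configuration.setDefaultAlgorithm(DEFAULT_ALGORITHM_VALUE);
        return configuration;
    }

    /**
     * Returns the algorithm to apply when a client declares none: the configured default, or
     * {@code PS256} if no configuration (or no default) has been installed yet.
     */
    private String resolveDefaultAlgorithm() {
        Configuration current = this.configuration;
        if (current == null || current.getDefaultAlgorithm() == null) {
            return DEFAULT_ALGORITHM_VALUE;
        }
        return current.getDefaultAlgorithm();
    }

    /**
     * Checks the proposed client's CIBA request signing algorithm and fills in the default
     * when none is declared.
     *
     * @param clientRepresentation the proposed client representation; its attribute map is
     *                             created if absent and updated in place
     * @throws ClientPolicyException with {@code invalid_request} if an algorithm is declared
     *         and it is not on the allow-list
     */
    private void verifyAndEnforceSecureSigningAlgorithm(ClientRepresentation clientRepresentation) throws ClientPolicyException {
        Map<String, String> attributes = clientRepresentation.getAttributes();
        if (attributes == null) {
            attributes = new HashMap<>();
        }
        String declared = attributes.get(sigTarget);
        if (declared == null) {
            String fallback = resolveDefaultAlgorithm();
            logger.tracev("Signing algorithm not specified explicitly, signature target = {0}. set default algorithm = {1}.", sigTarget, fallback);
            attributes.put(sigTarget, fallback);
            clientRepresentation.setAttributes(attributes);
        } else if (isSecureAlgorithm(declared)) {
            logger.tracev("Passed. signature target = {0}, signature algorithm = {1}", sigTarget, declared);
        } else {
            // Any declared value outside the allow-list (including an empty string) is refused.
            logger.tracev("NOT allowed signatureAlgorithm. signature target = {0}, signature algorithm = {1}", sigTarget, declared);
            throw new ClientPolicyException("invalid_request", "not allowed signature algorithm.");
        }
    }

    /**
     * Tells whether {@code str} is on the allow-list {@code FapiConstant.ALLOWED_ALGORITHMS}.
     *
     * <p>The decompiler reports that this method was originally {@code private}; it is kept
     * {@code public} here so the signature of this file does not change.
     *
     * @param str the algorithm name; {@code null} is treated as not allowed
     * @return {@code true} only if {@code str} is non-null and contained in the allow-list
     */
    public static boolean isSecureAlgorithm(String str) {
        // Null guard: some Set implementations throw on contains(null).
        return str != null && FapiConstant.ALLOWED_ALGORITHMS.contains(str);
    }
}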
