package org.keycloak.services.util;

import jakarta.ws.rs.core.UriBuilder;
import jakarta.ws.rs.core.UriInfo;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.codec.binary.Hex;
import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.Time;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.exceptions.TokenVerificationException;
import org.keycloak.http.HttpRequest;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jws.JWSHeader;
import org.keycloak.jose.jws.crypto.HashUtils;
import org.keycloak.models.KeycloakSession;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.dpop.DPoP;
import org.keycloak.util.JWKSUtils;
import org.keycloak.utils.StringUtil;

/* loaded from: input_file:org/keycloak/services/util/DPoPUtil.class */
public class DPoPUtil {
    public static final int DEFAULT_PROOF_LIFETIME = 10;
    public static final int DEFAULT_ALLOWED_CLOCK_SKEW = 2;
    public static final String DPOP_TOKEN_TYPE = "DPoP";
    public static final String DPOP_SCHEME = "DPoP";
    public static final String DPOP_SESSION_ATTRIBUTE = "dpop";
    public static final String DPOP_PARAM = "dpop";
    public static final String DPOP_THUMBPRINT_NOTE = "dpop.thumbprint";
    public static final String DPOP_HTTP_HEADER = "DPoP";
    private static final String DPOP_JWT_HEADER_TYPE = "dpop+jwt";
    private static final String DPOP_ATH_ALG = "RS256";
    public static final Set<String> DPOP_SUPPORTED_ALGS = (Set) Stream.of((Object[]) new String[]{"ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "RS256", "RS384", "RS512"}).collect(Collectors.toSet());

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/keycloak/services/util/DPoPUtil$DPoPAccessTokenHashCheck.class */
    public static class DPoPAccessTokenHashCheck implements TokenVerifier.Predicate<DPoP> {
        private String hash;

        public DPoPAccessTokenHashCheck(String str) {
            this.hash = HashUtils.accessTokenHash("RS256", str, true);
        }

        public boolean test(DPoP dPoP) throws DPoPVerificationException {
            if (dPoP.getAccessTokenHash() == null) {
                throw new DPoPVerificationException(dPoP, "No access token hash in DPoP proof");
            }
            if (dPoP.getAccessTokenHash().equals(this.hash)) {
                return true;
            }
            throw new DPoPVerificationException(dPoP, "DPoP proof access token hash mismatch");
        }
    }

    /* loaded from: input_file:org/keycloak/services/util/DPoPUtil$DPoPBindingCheck.class */
    private static class DPoPBindingCheck implements TokenVerifier.Predicate<AccessToken> {
        private final DPoP proof;

        public DPoPBindingCheck(DPoP dPoP) {
            this.proof = dPoP;
        }

        public boolean test(AccessToken accessToken) throws VerificationException {
            String thumbprint = this.proof.getThumbprint();
            AccessToken.Confirmation confirmation = accessToken.getConfirmation();
            if (confirmation == null) {
                throw new TokenVerificationException(accessToken, "No DPoP confirmation in access token");
            }
            String keyThumbprint = confirmation.getKeyThumbprint();
            if (keyThumbprint == null) {
                throw new TokenVerificationException(accessToken, "No DPoP key thumbprint in access token");
            }
            if (keyThumbprint.equals(thumbprint)) {
                return true;
            }
            throw new TokenVerificationException(accessToken, "DPoP confirmation doesn't match DPoP proof");
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/keycloak/services/util/DPoPUtil$DPoPClaimsCheck.class */
    public static class DPoPClaimsCheck implements TokenVerifier.Predicate<DPoP> {
        static final TokenVerifier.Predicate<DPoP> INSTANCE = new DPoPClaimsCheck();

        private DPoPClaimsCheck() {
        }

        public boolean test(DPoP dPoP) throws DPoPVerificationException {
            Long iat = dPoP.getIat();
            String id = dPoP.getId();
            String httpUri = dPoP.getHttpUri();
            String httpMethod = dPoP.getHttpMethod();
            if (iat != null && StringUtil.isNotBlank(id) && StringUtil.isNotBlank(httpMethod) && StringUtil.isNotBlank(httpUri)) {
                return true;
            }
            throw new DPoPVerificationException(dPoP, "DPoP mandatory claims are missing");
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/keycloak/services/util/DPoPUtil$DPoPHTTPCheck.class */
    public static class DPoPHTTPCheck implements TokenVerifier.Predicate<DPoP> {
        private final URI uri;
        private final String method;

        DPoPHTTPCheck(URI uri, String str) {
            this.uri = uri;
            this.method = str;
        }

        public boolean test(DPoP dPoP) throws DPoPVerificationException {
            try {
                if (!DPoPUtil.normalize(new URI(dPoP.getHttpUri())).equals(DPoPUtil.normalize(this.uri))) {
                    throw new DPoPVerificationException(dPoP, "DPoP HTTP URL mismatch");
                }
                if (this.method.equals(dPoP.getHttpMethod())) {
                    return true;
                }
                throw new DPoPVerificationException(dPoP, "DPoP HTTP method mismatch");
            } catch (URISyntaxException e) {
                throw new DPoPVerificationException(dPoP, "Malformed HTTP URL in DPoP proof");
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/keycloak/services/util/DPoPUtil$DPoPIsActiveCheck.class */
    public static class DPoPIsActiveCheck implements TokenVerifier.Predicate<DPoP> {
        private final int lifetime;
        private final int clockSkew;

        public DPoPIsActiveCheck(KeycloakSession keycloakSession, int i, int i2) {
            this.lifetime = i;
            this.clockSkew = i2;
        }

        public boolean test(DPoP dPoP) throws DPoPVerificationException {
            long currentTime = Time.currentTime();
            Long iat = dPoP.getIat();
            if (iat.longValue() > currentTime + this.clockSkew || iat.longValue() <= currentTime - this.lifetime) {
                throw new DPoPVerificationException(dPoP, "DPoP proof is not active");
            }
            return true;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/keycloak/services/util/DPoPUtil$DPoPReplayCheck.class */
    public static class DPoPReplayCheck implements TokenVerifier.Predicate<DPoP> {
        private final KeycloakSession session;
        private final int lifetime;

        public DPoPReplayCheck(KeycloakSession keycloakSession, int i) {
            this.session = keycloakSession;
            this.lifetime = i;
        }

        public boolean test(DPoP dPoP) throws DPoPVerificationException {
            if (this.session.singleUseObjects().putIfAbsent(Hex.encodeHexString(HashUtils.hash("SHA1", (dPoP.getId() + "\n" + dPoP.getHttpUri()).getBytes())), (int) ((dPoP.getIat().longValue() + this.lifetime) - Time.currentTime()))) {
                return true;
            }
            throw new DPoPVerificationException(dPoP, "DPoP proof has already been used");
        }
    }

    /* loaded from: input_file:org/keycloak/services/util/DPoPUtil$DPoPVerificationException.class */
    public static class DPoPVerificationException extends TokenVerificationException {
        public DPoPVerificationException(DPoP dPoP, String str) {
            super(dPoP, str);
        }
    }

    /* loaded from: input_file:org/keycloak/services/util/DPoPUtil$Mode.class */
    public enum Mode {
        ENABLED,
        OPTIONAL,
        DISABLED
    }

    /* loaded from: input_file:org/keycloak/services/util/DPoPUtil$Validator.class */
    public static class Validator {
        private URI uri;
        private String method;
        private String dPoP;
        private String accessToken;
        private int clockSkew = 2;
        private int lifetime = 10;
        private final KeycloakSession session;

        public Validator(KeycloakSession keycloakSession) {
            this.session = keycloakSession;
        }

        public Validator request(HttpRequest httpRequest) {
            this.uri = httpRequest.getUri().getAbsolutePath();
            this.method = httpRequest.getHttpMethod();
            this.dPoP = httpRequest.getHttpHeaders().getHeaderString("DPoP");
            return this;
        }

        public Validator dPoP(String str) {
            this.dPoP = str;
            return this;
        }

        public Validator accessToken(String str) {
            this.accessToken = str;
            return this;
        }

        public Validator uriInfo(UriInfo uriInfo) {
            this.uri = uriInfo.getAbsolutePath();
            return this;
        }

        public Validator uri(String str) throws URISyntaxException {
            this.uri = new URI(str);
            return this;
        }

        public Validator method(String str) {
            this.method = str;
            return this;
        }

        public DPoP validate() throws VerificationException {
            return DPoPUtil.validateDPoP(this.session, this.uri, this.method, this.dPoP, this.accessToken, this.lifetime, this.clockSkew);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static URI normalize(URI uri) {
        return UriBuilder.fromUri(uri).replaceQuery("").build(new Object[0]);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static DPoP validateDPoP(KeycloakSession keycloakSession, URI uri, String str, String str2, String str3, int i, int i2) throws VerificationException {
        if (str2 == null || str2.trim().equals("")) {
            throw new VerificationException("DPoP proof is missing");
        }
        TokenVerifier create = TokenVerifier.create(str2, DPoP.class);
        try {
            JWSHeader header = create.getHeader();
            if (!DPOP_JWT_HEADER_TYPE.equals(header.getType())) {
                throw new VerificationException("Invalid or missing type in DPoP header: " + header.getType());
            }
            String name = header.getAlgorithm().name();
            if (!DPOP_SUPPORTED_ALGS.contains(name)) {
                throw new VerificationException("Unsupported DPoP algorithm: " + header.getAlgorithm());
            }
            JWK key = header.getKey();
            if (key == null) {
                throw new VerificationException("No JWK in DPoP header");
            }
            KeyWrapper keyWrapper = JWKSUtils.getKeyWrapper(key);
            if (keyWrapper.getPublicKey() == null) {
                throw new VerificationException("No public key in DPoP header");
            }
            if (keyWrapper.getPrivateKey() != null) {
                throw new VerificationException("Private key is present in DPoP header");
            }
            keyWrapper.setAlgorithm(header.getAlgorithm().name());
            create.verifierContext(keycloakSession.getProvider(SignatureProvider.class, name).verifier(keyWrapper));
            create.withChecks(new TokenVerifier.Predicate[]{DPoPClaimsCheck.INSTANCE, new DPoPHTTPCheck(uri, str), new DPoPIsActiveCheck(keycloakSession, i, i2), new DPoPReplayCheck(keycloakSession, i)});
            if (str3 != null) {
                create.withChecks(new TokenVerifier.Predicate[]{new DPoPAccessTokenHashCheck(str3)});
            }
            try {
                DPoP token = create.verify().getToken();
                token.setThumbprint(JWKSUtils.computeThumbprint(key));
                return token;
            } catch (DPoPVerificationException e) {
                throw e;
            } catch (VerificationException e2) {
                throw new VerificationException("DPoP verification failure", e2);
            }
        } catch (VerificationException e3) {
            throw new VerificationException("DPoP header verification failure");
        }
    }

    public static void validateBinding(AccessToken accessToken, DPoP dPoP) throws VerificationException {
        try {
            TokenVerifier.createWithoutSignature(accessToken).withChecks(new TokenVerifier.Predicate[]{new DPoPBindingCheck(dPoP)}).verify();
        } catch (VerificationException e) {
            throw new VerificationException("Token verification failure", e);
        } catch (TokenVerificationException e2) {
            throw e2;
        }
    }

    public static void bindToken(AccessToken accessToken, String str) {
        AccessToken.Confirmation confirmation = accessToken.getConfirmation();
        if (confirmation == null) {
            confirmation = new AccessToken.Confirmation();
            accessToken.setConfirmation(confirmation);
        }
        confirmation.setKeyThumbprint(str);
    }

    public static void bindToken(AccessToken accessToken, DPoP dPoP) {
        bindToken(accessToken, dPoP.getThumbprint());
    }
}
