package org.keycloak.services.clientpolicy.executor;

import com.fasterxml.jackson.annotation.JsonProperty;
import java.util.Optional;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.ClientCRUDContext;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.userprofile.DeclarativeUserProfileProvider;
import org.keycloak.utils.StringUtil;

/* loaded from: input_file:org/keycloak/services/clientpolicy/executor/SecureLogoutExecutor.class */
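/**
 * Client policy executor that restricts front-channel logout.
 *
 * <p>On client {@code REGISTER} and {@code UPDATE} events it rejects a proposed client
 * representation that enables front-channel logout or carries a front-channel logout URL.
 * On {@code LOGOUT_REQUEST} events it rejects logout requests made with the HTTP GET method.
 * Both checks are skipped when the executor configuration explicitly allows front-channel
 * logout.
 *
 * <p>The configuration is read fail-closed: a missing configuration or a {@code null}
 * flag is treated as "not allowed", matching the field default of {@link Boolean#FALSE}.
 */
public class SecureLogoutExecutor implements ClientPolicyExecutorProvider<SecureLogoutExecutor.Configuration> {
    private final KeycloakSession session;
    private Configuration configuration;

    /** Executor configuration; the only setting is whether front-channel logout is allowed. */
    public static class Configuration extends ClientPolicyExecutorConfigurationRepresentation {

        // Defaults to FALSE, so front-channel logout is refused unless explicitly enabled.
        @JsonProperty(SecureLogoutExecutorFactory.ALLOW_FRONT_CHANNEL_LOGOUT)
        protected Boolean allowFrontChannelLogout = Boolean.FALSE;

        /**
         * @return the configured flag; may be {@code null} if it was set to {@code null}
         */
        public Boolean isAllowFrontChannelLogout() {
            return this.allowFrontChannelLogout;
        }

        /**
         * @param bool new value of the flag
         */
        public void setAllowFrontChannelLogout(Boolean bool) {
            this.allowFrontChannelLogout = bool;
        }
    }

    /**
     * @param keycloakSession session used to read the current HTTP request on logout events
     */
    public SecureLogoutExecutor(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * Stores the configuration consulted by {@link #executeOnEvent(ClientPolicyContext)}.
     *
     * @param configuration executor configuration; {@code null} is handled as "not allowed"
     */
    public void setupConfiguration(Configuration configuration) {
        this.configuration = configuration;
    }

    /**
     * @return the configuration class of this executor
     */
    public Class<Configuration> getExecutorConfigurationClass() {
        return Configuration.class;
    }

    /**
     * @return the provider id declared by {@link SecureLogoutExecutorFactory}
     */
    public String getProviderId() {
        return SecureLogoutExecutorFactory.PROVIDER_ID;
    }

    /**
     * Applies the front-channel logout restriction to the given policy event.
     *
     * <p>Events other than {@code REGISTER}, {@code UPDATE} and {@code LOGOUT_REQUEST} are
     * ignored.
     *
     * @param clientPolicyContext context of the event being evaluated
     * @throws ClientPolicyException with error {@code invalid_registration} when front-channel
     *     logout is not allowed and the event configures or uses it
     */
    public void executeOnEvent(ClientPolicyContext clientPolicyContext) throws ClientPolicyException {
        // Compare against the enum constants directly; the decompiled ordinal switch map
        // labelled its cases with unrelated constants that merely share the values 1, 2 and 3.
        ClientPolicyEvent event = clientPolicyContext.getEvent();

        if (event == ClientPolicyEvent.REGISTER || event == ClientPolicyEvent.UPDATE) {
            if (isFrontChannelLogoutAllowed()) {
                return;
            }
            ClientRepresentation proposedClient =
                    ((ClientCRUDContext) clientPolicyContext).getProposedClientRepresentation();
            OIDCAdvancedConfigWrapper oidcConfig =
                    OIDCAdvancedConfigWrapper.fromClientRepresentation(proposedClient);
            // Either signal is enough to reject: the explicit flag or a configured logout URL.
            boolean flagEnabled = Boolean.TRUE.equals(proposedClient.isFrontchannelLogout());
            if (flagEnabled || StringUtil.isNotBlank(oidcConfig.getFrontChannelLogoutUrl())) {
                throwFrontChannelLogoutNotAllowed();
            }
            return;
        }

        if (event == ClientPolicyEvent.LOGOUT_REQUEST) {
            // Only GET logout requests are rejected here; any other HTTP method passes
            // through this executor unchanged.
            String httpMethod = this.session.getContext().getHttpRequest().getHttpMethod();
            if ("GET".equalsIgnoreCase(httpMethod) && !isFrontChannelLogoutAllowed()) {
                throwFrontChannelLogoutNotAllowed();
            }
        }
    }

    /**
     * Reads the configured flag without unboxing a {@code null}.
     *
     * @return {@code true} only when a configuration is present and its flag is
     *     {@link Boolean#TRUE}
     */
    private boolean isFrontChannelLogoutAllowed() {
        return this.configuration != null
                && Boolean.TRUE.equals(this.configuration.isAllowFrontChannelLogout());
    }

    /**
     * @throws ClientPolicyException always, with error {@code invalid_registration}
     */
    private void throwFrontChannelLogoutNotAllowed() throws ClientPolicyException {
        throw new ClientPolicyException("invalid_registration", "Front-channel logout is not allowed for this client");
    }
}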
