package org.keycloak.protocol.oidc.utils;

import java.net.URI;
import java.util.Collection;
import java.util.Set;
import java.util.TreeSet;
import java.util.stream.Collectors;
import org.jboss.logging.Logger;
import org.keycloak.common.util.Encode;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.common.util.UriUtils;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakUriInfo;
import org.keycloak.models.RealmModel;
import org.keycloak.services.Urls;
import org.keycloak.services.resources.Cors;
import org.keycloak.services.util.ResolveRelative;

/* loaded from: input_file:org/keycloak/protocol/oidc/utils/RedirectUtils.class */
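/**
 * Static helpers that check a requested redirect URI against the redirect URIs configured for a
 * client (or, in the deprecated realm-wide variant, for all eligible clients of the realm).
 *
 * <p>All {@code verify*} methods return the redirect URI to use, or {@code null} when the
 * request must be rejected. Callers must treat {@code null} as a validation failure and must not
 * fall back to the unvalidated request parameter.
 */
public class RedirectUtils {
    private static final Logger logger = Logger.getLogger(RedirectUtils.class);

    /** Upper bound on decode passes in {@link #decodeRedirectUri(String)}. */
    private static final int MAX_DECODE_ROUNDS = 5;

    /**
     * Verifies a redirect URI against the redirect URIs of every eligible client in the current
     * realm (see {@link #getValidateRedirectUris(KeycloakSession)}), with no client root URL.
     *
     * @param keycloakSession current session; supplies the realm and request URI
     * @param str requested redirect URI
     * @return the accepted redirect URI, or {@code null} if it is missing or not allowed
     * @deprecated the check is realm-wide rather than bound to one client
     */
    @Deprecated
    public static String verifyRealmRedirectUri(KeycloakSession keycloakSession, String str) {
        return verifyRedirectUri(keycloakSession, null, str, getValidateRedirectUris(keycloakSession), true);
    }

    /**
     * Verifies a redirect URI for a client, requiring the redirect URI parameter to be present.
     *
     * @param keycloakSession current session
     * @param str requested redirect URI
     * @param clientModel client whose root URL and redirect URIs are used
     * @return the accepted redirect URI, or {@code null} if rejected or {@code clientModel} is null
     */
    public static String verifyRedirectUri(KeycloakSession keycloakSession, String str, ClientModel clientModel) {
        return verifyRedirectUri(keycloakSession, str, clientModel, true);
    }

    /**
     * Verifies a redirect URI for a client.
     *
     * @param keycloakSession current session
     * @param str requested redirect URI
     * @param clientModel client whose root URL and redirect URIs are used
     * @param z when {@code false} and no redirect URI was requested, the client's single
     *     configured redirect URI (if there is exactly one) is used instead
     * @return the accepted redirect URI, or {@code null} if rejected or {@code clientModel} is null
     */
    public static String verifyRedirectUri(KeycloakSession keycloakSession, String str, ClientModel clientModel, boolean z) {
        if (clientModel == null) {
            return null;
        }
        return verifyRedirectUri(keycloakSession, clientModel.getRootUrl(), str, clientModel.getRedirectUris(), z);
    }

    /**
     * Resolves the configured redirect URIs into the set that requests are matched against.
     *
     * <p>Entries starting with {@code "/"} are made absolute via
     * {@link #relativeToAbsoluteURI(KeycloakSession, String, String)}. The result is ordered
     * longest entry first, with equal-length entries in natural string order, so iteration
     * reaches longer entries before shorter ones.
     *
     * @param keycloakSession current session
     * @param str client root URL, may be {@code null}
     * @param set configured redirect URIs
     * @return the resolved entries, longest first
     */
    public static Set<String> resolveValidRedirects(KeycloakSession keycloakSession, String str, Set<String> set) {
        // Typed set: with a raw TreeSet the comparator lambda's parameters are Object and
        // the length()/compareTo calls do not compile.
        Set<String> resolved = new TreeSet<>((left, right) -> {
            if (left.length() == right.length()) {
                return left.compareTo(right);
            }
            return left.length() < right.length() ? 1 : -1;
        });
        for (String configured : set) {
            String entry = configured;
            if (entry.startsWith("/")) {
                entry = relativeToAbsoluteURI(keycloakSession, str, entry);
                logger.debugv("replacing relative valid redirect with: {0}", entry);
            }
            resolved.add(entry);
        }
        return resolved;
    }

    /**
     * Collects the resolved redirect URIs of all clients in the current realm that are enabled,
     * use the {@code openid-connect} protocol, are not bearer-only, and have the standard or the
     * implicit flow enabled.
     *
     * @param keycloakSession current session
     * @return the union of those clients' resolved redirect URIs
     */
    @Deprecated
    private static Set<String> getValidateRedirectUris(KeycloakSession keycloakSession) {
        // The casts below are kept from the decompiled source; they are redundant if the
        // provider method is declared with full generic types.
        return (Set) keycloakSession.clients().getAllRedirectUrisOfEnabledClients(keycloakSession.getContext().getRealm()).entrySet().stream().filter(entry -> {
            ClientModel client = (ClientModel) entry.getKey();
            return client.isEnabled()
                    && "openid-connect".equals(client.getProtocol())
                    && !client.isBearerOnly()
                    && (client.isStandardFlowEnabled() || client.isImplicitFlowEnabled());
        }).map(entry2 -> {
            return resolveValidRedirects(keycloakSession, ((ClientModel) entry2.getKey()).getRootUrl(), (Set) entry2.getValue());
        }).flatMap((v0) -> {
            return v0.stream();
        }).collect(Collectors.toSet());
    }

    /**
     * Core redirect URI check.
     *
     * <p>Steps, in order:
     * <ol>
     *   <li>No requested URI: if {@code z} is {@code false}, fall back to the single configured
     *       entry; otherwise reject.</li>
     *   <li>No configured entries: reject.</li>
     *   <li>Parse the raw value, then the repeatedly-decoded value; reject if either fails.</li>
     *   <li>Match the decoded, normalized URI against the resolved entries with wildcards
     *       enabled; for {@code http://localhost} / {@code http://127.0.0.1} retry once with the
     *       port removed.</li>
     *   <li>If still unmatched, try an exact (non-wildcard) match of the normalized raw URI.</li>
     *   <li>Reject a match whose scheme is neither http nor https unless the matched entry
     *       itself starts with that scheme.</li>
     * </ol>
     * The value returned on success is the normalized <em>raw</em> URI (made absolute if it was
     * relative), not the decoded form. The {@code urn:ietf:wg:oauth:2.0:oob} value is replaced by
     * the realm's installed-app callback URL.
     *
     * @param keycloakSession current session
     * @param str client root URL, may be {@code null}
     * @param str2 requested redirect URI, may be {@code null}
     * @param set configured redirect URIs
     * @param z whether the redirect URI parameter is required (no single-entry fallback)
     * @return the redirect URI to use, or {@code null} if the request must be rejected
     */
    public static String verifyRedirectUri(KeycloakSession keycloakSession, String str, String str2, Set<String> set, boolean z) {
        KeycloakUriInfo uriInfo = keycloakSession.getContext().getUri();
        RealmModel realm = keycloakSession.getContext().getRealm();
        String result;
        if (str2 == null) {
            result = z ? null : getSingleValidRedirectUri(set);
            if (result == null) {
                logger.debug("No Redirect URI parameter specified");
                return null;
            }
        } else if (set.isEmpty()) {
            logger.debug("No Redirect URIs supplied");
            result = null;
        } else {
            URI originalUri = toUri(str2);
            if (originalUri == null) {
                return null;
            }
            // Matching with wildcards runs on the decoded form so that percent-encoding in the
            // request cannot hide characters from the comparison.
            URI decodedUri = toUri(decodeRedirectUri(str2));
            String decodedNormalized = getNormalizedRedirectUri(decodedUri);
            if (decodedNormalized == null) {
                return null;
            }
            Set<String> validRedirects = resolveValidRedirects(keycloakSession, str, set);
            String matched = matchesRedirects(validRedirects, decodedNormalized, true);
            if (matched == null
                    && (decodedNormalized.startsWith("http://localhost") || decodedNormalized.startsWith("http://127.0.0.1"))) {
                // Both prefixes are 16 characters long, so one offset serves either form.
                // NOTE(review): these are string-prefix tests and the ':' search is not limited
                // to the authority part; the port-stripped form must still match a configured
                // entry below. Confirm this is the intended scope of the loopback exception.
                int colon = decodedNormalized.indexOf(':', "http://localhost".length());
                if (colon >= 0) {
                    StringBuilder withoutPort = new StringBuilder();
                    withoutPort.append(decodedNormalized.substring(0, colon));
                    int pathStart = decodedNormalized.indexOf('/', colon);
                    if (pathStart >= 0) {
                        withoutPort.append(decodedNormalized.substring(pathStart));
                    }
                    matched = matchesRedirects(validRedirects, withoutPort.toString(), true);
                }
            }
            String originalNormalized = getNormalizedRedirectUri(originalUri);
            if (matched == null) {
                // Last resort: the raw (undecoded) form must equal a configured entry exactly.
                matched = matchesRedirects(validRedirects, originalNormalized, false);
            }
            if (matched != null && !originalUri.isAbsolute()) {
                if (!originalNormalized.startsWith("/")) {
                    originalNormalized = "/" + originalNormalized;
                }
                originalNormalized = relativeToAbsoluteURI(keycloakSession, str, originalNormalized);
            }
            // A non-http(s) scheme is only accepted when the matched entry names that scheme
            // itself; a match obtained through a scheme-less entry does not authorize it.
            String scheme = decodedUri.getScheme();
            if (matched != null
                    && scheme != null
                    && !matched.startsWith(scheme + ":")
                    && !"http".equalsIgnoreCase(scheme)
                    && !"https".equalsIgnoreCase(scheme)) {
                logger.debugf("Invalid URI because scheme is not allowed: %s", originalNormalized);
                matched = null;
            }
            result = matched != null ? originalNormalized : null;
        }
        if ("urn:ietf:wg:oauth:2.0:oob".equals(result)) {
            return Urls.realmInstalledAppUrnCallback(uriInfo.getBaseUri(), realm.getName()).toString();
        }
        return result;
    }

    /**
     * Parses a string into a {@link URI}, logging instead of throwing on failure.
     *
     * @param str value to parse, may be {@code null}
     * @return the parsed URI, or {@code null} if {@code str} is null or cannot be parsed
     */
    private static URI toUri(String str) {
        if (str == null) {
            return null;
        }
        try {
            return URI.create(str);
        } catch (IllegalArgumentException e) {
            logger.debug("Invalid redirect uri", e);
        } catch (Exception e2) {
            logger.debug("Unexpected error when parsing redirect uri", e2);
        }
        return null;
    }

    /**
     * Returns the string form of {@link URI#normalize()}, or {@code null} for a null URI.
     */
    private static String getNormalizedRedirectUri(URI uri) {
        return uri == null ? null : uri.normalize().toString();
    }

    /**
     * Decodes the redirect URI until a decode pass no longer changes it.
     *
     * <p>Query, fragment and user-info are set aside before decoding and re-attached unchanged
     * afterwards. If the value is still changing after {@link #MAX_DECODE_ROUNDS} passes, or the
     * URI builder / decoder rejects it, the result is {@code null} and the caller rejects the
     * request.
     *
     * @param str requested redirect URI, may be {@code null}
     * @return the decoded URI string, or {@code null} if it could not be decoded to a stable form
     */
    private static String decodeRedirectUri(String str) {
        if (str == null) {
            return null;
        }
        try {
            KeycloakUriBuilder builder = KeycloakUriBuilder.fromUri(str, false).preserveDefaultPort();
            String query = builder.getQuery();
            String fragment = builder.getFragment();
            String userInfo = builder.getUserInfo();
            String current = builder.replaceQuery((String) null).fragment((String) null).userInfo((String) null).buildAsString(new Object[0]);
            for (int round = 0; round < MAX_DECODE_ROUNDS; round++) {
                String decoded = Encode.decode(current);
                if (decoded.equals(current)) {
                    // Stable: nothing left to decode, so rebuild with the parts set aside above.
                    return KeycloakUriBuilder.fromUri(decoded, false).preserveDefaultPort().replaceQuery(query).fragment(fragment).userInfo(userInfo).buildAsString(new Object[0]);
                }
                current = decoded;
            }
        } catch (IllegalArgumentException e) {
            logger.debugf("Illegal redirect URI used: %s, Details: %s", str, e.getMessage());
        }
        logger.debugf("Was not able to decode redirect URI: %s", str);
        return null;
    }

    /**
     * Prefixes a relative path with the client's resolved root URL, or with the origin of the
     * request's base URI when no root URL is available.
     *
     * @param keycloakSession current session
     * @param str client root URL, may be {@code null}
     * @param str2 relative path, appended as-is
     * @return the concatenation of the chosen base and {@code str2}
     */
    private static String relativeToAbsoluteURI(KeycloakSession keycloakSession, String str, String str2) {
        String base = str;
        if (base != null) {
            base = ResolveRelative.resolveRootUrl(keycloakSession, base);
        }
        if (base == null || base.isEmpty()) {
            base = UriUtils.getOrigin(keycloakSession.getContext().getUri().getBaseUri());
        }
        return base + str2;
    }

    /**
     * Removes user-info, query and fragment from a URI so that only scheme, host, port and path
     * take part in wildcard prefix matching.
     */
    private static String stripOffRedirectForWildcard(String str) {
        return KeycloakUriBuilder.fromUri(str, false).preserveDefaultPort().userInfo((String) null).replaceQuery((String) null).fragment((String) null).buildAsString(new Object[0]);
    }

    /**
     * Finds the first configured entry that accepts the given redirect URI.
     *
     * <p>An entry that ends with {@code Cors.ACCESS_CONTROL_ALLOW_ORIGIN_WILDCARD} and contains
     * no {@code '?'} is treated as a wildcard entry when {@code z} is {@code true}: its last
     * character is dropped and the rest is compared as a prefix of the redirect URI with
     * user-info, query and fragment removed. Any other entry must equal the redirect URI exactly.
     *
     * <p>The wildcard comparison is a plain string prefix test; nothing here requires the prefix
     * to end at a host or path boundary. Configured wildcard entries should therefore carry a
     * {@code '/'} before the wildcard so the match cannot extend the host name.
     *
     * @param set resolved configured entries
     * @param str redirect URI to check
     * @param z whether wildcard entries may be used
     * @return the matching entry (without its wildcard character), or {@code null} if none matches
     */
    private static String matchesRedirects(Set<String> set, String str, boolean z) {
        logger.tracef("matchesRedirects: redirect URL to check: %s, allow wildcards: %b, Configured valid redirect URLs: %s", str, Boolean.valueOf(z), set);
        for (String pattern : set) {
            if (pattern.endsWith(Cors.ACCESS_CONTROL_ALLOW_ORIGIN_WILDCARD) && !pattern.contains("?") && z) {
                String candidate = stripOffRedirectForWildcard(str);
                int prefixLength = pattern.length() - 1;
                String prefix = pattern.substring(0, prefixLength);
                if (candidate.startsWith(prefix)) {
                    return prefix;
                }
                // "base/*" also accepts exactly "base" (the prefix without its trailing slash).
                if (prefixLength - 1 > 0 && prefix.charAt(prefixLength - 1) == '/') {
                    prefixLength--;
                }
                String trimmed = prefix.substring(0, prefixLength);
                if (trimmed.equals(candidate)) {
                    return trimmed;
                }
            } else if (pattern.equals(str)) {
                return pattern;
            }
        }
        return null;
    }

    /**
     * Returns the only configured redirect URI, truncated at its first {@code "/*"}, or
     * {@code null} unless the collection holds exactly one entry.
     */
    private static String getSingleValidRedirectUri(Collection<String> collection) {
        if (collection.size() != 1) {
            return null;
        }
        return validateRedirectUriWildcard(collection.iterator().next());
    }

    /**
     * Truncates a configured redirect URI at the first occurrence of {@code "/*"}.
     *
     * @param str configured redirect URI, may be {@code null}
     * @return the part before the first {@code "/*"}, the input unchanged if there is none, or
     *     {@code null} for a null input
     */
    public static String validateRedirectUriWildcard(String str) {
        if (str == null) {
            return null;
        }
        int wildcardStart = str.indexOf("/*");
        return wildcardStart > -1 ? str.substring(0, wildcardStart) : str;
    }

    /**
     * Returns the first element of the collection, truncated at its first {@code "/*"}, or
     * {@code null} if the collection yields no element.
     */
    private static String getFirstValidRedirectUri(Collection<String> collection) {
        String first = collection.stream().findFirst().orElse(null);
        if (first == null) {
            return null;
        }
        return validateRedirectUriWildcard(first);
    }

    /**
     * Resolves the configured redirect URIs and returns the first one in resolved order (the
     * longest entry, see {@link #resolveValidRedirects}), truncated at its first {@code "/*"}.
     *
     * @param keycloakSession current session
     * @param str client root URL, may be {@code null}
     * @param set configured redirect URIs
     * @return the first resolved redirect URI, or {@code null} if there is none
     */
    public static String getFirstValidRedirectUri(KeycloakSession keycloakSession, String str, Set<String> set) {
        return getFirstValidRedirectUri(resolveValidRedirects(keycloakSession, str, set));
    }
}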
