package org.gluu.oxauth.revoke;

import java.util.Objects;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.Path;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.commons.lang.StringUtils;
import org.gluu.oxauth.audit.ApplicationAuditLogger;
import org.gluu.oxauth.model.audit.Action;
import org.gluu.oxauth.model.audit.OAuth2AuditLog;
import org.gluu.oxauth.model.common.AuthorizationGrant;
import org.gluu.oxauth.model.common.AuthorizationGrantList;
import org.gluu.oxauth.model.common.TokenTypeHint;
import org.gluu.oxauth.model.error.ErrorResponseFactory;
import org.gluu.oxauth.model.registration.Client;
import org.gluu.oxauth.model.session.SessionClient;
import org.gluu.oxauth.model.token.TokenRevocationErrorResponseType;
import org.gluu.oxauth.security.Identity;
import org.gluu.oxauth.service.ClientService;
import org.gluu.oxauth.service.GrantService;
import org.gluu.oxauth.service.external.ExternalRevokeTokenService;
import org.gluu.oxauth.service.external.context.RevokeTokenContext;
import org.gluu.oxauth.util.ServerUtil;
import org.slf4j.Logger;

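/**
 * Token revocation endpoint (RFC 7009).
 *
 * <p>Apart from a malformed request, every outcome is answered with HTTP 200 and no-cache
 * headers, whether or not a token was actually revoked. The caller is not told whether the token
 * exists, which client it was issued to, or whether a custom script vetoed the revocation; the
 * reason is written to the trace log and an audit entry is sent for each such response.
 *
 * <p>Stateless apart from the injected collaborators.
 */
@Path("/")
public class RevokeRestWebServiceImpl implements RevokeRestWebService {

    @Inject
    private Logger log;

    @Inject
    private ApplicationAuditLogger applicationAuditLogger;

    @Inject
    private Identity identity;

    @Inject
    private AuthorizationGrantList authorizationGrantList;

    @Inject
    private GrantService grantService;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private ClientService clientService;

    @Inject
    private ExternalRevokeTokenService externalRevokeTokenService;

    /**
     * Revokes the grant behind an access or refresh token on behalf of a client.
     *
     * @param token           the token to revoke; required
     * @param tokenTypeHint   optional hint ({@code access_token} or {@code refresh_token}); any
     *                        other value makes the lookup try access tokens first, then refresh
     *                        tokens
     * @param clientId        the {@code client_id} parameter, consulted only when the caller did
     *                        not authenticate; such a client must be public
     * @param httpRequest     source of the audit-log IP address and of the custom-script context
     * @param httpResponse    not used by this implementation
     * @param securityContext only used to record whether the request arrived over a secure
     *                        channel
     * @return 200 OK with no-cache headers for every processed request, revoked or not
     * @throws WebApplicationException 400 {@code invalid_request} when {@code token} is blank
     */
    @Override
    public Response requestAccessToken(String token, String tokenTypeHint, String clientId,
            HttpServletRequest httpRequest, HttpServletResponse httpResponse,
            SecurityContext securityContext) {
        // The token is a bearer credential: log the hint and transport only, never the value.
        log.debug("Attempting to revoke token: tokenTypeHint = {}, isSecure = {}",
                tokenTypeHint, securityContext.isSecure());
        OAuth2AuditLog auditLog =
                new OAuth2AuditLog(ServerUtil.getIpAddress(httpRequest), Action.TOKEN_REVOCATION);
        // A blank token is rejected with 400 before any audit entry is sent.
        validateToken(token);
        Response.ResponseBuilder ok = Response.ok();

        Client client = resolveClient(clientId);
        if (client == null) {
            return response(ok, auditLog);
        }
        auditLog.setClientId(client.getClientId());

        AuthorizationGrant grant = findGrant(client, tokenTypeHint, token);
        if (grant == null) {
            log.trace("Unable to find token.");
            return response(ok, auditLog);
        }
        // A client may only revoke tokens issued to itself. Null-safe comparison so that a grant
        // without a client id is skipped instead of surfacing as a 500.
        if (!Objects.equals(grant.getClientId(), client.getClientId())) {
            log.trace("Token was issued with client {} but revoke is requested with client {}. Skip revoking.",
                    grant.getClientId(), client.getClientId());
            return response(ok, auditLog);
        }
        // The custom script receives the response builder and may both veto the revocation and
        // customise the response.
        if (!externalRevokeTokenService.revokeTokenMethods(
                new RevokeTokenContext(httpRequest, client, grant, ok))) {
            log.trace("Revoke is forbidden by 'Revoke Token' custom script (method returned false). Exit without revoking.");
            return response(ok, auditLog);
        }
        // Revocation is per grant: every token sharing the grant id is removed, not only the one
        // that was presented.
        grantService.removeAllByGrantId(grant.getGrantId());
        log.trace("Revoked successfully.");
        return response(ok, auditLog);
    }

    /**
     * Determines the client on whose behalf the revocation is requested.
     *
     * <p>An authenticated client (present on the session) is used as-is. Otherwise the
     * {@code client_id} parameter is looked up and accepted only when that client is public, so
     * an unauthenticated caller cannot act for a confidential client. The null check precedes
     * {@code isPublic} so an unknown client id is traced rather than passed on as {@code null}.
     *
     * @param clientId the {@code client_id} request parameter; may be {@code null}
     * @return the client to revoke for, or {@code null} when revocation must be skipped (the
     *         reason has already been traced)
     */
    private Client resolveClient(String clientId) {
        SessionClient sessionClient = identity.getSessionClient();
        Client authenticated = sessionClient != null ? sessionClient.getClient() : null;
        if (authenticated != null) {
            return authenticated;
        }
        Client requested = clientService.getClient(clientId);
        if (requested == null) {
            log.trace("Client is unknown. Skip revoking.");
            return null;
        }
        if (!clientService.isPublic(requested)) {
            log.trace("Client is not public and not authenticated. Skip revoking.");
            return null;
        }
        return requested;
    }

    /**
     * Looks up the grant a token belongs to, guided by the type hint.
     *
     * <p>With an explicit {@code access_token} or {@code refresh_token} hint only that kind is
     * searched; with no or an unrecognised hint the access-token lookup is tried first and the
     * refresh-token lookup second. NOTE(review): RFC 7009 section 2.1 asks servers to extend the
     * search to other token types when the hinted lookup fails; this implementation does not.
     *
     * @param client        the requesting client; its id scopes the refresh-token lookup
     * @param tokenTypeHint raw hint value, possibly {@code null}
     * @param token         the token to resolve
     * @return the matching grant, or {@code null} when none is found
     */
    private AuthorizationGrant findGrant(Client client, String tokenTypeHint, String token) {
        TokenTypeHint hint = TokenTypeHint.getByValue(tokenTypeHint);
        if (hint == TokenTypeHint.ACCESS_TOKEN) {
            return authorizationGrantList.getAuthorizationGrantByAccessToken(token);
        }
        if (hint == TokenTypeHint.REFRESH_TOKEN) {
            return authorizationGrantList.getAuthorizationGrantByRefreshToken(client.getClientId(), token);
        }
        AuthorizationGrant grant = authorizationGrantList.getAuthorizationGrantByAccessToken(token);
        if (grant == null) {
            grant = authorizationGrantList.getAuthorizationGrantByRefreshToken(client.getClientId(), token);
        }
        return grant;
    }

    /**
     * Rejects a blank token with a 400 {@code invalid_request} JSON error.
     *
     * @param token the token parameter as received
     * @throws WebApplicationException when {@code token} is null, empty or whitespace
     */
    private void validateToken(String token) {
        if (StringUtils.isBlank(token)) {
            throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST.getStatusCode())
                    .type(MediaType.APPLICATION_JSON_TYPE)
                    .entity(errorResponseFactory.errorAsJson(TokenRevocationErrorResponseType.INVALID_REQUEST,
                            "Failed to validate token."))
                    .build());
        }
    }

    /**
     * Finalises a response: adds no-store/no-cache headers, sends the audit entry and builds it.
     *
     * @param responseBuilder the builder to finish, possibly already customised by a script
     * @param auditLog        the audit entry for this request
     * @return the built response
     */
    private Response response(Response.ResponseBuilder responseBuilder, OAuth2AuditLog auditLog) {
        // Responses on this endpoint must never be cached by intermediaries or the client.
        responseBuilder.cacheControl(ServerUtil.cacheControl(true, false));
        responseBuilder.header("Pragma", "no-cache");
        applicationAuditLogger.sendMessage(auditLog);
        return responseBuilder.build();
    }
}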
