package org.xdi.oxauth.session.ws.rs;

import com.google.common.collect.Sets;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.commons.lang.StringUtils;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Identity;
import org.xdi.oxauth.model.common.AuthorizationGrant;
import org.xdi.oxauth.model.common.AuthorizationGrantList;
import org.xdi.oxauth.model.common.SessionState;
import org.xdi.oxauth.model.config.Constants;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.registration.Client;
import org.xdi.oxauth.model.session.EndSessionErrorResponseType;
import org.xdi.oxauth.model.session.EndSessionParamsValidator;
import org.xdi.oxauth.model.util.Util;
import org.xdi.oxauth.service.ClientService;
import org.xdi.oxauth.service.RedirectionUriService;
import org.xdi.oxauth.service.SessionStateService;
import org.xdi.oxauth.service.external.ExternalApplicationSessionService;
import org.xdi.oxauth.util.RedirectUri;
import org.xdi.oxauth.util.RedirectUtil;
import org.xdi.oxauth.util.ServerUtil;
import org.xdi.util.Pair;
import org.xdi.util.StringHelper;

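@Name("endSessionRestWebService")
/* loaded from: input_file:org/xdi/oxauth/session/ws/rs/EndSessionRestWebServiceImpl.class */
/**
 * OpenID Connect end-session (RP-initiated logout) endpoint.
 *
 * <p>Flow: the {@code id_token_hint} is resolved to an authorization grant, the server-side
 * session (from the {@code session_state} parameter or the session cookie) is removed, any
 * external end-session scripts run, all tokens of the grant are revoked and the Seam identity
 * is logged out. The response is then either an HTML page that triggers front-channel logout
 * at every RP of the session via hidden iframes and redirects with script to the validated
 * {@code post_logout_redirect_uri} ({@link #HTTP_BASED} is {@code true}), or a plain redirect.
 *
 * <p>Security notes: {@code post_logout_redirect_uri} is only used after
 * {@link RedirectionUriService#validatePostLogoutRedirectUri} accepted it for the client that
 * owns the grant; the caller-supplied {@code state} and the RP logout URIs are percent-encoded
 * when placed into a query string and escaped for the HTML attribute / JavaScript string
 * context they are rendered into, so a crafted value cannot break out of the generated page.
 */
public class EndSessionRestWebServiceImpl implements EndSessionRestWebService {

    /**
     * {@code true}: respond with the iframe-based HTML logout page ({@link #httpBased});
     * {@code false}: respond with a 302 to the post-logout URI ({@link #simpleLogout}).
     */
    private static final boolean HTTP_BASED = true;

    /** One hidden iframe per RP logout URI; the {@code %s} argument must already be HTML-escaped. */
    private static final String IFRAME_TEMPLATE = "<iframe height=\"0\" width=\"0\" src=\"%s\"></iframe>";

    @Logger
    private Log log;

    @In
    private ErrorResponseFactory errorResponseFactory;

    @In
    private RedirectionUriService redirectionUriService;

    @In
    private AuthorizationGrantList authorizationGrantList;

    @In
    private ExternalApplicationSessionService externalApplicationSessionService;

    @In
    private SessionStateService sessionStateService;

    @In
    private ClientService clientService;

    // optional: absent when the request is not bound to a Seam identity
    @In(required = false)
    private Identity identity;

    /**
     * Handles an end-session request.
     *
     * @param idTokenHint           {@code id_token_hint}; must identify an existing grant
     * @param postLogoutRedirectUri {@code post_logout_redirect_uri}, validated against the client's registration
     * @param state                 opaque {@code state} echoed back on the post-logout redirect
     * @param sessionState          {@code session_state}; falls back to the session cookie when empty
     * @param httpServletRequest    current request (cookie source, redirect construction)
     * @param httpServletResponse   current response (session cookie is cleared on it)
     * @param securityContext       JAX-RS security context, used only for logging
     * @return the logout page (HTML) or redirect response
     */
    @Override // org.xdi.oxauth.session.ws.rs.EndSessionRestWebService
    public Response requestEndSession(String idTokenHint, String postLogoutRedirectUri, String state, String sessionState,
            HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SecurityContext securityContext) {
        this.log.debug("Attempting to end session, idTokenHint: {0}, postLogoutRedirectUri: {1}, sessionState: {2}, Is Secure = {3}",
                new Object[]{idTokenHint, postLogoutRedirectUri, sessionState, Boolean.valueOf(securityContext.isSecure())});
        EndSessionParamsValidator.validateParams(idTokenHint, this.errorResponseFactory);

        Pair<SessionState, AuthorizationGrant> ended =
                endSession(idTokenHint, sessionState, httpServletRequest, httpServletResponse, securityContext);
        return HTTP_BASED
                ? httpBased(postLogoutRedirectUri, state, ended)
                : simpleLogout(postLogoutRedirectUri, state, httpServletRequest, ended);
    }

    /**
     * Builds the HTML logout page: one hidden iframe per RP logout URI plus an onload redirect
     * to the validated post-logout URI (if any).
     *
     * @param postLogoutRedirectUri raw {@code post_logout_redirect_uri} from the request
     * @param state                 raw {@code state} from the request, may be {@code null}
     * @param pair                  removed session (may be {@code null}) and the grant being ended
     * @return 200 text/html response with no-cache headers
     */
    public Response httpBased(String postLogoutRedirectUri, String state, Pair<SessionState, AuthorizationGrant> pair) {
        String clientId = pair.getSecond().getClient().getClientId();
        // only a URI registered for the grant's client is ever rendered into the page
        String validatedRedirectUri = this.redirectionUriService.validatePostLogoutRedirectUri(clientId, postLogoutRedirectUri);
        String page = constructPage(getRpLogoutUris(pair), validatedRedirectUri, state);
        this.log.debug("Constructed http logout page: " + page, new Object[0]);
        return noCacheOk()
                .type(MediaType.TEXT_HTML_TYPE)
                .entity(page)
                .build();
    }

    /**
     * Non-HTML variant (used when {@link #HTTP_BASED} is {@code false}): 302 to the validated
     * post-logout URI with {@code state} attached, or a bare 200 when no URI was requested.
     *
     * @throws RuntimeException via {@link ErrorResponseFactory#throwBadRequestException} when a
     *                          URI was supplied but is not registered for the client
     */
    private Response simpleLogout(String postLogoutRedirectUri, String state, HttpServletRequest httpServletRequest,
            Pair<SessionState, AuthorizationGrant> pair) {
        if (Util.isNullOrEmpty(postLogoutRedirectUri)) {
            return noCacheOk().build();
        }
        String clientId = pair.getSecond().getClient().getClientId();
        String validatedRedirectUri = this.redirectionUriService.validatePostLogoutRedirectUri(clientId, postLogoutRedirectUri);
        if (StringUtils.isNotBlank(validatedRedirectUri)) {
            RedirectUri redirectUri = new RedirectUri(validatedRedirectUri);
            if (StringUtils.isNotBlank(state)) {
                redirectUri.addResponseParameter("state", state);
            }
            return RedirectUtil.getRedirectResponseBuilder(redirectUri, httpServletRequest).build();
        }
        this.errorResponseFactory.throwBadRequestException(EndSessionErrorResponseType.INVALID_REQUEST);
        // reached only if the factory did not throw; keep the previous fallback of a plain 200
        return noCacheOk().build();
    }

    /**
     * Ends the session behind {@code idTokenHint}: removes the server-side session, runs the
     * external end-session scripts (if enabled), revokes all tokens of the grant and logs the
     * Seam identity out. Parameter validation is done by the caller.
     *
     * @return the removed session ({@code null} if none could be resolved) and the grant
     * @throws RuntimeException via {@link ErrorResponseFactory#throwUnauthorizedException} when the
     *                          grant is unknown or an external end-session script reports failure
     */
    private Pair<SessionState, AuthorizationGrant> endSession(String idTokenHint, String sessionStateParam,
            HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SecurityContext securityContext) {
        AuthorizationGrant grant = this.authorizationGrantList.getAuthorizationGrantByIdToken(idTokenHint);
        if (grant == null) {
            this.log.info("Failed to find out authorization grant for id_token_hint '{0}'", new Object[]{idTokenHint});
            // expected to throw; nothing below is safe to run with a null grant
            this.errorResponseFactory.throwUnauthorizedException(EndSessionErrorResponseType.INVALID_GRANT);
        }

        // the session is removed before the external scripts run, so a script failure still leaves
        // the session gone (but the tokens unrevoked) — this mirrors the original ordering
        SessionState removedSessionState = removeSessionState(sessionStateParam, httpServletRequest, httpServletResponse);

        if (this.externalApplicationSessionService.isEnabled()) {
            boolean externalResult = this.externalApplicationSessionService.executeExternalEndSessionMethods(httpServletRequest, grant);
            // format string previously had two placeholders for three arguments, dropping the result
            this.log.info("End session result for '{0}' ({1}): '{2}'",
                    new Object[]{grant.getUser().getUserId(), Constants.RESULT_LOGOUT, Boolean.valueOf(externalResult)});
            if (!externalResult) {
                this.errorResponseFactory.throwUnauthorizedException(EndSessionErrorResponseType.INVALID_GRANT);
            }
        }

        grant.revokeAllTokens();
        if (this.identity != null) {
            this.identity.logout();
        }
        return new Pair<>(removedSessionState, grant);
    }

    /**
     * Collects the front-channel logout URIs of every client that took part in the session plus
     * the grant's own client. Clients that require it get {@code sid=<session id>} appended.
     *
     * @return possibly empty set of logout URIs (raw, not yet HTML-escaped)
     */
    private Set<String> getRpLogoutUris(Pair<SessionState, AuthorizationGrant> pair) {
        Set<String> logoutUris = new HashSet<>();
        SessionState sessionState = pair.getFirst();
        if (sessionState == null) {
            this.log.error("session_state is not passed to endpoint (as cookie or manually). Therefore unable to match clients for session_state.Http based html will contain no iframes.", new Object[0]);
            return logoutUris;
        }

        Set<Client> clients;
        if (sessionState.getPermissionGrantedMap() != null) {
            clients = this.clientService.getClient((Collection<String>) sessionState.getPermissionGrantedMap().getClientIds(true), true);
        } else {
            clients = new HashSet<>();
        }
        clients.add(pair.getSecond().getClient());

        for (Client client : clients) {
            String logoutUri = client.getLogoutUri();
            if (Util.isNullOrEmpty(logoutUri)) {
                continue;
            }
            if (Boolean.TRUE.equals(client.getLogoutSessionRequired())) {
                logoutUri = appendQueryParam(logoutUri, "sid", sessionState.getId());
            }
            logoutUris.add(logoutUri);
        }
        return logoutUris;
    }

    /**
     * Resolves the session from {@code sessionStateParam} (or the cookie when that is empty),
     * removes it from the store and always clears the session cookie on the response.
     * Failures are logged, never propagated.
     *
     * @return the loaded session, or {@code null} when none was found
     */
    private SessionState removeSessionState(String sessionStateParam, HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse) {
        SessionState sessionState = null;
        try {
            String sessionStateId = sessionStateParam;
            if (StringHelper.isEmpty(sessionStateId)) {
                sessionStateId = this.sessionStateService.getSessionStateFromCookie(httpServletRequest);
            }
            if (StringHelper.isNotEmpty(sessionStateId)) {
                sessionState = this.sessionStateService.getSessionState(sessionStateId);
                if (sessionState == null) {
                    this.log.error("Failed to load session from LDAP by session_state: '{0}'", new Object[]{sessionStateId});
                } else if (!this.sessionStateService.remove(sessionState)) {
                    this.log.error("Failed to remove session_state '{0}' from LDAP", new Object[]{sessionStateId});
                }
            }
        } catch (Exception e) {
            this.log.error(e.getMessage(), e, new Object[0]);
        } finally {
            // the cookie must go regardless of whether the server-side lookup/removal succeeded
            this.sessionStateService.removeSessionStateCookie(httpServletResponse);
        }
        return sessionState;
    }

    /**
     * Renders the logout page.
     *
     * @param logoutUris            RP logout URIs, each rendered as a hidden iframe (HTML-escaped)
     * @param postLogoutRedirectUri already validated redirect target, or empty/{@code null} for none
     * @param state                 caller-supplied state; percent-encoded into the redirect target
     * @return complete HTML document
     */
    private String constructPage(Set<String> logoutUris, String postLogoutRedirectUri, String state) {
        StringBuilder iframes = new StringBuilder();
        for (String uri : logoutUris) {
            iframes.append(String.format(IFRAME_TEMPLATE, escapeHtml(uri)));
        }

        StringBuilder page = new StringBuilder("<!DOCTYPE html><html><head>");
        if (!Util.isNullOrEmpty(postLogoutRedirectUri)) {
            String target = postLogoutRedirectUri;
            if (!Util.isNullOrEmpty(state)) {
                target = appendQueryParam(target, "state", state);
            }
            // the target sits inside a single-quoted JS string literal inside a <script> element,
            // so it is escaped for that context (quotes, backslashes, angle brackets, line terminators)
            page.append("<script>window.onload=function() {window.location='")
                    .append(escapeJsString(target))
                    .append("'}</script>");
        }
        page.append("<title>Gluu Generated logout page</title></head><body>Logout requests sent.<br/>")
                .append(iframes)
                .append("</body></html>");
        return page.toString();
    }

    /** 200 response builder with the no-cache headers every end-session response carries. */
    private static Response.ResponseBuilder noCacheOk() {
        return Response.ok()
                .cacheControl(ServerUtil.cacheControl(true, true))
                .header("Pragma", "no-cache");
    }

    /**
     * Appends {@code name=value} to the query string of {@code uri}, choosing {@code ?} or
     * {@code &} as separator. The value is percent-encoded; the name is expected to be a literal.
     */
    private static String appendQueryParam(String uri, String name, Object value) {
        String separator = uri.contains("?") ? "&" : "?";
        return uri + separator + name + "=" + urlEncode(String.valueOf(value));
    }

    /** {@code application/x-www-form-urlencoded} encoding of {@code value} as UTF-8. */
    private static String urlEncode(String value) {
        try {
            return URLEncoder.encode(value, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is mandatory for every JVM, so this cannot happen in practice
            throw new IllegalStateException("UTF-8 encoding not supported", e);
        }
    }

    /** Escapes the characters that could terminate an HTML attribute value or text node. */
    private static String escapeHtml(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':
                    sb.append("&amp;");
                    break;
                case '<':
                    sb.append("&lt;");
                    break;
                case '>':
                    sb.append("&gt;");
                    break;
                case '"':
                    sb.append("&quot;");
                    break;
                case '\'':
                    sb.append("&#39;");
                    break;
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Escapes {@code value} for use inside a single-quoted JavaScript string literal that is itself
     * embedded in an HTML {@code <script>} element: quotes and backslashes are backslash-escaped,
     * angle brackets and ampersands become {@code \\uXXXX} so that {@code </script>} cannot close the
     * element, and line terminators are escaped because they would end the literal.
     */
    private static String escapeJsString(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\':
                    sb.append("\\\\");
                    break;
                case '\'':
                    sb.append("\\'");
                    break;
                case '"':
                    sb.append("\\\"");
                    break;
                case '<':
                    sb.append("\\u003c");
                    break;
                case '>':
                    sb.append("\\u003e");
                    break;
                case '&':
                    sb.append("\\u0026");
                    break;
                case '\n':
                    sb.append("\\n");
                    break;
                case '\r':
                    sb.append("\\r");
                    break;
                case '\u2028':
                    sb.append("\\u2028");
                    break;
                case '\u2029':
                    sb.append("\\u2029");
                    break;
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }
}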
