package org.xdi.oxauth.session.ws.rs;

import com.google.common.collect.Sets;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.Path;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.xdi.model.security.Identity;
import org.xdi.oxauth.audit.ApplicationAuditLogger;
import org.xdi.oxauth.model.audit.Action;
import org.xdi.oxauth.model.audit.OAuth2AuditLog;
import org.xdi.oxauth.model.common.AuthorizationGrant;
import org.xdi.oxauth.model.common.AuthorizationGrantList;
import org.xdi.oxauth.model.common.SessionId;
import org.xdi.oxauth.model.config.Constants;
import org.xdi.oxauth.model.configuration.AppConfiguration;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.registration.Client;
import org.xdi.oxauth.model.session.EndSessionErrorResponseType;
import org.xdi.oxauth.model.util.URLPatternList;
import org.xdi.oxauth.model.util.Util;
import org.xdi.oxauth.service.ClientService;
import org.xdi.oxauth.service.GrantService;
import org.xdi.oxauth.service.RedirectionUriService;
import org.xdi.oxauth.service.SessionIdService;
import org.xdi.oxauth.service.external.ExternalApplicationSessionService;
import org.xdi.oxauth.util.ServerUtil;
import org.xdi.util.Pair;
import org.xdi.util.StringHelper;

@Path("/")
/* loaded from: input_file:org/xdi/oxauth/session/ws/rs/EndSessionRestWebServiceImpl.class */
public class EndSessionRestWebServiceImpl implements EndSessionRestWebService {

    @Inject
    private Logger log;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private RedirectionUriService redirectionUriService;

    @Inject
    private AuthorizationGrantList authorizationGrantList;

    @Inject
    private ExternalApplicationSessionService externalApplicationSessionService;

    @Inject
    private SessionIdService sessionIdService;

    @Inject
    private ClientService clientService;

    @Inject
    private GrantService grantService;

    @Inject
    private Identity identity;

    @Inject
    private ApplicationAuditLogger applicationAuditLogger;

    @Inject
    private AppConfiguration appConfiguration;

    @Override // org.xdi.oxauth.session.ws.rs.EndSessionRestWebService
    public Response requestEndSession(String str, String str2, String str3, String str4, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SecurityContext securityContext) {
        this.log.debug("Attempting to end session, idTokenHint: {}, postLogoutRedirectUri: {}, sessionId: {}, Is Secure = {}", new Object[]{str, str2, str4, Boolean.valueOf(securityContext.isSecure())});
        validateIdTokenHint(str, str2);
        validateSessionIdRequestParameter(str4, str2);
        Pair<SessionId, AuthorizationGrant> endSession = endSession(str, str4, httpServletRequest, httpServletResponse, str2);
        auditLogging(httpServletRequest, endSession);
        if (endSession.getFirst() == null && endSession.getSecond() == null && StringUtils.isNotBlank(str2) && allowPostLogoutRedirect(str2)) {
            try {
                return Response.temporaryRedirect(new URI(str2)).entity(this.errorResponseFactory.getErrorAsJson(EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION)).build();
            } catch (URISyntaxException e) {
                this.log.error("Can't perform redirect", e);
            }
        }
        return httpBased(str2, str3, endSession);
    }

    private Response createErrorResponse(String str, EndSessionErrorResponseType endSessionErrorResponseType, String str2) {
        this.log.debug(str2);
        try {
            if (allowPostLogoutRedirect(str)) {
                return Response.status(Response.Status.FOUND).location(new URI(str + (str.contains("?") ? "&" : "?") + this.errorResponseFactory.getErrorAsQueryString(endSessionErrorResponseType, ""))).build();
            }
        } catch (URISyntaxException e) {
            this.log.error("Can't perform redirect", e);
        }
        return Response.status(Response.Status.BAD_REQUEST).entity(this.errorResponseFactory.errorAsJson(endSessionErrorResponseType, str2)).build();
    }

    private boolean allowPostLogoutRedirect(String str) {
        Boolean allowPostLogoutRedirectWithoutValidation = this.appConfiguration.getAllowPostLogoutRedirectWithoutValidation();
        return allowPostLogoutRedirectWithoutValidation != null && allowPostLogoutRedirectWithoutValidation.booleanValue() && new URLPatternList(this.appConfiguration.getClientWhiteList()).isUrlListed(str);
    }

    private void validateSessionIdRequestParameter(String str, String str2) {
        if (StringUtils.isNotBlank(str) && this.sessionIdService.getSessionId(str) == null) {
            this.log.error("session_id parameter in request is not valid. Logout is rejected. session_id parameter in request can be skipped or otherwise valid value must be provided.");
            throw new WebApplicationException(createErrorResponse(str2, EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION, "session_id parameter in request is not valid. Logout is rejected. session_id parameter in request can be skipped or otherwise valid value must be provided."));
        }
    }

    private void validateIdTokenHint(String str, String str2) {
        if (StringUtils.isNotBlank(str) && this.authorizationGrantList.getAuthorizationGrantByIdToken(str) == null) {
            this.log.error("id_token_hint is not valid. Logout is rejected. id_token_hint can be skipped or otherwise valid value must be provided.");
            throw new WebApplicationException(createErrorResponse(str2, EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION, "id_token_hint is not valid. Logout is rejected. id_token_hint can be skipped or otherwise valid value must be provided."));
        }
    }

    private String validatePostLogoutRedirectUri(String str, Pair<SessionId, AuthorizationGrant> pair) {
        try {
            return pair.getSecond() == null ? this.redirectionUriService.validatePostLogoutRedirectUri((SessionId) pair.getFirst(), str) : this.redirectionUriService.validatePostLogoutRedirectUri(((AuthorizationGrant) pair.getSecond()).getClient().getClientId(), str);
        } catch (WebApplicationException e) {
            if (pair.getFirst() == null) {
                throw e;
            }
            this.log.error("Session was removed successfully but redirect to post_logout_redirect_uri fails since AS failed to validate it against clients associated with session (which was just removed).", e);
            throw new WebApplicationException(Response.status(Response.Status.OK).entity(this.errorResponseFactory.errorAsJson(EndSessionErrorResponseType.POST_LOGOUT_URI_NOT_ASSOCIATED_WITH_CLIENT, "Session was removed successfully but redirect to post_logout_redirect_uri fails since AS failed to validate it against clients associated with session (which was just removed).")).build());
        }
    }

    public Response httpBased(String str, String str2, Pair<SessionId, AuthorizationGrant> pair) {
        String constructPage = constructPage(getRpFrontchannelLogoutUris(pair), validatePostLogoutRedirectUri(str, pair), str2);
        this.log.debug("Constructed http logout page: " + constructPage);
        return Response.ok().cacheControl(ServerUtil.cacheControl(true, true)).header("Pragma", "no-cache").type(MediaType.TEXT_HTML_TYPE).entity(constructPage).build();
    }

    private Pair<SessionId, AuthorizationGrant> endSession(String str, String str2, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str3) {
        Boolean endSessionWithAccessToken;
        AuthorizationGrant authorizationGrantByIdToken = this.authorizationGrantList.getAuthorizationGrantByIdToken(str);
        if (authorizationGrantByIdToken == null && (endSessionWithAccessToken = this.appConfiguration.getEndSessionWithAccessToken()) != null && endSessionWithAccessToken.booleanValue()) {
            authorizationGrantByIdToken = this.authorizationGrantList.getAuthorizationGrantByAccessToken(str);
        }
        removeConsentSessionId(httpServletRequest, httpServletResponse);
        SessionId removeSessionId = removeSessionId(str2, httpServletRequest, httpServletResponse);
        if (removeSessionId == null) {
            this.log.debug("Failed to identify session by session_id query parameter or by session_id cookie.");
            throw new WebApplicationException(createErrorResponse(str3, EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION, "Failed to identify session by session_id query parameter or by session_id cookie."));
        }
        boolean z = false;
        boolean isEnabled = this.externalApplicationSessionService.isEnabled();
        if (isEnabled && removeSessionId != null) {
            String str4 = removeSessionId.getSessionAttributes().get(Constants.AUTHENTICATED_USER);
            z = this.externalApplicationSessionService.executeExternalEndSessionMethods(httpServletRequest, removeSessionId);
            this.log.info("End session result for '{}': '{}'", new Object[]{str4, Constants.RESULT_LOGOUT, Boolean.valueOf(z)});
        }
        boolean z2 = isEnabled && z;
        if (isEnabled && !z2) {
            throw new WebApplicationException(createErrorResponse(str3, EndSessionErrorResponseType.INVALID_GRANT, "External logout script returned false."));
        }
        if (removeSessionId != null) {
            this.grantService.removeAllTokensBySession(removeSessionId.getDn());
        }
        if (this.identity != null) {
            this.identity.logout();
        }
        return new Pair<>(removeSessionId, authorizationGrantByIdToken);
    }

    private Set<String> getRpFrontchannelLogoutUris(Pair<SessionId, AuthorizationGrant> pair) {
        HashSet newHashSet = Sets.newHashSet();
        SessionId sessionId = (SessionId) pair.getFirst();
        AuthorizationGrant authorizationGrant = (AuthorizationGrant) pair.getSecond();
        if (sessionId == null) {
            this.log.error("session_id is not passed to endpoint (as cookie or manually). Therefore unable to match clients for session_id.Http based html will contain no iframes.");
            return newHashSet;
        }
        Set<Client> client = sessionId.getPermissionGrantedMap() != null ? this.clientService.getClient((Collection<String>) sessionId.getPermissionGrantedMap().getClientIds(true), true) : Sets.newHashSet();
        if (authorizationGrant != null) {
            client.add(authorizationGrant.getClient());
        }
        for (Client client2 : client) {
            String[] frontChannelLogoutUri = client2.getFrontChannelLogoutUri();
            if (frontChannelLogoutUri != null) {
                for (String str : frontChannelLogoutUri) {
                    if (!Util.isNullOrEmpty(str)) {
                        if (client2.getFrontChannelLogoutSessionRequired() != null && client2.getFrontChannelLogoutSessionRequired().booleanValue()) {
                            str = str.contains("?") ? str + "&sid=" + sessionId.getId() : str + "?sid=" + sessionId.getId();
                        }
                        newHashSet.add(str);
                    }
                }
            }
        }
        return newHashSet;
    }

    private SessionId removeSessionId(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        SessionId sessionId = null;
        try {
            try {
                String str2 = str;
                if (StringHelper.isEmpty(str2)) {
                    str2 = this.sessionIdService.getSessionIdFromCookie(httpServletRequest);
                }
                if (StringHelper.isNotEmpty(str2)) {
                    sessionId = this.sessionIdService.getSessionId(str2);
                    if (sessionId == null) {
                        this.log.error("Failed to load session by session_id: '{}'", str2);
                    } else if (!this.sessionIdService.remove(sessionId)) {
                        this.log.error("Failed to remove session_id '{}'", str2);
                    }
                }
                this.sessionIdService.removeSessionIdCookie(httpServletResponse);
                this.sessionIdService.removeOPBrowserStateCookie(httpServletResponse);
            } catch (Exception e) {
                this.log.error(e.getMessage(), e);
                this.sessionIdService.removeSessionIdCookie(httpServletResponse);
                this.sessionIdService.removeOPBrowserStateCookie(httpServletResponse);
            }
            return sessionId;
        } catch (Throwable th) {
            this.sessionIdService.removeSessionIdCookie(httpServletResponse);
            this.sessionIdService.removeOPBrowserStateCookie(httpServletResponse);
            throw th;
        }
    }

    private SessionId removeConsentSessionId(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        SessionId sessionId = null;
        try {
            try {
                String consentSessionIdFromCookie = this.sessionIdService.getConsentSessionIdFromCookie(httpServletRequest);
                if (StringHelper.isNotEmpty(consentSessionIdFromCookie)) {
                    sessionId = this.sessionIdService.getSessionId(consentSessionIdFromCookie);
                    if (sessionId == null) {
                        this.log.error("Failed to load session by consent_session_id: '{}'", consentSessionIdFromCookie);
                    } else if (!this.sessionIdService.remove(sessionId)) {
                        this.log.error("Failed to remove consent_session_id '{}'", consentSessionIdFromCookie);
                    }
                }
                this.sessionIdService.removeConsentSessionIdCookie(httpServletResponse);
            } catch (Exception e) {
                this.log.error(e.getMessage(), e);
                this.sessionIdService.removeConsentSessionIdCookie(httpServletResponse);
            }
            return sessionId;
        } catch (Throwable th) {
            this.sessionIdService.removeConsentSessionIdCookie(httpServletResponse);
            throw th;
        }
    }

    private String constructPage(Set<String> set, String str, String str2) {
        String str3 = "";
        Iterator<String> it = set.iterator();
        while (it.hasNext()) {
            str3 = str3 + String.format("<iframe height=\"0\" width=\"0\" src=\"%s\"></iframe>", it.next());
        }
        String str4 = "<!DOCTYPE html><html><head>";
        if (!Util.isNullOrEmpty(str)) {
            if (!Util.isNullOrEmpty(str2)) {
                str = str.contains("?") ? str + "&state=" + str2 : str + "?state=" + str2;
            }
            str4 = str4 + "<script>window.onload=function() {window.location='" + str + "'}</script>";
        }
        return str4 + "<title>Gluu Generated logout page</title></head><body>Logout requests sent.<br/>" + str3 + "</body></html>";
    }

    private void auditLogging(HttpServletRequest httpServletRequest, Pair<SessionId, AuthorizationGrant> pair) {
        SessionId sessionId = (SessionId) pair.getFirst();
        AuthorizationGrant authorizationGrant = (AuthorizationGrant) pair.getSecond();
        OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpServletRequest), Action.SESSION_DESTROYED);
        oAuth2AuditLog.setSuccess(true);
        if (authorizationGrant != null) {
            oAuth2AuditLog.setClientId(authorizationGrant.getClientId());
            oAuth2AuditLog.setScope(StringUtils.join(authorizationGrant.getScopes(), " "));
            oAuth2AuditLog.setUsername(authorizationGrant.getUserId());
        } else if (sessionId != null) {
            oAuth2AuditLog.setClientId(sessionId.getPermissionGrantedMap().getClientIds(true).toString());
            oAuth2AuditLog.setScope(sessionId.getSessionAttributes().get("scope"));
            oAuth2AuditLog.setUsername(sessionId.getUserDn());
        }
        this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
    }
}
