package dev.dsf.common.auth;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import jakarta.servlet.http.HttpSessionAttributeListener;
import jakarta.servlet.http.HttpSessionBindingEvent;
import jakarta.servlet.http.HttpSessionEvent;
import jakarta.servlet.http.HttpSessionListener;
import java.io.IOException;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.eclipse.jetty.http.HttpMethod;
import org.eclipse.jetty.http.MimeTypes;
import org.eclipse.jetty.security.Authenticator;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.server.Authentication;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:dev/dsf/common/auth/BackChannelLogoutAuthenticator.class */
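/**
 * Jetty {@link Authenticator} that accepts OpenID Connect back-channel logout requests and
 * invalidates the matching local HTTP session.
 *
 * <p>The class is also registered as a session listener: whenever the Jetty OpenID claims
 * attribute ({@value #CLAIMS_ATTRIBUTE}) appears on or disappears from a session, the session is
 * indexed by (or dropped from the index for) the {@code sub} and {@code sid} values found in those
 * claims. A verified logout token is then resolved against these two indexes.
 *
 * <p>Both indexes are {@link ConcurrentHashMap}s, which reject {@code null} keys; every lookup and
 * update below therefore guards against an absent claim.
 *
 * <p>NOTE(review): each index holds a single session per key, so a later login with the same
 * {@code sub} replaces the earlier entry and a logout token carrying only {@code sub} reaches just
 * the most recently indexed session. Confirm this matches the intended logout scope.
 */
public class BackChannelLogoutAuthenticator implements Authenticator, HttpSessionListener, HttpSessionAttributeListener {
    private static final Logger logger = LoggerFactory.getLogger(BackChannelLogoutAuthenticator.class);

    /** Session attribute under which the OpenID claims of the logged-in user are read. */
    private static final String CLAIMS_ATTRIBUTE = "org.eclipse.jetty.security.openid.claims";

    /** Member that the {@code events} claim of a logout token must contain. */
    private static final String BACK_CHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";

    private final DsfOpenIdConfiguration openIdConfiguration;
    private final String ssoLogoutPath;
    private final ConcurrentMap<String, HttpSession> sessionsBySub = new ConcurrentHashMap<>();
    private final ConcurrentMap<String, HttpSession> sessionsBySid = new ConcurrentHashMap<>();

    /**
     * Creates the authenticator.
     *
     * @param dsfOpenIdConfiguration issuer, client id, key provider and feature switch; not {@code null}
     * @param str path of the logout endpoint; a leading {@code /} is added when missing; not {@code null}
     * @throws NullPointerException if either argument is {@code null}
     */
    public BackChannelLogoutAuthenticator(DsfOpenIdConfiguration dsfOpenIdConfiguration, String str) {
        this.openIdConfiguration = Objects.requireNonNull(dsfOpenIdConfiguration, "openIdConfiguration");
        Objects.requireNonNull(str, "ssoLogoutPath");
        this.ssoLogoutPath = str.startsWith("/") ? str : "/" + str;
    }

    /** No configuration is taken from Jetty; everything comes from the constructor arguments. */
    public void setConfiguration(Authenticator.AuthConfiguration authConfiguration) {
    }

    /** @return the fixed method name {@code BACK_CHANNEL_LOGOUT} */
    public String getAuthMethod() {
        return "BACK_CHANNEL_LOGOUT";
    }

    /**
     * Tells whether a request targets the back-channel logout endpoint.
     *
     * @param servletRequest the incoming request; must be an {@link HttpServletRequest}
     * @return {@code true} for a POST to the configured logout path with a form-encoded content type
     */
    public boolean isBackChannelLogoutRequest(ServletRequest servletRequest) {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        if (!HttpMethod.POST.is(request.getMethod())) {
            return false;
        }
        if (!this.ssoLogoutPath.equals(request.getPathInfo())) {
            return false;
        }
        // NOTE(review): the raw Content-Type header value is compared here; confirm that a value
        // carrying parameters (for example a charset) is still recognised as form-encoded.
        return MimeTypes.Type.FORM_ENCODED.is(request.getContentType());
    }

    /** Nothing to prepare for a logout request. */
    public void prepareRequest(ServletRequest servletRequest) {
    }

    /**
     * Verifies the {@code logout_token} form parameter and invalidates the sessions indexed under
     * its {@code sub} and {@code sid} claims.
     *
     * <p>The token must be RS256-signed by a key from the configured provider, carry the configured
     * issuer and client id as audience, and contain the back-channel logout member in its
     * {@code events} claim. At least one of {@code sub} / {@code sid} must be a string.
     *
     * <p>NOTE(review): the OpenID Connect Back-Channel Logout specification additionally asks the
     * relying party to reject a token that carries a {@code nonce} claim and permits {@code jti}
     * based replay detection; neither is checked here.
     *
     * @param servletRequest request carrying the {@code logout_token} parameter
     * @param servletResponse response used to report 403 (parameter missing or repeated) or 400
     *     (token rejected); must be an {@link HttpServletResponse}
     * @param z Jetty's "mandatory" flag; not used
     * @return {@link Authentication#SEND_SUCCESS} when the token was accepted, otherwise
     *     {@link Authentication#SEND_FAILURE}
     * @throws ServerAuthException if writing the error response fails
     */
    public Authentication validateRequest(ServletRequest servletRequest, ServletResponse servletResponse, boolean z) throws ServerAuthException {
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        try {
            String[] tokens = servletRequest.getParameterValues("logout_token");
            if (tokens == null || tokens.length != 1) {
                httpServletResponse.sendError(403);
                return Authentication.SEND_FAILURE;
            }

            DecodedJWT logoutToken;
            try {
                logoutToken = JWT.require(Algorithm.RSA256(this.openIdConfiguration.getRsaKeyProvider()))
                        .withIssuer(this.openIdConfiguration.getIssuer())
                        .withAudience(new String[]{this.openIdConfiguration.getClientId()})
                        .acceptLeeway(1L)
                        .withClaim("events", (claim, decodedJWT) -> {
                            // asMap() yields null when the claim is not a JSON object; treat that
                            // as a failed check instead of letting a NullPointerException escape.
                            Map<String, Object> events = claim.asMap();
                            return events != null && events.containsKey(BACK_CHANNEL_LOGOUT_EVENT);
                        })
                        .build()
                        .verify(tokens[0]);
            } catch (JWTVerificationException e) {
                // Only the exception type is logged: the message can echo request-supplied text.
                logger.warn("Logout Token rejected: {}", e.getClass().getSimpleName());
                httpServletResponse.sendError(400);
                return Authentication.SEND_FAILURE;
            }

            // asString() is null for an absent, null or non-string claim.
            String sub = logoutToken.getClaim("sub").asString();
            String sid = logoutToken.getClaim("sid").asString();
            if (sub == null && sid == null) {
                logger.warn("Logout Token has no sub and no sid claim");
                httpServletResponse.sendError(400);
                return Authentication.SEND_FAILURE;
            }

            // Debug output contains the identity claims of the user being logged out.
            logger.debug("logout token claims: {}", logoutToken.getClaims());
            logger.debug("Invalidating session for sub/sid {}/{}", sub, sid);

            // A token with only one of the two claims is valid; a null key must never reach the
            // ConcurrentHashMap, otherwise the request fails before any session is invalidated.
            HttpSession bySub = lookup(this.sessionsBySub, sub);
            invalidate(bySub);
            HttpSession bySid = lookup(this.sessionsBySid, sid);
            if (bySid != bySub) {
                invalidate(bySid);
            }
            return Authentication.SEND_SUCCESS;
        } catch (IOException e2) {
            throw new ServerAuthException(e2);
        }
    }

    /** Indexes a new session when it already carries OpenID claims. */
    public void sessionCreated(HttpSessionEvent httpSessionEvent) {
        if (!this.openIdConfiguration.isBackChannelLogoutEnabled()) {
            return;
        }
        HttpSession session = httpSessionEvent.getSession();
        Object claims = session.getAttribute(CLAIMS_ATTRIBUTE);
        logger.debug("Session created, id: {}", session.getId());
        logger.debug("Session created, claims: {}", claims);
        register(claims, session);
    }

    /** Drops a destroyed session from both indexes so that it is no longer referenced. */
    public void sessionDestroyed(HttpSessionEvent httpSessionEvent) {
        if (!this.openIdConfiguration.isBackChannelLogoutEnabled()) {
            return;
        }
        HttpSession session = httpSessionEvent.getSession();
        Object claims = session.getAttribute(CLAIMS_ATTRIBUTE);
        logger.debug("Session destroyed, id: {}", session.getId());
        logger.debug("Session destroyed, claims: {}", claims);
        unregister(claims, session);
    }

    /** Indexes the session once the OpenID claims attribute is set on it. */
    public void attributeAdded(HttpSessionBindingEvent httpSessionBindingEvent) {
        if (!isClaimsEvent(httpSessionBindingEvent)) {
            return;
        }
        logger.debug("Attribute added, Session id: {}", httpSessionBindingEvent.getSession().getId());
        logger.debug("Attribute added, claims: {}", httpSessionBindingEvent.getValue());
        register(httpSessionBindingEvent.getValue(), httpSessionBindingEvent.getSession());
    }

    /** Removes the session from the indexes once the OpenID claims attribute is removed. */
    public void attributeRemoved(HttpSessionBindingEvent httpSessionBindingEvent) {
        if (!isClaimsEvent(httpSessionBindingEvent)) {
            return;
        }
        logger.debug("Attribute removed, Session id: {}", httpSessionBindingEvent.getSession().getId());
        logger.debug("Attribute removed, claims: {}", httpSessionBindingEvent.getValue());
        unregister(httpSessionBindingEvent.getValue(), httpSessionBindingEvent.getSession());
    }

    /**
     * Re-indexes the session after the OpenID claims attribute was replaced.
     *
     * <p>For a replacement the servlet API reports the <em>old</em> value through
     * {@link HttpSessionBindingEvent#getValue()}. The old sub/sid entries are therefore removed and
     * the session is indexed again from the attribute it carries now; indexing the event value
     * would keep stale keys that {@link #sessionDestroyed(HttpSessionEvent)} never cleans up.
     */
    public void attributeReplaced(HttpSessionBindingEvent httpSessionBindingEvent) {
        if (!isClaimsEvent(httpSessionBindingEvent)) {
            return;
        }
        HttpSession session = httpSessionBindingEvent.getSession();
        logger.debug("Attribute replaced, Session id: {}", session.getId());
        logger.debug("Attribute replaced, claims: {}", httpSessionBindingEvent.getValue());
        unregister(httpSessionBindingEvent.getValue(), session);
        register(session.getAttribute(CLAIMS_ATTRIBUTE), session);
    }

    /**
     * @return whether the request was received over a secure channel, as reported by
     *     {@link ServletRequest#isSecure()}
     */
    public boolean secureResponse(ServletRequest servletRequest, ServletResponse servletResponse, boolean z, Authentication.User user) throws ServerAuthException {
        return servletRequest.isSecure();
    }

    /** True when back-channel logout is enabled and the event concerns the claims attribute. */
    private boolean isClaimsEvent(HttpSessionBindingEvent event) {
        return this.openIdConfiguration.isBackChannelLogoutEnabled() && CLAIMS_ATTRIBUTE.equals(event.getName());
    }

    /** Adds the session to the sub and sid indexes for every string claim present in {@code claims}. */
    private void register(Object claims, HttpSession session) {
        if (!(claims instanceof Map)) {
            return;
        }
        Map<?, ?> map = (Map<?, ?>) claims;
        Object sub = map.get("sub");
        if (sub instanceof String) {
            this.sessionsBySub.put((String) sub, session);
        }
        Object sid = map.get("sid");
        if (sid instanceof String) {
            this.sessionsBySid.put((String) sid, session);
        }
    }

    /** Removes the session from both indexes, but only where the entry still points to it. */
    private void unregister(Object claims, HttpSession session) {
        if (!(claims instanceof Map)) {
            return;
        }
        Map<?, ?> map = (Map<?, ?>) claims;
        Object sub = map.get("sub");
        if (sub instanceof String) {
            this.sessionsBySub.remove((String) sub, session);
        }
        Object sid = map.get("sid");
        if (sid instanceof String) {
            this.sessionsBySid.remove((String) sid, session);
        }
    }

    /** Null-safe index lookup; {@link ConcurrentHashMap#get(Object)} throws on a null key. */
    private static HttpSession lookup(ConcurrentMap<String, HttpSession> sessions, String key) {
        return key == null ? null : sessions.get(key);
    }

    /** Invalidates a session, treating "already invalidated" as success. */
    private static void invalidate(HttpSession session) {
        if (session == null) {
            return;
        }
        try {
            session.invalidate();
        } catch (IllegalStateException ignored) {
            // The session was invalidated concurrently or via the other index; the goal is reached.
        }
    }
}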
