package pl.edu.icm.unity.oauth.as.token;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.client.ClientType;
import jakarta.ws.rs.FormParam;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.Response;
import java.util.Arrays;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.base.authn.AuthenticationRealm;
import pl.edu.icm.unity.base.entity.EntityParam;
import pl.edu.icm.unity.base.exceptions.EngineException;
import pl.edu.icm.unity.base.exceptions.WrongArgumentException;
import pl.edu.icm.unity.base.token.Token;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.authn.LoginSession;
import pl.edu.icm.unity.engine.api.session.SessionManagement;
import pl.edu.icm.unity.oauth.as.OAuthToken;
import pl.edu.icm.unity.oauth.as.token.access.OAuthAccessTokenRepository;
import pl.edu.icm.unity.oauth.as.token.access.OAuthRefreshTokenRepository;
import pl.edu.icm.unity.store.api.TokenDAO;

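/**
 * OAuth 2.0 token revocation endpoint (RFC 7009 style) of the Unity authorization server.
 *
 * <p>Accepts a form-encoded POST carrying {@code token}, an optional {@code token_type_hint}
 * ({@code access_token} or {@code refresh_token}), an optional {@code client_id} and an optional
 * {@code logout} flag. The token is located in the access- or refresh-token repository, the caller
 * is checked to be the client the token was issued to, and the token is removed. When
 * {@code logout=true} is passed and the token carries the {@code single-logout} scope, the
 * owner's login session in this realm is terminated as well.
 *
 * <p>Authorization model (see {@link #getEffectiveClientType(OAuthToken)}):
 * <ul>
 *   <li>Tokens of confidential clients may be revoked only by an authenticated caller whose
 *       entity id equals the token's client id.</li>
 *   <li>Tokens of public clients (or every token when the endpoint is configured with
 *       {@code allowUnauthenticatedRevocation}) need no authentication; only {@code client_id}
 *       must be present and match. Possession of the bearer token value is then the sole
 *       credential, so enabling unauthenticated revocation widens who can revoke.</li>
 * </ul>
 *
 * <p>Per RFC 7009 an unknown or already revoked token yields {@code 200 OK}, not an error.
 * NOTE(review): the client-type/authentication checks run only after the token has been
 * looked up, so an unauthenticated caller presenting a confidential client's live token gets an
 * error while an unknown token gets 200 — a limited token-existence oracle. Confirm this is
 * acceptable before relying on the endpoint to hide token validity.
 *
 * <p>This listing was recovered from a decompiler; {@link #loadToken(String, String)} was
 * reconstructed from the bytecode dump that the decompiler left in place.
 */
@Produces({"application/json"})
@Path(OAuthTokenEndpoint.TOKEN_REVOCATION_PATH)
public class RevocationResource extends BaseOAuthResource {
    private static final Logger log = Log.getLogger("unity.server.oauth", RevocationResource.class);

    /** Form parameter names and accepted values (RFC 7009 §2.1). */
    public static final String TOKEN_TYPE = "token_type_hint";
    public static final String TOKEN_TYPE_ACCESS = "access_token";
    public static final String TOKEN_TYPE_REFRESH = "refresh_token";
    /** Error code returned for an unrecognised {@code token_type_hint} (RFC 7009 §2.2.1). */
    public static final String UNSUPPORTED_TOKEN_TYPE_ERROR = "unsupported_token_type";
    public static final String TOKEN = "token";
    public static final String CLIENT = "client_id";
    /** Non-standard extension: {@code logout=true} also ends the owner's login session. */
    public static final String LOGOUT = "logout";
    /** Scope a token must carry for {@code logout=true} to be honoured. */
    public static final String LOGOUT_SCOPE = "single-logout";

    private final SessionManagement sessionManagement;
    private final AuthenticationRealm realm;
    private final OAuthAccessTokenRepository accessTokenRepository;
    /** When {@code true} every token is treated as a public client's: no caller authentication. */
    private final boolean allowUnauthenticatedRevocation;
    private final OAuthRefreshTokenRepository refreshTokenRepository;

    /**
     * @param accessTokenRepository store of access tokens
     * @param refreshTokenRepository store of refresh tokens
     * @param sessionManagement used to terminate the owner's session on {@code logout=true}
     * @param realm realm whose session is terminated on logout
     * @param allowUnauthenticatedRevocation if {@code true}, skip client authentication for all
     *        tokens (every token is handled as if issued to a public client)
     */
    public RevocationResource(OAuthAccessTokenRepository accessTokenRepository,
            OAuthRefreshTokenRepository refreshTokenRepository,
            SessionManagement sessionManagement,
            AuthenticationRealm realm,
            boolean allowUnauthenticatedRevocation) {
        this.accessTokenRepository = accessTokenRepository;
        this.refreshTokenRepository = refreshTokenRepository;
        this.sessionManagement = sessionManagement;
        this.realm = realm;
        this.allowUnauthenticatedRevocation = allowUnauthenticatedRevocation;
    }

    /**
     * Handles a revocation request.
     *
     * @param token the access or refresh token value to revoke; required
     * @param clientId optional {@code client_id}; if given it must match the token's client
     *        username, and it is mandatory for public (unauthenticated) clients
     * @param tokenTypeHint optional {@code access_token} / {@code refresh_token}; anything else
     *        is rejected with {@code unsupported_token_type}
     * @param logout when the literal string {@code "true"}, additionally terminate the token
     *        owner's login session (requires the {@code single-logout} scope on the token)
     * @return {@code 200 OK} on success or for an unknown token; an OAuth error response when
     *         the request is malformed, the client does not match, or authentication is missing
     * @throws EngineException on engine failures while terminating the session
     * @throws JsonProcessingException if the stored token content cannot be parsed
     */
    @POST
    @Path("/")
    public Response revoke(@FormParam(TOKEN) String token,
            @FormParam(CLIENT) String clientId,
            @FormParam(TOKEN_TYPE) String tokenTypeHint,
            @FormParam(LOGOUT) String logout) throws EngineException, JsonProcessingException {
        if (token == null) {
            return makeError(OAuth2Error.INVALID_REQUEST, "To access the token revocation endpoint a token must be provided");
        }
        if (tokenTypeHint != null && !TOKEN_TYPE_ACCESS.equals(tokenTypeHint) && !TOKEN_TYPE_REFRESH.equals(tokenTypeHint)) {
            return makeError(new ErrorObject(UNSUPPORTED_TOKEN_TYPE_ERROR, "Invalid request", 400), "Token type '" + tokenTypeHint + "' is not supported");
        }

        Token storedToken;
        OAuthToken internalToken;
        try {
            storedToken = loadToken(token, tokenTypeHint);
            internalToken = parseInternalToken(storedToken);
        } catch (TokenDAO.TokenNotFoundException ignored) {
            // RFC 7009 §2.2: an unknown or already revoked token is not an error condition.
            return toResponse(Response.ok());
        }

        // An explicitly supplied client_id must match the client the token was issued to.
        if (clientId != null && !clientId.equals(internalToken.getClientUsername())) {
            return makeError(OAuth2Error.INVALID_CLIENT, "Wrong client/token");
        }

        if (getEffectiveClientType(internalToken) != ClientType.PUBLIC) {
            // Confidential client: the caller must have authenticated at this endpoint and
            // be the very entity the token belongs to.
            LoginSession loginSession = InvocationContext.getCurrent().getLoginSession();
            if (loginSession == null) {
                log.info("Blocking a try to revoke OAuth token owned by confidential client {} wihtout authentication", internalToken.getClientId());
                return makeError(OAuth2Error.INVALID_REQUEST, "Authentication is required");
            }
            // NOTE(review): assumes both ids are primitive longs (the original boxed them only
            // for logging); if either is ever a boxed Long this must become equals().
            if (internalToken.getClientId() != loginSession.getEntityId()) {
                log.warn("OAuth client authenticated with id {} tried to revoke token associated with other client {}", loginSession.getEntityId(), internalToken.getClientId());
                return makeError(OAuth2Error.INVALID_REQUEST, "Authentication error");
            }
        } else if (clientId == null) {
            // Public client: nothing else identifies the caller, so client_id is mandatory.
            return makeError(OAuth2Error.INVALID_REQUEST, "To access the token revocation endpoint a client_id must be provided");
        }

        long owner = storedToken.getOwner().longValue();

        // Session termination runs before token removal: an insufficient-scope error here
        // aborts the request and leaves the token in place.
        if ("true".equals(logout)) {
            Response logoutError = killSession(internalToken, owner);
            if (logoutError != null) {
                return logoutError;
            }
        }

        try {
            removeToken(token, internalToken, tokenTypeHint, owner);
        } catch (TokenDAO.TokenNotFoundException ignored) {
            // Token vanished between lookup and removal (e.g. concurrent revocation);
            // the end state is what the caller asked for, so report success.
        }
        return toResponse(Response.ok());
    }

    /**
     * Decides which authorization rule applies to the token.
     *
     * <p>With {@code allowUnauthenticatedRevocation} every token is handled as a public
     * client's. Otherwise the token's recorded client type is used, and a missing type is
     * treated as {@link ClientType#CONFIDENTIAL} (fail closed: authentication required).
     */
    private ClientType getEffectiveClientType(OAuthToken oAuthToken) {
        if (allowUnauthenticatedRevocation) {
            return ClientType.PUBLIC;
        }
        ClientType recorded = oAuthToken.getClientType();
        return recorded == null ? ClientType.CONFIDENTIAL : recorded;
    }

    /**
     * Looks the token up in the repository selected by the hint. Without a hint the access-token
     * store is tried first and the refresh-token store second.
     *
     * <p>Reconstructed from the decompiler's bytecode dump of this method.
     *
     * @throws TokenDAO.TokenNotFoundException if no store holds the token
     */
    private Token loadToken(String token, String tokenTypeHint) {
        if (TOKEN_TYPE_ACCESS.equals(tokenTypeHint)) {
            return accessTokenRepository.readAccessToken(token);
        }
        if (TOKEN_TYPE_REFRESH.equals(tokenTypeHint)) {
            return refreshTokenRepository.readRefreshToken(token);
        }
        try {
            return accessTokenRepository.readAccessToken(token);
        } catch (TokenDAO.TokenNotFoundException notAnAccessToken) {
            return refreshTokenRepository.readRefreshToken(token);
        }
    }

    /**
     * Removes the token from the store selected by the hint; mirrors the lookup order of
     * {@link #loadToken(String, String)} when no hint is given.
     *
     * @throws TokenDAO.TokenNotFoundException if the token is not present in the store(s) tried
     */
    private void removeToken(String token, OAuthToken oAuthToken, String tokenTypeHint, long owner) {
        if (TOKEN_TYPE_ACCESS.equals(tokenTypeHint)) {
            accessTokenRepository.removeAccessToken(token);
        } else if (TOKEN_TYPE_REFRESH.equals(tokenTypeHint)) {
            refreshTokenRepository.removeRefreshToken(token, oAuthToken, owner);
        } else {
            try {
                accessTokenRepository.removeAccessToken(token);
            } catch (TokenDAO.TokenNotFoundException notAnAccessToken) {
                refreshTokenRepository.removeRefreshToken(token, oAuthToken, owner);
            }
        }
    }

    /**
     * Terminates the token owner's login session in this realm, provided the token's effective
     * scope contains {@link #LOGOUT_SCOPE}.
     *
     * @return {@code null} on success (also when the owner has no session in the realm, which
     *         surfaces as {@link WrongArgumentException}); an {@code invalid_scope} error
     *         response when the scope is missing
     */
    private Response killSession(OAuthToken oAuthToken, long owner) throws EngineException {
        String[] scopes = oAuthToken.getEffectiveScope();
        boolean mayLogout = scopes != null && Arrays.stream(scopes).anyMatch(LOGOUT_SCOPE::equals);
        if (!mayLogout) {
            return makeError(OAuth2Error.INVALID_SCOPE, "Insufficent scope to perform full logout.");
        }
        try {
            LoginSession ownedSession = sessionManagement.getOwnedSession(new EntityParam(Long.valueOf(owner)), realm.getName());
            sessionManagement.removeSession(ownedSession.getId(), true);
        } catch (WrongArgumentException noSuchSession) {
            // No live session for the owner in this realm: nothing to terminate, not an error.
        }
        return null;
    }
}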
