package org.keycloak.protocol.oidc.endpoints;

import java.util.Iterator;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.OAuthErrorException;
import org.keycloak.common.ClientConnection;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.headers.SecurityHeadersProvider;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil;
import org.keycloak.representations.RefreshToken;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.TokenRevokeContext;
import org.keycloak.services.managers.UserSessionCrossDCManager;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.services.resources.Cors;
import org.keycloak.util.TokenUtil;
import org.wildfly.security.http.HttpConstants;

/* loaded from: input_file:BOOT-INF/lib/keycloak-services-11.0.2.jar:org/keycloak/protocol/oidc/endpoints/TokenRevocationEndpoint.class */
public class TokenRevocationEndpoint {
    private static final String PARAM_TOKEN = "token";

    @Context
    private KeycloakSession session;

    @Context
    private HttpRequest request;

    @Context
    private HttpHeaders headers;

    @Context
    private ClientConnection clientConnection;
    private MultivaluedMap<String, String> formParams;
    private ClientModel client;
    private RealmModel realm;
    private EventBuilder event;
    private Cors cors;
    private RefreshToken token;
    private UserModel user;

    public TokenRevocationEndpoint(RealmModel realmModel, EventBuilder eventBuilder) {
        this.realm = realmModel;
        this.event = eventBuilder;
    }

    @POST
    @Consumes({"application/x-www-form-urlencoded"})
    public Response revoke() {
        this.event.event(EventType.REVOKE_GRANT);
        this.cors = Cors.add(this.request).auth().allowedMethods("POST").auth().exposedHeaders("Access-Control-Allow-Methods");
        checkSsl();
        checkRealm();
        checkClient();
        this.formParams = this.request.getDecodedFormParameters();
        try {
            this.session.clientPolicy().triggerOnEvent(new TokenRevokeContext(this.formParams));
            checkToken();
            checkIssuedFor();
            checkUser();
            revokeClient();
            this.event.detail(Details.REVOKED_CLIENT, this.client.getClientId()).success();
            ((SecurityHeadersProvider) this.session.getProvider(SecurityHeadersProvider.class)).options().allowEmptyContentType();
            return this.cors.builder(Response.ok()).build();
        } catch (ClientPolicyException e) {
            this.event.error(e.getError());
            throw new CorsErrorResponseException(this.cors, OAuthErrorException.INVALID_GRANT, e.getErrorDetail(), Response.Status.BAD_REQUEST);
        }
    }

    private void checkSsl() {
        if (!this.session.getContext().getUri().getBaseUri().getScheme().equals(HttpConstants.HTTPS) && this.realm.getSslRequired().isRequired(this.clientConnection)) {
            throw new CorsErrorResponseException(this.cors.allowAllOrigins(), "invalid_request", "HTTPS required", Response.Status.FORBIDDEN);
        }
    }

    private void checkRealm() {
        if (!this.realm.isEnabled()) {
            throw new CorsErrorResponseException(this.cors.allowAllOrigins(), "access_denied", "Realm not enabled", Response.Status.FORBIDDEN);
        }
    }

    private void checkClient() {
        this.client = AuthorizeClientUtil.authorizeClient(this.session, this.event).getClient();
        this.event.client(this.client);
        this.cors.allowedOrigins(this.session, this.client);
        if (this.client.isBearerOnly()) {
            throw new CorsErrorResponseException(this.cors, "invalid_client", "Bearer-only not allowed", Response.Status.BAD_REQUEST);
        }
    }

    private void checkToken() {
        String first = this.formParams.getFirst("token");
        if (first == null) {
            this.event.error("invalid_request");
            throw new CorsErrorResponseException(this.cors, "invalid_request", "Token not provided", Response.Status.BAD_REQUEST);
        }
        this.token = (RefreshToken) this.session.tokens().decode(first, RefreshToken.class);
        if (this.token == null) {
            this.event.error("invalid_token");
            throw new CorsErrorResponseException(this.cors, "invalid_token", "Invalid token", Response.Status.OK);
        }
        if ("Refresh".equals(this.token.getType()) || TokenUtil.TOKEN_TYPE_OFFLINE.equals(this.token.getType())) {
            return;
        }
        this.event.error(Errors.INVALID_TOKEN_TYPE);
        throw new CorsErrorResponseException(this.cors, OAuthErrorException.UNSUPPORTED_TOKEN_TYPE, "Unsupported token type", Response.Status.BAD_REQUEST);
    }

    private void checkIssuedFor() {
        String issuedFor = this.token.getIssuedFor();
        if (issuedFor == null) {
            this.event.error("invalid_token");
            throw new CorsErrorResponseException(this.cors, "invalid_token", "Invalid token", Response.Status.OK);
        }
        if (this.client.getClientId().equals(issuedFor)) {
            return;
        }
        this.event.error("invalid_request");
        throw new CorsErrorResponseException(this.cors, "invalid_request", "Unmatching clients", Response.Status.BAD_REQUEST);
    }

    private void checkUser() {
        UserSessionModel userSessionWithClient = new UserSessionCrossDCManager(this.session).getUserSessionWithClient(this.realm, this.token.getSessionState(), false, this.client.getId());
        if (userSessionWithClient == null) {
            userSessionWithClient = new UserSessionCrossDCManager(this.session).getUserSessionWithClient(this.realm, this.token.getSessionState(), true, this.client.getId());
            if (userSessionWithClient == null) {
                this.event.error(Errors.USER_SESSION_NOT_FOUND);
                throw new CorsErrorResponseException(this.cors, "invalid_token", "Invalid token", Response.Status.OK);
            }
        }
        this.user = userSessionWithClient.getUser();
        if (this.user == null) {
            this.event.error(Errors.USER_NOT_FOUND);
            throw new CorsErrorResponseException(this.cors, "invalid_token", "Invalid token", Response.Status.OK);
        }
        this.event.user(this.user);
    }

    private void revokeClient() {
        this.session.users().revokeConsentForClient(this.realm, this.user.getId(), this.client.getId());
        if (TokenUtil.TOKEN_TYPE_OFFLINE.equals(this.token.getType())) {
            new UserSessionManager(this.session).revokeOfflineToken(this.user, this.client);
        }
        Iterator<UserSessionModel> it = this.session.sessions().getUserSessions(this.realm, this.user).iterator();
        while (it.hasNext()) {
            AuthenticatedClientSessionModel authenticatedClientSessionByClient = it.next().getAuthenticatedClientSessionByClient(this.client.getId());
            if (authenticatedClientSessionByClient != null) {
                TokenManager.dettachClientSession(this.session.sessions(), this.realm, authenticatedClientSessionByClient);
            }
        }
    }
}
