package io.jans.as.server.session.ws.rs;

import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import io.jans.as.common.model.common.User;
import io.jans.as.common.model.registration.Client;
import io.jans.as.model.common.ComponentType;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.error.ErrorHandlingMethod;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.exception.InvalidJwtException;
import io.jans.as.model.gluu.GluuErrorResponseType;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.model.session.EndSessionErrorResponseType;
import io.jans.as.model.token.JsonWebResponse;
import io.jans.as.model.util.URLPatternList;
import io.jans.as.model.util.Util;
import io.jans.as.server.audit.ApplicationAuditLogger;
import io.jans.as.server.model.audit.Action;
import io.jans.as.server.model.audit.OAuth2AuditLog;
import io.jans.as.server.model.common.AuthorizationGrant;
import io.jans.as.server.model.common.AuthorizationGrantList;
import io.jans.as.server.model.common.SessionId;
import io.jans.as.server.model.config.Constants;
import io.jans.as.server.service.ClientService;
import io.jans.as.server.service.CookieService;
import io.jans.as.server.service.GrantService;
import io.jans.as.server.service.RedirectionUriService;
import io.jans.as.server.service.SessionIdService;
import io.jans.as.server.service.external.ExternalApplicationSessionService;
import io.jans.as.server.service.external.ExternalEndSessionService;
import io.jans.as.server.service.external.context.EndSessionContext;
import io.jans.as.server.util.ServerUtil;
import io.jans.model.security.Identity;
import io.jans.util.Pair;
import io.jans.util.StringHelper;
import jakarta.inject.Inject;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.SecurityContext;
import jakarta.ws.rs.core.UriBuilder;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;

@Path("/")
/* loaded from: input_file:io/jans/as/server/session/ws/rs/EndSessionRestWebServiceImpl.class */
public class EndSessionRestWebServiceImpl implements EndSessionRestWebService {

    @Inject
    private Logger log;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private RedirectionUriService redirectionUriService;

    @Inject
    private AuthorizationGrantList authorizationGrantList;

    @Inject
    private ExternalApplicationSessionService externalApplicationSessionService;

    @Inject
    private ExternalEndSessionService externalEndSessionService;

    @Inject
    private SessionIdService sessionIdService;

    @Inject
    private CookieService cookieService;

    @Inject
    private ClientService clientService;

    @Inject
    private GrantService grantService;

    @Inject
    private Identity identity;

    @Inject
    private ApplicationAuditLogger applicationAuditLogger;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private LogoutTokenFactory logoutTokenFactory;

    @Override // io.jans.as.server.session.ws.rs.EndSessionRestWebService
    public Response requestEndSession(String str, String str2, String str3, String str4, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SecurityContext securityContext) {
        try {
            this.log.debug("Attempting to end session, idTokenHint: {}, postLogoutRedirectUri: {}, sid: {}, Is Secure = {}", new Object[]{str, str2, str4, Boolean.valueOf(securityContext.isSecure())});
            this.errorResponseFactory.validateComponentEnabled(ComponentType.END_SESSION);
            Jwt validateIdTokenHint = validateIdTokenHint(str, str2);
            validateSidRequestParameter(str4, str2);
            Pair<SessionId, AuthorizationGrant> pair = getPair(str, str4, httpServletRequest);
            if (pair.getFirst() == null) {
                throw new WebApplicationException(createErrorResponse(str2, EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION, "Failed to identify session by session_id query parameter or by session_id cookie."));
            }
            String validatePostLogoutRedirectUri = validatePostLogoutRedirectUri(str2, pair);
            validateSid(validatePostLogoutRedirectUri, validateIdTokenHint, (SessionId) pair.getFirst());
            endSession(pair, httpServletRequest, httpServletResponse);
            auditLogging(httpServletRequest, pair);
            Set<Client> ssoClients = getSsoClients(pair);
            HashSet newHashSet = Sets.newHashSet();
            HashMap newHashMap = Maps.newHashMap();
            for (Client client : ssoClients) {
                boolean z = false;
                for (String str5 : client.getAttributes().getBackchannelLogoutUri()) {
                    if (!Util.isNullOrEmpty(str5)) {
                        newHashMap.put(str5, client);
                        z = true;
                    }
                }
                if (!z) {
                    if (StringUtils.isNotBlank(client.getFrontChannelLogoutUri())) {
                        String frontChannelLogoutUri = client.getFrontChannelLogoutUri();
                        if (client.getFrontChannelLogoutSessionRequired().booleanValue()) {
                            frontChannelLogoutUri = EndSessionUtils.appendSid(frontChannelLogoutUri, ((SessionId) pair.getFirst()).getOutsideSid(), this.appConfiguration.getIssuer());
                        }
                        newHashSet.add(frontChannelLogoutUri);
                    }
                }
            }
            backChannel(newHashMap, (AuthorizationGrant) pair.getSecond(), (SessionId) pair.getFirst());
            String addStateInPostLogoutRedirectUri = addStateInPostLogoutRedirectUri(validatePostLogoutRedirectUri, str3);
            if (!newHashSet.isEmpty() || !StringUtils.isNotBlank(addStateInPostLogoutRedirectUri)) {
                return httpBased(newHashSet, addStateInPostLogoutRedirectUri, str3, pair, httpServletRequest);
            }
            this.log.trace("No frontchannel_redirect_uri's found in clients involved in SSO.");
            try {
                this.log.trace("Redirect to postlogout_redirect_uri: " + addStateInPostLogoutRedirectUri);
                return Response.status(Response.Status.FOUND).location(new URI(addStateInPostLogoutRedirectUri)).build();
            } catch (URISyntaxException e) {
                String str6 = "Failed to create URI for " + addStateInPostLogoutRedirectUri + " postlogout_redirect_uri.";
                this.log.error(str6);
                return Response.status(Response.Status.BAD_REQUEST).entity(this.errorResponseFactory.errorAsJson(EndSessionErrorResponseType.INVALID_REQUEST, str6)).build();
            }
        } catch (Exception e2) {
            if (this.log.isErrorEnabled()) {
                this.log.error(e2.getMessage(), e2);
            }
            throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(this.errorResponseFactory.getJsonErrorResponse(GluuErrorResponseType.SERVER_ERROR)).build());
        } catch (WebApplicationException e3) {
            if (e3.getResponse() != null) {
                return e3.getResponse();
            }
            throw e3;
        }
    }

    private String addStateInPostLogoutRedirectUri(String str, String str2) {
        return (StringUtils.isBlank(str) || StringUtils.isBlank(str2)) ? str : UriBuilder.fromUri(str).queryParam("state", new Object[]{str2}).build(new Object[0]).toString();
    }

    private void validateSid(String str, Jwt jwt, SessionId sessionId) {
        if (jwt == null) {
            return;
        }
        String claimAsString = jwt.getClaims().getClaimAsString("sid");
        if (!StringUtils.isNotBlank(claimAsString) || claimAsString.equals(sessionId.getOutsideSid())) {
            return;
        }
        this.log.error("sid in id_token_hint does not match sid of the session. id_token_hint sid: {}, session sid: {}", claimAsString, sessionId.getOutsideSid());
        throw new WebApplicationException(createErrorResponse(str, EndSessionErrorResponseType.INVALID_REQUEST, "sid in id_token_hint does not match sid of the session"));
    }

    private void backChannel(Map<String, Client> map, AuthorizationGrant authorizationGrant, SessionId sessionId) {
        if (map.isEmpty()) {
            return;
        }
        this.log.trace("backchannel_redirect_uri's: " + map);
        User user = authorizationGrant != null ? authorizationGrant.getUser() : null;
        if (user == null) {
            user = this.sessionIdService.getUser(sessionId);
        }
        ExecutorService executorService = EndSessionUtils.getExecutorService();
        for (Map.Entry<String, Client> entry : map.entrySet()) {
            JsonWebResponse createLogoutToken = this.logoutTokenFactory.createLogoutToken(entry.getValue(), sessionId.getOutsideSid(), user);
            if (createLogoutToken == null) {
                this.log.error("Failed to create logout_token for client: " + entry.getValue().getClientId());
                return;
            }
            executorService.execute(() -> {
                EndSessionUtils.callRpWithBackchannelUri((String) entry.getKey(), createLogoutToken.toString());
            });
        }
        executorService.shutdown();
        try {
            executorService.awaitTermination(30L, TimeUnit.SECONDS);
            this.log.trace("Finished backchannel calls.");
        } catch (InterruptedException e) {
            this.log.error("Thread is interrupted.");
            Thread.currentThread().interrupt();
            throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(this.errorResponseFactory.getJsonErrorResponse(GluuErrorResponseType.SERVER_ERROR)).build());
        }
    }

    private Response createErrorResponse(String str, EndSessionErrorResponseType endSessionErrorResponseType, String str2) {
        this.log.debug(str2);
        try {
            if (allowPostLogoutRedirect(str)) {
                if (ErrorHandlingMethod.REMOTE == this.appConfiguration.getErrorHandlingMethod()) {
                    str = str + (str.contains("?") ? "&" : "?") + this.errorResponseFactory.getErrorAsQueryString(endSessionErrorResponseType, "", str2);
                }
                return Response.status(Response.Status.FOUND).location(new URI(str)).build();
            }
        } catch (URISyntaxException e) {
            this.log.error("Can't perform redirect", e);
        }
        return Response.status(Response.Status.BAD_REQUEST).entity(this.errorResponseFactory.errorAsJson(endSessionErrorResponseType, str2)).build();
    }

    private boolean allowPostLogoutRedirect(String str) {
        Boolean allowPostLogoutRedirectWithoutValidation;
        return !StringUtils.isBlank(str) && (allowPostLogoutRedirectWithoutValidation = this.appConfiguration.getAllowPostLogoutRedirectWithoutValidation()) != null && allowPostLogoutRedirectWithoutValidation.booleanValue() && new URLPatternList(this.appConfiguration.getClientWhiteList()).isUrlListed(str);
    }

    private void validateSidRequestParameter(String str, String str2) {
        if (StringUtils.isNotBlank(str) && this.sessionIdService.getSessionBySid(str) == null) {
            this.log.error("sid parameter in request is not valid. Logout is rejected. sid parameter in request can be skipped or otherwise valid value must be provided.");
            throw new WebApplicationException(createErrorResponse(str2, EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION, "sid parameter in request is not valid. Logout is rejected. sid parameter in request can be skipped or otherwise valid value must be provided."));
        }
    }

    private Jwt validateIdTokenHint(String str, String str2) {
        if (this.appConfiguration.getForceIdTokenHintPrecense().booleanValue() && StringUtils.isBlank(str)) {
            this.log.trace("id_token_hint is not set");
            throw new WebApplicationException(createErrorResponse(str2, EndSessionErrorResponseType.INVALID_REQUEST, "id_token_hint is not set"));
        }
        AuthorizationGrant tokenHintGrant = getTokenHintGrant(str);
        if (this.appConfiguration.getForceIdTokenHintPrecense().booleanValue() && tokenHintGrant == null) {
            this.log.trace("id_token_hint is not set");
            throw new WebApplicationException(createErrorResponse(str2, EndSessionErrorResponseType.INVALID_REQUEST, "id_token_hint is not set"));
        }
        if (!StringUtils.isNotBlank(str)) {
            return null;
        }
        if (tokenHintGrant == null) {
            throw new WebApplicationException(createErrorResponse(str2, EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION, "id_token_hint is not valid. Logout is rejected. id_token_hint can be skipped or otherwise valid value must be provided."));
        }
        try {
            return Jwt.parse(str);
        } catch (InvalidJwtException e) {
            this.log.error("Unable to parse id_token_hint as JWT.", e);
            throw new WebApplicationException(createErrorResponse(str2, EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION, "Unable to parse id_token_hint as JWT."));
        }
    }

    private AuthorizationGrant getTokenHintGrant(String str) {
        if (StringUtils.isBlank(str)) {
            return null;
        }
        AuthorizationGrant authorizationGrantByIdToken = this.authorizationGrantList.getAuthorizationGrantByIdToken(str);
        if (authorizationGrantByIdToken != null) {
            return authorizationGrantByIdToken;
        }
        Boolean endSessionWithAccessToken = this.appConfiguration.getEndSessionWithAccessToken();
        if (endSessionWithAccessToken == null || !endSessionWithAccessToken.booleanValue()) {
            return null;
        }
        return this.authorizationGrantList.getAuthorizationGrantByAccessToken(str);
    }

    private String validatePostLogoutRedirectUri(String str, Pair<SessionId, AuthorizationGrant> pair) {
        try {
            if (StringUtils.isBlank(str)) {
                return "";
            }
            if (this.appConfiguration.getAllowPostLogoutRedirectWithoutValidation().booleanValue()) {
                this.log.trace("Skipped post_logout_redirect_uri validation (because allowPostLogoutRedirectWithoutValidation=true)");
                return str;
            }
            String validatePostLogoutRedirectUri = pair.getSecond() == null ? this.redirectionUriService.validatePostLogoutRedirectUri((SessionId) pair.getFirst(), str) : this.redirectionUriService.validatePostLogoutRedirectUri(((AuthorizationGrant) pair.getSecond()).getClient().getClientId(), str);
            if (StringUtils.isBlank(validatePostLogoutRedirectUri)) {
                this.log.trace("Failed to validate post_logout_redirect_uri.");
                throw new WebApplicationException(createErrorResponse(str, EndSessionErrorResponseType.POST_LOGOUT_URI_NOT_ASSOCIATED_WITH_CLIENT, ""));
            }
            if (StringUtils.isNotBlank(validatePostLogoutRedirectUri)) {
                return validatePostLogoutRedirectUri;
            }
            this.log.trace("Unable to validate post_logout_redirect_uri.");
            throw new WebApplicationException(createErrorResponse(str, EndSessionErrorResponseType.POST_LOGOUT_URI_NOT_ASSOCIATED_WITH_CLIENT, ""));
        } catch (WebApplicationException e) {
            if (pair.getFirst() == null) {
                throw e;
            }
            this.log.error(e.getMessage(), e);
            throw new WebApplicationException(createErrorResponse(str, EndSessionErrorResponseType.POST_LOGOUT_URI_NOT_ASSOCIATED_WITH_CLIENT, ""));
        }
    }

    private Response httpBased(Set<String> set, String str, String str2, Pair<SessionId, AuthorizationGrant> pair, HttpServletRequest httpServletRequest) {
        try {
            String frontchannelHtml = this.externalEndSessionService.getFrontchannelHtml(new EndSessionContext(httpServletRequest, set, str, (SessionId) pair.getFirst()));
            if (StringUtils.isNotBlank(frontchannelHtml)) {
                this.log.debug("HTML from `getFrontchannelHtml` external script: " + frontchannelHtml);
                return okResponse(frontchannelHtml);
            }
        } catch (Exception e) {
            this.log.error(e.getMessage(), e);
        }
        String createFronthannelHtml = EndSessionUtils.createFronthannelHtml(set, str, str2);
        this.log.debug("Constructed html logout page: " + createFronthannelHtml);
        return okResponse(createFronthannelHtml);
    }

    private Response okResponse(String str) {
        return Response.ok().cacheControl(ServerUtil.cacheControl(true, true)).header("Pragma", "no-cache").type(MediaType.TEXT_HTML_TYPE).entity(str).build();
    }

    private Pair<SessionId, AuthorizationGrant> getPair(String str, String str2, HttpServletRequest httpServletRequest) {
        Boolean endSessionWithAccessToken;
        AuthorizationGrant authorizationGrantByIdToken = this.authorizationGrantList.getAuthorizationGrantByIdToken(str);
        if (authorizationGrantByIdToken == null && (endSessionWithAccessToken = this.appConfiguration.getEndSessionWithAccessToken()) != null && endSessionWithAccessToken.booleanValue()) {
            authorizationGrantByIdToken = this.authorizationGrantList.getAuthorizationGrantByAccessToken(str);
        }
        SessionId sessionId = null;
        try {
            String sessionIdFromCookie = this.cookieService.getSessionIdFromCookie(httpServletRequest);
            if (StringHelper.isNotEmpty(sessionIdFromCookie)) {
                sessionId = this.sessionIdService.getSessionId(sessionIdFromCookie);
            }
            if (StringUtils.isNotBlank(str2) && sessionId == null) {
                sessionId = this.sessionIdService.getSessionBySid(str2);
            }
        } catch (Exception e) {
            this.log.error("Failed to current session id.", e);
        }
        return new Pair<>(sessionId, authorizationGrantByIdToken);
    }

    private void endSession(Pair<SessionId, AuthorizationGrant> pair, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        removeConsentSessionId(httpServletRequest, httpServletResponse);
        removeSessionId(pair, httpServletResponse);
        boolean z = false;
        boolean isEnabled = this.externalApplicationSessionService.isEnabled();
        if (isEnabled) {
            String str = ((SessionId) pair.getFirst()).getSessionAttributes().get(Constants.AUTHENTICATED_USER);
            z = this.externalApplicationSessionService.executeExternalEndSessionMethods(httpServletRequest, (SessionId) pair.getFirst());
            this.log.info("End session result for '{}': '{}'", str, Boolean.valueOf(z));
        }
        boolean z2 = isEnabled && z;
        if (isEnabled && !z2) {
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.UNAUTHORIZED, EndSessionErrorResponseType.INVALID_GRANT, "External logout is present but executed external logout script returned failed result.");
        }
        this.grantService.logout(((SessionId) pair.getFirst()).getDn());
        if (this.identity != null) {
            this.identity.logout();
        }
    }

    private Set<Client> getSsoClients(Pair<SessionId, AuthorizationGrant> pair) {
        SessionId sessionId = (SessionId) pair.getFirst();
        AuthorizationGrant authorizationGrant = (AuthorizationGrant) pair.getSecond();
        if (sessionId == null) {
            this.log.error("session_id is not passed to endpoint (as cookie or manually). Therefore unable to match clients for session_id.");
            return Sets.newHashSet();
        }
        Set<Client> client = sessionId.getPermissionGrantedMap() != null ? this.clientService.getClient((Collection<String>) sessionId.getPermissionGrantedMap().getClientIds(true), true) : Sets.newHashSet();
        if (authorizationGrant != null) {
            client.add(authorizationGrant.getClient());
        }
        return client;
    }

    private void removeSessionId(Pair<SessionId, AuthorizationGrant> pair, HttpServletResponse httpServletResponse) {
        try {
            try {
                if (!this.sessionIdService.remove((SessionId) pair.getFirst())) {
                    this.log.error("Failed to remove session_id '{}'", ((SessionId) pair.getFirst()).getId());
                }
            } catch (Exception e) {
                this.log.error(e.getMessage(), e);
                this.cookieService.removeSessionIdCookie(httpServletResponse);
                this.cookieService.removeOPBrowserStateCookie(httpServletResponse);
            }
        } finally {
            this.cookieService.removeSessionIdCookie(httpServletResponse);
            this.cookieService.removeOPBrowserStateCookie(httpServletResponse);
        }
    }

    private void removeConsentSessionId(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            try {
                String consentSessionIdFromCookie = this.cookieService.getConsentSessionIdFromCookie(httpServletRequest);
                if (StringHelper.isNotEmpty(consentSessionIdFromCookie)) {
                    SessionId sessionId = this.sessionIdService.getSessionId(consentSessionIdFromCookie);
                    if (sessionId == null) {
                        this.log.error("Failed to load session by consent_session_id: '{}'", consentSessionIdFromCookie);
                    } else if (!this.sessionIdService.remove(sessionId)) {
                        this.log.error("Failed to remove consent_session_id '{}'", consentSessionIdFromCookie);
                    }
                }
                this.cookieService.removeConsentSessionIdCookie(httpServletResponse);
            } catch (Exception e) {
                this.log.error(e.getMessage(), e);
                this.cookieService.removeConsentSessionIdCookie(httpServletResponse);
            }
        } catch (Throwable th) {
            this.cookieService.removeConsentSessionIdCookie(httpServletResponse);
            throw th;
        }
    }

    private void auditLogging(HttpServletRequest httpServletRequest, Pair<SessionId, AuthorizationGrant> pair) {
        SessionId sessionId = (SessionId) pair.getFirst();
        AuthorizationGrant authorizationGrant = (AuthorizationGrant) pair.getSecond();
        OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpServletRequest), Action.SESSION_DESTROYED);
        oAuth2AuditLog.setSuccess(true);
        if (authorizationGrant != null) {
            oAuth2AuditLog.setClientId(authorizationGrant.getClientId());
            oAuth2AuditLog.setScope(StringUtils.join(authorizationGrant.getScopes(), " "));
            oAuth2AuditLog.setUsername(authorizationGrant.getUserId());
        } else if (sessionId != null) {
            oAuth2AuditLog.setClientId(sessionId.getPermissionGrantedMap().getClientIds(true).toString());
            oAuth2AuditLog.setScope(sessionId.getSessionAttributes().get("scope"));
            oAuth2AuditLog.setUsername(sessionId.getUserDn());
        }
        this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
    }
}
