package io.jans.as.server.session.ws.rs;

import io.jans.as.common.model.session.SessionId;
import io.jans.as.model.common.FeatureFlagType;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.userinfo.UserInfoErrorResponseType;
import io.jans.as.server.auth.DpopService;
import io.jans.as.server.model.common.AbstractToken;
import io.jans.as.server.model.common.AuthorizationGrant;
import io.jans.as.server.model.common.AuthorizationGrantList;
import io.jans.as.server.model.common.DefaultScope;
import io.jans.as.server.model.common.ExecutionContext;
import io.jans.as.server.service.SessionIdService;
import io.jans.as.server.service.external.ExternalApplicationSessionService;
import io.jans.as.server.service.token.TokenService;
import io.jans.as.server.util.ServerUtil;
import jakarta.inject.Inject;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.HeaderParam;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.SecurityContext;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.StringUtils;
import org.json.JSONArray;
import org.json.JSONObject;
import org.slf4j.Logger;

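@Path("/session")
/**
 * JAX-RS endpoint that lists the active sessions belonging to the user who owns
 * the presented access token.
 *
 * <p>Request authorization is performed entirely in {@link #validateToken(String)}:
 * the Bearer token must resolve to a known grant, the access token must still be
 * valid, and the grant must carry the configured scope(s). Every failure is
 * reported as a JSON error body built by {@link #response(Response.Status, UserInfoErrorResponseType)}.
 */
public class SessionRestWebService {

    @Inject
    private Logger log;

    @Inject
    private TokenService tokenService;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private AuthorizationGrantList authorizationGrantList;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private SessionIdService sessionIdService;

    @Inject
    private ExternalApplicationSessionService externalApplicationSessionService;

    /**
     * Returns the active sessions of the user identified by the Bearer access token.
     *
     * @param str                 raw {@code Authorization} header value; only Bearer tokens are accepted
     * @param httpServletRequest  current servlet request, passed to the external script context
     * @param httpServletResponse current servlet response, passed to the external script context
     * @param securityContext     JAX-RS security context (not used by this method)
     * @return {@code 200} with a JSON array of session descriptors (see {@link #createJsonObject(SessionId)});
     *         {@code 400}/{@code 401}/{@code 403} are raised through {@link WebApplicationException}
     *         by {@link #validateToken(String)}; any other failure yields {@code 500} with an empty body
     */
    @POST
    @Produces({"application/json"})
    @Path("/active")
    public Response requestActiveSessions(@HeaderParam("Authorization") String str, @Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse, @Context SecurityContext securityContext) {
        try {
            this.errorResponseFactory.validateFeatureEnabled(FeatureFlagType.ACTIVE_SESSION);
            AuthorizationGrant grant = validateToken(getToken(str));

            ExecutionContext executionContext = new ExecutionContext(httpServletRequest, httpServletResponse);
            executionContext.setGrant(grant);
            executionContext.setUserSessions(getUserSessions(grant));

            JSONArray result = createJsonArray(executionContext);
            // The external script edits the array in place. A `false` return means its
            // edits must be discarded, so the array is rebuilt from the unmodified sessions.
            // (The original code had these branches inverted relative to its own log messages.)
            if (this.externalApplicationSessionService.modifyActiveSessionsResponse(result, executionContext)) {
                this.log.trace("Successfully run external modifyActiveSessionsResponse scripts.");
            } else {
                result = createJsonArray(executionContext);
                this.log.trace("Canceled changes made by external modifyActiveSessionsResponse script since method returned `false`.");
            }

            // Session data is per-user and must never be cached by shared caches.
            return Response.ok()
                    .cacheControl(ServerUtil.cacheControlWithNoStoreTransformAndPrivate())
                    .header(DpopService.PRAGMA, DpopService.NO_CACHE)
                    .type(MediaType.APPLICATION_JSON_TYPE)
                    .entity(result.toString())
                    .build();
        } catch (WebApplicationException e) {
            // Already carries the intended status and JSON error body; must be caught
            // before the generic handler or it would be downgraded to a 500.
            throw e;
        } catch (Exception e) {
            this.log.error(e.getMessage(), e);
            return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
        }
    }

    /**
     * Looks up the sessions of the user referenced by the grant.
     *
     * @param authorizationGrant validated grant
     * @return sessions found for the grant's user DN, or an empty list when the grant has no user DN
     */
    private List<SessionId> getUserSessions(AuthorizationGrant authorizationGrant) {
        String userDn = authorizationGrant.getUserDn();
        if (StringUtils.isBlank(userDn)) {
            // Without a user DN there is nothing to look up; treat as "no sessions" rather than failing.
            this.log.warn("User DN is not set in grant object, grant id: {}", authorizationGrant.getGrantId());
            return new ArrayList<>();
        }
        return this.sessionIdService.findByUser(userDn);
    }

    /**
     * Serializes every session in the execution context into a JSON array.
     *
     * @param executionContext context whose user sessions are serialized
     * @return a new array with one object per session, in iteration order
     */
    private JSONArray createJsonArray(ExecutionContext executionContext) {
        JSONArray result = new JSONArray();
        for (SessionId sessionId : executionContext.getUserSessions()) {
            result.put(createJsonObject(sessionId));
        }
        return result;
    }

    /**
     * Serializes one session. Only the fields that are set on the session are emitted.
     *
     * <p>Keys: {@code last_used_at}, {@code iat}, {@code exp}, {@code authn_time} (all seconds since
     * epoch) and {@code sid} (the outside session id). Internal identifiers are deliberately not exposed.
     *
     * @param sessionId session to serialize
     * @return JSON object describing the session
     */
    private JSONObject createJsonObject(SessionId sessionId) {
        Date expirationDate = sessionId.getExpirationDate();
        Date creationDate = sessionId.getCreationDate();
        Date lastUsedAt = sessionId.getLastUsedAt();
        String outsideSid = sessionId.getOutsideSid();
        Date authenticationTime = sessionId.getAuthenticationTime();

        JSONObject result = new JSONObject();
        if (lastUsedAt != null) {
            result.put("last_used_at", dateAsSeconds(lastUsedAt));
        }
        if (creationDate != null) {
            result.put("iat", dateAsSeconds(creationDate));
        }
        if (expirationDate != null) {
            result.put("exp", dateAsSeconds(expirationDate));
        }
        if (StringUtils.isNotBlank(outsideSid)) {
            result.put("sid", outsideSid);
        }
        if (authenticationTime != null) {
            // Emit the authentication time itself; the original wrote the sid under this key.
            result.put("authn_time", dateAsSeconds(authenticationTime));
        }
        return result;
    }

    /**
     * Converts a date to whole seconds since the epoch.
     *
     * @param date date to convert, may be {@code null}
     * @return seconds since epoch, or {@code -1} for {@code null}; a {@code long} so values past
     *         2038-01-19 do not wrap as the former {@code int} result did
     */
    private static long dateAsSeconds(Date date) {
        if (date == null) {
            return -1;
        }
        return date.getTime() / 1000;
    }

    /**
     * Resolves the access token to its grant and enforces validity and scope requirements.
     *
     * @param str bearer access token, may be {@code null} or blank
     * @return the grant that issued the token
     * @throws WebApplicationException {@code 400} when the token is missing, {@code 401} when no grant
     *         owns it or the token is no longer valid, {@code 403} when the required scope is absent
     */
    private AuthorizationGrant validateToken(String str) {
        if (StringUtils.isBlank(str)) {
            throw new WebApplicationException(response(Response.Status.BAD_REQUEST, UserInfoErrorResponseType.INVALID_TOKEN));
        }

        AuthorizationGrant grant = this.authorizationGrantList.getAuthorizationGrantByAccessToken(str);
        if (grant == null) {
            // NOTE: this trace line includes the raw access token value; keep trace logging
            // disabled outside of debugging sessions so tokens do not land in log files.
            this.log.trace("Failed to find authorization grant by access_token: {}", str);
            throw new WebApplicationException(response(Response.Status.UNAUTHORIZED, UserInfoErrorResponseType.INVALID_TOKEN));
        }

        AbstractToken accessToken = grant.getAccessToken(str);
        if (accessToken == null || !accessToken.isValid()) {
            // Same caveat as above: the raw token is logged at trace level.
            this.log.trace("Invalid access token object, access_token: {}, isNull: {}, isValid: {}", str, accessToken == null, false);
            throw new WebApplicationException(response(Response.Status.UNAUTHORIZED, UserInfoErrorResponseType.INVALID_TOKEN));
        }

        Set<String> scopes = grant.getScopes();
        // The openid scope is mandatory unless backward compatibility is switched on.
        // BooleanUtils.isFalse(null) is false, so an unset flag skips this check.
        if (BooleanUtils.isFalse(this.appConfiguration.getOpenidScopeBackwardCompatibility()) && !scopes.contains(DefaultScope.OPEN_ID.toString())) {
            throw new WebApplicationException(response(Response.Status.FORBIDDEN, UserInfoErrorResponseType.INSUFFICIENT_SCOPE));
        }

        // An additional, configurable scope may be required for this endpoint; blank means none.
        String requiredScope = this.appConfiguration.getActiveSessionAuthorizationScope();
        if (StringUtils.isNotBlank(requiredScope) && !scopes.contains(requiredScope)) {
            this.log.trace("Required scope {} is not present.", requiredScope);
            throw new WebApplicationException(response(Response.Status.FORBIDDEN, UserInfoErrorResponseType.INSUFFICIENT_SCOPE));
        }
        return grant;
    }

    /**
     * Builds an error response with a JSON body and private/no-store cache headers.
     *
     * @param status                    HTTP status to return
     * @param userInfoErrorResponseType error code to serialize
     * @return the finished response
     */
    private Response response(Response.Status status, UserInfoErrorResponseType userInfoErrorResponseType) {
        return Response.status(status)
                .entity(this.errorResponseFactory.errorAsJson(userInfoErrorResponseType, (String) null))
                .type(MediaType.APPLICATION_JSON_TYPE)
                .cacheControl(ServerUtil.cacheControlWithNoStoreTransformAndPrivate())
                .build();
    }

    /**
     * Extracts the bearer token from an {@code Authorization} header.
     *
     * @param str raw header value, may be {@code null}
     * @return the token, or {@code null} when the header is not a Bearer credential
     *         (which {@link #validateToken(String)} then rejects with {@code 400})
     */
    private String getToken(String str) {
        if (!this.tokenService.isBearerAuthToken(str)) {
            return null;
        }
        return this.tokenService.getBearerToken(str);
    }
}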
