package pl.edu.icm.unity.oauth.as.token;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import java.util.Arrays;
import javax.ws.rs.FormParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.WrongArgumentException;
import pl.edu.icm.unity.oauth.as.OAuthProcessor;
import pl.edu.icm.unity.oauth.as.OAuthToken;
import pl.edu.icm.unity.server.api.internal.SessionManagement;
import pl.edu.icm.unity.server.api.internal.Token;
import pl.edu.icm.unity.server.api.internal.TokensManagement;
import pl.edu.icm.unity.types.authn.AuthenticationRealm;
import pl.edu.icm.unity.types.basic.EntityParam;

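/**
 * JAX-RS resource that handles OAuth access token revocation requests.
 *
 * <p>The form parameters ({@code token}, {@code token_type_hint}) and the
 * {@code unsupported_token_type} error code match the names used by RFC 7009. Two extra
 * parameters are used here: {@code client_id}, which must match the client the token was issued
 * to, and {@code logout}, which additionally requests removal of the token owner's session.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>No client authentication is performed in this class. The only binding visible here is
 *       the comparison of the {@code client_id} form parameter with the client username stored
 *       in the token. NOTE(review): confirm whether the endpoint is additionally protected by
 *       the base class or by the container configuration.</li>
 *   <li>An unknown token yields HTTP 200, while a known token presented with a different
 *       {@code client_id} yields {@code invalid_client}, so the two cases are distinguishable
 *       to the caller.</li>
 *   <li>Ignored exceptions are not logged. If logging is added, the raw token value must not be
 *       written to the log.</li>
 * </ul>
 */
@Produces({"application/json"})
@Path(OAuthTokenEndpoint.TOKEN_REVOCATION_PATH)
public class RevocationResource extends BaseOAuthResource {
    public static final String TOKEN_TYPE = "token_type_hint";
    public static final String TOKEN_TYPE_AC = "access_token";
    public static final String UNSUPPORTED_TOKEN_TYPE_ERROR = "unsupported_token_type";
    public static final String TOKEN = "token";
    public static final String CLIENT = "client_id";
    public static final String LOGOUT = "logout";
    public static final String LOGOUT_SCOPE = "single-logout";

    // Collaborators are assigned once in the constructor and never replaced.
    private final TokensManagement tokensManagement;
    private final SessionManagement sessionManagement;
    private final AuthenticationRealm realm;

    /**
     * Creates the resource.
     *
     * @param tokensManagement used to look up and remove internal access tokens
     * @param sessionManagement used to remove the token owner's session when logout is requested
     * @param authenticationRealm realm whose name selects the session to remove
     */
    public RevocationResource(TokensManagement tokensManagement, SessionManagement sessionManagement, AuthenticationRealm authenticationRealm) {
        this.tokensManagement = tokensManagement;
        this.sessionManagement = sessionManagement;
        this.realm = authenticationRealm;
    }

    /**
     * Revokes an access token and, optionally, the session of its owner.
     *
     * @param token value of the access token to revoke; required
     * @param clientId identifier of the requesting client; required, and must equal the client
     *     username recorded in the token
     * @param tokenTypeHint optional; when present it must be {@code access_token}
     * @param logout when exactly {@code "true"}, the owner's session is removed as well, which
     *     requires the token to carry the {@code single-logout} scope
     * @return HTTP 200 on success and also when the token is unknown; an OAuth error response
     *     when a required parameter is missing, the token type is unsupported, the client does
     *     not match, or logout is requested without the required scope
     * @throws EngineException propagated from token or session management, except for
     *     {@link WrongArgumentException}, which is handled here
     * @throws JsonProcessingException declared by the original signature; presumably raised
     *     while parsing the stored token or building a response
     */
    @POST
    @Path("/")
    public Response revoke(@FormParam(TOKEN) String token, @FormParam(CLIENT) String clientId, @FormParam(TOKEN_TYPE) String tokenTypeHint, @FormParam(LOGOUT) String logout) throws EngineException, JsonProcessingException {
        if (token == null) {
            return makeError(OAuth2Error.INVALID_REQUEST, "To access the token revocation endpoint a token must be provided");
        }
        if (clientId == null) {
            return makeError(OAuth2Error.INVALID_REQUEST, "To access the token revocation endpoint a client_id must be provided");
        }
        if (tokenTypeHint != null && !TOKEN_TYPE_AC.equals(tokenTypeHint)) {
            return makeError(new ErrorObject(UNSUPPORTED_TOKEN_TYPE_ERROR, "Invalid request", 400), "Only access_token type of token is supported");
        }
        try {
            Token internalToken = this.tokensManagement.getTokenById(OAuthProcessor.INTERNAL_ACCESS_TOKEN, token);
            OAuthToken parsedToken = parseInternalToken(internalToken);

            // A client may only revoke tokens that were issued to it.
            if (!clientId.equals(parsedToken.getClientUsername())) {
                return makeError(OAuth2Error.INVALID_CLIENT, "Wrong client/token");
            }

            // The session is removed before the token. When the scope check fails the error is
            // returned immediately and the token itself is left in place.
            if ("true".equals(logout)) {
                Response logoutError = killSession(parsedToken, internalToken.getOwner().longValue());
                if (logoutError != null) {
                    return logoutError;
                }
            }

            try {
                this.tokensManagement.removeToken(OAuthProcessor.INTERNAL_ACCESS_TOKEN, token);
            } catch (WrongArgumentException ignored) {
                // Deliberately ignored: presumably the token disappeared between the lookup
                // above and this call, in which case the desired end state is already reached.
            }
            return toResponse(Response.ok());
        } catch (WrongArgumentException ignored) {
            // Deliberately answered with 200: an unknown token is treated as already revoked,
            // so the response does not signal an error for an invalid token value.
            return toResponse(Response.ok());
        }
    }

    /**
     * Removes the session owned by the token's owner in this resource's realm, provided the
     * token carries the {@code single-logout} scope.
     *
     * @param oAuthToken parsed token whose scopes are checked
     * @param ownerEntityId entity id of the token owner
     * @return {@code null} when the scope is present (whether or not a session was actually
     *     removed); an {@code invalid_scope} error response otherwise
     * @throws EngineException propagated from session management, except for
     *     {@link WrongArgumentException}
     */
    private Response killSession(OAuthToken oAuthToken, long ownerEntityId) throws EngineException {
        boolean logoutAllowed = oAuthToken.getScope() != null
                && Arrays.stream(oAuthToken.getScope()).anyMatch(LOGOUT_SCOPE::equals);
        if (!logoutAllowed) {
            // The misspelling in the message is kept as-is because it is part of the response
            // body that existing clients may already see.
            return makeError(OAuth2Error.INVALID_SCOPE, "Insufficent scope to perform full logout.");
        }
        try {
            // NOTE(review): the meaning of the boolean passed to removeSession is not visible
            // in this file - confirm against SessionManagement.
            this.sessionManagement.removeSession(this.sessionManagement.getOwnedSession(new EntityParam(Long.valueOf(ownerEntityId)), this.realm.getName()).getId(), true);
            return null;
        } catch (WrongArgumentException ignored) {
            // Deliberately ignored: presumably there is no session to remove for this owner and
            // realm, so the logout part of the request has nothing left to do.
            return null;
        }
    }
}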
