package org.apache.nifi.web.security.oidc.logout;

import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Objects;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.nifi.admin.service.IdpUserGroupService;
import org.apache.nifi.web.security.cookie.ApplicationCookieName;
import org.apache.nifi.web.security.cookie.ApplicationCookieService;
import org.apache.nifi.web.security.cookie.StandardApplicationCookieService;
import org.apache.nifi.web.security.logout.LogoutRequest;
import org.apache.nifi.web.security.logout.LogoutRequestManager;
import org.apache.nifi.web.security.oidc.client.web.OidcAuthorizedClient;
import org.apache.nifi.web.security.oidc.client.web.OidcRegistrationProperty;
import org.apache.nifi.web.security.oidc.revocation.TokenRevocationRequest;
import org.apache.nifi.web.security.oidc.revocation.TokenRevocationResponseClient;
import org.apache.nifi.web.security.oidc.revocation.TokenTypeHint;
import org.apache.nifi.web.security.token.LogoutAuthenticationToken;
import org.apache.nifi.web.util.RequestUriBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:org/apache/nifi/web/security/oidc/logout/OidcLogoutSuccessHandler.class */
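/**
 * Logout Success Handler for OpenID Connect sessions.
 *
 * <p>On a successful local logout it deletes the IdP-provided group memberships of the user, drops the
 * stored Authorized Client, asks the provider to revoke the Refresh Token and Access Token, and then
 * redirects the browser either to the provider {@code end_session_endpoint} (OpenID Connect RP-Initiated
 * Logout) or, when the provider does not advertise one, straight to the local logout-complete page.
 */
public class OidcLogoutSuccessHandler implements LogoutSuccessHandler {
    /** Provider configuration metadata key for the RP-Initiated Logout endpoint */
    static final String END_SESSION_ENDPOINT = "end_session_endpoint";

    /** Local page the browser lands on once logout has finished */
    private static final String LOGOUT_COMPLETE_PATH = "/nifi/logout-complete";

    private static final String ID_TOKEN_HINT_PARAMETER = "id_token_hint";

    private static final String POST_LOGOUT_REDIRECT_URI_PARAMETER = "post_logout_redirect_uri";

    /** HTTP status a revocation endpoint returns when the token is revoked or already invalid (RFC 7009) */
    private static final int REVOCATION_SUCCESS_STATUS = 200;

    private static final Logger logger = LoggerFactory.getLogger(OidcLogoutSuccessHandler.class);

    private final ApplicationCookieService applicationCookieService = new StandardApplicationCookieService();

    private final LogoutRequestManager logoutRequestManager;

    private final IdpUserGroupService idpUserGroupService;

    private final ClientRegistrationRepository clientRegistrationRepository;

    private final OAuth2AuthorizedClientRepository authorizedClientRepository;

    private final TokenRevocationResponseClient tokenRevocationResponseClient;

    /**
     * OIDC Logout Success Handler with required collaborators
     *
     * @param logoutRequestManager Logout Request Manager holding in-flight logout requests by identifier
     * @param idpUserGroupService User Group Service from which IdP-provided groups are deleted on logout
     * @param clientRegistrationRepository Client Registration Repository providing the OIDC registration
     * @param oAuth2AuthorizedClientRepository Authorized Client Repository holding tokens for the user
     * @param tokenRevocationResponseClient Client used to call the provider token revocation endpoint
     * @throws NullPointerException Thrown when any collaborator is null
     */
    public OidcLogoutSuccessHandler(
            final LogoutRequestManager logoutRequestManager,
            final IdpUserGroupService idpUserGroupService,
            final ClientRegistrationRepository clientRegistrationRepository,
            final OAuth2AuthorizedClientRepository oAuth2AuthorizedClientRepository,
            final TokenRevocationResponseClient tokenRevocationResponseClient
    ) {
        this.logoutRequestManager = Objects.requireNonNull(logoutRequestManager, "Logout Request Manager required");
        this.idpUserGroupService = Objects.requireNonNull(idpUserGroupService, "User Group Service required");
        this.clientRegistrationRepository = Objects.requireNonNull(clientRegistrationRepository, "Client Registration Repository required");
        this.authorizedClientRepository = Objects.requireNonNull(oAuth2AuthorizedClientRepository, "Authorized Client Repository required");
        this.tokenRevocationResponseClient = Objects.requireNonNull(tokenRevocationResponseClient, "Revocation Response Client required");
    }

    /**
     * Complete logout for the Logout Request identified by the {@code LOGOUT_REQUEST_IDENTIFIER} cookie.
     *
     * <p>When the cookie is absent this handler neither redirects nor writes anything to the response.
     * When the identifier is unknown to the Logout Request Manager the browser is sent to the local
     * logout-complete page without touching provider state.
     *
     * @param request HTTP request carrying the logout request identifier cookie
     * @param response HTTP response used for the redirect and for removing the Authorized Client
     * @param authentication Authentication provided by the logout filter; not used
     * @throws IOException Thrown on failure to send the redirect
     */
    @Override
    public void onLogoutSuccess(final HttpServletRequest request, final HttpServletResponse response, final Authentication authentication) throws IOException {
        final Optional<String> logoutRequestIdentifier = applicationCookieService.getCookieValue(request, ApplicationCookieName.LOGOUT_REQUEST_IDENTIFIER);
        if (!logoutRequestIdentifier.isPresent()) {
            return;
        }

        // The identifier is taken as-is from a client cookie: it is used only as a lookup key and in log output
        final String requestIdentifier = logoutRequestIdentifier.get();
        final LogoutRequest logoutRequest = logoutRequestManager.get(requestIdentifier);

        final String targetUrl;
        if (logoutRequest == null) {
            logger.warn("OIDC Logout Request [{}] not found", requestIdentifier);
            targetUrl = getPostLogoutRedirectUri(request);
        } else {
            final String mappedUserIdentity = logoutRequest.getMappedUserIdentity();
            // Group memberships learned from the IdP are dropped before provider-side logout is attempted
            idpUserGroupService.deleteUserGroups(mappedUserIdentity);
            targetUrl = processLogoutRequest(request, response, requestIdentifier, mappedUserIdentity);
        }

        response.sendRedirect(targetUrl);
    }

    /**
     * Remove local Authorized Client state, revoke provider tokens and compute the redirect target.
     *
     * <p>Local cleanup and token revocation run whenever an Authorized Client with an ID Token exists,
     * independent of whether the provider advertises a usable {@code end_session_endpoint}; a missing,
     * empty or malformed endpoint value only downgrades the redirect to the local logout-complete page.
     *
     * @param request HTTP request used to derive the post-logout redirect URI
     * @param response HTTP response passed to the Authorized Client Repository for cookie removal
     * @param requestIdentifier Logout Request identifier, used for log correlation only
     * @param userIdentity Mapped user identity owning the Authorized Client
     * @return Absolute URL the browser is redirected to
     */
    private String processLogoutRequest(
            final HttpServletRequest request,
            final HttpServletResponse response,
            final String requestIdentifier,
            final String userIdentity
    ) {
        final String registrationId = OidcRegistrationProperty.REGISTRATION_ID.getProperty();
        final ClientRegistration clientRegistration = clientRegistrationRepository.findByRegistrationId(registrationId);
        final OidcAuthorizedClient oidcAuthorizedClient = getOidcAuthorizedClient(clientRegistration, userIdentity, request);

        if (oidcAuthorizedClient == null) {
            // Without a stored ID Token there is nothing to hand to the provider: finish locally
            logger.warn("OIDC Logout Request [{}] Identity [{}] ID Token not found", requestIdentifier, userIdentity);
            return getPostLogoutRedirectUri(request);
        }

        final String targetUrl;
        final URI endSessionEndpoint = getEndSessionEndpoint(clientRegistration);
        if (endSessionEndpoint == null) {
            logger.debug("OIDC Logout Request [{}] Identity [{}] end_session_endpoint not provided", requestIdentifier, userIdentity);
            targetUrl = getPostLogoutRedirectUri(request);
        } else {
            final String idToken = oidcAuthorizedClient.getIdToken().getTokenValue();
            targetUrl = getEndSessionTargetUrl(endSessionEndpoint, idToken, getPostLogoutRedirectUri(request));
            logger.info("OIDC Logout Request [{}] Identity [{}] initiated", requestIdentifier, userIdentity);
        }

        // Local state is removed first; the tokens needed for revocation are already held in oidcAuthorizedClient.
        // NOTE(review): if getRevocationResponse can throw, the exception propagates past the redirect and the
        // provider session is never ended — confirm the revocation client reports transport failures as a status code
        authorizedClientRepository.removeAuthorizedClient(registrationId, new LogoutAuthenticationToken(userIdentity), request, response);
        processRefreshTokenRevocation(oidcAuthorizedClient, userIdentity);
        processAccessTokenRevocation(oidcAuthorizedClient, userIdentity);

        return targetUrl;
    }

    /**
     * Revoke the Access Token at the provider and log the outcome.
     *
     * @param oidcAuthorizedClient Authorized Client holding the Access Token
     * @param userIdentity Mapped user identity, used for log correlation only
     */
    private void processAccessTokenRevocation(final OidcAuthorizedClient oidcAuthorizedClient, final String userIdentity) {
        final String accessToken = oidcAuthorizedClient.getAccessToken().getTokenValue();
        final TokenRevocationRequest revocationRequest = new TokenRevocationRequest(accessToken, TokenTypeHint.ACCESS_TOKEN.getHint());
        final int statusCode = tokenRevocationResponseClient.getRevocationResponse(revocationRequest).getStatusCode();
        logger.info("Identity [{}] OIDC Access Token Revocation completed [HTTP {}]", userIdentity, statusCode);
        if (statusCode != REVOCATION_SUCCESS_STATUS) {
            // RFC 7009 defines 200 as the only success response: anything else means the token may still be valid at the provider
            logger.warn("Identity [{}] OIDC Access Token Revocation not confirmed [HTTP {}]", userIdentity, statusCode);
        }
    }

    /**
     * Revoke the Refresh Token at the provider when one was issued and log the outcome.
     *
     * @param oidcAuthorizedClient Authorized Client that may hold a Refresh Token
     * @param userIdentity Mapped user identity, used for log correlation only
     */
    private void processRefreshTokenRevocation(final OidcAuthorizedClient oidcAuthorizedClient, final String userIdentity) {
        final OAuth2RefreshToken refreshToken = oidcAuthorizedClient.getRefreshToken();
        if (refreshToken == null) {
            logger.debug("Identity [{}] OIDC Refresh Token not found for revocation", userIdentity);
            return;
        }

        final TokenRevocationRequest revocationRequest = new TokenRevocationRequest(refreshToken.getTokenValue(), TokenTypeHint.REFRESH_TOKEN.getHint());
        final int statusCode = tokenRevocationResponseClient.getRevocationResponse(revocationRequest).getStatusCode();
        logger.info("Identity [{}] OIDC Refresh Token Revocation completed [HTTP {}]", userIdentity, statusCode);
        if (statusCode != REVOCATION_SUCCESS_STATUS) {
            // RFC 7009 defines 200 as the only success response: anything else means the token may still be valid at the provider
            logger.warn("Identity [{}] OIDC Refresh Token Revocation not confirmed [HTTP {}]", userIdentity, statusCode);
        }
    }

    /**
     * Load the Authorized Client stored for the user and require it to carry OIDC tokens.
     *
     * @param clientRegistration Client Registration whose identifier keys the Authorized Client
     * @param userIdentity Mapped user identity used as the principal for the lookup
     * @param request HTTP request from which the repository may read its cookie or session state
     * @return OIDC Authorized Client, or null when none is stored or the stored client is not OIDC-aware
     */
    private OidcAuthorizedClient getOidcAuthorizedClient(final ClientRegistration clientRegistration, final String userIdentity, final HttpServletRequest request) {
        final OAuth2AuthorizedClient authorizedClient = authorizedClientRepository.loadAuthorizedClient(
                clientRegistration.getRegistrationId(), new LogoutAuthenticationToken(userIdentity), request);

        if (authorizedClient == null) {
            logger.warn("Identity [{}] OpenID Connect Authorized Client not found", userIdentity);
            return null;
        }
        if (authorizedClient instanceof OidcAuthorizedClient) {
            return (OidcAuthorizedClient) authorizedClient;
        }

        // A plain OAuth2AuthorizedClient has no ID Token, so RP-Initiated Logout cannot be performed with it
        logger.error("Identity [{}] OpenID Connect Authorized Client Class not found [{}]", userIdentity, authorizedClient.getClass());
        return null;
    }

    /**
     * Read the provider {@code end_session_endpoint} from discovered configuration metadata.
     *
     * <p>The metadata originates from the provider. A malformed value used to surface as an
     * {@link IllegalArgumentException} from {@link URI#create(String)} before the Authorized Client
     * was removed or any token revoked; it is now logged and treated as absent so local cleanup still runs.
     *
     * @param clientRegistration Client Registration carrying provider configuration metadata
     * @return Parsed endpoint, or null when the metadata entry is missing, empty or not a valid URI
     */
    private URI getEndSessionEndpoint(final ClientRegistration clientRegistration) {
        final Object endpointMetadata = clientRegistration.getProviderDetails().getConfigurationMetadata().get(END_SESSION_ENDPOINT);
        if (endpointMetadata == null) {
            return null;
        }

        final String endpoint = endpointMetadata.toString().trim();
        if (endpoint.isEmpty()) {
            // An empty value would otherwise produce a relative redirect carrying the ID Token back to this server
            logger.warn("OIDC Provider {} is empty: falling back to local logout", END_SESSION_ENDPOINT);
            return null;
        }

        try {
            return URI.create(endpoint);
        } catch (final IllegalArgumentException e) {
            logger.warn("OIDC Provider {} [{}] not a valid URI: falling back to local logout", END_SESSION_ENDPOINT, endpoint, e);
            return null;
        }
    }

    /**
     * Build the RP-Initiated Logout URL for the provider.
     *
     * <p>The ID Token travels in the query string as {@code id_token_hint}, so it becomes visible in browser
     * history and provider request logs; the provider is expected to match {@code post_logout_redirect_uri}
     * against the post-logout redirect URIs registered for this client.
     *
     * @param endSessionEndpoint Provider end-session endpoint
     * @param idToken Serialized ID Token of the session being ended
     * @param postLogoutRedirectUri Absolute URL the provider should send the browser back to
     * @return Encoded end-session URL
     */
    private String getEndSessionTargetUrl(final URI endSessionEndpoint, final String idToken, final String postLogoutRedirectUri) {
        return UriComponentsBuilder.fromUri(endSessionEndpoint)
                .queryParam(ID_TOKEN_HINT_PARAMETER, idToken)
                .queryParam(POST_LOGOUT_REDIRECT_URI_PARAMETER, postLogoutRedirectUri)
                .encode(StandardCharsets.UTF_8)
                .build()
                .toUriString();
    }

    /**
     * Build the absolute URL of the local logout-complete page.
     *
     * <p>Scheme, host and port are derived from the incoming request by {@link RequestUriBuilder}, so the
     * redirect target is only as trustworthy as that builder's handling of Host and proxy headers
     * (not visible here) — TODO confirm it restricts them to configured allowed hosts.
     *
     * @param request HTTP request used as the base for the URL
     * @return Absolute logout-complete URL
     */
    private String getPostLogoutRedirectUri(final HttpServletRequest request) {
        return RequestUriBuilder.fromHttpServletRequest(request).path(LOGOUT_COMPLETE_PATH).build().toString();
    }
}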
