package org.wso2.carbon.identity.oauth2.token.bindings.handlers;

import java.util.Arrays;
import java.util.Collections;
import java.util.Optional;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.event.IdentityEventConstants;
import org.wso2.carbon.identity.event.IdentityEventException;
import org.wso2.carbon.identity.event.event.Event;
import org.wso2.carbon.identity.event.handler.AbstractEventHandler;
import org.wso2.carbon.identity.oauth.OAuthUtil;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.OAuth2Constants;
import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.token.bindings.TokenBinder;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.openidconnect.model.Constants;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/bindings/handlers/TokenBindingExpiryEventHandler.class */
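/**
 * Revokes bound access tokens when an identity session is terminated or expires.
 *
 * <p>On a {@code SESSION_TERMINATE} or {@code SESSION_EXPIRE} event the handler derives a token
 * binding reference from the HTTP request carried by the event (through the application's
 * configured token binder and/or the {@code commonAuthId} cookie) and revokes the matching access
 * tokens of the last authenticated user. A token is revoked only when its application has token
 * revocation on IDP session termination enabled.
 *
 * <p>Neither cookie values nor access token values are written to the log by this class.
 */
public class TokenBindingExpiryEventHandler extends AbstractEventHandler {
    private static final Log log = LogFactory.getLog(TokenBindingExpiryEventHandler.class);

    /**
     * Revokes the tokens bound to the session that the given event reports as ended.
     *
     * <p>Events other than {@code SESSION_TERMINATE} and {@code SESSION_EXPIRE} are ignored.
     * Revocation failures are logged and not rethrown.
     *
     * @param event the identity event; its properties are read for the request and the
     *              authentication context
     * @throws IdentityEventException declared by the handler contract; not thrown by this body
     */
    @Override
    public void handleEvent(Event event) throws IdentityEventException {
        String eventName = event.getEventName();
        if (log.isDebugEnabled()) {
            log.debug(eventName + " event received to TokenBindingExpiryEventHandler.");
        }
        boolean sessionEnded = IdentityEventConstants.EventName.SESSION_TERMINATE.name().equals(eventName)
                || IdentityEventConstants.EventName.SESSION_EXPIRE.name().equals(eventName);
        if (!sessionEnded) {
            return;
        }

        HttpServletRequest request = getHttpRequestFromEvent(event);
        AuthenticationContext authenticationContext =
                (AuthenticationContext) event.getEventProperties().get("context");
        if (request == null) {
            // Without a request there is no binder value or cookie to derive a binding reference
            // from, so nothing is revoked on this path.
            if (log.isDebugEnabled()) {
                log.debug("No HTTP request in the " + eventName + " event. Skipping bound token revocation.");
            }
            return;
        }
        if (authenticationContext == null) {
            // The relying party and the user both come from the context. Dereferencing a missing
            // context would fail with a NullPointerException, so the skipped revocation is
            // reported here instead.
            log.warn("No authentication context in the " + eventName
                    + " event. Bound tokens were not revoked.");
            return;
        }

        // NOTE(review): a failure while resolving the application or its binding reference still
        // skips the commonAuthId-based revocation below; confirm that is intended.
        try {
            AuthenticatedUser lastUser = authenticationContext.getLastAuthenticatedUser();
            if ("oidc".equals(request.getParameter("type"))) {
                String relyingParty = authenticationContext.getRelyingParty();
                String tokenBindingType = OAuth2Util.getAppInformationByClientId(relyingParty).getTokenBindingType();
                if (tokenBindingType != null) {
                    revokeTokensForBindingType(request, lastUser, relyingParty, tokenBindingType);
                }
                // For every binding type except the SSO-session-based one, tokens bound to the
                // commonAuthId cookie are revoked as well.
                if (!OAuth2Constants.TokenBinderType.SSO_SESSION_BASED_TOKEN_BINDER.equals(tokenBindingType)) {
                    revokeTokensForCommonAuthCookie(request, lastUser);
                }
            } else {
                revokeTokensForCommonAuthCookie(request, lastUser);
            }
        } catch (IdentityOAuth2Exception | OAuthSystemException | InvalidOAuthClientException e) {
            log.error("Error while revoking the tokens on session termination.", e);
        }
    }

    /**
     * Returns the name of this handler.
     *
     * @return the fixed name {@code TokenBindingExpiryEventHandler}
     */
    @Override
    public String getName() {
        return "TokenBindingExpiryEventHandler";
    }

    /**
     * Reads the HTTP request stored in the event properties under {@code Constants.REQUEST}.
     *
     * @param event the identity event
     * @return the request, or {@code null} when the event carries none
     */
    private HttpServletRequest getHttpRequestFromEvent(Event event) {
        return (HttpServletRequest) event.getEventProperties().get(Constants.REQUEST);
    }

    /**
     * Revokes the user's tokens bound through the application's configured token binder.
     *
     * @param httpServletRequest the request the binding value is read from
     * @param authenticatedUser  the user whose tokens are revoked
     * @param consumerKey        the client id of the application (used in error messages)
     * @param bindingType        the token binding type configured for the application
     */
    private void revokeTokensForBindingType(HttpServletRequest httpServletRequest,
            AuthenticatedUser authenticatedUser, String consumerKey, String bindingType)
            throws IdentityOAuth2Exception, InvalidOAuthClientException, OAuthSystemException {
        String bindingRef = getBindingRefFromType(httpServletRequest, consumerKey, bindingType);
        revokeTokensOfBindingRef(authenticatedUser, bindingRef);
    }

    /**
     * Revokes the user's tokens bound to the {@code commonAuthId} cookie of the request.
     *
     * @param httpServletRequest the request whose cookies are inspected
     * @param authenticatedUser  the user whose tokens are revoked
     */
    private void revokeTokensForCommonAuthCookie(HttpServletRequest httpServletRequest,
            AuthenticatedUser authenticatedUser) throws IdentityOAuth2Exception, InvalidOAuthClientException {
        String bindingRef = getBindingRefFromCommonAuthCookie(httpServletRequest);
        revokeTokensOfBindingRef(authenticatedUser, bindingRef);
    }

    /**
     * Resolves the binding reference for the request using the binder registered for a type.
     *
     * @param httpServletRequest the request handed to the token binder
     * @param consumerKey        the client id of the application (used in the error message)
     * @param bindingType        the token binding type; blank yields {@code null}
     * @return the binding reference, or {@code null} when {@code bindingType} is blank
     * @throws IdentityOAuth2Exception when no binder is registered for the type or the resulting
     *                                 reference is blank
     */
    private String getBindingRefFromType(HttpServletRequest httpServletRequest, String consumerKey,
            String bindingType) throws IdentityOAuth2Exception, OAuthSystemException {
        if (StringUtils.isBlank(bindingType)) {
            return null;
        }
        Optional<TokenBinder> tokenBinder = OAuth2ServiceComponentHolder.getInstance().getTokenBinder(bindingType);
        if (!tokenBinder.isPresent()) {
            throw new IdentityOAuth2Exception("Token binder for the binding type: " + bindingType + " is not registered.");
        }
        String bindingValue = tokenBinder.get().getTokenBindingValue(httpServletRequest);
        String tokenBindingReference = OAuth2Util.getTokenBindingReference(bindingValue);
        if (StringUtils.isBlank(tokenBindingReference)) {
            throw new IdentityOAuth2Exception("Token binding reference is null for the application " + consumerKey + " with binding type " + bindingType + Constants.FULL_STOP_DELIMITER);
        }
        return tokenBindingReference;
    }

    /**
     * Derives the binding reference from the {@code commonAuthId} cookie of the request.
     *
     * <p>The cookie value is hashed with SHA-256 before the reference is derived from it.
     *
     * @param httpServletRequest the request whose cookies are inspected
     * @return the binding reference, or {@code null} when the cookie is absent or blank
     */
    private String getBindingRefFromCommonAuthCookie(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (ArrayUtils.isEmpty(cookies)) {
            return null;
        }
        Optional<Cookie> commonAuthCookie = Arrays.stream(cookies)
                .filter(cookie -> "commonAuthId".equals(cookie.getName()))
                .findAny();
        if (!commonAuthCookie.isPresent() || StringUtils.isBlank(commonAuthCookie.get().getValue())) {
            return null;
        }
        return OAuth2Util.getTokenBindingReference(DigestUtils.sha256Hex(commonAuthCookie.get().getValue()));
    }

    /**
     * Revokes every access token of the user that carries the given binding reference.
     *
     * <p>Each token is handled independently: a failure on one token is logged and the remaining
     * tokens are still processed, so one bad entry cannot leave the other tokens of the ended
     * session valid.
     *
     * @param authenticatedUser the user whose tokens are looked up; {@code null} is a no-op
     * @param bindingRef        the binding reference; blank is a no-op
     * @throws IdentityOAuth2Exception when the token lookup itself fails
     */
    private void revokeTokensOfBindingRef(AuthenticatedUser authenticatedUser, String bindingRef)
            throws IdentityOAuth2Exception, InvalidOAuthClientException {
        if (StringUtils.isBlank(bindingRef) || authenticatedUser == null) {
            return;
        }
        for (AccessTokenDO accessTokenDO : OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO().getAccessTokensByBindingRef(authenticatedUser, bindingRef)) {
            try {
                revokeBoundToken(accessTokenDO, bindingRef);
            } catch (IdentityOAuth2Exception | InvalidOAuthClientException e) {
                // Only the client id is logged; the access token value is deliberately left out.
                log.error("Error while revoking a bound access token of the client: "
                        + accessTokenDO.getConsumerKey() + " on session termination.", e);
            }
        }
    }

    /**
     * Clears the cache entries of one token and revokes it, if its application has token
     * revocation on IDP session termination enabled.
     */
    private void revokeBoundToken(AccessTokenDO accessTokenDO, String bindingRef)
            throws IdentityOAuth2Exception, InvalidOAuthClientException {
        String consumerKey = accessTokenDO.getConsumerKey();
        if (!OAuth2Util.getAppInformationByClientId(consumerKey).isTokenRevocationWithIDPSessionTerminationEnabled()) {
            return;
        }
        String scope = OAuth2Util.buildScopeString(accessTokenDO.getScope());
        // Cache entries are cleared before the persisted token is revoked. The explicit (User)
        // casts select the intended clearOAuthCache overloads.
        OAuthUtil.clearOAuthCache(consumerKey, accessTokenDO.getAuthzUser(), scope, bindingRef);
        OAuthUtil.clearOAuthCache(consumerKey, (User) accessTokenDO.getAuthzUser(), scope);
        OAuthUtil.clearOAuthCache(consumerKey, (User) accessTokenDO.getAuthzUser());
        OAuthUtil.clearOAuthCache(accessTokenDO.getAccessToken());
        OAuthUtil.invokePreRevocationBySystemListeners(accessTokenDO, Collections.emptyMap());
        OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO().revokeAccessTokens(new String[]{accessTokenDO.getAccessToken()}, OAuth2Util.isHashEnabled());
        OAuthUtil.invokePostRevocationBySystemListeners(accessTokenDO, Collections.emptyMap());
    }
}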
