package org.wso2.carbon.identity.oidc.session.backchannellogout;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import net.minidev.json.JSONObject;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oidc.session.OIDCSessionConstants;
import org.wso2.carbon.identity.oidc.session.OIDCSessionState;
import org.wso2.carbon.identity.oidc.session.util.OIDCSessionManagementUtil;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;

/* loaded from: input_file:org/wso2/carbon/identity/oidc/session/backchannellogout/DefaultLogoutTokenBuilder.class */
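/**
 * Builds OIDC back-channel logout tokens (signed JWTs carrying the
 * {@code http://schemas.openid.net/event/backchannel-logout} event) for every
 * relying party that participates in the OP browser session being logged out.
 *
 * <p>Each returned map entry maps the serialized, signed logout token to the
 * participant's registered back-channel logout URL. Participants without a
 * back-channel logout URL are skipped.
 *
 * <p>Note: this listing is decompiled output; behaviour of the WSO2 helpers it
 * calls ({@code OAuth2Util}, {@code OIDCSessionManagementUtil}, ...) is not
 * visible here and is described only as far as this class uses them.
 */
public class DefaultLogoutTokenBuilder implements LogoutTokenBuilder {

    private static final Log log = LogFactory.getLog(DefaultLogoutTokenBuilder.class);
    private static final String OPENID_IDP_ENTITY_ID = "IdPEntityId";
    private static final String ERROR_GET_RESIDENT_IDP = "Error while getting Resident Identity Provider of '%s' tenant.";
    private static final String BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";

    private OAuthServerConfiguration config;
    private JWSAlgorithm signatureAlgorithm;

    /**
     * Reads the server-wide OAuth configuration and derives the JWS algorithm used to
     * sign logout tokens from the configured ID-token signature algorithm, so logout
     * tokens are signed the same way ID tokens are.
     *
     * @throws IdentityOAuth2Exception if the configured algorithm cannot be mapped to a JWS algorithm
     */
    public DefaultLogoutTokenBuilder() throws IdentityOAuth2Exception {
        this.config = OAuthServerConfiguration.getInstance();
        this.signatureAlgorithm =
                OAuth2Util.mapSignatureAlgorithmForJWSAlgorithm(this.config.getIdTokenSignatureAlgorithm());
    }

    /**
     * Builds logout tokens for all session participants except the relying party that
     * initiated the RP-initiated logout, identified through a valid {@code id_token_hint}.
     * If no valid hint is present every participant receives a token.
     *
     * @param httpServletRequest the logout request carrying the OP browser-state cookie and the optional
     *                           {@code id_token_hint} parameter
     * @return map of serialized signed logout token to back-channel logout URL; empty when no session is found
     * @throws IdentityOAuth2Exception      on signing or configuration errors
     * @throws InvalidOAuthClientException  if a participant's client id does not resolve to a registered app
     */
    @Override // org.wso2.carbon.identity.oidc.session.backchannellogout.LogoutTokenBuilder
    public Map<String, String> buildLogoutToken(HttpServletRequest httpServletRequest)
            throws IdentityOAuth2Exception, InvalidOAuthClientException {
        Map<String, String> logoutTokens = new HashMap<>();
        Cookie opbsCookie = OIDCSessionManagementUtil.getOPBrowserStateCookie(httpServletRequest);
        OIDCSessionState sessionState = getSessionState(opbsCookie != null ? opbsCookie.getValue() : null);
        if (sessionState == null) {
            return logoutTokens;
        }
        for (String participantClientId : getSessionParticipants(sessionState)) {
            // The hint's client id is resolved once per participant because the tenant domain
            // handed to the (encrypted-hint) decryption path is the participant's app-owner tenant,
            // which can differ between participants; hoisting this would change that behaviour.
            String initiatingClientId = getClientId(httpServletRequest,
                    getOAuthAppDO(participantClientId).getAppOwner().getTenantDomain());
            if (!StringUtils.equals(participantClientId, initiatingClientId)) {
                addToLogoutTokenList(logoutTokens, sessionState, participantClientId);
            }
        }
        return logoutTokens;
    }

    /**
     * Builds logout tokens for every participant of the session identified by the given
     * OP browser-state value (no initiating relying party is excluded).
     *
     * @param opbsCookieValue the OP browser-state cookie value keying the OIDC session; null/empty yields no tokens
     * @return map of serialized signed logout token to back-channel logout URL; empty when no session is found
     * @throws IdentityOAuth2Exception      on signing or configuration errors
     * @throws InvalidOAuthClientException  if a participant's client id does not resolve to a registered app
     */
    @Override // org.wso2.carbon.identity.oidc.session.backchannellogout.LogoutTokenBuilder
    public Map<String, String> buildLogoutToken(String opbsCookieValue)
            throws IdentityOAuth2Exception, InvalidOAuthClientException {
        Map<String, String> logoutTokens = new HashMap<>();
        OIDCSessionState sessionState = getSessionState(opbsCookieValue);
        if (sessionState == null) {
            return logoutTokens;
        }
        for (String participantClientId : getSessionParticipants(sessionState)) {
            addToLogoutTokenList(logoutTokens, sessionState, participantClientId);
        }
        return logoutTokens;
    }

    /**
     * Signs a logout token for one participant and records it against the participant's
     * back-channel logout URL. Participants without such a URL are skipped silently.
     */
    private void addToLogoutTokenList(Map<String, String> logoutTokens, OIDCSessionState sessionState,
                                      String clientId) throws IdentityOAuth2Exception, InvalidOAuthClientException {
        OAuthAppDO app = getOAuthAppDO(clientId);
        String backChannelLogoutUrl = app.getBackChannelLogoutUrl();
        if (StringUtils.isBlank(backChannelLogoutUrl)) {
            return;
        }
        JWTClaimsSet claims = buildJwtToken(sessionState, getTenanatDomain(app), clientId);
        String serializedToken =
                OAuth2Util.signJWT(claims, this.signatureAlgorithm, getSigningTenantDomain(app)).serialize();
        logoutTokens.put(serializedToken, backChannelLogoutUrl);
        if (log.isDebugEnabled()) {
            log.debug("Logout token created for the client: " + clientId);
        }
    }

    /**
     * Assembles the logout-token claim set: {@code sub}, {@code iss}, {@code aud} (the
     * participant's client id), {@code jti}, the back-channel logout {@code events} claim,
     * {@code exp}, {@code iat} and {@code sid}.
     *
     * @param sessionState the OIDC session being terminated (source of subject and sid)
     * @param tenantDomain tenant domain used to resolve the issuer
     * @param clientId     participant client id, becomes the sole audience
     */
    private JWTClaimsSet buildJwtToken(OIDCSessionState sessionState, String tenantDomain, String clientId)
            throws IdentityOAuth2Exception {
        long nowMillis = System.currentTimeMillis();
        Date issuedAt = new Date(nowMillis);
        Date expiresAt = new Date(nowMillis + getLogoutTokenExpiryInMillis());
        // The spec-mandated events claim: the logout event URI mapped to an empty object.
        JSONObject events = new JSONObject().appendField(BACKCHANNEL_LOGOUT_EVENT, new JSONObject());

        JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder();
        builder.subject(sessionState.getAuthenticatedUser());
        builder.issuer(getIssuer(tenantDomain));
        builder.audience(getAudience(clientId));
        builder.jwtID(UUID.randomUUID().toString());
        builder.claim("events", events);
        builder.expirationTime(expiresAt);
        builder.issueTime(issuedAt);
        builder.claim("sid", getSidClaim(sessionState));
        return builder.build();
    }

    /**
     * Resolves the client id of the relying party that initiated logout from the
     * {@code id_token_hint} request parameter.
     *
     * <p>For a plain (signed) hint the client id is read from the first {@code aud} value
     * and only returned if the token's signature verifies against the resident key of the
     * tenant that signs tokens for that client. For an encrypted hint the token is decrypted
     * with the given tenant's key and the client id extracted; no signature check is applied
     * here on that path (whether the helper verifies the inner token is not visible in this
     * class), so treat that branch as trusting the decrypted content.
     *
     * @param httpServletRequest the logout request
     * @param tenantDomain       tenant whose key is used to decrypt an encrypted hint
     * @return the initiating client id, or null when the hint is absent, malformed or fails verification
     */
    private String getClientId(HttpServletRequest httpServletRequest, String tenantDomain)
            throws IdentityOAuth2Exception, InvalidOAuthClientException {
        String idTokenHint = getIdToken(httpServletRequest);
        if (idTokenHint == null) {
            log.debug("IdTokenHint is not found in the request ");
            return null;
        }
        if (OIDCSessionManagementUtil.isIDTokenEncrypted(idTokenHint)) {
            try {
                return OIDCSessionManagementUtil.extractClientIDFromDecryptedIDToken(
                        OIDCSessionManagementUtil.decryptWithRSA(tenantDomain, idTokenHint));
            } catch (ParseException e) {
                log.error("Error in extracting the client ID from the ID token.", e);
                return null;
            }
        }
        String clientId = getClientIdFromIDTokenHint(idTokenHint);
        // A hint with no parsable/absent audience cannot be attributed to any client; treat it as
        // no hint rather than letting the lookup below fail on a null client id.
        if (StringUtils.isBlank(clientId)) {
            log.debug("Id Token is not valid");
            return null;
        }
        if (validateIdTokenHint(clientId, idTokenHint)) {
            return clientId;
        }
        log.debug("Id Token is not valid");
        return null;
    }

    /**
     * Tenant whose key signs tokens for the app: the app's own tenant when JWTs are signed
     * with the SP key, otherwise the tenant of the app's user.
     */
    private String getSigningTenantDomain(OAuthAppDO app) {
        if (this.config.isJWTSignedWithSPKey()) {
            return getTenanatDomain(app);
        }
        return app.getUser().getTenantDomain();
    }

    /** Looks up the OIDC session for a browser-state value; null for an empty key or unknown session. */
    private OIDCSessionState getSessionState(String opbsCookieValue) {
        if (StringUtils.isEmpty(opbsCookieValue)) {
            return null;
        }
        return OIDCSessionManagementUtil.getSessionManager().getOIDCSessionState(opbsCookieValue);
    }

    /** Client ids of the relying parties that joined this session. */
    private Set<String> getSessionParticipants(OIDCSessionState sessionState) {
        return sessionState.getSessionParticipants();
    }

    /** The session identifier carried as the logout token's {@code sid} claim. */
    private String getSidClaim(OIDCSessionState sessionState) {
        return sessionState.getSidClaim();
    }

    /** Currently unreferenced in this class; kept for API stability of the decompiled listing. */
    private IdentityProvider getResidentIdp(String tenantDomain) throws IdentityOAuth2Exception {
        try {
            return IdentityProviderManager.getInstance().getResidentIdP(tenantDomain);
        } catch (IdentityProviderManagementException e) {
            throw new IdentityOAuth2Exception(String.format(ERROR_GET_RESIDENT_IDP, tenantDomain), e);
        }
    }

    /** Issuer value for the tenant, same as the one placed in ID tokens. */
    private String getIssuer(String tenantDomain) throws IdentityOAuth2Exception {
        return OAuth2Util.getIdTokenIssuer(tenantDomain);
    }

    private OAuthAppDO getOAuthAppDO(String clientId) throws IdentityOAuth2Exception, InvalidOAuthClientException {
        return OAuth2Util.getAppInformationByClientId(clientId);
    }

    private String getTenanatDomain(OAuthAppDO app) {
        return OAuth2Util.getTenantDomainOfOauthApp(app);
    }

    /** Single-element audience list containing the participant's client id. */
    private List<String> getAudience(String clientId) {
        List<String> audience = new ArrayList<>(1);
        audience.add(clientId);
        return audience;
    }

    /**
     * Configured logout-token lifetime, converted from seconds to milliseconds.
     * Multiplies as a long so a large configured value cannot overflow int arithmetic.
     */
    private long getLogoutTokenExpiryInMillis() {
        return Integer.parseInt(this.config.getOpenIDConnectBCLogoutTokenExpiration()) * 1000L;
    }

    /** The raw {@code id_token_hint} request parameter, or null when absent. */
    private String getIdToken(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter(OIDCSessionConstants.OIDC_ID_TOKEN_HINT_PARAM);
    }

    /**
     * Extracts the client id from an (as yet unverified) signed ID token hint.
     * Returns null when the hint is blank, not a parsable signed JWT, or carries no audience.
     */
    private String getClientIdFromIDTokenHint(String idTokenHint) {
        if (StringUtils.isBlank(idTokenHint)) {
            return null;
        }
        try {
            return extractClientFromIdToken(idTokenHint);
        } catch (ParseException e) {
            log.error("Error while decoding the ID Token Hint.", e);
            return null;
        }
    }

    /**
     * First {@code aud} value of the signed JWT, read without signature verification; the
     * caller must verify the token before trusting this value. Null when {@code aud} is absent.
     */
    private String extractClientFromIdToken(String idTokenHint) throws ParseException {
        List<String> audience = SignedJWT.parse(idTokenHint).getJWTClaimsSet().getAudience();
        if (audience == null || audience.isEmpty()) {
            return null;
        }
        return audience.get(0);
    }

    /**
     * Verifies the RSA signature of the ID token hint against the public key of the tenant
     * that signs tokens for the given client: the default keystore key for the super tenant,
     * otherwise the tenant certificate from the tenant's {@code .jks} keystore.
     *
     * <p>Only the signature is checked here; issuer, expiry and the relationship between the
     * hint's subject and the current session are not validated by this method. Any failure
     * (parse error, verification error, missing key, unexpected key type) is logged and
     * treated as "not valid" so an untrusted hint can never be accepted by accident.
     *
     * @param clientId    client id taken from the hint's audience, used to locate the signing tenant
     * @param idTokenHint the serialized signed JWT to verify
     */
    private Boolean validateIdTokenHint(String clientId, String idTokenHint)
            throws IdentityOAuth2Exception, InvalidOAuthClientException {
        String signingTenantDomain = getSigningTenantDomain(getOAuthAppDO(clientId));
        if (StringUtils.isEmpty(signingTenantDomain)) {
            return false;
        }
        try {
            KeyStoreManager keyStoreManager =
                    KeyStoreManager.getInstance(IdentityTenantUtil.getTenantId(signingTenantDomain));
            RSAPublicKey publicKey;
            if (SUPER_TENANT_DOMAIN.equals(signingTenantDomain)) {
                publicKey = (RSAPublicKey) keyStoreManager.getDefaultPublicKey();
            } else {
                String keyStoreName = signingTenantDomain.trim().replace(".", "-") + ".jks";
                publicKey = (RSAPublicKey) keyStoreManager.getKeyStore(keyStoreName)
                        .getCertificate(signingTenantDomain).getPublicKey();
            }
            // RSASSAVerifier only accepts the RS*/PS* family, so an "alg":"none" or HMAC header fails here.
            return SignedJWT.parse(idTokenHint).verify(new RSASSAVerifier(publicKey));
        } catch (JOSEException | ParseException e) {
            log.error("Error occurred while validating id token signature.", e);
            return false;
        } catch (Exception e) {
            // Keystore lookup and the RSAPublicKey cast can fail with other exception types; fail closed.
            log.error("Error occurred while validating id token signature.", e);
            return false;
        }
    }
}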
