package org.keycloak.protocol.oidc.endpoints;

import java.util.List;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicReference;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.OPTIONS;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.jboss.logging.Logger;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.OAuthErrorException;
import org.keycloak.TokenVerifier;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.VerificationException;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.headers.SecurityHeadersProvider;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.BackchannelLogoutResponse;
import org.keycloak.protocol.oidc.LogoutTokenValidationCode;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.LogoutToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.LogoutRequestContext;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.Cors;
import org.keycloak.services.util.MtlsHoKTokenUtil;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.class */
public class LogoutEndpoint {
    private static final Logger logger = Logger.getLogger(LogoutEndpoint.class);

    @Context
    private KeycloakSession session;

    @Context
    private ClientConnection clientConnection;

    @Context
    private HttpRequest request;

    @Context
    private HttpHeaders headers;
    private TokenManager tokenManager;
    private RealmModel realm;
    private EventBuilder event;
    private Cors cors;

    public LogoutEndpoint(TokenManager tokenManager, RealmModel realmModel, EventBuilder eventBuilder) {
        this.tokenManager = tokenManager;
        this.realm = realmModel;
        this.event = eventBuilder;
    }

    @Path("/")
    @OPTIONS
    public Response issueUserInfoPreflight() {
        return Cors.add(this.request, Response.ok()).auth().preflight().build();
    }

    @GET
    @NoCache
    public Response logout(@QueryParam("redirect_uri") String str, @QueryParam("id_token_hint") String str2, @QueryParam("post_logout_redirect_uri") String str3, @QueryParam("state") String str4, @QueryParam("initiating_idp") String str5) {
        String str6 = str3 != null ? str3 : str;
        IDToken iDToken = null;
        if (str2 != null) {
            try {
                iDToken = this.tokenManager.verifyIDTokenSignature(this.session, str2);
                TokenVerifier.createWithoutSignature(iDToken).tokenType("ID").verify();
            } catch (OAuthErrorException | VerificationException e) {
                this.event.event(EventType.LOGOUT);
                this.event.error("invalid_token");
                return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.SESSION_NOT_ACTIVE, new Object[0]);
            }
        }
        if (str6 != null) {
            ClientModel clientByClientId = (iDToken == null || iDToken.getIssuedFor() == null) ? null : this.realm.getClientByClientId(iDToken.getIssuedFor());
            String verifyRedirectUri = clientByClientId != null ? RedirectUtils.verifyRedirectUri(this.session, str6, clientByClientId) : RedirectUtils.verifyRealmRedirectUri(this.session, str6);
            if (verifyRedirectUri == null) {
                this.event.event(EventType.LOGOUT);
                this.event.detail("redirect_uri", str6);
                this.event.error(ErrorCodes.INVALID_REDIRECT_URI);
                return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.INVALID_REDIRECT_URI, new Object[0]);
            }
            str6 = verifyRedirectUri;
        }
        UserSessionModel userSessionModel = null;
        if (iDToken != null) {
            try {
                userSessionModel = this.session.sessions().getUserSession(this.realm, iDToken.getSessionState());
                if (userSessionModel != null) {
                    checkTokenIssuedAt(iDToken, userSessionModel);
                }
            } catch (OAuthErrorException e2) {
                this.event.event(EventType.LOGOUT);
                this.event.error("invalid_token");
                return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.SESSION_NOT_ACTIVE, new Object[0]);
            }
        }
        AuthenticationManager.AuthResult authenticateIdentityCookie = AuthenticationManager.authenticateIdentityCookie(this.session, this.realm, false);
        if (authenticateIdentityCookie != null) {
            return initiateBrowserLogout(userSessionModel != null ? userSessionModel : authenticateIdentityCookie.getSession(), str6, str4, str5);
        }
        if (userSessionModel != null) {
            if (iDToken != null && iDToken.getSessionState().equals(AuthenticationManager.getSessionIdFromSessionCookie(this.session))) {
                return initiateBrowserLogout(userSessionModel, str6, str4, str5);
            }
            if (userSessionModel.getState() != UserSessionModel.State.LOGGING_OUT && userSessionModel.getState() != UserSessionModel.State.LOGGED_OUT) {
                this.event.event(EventType.LOGOUT);
                AuthenticationManager.backchannelLogout(this.session, this.realm, userSessionModel, this.session.getContext().getUri(), this.clientConnection, this.headers, true);
                this.event.user(userSessionModel.getUser()).session(userSessionModel).success();
            }
        }
        if (str6 == null) {
            this.session.getProvider(SecurityHeadersProvider.class).options().allowEmptyContentType();
            return Response.ok().build();
        }
        UriBuilder fromUri = UriBuilder.fromUri(str6);
        if (str4 != null) {
            fromUri.queryParam("state", new Object[]{str4});
        }
        return Response.status(302).location(fromUri.build(new Object[0])).build();
    }

    @POST
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    public Response logoutToken() {
        this.cors = Cors.add(this.request).auth().allowedMethods("POST").auth().exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS);
        MultivaluedMap decodedFormParameters = this.request.getDecodedFormParameters();
        checkSsl();
        this.event.event(EventType.LOGOUT);
        ClientModel authorizeClient = authorizeClient();
        String str = (String) decodedFormParameters.getFirst(AbstractOAuth2IdentityProvider.OAUTH2_GRANT_TYPE_REFRESH_TOKEN);
        if (str == null) {
            this.event.error("invalid_token");
            throw new CorsErrorResponseException(this.cors, "invalid_request", "No refresh token", Response.Status.BAD_REQUEST);
        }
        try {
            this.session.clientPolicy().triggerOnEvent(new LogoutRequestContext(decodedFormParameters));
            try {
                RefreshToken verifyRefreshToken = this.tokenManager.verifyRefreshToken(this.session, this.realm, authorizeClient, this.request, str, false);
                boolean equals = "Offline".equals(verifyRefreshToken.getType());
                UserSessionModel findOfflineUserSession = equals ? new UserSessionManager(this.session).findOfflineUserSession(this.realm, verifyRefreshToken.getSessionState()) : this.session.sessions().getUserSession(this.realm, verifyRefreshToken.getSessionState());
                if (findOfflineUserSession != null) {
                    checkTokenIssuedAt(verifyRefreshToken, findOfflineUserSession);
                    logout(findOfflineUserSession, equals);
                }
                return this.cors.builder(Response.noContent()).build();
            } catch (OAuthErrorException e) {
                if (MtlsHoKTokenUtil.CERT_VERIFY_ERROR_DESC.equals(e.getDescription())) {
                    this.event.error("not_allowed");
                    throw new CorsErrorResponseException(this.cors, e.getError(), e.getDescription(), Response.Status.UNAUTHORIZED);
                }
                this.event.error("invalid_token");
                throw new CorsErrorResponseException(this.cors, e.getError(), e.getDescription(), Response.Status.BAD_REQUEST);
            }
        } catch (ClientPolicyException e2) {
            throw new CorsErrorResponseException(this.cors, e2.getError(), e2.getErrorDetail(), e2.getErrorStatus());
        }
    }

    @POST
    @Path("/backchannel-logout")
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    public Response backchannelLogout() {
        MultivaluedMap decodedFormParameters = this.request.getDecodedFormParameters();
        this.event.event(EventType.LOGOUT);
        String str = (String) decodedFormParameters.getFirst("logout_token");
        if (str == null) {
            this.event.error("invalid_token");
            throw new ErrorResponseException("invalid_request", "No logout token", Response.Status.BAD_REQUEST);
        }
        LogoutTokenValidationCode verifyLogoutToken = this.tokenManager.verifyLogoutToken(this.session, this.realm, str);
        if (!verifyLogoutToken.equals(LogoutTokenValidationCode.VALIDATION_SUCCESS)) {
            this.event.error("invalid_token");
            throw new ErrorResponseException("invalid_request", verifyLogoutToken.getErrorMessage(), Response.Status.BAD_REQUEST);
        }
        LogoutToken logoutToken = this.tokenManager.toLogoutToken(str).get();
        Stream<String> map = this.tokenManager.getValidOIDCIdentityProvidersForBackchannelLogout(this.realm, this.session, str, logoutToken).map(oIDCIdentityProvider -> {
            return oIDCIdentityProvider.m148getConfig().getAlias();
        });
        boolean parseBoolean = Boolean.parseBoolean(logoutToken.getEvents().getOrDefault("revoke_offline_access", false).toString());
        BackchannelLogoutResponse backchannelLogoutWithSessionId = logoutToken.getSid() != null ? backchannelLogoutWithSessionId(logoutToken.getSid(), map, parseBoolean) : backchannelLogoutFederatedUserId(logoutToken.getSubject(), map, parseBoolean);
        if (backchannelLogoutWithSessionId.getLocalLogoutSucceeded()) {
            this.session.getProvider(SecurityHeadersProvider.class).options().allowEmptyContentType();
            return oneOrMoreDownstreamLogoutsFailed(backchannelLogoutWithSessionId) ? Cors.add(this.request).auth().builder(Response.status(Response.Status.GATEWAY_TIMEOUT).type(javax.ws.rs.core.MediaType.APPLICATION_JSON_TYPE)).build() : Cors.add(this.request).auth().builder(Response.ok().type(javax.ws.rs.core.MediaType.APPLICATION_JSON_TYPE)).build();
        }
        this.event.error("logout_failed");
        throw new ErrorResponseException("server_error", "There was an error in the local logout", Response.Status.NOT_IMPLEMENTED);
    }

    private BackchannelLogoutResponse backchannelLogoutWithSessionId(String str, Stream<String> stream, boolean z) {
        AtomicReference atomicReference = new AtomicReference(new BackchannelLogoutResponse());
        ((BackchannelLogoutResponse) atomicReference.get()).setLocalLogoutSucceeded(true);
        stream.forEach(str2 -> {
            UserSessionModel userSessionByBrokerSessionId = this.session.sessions().getUserSessionByBrokerSessionId(this.realm, str2 + "." + str);
            if (z) {
                logoutOfflineUserSession(str2 + "." + str);
            }
            if (userSessionByBrokerSessionId != null) {
                atomicReference.set(logoutUserSession(userSessionByBrokerSessionId));
            }
        });
        return (BackchannelLogoutResponse) atomicReference.get();
    }

    private void logoutOfflineUserSession(String str) {
        UserSessionModel offlineUserSessionByBrokerSessionId = this.session.sessions().getOfflineUserSessionByBrokerSessionId(this.realm, str);
        if (offlineUserSessionByBrokerSessionId != null) {
            new UserSessionManager(this.session).revokeOfflineUserSession(offlineUserSessionByBrokerSessionId);
        }
    }

    private BackchannelLogoutResponse backchannelLogoutFederatedUserId(String str, Stream<String> stream, boolean z) {
        BackchannelLogoutResponse backchannelLogoutResponse = new BackchannelLogoutResponse();
        backchannelLogoutResponse.setLocalLogoutSucceeded(true);
        stream.forEach(str2 -> {
            if (z) {
                logoutOfflineUserSessions(str2 + "." + str);
            }
            ((List) this.session.sessions().getUserSessionByBrokerUserIdStream(this.realm, str2 + "." + str).collect(Collectors.toList())).forEach(userSessionModel -> {
                BackchannelLogoutResponse logoutUserSession = logoutUserSession(userSessionModel);
                backchannelLogoutResponse.setLocalLogoutSucceeded(backchannelLogoutResponse.getLocalLogoutSucceeded() && logoutUserSession.getLocalLogoutSucceeded());
                List<BackchannelLogoutResponse.DownStreamBackchannelLogoutResponse> clientResponses = logoutUserSession.getClientResponses();
                Objects.requireNonNull(backchannelLogoutResponse);
                clientResponses.forEach(backchannelLogoutResponse::addClientResponses);
            });
        });
        return backchannelLogoutResponse;
    }

    private void logoutOfflineUserSessions(String str) {
        UserSessionManager userSessionManager = new UserSessionManager(this.session);
        List list = (List) this.session.sessions().getOfflineUserSessionByBrokerUserIdStream(this.realm, str).collect(Collectors.toList());
        Objects.requireNonNull(userSessionManager);
        list.forEach(userSessionManager::revokeOfflineUserSession);
    }

    private BackchannelLogoutResponse logoutUserSession(UserSessionModel userSessionModel) {
        BackchannelLogoutResponse backchannelLogout = AuthenticationManager.backchannelLogout(this.session, this.realm, userSessionModel, this.session.getContext().getUri(), this.clientConnection, this.headers, false);
        if (backchannelLogout.getLocalLogoutSucceeded()) {
            this.event.user(userSessionModel.getUser()).session(userSessionModel).success();
        }
        return backchannelLogout;
    }

    private boolean oneOrMoreDownstreamLogoutsFailed(BackchannelLogoutResponse backchannelLogoutResponse) {
        BackchannelLogoutResponse backchannelLogoutResponse2 = new BackchannelLogoutResponse();
        for (BackchannelLogoutResponse.DownStreamBackchannelLogoutResponse downStreamBackchannelLogoutResponse : backchannelLogoutResponse.getClientResponses()) {
            if (downStreamBackchannelLogoutResponse.isWithBackchannelLogoutUrl()) {
                backchannelLogoutResponse2.addClientResponses(downStreamBackchannelLogoutResponse);
            }
        }
        return backchannelLogoutResponse.getClientResponses().stream().filter((v0) -> {
            return v0.isWithBackchannelLogoutUrl();
        }).anyMatch(downStreamBackchannelLogoutResponse2 -> {
            return (downStreamBackchannelLogoutResponse2.getResponseCode().isPresent() && (downStreamBackchannelLogoutResponse2.getResponseCode().get().intValue() == Response.Status.OK.getStatusCode() || downStreamBackchannelLogoutResponse2.getResponseCode().get().intValue() == Response.Status.NO_CONTENT.getStatusCode())) ? false : true;
        });
    }

    private void logout(UserSessionModel userSessionModel, boolean z) {
        AuthenticationManager.backchannelLogout(this.session, this.realm, userSessionModel, this.session.getContext().getUri(), this.clientConnection, this.headers, true, z);
        this.event.user(userSessionModel.getUser()).session(userSessionModel).success();
    }

    private ClientModel authorizeClient() {
        ClientModel client = AuthorizeClientUtil.authorizeClient(this.session, this.event, this.cors).getClient();
        this.cors.allowedOrigins(this.session, client);
        if (client.isBearerOnly()) {
            throw new CorsErrorResponseException(this.cors, "invalid_client", "Bearer-only not allowed", Response.Status.BAD_REQUEST);
        }
        return client;
    }

    private void checkSsl() {
        if (!this.session.getContext().getUri().getBaseUri().getScheme().equals("https") && this.realm.getSslRequired().isRequired(this.clientConnection)) {
            throw new CorsErrorResponseException(this.cors.allowAllOrigins(), "invalid_request", "HTTPS required", Response.Status.FORBIDDEN);
        }
    }

    private void checkTokenIssuedAt(IDToken iDToken, UserSessionModel userSessionModel) throws OAuthErrorException {
        if (iDToken.getIssuedAt() + 1 < userSessionModel.getStarted()) {
            throw new OAuthErrorException("invalid_grant", "Refresh toked issued before the user session started");
        }
    }

    private Response initiateBrowserLogout(UserSessionModel userSessionModel, String str, String str2, String str3) {
        if (str != null) {
            userSessionModel.setNote(OIDCLoginProtocol.LOGOUT_REDIRECT_URI, str);
        }
        if (str2 != null) {
            userSessionModel.setNote(OIDCLoginProtocol.LOGOUT_STATE_PARAM, str2);
        }
        userSessionModel.setNote(AuthenticationManager.KEYCLOAK_LOGOUT_PROTOCOL, "openid-connect");
        logger.debug("Initiating OIDC browser logout");
        Response browserLogout = AuthenticationManager.browserLogout(this.session, this.realm, userSessionModel, this.session.getContext().getUri(), this.clientConnection, this.headers, str3);
        logger.debug("finishing OIDC browser logout");
        return browserLogout;
    }
}
