package org.keycloak.protocol.oidc;

import java.net.URI;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.headers.SecurityHeadersProvider;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.utils.StringUtil;

/* loaded from: input_file:org/keycloak/protocol/oidc/FrontChannelLogoutHandler.class */
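/**
 * Collects the clients to be notified during a front-channel logout and renders the logout page
 * that embeds their logout URLs.
 *
 * <p>An instance registers itself as an attribute of the {@link KeycloakSession} under this
 * class's name, so later calls within the same session can retrieve it via
 * {@link #current(KeycloakSession)}.
 *
 * <p>Security-relevant behaviour: rendering the page changes the response security headers
 * (see {@link #configureCSP()}), and every client logout URL is extended with the user session
 * id and the issuer as query parameters.
 */
public class FrontChannelLogoutHandler {
    private final KeycloakSession session;
    // Id of the user session being logged out; sent to each client as the "sid" query parameter.
    private final String sid;
    // Value of the client-session note named by OIDCLoginProtocol.ISSUER.
    private final String issuer;
    private final List<ClientInfo> clients = new ArrayList<>();
    // Set by renderLogoutPage(); null until the page has been rendered.
    private String logoutRedirectUri;

    /**
     * View of one client taking part in the front-channel logout: its display name and the
     * logout URL that is built when the instance is created.
     */
    public class ClientInfo {
        private final ClientModel client;
        private final URI frontChannelLogoutUrl;

        /**
         * @param clientModel client to notify
         * @throws RuntimeException if the client has neither a front-channel logout URL nor a
         *     base URL (raised by {@code createFrontChannelLogoutUrl})
         */
        public ClientInfo(ClientModel clientModel) {
            this.client = clientModel;
            this.frontChannelLogoutUrl = createFrontChannelLogoutUrl(clientModel);
        }

        /** Returns the client's logout URL, including the session id and issuer parameters. */
        public String getFrontChannelLogoutUrl() {
            return this.frontChannelLogoutUrl.toString();
        }

        /** Returns the client's name, or its client id when no name is set. */
        public String getName() {
            String name = this.client.getName();
            return name == null ? this.client.getClientId() : name;
        }
    }

    /**
     * Returns the handler registered on the given session, or {@code null} if none has been
     * created yet.
     */
    public static FrontChannelLogoutHandler current(KeycloakSession keycloakSession) {
        return (FrontChannelLogoutHandler) keycloakSession.getAttribute(FrontChannelLogoutHandler.class.getName());
    }

    /**
     * Returns the handler registered on the session, creating and registering one when absent.
     *
     * <p>When a handler already exists, the given client session is ignored: the session id and
     * issuer stay those captured when the handler was first created.
     */
    public static FrontChannelLogoutHandler currentOrCreate(KeycloakSession keycloakSession, AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        FrontChannelLogoutHandler current = current(keycloakSession);
        return current == null ? new FrontChannelLogoutHandler(keycloakSession, authenticatedClientSessionModel) : current;
    }

    private FrontChannelLogoutHandler(KeycloakSession keycloakSession, AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        this.session = keycloakSession;
        this.sid = authenticatedClientSessionModel.getUserSession().getId();
        this.issuer = authenticatedClientSessionModel.getNote(OIDCLoginProtocol.ISSUER);
        // Register on the session so current()/currentOrCreate() find this instance again.
        this.session.setAttribute(getClass().getName(), this);
    }

    /**
     * Adds a client to the set notified by the logout page.
     *
     * @throws RuntimeException if no logout URL can be determined for the client
     */
    public void addClient(ClientModel clientModel) {
        this.clients.add(new ClientInfo(clientModel));
    }

    /** Returns the live, mutable list of registered clients (not a copy). */
    public List<ClientInfo> getClients() {
        return this.clients;
    }

    /** Returns the redirect URI passed to {@link #renderLogoutPage(String)}, or {@code null}. */
    public String getLogoutRedirectUri() {
        return this.logoutRedirectUri;
    }

    /**
     * Adjusts the security headers, records the post-logout redirect URI and renders the
     * front-channel logout page through the {@link LoginFormsProvider}.
     *
     * @param str post-logout redirect URI, stored exactly as given
     */
    public Response renderLogoutPage(String str) {
        configureCSP();
        // NOTE(review): no validation of the redirect URI happens in this class; presumably the
        // caller has already checked it against the client's registered redirect URIs - confirm.
        this.logoutRedirectUri = str;
        return this.session.getProvider(LoginFormsProvider.class).createFrontChannelLogoutPage();
    }

    /**
     * Relaxes the response security headers for the logout page: the authority of every
     * registered client logout URL is passed, space separated, to {@code allowFrameSrc}, and
     * {@code allowAnyFrameAncestor} is enabled.
     */
    private void configureCSP() {
        StringBuilder allowedFrameSources = new StringBuilder();
        for (ClientInfo info : this.clients) {
            String authority = info.frontChannelLogoutUrl.getAuthority();
            // A relative or opaque URL has no authority; appending it would write the literal
            // text "null" into the source list instead of a host.
            if (authority != null) {
                allowedFrameSources.append(authority).append(' ');
            }
        }
        // NOTE(review): URI.getAuthority() includes any user-info part ("user@host"), which is
        // not a valid source expression - confirm client URLs never carry user-info.
        // NOTE(review): judging by its name this lets any origin frame the logout page; confirm
        // that is limited to this response.
        this.session.getProvider(SecurityHeadersProvider.class).options().allowAnyFrameAncestor();
        this.session.getProvider(SecurityHeadersProvider.class).options().allowFrameSrc(allowedFrameSources.toString());
    }

    /**
     * Builds the URL loaded for a client on the logout page: the client's configured
     * front-channel logout URL, or its base URL when that is blank, with the session id
     * ({@code sid}) and the issuer appended as query parameters.
     *
     * <p>The decompiler widened this method from {@code private} to {@code public} because the
     * inner {@link ClientInfo} class calls it.
     *
     * @throws RuntimeException if both the front-channel logout URL and the base URL are missing
     */
    public URI createFrontChannelLogoutUrl(ClientModel clientModel) {
        String logoutUrl = OIDCAdvancedConfigWrapper.fromClientModel(clientModel).getFrontChannelLogoutUrl();
        if (StringUtil.isBlank(logoutUrl)) {
            logoutUrl = clientModel.getBaseUrl();
        }
        // NOTE(review): only null is rejected here, so a blank base URL still yields a relative
        // URI made of the query string alone - confirm whether that should be an error too.
        if (logoutUrl == null) {
            throw new RuntimeException("Client [" + clientModel.getClientId() + "] does not have a valid frontend logout URL");
        }
        UriBuilder builder = UriBuilder.fromUri(logoutUrl);
        builder.queryParam("sid", this.sid);
        builder.queryParam(OIDCLoginProtocol.ISSUER, this.issuer);
        return builder.build();
    }
}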
