package org.keycloak.protocol.oidc.endpoints;

import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.OPTIONS;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.util.Time;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.headers.SecurityHeadersProvider;
import org.keycloak.http.HttpRequest;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.UserSessionProvider;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.context.TokenRevokeContext;
import org.keycloak.services.clientpolicy.context.TokenRevokeResponseContext;
import org.keycloak.services.cors.Cors;
import org.keycloak.services.managers.UserConsentManager;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/protocol/oidc/endpoints/TokenRevocationEndpoint.class */
public class TokenRevocationEndpoint {
    public static final String PARAM_TOKEN = "token";
    private final KeycloakSession session;
    private final HttpRequest request;
    private final ClientConnection clientConnection;
    private MultivaluedMap<String, String> formParams;
    private ClientModel client;
    private final RealmModel realm;
    private final EventBuilder event;
    private Cors cors;
    private AccessToken token;
    private UserModel user;

    public TokenRevocationEndpoint(KeycloakSession keycloakSession, EventBuilder eventBuilder) {
        this.session = keycloakSession;
        this.clientConnection = keycloakSession.getContext().getConnection();
        this.realm = keycloakSession.getContext().getRealm();
        this.event = eventBuilder;
        this.request = keycloakSession.getContext().getHttpRequest();
    }

    @POST
    @Produces({MediaType.APPLICATION_JSON})
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    public Response revoke() {
        this.event.event(EventType.REVOKE_GRANT);
        this.cors = Cors.builder().auth().allowedMethods(new String[]{"POST"}).auth().exposedHeaders(new String[]{"Access-Control-Allow-Methods"});
        checkSsl();
        checkRealm();
        checkClient();
        this.formParams = this.request.getDecodedFormParameters();
        checkParameterDuplicated(this.formParams);
        try {
            this.session.clientPolicy().triggerOnEvent(new TokenRevokeContext(this.formParams));
            checkToken();
            checkIssuedFor();
            checkUser();
            if ("Refresh".equals(this.token.getType()) || "Offline".equals(this.token.getType())) {
                revokeClient();
                this.event.detail("revoked_client", this.client.getClientId());
            } else {
                revokeAccessToken();
                this.event.detail("token_id", this.token.getId());
            }
            this.event.success();
            try {
                this.session.clientPolicy().triggerOnEvent(new TokenRevokeResponseContext(this.formParams));
                this.session.getProvider(SecurityHeadersProvider.class).options().allowEmptyContentType();
                return this.cors.add(Response.ok());
            } catch (ClientPolicyException e) {
                this.event.error(e.getError());
                throw new CorsErrorResponseException(this.cors, e.getError(), e.getErrorDetail(), e.getErrorStatus());
            }
        } catch (ClientPolicyException e2) {
            this.event.error(e2.getError());
            throw new CorsErrorResponseException(this.cors, e2.getError(), e2.getErrorDetail(), e2.getErrorStatus());
        }
    }

    @OPTIONS
    public Response preflight() {
        return Cors.builder().auth().preflight().allowedMethods(new String[]{"POST", "OPTIONS"}).add(Response.ok());
    }

    private void checkSsl() {
        if (!this.session.getContext().getUri().getBaseUri().getScheme().equals("https") && this.realm.getSslRequired().isRequired(this.clientConnection)) {
            throw new CorsErrorResponseException(this.cors.allowAllOrigins(), "invalid_request", "HTTPS required", Response.Status.FORBIDDEN);
        }
    }

    private void checkRealm() {
        if (!this.realm.isEnabled()) {
            throw new CorsErrorResponseException(this.cors.allowAllOrigins(), AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Realm not enabled", Response.Status.FORBIDDEN);
        }
    }

    private void checkClient() {
        this.client = AuthorizeClientUtil.authorizeClient(this.session, this.event, this.cors).getClient();
        this.event.client(this.client);
        this.cors.allowedOrigins(this.session, this.client);
        if (this.client.isBearerOnly()) {
            throw new CorsErrorResponseException(this.cors, "invalid_client", "Bearer-only not allowed", Response.Status.BAD_REQUEST);
        }
    }

    private void checkToken() {
        String str = (String) this.formParams.getFirst("token");
        if (str == null) {
            this.event.detail("reason", "Token not provided");
            this.event.error("invalid_request");
            throw new CorsErrorResponseException(this.cors, "invalid_request", "Token not provided", Response.Status.BAD_REQUEST);
        }
        this.token = this.session.tokens().decode(str, AccessToken.class);
        if (this.token == null) {
            this.event.error("invalid_token");
            throw new CorsErrorResponseException(this.cors, "invalid_token", "Invalid token", Response.Status.OK);
        }
        if ("Refresh".equals(this.token.getType()) || "Offline".equals(this.token.getType()) || "Bearer".equals(this.token.getType()) || "DPoP".equals(this.token.getType())) {
            return;
        }
        this.event.detail("reason", "Unsupported token type");
        this.event.error("invalid_token_type");
        throw new CorsErrorResponseException(this.cors, "unsupported_token_type", "Unsupported token type", Response.Status.BAD_REQUEST);
    }

    private void checkIssuedFor() {
        String issuedFor = this.token.getIssuedFor();
        if (issuedFor == null) {
            this.event.detail("reason", "Issued for not set");
            this.event.error("invalid_token");
            throw new CorsErrorResponseException(this.cors, "invalid_token", "Invalid token", Response.Status.OK);
        }
        if (this.client.getClientId().equals(issuedFor)) {
            return;
        }
        this.event.detail("reason", "Unmatching clients");
        this.event.error("invalid_request");
        throw new CorsErrorResponseException(this.cors, "invalid_request", "Unmatching clients", Response.Status.BAD_REQUEST);
    }

    private void checkUser() {
        if (this.token.getSessionState() == null) {
            this.user = TokenManager.lookupUserFromStatelessToken(this.session, this.realm, this.token);
        } else {
            UserSessionProvider sessions = this.session.sessions();
            UserSessionModel userSessionIfClientExists = sessions.getUserSessionIfClientExists(this.realm, this.token.getSessionId(), false, this.client.getId());
            if (userSessionIfClientExists == null) {
                userSessionIfClientExists = sessions.getUserSessionIfClientExists(this.realm, this.token.getSessionId(), true, this.client.getId());
                if (userSessionIfClientExists == null) {
                    this.event.error("user_session_not_found");
                    throw new CorsErrorResponseException(this.cors, "invalid_token", "Invalid token", Response.Status.OK);
                }
            }
            this.user = userSessionIfClientExists.getUser();
        }
        if (this.user == null) {
            this.event.error("user_not_found");
            throw new CorsErrorResponseException(this.cors, "invalid_token", "Invalid token", Response.Status.OK);
        }
        this.event.user(this.user);
    }

    private void checkParameterDuplicated(MultivaluedMap<String, String> multivaluedMap) {
        Iterator it = multivaluedMap.keySet().iterator();
        while (it.hasNext()) {
            if (((List) multivaluedMap.get((String) it.next())).size() != 1) {
                throw new CorsErrorResponseException(this.cors, "invalid_request", "duplicated parameter", Response.Status.BAD_REQUEST);
            }
        }
    }

    private void revokeClient() {
        UserConsentManager.revokeConsentForClient(this.session, this.realm, this.user, this.client.getId());
        if ("Offline".equals(this.token.getType())) {
            new UserSessionManager(this.session).revokeOfflineToken(this.user, this.client);
        }
        ((List) this.session.sessions().getUserSessionsStream(this.realm, this.user).map(userSessionModel -> {
            return userSessionModel.getAuthenticatedClientSessionByClient(this.client.getId());
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).collect(Collectors.toList())).forEach(authenticatedClientSessionModel -> {
            UserSessionModel userSession = authenticatedClientSessionModel.getUserSession();
            TokenManager.dettachClientSession(authenticatedClientSessionModel);
            if (userSession == null || !userSession.getAuthenticatedClientSessions().isEmpty()) {
                return;
            }
            this.session.sessions().removeUserSession(this.realm, userSession);
        });
    }

    private void revokeAccessToken() {
        this.session.singleUseObjects().put(this.token.getId() + ".revoked", Math.max((this.token.getExp().longValue() - Time.currentTime()) + 1, 10L), Collections.emptyMap());
    }
}
