package net.trajano.openidconnect.provider.endpoints;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.lang.annotation.Annotation;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.ejb.EJB;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.validation.constraints.NotNull;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.ext.Providers;
import net.trajano.openidconnect.core.ErrorCode;
import net.trajano.openidconnect.core.OpenIdConnectException;
import net.trajano.openidconnect.crypto.JsonWebTokenProcessor;
import net.trajano.openidconnect.provider.spi.Authenticator;
import net.trajano.openidconnect.provider.spi.ClientManager;
import net.trajano.openidconnect.provider.spi.KeyProvider;
import net.trajano.openidconnect.provider.spi.TokenProvider;
import net.trajano.openidconnect.token.IdToken;

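/* loaded from: input_file:net/trajano/openidconnect/provider/endpoints/EndSessionEndpoint.class */
/**
 * RP-Initiated Logout ("end session") endpoint.
 *
 * <p>{@link #op} receives the logout request (via GET in {@link #getOp} or via
 * POST), validates the optional {@code id_token_hint} and
 * {@code post_logout_redirect_uri}, stores what the second step needs in the
 * HTTP session together with a fresh nonce, and hands the user off to the
 * {@link Authenticator}'s logout page. {@link #confirm} is the target of that
 * page: it re-checks the nonce, ends the session when the user confirmed, and
 * sends the user back to the relying party.
 *
 * <p>Security notes: a {@code post_logout_redirect_uri} is only honoured when
 * an {@code id_token_hint} identifies the client it is registered for,
 * otherwise the endpoint would be an open redirect; the nonce ties the
 * confirmation POST to the session that started the logout.
 */
@Produces({"application/json"})
@Path("end")
public class EndSessionEndpoint {

    /** Session attribute holding the nonce that the confirmation POST must echo back. */
    private static final String NONCE_ATTRIBUTE = "nonce";

    /** Session attribute holding the validated {@code post_logout_redirect_uri}; absent when the RP sent none. */
    private static final String POST_LOGOUT_REDIRECT_URI_ATTRIBUTE = "post_logout_redirect_uri";

    /** Name of both the session attribute and the query parameter carrying the RP's opaque {@code state}. */
    private static final String STATE = "state";

    @EJB
    private Authenticator authenticator;

    @EJB
    private ClientManager clientManager;

    @EJB
    private KeyProvider keyProvider;

    @Context
    private Providers providers;

    @EJB
    private TokenProvider tokenProvider;

    /**
     * Second step of the logout: the confirmation page posts back here.
     *
     * @param str the nonce issued by {@link #op}; must match the one stored in the session
     * @param z {@code true} when the user confirmed the logout, {@code false} to keep the session
     * @param httpServletRequest current request, used to locate the session
     * @return a 307 redirect to the RP's post-logout URI (with {@code state} when one was given),
     *         or 204 when no post-logout URI was registered for this logout
     * @throws OpenIdConnectException {@code access_denied} when there is no session or the nonce does not match
     * @throws IOException propagated from the authenticator
     * @throws GeneralSecurityException propagated from the authenticator
     */
    @POST
    @Path("confirm")
    public Response confirm(@NotNull @FormParam("nonce") String str, @NotNull @FormParam("logout") boolean z, @Context HttpServletRequest httpServletRequest) throws IOException, GeneralSecurityException {
        final HttpSession session = httpServletRequest.getSession(false);
        if (session == null || !nonceMatches(session, str)) {
            throw new OpenIdConnectException(ErrorCode.access_denied);
        }
        // Read everything needed for the redirect before a possible invalidate():
        // attributes are no longer accessible afterwards.
        final URI postLogoutRedirectUri = (URI) session.getAttribute(POST_LOGOUT_REDIRECT_URI_ATTRIBUTE);
        final String state = (String) session.getAttribute(STATE);
        if (z) {
            this.authenticator.endSession(httpServletRequest);
            session.invalidate();
        }
        return redirectBack(postLogoutRedirectUri, state);
    }

    /**
     * GET form of the logout request; delegates to {@link #op} with the query parameters.
     *
     * @param uri optional {@code post_logout_redirect_uri}
     * @param str optional {@code id_token_hint}
     * @param str2 optional {@code state}
     * @param httpServletRequest current request
     * @return see {@link #op}
     * @throws IOException see {@link #op}
     * @throws GeneralSecurityException see {@link #op}
     */
    @GET
    public Response getOp(@QueryParam("post_logout_redirect_uri") URI uri, @QueryParam("id_token_hint") String str, @QueryParam("state") String str2, @Context HttpServletRequest httpServletRequest) throws IOException, GeneralSecurityException {
        return op(uri, str, str2, httpServletRequest);
    }

    /**
     * First step of the logout.
     *
     * <p>Flow: parse the {@code id_token_hint} when given; reject a
     * {@code post_logout_redirect_uri} that is not registered for the hinted
     * client (or that comes without a hint at all); if nobody is logged in,
     * send the user straight back to the RP; otherwise make sure the hint is
     * for the logged-in subject, stash the request details and a fresh nonce in
     * the session and redirect to the authenticator's logout page.
     *
     * @param uri optional {@code post_logout_redirect_uri}; requires {@code str} so it can be validated
     * @param str optional {@code id_token_hint}, a JWT signed with one of this provider's keys
     * @param str2 optional opaque {@code state} echoed back to the RP
     * @param httpServletRequest current request
     * @return a 307 redirect, either to the authenticator's logout page or back to the RP
     * @throws OpenIdConnectException {@code invalid_request} when the hint cannot be read or the
     *         redirect URI is not acceptable; {@code access_denied} when the hint is for another subject
     * @throws IOException from token processing, the message body reader or the authenticator
     * @throws GeneralSecurityException from token processing or the authenticator
     */
    @POST
    public Response op(@FormParam("post_logout_redirect_uri") URI uri, @FormParam("id_token_hint") String str, @FormParam("state") String str2, @Context HttpServletRequest httpServletRequest) throws IOException, GeneralSecurityException {
        final IdToken idToken = str == null ? null : readIdTokenHint(str);
        if (uri != null) {
            // Without a hint the client is unknown, so the URI cannot be checked
            // against its registration; honouring it would be an open redirect.
            if (idToken == null) {
                throw new OpenIdConnectException(ErrorCode.invalid_request, "post_logout_redirect_uri requires id_token_hint");
            }
            if (!this.clientManager.isPostLogoutRedirectUriValidForClient(idToken.getAzp(), uri)) {
                throw new OpenIdConnectException(ErrorCode.invalid_request);
            }
        }
        final HttpSession session = httpServletRequest.getSession(false);
        if (session == null || !this.authenticator.isAuthenticated(httpServletRequest)) {
            // Nobody is logged in here, so there is nothing to end.
            return redirectBack(uri, str2);
        }
        // The hint is optional; only when present must it belong to the logged-in subject.
        if (idToken != null && !this.authenticator.getSubject(httpServletRequest).equals(idToken.getSub())) {
            throw new OpenIdConnectException(ErrorCode.access_denied);
        }
        final UriBuilder contextRoot = UriBuilder.fromUri(httpServletRequest.getRequestURL().toString()).replacePath(httpServletRequest.getContextPath());
        session.setAttribute(POST_LOGOUT_REDIRECT_URI_ATTRIBUTE, uri);
        if (idToken != null) {
            session.setAttribute(WellKnownOpenIdConfiguration.ID_TOKEN, idToken);
        }
        session.setAttribute(STATE, str2);
        final String nonce = this.keyProvider.nextEncodedToken();
        session.setAttribute(NONCE_ATTRIBUTE, nonce);
        return Response.temporaryRedirect(this.authenticator.logout(nonce, idToken, str2, uri, httpServletRequest, contextRoot)).build();
    }

    /**
     * Parses the {@code id_token_hint} using this provider's own key set.
     *
     * @param idTokenHint the encoded JWT
     * @return the decoded ID token
     * @throws OpenIdConnectException {@code invalid_request} when no key matches the token's {@code kid}
     * @throws IOException from the token processor or the message body reader
     * @throws GeneralSecurityException from the token processor
     */
    private IdToken readIdTokenHint(final String idTokenHint) throws IOException, GeneralSecurityException {
        final JsonWebTokenProcessor processor = new JsonWebTokenProcessor(idTokenHint).jwks(this.keyProvider.getPrivateJwks());
        if (!processor.isJwkAvailable()) {
            throw new OpenIdConnectException(ErrorCode.invalid_request, "no jwk available for kid");
        }
        return this.providers.getMessageBodyReader(IdToken.class, IdToken.class, new Annotation[0], MediaType.APPLICATION_JSON_TYPE)
                .readFrom(IdToken.class, IdToken.class, new Annotation[0], MediaType.APPLICATION_JSON_TYPE, (MultivaluedMap<String, String>) null, new ByteArrayInputStream(processor.getPayload()));
    }

    /**
     * Compares the submitted nonce with the one stored in the session in constant time.
     * A session that never started a logout (no nonce stored) never matches.
     *
     * @param session the current session
     * @param submitted the nonce from the confirmation form, may be null
     * @return {@code true} only when both are present and equal
     */
    private static boolean nonceMatches(final HttpSession session, final String submitted) {
        final Object expected = session.getAttribute(NONCE_ATTRIBUTE);
        if (!(expected instanceof String) || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(((String) expected).getBytes(StandardCharsets.UTF_8), submitted.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Builds the redirect back to the relying party.
     *
     * <p>{@code state} is only appended when the RP sent one, because
     * {@link UriBuilder#queryParam} rejects null values. Without a post-logout
     * URI there is nowhere to send the user, so an empty 204 is returned rather
     * than letting {@link UriBuilder#fromUri} fail on null.
     *
     * @param postLogoutRedirectUri where to send the user, may be null
     * @param state the RP's opaque state, may be null
     * @return the response to return to the user agent
     */
    private static Response redirectBack(final URI postLogoutRedirectUri, final String state) {
        if (postLogoutRedirectUri == null) {
            return Response.noContent().build();
        }
        final UriBuilder target = UriBuilder.fromUri(postLogoutRedirectUri);
        if (state != null) {
            target.queryParam(STATE, state);
        }
        return Response.temporaryRedirect(target.build()).build();
    }
}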
