package org.forgerock.openam.oauth2.rest;

import java.util.Collections;
import java.util.Iterator;
import javax.inject.Inject;
import org.forgerock.json.JsonValue;
import org.forgerock.oauth2.core.ClientAuthenticator;
import org.forgerock.oauth2.core.OAuth2Request;
import org.forgerock.oauth2.core.OAuth2RequestFactory;
import org.forgerock.oauth2.core.TokenStore;
import org.forgerock.oauth2.core.Utils;
import org.forgerock.oauth2.core.exceptions.InvalidClientAuthZHeaderException;
import org.forgerock.oauth2.core.exceptions.InvalidClientException;
import org.forgerock.oauth2.core.exceptions.InvalidGrantException;
import org.forgerock.oauth2.core.exceptions.InvalidRequestException;
import org.forgerock.oauth2.core.exceptions.NotFoundException;
import org.forgerock.oauth2.core.exceptions.OAuth2Exception;
import org.forgerock.oauth2.core.exceptions.ServerException;
import org.forgerock.oauth2.restlet.ExceptionHandler;
import org.forgerock.oauth2.restlet.OAuth2RestletException;
import org.forgerock.oauth2.restlet.RestletConstants;
import org.forgerock.openam.cts.api.fields.OAuthTokenField;
import org.forgerock.openam.cts.exceptions.CoreTokenException;
import org.forgerock.openam.oauth2.OAuth2RealmResolver;
import org.forgerock.openam.utils.CollectionUtils;
import org.forgerock.util.query.QueryFilter;
import org.json.JSONObject;
import org.restlet.data.ChallengeRequest;
import org.restlet.data.ChallengeScheme;
import org.restlet.ext.json.JsonRepresentation;
import org.restlet.representation.Representation;
import org.restlet.resource.Post;
import org.restlet.resource.ServerResource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/forgerock/openam/oauth2/rest/TokenRevocationResource.class */
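/**
 * Restlet resource that deletes an OAuth2 access or refresh token on behalf of an authenticated client.
 *
 * <p>The request must carry a {@code token} parameter. The calling client is authenticated first, then
 * the stored token is read and its client id is compared with the authenticated client before anything
 * is deleted. A token that cannot be found is answered with the same empty JSON object as a successful
 * revocation.
 *
 * <p>NOTE(review): this looks like an RFC 7009 style revocation endpoint; confirm against the route
 * configuration, which is not visible in this file.
 *
 * <p>NOTE(review): the submitted token value is written to the error log and echoed into error responses
 * in several places below. If the token id is itself the bearer credential, log readers can replay it,
 * most notably when the delete has just failed and the token is still valid. Consider logging a
 * truncated or hashed identifier instead.
 */
public class TokenRevocationResource extends ServerResource {
    private final Logger logger = LoggerFactory.getLogger("OAuth2Provider");
    private final OAuth2RequestFactory requestFactory;
    private final ClientAuthenticator clientAuthenticator;
    private final TokenStore tokenStore;
    private final ExceptionHandler exceptionHandler;
    private final OAuth2RealmResolver realmResolver;

    /**
     * Creates the resource with its injected collaborators.
     *
     * @param oAuth2RequestFactory builds the {@link OAuth2Request} from the Restlet request
     * @param clientAuthenticator authenticates the client making the revocation request
     * @param tokenStore store the tokens are read from, queried in and deleted from
     * @param exceptionHandler receives throwables passed to {@link #doCatch(Throwable)}
     * @param oAuth2RealmResolver resolves the realm for the request
     */
    @Inject
    public TokenRevocationResource(OAuth2RequestFactory oAuth2RequestFactory, ClientAuthenticator clientAuthenticator, TokenStore tokenStore, ExceptionHandler exceptionHandler, OAuth2RealmResolver oAuth2RealmResolver) {
        this.clientAuthenticator = clientAuthenticator;
        this.requestFactory = oAuth2RequestFactory;
        this.tokenStore = tokenStore;
        this.exceptionHandler = exceptionHandler;
        this.realmResolver = oAuth2RealmResolver;
    }

    /**
     * Revokes the token named by the {@code token} request parameter.
     *
     * <p>An {@code access_token} is deleted on its own. A {@code refresh_token} is deleted together with
     * every token that shares its user name, client id and auth grant id.
     *
     * @param representation the request entity; not read directly, parameters come from the request
     * @return an empty JSON object, both when the token was revoked and when no such token was found
     * @throws OAuth2RestletException if the parameter is missing, client authentication fails, the token
     *         belongs to another client, the token type is not recognised, or the token store fails
     */
    @Post
    public Representation revoke(Representation representation) throws OAuth2RestletException {
        OAuth2Request create = this.requestFactory.create(getRequest());
        String resolveFrom = this.realmResolver.resolveFrom(create);
        String str = (String) create.getParameter("token");
        try {
            if (Utils.isEmpty(str)) {
                throw new InvalidRequestException("Missing parameter: token");
            }
            // Authenticate the caller before touching the store, so an unauthenticated request
            // cannot be used to probe whether a token exists.
            String clientId = this.clientAuthenticator.authenticate(create, null).getClientId();
            // getToken() rejects a token whose stored client id differs from the authenticated client.
            JsonValue token = getToken(clientId, str);
            if (token != null) {
                String attributeValue = getAttributeValue(token, "tokenName");
                // Constant-first equals keeps a token without a tokenName attribute on the
                // "invalid token name" path instead of failing with a NullPointerException.
                if ("access_token".equals(attributeValue)) {
                    deleteAccessToken(resolveFrom, str);
                } else if ("refresh_token".equals(attributeValue)) {
                    deleteRefreshTokenAndAccessTokens(resolveFrom, token, clientId);
                } else {
                    throw new InvalidRequestException("Invalid token name: " + attributeValue);
                }
            }
            return new JsonRepresentation(new JSONObject());
        } catch (CoreTokenException e) {
            this.logger.error(e.getMessage(), e);
            // NOTE(review): the second argument is where the other branches pass getError(); here it
            // carries free text containing the submitted token value, and the store's internal
            // exception message is returned to the caller as well. A fixed error code and a generic
            // description would avoid reflecting both.
            throw new OAuth2RestletException(500, "Failed to find token with id :" + str, e.getMessage(), (String) create.getParameter("state"));
        } catch (InvalidClientAuthZHeaderException e2) {
            // Advertise the challenge scheme carried by the exception before reporting the failure.
            getResponse().setChallengeRequests(Collections.singletonList(new ChallengeRequest(ChallengeScheme.valueOf(RestletConstants.SUPPORTED_RESTLET_CHALLENGE_SCHEMES.get(e2.getChallengeScheme())), e2.getChallengeRealm())));
            throw new OAuth2RestletException(e2.getStatusCode(), e2.getError(), e2.getMessage(), (String) create.getParameter("state"));
        } catch (InvalidClientException e3) {
            this.logger.error(e3.getMessage(), e3);
            throw new OAuth2RestletException(e3.getStatusCode(), e3.getError(), e3.getMessage(), (String) create.getParameter("state"));
        } catch (OAuth2Exception e4) {
            this.logger.error(e4.getMessage(), e4);
            throw new OAuth2RestletException(e4.getStatusCode(), e4.getError(), e4.getMessage(), (String) create.getParameter("redirect_uri"), (String) create.getParameter("state"), e4.getParameterLocation());
        }
    }

    /**
     * Deletes a single access token from the store.
     *
     * @param realm realm resolved for the request
     * @param tokenId id of the token to delete
     * @throws ServerException if the store reports a failure; the original exception is logged, not chained
     * @throws NotFoundException propagated unchanged from the store
     */
    private void deleteAccessToken(String realm, String tokenId) throws ServerException, NotFoundException {
        try {
            this.tokenStore.delete(realm, tokenId);
        } catch (ServerException e) {
            // NOTE(review): this logs the id of a token that was NOT revoked and is therefore still usable.
            this.logger.error("Failed to delete access token with id :" + tokenId, e);
            throw new ServerException("Failed to revoke access token");
        }
    }

    /**
     * Deletes every token that shares the refresh token's user name, client id and auth grant id.
     *
     * <p>A {@link ServerException} on an individual delete is logged and the loop continues.
     * NOTE(review): in that case this method still returns normally, so {@code revoke} answers with the
     * success response although some tokens of the grant remain in the store. Confirm that best-effort
     * is intended; a caller cannot tell a partial revocation from a complete one.
     *
     * @param realm realm resolved for the request
     * @param refreshToken the stored refresh token being revoked
     * @param clientId id of the authenticated client
     * @throws ServerException if the related tokens cannot be fetched, or a delete reports not-found
     * @throws NotFoundException declared for callers; the visible code converts it to ServerException
     */
    private void deleteRefreshTokenAndAccessTokens(String realm, JsonValue refreshToken, String clientId) throws ServerException, NotFoundException {
        String userName = getAttributeValue(refreshToken, OAuthTokenField.USER_NAME.getOAuthField());
        int deleted = 0;
        try {
            JsonValue tokens = getTokens(realm, clientId, userName, getAttributeValue(refreshToken, "authGrantId"));
            for (JsonValue related : tokens) {
                String relatedId = getAttributeValue(related, OAuthTokenField.ID.getOAuthField());
                try {
                    this.tokenStore.delete(realm, relatedId);
                    deleted++;
                } catch (ServerException e) {
                    // Keep going so one failing delete does not leave the rest of the grant alive.
                    this.logger.error("Failed to delete token with id :" + relatedId, e);
                }
            }
            int size = tokens.size();
            if (deleted < size) {
                this.logger.error("Failed to revoke " + (size - deleted) + " from " + size + " tokens");
            }
        } catch (NotFoundException | ServerException e2) {
            this.logger.error("Failed to fetch all the related tokens for the client :" + clientId + " and user name :" + userName, e2);
            throw new ServerException("Failed to revoke refresh and access tokens");
        }
    }

    /**
     * Queries the store for all tokens matching the given user name, client id and auth grant id.
     *
     * @param realm realm resolved for the request
     * @param clientId value matched against the client id field
     * @param userName value matched against the user name field
     * @param authGrantId value matched against the auth grant id field
     * @return the query result as returned by the token store
     * @throws ServerException propagated from the store
     * @throws NotFoundException propagated from the store
     */
    private JsonValue getTokens(String realm, String clientId, String userName, String authGrantId) throws ServerException, NotFoundException {
        return this.tokenStore.queryForToken(realm, QueryFilter.and(new QueryFilter[]{
                QueryFilter.equalTo(OAuthTokenField.USER_NAME.getField(), userName),
                QueryFilter.equalTo(OAuthTokenField.CLIENT_ID.getField(), clientId),
                QueryFilter.equalTo(OAuthTokenField.AUTH_GRANT_ID.getField(), authGrantId)}));
    }

    /**
     * Reads the token and checks that it was issued to the authenticated client.
     *
     * <p>This is the ownership check of the endpoint: without it any authenticated client could revoke
     * another client's tokens. A stored token with no client id attribute fails the comparison and is
     * rejected as well.
     *
     * @param clientId id of the authenticated client
     * @param tokenId id of the token to read
     * @return the stored token, or {@code null} if the store has no such token
     * @throws InvalidGrantException if the stored token's client id differs from {@code clientId}
     */
    private JsonValue getToken(String clientId, String tokenId) throws CoreTokenException, InvalidRequestException, InvalidGrantException, ServerException, NotFoundException {
        JsonValue read = this.tokenStore.read(tokenId);
        if (read == null || clientId.equals(getAttributeValue(read, OAuthTokenField.CLIENT_ID.getOAuthField()))) {
            return read;
        }
        // NOTE(review): this message tells a client that the token exists but belongs to someone else,
        // while an unknown token gets a success response; confirm that this difference is acceptable.
        throw new InvalidGrantException("The provided token id : " + tokenId + " belongs to different access grant.");
    }

    /**
     * Returns the named attribute as a string.
     *
     * @param jsonValue the token to read from
     * @param name attribute name
     * @return the string value, the first item when the attribute is a collection, or {@code null}
     *         when it is neither
     */
    private String getAttributeValue(JsonValue jsonValue, String name) {
        JsonValue attribute = jsonValue.get(name);
        if (attribute.isString()) {
            return attribute.asString();
        }
        if (attribute.isCollection()) {
            return (String) CollectionUtils.getFirstItem(attribute.asCollection(String.class));
        }
        return null;
    }

    /**
     * Hands any throwable raised while handling the request to the injected {@link ExceptionHandler},
     * which writes to the current response.
     *
     * @param th the throwable raised during request handling
     */
    protected void doCatch(Throwable th) {
        this.exceptionHandler.handle(th, getResponse());
    }
}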
