package org.apereo.cas.support.oauth.web.endpoints;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.support.oauth.OAuth20Constants;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.validator.token.OAuth20TokenRequestValidator;
import org.apereo.cas.ticket.OAuth20Token;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.apereo.cas.ticket.refreshtoken.OAuth20RefreshToken;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.profile.ProfileManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oauth-core-api-6.3.7.4.jar:org/apereo/cas/support/oauth/web/endpoints/OAuth20RevocationEndpointController.class */
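/**
 * OAuth 2.0 token revocation endpoint ({@code POST /oauth2.0/revoke}, modelled on RFC 7009).
 *
 * <p>A request is processed in three steps:
 * <ol>
 *   <li>it must be accepted by one of the configured {@link OAuth20TokenRequestValidator}s,
 *       otherwise {@code invalid_request} is returned;</li>
 *   <li>the {@code client_id} presented by the caller is resolved to a registered service.
 *       A confidential client (one with a client secret) must already carry an authenticated
 *       profile in the session store; a public client must pass the registered-service access
 *       strategy;</li>
 *   <li>the submitted {@code token} must be an access or refresh token in the ticket registry
 *       that was issued to that same {@code client_id}. Revoking a refresh token also revokes
 *       every access token it lists.</li>
 * </ol>
 *
 * <p>A token that is not found in the registry is answered with {@code 200 OK} and nothing is
 * revoked, which is the RFC 7009 behaviour for invalid tokens.
 */
public class OAuth20RevocationEndpointController extends BaseOAuth20Controller {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20RevocationEndpointController.class);

    public OAuth20RevocationEndpointController(final OAuth20ConfigurationContext oAuth20ConfigurationContext) {
        super(oAuth20ConfigurationContext);
    }

    /**
     * Handle a token revocation request.
     *
     * @param request  the incoming servlet request
     * @param response the servlet response that error views are written to
     * @return a JSON {@link ModelAndView}: {@code 200 OK} with an empty body when the token was
     * revoked or is unknown, otherwise the error view built by {@link OAuth20Utils#writeError}
     */
    // Path literal kept exactly as compiled into the artifact this listing was recovered from.
    @PostMapping(path = {"//oauth2.0/revoke"}, produces = {"application/json"})
    public ModelAndView handleRequest(final HttpServletRequest request, final HttpServletResponse response) {
        final JEEContext context = new JEEContext(request, response, getOAuthConfigurationContext().getSessionStore());
        if (!verifyRevocationRequest(context)) {
            LOGGER.error("Revocation request verification failed. Request is missing required parameters");
            return OAuth20Utils.writeError(response, OAuth20Constants.INVALID_REQUEST);
        }

        // client_id as presented by the caller. Client credentials are not verified in this
        // handler; that is left to the validators above and to whatever authenticated the
        // client before the request reached this controller.
        final String clientId = OAuth20Utils.getClientIdAndClientSecret(context).getLeft();
        final OAuthRegisteredService registeredService = getRegisteredServiceByClientId(clientId);
        if (registeredService == null) {
            // An unknown client_id used to fall through to a NullPointerException (HTTP 500).
            // The request validator may already reject unknown clients, but the handler must
            // not depend on that.
            LOGGER.warn("Unable to locate a registered service for client id [{}]", clientId);
            return OAuth20Utils.writeError(response, OAuth20Constants.INVALID_REQUEST);
        }

        if (OAuth20Utils.doesServiceNeedAuthentication(registeredService)) {
            // Confidential client: an authenticated profile must already be present in the session.
            // NOTE(review): only the presence of a profile is checked; it is not compared against
            // clientId. Whether the authenticated client and the presented client_id can differ
            // depends on how the upstream security filter extracts credentials - confirm before
            // treating this as a binding check.
            final ProfileManager profileManager = new ProfileManager(context, context.getSessionStore());
            if (profileManager.get(true).isEmpty()) {
                LOGGER.warn("Service [{}] requests authentication", clientId);
                return OAuth20Utils.writeError(response, OAuth20Constants.ACCESS_DENIED);
            }
        } else if (isAccessStrategyDenied(registeredService)) {
            // Public client: there is no secret to verify, so the service access strategy is the
            // only gate before the token-ownership check below.
            return OAuth20Utils.writeError(response, OAuth20Constants.INVALID_REQUEST);
        }

        final String token = context.getRequestParameter("token").map(String::valueOf).orElse("");
        return generateRevocationResponse(token, clientId, response);
    }

    /**
     * Revoke {@code token} on behalf of {@code clientId} and build the response.
     *
     * <p>Outcomes, in the order they are evaluated:
     * <ul>
     *   <li>token not in the ticket registry: nothing is deleted, {@code 200 OK};</li>
     *   <li>token is an {@link OAuth20Token} that is neither an access nor a refresh token
     *       (presumably an authorization code or similar): {@code invalid_request};</li>
     *   <li>token was issued to a different client id: {@code invalid_request};</li>
     *   <li>otherwise the token is deleted - for a refresh token together with every access token
     *       it lists - and {@code 200 OK} is returned.</li>
     * </ul>
     *
     * <p>NOTE(review): an unknown token yields 200 while a token owned by another client yields
     * 400, so any registered client can probe whether an arbitrary token id exists. RFC 7009
     * permits refusing tokens issued to other clients; answering 200 in both cases would close
     * that oracle. The token identifier is also written to the log on every failure path here,
     * so those logs should be treated as containing bearer credentials.
     *
     * @param token    the token identifier submitted by the client (may be empty)
     * @param clientId the client id the request was made with
     * @param response the servlet response used for error views
     * @return the resulting {@link ModelAndView}
     */
    protected ModelAndView generateRevocationResponse(final String token, final String clientId, final HttpServletResponse response) {
        final OAuth20Token ticket = getOAuthConfigurationContext().getTicketRegistry().getTicket(token, OAuth20Token.class);
        if (ticket == null) {
            LOGGER.error("Provided token [{}] has not been found in the ticket registry", token);
            return okResponse();
        }
        if (!isRefreshToken(ticket) && !isAccessToken(ticket)) {
            LOGGER.error("Provided token [{}] is either not a refresh token or not an access token", token);
            return OAuth20Utils.writeError(response, OAuth20Constants.INVALID_REQUEST);
        }
        if (!StringUtils.equals(clientId, ticket.getClientId())) {
            LOGGER.warn("Provided token [{}] has not been issued for the service [{}]", token, clientId);
            return OAuth20Utils.writeError(response, OAuth20Constants.INVALID_REQUEST);
        }
        if (isRefreshToken(ticket)) {
            revokeToken((OAuth20RefreshToken) ticket);
        } else {
            revokeToken(ticket.getId());
        }
        return okResponse();
    }

    /**
     * Run the registered-service access strategy enforcer for a public client.
     *
     * @param registeredService the service resolved from the request's client id (non-null)
     * @return {@code true} when the enforcer reports a failure, i.e. the request must be refused
     */
    private boolean isAccessStrategyDenied(final OAuthRegisteredService registeredService) {
        final AuditableContext auditContext = AuditableContext.builder()
            .service(getOAuthConfigurationContext().getWebApplicationServiceServiceFactory().createService(registeredService.getServiceId()))
            .registeredService(registeredService)
            .build();
        return getOAuthConfigurationContext().getRegisteredServiceAccessStrategyEnforcer().execute(auditContext).isExecutionFailure();
    }

    /** The RFC 7009 success response: HTTP 200 with an empty JSON body. */
    private static ModelAndView okResponse() {
        final ModelAndView modelAndView = new ModelAndView(new MappingJackson2JsonView());
        modelAndView.setStatus(HttpStatus.OK);
        return modelAndView;
    }

    /**
     * Delete a refresh token and every access token it lists.
     *
     * @param refreshToken the refresh token to revoke
     */
    private void revokeToken(final OAuth20RefreshToken refreshToken) {
        revokeToken(refreshToken.getId());
        refreshToken.getAccessTokens().forEach(this::revokeToken);
    }

    /**
     * Delete a single ticket from the registry by id.
     *
     * @param ticketId the access or refresh token identifier
     */
    private void revokeToken(final String ticketId) {
        LOGGER.debug("Revoking token [{}]", ticketId);
        getOAuthConfigurationContext().getTicketRegistry().deleteTicket(ticketId);
    }

    private static boolean isRefreshToken(final OAuth20Token token) {
        return token instanceof OAuth20RefreshToken;
    }

    private static boolean isAccessToken(final OAuth20Token token) {
        return token instanceof OAuth20AccessToken;
    }

    /**
     * Look up the OAuth registered service for a client id.
     *
     * @param clientId the client id from the request
     * @return the matching service, or {@code null} when none is registered under that id
     */
    private OAuthRegisteredService getRegisteredServiceByClientId(final String clientId) {
        return OAuth20Utils.getRegisteredOAuthServiceByClientId(getOAuthConfigurationContext().getServicesManager(), clientId);
    }

    /**
     * Validate the request syntax with the first configured token-request validator that
     * declares support for it.
     *
     * @param context the web context wrapping the request
     * @return the validator's verdict, or {@code false} when no validator supports the request
     */
    private boolean verifyRevocationRequest(final JEEContext context) {
        final OAuth20TokenRequestValidator validator = getOAuthConfigurationContext().getAccessTokenGrantRequestValidators()
            .stream()
            .filter(candidate -> candidate.supports(context))
            .findFirst()
            .orElse(null);
        if (validator == null) {
            LOGGER.warn("Ignoring malformed request [{}] as no OAuth20 validator could declare support for its syntax", context.getFullRequestURL());
            return false;
        }
        return validator.validate(context);
    }
}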
