package com.adobe.granite.oauth.server.impl;

import com.adobe.granite.crypto.CryptoException;
import com.adobe.granite.crypto.CryptoSupport;
import com.adobe.granite.oauth.server.impl.helper.OAuth2Constants;
import com.adobe.granite.oauth.server.impl.helper.OAuth2Helper;
import com.day.cq.i18n.I18n;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import org.apache.commons.lang.StringUtils;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.oltu.commons.encodedtoken.TokenDecoder;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.OptingServlet;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.apache.sling.commons.osgi.OsgiUtil;
import org.apache.sling.jcr.api.SlingRepository;
import org.osgi.service.cm.Configuration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

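/**
 * Deprecated servlet that revokes every OAuth token stored for one client.
 *
 * <p>The servlet is bound to the OAuth client resource type for POST requests and only opts in
 * when the {@code oauth.client.revocation.active} OSGi property is true and the request carries
 * {@code :operation=revoke}. The caller must present the client id together with an HMAC of it
 * ({@code clientIdHmac}); revocation runs on a service session only after that HMAC verifies.
 *
 * <p>This listing is decompiled output. Decompiler artifacts (a boolean constant standing in for
 * {@code null}, a session variable that was never assigned) have been repaired so the session is
 * always logged out.
 */
@Component(metatype = true, label = "%oauth.client.revocation.endpoint.name", description = "%oauth.client.revocation.endpoint.description")
@Deprecated
@Service({Servlet.class})
@Properties({@Property(name = "sling.servlet.resourceTypes", value = {OAuth2Constants.OAUTH_CLIENT}, propertyPrivate = true), @Property(name = "sling.servlet.methods", value = {"POST"}, propertyPrivate = true), @Property(name = "service.description", value = {"OAuth Client Revocation Servlet (DEPRECATED)"})})
/* loaded from: input_file:com/adobe/granite/oauth/server/impl/OAuth2ClientRevocationServlet.class */
public class OAuth2ClientRevocationServlet extends SlingAllMethodsServlet implements OptingServlet {
    private static final Logger log = LoggerFactory.getLogger(OAuth2ClientRevocationServlet.class);
    protected static final String ACTIVE = "oauth.client.revocation.active";

    @Property(name = ACTIVE)
    protected static final boolean ACTIVE_DEFAULT = false;

    // Last value read from the OSGi configuration by accepts(); doPost() relies on it.
    private boolean active;

    @Reference
    SlingRepository repository;

    @Reference
    UserConfiguration userConfiguration;

    @Reference
    ConfigurationAdmin confAdmin;

    @Reference
    CryptoSupport cryptoSupport;

    /**
     * Decides whether this servlet handles the request.
     *
     * <p>Re-reads the {@code oauth.client.revocation.active} flag from the OSGi configuration on
     * every call. If the configuration cannot be read, the previously stored flag is kept and the
     * failure is logged.
     *
     * @param slingHttpServletRequest the incoming request
     * @return {@code true} only when revocation is active and {@code :operation} equals
     *     {@code revoke} (case-insensitive)
     */
    public boolean accepts(SlingHttpServletRequest slingHttpServletRequest) {
        try {
            Configuration configuration = this.confAdmin.getConfiguration("com.adobe.granite.oauth.server.impl.OAuth2ClientRevocationServlet");
            if (configuration != null && configuration.getProperties() != null) {
                this.active = OsgiUtil.toBoolean(configuration.getProperties().get(ACTIVE), ACTIVE_DEFAULT);
            }
        } catch (IOException e) {
            log.error("Unable to query OSGI config to determine active status.", e);
        }
        return this.active && StringUtils.equalsIgnoreCase(slingHttpServletRequest.getParameter(":operation"), "revoke");
    }

    /**
     * Revokes all tokens of the client named by {@code clientId} after verifying
     * {@code clientIdHmac}, then answers with a status code or a redirect to {@code :redirect}.
     *
     * <p>Without a usable redirect target the response status is 200 on success and 500 when the
     * repository operation failed. With a redirect target, the outcome is appended as a
     * {@code status} or {@code error} query parameter.
     *
     * @param slingHttpServletRequest request carrying {@code clientId}, {@code clientIdHmac} and
     *     optionally {@code :redirect}
     * @param slingHttpServletResponse response to set the status or redirect on
     * @throws IllegalArgumentException if {@code clientId} or {@code clientIdHmac} is blank, or
     *     the HMAC does not match
     * @throws ServletException if the HMAC cannot be computed
     * @throws IOException if the redirect cannot be sent
     */
    protected void doPost(SlingHttpServletRequest slingHttpServletRequest, SlingHttpServletResponse slingHttpServletResponse) throws ServletException, IOException {
        String redirect = slingHttpServletRequest.getParameter(":redirect");
        String clientId = slingHttpServletRequest.getParameter("clientId");
        String clientIdHmac = slingHttpServletRequest.getParameter("clientIdHmac");
        String statusMessage = null;
        String errorMessage = null;
        if (!this.active) {
            log.error("OAuth client revocation endpoint invoked, but client revocation is not active");
        } else {
            if (StringUtils.isBlank(clientId)) {
                throw new IllegalArgumentException("Missing required clientId parameter.");
            }
            if (StringUtils.isBlank(clientIdHmac)) {
                throw new IllegalArgumentException("Missing required clientId hmac parameter.");
            }
            try {
                if (!hmacMatches(clientId, clientIdHmac)) {
                    throw new IllegalArgumentException("Possibly forged clientId hmac parameter.");
                }
            } catch (CryptoException e) {
                throw new ServletException("Crypto exception while trying to compute clientId Hmac.", e);
            }
            Session session = null;
            try {
                session = this.repository.loginService((String) null, (String) null);
                List<Node> tokensForClient = OAuth2Helper.getTokensForClient(session, (String) this.userConfiguration.getParameters().getConfigValue("usersPath", "/rep:security/rep:authorizables/rep:users"), clientId);
                for (Node node : tokensForClient) {
                    boolean isRefreshToken = node.getPrimaryNodeType().isNodeType(OAuth2Constants.OAUTH_REFRESH_TOKEN);
                    // Nodes that are not refresh tokens carry the token location in a property.
                    String path = isRefreshToken ? node.getPath() : node.getProperty(OAuth2Constants.OAUTH_TOKEN_PATH).getString();
                    OAuth2Helper.revokeToken(session, path);
                    if (!isRefreshToken) {
                        OAuth2Helper.removeAccessTokenReference(session, path);
                    }
                }
                if (session.hasPendingChanges()) {
                    session.save();
                }
                int size = tokensForClient.size();
                if (size == 0) {
                    statusMessage = I18n.get(slingHttpServletRequest, "No valid tokens found to revoke.");
                } else if (size == 1) {
                    statusMessage = I18n.get(slingHttpServletRequest, "{0} token has been revoked.", "0 is the number of tokens", new Object[]{Integer.valueOf(size)});
                } else {
                    statusMessage = I18n.get(slingHttpServletRequest, "{0} tokens have been revoked.", "0 is the number of tokens", new Object[]{Integer.valueOf(size)});
                }
            } catch (RepositoryException e) {
                log.error("Unable to revoke tokens for client ID {}.", clientId, e);
                errorMessage = "Error occurred while revoking tokens.  See logs for details.";
            } finally {
                // The service session must be released on every path, including failures.
                if (session != null && session.isLive()) {
                    session.logout();
                }
            }
        }
        boolean failed = StringUtils.isNotBlank(errorMessage);
        boolean redirectRequested = StringUtils.isNotBlank(redirect);
        if (redirectRequested && !isLocalRedirect(redirect)) {
            // ":redirect" is request-controlled; following an off-site target would make this
            // endpoint an open redirect. The value itself is not logged because it is untrusted.
            log.warn("Ignoring :redirect parameter because it is not a same-site target.");
            redirectRequested = false;
        }
        if (!redirectRequested) {
            slingHttpServletResponse.setStatus(failed ? 500 : 200);
            return;
        }
        // Use '&' when the target already has a query string so the outcome stays parseable.
        String separator = redirect.indexOf('?') >= 0 ? "&" : "?";
        // NOTE(review): the message is appended unencoded, as before; confirm how the receiving
        // page decodes it before introducing URL encoding here.
        if (failed) {
            redirect = redirect + separator + "error=" + errorMessage;
        } else if (StringUtils.isNotBlank(statusMessage)) {
            redirect = redirect + separator + "status=" + statusMessage;
        }
        slingHttpServletResponse.sendRedirect(redirect);
    }

    /**
     * Checks the presented HMAC against the one computed for the client id.
     *
     * @param clientId the client id from the request
     * @param presentedHmac the base64 HMAC supplied by the caller
     * @return {@code true} when both values are equal
     * @throws CryptoException if the HMAC cannot be computed
     */
    private boolean hmacMatches(String clientId, String presentedHmac) throws CryptoException {
        // NOTE(review): getBytes() uses the platform charset, as in the original; it has to match
        // whatever produced clientIdHmac, so confirm the producer before pinning a charset.
        String expected = TokenDecoder.base64Encode(this.cryptoSupport.hmac_sha256(clientId.getBytes()));
        if (expected == null || presentedHmac == null) {
            return false;
        }
        // MessageDigest.isEqual avoids the early exit of String equality when comparing MACs.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), presentedHmac.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Tells whether a redirect target stays on this site: it must parse as a URI with neither a
     * scheme nor an authority, and must not start with {@code //}.
     */
    private static boolean isLocalRedirect(String target) {
        if (target.startsWith("//")) {
            return false;
        }
        try {
            URI uri = new URI(target);
            return uri.getScheme() == null && uri.getAuthority() == null;
        } catch (URISyntaxException e) {
            // Unparseable targets (backslashes, control characters, spaces) are not followed.
            return false;
        }
    }

    /** Stores the repository service supplied by the component framework. */
    protected void bindRepository(SlingRepository slingRepository) {
        this.repository = slingRepository;
    }

    /** Clears the repository reference if it is the instance being unbound. */
    protected void unbindRepository(SlingRepository slingRepository) {
        if (this.repository == slingRepository) {
            this.repository = null;
        }
    }

    /** Stores the user configuration service supplied by the component framework. */
    protected void bindUserConfiguration(UserConfiguration userConfiguration) {
        this.userConfiguration = userConfiguration;
    }

    /** Clears the user configuration reference if it is the instance being unbound. */
    protected void unbindUserConfiguration(UserConfiguration userConfiguration) {
        if (this.userConfiguration == userConfiguration) {
            this.userConfiguration = null;
        }
    }

    /** Stores the configuration admin service supplied by the component framework. */
    protected void bindConfAdmin(ConfigurationAdmin configurationAdmin) {
        this.confAdmin = configurationAdmin;
    }

    /** Clears the configuration admin reference if it is the instance being unbound. */
    protected void unbindConfAdmin(ConfigurationAdmin configurationAdmin) {
        if (this.confAdmin == configurationAdmin) {
            this.confAdmin = null;
        }
    }

    /** Stores the crypto support service supplied by the component framework. */
    protected void bindCryptoSupport(CryptoSupport cryptoSupport) {
        this.cryptoSupport = cryptoSupport;
    }

    /** Clears the crypto support reference if it is the instance being unbound. */
    protected void unbindCryptoSupport(CryptoSupport cryptoSupport) {
        if (this.cryptoSupport == cryptoSupport) {
            this.cryptoSupport = null;
        }
    }
}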
