package com.adobe.granite.oauth.server.impl;

import com.adobe.granite.oauth.jwt.JwsValidator;
import com.adobe.granite.oauth.server.impl.helper.OAuth2Constants;
import com.adobe.granite.oauth.server.impl.helper.OAuth2Helper;
import java.io.IOException;
import java.util.Map;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.Servlet;
import org.apache.commons.lang.StringUtils;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Modified;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.apache.sling.commons.osgi.OsgiUtil;
import org.apache.sling.jcr.api.SlingRepository;
import org.osgi.framework.BundleContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

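/**
 * Deprecated Sling servlet that lets an authenticated user revoke an OAuth token that was
 * issued on their behalf.
 *
 * <p>The servlet is registered for POST requests on {@link #DEFAULT_SERVLET_PATH} (the path is
 * configurable through {@link #OAUTH_SERVLET_PATH}). It is disabled by default and must be
 * switched on explicitly through the {@link #ACTIVE} configuration property.
 *
 * <p>Revocation itself is performed with a service session, not with the caller's session, so
 * the ownership check in {@link #doPost} is the only thing that ties the submitted token to the
 * requesting user.
 */
@Component(metatype = true, label = "%oauth.revocation.endpoint.name")
@Deprecated
@Service({Servlet.class})
@Properties({@Property(name = OAuth2RevocationEndpointServlet.OAUTH_SERVLET_PATH, value = {OAuth2RevocationEndpointServlet.DEFAULT_SERVLET_PATH}), @Property(name = "sling.servlet.methods", value = {"POST"}, propertyPrivate = true), @Property(name = "service.description", value = {"OAuth Revocation Servlet (DEPRECATED)"})})
/* loaded from: input_file:com/adobe/granite/oauth/server/impl/OAuth2RevocationEndpointServlet.class */
public class OAuth2RevocationEndpointServlet extends SlingAllMethodsServlet {
    private static final Logger log = LoggerFactory.getLogger(OAuth2RevocationEndpointServlet.class);

    /** Name of the OSGi configuration property that enables the endpoint. */
    protected static final String ACTIVE = "oauth.revocation.active";

    /** Name of the Sling property that holds the servlet's registration path(s). */
    protected static final String OAUTH_SERVLET_PATH = "sling.servlet.paths";

    /** Path the servlet is registered on unless the configuration overrides it. */
    protected static final String DEFAULT_SERVLET_PATH = "/libs/granite/oauth/revoke";

    /** Default for {@link #ACTIVE}: the endpoint answers 503 until it is enabled. */
    @Property(name = ACTIVE)
    protected static final boolean ACTIVE_DEFAULT = false;

    /** Whether revocation requests are served; set from configuration in {@link #activate}. */
    private boolean active;

    @Reference
    SlingRepository repository;

    @Reference
    UserConfiguration userConfiguration;

    @Reference
    JwsValidator jwsValidator;

    /**
     * Reads the component configuration on activation and on every configuration change.
     *
     * @param bundleContext the bundle context supplied by the SCR runtime (unused)
     * @param map the component configuration; {@link #ACTIVE} is read from it
     */
    @Modified
    @Activate
    private void activate(BundleContext bundleContext, Map<String, Object> map) {
        log.info("'Adobe Granite OAuth Server' has been deprecated.");
        this.active = OsgiUtil.toBoolean(map.get(ACTIVE), ACTIVE_DEFAULT);
    }

    /**
     * Revokes the token passed in the {@code OAuth2Constants.TOKEN} request parameter.
     *
     * <p>Responses:
     * <ul>
     *   <li>503 when the endpoint is not active, or when the repository operation fails;</li>
     *   <li>400 when the token or the requesting user id is blank, or the token fails JWS
     *       validation;</li>
     *   <li>403 when neither the token's subject nor its JWT user id equals the requesting
     *       user;</li>
     *   <li>no error status otherwise, including when no matching token node or user is
     *       found.</li>
     * </ul>
     *
     * @param slingHttpServletRequest the request carrying the token and the caller's identity
     * @param slingHttpServletResponse the response that receives the error status, if any
     * @throws IOException if sending an error response fails
     */
    protected void doPost(SlingHttpServletRequest slingHttpServletRequest, SlingHttpServletResponse slingHttpServletResponse) throws IOException {
        if (!this.active) {
            log.error("OAuth revocation endpoint invoked, but revocation is not active");
            slingHttpServletResponse.sendError(SlingHttpServletResponse.SC_SERVICE_UNAVAILABLE, "Revocation service not active.");
            return;
        }

        String userID = slingHttpServletRequest.getResourceResolver().getUserID();
        String parameter = slingHttpServletRequest.getParameter(OAuth2Constants.TOKEN);

        // The signature is verified before any claim is read from the token, so the subject and
        // user id used below come from a token that passed JwsValidator.validate().
        if (StringUtils.isBlank(parameter) || StringUtils.isBlank(userID) || !this.jwsValidator.validate(parameter)) {
            slingHttpServletResponse.sendError(SlingHttpServletResponse.SC_BAD_REQUEST, "A valid token is required.");
            return;
        }

        // Ownership check: the write below runs with a service session, so this comparison is
        // what prevents one user from revoking another user's token.
        // NOTE(review): the check passes when EITHER claim matches, while the fallback branch
        // below always resolves the user from the JWT user id. Confirm that subject and JWT user
        // id cannot name different principals in a validly signed token.
        String subject = OAuth2Helper.getSubject(parameter);
        String jwtUserId = OAuth2Helper.getJwtUserId(parameter);
        if (!StringUtils.equals(userID, subject) && !StringUtils.equals(userID, jwtUserId)) {
            log.error("Token was not granted by the currently logged in user.");
            slingHttpServletResponse.sendError(SlingHttpServletResponse.SC_FORBIDDEN);
            return;
        }

        Session session = null;
        try {
            // NOTE(review): null sub-service name and workspace select the bundle's default
            // service user mapping; verify that this service user holds only the rights needed
            // to remove token nodes.
            session = this.repository.loginService((String) null, (String) null);
            String usersPath = (String) this.userConfiguration.getParameters().getConfigValue("usersPath", "/rep:security/rep:authorizables/rep:users");
            Node refreshTokenNode = OAuth2Helper.getRefreshTokenNode(session, usersPath, parameter);
            if (refreshTokenNode != null) {
                OAuth2Helper.revokeToken(session, refreshTokenNode.getPath());
            } else {
                // No refresh-token node matched: fall back to the user named in the token.
                User user = OAuth2Helper.getUser(session, jwtUserId);
                if (user != null) {
                    String path = user.getPath();
                    OAuth2Helper.revokeToken(session, path);
                    OAuth2Helper.removeAccessTokenReference(session, path);
                }
            }
            if (session.hasPendingChanges()) {
                session.save();
            }
        } catch (RepositoryException e) {
            // The token is credential material and may still be usable when revocation fails,
            // so it is deliberately kept out of the log; the user id is enough to correlate.
            log.error("Failed to revoke token for user {}.", userID, e);
            slingHttpServletResponse.sendError(SlingHttpServletResponse.SC_SERVICE_UNAVAILABLE, "Failed to revoke token.");
        } finally {
            // Always release the service session, whichever path was taken above.
            if (session != null && session.isLive()) {
                session.logout();
            }
        }
    }

    /**
     * Binds the repository used to open the service session.
     *
     * @param slingRepository the repository service to use
     */
    protected void bindRepository(SlingRepository slingRepository) {
        this.repository = slingRepository;
    }

    /**
     * Clears the repository reference if it is the instance being unbound.
     *
     * @param slingRepository the repository service going away
     */
    protected void unbindRepository(SlingRepository slingRepository) {
        if (this.repository == slingRepository) {
            this.repository = null;
        }
    }

    /**
     * Binds the user configuration from which the users root path is read.
     *
     * @param userConfiguration the user configuration service to use
     */
    protected void bindUserConfiguration(UserConfiguration userConfiguration) {
        this.userConfiguration = userConfiguration;
    }

    /**
     * Clears the user configuration reference if it is the instance being unbound.
     *
     * @param userConfiguration the user configuration service going away
     */
    protected void unbindUserConfiguration(UserConfiguration userConfiguration) {
        if (this.userConfiguration == userConfiguration) {
            this.userConfiguration = null;
        }
    }

    /**
     * Binds the validator used to verify the submitted token.
     *
     * @param jwsValidator the validator service to use
     */
    protected void bindJwsValidator(JwsValidator jwsValidator) {
        this.jwsValidator = jwsValidator;
    }

    /**
     * Clears the validator reference if it is the instance being unbound.
     *
     * @param jwsValidator the validator service going away
     */
    protected void unbindJwsValidator(JwsValidator jwsValidator) {
        if (this.jwsValidator == jwsValidator) {
            this.jwsValidator = null;
        }
    }
}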
