package be.atbash.ee.security.sso.server.authz;

import be.atbash.ee.security.octopus.SecurityUtils;
import be.atbash.ee.security.octopus.authz.UnauthenticatedException;
import be.atbash.ee.security.octopus.filter.authz.AuthorizationFilter;
import be.atbash.ee.security.octopus.util.WebUtils;
import be.atbash.ee.security.sso.server.client.ClientInfo;
import be.atbash.ee.security.sso.server.client.ClientInfoRetriever;
import be.atbash.ee.security.sso.server.store.SSOTokenStore;
import be.atbash.ee.security.sso.server.token.UserPrincipalToken;
import be.atbash.util.exception.AtbashUnexpectedException;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.openid.connect.sdk.LogoutRequest;
import java.io.IOException;
import java.util.Date;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

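/**
 * Authorization filter for the SSO server's OpenID Connect logout endpoint.
 *
 * <p>The request is parsed as an OIDC {@code LogoutRequest} taken from the query string. Access is
 * granted only when the {@code id_token_hint} parameter is a signed JWT whose HMAC signature
 * verifies under the secret of the client named in its {@code clientId} header parameter, and
 * whose {@code exp} claim has not passed. When no subject is currently authenticated, the JWT's
 * {@code sub} claim is used as an access code to look the user up in the token store and a session
 * is established for that user before the logout proceeds.
 *
 * <p>Security notes: the signature only proves possession of the client secret; the token's
 * {@code sub} value is then trusted as an access code without further binding (issuer/audience
 * are not checked here). Any client holding a valid secret can therefore present a hint for any
 * access code the token store knows about.
 *
 * <p>Any failure to parse, verify or validate the hint results in a 401 via
 * {@link #onAccessDenied(ServletRequest, ServletResponse)} instead of an uncaught exception.
 */
@ApplicationScoped
public class SSOLogoutFilter extends AuthorizationFilter {
    private static final Logger logger = LoggerFactory.getLogger(SSOLogoutFilter.class);

    @Inject
    private SSOTokenStore tokenStore;

    @Inject
    private ClientInfoRetriever clientInfoRetriever;

    /** Registers this filter under the name {@code ssoLogout}. */
    @PostConstruct
    public void initInstance() {
        setName("ssoLogout");
    }

    /**
     * Decides whether the logout request may proceed.
     *
     * @param servletRequest  the incoming request; its query string must form a valid OIDC
     *                        logout request carrying an {@code id_token_hint}
     * @param servletResponse unused here; the 401 is written by {@code onAccessDenied}
     * @return {@code true} when the hint is a verified, unexpired signed JWT issued under a known
     *         client's secret (and, if needed, the user it names could be logged in); {@code false}
     *         otherwise
     * @throws AtbashUnexpectedException if logging in the user named by the hint fails
     * @throws Exception                 propagated from the superclass contract
     */
    @Override
    protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
        try {
            LogoutRequest logoutRequest = LogoutRequest.parse(WebUtils.toHttp(servletRequest).getQueryString());

            // The hint may be a plain (unsigned) or encrypted JWT; only a signed one can be
            // verified against the client secret, so anything else is rejected instead of
            // failing with a ClassCastException.
            Object hint = logoutRequest.getIDTokenHint();
            if (hint != null && !(hint instanceof SignedJWT)) {
                logger.warn("SSOLogoutFilter: id_token_hint is not a signed JWT");
                return false;
            }
            SignedJWT idTokenHint = (SignedJWT) hint;

            if (!validate(idTokenHint)) {
                return false;
            }

            // Establish a session for the user the (now verified) hint refers to, unless one
            // already exists. The subject claim is used as the access code in the token store.
            if (getSubject().getPrincipal() == null) {
                String accessCode = idTokenHint.getJWTClaimsSet().getSubject();
                try {
                    // NOTE(review): getUserByAccessCode may return null for an unknown code;
                    // what UserPrincipalToken/login do with that is not visible here — confirm.
                    SecurityUtils.getSubject().login(new UserPrincipalToken(tokenStore.getUserByAccessCode(accessCode)));
                } catch (UnauthenticatedException e) {
                    throw new AtbashUnexpectedException(e);
                }
            }
            return true;
        } catch (ParseException | java.text.ParseException e) {
            // Raw request parameter is logged for diagnostics; it is attacker-controlled input.
            logger.warn("SSOLogoutFilter: Parsing of the id_token_hint failed {}", servletRequest.getParameter("id_token_hint"));
            return false;
        }
    }

    /**
     * Verifies the {@code id_token_hint}: known client, valid HMAC signature under that client's
     * secret, non-empty subject, and an {@code exp} claim still in the future.
     *
     * <p>A missing {@code clientId} header parameter, a missing client secret, a missing
     * {@code sub} or {@code exp} claim all cause rejection rather than a NullPointerException.
     *
     * @param signedJWT the hint, or {@code null} when the request carried none
     * @return {@code true} only when every check passes
     */
    private boolean validate(SignedJWT signedJWT) {
        if (signedJWT == null) {
            logger.warn("SSOLogoutFilter: no query parameters found");
            return false;
        }
        try {
            Object clientIdParam = signedJWT.getHeader().getCustomParam("clientId");
            if (clientIdParam == null) {
                logger.warn("SSOLogoutFilter: id_token_hint has no clientId header parameter");
                return false;
            }
            String clientId = clientIdParam.toString();

            ClientInfo clientInfo = clientInfoRetriever.retrieveInfo(clientId);
            if (clientInfo == null) {
                logger.warn("SSOLogoutFilter: unknown clientId : {}", clientId);
                return false;
            }
            String clientSecret = clientInfo.getClientSecret();
            if (clientSecret == null || clientSecret.isEmpty()) {
                logger.warn("SSOLogoutFilter: no client secret configured for clientId : {}", clientId);
                return false;
            }

            // The secret is stored Base64-encoded; MACVerifier only accepts HS* algorithms, so an
            // 'alg=none' or asymmetric token fails verification here.
            if (!signedJWT.verify(new MACVerifier(new Base64(clientSecret).decode()))) {
                logger.warn("SSOLogoutFilter: JWT Signing verification failed : {}", signedJWT.serialize());
                return false;
            }

            String subject = signedJWT.getJWTClaimsSet().getSubject();
            if (subject == null || subject.isEmpty()) {
                logger.warn("SSOLogoutFilter: JWT has no subject claim : {}", signedJWT.serialize());
                return false;
            }

            // A token without an expiration is treated as invalid rather than as never expiring.
            Date expirationTime = signedJWT.getJWTClaimsSet().getExpirationTime();
            if (expirationTime == null) {
                logger.warn("SSOLogoutFilter: JWT has no expiration time : {}", signedJWT.serialize());
                return false;
            }
            if (expirationTime.before(new Date())) {
                logger.warn("SSOLogoutFilter: JWT expired : {}", signedJWT.serialize());
                return false;
            }
            return true;
        } catch (JOSEException | java.text.ParseException e) {
            // Malformed claims or an unusable key (e.g. secret too short for HMAC) -> reject.
            logger.warn("SSOLogoutFilter: id_token_hint could not be verified", e);
            return false;
        }
    }

    /**
     * Sends a 401 (Unauthorized) when {@link #isAccessAllowed} returned {@code false}.
     *
     * @return always {@code false}, stopping the filter chain
     * @throws IOException if writing the error response fails
     */
    @Override
    protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse servletResponse) throws IOException {
        WebUtils.toHttp(servletResponse).sendError(401);
        return false;
    }
}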
