package com.vaadin.sso.starter;

import java.io.IOException;
import java.util.Objects;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.core.log.LogMessage;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.JwtValidationException;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:BOOT-INF/lib/sso-kit-starter-1.0.new-auto-configuration-SNAPSHOT.jar:com/vaadin/sso/starter/BackChannelLogoutFilter.class */
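/**
 * Servlet filter that handles OpenID Connect Back-Channel Logout requests.
 *
 * <p>A request matching the configured route (by default
 * {@code POST /logout/back-channel/{registrationId}}) must carry a {@code logout_token}
 * parameter. The token is decoded with a decoder created for the addressed client
 * registration, checked by {@link OidcLogoutTokenValidator}, and every session the
 * {@link SessionRegistry} holds for a matching {@link OidcUser} is marked as expired.
 *
 * <p>The filter performs no other caller authentication: the decoded and validated logout
 * token is the only thing that authorises the session expiry. Every rejection is answered
 * with {@code 400} and the request is never passed further down the filter chain.
 */
public class BackChannelLogoutFilter extends GenericFilterBean {
    static final String TOKEN_PARAM_NAME = "logout_token";
    static final String REGISTRATION_ID_URI_VARIABLE_NAME = "registrationId";
    private static final String LOG_MESSAGE = "Did not match request to %s";
    private static final String DEFAULT_ROUTE = "/logout/back-channel/{" + REGISTRATION_ID_URI_VARIABLE_NAME + "}";
    private static final String SESSION_ID_CLAIM = "sid";
    private final SessionRegistry sessionRegistry;
    private final ClientRegistrationRepository clientRegistrationRepository;
    private final JwtDecoderFactory<ClientRegistration> decoderFactory;
    private RequestMatcher requestMatcher;

    /**
     * Creates a filter whose token decoders are derived from each registration's issuer URI.
     *
     * <p>NOTE(review): {@code createDecoder} is invoked once per logout request, and
     * {@code JwtDecoders.fromOidcIssuerLocation} resolves the provider configuration from the
     * issuer. If that is a remote lookup on every call, any caller able to reach the route can
     * trigger it; consider a caching decoder factory. Confirm against the deployed setup.
     *
     * @param sessionRegistry registry holding the sessions to expire; must not be null
     * @param clientRegistrationRepository source of the client registrations; must not be null
     */
    public BackChannelLogoutFilter(SessionRegistry sessionRegistry, ClientRegistrationRepository clientRegistrationRepository) {
        this(sessionRegistry, clientRegistrationRepository,
                registration -> JwtDecoders.fromOidcIssuerLocation(registration.getProviderDetails().getIssuerUri()));
    }

    /**
     * Creates a filter with an explicit decoder factory.
     *
     * @param sessionRegistry registry holding the sessions to expire; must not be null
     * @param clientRegistrationRepository source of the client registrations; must not be null
     * @param jwtDecoderFactory creates the logout-token decoder for a registration; must not be null
     */
    BackChannelLogoutFilter(SessionRegistry sessionRegistry, ClientRegistrationRepository clientRegistrationRepository, JwtDecoderFactory<ClientRegistration> jwtDecoderFactory) {
        // Restrict the default route to POST, matching setBackChannelLogoutRoute: a token sent
        // as a GET query parameter would end up in access logs and intermediaries.
        this.requestMatcher = new AntPathRequestMatcher(DEFAULT_ROUTE, "POST");
        this.sessionRegistry = Objects.requireNonNull(sessionRegistry);
        this.clientRegistrationRepository = Objects.requireNonNull(clientRegistrationRepository);
        this.decoderFactory = Objects.requireNonNull(jwtDecoderFactory);
    }

    /**
     * Handles the request itself when it matches the back-channel logout route, otherwise
     * delegates to the rest of the chain.
     */
    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        if (requiresLogout(httpServletRequest)) {
            this.logger.debug("Matching Back-Channel logout request");
            performLogout(httpServletRequest, httpServletResponse);
            // The request is fully answered here. Continuing down the chain would let later
            // filters or handlers process it again and overwrite the status set above.
            return;
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Validates the logout token of a matched request and expires the sessions it refers to.
     *
     * <p>Sets status {@code 200} when the token was accepted and {@code 400} for a missing
     * registration id, unknown registration, missing token, undecodable token or a token the
     * validator rejects.
     */
    private void performLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        // The OIDC Back-Channel Logout specification recommends no-store on the RP's response.
        httpServletResponse.setHeader("Cache-Control", "no-store");

        String registrationId = this.requestMatcher.matcher(httpServletRequest).getVariables()
                .get(REGISTRATION_ID_URI_VARIABLE_NAME);
        if (registrationId == null) {
            this.logger.warn("Back-Channel logout request matcher missing required registrationId URI variable:"
                    + REGISTRATION_ID_URI_VARIABLE_NAME);
            httpServletResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(registrationId);
        if (clientRegistration == null) {
            // registrationId is taken from the request path, i.e. it is caller-controlled.
            this.logger.warn("Client registration not found: " + registrationId);
            httpServletResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        String logoutToken = httpServletRequest.getParameter(TOKEN_PARAM_NAME);
        if (logoutToken == null) {
            this.logger.warn("Back-Channel logout request missing parameter: " + TOKEN_PARAM_NAME);
            httpServletResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        Jwt jwt;
        try {
            jwt = this.decoderFactory.createDecoder(clientRegistration).decode(logoutToken);
        } catch (JwtException ex) {
            // A malformed, unverifiable or otherwise rejected token is a client error, not a
            // server fault. The token itself is deliberately kept out of the log.
            this.logger.warn("Invalid logout token");
            this.logger.debug("Logout token could not be decoded", ex);
            httpServletResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        if (new OidcLogoutTokenValidator(clientRegistration).validate(jwt).hasErrors()) {
            this.logger.warn("Invalid logout token");
            httpServletResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        String subject = jwt.getSubject();
        String sessionId = jwt.getClaimAsString(SESSION_ID_CLAIM);
        // expireNow() flags the registry entries. NOTE(review): the sessions are presumably
        // only cut off if something in the chain consults the registry (for example Spring
        // Security's ConcurrentSessionFilter) - confirm in the security configuration.
        this.sessionRegistry.getAllPrincipals().stream()
                .filter(principal -> matchesLogoutToken(principal, sessionId, subject))
                .flatMap(principal -> this.sessionRegistry.getAllSessions(principal, false).stream())
                .forEach(session -> session.expireNow());
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
    }

    /**
     * Tells whether a registered principal is the one a logout token refers to: by {@code sid}
     * claim when the token carries one, otherwise by subject.
     *
     * <p>NOTE(review): with neither {@code sid} nor subject in the token, a principal without
     * a subject would match; this assumes the validator rejects such tokens - confirm.
     */
    private static boolean matchesLogoutToken(Object principal, String sessionId, String subject) {
        if (!(principal instanceof OidcUser)) {
            return false;
        }
        OidcUser oidcUser = (OidcUser) principal;
        if (sessionId != null) {
            return Objects.equals(sessionId, oidcUser.getClaimAsString(SESSION_ID_CLAIM));
        }
        return Objects.equals(subject, oidcUser.getSubject());
    }

    /** Returns whether the request matches the back-channel logout route; traces a miss. */
    private boolean requiresLogout(HttpServletRequest httpServletRequest) {
        if (this.requestMatcher.matches(httpServletRequest)) {
            return true;
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace(LogMessage.format(LOG_MESSAGE, this.requestMatcher));
        }
        return false;
    }

    /** Returns the matcher that selects back-channel logout requests. */
    public RequestMatcher getRequestMatcher() {
        return this.requestMatcher;
    }

    /**
     * Replaces the matcher that selects back-channel logout requests.
     *
     * <p>The matcher is expected to expose the {@code registrationId} URI variable; requests
     * matched without it are answered with {@code 400}. A matcher set here is used as given,
     * so any restriction to POST is the caller's responsibility.
     *
     * @param requestMatcher the new matcher; must not be null
     */
    public void setRequestMatcher(RequestMatcher requestMatcher) {
        this.requestMatcher = Objects.requireNonNull(requestMatcher);
    }

    /**
     * Sets the back-channel logout route as an Ant path pattern, restricted to POST.
     *
     * @param str the route pattern; must not be null
     */
    public void setBackChannelLogoutRoute(String str) {
        Objects.requireNonNull(str);
        setRequestMatcher(new AntPathRequestMatcher(str, "POST"));
    }
}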
