package org.cloudfoundry.identity.uaa.oauth;

import java.util.Iterator;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.audit.event.SystemDeletable;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants;
import org.cloudfoundry.identity.uaa.oauth.event.TokenRevocationEvent;
import org.cloudfoundry.identity.uaa.oauth.token.RevocableToken;
import org.cloudfoundry.identity.uaa.oauth.token.RevocableTokenProvisioning;
import org.cloudfoundry.identity.uaa.scim.ScimUser;
import org.cloudfoundry.identity.uaa.scim.ScimUserProvisioning;
import org.cloudfoundry.identity.uaa.scim.exception.ScimResourceNotFoundException;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.cloudfoundry.identity.uaa.zone.MultitenantJdbcClientDetailsService;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
import org.springframework.security.oauth2.provider.NoSuchClientException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator;
import org.springframework.security.oauth2.provider.error.WebResponseExceptionTranslator;
import org.springframework.security.oauth2.provider.expression.OAuth2ExpressionUtils;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.19.2.jar:org/cloudfoundry/identity/uaa/oauth/TokenRevocationEndpoint.class */
public class TokenRevocationEndpoint implements ApplicationEventPublisherAware {
    private final ScimUserProvisioning userProvisioning;
    private final MultitenantJdbcClientDetailsService clientDetailsService;
    private final RevocableTokenProvisioning tokenProvisioning;
    private ApplicationEventPublisher eventPublisher;
    protected final Log logger = LogFactory.getLog(getClass());
    private WebResponseExceptionTranslator exceptionTranslator = new DefaultWebResponseExceptionTranslator();
    private final RandomValueStringGenerator generator = new RandomValueStringGenerator(8);

    public TokenRevocationEndpoint(MultitenantJdbcClientDetailsService multitenantJdbcClientDetailsService, ScimUserProvisioning scimUserProvisioning, RevocableTokenProvisioning revocableTokenProvisioning) {
        this.clientDetailsService = multitenantJdbcClientDetailsService;
        this.userProvisioning = scimUserProvisioning;
        this.tokenProvisioning = revocableTokenProvisioning;
    }

    @RequestMapping({"/oauth/token/revoke/user/{userId}"})
    public ResponseEntity<Void> revokeTokensForUser(@PathVariable String str) {
        this.logger.debug("Revoking tokens for user: " + str);
        String id = IdentityZoneHolder.get().getId();
        ScimUser retrieve = this.userProvisioning.retrieve(str, id);
        retrieve.setSalt(this.generator.generate());
        this.userProvisioning.update(str, retrieve, id);
        this.eventPublisher.publishEvent((ApplicationEvent) new TokenRevocationEvent(str, null, id, SecurityContextHolder.getContext().getAuthentication()));
        this.logger.debug("Tokens revoked for user: " + str);
        return new ResponseEntity<>(HttpStatus.OK);
    }

    @RequestMapping({"/oauth/token/revoke/user/{userId}/client/{clientId}"})
    public ResponseEntity<Void> revokeTokensForUserAndClient(@PathVariable String str, @PathVariable String str2) {
        String id = IdentityZoneHolder.get().getId();
        this.logger.debug("Revoking tokens for user " + str + " and client " + str2);
        Iterator<RevocableToken> it = this.tokenProvisioning.getUserTokens(str, str2, id).iterator();
        while (it.hasNext()) {
            this.tokenProvisioning.delete(it.next().getTokenId(), -1, id);
        }
        this.eventPublisher.publishEvent((ApplicationEvent) new TokenRevocationEvent(str, str2, id, SecurityContextHolder.getContext().getAuthentication()));
        this.logger.debug("Tokens revoked for user " + str + " and client " + str2);
        return new ResponseEntity<>(HttpStatus.OK);
    }

    @RequestMapping({"/oauth/token/revoke/client/{clientId}"})
    public ResponseEntity<Void> revokeTokensForClient(@PathVariable String str) {
        this.logger.debug("Revoking tokens for client: " + str);
        String id = IdentityZoneHolder.get().getId();
        BaseClientDetails baseClientDetails = (BaseClientDetails) this.clientDetailsService.loadClientByClientId(str, id);
        baseClientDetails.addAdditionalInformation(ClientConstants.TOKEN_SALT, this.generator.generate());
        this.clientDetailsService.updateClientDetails(baseClientDetails, id);
        this.eventPublisher.publishEvent((ApplicationEvent) new TokenRevocationEvent(null, str, id, SecurityContextHolder.getContext().getAuthentication()));
        this.logger.debug("Tokens revoked for client: " + str);
        ((SystemDeletable) this.tokenProvisioning).deleteByClient(str, id);
        return new ResponseEntity<>(HttpStatus.OK);
    }

    @RequestMapping(value = {"/oauth/token/revoke/{tokenId}"}, method = {RequestMethod.DELETE})
    public ResponseEntity<Void> revokeTokenById(@PathVariable String str) {
        this.logger.debug("Revoking token with ID:" + str);
        String id = IdentityZoneHolder.get().getId();
        RevocableToken delete = this.tokenProvisioning.delete(str, -1, id);
        this.eventPublisher.publishEvent((ApplicationEvent) new TokenRevocationEvent(delete.getUserId(), delete.getClientId(), id, SecurityContextHolder.getContext().getAuthentication()));
        this.logger.debug("Revoked token with ID: " + str);
        return new ResponseEntity<>(HttpStatus.OK);
    }

    @RequestMapping(value = {"/oauth/token/list"}, method = {RequestMethod.GET})
    public ResponseEntity<List<RevocableToken>> listUserTokens(OAuth2Authentication oAuth2Authentication) {
        String id = ((UaaPrincipal) oAuth2Authentication.getUserAuthentication().getPrincipal()).getId();
        String clientId = oAuth2Authentication.getOAuth2Request().getClientId();
        this.logger.debug("Listing revocable tokens access token userId:" + id + " clientId:" + clientId);
        List<RevocableToken> userTokens = this.tokenProvisioning.getUserTokens(id, clientId, IdentityZoneHolder.get().getId());
        removeTokenValues(userTokens);
        return new ResponseEntity<>(userTokens, HttpStatus.OK);
    }

    protected void removeTokenValues(List<RevocableToken> list) {
        list.stream().forEach(revocableToken -> {
            revocableToken.setValue(null);
        });
    }

    @RequestMapping(value = {"/oauth/token/list/user/{userId}"}, method = {RequestMethod.GET})
    public ResponseEntity<List<RevocableToken>> listUserTokens(@PathVariable String str, OAuth2Authentication oAuth2Authentication) {
        if (!OAuth2ExpressionUtils.hasAnyScope(oAuth2Authentication, new String[]{"tokens.list", "uaa.admin"})) {
            return listUserTokens(oAuth2Authentication);
        }
        this.logger.debug("Listing revocable tokens for user:" + str);
        List<RevocableToken> userTokens = this.tokenProvisioning.getUserTokens(str, IdentityZoneHolder.get().getId());
        removeTokenValues(userTokens);
        return new ResponseEntity<>(userTokens, HttpStatus.OK);
    }

    @RequestMapping(value = {"/oauth/token/list/client/{clientId}"}, method = {RequestMethod.GET})
    public ResponseEntity<List<RevocableToken>> listClientTokens(@PathVariable String str, OAuth2Authentication oAuth2Authentication) {
        if (!OAuth2ExpressionUtils.hasAnyScope(oAuth2Authentication, new String[]{"tokens.list", "uaa.admin"})) {
            return listUserTokens(oAuth2Authentication);
        }
        this.logger.debug("Listing revocable tokens for client:" + str);
        List<RevocableToken> clientTokens = this.tokenProvisioning.getClientTokens(str, IdentityZoneHolder.get().getId());
        removeTokenValues(clientTokens);
        return new ResponseEntity<>(clientTokens, HttpStatus.OK);
    }

    @ExceptionHandler({ScimResourceNotFoundException.class, NoSuchClientException.class, EmptyResultDataAccessException.class})
    public ResponseEntity<OAuth2Exception> handleException(Exception exc) throws Exception {
        this.logger.info("Handling error: " + exc.getClass().getSimpleName() + ", " + exc.getMessage());
        return this.exceptionTranslator.translate(new InvalidTokenException("Resource not found") { // from class: org.cloudfoundry.identity.uaa.oauth.TokenRevocationEndpoint.1
            @Override // org.springframework.security.oauth2.common.exceptions.InvalidTokenException, org.springframework.security.oauth2.common.exceptions.ClientAuthenticationException, org.springframework.security.oauth2.common.exceptions.OAuth2Exception
            public int getHttpErrorCode() {
                return 404;
            }
        });
    }

    @Override // org.springframework.context.ApplicationEventPublisherAware
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.eventPublisher = applicationEventPublisher;
    }
}
