package io.quarkus.oidc.runtime;

import io.quarkus.arc.Arc;
import io.quarkus.oidc.OIDCException;
import io.quarkus.oidc.SecurityEvent;
import io.quarkus.runtime.ShutdownEvent;
import io.quarkus.security.spi.runtime.SecurityEventHelper;
import io.quarkus.vertx.http.runtime.security.ImmutablePathMatcher;
import io.vertx.core.Handler;
import io.vertx.core.MultiMap;
import io.vertx.core.Vertx;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.event.Observes;
import jakarta.inject.Singleton;
import java.lang.annotation.Annotation;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
import org.eclipse.microprofile.jwt.Claims;
import org.jboss.logging.Logger;
import org.jose4j.jwt.consumer.InvalidJwtException;

@Singleton
/* loaded from: input_file:io/quarkus/oidc/runtime/BackChannelLogoutHandler.class */
public final class BackChannelLogoutHandler implements Handler<RoutingContext> {
    private static final Logger LOG = Logger.getLogger(BackChannelLogoutHandler.class);
    private final DefaultTenantConfigResolver resolver;
    private volatile ImmutablePathMatcher<Handler<RoutingContext>> pathMatcher = null;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/quarkus/oidc/runtime/BackChannelLogoutHandler$NewBackChannelLogoutPath.class */
    public static final class NewBackChannelLogoutPath extends Record {
        NewBackChannelLogoutPath() {
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, NewBackChannelLogoutPath.class), NewBackChannelLogoutPath.class, "").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, NewBackChannelLogoutPath.class), NewBackChannelLogoutPath.class, "").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, NewBackChannelLogoutPath.class, Object.class), NewBackChannelLogoutPath.class, "").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/quarkus/oidc/runtime/BackChannelLogoutHandler$RouteHandler.class */
    public static final class RouteHandler implements Handler<RoutingContext> {
        private final TenantConfigContext tenantContext;
        private final DefaultTenantConfigResolver resolver;
        private final String tenantId;

        private RouteHandler(TenantConfigContext tenantConfigContext, DefaultTenantConfigResolver defaultTenantConfigResolver) {
            this.tenantContext = tenantConfigContext;
            this.resolver = defaultTenantConfigResolver;
            this.tenantId = tenantConfigContext.oidcConfig().tenantId().get();
        }

        public void handle(final RoutingContext routingContext) {
            BackChannelLogoutHandler.LOG.debugf("Back channel logout request for the tenant %s received", this.tenantId);
            if (OidcUtils.isFormUrlEncodedRequest(routingContext)) {
                OidcUtils.getFormUrlEncodedData(routingContext).subscribe().with(new Consumer<MultiMap>() { // from class: io.quarkus.oidc.runtime.BackChannelLogoutHandler.RouteHandler.1
                    @Override // java.util.function.Consumer
                    public void accept(MultiMap multiMap) {
                        String str = multiMap.get("logout_token");
                        if (str == null) {
                            BackChannelLogoutHandler.LOG.debug("Back channel logout token is missing");
                            routingContext.response().setStatusCode(400);
                        } else {
                            try {
                                TokenVerificationResult verifyLogoutJwtToken = RouteHandler.this.tenantContext.provider().verifyLogoutJwtToken(str);
                                if (RouteHandler.this.verifyLogoutTokenClaims(verifyLogoutJwtToken)) {
                                    String string = verifyLogoutJwtToken.localVerificationResult.getString(RouteHandler.this.tenantContext.oidcConfig().logout().backchannel().logoutTokenKey());
                                    BackChannelLogoutTokenCache backChannelLogoutTokenCache = RouteHandler.this.resolver.getBackChannelLogoutTokens().get(RouteHandler.this.tenantId);
                                    if (backChannelLogoutTokenCache == null) {
                                        backChannelLogoutTokenCache = new BackChannelLogoutTokenCache(RouteHandler.this.tenantContext.oidcConfig(), routingContext.vertx());
                                        RouteHandler.this.resolver.getBackChannelLogoutTokens().put(RouteHandler.this.tenantId, backChannelLogoutTokenCache);
                                    }
                                    backChannelLogoutTokenCache.addTokenVerification(string, verifyLogoutJwtToken);
                                    if (RouteHandler.this.resolver.isSecurityEventObserved()) {
                                        SecurityEventHelper.fire(RouteHandler.this.resolver.getSecurityEvent(), new SecurityEvent(SecurityEvent.Type.OIDC_BACKCHANNEL_LOGOUT_INITIATED, (Map<String, Object>) Map.of("logout_token", verifyLogoutJwtToken)));
                                    }
                                    routingContext.response().setStatusCode(200);
                                } else {
                                    routingContext.response().setStatusCode(400);
                                }
                            } catch (InvalidJwtException e) {
                                BackChannelLogoutHandler.LOG.debug("Back channel logout token is invalid");
                                routingContext.response().setStatusCode(400);
                            }
                        }
                        routingContext.response().end();
                    }
                });
                return;
            }
            BackChannelLogoutHandler.LOG.debug("HTTP POST and " + HttpHeaders.APPLICATION_X_WWW_FORM_URLENCODED.toString() + " content type must be used with the Back channel logout request");
            routingContext.response().setStatusCode(400);
            routingContext.response().end();
        }

        private boolean verifyLogoutTokenClaims(TokenVerificationResult tokenVerificationResult) {
            JsonObject jsonObject = tokenVerificationResult.localVerificationResult.getJsonObject("events");
            if (jsonObject == null || jsonObject.getJsonObject("http://schemas.openid.net/event/backchannel-logout") == null) {
                BackChannelLogoutHandler.LOG.debug("Back channel logout token does not have a valid 'events' claim");
                return false;
            }
            if (!tokenVerificationResult.localVerificationResult.containsKey(this.tenantContext.oidcConfig().logout().backchannel().logoutTokenKey())) {
                BackChannelLogoutHandler.LOG.debugf("Back channel logout token does not have %s", this.tenantContext.oidcConfig().logout().backchannel().logoutTokenKey());
                return false;
            }
            if (!tokenVerificationResult.localVerificationResult.containsKey(Claims.nonce.name())) {
                return true;
            }
            BackChannelLogoutHandler.LOG.debug("Back channel logout token must not contain 'nonce' claim");
            return false;
        }
    }

    BackChannelLogoutHandler(DefaultTenantConfigResolver defaultTenantConfigResolver) {
        this.resolver = defaultTenantConfigResolver;
    }

    public void handle(RoutingContext routingContext) {
        Handler handler;
        ImmutablePathMatcher<Handler<RoutingContext>> immutablePathMatcher = this.pathMatcher;
        if (immutablePathMatcher == null || (handler = (Handler) immutablePathMatcher.match(routingContext.normalizedPath()).getValue()) == null) {
            routingContext.next();
        } else {
            handler.handle(routingContext);
        }
    }

    void createPathMatcher(@Observes Router router) {
        createOrUpdatePathMatcher();
    }

    synchronized void updatePathMatcher(@Observes NewBackChannelLogoutPath newBackChannelLogoutPath, Vertx vertx) {
        clearCache(vertx, createOrUpdatePathMatcher());
    }

    void clearCacheOnShutdown(@Observes ShutdownEvent shutdownEvent, Vertx vertx) {
        clearCache(vertx, null);
    }

    private void clearCache(Vertx vertx, Set<String> set) {
        BackChannelLogoutTokenCache remove;
        if (set == null) {
            Iterator<BackChannelLogoutTokenCache> it = this.resolver.getBackChannelLogoutTokens().values().iterator();
            while (it.hasNext()) {
                it.next().shutdown(vertx);
            }
            this.resolver.getBackChannelLogoutTokens().clear();
            return;
        }
        for (String str : new HashSet(this.resolver.getBackChannelLogoutTokens().keySet())) {
            if (!set.contains(str) && (remove = this.resolver.getBackChannelLogoutTokens().remove(str)) != null) {
                remove.shutdown(vertx);
            }
        }
    }

    private Set<String> createOrUpdatePathMatcher() {
        ImmutablePathMatcher.ImmutablePathMatcherBuilder immutablePathMatcherBuilder = null;
        HashMap hashMap = null;
        HashSet hashSet = null;
        for (TenantConfigContext tenantConfigContext : this.resolver.getTenantConfigBean().getAllTenantConfigs()) {
            if (tenantConfigContext.ready() && tenantConfigContext.oidcConfig().tenantEnabled() && tenantConfigContext.oidcConfig().logout().backchannel().path().isPresent()) {
                if (immutablePathMatcherBuilder == null) {
                    immutablePathMatcherBuilder = ImmutablePathMatcher.builder();
                    hashMap = new HashMap();
                    hashSet = new HashSet();
                }
                String tenantLogoutPath = getTenantLogoutPath(tenantConfigContext);
                if (tenantLogoutPath.contains("*")) {
                    throw new IllegalStateException("Back-channel logout path cannot contain a wildcard '*' character");
                }
                io.quarkus.oidc.OidcTenantConfig oidcTenantConfig = (io.quarkus.oidc.OidcTenantConfig) hashMap.put(tenantLogoutPath, tenantConfigContext.oidcConfig());
                hashSet.add(tenantConfigContext.oidcConfig().tenantId().get());
                if (oidcTenantConfig == null) {
                    immutablePathMatcherBuilder.addPath(tenantLogoutPath, new RouteHandler(tenantConfigContext, this.resolver));
                } else {
                    String str = oidcTenantConfig.tenantId().get();
                    String str2 = tenantConfigContext.oidcConfig().tenantId().get();
                    if (!str.equals(str2)) {
                        String formatted = "OIDC tenants '%s' and '%s' share the same back-channel logout path '%s', which is not supported".formatted(str, str2, tenantLogoutPath);
                        LOG.error(formatted);
                        throw new OIDCException(formatted);
                    }
                }
            }
        }
        if (immutablePathMatcherBuilder != null) {
            this.pathMatcher = immutablePathMatcherBuilder.build();
        } else {
            this.pathMatcher = null;
        }
        return hashSet;
    }

    private String getTenantLogoutPath(TenantConfigContext tenantConfigContext) {
        return OidcUtils.getRootPath(this.resolver.getRootPath()) + tenantConfigContext.oidcConfig().logout().backchannel().path().orElse(null);
    }

    public static void fireBackChannelLogoutChangedEvent(io.quarkus.oidc.OidcTenantConfig oidcTenantConfig, TenantConfigContext tenantConfigContext) {
        if (oidcTenantConfig.logout().backchannel().path().isPresent()) {
            if (tenantConfigContext.oidcConfig() == null || !oidcTenantConfig.logout().backchannel().path().get().equals(tenantConfigContext.oidcConfig().logout().backchannel().path().orElse(null))) {
                fireBackChannelLogoutEvent();
            }
        }
    }

    public static void fireBackChannelLogoutReadyEvent(io.quarkus.oidc.OidcTenantConfig oidcTenantConfig) {
        if (oidcTenantConfig.logout().backchannel().path().isPresent()) {
            fireBackChannelLogoutEvent();
        }
    }

    private static void fireBackChannelLogoutEvent() {
        Arc.container().beanManager().getEvent().select(NewBackChannelLogoutPath.class, new Annotation[0]).fire(new NewBackChannelLogoutPath());
    }
}
