package net.shibboleth.idp.plugin.oidc.op.oauth2.profile.impl;

import com.nimbusds.jwt.JWTClaimsSet;
import java.time.Duration;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.plugin.oidc.op.oauth2.messaging.context.OAuth2TokenMgmtResponseContext;
import net.shibboleth.idp.plugin.oidc.op.profile.logic.DefaultChainRevocationLifetimeLookupStrategy;
import net.shibboleth.idp.plugin.oidc.op.profile.logic.DefaultRootTokenIdentifierLookupStrategy;
import net.shibboleth.idp.plugin.oidc.op.profile.logic.DefaultTokenRevocationLifetimeLookupStrategy;
import net.shibboleth.idp.plugin.oidc.op.storage.RevocationCacheContexts;
import net.shibboleth.idp.profile.AbstractProfileAction;
import net.shibboleth.oidc.profile.config.navigate.RevocationMethodLookupFunction;
import net.shibboleth.oidc.profile.oauth2.config.OAuth2TokenRevocationConfiguration;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.storage.RevocationCache;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/oauth2/profile/impl/RevokeToken.class */
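/**
 * Profile action that records a revocation for the token validated earlier in the flow.
 *
 * <p>The token's claims are taken from the {@link OAuth2TokenMgmtResponseContext} on the outbound message
 * context. Depending on the configured {@link OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod}
 * either the single token (keyed by its JWT ID) or the whole token chain (keyed by the root token identifier,
 * falling back to the JWT ID) is written to the {@link RevocationCache}.</p>
 *
 * <p>Events signalled: {@code InvalidProfileConfiguration} when no revocation method or a missing/zero
 * lifetime is resolved; {@code RevocationFailed} when the cache write fails or the method is unrecognized.
 * If no validated token is present the action does nothing and signals no event.</p>
 */
public class RevokeToken extends AbstractProfileAction {

    /** Event signalled when the revocation method or lifetime cannot be determined from configuration. */
    @Nonnull private static final String EVENT_INVALID_PROFILE_CONFIG = "InvalidProfileConfiguration";

    /** Event signalled when the revocation cache refuses the write or the method is unrecognized. */
    @Nonnull private static final String EVENT_REVOCATION_FAILED = "RevocationFailed";

    /** Class logger. */
    @Nonnull private final Logger log = LoggerFactory.getLogger(RevokeToken.class);

    /** Cache that records revocations; mandatory, verified in {@link #doInitialize()}. */
    @NonnullAfterInit private RevocationCache revocationCache;

    /** Strategy resolving which revocation method (single token or chain) applies to the request. */
    @Nonnull private Function<ProfileRequestContext, OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod>
            revocationMethodLookupStrategy = new RevocationMethodLookupFunction();

    /** Strategy resolving how long a chain revocation record is retained. */
    @Nonnull private Function<ProfileRequestContext, Duration> chainRevocationLifetimeLookupStrategy =
            new DefaultChainRevocationLifetimeLookupStrategy();

    /** Strategy resolving how long a single-token revocation record is retained, from the token's claims. */
    @Nonnull private Function<JWTClaimsSet, Duration> tokenRevocationLifetimeLookupStrategy =
            new DefaultTokenRevocationLifetimeLookupStrategy();

    /** Strategy resolving the identifier of the root token of a chain from the token's claims. */
    @Nonnull private Function<JWTClaimsSet, String> rootTokenIdentifierLookupStrategy =
            new DefaultRootTokenIdentifierLookupStrategy();

    /** Revocation method resolved in {@link #doPreExecute(ProfileRequestContext)}. */
    @Nullable private OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod revocationMethod;

    /** Retention period for the revocation record, resolved in {@link #doPreExecute(ProfileRequestContext)}. */
    @Nullable private Duration revocationLifetime;

    /** Claims of the token being revoked, resolved in {@link #doPreExecute(ProfileRequestContext)}. */
    @Nullable private JWTClaimsSet claimsSet;

    /**
     * Sets the cache that revocations are recorded in.
     *
     * <p>Must be called before the component is initialized; afterwards the component is unmodifiable.</p>
     *
     * @param revocationCache the cache to use, never null
     */
    public void setRevocationCache(@Nonnull final RevocationCache revocationCache) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.revocationCache = Constraint.isNotNull(revocationCache, "RevocationCache cannot be null");
    }

    /**
     * Sets the strategy used to resolve the revocation method for a request.
     *
     * <p>Must be called before the component is initialized; afterwards the component is unmodifiable.</p>
     *
     * @param function the lookup strategy, never null
     */
    public void setRevocationMethodLookupStrategy(@Nonnull final Function<ProfileRequestContext,
            OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        revocationMethodLookupStrategy = Constraint.isNotNull(function, "Lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to resolve the retention period of a chain revocation record.
     *
     * <p>Must be called before the component is initialized; afterwards the component is unmodifiable.</p>
     *
     * @param function the lookup strategy, never null (a null value is rejected)
     */
    public void setChainRevocationLifetimeLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, Duration> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        chainRevocationLifetimeLookupStrategy = Constraint.isNotNull(function, "Lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to resolve the retention period of a single-token revocation record.
     *
     * <p>Must be called before the component is initialized; afterwards the component is unmodifiable.</p>
     *
     * @param function the lookup strategy, never null (a null value is rejected)
     */
    public void setTokenRevocationLifetimeLookupStrategy(@Nonnull final Function<JWTClaimsSet, Duration> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        tokenRevocationLifetimeLookupStrategy = Constraint.isNotNull(function, "Lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to resolve the root token identifier of a chain.
     *
     * <p>Must be called before the component is initialized; afterwards the component is unmodifiable.</p>
     *
     * @param function the lookup strategy, never null (a null value is rejected)
     */
    public void setRootTokenIdentifierLookupStrategy(@Nonnull final Function<JWTClaimsSet, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        rootTokenIdentifierLookupStrategy = Constraint.isNotNull(function, "Lookup strategy cannot be null");
    }

    /**
     * {@inheritDoc}
     *
     * @throws ComponentInitializationException if no revocation cache has been set
     */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (revocationCache == null) {
            throw new ComponentInitializationException("RevocationCache cannot be null");
        }
    }

    /**
     * Resolves the revocation method, the validated token's claims and the revocation lifetime.
     *
     * @param profileRequestContext current profile request context
     * @return true only if all three inputs are available and the lifetime is non-zero
     */
    @Override
    protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }

        revocationMethod = revocationMethodLookupStrategy.apply(profileRequestContext);
        if (revocationMethod == null) {
            log.error("{} Unable to obtain revocation method to use", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_PROFILE_CONFIG);
            return false;
        }

        final OAuth2TokenMgmtResponseContext responseContext =
                profileRequestContext.getOutboundMessageContext().getSubcontext(OAuth2TokenMgmtResponseContext.class);
        if (responseContext == null || responseContext.getTokenClaimsSet() == null) {
            // No event is signalled here: an unvalidated token simply leaves nothing to revoke.
            log.debug("{} No token validated for revocation, assumed to be invalid", getLogPrefix());
            return false;
        }
        claimsSet = responseContext.getTokenClaimsSet();

        // Resolve into the field from a helper so an unrecognized method never leaves a stale value behind.
        revocationLifetime = resolveRevocationLifetime(profileRequestContext);
        if (revocationLifetime == null || Duration.ZERO.equals(revocationLifetime)) {
            // A missing or zero retention period would make the revocation record expire at once, so it is
            // treated as a configuration error rather than allowed to become a silent no-op.
            log.error("{} Unable to obtain revocation lifetime to use", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_PROFILE_CONFIG);
            return false;
        }
        return true;
    }

    /**
     * Looks up the retention period matching the already resolved revocation method.
     *
     * @param profileRequestContext current profile request context
     * @return the lifetime returned by the matching strategy, or null if the method is not CHAIN or TOKEN
     */
    @Nullable
    private Duration resolveRevocationLifetime(@Nonnull final ProfileRequestContext profileRequestContext) {
        if (OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod.CHAIN.equals(revocationMethod)) {
            return chainRevocationLifetimeLookupStrategy.apply(profileRequestContext);
        } else if (OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod.TOKEN.equals(revocationMethod)) {
            return tokenRevocationLifetimeLookupStrategy.apply(claimsSet);
        }
        return null;
    }

    /**
     * Records the revocation according to the resolved method.
     *
     * @param profileRequestContext current profile request context
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        final String jwtid = claimsSet.getJWTID();
        if (jwtid == null) {
            // NOTE(review): no event is signalled on this path, so the flow continues as if the revocation
            // had succeeded even though nothing was written to the cache - confirm that this is intended.
            log.error("{} No ID found in token claims set (this should be impossible)", getLogPrefix());
            return;
        }

        if (OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod.CHAIN.equals(revocationMethod)) {
            revokeChain(profileRequestContext, jwtid);
        } else if (OAuth2TokenRevocationConfiguration.OAuth2TokenRevocationMethod.TOKEN.equals(revocationMethod)) {
            revokeSingleToken(profileRequestContext, jwtid);
        } else {
            log.error("{} Unrecognized revocation method: {}", getLogPrefix(), revocationMethod);
            ActionSupport.buildEvent(profileRequestContext, EVENT_REVOCATION_FAILED);
        }
    }

    /**
     * Revokes only the presented token, keyed by its JWT ID.
     *
     * @param profileRequestContext current profile request context
     * @param jwtid the token's JWT ID
     */
    private void revokeSingleToken(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final String jwtid) {
        if (revocationCache.revoke(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, jwtid,
                revocationLifetime)) {
            log.debug("{} Revoked the single token with ID '{}'", getLogPrefix(), jwtid);
        } else {
            log.warn("{} Failed to revoke the single token with ID '{}'", getLogPrefix(), jwtid);
            ActionSupport.buildEvent(profileRequestContext, EVENT_REVOCATION_FAILED);
        }
    }

    /**
     * Revokes the whole token chain, keyed by the root token identifier or, if none is resolved, the JWT ID.
     *
     * @param profileRequestContext current profile request context
     * @param jwtid the token's JWT ID, used as the fallback key
     */
    private void revokeChain(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final String jwtid) {
        final String rootId = rootTokenIdentifierLookupStrategy.apply(claimsSet);
        final String revocationKey;
        if (StringSupport.trimOrNull(rootId) == null) {
            log.warn("{} No root token identifier returned, using JWT id", getLogPrefix());
            revocationKey = jwtid;
        } else {
            // The untrimmed value is used as the key, matching what the lookup strategy produced.
            revocationKey = rootId;
        }

        if (revocationCache.revoke(RevocationCacheContexts.AUTHORIZATION_CODE, revocationKey, revocationLifetime)) {
            log.debug("{} Revoked all tokens based on ID '{}'", getLogPrefix(), revocationKey);
        } else {
            log.warn("{} Failed to revoke tokens based on ID '{}'", getLogPrefix(), revocationKey);
            ActionSupport.buildEvent(profileRequestContext, EVENT_REVOCATION_FAILED);
        }
    }
}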
