package io.quarkus.oidc.runtime;

import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.SecurityEvent;
import io.quarkus.security.spi.runtime.SecurityEventHelper;
import io.vertx.core.Handler;
import io.vertx.core.MultiMap;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.event.Observes;
import jakarta.inject.Inject;
import java.util.Iterator;
import java.util.Map;
import java.util.function.Consumer;
import org.eclipse.microprofile.jwt.Claims;
import org.jboss.logging.Logger;
import org.jose4j.jwt.consumer.InvalidJwtException;

/* loaded from: input_file:io/quarkus/oidc/runtime/BackChannelLogoutHandler.class */
public class BackChannelLogoutHandler {
    private static final Logger LOG = Logger.getLogger(BackChannelLogoutHandler.class);

    @Inject
    DefaultTenantConfigResolver resolver;
    private final OidcConfig oidcConfig;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/quarkus/oidc/runtime/BackChannelLogoutHandler$RouteHandler.class */
    public class RouteHandler implements Handler<RoutingContext> {
        private final OidcTenantConfig oidcTenantConfig;

        RouteHandler(OidcTenantConfig oidcTenantConfig) {
            this.oidcTenantConfig = oidcTenantConfig;
        }

        public void handle(final RoutingContext routingContext) {
            BackChannelLogoutHandler.LOG.debugf("Back channel logout request for the tenant %s received", this.oidcTenantConfig.getTenantId().get());
            final TenantConfigContext tenantConfigContext = getTenantConfigContext(routingContext);
            if (tenantConfigContext == null) {
                BackChannelLogoutHandler.LOG.errorf("Tenant configuration for the tenant %s is not available or does not match the backchannel logout path", this.oidcTenantConfig.getTenantId().get());
                routingContext.response().setStatusCode(400);
                routingContext.response().end();
            } else {
                if (OidcUtils.isFormUrlEncodedRequest(routingContext)) {
                    OidcUtils.getFormUrlEncodedData(routingContext).subscribe().with(new Consumer<MultiMap>() { // from class: io.quarkus.oidc.runtime.BackChannelLogoutHandler.RouteHandler.1
                        @Override // java.util.function.Consumer
                        public void accept(MultiMap multiMap) {
                            String str = multiMap.get("logout_token");
                            if (str == null) {
                                BackChannelLogoutHandler.LOG.debug("Back channel logout token is missing");
                                routingContext.response().setStatusCode(400);
                            } else {
                                try {
                                    TokenVerificationResult verifyLogoutJwtToken = tenantConfigContext.provider.verifyLogoutJwtToken(str);
                                    if (RouteHandler.this.verifyLogoutTokenClaims(verifyLogoutJwtToken)) {
                                        String string = verifyLogoutJwtToken.localVerificationResult.getString(RouteHandler.this.oidcTenantConfig.logout.backchannel.logoutTokenKey);
                                        BackChannelLogoutTokenCache backChannelLogoutTokenCache = BackChannelLogoutHandler.this.resolver.getBackChannelLogoutTokens().get(RouteHandler.this.oidcTenantConfig.tenantId.get());
                                        if (backChannelLogoutTokenCache == null) {
                                            backChannelLogoutTokenCache = new BackChannelLogoutTokenCache(RouteHandler.this.oidcTenantConfig, routingContext.vertx());
                                            BackChannelLogoutHandler.this.resolver.getBackChannelLogoutTokens().put(RouteHandler.this.oidcTenantConfig.tenantId.get(), backChannelLogoutTokenCache);
                                        }
                                        backChannelLogoutTokenCache.addTokenVerification(string, verifyLogoutJwtToken);
                                        if (BackChannelLogoutHandler.this.resolver.isSecurityEventObserved()) {
                                            SecurityEventHelper.fire(BackChannelLogoutHandler.this.resolver.getSecurityEvent(), new SecurityEvent(SecurityEvent.Type.OIDC_BACKCHANNEL_LOGOUT_INITIATED, (Map<String, Object>) Map.of("logout_token", verifyLogoutJwtToken)));
                                        }
                                        routingContext.response().setStatusCode(200);
                                    } else {
                                        routingContext.response().setStatusCode(400);
                                    }
                                } catch (InvalidJwtException e) {
                                    BackChannelLogoutHandler.LOG.debug("Back channel logout token is invalid");
                                    routingContext.response().setStatusCode(400);
                                }
                            }
                            routingContext.response().end();
                        }
                    });
                    return;
                }
                BackChannelLogoutHandler.LOG.debug("HTTP POST and " + HttpHeaders.APPLICATION_X_WWW_FORM_URLENCODED.toString() + " content type must be used with the Back channel logout request");
                routingContext.response().setStatusCode(400);
                routingContext.response().end();
            }
        }

        private boolean verifyLogoutTokenClaims(TokenVerificationResult tokenVerificationResult) {
            JsonObject jsonObject = tokenVerificationResult.localVerificationResult.getJsonObject("events");
            if (jsonObject == null || jsonObject.getJsonObject("http://schemas.openid.net/event/backchannel-logout") == null) {
                BackChannelLogoutHandler.LOG.debug("Back channel logout token does not have a valid 'events' claim");
                return false;
            }
            if (!tokenVerificationResult.localVerificationResult.containsKey(this.oidcTenantConfig.logout.backchannel.logoutTokenKey)) {
                BackChannelLogoutHandler.LOG.debugf("Back channel logout token does not have %s", this.oidcTenantConfig.logout.backchannel.logoutTokenKey);
                return false;
            }
            if (!tokenVerificationResult.localVerificationResult.containsKey(Claims.nonce.name())) {
                return true;
            }
            BackChannelLogoutHandler.LOG.debug("Back channel logout token must not contain 'nonce' claim");
            return false;
        }

        private TenantConfigContext getTenantConfigContext(RoutingContext routingContext) {
            String path = routingContext.request().path();
            if (isMatchingTenant(path, BackChannelLogoutHandler.this.resolver.getTenantConfigBean().getDefaultTenant())) {
                return BackChannelLogoutHandler.this.resolver.getTenantConfigBean().getDefaultTenant();
            }
            for (TenantConfigContext tenantConfigContext : BackChannelLogoutHandler.this.resolver.getTenantConfigBean().getStaticTenantsConfig().values()) {
                if (isMatchingTenant(path, tenantConfigContext)) {
                    return tenantConfigContext;
                }
            }
            return null;
        }

        private boolean isMatchingTenant(String str, TenantConfigContext tenantConfigContext) {
            return tenantConfigContext.oidcConfig.isTenantEnabled() && tenantConfigContext.oidcConfig.getTenantId().get().equals(this.oidcTenantConfig.getTenantId().get()) && str.equals(tenantConfigContext.oidcConfig.logout.backchannel.path.orElse(null));
        }
    }

    public BackChannelLogoutHandler(OidcConfig oidcConfig) {
        this.oidcConfig = oidcConfig;
    }

    public void setup(@Observes Router router) {
        addRoute(router, this.oidcConfig.defaultTenant);
        Iterator<OidcTenantConfig> it = this.oidcConfig.namedTenants.values().iterator();
        while (it.hasNext()) {
            addRoute(router, it.next());
        }
    }

    private void addRoute(Router router, OidcTenantConfig oidcTenantConfig) {
        if (oidcTenantConfig.isTenantEnabled() && oidcTenantConfig.logout.backchannel.path.isPresent()) {
            router.route(oidcTenantConfig.logout.backchannel.path.get()).handler(new RouteHandler(oidcTenantConfig));
        }
    }
}
