package org.springframework.security.oauth2.server.authorization.oidc.authentication;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.function.Consumer;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.oidc.OidcClientMetadataClaimNames;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenClaimNames;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcLogoutAuthenticationProvider.class */
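/**
 * {@link AuthenticationProvider} for OpenID Connect 1.0 RP-Initiated Logout requests.
 *
 * <p>Validation order (each failure is an {@link OAuth2AuthenticationException}):
 * <ol>
 *   <li>{@code id_token_hint} must resolve, via the {@link OAuth2AuthorizationService}, to an
 *       {@link OAuth2Authorization} holding an ID Token that is neither invalidated nor before use;</li>
 *   <li>the {@link RegisteredClient} that authorization belongs to must still exist and be named in the
 *       token's {@code aud} claim;</li>
 *   <li>a {@code client_id} supplied in the request must match that client;</li>
 *   <li>the configured {@code authenticationValidator} is invoked for the remaining parameters
 *       (presumably {@code post_logout_redirect_uri} etc. — that logic lives in the validator, not here);</li>
 *   <li>if an end-user is currently authenticated, the token's {@code sub} must belong to the same
 *       principal the authorization was granted to and, when the request carries a session id that the
 *       {@link SessionRegistry} knows, the token's {@code sid} claim must equal
 *       {@code base64url(SHA-256(sessionId))}.</li>
 * </ol>
 * Only a missing SHA-256 implementation is reported as {@code server_error}; everything else is
 * {@code invalid_token} or {@code invalid_request}.
 */
public final class OidcLogoutAuthenticationProvider implements AuthenticationProvider {

    private static final OAuth2TokenType ID_TOKEN_TOKEN_TYPE = new OAuth2TokenType("id_token");

    /** Name of the OIDC session-identifier claim compared against the hashed servlet session id. */
    private static final String SID_CLAIM = "sid";

    private final RegisteredClientRepository registeredClientRepository;
    private final OAuth2AuthorizationService authorizationService;
    private final SessionRegistry sessionRegistry;
    private final Log logger = LogFactory.getLog(getClass());
    private Consumer<OidcLogoutAuthenticationContext> authenticationValidator = new OidcLogoutAuthenticationValidator();

    /**
     * @param registeredClientRepository used to look up the client the ID Token was issued to
     * @param oAuth2AuthorizationService used to resolve {@code id_token_hint} to a stored authorization
     * @param sessionRegistry            used to map the request's session id to a live session
     * @throws IllegalArgumentException if any argument is {@code null}
     */
    public OidcLogoutAuthenticationProvider(RegisteredClientRepository registeredClientRepository,
            OAuth2AuthorizationService oAuth2AuthorizationService, SessionRegistry sessionRegistry) {
        Assert.notNull(registeredClientRepository, "registeredClientRepository cannot be null");
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        Assert.notNull(sessionRegistry, "sessionRegistry cannot be null");
        this.registeredClientRepository = registeredClientRepository;
        this.authorizationService = oAuth2AuthorizationService;
        this.sessionRegistry = sessionRegistry;
    }

    /**
     * Validates an {@link OidcLogoutAuthenticationToken} as described on the class and returns an
     * authenticated copy carrying the resolved {@link OidcIdToken}.
     *
     * @param authentication an {@link OidcLogoutAuthenticationToken} (the caller guarantees this via {@link #supports})
     * @return a new, authenticated {@link OidcLogoutAuthenticationToken}
     * @throws OAuth2AuthenticationException when any validation step fails
     */
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OidcLogoutAuthenticationToken logoutAuthentication = (OidcLogoutAuthenticationToken) authentication;

        // 1. id_token_hint must be an ID Token this server issued and still has on record.
        OAuth2Authorization authorization = this.authorizationService.findByToken(
                logoutAuthentication.getIdTokenHint(), ID_TOKEN_TOKEN_TYPE);
        if (authorization == null) {
            throwError("invalid_token", "id_token_hint");
        }
        traceLog("Retrieved authorization with ID Token");

        OAuth2Authorization.Token<OidcIdToken> authorizedIdToken = authorization.getToken(OidcIdToken.class);
        if (authorizedIdToken.isInvalidated() || authorizedIdToken.isBeforeUse()) {
            throwError("invalid_token", "id_token_hint");
        }

        // 2. The client the token was issued to must still be registered and be listed in aud.
        RegisteredClient registeredClient = this.registeredClientRepository.findById(authorization.getRegisteredClientId());
        if (registeredClient == null) {
            // A client deregistered after the authorization was issued must fail closed as an OAuth2 error,
            // not surface as a NullPointerException (HTTP 500) from the aud check below.
            throwError("invalid_token", "id_token_hint");
        }
        traceLog("Retrieved registered client");

        OidcIdToken idToken = authorizedIdToken.getToken();
        List<String> audience = idToken.getAudience();
        if (CollectionUtils.isEmpty(audience) || !audience.contains(registeredClient.getClientId())) {
            throwError("invalid_token", OAuth2TokenClaimNames.AUD);
        }

        // 3. An explicit client_id in the request must agree with the token's client.
        String requestedClientId = logoutAuthentication.getClientId();
        if (StringUtils.hasText(requestedClientId) && !requestedClientId.equals(registeredClient.getClientId())) {
            throwError("invalid_request", OidcClientMetadataClaimNames.CLIENT_ID);
        }

        // 4. Everything else (redirect URI, etc.) is the validator's responsibility.
        this.authenticationValidator.accept(OidcLogoutAuthenticationContext.with(logoutAuthentication)
                .registeredClient(registeredClient)
                .build());
        traceLog("Validated logout request parameters");

        // 5. A logged-in end-user may only log out the session the token was issued for.
        if (logoutAuthentication.isPrincipalAuthenticated()) {
            Authentication currentPrincipal = (Authentication) logoutAuthentication.getPrincipal();
            verifySubject(currentPrincipal, authorization, idToken);
            verifySession(currentPrincipal, logoutAuthentication.getSessionId(), idToken);
        }
        traceLog("Authenticated logout request");

        return new OidcLogoutAuthenticationToken(idToken, (Authentication) logoutAuthentication.getPrincipal(),
                logoutAuthentication.getSessionId(), logoutAuthentication.getClientId(),
                logoutAuthentication.getPostLogoutRedirectUri(), logoutAuthentication.getState());
    }

    public boolean supports(Class<?> cls) {
        return OidcLogoutAuthenticationToken.class.isAssignableFrom(cls);
    }

    /**
     * Replaces the validator run after the token/client checks (step 4 on the class doc).
     *
     * @param consumer the validator; must not be {@code null}
     */
    public void setAuthenticationValidator(Consumer<OidcLogoutAuthenticationContext> consumer) {
        Assert.notNull(consumer, "authenticationValidator cannot be null");
        this.authenticationValidator = consumer;
    }

    /**
     * Rejects the request unless the ID Token has a subject and the authorization's recorded principal
     * is the same (by name) as the currently authenticated one.
     */
    private static void verifySubject(Authentication currentPrincipal, OAuth2Authorization authorization,
            OidcIdToken idToken) {
        Authentication authorizedPrincipal = (Authentication) authorization.getAttribute(Principal.class.getName());
        // No recorded principal means the authorization cannot vouch for the current user; treat as a mismatch
        // rather than dereferencing null.
        if (authorizedPrincipal == null
                || !StringUtils.hasText(idToken.getSubject())
                || !currentPrincipal.getName().equals(authorizedPrincipal.getName())) {
            throwError("invalid_token", OAuth2TokenClaimNames.SUB);
        }
    }

    /**
     * Compares the token's {@code sid} claim with the hash of the request's session id.
     *
     * <p>The check is skipped when the request has no session id or the registry does not know that
     * session for this principal (both cases leave the sid claim unverified — unchanged from the original
     * behaviour, worth keeping in mind when relying on sid for logout scoping).
     */
    private void verifySession(Authentication currentPrincipal, String sessionId, OidcIdToken idToken) {
        if (!StringUtils.hasText(sessionId)) {
            return;
        }
        SessionInformation sessionInformation = findSessionInformation(currentPrincipal, sessionId);
        if (sessionInformation == null) {
            return;
        }
        String expectedSid;
        try {
            expectedSid = createHash(sessionInformation.getSessionId());
        } catch (NoSuchAlgorithmException ex) {
            throw new OAuth2AuthenticationException(
                    new OAuth2Error("server_error", "Failed to compute hash for Session ID.", (String) null), ex);
        }
        String sidClaim = (String) idToken.getClaim(SID_CLAIM);
        if (!StringUtils.hasText(sidClaim) || !constantTimeEquals(sidClaim, expectedSid)) {
            throwError("invalid_token", SID_CLAIM);
        }
    }

    /**
     * Finds the registered session with the given id among all sessions of the principal, or {@code null}.
     * Expired-but-not-yet-removed sessions are included ({@code includeExpiredSessions = true}).
     */
    private SessionInformation findSessionInformation(Authentication authentication, String sessionId) {
        List<SessionInformation> sessions = this.sessionRegistry.getAllSessions(authentication.getPrincipal(), true);
        if (CollectionUtils.isEmpty(sessions)) {
            return null;
        }
        for (SessionInformation session : sessions) {
            if (session.getSessionId().equals(sessionId)) {
                return session;
            }
        }
        return null;
    }

    private void traceLog(String message) {
        if (this.logger.isTraceEnabled()) {
            this.logger.trace(message);
        }
    }

    /** Constant-time equality on the UTF-8 bytes; both operands are fixed-length base64url digests. */
    private static boolean constantTimeEquals(String expected, String actual) {
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), actual.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Throws the spec-referenced error for a bad logout request parameter.
     *
     * @param errorCode     OAuth2 error code, e.g. {@code invalid_token}
     * @param parameterName the offending request parameter or claim, echoed in the description
     */
    private static void throwError(String errorCode, String parameterName) {
        throw new OAuth2AuthenticationException(new OAuth2Error(errorCode,
                "OpenID Connect 1.0 Logout Request Parameter: " + parameterName,
                "https://openid.net/specs/openid-connect-rpinitiated-1_0.html#ValidationAndErrorHandling"));
    }

    /**
     * {@code base64url(SHA-256(value))} without padding — the encoding the sid claim is expected to use.
     * The input is read as US-ASCII to match the issuer side; keep the two in sync if either changes.
     */
    private static String createHash(String value) throws NoSuchAlgorithmException {
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        byte[] hash = digest.digest(value.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(hash);
    }
}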
