package org.mitre.oauth2.web;

import java.security.Principal;
import org.mitre.oauth2.exception.PermissionDeniedException;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
import org.mitre.oauth2.service.OAuth2TokenEntityService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView;

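/**
 * Token revocation endpoint mapped at {@code /revoke}.
 *
 * <p>Accepts a single {@code token} request parameter that may hold either an
 * access-token or a refresh-token value, resolves it through
 * {@link OAuth2TokenEntityService}, and revokes whichever one matched. Callers
 * must hold {@code ROLE_ADMIN} or {@code ROLE_CLIENT}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The client-ownership check runs only when the caller's
 *       {@link Principal} is an {@link OAuth2Authentication}. Any other
 *       {@code ROLE_CLIENT} principal that reaches this handler (for example a
 *       client authenticated by a non-OAuth2 mechanism, if the security
 *       configuration lets such a principal through) is not subject to the
 *       ownership check and could revoke tokens issued to other clients.
 *       NOTE(review): confirm against the filter-chain configuration.</li>
 *   <li>The submitted token value is a bearer credential and is never copied
 *       into exception messages or log output.</li>
 *   <li>An unknown value raises {@link InvalidTokenException} rather than
 *       succeeding silently, so the endpoint does reveal whether a token
 *       exists. NOTE(review): RFC 7009 section 2.2 asks that unknown tokens be
 *       treated as already revoked; that would change the exception contract
 *       callers rely on, so it is deliberately left as-is here.</li>
 * </ul>
 */
@Controller
public class RevocationEndpoint {

    private static final Logger logger = LoggerFactory.getLogger(RevocationEndpoint.class);

    /** Resolves and revokes tokens; injected, or supplied through the constructor (e.g. in tests). */
    @Autowired
    OAuth2TokenEntityService tokenServices;

    /** Default constructor for container instantiation; {@link #tokenServices} is autowired. */
    public RevocationEndpoint() {
    }

    /**
     * Constructs the endpoint with an explicit token service.
     *
     * @param oAuth2TokenEntityService the service used to look up and revoke tokens
     */
    public RevocationEndpoint(OAuth2TokenEntityService oAuth2TokenEntityService) {
        this.tokenServices = oAuth2TokenEntityService;
    }

    /**
     * Revokes the access or refresh token identified by the {@code token} parameter.
     *
     * <p>The value is first tried as a refresh token and then as an access token; a
     * refresh-token match takes precedence if both lookups succeed.
     *
     * @param str          the token value to revoke (request parameter {@code token}); treated as a secret
     * @param principal    the authenticated caller
     * @param modelAndView the view object, returned unchanged
     * @return {@code modelAndView}, unchanged
     * @throws InvalidTokenException     if the value is neither a known refresh token nor a known access token
     * @throws PermissionDeniedException if the caller is an {@link OAuth2Authentication} whose client id
     *                                   differs from the client that owns the token
     */
    @RequestMapping({"/revoke"})
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_CLIENT')")
    public ModelAndView revoke(@RequestParam("token") String str, Principal principal, ModelAndView modelAndView) {
        OAuth2RefreshTokenEntity refreshToken = lookupRefreshToken(str);
        OAuth2AccessTokenEntity accessToken = lookupAccessToken(str);

        if (refreshToken == null && accessToken == null) {
            // Do not echo the submitted value: exception messages end up in logs and
            // error responses, and the value may be a live credential elsewhere.
            throw new InvalidTokenException("Invalid OAuth token");
        }

        if (principal instanceof OAuth2Authentication) {
            OAuth2Authentication caller = (OAuth2Authentication) principal;
            // The result was already discarded before this rewrite; the call is kept because
            // it may throw for a caller whose own token cannot be resolved.
            // TODO(review): confirm with the token service whether this call is still needed.
            this.tokenServices.getAccessToken(caller);
            AuthorizationRequest authorizationRequest = caller.getAuthorizationRequest();
            String callerClientId = authorizationRequest.getClientId();
            String ownerClientId = refreshToken != null
                    ? refreshToken.getClient().getClientId()
                    : accessToken.getClient().getClientId();
            assertOwnedBy(ownerClientId, callerClientId);
        }
        // Any principal that is not an OAuth2Authentication skips the ownership check above.

        if (refreshToken != null) {
            this.tokenServices.revokeRefreshToken(refreshToken);
        } else {
            this.tokenServices.revokeAccessToken(accessToken);
        }
        return modelAndView;
    }

    /**
     * Looks {@code value} up as a refresh token.
     *
     * @return the matching entity, or {@code null} when the service rejects the value
     */
    private OAuth2RefreshTokenEntity lookupRefreshToken(String value) {
        try {
            return this.tokenServices.getRefreshToken(value);
        } catch (InvalidTokenException ignored) {
            // Not a refresh token; the caller tries it as an access token next.
            return null;
        }
    }

    /**
     * Looks {@code value} up as an access token.
     *
     * @return the matching entity, or {@code null} when the service rejects the value
     */
    private OAuth2AccessTokenEntity lookupAccessToken(String value) {
        try {
            return this.tokenServices.readAccessToken(value);
        } catch (AuthenticationException ignored) {
            // Not a usable access token; treated as "no match" so the caller can report it.
            return null;
        } catch (InvalidTokenException ignored) {
            // Same as above: unknown or malformed value.
            return null;
        }
    }

    /**
     * Rejects the request when the token's owning client is not the calling client.
     *
     * @throws PermissionDeniedException if the ids differ
     */
    private static void assertOwnedBy(String ownerClientId, String callerClientId) {
        if (!ownerClientId.equals(callerClientId)) {
            throw new PermissionDeniedException("Client tried to revoke a token it doesn't own");
        }
    }
}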
