package org.yamcs.security;

import com.google.gson.JsonObject;
import io.netty.handler.codec.http.DefaultHttpResponse;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpHeaderValues;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpVersion;
import org.yamcs.http.BadRequestException;
import org.yamcs.http.BodyHandler;
import org.yamcs.http.HandlerContext;
import org.yamcs.http.NotFoundException;
import org.yamcs.http.auth.JwtHelper;

/* loaded from: input_file:org/yamcs/security/OpenIDBackChannelHandler.class */
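/**
 * HTTP handler for the {@code /openid/backchannel-logout} path. It reads a logout token from a
 * form-encoded POST and asks the {@link OpenIDAuthModule} to end the matching session(s).
 *
 * <p>NOTE(review): this endpoint is reachable without authentication ({@link #requireAuth()}
 * returns {@code false}) and the logout token is decoded with
 * {@code JwtHelper.decodeUnverified}. Nothing in this class checks the token signature, audience,
 * issue time or the back-channel logout {@code events} claim. Unless
 * {@code OpenIDBackChannelLogoutRequest} or the auth module performs that validation (not visible
 * from here, confirm), the {@code iss}/{@code sub}/{@code sid} values below are caller-controlled
 * and must be treated as untrusted.
 */
public class OpenIDBackChannelHandler extends BodyHandler {
    private final OpenIDAuthModule authModule;

    /**
     * @param openIDAuthModule auth module whose OIDC sessions are terminated by logout requests
     */
    public OpenIDBackChannelHandler(OpenIDAuthModule openIDAuthModule) {
        this.authModule = openIDAuthModule;
    }

    /**
     * Back-channel requests come from the identity provider, not from a logged-in user, so no
     * Yamcs credentials are required. The logout token is therefore the only thing that can
     * authenticate the caller.
     */
    @Override
    public boolean requireAuth() {
        return false;
    }

    /**
     * Dispatches the request; only the exact back-channel logout path is served.
     *
     * @throws NotFoundException for any other path
     */
    @Override
    public void handle(HandlerContext handlerContext) {
        if (!handlerContext.getPathWithoutContext().equals("/openid/backchannel-logout")) {
            throw new NotFoundException();
        }
        handleBackChannelLogout(handlerContext);
    }

    /**
     * Processes one logout request: decodes the token, extracts {@code iss} plus {@code sid} or
     * {@code sub}, triggers the logout and answers 200 with {@code Cache-Control: no-store}.
     *
     * @throws BadRequestException if the token cannot be decoded, has no usable {@code iss}, or
     *         carries neither {@code sid} nor {@code sub}
     */
    private void handleBackChannelLogout(HandlerContext handlerContext) {
        handlerContext.requirePOST();
        handlerContext.requireFormEncoding();

        JsonObject claims;
        try {
            String logoutToken = new OpenIDBackChannelLogoutRequest(handlerContext).getLogoutToken();
            // SECURITY NOTE(review): decodeUnverified does not check the signature. A logout token
            // should be verified against the issuer's keys, and its iss/aud/iat/events claims
            // checked, before any session is terminated. Confirm where that happens.
            claims = JwtHelper.decodeUnverified(logoutToken);
        } catch (JwtHelper.JwtDecodeException e) {
            throw new BadRequestException(e);
        }

        // A missing claim used to surface as a NullPointerException (HTTP 500); report it as a
        // client error instead.
        String issuer = stringClaim(claims, "iss");
        if (issuer == null) {
            throw new BadRequestException("Logout token has no 'iss' claim");
        }
        String subject = stringClaim(claims, "sub");
        String sessionId = stringClaim(claims, "sid");

        if (sessionId != null) {
            log.debug("Back-channel logout for sid={}", sessionId);
            authModule.logoutByOidcSessionId(issuer, sessionId);
        } else if (subject != null) {
            log.debug("Back-channel logout for sub={}", subject);
            authModule.logoutByOidcSubject(issuer, subject);
        } else {
            // Never pass a null subject on to the auth module: a token identifying neither a
            // session nor a subject is malformed.
            throw new BadRequestException("Logout token has neither 'sid' nor 'sub' claim");
        }

        DefaultHttpResponse response = new DefaultHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.OK);
        response.headers().set(HttpHeaderNames.CACHE_CONTROL, HttpHeaderValues.NO_STORE);
        handlerContext.sendResponse(response);
    }

    /**
     * Reads a claim as a string.
     *
     * @return the claim value, or {@code null} when the claim is absent
     * @throws BadRequestException if the claim is present but is not a JSON primitive (for
     *         example JSON null, an object or an array)
     */
    private static String stringClaim(JsonObject claims, String name) {
        if (!claims.has(name)) {
            return null;
        }
        if (!claims.get(name).isJsonPrimitive()) {
            throw new BadRequestException("Logout token claim '" + name + "' is not a string");
        }
        return claims.get(name).getAsString();
    }
}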
