package org.springframework.security.config.web.server;

import java.util.function.Supplier;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpMethod;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/* loaded from: input_file:WEB-INF/lib/spring-security-config-6.3.0.jar:org/springframework/security/config/web/server/OidcLogoutServerAuthenticationConverter.class */
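/**
 * Turns an OIDC Back-Channel Logout request into an {@link OidcLogoutAuthenticationToken}.
 *
 * <p>A request is handled only when it matches the configured {@link ServerWebExchangeMatcher}
 * (by default {@code POST /logout/connect/back-channel/{registrationId}}). The converter looks up
 * the client registration named in the path and reads the {@code logout_token} form parameter.
 * It only extracts the raw token string and does not parse or verify it.
 * NOTE(review): signature and claim validation is presumably done by whatever consumes the
 * returned token. Confirm against the authentication manager wired to this converter.
 */
final class OidcLogoutServerAuthenticationConverter implements ServerAuthenticationConverter {
    /** Default endpoint pattern; the {@code registrationId} path variable selects the client registration. */
    private static final String DEFAULT_LOGOUT_URI = "/logout/connect/back-channel/{registrationId}";
    /** Name of the path variable read from the matcher's result. */
    private static final String REGISTRATION_ID_VARIABLE = "registrationId";
    /** Name of the form parameter that carries the logout token. */
    private static final String LOGOUT_TOKEN_PARAMETER = "logout_token";
    /** OAuth 2.0 error code reported for every rejected request. */
    private static final String INVALID_REQUEST = "invalid_request";

    private final ReactiveClientRegistrationRepository clientRegistrationRepository;
    private final Log logger = LogFactory.getLog(getClass());
    private ServerWebExchangeMatcher exchangeMatcher = new PathPatternParserServerWebExchangeMatcher(DEFAULT_LOGOUT_URI, HttpMethod.POST);

    /**
     * Creates a converter backed by the given registration repository.
     *
     * @param reactiveClientRegistrationRepository repository used to resolve the {@code registrationId}
     *        path variable; must not be {@code null}
     * @throws IllegalArgumentException if the repository is {@code null}
     */
    public OidcLogoutServerAuthenticationConverter(ReactiveClientRegistrationRepository reactiveClientRegistrationRepository) {
        Assert.notNull(reactiveClientRegistrationRepository, "clientRegistrationRepository cannot be null");
        this.clientRegistrationRepository = reactiveClientRegistrationRepository;
    }

    /**
     * Extracts the logout token and client registration from a back-channel logout request.
     *
     * @param serverWebExchange the current exchange
     * @return an empty {@code Mono} when the request does not match the logout endpoint; a
     *         {@code Mono} emitting an {@link OidcLogoutAuthenticationToken} on success; or a
     *         {@code Mono} failing with {@link OAuth2AuthenticationException}
     *         ({@code invalid_request}) when the registration is unknown or the
     *         {@code logout_token} parameter is missing or blank
     */
    @Override
    public Mono<Authentication> convert(ServerWebExchange serverWebExchange) {
        return this.exchangeMatcher.matches(serverWebExchange)
            .filter(matchResult -> matchResult.isMatch())
            .flatMap(matchResult -> {
                // NOTE(review): a matcher installed through setExchangeMatcher that does not expose a
                // String "registrationId" variable yields null (or a ClassCastException) here. Confirm
                // that every custom matcher provides it.
                String registrationId = (String) matchResult.getVariables().get(REGISTRATION_ID_VARIABLE);
                return this.clientRegistrationRepository.findByRegistrationId(registrationId)
                    .switchIfEmpty(Mono.error(invalidRequest(
                        "Did not process OIDC Back-Channel Logout since no ClientRegistration was found")));
            })
            .flatMap(clientRegistration -> serverWebExchange.getFormData()
                // getFirst returns null when the parameter is absent. Dropping null and blank values
                // here sends such requests to the invalid_request branch below, so no token object
                // is ever built around a null or blank logout token.
                .flatMap(formData -> Mono.justOrEmpty((String) formData.getFirst(LOGOUT_TOKEN_PARAMETER)))
                .filter(logoutToken -> !logoutToken.isBlank())
                .map(logoutToken -> new OidcLogoutAuthenticationToken(logoutToken, clientRegistration))
                .switchIfEmpty(Mono.error(invalidRequest(
                    "Failed to process OIDC Back-Channel Logout since no logout token was found"))));
    }

    /**
     * Replaces the matcher that decides which requests are treated as back-channel logout requests.
     *
     * @param serverWebExchangeMatcher the matcher to use; must not be {@code null}
     * @throws IllegalArgumentException if the matcher is {@code null}
     */
    void setExchangeMatcher(ServerWebExchangeMatcher serverWebExchangeMatcher) {
        Assert.notNull(serverWebExchangeMatcher, "exchangeMatcher cannot be null");
        this.exchangeMatcher = serverWebExchangeMatcher;
    }

    /**
     * Builds a lazy {@code invalid_request} error that writes a debug message when it is raised.
     * The message is a fixed string, so no request data (token or registration id) reaches the log.
     */
    private Supplier<? extends Throwable> invalidRequest(String debugMessage) {
        return () -> {
            this.logger.debug(debugMessage);
            return new OAuth2AuthenticationException(INVALID_REQUEST);
        };
    }
}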
