package org.springframework.security.config.web.server;

import java.nio.charset.StandardCharsets;
import java.util.Collection;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseEntity;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.oidc.server.session.InMemoryReactiveOidcSessionRegistry;
import org.springframework.security.oauth2.client.oidc.server.session.ReactiveOidcSessionRegistry;
import org.springframework.security.oauth2.client.oidc.session.OidcSessionInformation;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.authentication.logout.ServerLogoutHandler;
import org.springframework.util.Assert;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.server.session.HeaderWebSessionIdResolver;
import org.springframework.web.util.UriComponentsBuilder;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

/* loaded from: input_file:BOOT-INF/lib/spring-security-config-6.2.1.jar:org/springframework/security/config/web/server/OidcBackChannelServerLogoutHandler.class */
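/**
 * {@link ServerLogoutHandler} that performs OIDC Back-Channel Logout for a reactive application.
 *
 * <p>For every session the {@link ReactiveOidcSessionRegistry} returns for the logout token's
 * principal, it issues an internal HTTP POST to the application's own logout endpoint, carrying
 * that session's id as a cookie. Sessions whose logout call fails are saved back into the
 * registry and reported to the caller in a 400 response.
 */
final class OidcBackChannelServerLogoutHandler implements ServerLogoutHandler {
    private final Log logger = LogFactory.getLog(getClass());
    private ReactiveOidcSessionRegistry sessionRegistry = new InMemoryReactiveOidcSessionRegistry();
    private WebClient web = WebClient.create();
    private String logoutEndpointName = "/logout";
    private String sessionCookieName = HeaderWebSessionIdResolver.DEFAULT_HEADER_NAME;

    /**
     * Terminates every registered session that matches the back-channel logout token.
     *
     * @param webFilterExchange the exchange of the inbound back-channel logout request
     * @param authentication the authentication; anything other than an
     * {@code OidcBackChannelLogoutAuthentication} is ignored
     * @return a {@code Mono} that completes empty when every session was terminated, or after a
     * 400 response listing the failures has been written
     */
    @Override // org.springframework.security.web.server.authentication.logout.ServerLogoutHandler
    public Mono<Void> logout(WebFilterExchange webFilterExchange, Authentication authentication) {
        if (!(authentication instanceof OidcBackChannelLogoutAuthentication)) {
            return Mono.defer(() -> {
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug(String.format("Did not perform OIDC Back-Channel Logout since authentication [%s] was of the wrong type", authentication.getClass().getSimpleName()));
                }
                return Mono.empty();
            });
        }
        OidcBackChannelLogoutAuthentication token = (OidcBackChannelLogoutAuthentication) authentication;
        AtomicInteger totalCount = new AtomicInteger(0);
        AtomicInteger invalidatedCount = new AtomicInteger(0);
        return this.sessionRegistry.removeSessionInformation(token.getPrincipal()).concatMap(session -> {
            totalCount.incrementAndGet();
            return eachLogout(webFilterExchange, session).flatMap(response -> {
                invalidatedCount.incrementAndGet();
                return Mono.<String>empty();
            }).onErrorResume(th -> {
                this.logger.debug("Failed to invalidate session", th);
                // Mono.just(null) throws, so a Throwable without a message would turn this
                // recovery path into a new error and lose the failure report. Fall back to
                // the exception's class name.
                String reason = (th.getMessage() != null) ? th.getMessage() : th.getClass().getSimpleName();
                // The session was already removed from the registry; put it back so that a
                // later logout attempt can still find it.
                return this.sessionRegistry.saveSessionInformation(session).then(Mono.just(reason));
            });
        }).collectList().flatMap(failures -> {
            if (this.logger.isTraceEnabled()) {
                this.logger.trace(String.format("Invalidated %d out of %d sessions", invalidatedCount.intValue(), totalCount.intValue()));
            }
            if (failures.isEmpty()) {
                return Mono.empty();
            }
            return handleLogoutFailure(webFilterExchange.getExchange().getResponse(), oauth2Error(failures));
        });
    }

    /**
     * Sends the internal logout POST for one session.
     *
     * @param webFilterExchange the inbound exchange; its request URI supplies scheme, host and port
     * @param oidcSessionInformation the session to terminate
     * @return the bodiless response of the logout call; an error signal if the call fails
     */
    private Mono<ResponseEntity<Void>> eachLogout(WebFilterExchange webFilterExchange, OidcSessionInformation oidcSessionInformation) {
        HttpHeaders httpHeaders = new HttpHeaders();
        httpHeaders.add("Cookie", this.sessionCookieName + "=" + oidcSessionInformation.getSessionId());
        // Each entry of getAuthorities() is forwarded as a request header, name and value as stored.
        for (Map.Entry<String, String> entry : oidcSessionInformation.getAuthorities().entrySet()) {
            httpHeaders.add(entry.getKey(), entry.getValue());
        }
        // NOTE(review): scheme, host and port are taken from the inbound request URI and only the
        // path is replaced, so the session id cookie and the stored headers are sent to whatever
        // host that URI names. Confirm the deployment only accepts trusted Host / forwarded
        // headers, otherwise these session credentials could leave the application.
        String logoutUri = UriComponentsBuilder
            .fromHttpUrl(webFilterExchange.getExchange().getRequest().getURI().toString())
            .replacePath(this.logoutEndpointName)
            .build()
            .toUriString();
        return this.web.post()
            .uri(logoutUri, new Object[0])
            .headers(outgoing -> outgoing.putAll(httpHeaders))
            .retrieve()
            .toBodilessEntity();
    }

    /**
     * Builds the {@code partial_logout} error whose description lists the collected failures.
     */
    private OAuth2Error oauth2Error(Collection<?> collection) {
        return new OAuth2Error("partial_logout", "not all sessions were terminated: " + collection, "https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation");
    }

    /**
     * Writes a 400 response whose body is a JSON object describing the error.
     *
     * <p>The values are JSON-escaped because the description embeds exception messages, which may
     * contain quotes, backslashes or control characters.
     *
     * @param serverHttpResponse the response of the inbound back-channel logout request
     * @param oAuth2Error the error to report
     * @return completion of the body write
     */
    private Mono<Void> handleLogoutFailure(ServerHttpResponse serverHttpResponse, OAuth2Error oAuth2Error) {
        serverHttpResponse.setRawStatusCode(400);
        // NOTE(review): the description carries the raw messages of the failed internal logout
        // calls back to the remote caller; consider whether that level of detail should be
        // exposed outside the application.
        // The "error_uri" key previously lacked its closing quote, producing invalid JSON.
        String body = String.format(
            "{\n\t\"error_code\": \"%s\",\n\t\"error_description\": \"%s\",\n\t\"error_uri\": \"%s\"\n}\n",
            jsonEscape(oAuth2Error.getErrorCode()),
            jsonEscape(oAuth2Error.getDescription()),
            jsonEscape(oAuth2Error.getUri()));
        return serverHttpResponse.writeWith(Flux.just(serverHttpResponse.bufferFactory().wrap(body.getBytes(StandardCharsets.UTF_8))));
    }

    /**
     * Escapes a value for use inside a double-quoted JSON string.
     *
     * @param value the raw value, may be {@code null}
     * @return the escaped value; the empty string for {@code null}
     */
    private static String jsonEscape(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder escaped = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '"':
                    escaped.append("\\\"");
                    break;
                case '\\':
                    escaped.append("\\\\");
                    break;
                case '\n':
                    escaped.append("\\n");
                    break;
                case '\r':
                    escaped.append("\\r");
                    break;
                case '\t':
                    escaped.append("\\t");
                    break;
                default:
                    if (c < 0x20) {
                        // Remaining control characters are not allowed unescaped in JSON strings.
                        escaped.append(String.format("\\u%04x", (int) c));
                    } else {
                        escaped.append(c);
                    }
            }
        }
        return escaped.toString();
    }

    /**
     * Replaces the registry used to look up, remove and restore OIDC session information.
     *
     * @param reactiveOidcSessionRegistry the registry, must not be {@code null}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void setSessionRegistry(ReactiveOidcSessionRegistry reactiveOidcSessionRegistry) {
        Assert.notNull(reactiveOidcSessionRegistry, "sessionRegistry cannot be null");
        this.sessionRegistry = reactiveOidcSessionRegistry;
    }

    /**
     * Replaces the {@link WebClient} used for the internal logout calls.
     *
     * @param webClient the client, must not be {@code null}
     */
    void setWebClient(WebClient webClient) {
        Assert.notNull(webClient, "web cannot be null");
        this.web = webClient;
    }

    /**
     * Sets the path that replaces the inbound request's path when building the logout URI.
     *
     * @param str the logout path, must contain text
     */
    void setLogoutUri(String str) {
        Assert.hasText(str, "logoutUri cannot be empty");
        this.logoutEndpointName = str;
    }

    /**
     * Sets the cookie name under which the session id is sent on the internal logout call.
     *
     * @param str the cookie name, must contain text
     */
    void setSessionCookieName(String str) {
        Assert.hasText(str, "clientSessionCookieName cannot be empty");
        this.sessionCookieName = str;
    }
}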
