package org.springframework.security.config.web.server;

import java.util.Collections;
import java.util.Objects;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.boot.actuate.endpoint.web.WebEndpointResponse;
import org.springframework.core.ResolvableType;
import org.springframework.http.MediaType;
import org.springframework.http.codec.EncoderHttpMessageWriter;
import org.springframework.http.codec.HttpMessageWriter;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.security.web.server.authentication.logout.ServerLogoutHandler;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

/* loaded from: input_file:BOOT-INF/lib/spring-security-config-6.4.4.jar:org/springframework/security/config/web/server/OidcBackChannelLogoutWebFilter.class */
class OidcBackChannelLogoutWebFilter implements WebFilter {
    private final ServerAuthenticationConverter authenticationConverter;
    private final ReactiveAuthenticationManager authenticationManager;
    private final ServerLogoutHandler logoutHandler;
    private final Log logger = LogFactory.getLog(getClass());
    private final HttpMessageWriter<OAuth2Error> errorHttpMessageConverter = new EncoderHttpMessageWriter(new OAuth2ErrorEncoder());

    /* JADX INFO: Access modifiers changed from: package-private */
    public OidcBackChannelLogoutWebFilter(ServerAuthenticationConverter serverAuthenticationConverter, ReactiveAuthenticationManager reactiveAuthenticationManager, ServerLogoutHandler serverLogoutHandler) {
        Assert.notNull(serverAuthenticationConverter, "authenticationConverter cannot be null");
        Assert.notNull(reactiveAuthenticationManager, "authenticationManager cannot be null");
        Assert.notNull(serverLogoutHandler, "logoutHandler cannot be null");
        this.authenticationConverter = serverAuthenticationConverter;
        this.authenticationManager = reactiveAuthenticationManager;
        this.logoutHandler = serverLogoutHandler;
    }

    /* JADX WARN: Multi-variable type inference failed */
    @Override // org.springframework.web.server.WebFilter
    public Mono<Void> filter(ServerWebExchange serverWebExchange, WebFilterChain webFilterChain) {
        Mono switchIfEmpty = this.authenticationConverter.convert(serverWebExchange).onErrorResume(AuthenticationException.class, authenticationException -> {
            this.logger.debug("Failed to process OIDC Back-Channel Logout", authenticationException);
            return authenticationException instanceof AuthenticationServiceException ? Mono.error(authenticationException) : handleAuthenticationFailure(serverWebExchange, authenticationException).then(Mono.empty());
        }).switchIfEmpty(webFilterChain.filter(serverWebExchange).then(Mono.empty()));
        ReactiveAuthenticationManager reactiveAuthenticationManager = this.authenticationManager;
        Objects.requireNonNull(reactiveAuthenticationManager);
        return switchIfEmpty.flatMap(reactiveAuthenticationManager::authenticate).onErrorResume(AuthenticationException.class, authenticationException2 -> {
            this.logger.debug("Failed to process OIDC Back-Channel Logout", authenticationException2);
            return authenticationException2 instanceof AuthenticationServiceException ? Mono.error(authenticationException2) : handleAuthenticationFailure(serverWebExchange, authenticationException2).then(Mono.empty());
        }).flatMap(authentication -> {
            return this.logoutHandler.logout(new WebFilterExchange(serverWebExchange, webFilterChain), authentication);
        });
    }

    private Mono<Void> handleAuthenticationFailure(ServerWebExchange serverWebExchange, Exception exc) {
        this.logger.debug("Failed to process OIDC Back-Channel Logout", exc);
        serverWebExchange.getResponse().setRawStatusCode(Integer.valueOf(WebEndpointResponse.STATUS_BAD_REQUEST));
        return this.errorHttpMessageConverter.write(Mono.just(oauth2Error(exc)), ResolvableType.forClass(Object.class), ResolvableType.forClass(Object.class), MediaType.APPLICATION_JSON, serverWebExchange.getRequest(), serverWebExchange.getResponse(), Collections.emptyMap());
    }

    private OAuth2Error oauth2Error(Exception exc) {
        return exc instanceof OAuth2AuthenticationException ? ((OAuth2AuthenticationException) exc).getError() : new OAuth2Error("invalid_request", exc.getMessage(), "https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation");
    }
}
