package org.springframework.security.config.annotation.web.configurers.oauth2.client;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.server.ServletServerHttpResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.oidc.session.OidcSessionInformation;
import org.springframework.security.oauth2.client.oidc.session.OidcSessionRegistry;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.http.converter.OAuth2ErrorHttpMessageConverter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.util.Assert;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:BOOT-INF/lib/spring-security-config-6.4.2.jar:org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcBackChannelLogoutHandler.class */
public final class OidcBackChannelLogoutHandler implements LogoutHandler {
    private final OidcSessionRegistry sessionRegistry;
    private final Log logger = LogFactory.getLog(getClass());
    private RestOperations restOperations = new RestTemplate();
    private String logoutUri = "{baseUrl}/logout/connect/back-channel/{registrationId}";
    private String sessionCookieName = "JSESSIONID";
    private final OAuth2ErrorHttpMessageConverter errorHttpMessageConverter = new OAuth2ErrorHttpMessageConverter();

    public OidcBackChannelLogoutHandler(OidcSessionRegistry oidcSessionRegistry) {
        this.sessionRegistry = oidcSessionRegistry;
    }

    @Override // org.springframework.security.web.authentication.logout.LogoutHandler
    public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
        if (!(authentication instanceof OidcBackChannelLogoutAuthentication)) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(String.format("Did not perform OIDC Back-Channel Logout since authentication [%s] was of the wrong type", authentication.getClass().getSimpleName()));
                return;
            }
            return;
        }
        OidcBackChannelLogoutAuthentication oidcBackChannelLogoutAuthentication = (OidcBackChannelLogoutAuthentication) authentication;
        Iterable<OidcSessionInformation> removeSessionInformation = this.sessionRegistry.removeSessionInformation(oidcBackChannelLogoutAuthentication.getPrincipal());
        ArrayList arrayList = new ArrayList();
        int i = 0;
        int i2 = 0;
        for (OidcSessionInformation oidcSessionInformation : removeSessionInformation) {
            i++;
            try {
                eachLogout(httpServletRequest, oidcBackChannelLogoutAuthentication, oidcSessionInformation);
                i2++;
            } catch (RestClientException e) {
                this.logger.debug("Failed to invalidate session", e);
                arrayList.add(e.getMessage());
                this.sessionRegistry.saveSessionInformation(oidcSessionInformation);
            }
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace(String.format("Invalidated %d out of %d sessions", Integer.valueOf(i2), Integer.valueOf(i)));
        }
        if (arrayList.isEmpty()) {
            return;
        }
        handleLogoutFailure(httpServletResponse, oauth2Error(arrayList));
    }

    private void eachLogout(HttpServletRequest httpServletRequest, OidcBackChannelLogoutAuthentication oidcBackChannelLogoutAuthentication, OidcSessionInformation oidcSessionInformation) {
        HttpHeaders httpHeaders = new HttpHeaders();
        httpHeaders.add("Cookie", this.sessionCookieName + "=" + oidcSessionInformation.getSessionId());
        for (Map.Entry entry : oidcSessionInformation.getAuthorities().entrySet()) {
            httpHeaders.add((String) entry.getKey(), (String) entry.getValue());
        }
        httpHeaders.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        String computeLogoutEndpoint = computeLogoutEndpoint(httpServletRequest, oidcBackChannelLogoutAuthentication);
        LinkedMultiValueMap linkedMultiValueMap = new LinkedMultiValueMap();
        linkedMultiValueMap.add("logout_token", oidcBackChannelLogoutAuthentication.getPrincipal().getTokenValue());
        linkedMultiValueMap.add("_spring_security_internal_logout", "true");
        this.restOperations.postForEntity(computeLogoutEndpoint, new HttpEntity(linkedMultiValueMap, httpHeaders), Object.class, new Object[0]);
    }

    String computeLogoutEndpoint(HttpServletRequest httpServletRequest, OidcBackChannelLogoutAuthentication oidcBackChannelLogoutAuthentication) {
        UriComponents build = UriComponentsBuilder.fromHttpUrl(UrlUtils.buildFullRequestUrl(httpServletRequest)).replacePath(httpServletRequest.getContextPath()).replaceQuery((String) null).fragment((String) null).build();
        HashMap hashMap = new HashMap();
        String scheme = build.getScheme();
        hashMap.put("baseScheme", scheme != null ? scheme : "");
        hashMap.put("baseUrl", build.toUriString());
        String host = build.getHost();
        hashMap.put("baseHost", host != null ? host : "");
        String path = build.getPath();
        hashMap.put("basePath", path != null ? path : "");
        int port = build.getPort();
        hashMap.put("basePort", port == -1 ? "" : ":" + port);
        hashMap.put("registrationId", oidcBackChannelLogoutAuthentication.getClientRegistration().getRegistrationId());
        return UriComponentsBuilder.fromUriString(this.logoutUri).buildAndExpand(hashMap).toUriString();
    }

    private OAuth2Error oauth2Error(Collection<String> collection) {
        return new OAuth2Error("partial_logout", "not all sessions were terminated: " + collection, "https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation");
    }

    private void handleLogoutFailure(HttpServletResponse httpServletResponse, OAuth2Error oAuth2Error) {
        httpServletResponse.setStatus(400);
        try {
            this.errorHttpMessageConverter.write(oAuth2Error, (MediaType) null, new ServletServerHttpResponse(httpServletResponse));
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public void setLogoutUri(String str) {
        Assert.hasText(str, "logoutUri cannot be empty");
        this.logoutUri = str;
    }

    public void setSessionCookieName(String str) {
        Assert.hasText(str, "clientSessionCookieName cannot be empty");
        this.sessionCookieName = str;
    }
}
