package org.springframework.security.config.annotation.web.configurers.oauth2.client;

import jakarta.servlet.http.HttpServletRequest;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.server.DefaultServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/spring-security-config-6.3.4.jar:org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutAuthenticationConverter.class */
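/**
 * Turns an OIDC Back-Channel Logout request into an unauthenticated
 * {@link OidcLogoutAuthenticationToken}.
 *
 * <p>By default only {@code POST /logout/connect/back-channel/{registrationId}} is handled.
 * The {@code registrationId} path variable selects the {@link ClientRegistration} and the
 * {@code logout_token} form parameter carries the raw logout token.
 *
 * <p>Security notes for maintainers:
 * <ul>
 * <li>Both the path variable and the {@code logout_token} parameter are caller-controlled.
 * This class only checks that they are present; it performs no signature, issuer, audience
 * or replay validation of the token. NOTE(review): that validation is presumably done by the
 * component that consumes {@link OidcLogoutAuthenticationToken} - confirm before relying on
 * this endpoint.</li>
 * <li>Every rejection uses the same {@code invalid_request} error code, and the debug log
 * messages contain no request-supplied values.</li>
 * </ul>
 */
final class OidcLogoutAuthenticationConverter implements AuthenticationConverter {
    private static final String DEFAULT_LOGOUT_URI = "/logout/connect/back-channel/{registrationId}";

    // Name of the template variable declared in DEFAULT_LOGOUT_URI. Kept local so this
    // servlet-side class does not reach into a reactive ("server") resolver for a constant.
    private static final String REGISTRATION_ID_VARIABLE = "registrationId";

    private static final String LOGOUT_TOKEN_PARAMETER = "logout_token";
    private static final String INVALID_REQUEST = "invalid_request";

    private final ClientRegistrationRepository clientRegistrationRepository;
    private final Log logger = LogFactory.getLog(getClass());
    private RequestMatcher requestMatcher = new AntPathRequestMatcher(DEFAULT_LOGOUT_URI, "POST");

    /**
     * Creates a converter that resolves client registrations from the given repository.
     *
     * @param clientRegistrationRepository source of {@link ClientRegistration}s, never {@code null}
     * @throws IllegalArgumentException if {@code clientRegistrationRepository} is {@code null}
     */
    public OidcLogoutAuthenticationConverter(ClientRegistrationRepository clientRegistrationRepository) {
        Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null");
        this.clientRegistrationRepository = clientRegistrationRepository;
    }

    /**
     * Extracts the logout token and the addressed client registration from the request.
     *
     * @param httpServletRequest the incoming request
     * @return an {@link OidcLogoutAuthenticationToken} holding the raw, not yet validated
     * logout token, or {@code null} when the request does not match the logout endpoint
     * @throws OAuth2AuthenticationException with error code {@code invalid_request} when the
     * registration id is missing, blank or unknown, or when no non-blank {@code logout_token}
     * parameter was sent
     */
    @Override
    public Authentication convert(HttpServletRequest httpServletRequest) {
        RequestMatcher.MatchResult matchResult = this.requestMatcher.matcher(httpServletRequest);
        if (!matchResult.isMatch()) {
            // Not a back-channel logout request; let other converters/filters handle it.
            return null;
        }

        // A matcher installed through setRequestMatcher may not expose the variable. Treat a
        // missing or blank id as an unknown registration instead of handing it to the
        // repository, whose behaviour for such a key is not defined here.
        String registrationId = matchResult.getVariables().get(REGISTRATION_ID_VARIABLE);
        ClientRegistration clientRegistration = (registrationId == null || registrationId.isBlank()) ? null
                : this.clientRegistrationRepository.findByRegistrationId(registrationId);
        if (clientRegistration == null) {
            this.logger.debug("Did not process OIDC Back-Channel Logout since no ClientRegistration was found");
            throw new OAuth2AuthenticationException(INVALID_REQUEST);
        }

        // An empty "logout_token=" parameter carries no token; reject it here with the same
        // error as an absent parameter rather than forwarding an empty credential.
        String logoutToken = httpServletRequest.getParameter(LOGOUT_TOKEN_PARAMETER);
        if (logoutToken == null || logoutToken.isBlank()) {
            this.logger.debug("Failed to process OIDC Back-Channel Logout since no logout token was found");
            throw new OAuth2AuthenticationException(INVALID_REQUEST);
        }
        return new OidcLogoutAuthenticationToken(logoutToken, clientRegistration);
    }

    /**
     * Replaces the matcher that decides which requests are back-channel logout requests.
     *
     * <p>The matcher must publish the client registration id under the {@code registrationId}
     * variable of its {@link RequestMatcher.MatchResult}; matching requests without it are
     * rejected with {@code invalid_request}. The default matcher is restricted to
     * {@code POST}; a replacement is used as given, so any method restriction has to be part
     * of the replacement itself.
     *
     * @param requestMatcher the matcher to use, never {@code null}
     * @throws IllegalArgumentException if {@code requestMatcher} is {@code null}
     */
    void setRequestMatcher(RequestMatcher requestMatcher) {
        Assert.notNull(requestMatcher, "requestMatcher cannot be null");
        this.requestMatcher = requestMatcher;
    }
}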
