package org.apache.nifi.web.security.configuration;

import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.jwt.proc.JWTProcessor;
import java.time.Duration;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;
import org.apache.nifi.components.state.StateManagerProvider;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.jwt.converter.StandardIssuerJwtDecoder;
import org.apache.nifi.web.security.jwt.jws.StandardJWSKeySelector;
import org.apache.nifi.web.security.jwt.key.StandardVerificationKeySelector;
import org.apache.nifi.web.security.jwt.key.service.StandardVerificationKeyService;
import org.apache.nifi.web.security.jwt.key.service.VerificationKeyService;
import org.apache.nifi.web.security.jwt.provider.SupportedClaim;
import org.apache.nifi.web.security.jwt.revocation.JwtRevocationService;
import org.apache.nifi.web.security.jwt.revocation.JwtRevocationValidator;
import org.apache.nifi.web.security.jwt.revocation.StandardJwtRevocationService;
import org.apache.nifi.web.security.oidc.authentication.AccessTokenDecoderFactory;
import org.apache.nifi.web.security.oidc.authentication.StandardOidcIdTokenDecoderFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.web.client.RestOperations;

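/**
 * Spring configuration that wires the JSON Web Token decoding chain: signature key selection,
 * required-claim checks, token validation including revocation, and the OIDC token decoders.
 *
 * <p>The {@code @Bean} methods call one another directly. With Spring's default proxying of
 * {@code @Configuration} classes those calls resolve to the container-managed instances, so
 * the decoder and its collaborators share one revocation service and one verification key
 * service.
 */
@Configuration
public class JwtDecoderConfiguration {
    /**
     * Claims that must be present in every token handled by {@link #jwtProcessor()}.
     *
     * <p>Only presence is enforced by the claims verifier built from this set; it is given no
     * exact-match claims, so issuer and audience values are not compared there.
     */
    private static final Set<String> REQUIRED_CLAIMS = new HashSet<>(Arrays.asList(
            SupportedClaim.ISSUER.getClaim(),
            SupportedClaim.SUBJECT.getClaim(),
            SupportedClaim.AUDIENCE.getClaim(),
            SupportedClaim.EXPIRATION.getClaim(),
            SupportedClaim.NOT_BEFORE.getClaim(),
            SupportedClaim.ISSUED_AT.getClaim(),
            SupportedClaim.JWT_ID.getClaim(),
            SupportedClaim.GROUPS.getClaim()));

    private final NiFiProperties properties;
    private final ClientRegistrationRepository clientRegistrationRepository;
    private final RestOperations oidcRestOperations;
    private final StateManagerProvider stateManagerProvider;
    private final Duration keyRotationPeriod;

    /**
     * Captures the collaborators needed to build the decoder beans.
     *
     * @param niFiProperties application properties; also the source of the JWS key rotation period
     * @param clientRegistrationRepository OAuth2 client registrations passed to the issuer-aware decoder
     * @param restOperations REST client qualified as {@code oidcRestOperations}
     * @param stateManagerProvider provider of the state managers backing revocation and key storage
     * @throws NullPointerException if any argument is {@code null}
     */
    @Autowired
    public JwtDecoderConfiguration(NiFiProperties niFiProperties, ClientRegistrationRepository clientRegistrationRepository, @Qualifier("oidcRestOperations") RestOperations restOperations, StateManagerProvider stateManagerProvider) {
        this.properties = Objects.requireNonNull(niFiProperties, "Application properties required");
        this.clientRegistrationRepository = Objects.requireNonNull(clientRegistrationRepository, "Client Registration Repository required");
        this.oidcRestOperations = Objects.requireNonNull(restOperations, "OIDC REST Operations required");
        this.stateManagerProvider = Objects.requireNonNull(stateManagerProvider, "State Manager Provider required");
        this.keyRotationPeriod = this.properties.getSecurityUserJwsKeyRotationPeriod();
    }

    /**
     * Builds the application's JWT decoder.
     *
     * <p>A Nimbus-backed decoder using {@link #jwtProcessor()} and {@link #jwtTokenValidator()}
     * is wrapped in a {@link StandardIssuerJwtDecoder}, which also receives an access token
     * decoder factory and the client registrations.
     * NOTE(review): the wrapper presumably chooses between the two decoders by token issuer;
     * confirm in StandardIssuerJwtDecoder which validators apply on the OIDC access token path.
     *
     * @return the issuer-aware decoder
     */
    @Bean
    public JwtDecoder jwtDecoder() {
        final NimbusJwtDecoder localDecoder = new NimbusJwtDecoder(jwtProcessor());
        localDecoder.setJwtValidator(jwtTokenValidator());

        final AccessTokenDecoderFactory accessTokenDecoderFactory =
                new AccessTokenDecoderFactory(this.properties.getOidcPreferredJwsAlgorithm(), this.oidcRestOperations);
        return new StandardIssuerJwtDecoder(localDecoder, accessTokenDecoderFactory, this.clientRegistrationRepository);
    }

    /**
     * Builds the Nimbus processor that selects the signature verification key and checks that
     * every claim in {@link #REQUIRED_CLAIMS} is present.
     *
     * @return the configured processor
     */
    @Bean
    public JWTProcessor<SecurityContext> jwtProcessor() {
        final DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        // NOTE(review): constructed exactly as in the original; if StandardJWSKeySelector
        // declares a type parameter, parameterize it here to remove the unchecked conversion.
        processor.setJWSKeySelector(new StandardJWSKeySelector(verificationKeySelector()));

        // No exact-match claims are configured: the verifier requires the listed claims to be
        // present but does not compare their values.
        final JWTClaimsSet exactMatchClaims = null;
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(exactMatchClaims, REQUIRED_CLAIMS));
        return processor;
    }

    /**
     * Combines Spring Security's default JWT validators with a revocation check backed by
     * {@link #jwtRevocationService()}.
     *
     * @return the delegating validator applied by the local decoder
     */
    @Bean
    public OAuth2TokenValidator<Jwt> jwtTokenValidator() {
        return new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefault(),
                new JwtRevocationValidator(jwtRevocationService()));
    }

    /**
     * Builds the factory for OIDC ID token decoders, using the preferred JWS algorithm from the
     * application properties and the OIDC REST client.
     *
     * @return the ID token decoder factory
     */
    @Bean
    public JwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() {
        return new StandardOidcIdTokenDecoderFactory(this.properties.getOidcPreferredJwsAlgorithm(), this.oidcRestOperations);
    }

    /**
     * Builds the revocation service on the state manager registered under the
     * {@link StandardJwtRevocationService} class name.
     *
     * @return the revocation service
     */
    @Bean
    public JwtRevocationService jwtRevocationService() {
        final String componentId = StandardJwtRevocationService.class.getName();
        return new StandardJwtRevocationService(this.stateManagerProvider.getStateManager(componentId));
    }

    /**
     * Builds the verification key selector from {@link #verificationKeyService()} and the
     * configured key rotation period.
     *
     * @return the verification key selector
     */
    @Bean
    public StandardVerificationKeySelector verificationKeySelector() {
        return new StandardVerificationKeySelector(verificationKeyService(), this.keyRotationPeriod);
    }

    /**
     * Builds the verification key service on the state manager registered under the
     * {@link StandardVerificationKeyService} class name.
     *
     * @return the verification key service
     */
    @Bean
    public VerificationKeyService verificationKeyService() {
        final String componentId = StandardVerificationKeyService.class.getName();
        return new StandardVerificationKeyService(this.stateManagerProvider.getStateManager(componentId));
    }
}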
