package org.apache.nifi.web.security.configuration;

import com.github.benmanes.caffeine.cache.Caffeine;
import java.time.Duration;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import org.apache.nifi.authorization.util.IdentityMappingUtil;
import org.apache.nifi.components.state.StateManagerProvider;
import org.apache.nifi.encrypt.PropertyEncryptor;
import org.apache.nifi.util.FormatUtils;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.StandardAuthenticationEntryPoint;
import org.apache.nifi.web.security.jwt.provider.BearerTokenProvider;
import org.apache.nifi.web.security.logout.LogoutRequestManager;
import org.apache.nifi.web.security.oidc.OidcUrlPath;
import org.apache.nifi.web.security.oidc.client.web.AuthorizedClientExpirationCommand;
import org.apache.nifi.web.security.oidc.client.web.OidcBearerTokenRefreshFilter;
import org.apache.nifi.web.security.oidc.client.web.StandardAuthorizationRequestRepository;
import org.apache.nifi.web.security.oidc.client.web.StandardOAuth2AuthorizationRequestResolver;
import org.apache.nifi.web.security.oidc.client.web.StandardOidcAuthorizedClientRepository;
import org.apache.nifi.web.security.oidc.client.web.converter.AuthenticationResultConverter;
import org.apache.nifi.web.security.oidc.client.web.converter.AuthorizedClientConverter;
import org.apache.nifi.web.security.oidc.client.web.converter.StandardAuthorizedClientConverter;
import org.apache.nifi.web.security.oidc.logout.OidcLogoutFilter;
import org.apache.nifi.web.security.oidc.logout.OidcLogoutSuccessHandler;
import org.apache.nifi.web.security.oidc.revocation.StandardTokenRevocationResponseClient;
import org.apache.nifi.web.security.oidc.revocation.TokenRevocationResponseClient;
import org.apache.nifi.web.security.oidc.userinfo.StandardOidcUserService;
import org.apache.nifi.web.security.oidc.web.authentication.OidcAuthenticationSuccessHandler;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.cache.caffeine.CaffeineCache;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.DefaultRefreshTokenTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.web.authentication.AuthenticationEntryPointFailureHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.savedrequest.NullRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.web.client.RestOperations;

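/**
 * Spring configuration that wires the OpenID Connect login, bearer-token refresh and logout
 * filters for the NiFi web tier.
 * <p>
 * Security-relevant choices visible in this class:
 * <ul>
 *   <li>Login is stateless: the login filter disables HTTP session creation and installs a
 *       {@link NullAuthenticatedSessionStrategy}; the authenticated identity is carried in a
 *       bearer token issued through the {@link BearerTokenProvider}.</li>
 *   <li>A {@link NullRequestCache} is installed on the redirect and code-grant filters, so no
 *       previously requested URL is saved and replayed after authentication.</li>
 *   <li>Pending {@link OAuth2AuthorizationRequest}s (which carry the OAuth2 {@code state} value
 *       matched on callback) live in a bounded Caffeine cache of at most
 *       {@value #AUTHORIZATION_REQUEST_CACHE_SIZE} entries expiring 60 seconds after write, which
 *       caps the memory an unauthenticated caller can consume by starting login flows.</li>
 *   <li>Authorized clients are persisted through the {@link StateManagerProvider} and converted
 *       by a {@link StandardAuthorizedClientConverter} constructed with the
 *       {@link PropertyEncryptor} (presumably to protect stored tokens at rest; confirm in the
 *       converter).</li>
 * </ul>
 * Calls between {@code @Bean} methods resolve through the Spring configuration proxy
 * ({@code proxyBeanMethods} defaults to {@code true}), so the repeated
 * {@code authorizedClientRepository()} calls below all yield the same singleton.
 * <p>
 * NOTE(review): the redundant casts and raw types in the original listing suggest it was
 * decompiled; this version restores generic types without changing behavior.
 */
@Configuration
public class OidcSecurityConfiguration {
    /** Upper bound on cached pending authorization requests. */
    private static final long AUTHORIZATION_REQUEST_CACHE_SIZE = 1000;

    /** Lifetime of a pending authorization request after it is written to the cache. */
    private static final Duration REQUEST_EXPIRATION = Duration.ofSeconds(60);

    /** Shared no-op request cache: saved-request redirection after login is disabled. */
    private static final RequestCache nullRequestCache = new NullRequestCache();

    private final Duration keyRotationPeriod;
    private final NiFiProperties properties;
    private final StateManagerProvider stateManagerProvider;
    private final PropertyEncryptor propertyEncryptor;
    private final BearerTokenProvider bearerTokenProvider;
    private final BearerTokenResolver bearerTokenResolver;
    private final ClientRegistrationRepository clientRegistrationRepository;
    private final JwtDecoder jwtDecoder;
    private final JwtDecoderFactory<ClientRegistration> idTokenDecoderFactory;
    private final RestOperations oidcRestOperations;
    private final LogoutRequestManager logoutRequestManager;

    /**
     * Creates the configuration from its injected collaborators.
     *
     * @param niFiProperties application properties; also supplies the JWS key rotation period used
     *                       as the authorized-client expiration sweep interval
     * @param stateManagerProvider provider of the state manager backing the authorized client repository
     * @param propertyEncryptor encryptor handed to the authorized client converter
     * @param bearerTokenProvider issuer of NiFi bearer tokens after successful login
     * @param bearerTokenResolver resolver of bearer tokens from incoming requests
     * @param clientRegistrationRepository OIDC client registrations
     * @param jwtDecoder decoder for NiFi bearer tokens
     * @param jwtDecoderFactory factory of decoders used to validate provider ID tokens
     * @param restOperations REST client used for all calls to the OIDC provider
     * @param logoutRequestManager tracks in-flight logout requests
     * @throws NullPointerException if any argument is {@code null}
     */
    @Autowired
    public OidcSecurityConfiguration(
            final NiFiProperties niFiProperties,
            final StateManagerProvider stateManagerProvider,
            final PropertyEncryptor propertyEncryptor,
            final BearerTokenProvider bearerTokenProvider,
            final BearerTokenResolver bearerTokenResolver,
            final ClientRegistrationRepository clientRegistrationRepository,
            final JwtDecoder jwtDecoder,
            final JwtDecoderFactory<ClientRegistration> jwtDecoderFactory,
            @Qualifier("oidcRestOperations") final RestOperations restOperations,
            final LogoutRequestManager logoutRequestManager) {
        this.properties = Objects.requireNonNull(niFiProperties, "Properties required");
        this.stateManagerProvider = Objects.requireNonNull(stateManagerProvider, "State Manager Provider required");
        this.propertyEncryptor = Objects.requireNonNull(propertyEncryptor, "Property Encryptor required");
        this.bearerTokenProvider = Objects.requireNonNull(bearerTokenProvider, "Bearer Token Provider required");
        this.bearerTokenResolver = Objects.requireNonNull(bearerTokenResolver, "Bearer Token Resolver required");
        this.clientRegistrationRepository = Objects.requireNonNull(clientRegistrationRepository, "Registration Repository required");
        this.jwtDecoder = Objects.requireNonNull(jwtDecoder, "JWT Decoder required");
        this.idTokenDecoderFactory = Objects.requireNonNull(jwtDecoderFactory, "ID Token Decoder Factory required");
        this.oidcRestOperations = Objects.requireNonNull(restOperations, "OIDC REST Operations required");
        this.logoutRequestManager = Objects.requireNonNull(logoutRequestManager, "Logout Request Manager required");
        // Reused as the authorized-client expiration interval; there is no dedicated OIDC setting here
        this.keyRotationPeriod = niFiProperties.getSecurityUserJwsKeyRotationPeriod();
    }

    /**
     * Filter that exchanges an authorization code for tokens on the callback.
     *
     * @param authenticationManager manager that performs the code exchange
     * @return the configured filter, using the shared authorization request repository and no request cache
     */
    @Bean
    public OAuth2AuthorizationCodeGrantFilter oAuth2AuthorizationCodeGrantFilter(final AuthenticationManager authenticationManager) {
        final OAuth2AuthorizationCodeGrantFilter filter = new OAuth2AuthorizationCodeGrantFilter(
                this.clientRegistrationRepository, authorizedClientRepository(), authenticationManager);
        filter.setAuthorizationRequestRepository(authorizationRequestRepository());
        filter.setRequestCache(nullRequestCache);
        return filter;
    }

    /**
     * Filter that builds the authorization request and redirects the browser to the provider.
     *
     * @return the configured filter, using the shared authorization request repository and no request cache
     */
    @Bean
    public OAuth2AuthorizationRequestRedirectFilter oAuth2AuthorizationRequestRedirectFilter() {
        final OAuth2AuthorizationRequestRedirectFilter filter = new OAuth2AuthorizationRequestRedirectFilter(
                new StandardOAuth2AuthorizationRequestResolver(this.clientRegistrationRepository));
        filter.setAuthorizationRequestRepository(authorizationRequestRepository());
        filter.setRequestCache(nullRequestCache);
        return filter;
    }

    /**
     * Login filter bound to the OIDC callback path.
     * <p>
     * Session creation is disabled and a null session strategy is installed, so login state is not
     * kept in an HTTP session; failures are routed to the standard authentication entry point.
     *
     * @param authenticationManager manager that authenticates the callback
     * @param standardAuthenticationEntryPoint entry point used to report authentication failures
     * @return the configured login filter
     */
    @Bean
    public OAuth2LoginAuthenticationFilter oAuth2LoginAuthenticationFilter(
            final AuthenticationManager authenticationManager,
            final StandardAuthenticationEntryPoint standardAuthenticationEntryPoint) {
        final OAuth2LoginAuthenticationFilter filter = new OAuth2LoginAuthenticationFilter(
                this.clientRegistrationRepository, authorizedClientRepository(), OidcUrlPath.CALLBACK.getPath());
        filter.setAuthenticationManager(authenticationManager);
        filter.setAuthorizationRequestRepository(authorizationRequestRepository());
        filter.setAuthenticationSuccessHandler(getAuthenticationSuccessHandler());
        // Stateless login: no HTTP session is created or fixed up on success
        filter.setAllowSessionCreation(false);
        filter.setSessionAuthenticationStrategy(new NullAuthenticatedSessionStrategy());
        filter.setAuthenticationResultConverter(new AuthenticationResultConverter());
        filter.setAuthenticationFailureHandler(new AuthenticationEntryPointFailureHandler(standardAuthenticationEntryPoint));
        return filter;
    }

    /**
     * Filter that refreshes provider tokens for authorized clients approaching expiration.
     * <p>
     * The refresh window from properties is rounded to whole seconds.
     *
     * @return the configured refresh filter
     */
    @Bean
    public OidcBearerTokenRefreshFilter oidcBearerTokenRefreshFilter() {
        final DefaultRefreshTokenTokenResponseClient refreshTokenResponseClient = new DefaultRefreshTokenTokenResponseClient();
        refreshTokenResponseClient.setRestOperations(this.oidcRestOperations);

        final long refreshWindowSeconds = Math.round(
                FormatUtils.getPreciseTimeDuration(this.properties.getOidcTokenRefreshWindow(), TimeUnit.SECONDS));
        final Duration refreshWindow = Duration.ofSeconds(refreshWindowSeconds);

        return new OidcBearerTokenRefreshFilter(
                refreshWindow,
                this.bearerTokenProvider,
                this.bearerTokenResolver,
                this.jwtDecoder,
                authorizedClientRepository(),
                refreshTokenResponseClient);
    }

    /**
     * Filter handling OIDC logout, delegating completion to {@link #oidcLogoutSuccessHandler()}.
     *
     * @return the logout filter
     */
    @Bean
    public OidcLogoutFilter oidcLogoutFilter() {
        return new OidcLogoutFilter(oidcLogoutSuccessHandler());
    }

    /**
     * Logout success handler that clears the authorized client and revokes tokens with the provider.
     *
     * @return the logout success handler
     */
    @Bean
    public LogoutSuccessHandler oidcLogoutSuccessHandler() {
        return new OidcLogoutSuccessHandler(
                this.logoutRequestManager,
                this.clientRegistrationRepository,
                authorizedClientRepository(),
                tokenRevocationResponseClient());
    }

    /**
     * Authentication provider for the authorization-code flow; ID tokens are validated with the
     * injected decoder factory rather than the Spring default.
     *
     * @return the configured provider
     */
    @Bean
    public OidcAuthorizationCodeAuthenticationProvider oidcAuthorizationCodeAuthenticationProvider() {
        final OidcAuthorizationCodeAuthenticationProvider provider =
                new OidcAuthorizationCodeAuthenticationProvider(accessTokenResponseClient(), oidcUserService());
        provider.setJwtDecoderFactory(this.idTokenDecoderFactory);
        return provider;
    }

    /**
     * Token endpoint client for the authorization-code grant, using the shared OIDC REST client.
     *
     * @return the token response client
     */
    @Bean
    public OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient() {
        final DefaultAuthorizationCodeTokenResponseClient client = new DefaultAuthorizationCodeTokenResponseClient();
        client.setRestOperations(this.oidcRestOperations);
        return client;
    }

    /**
     * User service that maps provider claims to a NiFi identity using the configured user claim
     * names and identity mappings; user-info calls go through the shared OIDC REST client.
     *
     * @return the user service
     */
    @Bean
    public OidcUserService oidcUserService() {
        final StandardOidcUserService userService = new StandardOidcUserService(
                getUserClaimNames(), IdentityMappingUtil.getIdentityMappings(this.properties));
        final DefaultOAuth2UserService oauth2UserService = new DefaultOAuth2UserService();
        oauth2UserService.setRestOperations(this.oidcRestOperations);
        userService.setOauth2UserService(oauth2UserService);
        return userService;
    }

    /**
     * Repository of authorized clients backed by the state manager registered under this
     * repository's class name.
     *
     * @return the authorized client repository
     */
    @Bean
    public StandardOidcAuthorizedClientRepository authorizedClientRepository() {
        return new StandardOidcAuthorizedClientRepository(
                this.stateManagerProvider.getStateManager(StandardOidcAuthorizedClientRepository.class.getName()),
                authorizedClientConverter());
    }

    /**
     * Command that expires stale authorized clients and revokes their tokens, scheduled at the
     * JWS key rotation period on {@link #oidcCommandScheduler()}.
     *
     * @return the scheduled command
     */
    @Bean
    public AuthorizedClientExpirationCommand authorizedClientExpirationCommand() {
        final AuthorizedClientExpirationCommand command =
                new AuthorizedClientExpirationCommand(authorizedClientRepository(), tokenRevocationResponseClient());
        oidcCommandScheduler().scheduleAtFixedRate(command, this.keyRotationPeriod);
        return command;
    }

    /**
     * Scheduler for OIDC housekeeping commands; Spring manages its lifecycle as a bean.
     *
     * @return the task scheduler
     */
    @Bean
    public ThreadPoolTaskScheduler oidcCommandScheduler() {
        final ThreadPoolTaskScheduler scheduler = new ThreadPoolTaskScheduler();
        scheduler.setThreadNamePrefix(OidcSecurityConfiguration.class.getSimpleName());
        return scheduler;
    }

    /**
     * Converter between authorized clients and their persisted form, given the property encryptor
     * and client registrations.
     *
     * @return the converter
     */
    @Bean
    public AuthorizedClientConverter authorizedClientConverter() {
        return new StandardAuthorizedClientConverter(this.propertyEncryptor, this.clientRegistrationRepository);
    }

    /**
     * Repository of pending authorization requests held in a bounded, time-limited Caffeine cache.
     * The bound and expiration limit how many in-flight login attempts are retained.
     *
     * @return the authorization request repository
     */
    @Bean
    public AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository() {
        final CaffeineCache cache = new CaffeineCache(
                StandardAuthorizationRequestRepository.class.getSimpleName(),
                Caffeine.newBuilder()
                        .maximumSize(AUTHORIZATION_REQUEST_CACHE_SIZE)
                        .expireAfterWrite(REQUEST_EXPIRATION)
                        .build());
        return new StandardAuthorizationRequestRepository(cache);
    }

    /**
     * Client for the provider's token revocation endpoint, using the shared OIDC REST client.
     *
     * @return the revocation client
     */
    @Bean
    public TokenRevocationResponseClient tokenRevocationResponseClient() {
        return new StandardTokenRevocationResponseClient(this.oidcRestOperations, this.clientRegistrationRepository);
    }

    /** Success handler that issues a NiFi bearer token and applies identity and group mappings. */
    private OidcAuthenticationSuccessHandler getAuthenticationSuccessHandler() {
        return new OidcAuthenticationSuccessHandler(
                this.bearerTokenProvider,
                IdentityMappingUtil.getIdentityMappings(this.properties),
                IdentityMappingUtil.getGroupMappings(this.properties),
                getUserClaimNames(),
                this.properties.getOidcClaimGroups());
    }

    /**
     * Claim names used to identify the user: the primary claim first, followed by the configured
     * fallback claims in order.
     */
    private List<String> getUserClaimNames() {
        final List<String> claimNames = new ArrayList<>();
        claimNames.add(this.properties.getOidcClaimIdentifyingUser());
        claimNames.addAll(this.properties.getOidcFallbackClaimsIdentifyingUser());
        return claimNames;
    }
}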
