package org.apache.nifi.web.security.oidc.client.web.converter;

import com.fasterxml.jackson.databind.Module;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
import java.util.LinkedHashMap;
import java.util.Objects;
import org.apache.nifi.encrypt.PropertyEncryptor;
import org.apache.nifi.web.security.jwt.provider.SupportedClaim;
import org.apache.nifi.web.security.oidc.OidcConfigurationException;
import org.apache.nifi.web.security.oidc.client.web.OidcAuthorizedClient;
import org.apache.nifi.web.security.oidc.client.web.OidcRegistrationProperty;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;

/* loaded from: input_file:org/apache/nifi/web/security/oidc/client/web/converter/StandardAuthorizedClientConverter.class */
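/**
 * Converts an {@link OidcAuthorizedClient} to and from an encrypted string representation.
 *
 * <p>Encoding maps the client to the package-local {@code AuthorizedClient} model, serializes it to JSON and
 * passes the JSON to the configured {@link PropertyEncryptor}. Decoding reverses those steps.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The intermediate JSON contains the access, refresh and ID token values in clear text. It must never be
 *       logged or placed in exception messages.</li>
 *   <li>This class adds no signature or integrity check of its own; protection of the encoded form rests entirely
 *       on the {@link PropertyEncryptor}. NOTE(review): whether the configured encryptor is authenticated cannot
 *       be determined from this file; confirm against the encryptor implementation.</li>
 *   <li>The ID token rebuilt on decode carries only the subject, issued-at and expiration claims. The token value
 *       is not re-validated here.</li>
 * </ul>
 */
public class StandardAuthorizedClientConverter implements AuthorizedClientConverter {
    private static final Logger logger = LoggerFactory.getLogger(StandardAuthorizedClientConverter.class);

    // JavaTimeModule is registered presumably so Jackson can handle the issued/expiry timestamps on AuthorizedToken
    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper().registerModules(new JavaTimeModule());

    private final PropertyEncryptor propertyEncryptor;

    private final ClientRegistrationRepository clientRegistrationRepository;

    /**
     * Creates a converter bound to the encryptor and registration repository used for every conversion.
     *
     * @param propertyEncryptor Encryptor applied to the serialized JSON, required
     * @param clientRegistrationRepository Repository used to resolve the Client Registration on decode, required
     * @throws NullPointerException when either argument is null
     */
    public StandardAuthorizedClientConverter(PropertyEncryptor propertyEncryptor, ClientRegistrationRepository clientRegistrationRepository) {
        this.propertyEncryptor = Objects.requireNonNull(propertyEncryptor, "Property Encryptor required");
        this.clientRegistrationRepository = Objects.requireNonNull(clientRegistrationRepository, "Client Registry Repository required");
    }

    /**
     * Serializes the Authorized Client to JSON and returns the encrypted result.
     *
     * @param oidcAuthorizedClient Authorized Client to encode, required
     * @return Encrypted string produced by the Property Encryptor
     * @throws NullPointerException when the Authorized Client is null
     * @throws OidcConfigurationException when mapping, serialization or encryption throws
     */
    @Override
    public String getEncoded(OidcAuthorizedClient oidcAuthorizedClient) {
        Objects.requireNonNull(oidcAuthorizedClient, "Authorized Client required");
        try {
            final AuthorizedClient authorizedClient = writeAuthorizedClient(oidcAuthorizedClient);
            // Clear-text JSON holding bearer token values: keep it local and out of logs and messages
            final String serialized = OBJECT_MAPPER.writeValueAsString(authorizedClient);
            return this.propertyEncryptor.encrypt(serialized);
        } catch (Exception e) {
            throw new OidcConfigurationException("OIDC Authorized Client serialization failed", e);
        }
    }

    /**
     * Decrypts and parses an encoded representation back into an Authorized Client.
     *
     * <p>Any failure during decryption, JSON parsing or reconstruction is logged at warn level and reported to the
     * caller as {@code null}. Callers are expected to treat {@code null} as "no authorized client" and fail closed.
     *
     * @param str Encoded representation, required
     * @return Decoded Authorized Client or {@code null} when decoding fails
     * @throws NullPointerException when the encoded representation is null
     */
    @Override
    public OidcAuthorizedClient getDecoded(String str) {
        Objects.requireNonNull(str, "Encoded representation required");
        try {
            final String decrypted = this.propertyEncryptor.decrypt(str);
            final AuthorizedClient authorizedClient = OBJECT_MAPPER.readValue(decrypted, AuthorizedClient.class);
            return readAuthorizedClient(authorizedClient);
        } catch (Exception e) {
            // NOTE(review): the throwable is logged in full. Depending on the Jackson version and its
            // INCLUDE_SOURCE_IN_LOCATION setting, a parse error message can embed part of the decrypted input,
            // which here would be token material. Confirm the setting or log without the exception message.
            logger.warn("OIDC Authorized Client decoding failed", e);
            return null;
        }
    }

    /**
     * Maps the Authorized Client to the serializable model, copying token values and their timestamps.
     * The refresh token is optional; the access token and ID token are dereferenced without a null check.
     */
    private AuthorizedClient writeAuthorizedClient(OidcAuthorizedClient oidcAuthorizedClient) {
        final OAuth2AccessToken accessToken = oidcAuthorizedClient.getAccessToken();
        final AuthorizedToken authorizedAccessToken = new AuthorizedToken(
                accessToken.getTokenValue(),
                accessToken.getIssuedAt(),
                accessToken.getExpiresAt()
        );

        final OAuth2RefreshToken refreshToken = oidcAuthorizedClient.getRefreshToken();
        final AuthorizedToken authorizedRefreshToken;
        if (refreshToken == null) {
            authorizedRefreshToken = null;
        } else {
            authorizedRefreshToken = new AuthorizedToken(
                    refreshToken.getTokenValue(),
                    refreshToken.getIssuedAt(),
                    refreshToken.getExpiresAt()
            );
        }

        final OidcIdToken idToken = oidcAuthorizedClient.getIdToken();
        final AuthorizedToken authorizedIdToken = new AuthorizedToken(
                idToken.getTokenValue(),
                idToken.getIssuedAt(),
                idToken.getExpiresAt()
        );

        return new AuthorizedClient(
                oidcAuthorizedClient.getPrincipalName(),
                authorizedAccessToken,
                authorizedRefreshToken,
                authorizedIdToken
        );
    }

    /**
     * Rebuilds the Authorized Client from the serializable model. The Client Registration is always looked up
     * with the fixed registration identifier from {@link OidcRegistrationProperty#REGISTRATION_ID}, not with a
     * value taken from the decoded data.
     */
    private OidcAuthorizedClient readAuthorizedClient(AuthorizedClient authorizedClient) {
        final String registrationId = OidcRegistrationProperty.REGISTRATION_ID.getProperty();
        return new OidcAuthorizedClient(
                this.clientRegistrationRepository.findByRegistrationId(registrationId),
                authorizedClient.getPrincipalName(),
                getAccessToken(authorizedClient.getAccessToken()),
                getRefreshToken(authorizedClient.getRefreshToken()),
                getIdToken(authorizedClient)
        );
    }

    /** Rebuilds the access token; the token type is always set to BEARER rather than read from stored data. */
    private OAuth2AccessToken getAccessToken(AuthorizedToken authorizedToken) {
        return new OAuth2AccessToken(
                OAuth2AccessToken.TokenType.BEARER,
                authorizedToken.getTokenValue(),
                authorizedToken.getIssuedAt(),
                authorizedToken.getExpiresAt()
        );
    }

    /** Rebuilds the refresh token, or returns {@code null} when none was stored. */
    private OAuth2RefreshToken getRefreshToken(AuthorizedToken authorizedToken) {
        if (authorizedToken == null) {
            return null;
        }
        return new OAuth2RefreshToken(
                authorizedToken.getTokenValue(),
                authorizedToken.getIssuedAt(),
                authorizedToken.getExpiresAt()
        );
    }

    /**
     * Rebuilds the ID token with a minimal claim set: subject from the stored principal name, plus the stored
     * issued-at and expiration values. Other claims of the original ID token are not restored.
     */
    private OidcIdToken getIdToken(AuthorizedClient authorizedClient) {
        final AuthorizedToken idToken = authorizedClient.getIdToken();
        // Typed map replaces the raw LinkedHashMap; insertion order of the claims is kept
        final LinkedHashMap<String, Object> claims = new LinkedHashMap<>();
        claims.put(SupportedClaim.SUBJECT.getClaim(), authorizedClient.getPrincipalName());
        claims.put(SupportedClaim.ISSUED_AT.getClaim(), idToken.getIssuedAt());
        claims.put(SupportedClaim.EXPIRATION.getClaim(), idToken.getExpiresAt());
        return new OidcIdToken(idToken.getTokenValue(), idToken.getIssuedAt(), idToken.getExpiresAt(), claims);
    }
}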
