package org.apache.nifi.web.security.jwt.provider;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jwt.JWTClaimsSet;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import java.util.Objects;
import java.util.UUID;
import java.util.stream.Collectors;
import org.apache.nifi.web.security.jwt.jws.JwsSignerContainer;
import org.apache.nifi.web.security.jwt.jws.JwsSignerProvider;
import org.apache.nifi.web.security.token.LoginAuthenticationToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.GrantedAuthority;

/* loaded from: input_file:org/apache/nifi/web/security/jwt/provider/StandardBearerTokenProvider.class */
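/**
 * Issues signed JSON Web Tokens used as bearer tokens for authenticated logins.
 *
 * <p>Each token carries a random {@code jti}, the principal as {@code sub}, the URL-encoded issuer as both
 * {@code iss} and {@code aud}, and an expiration clamped to the range
 * [{@link #MINIMUM_EXPIRATION}, {@link #MAXIMUM_EXPIRATION}] from the time of issue. The signing key and
 * algorithm come from the configured {@link JwsSignerProvider}; the key identifier is written to the JWS
 * {@code kid} header.
 *
 * <p>Token verification is not part of this class.
 */
public class StandardBearerTokenProvider implements BearerTokenProvider {
    private static final Logger LOGGER = LoggerFactory.getLogger(StandardBearerTokenProvider.class);
    private static final String URL_ENCODED_CHARACTER_SET = StandardCharsets.UTF_8.name();
    // Upper bound on token lifetime: a requested expiration further out than this is shortened.
    private static final Duration MAXIMUM_EXPIRATION = Duration.ofHours(12);
    // Lower bound on token lifetime: a requested expiration sooner than this (including one in the past) is extended.
    private static final Duration MINIMUM_EXPIRATION = Duration.ofMinutes(1);
    private final JwsSignerProvider jwsSignerProvider;

    /**
     * Creates a provider that signs tokens with signers obtained from the given provider.
     *
     * @param jwsSignerProvider source of the signer, algorithm and key identifier for each token
     */
    public StandardBearerTokenProvider(JwsSignerProvider jwsSignerProvider) {
        this.jwsSignerProvider = jwsSignerProvider;
    }

    /**
     * Builds and signs a bearer token for the authenticated login.
     *
     * @param loginAuthenticationToken authenticated login supplying principal, name, issuer, authorities and
     *     requested expiration
     * @return serialized signed token
     * @throws NullPointerException if the token, its principal or its issuer is null
     * @throws IllegalArgumentException if URL encoding of the issuer or signing fails
     */
    @Override
    public String getBearerToken(LoginAuthenticationToken loginAuthenticationToken) {
        Objects.requireNonNull(loginAuthenticationToken, "LoginAuthenticationToken required");
        final String subject =
                Objects.requireNonNull(loginAuthenticationToken.getPrincipal(), "Principal required").toString();
        final String username = loginAuthenticationToken.getName();
        final List<String> groups = getGroups(loginAuthenticationToken.getAuthorities());
        // A null issuer previously surfaced as a message-less NullPointerException from URLEncoder; fail with
        // the same exception type but a message that names the missing field.
        final String issuer = getUrlEncoded(
                Objects.requireNonNull(loginAuthenticationToken.getIssuer(), "Issuer required"));
        final Date now = new Date();
        final Date expirationTime = getExpirationTime(loginAuthenticationToken);

        final JWTClaimsSet claims = new JWTClaimsSet.Builder()
                // Random identifier unique to this token.
                .jwtID(UUID.randomUUID().toString())
                .subject(subject)
                .issuer(issuer)
                // Audience is deliberately the same value as the issuer.
                .audience(issuer)
                .notBeforeTime(now)
                .issueTime(now)
                .expirationTime(expirationTime)
                .claim(SupportedClaim.PREFERRED_USERNAME.getClaim(), username)
                .claim(SupportedClaim.GROUPS.getClaim(), groups)
                .build();
        return getSignedBearerToken(claims);
    }

    /**
     * Returns the token expiration, clamping the expiration requested by the login to the allowed window.
     *
     * <p>The requested value comes from the login token, so it is not trusted as-is: anything beyond
     * now + {@link #MAXIMUM_EXPIRATION} is shortened and anything before now + {@link #MINIMUM_EXPIRATION}
     * is extended. Both adjustments are logged at warn level with the identity name.
     *
     * @param loginAuthenticationToken login whose {@code getExpiration()} is read as epoch milliseconds
     * @return expiration to place in the {@code exp} claim
     */
    private Date getExpirationTime(LoginAuthenticationToken loginAuthenticationToken) {
        final Instant requested = Instant.ofEpochMilli(loginAuthenticationToken.getExpiration());
        // Read the clock once so both bounds are derived from the same instant.
        final Instant now = Instant.now();
        final Instant latest = now.plus(MAXIMUM_EXPIRATION);
        final Instant earliest = now.plus(MINIMUM_EXPIRATION);
        final String name = loginAuthenticationToken.getName();

        if (requested.isAfter(latest)) {
            LOGGER.warn("Identity [{}] Token Expiration [{}] greater than maximum [{}]",
                    name, requested, MAXIMUM_EXPIRATION);
            return Date.from(latest);
        }
        if (requested.isBefore(earliest)) {
            LOGGER.warn("Identity [{}] Token Expiration [{}] less than minimum [{}]",
                    name, requested, MINIMUM_EXPIRATION);
            return Date.from(earliest);
        }
        return Date.from(requested);
    }

    /**
     * Signs the claims and returns the serialized token.
     *
     * @param jWTClaimsSet claims to sign; its expiration time must be set
     * @return serialized signed token
     * @throws IllegalArgumentException if signing fails, with the {@link JOSEException} as cause
     */
    private String getSignedBearerToken(JWTClaimsSet jWTClaimsSet) {
        // The signer is requested with the token expiration; presumably the provider uses it to decide how long
        // the verification key must be retained — confirm against JwsSignerProvider.
        final JwsSignerContainer signerContainer =
                this.jwsSignerProvider.getJwsSignerContainer(jWTClaimsSet.getExpirationTime().toInstant());
        final String keyIdentifier = signerContainer.getKeyIdentifier();
        final JWSAlgorithm jwsAlgorithm = signerContainer.getJwsAlgorithm();
        // The kid header records which key signed the token.
        final JWSHeader header = new JWSHeader.Builder(jwsAlgorithm).keyID(keyIdentifier).build();
        final JWSObject jwsObject = new JWSObject(header, new Payload(jWTClaimsSet.toJSONObject()));
        try {
            jwsObject.sign(signerContainer.getJwsSigner());
            // Only the key identifier and subject are logged, never the serialized token.
            LOGGER.debug("Signed Bearer Token using Key [{}] for Subject [{}]", keyIdentifier, jWTClaimsSet.getSubject());
            return jwsObject.serialize();
        } catch (JOSEException e) {
            throw new IllegalArgumentException(String.format("Signing Failed for Algorithm [%s] Key Identifier [%s]", jwsAlgorithm, keyIdentifier), e);
        }
    }

    /**
     * URL-encodes the given string as UTF-8.
     *
     * @param str value to encode
     * @return encoded value
     * @throws IllegalArgumentException if the character set is reported as unsupported
     */
    private String getUrlEncoded(String str) {
        try {
            return URLEncoder.encode(str, URL_ENCODED_CHARACTER_SET);
        } catch (UnsupportedEncodingException e) {
            throw new IllegalArgumentException(String.format("URL Encoding [%s] Failed", str), e);
        }
    }

    /**
     * Maps granted authorities to the strings placed in the groups claim.
     *
     * @param collection authorities of the authenticated login
     * @return authority strings in the collection's iteration order
     */
    private List<String> getGroups(Collection<? extends GrantedAuthority> collection) {
        // Typed method reference instead of a raw List cast, so the element type is checked by the compiler.
        return collection.stream().map(GrantedAuthority::getAuthority).collect(Collectors.toList());
    }
}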
