package org.apache.nifi.web.security.saml.impl;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import org.apache.nifi.util.StringUtils;
import org.apache.nifi.web.security.jwt.JwtService;
import org.apache.nifi.web.security.saml.SAMLStateManager;
import org.apache.nifi.web.security.token.LoginAuthenticationToken;
import org.apache.nifi.web.security.util.CacheKey;
import org.apache.nifi.web.security.util.IdentityProviderUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/web/security/saml/impl/StandardSAMLStateManager.class */
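/**
 * In-memory {@link SAMLStateManager} that tracks the two short-lived values of a SAML login
 * exchange, both keyed by the request identifier: the state value issued when a login request
 * starts, and the signed JWT produced once the login has completed.
 *
 * <p>Security properties visible in this class:
 * <ul>
 *   <li>Both caches expire entries a fixed time after they are written (60 seconds unless the
 *       three-argument constructor is used), which bounds how long a pending state or an
 *       unclaimed JWT stays redeemable.</li>
 *   <li>A state value and a JWT are each single-use: the entry is invalidated the first time it
 *       is looked up.</li>
 *   <li>Secret values are compared through
 *       {@code IdentityProviderUtils.timeConstantEqualityCheck} rather than
 *       {@code String.equals}; by its name this is a constant-time comparison, but the helper
 *       is not visible here, so confirm it.</li>
 * </ul>
 *
 * <p>Each check-then-act sequence on a cache runs inside a {@code synchronized} block on that
 * cache, so a lookup and the following invalidation cannot interleave with another caller.
 */
public class StandardSAMLStateManager implements SAMLStateManager {
    private static final Logger LOGGER = LoggerFactory.getLogger(StandardSAMLStateManager.class);
    private final JwtService jwtService;
    private final Cache<CacheKey, String> stateLookupForPendingRequests;
    private final Cache<CacheKey, String> jwtLookupForCompletedRequests;

    /**
     * Creates a manager whose cached states and JWTs expire 60 seconds after being stored.
     *
     * @param jwtService service used to sign the token cached by {@link #createJwt}
     */
    public StandardSAMLStateManager(JwtService jwtService) {
        this(jwtService, 60, TimeUnit.SECONDS);
    }

    /**
     * Creates a manager with an explicit expiration for both caches.
     *
     * @param jwtService service used to sign the token cached by {@link #createJwt}
     * @param cacheExpiration how long an entry stays available after it is written
     * @param units unit of {@code cacheExpiration}
     */
    public StandardSAMLStateManager(JwtService jwtService, int cacheExpiration, TimeUnit units) {
        this.jwtService = jwtService;
        this.stateLookupForPendingRequests =
                CacheBuilder.newBuilder().expireAfterWrite(cacheExpiration, units).build();
        this.jwtLookupForCompletedRequests =
                CacheBuilder.newBuilder().expireAfterWrite(cacheExpiration, units).build();
    }

    /**
     * Generates a state value for a new login request and stores it under the request identifier.
     *
     * @param requestIdentifier identifier of the login request; must not be blank
     * @return the newly generated state value
     * @throws IllegalArgumentException if {@code requestIdentifier} is blank
     * @throws IllegalStateException if a state is already stored for this identifier, or if the
     *     value could not be stored
     */
    @Override
    public String createState(String requestIdentifier) {
        if (StringUtils.isBlank(requestIdentifier)) {
            throw new IllegalArgumentException("Request identifier is required");
        }
        final CacheKey key = new CacheKey(requestIdentifier);
        final String generatedState = IdentityProviderUtils.generateStateValue();
        try {
            synchronized (this.stateLookupForPendingRequests) {
                // get() only runs the loader when the key is absent, so getting back a value
                // other than the one just generated means a pending request already owns this
                // identifier. The existing state is left untouched and this call is rejected.
                final String storedState =
                        this.stateLookupForPendingRequests.get(key, () -> generatedState);
                if (!IdentityProviderUtils.timeConstantEqualityCheck(generatedState, storedState)) {
                    throw new IllegalStateException("An existing login request is already in progress.");
                }
            }
            return generatedState;
        } catch (ExecutionException e) {
            // Keep the cause so the underlying cache failure is not lost to operators.
            throw new IllegalStateException("Unable to store the login request state.", e);
        }
    }

    /**
     * Checks a proposed state against the one stored for the request identifier.
     *
     * <p>The stored state is removed as soon as it is found, before the comparison, so every
     * issued state can be tested at most once whether or not the proposal matches.
     *
     * @param requestIdentifier identifier of the login request; must not be blank
     * @param proposedState state value presented by the caller; must not be blank
     * @return {@code true} only if a state was stored for the identifier and it equals
     *     {@code proposedState}
     * @throws IllegalArgumentException if either argument is blank
     */
    @Override
    public boolean isStateValid(String requestIdentifier, String proposedState) {
        if (StringUtils.isBlank(requestIdentifier)) {
            throw new IllegalArgumentException("Request identifier is required");
        }
        if (StringUtils.isBlank(proposedState)) {
            throw new IllegalArgumentException("Proposed state must be specified.");
        }
        final CacheKey key = new CacheKey(requestIdentifier);
        synchronized (this.stateLookupForPendingRequests) {
            final String storedState = this.stateLookupForPendingRequests.getIfPresent(key);
            if (storedState == null) {
                return false;
            }
            // Consume the state first: a wrong guess must not leave it available for a retry.
            this.stateLookupForPendingRequests.invalidate(key);
            return IdentityProviderUtils.timeConstantEqualityCheck(storedState, proposedState);
        }
    }

    /**
     * Signs a JWT for the authenticated token and stores it under the request identifier.
     *
     * @param requestIdentifier identifier of the login request; must not be blank
     * @param token authentication token to sign; must not be {@code null}
     * @throws IllegalStateException if {@code requestIdentifier} is blank, if a JWT is already
     *     stored for this identifier, or if the JWT could not be stored
     * @throws IllegalArgumentException if {@code token} is {@code null}
     */
    @Override
    public void createJwt(String requestIdentifier, LoginAuthenticationToken token) {
        // NOTE(review): a blank identifier raises IllegalStateException here and in getJwt but
        // IllegalArgumentException in createState/isStateValid; left as is for callers.
        if (StringUtils.isBlank(requestIdentifier)) {
            throw new IllegalStateException("Request identifier is required");
        }
        if (token == null) {
            throw new IllegalArgumentException("Token is required");
        }
        final CacheKey key = new CacheKey(requestIdentifier);
        final String signedJwt = this.jwtService.generateSignedToken(token);
        try {
            synchronized (this.jwtLookupForCompletedRequests) {
                // Same store-if-absent check as createState: a different cached value means a
                // JWT is already waiting under this identifier, and it is not overwritten.
                final String storedJwt =
                        this.jwtLookupForCompletedRequests.get(key, () -> signedJwt);
                if (!IdentityProviderUtils.timeConstantEqualityCheck(signedJwt, storedJwt)) {
                    throw new IllegalStateException("An existing login request is already in progress.");
                }
            }
        } catch (ExecutionException e) {
            // Keep the cause so the underlying cache failure is not lost to operators.
            throw new IllegalStateException("Unable to store the login authentication token.", e);
        }
    }

    /**
     * Returns the JWT stored for the request identifier and removes it, so that each stored JWT
     * can be retrieved only once.
     *
     * @param requestIdentifier identifier of the login request; must not be blank
     * @return the stored JWT, or {@code null} if none is present (never stored, already
     *     retrieved, or expired)
     * @throws IllegalStateException if {@code requestIdentifier} is blank
     */
    @Override
    public String getJwt(String requestIdentifier) {
        if (StringUtils.isBlank(requestIdentifier)) {
            throw new IllegalStateException("Request identifier is required");
        }
        final CacheKey key = new CacheKey(requestIdentifier);
        synchronized (this.jwtLookupForCompletedRequests) {
            final String storedJwt = this.jwtLookupForCompletedRequests.getIfPresent(key);
            if (storedJwt != null) {
                this.jwtLookupForCompletedRequests.invalidate(key);
            }
            return storedJwt;
        }
    }
}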
