package org.apache.nifi.web.security.oidc;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.oauth2.sdk.AuthorizationGrant;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.Request;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
import com.nimbusds.openid.connect.sdk.UserInfoRequest;
import com.nimbusds.openid.connect.sdk.UserInfoResponse;
import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
import com.nimbusds.openid.connect.sdk.claims.AccessTokenHash;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
import com.nimbusds.openid.connect.sdk.validators.AccessTokenValidator;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
import com.nimbusds.openid.connect.sdk.validators.InvalidHashException;
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.authentication.exception.IdentityAccessException;
import org.apache.nifi.util.FormatUtils;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.jwt.JwtService;
import org.apache.nifi.web.security.token.LoginAuthenticationToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/web/security/oidc/StandardOidcIdentityProvider.class */
public class StandardOidcIdentityProvider implements OidcIdentityProvider {
    private static final Logger logger = LoggerFactory.getLogger(StandardOidcIdentityProvider.class);
    private final String EMAIL_CLAIM = "email";
    private NiFiProperties properties;
    private JwtService jwtService;
    private OIDCProviderMetadata oidcProviderMetadata;
    private int oidcConnectTimeout;
    private int oidcReadTimeout;
    private IDTokenValidator tokenValidator;
    private ClientID clientId;
    private Secret clientSecret;

    public StandardOidcIdentityProvider(JwtService jwtService, NiFiProperties niFiProperties) {
        this.properties = niFiProperties;
        this.jwtService = jwtService;
    }

    @Override // org.apache.nifi.web.security.oidc.OidcIdentityProvider
    public void initializeProvider() {
        if (!this.properties.isOidcEnabled()) {
            logger.debug("The OIDC provider is not configured or enabled");
            return;
        }
        validateOIDCConfiguration();
        try {
            this.oidcProviderMetadata = retrieveOidcProviderMetadata(this.properties.getOidcDiscoveryUrl());
            validateOIDCProviderMetadata();
        } catch (IOException | ParseException e) {
            throw new RuntimeException("Unable to retrieve OpenId Connect Provider metadata from: " + this.properties.getOidcDiscoveryUrl(), e);
        }
    }

    private void validateOIDCProviderMetadata() {
        if (this.oidcProviderMetadata.getAuthorizationEndpointURI() == null) {
            throw new RuntimeException("OpenId Connect Provider metadata does not contain an Authorization Endpoint.");
        }
        if (this.oidcProviderMetadata.getTokenEndpointURI() == null) {
            throw new RuntimeException("OpenId Connect Provider metadata does not contain a Token Endpoint.");
        }
        List tokenEndpointAuthMethods = this.oidcProviderMetadata.getTokenEndpointAuthMethods();
        logger.info("OpenId Connect: Available clientAuthenticationMethods {} ", tokenEndpointAuthMethods);
        if (tokenEndpointAuthMethods == null || tokenEndpointAuthMethods.isEmpty()) {
            ArrayList arrayList = new ArrayList();
            arrayList.add(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
            this.oidcProviderMetadata.setTokenEndpointAuthMethods(arrayList);
            logger.warn("OpenId Connect: ClientAuthenticationMethods is null, Setting clientAuthenticationMethods as CLIENT_SECRET_BASIC");
        } else if (!tokenEndpointAuthMethods.contains(ClientAuthenticationMethod.CLIENT_SECRET_BASIC) && !tokenEndpointAuthMethods.contains(ClientAuthenticationMethod.CLIENT_SECRET_POST)) {
            throw new RuntimeException(String.format("OpenId Connect Provider does not support %s or %s", ClientAuthenticationMethod.CLIENT_SECRET_BASIC.getValue(), ClientAuthenticationMethod.CLIENT_SECRET_POST.getValue()));
        }
        List iDTokenJWSAlgs = this.oidcProviderMetadata.getIDTokenJWSAlgs();
        if (iDTokenJWSAlgs == null || iDTokenJWSAlgs.isEmpty()) {
            throw new RuntimeException("The OpenId Connect Provider does not support any JWS algorithms.");
        }
        try {
            JWSAlgorithm extractJwsAlgorithm = extractJwsAlgorithm();
            if (extractJwsAlgorithm == null) {
                this.tokenValidator = new IDTokenValidator(this.oidcProviderMetadata.getIssuer(), this.clientId);
            } else if (JWSAlgorithm.HS256.equals(extractJwsAlgorithm) || JWSAlgorithm.HS384.equals(extractJwsAlgorithm) || JWSAlgorithm.HS512.equals(extractJwsAlgorithm)) {
                this.tokenValidator = new IDTokenValidator(this.oidcProviderMetadata.getIssuer(), this.clientId, extractJwsAlgorithm, this.clientSecret);
            } else {
                this.tokenValidator = new IDTokenValidator(this.oidcProviderMetadata.getIssuer(), this.clientId, extractJwsAlgorithm, this.oidcProviderMetadata.getJWKSetURI().toURL(), new DefaultResourceRetriever(this.oidcConnectTimeout, this.oidcReadTimeout));
            }
        } catch (Exception e) {
            throw new RuntimeException("Unable to create the ID token validator for the configured OpenId Connect Provider: " + e.getMessage(), e);
        }
    }

    private JWSAlgorithm extractJwsAlgorithm() {
        String oidcPreferredJwsAlgorithm = this.properties.getOidcPreferredJwsAlgorithm();
        return StringUtils.isBlank(oidcPreferredJwsAlgorithm) ? JWSAlgorithm.RS256 : "none".equalsIgnoreCase(oidcPreferredJwsAlgorithm) ? null : JWSAlgorithm.parse(oidcPreferredJwsAlgorithm);
    }

    private void validateOIDCConfiguration() {
        if (this.properties.isLoginIdentityProviderEnabled() || this.properties.isKnoxSsoEnabled()) {
            throw new RuntimeException("OpenId Connect support cannot be enabled if the Login Identity Provider or Apache Knox SSO is configured.");
        }
        String oidcConnectTimeout = this.properties.getOidcConnectTimeout();
        try {
            this.oidcConnectTimeout = (int) FormatUtils.getPreciseTimeDuration(oidcConnectTimeout, TimeUnit.MILLISECONDS);
        } catch (Exception e) {
            logger.warn("Failed to parse value of property '{}' as a valid time period. Value was '{}'. Ignoring this value and using the default value of '{}'", new Object[]{"nifi.security.user.oidc.connect.timeout", oidcConnectTimeout, "5 secs"});
            this.oidcConnectTimeout = (int) FormatUtils.getPreciseTimeDuration("5 secs", TimeUnit.MILLISECONDS);
        }
        String oidcReadTimeout = this.properties.getOidcReadTimeout();
        try {
            this.oidcReadTimeout = (int) FormatUtils.getPreciseTimeDuration(oidcReadTimeout, TimeUnit.MILLISECONDS);
        } catch (Exception e2) {
            logger.warn("Failed to parse value of property '{}' as a valid time period. Value was '{}'. Ignoring this value and using the default value of '{}'", new Object[]{"nifi.security.user.oidc.read.timeout", oidcReadTimeout, "5 secs"});
            this.oidcReadTimeout = (int) FormatUtils.getPreciseTimeDuration("5 secs", TimeUnit.MILLISECONDS);
        }
        String oidcClientId = this.properties.getOidcClientId();
        if (StringUtils.isBlank(oidcClientId)) {
            throw new RuntimeException("Client ID is required when configuring an OIDC Provider.");
        }
        this.clientId = new ClientID(oidcClientId);
        String oidcClientSecret = this.properties.getOidcClientSecret();
        if (StringUtils.isBlank(oidcClientSecret)) {
            throw new RuntimeException("Client secret is required when configuring an OIDC Provider.");
        }
        this.clientSecret = new Secret(oidcClientSecret);
    }

    private OIDCProviderMetadata retrieveOidcProviderMetadata(String str) throws IOException, ParseException {
        URL url = new URL(str);
        HTTPRequest hTTPRequest = new HTTPRequest(HTTPRequest.Method.GET, url);
        hTTPRequest.setConnectTimeout(this.oidcConnectTimeout);
        hTTPRequest.setReadTimeout(this.oidcReadTimeout);
        HTTPResponse send = hTTPRequest.send();
        if (send.getStatusCode() != 200) {
            throw new IOException("Unable to download OpenId Connect Provider metadata from " + url + ": Status code " + send.getStatusCode());
        }
        return OIDCProviderMetadata.parse(send.getContentAsJSONObject());
    }

    @Override // org.apache.nifi.web.security.oidc.OidcIdentityProvider
    public boolean isOidcEnabled() {
        return this.properties.isOidcEnabled();
    }

    @Override // org.apache.nifi.web.security.oidc.OidcIdentityProvider
    public URI getAuthorizationEndpoint() {
        if (isOidcEnabled()) {
            return this.oidcProviderMetadata.getAuthorizationEndpointURI();
        }
        throw new IllegalStateException(OidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
    }

    @Override // org.apache.nifi.web.security.oidc.OidcIdentityProvider
    public URI getEndSessionEndpoint() {
        if (isOidcEnabled()) {
            return this.oidcProviderMetadata.getEndSessionEndpointURI();
        }
        throw new IllegalStateException(OidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
    }

    @Override // org.apache.nifi.web.security.oidc.OidcIdentityProvider
    public URI getRevocationEndpoint() {
        if (isOidcEnabled()) {
            return this.oidcProviderMetadata.getRevocationEndpointURI();
        }
        throw new IllegalStateException(OidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
    }

    @Override // org.apache.nifi.web.security.oidc.OidcIdentityProvider
    public Scope getScope() {
        if (!isOidcEnabled()) {
            throw new IllegalStateException(OidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
        }
        Scope scope = new Scope(new String[]{"openid", "email"});
        Iterator it = this.properties.getOidcAdditionalScopes().iterator();
        while (it.hasNext()) {
            scope.add((String) it.next());
        }
        return scope;
    }

    @Override // org.apache.nifi.web.security.oidc.OidcIdentityProvider
    public ClientID getClientId() {
        if (isOidcEnabled()) {
            return this.clientId;
        }
        throw new IllegalStateException(OidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
    }

    @Override // org.apache.nifi.web.security.oidc.OidcIdentityProvider
    public LoginAuthenticationToken exchangeAuthorizationCodeforLoginAuthenticationToken(AuthorizationGrant authorizationGrant) throws IOException {
        if (!isOidcEnabled()) {
            throw new IllegalStateException(OidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
        }
        try {
            return convertOIDCTokenToLoginAuthenticationToken((OIDCTokenResponse) authorizeClient(authorizationGrant));
        } catch (RuntimeException | ParseException | JOSEException | BadJOSEException | java.text.ParseException e) {
            throw new RuntimeException("Unable to parse the response from the Token request: " + e.getMessage(), e);
        }
    }

    @Override // org.apache.nifi.web.security.oidc.OidcIdentityProvider
    public String exchangeAuthorizationCodeForAccessToken(AuthorizationGrant authorizationGrant) throws Exception {
        if (!isOidcEnabled()) {
            throw new IllegalStateException(OidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
        }
        try {
            return getAccessTokenString((OIDCTokenResponse) authorizeClient(authorizationGrant));
        } catch (RuntimeException | ParseException | IOException | java.text.ParseException | InvalidHashException e) {
            throw new RuntimeException("Unable to parse the response from the Token request: " + e.getMessage(), e);
        }
    }

    @Override // org.apache.nifi.web.security.oidc.OidcIdentityProvider
    public String exchangeAuthorizationCodeForIdToken(AuthorizationGrant authorizationGrant) {
        if (!isOidcEnabled()) {
            throw new IllegalStateException(OidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
        }
        try {
            return getIdTokenString((OIDCTokenResponse) authorizeClient(authorizationGrant));
        } catch (RuntimeException | JOSEException | BadJOSEException | ParseException | IOException e) {
            throw new RuntimeException("Unable to parse the response from the Token request: " + e.getMessage(), e);
        }
    }

    private String getAccessTokenString(OIDCTokenResponse oIDCTokenResponse) throws Exception {
        OIDCTokens oidcTokens = getOidcTokens(oIDCTokenResponse);
        validateAccessToken(oidcTokens);
        return oidcTokens.getAccessToken().getValue();
    }

    private String getIdTokenString(OIDCTokenResponse oIDCTokenResponse) throws BadJOSEException, JOSEException {
        OIDCTokens oidcTokens = getOidcTokens(oIDCTokenResponse);
        validateIdToken(oidcTokens.getIDToken());
        return oidcTokens.getIDTokenString();
    }

    private TokenResponse authorizeClient(AuthorizationGrant authorizationGrant) throws ParseException, IOException {
        return authorizeClientRequest(createTokenHTTPRequest(authorizationGrant, createClientAuthentication()));
    }

    private TokenResponse authorizeClientRequest(HTTPRequest hTTPRequest) throws ParseException, IOException {
        TokenErrorResponse parse = OIDCTokenResponseParser.parse(hTTPRequest.send());
        if (parse.indicatesSuccess()) {
            return parse;
        }
        throw new RuntimeException("An error occurred while invoking the Token endpoint: " + parse.getErrorObject().getDescription());
    }

    private LoginAuthenticationToken convertOIDCTokenToLoginAuthenticationToken(OIDCTokenResponse oIDCTokenResponse) throws BadJOSEException, JOSEException, java.text.ParseException, IOException {
        OIDCTokens oidcTokens = getOidcTokens(oIDCTokenResponse);
        JWT iDToken = oidcTokens.getIDToken();
        IDTokenClaimsSet validateIdToken = validateIdToken(iDToken);
        String oidcClaimIdentifyingUser = this.properties.getOidcClaimIdentifyingUser();
        String stringClaim = validateIdToken.getStringClaim(oidcClaimIdentifyingUser);
        if (StringUtils.isBlank(stringClaim)) {
            List<String> availableClaims = getAvailableClaims(iDToken.getJWTClaimsSet());
            logger.warn("Failed to obtain the identity of the user with the claim '{}'. The available claims on the OIDC response are: {}. Will attempt to obtain the identity from secondary sources", oidcClaimIdentifyingUser, availableClaims);
            if (oidcClaimIdentifyingUser.equalsIgnoreCase("email") || !availableClaims.contains("email")) {
                Iterator it = this.properties.getOidcFallbackClaimsIdentifyingUser().iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    String str = (String) it.next();
                    if (availableClaims.contains(str)) {
                        stringClaim = validateIdToken.getStringClaim(str);
                        break;
                    }
                }
                if (StringUtils.isBlank(stringClaim)) {
                    stringClaim = retrieveIdentityFromUserInfoEndpoint(oidcTokens);
                }
            } else {
                stringClaim = validateIdToken.getStringClaim("email");
                logger.info("The 'email' claim was present. Using that claim to avoid extra remote call");
            }
        }
        return new LoginAuthenticationToken(stringClaim, stringClaim, validateIdToken.getExpirationTime().getTime() - Calendar.getInstance().getTimeInMillis(), validateIdToken.getIssuer().getValue());
    }

    private OIDCTokens getOidcTokens(OIDCTokenResponse oIDCTokenResponse) {
        return oIDCTokenResponse.getOIDCTokens();
    }

    private String retrieveIdentityFromUserInfoEndpoint(OIDCTokens oIDCTokens) throws IOException {
        BearerAccessToken bearerAccessToken = oIDCTokens.getBearerAccessToken();
        if (bearerAccessToken == null) {
            throw new IllegalStateException("No access token found in the ID tokens");
        }
        return lookupIdentityInUserInfo(createUserInfoRequest(bearerAccessToken));
    }

    private HTTPRequest createTokenHTTPRequest(AuthorizationGrant authorizationGrant, ClientAuthentication clientAuthentication) {
        return formHTTPRequest(new TokenRequest(this.oidcProviderMetadata.getTokenEndpointURI(), clientAuthentication, authorizationGrant));
    }

    private HTTPRequest createUserInfoRequest(BearerAccessToken bearerAccessToken) {
        return formHTTPRequest(new UserInfoRequest(this.oidcProviderMetadata.getUserInfoEndpointURI(), bearerAccessToken));
    }

    private HTTPRequest formHTTPRequest(Request request) {
        HTTPRequest hTTPRequest = request.toHTTPRequest();
        hTTPRequest.setConnectTimeout(this.oidcConnectTimeout);
        hTTPRequest.setReadTimeout(this.oidcReadTimeout);
        return hTTPRequest;
    }

    private ClientAuthentication createClientAuthentication() {
        List tokenEndpointAuthMethods = this.oidcProviderMetadata.getTokenEndpointAuthMethods();
        return (tokenEndpointAuthMethods == null || !tokenEndpointAuthMethods.contains(ClientAuthenticationMethod.CLIENT_SECRET_POST)) ? new ClientSecretBasic(this.clientId, this.clientSecret) : new ClientSecretPost(this.clientId, this.clientSecret);
    }

    private static List<String> getAvailableClaims(JWTClaimsSet jWTClaimsSet) {
        return (List) jWTClaimsSet.getClaims().entrySet().stream().filter(entry -> {
            return StringUtils.isNotBlank(entry.getValue().toString());
        }).map((v0) -> {
            return v0.getKey();
        }).sorted().collect(Collectors.toList());
    }

    private void validateAccessToken(OIDCTokens oIDCTokens) throws Exception {
        try {
            AccessTokenValidator.validate(oIDCTokens.getAccessToken(), extractJwsAlgorithm(), new AccessTokenHash(oIDCTokens.getIDToken().getJWTClaimsSet().getStringClaim("at_hash")));
        } catch (InvalidHashException e) {
            throw new Exception("Unable to validate the Access Token: " + e.getMessage());
        }
    }

    private IDTokenClaimsSet validateIdToken(JWT jwt) throws BadJOSEException, JOSEException {
        try {
            return this.tokenValidator.validate(jwt, (Nonce) null);
        } catch (BadJOSEException e) {
            throw new BadJOSEException("Unable to validate the ID Token: " + e.getMessage());
        }
    }

    private String lookupIdentityInUserInfo(HTTPRequest hTTPRequest) throws IOException {
        try {
            UserInfoSuccessResponse parse = UserInfoResponse.parse(hTTPRequest.send());
            if (!parse.indicatesSuccess()) {
                throw new IdentityAccessException("An error occurred while invoking the UserInfo endpoint: " + ((UserInfoErrorResponse) parse).getErrorObject().getDescription());
            }
            UserInfoSuccessResponse userInfoSuccessResponse = parse;
            String stringClaim = (userInfoSuccessResponse.getUserInfo() != null ? userInfoSuccessResponse.getUserInfo().toJWTClaimsSet() : userInfoSuccessResponse.getUserInfoJWT().getJWTClaimsSet()).getStringClaim(this.properties.getOidcClaimIdentifyingUser());
            if (StringUtils.isBlank(stringClaim)) {
                throw new IllegalStateException("Unable to extract identity from the UserInfo token using the claim '" + this.properties.getOidcClaimIdentifyingUser() + "'.");
            }
            return stringClaim;
        } catch (ParseException | java.text.ParseException e) {
            throw new IdentityAccessException("Unable to parse the response from the UserInfo token request: " + e.getMessage());
        }
    }
}
