package org.apache.nifi.web.security.oidc.authentication;

import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.spec.SecretKeySpec;
import org.apache.nifi.web.security.oidc.OidcConfigurationException;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenValidator;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.converter.ClaimTypeConverter;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithm;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:org/apache/nifi/web/security/oidc/authentication/StandardOidcIdTokenDecoderFactory.class */
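/**
 * {@link JwtDecoderFactory} that builds and caches one {@link JwtDecoder} per OIDC {@link ClientRegistration}
 * for verifying ID Tokens.
 *
 * <p>The JWS algorithm is fixed once, at construction time, and is never taken from the token header. Each
 * decoder is built for exactly one algorithm family:
 * <ul>
 *   <li>{@link SignatureAlgorithm} (RS*, PS*, ES*): verification keys come from the registration's JWK Set URI,
 *       fetched through the supplied {@link RestOperations}.</li>
 *   <li>{@link MacAlgorithm} (HS*): the registration's client secret, as UTF-8 bytes, is the HMAC key.</li>
 * </ul>
 * Passing the configured algorithm to {@code jwsAlgorithm}/{@code macAlgorithm} is what restricts the Nimbus
 * decoder to that one algorithm, so the configured value must match what the provider actually signs with;
 * a token carrying a different {@code alg} is expected to be rejected by the decoder rather than verified with
 * the wrong key type.
 *
 * <p>The decompiled listing this was reconstructed from had lost the casts and generic arguments
 * (e.g. {@code SignatureAlgorithm from = MacAlgorithm.from(str)}), which does not compile; the types are
 * restored here without changing behavior.
 */
public class StandardOidcIdTokenDecoderFactory implements JwtDecoderFactory<ClientRegistration> {
    private static final String MISSING_SIGNATURE_VERIFIER_ERROR_CODE = "missing_signature_verifier";

    /** Verifier errors deliberately carry no error URI. */
    private static final String UNSPECIFIED_ERROR_URI = null;

    /** Selected when no preferred JWS algorithm is configured. */
    private static final JwsAlgorithm DEFAULT_JWS_ALGORITHM = SignatureAlgorithm.RS256;

    /** JCA {@code Mac} algorithm name for each supported JWS MAC algorithm. */
    private static final Map<JwsAlgorithm, String> SECRET_KEY_ALGORITHMS;

    private static final ClaimTypeConverter DEFAULT_CLAIM_TYPE_CONVERTER;

    /** Decoders keyed by registration id; {@code computeIfAbsent} on this map builds each one at most once. */
    private final Map<String, JwtDecoder> jwtDecoders = new ConcurrentHashMap<>();

    private final JwsAlgorithm configuredJwsAlgorithm;

    private final RestOperations restOperations;

    static {
        final Map<JwsAlgorithm, String> secretKeyAlgorithms = new HashMap<>();
        secretKeyAlgorithms.put(MacAlgorithm.HS256, "HmacSHA256");
        secretKeyAlgorithms.put(MacAlgorithm.HS384, "HmacSHA384");
        secretKeyAlgorithms.put(MacAlgorithm.HS512, "HmacSHA512");
        SECRET_KEY_ALGORITHMS = Collections.unmodifiableMap(secretKeyAlgorithms);
        DEFAULT_CLAIM_TYPE_CONVERTER = new ClaimTypeConverter(OidcIdTokenDecoderFactory.createDefaultClaimTypeConverters());
    }

    /**
     * @param preferredJwsAlgorithm JWS algorithm name such as {@code RS256} or {@code HS256}; null or empty selects
     *                              {@link #DEFAULT_JWS_ALGORITHM}
     * @param restOperations        HTTP client used to retrieve JWK Sets for signature algorithms; required
     * @throws OidcConfigurationException when the name is neither a supported signature nor MAC algorithm
     * @throws NullPointerException       when restOperations is null
     */
    public StandardOidcIdTokenDecoderFactory(final String preferredJwsAlgorithm, final RestOperations restOperations) {
        this.configuredJwsAlgorithm = getJwsAlgorithm(preferredJwsAlgorithm);
        this.restOperations = Objects.requireNonNull(restOperations, "REST Operations required");
    }

    /**
     * Returns the decoder for the registration, building it on first use.
     *
     * <p>The cache key is the registration id alone: a later registration carrying the same id but a different
     * client secret or JWK Set URI still receives the decoder built for the first one. A build failure is not
     * cached, so the next call retries.
     *
     * @param clientRegistration registration whose JWK Set URI or client secret supplies the verification key
     * @return decoder that verifies the signature and then applies timestamp and OIDC ID Token claim validation
     * @throws OAuth2AuthenticationException when the registration lacks the material the configured algorithm needs
     */
    @Override
    public JwtDecoder createDecoder(final ClientRegistration clientRegistration) {
        Objects.requireNonNull(clientRegistration, "Client Registration required");
        return jwtDecoders.computeIfAbsent(clientRegistration.getRegistrationId(), registrationId -> {
            final NimbusJwtDecoder decoder = buildDecoder(clientRegistration);
            decoder.setClaimSetConverter(DEFAULT_CLAIM_TYPE_CONVERTER);
            decoder.setJwtValidator(getTokenValidator(clientRegistration));
            return decoder;
        });
    }

    /**
     * Builds a decoder restricted to the configured algorithm, sourcing the key from the registration.
     *
     * @throws OAuth2AuthenticationException when the JWK Set URI (signature algorithms) or client secret
     *                                       (MAC algorithms) is absent, or the algorithm is of neither family
     */
    private NimbusJwtDecoder buildDecoder(final ClientRegistration clientRegistration) {
        if (configuredJwsAlgorithm instanceof SignatureAlgorithm) {
            final String jwkSetUri = clientRegistration.getProviderDetails().getJwkSetUri();
            if (jwkSetUri == null || jwkSetUri.isEmpty()) {
                throw missingVerifier(String.format("JSON Web Key Set URI required for Signature Verifier JWS Algorithm [%s]", configuredJwsAlgorithm));
            }
            return NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
                    .jwsAlgorithm((SignatureAlgorithm) configuredJwsAlgorithm)
                    .restOperations(restOperations)
                    .build();
        }

        if (configuredJwsAlgorithm instanceof MacAlgorithm) {
            final String clientSecret = clientRegistration.getClientSecret();
            if (clientSecret == null || clientSecret.isEmpty()) {
                throw missingVerifier(String.format("Client Secret required for MAC Verifier JWS Algorithm [%s]", configuredJwsAlgorithm));
            }
            // NOTE(review): no minimum key length is enforced here. RFC 7518 requires an HMAC key at least as long
            // as the hash output; a shorter client secret is left for the Nimbus verifier to reject — confirm it does.
            final SecretKeySpec secretKey = new SecretKeySpec(
                    clientSecret.getBytes(StandardCharsets.UTF_8),
                    SECRET_KEY_ALGORITHMS.get(configuredJwsAlgorithm)
            );
            return NimbusJwtDecoder.withSecretKey(secretKey)
                    .macAlgorithm((MacAlgorithm) configuredJwsAlgorithm)
                    .build();
        }

        throw missingVerifier(String.format("Signature Verifier JWS Algorithm [%s] not supported", configuredJwsAlgorithm));
    }

    /**
     * Validator chain applied after signature verification: timestamp checks, then Spring's OIDC ID Token claim
     * checks bound to this registration. Nothing in this chain binds the token to a login nonce; presumably the
     * authentication provider does that — verify against the caller.
     */
    private OAuth2TokenValidator<Jwt> getTokenValidator(final ClientRegistration clientRegistration) {
        return new DelegatingOAuth2TokenValidator<>(new JwtTimestampValidator(), new OidcIdTokenValidator(clientRegistration));
    }

    /**
     * Resolves the configured algorithm name, trying MAC algorithms before signature algorithms. Neither Spring
     * enum defines {@code none}, so an unsigned-token configuration cannot be selected.
     *
     * @throws OidcConfigurationException when the name matches no supported algorithm
     */
    private JwsAlgorithm getJwsAlgorithm(final String preferredJwsAlgorithm) {
        if (preferredJwsAlgorithm == null || preferredJwsAlgorithm.isEmpty()) {
            return DEFAULT_JWS_ALGORITHM;
        }
        final MacAlgorithm macAlgorithm = MacAlgorithm.from(preferredJwsAlgorithm);
        if (macAlgorithm != null) {
            return macAlgorithm;
        }
        final SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.from(preferredJwsAlgorithm);
        if (signatureAlgorithm != null) {
            return signatureAlgorithm;
        }
        throw new OidcConfigurationException(String.format("Preferred JWS Algorithm [%s] not supported", preferredJwsAlgorithm));
    }

    /** Wraps a missing-verifier message in the authentication exception thrown during decoder construction. */
    private OAuth2AuthenticationException missingVerifier(final String message) {
        return new OAuth2AuthenticationException(getVerifierError(message), message);
    }

    private OAuth2Error getVerifierError(final String description) {
        return new OAuth2Error(MISSING_SIGNATURE_VERIFIER_ERROR_CODE, description, UNSPECIFIED_ERROR_URI);
    }
}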
