package org.apache.nifi.web.security.oidc.web.authentication;

import java.net.URI;
import java.time.Instant;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.nifi.authorization.util.IdentityMapping;
import org.apache.nifi.authorization.util.IdentityMappingUtil;
import org.apache.nifi.web.security.cookie.ApplicationCookieName;
import org.apache.nifi.web.security.cookie.ApplicationCookieService;
import org.apache.nifi.web.security.cookie.StandardApplicationCookieService;
import org.apache.nifi.web.security.jwt.provider.BearerTokenProvider;
import org.apache.nifi.web.security.oidc.OidcConfigurationException;
import org.apache.nifi.web.security.token.LoginAuthenticationToken;
import org.apache.nifi.web.util.RequestUriBuilder;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

/* loaded from: input_file:org/apache/nifi/web/security/oidc/web/authentication/OidcAuthenticationSuccessHandler.class */
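/**
 * Authentication success handler for OpenID Connect logins.
 *
 * <p>On success it derives the NiFi identity and group names from the OIDC user's claims, asks the
 * {@link BearerTokenProvider} for an application bearer token whose lifetime is bound to the
 * expiration of the provider's access token, stores that token in the
 * {@link ApplicationCookieName#AUTHORIZATION_BEARER} session cookie scoped to the request root path,
 * and redirects the browser to the UI path.
 *
 * <p>Identity resolution is ordered: the first configured user claim that is present (non-null) wins,
 * so the order of {@code userClaimNames} matters. Group resolution is skipped entirely when no groups
 * claim name is configured.
 */
public class OidcAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
    private static final String UI_PATH = "/nifi/";
    private static final String ROOT_PATH = "/";

    private final ApplicationCookieService applicationCookieService = new StandardApplicationCookieService();
    private final BearerTokenProvider bearerTokenProvider;
    private final List<IdentityMapping> userIdentityMappings;
    private final List<IdentityMapping> groupIdentityMappings;
    private final List<String> userClaimNames;
    // May be null or empty, in which case no groups are resolved from the token
    private final String groupsClaimName;

    /**
     * Creates the handler.
     *
     * @param bearerTokenProvider provider used to issue the application bearer token; required
     * @param userIdentityMappings identity mappings applied to the resolved user identity; required
     * @param groupIdentityMappings identity mappings applied to each resolved group name; required
     * @param userClaimNames claim names consulted, in order, to find the user identity; required
     * @param groupsClaimName claim name holding the group list, or {@code null}/empty to disable group resolution
     * @throws NullPointerException if any required argument is {@code null}
     */
    public OidcAuthenticationSuccessHandler(
            final BearerTokenProvider bearerTokenProvider,
            final List<IdentityMapping> userIdentityMappings,
            final List<IdentityMapping> groupIdentityMappings,
            final List<String> userClaimNames,
            final String groupsClaimName
    ) {
        this.bearerTokenProvider = Objects.requireNonNull(bearerTokenProvider, "Bearer Token Provider required");
        this.userIdentityMappings = Objects.requireNonNull(userIdentityMappings, "User Identity Mappings required");
        this.groupIdentityMappings = Objects.requireNonNull(groupIdentityMappings, "Group Identity Mappings required");
        this.userClaimNames = Objects.requireNonNull(userClaimNames, "User Claim Names required");
        this.groupsClaimName = groupsClaimName;
    }

    /**
     * Issues the bearer token cookie for the authenticated user and returns the UI URL to redirect to.
     *
     * @param request HTTP request used to build the cookie scope and redirect URL
     * @param response HTTP response that receives the session cookie
     * @param authentication completed authentication; must be an {@link OAuth2AuthenticationToken}
     * @return absolute URL of the UI path derived from the request
     * @throws IllegalArgumentException if the authentication, its credentials or its principal are not of the expected types,
     *         or if the access token carries no expiration
     * @throws OidcConfigurationException if none of the configured user claims is present in the token
     */
    @Override
    public String determineTargetUrl(final HttpServletRequest request, final HttpServletResponse response, final Authentication authentication) {
        // Cookie is scoped to the root path so it is sent for both the UI and the API under it
        final URI cookieScope = RequestUriBuilder.fromHttpServletRequest(request).path(ROOT_PATH).build();
        processAuthentication(response, authentication, cookieScope);
        return RequestUriBuilder.fromHttpServletRequest(request).path(UI_PATH).build().toString();
    }

    /** Resolves identity, groups and access token from the authentication and writes the bearer token cookie. */
    private void processAuthentication(final HttpServletResponse response, final Authentication authentication, final URI cookieScope) {
        final OAuth2AuthenticationToken authenticationToken = getAuthenticationToken(authentication);
        final OidcUser oidcUser = getOidcUser(authenticationToken);
        final String bearerToken = getBearerToken(getIdentity(oidcUser), getAccessToken(authenticationToken), getGroups(oidcUser));
        applicationCookieService.addSessionCookie(cookieScope, response, ApplicationCookieName.AUTHORIZATION_BEARER, bearerToken);
    }

    /**
     * Builds the application bearer token for the mapped identity.
     *
     * @param identity mapped user identity
     * @param accessToken provider access token whose expiration bounds the session
     * @param groups mapped group names, converted to granted authorities
     * @return serialized bearer token from the provider
     */
    private String getBearerToken(final String identity, final OAuth2AccessToken accessToken, final Set<String> groups) {
        final Set<SimpleGrantedAuthority> authorities = groups.stream()
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toSet());
        final LoginAuthenticationToken loginToken = new LoginAuthenticationToken(identity, getSessionExpiration(accessToken), authorities);
        return bearerTokenProvider.getBearerToken(loginToken);
    }

    /**
     * Returns the token expiration used as the application session expiration.
     *
     * @throws IllegalArgumentException if the token has no expiration, so a session can never be issued without a bound lifetime
     */
    private Instant getSessionExpiration(final OAuth2Token token) {
        final Instant expiresAt = token.getExpiresAt();
        if (expiresAt == null) {
            throw new IllegalArgumentException("Token expiration claim not found");
        }
        return expiresAt;
    }

    private OAuth2AuthenticationToken getAuthenticationToken(final Authentication authentication) {
        if (authentication instanceof OAuth2AuthenticationToken) {
            return (OAuth2AuthenticationToken) authentication;
        }
        // Null-safe: report the actual type (or null) instead of failing with an NPE while building the message
        throw new IllegalArgumentException(String.format("OAuth2AuthenticationToken not found [%s]", classNameOf(authentication)));
    }

    private OAuth2AccessToken getAccessToken(final OAuth2AuthenticationToken authenticationToken) {
        final Object credentials = authenticationToken.getCredentials();
        if (credentials instanceof OAuth2AccessToken) {
            return (OAuth2AccessToken) credentials;
        }
        throw new IllegalArgumentException(String.format("OAuth2AccessToken not found in credentials [%s]", classNameOf(credentials)));
    }

    private OidcUser getOidcUser(final OAuth2AuthenticationToken authenticationToken) {
        // getPrincipal() is declared as the broader OAuth2User type; only OidcUser exposes the claim accessors used here
        final Object principal = authenticationToken.getPrincipal();
        if (principal instanceof OidcUser) {
            return (OidcUser) principal;
        }
        throw new IllegalArgumentException(String.format("OpenID Connect User not found [%s]", classNameOf(principal)));
    }

    /**
     * Resolves the user identity from the first configured claim present in the token and applies the user identity mappings.
     *
     * @throws OidcConfigurationException if none of the configured claims is present
     */
    private String getIdentity(final OidcUser oidcUser) {
        final String claimIdentity = userClaimNames.stream()
                .map(oidcUser::getClaimAsString)
                .filter(Objects::nonNull)
                .findFirst()
                .orElseThrow(() -> new OidcConfigurationException(String.format("User Identity not found in Token Claims %s", userClaimNames)));
        return IdentityMappingUtil.mapIdentity(claimIdentity, userIdentityMappings);
    }

    /**
     * Resolves group names from the configured groups claim and applies the group identity mappings.
     *
     * @return mapped group names; empty when no groups claim is configured or the claim is absent
     */
    private Set<String> getGroups(final OidcUser oidcUser) {
        if (groupsClaimName == null || groupsClaimName.isEmpty()) {
            return Collections.emptySet();
        }
        final List<String> claimGroups = oidcUser.getClaimAsStringList(groupsClaimName);
        if (claimGroups == null) {
            return Collections.emptySet();
        }
        return claimGroups.stream()
                .map(group -> IdentityMappingUtil.mapIdentity(group, groupIdentityMappings))
                .collect(Collectors.toSet());
    }

    /** Class name for diagnostics, tolerating a null reference. */
    private static String classNameOf(final Object object) {
        return object == null ? null : object.getClass().getName();
    }
}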
