package org.apache.nifi.web.security.configuration;

import java.net.http.HttpClient;
import java.time.Duration;
import java.util.Arrays;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import org.apache.nifi.util.FormatUtils;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.oidc.registration.DisabledClientRegistrationRepository;
import org.apache.nifi.web.security.oidc.registration.StandardClientRegistrationProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.http.client.JdkClientHttpRequestFactory;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.http.converter.StringHttpMessageConverter;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;

@Configuration
/* loaded from: input_file:org/apache/nifi/web/security/configuration/ClientRegistrationConfiguration.class */
public class ClientRegistrationConfiguration {
    private static final Duration DEFAULT_SOCKET_TIMEOUT = Duration.ofSeconds(5);
    private static final String NIFI_TRUSTSTORE_STRATEGY = "NIFI";
    private final NiFiProperties properties;
    private final SSLContext sslContext;

    public ClientRegistrationConfiguration(@Autowired NiFiProperties niFiProperties, @Autowired(required = false) SSLContext sSLContext) {
        this.properties = (NiFiProperties) Objects.requireNonNull(niFiProperties, "Application properties required");
        this.sslContext = sSLContext;
    }

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        return this.properties.isOidcEnabled() ? new InMemoryClientRegistrationRepository(new ClientRegistration[]{new StandardClientRegistrationProvider(this.properties, oidcRestOperations()).getClientRegistration()}) : new DisabledClientRegistrationRepository();
    }

    @Bean
    public RestOperations oidcRestOperations() {
        RestTemplate restTemplate = new RestTemplate(oidcClientHttpRequestFactory());
        restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
        restTemplate.setMessageConverters(Arrays.asList(new FormHttpMessageConverter(), new OAuth2AccessTokenResponseHttpMessageConverter(), new StringHttpMessageConverter(), new MappingJackson2HttpMessageConverter()));
        return restTemplate;
    }

    @Bean
    public ClientHttpRequestFactory oidcClientHttpRequestFactory() {
        JdkClientHttpRequestFactory jdkClientHttpRequestFactory = new JdkClientHttpRequestFactory(getHttpClient());
        jdkClientHttpRequestFactory.setReadTimeout(getTimeout(this.properties.getOidcReadTimeout()));
        return jdkClientHttpRequestFactory;
    }

    private HttpClient getHttpClient() {
        HttpClient.Builder connectTimeout = HttpClient.newBuilder().connectTimeout(getTimeout(this.properties.getOidcConnectTimeout()));
        if (NIFI_TRUSTSTORE_STRATEGY.equals(this.properties.getOidcClientTruststoreStrategy())) {
            connectTimeout.sslContext(this.sslContext);
        }
        return connectTimeout.build();
    }

    private Duration getTimeout(String str) {
        try {
            return Duration.ofMillis(Math.round(FormatUtils.getPreciseTimeDuration(str, TimeUnit.MILLISECONDS)));
        } catch (RuntimeException e) {
            return DEFAULT_SOCKET_TIMEOUT;
        }
    }
}
