package org.apache.nifi.web.security.oidc.client.web;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Collections;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.stream.Collectors;
import org.apache.nifi.authorization.user.NiFiUserUtils;
import org.apache.nifi.web.security.cookie.ApplicationCookieName;
import org.apache.nifi.web.security.cookie.ApplicationCookieService;
import org.apache.nifi.web.security.cookie.StandardApplicationCookieService;
import org.apache.nifi.web.security.jwt.provider.BearerTokenProvider;
import org.apache.nifi.web.security.jwt.provider.SupportedClaim;
import org.apache.nifi.web.security.token.LoginAuthenticationToken;
import org.apache.nifi.web.servlet.shared.RequestUriBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2RefreshTokenGrantRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:org/apache/nifi/web/security/oidc/client/web/OidcBearerTokenRefreshFilter.class */
public class OidcBearerTokenRefreshFilter extends OncePerRequestFilter {
    private static final String ROOT_PATH = "/";
    private static final Logger logger = LoggerFactory.getLogger(OidcBearerTokenRefreshFilter.class);
    private final Duration refreshWindow;
    private final BearerTokenProvider bearerTokenProvider;
    private final BearerTokenResolver bearerTokenResolver;
    private final JwtDecoder jwtDecoder;
    private final OAuth2AuthorizedClientRepository authorizedClientRepository;
    private final OAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> refreshTokenResponseClient;
    private final AntPathRequestMatcher currentUserRequestMatcher = new AntPathRequestMatcher("/flow/current-user");
    private final ApplicationCookieService applicationCookieService = new StandardApplicationCookieService();
    private final ConcurrentMap<String, Instant> refreshRequests = new ConcurrentHashMap();

    public OidcBearerTokenRefreshFilter(Duration duration, BearerTokenProvider bearerTokenProvider, BearerTokenResolver bearerTokenResolver, JwtDecoder jwtDecoder, OAuth2AuthorizedClientRepository oAuth2AuthorizedClientRepository, OAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> oAuth2AccessTokenResponseClient) {
        this.refreshWindow = (Duration) Objects.requireNonNull(duration, "Refresh Window required");
        this.bearerTokenProvider = (BearerTokenProvider) Objects.requireNonNull(bearerTokenProvider, "Bearer Token Provider required");
        this.bearerTokenResolver = (BearerTokenResolver) Objects.requireNonNull(bearerTokenResolver, "Bearer Token Resolver required");
        this.jwtDecoder = (JwtDecoder) Objects.requireNonNull(jwtDecoder, "JWT Decoder required");
        this.authorizedClientRepository = (OAuth2AuthorizedClientRepository) Objects.requireNonNull(oAuth2AuthorizedClientRepository, "Authorized Client Repository required");
        this.refreshTokenResponseClient = (OAuth2AccessTokenResponseClient) Objects.requireNonNull(oAuth2AccessTokenResponseClient, "Refresh Token Response Client required");
    }

    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (this.currentUserRequestMatcher.matches(httpServletRequest)) {
            String niFiUserIdentity = NiFiUserUtils.getNiFiUserIdentity();
            if (this.refreshRequests.putIfAbsent(niFiUserIdentity, Instant.now()) == null) {
                logger.debug("Identity [{}] Bearer Token refresh processing started", niFiUserIdentity);
                try {
                    try {
                        processRequest(niFiUserIdentity, httpServletRequest, httpServletResponse);
                        this.refreshRequests.remove(niFiUserIdentity);
                        logger.debug("Identity [{}] Bearer Token refresh processing completed", niFiUserIdentity);
                    } catch (Exception e) {
                        logger.error("Identity [{}] Bearer Token refresh processing failed", niFiUserIdentity, e);
                        this.refreshRequests.remove(niFiUserIdentity);
                        logger.debug("Identity [{}] Bearer Token refresh processing completed", niFiUserIdentity);
                    }
                } catch (Throwable th) {
                    this.refreshRequests.remove(niFiUserIdentity);
                    logger.debug("Identity [{}] Bearer Token refresh processing completed", niFiUserIdentity);
                    throw th;
                }
            }
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    private void processRequest(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (isRefreshRequired(str, httpServletRequest)) {
            logger.info("Identity [{}] Bearer Token refresh required", str);
            OidcAuthorizedClient loadAuthorizedClient = loadAuthorizedClient(httpServletRequest);
            if (loadAuthorizedClient == null) {
                logger.warn("Identity [{}] OIDC Authorized Client not found", str);
                return;
            }
            OAuth2AccessTokenResponse refreshTokenResponse = getRefreshTokenResponse(loadAuthorizedClient, httpServletRequest, httpServletResponse);
            if (refreshTokenResponse == null) {
                logger.warn("Identity [{}] OpenID Connect Refresh Token not found", str);
                return;
            }
            this.applicationCookieService.addSessionCookie(RequestUriBuilder.fromHttpServletRequest(httpServletRequest).path(ROOT_PATH).build(), httpServletResponse, ApplicationCookieName.AUTHORIZATION_BEARER, getBearerToken(str, refreshTokenResponse));
        }
    }

    private boolean isRefreshRequired(String str, HttpServletRequest httpServletRequest) {
        boolean isAfter;
        String resolve = this.bearerTokenResolver.resolve(httpServletRequest);
        if (resolve == null) {
            logger.debug("Identity [{}] Bearer Token not found", str);
            isAfter = false;
        } else {
            isAfter = Instant.now().plus((TemporalAmount) this.refreshWindow).isAfter((Instant) Objects.requireNonNull(this.jwtDecoder.decode(resolve).getExpiresAt(), "Bearer Token expiration claim not found"));
        }
        return isAfter;
    }

    private OidcAuthorizedClient loadAuthorizedClient(HttpServletRequest httpServletRequest) {
        return (OidcAuthorizedClient) this.authorizedClientRepository.loadAuthorizedClient(OidcRegistrationProperty.REGISTRATION_ID.getProperty(), SecurityContextHolder.getContext().getAuthentication(), httpServletRequest);
    }

    private String getBearerToken(String str, OAuth2AccessTokenResponse oAuth2AccessTokenResponse) {
        return this.bearerTokenProvider.getBearerToken(new LoginAuthenticationToken(str, getSessionExpiration(oAuth2AccessTokenResponse.getAccessToken()), getProviderAuthorities()));
    }

    private Instant getSessionExpiration(OAuth2AccessToken oAuth2AccessToken) {
        Instant expiresAt = oAuth2AccessToken.getExpiresAt();
        if (expiresAt == null) {
            throw new IllegalArgumentException("OpenID Connect Access Token expiration claim not found");
        }
        return expiresAt;
    }

    private OAuth2AccessTokenResponse getRefreshTokenResponse(OidcAuthorizedClient oidcAuthorizedClient, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        OAuth2AccessTokenResponse refreshTokenResponse;
        if (oidcAuthorizedClient.getRefreshToken() == null) {
            refreshTokenResponse = null;
        } else {
            refreshTokenResponse = getRefreshTokenResponse(oidcAuthorizedClient);
            OAuth2RefreshToken refreshToken = refreshTokenResponse.getRefreshToken();
            this.authorizedClientRepository.saveAuthorizedClient(new OidcAuthorizedClient(oidcAuthorizedClient.getClientRegistration(), oidcAuthorizedClient.getPrincipalName(), refreshTokenResponse.getAccessToken(), refreshToken == null ? oidcAuthorizedClient.getRefreshToken() : refreshToken, oidcAuthorizedClient.getIdToken()), getAuthenticationToken(oidcAuthorizedClient), httpServletRequest, httpServletResponse);
        }
        return refreshTokenResponse;
    }

    private OAuth2AccessTokenResponse getRefreshTokenResponse(OidcAuthorizedClient oidcAuthorizedClient) {
        return this.refreshTokenResponseClient.getTokenResponse(new OAuth2RefreshTokenGrantRequest(oidcAuthorizedClient.getClientRegistration(), oidcAuthorizedClient.getAccessToken(), (OAuth2RefreshToken) Objects.requireNonNull(oidcAuthorizedClient.getRefreshToken(), "Refresh Token required")));
    }

    private OAuth2AuthenticationToken getAuthenticationToken(OidcAuthorizedClient oidcAuthorizedClient) {
        ClientRegistration clientRegistration = oidcAuthorizedClient.getClientRegistration();
        return new OAuth2AuthenticationToken(new DefaultOidcUser(Collections.emptyList(), oidcAuthorizedClient.getIdToken(), SupportedClaim.SUBJECT.getClaim()), Collections.emptyList(), clientRegistration.getRegistrationId());
    }

    private Set<? extends GrantedAuthority> getProviderAuthorities() {
        Set identityProviderGroups = NiFiUserUtils.getNiFiUser().getIdentityProviderGroups();
        return identityProviderGroups == null ? Collections.emptySet() : (Set) identityProviderGroups.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toSet());
    }
}
