package org.apache.nifi.web.security.configuration;

import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.jwt.proc.JWTClaimsSetVerifier;
import com.nimbusds.jwt.proc.JWTProcessor;
import java.time.Duration;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.apache.nifi.admin.service.IdpUserGroupService;
import org.apache.nifi.authorization.Authorizer;
import org.apache.nifi.components.state.StateManagerProvider;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.StandardAuthenticationEntryPoint;
import org.apache.nifi.web.security.jwt.converter.StandardJwtAuthenticationConverter;
import org.apache.nifi.web.security.jwt.jws.StandardJWSKeySelector;
import org.apache.nifi.web.security.jwt.jws.StandardJwsSignerProvider;
import org.apache.nifi.web.security.jwt.key.StandardVerificationKeySelector;
import org.apache.nifi.web.security.jwt.key.command.KeyExpirationCommand;
import org.apache.nifi.web.security.jwt.key.command.KeyGenerationCommand;
import org.apache.nifi.web.security.jwt.key.service.StandardVerificationKeyService;
import org.apache.nifi.web.security.jwt.key.service.VerificationKeyService;
import org.apache.nifi.web.security.jwt.provider.BearerTokenProvider;
import org.apache.nifi.web.security.jwt.provider.StandardBearerTokenProvider;
import org.apache.nifi.web.security.jwt.provider.SupportedClaim;
import org.apache.nifi.web.security.jwt.resolver.StandardBearerTokenResolver;
import org.apache.nifi.web.security.jwt.revocation.JwtLogoutListener;
import org.apache.nifi.web.security.jwt.revocation.JwtRevocationService;
import org.apache.nifi.web.security.jwt.revocation.JwtRevocationValidator;
import org.apache.nifi.web.security.jwt.revocation.StandardJwtLogoutListener;
import org.apache.nifi.web.security.jwt.revocation.StandardJwtRevocationService;
import org.apache.nifi.web.security.jwt.revocation.command.RevocationExpirationCommand;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;

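@Configuration
/* loaded from: input_file:org/apache/nifi/web/security/configuration/JwtAuthenticationSecurityConfiguration.class */
/**
 * Spring configuration wiring NiFi's JWT bearer-token authentication: token resolution from the
 * request, signature verification against the rotating JWS key set, claim-presence verification,
 * revocation checking, and the scheduled commands that rotate keys and expire stale state.
 *
 * <p>Bean methods call one another directly (e.g. {@link #jwtDecoder()} from several beans); this
 * relies on the {@code @Configuration} proxy returning the same singleton on each call.
 */
public class JwtAuthenticationSecurityConfiguration {
    /**
     * Claims that must be present in every accepted token. Only presence is enforced here (see
     * {@link #claimsSetVerifier()}); no claim value is pinned by this verifier.
     */
    private static final Set<String> REQUIRED_CLAIMS = new HashSet<>(Arrays.asList(
            SupportedClaim.ISSUER.getClaim(),
            SupportedClaim.SUBJECT.getClaim(),
            SupportedClaim.AUDIENCE.getClaim(),
            SupportedClaim.EXPIRATION.getClaim(),
            SupportedClaim.NOT_BEFORE.getClaim(),
            SupportedClaim.ISSUED_AT.getClaim(),
            SupportedClaim.JWT_ID.getClaim()));

    private final NiFiProperties niFiProperties;
    private final Authorizer authorizer;
    private final IdpUserGroupService idpUserGroupService;
    private final StateManagerProvider stateManagerProvider;
    /** Period shared by key rotation, key expiration and revocation expiration scheduling. */
    private final Duration keyRotationPeriod;

    /**
     * Creates the configuration from injected collaborators.
     *
     * @param niFiProperties       NiFi properties; the JWS key rotation period is read from them
     * @param authorizer           authorizer handed to the authentication converter
     * @param idpUserGroupService  identity-provider group service handed to the authentication converter
     * @param stateManagerProvider provider of per-component state managers used for key and revocation storage
     */
    @Autowired
    public JwtAuthenticationSecurityConfiguration(final NiFiProperties niFiProperties,
                                                  final Authorizer authorizer,
                                                  final IdpUserGroupService idpUserGroupService,
                                                  final StateManagerProvider stateManagerProvider) {
        this.niFiProperties = niFiProperties;
        this.authorizer = authorizer;
        this.idpUserGroupService = idpUserGroupService;
        this.stateManagerProvider = stateManagerProvider;
        this.keyRotationPeriod = niFiProperties.getSecurityUserJwsKeyRotationPeriod();
    }

    /**
     * Servlet filter that extracts a bearer token and authenticates it.
     *
     * @param authenticationManager manager the filter delegates authentication to
     * @return filter configured with NiFi's token resolver and authentication entry point
     */
    @Bean
    public BearerTokenAuthenticationFilter bearerTokenAuthenticationFilter(final AuthenticationManager authenticationManager) {
        final BearerTokenAuthenticationFilter filter = new BearerTokenAuthenticationFilter(authenticationManager);
        filter.setBearerTokenResolver(bearerTokenResolver());
        filter.setAuthenticationEntryPoint(authenticationEntryPoint());
        return filter;
    }

    /** @return resolver that locates the bearer token in an incoming request */
    @Bean
    public BearerTokenResolver bearerTokenResolver() {
        return new StandardBearerTokenResolver();
    }

    /** @return entry point wrapping Spring's bearer-token entry point for unauthenticated requests */
    @Bean
    public StandardAuthenticationEntryPoint authenticationEntryPoint() {
        return new StandardAuthenticationEntryPoint(new BearerTokenAuthenticationEntryPoint());
    }

    /** @return authentication provider that decodes tokens and converts them with NiFi's converter */
    @Bean
    public JwtAuthenticationProvider jwtAuthenticationProvider() {
        final JwtAuthenticationProvider provider = new JwtAuthenticationProvider(jwtDecoder());
        provider.setJwtAuthenticationConverter(jwtAuthenticationConverter());
        return provider;
    }

    /**
     * Decoder backed by the Nimbus processor. After signature and claim-presence checks, the token
     * must pass both Spring's default validator and the revocation validator.
     *
     * @return configured decoder
     */
    @Bean
    public JwtDecoder jwtDecoder() {
        final NimbusJwtDecoder decoder = new NimbusJwtDecoder(jwtProcessor());
        final OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefault(),
                jwtRevocationValidator());
        decoder.setJwtValidator(validator);
        return decoder;
    }

    /** @return validator that rejects tokens recorded as revoked */
    @Bean
    public OAuth2TokenValidator<Jwt> jwtRevocationValidator() {
        return new JwtRevocationValidator(jwtRevocationService());
    }

    /** @return revocation service persisted via the state manager keyed by its own class name */
    @Bean
    public JwtRevocationService jwtRevocationService() {
        return new StandardJwtRevocationService(
                this.stateManagerProvider.getStateManager(StandardJwtRevocationService.class.getName()));
    }

    /** @return logout listener that decodes the presented token and records its revocation */
    @Bean
    public JwtLogoutListener jwtLogoutListener() {
        return new StandardJwtLogoutListener(jwtDecoder(), jwtRevocationService());
    }

    /** @return Nimbus processor using NiFi's key selector and claims verifier */
    @Bean
    public JWTProcessor<SecurityContext> jwtProcessor() {
        final DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(jwsKeySelector());
        processor.setJWTClaimsSetVerifier(claimsSetVerifier());
        return processor;
    }

    /** @return selector that picks the verification key for a token's JWS header */
    @Bean
    public JWSKeySelector<SecurityContext> jwsKeySelector() {
        return new StandardJWSKeySelector(verificationKeySelector());
    }

    /**
     * Verifier requiring {@link #REQUIRED_CLAIMS} to be present. The exact-match claim set is
     * {@code null}, so issuer and audience values are not pinned here; any value check on those
     * claims has to happen in another component (e.g. the authentication converter).
     *
     * @return claims verifier
     */
    @Bean
    public JWTClaimsSetVerifier<SecurityContext> claimsSetVerifier() {
        return new DefaultJWTClaimsVerifier<>((JWTClaimsSet) null, REQUIRED_CLAIMS);
    }

    /** @return converter that maps a decoded token to a NiFi authentication */
    @Bean
    public StandardJwtAuthenticationConverter jwtAuthenticationConverter() {
        return new StandardJwtAuthenticationConverter(this.authorizer, this.idpUserGroupService, this.niFiProperties);
    }

    /** @return provider that issues signed bearer tokens */
    @Bean
    public BearerTokenProvider bearerTokenProvider() {
        return new StandardBearerTokenProvider(jwsSignerProvider());
    }

    /** @return signer provider backed by the current verification key selector */
    @Bean
    public StandardJwsSignerProvider jwsSignerProvider() {
        return new StandardJwsSignerProvider(verificationKeySelector());
    }

    /** @return key selector that rotates keys on the configured rotation period */
    @Bean
    public StandardVerificationKeySelector verificationKeySelector() {
        return new StandardVerificationKeySelector(verificationKeyService(), this.keyRotationPeriod);
    }

    /** @return verification key service persisted via the state manager keyed by its own class name */
    @Bean
    public VerificationKeyService verificationKeyService() {
        return new StandardVerificationKeyService(
                this.stateManagerProvider.getStateManager(StandardVerificationKeyService.class.getName()));
    }

    /** @return command generating new signing keys, scheduled at the key rotation period */
    @Bean
    public KeyGenerationCommand keyGenerationCommand() {
        return scheduleAtKeyRotationPeriod(new KeyGenerationCommand(jwsSignerProvider(), verificationKeySelector()));
    }

    /** @return command expiring old verification keys, scheduled at the key rotation period */
    @Bean
    public KeyExpirationCommand keyExpirationCommand() {
        return scheduleAtKeyRotationPeriod(new KeyExpirationCommand(verificationKeyService()));
    }

    /** @return command expiring stale revocation entries, scheduled at the key rotation period */
    @Bean
    public RevocationExpirationCommand revocationExpirationCommand() {
        return scheduleAtKeyRotationPeriod(new RevocationExpirationCommand(jwtRevocationService()));
    }

    /**
     * Scheduler running the key and revocation maintenance commands.
     * NOTE(review): pool size is left at the Spring default, so the three commands appear to share one
     * thread and run serially — confirm that is acceptable if a command can block.
     *
     * @return scheduler whose threads are prefixed with this configuration's simple class name
     */
    @Bean
    public ThreadPoolTaskScheduler commandScheduler() {
        final ThreadPoolTaskScheduler scheduler = new ThreadPoolTaskScheduler();
        // getClass() may resolve to the configuration proxy subclass at runtime; the prefix is informational only
        scheduler.setThreadNamePrefix(getClass().getSimpleName());
        return scheduler;
    }

    /**
     * Registers a maintenance command with the shared scheduler at the key rotation period.
     *
     * @param command command to run at a fixed rate
     * @param <T>     command type
     * @return the same command instance, for use as the bean value
     */
    private <T extends Runnable> T scheduleAtKeyRotationPeriod(final T command) {
        commandScheduler().scheduleAtFixedRate(command, this.keyRotationPeriod);
        return command;
    }
}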
