package org.apache.nifi.web.security.saml2.registration;

import java.io.IOException;
import java.io.InputStream;
import java.time.Duration;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.ResponseBody;
import org.apache.nifi.security.util.SslContextFactory;
import org.apache.nifi.security.util.StandardTlsConfiguration;
import org.apache.nifi.security.util.TlsConfiguration;
import org.apache.nifi.security.util.TlsException;
import org.apache.nifi.util.FormatUtils;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.saml2.SamlConfigurationException;
import org.springframework.core.io.DefaultResourceLoader;
import org.springframework.core.io.ResourceLoader;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;

/* loaded from: input_file:org/apache/nifi/web/security/saml2/registration/StandardRegistrationBuilderProvider.class */
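class StandardRegistrationBuilderProvider implements RegistrationBuilderProvider {
    /** Truststore strategy value that selects the NiFi-configured truststore for metadata retrieval over HTTPS. */
    static final String NIFI_TRUST_STORE_STRATEGY = "NIFI";

    /** Case-sensitive prefix that routes a metadata location to the HTTP client; matches both http and https. */
    private static final String HTTP_SCHEME_PREFIX = "http";

    private static final ResourceLoader resourceLoader = new DefaultResourceLoader();

    private final NiFiProperties properties;

    /**
     * Standard Registration Builder Provider backed by NiFi Properties
     *
     * @param niFiProperties Properties supplying the Identity Provider metadata location and HTTP client settings
     * @throws NullPointerException Thrown when properties are null
     */
    public StandardRegistrationBuilderProvider(final NiFiProperties niFiProperties) {
        this.properties = Objects.requireNonNull(niFiProperties, "Properties required");
    }

    /**
     * Get Relying Party Registration Builder from the configured Identity Provider metadata location
     *
     * @return Relying Party Registration Builder parsed from metadata
     * @throws NullPointerException Thrown when the metadata URL property is null
     * @throws SamlConfigurationException Thrown when reading, retrieving or closing the metadata fails
     */
    @Override
    public RelyingPartyRegistration.Builder getRegistrationBuilder() {
        final String metadataUrl = Objects.requireNonNull(this.properties.getSamlIdentityProviderMetadataUrl(), "Metadata URL required");
        // try-with-resources closes the stream on every path, including when metadata parsing throws
        try (InputStream inputStream = getInputStream(metadataUrl)) {
            return RelyingPartyRegistrations.fromMetadata(inputStream);
        } catch (final IOException e) {
            throw new SamlConfigurationException(String.format("SAML Metadata loading failed [%s]", metadataUrl), e);
        }
    }

    /**
     * Open the metadata location: http/https locations go through the HTTP client, anything else through the Resource Loader
     *
     * @param metadataUrl Metadata location
     * @return Input Stream of metadata; the caller is responsible for closing it
     * @throws IOException Thrown when the resource cannot be opened
     */
    private InputStream getInputStream(final String metadataUrl) throws IOException {
        if (metadataUrl.startsWith(HTTP_SCHEME_PREFIX)) {
            return getRemoteInputStream(metadataUrl);
        }
        return resourceLoader.getResource(metadataUrl).getInputStream();
    }

    /**
     * Retrieve metadata over HTTP using the configured client
     *
     * @param metadataUrl Metadata URL
     * @return Body stream of a successful response; closing the stream releases the response
     * @throws SamlConfigurationException Thrown on a non-successful status or a transport failure
     * @throws NullPointerException Thrown when a successful response carries no body
     */
    private InputStream getRemoteInputStream(final String metadataUrl) {
        final Request request = new Request.Builder().get().url(metadataUrl).build();
        try {
            final Response response = getHttpClient().newCall(request).execute();
            if (!response.isSuccessful()) {
                // Release the connection before reporting the status
                response.close();
                throw new SamlConfigurationException(String.format("SAML Metadata retrieval failed [%s] HTTP %d", metadataUrl, response.code()));
            }
            final ResponseBody body = response.body();
            if (body == null) {
                response.close();
                throw new NullPointerException("SAML Metadata response not found");
            }
            return body.byteStream();
        } catch (final IOException e) {
            throw new SamlConfigurationException(String.format("SAML Metadata retrieval failed [%s]", metadataUrl), e);
        }
    }

    /**
     * Build an HTTP client with the configured connect and read timeouts, using the NiFi truststore when selected
     *
     * @return OkHttp Client
     */
    private OkHttpClient getHttpClient() {
        final OkHttpClient.Builder builder = new OkHttpClient.Builder()
                .connectTimeout(getDuration(this.properties.getSamlHttpClientConnectTimeout()))
                .readTimeout(getDuration(this.properties.getSamlHttpClientReadTimeout()));
        // Any other strategy leaves the builder's default TLS settings in effect
        if (NIFI_TRUST_STORE_STRATEGY.equals(this.properties.getSamlHttpClientTruststoreStrategy())) {
            setSslSocketFactory(builder);
        }
        return builder.build();
    }

    /**
     * Convert a NiFi time duration property to a Duration with millisecond precision
     *
     * @param timeDuration Time duration property value
     * @return Duration in milliseconds
     */
    private static Duration getDuration(final String timeDuration) {
        return Duration.ofMillis((long) FormatUtils.getPreciseTimeDuration(timeDuration, TimeUnit.MILLISECONDS));
    }

    /**
     * Configure the client with an SSL Socket Factory and Trust Manager derived from NiFi TLS properties
     *
     * @param builder OkHttp Client Builder to configure
     * @throws SamlConfigurationException Thrown when TLS configuration fails
     * @throws NullPointerException Thrown when no Trust Manager or SSL Context can be created
     */
    private void setSslSocketFactory(final OkHttpClient.Builder builder) {
        final TlsConfiguration tlsConfiguration = StandardTlsConfiguration.fromNiFiProperties(this.properties);
        try {
            final X509TrustManager trustManager = Objects.requireNonNull(
                    SslContextFactory.getX509TrustManager(tlsConfiguration), "TrustManager required");
            final SSLContext sslContext = Objects.requireNonNull(
                    SslContextFactory.createSslContext(tlsConfiguration, new TrustManager[]{trustManager}), "SSLContext required");
            // OkHttp requires the Trust Manager alongside the factory so it can apply the same trust decisions
            builder.sslSocketFactory(sslContext.getSocketFactory(), trustManager);
        } catch (final TlsException e) {
            throw new SamlConfigurationException("SAML Metadata HTTP TLS configuration failed", e);
        }
    }
}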
