package org.apache.nifi.authorization.azure;

import com.google.gson.JsonObject;
import com.microsoft.graph.core.ClientException;
import com.microsoft.graph.models.extensions.IGraphServiceClient;
import com.microsoft.graph.options.Option;
import com.microsoft.graph.options.QueryOption;
import com.microsoft.graph.requests.extensions.GraphServiceClient;
import com.microsoft.graph.requests.extensions.IGroupCollectionPage;
import com.microsoft.graph.requests.extensions.IGroupCollectionRequest;
import com.microsoft.graph.requests.extensions.IGroupCollectionRequestBuilder;
import com.microsoft.graph.requests.extensions.IUserCollectionWithReferencesPage;
import com.microsoft.graph.requests.extensions.IUserCollectionWithReferencesRequestBuilder;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import java.util.stream.Collectors;
import org.apache.nifi.authorization.AuthorizerConfigurationContext;
import org.apache.nifi.authorization.Group;
import org.apache.nifi.authorization.User;
import org.apache.nifi.authorization.UserAndGroups;
import org.apache.nifi.authorization.UserGroupProvider;
import org.apache.nifi.authorization.UserGroupProviderInitializationContext;
import org.apache.nifi.authorization.azure.ClientCredentialAuthProvider;
import org.apache.nifi.authorization.exception.AuthorizationAccessException;
import org.apache.nifi.authorization.exception.AuthorizerCreationException;
import org.apache.nifi.authorization.exception.AuthorizerDestructionException;
import org.apache.nifi.components.PropertyValue;
import org.apache.nifi.util.FormatUtils;
import org.apache.nifi.util.StopWatch;
import org.apache.nifi.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/authorization/azure/AzureGraphUserGroupProvider.class */
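/**
 * {@link UserGroupProvider} that mirrors a filtered set of Azure AD (Microsoft Graph) groups
 * and their transitive user members into NiFi users and groups.
 *
 * <p>The directory is read with client-credential (application) authentication, snapshotted into
 * an {@link ImmutableAzureGraphUserGroup}, and re-read on a fixed delay by a single background
 * thread. Lookups always serve the most recent complete snapshot, so readers never observe a
 * partially refreshed directory. The client secret is held in memory only and is never logged.
 *
 * <p>Group selection is the union of an explicit inclusion list ({@value #GROUP_FILTER_LIST_PROPERTY})
 * and a server-side prefix filter combined with client-side suffix / substring filters. Values that are
 * interpolated into OData {@code $filter} expressions are escaped as OData string literals.
 */
public class AzureGraphUserGroupProvider implements UserGroupProvider {
    private String claimForUserName;
    private ScheduledExecutorService scheduler;
    public static final String REFRESH_DELAY_PROPERTY = "Refresh Delay";
    private static final long MINIMUM_SYNC_INTERVAL_MILLISECONDS = 10000;
    public static final String AUTHORITY_ENDPOINT_PROPERTY = "Authority Endpoint";
    public static final String TENANT_ID_PROPERTY = "Directory ID";
    public static final String APP_REG_CLIENT_ID_PROPERTY = "Application ID";
    public static final String APP_REG_CLIENT_SECRET_PROPERTY = "Client Secret";
    public static final String GROUP_FILTER_LIST_PROPERTY = "Group Filter List Inclusion";
    public static final String GROUP_FILTER_PREFIX_PROPERTY = "Group Filter Prefix";
    public static final String GROUP_FILTER_SUFFIX_PROPERTY = "Group Filter Suffix";
    public static final String GROUP_FILTER_SUBSTRING_PROPERTY = "Group Filter Substring";
    public static final String PAGE_SIZE_PROPERTY = "Page Size";
    public static final String CLAIM_FOR_USERNAME = "Claim for Username";
    public static final String DEFAULT_REFRESH_DELAY = "5 mins";
    public static final String DEFAULT_PAGE_SIZE = "50";
    public static final String DEFAULT_CLAIM_FOR_USERNAME = "upn";
    public static final int MAX_PAGE_SIZE = 999;
    public static final String AZURE_PUBLIC_CLOUD = "https://login.microsoftonline.com/";
    private ClientCredentialAuthProvider authProvider;
    private IGraphServiceClient graphClient;
    // Latest complete directory snapshot; swapped atomically so readers see all-or-nothing.
    private final AtomicReference<ImmutableAzureGraphUserGroup> azureGraphUserGroupRef = new AtomicReference<>();
    private static final Logger logger = LoggerFactory.getLogger(AzureGraphUserGroupProvider.class);
    static final List<String> REST_CALL_KEYWORDS = Arrays.asList("$select", "$top", "$expand", "$search", "$filter", "$format", "$count", "$skip", "$orderby");

    // Claim value that selects the directory "mail" attribute (falling back to UPN) as the NiFi identity.
    private static final String EMAIL_CLAIM = "email";
    // Graph properties requested for group members; only these appear in the raw member object.
    private static final String USER_SELECT_FIELDS = "id, displayName, mail, userPrincipalName";

    /**
     * One resolved directory group together with the NiFi users that are its (transitive) members.
     */
    public static class UserGroupQueryResult {
        private final Group group;
        private final Set<User> users;

        /**
         * @param group the NiFi group built from the directory group
         * @param set   the NiFi users that are members of {@code group}
         */
        public UserGroupQueryResult(Group group, Set<User> set) {
            this.group = group;
            this.users = set;
        }

        /** @return the resolved NiFi group */
        public Group getGroup() {
            return this.group;
        }

        /** @return the member users of the resolved group */
        public Set<User> getUsers() {
            return this.users;
        }
    }

    /**
     * Returns the current directory snapshot.
     *
     * @throws AuthorizationAccessException if no refresh has completed yet (provider not configured)
     */
    private ImmutableAzureGraphUserGroup snapshot() throws AuthorizationAccessException {
        final ImmutableAzureGraphUserGroup current = this.azureGraphUserGroupRef.get();
        if (current == null) {
            throw new AuthorizationAccessException("User groups have not been loaded; the provider is not configured yet");
        }
        return current;
    }

    /**
     * @param identifier the NiFi group identifier (the directory group object id)
     * @return the group, or {@code null} if it is not in the current snapshot
     * @throws AuthorizationAccessException if no snapshot is available
     */
    public Group getGroup(String identifier) throws AuthorizationAccessException {
        return snapshot().getGroup(identifier);
    }

    /**
     * @return all groups in the current snapshot
     * @throws AuthorizationAccessException if no snapshot is available
     */
    public Set<Group> getGroups() throws AuthorizationAccessException {
        return snapshot().getGroups();
    }

    /**
     * @param identifier the NiFi user identifier (the directory user object id)
     * @return the user, or {@code null} if it is not in the current snapshot
     * @throws AuthorizationAccessException if no snapshot is available
     */
    public User getUser(String identifier) throws AuthorizationAccessException {
        return snapshot().getUser(identifier);
    }

    /**
     * @param identity the user identity (UPN or mail, per {@value #CLAIM_FOR_USERNAME})
     * @return the user and the groups it belongs to, from the current snapshot
     * @throws AuthorizationAccessException if no snapshot is available
     */
    public UserAndGroups getUserAndGroups(String identity) throws AuthorizationAccessException {
        return snapshot().getUserAndGroups(identity);
    }

    /**
     * @param identity the user identity (UPN or mail, per {@value #CLAIM_FOR_USERNAME})
     * @return the user, or {@code null} if no user in the snapshot has that identity
     * @throws AuthorizationAccessException if no snapshot is available
     */
    public User getUserByIdentity(String identity) throws AuthorizationAccessException {
        return snapshot().getUserByPrincipalName(identity);
    }

    /**
     * @return all users in the current snapshot
     * @throws AuthorizationAccessException if no snapshot is available
     */
    public Set<User> getUsers() throws AuthorizationAccessException {
        return snapshot().getUsers();
    }

    /**
     * Creates the single-threaded refresh scheduler. No directory access happens here.
     *
     * @param initializationContext supplies the provider identifier used in the refresh thread name
     */
    public void initialize(final UserGroupProviderInitializationContext initializationContext) throws AuthorizerCreationException {
        // Resolved here on purpose: inside the former anonymous ThreadFactory, getClass() named the
        // anonymous class (empty simple name) rather than this provider.
        final String providerName = getClass().getSimpleName();
        final String providerId = initializationContext.getIdentifier();
        final ThreadFactory threadFactory = runnable -> {
            final Thread thread = Executors.defaultThreadFactory().newThread(runnable);
            thread.setName(String.format("%s (%s) - UserGroup Refresh", providerName, providerId));
            return thread;
        };
        this.scheduler = Executors.newSingleThreadScheduledExecutor(threadFactory);
    }

    /**
     * Reads a configuration property, treating unset or blank values as absent.
     *
     * @param context      the authorizer configuration
     * @param name         the property name
     * @param defaultValue returned when the property is unset or blank (may be {@code null})
     * @return the trimmed-as-configured value, or {@code defaultValue}
     */
    private String getProperty(AuthorizerConfigurationContext context, String name, String defaultValue) {
        final PropertyValue property = context.getProperty(name);
        if (property == null || !property.isSet()) {
            return defaultValue;
        }
        final String value = property.getValue();
        return StringUtils.isNotBlank(value) ? value : defaultValue;
    }

    /**
     * Reads a duration property (e.g. {@code "5 mins"}) as milliseconds.
     *
     * @throws AuthorizerCreationException if the value is not a valid duration or is below
     *                                     {@value #MINIMUM_SYNC_INTERVAL_MILLISECONDS} ms
     */
    private long getDelayProperty(AuthorizerConfigurationContext context, String name, String defaultValue) {
        final String duration = getProperty(context, name, defaultValue);
        final long millis;
        try {
            millis = Math.round(FormatUtils.getPreciseTimeDuration(duration, TimeUnit.MILLISECONDS));
        } catch (IllegalArgumentException e) {
            throw new AuthorizerCreationException(String.format("The %s '%s' is not a valid time interval.", name, duration), e);
        }
        if (millis < MINIMUM_SYNC_INTERVAL_MILLISECONDS) {
            throw new AuthorizerCreationException(String.format("The %s '%s' is below the minimum value of '%d ms'", name, duration, MINIMUM_SYNC_INTERVAL_MILLISECONDS));
        }
        return millis;
    }

    /**
     * Reads and validates {@value #PAGE_SIZE_PROPERTY}.
     *
     * @return the page size; values {@code <= 0} mean "do not send {@code $top}"
     * @throws AuthorizerCreationException if the value is not an integer or exceeds {@value #MAX_PAGE_SIZE}
     */
    private int getPageSizeProperty(AuthorizerConfigurationContext context) {
        final String raw = getProperty(context, PAGE_SIZE_PROPERTY, DEFAULT_PAGE_SIZE);
        final int pageSize;
        try {
            pageSize = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            throw new AuthorizerCreationException(String.format("The %s '%s' is not a valid integer.", PAGE_SIZE_PROPERTY, raw), e);
        }
        if (pageSize > MAX_PAGE_SIZE) {
            throw new AuthorizerCreationException(String.format("Max page size for Microsoft Graph is %d.", MAX_PAGE_SIZE));
        }
        return pageSize;
    }

    /**
     * @return whether {@code value} is exactly one of the OData system query keywords
     */
    private boolean hasReservedKeyword(String value) {
        return value != null && REST_CALL_KEYWORDS.contains(value);
    }

    /**
     * Escapes a value for interpolation into a single-quoted OData string literal: a literal
     * single quote is represented by doubling it.
     *
     * @param value the raw value (may be {@code null})
     * @return the escaped value, or {@code null} if {@code value} is {@code null}
     */
    static String escapeODataStringLiteral(String value) {
        return value == null ? null : value.replace("'", "''");
    }

    /**
     * Validates configuration, builds the Graph client, performs the first directory load
     * synchronously, and schedules periodic refreshes.
     *
     * @throws AuthorizerCreationException if a required property is missing or invalid, the client
     *                                     cannot be built, or the initial load fails
     */
    public void onConfigured(AuthorizerConfigurationContext context) throws AuthorizerCreationException {
        final String providerName = getClass().getSimpleName();
        final long refreshDelayMillis = getDelayProperty(context, REFRESH_DELAY_PROPERTY, DEFAULT_REFRESH_DELAY);
        final String authorityEndpoint = getProperty(context, AUTHORITY_ENDPOINT_PROPERTY, AZURE_PUBLIC_CLOUD);
        final String tenantId = getProperty(context, TENANT_ID_PROPERTY, null);
        final String clientId = getProperty(context, APP_REG_CLIENT_ID_PROPERTY, null);
        final String clientSecret = getProperty(context, APP_REG_CLIENT_SECRET_PROPERTY, null);
        this.claimForUserName = getProperty(context, CLAIM_FOR_USERNAME, DEFAULT_CLAIM_FOR_USERNAME);

        if (StringUtils.isBlank(tenantId)) {
            throw new AuthorizerCreationException(String.format("%s is a required field for %s", TENANT_ID_PROPERTY, providerName));
        }
        if (StringUtils.isBlank(clientId)) {
            throw new AuthorizerCreationException(String.format("%s is a required field for %s", APP_REG_CLIENT_ID_PROPERTY, providerName));
        }
        if (StringUtils.isBlank(clientSecret)) {
            throw new AuthorizerCreationException(String.format("%s is a required field for %s", APP_REG_CLIENT_SECRET_PROPERTY, providerName));
        }
        final int pageSize = getPageSizeProperty(context);

        // Validate the group filters before touching the directory so misconfiguration fails fast.
        final String groupFilterPrefix = getProperty(context, GROUP_FILTER_PREFIX_PROPERTY, null);
        final String groupFilterSuffix = getProperty(context, GROUP_FILTER_SUFFIX_PROPERTY, null);
        final String groupFilterSubstring = getProperty(context, GROUP_FILTER_SUBSTRING_PROPERTY, null);
        final String groupFilterList = getProperty(context, GROUP_FILTER_LIST_PROPERTY, null);
        if (StringUtils.isBlank(groupFilterPrefix) && StringUtils.isBlank(groupFilterSuffix)
                && StringUtils.isBlank(groupFilterSubstring) && StringUtils.isBlank(groupFilterList)) {
            throw new AuthorizerCreationException(String.format("At least one group filter (%s, %s, %s, %s) should be specified for %s",
                    GROUP_FILTER_PREFIX_PROPERTY, GROUP_FILTER_SUFFIX_PROPERTY, GROUP_FILTER_SUBSTRING_PROPERTY, GROUP_FILTER_LIST_PROPERTY, providerName));
        }
        if (hasReservedKeyword(groupFilterPrefix)) {
            throw new AuthorizerCreationException(String.format("Prefix shouldn't have any reserved keywords ([%s])", StringUtils.join(REST_CALL_KEYWORDS, ",")));
        }

        try {
            this.authProvider = new ClientCredentialAuthProvider.Builder()
                    .authorityEndpoint(authorityEndpoint)
                    .tenantId(tenantId)
                    .clientId(clientId)
                    .clientSecret(clientSecret)
                    .build();
            this.graphClient = GraphServiceClient.builder().authenticationProvider(this.authProvider).buildClient();
        } catch (ClientException e) {
            throw new AuthorizerCreationException(String.format("Failed to create a GraphServiceClient due to %s", e.getMessage()), e);
        }

        try {
            // First load is synchronous so that a snapshot exists before any lookup is served.
            refreshUserGroup(groupFilterList, groupFilterPrefix, groupFilterSuffix, groupFilterSubstring, pageSize);
        } catch (IOException | ClientException e) {
            throw new AuthorizerCreationException(String.format("Failed to load UserGroup due to %s", e.getMessage()), e);
        }

        this.scheduler.scheduleWithFixedDelay(() -> {
            try {
                refreshUserGroup(groupFilterList, groupFilterPrefix, groupFilterSuffix, groupFilterSubstring, pageSize);
            } catch (Throwable th) {
                // A failed refresh keeps the previous snapshot; the scheduler keeps running.
                logger.error("Error refreshing user groups due to {}", th.getMessage(), th);
            }
        }, refreshDelayMillis, refreshDelayMillis, TimeUnit.MILLISECONDS);
    }

    /**
     * Resolves the selected group names and rebuilds the directory snapshot from them.
     */
    private void refreshUserGroup(String groupFilterList, String prefix, String suffix, String substring, int pageSize) throws IOException, ClientException {
        logger.debug("Refreshing user groups");
        final StopWatch stopWatch = new StopWatch(true);
        final Set<String> groupNames = getGroupsWith(groupFilterList, prefix, suffix, substring, pageSize);
        refreshUserGroupData(groupNames, pageSize);
        stopWatch.stop();
        logger.debug("Refreshed {} user groups in {}", groupNames.size(), stopWatch.getDuration());
    }

    /**
     * Computes the set of group display names to mirror: the groups matching the prefix / suffix /
     * substring filters (queried from the directory) plus the comma-separated inclusion list.
     *
     * @return an unmodifiable set of display names, possibly empty
     */
    private Set<String> getGroupsWith(String groupFilterList, String prefix, String suffix, String substring, int pageSize) {
        final Set<String> groupNames = new HashSet<>();
        final boolean hasPatternFilter = !StringUtils.isBlank(prefix) || !StringUtils.isBlank(suffix) || !StringUtils.isBlank(substring);
        if (hasPatternFilter) {
            groupNames.addAll(queryGroupsWith(prefix, suffix, substring, pageSize));
        }
        if (!StringUtils.isBlank(groupFilterList)) {
            groupNames.addAll(Arrays.stream(groupFilterList.split(","))
                    .map(String::trim)
                    .filter(name -> !name.isEmpty())
                    .collect(Collectors.toList()));
        }
        return Collections.unmodifiableSet(groupNames);
    }

    /**
     * Client-side part of the group filter; the prefix is applied server-side in {@link #queryGroupsWith}.
     *
     * @return {@code true} if {@code displayName} is non-null and satisfies every non-empty filter
     */
    private static boolean matchesGroupFilter(String displayName, String suffix, String substring) {
        if (displayName == null) {
            return false;
        }
        if (!StringUtils.isEmpty(suffix) && !displayName.endsWith(suffix)) {
            return false;
        }
        return StringUtils.isEmpty(substring) || displayName.contains(substring);
    }

    /**
     * Pages through the directory's groups, applying {@code prefix} as an OData {@code startswith}
     * filter and {@code suffix} / {@code substring} locally.
     *
     * @param pageSize sent as {@code $top} when positive
     * @return an unmodifiable set of matching display names
     */
    private Set<String> queryGroupsWith(String prefix, String suffix, String substring, int pageSize) {
        final Set<String> groupNames = new HashSet<>();
        IGroupCollectionRequest request = StringUtils.isEmpty(prefix)
                ? this.graphClient.groups().buildRequest(new Option[0])
                : this.graphClient.groups().buildRequest(Arrays.asList(
                        new QueryOption("$filter", String.format("startswith(displayName, '%s')", escapeODataStringLiteral(prefix)))));
        request = request.select("displayName");
        if (pageSize > 0) {
            request = request.top(pageSize);
        }

        IGroupCollectionPage page = request.get();
        while (page != null) {
            final List<com.microsoft.graph.models.extensions.Group> current = page.getCurrentPage();
            if (current == null) {
                break;
            }
            for (com.microsoft.graph.models.extensions.Group group : current) {
                if (matchesGroupFilter(group.displayName, suffix, substring)) {
                    groupNames.add(group.displayName);
                }
            }
            final IGroupCollectionRequestBuilder nextPage = page.getNextPage();
            page = nextPage == null ? null : nextPage.buildRequest(new Option[0]).get();
        }
        return Collections.unmodifiableSet(groupNames);
    }

    /**
     * Reads a string property from a raw Graph object.
     *
     * @return the value, or {@code null} if the property is absent or JSON null
     */
    private static String jsonString(JsonObject raw, String key) {
        if (raw == null || !raw.has(key) || raw.get(key).isJsonNull()) {
            return null;
        }
        return raw.get(key).getAsString();
    }

    /**
     * Converts a Graph member object into a NiFi user. The identity is the UPN unless
     * {@value #CLAIM_FOR_USERNAME} is {@code "email"} and the member has a mail attribute.
     *
     * @return the user, or {@code null} if the member lacks an id or a usable identity
     */
    private User toNifiUser(JsonObject raw) {
        final String id = jsonString(raw, "id");
        final String upn = jsonString(raw, "userPrincipalName");
        String identity = upn;
        if (EMAIL_CLAIM.equals(this.claimForUserName)) {
            final String mail = jsonString(raw, "mail");
            if (!StringUtils.isEmpty(mail)) {
                identity = mail;
            }
        }
        if (StringUtils.isBlank(id) || StringUtils.isBlank(identity)) {
            // NOTE(review): User.Builder is expected to reject blank identifier/identity — skip rather than fail the whole refresh.
            logger.warn("Skipping directory member without an id or usable identity (id: {})", id);
            return null;
        }
        return new User.Builder().identifier(id).identity(identity).build();
    }

    /**
     * Resolves one directory group by exact display name and collects its transitive user members.
     *
     * @param groupName the display name to look up (matched with an OData {@code eq} filter)
     * @param pageSize  accepted for symmetry with the group query but not applied to the member
     *                  request; member paging follows the server's page size
     * @return the group and its users, or {@code null} if no group has that display name
     */
    private UserGroupQueryResult getUsersFrom(String groupName, int pageSize) throws IOException, ClientException {
        final IGroupCollectionPage groupPage = this.graphClient.groups()
                .buildRequest(Arrays.asList(new QueryOption("$filter", String.format("displayName eq '%s'", escapeODataStringLiteral(groupName)))))
                .get();
        final List<com.microsoft.graph.models.extensions.Group> matches = groupPage.getCurrentPage();
        if (matches == null || matches.isEmpty()) {
            return null;
        }
        final com.microsoft.graph.models.extensions.Group azureGroup = matches.get(0);
        final Group.Builder groupBuilder = new Group.Builder().identifier(azureGroup.id).name(azureGroup.displayName);
        final Set<User> users = new HashSet<>();

        IUserCollectionWithReferencesPage memberPage = this.graphClient.groups(azureGroup.id)
                .transitiveMembersAsUser()
                .buildRequest(new Option[0])
                .select(USER_SELECT_FIELDS)
                .get();
        while (memberPage != null && memberPage.getCurrentPage() != null) {
            for (com.microsoft.graph.models.extensions.User member : memberPage.getCurrentPage()) {
                final User user = toNifiUser(member.getRawObject());
                if (user != null) {
                    users.add(user);
                    groupBuilder.addUser(user.getIdentifier());
                }
            }
            final IUserCollectionWithReferencesRequestBuilder nextPage = memberPage.getNextPage();
            memberPage = nextPage == null ? null : nextPage.buildRequest(new Option[0]).get();
        }
        return new UserGroupQueryResult(groupBuilder.build(), users);
    }

    /**
     * Resolves every selected group and publishes a new snapshot. Groups that no longer exist are
     * skipped; the snapshot is replaced only after all groups have been read.
     */
    private void refreshUserGroupData(Set<String> groupNames, int pageSize) throws IOException, ClientException {
        Objects.requireNonNull(groupNames, "groupNames");
        final Set<User> users = new HashSet<>();
        final Set<Group> groups = new HashSet<>();
        for (String groupName : groupNames) {
            logger.debug("Getting users for group filter: {}", groupName);
            final UserGroupQueryResult result = getUsersFrom(groupName, pageSize);
            if (result != null) {
                groups.add(result.getGroup());
                users.addAll(result.getUsers());
            }
        }
        this.azureGraphUserGroupRef.set(ImmutableAzureGraphUserGroup.newInstance(users, groups));
    }

    /**
     * Stops the refresh scheduler, waiting briefly for an in-flight refresh before forcing shutdown.
     */
    public void preDestruction() throws AuthorizerDestructionException {
        final ScheduledExecutorService executor = this.scheduler;
        if (executor == null) {
            return;
        }
        executor.shutdown();
        try {
            if (!executor.awaitTermination(MINIMUM_SYNC_INTERVAL_MILLISECONDS, TimeUnit.MILLISECONDS)) {
                executor.shutdownNow();
            }
        } catch (InterruptedException e) {
            executor.shutdownNow();
            // Preserve the interrupt for the caller rather than swallowing it.
            Thread.currentThread().interrupt();
            logger.warn("Error shutting down user group refresh scheduler due to {}", e.getMessage(), e);
        }
    }
}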
