package org.apache.nifi.oauth2;

import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.PropertyNamingStrategies;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import okhttp3.FormBody;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.Tags;
import org.apache.nifi.annotation.lifecycle.OnDisabled;
import org.apache.nifi.annotation.lifecycle.OnEnabled;
import org.apache.nifi.components.AllowableValue;
import org.apache.nifi.components.ConfigVerificationResult;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.components.Validator;
import org.apache.nifi.controller.AbstractControllerService;
import org.apache.nifi.controller.ConfigurationContext;
import org.apache.nifi.controller.VerifiableControllerService;
import org.apache.nifi.expression.ExpressionLanguageScope;
import org.apache.nifi.logging.ComponentLog;
import org.apache.nifi.processor.exception.ProcessException;
import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.ssl.SSLContextService;

@CapabilityDescription("Provides OAuth 2.0 access tokens that can be used as Bearer authorization header in HTTP requests. Uses Resource Owner Password Credentials Grant.")
@Tags({"oauth2", "provider", "authorization", "access token", "http"})
/* loaded from: input_file:org/apache/nifi/oauth2/StandardOauth2AccessTokenProvider.class */
public class StandardOauth2AccessTokenProvider extends AbstractControllerService implements OAuth2AccessTokenProvider, VerifiableControllerService {
    public static final PropertyDescriptor AUTHORIZATION_SERVER_URL = new PropertyDescriptor.Builder().name("authorization-server-url").displayName("Authorization Server URL").description("The URL of the authorization server that issues access tokens.").required(true).addValidator(StandardValidators.URL_VALIDATOR).expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY).build();
    public static AllowableValue RESOURCE_OWNER_PASSWORD_CREDENTIALS_GRANT_TYPE = new AllowableValue("password", "User Password", "Resource Owner Password Credentials Grant. Used to access resources available to users. Requires username and password and usually Client ID and Client Secret");
    public static AllowableValue CLIENT_CREDENTIALS_GRANT_TYPE = new AllowableValue("client_credentials", "Client Credentials", "Client Credentials Grant. Used to access resources available to clients. Requires Client ID and Client Secret");
    public static final PropertyDescriptor GRANT_TYPE = new PropertyDescriptor.Builder().name("grant-type").displayName("Grant Type").description("The OAuth2 Grant Type to be used when acquiring an access token.").required(true).allowableValues(new AllowableValue[]{RESOURCE_OWNER_PASSWORD_CREDENTIALS_GRANT_TYPE, CLIENT_CREDENTIALS_GRANT_TYPE}).defaultValue(RESOURCE_OWNER_PASSWORD_CREDENTIALS_GRANT_TYPE.getValue()).build();
    public static final PropertyDescriptor USERNAME = new PropertyDescriptor.Builder().name("service-user-name").displayName("Username").description("Username on the service that is being accessed.").dependsOn(GRANT_TYPE, new AllowableValue[]{RESOURCE_OWNER_PASSWORD_CREDENTIALS_GRANT_TYPE}).required(true).addValidator(StandardValidators.NON_BLANK_VALIDATOR).expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY).build();
    public static final PropertyDescriptor PASSWORD = new PropertyDescriptor.Builder().name("service-password").displayName("Password").description("Password for the username on the service that is being accessed.").dependsOn(GRANT_TYPE, new AllowableValue[]{RESOURCE_OWNER_PASSWORD_CREDENTIALS_GRANT_TYPE}).required(true).sensitive(true).addValidator(StandardValidators.NON_BLANK_VALIDATOR).build();
    public static final PropertyDescriptor CLIENT_ID = new PropertyDescriptor.Builder().name("client-id").displayName("Client ID").required(false).addValidator(StandardValidators.NON_BLANK_VALIDATOR).expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY).build();
    public static final PropertyDescriptor CLIENT_SECRET = new PropertyDescriptor.Builder().name("client-secret").displayName("Client secret").dependsOn(CLIENT_ID, new AllowableValue[0]).required(true).sensitive(true).addValidator(StandardValidators.NON_BLANK_VALIDATOR).build();
    public static final PropertyDescriptor SCOPE = new PropertyDescriptor.Builder().name(OAuth2TokenProviderImpl.KEY_SCOPE).displayName("Scope").description("Space-delimited, case-sensitive list of scopes of the access request (as per the OAuth 2.0 specification)").required(false).addValidator(StandardValidators.NON_EMPTY_VALIDATOR).build();
    public static final PropertyDescriptor REFRESH_WINDOW = new PropertyDescriptor.Builder().name("refresh-window").displayName("Refresh Window").description("The service will attempt to refresh tokens expiring within the refresh window, subtracting the configured duration from the token expiration.").addValidator(StandardValidators.TIME_PERIOD_VALIDATOR).defaultValue("0 s").required(true).build();
    public static final PropertyDescriptor SSL_CONTEXT = new PropertyDescriptor.Builder().name("ssl-context-service").displayName("SSL Context Service").addValidator(Validator.VALID).identifiesControllerService(SSLContextService.class).required(false).build();
    public static final PropertyDescriptor HTTP_PROTOCOL_STRATEGY = new PropertyDescriptor.Builder().name("HTTP Protocols").description("HTTP Protocols supported for Application Layer Protocol Negotiation with TLS").required(true).allowableValues(HttpProtocolStrategy.class).defaultValue(HttpProtocolStrategy.H2_HTTP_1_1.getValue()).dependsOn(SSL_CONTEXT, new AllowableValue[0]).build();
    private static final List<PropertyDescriptor> PROPERTIES = Collections.unmodifiableList(Arrays.asList(AUTHORIZATION_SERVER_URL, GRANT_TYPE, USERNAME, PASSWORD, CLIENT_ID, CLIENT_SECRET, SCOPE, REFRESH_WINDOW, SSL_CONTEXT, HTTP_PROTOCOL_STRATEGY));
    public static final ObjectMapper ACCESS_DETAILS_MAPPER = new ObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false).setPropertyNamingStrategy(PropertyNamingStrategies.SNAKE_CASE);
    private volatile String authorizationServerUrl;
    private volatile OkHttpClient httpClient;
    private volatile String grantType;
    private volatile String username;
    private volatile String password;
    private volatile String clientId;
    private volatile String clientSecret;
    private volatile String scope;
    private volatile long refreshWindowSeconds;
    private volatile AccessToken accessDetails;

    public List<PropertyDescriptor> getSupportedPropertyDescriptors() {
        return PROPERTIES;
    }

    @OnEnabled
    public void onEnabled(ConfigurationContext configurationContext) {
        this.authorizationServerUrl = configurationContext.getProperty(AUTHORIZATION_SERVER_URL).evaluateAttributeExpressions().getValue();
        this.httpClient = createHttpClient(configurationContext);
        this.grantType = configurationContext.getProperty(GRANT_TYPE).getValue();
        this.username = configurationContext.getProperty(USERNAME).evaluateAttributeExpressions().getValue();
        this.password = configurationContext.getProperty(PASSWORD).getValue();
        this.clientId = configurationContext.getProperty(CLIENT_ID).evaluateAttributeExpressions().getValue();
        this.clientSecret = configurationContext.getProperty(CLIENT_SECRET).getValue();
        this.scope = configurationContext.getProperty(SCOPE).getValue();
        this.refreshWindowSeconds = configurationContext.getProperty(REFRESH_WINDOW).asTimePeriod(TimeUnit.SECONDS).longValue();
    }

    @OnDisabled
    public void onDisabled() {
        this.accessDetails = null;
    }

    protected Collection<ValidationResult> customValidate(ValidationContext validationContext) {
        ArrayList arrayList = new ArrayList(super.customValidate(validationContext));
        if (validationContext.getProperty(GRANT_TYPE).getValue().equals(CLIENT_CREDENTIALS_GRANT_TYPE.getValue()) && !validationContext.getProperty(CLIENT_ID).isSet()) {
            arrayList.add(new ValidationResult.Builder().subject(CLIENT_ID.getDisplayName()).valid(false).explanation(String.format("When '%s' is set to '%s', '%s' is required", GRANT_TYPE.getDisplayName(), CLIENT_CREDENTIALS_GRANT_TYPE.getDisplayName(), CLIENT_ID.getDisplayName())).build());
        }
        return arrayList;
    }

    protected OkHttpClient createHttpClient(ConfigurationContext configurationContext) {
        OkHttpClient.Builder builder = new OkHttpClient.Builder();
        SSLContextService asControllerService = configurationContext.getProperty(SSL_CONTEXT).asControllerService(SSLContextService.class);
        if (asControllerService != null) {
            builder.sslSocketFactory(asControllerService.createContext().getSocketFactory(), asControllerService.createTrustManager());
        }
        builder.protocols(HttpProtocolStrategy.valueOf(configurationContext.getProperty(HTTP_PROTOCOL_STRATEGY).getValue()).getProtocols());
        return builder.build();
    }

    public AccessToken getAccessDetails() {
        if (this.accessDetails == null) {
            acquireAccessDetails();
        } else if (isRefreshRequired()) {
            if (this.accessDetails.getRefreshToken() == null) {
                acquireAccessDetails();
            } else {
                try {
                    refreshAccessDetails();
                } catch (Exception e) {
                    getLogger().info("Refresh Access Token request failed [{}]", new Object[]{this.authorizationServerUrl, e});
                    acquireAccessDetails();
                }
            }
        }
        return this.accessDetails;
    }

    private void acquireAccessDetails() {
        getLogger().debug("New Access Token request started [{}]", new Object[]{this.authorizationServerUrl});
        FormBody.Builder builder = new FormBody.Builder();
        if (this.grantType.equals(RESOURCE_OWNER_PASSWORD_CREDENTIALS_GRANT_TYPE.getValue())) {
            builder.add("grant_type", "password").add("username", this.username).add("password", this.password);
        } else if (this.grantType.equals(CLIENT_CREDENTIALS_GRANT_TYPE.getValue())) {
            builder.add("grant_type", "client_credentials");
        }
        if (this.clientId != null) {
            builder.add("client_id", this.clientId);
            builder.add("client_secret", this.clientSecret);
        }
        if (this.scope != null) {
            builder.add(OAuth2TokenProviderImpl.KEY_SCOPE, this.scope);
        }
        this.accessDetails = getAccessDetails(new Request.Builder().url(this.authorizationServerUrl).post(builder.build()).build());
    }

    private void refreshAccessDetails() {
        getLogger().debug("Refresh Access Token request started [{}]", new Object[]{this.authorizationServerUrl});
        FormBody.Builder add = new FormBody.Builder().add("grant_type", OAuth2TokenProviderImpl.KEY_REFRESH_TOKEN).add(OAuth2TokenProviderImpl.KEY_REFRESH_TOKEN, this.accessDetails.getRefreshToken());
        if (this.clientId != null) {
            add.add("client_id", this.clientId);
            add.add("client_secret", this.clientSecret);
        }
        if (this.scope != null) {
            add.add(OAuth2TokenProviderImpl.KEY_SCOPE, this.scope);
        }
        this.accessDetails = getAccessDetails(new Request.Builder().url(this.authorizationServerUrl).post(add.build()).build());
    }

    private AccessToken getAccessDetails(Request request) {
        try {
            Response execute = this.httpClient.newCall(request).execute();
            String string = execute.body().string();
            if (execute.isSuccessful()) {
                getLogger().debug("OAuth2 Access Token retrieved [HTTP {}]", new Object[]{Integer.valueOf(execute.code())});
                return (AccessToken) ACCESS_DETAILS_MAPPER.readValue(string, AccessToken.class);
            }
            getLogger().error(String.format("OAuth2 access token request failed [HTTP %d], response:%n%s", Integer.valueOf(execute.code()), string));
            throw new ProcessException(String.format("OAuth2 access token request failed [HTTP %d]", Integer.valueOf(execute.code())));
        } catch (IOException e) {
            throw new UncheckedIOException("OAuth2 access token request failed", e);
        }
    }

    private boolean isRefreshRequired() {
        return Instant.now().isAfter(this.accessDetails.getFetchTime().plusSeconds(this.accessDetails.getExpiresIn()).minusSeconds(this.refreshWindowSeconds));
    }

    public List<ConfigVerificationResult> verify(ConfigurationContext configurationContext, ComponentLog componentLog, Map<String, String> map) {
        ConfigVerificationResult.Builder verificationStepName = new ConfigVerificationResult.Builder().verificationStepName("Can acquire token");
        try {
            getAccessDetails();
            verificationStepName.outcome(ConfigVerificationResult.Outcome.SUCCESSFUL);
        } catch (Exception e) {
            verificationStepName.outcome(ConfigVerificationResult.Outcome.FAILED).explanation(e.getMessage());
        }
        return Arrays.asList(verificationStepName.build());
    }
}
