package org.apache.nifi.registry.web.security.authentication.oidc;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.nimbusds.oauth2.sdk.AuthorizationGrant;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.State;
import java.io.IOException;
import java.math.BigInteger;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import org.apache.nifi.registry.web.security.authentication.util.CacheKey;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

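@Service
/**
 * Server-side bookkeeping for an OpenID Connect login.
 *
 * <p>Two pieces of per-request data are held in expiring caches, each keyed by a
 * {@link CacheKey} built from the caller-supplied request identifier:
 * <ul>
 *   <li>the {@link State} value issued before the browser is redirected to the provider,
 *       later checked (once) when the provider redirects back, and</li>
 *   <li>the JWT obtained from the authorization-code exchange, later handed out (once)
 *       to the request that completes the login.</li>
 * </ul>
 *
 * <p>Every entry expires {@code duration}/{@code units} after it is written, so an abandoned
 * login cannot be resumed indefinitely. Reads of either cache consume the entry, so each
 * state and each JWT can be used at most once. The check-then-store and read-then-invalidate
 * sequences are performed under a lock on the cache they touch so that concurrent requests
 * with the same identifier cannot interleave.
 */
public class OidcService {

    /** Default lifetime of a pending state / completed-login JWT: 60 seconds. */
    private static final int DEFAULT_EXPIRATION_DURATION = 60;
    private static final TimeUnit DEFAULT_EXPIRATION_UNITS = TimeUnit.SECONDS;

    /** Number of random bits in a generated state value. */
    private static final int STATE_VALUE_BITS = 130;

    /** Radix used to render the state; base 32 yields only digits and lowercase letters, which is URL-safe. */
    private static final int STATE_VALUE_RADIX = 32;

    /**
     * Shared generator: SecureRandom instances are safe for concurrent use, and seeding a new
     * one on every login request is needlessly expensive.
     */
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    private final OidcIdentityProvider identityProvider;
    private final Cache<CacheKey, State> stateLookupForPendingRequests;
    private final Cache<CacheKey, String> jwtLookupForCompletedRequests;

    /**
     * Creates a service whose cached states and JWTs expire after
     * {@value #DEFAULT_EXPIRATION_DURATION} seconds.
     *
     * @param oidcIdentityProvider the provider to delegate to; must not be {@code null}
     */
    @Autowired
    public OidcService(final OidcIdentityProvider oidcIdentityProvider) {
        this(oidcIdentityProvider, DEFAULT_EXPIRATION_DURATION, DEFAULT_EXPIRATION_UNITS);
    }

    /**
     * Creates a service with an explicit cache lifetime.
     *
     * @param oidcIdentityProvider the provider to delegate to; it is initialized here
     * @param duration how long a pending state or completed-login JWT stays retrievable
     * @param units the unit of {@code duration}
     * @throws IllegalArgumentException if {@code oidcIdentityProvider} is {@code null}
     */
    public OidcService(final OidcIdentityProvider oidcIdentityProvider, final int duration, final TimeUnit units) {
        if (oidcIdentityProvider == null) {
            // IllegalArgumentException is a RuntimeException, so existing catch sites still apply.
            throw new IllegalArgumentException("The OidcIdentityProvider must be specified.");
        }
        oidcIdentityProvider.initializeProvider();
        this.identityProvider = oidcIdentityProvider;
        this.stateLookupForPendingRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
        this.jwtLookupForCompletedRequests = CacheBuilder.newBuilder().expireAfterWrite(duration, units).build();
    }

    /** @return whether the underlying provider reports OIDC as enabled */
    public boolean isOidcEnabled() {
        return identityProvider.isOidcEnabled();
    }

    /** @return the provider's authorization endpoint */
    public URI getAuthorizationEndpoint() {
        return identityProvider.getAuthorizationEndpoint();
    }

    /** @return the provider's end-session (logout) endpoint */
    public URI getEndSessionEndpoint() {
        return identityProvider.getEndSessionEndpoint();
    }

    /** @return the scope requested from the provider */
    public Scope getScope() {
        return identityProvider.getScope();
    }

    /** @return the client id registered with the provider, as a plain string */
    public String getClientId() {
        return identityProvider.getClientId().getValue();
    }

    /**
     * Issues a fresh, random {@link State} for the given request and records it as pending.
     *
     * <p>If a state is already pending for the same identifier, the existing entry is left in
     * place and this call fails, so a second request cannot replace the first one's state.
     *
     * @param requestIdentifier identifier this login request is keyed by
     * @return the newly generated state (the caller sends it to the provider)
     * @throws IllegalStateException if OIDC is not enabled, if a login for this identifier is
     *         already in progress, or if the cache could not store the state
     */
    public State createState(final String requestIdentifier) {
        requireOidcEnabled();
        final CacheKey cacheKey = new CacheKey(requestIdentifier);
        final State state = new State(generateStateValue());
        try {
            synchronized (stateLookupForPendingRequests) {
                // get(key, loader) stores our state only when no entry exists; anything else
                // coming back means another login for this identifier is still pending.
                final State storedState = stateLookupForPendingRequests.get(cacheKey, () -> state);
                if (!timeConstantEqualityCheck(state.getValue(), storedState.getValue())) {
                    throw new IllegalStateException("An existing login request is already in progress.");
                }
            }
            return state;
        } catch (final ExecutionException e) {
            // Keep the cause so the underlying failure is not lost from logs.
            throw new IllegalStateException("Unable to store the login request state.", e);
        }
    }

    /** @return a random value of {@value #STATE_VALUE_BITS} bits rendered in base {@value #STATE_VALUE_RADIX} */
    private String generateStateValue() {
        return new BigInteger(STATE_VALUE_BITS, SECURE_RANDOM).toString(STATE_VALUE_RADIX);
    }

    /**
     * Consumes the pending state for the given request and reports whether it matches.
     *
     * <p>The pending entry is removed whether or not it matches, so each issued state can be
     * checked exactly once; a retry with the same identifier yields {@code false}.
     *
     * @param requestIdentifier identifier the login request was keyed by in {@link #createState}
     * @param proposedState the state returned by the provider; must not be {@code null}
     * @return {@code true} only if a state was pending for this identifier and equals the proposed one
     * @throws IllegalStateException if OIDC is not enabled
     * @throws IllegalArgumentException if {@code proposedState} is {@code null}
     */
    public boolean isStateValid(final String requestIdentifier, final State proposedState) {
        requireOidcEnabled();
        if (proposedState == null) {
            throw new IllegalArgumentException("Proposed state must be specified.");
        }
        final CacheKey cacheKey = new CacheKey(requestIdentifier);
        final State expectedState;
        synchronized (stateLookupForPendingRequests) {
            expectedState = stateLookupForPendingRequests.getIfPresent(cacheKey);
            if (expectedState != null) {
                // Single use: drop the entry before comparing so a mismatch cannot be retried.
                stateLookupForPendingRequests.invalidate(cacheKey);
            }
        }
        return expectedState != null
                && timeConstantEqualityCheck(expectedState.getValue(), proposedState.getValue());
    }

    /**
     * Exchanges the authorization grant for a JWT via the provider and records the JWT for the
     * given request so that {@link #getJwt} can later retrieve it.
     *
     * @param requestIdentifier identifier this login request is keyed by
     * @param authorizationGrant the grant (e.g. authorization code) received from the provider
     * @throws IOException if the provider exchange fails with an I/O error
     * @throws IllegalStateException if OIDC is not enabled, if a JWT for this identifier is
     *         already stored, or if the cache could not store the JWT
     */
    public void exchangeAuthorizationCode(final String requestIdentifier, final AuthorizationGrant authorizationGrant)
            throws IOException {
        requireOidcEnabled();
        final CacheKey cacheKey = new CacheKey(requestIdentifier);
        final String jwt = identityProvider.exchangeAuthorizationCode(authorizationGrant);
        try {
            synchronized (jwtLookupForCompletedRequests) {
                // Same store-once rule as createState: never overwrite an existing entry.
                final String storedJwt = jwtLookupForCompletedRequests.get(cacheKey, () -> jwt);
                if (!timeConstantEqualityCheck(jwt, storedJwt)) {
                    throw new IllegalStateException("An existing login request is already in progress.");
                }
            }
        } catch (final ExecutionException e) {
            throw new IllegalStateException("Unable to store the login authentication token.", e);
        }
    }

    /**
     * Retrieves and consumes the JWT stored for the given request.
     *
     * @param requestIdentifier identifier the login request was keyed by in {@link #exchangeAuthorizationCode}
     * @return the JWT, or {@code null} if none is stored (never stored, already consumed, or expired)
     * @throws IllegalStateException if OIDC is not enabled
     */
    public String getJwt(final String requestIdentifier) {
        requireOidcEnabled();
        final CacheKey cacheKey = new CacheKey(requestIdentifier);
        final String jwt;
        synchronized (jwtLookupForCompletedRequests) {
            jwt = jwtLookupForCompletedRequests.getIfPresent(cacheKey);
            if (jwt != null) {
                // Single use: the token is handed out exactly once.
                jwtLookupForCompletedRequests.invalidate(cacheKey);
            }
        }
        return jwt;
    }

    /** Guard shared by every public operation that depends on OIDC being configured. */
    private void requireOidcEnabled() {
        if (!isOidcEnabled()) {
            throw new IllegalStateException(OidcIdentityProvider.OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
        }
    }

    /**
     * Compares two secrets without short-circuiting on the first differing byte, so the position
     * of a mismatch is not observable through timing.
     *
     * @return {@code false} if either argument is {@code null}, otherwise byte-wise UTF-8 equality
     */
    private boolean timeConstantEqualityCheck(final String expected, final String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                actual.getBytes(StandardCharsets.UTF_8));
    }
}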
