package org.apache.nifi.authorization;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.util.Iterator;
import java.util.Set;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLOutputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamWriter;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.authorization.exception.AuthorizationAccessException;
import org.apache.nifi.authorization.exception.AuthorizerCreationException;
import org.apache.nifi.authorization.exception.AuthorizerDestructionException;
import org.apache.nifi.authorization.exception.UninheritableAuthorizationsException;
import org.apache.nifi.components.PropertyValue;
import org.apache.nifi.security.xml.XmlUtils;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/* loaded from: input_file:org/apache/nifi/authorization/StandardManagedAuthorizer.class */
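/**
 * Authorizer that answers access decisions from a configured {@link AccessPolicyProvider} and the
 * {@link UserGroupProvider} that provider exposes.
 *
 * <p>It also serialises the providers' state into an XML "fingerprint" and parses such fingerprints
 * back so that the state can be compared with, or inherited from, another source.
 *
 * <p>This listing is decompiler output. Casts to the {@code Configurable*} provider types are
 * written explicitly after each {@code instanceof} guard, because the fingerprint methods are
 * presumably declared on those types rather than on the base provider interfaces (verify against
 * the API).
 */
public class StandardManagedAuthorizer implements ManagedAuthorizer {
    // NOTE(review): a single factory instance is shared by every caller of getFingerprint();
    // whether that is thread-safe depends on the StAX implementation in use - confirm.
    private static final XMLOutputFactory XML_OUTPUT_FACTORY = XMLOutputFactory.newInstance();
    private static final String USER_GROUP_PROVIDER_ELEMENT = "userGroupProvider";
    private static final String ACCESS_POLICY_PROVIDER_ELEMENT = "accessPolicyProvider";
    private AccessPolicyProviderLookup accessPolicyProviderLookup;
    private AccessPolicyProvider accessPolicyProvider;
    private UserGroupProvider userGroupProvider;

    /**
     * Immutable pair holding the two text payloads extracted from a parsed fingerprint document.
     *
     * <p>The decompiler reported that it widened this class's access modifier from {@code private}.
     */
    public static class FingerprintHolder {
        private final String policyFingerprint;
        private final String userGroupFingerprint;

        /**
         * @param str text content of the {@code accessPolicyProvider} element
         * @param str2 text content of the {@code userGroupProvider} element
         */
        public FingerprintHolder(String str, String str2) {
            this.policyFingerprint = str;
            this.userGroupFingerprint = str2;
        }

        /** @return the access policy provider's fingerprint text */
        public String getPolicyFingerprint() {
            return this.policyFingerprint;
        }

        /** @return the user group provider's fingerprint text */
        public String getUserGroupFingerprint() {
            return this.userGroupFingerprint;
        }
    }

    /**
     * Stores the provider lookup that {@link #onConfigured} later uses to resolve the policy provider.
     *
     * @param authorizerInitializationContext context supplying the access policy provider lookup
     */
    public void initialize(AuthorizerInitializationContext authorizerInitializationContext) throws AuthorizerCreationException {
        this.accessPolicyProviderLookup = authorizerInitializationContext.getAccessPolicyProviderLookup();
    }

    /**
     * Resolves the access policy provider named by the "Access Policy Provider" property and takes
     * the user group provider from it.
     *
     * <p>Configuration fails closed: an unset property, an unknown provider, or a provider without
     * a user group provider each abort with an exception.
     *
     * @param authorizerConfigurationContext context supplying the configured properties
     * @throws AuthorizerCreationException if the property is unset, the provider cannot be located,
     *     or the located provider has no user group provider
     */
    public void onConfigured(AuthorizerConfigurationContext authorizerConfigurationContext) throws AuthorizerCreationException {
        PropertyValue property = authorizerConfigurationContext.getProperty("Access Policy Provider");
        if (!property.isSet()) {
            throw new AuthorizerCreationException("The Access Policy Provider must be set.");
        }
        this.accessPolicyProvider = this.accessPolicyProviderLookup.getAccessPolicyProvider(property.getValue());
        if (this.accessPolicyProvider == null) {
            // NOTE(review): the message formats the PropertyValue object, not property.getValue();
            // what is printed depends on PropertyValue.toString() - confirm that is the identifier.
            throw new AuthorizerCreationException(String.format("Unable to locate configured Access Policy Provider: %s", property));
        }
        this.userGroupProvider = this.accessPolicyProvider.getUserGroupProvider();
        if (this.userGroupProvider == null) {
            throw new AuthorizerCreationException(String.format("Configured Access Policy Provider %s does not contain a User Group Provider", property));
        }
    }

    /**
     * Decides whether the requesting identity may perform the requested action on the resource.
     *
     * <p>The request is approved only when the policy for the resource/action pair lists the user's
     * identifier or the identifier of one of the user's groups. An identity the user group provider
     * does not know is denied. When no policy exists for the pair, the result is
     * {@code resourceNotFound()} rather than a denial, so how that case is treated is left to the
     * caller.
     *
     * @param authorizationRequest the request carrying resource, action and identity
     * @return approved, denied (with an explanation), or resource-not-found
     */
    public AuthorizationResult authorize(AuthorizationRequest authorizationRequest) throws AuthorizationAccessException {
        AccessPolicy policy = this.accessPolicyProvider.getAccessPolicy(
                authorizationRequest.getResource().getIdentifier(), authorizationRequest.getAction());
        if (policy == null) {
            return AuthorizationResult.resourceNotFound();
        }

        UserAndGroups userAndGroups = this.userGroupProvider.getUserAndGroups(authorizationRequest.getIdentity());
        User user = userAndGroups.getUser();
        if (user == null) {
            return AuthorizationResult.denied(String.format("Unknown user with identity '%s'.", authorizationRequest.getIdentity()));
        }

        // Direct membership is checked first; group membership is only consulted when it fails.
        boolean permitted = policy.getUsers().contains(user.getIdentifier())
                || containsGroup(userAndGroups.getGroups(), policy);
        if (permitted) {
            return AuthorizationResult.approved();
        }
        return AuthorizationResult.denied((String) authorizationRequest.getExplanationSupplier().get());
    }

    /**
     * Reports whether any of the given groups is listed, by identifier, in the policy.
     *
     * @param groups the user's groups; {@code null} or empty yields {@code false}
     * @param accessPolicy the policy whose group identifiers are consulted
     * @return {@code true} if at least one group identifier appears in the policy
     */
    private boolean containsGroup(Set<Group> groups, AccessPolicy accessPolicy) {
        if (groups == null || groups.isEmpty() || accessPolicy.getGroups().isEmpty()) {
            return false;
        }
        for (Group group : groups) {
            if (accessPolicy.getGroups().contains(group.getIdentifier())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Serialises the providers' fingerprints into one XML document.
     *
     * <p>The document has a {@code managedAuthorizations} root containing one
     * {@code accessPolicyProvider} and one {@code userGroupProvider} element. Each element is left
     * empty when the corresponding provider is not a configurable provider. Provider fingerprints
     * are written with {@code writeCharacters}, i.e. as character data, not as nested markup.
     *
     * @return the fingerprint document as a string
     * @throws AuthorizationAccessException if the XML cannot be written
     */
    public String getFingerprint() throws AuthorizationAccessException {
        final StringWriter buffer = new StringWriter();
        XMLStreamWriter writer = null;
        try {
            writer = XML_OUTPUT_FACTORY.createXMLStreamWriter(buffer);
            writer.writeStartDocument();
            writer.writeStartElement("managedAuthorizations");

            writer.writeStartElement(ACCESS_POLICY_PROVIDER_ELEMENT);
            if (this.accessPolicyProvider instanceof ConfigurableAccessPolicyProvider) {
                writer.writeCharacters(((ConfigurableAccessPolicyProvider) this.accessPolicyProvider).getFingerprint());
            }
            writer.writeEndElement();

            writer.writeStartElement(USER_GROUP_PROVIDER_ELEMENT);
            if (this.userGroupProvider instanceof ConfigurableUserGroupProvider) {
                writer.writeCharacters(((ConfigurableUserGroupProvider) this.userGroupProvider).getFingerprint());
            }
            writer.writeEndElement();

            writer.writeEndElement();
            writer.writeEndDocument();
            writer.flush();
        } catch (XMLStreamException e) {
            throw new AuthorizationAccessException("Unable to generate fingerprint", e);
        } finally {
            // XMLStreamWriter is not AutoCloseable, so it is closed by hand on every path.
            if (writer != null) {
                try {
                    writer.close();
                } catch (XMLStreamException ignored) {
                    // Best effort: the document was already flushed or the primary failure is propagating.
                }
            }
        }
        return buffer.toString();
    }

    /**
     * Passes the parts of a fingerprint on to the providers that can inherit them.
     *
     * <p>A blank fingerprint is a no-op. A non-blank part is silently skipped when the matching
     * provider is not configurable; use {@link #checkInheritability} beforehand to reject that case.
     *
     * @param str the fingerprint document, possibly blank
     * @throws AuthorizationAccessException if the fingerprint cannot be parsed
     */
    public void inheritFingerprint(String str) throws AuthorizationAccessException {
        if (StringUtils.isBlank(str)) {
            return;
        }
        FingerprintHolder holder = parseFingerprint(str);
        if (StringUtils.isNotBlank(holder.getPolicyFingerprint()) && (this.accessPolicyProvider instanceof ConfigurableAccessPolicyProvider)) {
            ((ConfigurableAccessPolicyProvider) this.accessPolicyProvider).inheritFingerprint(holder.getPolicyFingerprint());
        }
        if (StringUtils.isNotBlank(holder.getUserGroupFingerprint()) && (this.userGroupProvider instanceof ConfigurableUserGroupProvider)) {
            ((ConfigurableUserGroupProvider) this.userGroupProvider).inheritFingerprint(holder.getUserGroupFingerprint());
        }
    }

    /**
     * Passes both fingerprint parts to the configurable providers without blank checks.
     *
     * <p>Unlike {@link #inheritFingerprint}, the fingerprint is always parsed and each configurable
     * provider is always called, even when its part is blank. What a provider does with the value is
     * not visible here; presumably it replaces its current users, groups and policies, so callers
     * should treat this as a privileged operation (confirm against the provider implementations).
     *
     * @param str the fingerprint document
     * @throws AuthorizationAccessException if the fingerprint is {@code null} or cannot be parsed
     */
    public void forciblyInheritFingerprint(String str) throws AuthorizationAccessException {
        FingerprintHolder holder = parseFingerprint(str);
        if (this.accessPolicyProvider instanceof ConfigurableAccessPolicyProvider) {
            ((ConfigurableAccessPolicyProvider) this.accessPolicyProvider).forciblyInheritFingerprint(holder.getPolicyFingerprint());
        }
        if (this.userGroupProvider instanceof ConfigurableUserGroupProvider) {
            ((ConfigurableUserGroupProvider) this.userGroupProvider).forciblyInheritFingerprint(holder.getUserGroupFingerprint());
        }
    }

    /**
     * Verifies that the proposed fingerprint could be inherited by the configured providers.
     *
     * <p>A non-blank part is rejected outright when the matching provider is not configurable;
     * otherwise the decision is delegated to that provider.
     *
     * @param str the proposed fingerprint document
     * @throws AuthorizationAccessException if the fingerprint is {@code null} or cannot be parsed
     * @throws UninheritableAuthorizationsException if a non-blank part targets a provider that does
     *     not support fingerprinting, or (presumably) if the provider itself rejects the part
     */
    public void checkInheritability(String str) throws AuthorizationAccessException, UninheritableAuthorizationsException {
        FingerprintHolder holder = parseFingerprint(str);
        if (StringUtils.isNotBlank(holder.getPolicyFingerprint())) {
            if (!(this.accessPolicyProvider instanceof ConfigurableAccessPolicyProvider)) {
                throw new UninheritableAuthorizationsException("Policy fingerprint is not blank and the configured AccessPolicyProvider does not support fingerprinting.");
            }
            ((ConfigurableAccessPolicyProvider) this.accessPolicyProvider).checkInheritability(holder.getPolicyFingerprint());
        }
        if (StringUtils.isNotBlank(holder.getUserGroupFingerprint())) {
            if (!(this.userGroupProvider instanceof ConfigurableUserGroupProvider)) {
                throw new UninheritableAuthorizationsException("User/Group fingerprint is not blank and the configured UserGroupProvider does not support fingerprinting.");
            }
            ((ConfigurableUserGroupProvider) this.userGroupProvider).checkInheritability(holder.getUserGroupFingerprint());
        }
    }

    /**
     * Parses a fingerprint document and extracts the two provider payloads.
     *
     * <p>The document must contain exactly one {@code accessPolicyProvider} and exactly one
     * {@code userGroupProvider} element. {@code getElementsByTagName} matches descendants at any
     * depth, so the count covers the whole document, not only children of the root.
     *
     * @param fingerprint the fingerprint document
     * @return the text content of the two provider elements
     * @throws AuthorizationAccessException if the fingerprint is {@code null}, is not well-formed,
     *     or does not contain exactly one of each provider element
     */
    private final FingerprintHolder parseFingerprint(String fingerprint) throws AuthorizationAccessException {
        // A null fingerprint previously surfaced as a NullPointerException from getBytes(); report it
        // through the exception type this method declares so callers handle it like any parse failure.
        if (fingerprint == null) {
            throw new AuthorizationAccessException("Unable to parse fingerprint: fingerprint is null");
        }

        try (ByteArrayInputStream in = new ByteArrayInputStream(fingerprint.getBytes(StandardCharsets.UTF_8))) {
            // The builder comes from the project's XmlUtils helper; judging by its name it is hardened
            // against external-entity/DTD abuse - verify in XmlUtils before relying on that for
            // fingerprints received from outside this process.
            Element root = XmlUtils.createSafeDocumentBuilder(true).parse(in).getDocumentElement();

            // NOTE(review): both messages below embed the entire fingerprint, which carries the
            // providers' serialised state; consider truncating or omitting it so that state does not
            // end up in logs. The wording "Only one" is also used when the element is missing.
            NodeList policyNodes = root.getElementsByTagName(ACCESS_POLICY_PROVIDER_ELEMENT);
            if (policyNodes.getLength() != 1) {
                throw new AuthorizationAccessException(String.format("Only one %s element is allowed: %s", ACCESS_POLICY_PROVIDER_ELEMENT, fingerprint));
            }
            NodeList userGroupNodes = root.getElementsByTagName(USER_GROUP_PROVIDER_ELEMENT);
            if (userGroupNodes.getLength() != 1) {
                throw new AuthorizationAccessException(String.format("Only one %s element is allowed: %s", USER_GROUP_PROVIDER_ELEMENT, fingerprint));
            }

            return new FingerprintHolder(policyNodes.item(0).getTextContent(), userGroupNodes.item(0).getTextContent());
        } catch (IOException | ParserConfigurationException | SAXException e) {
            throw new AuthorizationAccessException("Unable to parse fingerprint", e);
        }
    }

    /** @return the access policy provider resolved in {@link #onConfigured}, or {@code null} before configuration */
    public AccessPolicyProvider getAccessPolicyProvider() {
        return this.accessPolicyProvider;
    }

    /** No resources are held by this authorizer, so there is nothing to release. */
    public void preDestruction() throws AuthorizerDestructionException {
    }
}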
