package org.apache.nifi.web.api;

import com.wordnik.swagger.annotations.Api;
import com.wordnik.swagger.annotations.ApiOperation;
import com.wordnik.swagger.annotations.ApiParam;
import com.wordnik.swagger.annotations.ApiResponse;
import com.wordnik.swagger.annotations.ApiResponses;
import io.jsonwebtoken.JwtException;
import java.net.URI;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.TimeUnit;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.DefaultValue;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.admin.service.AdministrationException;
import org.apache.nifi.authentication.AuthenticationResponse;
import org.apache.nifi.authentication.LoginCredentials;
import org.apache.nifi.authentication.LoginIdentityProvider;
import org.apache.nifi.authentication.exception.IdentityAccessException;
import org.apache.nifi.authentication.exception.InvalidLoginCredentialsException;
import org.apache.nifi.security.util.CertificateUtils;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.api.dto.AccessConfigurationDTO;
import org.apache.nifi.web.api.dto.AccessStatusDTO;
import org.apache.nifi.web.api.dto.RevisionDTO;
import org.apache.nifi.web.api.entity.AccessConfigurationEntity;
import org.apache.nifi.web.api.entity.AccessStatusEntity;
import org.apache.nifi.web.api.request.ClientIdParameter;
import org.apache.nifi.web.security.InvalidAuthenticationException;
import org.apache.nifi.web.security.ProxiedEntitiesUtils;
import org.apache.nifi.web.security.UntrustedProxyException;
import org.apache.nifi.web.security.jwt.JwtService;
import org.apache.nifi.web.security.token.LoginAuthenticationToken;
import org.apache.nifi.web.security.token.NiFiAuthortizationRequestToken;
import org.apache.nifi.web.security.x509.X509CertificateExtractor;
import org.apache.nifi.web.security.x509.X509IdentityProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

@Path("/access")
@Api(value = "/access", description = "Endpoints for obtaining an access token or checking access status")
/* loaded from: input_file:WEB-INF/classes/org/apache/nifi/web/api/AccessResource.class */
public class AccessResource extends ApplicationResource {
    private static final Logger logger = LoggerFactory.getLogger(AccessResource.class);
    private NiFiProperties properties;
    private LoginIdentityProvider loginIdentityProvider;
    private X509CertificateExtractor certificateExtractor;
    private X509IdentityProvider certificateIdentityProvider;
    private JwtService jwtService;
    private AuthenticationUserDetailsService<NiFiAuthortizationRequestToken> userDetailsService;

    @GET
    @Path("/config")
    @Consumes({"*/*"})
    @ApiOperation(value = "Retrieves the access configuration for this NiFi", response = AccessConfigurationEntity.class)
    @Produces({"application/json", "application/xml"})
    public Response getLoginConfig(@Context HttpServletRequest httpServletRequest, @ApiParam(value = "If the client id is not specified, new one will be generated. This value (whether specified or generated) is included in the response.", required = false) @QueryParam("clientId") @DefaultValue("") ClientIdParameter clientIdParameter) {
        AccessConfigurationDTO accessConfigurationDTO = new AccessConfigurationDTO();
        accessConfigurationDTO.setSupportsLogin(Boolean.valueOf(this.loginIdentityProvider != null && httpServletRequest.isSecure()));
        accessConfigurationDTO.setSupportsAnonymous(Boolean.valueOf((this.properties.getAnonymousAuthorities().isEmpty() && httpServletRequest.isSecure()) ? false : true));
        RevisionDTO revisionDTO = new RevisionDTO();
        revisionDTO.setClientId(clientIdParameter.getClientId());
        AccessConfigurationEntity accessConfigurationEntity = new AccessConfigurationEntity();
        accessConfigurationEntity.setRevision(revisionDTO);
        accessConfigurationEntity.setConfig(accessConfigurationDTO);
        return clusterContext(generateOkResponse(accessConfigurationEntity)).build();
    }

    @GET
    @Path("")
    @Consumes({"*/*"})
    @ApiOperation(value = "Gets the status the client's access", response = AccessStatusEntity.class)
    @ApiResponses({@ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Unable to determine access status because the client could not be authenticated."), @ApiResponse(code = 403, message = "Unable to determine access status because the client is not authorized to make this request."), @ApiResponse(code = 409, message = "Unable to determine access status because NiFi is not in the appropriate state."), @ApiResponse(code = 500, message = "Unable to determine access status because an unexpected error occurred.")})
    @Produces({"application/xml", "application/json"})
    public Response getAccessStatus(@Context HttpServletRequest httpServletRequest, @ApiParam(value = "If the client id is not specified, new one will be generated. This value (whether specified or generated) is included in the response.", required = false) @QueryParam("clientId") @DefaultValue("") ClientIdParameter clientIdParameter) {
        if (!httpServletRequest.isSecure()) {
            throw new IllegalStateException("User authentication/authorization is only supported when running over HTTPS.");
        }
        AccessStatusDTO accessStatusDTO = new AccessStatusDTO();
        try {
            X509Certificate[] extractClientCertificate = this.certificateExtractor.extractClientCertificate(httpServletRequest);
            if (extractClientCertificate == null) {
                String header = httpServletRequest.getHeader("Authorization");
                if (header == null) {
                    accessStatusDTO.setStatus(AccessStatusDTO.Status.UNKNOWN.name());
                    accessStatusDTO.setMessage("No credentials supplied, unknown user.");
                } else {
                    if (this.loginIdentityProvider == null) {
                        throw new IllegalStateException("This NiFi is not configured to support username/password logins.");
                    }
                    try {
                        String authenticationFromToken = this.jwtService.getAuthenticationFromToken(StringUtils.substringAfterLast(header, " "));
                        accessStatusDTO.setIdentity(authenticationFromToken);
                        accessStatusDTO.setUsername(CertificateUtils.extractUsername(authenticationFromToken));
                        UserDetails checkAuthorization = checkAuthorization(Arrays.asList(authenticationFromToken));
                        accessStatusDTO.setStatus(AccessStatusDTO.Status.ACTIVE.name());
                        if (checkAuthorization.getAuthorities().isEmpty()) {
                            accessStatusDTO.setMessage("Your account is active but currently does not have any level of access.");
                        } else {
                            accessStatusDTO.setMessage("Your account is active and you are already logged in.");
                        }
                    } catch (JwtException e) {
                        throw new InvalidAuthenticationException(e.getMessage(), e);
                    }
                }
            } else {
                try {
                    AuthenticationResponse authenticate = this.certificateIdentityProvider.authenticate(extractClientCertificate);
                    List<String> buildProxiedEntitiesChain = ProxiedEntitiesUtils.buildProxiedEntitiesChain(httpServletRequest, authenticate.getIdentity());
                    if (buildProxiedEntitiesChain.isEmpty()) {
                        logger.error(String.format("Unable to parse the proxy chain %s from the incoming request.", authenticate.getIdentity()));
                        throw new IllegalArgumentException("Unable to determine the user from the incoming request.");
                    }
                    accessStatusDTO.setIdentity(buildProxiedEntitiesChain.get(0));
                    accessStatusDTO.setUsername(CertificateUtils.extractUsername(buildProxiedEntitiesChain.get(0)));
                    UserDetails checkAuthorization2 = checkAuthorization(buildProxiedEntitiesChain);
                    accessStatusDTO.setStatus(AccessStatusDTO.Status.ACTIVE.name());
                    if (checkAuthorization2.getAuthorities().isEmpty()) {
                        accessStatusDTO.setMessage("Your account is active but currently does not have any level of access.");
                    } else {
                        accessStatusDTO.setMessage("Your account is active and you are already logged in.");
                    }
                } catch (IllegalArgumentException e2) {
                    throw new InvalidAuthenticationException(e2.getMessage(), e2);
                }
            }
        } catch (UntrustedProxyException e3) {
            throw new AccessDeniedException(e3.getMessage(), e3);
        } catch (AccountStatusException e4) {
            accessStatusDTO.setStatus(AccessStatusDTO.Status.NOT_ACTIVE.name());
            accessStatusDTO.setMessage(e4.getMessage());
        } catch (AuthenticationServiceException e5) {
            throw new AdministrationException(e5.getMessage(), e5);
        } catch (UsernameNotFoundException e6) {
            if (this.properties.getSupportNewAccountRequests()) {
                accessStatusDTO.setStatus(AccessStatusDTO.Status.UNREGISTERED.name());
                accessStatusDTO.setMessage(String.format("Unregistered user %s", accessStatusDTO.getIdentity()));
            } else {
                accessStatusDTO.setStatus(AccessStatusDTO.Status.NOT_ACTIVE.name());
                accessStatusDTO.setMessage("This NiFi does not support new account requests.");
            }
        }
        RevisionDTO revisionDTO = new RevisionDTO();
        revisionDTO.setClientId(clientIdParameter.getClientId());
        AccessStatusEntity accessStatusEntity = new AccessStatusEntity();
        accessStatusEntity.setRevision(revisionDTO);
        accessStatusEntity.setAccessStatus(accessStatusDTO);
        return generateOkResponse(accessStatusEntity).build();
    }

    private UserDetails checkAuthorization(List<String> list) throws AuthenticationException {
        return this.userDetailsService.loadUserDetails(new NiFiAuthortizationRequestToken(list));
    }

    @Path("/token")
    @Consumes({"application/x-www-form-urlencoded"})
    @ApiOperation(value = "Creates a token for accessing the REST API via username/password", response = String.class)
    @ApiResponses({@ApiResponse(code = 400, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 409, message = "Unable to create access token because NiFi is not in the appropriate state. (i.e. may not be configured to support username/password login."), @ApiResponse(code = 500, message = "Unable to create access token because an unexpected error occurred.")})
    @POST
    @Produces({"text/plain"})
    public Response createAccessToken(@Context HttpServletRequest httpServletRequest, @FormParam("username") String str, @FormParam("password") String str2) {
        LoginAuthenticationToken loginAuthenticationToken;
        if (!httpServletRequest.isSecure()) {
            throw new IllegalStateException("Access tokens are only issued over HTTPS.");
        }
        if (this.loginIdentityProvider == null) {
            throw new IllegalStateException("Username/Password login not supported by this NiFi.");
        }
        X509Certificate[] extractClientCertificate = this.certificateExtractor.extractClientCertificate(httpServletRequest);
        if (extractClientCertificate != null) {
            AuthenticationResponse authenticate = this.certificateIdentityProvider.authenticate(extractClientCertificate);
            List<String> buildProxiedEntitiesChain = ProxiedEntitiesUtils.buildProxiedEntitiesChain(httpServletRequest, authenticate.getIdentity());
            if (buildProxiedEntitiesChain.isEmpty()) {
                logger.error(String.format("Unable to parse the proxy chain %s from the incoming request.", authenticate.getIdentity()));
                throw new IllegalArgumentException("Unable to determine the user from the incoming request.");
            }
            authorizeProxyIfNecessary(buildProxiedEntitiesChain);
            loginAuthenticationToken = new LoginAuthenticationToken(buildProxiedEntitiesChain.get(0), authenticate.getExpiration(), authenticate.getIssuer());
        } else {
            if (StringUtils.isBlank(str) || StringUtils.isBlank(str2)) {
                throw new IllegalArgumentException("The username and password must be specified.");
            }
            try {
                AuthenticationResponse authenticate2 = this.loginIdentityProvider.authenticate(new LoginCredentials(str, str2));
                long convert = TimeUnit.MILLISECONDS.convert(12L, TimeUnit.HOURS);
                long convert2 = TimeUnit.MILLISECONDS.convert(1L, TimeUnit.MINUTES);
                long expiration = authenticate2.getExpiration();
                if (expiration > convert) {
                    expiration = convert;
                    logger.warn(String.format("Max token expiration exceeded. Setting expiration to %s from %s for %s", Long.valueOf(expiration), Long.valueOf(authenticate2.getExpiration()), authenticate2.getIdentity()));
                } else if (expiration < convert2) {
                    expiration = convert2;
                    logger.warn(String.format("Min token expiration not met. Setting expiration to %s from %s for %s", Long.valueOf(expiration), Long.valueOf(authenticate2.getExpiration()), authenticate2.getIdentity()));
                }
                loginAuthenticationToken = new LoginAuthenticationToken(authenticate2.getIdentity(), expiration, authenticate2.getIssuer());
            } catch (InvalidLoginCredentialsException e) {
                throw new IllegalArgumentException("The supplied username and password are not valid.", e);
            } catch (IdentityAccessException e2) {
                throw new AdministrationException(e2.getMessage(), e2);
            }
        }
        return generateCreatedResponse(URI.create(generateResourceUri("access", "token")), this.jwtService.generateSignedToken(loginAuthenticationToken)).build();
    }

    private void authorizeProxyIfNecessary(List<String> list) throws AuthenticationException {
        if (list.size() > 1) {
            try {
                this.userDetailsService.loadUserDetails(new NiFiAuthortizationRequestToken(list));
            } catch (Exception e) {
                throw new AccessDeniedException(e.getMessage(), e);
            } catch (AuthenticationServiceException e2) {
                throw new AdministrationException(e2.getMessage(), e2);
            } catch (UsernameNotFoundException e3) {
            }
        }
    }

    public void setProperties(NiFiProperties niFiProperties) {
        this.properties = niFiProperties;
    }

    public void setLoginIdentityProvider(LoginIdentityProvider loginIdentityProvider) {
        this.loginIdentityProvider = loginIdentityProvider;
    }

    public void setJwtService(JwtService jwtService) {
        this.jwtService = jwtService;
    }

    public void setCertificateExtractor(X509CertificateExtractor x509CertificateExtractor) {
        this.certificateExtractor = x509CertificateExtractor;
    }

    public void setCertificateIdentityProvider(X509IdentityProvider x509IdentityProvider) {
        this.certificateIdentityProvider = x509IdentityProvider;
    }

    public void setUserDetailsService(AuthenticationUserDetailsService<NiFiAuthortizationRequestToken> authenticationUserDetailsService) {
        this.userDetailsService = authenticationUserDetailsService;
    }
}
