package org.apache.nifi.web.api;

import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import io.jsonwebtoken.JwtException;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiResponse;
import io.swagger.annotations.ApiResponses;
import java.io.IOException;
import java.net.URI;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpStatus;
import org.apache.http.NameValuePair;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.http.conn.routing.HttpRouteDirector;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.protocol.HTTP;
import org.apache.nifi.admin.service.AdministrationException;
import org.apache.nifi.admin.service.IdpUserGroupService;
import org.apache.nifi.authentication.AuthenticationResponse;
import org.apache.nifi.authentication.LoginCredentials;
import org.apache.nifi.authentication.LoginIdentityProvider;
import org.apache.nifi.authentication.exception.AuthenticationNotSupportedException;
import org.apache.nifi.authentication.exception.IdentityAccessException;
import org.apache.nifi.authentication.exception.InvalidLoginCredentialsException;
import org.apache.nifi.authorization.AccessDeniedException;
import org.apache.nifi.authorization.user.NiFiUser;
import org.apache.nifi.authorization.user.NiFiUserDetails;
import org.apache.nifi.authorization.user.NiFiUserUtils;
import org.apache.nifi.authorization.util.IdentityMappingUtil;
import org.apache.nifi.idp.IdpType;
import org.apache.nifi.util.FormatUtils;
import org.apache.nifi.web.api.dto.AccessConfigurationDTO;
import org.apache.nifi.web.api.dto.AccessStatusDTO;
import org.apache.nifi.web.api.entity.AccessConfigurationEntity;
import org.apache.nifi.web.api.entity.AccessStatusEntity;
import org.apache.nifi.web.security.InvalidAuthenticationException;
import org.apache.nifi.web.security.UntrustedProxyException;
import org.apache.nifi.web.security.jwt.JwtAuthenticationProvider;
import org.apache.nifi.web.security.jwt.JwtAuthenticationRequestToken;
import org.apache.nifi.web.security.jwt.JwtService;
import org.apache.nifi.web.security.kerberos.KerberosService;
import org.apache.nifi.web.security.knox.KnoxService;
import org.apache.nifi.web.security.logout.LogoutRequest;
import org.apache.nifi.web.security.logout.LogoutRequestManager;
import org.apache.nifi.web.security.oidc.OidcService;
import org.apache.nifi.web.security.otp.OtpService;
import org.apache.nifi.web.security.saml.SAMLCredentialStore;
import org.apache.nifi.web.security.saml.SAMLService;
import org.apache.nifi.web.security.saml.SAMLStateManager;
import org.apache.nifi.web.security.token.LoginAuthenticationToken;
import org.apache.nifi.web.security.token.OtpAuthenticationToken;
import org.apache.nifi.web.security.x509.X509AuthenticationProvider;
import org.apache.nifi.web.security.x509.X509AuthenticationRequestToken;
import org.apache.nifi.web.security.x509.X509CertificateExtractor;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;

@Api(value = "/access", description = "Endpoints for obtaining an access token or checking access status.")
@Path("/access")
/* loaded from: input_file:WEB-INF/classes/org/apache/nifi/web/api/AccessResource.class */
public class AccessResource extends ApplicationResource {
    private static final String OIDC_REQUEST_IDENTIFIER = "oidc-request-identifier";
    private static final String OIDC_ID_TOKEN_AUTHN_ERROR = "Unable to exchange authorization for ID token: ";
    private static final String OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED_MSG = "OpenId Connect support is not configured";
    private static final String REVOKE_ACCESS_TOKEN_LOGOUT = "oidc_access_token_logout";
    private static final String ID_TOKEN_LOGOUT = "oidc_id_token_logout";
    private static final String STANDARD_LOGOUT = "oidc_standard_logout";
    private static final int msTimeout = 30000;
    private static final String SAML_REQUEST_IDENTIFIER = "saml-request-identifier";
    private static final String SAML_METADATA_MEDIA_TYPE = "application/samlmetadata+xml";
    private static final String LOGIN_ERROR_TITLE = "Unable to continue login sequence";
    private static final String LOGOUT_ERROR_TITLE = "Unable to continue logout sequence";
    private static final String LOGOUT_REQUEST_IDENTIFIER = "nifi-logout-request-identifier";
    private static final String AUTHENTICATION_NOT_ENABLED_MSG = "User authentication/authorization is only supported when running over HTTPS.";
    private static final String LOGOUT_REQUEST_IDENTIFIER_NOT_FOUND = "The logout request identifier was not found in the request. Unable to continue.";
    private static final String LOGOUT_REQUEST_NOT_FOUND_FOR_GIVEN_IDENTIFIER = "No logout request was found for the given identifier. Unable to continue.";
    private X509CertificateExtractor certificateExtractor;
    private X509AuthenticationProvider x509AuthenticationProvider;
    private X509PrincipalExtractor principalExtractor;
    private LoginIdentityProvider loginIdentityProvider;
    private JwtAuthenticationProvider jwtAuthenticationProvider;
    private JwtService jwtService;
    private OtpService otpService;
    private OidcService oidcService;
    private KnoxService knoxService;
    private KerberosService kerberosService;
    private SAMLService samlService;
    private SAMLStateManager samlStateManager;
    private SAMLCredentialStore samlCredentialStore;
    private IdpUserGroupService idpUserGroupService;
    private LogoutRequestManager logoutRequestManager;
    private static final Logger logger = LoggerFactory.getLogger(AccessResource.class);
    private static final Pattern REVOKE_ACCESS_TOKEN_LOGOUT_FORMAT = Pattern.compile("(\\.google\\.com)");
    private static final Pattern ID_TOKEN_LOGOUT_FORMAT = Pattern.compile("(\\.okta)");

    @GET
    @Path("config")
    @Consumes({"*/*"})
    @ApiOperation(value = "Retrieves the access configuration for this NiFi", response = AccessConfigurationEntity.class)
    @Produces({"application/json"})
    public Response getLoginConfig(@Context HttpServletRequest httpServletRequest) {
        AccessConfigurationDTO accessConfigurationDTO = new AccessConfigurationDTO();
        accessConfigurationDTO.setSupportsLogin(Boolean.valueOf(this.loginIdentityProvider != null && httpServletRequest.isSecure()));
        AccessConfigurationEntity accessConfigurationEntity = new AccessConfigurationEntity();
        accessConfigurationEntity.setConfig(accessConfigurationDTO);
        return generateOkResponse(accessConfigurationEntity).build();
    }

    @GET
    @Path("/saml/metadata")
    @Consumes({"*/*"})
    @ApiOperation(value = "Retrieves the service provider metadata.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({SAML_METADATA_MEDIA_TYPE})
    public Response samlMetadata(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        if (!httpServletRequest.isSecure()) {
            throw new AuthenticationNotSupportedException(AUTHENTICATION_NOT_ENABLED_MSG);
        }
        if (this.samlService.isSamlEnabled()) {
            initializeSamlServiceProvider();
            return Response.ok(this.samlService.getServiceProviderMetadata(), SAML_METADATA_MEDIA_TYPE).build();
        }
        logger.debug("SAML support is not configured");
        return Response.status(Response.Status.CONFLICT).entity("SAML support is not configured").build();
    }

    @GET
    @Path("/saml/login/request")
    @Consumes({"*/*"})
    @ApiOperation(value = "Initiates an SSO request to the configured SAML identity provider.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void samlLoginRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        if (!httpServletRequest.isSecure()) {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, AUTHENTICATION_NOT_ENABLED_MSG);
            return;
        }
        if (!this.samlService.isSamlEnabled()) {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, "SAML support is not configured");
            return;
        }
        initializeSamlServiceProvider();
        String uuid = UUID.randomUUID().toString();
        Cookie cookie = new Cookie(SAML_REQUEST_IDENTIFIER, uuid);
        cookie.setPath("/");
        cookie.setHttpOnly(true);
        cookie.setMaxAge(60);
        cookie.setSecure(true);
        httpServletResponse.addCookie(cookie);
        try {
            this.samlService.initiateLogin(httpServletRequest, httpServletResponse, this.samlStateManager.createState(uuid));
        } catch (Exception e) {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, e.getMessage());
        }
    }

    @Path("/saml/login/consumer")
    @Consumes({URLEncodedUtils.CONTENT_TYPE})
    @ApiOperation(value = "Processes the SSO response from the SAML identity provider for HTTP-POST binding.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @POST
    @Produces({"*/*"})
    public void samlLoginHttpPostConsumer(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse, MultivaluedMap<String, String> multivaluedMap) throws Exception {
        if (!httpServletRequest.isSecure()) {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, AUTHENTICATION_NOT_ENABLED_MSG);
        } else if (this.samlService.isSamlEnabled()) {
            samlLoginConsumer(httpServletRequest, httpServletResponse, getParameterMap(multivaluedMap));
        } else {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, "SAML support is not configured");
        }
    }

    @GET
    @Path("/saml/login/consumer")
    @Consumes({"*/*"})
    @ApiOperation(value = "Processes the SSO response from the SAML identity provider for HTTP-REDIRECT binding.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void samlLoginHttpRedirectConsumer(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse, @Context UriInfo uriInfo) throws Exception {
        if (!httpServletRequest.isSecure()) {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, AUTHENTICATION_NOT_ENABLED_MSG);
        } else if (this.samlService.isSamlEnabled()) {
            samlLoginConsumer(httpServletRequest, httpServletResponse, getParameterMap(uriInfo.getQueryParameters()));
        } else {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, "SAML support is not configured");
        }
    }

    private void samlLoginConsumer(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Map<String, String> map) throws Exception {
        initializeSamlServiceProvider();
        String cookieValue = getCookieValue(httpServletRequest.getCookies(), SAML_REQUEST_IDENTIFIER);
        if (cookieValue == null) {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, "The login request identifier was not found in the request. Unable to continue.");
            return;
        }
        String str = map.get("RelayState");
        if (str == null) {
            removeSamlRequestCookie(httpServletResponse);
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, "The RelayState parameter was not found in the request. Unable to continue.");
            return;
        }
        if (!this.samlStateManager.isStateValid(cookieValue, str)) {
            logger.error("The RelayState value returned by the SAML IDP does not match the stored state. Unable to continue login process.");
            removeSamlRequestCookie(httpServletResponse);
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, "Purposed RelayState does not match the stored state. Unable to continue login process.");
            return;
        }
        try {
            SAMLCredential processLogin = this.samlService.processLogin(httpServletRequest, httpServletResponse, map);
            String mapIdentity = IdentityMappingUtil.mapIdentity(this.samlService.getUserIdentity(processLogin), IdentityMappingUtil.getIdentityMappings(this.properties));
            this.samlStateManager.createJwt(cookieValue, new LoginAuthenticationToken(mapIdentity, mapIdentity, validateTokenExpiration(this.samlService.getAuthExpiration(), mapIdentity), processLogin.getRemoteEntityID()));
            this.samlCredentialStore.save(mapIdentity, processLogin);
            Set userGroups = this.samlService.getUserGroups(processLogin);
            if (logger.isDebugEnabled()) {
                logger.debug("SAML User '{}' belongs to the unmapped groups {}", mapIdentity, StringUtils.join(new Set[]{userGroups}));
            }
            List groupMappings = IdentityMappingUtil.getGroupMappings(this.properties);
            Set set = (Set) userGroups.stream().map(str2 -> {
                return IdentityMappingUtil.mapIdentity(str2, groupMappings);
            }).collect(Collectors.toSet());
            logger.info("SAML User '{}' belongs to the mapped groups {}", mapIdentity, StringUtils.join(new Set[]{set}));
            this.idpUserGroupService.replaceUserGroups(mapIdentity, IdpType.SAML, set);
            httpServletResponse.sendRedirect(getNiFiUri());
        } catch (Exception e) {
            removeSamlRequestCookie(httpServletResponse);
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, e.getMessage());
        }
    }

    @Path("/saml/login/exchange")
    @Consumes({"*/*"})
    @ApiOperation(value = "Retrieves a JWT following a successful login sequence using the configured SAML identity provider.", response = String.class, notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @POST
    @Produces({HTTP.PLAIN_TEXT_TYPE})
    public Response samlLoginExchange(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        if (!httpServletRequest.isSecure()) {
            throw new AuthenticationNotSupportedException(AUTHENTICATION_NOT_ENABLED_MSG);
        }
        if (!this.samlService.isSamlEnabled()) {
            logger.debug("SAML support is not configured");
            return Response.status(Response.Status.CONFLICT).entity("SAML support is not configured").build();
        }
        logger.info("Attempting to exchange SAML login request for a NiFi JWT...");
        initializeSamlServiceProvider();
        String cookieValue = getCookieValue(httpServletRequest.getCookies(), SAML_REQUEST_IDENTIFIER);
        if (cookieValue == null) {
            logger.warn("The login request identifier was not found in the request. Unable to continue.");
            return Response.status(Response.Status.BAD_REQUEST).entity("The login request identifier was not found in the request. Unable to continue.").build();
        }
        removeSamlRequestCookie(httpServletResponse);
        String jwt = this.samlStateManager.getJwt(cookieValue);
        if (jwt == null) {
            throw new IllegalArgumentException("A JWT for this login request identifier could not be found. Unable to continue.");
        }
        logger.info("SAML login exchange complete");
        return generateOkResponse(jwt).build();
    }

    @GET
    @Path("/saml/single-logout/request")
    @Consumes({"*/*"})
    @ApiOperation(value = "Initiates a logout request using the SingleLogout service of the configured SAML identity provider.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void samlSingleLogoutRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        if (!httpServletRequest.isSecure()) {
            throw new AuthenticationNotSupportedException(AUTHENTICATION_NOT_ENABLED_MSG);
        }
        if (!this.samlService.isSamlEnabled()) {
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, "SAML support is not configured");
            return;
        }
        String cookieValue = getCookieValue(httpServletRequest.getCookies(), LOGOUT_REQUEST_IDENTIFIER);
        if (StringUtils.isBlank(cookieValue)) {
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, LOGOUT_REQUEST_IDENTIFIER_NOT_FOUND);
            return;
        }
        LogoutRequest logoutRequest = this.logoutRequestManager.get(cookieValue);
        if (logoutRequest == null) {
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, LOGOUT_REQUEST_NOT_FOUND_FOR_GIVEN_IDENTIFIER);
            return;
        }
        initializeSamlServiceProvider();
        String mappedUserIdentity = logoutRequest.getMappedUserIdentity();
        logger.info("Attempting to performing SAML Single Logout for {}", mappedUserIdentity);
        SAMLCredential sAMLCredential = this.samlCredentialStore.get(mappedUserIdentity);
        if (sAMLCredential == null) {
            throw new IllegalStateException("Unable to find a stored SAML credential for " + mappedUserIdentity);
        }
        try {
            logger.info("Initiating SAML Single Logout with IDP...");
            this.samlService.initiateLogout(httpServletRequest, httpServletResponse, sAMLCredential);
        } catch (Exception e) {
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, e.getMessage());
        }
    }

    @GET
    @Path("/saml/single-logout/consumer")
    @Consumes({"*/*"})
    @ApiOperation(value = "Processes a SingleLogout message from the configured SAML identity provider using the HTTP-REDIRECT binding.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void samlSingleLogoutHttpRedirectConsumer(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse, @Context UriInfo uriInfo) throws Exception {
        if (!httpServletRequest.isSecure()) {
            throw new AuthenticationNotSupportedException(AUTHENTICATION_NOT_ENABLED_MSG);
        }
        if (this.samlService.isSamlEnabled()) {
            samlSingleLogoutConsumer(httpServletRequest, httpServletResponse, getParameterMap(uriInfo.getQueryParameters()));
        } else {
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, "SAML support is not configured");
        }
    }

    @Path("/saml/single-logout/consumer")
    @Consumes({"*/*"})
    @ApiOperation(value = "Processes a SingleLogout message from the configured SAML identity provider using the HTTP-POST binding.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @POST
    @Produces({"*/*"})
    public void samlSingleLogoutHttpPostConsumer(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse, MultivaluedMap<String, String> multivaluedMap) throws Exception {
        if (!httpServletRequest.isSecure()) {
            throw new AuthenticationNotSupportedException(AUTHENTICATION_NOT_ENABLED_MSG);
        }
        if (this.samlService.isSamlEnabled()) {
            samlSingleLogoutConsumer(httpServletRequest, httpServletResponse, getParameterMap(multivaluedMap));
        } else {
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, "SAML support is not configured");
        }
    }

    private void samlSingleLogoutConsumer(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Map<String, String> map) throws Exception {
        initializeSamlServiceProvider();
        String cookieValue = getCookieValue(httpServletRequest.getCookies(), LOGOUT_REQUEST_IDENTIFIER);
        if (StringUtils.isBlank(cookieValue)) {
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, LOGOUT_REQUEST_IDENTIFIER_NOT_FOUND);
            return;
        }
        LogoutRequest logoutRequest = this.logoutRequestManager.get(cookieValue);
        if (logoutRequest == null) {
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, LOGOUT_REQUEST_NOT_FOUND_FOR_GIVEN_IDENTIFIER);
            return;
        }
        this.logoutRequestManager.complete(cookieValue);
        removeLogoutRequestCookie(httpServletResponse);
        String mappedUserIdentity = logoutRequest.getMappedUserIdentity();
        logger.info("Consuming SAML Single Logout for {}", mappedUserIdentity);
        this.samlCredentialStore.delete(mappedUserIdentity);
        this.idpUserGroupService.deleteUserGroups(mappedUserIdentity);
        try {
            this.samlService.processLogout(httpServletRequest, httpServletResponse, map);
            logger.info("Completed SAML Single Logout for {}", mappedUserIdentity);
            httpServletResponse.sendRedirect(getNiFiLogoutCompleteUri());
        } catch (Exception e) {
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, e.getMessage());
        }
    }

    @GET
    @Path("/saml/local-logout")
    @Consumes({"*/*"})
    @ApiOperation(value = "Local logout when SAML is enabled, does not communicate with the IDP.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void samlLocalLogout(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        if (!httpServletRequest.isSecure()) {
            throw new AuthenticationNotSupportedException(AUTHENTICATION_NOT_ENABLED_MSG);
        }
        if (!this.samlService.isSamlEnabled()) {
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, "SAML support is not configured");
            return;
        }
        LogoutRequest completeLogoutRequest = completeLogoutRequest(httpServletResponse);
        if (completeLogoutRequest != null) {
            String mappedUserIdentity = completeLogoutRequest.getMappedUserIdentity();
            logger.info("Removing cached SAML information for " + mappedUserIdentity);
            this.samlCredentialStore.delete(mappedUserIdentity);
            logger.info("Removing cached SAML Groups for " + mappedUserIdentity);
            this.idpUserGroupService.deleteUserGroups(mappedUserIdentity);
        }
        httpServletResponse.sendRedirect(getNiFiLogoutCompleteUri());
    }

    private void initializeSamlServiceProvider() throws MetadataProviderException {
        if (this.samlService.isServiceProviderInitialized()) {
            return;
        }
        this.samlService.initializeServiceProvider(generateResourceUri("saml", "metadata").replace("/saml/metadata", ""));
    }

    private Map<String, String> getParameterMap(MultivaluedMap<String, String> multivaluedMap) {
        HashMap hashMap = new HashMap();
        for (String str : multivaluedMap.keySet()) {
            hashMap.put(str, multivaluedMap.getFirst(str));
        }
        return hashMap;
    }

    @GET
    @Path("oidc/request")
    @Consumes({"*/*"})
    @ApiOperation(value = "Initiates a request to authenticate through the configured OpenId Connect provider.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void oidcRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        if (!httpServletRequest.isSecure()) {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, AUTHENTICATION_NOT_ENABLED_MSG);
        } else if (this.oidcService.isOidcEnabled()) {
            httpServletResponse.sendRedirect(oidcRequestAuthorizationCode(httpServletResponse, getOidcCallback()).toString());
        } else {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED_MSG);
        }
    }

    @GET
    @Path("oidc/callback")
    @Consumes({"*/*"})
    @ApiOperation(value = "Redirect/callback URI for processing the result of the OpenId Connect login sequence.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void oidcCallback(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        if (!httpServletRequest.isSecure()) {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, AUTHENTICATION_NOT_ENABLED_MSG);
            return;
        }
        if (!this.oidcService.isOidcEnabled()) {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED_MSG);
            return;
        }
        String cookieValue = getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
        if (cookieValue == null) {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, "The login request identifier was not found in the request. Unable to continue.");
            return;
        }
        try {
            AuthenticationSuccessResponse parse = AuthenticationResponseParser.parse(getRequestUri());
            if (!parse.indicatesSuccess()) {
                removeOidcRequestCookie(httpServletResponse);
                forwardToLoginMessagePage(httpServletRequest, httpServletResponse, "Unsuccessful login attempt: " + ((AuthenticationErrorResponse) parse).getErrorObject().getDescription());
                return;
            }
            AuthenticationSuccessResponse authenticationSuccessResponse = parse;
            State state = authenticationSuccessResponse.getState();
            if (state == null || !this.oidcService.isStateValid(cookieValue, state)) {
                logger.error("The state value returned by the OpenId Connect Provider does not match the stored state. Unable to continue login process.");
                removeOidcRequestCookie(httpServletResponse);
                forwardToLoginMessagePage(httpServletRequest, httpServletResponse, "Purposed state does not match the stored state. Unable to continue login process.");
                return;
            }
            try {
                this.oidcService.storeJwt(cookieValue, this.jwtService.generateSignedToken(this.oidcService.exchangeAuthorizationCodeForLoginAuthenticationToken(new AuthorizationCodeGrant(authenticationSuccessResponse.getAuthorizationCode(), URI.create(getOidcCallback())))));
                httpServletResponse.sendRedirect(getNiFiUri());
            } catch (Exception e) {
                logger.error(OIDC_ID_TOKEN_AUTHN_ERROR + e.getMessage(), e);
                removeOidcRequestCookie(httpServletResponse);
                forwardToLoginMessagePage(httpServletRequest, httpServletResponse, OIDC_ID_TOKEN_AUTHN_ERROR + e.getMessage());
            }
        } catch (ParseException e2) {
            logger.error("Unable to parse the redirect URI from the OpenId Connect Provider. Unable to continue login process.");
            removeOidcRequestCookie(httpServletResponse);
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, "Unable to parse the redirect URI from the OpenId Connect Provider. Unable to continue login process.");
        }
    }

    @Path("oidc/exchange")
    @Consumes({"*/*"})
    @ApiOperation(value = "Retrieves a JWT following a successful login sequence using the configured OpenId Connect provider.", response = String.class, notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @POST
    @Produces({HTTP.PLAIN_TEXT_TYPE})
    public Response oidcExchange(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        if (!httpServletRequest.isSecure()) {
            throw new AuthenticationNotSupportedException(AUTHENTICATION_NOT_ENABLED_MSG);
        }
        if (!this.oidcService.isOidcEnabled()) {
            logger.debug(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED_MSG);
            return Response.status(Response.Status.CONFLICT).entity(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED_MSG).build();
        }
        String cookieValue = getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
        if (cookieValue == null) {
            logger.warn("The login request identifier was not found in the request. Unable to continue.");
            return Response.status(Response.Status.BAD_REQUEST).entity("The login request identifier was not found in the request. Unable to continue.").build();
        }
        removeOidcRequestCookie(httpServletResponse);
        String jwt = this.oidcService.getJwt(cookieValue);
        if (jwt == null) {
            throw new IllegalArgumentException("A JWT for this login request identifier could not be found. Unable to continue.");
        }
        return generateOkResponse(jwt).build();
    }

    @GET
    @Path("oidc/logout")
    @Consumes({"*/*"})
    @ApiOperation(value = "Performs a logout in the OpenId Provider.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void oidcLogout(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        if (!httpServletRequest.isSecure()) {
            throw new IllegalStateException(AUTHENTICATION_NOT_ENABLED_MSG);
        }
        if (!this.oidcService.isOidcEnabled()) {
            throw new IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED_MSG);
        }
        String determineLogoutMethod = determineLogoutMethod(this.properties.getOidcDiscoveryUrl());
        boolean z = -1;
        switch (determineLogoutMethod.hashCode()) {
            case -1853365018:
                if (determineLogoutMethod.equals(STANDARD_LOGOUT)) {
                    z = 2;
                    break;
                }
                break;
            case -1170133298:
                if (determineLogoutMethod.equals(ID_TOKEN_LOGOUT)) {
                    z = true;
                    break;
                }
                break;
            case 883140645:
                if (determineLogoutMethod.equals(REVOKE_ACCESS_TOKEN_LOGOUT)) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case HttpRouteDirector.COMPLETE /* 0 */:
            case HttpRouteDirector.CONNECT_TARGET /* 1 */:
                httpServletResponse.sendRedirect(oidcRequestAuthorizationCode(httpServletResponse, getOidcLogoutCallback()).toString());
                return;
            case true:
            default:
                URI endSessionEndpoint = this.oidcService.getEndSessionEndpoint();
                String generateResourceUri = generateResourceUri("..", "nifi", "logout-complete");
                if (endSessionEndpoint == null) {
                    httpServletResponse.sendRedirect(generateResourceUri);
                    return;
                } else {
                    httpServletResponse.sendRedirect(UriBuilder.fromUri(endSessionEndpoint).queryParam("post_logout_redirect_uri", new Object[]{generateResourceUri}).build(new Object[0]).toString());
                    return;
                }
        }
    }

    @GET
    @Path("oidc/logoutCallback")
    @Consumes({"*/*"})
    @ApiOperation(value = "Redirect/callback URI for processing the result of the OpenId Connect logout sequence.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void oidcLogoutCallback(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        if (!httpServletRequest.isSecure()) {
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, AUTHENTICATION_NOT_ENABLED_MSG);
            return;
        }
        if (!this.oidcService.isOidcEnabled()) {
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED_MSG);
            return;
        }
        String cookieValue = getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
        if (cookieValue == null) {
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, "The login request identifier was not found in the request. Unable to continue.");
            return;
        }
        try {
            AuthenticationSuccessResponse parse = AuthenticationResponseParser.parse(getRequestUri());
            if (!parse.indicatesSuccess()) {
                removeOidcRequestCookie(httpServletResponse);
                forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, "Unsuccessful logout attempt: " + ((AuthenticationErrorResponse) parse).getErrorObject().getDescription());
                return;
            }
            AuthenticationSuccessResponse authenticationSuccessResponse = parse;
            State state = authenticationSuccessResponse.getState();
            if (state == null || !this.oidcService.isStateValid(cookieValue, state)) {
                logger.error("The state value returned by the OpenId Connect Provider does not match the stored state. Unable to continue login process.");
                removeOidcRequestCookie(httpServletResponse);
                forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, "Purposed state does not match the stored state. Unable to continue login process.");
                return;
            }
            String determineLogoutMethod = determineLogoutMethod(this.properties.getOidcDiscoveryUrl());
            AuthorizationCodeGrant authorizationCodeGrant = new AuthorizationCodeGrant(authenticationSuccessResponse.getAuthorizationCode(), URI.create(getOidcLogoutCallback()));
            boolean z = -1;
            switch (determineLogoutMethod.hashCode()) {
                case -1170133298:
                    if (determineLogoutMethod.equals(ID_TOKEN_LOGOUT)) {
                        z = true;
                        break;
                    }
                    break;
                case 883140645:
                    if (determineLogoutMethod.equals(REVOKE_ACCESS_TOKEN_LOGOUT)) {
                        z = false;
                        break;
                    }
                    break;
            }
            switch (z) {
                case HttpRouteDirector.COMPLETE /* 0 */:
                    try {
                        String exchangeAuthorizationCodeForAccessToken = this.oidcService.exchangeAuthorizationCodeForAccessToken(authorizationCodeGrant);
                        URI revokeEndpoint = getRevokeEndpoint();
                        if (revokeEndpoint != null) {
                            try {
                                revokeEndpointRequest(httpServletResponse, exchangeAuthorizationCodeForAccessToken, revokeEndpoint);
                                return;
                            } catch (IOException e) {
                                logger.error("There was an error logging out of the OpenId Connect Provider: " + e.getMessage(), e);
                                removeOidcRequestCookie(httpServletResponse);
                                forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, "There was an error logging out of the OpenId Connect Provider: " + e.getMessage());
                                return;
                            }
                        }
                        return;
                    } catch (Exception e2) {
                        logger.error("Unable to exchange authorization for the Access token: " + e2.getMessage(), e2);
                        removeOidcRequestCookie(httpServletResponse);
                        forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, OIDC_ID_TOKEN_AUTHN_ERROR + e2.getMessage());
                        return;
                    }
                case HttpRouteDirector.CONNECT_TARGET /* 1 */:
                    try {
                        String exchangeAuthorizationCodeForIdToken = this.oidcService.exchangeAuthorizationCodeForIdToken(authorizationCodeGrant);
                        URI endSessionEndpoint = this.oidcService.getEndSessionEndpoint();
                        String generateResourceUri = generateResourceUri("..", "nifi", "logout-complete");
                        if (endSessionEndpoint != null) {
                            httpServletResponse.sendRedirect(UriBuilder.fromUri(endSessionEndpoint).queryParam("id_token_hint", new Object[]{exchangeAuthorizationCodeForIdToken}).queryParam("post_logout_redirect_uri", new Object[]{generateResourceUri}).build(new Object[0]).toString());
                            return;
                        } else {
                            logger.debug("Unable to log out of the OpenId Connect Provider. The end session endpoint is: null. Redirecting to the logout page.");
                            httpServletResponse.sendRedirect(generateResourceUri);
                            return;
                        }
                    } catch (Exception e3) {
                        logger.error(OIDC_ID_TOKEN_AUTHN_ERROR + e3.getMessage(), e3);
                        removeOidcRequestCookie(httpServletResponse);
                        forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, OIDC_ID_TOKEN_AUTHN_ERROR + e3.getMessage());
                        return;
                    }
                default:
                    return;
            }
        } catch (ParseException e4) {
            logger.error("Unable to parse the redirect URI from the OpenId Connect Provider. Unable to continue logout process: " + e4.getMessage(), e4);
            removeOidcRequestCookie(httpServletResponse);
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, "Unable to parse the redirect URI from the OpenId Connect Provider. Unable to continue logout process.");
        }
    }

    @GET
    @Path("knox/request")
    @Consumes({"*/*"})
    @ApiOperation(value = "Initiates a request to authenticate through Apache Knox.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void knoxRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        if (!httpServletRequest.isSecure()) {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, AUTHENTICATION_NOT_ENABLED_MSG);
        } else if (!this.knoxService.isKnoxEnabled()) {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, "Apache Knox SSO support is not configured.");
        } else {
            httpServletResponse.sendRedirect(UriBuilder.fromUri(this.knoxService.getKnoxUrl()).queryParam("originalUrl", new Object[]{generateResourceUri("access", "knox", "callback")}).build(new Object[0]).toString());
        }
    }

    @GET
    @Path("knox/callback")
    @Consumes({"*/*"})
    @ApiOperation(value = "Redirect/callback URI for processing the result of the Apache Knox login sequence.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void knoxCallback(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        if (!httpServletRequest.isSecure()) {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, AUTHENTICATION_NOT_ENABLED_MSG);
        } else if (this.knoxService.isKnoxEnabled()) {
            httpServletResponse.sendRedirect(getNiFiUri());
        } else {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, "Apache Knox SSO support is not configured.");
        }
    }

    @GET
    @Path("knox/logout")
    @Consumes({"*/*"})
    @ApiOperation(value = "Performs a logout in the Apache Knox.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void knoxLogout(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        httpServletResponse.sendRedirect(generateResourceUri("..", "nifi", "login"));
    }

    @GET
    @ApiResponses({@ApiResponse(code = HttpStatus.SC_BAD_REQUEST, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = HttpStatus.SC_UNAUTHORIZED, message = "Unable to determine access status because the client could not be authenticated."), @ApiResponse(code = HttpStatus.SC_FORBIDDEN, message = "Unable to determine access status because the client is not authorized to make this request."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "Unable to determine access status because NiFi is not in the appropriate state."), @ApiResponse(code = HttpStatus.SC_INTERNAL_SERVER_ERROR, message = "Unable to determine access status because an unexpected error occurred.")})
    @Path("")
    @Consumes({"*/*"})
    @ApiOperation(value = "Gets the status the client's access", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.", response = AccessStatusEntity.class)
    @Produces({"application/json"})
    public Response getAccessStatus(@Context HttpServletRequest httpServletRequest) {
        if (!httpServletRequest.isSecure()) {
            throw new AuthenticationNotSupportedException(AUTHENTICATION_NOT_ENABLED_MSG);
        }
        AccessStatusDTO accessStatusDTO = new AccessStatusDTO();
        try {
            X509Certificate[] extractClientCertificate = this.certificateExtractor.extractClientCertificate(httpServletRequest);
            if (extractClientCertificate == null) {
                String header = httpServletRequest.getHeader("Authorization");
                if (header == null) {
                    accessStatusDTO.setStatus(AccessStatusDTO.Status.UNKNOWN.name());
                    accessStatusDTO.setMessage("No credentials supplied, unknown user.");
                } else {
                    try {
                        accessStatusDTO.setIdentity(((NiFiUserDetails) this.jwtAuthenticationProvider.authenticate(new JwtAuthenticationRequestToken(StringUtils.substringAfterLast(header, " "), httpServletRequest.getRemoteAddr())).getDetails()).getNiFiUser().getIdentity());
                        accessStatusDTO.setStatus(AccessStatusDTO.Status.ACTIVE.name());
                        accessStatusDTO.setMessage("You are already logged in.");
                    } catch (JwtException e) {
                        throw new InvalidAuthenticationException(e.getMessage(), e);
                    }
                }
            } else {
                try {
                    accessStatusDTO.setIdentity(((NiFiUserDetails) this.x509AuthenticationProvider.authenticate(new X509AuthenticationRequestToken(httpServletRequest.getHeader("X-ProxiedEntitiesChain"), httpServletRequest.getHeader("X-ProxiedEntityGroups"), this.principalExtractor, extractClientCertificate, httpServletRequest.getRemoteAddr())).getDetails()).getNiFiUser().getIdentity());
                    accessStatusDTO.setStatus(AccessStatusDTO.Status.ACTIVE.name());
                    accessStatusDTO.setMessage("You are already logged in.");
                } catch (IllegalArgumentException e2) {
                    throw new InvalidAuthenticationException(e2.getMessage(), e2);
                }
            }
            AccessStatusEntity accessStatusEntity = new AccessStatusEntity();
            accessStatusEntity.setAccessStatus(accessStatusDTO);
            return generateOkResponse(accessStatusEntity).build();
        } catch (AuthenticationServiceException e3) {
            throw new AdministrationException(e3.getMessage(), e3);
        } catch (UntrustedProxyException e4) {
            throw new AccessDeniedException(e4.getMessage(), e4);
        }
    }

    @ApiResponses({@ApiResponse(code = HttpStatus.SC_FORBIDDEN, message = "Client is not authorized to make this request."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "Unable to create the download token because NiFi is not in the appropriate state. (i.e. may not have any tokens to grant or be configured to support username/password login)"), @ApiResponse(code = HttpStatus.SC_INTERNAL_SERVER_ERROR, message = "Unable to create download token because an unexpected error occurred.")})
    @Path("/download-token")
    @Consumes({URLEncodedUtils.CONTENT_TYPE})
    @ApiOperation(value = "Creates a single use access token for downloading FlowFile content.", notes = "The token returned is a base64 encoded string. It is valid for a single request up to five minutes from being issued. It is used as a query parameter name 'access_token'.", response = String.class)
    @POST
    @Produces({HTTP.PLAIN_TEXT_TYPE})
    public Response createDownloadToken(@Context HttpServletRequest httpServletRequest) {
        if (!httpServletRequest.isSecure()) {
            throw new IllegalStateException("Download tokens are only issued over HTTPS.");
        }
        NiFiUser niFiUser = NiFiUserUtils.getNiFiUser();
        if (niFiUser == null) {
            throw new AccessDeniedException("No user authenticated in the request.");
        }
        return generateCreatedResponse(URI.create(generateResourceUri("access", "download-token")), this.otpService.generateDownloadToken(new OtpAuthenticationToken(niFiUser.getIdentity()))).build();
    }

    @ApiResponses({@ApiResponse(code = HttpStatus.SC_FORBIDDEN, message = "Client is not authorized to make this request."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "Unable to create the download token because NiFi is not in the appropriate state. (i.e. may not have any tokens to grant or be configured to support username/password login)"), @ApiResponse(code = HttpStatus.SC_INTERNAL_SERVER_ERROR, message = "Unable to create download token because an unexpected error occurred.")})
    @Path("/ui-extension-token")
    @Consumes({URLEncodedUtils.CONTENT_TYPE})
    @ApiOperation(value = "Creates a single use access token for accessing a NiFi UI extension.", notes = "The token returned is a base64 encoded string. It is valid for a single request up to five minutes from being issued. It is used as a query parameter name 'access_token'.", response = String.class)
    @POST
    @Produces({HTTP.PLAIN_TEXT_TYPE})
    public Response createUiExtensionToken(@Context HttpServletRequest httpServletRequest) {
        if (!httpServletRequest.isSecure()) {
            throw new AuthenticationNotSupportedException("UI extension access tokens are only issued over HTTPS.");
        }
        NiFiUser niFiUser = NiFiUserUtils.getNiFiUser();
        if (niFiUser == null) {
            throw new AccessDeniedException("No user authenticated in the request.");
        }
        return generateCreatedResponse(URI.create(generateResourceUri("access", "ui-extension-token")), this.otpService.generateUiExtensionToken(new OtpAuthenticationToken(niFiUser.getIdentity()))).build();
    }

    @ApiResponses({@ApiResponse(code = HttpStatus.SC_BAD_REQUEST, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = HttpStatus.SC_UNAUTHORIZED, message = "NiFi was unable to complete the request because it did not contain a valid Kerberos ticket in the Authorization header. Retry this request after initializing a ticket with kinit and ensuring your browser is configured to support SPNEGO."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "Unable to create access token because NiFi is not in the appropriate state. (i.e. may not be configured to support Kerberos login."), @ApiResponse(code = HttpStatus.SC_INTERNAL_SERVER_ERROR, message = "Unable to create access token because an unexpected error occurred.")})
    @Path("/kerberos")
    @Consumes({HTTP.PLAIN_TEXT_TYPE})
    @ApiOperation(value = "Creates a token for accessing the REST API via Kerberos ticket exchange / SPNEGO negotiation", notes = "The token returned is formatted as a JSON Web Token (JWT). The token is base64 encoded and comprised of three parts. The header, the body, and the signature. The expiration of the token is a contained within the body. The token can be used in the Authorization header in the format 'Authorization: Bearer <token>'.", response = String.class)
    @POST
    @Produces({HTTP.PLAIN_TEXT_TYPE})
    public Response createAccessTokenFromTicket(@Context HttpServletRequest httpServletRequest) {
        if (!httpServletRequest.isSecure()) {
            throw new AuthenticationNotSupportedException("Access tokens are only issued over HTTPS.");
        }
        if (!this.properties.isKerberosSpnegoSupportEnabled() || this.kerberosService == null) {
            logger.debug("Kerberos ticket login not supported by this NiFi.");
            return Response.status(Response.Status.CONFLICT).entity("Kerberos ticket login not supported by this NiFi.").build();
        }
        if (!this.kerberosService.isValidKerberosHeader(httpServletRequest.getHeader("Authorization"))) {
            return generateNotAuthorizedResponse().header("WWW-Authenticate", "Negotiate").build();
        }
        try {
            Authentication validateKerberosTicket = this.kerberosService.validateKerberosTicket(httpServletRequest);
            if (validateKerberosTicket == null) {
                throw new IllegalArgumentException("Request is not HTTPS or Kerberos ticket missing or malformed");
            }
            long timeDuration = FormatUtils.getTimeDuration(this.properties.getKerberosAuthenticationExpiration(), TimeUnit.MILLISECONDS);
            String mapIdentity = IdentityMappingUtil.mapIdentity(validateKerberosTicket.getName(), IdentityMappingUtil.getIdentityMappings(this.properties));
            return generateCreatedResponse(URI.create(generateResourceUri("access", "kerberos")), this.jwtService.generateSignedToken(new LoginAuthenticationToken(mapIdentity, validateTokenExpiration(timeDuration, mapIdentity), "KerberosService"))).build();
        } catch (AuthenticationException e) {
            throw new AccessDeniedException(e.getMessage(), e);
        }
    }

    @ApiResponses({@ApiResponse(code = HttpStatus.SC_BAD_REQUEST, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = HttpStatus.SC_FORBIDDEN, message = "Client is not authorized to make this request."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "Unable to create access token because NiFi is not in the appropriate state. (i.e. may not be configured to support username/password login."), @ApiResponse(code = HttpStatus.SC_INTERNAL_SERVER_ERROR, message = "Unable to create access token because an unexpected error occurred.")})
    @Path("/token")
    @Consumes({URLEncodedUtils.CONTENT_TYPE})
    @ApiOperation(value = "Creates a token for accessing the REST API via username/password", notes = "The token returned is formatted as a JSON Web Token (JWT). The token is base64 encoded and comprised of three parts. The header, the body, and the signature. The expiration of the token is a contained within the body. The token can be used in the Authorization header in the format 'Authorization: Bearer <token>'.", response = String.class)
    @POST
    @Produces({HTTP.PLAIN_TEXT_TYPE})
    public Response createAccessToken(@Context HttpServletRequest httpServletRequest, @FormParam("username") String str, @FormParam("password") String str2) {
        if (!httpServletRequest.isSecure()) {
            throw new AuthenticationNotSupportedException("Access tokens are only issued over HTTPS.");
        }
        if (this.loginIdentityProvider == null) {
            throw new IllegalStateException("Username/Password login not supported by this NiFi.");
        }
        if (StringUtils.isBlank(str) || StringUtils.isBlank(str2)) {
            throw new IllegalArgumentException("The username and password must be specified.");
        }
        try {
            AuthenticationResponse authenticate = this.loginIdentityProvider.authenticate(new LoginCredentials(str, str2));
            String mapIdentity = IdentityMappingUtil.mapIdentity(authenticate.getIdentity(), IdentityMappingUtil.getIdentityMappings(this.properties));
            return generateCreatedResponse(URI.create(generateResourceUri("access", "token")), this.jwtService.generateSignedToken(new LoginAuthenticationToken(mapIdentity, validateTokenExpiration(authenticate.getExpiration(), mapIdentity), authenticate.getIssuer()))).build();
        } catch (InvalidLoginCredentialsException e) {
            throw new IllegalArgumentException("The supplied username and password are not valid.", e);
        } catch (IdentityAccessException e2) {
            throw new AdministrationException(e2.getMessage(), e2);
        }
    }

    @ApiResponses({@ApiResponse(code = HttpStatus.SC_OK, message = "User was logged out successfully."), @ApiResponse(code = HttpStatus.SC_UNAUTHORIZED, message = "Authentication token provided was empty or not in the correct JWT format."), @ApiResponse(code = HttpStatus.SC_INTERNAL_SERVER_ERROR, message = "Client failed to log out.")})
    @Path("/logout")
    @Consumes({"*/*"})
    @DELETE
    @ApiOperation(value = "Performs a logout for other providers that have been issued a JWT.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public Response logOut(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        if (!httpServletRequest.isSecure()) {
            throw new IllegalStateException(AUTHENTICATION_NOT_ENABLED_MSG);
        }
        String niFiUserIdentity = NiFiUserUtils.getNiFiUserIdentity();
        if (StringUtils.isBlank(niFiUserIdentity)) {
            return Response.status(Response.Status.UNAUTHORIZED).entity("Authentication token provided was empty or not in the correct JWT format.").build();
        }
        try {
            logger.info("Logging out " + niFiUserIdentity);
            this.jwtService.logOutUsingAuthHeader(httpServletRequest.getHeader("Authorization"));
            logger.info("Successfully invalidated JWT for " + niFiUserIdentity);
            LogoutRequest logoutRequest = new LogoutRequest(UUID.randomUUID().toString(), niFiUserIdentity);
            this.logoutRequestManager.start(logoutRequest);
            Cookie cookie = new Cookie(LOGOUT_REQUEST_IDENTIFIER, logoutRequest.getRequestIdentifier());
            cookie.setPath("/");
            cookie.setHttpOnly(true);
            cookie.setMaxAge(60);
            cookie.setSecure(true);
            httpServletResponse.addCookie(cookie);
            return generateOkResponse().build();
        } catch (JwtException e) {
            logger.error("Logout of user " + niFiUserIdentity + " failed due to: " + e.getMessage(), e);
            return Response.serverError().build();
        }
    }

    @GET
    @ApiResponses({@ApiResponse(code = HttpStatus.SC_OK, message = "User was logged out successfully."), @ApiResponse(code = HttpStatus.SC_UNAUTHORIZED, message = "Authentication token provided was empty or not in the correct JWT format."), @ApiResponse(code = HttpStatus.SC_INTERNAL_SERVER_ERROR, message = "Client failed to log out.")})
    @Path("/logout/complete")
    @Consumes({"*/*"})
    @ApiOperation(value = "Completes the logout sequence by removing the cached Logout Request and Cookie if they existed and redirects to /nifi/login.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void logOutComplete(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        if (!httpServletRequest.isSecure()) {
            throw new IllegalStateException(AUTHENTICATION_NOT_ENABLED_MSG);
        }
        completeLogoutRequest(httpServletResponse);
        httpServletResponse.sendRedirect(getNiFiLogoutCompleteUri());
    }

    private LogoutRequest completeLogoutRequest(HttpServletResponse httpServletResponse) {
        LogoutRequest logoutRequest = null;
        String cookieValue = getCookieValue(this.httpServletRequest.getCookies(), LOGOUT_REQUEST_IDENTIFIER);
        if (cookieValue != null) {
            logoutRequest = this.logoutRequestManager.complete(cookieValue);
        }
        if (logoutRequest == null) {
            logger.warn("Logout request did not exist for identifier: " + cookieValue);
        } else {
            logger.info("Completed logout request for " + logoutRequest.getMappedUserIdentity());
        }
        removeLogoutRequestCookie(httpServletResponse);
        return logoutRequest;
    }

    private long validateTokenExpiration(long j, String str) {
        long convert = TimeUnit.MILLISECONDS.convert(12L, TimeUnit.HOURS);
        long convert2 = TimeUnit.MILLISECONDS.convert(1L, TimeUnit.MINUTES);
        if (j > convert) {
            logger.warn(String.format("Max token expiration exceeded. Setting expiration to %s from %s for %s", Long.valueOf(convert), Long.valueOf(j), str));
            j = convert;
        } else if (j < convert2) {
            logger.warn(String.format("Min token expiration not met. Setting expiration to %s from %s for %s", Long.valueOf(convert2), Long.valueOf(j), str));
            j = convert2;
        }
        return j;
    }

    private String getCookieValue(Cookie[] cookieArr, String str) {
        if (cookieArr == null) {
            return null;
        }
        for (Cookie cookie : cookieArr) {
            if (str.equals(cookie.getName())) {
                return cookie.getValue();
            }
        }
        return null;
    }

    private String getOidcCallback() {
        return generateResourceUri("access", "oidc", "callback");
    }

    private String getOidcLogoutCallback() {
        return generateResourceUri("access", "oidc", "logoutCallback");
    }

    private URI getRevokeEndpoint() {
        return this.oidcService.getRevocationEndpoint();
    }

    private String getNiFiUri() {
        return StringUtils.substringBeforeLast(generateResourceUri(new String[0]), "/nifi-api") + "/nifi/";
    }

    private String getNiFiLogoutCompleteUri() {
        return getNiFiUri() + "logout-complete";
    }

    private void removeOidcRequestCookie(HttpServletResponse httpServletResponse) {
        removeCookie(httpServletResponse, OIDC_REQUEST_IDENTIFIER);
    }

    private void removeSamlRequestCookie(HttpServletResponse httpServletResponse) {
        removeCookie(httpServletResponse, SAML_REQUEST_IDENTIFIER);
    }

    private void removeLogoutRequestCookie(HttpServletResponse httpServletResponse) {
        removeCookie(httpServletResponse, LOGOUT_REQUEST_IDENTIFIER);
    }

    private void removeCookie(HttpServletResponse httpServletResponse, String str) {
        Cookie cookie = new Cookie(str, (String) null);
        cookie.setPath("/");
        cookie.setHttpOnly(true);
        cookie.setMaxAge(0);
        cookie.setSecure(true);
        httpServletResponse.addCookie(cookie);
    }

    private void forwardToLoginMessagePage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws Exception {
        forwardToMessagePage(httpServletRequest, httpServletResponse, LOGIN_ERROR_TITLE, str);
    }

    private void forwardToLogoutMessagePage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws Exception {
        forwardToMessagePage(httpServletRequest, httpServletResponse, LOGOUT_ERROR_TITLE, str);
    }

    private void forwardToMessagePage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2) throws Exception {
        httpServletRequest.setAttribute("title", str);
        httpServletRequest.setAttribute("messages", str2);
        httpServletRequest.getServletContext().getContext("/nifi").getRequestDispatcher("/WEB-INF/pages/message-page.jsp").forward(httpServletRequest, httpServletResponse);
    }

    private String determineLogoutMethod(String str) {
        return REVOKE_ACCESS_TOKEN_LOGOUT_FORMAT.matcher(str).find() ? REVOKE_ACCESS_TOKEN_LOGOUT : ID_TOKEN_LOGOUT_FORMAT.matcher(str).find() ? ID_TOKEN_LOGOUT : STANDARD_LOGOUT;
    }

    private URI oidcRequestAuthorizationCode(@Context HttpServletResponse httpServletResponse, String str) {
        String uuid = UUID.randomUUID().toString();
        Cookie cookie = new Cookie(OIDC_REQUEST_IDENTIFIER, uuid);
        cookie.setPath("/");
        cookie.setHttpOnly(true);
        cookie.setMaxAge(60);
        cookie.setSecure(true);
        httpServletResponse.addCookie(cookie);
        return UriBuilder.fromUri(this.oidcService.getAuthorizationEndpoint()).queryParam("client_id", new Object[]{this.oidcService.getClientId()}).queryParam("response_type", new Object[]{"code"}).queryParam("scope", new Object[]{this.oidcService.getScope().toString()}).queryParam("state", new Object[]{this.oidcService.createState(uuid).getValue()}).queryParam("redirect_uri", new Object[]{str}).build(new Object[0]);
    }

    private void revokeEndpointRequest(@Context HttpServletResponse httpServletResponse, String str, URI uri) throws IOException {
        CloseableHttpClient build = HttpClientBuilder.create().setDefaultRequestConfig(RequestConfig.custom().setConnectTimeout(msTimeout).setConnectionRequestTimeout(msTimeout).setSocketTimeout(msTimeout).build()).build();
        HttpPost httpPost = new HttpPost(uri);
        ArrayList arrayList = new ArrayList();
        arrayList.add(new BasicNameValuePair("token", str));
        httpPost.setEntity(new UrlEncodedFormEntity((List<? extends NameValuePair>) arrayList));
        CloseableHttpResponse execute = build.execute((HttpUriRequest) httpPost);
        Throwable th = null;
        try {
            build.close();
            if (execute.getStatusLine().getStatusCode() == 200) {
                logger.debug("You are logged out of the OpenId Connect Provider.");
                httpServletResponse.sendRedirect(generateResourceUri("..", "nifi", "logout-complete"));
            } else {
                logger.error("There was an error logging out of the OpenId Connect Provider. Response status: " + execute.getStatusLine().getStatusCode());
            }
            if (execute != null) {
                if (0 == 0) {
                    execute.close();
                    return;
                }
                try {
                    execute.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
        } catch (Throwable th3) {
            if (execute != null) {
                if (0 != 0) {
                    try {
                        execute.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    execute.close();
                }
            }
            throw th3;
        }
    }

    public void setLoginIdentityProvider(LoginIdentityProvider loginIdentityProvider) {
        this.loginIdentityProvider = loginIdentityProvider;
    }

    public void setJwtService(JwtService jwtService) {
        this.jwtService = jwtService;
    }

    public void setJwtAuthenticationProvider(JwtAuthenticationProvider jwtAuthenticationProvider) {
        this.jwtAuthenticationProvider = jwtAuthenticationProvider;
    }

    public void setKerberosService(KerberosService kerberosService) {
        this.kerberosService = kerberosService;
    }

    public void setX509AuthenticationProvider(X509AuthenticationProvider x509AuthenticationProvider) {
        this.x509AuthenticationProvider = x509AuthenticationProvider;
    }

    public void setPrincipalExtractor(X509PrincipalExtractor x509PrincipalExtractor) {
        this.principalExtractor = x509PrincipalExtractor;
    }

    public void setCertificateExtractor(X509CertificateExtractor x509CertificateExtractor) {
        this.certificateExtractor = x509CertificateExtractor;
    }

    public void setOtpService(OtpService otpService) {
        this.otpService = otpService;
    }

    public void setOidcService(OidcService oidcService) {
        this.oidcService = oidcService;
    }

    public void setKnoxService(KnoxService knoxService) {
        this.knoxService = knoxService;
    }

    public void setSamlService(SAMLService sAMLService) {
        this.samlService = sAMLService;
    }

    public void setSamlStateManager(SAMLStateManager sAMLStateManager) {
        this.samlStateManager = sAMLStateManager;
    }

    public void setSamlCredentialStore(SAMLCredentialStore sAMLCredentialStore) {
        this.samlCredentialStore = sAMLCredentialStore;
    }

    public void setIdpUserGroupService(IdpUserGroupService idpUserGroupService) {
        this.idpUserGroupService = idpUserGroupService;
    }

    public void setLogoutRequestManager(LogoutRequestManager logoutRequestManager) {
        this.logoutRequestManager = logoutRequestManager;
    }
}
