package org.apache.nifi.web.api;

import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiResponse;
import io.swagger.annotations.ApiResponses;
import java.net.URI;
import java.security.cert.X509Certificate;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpStatus;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.http.protocol.HTTP;
import org.apache.nifi.admin.service.AdministrationException;
import org.apache.nifi.authentication.AuthenticationResponse;
import org.apache.nifi.authentication.LoginCredentials;
import org.apache.nifi.authentication.LoginIdentityProvider;
import org.apache.nifi.authentication.exception.AuthenticationNotSupportedException;
import org.apache.nifi.authentication.exception.IdentityAccessException;
import org.apache.nifi.authentication.exception.InvalidLoginCredentialsException;
import org.apache.nifi.authorization.AccessDeniedException;
import org.apache.nifi.authorization.user.NiFiUserDetails;
import org.apache.nifi.authorization.user.NiFiUserUtils;
import org.apache.nifi.authorization.util.IdentityMappingUtil;
import org.apache.nifi.util.FormatUtils;
import org.apache.nifi.web.api.cookie.ApplicationCookieName;
import org.apache.nifi.web.api.dto.AccessConfigurationDTO;
import org.apache.nifi.web.api.dto.AccessStatusDTO;
import org.apache.nifi.web.api.entity.AccessConfigurationEntity;
import org.apache.nifi.web.api.entity.AccessStatusEntity;
import org.apache.nifi.web.security.InvalidAuthenticationException;
import org.apache.nifi.web.security.LogoutException;
import org.apache.nifi.web.security.UntrustedProxyException;
import org.apache.nifi.web.security.jwt.provider.BearerTokenProvider;
import org.apache.nifi.web.security.jwt.revocation.JwtLogoutListener;
import org.apache.nifi.web.security.kerberos.KerberosService;
import org.apache.nifi.web.security.knox.KnoxService;
import org.apache.nifi.web.security.logout.LogoutRequest;
import org.apache.nifi.web.security.logout.LogoutRequestManager;
import org.apache.nifi.web.security.token.LoginAuthenticationToken;
import org.apache.nifi.web.security.x509.X509AuthenticationProvider;
import org.apache.nifi.web.security.x509.X509AuthenticationRequestToken;
import org.apache.nifi.web.security.x509.X509CertificateExtractor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;

@Api(value = "/access", description = "Endpoints for obtaining an access token or checking access status.")
@Path("/access")
/* loaded from: input_file:WEB-INF/classes/org/apache/nifi/web/api/AccessResource.class */
public class AccessResource extends ApplicationResource {
    private static final Logger logger = LoggerFactory.getLogger(AccessResource.class);
    protected static final String AUTHENTICATION_NOT_ENABLED_MSG = "User authentication/authorization is only supported when running over HTTPS.";
    private X509CertificateExtractor certificateExtractor;
    private X509AuthenticationProvider x509AuthenticationProvider;
    private X509PrincipalExtractor principalExtractor;
    private LoginIdentityProvider loginIdentityProvider;
    private JwtAuthenticationProvider jwtAuthenticationProvider;
    private JwtLogoutListener jwtLogoutListener;
    private BearerTokenProvider bearerTokenProvider;
    private BearerTokenResolver bearerTokenResolver;
    private KnoxService knoxService;
    private KerberosService kerberosService;
    private LogoutRequestManager logoutRequestManager;

    @GET
    @Path("config")
    @Consumes({"*/*"})
    @ApiOperation(value = "Retrieves the access configuration for this NiFi", response = AccessConfigurationEntity.class)
    @Produces({"application/json"})
    public Response getLoginConfig(@Context HttpServletRequest httpServletRequest) {
        AccessConfigurationDTO accessConfigurationDTO = new AccessConfigurationDTO();
        accessConfigurationDTO.setSupportsLogin(Boolean.valueOf(this.loginIdentityProvider != null && httpServletRequest.isSecure()));
        AccessConfigurationEntity accessConfigurationEntity = new AccessConfigurationEntity();
        accessConfigurationEntity.setConfig(accessConfigurationDTO);
        return generateOkResponse(accessConfigurationEntity).build();
    }

    @GET
    @Path("knox/request")
    @Consumes({"*/*"})
    @ApiOperation(value = "Initiates a request to authenticate through Apache Knox.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void knoxRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        if (!httpServletRequest.isSecure()) {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, AUTHENTICATION_NOT_ENABLED_MSG);
        } else if (!this.knoxService.isKnoxEnabled()) {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, "Apache Knox SSO support is not configured.");
        } else {
            httpServletResponse.sendRedirect(UriBuilder.fromUri(this.knoxService.getKnoxUrl()).queryParam("originalUrl", new Object[]{generateResourceUri("access", "knox", "callback")}).build(new Object[0]).toString());
        }
    }

    @GET
    @Path("knox/callback")
    @Consumes({"*/*"})
    @ApiOperation(value = "Redirect/callback URI for processing the result of the Apache Knox login sequence.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void knoxCallback(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        if (!httpServletRequest.isSecure()) {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, AUTHENTICATION_NOT_ENABLED_MSG);
        } else if (this.knoxService.isKnoxEnabled()) {
            httpServletResponse.sendRedirect(getNiFiUri());
        } else {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, "Apache Knox SSO support is not configured.");
        }
    }

    @GET
    @Path("knox/logout")
    @Consumes({"*/*"})
    @ApiOperation(value = "Performs a logout in the Apache Knox.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void knoxLogout(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        httpServletResponse.sendRedirect(generateResourceUri("..", "nifi", "login"));
    }

    @GET
    @ApiResponses({@ApiResponse(code = HttpStatus.SC_BAD_REQUEST, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = HttpStatus.SC_UNAUTHORIZED, message = "Unable to determine access status because the client could not be authenticated."), @ApiResponse(code = HttpStatus.SC_FORBIDDEN, message = "Unable to determine access status because the client is not authorized to make this request."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "Unable to determine access status because NiFi is not in the appropriate state."), @ApiResponse(code = HttpStatus.SC_INTERNAL_SERVER_ERROR, message = "Unable to determine access status because an unexpected error occurred.")})
    @Path("")
    @Consumes({"*/*"})
    @ApiOperation(value = "Gets the status the client's access", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.", response = AccessStatusEntity.class)
    @Produces({"application/json"})
    public Response getAccessStatus(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        if (!httpServletRequest.isSecure()) {
            throw new AuthenticationNotSupportedException(AUTHENTICATION_NOT_ENABLED_MSG);
        }
        AccessStatusDTO accessStatusDTO = new AccessStatusDTO();
        try {
            X509Certificate[] extractClientCertificate = this.certificateExtractor.extractClientCertificate(httpServletRequest);
            if (extractClientCertificate == null) {
                String resolve = this.bearerTokenResolver.resolve(httpServletRequest);
                if (resolve == null) {
                    accessStatusDTO.setStatus(AccessStatusDTO.Status.UNKNOWN.name());
                    accessStatusDTO.setMessage("Access Unknown: Certificate and Token not found.");
                } else {
                    try {
                        accessStatusDTO.setIdentity(((NiFiUserDetails) this.jwtAuthenticationProvider.authenticate(new BearerTokenAuthenticationToken(resolve)).getPrincipal()).getUsername());
                        accessStatusDTO.setStatus(AccessStatusDTO.Status.ACTIVE.name());
                        accessStatusDTO.setMessage("Access Granted: Token authenticated.");
                    } catch (AuthenticationException e) {
                        this.applicationCookieService.removeCookie(getCookieResourceUri(), httpServletResponse, ApplicationCookieName.AUTHORIZATION_BEARER);
                        throw e;
                    }
                }
            } else {
                try {
                    accessStatusDTO.setIdentity(((NiFiUserDetails) this.x509AuthenticationProvider.authenticate(new X509AuthenticationRequestToken(httpServletRequest.getHeader("X-ProxiedEntitiesChain"), httpServletRequest.getHeader("X-ProxiedEntityGroups"), this.principalExtractor, extractClientCertificate, httpServletRequest.getRemoteAddr())).getDetails()).getNiFiUser().getIdentity());
                    accessStatusDTO.setStatus(AccessStatusDTO.Status.ACTIVE.name());
                    accessStatusDTO.setMessage("Access Granted: Certificate authenticated.");
                } catch (IllegalArgumentException e2) {
                    throw new InvalidAuthenticationException(e2.getMessage(), e2);
                }
            }
            AccessStatusEntity accessStatusEntity = new AccessStatusEntity();
            accessStatusEntity.setAccessStatus(accessStatusDTO);
            return generateOkResponse(accessStatusEntity).build();
        } catch (AuthenticationServiceException e3) {
            throw new AdministrationException(e3.getMessage(), e3);
        } catch (UntrustedProxyException e4) {
            throw new AccessDeniedException(e4.getMessage(), e4);
        }
    }

    @ApiResponses({@ApiResponse(code = HttpStatus.SC_BAD_REQUEST, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = HttpStatus.SC_UNAUTHORIZED, message = "NiFi was unable to complete the request because it did not contain a valid Kerberos ticket in the Authorization header. Retry this request after initializing a ticket with kinit and ensuring your browser is configured to support SPNEGO."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "Unable to create access token because NiFi is not in the appropriate state. (i.e. may not be configured to support Kerberos login."), @ApiResponse(code = HttpStatus.SC_INTERNAL_SERVER_ERROR, message = "Unable to create access token because an unexpected error occurred.")})
    @Path("/kerberos")
    @Consumes({HTTP.PLAIN_TEXT_TYPE})
    @ApiOperation(value = "Creates a token for accessing the REST API via Kerberos ticket exchange / SPNEGO negotiation", notes = "The token returned is formatted as a JSON Web Token (JWT). The token is base64 encoded and comprised of three parts. The header, the body, and the signature. The expiration of the token is a contained within the body. The token can be used in the Authorization header in the format 'Authorization: Bearer <token>'. It is also stored in the browser as a cookie.", response = String.class)
    @POST
    @Produces({HTTP.PLAIN_TEXT_TYPE})
    public Response createAccessTokenFromTicket(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        if (!httpServletRequest.isSecure()) {
            throw new AuthenticationNotSupportedException("Access tokens are only issued over HTTPS.");
        }
        if (!this.properties.isKerberosSpnegoSupportEnabled() || this.kerberosService == null) {
            logger.debug("Kerberos ticket login not supported by this NiFi.");
            return Response.status(Response.Status.CONFLICT).entity("Kerberos ticket login not supported by this NiFi.").build();
        }
        if (!this.kerberosService.isValidKerberosHeader(httpServletRequest.getHeader("Authorization"))) {
            return generateNotAuthorizedResponse().header("WWW-Authenticate", "Negotiate").build();
        }
        try {
            Authentication validateKerberosTicket = this.kerberosService.validateKerberosTicket(httpServletRequest);
            if (validateKerberosTicket == null) {
                throw new IllegalArgumentException("Request is not HTTPS or Kerberos ticket missing or malformed");
            }
            String bearerToken = this.bearerTokenProvider.getBearerToken(new LoginAuthenticationToken(IdentityMappingUtil.mapIdentity(validateKerberosTicket.getName(), IdentityMappingUtil.getIdentityMappings(this.properties)), Math.round(FormatUtils.getPreciseTimeDuration(this.properties.getKerberosAuthenticationExpiration(), TimeUnit.MILLISECONDS)), "KerberosService"));
            URI create = URI.create(generateResourceUri("access", "kerberos"));
            setBearerToken(httpServletResponse, bearerToken);
            return generateCreatedResponse(create, bearerToken).build();
        } catch (AuthenticationException e) {
            throw new AccessDeniedException(e.getMessage(), e);
        }
    }

    @ApiResponses({@ApiResponse(code = HttpStatus.SC_BAD_REQUEST, message = "NiFi was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = HttpStatus.SC_FORBIDDEN, message = "Client is not authorized to make this request."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "Unable to create access token because NiFi is not in the appropriate state. (i.e. may not be configured to support username/password login."), @ApiResponse(code = HttpStatus.SC_INTERNAL_SERVER_ERROR, message = "Unable to create access token because an unexpected error occurred.")})
    @Path("/token")
    @Consumes({URLEncodedUtils.CONTENT_TYPE})
    @ApiOperation(value = "Creates a token for accessing the REST API via username/password", notes = "The token returned is formatted as a JSON Web Token (JWT). The token is base64 encoded and comprised of three parts. The header, the body, and the signature. The expiration of the token is a contained within the body. It is stored in the browser as a cookie, but also returned inthe response body to be stored/used by third party client scripts.", response = String.class)
    @POST
    @Produces({HTTP.PLAIN_TEXT_TYPE})
    public Response createAccessToken(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse, @FormParam("username") String str, @FormParam("password") String str2) {
        if (!httpServletRequest.isSecure()) {
            throw new AuthenticationNotSupportedException("Access tokens are only issued over HTTPS.");
        }
        if (this.loginIdentityProvider == null) {
            throw new IllegalStateException("Username/Password login not supported by this NiFi.");
        }
        if (StringUtils.isBlank(str) || StringUtils.isBlank(str2)) {
            throw new IllegalArgumentException("The username and password must be specified.");
        }
        try {
            AuthenticationResponse authenticate = this.loginIdentityProvider.authenticate(new LoginCredentials(str, str2));
            String bearerToken = this.bearerTokenProvider.getBearerToken(new LoginAuthenticationToken(IdentityMappingUtil.mapIdentity(authenticate.getIdentity(), IdentityMappingUtil.getIdentityMappings(this.properties)), authenticate.getExpiration(), authenticate.getIssuer()));
            URI create = URI.create(generateResourceUri("access", "token"));
            setBearerToken(httpServletResponse, bearerToken);
            return generateCreatedResponse(create, bearerToken).build();
        } catch (IdentityAccessException e) {
            throw new AdministrationException(e.getMessage(), e);
        } catch (InvalidLoginCredentialsException e2) {
            throw new IllegalArgumentException("The supplied username and password are not valid.", e2);
        }
    }

    @ApiResponses({@ApiResponse(code = HttpStatus.SC_OK, message = "User was logged out successfully."), @ApiResponse(code = HttpStatus.SC_UNAUTHORIZED, message = "Authentication token provided was empty or not in the correct JWT format."), @ApiResponse(code = HttpStatus.SC_INTERNAL_SERVER_ERROR, message = "Client failed to log out.")})
    @Path("/logout")
    @Consumes({"*/*"})
    @DELETE
    @ApiOperation(value = "Performs a logout for other providers that have been issued a JWT.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public Response logOut(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        if (!httpServletRequest.isSecure()) {
            throw new IllegalStateException(AUTHENTICATION_NOT_ENABLED_MSG);
        }
        String niFiUserIdentity = NiFiUserUtils.getNiFiUserIdentity();
        if (StringUtils.isBlank(niFiUserIdentity)) {
            return Response.status(Response.Status.UNAUTHORIZED).entity("Authentication token provided was empty or not in the correct JWT format.").build();
        }
        try {
            logger.info("Logout Started [{}]", niFiUserIdentity);
            logger.debug("Removing Authorization Cookie [{}]", niFiUserIdentity);
            this.applicationCookieService.removeCookie(getCookieResourceUri(), httpServletResponse, ApplicationCookieName.AUTHORIZATION_BEARER);
            this.jwtLogoutListener.logout(this.bearerTokenResolver.resolve(httpServletRequest));
            LogoutRequest logoutRequest = new LogoutRequest(UUID.randomUUID().toString(), niFiUserIdentity);
            this.logoutRequestManager.start(logoutRequest);
            this.applicationCookieService.addCookie(getCookieResourceUri(), httpServletResponse, ApplicationCookieName.LOGOUT_REQUEST_IDENTIFIER, logoutRequest.getRequestIdentifier());
            return generateOkResponse().build();
        } catch (LogoutException e) {
            logger.error("Logout Failed Identity [{}]", niFiUserIdentity, e);
            return Response.serverError().build();
        }
    }

    @GET
    @ApiResponses({@ApiResponse(code = HttpStatus.SC_OK, message = "User was logged out successfully."), @ApiResponse(code = HttpStatus.SC_UNAUTHORIZED, message = "Authentication token provided was empty or not in the correct JWT format."), @ApiResponse(code = HttpStatus.SC_INTERNAL_SERVER_ERROR, message = "Client failed to log out.")})
    @Path("/logout/complete")
    @Consumes({"*/*"})
    @ApiOperation(value = "Completes the logout sequence by removing the cached Logout Request and Cookie if they existed and redirects to /nifi/login.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void logOutComplete(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        if (!httpServletRequest.isSecure()) {
            throw new IllegalStateException(AUTHENTICATION_NOT_ENABLED_MSG);
        }
        completeLogoutRequest(httpServletResponse);
        httpServletResponse.sendRedirect(getNiFiLogoutCompleteUri());
    }

    private LogoutRequest completeLogoutRequest(HttpServletResponse httpServletResponse) {
        LogoutRequest logoutRequest = null;
        Optional<String> logoutRequestIdentifier = getLogoutRequestIdentifier();
        if (logoutRequestIdentifier.isPresent()) {
            String str = logoutRequestIdentifier.get();
            logoutRequest = this.logoutRequestManager.complete(str);
            logger.info("Logout Request [{}] Completed [{}]", str, logoutRequest.getMappedUserIdentity());
        } else {
            logger.warn("Logout Request Cookie [{}] not found", ApplicationCookieName.LOGOUT_REQUEST_IDENTIFIER.getCookieName());
        }
        removeLogoutRequestCookie(httpServletResponse);
        return logoutRequest;
    }

    private String getNiFiLogoutCompleteUri() {
        return getNiFiUri() + "logout-complete";
    }

    private void removeLogoutRequestCookie(HttpServletResponse httpServletResponse) {
        this.applicationCookieService.removeCookie(getCookieResourceUri(), httpServletResponse, ApplicationCookieName.LOGOUT_REQUEST_IDENTIFIER);
    }

    private Optional<String> getLogoutRequestIdentifier() {
        return this.applicationCookieService.getCookieValue(this.httpServletRequest, ApplicationCookieName.LOGOUT_REQUEST_IDENTIFIER);
    }

    public void setLoginIdentityProvider(LoginIdentityProvider loginIdentityProvider) {
        this.loginIdentityProvider = loginIdentityProvider;
    }

    public void setBearerTokenProvider(BearerTokenProvider bearerTokenProvider) {
        this.bearerTokenProvider = bearerTokenProvider;
    }

    public void setBearerTokenResolver(BearerTokenResolver bearerTokenResolver) {
        this.bearerTokenResolver = bearerTokenResolver;
    }

    public void setJwtAuthenticationProvider(JwtAuthenticationProvider jwtAuthenticationProvider) {
        this.jwtAuthenticationProvider = jwtAuthenticationProvider;
    }

    public void setJwtLogoutListener(JwtLogoutListener jwtLogoutListener) {
        this.jwtLogoutListener = jwtLogoutListener;
    }

    public void setKerberosService(KerberosService kerberosService) {
        this.kerberosService = kerberosService;
    }

    public void setX509AuthenticationProvider(X509AuthenticationProvider x509AuthenticationProvider) {
        this.x509AuthenticationProvider = x509AuthenticationProvider;
    }

    public void setPrincipalExtractor(X509PrincipalExtractor x509PrincipalExtractor) {
        this.principalExtractor = x509PrincipalExtractor;
    }

    public void setCertificateExtractor(X509CertificateExtractor x509CertificateExtractor) {
        this.certificateExtractor = x509CertificateExtractor;
    }

    public void setKnoxService(KnoxService knoxService) {
        this.knoxService = knoxService;
    }

    public void setLogoutRequestManager(LogoutRequestManager logoutRequestManager) {
        this.logoutRequestManager = logoutRequestManager;
    }
}
