package org.apache.nifi.web.security.x509;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.admin.service.AdministrationException;
import org.apache.nifi.admin.service.UserService;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.DnUtils;
import org.apache.nifi.web.security.UntrustedProxyException;
import org.apache.nifi.web.security.x509.ocsp.OcspCertificateValidator;
import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;

/* loaded from: input_file:org/apache/nifi/web/security/x509/X509AuthenticationFilter.class */
public class X509AuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter {
    public static final String PROXY_ENTITIES_CHAIN = "X-ProxiedEntitiesChain";
    public static final String PROXY_ENTITIES_ACCEPTED = "X-ProxiedEntitiesAccepted";
    public static final String PROXY_ENTITIES_DETAILS = "X-ProxiedEntitiesDetails";
    private final X509CertificateExtractor certificateExtractor = new X509CertificateExtractor();
    private final X509PrincipalExtractor principalExtractor = new SubjectDnX509PrincipalExtractor();
    private OcspCertificateValidator certificateValidator;
    private NiFiProperties properties;
    private UserService userService;

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        if (!isNewAccountRequest((HttpServletRequest) servletRequest)) {
            try {
                super.doFilter(servletRequest, servletResponse, filterChain);
                return;
            } catch (AuthenticationException e) {
                if (this.properties.getNeedClientAuth()) {
                    handleUnsuccessfulAuthentication((HttpServletRequest) servletRequest, httpServletResponse, e);
                    return;
                } else {
                    filterChain.doFilter(servletRequest, servletResponse);
                    return;
                }
            }
        }
        if (!this.properties.getSupportNewAccountRequests()) {
            handleUserServiceError((HttpServletRequest) servletRequest, httpServletResponse, 404, "This NiFi does not support new account requests.");
            return;
        }
        X509Certificate extractClientCertificate = this.certificateExtractor.extractClientCertificate((HttpServletRequest) servletRequest);
        if (extractClientCertificate == null) {
            handleMissingCertificate((HttpServletRequest) servletRequest, httpServletResponse);
            return;
        }
        String obj = this.principalExtractor.extractPrincipal(extractClientCertificate).toString();
        this.logger.info("Requesting new user account for " + obj);
        try {
            String parameter = servletRequest.getParameter("justification");
            if (parameter == null) {
                parameter = "";
            }
            this.userService.createPendingUserAccount(obj, parameter);
            httpServletResponse.setStatus(201);
            httpServletResponse.setContentType("text/plain");
            servletResponse.getWriter().println("Not authorized. User account created. Authorization pending.");
        } catch (IllegalArgumentException e2) {
            handleUserServiceError((HttpServletRequest) servletRequest, httpServletResponse, 400, e2.getMessage());
        } catch (AdministrationException e3) {
            handleUserServiceError((HttpServletRequest) servletRequest, httpServletResponse, 500, e3.getMessage());
        }
    }

    protected Object getPreAuthenticatedPrincipal(HttpServletRequest httpServletRequest) {
        X509Certificate extractClientCertificate = this.certificateExtractor.extractClientCertificate(httpServletRequest);
        if (extractClientCertificate == null) {
            return null;
        }
        String formatProxyDn = DnUtils.formatProxyDn(this.principalExtractor.extractPrincipal(extractClientCertificate).toString());
        try {
            extractClientCertificate.checkValidity();
            try {
                this.certificateValidator.validate(httpServletRequest);
                if (StringUtils.isNotBlank(httpServletRequest.getHeader(PROXY_ENTITIES_CHAIN))) {
                    formatProxyDn = httpServletRequest.getHeader(PROXY_ENTITIES_CHAIN) + formatProxyDn;
                }
                this.logger.info(String.format("Attempting request for (%s) %s %s (source ip: %s)", formatProxyDn, httpServletRequest.getMethod(), httpServletRequest.getRequestURL().toString(), httpServletRequest.getRemoteAddr()));
                return formatProxyDn;
            } catch (Exception e) {
                this.logger.info(e.getMessage());
                if (!this.logger.isDebugEnabled()) {
                    return null;
                }
                this.logger.debug("", e);
                return null;
            }
        } catch (CertificateExpiredException e2) {
            this.logger.info(String.format("Client certificate for (%s) is expired.", formatProxyDn), e2);
            if (!this.logger.isDebugEnabled()) {
                return null;
            }
            this.logger.debug("", e2);
            return null;
        } catch (CertificateNotYetValidException e3) {
            this.logger.info(String.format("Client certificate for (%s) is not yet valid.", formatProxyDn), e3);
            if (!this.logger.isDebugEnabled()) {
                return null;
            }
            this.logger.debug("", e3);
            return null;
        }
    }

    protected Object getPreAuthenticatedCredentials(HttpServletRequest httpServletRequest) {
        return this.certificateExtractor.extractClientCertificate(httpServletRequest);
    }

    protected void successfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
        if (StringUtils.isNotBlank(httpServletRequest.getHeader(PROXY_ENTITIES_CHAIN))) {
            httpServletResponse.setHeader(PROXY_ENTITIES_ACCEPTED, Boolean.TRUE.toString());
        }
        super.successfulAuthentication(httpServletRequest, httpServletResponse, authentication);
    }

    protected void unsuccessfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) {
        if (StringUtils.isNotBlank(httpServletRequest.getHeader(PROXY_ENTITIES_CHAIN))) {
            httpServletResponse.setHeader(PROXY_ENTITIES_DETAILS, authenticationException.getMessage());
        }
        super.unsuccessfulAuthentication(httpServletRequest, httpServletResponse, authenticationException);
    }

    private boolean isNewAccountRequest(HttpServletRequest httpServletRequest) {
        if (!"POST".equalsIgnoreCase(httpServletRequest.getMethod())) {
            return false;
        }
        String pathInfo = httpServletRequest.getPathInfo();
        return StringUtils.isNotBlank(pathInfo) && "/controller/users".equals(pathInfo);
    }

    private void handleUnsuccessfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException {
        httpServletResponse.setContentType("text/plain");
        PrintWriter writer = httpServletResponse.getWriter();
        if (authenticationException instanceof UsernameNotFoundException) {
            if (this.properties.getSupportNewAccountRequests()) {
                httpServletResponse.setStatus(401);
                writer.println("Not authorized.");
            } else {
                httpServletResponse.setStatus(403);
                writer.println("Access is denied.");
            }
        } else if (authenticationException instanceof AccountStatusException) {
            httpServletResponse.setStatus(403);
            writer.println(authenticationException.getMessage());
        } else if (authenticationException instanceof UntrustedProxyException) {
            httpServletResponse.setStatus(403);
            writer.println(authenticationException.getMessage());
        } else if (authenticationException instanceof AuthenticationServiceException) {
            this.logger.error(String.format("Unable to authorize: %s", authenticationException.getMessage()), authenticationException);
            httpServletResponse.setStatus(500);
            writer.println(String.format("Unable to authorize: %s", authenticationException.getMessage()));
        } else {
            this.logger.error(String.format("Unable to authorize: %s", authenticationException.getMessage()), authenticationException);
            httpServletResponse.setStatus(403);
            writer.println("Access is denied.");
        }
        this.logger.info(String.format("Rejecting access to web api: %s", authenticationException.getMessage()));
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("", authenticationException);
        }
    }

    private void handleUserServiceError(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, int i, String str) throws IOException {
        httpServletResponse.setContentType("text/plain");
        httpServletResponse.setStatus(i);
        httpServletResponse.getWriter().println(str);
        this.logger.info(String.format("Unable to process request because %s", str));
    }

    private void handleMissingCertificate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.setContentType("text/plain");
        httpServletResponse.setStatus(400);
        httpServletResponse.getWriter().println("Unable to process request because the user certificate was not specified.");
        this.logger.info("Unable to process request because the user certificate was not specified.");
    }

    public void setProperties(NiFiProperties niFiProperties) {
        this.properties = niFiProperties;
    }

    public void setUserService(UserService userService) {
        this.userService = userService;
    }

    public void setCertificateValidator(OcspCertificateValidator ocspCertificateValidator) {
        this.certificateValidator = ocspCertificateValidator;
    }
}
