package org.apache.nifi.registry.web.security.authentication.x509;

import java.util.List;
import java.util.ListIterator;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.registry.properties.NiFiRegistryProperties;
import org.apache.nifi.registry.security.authentication.AuthenticationRequest;
import org.apache.nifi.registry.security.authentication.AuthenticationResponse;
import org.apache.nifi.registry.security.authentication.IdentityProvider;
import org.apache.nifi.registry.security.authorization.Authorizer;
import org.apache.nifi.registry.security.authorization.RequestAction;
import org.apache.nifi.registry.security.authorization.Resource;
import org.apache.nifi.registry.security.authorization.exception.AccessDeniedException;
import org.apache.nifi.registry.security.authorization.resource.Authorizable;
import org.apache.nifi.registry.security.authorization.resource.ResourceFactory;
import org.apache.nifi.registry.security.authorization.user.NiFiUser;
import org.apache.nifi.registry.security.authorization.user.NiFiUserDetails;
import org.apache.nifi.registry.security.authorization.user.StandardNiFiUser;
import org.apache.nifi.registry.security.util.ProxiedEntitiesUtils;
import org.apache.nifi.registry.web.security.authentication.AuthenticationRequestToken;
import org.apache.nifi.registry.web.security.authentication.AuthenticationSuccessToken;
import org.apache.nifi.registry.web.security.authentication.IdentityAuthenticationProvider;
import org.apache.nifi.registry.web.security.authentication.exception.UntrustedProxyException;

/* loaded from: input_file:WEB-INF/classes/org/apache/nifi/registry/web/security/authentication/x509/X509IdentityAuthenticationProvider.class */
/**
 * Identity authentication provider for X.509 client certificates that also
 * understands a proxied-entities chain carried in the authentication request
 * details.
 *
 * <p>When a chain is present, the authenticated identity is treated as the
 * last hop. Every identity that stands in front of another entry must be
 * authorized for {@code WRITE} on the proxy resource; otherwise the whole
 * authentication is rejected with {@link UntrustedProxyException}.
 *
 * <p>NOTE(review): the chain string is only tokenized here, not otherwise
 * validated. It presumably originates from a client-supplied request header;
 * confirm against the code that builds the {@link AuthenticationRequest}. The
 * proxy-resource check below is the only gate on that value in this class.
 */
public class X509IdentityAuthenticationProvider extends IdentityAuthenticationProvider {

    /**
     * Authorizable for the proxy resource. It has no parent authorizable, and
     * its resource comes from {@link ResourceFactory#getProxyResource()}.
     */
    private static final Authorizable PROXY_AUTHORIZABLE = new Authorizable() {
        @Override
        public Resource getResource() {
            return ResourceFactory.getProxyResource();
        }

        @Override
        public Authorizable getParentAuthorizable() {
            return null;
        }
    };

    /**
     * Creates the provider; all three collaborators are handed to the superclass unchanged.
     *
     * @param niFiRegistryProperties registry properties
     * @param authorizer authorizer used for the proxy-resource check
     * @param identityProvider identity provider passed to the superclass
     */
    public X509IdentityAuthenticationProvider(NiFiRegistryProperties niFiRegistryProperties, Authorizer authorizer, IdentityProvider identityProvider) {
        super(niFiRegistryProperties, authorizer, identityProvider);
    }

    /**
     * Builds the success token, expanding a proxied-entities chain when the
     * request details carry one.
     *
     * <p>With blank details the superclass implementation is used. Otherwise the
     * details string is tokenized, the authenticated identity is appended as the
     * last element, and the list is walked from last to first so that each user
     * wraps the one built before it. The returned token holds the user built for
     * the first list entry. That entry is the only one not subject to the proxy
     * authorization check in this method.
     *
     * <p>The decompiler reports that this method's access modifier was changed
     * from {@code protected}.
     *
     * @param authenticationRequestToken token carrying the request and the client address
     * @param authenticationResponse response carrying the authenticated identity
     * @return token wrapping the user for the first chain entry, or the superclass result
     * @throws UntrustedProxyException if any identity acting as a proxy is denied
     *         {@code WRITE} on the proxy resource
     */
    @Override
    public AuthenticationSuccessToken buildAuthenticatedToken(AuthenticationRequestToken authenticationRequestToken, AuthenticationResponse authenticationResponse) {
        final AuthenticationRequest request = authenticationRequestToken.getAuthenticationRequest();

        // Unchecked cast: non-String details would surface as a ClassCastException.
        String chainText = null;
        if (request.getDetails() != null) {
            chainText = (String) request.getDetails();
        }

        if (StringUtils.isBlank(chainText)) {
            return super.buildAuthenticatedToken(authenticationRequestToken, authenticationResponse);
        }

        final List<String> identities = ProxiedEntitiesUtils.tokenizeProxiedEntitiesChain(chainText);
        identities.add(authenticationResponse.getIdentity());

        NiFiUser chainHead = null;
        for (ListIterator<String> cursor = identities.listIterator(identities.size()); cursor.hasPrevious(); ) {
            final String rawIdentity = cursor.previous();

            // A blank entry is represented by the anonymous user; it skips identity mapping.
            final boolean anonymous = StringUtils.isBlank(rawIdentity);
            final String identity;
            if (anonymous) {
                identity = "anonymous";
            } else {
                identity = mapIdentity(rawIdentity);
            }

            final Set<String> groups = getUserGroups(identity);

            // Only the first user built (the authenticated identity) gets the client address.
            final String clientAddress;
            if (chainHead == null) {
                clientAddress = authenticationRequestToken.getClientAddress();
            } else {
                clientAddress = null;
            }

            chainHead = createUser(identity, groups, chainHead, clientAddress, anonymous);

            // Any entry with a predecessor in the list is acting as a proxy and must be authorized.
            if (cursor.hasPrevious()) {
                try {
                    PROXY_AUTHORIZABLE.authorize(this.authorizer, RequestAction.WRITE, chainHead);
                } catch (AccessDeniedException e) {
                    // NOTE(review): the denial is not attached as the cause; confirm whether
                    // UntrustedProxyException has a cause-taking constructor before changing this.
                    throw new UntrustedProxyException(String.format("Untrusted proxy %s", identity));
                }
            }
        }

        return new AuthenticationSuccessToken(new NiFiUserDetails(chainHead));
    }

    /**
     * Creates one user in the chain.
     *
     * <p>For an anonymous entry the identity and groups arguments are not used;
     * only the chain and client address are passed to
     * {@code StandardNiFiUser.populateAnonymousUser}.
     *
     * @param identity mapped identity of the user
     * @param groups groups resolved for that identity
     * @param chain user built so far that this user wraps, or {@code null}
     * @param clientAddress client address, or {@code null}
     * @param isAnonymous whether the chain entry was blank
     * @return the new user
     */
    private static NiFiUser createUser(String identity, Set<String> groups, NiFiUser chain, String clientAddress, boolean isAnonymous) {
        if (isAnonymous) {
            return StandardNiFiUser.populateAnonymousUser(chain, clientAddress);
        }
        return new StandardNiFiUser.Builder()
                .identity(identity)
                .groups(groups)
                .chain(chain)
                .clientAddress(clientAddress)
                .build();
    }
}
