package org.apache.nifi.registry.web.security.authentication;

import java.io.IOException;
import java.io.PrintWriter;
import javassist.compiler.TokenId;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.registry.security.authentication.AuthenticationRequest;
import org.apache.nifi.registry.security.authentication.IdentityProvider;
import org.apache.nifi.registry.security.authorization.user.NiFiUserUtils;
import org.apache.nifi.registry.security.util.ProxiedEntitiesUtils;
import org.apache.nifi.registry.web.security.authentication.exception.InvalidAuthenticationException;
import org.apache.nifi.registry.web.security.authentication.exception.UntrustedProxyException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

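/**
 * Servlet filter that authenticates a request with credentials extracted by a single
 * {@link IdentityProvider} and handed to the configured {@link AuthenticationManager}.
 *
 * <p>On success the resulting {@link Authentication} is stored in the security context and the
 * request continues down the filter chain. On failure the security context is cleared and a
 * plain-text error response is written; the chain is not continued.
 *
 * <p>The class is marked {@code @Deprecated}; the replacement is not visible in this file.
 */
@Deprecated
/* loaded from: input_file:WEB-INF/classes/org/apache/nifi/registry/web/security/authentication/IdentityAuthenticationFilter.class */
public class IdentityAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    /**
     * Default matcher: the filter only attempts authentication while
     * {@code NiFiUserUtils.getNiFiUser()} returns {@code null}, i.e. presumably when no earlier
     * filter has already established a user for this request.
     */
    private static final RequestMatcher requiresAuthenticationRequestMatcher = new RequestMatcher() { // from class: org.apache.nifi.registry.web.security.authentication.IdentityAuthenticationFilter.1
        @Override // org.springframework.security.web.util.matcher.RequestMatcher
        public boolean matches(HttpServletRequest httpServletRequest) {
            return NiFiUserUtils.getNiFiUser() == null;
        }
    };

    /** Extracts credentials from the request and identifies their origin to the manager. */
    private final IdentityProvider identityProvider;

    /**
     * Creates a filter that is applied only to requests matching the given Ant path pattern.
     *
     * @param identityProvider provider used to extract credentials from each request
     * @param authenticationManager manager that validates the extracted credentials
     * @param str Ant-style path pattern selecting the requests this filter processes
     */
    public IdentityAuthenticationFilter(IdentityProvider identityProvider, AuthenticationManager authenticationManager, String str) {
        super(str);
        super.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher(str));
        setAuthenticationManager(authenticationManager);
        this.identityProvider = identityProvider;
    }

    /**
     * Creates a filter that is applied to every request for which no user is established yet
     * (see {@link #requiresAuthenticationRequestMatcher}).
     *
     * @param identityProvider provider used to extract credentials from each request
     * @param authenticationManager manager that validates the extracted credentials
     */
    public IdentityAuthenticationFilter(IdentityProvider identityProvider, AuthenticationManager authenticationManager) {
        super(requiresAuthenticationRequestMatcher);
        setAuthenticationManager(authenticationManager);
        this.identityProvider = identityProvider;
    }

    /**
     * Extracts credentials from the request and authenticates them.
     *
     * @return the authenticated token; never {@code null}
     * @throws InvalidAuthenticationException if the request is not secure, if the provider finds
     *         no credentials, or if the manager returns {@code null}
     * @throws AuthenticationException propagated from the authentication manager
     */
    @Override // org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
        // Refuse to read credentials from a request the container does not consider secure.
        // NOTE(review): isSecure() reflects the container's view of the connection; behind a
        // TLS-terminating proxy it depends on how the container is configured - confirm.
        if (!httpServletRequest.isSecure()) {
            throw new InvalidAuthenticationException("Authentication of user identity claim is only avaialble when running a securely.");
        }

        final String providerName = this.identityProvider.getClass().getSimpleName();

        final AuthenticationRequest authenticationRequest = this.identityProvider.extractCredentials(httpServletRequest);
        if (authenticationRequest == null) {
            throw new InvalidAuthenticationException("User credentials not found in httpServletRequest by " + providerName);
        }

        // The token carries the provider class and the client address alongside the credentials.
        final Authentication authenticated = getAuthenticationManager().authenticate(
                new AuthenticationRequestToken(authenticationRequest, this.identityProvider.getClass(), httpServletRequest.getRemoteAddr()));
        if (authenticated == null) {
            throw new InvalidAuthenticationException("User credentials not authenticated by " + providerName);
        }
        return authenticated;
    }

    /**
     * Stores the authentication in the security context and continues the filter chain. When the
     * request carried a proxied-entities chain header, the response is flagged to say the chain
     * was accepted.
     */
    @Override // org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
    protected void successfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain, Authentication authentication) throws IOException, ServletException {
        // NOTE(review): this logs the token's toString() at INFO - confirm that
        // AuthenticationRequestToken does not render credentials there.
        this.logger.info("Authentication success for " + authentication);
        SecurityContextHolder.getContext().setAuthentication(authentication);
        if (StringUtils.isNotBlank(httpServletRequest.getHeader(ProxiedEntitiesUtils.PROXY_ENTITIES_CHAIN))) {
            httpServletResponse.setHeader(ProxiedEntitiesUtils.PROXY_ENTITIES_ACCEPTED, Boolean.TRUE.toString());
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Clears the security context and writes a plain-text error response whose status depends on
     * the failure type: 401 for {@link InvalidAuthenticationException}, 403 for
     * {@link UntrustedProxyException}, 500 for {@link AuthenticationServiceException}, and 403
     * with a generic body for anything else.
     */
    @Override // org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
    protected void unsuccessfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException, ServletException {
        this.logger.debug("Authentication request failed: " + authenticationException.toString(), authenticationException);
        SecurityContextHolder.clearContext();
        this.logger.debug("Updated SecurityContextHolder to contain null Authentication");

        // NOTE(review): the exception message is copied into a response header. If a message can
        // embed request-derived text (for example an identity taken from the proxy chain), this
        // relies on the servlet container rejecting CR/LF in header values - confirm.
        if (StringUtils.isNotBlank(httpServletRequest.getHeader(ProxiedEntitiesUtils.PROXY_ENTITIES_CHAIN))) {
            httpServletResponse.setHeader(ProxiedEntitiesUtils.PROXY_ENTITIES_DETAILS, authenticationException.getMessage());
        }

        httpServletResponse.setContentType("text/plain");
        PrintWriter writer = httpServletResponse.getWriter();

        // Status codes come from the servlet API. The decompiled source used the javassist
        // parser token constants TokenId.CharConstant (401) and TokenId.LongConstant (403),
        // which have the same numeric values but are unrelated to HTTP.
        if (authenticationException instanceof InvalidAuthenticationException) {
            httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            writer.println(authenticationException.getMessage());
        } else if (authenticationException instanceof UntrustedProxyException) {
            httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
            writer.println(authenticationException.getMessage());
        } else if (authenticationException instanceof AuthenticationServiceException) {
            this.logger.error(String.format("Unable to authorize: %s", authenticationException.getMessage()), authenticationException);
            httpServletResponse.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            // NOTE(review): an internal service error message is returned to the caller here;
            // confirm these messages never carry backend details that should stay server-side.
            writer.println(String.format("Unable to authorize: %s", authenticationException.getMessage()));
        } else {
            // Unknown failure types get a generic body; the detail goes to the log only.
            this.logger.error(String.format("Unable to authorize: %s", authenticationException.getMessage()), authenticationException);
            httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
            writer.println("Access is denied.");
        }

        this.logger.warn(String.format("Rejecting access to web api: %s", authenticationException.getMessage()));
        this.logger.debug("", authenticationException);
    }
}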
