package org.apache.nifi.registry.web.security;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.nifi.registry.properties.NiFiRegistryProperties;
import org.apache.nifi.registry.security.authorization.resource.ResourceType;
import org.apache.nifi.registry.service.AuthorizationService;
import org.apache.nifi.registry.web.security.authentication.AnonymousIdentityFilter;
import org.apache.nifi.registry.web.security.authentication.IdentityAuthenticationProvider;
import org.apache.nifi.registry.web.security.authentication.IdentityFilter;
import org.apache.nifi.registry.web.security.authentication.exception.UntrustedProxyException;
import org.apache.nifi.registry.web.security.authentication.jwt.JwtIdentityProvider;
import org.apache.nifi.registry.web.security.authentication.x509.X509IdentityAuthenticationProvider;
import org.apache.nifi.registry.web.security.authentication.x509.X509IdentityProvider;
import org.apache.nifi.registry.web.security.authorization.ResourceAuthorizationFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;

/**
 * Spring Security configuration for the NiFi Registry web application.
 *
 * <p>What this class sets up, as visible in the code below:
 * <ul>
 *   <li>Spring Security's default configuration is switched off ({@code super(true)}), so only
 *       the features enabled explicitly in {@link #configure(HttpSecurity)} are active.</li>
 *   <li>Every request handled by the chain must be fully authenticated; sessions are
 *       {@link SessionCreationPolicy#STATELESS}.</li>
 *   <li>Two {@link IdentityFilter}s (X.509 and JWT) are registered ahead of the position of
 *       {@link AnonymousAuthenticationFilter}, each paired with an authentication provider.</li>
 *   <li>An anonymous identity filter is installed only when no SSL port is configured.</li>
 *   <li>A {@link ResourceAuthorizationFilter} runs after {@link FilterSecurityInterceptor} for
 *       the Actuator and Swagger resource types.</li>
 *   <li>{@code /access/token/**} is excluded from the filter chain altogether.</li>
 * </ul>
 *
 * <p>NOTE(review): because defaults are disabled, protections Spring would normally add (for
 * example response security headers and CSRF handling) are not configured in this class.
 * Confirm they are supplied elsewhere if the deployment needs them.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
/* loaded from: input_file:WEB-INF/classes/org/apache/nifi/registry/web/security/NiFiRegistrySecurityConfig.class */
public class NiFiRegistrySecurityConfig extends WebSecurityConfigurerAdapter {
    private static final Logger logger = LoggerFactory.getLogger(NiFiRegistrySecurityConfig.class);

    @Autowired
    private NiFiRegistryProperties properties;

    @Autowired
    private AuthorizationService authorizationService;

    // Created eagerly; only wired into the chain when no SSL port is configured.
    private AnonymousIdentityFilter anonymousAuthenticationFilter = new AnonymousIdentityFilter();

    @Autowired
    private X509IdentityProvider x509IdentityProvider;

    @Autowired
    private JwtIdentityProvider jwtIdentityProvider;

    // The members below are built lazily by the private accessor methods of the same name.
    private IdentityFilter x509AuthenticationFilter;
    private IdentityAuthenticationProvider x509AuthenticationProvider;
    private IdentityFilter jwtAuthenticationFilter;
    private IdentityAuthenticationProvider jwtAuthenticationProvider;
    private ResourceAuthorizationFilter resourceAuthorizationFilter;

    /**
     * Creates the configuration with Spring Security's default setup disabled.
     */
    public NiFiRegistrySecurityConfig() {
        // true == disableDefaults: nothing is enabled unless configure(HttpSecurity) asks for it.
        super(true);
    }

    /**
     * Excludes the token endpoints from the Spring Security filter chain.
     *
     * <p>Requests matching {@code /access/token/**} bypass every filter registered in
     * {@link #configure(HttpSecurity)}, including the identity filters and the resource
     * authorization filter. Whatever is served under that path has to enforce its own checks,
     * and the wildcard means any endpoint later added beneath it is excluded as well.
     *
     * @param webSecurity the web security builder to customise
     * @throws Exception declared by the overridden method
     */
    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        webSecurity.ignoring().antMatchers("/access/token/**");
    }

    /**
     * Builds the HTTP security chain: stateless, fully-authenticated requests with the X.509
     * and JWT identity filters, an optional anonymous filter, and resource authorization.
     *
     * @param httpSecurity the HTTP security builder to customise
     * @throws Exception if a filter cannot be created or the builder rejects the configuration
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .rememberMe().disable()
                .authorizeRequests()
                    .anyRequest().fullyAuthenticated()
                    .and()
                .exceptionHandling()
                    .authenticationEntryPoint(http401AuthenticationEntryPoint())
                    .and()
                .sessionManagement()
                    // No HTTP session is used for the security context; each request has to
                    // carry its own credentials.
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // Both identity filters are placed relative to AnonymousAuthenticationFilter's slot.
        httpSecurity.addFilterBefore((Filter) x509AuthenticationFilter(), AnonymousAuthenticationFilter.class);
        httpSecurity.addFilterBefore((Filter) jwtAuthenticationFilter(), AnonymousAuthenticationFilter.class);

        // Anonymous access is tied to the absence of an SSL port, i.e. an instance not
        // configured for HTTPS. With an SSL port set, no anonymous filter is installed.
        // NOTE(review): how the anonymous identity interacts with fullyAuthenticated() depends
        // on the token type AnonymousIdentityFilter produces, which is not visible here.
        final boolean sslPortConfigured = properties.getSslPort() != null;
        if (!sslPortConfigured) {
            httpSecurity.anonymous().authenticationFilter(anonymousAuthenticationFilter);
        }

        // Runs after FilterSecurityInterceptor, so authentication has already been decided.
        httpSecurity.addFilterAfter((Filter) resourceAuthorizationFilter(), FilterSecurityInterceptor.class);
    }

    /**
     * Registers the X.509 and JWT authentication providers, in that order.
     *
     * @param authenticationManagerBuilder the builder receiving the providers
     * @throws Exception declared by the overridden method
     */
    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder
                .authenticationProvider((AuthenticationProvider) x509AuthenticationProvider())
                .authenticationProvider((AuthenticationProvider) jwtAuthenticationProvider());
    }

    /**
     * Returns the identity filter backed by the X.509 identity provider, creating it on first use.
     */
    private IdentityFilter x509AuthenticationFilter() throws Exception {
        if (x509AuthenticationFilter == null) {
            x509AuthenticationFilter = new IdentityFilter(x509IdentityProvider);
        }
        return x509AuthenticationFilter;
    }

    /**
     * Returns the X.509 authentication provider, creating it on first use from the registry
     * properties, the configured authorizer and the X.509 identity provider.
     */
    private IdentityAuthenticationProvider x509AuthenticationProvider() {
        if (x509AuthenticationProvider == null) {
            x509AuthenticationProvider = new X509IdentityAuthenticationProvider(
                    properties, authorizationService.getAuthorizer(), x509IdentityProvider);
        }
        return x509AuthenticationProvider;
    }

    /**
     * Returns the identity filter backed by the JWT identity provider, creating it on first use.
     */
    private IdentityFilter jwtAuthenticationFilter() throws Exception {
        if (jwtAuthenticationFilter == null) {
            jwtAuthenticationFilter = new IdentityFilter(jwtIdentityProvider);
        }
        return jwtAuthenticationFilter;
    }

    /**
     * Returns the JWT authentication provider, creating it on first use from the registry
     * properties, the configured authorizer and the JWT identity provider.
     */
    private IdentityAuthenticationProvider jwtAuthenticationProvider() {
        if (jwtAuthenticationProvider == null) {
            jwtAuthenticationProvider = new IdentityAuthenticationProvider(
                    properties, authorizationService.getAuthorizer(), jwtIdentityProvider);
        }
        return jwtAuthenticationProvider;
    }

    /**
     * Returns the resource authorization filter, creating it on first use. Only the Actuator
     * and Swagger resource types are registered with it here.
     */
    private ResourceAuthorizationFilter resourceAuthorizationFilter() {
        if (resourceAuthorizationFilter == null) {
            resourceAuthorizationFilter = ResourceAuthorizationFilter.builder()
                    .setAuthorizationService(authorizationService)
                    .addResourceType(ResourceType.Actuator)
                    .addResourceType(ResourceType.Swagger)
                    .build();
        }
        return resourceAuthorizationFilter;
    }

    /**
     * Creates the entry point used when a request cannot be authenticated.
     *
     * <p>An {@link UntrustedProxyException} yields 403; any other authentication failure yields
     * 401. The exception's localized message is written to the response body as plain text, so
     * messages raised by the identity and authentication providers end up in front of the
     * client and should not carry sensitive detail.
     *
     * @return a new entry point instance
     */
    private AuthenticationEntryPoint http401AuthenticationEntryPoint() {
        return new AuthenticationEntryPoint() {
            @Override
            public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException failure) throws IOException, ServletException {
                final boolean untrustedProxy = failure instanceof UntrustedProxyException;
                final int status = untrustedProxy ? HttpServletResponse.SC_FORBIDDEN : HttpServletResponse.SC_UNAUTHORIZED;

                // toString() passes the exception as text for the {} placeholder; the full
                // exception is logged separately at debug level below.
                if (untrustedProxy) {
                    logger.info("Identity in proxy chain not trusted to act as a proxy: {} Returning 403 response.", failure.toString());
                } else {
                    logger.info("Client could not be authenticated due to: {} Returning 401 response.", failure.toString());
                }
                logger.debug("", failure);

                // A committed response can no longer have its status or body changed.
                if (!response.isCommitted()) {
                    response.setStatus(status);
                    response.setContentType("text/plain");
                    response.getWriter().println(String.format("%s Contact the system administrator.", failure.getLocalizedMessage()));
                }
            }
        };
    }
}
