package org.apache.nifi.registry.web.security.authentication.kerberos;

import java.nio.charset.StandardCharsets;
import java.util.concurrent.TimeUnit;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.registry.properties.NiFiRegistryProperties;
import org.apache.nifi.registry.security.authentication.AuthenticationRequest;
import org.apache.nifi.registry.security.authentication.AuthenticationResponse;
import org.apache.nifi.registry.security.authentication.IdentityProvider;
import org.apache.nifi.registry.security.authentication.IdentityProviderConfigurationContext;
import org.apache.nifi.registry.security.authentication.IdentityProviderUsage;
import org.apache.nifi.registry.security.authentication.exception.IdentityAccessException;
import org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException;
import org.apache.nifi.registry.security.exception.SecurityProviderCreationException;
import org.apache.nifi.registry.security.exception.SecurityProviderDestructionException;
import org.apache.nifi.registry.security.util.CryptoUtils;
import org.apache.nifi.registry.util.FormatUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.lang.Nullable;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.codec.Base64;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.KerberosServiceRequestToken;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;

/* loaded from: input_file:WEB-INF/classes/org/apache/nifi/registry/web/security/authentication/kerberos/KerberosSpnegoIdentityProvider.class */
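/**
 * {@link IdentityProvider} that authenticates clients presenting a SPNEGO/Kerberos ticket in the
 * HTTP {@code Authorization} header ({@code Negotiate <ticket>} or {@code Kerberos <ticket>}).
 *
 * <p>Credentials are only extracted from requests made over a secure (TLS) connection, because the
 * ticket is a bearer credential. The decoded ticket is handed to the Spring Security
 * {@link KerberosServiceAuthenticationProvider} for validation; the authenticated principal name is
 * returned as both identity and username of the {@link AuthenticationResponse}, with an expiration
 * taken from {@code NiFiRegistryProperties} (default 12 hours).
 *
 * <p>This provider is wired by Spring ({@link Autowired} constructor) and does not support being
 * loaded through the {@code IdentityProviderFactory}; see {@link #onConfigured}.
 */
public class KerberosSpnegoIdentityProvider implements IdentityProvider {
    private static final Logger logger = LoggerFactory.getLogger(KerberosSpnegoIdentityProvider.class);
    private static final String issuer = KerberosSpnegoIdentityProvider.class.getSimpleName();
    private static final IdentityProviderUsage usage = new IdentityProviderUsage() {
        public String getText() {
            return "The Kerberos user credentials must be passed in the HTTP Authorization header as specified by SPNEGO-based Kerberos. That is: 'Authorization: Negotiate <kerberosTicket>', where <kerberosTicket> is a value that will be validated by this identity provider against a Kerberos cluster.";
        }

        public IdentityProviderUsage.AuthType getAuthType() {
            return IdentityProviderUsage.AuthType.NEGOTIATE;
        }
    };
    private static final String AUTHORIZATION = "Authorization";
    private static final String AUTHORIZATION_NEGOTIATE = "Negotiate";
    private static final String AUTHORIZATION_KERBEROS = "Kerberos";
    /** Expiration applied to successful authentications when no value is configured. */
    private static final long DEFAULT_EXPIRATION_MILLIS = TimeUnit.HOURS.toMillis(12);

    /** May be {@code null} when Kerberos is not configured; {@link #authenticate} then fails closed. */
    private final KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider;
    /** Lifetime, in milliseconds, reported in each {@link AuthenticationResponse}. */
    private final long expiration;
    private final AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();

    /**
     * Creates the provider.
     *
     * @param kerberosServiceAuthenticationProvider the Spring Kerberos provider that validates tickets, or
     *        {@code null} if Kerberos is not configured
     * @param niFiRegistryProperties registry properties; the SPNEGO authentication expiration is read from them
     */
    @Autowired
    public KerberosSpnegoIdentityProvider(@Nullable KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider, NiFiRegistryProperties niFiRegistryProperties) {
        this.kerberosServiceAuthenticationProvider = kerberosServiceAuthenticationProvider;
        String configuredExpiration = niFiRegistryProperties.getKerberosSpnegoAuthenticationExpiration();
        // Fix: the parsed duration used to be discarded, so the configured expiration never took effect
        // and every response carried the 12 hour default.
        this.expiration = configuredExpiration != null
                ? FormatUtils.getTimeDuration(configuredExpiration, TimeUnit.MILLISECONDS)
                : DEFAULT_EXPIRATION_MILLIS;
    }

    /**
     * @return the usage instructions shown to clients (Negotiate auth type).
     */
    public IdentityProviderUsage getUsageInstructions() {
        return usage;
    }

    /**
     * Extracts a SPNEGO/Kerberos ticket from the request's {@code Authorization} header.
     *
     * @param httpServletRequest the incoming request
     * @return an {@link AuthenticationRequest} carrying the decoded ticket bytes as credentials (no
     *         username), or {@code null} when the request is not secure, carries no
     *         Negotiate/Kerberos header, or the ticket is not valid base64
     */
    public AuthenticationRequest extractCredentials(HttpServletRequest httpServletRequest) {
        // The ticket is a bearer credential: never accept it over a plaintext connection.
        if (!httpServletRequest.isSecure()) {
            return null;
        }
        String header = httpServletRequest.getHeader(AUTHORIZATION);
        if (!isValidKerberosHeader(header)) {
            return null;
        }
        logger.debug("Detected 'Authorization: Negotiate header in request {}", httpServletRequest.getRequestURL());
        // isValidKerberosHeader guarantees "<scheme> " as prefix, so the remainder is the encoded ticket.
        String encodedTicket = header.substring(header.indexOf(' ') + 1);
        byte[] ticket;
        try {
            // Strict JDK decoder replaces the deprecated Spring codec; malformed client input is rejected
            // rather than leniently decoded.
            ticket = java.util.Base64.getDecoder().decode(encodedTicket.getBytes(StandardCharsets.UTF_8));
        } catch (IllegalArgumentException e) {
            // Untrusted input that is not base64 is not a server error: treat it as "no credentials presented".
            logger.debug("Authorization: Negotiate header in request {} is not valid base64, ignoring it.", httpServletRequest.getRequestURL());
            return null;
        }
        logger.debug("Successfully decoded SPNEGO/Kerberos ticket passed in Authorization: Negotiate <ticket> header for request {}.", httpServletRequest.getRequestURL());
        return new AuthenticationRequest((String) null, ticket, this.authenticationDetailsSource.buildDetails(httpServletRequest));
    }

    /**
     * Validates the Kerberos ticket carried in {@code authenticationRequest} against the configured
     * {@link KerberosServiceAuthenticationProvider}.
     *
     * @param authenticationRequest request whose credentials are the raw ticket bytes
     * @return the authenticated principal as identity and username, or {@code null} if the request
     *         is {@code null} or carries no {@code byte[]} ticket
     * @throws IdentityAccessException if no Kerberos provider is configured
     * @throws InvalidCredentialsException if the ticket is rejected by the provider
     */
    public AuthenticationResponse authenticate(AuthenticationRequest authenticationRequest) throws InvalidCredentialsException, IdentityAccessException {
        if (authenticationRequest == null) {
            logger.info("Cannot authenticate null authenticationRequest, returning null.");
            return null;
        }
        Object credentials = authenticationRequest.getCredentials();
        // Fix: the original null-checked `credentials` but passed the byte[] cast result, so a non-byte[]
        // credential reached the provider as a null ticket. Anything that is not a byte[] is "no ticket".
        if (!(credentials instanceof byte[])) {
            logger.info("Kerberos Ticket not found in authenticationRequest credentials, returning null.");
            return null;
        }
        byte[] kerberosTicket = (byte[]) credentials;
        if (this.kerberosServiceAuthenticationProvider == null) {
            throw new IdentityAccessException("The Kerberos authentication provider is not initialized.");
        }
        try {
            KerberosServiceRequestToken token = new KerberosServiceRequestToken(kerberosTicket);
            token.setDetails(authenticationRequest.getDetails());
            Authentication authentication = this.kerberosServiceAuthenticationProvider.authenticate(token);
            if (authentication == null) {
                throw new InvalidCredentialsException("Kerberos credentials could not be authenticated.");
            }
            String principalName = authentication.getName();
            return new AuthenticationResponse(principalName, principalName, this.expiration, issuer);
        } catch (AuthenticationException e) {
            String message = "Kerberos credentials could not be authenticated.";
            // Only an explicit FALSE means unrestricted crypto; TRUE or an unknown (null) answer gets the hint,
            // because Kerberos may require AES-256.
            if (!Boolean.FALSE.equals(CryptoUtils.isCryptoRestricted())) {
                message += " This Java Runtime does not support unlimited strength encryption. This could cause Kerberos authentication to fail as it can require AES-256.";
            }
            logger.info(message);
            throw new InvalidCredentialsException(message, e);
        }
    }

    /**
     * Always fails: this provider is created by Spring, not by the {@code IdentityProviderFactory}.
     *
     * @param identityProviderConfigurationContext ignored
     * @throws SecurityProviderCreationException always
     */
    public void onConfigured(IdentityProviderConfigurationContext identityProviderConfigurationContext) throws SecurityProviderCreationException {
        throw new SecurityProviderCreationException(KerberosSpnegoIdentityProvider.class.getSimpleName() + " does not currently support being loaded via IdentityProviderFactory");
    }

    /**
     * No resources are held by this provider, so there is nothing to release.
     *
     * @throws SecurityProviderDestructionException never
     */
    public void preDestruction() throws SecurityProviderDestructionException {
        // Intentionally empty: nothing to clean up.
    }

    /**
     * Tells whether an {@code Authorization} header value carries a Kerberos ticket.
     *
     * <p>The scheme match is case-sensitive and requires exactly one space after the scheme,
     * which is what {@link #extractCredentials} relies on when slicing off the ticket.
     *
     * @param str the raw header value, possibly {@code null}
     * @return {@code true} for {@code "Negotiate <...>"} or {@code "Kerberos <...>"} values
     */
    public boolean isValidKerberosHeader(String str) {
        return str != null
                && (str.startsWith(AUTHORIZATION_NEGOTIATE + " ") || str.startsWith(AUTHORIZATION_KERBEROS + " "));
    }
}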
