package org.apache.nifi.registry.web.api;

import io.jsonwebtoken.JwtException;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiResponse;
import io.swagger.annotations.ApiResponses;
import io.swagger.annotations.Authorization;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpStatus;
import org.apache.nifi.registry.authorization.CurrentUser;
import org.apache.nifi.registry.event.EventService;
import org.apache.nifi.registry.exception.AdministrationException;
import org.apache.nifi.registry.properties.NiFiRegistryProperties;
import org.apache.nifi.registry.security.authentication.AuthenticationRequest;
import org.apache.nifi.registry.security.authentication.BasicAuthIdentityProvider;
import org.apache.nifi.registry.security.authentication.IdentityProvider;
import org.apache.nifi.registry.security.authentication.IdentityProviderUsage;
import org.apache.nifi.registry.security.authentication.exception.IdentityAccessException;
import org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException;
import org.apache.nifi.registry.security.authorization.user.NiFiUserUtils;
import org.apache.nifi.registry.service.AuthorizationService;
import org.apache.nifi.registry.web.exception.UnauthorizedException;
import org.apache.nifi.registry.web.security.authentication.jwt.JwtService;
import org.apache.nifi.registry.web.security.authentication.kerberos.KerberosSpnegoIdentityProvider;
import org.apache.nifi.registry.web.security.authentication.x509.X509IdentityProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.lang.Nullable;
import org.springframework.stereotype.Component;

@Api(value = "access", description = "Endpoints for obtaining an access token or checking access status.")
@Path("/access")
@Component
/* loaded from: input_file:WEB-INF/classes/org/apache/nifi/registry/web/api/AccessResource.class */
public class AccessResource extends ApplicationResource {
    private static final Logger logger = LoggerFactory.getLogger(AccessResource.class);
    private NiFiRegistryProperties properties;
    private AuthorizationService authorizationService;
    private JwtService jwtService;
    private X509IdentityProvider x509IdentityProvider;
    private KerberosSpnegoIdentityProvider kerberosSpnegoIdentityProvider;
    private IdentityProvider identityProvider;

    @Autowired
    public AccessResource(NiFiRegistryProperties niFiRegistryProperties, AuthorizationService authorizationService, JwtService jwtService, X509IdentityProvider x509IdentityProvider, @Nullable KerberosSpnegoIdentityProvider kerberosSpnegoIdentityProvider, @Nullable IdentityProvider identityProvider, EventService eventService) {
        super(eventService);
        this.properties = niFiRegistryProperties;
        this.jwtService = jwtService;
        this.x509IdentityProvider = x509IdentityProvider;
        this.kerberosSpnegoIdentityProvider = kerberosSpnegoIdentityProvider;
        this.identityProvider = identityProvider;
        this.authorizationService = authorizationService;
    }

    @GET
    @ApiResponses({@ApiResponse(code = HttpStatus.SC_CONFLICT, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid. The NiFi Registry might be running unsecured.")})
    @Consumes({"*/*"})
    @ApiOperation(value = "Get access status", notes = "Returns the current client's authenticated identity and permissions to top-level resources", response = CurrentUser.class, authorizations = {@Authorization("Authorization")})
    @Produces({"application/json"})
    public Response getAccessStatus(@Context HttpServletRequest httpServletRequest) {
        if (NiFiUserUtils.getNiFiUser() == null) {
            throw new WebApplicationException(new Throwable("Unable to access details for current user."));
        }
        CurrentUser currentUser = this.authorizationService.getCurrentUser();
        currentUser.setLoginSupported(httpServletRequest.isSecure() && this.identityProvider != null);
        return generateOkResponse(currentUser).build();
    }

    @ApiResponses({@ApiResponse(code = 400, message = "NiFi Registry was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid. The NiFi Registry may not be configured to support login with username/password."), @ApiResponse(code = 500, message = "NiFi Registry was unable to complete the request because an unexpected error occurred.")})
    @Path("/token")
    @Consumes({"*/*"})
    @ApiOperation(value = "Create token trying all providers", notes = "Creates a token for accessing the REST API via auto-detected method of verifying client identity claim credentials. The token returned is formatted as a JSON Web Token (JWT). The token is base64 encoded and comprised of three parts. The header, the body, and the signature. The expiration of the token is a contained within the body. The token can be used in the Authorization header in the format 'Authorization: Bearer <token>'.", response = String.class)
    @POST
    @Produces({"text/plain"})
    public Response createAccessTokenByTryingAllProviders(@Context HttpServletRequest httpServletRequest) {
        if (!httpServletRequest.isSecure()) {
            throw new IllegalStateException("Access tokens are only issued over HTTPS");
        }
        List<IdentityProvider> generateIdentityProviderWaterfall = generateIdentityProviderWaterfall();
        String str = null;
        for (IdentityProvider identityProvider : generateIdentityProviderWaterfall) {
            AuthenticationRequest extractCredentials = identityProvider.extractCredentials(httpServletRequest);
            if (extractCredentials != null) {
                try {
                    str = createAccessToken(identityProvider, extractCredentials);
                    break;
                } catch (InvalidCredentialsException e) {
                    logger.debug("{}: the supplied client credentials are invalid.", identityProvider.getClass().getSimpleName());
                    logger.debug("", e);
                }
            }
        }
        if (StringUtils.isEmpty(str)) {
            throw new UnauthorizedException("Client credentials are missing or invalid according to all configured identity providers.").withAuthenticateChallenge((List<IdentityProviderUsage.AuthType>) generateIdentityProviderWaterfall.stream().map((v0) -> {
                return v0.getUsageInstructions();
            }).map((v0) -> {
                return v0.getAuthType();
            }).filter((v0) -> {
                return Objects.nonNull(v0);
            }).distinct().collect(Collectors.toList()));
        }
        return generateCreatedResponse(URI.create(generateResourceUri("access", "token")), str).build();
    }

    @ApiResponses({@ApiResponse(code = 400, message = "NiFi Registry was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid. The NiFi Registry may not be configured to support login with username/password."), @ApiResponse(code = 500, message = "NiFi Registry was unable to complete the request because an unexpected error occurred.")})
    @Path("/token/login")
    @Consumes({"*/*"})
    @ApiOperation(value = "Create token using basic auth", notes = "Creates a token for accessing the REST API via username/password. The user credentials must be passed in standard HTTP Basic Auth format. That is: 'Authorization: Basic <credentials>', where <credentials> is the base64 encoded value of '<username>:<password>'. The token returned is formatted as a JSON Web Token (JWT). The token is base64 encoded and comprised of three parts. The header, the body, and the signature. The expiration of the token is a contained within the body. The token can be used in the Authorization header in the format 'Authorization: Bearer <token>'.", response = String.class, authorizations = {@Authorization("BasicAuth")})
    @POST
    @Produces({"text/plain"})
    public Response createAccessTokenUsingBasicAuthCredentials(@Context HttpServletRequest httpServletRequest) {
        if (!httpServletRequest.isSecure()) {
            throw new IllegalStateException("Access tokens are only issued over HTTPS");
        }
        if (this.identityProvider == null) {
            logger.debug("An Identity Provider must be configured to use this endpoint. Please consult the administration guide.");
            throw new IllegalStateException("Username/Password login not supported by this NiFi. Contact System Administrator.");
        }
        if (!(this.identityProvider instanceof BasicAuthIdentityProvider)) {
            logger.debug("An Identity Provider is configured, but it does not support HTTP Basic Auth authentication. The configured Identity Provider must extend {}", BasicAuthIdentityProvider.class);
            throw new IllegalStateException("Username/Password login not supported by this NiFi. Contact System Administrator.");
        }
        AuthenticationRequest extractCredentials = this.identityProvider.extractCredentials(httpServletRequest);
        if (extractCredentials == null) {
            throw new UnauthorizedException("The client credentials are missing from the request.").withAuthenticateChallenge(IdentityProviderUsage.AuthType.OTHER);
        }
        try {
            return generateCreatedResponse(URI.create(generateResourceUri("access", "token")), createAccessToken(this.identityProvider, extractCredentials)).build();
        } catch (InvalidCredentialsException e) {
            throw new UnauthorizedException("The supplied client credentials are not valid.", e).withAuthenticateChallenge(IdentityProviderUsage.AuthType.OTHER);
        }
    }

    @ApiResponses({@ApiResponse(code = 400, message = "NiFi Registry was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid. The NiFi Registry may not be configured to support login Kerberos credentials."), @ApiResponse(code = 500, message = "NiFi Registry was unable to complete the request because an unexpected error occurred.")})
    @Path("/token/kerberos")
    @Consumes({"*/*"})
    @ApiOperation(value = "Create token using kerberos", notes = "Creates a token for accessing the REST API via Kerberos Service Tickets or SPNEGO Tokens (which includes Kerberos Service Tickets). The token returned is formatted as a JSON Web Token (JWT). The token is base64 encoded and comprised of three parts. The header, the body, and the signature. The expiration of the token is a contained within the body. The token can be used in the Authorization header in the format 'Authorization: Bearer <token>'.", response = String.class)
    @POST
    @Produces({"text/plain"})
    public Response createAccessTokenUsingKerberosTicket(@Context HttpServletRequest httpServletRequest) {
        if (!httpServletRequest.isSecure()) {
            throw new IllegalStateException("Access tokens are only issued over HTTPS");
        }
        if (!this.properties.isKerberosSpnegoSupportEnabled() || this.kerberosSpnegoIdentityProvider == null) {
            throw new IllegalStateException("Kerberos service ticket login not supported by this NiFi Registry");
        }
        AuthenticationRequest extractCredentials = this.kerberosSpnegoIdentityProvider.extractCredentials(httpServletRequest);
        if (extractCredentials == null) {
            throw new UnauthorizedException("The client credentials are missing from the request.").withAuthenticateChallenge(this.kerberosSpnegoIdentityProvider.getUsageInstructions().getAuthType());
        }
        try {
            return generateCreatedResponse(URI.create(generateResourceUri("access", "token")), createAccessToken(this.kerberosSpnegoIdentityProvider, extractCredentials)).build();
        } catch (InvalidCredentialsException e) {
            throw new UnauthorizedException("The supplied client credentials are not valid.", e).withAuthenticateChallenge(this.kerberosSpnegoIdentityProvider.getUsageInstructions().getAuthType());
        }
    }

    @ApiResponses({@ApiResponse(code = 400, message = "NiFi Registry was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid. The NiFi Registry may not be configured to support login with customized credentials."), @ApiResponse(code = 500, message = "NiFi Registry was unable to complete the request because an unexpected error occurred.")})
    @Path("/token/identity-provider")
    @Consumes({"*/*"})
    @ApiOperation(value = "Create token using identity provider", notes = "Creates a token for accessing the REST API via a custom identity provider. The user credentials must be passed in a format understood by the custom identity provider, e.g., a third-party auth token in an HTTP header. The exact format of the user credentials expected by the custom identity provider can be discovered by 'GET /access/token/identity-provider/usage'. The token returned is formatted as a JSON Web Token (JWT). The token is base64 encoded and comprised of three parts. The header, the body, and the signature. The expiration of the token is a contained within the body. The token can be used in the Authorization header in the format 'Authorization: Bearer <token>'.", response = String.class)
    @POST
    @Produces({"text/plain"})
    public Response createAccessTokenUsingIdentityProviderCredentials(@Context HttpServletRequest httpServletRequest) {
        if (!httpServletRequest.isSecure()) {
            throw new IllegalStateException("Access tokens are only issued over HTTPS");
        }
        if (this.identityProvider == null) {
            throw new IllegalStateException("Custom login not supported by this NiFi Registry");
        }
        AuthenticationRequest extractCredentials = this.identityProvider.extractCredentials(httpServletRequest);
        if (extractCredentials == null) {
            throw new UnauthorizedException("The client credentials are missing from the request.").withAuthenticateChallenge(this.identityProvider.getUsageInstructions().getAuthType());
        }
        try {
            return generateCreatedResponse(URI.create(generateResourceUri("access", "token")), createAccessToken(this.identityProvider, extractCredentials)).build();
        } catch (InvalidCredentialsException e) {
            throw new UnauthorizedException("The supplied client credentials are not valid.", e).withAuthenticateChallenge(this.identityProvider.getUsageInstructions().getAuthType());
        }
    }

    @GET
    @ApiResponses({@ApiResponse(code = 400, message = "NiFi Registry was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid. The NiFi Registry may not be configured to support login with customized credentials."), @ApiResponse(code = 500, message = "NiFi Registry was unable to complete the request because an unexpected error occurred.")})
    @Path("/token/identity-provider/usage")
    @Consumes({"*/*"})
    @ApiOperation(value = "Get identity provider usage", notes = "Provides a description of how the currently configured identity provider expects credentials to be passed to POST /access/token/identity-provider", response = String.class)
    @Produces({"text/plain"})
    public Response getIdentityProviderUsageInstructions(@Context HttpServletRequest httpServletRequest) {
        if (this.identityProvider == null) {
            throw new IllegalStateException("Custom login not supported by this NiFi Registry");
        }
        Class<?> cls = this.identityProvider.getClass();
        try {
            return generateOkResponse(("Usage Instructions for '" + (StringUtils.isNotEmpty(cls.getSimpleName()) ? cls.getSimpleName() : cls.getName()) + "': ") + this.identityProvider.getUsageInstructions().getText()).build();
        } catch (Exception e) {
            return Response.status(Response.Status.NOT_IMPLEMENTED).entity("The currently configured identity provider, '" + this.identityProvider.getClass().getName() + "' does not provide usage instructions.").build();
        }
    }

    @ApiResponses({@ApiResponse(code = 400, message = "NiFi Registry was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "The format of the credentials were not recognized by the currently configured identity provider."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid. The NiFi Registry may not be configured to support login with customized credentials."), @ApiResponse(code = 500, message = "NiFi Registry was unable to complete the request because an unexpected error occurred.")})
    @Path("/token/identity-provider/test")
    @Consumes({"*/*"})
    @ApiOperation(value = "Test identity provider", notes = "Tests the format of the credentials against this identity provider without preforming authentication on the credentials to validate them. The user credentials should be passed in a format understood by the custom identity provider as defined by 'GET /access/token/identity-provider/usage'.", response = String.class)
    @POST
    @Produces({"text/plain"})
    public Response testIdentityProviderRecognizesCredentialsFormat(@Context HttpServletRequest httpServletRequest) {
        if (!httpServletRequest.isSecure()) {
            throw new IllegalStateException("Access tokens are only issued over HTTPS");
        }
        if (this.identityProvider == null) {
            throw new IllegalStateException("Custom login not supported by this NiFi Registry");
        }
        Class<?> cls = this.identityProvider.getClass();
        String simpleName = StringUtils.isNotEmpty(cls.getSimpleName()) ? cls.getSimpleName() : cls.getName();
        if (this.identityProvider.extractCredentials(httpServletRequest) == null) {
            throw new UnauthorizedException("The format of the credentials were not recognized by the currently configured identity provider '" + simpleName + "'. " + this.identityProvider.getUsageInstructions().getText()).withAuthenticateChallenge(this.identityProvider.getUsageInstructions().getAuthType());
        }
        return generateOkResponse(simpleName + " recognized the format of the credentials in the HTTP request.").build();
    }

    private String createAccessToken(IdentityProvider identityProvider, AuthenticationRequest authenticationRequest) throws InvalidCredentialsException, AdministrationException {
        try {
            return this.jwtService.generateSignedToken(identityProvider.authenticate(authenticationRequest));
        } catch (IdentityAccessException | JwtException e) {
            throw new AdministrationException(e.getMessage());
        }
    }

    private List<IdentityProvider> generateIdentityProviderWaterfall() {
        ArrayList arrayList = new ArrayList();
        if (this.x509IdentityProvider != null) {
            arrayList.add(this.x509IdentityProvider);
        }
        if (this.kerberosSpnegoIdentityProvider != null) {
            arrayList.add(this.kerberosSpnegoIdentityProvider);
        }
        if (this.identityProvider != null) {
            arrayList.add(this.identityProvider);
        }
        return arrayList;
    }
}
