package org.apache.nifi.registry.web.security.authentication.x509;

import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.concurrent.TimeUnit;
import javax.servlet.http.HttpServletRequest;
import org.apache.nifi.registry.security.authentication.AuthenticationRequest;
import org.apache.nifi.registry.security.authentication.AuthenticationResponse;
import org.apache.nifi.registry.security.authentication.IdentityProvider;
import org.apache.nifi.registry.security.authentication.IdentityProviderConfigurationContext;
import org.apache.nifi.registry.security.authentication.IdentityProviderUsage;
import org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException;
import org.apache.nifi.registry.security.exception.SecurityProviderCreationException;
import org.apache.nifi.registry.security.exception.SecurityProviderDestructionException;
import org.apache.nifi.registry.security.util.ProxiedEntitiesUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
import org.springframework.stereotype.Component;

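@Component
/**
 * Identity provider that authenticates a request by the client certificate presented during the TLS
 * handshake, optionally carrying a proxied-entities chain in the
 * {@link ProxiedEntitiesUtils#PROXY_ENTITIES_CHAIN} header.
 *
 * <p>Only the certificate's validity period is checked here ({@link X509Certificate#checkValidity()});
 * chain and trust validation is presumably performed by the TLS layer that accepted the certificate
 * before it reaches {@link #extractCredentials(HttpServletRequest)} — confirm against the configured
 * {@code X509CertificateExtractor}. Authentication fails closed: any failure to validate the credential
 * results in an {@link InvalidCredentialsException} rather than a successful response.
 */
public class X509IdentityProvider implements IdentityProvider {

    private static final Logger logger = LoggerFactory.getLogger(X509IdentityProvider.class);

    /** Issuer name recorded on every {@link AuthenticationResponse} produced by this provider. */
    private static final String issuer = X509IdentityProvider.class.getSimpleName();

    /** Lifetime, in milliseconds, granted to a successful authentication (12 hours). */
    private static final long expiration = TimeUnit.MILLISECONDS.convert(12, TimeUnit.HOURS);

    /** Human-readable usage instructions and the auth scheme advertised for this provider. */
    private static final IdentityProviderUsage usage = new IdentityProviderUsage() {
        public String getText() {
            return "The client must connect over HTTPS and must provide a client certificate during the TLS handshake. Additionally, the client may declare itself a proxy for another user identity by populating the X-ProxiedEntitiesChain HTTP header field with a value of the format '<end-user-identity><proxy1-identity><proxy2-identity>...<proxyN-identity>'for all identities in the chain prior to this client. If the X-ProxiedEntitiesChain header is present in the request, this client's identity will be extracted from the client certificate used for TLS and added to the end of the chain, and then the entire chain will be authorized. Each proxy will be authorized to have 'write' access to '/proxy', and the originating user identity will be authorized for access to the resource being accessed in the request.";
        }

        public IdentityProviderUsage.AuthType getAuthType() {
            return IdentityProviderUsage.AuthType.OTHER.httpAuthScheme("TLS-client-cert");
        }
    };

    // Collaborators are injected once and never replaced; final makes the provider safely publishable.
    private final X509PrincipalExtractor principalExtractor;
    private final X509CertificateExtractor certificateExtractor;

    /**
     * Creates the provider.
     *
     * @param x509PrincipalExtractor   derives the identity string from a client certificate
     * @param x509CertificateExtractor pulls the client certificate chain off the servlet request
     */
    @Autowired
    public X509IdentityProvider(X509PrincipalExtractor x509PrincipalExtractor, X509CertificateExtractor x509CertificateExtractor) {
        this.principalExtractor = x509PrincipalExtractor;
        this.certificateExtractor = x509CertificateExtractor;
    }

    /**
     * @return the static usage instructions for this provider
     */
    public IdentityProviderUsage getUsageInstructions() {
        return usage;
    }

    /**
     * Extracts an {@link AuthenticationRequest} from the client certificate on the request.
     *
     * @param httpServletRequest the incoming request
     * @return a request whose username is the extracted principal, whose credentials are the client
     *         certificate, and whose details carry the proxied-entities header and HTTP method; or
     *         {@code null} when the connection is not secure or no client certificate is present
     */
    public AuthenticationRequest extractCredentials(HttpServletRequest httpServletRequest) {
        // Client-certificate authentication is only meaningful on a TLS connection.
        if (!httpServletRequest.isSecure()) {
            return null;
        }

        final X509Certificate[] certificates = this.certificateExtractor.extractClientCertificate(httpServletRequest);
        if (certificates == null || certificates.length == 0) {
            return null;
        }

        // Element 0 is treated as the client's own certificate; the rest of the chain is not used here.
        final X509Certificate clientCertificate = certificates[0];
        final String principal = this.principalExtractor.extractPrincipal(clientCertificate).toString();

        final String proxiedEntitiesChain = httpServletRequest.getHeader(ProxiedEntitiesUtils.PROXY_ENTITIES_CHAIN);
        final String requestMethod = httpServletRequest.getMethod();

        return new AuthenticationRequest(principal, clientCertificate,
                new X509AuthenticationRequestDetails(proxiedEntitiesChain, requestMethod));
    }

    /**
     * Authenticates a request produced by {@link #extractCredentials(HttpServletRequest)} by checking
     * that the client certificate is within its validity period.
     *
     * @param authenticationRequest the request to authenticate; may be {@code null}
     * @return a response naming the request's username as identity, valid for {@link #expiration}
     *         milliseconds; or {@code null} when the request or its username is {@code null}
     * @throws InvalidCredentialsException if the credential is not an {@link X509Certificate}, is
     *         expired, is not yet valid, or cannot be validated for any other reason
     */
    public AuthenticationResponse authenticate(AuthenticationRequest authenticationRequest) throws InvalidCredentialsException {
        if (authenticationRequest == null || authenticationRequest.getUsername() == null) {
            return null;
        }
        final String username = authenticationRequest.getUsername();

        // Fail closed: a request with no certificate to validate is not authenticated. Previously a
        // missing or wrongly-typed credential was swallowed by a catch-all and authentication succeeded.
        final Object credentials = authenticationRequest.getCredentials();
        if (!(credentials instanceof X509Certificate)) {
            final String message = String.format("Client certificate for (%s) is missing or not an X.509 certificate.", username);
            logger.warn(message);
            throw new InvalidCredentialsException(message);
        }

        try {
            validateClientCertificate((X509Certificate) credentials);
        } catch (CertificateExpiredException e) {
            final String message = String.format("Client certificate for (%s) is expired.", username);
            logger.warn(message, e);
            throw new InvalidCredentialsException(message, e);
        } catch (CertificateNotYetValidException e) {
            final String message = String.format("Client certificate for (%s) is not yet valid.", username);
            logger.warn(message, e);
            throw new InvalidCredentialsException(message, e);
        } catch (RuntimeException e) {
            // Any other validation failure must not turn into a successful authentication.
            final String message = String.format("Client certificate for (%s) could not be validated.", username);
            logger.warn(message, e);
            throw new InvalidCredentialsException(message, e);
        }

        return new AuthenticationResponse(username, username, expiration, issuer);
    }

    /**
     * Always fails: this provider is wired by Spring, not by the IdentityProviderFactory.
     *
     * @param identityProviderConfigurationContext ignored
     * @throws SecurityProviderCreationException always
     */
    public void onConfigured(IdentityProviderConfigurationContext identityProviderConfigurationContext) throws SecurityProviderCreationException {
        throw new SecurityProviderCreationException(X509IdentityProvider.class.getSimpleName() + " does not currently support being loaded via IdentityProviderFactory");
    }

    /**
     * No resources are held, so there is nothing to release.
     *
     * @throws SecurityProviderDestructionException never
     */
    public void preDestruction() throws SecurityProviderDestructionException {
    }

    /**
     * Checks that the certificate is currently within its validity period.
     *
     * @param x509Certificate the certificate to check
     * @throws CertificateExpiredException     if the certificate's notAfter date has passed
     * @throws CertificateNotYetValidException if the certificate's notBefore date is in the future
     */
    private void validateClientCertificate(X509Certificate x509Certificate) throws CertificateExpiredException, CertificateNotYetValidException {
        x509Certificate.checkValidity();
    }
}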
