package org.apache.nifi.registry.web.security.authorization;

import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.nifi.registry.security.authorization.AuthorizableLookup;
import org.apache.nifi.registry.security.authorization.RequestAction;
import org.apache.nifi.registry.security.authorization.exception.AccessDeniedException;
import org.apache.nifi.registry.security.authorization.resource.Authorizable;
import org.apache.nifi.registry.security.authorization.resource.ResourceType;
import org.apache.nifi.registry.security.authorization.user.NiFiUser;
import org.apache.nifi.registry.security.authorization.user.NiFiUserUtils;
import org.apache.nifi.registry.service.AuthorizationService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpMethod;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:WEB-INF/classes/org/apache/nifi/registry/web/security/authorization/ResourceAuthorizationFilter.class */
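/**
 * Servlet filter that performs a resource-level authorization check for selected
 * {@link ResourceType}s before the request reaches the REST layer.
 *
 * <p>For a secure request, the servlet path is mapped to a {@link ResourceType}; if a
 * {@link HttpMethodAuthorizationRules} entry is configured for that type and it declares the
 * request's HTTP method as requiring authorization, the mapped {@link RequestAction} is checked
 * against the {@link Authorizable} resolved for the path. Requests that do not match any rule are
 * forwarded unchanged; a failed check short-circuits the chain with a 401 or 403 response.
 *
 * <p>Instances are created through {@link #builder()}. The rule map is copied and made
 * unmodifiable at construction time.
 */
public class ResourceAuthorizationFilter extends GenericFilterBean {

    private static final Logger logger = LoggerFactory.getLogger(ResourceAuthorizationFilter.class);

    /** Per-resource-type rules deciding which HTTP methods need a check and which action they map to. */
    private final Map<ResourceType, HttpMethodAuthorizationRules> resourceTypeAuthorizationRules;
    private final AuthorizationService authorizationService;
    private final AuthorizableLookup authorizableLookup;

    /**
     * Fluent builder for {@link ResourceAuthorizationFilter}. An {@link AuthorizationService} is
     * required; resource types are registered with {@link #addResourceType(ResourceType)} or
     * {@link #addResourceType(ResourceType, HttpMethodAuthorizationRules)}.
     */
    public static class Builder {
        private AuthorizationService authorizationService;
        private final Map<ResourceType, HttpMethodAuthorizationRules> resourceTypeAuthorizationRules;

        private Builder() {
            this.resourceTypeAuthorizationRules = new HashMap<>();
        }

        /** @return the configured service, or {@code null} if none has been set yet */
        public AuthorizationService getAuthorizationService() {
            return this.authorizationService;
        }

        /**
         * Sets the service used to perform the authorization decision.
         *
         * @param authorizationService the service; must be non-null by the time {@link #build()} is called
         * @return this builder
         */
        public Builder setAuthorizationService(AuthorizationService authorizationService) {
            this.authorizationService = authorizationService;
            return this;
        }

        /** @return the live, mutable rule map held by this builder */
        public Map<ResourceType, HttpMethodAuthorizationRules> getResourceTypeAuthorizationRules() {
            return this.resourceTypeAuthorizationRules;
        }

        /**
         * Registers a resource type using the default {@link HttpMethodAuthorizationRules}
         * behaviour (an anonymous subclass with nothing overridden).
         *
         * @param resourceType the resource type to protect
         * @return this builder
         */
        public Builder addResourceType(ResourceType resourceType) {
            this.resourceTypeAuthorizationRules.put(resourceType, new HttpMethodAuthorizationRules() {
            });
            return this;
        }

        /**
         * Registers a resource type with explicit rules. A later call for the same type replaces
         * the earlier rules.
         *
         * @param resourceType the resource type to protect
         * @param httpMethodAuthorizationRules rules deciding which methods are checked and how they map to actions
         * @return this builder
         */
        public Builder addResourceType(ResourceType resourceType, HttpMethodAuthorizationRules httpMethodAuthorizationRules) {
            this.resourceTypeAuthorizationRules.put(resourceType, httpMethodAuthorizationRules);
            return this;
        }

        /**
         * @return a new filter configured from this builder
         * @throws IllegalArgumentException if the authorization service has not been set
         */
        public ResourceAuthorizationFilter build() {
            return new ResourceAuthorizationFilter(this);
        }
    }

    /**
     * Creates a filter from a builder.
     *
     * @param builder source of the authorization service and rule map
     * @throws IllegalArgumentException if the builder lacks an authorization service or a rule map
     */
    ResourceAuthorizationFilter(Builder builder) {
        if (builder.getAuthorizationService() == null || builder.getResourceTypeAuthorizationRules() == null) {
            throw new IllegalArgumentException("Builder is missing one or more required fields [authorizationService, resourceTypeAuthorizationRules].");
        }
        // Snapshot the rules so that later mutation of the builder's map cannot change what this
        // filter enforces once it is installed in the chain.
        this.resourceTypeAuthorizationRules = Collections.unmodifiableMap(new HashMap<>(builder.getResourceTypeAuthorizationRules()));
        this.authorizationService = builder.getAuthorizationService();
        this.authorizableLookup = this.authorizationService.getAuthorizableLookup();
    }

    /**
     * Decides whether the request needs an authorization check and, if so, performs it.
     *
     * <p>Only secure requests are examined; a plaintext request is forwarded without a check. An HTTP
     * method that Spring's {@link HttpMethod#resolve(String)} does not recognise also leaves the
     * request unchecked and forwarded, so rejection of unknown methods is left to the layer below.
     *
     * @throws IOException      if the downstream chain or the error response fails
     * @throws ServletException if the downstream chain fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        final HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        final HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;

        String resourcePath = null;
        RequestAction action = null;
        boolean authorizationRequired = false;

        // NOTE(review): authorization is gated on isSecure(); this presumes an unsecured deployment
        // has no authorization to enforce — confirm against the deployment's security configuration.
        if (servletRequest.isSecure()) {
            resourcePath = httpServletRequest.getServletPath();
            if (resourcePath != null) {
                final HttpMethodAuthorizationRules rules =
                        this.resourceTypeAuthorizationRules.get(ResourceType.mapFullResourcePathToResourceType(resourcePath));
                if (rules != null) {
                    // Locale.ROOT keeps the upper-casing independent of the JVM default locale.
                    final HttpMethod httpMethod = HttpMethod.resolve(httpServletRequest.getMethod().toUpperCase(Locale.ROOT));
                    if (httpMethod != null && rules.requiresAuthorization(httpMethod)) {
                        authorizationRequired = true;
                        action = rules.mapHttpMethodToAction(httpMethod);
                    }
                }
            }
        }

        if (!authorizationRequired) {
            forwardRequestWithoutAuthorizationCheck(httpServletRequest, httpServletResponse, filterChain);
            return;
        }

        try {
            authorizeAccess(resourcePath, action);
            successfulAuthorization(httpServletRequest, httpServletResponse, filterChain);
        } catch (Exception e) {
            // Deliberately broad: any failure during the check (including the misconfiguration
            // exceptions thrown by authorizeAccess) results in the request being blocked, not forwarded.
            logger.debug("Exception occurred while performing authorization check.", e);
            failedAuthorization(httpServletRequest, httpServletResponse, filterChain, e);
        }
    }

    /** @return {@code true} when a non-anonymous user is bound to the current thread */
    private boolean userIsAuthenticated() {
        final NiFiUser user = NiFiUserUtils.getNiFiUser();
        return user != null && !user.isAnonymous();
    }

    /**
     * Resolves the authorizable for {@code resourcePath} and asks the authorization service to
     * authorize {@code action} on it for the current user.
     *
     * @param resourcePath the servlet path of the request
     * @param action       the action derived from the HTTP method
     * @throws AccessDeniedException    if the authorization service denies the action
     * @throws IllegalArgumentException if either input is {@code null}
     * @throws IllegalStateException    if the path maps to no authorizable (a filter misconfiguration)
     */
    private void authorizeAccess(String resourcePath, RequestAction action) throws AccessDeniedException {
        if (resourcePath == null || action == null) {
            throw new IllegalArgumentException("Authorization is required, but a required input [resource, action] is absent.");
        }
        final Authorizable authorizable = this.authorizableLookup.getAuthorizableByResource(resourcePath);
        if (authorizable == null) {
            throw new IllegalStateException("Resource Authorization Filter configured for non-authorizable resource: " + resourcePath);
        }
        this.authorizationService.authorize(authorizable, action);
    }

    /** Passes the request down the chain when no rule requires a check for this method and resource. */
    private void forwardRequestWithoutAuthorizationCheck(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        logger.debug("Request filter authorization check is not required for this HTTP Method on this resource. Allowing request to proceed. An additional authorization check might be performed downstream of this filter.");
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /** Passes the request down the chain after the check succeeded. */
    private void successfulAuthorization(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        logger.debug("Request filter authorization check passed. Allowing request to proceed.");
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Blocks the request: 401 if no authenticated user is present, otherwise 403. Nothing is
     * written if the response has already been committed.
     *
     * @param exc the exception raised by the authorization check; its message is logged and echoed
     *            in the response body
     */
    private void failedAuthorization(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain, Exception exc)
            throws IOException, ServletException {
        logger.debug("Request filter authorization check failed. Blocking access.");
        final NiFiUser user = NiFiUserUtils.getNiFiUser();
        final String userDescription = user != null ? user.toString() : "<no user found>";
        final int status = userIsAuthenticated() ? 403 : 401;
        logger.info("{} does not have permission to perform this action on the requested resource. {} Returning {} response.", userDescription, exc.getMessage(), status);
        logger.debug("", exc);
        if (httpServletResponse.isCommitted()) {
            return;
        }
        httpServletResponse.setStatus(status);
        httpServletResponse.setContentType("text/plain");
        // NOTE(review): the exception text is sent to the client. The messages from authorizeAccess
        // include the resource path; keep anything thrown from the authorization path free of
        // internal detail beyond that.
        httpServletResponse.getWriter().println(String.format("Access is denied due to: %s Contact the system administrator.", exc.getLocalizedMessage()));
    }

    /** @return a new builder for this filter */
    public static Builder builder() {
        return new Builder();
    }
}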
