package org.apache.nifi.registry.web.security.authentication;

import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.nifi.registry.security.authentication.AuthenticationResponse;
import org.apache.nifi.registry.security.authentication.IdentityProvider;
import org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException;
import org.apache.nifi.registry.security.authorization.Authorizer;
import org.apache.nifi.registry.security.authorization.ManagedAuthorizer;
import org.apache.nifi.registry.security.authorization.UserAndGroups;
import org.apache.nifi.registry.security.authorization.user.NiFiUserDetails;
import org.apache.nifi.registry.security.authorization.user.StandardNiFiUser;
import org.apache.nifi.registry.security.identity.IdentityMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/* loaded from: input_file:WEB-INF/classes/org/apache/nifi/registry/web/security/authentication/IdentityAuthenticationProvider.class */
/**
 * Spring Security {@link AuthenticationProvider} that hands credential verification to a single
 * {@link IdentityProvider} and turns a successful response into an {@link AuthenticationSuccessToken}.
 *
 * <p>Flow, as implemented below: the incoming token is accepted only if it is an
 * {@link AuthenticationRequestToken} whose recorded origin is exactly the class of the configured
 * identity provider; the identity returned by the provider is then passed through the
 * {@link IdentityMapper}, and group names are looked up for the <em>mapped</em> identity.
 */
public class IdentityAuthenticationProvider implements AuthenticationProvider {
    private static final Logger LOGGER = LoggerFactory.getLogger(IdentityAuthenticationProvider.class);
    protected Authorizer authorizer;
    protected final IdentityProvider identityProvider;
    protected final IdentityMapper identityMapper;

    /**
     * Stores the collaborators as given; no validation or null check is performed here.
     *
     * @param authorizer       used only for group lookup (see {@link #getUserGroups(String)})
     * @param identityProvider verifies the credentials carried by the request token
     * @param identityMapper   maps the provider-supplied identity before it is used
     */
    public IdentityAuthenticationProvider(Authorizer authorizer, IdentityProvider identityProvider, IdentityMapper identityMapper) {
        this.authorizer = authorizer;
        this.identityProvider = identityProvider;
        this.identityMapper = identityMapper;
    }

    /**
     * Authenticates a request token that originated from this provider's {@link IdentityProvider}.
     *
     * @param authentication the candidate token
     * @return an authenticated token, or {@code null} when the token did not originate from this
     *         identity provider or the identity provider returned no response
     * @throws AuthenticationException a {@link BadCredentialsException} when the identity provider
     *         rejects the credentials
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // null (rather than an exception) tells the caller this provider made no decision.
        if (!checkTokenOriginatedFromThisIdentityProvider(authentication)) {
            return null;
        }
        final AuthenticationRequestToken requestToken = (AuthenticationRequestToken) authentication;
        try {
            final AuthenticationResponse response =
                    this.identityProvider.authenticate(requestToken.getAuthenticationRequest());
            return response == null ? null : buildAuthenticatedToken(requestToken, response);
        } catch (InvalidCredentialsException e) {
            // The message is deliberately generic; the provider's exception travels only as the cause.
            // NOTE(review): confirm that whatever renders this exception to clients does not expose the cause.
            throw new BadCredentialsException("Identity Provider authentication failed.", e);
        }
    }

    /**
     * Reports whether the given token class is an {@link AuthenticationRequestToken} or a subtype.
     * The stricter origin check happens later, inside {@link #authenticate(Authentication)}.
     */
    @Override
    public boolean supports(Class<?> cls) {
        return AuthenticationRequestToken.class.isAssignableFrom(cls);
    }

    /**
     * Builds the authenticated token from a successful identity-provider response.
     * The decompiler reports that this method was declared {@code protected} in the original class.
     *
     * @param authenticationRequestToken the request token; supplies the client address
     * @param authenticationResponse     the identity provider's response; supplies the raw identity
     * @return a success token wrapping the mapped identity, its groups and the client address
     */
    public AuthenticationSuccessToken buildAuthenticatedToken(AuthenticationRequestToken authenticationRequestToken, AuthenticationResponse authenticationResponse) {
        final String mappedIdentity = mapIdentity(authenticationResponse.getIdentity());
        // Groups are resolved for the mapped identity, not the raw one; may be null (see getUserGroups).
        final Set<String> groupNames = getUserGroups(mappedIdentity);
        return new AuthenticationSuccessToken(
                new NiFiUserDetails(
                        new StandardNiFiUser.Builder()
                                .identity(mappedIdentity)
                                .groups(groupNames)
                                .clientAddress(authenticationRequestToken.getClientAddress())
                                .build()));
    }

    /**
     * Decides whether this provider should handle the token.
     *
     * @return {@code true} only for an {@link AuthenticationRequestToken} whose origin equals the
     *         runtime class of the configured identity provider (exact class equality, so a token
     *         recorded against a superclass or subclass does not match)
     */
    protected boolean checkTokenOriginatedFromThisIdentityProvider(Authentication authentication) {
        if (!(authentication instanceof AuthenticationRequestToken)) {
            return false;
        }
        final Class<?> providerType = this.identityProvider.getClass();
        return providerType.equals(((AuthenticationRequestToken) authentication).getAuthenticationRequestOrigin());
    }

    /**
     * Maps a provider-supplied identity through the configured {@link IdentityMapper}.
     * The decompiler reports that this method was declared {@code protected} in the original class.
     */
    public String mapIdentity(String str) {
        return this.identityMapper.mapUser(str);
    }

    /**
     * Looks up group names for an identity using this instance's authorizer.
     * The decompiler reports that this method was declared {@code protected} in the original class.
     *
     * @return the group names, an empty set, or {@code null} when the authorizer is not a
     *         {@link ManagedAuthorizer}
     */
    public Set<String> getUserGroups(String str) {
        return getUserGroups(this.authorizer, str);
    }

    /**
     * Resolves the names of the groups an identity belongs to.
     *
     * @param authorizer the authorizer to query; only a {@link ManagedAuthorizer} can answer
     * @param str        the identity to look up
     * @return {@code null} when {@code authorizer} is not a {@link ManagedAuthorizer} (this also covers
     *         a {@code null} authorizer); an empty set when the lookup yields no groups; otherwise
     *         the set of group names
     */
    private static Set<String> getUserGroups(Authorizer authorizer, String str) {
        if (authorizer instanceof ManagedAuthorizer) {
            final ManagedAuthorizer managed = (ManagedAuthorizer) authorizer;
            final UserAndGroups userAndGroups =
                    managed.getAccessPolicyProvider().getUserGroupProvider().getUserAndGroups(str);
            final Set<?> groups = userAndGroups.getGroups();
            if (groups == null || groups.isEmpty()) {
                return Collections.emptySet();
            }
            // Groups are read a second time for the stream, exactly as the original block does.
            return userAndGroups.getGroups().stream()
                    .map(group -> group.getName())
                    .collect(Collectors.toSet());
        }
        return null;
    }
}
