package org.apache.nifi.registry.security.authorization;

import java.io.File;
import java.io.FilenameFilter;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.SecureClassLoader;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.sql.DataSource;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.stream.XMLStreamException;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.Validate;
import org.apache.nifi.properties.PropertyProtectionScheme;
import org.apache.nifi.properties.SensitivePropertyProtectionException;
import org.apache.nifi.properties.SensitivePropertyProviderFactory;
import org.apache.nifi.registry.extension.ExtensionClassLoader;
import org.apache.nifi.registry.extension.ExtensionCloseable;
import org.apache.nifi.registry.extension.ExtensionManager;
import org.apache.nifi.registry.properties.NiFiRegistryProperties;
import org.apache.nifi.registry.security.authorization.AuthorizationResult;
import org.apache.nifi.registry.security.authorization.annotation.AuthorizerContext;
import org.apache.nifi.registry.security.authorization.exception.AuthorizationAccessException;
import org.apache.nifi.registry.security.authorization.exception.UninheritableAuthorizationsException;
import org.apache.nifi.registry.security.authorization.generated.AccessPolicyProvider;
import org.apache.nifi.registry.security.authorization.generated.Authorizer;
import org.apache.nifi.registry.security.authorization.generated.Authorizers;
import org.apache.nifi.registry.security.authorization.generated.Prop;
import org.apache.nifi.registry.security.authorization.generated.UserGroupProvider;
import org.apache.nifi.registry.security.exception.SecurityProviderCreationException;
import org.apache.nifi.registry.security.exception.SecurityProviderDestructionException;
import org.apache.nifi.registry.security.identity.IdentityMapper;
import org.apache.nifi.registry.security.util.ClassLoaderUtils;
import org.apache.nifi.registry.security.util.XmlUtils;
import org.apache.nifi.registry.service.RegistryService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.DisposableBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.lang.Nullable;
import org.springframework.transaction.annotation.Transactional;
import org.xml.sax.SAXException;

@Transactional
@Configuration("authorizerFactory")
/* loaded from: input_file:WEB-INF/lib/nifi-registry-framework-1.15.2.jar:org/apache/nifi/registry/security/authorization/AuthorizerFactory.class */
public class AuthorizerFactory implements UserGroupProviderLookup, AccessPolicyProviderLookup, AuthorizerLookup, DisposableBean {
    // Resource name of the authorizers schema. Its use lies outside this view;
    // presumably it validates the authorizers configuration before unmarshalling (confirm).
    private static final String AUTHORIZERS_XSD = "/authorizers.xsd";
    // Context path handed to JAXBContext.newInstance(...) in initializeJaxbContext().
    private static final String JAXB_GENERATED_PATH = "org.apache.nifi.registry.security.authorization.generated";
    // Read by getAuthorizer() for the SSL port and the "nifi.registry.security.authorizer" key.
    private final NiFiRegistryProperties properties;
    private final ExtensionManager extensionManager;
    // The only constructor argument that is accepted as null (@Nullable, no Validate.notNull).
    private final SensitivePropertyProviderFactory sensitivePropertyProviderFactory;
    private final RegistryService registryService;
    private final DataSource dataSource;
    private final IdentityMapper identityMapper;
    // The authorizer in effect; null until the first getAuthorizer() call builds it.
    private Authorizer authorizer;
    // Instances created by getAuthorizer(), keyed by the identifier from the authorizers configuration.
    // A repeated identifier is rejected there before the put.
    private final Map<String, UserGroupProvider> userGroupProviders = new HashMap();
    private final Map<String, AccessPolicyProvider> accessPolicyProviders = new HashMap();
    private final Map<String, Authorizer> authorizers = new HashMap();
    private static final Logger logger = LoggerFactory.getLogger(AuthorizerFactory.class);
    // Built once at class initialisation; initializeJaxbContext() throws RuntimeException on failure,
    // which makes class initialisation itself fail.
    private static final JAXBContext JAXB_CONTEXT = initializeJaxbContext();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/nifi-registry-framework-1.15.2.jar:org/apache/nifi/registry/security/authorization/AuthorizerFactory$AuthorizerWrapper.class */
    /**
     * Wraps an {@link Authorizer} so that every decision it returns is also handed to
     * {@code AuthorizerFactory.audit(...)}. All lifecycle calls are forwarded unchanged.
     */
    public static class AuthorizerWrapper implements Authorizer, WrappedAuthorizer {
        private final Authorizer baseAuthorizer;

        /**
         * @param authorizer the authorizer to delegate to; stored as given, without a null check
         */
        public AuthorizerWrapper(Authorizer authorizer) {
            baseAuthorizer = authorizer;
        }

        /** Returns the authorizer this wrapper delegates to. */
        @Override // org.apache.nifi.registry.security.authorization.AuthorizerFactory.WrappedAuthorizer
        public Authorizer getBaseAuthorizer() {
            return baseAuthorizer;
        }

        /**
         * Asks the wrapped authorizer for a decision, audits it, and returns it unchanged.
         *
         * <p>The audit call sits after the delegate call, so a request for which the delegate
         * throws {@link AuthorizationAccessException} propagates without reaching the audit call.
         */
        public AuthorizationResult authorize(AuthorizationRequest authorizationRequest) throws AuthorizationAccessException {
            final AuthorizationResult decision = baseAuthorizer.authorize(authorizationRequest);
            AuthorizerFactory.audit(baseAuthorizer, authorizationRequest, decision);
            return decision;
        }

        /** Forwards initialization to the wrapped authorizer. */
        public void initialize(AuthorizerInitializationContext authorizerInitializationContext) throws SecurityProviderCreationException {
            baseAuthorizer.initialize(authorizerInitializationContext);
        }

        /** Forwards configuration to the wrapped authorizer. */
        public void onConfigured(AuthorizerConfigurationContext authorizerConfigurationContext) throws SecurityProviderCreationException {
            baseAuthorizer.onConfigured(authorizerConfigurationContext);
        }

        /** Forwards the pre-destruction callback to the wrapped authorizer. */
        public void preDestruction() throws SecurityProviderDestructionException {
            baseAuthorizer.preDestruction();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/nifi-registry-framework-1.15.2.jar:org/apache/nifi/registry/security/authorization/AuthorizerFactory$ManagedAuthorizerWrapper.class */
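    /**
     * Wraps a {@link ManagedAuthorizer} and adds integrity checks around it.
     *
     * <ul>
     *   <li>{@link #authorize} passes every returned decision to {@code AuthorizerFactory.audit(...)}.</li>
     *   <li>{@link #onConfigured} rejects loaded data containing duplicate policies, users or groups.</li>
     *   <li>{@link #getAccessPolicyProvider} returns a guarding proxy when the provider is configurable:
     *       writes are refused for duplicates, for entries the provider reports as not configurable,
     *       and for groups naming users that do not exist.</li>
     * </ul>
     *
     * <p>NOTE(review): each guard is a separate existence check followed by the write, and this class
     * takes no lock. Whether concurrent writers are serialized elsewhere cannot be told from here.
     */
    public static class ManagedAuthorizerWrapper implements ManagedAuthorizer, WrappedAuthorizer {
        private final ManagedAuthorizer baseManagedAuthorizer;

        /**
         * @param managedAuthorizer the authorizer to delegate to; stored as given, without a null check
         */
        public ManagedAuthorizerWrapper(ManagedAuthorizer managedAuthorizer) {
            this.baseManagedAuthorizer = managedAuthorizer;
        }

        /** Returns the managed authorizer this wrapper delegates to. */
        @Override // org.apache.nifi.registry.security.authorization.AuthorizerFactory.WrappedAuthorizer
        public Authorizer getBaseAuthorizer() {
            return this.baseManagedAuthorizer;
        }

        public String getFingerprint() throws AuthorizationAccessException {
            return this.baseManagedAuthorizer.getFingerprint();
        }

        public void inheritFingerprint(String str) throws AuthorizationAccessException {
            this.baseManagedAuthorizer.inheritFingerprint(str);
        }

        public void checkInheritability(String str) throws AuthorizationAccessException, UninheritableAuthorizationsException {
            this.baseManagedAuthorizer.checkInheritability(str);
        }

        /**
         * Returns the access policy provider of the wrapped authorizer.
         *
         * <p>A provider that is not a {@link ConfigurableAccessPolicyProvider} is returned as is.
         * A configurable one is returned behind a proxy that validates every write before delegating.
         * A new proxy is created on each call.
         */
        public AccessPolicyProvider getAccessPolicyProvider() {
            // Declared with the getter's return type and narrowed by an explicit cast after the
            // instanceof test. The decompiled form declared the local with the narrower type up front,
            // which turns the test into a no-op and does not type-check.
            final AccessPolicyProvider accessPolicyProvider = this.baseManagedAuthorizer.getAccessPolicyProvider();
            if (!(accessPolicyProvider instanceof ConfigurableAccessPolicyProvider)) {
                return accessPolicyProvider;
            }
            final ConfigurableAccessPolicyProvider configurableAccessPolicyProvider = (ConfigurableAccessPolicyProvider) accessPolicyProvider;
            return new ConfigurableAccessPolicyProvider() { // from class: org.apache.nifi.registry.security.authorization.AuthorizerFactory.ManagedAuthorizerWrapper.1
                public String getFingerprint() throws AuthorizationAccessException {
                    return configurableAccessPolicyProvider.getFingerprint();
                }

                public void inheritFingerprint(String str) throws AuthorizationAccessException {
                    configurableAccessPolicyProvider.inheritFingerprint(str);
                }

                public void checkInheritability(String str) throws AuthorizationAccessException, UninheritableAuthorizationsException {
                    configurableAccessPolicyProvider.checkInheritability(str);
                }

                /**
                 * Adds a policy unless {@code AuthorizerFactory.policyExists} reports a clash.
                 *
                 * @throws IllegalStateException if a matching policy already exists
                 */
                public AccessPolicy addAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
                    if (AuthorizerFactory.policyExists((AccessPolicyProvider) configurableAccessPolicyProvider, accessPolicy)) {
                        throw new IllegalStateException(String.format("Found multiple policies for '%s' with '%s'.", accessPolicy.getResource(), accessPolicy.getAction()));
                    }
                    return configurableAccessPolicyProvider.addAccessPolicy(accessPolicy);
                }

                public boolean isConfigurable(AccessPolicy accessPolicy) {
                    return configurableAccessPolicyProvider.isConfigurable(accessPolicy);
                }

                /**
                 * Updates a policy only if the provider reports it as configurable.
                 *
                 * @throws IllegalArgumentException if the policy is not configurable
                 */
                public AccessPolicy updateAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
                    if (configurableAccessPolicyProvider.isConfigurable(accessPolicy)) {
                        return configurableAccessPolicyProvider.updateAccessPolicy(accessPolicy);
                    }
                    throw new IllegalArgumentException("The specified access policy is not support modification.");
                }

                /**
                 * Deletes a policy only if the provider reports it as configurable.
                 *
                 * @throws IllegalArgumentException if the policy is not configurable
                 */
                public AccessPolicy deleteAccessPolicy(AccessPolicy accessPolicy) throws AuthorizationAccessException {
                    if (configurableAccessPolicyProvider.isConfigurable(accessPolicy)) {
                        return configurableAccessPolicyProvider.deleteAccessPolicy(accessPolicy);
                    }
                    throw new IllegalArgumentException("The specified access policy is not support modification.");
                }

                public Set<AccessPolicy> getAccessPolicies() throws AuthorizationAccessException {
                    return configurableAccessPolicyProvider.getAccessPolicies();
                }

                public AccessPolicy getAccessPolicy(String str) throws AuthorizationAccessException {
                    return configurableAccessPolicyProvider.getAccessPolicy(str);
                }

                public AccessPolicy getAccessPolicy(String str, RequestAction requestAction) throws AuthorizationAccessException {
                    return configurableAccessPolicyProvider.getAccessPolicy(str, requestAction);
                }

                /**
                 * Returns the user group provider behind the policy provider.
                 *
                 * <p>A provider that is not a {@link ConfigurableUserGroupProvider} is returned as is.
                 * A configurable one is returned behind a proxy that validates user and group writes.
                 */
                public UserGroupProvider getUserGroupProvider() {
                    // Same pattern as above: keep the wide type for the instanceof test, then cast.
                    final UserGroupProvider userGroupProvider = configurableAccessPolicyProvider.getUserGroupProvider();
                    if (!(userGroupProvider instanceof ConfigurableUserGroupProvider)) {
                        return userGroupProvider;
                    }
                    final ConfigurableUserGroupProvider configurableUserGroupProvider = (ConfigurableUserGroupProvider) userGroupProvider;
                    return new ConfigurableUserGroupProvider() { // from class: org.apache.nifi.registry.security.authorization.AuthorizerFactory.ManagedAuthorizerWrapper.1.1
                        public String getFingerprint() throws AuthorizationAccessException {
                            return configurableUserGroupProvider.getFingerprint();
                        }

                        public void inheritFingerprint(String str) throws AuthorizationAccessException {
                            configurableUserGroupProvider.inheritFingerprint(str);
                        }

                        public void checkInheritability(String str) throws AuthorizationAccessException, UninheritableAuthorizationsException {
                            configurableUserGroupProvider.checkInheritability(str);
                        }

                        /**
                         * Adds a user unless {@code AuthorizerFactory.userExists} reports a clash on identity.
                         *
                         * @throws IllegalStateException if the identity is already taken
                         */
                        public User addUser(User user) throws AuthorizationAccessException {
                            if (AuthorizerFactory.userExists(configurableUserGroupProvider, user.getIdentifier(), user.getIdentity())) {
                                throw new IllegalStateException(String.format("User/user group already exists with the identity '%s'.", user.getIdentity()));
                            }
                            return configurableUserGroupProvider.addUser(user);
                        }

                        public boolean isConfigurable(User user) {
                            return configurableUserGroupProvider.isConfigurable(user);
                        }

                        /**
                         * Updates a user after the identity clash check and the configurable check, in that order.
                         *
                         * @throws IllegalStateException if the identity is already taken
                         * @throws IllegalArgumentException if the user is not configurable
                         */
                        public User updateUser(User user) throws AuthorizationAccessException {
                            // userExists(...) is defined outside this view; presumably it skips the entry
                            // carrying the same identifier, otherwise every update would clash with itself — confirm.
                            if (AuthorizerFactory.userExists(configurableUserGroupProvider, user.getIdentifier(), user.getIdentity())) {
                                throw new IllegalStateException(String.format("User/user group already exists with the identity '%s'.", user.getIdentity()));
                            }
                            if (configurableUserGroupProvider.isConfigurable(user)) {
                                return configurableUserGroupProvider.updateUser(user);
                            }
                            throw new IllegalArgumentException("The specified user does not support modification.");
                        }

                        /**
                         * Deletes a user only if the provider reports it as configurable.
                         *
                         * @throws IllegalArgumentException if the user is not configurable
                         */
                        public User deleteUser(User user) throws AuthorizationAccessException {
                            if (configurableUserGroupProvider.isConfigurable(user)) {
                                return configurableUserGroupProvider.deleteUser(user);
                            }
                            throw new IllegalArgumentException("The specified user does not support modification.");
                        }

                        /**
                         * Adds a group after checking for a name clash and that every listed member exists.
                         *
                         * @throws IllegalStateException if the name is taken or a member does not exist
                         */
                        public Group addGroup(Group group) throws AuthorizationAccessException {
                            if (AuthorizerFactory.groupExists(configurableUserGroupProvider, group.getIdentifier(), group.getName())) {
                                throw new IllegalStateException(String.format("User/user group already exists with the identity '%s'.", group.getName()));
                            }
                            if (AuthorizerFactory.allGroupUsersExist(userGroupProvider, group)) {
                                return configurableUserGroupProvider.addGroup(group);
                            }
                            throw new IllegalStateException(String.format("Cannot create group '%s' with users that don't exist.", group.getName()));
                        }

                        public boolean isConfigurable(Group group) {
                            return configurableUserGroupProvider.isConfigurable(group);
                        }

                        /**
                         * Updates a group after the name clash check, the configurable check and the
                         * member existence check, in that order.
                         *
                         * @throws IllegalStateException if the name is taken or a member does not exist
                         * @throws IllegalArgumentException if the group is not configurable
                         */
                        public Group updateGroup(Group group) throws AuthorizationAccessException {
                            if (AuthorizerFactory.groupExists(configurableUserGroupProvider, group.getIdentifier(), group.getName())) {
                                throw new IllegalStateException(String.format("User/user group already exists with the identity '%s'.", group.getName()));
                            }
                            if (!configurableUserGroupProvider.isConfigurable(group)) {
                                throw new IllegalArgumentException("The specified group does not support modification.");
                            }
                            if (AuthorizerFactory.allGroupUsersExist(userGroupProvider, group)) {
                                return configurableUserGroupProvider.updateGroup(group);
                            }
                            throw new IllegalStateException(String.format("Cannot update group '%s' to add users that don't exist.", group.getName()));
                        }

                        /**
                         * Deletes a group only if the provider reports it as configurable.
                         *
                         * @throws IllegalArgumentException if the group is not configurable
                         */
                        public Group deleteGroup(Group group) throws AuthorizationAccessException {
                            if (configurableUserGroupProvider.isConfigurable(group)) {
                                return configurableUserGroupProvider.deleteGroup(group);
                            }
                            throw new IllegalArgumentException("The specified group does not support modification.");
                        }

                        // Read operations and lifecycle callbacks below are forwarded without checks.

                        public Set<User> getUsers() throws AuthorizationAccessException {
                            return configurableUserGroupProvider.getUsers();
                        }

                        public User getUser(String str) throws AuthorizationAccessException {
                            return configurableUserGroupProvider.getUser(str);
                        }

                        public User getUserByIdentity(String str) throws AuthorizationAccessException {
                            return configurableUserGroupProvider.getUserByIdentity(str);
                        }

                        public Set<Group> getGroups() throws AuthorizationAccessException {
                            return configurableUserGroupProvider.getGroups();
                        }

                        public Group getGroup(String str) throws AuthorizationAccessException {
                            return configurableUserGroupProvider.getGroup(str);
                        }

                        public UserAndGroups getUserAndGroups(String str) throws AuthorizationAccessException {
                            return configurableUserGroupProvider.getUserAndGroups(str);
                        }

                        public void initialize(UserGroupProviderInitializationContext userGroupProviderInitializationContext) throws SecurityProviderCreationException {
                            configurableUserGroupProvider.initialize(userGroupProviderInitializationContext);
                        }

                        public void onConfigured(AuthorizerConfigurationContext authorizerConfigurationContext) throws SecurityProviderCreationException {
                            configurableUserGroupProvider.onConfigured(authorizerConfigurationContext);
                        }

                        public void preDestruction() throws SecurityProviderDestructionException {
                            configurableUserGroupProvider.preDestruction();
                        }
                    };
                }

                public void initialize(AccessPolicyProviderInitializationContext accessPolicyProviderInitializationContext) throws SecurityProviderCreationException {
                    configurableAccessPolicyProvider.initialize(accessPolicyProviderInitializationContext);
                }

                public void onConfigured(AuthorizerConfigurationContext authorizerConfigurationContext) throws SecurityProviderCreationException {
                    configurableAccessPolicyProvider.onConfigured(authorizerConfigurationContext);
                }

                public void preDestruction() throws SecurityProviderDestructionException {
                    configurableAccessPolicyProvider.preDestruction();
                }
            };
        }

        /**
         * Asks the wrapped authorizer for a decision, audits it, and returns it unchanged.
         *
         * <p>The audit call sits after the delegate call, so a request for which the delegate
         * throws {@link AuthorizationAccessException} propagates without reaching the audit call.
         */
        public AuthorizationResult authorize(AuthorizationRequest authorizationRequest) throws AuthorizationAccessException {
            AuthorizationResult authorize = this.baseManagedAuthorizer.authorize(authorizationRequest);
            AuthorizerFactory.audit(this.baseManagedAuthorizer, authorizationRequest, authorize);
            return authorize;
        }

        public void initialize(AuthorizerInitializationContext authorizerInitializationContext) throws SecurityProviderCreationException {
            this.baseManagedAuthorizer.initialize(authorizerInitializationContext);
        }

        /**
         * Configures the wrapped authorizer, then validates the data it exposes.
         *
         * <p>Startup is aborted when the loaded policies, users or groups contain duplicates.
         *
         * @throws SecurityProviderCreationException if the delegate fails or a duplicate is found
         */
        public void onConfigured(AuthorizerConfigurationContext authorizerConfigurationContext) throws SecurityProviderCreationException {
            this.baseManagedAuthorizer.onConfigured(authorizerConfigurationContext);
            AccessPolicyProvider accessPolicyProvider = this.baseManagedAuthorizer.getAccessPolicyProvider();
            UserGroupProvider userGroupProvider = accessPolicyProvider.getUserGroupProvider();
            Set<AccessPolicy> accessPolicies = accessPolicyProvider.getAccessPolicies();
            // Each entry is checked against the full set it came from. The helpers are defined outside
            // this view; presumably they skip the entry with the same identifier — confirm.
            for (AccessPolicy accessPolicy : accessPolicies) {
                if (AuthorizerFactory.policyExists(accessPolicies, accessPolicy)) {
                    throw new SecurityProviderCreationException(String.format("Found multiple policies for '%s' with '%s'.", accessPolicy.getResource(), accessPolicy.getAction()));
                }
            }
            for (User user : userGroupProvider.getUsers()) {
                if (AuthorizerFactory.userExists(userGroupProvider, user.getIdentifier(), user.getIdentity())) {
                    throw new SecurityProviderCreationException(String.format("Found multiple users/user groups with identity '%s'.", user.getIdentity()));
                }
            }
            for (Group group : userGroupProvider.getGroups()) {
                if (AuthorizerFactory.groupExists(userGroupProvider, group.getIdentifier(), group.getName())) {
                    throw new SecurityProviderCreationException(String.format("Found multiple users/user groups with name '%s'.", group.getName()));
                }
            }
        }

        public void preDestruction() throws SecurityProviderDestructionException {
            this.baseManagedAuthorizer.preDestruction();
        }
    }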

    /* loaded from: input_file:WEB-INF/lib/nifi-registry-framework-1.15.2.jar:org/apache/nifi/registry/security/authorization/AuthorizerFactory$WrappedAuthorizer.class */
    /**
     * Implemented by both wrapper classes in this file (AuthorizerWrapper and
     * ManagedAuthorizerWrapper) so that the authorizer they delegate to can be retrieved.
     */
    private interface WrappedAuthorizer {
        /** Returns the authorizer the wrapper delegates to. */
        Authorizer getBaseAuthorizer();
    }

    /**
     * Creates the JAXB context for the generated authorizers model, resolving classes through
     * the class loader that loaded {@code AuthorizerFactory}.
     *
     * @return the context for {@code JAXB_GENERATED_PATH}
     * @throws RuntimeException wrapping the {@link JAXBException} if the context cannot be created
     */
    private static JAXBContext initializeJaxbContext() {
        final ClassLoader factoryLoader = AuthorizerFactory.class.getClassLoader();
        try {
            return JAXBContext.newInstance(JAXB_GENERATED_PATH, factoryLoader);
        } catch (JAXBException cause) {
            throw new RuntimeException("Unable to create JAXBContext.", cause);
        }
    }

    /**
     * Stores the collaborators the factory needs. No authorizer is built here; that happens on the
     * first call to {@link #getAuthorizer()}.
     *
     * @param niFiRegistryProperties registry properties; must not be null
     * @param extensionManager extension manager; must not be null
     * @param sensitivePropertyProviderFactory may be null, and is stored without validation
     * @param registryService registry service; must not be null
     * @param dataSource data source; must not be null
     * @param identityMapper identity mapper; must not be null
     * @throws NullPointerException from {@code Validate.notNull} if a required argument is null
     */
    @Autowired
    public AuthorizerFactory(NiFiRegistryProperties niFiRegistryProperties, ExtensionManager extensionManager, @Nullable SensitivePropertyProviderFactory sensitivePropertyProviderFactory, RegistryService registryService, DataSource dataSource, IdentityMapper identityMapper) {
        // Validate.notNull returns its argument, so no cast is needed on the result.
        properties = Validate.notNull(niFiRegistryProperties);
        this.extensionManager = Validate.notNull(extensionManager);
        this.sensitivePropertyProviderFactory = sensitivePropertyProviderFactory;
        this.registryService = Validate.notNull(registryService);
        this.dataSource = Validate.notNull(dataSource);
        this.identityMapper = Validate.notNull(identityMapper);
    }

    /**
     * Looks up a user group provider registered by {@link #getAuthorizer()}.
     *
     * @param str the provider identifier
     * @return the provider, or {@code null} if none is registered under that identifier
     */
    public UserGroupProvider getUserGroupProvider(String str) {
        final UserGroupProvider match = userGroupProviders.get(str);
        return match;
    }

    /**
     * Looks up an access policy provider registered by {@link #getAuthorizer()}.
     *
     * @param str the provider identifier
     * @return the provider, or {@code null} if none is registered under that identifier
     */
    public AccessPolicyProvider getAccessPolicyProvider(String str) {
        final AccessPolicyProvider match = accessPolicyProviders.get(str);
        return match;
    }

    /**
     * Looks up an authorizer registered by {@link #getAuthorizer()}.
     *
     * <p>The map holds the instances as created; the integrity-checked instance is held only in the
     * {@code authorizer} field.
     *
     * @param str the authorizer identifier
     * @return the authorizer, or {@code null} if none is registered under that identifier
     */
    public Authorizer getAuthorizer(String str) {
        final Authorizer match = authorizers.get(str);
        return match;
    }

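    /**
     * Returns the authorizer in effect, building it on the first call.
     *
     * <p>With no SSL port configured, the result of {@code createDefaultAuthorizer()} is used and
     * the authorizers configuration is never read. Otherwise the authorizer named by
     * {@code nifi.registry.security.authorizer} is built in this order:
     * <ol>
     *   <li>create, then configure, every user group provider;</li>
     *   <li>create, then configure, every access policy provider;</li>
     *   <li>create every authorizer and configure all but the selected one;</li>
     *   <li>wrap the selected authorizer with {@code installIntegrityChecks} and configure it
     *       through the wrapper.</li>
     * </ol>
     * Each {@code onConfigured} call runs inside {@code ExtensionCloseable.withClassLoader(...)}
     * for the class loader of the instance being configured.
     *
     * <p>NOTE(review): the decompiled source uses the same simple names for the JAXB-generated
     * configuration elements (the ones with {@code getClazz()}) and for the runtime provider
     * types (the ones with {@code onConfigured(...)}). The names are kept as found.
     *
     * <p>NOTE(review): providers are put into the maps as they are created. If construction fails
     * part-way the entries stay, so a later call would report duplicate identifiers.
     *
     * @return the authorizer in effect
     * @throws AuthorizerFactoryException if the identifier is blank, an identifier is duplicated,
     *         the named authorizer is missing, or any other exception occurs during construction
     */
    @Bean
    public Authorizer getAuthorizer() throws AuthorizerFactoryException {
        if (this.authorizer != null) {
            return this.authorizer;
        }
        if (this.properties.getSslPort() == null) {
            // NOTE(review): createDefaultAuthorizer() is defined outside this view. No configured
            // authorizer is consulted on this path, so confirm what the default permits.
            this.authorizer = createDefaultAuthorizer();
            return this.authorizer;
        }
        String property = this.properties.getProperty("nifi.registry.security.authorizer");
        if (StringUtils.isBlank(property)) {
            throw new AuthorizerFactoryException("When running securely, the authorizer identifier must be specified in the nifi-registry.properties file.");
        }
        try {
            Authorizers loadAuthorizersConfiguration = loadAuthorizersConfiguration();

            // Create every user group provider before configuring any of them.
            for (UserGroupProvider userGroupProvider : loadAuthorizersConfiguration.getUserGroupProvider()) {
                if (this.userGroupProviders.containsKey(userGroupProvider.getIdentifier())) {
                    throw new AuthorizerFactoryException("Duplicate User Group Provider identifier in Authorizers configuration: " + userGroupProvider.getIdentifier());
                }
                this.userGroupProviders.put(userGroupProvider.getIdentifier(), createUserGroupProvider(userGroupProvider.getIdentifier(), userGroupProvider.getClazz()));
            }
            for (UserGroupProvider userGroupProvider2 : loadAuthorizersConfiguration.getUserGroupProvider()) {
                UserGroupProvider userGroupProvider3 = this.userGroupProviders.get(userGroupProvider2.getIdentifier());
                // try-with-resources closes the class loader scope exactly once, also when onConfigured throws.
                try (ExtensionCloseable ignored = ExtensionCloseable.withClassLoader(userGroupProvider3.getClass().getClassLoader())) {
                    userGroupProvider3.onConfigured(loadAuthorizerConfiguration(userGroupProvider2.getIdentifier(), userGroupProvider2.getProperty()));
                }
            }

            // Same two passes for the access policy providers.
            for (AccessPolicyProvider accessPolicyProvider : loadAuthorizersConfiguration.getAccessPolicyProvider()) {
                if (this.accessPolicyProviders.containsKey(accessPolicyProvider.getIdentifier())) {
                    throw new AuthorizerFactoryException("Duplicate Access Policy Provider identifier in Authorizers configuration: " + accessPolicyProvider.getIdentifier());
                }
                this.accessPolicyProviders.put(accessPolicyProvider.getIdentifier(), createAccessPolicyProvider(accessPolicyProvider.getIdentifier(), accessPolicyProvider.getClazz()));
            }
            for (AccessPolicyProvider accessPolicyProvider2 : loadAuthorizersConfiguration.getAccessPolicyProvider()) {
                AccessPolicyProvider accessPolicyProvider3 = this.accessPolicyProviders.get(accessPolicyProvider2.getIdentifier());
                try (ExtensionCloseable ignored = ExtensionCloseable.withClassLoader(accessPolicyProvider3.getClass().getClassLoader())) {
                    accessPolicyProvider3.onConfigured(loadAuthorizerConfiguration(accessPolicyProvider2.getIdentifier(), accessPolicyProvider2.getProperty()));
                }
            }

            // Create every authorizer, then configure all except the selected one.
            for (Authorizer authorizer : loadAuthorizersConfiguration.getAuthorizer()) {
                if (this.authorizers.containsKey(authorizer.getIdentifier())) {
                    throw new AuthorizerFactoryException("Duplicate Authorizer identifier in Authorizers configuration: " + authorizer.getIdentifier());
                }
                this.authorizers.put(authorizer.getIdentifier(), createAuthorizer(authorizer.getIdentifier(), authorizer.getClazz(), authorizer.getClasspath()));
            }
            for (Authorizer authorizer2 : loadAuthorizersConfiguration.getAuthorizer()) {
                if (authorizer2.getIdentifier().equals(property)) {
                    // The selected authorizer is configured below, through its integrity-check wrapper.
                    continue;
                }
                Authorizer authorizer3 = this.authorizers.get(authorizer2.getIdentifier());
                try (ExtensionCloseable ignored = ExtensionCloseable.withClassLoader(authorizer3.getClass().getClassLoader())) {
                    authorizer3.onConfigured(loadAuthorizerConfiguration(authorizer2.getIdentifier(), authorizer2.getProperty()));
                }
            }

            this.authorizer = getAuthorizer(property);
            if (this.authorizer == null) {
                throw new AuthorizerFactoryException(String.format("The specified authorizer '%s' could not be found.", property));
            }
            // Capture the class loader of the real instance before the field is replaced by the wrapper.
            ClassLoader classLoader = this.authorizer.getClass().getClassLoader();
            this.authorizer = installIntegrityChecks(this.authorizer);

            AuthorizerConfigurationContext authorizerConfigurationContext = null;
            for (Authorizer next : loadAuthorizersConfiguration.getAuthorizer()) {
                if (next.getIdentifier().equals(property)) {
                    authorizerConfigurationContext = loadAuthorizerConfiguration(next.getIdentifier(), next.getProperty());
                    break;
                }
            }
            if (authorizerConfigurationContext == null) {
                throw new IllegalStateException("Unable to load configuration for authorizer with id: " + property);
            }
            try (ExtensionCloseable ignored = ExtensionCloseable.withClassLoader(classLoader)) {
                this.authorizer.onConfigured(authorizerConfigurationContext);
            }
        } catch (AuthorizerFactoryException e) {
            throw e;
        } catch (Exception e2) {
            throw new AuthorizerFactoryException("Failed to construct Authorizer.", e2);
        }
        return this.authorizer;
    }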

    /**
     * Shutdown hook that calls {@code preDestruction()} on every entry held in the
     * {@code authorizers}, {@code accessPolicyProviders} and {@code userGroupProviders}
     * registries, in that order.
     *
     * <p>A registry that is still {@code null} is skipped. An exception thrown by one
     * {@code preDestruction()} call propagates immediately, so the entries that would
     * have followed it are not torn down.
     *
     * @throws Exception if a provider fails inside its pre-destruction callback
     */
    @Override // org.springframework.beans.factory.DisposableBean
    public void destroy() throws Exception {
        if (this.authorizers != null) {
            this.authorizers.forEach((id, instance) -> instance.preDestruction());
        }
        if (this.accessPolicyProviders != null) {
            this.accessPolicyProviders.forEach((id, instance) -> instance.preDestruction());
        }
        if (this.userGroupProviders != null) {
            this.userGroupProviders.forEach((id, instance) -> instance.preDestruction());
        }
    }

    /**
     * Reads the authorizers configuration file named by the registry properties and
     * unmarshals it into the JAXB {@link Authorizers} model.
     *
     * <p>The unmarshaller validates the document against the schema loaded from the
     * {@code AUTHORIZERS_XSD} classpath resource, and the file is read through
     * {@code XmlUtils.createSafeReader(...)} instead of being handed to JAXB directly.
     *
     * @return the parsed configuration
     * @throws Exception if the file does not exist, or if schema creation, XML reading or
     *         unmarshalling fails (the underlying failure is attached as the cause)
     */
    private Authorizers loadAuthorizersConfiguration() throws Exception {
        final File configFile = this.properties.getAuthorizersConfigurationFile();
        if (!configFile.exists()) {
            throw new Exception("Unable to find the authorizer configuration file at " + configFile.getAbsolutePath());
        }
        try {
            final SchemaFactory schemaFactory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
            final Schema authorizersSchema = schemaFactory.newSchema(Authorizers.class.getResource(AUTHORIZERS_XSD));

            final Unmarshaller unmarshaller = JAXB_CONTEXT.createUnmarshaller();
            unmarshaller.setSchema(authorizersSchema);

            // NOTE(review): createSafeReader presumably returns a stream reader with DTD and
            // external-entity processing disabled; confirm in XmlUtils, because this file
            // decides which authorizer the registry runs.
            return (Authorizers) unmarshaller.unmarshal(XmlUtils.createSafeReader(new StreamSource(configFile)), Authorizers.class).getValue();
        } catch (XMLStreamException | JAXBException | SAXException e) {
            throw new Exception("Unable to load the authorizer configuration file at: " + configFile.getAbsolutePath(), e);
        }
    }

    /**
     * Builds the configuration context for one authorizer from its configured
     * {@link Prop} entries.
     *
     * <p>An entry whose encryption attribute is blank is copied as-is; any other entry is
     * passed through {@code decryptValue} first, so the resulting map holds plaintext
     * values. Treat the returned context as sensitive: do not log or serialize its
     * property values.
     *
     * @param str  identifier of the authorizer the properties belong to
     * @param list property entries read from the authorizers configuration
     * @return a context holding the identifier and the resolved name/value pairs
     */
    private AuthorizerConfigurationContext loadAuthorizerConfiguration(String str, List<Prop> list) {
        final Map<String, String> resolved = new HashMap<>();
        for (final Prop entry : list) {
            final boolean isProtected = !StringUtils.isBlank(entry.getEncryption());
            final String effectiveValue = isProtected
                    ? decryptValue(entry.getValue(), entry.getEncryption(), entry.getName(), str)
                    : entry.getValue();
            resolved.put(entry.getName(), effectiveValue);
        }
        return new StandardAuthorizerConfigurationContext(str, resolved);
    }

    /* JADX WARN: Multi-variable type inference failed */
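    /**
     * Loads, instantiates and initializes the {@link UserGroupProvider} implementation
     * whose class name is {@code str2}.
     *
     * <p>The class is resolved only through the class loader that the extension manager
     * returns for that name. It must have a public no-argument constructor and be a
     * subtype of {@link UserGroupProvider}. Note that {@code Class.forName(..., true, ...)}
     * initializes the class before {@code asSubclass} verifies its type.
     *
     * <p>The decompiled close-handling is replaced by try-with-resources, so the
     * {@link ExtensionCloseable} is closed exactly once and a failure in {@code close()}
     * is attached as suppressed instead of replacing the original exception.
     *
     * @param str  value handed to the initialization context (presumably the provider
     *             identifier; confirm at the call site)
     * @param str2 fully qualified class name of the provider implementation
     * @return the initialized provider
     * @throws IllegalStateException if no extension class loader knows {@code str2}
     * @throws Exception if loading, construction, injection or initialization fails
     */
    private UserGroupProvider createUserGroupProvider(String str, String str2) throws Exception {
        final ExtensionClassLoader extensionClassLoader = this.extensionManager.getExtensionClassLoader(str2);
        if (extensionClassLoader == null) {
            throw new IllegalStateException("Extension not found in any of the configured class loaders: " + str2);
        }
        // The closeable scopes the extension class loader to this block (presumably by
        // swapping the thread context class loader; see ExtensionCloseable).
        try (ExtensionCloseable ignored = ExtensionCloseable.withClassLoader(extensionClassLoader)) {
            final Class<? extends UserGroupProvider> providerClass =
                    Class.forName(str2, true, extensionClassLoader).asSubclass(UserGroupProvider.class);
            final UserGroupProvider provider = providerClass.getConstructor().newInstance();
            performMethodInjection(provider, providerClass);
            performFieldInjection(provider, providerClass);
            provider.initialize(new StandardAuthorizerInitializationContext(str, this, this, this));
            return provider;
        }
    }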

    /* JADX WARN: Multi-variable type inference failed */
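    /**
     * Loads, instantiates and initializes the {@link AccessPolicyProvider} implementation
     * whose class name is {@code str2}.
     *
     * <p>The class is resolved only through the class loader that the extension manager
     * returns for that name. It must have a public no-argument constructor and be a
     * subtype of {@link AccessPolicyProvider}. Note that {@code Class.forName(..., true, ...)}
     * initializes the class before {@code asSubclass} verifies its type.
     *
     * <p>The decompiled close-handling is replaced by try-with-resources, so the
     * {@link ExtensionCloseable} is closed exactly once and a failure in {@code close()}
     * is attached as suppressed instead of replacing the original exception.
     *
     * @param str  value handed to the initialization context (presumably the provider
     *             identifier; confirm at the call site)
     * @param str2 fully qualified class name of the provider implementation
     * @return the initialized provider
     * @throws IllegalStateException if no extension class loader knows {@code str2}
     * @throws Exception if loading, construction, injection or initialization fails
     */
    private AccessPolicyProvider createAccessPolicyProvider(String str, String str2) throws Exception {
        final ExtensionClassLoader extensionClassLoader = this.extensionManager.getExtensionClassLoader(str2);
        if (extensionClassLoader == null) {
            throw new IllegalStateException("Extension not found in any of the configured class loaders: " + str2);
        }
        // The closeable scopes the extension class loader to this block (presumably by
        // swapping the thread context class loader; see ExtensionCloseable).
        try (ExtensionCloseable ignored = ExtensionCloseable.withClassLoader(extensionClassLoader)) {
            final Class<? extends AccessPolicyProvider> providerClass =
                    Class.forName(str2, true, extensionClassLoader).asSubclass(AccessPolicyProvider.class);
            final AccessPolicyProvider provider = providerClass.getConstructor().newInstance();
            performMethodInjection(provider, providerClass);
            performFieldInjection(provider, providerClass);
            provider.initialize(new StandardAuthorizerInitializationContext(str, this, this, this));
            return provider;
        }
    }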

    /* JADX WARN: Multi-variable type inference failed */
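    /**
     * Loads, instantiates and initializes the {@link Authorizer} implementation whose
     * class name is {@code str2}, optionally widening its class path.
     *
     * <p>When {@code str3} is non-empty, the authorizer is loaded from a new
     * {@link URLClassLoader} whose URLs are the union of the extension class loader's URLs
     * and the URLs resolved from {@code str3}, with the extension loader's parent as its
     * parent. Everything reachable through {@code str3} therefore runs as authorizer code:
     * the configuration that supplies it and the locations it names should be writable
     * only by the account administering the registry.
     *
     * <p>The decompiled close-handling is replaced by try-with-resources, so the
     * {@link ExtensionCloseable} is closed exactly once and a failure in {@code close()}
     * is attached as suppressed instead of replacing the original exception.
     *
     * @param str  value handed to the initialization context and used in the log line
     *             (presumably the authorizer identifier; confirm at the call site)
     * @param str2 fully qualified class name of the authorizer implementation
     * @param str3 additional class path resources, or empty/{@code null} for none
     * @return the initialized authorizer
     * @throws IllegalStateException if no extension class loader knows {@code str2}
     * @throws Exception if class path resolution, loading, construction, injection or
     *         initialization fails
     */
    private Authorizer createAuthorizer(String str, String str2, String str3) throws Exception {
        final ExtensionClassLoader extensionClassLoader = this.extensionManager.getExtensionClassLoader(str2);
        if (extensionClassLoader == null) {
            throw new IllegalStateException("Extension not found in any of the configured class loaders: " + str2);
        }

        final SecureClassLoader authorizerClassLoader;
        if (StringUtils.isNotEmpty(str3)) {
            logger.info(String.format("Replacing Authorizer ClassLoader for '%s' to include additional resources: %s", str, str3));
            // NOTE(review): a HashSet gives the merged URLs no defined order, so if the same
            // class exists both in the extension and under the additional resources, which
            // copy is loaded is unspecified. Consider an insertion-ordered set.
            final Set<URL> mergedUrls = new HashSet<>();
            mergedUrls.addAll(Arrays.asList(extensionClassLoader.getURLs()));
            mergedUrls.addAll(Arrays.asList(ClassLoaderUtils.getURLsForClasspath(str3, (FilenameFilter) null, true)));
            authorizerClassLoader = new URLClassLoader(mergedUrls.toArray(new URL[0]), extensionClassLoader.getParent());
        } else {
            authorizerClassLoader = extensionClassLoader;
        }

        // The closeable scopes the chosen class loader to this block (presumably by
        // swapping the thread context class loader; see ExtensionCloseable).
        try (ExtensionCloseable ignored = ExtensionCloseable.withClassLoader(authorizerClassLoader)) {
            // Class.forName(..., true, ...) initializes the class before asSubclass checks its type.
            final Class<? extends Authorizer> authorizerClass =
                    Class.forName(str2, true, authorizerClassLoader).asSubclass(Authorizer.class);
            final Authorizer instance = authorizerClass.getConstructor().newInstance();
            performMethodInjection(instance, authorizerClass);
            performFieldInjection(instance, authorizerClass);
            instance.initialize(new StandardAuthorizerInitializationContext(str, this, this, this));
            return instance;
        }
    }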

    /**
     * Invokes every public method of {@code cls} annotated with {@link AuthorizerContext}
     * that takes exactly one parameter of a supported type, passing the matching
     * dependency held by this factory.
     *
     * <p>Supported parameter types are {@link NiFiRegistryProperties}, {@link DataSource}
     * and {@code IdentityMapper}; annotated methods with any other signature are skipped
     * silently. The method's accessibility flag is restored after the call. Injection is
     * then repeated on the superclass while that superclass is assignable to
     * {@code Authorizer}; because {@code getMethods()} also returns inherited public
     * methods, an inherited annotated method can be invoked once per level.
     *
     * <p>Extension code that receives these objects gets the registry's properties and
     * database handle, so it is trusted to the same degree as the registry itself.
     *
     * @param obj instance to inject into
     * @param cls class whose public methods are scanned
     * @throws IllegalAccessException if an annotated method cannot be invoked
     * @throws IllegalArgumentException if the reflective call rejects the argument
     * @throws InvocationTargetException if an annotated method itself throws
     */
    private void performMethodInjection(Object obj, Class cls) throws IllegalAccessException, IllegalArgumentException, InvocationTargetException {
        for (final Method candidate : cls.getMethods()) {
            if (!candidate.isAnnotationPresent(AuthorizerContext.class)) {
                continue;
            }
            final boolean wasAccessible = candidate.isAccessible();
            candidate.setAccessible(true);
            try {
                final Class<?>[] argTypes = candidate.getParameterTypes();
                if (argTypes.length == 1) {
                    final Class<?> wanted = argTypes[0];
                    if (NiFiRegistryProperties.class.isAssignableFrom(wanted)) {
                        candidate.invoke(obj, this.properties);
                    } else if (DataSource.class.isAssignableFrom(wanted)) {
                        candidate.invoke(obj, this.dataSource);
                    } else if (IdentityMapper.class.isAssignableFrom(wanted)) {
                        candidate.invoke(obj, this.identityMapper);
                    }
                }
            } finally {
                // Put the flag back even when the invoked method throws.
                candidate.setAccessible(wasAccessible);
            }
        }

        final Class parent = cls.getSuperclass();
        if (parent != null && Authorizer.class.isAssignableFrom(parent)) {
            performMethodInjection(obj, parent);
        }
    }

    /**
     * Populates every field declared by {@code cls} that is annotated with
     * {@link AuthorizerContext}, is currently {@code null} on {@code obj}, and has a
     * supported type.
     *
     * <p>Supported field types are {@link NiFiRegistryProperties}, {@link DataSource} and
     * {@code IdentityMapper}. {@code getDeclaredFields()} is used, so non-public fields
     * are included; accessibility is forced for the write and restored afterwards.
     * Injection is then repeated on the superclass while that superclass is assignable to
     * {@code Authorizer}.
     *
     * <p>Extension code that receives these objects gets the registry's properties and
     * database handle, so it is trusted to the same degree as the registry itself.
     *
     * @param obj instance to inject into
     * @param cls class whose declared fields are scanned
     * @throws IllegalArgumentException if the reflective access rejects {@code obj} or the value
     * @throws IllegalAccessException if a field cannot be read or written
     */
    private void performFieldInjection(Object obj, Class cls) throws IllegalArgumentException, IllegalAccessException {
        for (final Field candidate : cls.getDeclaredFields()) {
            if (!candidate.isAnnotationPresent(AuthorizerContext.class)) {
                continue;
            }
            final boolean wasAccessible = candidate.isAccessible();
            candidate.setAccessible(true);
            try {
                final Class<?> declaredType = candidate.getType();
                // Only fill fields that are still unset; an existing value is left alone.
                if (candidate.get(obj) == null) {
                    if (NiFiRegistryProperties.class.isAssignableFrom(declaredType)) {
                        candidate.set(obj, this.properties);
                    } else if (DataSource.class.isAssignableFrom(declaredType)) {
                        candidate.set(obj, this.dataSource);
                    } else if (IdentityMapper.class.isAssignableFrom(declaredType)) {
                        candidate.set(obj, this.identityMapper);
                    }
                }
            } finally {
                candidate.setAccessible(wasAccessible);
            }
        }

        final Class parent = cls.getSuperclass();
        if (parent != null && Authorizer.class.isAssignableFrom(parent)) {
            performFieldInjection(obj, parent);
        }
    }

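    /**
     * Decrypts one protected property value from the authorizers configuration.
     *
     * <p>The provider is selected from the protection scheme identifier {@code str2}, and
     * the value is unprotected in the property context built from the authorizer
     * identifier and the property name. The error messages name only the scheme, never
     * the protected or decrypted value; keep it that way when editing them.
     *
     * <p>The {@link IllegalArgumentException} handler wraps the whole lookup-and-unprotect
     * expression, so it can also fire for reasons other than an unknown scheme. The
     * original exception is now attached as the cause so that the real failure stays
     * visible to whoever diagnoses it.
     *
     * @param str  protected (encrypted) property value
     * @param str2 identifier of the protection scheme named in the configuration
     * @param str3 name of the property being decrypted
     * @param str4 identifier of the authorizer that owns the property
     * @return the unprotected value
     * @throws SensitivePropertyProtectionException if no provider factory is wired, or if
     *         scheme resolution or unprotection raises an {@link IllegalArgumentException}
     */
    private String decryptValue(String str, String str2, String str3, String str4) throws SensitivePropertyProtectionException {
        if (this.sensitivePropertyProviderFactory == null) {
            throw new SensitivePropertyProtectionException("Sensitive Property Provider Factory dependency was never wired, so protected properties cannot be decrypted. This usually indicates that a master key for this NiFi Registry was not detected and configured during the bootstrap startup sequence. Contact the system administrator.");
        }
        try {
            return this.sensitivePropertyProviderFactory
                    .getProvider(PropertyProtectionScheme.fromIdentifier(str2))
                    .unprotect(str, this.sensitivePropertyProviderFactory.getPropertyContext(str4, str3));
        } catch (IllegalArgumentException e) {
            throw new SensitivePropertyProtectionException(String.format("Authorizer configuration XML was protected using %s, which is not supported. Cannot configure this Authorizer due to failing to decrypt protected configuration properties.", str2), e);
        }
    }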

    /**
     * Creates an {@link Authorizer} that approves every request and has no lifecycle
     * behavior.
     *
     * <p>{@code authorize} returns {@code AuthorizationResult.approved()} without looking
     * at the request, so wherever this instance is installed nothing is access-controlled.
     * NOTE(review): the call site is not in this part of the file; confirm it is reachable
     * only when the registry is deliberately run without authorization.
     *
     * @return a permit-all authorizer
     */
    private Authorizer createDefaultAuthorizer() {
        final Authorizer permitAll = new Authorizer() {
            public AuthorizationResult authorize(AuthorizationRequest request) throws AuthorizationAccessException {
                // Unconditional approval: identity, resource and action are not inspected.
                return AuthorizationResult.approved();
            }

            public void initialize(AuthorizerInitializationContext initializationContext) throws SecurityProviderCreationException {
                // Nothing to initialize.
            }

            public void onConfigured(AuthorizerConfigurationContext configurationContext) throws SecurityProviderCreationException {
                // No configuration is consumed.
            }

            public void preDestruction() throws SecurityProviderCreationException {
                // Nothing to release.
            }
        };
        return permitAll;
    }

    /**
     * Wraps the configured authorizer in the decorator that matches its kind.
     *
     * <p>A {@code ManagedAuthorizer} is wrapped in {@code ManagedAuthorizerWrapper}; any
     * other authorizer is wrapped in {@code AuthorizerWrapper}. What the wrappers enforce
     * is defined in those classes, not here.
     *
     * @param authorizer the authorizer to wrap
     * @return the wrapping authorizer
     */
    private static Authorizer installIntegrityChecks(Authorizer authorizer) {
        if (authorizer instanceof ManagedAuthorizer) {
            return new ManagedAuthorizerWrapper((ManagedAuthorizer) authorizer);
        }
        return new AuthorizerWrapper(authorizer);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Forwards an authorization decision to the authorizer's audit hook when one applies.
     *
     * <p>The hook is called only if the authorizer implements {@code AuthorizationAuditor},
     * the request is flagged as an access attempt, and the result is not
     * {@code ResourceNotFound}. Both approvals and denials that meet those conditions are
     * forwarded; everything else leaves no audit record through this path.
     *
     * @param authorizer           authorizer that produced the decision
     * @param authorizationRequest request that was evaluated
     * @param authorizationResult  decision for that request
     */
    public static void audit(Authorizer authorizer, AuthorizationRequest authorizationRequest, AuthorizationResult authorizationResult) {
        if (!(authorizer instanceof AuthorizationAuditor)) {
            return;
        }
        if (!authorizationRequest.isAccessAttempt()) {
            return;
        }
        final boolean resourceMissing = AuthorizationResult.Result.ResourceNotFound.equals(authorizationResult.getResult());
        if (resourceMissing) {
            return;
        }
        ((AuthorizationAuditor) authorizer).auditAccessAttempt(authorizationRequest, authorizationResult);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Checks whether the provider already holds a different policy for the same resource
     * and action as {@code accessPolicy}.
     *
     * @param accessPolicyProvider provider whose current policies are inspected
     * @param accessPolicy         policy being added or updated
     * @return {@code true} if a policy with another identifier covers the same resource
     *         and action
     */
    public static boolean policyExists(AccessPolicyProvider accessPolicyProvider, AccessPolicy accessPolicy) {
        final boolean conflictFound = policyExists(accessPolicyProvider.getAccessPolicies(), accessPolicy);
        return conflictFound;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Checks whether {@code collection} contains a different policy for the same resource
     * and action as {@code accessPolicy}.
     *
     * <p>A policy with the same identifier as {@code accessPolicy} is ignored, so updating
     * a policy does not conflict with itself.
     *
     * @param collection   existing policies
     * @param accessPolicy policy being added or updated
     * @return {@code true} if a policy with another identifier has an equal resource and
     *         an equal action
     */
    public static boolean policyExists(Collection<AccessPolicy> collection, AccessPolicy accessPolicy) {
        return collection.stream().anyMatch(existing ->
                !existing.getIdentifier().equals(accessPolicy.getIdentifier())
                        && existing.getResource().equals(accessPolicy.getResource())
                        && existing.getAction().equals(accessPolicy.getAction()));
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Checks whether another user already has the given identity.
     *
     * <p>The user whose identifier equals {@code str} is ignored, so a user does not
     * conflict with itself. Identities are compared with {@code equals}; presumably these
     * are strings, in which case values differing only in case or normalization count as
     * distinct.
     *
     * @param userGroupProvider provider whose users are inspected
     * @param str               identifier of the user being added or updated
     * @param str2              identity to look for
     * @return {@code true} if a user with another identifier has that identity
     */
    public static boolean userExists(UserGroupProvider userGroupProvider, String str, String str2) {
        for (final User candidate : userGroupProvider.getUsers()) {
            if (candidate.getIdentifier().equals(str)) {
                continue;
            }
            if (candidate.getIdentity().equals(str2)) {
                return true;
            }
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Checks whether another group already has the given name.
     *
     * <p>The group whose identifier equals {@code str} is ignored, so a group does not
     * conflict with itself. Names are compared with {@code equals}; presumably these are
     * strings, in which case names differing only in case count as distinct.
     *
     * @param userGroupProvider provider whose groups are inspected
     * @param str               identifier of the group being added or updated
     * @param str2              group name to look for
     * @return {@code true} if a group with another identifier has that name
     */
    public static boolean groupExists(UserGroupProvider userGroupProvider, String str, String str2) {
        for (final Group candidate : userGroupProvider.getGroups()) {
            if (candidate.getIdentifier().equals(str)) {
                continue;
            }
            if (candidate.getName().equals(str2)) {
                return true;
            }
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Checks that every member listed by {@code group} resolves to a user in the provider.
     *
     * @param userGroupProvider provider used to look up each member
     * @param group             group whose member list is verified
     * @return {@code false} as soon as one member lookup returns {@code null};
     *         {@code true} otherwise, including for a group without members
     */
    public static boolean allGroupUsersExist(UserGroupProvider userGroupProvider, Group group) {
        for (final Object memberId : group.getUsers()) {
            final boolean unknownMember = userGroupProvider.getUser((String) memberId) == null;
            if (unknownMember) {
                return false;
            }
        }
        return true;
    }
}
