package org.apache.nifi.web.security;

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.user.NiFiUser;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.token.NiFiAuthortizationRequestToken;
import org.apache.nifi.web.security.user.NiFiUserUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:org/apache/nifi/web/security/NiFiAuthenticationFilter.class */
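/**
 * Base servlet filter that authenticates requests before they reach the rest of the filter chain.
 *
 * <p>Subclasses supply {@link #attemptAuthentication(HttpServletRequest)}, which extracts an
 * authorization request token from the request. When a token is returned it is passed to the
 * configured {@link AuthenticationManager}; on success the resulting {@link Authentication} is
 * stored in the {@link SecurityContextHolder} and the request proceeds down the chain.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>If {@code attemptAuthentication} returns {@code null}, the request is passed down the
 *       chain without any call to the authentication manager. Access control for such requests
 *       therefore depends entirely on what runs later in the chain.</li>
 *   <li>If the current user is the anonymous user and authentication fails with an
 *       {@link AuthenticationException} other than {@code InvalidAuthenticationException}, the
 *       failure is logged and the request continues as anonymous instead of being rejected.</li>
 * </ul>
 *
 * <p>Both collaborators are injected through setters and are not null-checked here.
 */
public abstract class NiFiAuthenticationFilter extends GenericFilterBean {
    private static final Logger log = LoggerFactory.getLogger(NiFiAuthenticationFilter.class);

    /** Identity value that marks the current user as the anonymous user. */
    private static final String ANONYMOUS_IDENTITY = "anonymous";

    /** Path (as reported by {@code getPathInfo()}) that receives new account requests. */
    private static final String NEW_ACCOUNT_PATH = "/controller/users";

    private AuthenticationManager authenticationManager;
    private NiFiProperties properties;

    /**
     * Authenticates the request when required, otherwise passes it straight down the chain.
     *
     * @param servletRequest the incoming request; cast to {@link HttpServletRequest} without a type check
     * @param servletResponse the outgoing response; cast to {@link HttpServletResponse} when authenticating
     * @param filterChain the remaining filters
     * @throws IOException if writing the response or a downstream filter fails
     * @throws ServletException if a downstream filter fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (log.isDebugEnabled()) {
            log.debug("Checking secure context token: " + SecurityContextHolder.getContext().getAuthentication());
        }
        if (requiresAuthentication((HttpServletRequest) servletRequest)) {
            authenticate((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse, filterChain);
        } else {
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    /**
     * Decides whether this request still needs to be authenticated.
     *
     * <p>Authentication is (re)attempted when the current user is anonymous, or when there is
     * neither a current user nor a pending new-account request. The request itself is not
     * inspected.
     *
     * @param httpServletRequest the incoming request (unused)
     * @return {@code true} if {@link #authenticate} should run for this request
     */
    private boolean requiresAuthentication(HttpServletRequest httpServletRequest) {
        if (isAnonymousUser()) {
            return true;
        }
        return NiFiUserUtils.getNiFiUser() == null && NiFiUserUtils.getNewAccountRequest() == null;
    }

    /**
     * @return {@code true} if a current user exists and its identity is {@code "anonymous"}
     */
    private boolean isAnonymousUser() {
        NiFiUser niFiUser = NiFiUserUtils.getNiFiUser();
        return niFiUser != null && ANONYMOUS_IDENTITY.equals(niFiUser.getIdentity());
    }

    /**
     * Attempts authentication and then continues the filter chain, or rejects the request.
     *
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response used to report a rejection
     * @param filterChain the remaining filters
     * @throws IOException if writing the rejection or a downstream filter fails
     * @throws ServletException if a downstream filter fails
     */
    private void authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        String proxyChain = null;
        try {
            NiFiAuthortizationRequestToken requestToken = attemptAuthentication(httpServletRequest);
            if (requestToken != null) {
                proxyChain = ProxiedEntitiesUtils.formatProxyDn(StringUtils.join(requestToken.getChain(), "><"));
                // The chain, method and URL are derived from the request, so line breaks are
                // neutralised before they reach the log to prevent forged log entries.
                log.info(String.format("Attempting request for (%s) %s %s (source ip: %s)",
                        sanitizeForLog(proxyChain),
                        sanitizeForLog(httpServletRequest.getMethod()),
                        sanitizeForLog(httpServletRequest.getRequestURL().toString()),
                        httpServletRequest.getRemoteAddr()));
                successfulAuthorization(httpServletRequest, httpServletResponse, this.authenticationManager.authenticate(requestToken));
            }
            // A null token means no authentication was attempted; the request still proceeds.
            // NOTE(review): this call sits inside the try block, so an AuthenticationException
            // raised further down the chain is handled by the catch clauses below, and for an
            // anonymous user the chain would then be invoked a second time. Confirm that
            // downstream components never throw AuthenticationException.
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } catch (InvalidAuthenticationException e) {
            // Always rejected, even for the anonymous user.
            unsuccessfulAuthorization(httpServletRequest, httpServletResponse, e);
        } catch (AuthenticationException e2) {
            if (!isAnonymousUser()) {
                unsuccessfulAuthorization(httpServletRequest, httpServletResponse, e2);
                return;
            }
            // Fix: the original tested `proxyChain == null` and so printed the identity only when
            // there was none ("null"), omitting it whenever it was actually known.
            if (proxyChain != null) {
                log.info(String.format("Continuing as anonymous user. Unable to authenticate %s: %s", sanitizeForLog(proxyChain), sanitizeForLog(e2)));
            } else {
                log.info(String.format("Continuing as anonymous user. Unable to authenticate: %s", sanitizeForLog(e2)));
            }
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Extracts the authorization request token from the request.
     *
     * @param httpServletRequest the incoming request
     * @return the token to authenticate, or {@code null} to skip authentication for this request
     */
    public abstract NiFiAuthortizationRequestToken attemptAuthentication(HttpServletRequest httpServletRequest);

    /**
     * Records a successful authentication in the security context and notifies
     * {@code ProxiedEntitiesUtils}.
     *
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the outgoing response
     * @param authentication the authenticated principal returned by the authentication manager
     */
    protected void successfulAuthorization(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
        if (log.isDebugEnabled()) {
            log.debug("Authentication success: " + authentication);
        }
        SecurityContextHolder.getContext().setAuthentication(authentication);
        ProxiedEntitiesUtils.successfulAuthorization(httpServletRequest, httpServletResponse, authentication);
    }

    /**
     * Rejects the request with a plain-text body and a status chosen from the exception type.
     *
     * <ul>
     *   <li>{@link UsernameNotFoundException}: 401 when new account requests are supported, else 403.</li>
     *   <li>{@code InvalidAuthenticationException}: 401 with the exception message.</li>
     *   <li>{@link AccountStatusException}, {@code UntrustedProxyException}: 403 with the exception message.</li>
     *   <li>{@link AuthenticationServiceException}: 500 with the exception message.</li>
     *   <li>Anything else: 403 with a generic message.</li>
     * </ul>
     *
     * @param httpServletRequest the rejected request
     * @param httpServletResponse the response to write the rejection to
     * @param authenticationException the reason for the rejection
     * @throws IOException if the response writer cannot be obtained
     */
    protected void unsuccessfulAuthorization(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException {
        ProxiedEntitiesUtils.unsuccessfulAuthorization(httpServletRequest, httpServletResponse, authenticationException);
        httpServletResponse.setContentType("text/plain");
        PrintWriter writer = httpServletResponse.getWriter();
        String reason = authenticationException.getMessage();

        if (authenticationException instanceof UsernameNotFoundException) {
            if (this.properties.getSupportNewAccountRequests()) {
                httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                writer.println("Not authorized.");
            } else {
                httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
                writer.println("Access is denied.");
            }
        } else if (authenticationException instanceof InvalidAuthenticationException) {
            httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            writer.println(reason);
        } else if (authenticationException instanceof AccountStatusException
                || authenticationException instanceof UntrustedProxyException) {
            httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
            writer.println(reason);
        } else if (authenticationException instanceof AuthenticationServiceException) {
            log.error(String.format("Unable to authorize: %s", sanitizeForLog(reason)), authenticationException);
            httpServletResponse.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            // NOTE(review): the service exception message is returned to the caller verbatim.
            // If it can carry backend detail, a generic body would be the safer response; it is
            // kept as-is here because clients may rely on the current text.
            writer.println(String.format("Unable to authorize: %s", reason));
        } else {
            log.error(String.format("Unable to authorize: %s", sanitizeForLog(reason)), authenticationException);
            httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
            writer.println("Access is denied.");
        }

        log.info(String.format("Rejecting access to web api: %s", sanitizeForLog(reason)));
        if (log.isDebugEnabled()) {
            log.debug("", authenticationException);
        }
    }

    /**
     * Tells whether the request is a new account request: a {@code POST} whose path info is
     * exactly {@code /controller/users}.
     *
     * <p>Decompiler note: the original declaration was {@code protected}.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} for a new account request
     */
    public final boolean isNewAccountRequest(HttpServletRequest httpServletRequest) {
        if (!"POST".equalsIgnoreCase(httpServletRequest.getMethod())) {
            return false;
        }
        // equals() on the constant already rejects null and blank path info.
        return NEW_ACCOUNT_PATH.equals(httpServletRequest.getPathInfo());
    }

    /**
     * Reads the {@code justification} request parameter.
     *
     * <p>The value is returned exactly as supplied by the client; callers that store or display
     * it are responsible for validating and encoding it.
     *
     * <p>Decompiler note: the original declaration was {@code protected}.
     *
     * @param httpServletRequest the incoming request
     * @return the parameter value, or an empty string when the parameter is absent
     */
    public final String getJustification(HttpServletRequest httpServletRequest) {
        String justification = httpServletRequest.getParameter("justification");
        return justification == null ? "" : justification;
    }

    /** No resources to release. */
    @Override
    public void destroy() {
    }

    /**
     * @param authenticationManager the manager that validates authorization request tokens
     */
    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /**
     * @param niFiProperties the properties consulted when rejecting unknown users
     */
    public void setProperties(NiFiProperties niFiProperties) {
        this.properties = niFiProperties;
    }

    /**
     * Renders a value for logging with carriage returns and line feeds replaced, so that
     * request-derived text cannot start a new, forged log line.
     *
     * @param value the value to render; {@code null} is rendered as {@code "null"}
     * @return the single-line text
     */
    private static String sanitizeForLog(Object value) {
        return String.valueOf(value).replace('\r', '_').replace('\n', '_');
    }
}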
