package org.apache.nifi.web.security.authorization;

import java.util.ArrayList;
import java.util.List;
import java.util.ListIterator;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.admin.service.AccountDisabledException;
import org.apache.nifi.admin.service.AccountNotFoundException;
import org.apache.nifi.admin.service.AccountPendingException;
import org.apache.nifi.admin.service.AdministrationException;
import org.apache.nifi.admin.service.UserService;
import org.apache.nifi.authorization.Authority;
import org.apache.nifi.user.NiFiUser;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.UntrustedProxyException;
import org.apache.nifi.web.security.token.NiFiAuthorizationRequestToken;
import org.apache.nifi.web.security.user.NiFiUserDetails;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.dao.DataAccessException;
import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/* loaded from: input_file:org/apache/nifi/web/security/authorization/NiFiAuthorizationService.class */
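/**
 * Resolves the {@link UserDetails} for a {@link NiFiAuthorizationRequestToken} by walking its
 * identity chain and authorizing every entry through the {@link UserService}.
 *
 * <p>The chain is evaluated from its last entry to its first. Every entry other than the one at
 * index 0 is treated as a proxy and must hold {@link Authority#ROLE_PROXY}; the entry at index 0
 * is the identity whose details are returned. Evaluation fails closed: the first entry that cannot
 * be authorized aborts the whole request with an exception, so entries nearer the front of the
 * list are only looked up after every entry behind them has been accepted as a proxy.
 *
 * <p>{@link #loadUserDetails} is {@code synchronized}, so lookups on one instance run one at a time.
 */
public class NiFiAuthorizationService implements AuthenticationUserDetailsService<NiFiAuthorizationRequestToken> {
    private static final Logger logger = LoggerFactory.getLogger(NiFiAuthorizationService.class);
    private UserService userService;
    private NiFiProperties properties;

    /**
     * Authorizes every identity in the token's chain and returns the details of the first entry.
     *
     * @param niFiAuthorizationRequestToken token carrying the identity chain to evaluate
     * @return details for the identity at index 0, with the verified proxies linked through
     *         {@code NiFiUser.setChain}
     * @throws UntrustedProxyException if the chain is null or empty, or if a proxy entry is unknown,
     *         fails its account check, or lacks {@link Authority#ROLE_PROXY}
     * @throws UsernameNotFoundException if the identity at index 0 has no account
     * @throws AccountStatusException if the identity at index 0 is disabled or pending, or if an
     *         account request for an unknown proxy was already submitted
     * @throws AuthenticationServiceException if the user service fails
     */
    @Override
    public synchronized UserDetails loadUserDetails(NiFiAuthorizationRequestToken niFiAuthorizationRequestToken) throws UsernameNotFoundException, DataAccessException {
        // Work on a private snapshot: the emptiness check and the traversal below must see the same
        // entries even if the token's list is modified elsewhere. A missing chain is handled like an
        // empty one so the request is rejected as untrusted rather than failing with an NPE.
        final List<String> requested = niFiAuthorizationRequestToken.getChain();
        final List<String> chain = new ArrayList<String>();
        if (requested != null) {
            chain.addAll(requested);
        }
        if (chain.isEmpty()) {
            logger.warn("Malformed proxy chain: {}", chain);
            throw new UntrustedProxyException("Malformed proxy chain.");
        }

        NiFiUserDetails details = null;
        NiFiUser verifiedProxy = null;
        for (ListIterator<String> cursor = chain.listIterator(chain.size()); cursor.hasPrevious();) {
            final String identity = cursor.previous();
            if (cursor.hasPrevious()) {
                // Not yet at index 0, so this entry is acting as a proxy.
                verifiedProxy = verifyProxy(identity, verifiedProxy);
            } else {
                // Index 0: account-status failures from getNiFiUserDetails propagate unchanged.
                details = getNiFiUserDetails(identity);
                if (verifiedProxy != null) {
                    details.getNiFiUser().setChain(verifiedProxy);
                }
            }
        }
        return details;
    }

    /**
     * Looks up a proxy identity, requires {@link Authority#ROLE_PROXY} on it and links it to the
     * proxy verified before it.
     *
     * <p>NOTE(review): identities are written to the log and into exception messages verbatim.
     * Confirm that the filter building the chain, or the log layout, neutralises line breaks so a
     * crafted identity cannot forge log entries.
     *
     * @param identity the proxy identity taken from the chain
     * @param nextInChain the proxy verified in the previous iteration, or {@code null} for the first
     * @return the authorized proxy user
     * @throws UntrustedProxyException if the proxy is unknown, not authorized, or lacks the role
     */
    private NiFiUser verifyProxy(String identity, NiFiUser nextInChain) {
        try {
            final NiFiUser proxy = getNiFiUserDetails(identity).getNiFiUser();
            if (!proxy.getAuthorities().contains(Authority.ROLE_PROXY)) {
                logger.warn("Proxy '{}' must have '{}' authority. Current authorities: {}",
                        identity, Authority.ROLE_PROXY, StringUtils.join(proxy.getAuthorities(), ", "));
                throw untrustedProxy(identity);
            }
            if (nextInChain != null) {
                proxy.setChain(nextInChain);
            }
            return proxy;
        } catch (UsernameNotFoundException e) {
            // Unknown proxy: optionally record a pending account request, then reject regardless.
            // The request itself is never allowed through on this path.
            if (this.properties.getSupportNewAccountRequests()) {
                requestAccountForUnknownProxy(identity);
            }
            logger.warn("Untrusted proxy '{}' must be authorized with '{}' authority: {}",
                    identity, Authority.ROLE_PROXY, e.getMessage());
            throw untrustedProxy(identity);
        } catch (AuthenticationException e) {
            // Any other authentication failure for a proxy is reported uniformly as an untrusted proxy.
            logger.warn("Untrusted proxy '{}' must be authorized with '{}' authority: {}",
                    identity, Authority.ROLE_PROXY, e.getMessage());
            throw untrustedProxy(identity);
        }
    }

    /**
     * Files a pending account request for a proxy identity that has no account.
     *
     * @param identity the unknown proxy identity
     * @throws AuthenticationServiceException if the user service cannot create the request
     * @throws AccountStatusException if a request for this identity was already submitted
     */
    private void requestAccountForUnknownProxy(String identity) {
        try {
            logger.warn("Automatic account request generated for unknown proxy: {}", identity);
            this.userService.createPendingUserAccount(identity, "Automatic account request generated for unknown proxy.");
        } catch (AdministrationException e) {
            throw new AuthenticationServiceException(String.format("Unable to create an account request for '%s': %s", identity, e.getMessage()), e);
        } catch (IllegalArgumentException e) {
            final String message = String.format("Account request was already submitted for '%s'", identity);
            logger.warn("Account request was already submitted for '{}'", identity);
            // Keep the cause so the original failure is visible in stack traces.
            throw new AccountStatusException(message, e) {
            };
        }
    }

    /** Builds the exception used for every rejected proxy so callers see one consistent message. */
    private static UntrustedProxyException untrustedProxy(String identity) {
        return new UntrustedProxyException(String.format("Untrusted proxy '%s' must be authorized with '%s'.", identity, Authority.ROLE_PROXY.toString()));
    }

    /**
     * Runs the user service's authorization check for one identity and maps its failures onto
     * Spring Security exception types.
     *
     * @param str the identity to authorize
     * @return details wrapping the user returned by {@code checkAuthorization}
     * @throws AuthenticationServiceException on an {@link AdministrationException}
     * @throws UsernameNotFoundException if the account does not exist
     * @throws AccountStatusException if the account is disabled or pending
     */
    private NiFiUserDetails getNiFiUserDetails(String str) {
        try {
            return new NiFiUserDetails(this.userService.checkAuthorization(str));
        } catch (AdministrationException e) {
            throw new AuthenticationServiceException(String.format("An error occurred while accessing the user credentials for '%s': %s", str, e.getMessage()), e);
        } catch (AccountNotFoundException e) {
            // Preserve the cause; the message alone loses the originating stack trace.
            throw new UsernameNotFoundException(e.getMessage(), e);
        } catch (AccountDisabledException | AccountPendingException e) {
            throw new AccountStatusException(e.getMessage(), e) {
            };
        }
    }

    /**
     * Sets the service used for authorization checks and pending account requests.
     *
     * @param userService the user service
     */
    public void setUserService(UserService userService) {
        this.userService = userService;
    }

    /**
     * Sets the properties consulted to decide whether unknown proxies get an account request.
     *
     * @param niFiProperties the NiFi properties
     */
    public void setProperties(NiFiProperties niFiProperties) {
        this.properties = niFiProperties;
    }
}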
