package org.apache.nifi.web.security.x509;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.ListIterator;
import java.util.Map;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.authentication.AuthenticationResponse;
import org.apache.nifi.authorization.AccessDeniedException;
import org.apache.nifi.authorization.Authorizer;
import org.apache.nifi.authorization.RequestAction;
import org.apache.nifi.authorization.Resource;
import org.apache.nifi.authorization.UserContextKeys;
import org.apache.nifi.authorization.resource.Authorizable;
import org.apache.nifi.authorization.resource.ResourceFactory;
import org.apache.nifi.authorization.user.NiFiUser;
import org.apache.nifi.authorization.user.NiFiUserDetails;
import org.apache.nifi.authorization.user.StandardNiFiUser;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.InvalidAuthenticationException;
import org.apache.nifi.web.security.NiFiAuthenticationProvider;
import org.apache.nifi.web.security.ProxiedEntitiesUtils;
import org.apache.nifi.web.security.UntrustedProxyException;
import org.apache.nifi.web.security.token.NiFiAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/* loaded from: input_file:org/apache/nifi/web/security/x509/X509AuthenticationProvider.class */
/**
 * Authentication provider for requests that carry an X.509 client certificate, with optional
 * support for a chain of proxied identities.
 *
 * <p>Trust model as implemented here: the only identity backed by a credential is the one that
 * {@code certificateIdentityProvider} derives from the presented certificates. Every other entry
 * in the proxied-entities chain is a string taken from the request token. Such an entry is only
 * accepted after the identity that vouches for it has been authorized for {@code WRITE} on the
 * proxy resource. This class establishes identity only; it makes no authorization decision for
 * the end user.
 */
public class X509AuthenticationProvider extends NiFiAuthenticationProvider {
    /** Authorizable that stands for the proxy resource; it has no parent authorizable. */
    private static final Authorizable PROXY_AUTHORIZABLE = new Authorizable() {
        public Authorizable getParentAuthorizable() {
            return null;
        }

        public Resource getResource() {
            return ResourceFactory.getProxyResource();
        }
    };
    // Turns the presented certificates into an authenticated identity.
    private X509IdentityProvider certificateIdentityProvider;
    // Consulted when deciding whether an identity may act as a proxy.
    private Authorizer authorizer;
    // Read for the anonymous-authentication setting.
    final NiFiProperties properties;

    /**
     * Creates the provider.
     *
     * @param x509IdentityProvider extracts the identity from the client certificates
     * @param authorizer used for the proxy authorization check, and also handed to the superclass
     * @param niFiProperties application properties, also handed to the superclass
     */
    public X509AuthenticationProvider(X509IdentityProvider x509IdentityProvider, Authorizer authorizer, NiFiProperties niFiProperties) {
        super(niFiProperties, authorizer);
        this.certificateIdentityProvider = x509IdentityProvider;
        this.authorizer = authorizer;
        this.properties = niFiProperties;
    }

    /**
     * Authenticates an {@link X509AuthenticationRequestToken}.
     *
     * <p>Without a proxied-entities chain the certificate identity is mapped and returned as the
     * user. With a chain, the certificate identity is appended to the tokenized chain and the list
     * is walked from the last element to the first, so the certificate holder is processed first
     * and the first chain entry (the end user) last. Every identity except the final one processed
     * must be authorized for {@code WRITE} on the proxy resource.
     *
     * @param authentication the request token; it is cast without a type check, so this relies on
     *        callers honouring {@link #supports(Class)} (presumably enforced by the framework)
     * @return a {@link NiFiAuthenticationToken} wrapping the resulting user
     * @throws InvalidAuthenticationException if a chain entry is blank while anonymous
     *         authentication is not allowed, or if an {@link IllegalArgumentException} is raised
     *         while processing the request
     * @throws UntrustedProxyException if an identity acting as a proxy is denied on the proxy resource
     */
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        final X509AuthenticationRequestToken request = (X509AuthenticationRequestToken) authentication;
        try {
            final AuthenticationResponse certificateResponse =
                    this.certificateIdentityProvider.authenticate(request.getCertificates());

            // Direct access: nobody is being proxied, so no proxy authorization is needed.
            if (StringUtils.isBlank(request.getProxiedEntitiesChain())) {
                final String directIdentity = mapIdentity(certificateResponse.getIdentity());
                final NiFiUser directUser = new StandardNiFiUser.Builder()
                        .identity(directIdentity)
                        .groups(getUserGroups(directIdentity))
                        .clientAddress(request.getClientAddress())
                        .build();
                return new NiFiAuthenticationToken(new NiFiUserDetails(directUser));
            }

            // The chain entries come from the request; the certificate identity goes last so that
            // the reverse walk below starts with the only entry backed by a credential.
            final ArrayList<String> identityChain = new ArrayList<String>(
                    ProxiedEntitiesUtils.tokenizeProxiedEntitiesChain(request.getProxiedEntitiesChain()));
            identityChain.add(certificateResponse.getIdentity());

            NiFiUser chainedUser = null;
            for (ListIterator<String> cursor = identityChain.listIterator(identityChain.size()); cursor.hasPrevious(); ) {
                final String rawIdentity = cursor.previous();
                final boolean anonymous = StringUtils.isBlank(rawIdentity);

                final String effectiveIdentity;
                if (anonymous) {
                    // A blank entry stands for the anonymous user and is refused unless enabled.
                    if (!this.properties.isAnonymousAuthenticationAllowed().booleanValue()) {
                        throw new InvalidAuthenticationException("Anonymous authentication has not been configured.");
                    }
                    effectiveIdentity = "anonymous";
                } else {
                    effectiveIdentity = mapIdentity(rawIdentity);
                }

                final Set<String> groups = getUserGroups(effectiveIdentity);
                // Only the first user created (the certificate holder) receives the client
                // address; users further along the chain get null.
                final String clientAddress = chainedUser == null ? request.getClientAddress() : null;
                chainedUser = createUser(effectiveIdentity, groups, chainedUser, clientAddress, anonymous);

                // More entries remain, so this identity is vouching for someone else and must
                // hold WRITE on the proxy resource before the next entry is accepted.
                if (cursor.hasPrevious()) {
                    try {
                        PROXY_AUTHORIZABLE.authorize(this.authorizer, RequestAction.WRITE, chainedUser);
                    } catch (AccessDeniedException denied) {
                        // NOTE(review): the AccessDeniedException is not chained or logged here,
                        // so the denial detail is lost at this point; confirm that rejected proxy
                        // attempts are recorded elsewhere for audit.
                        throw new UntrustedProxyException(String.format("Untrusted proxy %s", effectiveIdentity));
                    }
                }
            }
            return new NiFiAuthenticationToken(new NiFiUserDetails(chainedUser));
        } catch (IllegalArgumentException invalid) {
            throw new InvalidAuthenticationException(invalid.getMessage(), invalid);
        }
    }

    /**
     * Builds the user for one link of the identity chain.
     *
     * @param str identity of the user (not used when {@code z} is true)
     * @param set groups of the user (not used when {@code z} is true)
     * @param niFiUser the user already built for the preceding link, or {@code null} for the first
     * @param str2 client address to record, may be {@code null}
     * @param z {@code true} to build the anonymous user instead of a named one
     * @return the anonymous user populated with the chain and address, or a named user
     */
    protected static NiFiUser createUser(String str, Set<String> set, NiFiUser niFiUser, String str2, boolean z) {
        if (z) {
            return StandardNiFiUser.populateAnonymousUser(niFiUser, str2);
        }
        return new StandardNiFiUser.Builder()
                .identity(str)
                .groups(set)
                .chain(niFiUser)
                .clientAddress(str2)
                .build();
    }

    /**
     * Builds a user-context map holding the client address of the request.
     *
     * <p>No method visible in this class calls it.
     *
     * @param x509AuthenticationRequestToken the request token
     * @return a map with the single {@code CLIENT_ADDRESS} entry, or {@code null} when the
     *         address is blank
     */
    private Map<String, String> getUserContext(X509AuthenticationRequestToken x509AuthenticationRequestToken) {
        if (StringUtils.isBlank(x509AuthenticationRequestToken.getClientAddress())) {
            return null;
        }
        final HashMap<String, String> context = new HashMap<String, String>();
        context.put(UserContextKeys.CLIENT_ADDRESS.name(), x509AuthenticationRequestToken.getClientAddress());
        return context;
    }

    /**
     * Reports whether this provider handles the given token type.
     *
     * @param cls the authentication token class
     * @return {@code true} if {@code cls} is {@link X509AuthenticationRequestToken} or a subclass
     */
    public boolean supports(Class<?> cls) {
        return X509AuthenticationRequestToken.class.isAssignableFrom(cls);
    }
}
