package org.apache.nifi.web.security.saml.impl;

import java.io.File;
import java.net.URI;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.Timer;
import java.util.concurrent.TimeUnit;
import javax.servlet.ServletException;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.params.HttpClientParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.nifi.security.util.KeyStoreUtils;
import org.apache.nifi.security.util.SslContextFactory;
import org.apache.nifi.security.util.StandardTlsConfiguration;
import org.apache.nifi.security.util.TlsConfiguration;
import org.apache.nifi.security.util.TlsException;
import org.apache.nifi.util.FormatUtils;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.util.StringUtils;
import org.apache.nifi.web.security.saml.NiFiSAMLContextProvider;
import org.apache.nifi.web.security.saml.SAMLConfiguration;
import org.apache.nifi.web.security.saml.SAMLConfigurationFactory;
import org.apache.nifi.web.security.saml.impl.StandardSAMLConfiguration;
import org.apache.nifi.web.security.saml.impl.tls.CompositeKeyManager;
import org.apache.nifi.web.security.saml.impl.tls.CustomTLSProtocolSocketFactory;
import org.apache.nifi.web.security.saml.impl.tls.TruststoreStrategy;
import org.apache.velocity.app.VelocityEngine;
import org.opensaml.Configuration;
import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.ParserPool;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.opensaml.xml.parse.XMLParserException;
import org.opensaml.xml.security.BasicSecurityConfiguration;
import org.opensaml.xml.security.SecurityHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.security.saml.SAMLBootstrap;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.log.SAMLDefaultLogger;
import org.springframework.security.saml.log.SAMLLogger;
import org.springframework.security.saml.metadata.CachingMetadataManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;
import org.springframework.security.saml.metadata.MetadataManager;
import org.springframework.security.saml.processor.HTTPArtifactBinding;
import org.springframework.security.saml.processor.HTTPPAOS11Binding;
import org.springframework.security.saml.processor.HTTPPostBinding;
import org.springframework.security.saml.processor.HTTPRedirectDeflateBinding;
import org.springframework.security.saml.processor.HTTPSOAP11Binding;
import org.springframework.security.saml.processor.SAMLProcessor;
import org.springframework.security.saml.processor.SAMLProcessorImpl;
import org.springframework.security.saml.storage.EmptyStorageFactory;
import org.springframework.security.saml.util.VelocityFactory;
import org.springframework.security.saml.websso.ArtifactResolutionProfileImpl;
import org.springframework.security.saml.websso.SingleLogoutProfile;
import org.springframework.security.saml.websso.SingleLogoutProfileImpl;
import org.springframework.security.saml.websso.WebSSOProfile;
import org.springframework.security.saml.websso.WebSSOProfileConsumer;
import org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl;
import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl;
import org.springframework.security.saml.websso.WebSSOProfileECPImpl;
import org.springframework.security.saml.websso.WebSSOProfileHoKImpl;
import org.springframework.security.saml.websso.WebSSOProfileImpl;
import org.springframework.security.saml.websso.WebSSOProfileOptions;

/* loaded from: input_file:org/apache/nifi/web/security/saml/impl/StandardSAMLConfigurationFactory.class */
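/**
 * Builds the {@link SAMLConfiguration} used by NiFi's SAML login flow from {@link NiFiProperties}.
 *
 * <p>The factory validates the SAML-related properties, bootstraps OpenSAML (JVM-global state),
 * loads the NiFi keystore/truststore into a Spring SAML {@link KeyManager} (the single private key in
 * the keystore becomes the SP signing key), wires an IDP metadata provider (file, http or https) and
 * assembles the WebSSO / ECP / HoK / Single-Logout profiles around a shared {@link SAMLProcessor}.
 *
 * <p>Security-relevant caveats a deployer should be aware of:
 * <ul>
 *   <li>IDP metadata may be loaded over plaintext {@code http://}; because unsigned metadata is accepted
 *       (see {@link #createMetadataManager}), the transport is then the only integrity control on the
 *       IDP signing certificates. A WARN is logged in that case.</li>
 *   <li>Enabling SAML message logging writes complete SAML messages (assertions, attributes) to the log.</li>
 *   <li>{@link #configureCustomTLSSocketFactory} and {@link SAMLBootstrap} mutate process-wide state.</li>
 * </ul>
 */
public class StandardSAMLConfigurationFactory implements SAMLConfigurationFactory {
    private static final Logger LOGGER = LoggerFactory.getLogger(StandardSAMLConfigurationFactory.class);

    private static final String CONNECT_TIMEOUT_PROPERTY = "nifi.security.user.saml.http.client.connect.timeout";
    private static final String READ_TIMEOUT_PROPERTY = "nifi.security.user.saml.http.client.read.timeout";
    private static final String DEFAULT_HTTP_CLIENT_TIMEOUT = "30 secs";

    private static final String FILE_SCHEME_PREFIX = "file://";
    private static final String HTTP_SCHEME_PREFIX = "http://";
    private static final String HTTPS_SCHEME_PREFIX = "https://";

    /**
     * Creates the SAML configuration from the given properties.
     *
     * @param niFiProperties the NiFi properties to read the SAML, keystore and truststore settings from
     * @return the fully wired SAML configuration
     * @throws RuntimeException if a required property is missing or invalid, or if another login
     *         mechanism (Login Identity Provider, OpenId Connect, KnoxSSO) is configured alongside SAML
     * @throws Exception if bootstrapping OpenSAML, loading the keystores, or initializing the metadata
     *         provider or profiles fails; the original exception (and its cause) is propagated unchanged
     */
    @Override // org.apache.nifi.web.security.saml.SAMLConfigurationFactory
    public SAMLConfiguration create(NiFiProperties niFiProperties) throws Exception {
        if (niFiProperties.isOidcEnabled() || niFiProperties.isKnoxSsoEnabled() || niFiProperties.isLoginIdentityProviderEnabled()) {
            throw new RuntimeException("SAML cannot be enabled if the Login Identity Provider or OpenId Connect or KnoxSSO is configured.");
        }
        LOGGER.info("Initializing SAML configuration...");

        final String spEntityId = niFiProperties.getSamlServiceProviderEntityId();
        if (StringUtils.isBlank(spEntityId)) {
            throw new RuntimeException("Entity ID is required when configuring SAML");
        }
        LOGGER.info("Service Provider Entity ID = '{}'", spEntityId);

        final URI idpMetadataLocation = parseIdpMetadataUrl(niFiProperties.getSamlIdentityProviderMetadataUrl());
        LOGGER.info("Identity Provider Metadata Location = '{}'", idpMetadataLocation);

        final String authExpirationValue = niFiProperties.getSamlAuthenticationExpiration();
        LOGGER.info("Authentication Expiration = '{}'", authExpirationValue);
        final long authExpirationMillis = parseAuthenticationExpiration(authExpirationValue);

        final String identityAttributeName = niFiProperties.getSamlIdentityAttributeName();
        if (!StringUtils.isBlank(identityAttributeName)) {
            LOGGER.info("Identity Attribute Name = '{}'", identityAttributeName);
        }
        final String groupAttributeName = niFiProperties.getSamlGroupAttributeName();
        if (!StringUtils.isBlank(groupAttributeName)) {
            LOGGER.info("Group Attribute Name = '{}'", groupAttributeName);
        }

        final TruststoreStrategy truststoreStrategy = parseTruststoreStrategy(niFiProperties.getSamlHttpClientTruststoreStrategy());
        LOGGER.info("HttpClient Truststore Strategy = `{}`", truststoreStrategy.name());

        final int connectTimeoutMillis = parseTimeoutMillis(CONNECT_TIMEOUT_PROPERTY, niFiProperties.getSamlHttpClientConnectTimeout());
        final int readTimeoutMillis = parseTimeoutMillis(READ_TIMEOUT_PROPERTY, niFiProperties.getSamlHttpClientReadTimeout());

        // Initializes OpenSAML's global configuration; this is JVM-wide state, not scoped to this factory.
        new SAMLBootstrap().postProcessBeanFactory((ConfigurableListableBeanFactory) null);

        final ParserPool parserPool = createParserPool();
        final VelocityEngine velocityEngine = VelocityFactory.getEngine();
        final TlsConfiguration tlsConfiguration = StandardTlsConfiguration.fromNiFiProperties(niFiProperties);
        final KeyManager keyManager = createKeyManager(tlsConfiguration);
        final HttpClient httpClient = createHttpClient(connectTimeoutMillis, readTimeoutMillis);
        if (truststoreStrategy == TruststoreStrategy.NIFI) {
            // Outbound HTTPS (metadata fetch, artifact resolution) then trusts NiFi's truststore rather than the JDK's.
            configureCustomTLSSocketFactory(tlsConfiguration);
        }

        final boolean signMetadata = niFiProperties.isSamlMetadataSigningEnabled();
        final String signatureAlgorithm = niFiProperties.getSamlSignatureAlgorithm();
        configureGlobalSecurityDefaults(keyManager, signatureAlgorithm, niFiProperties.getSamlSignatureDigestAlgorithm());

        final ExtendedMetadata extendedMetadata = createExtendedMetadata(signatureAlgorithm, signMetadata);
        // Daemon timer so the metadata refresh task does not keep the JVM alive on shutdown.
        final Timer backgroundTaskTimer = new Timer(true);
        final MetadataProvider idpMetadataProvider = createIdpMetadataProvider(idpMetadataLocation, httpClient, backgroundTaskTimer, parserPool);
        final MetadataManager metadataManager = createMetadataManager(idpMetadataProvider, extendedMetadata, keyManager);
        final SAMLProcessor processor = createSAMLProcessor(parserPool, velocityEngine, httpClient);

        return new StandardSAMLConfiguration.Builder()
                .spEntityId(spEntityId)
                .processor(processor)
                .contextProvider(createContextProvider(metadataManager, keyManager))
                .logger(createSAMLLogger(niFiProperties))
                .webSSOProfileOptions(createWebSSOProfileOptions())
                .webSSOProfile(createWebSSOProfile(metadataManager, processor))
                .webSSOProfileECP(createWebSSOProfileECP(metadataManager, processor))
                .webSSOProfileHoK(createWebSSOProfileHok(metadataManager, processor))
                .webSSOProfileConsumer(createWebSSOProfileConsumer(metadataManager, processor))
                .webSSOProfileHoKConsumer(createWebSSOProfileHokConsumer(metadataManager, processor))
                .singleLogoutProfile(createSingeLogoutProfile(metadataManager, processor))
                .metadataManager(metadataManager)
                .extendedMetadata(extendedMetadata)
                .backgroundTaskTimer(backgroundTaskTimer)
                .keyManager(keyManager)
                .authExpiration(authExpirationMillis)
                .identityAttributeName(identityAttributeName)
                .groupAttributeName(groupAttributeName)
                .requestSigningEnabled(niFiProperties.isSamlRequestSigningEnabled())
                .wantAssertionsSigned(niFiProperties.isSamlWantAssertionsSigned())
                .build();
    }

    /**
     * Validates the IDP metadata URL and converts it to a {@link URI}.
     *
     * <p>Only {@code file://}, {@code http://} and {@code https://} are accepted. Plaintext {@code http://}
     * is still allowed for compatibility, but a WARN is logged: unsigned metadata is accepted by
     * {@link #createMetadataManager}, so without TLS an on-path attacker could substitute the IDP's
     * signing certificate.
     *
     * @param metadataUrl the configured metadata URL
     * @return the parsed URI
     * @throws RuntimeException if the value is blank or has an unsupported scheme
     */
    private static URI parseIdpMetadataUrl(final String metadataUrl) {
        if (StringUtils.isBlank(metadataUrl)) {
            throw new RuntimeException("IDP Metadata URL is required when configuring SAML");
        }
        final boolean supportedScheme = metadataUrl.startsWith(FILE_SCHEME_PREFIX)
                || metadataUrl.startsWith(HTTP_SCHEME_PREFIX)
                || metadataUrl.startsWith(HTTPS_SCHEME_PREFIX);
        if (!supportedScheme) {
            throw new RuntimeException("IDP Metadata URL must start with file://, http://, or https://");
        }
        if (metadataUrl.startsWith(HTTP_SCHEME_PREFIX)) {
            LOGGER.warn("IDP Metadata URL '{}' uses plaintext HTTP; the metadata, including the IDP signing certificates, "
                    + "is not protected in transit and a metadata signature is not required, so it could be tampered with "
                    + "by an on-path attacker. Prefer https:// or file://.", metadataUrl);
        }
        return URI.create(metadataUrl);
    }

    /**
     * Parses the authentication expiration period into milliseconds.
     *
     * @param value the configured duration (e.g. {@code "12 hours"})
     * @return the duration in milliseconds, rounded
     * @throws RuntimeException (with the parse failure as cause) if the value is not a valid time period
     */
    private static long parseAuthenticationExpiration(final String value) {
        try {
            return Math.round(FormatUtils.getPreciseTimeDuration(value, TimeUnit.MILLISECONDS));
        } catch (final IllegalArgumentException e) {
            throw new RuntimeException("Invalid SAML authentication expiration: " + value, e);
        }
    }

    /**
     * Parses the HttpClient truststore strategy.
     *
     * <p>The catch is deliberately scoped to the enum lookup only, so that unrelated failures later in
     * {@link #create} (TLS, keystore, metadata) keep their own message and cause instead of being
     * reported as an invalid truststore strategy.
     *
     * @param value the configured strategy name
     * @return the strategy
     * @throws RuntimeException if the value is blank or not a known strategy
     */
    private static TruststoreStrategy parseTruststoreStrategy(final String value) {
        final String invalidMessage = "Truststore Strategy must be one of " + TruststoreStrategy.NIFI.name() + " or " + TruststoreStrategy.JDK.name();
        if (StringUtils.isBlank(value)) {
            throw new RuntimeException(invalidMessage);
        }
        try {
            return TruststoreStrategy.valueOf(value);
        } catch (final IllegalArgumentException e) {
            throw new RuntimeException(invalidMessage, e);
        }
    }

    /**
     * Parses an HttpClient timeout property, falling back to {@value #DEFAULT_HTTP_CLIENT_TIMEOUT}
     * (with a WARN) when the value cannot be parsed. This is intentionally best-effort: a bad timeout
     * should not prevent SAML from starting.
     *
     * @param propertyName the property name, used only in the warning
     * @param value the configured duration
     * @return the timeout in milliseconds
     */
    private static int parseTimeoutMillis(final String propertyName, final String value) {
        try {
            return (int) FormatUtils.getPreciseTimeDuration(value, TimeUnit.MILLISECONDS);
        } catch (final Exception e) {
            LOGGER.warn("Failed to parse value of property '{}' as a valid time period. Value was '{}'. Ignoring this value and using the default value of '{}'",
                    new Object[]{propertyName, value, DEFAULT_HTTP_CLIENT_TIMEOUT});
            return (int) FormatUtils.getPreciseTimeDuration(DEFAULT_HTTP_CLIENT_TIMEOUT, TimeUnit.MILLISECONDS);
        }
    }

    /**
     * Creates the XML parser pool shared by all bindings and metadata providers.
     *
     * <p>NOTE(review): the pool is used with its default builder features; confirm that this OpenSAML
     * version's defaults disable DTD processing / external entity expansion, since the pool parses
     * IDP-supplied SAML messages and metadata.
     *
     * @return an initialized parser pool
     * @throws XMLParserException if the pool cannot be initialized
     */
    private static ParserPool createParserPool() throws XMLParserException {
        final StaticBasicParserPool pool = new StaticBasicParserPool();
        pool.initialize();
        return pool;
    }

    /**
     * Creates the commons-httpclient client used for metadata retrieval and artifact resolution.
     *
     * @param connectTimeoutMillis connection establishment timeout
     * @param readTimeoutMillis socket read timeout
     * @return the configured client
     */
    private static HttpClient createHttpClient(final int connectTimeoutMillis, final int readTimeoutMillis) {
        final HttpClientParams params = new HttpClientParams();
        params.setParameter("http.connection.timeout", Integer.valueOf(connectTimeoutMillis));
        params.setParameter("http.socket.timeout", Integer.valueOf(readTimeoutMillis));
        return new HttpClient(params);
    }

    /**
     * Registers an {@code https} protocol handler backed by NiFi's keystore/truststore.
     *
     * <p>{@link Protocol#registerProtocol} is process-wide: every commons-httpclient user in this JVM
     * will use this socket factory for {@code https} from now on.
     *
     * @param tlsConfiguration the NiFi TLS configuration
     * @throws TlsException if the SSL socket factory cannot be created
     */
    private static void configureCustomTLSSocketFactory(final TlsConfiguration tlsConfiguration) throws TlsException {
        final CustomTLSProtocolSocketFactory socketFactory =
                new CustomTLSProtocolSocketFactory(SslContextFactory.createSSLSocketFactory(tlsConfiguration));
        final Protocol https = new Protocol("https", socketFactory, 443);
        Protocol.registerProtocol(https.getScheme(), https);
    }

    /**
     * Creates the processor holding every supported SAML binding.
     *
     * <p>Artifact resolution uses its own single-binding processor (SOAP) and the shared HTTP client,
     * so the truststore strategy above also governs artifact resolution calls to the IDP.
     *
     * @param parserPool the shared parser pool
     * @param velocityEngine the template engine for the POST and artifact bindings
     * @param httpClient the client used for artifact resolution
     * @return the processor
     */
    private static SAMLProcessor createSAMLProcessor(final ParserPool parserPool, final VelocityEngine velocityEngine, final HttpClient httpClient) {
        final HTTPSOAP11Binding soapBinding = new HTTPSOAP11Binding(parserPool);
        final HTTPPAOS11Binding paosBinding = new HTTPPAOS11Binding(parserPool);
        final HTTPPostBinding postBinding = new HTTPPostBinding(parserPool, velocityEngine);
        final HTTPRedirectDeflateBinding redirectBinding = new HTTPRedirectDeflateBinding(parserPool);

        final ArtifactResolutionProfileImpl artifactResolutionProfile = new ArtifactResolutionProfileImpl(httpClient);
        artifactResolutionProfile.setProcessor(new SAMLProcessorImpl(soapBinding));
        final HTTPArtifactBinding artifactBinding = new HTTPArtifactBinding(parserPool, velocityEngine, artifactResolutionProfile);

        return new SAMLProcessorImpl(Arrays.asList(redirectBinding, postBinding, artifactBinding, soapBinding, paosBinding));
    }

    /**
     * Creates the context provider with an {@link EmptyStorageFactory}, i.e. no server-side message
     * storage (request/response correlation is handled elsewhere by NiFi).
     *
     * @param metadataManager the metadata manager
     * @param keyManager the key manager
     * @return the initialized context provider
     * @throws ServletException if initialization fails
     */
    private static NiFiSAMLContextProvider createContextProvider(final MetadataManager metadataManager, final KeyManager keyManager) throws ServletException {
        final NiFiSAMLContextProviderImpl contextProvider = new NiFiSAMLContextProviderImpl();
        contextProvider.setMetadata(metadataManager);
        contextProvider.setKeyManager(keyManager);
        contextProvider.setStorageFactory(new EmptyStorageFactory());
        contextProvider.afterPropertiesSet();
        return contextProvider;
    }

    /**
     * Creates the default WebSSO options; scoping is disabled so the AuthnRequest carries no
     * {@code Scoping} element.
     *
     * @return the options
     */
    private static WebSSOProfileOptions createWebSSOProfileOptions() {
        final WebSSOProfileOptions options = new WebSSOProfileOptions();
        options.setIncludeScoping(false);
        return options;
    }

    /** Creates the standard WebSSO (AuthnRequest) profile. */
    private static WebSSOProfile createWebSSOProfile(final MetadataManager metadataManager, final SAMLProcessor sAMLProcessor) throws Exception {
        final WebSSOProfileImpl profile = new WebSSOProfileImpl(sAMLProcessor, metadataManager);
        profile.afterPropertiesSet();
        return profile;
    }

    /** Creates the Enhanced Client or Proxy (ECP) WebSSO profile. */
    private static WebSSOProfile createWebSSOProfileECP(final MetadataManager metadataManager, final SAMLProcessor sAMLProcessor) throws Exception {
        final WebSSOProfileECPImpl profile = new WebSSOProfileECPImpl();
        profile.setProcessor(sAMLProcessor);
        profile.setMetadata(metadataManager);
        profile.afterPropertiesSet();
        return profile;
    }

    /** Creates the Holder-of-Key WebSSO profile. */
    private static WebSSOProfile createWebSSOProfileHok(final MetadataManager metadataManager, final SAMLProcessor sAMLProcessor) throws Exception {
        final WebSSOProfileHoKImpl profile = new WebSSOProfileHoKImpl();
        profile.setProcessor(sAMLProcessor);
        profile.setMetadata(metadataManager);
        profile.afterPropertiesSet();
        return profile;
    }

    /** Creates the consumer that validates incoming SAML Responses for the standard WebSSO profile. */
    private static WebSSOProfileConsumer createWebSSOProfileConsumer(final MetadataManager metadataManager, final SAMLProcessor sAMLProcessor) throws Exception {
        final WebSSOProfileConsumerImpl consumer = new WebSSOProfileConsumerImpl();
        consumer.setProcessor(sAMLProcessor);
        consumer.setMetadata(metadataManager);
        consumer.afterPropertiesSet();
        return consumer;
    }

    /** Creates the consumer that validates incoming SAML Responses for the Holder-of-Key profile. */
    private static WebSSOProfileConsumer createWebSSOProfileHokConsumer(final MetadataManager metadataManager, final SAMLProcessor sAMLProcessor) throws Exception {
        final WebSSOProfileConsumerHoKImpl consumer = new WebSSOProfileConsumerHoKImpl();
        consumer.setProcessor(sAMLProcessor);
        consumer.setMetadata(metadataManager);
        consumer.afterPropertiesSet();
        return consumer;
    }

    /** Creates the Single Logout profile. */
    private static SingleLogoutProfile createSingeLogoutProfile(final MetadataManager metadataManager, final SAMLProcessor sAMLProcessor) throws Exception {
        final SingleLogoutProfileImpl profile = new SingleLogoutProfileImpl();
        profile.setProcessor(sAMLProcessor);
        profile.setMetadata(metadataManager);
        profile.afterPropertiesSet();
        return profile;
    }

    /**
     * Creates the SAML message logger.
     *
     * <p>When message logging is enabled, <em>all</em> SAML messages are logged in full, including
     * assertions and their attributes (user identity, group membership). Treat the log as sensitive
     * when this is turned on.
     *
     * @param niFiProperties the properties holding the logging flag
     * @return the logger
     */
    private static SAMLLogger createSAMLLogger(final NiFiProperties niFiProperties) {
        final boolean logMessages = niFiProperties.isSamlMessageLoggingEnabled();
        final SAMLDefaultLogger samlLogger = new SAMLDefaultLogger();
        samlLogger.setLogAllMessages(logMessages);
        samlLogger.setLogErrors(logMessages);
        samlLogger.setLogMessagesOnException(logMessages);
        return samlLogger;
    }

    /**
     * Loads NiFi's keystore and truststore into a composite {@link KeyManager}.
     *
     * <p>The keystore must contain exactly one private key, which becomes the default (signing)
     * credential; the truststore contributes trusted certificates only. The key password falls back
     * to the keystore password when not configured separately.
     *
     * @param tlsConfiguration the NiFi TLS configuration
     * @return the key manager
     * @throws RuntimeException if a keystore/truststore password is not configured, or the keystore
     *         does not contain exactly one private key
     * @throws TlsException if a store cannot be loaded
     * @throws KeyStoreException if the keystore cannot be inspected
     */
    private static KeyManager createKeyManager(final TlsConfiguration tlsConfiguration) throws TlsException, KeyStoreException {
        final String keystorePath = tlsConfiguration.getKeystorePath();
        final String keystorePassword = tlsConfiguration.getKeystorePassword();
        final String truststorePath = tlsConfiguration.getTruststorePath();
        final String truststorePassword = tlsConfiguration.getTruststorePassword();
        // Fail with a clear message instead of a NullPointerException when the stores are not configured.
        if (keystorePassword == null) {
            throw new RuntimeException("Keystore password is required when configuring SAML");
        }
        if (truststorePassword == null) {
            throw new RuntimeException("Truststore password is required when configuring SAML");
        }

        final KeyStore keyStore = KeyStoreUtils.loadKeyStore(keystorePath, keystorePassword.toCharArray(), tlsConfiguration.getKeystoreType().getType());
        final KeyStore trustStore = KeyStoreUtils.loadTrustStore(truststorePath, truststorePassword.toCharArray(), tlsConfiguration.getTruststoreType().getType());

        final String signingKeyAlias = getPrivateKeyAlias(keyStore, keystorePath);
        LOGGER.info("Default key alias = {}", signingKeyAlias);

        final String keyPassword = StringUtils.isBlank(tlsConfiguration.getKeyPassword())
                ? keystorePassword
                : tlsConfiguration.getKeyPassword();
        final HashMap<String, String> keyPasswords = new HashMap<String, String>();
        if (!StringUtils.isBlank(keyPassword)) {
            keyPasswords.put(signingKeyAlias, keyPassword);
        }

        final JKSKeyManager keystoreManager = new JKSKeyManager(keyStore, keyPasswords, signingKeyAlias);
        final JKSKeyManager truststoreManager = new JKSKeyManager(trustStore, Collections.<String, String>emptyMap(), (String) null);
        return new CompositeKeyManager(keystoreManager, truststoreManager);
    }

    /**
     * Returns the alias of the single private-key entry in the keystore.
     *
     * @param keyStore the loaded keystore
     * @param keystorePath the keystore path, used in error messages only
     * @return the alias of the only key entry
     * @throws RuntimeException if the keystore has zero or more than one private key
     * @throws KeyStoreException if the keystore cannot be inspected
     */
    private static String getPrivateKeyAlias(final KeyStore keyStore, final String keystorePath) throws KeyStoreException {
        final ArrayList<String> keyEntryAliases = new ArrayList<String>();
        for (final String alias : getKeyAliases(keyStore)) {
            if (keyStore.isKeyEntry(alias)) {
                keyEntryAliases.add(alias);
            }
        }
        if (keyEntryAliases.isEmpty()) {
            throw new RuntimeException("Unable to determine signing key, the keystore '" + keystorePath + "' does not contain any private keys");
        }
        if (keyEntryAliases.size() > 1) {
            throw new RuntimeException("Unable to determine signing key, the keystore '" + keystorePath + "' contains more than one private key");
        }
        return keyEntryAliases.get(0);
    }

    /**
     * Collects every alias (key and certificate entries alike) in the keystore.
     *
     * @param keyStore the loaded keystore
     * @return the set of aliases
     * @throws KeyStoreException if the keystore cannot be inspected
     */
    private static Set<String> getKeyAliases(final KeyStore keyStore) throws KeyStoreException {
        final HashSet<String> aliases = new HashSet<String>();
        final Enumeration<String> enumeration = keyStore.aliases();
        while (enumeration.hasMoreElements()) {
            aliases.add(enumeration.nextElement());
        }
        return aliases;
    }

    /**
     * Creates the SP's extended metadata: IDP discovery and ECP enabled, with the configured signing
     * algorithm, and metadata signing on or off per {@code signMetadata}.
     *
     * @param signingAlgorithm the signature algorithm URI (may be blank)
     * @param signMetadata whether the generated SP metadata is signed
     * @return the extended metadata
     */
    private static ExtendedMetadata createExtendedMetadata(final String signingAlgorithm, final boolean signMetadata) {
        final ExtendedMetadata extendedMetadata = new ExtendedMetadata();
        extendedMetadata.setIdpDiscoveryEnabled(true);
        extendedMetadata.setSigningAlgorithm(signingAlgorithm);
        extendedMetadata.setSignMetadata(signMetadata);
        extendedMetadata.setEcpEnabled(true);
        return extendedMetadata;
    }

    /**
     * Selects the metadata provider by scheme: {@code http}/{@code https} are fetched (and refreshed
     * on the timer) through the HTTP client, anything else is read from the filesystem.
     */
    private static MetadataProvider createIdpMetadataProvider(final URI uri, final HttpClient httpClient, final Timer timer, final ParserPool parserPool) throws Exception {
        if (uri.getScheme().startsWith("http")) {
            return createHttpIdpMetadataProvider(uri, httpClient, timer, parserPool);
        }
        return createFileIdpMetadataProvider(uri, parserPool);
    }

    /** Creates a metadata provider reading IDP metadata from a local file. */
    private static MetadataProvider createFileIdpMetadataProvider(final URI uri, final ParserPool parserPool) throws MetadataProviderException {
        final File metadataFile = new File(uri.getPath());
        LOGGER.info("Loading IDP metadata from file located at: " + metadataFile.getAbsolutePath());
        final FilesystemMetadataProvider provider = new FilesystemMetadataProvider(metadataFile);
        provider.setParserPool(parserPool);
        provider.initialize();
        return provider;
    }

    /** Creates a metadata provider fetching IDP metadata over HTTP(S) with periodic refresh on {@code timer}. */
    private static MetadataProvider createHttpIdpMetadataProvider(final URI uri, final HttpClient httpClient, final Timer timer, final ParserPool parserPool) throws Exception {
        final HTTPMetadataProvider provider = new HTTPMetadataProvider(timer, httpClient, uri.toString());
        provider.setParserPool(parserPool);
        provider.initialize();
        return provider;
    }

    /**
     * Wraps the IDP metadata provider in a caching manager.
     *
     * <p>Trust model: {@code metadataTrustCheck=true} means a signature on the metadata, when present,
     * is verified against the key manager's trusted certificates; {@code metadataRequireSignature=false}
     * means unsigned metadata is accepted as-is. For unsigned metadata the integrity of the IDP signing
     * certificates therefore rests entirely on how the metadata was obtained (TLS or local file).
     *
     * @param metadataProvider the IDP metadata provider
     * @param extendedMetadata the SP extended metadata
     * @param keyManager the key manager supplying trust anchors for signed metadata
     * @return the initialized metadata manager
     * @throws MetadataProviderException if initialization fails
     */
    private static MetadataManager createMetadataManager(final MetadataProvider metadataProvider, final ExtendedMetadata extendedMetadata, final KeyManager keyManager) throws MetadataProviderException {
        final ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(metadataProvider, extendedMetadata);
        delegate.setMetadataTrustCheck(true);
        delegate.setMetadataRequireSignature(false);
        final CachingMetadataManager metadataManager = new CachingMetadataManager(Arrays.asList((MetadataProvider) delegate));
        metadataManager.setKeyManager(keyManager);
        metadataManager.afterPropertiesSet();
        return metadataManager;
    }

    /**
     * Applies the configured signature and digest algorithms to OpenSAML's global security configuration.
     *
     * <p>The signature algorithm is only registered if it is compatible with the SP signing key: the
     * check is a substring match of the key's algorithm name (e.g. {@code rsa}) against the algorithm
     * URI, which is a heuristic rather than a strict mapping. This mutates JVM-global OpenSAML state.
     *
     * @param keyManager supplies the default (signing) credential
     * @param signatureAlgorithm the signature algorithm URI, ignored if blank
     * @param digestAlgorithm the signature reference digest method URI, ignored if blank
     * @throws IllegalStateException if the signing key's algorithm does not match the signature algorithm
     */
    private static void configureGlobalSecurityDefaults(final KeyManager keyManager, final String signatureAlgorithm, final String digestAlgorithm) {
        final BasicSecurityConfiguration securityConfiguration = Configuration.getGlobalSecurityConfiguration();
        if (!StringUtils.isBlank(signatureAlgorithm)) {
            final String keyAlgorithm = SecurityHelper.extractSigningKey(keyManager.getDefaultCredential()).getAlgorithm();
            if (!signatureAlgorithm.contains(keyAlgorithm.toLowerCase())) {
                throw new IllegalStateException("Key algorithm '" + keyAlgorithm + "' cannot be used to create signatures of type '" + signatureAlgorithm + "'");
            }
            securityConfiguration.registerSignatureAlgorithmURI(keyAlgorithm, signatureAlgorithm);
        }
        if (!StringUtils.isBlank(digestAlgorithm)) {
            securityConfiguration.setSignatureReferenceDigestMethod(digestAlgorithm);
        }
    }
}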
