package org.apache.nifi.web.security;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.authorization.user.NiFiUser;
import org.apache.nifi.authorization.user.NiFiUserUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.AuthenticationException;

/* loaded from: input_file:org/apache/nifi/web/security/ProxiedEntitiesUtils.class */
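/**
 * Builds and parses the {@code X-ProxiedEntities*} HTTP headers that carry a chain of
 * proxied identities (and their groups) between a proxy and this application.
 *
 * <p>Wire format: every identity is wrapped in angle brackets and the wrapped identities are
 * concatenated without a separator, e.g. {@code <CN=user><CN=proxy>}. The anonymous identity is
 * the empty string and therefore appears as {@code <>}. Angle brackets inside an identity are
 * escaped with a backslash; an identity that contains non-ASCII characters is Base64 encoded
 * (UTF-8) and wrapped in a second pair of angle brackets.
 *
 * <p>Security note: everything parsed here comes from request headers, i.e. from the caller.
 * Nothing in this class authenticates the sender or checks that it is allowed to proxy for
 * others, so the parsed identities must not be acted on until the caller has established that
 * separately.
 */
public class ProxiedEntitiesUtils {
    private static final Logger logger = LoggerFactory.getLogger(ProxiedEntitiesUtils.class);
    public static final String PROXY_ENTITIES_CHAIN = "X-ProxiedEntitiesChain";
    public static final String PROXY_ENTITIES_ACCEPTED = "X-ProxiedEntitiesAccepted";
    public static final String PROXY_ENTITIES_DETAILS = "X-ProxiedEntitiesDetails";
    public static final String PROXY_ENTITY_GROUPS = "X-ProxiedEntityGroups";
    public static final String PROXY_ENTITY_GROUPS_EMPTY = "<>";
    private static final String GT = ">";
    // Used both as a regex (matches a backslash followed by '>') and as a regex replacement
    // (emits a backslash followed by '>'); the doubled escaping serves both roles.
    private static final String ESCAPED_GT = "\\\\>";
    private static final String LT = "<";
    private static final String ESCAPED_LT = "\\\\<";
    private static final String ANONYMOUS_CHAIN = "<>";
    private static final String ANONYMOUS_IDENTITY = "";

    /**
     * Formats the given identities as a proxied entities chain.
     *
     * @param strArr identities, in chain order
     * @return the formatted chain
     */
    public static String getProxiedEntitiesChain(String... strArr) {
        return getProxiedEntitiesChain(Arrays.asList(strArr));
    }

    /**
     * Formats the given identities as a proxied entities chain.
     *
     * <p>Formatting is delegated to the registry variant of this utility class rather than to
     * {@link #formatProxyDn(String)} of this class.
     *
     * @param list identities, in chain order; may be {@code null}
     * @return the formatted chain, or {@code null} when {@code list} is {@code null}
     */
    public static String getProxiedEntitiesChain(List<String> list) {
        if (list == null) {
            return null;
        }
        final List<String> formatted = list.stream()
                .map(org.apache.nifi.registry.security.util.ProxiedEntitiesUtils::formatProxyDn)
                .collect(Collectors.toList());
        return StringUtils.join(formatted, ANONYMOUS_IDENTITY);
    }

    /**
     * Splits a proxied entities chain into its individual identities.
     *
     * <p>The input is a request header value and must be treated as untrusted. Only the outer
     * angle brackets are validated here; the content of each token is not checked against any
     * identity syntax.
     *
     * @param str raw chain, e.g. {@code <CN=user><CN=proxy>}; may be {@code null} or empty
     * @return a mutable list of identities in chain order; empty when {@code str} is empty, and
     *         a single empty string for the anonymous chain {@code <>}
     * @throws IllegalArgumentException if the chain is not wrapped in angle brackets, or if a
     *         token that is itself wrapped in angle brackets is not valid Base64
     */
    public static List<String> tokenizeProxiedEntitiesChain(String str) {
        final List<String> identities = new ArrayList<>();
        if (StringUtils.isEmpty(str)) {
            return identities;
        }
        if (!isValidChainFormat(str)) {
            throw new IllegalArgumentException("Proxy chain format is not recognized and can not safely be converted to a list.");
        }
        if (str.equals(ANONYMOUS_CHAIN)) {
            identities.add(ANONYMOUS_IDENTITY);
            return identities;
        }
        // Drop the outermost '<' and '>' so that the remaining text splits cleanly on "><".
        final String inner = str.substring(1, str.length() - 1);
        for (final String token : StringUtils.splitByWholeSeparatorPreserveAllTokens(inner, "><")) {
            identities.add(unsanitizeDn(token));
        }
        return identities;
    }

    /**
     * Splits a proxied entity groups header into a set of group names, dropping blank entries.
     *
     * @param str raw header value in the same format as a proxied entities chain
     * @return the group names; empty when the header is empty or holds only blank entries
     * @throws IllegalArgumentException under the same conditions as
     *         {@link #tokenizeProxiedEntitiesChain(String)}
     */
    public static Set<String> tokenizeProxiedEntityGroups(String str) {
        final List<String> groups = tokenizeProxiedEntitiesChain(str);
        if (groups.isEmpty()) {
            return Collections.emptySet();
        }
        return groups.stream().filter(StringUtils::isNotBlank).collect(Collectors.toSet());
    }

    /**
     * Builds the chain string for the given user from the chain returned by
     * {@code NiFiUserUtils.buildProxiedEntitiesChain}.
     *
     * @param niFiUser the user whose chain is formatted
     * @return the formatted chain, or {@code <>} when the chain is empty
     */
    public static String buildProxiedEntitiesChainString(NiFiUser niFiUser) {
        final List<String> chain = NiFiUserUtils.buildProxiedEntitiesChain(niFiUser);
        if (chain.isEmpty()) {
            return ANONYMOUS_CHAIN;
        }
        final List<String> formatted = chain.stream()
                .map(ProxiedEntitiesUtils::formatProxyDn)
                .collect(Collectors.toList());
        return StringUtils.join(formatted, ANONYMOUS_IDENTITY);
    }

    /**
     * Formats a set of group names in the same bracketed format as an identity chain.
     *
     * @param set group names; may be {@code null}
     * @return the formatted groups, or {@code <>} when {@code set} is {@code null} or empty
     */
    public static String buildProxiedEntityGroupsString(Set<String> set) {
        if (set == null || set.isEmpty()) {
            return PROXY_ENTITY_GROUPS_EMPTY;
        }
        final List<String> formatted = set.stream()
                .map(ProxiedEntitiesUtils::formatProxyDn)
                .collect(Collectors.toList());
        return StringUtils.join(formatted, ANONYMOUS_IDENTITY);
    }

    /**
     * Marks the response as accepted when the request carried a proxied entities chain.
     *
     * @param httpServletRequest the authenticated request
     * @param httpServletResponse the response that receives the accepted header
     */
    public static void successfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (StringUtils.isNotBlank(httpServletRequest.getHeader(PROXY_ENTITIES_CHAIN))) {
            httpServletResponse.setHeader(PROXY_ENTITIES_ACCEPTED, Boolean.TRUE.toString());
        }
    }

    /**
     * Reports the failure reason in a response header when the request carried a proxied
     * entities chain.
     *
     * <p>NOTE(review): the exception message is returned verbatim to the caller. It should not
     * contain internal detail, and if it can embed request-supplied text (for example an
     * identity taken from the chain header) the handling of CR/LF in header values is left to
     * the servlet container - confirm for the deployed container.
     *
     * @param httpServletRequest the rejected request
     * @param httpServletResponse the response that receives the details header
     * @param authenticationException the failure whose message is reported
     */
    public static void unsuccessfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) {
        if (StringUtils.isNotBlank(httpServletRequest.getHeader(PROXY_ENTITIES_CHAIN))) {
            httpServletResponse.setHeader(PROXY_ENTITIES_DETAILS, authenticationException.getMessage());
        }
    }

    /**
     * Wraps a single identity in angle brackets after sanitizing it.
     *
     * <p>A {@code null} identity is not mapped to the anonymous chain: string concatenation
     * renders it as the literal {@code <null>}, which tokenizes back to the identity
     * {@code "null"}. Callers that mean "anonymous" must pass the empty string.
     *
     * @param str the identity to format
     * @return the identity wrapped in angle brackets
     */
    public static String formatProxyDn(String str) {
        return LT + sanitizeDn(str) + GT;
    }

    /**
     * Escapes angle brackets in an identity and Base64 encodes it when it is not pure ASCII.
     *
     * <p>Escaping keeps an identity from closing its own bracket pair and introducing an extra
     * chain entry. The identity is logged as given; whether control characters in it are
     * neutralized depends on the logging layout.
     */
    private static String sanitizeDn(String str) {
        if (StringUtils.isEmpty(str)) {
            return str;
        }
        final String escaped = str.replaceAll(GT, ESCAPED_GT).replaceAll(LT, ESCAPED_LT);
        if (!escaped.equals(str)) {
            logger.warn("The provided DN [{}] contained dangerous characters that were escaped to [{}]", str, escaped);
        }
        if (isPureAscii(escaped)) {
            return escaped;
        }
        final String encoded = base64Encode(escaped);
        logger.debug("The provided DN [{}] contained non-ASCII characters and was encoded as [{}]", str, encoded);
        return encoded;
    }

    /**
     * Reverses {@link #sanitizeDn(String)}: Base64 decodes a token that is wrapped in angle
     * brackets, then removes the backslash escapes in front of angle brackets.
     *
     * <p>The token originates from a request header and is logged as received; whether control
     * characters in it are neutralized depends on the logging layout.
     *
     * @throws IllegalArgumentException if a bracket-wrapped token is not valid Base64
     */
    private static String unsanitizeDn(String str) {
        if (StringUtils.isEmpty(str)) {
            return str;
        }
        final String decoded;
        if (isBase64Encoded(str)) {
            decoded = base64Decode(str);
            logger.debug("The provided DN [{}] had been encoded, and was reconstituted to the original DN [{}]", str, decoded);
        } else {
            decoded = str;
        }
        final String unescaped = decoded.replaceAll(ESCAPED_GT, GT).replaceAll(ESCAPED_LT, LT);
        if (!unescaped.equals(decoded)) {
            logger.warn("The provided DN [{}] had been escaped, and was reconstituted to the dangerous DN [{}]", str, unescaped);
        }
        return unescaped;
    }

    /** Base64 encodes the UTF-8 bytes of the value and wraps the result in angle brackets. */
    private static String base64Encode(String str) {
        final byte[] utf8 = str.getBytes(StandardCharsets.UTF_8);
        return LT + Base64.getEncoder().encodeToString(utf8) + GT;
    }

    /**
     * Strips the first and last character and Base64 decodes the remainder as UTF-8.
     *
     * @throws IllegalArgumentException if the remainder is not valid Base64
     */
    private static String base64Decode(String str) {
        final String payload = str.substring(1, str.length() - 1);
        return new String(Base64.getDecoder().decode(payload), StandardCharsets.UTF_8);
    }

    /** A chain is accepted as well-formed when it starts with '<' and ends with '>'. */
    private static boolean isValidChainFormat(String str) {
        return isWrappedInAngleBrackets(str);
    }

    /**
     * Heuristic only: a token counts as Base64 encoded when it is wrapped in angle brackets.
     * The payload is not inspected here, so an invalid payload surfaces later as an
     * {@link IllegalArgumentException} from {@link #base64Decode(String)}.
     */
    private static boolean isBase64Encoded(String str) {
        return isWrappedInAngleBrackets(str);
    }

    private static boolean isWrappedInAngleBrackets(String str) {
        return str.startsWith(LT) && str.endsWith(GT);
    }

    private static boolean isPureAscii(String str) {
        return StandardCharsets.US_ASCII.newEncoder().canEncode(str);
    }
}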
