package org.apache.nifi.web.security.x509;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.ListIterator;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.authentication.AuthenticationResponse;
import org.apache.nifi.authorization.AuthorizationRequest;
import org.apache.nifi.authorization.AuthorizationResult;
import org.apache.nifi.authorization.Authorizer;
import org.apache.nifi.authorization.RequestAction;
import org.apache.nifi.authorization.UserContextKeys;
import org.apache.nifi.authorization.resource.ResourceFactory;
import org.apache.nifi.authorization.user.NiFiUser;
import org.apache.nifi.authorization.user.NiFiUserDetails;
import org.apache.nifi.authorization.user.StandardNiFiUser;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.InvalidAuthenticationException;
import org.apache.nifi.web.security.NiFiAuthenticationProvider;
import org.apache.nifi.web.security.ProxiedEntitiesUtils;
import org.apache.nifi.web.security.UntrustedProxyException;
import org.apache.nifi.web.security.token.NiFiAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/* loaded from: input_file:org/apache/nifi/web/security/x509/X509AuthenticationProvider.class */
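/**
 * Authenticates requests that present an X.509 client certificate, optionally on behalf of a
 * chain of proxied identities.
 *
 * <p>Only the identity returned by the {@link X509IdentityProvider} is backed by the presented
 * certificates. Every other identity comes from the proxied-entities chain carried on the request
 * token and is accepted only because each identity standing in front of it passes the proxy
 * authorization check in {@link #authenticate(Authentication)}.
 */
public class X509AuthenticationProvider extends NiFiAuthenticationProvider {
    // Assigned once in the constructor and never reassigned.
    private final X509IdentityProvider certificateIdentityProvider;
    private final Authorizer authorizer;

    /**
     * @param x509IdentityProvider resolves the presented certificates to an identity
     * @param authorizer decides whether an identity may act as a proxy
     * @param niFiProperties passed through to the superclass
     */
    public X509AuthenticationProvider(X509IdentityProvider x509IdentityProvider, Authorizer authorizer, NiFiProperties niFiProperties) {
        super(niFiProperties);
        this.certificateIdentityProvider = x509IdentityProvider;
        this.authorizer = authorizer;
    }

    /**
     * Builds the authenticated user for an X.509 request.
     *
     * <p>Without a proxied-entities chain, the user is the mapped certificate identity together
     * with the client address. With a chain, the certificate identity is appended to the tokenized
     * chain and the list is walked from last to first. Every identity except the first entry must
     * be {@code Approved} for {@link RequestAction#WRITE} on the proxy resource; the first entry
     * is only mapped, never authorized here.
     * NOTE(review): access decisions for that first entry are presumably made by later
     * authorization checks - confirm against the callers.
     *
     * @param authentication the request token; it is cast to {@link X509AuthenticationRequestToken}
     *     without a type check, so callers are expected to consult {@link #supports(Class)} first
     * @return a {@link NiFiAuthenticationToken} wrapping the resolved user and its proxy chain
     * @throws UntrustedProxyException if any proxying identity is not approved
     * @throws InvalidAuthenticationException if an {@link IllegalArgumentException} is raised
     *     while the certificates or the chain are processed
     */
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        final X509AuthenticationRequestToken request = (X509AuthenticationRequestToken) authentication;
        try {
            final AuthenticationResponse certificateResponse = this.certificateIdentityProvider.authenticate(request.getCertificates());

            // Direct access: the certificate holder is the user.
            if (StringUtils.isBlank(request.getProxiedEntitiesChain())) {
                final String directIdentity = mapIdentity(certificateResponse.getIdentity());
                return new NiFiAuthenticationToken(new NiFiUserDetails(new StandardNiFiUser(directIdentity, request.getClientAddress())));
            }

            // Claimed chain first, certificate-backed identity last.
            final ArrayList<String> chain = new ArrayList<String>(ProxiedEntitiesUtils.tokenizeProxiedEntitiesChain(request.getProxiedEntitiesChain()));
            chain.add(certificateResponse.getIdentity());

            NiFiUser proxy = null;
            final ListIterator<String> cursor = chain.listIterator(chain.size());
            while (cursor.hasPrevious()) {
                final String identity = mapIdentity(cursor.previous());

                // Anything that still has an entry before it is acting as a proxy for that entry.
                if (cursor.hasPrevious()) {
                    final AuthorizationRequest proxyRequest = new AuthorizationRequest.Builder()
                            .identity(identity)
                            .anonymous(false)
                            .accessAttempt(true)
                            .action(RequestAction.WRITE)
                            .resource(ResourceFactory.getProxyResource())
                            // Only the identity processed first (the certificate holder) gets a user context.
                            .userContext(proxy == null ? getUserContext(request) : null)
                            .build();
                    final AuthorizationResult proxyResult = this.authorizer.authorize(proxyRequest);
                    if (!AuthorizationResult.Result.Approved.equals(proxyResult.getResult())) {
                        throw new UntrustedProxyException(String.format("Untrusted proxy %s", identity));
                    }
                }

                // The client address is recorded only on the identity processed first; every
                // later identity is created with a null address.
                proxy = new StandardNiFiUser(identity, proxy, proxy == null ? request.getClientAddress() : null);
            }
            return new NiFiAuthenticationToken(new NiFiUserDetails(proxy));
        } catch (IllegalArgumentException e) {
            throw new InvalidAuthenticationException(e.getMessage(), e);
        }
    }

    /**
     * Builds the user context passed to the authorizer.
     *
     * @return a map holding the client address under {@code CLIENT_ADDRESS}, or {@code null} when
     *     the request carries no client address
     */
    private Map<String, String> getUserContext(X509AuthenticationRequestToken x509AuthenticationRequestToken) {
        if (StringUtils.isBlank(x509AuthenticationRequestToken.getClientAddress())) {
            return null;
        }
        final Map<String, String> context = new HashMap<String, String>();
        context.put(UserContextKeys.CLIENT_ADDRESS.name(), x509AuthenticationRequestToken.getClientAddress());
        return context;
    }

    /**
     * @return {@code true} when {@code cls} is {@link X509AuthenticationRequestToken} or a subtype
     */
    public boolean supports(Class<?> cls) {
        return X509AuthenticationRequestToken.class.isAssignableFrom(cls);
    }
}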
