package org.apache.nifi.web;

import java.util.Arrays;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.anonymous.NiFiAnonymousUserFilter;
import org.apache.nifi.web.security.jwt.JwtAuthenticationFilter;
import org.apache.nifi.web.security.jwt.JwtAuthenticationProvider;
import org.apache.nifi.web.security.knox.KnoxAuthenticationFilter;
import org.apache.nifi.web.security.knox.KnoxAuthenticationProvider;
import org.apache.nifi.web.security.otp.OtpAuthenticationFilter;
import org.apache.nifi.web.security.otp.OtpAuthenticationProvider;
import org.apache.nifi.web.security.x509.X509AuthenticationFilter;
import org.apache.nifi.web.security.x509.X509AuthenticationProvider;
import org.apache.nifi.web.security.x509.X509CertificateExtractor;
import org.apache.nifi.web.security.x509.X509IdentityProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

/**
 * Spring Security configuration for the NiFi web API.
 *
 * <p>Registers four authentication mechanisms (X.509 client certificate, JWT, one-time password
 * and Knox) as filters plus matching providers, requires full authentication for every request
 * that is not excluded in {@link #configure(WebSecurity)}, keeps the chain stateless, and turns
 * on {@code @PreAuthorize}/{@code @PostAuthorize} method security via
 * {@code prePostEnabled = true}.
 *
 * <p>Review notes for anyone changing this class:
 * <ul>
 *   <li>The constructor disables Spring Security's default configurers, so only what
 *       {@link #configure(HttpSecurity)} adds explicitly is active on this chain.</li>
 *   <li>Paths listed in {@link #configure(WebSecurity)} skip the security filter chain
 *       completely; the endpoints behind them have to validate their own input.</li>
 *   <li>All collaborators arrive through {@code @Autowired} setters; nothing in this class
 *       checks them for {@code null} before use.</li>
 * </ul>
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
// Decompiler provenance: loaded from input_file:WEB-INF/classes/org/apache/nifi/web/NiFiWebApiSecurityConfiguration.class
public class NiFiWebApiSecurityConfiguration extends WebSecurityConfigurerAdapter {
    // Not referenced anywhere else in this class as shown.
    private static final Logger logger = LoggerFactory.getLogger(NiFiWebApiSecurityConfiguration.class);

    // Injected configuration, handed to every authentication filter built below.
    private NiFiProperties properties;

    // X.509 client-certificate authentication.
    private X509AuthenticationFilter x509AuthenticationFilter;
    private X509AuthenticationProvider x509AuthenticationProvider;
    private X509CertificateExtractor certificateExtractor;
    private X509PrincipalExtractor principalExtractor;
    // Stored by its setter but never read in this class.
    private X509IdentityProvider certificateIdentityProvider;

    // JWT bearer-token authentication.
    private JwtAuthenticationFilter jwtAuthenticationFilter;
    private JwtAuthenticationProvider jwtAuthenticationProvider;

    // One-time-password authentication.
    private OtpAuthenticationFilter otpAuthenticationFilter;
    private OtpAuthenticationProvider otpAuthenticationProvider;

    // Knox authentication.
    private KnoxAuthenticationFilter knoxAuthenticationFilter;
    private KnoxAuthenticationProvider knoxAuthenticationProvider;

    // Replacement for Spring's stock anonymous filter.
    private NiFiAnonymousUserFilter anonymousAuthenticationFilter;

    /**
     * Creates the configuration with Spring Security's defaults disabled.
     *
     * <p>{@code super(true)} is the {@code disableDefaults} flag of
     * {@link WebSecurityConfigurerAdapter}: the configurers Spring would otherwise apply on its
     * own (CSRF protection, security response headers, logout, exception handling and so on) are
     * not added. Anything of that kind must be configured explicitly or provided elsewhere.
     * NOTE(review): if any of the filters accepts a credential the browser sends automatically
     * (for example a cookie), confirm that cross-site request forgery is handled outside this
     * class.
     */
    public NiFiWebApiSecurityConfiguration() {
        super(true);
    }

    /**
     * Excludes the access/login endpoints from the security filter chain.
     *
     * <p>Requests matching these patterns are ignored by Spring Security altogether: none of the
     * authentication filters registered in {@link #configure(HttpSecurity)} run for them, so the
     * handlers behind these paths are reachable without credentials and must do their own
     * validation. Keep the list as narrow as possible; each entry is an exact path, not a prefix.
     * Presumably the patterns are relative to the web API's servlet mapping; verify against the
     * deployment descriptor.
     *
     * @param webSecurity builder for the global web security settings
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    public void configure(WebSecurity webSecurity) throws Exception {
        webSecurity.ignoring().antMatchers(
                "/access",
                "/access/config",
                "/access/token",
                "/access/kerberos",
                "/access/oidc/exchange",
                "/access/oidc/callback",
                "/access/oidc/request",
                "/access/knox/callback",
                "/access/knox/request");
    }

    /**
     * Builds the HTTP security chain for every request that is not ignored.
     *
     * <p>The chain enables CORS handling (using {@link #corsConfigurationSource()}), disables
     * remember-me, requires {@code fullyAuthenticated()} for any request and never creates an
     * HTTP session. The X.509, JWT, OTP and Knox filters are then registered, in that sequence,
     * ahead of {@link AnonymousAuthenticationFilter}, and the anonymous filter itself is replaced
     * by {@link NiFiAnonymousUserFilter}.
     *
     * <p>{@code fullyAuthenticated()} refuses anonymous and remember-me authentications, so what
     * an unauthenticated caller can reach depends on the authentication object that
     * {@code NiFiAnonymousUserFilter} produces, which is not visible in this class.
     *
     * @param httpSecurity builder for the filter chain
     * @throws Exception if a filter bean cannot be created or the builder rejects a setting
     */
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .cors().and()
                .rememberMe().disable()
                .authorizeRequests()
                    .anyRequest().fullyAuthenticated()
                    .and()
                .sessionManagement()
                    // Stateless: every request has to carry its own credential.
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // The bean methods are called (rather than the fields read) so that the lazily created
        // filter instances exist before they are placed in the chain.
        final Class<AnonymousAuthenticationFilter> anchor = AnonymousAuthenticationFilter.class;
        httpSecurity.addFilterBefore(x509FilterBean(), anchor);
        httpSecurity.addFilterBefore(jwtFilterBean(), anchor);
        httpSecurity.addFilterBefore(otpFilterBean(), anchor);
        httpSecurity.addFilterBefore(knoxFilterBean(), anchor);

        httpSecurity.anonymous().authenticationFilter(anonymousFilterBean());
    }

    /**
     * Supplies the CORS policy used by the {@code cors()} configurer.
     *
     * <p>A policy is registered for the template-upload path only, and it lists {@code HEAD} and
     * {@code GET} as allowed methods without naming any allowed origin. With Spring's
     * {@code CorsConfiguration} an unset origin list matches no origin, so cross-origin requests
     * to that path should be rejected; this looks like a deliberate guard against cross-site
     * posts to the upload endpoint. NOTE(review): confirm that intent before adding origins or
     * methods here. Paths without a registered policy get no CORS processing from this source.
     *
     * @return the URL-based CORS configuration source
     */
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        final CorsConfiguration uploadPolicy = new CorsConfiguration();
        uploadPolicy.setAllowedMethods(Arrays.asList("HEAD", "GET"));

        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/process-groups/*/templates/upload", uploadPolicy);
        return source;
    }

    /**
     * Exposes the {@link AuthenticationManager} built by this adapter as a Spring bean.
     *
     * @return the authentication manager from the parent adapter
     * @throws Exception if the parent cannot build the manager
     */
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Registers the authentication providers in the order X.509, JWT, OTP, Knox.
     *
     * <p>The provider fields are passed as injected; a provider that was never injected would be
     * handed over as {@code null}.
     *
     * @param authenticationManagerBuilder builder that collects the providers
     * @throws Exception if the builder rejects a provider
     */
    @Override
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder
                .authenticationProvider(x509AuthenticationProvider)
                .authenticationProvider(jwtAuthenticationProvider)
                .authenticationProvider(otpAuthenticationProvider)
                .authenticationProvider(knoxAuthenticationProvider);
    }

    /**
     * Returns the JWT authentication filter, creating and configuring it on first use.
     *
     * @return the shared JWT filter instance
     * @throws Exception if the authentication manager cannot be obtained
     */
    @Bean
    public JwtAuthenticationFilter jwtFilterBean() throws Exception {
        if (jwtAuthenticationFilter != null) {
            return jwtAuthenticationFilter;
        }
        // The field is assigned before the instance is configured, as in the original.
        jwtAuthenticationFilter = new JwtAuthenticationFilter();
        jwtAuthenticationFilter.setProperties(properties);
        jwtAuthenticationFilter.setAuthenticationManager(authenticationManager());
        return jwtAuthenticationFilter;
    }

    /**
     * Returns the one-time-password authentication filter, creating and configuring it on first
     * use.
     *
     * @return the shared OTP filter instance
     * @throws Exception if the authentication manager cannot be obtained
     */
    @Bean
    public OtpAuthenticationFilter otpFilterBean() throws Exception {
        if (otpAuthenticationFilter != null) {
            return otpAuthenticationFilter;
        }
        // The field is assigned before the instance is configured, as in the original.
        otpAuthenticationFilter = new OtpAuthenticationFilter();
        otpAuthenticationFilter.setProperties(properties);
        otpAuthenticationFilter.setAuthenticationManager(authenticationManager());
        return otpAuthenticationFilter;
    }

    /**
     * Returns the Knox authentication filter, creating and configuring it on first use.
     *
     * @return the shared Knox filter instance
     * @throws Exception if the authentication manager cannot be obtained
     */
    @Bean
    public KnoxAuthenticationFilter knoxFilterBean() throws Exception {
        if (knoxAuthenticationFilter != null) {
            return knoxAuthenticationFilter;
        }
        // The field is assigned before the instance is configured, as in the original.
        knoxAuthenticationFilter = new KnoxAuthenticationFilter();
        knoxAuthenticationFilter.setProperties(properties);
        knoxAuthenticationFilter.setAuthenticationManager(authenticationManager());
        return knoxAuthenticationFilter;
    }

    /**
     * Returns the X.509 authentication filter, creating and configuring it on first use.
     *
     * <p>Besides the properties and the authentication manager, this filter also receives the
     * injected certificate extractor and principal extractor.
     *
     * @return the shared X.509 filter instance
     * @throws Exception if the authentication manager cannot be obtained
     */
    @Bean
    public X509AuthenticationFilter x509FilterBean() throws Exception {
        if (x509AuthenticationFilter != null) {
            return x509AuthenticationFilter;
        }
        // The field is assigned before the instance is configured, as in the original.
        x509AuthenticationFilter = new X509AuthenticationFilter();
        x509AuthenticationFilter.setProperties(properties);
        x509AuthenticationFilter.setCertificateExtractor(certificateExtractor);
        x509AuthenticationFilter.setPrincipalExtractor(principalExtractor);
        x509AuthenticationFilter.setAuthenticationManager(authenticationManager());
        return x509AuthenticationFilter;
    }

    /**
     * Returns the anonymous-user filter, creating it on first use. No further configuration is
     * applied to it here.
     *
     * @return the shared anonymous filter instance
     * @throws Exception declared for symmetry with the other filter beans; nothing here throws
     */
    @Bean
    public NiFiAnonymousUserFilter anonymousFilterBean() throws Exception {
        if (anonymousAuthenticationFilter != null) {
            return anonymousAuthenticationFilter;
        }
        anonymousAuthenticationFilter = new NiFiAnonymousUserFilter();
        return anonymousAuthenticationFilter;
    }

    /**
     * Injects the NiFi properties passed on to each authentication filter.
     *
     * @param niFiProperties application properties
     */
    @Autowired
    public void setProperties(NiFiProperties niFiProperties) {
        properties = niFiProperties;
    }

    /**
     * Injects the provider that validates JWT authentication requests.
     *
     * @param jwtAuthenticationProvider JWT provider
     */
    @Autowired
    public void setJwtAuthenticationProvider(JwtAuthenticationProvider jwtAuthenticationProvider) {
        this.jwtAuthenticationProvider = jwtAuthenticationProvider;
    }

    /**
     * Injects the provider that validates one-time-password authentication requests.
     *
     * @param otpAuthenticationProvider OTP provider
     */
    @Autowired
    public void setOtpAuthenticationProvider(OtpAuthenticationProvider otpAuthenticationProvider) {
        this.otpAuthenticationProvider = otpAuthenticationProvider;
    }

    /**
     * Injects the provider that validates Knox authentication requests.
     *
     * @param knoxAuthenticationProvider Knox provider
     */
    @Autowired
    public void setKnoxAuthenticationProvider(KnoxAuthenticationProvider knoxAuthenticationProvider) {
        this.knoxAuthenticationProvider = knoxAuthenticationProvider;
    }

    /**
     * Injects the provider that validates X.509 authentication requests.
     *
     * @param x509AuthenticationProvider X.509 provider
     */
    @Autowired
    public void setX509AuthenticationProvider(X509AuthenticationProvider x509AuthenticationProvider) {
        this.x509AuthenticationProvider = x509AuthenticationProvider;
    }

    /**
     * Injects the extractor handed to the X.509 filter for reading client certificates.
     *
     * @param x509CertificateExtractor certificate extractor
     */
    @Autowired
    public void setCertificateExtractor(X509CertificateExtractor x509CertificateExtractor) {
        certificateExtractor = x509CertificateExtractor;
    }

    /**
     * Injects the extractor handed to the X.509 filter for deriving the principal.
     *
     * @param x509PrincipalExtractor principal extractor
     */
    @Autowired
    public void setPrincipalExtractor(X509PrincipalExtractor x509PrincipalExtractor) {
        principalExtractor = x509PrincipalExtractor;
    }

    /**
     * Injects the X.509 identity provider. The value is stored but not used by any method of
     * this class.
     *
     * @param x509IdentityProvider identity provider
     */
    @Autowired
    public void setCertificateIdentityProvider(X509IdentityProvider x509IdentityProvider) {
        certificateIdentityProvider = x509IdentityProvider;
    }
}
