package org.apache.nifi.web.api;

import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.http.protocol.HTTP;
import org.apache.nifi.admin.service.IdpUserGroupService;
import org.apache.nifi.authentication.exception.AuthenticationNotSupportedException;
import org.apache.nifi.authorization.util.IdentityMappingUtil;
import org.apache.nifi.idp.IdpType;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.api.cookie.ApplicationCookieName;
import org.apache.nifi.web.security.logout.LogoutRequest;
import org.apache.nifi.web.security.logout.LogoutRequestManager;
import org.apache.nifi.web.security.saml.SAMLCredentialStore;
import org.apache.nifi.web.security.saml.SAMLService;
import org.apache.nifi.web.security.saml.SAMLStateManager;
import org.apache.nifi.web.security.token.LoginAuthenticationToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.saml.SAMLCredential;

@Api(value = "/access/saml", description = "Endpoints for authenticating, obtaining an access token or logging out of a configured SAML authentication provider.")
@Path("/access/saml")
/* loaded from: input_file:WEB-INF/classes/org/apache/nifi/web/api/SAMLAccessResource.class */
public class SAMLAccessResource extends ApplicationResource {
    private static final Logger logger;
    private static final String SAML_METADATA_MEDIA_TYPE = "application/samlmetadata+xml";
    private static final String LOGOUT_REQUEST_IDENTIFIER_NOT_FOUND = "The logout request identifier was not found in the request. Unable to continue.";
    private static final String LOGOUT_REQUEST_NOT_FOUND_FOR_GIVEN_IDENTIFIER = "No logout request was found for the given identifier. Unable to continue.";
    private static final boolean LOGGING_IN = true;
    private SAMLService samlService;
    private SAMLStateManager samlStateManager;
    private SAMLCredentialStore samlCredentialStore;
    private IdpUserGroupService idpUserGroupService;
    private LogoutRequestManager logoutRequestManager;
    static final /* synthetic */ boolean $assertionsDisabled;

    @GET
    @Path("/metadata")
    @Consumes({"*/*"})
    @ApiOperation(value = "Retrieves the service provider metadata.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({SAML_METADATA_MEDIA_TYPE})
    public Response samlMetadata(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        if (!httpServletRequest.isSecure()) {
            throw new AuthenticationNotSupportedException("User authentication/authorization is only supported when running over HTTPS.");
        }
        if (this.samlService.isSamlEnabled()) {
            initializeSamlServiceProvider();
            return Response.ok(this.samlService.getServiceProviderMetadata(), SAML_METADATA_MEDIA_TYPE).build();
        }
        logger.debug("SAML support is not configured");
        return Response.status(Response.Status.CONFLICT).entity("SAML support is not configured").build();
    }

    @GET
    @Path("login/request")
    @Consumes({"*/*"})
    @ApiOperation(value = "Initiates an SSO request to the configured SAML identity provider.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void samlLoginRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        if (!$assertionsDisabled && !isSamlEnabled(httpServletRequest, httpServletResponse, true)) {
            throw new AssertionError();
        }
        initializeSamlServiceProvider();
        String uuid = UUID.randomUUID().toString();
        this.applicationCookieService.addCookie(getCookieResourceUri(), httpServletResponse, ApplicationCookieName.SAML_REQUEST_IDENTIFIER, uuid);
        try {
            this.samlService.initiateLogin(httpServletRequest, httpServletResponse, this.samlStateManager.createState(uuid));
        } catch (Exception e) {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, e.getMessage());
        }
    }

    @Path("/login/consumer")
    @Consumes({URLEncodedUtils.CONTENT_TYPE})
    @ApiOperation(value = "Processes the SSO response from the SAML identity provider for HTTP-POST binding.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @POST
    @Produces({"*/*"})
    public void samlLoginHttpPostConsumer(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse, MultivaluedMap<String, String> multivaluedMap) throws Exception {
        if (!$assertionsDisabled && !isSamlEnabled(httpServletRequest, httpServletResponse, true)) {
            throw new AssertionError();
        }
        samlLoginConsumer(httpServletRequest, httpServletResponse, getParameterMap(multivaluedMap));
    }

    @GET
    @Path("/login/consumer")
    @Consumes({"*/*"})
    @ApiOperation(value = "Processes the SSO response from the SAML identity provider for HTTP-REDIRECT binding.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void samlLoginHttpRedirectConsumer(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse, @Context UriInfo uriInfo) throws Exception {
        if (!$assertionsDisabled && !isSamlEnabled(httpServletRequest, httpServletResponse, true)) {
            throw new AssertionError();
        }
        samlLoginConsumer(httpServletRequest, httpServletResponse, getParameterMap(uriInfo.getQueryParameters()));
    }

    private void samlLoginConsumer(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Map<String, String> map) throws Exception {
        initializeSamlServiceProvider();
        Optional<String> samlRequestIdentifier = getSamlRequestIdentifier();
        if (!samlRequestIdentifier.isPresent()) {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, "The login request identifier was not found in the request. Unable to continue.");
            return;
        }
        String str = map.get("RelayState");
        if (str == null) {
            removeSamlRequestCookie(httpServletResponse);
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, "The RelayState parameter was not found in the request. Unable to continue.");
            return;
        }
        String str2 = samlRequestIdentifier.get();
        if (!this.samlStateManager.isStateValid(str2, str)) {
            logger.error("The RelayState value returned by the SAML IDP does not match the stored state. Unable to continue login process.");
            removeSamlRequestCookie(httpServletResponse);
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, "Purposed RelayState does not match the stored state. Unable to continue login process.");
            return;
        }
        try {
            SAMLCredential processLogin = this.samlService.processLogin(httpServletRequest, httpServletResponse, map);
            String mapIdentity = IdentityMappingUtil.mapIdentity(this.samlService.getUserIdentity(processLogin), IdentityMappingUtil.getIdentityMappings(this.properties));
            this.samlStateManager.createJwt(str2, new LoginAuthenticationToken(mapIdentity, mapIdentity, this.samlService.getAuthExpiration(), processLogin.getRemoteEntityID()));
            this.samlCredentialStore.save(mapIdentity, processLogin);
            Set userGroups = this.samlService.getUserGroups(processLogin);
            if (logger.isDebugEnabled()) {
                logger.debug("SAML User '{}' belongs to the unmapped groups {}", mapIdentity, StringUtils.join(new Set[]{userGroups}));
            }
            List groupMappings = IdentityMappingUtil.getGroupMappings(this.properties);
            Set set = (Set) userGroups.stream().map(str3 -> {
                return IdentityMappingUtil.mapIdentity(str3, groupMappings);
            }).collect(Collectors.toSet());
            logger.info("SAML User '{}' belongs to the mapped groups {}", mapIdentity, StringUtils.join(new Set[]{set}));
            this.idpUserGroupService.replaceUserGroups(mapIdentity, IdpType.SAML, set);
            httpServletResponse.sendRedirect(getNiFiUri());
        } catch (Exception e) {
            removeSamlRequestCookie(httpServletResponse);
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, e.getMessage());
        }
    }

    @Path("/login/exchange")
    @Consumes({"*/*"})
    @ApiOperation(value = "Retrieves a JWT following a successful login sequence using the configured SAML identity provider.", response = String.class, notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @POST
    @Produces({HTTP.PLAIN_TEXT_TYPE})
    public Response samlLoginExchange(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        if (!httpServletRequest.isSecure()) {
            throw new AuthenticationNotSupportedException("User authentication/authorization is only supported when running over HTTPS.");
        }
        if (!this.samlService.isSamlEnabled()) {
            logger.debug("SAML support is not configured");
            return Response.status(Response.Status.CONFLICT).entity("SAML support is not configured").build();
        }
        initializeSamlServiceProvider();
        Optional<String> samlRequestIdentifier = getSamlRequestIdentifier();
        if (!samlRequestIdentifier.isPresent()) {
            logger.warn("The login request identifier was not found in the request. Unable to continue.");
            return Response.status(Response.Status.BAD_REQUEST).entity("The login request identifier was not found in the request. Unable to continue.").build();
        }
        removeSamlRequestCookie(httpServletResponse);
        String str = samlRequestIdentifier.get();
        String jwt = this.samlStateManager.getJwt(str);
        if (jwt == null) {
            throw new IllegalArgumentException("A JWT for this login request identifier could not be found. Unable to continue.");
        }
        logger.info("SAML Login Request [{}] Completed", str);
        setBearerToken(httpServletResponse, jwt);
        return generateOkResponse(jwt).build();
    }

    @GET
    @Path("/single-logout/request")
    @Consumes({"*/*"})
    @ApiOperation(value = "Initiates a logout request using the SingleLogout service of the configured SAML identity provider.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void samlSingleLogoutRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        if (!$assertionsDisabled && !isSamlEnabled(httpServletRequest, httpServletResponse, false)) {
            throw new AssertionError();
        }
        Optional<String> logoutRequestIdentifier = getLogoutRequestIdentifier();
        if (!logoutRequestIdentifier.isPresent()) {
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, LOGOUT_REQUEST_IDENTIFIER_NOT_FOUND);
            return;
        }
        LogoutRequest logoutRequest = this.logoutRequestManager.get(logoutRequestIdentifier.get());
        if (logoutRequest == null) {
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, LOGOUT_REQUEST_NOT_FOUND_FOR_GIVEN_IDENTIFIER);
            return;
        }
        initializeSamlServiceProvider();
        String mappedUserIdentity = logoutRequest.getMappedUserIdentity();
        logger.info("Attempting to performing SAML Single Logout for {}", mappedUserIdentity);
        SAMLCredential sAMLCredential = this.samlCredentialStore.get(mappedUserIdentity);
        if (sAMLCredential == null) {
            throw new IllegalStateException("Unable to find a stored SAML credential for " + mappedUserIdentity);
        }
        try {
            logger.info("Initiating SAML Single Logout with IDP...");
            this.samlService.initiateLogout(httpServletRequest, httpServletResponse, sAMLCredential);
        } catch (Exception e) {
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, e.getMessage());
        }
    }

    @GET
    @Path("/single-logout/consumer")
    @Consumes({"*/*"})
    @ApiOperation(value = "Processes a SingleLogout message from the configured SAML identity provider using the HTTP-REDIRECT binding.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void samlSingleLogoutHttpRedirectConsumer(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse, @Context UriInfo uriInfo) throws Exception {
        if (!$assertionsDisabled && !isSamlEnabled(httpServletRequest, httpServletResponse, false)) {
            throw new AssertionError();
        }
        samlSingleLogoutConsumer(httpServletRequest, httpServletResponse, getParameterMap(uriInfo.getQueryParameters()));
    }

    @Path("/single-logout/consumer")
    @Consumes({"*/*"})
    @ApiOperation(value = "Processes a SingleLogout message from the configured SAML identity provider using the HTTP-POST binding.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @POST
    @Produces({"*/*"})
    public void samlSingleLogoutHttpPostConsumer(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse, MultivaluedMap<String, String> multivaluedMap) throws Exception {
        if (!$assertionsDisabled && !isSamlEnabled(httpServletRequest, httpServletResponse, false)) {
            throw new AssertionError();
        }
        samlSingleLogoutConsumer(httpServletRequest, httpServletResponse, getParameterMap(multivaluedMap));
    }

    private void samlSingleLogoutConsumer(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Map<String, String> map) throws Exception {
        initializeSamlServiceProvider();
        Optional<String> logoutRequestIdentifier = getLogoutRequestIdentifier();
        if (!logoutRequestIdentifier.isPresent()) {
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, LOGOUT_REQUEST_IDENTIFIER_NOT_FOUND);
            return;
        }
        String str = logoutRequestIdentifier.get();
        LogoutRequest logoutRequest = this.logoutRequestManager.get(str);
        if (logoutRequest == null) {
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, LOGOUT_REQUEST_NOT_FOUND_FOR_GIVEN_IDENTIFIER);
            return;
        }
        this.logoutRequestManager.complete(str);
        removeLogoutRequestCookie(httpServletResponse);
        String mappedUserIdentity = logoutRequest.getMappedUserIdentity();
        logger.info("Consuming SAML Single Logout for {}", mappedUserIdentity);
        this.samlCredentialStore.delete(mappedUserIdentity);
        this.idpUserGroupService.deleteUserGroups(mappedUserIdentity);
        try {
            this.samlService.processLogout(httpServletRequest, httpServletResponse, map);
            logger.info("Completed SAML Single Logout for {}", mappedUserIdentity);
            httpServletResponse.sendRedirect(getNiFiLogoutCompleteUri());
        } catch (Exception e) {
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, e.getMessage());
        }
    }

    @GET
    @Path("/local-logout")
    @Consumes({"*/*"})
    @ApiOperation(value = "Local logout when SAML is enabled, does not communicate with the IDP.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void samlLocalLogout(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        if (!$assertionsDisabled && !isSamlEnabled(httpServletRequest, httpServletResponse, false)) {
            throw new AssertionError();
        }
        Optional<String> logoutRequestIdentifier = getLogoutRequestIdentifier();
        if (logoutRequestIdentifier.isPresent()) {
            String str = logoutRequestIdentifier.get();
            String mappedUserIdentity = this.logoutRequestManager.complete(str).getMappedUserIdentity();
            this.samlCredentialStore.delete(mappedUserIdentity);
            this.idpUserGroupService.deleteUserGroups(mappedUserIdentity);
            logger.info("Logout Request [{}] Identity [{}] SAML Local Logout Completed", str, mappedUserIdentity);
        } else {
            logger.warn("Logout Request Cookie [{}] not found", ApplicationCookieName.LOGOUT_REQUEST_IDENTIFIER.getCookieName());
        }
        removeLogoutRequestCookie(httpServletResponse);
        httpServletResponse.sendRedirect(getNiFiLogoutCompleteUri());
    }

    private void initializeSamlServiceProvider() {
        if (this.samlService.isServiceProviderInitialized()) {
            return;
        }
        this.samlService.initializeServiceProvider(generateResourceUri("saml", "metadata").replace("/saml/metadata", ""));
    }

    private Map<String, String> getParameterMap(MultivaluedMap<String, String> multivaluedMap) {
        HashMap hashMap = new HashMap();
        for (String str : multivaluedMap.keySet()) {
            hashMap.put(str, (String) multivaluedMap.getFirst(str));
        }
        return hashMap;
    }

    private void removeSamlRequestCookie(HttpServletResponse httpServletResponse) {
        this.applicationCookieService.removeCookie(getCookieResourceUri(), httpServletResponse, ApplicationCookieName.SAML_REQUEST_IDENTIFIER);
    }

    private boolean isSamlEnabled(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) throws Exception {
        String forwardPageTitle = getForwardPageTitle(z);
        if (!httpServletRequest.isSecure()) {
            forwardToMessagePage(httpServletRequest, httpServletResponse, forwardPageTitle, "User authentication/authorization is only supported when running over HTTPS.");
            return false;
        }
        if (this.samlService.isSamlEnabled()) {
            return true;
        }
        forwardToMessagePage(httpServletRequest, httpServletResponse, forwardPageTitle, "SAML support is not configured");
        return false;
    }

    private String getForwardPageTitle(boolean z) {
        return z ? "Unable to continue login sequence" : "Unable to continue logout sequence";
    }

    private Optional<String> getSamlRequestIdentifier() {
        return this.applicationCookieService.getCookieValue(this.httpServletRequest, ApplicationCookieName.SAML_REQUEST_IDENTIFIER);
    }

    private void removeLogoutRequestCookie(HttpServletResponse httpServletResponse) {
        this.applicationCookieService.removeCookie(getCookieResourceUri(), httpServletResponse, ApplicationCookieName.LOGOUT_REQUEST_IDENTIFIER);
    }

    private Optional<String> getLogoutRequestIdentifier() {
        return this.applicationCookieService.getCookieValue(this.httpServletRequest, ApplicationCookieName.LOGOUT_REQUEST_IDENTIFIER);
    }

    private String getNiFiLogoutCompleteUri() {
        return getNiFiUri() + "logout-complete";
    }

    public void setSamlService(SAMLService sAMLService) {
        this.samlService = sAMLService;
    }

    public void setSamlStateManager(SAMLStateManager sAMLStateManager) {
        this.samlStateManager = sAMLStateManager;
    }

    public void setSamlCredentialStore(SAMLCredentialStore sAMLCredentialStore) {
        this.samlCredentialStore = sAMLCredentialStore;
    }

    public void setIdpUserGroupService(IdpUserGroupService idpUserGroupService) {
        this.idpUserGroupService = idpUserGroupService;
    }

    @Override // org.apache.nifi.web.api.ApplicationResource
    public void setProperties(NiFiProperties niFiProperties) {
        this.properties = niFiProperties;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.nifi.web.api.ApplicationResource
    public NiFiProperties getProperties() {
        return this.properties;
    }

    public void setLogoutRequestManager(LogoutRequestManager logoutRequestManager) {
        this.logoutRequestManager = logoutRequestManager;
    }

    static {
        $assertionsDisabled = !SAMLAccessResource.class.desiredAssertionStatus();
        logger = LoggerFactory.getLogger(SAMLAccessResource.class);
    }
}
