package org.apache.nifi.web.api;

import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.openid.connect.sdk.AuthenticationResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import java.io.IOException;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.UUID;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.apache.http.NameValuePair;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.protocol.HTTP;
import org.apache.nifi.authentication.exception.AuthenticationNotSupportedException;
import org.apache.nifi.authorization.user.NiFiUserUtils;
import org.apache.nifi.security.util.SslContextFactory;
import org.apache.nifi.security.util.StandardTlsConfiguration;
import org.apache.nifi.security.util.TlsException;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.api.cookie.ApplicationCookieName;
import org.apache.nifi.web.security.jwt.provider.BearerTokenProvider;
import org.apache.nifi.web.security.oidc.OidcService;
import org.apache.nifi.web.security.oidc.TruststoreStrategy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Api(value = "/access/oidc", description = "Endpoints for obtaining an access token or checking access status.")
@Path("/access/oidc")
/* loaded from: input_file:WEB-INF/classes/org/apache/nifi/web/api/OIDCAccessResource.class */
public class OIDCAccessResource extends ApplicationResource {
    private static final String OIDC_AUTHENTICATION_NOT_CONFIGURED = "OIDC authentication not configured";
    private static final String OIDC_ID_TOKEN_AUTHN_ERROR = "Unable to exchange authorization for ID token: ";
    private static final String OIDC_REQUEST_IDENTIFIER_NOT_FOUND = "The request identifier was not found in the request.";
    private static final String OIDC_FAILED_TO_PARSE_REDIRECT_URI = "Unable to parse the redirect URI from the OpenId Connect Provider. Unable to continue login/logout process.";
    private static final String REVOKE_ACCESS_TOKEN_LOGOUT = "oidc_access_token_logout";
    private static final String ID_TOKEN_LOGOUT = "oidc_id_token_logout";
    private static final String STANDARD_LOGOUT = "oidc_standard_logout";
    private static final int msTimeout = 30000;
    private static final boolean LOGGING_IN = true;
    private OidcService oidcService;
    private BearerTokenProvider bearerTokenProvider;
    private static final Logger logger = LoggerFactory.getLogger(OIDCAccessResource.class);
    private static final Pattern REVOKE_ACCESS_TOKEN_LOGOUT_FORMAT = Pattern.compile("(\\.google\\.com)");
    private static final Pattern ID_TOKEN_LOGOUT_FORMAT = Pattern.compile("(\\.okta)");

    @GET
    @Path("/request")
    @Consumes({"*/*"})
    @ApiOperation(value = "Initiates a request to authenticate through the configured OpenId Connect provider.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void oidcRequest(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        try {
            validateOidcConfiguration();
            httpServletResponse.sendRedirect(oidcRequestAuthorizationCode(httpServletResponse, getOidcCallback()).toString());
        } catch (AuthenticationNotSupportedException e) {
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, e.getMessage());
            throw e;
        }
    }

    @GET
    @Path("/callback")
    @Consumes({"*/*"})
    @ApiOperation(value = "Redirect/callback URI for processing the result of the OpenId Connect login sequence.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void oidcCallback(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        AuthenticationResponse parseOidcResponse = parseOidcResponse(httpServletRequest, httpServletResponse, true);
        Optional<String> oidcRequestIdentifier = getOidcRequestIdentifier(httpServletRequest);
        if (!oidcRequestIdentifier.isPresent() || !parseOidcResponse.indicatesSuccess()) {
            removeOidcRequestCookie(httpServletResponse);
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, "Unsuccessful login attempt.");
            return;
        }
        AuthenticationSuccessResponse authenticationSuccessResponse = (AuthenticationSuccessResponse) parseOidcResponse;
        String str = oidcRequestIdentifier.get();
        checkOidcState(httpServletResponse, str, authenticationSuccessResponse, true);
        try {
            this.oidcService.storeJwt(str, this.bearerTokenProvider.getBearerToken(this.oidcService.exchangeAuthorizationCodeForLoginAuthenticationToken(new AuthorizationCodeGrant(authenticationSuccessResponse.getAuthorizationCode(), URI.create(getOidcCallback())))));
            httpServletResponse.sendRedirect(getNiFiUri());
        } catch (Exception e) {
            logger.error("Unable to exchange authorization for ID token: " + e.getMessage(), e);
            removeOidcRequestCookie(httpServletResponse);
            forwardToLoginMessagePage(httpServletRequest, httpServletResponse, "Unable to exchange authorization for ID token: " + e.getMessage());
        }
    }

    @Path("/exchange")
    @Consumes({"*/*"})
    @ApiOperation(value = "Retrieves a JWT following a successful login sequence using the configured OpenId Connect provider.", response = String.class, notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @POST
    @Produces({HTTP.PLAIN_TEXT_TYPE})
    public Response oidcExchange(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        try {
            validateOidcConfiguration();
            Optional<String> oidcRequestIdentifier = getOidcRequestIdentifier(httpServletRequest);
            if (!oidcRequestIdentifier.isPresent()) {
                logger.warn("The login request identifier was not found in the request. Unable to continue.");
                return Response.status(Response.Status.BAD_REQUEST).entity("The login request identifier was not found in the request. Unable to continue.").build();
            }
            removeOidcRequestCookie(httpServletResponse);
            String jwt = this.oidcService.getJwt(oidcRequestIdentifier.get());
            if (jwt == null) {
                throw new IllegalArgumentException("A JWT for this login request identifier could not be found. Unable to continue.");
            }
            setBearerToken(httpServletResponse, jwt);
            return generateOkResponse(jwt).build();
        } catch (AuthenticationNotSupportedException e) {
            logger.debug("OIDC authentication not supported", e);
            return Response.status(Response.Status.CONFLICT).entity(e.getMessage()).build();
        }
    }

    @GET
    @Path("/logout")
    @Consumes({"*/*"})
    @ApiOperation(value = "Performs a logout in the OpenId Provider.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void oidcLogout(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        try {
            validateOidcConfiguration();
            String niFiUserIdentity = NiFiUserUtils.getNiFiUserIdentity();
            this.applicationCookieService.removeCookie(getCookieResourceUri(), httpServletResponse, ApplicationCookieName.AUTHORIZATION_BEARER);
            logger.debug("Invalidated JWT for user [{}]", niFiUserIdentity);
            String determineLogoutMethod = determineLogoutMethod(this.properties.getOidcDiscoveryUrl());
            boolean z = -1;
            switch (determineLogoutMethod.hashCode()) {
                case -1853365018:
                    if (determineLogoutMethod.equals(STANDARD_LOGOUT)) {
                        z = 2;
                        break;
                    }
                    break;
                case -1170133298:
                    if (determineLogoutMethod.equals(ID_TOKEN_LOGOUT)) {
                        z = true;
                        break;
                    }
                    break;
                case 883140645:
                    if (determineLogoutMethod.equals(REVOKE_ACCESS_TOKEN_LOGOUT)) {
                        z = false;
                        break;
                    }
                    break;
            }
            switch (z) {
                case false:
                case true:
                    httpServletResponse.sendRedirect(oidcRequestAuthorizationCode(httpServletResponse, getOidcLogoutCallback()).toString());
                    return;
                case true:
                default:
                    URI endSessionEndpoint = this.oidcService.getEndSessionEndpoint();
                    String generateResourceUri = generateResourceUri("..", "nifi", "logout-complete");
                    if (endSessionEndpoint == null) {
                        httpServletResponse.sendRedirect(generateResourceUri);
                        return;
                    } else {
                        httpServletResponse.sendRedirect(UriBuilder.fromUri(endSessionEndpoint).queryParam("post_logout_redirect_uri", new Object[]{generateResourceUri}).build(new Object[0]).toString());
                        return;
                    }
            }
        } catch (AuthenticationNotSupportedException e) {
            throw e;
        }
    }

    @GET
    @Path("/logoutCallback")
    @Consumes({"*/*"})
    @ApiOperation(value = "Redirect/callback URI for processing the result of the OpenId Connect logout sequence.", notes = "Note: This endpoint is subject to change as NiFi and it's REST API evolve.")
    @Produces({"*/*"})
    public void oidcLogoutCallback(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
        AuthenticationResponse parseOidcResponse = parseOidcResponse(httpServletRequest, httpServletResponse, false);
        Optional<String> oidcRequestIdentifier = getOidcRequestIdentifier(httpServletRequest);
        if (!oidcRequestIdentifier.isPresent() || parseOidcResponse == null || !parseOidcResponse.indicatesSuccess()) {
            removeOidcRequestCookie(httpServletResponse);
            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, "Unsuccessful logout attempt.");
            return;
        }
        AuthenticationSuccessResponse authenticationSuccessResponse = (AuthenticationSuccessResponse) parseOidcResponse;
        checkOidcState(httpServletResponse, oidcRequestIdentifier.get(), authenticationSuccessResponse, false);
        String determineLogoutMethod = determineLogoutMethod(this.properties.getOidcDiscoveryUrl());
        AuthorizationCodeGrant authorizationCodeGrant = new AuthorizationCodeGrant(authenticationSuccessResponse.getAuthorizationCode(), URI.create(getOidcLogoutCallback()));
        boolean z = -1;
        switch (determineLogoutMethod.hashCode()) {
            case -1170133298:
                if (determineLogoutMethod.equals(ID_TOKEN_LOGOUT)) {
                    z = true;
                    break;
                }
                break;
            case 883140645:
                if (determineLogoutMethod.equals(REVOKE_ACCESS_TOKEN_LOGOUT)) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                try {
                    String exchangeAuthorizationCodeForAccessToken = this.oidcService.exchangeAuthorizationCodeForAccessToken(authorizationCodeGrant);
                    URI revokeEndpoint = getRevokeEndpoint();
                    if (revokeEndpoint != null) {
                        try {
                            revokeEndpointRequest(httpServletResponse, exchangeAuthorizationCodeForAccessToken, revokeEndpoint);
                            return;
                        } catch (IOException e) {
                            logger.error("There was an error logging out of the OpenId Connect Provider: " + e.getMessage(), e);
                            removeOidcRequestCookie(httpServletResponse);
                            forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, "There was an error logging out of the OpenId Connect Provider: " + e.getMessage());
                            return;
                        }
                    }
                    return;
                } catch (Exception e2) {
                    logger.error("Unable to exchange authorization for the Access token: " + e2.getMessage(), e2);
                    removeOidcRequestCookie(httpServletResponse);
                    forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, "Unable to exchange authorization for ID token: " + e2.getMessage());
                    return;
                }
            case true:
                try {
                    String exchangeAuthorizationCodeForIdToken = this.oidcService.exchangeAuthorizationCodeForIdToken(authorizationCodeGrant);
                    URI endSessionEndpoint = this.oidcService.getEndSessionEndpoint();
                    String generateResourceUri = generateResourceUri("..", "nifi", "logout-complete");
                    if (endSessionEndpoint != null) {
                        httpServletResponse.sendRedirect(UriBuilder.fromUri(endSessionEndpoint).queryParam("id_token_hint", new Object[]{exchangeAuthorizationCodeForIdToken}).queryParam("post_logout_redirect_uri", new Object[]{generateResourceUri}).build(new Object[0]).toString());
                        return;
                    } else {
                        logger.debug("Unable to log out of the OpenId Connect Provider. The end session endpoint is: null. Redirecting to the logout page.");
                        httpServletResponse.sendRedirect(generateResourceUri);
                        return;
                    }
                } catch (Exception e3) {
                    logger.error("Unable to exchange authorization for ID token: " + e3.getMessage(), e3);
                    removeOidcRequestCookie(httpServletResponse);
                    forwardToLogoutMessagePage(httpServletRequest, httpServletResponse, "Unable to exchange authorization for ID token: " + e3.getMessage());
                    return;
                }
            default:
                return;
        }
    }

    private URI oidcRequestAuthorizationCode(@Context HttpServletResponse httpServletResponse, String str) {
        String uuid = UUID.randomUUID().toString();
        this.applicationCookieService.addCookie(getCookieResourceUri(), httpServletResponse, ApplicationCookieName.OIDC_REQUEST_IDENTIFIER, uuid);
        return UriBuilder.fromUri(this.oidcService.getAuthorizationEndpoint()).queryParam("client_id", new Object[]{this.oidcService.getClientId()}).queryParam("response_type", new Object[]{"code"}).queryParam("scope", new Object[]{this.oidcService.getScope().toString()}).queryParam("state", new Object[]{this.oidcService.createState(uuid).getValue()}).queryParam("redirect_uri", new Object[]{str}).build(new Object[0]);
    }

    private String determineLogoutMethod(String str) {
        return REVOKE_ACCESS_TOKEN_LOGOUT_FORMAT.matcher(str).find() ? REVOKE_ACCESS_TOKEN_LOGOUT : ID_TOKEN_LOGOUT_FORMAT.matcher(str).find() ? ID_TOKEN_LOGOUT : STANDARD_LOGOUT;
    }

    private void revokeEndpointRequest(@Context HttpServletResponse httpServletResponse, String str, URI uri) throws IOException {
        CloseableHttpClient httpClient = getHttpClient();
        HttpPost httpPost = new HttpPost(uri);
        ArrayList arrayList = new ArrayList();
        arrayList.add(new BasicNameValuePair("token", str));
        httpPost.setEntity(new UrlEncodedFormEntity((List<? extends NameValuePair>) arrayList));
        try {
            CloseableHttpResponse execute = httpClient.execute((HttpUriRequest) httpPost);
            try {
                if (execute.getStatusLine().getStatusCode() == 200) {
                    logger.debug("You are logged out of the OpenId Connect Provider.");
                    httpServletResponse.sendRedirect(generateResourceUri("..", "nifi", "logout-complete"));
                } else {
                    logger.error("There was an error logging out of the OpenId Connect Provider. Response status: " + execute.getStatusLine().getStatusCode());
                }
                if (execute != null) {
                    execute.close();
                }
            } finally {
            }
        } finally {
            httpClient.close();
        }
    }

    private CloseableHttpClient getHttpClient() {
        HttpClientBuilder defaultRequestConfig = HttpClientBuilder.create().setDefaultRequestConfig(RequestConfig.custom().setConnectTimeout(msTimeout).setConnectionRequestTimeout(msTimeout).setSocketTimeout(msTimeout).build());
        if (TruststoreStrategy.NIFI.name().equals(this.properties.getOidcClientTruststoreStrategy())) {
            defaultRequestConfig.setSSLContext(getSslContext());
        }
        return defaultRequestConfig.build();
    }

    protected AuthenticationResponse parseOidcResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) throws Exception {
        String forwardPageTitle = getForwardPageTitle(z);
        try {
            validateOidcConfiguration();
            if (!getOidcRequestIdentifier(httpServletRequest).isPresent()) {
                forwardToMessagePage(httpServletRequest, httpServletResponse, forwardPageTitle, OIDC_REQUEST_IDENTIFIER_NOT_FOUND);
                throw new IllegalStateException(OIDC_REQUEST_IDENTIFIER_NOT_FOUND);
            }
            try {
                return AuthenticationResponseParser.parse(getRequestUri());
            } catch (ParseException e) {
                logger.error(OIDC_FAILED_TO_PARSE_REDIRECT_URI);
                removeOidcRequestCookie(httpServletResponse);
                forwardToMessagePage(httpServletRequest, httpServletResponse, forwardPageTitle, OIDC_FAILED_TO_PARSE_REDIRECT_URI);
                throw e;
            }
        } catch (AuthenticationNotSupportedException e2) {
            forwardToMessagePage(httpServletRequest, httpServletResponse, forwardPageTitle, e2.getMessage());
            throw e2;
        }
    }

    protected void checkOidcState(HttpServletResponse httpServletResponse, String str, AuthenticationSuccessResponse authenticationSuccessResponse, boolean z) throws Exception {
        State state = authenticationSuccessResponse.getState();
        if (state == null || !this.oidcService.isStateValid(str, state)) {
            logger.error("OIDC Request [{}] State [{}] not valid", str, state);
            removeOidcRequestCookie(httpServletResponse);
            forwardToMessagePage(this.httpServletRequest, httpServletResponse, getForwardPageTitle(z), "Purposed state does not match the stored state. Unable to continue login/logout process.");
        }
    }

    private SSLContext getSslContext() {
        try {
            return SslContextFactory.createSslContext(StandardTlsConfiguration.fromNiFiProperties(this.properties));
        } catch (TlsException e) {
            throw new RuntimeException("Unable to establish an SSL context for OIDC access resource from nifi.properties", e);
        }
    }

    private void validateOidcConfiguration() throws AuthenticationNotSupportedException {
        if (!this.httpServletRequest.isSecure()) {
            throw new AuthenticationNotSupportedException("User authentication/authorization is only supported when running over HTTPS.");
        }
        if (!this.oidcService.isOidcEnabled()) {
            throw new AuthenticationNotSupportedException(OIDC_AUTHENTICATION_NOT_CONFIGURED);
        }
    }

    private String getForwardPageTitle(boolean z) {
        return z ? "Unable to continue login sequence" : "Unable to continue logout sequence";
    }

    protected String getOidcCallback() {
        return generateResourceUri("access", "oidc", "callback");
    }

    private String getOidcLogoutCallback() {
        return generateResourceUri("access", "oidc", "logoutCallback");
    }

    private URI getRevokeEndpoint() {
        return this.oidcService.getRevocationEndpoint();
    }

    private void removeOidcRequestCookie(HttpServletResponse httpServletResponse) {
        this.applicationCookieService.removeCookie(getCookieResourceUri(), httpServletResponse, ApplicationCookieName.OIDC_REQUEST_IDENTIFIER);
    }

    private Optional<String> getOidcRequestIdentifier(HttpServletRequest httpServletRequest) {
        return this.applicationCookieService.getCookieValue(httpServletRequest, ApplicationCookieName.OIDC_REQUEST_IDENTIFIER);
    }

    public void setOidcService(OidcService oidcService) {
        this.oidcService = oidcService;
    }

    public void setBearerTokenProvider(BearerTokenProvider bearerTokenProvider) {
        this.bearerTokenProvider = bearerTokenProvider;
    }

    @Override // org.apache.nifi.web.api.ApplicationResource
    public void setProperties(NiFiProperties niFiProperties) {
        this.properties = niFiProperties;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.nifi.web.api.ApplicationResource
    public NiFiProperties getProperties() {
        return this.properties;
    }
}
