package org.apache.nifi.web;

import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.anonymous.NiFiAnonymousAuthenticationFilter;
import org.apache.nifi.web.security.anonymous.NiFiAnonymousAuthenticationProvider;
import org.apache.nifi.web.security.csrf.CsrfCookieRequestMatcher;
import org.apache.nifi.web.security.csrf.StandardCookieCsrfTokenRepository;
import org.apache.nifi.web.security.jwt.resolver.StandardBearerTokenResolver;
import org.apache.nifi.web.security.knox.KnoxAuthenticationFilter;
import org.apache.nifi.web.security.knox.KnoxAuthenticationProvider;
import org.apache.nifi.web.security.log.AuthenticationUserFilter;
import org.apache.nifi.web.security.x509.X509AuthenticationFilter;
import org.apache.nifi.web.security.x509.X509AuthenticationProvider;
import org.apache.nifi.web.security.x509.X509CertificateExtractor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Spring Security configuration for the NiFi web API.
 *
 * <p>Registers four authentication providers (X.509, JWT, Knox, anonymous) and the filters that
 * feed them. Every request must be fully authenticated, except for the {@code /access/...} paths
 * that {@link #configure(WebSecurity)} excludes from the filter chain.
 *
 * <p>Collaborators are supplied through the {@code @Autowired} setters at the bottom of the class.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class NiFiWebApiSecurityConfiguration extends WebSecurityConfigurerAdapter {
    // Injected collaborators (see the @Autowired setters).
    private NiFiProperties properties;
    private X509CertificateExtractor certificateExtractor;
    private X509PrincipalExtractor principalExtractor;
    private X509AuthenticationProvider x509AuthenticationProvider;
    private JwtAuthenticationProvider jwtAuthenticationProvider;
    private KnoxAuthenticationProvider knoxAuthenticationProvider;
    private NiFiAnonymousAuthenticationProvider anonymousAuthenticationProvider;

    // Filters built on first use by the corresponding *FilterBean() method and then reused.
    private X509AuthenticationFilter x509AuthenticationFilter;
    private KnoxAuthenticationFilter knoxAuthenticationFilter;
    private NiFiAnonymousAuthenticationFilter anonymousAuthenticationFilter;

    /**
     * Creates the configuration with Spring Security's default configurers disabled, so only what
     * {@link #configure(HttpSecurity)} sets up explicitly is active.
     */
    public NiFiWebApiSecurityConfiguration() {
        super(true);
    }

    /**
     * Excludes the login, token-exchange and logout endpoints from the security filter chain.
     *
     * <p>Requests to these paths bypass the chain entirely: none of the authentication filters,
     * the CSRF check or the other filters registered in {@link #configure(HttpSecurity)} run for
     * them. Any validation on these endpoints therefore has to happen in the handlers themselves
     * (not visible in this class). Treat every addition to this list as an authentication bypass
     * that needs review.
     *
     * @param webSecurity the builder that receives the ignore list
     */
    public void configure(WebSecurity webSecurity) {
        webSecurity.ignoring().antMatchers(
                "/access",
                "/access/config",
                "/access/token",
                "/access/kerberos",
                "/access/oidc/exchange",
                "/access/oidc/request",
                "/access/oidc/callback",
                "/access/oidc/logoutCallback",
                "/access/knox/callback",
                "/access/knox/request",
                "/access/saml/metadata",
                // NOTE(review): the sibling SAML login paths are "/access/saml/login/...", but
                // this entry has no separator between "saml" and "login". Confirm it against the
                // resource's real route. If it is a typo, the SAML login request is not exempt
                // and falls under the fullyAuthenticated() rule below.
                "/access/samllogin/request",
                "/access/saml/login/consumer",
                "/access/saml/login/exchange",
                "/access/saml/single-logout/request",
                "/access/saml/single-logout/consumer",
                "/access/saml/local-logout",
                "/access/logout/complete");
    }

    /**
     * Builds the filter chain for every request that is not on the ignore list.
     *
     * @param httpSecurity the chain builder
     * @throws Exception if a configurer or filter bean cannot be created
     */
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.rememberMe().disable();

        // fullyAuthenticated() rejects anonymous and remember-me authentications.
        httpSecurity.authorizeRequests().anyRequest().fullyAuthenticated();

        // No HttpSession is created or consulted for the security context.
        httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // CSRF is enforced only when BOTH matchers match: Spring's default matcher (anything
        // other than GET, HEAD, TRACE, OPTIONS) and NiFi's CsrfCookieRequestMatcher.
        // NOTE(review): presumably the latter selects requests authenticated by cookie rather
        // than by Authorization header; confirm in CsrfCookieRequestMatcher.
        httpSecurity.csrf()
                .requireCsrfProtectionMatcher(
                        new AndRequestMatcher(CsrfFilter.DEFAULT_CSRF_MATCHER, new CsrfCookieRequestMatcher()))
                .csrfTokenRepository(
                        new StandardCookieCsrfTokenRepository(properties.getAllowedContextPathsAsList()));

        // Credential-bearing filters are positioned ahead of the anonymous slot, and NiFi's own
        // anonymous filter and the user filter behind it. AnonymousAuthenticationFilter is used
        // here only as the ordering anchor.
        httpSecurity.addFilterBefore(x509FilterBean(), AnonymousAuthenticationFilter.class);
        httpSecurity.addFilterBefore(bearerTokenAuthenticationFilter(), AnonymousAuthenticationFilter.class);
        httpSecurity.addFilterBefore(knoxFilterBean(), AnonymousAuthenticationFilter.class);
        httpSecurity.addFilterAfter(anonymousFilterBean(), AnonymousAuthenticationFilter.class);
        httpSecurity.addFilterAfter(new AuthenticationUserFilter(), AnonymousAuthenticationFilter.class);

        // Spring's built-in anonymous authentication stays off; anonymous access is decided by
        // NiFiAnonymousAuthenticationFilter and its provider.
        httpSecurity.anonymous().disable();
    }

    /**
     * Exposes the adapter's {@link AuthenticationManager} as a bean.
     *
     * @return the authentication manager built from {@link #configure(AuthenticationManagerBuilder)}
     * @throws Exception if the manager cannot be built
     */
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Registers the authentication providers in the order X.509, JWT, Knox, anonymous.
     *
     * @param authenticationManagerBuilder the builder that receives the providers
     * @throws Exception declared by the overridden method
     */
    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder
                .authenticationProvider(this.x509AuthenticationProvider)
                .authenticationProvider(this.jwtAuthenticationProvider)
                .authenticationProvider(this.knoxAuthenticationProvider)
                .authenticationProvider(this.anonymousAuthenticationProvider);
    }

    /**
     * Returns the Knox authentication filter, creating and wiring it on first call.
     *
     * @return the cached filter instance
     * @throws Exception if the authentication manager cannot be obtained
     */
    @Bean
    public KnoxAuthenticationFilter knoxFilterBean() throws Exception {
        if (knoxAuthenticationFilter != null) {
            return knoxAuthenticationFilter;
        }
        knoxAuthenticationFilter = new KnoxAuthenticationFilter();
        knoxAuthenticationFilter.setProperties(properties);
        knoxAuthenticationFilter.setAuthenticationManager(authenticationManager());
        return knoxAuthenticationFilter;
    }

    /**
     * Returns the client-certificate authentication filter, creating and wiring it on first call.
     *
     * @return the cached filter instance
     * @throws Exception if the authentication manager cannot be obtained
     */
    @Bean
    public X509AuthenticationFilter x509FilterBean() throws Exception {
        if (x509AuthenticationFilter != null) {
            return x509AuthenticationFilter;
        }
        x509AuthenticationFilter = new X509AuthenticationFilter();
        x509AuthenticationFilter.setProperties(properties);
        x509AuthenticationFilter.setCertificateExtractor(certificateExtractor);
        x509AuthenticationFilter.setPrincipalExtractor(principalExtractor);
        x509AuthenticationFilter.setAuthenticationManager(authenticationManager());
        return x509AuthenticationFilter;
    }

    /**
     * Builds the bearer-token filter backed by the shared authentication manager.
     *
     * <p>Unlike the other filter beans, the instance is not cached in a field.
     *
     * @return a filter that resolves tokens through {@link #bearerTokenResolver()}
     * @throws Exception if the authentication manager cannot be obtained
     */
    @Bean
    public BearerTokenAuthenticationFilter bearerTokenAuthenticationFilter() throws Exception {
        BearerTokenAuthenticationFilter tokenFilter = new BearerTokenAuthenticationFilter(authenticationManager());
        tokenFilter.setBearerTokenResolver(bearerTokenResolver());
        return tokenFilter;
    }

    /**
     * Supplies the resolver that extracts the bearer token from a request.
     *
     * @return a new {@link StandardBearerTokenResolver}
     */
    @Bean
    public BearerTokenResolver bearerTokenResolver() {
        return new StandardBearerTokenResolver();
    }

    /**
     * Returns NiFi's anonymous authentication filter, creating and wiring it on first call.
     *
     * @return the cached filter instance
     * @throws Exception if the authentication manager cannot be obtained
     */
    @Bean
    public NiFiAnonymousAuthenticationFilter anonymousFilterBean() throws Exception {
        if (anonymousAuthenticationFilter != null) {
            return anonymousAuthenticationFilter;
        }
        anonymousAuthenticationFilter = new NiFiAnonymousAuthenticationFilter();
        anonymousAuthenticationFilter.setProperties(properties);
        anonymousAuthenticationFilter.setAuthenticationManager(authenticationManager());
        return anonymousAuthenticationFilter;
    }

    /** Injects the NiFi properties handed to the filters and the CSRF token repository. */
    @Autowired
    public void setProperties(NiFiProperties niFiProperties) {
        this.properties = niFiProperties;
    }

    /** Injects the provider that authenticates bearer (JWT) tokens. */
    @Autowired
    public void setJwtAuthenticationProvider(JwtAuthenticationProvider jwtAuthenticationProvider) {
        this.jwtAuthenticationProvider = jwtAuthenticationProvider;
    }

    /** Injects the provider that authenticates Knox requests. */
    @Autowired
    public void setKnoxAuthenticationProvider(KnoxAuthenticationProvider knoxAuthenticationProvider) {
        this.knoxAuthenticationProvider = knoxAuthenticationProvider;
    }

    /** Injects the provider that handles anonymous authentication requests. */
    @Autowired
    public void setAnonymousAuthenticationProvider(NiFiAnonymousAuthenticationProvider niFiAnonymousAuthenticationProvider) {
        this.anonymousAuthenticationProvider = niFiAnonymousAuthenticationProvider;
    }

    /** Injects the provider that authenticates client certificates. */
    @Autowired
    public void setX509AuthenticationProvider(X509AuthenticationProvider x509AuthenticationProvider) {
        this.x509AuthenticationProvider = x509AuthenticationProvider;
    }

    /** Injects the extractor passed to the X.509 filter for reading the client certificate. */
    @Autowired
    public void setCertificateExtractor(X509CertificateExtractor x509CertificateExtractor) {
        this.certificateExtractor = x509CertificateExtractor;
    }

    /** Injects the extractor passed to the X.509 filter for deriving the principal. */
    @Autowired
    public void setPrincipalExtractor(X509PrincipalExtractor x509PrincipalExtractor) {
        this.principalExtractor = x509PrincipalExtractor;
    }
}
