package org.apache.nifi.controller.queue.clustered.server;

import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import java.util.stream.Collectors;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.nifi.cluster.coordination.ClusterCoordinator;
import org.apache.nifi.cluster.coordination.node.NodeConnectionState;
import org.apache.nifi.events.EventReporter;
import org.apache.nifi.reporting.Severity;
import org.apache.nifi.security.util.CertificateUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/controller/queue/clustered/server/ClusterLoadBalanceAuthorizer.class */
/**
 * Authorizes a peer that has completed a TLS handshake to push load-balanced data into this
 * node's queues. A peer is accepted when one of its client-certificate identities is the API
 * address of a node known to the {@link ClusterCoordinator}, or, failing that, when the
 * certificate host-name-verifies against one of those addresses.
 */
public class ClusterLoadBalanceAuthorizer implements LoadBalanceAuthorizer {
    private static final Logger logger = LoggerFactory.getLogger(ClusterLoadBalanceAuthorizer.class);

    // Same text is logged and reported as a bulletin when no identity matches a cluster node.
    private static final String DENIED_MESSAGE =
            "Authorization failed for Client ID's to Load Balance data because none of the ID's are known Cluster Node Identifiers";

    private final ClusterCoordinator clusterCoordinator;
    private final EventReporter eventReporter;
    private final HostnameVerifier hostnameVerifier = new DefaultHostnameVerifier();

    /**
     * @param clusterCoordinator source of the node identifiers (and thus API addresses) of the cluster
     * @param eventReporter      receives a {@code WARNING} bulletin whenever a peer is denied
     */
    public ClusterLoadBalanceAuthorizer(ClusterCoordinator clusterCoordinator, EventReporter eventReporter) {
        this.clusterCoordinator = clusterCoordinator;
        this.eventReporter = eventReporter;
    }

    /**
     * Decides whether the peer on {@code sSLSocket} may load-balance data to this node.
     *
     * <p>Order of checks:
     * <ol>
     *   <li>Any Subject Alternative Name of the peer's leaf certificate that equals a cluster
     *       node's API address wins; that identity is returned.</li>
     *   <li>Otherwise each node API address is host-name-verified against the TLS session; on the
     *       first success the host name resolved from the socket's remote address is returned.</li>
     * </ol>
     *
     * <p>NOTE(review): on the second path the returned value comes from a reverse-DNS lookup on the
     * socket address, not from the certificate or the matched node address — confirm callers use
     * it only as a display label and not as an authorization decision input.
     *
     * @param sSLSocket socket whose TLS session has already been established
     * @return the identity under which the peer was authorized (see above for which value that is)
     * @throws NotAuthorizedException when no certificate identity matches any known cluster node
     * @throws IOException when the peer certificate cannot be read, is not X.509, is expired or
     *                     not yet valid, or the peer was never verified by the TLS handshake
     */
    @Override // org.apache.nifi.controller.queue.clustered.server.LoadBalanceAuthorizer
    public String authorize(SSLSocket sSLSocket) throws NotAuthorizedException, IOException {
        final SSLSession session = sSLSocket.getSession();
        try {
            final Set<String> clientIdentities = extractClientIdentities(session);
            logger.debug("Will perform authorization against Client Identities '{}'", clientIdentities);

            // No connection-state filter is passed; presumably this yields every node the
            // coordinator knows regardless of state — confirm against ClusterCoordinator.
            final Set<String> nodeApiAddresses = this.clusterCoordinator
                    .getNodeIdentifiers(new NodeConnectionState[0])
                    .stream()
                    .map(nodeId -> nodeId.getApiAddress())
                    .collect(Collectors.toSet());

            final String knownIdentity = firstKnownIdentity(clientIdentities, nodeApiAddresses);
            if (knownIdentity != null) {
                logger.debug("Client ID '{}' is in the list of Nodes in the Cluster. Authorizing Client to Load Balance data", knownIdentity);
                return knownIdentity;
            }

            final String verifiedAddress = firstVerifiedNodeAddress(nodeApiAddresses, session);
            if (verifiedAddress != null) {
                // Reverse-DNS name of the remote side, not the verified address itself.
                final String socketHostName = sSLSocket.getInetAddress().getHostName();
                logger.debug("The request was verified with node '{}'. The hostname derived from the socket is '{}'. Authorizing Client to Load Balance data", verifiedAddress, socketHostName);
                return socketHostName;
            }

            logger.warn(DENIED_MESSAGE);
            this.eventReporter.reportEvent(Severity.WARNING, "Load Balanced Connections", DENIED_MESSAGE);
            throw new NotAuthorizedException("Client ID's " + clientIdentities + " are not authorized to Load Balance data");
        } catch (CertificateException e) {
            throw new IOException("Failed to extract Client Certificate", e);
        }
    }

    /**
     * Returns the first client identity (in the set's iteration order) that is also a node API
     * address, or {@code null} when none is.
     */
    private static String firstKnownIdentity(Set<String> clientIdentities, Set<String> nodeApiAddresses) {
        for (final String identity : clientIdentities) {
            if (nodeApiAddresses.contains(identity)) {
                return identity;
            }
        }
        return null;
    }

    /**
     * Returns the first node API address (in the set's iteration order) that the TLS session's
     * peer certificate host-name-verifies against, or {@code null} when none does.
     */
    private String firstVerifiedNodeAddress(Set<String> nodeApiAddresses, SSLSession session) {
        for (final String address : nodeApiAddresses) {
            if (this.hostnameVerifier.verify(address, session)) {
                return address;
            }
        }
        return null;
    }

    /**
     * Extracts the identities of the peer from its leaf certificate.
     *
     * <p>Only the first certificate of the peer chain is inspected; trust in the chain itself is
     * established by the TLS handshake, which is why an unverified peer surfaces here as
     * {@link SSLPeerUnverifiedException}. The certificate's validity period is checked explicitly,
     * so an expired or not-yet-valid certificate is rejected even if the handshake accepted it.
     *
     * @param sSLSession the established TLS session
     * @return the user names derived from the certificate's Subject Alternative Names
     * @throws CertificateException        if the certificate is not X.509 or is outside its validity period
     * @throws SSLPeerUnverifiedException  if the session carries no peer certificates
     */
    private Set<String> extractClientIdentities(SSLSession sSLSession) throws CertificateException, SSLPeerUnverifiedException {
        final Certificate[] peerChain = sSLSession.getPeerCertificates();
        if (peerChain == null || peerChain.length == 0) {
            throw new SSLPeerUnverifiedException("No certificates found");
        }
        final X509Certificate leafCertificate = CertificateUtils.convertAbstractX509Certificate(peerChain[0]);
        leafCertificate.checkValidity();
        return CertificateUtils.getSubjectAlternativeNames(leafCertificate)
                .stream()
                .map(CertificateUtils::extractUsername)
                .collect(Collectors.toSet());
    }
}
