package org.apache.nifi.web.security.saml.impl;

import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.Timer;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicReference;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.util.StringUtils;
import org.apache.nifi.web.security.saml.SAMLConfiguration;
import org.apache.nifi.web.security.saml.SAMLConfigurationFactory;
import org.apache.nifi.web.security.saml.SAMLEndpoints;
import org.apache.nifi.web.security.saml.SAMLService;
import org.opensaml.common.SAMLException;
import org.opensaml.common.SAMLRuntimeException;
import org.opensaml.common.binding.decoding.URIComparator;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.LogoutResponse;
import org.opensaml.saml2.metadata.Endpoint;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.schema.XSString;
import org.opensaml.xml.schema.impl.XSAnyImpl;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.validation.ValidationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.SAMLLogoutProcessingFilter;
import org.springframework.security.saml.SAMLProcessingFilter;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.log.SAMLLogger;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataManager;
import org.springframework.security.saml.metadata.MetadataMemoryProvider;
import org.springframework.security.saml.util.DefaultURLComparator;
import org.springframework.security.saml.util.SAMLUtil;
import org.springframework.security.saml.websso.WebSSOProfileOptions;
import org.springframework.security.web.authentication.logout.LogoutHandler;

/* loaded from: input_file:org/apache/nifi/web/security/saml/impl/StandardSAMLService.class */
public class StandardSAMLService implements SAMLService {
    private static final Logger LOGGER = LoggerFactory.getLogger(StandardSAMLService.class);
    private final NiFiProperties properties;
    private final SAMLConfigurationFactory samlConfigurationFactory;
    private final AtomicBoolean initialized = new AtomicBoolean(false);
    private final AtomicBoolean spMetadataInitialized = new AtomicBoolean(false);
    private final AtomicReference<String> spBaseUrl = new AtomicReference<>(null);
    private final URIComparator uriComparator = new DefaultURLComparator();
    private SAMLConfiguration samlConfiguration;

    public StandardSAMLService(SAMLConfigurationFactory sAMLConfigurationFactory, NiFiProperties niFiProperties) {
        this.properties = niFiProperties;
        this.samlConfigurationFactory = sAMLConfigurationFactory;
    }

    @Override // org.apache.nifi.web.security.saml.SAMLService
    public synchronized void initialize() {
        if (this.properties.isSamlEnabled() && !this.initialized.get()) {
            try {
                LOGGER.info("Initializing SAML Service...");
                this.samlConfiguration = this.samlConfigurationFactory.create(this.properties);
                this.initialized.set(true);
                LOGGER.info("Finished initializing SAML Service");
            } catch (Exception e) {
                throw new RuntimeException("Unable to initialize SAML configuration due to: " + e.getMessage(), e);
            }
        }
    }

    @Override // org.apache.nifi.web.security.saml.SAMLService
    public void shutdown() {
        if (this.properties.isSamlEnabled()) {
            LOGGER.info("Shutting down SAML Service...");
            if (this.samlConfiguration != null) {
                try {
                    Timer backgroundTaskTimer = this.samlConfiguration.getBackgroundTaskTimer();
                    backgroundTaskTimer.purge();
                    backgroundTaskTimer.cancel();
                } catch (Exception e) {
                    LOGGER.warn("Error shutting down background timer: " + e.getMessage(), e);
                }
                try {
                    this.samlConfiguration.getMetadataManager().destroy();
                } catch (Exception e2) {
                    LOGGER.warn("Error shutting down metadata manager: " + e2.getMessage(), e2);
                }
            }
            this.samlConfiguration = null;
            this.initialized.set(false);
            this.spMetadataInitialized.set(false);
            this.spBaseUrl.set(null);
            LOGGER.info("Finished shutting down SAML Service");
        }
    }

    @Override // org.apache.nifi.web.security.saml.SAMLService
    public boolean isSamlEnabled() {
        return this.properties.isSamlEnabled();
    }

    @Override // org.apache.nifi.web.security.saml.SAMLService
    public boolean isServiceProviderInitialized() {
        return this.spMetadataInitialized.get();
    }

    @Override // org.apache.nifi.web.security.saml.SAMLService
    public synchronized void initializeServiceProvider(String str) {
        if (!isSamlEnabled()) {
            throw new IllegalStateException(SAMLService.SAML_SUPPORT_IS_NOT_CONFIGURED);
        }
        if (StringUtils.isBlank(str)) {
            throw new IllegalArgumentException("baseUrl is required when initializing the service provider");
        }
        if (isServiceProviderInitialized()) {
            LOGGER.info("Service provider already initialized with baseUrl = '{}'", new Object[]{this.spBaseUrl.get()});
            return;
        }
        LOGGER.info("Initializing SAML service provider with baseUrl = '{}'", new Object[]{str});
        try {
            initializeServiceProviderMetadata(str);
            this.spBaseUrl.set(str);
            this.spMetadataInitialized.set(true);
            LOGGER.info("Done initializing SAML service provider");
        } catch (Exception e) {
            throw new RuntimeException("Unable to initialize SAML service provider: " + e.getMessage(), e);
        }
    }

    @Override // org.apache.nifi.web.security.saml.SAMLService
    public String getServiceProviderMetadata() {
        verifyReadyForSamlOperations();
        try {
            KeyManager keyManager = this.samlConfiguration.getKeyManager();
            MetadataManager metadataManager = this.samlConfiguration.getMetadataManager();
            return SAMLUtil.getMetadataAsString(metadataManager, keyManager, metadataManager.getEntityDescriptor(this.samlConfiguration.getSpEntityId()), (ExtendedMetadata) null);
        } catch (Exception e) {
            throw new RuntimeException("Unable to obtain SAML service provider metadata", e);
        }
    }

    @Override // org.apache.nifi.web.security.saml.SAMLService
    public long getAuthExpiration() {
        verifyReadyForSamlOperations();
        return this.samlConfiguration.getAuthExpiration();
    }

    @Override // org.apache.nifi.web.security.saml.SAMLService
    public void initiateLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        verifyReadyForSamlOperations();
        SAMLLogger logger = this.samlConfiguration.getLogger();
        try {
            SAMLMessageContext localAndPeerEntity = this.samlConfiguration.getContextProvider().getLocalAndPeerEntity(httpServletRequest, httpServletResponse, Collections.emptyMap());
            WebSSOProfileOptions clone = this.samlConfiguration.getWebSSOProfileOptions().clone();
            clone.setRelayState(str);
            try {
                this.samlConfiguration.getWebSSOProfile().sendAuthenticationRequest(localAndPeerEntity, clone);
                logger.log("AuthNRequest", "SUCCESS", localAndPeerEntity);
            } catch (Exception e) {
                logger.log("AuthNRequest", "FAILURE", localAndPeerEntity);
                throw new RuntimeException("Unable to initiate SAML authentication request: " + e.getMessage(), e);
            }
        } catch (MetadataProviderException e2) {
            throw new IllegalStateException("Unable to create SAML Message Context: " + e2.getMessage(), e2);
        }
    }

    @Override // org.apache.nifi.web.security.saml.SAMLService
    public SAMLCredential processLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Map<String, String> map) {
        verifyReadyForSamlOperations();
        LOGGER.info("Attempting SAML2 authentication using profile {}", "urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser");
        try {
            SAMLMessageContext localEntity = this.samlConfiguration.getContextProvider().getLocalEntity(httpServletRequest, httpServletResponse, map);
            try {
                this.samlConfiguration.getProcessor().retrieveMessage(localEntity);
                localEntity.setCommunicationProfileId("urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser");
                try {
                    localEntity.setLocalEntityEndpoint(getLocalEntityEndpoint(localEntity));
                    if (!"urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser".equals(localEntity.getCommunicationProfileId())) {
                        throw new IllegalStateException("Unsupported profile encountered in the context: " + localEntity.getCommunicationProfileId());
                    }
                    SAMLLogger logger = this.samlConfiguration.getLogger();
                    try {
                        SAMLCredential processAuthenticationResponse = this.samlConfiguration.getWebSSOProfileConsumer().processAuthenticationResponse(localEntity);
                        LOGGER.debug("SAML Response contains successful authentication for NameID: " + processAuthenticationResponse.getNameID().getValue());
                        logger.log("AuthNResponse", "SUCCESS", localEntity);
                        return processAuthenticationResponse;
                    } catch (SAMLException | SAMLRuntimeException e) {
                        LOGGER.error("Error validating SAML message", e);
                        logger.log("AuthNResponse", "FAILURE", localEntity, e);
                        throw new RuntimeException("Error validating SAML message: " + e.getMessage(), e);
                    } catch (DecryptionException e2) {
                        LOGGER.error("Error decrypting SAML message", e2);
                        logger.log("AuthNResponse", "FAILURE", localEntity, e2);
                        throw new RuntimeException("Error decrypting SAML message: " + e2.getMessage(), e2);
                    } catch (SecurityException | ValidationException e3) {
                        LOGGER.error("Error validating signature", e3);
                        logger.log("AuthNResponse", "FAILURE", localEntity, e3);
                        throw new RuntimeException("Error validating SAML message signature: " + e3.getMessage(), e3);
                    }
                } catch (SAMLException e4) {
                    throw new RuntimeException(e4.getMessage(), e4);
                }
            } catch (Exception e5) {
                throw new RuntimeException("Unable to load SAML message: " + e5.getMessage(), e5);
            }
        } catch (MetadataProviderException e6) {
            throw new IllegalStateException("Unable to create SAML Message Context: " + e6.getMessage(), e6);
        }
    }

    @Override // org.apache.nifi.web.security.saml.SAMLService
    public String getUserIdentity(SAMLCredential sAMLCredential) {
        verifyReadyForSamlOperations();
        if (sAMLCredential == null) {
            throw new IllegalArgumentException("SAML Credential is required");
        }
        String str = null;
        String identityAttributeName = this.samlConfiguration.getIdentityAttributeName();
        if (StringUtils.isBlank(identityAttributeName)) {
            str = sAMLCredential.getNameID().getValue();
            LOGGER.info("No identity attribute specified, using NameID for user identity: {}", str);
        } else {
            LOGGER.debug("Looking for SAML attribute {} ...", identityAttributeName);
            List attributes = sAMLCredential.getAttributes();
            if (attributes != null && !attributes.isEmpty()) {
                Iterator it = attributes.iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    Attribute attribute = (Attribute) it.next();
                    if (identityAttributeName.equals(attribute.getName())) {
                        Iterator it2 = attribute.getAttributeValues().iterator();
                        while (true) {
                            if (!it2.hasNext()) {
                                break;
                            }
                            XSString xSString = (XMLObject) it2.next();
                            if (xSString instanceof XSString) {
                                str = xSString.getValue();
                                break;
                            }
                            LOGGER.debug("Value was not XSString, but was " + xSString.getClass().getCanonicalName());
                        }
                        if (str != null) {
                            LOGGER.info("Found user identity {} in attribute {}", str, attribute.getName());
                            break;
                        }
                    } else {
                        LOGGER.trace("Skipping SAML attribute {}", attribute.getName());
                    }
                }
            } else {
                str = sAMLCredential.getNameID().getValue();
                LOGGER.warn("No attributes returned in SAML response, using NameID for user identity: {}", str);
            }
            if (str == null) {
                str = sAMLCredential.getNameID().getValue();
                LOGGER.warn("No attribute found named {}, using NameID for user identity: {}", identityAttributeName, str);
            }
        }
        return str;
    }

    @Override // org.apache.nifi.web.security.saml.SAMLService
    public Set<String> getUserGroups(SAMLCredential sAMLCredential) {
        verifyReadyForSamlOperations();
        if (sAMLCredential == null) {
            throw new IllegalArgumentException("SAML Credential is required");
        }
        String value = sAMLCredential.getNameID().getValue();
        String groupAttributeName = this.samlConfiguration.getGroupAttributeName();
        if (StringUtils.isBlank(groupAttributeName)) {
            LOGGER.warn("Cannot obtain groups for {} because no group attribute name has been configured", value);
            return Collections.emptySet();
        }
        HashSet hashSet = new HashSet();
        if (sAMLCredential.getAttributes() != null) {
            for (Attribute attribute : sAMLCredential.getAttributes()) {
                if (groupAttributeName.equals(attribute.getName())) {
                    for (XSAnyImpl xSAnyImpl : attribute.getAttributeValues()) {
                        if (xSAnyImpl instanceof XSString) {
                            String value2 = ((XSString) xSAnyImpl).getValue();
                            LOGGER.debug("Found group {} for {}", value2, value);
                            hashSet.add(value2);
                        } else if (xSAnyImpl instanceof XSAnyImpl) {
                            String textContent = xSAnyImpl.getTextContent();
                            LOGGER.debug("Found group {} for {}", textContent, value);
                            hashSet.add(textContent);
                        } else {
                            LOGGER.debug("Value was not XSString and XSAnyImpl, but was " + xSAnyImpl.getClass().getCanonicalName());
                        }
                    }
                } else {
                    LOGGER.debug("Skipping SAML attribute {}", attribute.getName());
                }
            }
        }
        return hashSet;
    }

    @Override // org.apache.nifi.web.security.saml.SAMLService
    public void initiateLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SAMLCredential sAMLCredential) {
        verifyReadyForSamlOperations();
        try {
            SAMLMessageContext localAndPeerEntity = this.samlConfiguration.getContextProvider().getLocalAndPeerEntity(httpServletRequest, httpServletResponse, Collections.emptyMap());
            SAMLLogger logger = this.samlConfiguration.getLogger();
            try {
                this.samlConfiguration.getSingleLogoutProfile().sendLogoutRequest(localAndPeerEntity, sAMLCredential);
                logger.log("LogoutRequest", "SUCCESS", localAndPeerEntity);
            } catch (Exception e) {
                logger.log("LogoutRequest", "FAILURE", localAndPeerEntity);
                throw new RuntimeException("Unable to initiate SAML logout request: " + e.getMessage(), e);
            }
        } catch (MetadataProviderException e2) {
            throw new IllegalStateException("Unable to create SAML Message Context: " + e2.getMessage(), e2);
        }
    }

    @Override // org.apache.nifi.web.security.saml.SAMLService
    public void processLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Map<String, String> map) {
        verifyReadyForSamlOperations();
        try {
            SAMLMessageContext localAndPeerEntity = this.samlConfiguration.getContextProvider().getLocalAndPeerEntity(httpServletRequest, httpServletResponse, map);
            try {
                this.samlConfiguration.getProcessor().retrieveMessage(localAndPeerEntity);
                localAndPeerEntity.setCommunicationProfileId("urn:oasis:names:tc:SAML:2.0:profiles:SSO:logout");
                try {
                    localAndPeerEntity.setLocalEntityEndpoint(getLocalEntityEndpoint(localAndPeerEntity));
                    if (localAndPeerEntity.getInboundSAMLMessage() instanceof LogoutResponse) {
                        processLogoutResponse(localAndPeerEntity);
                    } else if (localAndPeerEntity.getInboundSAMLMessage() instanceof LogoutRequest) {
                        processLogoutRequest(localAndPeerEntity);
                    }
                } catch (SAMLException e) {
                    throw new RuntimeException(e.getMessage(), e);
                }
            } catch (Exception e2) {
                throw new RuntimeException("Unable to load SAML message: " + e2.getMessage(), e2);
            }
        } catch (MetadataProviderException e3) {
            throw new IllegalStateException("Unable to create SAML Message Context: " + e3.getMessage(), e3);
        }
    }

    private void processLogoutResponse(SAMLMessageContext sAMLMessageContext) {
        SAMLLogger logger = this.samlConfiguration.getLogger();
        try {
            this.samlConfiguration.getSingleLogoutProfile().processLogoutResponse(sAMLMessageContext);
            logger.log("LogoutResponse", "SUCCESS", sAMLMessageContext);
        } catch (Exception e) {
            LOGGER.error("Received logout response is invalid", e);
            logger.log("LogoutResponse", "FAILURE", sAMLMessageContext, e);
            throw new RuntimeException("Received logout response is invalid: " + e.getMessage(), e);
        }
    }

    private void processLogoutRequest(SAMLMessageContext sAMLMessageContext) {
        throw new UnsupportedOperationException("Apache NiFi currently does not support IDP initiated logout");
    }

    private Endpoint getLocalEntityEndpoint(SAMLMessageContext sAMLMessageContext) throws SAMLException {
        return SAMLUtil.getEndpoint(sAMLMessageContext.getLocalEntityRoleMetadata().getEndpoints(), sAMLMessageContext.getInboundSAMLBinding(), sAMLMessageContext.getInboundMessageTransport(), this.uriComparator);
    }

    private void initializeServiceProviderMetadata(String str) throws MetadataProviderException {
        SAMLProcessingFilter sAMLProcessingFilter = new SAMLProcessingFilter();
        sAMLProcessingFilter.setFilterProcessesUrl(SAMLEndpoints.LOGIN_CONSUMER);
        SAMLLogoutProcessingFilter sAMLLogoutProcessingFilter = new SAMLLogoutProcessingFilter("/nifi", new LogoutHandler[]{(httpServletRequest, httpServletResponse, authentication) -> {
        }});
        sAMLLogoutProcessingFilter.setFilterProcessesUrl(SAMLEndpoints.SINGLE_LOGOUT_CONSUMER);
        MetadataGenerator metadataGenerator = new MetadataGenerator();
        metadataGenerator.setEntityId(this.samlConfiguration.getSpEntityId());
        metadataGenerator.setEntityBaseURL(str);
        metadataGenerator.setExtendedMetadata(this.samlConfiguration.getExtendedMetadata());
        metadataGenerator.setIncludeDiscoveryExtension(false);
        metadataGenerator.setKeyManager(this.samlConfiguration.getKeyManager());
        metadataGenerator.setSamlWebSSOFilter(sAMLProcessingFilter);
        metadataGenerator.setSamlLogoutProcessingFilter(sAMLLogoutProcessingFilter);
        metadataGenerator.setRequestSigned(this.samlConfiguration.isRequestSigningEnabled());
        metadataGenerator.setWantAssertionSigned(this.samlConfiguration.isWantAssertionsSigned());
        EntityDescriptor generateMetadata = metadataGenerator.generateMetadata();
        ExtendedMetadata generateExtendedMetadata = metadataGenerator.generateExtendedMetadata();
        MetadataMemoryProvider metadataMemoryProvider = new MetadataMemoryProvider(generateMetadata);
        metadataMemoryProvider.initialize();
        ExtendedMetadataDelegate extendedMetadataDelegate = new ExtendedMetadataDelegate(metadataMemoryProvider, generateExtendedMetadata);
        MetadataManager metadataManager = this.samlConfiguration.getMetadataManager();
        metadataManager.addMetadataProvider(extendedMetadataDelegate);
        metadataManager.setHostedSPName(generateMetadata.getEntityID());
        metadataManager.refreshMetadata();
    }

    private void verifyReadyForSamlOperations() {
        if (!isSamlEnabled()) {
            throw new IllegalStateException(SAMLService.SAML_SUPPORT_IS_NOT_CONFIGURED);
        }
        if (!this.initialized.get()) {
            throw new IllegalStateException("StandardSAMLService has not been initialized");
        }
        if (!isServiceProviderInitialized()) {
            throw new IllegalStateException("Service Provider is not initialized");
        }
    }
}
