package org.apache.nifi.web.security.node;

import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.authentication.AuthenticationResponse;
import org.apache.nifi.controller.FlowController;
import org.apache.nifi.util.NiFiProperties;
import org.apache.nifi.web.security.token.NiFiAuthorizationToken;
import org.apache.nifi.web.security.user.NiFiUserDetails;
import org.apache.nifi.web.security.x509.X509CertificateExtractor;
import org.apache.nifi.web.security.x509.X509IdentityProvider;
import org.apache.nifi.web.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.context.support.WebApplicationContextUtils;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:org/apache/nifi/web/security/node/NodeAuthorizedUserFilter.class */
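/**
 * Servlet filter that lets a cluster node accept a user identity forwarded in the
 * {@value #PROXY_USER_DETAILS} request header.
 *
 * <p>When the header is present and this instance is configured as a node, the filter authenticates the
 * client certificate, compares the resulting identity with the cluster manager DN reported by the
 * {@code FlowController}, and only on an exact match deserializes the header into a
 * {@link NiFiUserDetails} and installs it as the current Spring Security authentication. Whatever the
 * outcome, the request is always passed on to the rest of the filter chain.
 *
 * <p>Security note: the header value is a serialized object supplied by the peer. The certificate/DN
 * comparison is the only gate in this class in front of the deserialization call, and the
 * {@code instanceof} check runs after the object has already been rebuilt, so it does not limit which
 * classes get instantiated. {@code WebUtils.deserializeHexToObject} is not visible here; it presumably
 * uses Java native deserialization (a {@code ClassNotFoundException} is caught below) and should apply a
 * class allow-list such as an {@code ObjectInputFilter} - confirm against that helper.
 */
public class NodeAuthorizedUserFilter extends GenericFilterBean {
    private static final Logger LOGGER = LoggerFactory.getLogger(NodeAuthorizedUserFilter.class);
    public static final String PROXY_USER_DETAILS = "X-ProxiedEntityUserDetails";
    private NiFiProperties properties;
    private X509CertificateExtractor certificateExtractor;
    private X509IdentityProvider certificateIdentityProvider;

    /**
     * Installs the proxied user as the current authentication when the request qualifies, then continues
     * the chain.
     *
     * @param servletRequest  the incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse the response, passed through untouched
     * @param filterChain     the remaining filters, always invoked
     * @throws IOException      if a later filter fails with an I/O error
     * @throws ServletException if a later filter fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        String serializedUser = request.getHeader(PROXY_USER_DETAILS);
        if (StringUtils.isNotBlank(serializedUser) && this.properties.isNode()) {
            authenticateProxiedUser(request, serializedUser);
        }
        // No branch above rejects the request: a request that does not qualify simply continues without
        // an authentication set by this filter.
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Trusts the serialized user only when the client certificate authenticates as the cluster manager.
     * Every failure path returns without touching the security context.
     */
    private void authenticateProxiedUser(HttpServletRequest request, String serializedUser) {
        FlowController flowController = WebApplicationContextUtils.getWebApplicationContext(getServletContext()).getBean("flowController", FlowController.class);
        if (flowController.getNodeId() == null) {
            return;
        }
        try {
            X509Certificate[] clientCertificates = this.certificateExtractor.extractClientCertificate(request);
            if (clientCertificates == null) {
                return;
            }
            AuthenticationResponse authentication = this.certificateIdentityProvider.authenticate(clientCertificates);
            String clusterManagerDn = flowController.getClusterManagerDN();
            // Exact string match against the configured cluster manager DN; any other certificate
            // identity leaves the header unread.
            if (clusterManagerDn == null || !clusterManagerDn.equals(authentication.getIdentity())) {
                return;
            }
            // SECURITY: deserializes peer-supplied header data. Reached only after the DN check above.
            Object proxiedUser = WebUtils.deserializeHexToObject(serializedUser);
            if (proxiedUser instanceof NiFiUserDetails) {
                NiFiUserDetails userDetails = (NiFiUserDetails) proxiedUser;
                // NOTE(review): the identity comes from the deserialized header and the URL from the
                // request; confirm the log layout neutralises line breaks in these values.
                this.logger.info(String.format("Attempting request for (%s) %s %s (source ip: %s)", userDetails.getNiFiUser().getIdentity(), request.getMethod(), request.getRequestURL().toString(), request.getRemoteAddr()));
                SecurityContextHolder.getContext().setAuthentication(new NiFiAuthorizationToken(userDetails));
            }
        } catch (ClassNotFoundException e) {
            LOGGER.warn("Classpath issue detected because failed to deserialize authorized user in request header due to: " + e, e);
        } catch (IllegalArgumentException e) {
            // Previously swallowed silently. Which call raises this is not visible here (presumably
            // certificate authentication or hex decoding - confirm). The request still proceeds
            // without the proxied identity; debug level keeps a trace without flooding default logs.
            LOGGER.debug("Unable to authenticate proxied user from " + PROXY_USER_DETAILS + " header", e);
        }
    }

    /** Sets the NiFi properties used to decide whether this instance is a cluster node. */
    public void setProperties(NiFiProperties niFiProperties) {
        this.properties = niFiProperties;
    }

    /** Sets the provider that turns a client certificate chain into an authenticated identity. */
    public void setCertificateIdentityProvider(X509IdentityProvider x509IdentityProvider) {
        this.certificateIdentityProvider = x509IdentityProvider;
    }

    /** Sets the extractor that reads the client certificate chain from the request. */
    public void setCertificateExtractor(X509CertificateExtractor x509CertificateExtractor) {
        this.certificateExtractor = x509CertificateExtractor;
    }
}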
