package org.apache.nifi.websocket.jetty;

import java.net.URI;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.Tags;
import org.apache.nifi.annotation.lifecycle.OnDisabled;
import org.apache.nifi.annotation.lifecycle.OnEnabled;
import org.apache.nifi.annotation.lifecycle.OnShutdown;
import org.apache.nifi.components.AllowableValue;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.controller.ConfigurationContext;
import org.apache.nifi.expression.ExpressionLanguageScope;
import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.ssl.SSLContextService;
import org.apache.nifi.websocket.WebSocketConfigurationException;
import org.apache.nifi.websocket.WebSocketServerService;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.DefaultAuthenticatorFactory;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.server.ConnectionFactory;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.ContextHandlerCollection;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHandler;
import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.websocket.api.Session;
import org.eclipse.jetty.websocket.api.WebSocketPolicy;
import org.eclipse.jetty.websocket.servlet.ServletUpgradeRequest;
import org.eclipse.jetty.websocket.servlet.ServletUpgradeResponse;
import org.eclipse.jetty.websocket.servlet.WebSocketCreator;
import org.eclipse.jetty.websocket.servlet.WebSocketServlet;
import org.eclipse.jetty.websocket.servlet.WebSocketServletFactory;

@CapabilityDescription("Implementation of WebSocketServerService. This service uses Jetty WebSocket server module to provide WebSocket session management throughout the application.")
@Tags({"WebSocket", "Jetty", "server"})
/* loaded from: input_file:org/apache/nifi/websocket/jetty/JettyWebSocketServer.class */
public class JettyWebSocketServer extends AbstractJettyWebSocketService implements WebSocketServerService {
    private static final Map<Integer, JettyWebSocketServer> portToControllerService = new ConcurrentHashMap();
    public static final AllowableValue CLIENT_NONE = new AllowableValue("no", "No Authentication", "Processor will not authenticate clients. Anyone can communicate with this Processor anonymously");
    public static final AllowableValue CLIENT_WANT = new AllowableValue("want", "Want Authentication", "Processor will try to verify the client but if unable to verify will allow the client to communicate anonymously");
    public static final AllowableValue CLIENT_NEED = new AllowableValue("need", "Need Authentication", "Processor will reject communications from any client unless the client provides a certificate that is trusted by the TrustStore specified in the SSL Context Service");
    public static final AllowableValue LOGIN_SERVICE_HASH = new AllowableValue("hash", "HashLoginService", "See http://www.eclipse.org/jetty/javadoc/current/org/eclipse/jetty/security/HashLoginService.html for detail.");
    public static final PropertyDescriptor CLIENT_AUTH = new PropertyDescriptor.Builder().name("client-authentication").displayName("SSL Client Authentication").description("Specifies whether or not the Processor should authenticate client by its certificate. This value is ignored if the <SSL Context Service> Property is not specified or the SSL Context provided uses only a KeyStore and not a TrustStore.").required(true).allowableValues(new AllowableValue[]{CLIENT_NONE, CLIENT_WANT, CLIENT_NEED}).defaultValue(CLIENT_NONE.getValue()).build();
    public static final PropertyDescriptor LISTEN_PORT = new PropertyDescriptor.Builder().name("listen-port").displayName("Listen Port").description("The port number on which this WebSocketServer listens to.").required(true).expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY).addValidator(StandardValidators.PORT_VALIDATOR).build();
    public static final PropertyDescriptor BASIC_AUTH = new PropertyDescriptor.Builder().name("basic-auth").displayName("Enable Basic Authentication").description("If enabled, client connection requests are authenticated with Basic authentication using the specified Login Provider.").required(true).allowableValues(new String[]{"true", "false"}).defaultValue("false").build();
    public static final PropertyDescriptor AUTH_PATH_SPEC = new PropertyDescriptor.Builder().name("auth-path-spec").displayName("Basic Authentication Path Spec").description("Specify a Path Spec to apply Basic Authentication.").required(false).defaultValue("/*").expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY).addValidator(StandardValidators.NON_EMPTY_VALIDATOR).build();
    public static final PropertyDescriptor AUTH_ROLES = new PropertyDescriptor.Builder().name("auth-roles").displayName("Basic Authentication Roles").description("The authenticated user must have one of specified role. Multiple roles can be set as comma separated string. '*' represents any role and so does '**' any role including no role.").required(false).defaultValue("**").expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY).addValidator(StandardValidators.NON_EMPTY_VALIDATOR).build();
    public static final PropertyDescriptor LOGIN_SERVICE = new PropertyDescriptor.Builder().name("login-service").displayName("Login Service").description("Specify which Login Service to use for Basic Authentication.").required(false).allowableValues(new AllowableValue[]{LOGIN_SERVICE_HASH}).defaultValue(LOGIN_SERVICE_HASH.getValue()).build();
    public static final PropertyDescriptor USERS_PROPERTIES_FILE = new PropertyDescriptor.Builder().name("users-properties-file").displayName("Users Properties File").description("Specify a property file containing users for Basic Authentication using HashLoginService. See http://www.eclipse.org/jetty/documentation/current/configuring-security.html for detail.").required(false).expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY).addValidator(StandardValidators.FILE_EXISTS_VALIDATOR).build();
    private static final List<PropertyDescriptor> properties;
    private WebSocketPolicy configuredPolicy;
    private Server server;
    private Integer listenPort;
    private ServletHandler servletHandler;

    /* loaded from: input_file:org/apache/nifi/websocket/jetty/JettyWebSocketServer$JettyWebSocketServlet.class */
    public static class JettyWebSocketServlet extends WebSocketServlet implements WebSocketCreator {
        public void configure(WebSocketServletFactory webSocketServletFactory) {
            webSocketServletFactory.setCreator(this);
        }

        public Object createWebSocket(ServletUpgradeRequest servletUpgradeRequest, ServletUpgradeResponse servletUpgradeResponse) {
            URI requestURI = servletUpgradeRequest.getRequestURI();
            int localPort = servletUpgradeRequest.getLocalPort();
            final JettyWebSocketServer jettyWebSocketServer = (JettyWebSocketServer) JettyWebSocketServer.portToControllerService.get(Integer.valueOf(localPort));
            if (jettyWebSocketServer == null) {
                throw new RuntimeException("No controller service is bound with port: " + localPort);
            }
            try {
                return new RoutingWebSocketListener(jettyWebSocketServer.routers.getRouterOrFail(requestURI.getPath())) { // from class: org.apache.nifi.websocket.jetty.JettyWebSocketServer.JettyWebSocketServlet.1
                    @Override // org.apache.nifi.websocket.jetty.RoutingWebSocketListener
                    public void onWebSocketConnect(Session session) {
                        WebSocketPolicy policy = session.getPolicy();
                        policy.setInputBufferSize(jettyWebSocketServer.configuredPolicy.getInputBufferSize());
                        policy.setMaxTextMessageSize(jettyWebSocketServer.configuredPolicy.getMaxTextMessageSize());
                        policy.setMaxBinaryMessageSize(jettyWebSocketServer.configuredPolicy.getMaxBinaryMessageSize());
                        super.onWebSocketConnect(session);
                    }
                };
            } catch (WebSocketConfigurationException e) {
                throw new IllegalStateException("Failed to get router due to: " + e, e);
            }
        }
    }

    protected List<PropertyDescriptor> getSupportedPropertyDescriptors() {
        return properties;
    }

    protected Collection<ValidationResult> customValidate(ValidationContext validationContext) {
        ArrayList arrayList = new ArrayList();
        if (validationContext.getProperty(BASIC_AUTH).asBoolean().booleanValue()) {
            if (LOGIN_SERVICE_HASH.equals(validationContext.getProperty(LOGIN_SERVICE).getValue()) && !validationContext.getProperty(USERS_PROPERTIES_FILE).isSet()) {
                arrayList.add(new ValidationResult.Builder().subject(USERS_PROPERTIES_FILE.getDisplayName()).explanation("it is required by HashLoginService").valid(false).build());
            }
        }
        return arrayList;
    }

    @OnEnabled
    public void startServer(ConfigurationContext configurationContext) throws Exception {
        if (this.server != null && this.server.isRunning()) {
            getLogger().info("A WebSocket server is already running. {}", new Object[]{this.server});
            return;
        }
        this.configuredPolicy = WebSocketPolicy.newServerPolicy();
        configurePolicy(configurationContext, this.configuredPolicy);
        this.server = new Server();
        ContextHandlerCollection contextHandlerCollection = new ContextHandlerCollection();
        Handler servletContextHandler = new ServletContextHandler();
        if (configurationContext.getProperty(BASIC_AUTH).asBoolean().booleanValue()) {
            ConstraintSecurityHandler constraintSecurityHandler = new ConstraintSecurityHandler();
            servletContextHandler.insertHandler(constraintSecurityHandler);
            Constraint constraint = new Constraint();
            constraint.setName("auth");
            constraint.setAuthenticate(true);
            constraint.setRoles(configurationContext.getProperty(AUTH_ROLES).evaluateAttributeExpressions().getValue().split(","));
            ConstraintMapping constraintMapping = new ConstraintMapping();
            constraintMapping.setPathSpec(configurationContext.getProperty(AUTH_PATH_SPEC).evaluateAttributeExpressions().getValue());
            constraintMapping.setConstraint(constraint);
            constraintSecurityHandler.setAuthenticatorFactory(new DefaultAuthenticatorFactory());
            constraintSecurityHandler.setAuthMethod("BASIC");
            constraintSecurityHandler.setRealmName(getClass().getSimpleName());
            constraintSecurityHandler.setConstraintMappings(Collections.singletonList(constraintMapping));
            String value = configurationContext.getProperty(LOGIN_SERVICE).getValue();
            if (!LOGIN_SERVICE_HASH.equals(value)) {
                throw new IllegalArgumentException("Unsupported Login Service: " + value);
            }
            HashLoginService hashLoginService = new HashLoginService("HashLoginService", configurationContext.getProperty(USERS_PROPERTIES_FILE).evaluateAttributeExpressions().getValue());
            this.server.addBean(hashLoginService);
            constraintSecurityHandler.setLoginService(hashLoginService);
        }
        this.servletHandler = new ServletHandler();
        servletContextHandler.insertHandler(this.servletHandler);
        contextHandlerCollection.setHandlers(new Handler[]{servletContextHandler});
        this.server.setHandler(contextHandlerCollection);
        this.listenPort = configurationContext.getProperty(LISTEN_PORT).evaluateAttributeExpressions().asInteger();
        this.server.setConnectors(new Connector[]{createConnector(createSslFactory(configurationContext), this.listenPort)});
        this.servletHandler.addServletWithMapping(JettyWebSocketServlet.class, "/*");
        getLogger().info("Starting JettyWebSocketServer on port {}.", new Object[]{this.listenPort});
        this.server.start();
        portToControllerService.put(this.listenPort, this);
    }

    private ServerConnector createConnector(SslContextFactory sslContextFactory, Integer num) {
        ServerConnector serverConnector;
        if (sslContextFactory == null) {
            serverConnector = new ServerConnector(this.server);
        } else {
            HttpConfiguration httpConfiguration = new HttpConfiguration();
            httpConfiguration.setSecureScheme("https");
            httpConfiguration.addCustomizer(new SecureRequestCustomizer());
            serverConnector = new ServerConnector(this.server, new ConnectionFactory[]{new SslConnectionFactory(sslContextFactory, "http/1.1"), new HttpConnectionFactory(httpConfiguration)});
        }
        serverConnector.setPort(num.intValue());
        return serverConnector;
    }

    private SslContextFactory createSslFactory(ConfigurationContext configurationContext) {
        boolean z;
        boolean z2;
        SSLContextService sSLContextService = (SSLContextService) configurationContext.getProperty(SSL_CONTEXT).asControllerService(SSLContextService.class);
        String value = configurationContext.getProperty(CLIENT_AUTH).getValue();
        if (CLIENT_NEED.equals(value)) {
            z = true;
            z2 = false;
        } else if (CLIENT_WANT.equals(value)) {
            z = false;
            z2 = true;
        } else {
            z = false;
            z2 = false;
        }
        return sSLContextService == null ? null : createSslFactory(sSLContextService, z, z2, null);
    }

    @OnShutdown
    @OnDisabled
    public void stopServer() throws Exception {
        if (this.server == null) {
            return;
        }
        getLogger().info("Stopping JettyWebSocketServer.");
        this.server.stop();
        if (portToControllerService.containsKey(this.listenPort) && getIdentifier().equals(portToControllerService.get(this.listenPort).getIdentifier())) {
            portToControllerService.remove(this.listenPort);
        }
    }

    static {
        ArrayList arrayList = new ArrayList();
        arrayList.addAll(getAbstractPropertyDescriptors());
        arrayList.add(LISTEN_PORT);
        arrayList.add(SSL_CONTEXT);
        arrayList.add(CLIENT_AUTH);
        arrayList.add(BASIC_AUTH);
        arrayList.add(AUTH_PATH_SPEC);
        arrayList.add(AUTH_ROLES);
        arrayList.add(LOGIN_SERVICE);
        arrayList.add(USERS_PROPERTIES_FILE);
        properties = Collections.unmodifiableList(arrayList);
    }
}
