package org.apache.nifi.web.security;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Objects;
import org.apache.nifi.web.security.cookie.ApplicationCookieName;
import org.apache.nifi.web.security.cookie.ApplicationCookieService;
import org.apache.nifi.web.security.cookie.StandardApplicationCookieService;
import org.apache.nifi.web.servlet.shared.RequestUriBuilder;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/apache/nifi/web/security/StandardAuthenticationEntryPoint.class */
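/**
 * Authentication entry point that answers a failed authentication with an HTTP 401 response,
 * removes the Authorization Bearer cookie when the request carried one, and writes a short
 * plain-text message as the response body.
 *
 * <p>Failures of type {@link OAuth2AuthenticationException} are first handed to the configured
 * {@link BearerTokenAuthenticationEntryPoint}; every other failure gets a bare 401 status.
 */
public class StandardAuthenticationEntryPoint implements AuthenticationEntryPoint {
    /** Response header read back to derive the message written to the body. */
    protected static final String AUTHENTICATE_HEADER = "WWW-Authenticate";
    /** Scheme name replaced with {@link #UNAUTHORIZED} in the body message. */
    protected static final String BEARER_HEADER = "Bearer";
    /** Default body message. */
    protected static final String UNAUTHORIZED = "Unauthorized";
    /** Exception message suffix that is mapped to {@link #SESSION_EXPIRED}. */
    protected static final String EXPIRED_JWT = "Expired JWT";
    /** Body message returned when the exception message ends with {@link #EXPIRED_JWT}. */
    protected static final String SESSION_EXPIRED = "Session Expired";
    private static final String ROOT_PATH = "/";
    private static final ApplicationCookieService applicationCookieService = new StandardApplicationCookieService();
    private final BearerTokenAuthenticationEntryPoint bearerTokenAuthenticationEntryPoint;

    /**
     * @param bearerTokenAuthenticationEntryPoint delegate used for OAuth2 authentication failures; must not be null
     * @throws NullPointerException if the delegate is null
     */
    public StandardAuthenticationEntryPoint(BearerTokenAuthenticationEntryPoint bearerTokenAuthenticationEntryPoint) {
        this.bearerTokenAuthenticationEntryPoint = Objects.requireNonNull(
                bearerTokenAuthenticationEntryPoint, "Bearer Token Authentication Entry Point required");
    }

    /**
     * Responds to an authentication failure.
     *
     * @param httpServletRequest request that failed authentication
     * @param httpServletResponse response that receives the status, headers and message
     * @param authenticationException failure that triggered this entry point
     * @throws IOException if writing the response body fails
     */
    public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException {
        if (authenticationException instanceof OAuth2AuthenticationException) {
            // NOTE(review): the delegate is presumably what sets the status and the WWW-Authenticate
            // header that getErrorMessage() reads afterwards; confirm against the Spring Security version in use.
            this.bearerTokenAuthenticationEntryPoint.commence(httpServletRequest, httpServletResponse, authenticationException);
        } else {
            httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        }
        // Keep the cookie removal ahead of the body write: closing the writer commits the response,
        // and the removal (presumably a Set-Cookie header) has to be added before that point.
        removeAuthorizationBearerCookie(httpServletRequest, httpServletResponse);
        sendErrorMessage(httpServletResponse, authenticationException);
    }

    /**
     * Writes the failure message to the response body and closes the writer.
     *
     * @throws IOException if the response writer cannot be obtained
     */
    private void sendErrorMessage(HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException {
        // The message is declared as plain text, not HTML; no charset is specified here.
        httpServletResponse.setContentType("text/plain");
        final String errorMessage = getErrorMessage(httpServletResponse, authenticationException);
        try (PrintWriter writer = httpServletResponse.getWriter()) {
            writer.print(errorMessage);
        }
    }

    /**
     * Derives the body message from the exception and the WWW-Authenticate response header.
     *
     * @return {@link #SESSION_EXPIRED} when the exception message ends with {@link #EXPIRED_JWT}
     *     (case-insensitive); otherwise the WWW-Authenticate header value with the first
     *     {@code Bearer} replaced by {@code Unauthorized}, or {@link #UNAUTHORIZED} when the header is absent
     */
    private String getErrorMessage(HttpServletResponse httpServletResponse, AuthenticationException authenticationException) {
        final String header = httpServletResponse.getHeader(AUTHENTICATE_HEADER);
        if (StringUtils.endsWithIgnoreCase(authenticationException.getMessage(), EXPIRED_JWT)) {
            return SESSION_EXPIRED;
        }
        // NOTE(review): the body mirrors whatever parameters are present in the WWW-Authenticate header,
        // so any failure detail placed in that header is also shown to the client here; confirm that
        // the header content is fit for display.
        final String message = header == null ? UNAUTHORIZED : header;
        // replaceFirst() takes a regular expression; BEARER_HEADER contains no metacharacters.
        return message.replaceFirst(BEARER_HEADER, UNAUTHORIZED);
    }

    /**
     * Removes the Authorization Bearer cookie, scoped to the root path of the request URI,
     * when the request presented one, so a rejected credential is not sent again.
     */
    private void removeAuthorizationBearerCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        final boolean bearerCookiePresent = applicationCookieService
                .getCookieValue(httpServletRequest, ApplicationCookieName.AUTHORIZATION_BEARER)
                .isPresent();
        if (bearerCookiePresent) {
            applicationCookieService.removeCookie(
                    RequestUriBuilder.fromHttpServletRequest(httpServletRequest).path(ROOT_PATH).build(),
                    httpServletResponse,
                    ApplicationCookieName.AUTHORIZATION_BEARER);
        }
    }
}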
