package org.graylog2.security.realm;

import javax.inject.Inject;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAccount;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.graylog2.plugin.database.ValidationException;
import org.graylog2.plugin.database.users.User;
import org.graylog2.security.AccessToken;
import org.graylog2.security.AccessTokenService;
import org.graylog2.shared.security.AccessTokenAuthToken;
import org.graylog2.shared.users.UserService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog2/security/realm/AccessTokenAuthenticator.class */
/**
 * Shiro realm that authenticates subjects presenting an {@link AccessTokenAuthToken}.
 *
 * <p>Security note: the constructor installs {@link AllowAllCredentialsMatcher}, so no credential
 * comparison happens after {@link #doGetAuthenticationInfo} returns. The lookup of the presented
 * token value through {@code AccessTokenService.load} is therefore the only proof of identity in
 * this realm: every non-null result of that method is an accepted login.
 */
public class AccessTokenAuthenticator extends AuthenticatingRealm {
    private static final Logger LOG = LoggerFactory.getLogger(AccessTokenAuthenticator.class);
    private final AccessTokenService accessTokenService;
    private final UserService userService;
    private final LdapUserAuthenticator ldapAuthenticator;

    /**
     * Wires the collaborating services and restricts the realm to access-token logins.
     *
     * @param accessTokenService store used to resolve and touch access tokens
     * @param userService store used to resolve the user named by a token
     * @param ldapUserAuthenticator consulted to find out whether LDAP authentication is enabled
     */
    @Inject
    public AccessTokenAuthenticator(AccessTokenService accessTokenService, UserService userService, LdapUserAuthenticator ldapUserAuthenticator) {
        this.accessTokenService = accessTokenService;
        this.userService = userService;
        this.ldapAuthenticator = ldapUserAuthenticator;
        // Only AccessTokenAuthToken instances are routed to this realm, which is what makes the
        // cast in doGetAuthenticationInfo safe.
        setAuthenticationTokenClass(AccessTokenAuthToken.class);
        // No credential comparison: possession of a token that resolves to a user is the whole check.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    /**
     * Resolves the presented access token to its owning user.
     *
     * <p>NOTE(review): no expiry, revocation or scope check is visible in this method; if such a
     * policy exists it has to be enforced inside {@code AccessTokenService.load} — confirm.
     *
     * @param authenticationToken the submitted token, cast to {@link AccessTokenAuthToken}
     * @return an account named after the token's user, or {@code null} when the token or its user
     *     cannot be loaded
     * @throws LockedAccountException when the user is external and LDAP authentication is disabled
     */
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        final AccessTokenAuthToken presented = (AccessTokenAuthToken) authenticationToken;
        // NOTE(review): if getToken() can return null, String.valueOf may turn it into the literal
        // text "null" and that text is then looked up as a token value — confirm against the caller.
        final String tokenValue = String.valueOf(presented.getToken());

        final AccessToken accessToken = this.accessTokenService.load(tokenValue);
        if (accessToken == null) {
            return null;
        }

        final User tokenOwner = this.userService.load(accessToken.getUserName());
        if (tokenOwner == null) {
            // The token names a user that can no longer be loaded: treat it as unknown.
            return null;
        }

        // Tokens of external users stop working while the LDAP authenticator is switched off, so a
        // token cannot outlive the directory integration that vouched for its owner.
        final boolean externalWithoutLdap = tokenOwner.isExternalUser() && !this.ldapAuthenticator.isEnabled();
        if (externalWithoutLdap) {
            throw new LockedAccountException("LDAP authentication is currently disabled.");
        }

        if (LOG.isDebugEnabled()) {
            // NOTE(review): this logs the User object through its toString(); confirm that the
            // representation carries no password hash or other secret.
            LOG.debug("Found user {} for access token.", tokenOwner);
        }

        touchQuietly(accessToken);
        // Credentials are null on purpose; the AllowAllCredentialsMatcher never inspects them.
        return new SimpleAccount(tokenOwner.getName(), (Object) null, "access token realm");
    }

    /**
     * Updates the token's last access date without letting a failure block the login.
     *
     * <p>A failed update only produces a warning, so the stored last access date can lag behind
     * real use; keep that in mind when the date is used to spot stale or unexpectedly active tokens.
     */
    private void touchQuietly(AccessToken accessToken) {
        try {
            this.accessTokenService.touch(accessToken);
        } catch (ValidationException e) {
            LOG.warn("Unable to update access token's last access date.", e);
        }
    }
}
