package org.graylog2.rest.resources.system;

import com.fasterxml.jackson.databind.JsonNode;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiParam;
import java.io.IOException;
import java.util.Optional;
import java.util.Set;
import javax.inject.Inject;
import javax.inject.Named;
import javax.validation.constraints.NotNull;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.InternalServerErrorException;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.ServiceUnavailableException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.glassfish.grizzly.http.server.Request;
import org.graylog2.audit.AuditEventTypes;
import org.graylog2.audit.jersey.AuditEvent;
import org.graylog2.audit.jersey.NoAuditEvent;
import org.graylog2.plugin.database.users.User;
import org.graylog2.rest.MoreMediaTypes;
import org.graylog2.rest.RestTools;
import org.graylog2.rest.models.system.sessions.responses.SessionResponse;
import org.graylog2.rest.models.system.sessions.responses.SessionResponseFactory;
import org.graylog2.rest.models.system.sessions.responses.SessionValidationResponse;
import org.graylog2.shared.rest.documentation.generator.Generator;
import org.graylog2.shared.rest.resources.RestResource;
import org.graylog2.shared.security.ActorAwareAuthenticationTokenFactory;
import org.graylog2.shared.security.AuthenticationServiceUnavailableException;
import org.graylog2.shared.security.SessionCreator;
import org.graylog2.shared.security.ShiroAuthenticationFilter;
import org.graylog2.shared.security.ShiroSecurityContext;
import org.graylog2.shared.users.UserService;
import org.graylog2.utilities.IpSubnet;

@Api(value = "System/Sessions", tags = {Generator.CLOUD_VISIBLE})
@Path("/system/sessions")
@Consumes({MoreMediaTypes.APPLICATION_JSON})
@Produces({MoreMediaTypes.APPLICATION_JSON})
/* loaded from: input_file:org/graylog2/rest/resources/system/SessionsResource.class */
public class SessionsResource extends RestResource {
    private final DefaultSecurityManager securityManager;
    private final ShiroAuthenticationFilter authenticationFilter;
    private final Set<IpSubnet> trustedSubnets;
    private final Request grizzlyRequest;
    private final SessionCreator sessionCreator;
    private final ActorAwareAuthenticationTokenFactory tokenFactory;
    private final SessionResponseFactory sessionResponseFactory;
    private final CookieFactory cookieFactory;
    private static final String USERNAME = "username";

    @Inject
    public SessionsResource(UserService userService, DefaultSecurityManager defaultSecurityManager, ShiroAuthenticationFilter shiroAuthenticationFilter, @Named("trusted_proxies") Set<IpSubnet> set, @Context Request request, SessionCreator sessionCreator, ActorAwareAuthenticationTokenFactory actorAwareAuthenticationTokenFactory, SessionResponseFactory sessionResponseFactory, CookieFactory cookieFactory) {
        this.cookieFactory = cookieFactory;
        this.userService = userService;
        this.securityManager = defaultSecurityManager;
        this.authenticationFilter = shiroAuthenticationFilter;
        this.trustedSubnets = set;
        this.grizzlyRequest = request;
        this.sessionCreator = sessionCreator;
        this.tokenFactory = actorAwareAuthenticationTokenFactory;
        this.sessionResponseFactory = sessionResponseFactory;
    }

    @POST
    @ApiOperation(value = "Create a new session", notes = "This request creates a new session for a user or reactivates an existing session: the equivalent of logging in.", response = SessionResponse.class)
    @NoAuditEvent("dispatches audit events in the method body")
    public Response newSession(@Context ContainerRequestContext containerRequestContext, @NotNull @ApiParam(name = "Login request", value = "Credentials. The default implementation requires presence of two properties: 'username' and 'password'. However a plugin may customize which kind of credentials are accepted and therefore expect different properties.", required = true) JsonNode jsonNode) {
        rejectServiceAccount(jsonNode);
        SecurityContext securityContext = containerRequestContext.getSecurityContext();
        if (!(securityContext instanceof ShiroSecurityContext)) {
            throw new InternalServerErrorException("Unsupported SecurityContext class, this is a bug!");
        }
        ShiroSecurityContext shiroSecurityContext = (ShiroSecurityContext) securityContext;
        try {
            try {
                Optional<Session> login = this.sessionCreator.login(shiroSecurityContext.getUsername(), RestTools.getRemoteAddrFromRequest(this.grizzlyRequest, this.trustedSubnets), this.tokenFactory.forRequestBody(jsonNode));
                if (!login.isPresent()) {
                    throw new NotAuthorizedException("Invalid credentials.", "Basic realm=\"Graylog Server session\"", new Object[0]);
                }
                SessionResponse forSession = this.sessionResponseFactory.forSession(login.get());
                return Response.ok().entity(forSession).cookie(new NewCookie[]{this.cookieFactory.createAuthenticationCookie(forSession, containerRequestContext)}).build();
            } catch (AuthenticationServiceUnavailableException e) {
                throw new ServiceUnavailableException("Authentication service unavailable");
            }
        } catch (IllegalArgumentException e2) {
            throw new BadRequestException(e2.getMessage());
        }
    }

    private void rejectServiceAccount(JsonNode jsonNode) {
        User load;
        if (jsonNode.has("username") && (load = this.userService.load(jsonNode.get("username").asText())) != null && load.isServiceAccount()) {
            throw new BadRequestException("Cannot login with service account " + load.getName());
        }
    }

    @GET
    @ApiOperation(value = "Validate an existing session", notes = "Checks the session with the given ID: returns http status 204 (No Content) if session is valid.", code = 204, response = SessionValidationResponse.class)
    public Response validateSession(@Context ContainerRequestContext containerRequestContext) {
        try {
            this.authenticationFilter.filter(containerRequestContext);
            Subject subject = getSubject();
            if (!subject.isAuthenticated()) {
                return Response.ok(SessionValidationResponse.invalid()).cookie(new NewCookie[]{this.cookieFactory.deleteAuthenticationCookie(containerRequestContext)}).build();
            }
            Session retrieveOrCreateSession = retrieveOrCreateSession(subject);
            return Response.ok(SessionValidationResponse.validWithNewSession(String.valueOf(retrieveOrCreateSession.getId()), String.valueOf(getCurrentUser().getName()))).cookie(new NewCookie[]{this.cookieFactory.createAuthenticationCookie(this.sessionResponseFactory.forSession(retrieveOrCreateSession), containerRequestContext)}).build();
        } catch (NotAuthorizedException | LockedAccountException | IOException e) {
            return Response.ok(SessionValidationResponse.invalid()).cookie(new NewCookie[]{this.cookieFactory.deleteAuthenticationCookie(containerRequestContext)}).build();
        }
    }

    private Session retrieveOrCreateSession(Subject subject) {
        Session session = subject.getSession(false);
        if (!needToCreateNewSession(session)) {
            return session;
        }
        return this.sessionCreator.create(subject, RestTools.getRemoteAddrFromRequest(this.grizzlyRequest, this.trustedSubnets)).orElseThrow(() -> {
            return new NotAuthorizedException("Invalid credentials.", "Basic realm=\"Graylog Server session\"", new Object[0]);
        });
    }

    private boolean needToCreateNewSession(Session session) {
        return session == null && ShiroSecurityContext.isSessionCreationRequested();
    }

    @RequiresAuthentication
    @Path("/{sessionId}")
    @AuditEvent(type = AuditEventTypes.SESSION_DELETE)
    @DELETE
    @ApiOperation(value = "Terminate an existing session", notes = "Destroys the session with the given ID: the equivalent of logging out.")
    @Deprecated
    public Response terminateSessionWithId(@PathParam("sessionId") @ApiParam(name = "sessionId", required = true) String str, @Context ContainerRequestContext containerRequestContext) {
        this.securityManager.logout(getSubject());
        return Response.ok().cookie(new NewCookie[]{this.cookieFactory.deleteAuthenticationCookie(containerRequestContext)}).build();
    }

    @RequiresAuthentication
    @AuditEvent(type = AuditEventTypes.SESSION_DELETE)
    @DELETE
    @ApiOperation(value = "Terminate an existing session", notes = "Destroys the session with the given ID: the equivalent of logging out.")
    public Response terminateSession(@Context ContainerRequestContext containerRequestContext) {
        this.securityManager.logout(getSubject());
        return Response.ok().cookie(new NewCookie[]{this.cookieFactory.deleteAuthenticationCookie(containerRequestContext)}).build();
    }
}
