package org.graylog2.security.realm;

import com.google.common.collect.ImmutableList;
import jakarta.inject.Inject;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAccount;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authc.pam.UnsupportedTokenException;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.graylog.security.authservice.AuthServiceAuthenticator;
import org.graylog.security.authservice.AuthServiceException;
import org.graylog.security.authservice.AuthServiceResult;
import org.graylog.security.authservice.AuthServiceToken;
import org.graylog2.shared.security.AuthenticationServiceUnavailableException;
import org.graylog2.shared.security.TypedBearerToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog2/security/realm/BearerTokenRealm.class */
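/**
 * Shiro realm that authenticates {@link TypedBearerToken}s by handing them to the
 * {@link AuthServiceAuthenticator}.
 *
 * <p>Security model: the realm installs an {@link AllowAllCredentialsMatcher}, so Shiro performs no
 * credentials comparison of its own after {@code doGetAuthenticationInfo} returns. The authenticator's
 * verdict ({@link AuthServiceResult#isSuccess()}) is therefore the only gate. Any code path that
 * returns a non-null {@link AuthenticationInfo} is treated as an authenticated subject, so every
 * failure path must return {@code null} or throw.
 */
public class BearerTokenRealm extends AuthenticatingRealm {
    private static final Logger log = LoggerFactory.getLogger(BearerTokenRealm.class);
    public static final String NAME = "bearer-token";
    private final AuthServiceAuthenticator authenticator;

    /**
     * Creates the realm and restricts it to {@link TypedBearerToken}s.
     *
     * @param authServiceAuthenticator authenticator that validates the bearer token
     */
    @Inject
    public BearerTokenRealm(AuthServiceAuthenticator authServiceAuthenticator) {
        this.authenticator = authServiceAuthenticator;
        setAuthenticationTokenClass(TypedBearerToken.class);
        // Realm-level caching is switched off, so authentication info is not served from a realm cache.
        setCachingEnabled(false);
        // No credentials comparison happens in Shiro; the token is validated by the authenticator
        // below, and a non-null result from this realm is accepted as-is.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    /**
     * Authenticates the given token if it is a {@link TypedBearerToken}.
     *
     * @param authenticationToken the token submitted for authentication
     * @return the account for a successfully authenticated token, or {@code null} when the
     *         authenticator rejected it or an unexpected error occurred
     * @throws UnsupportedTokenException if the token is not a {@link TypedBearerToken}
     * @throws AuthenticationException if the authentication service could not be used
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        if (authenticationToken instanceof TypedBearerToken) {
            return doGetAuthenticationInfo((TypedBearerToken) authenticationToken);
        }
        // A null token is reported like any other unsupported token instead of raising a
        // NullPointerException while the message is built.
        final Object tokenType = authenticationToken == null ? null : authenticationToken.getClass();
        throw new UnsupportedTokenException("Unsupported authentication token type: " + tokenType);
    }

    /**
     * Validates the bearer token with the authenticator and maps the outcome onto Shiro's contract.
     *
     * <p>Only the token type is logged; the token value itself is never written to the log by this
     * method.
     *
     * @param typedBearerToken the bearer token to validate
     * @return the account on success, otherwise {@code null}
     * @throws AuthenticationException if the authenticator raised an {@link AuthServiceException}
     */
    private AuthenticationInfo doGetAuthenticationInfo(TypedBearerToken typedBearerToken) throws AuthenticationException {
        log.debug("Attempting authentication for bearer token of type <{}>.", typedBearerToken.getType());
        try {
            final AuthServiceToken serviceToken = AuthServiceToken.builder()
                    .token(typedBearerToken.getToken())
                    .type(typedBearerToken.getType())
                    .build();
            final AuthServiceResult result = this.authenticator.authenticate(serviceToken);

            if (!result.isSuccess()) {
                log.warn("Failed to authenticate username <{}> with backend <{}/{}/{}>",
                        result.username(), result.backendTitle(), result.backendType(), result.backendId());
                return null;
            }

            log.debug("Successfully authenticated username <{}> for user profile <{}> with backend <{}/{}/{}>",
                    result.username(), result.userProfileId(), result.backendTitle(), result.backendType(),
                    result.backendId());
            return toAuthenticationInfo(result);
        } catch (AuthServiceException e) {
            // Surfaced as its own exception type rather than as a plain authentication failure.
            throw new AuthenticationServiceUnavailableException(e);
        } catch (Exception e) {
            // Fail closed: with the allow-all matcher in place, returning null is what keeps an
            // unexpected error from ever yielding an authenticated subject.
            log.error("Unhandled authentication error", e);
            return null;
        }
    }

    /**
     * Builds the Shiro account for a successful result.
     *
     * <p>The principals are the user profile id followed by the session attributes. The realm name is
     * {@code bearer-token/<backendType>}. Credentials are {@code null} because this realm never
     * compares credentials.
     *
     * @param authServiceResult a successful authentication result
     * @return the account to hand back to Shiro
     */
    private AuthenticationInfo toAuthenticationInfo(AuthServiceResult authServiceResult) {
        final String realmName = NAME + "/" + authServiceResult.backendType();
        final SimplePrincipalCollection principals = new SimplePrincipalCollection(
                ImmutableList.of(authServiceResult.userProfileId(), authServiceResult.sessionAttributes()),
                realmName);
        return new SimpleAccount(principals, (Object) null, realmName);
    }
}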
