package org.graylog2.shared.security;

import com.google.common.collect.ImmutableMap;
import jakarta.inject.Inject;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.annotation.Nullable;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.graylog.schema.SessionFields;
import org.graylog2.audit.AuditActor;
import org.graylog2.audit.AuditEventSender;
import org.graylog2.audit.AuditEventTypes;
import org.graylog2.plugin.cluster.ClusterConfigService;
import org.graylog2.plugin.database.users.User;
import org.graylog2.security.headerauth.HTTPHeaderAuthConfig;
import org.graylog2.security.realm.HTTPHeaderAuthenticationRealm;
import org.graylog2.shared.users.UserService;
import org.graylog2.users.UserConfiguration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog2/shared/security/SessionCreator.class */
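/**
 * Creates Shiro sessions for subjects and records an audit event for every
 * session-creation attempt (success or failure).
 *
 * <p>This listing is decompiler output, so the public parameter names
 * ({@code str}, {@code str2}) are not the original ones. They are kept
 * unchanged here and their meaning is documented on each method.
 */
public class SessionCreator {
    private static final Logger log = LoggerFactory.getLogger(SessionCreator.class);
    private final UserService userService;
    private final AuditEventSender auditEventSender;
    private final ClusterConfigService clusterConfigService;

    @Inject
    public SessionCreator(UserService userService, AuditEventSender auditEventSender, ClusterConfigService clusterConfigService) {
        this.userService = userService;
        this.auditEventSender = auditEventSender;
        this.clusterConfigService = clusterConfigService;
    }

    /**
     * Authenticates the given token and, on success, creates (or resumes) a session.
     *
     * @param str the ID of a session to resume; {@code null} or blank means no
     *     session ID is handed to the subject builder
     * @param str2 the remote host; passed to the subject builder and recorded as
     *     {@code remote_address} in audit events. It must not be {@code null}:
     *     {@link ImmutableMap} rejects null values.
     * @param actorAwareAuthenticationToken the credentials to authenticate with; its
     *     actor is used for logging and for failure audit events
     * @return the session, or an empty {@link Optional} when authentication failed
     * @throws AuthenticationServiceUnavailableException if the authentication backend
     *     could not be reached; the failure is audited before the exception is rethrown
     */
    public Optional<Session> login(@Nullable String str, String str2, ActorAwareAuthenticationToken actorAwareAuthenticationToken) throws AuthenticationServiceUnavailableException {
        final String requestedSessionId = StringUtils.defaultIfBlank(str, null);
        final Subject subject = new Subject.Builder().sessionId(requestedSessionId).host(str2).buildSubject();
        ThreadContext.bind(subject);
        try {
            // NOTE(review): the session is obtained before login() and the same object is
            // used afterwards, so this method does not rotate the session ID when the
            // subject authenticates. Confirm whether callers can pass a client-chosen ID
            // and whether rotation on authentication is handled elsewhere.
            final Session session = subject.getSession();
            subject.login(actorAwareAuthenticationToken);
            return createSession(subject, session, str2);
        } catch (AuthenticationServiceUnavailableException e) {
            // Must be caught before AuthenticationException: an unavailable backend is
            // reported to the caller instead of being treated as bad credentials.
            log.info("Session creation failed due to authentication service being unavailable. Actor: \"{}\"", actorAwareAuthenticationToken.getActor().urn());
            this.auditEventSender.failure(
                    actorAwareAuthenticationToken.getActor(),
                    AuditEventTypes.SESSION_CREATE,
                    ImmutableMap.of("remote_address", str2, "message", "Authentication service unavailable: " + e.getMessage()));
            throw e;
        } catch (AuthenticationException e) {
            log.info("Invalid credentials in session create request. Actor: \"{}\"", actorAwareAuthenticationToken.getActor().urn());
            this.auditEventSender.failure(
                    actorAwareAuthenticationToken.getActor(),
                    AuditEventTypes.SESSION_CREATE,
                    ImmutableMap.of("remote_address", str2));
            return Optional.empty();
        }
    }

    /**
     * Creates a session for a subject that was built by the caller.
     *
     * <p>No {@code login()} call is made here. When HTTP header authentication is enabled
     * and the configured username header is present in the thread context, its value is
     * stored in the session under
     * {@link HTTPHeaderAuthenticationRealm#SESSION_AUTH_HEADER}.
     *
     * @param subject the subject to create the session for
     * @param str the remote host, recorded as {@code remote_address} in the audit event
     * @return the created session
     */
    public Optional<Session> create(Subject subject, String str) {
        ThreadContext.bind(subject);
        final Session session = subject.getSession();
        final HTTPHeaderAuthConfig headerAuthConfig = loadHTTPHeaderConfig();
        final Optional<String> usernameHeader = ShiroRequestHeadersBinder.getHeaderFromThreadContext(headerAuthConfig.usernameHeader());
        // NOTE(review): the header value is copied as-is; whether the request came from a
        // trusted proxy is not checked in this class - presumably the header-auth realm
        // does that. Confirm before relying on this attribute.
        if (headerAuthConfig.enabled() && usernameHeader.isPresent()) {
            session.setAttribute(HTTPHeaderAuthenticationRealm.SESSION_AUTH_HEADER, usernameHeader.get());
        }
        return createSession(subject, session, str);
    }

    /**
     * Applies the user's timeout and attributes to the session, saves the subject and
     * emits the {@code SESSION_CREATE} success audit event.
     *
     * <p>If the user cannot be loaded, the global default session timeout is applied and
     * the audit event is attributed to the subject's primary principal. The previous
     * code dereferenced the missing user when building the audit actor and failed with a
     * {@link NullPointerException} after the session had already been touched and saved.
     *
     * @param subject the subject owning the session; its primary principal is used as
     *     the user ID (assumed non-null - TODO confirm for the {@code create} path)
     * @param session the session to configure
     * @param remoteAddress the remote host recorded in the audit event
     * @return the configured session, never empty
     */
    private Optional<Session> createSession(Subject subject, Session session, String remoteAddress) {
        final String principalId = subject.getPrincipal().toString();
        final User user = this.userService.loadById(principalId);
        final String auditName;
        if (user != null) {
            session.setTimeout(user.getSessionTimeoutMs());
            session.setAttribute("username", user.getName());
            // NOTE(review): these attributes are applied after "username", so a map that
            // contains that key would overwrite it. Confirm the producing realm never
            // emits reserved keys.
            getSessionAttributes(subject).forEach(session::setAttribute);
            auditName = user.getName();
        } else {
            log.warn("Unable to load user for principal \"{}\" during session creation. Applying the default session timeout.", principalId);
            session.setTimeout(UserConfiguration.DEFAULT_VALUES.globalSessionTimeoutInterval().toMillis());
            // No user record to take a name from; fall back to the principal so the
            // session creation is still audited.
            auditName = principalId;
        }
        session.touch();
        // NOTE(review): getSubjectDAO() is declared on Shiro's DefaultSecurityManager, not
        // on the SecurityManager interface; the decompiler appears to have dropped a cast.
        SecurityUtils.getSecurityManager().getSubjectDAO().save(subject);
        this.auditEventSender.success(
                AuditActor.user(auditName),
                AuditEventTypes.SESSION_CREATE,
                ImmutableMap.of(SessionFields.SESSION_ID, session.getId(), "remote_address", remoteAddress));
        return Optional.of(session);
    }

    /**
     * Returns the extra session attributes carried by the subject's principals.
     *
     * <p>The second principal, when present, is expected to be a {@link Map}. Anything
     * else is logged as an error and treated as "no attributes".
     *
     * @param subject the subject whose principals are inspected
     * @return the attribute map, or an empty map if there is none
     */
    private Map<?, ?> getSessionAttributes(Subject subject) {
        final List<?> principals = subject.getPrincipals().asList();
        if (principals.size() < 2) {
            return Collections.emptyMap();
        }
        final Object candidate = principals.get(1);
        if (candidate instanceof Map) {
            return (Map<?, ?>) candidate;
        }
        log.error("Unable to extract session attributes from subject. Expected <Map.class> but got <{}>.", candidate.getClass().getSimpleName());
        return Collections.emptyMap();
    }

    /** Loads the HTTP header authentication settings, defaulting to a disabled config. */
    private HTTPHeaderAuthConfig loadHTTPHeaderConfig() {
        return (HTTPHeaderAuthConfig) this.clusterConfigService.getOrDefault(HTTPHeaderAuthConfig.class, HTTPHeaderAuthConfig.createDisabled());
    }
}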
