package org.graylog2.security.realm;

import com.google.common.base.Preconditions;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAccount;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authc.pam.UnsupportedTokenException;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.graylog.security.authservice.AuthServiceAuthenticator;
import org.graylog.security.authservice.AuthServiceCredentials;
import org.graylog.security.authservice.AuthServiceException;
import org.graylog.security.authservice.AuthServiceResult;
import org.graylog2.security.encryption.EncryptedValueService;
import org.graylog2.shared.security.AuthenticationServiceUnavailableException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog2/security/realm/UsernamePasswordRealm.class */
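/**
 * Shiro realm that authenticates {@link UsernamePasswordToken}s by delegating to the configured
 * {@link AuthServiceAuthenticator}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The realm installs an {@link AllowAllCredentialsMatcher}, so Shiro itself performs no
 *       credential comparison. The password is verified only by the authenticator, and any
 *       non-{@code null} {@link AuthenticationInfo} returned from this realm is treated as a
 *       successful login. Every code path that cannot positively confirm success must therefore
 *       return {@code null} or throw.</li>
 *   <li>Authentication caching is disabled, so each attempt reaches the authenticator.</li>
 *   <li>The configured root user is never passed to the authenticator by this realm.</li>
 * </ul>
 */
public class UsernamePasswordRealm extends AuthenticatingRealm {
    private static final Logger LOG = LoggerFactory.getLogger(UsernamePasswordRealm.class);
    public static final String NAME = "username-password";
    private final AuthServiceAuthenticator authenticator;
    private final EncryptedValueService encryptedValueService;
    private final String rootUsername;

    /**
     * Creates the realm.
     *
     * @param authServiceAuthenticator authenticator that performs the actual credential check
     * @param encryptedValueService service used to encrypt the password before it is handed to the authenticator
     * @param rootUsername value of the {@code root_username} setting; must not be null or blank
     * @throws IllegalArgumentException if {@code rootUsername} is null or blank
     */
    @Inject
    public UsernamePasswordRealm(AuthServiceAuthenticator authServiceAuthenticator, EncryptedValueService encryptedValueService, @Named("root_username") String rootUsername) {
        Preconditions.checkArgument(!StringUtils.isBlank(rootUsername), "root_username cannot be null or blank");
        this.authenticator = authServiceAuthenticator;
        this.encryptedValueService = encryptedValueService;
        this.rootUsername = rootUsername;
        setAuthenticationTokenClass(UsernamePasswordToken.class);
        setCachingEnabled(false);
        // Credential verification is delegated to the authenticator; see the class-level security notes.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    /**
     * Entry point called by Shiro; accepts only {@link UsernamePasswordToken}s.
     *
     * @param authenticationToken the submitted token
     * @return account information on success, or {@code null} if this realm did not authenticate the token
     * @throws UnsupportedTokenException if the token is not a {@link UsernamePasswordToken}
     * @throws AuthenticationException if the authentication service fails
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        if (authenticationToken instanceof UsernamePasswordToken) {
            return doGetAuthenticationInfo((UsernamePasswordToken) authenticationToken);
        }
        // A null token would otherwise surface as a NullPointerException instead of the documented exception.
        final Object tokenType = authenticationToken == null ? null : authenticationToken.getClass();
        throw new UnsupportedTokenException("Unsupported authentication token type: " + tokenType);
    }

    /**
     * Authenticates a username/password pair against the authentication service.
     *
     * @param usernamePasswordToken the submitted credentials
     * @return account information on success; {@code null} for blank credentials, for the root user,
     *         for a rejected login, and for any unexpected error (fail closed)
     * @throws AuthenticationServiceUnavailableException if the authentication service reports an error
     */
    private AuthenticationInfo doGetAuthenticationInfo(UsernamePasswordToken usernamePasswordToken) throws AuthenticationException {
        final String username = usernamePasswordToken.getUsername();
        final char[] passwordChars = usernamePasswordToken.getPassword();
        // String.valueOf(char[]) throws a NullPointerException for null, so a token without a
        // password is mapped to null here and rejected by the blank check below.
        // NOTE(review): the plaintext password lives in an immutable String until it is garbage
        // collected; the encrypt(...) call below is given a String, so this copy is made regardless.
        final String plainPassword = passwordChars == null ? null : String.valueOf(passwordChars);

        if (StringUtils.isBlank(username) || StringUtils.isBlank(plainPassword)) {
            LOG.error("Username or password were empty. Not attempting authentication service authentication");
            return null;
        }
        if (this.rootUsername.equals(username)) {
            // Returning null means "not authenticated by this realm".
            // Presumably another realm handles the local admin user; confirm in the realm configuration.
            LOG.debug("Authentication services should not handle the local admin user <{}> - skipping", username);
            return null;
        }

        LOG.debug("Attempting authentication for username <{}>", username);
        try {
            final AuthServiceResult result = this.authenticator.authenticate(
                    AuthServiceCredentials.create(username, this.encryptedValueService.encrypt(plainPassword)));

            if (result.isSuccess()) {
                LOG.debug("Successfully authenticated username <{}> for user profile <{}> with backend <{}/{}/{}>",
                        result.username(), result.userProfileId(), result.backendTitle(), result.backendType(), result.backendId());
                return toAuthenticationInfo(result);
            }
            LOG.debug("Failed to authenticate username <{}> with backend <{}/{}/{}>",
                    result.username(), result.backendTitle(), result.backendType(), result.backendId());
            return null;
        } catch (AuthServiceException e) {
            throw new AuthenticationServiceUnavailableException("Authentication service error", e);
        } catch (AuthenticationServiceUnavailableException e) {
            // Must be caught before the generic handler: a service outage has to be rethrown,
            // not logged and turned into a null return.
            throw e;
        } catch (Exception e) {
            // Fail closed: with AllowAllCredentialsMatcher installed, only a null return (or an
            // exception) prevents this attempt from being treated as a successful login.
            LOG.error("Unhandled authentication error", e);
            return null;
        }
    }

    /**
     * Builds the Shiro account for a successful result.
     *
     * @param authServiceResult successful authentication result
     * @return an account whose principal is the user profile ID, with no credentials attached,
     *         and whose realm name is {@code "username-password/<backendType>"}
     */
    private AuthenticationInfo toAuthenticationInfo(AuthServiceResult authServiceResult) {
        return new SimpleAccount(authServiceResult.userProfileId(), (Object) null, NAME + "/" + authServiceResult.backendType());
    }
}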
