package org.graylog2.shared.security;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Objects;
import javax.annotation.Priority;
import javax.inject.Inject;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.SecurityContext;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.subject.Subject;
import org.graylog2.indexer.indices.jobs.OptimizeIndexJob;
import org.graylog2.security.AccessTokenImpl;

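/**
 * JAX-RS request filter that replaces the request's {@link SecurityContext} with a
 * {@link ShiroSecurityContext} built from the HTTP {@code Authorization} header.
 *
 * <p>Only headers starting with {@code Basic} are parsed. The decoded value has the form
 * {@code principal:secret}. The secret is either a password or one of two reserved markers:
 * {@code session} (the principal is a session id) or {@link AccessTokenImpl#TOKEN} (the principal
 * is an access token). Requests without Basic credentials get a context with {@code null}
 * principal and secret.
 *
 * <p>This class only packages the presented credentials into a Shiro token; no login call is made
 * here. NOTE(review): presumably a later filter authenticates the subject; confirm against
 * {@code ShiroSecurityContext}'s consumers.
 */
// NOTE(review): this file looks decompiled. The priority argument was probably a plain int that the
// decompiler matched to an unrelated constant of equal value. Confirm the intended JAX-RS priority,
// since this filter has to run before anything that reads the security context.
@Priority(OptimizeIndexJob.MAX_CONCURRENCY)
/* loaded from: input_file:org/graylog2/shared/security/ShiroSecurityContextFilter.class */
public class ShiroSecurityContextFilter implements ContainerRequestFilter {
    private final DefaultSecurityManager securityManager;

    /**
     * @param defaultSecurityManager Shiro security manager used to build the per-request subject
     * @throws NullPointerException if {@code defaultSecurityManager} is {@code null}
     */
    @Inject
    public ShiroSecurityContextFilter(DefaultSecurityManager defaultSecurityManager) {
        this.securityManager = Objects.requireNonNull(defaultSecurityManager);
    }

    /**
     * Builds the security context for one request from its {@code Authorization} header.
     *
     * @param containerRequestContext the request being filtered; its security context is replaced
     * @throws BadRequestException if a Basic header does not decode to {@code principal:secret}
     *     with a non-empty secret
     * @throws IOException declared by the filter interface; not thrown by this implementation
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        final boolean secure = containerRequestContext.getSecurityContext().isSecure();
        final MultivaluedMap<String, String> headers = containerRequestContext.getHeaders();
        // The Host header is supplied by the client; it is recorded on the subject and tokens and
        // should not be relied on for access decisions.
        final String host = headers.getFirst("Host");
        final String authHeader = headers.getFirst("Authorization");

        final SecurityContext securityContext;
        // NOTE(review): the scheme match is case-sensitive and prefix-only, so "basic ..." is
        // treated as "no credentials" and "BasicX" as Basic. Confirm whether that is intended.
        if (authHeader == null || !authHeader.startsWith("Basic")) {
            securityContext = createSecurityContext(null, null, secure, null, host, headers);
        } else {
            // A header without a space leaves the whole value as the payload; it then fails
            // Base64 decoding and is rejected below.
            final String decoded = decodeBase64(authHeader.substring(authHeader.indexOf(' ') + 1));
            // Split at the FIRST colon only: the user-id cannot contain ':' but the password may
            // (RFC 7617). Splitting on every colon rejected such passwords and silently dropped
            // a trailing ':' from the password before it reached the authenticator.
            final int separator = decoded.indexOf(':');
            // A missing separator or an empty secret stays a 400, as before; an empty password
            // is never forwarded to the authentication realms.
            if (separator < 0 || separator == decoded.length() - 1) {
                // The message must not echo the header: it contains credentials.
                throw new BadRequestException("Invalid credentials in Authorization header");
            }
            securityContext = createSecurityContext(
                    decoded.substring(0, separator),
                    decoded.substring(separator + 1),
                    secure,
                    "BASIC",
                    host,
                    headers);
        }
        containerRequestContext.setSecurityContext(securityContext);
    }

    /**
     * Decodes a Base64 payload to text.
     *
     * @param str the Base64 part of the {@code Authorization} header
     * @return the decoded text, or an empty string when the input is not valid Base64 (the caller
     *     then rejects the request because no separator is found)
     */
    private String decodeBase64(String str) {
        try {
            // US-ASCII decoding replaces every non-ASCII byte with U+FFFD, so credentials that
            // contain non-ASCII characters cannot match. NOTE(review): confirm whether UTF-8 is
            // wanted here.
            return new String(Base64.getDecoder().decode(str), StandardCharsets.US_ASCII);
        } catch (IllegalArgumentException e) {
            return "";
        }
    }

    /**
     * Creates the security context carrying a fresh subject and the authentication token that
     * matches the presented secret.
     *
     * @param principal user name, session id or access token; {@code null} without credentials
     * @param secret password or one of the reserved markers; {@code null} without credentials
     * @param secure whether the request arrived over a secure channel
     * @param authScheme authentication scheme label, or {@code null} without credentials
     * @param host value of the request's {@code Host} header
     * @param headers all request headers
     * @return the context to install on the request
     */
    private SecurityContext createSecurityContext(String principal, String secret, boolean secure, String authScheme, String host, MultivaluedMap<String, String> headers) {
        // Session creation is disabled on the subject, so building it does not open a Shiro
        // session for the request.
        final Subject subject = new Subject.Builder(this.securityManager)
                .host(host)
                .sessionCreationEnabled(false)
                .buildSubject();
        // The markers are compared case-insensitively, so a password equal to either marker in
        // any letter case is never treated as a password.
        return new ShiroSecurityContext(
                subject,
                "session".equalsIgnoreCase(secret)
                        ? new SessionIdToken(principal, host)
                        : AccessTokenImpl.TOKEN.equalsIgnoreCase(secret)
                                ? new AccessTokenAuthToken(principal, host)
                                : new UsernamePasswordToken(principal, secret, host),
                secure,
                authScheme,
                headers);
    }
}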
