package org.graylog2.security.realm;

import jakarta.inject.Inject;
import java.util.Optional;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAccount;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.graylog2.plugin.cluster.ClusterConfigService;
import org.graylog2.plugin.database.users.User;
import org.graylog2.security.headerauth.HTTPHeaderAuthConfig;
import org.graylog2.shared.security.SessionIdToken;
import org.graylog2.shared.security.ShiroRequestHeadersBinder;
import org.graylog2.shared.users.UserService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog2/security/realm/SessionAuthenticator.class */
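/**
 * Shiro realm that authenticates a request by an existing server-side session.
 *
 * <p>The {@link SessionIdToken} carries nothing but a session id. Possession of a live session id
 * is the whole credential, which is why the realm is wired with an
 * {@link AllowAllCredentialsMatcher}: the actual decision is made in
 * {@link #doGetAuthenticationInfo(AuthenticationToken)} by checking that the session exists, still
 * maps to a user and (for sessions created through trusted-HTTP-header login) is still presented by
 * the same upstream identity. Authentication-info caching is switched off so every request goes
 * through those checks again.
 */
public class SessionAuthenticator extends AuthenticatingRealm {
    private static final Logger LOG = LoggerFactory.getLogger(SessionAuthenticator.class);
    /** Identifier of this realm. */
    public static final String NAME = "mongodb-session";
    /**
     * Request header a client may set to {@code true} so that this request does not refresh the
     * session's last-access time, i.e. does not extend the session's idle timeout.
     */
    public static final String X_GRAYLOG_NO_SESSION_EXTENSION = "X-Graylog-No-Session-Extension";
    private final UserService userService;
    private final ClusterConfigService clusterConfigService;

    /**
     * Creates the realm.
     *
     * @param userService          resolves the session's principal to a {@link User}
     * @param clusterConfigService supplies the trusted-HTTP-header authentication config
     */
    @Inject
    SessionAuthenticator(UserService userService, ClusterConfigService clusterConfigService) {
        this.userService = userService;
        this.clusterConfigService = clusterConfigService;
        // The session id is the only credential; whether it is valid is decided in doGetAuthenticationInfo.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
        // Shiro only routes SessionIdToken instances to this realm, so the cast below is safe.
        setAuthenticationTokenClass(SessionIdToken.class);
        // NOTE(review): presumably disabled so an expired/stopped session or a deleted user is noticed on the next request.
        setCachingEnabled(false);
    }

    /**
     * Resolves a {@link SessionIdToken} to the user owning that session.
     *
     * <p>Returns {@code null} (Shiro's "no account" signal) when the session does not exist or has
     * expired, when the session carries no principal, when no user exists for that principal, or
     * when the session was established via a trusted HTTP header and the header the proxy sends now
     * names a different user. In that last case the session is stopped as well, so it cannot be
     * carried over to the new identity.
     *
     * <p>On success the subject is bound to the current thread and the session's last-access time
     * is refreshed, unless the request carries {@value #X_GRAYLOG_NO_SESSION_EXTENSION}: true.
     *
     * @param authenticationToken a {@link SessionIdToken}; the realm is configured to accept only
     *                            that token type
     * @return account info naming the user's id, or {@code null} if the session is not valid
     * @throws AuthenticationException not thrown by this implementation itself; declared to match
     *                                 the superclass contract
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        final String sessionId = ((SessionIdToken) authenticationToken).getSessionId();
        // getSession(false) looks the session up without creating one when the id is unknown.
        final Subject subject = new Subject.Builder().sessionId(sessionId).buildSubject();
        final Session session = subject.getSession(false);
        if (session == null) {
            LOG.debug("Invalid session. Either it has expired or did not exist.");
            return null;
        }

        final Object principal = subject.getPrincipal();
        if (principal == null) {
            // A live session without a principal was never authenticated; don't look up the literal "null" id.
            LOG.debug("Session has no principal, rejecting it.");
            return null;
        }
        final User user = userService.loadById(String.valueOf(principal));
        if (user == null) {
            LOG.debug("No user with userId {} found for session", principal);
            return null;
        }
        LOG.debug("Found session for userId {}", principal);

        if (!headerIdentityMatches(session)) {
            return null;
        }

        if (sessionExtensionSuppressed()) {
            LOG.debug("Not extending session because the request indicated not to.");
        } else {
            // Refresh last-access time so the idle timeout restarts from this request.
            session.touch();
        }
        ThreadContext.bind(subject);
        // Realm name in the account is the literal below, not NAME.
        return new SimpleAccount(user.getId(), (Object) null, "session authenticator");
    }

    /**
     * Checks that a session created through trusted-HTTP-header login is still presented under
     * the same upstream identity.
     *
     * <p>The username asserted at login is stored on the session under
     * {@link HTTPHeaderAuthenticationRealm#SESSION_AUTH_HEADER} (presumably by the header-auth
     * realm). If header auth is enabled and the current request carries the configured username
     * header with a different value, the session is stopped and {@code false} is returned.
     * Sessions without that attribute, requests without the header, and a disabled header-auth
     * config all pass through unchanged.
     *
     * @param session the session under review; may be stopped by this call
     * @return {@code true} if the session may continue, {@code false} if it was terminated
     */
    private boolean headerIdentityMatches(Session session) {
        final String sessionUser = (String) session.getAttribute(HTTPHeaderAuthenticationRealm.SESSION_AUTH_HEADER);
        if (sessionUser == null) {
            return true;
        }
        final HTTPHeaderAuthConfig config = loadHTTPHeaderConfig();
        final Optional<String> headerUser = ShiroRequestHeadersBinder.getHeaderFromThreadContext(config.usernameHeader());
        // Case-insensitive on purpose: the header value and the stored name are compared with equalsIgnoreCase.
        if (config.enabled() && headerUser.isPresent() && !headerUser.get().equalsIgnoreCase(sessionUser)) {
            LOG.warn("Terminating session where user <{}> does not match trusted HTTP header <{}>.", sessionUser, headerUser.get());
            session.stop();
            return false;
        }
        return true;
    }

    /**
     * Whether the current request asked, via {@value #X_GRAYLOG_NO_SESSION_EXTENSION}: true, that
     * the session's last-access time be left alone.
     *
     * @return {@code true} if the header is present and equals "true" ignoring case
     */
    private static boolean sessionExtensionSuppressed() {
        final Optional<String> header = ShiroRequestHeadersBinder.getHeaderFromThreadContext(X_GRAYLOG_NO_SESSION_EXTENSION);
        return header.isPresent() && "true".equalsIgnoreCase(header.get());
    }

    /**
     * Reads the trusted-HTTP-header auth configuration from the cluster config, falling back to a
     * disabled configuration when none is stored.
     *
     * @return the stored config, or {@link HTTPHeaderAuthConfig#createDisabled()} if absent
     */
    private HTTPHeaderAuthConfig loadHTTPHeaderConfig() {
        return (HTTPHeaderAuthConfig) this.clusterConfigService.getOrDefault(HTTPHeaderAuthConfig.class, HTTPHeaderAuthConfig.createDisabled());
    }
}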
