package org.graylog2.security.realm;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAccount;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.graylog2.Core;
import org.graylog2.security.AccessToken;
import org.graylog2.security.AccessTokenAuthToken;
import org.graylog2.users.User;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog2/security/realm/AccessTokenAuthenticator.class */
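/**
 * Shiro realm that authenticates a request by the access token it presents.
 *
 * <p>The realm accepts only {@link AccessTokenAuthToken} instances and installs an
 * {@link AllowAllCredentialsMatcher}, which accepts every submission without comparing
 * credentials. The token lookup in {@link #doGetAuthenticationInfo} is therefore the whole
 * authentication decision: that method must return {@code null} or throw for every token
 * that should not grant access.
 */
public class AccessTokenAuthenticator extends AuthenticatingRealm {
    private static final Logger log = LoggerFactory.getLogger(AccessTokenAuthenticator.class);
    private final Core core;

    /**
     * Creates the realm and restricts it to access-token submissions.
     *
     * @param core server context handed to the token and user lookups
     */
    public AccessTokenAuthenticator(Core core) {
        this.core = core;
        setAuthenticationTokenClass(AccessTokenAuthToken.class);
        // No credential check follows the lookup; see the class comment.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    /**
     * Resolves the presented access token to the account of the user it belongs to.
     *
     * @param authenticationToken the submitted token; cast to {@link AccessTokenAuthToken}
     * @return an account carrying the user's name as principal and no credentials, or
     *         {@code null} when the token is absent, unknown, or names a user that cannot
     *         be loaded
     * @throws LockedAccountException if the user is an external user and the LDAP
     *         authenticator is disabled
     * @throws AuthenticationException declared by the overridden Shiro method
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        final AccessTokenAuthToken authToken = (AccessTokenAuthToken) authenticationToken;

        // An absent token must never reach the store: String.valueOf would either turn it into
        // the literal "null" and look that up as if it were a real token, or fail, depending
        // on the getter's declared type (not visible in this file).
        if (authToken.getToken() == null) {
            return null;
        }

        final AccessToken accessToken = AccessToken.load(String.valueOf(authToken.getToken()), this.core);
        if (accessToken == null) {
            return null;
        }

        final User user = User.load(accessToken.getUserName(), this.core);
        if (user == null) {
            // Token exists but its owner cannot be loaded: treat as no account.
            return null;
        }

        // A token must not outlive the login path of its owner: external users are refused
        // while the LDAP authenticator is switched off.
        if (user.isExternalUser() && !this.core.getLdapAuthenticator().isEnabled()) {
            throw new LockedAccountException("LDAP authentication is currently disabled.");
        }

        // NOTE(review): this logs the User's string form; confirm User.toString() exposes no
        // password hash or other sensitive field. The token itself is deliberately not logged.
        log.debug("Found user {} for access token.", user);

        // Credentials are null on purpose; the matcher installed in the constructor ignores them.
        return new SimpleAccount(user.getName(), (Object) null, "access token realm");
    }
}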
