package org.graylog2.security.realm;

import javax.inject.Inject;
import javax.ws.rs.core.MultivaluedMap;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAccount;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.graylog2.security.SessionIdToken;
import org.graylog2.users.User;
import org.graylog2.users.UserService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog2/security/realm/SessionAuthenticator.class */
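/**
 * Shiro realm that authenticates a request from an existing session id instead of a password.
 *
 * <p>The realm accepts only {@link SessionIdToken}s. The credential check is deliberately a no-op
 * ({@link AllowAllCredentialsMatcher}): the proof of identity is that the presented session id
 * resolves to a live session, which {@link #doGetAuthenticationInfo(AuthenticationToken)} verifies
 * itself. Anything that weakens the session lookup therefore weakens authentication as a whole.
 */
public class SessionAuthenticator extends AuthenticatingRealm {
    private static final Logger LOG = LoggerFactory.getLogger(SessionAuthenticator.class);

    /** ThreadContext key under which the request headers are looked up. */
    private static final String REQUEST_HEADERS_KEY = "REQUEST_HEADERS";

    /** Request header a client sets to "true" to validate a session without extending it. */
    private static final String NO_SESSION_EXTENSION_HEADER = "X-Graylog2-No-Session-Extension";

    private final UserService userService;
    private final LdapUserAuthenticator ldapAuthenticator;

    /**
     * Creates the realm and restricts it to {@link SessionIdToken}s.
     *
     * @param userService           used to load the user the session belongs to
     * @param ldapUserAuthenticator consulted to reject external users while LDAP is disabled
     */
    @Inject
    public SessionAuthenticator(UserService userService, LdapUserAuthenticator ldapUserAuthenticator) {
        this.userService = userService;
        this.ldapAuthenticator = ldapUserAuthenticator;
        setAuthenticationTokenClass(SessionIdToken.class);
        // No credentials are compared: a session id that resolves to a live session is the credential.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    /**
     * Resolves the session id carried by the token to a user account.
     *
     * @param authenticationToken a {@link SessionIdToken}
     * @return the account of the session's user, or {@code null} when the session does not exist,
     *         has no principal, or its user cannot be loaded
     * @throws LockedAccountException if the user is an external user and LDAP authentication is disabled
     * @throws AuthenticationException declared by the overridden method
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        final SessionIdToken sessionIdToken = (SessionIdToken) authenticationToken;
        final Subject subject = new Subject.Builder().sessionId(sessionIdToken.getSessionId()).buildSubject();

        // getSession(false) never creates a session: an unknown or expired id must not mint a new one.
        final Session session = subject.getSession(false);
        if (session == null) {
            // NOTE(review): the session id is a bearer credential and is written to the debug log
            // here and below; confirm debug logs are access-controlled or shorten the id.
            LOG.debug("Invalid session {}. Either it has expired or did not exist.", sessionIdToken.getSessionId());
            return null;
        }

        final Object principal = subject.getPrincipal();
        if (principal == null) {
            // String.valueOf((Object) null) yields the literal "null", which would otherwise be
            // looked up as a user name. A session without a principal cannot authenticate anyone.
            LOG.debug("Session carries no principal; rejecting.");
            return null;
        }

        final User user = this.userService.load(String.valueOf(principal));
        if (user == null) {
            LOG.debug("No user named {} found for session {}", principal, sessionIdToken.getSessionId());
            return null;
        }

        // An existing session must not outlive the administrator's decision to disable LDAP.
        if (user.isExternalUser() && !this.ldapAuthenticator.isEnabled()) {
            throw new LockedAccountException("LDAP authentication is currently disabled.");
        }

        LOG.debug("Found session {} for user name {}", session.getId(), principal);

        // The header is client-controlled, but it can only suppress the extension of the session,
        // never prolong it, so honouring it does not widen the session's lifetime.
        @SuppressWarnings("unchecked") // same cast the raw-typed original performed implicitly
        final MultivaluedMap<String, String> requestHeaders =
                (MultivaluedMap<String, String>) ThreadContext.get(REQUEST_HEADERS_KEY);
        final boolean skipExtension = requestHeaders != null
                && "true".equalsIgnoreCase(requestHeaders.getFirst(NO_SESSION_EXTENSION_HEADER));
        if (skipExtension) {
            LOG.debug("Not extending session because the request indicated not to.");
        } else {
            session.touch();
        }

        // Bind the session-backed subject to the current thread for the rest of the request.
        ThreadContext.bind(subject);
        return new SimpleAccount(user.getName(), (Object) null, "session authenticator");
    }
}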
