package org.graylog2.shared.security;

import com.google.common.base.Strings;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.annotation.Priority;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Provider;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.SecurityContext;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.glassfish.grizzly.http.server.Request;
import org.graylog2.rest.RestTools;
import org.graylog2.security.AccessTokenImpl;
import org.graylog2.utilities.IpSubnet;

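/**
 * JAX-RS request filter that attaches a Shiro-backed {@link SecurityContext} to every
 * incoming REST request.
 *
 * <p>Per request it unbinds any subject still attached to the worker thread, resolves the
 * client address through {@link RestTools#getRemoteAddrFromRequest} using the configured
 * trusted-proxy subnets, parses optional HTTP Basic credentials and selects the Shiro
 * {@link AuthenticationToken} that the realms verify later. No credential is checked
 * here; the filter only records how the request claims to be authenticated.
 */
@Priority(990)
public class ShiroSecurityContextFilter implements ContainerRequestFilter {
    /** Name of the cookie whose value is treated as a session id. */
    public static final String SESSION_COOKIE_NAME = "authentication";
    /** HTTP authentication scheme handled by this filter; matched case-insensitively (RFC 7235). */
    private static final String BASIC_SCHEME = "Basic";

    private final DefaultSecurityManager securityManager;
    private final Provider<Request> grizzlyRequestProvider;
    private final Set<IpSubnet> trustedProxies;

    /**
     * @param defaultSecurityManager Shiro security manager used to build per-request subjects
     * @param provider               supplies the Grizzly {@link Request} of the current call
     * @param set                    subnets passed to {@link RestTools#getRemoteAddrFromRequest}
     *                               when resolving the client address
     * @throws NullPointerException if any argument is {@code null}
     */
    @Inject
    public ShiroSecurityContextFilter(DefaultSecurityManager defaultSecurityManager, Provider<Request> provider, @Named("trusted_proxies") Set<IpSubnet> set) {
        this.securityManager = Objects.requireNonNull(defaultSecurityManager, "defaultSecurityManager");
        // Fail at wiring time instead of on the first request if a dependency is missing.
        this.grizzlyRequestProvider = Objects.requireNonNull(provider, "grizzlyRequestProvider");
        this.trustedProxies = Objects.requireNonNull(set, "trustedProxies");
    }

    /**
     * Installs a {@link ShiroSecurityContext} on the request.
     *
     * <p>When an {@code Authorization} header with the Basic scheme is present its payload
     * is decoded into user name and password; otherwise both are {@code null} and the token
     * is chosen from cookies and addresses alone (see {@link #createAuthenticationToken}).
     *
     * @throws BadRequestException if the Basic payload is not valid Base64 or does not
     *                             contain a {@code user:password} separator
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        // Worker threads are reused; make sure no subject bound by an earlier request
        // can leak into this one.
        ThreadContext.unbindSubject();

        final boolean secure = containerRequestContext.getSecurityContext().isSecure();
        final MultivaluedMap<String, String> headers = containerRequestContext.getHeaders();
        final Map<String, Cookie> cookies = containerRequestContext.getCookies();
        final Request grizzlyRequest = grizzlyRequestProvider.get();
        // Proxy-aware client address and the raw socket peer address are both handed to the
        // tokens so realms can see which one they are dealing with.
        final String clientAddr = RestTools.getRemoteAddrFromRequest(grizzlyRequest, trustedProxies);
        final String peerAddr = grizzlyRequest.getRemoteAddr();

        final String authHeader = headers.getFirst("Authorization");
        final SecurityContext securityContext;
        if (isBasicScheme(authHeader)) {
            final String[] credentials = parseBasicCredentials(authHeader);
            securityContext = createSecurityContext(credentials[0], credentials[1], secure, SecurityContext.BASIC_AUTH, clientAddr, peerAddr, headers, cookies);
        } else {
            securityContext = createSecurityContext(null, null, secure, null, clientAddr, peerAddr, headers, cookies);
        }
        containerRequestContext.setSecurityContext(securityContext);
    }

    /** Returns whether the header value starts with the Basic scheme, ignoring case. */
    private static boolean isBasicScheme(String authHeader) {
        return authHeader != null
                && authHeader.regionMatches(true, 0, BASIC_SCHEME, 0, BASIC_SCHEME.length());
    }

    /**
     * Decodes the payload of a Basic {@code Authorization} header into {@code {user, password}}.
     *
     * @throws BadRequestException if the payload is not valid Base64 or contains no colon
     */
    private static String[] parseBasicCredentials(String authHeader) {
        // Everything after the first blank is the Base64 payload; a header without a blank
        // leaves the whole value, which fails to decode and is rejected below.
        final String payload = authHeader.substring(authHeader.indexOf(' ') + 1);
        // The password may itself contain colons, so split only at the first one.
        final String[] parts = decodeBase64(payload).split(":", 2);
        if (parts.length != 2) {
            throw new BadRequestException("Invalid credentials in Authorization header");
        }
        return parts;
    }

    /**
     * Decodes a Base64 string, returning {@code ""} (which the caller rejects) on malformed
     * input instead of propagating the decoder's exception.
     *
     * <p>Bytes are interpreted as UTF-8, the charset RFC 7617 recommends for Basic
     * credentials; pure ASCII input decodes identically to the former US-ASCII reading,
     * while non-ASCII passwords are no longer replaced by substitution characters.
     */
    private static String decodeBase64(String encoded) {
        try {
            return new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException ignored) {
            return "";
        }
    }

    /**
     * Builds the security context: a fresh subject for {@code host} (session creation
     * enabled) plus the token selected by {@link #createAuthenticationToken}.
     *
     * @param userName    Basic user name, or {@code null} when no Basic header was sent
     * @param credential  Basic password, or {@code null}
     * @param isSecure    whether the request arrived over a secure channel
     * @param authcScheme scheme reported by the context, {@code "BASIC"} or {@code null}
     * @param host        proxy-aware client address
     * @param remoteAddr  raw socket peer address
     */
    private SecurityContext createSecurityContext(String userName, String credential, boolean isSecure, String authcScheme, String host, String remoteAddr, MultivaluedMap<String, String> headers, Map<String, Cookie> cookies) {
        final Subject subject = new Subject.Builder(securityManager)
                .host(host)
                .sessionCreationEnabled(true)
                .buildSubject();
        final AuthenticationToken token = createAuthenticationToken(userName, credential, host, remoteAddr, cookies);
        return new ShiroSecurityContext(subject, token, isSecure, authcScheme, headers);
    }

    /**
     * Selects the Shiro token describing how this request claims to authenticate.
     *
     * <p>Precedence, first match wins:
     * <ol>
     *   <li>password equal to {@code "session"}: the user name field is passed as a session id</li>
     *   <li>password equal to {@code AccessTokenImpl.TOKEN}: the user name field is passed as an access token</li>
     *   <li>a {@value #SESSION_COOKIE_NAME} cookie: its value is passed as the session id —
     *       note this outranks a Basic user name/password that may also be present</li>
     *   <li>no user name or no password: a {@link PossibleTrustedHeaderToken} carrying only the addresses</li>
     *   <li>otherwise: a plain {@link UsernamePasswordToken}</li>
     * </ol>
     */
    private AuthenticationToken createAuthenticationToken(String userName, String credential, String host, String remoteAddr, Map<String, Cookie> cookies) {
        if ("session".equalsIgnoreCase(credential)) {
            return new SessionIdToken(userName, host, remoteAddr);
        }
        if (AccessTokenImpl.TOKEN.equalsIgnoreCase(credential)) {
            return new AccessTokenAuthToken(userName, host);
        }
        if (cookies.containsKey(SESSION_COOKIE_NAME)) {
            return new SessionIdToken(cookies.get(SESSION_COOKIE_NAME).getValue(), host, remoteAddr);
        }
        if (Strings.isNullOrEmpty(userName) || Strings.isNullOrEmpty(credential)) {
            return new PossibleTrustedHeaderToken(host, remoteAddr);
        }
        return new UsernamePasswordToken(userName, credential, host);
    }
}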
