package org.graylog2.security.realm;

import com.google.common.base.Joiner;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import javax.annotation.Nullable;
import javax.inject.Inject;
import javax.inject.Named;
import javax.ws.rs.core.MultivaluedMap;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAccount;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.graylog.security.authservice.AuthServiceAuthenticator;
import org.graylog.security.authservice.AuthServiceCredentials;
import org.graylog.security.authservice.AuthServiceException;
import org.graylog.security.authservice.AuthServiceResult;
import org.graylog2.plugin.cluster.ClusterConfigService;
import org.graylog2.security.headerauth.HTTPHeaderAuthConfig;
import org.graylog2.shared.security.HttpHeadersToken;
import org.graylog2.shared.security.ShiroSecurityContext;
import org.graylog2.utilities.IpSubnet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog2/security/realm/HTTPHeaderAuthenticationRealm.class */
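/**
 * Shiro realm that authenticates a request from a username carried in an HTTP header
 * set by a trusted reverse proxy.
 *
 * <p>Trust model, as implemented here: the header value is accepted as an already
 * authenticated identity ({@link AuthServiceCredentials#createAuthenticated}) with no
 * password check ({@link AllowAllCredentialsMatcher}). The only thing standing between
 * an arbitrary client and an account takeover is therefore the check that the request's
 * remote address lies in {@code trusted_proxies}. An empty {@code trusted_proxies} set
 * rejects every request (fail closed).
 *
 * <p>Hardening in this version: a request that carries the username header more than once
 * with differing values is rejected, because this realm cannot tell which value the proxy
 * wrote and which one a client smuggled through. A request whose remote address is blank
 * is rejected for the same reason.
 */
public class HTTPHeaderAuthenticationRealm extends AuthenticatingRealm {
    private static final Logger LOG = LoggerFactory.getLogger(HTTPHeaderAuthenticationRealm.class);
    private static final Joiner JOINER = Joiner.on(", ");
    public static final String NAME = "http-header-authentication";
    private final ClusterConfigService clusterConfigService;
    private final AuthServiceAuthenticator authServiceAuthenticator;
    private final Set<IpSubnet> trustedProxies;

    /**
     * @param clusterConfigService source of the {@link HTTPHeaderAuthConfig} (re-read on every request)
     * @param authServiceAuthenticator resolves the header username to a user profile
     * @param trustedProxies subnets whose requests may carry the username header; empty means nobody
     */
    @Inject
    public HTTPHeaderAuthenticationRealm(ClusterConfigService clusterConfigService,
                                         AuthServiceAuthenticator authServiceAuthenticator,
                                         @Named("trusted_proxies") Set<IpSubnet> trustedProxies) {
        this.clusterConfigService = clusterConfigService;
        this.authServiceAuthenticator = authServiceAuthenticator;
        this.trustedProxies = trustedProxies;
        setAuthenticationTokenClass(HttpHeadersToken.class);
        // Every request re-evaluates the header and proxy address; nothing is safe to cache.
        setCachingEnabled(false);
        // The header itself is the proof of identity; there is no credential to compare.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    /**
     * Authenticates from the configured username header.
     *
     * @param authenticationToken must be an {@link HttpHeadersToken} (enforced by the token class set in the constructor)
     * @return account info on success; {@code null} whenever the request is not eligible
     *         (feature disabled, header absent, blank or ambiguous, untrusted or unknown remote
     *         address, backend failure), so that other realms may still handle the request
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        final HttpHeadersToken token = (HttpHeadersToken) authenticationToken;
        final HTTPHeaderAuthConfig config = loadConfig();
        if (!config.enabled()) {
            LOG.debug("Skipping disabled HTTP header authentication");
            return null;
        }

        final List<String> values = headerValues(token.getHeaders(), config.usernameHeader());
        if (values.isEmpty()) {
            return null;
        }
        // Refuse to pick one of several differing values: the realm cannot know which one the
        // proxy set and which one arrived from the client, so guessing would be an identity bypass.
        final long distinctValues = values.stream().map(StringUtils::trim).distinct().count();
        if (distinctValues > 1) {
            LOG.warn("Skipping request with trusted HTTP header <{}> present {} times with differing values", config.usernameHeader(), values.size());
            return null;
        }
        final String username = StringUtils.trim(values.get(0)); // null-safe trim
        if (StringUtils.isBlank(username)) {
            LOG.warn("Skipping request with trusted HTTP header <{}> and blank value", config.usernameHeader());
            return null;
        }

        final String remoteAddr = token.getRemoteAddr();
        // NOTE(review): whether getRemoteAddr() is the TCP peer or already a forwarded address is
        // decided by HttpHeadersToken, not here — confirm it is the peer, or the proxy check is moot.
        if (StringUtils.isBlank(remoteAddr)) {
            LOG.warn("Skipping request with trusted HTTP header <{}> because the remote address is unknown", config.usernameHeader());
            return null;
        }
        if (!inTrustedSubnets(remoteAddr)) {
            LOG.warn("Request with trusted HTTP header <{}={}> received from <{}> which is not in the trusted proxies: <{}>", config.usernameHeader(), username, remoteAddr, JOINER.join(this.trustedProxies));
            return null;
        }
        return doAuthenticate(username, config, remoteAddr);
    }

    /**
     * Resolves an already-trusted username through the auth service.
     *
     * @param username trimmed, non-blank header value
     * @param config active header-auth configuration (used for log context)
     * @param proxyAddr remote address that passed the trusted-proxy check (used for log context)
     * @return account info, or {@code null} when the backend rejects the user or fails
     */
    private AuthenticationInfo doAuthenticate(String username, HTTPHeaderAuthConfig config, String proxyAddr) {
        LOG.debug("Attempting authentication for username <{}>", username);
        try {
            final AuthServiceResult result = this.authServiceAuthenticator.authenticate(AuthServiceCredentials.createAuthenticated(username));
            if (!result.isSuccess()) {
                LOG.warn("Failed to authenticate username <{}> from trusted HTTP header <{}> via proxy <{}>", result.username(), config.usernameHeader(), proxyAddr);
                return null;
            }
            LOG.debug("Successfully authenticated username <{}> for user profile <{}> with backend <{}/{}/{}>", result.username(), result.userProfileId(), result.backendTitle(), result.backendType(), result.backendId());
            // Ask the request pipeline to establish a session for this principal.
            ShiroSecurityContext.requestSessionCreation(true);
            return toAuthenticationInfo(result);
        } catch (AuthServiceException e) {
            LOG.error("Authentication service error", (Throwable) e);
            return null;
        } catch (Exception e) {
            // Realm boundary: any failure must deny rather than propagate, but must not be silent.
            LOG.error("Unhandled authentication error", (Throwable) e);
            return null;
        }
    }

    /** Builds the Shiro account: principal is the user profile id, credentials are intentionally absent. */
    private AuthenticationInfo toAuthenticationInfo(AuthServiceResult result) {
        return new SimpleAccount(result.userProfileId(), (Object) null, "http-header-authentication/" + result.backendType());
    }

    /** Reads the current configuration; a missing entry means the feature is disabled. */
    private HTTPHeaderAuthConfig loadConfig() {
        return (HTTPHeaderAuthConfig) this.clusterConfigService.getOrDefault(HTTPHeaderAuthConfig.class, HTTPHeaderAuthConfig.createDisabled());
    }

    /**
     * All values of the configured header, or an empty list when the header name is unset or absent.
     * The name is lowercased for the lookup; this assumes the token stores header keys in lower case
     * (as the original lookup did) — verify against HttpHeadersToken if the map is case-sensitive.
     */
    private List<String> headerValues(MultivaluedMap<String, String> headers, @Nullable String headerName) {
        if (headerName == null) {
            return java.util.Collections.emptyList();
        }
        final List<String> values = headers.get(headerName.toLowerCase(Locale.US));
        return values == null ? java.util.Collections.emptyList() : values;
    }

    /** True when at least one trusted subnet contains the address; false for an empty set. */
    private boolean inTrustedSubnets(String remoteAddr) {
        return this.trustedProxies.stream().anyMatch(subnet -> ipSubnetContains(subnet, remoteAddr));
    }

    /** Membership test that treats an unparseable/unresolvable address as "not trusted". */
    private boolean ipSubnetContains(IpSubnet subnet, String remoteAddr) {
        try {
            return subnet.contains(remoteAddr);
        } catch (UnknownHostException e) {
            LOG.debug("Looking up remote address <{}> failed.", remoteAddr);
            return false;
        }
    }
}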
