package org.graylog2.shared.security;

import java.io.IOException;
import javax.annotation.Priority;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Priority(2000)
/* loaded from: input_file:org/graylog2/shared/security/ShiroAuthorizationFilter.class */
public class ShiroAuthorizationFilter implements ContainerRequestFilter {
    private static final Logger LOG = LoggerFactory.getLogger(ShiroAuthorizationFilter.class);
    private final RequiresPermissions annotation;

    public ShiroAuthorizationFilter(RequiresPermissions requiresPermissions) {
        this.annotation = requiresPermissions;
    }

    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        ShiroSecurityContext securityContext = containerRequestContext.getSecurityContext();
        if (securityContext instanceof ShiroSecurityContext) {
            ShiroSecurityContext shiroSecurityContext = securityContext;
            try {
                LOG.debug("Checking authorization for user {}, needs permissions {}", shiroSecurityContext.getSubject(), this.annotation.value());
                new ContextAwarePermissionAnnotationHandler(shiroSecurityContext).assertAuthorized(this.annotation);
            } catch (AuthorizationException e) {
                LOG.info("User not authorized.", e);
                throw new NotAuthorizedException(e, "Basic realm=\"Graylog Server\"", new Object[0]);
            }
        }
    }
}
