package org.duracloud.security.impl;

import org.duracloud.security.DuracloudUserDetailsService;
import org.glassfish.hk2.utilities.BuilderHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.util.matcher.IpAddressMatcher;

/* loaded from: input_file:WEB-INF/lib/security-3.4.0.jar:org/duracloud/security/impl/DuracloudAuthProvider.class */
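/**
 * Authentication provider that adds a per-user source-IP allow-list on top of the
 * checks performed by {@link DaoAuthenticationProvider}.
 *
 * <p>The allow-list is read from {@code DuracloudUserDetails.getIpLimits()}. A null or
 * empty value means the user has no IP restriction. Otherwise the value is split on
 * {@code BuilderHelper.TOKEN_SEPARATOR} and each entry is handed to
 * {@link IpAddressMatcher}.
 *
 * <p>NOTE(review): this listing is decompiled output. The separator constant was most
 * likely a string literal in the original source that the decompiler resolved to an
 * unrelated class's constant; confirm the delimiter against the upstream project.
 */
public class DuracloudAuthProvider extends DaoAuthenticationProvider {
    private final Logger log = LoggerFactory.getLogger(DuracloudAuthProvider.class);

    /**
     * Wires the provider to its user store and password encoder.
     *
     * @param duracloudUserDetailsService service used to load user records
     * @param obj value passed straight to {@code setPasswordEncoder}; typed as
     *            {@code Object} in this listing (presumably a password encoder; confirm
     *            against the Spring Security version in use)
     */
    public DuracloudAuthProvider(DuracloudUserDetailsService duracloudUserDetailsService, Object obj) {
        super.setUserDetailsService(duracloudUserDetailsService);
        super.setPasswordEncoder(obj);
    }

    /**
     * Runs the superclass checks, then rejects the request unless the caller's remote
     * address falls inside one of the user's configured IP ranges.
     *
     * <p>The decompiler reports that it widened this method's access from
     * {@code protected}; the signature is kept as listed.
     *
     * <p>NOTE(review): the address compared here is whatever
     * {@link WebAuthenticationDetails#getRemoteAddress()} recorded for the request.
     * Behind a reverse proxy or load balancer that is normally the proxy's address
     * unless the container is configured to substitute a trusted forwarded address.
     * Confirm the deployment, otherwise the allow-list is evaluated against the wrong host.
     *
     * @param userDetails the loaded user; must be a {@code DuracloudUserDetails}
     * @param usernamePasswordAuthenticationToken the authentication request being checked
     * @throws AuthenticationException if the superclass checks fail, if the remote
     *         address cannot be determined while IP limits are set, or if the remote
     *         address matches none of the configured ranges
     */
    @Override
    public void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken) throws AuthenticationException {
        super.additionalAuthenticationChecks(userDetails, usernamePasswordAuthenticationToken);
        DuracloudUserDetails duracloudUserDetails = (DuracloudUserDetails) userDetails;
        String username = duracloudUserDetails.getUsername();
        String ipLimits = duracloudUserDetails.getIpLimits();
        if (ipLimits == null || ipLimits.isEmpty()) {
            this.log.debug("Allowing authentication check to continue for user {} because no IP limits are defined", username);
            return;
        }

        // Fail closed with an AuthenticationException (rather than a ClassCastException or
        // NullPointerException) when the token carries no web details: a restricted user
        // must not be evaluated without a source address.
        Object details = usernamePasswordAuthenticationToken.getDetails();
        String remoteAddress = null;
        if (details instanceof WebAuthenticationDetails) {
            remoteAddress = ((WebAuthenticationDetails) details).getRemoteAddress();
        }
        if (remoteAddress == null) {
            this.log.debug("Denying authentication request for user {} because IP limits are defined but no remote address is available", username);
            throw new InsufficientAuthenticationException("Originating IP for authentication request could not be determined.");
        }

        for (String entry : ipLimits.split(BuilderHelper.TOKEN_SEPARATOR)) {
            // Tolerate "a; b" style lists and stray separators. A blank entry is never a
            // valid range and must not reach the matcher, whose handling of an empty
            // address string may vary by Spring Security version.
            String range = entry.trim();
            if (range.isEmpty()) {
                continue;
            }
            boolean matched;
            try {
                matched = ipInRange(remoteAddress, range);
            } catch (IllegalArgumentException e) {
                // A malformed entry grants nothing; keep evaluating the remaining ranges
                // so one bad value does not turn the check into an unrelated runtime error.
                this.log.warn("Ignoring unparseable IP range {} configured for user {}", range, username, e);
                matched = false;
            }
            if (matched) {
                this.log.debug("Allowing authentication check to continue for user {} because their IP {} exists in a valid range {}", username, remoteAddress, range);
                return;
            }
        }

        // NOTE(review): denials are only visible at debug level; consider whether this
        // event should be recorded at a level that is retained for audit.
        this.log.debug("Denying authentication request for user {} because their IP {} does not match any valid ranges {}", username, remoteAddress, ipLimits);
        throw new InsufficientAuthenticationException("Originating IP for authentication request " + remoteAddress + " is not in an accepted range.");
    }

    /**
     * Tests whether an address falls inside a single configured range.
     *
     * @param str the remote address to test
     * @param str2 the range specification handed to {@link IpAddressMatcher}
     * @return {@code true} if the matcher built from {@code str2} matches {@code str}
     */
    protected boolean ipInRange(String str, String str2) {
        return new IpAddressMatcher(str2).matches(str);
    }
}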
