package org.pentaho.platform.web.http.security;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.pentaho.platform.api.security.ILoginAttemptService;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/* loaded from: input_file:org/pentaho/platform/web/http/security/PreventBruteForceUsernamePasswordAuthenticationFilter.class */
public class PreventBruteForceUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    private ILoginAttemptService loginAttemptService;

    public PreventBruteForceUsernamePasswordAuthenticationFilter(ILoginAttemptService iLoginAttemptService) {
        this.loginAttemptService = iLoginAttemptService;
    }

    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (this.loginAttemptService.isBlocked(getClientIp(httpServletRequest))) {
            throw new PreventBruteForceException("Authentication blocked to prevent brute force login");
        }
        return super.attemptAuthentication(httpServletRequest, httpServletResponse);
    }

    private String getClientIp(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("X-Forwarded-For");
        return header == null ? httpServletRequest.getRemoteAddr() : header.split(",")[0];
    }
}
