package org.jboss.jms.server.security;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.jms.JMSSecurityException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import org.jboss.jms.server.SecurityStore;
import org.jboss.logging.Logger;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.RealmMapping;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.SubjectSecurityManager;
import org.w3c.dom.Element;

/* loaded from: input_file:org/jboss/jms/server/security/SecurityMetadataStore.class */
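/**
 * {@link SecurityStore} implementation that keeps per-destination security
 * metadata in memory and delegates authentication and role checks to the
 * security manager bound in JNDI under the configured security domain.
 *
 * <p>One account is handled outside the security manager: {@link #SUCKER_USER}.
 * It is authenticated against the password set through
 * {@link #setSuckerPassword(String)} and is granted READ and WRITE on every
 * destination without a role lookup. Deployments should therefore treat the
 * sucker password as a cluster-wide credential and change it from
 * {@link #DEFAULT_SUCKER_USER_PASSWORD}.
 *
 * <p>NOTE(review): the two configuration maps are plain {@link HashMap}s and
 * nothing in this class synchronizes access to them; confirm how callers
 * serialize configuration changes against lookups.
 */
public class SecurityMetadataStore implements SecurityStore {
    private static final Logger log = Logger.getLogger(SecurityMetadataStore.class);

    /** User name reserved for the MessageSucker component. */
    public static final String SUCKER_USER = "JBM.SUCKER";

    /** Installation default for the sucker password; using it only triggers a warning. */
    public static final String DEFAULT_SUCKER_USER_PASSWORD = "CHANGE ME!!";

    // Captured once at construction; later changes to the logger level are not seen.
    private boolean trace = log.isTraceEnabled();

    // Destination name -> security metadata, one map per destination kind.
    private Map<String, SecurityMetadata> queueSecurityConf = new HashMap<String, SecurityMetadata>();
    private Map<String, SecurityMetadata> topicSecurityConf = new HashMap<String, SecurityMetadata>();

    private AuthenticationManager authenticationManager;
    private RealmMapping realmMapping;
    private Element defaultSecurityConfig;
    private String securityDomain;
    private String suckerPassword;

    /**
     * Returns the security metadata for a destination, falling back to the
     * default configuration and then to a no-argument {@link SecurityMetadata}.
     *
     * <p>NOTE(review): the log text calls the last fallback "guest"; which
     * permissions a no-argument SecurityMetadata grants is not visible in this
     * class. Confirm that this is an acceptable result for a destination with
     * no (or a broken) configuration, since the method never denies outright.
     *
     * @param z   {@code true} for a queue, {@code false} for a topic
     * @param str destination name
     * @return the configured, default or fallback metadata; never {@code null}
     */
    @Override
    public SecurityMetadata getSecurityMetadata(boolean z, String str) {
        Map<String, SecurityMetadata> conf = z ? this.queueSecurityConf : this.topicSecurityConf;
        SecurityMetadata securityMetadata = conf.get(str);
        if (securityMetadata != null) {
            return securityMetadata;
        }
        if (this.defaultSecurityConfig == null) {
            log.warn("No SecurityMetadadata was available for " + str + ", adding guest");
            return new SecurityMetadata();
        }
        log.debug("No SecurityMetadadata was available for " + str + ", using default security config");
        try {
            return new SecurityMetadata(this.defaultSecurityConfig);
        } catch (Exception e) {
            // The original message put the destination name after "guest", which read
            // as if the name were the guest identity.
            log.warn("Unable to apply default security for " + str + ", using guest", e);
            return new SecurityMetadata();
        }
    }

    /**
     * Stores the security configuration for a destination, or removes it when
     * {@code element} is {@code null}.
     *
     * @param z       {@code true} for a queue, {@code false} for a topic
     * @param str     destination name
     * @param element configuration element, or {@code null} to clear
     * @throws Exception if {@link SecurityMetadata} rejects the element
     */
    @Override
    public void setSecurityConfig(boolean z, String str, Element element) throws Exception {
        if (this.trace) {
            log.trace("adding security configuration for " + (z ? "queue " : "topic ") + str);
        }
        if (element == null) {
            clearSecurityConfig(z, str);
            return;
        }
        // Parse before touching the map so a bad element leaves the old entry in place.
        SecurityMetadata securityMetadata = new SecurityMetadata(element);
        (z ? this.queueSecurityConf : this.topicSecurityConf).put(str, securityMetadata);
    }

    /**
     * Removes the security configuration of a destination, if any.
     *
     * @param z   {@code true} for a queue, {@code false} for a topic
     * @param str destination name
     */
    @Override
    public void clearSecurityConfig(boolean z, String str) throws Exception {
        if (this.trace) {
            log.trace("clearing security configuration for " + (z ? "queue " : "topic ") + str);
        }
        (z ? this.queueSecurityConf : this.topicSecurityConf).remove(str);
    }

    /**
     * Authenticates a user and pushes the resulting subject context.
     *
     * <p>{@link #SUCKER_USER} is checked against the configured sucker password
     * only; the security manager is not consulted and the returned
     * {@link Subject} is the empty one created here. Every other user is
     * validated by the {@link AuthenticationManager}.
     *
     * @param str  user name
     * @param str2 password, may be {@code null}
     * @return the subject for the authenticated user
     * @throws JMSSecurityException if the credentials are not accepted
     */
    @Override
    public Subject authenticate(String str, String str2) throws JMSSecurityException {
        if (this.trace) {
            log.trace("authenticating user " + str);
        }
        SimplePrincipal simplePrincipal = new SimplePrincipal(str);
        char[] cArr = str2 == null ? null : str2.toCharArray();
        Subject subject = new Subject();
        boolean isValid;
        if (SUCKER_USER.equals(str)) {
            if (this.trace) {
                log.trace("Authenticating sucker user");
            }
            // Warns whenever the default password is presented, even if the configured
            // one has been changed; such a warning can indicate someone trying the default.
            checkDefaultSuckerPassword(str2);
            isValid = suckerPasswordMatches(str2);
        } else {
            isValid = this.authenticationManager.isValid(simplePrincipal, cArr, subject);
        }
        if (!isValid) {
            throw new JMSSecurityException("User " + str + " is NOT authenticated");
        }
        SecurityActions.pushSubjectContext(simplePrincipal, cArr, subject);
        return subject;
    }

    /**
     * Decides whether a user may perform the given kind of access.
     *
     * <p>The decision is keyed on the user name alone: {@link #SUCKER_USER} is
     * granted READ and WRITE without any role lookup, so callers must only pass
     * a name that has already been through {@link #authenticate}.
     *
     * @param str       user name, may be {@code null}
     * @param set       roles allowed to perform the access
     * @param checkType kind of access being checked
     * @return {@code true} if the access is allowed
     */
    @Override
    public boolean authorize(String str, Set set, CheckType checkType) {
        if (this.trace) {
            // Concatenation instead of set.toString() so a null set cannot break tracing.
            log.trace("authorizing user " + str + " for role(s) " + set);
        }
        if (SUCKER_USER.equals(str)) {
            return checkType.equals(CheckType.READ) || checkType.equals(CheckType.WRITE);
        }
        if (this.realmMapping == null) {
            // Fail closed instead of with a NullPointerException when no role
            // mapping was obtained in start().
            log.warn("No RealmMapping available, denying access for user " + str);
            return false;
        }
        boolean doesUserHaveRole = this.realmMapping.doesUserHaveRole(str == null ? null : new SimplePrincipal(str), set);
        if (this.trace) {
            log.trace("user " + str + (doesUserHaveRole ? " is " : " is NOT ") + "authorized");
        }
        return doesUserHaveRole;
    }

    /**
     * Sets the password expected from {@link #SUCKER_USER}. The installation
     * default is accepted but logged as a warning.
     *
     * @param str new sucker password
     */
    public void setSuckerPassword(String str) {
        checkDefaultSuckerPassword(str);
        this.suckerPassword = str;
    }

    /**
     * Looks up the security manager for the configured security domain.
     *
     * <p>If the plain lookup fails and the domain does not already start with
     * {@code java:/jaas/}, the lookup is retried with that prefix.
     *
     * @throws NamingException if no security manager can be found
     */
    public void start() throws NamingException {
        if (this.trace) {
            log.trace("initializing SecurityMetadataStore");
        }
        InitialContext initialContext = new InitialContext();
        try {
            Object lookup = initialContext.lookup(this.securityDomain);
            log.debug("JaasSecurityManager is " + lookup);
            this.authenticationManager = (AuthenticationManager) lookup;
            this.realmMapping = (RealmMapping) lookup;
            log.trace("SecurityMetadataStore initialized");
        } catch (NamingException e) {
            log.warn("Failed to lookup securityDomain " + this.securityDomain, e);
            if (this.securityDomain.startsWith("java:/jaas/")) {
                throw e;
            }
            Object fallback = initialContext.lookup("java:/jaas/" + this.securityDomain);
            this.authenticationManager = (SubjectSecurityManager) fallback;
            // The original fallback set only the authentication manager, leaving
            // realmMapping null so that every later authorize() call failed.
            if (fallback instanceof RealmMapping) {
                this.realmMapping = (RealmMapping) fallback;
            } else {
                log.warn("Security manager for " + this.securityDomain + " is not a RealmMapping, authorization will be denied");
            }
        } finally {
            initialContext.close();
        }
    }

    /** Does nothing; present for the service lifecycle. */
    public void stop() throws Exception {
    }

    /** @return the JNDI name of the security domain */
    public String getSecurityDomain() {
        return this.securityDomain;
    }

    /** @param str JNDI name of the security domain used by {@link #start()} */
    public void setSecurityDomain(String str) {
        this.securityDomain = str;
    }

    /** @return the element used when a destination has no configuration of its own */
    public Element getDefaultSecurityConfig() {
        return this.defaultSecurityConfig;
    }

    /**
     * Sets the default security configuration after checking that it parses.
     *
     * @param element default configuration element
     * @throws Exception if {@link SecurityMetadata} rejects the element
     */
    public void setDefaultSecurityConfig(Element element) throws Exception {
        // Constructed only to validate; the element is kept and re-parsed on use.
        new SecurityMetadata(element);
        this.defaultSecurityConfig = element;
    }

    /** Logs a warning when the given password is the installation default. */
    private void checkDefaultSuckerPassword(String str) {
        if (DEFAULT_SUCKER_USER_PASSWORD.equals(str)) {
            log.warn("WARNING! POTENTIAL SECURITY RISK. It has been detected that the MessageSucker component which sucks messages from one node to another has not had its password changed from the installation default. Please see the userguide for instructions on how to do this.");
        }
    }

    /**
     * Compares a supplied password with the configured sucker password.
     * Returns {@code false} when either side is {@code null}, so an
     * unconfigured password can never be matched, and uses
     * {@link MessageDigest#isEqual} rather than {@link String#equals}, which
     * stops at the first differing character.
     */
    private boolean suckerPasswordMatches(String supplied) {
        String expected = this.suckerPassword;
        if (expected == null || supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }
}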
