package org.jboss.mq.security;

import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Set;
import javax.jms.JMSException;
import javax.jms.JMSSecurityException;
import javax.management.MBeanServer;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import org.jboss.mq.ConnectionToken;
import org.jboss.mq.server.JMSServerInterceptor;
import org.jboss.mq.server.jmx.InterceptorMBeanSupport;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.SubjectSecurityManager;
import org.w3c.dom.Element;

/* loaded from: input_file:org/jboss/mq/security/SecurityManager.class */
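/**
 * JMX-managed security service for JBossMQ.
 *
 * <p>Authenticates JMS users against the {@link SubjectSecurityManager} bound under
 * {@link #securityDomain}, caches the resulting {@link Subject} per generated session id,
 * and answers role-membership queries for those sessions. Per-destination
 * {@link SecurityMetadata} is configured through the MBean interface and, when absent,
 * derived from {@link #defaultSecurityConfig} or a guest default.
 *
 * <p>{@link #authCache} is guarded by its own monitor on every read and write.
 * {@link #securityConf} is not synchronized.
 */
public class SecurityManager extends InterceptorMBeanSupport implements SecurityManagerMBean {
    private ObjectName name;
    Context securityCtx;
    // Session id -> SubjectInfo for every authenticated connection. Guarded by synchronized (authCache).
    HashMap<String, SubjectInfo> authCache = new HashMap<String, SubjectInfo>(32);
    // Destination name -> SecurityMetadata; filled via addDestination() and lazily by getSecurityMetadata().
    HashMap<String, SecurityMetadata> securityConf = new HashMap<String, SecurityMetadata>(32);
    ServerSecurityInterceptor interceptor;
    SubjectSecurityManager sec;
    SessionIDGenerator idGenerator;
    Element defaultSecurityConfig;
    String securityDomain;

    /**
     * Per-session record of an authenticated user: the JAAS subject, the principal the
     * session acts as, and the "Roles" group. {@link #roles} is {@code null} when the
     * login produced no group named "Roles" (see {@link #addId}).
     */
    public static class SubjectInfo {
        Subject subject;
        Principal principal;
        Group roles;

        SubjectInfo() {
        }

        @Override
        public String toString() {
            // Plain concatenation renders a missing roles group as "null" instead of throwing;
            // authorize() logs this string before it checks roles for null.
            return "SubjectInfo {subject=" + this.subject + ";principal=" + this.principal + ";roles=" + this.roles;
        }
    }

    /**
     * Records and returns the MBean name, falling back to {@code OBJECT_NAME} when the
     * deployer supplied none.
     */
    protected ObjectName getObjectName(MBeanServer mBeanServer, ObjectName objectName) throws MalformedObjectNameException {
        this.name = objectName == null ? OBJECT_NAME : objectName;
        return this.name;
    }

    /** @return the interceptor created in {@link #startService}; {@code null} before the service started */
    public JMSServerInterceptor getInvoker() {
        return this.interceptor;
    }

    @Override // org.jboss.mq.security.SecurityManagerMBean
    public Element getDefaultSecurityConfig() {
        return this.defaultSecurityConfig;
    }

    /**
     * Stores the default security configuration. The element is parsed once so that any
     * exception raised by {@link SecurityMetadata} surfaces at configuration time; the
     * parsed result itself is discarded.
     *
     * @throws Exception if the element cannot be parsed into {@link SecurityMetadata}
     */
    @Override // org.jboss.mq.security.SecurityManagerMBean
    public void setDefaultSecurityConfig(Element element) throws Exception {
        this.defaultSecurityConfig = element;
        new SecurityMetadata(element);
    }

    @Override // org.jboss.mq.security.SecurityManagerMBean
    public String getSecurityDomain() {
        return this.securityDomain;
    }

    /** Sets the JNDI name of the security domain; only read when the service starts. */
    @Override // org.jboss.mq.security.SecurityManagerMBean
    public void setSecurityDomain(String str) {
        this.securityDomain = str;
    }

    /**
     * Renders the authentication cache for diagnostics.
     *
     * <p>The cache contents (principals and role groups) are sensitive; this is intended
     * for administrators via JMX only.
     */
    public String printAuthCache() {
        // Taken under the cache monitor so a concurrent addId()/removeId() cannot cause
        // a ConcurrentModificationException during toString().
        synchronized (this.authCache) {
            return this.authCache.toString();
        }
    }

    /**
     * Registers the security configuration for a destination, replacing any earlier entry.
     *
     * @throws Exception if the element cannot be parsed into {@link SecurityMetadata}
     */
    @Override // org.jboss.mq.security.SecurityManagerMBean
    public void addDestination(String str, Element element) throws Exception {
        this.securityConf.put(str, new SecurityMetadata(element));
    }

    /**
     * Registers the security configuration for a destination from its string form,
     * replacing any earlier entry.
     *
     * @throws Exception if the string cannot be parsed into {@link SecurityMetadata}
     */
    @Override // org.jboss.mq.security.SecurityManagerMBean
    public void addDestination(String str, String str2) throws Exception {
        this.securityConf.put(str, new SecurityMetadata(str2));
    }

    /** Drops the configuration for a destination; a later lookup falls back to the default or guest. */
    @Override // org.jboss.mq.security.SecurityManagerMBean
    public void removeDestination(String str) throws Exception {
        this.securityConf.remove(str);
    }

    /**
     * Returns the security configuration for a destination.
     *
     * <p>When none is registered, one is built from {@link #defaultSecurityConfig}; if that
     * is unset or fails to parse, a guest {@link SecurityMetadata} is used. Whatever was
     * chosen is cached in {@link #securityConf}, so the fallback is decided once per name.
     *
     * @param str destination name
     * @return the registered, default-derived or guest metadata; never {@code null}
     */
    public SecurityMetadata getSecurityMetadata(String str) {
        SecurityMetadata securityMetadata = this.securityConf.get(str);
        if (securityMetadata != null) {
            return securityMetadata;
        }
        if (this.defaultSecurityConfig != null) {
            this.log.debug("No SecurityMetadadata was available for " + str + " using default security config");
            try {
                securityMetadata = new SecurityMetadata(this.defaultSecurityConfig);
            } catch (Exception e) {
                // A broken default must not block the destination; degrade to guest and say so.
                this.log.warn("Unable to apply default security for destName, using guest " + str, e);
                securityMetadata = new SecurityMetadata();
            }
        } else {
            this.log.warn("No SecurityMetadadata was available for " + str + " adding guest");
            securityMetadata = new SecurityMetadata();
        }
        this.securityConf.put(str, securityMetadata);
        return securityMetadata;
    }

    /**
     * Resolves the security domain from JNDI, creates the interceptor and the session id
     * generator, then starts the interceptor chain.
     *
     * @throws IllegalStateException if {@link #securityDomain} was never configured
     * @throws NamingException if the domain is bound neither under its own name nor under
     *         the {@code java:/jaas/} prefix
     */
    @Override // org.jboss.mq.server.jmx.InterceptorMBeanSupport
    public void startService() throws Exception {
        if (this.securityDomain == null) {
            throw new IllegalStateException("securityDomain must be configured before SecurityManager is started");
        }
        InitialContext initialContext = new InitialContext();
        try {
            this.sec = lookupSecurityManager(initialContext);
        } finally {
            // The context is only needed for the lookup; release it instead of leaving it open.
            try {
                initialContext.close();
            } catch (NamingException ignored) {
                // best-effort cleanup; a close failure must not hide the lookup outcome
            }
        }
        this.interceptor = new ServerSecurityInterceptor(this);
        this.idGenerator = new SessionIDGenerator();
        super.startService();
    }

    /**
     * Looks up {@link #securityDomain}; if the bare name is not bound and does not already
     * carry the {@code java:/jaas/} prefix, retries with that prefix.
     */
    private SubjectSecurityManager lookupSecurityManager(Context ctx) throws NamingException {
        try {
            return (SubjectSecurityManager) ctx.lookup(this.securityDomain);
        } catch (NamingException e) {
            this.log.debug("Failed to lookup securityDomain=" + this.securityDomain, e);
            if (this.securityDomain.startsWith("java:/jaas/")) {
                throw e;
            }
            return (SubjectSecurityManager) ctx.lookup("java:/jaas/" + this.securityDomain);
        }
    }

    /** No-op: the interceptor and cached sessions are left in place on stop. */
    public void stopService() throws Exception {
    }

    /**
     * Authenticates a user and opens a session for it.
     *
     * @param str  user name
     * @param str2 password, or {@code null} for no credential
     * @return the newly generated session id under which the subject is cached
     * @throws JMSSecurityException if the security manager rejects the credentials or no
     *         session id could be generated
     */
    public String authenticate(String str, String str2) throws JMSException {
        boolean isTraceEnabled = this.log.isTraceEnabled();
        SimplePrincipal simplePrincipal = new SimplePrincipal(str);
        char[] cArr = str2 == null ? null : str2.toCharArray();
        Subject subject = new Subject();
        // NOTE(review): the password array is handed to the security manager and not cleared
        // afterwards; it is presumably retained by the manager's credential cache — confirm
        // before zeroing it here.
        if (!this.sec.isValid(simplePrincipal, cArr, subject)) {
            if (isTraceEnabled) {
                this.log.trace("User: " + str + " is NOT authenticated");
            }
            throw new JMSSecurityException("User: " + str + " is NOT authenticated");
        }
        if (isTraceEnabled) {
            this.log.trace("Username: " + str + " is authenticated");
        }
        String generateId = generateId(subject);
        addId(generateId, subject, simplePrincipal);
        return generateId;
    }

    /**
     * Checks whether the session behind {@code connectionToken} holds any of the given roles.
     *
     * @param connectionToken token whose session id identifies the cached subject
     * @param set             {@link Principal}s, at least one of which must be a member of
     *                        the session's "Roles" group
     * @return {@code true} if some principal in {@code set} is a member of the roles group;
     *         {@code false} if none is or the session has no roles group
     * @throws JMSSecurityException if the session id is not in the cache
     */
    public boolean authorize(ConnectionToken connectionToken, Set set) throws JMSException {
        boolean isTraceEnabled = this.log.isTraceEnabled();
        SubjectInfo subjectInfo;
        // Read under the same monitor addId()/removeId() use; HashMap is not safe for
        // unsynchronized reads concurrent with writes.
        synchronized (this.authCache) {
            subjectInfo = this.authCache.get(connectionToken.getSessionId());
        }
        if (subjectInfo == null) {
            throw new JMSSecurityException("User session is not valid");
        }
        if (isTraceEnabled) {
            this.log.trace("Checking authorize on subjectInfo: " + subjectInfo.toString() + " for rolePrincipals " + set.toString());
        }
        Group group = subjectInfo.roles;
        if (group == null) {
            return false;
        }
        for (Object rolePrincipal : set) {
            if (group.isMember((Principal) rolePrincipal)) {
                return true;
            }
        }
        return false;
    }

    /** Ends the session for the token, if any; a {@code null} token is ignored. */
    public void logout(ConnectionToken connectionToken) {
        if (connectionToken == null) {
            return;
        }
        removeId(connectionToken.getSessionId());
    }

    /**
     * Caches the authenticated subject under a session id.
     *
     * <p>The groups on the subject are inspected: the first member of a group named
     * "CallerPrincipal" replaces the login principal, and a group named "Roles" becomes the
     * session's roles. If no principal is known after that, the last non-group principal on
     * the subject is used.
     *
     * @param str       session id
     * @param subject   subject populated by the security manager
     * @param principal principal the user logged in as; may be {@code null}
     */
    private void addId(String str, Subject subject, Principal principal) {
        boolean isTraceEnabled = this.log.isTraceEnabled();
        SubjectInfo subjectInfo = new SubjectInfo();
        subjectInfo.subject = subject;
        subjectInfo.principal = principal;
        for (Group group : subject.getPrincipals(Group.class)) {
            String groupName = group.getName();
            if (groupName.equals("CallerPrincipal")) {
                Enumeration<? extends Principal> members = group.members();
                if (members.hasMoreElements()) {
                    subjectInfo.principal = members.nextElement();
                }
            } else if (groupName.equals("Roles")) {
                if (isTraceEnabled) {
                    this.log.trace("Adding group : " + group.getClass() + " " + group.toString());
                }
                subjectInfo.roles = group;
            }
        }
        if (principal == null && subjectInfo.principal == null) {
            // Last non-group principal wins; groups were already handled above.
            for (Principal candidate : subject.getPrincipals(Principal.class)) {
                if (!(candidate instanceof Group)) {
                    subjectInfo.principal = candidate;
                }
            }
        }
        synchronized (this.authCache) {
            this.authCache.put(str, subjectInfo);
        }
    }

    /** Removes a session from the cache; unknown ids are ignored. */
    private void removeId(String str) {
        synchronized (this.authCache) {
            this.authCache.remove(str);
        }
    }

    /**
     * Produces a new session id from {@link #idGenerator}.
     *
     * @param subject unused; kept for the caller's signature
     * @throws JMSSecurityException if the generator fails; the cause is logged, not propagated
     */
    private String generateId(Subject subject) throws JMSException {
        try {
            return this.idGenerator.nextSessionId();
        } catch (Exception e) {
            this.log.error("Could not generate a secure sessionID", e);
            throw new JMSSecurityException("Could not generate a secure sessionID");
        }
    }

    @Override // org.jboss.mq.server.jmx.InterceptorMBean
    public JMSServerInterceptor getInterceptor() {
        return this.interceptor;
    }
}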
