package org.fusesource.fabric.security.sso.activemq;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArrayList;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;
import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.broker.ProducerBrokerExchange;
import org.apache.activemq.broker.region.Subscription;
import org.apache.activemq.command.ActiveMQDestination;
import org.apache.activemq.command.ConnectionInfo;
import org.apache.activemq.command.ConsumerInfo;
import org.apache.activemq.command.Message;
import org.apache.activemq.command.ProducerInfo;
import org.apache.activemq.jaas.JassCredentialCallbackHandler;
import org.apache.activemq.security.SecurityContext;
import org.fusesource.fabric.security.sso.client.OpenAMRestClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/fusesource/fabric/security/sso/activemq/OpenAMAuthenticationBroker.class */
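/**
 * Broker filter that authenticates ActiveMQ connections through JAAS (the login
 * configuration name is supplied at construction) and authorizes producer,
 * consumer and, optionally, send operations against OpenAM via
 * {@link OpenAMRestClient}.
 *
 * <p>The SSO token used for authorization is taken from a {@code TokenPrincipal}
 * in the connection's {@link Subject}; for {@link #send} it is read from (or
 * first copied into) the {@code SSO_TOKEN} message property.
 *
 * <p>Security-relevant logging rule for this class: the SSO token is a session
 * credential and must never be written to the log, and neither must the raw
 * {@link ConnectionInfo} (it carries the password) or the {@link Subject}
 * (its principals include the token).
 */
public class OpenAMAuthenticationBroker extends BrokerFilter {
    /** Message property carrying the OpenAM SSO token on published messages. */
    private static final String SSO_TOKEN_PROPERTY = "SSO_TOKEN";

    private static final Logger LOG = LoggerFactory.getLogger(OpenAMAuthenticationBroker.class);
    /** REST client used for every authorization decision. */
    private final OpenAMRestClient client;
    /** Name of the JAAS login configuration entry used for connection login. */
    private final String jassConfiguration;
    /** Contexts created by this filter; cleared on disconnect and refreshed by {@link #refresh()}. */
    private final CopyOnWriteArrayList<SecurityContext> securityContexts = new CopyOnWriteArrayList<>();
    /** When true, every {@link #send} is authorized against OpenAM too (default: false). */
    private boolean authorizeSend = false;

    /**
     * Security context that keeps the JAAS {@link Subject} and {@link LoginContext}
     * so the session can be logged out when the connection is removed.
     */
    static class OpenAMSecurityContext extends SecurityContext {
        private final Subject subject;
        private final LoginContext lc;

        /**
         * @param str          user name the context is created for
         * @param subject      authenticated JAAS subject
         * @param loginContext login context to be logged out on disconnect
         */
        public OpenAMSecurityContext(String str, Subject subject, LoginContext loginContext) {
            super(str);
            this.subject = subject;
            this.lc = loginContext;
        }

        /** Principals of the authenticated subject (includes the token principal, if any). */
        public Set<Principal> getPrincipals() {
            return subject.getPrincipals();
        }

        /** Login context associated with this connection; used for logout. */
        public LoginContext getLoginContext() {
            return lc;
        }
    }

    /**
     * @param broker           broker to delegate to
     * @param str              JAAS login configuration name
     * @param openAMRestClient client used for authorization calls
     */
    public OpenAMAuthenticationBroker(Broker broker, String str, OpenAMRestClient openAMRestClient) {
        super(broker);
        this.jassConfiguration = str;
        this.client = openAMRestClient;
    }

    /**
     * Enables or disables per-message authorization in {@link #send}.
     *
     * @param z true to authorize each send against OpenAM
     */
    public void setAuthorizeSend(boolean z) {
        this.authorizeSend = z;
    }

    /**
     * Authenticates the connection via JAAS if it has no security context yet,
     * then delegates to the wrapped broker.
     *
     * @throws SecurityException if login fails; the original exception is attached as cause
     */
    public void addConnection(ConnectionContext connectionContext, ConnectionInfo connectionInfo) throws Exception {
        // Log identifying fields only: ConnectionInfo carries the password and whether
        // its toString() masks it depends on the ActiveMQ version.
        LOG.info("Adding connection for user {} (clientId {})",
                connectionInfo.getUserName(), connectionInfo.getClientId());
        if (connectionContext.getSecurityContext() == null) {
            ClassLoader originalLoader = Thread.currentThread().getContextClassLoader();
            // JAAS locates the login module through the thread context class loader;
            // point it at this class's loader for the duration of the login.
            Thread.currentThread().setContextClassLoader(OpenAMAuthenticationBroker.class.getClassLoader());
            try {
                LoginContext loginContext = new LoginContext(jassConfiguration,
                        new JassCredentialCallbackHandler(connectionInfo.getUserName(), connectionInfo.getPassword()));
                loginContext.login();
                Subject subject = loginContext.getSubject();
                // Never log the Subject itself: its principals include the SSO token.
                LOG.debug("Login succeeded for user {}", connectionInfo.getUserName());
                OpenAMSecurityContext securityContext =
                        new OpenAMSecurityContext(connectionInfo.getUserName(), subject, loginContext);
                connectionContext.setSecurityContext(securityContext);
                securityContexts.add(securityContext);
            } catch (Exception e) {
                // Deliberately generic message to the client; the real reason stays in the cause.
                throw (SecurityException) new SecurityException("User name or password is invalid.").initCause(e);
            } finally {
                Thread.currentThread().setContextClassLoader(originalLoader);
            }
        }
        super.addConnection(connectionContext, connectionInfo);
    }

    /**
     * Authorizes the producer's destination for the connection's token, then delegates.
     *
     * @throws SecurityException if OpenAM denies the "addProducer" action
     */
    public void addProducer(ConnectionContext connectionContext, ProducerInfo producerInfo) throws Exception {
        authorizeDestinations(producerInfo.getDestination(),
                getToken(connectionContext.getSecurityContext()), "addProducer");
        super.addProducer(connectionContext, producerInfo);
    }

    /**
     * Authorizes the consumer's destination for the connection's token, then delegates.
     *
     * @throws SecurityException if OpenAM denies the "addConsumer" action
     */
    public Subscription addConsumer(ConnectionContext connectionContext, ConsumerInfo consumerInfo) throws Exception {
        authorizeDestinations(consumerInfo.getDestination(),
                getToken(connectionContext.getSecurityContext()), "addConsumer");
        return super.addConsumer(connectionContext, consumerInfo);
    }

    /**
     * Ensures the message carries an SSO token (copying the producer connection's
     * token if absent), optionally authorizes the send, then delegates.
     *
     * @throws SecurityException if per-send authorization is enabled and fails,
     *                           or the token property has an unexpected type
     */
    public void send(ProducerBrokerExchange producerBrokerExchange, Message message) throws Exception {
        if (message.getProperty(SSO_TOKEN_PROPERTY) == null) {
            LOG.debug("No SSO token on incoming message; using the producer connection's token");
            addToken(producerBrokerExchange, message);
        } else {
            // NOTE(review): a token already present on the message is accepted as-is and is
            // not compared with the connection's own authenticated token. With authorizeSend
            // enabled OpenAM decides whether that token may act; otherwise it is forwarded
            // downstream unchecked.
            LOG.debug("SSO token present in incoming message");
        }
        if (authorizeSend) {
            authorizeDestinations(message.getDestination(), getToken(message), "send");
        }
        super.send(producerBrokerExchange, message);
    }

    /**
     * Asks OpenAM whether {@code token} may perform {@code action} on the destination,
     * recursing into composite destinations. A null destination is allowed through.
     *
     * @throws SecurityException if any (sub-)destination is denied
     */
    private void authorizeDestinations(ActiveMQDestination destination, String token, String action) {
        if (destination == null) {
            return;
        }
        if (destination.isComposite()) {
            for (ActiveMQDestination part : destination.getCompositeDestinations()) {
                authorizeDestinations(part, token, action);
            }
            return;
        }
        // Resource path is /<action>/<destination type>/<physical name>. The physical name is
        // inserted verbatim; TODO confirm OpenAMRestClient escapes it before building the URL.
        String resource = "/" + action + "/" + destination.getDestinationTypeAsString()
                + "/" + destination.getPhysicalName();
        // The token is intentionally not logged.
        LOG.debug("Authorizing action {} for resource {}", action, client.getURLPrefix() + resource);
        if (!client.authorize(resource, token)) {
            throw new SecurityException(String.format(
                    "Client is not authorized to perform action \"%s\" on destination \"%s\"",
                    action, destination.getQualifiedName()));
        }
    }

    /**
     * Extracts the SSO token from the first {@code TokenPrincipal} in the context.
     *
     * @return the token, or {@code ""} when the context is null or holds no token
     *         principal (the empty string is then passed to OpenAM as-is)
     */
    private String getToken(SecurityContext securityContext) {
        if (securityContext == null) {
            return "";
        }
        for (Principal principal : securityContext.getPrincipals()) {
            if (principal instanceof TokenPrincipal) {
                return ((TokenPrincipal) principal).getName();
            }
        }
        return "";
    }

    /** Copies the producer connection's token into the message's {@code SSO_TOKEN} property. */
    private void addToken(ProducerBrokerExchange exchange, Message message) throws IOException {
        message.setProperty(SSO_TOKEN_PROPERTY,
                getToken(exchange.getConnectionContext().getSecurityContext()));
    }

    /**
     * Reads the SSO token from the message property as a {@code String} or UTF-8 bytes.
     *
     * @throws SecurityException if the property is missing or of another type
     */
    private String getToken(Message message) throws IOException {
        Object property = message.getProperty(SSO_TOKEN_PROPERTY);
        if (property == null) {
            throw new SecurityException("No SSO token available in message for verification");
        }
        if (property instanceof String) {
            return (String) property;
        }
        if (property instanceof byte[]) {
            // Explicit charset: new String(byte[]) would use the platform default.
            return new String((byte[]) property, StandardCharsets.UTF_8);
        }
        throw new SecurityException("Unrecognized SSO token format");
    }

    /**
     * Delegates removal, then logs out the JAAS session of a context this filter
     * created and detaches it from the connection.
     */
    public void removeConnection(ConnectionContext connectionContext, ConnectionInfo connectionInfo, Throwable th)
            throws Exception {
        super.removeConnection(connectionContext, connectionInfo, th);
        SecurityContext securityContext = connectionContext.getSecurityContext();
        // Only contexts this filter registered are logged out; others belong to another filter.
        if (securityContexts.remove(securityContext)) {
            if (securityContext instanceof OpenAMSecurityContext) {
                ((OpenAMSecurityContext) securityContext).getLoginContext().logout();
            }
            connectionContext.setSecurityContext(null);
        }
    }

    /**
     * Drops the cached authorized read/write destinations of every live context so
     * that the next operation is re-authorized against OpenAM.
     */
    public void refresh() {
        LOG.info(String.format("%s.%s", getClass().getSimpleName(), "refresh"));
        for (SecurityContext context : securityContexts) {
            context.getAuthorizedReadDests().clear();
            context.getAuthorizedWriteDests().clear();
        }
    }
}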
