package org.jboss.jms.server.container;

import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.jms.Destination;
import javax.jms.JMSSecurityException;
import javax.jms.Message;
import org.jboss.aop.joinpoint.Invocation;
import org.jboss.aop.joinpoint.MethodInvocation;
import org.jboss.jms.destination.JBossDestination;
import org.jboss.jms.message.JBossMessage;
import org.jboss.jms.server.SecurityStore;
import org.jboss.jms.server.endpoint.ServerConnectionEndpoint;
import org.jboss.jms.server.endpoint.ServerConsumerEndpoint;
import org.jboss.jms.server.endpoint.ServerSessionEndpoint;
import org.jboss.jms.server.endpoint.advised.ConnectionAdvised;
import org.jboss.jms.server.endpoint.advised.ConsumerAdvised;
import org.jboss.jms.server.endpoint.advised.SessionAdvised;
import org.jboss.jms.server.security.CheckType;
import org.jboss.jms.server.security.SecurityMetadata;
import org.jboss.jms.tx.ClientTransaction;
import org.jboss.jms.tx.TransactionRequest;
import org.jboss.logging.Logger;

/* loaded from: input_file:org/jboss/jms/server/container/SecurityAspect.class */
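/**
 * AOP aspect that checks destination permissions before a server-side JMS endpoint call proceeds.
 *
 * <p>Each {@code handle*} advice extracts the destination(s) involved in the intercepted call,
 * runs {@link #check} for the required {@link CheckType}, and only then calls
 * {@code invocation.invokeNext()}. A failed check surfaces as a {@link JMSSecurityException}.
 *
 * <p>Successful checks are remembered in three per-instance sets (read / write / create) that are
 * flushed every {@link #INVALIDATION_INTERVAL} milliseconds, so a permission change takes effect
 * within one interval at the latest.
 *
 * <p>Security-relevant properties a maintainer should keep in mind:
 * <ul>
 *   <li>The caches are keyed by destination and check type only, not by user. That is sound only
 *       if one aspect instance serves a single connection/user.
 *       NOTE(review): confirm the aspect's AOP scope in the binding configuration.</li>
 *   <li>The caches are plain {@code HashSet}s with no synchronization.
 *       NOTE(review): confirm an instance is never used from several threads at once.</li>
 *   <li>A cache hit skips both authentication and authorization for that call.</li>
 *   <li>Temporary destinations are never checked.</li>
 * </ul>
 */
public class SecurityAspect {
    private static final Logger log = Logger.getLogger(SecurityAspect.class);

    /** Maximum age, in milliseconds, of a cached "access granted" decision. */
    private static final long INVALIDATION_INTERVAL = 15000;

    // Trace flag is sampled once at construction; later log-level changes are not picked up.
    private boolean trace = log.isTraceEnabled();

    // Destinations for which a READ / WRITE / CREATE check has already succeeded in this window.
    private Set readCache = new HashSet();
    private Set writeCache = new HashSet();
    private Set createCache = new HashSet();

    // Wall-clock time (ms) at which the caches were last flushed; 0 until the first lookup.
    private long lastCheck;

    /**
     * Requires READ permission on the destination (argument 0) before a consumer is created.
     * When argument 3 is non-null, CREATE permission is required as well; the denial message in
     * {@link #check} suggests this argument is the durable subscription name — TODO confirm.
     *
     * @param invocation the intercepted call; must be a {@link MethodInvocation} on a {@link SessionAdvised}
     * @return whatever the rest of the interceptor chain returns
     * @throws Throwable a {@link JMSSecurityException} if access is denied, or anything the chain throws
     */
    public Object handleCreateConsumerDelegate(Invocation invocation) throws Throwable {
        MethodInvocation call = (MethodInvocation) invocation;
        Object[] args = call.getArguments();
        Destination destination = (Destination) args[0];
        ServerSessionEndpoint session = (ServerSessionEndpoint) ((SessionAdvised) invocation.getTargetObject()).getEndpoint();
        check(destination, CheckType.READ, session.getConnectionEndpoint());
        if (((String) args[3]) != null) {
            check(destination, CheckType.CREATE, session.getConnectionEndpoint());
        }
        return invocation.invokeNext();
    }

    /**
     * Requires READ permission on the destination (argument 0) before a browser is created.
     *
     * @param invocation the intercepted call; must be a {@link MethodInvocation} on a {@link SessionAdvised}
     * @return whatever the rest of the interceptor chain returns
     * @throws Throwable a {@link JMSSecurityException} if access is denied, or anything the chain throws
     */
    public Object handleCreateBrowserDelegate(Invocation invocation) throws Throwable {
        Destination destination = (Destination) ((MethodInvocation) invocation).getArguments()[0];
        ServerSessionEndpoint session = (ServerSessionEndpoint) ((SessionAdvised) invocation.getTargetObject()).getEndpoint();
        check(destination, CheckType.READ, session.getConnectionEndpoint());
        return invocation.invokeNext();
    }

    /**
     * Requires WRITE permission on the JMS destination carried by the message (argument 0).
     *
     * <p>A message without a destination makes {@link #check} fail with a
     * {@code NullPointerException}, so the send is still refused, just not with a
     * {@link JMSSecurityException}.
     *
     * @param invocation the intercepted call; must be a {@link MethodInvocation} on a {@link SessionAdvised}
     * @return whatever the rest of the interceptor chain returns
     * @throws Throwable a {@link JMSSecurityException} if access is denied, or anything the chain throws
     */
    public Object handleSend(Invocation invocation) throws Throwable {
        Message message = (Message) ((MethodInvocation) invocation).getArguments()[0];
        ServerSessionEndpoint session = (ServerSessionEndpoint) ((SessionAdvised) invocation.getTargetObject()).getEndpoint();
        check(message.getJMSDestination(), CheckType.WRITE, session.getConnectionEndpoint());
        return invocation.invokeNext();
    }

    /**
     * Requires WRITE permission on every distinct destination addressed by the messages of a
     * transaction request (argument 0). A request whose state is {@code null} is passed through
     * without any check.
     *
     * @param invocation the intercepted call; must be a {@link MethodInvocation} on a {@link ConnectionAdvised}
     * @return whatever the rest of the interceptor chain returns
     * @throws Throwable a {@link JMSSecurityException} if access is denied, or anything the chain throws
     */
    public Object handleSendTransaction(Invocation invocation) throws Throwable {
        ServerConnectionEndpoint connection = (ServerConnectionEndpoint) ((ConnectionAdvised) invocation.getTargetObject()).getEndpoint();
        ClientTransaction state = ((TransactionRequest) ((MethodInvocation) invocation).getArguments()[0]).getState();
        if (state != null) {
            // Collect destinations into a set first so each one is checked once per request.
            Set destinations = new HashSet();
            Iterator sessionIt = state.getSessionStates().iterator();
            while (sessionIt.hasNext()) {
                ClientTransaction.SessionTxState sessionState = (ClientTransaction.SessionTxState) sessionIt.next();
                Iterator msgIt = sessionState.getMsgs().iterator();
                while (msgIt.hasNext()) {
                    destinations.add(((JBossMessage) msgIt.next()).getJMSDestination());
                }
            }
            Iterator destIt = destinations.iterator();
            while (destIt.hasNext()) {
                check((Destination) destIt.next(), CheckType.WRITE, connection);
            }
        }
        return invocation.invokeNext();
    }

    /**
     * Requires READ permission on the destination of the intercepted consumer endpoint.
     * Unlike the {@code handle*} advices this method does not continue the interceptor chain.
     *
     * @param invocation the intercepted call; its target must be a {@link ConsumerAdvised}
     * @throws Throwable a {@link JMSSecurityException} if access is denied
     */
    protected void checkConsumerAccess(Invocation invocation) throws Throwable {
        ServerConsumerEndpoint consumer = (ServerConsumerEndpoint) ((ConsumerAdvised) invocation.getTargetObject()).getEndpoint();
        check(consumer.getDestination(), CheckType.READ, consumer.getSessionEndpoint().getConnectionEndpoint());
    }

    /**
     * Returns the cache that holds granted decisions for the given check type.
     * Type codes 0, 1 and 2 select the read, write and create cache respectively.
     *
     * @throws IllegalArgumentException for any other type code
     */
    private Set cacheFor(CheckType checkType) {
        switch (checkType.type) {
            case 0:
                return this.readCache;
            case 1:
                return this.writeCache;
            case 2:
                return this.createCache;
            default:
                throw new IllegalArgumentException("Invalid checkType:" + checkType);
        }
    }

    /**
     * Reports whether access of the given type to the destination was already granted within the
     * current invalidation window.
     *
     * <p>The window is anchored at the last flush, not at the last lookup. Refreshing the
     * timestamp on every lookup would keep the caches alive indefinitely on a connection that
     * performs a check at least once per interval, so a revoked permission would never be
     * re-evaluated.
     *
     * @return {@code true} only for a cache hit inside the window; {@code false} after a flush
     * @throws IllegalArgumentException if the check type has an unknown type code and the window
     *         has not expired
     */
    private boolean checkCached(Destination destination, CheckType checkType) {
        // Wall-clock based: a backwards clock step delays the next flush by the size of the step.
        long now = System.currentTimeMillis();
        if (now - this.lastCheck > INVALIDATION_INTERVAL) {
            this.readCache.clear();
            this.writeCache.clear();
            this.createCache.clear();
            // Restart the window only when the caches are actually flushed.
            this.lastCheck = now;
            return false;
        }
        return cacheFor(checkType).contains(destination);
    }

    /**
     * Verifies that the connection's user may perform {@code checkType} on {@code destination}.
     *
     * <p>Order of evaluation: temporary destinations are accepted without any check; a cache hit
     * is accepted without contacting the security store; otherwise the user is authenticated and
     * then authorized against the principals configured for the destination, and a successful
     * result is cached.
     *
     * @param destination the destination being accessed; must be a {@link JBossDestination}
     * @param checkType the kind of access requested
     * @param serverConnectionEndpoint supplies the security store and the user's credentials
     * @throws JMSSecurityException if no security metadata exists for the destination or the user
     *         is not authorized; {@code authenticate} may presumably throw it as well — TODO confirm
     */
    private void check(Destination destination, CheckType checkType, ServerConnectionEndpoint serverConnectionEndpoint) throws JMSSecurityException {
        JBossDestination jBossDestination = (JBossDestination) destination;
        if (jBossDestination.isTemporary()) {
            // Temporary destinations are exempt from permission checks by design of this aspect.
            if (this.trace) {
                log.trace("skipping permission check on temporary destination " + destination);
            }
            return;
        }
        if (this.trace) {
            log.trace("checking access permissions to " + destination);
        }
        if (checkCached(destination, checkType)) {
            return;
        }
        boolean isQueue = jBossDestination.isQueue();
        String name = jBossDestination.getName();
        SecurityStore securityManager = serverConnectionEndpoint.getSecurityManager();
        SecurityMetadata securityMetadata = securityManager.getSecurityMetadata(isQueue, name);
        if (securityMetadata == null) {
            // Fail closed: a destination without security configuration is not accessible.
            throw new JMSSecurityException("No security configuration avaliable for " + name);
        }
        String username = serverConnectionEndpoint.getUsername();
        securityManager.authenticate(username, serverConnectionEndpoint.getPassword());
        try {
            boolean authorized = securityManager.authorize(
                    username,
                    checkType == CheckType.READ
                            ? securityMetadata.getReadPrincipals()
                            : checkType == CheckType.WRITE
                                    ? securityMetadata.getWritePrincipals()
                                    : securityMetadata.getCreatePrincipals(),
                    checkType);
            if (!authorized) {
                String action;
                if (checkType == CheckType.READ) {
                    action = "read from";
                } else if (checkType == CheckType.WRITE) {
                    action = "write to";
                } else {
                    action = "create durable sub on";
                }
                throw new JMSSecurityException("User: " + serverConnectionEndpoint.getUsername() + " is not authorized to " + action + " destination " + name);
            }
            // Only a granted decision is cached; denials are re-evaluated on every call.
            cacheFor(checkType).add(destination);
        } finally {
            // Presumably undoes a subject context pushed by authenticate() — confirm in SecurityStore.
            SecurityActions.popSubjectContext();
        }
    }
}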
