package org.jboss.jms.server.jbosssx;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.jms.JMSSecurityException;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import org.jboss.jms.server.SecurityStore;
import org.jboss.jms.server.security.CheckType;
import org.jboss.jms.server.security.SecurityMetadata;
import org.jboss.logging.Logger;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.ISecurityManagement;
import org.jboss.security.SimplePrincipal;
import org.w3c.dom.Element;

/* loaded from: input_file:org/jboss/jms/server/jbosssx/JBossASSecurityMetadataStore.class */
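/**
 * {@link SecurityStore} that keeps per-destination {@link SecurityMetadata} in memory and
 * delegates authentication and role checks to the JBoss security managers of one security
 * domain (default {@code "messaging"}).
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The built-in {@code JBM.SUCKER} account is authenticated against a locally stored
 *       password instead of the security domain, and its authorization skips the role check.</li>
 *   <li>{@link #DEFAULT_SUCKER_USER_PASSWORD} is a publicly known installation default. Using it
 *       only produces a log warning; it is not rejected. Deployments should set a unique value
 *       through {@link #setSuckerPassword(String)} and alert on that warning.</li>
 *   <li>A destination without its own configuration falls back to the default configuration,
 *       and failing that to an empty {@code SecurityMetadata} (see
 *       {@link #getSecurityMetadata(boolean, String)}).</li>
 * </ul>
 *
 * <p>NOTE(review): the configuration maps are plain {@link HashMap}s and the fields are not
 * synchronized. Whether management setters can run concurrently with lookups is not visible
 * here. Confirm against the callers.
 */
public class JBossASSecurityMetadataStore implements SecurityStore, JBossASSecurityMetadataStoreMBean {
    private static final Logger log = Logger.getLogger(JBossASSecurityMetadataStore.class);

    /** Installation-default password of the sucker account; publicly known, must be replaced. */
    public static final String DEFAULT_SUCKER_USER_PASSWORD = "CHANGE ME!!";

    /** User name of the built-in account that gets the special handling described above. */
    private static final String SUCKER_USER = "JBM.SUCKER";

    private Element defaultSecurityConfig;
    private String suckerPassword;
    // Sampled once at construction; later changes to the log level are not picked up.
    private final boolean trace = log.isTraceEnabled();
    private String securityDomain = "messaging";
    private ISecurityManagement securityManagement = null;
    private final Map<String, SecurityMetadata> queueSecurityConf = new HashMap<>();
    private final Map<String, SecurityMetadata> topicSecurityConf = new HashMap<>();

    /**
     * Returns the security metadata for a destination.
     *
     * <p>Lookup order: the destination's own entry, then a fresh {@code SecurityMetadata} built
     * from the default configuration, then an empty {@code SecurityMetadata}. The fallbacks are
     * not cached.
     *
     * <p>NOTE(review): the log text calls the empty instance "guest". Which permissions an empty
     * {@code SecurityMetadata} grants is not visible here. If it is permissive, a broken default
     * configuration fails open. Confirm and consider alerting on these warnings.
     *
     * @param isQueue {@code true} to look in the queue configuration, {@code false} for topics
     * @param destName destination name used as the map key
     * @return the metadata to enforce, never {@code null}
     */
    @Override
    public SecurityMetadata getSecurityMetadata(boolean isQueue, String destName) {
        Map<String, SecurityMetadata> conf = isQueue ? this.queueSecurityConf : this.topicSecurityConf;
        SecurityMetadata metadata = conf.get(destName);
        if (metadata != null) {
            return metadata;
        }
        if (this.defaultSecurityConfig == null) {
            log.warn("No SecurityMetadadata was available for " + destName + ", adding guest");
            return new SecurityMetadata();
        }
        log.debug("No SecurityMetadadata was available for " + destName + ", using default security config");
        try {
            return new SecurityMetadata(this.defaultSecurityConfig);
        } catch (Exception e) {
            log.warn("Unable to apply default security for destName, using guest " + destName, e);
            return new SecurityMetadata();
        }
    }

    /**
     * Stores the security configuration of a destination, or removes it when {@code config} is
     * {@code null}.
     *
     * @param isQueue {@code true} for a queue, {@code false} for a topic
     * @param destName destination name used as the map key
     * @param config XML configuration element, or {@code null} to clear the entry
     * @throws Exception if {@code SecurityMetadata} cannot be built from {@code config}; the
     *     previous entry is left in place in that case
     */
    @Override
    public void setSecurityConfig(boolean isQueue, String destName, Element config) throws Exception {
        if (this.trace) {
            log.trace("adding security configuration for " + (isQueue ? "queue " : "topic ") + destName);
        }
        if (config == null) {
            clearSecurityConfig(isQueue, destName);
            return;
        }
        // Parse before touching the map so a bad element never replaces a good entry.
        SecurityMetadata metadata = new SecurityMetadata(config);
        if (isQueue) {
            this.queueSecurityConf.put(destName, metadata);
        } else {
            this.topicSecurityConf.put(destName, metadata);
        }
    }

    /**
     * Removes the security configuration of a destination; later lookups use the fallbacks of
     * {@link #getSecurityMetadata(boolean, String)}.
     *
     * @param isQueue {@code true} for a queue, {@code false} for a topic
     * @param destName destination name used as the map key
     */
    @Override
    public void clearSecurityConfig(boolean isQueue, String destName) throws Exception {
        if (this.trace) {
            log.trace("clearing security configuration for " + (isQueue ? "queue " : "topic ") + destName);
        }
        if (isQueue) {
            this.queueSecurityConf.remove(destName);
        } else {
            this.topicSecurityConf.remove(destName);
        }
    }

    /**
     * Authenticates a user and, on success, pushes the resulting subject context.
     *
     * <p>The {@code JBM.SUCKER} account is checked against the locally configured sucker
     * password. Every other user is validated by the {@link AuthenticationManager} of the
     * configured security domain.
     *
     * @param user user name; may be {@code null}
     * @param password clear-text password; may be {@code null}
     * @return the subject populated by the authentication manager, or an empty subject for the
     *     sucker account
     * @throws JMSSecurityException if the credentials are not valid, including a sucker login
     *     attempt while no sucker password has been configured
     * @throws SecurityException if no security management or authentication manager is available
     */
    @Override
    public Subject authenticate(String user, String password) throws JMSSecurityException {
        if (this.trace) {
            log.trace("authenticating user " + user);
        }
        SimplePrincipal principal = new SimplePrincipal(user);
        char[] passwordChars = password == null ? null : password.toCharArray();
        Subject subject = new Subject();
        boolean valid;
        if (SUCKER_USER.equals(user)) {
            if (this.trace) {
                log.trace("Authenticating sucker user");
            }
            // Warns on the *presented* password, so it also fires on failed attempts that try
            // the installation default. That makes the warning worth monitoring.
            checkDefaultSuckerPassword(password);
            valid = suckerPasswordMatches(password);
        } else {
            if (this.securityManagement == null) {
                throw new SecurityException("SecurityManagement has not been set");
            }
            AuthenticationManager authenticationManager =
                    this.securityManagement.getAuthenticationManager(this.securityDomain);
            if (authenticationManager == null) {
                throw new SecurityException("AuthenticationManager is null for domain=" + this.securityDomain);
            }
            valid = authenticationManager.isValid(principal, passwordChars, subject);
        }
        if (!valid) {
            throw new JMSSecurityException("User " + user + " is NOT authenticated");
        }
        SecurityActions.pushSubjectContext(principal, passwordChars, subject, this.securityDomain);
        return subject;
    }

    /**
     * Checks whether a user may perform an operation.
     *
     * <p>The {@code JBM.SUCKER} account bypasses the role check: it is allowed exactly
     * {@code READ} and {@code WRITE}, regardless of {@code roles}. All other users are checked
     * with {@link AuthorizationManager#doesUserHaveRole} in the configured security domain.
     *
     * @param user user name; {@code null} is passed to the authorization manager as a
     *     {@code null} principal
     * @param roles roles of which the user must hold one according to the authorization manager
     * @param checkType kind of access requested; only consulted for the sucker account
     * @return {@code true} if access is granted
     * @throws SecurityException if no security management or authorization manager is available
     */
    @Override
    public boolean authorize(String user, Set roles, CheckType checkType) {
        if (this.trace) {
            // Concatenation instead of roles.toString(): tracing must not throw on a null set.
            log.trace("authorizing user " + user + " for role(s) " + roles);
        }
        if (SUCKER_USER.equals(user)) {
            return checkType.equals(CheckType.READ) || checkType.equals(CheckType.WRITE);
        }
        SimplePrincipal principal = user == null ? null : new SimplePrincipal(user);
        if (this.securityManagement == null) {
            throw new SecurityException("SecurityManagement has not been set");
        }
        AuthorizationManager authorizationManager =
                this.securityManagement.getAuthorizationManager(this.securityDomain);
        if (authorizationManager == null) {
            throw new SecurityException("AuthorizationManager is null for domain=" + this.securityDomain);
        }
        boolean authorized = authorizationManager.doesUserHaveRole(principal, roles);
        if (this.trace) {
            log.trace("user " + user + (authorized ? " is " : " is NOT ") + "authorized");
        }
        return authorized;
    }

    /**
     * Sets the password expected from the {@code JBM.SUCKER} account. The installation default
     * is accepted but logged as a security warning.
     *
     * @param password new sucker password
     */
    @Override
    public void setSuckerPassword(String password) {
        checkDefaultSuckerPassword(password);
        this.suckerPassword = password;
    }

    /**
     * Sets the security management from which the authentication and authorization managers are
     * obtained. Until it is set, non-sucker authentication and authorization throw
     * {@link SecurityException}.
     */
    @Override
    public void setSecurityManagement(ISecurityManagement iSecurityManagement) {
        this.securityManagement = iSecurityManagement;
    }

    /** Lifecycle hook; does nothing in this implementation. */
    @Override
    public void start() throws NamingException {
    }

    /** Lifecycle hook; does nothing in this implementation. */
    @Override
    public void stop() throws Exception {
    }

    /** Returns the name of the security domain used to look up the managers. */
    @Override
    public String getSecurityDomain() {
        return this.securityDomain;
    }

    /** Sets the name of the security domain used to look up the managers. */
    @Override
    public void setSecurityDomain(String securityDomain) {
        this.securityDomain = securityDomain;
    }

    /** Returns the default configuration element exactly as it was set (no copy is made). */
    @Override
    public Element getDefaultSecurityConfig() {
        return this.defaultSecurityConfig;
    }

    /**
     * Sets the configuration applied to destinations without an entry of their own.
     *
     * @param config XML configuration element
     * @throws Exception if {@code SecurityMetadata} cannot be built from {@code config}; the
     *     previous default is kept in that case
     */
    @Override
    public void setDefaultSecurityConfig(Element config) throws Exception {
        // Constructed only to validate the element; the instance itself is discarded.
        new SecurityMetadata(config);
        this.defaultSecurityConfig = config;
    }

    /**
     * Compares a presented password with the configured sucker password.
     *
     * <p>Fails closed when either side is {@code null}, so a login attempt before a password is
     * configured is rejected as a failed authentication instead of ending in a
     * {@link NullPointerException}. The comparison uses {@link MessageDigest#isEqual} so that its
     * duration does not depend on how many leading characters match.
     */
    private boolean suckerPasswordMatches(String candidate) {
        String expected = this.suckerPassword;
        if (expected == null || candidate == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), candidate.getBytes(StandardCharsets.UTF_8));
    }

    /** Logs a warning when {@code password} equals the installation default; never rejects it. */
    private void checkDefaultSuckerPassword(String password) {
        if (DEFAULT_SUCKER_USER_PASSWORD.equals(password)) {
            log.warn("WARNING! POTENTIAL SECURITY RISK. It has been detected that the MessageSucker component which sucks messages from one node to another has not had its password changed from the installation default. Please see the JBoss Messaging user guide for instructions on how to do this.");
        }
    }
}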
