package org.apache.activemq.artemis.core.security.impl;

import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.security.cert.X509Certificate;
import org.apache.activemq.artemis.api.core.SimpleString;
import org.apache.activemq.artemis.api.core.management.CoreNotificationType;
import org.apache.activemq.artemis.api.core.management.ManagementHelper;
import org.apache.activemq.artemis.core.security.CheckType;
import org.apache.activemq.artemis.core.security.Role;
import org.apache.activemq.artemis.core.security.SecurityAuth;
import org.apache.activemq.artemis.core.security.SecurityStore;
import org.apache.activemq.artemis.core.server.ActiveMQMessageBundle;
import org.apache.activemq.artemis.core.server.management.Notification;
import org.apache.activemq.artemis.core.server.management.NotificationService;
import org.apache.activemq.artemis.core.settings.HierarchicalRepository;
import org.apache.activemq.artemis.core.settings.HierarchicalRepositoryChangeListener;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager2;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3;
import org.apache.activemq.artemis.utils.ConcurrentHashSet;
import org.apache.activemq.artemis.utils.TypedProperties;
import org.jboss.logging.Logger;

/* loaded from: input_file:WEB-INF/lib/artemis-server-1.5.5.jbossorg-005.jar:org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.class */
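/**
 * {@link SecurityStore} implementation that authenticates users and authorises access to
 * addresses by delegating to an {@link ActiveMQSecurityManager}.
 *
 * <p>Successful authorisation decisions are remembered in an in-memory cache keyed by
 * {@code username + "." + checkType}. The cache is cleared whenever the security repository
 * reports a change and whenever more than {@code invalidationInterval} milliseconds have
 * elapsed since the last timed invalidation.
 *
 * <p>The configured management cluster user is handled here directly and never reaches the
 * security manager.
 */
public class SecurityStoreImpl implements SecurityStore, HierarchicalRepositoryChangeListener {
    private static final Logger logger = Logger.getLogger(SecurityStoreImpl.class);

    private final HierarchicalRepository<Set<Role>> securityRepository;
    private final ActiveMQSecurityManager securityManager;
    /** Addresses already authorised, keyed by {@code username + "." + checkType.name()}. */
    private final ConcurrentMap<String, ConcurrentHashSet<SimpleString>> cache = new ConcurrentHashMap<>();
    /** Maximum cache age, compared against {@link System#currentTimeMillis()} deltas. */
    private final long invalidationInterval;
    private volatile long lastCheck;
    private final boolean securityEnabled;
    private final String managementClusterUser;
    private final String managementClusterPassword;
    private final NotificationService notificationService;

    /**
     * Creates the store and registers it as a change listener on the security repository.
     *
     * @param securityRepository repository resolving an address to the roles configured for it
     * @param securityManager manager that validates credentials and roles
     * @param invalidationInterval cache lifetime in milliseconds
     * @param securityEnabled when {@code false}, {@link #authenticate} and {@link #check} do nothing
     * @param managementClusterUser user name treated as the cluster admin user
     * @param managementClusterPassword password expected for the cluster admin user
     * @param notificationService sink for security violation notifications; may be {@code null}
     */
    public SecurityStoreImpl(HierarchicalRepository<Set<Role>> securityRepository, ActiveMQSecurityManager securityManager, long invalidationInterval, boolean securityEnabled, String managementClusterUser, String managementClusterPassword, NotificationService notificationService) {
        this.securityRepository = securityRepository;
        this.securityManager = securityManager;
        this.invalidationInterval = invalidationInterval;
        this.securityEnabled = securityEnabled;
        this.managementClusterUser = managementClusterUser;
        this.managementClusterPassword = managementClusterPassword;
        this.notificationService = notificationService;
        this.securityRepository.registerListener(this);
    }

    @Override
    public boolean isSecurityEnabled() {
        return this.securityEnabled;
    }

    /** Unregisters this store from the security repository. */
    @Override
    public void stop() {
        this.securityRepository.unRegisterListener(this);
    }

    /**
     * Validates the supplied credentials.
     *
     * @param user user name presented by the client
     * @param password password presented by the client
     * @param certificates client certificate chain, passed through to security managers that accept it
     * @return {@code null} when security is disabled; the cluster user name when the cluster
     *         credentials match; otherwise the value returned by an
     *         {@link ActiveMQSecurityManager3}, or {@code null} after a successful validation by
     *         any other manager type
     * @throws Exception when the credentials are rejected
     */
    @Override
    public String authenticate(String user, String password, X509Certificate[] certificates) throws Exception {
        if (!this.securityEnabled) {
            return null;
        }
        if (this.managementClusterUser.equals(user)) {
            if (logger.isTraceEnabled()) {
                logger.trace("Authenticating cluster admin user");
            }
            // Compare without short-circuiting on the first mismatch so response time does not
            // reveal how much of the cluster password was guessed correctly.
            if (constantTimeEquals(this.managementClusterPassword, password)) {
                return this.managementClusterUser;
            }
            // NOTE(review): unlike the ordinary-user failure path below, a failed cluster admin
            // login emits no SECURITY_AUTHENTICATION_VIOLATION notification, so monitoring built
            // on notifications will not see it - confirm whether that is intended.
            throw ActiveMQMessageBundle.BUNDLE.unableToValidateClusterUser(user);
        }

        String validatedUser = null;
        boolean validated = false;
        if (this.securityManager instanceof ActiveMQSecurityManager3) {
            validatedUser = ((ActiveMQSecurityManager3) this.securityManager).validateUser(user, password, certificates);
        } else if (this.securityManager instanceof ActiveMQSecurityManager2) {
            validated = ((ActiveMQSecurityManager2) this.securityManager).validateUser(user, password, certificates);
        } else {
            validated = this.securityManager.validateUser(user, password);
        }
        if (validated || validatedUser != null) {
            return validatedUser;
        }

        // The notification carries no properties, so it does not identify the rejected user.
        if (this.notificationService != null) {
            this.notificationService.sendNotification(new Notification(null, CoreNotificationType.SECURITY_AUTHENTICATION_VIOLATION, new TypedProperties()));
        }
        throw ActiveMQMessageBundle.BUNDLE.unableToValidateUser();
    }

    /**
     * Verifies that the session may perform {@code checkType} on {@code address}.
     *
     * @param address address being accessed
     * @param checkType kind of access requested
     * @param session source of the user name, password and remoting connection
     * @throws Exception when the user lacks permission
     */
    @Override
    public void check(SimpleString address, CheckType checkType, SecurityAuth session) throws Exception {
        if (!this.securityEnabled) {
            return;
        }
        if (logger.isTraceEnabled()) {
            logger.trace("checking access permissions to " + address);
        }
        String username = session.getUsername();
        // NOTE(review): the cache is keyed by user name and check type only and is consulted
        // before any credential is evaluated; this presumably relies on the session having been
        // authenticated earlier - confirm against the callers.
        if (checkCached(address, username, checkType)) {
            return;
        }
        String addressName = address.toString();
        Set<Role> roles = this.securityRepository.getMatch(addressName);

        // The cluster admin user bypasses role checks. The comparison is null-safe: a session
        // presenting the cluster user name with no password is denied below rather than failing
        // with a NullPointerException here.
        if (this.managementClusterUser.equals(username) && constantTimeEquals(this.managementClusterPassword, session.getPassword())) {
            return;
        }

        boolean authorized;
        if (this.securityManager instanceof ActiveMQSecurityManager3) {
            authorized = ((ActiveMQSecurityManager3) this.securityManager).validateUserAndRole(username, session.getPassword(), roles, checkType, addressName, session.getRemotingConnection()) != null;
        } else if (this.securityManager instanceof ActiveMQSecurityManager2) {
            authorized = ((ActiveMQSecurityManager2) this.securityManager).validateUserAndRole(username, session.getPassword(), roles, checkType, addressName, session.getRemotingConnection());
        } else {
            authorized = this.securityManager.validateUserAndRole(username, session.getPassword(), roles, checkType);
        }

        if (authorized) {
            // Only positive decisions are cached; denials are re-evaluated on every call.
            ConcurrentHashSet<SimpleString> allowed = new ConcurrentHashSet<>();
            ConcurrentHashSet<SimpleString> existing = this.cache.putIfAbsent(username + "." + checkType.name(), allowed);
            if (existing != null) {
                allowed = existing;
            }
            allowed.add(address);
            return;
        }

        if (this.notificationService != null) {
            TypedProperties props = new TypedProperties();
            props.putSimpleStringProperty(ManagementHelper.HDR_ADDRESS, address);
            props.putSimpleStringProperty(ManagementHelper.HDR_CHECK_TYPE, new SimpleString(checkType.toString()));
            props.putSimpleStringProperty(ManagementHelper.HDR_USER, SimpleString.toSimpleString(username));
            this.notificationService.sendNotification(new Notification(null, CoreNotificationType.SECURITY_PERMISSION_VIOLATION, props));
        }
        throw ActiveMQMessageBundle.BUNDLE.userNoPermissions(session.getUsername(), checkType, addressName);
    }

    /** Drops every cached decision when the security repository changes. */
    @Override
    public void onChange() {
        invalidateCache();
    }

    private void invalidateCache() {
        this.cache.clear();
    }

    /**
     * Reports whether {@code address} was already authorised for this user and check type.
     * When the invalidation interval has elapsed the cache is cleared instead and
     * {@code false} is returned.
     */
    private boolean checkCached(SimpleString address, String user, CheckType checkType) {
        long now = System.currentTimeMillis();
        if (now - this.lastCheck > this.invalidationInterval) {
            invalidateCache();
            this.lastCheck = now;
            return false;
        }
        ConcurrentHashSet<SimpleString> allowed = this.cache.get(user + "." + checkType.name());
        return allowed != null && allowed.contains(address);
    }

    /**
     * Compares two secrets by UTF-16 code unit without stopping at the first difference, so
     * the result is the same as {@link String#equals} for non-null inputs while the work done
     * depends on the length of {@code supplied} rather than on where the strings diverge.
     *
     * @return {@code false} when either argument is {@code null}
     */
    private static boolean constantTimeEquals(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        int expectedLength = expected.length();
        int suppliedLength = supplied.length();
        // A length mismatch already marks the result as unequal; the loop still runs so the
        // timing does not single out that case.
        int diff = expectedLength ^ suppliedLength;
        for (int i = 0; i < suppliedLength; i++) {
            char reference = expectedLength == 0 ? 0 : expected.charAt(i % expectedLength);
            diff |= reference ^ supplied.charAt(i);
        }
        return diff == 0;
    }
}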
