package org.apache.activemq.artemis.core.security.impl;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.security.auth.Subject;
import org.apache.activemq.artemis.api.core.ActiveMQSecurityException;
import org.apache.activemq.artemis.api.core.Pair;
import org.apache.activemq.artemis.api.core.SimpleString;
import org.apache.activemq.artemis.api.core.management.CoreNotificationType;
import org.apache.activemq.artemis.api.core.management.ManagementHelper;
import org.apache.activemq.artemis.core.remoting.CertificateUtil;
import org.apache.activemq.artemis.core.security.CheckType;
import org.apache.activemq.artemis.core.security.Role;
import org.apache.activemq.artemis.core.security.SecurityAuth;
import org.apache.activemq.artemis.core.security.SecurityStore;
import org.apache.activemq.artemis.core.server.ActiveMQMessageBundle;
import org.apache.activemq.artemis.core.server.ActiveMQServerLogger;
import org.apache.activemq.artemis.core.server.management.Notification;
import org.apache.activemq.artemis.core.server.management.NotificationService;
import org.apache.activemq.artemis.core.settings.HierarchicalRepository;
import org.apache.activemq.artemis.core.settings.HierarchicalRepositoryChangeListener;
import org.apache.activemq.artemis.logs.AuditLogger;
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager2;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager3;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager4;
import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager5;
import org.apache.activemq.artemis.spi.core.security.jaas.UserPrincipal;
import org.apache.activemq.artemis.utils.CompositeAddress;
import org.apache.activemq.artemis.utils.collections.ConcurrentHashSet;
import org.apache.activemq.artemis.utils.collections.TypedProperties;
import org.apache.commons.configuration2.tree.DefaultExpressionEngineSymbols;
import org.jboss.logging.Logger;

/* loaded from: input_file:org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.class */
public class SecurityStoreImpl implements SecurityStore, HierarchicalRepositoryChangeListener {
    private static final Logger logger = Logger.getLogger((Class<?>) SecurityStoreImpl.class);
    private final HierarchicalRepository<Set<Role>> securityRepository;
    private final ActiveMQSecurityManager securityManager;
    private final Cache<String, ConcurrentHashSet<SimpleString>> authorizationCache;
    private final Cache<String, Pair<Boolean, Subject>> authenticationCache;
    private boolean securityEnabled;
    private final String managementClusterUser;
    private final String managementClusterPassword;
    private final NotificationService notificationService;

    public SecurityStoreImpl(HierarchicalRepository<Set<Role>> hierarchicalRepository, ActiveMQSecurityManager activeMQSecurityManager, long j, boolean z, String str, String str2, NotificationService notificationService, long j2, long j3) {
        this.securityRepository = hierarchicalRepository;
        this.securityManager = activeMQSecurityManager;
        this.securityEnabled = z;
        this.managementClusterUser = str;
        this.managementClusterPassword = str2;
        this.notificationService = notificationService;
        this.authenticationCache = CacheBuilder.newBuilder().maximumSize(j2).expireAfterWrite(j, TimeUnit.MILLISECONDS).build();
        this.authorizationCache = CacheBuilder.newBuilder().maximumSize(j3).expireAfterWrite(j, TimeUnit.MILLISECONDS).build();
        this.securityRepository.registerListener(this);
    }

    @Override // org.apache.activemq.artemis.core.security.SecurityStore
    public boolean isSecurityEnabled() {
        return this.securityEnabled;
    }

    @Override // org.apache.activemq.artemis.core.security.SecurityStore
    public void setSecurityEnabled(boolean z) {
        this.securityEnabled = z;
    }

    @Override // org.apache.activemq.artemis.core.security.SecurityStore
    public void stop() {
        this.securityRepository.unRegisterListener(this);
    }

    @Override // org.apache.activemq.artemis.core.security.SecurityStore
    public String authenticate(String str, String str2, RemotingConnection remotingConnection) throws Exception {
        return authenticate(str, str2, remotingConnection, null);
    }

    @Override // org.apache.activemq.artemis.core.security.SecurityStore
    public String authenticate(String str, String str2, RemotingConnection remotingConnection, String str3) throws Exception {
        if (!this.securityEnabled) {
            return null;
        }
        if (this.managementClusterUser.equals(str)) {
            if (logger.isTraceEnabled()) {
                logger.trace("Authenticating cluster admin user");
            }
            if (this.managementClusterPassword.equals(str2)) {
                return this.managementClusterUser;
            }
            throw ActiveMQMessageBundle.BUNDLE.unableToValidateClusterUser(str);
        }
        String str4 = null;
        boolean z = false;
        boolean z2 = true;
        Subject subject = null;
        Pair<Boolean, Subject> ifPresent = this.authenticationCache.getIfPresent(createAuthenticationCacheKey(str, str2, remotingConnection));
        if (ifPresent != null) {
            if (ifPresent.getA().booleanValue()) {
                z2 = false;
                z = true;
                subject = ifPresent.getB();
                str4 = getUserFromSubject(subject);
            } else {
                z2 = false;
            }
        }
        if (z2) {
            if (this.securityManager instanceof ActiveMQSecurityManager5) {
                subject = ((ActiveMQSecurityManager5) this.securityManager).authenticate(str, str2, remotingConnection, str3);
                this.authenticationCache.put(createAuthenticationCacheKey(str, str2, remotingConnection), new Pair<>(Boolean.valueOf(subject != null), subject));
                str4 = getUserFromSubject(subject);
            } else if (this.securityManager instanceof ActiveMQSecurityManager4) {
                str4 = ((ActiveMQSecurityManager4) this.securityManager).validateUser(str, str2, remotingConnection, str3);
            } else if (this.securityManager instanceof ActiveMQSecurityManager3) {
                str4 = ((ActiveMQSecurityManager3) this.securityManager).validateUser(str, str2, remotingConnection);
            } else {
                z = this.securityManager instanceof ActiveMQSecurityManager2 ? ((ActiveMQSecurityManager2) this.securityManager).validateUser(str, str2, CertificateUtil.getCertsFromConnection(remotingConnection)) : this.securityManager.validateUser(str, str2);
            }
        }
        if (!z && str4 == null) {
            authenticationFailed(str, remotingConnection);
        }
        if (AuditLogger.isAnyLoggingEnabled() && remotingConnection != null) {
            remotingConnection.setAuditSubject(subject);
        }
        if (AuditLogger.isResourceLoggingEnabled()) {
            AuditLogger.userSuccesfullyAuthenticatedInAudit(subject, remotingConnection.getRemoteAddress());
        }
        return str4;
    }

    public String getCertSubjectDN(RemotingConnection remotingConnection) {
        String str = "unavailable";
        X509Certificate[] certsFromConnection = CertificateUtil.getCertsFromConnection(remotingConnection);
        if (certsFromConnection != null && certsFromConnection.length > 0 && certsFromConnection[0] != null) {
            str = certsFromConnection[0].getSubjectDN().getName();
        }
        return str;
    }

    @Override // org.apache.activemq.artemis.core.security.SecurityStore
    public void check(SimpleString simpleString, CheckType checkType, SecurityAuth securityAuth) throws Exception {
        check(simpleString, null, checkType, securityAuth);
    }

    @Override // org.apache.activemq.artemis.core.security.SecurityStore
    public void check(SimpleString simpleString, SimpleString simpleString2, CheckType checkType, SecurityAuth securityAuth) throws Exception {
        Boolean valueOf;
        ConcurrentHashSet<SimpleString> concurrentHashSet;
        if (this.securityEnabled) {
            SimpleString extractAddressName = CompositeAddress.extractAddressName(simpleString);
            SimpleString extractQueueName = CompositeAddress.extractQueueName(simpleString2);
            if (logger.isTraceEnabled()) {
                logger.trace("checking access permissions to " + ((Object) extractAddressName));
            }
            String username = securityAuth.getUsername();
            if (this.managementClusterUser.equals(username) && securityAuth.getPassword().equals(this.managementClusterPassword)) {
                return;
            }
            Set<Role> match = this.securityRepository.getMatch(extractAddressName.toString());
            SimpleString simpleString3 = null;
            if (extractQueueName != null) {
                simpleString3 = CompositeAddress.toFullyQualified(extractAddressName, extractQueueName);
                if (this.securityRepository.containsExactMatch(simpleString3.toString())) {
                    match = this.securityRepository.getMatch(simpleString3.toString());
                }
            }
            if (checkAuthorizationCache(simpleString3 != null ? simpleString3 : extractAddressName, username, checkType)) {
                return;
            }
            if (this.securityManager instanceof ActiveMQSecurityManager5) {
                Subject subjectForAuthorization = getSubjectForAuthorization(securityAuth, (ActiveMQSecurityManager5) this.securityManager);
                if (subjectForAuthorization == null) {
                    authenticationFailed(username, securityAuth.getRemotingConnection());
                }
                valueOf = Boolean.valueOf(((ActiveMQSecurityManager5) this.securityManager).authorize(subjectForAuthorization, match, checkType, simpleString3 != null ? simpleString3.toString() : extractAddressName.toString()));
            } else if (this.securityManager instanceof ActiveMQSecurityManager4) {
                valueOf = Boolean.valueOf(((ActiveMQSecurityManager4) this.securityManager).validateUserAndRole(username, securityAuth.getPassword(), match, checkType, extractAddressName.toString(), securityAuth.getRemotingConnection(), securityAuth.getSecurityDomain()) != null);
            } else if (this.securityManager instanceof ActiveMQSecurityManager3) {
                valueOf = Boolean.valueOf(((ActiveMQSecurityManager3) this.securityManager).validateUserAndRole(username, securityAuth.getPassword(), match, checkType, extractAddressName.toString(), securityAuth.getRemotingConnection()) != null);
            } else {
                valueOf = this.securityManager instanceof ActiveMQSecurityManager2 ? Boolean.valueOf(((ActiveMQSecurityManager2) this.securityManager).validateUserAndRole(username, securityAuth.getPassword(), match, checkType, extractAddressName.toString(), securityAuth.getRemotingConnection())) : Boolean.valueOf(this.securityManager.validateUserAndRole(username, securityAuth.getPassword(), match, checkType));
            }
            if (valueOf.booleanValue()) {
                String createAuthorizationCacheKey = createAuthorizationCacheKey(username, checkType);
                ConcurrentHashSet<SimpleString> ifPresent = this.authorizationCache.getIfPresent(createAuthorizationCacheKey);
                if (ifPresent != null) {
                    concurrentHashSet = ifPresent;
                } else {
                    concurrentHashSet = new ConcurrentHashSet<>();
                    this.authorizationCache.put(createAuthorizationCacheKey, concurrentHashSet);
                }
                concurrentHashSet.add(simpleString3 != null ? simpleString3 : extractAddressName);
                return;
            }
            if (this.notificationService != null) {
                TypedProperties typedProperties = new TypedProperties();
                typedProperties.putSimpleStringProperty(ManagementHelper.HDR_ADDRESS, extractAddressName);
                typedProperties.putSimpleStringProperty(ManagementHelper.HDR_CHECK_TYPE, new SimpleString(checkType.toString()));
                typedProperties.putSimpleStringProperty(ManagementHelper.HDR_USER, SimpleString.toSimpleString(username));
                this.notificationService.sendNotification(new Notification(null, CoreNotificationType.SECURITY_PERMISSION_VIOLATION, typedProperties));
            }
            ActiveMQSecurityException userNoPermissions = extractQueueName == null ? ActiveMQMessageBundle.BUNDLE.userNoPermissions(securityAuth.getUsername(), checkType, extractAddressName) : ActiveMQMessageBundle.BUNDLE.userNoPermissionsQueue(securityAuth.getUsername(), checkType, extractQueueName, extractAddressName);
            AuditLogger.securityFailure(userNoPermissions);
            throw userNoPermissions;
        }
    }

    @Override // org.apache.activemq.artemis.core.settings.HierarchicalRepositoryChangeListener
    public void onChange() {
        invalidateAuthorizationCache();
    }

    public static String getUserFromSubject(Subject subject) {
        if (subject == null) {
            return null;
        }
        String str = "";
        Iterator it = subject.getPrincipals(UserPrincipal.class).iterator();
        while (it.hasNext()) {
            str = ((UserPrincipal) it.next()).getName();
        }
        return str;
    }

    @Override // org.apache.activemq.artemis.core.security.SecurityStore
    public Subject getSessionSubject(SecurityAuth securityAuth) {
        if (this.securityManager instanceof ActiveMQSecurityManager5) {
            return getSubjectForAuthorization(securityAuth, (ActiveMQSecurityManager5) this.securityManager);
        }
        return null;
    }

    private void authenticationFailed(String str, RemotingConnection remotingConnection) throws Exception {
        String certSubjectDN = getCertSubjectDN(remotingConnection);
        if (this.notificationService != null) {
            TypedProperties typedProperties = new TypedProperties();
            typedProperties.putSimpleStringProperty(ManagementHelper.HDR_USER, SimpleString.toSimpleString(str));
            typedProperties.putSimpleStringProperty(ManagementHelper.HDR_CERT_SUBJECT_DN, SimpleString.toSimpleString(certSubjectDN));
            typedProperties.putSimpleStringProperty(ManagementHelper.HDR_REMOTE_ADDRESS, SimpleString.toSimpleString(remotingConnection == null ? "null" : remotingConnection.getRemoteAddress()));
            this.notificationService.sendNotification(new Notification(null, CoreNotificationType.SECURITY_AUTHENTICATION_VIOLATION, typedProperties));
        }
        ActiveMQSecurityException unableToValidateUser = ActiveMQMessageBundle.BUNDLE.unableToValidateUser(remotingConnection == null ? "null" : remotingConnection.getRemoteAddress(), str, certSubjectDN);
        ActiveMQServerLogger.LOGGER.securityProblemWhileAuthenticating(unableToValidateUser.getMessage());
        if (AuditLogger.isResourceLoggingEnabled()) {
            AuditLogger.userFailedAuthenticationInAudit(null, unableToValidateUser.getMessage());
        }
        throw unableToValidateUser;
    }

    private Subject getSubjectForAuthorization(SecurityAuth securityAuth, ActiveMQSecurityManager5 activeMQSecurityManager5) {
        Pair<Boolean, Subject> ifPresent = this.authenticationCache.getIfPresent(createAuthenticationCacheKey(securityAuth.getUsername(), securityAuth.getPassword(), securityAuth.getRemotingConnection()));
        return ifPresent == null ? activeMQSecurityManager5.authenticate(securityAuth.getUsername(), securityAuth.getPassword(), securityAuth.getRemotingConnection(), securityAuth.getSecurityDomain()) : ifPresent.getB();
    }

    public void invalidateAuthorizationCache() {
        this.authorizationCache.invalidateAll();
    }

    public void invalidateAuthenticationCache() {
        this.authenticationCache.invalidateAll();
    }

    public long getAuthenticationCacheSize() {
        return this.authenticationCache.size();
    }

    public long getAuthorizationCacheSize() {
        return this.authorizationCache.size();
    }

    private boolean checkAuthorizationCache(SimpleString simpleString, String str, CheckType checkType) {
        boolean z = false;
        ConcurrentHashSet<SimpleString> ifPresent = this.authorizationCache.getIfPresent(createAuthorizationCacheKey(str, checkType));
        if (ifPresent != null) {
            z = ifPresent.contains(simpleString);
        }
        return z;
    }

    private String createAuthenticationCacheKey(String str, String str2, RemotingConnection remotingConnection) {
        return str + str2 + getCertSubjectDN(remotingConnection);
    }

    private String createAuthorizationCacheKey(String str, CheckType checkType) {
        return str + DefaultExpressionEngineSymbols.DEFAULT_PROPERTY_DELIMITER + checkType.name();
    }
}
