package org.apache.qpid.server.security;

import java.net.SocketAddress;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import org.apache.commons.configuration.Configuration;
import org.apache.commons.configuration.ConfigurationException;
import org.apache.log4j.Logger;
import org.apache.qpid.framing.AMQShortString;
import org.apache.qpid.server.exchange.Exchange;
import org.apache.qpid.server.plugin.AccessControlFactory;
import org.apache.qpid.server.plugin.QpidServiceLoader;
import org.apache.qpid.server.queue.AMQQueue;
import org.apache.qpid.server.security.access.ObjectProperties;
import org.apache.qpid.server.security.access.ObjectType;
import org.apache.qpid.server.security.access.Operation;

/* loaded from: input_file:org/apache/qpid/server/security/SecurityManager.class */
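/**
 * Combines the decisions of the configured {@link AccessControl} plugins into a single
 * allow/deny answer for broker operations (bind, consume, create, delete, publish, ...).
 *
 * <p>Decision model implemented by {@link #checkAllPlugins(AccessCheck)}:
 * <ul>
 *   <li>any plugin answering {@code Result.DENIED} denies the operation;</li>
 *   <li>{@code Result.DEFER} is replaced by that plugin's {@code getDefault()};</li>
 *   <li>if nothing denies, the operation is allowed. With no plugins registered at all, every
 *       check returns {@code true}.</li>
 * </ul>
 *
 * <p>Security-relevant points for reviewers:
 * <ul>
 *   <li>{@link #_accessChecksDisabled} is a public, per-thread switch that makes every check
 *       return {@code true}; see its comment.</li>
 *   <li>The plugin maps are plain {@link HashMap}s and {@link #addHostPlugin(AccessControl)} is
 *       public. NOTE(review): nothing in this class synchronises registration against
 *       concurrent checks; confirm plugins are only added during start-up.</li>
 *   <li>The publish caches are never evicted; see {@link #authorisePublish(boolean, String, String)}.</li>
 * </ul>
 *
 * <p>This listing is decompiler output, so names such as {@code str}, {@code str2} and
 * {@code bool3} are generated and carry no meaning of their own.
 */
public class SecurityManager {
    private static final Logger _logger = Logger.getLogger(SecurityManager.class);

    // Subject bound to the current thread. This class only stores and returns it; nothing here
    // clears it. NOTE(review): on pooled threads a stale Subject would persist until the next
    // setThreadSubject call; confirm callers reset it when a unit of work ends.
    private static final ThreadLocal<Subject> _subject = new ThreadLocal<>();

    // Per-thread bypass: while the current thread's value is true, checkAllPlugins returns true
    // without consulting any plugin. The field is public, so any code running on the thread can
    // flip it. Prefer setAccessChecksDisabled, which returns the previous value so the caller can
    // restore it (ideally in a finally block). Setting null makes checkAllPlugins throw a
    // NullPointerException on that thread.
    public static final ThreadLocal<Boolean> _accessChecksDisabled = new ClearingThreadLocal(false);

    // Plugins inherited from a parent manager (see the two-argument constructor); empty otherwise.
    private Map<String, AccessControl> _globalPlugins;

    // Plugins registered on this manager, keyed by the plugin's class name.
    private final Map<String, AccessControl> _hostPlugins;

    // Publish checks cached as outer key (str2) -> inner key (str) -> check, one cache per value
    // of the boolean flag passed to authorisePublish.
    private final ConcurrentHashMap<String, ConcurrentHashMap<String, PublishAccessCheck>> _immediatePublishPropsCache;
    private final ConcurrentHashMap<String, ConcurrentHashMap<String, PublishAccessCheck>> _publishPropsCache;

    /**
     * One authorisation question that can be put to any {@link AccessControl} plugin.
     * Implementations capture the operation and its properties; {@link #checkAllPlugins} asks
     * each plugin in turn.
     */
    public abstract class AccessCheck {
        private AccessCheck() {
        }

        /**
         * Asks {@code accessControl} for its verdict on this check.
         *
         * @param accessControl the plugin to consult
         * @return the plugin's verdict
         */
        abstract Result allowed(AccessControl accessControl);
    }

    /**
     * Size-capped map of publish checks. {@link LinkedHashMap} calls {@code removeEldestEntry}
     * after each insertion, so with the {@code >= 200} test the map holds at most 199 entries.
     *
     * <p>NOTE(review): nothing in this class instantiates this type; the publish caches use
     * unbounded {@link ConcurrentHashMap}s instead.
     */
    private static class CachedPropertiesMap extends LinkedHashMap<String, PublishAccessCheck> {
        private CachedPropertiesMap() {
        }

        @Override
        protected boolean removeEldestEntry(Map.Entry<String, PublishAccessCheck> entry) {
            return size() >= 200;
        }
    }

    /**
     * {@link ThreadLocal} that drops its per-thread entry whenever the value equals the default,
     * so threads holding the default keep no entry in their thread-local map.
     */
    private static final class ClearingThreadLocal extends ThreadLocal<Boolean> {
        private final Boolean _defaultValue;

        public ClearingThreadLocal(Boolean bool) {
            this._defaultValue = bool;
        }

        @Override
        public Boolean initialValue() {
            return this._defaultValue;
        }

        /** Stores {@code bool}, or removes the entry when {@code bool} equals the default. */
        @Override
        public void set(Boolean bool) {
            if (isDefault(bool)) {
                super.remove();
            } else {
                super.set(bool);
            }
        }

        /**
         * Returns the current value. Reading an unset variable makes {@code ThreadLocal} store
         * the initial value, so the entry is removed again when the value read is the default.
         */
        @Override
        public Boolean get() {
            Boolean current = super.get();
            if (isDefault(current)) {
                super.remove();
            }
            return current;
        }

        // Compares by value rather than by reference, so an equal Boolean that is a different
        // object (for example one created with "new Boolean(false)") is still recognised.
        private boolean isDefault(Boolean value) {
            return value == null ? this._defaultValue == null : value.equals(this._defaultValue);
        }
    }

    /**
     * Reusable {@code PUBLISH}-on-{@code EXCHANGE} check. The same {@link ObjectProperties}
     * instance is handed to every plugin on every call, which is what makes caching worthwhile.
     */
    private class PublishAccessCheck extends AccessCheck {
        private final ObjectProperties _props;

        public PublishAccessCheck(ObjectProperties objectProperties) {
            super();
            this._props = objectProperties;
        }

        @Override
        Result allowed(AccessControl accessControl) {
            return accessControl.authorise(Operation.PUBLISH, ObjectType.EXCHANGE, this._props);
        }
    }

    /**
     * Creates a manager whose global plugins are the host plugins of {@code securityManager}.
     *
     * <p>The parent's map is shared by reference, not copied: plugins added to the parent later
     * become visible to this manager too.
     *
     * @param securityManager parent manager supplying the global plugins
     * @param configuration configuration whose {@code "security"} subset is passed to the factories
     * @throws ConfigurationException declared by this constructor; presumably raised by plugin
     *     factories (not visible in this file)
     */
    public SecurityManager(SecurityManager securityManager, Configuration configuration) throws ConfigurationException {
        this(configuration);
        this._globalPlugins = securityManager._hostPlugins;
    }

    /**
     * Creates a manager with no global plugins and registers one host plugin for every
     * {@link AccessControlFactory} found by {@link QpidServiceLoader} that returns a non-null
     * instance for the {@code "security"} configuration subset.
     *
     * @param configuration configuration whose {@code "security"} subset is passed to the factories
     * @throws ConfigurationException declared by this constructor; presumably raised by plugin
     *     factories (not visible in this file)
     */
    public SecurityManager(Configuration configuration) throws ConfigurationException {
        this._globalPlugins = new HashMap<>();
        this._hostPlugins = new HashMap<>();
        this._immediatePublishPropsCache = new ConcurrentHashMap<>();
        this._publishPropsCache = new ConcurrentHashMap<>();
        Configuration subset = configuration.subset("security");
        Iterator<?> factories = new QpidServiceLoader().instancesOf(AccessControlFactory.class).iterator();
        while (factories.hasNext()) {
            AccessControl plugin = ((AccessControlFactory) factories.next()).createInstance(subset);
            // A factory returns null when it has nothing to contribute for this configuration.
            if (plugin != null) {
                addHostPlugin(plugin);
            }
        }
        if (_logger.isDebugEnabled()) {
            _logger.debug("Configured " + this._hostPlugins.size() + " access control plugins");
        }
    }

    /** Returns the {@link Subject} stored for the current thread, or {@code null} if none was set. */
    public static Subject getThreadSubject() {
        return _subject.get();
    }

    /** Stores {@code subject} for the current thread; pass {@code null} to clear the association. */
    public static void setThreadSubject(Subject subject) {
        _subject.set(subject);
    }

    /** Returns the logger shared by this class. */
    public static Logger getLogger() {
        return _logger;
    }

    /**
     * Puts {@code accessCheck} to every registered plugin and combines the verdicts.
     *
     * <p>Order of evaluation:
     * <ol>
     *   <li>If access checks are disabled for this thread, return {@code true} immediately.</li>
     *   <li>For each host plugin: {@code DENIED} denies; {@code ALLOWED} moves on to the next
     *       host plugin. Otherwise the global plugin registered under the same class name, if
     *       any, is consulted; without one, the host plugin's default stands in for
     *       {@code DEFER}.</li>
     *   <li>Global plugins that share a class name with a host plugin are never consulted on
     *       their own: a host-level {@code ALLOWED} therefore skips the same-named global
     *       plugin entirely.</li>
     *   <li>Every remaining global plugin is consulted; {@code DEFER} becomes its default.</li>
     * </ol>
     * An {@code ALLOWED} verdict never short-circuits the whole check: later plugins can still
     * deny. A verdict that is neither {@code DENIED} nor resolved to {@code DENIED} through a
     * default (for example {@code ABSTAIN}) does not block the operation.
     *
     * @param accessCheck the question to ask each plugin
     * @return {@code false} as soon as any consulted plugin denies, {@code true} otherwise
     */
    private boolean checkAllPlugins(AccessCheck accessCheck) {
        if (_accessChecksDisabled.get().booleanValue()) {
            return true;
        }

        // Global plugins still to be consulted once the host plugins are done. A private copy is
        // taken only when entries will be removed from it below.
        final Map<String, AccessControl> remainingGlobal;
        if (this._globalPlugins.isEmpty()) {
            remainingGlobal = Collections.emptyMap();
        } else if (this._hostPlugins.isEmpty()) {
            remainingGlobal = this._globalPlugins;
        } else {
            remainingGlobal = new HashMap<>(this._globalPlugins);
        }

        for (Map.Entry<String, AccessControl> entry : this._hostPlugins.entrySet()) {
            AccessControl hostPlugin = entry.getValue();
            AccessControl globalPlugin = remainingGlobal.get(entry.getKey());
            if (globalPlugin != null) {
                // Handled together with its host counterpart, so take it out of the final pass.
                remainingGlobal.remove(entry.getKey());
            }

            Result hostResult = accessCheck.allowed(hostPlugin);
            if (hostResult == Result.DENIED) {
                return false;
            }
            if (hostResult == Result.ALLOWED) {
                continue;
            }

            if (globalPlugin == null) {
                if (hostResult == Result.DEFER) {
                    hostResult = hostPlugin.getDefault();
                }
                if (hostResult == Result.DENIED) {
                    return false;
                }
            } else {
                Result globalResult = accessCheck.allowed(globalPlugin);
                if (globalResult == Result.DEFER) {
                    globalResult = globalPlugin.getDefault();
                }
                // The global plugin has no opinion and the host plugin deferred: the host
                // plugin's default decides.
                if (globalResult == Result.ABSTAIN && hostResult == Result.DEFER) {
                    globalResult = hostPlugin.getDefault();
                }
                if (globalResult == Result.DENIED) {
                    return false;
                }
            }
        }

        for (AccessControl globalPlugin : remainingGlobal.values()) {
            Result globalResult = accessCheck.allowed(globalPlugin);
            if (globalResult == Result.DEFER) {
                globalResult = globalPlugin.getDefault();
            }
            if (globalResult == Result.DENIED) {
                return false;
            }
        }
        return true;
    }

    /**
     * Checks {@code BIND} on {@code EXCHANGE} with properties built from the three arguments.
     *
     * @return {@code true} if no plugin denies the operation
     */
    public boolean authoriseBind(final Exchange exchange, final AMQQueue aMQQueue, final AMQShortString aMQShortString) {
        return checkAllPlugins(new AccessCheck() {
            @Override
            Result allowed(AccessControl accessControl) {
                return accessControl.authorise(Operation.BIND, ObjectType.EXCHANGE, new ObjectProperties(exchange, aMQQueue, aMQShortString));
            }
        });
    }

    /**
     * Checks {@code operation} on {@code METHOD}.
     *
     * @param operation the operation being attempted
     * @param str stored under {@code ObjectProperties.Property.COMPONENT} when non-null
     * @param str2 used as the properties' name
     * @return {@code true} if no plugin denies the operation
     */
    public boolean authoriseMethod(final Operation operation, final String str, final String str2) {
        return checkAllPlugins(new AccessCheck() {
            @Override
            Result allowed(AccessControl accessControl) {
                ObjectProperties objectProperties = new ObjectProperties();
                objectProperties.setName(str2);
                if (str != null) {
                    objectProperties.put(ObjectProperties.Property.COMPONENT, str);
                }
                return accessControl.authorise(operation, ObjectType.METHOD, objectProperties);
            }
        });
    }

    /**
     * Checks access to {@code MANAGEMENT}; plugins receive {@code null} as the second argument.
     *
     * @return {@code true} if no plugin denies access
     */
    public boolean accessManagement() {
        return checkAllPlugins(new AccessCheck() {
            @Override
            Result allowed(AccessControl accessControl) {
                return accessControl.access(ObjectType.MANAGEMENT, null);
            }
        });
    }

    /**
     * Checks access to {@code VIRTUALHOST} from {@code socketAddress}.
     *
     * @param str not used by this method; plugins only see the socket address.
     *     NOTE(review): presumably the virtual host name; confirm that ignoring it is intended
     * @param socketAddress address passed to each plugin
     * @return {@code true} if no plugin denies access
     */
    public boolean accessVirtualhost(String str, final SocketAddress socketAddress) {
        return checkAllPlugins(new AccessCheck() {
            @Override
            Result allowed(AccessControl accessControl) {
                return accessControl.access(ObjectType.VIRTUALHOST, socketAddress);
            }
        });
    }

    /**
     * Checks {@code CONSUME} on {@code QUEUE} for {@code aMQQueue}.
     *
     * @return {@code true} if no plugin denies the operation
     */
    public boolean authoriseConsume(final AMQQueue aMQQueue) {
        return checkAllPlugins(new AccessCheck() {
            @Override
            Result allowed(AccessControl accessControl) {
                return accessControl.authorise(Operation.CONSUME, ObjectType.QUEUE, new ObjectProperties(aMQQueue));
            }
        });
    }

    /**
     * Checks {@code CREATE} on {@code EXCHANGE}. The seven arguments are forwarded, in order, to
     * the matching {@link ObjectProperties} constructor, which defines their meaning (not
     * visible in this file).
     *
     * @return {@code true} if no plugin denies the operation
     */
    public boolean authoriseCreateExchange(final Boolean bool, final Boolean bool2, final AMQShortString aMQShortString, final Boolean bool3, final Boolean bool4, final Boolean bool5, final AMQShortString aMQShortString2) {
        return checkAllPlugins(new AccessCheck() {
            @Override
            Result allowed(AccessControl accessControl) {
                return accessControl.authorise(Operation.CREATE, ObjectType.EXCHANGE, new ObjectProperties(bool, bool2, aMQShortString, bool3, bool4, bool5, aMQShortString2));
            }
        });
    }

    /**
     * Checks {@code CREATE} on {@code QUEUE}. The seven arguments are forwarded, in order, to the
     * matching {@link ObjectProperties} constructor, which defines their meaning (not visible in
     * this file).
     *
     * @return {@code true} if no plugin denies the operation
     */
    public boolean authoriseCreateQueue(final Boolean bool, final Boolean bool2, final Boolean bool3, final Boolean bool4, final Boolean bool5, final AMQShortString aMQShortString, final String str) {
        return checkAllPlugins(new AccessCheck() {
            @Override
            Result allowed(AccessControl accessControl) {
                return accessControl.authorise(Operation.CREATE, ObjectType.QUEUE, new ObjectProperties(bool, bool2, bool3, bool4, bool5, aMQShortString, str));
            }
        });
    }

    /**
     * Checks {@code DELETE} on {@code QUEUE} for {@code aMQQueue}.
     *
     * @return {@code true} if no plugin denies the operation
     */
    public boolean authoriseDelete(final AMQQueue aMQQueue) {
        return checkAllPlugins(new AccessCheck() {
            @Override
            Result allowed(AccessControl accessControl) {
                return accessControl.authorise(Operation.DELETE, ObjectType.QUEUE, new ObjectProperties(aMQQueue));
            }
        });
    }

    /**
     * Checks {@code DELETE} on {@code EXCHANGE}; only the exchange's name is given to plugins.
     *
     * @return {@code true} if no plugin denies the operation
     */
    public boolean authoriseDelete(final Exchange exchange) {
        return checkAllPlugins(new AccessCheck() {
            @Override
            Result allowed(AccessControl accessControl) {
                return accessControl.authorise(Operation.DELETE, ObjectType.EXCHANGE, new ObjectProperties(exchange.getName()));
            }
        });
    }

    /**
     * Checks {@code operation} on {@code GROUP}, with {@code str} as the single
     * {@link ObjectProperties} constructor argument.
     *
     * @return {@code true} if no plugin denies the operation
     */
    public boolean authoriseGroupOperation(final Operation operation, final String str) {
        return checkAllPlugins(new AccessCheck() {
            @Override
            Result allowed(AccessControl accessControl) {
                return accessControl.authorise(operation, ObjectType.GROUP, new ObjectProperties(str));
            }
        });
    }

    /**
     * Checks {@code operation} on {@code USER}, with {@code str} as the single
     * {@link ObjectProperties} constructor argument.
     *
     * @return {@code true} if no plugin denies the operation
     */
    public boolean authoriseUserOperation(final Operation operation, final String str) {
        return checkAllPlugins(new AccessCheck() {
            @Override
            Result allowed(AccessControl accessControl) {
                return accessControl.authorise(operation, ObjectType.USER, new ObjectProperties(str));
            }
        });
    }

    /**
     * Checks {@code PUBLISH} on {@code EXCHANGE}, reusing a cached check object per
     * ({@code z}, {@code str2}, {@code str}) combination.
     *
     * <p>Only the check object is cached, not the verdict: plugins are consulted on every call.
     *
     * <p>NOTE(review): neither cache level is ever evicted, and the size-capped
     * {@code CachedPropertiesMap} declared in this class is not used. If {@code str} or
     * {@code str2} can be chosen freely by a remote client, each distinct value adds a permanent
     * entry; confirm callers validate or limit these values, or bound the cache.
     *
     * @param z selects the cache and is passed as the third {@link ObjectProperties} argument
     * @param str inner cache key and second {@link ObjectProperties} argument; {@code null} is
     *     treated as {@code ""} (presumably the routing key; confirm against callers)
     * @param str2 outer cache key and first {@link ObjectProperties} argument; {@code null} is
     *     treated as {@code ""} (presumably the exchange name; confirm against callers)
     * @return {@code true} if no plugin denies the operation
     */
    public boolean authorisePublish(boolean z, String str, String str2) {
        if (str == null) {
            str = "";
        }
        if (str2 == null) {
            str2 = "";
        }
        ConcurrentHashMap<String, ConcurrentHashMap<String, PublishAccessCheck>> cache = z ? this._immediatePublishPropsCache : this._publishPropsCache;
        ConcurrentHashMap<String, PublishAccessCheck> checksForOuterKey = cache.get(str2);
        if (checksForOuterKey == null) {
            // putIfAbsent returns the map another thread installed first, if any.
            ConcurrentHashMap<String, PublishAccessCheck> fresh = new ConcurrentHashMap<>();
            ConcurrentHashMap<String, PublishAccessCheck> existing = cache.putIfAbsent(str2, fresh);
            checksForOuterKey = existing != null ? existing : fresh;
        }
        PublishAccessCheck publishAccessCheck = checksForOuterKey.get(str);
        if (publishAccessCheck == null) {
            // Two threads may both build a check for the same key; the instances are built from
            // the same arguments, so whichever one ends up stored is fine.
            publishAccessCheck = new PublishAccessCheck(new ObjectProperties(str2, str, Boolean.valueOf(z)));
            checksForOuterKey.put(str, publishAccessCheck);
        }
        return checkAllPlugins(publishAccessCheck);
    }

    /**
     * Checks {@code PURGE} on {@code QUEUE} for {@code aMQQueue}.
     *
     * @return {@code true} if no plugin denies the operation
     */
    public boolean authorisePurge(final AMQQueue aMQQueue) {
        return checkAllPlugins(new AccessCheck() {
            @Override
            Result allowed(AccessControl accessControl) {
                return accessControl.authorise(Operation.PURGE, ObjectType.QUEUE, new ObjectProperties(aMQQueue));
            }
        });
    }

    /**
     * Checks {@code UNBIND} on {@code EXCHANGE}. The properties are built as
     * {@code (exchange, aMQQueue, aMQShortString)}, the same order {@link #authoriseBind} uses,
     * although this method's own parameter order differs.
     *
     * @return {@code true} if no plugin denies the operation
     */
    public boolean authoriseUnbind(final Exchange exchange, final AMQShortString aMQShortString, final AMQQueue aMQQueue) {
        return checkAllPlugins(new AccessCheck() {
            @Override
            Result allowed(AccessControl accessControl) {
                return accessControl.authorise(Operation.UNBIND, ObjectType.EXCHANGE, new ObjectProperties(exchange, aMQQueue, aMQShortString));
            }
        });
    }

    /**
     * Enables or disables access checks for the current thread.
     *
     * <p>While disabled, every {@code authorise*}/{@code access*} call on this thread returns
     * {@code true}. Callers should keep the returned value and restore it when done, ideally in
     * a {@code finally} block, so the bypass cannot outlive the code that needed it.
     *
     * @param z {@code true} to disable checks on this thread, {@code false} to enable them
     * @return the value that was in effect before this call
     */
    public static boolean setAccessChecksDisabled(boolean z) {
        boolean previous = _accessChecksDisabled.get().booleanValue();
        _accessChecksDisabled.set(Boolean.valueOf(z));
        return previous;
    }

    /**
     * Registers {@code accessControl} as a host plugin under its class name. A plugin already
     * registered under the same class name is replaced.
     *
     * @param accessControl the plugin to register; must not be {@code null}
     */
    public void addHostPlugin(AccessControl accessControl) {
        this._hostPlugins.put(accessControl.getClass().getName(), accessControl);
    }
}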
