package org.wso2.carbon.andes.authorization.andes;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.dna.mqtt.moquette.server.IAuthorizer;
import org.wso2.andes.configuration.enums.MQTTAuthoriztionPermissionLevel;
import org.wso2.andes.mqtt.MQTTAuthorizationSubject;
import org.wso2.carbon.andes.authorization.config.AuthorizationConfigurationManager;
import org.wso2.carbon.andes.authorization.internal.AuthorizationServiceDataHolder;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.authorization.TreeNode;

/* loaded from: input_file:org/wso2/carbon/andes/authorization/andes/CarbonPermissionBasedMQTTAuthorizer.class */
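/**
 * MQTT authorizer backed by the Carbon permission tree.
 *
 * <p>A topic is translated into a resource path under
 * {@code /permission/admin/mqtt/topic/} and the decision is delegated to the
 * authorization manager of the subject's tenant. Every failure path in this
 * class (missing realm, user-store error, unusable topic) results in a denial.
 */
public class CarbonPermissionBasedMQTTAuthorizer implements IAuthorizer {
    private static final Log logger = LogFactory.getLog(CarbonPermissionBasedMQTTAuthorizer.class);
    private static final String PERMISSION_PREFIX = "/permission/admin/mqtt/topic/";
    private static final String CONNECTION_PERMISSION_CONFIG = "connectionPermission";

    /**
     * Decides whether the subject may publish to or subscribe on a topic.
     *
     * @param subject         the connecting user and tenant domain
     * @param topic           the topic name or topic filter from the client
     * @param permissionLevel {@code PUBLISH} selects the publish action; any other
     *                        value (including {@code null}) selects subscribe
     * @return {@code true} only when the authorization manager grants the action
     */
    public boolean isAuthorizedForTopic(MQTTAuthorizationSubject subject, String topic, MQTTAuthoriztionPermissionLevel permissionLevel) {
        String resource = getPermissionStringFromTopic(topic);
        if (resource == null) {
            // Without a topic there is no resource under PERMISSION_PREFIX to check.
            // Previously the raw null/empty value was handed to the authorization
            // manager as the resource id; deny instead of relying on how it treats that.
            return false;
        }
        TreeNode.Permission required = permissionLevel == MQTTAuthoriztionPermissionLevel.PUBLISH
                ? TreeNode.Permission.PUBLISH
                : TreeNode.Permission.SUBSCRIBE;
        return isUserAuthorized(subject, resource, actionName(required));
    }

    /**
     * Decides whether the subject may open an MQTT connection.
     *
     * <p>NOTE: when the {@code connectionPermission} property is absent or empty this
     * returns {@code true} without consulting the user store, i.e. connection-level
     * authorization is off unless it is explicitly configured.
     *
     * @param subject the connecting user and tenant domain
     * @return {@code true} when no connection permission is configured, otherwise the
     *         authorization manager's decision for the configured permission
     */
    public boolean isAuthorizedToConnect(MQTTAuthorizationSubject subject) {
        String connectionPermission = AuthorizationConfigurationManager.getInstance().getProperty(CONNECTION_PERMISSION_CONFIG);
        if (connectionPermission == null || connectionPermission.isEmpty()) {
            return true;
        }
        return isUserAuthorized(subject, connectionPermission, actionName(TreeNode.Permission.AUTHORIZE));
    }

    /**
     * Asks the tenant's authorization manager whether the user holds {@code action}
     * on {@code resource}. Runs inside a tenant flow that is always closed again.
     *
     * @return the authorization manager's decision; {@code false} when the subject is
     *         {@code null}, the realm or its authorization manager is unavailable, or
     *         the user store reports an error
     */
    private boolean isUserAuthorized(MQTTAuthorizationSubject subject, String resource, String action) {
        if (subject == null) {
            // Deny rather than fail with a NullPointerException inside the authorizer.
            return false;
        }
        String username = subject.getUsername();
        try {
            // startTenantFlow() stays inside the try so the finally block balances it
            // even when switching the tenant context fails part-way.
            PrivilegedCarbonContext.startTenantFlow();
            PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(subject.getTenantDomain(), true);
            UserRealm realm = AuthorizationServiceDataHolder.getInstance().getRealmService()
                    .getTenantUserRealm(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId());
            if (realm == null || realm.getAuthorizationManager() == null) {
                return false;
            }
            return realm.getAuthorizationManager().isUserAuthorized(username, resource, action);
        } catch (UserStoreException e) {
            logger.error(String.format("Unable to authorize the user : %s", username), e);
            return false;
        } finally {
            // A single exit point for the tenant flow: the privileged context must not
            // stay bound to this thread after the check, whatever the outcome.
            PrivilegedCarbonContext.endTenantFlow();
        }
    }

    /**
     * Maps a topic name or filter to its permission-tree resource path.
     *
     * <p>One leading {@code '/'} is dropped, everything from the first wildcard
     * ({@code '+'} or {@code '#'}) onward is cut off, the prefix is prepended and one
     * trailing {@code '/'} is removed. A filter that starts with a wildcard therefore
     * maps to the root node {@code /permission/admin/mqtt/topic}. The earlier
     * {@code split(...)[0]} form threw {@link ArrayIndexOutOfBoundsException} for
     * filters consisting only of wildcards, such as {@code "#"} or {@code "+"}.
     *
     * <p>NOTE(review): the remaining topic text is concatenated as-is, with no
     * normalization of segments such as {@code ".."} or {@code "//"} — confirm the
     * authorization manager treats the resource id as an opaque string.
     *
     * @param topic the topic name or filter supplied by the client
     * @return the resource path, or {@code null} when {@code topic} is null or empty
     */
    private String getPermissionStringFromTopic(String topic) {
        if (topic == null || topic.isEmpty()) {
            return null;
        }
        String path = topic.charAt(0) == '/' ? topic.substring(1) : topic;

        // Keep only the concrete part that precedes the first wildcard character.
        int cut = path.length();
        int plus = path.indexOf('+');
        if (plus >= 0) {
            cut = plus;
        }
        int hash = path.indexOf('#');
        if (hash >= 0 && hash < cut) {
            cut = hash;
        }

        String resource = PERMISSION_PREFIX + path.substring(0, cut);
        if (resource.charAt(resource.length() - 1) == '/') {
            resource = resource.substring(0, resource.length() - 1);
        }
        return resource;
    }

    /**
     * Lower-cases a permission name for use as the action string.
     * Locale.ROOT keeps the result stable on JVMs whose default locale has special
     * casing rules for 'I' (for example Turkish), which would otherwise change the
     * action string being checked.
     */
    private static String actionName(TreeNode.Permission permission) {
        return permission.toString().toLowerCase(java.util.Locale.ROOT);
    }
}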
