package org.openremote.manager.mqtt;

import java.util.Set;
import java.util.function.Function;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.activemq.artemis.core.config.impl.SecurityConfiguration;
import org.apache.activemq.artemis.core.remoting.CertificateUtil;
import org.apache.activemq.artemis.core.security.CheckType;
import org.apache.activemq.artemis.core.security.Role;
import org.apache.activemq.artemis.core.server.ActiveMQServer;
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;
import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.KeycloakDeployment;
import org.openremote.container.security.keycloak.KeycloakIdentityProvider;
import org.openremote.manager.security.AuthorisationService;
import org.openremote.manager.security.MultiTenantJaasCallbackHandler;
import org.openremote.manager.security.RemotingConnectionPrincipal;
import org.openremote.manager.syslog.SyslogService;
import org.openremote.model.syslog.SyslogCategory;

/* loaded from: input_file:org/openremote/manager/mqtt/ActiveMQORSecurityManager.class */
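/**
 * Artemis security manager that authenticates connections through JAAS using a
 * {@link MultiTenantJaasCallbackHandler} and authorises publish/subscribe requests by
 * delegating to the {@link MQTTHandler}s registered on the {@link MQTTBrokerService}.
 *
 * <p>Authorisation is deny-by-default for topic access: a SEND or CONSUME check succeeds only
 * when a handler claims the topic and explicitly allows the operation. The role set supplied by
 * the broker is not consulted anywhere in this class.
 */
public class ActiveMQORSecurityManager extends ActiveMQJAASSecurityManager {
    private static final Logger LOG = SyslogCategory.getLogger(SyslogCategory.API, ActiveMQORSecurityManager.class);

    /** Separator between the address and the queue name in the value passed to CONSUME checks. */
    private static final String QUEUE_SEPARATOR = "::";

    protected AuthorisationService authorisationService;
    protected MQTTBrokerService brokerService;
    protected Function<String, KeycloakDeployment> deploymentResolver;
    // certificateConfigName and certificateConfig are never assigned in this class, so the
    // certificate login branch is only reachable if a subclass or other code sets them.
    protected String certificateConfigName;
    protected String configName;
    protected SecurityConfiguration config;
    protected SecurityConfiguration certificateConfig;
    // Not read or written by the code in this class.
    protected ActiveMQServer server;

    /**
     * Creates the security manager.
     *
     * @param authorisationService stored on the instance; not used by the methods in this class
     * @param mQTTBrokerService broker service supplying the wildcard configuration and the topic handlers
     * @param function resolver handed to every {@link MultiTenantJaasCallbackHandler}
     * @param str JAAS configuration name used when no security domain is supplied
     * @param securityConfiguration JAAS configuration used together with {@code str}
     */
    public ActiveMQORSecurityManager(AuthorisationService authorisationService, MQTTBrokerService mQTTBrokerService, Function<String, KeycloakDeployment> function, String str, SecurityConfiguration securityConfiguration) {
        super(str, securityConfiguration);
        this.authorisationService = authorisationService;
        this.brokerService = mQTTBrokerService;
        this.deploymentResolver = function;
        this.configName = str;
        this.config = securityConfiguration;
    }

    /**
     * Returns the subject for a connection, logging in only if the connection has none yet.
     *
     * <p>When the connection already carries a subject it is returned as-is and the supplied
     * credentials are not evaluated again, so a subject stays valid for the lifetime of the
     * connection.
     *
     * @param str user name, optionally prefixed as described on {@link #getAuthenticatedSubject}
     * @param str2 password
     * @param remotingConnection connection being authenticated
     * @param str3 security domain (JAAS configuration name), or {@code null} to use the defaults
     * @return the authenticated subject, or {@code null} when login fails
     */
    public Subject authenticate(String str, String str2, RemotingConnection remotingConnection, String str3) {
        Subject existing = remotingConnection.getSubject();
        if (existing != null) {
            return existing;
        }
        try {
            return getAuthenticatedSubject(str, str2, remotingConnection, str3);
        } catch (LoginException e) {
            // Fail closed, but leave a trace for diagnosis; neither user name nor password is logged.
            LOG.log(Level.FINE, "Authentication failed: " + MQTTBrokerService.connectionToString(remotingConnection), e);
            return null;
        }
    }

    /**
     * Performs a JAAS login and binds the resulting subject to the connection.
     *
     * <p>A user name of the exact form {@code prefix:name} is split into its two parts and the
     * prefix is passed separately to the callback handler (presumably the realm; confirm against
     * {@link MultiTenantJaasCallbackHandler}). Any other shape, including names with more than
     * one colon, is passed through unchanged with a {@code null} prefix.
     *
     * @param str user name, optionally in {@code prefix:name} form
     * @param str2 password
     * @param remotingConnection connection the subject is attached to on success
     * @param str3 security domain, or {@code null} to select the certificate or default configuration
     * @return the subject produced by the login context; may be {@code null}
     * @throws LoginException if the login fails
     */
    protected Subject getAuthenticatedSubject(String str, String str2, RemotingConnection remotingConnection, String str3) throws LoginException {
        String realm = null;
        String username = str;
        if (str != null) {
            String[] parts = str.split(":");
            if (parts.length == 2) {
                realm = parts[0];
                username = parts[1];
            }
        }

        Thread currentThread = Thread.currentThread();
        ClassLoader callerLoader = currentThread.getContextClassLoader();
        ClassLoader ownLoader = getClass().getClassLoader();
        boolean swapLoader = ownLoader != callerLoader;
        if (swapLoader) {
            currentThread.setContextClassLoader(ownLoader);
        }
        try {
            // The context class loader swap has to span LoginContext creation and login();
            // restoring it before that point would make the swap a no-op.
            MultiTenantJaasCallbackHandler callbackHandler = new MultiTenantJaasCallbackHandler(this.deploymentResolver, realm, username, str2, remotingConnection);
            LoginContext loginContext;
            if (str3 != null) {
                // A null Configuration makes LoginContext fall back to the installed one.
                loginContext = new LoginContext(str3, null, callbackHandler, null);
            } else if (this.certificateConfigName != null && this.certificateConfigName.length() > 0 && CertificateUtil.getCertsFromConnection(remotingConnection) != null) {
                loginContext = new LoginContext(this.certificateConfigName, null, callbackHandler, this.certificateConfig);
            } else {
                loginContext = new LoginContext(this.configName, null, callbackHandler, this.config);
            }
            loginContext.login();
            Subject subject = loginContext.getSubject();
            if (subject != null) {
                remotingConnection.setSubject(subject);
                // verifyRights() later recovers the connection from this principal.
                subject.getPrincipals().add(new RemotingConnectionPrincipal(remotingConnection));
            }
            return subject;
        } finally {
            if (swapLoader) {
                currentThread.setContextClassLoader(callerLoader);
            }
        }
    }

    /**
     * Decides whether a subject may perform the given operation on an address.
     *
     * <p>SEND and CONSUME are checked per topic through {@link #verifyRights}. Address and queue
     * creation/deletion is allowed unconditionally, and MANAGE, BROWSE, VIEW and EDIT are always
     * refused. NOTE(review): because creation and deletion are not tied to the subject, access
     * control rests on the SEND/CONSUME checks; confirm this matches the broker's address settings.
     *
     * @param subject authenticated subject
     * @param set roles configured for the address; ignored by this implementation
     * @param checkType operation being checked
     * @param str address; for CONSUME it is expected in {@code address::queue} form
     * @return {@code true} if the operation is allowed
     */
    public boolean authorize(Subject subject, Set<Role> set, CheckType checkType, String str) {
        if (checkType == null) {
            return false;
        }
        switch (checkType) {
            case SEND:
                return verifyRights(subject, str, true);
            case CONSUME: {
                int separatorIndex = str == null ? -1 : str.indexOf(QUEUE_SEPARATOR);
                if (separatorIndex < 0) {
                    // Deny instead of letting substring() throw out of the authorisation path.
                    LOG.fine("Consume check denied, address has no queue separator: address=" + forLog(str));
                    return false;
                }
                return verifyRights(subject, str.substring(0, separatorIndex), false);
            }
            case CREATE_ADDRESS:
            case DELETE_ADDRESS:
            case CREATE_DURABLE_QUEUE:
            case DELETE_DURABLE_QUEUE:
            case CREATE_NON_DURABLE_QUEUE:
            case DELETE_NON_DURABLE_QUEUE:
                return true;
            case MANAGE:
            case BROWSE:
            case VIEW:
            case EDIT:
                return false;
            default:
                // A check type this class does not know about is refused rather than guessed at.
                LOG.warning("Unsupported check type denied: " + checkType);
                return false;
        }
    }

    /**
     * Asks the handler responsible for a topic whether the subject may publish or subscribe.
     *
     * <p>The request is refused when the address is {@code null}, the topic carries no client ID,
     * the subject has no associated connection, a publish targets a wildcard topic, no handler
     * claims the topic, or an {@link IllegalArgumentException} is raised anywhere in the check.
     * Only the first handler that claims the topic is consulted.
     *
     * @param subject authenticated subject
     * @param str topic address supplied by the client
     * @param z {@code true} for a publish check, {@code false} for a subscribe check
     * @return {@code true} only if a handler explicitly allows the operation
     */
    protected boolean verifyRights(Subject subject, String str, boolean z) {
        if (str == null) {
            return false;
        }
        final String action = z ? "pub" : "sub";
        try {
            final Topic topic = Topic.fromAddress(str, this.brokerService.getWildcardConfiguration());
            KeycloakSecurityContext securityContext = KeycloakIdentityProvider.getSecurityContext(subject);
            String clientId = MQTTHandler.topicClientID(topic);
            if (clientId == null) {
                LOG.fine("Client ID not found but it must be included as the second token in the topic: topic=" + forLog(topic));
                return false;
            }
            final RemotingConnection connection = RemotingConnectionPrincipal.getRemotingConnectionFromSubject(subject);
            if (connection == null) {
                LOG.info("Failed to find connection for the specified client ID: clientID=" + forLog(clientId));
                return false;
            }
            if (z && topic.hasWildcard()) {
                return false;
            }
            for (MQTTHandler handler : this.brokerService.getCustomHandlers()) {
                if (!handler.handlesTopic(topic)) {
                    continue;
                }
                // Supplier form keeps the per-message authorisation path free of string building
                // when FINEST is disabled.
                LOG.finest(() -> "Passing topic to handler for " + action + ": handler=" + handler.getName() + ", topic=" + forLog(topic) + ", " + MQTTBrokerService.connectionToString(connection));
                final boolean allowed = z
                    ? handler.checkCanPublish(connection, securityContext, topic)
                    : handler.checkCanSubscribe(connection, securityContext, topic);
                LOG.finest(() -> "Handler '" + handler.getName() + (allowed ? "' has authorised " : "' has not authorised ") + action + ": topic=" + forLog(topic) + ", " + MQTTBrokerService.connectionToString(connection));
                return allowed;
            }
            LOG.info("Un-supported request " + action + ": topic=" + forLog(topic) + ", " + MQTTBrokerService.connectionToString(connection));
            return false;
        } catch (IllegalArgumentException e) {
            LOG.log(Level.FINE, "Invalid topic provided by client '" + forLog(str) + "'", (Throwable) e);
            return false;
        }
    }

    /**
     * Renders a client-supplied value for a log message with line breaks replaced, so that a
     * topic or client ID cannot start a forged log record.
     */
    private static String forLog(Object value) {
        return String.valueOf(value).replace('\r', '_').replace('\n', '_');
    }
}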
