package org.activemq.security;

import java.util.Set;
import javax.jms.JMSException;
import org.activemq.broker.Broker;
import org.activemq.broker.BrokerFilter;
import org.activemq.broker.ConnectionContext;
import org.activemq.broker.region.Destination;
import org.activemq.command.ActiveMQDestination;
import org.activemq.command.ActiveMQTempDestination;
import org.activemq.command.ConsumerInfo;
import org.activemq.command.Message;
import org.activemq.command.ProducerInfo;
import org.activemq.filter.BooleanExpression;
import org.activemq.filter.DestinationMap;
import org.activemq.filter.MessageEvaluationContext;

/* loaded from: input_file:org/activemq/security/SimpleAuthorizationBroker.class */
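/**
 * Broker filter that enforces per-destination access control lists before
 * delegating to the next broker in the chain.
 *
 * <p>Three ACL maps are consulted: one for administrative operations (creating
 * and removing destinations), one for reads (adding consumers, and optionally
 * per-message filtering) and one for writes (adding producers and sending).
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Every intercepted operation requires a non-null {@link SecurityContext}
 *       on the connection; otherwise a {@link SecurityException} is thrown.</li>
 *   <li><b>Missing ACL entries are permissive.</b> When the relevant map returns
 *       {@code null} for a destination, the operation is allowed for any
 *       authenticated user. Deployments that need default-deny must ensure
 *       every destination (e.g. via a catch-all entry) resolves to an ACL set.
 *       NOTE(review): whether the map supports wildcard entries is not visible
 *       here; confirm against {@code DestinationMap}.</li>
 *   <li><b>Positive decisions are cached</b> in the security context's
 *       authorized read/write destination collections. A cached destination is
 *       not checked against the ACL maps again by {@link #send} or by the read
 *       predicate. NOTE(review): if ACLs can change at runtime, confirm how
 *       long a security context lives and whether its cache is invalidated.</li>
 *   <li>A temporary destination may be created and removed by the connection
 *       that owns it without consulting the admin ACLs.</li>
 * </ul>
 */
public class SimpleAuthorizationBroker extends BrokerFilter {
    private final DestinationMap writeACLs;
    private final DestinationMap readACLs;
    private final DestinationMap adminACLs;
    // When true, each consumer gets a predicate that re-checks read access per message.
    private boolean filterReads;

    /**
     * Creates the filter. Per-message read filtering is enabled by default.
     *
     * <p>The three maps share a type, so their order is easy to mix up at the
     * call site: write first, then read, then admin.
     *
     * @param broker the next broker in the chain
     * @param destinationMap ACLs consulted for producers and sends (write)
     * @param destinationMap2 ACLs consulted for consumers (read)
     * @param destinationMap3 ACLs consulted for destination creation/removal (admin)
     */
    public SimpleAuthorizationBroker(Broker broker, DestinationMap destinationMap, DestinationMap destinationMap2, DestinationMap destinationMap3) {
        super(broker);
        this.filterReads = true;
        this.writeACLs = destinationMap;
        this.readACLs = destinationMap2;
        this.adminACLs = destinationMap3;
    }

    /**
     * Returns the connection's security context, rejecting unauthenticated connections.
     *
     * @throws SecurityException if the connection carries no security context
     */
    private static SecurityContext requireAuthenticated(ConnectionContext connectionContext) {
        SecurityContext securityContext = connectionContext.getSecurityContext();
        if (securityContext == null) {
            throw new SecurityException("User is not authenticated.");
        }
        return securityContext;
    }

    /** Builds the denial exception; the message format is shared by all checks. */
    private static SecurityException notAuthorized(SecurityContext securityContext, String action, Object target) {
        return new SecurityException("User " + securityContext.getUserName() + " is not authorized to " + action + ": " + target);
    }

    /**
     * Decides whether the caller may create or remove the given destination.
     *
     * <p>Allowed when the destination is temporary and owned by this
     * connection, when no admin ACL entry exists for it (permissive default),
     * or when the security context is in one of the listed ACLs.
     */
    private boolean mayAdminister(ConnectionContext connectionContext, SecurityContext securityContext, ActiveMQDestination activeMQDestination) {
        // Owner check comes first so the owning connection never hits the ACL lookup.
        if (activeMQDestination.isTemporary()
                && ((ActiveMQTempDestination) activeMQDestination).getConnectionId().equals(connectionContext.getConnectionId().getConnectionId())) {
            return true;
        }
        Set allowedAcls = this.adminACLs.get(activeMQDestination);
        return allowedAcls == null || securityContext.isInOneOf(allowedAcls);
    }

    /**
     * Creates a destination after checking admin access.
     *
     * @throws SecurityException if the connection is unauthenticated or the
     *     user is not permitted to create the destination
     */
    @Override // org.activemq.broker.BrokerFilter, org.activemq.broker.region.Region
    public Destination addDestination(ConnectionContext connectionContext, ActiveMQDestination activeMQDestination) throws Throwable {
        SecurityContext securityContext = requireAuthenticated(connectionContext);
        if (!mayAdminister(connectionContext, securityContext, activeMQDestination)) {
            throw notAuthorized(securityContext, "create", activeMQDestination);
        }
        return super.addDestination(connectionContext, activeMQDestination);
    }

    /**
     * Removes a destination after checking admin access.
     *
     * @param j passed through unchanged to the next broker
     *     (NOTE(review): presumably a timeout; confirm against {@code BrokerFilter})
     * @throws SecurityException if the connection is unauthenticated or the
     *     user is not permitted to remove the destination
     */
    @Override // org.activemq.broker.BrokerFilter, org.activemq.broker.region.Region
    public void removeDestination(ConnectionContext connectionContext, ActiveMQDestination activeMQDestination, long j) throws Throwable {
        SecurityContext securityContext = requireAuthenticated(connectionContext);
        if (!mayAdminister(connectionContext, securityContext, activeMQDestination)) {
            throw notAuthorized(securityContext, "remove", activeMQDestination);
        }
        super.removeDestination(connectionContext, activeMQDestination, j);
    }

    /**
     * Registers a consumer after checking read access to its destination.
     *
     * <p>On success the destination is recorded in the security context's
     * authorized-read cache. When {@code filterReads} is enabled, an additional
     * predicate is installed on the consumer that checks read access against
     * each <em>message's</em> destination rather than the subscription's
     * (presumably to cover subscriptions that match several destinations;
     * confirm against the dispatch code).
     *
     * @throws SecurityException if the connection is unauthenticated or the
     *     user is not permitted to read from the destination
     */
    @Override // org.activemq.broker.BrokerFilter, org.activemq.broker.region.Region
    public void addConsumer(ConnectionContext connectionContext, ConsumerInfo consumerInfo) throws Throwable {
        final SecurityContext securityContext = requireAuthenticated(connectionContext);
        Set allowedAcls = this.readACLs.get(consumerInfo.getDestination());
        if (allowedAcls != null && !securityContext.isInOneOf(allowedAcls)) {
            throw notAuthorized(securityContext, "read from", consumerInfo.getDestination());
        }
        securityContext.getAuthorizedReadDests().put(consumerInfo.getDestination(), consumerInfo.getDestination());
        if (this.filterReads) {
            consumerInfo.setAdditionalPredicate(new BooleanExpression() {
                @Override // org.activemq.filter.BooleanExpression
                public boolean matches(MessageEvaluationContext messageEvaluationContext) throws JMSException {
                    // Fast path: this context was already granted read access to the destination.
                    if (securityContext.getAuthorizedReadDests().contains(messageEvaluationContext.getDestination())) {
                        return true;
                    }
                    Set messageAcls = readACLs.get(messageEvaluationContext.getDestination());
                    if (messageAcls != null && !securityContext.isInOneOf(messageAcls)) {
                        // Denied messages are filtered out silently; nothing is thrown or logged here.
                        return false;
                    }
                    // Cache the grant so later messages on this destination skip the ACL lookup.
                    securityContext.getAuthorizedReadDests().put(messageEvaluationContext.getDestination(), messageEvaluationContext.getDestination());
                    return true;
                }

                @Override // org.activemq.filter.Expression
                public Object evaluate(MessageEvaluationContext messageEvaluationContext) throws JMSException {
                    return matches(messageEvaluationContext) ? Boolean.TRUE : Boolean.FALSE;
                }
            });
        }
        super.addConsumer(connectionContext, consumerInfo);
    }

    /**
     * Registers a producer after checking write access to its destination.
     *
     * <p>A producer without a destination is accepted here unchecked; its
     * messages are still checked individually in {@link #send}.
     *
     * @throws SecurityException if the connection is unauthenticated or the
     *     user is not permitted to write to the destination
     */
    @Override // org.activemq.broker.BrokerFilter, org.activemq.broker.Broker
    public void addProducer(ConnectionContext connectionContext, ProducerInfo producerInfo) throws Throwable {
        SecurityContext securityContext = requireAuthenticated(connectionContext);
        if (producerInfo.getDestination() != null) {
            Set allowedAcls = this.writeACLs.get(producerInfo.getDestination());
            if (allowedAcls != null && !securityContext.isInOneOf(allowedAcls)) {
                throw notAuthorized(securityContext, "write to", producerInfo.getDestination());
            }
            securityContext.getAuthorizedWriteDests().put(producerInfo.getDestination(), producerInfo.getDestination());
        }
        super.addProducer(connectionContext, producerInfo);
    }

    /**
     * Forwards a message after checking write access to its destination.
     *
     * <p>The ACL lookup is skipped when the destination is already in the
     * security context's authorized-write cache; otherwise the write ACLs are
     * consulted and a grant is cached.
     *
     * @throws SecurityException if the connection is unauthenticated or the
     *     user is not permitted to write to the message's destination
     */
    @Override // org.activemq.broker.BrokerFilter, org.activemq.broker.region.Region
    public void send(ConnectionContext connectionContext, Message message) throws Throwable {
        SecurityContext securityContext = requireAuthenticated(connectionContext);
        if (!securityContext.getAuthorizedWriteDests().contains(message.getDestination())) {
            Set allowedAcls = this.writeACLs.get(message.getDestination());
            if (allowedAcls != null && !securityContext.isInOneOf(allowedAcls)) {
                throw notAuthorized(securityContext, "write to", message.getDestination());
            }
            securityContext.getAuthorizedWriteDests().put(message.getDestination(), message.getDestination());
        }
        super.send(connectionContext, message);
    }

    /** Returns whether consumers added from now on get the per-message read predicate. */
    public boolean isFilterReads() {
        return this.filterReads;
    }

    /**
     * Enables or disables per-message read filtering.
     *
     * <p>The flag is read only in {@link #addConsumer}, so changing it does not
     * affect consumers that were already registered. With filtering disabled,
     * read access is checked only against the consumer's own destination.
     */
    public void setFilterReads(boolean z) {
        this.filterReads = z;
    }
}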
