package org.apache.activemq.artemis.core.server.management;

import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import javax.management.Attribute;
import javax.management.AttributeList;
import javax.management.MBeanAttributeInfo;
import javax.management.MBeanServer;
import javax.management.ObjectInstance;
import javax.management.ObjectName;
import javax.security.auth.Subject;
import org.apache.activemq.artemis.api.core.SimpleString;
import org.apache.activemq.artemis.core.management.impl.ActiveMQServerControlImpl;
import org.apache.activemq.artemis.core.management.impl.ManagementRemotingConnection;
import org.apache.activemq.artemis.core.security.CheckType;
import org.apache.activemq.artemis.core.security.SecurityAuth;
import org.apache.activemq.artemis.core.server.ActivateCallback;
import org.apache.activemq.artemis.core.server.ActiveMQServer;
import org.apache.activemq.artemis.core.server.metrics.MetricsManager;
import org.apache.activemq.artemis.logs.AuditLogger;
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;

/* loaded from: input_file:org/apache/activemq/artemis/core/server/management/ArtemisRbacInvocationHandler.class */
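/**
 * Invocation handler that places role-based access control in front of an {@link MBeanServer}.
 *
 * <p>Calls whose method name is listed in {@code mBeanServerCheckedMethods} are authorised against
 * the broker's security store before being forwarded to the delegate. Every other
 * {@code MBeanServer} method is forwarded without an RBAC check, and {@link ObjectName}s in
 * {@code uncheckedDomains} skip the check as well. Results of {@code query*} calls are filtered
 * so that entries failing a {@link CheckType#VIEW} check are removed.
 *
 * <p>The handler has no broker reference until the first {@link ActiveMQServerControlImpl} is
 * registered through it; until then checked calls are refused (or answered with {@code null} for
 * queries) unless they target an unchecked domain.
 */
public class ArtemisRbacInvocationHandler implements GuardInvocationHandler {
    private final MBeanServer delegate;
    // Written last during initialisation and cleared on broker shutdown; volatile so that other
    // threads observe both transitions.
    private volatile ActiveMQServer activeMQServer;
    String brokerDomain;
    Pattern viewPermissionMatcher;
    SimpleString rbacPrefix;
    SimpleString mBeanServerRbacAddressPrefix;
    // Only these MBeanServer methods are subject to securityCheck(); anything else passes through.
    private final List<String> mBeanServerCheckedMethods = List.of("invoke", "getAttribute", "getAttributes", "setAttribute", "setAttributes", "queryMBeans", "queryNames");
    // ObjectNames in these JMX domains bypass every RBAC check in this class.
    private final List<String> uncheckedDomains = List.of("hawtio");
    // Carries no username/password: the caller's identity is resolved from the Subject bound to
    // the current AccessControlContext at the moment the security store asks for it.
    private final SecurityAuth delegateToAccessController = new SecurityAuth() {
        final ManagementRemotingConnection managementRemotingConnection = new ManagementRemotingConnection() {
            @Override
            public Subject getSubject() {
                AccessControlContext context = AccessController.getContext();
                return context != null ? Subject.getSubject(context) : null;
            }
        };

        @Override
        public String getUsername() {
            return null;
        }

        @Override
        public String getPassword() {
            return null;
        }

        @Override
        public RemotingConnection getRemotingConnection() {
            return this.managementRemotingConnection;
        }

        @Override
        public String getSecurityDomain() {
            return null;
        }
    };

    /**
     * Creates a handler guarding the given server.
     *
     * <p>Decompiler note: the constructor was originally package-private.
     *
     * @param mBeanServer the real MBeanServer that authorised calls are forwarded to
     */
    public ArtemisRbacInvocationHandler(MBeanServer mBeanServer) {
        this.delegate = mBeanServer;
    }

    /**
     * Authorises (where applicable) and forwards one {@code MBeanServer} call.
     *
     * @param obj the proxy instance (unused)
     * @param method the {@code MBeanServer} method being called
     * @param objArr the call arguments; the first one is treated as the target {@link ObjectName}
     *        when it has that type
     * @return the delegate's result, with unauthorised entries removed from query results, or
     *         {@code null} for a query issued before initialisation
     * @throws SecurityException if the security store rejects the call
     * @throws IllegalStateException if a checked call arrives before initialisation and does not
     *         target an unchecked domain
     * @throws Throwable whatever the delegate method itself throws
     */
    @Override
    public Object invoke(Object obj, Method method, Object[] objArr) throws Throwable {
        initAuditLoggerContext();
        final String methodName = method.getName();
        final boolean isQuery = methodName.startsWith("query");
        if (!this.mBeanServerCheckedMethods.contains(methodName)) {
            // Unchecked method: forwarded as-is, but registerMBean is watched to pick up the broker.
            initializeFromFirstServerMBeanRegistration(method, objArr);
        } else if (this.activeMQServer != null) {
            securityCheck(method, objArr);
        } else {
            // No security store available yet: refuse rather than forward an unchecked call.
            if (isQuery) {
                return null;
            }
            if (!isUncheckedDomain(objArr)) {
                throw new IllegalStateException("initialisation pending");
            }
        }
        try {
            Object result = method.invoke(this.delegate, objArr);
            if (isQuery && result instanceof Collection) {
                // Hide MBeans the caller is not allowed to view.
                ((Collection<?>) result).removeIf(this::viewPermissionCheckFails);
            }
            return result;
        } catch (InvocationTargetException e) {
            // Surface the delegate's own exception; fall back to the wrapper if it has no cause.
            Throwable cause = e.getCause();
            throw cause != null ? cause : e;
        }
    }

    /** Returns whether the first call argument is an ObjectName in an unchecked domain. */
    private boolean isUncheckedDomain(Object[] objArr) {
        return isUncheckedDomain(objectNameFrom(objArr));
    }

    /** Returns whether the name's domain is exempt from RBAC; {@code null} is never exempt. */
    private boolean isUncheckedDomain(ObjectName objectName) {
        return objectName != null && this.uncheckedDomains.contains(objectName.getDomain());
    }

    /** Returns the first argument when it is an {@link ObjectName}, otherwise {@code null}. */
    private ObjectName objectNameFrom(Object[] objArr) {
        if (objArr == null || objArr.length == 0) {
            return null;
        }
        Object first = objArr[0];
        return first instanceof ObjectName ? (ObjectName) first : null;
    }

    /**
     * Reports whether the current caller may invoke the named operation on the named MBean.
     *
     * @param str the MBean's object name in string form
     * @param str2 the operation name, used for both the RBAC address and the permission type
     * @return {@code true} if the check passes or the domain is unchecked; {@code false} on any
     *         failure, including a malformed name or a handler that is not yet initialised
     */
    @Override
    public boolean canInvoke(String str, String str2) {
        try {
            ObjectName objectName = ObjectName.getInstance(str);
            if (!isUncheckedDomain(objectName)) {
                securityStoreCheck(addressFrom(objectName, str2), permissionFrom(str2));
            }
            return true;
        } catch (Throwable ignored) {
            // Deliberately fail closed: any problem while checking means "not permitted".
            return false;
        }
    }

    /**
     * Captures the broker and its RBAC configuration from the first
     * {@link ActiveMQServerControlImpl} passed to {@code registerMBean}.
     */
    private void initializeFromFirstServerMBeanRegistration(Method method, Object[] objArr) {
        if (this.activeMQServer != null || !"registerMBean".equals(method.getName())) {
            return;
        }
        if (objArr == null || objArr.length == 0 || !(objArr[0] instanceof ActiveMQServerControlImpl)) {
            return;
        }
        ActiveMQServerControlImpl serverControl = (ActiveMQServerControlImpl) objArr[0];
        ActiveMQServer server = serverControl.getServer();
        // Config-derived fields are written before the volatile activeMQServer so that a thread
        // which observes a non-null server also observes the values the checks depend on.
        this.brokerDomain = server.getConfiguration().getJMXDomain();
        this.viewPermissionMatcher = Pattern.compile(server.getConfiguration().getViewPermissionMethodMatchPattern());
        this.rbacPrefix = SimpleString.of(server.getConfiguration().getManagementRbacPrefix());
        this.mBeanServerRbacAddressPrefix = this.rbacPrefix.concat(".mbeanserver.");
        this.activeMQServer = server;
        server.registerActivateCallback(new ActivateCallback() {
            @Override
            public void shutdown(ActiveMQServer activeMQServer) {
                try {
                    ArtemisRbacInvocationHandler.this.activeMQServer.getManagementService().unregisterHawtioSecurity();
                } catch (Exception ignored) {
                    // Best-effort cleanup; the broker reference is dropped regardless.
                }
                ArtemisRbacInvocationHandler.this.activeMQServer = null;
            }
        });
        try {
            server.getManagementService().registerHawtioSecurity(this);
        } catch (Exception e) {
            // NOTE(review): failure here is only printed to stderr; consider routing it to the
            // project's logger so a missing Hawtio security MBean is visible to operators.
            e.printStackTrace();
        }
    }

    /**
     * Seeds the audit logger's remote address when none is set: the text after the first
     * {@code '-'} of an "RMI TCP Connection" thread name, otherwise {@code "internal"}.
     */
    private void initAuditLoggerContext() {
        if (!AuditLogger.isAnyLoggingEnabled() || AuditLogger.getRemoteAddress() != null) {
            return;
        }
        String threadName = Thread.currentThread().getName();
        String remoteAddress = threadName.startsWith("RMI TCP Connection")
                ? threadName.substring(threadName.indexOf('-') + 1)
                : "internal";
        AuditLogger.setRemoteAddress(remoteAddress);
    }

    /**
     * Authorises one checked {@code MBeanServer} call against the security store.
     *
     * @param method the checked method being called
     * @param objArr its arguments, cast according to the method's name
     * @throws SecurityException if the check fails for any reason, including malformed arguments
     */
    void securityCheck(Method method, Object[] objArr) {
        if (isUncheckedDomain(objArr)) {
            return;
        }
        try {
            String name = method.getName();
            if ("getAttribute".equals(name)) {
                handleGetAttribute(this.delegate, (ObjectName) objArr[0], (String) objArr[1]);
            } else if ("getAttributes".equals(name)) {
                handleGetAttributes(this.delegate, (ObjectName) objArr[0], (String[]) objArr[1]);
            } else if ("setAttribute".equals(name)) {
                handleSetAttribute(this.delegate, (ObjectName) objArr[0], (Attribute) objArr[1]);
            } else if ("setAttributes".equals(name)) {
                handleSetAttributes(this.delegate, (ObjectName) objArr[0], (AttributeList) objArr[1]);
            } else if ("invoke".equals(name)) {
                handleInvoke((ObjectName) objArr[0], (String) objArr[1]);
            } else if (name.startsWith("query")) {
                // Queries are authorised against a per-method address under the mbeanserver prefix.
                securityStoreCheck(this.mBeanServerRbacAddressPrefix.concat(name), permissionFrom(name));
            }
        } catch (Exception e) {
            // Any failure is reported as a denial. Only the message is carried over.
            // NOTE(review): the cause is dropped, presumably so remote JMX clients need not
            // have broker exception classes on their classpath - confirm before changing.
            throw new SecurityException(e.getMessage());
        }
    }

    /** Checks every attribute in the list as an individual setter call. */
    private void handleSetAttributes(MBeanServer mBeanServer, ObjectName objectName, AttributeList attributeList) throws Exception {
        for (Attribute attribute : attributeList.asList()) {
            handleSetAttribute(mBeanServer, objectName, attribute);
        }
    }

    /** Checks an attribute write as an invocation of {@code set<AttributeName>}. */
    private void handleSetAttribute(MBeanServer mBeanServer, ObjectName objectName, Attribute attribute) throws Exception {
        // Use the attribute's name only. Concatenating the Attribute itself goes through
        // Attribute.toString() ("name = value"), which would put the caller-supplied value into
        // the RBAC address and let it influence which security-setting match is selected.
        handleInvoke(objectName, "set" + attribute.getName());
    }

    /** Checks every named attribute as an individual getter call. */
    private void handleGetAttributes(MBeanServer mBeanServer, ObjectName objectName, String[] strArr) throws Exception {
        for (String attributeName : strArr) {
            handleGetAttribute(mBeanServer, objectName, attributeName);
        }
    }

    /**
     * Checks an attribute read as an invocation of its getter, using the {@code is} prefix when
     * the MBean metadata declares the attribute that way and {@code get} otherwise.
     */
    private void handleGetAttribute(MBeanServer mBeanServer, ObjectName objectName, String str) throws Exception {
        String prefix = "get";
        for (MBeanAttributeInfo info : mBeanServer.getMBeanInfo(objectName).getAttributes()) {
            if (info.getName().equals(str)) {
                prefix = info.isIs() ? "is" : "get";
                // Stop at the first match; without this the scan never advances past it.
                break;
            }
        }
        handleInvoke(objectName, prefix + str);
    }

    /** Checks an operation call against the address and permission derived from its name. */
    private void handleInvoke(ObjectName objectName, String str) throws Exception {
        securityStoreCheck(addressFrom(objectName, str), permissionFrom(str));
    }

    /**
     * Maps an operation name to the permission it requires.
     *
     * @param str the operation name, may be {@code null}
     * @return {@link CheckType#VIEW} when the name fully matches the configured view pattern,
     *         otherwise {@link CheckType#EDIT} (the stricter default, also used for {@code null})
     */
    CheckType permissionFrom(String str) {
        if (str != null && this.viewPermissionMatcher.matcher(str).matches()) {
            return CheckType.VIEW;
        }
        return CheckType.EDIT;
    }

    /**
     * Removes all double-quote characters from a value that ends with one.
     *
     * @param str the value, may be {@code null}
     * @return the unquoted value, or {@code str} unchanged when it is {@code null} or does not
     *         end with a double quote
     */
    String removeQuotes(String str) {
        if (str == null || !str.endsWith("\"")) {
            return str;
        }
        return str.replace("\"", "");
    }

    /** Builds the RBAC address for an MBean without an operation suffix. */
    SimpleString addressFrom(ObjectName objectName) {
        return addressFrom(objectName, null);
    }

    /**
     * Builds the dot-separated RBAC address that the security store is asked about.
     *
     * <p>The address starts with the RBAC prefix. For names outside the broker's JMX domain the
     * domain and {@code type} key follow; for broker names the {@code component} key is used,
     * with {@code addresses} mapped to {@code address}, {@code divert} or {@code queue} according
     * to the {@code subcomponent} key. The resource name and the operation are appended last.
     * Segments that are {@code null} are omitted.
     *
     * @param objectName the target MBean
     * @param str the operation name, or {@code null} for none
     * @return the assembled address
     */
    SimpleString addressFrom(ObjectName objectName, String str) {
        String name = removeQuotes(objectName.getKeyProperty("name"));
        String component = removeQuotes(objectName.getKeyProperty("component"));
        String type = null;
        SimpleString address = this.rbacPrefix;
        if (!this.brokerDomain.equals(objectName.getDomain())) {
            address = address.concat('.').concat(objectName.getDomain());
            type = removeQuotes(objectName.getKeyProperty("type"));
        } else if (component != null) {
            if ("addresses".equals(component)) {
                component = "address";
                String subcomponent = objectName.getKeyProperty("subcomponent");
                if ("diverts".equals(subcomponent)) {
                    component = "divert";
                } else if ("queues".equals(subcomponent)) {
                    component = "queue";
                }
                // The resource name lives under the key named after the resolved component.
                name = removeQuotes(objectName.getKeyProperty(component));
            }
        } else if (removeQuotes(objectName.getKeyProperty(MetricsManager.BROKER_TAG_NAME)) != null) {
            component = MetricsManager.BROKER_TAG_NAME;
        }
        if (type != null) {
            address = address.concat('.').concat(type);
        }
        if (component != null) {
            address = address.concat('.').concat(component);
        }
        if (name != null) {
            address = address.concat('.').concat(name);
        }
        if (str != null) {
            address = address.concat('.').concat(str);
        }
        return address;
    }

    /**
     * Predicate used to filter query results.
     *
     * @param obj an {@link ObjectInstance} or {@link ObjectName} from a query result
     * @return {@code true} when the entry must be removed because the VIEW check threw
     */
    private boolean viewPermissionCheckFails(Object obj) {
        ObjectName objectName = obj instanceof ObjectInstance ? ((ObjectInstance) obj).getObjectName() : (ObjectName) obj;
        if (isUncheckedDomain(objectName)) {
            return false;
        }
        try {
            securityStoreCheck(addressFrom(objectName), CheckType.VIEW);
            return false;
        } catch (Exception e) {
            // Fail closed: any error during the check hides the entry.
            return true;
        }
    }

    /** Asks the broker's security store to authorise the current caller for the given address. */
    private void securityStoreCheck(SimpleString simpleString, CheckType checkType) throws Exception {
        this.activeMQServer.getSecurityStore().check(simpleString, checkType, this.delegateToAccessController);
    }
}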
