package brooklyn.rest.security.provider;

import brooklyn.config.BrooklynProperties;
import brooklyn.config.StringConfigMap;
import brooklyn.management.ManagementContext;
import brooklyn.rest.BrooklynWebConfig;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.StringTokenizer;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:brooklyn/rest/security/provider/ExplicitUsersSecurityProvider.class */
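/**
 * {@link SecurityProvider} that authenticates web-console users against an explicit user list
 * and per-user passwords read from the management context's configuration.
 *
 * <p>The user list comes from {@link BrooklynWebConfig#USERS}, falling back to the deprecated
 * {@link BrooklynWebConfig#SECURITY_PROVIDER_EXPLICIT__USERS}. It is a comma-separated list of
 * user names; the single value {@code *} admits any user name for which a password is configured.
 * A successful login is recorded by storing the user name in the session under
 * {@link #AUTHENTICATION_KEY}.
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>The submitted password is compared directly with the configured value, so the configured
 *       password is a clear-text secret; protect the properties source accordingly.</li>
 *   <li>This class only sets a session attribute. It does not rotate the session identifier on
 *       login; the calling filter/servlet is presumably responsible for that (verify against the
 *       caller) to avoid session fixation.</li>
 *   <li>User names arrive from the login request and are written to the log, so they are
 *       stripped of control characters first to prevent forged log lines.</li>
 * </ul>
 */
public class ExplicitUsersSecurityProvider implements SecurityProvider {
    public static final Logger LOG = LoggerFactory.getLogger(ExplicitUsersSecurityProvider.class);

    /** Session attribute whose presence marks the session as authenticated; its value is the user name. */
    public static final String AUTHENTICATION_KEY = ExplicitUsersSecurityProvider.class.getCanonicalName() + ".AUTHENTICATED";

    /** Users for which the deprecated-password-key warning has already been logged (warn once per user). */
    private static final Set<String> DEPRECATED_WARNING_EXPLICIT_USERS = Collections.synchronizedSet(new HashSet<String>());

    // Charset.forName is used rather than StandardCharsets because the file's Java level is not visible here.
    private static final Charset UTF_8 = Charset.forName("UTF-8");

    protected final ManagementContext mgmt;
    private boolean allowAnyUserWithValidPass = false;
    // null until initialize() has run; an empty set means "no users may log in".
    private Set<String> allowedUsers = null;

    public ExplicitUsersSecurityProvider(ManagementContext managementContext) {
        this.mgmt = managementContext;
    }

    /**
     * Reports whether the session carries the authentication marker.
     *
     * @param httpSession the session to inspect; may be {@code null}
     * @return {@code true} if the session is non-null and has an {@link #AUTHENTICATION_KEY} attribute
     */
    @Override
    public boolean isAuthenticated(HttpSession httpSession) {
        return httpSession != null && httpSession.getAttribute(AUTHENTICATION_KEY) != null;
    }

    /**
     * Lazily loads the allowed-user configuration. Runs its body once; later calls return
     * immediately because {@code allowedUsers} is then non-null.
     */
    private synchronized void initialize() {
        if (this.allowedUsers != null) {
            return;
        }
        StringConfigMap config = this.mgmt.getConfig();
        Set<String> users = new LinkedHashSet<String>();
        String str = (String) config.getConfig(BrooklynWebConfig.USERS);
        if (str == null) {
            str = (String) config.getConfig(BrooklynWebConfig.SECURITY_PROVIDER_EXPLICIT__USERS);
            if (str != null) {
                LOG.warn("Using deprecated config key {}; use {} instead",
                        BrooklynWebConfig.SECURITY_PROVIDER_EXPLICIT__USERS.getName(),
                        BrooklynWebConfig.USERS.getName());
            }
        }
        if (str == null) {
            LOG.warn("Web console has no users configured; no one will be able to log in!");
            // Publish the empty set so this warning is logged once and authenticate() rejects everyone.
            this.allowedUsers = users;
            return;
        }
        if ("*".equals(str)) {
            LOG.info("Web console allowing any user (so long as valid password is set)");
            this.allowAnyUserWithValidPass = true;
        } else {
            StringTokenizer stringTokenizer = new StringTokenizer(str, ",");
            while (stringTokenizer.hasMoreTokens()) {
                String name = stringTokenizer.nextToken().trim();
                // A whitespace-only entry (e.g. "alice, ,bob") must not register the empty user name.
                if (!name.isEmpty()) {
                    users.add(name);
                }
            }
            LOG.info("Web console allowing users: {}", users);
        }
        // Assign only after the set is fully populated.
        this.allowedUsers = users;
    }

    /**
     * Checks the supplied credentials and, on success, marks the session as authenticated.
     *
     * @param httpSession session to mark; {@code null} is rejected
     * @param str user name from the login request; {@code null} is rejected
     * @param str2 password from the login request; {@code null} never matches
     * @return {@code true} only if the user is allowed, has a configured password, and the
     *         supplied password equals it
     */
    @Override
    public boolean authenticate(HttpSession httpSession, String str, String str2) {
        if (httpSession == null || str == null) {
            return false;
        }
        initialize();
        String safeUser = sanitizeForLog(str);
        if (!this.allowAnyUserWithValidPass && !this.allowedUsers.contains(str)) {
            LOG.info("Web console rejecting unknown user {}", safeUser);
            return false;
        }
        BrooklynProperties config = this.mgmt.getConfig();
        // NOTE(review): in "*" mode the request-supplied user name is fed straight into the
        // config-key factory; confirm it cannot be shaped to address an unrelated config key.
        String str3 = (String) config.getConfig(BrooklynWebConfig.PASSWORD_FOR_USER(str));
        if (str3 == null) {
            str3 = (String) config.getConfig(BrooklynWebConfig.SECURITY_PROVIDER_EXPLICIT__PASSWORD(str));
            if (str3 != null && DEPRECATED_WARNING_EXPLICIT_USERS.add(str)) {
                // Key names embed the user name, so they are sanitized as well.
                LOG.warn("Web console user password set using deprecated property {}; configure using {} instead",
                        sanitizeForLog(BrooklynWebConfig.SECURITY_PROVIDER_EXPLICIT__PASSWORD(str).getName()),
                        sanitizeForLog(BrooklynWebConfig.PASSWORD_FOR_USER(str).getName()));
            }
        }
        if (str3 == null) {
            LOG.warn("Web console rejecting passwordless user {}", safeUser);
            return false;
        }
        if (str2 != null && constantTimeEquals(str3, str2)) {
            return allow(httpSession, str);
        }
        LOG.info("Web console rejecting bad password for user {}", safeUser);
        return false;
    }

    /** Records the successful login by storing the user name under {@link #AUTHENTICATION_KEY}. */
    private boolean allow(HttpSession httpSession, String str) {
        LOG.debug("Web console {} authenticated user {}", getClass().getSimpleName(), sanitizeForLog(str));
        httpSession.setAttribute(AUTHENTICATION_KEY, str);
        return true;
    }

    /**
     * Removes the authentication marker from the session.
     *
     * @param httpSession session to clear; may be {@code null}
     * @return {@code false} if the session is {@code null}, otherwise {@code true}
     */
    @Override
    public boolean logout(HttpSession httpSession) {
        if (httpSession == null) {
            return false;
        }
        httpSession.removeAttribute(AUTHENTICATION_KEY);
        return true;
    }

    /**
     * Compares two secrets so that the time taken does not depend on the position of the first
     * differing character, unlike {@link String#equals(Object)}.
     */
    private static boolean constantTimeEquals(String expected, String actual) {
        return MessageDigest.isEqual(expected.getBytes(UTF_8), actual.getBytes(UTF_8));
    }

    /** Replaces control characters (including CR and LF) so request-supplied text cannot forge log lines. */
    private static String sanitizeForLog(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder cleaned = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            cleaned.append(Character.isISOControl(c) ? '_' : c);
        }
        return cleaned.toString();
    }
}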
