package won.cryptography.activemq;

import java.security.cert.X509Certificate;
import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;
import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.broker.region.Subscription;
import org.apache.activemq.command.ConsumerInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import won.cryptography.ssl.AliasFromFingerprintGenerator;
import won.cryptography.ssl.AliasGenerator;

/* loaded from: input_file:WEB-INF/lib/won-cryptography-0.2.jar:won/cryptography/activemq/CertificateCheckingBrokerFilter.class */
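/**
 * Broker filter that restricts who may consume from destinations whose physical name starts with
 * a configured prefix.
 *
 * <p>For such a destination, the part of the name after the prefix is compared with the alias that
 * {@link AliasGenerator} derives from the first certificate found in the connection's transport
 * context. The consumer is added only if both are equal. Destinations that do not start with the
 * prefix are passed through unchecked.
 *
 * <p>NOTE(review): this filter only compares an alias derived from the presented certificate; it
 * does not validate the certificate itself. It presumably relies on the TLS transport having
 * required client authentication so that the peer has proven possession of the matching private
 * key. Confirm this against the broker's transport configuration.
 */
public class CertificateCheckingBrokerFilter extends BrokerFilter {
    private final String queueNamePrefixToCheck;
    private final AliasGenerator aliasGenerator;
    private final Logger logger;

    /**
     * Creates the filter.
     *
     * @param broker the next broker in the chain, handed to {@link BrokerFilter}
     * @param str prefix of the destination names that are subject to the certificate check
     */
    public CertificateCheckingBrokerFilter(Broker broker, String str) {
        super(broker);
        this.aliasGenerator = new AliasFromFingerprintGenerator();
        this.logger = LoggerFactory.getLogger(getClass());
        this.queueNamePrefixToCheck = str;
    }

    /**
     * Adds a consumer after enforcing the certificate check on protected destinations.
     *
     * @param connectionContext context of the connection that wants to consume
     * @param consumerInfo description of the consumer and its destination
     * @return the subscription created by the next broker in the chain
     * @throws SecurityException if the consumer is not allowed to consume from the destination, or
     *     if the check itself could not be carried out (the failure is attached as the cause)
     * @throws Exception whatever the next broker in the chain throws
     */
    @Override // org.apache.activemq.broker.BrokerFilter, org.apache.activemq.broker.region.Region
    public Subscription addConsumer(ConnectionContext connectionContext, ConsumerInfo consumerInfo) throws Exception {
        assert consumerInfo != null : "ConsumerInfo must not be null";
        assert connectionContext != null : "ConnectionContext must not be null";
        if (shouldCheck(consumerInfo)) {
            boolean allowed;
            try {
                allowed = isOwnerAllowedToConsume(connectionContext, consumerInfo);
            } catch (Exception e) {
                // Fail closed: any error while checking denies access. The cause is kept so that
                // a broken check can be told apart from an ordinary denial when investigating.
                throw new SecurityException("could not perform access control check for consumer " + consumerInfo.getConsumerId() + " and destination " + consumerInfo.getDestination(), e);
            }
            // Thrown outside the try block so that the denial is not re-wrapped and reported as
            // a failed check.
            if (!allowed) {
                throw new SecurityException("consumer " + consumerInfo.getConsumerId() + " not allowed to consume from destination " + consumerInfo.getDestination());
            }
        }
        this.logger.debug("consumer added. destination: {}, consumerId: {}", consumerInfo.getDestination(), consumerInfo.getConsumerId());
        return super.addConsumer(connectionContext, consumerInfo);
    }

    /**
     * Decides whether the connection's certificate matches the owner id encoded in the destination
     * name.
     *
     * @return {@code true} only if the transport context holds an X.509 certificate array whose
     *     first entry yields an alias equal to the destination name without the prefix
     * @throws IllegalArgumentException if the alias cannot be derived from the certificate
     */
    private boolean isOwnerAllowedToConsume(ConnectionContext connectionContext, ConsumerInfo consumerInfo) {
        this.logger.debug("checking if consumer {} is allowed to consume {} ", consumerInfo.getConsumerId(), consumerInfo.getDestination());
        Object transportContext = connectionContext.getConnectionState().getInfo().getTransportContext();
        if (!(transportContext instanceof X509Certificate[])) {
            this.logger.info("denying message consumption to owner transportContext is not an X.509 certificate");
            return false;
        }
        X509Certificate[] certificates = (X509Certificate[]) transportContext;
        // An empty array passes the instanceof test; deny explicitly instead of failing on [0].
        if (certificates.length == 0 || certificates[0] == null) {
            this.logger.info("denying message consumption to owner as transportContext contains no certificate");
            return false;
        }
        String alias;
        try {
            alias = this.aliasGenerator.generateAlias(certificates[0]);
            this.logger.debug("digest value of certificate: {}", alias);
        } catch (Exception e) {
            // Previously this exception was created but never thrown, so execution continued with
            // a null alias and failed later with a NullPointerException.
            throw new IllegalArgumentException("Could not calculate sha-1 of owner certificate", e);
        }
        // shouldCheck() has established that the physical name starts with the prefix.
        String ownerIdSuffix = consumerInfo.getDestination().getPhysicalName().substring(this.queueNamePrefixToCheck.length());
        this.logger.debug("owner id suffix of queue name: {}", ownerIdSuffix);
        if (alias != null && alias.equals(ownerIdSuffix)) {
            this.logger.debug("allowing to consume");
            return true;
        }
        this.logger.info("denying message consumption to owner as public key hash does not equal owner id");
        return false;
    }

    /**
     * Tells whether the consumer's destination is subject to the certificate check, i.e. whether
     * its physical name starts with the configured prefix.
     */
    private boolean shouldCheck(ConsumerInfo consumerInfo) {
        return consumerInfo.getDestination().getPhysicalName().startsWith(this.queueNamePrefixToCheck);
    }
}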
