package org.apache.brooklyn.rest.security.provider;

import java.security.MessageDigest;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.StringTokenizer;
import javax.servlet.http.HttpSession;
import org.apache.brooklyn.api.mgmt.ManagementContext;
import org.apache.brooklyn.config.StringConfigMap;
import org.apache.brooklyn.core.internal.BrooklynProperties;
import org.apache.brooklyn.rest.BrooklynWebConfig;
import org.apache.brooklyn.rest.security.PasswordHasher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/brooklyn/rest/security/provider/ExplicitUsersSecurityProvider.class */
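/**
 * Security provider that authenticates REST users against an explicit allow-list and
 * per-user credentials read from the management context's configuration.
 *
 * <p>The allow-list comes from {@code BrooklynWebConfig.USERS}: either a comma-separated list of
 * user names or the single value {@code "*"}, which admits any user name as long as a credential
 * is configured for it. Credentials are looked up per user, either as a plain-text password or as
 * a SHA-256 hash with an optional salt.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Secret comparisons go through {@link #constantTimeEquals(String, String)} so that the
 *       time taken does not reveal how many leading characters of a guess were correct.</li>
 *   <li>User names arrive from the network before authentication; they are stripped of control
 *       characters before being logged so a crafted name cannot forge log lines.</li>
 *   <li>NOTE(review): the hash path appears to be a single salted SHA-256 (judging by
 *       {@code PasswordHasher.sha256}); a fast hash gives little protection if the configuration
 *       is disclosed. Confirm and consider a dedicated password-hashing scheme.</li>
 * </ul>
 */
public class ExplicitUsersSecurityProvider extends AbstractSecurityProvider implements SecurityProvider {
    public static final Logger LOG = LoggerFactory.getLogger(ExplicitUsersSecurityProvider.class);
    protected final ManagementContext mgmt;
    // True when the configured user list is "*": any user name is accepted, subject to the password check.
    private boolean allowAnyUserWithValidPass;
    // Explicit allow-list of user names; null until initialize() has run.
    private Set<String> allowedUsers = null;

    /**
     * Creates the provider and eagerly loads the allow-list from configuration.
     *
     * @param managementContext source of the REST user and credential configuration
     */
    public ExplicitUsersSecurityProvider(ManagementContext managementContext) {
        this.mgmt = managementContext;
        initialize();
    }

    /**
     * Loads the allow-list once. An unset user list leaves the allow-list empty, so every login
     * is rejected (fail closed).
     */
    private synchronized void initialize() {
        if (this.allowedUsers != null) {
            return;
        }
        StringConfigMap config = this.mgmt.getConfig();
        this.allowedUsers = new LinkedHashSet<>();
        String str = (String) config.getConfig(BrooklynWebConfig.USERS);
        if (str == null) {
            LOG.warn("REST has no users configured; no one will be able to log in!");
            return;
        }
        if ("*".equals(str)) {
            LOG.info("REST allowing any user (so long as valid password is set)");
            this.allowAnyUserWithValidPass = true;
        } else {
            StringTokenizer stringTokenizer = new StringTokenizer(str, ",");
            while (stringTokenizer.hasMoreTokens()) {
                String user = stringTokenizer.nextToken().trim();
                // The tokenizer already drops empty entries ("a,,b"); drop whitespace-only ones
                // too so an empty user name never ends up on the allow-list.
                if (!user.isEmpty()) {
                    this.allowedUsers.add(user);
                }
            }
            LOG.info("REST allowing users: {}", this.allowedUsers);
        }
    }

    /**
     * Authenticates a user for the given session.
     *
     * @param httpSession session to mark as authenticated; {@code null} is rejected
     * @param str user name supplied by the client; {@code null} is rejected
     * @param str2 password supplied by the client
     * @return the result of {@code allow(httpSession, str)} when the user is permitted and the
     *     password matches, otherwise {@code false}
     */
    @Override // org.apache.brooklyn.rest.security.provider.SecurityProvider
    public boolean authenticate(HttpSession httpSession, String str, String str2) {
        if (httpSession == null || str == null) {
            return false;
        }
        if (!this.allowAnyUserWithValidPass && !this.allowedUsers.contains(str)) {
            if (LOG.isDebugEnabled()) {
                // The name is unauthenticated input: neutralise control characters before logging.
                LOG.debug("REST rejecting unknown user {}", sanitizeForLog(str));
            }
            return false;
        }
        if (checkExplicitUserPassword(this.mgmt, str, str2)) {
            return allow(httpSession, str);
        }
        return false;
    }

    /**
     * Checks a supplied password against the credentials configured for a user.
     *
     * @param managementContext source of the per-user credential configuration
     * @param str user name whose credentials are looked up
     * @param str2 password supplied by the client
     * @return {@code true} only if a credential is configured for the user and the password matches
     */
    public static boolean checkExplicitUserPassword(ManagementContext managementContext, String str, String str2) {
        BrooklynProperties config = managementContext.getConfig();
        String expectedPassword = (String) config.getConfig(BrooklynWebConfig.PASSWORD_FOR_USER(str));
        String expectedSha256 = (String) config.getConfig(BrooklynWebConfig.SHA256_FOR_USER(str));
        String salt = (String) config.getConfig(BrooklynWebConfig.SALT_FOR_USER(str));
        return checkPassword(str2, expectedPassword, expectedSha256, salt);
    }

    /**
     * Compares a supplied password with the configured credential.
     *
     * <p>A configured plain-text password takes precedence: when it is present the hash is never
     * consulted. With neither credential configured the check fails.
     *
     * @param str password supplied by the client; {@code null} never authenticates
     * @param str2 configured plain-text password, or {@code null}
     * @param str3 configured SHA-256 value, compared case-sensitively, or {@code null}
     * @param str4 salt passed to {@code PasswordHasher.sha256}, may be {@code null}
     * @return {@code true} if the supplied password matches the configured credential
     */
    public static boolean checkPassword(String str, String str2, String str3, String str4) {
        if (str == null) {
            // A missing password must never match. This also avoids handing null to
            // PasswordHasher.sha256, whose null handling is not visible from this class.
            return false;
        }
        if (str2 != null) {
            return constantTimeEquals(str2, str);
        }
        if (str3 != null) {
            return constantTimeEquals(str3, PasswordHasher.sha256(str4, str));
        }
        return false;
    }

    /**
     * Compares two strings without short-circuiting on the first differing character.
     *
     * <p>Gives the same answer as {@code expected.equals(actual)}; only the timing behaviour
     * differs. The length of the values may still be observable.
     *
     * @return {@code false} if either argument is {@code null}
     */
    private static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(toUtf16Bytes(expected), toUtf16Bytes(actual));
    }

    /**
     * Encodes each {@code char} as two bytes. Unlike {@code String.getBytes}, this never replaces
     * unpaired surrogates, so distinct strings always yield distinct byte arrays.
     */
    private static byte[] toUtf16Bytes(String value) {
        byte[] out = new byte[value.length() * 2];
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            out[2 * i] = (byte) (c >>> 8);
            out[2 * i + 1] = (byte) c;
        }
        return out;
    }

    /** Replaces ASCII control characters (including CR and LF) so the value stays on one log line. */
    private static String sanitizeForLog(String value) {
        return value.replaceAll("\\p{Cntrl}", "_");
    }

    /**
     * Indicates that this provider needs a user name and password to authenticate.
     *
     * @return always {@code true}
     */
    @Override // org.apache.brooklyn.rest.security.provider.SecurityProvider
    public boolean requiresUserPass() {
        return true;
    }
}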
