package org.forgerock.openam.entitlement.conditions.environment;

import com.sun.identity.entitlement.ConditionDecision;
import com.sun.identity.entitlement.EntitlementConditionAdaptor;
import com.sun.identity.entitlement.EntitlementException;
import com.sun.identity.entitlement.PrivilegeManager;
import com.sun.identity.shared.debug.Debug;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import org.forgerock.openam.sdk.org.json.JSONArray;
import org.forgerock.openam.sdk.org.json.JSONException;
import org.forgerock.openam.sdk.org.json.JSONObject;
import org.forgerock.openam.utils.CollectionUtils;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.0.jar:org/forgerock/openam/entitlement/conditions/environment/OAuth2ScopeCondition.class */
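/**
 * Entitlement condition that is satisfied only when the OAuth2 scopes presented in the
 * request environment include every scope listed in {@code requiredScopes}.
 *
 * <p>The request scopes are read from the {@value #REQUEST_SCOPE_ATTRIBUTE} entry of the
 * environment map as a single whitespace-delimited string. Each token must match
 * {@code VALID_SCOPE_PATTERN}; a malformed token makes the whole evaluation deny.
 *
 * <p>The condition fails closed. If no required scopes are configured (for example because
 * {@link #setState(String)} could not parse its input), {@link #evaluate} denies rather than
 * treating the empty requirement as satisfied.
 */
public class OAuth2ScopeCondition extends EntitlementConditionAdaptor {
    /** Key of the environment-map entry that carries the request's scope string. */
    public static final String REQUEST_SCOPE_ATTRIBUTE = "scope";

    /** Regex used to split the request scope string into individual scope tokens. */
    private static final String SCOPE_DELIMITERS = "\\s+";

    /**
     * Printable ASCII except space, double quote (0x22) and backslash (0x5C), one or more
     * characters. This is the scope-token character set of RFC 6749 section 3.3.
     */
    private static final Pattern VALID_SCOPE_PATTERN = Pattern.compile("[\\x21\\x23-\\x5B\\x5D-\\x7E]+");

    /** JSON property under which the required scopes are serialised. */
    private static final String ATTR_SCOPES = "requiredScopes";

    // Replaced wholesale rather than mutated in place, so a reader holding the volatile
    // reference never observes a half-populated set.
    private volatile Set<String> requiredScopes = new HashSet<String>();
    private final Debug debug = PrivilegeManager.debug;

    /**
     * Restores this condition from its JSON representation.
     *
     * <p>The scopes are collected into a fresh set and published only after the whole array
     * has been read. A parse failure therefore leaves the previous scopes untouched, and
     * repeated calls replace the scopes instead of accumulating them.
     *
     * @param str JSON text containing a {@code requiredScopes} array
     */
    @Override // com.sun.identity.entitlement.EntitlementCondition
    public void setState(String str) {
        try {
            JSONObject json = new JSONObject(str);
            setState(json);
            JSONArray scopeArray = json.getJSONArray(ATTR_SCOPES);
            Set<String> parsed = new HashSet<String>();
            for (int i = 0; i < scopeArray.length(); i++) {
                parsed.add(scopeArray.getString(i));
            }
            this.requiredScopes = parsed;
        } catch (JSONException e) {
            // A policy condition that cannot be loaded is an operational fault, so it is
            // logged at error level; evaluate() denies while no scopes are configured.
            this.debug.error("OAuth2ScopeCondition: Failed to set state", e);
        }
    }

    /**
     * Returns the serialised state of this condition.
     *
     * @return the same JSON text as {@link #toString()}; {@code null} if serialisation failed
     */
    @Override // com.sun.identity.entitlement.EntitlementCondition
    public String getState() {
        return toString();
    }

    /**
     * Decides whether the request's scopes cover all required scopes.
     *
     * <p>Only the first value of the {@value #REQUEST_SCOPE_ATTRIBUTE} entry is examined;
     * any further values in that set are ignored.
     *
     * @param str not read by this implementation
     * @param subject not read by this implementation
     * @param str2 not read by this implementation
     * @param map request environment; may be {@code null}
     * @return a decision that is satisfied only if every required scope is present in the
     *     request; always carries an empty advice map
     * @throws EntitlementException declared by the interface; invalid request scopes are
     *     caught here and result in a denial instead
     */
    @Override // com.sun.identity.entitlement.EntitlementCondition
    public ConditionDecision evaluate(String str, Subject subject, String str2, Map<String, Set<String>> map) throws EntitlementException {
        // Read the volatile field once so the check and the comparison use the same set.
        Set<String> required = this.requiredScopes;
        Set<String> scopeValues = map == null ? null : map.get(REQUEST_SCOPE_ATTRIBUTE);
        if (this.debug.messageEnabled()) {
            // NOTE(review): the request scope value is caller-supplied and is logged unsanitised here.
            this.debug.message("Entering OAuth2ScopeCondition.getConditionDecision(). Required scopes=" + required + ". Request scopes=" + (map == null ? "<missing>" : scopeValues));
        }
        String requestScope = "";
        if (scopeValues != null && !scopeValues.isEmpty()) {
            requestScope = scopeValues.iterator().next();
        }
        boolean allowed = false;
        if (required == null || required.isEmpty()) {
            // containsAll() of an empty collection is true, which would satisfy the condition
            // for any well-formed scope. validate() rejects this state, so deny instead.
            if (this.debug.messageEnabled()) {
                this.debug.message("OAuth2ScopeCondition: no required scopes configured, denying");
            }
        } else {
            try {
                allowed = toScopeSet(requestScope).containsAll(required);
            } catch (EntitlementException e) {
                if (this.debug.messageEnabled()) {
                    this.debug.message("Invalid scope in request: " + e.getMessage(), e);
                }
            }
        }
        if (this.debug.messageEnabled()) {
            this.debug.message("OAuth2ScopeCondition decision: " + allowed);
        }
        return new ConditionDecision(allowed, Collections.<String, Set<String>>emptyMap());
    }

    /**
     * Splits a whitespace-delimited scope string into an ordered set of scope tokens.
     *
     * <p>An empty string, or one with leading whitespace, yields an empty first token and is
     * rejected like any other malformed token.
     *
     * @param str scope string; {@code null} yields an empty set
     * @return the tokens in encounter order, without duplicates
     * @throws EntitlementException if any token does not match {@code VALID_SCOPE_PATTERN}
     */
    private Set<String> toScopeSet(String str) throws EntitlementException {
        Set<String> scopes = new LinkedHashSet<String>();
        if (str == null) {
            return scopes;
        }
        for (String token : str.split(SCOPE_DELIMITERS)) {
            String trimmed = token.trim();
            if (!VALID_SCOPE_PATTERN.matcher(trimmed).matches()) {
                if (this.debug.errorEnabled()) {
                    // Tokens come from a whitespace split, so they cannot carry CR/LF into
                    // the log line; other non-printable characters are not filtered.
                    this.debug.error("OAuth2ScopeCondition.toScopeSet(): invalid OAuth2 scope, " + token);
                }
                throw new EntitlementException(EntitlementException.INVALID_OAUTH2_SCOPE, token);
            }
            scopes.add(trimmed);
        }
        return scopes;
    }

    /**
     * Builds the JSON form of this condition: the superclass properties plus a
     * {@code requiredScopes} array. A {@code null} scope set is written as an empty array.
     *
     * @return the populated JSON object
     * @throws JSONException if a property cannot be written
     */
    private JSONObject toJSONObject() throws JSONException {
        JSONObject json = new JSONObject();
        toJSONObject(json);
        JSONArray scopeArray = new JSONArray();
        Set<String> required = this.requiredScopes;
        if (required != null) {
            for (String scope : required) {
                scopeArray.put(scope);
            }
        }
        json.put(ATTR_SCOPES, scopeArray);
        return json;
    }

    /**
     * Returns this condition as JSON text indented by two spaces.
     *
     * @return the JSON text, or {@code null} if serialisation failed (the failure is logged)
     */
    @Override
    public String toString() {
        String json = null;
        try {
            json = toJSONObject().toString(2);
        } catch (JSONException e) {
            PrivilegeManager.debug.error("OAuth2ScopeCondition.toString()", e);
        }
        return json;
    }

    /**
     * Returns the scopes a request must present.
     *
     * @return the live internal set, not a copy; changes made through it alter the policy
     */
    public Set<String> getRequiredScopes() {
        return this.requiredScopes;
    }

    /**
     * Replaces the scopes a request must present.
     *
     * @param set the new scopes; stored by reference and not checked here, so callers
     *     should invoke {@link #validate()} afterwards
     */
    public void setRequiredScopes(Set<String> set) {
        this.requiredScopes = set;
    }

    /**
     * Checks that at least one required scope is configured and that every configured
     * scope is a well-formed scope token.
     *
     * <p>NOTE(review): the check trims each scope before matching but the stored value is
     * not trimmed, so a scope saved with surrounding whitespace passes here yet can never
     * equal a request token in {@link #evaluate}.
     *
     * @throws EntitlementException if no scopes are defined, or a scope is {@code null} or
     *     does not match {@code VALID_SCOPE_PATTERN}
     */
    @Override // com.sun.identity.entitlement.EntitlementCondition
    public void validate() throws EntitlementException {
        Set<String> required = this.requiredScopes;
        if (required == null || required.isEmpty()) {
            throw new EntitlementException(EntitlementException.PROPERTY_VALUE_NOT_DEFINED, ATTR_SCOPES);
        }
        for (String scope : required) {
            // A null element is reported as an invalid scope instead of surfacing as a NullPointerException.
            if (scope == null || !VALID_SCOPE_PATTERN.matcher(scope.trim()).matches()) {
                throw new EntitlementException(EntitlementException.INVALID_OAUTH2_SCOPE, scope);
            }
        }
    }

    /**
     * Two conditions are equal when the superclass considers them equal, they are of the
     * same class, and their required scopes compare equal.
     */
    @Override // com.sun.identity.entitlement.EntitlementConditionAdaptor
    public boolean equals(Object obj) {
        // NOTE(review): relies on super.equals() returning false for null before obj.getClass() is reached.
        if (super.equals(obj) && getClass().equals(obj.getClass())) {
            return CollectionUtils.genericCompare(this.requiredScopes, ((OAuth2ScopeCondition) obj).requiredScopes);
        }
        return false;
    }

    /** Combines the superclass hash with the hash of the required scopes, when present. */
    @Override // com.sun.identity.entitlement.EntitlementConditionAdaptor
    public int hashCode() {
        int result = super.hashCode();
        Set<String> required = this.requiredScopes;
        if (required != null) {
            result = (31 * result) + required.hashCode();
        }
        return result;
    }
}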
