package com.sun.identity.delegation;

import com.iplanet.am.util.SystemProperties;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.common.DNUtils;
import com.sun.identity.delegation.interfaces.DelegationInterface;
import com.sun.identity.entitlement.Entitlement;
import com.sun.identity.entitlement.EntitlementException;
import com.sun.identity.entitlement.Evaluator;
import com.sun.identity.entitlement.opensso.SubjectUtils;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdType;
import com.sun.identity.policy.PolicyManager;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.shared.Constants;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.sm.DNMapper;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.forgerock.openam.entitlement.PolicyConstants;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.0.jar:com/sun/identity/delegation/DelegationEvaluatorImpl.class */
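/**
 * Default {@link DelegationEvaluator}: decides whether the holder of an SSO token may
 * exercise a {@link DelegationPermission}.
 *
 * <p>Three built-in identities bypass policy evaluation entirely: the admin-token holder
 * ({@link #privilegedUser}), the configured super user ({@link #adminUserId}), and, while
 * the server runs in admin mode ({@code AdminTokenAction.AMADMIN_MODE}), any principal
 * whose normalized DN is in {@link #adminUserSet}. Every other caller is checked either by
 * the delegation plugin or, on request, directly against the {@code sunAMDelegationService}
 * policies of the delegation realm.
 *
 * <p>Note: {@link #installTime} is read once when the class loads; changing the property
 * afterwards has no effect on an already-loaded evaluator.
 */
public class DelegationEvaluatorImpl implements DelegationEvaluator {

    /** Identity of the admin token holder; always allowed. Set in the static initializer. */
    private static AMIdentity privilegedUser;

    /** Identity of the configured super user ({@code Constants.AUTHENTICATION_SUPER_USER}), or null. */
    static AMIdentity adminUserId;

    /** Delegation plugin, resolved lazily via {@link #getPlugin()}. */
    private DelegationInterface pluginInstance = null;

    static final Debug debug = DelegationManager.debug;

    /** True when the server was started in admin mode; enables the DN-based bypass below. */
    private static final boolean installTime =
            Boolean.parseBoolean(SystemProperties.get(AdminTokenAction.AMADMIN_MODE, "false"));

    /** Normalized DNs that are allowed unconditionally while {@link #installTime} is true. */
    static Set<String> adminUserSet = new HashSet<String>();

    public DelegationEvaluatorImpl() {
        if (debug.messageEnabled()) {
            debug.message("Instantiated a DelegationEvaluator.");
        }
    }

    /**
     * Checks a permission, optionally evaluating it directly against the entitlement engine.
     *
     * @param sSOToken             the caller's token; null is treated as a deny
     * @param delegationPermission the permission being requested; null is treated as a deny
     * @param map                  environment passed through to the evaluator or plugin
     * @param z                    when true, evaluate the {@code sunAMDelegationService}
     *                             policies in the delegation realm instead of asking the plugin
     * @return true if the caller is a built-in administrator or every action of the
     *         permission is granted
     * @throws SSOException        if the token is invalid
     * @throws DelegationException if identity lookup or entitlement evaluation fails
     */
    @Override
    public boolean isAllowed(SSOToken sSOToken, DelegationPermission delegationPermission, Map map, boolean z)
            throws SSOException, DelegationException {
        // Same contract as the 3-arg overload: missing inputs deny rather than throw.
        if (sSOToken == null || delegationPermission == null) {
            return false;
        }
        try {
            AMIdentity requester = new AMIdentity(sSOToken);
            if (isSuperUser(sSOToken, requester)) {
                return true;
            }
            if (!z) {
                return isAllowed(sSOToken, delegationPermission, map);
            }
            String resource = buildResourceName(delegationPermission);
            try {
                // Policies are evaluated as the super-admin subject but for the caller's subject,
                // always in the dedicated delegation realm rather than the permission's realm.
                Evaluator evaluator = new Evaluator(PolicyConstants.SUPER_ADMIN_SUBJECT, "sunAMDelegationService");
                List<Entitlement> entitlements = evaluator.evaluate(
                        DNMapper.orgNameToDN(PolicyManager.DELEGATION_REALM),
                        SubjectUtils.createSubject(sSOToken), resource, map, true);
                return allActionsGranted(entitlements, delegationPermission.getActions());
            } catch (EntitlementException e) {
                debug.error("DelegationEvaluator.isAllowed", e);
                throw new DelegationException(e);
            }
        } catch (IdRepoException e) {
            // Keep the cause; the message alone loses the repository error context.
            throw new DelegationException(e);
        }
    }

    /**
     * Checks a permission through the delegation plugin (after the built-in administrator
     * short-circuits).
     *
     * @param sSOToken             the caller's token; null yields false
     * @param delegationPermission the permission being requested; null yields false
     * @param map                  environment passed through to the plugin
     * @return the plugin's decision, or true for a built-in administrator
     * @throws SSOException        if the token is invalid
     * @throws DelegationException if no plugin is configured or identity lookup fails
     */
    @Override
    public boolean isAllowed(SSOToken sSOToken, DelegationPermission delegationPermission, Map map)
            throws SSOException, DelegationException {
        boolean allowed = false;
        if (delegationPermission != null && sSOToken != null) {
            try {
                AMIdentity requester = new AMIdentity(sSOToken);
                if (isSuperUser(sSOToken, requester)) {
                    allowed = true;
                } else {
                    allowed = getPlugin().isAllowed(sSOToken, delegationPermission, map);
                }
            } catch (IdRepoException e) {
                throw new DelegationException(e);
            }
        }
        if (debug.messageEnabled()) {
            // A null token is a legitimate (denied) input above, so it must not be dereferenced here.
            String principal = sSOToken == null ? null : sSOToken.getPrincipal().getName();
            debug.message("isAllowed() returns " + allowed + " for user:token.getPrincipal().getName() " + principal + " for permission " + delegationPermission);
        }
        return allowed;
    }

    /**
     * Returns the caller's delegation permissions for the realm named {@code str}
     * (an organization name, converted to a DN for the plugin).
     *
     * <p>The plugin is resolved on first use, exactly as in {@link #isAllowed}, so this
     * method no longer fails when it happens to be the first call on the evaluator.
     *
     * @throws DelegationException if no delegation plugin is configured
     */
    public Set getPermissions(SSOToken sSOToken, String str) throws SSOException, DelegationException {
        return getPlugin().getPermissions(sSOToken, DNMapper.orgNameToDN(str));
    }

    /**
     * Returns the delegation plugin, looking it up on first use.
     *
     * NOTE(review): the lazy initialization is unsynchronized; concurrent first calls may
     * each perform the lookup. Left as in the original pending confirmation that the
     * lookup is idempotent.
     */
    private DelegationInterface getPlugin() throws DelegationException {
        if (this.pluginInstance == null) {
            this.pluginInstance = DelegationManager.getDelegationPlugin();
            if (this.pluginInstance == null) {
                throw new DelegationException(ResBundleUtils.rbName, "no_plugin_specified", null, null);
            }
        }
        return this.pluginInstance;
    }

    /**
     * True when the caller is one of the built-in identities that bypass delegation checks:
     * the admin-token holder, a DN in {@link #adminUserSet} (admin mode only), or the
     * configured super user. Checked in that order in both {@code isAllowed} overloads.
     */
    private static boolean isSuperUser(SSOToken token, AMIdentity identity) throws SSOException {
        if (privilegedUser != null && identity.equals(privilegedUser)) {
            return true;
        }
        // In admin mode the match is on the principal's DN string, not on the identity.
        if (installTime && adminUserSet.contains(DNUtils.normalizeDN(token.getPrincipal().getName()))) {
            return true;
        }
        return identity.equals(adminUserId);
    }

    /**
     * Builds the entitlement resource name for a permission:
     * {@code sms://<org>/<service>/<version>/<configType>/<subConfigName>}, where each
     * null part (and its trailing slash) is omitted.
     */
    private static String buildResourceName(DelegationPermission permission) {
        StringBuilder resource = new StringBuilder("sms://");
        appendSegment(resource, permission.getOrganizationName());
        appendSegment(resource, permission.getServiceName());
        appendSegment(resource, permission.getVersion());
        appendSegment(resource, permission.getConfigType());
        if (permission.getSubConfigName() != null) {
            resource.append(permission.getSubConfigName());
        }
        return resource.toString();
    }

    /** Appends {@code segment} plus a separator when it is non-null. */
    private static void appendSegment(StringBuilder resource, String segment) {
        if (segment != null) {
            resource.append(segment).append('/');
        }
    }

    /**
     * True once every requested action has been granted by some entitlement. Grants
     * accumulate across entitlements, so the actions may be satisfied by several of them;
     * with no entitlements at all the result is false even for an empty action set.
     */
    @SuppressWarnings("unchecked") // DelegationPermission.getActions() is a raw Set
    private static boolean allActionsGranted(List<Entitlement> entitlements, Set actions) {
        List<String> outstanding = new ArrayList<String>(actions);
        for (Entitlement entitlement : entitlements) {
            // Iterate backwards so removal does not disturb the indices still to visit.
            for (int i = outstanding.size() - 1; i >= 0; i--) {
                if (Boolean.TRUE.equals(entitlement.getActionValue(outstanding.get(i)))) {
                    outstanding.remove(i);
                }
            }
            if (outstanding.isEmpty()) {
                return true;
            }
        }
        return false;
    }

    static {
        // Register the configured super user so it bypasses policy evaluation.
        try {
            String superUser = SystemProperties.get(Constants.AUTHENTICATION_SUPER_USER);
            if (superUser != null) {
                adminUserSet.add(DNUtils.normalizeDN(superUser));
                adminUserId = new AMIdentity(DelegationManager.getAdminToken(), superUser, IdType.USER, "/", (String) null);
            }
        } catch (Exception e) {
            // Best-effort: on failure the super-user shortcut simply stays unavailable.
            debug.error("DelegationEvaluator:", e);
        }
        SMServiceListener.getInstance().registerForNotifications();
        try {
            privilegedUser = new AMIdentity(DelegationManager.getAdminToken());
        } catch (Exception e) {
            // Best-effort for the same reason as above.
            debug.error("DelegationEvaluator:", e);
        }
    }
}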
