package com.sun.identity.entitlement;

import com.sun.identity.entitlement.interfaces.IThreadPool;
import com.sun.identity.shared.debug.Debug;
import java.security.Principal;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.locks.Condition;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import javax.security.auth.Subject;
import org.forgerock.openam.entitlement.PolicyConstants;
import org.forgerock.openam.entitlement.PrivilegeEvaluatorContext;
import org.forgerock.openam.entitlement.utils.EntitlementUtils;
import org.forgerock.openam.session.util.AppTokenHandler;
import org.forgerock.openam.utils.CollectionUtils;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.0.jar:com/sun/identity/entitlement/PrivilegeEvaluator.class */
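/**
 * Evaluates the privileges (policies) that apply to a subject, resource and
 * action set within a realm, and combines the individual decisions through the
 * application's {@link EntitlementCombiner}.
 *
 * <p>An instance carries the state of one evaluation: the request parameters,
 * the queue of partial results and the first {@link EntitlementException}
 * reported by a task. Neither {@code resultQ} nor {@code eException} is reset
 * anywhere in this class, so an instance should serve a single evaluation.
 *
 * <p>The first {@link #TASKS_PER_THREAD} privileges are evaluated on the calling
 * thread; any further privileges are handed to the shared pool in batches of
 * the same size. In threaded mode every access to {@code resultQ} and
 * {@code eException} is made while holding {@code lock}.
 */
public class PrivilegeEvaluator {
    private Subject adminSubject;
    private Subject subject;
    private String applicationName;
    private String normalisedResourceName;
    private String requestedResourceName;
    private Map<String, Set<String>> envParameters;
    private ResourceSearchIndexes indexes;
    private Application application;
    private Set<String> actionNames;
    private EntitlementCombiner entitlementCombiner;
    private boolean recursive;
    // First evaluation failure reported by any task; rethrown by evaluate(String).
    private EntitlementException eException;
    private static int evalThreadSize;
    // Number of privileges evaluated inline and size of each batch sent to the pool.
    private static final int TASKS_PER_THREAD = 5;
    private static final IThreadPool threadPool;
    private static final boolean isMultiThreaded;
    private String realm = "/";
    // Partial decisions produced by tasks, waiting to be fed to the combiner.
    private List<List<Entitlement>> resultQ = new LinkedList<>();
    private final Lock lock = new ReentrantLock();
    private final Condition hasResults = this.lock.newCondition();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.0.jar:com/sun/identity/entitlement/PrivilegeEvaluator$PrivilegeTask.class */
    /**
     * Evaluates one batch of privileges and publishes each non-null decision
     * list to the parent evaluator's result queue.
     */
    public class PrivilegeTask implements Runnable {
        final PrivilegeEvaluator parent;
        private final Set<IPrivilege> privileges;
        private final boolean isThreaded;
        private final Object context;
        private final PrivilegeEvaluatorContext ctx;

        /**
         * @param privilegeEvaluator evaluator whose request state and result queue are used
         * @param set privileges to evaluate in this task
         * @param z {@code true} when results must be published under the parent's lock
         * @param obj opaque context forwarded to {@code IPrivilege.evaluate}
         * @param privilegeEvaluatorContext context installed as current before evaluating
         */
        PrivilegeTask(PrivilegeEvaluator privilegeEvaluator, Set<IPrivilege> set, boolean z, Object obj, PrivilegeEvaluatorContext privilegeEvaluatorContext) {
            this.parent = privilegeEvaluator;
            this.privileges = set;
            this.isThreaded = z;
            this.context = obj;
            this.ctx = privilegeEvaluatorContext;
        }

        /**
         * Evaluates every privilege of the batch. An {@link EntitlementException}
         * stops the batch and is recorded on the parent so that the caller of
         * the evaluation can rethrow it.
         */
        @Override // java.lang.Runnable
        public void run() {
            PrivilegeEvaluatorContext.setCurrent(this.ctx);
            try {
                for (IPrivilege privilege : this.privileges) {
                    List<Entitlement> decisions = privilege.evaluate(this.parent.adminSubject, this.parent.realm, this.parent.subject, this.parent.applicationName, this.parent.normalisedResourceName, this.parent.requestedResourceName, this.parent.actionNames, this.parent.envParameters, this.parent.recursive, this.context);
                    if (decisions == null) {
                        continue;
                    }
                    if (this.isThreaded) {
                        // Acquire outside the try so the finally only ever
                        // releases a lock this thread really holds.
                        this.parent.lock.lock();
                        try {
                            this.parent.resultQ.add(decisions);
                            this.parent.hasResults.signal();
                        } finally {
                            this.parent.lock.unlock();
                        }
                    } else {
                        this.parent.resultQ.add(decisions);
                    }
                }
                // NOTE(review): an unchecked exception from evaluate() is not
                // recorded in eException; confirm the pool reports it, since a
                // waiting evaluator only learns about failures through that field.
            } catch (EntitlementException e) {
                if (!this.isThreaded) {
                    this.parent.eException = e;
                    return;
                }
                // Release exactly once: unlocking a second time would raise
                // IllegalMonitorStateException and hide the policy error.
                this.parent.lock.lock();
                try {
                    this.parent.eException = e;
                    this.parent.hasResults.signal();
                } finally {
                    this.parent.lock.unlock();
                }
            }
        }
    }

    /**
     * Stores the request parameters and prepares the entitlement combiner.
     *
     * @throws EntitlementException if the application cannot be resolved
     */
    private void init(Subject adminSubject, Subject subject, String realm, String applicationName, String normalisedResourceName, String requestedResourceName, Set<String> actions, Map<String, Set<String>> envParameters, boolean recursive) throws EntitlementException {
        this.adminSubject = adminSubject;
        this.subject = subject;
        this.realm = realm;
        this.applicationName = applicationName;
        this.normalisedResourceName = normalisedResourceName;
        this.requestedResourceName = requestedResourceName;
        this.envParameters = envParameters;
        // Private copy, so later changes to the caller's set cannot alter the
        // actions being evaluated.
        this.actionNames = new HashSet<>();
        if (CollectionUtils.isNotEmpty(actions)) {
            this.actionNames.addAll(actions);
        }
        this.entitlementCombiner = getApplication().getEntitlementCombiner();
        this.entitlementCombiner.init(realm, applicationName, normalisedResourceName, requestedResourceName, this.actionNames, recursive);
        this.recursive = recursive;
        if (PolicyConstants.DEBUG.messageEnabled()) {
            Debug debug = PolicyConstants.DEBUG;
            debug.message("[PolicyEval] PrivilegeEvaluator:init()");
            debug.message("[PolicyEval] subject: " + getPrincipalId(subject));
            debug.message("[PolicyEval] realm: " + realm);
            debug.message("[PolicyEval] applicationName: " + applicationName);
            debug.message("[PolicyEval] normalisedResourceName: " + this.normalisedResourceName);
            debug.message("[PolicyEval] requestedResourceName: " + this.requestedResourceName);
            debug.message("[PolicyEval] actions: " + this.actionNames);
            if (envParameters != null && !envParameters.isEmpty()) {
                // NOTE(review): environment parameters are written verbatim to
                // the debug log; confirm callers never place secrets in them.
                debug.message("[PolicyEval] envParameters: " + envParameters.toString());
            }
        }
    }

    /**
     * Returns the name of the first principal of the subject, for logging only.
     *
     * @return {@code ""} for a null subject, {@code null} when the subject has
     *         no principals, otherwise the first principal's name
     */
    private static String getPrincipalId(Subject subject) {
        if (subject == null) {
            return "";
        }
        Set<Principal> principals = subject.getPrincipals();
        if (principals == null || principals.isEmpty()) {
            return null;
        }
        return principals.iterator().next().getName();
    }

    /**
     * Checks whether the subject is granted every action named in the entitlement.
     *
     * @param str realm in which the policies are evaluated
     * @param subject administrator subject used to read the policy store
     * @param subject2 subject whose access is being decided
     * @param str2 application name
     * @param entitlement requested resource and actions
     * @param map environment parameters of the request
     * @return {@code true} only if every requested action evaluates to
     *         {@code Boolean.TRUE}; a missing or false value denies
     * @throws EntitlementException if evaluation fails
     */
    public boolean hasEntitlement(String str, Subject subject, Subject subject2, String str2, Entitlement entitlement, Map<String, Set<String>> map) throws EntitlementException {
        init(subject, subject2, str, str2, entitlement.getResourceName(), entitlement.getRequestedResourceName(), entitlement.getActionValues().keySet(), map, false);
        entitlement.setApplicationName(str2);
        this.indexes = entitlement.getResourceSearchIndexes(subject, str);
        List<Entitlement> results = evaluate(str);
        if (results == null || results.isEmpty()) {
            // Fail closed: no combined decision means no grant.
            return false;
        }
        Entitlement decision = results.get(0);
        // NOTE(review): an entitlement without any action name yields true
        // here because there is nothing to deny; confirm that is intended.
        for (String action : entitlement.getActionValues().keySet()) {
            Boolean allowed = decision.getActionValue(action);
            if (allowed == null || !allowed.booleanValue()) {
                return false;
            }
        }
        return true;
    }

    /**
     * Evaluates the policies that apply to a resource and returns the combined decisions.
     *
     * @param str realm in which the policies are evaluated
     * @param subject administrator subject used to read the policy store
     * @param subject2 subject whose access is being decided
     * @param str2 application name
     * @param str3 normalised resource name
     * @param str4 resource name as requested
     * @param map environment parameters of the request
     * @param z {@code true} to evaluate recursively
     * @return the results produced by the entitlement combiner
     * @throws EntitlementException if evaluation fails
     */
    public List<Entitlement> evaluate(String str, Subject subject, Subject subject2, String str2, String str3, String str4, Map<String, Set<String>> map, boolean z) throws EntitlementException {
        init(subject, subject2, str, str2, str3, str4, null, map, z);
        this.indexes = getApplication().getResourceSearchIndex(str3, str);
        return evaluate(str);
    }

    /**
     * Searches the privilege index, evaluates the matching privileges inline
     * and on the pool, and combines their decisions. {@code ReferralPrivilege}
     * instances are skipped.
     *
     * @throws EntitlementException the first failure recorded by any task
     */
    private List<Entitlement> evaluate(String realm) throws EntitlementException {
        Debug debug = PolicyConstants.DEBUG;
        Iterator<IPrivilege> search = PrivilegeIndexStore.getInstance(this.adminSubject, realm).search(realm, this.indexes, SubjectAttributesManager.getInstance(this.adminSubject, realm).getSubjectSearchFilter(this.subject, this.applicationName), this.recursive);
        int totalCount = 0;
        // First batch: evaluated on the calling thread once the rest is submitted.
        Set<IPrivilege> localBatch = new HashSet<>(10);
        while (totalCount < TASKS_PER_THREAD && search.hasNext()) {
            IPrivilege privilege = search.next();
            if (!(privilege instanceof ReferralPrivilege)) {
                if (debug.messageEnabled()) {
                    debug.message("[PolicyEval] PolicyEvaluator.evaluate");
                    debug.message("[PolicyEval] search result: privilege=" + privilege.getName());
                }
                localBatch.add(privilege);
                totalCount++;
            }
        }
        PrivilegeEvaluatorContext evaluatorContext = new PrivilegeEvaluatorContext(realm, this.normalisedResourceName, this.applicationName);
        // Taken once on the calling thread and handed to every task.
        Object appContext = AppTokenHandler.getAndClear();
        Set<IPrivilege> pooledBatch = new HashSet<>(10);
        boolean hasMore = false;
        while (search.hasNext()) {
            hasMore = true;
            IPrivilege privilege = search.next();
            if (!(privilege instanceof ReferralPrivilege)) {
                if (debug.messageEnabled()) {
                    debug.message("[PolicyEval] PolicyEvaluator.evaluate");
                    debug.message("[PolicyEval] search result: privilege=" + privilege.getName());
                }
                pooledBatch.add(privilege);
                totalCount++;
                if (pooledBatch.size() == TASKS_PER_THREAD) {
                    // Submit a copy: the working set is cleared and reused.
                    threadPool.submit(new PrivilegeTask(this, new HashSet<>(pooledBatch), isMultiThreaded, appContext, evaluatorContext));
                    pooledBatch.clear();
                }
            }
        }
        if (!pooledBatch.isEmpty()) {
            threadPool.submit(new PrivilegeTask(this, pooledBatch, isMultiThreaded, appContext, evaluatorContext));
        }
        // The inline task must lock whenever other tasks may be running.
        new PrivilegeTask(this, localBatch, hasMore, appContext, evaluatorContext).run();
        if (hasMore) {
            if (isMultiThreaded) {
                receiveEvalResults(totalCount);
            } else {
                drainResultQueue();
            }
        } else if (this.eException == null) {
            drainResultQueue();
        }
        if (this.eException != null) {
            throw this.eException;
        }
        return this.entitlementCombiner.getResults();
    }

    /** Feeds queued results to the combiner until the queue is empty or the combiner is done. */
    private void drainResultQueue() {
        boolean done = false;
        while (!this.resultQ.isEmpty() && !done) {
            this.entitlementCombiner.add(this.resultQ.remove(0));
            done = this.entitlementCombiner.isDone();
        }
    }

    /**
     * Waits for results from pooled tasks and feeds them to the combiner until
     * the combiner is done, a task has reported a failure, or
     * {@code expectedCount} result lists have been consumed.
     *
     * @param expectedCount number of privileges that were scheduled
     */
    private void receiveEvalResults(int expectedCount) {
        int received = 0;
        // The lock is held for the whole wait loop and released exactly once;
        // await() gives it up while blocked and re-acquires it before returning.
        this.lock.lock();
        try {
            boolean done = false;
            // eException is re-read on every pass so that a failure signalled
            // by a task ends the wait instead of blocking on an empty queue.
            // NOTE(review): tasks enqueue only non-null results, so fewer than
            // expectedCount lists may ever arrive; confirm evaluate() never
            // returns null or that the combiner finishes first.
            while (this.eException == null && !done && received < expectedCount) {
                if (this.resultQ.isEmpty()) {
                    this.hasResults.await();
                }
                while (!this.resultQ.isEmpty() && !done) {
                    this.entitlementCombiner.add(this.resultQ.remove(0));
                    done = this.entitlementCombiner.isDone();
                    received++;
                }
            }
        } catch (InterruptedException e) {
            PolicyConstants.DEBUG.error("PrivilegeEvaluator.evaluate", e);
            // Keep the interrupt visible to the caller's thread.
            Thread.currentThread().interrupt();
            // NOTE(review): the caller still returns whatever the combiner has
            // at this point; confirm a partial result cannot turn into a grant
            // when a not-yet-evaluated privilege would have denied.
        } finally {
            this.lock.unlock();
        }
    }

    /**
     * Resolves and caches the application for the current realm and application name.
     *
     * @throws EntitlementException with code 248 when no such application exists
     */
    private Application getApplication() throws EntitlementException {
        if (this.application == null) {
            this.application = EntitlementUtils.getApplicationService(PolicyConstants.SUPER_ADMIN_SUBJECT, this.realm).getApplication(this.applicationName);
            if (this.application == null) {
                throw new EntitlementException(248, this.realm);
            }
        }
        return this.application;
    }

    // Reads the evaluation pool size once at class load; anything that is not
    // greater than 1 selects the sequential pool.
    static {
        evalThreadSize = 10;
        Set<String> configuration = EntitlementUtils.getEntitlementConfiguration(PolicyConstants.SUPER_ADMIN_SUBJECT, "/").getConfiguration(EntitlementConfiguration.POLICY_EVAL_THREAD_SIZE);
        if (configuration != null && !configuration.isEmpty()) {
            try {
                evalThreadSize = Integer.parseInt(configuration.iterator().next());
            } catch (NumberFormatException e) {
                // Keep the default of 10 when the configured value is not a number.
                PolicyConstants.DEBUG.error("PrivilegeEvaluator.<init>: get evaluation thread pool size", e);
            }
        }
        isMultiThreaded = evalThreadSize > 1;
        threadPool = isMultiThreaded ? new EntitlementThreadPool(evalThreadSize) : new SequentialThreadPool();
    }
}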
