package com.iplanet.dpro.session;

import com.iplanet.am.util.Misc;
import com.iplanet.sso.SSOToken;
import com.sun.identity.shared.datastruct.CollectionHelper;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.encode.Hash;
import com.sun.identity.sm.ServiceSchemaManager;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.StringTokenizer;
import org.forgerock.openam.sdk.com.fasterxml.jackson.annotation.JsonIgnore;
import org.forgerock.openam.session.SessionConstants;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.0.jar:com/iplanet/dpro/session/DNOrIPAddressListTokenRestriction.class */
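/**
 * Token restriction that binds a restricted token to one or more DNs and,
 * unless the deployment is configured for DN-only restrictions, to a set of
 * IP addresses.
 *
 * <p>The restriction's identity ({@link #toString()}, {@link #hashCode()},
 * {@link #equals(Object)}) is the digest that {@code Hash.hash} returns for
 * the canonicalized DN list followed by the sorted host entries.
 *
 * <p>Review notes for anyone relying on this class as a security control:
 * <ul>
 *   <li>The DN-only flag is cached in static state, so the first instance
 *       that reads it successfully decides the value for every later
 *       instance in the same class loader, whichever
 *       {@code ServiceSchemaManager} those instances were given.</li>
 *   <li>In DN-only mode an {@link InetAddress} context is reported as
 *       satisfied (see {@link #isSatisfied(Object)}).</li>
 *   <li>An instance created through the no-argument constructor has no DN and
 *       no digest until something else populates its fields; such an
 *       instance never satisfies an {@code SSOToken} context and is equal
 *       only to itself.</li>
 * </ul>
 */
public class DNOrIPAddressListTokenRestriction implements TokenRestriction {
    static final long serialVersionUID = 8352965917649287133L;

    // '|'-separated list of canonicalized DNs accepted by this restriction.
    private String dn;

    // Addresses resolved from the host entries at construction time.
    private Set<InetAddress> addressList = new HashSet<>();

    // Digest of the DN list plus the sorted host entries; null until the
    // three-argument constructor has run.
    private String asString;

    // Process-wide cache of the "iplanet-am-session-dnrestrictiononly" default.
    private static boolean dnRestrictionOnly;
    private static final String SESSION_DNRESTRICTIONONLY_ATTR_NAME = "iplanet-am-session-dnrestrictiononly";

    // Not serialized; null on instances that were not built by the
    // three-argument constructor.
    @JsonIgnore
    private transient ServiceSchemaManager serviceSchemaManager;
    private static final Debug DEBUG = Debug.getInstance(SessionConstants.SESSION_DEBUG);

    // Volatile so that the write to dnRestrictionOnly made just before this
    // flag is set is visible to threads that observe the flag as true.
    private static volatile boolean isInitialized = false;

    /**
     * Creates an empty restriction. No DN, address or digest is set here.
     */
    public DNOrIPAddressListTokenRestriction() {
    }

    /**
     * Builds a restriction from a DN list and a set of host names or
     * addresses.
     *
     * @param str one DN, or several DNs separated by {@code '|'}; each is
     *            canonicalized with {@code Misc.canonicalize}
     * @param set host names or IP literals; resolved with
     *            {@link InetAddress#getByName(String)} unless DN-only mode is
     *            active, and always included (sorted) in the digest input
     * @param serviceSchemaManager source of the DN-only default
     * @throws UnknownHostException if none of the entries in {@code set}
     *         could be resolved
     * @throws IllegalStateException if {@code Hash.hash} returns null
     */
    public DNOrIPAddressListTokenRestriction(String str, Set<String> set, ServiceSchemaManager serviceSchemaManager) throws UnknownHostException {
        this.serviceSchemaManager = serviceSchemaManager;

        StringBuilder sb = null;
        if (str.indexOf('|') > 0) {
            StringTokenizer dnTokens = new StringTokenizer(str, "|");
            while (dnTokens.hasMoreTokens()) {
                String canonicalDn = Misc.canonicalize(dnTokens.nextToken());
                if (sb == null) {
                    sb = new StringBuilder(canonicalDn);
                } else {
                    sb.append('|').append(canonicalDn);
                }
            }
        } else {
            sb = new StringBuilder(Misc.canonicalize(str));
        }
        this.dn = sb.toString();

        if (!isDNRestrictionOnly()) {
            // Resolution happens once, here. getByName yields a single address
            // per entry, so a multi-homed host name contributes only the one
            // address the resolver returned at construction time.
            boolean resolvedAny = false;
            Iterator<String> hosts = set.iterator();
            while (hosts.hasNext()) {
                String host = hosts.next();
                try {
                    this.addressList.add(InetAddress.getByName(host));
                    resolvedAny = true;
                } catch (UnknownHostException e) {
                    if (DEBUG.warningEnabled()) {
                        DEBUG.warning("DNOrIPAddressListTokenRestriction.constructor: failure resolving host " + host);
                    }
                    // Unresolvable entries are tolerated as long as at least
                    // one entry resolved; fail only when the last entry fails
                    // and nothing resolved before it.
                    if (!hosts.hasNext() && !resolvedAny) {
                        throw new UnknownHostException(host);
                    }
                }
            }
        }

        // Digest input: DN list, newline, then every host entry in sorted
        // order, each followed by a newline.
        sb.append('\n');
        ArrayList<String> sortedHosts = new ArrayList<>(set);
        Collections.sort(sortedHosts);
        for (String host : sortedHosts) {
            sb.append(host).append('\n');
        }
        this.asString = sb.toString();
        if (DEBUG.messageEnabled()) {
            // NOTE(review): at message level this writes the clear-text DN and
            // host list to the debug log; handle those logs accordingly.
            DEBUG.message("DNOrIPAddressListTokenRestriction.new " + this.asString);
        }

        // NOTE(review): the error text below says SHA-1; the Hash.hash
        // implementation is not visible here - confirm the algorithm.
        this.asString = Hash.hash(this.asString);
        if (this.asString == null) {
            throw new IllegalStateException("DNOrIPAddressListTokenRestriction.hashcode error creating SHA-1 hash, hash was null");
        }
        if (DEBUG.messageEnabled()) {
            DEBUG.message("DNOrIPAddressListTokenRestriction.hashCode " + this.asString);
        }
    }

    /**
     * Returns the digest identifying this restriction.
     *
     * @return the digest, or {@code null} if it has not been set
     */
    @Override
    public String toString() {
        return this.asString;
    }

    /**
     * Returns the hash code of the digest string.
     *
     * @return the digest's hash code, or 0 when no digest has been set
     */
    @Override // com.iplanet.dpro.session.TokenRestriction
    public int hashCode() {
        // A digest-less instance used to throw NullPointerException here.
        String digest = toString();
        return digest == null ? 0 : digest.hashCode();
    }

    /**
     * Checks whether the given context satisfies this restriction.
     *
     * @param obj an {@code SSOToken} (matched by principal DN) or an
     *            {@link InetAddress} (matched against the resolved addresses)
     * @return {@code true} if the context is accepted; {@code false} for
     *         {@code null}, for unknown context types and for non-matching
     *         contexts
     * @throws Exception if the principal cannot be read from the token
     */
    @Override // com.iplanet.dpro.session.TokenRestriction
    public boolean isSatisfied(Object obj) throws Exception {
        if (obj == null) {
            return false;
        }

        if (obj instanceof SSOToken) {
            if (DEBUG.messageEnabled()) {
                DEBUG.message("DNOrIPAddressListTokenRestriction.isSatisfied(): context is instance of SSOToken");
            }
            String principalDn = Misc.canonicalize(((SSOToken) obj).getPrincipal().getName());
            if (this.dn == null) {
                // No DN list configured: fail closed instead of letting
                // StringTokenizer throw on a null string.
                return false;
            }
            StringTokenizer allowedDns = new StringTokenizer(this.dn, "|");
            while (allowedDns.hasMoreTokens()) {
                if (allowedDns.nextToken().equals(principalDn)) {
                    return true;
                }
            }
            if (DEBUG.messageEnabled()) {
                DEBUG.message("DNOrIPAddressListTokenRestriction:isSatisfied SSOToken of " + principalDn + " does not match with restriction " + this.dn);
            }
            return false;
        }

        if (!(obj instanceof InetAddress)) {
            if (DEBUG.warningEnabled()) {
                DEBUG.warning("Unknown context type:" + obj);
            }
            return false;
        }

        if (isDNRestrictionOnly()) {
            // NOTE(review): the restriction is reported as satisfied for any
            // address in DN-only mode, and the only trace is a warning that
            // is emitted when warning-level debug is enabled. Confirm that
            // accepting (rather than rejecting) is the intended result.
            if (DEBUG.warningEnabled()) {
                DEBUG.warning("DNOrIPAddressListTokenRestriction.isSatisfied():dnRestrictionOnly is true, but IP has been received as the restriction context, this could be a suspicious activity. Received InetAddress is: " + ((InetAddress) obj).toString());
            }
            return true;
        }

        if (DEBUG.messageEnabled()) {
            // "accepted" refers to the context type; the actual decision is
            // the set lookup below.
            DEBUG.message("DNOrIPAddressListTokenRestriction.isSatisfied(): dnRestrictionOnly is false");
            DEBUG.message("DNOrIPAddressListTokenRestriction.isSatisfied(): IP based restriction received and accepted");
        }
        return this.addressList.contains((InetAddress) obj);
    }

    /**
     * Two restrictions are equal when their digests are equal.
     *
     * @param obj the object to compare with
     * @return {@code true} for the same instance, or for another
     *         {@code DNOrIPAddressListTokenRestriction} with the same
     *         non-null digest
     */
    @Override // com.iplanet.dpro.session.TokenRestriction
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (!(obj instanceof DNOrIPAddressListTokenRestriction)) {
            return false;
        }
        // Digest-less instances never match another instance; the original
        // comparison threw NullPointerException when obj had no digest.
        String digest = toString();
        return digest != null && digest.equals(obj.toString());
    }

    /**
     * Reads, and caches on success, the global default of
     * {@code iplanet-am-session-dnrestrictiononly}.
     *
     * @return the cached flag; {@code false} while no lookup has succeeded
     */
    private boolean isDNRestrictionOnly() {
        if (!isInitialized) {
            try {
                dnRestrictionOnly = Boolean.parseBoolean(CollectionHelper.getMapAttr(this.serviceSchemaManager.getGlobalSchema().getAttributeDefaults(), SESSION_DNRESTRICTIONONLY_ATTR_NAME, "false"));
                if (DEBUG.messageEnabled()) {
                    DEBUG.message("DN restriction enabled: " + dnRestrictionOnly);
                }
                isInitialized = true;
            } catch (Exception e) {
                // Covers a null serviceSchemaManager as well. isInitialized is
                // left unset, so the lookup is retried on the next call; until
                // then the flag keeps its current value (false by default),
                // which keeps the IP address check in force.
                if (DEBUG.messageEnabled()) {
                    DEBUG.message("Failed to get the default dnRestrictionOnly setting. => Setting to false", e);
                }
            }
        }
        return dnRestrictionOnly;
    }
}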
