package com.sun.identity.entitlement.opensso;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.common.CaseInsensitiveHashSet;
import com.sun.identity.entitlement.EntitlementException;
import com.sun.identity.entitlement.PrivilegeManager;
import com.sun.identity.entitlement.SubjectAttributesCollector;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdType;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.sm.SMSException;
import com.sun.identity.sm.ServiceConfig;
import com.sun.identity.sm.ServiceConfigManager;
import java.security.AccessController;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import org.forgerock.openam.utils.CollectionUtils;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.0.jar:com/sun/identity/entitlement/opensso/OpenSSOSubjectAttributesCollector.class */
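/**
 * {@link SubjectAttributesCollector} that resolves subject attributes and memberships
 * through the identity repository ({@link AMIdentity}).
 *
 * <p>Security note: every identity lookup in this class runs with the administrator token
 * obtained from {@link AdminTokenAction}, not with the subject's own session. The attribute
 * names supplied by the caller are passed to the repository unfiltered, so callers are
 * responsible for making sure that the {@link Subject} is authenticated and that the
 * requested names are limited to what the policy decision needs.
 *
 * <p>NOTE(review): {@code SubjectUtils.getPrincipalId} is not visible here; confirm what it
 * returns for a subject without a principal before relying on the lookups below.
 */
public class OpenSSOSubjectAttributesCollector implements SubjectAttributesCollector {
    // Shared manager for the identity repository service configuration. It stays null when
    // the static initialiser at the bottom of the class fails (the failure is only logged).
    static ServiceConfigManager idRepoServiceConfigManager;
    private static final String GROUP_MEMBERSHIP_SEARCH_INDEX_ENABLED_ATTR = "groupMembershipSearchIndexEnabled";
    private static final String LDAPv3Config_USER_ATTR = "sun-idrepo-ldapv3-config-user-attributes";
    private String realm;
    private boolean groupMembershipSearchIndexEnabled = false;

    /**
     * Stores the realm and reads the group-membership search-index flag from the configuration.
     *
     * @param str realm this collector works on
     * @param map collector configuration; may be {@code null}. When the
     *            {@code groupMembershipSearchIndexEnabled} entry is missing or empty the flag
     *            keeps its current value ({@code false} on a fresh instance).
     */
    @Override
    public void init(String str, Map<String, Set<String>> map) {
        this.realm = str;
        if (map == null) {
            return;
        }
        Set<String> values = map.get(GROUP_MEMBERSHIP_SEARCH_INDEX_ENABLED_ATTR);
        if (values == null || values.isEmpty()) {
            return;
        }
        // Only the first value is consulted; anything other than "true" (case-insensitive) is false.
        this.groupMembershipSearchIndexEnabled = Boolean.parseBoolean(values.iterator().next());
    }

    /**
     * Collects the universal ids and identity attributes requested for a subject.
     *
     * <p>Names in {@code set} are matched by prefix: those starting with
     * {@link SubjectAttributesCollector#NAMESPACE_IDENTITY} select universal ids and
     * memberships, those starting with {@link SubjectAttributesCollector#NAMESPACE_ATTR}
     * select repository attributes. Names with neither prefix are ignored.
     *
     * @param subject subject whose principal id is looked up
     * @param set namespaced attribute names to collect
     * @return map of namespaced attribute name to values
     * @throws EntitlementException with code 600 when the repository lookup fails
     */
    @Override
    public Map<String, Set<String>> getAttributes(Subject subject, Set<String> set) throws EntitlementException {
        String principalId = SubjectUtils.getPrincipalId(subject);
        try {
            // The lookup is performed with the administrator token, not the subject's session.
            SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
            AMIdentity identity = new AMIdentity(adminToken, principalId);
            Map<String, Set<String>> collected = new HashMap<>();
            collected.putAll(getIdentityUniversalIds(set, identity));
            collected.putAll(getIdentityAttributes(set, identity));
            return collected;
        } catch (SSOException | IdRepoException e) {
            throw new EntitlementException(600, e, principalId);
        }
    }

    /**
     * Resolves the universal ids for every identity type requested under the identity namespace.
     *
     * @return a single-entry map keyed by the identity namespace, or an empty map when nothing
     *         was requested or nothing was found
     */
    private Map<String, Set<String>> getIdentityUniversalIds(Set<String> set, AMIdentity aMIdentity) throws IdRepoException, SSOException {
        Set<String> identityTypes = filterSet(set, SubjectAttributesCollector.NAMESPACE_IDENTITY);
        if (CollectionUtils.isEmpty(identityTypes)) {
            return Collections.emptyMap();
        }
        Set<String> universalIds = new HashSet<>();
        for (String identityType : identityTypes) {
            universalIds.addAll(getUniversalIdForIdentityType(identityType, aMIdentity));
        }
        if (CollectionUtils.isEmpty(universalIds)) {
            return Collections.emptyMap();
        }
        return Collections.singletonMap(SubjectAttributesCollector.NAMESPACE_IDENTITY, universalIds);
    }

    /**
     * Returns the identity's own universal id for the user type, otherwise the universal ids of
     * its memberships of the given type.
     */
    private Set<String> getUniversalIdForIdentityType(String str, AMIdentity aMIdentity) throws IdRepoException, SSOException {
        if (str.equalsIgnoreCase(IdType.USER.getName())) {
            return Collections.singleton(aMIdentity.getUniversalId());
        }
        return checkTypeForMembership(str, aMIdentity);
    }

    /**
     * Returns the universal ids of the identities that {@code aMIdentity} is a member of for the
     * named identity type; empty when the type name is not recognised or there are no memberships.
     */
    private Set<String> checkTypeForMembership(String str, AMIdentity aMIdentity) throws IdRepoException, SSOException {
        IdType type = IdUtils.getType(str);
        if (type == null) {
            return Collections.emptySet();
        }
        Set<?> memberships = aMIdentity.getMemberships(type);
        if (CollectionUtils.isEmpty(memberships)) {
            return Collections.emptySet();
        }
        Set<String> universalIds = new HashSet<>();
        for (Object member : memberships) {
            universalIds.add(((AMIdentity) member).getUniversalId());
        }
        return universalIds;
    }

    /**
     * Reads the attributes requested under the attribute namespace and returns them with the
     * namespace prefix put back on each key.
     */
    @SuppressWarnings("unchecked") // the repository call is consumed untyped here; values are stored as returned
    private Map<String, Set<String>> getIdentityAttributes(Set<String> set, AMIdentity aMIdentity) throws IdRepoException, SSOException {
        Set<String> attributeNames = filterSet(set, SubjectAttributesCollector.NAMESPACE_ATTR);
        if (CollectionUtils.isEmpty(attributeNames)) {
            return Collections.emptyMap();
        }
        Map<?, ?> attributes = aMIdentity.getAttributes(attributeNames);
        Map<String, Set<String>> namespaced = new HashMap<>();
        for (Map.Entry<?, ?> entry : attributes.entrySet()) {
            namespaced.put(SubjectAttributesCollector.NAMESPACE_ATTR + ((String) entry.getKey()), (Set<String>) entry.getValue());
        }
        return namespaced;
    }

    /**
     * Selects the names that start with {@code str} and strips that prefix from them.
     *
     * @param set names to filter; {@code null} is treated as empty
     * @param str prefix to match
     * @return a new set holding the matching names without the prefix
     */
    private Set<String> filterSet(Set<String> set, String str) {
        Set<String> stripped = new HashSet<>();
        if (set == null) {
            // A null request previously failed with a NullPointerException in the loop below.
            return stripped;
        }
        int prefixLength = str.length();
        for (String name : set) {
            if (name.startsWith(str)) {
                stripped.add(name.substring(prefixLength));
            }
        }
        return stripped;
    }

    /**
     * Lists the user attribute names configured on the realm's identity repository sub-configurations.
     *
     * @return case-insensitive set of configured user attribute names; empty when the realm has
     *         no organisation configuration
     * @throws EntitlementException with code 602 when the service configuration cannot be read,
     *         including when the shared configuration manager failed to initialise
     */
    @Override
    @SuppressWarnings({"unchecked", "rawtypes"}) // CaseInsensitiveHashSet is used untyped, as in the original
    public Set<String> getAvailableSubjectAttributeNames() throws EntitlementException {
        if (idRepoServiceConfigManager == null) {
            // The static initialiser only logs its failure; report it here instead of failing
            // with a NullPointerException on the first use.
            throw new EntitlementException(602,
                    new IllegalStateException("sunIdentityRepositoryService configuration manager is not initialised"));
        }
        Set<String> attributeNames = new CaseInsensitiveHashSet();
        try {
            ServiceConfig organizationConfig = idRepoServiceConfigManager.getOrganizationConfig(this.realm, null);
            if (organizationConfig == null) {
                return attributeNames;
            }
            Set<String> subConfigNames = organizationConfig.getSubConfigNames();
            if (subConfigNames == null) {
                return attributeNames;
            }
            for (String subConfigName : subConfigNames) {
                ServiceConfig subConfig = organizationConfig.getSubConfig(subConfigName);
                if (subConfig == null) {
                    // Defensive: skip a sub-configuration that cannot be resolved by name.
                    continue;
                }
                Set<String> userAttributes = subConfig.getAttributesForRead().get(LDAPv3Config_USER_ATTR);
                if (userAttributes != null && !userAttributes.isEmpty()) {
                    attributeNames.addAll(userAttributes);
                }
            }
            return attributeNames;
        } catch (SSOException | SMSException e) {
            throw new EntitlementException(602, e);
        }
    }

    /** Returns the flag read from the configuration in {@link #init}. */
    @Override
    public boolean isGroupMembershipSearchIndexEnabled() {
        return this.groupMembershipSearchIndexEnabled;
    }

    /**
     * Reads the named repository attributes of the subject's identity.
     *
     * <p>Unlike {@link #getAttributes}, the names in {@code set} are handed to the repository
     * as given, without namespace filtering, and the read is performed with the administrator
     * token. Callers should restrict {@code set} to the attributes they are entitled to expose.
     *
     * @param subject subject whose principal id is looked up
     * @param set repository attribute names to read
     * @return attribute name to values, as returned by the repository
     * @throws EntitlementException with code 601 when the repository lookup fails
     */
    @Override
    public Map<String, Set<String>> getUserAttributes(Subject subject, Set<String> set) throws EntitlementException {
        String principalId = SubjectUtils.getPrincipalId(subject);
        try {
            SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
            return new AMIdentity(adminToken, principalId).getAttributes(set);
        } catch (SSOException | IdRepoException e) {
            throw new EntitlementException(601, new Object[]{principalId}, e);
        }
    }

    static {
        try {
            idRepoServiceConfigManager = new ServiceConfigManager((SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance()), "sunIdentityRepositoryService", "1.0");
        } catch (SSOException | SMSException e) {
            // Class loading must not fail here; the manager is left null and
            // getAvailableSubjectAttributeNames() reports the condition when it is called.
            PrivilegeManager.debug.error("OpenSSOSubjectAttributesCollector.static:", e);
        }
    }
}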
