package org.forgerock.openam.sso.providers.stateless;

import com.iplanet.dpro.session.Session;
import com.iplanet.dpro.session.SessionException;
import com.iplanet.dpro.session.SessionID;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOProviderPlugin;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.service.AuthD;
import com.sun.identity.authentication.util.ISAuthConstants;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.shared.datastruct.CollectionHelper;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.sm.DNMapper;
import com.sun.identity.sm.SMSException;
import com.sun.identity.sm.ServiceConfigManager;
import com.sun.identity.sm.ServiceListener;
import java.security.AccessController;
import java.security.Principal;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import org.forgerock.openam.blacklist.Blacklist;
import org.forgerock.openam.blacklist.BlacklistException;
import org.forgerock.openam.sdk.javax.inject.Inject;
import org.forgerock.openam.sdk.javax.inject.Named;
import org.forgerock.openam.utils.StringUtils;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.0.jar:org/forgerock/openam/sso/providers/stateless/StatelessSSOProvider.class */
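public class StatelessSSOProvider implements SSOProviderPlugin, ServiceListener {
    /** Builds {@link StatelessSession}s from the JWT carried in a request or token string. */
    private final StatelessSessionManager statelessSessionManager;
    /** Server-side revocation list consulted on every validation (how entries get there is not visible here). */
    private final Blacklist<Session> sessionBlacklist;
    /** Rejects stateless tokens for restricted principals (the log text below calls them "super users"). */
    private final StatelessAdminRestriction restriction;
    private final Debug debug;
    /**
     * Per-realm cache of the auth-service "stateless sessions enabled" attribute. Keys are whatever
     * {@link #writeOrgConfigData} was handed: the org DN on first use, or the org name passed by the SMS
     * listener on change. A missing entry is treated as "disabled" (see {@link #isStatelessEnabled}).
     */
    private final ConcurrentHashMap<String, Boolean> statelessEnabledMap = new ConcurrentHashMap<>();

    @Inject
    public StatelessSSOProvider(StatelessSessionManager statelessSessionManager, Blacklist<Session> blacklist,
            StatelessAdminRestriction statelessAdminRestriction, @Named("amSession") Debug debug) {
        this.statelessSessionManager = statelessSessionManager;
        this.sessionBlacklist = blacklist;
        this.restriction = statelessAdminRestriction;
        this.debug = debug;
        // Subscribe to auth-service config changes so the per-realm cache is refreshed. Registration needs an
        // admin token, hence the privileged action. Fields are assigned above, so a callback firing at once
        // sees an initialised instance.
        try {
            SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
            new ServiceConfigManager(ISAuthConstants.AUTH_SERVICE_NAME, adminToken).addListener(this);
        } catch (SSOException | SMSException e) {
            // Without the listener the cache is never refreshed after its first read; keep the cause so the
            // failure is diagnosable (the original dropped it).
            debug.error("Unable to register StatelessSSOProvider against the service config listening system.", e);
        }
    }

    /**
     * @return true when the request carries a JWT this provider understands; false when it does not, or when
     *         inspection itself fails (logged at message level, fail closed).
     */
    @Override // com.iplanet.sso.SSOProviderPlugin
    public boolean isApplicable(HttpServletRequest httpServletRequest) {
        try {
            return this.statelessSessionManager.containsJwt(httpServletRequest);
        } catch (SessionException e) {
            this.debug.message("Error whilst inspecting request for JWT: {0}", httpServletRequest, e);
            return false;
        }
    }

    /** @return true when the (non-blank) token string contains a JWT. */
    @Override // com.iplanet.sso.SSOProviderPlugin
    public boolean isApplicable(String tokenId) {
        return StringUtils.isNotBlank(tokenId) && this.statelessSessionManager.containsJwt(tokenId);
    }

    /**
     * Builds a token from the session id's JWT and accepts it only if it passes {@link #isValidToken} without
     * refreshing. The principal name is included in the failure message purely for diagnostics.
     *
     * @throws SSOException when the JWT cannot be turned into a session or the resulting token is not valid
     */
    private SSOToken createSSOToken(SessionID sessionID) throws SSOException {
        try {
            StatelessSSOToken statelessSSOToken =
                    new StatelessSSOToken(this.statelessSessionManager.generate(sessionID));
            if (isValidToken(statelessSSOToken, false)) {
                return statelessSSOToken;
            }
            Principal principal = null;
            try {
                principal = statelessSSOToken.getPrincipal();
            } catch (SSOException e) {
                this.debug.warning("Could not obtain token principal for invalid token: " + e.getMessage(), e);
            }
            String principalName = principal != null ? principal.getName() : null;
            throw new SSOException("Token for principal " + principalName + " invalid.");
        } catch (SessionException generateFailure) {
            throw new SSOException(generateFailure);
        }
    }

    @Override // com.iplanet.sso.SSOProvider
    public SSOToken createSSOToken(HttpServletRequest httpServletRequest)
            throws UnsupportedOperationException, SSOException {
        return createSSOToken(new SessionID(httpServletRequest));
    }

    /** Credential-based token creation is not something a stateless provider can do. */
    @Override // com.iplanet.sso.SSOProvider
    public SSOToken createSSOToken(Principal principal, String password)
            throws SSOException, UnsupportedOperationException {
        throw new UnsupportedOperationException("Unsupported Create SSO Token With Principal and Password");
    }

    @Override // com.iplanet.sso.SSOProvider
    public SSOToken createSSOToken(String sid) throws SSOException, UnsupportedOperationException {
        return createSSOToken(sid, false);
    }

    public SSOToken createSSOToken(String sid, boolean flag) throws SSOException, UnsupportedOperationException {
        return createSSOToken(sid, flag, true);
    }

    /** Both boolean flags of the SSOProvider contract are ignored by this provider. */
    @Override // com.iplanet.sso.SSOProvider
    public SSOToken createSSOToken(String sid, boolean flag, boolean secondFlag)
            throws SSOException, UnsupportedOperationException {
        return createSSOToken(new SessionID(sid));
    }

    /** The second argument is not used; no client-side binding is performed here. */
    @Override // com.iplanet.sso.SSOProvider
    public SSOToken createSSOToken(String sid, String ignored) throws SSOException, UnsupportedOperationException {
        return createSSOToken(new SessionID(sid));
    }

    /** Destroying a stateless token is the same operation as logging it out. */
    @Override // com.iplanet.sso.SSOProvider
    public void destroyToken(SSOToken sSOToken) throws SSOException {
        logout(sSOToken);
    }

    /** @throws SSOException when the token is not stateless or the session logout fails */
    @Override // com.iplanet.sso.SSOProvider
    public void logout(SSOToken sSOToken) throws SSOException {
        try {
            extractStatelessSession(sSOToken).logout();
        } catch (SessionException e) {
            throw new SSOException(e);
        }
    }

    @Override // com.iplanet.sso.SSOProvider
    public boolean isValidToken(SSOToken sSOToken) {
        return isValidToken(sSOToken, true);
    }

    /**
     * A token is valid only when all of the following hold, checked in this order: the principal is not under
     * the admin restriction, the token's realm has stateless sessions enabled, the JWT itself reports valid,
     * and the session is not on the blacklist. Any failure to evaluate a check is logged and counts as invalid.
     *
     * @param sSOToken token to check; a null or non-stateless token is reported invalid rather than throwing
     * @param refresh  forwarded unchanged to {@code StatelessSSOToken.isValid}
     */
    @Override // com.iplanet.sso.SSOProvider
    public boolean isValidToken(SSOToken sSOToken, boolean refresh) {
        // Fail closed: the original unconditional cast threw ClassCastException (or NPE for null) out of a
        // method callers do not expect to throw.
        if (!(sSOToken instanceof StatelessSSOToken)) {
            return false;
        }
        StatelessSSOToken statelessSSOToken = (StatelessSSOToken) sSOToken;
        StatelessSession session = statelessSSOToken.getSession();
        try {
            if (this.restriction.isRestricted(sSOToken)) {
                return false;
            }
            try {
                boolean realmAllowsStateless = isStatelessEnabled(sSOToken.getProperty("Organization"));
                if (!realmAllowsStateless || !statelessSSOToken.isValid(refresh)) {
                    return false;
                }
                return !this.sessionBlacklist.isBlacklisted(session);
            } catch (SSOException | SMSException | BlacklistException e) {
                // Also reached for realm-config and property lookup failures, not only blacklist errors.
                this.debug.error("Unable to check session blacklist: {}", e);
                return false;
            }
        } catch (SessionException e2) {
            this.debug.message("Unable to verify if the SSOToken represents a super user", e2);
            return false;
        }
    }

    /** Exception-throwing form of {@link #isValidToken(SSOToken, boolean)} with refresh disabled. */
    @Override // com.iplanet.sso.SSOProvider
    public void validateToken(SSOToken sSOToken) throws SSOException {
        if (!isValidToken(sSOToken, false)) {
            throw new SSOException("Failed verification of JWT contents.");
        }
    }

    @Override // com.iplanet.sso.SSOProvider
    public void refreshSession(SSOToken sSOToken) throws SSOException {
        refreshSession(sSOToken, true);
    }

    /** @param resetIdle forwarded unchanged to {@code StatelessSession.refresh} */
    @Override // com.iplanet.sso.SSOProvider
    public void refreshSession(SSOToken sSOToken, boolean resetIdle) throws SSOException {
        try {
            extractStatelessSession(sSOToken).refresh(resetIdle);
        } catch (SessionException e) {
            throw new SSOException(e);
        }
    }

    /**
     * Destroys {@code target} on behalf of {@code requester}.
     *
     * The original ignored its first parameter and called {@code target.destroySession(target)}, so the
     * requesting identity never reached the session layer and the target acted as its own requester. The
     * requester is now passed through; whatever authorisation {@code destroySession} applies to its receiver
     * (not visible here) is therefore evaluated against the actual caller.
     *
     * @throws SSOException when either token is not stateless or the destroy fails
     */
    @Override // com.iplanet.sso.SSOProvider
    public void destroyToken(SSOToken requester, SSOToken target) throws SSOException {
        try {
            StatelessSession requesterSession = extractStatelessSession(requester);
            StatelessSession targetSession = extractStatelessSession(target);
            requesterSession.destroySession(targetSession);
        } catch (SessionException e) {
            throw new SSOException(e);
        }
    }

    /**
     * Not supported for stateless sessions: there is no server-side session store to enumerate. Returns
     * null, as the original did; callers are presumed to null-check (changing this to an empty set is
     * left for a change that can audit them).
     */
    @Override // com.iplanet.sso.SSOProvider
    public Set<SSOToken> getValidSessions(SSOToken sSOToken, String server) throws SSOException {
        return null;
    }

    /** @throws SSOException when the token is not a {@link StatelessSSOToken} */
    private static StatelessSession extractStatelessSession(SSOToken sSOToken) throws SSOException {
        if (sSOToken instanceof StatelessSSOToken) {
            return ((StatelessSSOToken) sSOToken).getSession();
        }
        throw new SSOException("Not a stateless SSOToken");
    }

    /**
     * Looks up (and lazily caches) whether the realm identified by {@code orgName} allows stateless sessions.
     * If the realm config cannot be read, {@link #writeOrgConfigData} leaves no entry; the original then
     * threw NullPointerException out of the validation path. A missing entry is now treated as disabled,
     * which makes the token invalid (fail closed).
     */
    private boolean isStatelessEnabled(String orgName) throws SMSException {
        String orgDN = AuthD.getAuth().getOrgDN(orgName);
        Boolean enabled = this.statelessEnabledMap.get(orgDN);
        if (enabled == null) {
            writeOrgConfigData(orgDN);
            enabled = this.statelessEnabledMap.get(orgDN);
        }
        return enabled != null && enabled.booleanValue();
    }

    @Override // com.sun.identity.sm.ServiceListener
    public void schemaChanged(String serviceName, String version) {
        // Schema changes do not affect the per-realm attribute value; nothing to refresh.
    }

    @Override // com.sun.identity.sm.ServiceListener
    public void globalConfigChanged(String serviceName, String version, String groupName,
            String serviceComponent, int type) {
        // Only organisation-level config carries the stateless-sessions attribute.
    }

    /**
     * Re-reads the realm's attribute on any auth-service change. The cache key is the org name exactly as
     * the SMS passes it; whether that matches the DN form used by {@link #isStatelessEnabled} is not visible
     * here — TODO confirm, otherwise listener updates land under a different key than lookups read.
     */
    @Override // com.sun.identity.sm.ServiceListener
    public void organizationConfigChanged(String serviceName, String version, String orgName,
            String groupName, String serviceComponent, int type) {
        if (ISAuthConstants.AUTH_SERVICE_NAME.equals(serviceName)) {
            writeOrgConfigData(orgName);
        }
    }

    /**
     * Reads the auth-service "stateless sessions" attribute for the realm and stores it under {@code orgKey}.
     * On failure the entry is left untouched (a stale value survives, a missing one stays missing) and the
     * cause is logged at message level, as before.
     */
    private void writeOrgConfigData(String orgKey) {
        try {
            java.util.Map<String, Set<String>> authAttrs = AuthD.getAuth()
                    .getOrgConfigManager(DNMapper.orgNameToDN(orgKey))
                    .getServiceAttributes(ISAuthConstants.AUTH_SERVICE_NAME);
            boolean enabled = CollectionHelper.getBooleanMapAttr(authAttrs, ISAuthConstants.AUTH_STATELESS_SESSIONS, false);
            this.statelessEnabledMap.put(orgKey, Boolean.valueOf(enabled));
        } catch (SMSException e) {
            this.debug.message("StatelessSSOProvider :: organizationConfigChanger - Unable to update org config.", e);
        }
    }
}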
