package org.forgerock.openam.entitlement.conditions.environment;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.util.AMAuthUtils;
import com.sun.identity.entitlement.ConditionDecision;
import com.sun.identity.entitlement.EntitlementConditionAdaptor;
import com.sun.identity.entitlement.EntitlementException;
import com.sun.identity.entitlement.PrivilegeManager;
import com.sun.identity.shared.debug.Debug;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import org.forgerock.openam.sdk.org.forgerock.util.time.TimeService;
import org.forgerock.openam.sdk.org.json.JSONArray;
import org.forgerock.openam.sdk.org.json.JSONException;
import org.forgerock.openam.sdk.org.json.JSONObject;
import org.forgerock.openam.utils.CollectionUtils;
import org.forgerock.openam.utils.StringUtils;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.0.jar:org/forgerock/openam/entitlement/conditions/environment/AuthSchemeCondition.class */
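/**
 * Environment condition that is satisfied only when every authentication scheme listed in
 * {@code authScheme} appears among the schemes of the current request, optionally combined with a
 * per-application idle timeout that is tracked in a session property.
 *
 * <p>This listing is decompiler output. {@link #getApplicationIdleTimesoutAt} could not be
 * recovered and is a stub that always throws, so the idle-timeout branch of {@link #evaluate} is
 * not usable from this source as it stands.
 */
public class AuthSchemeCondition extends EntitlementConditionAdaptor {
    /** Prefix of the session property that stores when an application's idle period runs out. */
    public static final String APPLICATION_IDLE_TIMESOUT_AT_PREFIX = "am.protected.policy.AppIdleTimesoutAt.";
    /** Advice key added when the idle-timeout check denies access. */
    public static final String FORCE_AUTH_ADVICE = "ForceAuth";
    public static final String MODULE_INSTANCE = "module_instance";
    private final Debug debug;
    private final EntitlementCoreWrapper coreWrapper;
    private final TimeService timeService;
    // Required schemes; starts empty. An empty set makes evaluate() find nothing unsatisfied.
    private Set<String> authScheme;
    // Idle timeout in minutes; Integer.MAX_VALUE is the "not configured" sentinel.
    private Integer applicationIdleTimeout;
    private String applicationName;
    // APPLICATION_IDLE_TIMESOUT_AT_PREFIX + applicationName, set by setApplicationName().
    private String appIdleTimesoutAtSessionKey;
    // Becomes true once both an application name and a timeout are set; never reset to false.
    private boolean appIdleTimeoutEnabled;

    /** Creates a condition wired to the default debug log, core wrapper and system clock. */
    public AuthSchemeCondition() {
        this(PrivilegeManager.debug, new EntitlementCoreWrapper(), TimeService.SYSTEM);
    }

    /**
     * Creates a condition with explicit collaborators.
     *
     * @param debug log used for diagnostic messages
     * @param entitlementCoreWrapper source of the schemes recorded on an SSO token
     * @param timeService clock used for the idle-timeout arithmetic
     */
    AuthSchemeCondition(Debug debug, EntitlementCoreWrapper entitlementCoreWrapper, TimeService timeService) {
        this.authScheme = new HashSet<String>();
        this.applicationIdleTimeout = Integer.MAX_VALUE;
        this.appIdleTimeoutEnabled = false;
        this.debug = debug;
        this.coreWrapper = entitlementCoreWrapper;
        this.timeService = timeService;
    }

    /**
     * Loads the condition from its JSON form.
     *
     * <p>A {@link JSONException} is logged at message level and otherwise ignored, so a failure
     * leaves whatever was already set in place. With the constructor default (an empty
     * {@code authScheme}) {@link #evaluate} finds nothing unsatisfied; {@link #validate()} is the
     * only check in this class that rejects that state and should be run before the condition is
     * relied on.
     *
     * @param str JSON text holding the auth schemes and, optionally, the application name and
     *     idle timeout
     */
    @Override // com.sun.identity.entitlement.EntitlementCondition
    public void setState(String str) {
        try {
            JSONObject state = new JSONObject(str);
            // Overload taking a JSONObject is not defined in this class; presumably inherited.
            setState(state);
            JSONArray schemeArray = state.getJSONArray(ConditionConstants.AUTH_SCHEME);
            Set<String> schemes = new HashSet<String>();
            for (int i = 0; i < schemeArray.length(); i++) {
                schemes.add(schemeArray.getString(i));
            }
            setAuthScheme(schemes);
            if (state.has(ConditionConstants.APPLICATION_NAME)) {
                setApplicationName(state.getString(ConditionConstants.APPLICATION_NAME));
            }
            if (state.has(ConditionConstants.APPLICATION_IDLE_TIMEOUT)) {
                setApplicationIdleTimeout(state.getInt(ConditionConstants.APPLICATION_IDLE_TIMEOUT));
            }
        } catch (JSONException e) {
            this.debug.message("AuthSchemeCondition: Failed to set state", e);
        }
    }

    /**
     * Returns the JSON form of this condition.
     *
     * @return the result of {@link #toString()}, which is {@code null} if serialization failed
     */
    @Override // com.sun.identity.entitlement.EntitlementCondition
    public String getState() {
        return toString();
    }

    /**
     * Decides whether the request satisfies the required authentication schemes and, when
     * enabled, the application idle timeout.
     *
     * @param str not read by this method
     * @param subject subject whose first private credential is cast to an {@link SSOToken}; may be
     *     {@code null}
     * @param str2 not read by this method
     * @param map environment; a {@code "requestAuthSchemes"} entry, when present, is used instead
     *     of the schemes recorded on the token
     * @return the decision, with advice naming the unsatisfied schemes when access is denied
     * @throws EntitlementException if the session property cannot be written
     */
    @Override // com.sun.identity.entitlement.EntitlementCondition
    public ConditionDecision evaluate(String str, Subject subject, String str2, Map<String, Set<String>> map) throws EntitlementException {
        if (this.debug.messageEnabled()) {
            this.debug.message("At AuthSchemeCondition.getConditionDecision():entering:authScheme=" + this.authScheme + ", appName=" + this.applicationName + ", applicationIdleTimeout=" + this.applicationIdleTimeout);
        }
        // The cast fails with ClassCastException if the first private credential is another type.
        SSOToken token = subject == null ? null : (SSOToken) getValue(subject.getPrivateCredentials());

        Set<String> requestSchemes = null;
        Set<String> requestSchemesIgnoreRealm = null;
        // NOTE(review): a "requestAuthSchemes" entry in the environment takes precedence over the
        // schemes recorded on the SSO token. Confirm that every caller builds this map from
        // trusted data; otherwise the condition can be met by assertion rather than by the
        // authentication the session actually performed.
        Set<String> envSchemes = map == null ? null : map.get("requestAuthSchemes");
        if (envSchemes != null) {
            requestSchemes = envSchemes;
            if (this.debug.messageEnabled()) {
                this.debug.message("At AuthSchemeCondition.getConditionDecision(): requestAuthSchemes from env= " + requestSchemes);
            }
        } else if (token != null) {
            requestSchemes = this.coreWrapper.getRealmQualifiedAuthenticatedSchemes(token);
            requestSchemesIgnoreRealm = this.coreWrapper.getAuthenticatedSchemes(token);
            if (this.debug.messageEnabled()) {
                this.debug.message("At AuthSchemeCondition.getConditionDecision(): requestAuthSchemes from ssoToken= " + requestSchemes);
                this.debug.message("At AuthSchemeCondition.getConditionDecision(): requestAuthSchemesIgnoreRealm from ssoToken= " + requestSchemesIgnoreRealm);
            }
        }
        if (requestSchemes == null) {
            requestSchemes = Collections.emptySet();
        }
        if (requestSchemesIgnoreRealm == null) {
            requestSchemesIgnoreRealm = Collections.emptySet();
        }

        boolean allowed = true;
        Set<String> unsatisfied = new HashSet<String>(this.authScheme.size());
        for (String required : this.authScheme) {
            if (requestSchemes.contains(required)) {
                continue;
            }
            String realm = AMAuthUtils.getRealmFromRealmQualifiedData(required);
            boolean realmQualified = realm != null && realm.length() != 0;
            // A realm-qualified requirement must match exactly; an unqualified one may still be
            // met by the realm-agnostic scheme set taken from the token.
            if (realmQualified || !requestSchemesIgnoreRealm.contains(required)) {
                allowed = false;
                unsatisfied.add(required);
                if (this.debug.messageEnabled()) {
                    this.debug.message("At AuthSchemeCondition.getConditionDecision():authScheme not satisfied = " + required);
                }
            }
        }
        if (this.debug.messageEnabled()) {
            this.debug.message("At AuthSchemeCondition.getConditionDecision():authScheme = " + this.authScheme + ", requestAuthSchemes = " + requestSchemes + ",  allowed before applicationIdleTimeout check = " + allowed);
        }

        Map<String, Set<String>> advices = new HashMap<String, Set<String>>();
        if (!allowed) {
            advices.put("AuthSchemeConditionAdvice", unsatisfied);
        }
        long timeToLive = Long.MAX_VALUE;
        long now = this.timeService.now();
        Set<String> expiredSchemes = new HashSet<String>();
        if (this.appIdleTimeoutEnabled) {
            if (allowed) {
                long idleTimesOutAt = getApplicationIdleTimesoutAt(token, expiredSchemes, now);
                if (idleTimesOutAt <= now) {
                    allowed = false;
                }
                if (this.debug.messageEnabled()) {
                    this.debug.message("At AuthSchemeCondition.getConditionDecision():currentTimeMillis = " + now + ", idleTimesOutAtMillis = " + idleTimesOutAt + ", expiredAuthSchemes = " + expiredSchemes + ", allowed after applicationIdleTimeout check = " + allowed);
                }
            }
            if (allowed) {
                // Access granted: push the idle deadline forward and cap the decision's TTL at it.
                // NOTE(review): token can be null here when the schemes came from the environment
                // map; setTokenProperty() would then fail with a NullPointerException.
                long revisedIdleTimesOutAt = now + getApplicationIdleTimeoutInMilliseconds();
                setTokenProperty(token, this.appIdleTimesoutAtSessionKey, Long.toString(revisedIdleTimesOutAt));
                timeToLive = revisedIdleTimesOutAt;
                if (this.debug.messageEnabled()) {
                    this.debug.message("At AuthSchemeCondition.getConditionDecision():app access allowed, revised appIdleTimesOutAt=" + revisedIdleTimesOutAt + ", currentTimeMillis=" + now);
                }
            } else {
                unsatisfied.addAll(expiredSchemes);
                advices.put("AuthSchemeConditionAdvice", unsatisfied);
                Set<String> forceAuth = new HashSet<String>();
                forceAuth.add(Boolean.TRUE.toString());
                advices.put(FORCE_AUTH_ADVICE, forceAuth);
            }
        }
        if (this.debug.messageEnabled()) {
            this.debug.message("At AuthSchemeCondition.getConditionDecision():just before return:allowed = " + allowed + ", timeToLive = " + timeToLive + ", advices = " + advices);
        }
        return new ConditionDecision(allowed, advices, timeToLive);
    }

    /**
     * Returns the first element the set's iterator yields.
     *
     * @param set set to read; may be {@code null}
     * @return the first element, or {@code null} when the set is {@code null} or empty
     */
    private <T> T getValue(Set<T> set) {
        if (set == null || !set.iterator().hasNext()) {
            return null;
        }
        return set.iterator().next();
    }

    /**
     * Writes a property on the SSO token.
     *
     * @param sSOToken token to update; not checked for {@code null}
     * @param str property name
     * @param str2 property value
     * @throws EntitlementException with code 510 wrapping any {@link SSOException}
     */
    private void setTokenProperty(SSOToken sSOToken, String str, String str2) throws EntitlementException {
        try {
            sSOToken.setProperty(str, str2);
        } catch (SSOException e) {
            throw new EntitlementException(510, e);
        }
    }

    /*
     * Decompiler stub: the body of this method was not recovered, so it always throws
     * UnsupportedOperationException. The JADX fragments below are the only visible trace of the
     * original logic (adding a scheme to the expired set and logging it). Consult the original
     * source or bytecode before relying on the idle-timeout path.
     */
    /* JADX WARN: Code restructure failed: missing block: B:19:0x011d, code lost:
    
        r7.add(r0);
     */
    /* JADX WARN: Code restructure failed: missing block: B:20:0x012d, code lost:
    
        if (r5.debug.messageEnabled() == false) goto L29;
     */
    /* JADX WARN: Code restructure failed: missing block: B:21:0x0130, code lost:
    
        r5.debug.message("At AuthSchemeCondition.getApplicationIdleTimesoutAt():expired authScheme=" + r0);
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private long getApplicationIdleTimesoutAt(com.iplanet.sso.SSOToken r6, java.util.Set<java.lang.String> r7, long r8) throws com.sun.identity.entitlement.EntitlementException {
        /*
            Method dump skipped, instructions count: 368
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.forgerock.openam.entitlement.conditions.environment.AuthSchemeCondition.getApplicationIdleTimesoutAt(com.iplanet.sso.SSOToken, java.util.Set, long):long");
    }

    /**
     * Builds the JSON form of this condition.
     *
     * @return a JSON object holding the auth schemes, application name and idle timeout
     * @throws JSONException if a value cannot be stored
     */
    private JSONObject toJSONObject() throws JSONException {
        JSONObject jSONObject = new JSONObject();
        // Overload taking a JSONObject is not defined in this class; presumably inherited.
        toJSONObject(jSONObject);
        jSONObject.put(ConditionConstants.AUTH_SCHEME, (Collection<?>) getAuthScheme());
        jSONObject.put(ConditionConstants.APPLICATION_NAME, getApplicationName());
        jSONObject.put(ConditionConstants.APPLICATION_IDLE_TIMEOUT, getApplicationIdleTimeout());
        return jSONObject;
    }

    /**
     * Renders the condition as JSON indented by two spaces.
     *
     * @return the JSON text, or {@code null} when serialization fails (the error is logged)
     */
    @Override
    public String toString() {
        String str = null;
        try {
            str = toJSONObject().toString(2);
        } catch (JSONException e) {
            PrivilegeManager.debug.error("AuthSchemeCondition.toString()", e);
        }
        return str;
    }

    /** Returns the required schemes; this is the internal set, not a copy. */
    public Set<String> getAuthScheme() {
        return this.authScheme;
    }

    /** Replaces the required schemes; the given set is stored as is, without copying. */
    public void setAuthScheme(Set<String> set) {
        this.authScheme = set;
    }

    /**
     * Returns the idle timeout in minutes.
     *
     * @return the timeout, or {@code null} when it still holds the Integer.MAX_VALUE sentinel
     */
    public Integer getApplicationIdleTimeout() {
        if (this.applicationIdleTimeout.intValue() == Integer.MAX_VALUE) {
            return null;
        }
        return this.applicationIdleTimeout;
    }

    /**
     * Sets the idle timeout and re-evaluates whether the idle-timeout check is enabled.
     *
     * @param i timeout in minutes
     */
    public void setApplicationIdleTimeout(int i) {
        this.applicationIdleTimeout = Integer.valueOf(i);
        updateIdleTimeoutEnabled();
    }

    /** Returns the application name, or {@code null} when none is set. */
    public String getApplicationName() {
        return this.applicationName;
    }

    /**
     * Sets the application name and derives the session property key from it.
     *
     * @param str application name; {@code null} or blank clears the name but leaves any
     *     previously derived session key and enabled flag untouched
     */
    public void setApplicationName(String str) {
        if (str == null || str.trim().isEmpty()) {
            this.applicationName = null;
        } else {
            this.appIdleTimesoutAtSessionKey = APPLICATION_IDLE_TIMESOUT_AT_PREFIX + str;
            this.applicationName = str;
        }
        updateIdleTimeoutEnabled();
    }

    /** Turns the idle-timeout check on once both name and timeout are set; never turns it off. */
    private void updateIdleTimeoutEnabled() {
        if (this.applicationName == null || this.applicationIdleTimeout.intValue() == Integer.MAX_VALUE) {
            return;
        }
        this.appIdleTimeoutEnabled = true;
    }

    /**
     * Converts the idle timeout from minutes to milliseconds.
     *
     * @return the timeout in milliseconds
     */
    private long getApplicationIdleTimeoutInMilliseconds() {
        // Multiply as long: int arithmetic wraps for timeouts above 35791 minutes, which would
        // yield a wrong (possibly negative) idle deadline.
        return this.applicationIdleTimeout.longValue() * 60L * 1000L;
    }

    /**
     * Rejects a condition whose scheme set is missing, empty or contains a blank entry.
     *
     * @throws EntitlementException if {@code authScheme} is undefined or holds a blank value
     */
    @Override // com.sun.identity.entitlement.EntitlementCondition
    public void validate() throws EntitlementException {
        if (this.authScheme == null || this.authScheme.isEmpty()) {
            throw new EntitlementException(EntitlementException.PROPERTY_VALUE_NOT_DEFINED, ConditionConstants.AUTH_SCHEME);
        }
        if (StringUtils.isAnyBlank(this.authScheme)) {
            throw new EntitlementException(EntitlementException.PROPERTY_CONTAINS_BLANK_VALUE, ConditionConstants.AUTH_SCHEME);
        }
    }

    /**
     * Compares this condition with another of exactly the same class, field by field.
     *
     * @param obj object to compare with
     * @return {@code true} when the superclass comparison passes and all fields match
     */
    @Override // com.sun.identity.entitlement.EntitlementConditionAdaptor
    public boolean equals(Object obj) {
        // super.equals() runs first; obj.getClass() is only reached when it returned true.
        if (!super.equals(obj) || !getClass().equals(obj.getClass())) {
            return false;
        }
        AuthSchemeCondition other = (AuthSchemeCondition) obj;
        return this.appIdleTimeoutEnabled == other.appIdleTimeoutEnabled
                && CollectionUtils.genericCompare(this.authScheme, other.authScheme)
                && CollectionUtils.genericCompare(this.applicationIdleTimeout, other.applicationIdleTimeout)
                && CollectionUtils.genericCompare(this.applicationName, other.applicationName)
                && CollectionUtils.genericCompare(this.appIdleTimesoutAtSessionKey, other.appIdleTimesoutAtSessionKey);
    }

    /**
     * Hashes the same fields that {@link #equals(Object)} compares; {@code null} fields are
     * skipped.
     */
    @Override // com.sun.identity.entitlement.EntitlementConditionAdaptor
    public int hashCode() {
        int hashCode = (31 * super.hashCode()) + (this.appIdleTimeoutEnabled ? 1 : 0);
        if (this.authScheme != null) {
            hashCode = (31 * hashCode) + this.authScheme.hashCode();
        }
        if (this.applicationIdleTimeout != null) {
            hashCode = (31 * hashCode) + this.applicationIdleTimeout.hashCode();
        }
        if (this.applicationName != null) {
            hashCode = (31 * hashCode) + this.applicationName.hashCode();
        }
        if (this.appIdleTimesoutAtSessionKey != null) {
            hashCode = (31 * hashCode) + this.appIdleTimesoutAtSessionKey.hashCode();
        }
        return hashCode;
    }
}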
