package com.sun.identity.entitlement.opensso;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.entitlement.ApplicationPrivilege;
import com.sun.identity.entitlement.ApplicationPrivilegeManager;
import com.sun.identity.entitlement.EntitlementException;
import com.sun.identity.entitlement.PolicyDataStore;
import com.sun.identity.entitlement.Privilege;
import com.sun.identity.entitlement.PrivilegeIndexStore;
import com.sun.identity.entitlement.PrivilegeManager;
import com.sun.identity.entitlement.ReferralPrivilege;
import com.sun.identity.entitlement.opensso.OpenSSOLogger;
import com.sun.identity.policy.Policy;
import com.sun.identity.policy.PolicyException;
import com.sun.identity.policy.PolicyManager;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.shared.xml.XMLUtils;
import com.sun.identity.sm.DNMapper;
import com.sun.identity.sm.SMSEntry;
import com.sun.identity.sm.SMSException;
import com.sun.identity.sm.ServiceConfig;
import com.sun.identity.sm.ServiceConfigManager;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.text.MessageFormat;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import javax.security.auth.Subject;
import org.apache.xerces.dom3.as.ASDataType;
import org.apache.xmlgraphics.image.codec.tiff.TIFFImageDecoder;
import org.forgerock.openam.entitlement.utils.EntitlementUtils;
import org.w3c.dom.Document;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.1.jar:com/sun/identity/entitlement/opensso/OpenSSOPolicyDataStore.class */
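/**
 * {@link PolicyDataStore} that persists privileges and referral privileges in the
 * OpenSSO service-management (SMS) tree and keeps the {@link PrivilegeIndexStore}
 * in step with it.
 *
 * <p>Storage layout (see {@link #getPolicyDistinguishedName}): a policy is an SMS
 * entry {@code ou=<policy name>} under the realm's {@code iPlanetAMPolicyService}
 * subtree; its {@code ATTR_KEYVAL} attribute holds the policy XML prefixed with
 * {@code xmlpolicy=}.
 *
 * <p>Every directory write and index update is performed with the cached
 * administrative ("dsame") token, not with the caller's token. The caller's
 * subject is only required to resolve to a token and to pass the MODIFY check in
 * {@link #requireModifyPrivilege}; see the note there about what that check does
 * and does not enforce.
 *
 * <p>This class was recovered by decompilation. Several numeric
 * {@link EntitlementException} error codes appear as unrelated library constants
 * ({@code ASDataType.*}, {@code TIFFImageDecoder.*}) that a decompiler evidently
 * substituted for integer literals of the same value. They are kept untouched so
 * the emitted codes do not change; substitute the intended
 * {@code EntitlementException} constants once confirmed against the original
 * source.
 */
public class OpenSSOPolicyDataStore extends PolicyDataStore {
    /** Attribute-value prefix that marks the stored policy XML. */
    private static final String POLICY_XML = "xmlpolicy";
    /** Full prefix ({@code "xmlpolicy="}) written in front of the serialized policy. */
    private static final String POLICY_XML_PREFIX = POLICY_XML + "=";
    /** {@link MessageFormat} template of the per-realm policy container; {0} is the realm DN. */
    private static final String REALM_DN_TEMPLATE = "ou=Policies,ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMPolicyService,ou=services,{0}";
    /** Administrative token used for all SMS writes; obtained once at class load. */
    private static SSOToken dsameUserToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    /** Subject wrapping {@link #dsameUserToken}; used for index-store access. */
    private static Subject dsameUserSubject = SubjectUtils.createSubject(dsameUserToken);

    /**
     * Adds a privilege to the index store of the given realm.
     *
     * @param subject   calling subject (not used for the write itself)
     * @param str       realm name
     * @param privilege privilege to add
     * @throws EntitlementException with {@code PERMISSION_DENIED} when the MODIFY
     *                              check fails, or whatever the index store raises
     */
    @Override // com.sun.identity.entitlement.PolicyDataStore
    public void addPolicy(Subject subject, String str, Privilege privilege) throws EntitlementException {
        requireModifyPrivilege(str, privilege);
        PrivilegeIndexStore indexStore = PrivilegeIndexStore.getInstance(dsameUserSubject, str);
        // Raw set on purpose: the element type accepted by PrivilegeIndexStore.add()
        // is not visible from here, and the store takes a batch rather than one item.
        HashSet batch = new HashSet();
        batch.add(privilege);
        indexStore.add(batch);
    }

    /**
     * Ensures the {@code NamedPolicy} sub-configuration exists under the realm's
     * policy-service organization config, creating it when absent.
     *
     * @param token token used for the SMS operations
     * @param realm realm name
     */
    private void createParentNode(SSOToken token, String realm) throws SSOException, SMSException {
        ServiceConfig orgConfig = getOrgConfig(token, realm);
        if (orgConfig.getSubConfigNames().contains(PolicyManager.NAMED_POLICY)) {
            return;
        }
        orgConfig.addSubConfig(PolicyManager.NAMED_POLICY, PolicyManager.NAMED_POLICY, 0, null);
    }

    /**
     * Returns the policy-service organization config for a realm, creating it on
     * first use.
     *
     * @param token token used for the SMS operations
     * @param realm realm name
     * @return the (possibly freshly created) organization config
     */
    private ServiceConfig getOrgConfig(SSOToken token, String realm) throws SMSException, SSOException {
        ServiceConfigManager scm = new ServiceConfigManager(PolicyManager.POLICY_SERVICE_NAME, token);
        ServiceConfig orgConfig = scm.getOrganizationConfig(realm, null);
        if (orgConfig == null) {
            scm.createOrganizationConfig(realm, null);
            // Re-read rather than trusting the value returned by the create call.
            orgConfig = scm.getOrganizationConfig(realm, null);
        }
        return orgConfig;
    }

    /**
     * Loads a stored policy and materializes it as a legacy {@link Policy}.
     *
     * @param subject calling subject; must resolve to an SSO token
     * @param str     realm name
     * @param str2    policy name
     * @return the {@link Policy}, or {@code null} when XACML privileges are
     *         enabled (see {@link #createPolicy})
     * @throws EntitlementException when the subject has no token, the entry does not
     *                              exist (203), or reading/parsing fails (204)
     */
    @Override // com.sun.identity.entitlement.PolicyDataStore
    public Object getPolicy(Subject subject, String str, String str2) throws EntitlementException {
        SSOToken token = SubjectUtils.getSSOToken(subject);
        if (token == null) {
            // Decompiler artifact: this constant stands in for a numeric error code (see class doc).
            throw new EntitlementException(ASDataType.SHORT_DATATYPE, str2);
        }
        String dn = getPolicyDistinguishedName(str, str2);
        if (!SMSEntry.checkIfEntryExists(dn, token)) {
            throw new EntitlementException(203, str2);
        }
        try {
            return createPolicy(token, str, readStoredPolicyXml(token, dn));
        } catch (Exception e) {
            // Every failure (SSO, SMS, parse, missing attribute) maps to the same code.
            throw new EntitlementException(204, new Object[]{str2}, e);
        }
    }

    /**
     * Resolves a policy DN by progressively truncating the name at {@code '_'}
     * boundaries until an existing entry is found. Not called from within this
     * class.
     *
     * @param token token used for the existence checks
     * @param realm realm name
     * @param name  policy name, possibly carrying {@code _}-separated suffixes
     * @return the DN of the first existing entry, or {@code null} if none matches
     */
    private String findLegacyPolicyDn(SSOToken token, String realm, String name) {
        String dn = getPolicyDistinguishedName(realm, name);
        int cut = name.length();
        while (!SMSEntry.checkIfEntryExists(dn, token)) {
            debug("Unable to find policy with name %s using DN %s", name, dn);
            cut = name.lastIndexOf('_', cut - 1);
            if (cut < 0) {
                return null;
            }
            dn = getPolicyDistinguishedName(realm, name.substring(0, cut));
        }
        return dn;
    }

    /**
     * Emits a {@link String#format}-style debug message when debug logging is on.
     *
     * @param str    format string (a fixed, class-local literal at every call site)
     * @param objArr format arguments
     */
    private static void debug(String str, Object... objArr) {
        if (PrivilegeManager.debug.messageEnabled()) {
            PrivilegeManager.debug.message(String.format(Locale.US, "OpenSSOPolicyDataStore: " + str, objArr));
        }
    }

    /**
     * Loads a stored referral and converts it back to a {@link ReferralPrivilege}.
     *
     * @param subject calling subject; {@code PrivilegeManager.superAdminSubject} is
     *                mapped to the administrative token
     * @param str     realm name
     * @param str2    referral name
     * @return the referral privilege
     * @throws EntitlementException when the subject has no token, the entry does not
     *                              exist ({@code NO_SUCH_REFERRAL_PRIVILEGE}), or
     *                              reading/conversion fails (204)
     */
    @Override // com.sun.identity.entitlement.PolicyDataStore
    public ReferralPrivilege getReferral(Subject subject, String str, String str2) throws EntitlementException {
        // Identity comparison is intentional: superAdminSubject is a sentinel instance.
        SSOToken token = (subject == PrivilegeManager.superAdminSubject)
                ? dsameUserToken
                : SubjectUtils.getSSOToken(subject);
        if (token == null) {
            // Decompiler artifact: this constant stands in for a numeric error code (see class doc).
            throw new EntitlementException(TIFFImageDecoder.TIFF_PHOTOMETRIC_INTERPRETATION, str2);
        }
        String dn = getPolicyDistinguishedName(str, str2);
        if (!SMSEntry.checkIfEntryExists(dn, token)) {
            throw new EntitlementException(EntitlementException.NO_SUCH_REFERRAL_PRIVILEGE, str2);
        }
        try {
            // NOTE(review): createPolicy() returns null when XACML privileges are enabled;
            // presumably policyToPrivileges() does not accept null, which would surface as 204 — confirm.
            Object policy = createPolicy(token, str, readStoredPolicyXml(token, dn));
            return (ReferralPrivilege) PrivilegeUtils.policyToPrivileges(policy).iterator().next();
        } catch (Exception e) {
            throw new EntitlementException(204, new Object[]{str2}, e);
        }
    }

    /**
     * Reads the serialized policy from an SMS entry's {@code ATTR_KEYVAL} attribute,
     * stripping the {@code xmlpolicy} prefix (and the following separator) when present.
     *
     * @param token token used to read the entry
     * @param dn    DN of the policy entry
     * @return the policy XML as stored (minus the prefix)
     */
    @SuppressWarnings("unchecked")
    private static String readStoredPolicyXml(SSOToken token, String dn) throws SSOException, SMSException {
        Set<String> values = (Set<String>) new SMSEntry(token, dn).getAttributes().get(SMSEntry.ATTR_KEYVAL);
        // A missing or empty attribute fails here with an unchecked exception; callers map it to 204.
        String stored = values.iterator().next();
        if (stored.startsWith(POLICY_XML)) {
            return stored.substring(POLICY_XML.length() + 1);
        }
        return stored;
    }

    /**
     * Parses policy XML into a legacy {@link Policy}.
     *
     * @param token token used to build the {@link PolicyManager} and the configuration subject
     * @param realm realm name
     * @param xml   policy XML, optionally prefixed with {@code xmlpolicy=}
     * @return the parsed {@link Policy}, or {@code null} when the root entitlement
     *         configuration reports XACML privileges enabled
     * @throws Exception any failure from XML parsing or policy construction
     */
    private Object createPolicy(SSOToken token, String realm, String xml) throws Exception {
        String body = xml.startsWith(POLICY_XML_PREFIX) ? xml.substring(POLICY_XML_PREFIX.length()) : xml;
        // The XML comes from the SMS store; if XMLUtils.getXMLDocument does not already
        // disable DTD/external-entity resolution, that should be confirmed there.
        Document doc = XMLUtils.getXMLDocument(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
        Subject configSubject = SubjectUtils.createSubject(token);
        if (EntitlementUtils.getEntitlementConfiguration(configSubject, "/").xacmlPrivilegeEnabled()) {
            return null;
        }
        return new Policy(new PolicyManager(token, realm), XMLUtils.getRootNode(doc, "Policy"));
    }

    /**
     * Removes a privilege from the realm's index store.
     *
     * @param subject   calling subject; must resolve to an SSO token
     * @param str       realm name
     * @param privilege privilege to remove (only its name is used)
     * @throws EntitlementException when the subject has no token, the MODIFY check
     *                              fails, or the index store raises
     */
    @Override // com.sun.identity.entitlement.PolicyDataStore
    public void removePrivilege(Subject subject, String str, Privilege privilege) throws EntitlementException {
        SSOToken token = SubjectUtils.getSSOToken(subject);
        String name = privilege.getName();
        if (token == null) {
            // Decompiler artifact: this constant stands in for a numeric error code (see class doc).
            throw new EntitlementException(ASDataType.NONNEGATIVEINTEGER_DATATYPE, name);
        }
        requireModifyPrivilege(str, privilege);
        String[] logArgs = {DNMapper.orgNameToRealmName(str), name};
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO, "ATTEMPT_REMOVE_PRIVILEGE", logArgs, subject);
        PrivilegeIndexStore.getInstance(dsameUserSubject, str).delete(name);
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO, "SUCCEEDED_REMOVE_PRIVILEGE", logArgs, subject);
    }

    /**
     * Builds the DN of a policy entry.
     *
     * <p>NOTE(review): the policy name is concatenated into the DN without RFC 4514
     * escaping. Names are presumably validated before they reach this store; a name
     * containing {@code ,} or {@code =} would address a different entry — confirm.
     *
     * @param realm realm name
     * @param name  policy name
     * @return {@code ou=<name>,<store base DN>}
     */
    private static String getPolicyDistinguishedName(String realm, String name) {
        return "ou=" + name + "," + getStoreBaseDN(realm);
    }

    /**
     * Returns the DN of the realm's policy container.
     *
     * @param realm realm name
     * @return the container DN built from {@link #REALM_DN_TEMPLATE}
     */
    private static String getStoreBaseDN(String realm) {
        return MessageFormat.format(REALM_DN_TEMPLATE, DNMapper.orgNameToDN(realm));
    }

    /**
     * Verifies the MODIFY application privilege for a {@link Privilege}.
     *
     * <p>NOTE(review): the manager is obtained for {@code superAdminSubject}, not for the
     * calling subject, so whatever {@code hasPrivilege} evaluates it is not evaluated
     * against the caller. Caller-level authorization must therefore be enforced
     * before this store is reached — confirm with the {@link PrivilegeManager} layer.
     *
     * @param realm     realm name
     * @param privilege privilege being modified
     * @throws EntitlementException {@code PERMISSION_DENIED} when the check fails
     */
    private static void requireModifyPrivilege(String realm, Privilege privilege) throws EntitlementException {
        ApplicationPrivilegeManager apm = ApplicationPrivilegeManager.getInstance(realm, PrivilegeManager.superAdminSubject);
        if (!apm.hasPrivilege(privilege, ApplicationPrivilege.Action.MODIFY)) {
            throw new EntitlementException(EntitlementException.PERMISSION_DENIED);
        }
    }

    /**
     * Verifies the MODIFY application privilege for a {@link ReferralPrivilege}.
     * Same caveat as {@link #requireModifyPrivilege(String, Privilege)}.
     *
     * @param realm             realm name
     * @param referralPrivilege referral being modified
     * @throws EntitlementException {@code PERMISSION_DENIED} when the check fails
     */
    private static void requireModifyPrivilege(String realm, ReferralPrivilege referralPrivilege) throws EntitlementException {
        ApplicationPrivilegeManager apm = ApplicationPrivilegeManager.getInstance(realm, PrivilegeManager.superAdminSubject);
        if (!apm.hasPrivilege(referralPrivilege, ApplicationPrivilege.Action.MODIFY)) {
            throw new EntitlementException(EntitlementException.PERMISSION_DENIED);
        }
    }

    /**
     * Builds the SMS attribute map for a new referral entry.
     *
     * @param policyXml serialized legacy policy representing the referral
     * @return attributes: service id {@code NamedPolicy}, the service-component
     *         object classes, and the prefixed policy XML
     */
    private static Map<String, Set<String>> referralEntryAttributes(String policyXml) {
        Map<String, Set<String>> attrs = new HashMap<String, Set<String>>();
        Set<String> serviceId = new HashSet<String>(2);
        serviceId.add("NamedPolicy");
        attrs.put(SMSEntry.ATTR_SERVICE_ID, serviceId);
        Set<String> objectClasses = new HashSet<String>(4);
        objectClasses.add("top");
        objectClasses.add(SMSEntry.OC_SERVICE_COMP);
        attrs.put("objectclass", objectClasses);
        Set<String> keyVal = new HashSet<String>(2);
        keyVal.add(POLICY_XML_PREFIX + policyXml);
        attrs.put(SMSEntry.ATTR_KEYVAL, keyVal);
        return attrs;
    }

    /**
     * Logs a failed referral operation and builds the exception to rethrow.
     *
     * @param logMessageId audit message id (e.g. {@code FAILED_ADD_REFERRAL})
     * @param errorCode    {@link EntitlementException} code to raise
     * @param realm        realm name
     * @param name         referral name
     * @param cause        the underlying failure
     * @param subject      calling subject, recorded in the audit log
     * @return the exception for the caller to throw
     */
    private static EntitlementException referralFailure(String logMessageId, int errorCode, String realm, String name,
            Exception cause, Subject subject) {
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.ERROR, Level.INFO, logMessageId,
                new String[]{DNMapper.orgNameToRealmName(realm), name, cause.getMessage()}, subject);
        return new EntitlementException(errorCode, new Object[]{name}, cause);
    }

    /**
     * Persists a referral privilege as an SMS entry and adds it to the index store.
     *
     * @param subject           calling subject; must resolve to an SSO token
     * @param str               realm name
     * @param referralPrivilege referral to add
     * @throws EntitlementException 260 when the subject has no token,
     *                              {@code PERMISSION_DENIED} when the MODIFY check
     *                              fails, 261 when the SMS write fails
     */
    @Override // com.sun.identity.entitlement.PolicyDataStore
    public void addReferral(Subject subject, String str, ReferralPrivilege referralPrivilege) throws EntitlementException {
        String name = referralPrivilege.getName();
        String dn = getPolicyDistinguishedName(str, name);
        if (SubjectUtils.getSSOToken(subject) == null) {
            throw new EntitlementException(260, name);
        }
        requireModifyPrivilege(str, referralPrivilege);
        String[] logArgs = {DNMapper.orgNameToRealmName(str), name};
        try {
            // The write uses the administrative token; the caller's token only had to exist.
            createParentNode(dsameUserToken, str);
            SMSEntry entry = new SMSEntry(dsameUserToken, dn);
            String policyXml = PrivilegeUtils.referralPrivilegeToPolicy(str, referralPrivilege).toXML();
            entry.setAttributes(referralEntryAttributes(policyXml));
            OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO, "ATTEMPT_ADD_REFERRAL", logArgs, subject);
            entry.save();
            OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO, "SUCCEEDED_ADD_REFERRAL", logArgs, subject);
            // Index update is outside the audit bracket above, as in the original flow.
            PrivilegeIndexStore indexStore = PrivilegeIndexStore.getInstance(dsameUserSubject, str);
            // Raw set on purpose: see addPolicy().
            HashSet batch = new HashSet();
            batch.add(referralPrivilege);
            indexStore.add(batch);
        } catch (SSOException e) {
            throw referralFailure("FAILED_ADD_REFERRAL", 261, str, name, e, subject);
        } catch (PolicyException e) {
            throw referralFailure("FAILED_ADD_REFERRAL", 261, str, name, e, subject);
        } catch (SMSException e) {
            throw referralFailure("FAILED_ADD_REFERRAL", 261, str, name, e, subject);
        }
    }

    /**
     * Deletes a referral's SMS entry and removes it from the index store.
     *
     * @param subject           calling subject; must resolve to an SSO token
     * @param str               realm name
     * @param referralPrivilege referral to remove (only its name is used)
     * @throws EntitlementException when the subject has no token, the MODIFY check
     *                              fails, the entry does not exist
     *                              ({@code NO_SUCH_REFERRAL_PRIVILEGE}), or the
     *                              delete fails (205)
     */
    @Override // com.sun.identity.entitlement.PolicyDataStore
    public void removeReferral(Subject subject, String str, ReferralPrivilege referralPrivilege) throws EntitlementException {
        SSOToken token = SubjectUtils.getSSOToken(subject);
        String name = referralPrivilege.getName();
        if (token == null) {
            // Decompiler artifact: this constant stands in for a numeric error code (see class doc).
            throw new EntitlementException(TIFFImageDecoder.TIFF_FILL_ORDER, name);
        }
        requireModifyPrivilege(str, referralPrivilege);
        String dn = getPolicyDistinguishedName(str, name);
        // Existence is checked with the administrative token, matching the delete below.
        if (!SMSEntry.checkIfEntryExists(dn, dsameUserToken)) {
            throw new EntitlementException(EntitlementException.NO_SUCH_REFERRAL_PRIVILEGE, name);
        }
        String[] logArgs = {DNMapper.orgNameToRealmName(str), name};
        try {
            OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO, "ATTEMPT_REMOVE_REFERRAL", logArgs, subject);
            new SMSEntry(dsameUserToken, dn).delete();
            OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO, "SUCCEEDED_REMOVE_REFERRAL", logArgs, subject);
            PrivilegeIndexStore.getInstance(dsameUserSubject, str).deleteReferral(name);
        } catch (SSOException e) {
            throw referralFailure("FAILED_REMOVE_REFERRAL", 205, str, name, e, subject);
        } catch (SMSException e) {
            throw referralFailure("FAILED_REMOVE_REFERRAL", 205, str, name, e, subject);
        }
    }
}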
