package org.forgerock.openam.session;

import com.iplanet.dpro.session.SessionException;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.delegation.DelegationEvaluator;
import com.sun.identity.delegation.DelegationException;
import com.sun.identity.delegation.DelegationPermissionFactory;
import com.sun.identity.log.LogConstants;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.session.util.SessionUtils;
import com.sun.identity.shared.datastruct.CollectionHelper;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.sm.DNMapper;
import com.sun.identity.sm.SMSException;
import com.sun.identity.sm.ServiceConfigManager;
import com.sun.identity.sm.ServiceListener;
import java.security.AccessController;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.forgerock.openam.sdk.javax.inject.Inject;
import org.forgerock.openam.sdk.javax.inject.Singleton;

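/**
 * Per-realm allow-list of session property names that may be read without
 * delegated administrator privileges.
 *
 * <p>The list for a realm is read from the {@value #WHITELIST_ATTRIBUTE_NAME}
 * attribute of the {@value #SERVICE_NAME} organization configuration, cached
 * under the lower-cased realm name, and refreshed by a {@link ServiceListener}
 * when that configuration changes.
 *
 * <p>Lookups fail closed: when the list cannot be loaded, an empty set is
 * used, so only callers holding the delegated read permission pass
 * {@link #isPropertyListed}.
 *
 * <p>Decompiled from WEB-INF/lib/openam-clientsdk-15.0.2.jar
 * (org/forgerock/openam/session/SessionPropertyWhitelist.class); the
 * generated parameter names are kept on the public methods.
 */
@Singleton
public class SessionPropertyWhitelist {
    public static final String SERVICE_NAME = "SessionPropertyWhitelistService";
    public static final String SERVICE_VERSION = "1.0";
    private static final Debug LOGGER = Debug.getInstance(SessionConstants.SESSION_DEBUG);
    private static final String WHITELIST_ATTRIBUTE_NAME = "forgerock-session-property-whitelist";

    // Cache: lower-cased realm name -> property names listed for that realm.
    private final Map<String, Set<String>> WHITELIST_REALM_MAP = new ConcurrentHashMap<>();

    // Stays null when the constructor could not create it; see installWhitelist.
    private ServiceConfigManager serviceConfigManager;
    private final DelegationEvaluator delegationEvaluator;
    private final DelegationPermissionFactory delegationPermissionFactory;

    /**
     * Reloads a realm's cached list when its organization configuration
     * changes. Schema and global configuration changes are ignored.
     */
    private final class SessionPropertyWhitelistListener implements ServiceListener {
        private SessionPropertyWhitelistListener() {
        }

        @Override // com.sun.identity.sm.ServiceListener
        public void schemaChanged(String serviceName, String version) {
            // Intentionally empty: the cache depends only on organization configuration.
        }

        @Override // com.sun.identity.sm.ServiceListener
        public void globalConfigChanged(String serviceName, String version, String groupName, String serviceComponent, int type) {
            // Intentionally empty: the cache depends only on organization configuration.
        }

        @Override // com.sun.identity.sm.ServiceListener
        public void organizationConfigChanged(String serviceName, String version, String orgName, String groupName, String serviceComponent, int type) {
            try {
                // React only to this service at the version this class was written for.
                if (SERVICE_NAME.equals(serviceName) && SERVICE_VERSION.equals(version)) {
                    SessionPropertyWhitelist.this.installWhitelist(DNMapper.orgNameToRealmName(orgName));
                }
            } catch (SSOException | SMSException e) {
                // The previously cached list (if any) stays in place until a later reload succeeds.
                SessionPropertyWhitelist.LOGGER.error("Unable to load ServiceConfigManager for SessionPropertyWhitelist in realm {}", orgName, e);
            }
        }
    }

    /**
     * Creates the whitelist and registers a listener for configuration changes.
     *
     * <p>The service configuration is opened with the admin token. If that
     * fails, the error is logged, no listener is registered and the instance
     * is still constructed; every later lookup then yields an empty list.
     *
     * @param delegationEvaluator evaluates delegated permissions for a caller
     * @param delegationPermissionFactory builds the permission to evaluate
     */
    @Inject
    public SessionPropertyWhitelist(DelegationEvaluator delegationEvaluator, DelegationPermissionFactory delegationPermissionFactory) {
        this.delegationEvaluator = delegationEvaluator;
        this.delegationPermissionFactory = delegationPermissionFactory;
        try {
            this.serviceConfigManager = new ServiceConfigManager((SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance()), SERVICE_NAME, SERVICE_VERSION);
            this.serviceConfigManager.addListener(new SessionPropertyWhitelistListener());
        } catch (SSOException | SMSException e) {
            if (LOGGER.errorEnabled()) {
                LOGGER.error("Unable to load ServiceConfigManager for SessionPropertyWhitelist.", e);
            }
        }
    }

    /**
     * Returns the property names listed for a realm.
     *
     * @param str realm name; matched case-insensitively
     * @return an unmodifiable set, empty when the list could not be loaded
     */
    public Set<String> getAllListedProperties(String str) {
        return getWhitelist(str);
    }

    /**
     * Checks whether the caller holds the delegated permission that is
     * evaluated for the "getProperty" action on the "sessions" REST resource.
     *
     * @param sSOToken token of the caller
     * @param str realm the permission is evaluated in
     * @return the delegation evaluator's decision
     * @throws DelegationException if the permission cannot be built or evaluated
     * @throws SSOException if the token is rejected during evaluation
     */
    public boolean userHasReadAdminPrivs(SSOToken sSOToken, String str) throws DelegationException, SSOException {
        // NOTE(review): LogConstants.LOG_READ is what the decompiler resolved the
        // action constant to; presumably it is the plain read action name - confirm
        // against the original source.
        return this.delegationEvaluator.isAllowed(
                sSOToken,
                this.delegationPermissionFactory.newInstance(str, "rest", "1.0", "sessions", "getProperty", Collections.singleton(LogConstants.LOG_READ), Collections.emptyMap()),
                Collections.emptyMap());
    }

    /**
     * Decides whether the caller may read the given session properties.
     *
     * <p>A caller with the delegated read permission is allowed regardless of
     * the whitelist. Any other caller is allowed only when every requested
     * name is listed for the realm. An empty {@code collection} is therefore
     * allowed for every caller, because there is nothing to reject.
     *
     * @param sSOToken token of the caller
     * @param str realm name
     * @param collection property names the caller asks for
     * @return {@code true} if the read is permitted
     * @throws DelegationException if the delegation check fails
     * @throws SSOException if the token is rejected during the delegation check
     */
    public boolean isPropertyListed(SSOToken sSOToken, String str, Collection<String> collection) throws DelegationException, SSOException {
        return userHasReadAdminPrivs(sSOToken, str) || getWhitelist(str).containsAll(collection);
    }

    /**
     * Loads a realm's list from its organization configuration into the cache.
     *
     * <p>Public only because the decompiler widened it for the inner listener;
     * the original access modifier was private.
     *
     * @param str realm name; the cache key is its lower-cased form
     * @throws SSOException if the configuration cannot be read
     * @throws SMSException if the configuration cannot be read, or the service
     *         configuration manager was never created
     */
    public void installWhitelist(String str) throws SSOException, SMSException {
        if (this.serviceConfigManager == null) {
            // The constructor logs and continues when the manager cannot be created.
            // Report that as a checked failure so callers take their existing
            // error path instead of hitting a NullPointerException.
            throw new SMSException("ServiceConfigManager for " + SERVICE_NAME + " is not available");
        }
        // NOTE(review): getOrganizationConfig may return null for a realm without
        // this service configured - confirm and guard if so.
        Set<String> listed = CollectionHelper.getServerMapAttrs(
                this.serviceConfigManager.getOrganizationConfig(str, null).getAttributes(),
                WHITELIST_ATTRIBUTE_NAME);
        // ConcurrentHashMap rejects null values; a missing attribute means nothing is listed.
        // Locale.ROOT keeps the key independent of the JVM's default locale.
        this.WHITELIST_REALM_MAP.put(
                str.toLowerCase(Locale.ROOT),
                listed == null ? Collections.<String>emptySet() : listed);
    }

    /**
     * Returns the cached list for a realm, loading it on first use.
     *
     * @param str realm name
     * @return an unmodifiable view of the list, or an empty set when it cannot be loaded
     */
    private Set<String> getWhitelist(String str) {
        String realmKey = str.toLowerCase(Locale.ROOT);
        // Read the cache once per step so a concurrent reload cannot change the
        // value between the null check and the return.
        Set<String> listed = this.WHITELIST_REALM_MAP.get(realmKey);
        if (listed == null) {
            try {
                installWhitelist(realmKey);
            } catch (SSOException | SMSException e) {
                LOGGER.error("Unable to load ServiceConfigManager for SessionPropertyWhitelist in realm {}", str, e);
                // Fail closed: with no list, nothing is readable without admin privileges.
                return Collections.emptySet();
            }
            listed = this.WHITELIST_REALM_MAP.get(realmKey);
            if (listed == null) {
                return Collections.emptySet();
            }
        }
        return Collections.unmodifiableSet(listed);
    }

    /**
     * Checks whether the caller may set every named session property.
     *
     * @param sSOToken token of the caller
     * @param collection property names to check; each is checked with a null value
     * @return {@code false} as soon as one name is refused, otherwise {@code true}
     */
    public boolean isPropertySetSettable(SSOToken sSOToken, Collection<String> collection) {
        for (String propertyName : collection) {
            try {
                SessionUtils.checkPermissionToSetProperty(sSOToken, propertyName, null);
            } catch (SessionException e) {
                // A refusal is the answer here, not an error to propagate.
                return false;
            }
        }
        return true;
    }

    /**
     * Checks whether the caller may set every name/value pair in the map.
     *
     * @param sSOToken token of the caller
     * @param map property names mapped to the values to be set
     * @return {@code false} as soon as one entry is refused, otherwise {@code true}
     */
    public boolean isPropertyMapSettable(SSOToken sSOToken, Map<String, String> map) {
        for (Map.Entry<String, String> entry : map.entrySet()) {
            try {
                SessionUtils.checkPermissionToSetProperty(sSOToken, entry.getKey(), entry.getValue());
            } catch (SessionException e) {
                // A refusal is the answer here, not an error to propagate.
                return false;
            }
        }
        return true;
    }
}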
