package org.forgerock.openam.entitlement.conditions.environment;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.entitlement.ConditionDecision;
import com.sun.identity.entitlement.EntitlementConditionAdaptor;
import com.sun.identity.entitlement.EntitlementException;
import com.sun.identity.entitlement.PrivilegeManager;
import com.sun.identity.shared.debug.Debug;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import org.forgerock.openam.core.CoreWrapper;
import org.forgerock.openam.sdk.org.json.JSONException;
import org.forgerock.openam.sdk.org.json.JSONObject;
import org.forgerock.openam.utils.CollectionUtils;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.2.jar:org/forgerock/openam/entitlement/conditions/environment/AuthLevelCondition.class */
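/**
 * Entitlement environment condition that is satisfied only when the request carries an
 * authentication level at least as high as the configured {@code authLevel}.
 *
 * <p>The level presented by the request is taken from the {@code requestAuthLevel} entry of the
 * environment map when that entry exists, and otherwise from the {@link SSOToken} found in the
 * subject's private credentials. When the requirement is not met, the decision carries an
 * {@code AuthLevelConditionAdvice} entry holding the required level.
 *
 * <p>NOTE(review): a {@code requestAuthLevel} value in the environment map takes precedence over
 * the levels recorded on the token and is used as supplied. Confirm that every caller builds that
 * map from trusted data only; this class performs no check of its own.
 */
public class AuthLevelCondition extends EntitlementConditionAdaptor {
    private static final String AUTH_LEVEL = "authLevel";
    private static final String REQUEST_AUTH_LEVEL = "requestAuthLevel";
    private static final String AUTH_LEVEL_CONDITION_ADVICE = "AuthLevelConditionAdvice";
    private final Debug debug;
    private final CoreWrapper coreWrapper;
    // Minimum level the request must present; null until setState/setAuthLevel supplies it.
    private Integer authLevel;
    // Realm the levels are compared within; null or empty selects the realm-agnostic comparison.
    private String authRealm;

    /** Creates a condition that logs to {@code PrivilegeManager.debug} and uses a new {@link CoreWrapper}. */
    public AuthLevelCondition() {
        this(PrivilegeManager.debug, new CoreWrapper());
    }

    /**
     * Creates a condition with explicit collaborators.
     *
     * <p>The decompiler reports that this constructor was package-private in the original class.
     *
     * @param debug logger used for diagnostic output
     * @param coreWrapper helper used to split realm-qualified data and read levels from a token
     */
    public AuthLevelCondition(Debug debug, CoreWrapper coreWrapper) {
        this.debug = debug;
        this.coreWrapper = coreWrapper;
    }

    /**
     * Loads the condition from its JSON representation.
     *
     * <p>A {@link JSONException} is logged at message level and not propagated, so after a failed
     * load {@code authLevel} keeps whatever value it had before the call. {@link #evaluate} and
     * {@link #validate} reject a condition whose level is still {@code null}.
     *
     * @param str JSON text containing an integer {@code authLevel} property
     */
    @Override // com.sun.identity.entitlement.EntitlementCondition
    public void setState(String str) {
        try {
            JSONObject jSONObject = new JSONObject(str);
            setState(jSONObject);
            this.authLevel = Integer.valueOf(jSONObject.getInt(AUTH_LEVEL));
            // NOTE(review): the realm is derived from the bare integer level, which carries no
            // realm qualifier; confirm what getRealmFromRealmQualifiedData returns for it.
            this.authRealm = this.coreWrapper.getRealmFromRealmQualifiedData("" + this.authLevel);
        } catch (JSONException e) {
            this.debug.message("AuthLevelCondition: Failed to set state", e);
        }
    }

    /** Returns the JSON form produced by {@link #toString()}, which may be {@code null}. */
    @Override // com.sun.identity.entitlement.EntitlementCondition
    public String getState() {
        return toString();
    }

    /**
     * Decides whether the request meets the configured authentication level.
     *
     * <p>The environment map is consulted first; the subject's {@link SSOToken} is consulted only
     * when the map yields no level. Any failure to read the token results in a denying decision.
     *
     * @param str not read by this implementation
     * @param subject subject whose private credentials may hold an {@link SSOToken}; may be null
     * @param str2 not read by this implementation
     * @param map environment parameters, optionally containing {@code requestAuthLevel}
     * @return the decision, with advice attached when the level is insufficient
     * @throws EntitlementException if {@code authLevel} is unset or a presented level is not an integer
     */
    @Override // com.sun.identity.entitlement.EntitlementCondition
    public ConditionDecision evaluate(String str, Subject subject, String str2, Map<String, Set<String>> map) throws EntitlementException {
        if (this.authLevel == null) {
            throw new EntitlementException(EntitlementException.PROPERTY_VALUE_NOT_DEFINED, new String[]{AUTH_LEVEL}, (Throwable) null);
        }
        boolean allowed = false;
        Map<String, Set<String>> advices = new HashMap<>();
        if (this.debug.messageEnabled()) {
            this.debug.message(getConditionName() + ".getConditionDecision():entering");
        }
        try {
            int maxRequestAuthLevel = getMaxRequestAuthLevel(map);
            if (maxRequestAuthLevel == Integer.MIN_VALUE && subject != null) {
                // Select the credential by type: taking the first private credential blindly
                // throws NoSuchElementException for a subject without credentials and
                // ClassCastException when the first credential is not an SSOToken.
                Iterator<SSOToken> tokens = subject.getPrivateCredentials(SSOToken.class).iterator();
                if (tokens.hasNext()) {
                    maxRequestAuthLevel = getMaxRequestAuthLevel(tokens.next());
                } else if (this.debug.messageEnabled()) {
                    // No token means no proven level: the MIN_VALUE sentinel is kept and the
                    // request is denied with advice below.
                    this.debug.message(getConditionName() + ".getConditionDecision():no SSOToken in subject private credentials");
                }
            }
            allowed = isAllowed(maxRequestAuthLevel, advices);
            if (this.debug.messageEnabled()) {
                this.debug.message("At " + getConditionName() + ".getConditionDecision():authLevel=" + this.authLevel + ",maxRequestAuthLevel=" + maxRequestAuthLevel + ",allowed = " + allowed);
            }
        } catch (SSOException e) {
            // Fail closed: 'allowed' is still false here, so an unreadable token denies access.
            if (this.debug.messageEnabled()) {
                this.debug.message("Problem getting auth level from SSOToken: " + e.getMessage(), e);
            }
        }
        return new ConditionDecision(allowed, advices);
    }

    /**
     * Compares a presented level with the configured one and records advice on failure.
     *
     * @param i highest level presented by the request, or {@code Integer.MIN_VALUE} for none
     * @param map advice map that receives {@code AuthLevelConditionAdvice} when access is denied
     * @return {@code true} when {@code i} is at least the configured level
     */
    protected boolean isAllowed(int i, Map<String, Set<String>> map) {
        if (i >= this.authLevel.intValue()) {
            return true;
        }
        Set<String> advice = new HashSet<>(1);
        advice.add(this.authLevel.toString());
        map.put(AUTH_LEVEL_CONDITION_ADVICE, advice);
        return false;
    }

    /** Returns the name used as a prefix in debug output. */
    protected String getConditionName() {
        return "AuthLevelCondition";
    }

    /**
     * Reads the highest level from the {@code requestAuthLevel} entry of the environment map.
     *
     * @param map environment parameters
     * @return the highest level found, or {@code Integer.MIN_VALUE} when the entry is absent
     * @throws EntitlementException if a level value is not an integer
     */
    private int getMaxRequestAuthLevel(Map<String, Set<String>> map) throws EntitlementException {
        int maxAuthLevel = Integer.MIN_VALUE;
        if (this.debug.messageEnabled()) {
            // NOTE(review): this writes the whole environment map to the debug log; confirm
            // that nothing sensitive is carried in it when message-level debugging is on.
            this.debug.message(getConditionName() + ".getMaxRequestAuthLevel(envMap,realm): entering: envMap= " + map + ", authRealm= " + this.authRealm + ", conditionAuthLevel= " + this.authLevel);
        }
        Set<String> levels = map.get(REQUEST_AUTH_LEVEL);
        if (levels != null) {
            maxAuthLevel = (this.authRealm == null || this.authRealm.length() == 0) ? getHighestAuthLevel(levels) : getHighestRealmAuthLevel(levels);
        }
        if (this.debug.messageEnabled()) {
            this.debug.message(getConditionName() + ".getMaxRequestAuthLevel(): returning: maxAuthLevel=" + maxAuthLevel);
        }
        return maxAuthLevel;
    }

    /**
     * Returns the largest level in {@code set}, ignoring any realm qualifier.
     *
     * @param set level strings; may be null or empty
     * @return the largest level, or {@code Integer.MIN_VALUE} when there is none
     * @throws EntitlementException if a level value is not an integer
     */
    private int getHighestAuthLevel(Set<String> set) throws EntitlementException {
        int highest = Integer.MIN_VALUE;
        if (set != null && !set.isEmpty()) {
            for (String level : set) {
                highest = Math.max(highest, getAuthLevel(level));
            }
        }
        return highest;
    }

    /**
     * Returns the largest level in {@code set} among the entries whose realm equals {@code authRealm}.
     *
     * @param set realm-qualified level strings; may be null or empty
     * @return the largest matching level, or {@code Integer.MIN_VALUE} when none matches
     * @throws EntitlementException if a matching level value is not an integer
     */
    private int getHighestRealmAuthLevel(Set<String> set) throws EntitlementException {
        int highest = Integer.MIN_VALUE;
        if (set != null && !set.isEmpty()) {
            for (String qualifiedLevel : set) {
                if (this.authRealm.equals(this.coreWrapper.getRealmFromRealmQualifiedData(qualifiedLevel))) {
                    highest = Math.max(highest, getAuthLevel(qualifiedLevel));
                }
            }
        }
        return highest;
    }

    /**
     * Reads the highest level recorded on the given token.
     *
     * @param sSOToken session token of the subject
     * @return the highest level, or {@code Integer.MIN_VALUE} when the token records none
     * @throws EntitlementException if a level value is not an integer
     * @throws SSOException if the levels cannot be read from the token
     */
    private int getMaxRequestAuthLevel(SSOToken sSOToken) throws EntitlementException, SSOException {
        int highestAuthLevel;
        if (this.debug.messageEnabled()) {
            this.debug.message(getConditionName() + ".getMaxRequestAuthLevel(token,realm): entering: authRealm = " + this.authRealm + ", conditionAuthLevel= " + this.authLevel);
        }
        if (this.authRealm == null || this.authRealm.length() == 0) {
            Set<String> authenticatedLevels = this.coreWrapper.getAuthenticatedLevels(sSOToken);
            if (this.debug.messageEnabled()) {
                this.debug.message(getConditionName() + ".getMaxRequestAuthLevel(): levels from token= " + authenticatedLevels);
            }
            highestAuthLevel = getHighestAuthLevel(authenticatedLevels);
        } else {
            Set<String> realmQualifiedAuthenticatedLevels = this.coreWrapper.getRealmQualifiedAuthenticatedLevels(sSOToken);
            if (this.debug.messageEnabled()) {
                this.debug.message(getConditionName() + ".getMaxRequestAuthLevel(): qualifiedLevels from token= " + realmQualifiedAuthenticatedLevels);
            }
            highestAuthLevel = getHighestRealmAuthLevel(realmQualifiedAuthenticatedLevels);
        }
        if (this.debug.messageEnabled()) {
            this.debug.message(getConditionName() + ".getMaxRequestAuthLevel(): returning: maxAuthLevel= " + highestAuthLevel);
        }
        return highestAuthLevel;
    }

    /**
     * Parses the integer level out of a (possibly realm-qualified) level string.
     *
     * @param str level string as supplied by the environment map or the token
     * @return the parsed level
     * @throws EntitlementException with {@code AUTH_LEVEL_NOT_INTEGER} if the data part is not an integer
     */
    private int getAuthLevel(String str) throws EntitlementException {
        String levelString = this.coreWrapper.getDataFromRealmQualifiedData(str);
        try {
            return Integer.parseInt(levelString);
        } catch (NumberFormatException e) {
            if (this.debug.warningEnabled()) {
                this.debug.warning(getConditionName() + ".getAuthLevel(qualifiedLevel):got NumberFormatException:qualifiedLevel=" + str + ", levelString = " + levelString);
            }
            throw new EntitlementException(EntitlementException.AUTH_LEVEL_NOT_INTEGER, new Object[]{levelString}, e);
        }
    }

    /** Builds the JSON form: the inherited properties plus {@code authLevel}. */
    private JSONObject toJSONObject() throws JSONException {
        JSONObject jSONObject = new JSONObject();
        toJSONObject(jSONObject);
        jSONObject.put(AUTH_LEVEL, this.authLevel);
        return jSONObject;
    }

    /**
     * Returns the condition as JSON text indented by two spaces.
     *
     * @return the JSON text, or {@code null} when serialization fails (the failure is logged)
     */
    @Override
    public String toString() {
        String json = null;
        try {
            json = toJSONObject().toString(2);
        } catch (JSONException e) {
            PrivilegeManager.debug.error(getConditionName() + ".toString()", e);
        }
        return json;
    }

    /** Returns the configured minimum level, or {@code null} when none has been set. */
    public Integer getAuthLevel() {
        return this.authLevel;
    }

    /**
     * Sets the minimum level. {@code authRealm} is left unchanged by this setter.
     *
     * @param num the required level; checked by {@link #validate()}, not here
     */
    public void setAuthLevel(Integer num) {
        this.authLevel = num;
    }

    /**
     * Checks that a non-negative level has been configured.
     *
     * @throws EntitlementException if {@code authLevel} is unset or negative
     */
    @Override // com.sun.identity.entitlement.EntitlementCondition
    public void validate() throws EntitlementException {
        if (this.authLevel == null) {
            throw new EntitlementException(EntitlementException.PROPERTY_VALUE_NOT_DEFINED, AUTH_LEVEL);
        }
        if (this.authLevel.intValue() < 0) {
            // NOTE(review): 400 is a literal error code inlined by the decompiler; confirm
            // which EntitlementException constant it corresponds to.
            throw new EntitlementException(400, AUTH_LEVEL, this.authLevel);
        }
    }

    /** Two conditions are equal when the superclass agrees and both realm and level match. */
    @Override // com.sun.identity.entitlement.EntitlementConditionAdaptor
    public boolean equals(Object obj) {
        if (!super.equals(obj) || !getClass().equals(obj.getClass())) {
            return false;
        }
        AuthLevelCondition other = (AuthLevelCondition) obj;
        return CollectionUtils.genericCompare(this.authRealm, other.authRealm)
                && CollectionUtils.genericCompare(this.authLevel, other.authLevel);
    }

    /** Combines the superclass hash with the realm and level, skipping whichever is null. */
    @Override // com.sun.identity.entitlement.EntitlementConditionAdaptor
    public int hashCode() {
        int result = super.hashCode();
        if (this.authRealm != null) {
            result = (31 * result) + this.authRealm.hashCode();
        }
        if (this.authLevel != null) {
            result = (31 * result) + this.authLevel.hashCode();
        }
        return result;
    }
}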
