package com.sun.identity.entitlement.opensso;

import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.util.ISAuthConstants;
import com.sun.identity.common.DisplayUtils;
import com.sun.identity.entitlement.Application;
import com.sun.identity.entitlement.ApplicationPrivilege;
import com.sun.identity.entitlement.ApplicationPrivilegeManager;
import com.sun.identity.entitlement.Entitlement;
import com.sun.identity.entitlement.EntitlementCondition;
import com.sun.identity.entitlement.EntitlementException;
import com.sun.identity.entitlement.EntitlementSubject;
import com.sun.identity.entitlement.Evaluator;
import com.sun.identity.entitlement.IPrivilege;
import com.sun.identity.entitlement.OrSubject;
import com.sun.identity.entitlement.Privilege;
import com.sun.identity.entitlement.PrivilegeManager;
import com.sun.identity.entitlement.ReferralPrivilege;
import com.sun.identity.entitlement.RegExResourceName;
import com.sun.identity.entitlement.ResourceMatch;
import com.sun.identity.entitlement.ResourceSearchIndexes;
import com.sun.identity.entitlement.SubjectAttributesManager;
import com.sun.identity.entitlement.SubjectImplementation;
import com.sun.identity.entitlement.interfaces.ResourceName;
import com.sun.identity.entitlement.util.SearchFilter;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.sm.DNMapper;
import com.sun.identity.sm.SMSEntry;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.security.AccessController;
import java.security.Principal;
import java.text.MessageFormat;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import javax.security.auth.Subject;
import org.apache.xmlgraphics.image.codec.tiff.TIFFImageDecoder;
import org.forgerock.openam.entitlement.PolicyConstants;
import org.forgerock.openam.entitlement.ResourceType;
import org.forgerock.openam.entitlement.conditions.environment.SimpleTimeCondition;
import org.forgerock.openam.entitlement.service.ResourceTypeService;
import org.forgerock.openam.entitlement.utils.EntitlementUtils;
import org.forgerock.openam.ldap.LDAPUtils;
import org.forgerock.openam.sdk.org.forgerock.opendj.ldap.DN;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.3.jar:com/sun/identity/entitlement/opensso/OpenSSOApplicationPrivilegeManager.class */
public class OpenSSOApplicationPrivilegeManager extends ApplicationPrivilegeManager {
    /** Path, below the realm's "sms://<realm dn>" root, under which delegation privileges keep their resources. */
    private static final String RESOURCE_PREFIX = "/sunEntitlementService/1.0/application/default/application";
    /** Application the generated privileges are created in (same literal is also used inline below). */
    private static final String APPL_NAME = "sunAMDelegationService";
    /** Resource patterns ({0} = realm DN) that the companion "ghost" privilege grants read access to; see toPrivilege. */
    private static final String SUN_AM_REALM_RESOURCE = "sms://*{0}/sunAMRealmService/*";
    private static final String SUN_IDREPO_RESOURCE = "sms://*{0}/sunIdentityRepositoryService/1.0/application/*";
    // Realm that stores the delegation privileges; presumably what getHiddenRealmDN() (not in view) is built from — confirm.
    private static final String HIDDEN_REALM_DN = "o=sunamhiddenrealmdelegationservicepermissions,ou=services,";
    /** Name prefix of the ghost privilege that is stored (and removed) together with each application privilege. */
    private static final String GHOST_PRIVILEGE_NAME_PREFIX = "^^";
    /** Shared comparator for the sub-resource tests in Permission; assumed stateless for concurrent use — confirm. */
    private static final RegExResourceName regExComparator = new RegExResourceName();
    private String realm;
    /** The subject whose delegation rights this manager exposes; every permission decision below is about this caller. */
    private Subject caller;
    /** Caller's privileges granting read+delegate, read, and read+modify respectively (built in initPermissionObjects). */
    private Permission delegatables;
    private Permission readables;
    private Permission modifiables;
    /** Lower-cased "sms://<realm dn>" + RESOURCE_PREFIX, assigned in init(). */
    private String resourcePrefix;
    private final ResourceTypeService resourceTypeService;
    // Administrative credentials: all privilege-store reads and writes in this class run as this
    // subject, so the delegatables/readables/modifiables checks are the only authorization gate.
    private SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    private Subject dsameUserSubject = SubjectUtils.createSubject(this.adminToken);
    // NOTE(review): as decompiled, this field initializer runs before the constructor assigns
    // realm and caller, both of which isPolicyAdmin() reads; the original source presumably
    // assigned it later (e.g. from init()) — confirm before relying on this ordering.
    private boolean bPolicyAdmin = isPolicyAdmin();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.3.jar:com/sun/identity/entitlement/opensso/OpenSSOApplicationPrivilegeManager$Permission.class */
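    /**
     * Caller-scoped cache of delegation privileges for one action combination. The outer manager
     * keeps three instances (read, read+modify, read+delegate). {@link #evaluate(Privilege)} admits a
     * privilege when it grants every action in {@code actions} (policy admins are admitted without
     * that test) and every one of its resources starts with {@code resourcePrefix}; the
     * application/resource pairs parsed from those resources are merged into
     * {@code appNameToResourceNames}. The {@code hasPermission} methods then answer whether a
     * requested privilege or referral stays within the cached resources. For a policy admin the
     * constructor seeds the map with the full application/resource map it is handed instead.
     * Not thread-safe: both maps are plain HashMaps mutated by evaluate/removePrivilege.
     */
    public class Permission {
        /** Admitted privileges, keyed by privilege name. */
        private final Map<String, Privilege> privileges = new HashMap<String, Privilege>();
        /** Application name -> resource names this permission covers in that application. */
        private final Map<String, Set<String>> appNameToResourceNames = new HashMap<String, Set<String>>();
        /** Actions a privilege must grant (all of them) to be admitted. */
        private final Set<String> actions;
        private final boolean bPolicyAdmin;
        /** Lower-cased resource prefix a privilege's resources must start with to be considered. */
        private final String resourcePrefix;

        /**
         * @param requiredActions actions that a privilege must grant to be admitted (copied)
         * @param policyAdmin whether the caller is a policy admin
         * @param prefix lower-cased resource prefix, see {@link OpenSSOApplicationPrivilegeManager#init()}
         * @param seedResources application -> resources map copied in only for policy admins
         */
        private Permission(Set<String> requiredActions, boolean policyAdmin, String prefix, Map<String, Set<String>> seedResources) throws EntitlementException {
            this.actions = new HashSet<String>(requiredActions);
            this.bPolicyAdmin = policyAdmin;
            this.resourcePrefix = prefix;
            if (policyAdmin) {
                // Admins see every application/resource up front; other callers accumulate
                // theirs privilege by privilege in evaluate().
                this.appNameToResourceNames.putAll(seedResources);
            }
        }

        /** Returns a copy of the application names this permission covers (empty, never {@code null}). */
        public Set<String> getApplications() {
            return new HashSet<String>(this.appNameToResourceNames.keySet());
        }

        /** Whether a privilege of that name has been admitted. */
        public boolean hasPrivilege(String privilegeName) {
            return this.privileges.containsKey(privilegeName);
        }

        /** Forgets the privilege; the resources it contributed stay in the cache. */
        public void removePrivilege(String privilegeName) {
            this.privileges.remove(privilegeName);
        }

        /** The admitted privilege of that name, or {@code null}. */
        public Privilege getPrivilege(String privilegeName) {
            return this.privileges.get(privilegeName);
        }

        /** Read-only view of the admitted privilege names. */
        public Set<String> getPrivilegeNames() {
            return Collections.unmodifiableSet(this.privileges.keySet());
        }

        /**
         * Resource names cached for an application, or {@code null} if none. This is the live
         * internal set; callers must not modify it.
         */
        public Set<String> getResourceNames(String applicationName) {
            return this.appNameToResourceNames.get(applicationName);
        }

        /**
         * Admits a privilege found by the sub-resource search when, for some application it names,
         * all of its resources in that application are sub-resources of what is already cached.
         * The whole parsed resource map of the privilege is merged, not only the matching application.
         *
         * @param privilege candidate privilege
         * @param unused not consulted; kept for the existing call sites
         */
        public void evaluate(Privilege privilege, boolean unused) {
            if (this.privileges.containsKey(privilege.getName())) {
                return;
            }
            Map<String, Set<String>> resourceNames = getResourceNames(privilege);
            for (Map.Entry<String, Set<String>> entry : resourceNames.entrySet()) {
                if (isSubResource(entry.getKey(), entry.getValue())) {
                    OpenSSOApplicationPrivilegeManager.this.addToMap(this.appNameToResourceNames, resourceNames);
                    this.privileges.put(privilege.getName(), privilege);
                    // Repeating the merge/put for further applications would be a no-op.
                    break;
                }
            }
        }

        /** True when every candidate resource is a sub-resource of the cached set for that application. */
        private boolean isSubResource(String applicationName, Set<String> candidates) {
            Set<String> cached = this.appNameToResourceNames.get(applicationName);
            if (cached == null || cached.isEmpty()) {
                return false;
            }
            for (String candidate : candidates) {
                if (!isSubResource(cached, candidate)) {
                    return false;
                }
            }
            return true;
        }

        /** True when the candidate is a sub-resource of at least one cached resource (trailing "/*" stripped first). */
        private boolean isSubResource(Set<String> cached, String candidate) {
            for (String resource : cached) {
                String base = resource.endsWith("/*") ? resource.substring(0, resource.length() - 2) : resource;
                ResourceMatch match = OpenSSOApplicationPrivilegeManager.regExComparator.compare(base, candidate, true);
                if (ResourceMatch.SUB_RESOURCE_MATCH.equals(match)) {
                    return true;
                }
            }
            return false;
        }

        /**
         * Admits a privilege when it grants all required actions (admins skip this test) and all
         * of its resources lie under the resource prefix; the parsed application/resource pairs are
         * merged into the cache for non-admins (admins were seeded in the constructor).
         */
        public void evaluate(Privilege privilege) {
            Map<String, Boolean> actionValues = privilege.getEntitlement().getActionValues();
            boolean admitted = this.bPolicyAdmin || grantsAllActions(actionValues);
            if (!admitted) {
                return;
            }
            Map<String, Set<String>> resourceNames = getResourceNames(privilege);
            if (resourceNames == null || resourceNames.isEmpty()) {
                return;
            }
            if (!this.bPolicyAdmin) {
                OpenSSOApplicationPrivilegeManager.this.addToMap(this.appNameToResourceNames, resourceNames);
            }
            this.privileges.put(privilege.getName(), privilege);
        }

        /** True only when every required action maps to TRUE; an empty action set never grants. */
        private boolean grantsAllActions(Map<String, Boolean> actionValues) {
            boolean granted = false;
            for (String action : this.actions) {
                granted = Boolean.TRUE.equals(actionValues.get(action));
                if (!granted) {
                    break;
                }
            }
            return granted;
        }

        /**
         * Parses the privilege's resources into application -> resource names. All-or-nothing: if
         * any resource does not start with the prefix (case-insensitive) an empty map is returned.
         */
        private Map<String, Set<String>> getResourceNames(Privilege privilege) {
            Set<String> resources = privilege.getEntitlement().getResourceNames();
            for (String resource : resources) {
                if (!resource.toLowerCase().startsWith(this.resourcePrefix)) {
                    return Collections.emptyMap();
                }
            }
            return OpenSSOApplicationPrivilegeManager.getApplicationPrivilegeResourceNames(resources);
        }

        /** Whether any resource of the application is cached. */
        public boolean hasPermission(Application application) throws EntitlementException {
            return this.appNameToResourceNames.containsKey(application.getName());
        }

        /**
         * Whether every resource of the privilege's entitlement is covered by the cached resources
         * of its application. False when the application does not exist.
         */
        public boolean hasPermission(Privilege privilege) throws EntitlementException {
            Entitlement entitlement = privilege.getEntitlement();
            String applicationName = entitlement.getApplicationName();
            Application application = lookupApplication(applicationName);
            if (application == null) {
                return false;
            }
            return coversAll(applicationName, application.getResourceComparator(), entitlement.getResourceNames());
        }

        /** Whether every application/resource of the referral is covered by the cache. */
        public boolean hasPermission(ReferralPrivilege referralPrivilege) throws EntitlementException {
            Map<String, Set<String>> requested = referralPrivilege.getMapApplNameToResources();
            for (Map.Entry<String, Set<String>> entry : requested.entrySet()) {
                Application application = lookupApplication(entry.getKey());
                if (application == null) {
                    return false;
                }
                if (!coversAll(entry.getKey(), application.getResourceComparator(), entry.getValue())) {
                    return false;
                }
            }
            return true;
        }

        /** Looks the application up as the super admin in the manager's realm; {@code null} if absent. */
        private Application lookupApplication(String applicationName) throws EntitlementException {
            return EntitlementUtils.getApplicationService(PolicyConstants.SUPER_ADMIN_SUBJECT, OpenSSOApplicationPrivilegeManager.this.realm).getApplication(applicationName);
        }

        /** True when the application has cached resources and each requested resource is covered by one of them. */
        private boolean coversAll(String applicationName, ResourceName comparator, Set<String> requested) {
            Set<String> cached = this.appNameToResourceNames.get(applicationName);
            if (cached == null || cached.isEmpty()) {
                return false;
            }
            for (String resource : requested) {
                if (!isSubResource(comparator, cached, resource)) {
                    return false;
                }
            }
            return true;
        }

        /**
         * Covered when some cached resource exactly matches or is a parent of {@code resource},
         * or when {@code resource} wildcard-matches the cached one.
         */
        private boolean isSubResource(ResourceName comparator, Set<String> cached, String resource) {
            for (String granted : cached) {
                ResourceMatch direct = comparator.compare(granted, resource, false);
                if (direct.equals(ResourceMatch.EXACT_MATCH) || direct.equals(ResourceMatch.SUB_RESOURCE_MATCH)) {
                    return true;
                }
                if (comparator.compare(resource, granted, true).equals(ResourceMatch.WILDCARD_MATCH)) {
                    return true;
                }
            }
            return false;
        }
    }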

    /**
     * Creates a manager scoped to one realm, exposing the delegation privileges of {@code subject}.
     *
     * @param str realm name
     * @param subject the caller whose privileges are evaluated
     * @param resourceTypeService resource type lookup service retained for later use
     * @throws EntitlementException if loading the caller's privileges fails
     */
    public OpenSSOApplicationPrivilegeManager(String str, Subject subject, ResourceTypeService resourceTypeService) throws EntitlementException {
        this.realm = str;
        this.caller = subject;
        this.resourceTypeService = resourceTypeService;
        // Computes the resource prefix and fills the readables/modifiables/delegatables caches.
        init();
    }

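    /**
     * Returns the resource names in application {@code str} that the caller may delegate.
     *
     * @param str application name
     * @return read-only set; empty (never {@code null}) when nothing is delegatable there
     */
    public Set<String> getDelegatableResourceNames(String str) {
        Set<String> names = this.delegatables.getResourceNames(str);
        if (names == null) {
            return Collections.emptySet();
        }
        // The underlying set is the manager's own cache; hand out a read-only view so that
        // callers cannot widen the delegatable resources through this accessor.
        return Collections.unmodifiableSet(names);
    }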

    /**
     * Stores a new application privilege together with its ghost privilege.
     * validatePrivilege rejects unknown applications and resources the caller may not delegate;
     * it is the access gate, because the store itself is written as the admin user.
     *
     * @throws EntitlementException on validation failure or a failed store write
     */
    @Override // com.sun.identity.entitlement.ApplicationPrivilegeManager
    public void addPrivilege(ApplicationPrivilege applicationPrivilege) throws EntitlementException {
        validatePrivilege(applicationPrivilege);
        Privilege[] stored = toPrivilege(applicationPrivilege);
        PrivilegeManager privilegeManager = PrivilegeManager.getInstance(getHiddenRealmDN(), this.dsameUserSubject);
        for (int i = 0; i < stored.length; i++) {
            privilegeManager.add(stored[i]);
        }
        // Only the primary privilege (index 0) goes into the in-memory caches; the ghost does not.
        cachePrivilege(stored[0]);
    }

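    /**
     * Rejects a privilege that names no application, an unknown application, an application with
     * no resources, or a resource the caller cannot delegate.
     *
     * @throws EntitlementException with the code describing the first failed check
     */
    private void validatePrivilege(ApplicationPrivilege applicationPrivilege) throws EntitlementException {
        Set<String> applicationNames = applicationPrivilege.getApplicationNames();
        if (applicationNames == null || applicationNames.isEmpty()) {
            // Error code 320; the decompiler had substituted TIFFImageDecoder.TIFF_COLORMAP, an
            // unrelated constant of the same value, which dragged an image codec into this class.
            throw new EntitlementException(320);
        }
        for (String applicationName : applicationNames) {
            Application application = EntitlementUtils.getApplicationService(PolicyConstants.SUPER_ADMIN_SUBJECT, this.realm).getApplication(applicationName);
            if (application == null) {
                throw new EntitlementException(EntitlementException.NO_SUCH_APPLICATION, applicationName);
            }
            Set<String> resourceNames = applicationPrivilege.getResourceNames(applicationName);
            if (resourceNames == null || resourceNames.isEmpty()) {
                // Error code 322 (was TIFFImageDecoder.TIFF_TILE_WIDTH).
                throw new EntitlementException(322);
            }
            for (String resourceName : resourceNames) {
                // A caller may only hand out resources within what is delegatable to them.
                if (!isDelegatableResource(application, resourceName)) {
                    // Error code 323 (was TIFFImageDecoder.TIFF_TILE_LENGTH).
                    throw new EntitlementException(323, resourceName);
                }
            }
        }
    }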

    /**
     * Deletes a privilege and its ghost from the hidden realm and from the in-memory caches.
     * Allowed for the internal admin user, or for a caller who can delegate that privilege;
     * the store itself is written as the admin user, so this check is the only gate.
     *
     * @throws EntitlementException PERMISSION_DENIED when neither condition holds, or on store failure
     */
    @Override // com.sun.identity.entitlement.ApplicationPrivilegeManager
    public void removePrivilege(String str) throws EntitlementException {
        boolean mayRemove = isDsameUser() || this.delegatables.hasPrivilege(str);
        if (!mayRemove) {
            throw new EntitlementException(EntitlementException.PERMISSION_DENIED);
        }
        PrivilegeManager privilegeManager = PrivilegeManager.getInstance(getHiddenRealmDN(), this.dsameUserSubject);
        privilegeManager.remove(str);
        privilegeManager.remove(GHOST_PRIVILEGE_NAME_PREFIX + str);
        Permission[] caches = {this.readables, this.modifiables, this.delegatables};
        for (Permission cache : caches) {
            cache.removePrivilege(str);
        }
    }

    /**
     * Overwrites an existing privilege (and its ghost) after re-validating it.
     * Unlike removePrivilege there is no isDsameUser() bypass: the privilege must be in the
     * caller's delegatable cache.
     *
     * @throws EntitlementException PERMISSION_DENIED when the caller cannot delegate it, or on validation/store failure
     */
    @Override // com.sun.identity.entitlement.ApplicationPrivilegeManager
    public void replacePrivilege(ApplicationPrivilege applicationPrivilege) throws EntitlementException {
        boolean mayReplace = this.delegatables.hasPrivilege(applicationPrivilege.getName());
        if (!mayReplace) {
            throw new EntitlementException(EntitlementException.PERMISSION_DENIED);
        }
        validatePrivilege(applicationPrivilege);
        Privilege[] replacements = toPrivilege(applicationPrivilege);
        PrivilegeManager privilegeManager = PrivilegeManager.getInstance(getHiddenRealmDN(), this.dsameUserSubject);
        // Primary privilege first, then the ghost; each is re-cached right after its store write.
        for (Privilege replacement : replacements) {
            privilegeManager.modify(replacement);
            cachePrivilege(replacement);
        }
    }

    /** Offers a stored privilege to each in-memory cache; each one admits it on its own action criteria. */
    private void cachePrivilege(Privilege privilege) {
        Permission[] caches = {this.readables, this.modifiables, this.delegatables};
        for (Permission cache : caches) {
            cache.evaluate(privilege);
        }
    }

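    /**
     * Converts an application privilege into the two stored privileges: the primary one, whose
     * resources encode application/resource pairs under the realm's resource prefix, and a
     * "ghost" (name prefixed with GHOST_PRIVILEGE_NAME_PREFIX) that grants READ on the realm and
     * identity-repository services. Both share the same subjects and condition.
     *
     * @return array of {primary, ghost}
     * @throws EntitlementException if the resource encoding fails (code 324)
     */
    private Privilege[] toPrivilege(ApplicationPrivilege applicationPrivilege) throws EntitlementException {
        try {
            Privilege primary = Privilege.getNewInstance();
            primary.setName(applicationPrivilege.getName());
            primary.setDescription(applicationPrivilege.getDescription());
            primary.setEntitlement(new Entitlement(APPL_NAME, createDelegationResources(applicationPrivilege), getActionValues(applicationPrivilege.getActionValues())));

            Privilege ghost = Privilege.getNewInstance();
            ghost.setName(GHOST_PRIVILEGE_NAME_PREFIX + applicationPrivilege.getName());
            Object[] realmDn = {DNMapper.orgNameToDN(this.realm)};
            Set<String> ghostResources = new HashSet<String>();
            ghostResources.add(MessageFormat.format(SUN_AM_REALM_RESOURCE, realmDn));
            ghostResources.add(MessageFormat.format(SUN_IDREPO_RESOURCE, realmDn));
            ghost.setEntitlement(new Entitlement(APPL_NAME, ghostResources, getActionValues(ApplicationPrivilege.PossibleAction.READ)));

            OrSubject orSubject = new OrSubject(new HashSet<EntitlementSubject>(applicationPrivilege.getSubjects()));
            primary.setSubject(orSubject);
            primary.setCondition(applicationPrivilege.getCondition());
            ghost.setSubject(orSubject);
            ghost.setCondition(applicationPrivilege.getCondition());
            primary.setApplicationIndexes(new HashSet<String>(applicationPrivilege.getApplicationNames()));
            return new Privilege[] {primary, ghost};
        } catch (UnsupportedEncodingException e) {
            // Not reachable with the fixed "UTF-8" charset used for encoding, but keep the cause on
            // record instead of dropping it. Error code 324 (was TIFFImageDecoder.TIFF_TILE_OFFSETS).
            PrivilegeManager.debug.error("OpenSSOApplicationPrivilegeManager.toPrivilege", e);
            throw new EntitlementException(324, new String[0]);
        }
    }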

    /**
     * Expands a PossibleAction into the action map stored on the entitlement; only granted
     * actions are present (as TRUE). An unrecognised value yields an empty map.
     */
    private Map<String, Boolean> getActionValues(ApplicationPrivilege.PossibleAction possibleAction) {
        boolean read = false;
        boolean modify = false;
        boolean delegate = false;
        switch (possibleAction) {
            case READ:
                read = true;
                break;
            case READ_MODIFY:
                read = true;
                modify = true;
                break;
            case READ_MODIFY_DELEGATE:
                read = true;
                modify = true;
                delegate = true;
                break;
            case READ_DELEGATE:
                read = true;
                delegate = true;
                break;
        }
        Map<String, Boolean> values = new HashMap<String, Boolean>();
        if (read) {
            values.put(ACTION_READ, Boolean.TRUE);
        }
        if (modify) {
            values.put(ACTION_MODIFY, Boolean.TRUE);
        }
        if (delegate) {
            values.put(ACTION_DELEGATE, Boolean.TRUE);
        }
        return values;
    }

    /**
     * Collapses a stored action map back into a PossibleAction. Absent or FALSE entries count as
     * not granted; when READ is not granted the result still falls back to READ.
     */
    private ApplicationPrivilege.PossibleAction getActionValues(Map<String, Boolean> map) {
        boolean read = Boolean.TRUE.equals(map.get(ACTION_READ));
        boolean modify = Boolean.TRUE.equals(map.get(ACTION_MODIFY));
        boolean delegate = Boolean.TRUE.equals(map.get(ACTION_DELEGATE));
        if (read && modify && delegate) {
            return ApplicationPrivilege.PossibleAction.READ_MODIFY_DELEGATE;
        }
        if (read && delegate) {
            return ApplicationPrivilege.PossibleAction.READ_DELEGATE;
        }
        if (read && modify) {
            return ApplicationPrivilege.PossibleAction.READ_MODIFY;
        }
        return ApplicationPrivilege.PossibleAction.READ;
    }

    /**
     * Rebuilds an ApplicationPrivilege from its stored primary privilege: metadata, the decoded
     * application/resource map, the action set, the SubjectImplementation members of its subject
     * (an OrSubject is flattened one level; other subject types are ignored) and the condition.
     * Only a SimpleTimeCondition is carried over; any other condition type is dropped.
     */
    private ApplicationPrivilege toApplicationPrivilege(Privilege privilege) throws EntitlementException {
        ApplicationPrivilege result = new ApplicationPrivilege(privilege.getName());
        result.setDescription(privilege.getDescription());
        result.setCreatedBy(privilege.getCreatedBy());
        result.setCreationDate(privilege.getCreationDate());
        result.setLastModifiedBy(privilege.getLastModifiedBy());
        result.setLastModifiedDate(privilege.getLastModifiedDate());

        Entitlement entitlement = privilege.getEntitlement();
        result.setApplicationResources(getApplicationPrivilegeResourceNames(entitlement.getResourceNames()));
        result.setActionValues(getActionValues(entitlement.getActionValues()));

        Set<SubjectImplementation> members = new HashSet<SubjectImplementation>();
        EntitlementSubject subject = privilege.getSubject();
        if (subject instanceof OrSubject) {
            for (EntitlementSubject member : ((OrSubject) subject).getESubjects()) {
                if (member instanceof SubjectImplementation) {
                    members.add((SubjectImplementation) member);
                }
            }
        } else if (subject instanceof SubjectImplementation) {
            members.add((SubjectImplementation) subject);
        }
        result.setSubject(members);

        EntitlementCondition condition = privilege.getCondition();
        if (condition instanceof SimpleTimeCondition) {
            result.setCondition(condition);
        }
        return result;
    }

    /**
     * One encoded resource string per application named by the privilege; see the
     * single-application overload for the format.
     */
    private Set<String> createDelegationResources(ApplicationPrivilege applicationPrivilege) throws UnsupportedEncodingException {
        Set<String> encoded = new HashSet<String>();
        for (String applicationName : applicationPrivilege.getApplicationNames()) {
            Set<String> resourceNames = applicationPrivilege.getResourceNames(applicationName);
            encoded.add(createDelegationResources(applicationName, resourceNames));
        }
        return encoded;
    }

    /**
     * Builds {@code <resourcePrefix>/<application>?<res1>&<res2>...} with each resource name
     * URL-encoded (UTF-8). The application name itself is not encoded; the reverse parser
     * (getApplicationPrivilegeResourceNames) takes the last '/'-segment before '?' as the name.
     *
     * @param str application name
     * @param set resource names for that application
     */
    private String createDelegationResources(String str, Set<String> set) throws UnsupportedEncodingException {
        StringBuilder resource = new StringBuilder(this.resourcePrefix);
        resource.append('/').append(str).append('?');
        String separator = "";
        for (String resourceName : set) {
            resource.append(separator).append(URLEncoder.encode(resourceName, "UTF-8"));
            separator = "&";
        }
        return resource.toString();
    }

    /**
     * Whether {@code str} falls within a resource the caller may delegate in {@code application}.
     * Each delegatable resource is widened to a "/*" pattern if it does not already end in "*",
     * then compared with the application's comparator: a regex comparator only tries the
     * wildcard comparison (str against pattern); other comparators first try pattern-against-str
     * (exact or sub-resource) and then the wildcard comparison.
     */
    private boolean isDelegatableResource(Application application, String str) {
        Set<String> delegatable = getDelegatableResourceNames(application.getName());
        if (delegatable == null || delegatable.isEmpty()) {
            return false;
        }
        ResourceName comparator = application.getResourceComparator();
        boolean regexComparator = comparator instanceof RegExResourceName;
        for (String granted : delegatable) {
            String pattern = granted;
            if (!pattern.endsWith("*")) {
                pattern = pattern.endsWith("/") ? pattern + "*" : pattern + "/*";
            }
            if (!regexComparator) {
                ResourceMatch direct = comparator.compare(pattern, str, false);
                if (direct.equals(ResourceMatch.EXACT_MATCH) || direct.equals(ResourceMatch.SUB_RESOURCE_MATCH)) {
                    return true;
                }
            }
            ResourceMatch wildcard = comparator.compare(str, pattern, true);
            if (wildcard.equals(ResourceMatch.EXACT_MATCH) || wildcard.equals(ResourceMatch.SUB_RESOURCE_MATCH) || wildcard.equals(ResourceMatch.WILDCARD_MATCH)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the named privilege from the caller's delegatable cache. A privilege the caller
     * cannot delegate is reported as not found (code 325), not as denied.
     */
    @Override // com.sun.identity.entitlement.ApplicationPrivilegeManager
    public ApplicationPrivilege getPrivilege(String str) throws EntitlementException {
        Privilege stored = this.delegatables.getPrivilege(str);
        if (stored != null) {
            return toApplicationPrivilege(stored);
        }
        throw new EntitlementException(325, str);
    }

    /**
     * Names of the caller's delegatable privileges matching any of the filters; with no filters
     * (null or empty) every delegatable privilege name is returned.
     */
    @Override // com.sun.identity.entitlement.ApplicationPrivilegeManager
    public Set<String> search(Set<SearchFilter> set) {
        boolean unfiltered = set == null || set.isEmpty();
        Set<String> matches = new HashSet<String>();
        for (String name : this.delegatables.getPrivilegeNames()) {
            if (unfiltered || matchFilter(this.delegatables.getPrivilege(name), set)) {
                matches.add(name);
            }
        }
        return matches;
    }

    /**
     * OR over the filters: true as soon as one filter's attribute compares equal to the
     * privilege's corresponding field. Unknown attribute names never match.
     */
    private boolean matchFilter(Privilege privilege, Set<SearchFilter> set) {
        for (SearchFilter filter : set) {
            filter.getFilter(); // result unused in the original; retained verbatim
            String attribute = filter.getName();
            boolean matched;
            if (attribute.equals("name")) {
                matched = attrCompare(privilege.getName(), filter);
            } else if (attribute.equals("description")) {
                matched = attrCompare(privilege.getDescription(), filter);
            } else if (attribute.equals("createdby")) {
                matched = attrCompare(privilege.getCreatedBy(), filter);
            } else if (attribute.equals("lastmodifiedby")) {
                matched = attrCompare(privilege.getLastModifiedBy(), filter);
            } else if (attribute.equals("creationdate")) {
                matched = attrCompare(privilege.getCreationDate(), filter);
            } else if (attribute.equals("lastmodifieddate")) {
                matched = attrCompare(privilege.getLastModifiedDate(), filter);
            } else {
                matched = false;
            }
            if (matched) {
                return true;
            }
        }
        return false;
    }

    /** Case-insensitive equality or wildcard match of the filter value against {@code str}; a null filter value never matches. */
    private boolean attrCompare(String str, SearchFilter searchFilter) {
        String wanted = searchFilter.getValue();
        if (wanted == null) {
            return false;
        }
        return wanted.equalsIgnoreCase(str) || DisplayUtils.wildcardMatch(str, wanted);
    }

    /**
     * Numeric comparison of {@code j} against the filter's value: equals or greater-than per the
     * operator; any other operator is treated as less-than.
     */
    private boolean attrCompare(long j, SearchFilter searchFilter) {
        long expected = searchFilter.getNumericValue();
        SearchFilter.Operator operator = searchFilter.getOperator();
        if (operator == SearchFilter.Operator.EQUALS_OPERATOR) {
            return j == expected;
        }
        if (operator == SearchFilter.Operator.GREATER_THAN_OPERATOR) {
            return j > expected;
        }
        return j < expected;
    }

    /**
     * Computes the lower-cased resource prefix ("sms://" + realm DN + RESOURCE_PREFIX) that
     * Permission uses to recognise delegation resources, then loads the caller's privileges.
     */
    private void init() throws EntitlementException {
        String prefix = "sms://" + DNMapper.orgNameToDN(this.realm) + RESOURCE_PREFIX;
        // Lower-cased once here; Permission.getResourceNames lower-cases the privilege side the same way.
        this.resourcePrefix = prefix.toLowerCase();
        initPrivilegeNames();
    }

    /**
     * Builds the three permission caches, then fills them: first from the privileges that name
     * the caller directly, then (non-admins only) from sub-resource related privileges.
     */
    private void initPrivilegeNames() throws EntitlementException {
        initPermissionObjects();
        getPrivileges();
        getSubResourceRelatedPrivileges();
    }

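    /**
     * Second loading pass for non-admins: searches the hidden realm (as the admin user, with no
     * subject filter) for privileges stored under the applications already cached, and lets each
     * cache admit those whose resources are sub-resources of what it holds. Skipped for policy
     * admins, whose caches were seeded with every application's resources.
     */
    private void getSubResourceRelatedPrivileges() throws EntitlementException {
        if (this.bPolicyAdmin) {
            return;
        }
        Set<String> applications = new HashSet<String>();
        applications.addAll(this.readables.getApplications());
        applications.addAll(this.modifiables.getApplications());
        applications.addAll(this.delegatables.getApplications());
        if (applications.isEmpty()) {
            return;
        }
        Set<String> hostIndexes = new HashSet<String>();
        hostIndexes.add(ISAuthConstants.URL_SEPARATOR + DNMapper.orgNameToDN(this.realm));
        Set<String> pathIndexes = new HashSet<String>();
        for (String application : applications) {
            // Same path layout createDelegationResources writes (prefix + "/" + application).
            pathIndexes.add(RESOURCE_PREFIX + "/" + application);
        }
        ResourceSearchIndexes indexes = new ResourceSearchIndexes(hostIndexes, null, pathIndexes);
        Iterator<IPrivilege> found = new OpenSSOIndexStore(this.dsameUserSubject, getHiddenRealmDN()).search("/", indexes, Collections.<String>emptySet(), true, false);
        while (found.hasNext()) {
            Privilege privilege = (Privilege) found.next();
            this.delegatables.evaluate(privilege, true);
            this.modifiables.evaluate(privilege, true);
            this.readables.evaluate(privilege, true);
        }
    }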

    /**
     * First loading pass: searches the hidden realm (as the admin user) for delegation privileges
     * under RESOURCE_PREFIX. Policy admins get no subject narrowing; other callers are limited by
     * their subject search filter and each hit is re-checked against the caller's subject before
     * the caches may admit it.
     */
    private void getPrivileges() throws EntitlementException {
        Set<String> hostIndexes = new HashSet<String>();
        hostIndexes.add(ISAuthConstants.URL_SEPARATOR + DNMapper.orgNameToDN(this.realm));
        Set<String> pathIndexes = new HashSet<String>();
        pathIndexes.add(RESOURCE_PREFIX);
        OpenSSOIndexStore store = new OpenSSOIndexStore(this.dsameUserSubject, getHiddenRealmDN());
        ResourceSearchIndexes indexes = new ResourceSearchIndexes(hostIndexes, null, pathIndexes);
        Set<String> subjectIndexes;
        if (this.bPolicyAdmin) {
            subjectIndexes = Collections.<String>emptySet();
        } else {
            subjectIndexes = SubjectAttributesManager.getInstance(this.dsameUserSubject).getSubjectSearchFilter(this.caller, "sunAMDelegationService");
        }
        Iterator<IPrivilege> found = store.search("/", indexes, subjectIndexes, true, false);
        while (found.hasNext()) {
            Privilege privilege = (Privilege) found.next();
            boolean applies = this.bPolicyAdmin || doesSubjectMatch(privilege, this.resourcePrefix);
            if (applies) {
                this.delegatables.evaluate(privilege);
                this.modifiables.evaluate(privilege);
                this.readables.evaluate(privilege);
            }
        }
    }

    /**
     * Evaluates the privilege's subject against the caller in this realm (no environment map).
     *
     * @param str resource name handed to the subject evaluation
     * @return whether the subject condition is satisfied for the caller
     */
    private boolean doesSubjectMatch(Privilege privilege, String str) throws EntitlementException {
        SubjectAttributesManager attributes = SubjectAttributesManager.getInstance(this.dsameUserSubject, this.realm);
        Map<String, Set<String>> environment = Collections.emptyMap();
        return privilege.getSubject().evaluate(this.realm, attributes, this.caller, str, environment).isSatisfied();
    }

    /**
     * Creates the three caches: delegatables (read+delegate), modifiables (read+modify) and
     * readables (read). Policy admins are seeded with every application's resources; the same
     * map instance is handed to all three.
     */
    private void initPermissionObjects() throws EntitlementException {
        Map<String, Set<String>> allResources = this.bPolicyAdmin ? getAllResourceNamesInAllAppls() : Collections.<String, Set<String>>emptyMap();

        Set<String> delegateActions = new HashSet<String>();
        delegateActions.add(ACTION_READ);
        delegateActions.add(ACTION_DELEGATE);
        this.delegatables = new Permission(delegateActions, this.bPolicyAdmin, this.resourcePrefix, allResources);

        Set<String> modifyActions = new HashSet<String>();
        modifyActions.add(ACTION_READ);
        modifyActions.add(ACTION_MODIFY);
        this.modifiables = new Permission(modifyActions, this.bPolicyAdmin, this.resourcePrefix, allResources);

        Set<String> readActions = new HashSet<String>();
        readActions.add(ACTION_READ);
        this.readables = new Permission(readActions, this.bPolicyAdmin, this.resourcePrefix, allResources);
    }

    /* JADX INFO: Access modifiers changed from: private */
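    /**
     * Merges {@code map2} into {@code map} by application name: a key that is absent or mapped to
     * an empty set receives a copy of the incoming set; otherwise the incoming names are added to
     * the existing set. Copying avoids aliasing a set that belongs to another map (the cache
     * would otherwise grow whenever that other set is modified).
     *
     * @param map target (mutated)
     * @param map2 source; null or empty is a no-op, and null values are skipped
     */
    public void addToMap(Map<String, Set<String>> map, Map<String, Set<String>> map2) {
        if (map2 == null || map2.isEmpty()) {
            return;
        }
        for (Map.Entry<String, Set<String>> entry : map2.entrySet()) {
            Set<String> incoming = entry.getValue();
            if (incoming == null) {
                continue;
            }
            Set<String> existing = map.get(entry.getKey());
            if (existing == null || existing.isEmpty()) {
                map.put(entry.getKey(), new HashSet<String>(incoming));
            } else {
                existing.addAll(incoming);
            }
        }
    }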

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Decodes a set of stored delegation resources into application -> resource names.
     * Resources without a query part contribute nothing; if two resources name the same
     * application, the later one replaces the earlier (putAll semantics).
     */
    public static Map<String, Set<String>> getApplicationPrivilegeResourceNames(Set<String> set) {
        Map<String, Set<String>> merged = new HashMap<String, Set<String>>();
        for (String resource : set) {
            Map<String, Set<String>> parsed = getApplicationPrivilegeResourceNames(resource);
            if (parsed != null && !parsed.isEmpty()) {
                merged.putAll(parsed);
            }
        }
        return merged;
    }

    /**
     * Parses one encoded resource string of the form {@code [path/]<application>?<res>&<res>...}.
     *
     * <p>The application name is the text before {@code '?'} with any leading path stripped
     * (everything up to and including the last {@code '/'}). The part after {@code '?'} is split
     * on {@code '&'} and each token is URL-decoded as UTF-8.
     *
     * @param str the encoded resource string
     * @return a single-entry map of application name to decoded resource names, or an empty
     *         immutable map if {@code str} has no {@code '?'} or decoding fails
     */
    private static Map<String, Set<String>> getApplicationPrivilegeResourceNames(String str) {
        int queryStart = str.indexOf('?');
        if (queryStart == -1) {
            return Collections.EMPTY_MAP;
        }
        // Application name: the segment before '?', minus any leading path.
        String applicationName = str.substring(0, queryStart);
        int lastSlash = applicationName.lastIndexOf("/");
        if (lastSlash != -1) {
            applicationName = applicationName.substring(lastSlash + 1);
        }
        // Resources: '&'-separated, URL-encoded tokens after the '?'.
        String query = str.substring(queryStart + 1);
        Set<String> resources = new HashSet<String>();
        StringTokenizer tokens = new StringTokenizer(query, "&");
        while (tokens.hasMoreTokens()) {
            try {
                String token = tokens.nextToken();
                resources.add(URLDecoder.decode(token, "UTF-8"));
            } catch (UnsupportedEncodingException e) {
                // UTF-8 is always available; logged and treated as "no resources" regardless.
                PrivilegeManager.debug.error("OpenSSOApplicationPrivilegeManager .getApplicationPrivilegeResourceNames", e);
                return Collections.EMPTY_MAP;
            }
        }
        Map<String, Set<String>> result = new HashMap<String, Set<String>>();
        result.put(applicationName, resources);
        return result;
    }

    /**
     * Determines whether the caller is a policy administrator for {@code realm}.
     *
     * <p>The internal {@code dsameuser}/{@code amadmin} identities are administrators outright.
     * Any other caller must hold {@code MODIFY} on the realm's policy service subtree
     * ({@code sms://<realm DN>/iPlanetAMPolicyService/*}), evaluated under the
     * {@code sunAMDelegationService} application in the hidden realm. The evaluation itself runs
     * as the super-admin subject; only {@code caller} is the subject being tested.
     *
     * @return {@code true} if the caller is a policy administrator; {@code false} otherwise,
     *         including when the evaluation fails (fail closed, the error is logged)
     */
    private boolean isPolicyAdmin() {
        if (isDsameUser()) {
            return true;
        }
        try {
            Evaluator evaluator =
                    new Evaluator(SubjectUtils.createSuperAdminSubject(), "sunAMDelegationService");
            Set actions = new HashSet();
            actions.add(ACTION_MODIFY);
            String hiddenRealm = getHiddenRealmDN();
            String policyServiceResource =
                    "sms://" + DNMapper.orgNameToDN(this.realm) + "/iPlanetAMPolicyService/*";
            Entitlement wanted = new Entitlement(policyServiceResource, actions);
            return evaluator.hasEntitlement(hiddenRealm, this.caller, wanted, Collections.EMPTY_MAP);
        } catch (EntitlementException e) {
            // Fail closed: an evaluation error never grants administrator rights.
            PrivilegeManager.debug.error("OpenSSOApplicationPrivilegeManager.isPolicyAdmin", e);
            return false;
        }
    }

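    /**
     * Tells whether the caller is one of the internal administrative identities
     * ({@code dsameuser} or {@code amadmin} under the configured root suffix).
     *
     * <p>The shared super-admin {@code Subject} is recognised by reference. Otherwise the name of
     * the caller's <em>first</em> principal must be a DN equal (after lower-casing) to one of the
     * two expected DNs. Lower-casing uses {@code Locale.ROOT} so the comparison does not depend on
     * the JVM's default locale (the previous implementation used the default locale, which can
     * alter letters such as {@code 'I'} under some locales).
     *
     * <p>Only the first principal is consulted, as before; the Subject is assumed to carry a single
     * identity principal -- TODO confirm for multi-principal Subjects.
     *
     * @return {@code true} if the caller is {@code dsameuser} or {@code amadmin}
     */
    private boolean isDsameUser() {
        // Identity comparison is intentional: the super-admin Subject is a shared instance.
        if (this.caller == PrivilegeManager.superAdminSubject) {
            return true;
        }
        Set<Principal> principals = this.caller.getPrincipals();
        if (principals == null || principals.isEmpty()) {
            return false;
        }
        String callerName = principals.iterator().next().getName();
        if (!LDAPUtils.isDN(callerName)) {
            return false;
        }
        String rootSuffix = SMSEntry.getRootSuffix();
        DN callerDn = DN.valueOf(callerName.toLowerCase(java.util.Locale.ROOT));
        DN amAdminDn = DN.valueOf(("id=amadmin,ou=user," + rootSuffix).toLowerCase(java.util.Locale.ROOT));
        DN dsameUserDn = DN.valueOf(("id=dsameuser,ou=user," + rootSuffix).toLowerCase(java.util.Locale.ROOT));
        return callerDn.equals(amAdminDn) || callerDn.equals(dsameUserDn);
    }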

    /**
     * Returns the DN of the hidden realm that stores application privileges: the
     * {@code HIDDEN_REALM_DN} prefix followed by the configuration store's root suffix.
     *
     * @return the hidden realm DN
     */
    private static String getHiddenRealmDN() {
        final String rootSuffix = SMSEntry.getRootSuffix();
        return HIDDEN_REALM_DN + rootSuffix;
    }

    /**
     * Checks whether the caller may perform {@code action} on {@code privilege}.
     *
     * <p>Policy administrators are always allowed; everyone else is checked against the
     * {@link Permission} view selected for {@code action}.
     *
     * @param privilege the privilege being accessed
     * @param action the requested action
     * @return {@code true} if access is permitted
     * @throws EntitlementException if the permission check fails
     */
    @Override // com.sun.identity.entitlement.ApplicationPrivilegeManager
    public boolean hasPrivilege(Privilege privilege, ApplicationPrivilege.Action action) throws EntitlementException {
        final boolean admin = isPolicyAdmin();
        return admin || getPermissionObject(action).hasPermission(privilege);
    }

    /**
     * Checks whether the caller may perform {@code action} on {@code referralPrivilege}.
     *
     * <p>Policy administrators are always allowed; everyone else is checked against the
     * {@link Permission} view selected for {@code action}.
     *
     * @param referralPrivilege the referral privilege being accessed
     * @param action the requested action
     * @return {@code true} if access is permitted
     * @throws EntitlementException if the permission check fails
     */
    @Override // com.sun.identity.entitlement.ApplicationPrivilegeManager
    public boolean hasPrivilege(ReferralPrivilege referralPrivilege, ApplicationPrivilege.Action action) throws EntitlementException {
        final boolean admin = isPolicyAdmin();
        return admin || getPermissionObject(action).hasPermission(referralPrivilege);
    }

    /**
     * Checks whether the caller may perform {@code action} on {@code application}.
     *
     * <p>Any action other than {@code READ} is reserved for policy administrators. For
     * {@code READ}, administrators are allowed outright and other callers are checked against the
     * {@link Permission} view selected for the action.
     *
     * @param application the application being accessed
     * @param action the requested action; must not be {@code null}
     * @return {@code true} if access is permitted
     * @throws EntitlementException if the permission check fails
     */
    @Override // com.sun.identity.entitlement.ApplicationPrivilegeManager
    public boolean hasPrivilege(Application application, ApplicationPrivilege.Action action) throws EntitlementException {
        final boolean readRequested = action.equals(ApplicationPrivilege.Action.READ);
        final boolean admin = isPolicyAdmin();
        if (!readRequested) {
            return admin;
        }
        return admin || getPermissionObject(action).hasPermission(application);
    }

    /**
     * Returns the resource names of application {@code str} the caller may access with
     * {@code action}, as recorded in the matching {@link Permission} view.
     *
     * @param str the application name
     * @param action the action whose permission view is consulted
     * @return the permitted resource names for that application
     */
    @Override // com.sun.identity.entitlement.ApplicationPrivilegeManager
    public Set<String> getResources(String str, ApplicationPrivilege.Action action) {
        final Permission view = getPermissionObject(action);
        return view.getResourceNames(str);
    }

    /**
     * Returns the names of the applications the caller may access with {@code action}, as
     * recorded in the matching {@link Permission} view.
     *
     * @param action the action whose permission view is consulted
     * @return the permitted application names
     */
    @Override // com.sun.identity.entitlement.ApplicationPrivilegeManager
    public Set<String> getApplications(ApplicationPrivilege.Action action) {
        final Permission view = getPermissionObject(action);
        return view.getApplications();
    }

    /**
     * Tells whether the caller may create an application.
     *
     * <p>Only policy administrators may; the application name is not consulted.
     *
     * @param str the name of the application to be created (unused)
     * @return {@code true} if the caller is a policy administrator
     */
    @Override // com.sun.identity.entitlement.ApplicationPrivilegeManager
    public boolean canCreateApplication(String str) {
        final boolean admin = isPolicyAdmin();
        return admin;
    }

    /**
     * Selects the {@link Permission} view for {@code action}.
     *
     * <p>{@code MODIFY} maps to {@code modifiables} and {@code DELEGATE} to {@code delegatables};
     * any other value -- {@code READ}, or {@code null} -- falls back to the least-privileged
     * {@code readables} view.
     *
     * @param action the requested action
     * @return the permission view to consult
     */
    private Permission getPermissionObject(ApplicationPrivilege.Action action) {
        if (action == ApplicationPrivilege.Action.MODIFY) {
            return this.modifiables;
        }
        if (action == ApplicationPrivilege.Action.DELEGATE) {
            return this.delegatables;
        }
        return this.readables;
    }

    /**
     * Searches the hidden realm's index store for the application privileges of realm {@code str}.
     *
     * <p>The search runs as the admin-token subject, matches the host index
     * {@code "/" + <realm DN>} and the parent-path index {@code RESOURCE_PREFIX}, and uses no
     * subject index.
     *
     * @param str the realm name whose application privileges are wanted
     * @return an iterator over the matching privileges
     * @throws EntitlementException if the search fails
     */
    static Iterator<IPrivilege> getPrivileges(String str) throws EntitlementException {
        Set<String> hostIndexes = new HashSet<String>();
        hostIndexes.add(ISAuthConstants.URL_SEPARATOR + DNMapper.orgNameToDN(str));
        Set<String> parentPathIndexes = new HashSet<String>();
        parentPathIndexes.add(RESOURCE_PREFIX);
        ResourceSearchIndexes indexes = new ResourceSearchIndexes(hostIndexes, null, parentPathIndexes);

        SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
        Subject adminSubject = SubjectUtils.createSubject(adminToken);
        OpenSSOIndexStore store = new OpenSSOIndexStore(adminSubject, getHiddenRealmDN());
        return store.search("/", indexes, Collections.EMPTY_SET, true, false);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
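    /**
     * Removes every application privilege of realm {@code str} from the hidden realm, together
     * with its ghost counterpart ({@code GHOST_PRIVILEGE_NAME_PREFIX + name}).
     *
     * <p>Runs as the admin-token subject. A single {@link PrivilegeManager} for the hidden realm is
     * obtained once up front instead of once per privilege, as the previous implementation did.
     * Each search result is cast to {@link Privilege} to read its name, as before.
     *
     * <p>Decompiler note: access was widened from package-private.
     *
     * @param str the realm name whose application privileges are removed
     * @throws EntitlementException if the search or a removal fails
     */
    public static void removeAllPrivileges(String str) throws EntitlementException {
        SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
        Subject adminSubject = SubjectUtils.createSubject(adminToken);
        // Loop-invariant: the manager depends only on the hidden realm and the admin subject.
        PrivilegeManager privilegeManager = PrivilegeManager.getInstance(getHiddenRealmDN(), adminSubject);
        Iterator<IPrivilege> privileges = getPrivileges(str);
        while (privileges.hasNext()) {
            String name = ((Privilege) privileges.next()).getName();
            privilegeManager.remove(name);
            privilegeManager.remove(GHOST_PRIVILEGE_NAME_PREFIX + name);
        }
    }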

    /**
     * Collects the base resource patterns of every application in {@code realm}, keyed by
     * application name.
     *
     * <p>Applications are listed through the application service as the super-admin subject;
     * each application's patterns come from {@link #getAllBaseResource(Application)}.
     *
     * @return a mutable map of application name to its base resource patterns
     * @throws EntitlementException if the applications or their resource types cannot be loaded
     */
    private Map<String, Set<String>> getAllResourceNamesInAllAppls() throws EntitlementException {
        Map<String, Set<String>> resourcesByApplication = new HashMap<String, Set<String>>();
        Set<Application> applications =
                EntitlementUtils.getApplicationService(PolicyConstants.SUPER_ADMIN_SUBJECT, this.realm).getApplications();
        for (Application application : applications) {
            Set<String> patterns = getAllBaseResource(application);
            resourcesByApplication.put(application.getName(), patterns);
        }
        return resourcesByApplication;
    }

    /**
     * Gathers the resource patterns of all resource types referenced by {@code application}.
     *
     * <p>Each resource type UUID is resolved via {@code resourceTypeService} as the super-admin
     * subject in {@code realm}; an unresolvable UUID is an error rather than being skipped.
     *
     * @param application the application whose resource types are resolved
     * @return the union of the patterns of all its resource types
     * @throws EntitlementException with {@code NO_SUCH_RESOURCE_TYPE} if a referenced resource
     *         type does not exist, or if the lookup itself fails
     */
    private Set<String> getAllBaseResource(Application application) throws EntitlementException {
        Set<String> patterns = new HashSet<String>();
        for (String resourceTypeUuid : application.getResourceTypeUuids()) {
            ResourceType resourceType = this.resourceTypeService.getResourceType(
                    PrivilegeManager.superAdminSubject, this.realm, resourceTypeUuid);
            if (resourceType == null) {
                // A dangling reference is reported, not silently ignored.
                throw new EntitlementException(EntitlementException.NO_SUCH_RESOURCE_TYPE, resourceTypeUuid, this.realm);
            }
            patterns.addAll(resourceType.getPatterns());
        }
        return patterns;
    }
}
