package com.sun.identity.policy.plugins;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenListenersUnsupportedException;
import com.sun.identity.policy.InvalidNameException;
import com.sun.identity.policy.NameNotFoundException;
import com.sun.identity.policy.PolicyConfig;
import com.sun.identity.policy.PolicyEvaluator;
import com.sun.identity.policy.PolicyException;
import com.sun.identity.policy.PolicyUtils;
import com.sun.identity.policy.SubjectEvaluationCache;
import com.sun.identity.policy.Syntax;
import com.sun.identity.policy.ValidValues;
import com.sun.identity.policy.interfaces.Subject;
import com.sun.identity.shared.debug.Debug;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.forgerock.openam.ldap.LDAPRequests;
import org.forgerock.openam.ldap.LDAPUtils;
import org.forgerock.openam.sdk.org.forgerock.opendj.ldap.Attribute;
import org.forgerock.openam.sdk.org.forgerock.opendj.ldap.ByteString;
import org.forgerock.openam.sdk.org.forgerock.opendj.ldap.Connection;
import org.forgerock.openam.sdk.org.forgerock.opendj.ldap.ConnectionFactory;
import org.forgerock.openam.sdk.org.forgerock.opendj.ldap.DN;
import org.forgerock.openam.sdk.org.forgerock.opendj.ldap.LDAPConnectionFactory;
import org.forgerock.openam.sdk.org.forgerock.opendj.ldap.LdapException;
import org.forgerock.openam.sdk.org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.openam.sdk.org.forgerock.opendj.ldap.SearchScope;
import org.forgerock.openam.sdk.org.forgerock.opendj.ldap.responses.SearchResultEntry;
import org.forgerock.openam.sdk.org.forgerock.opendj.ldif.ConnectionEntryReader;
import org.forgerock.openam.sdk.org.forgerock.util.Options;
import org.forgerock.openam.sdk.org.forgerock.util.time.Duration;
import org.forgerock.openam.utils.Time;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.3.jar:com/sun/identity/policy/plugins/LDAPRoles.class */
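/**
 * Policy {@link Subject} plugin that grants membership when the authenticated user holds one
 * of the configured directory roles ({@code nsrole} values on the user entry, role definitions
 * of objectclass {@code nsroledefinition}).
 *
 * <p>All connection and search parameters come from the policy configuration map passed to
 * {@link #initialize(Map)}. The bind password arrives encrypted and is decrypted with
 * {@link PolicyUtils#decrypt(String)}; it is never written to the debug log.
 *
 * <p>Evaluation ({@link #isMember(SSOToken)}) first consults {@link SubjectEvaluationCache}
 * per (token, server, role); on a miss it fetches the user's entry, reads its {@code nsrole}
 * attribute, caches the lower-cased role DNs in {@link #userLDAPRoleCache} for the subject
 * evaluation TTL, and compares them against the lower-cased role DNs chosen through
 * {@link #setValues(Set)}. DNs are case-insensitive, so both sides are lower-cased before
 * comparison.
 *
 * <p>Thread-safety: the selected-role sets are replaced wholesale by {@link #setValues(Set)}
 * and never mutated in place; both caches are synchronized maps. The
 * check-then-put on {@code PolicyEvaluator.ssoListenerRegistry} is not atomic, so two
 * concurrent evaluations for the same token may both register a listener (harmless here).
 */
public class LDAPRoles implements Subject {
    static final String LDAP_OBJECT_CLASS = "objectclass";
    static final String LDAP_ROLE_ATTR = "nsroledefinition";
    static final String LDAP_USER_ROLE_ATTR = "nsrole";
    static final String LDAP_SCOPE_BASE = "SCOPE_BASE";
    static final String LDAP_SCOPE_ONE = "SCOPE_ONE";
    static final String LDAP_SCOPE_SUB = "SCOPE_SUB";
    private String authid;
    /** Bind password, decrypted at initialisation. Keep it out of every log message. */
    private String authpw;
    private String baseDN;
    private String roleSearchFilter;
    private String userSearchFilter;
    private String roleRDNAttrName;
    private String userRDNAttrName;
    private int timeLimit;
    private int maxResults;
    private int minPoolSize;
    private int maxPoolSize;
    private String orgName;
    private ConnectionFactory connPool;
    private boolean localDS;
    private boolean aliasEnabled;
    private String ldapServer;
    /**
     * Class-wide cache: SSO token id -> (ldap server -> {expiry millis, Set of lower-cased
     * role DNs}). Public and raw for historical reasons; entries are presumably evicted by
     * {@code PolicyEvaluator.ssoListener} when the token goes away — not visible here.
     */
    public static Map userLDAPRoleCache = Collections.synchronizedMap(new HashMap());
    static Debug debug = Debug.getInstance("amPolicy");
    private boolean initialized = false;
    /** Role DNs exactly as handed to {@link #setValues(Set)} (display form). */
    private Set<String> selectedRoleDNs = Collections.emptySet();
    /** Same roles, normalised through {@link DN#valueOf(String)} and lower-cased for comparison. */
    private Set<String> selectedRFCRoleDNs = Collections.emptySet();
    private SearchScope roleSearchScope = SearchScope.WHOLE_SUBTREE;
    private SearchScope userSearchScope = SearchScope.WHOLE_SUBTREE;
    private boolean sslEnabled = false;

    /**
     * Reads the plugin configuration and opens (or reuses) the LDAP connection pool for the
     * configured server.
     *
     * @param map policy configuration service values keyed by {@link PolicyConfig} constants;
     *            also carries the organisation name under {@code "OrganizationName"} as a Set
     * @throws PolicyException if {@code map} is null, the server name is missing, or a numeric
     *                         setting (time-out, size limit, pool sizes) fails to parse
     */
    @Override
    public void initialize(Map map) throws PolicyException {
        if (map == null) {
            throw new PolicyException("amPolicy", "ldaproles_initialization_failed", null, null);
        }
        String server = (String) map.get(PolicyConfig.LDAP_SERVER);
        if (server == null) {
            debug.error("LDAPRoles.initialize(): failed to get LDAP server name. If you enter more than one server name in the policy config service's Primary LDAP Server field, please make sure the ldap server name is preceded with the local server name.");
            throw new PolicyException("amPolicy", "invalid_ldap_server_host", null, null);
        }
        this.ldapServer = server.toLowerCase();
        this.localDS = PolicyUtils.isLocalDS(this.ldapServer);
        this.aliasEnabled = Boolean.parseBoolean((String) map.get(PolicyConfig.USER_ALIAS_ENABLED));
        this.authid = (String) map.get(PolicyConfig.LDAP_BIND_DN);
        this.authpw = (String) map.get(PolicyConfig.LDAP_BIND_PASSWORD);
        if (this.authpw != null) {
            this.authpw = PolicyUtils.decrypt(this.authpw);
        }
        this.baseDN = (String) map.get(PolicyConfig.LDAP_BASE_DN);
        this.roleSearchFilter = (String) map.get(PolicyConfig.LDAP_ROLES_SEARCH_FILTER);
        // Null-safe: a missing role scope used to NPE here; it now falls back to subtree,
        // the same default the user scope already gets below.
        this.roleSearchScope = parseRoleSearchScope((String) map.get(PolicyConfig.LDAP_ROLES_SEARCH_SCOPE));
        this.roleRDNAttrName = (String) map.get(PolicyConfig.LDAP_ROLES_SEARCH_ATTRIBUTE);
        this.userSearchFilter = (String) map.get(PolicyConfig.LDAP_USERS_SEARCH_FILTER);
        this.userSearchScope = LDAPUtils.getSearchScope((String) map.get(PolicyConfig.LDAP_USERS_SEARCH_SCOPE), SearchScope.WHOLE_SUBTREE);
        this.userRDNAttrName = (String) map.get(PolicyConfig.LDAP_USER_SEARCH_ATTRIBUTE);
        try {
            this.timeLimit = Integer.parseInt((String) map.get(PolicyConfig.LDAP_SEARCH_TIME_OUT));
            this.maxResults = Integer.parseInt((String) map.get(PolicyConfig.LDAP_SEARCH_LIMIT));
            this.minPoolSize = Integer.parseInt((String) map.get(PolicyConfig.LDAP_CONNECTION_POOL_MIN_SIZE));
            this.maxPoolSize = Integer.parseInt((String) map.get(PolicyConfig.LDAP_CONNECTION_POOL_MAX_SIZE));
        } catch (NumberFormatException e) {
            throw new PolicyException(e);
        }
        // Null-safe; anything other than "true" (case-insensitive) means plain LDAP.
        this.sslEnabled = "true".equalsIgnoreCase((String) map.get(PolicyConfig.LDAP_SSL_ENABLED));
        Set orgNames = (Set) map.get("OrganizationName");
        if (orgNames != null && !orgNames.isEmpty()) {
            this.orgName = (String) orgNames.iterator().next();
        }
        if (debug.messageEnabled()) {
            // Deliberately logs the bind DN but never the bind password.
            debug.message("LDAPRoles.initialize(): getting params\nldapServer: " + this.ldapServer + "\nauthid: " + this.authid + "\nbaseDN: " + this.baseDN + "\nroleSearchFilter: " + this.roleSearchFilter + "\nroleRDNAttrName: " + this.roleRDNAttrName + "\nuserSearchFilter: " + this.userSearchFilter + "\nuserRDNAttrName: " + this.userRDNAttrName + "\ntimeLimit: " + this.timeLimit + "\nmaxResults: " + this.maxResults + "\nminPoolSize: " + this.minPoolSize + "\nmaxPoolSize: " + this.maxPoolSize + "\nSSLEnabled: " + this.sslEnabled + "\nOrgName: " + this.orgName);
        }
        // The search time-out doubles as the per-request timeout of the pooled connections.
        Options options = Options.defaultOptions().set(LDAPConnectionFactory.REQUEST_TIMEOUT,
                new Duration(Long.valueOf(this.timeLimit), TimeUnit.SECONDS));
        LDAPConnectionPools.initConnectionPool(this.ldapServer, this.authid, this.authpw, this.sslEnabled,
                this.minPoolSize, this.maxPoolSize, options);
        this.connPool = LDAPConnectionPools.getConnectionPool(this.ldapServer);
        this.initialized = true;
    }

    /**
     * Maps the role-search scope setting to a {@link SearchScope}.
     *
     * @param scope one of {@code SCOPE_BASE}, {@code SCOPE_ONE}, {@code SCOPE_SUB} (any case),
     *              or null/unknown
     * @return the matching scope; {@link SearchScope#WHOLE_SUBTREE} for {@code SCOPE_SUB},
     *         null and anything unrecognised
     */
    private static SearchScope parseRoleSearchScope(String scope) {
        if (LDAP_SCOPE_BASE.equalsIgnoreCase(scope)) {
            return SearchScope.BASE_OBJECT;
        }
        if (LDAP_SCOPE_ONE.equalsIgnoreCase(scope)) {
            return SearchScope.SINGLE_LEVEL;
        }
        return SearchScope.WHOLE_SUBTREE;
    }

    /** Roles are picked from a list, so the value syntax is always multiple-choice. */
    @Override
    public Syntax getValueSyntax(SSOToken token) throws SSOException {
        return Syntax.MULTIPLE_CHOICE;
    }

    /** Lists every role under the base DN, i.e. {@link #getValidValues(SSOToken, String)} with pattern {@code "*"}. */
    @Override
    public ValidValues getValidValues(SSOToken token) throws SSOException, PolicyException {
        return getValidValues(token, "*");
    }

    /**
     * Searches the directory for role definitions whose RDN attribute matches {@code pattern}.
     *
     * <p>Security note: {@code pattern} is spliced into the LDAP filter without escaping, and
     * {@code "*"} is relied on as a wildcard by the one-argument overload, so it cannot simply
     * be escaped. Treat the pattern as administrator input (policy editing UI) and do not route
     * end-user supplied strings through this method.
     *
     * @param token   SSO token of the caller (unused here)
     * @param pattern value pattern for the role RDN attribute; null/blank means "all roles"
     * @return the role DNs found, with status 0 when complete, 1 when the server's size limit
     *         was hit and 2 when its time limit was hit (partial results in the latter two)
     * @throws PolicyException if the plugin is not initialised, the bind fails, the base DN does
     *                         not exist, or any other LDAP error occurs
     */
    @Override
    public ValidValues getValidValues(SSOToken token, String pattern) throws SSOException, PolicyException {
        if (!this.initialized) {
            throw new PolicyException("amPolicy", "ldaproles_subject_not_yet_initialized", null, null);
        }
        String filter;
        if (pattern == null || pattern.trim().length() == 0) {
            filter = this.roleSearchFilter;
        } else {
            filter = "(&" + this.roleSearchFilter + "(" + this.roleRDNAttrName + "=" + pattern + "))";
        }
        if (debug.messageEnabled()) {
            debug.message("LDAPRoles.getValidValues(): role search filter is: " + filter);
        }
        String[] attrs = {this.roleRDNAttrName};
        Set<String> roleDNs = new HashSet<>();
        try (Connection conn = this.connPool.getConnection()) {
            ConnectionEntryReader reader = conn.search(
                    LDAPRequests.newSearchRequest(this.baseDN, this.roleSearchScope, filter, attrs));
            while (reader.hasNext()) {
                if (reader.isReference()) {
                    // Referrals are consumed but not followed.
                    reader.readReference();
                } else {
                    SearchResultEntry entry = reader.readEntry();
                    if (entry != null) {
                        String dn = entry.getName().toString();
                        roleDNs.add(dn);
                        debug.message("LDAPRoles.getValidValues(): found role name={}", dn);
                    }
                }
            }
            return new ValidValues(0, roleDNs);
        } catch (LdapException e) {
            ResultCode rc = e.getResult().getResultCode();
            if (ResultCode.SIZE_LIMIT_EXCEEDED.equals(rc)) {
                debug.warning("LDAPRoles.getValidValues(): exceeded the size limit");
                return new ValidValues(1, roleDNs);
            }
            if (ResultCode.TIME_LIMIT_EXCEEDED.equals(rc)) {
                debug.warning("LDAPRoles.getValidValues(): exceeded the time limit");
                return new ValidValues(2, roleDNs);
            }
            throw toPolicyException(e);
        } catch (Exception e) {
            throw new PolicyException(e);
        }
    }

    /**
     * Converts an LDAP failure that is not a size/time limit into the {@link PolicyException}
     * this plugin reports: invalid credentials and missing base DN get their own message keys,
     * everything else carries the server's message and diagnostic text.
     *
     * @param e the LDAP failure
     * @return the exception for the caller to throw (never null)
     */
    private PolicyException toPolicyException(LdapException e) {
        ResultCode rc = e.getResult().getResultCode();
        if (ResultCode.INVALID_CREDENTIALS.equals(rc)) {
            return new PolicyException("amPolicy", "ldap_invalid_password", null, null);
        }
        if (ResultCode.NO_SUCH_OBJECT.equals(rc)) {
            return new PolicyException("amPolicy", "no_such_ldap_base_dn", new String[]{this.baseDN}, null);
        }
        String message = e.getMessage();
        String diagnostic = e.getResult().getDiagnosticMessage();
        if (diagnostic != null) {
            return new PolicyException(message + ": " + diagnostic);
        }
        return new PolicyException(message);
    }

    /** Human-readable form of a role DN for the admin console. */
    @Override
    public String getDisplayNameForValue(String value, Locale locale) throws NameNotFoundException {
        return PolicyUtils.getDNDisplayString(value);
    }

    /** @return the role DNs as last passed to {@link #setValues(Set)} (not a defensive copy). */
    @Override
    public Set getValues() {
        if (debug.messageEnabled()) {
            debug.message("LDAPRoles.getValues() gets called");
        }
        return this.selectedRoleDNs;
    }

    /**
     * Selects the roles this subject matches against.
     *
     * @param names role DNs; each must parse as a DN ({@link DN#valueOf(String)} throws an
     *              unchecked exception otherwise)
     * @throws InvalidNameException if {@code names} is null
     */
    @Override
    public void setValues(Set names) throws InvalidNameException {
        if (names == null) {
            debug.error("LDAPRoles.setValues() Invalid names");
            throw new InvalidNameException("amPolicy", "ldaproles_subject_invalid_group_names", null, null, 5);
        }
        Set<String> display = new HashSet<>();
        display.addAll(names);
        this.selectedRoleDNs = display;
        if (debug.messageEnabled()) {
            debug.message("LDAPRoles.setValues(): selected role names=" + this.selectedRoleDNs);
        }
        Set<String> normalised = new HashSet<>();
        for (Object name : names) {
            // Normalised + lower-cased so that membership compares DNs case-insensitively.
            normalised.add(DN.valueOf((String) name).toString().toLowerCase());
        }
        this.selectedRFCRoleDNs = normalised;
    }

    /**
     * Decides whether the token's user holds any of the selected roles.
     *
     * <p>Per role, the {@link SubjectEvaluationCache} is consulted first; a cached {@code true}
     * short-circuits. On a miss the user entry and its roles are fetched once (lazily, shared
     * across the loop), the result is stored in the cache, and an SSO listener is registered so
     * cached results can be dropped when the token ends.
     *
     * @param token SSO token of the user being evaluated
     * @return true if the user holds at least one selected role; false otherwise, including
     *         when the user entry cannot be found in the directory
     * @throws PolicyException on directory errors (see {@link #getUserEntry(SSOToken)})
     */
    @Override
    public boolean isMember(SSOToken token) throws SSOException, PolicyException {
        boolean member = false;
        String userName = token.getPrincipal().getName();
        if (!this.selectedRFCRoleDNs.isEmpty()) {
            SearchResultEntry userEntry = null;
            Set<String> userRoles = null;
            String tokenID = token.getTokenID().toString();
            for (String roleDN : this.selectedRFCRoleDNs) {
                Boolean cached = SubjectEvaluationCache.isMember(tokenID, this.ldapServer, roleDN);
                if (cached != null) {
                    if (debug.messageEnabled()) {
                        debug.message("LDAPRoles.isMember():Got membership from cache of " + userName + " in LDAP role " + roleDN + " :" + cached.booleanValue());
                    }
                    if (cached.booleanValue()) {
                        return true;
                    }
                    continue;
                }
                if (debug.messageEnabled()) {
                    debug.message("LDAPRoles.isMember():did not find entry  for " + roleDN + " in SubjectEvaluation cache,  getting from LDAPRole cache");
                }
                if (userEntry == null) {
                    userEntry = getUserEntry(token);
                    if (userEntry == null) {
                        if (debug.messageEnabled()) {
                            debug.message("LDAPRoles.isMember(): User " + userName + " is not found in the directory");
                        }
                        return false;
                    }
                }
                if (userRoles == null) {
                    userRoles = getUserRoles(token, userEntry);
                }
                registerSSOListener(token, tokenID);
                member = userRoles != null && userRoles.contains(roleDN);
                if (debug.messageEnabled()) {
                    debug.message("LDAPRoles.isMember(): User " + userName + " " + (member ? "is member of" : "is not a member of") + " the LDAPRole " + roleDN + ", adding to Subject eval cache");
                }
                SubjectEvaluationCache.addEntry(tokenID, this.ldapServer, roleDN, member);
                if (member) {
                    break;
                }
            }
        }
        if (debug.messageEnabled()) {
            if (member) {
                debug.message("LDAPRoles.isMember(): User " + userName + " is a member of this LDAPRoles object");
            } else {
                debug.message("LDAPRoles.isMember(): User " + userName + " is not a member of this LDAPRoles object");
            }
        }
        return member;
    }

    /**
     * Registers the shared policy SSO listener for {@code token} once per token id. Tokens that
     * do not support listeners are tolerated (logged, not fatal); other SSO failures propagate.
     *
     * @param token   the token to listen on
     * @param tokenID {@code token.getTokenID().toString()}, the registry key
     */
    private void registerSSOListener(SSOToken token, String tokenID) throws SSOException {
        if (PolicyEvaluator.ssoListenerRegistry.containsKey(tokenID)) {
            return;
        }
        try {
            token.addSSOTokenListener(PolicyEvaluator.ssoListener);
            PolicyEvaluator.ssoListenerRegistry.put(tokenID, PolicyEvaluator.ssoListener);
            if (debug.messageEnabled()) {
                debug.message("LDAPRoles.isMember(): sso listener added .\n");
            }
        } catch (SSOTokenListenersUnsupportedException e) {
            debug.message("LDAPRoles.isMember(): could not add sso listener: {}", e.getMessage());
        }
    }

    /** Equality and hashing are defined by the selected role DNs only. */
    @Override
    public int hashCode() {
        return this.selectedRoleDNs.hashCode();
    }

    @Override
    public boolean equals(Object obj) {
        if (!(obj instanceof LDAPRoles)) {
            return false;
        }
        LDAPRoles other = (LDAPRoles) obj;
        if (this.selectedRoleDNs == null || other.selectedRoleDNs == null) {
            return false;
        }
        return this.selectedRoleDNs.equals(other.selectedRoleDNs);
    }

    /**
     * Shallow clone with the two role sets copied; connection pool and configuration are shared.
     */
    @Override
    public Object clone() {
        try {
            LDAPRoles copy = (LDAPRoles) super.clone();
            if (this.selectedRoleDNs != null) {
                copy.selectedRoleDNs = new HashSet<>(this.selectedRoleDNs);
            }
            if (this.selectedRFCRoleDNs != null) {
                copy.selectedRFCRoleDNs = new HashSet<>(this.selectedRFCRoleDNs);
            }
            return copy;
        } catch (CloneNotSupportedException e) {
            // Keep the cause instead of throwing a bare InternalError.
            InternalError err = new InternalError(e.getMessage());
            err.initCause(e);
            throw err;
        }
    }

    /**
     * Returns the user's role DNs, lower-cased and normalised, from {@link #userLDAPRoleCache}
     * when a non-expired entry exists, otherwise from the {@code nsrole} attribute of
     * {@code userEntry} (caching the result for {@link SubjectEvaluationCache#getSubjectEvalTTL()}
     * milliseconds when that TTL is positive).
     *
     * <p>Both this set and {@link #selectedRFCRoleDNs} are lower-cased because
     * {@link DN#toString()} preserves the case of attribute values while DNs are compared
     * case-insensitively; without this, a role such as {@code cn=Admins,...} would never match.
     *
     * @param token     SSO token; null yields null
     * @param userEntry the user's entry with {@code nsrole} requested; null yields an empty set
     * @return the role DNs (possibly empty), or null when {@code token} is null
     */
    @SuppressWarnings("unchecked")
    private Set<String> getUserRoles(SSOToken token, SearchResultEntry userEntry) throws SSOException, PolicyException {
        if (token == null) {
            return null;
        }
        String tokenID = token.getTokenID().toString();
        Map perServer = (Map) userLDAPRoleCache.get(tokenID);
        if (perServer != null) {
            Object[] cached = (Object[]) perServer.get(this.ldapServer);
            if (cached != null) {
                long expiry = cached[0] == null ? 0L : ((Long) cached[0]).longValue();
                if (expiry > Time.currentTimeMillis()) {
                    if (debug.messageEnabled()) {
                        debug.message("LDAPRoles.getUserRoles(): get the nsrole values from cache.\n");
                    }
                    return (Set<String>) cached[1];
                }
            }
        }
        Set<String> roles = new HashSet<>();
        if (userEntry != null) {
            Attribute attr = userEntry.getAttribute(LDAP_USER_ROLE_ATTR);
            if (attr != null) {
                for (ByteString value : attr) {
                    roles.add(DN.valueOf(value.toString()).toString().toLowerCase());
                }
            }
            long ttl = SubjectEvaluationCache.getSubjectEvalTTL();
            if (ttl > 0) {
                Object[] entry = {Long.valueOf(Time.currentTimeMillis() + ttl), roles};
                Map existing = (Map) userLDAPRoleCache.get(tokenID);
                if (existing == null) {
                    Map fresh = Collections.synchronizedMap(new HashMap());
                    fresh.put(this.ldapServer, entry);
                    userLDAPRoleCache.put(tokenID, fresh);
                } else {
                    existing.put(this.ldapServer, entry);
                }
            }
        }
        return roles;
    }

    /**
     * Looks up the user's directory entry, requesting only the {@code nsrole} attribute.
     *
     * <p>The search base is the configured base DN, or the user's own DN when the server is the
     * local datastore and the principal name is not a UUID. The RDN value is taken naively from
     * the principal name (text between the first {@code =} and the first {@code ,}), so an RDN
     * containing an escaped comma would be truncated — pre-existing behaviour, left unchanged.
     * Whether {@link PolicyUtils#constructUserFilter} escapes that value is not visible here.
     *
     * @param token SSO token whose principal name is the user's DN
     * @return the first matching entry, or null if none matched; a warning is logged when more
     *         than one entry matched, since the wrong user's roles could then be evaluated
     * @throws PolicyException if the principal name is not {@code attr=value,...} shaped, the
     *                         server's size/time limit is hit, or any other LDAP error occurs
     */
    private SearchResultEntry getUserEntry(SSOToken token) throws SSOException, PolicyException {
        String userDN = token.getPrincipal().getName();
        if (debug.messageEnabled()) {
            debug.message("LDAPRoles.getUserEntry(): user local DN is " + userDN);
        }
        String searchBase = this.baseDN;
        if (this.localDS && !PolicyUtils.principalNameEqualsUuid(token)) {
            searchBase = DN.valueOf(userDN).toString();
            debug.message("LDAPRoles.getUserEntry(): search user {} only as it is local.", searchBase);
        }
        int eq = userDN.indexOf('=');
        int comma = userDN.indexOf(',');
        if (eq <= 0 || comma <= 0 || eq >= comma) {
            throw new PolicyException("amPolicy", "ldaproles_subject_invalid_local_user_dn", null, null);
        }
        String rdnValue = userDN.substring(eq + 1, comma);
        String filter = PolicyUtils.constructUserFilter(token, this.userRDNAttrName, rdnValue, this.aliasEnabled);
        if (this.userSearchFilter != null && this.userSearchFilter.length() != 0) {
            filter = "(&" + this.userSearchFilter + filter + ")";
        }
        if (debug.messageEnabled()) {
            debug.message("LDAPRoles.getUserEntry(): search filter is: " + filter);
        }
        String[] attrs = {LDAP_USER_ROLE_ATTR};
        try (Connection conn = this.connPool.getConnection()) {
            ConnectionEntryReader reader = conn.search(
                    LDAPRequests.newSearchRequest(searchBase, this.userSearchScope, filter, attrs));
            SearchResultEntry first = null;
            int matched = 0;
            while (reader.hasNext()) {
                if (reader.isReference()) {
                    // Referrals are consumed but not followed.
                    reader.readReference();
                } else {
                    SearchResultEntry entry = reader.readEntry();
                    matched++;
                    if (first == null) {
                        first = entry;
                    }
                }
            }
            if (matched > 1) {
                debug.warning("LDAPRoles.getUserEntry(): user search matched " + matched + " entries; using the first one. Tighten the user search filter.");
            }
            return first;
        } catch (LdapException e) {
            ResultCode rc = e.getResult().getResultCode();
            if (ResultCode.SIZE_LIMIT_EXCEEDED.equals(rc)) {
                debug.warning("LDAPRoles.isMember(): exceeded the size limit");
                throw new PolicyException("amPolicy", "ldap_search_exceed_size_limit", new String[]{this.orgName}, null);
            }
            if (ResultCode.TIME_LIMIT_EXCEEDED.equals(rc)) {
                debug.warning("LDAPRoles.isMember(): exceeded the time limit");
                throw new PolicyException("amPolicy", "ldap_search_exceed_time_limit", new String[]{this.orgName}, null);
            }
            throw toPolicyException(e);
        } catch (Exception e) {
            throw new PolicyException(e);
        }
    }
}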
