package org.forgerock.openam.xacml.v3.rest;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.authentication.share.AuthXMLTags;
import com.sun.identity.delegation.DelegationEvaluator;
import com.sun.identity.delegation.DelegationException;
import com.sun.identity.delegation.DelegationPermission;
import com.sun.identity.delegation.DelegationPermissionFactory;
import com.sun.identity.entitlement.EntitlementException;
import com.sun.identity.entitlement.opensso.SubjectUtils;
import com.sun.identity.entitlement.xacml3.XACMLExportImport;
import com.sun.identity.entitlement.xacml3.XACMLPrivilegeUtils;
import com.sun.identity.entitlement.xacml3.core.PolicySet;
import com.sun.identity.liberty.ws.dst.DSTConstants;
import com.sun.identity.log.LogConstants;
import com.sun.identity.shared.debug.Debug;
import java.io.IOException;
import java.io.OutputStream;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.hc.core5.http.HttpStatus;
import org.forgerock.openam.forgerockrest.utils.RestLog;
import org.forgerock.openam.rest.representations.JacksonRepresentationFactory;
import org.forgerock.openam.rest.service.RestletRealmRouter;
import org.forgerock.openam.rest.service.XACMLServiceEndpointApplication;
import org.forgerock.openam.sdk.javax.inject.Inject;
import org.forgerock.openam.sdk.javax.inject.Named;
import org.forgerock.openam.sdk.org.forgerock.util.annotations.VisibleForTesting;
import org.forgerock.openam.sdk.org.restlet.Request;
import org.forgerock.openam.sdk.org.restlet.data.Disposition;
import org.forgerock.openam.sdk.org.restlet.data.Status;
import org.forgerock.openam.sdk.org.restlet.ext.servlet.ServletUtils;
import org.forgerock.openam.sdk.org.restlet.representation.OutputRepresentation;
import org.forgerock.openam.sdk.org.restlet.representation.Representation;
import org.forgerock.openam.sdk.org.restlet.resource.Get;
import org.forgerock.openam.sdk.org.restlet.resource.Post;
import org.forgerock.openam.sdk.org.restlet.resource.ResourceException;
import org.forgerock.openam.sdk.org.restlet.resource.ServerResource;
import org.forgerock.openam.xacml.v3.ImportStep;

/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.3.jar:org/forgerock/openam/xacml/v3/rest/XacmlService.class */
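/**
 * Restlet resource backing the XACML policy import/export endpoint.
 * <p>
 * {@code POST} ({@link #importXACML(Representation)}) imports a XACML document into the realm resolved from the
 * request; {@code GET} ({@link #exportXACML()}) exports that realm's policies as a XACML {@code PolicySet} sent as a
 * file attachment. Both operations first evaluate a delegation permission for the caller's SSO token and audit the
 * outcome through {@link RestLog}; the import/export itself is performed under the administrative subject obtained
 * from the injected privileged action, so the permission check is the only thing standing between the caller and
 * the policy store.
 * <p>
 * Note: this listing was recovered from a compiled class (see the {@code loaded from} marker above); constant
 * references such as {@code DSTConstants.MODIFY_ACTION}, {@code LogConstants.LOG_READ} and
 * {@code AuthXMLTags.STATUS} were selected by the decompiler on string value and may not be the constants the
 * original author named.
 */
public class XacmlService extends ServerResource {
    private static final String REST = "rest";
    private static final String VERSION = "1.0";
    /** Query parameter carrying zero or more export filters. */
    public static final String QUERY_PARAM_STRING = "filter";
    /** Query parameter that, when {@code "true"}, makes the import report changes without applying them. */
    private static final String QUERY_PARAM_DRY_RUN = "dryrun";
    /** Servlet request attribute under which the authentication layer stores the caller's auth context map. */
    private static final String FORGEROCK_AUTH_CONTEXT = "org.forgerock.openam.sdk.org.forgerock.authentication.context";
    private static final String ROOT_REALM = "/";
    private static final String PERMISSION_FAILURE = "XacmlService permission evaluation failed";
    private final XACMLExportImport importExport;
    private final PrivilegedAction<SSOToken> admin;
    private final Debug debug;
    private final RestLog restLog;
    private final DelegationEvaluator evaluator;
    private final JacksonRepresentationFactory jacksonRepresentationFactory;

    /**
     * Creates the resource with its collaborators (normally wired by the injector).
     *
     * @param xACMLExportImport performs the actual XACML import/export against the policy store
     * @param privilegedAction yields the administrative {@link SSOToken} used for store access
     * @param debug the {@code frRest} debug logger
     * @param restLog audit logger for granted/denied access decisions
     * @param delegationEvaluator evaluates the caller's delegation permission
     * @param jacksonRepresentationFactory builds the JSON response for imports
     */
    @Inject
    public XacmlService(XACMLExportImport xACMLExportImport, PrivilegedAction<SSOToken> privilegedAction, @Named("frRest") Debug debug, RestLog restLog, DelegationEvaluator delegationEvaluator, JacksonRepresentationFactory jacksonRepresentationFactory) {
        this.importExport = xACMLExportImport;
        this.admin = privilegedAction;
        this.debug = debug;
        this.restLog = restLog;
        this.evaluator = delegationEvaluator;
        this.jacksonRepresentationFactory = jacksonRepresentationFactory;
    }

    /**
     * Returns the administrative subject under which policy store operations run. Callers must have passed
     * {@link #checkPermission(String)} before this subject is used on their behalf.
     */
    private Subject getAdminToken() {
        // The injected action is typed, so no cast is needed; doPrivileged keeps the admin token off the caller's stack.
        return SubjectUtils.createSubject(AccessController.doPrivileged(this.admin));
    }

    /**
     * Imports the XACML document in the request body into the request's realm.
     *
     * @param representation the request entity holding the XACML document; {@code null} is rejected with 400
     * @return a JSON array with one {@code {status, name, type}} entry per imported policy step
     * @throws ResourceException 403 when the caller lacks the modify permission, 400 when the body is missing,
     *     contains no policies, or the import fails
     */
    @Post
    public Representation importXACML(Representation representation) {
        boolean dryRun = "true".equalsIgnoreCase(getQuery().getFirstValue(QUERY_PARAM_DRY_RUN));
        try {
            // Authorisation first: nothing about the request body is inspected until the caller is allowed to modify.
            if (!checkPermission(DSTConstants.MODIFY_ACTION)) {
                throw new ResourceException(new Status(HttpStatus.SC_FORBIDDEN));
            }
            if (representation == null) {
                throw new ResourceException(new Status(HttpStatus.SC_BAD_REQUEST, "No XACML document in request body", (String) null, (String) null));
            }
            String realm = RestletRealmRouter.getRealmFromRequest(getRequest());
            List<ImportStep> steps = this.importExport.importXacml(realm, representation.getStream(), getAdminToken(), dryRun);
            if (steps.isEmpty()) {
                throw new ResourceException(new Status(HttpStatus.SC_BAD_REQUEST, "No policies found in XACML document", (String) null, (String) null));
            }
            List<Map<String, String>> summary = new ArrayList<>(steps.size());
            for (ImportStep step : steps) {
                summary.add(describe(step));
            }
            getResponse().setStatus(Status.SUCCESS_OK);
            return this.jacksonRepresentationFactory.create(summary);
        } catch (EntitlementException e) {
            this.debug.warning("Importing XACML to policies failed", e);
            throw new ResourceException(new Status(HttpStatus.SC_BAD_REQUEST, e, e.getLocalizedMessage(getRequestLocale()), (String) null, (String) null));
        } catch (IOException e) {
            this.debug.warning("Reading XACML import failed", e);
            throw new ResourceException(new Status(HttpStatus.SC_BAD_REQUEST, e, e.getLocalizedMessage(), (String) null, (String) null));
        }
    }

    /** Builds the JSON-friendly summary of one import step: its diff status code, name and type. */
    private static Map<String, String> describe(ImportStep step) {
        Map<String, String> entry = new HashMap<>();
        entry.put(AuthXMLTags.STATUS, String.valueOf(step.getDiffStatus().getCode()));
        entry.put("name", step.getName());
        entry.put("type", step.getType());
        return entry;
    }

    /** Locale used for localised error messages: the servlet request's, or the JVM default when unavailable. */
    private Locale getRequestLocale() {
        HttpServletRequest request = ServletUtils.getRequest(getRequest());
        return request == null ? Locale.getDefault() : request.getLocale();
    }

    /**
     * Exports the policies of the request's realm as a XACML document.
     *
     * @return the XACML {@code PolicySet} as an {@code application/xacml+xml} attachment
     */
    @Get
    public Representation exportXACML() {
        return exportXACML(RestletRealmRouter.getRealmFromRequest(getRequest()));
    }

    /**
     * Exports the policies of {@code realm}, restricted by any {@value #QUERY_PARAM_STRING} query parameters.
     *
     * @param realm the realm path (for example {@code "/"} or {@code "/sub/realm"})
     * @return the XACML {@code PolicySet} as an attachment whose file name is derived from the realm
     * @throws ResourceException 403 when the caller lacks the read permission, 500 when the export fails
     */
    @VisibleForTesting
    Representation exportXACML(String realm) {
        List<String> filters = new ArrayList<>(Arrays.asList(getQuery().getValuesArray(QUERY_PARAM_STRING)));
        try {
            if (!checkPermission(LogConstants.LOG_READ)) {
                throw new ResourceException(new Status(HttpStatus.SC_FORBIDDEN));
            }
            final PolicySet policySet = this.importExport.exportXACML(realm, getAdminToken(), filters);
            getResponse().setStatus(Status.SUCCESS_OK);
            OutputRepresentation body = new OutputRepresentation(XACMLServiceEndpointApplication.APPLICATION_XML_XACML3) {
                @Override
                public void write(OutputStream out) throws IOException {
                    try {
                        XACMLPrivilegeUtils.writeXMLToStream(policySet, out);
                    } catch (EntitlementException e) {
                        // Serialisation happens lazily while writing the response, so only IOException can surface here.
                        throw new IOException(e);
                    }
                }
            };
            Disposition disposition = new Disposition();
            disposition.setType(Disposition.TYPE_ATTACHMENT);
            disposition.setFilename(getPolicyAttachmentFileName(realm));
            body.setDisposition(disposition);
            return body;
        } catch (EntitlementException e) {
            this.debug.warning("Reading Policies failed", e);
            throw new ResourceException(new Status(HttpStatus.SC_INTERNAL_SERVER_ERROR, e.getLocalizedMessage(getRequestLocale()), (String) null, (String) null));
        }
    }

    /**
     * Derives the download file name from the realm path: {@code "/"} gives {@code realm-policies.xml};
     * {@code "/a/b"} gives {@code a-b-realm-policies.xml}. A {@code null}, empty or non-slash-prefixed realm is
     * handled rather than failing in {@code substring}. The value ends up in the Content-Disposition header;
     * NOTE(review): relies on Restlet's {@link Disposition} quoting/encoding the name — confirm it does.
     */
    private static String getPolicyAttachmentFileName(String realm) {
        String path = realm == null ? "" : (realm.startsWith(ROOT_REALM) ? realm.substring(1) : realm);
        // Flatten the realm hierarchy so the file name carries no path separators.
        String prefix = path.isEmpty() ? "" : path.replace('/', '-') + "-";
        return prefix + "realm-policies.xml";
    }

    /**
     * Checks whether the caller may perform {@code action} on the last path segment of this request in the request's
     * realm. The caller's identity is the SSO token id from the authentication context attached to the servlet
     * request; a request without one is rejected with 401 rather than dereferenced into a NullPointerException.
     *
     * @param action the delegation action to check
     * @return {@code true} when allowed
     * @throws EntitlementException (code 500) when the token cannot be created or the evaluation fails
     * @throws ResourceException 401 when the request carries no authentication context
     */
    @VisibleForTesting
    boolean checkPermission(String action) throws EntitlementException {
        Request request = getRequest();
        String resource = request.getResourceRef().getLastSegment();
        String realm = RestletRealmRouter.getRealmFromRequest(request);
        try {
            SSOToken token = SSOTokenManager.getInstance().createSSOToken(callerTokenId(request));
            return checkPermission(action, resource, realm, token);
        } catch (SSOException e) {
            this.debug.warning(PERMISSION_FAILURE, e);
            throw new EntitlementException(500, e);
        }
    }

    /**
     * Reads the caller's SSO token id from the {@value #FORGEROCK_AUTH_CONTEXT} request attribute, failing closed
     * when the attribute, its map form, or the token id entry is absent.
     */
    private String callerTokenId(Request request) {
        HttpServletRequest httpRequest = ServletUtils.getRequest(request);
        Object context = httpRequest == null ? null : httpRequest.getAttribute(FORGEROCK_AUTH_CONTEXT);
        Object tokenId = context instanceof Map ? ((Map<?, ?>) context).get(AuthXMLTags.TOKEN_ID) : null;
        if (!(tokenId instanceof String)) {
            this.debug.warning("XacmlService request carries no authentication context; rejecting");
            throw new ResourceException(new Status(HttpStatus.SC_UNAUTHORIZED));
        }
        return (String) tokenId;
    }

    /**
     * Builds the delegation permission for {@code action} on {@code resource} in {@code realm} and evaluates it.
     * Both SSO and delegation failures are reported as an {@link EntitlementException} with code 500.
     */
    private boolean checkPermission(String action, String resource, String realm, SSOToken token) throws EntitlementException {
        try {
            DelegationPermission permission = new DelegationPermissionFactory().newInstance(
                    realm, REST, VERSION, resource, action, new HashSet<>(Arrays.asList(action)), Collections.emptyMap());
            return checkPermission(permission, token, resource);
        } catch (SSOException | DelegationException e) {
            this.debug.warning(PERMISSION_FAILURE, e);
            throw new EntitlementException(500, e);
        }
    }

    /**
     * Evaluates {@code permission} for {@code token} and audits the decision (granted or denied) against
     * {@code resource}.
     *
     * @return the evaluator's decision
     */
    @VisibleForTesting
    boolean checkPermission(DelegationPermission permission, SSOToken token, String resource) throws DelegationException, SSOException {
        boolean allowed = this.evaluator.isAllowed(token, permission, Collections.emptyMap());
        String component = getClass().getName();
        // Every decision is audited so denied attempts are visible, not only successful ones.
        if (allowed) {
            this.restLog.auditAccessGranted(component, resource, component, token);
        } else {
            this.restLog.auditAccessDenied(component, resource, component, token);
        }
        return allowed;
    }
}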
